IEEE P1363: Standard for Public-Key Cryptography

MEETING MINUTES

Thursday, May 15, 1997, 2:00pm-5:00pm
Friday, May 16, 1997, 8:30am-5:00pm
Ramada Halm Hotel, Konstanz, Germany

THURSDAY, MAY 15.

In attendance, we had:

Matthias Bauer
*Simon Blake-Wilson
Karl Brincat
Jilyana Cazaran
Marcus Dietz
Jean-Francois Dhem
*Carl Ellison
Walter Fumy
Stuart Haber
Horst Helmut Horner
*Don B. Johnson
*Burt Kaliski
Byng-Chun Kim
Mika Kojo
Ryszord Kossowski
Peter Landrock
Pil Joung Lee
*Michael Markowitz
Henry Massias
Patrick Mestre
Daniele Micciancio
Markus Michels
Miodrag Mihaljevic
Francois Morain
Torben Pedersen
Holger Petersen
Niels Provos
Jean-Jacques Quisquater
Jacob Radzikowski
Matt Robshaw
Allen Roginsky
Claus P. Schnorr
Sherry Shannon
*Scott Vanstone
Mao Wenbo
*Michael J. Wiener
William Wolfowicz
Konrad Wrona
Phillip Zimmerman

Those marked with an asterisk above were qualified to vote. As before, attendance at one of the previous three meetings was required to vote.

Burt read the minutes of the previous meeting and asked for discussion. There was no discussion.

Motion 1. (Carl Ellison, Don Johnson) Accept the minutes. (Approved by acclamation.)

As our Secretary was absent, Carl volunteered to take the minutes for the afternoon, but he would not be attending on Friday, so someone else needed to take the minutes for Friday.

The officer reports followed. Burt gave the first officer report:

1. He is processing letters regarding patent status. One of these letters is marked confidential; its status has not been resolved.
2. The supplement (or addendum) standard document is a separate IEEE project, to start soon, perhaps in June.
3. There is a request for coordination with another standards group. Coordination with other standards groups, especially European standards efforts, is part of the reason for holding this meeting in Germany.
4. Meeting fees were established at $20/person/day, by IEEE rules.
It was decided that the meeting was 1.5 days, with $10 for the first half-day and $20 for the second day.

Mike M. gave the treasurer's report: we have a new bank account, with the IEEE tax money in that account.

We then moved to the technical part of the meeting. Burt presented his slides on the history, current status, and plans for the project.

Jean-Jacques proposed considering identification schemes. Burt will pursue this for the addendum (ID-based keys, etc.).

Peter noted that the choice of hash function could be as important as, or more important than, the choice of public-key scheme. Burt noted that we do discuss the choice of hash function in the current document. Don noted that NIST is considering hash functions with output lengths of 1, 2, 3 and 4 times 160 bits. We had no details on the methods they are proposing for this extension, or even on the names of those functions, although SHA-1, SHA-2, SHA-3 and SHA-4 were mentioned.

Burt asked how our effort compares to international efforts, such as ISO efforts in this area. Peter noted that we have a good match.

Peter then asked why we use ASN.1; this question was repeated by Carl. Burt noted that we may move the ASN.1 specification to the appendix, and perhaps write an S-expression version of the data structure definitions there as well. He noted that it is appropriate to use whatever syntax for key descriptions is used by the various certificate formats (X.509, SDSI/SPKI, DNSSEC, etc.).

We took a break for 10 minutes. Mike M. started collecting the IEEE tax from those present.

Carl volunteered to write an S-expression section for the appendix, once ASN.1 is moved to that appendix. Burt suggested that the S-expression section should wait until SPKI/SDSI settles, and would probably show up in the supplement rather than the current document. We can produce that section as an RFC earlier, of course.

Burt asked if there was any more business for the afternoon session. There appeared to be none. Peter noted that he wanted more detail.
There was no objection to what was presented, at the high level at which it was being presented, but additional detail might provide room for discussion. For example, why recommend running the Miller-Rabin test 50 times when testing candidates during prime generation? Burt answered that X9F1 is thinking about that at this time, and that one needs to be especially careful when testing a candidate prime that has been offered by an outside agency, rather than generated from random numbers.

Carl asked if there were comments on the random number section. Don wanted to add the text of the ANSI random number section from one of the X9F1 standards as an example, not just as a reference. Carl noted that there is a crying need for a table of estimates of the entropy rate of various entropy sources, but that this is a large job. There was no volunteer to produce such a table.

Don asked if anyone wanted an immediate technical discussion. There was no response. Burt dismissed the meeting until 8:30 the next morning.

FRIDAY, MAY 16.

In attendance, we had:

*Simon Blake-Wilson
*Walter Fumy
*Don Johnson
*Burt Kaliski
Mika Kojo
Ryszord Kossowski
*Mike Markowitz
Daniele Micciancio
Matt Robshaw
Allen Roginsky
Konrad Wrona
*Michael Wiener

We began at 8:40.

Burt circulated a letter from Certicom asserting potential patent coverage over point compression and the MQV protocols. (This was the letter whose status had been uncertain on Thursday.) Walter asked whether it mentioned the Nyberg-Rueppel patent; Burt said that the letter stated that Certicom was the North American licensee of that patent, and that he expected a letter on the patent itself from Rainer Rueppel.

Allen then presented the IBM contribution on encryption schemes for the addendum (the so-called "four-round swizzle"). He suggested that four rounds of the scheme is enough, and three in some cases, and gave an argument for security. He pointed out that Don Coppersmith's recent results on four-round Luby-Rackoff ciphers did not apply here.
The main question is what the assumptions about the hash functions are; there are the usual ones about inversion and collisions, plus a new one about not being able to determine outputs of the hash function except by trial and error, which was the subject of some discussion. Several participants suggested that a random oracle assumption would be more likely to lead to a proof, but it was also felt that such an assumption would be too strong, and the IBM assumption seemed more realistic in some sense.

Burt then gave a general overview of the encryption schemes to be considered in the addendum, the main question being what features we want the schemes to have. The IBM contribution is one of several in this area; further working group discussion of this and other contributions will help determine what is best for the addendum.

After a short break, Burt gave a chart of signature schemes that might be considered for the addendum, including the following:

Base document
  - with appendix: DL, EC, IF
  - with message recovery: IF

Addendum
  - new primitives
  - with message recovery: DL, EC
  - with partial message recovery: DL, EC, IF

Don noted that ISO 14888-3 (in progress) covers appendix techniques, based on a degenerate case of ISO 9796-2 ("partial" recovery with no message recovered). Alignment with X9.31 is intended, as Don has already discussed with Louis Guillou. Walter noted that there had been some recent support within ISO for specifying algorithms in standards. Don said that P1363 would add new signature primitives if they had new attributes.

Mike M. asked whether we'd consider the GQ signature scheme; Burt said we might, especially as we'd be considering identification schemes, including GQ, in the addendum. Ryszord proposed that we consider deterministic DL/EC signature schemes. Michael W. mentioned that a Eurocrypt '97 rump session contribution included one, and Daniele said this could be done under a random oracle assumption.
Don then presented the unified Diffie-Hellman key agreement scheme, illustrating the compatibilities between the one-key-pair and two-key-pair cases. Either key pair can be ephemeral or static. Mike M. and Michael W. both said that the standard should explicitly mention the case where one party's ephemeral key is combined with the other party's static key, which is typical in protocols. (The current editorial contribution doesn't place any restrictions on what is combined, but the group's assumption has been that static is combined with static and ephemeral with ephemeral. The pros and cons of the various combinations are a topic for further study. Simon said that there were some issues related to the loss of the long-term secret value that would affect this, and Don observed that MQV does the mixing in the protocol itself.) As an aside to these discussions, Burt agreed to send a patent solicitation to the holder of the Goss patent, which covers the static-ephemeral combination.

Don then continued the discussion of unified DH, and Michael W. pondered whether one bit of information might be leaked due to the compatibility mode. Walter said that 11770-3 has related techniques.

We then discussed key derivation in X9.42, which involves applying SHA-1 to the shared secret value or values and other parameters, where the full output of SHA-1 becomes part of the derived key.

A question was raised about the process for considering contributions to the addendum; Burt said that contributions would likely be presented and discussed throughout the next year, in parallel with the completion of the base document.

Michael W. raised a question about the RSA primitives in the current editorial contribution and the 6 mod 16 condition, which Burt said he would look into.

Don mentioned that the ISO 10188-3 registry is the basis for encoding hash function information in ISO 14888-3.

We discussed the November meeting plans, not resulting in any conclusion.
Burt said it would be worthwhile to meet again sometime in Europe, not just after Eurocrypt. While a Eurocrypt meeting is useful to present the latest information about the work and gather comments, a full meeting in Europe would also be of value.

Motion 2. (Michael Wiener, Don Johnson) Adjourn. (Approved by acclamation.)

We adjourned at 12:05pm.
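The unified Diffie-Hellman key agreement and the X9.42-style SHA-1 key derivation discussed on Friday, as an added illustration appended to these minutes; it is not part of the original minutes nor of the P1363 or X9.42 drafts. It runs both the two-key-pair case (static with static, ephemeral with ephemeral) and the one-pass case (one party's ephemeral key with the other's static key), then feeds the resulting shared secret value(s) and an OtherInfo string to SHA-1. The group parameters, the OtherInfo contents and the exact octet layout of the derivation input are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy domain parameters, not a vetted P1363/X9.42 group: the
# modulus is the Mersenne prime 2^127 - 1 and the generator 3 is used without
# checking its subgroup order. Enough to show the arithmetic, not for real use.
P = (1 << 127) - 1
G = 3
P_LEN = 16  # octet length of a group element under this toy modulus

def keypair():
    """(private, public) for one party; used for both static and ephemeral keys."""
    x = secrets.randbelow(P - 2) + 1  # 1 <= x <= P-2
    return x, pow(G, x, P)

def unified_dh(own_static_priv, own_eph_priv, peer_static_pub, peer_eph_pub):
    """Two-key-pair case: static with static, ephemeral with ephemeral.
    Both sides obtain the same pair of shared secret values."""
    z_static = pow(peer_static_pub, own_static_priv, P)
    z_ephemeral = pow(peer_eph_pub, own_eph_priv, P)
    return z_static, z_ephemeral

def one_pass_dh(own_priv, peer_pub):
    """One-key-pair case: one party's ephemeral key with the other's static key."""
    return (pow(peer_pub, own_priv, P),)

def derive_key(z_values, other_info):
    """Key derivation in the form the minutes describe for X9.42 (assumed,
    simplified layout): SHA-1 over the shared secret value(s) and other
    parameters, with the full 20-byte SHA-1 output used as keying material."""
    data = b"".join(z.to_bytes(P_LEN, "big") for z in z_values) + other_info
    return hashlib.sha1(data).digest()

def demo():
    """Run both modes end to end; returns (unified keys match, one-pass keys match)."""
    a_s, A_s = keypair(); a_e, A_e = keypair()  # Alice: static, ephemeral
    b_s, B_s = keypair(); b_e, B_e = keypair()  # Bob: static, ephemeral
    info = b"constructed OtherInfo: algorithm id, party ids"
    k_alice = derive_key(unified_dh(a_s, a_e, B_s, B_e), info)
    k_bob = derive_key(unified_dh(b_s, b_e, A_s, A_e), info)
    # One-pass: Alice's ephemeral key combined with Bob's static key.
    k1_alice = derive_key(one_pass_dh(a_e, B_s), info)
    k1_bob = derive_key(one_pass_dh(b_s, A_e), info)
    return k_alice == k_bob, k1_alice == k1_bob

if __name__ == "__main__":
    print(demo())  # (True, True)
```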