MINUTES

IEEE P1363: Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography

Burt Kaliski opened the meeting at 1:05 pm. The announced agenda was:

MEETING NOTICE

Tuesday, November 1, 1994, 1:00-6:00pm
Holiday Inn at Fair Oaks, Fairfax, Virginia

This fourth meeting of the P1363 working group, open to the public, will review draft sections of a standard for RSA, Diffie-Hellman and other public-key cryptography. The meeting precedes the 2nd ACM Conference on Computer and Communications Security, held November 2-4 at the same location.

AGENDA

1. Approval of Minutes from August Meeting
2. Patent Licensing Update
3. Other Reports
4. Review of Sections
   a. Elliptic curves (Scott Vanstone)
   b. Hardware support (Terry Arnold)
   c. Random number generation (Richard Robertson)
   d. Cryptographic services (Tom Berson)
5. Proposals for New Sections
6. New Work Assignments
7. Meeting Schedule

In attendance, we had

   Rich Ankney
   John Boone
   Whitfield Diffie
   Russell Housley
   *Burt Kaliski, Chair
   *John Kennedy
   Michael Markowitz
   Alfred Menezes
   *Mark Oliver
   *Karen Randall
   *Richard L. Robertson
   Avi Rubin
   *Roger Schlafly, Secretary
   Rob Shirey
   *Scott Vanstone
   Michael J. Wiener

Those marked with an asterisk were qualified to vote, having also attended 2 of the last 3 meetings (and thus 3 of 4, including this one). (We mistakenly let Markowitz vote, but his votes have been stricken from the record.) Karen Randall said that we had a quorum.

Kaliski distributed copies of the meeting announcement (including the agenda) and the minutes from the last meeting.

Motion 1: (Vanstone, Robertson) The agenda is approved. Passed, unanimously.

Robertson pointed out that the published minutes for the Aug. 1993 meeting had a crucial "not" missing from motion 3. Schlafly was embarrassed.

Motion 2: (Robertson, Oliver) Approve the minutes, as corrected. Passed, unanimously.

Kaliski distributed a letter from Jim Bidzos promising a licensing policy for the RSA and Hellman-Merkle patents, and a draft license agreement. This was supposed to meet the IEEE requirements for us to proceed with consideration of an RSA standard.

Schlafly objected that the letter falls short of the requirement that the patent holder exhibit a licensing policy. The letter says that PKP holds the patents and yet it was on RSA Data Security stationery. Bidzos is president of both PKP and RSA Data Security, but he explicitly said that the letter is signed in his capacity as president of RSA Data Security. This raises the question of whether he has the authority to grant a PKP license or to promise a PKP licensing policy.

Housley said that because the PKP partners are in litigation, the likely outcome is that they will split up, and leave each partner with control of its respective patents. This would leave RSA Data Security in a position to make good on Bidzos's promises. Schlafly argued that this was speculative.

There was some discussion about whether the letter would have been acceptable if it came from PKP.

Motion 3: (Robertson, Oliver) We direct the Chair to write a letter to Jim Bidzos that the RSA letter is not satisfactory and that we need a letter from PKP or whoever has licensing authority on the patents. Passed, 7-0-0.

The RSA letter didn't even address use of Diffie-Hellman or ElGamal, so Kaliski will also encourage PKP to write a letter covering those technologies.

Housley and Shirey argued that PKP has issued letters promising licenses in the past, so maybe we should be satisfied with those. Schlafly argued that those letters have been revoked by PKP.

Kaliski distributed a report as follows. (Actually, the part on patents was announced during the previous patent discussion.)

-------------------- begin Chair's Report --------------------

At the August meeting in Santa Barbara, the working group instructed me to investigate three issues, which I'm reporting on in this message and will discuss further at the meeting next week.

1. Help from the IEEE with patent issues. According to Steve Diamond, chair of the Microprocessor Standards Committee, all the working group has to do is secure letters from each patent holder promising reasonable, nondiscriminatory licensing. It is not our responsibility to determine whether a proposed license satisfies the IEEE's requirements; the Standards Board takes care of that when we go to ballot, or perhaps even later. In this sense, the IEEE helps us avoid getting into endless discussions on patents. We just have to identify the patented technologies, and have the patent holders give IEEE the letter of assurance; then we can draft the affected sections of the standard.

2. Referencing other standards. We can reference standards and documents published outside the IEEE, but it is preferable to cite work by an accredited standards organization. FIPS are considered among the accredited standards (as, I assume, are ANSI, ISO and CCITT documents).

3. Liaison with other committees. Joint membership, informal exchange of information and the like are not only permissible, but encouraged. Thus, we should encourage representatives of ISO, ANSI, etc. to report on work related to ours. The formal channel is for advancement of documents and development of national positions; the Microprocessor Standards Committee handles this for us. In addition, we are required to circulate drafts to several committees, as listed on our Project Authorization Request. Among them are IEEE Security and Privacy; ASC X3; ISO/IEC JTC 1 SC 26 US TAG; ISO/IEC JTC 1 SC 27 US TAG; and IEEE P802.10.
(Although we have draft sections of the standard, we don't yet have an integrated draft standard, so I assume we don't have to circulate anything quite yet.)

-------------------- end Chair's Report --------------------

Review of sections.

Vanstone and Menezes distributed a new draft of the elliptic curves section. They changed the signature scheme to be more like the DSA because of some concerns about the Schnorr patent, and added a signature scheme with message recovery. Some additional detail and explanatory material was added. After some discussion, they claimed the earlier draft actually uses a formula in the prior art before the Schnorr patent, so perhaps that concern was unwarranted.

Markowitz had some minor technical corrections to the draft.

Vanstone and Menezes threw several topics out for consideration. Should they discuss hardware or software implementations? Is the signature scheme acceptable? Is it better to compress the y coordinate down to one bit, at the cost of maybe 30% more processing time (in characteristic > 2)? Should all users share a curve, or should the curve be included as part of the public key?

Menezes said progress had been made on algorithms for counting the points on an elliptic curve, and that freeware was likely to be available soon.

Arnold was not present, so we skipped the Hardware support section.

Robertson had a new draft of the Random number generation section. He added a statistical test from FIPS 140-1, which includes a failure if two successive words are equal. He wants to specify algorithms to get random numbers based on disk drive turbulence and on random keystrokes. He was looking into an AT&T method using diode bias.

Berson was not here to discuss Cryptographic services, but he has completed a draft for the rest of us to work on. Randall had some definitions from other standards which she promised to send.

Kaliski announced that a fee of $24 per head must be collected in order to pay for the hotel room.
Actually, $16 is for the room and $8 is an optional payment to subsidize IEEE's participation in international standards organization.

Motion 4: (Oliver, Kennedy) Markowitz is today's treasurer. Passed, unanimously.

We took a lengthy break, and resumed at 4:00.

Kaliski reported that David Aucsmith still wants to be our editor, even though he has missed three meetings.

Motion 5: (Schlafly, Kennedy) We appoint Oliver Co-editor. Passed, unanimously.

Oliver will start on Randall's definitions.

Finally, we turned to the scheduling of upcoming meetings. Following the 1994 pattern, we'd like to meet in conjunction with some related conference. The main choices were having the first 1995 meeting at the RSA Data Security conference in January or the ISO conference in San Diego on February 16-17. Most people could attend either, but preferred the RSA Data Security conference.

There was some sentiment towards holding a meeting in Europe to encourage more foreign participation. The obvious choice is EuroCrypt, held in Brittany, France in May 1995. However, several people thought the location was inconvenient, and Randall said France has strikes that time of year.

Motion 6: (Oliver, Robertson) Schedule the next three P1363 meetings on or about:

   Jan. 12, 1995, RSA Data Security, Redwood City, Calif.
   May 10, 1995, IEEE Security & Privacy, Oakland, Calif.
   Aug., 1995, Crypto '95, Santa Barbara, Calif.

Passed, unanimously.

Motion 7: (Oliver, Vanstone) Adjourn. Passed, unanimously.

We adjourned at 5:00 pm.