Minutes of 12 - 13 November 1363 Meetings

Location: Certicom, Reston, VA

Attendees:

Burt Kaliski*, RSA Laboratories, Chair
Shouichi Hirose, Kyoto University
Don Johnson*, Certicom
Shirley Kawamoto*, Concept Five
David Kravitz*, DIVX
Michael Markowitz*, ISC
Tatsuaki Okamoto, NTT
Allen Roginsky, IBM
Rich Schroeppel*
Ari Singer*, Pitney Bowes
Jerry Solinas*, NSA
Kazuo Takaragi*, Hitachi

*indicates voting member

12 November 1998

Motion 1 (Ari, David): Approve the Agenda (Unanimously approved)

The minutes from the Santa Barbara meeting were reviewed. There was some discussion and corrections were made.

Motion 2 (Don, Mike): Approve the corrected minutes from the previous meeting (Unanimously approved)

Burt will record the changes and forward the minutes to Roger.

Don Johnson updated the working group on what's going on relative to ANSI X9.62. It has now exited the ballot process and is in a public comment period. At the X9.F1 meeting, NIST announced that it will expand DSA to include X9.62. However, NIST will only allow a prime field or, if the field is 2 raised to a power, the power must be a prime.

Officers' Reports

Burt Kaliski - Chair

A letter was received from HP offering reasonable and non-discriminatory licensing on HP's point compression patent application. Mike Matyas for IBM and Roger Schlafly sent in letters authorizing putting their letters re: patents on the 1363 Web site. Burt sent a reminder to Siemens regarding its license to the Schnorr patent.

Burt announced his intention to step down as chair of the working group next year because of other commitments. Details need to be worked out. He also said that Lisa is not planning to be editor of the addendum. However, they will both continue to be involved in the work of the group.

Balloting on 1363 has not started. It appears to be held up in the Microprocessor Standards Committee.

Mike Markowitz - Treasurer

Mike had a power failure that kept him from reporting on exact amounts.
There is approximately $5,200 in the bank account. Over $3K of that is owed to MSC. Also, some amount is owed to UCSB for the previous meeting. Mike will send firm numbers when he gets back.

A discussion of how to handle ballot resolution questions was started.

1363a Presentations:

"An authenticated Diffie-Hellman key agreement protocol" was presented by Shouichi Hirose of Kyoto University
"EPOC: Efficient Probabilistic Public-Key Encryption" was presented by Tatsuaki Okamoto of NTT
"TDH-ESIGN: Efficient Digital Signatures Using Trisection Domain Hash" was presented by Tatsuaki Okamoto of NTT
"A Threshold Digital Signature Issuing Scheme without Secret Communication" was presented by Kazuo Takaragi of Hitachi

In addition to the formal presentations, several suggestions were made for algorithms to consider. When the discussion on the list was completed, it looked like the list on the Web site (http://grouper.ieee.org/groups/1363/addendum.html), numbered 1 - 15 according to the Web site numbering, with a large number of additions given the number 16 with alpha extensions. The additions were:

16a. Deterministic DSA
16b. NR with message recovery
16c. DSA with fewer inverses
16d. Side channel analysis
16e. Key validation for other families
16f. Basis conversion
16g. Improvements on EC arithmetic
16h. RSA keygen
16i. Keygen w/ CA involvement
16j. IF KAS
16k. KEA
16l. Station-to-station protocol
16m. GQ
16n. Schnorr - identification
16o. Schnorr - signature
16p. Work by Micali
16q. Key Sterilization
16r. Gennaro proactive security
16s. El Gamal encryption
16t. Vanstone franking

From there, the submissions, formal and suggested, were categorized. The following list gives the categories and the assignment of the algorithms to the category. The numbering scheme is according to the list on the Web page and the additional items described above. Item 6 from the Web page was subdivided into a. for signature, b. for signcryption, and c. for key agreement.
encryption schemes - 1, 3, 10, 14, 16s
signature schemes (w/ or w/o message recovery) - 6a, 9, 11, 15, 16a, 16b, 16c, 16o
key agreement schemes - 2, 4, 6c, 7, 13, 16j, 16k, 16l
signcryption - 6b
side channel - 16d
identification - 16m, 16n, 16p
number theoretic - 5, 8, 16f, 16g
key generation/validation - 16e, 16h, 16i, 16q
threshold - 12, 16r

1363 algorithms were also classified in this way and a matrix created with columns for the relevant categories and rows for DL/EC or IF. This was done to aid visualization of gaps of standardized techniques in cryptographic families. There was also some interest in making sure that deterministic techniques are also provided where the current algorithms are probabilistic. The result was:

For DL/EC:
encryption: 1, 3, 6a, 10, 16s
signature with appendix: 1363 algorithms are randomized, 6a, 9, 16a, 16c, 16o (6a was mistakenly omitted from the list during the discussion)
signature with message recovery: 16b, 16t
key agreement: several in 1363, 2, 4, 6c, 7, 13, 16k, 16l
identification: 16n

For IF:
encryption: 1363 has one, 3, 14
signature with appendix: deterministic options exist in 1363, 11, 15
signature with message recovery: deterministic options exist in 1363, 11
key agreement: 16j
identification: 16m, 16p

Key gen/Key verification, signcryption, proof of possession and threshold are not currently addressed in the spec. But a case can probably be made that they are within scope of the working group's charter. Key recovery, which was also suggested as a possible topic for 1363a, needs to be explicitly added to the charter if there is a desire to address it.

13 November

The 1363 balloting process was discussed. Current projections are for the ballot body to be closed by the end of the year, ballots to be sent out in January, and comments probably back by March. The June meeting will be used to finalize responses, which will be sent out after that meeting. Allow 15 days to get reactions to the responses.
To allow work to proceed on the responses between meetings, it was proposed that teleconferences be used for discussion. The following process is only applicable to ballot question resolution. Although anyone can participate in the teleconferences, only those who were eligible to vote in any of the last three face-to-face meetings can vote on responses to questions. Any potential voter can make a motion or second to accept the proposed response. The chair will use e-mail to call for a vote. Votes will be due in 10 days. The chair will circulate the results, including how each voter voted, to the working group so that votes can be validated. Results will be sent out in the next meeting minutes. The list of voters will be included in the minutes, but not how they voted.

Motion 3 (Shirley, Ari): Accept the process for voting on responses described above (8 - for, 1 - against, 1 - abstain)

After the vote was taken, it was pointed out that sufficient notice wasn't given to the working group as a whole that a change to procedures was being considered. It was agreed that another vote would be taken at the next meeting to ratify this proposal. Because of the balloting schedule, this process is not likely to be used before the next meeting. If it is, the results may be questioned.

The process for selecting the new chair was discussed. Burt will call for nominations. The date for closing the nominations will be set at the next meeting. The election of the new chair and 1363a editor will be held in June.

Goal schedule for the standard:
1363: ballot 1Q99, responses recirculated 3Q99, approved 4Q99
1363a: ballot 2Q00, responses recirculated 4Q00, approved 1Q01

There was some discussion of how to proceed on 1363a given the large number of schemes submitted. It was agreed that the highest priority will be placed on filling gaps in 1363. Categories of schemes will be considered at the same time. Encryption and signature schemes will be discussed at the next meeting in March.
KAS will probably be next. New submissions must be received one month before the meeting at which the category will be discussed in order to be guaranteed consideration. This means that any ES or SS must be received one month prior to the next meeting to be considered for 1363a.

There was some discussion of the selection process. There was some concern about whether 1363a had critical mass.

There was discussion of the schedule and location of working group meetings. It was pointed out that having one meeting a year outside of the US, perhaps alternating between Europe and Asia, was desirable. Attendees wanted to keep the 3Q meeting next to Crypto. It was stated that the 2Q meeting should be held in the US to maximize the vote on the responses to the ballot questions. There was some interest in trying to have the 1Q meeting in Europe adjacent to the AES conference. 17 - 19 March were proposed. Burt will ask Walter Fumy if Siemens could host the meeting. Mike Markowitz offered to host the June meeting in Chicago.

Motion 4 (Rich, Mike): Adjourn the meeting (Unanimously approved)

Prepared by Shirley Kawamoto, acting secretary