Informal Minutes of the P1363 Teleconference on Friday, October 25, 1996, beginning at 11 am PDT.

In attendance: Uri Blumenthal, Don Johnson, Burt Kaliski, Alfred Menezes, Leo Reyzin, Roger Schlafly, Jerry Solinas, Lisa Yin

Issues discussed:

1. Jerry reported that he had finished appendix F, adding material on prime generation and formulas for elliptic curve operations with projective coordinates, and incorporating corrections from Roger. He had sent softcopy to Lisa, and would be supplying new material on polynomial and normal bases in the next few days.

2. Don said that the subcommittee on encryption schemes was making progress, pointing to discussions on Yuliang Zheng's proposal on stds-p1363. He said that Mike Matyas had agreed to submit a proposal. Phil Rogaway had some preliminary results, not yet ready for distribution, and was working with Mihir Bellare, trying to reduce random oracle assumptions. So far, Yuliang Zheng's proposal is the only one ready to discuss, and it might be better to wait for others. He asked whether we were planning to have test cases in the standard. The general consensus was that we were waiting until the schemes are finalized.

3. Alfred reported that some implementation of the math appendix was underway at Certicom, and comments would be sent to Jerry. He said he would be available to work more on the rationale and other sections, including a security note on characteristic 2 discrete logarithm systems.

4. Roger said he'd worked through some of Jerry's appendix, and had some minor questions.

5. Uri said he'd had some discussions with Don about methods for generating or selecting elliptic curves. Uri believes the CM method is the best method (with attention to characteristic 2).

Don noted that at a recent ANSI meeting, both the CM method and the random method were proposed, but Mark Unkenholz of NSA asked that the CM method be deleted, since it was felt that there might be more structure in curves selected by the CM method than was suitable for banking applications, and that random selection was the most conservative approach. (However, no weakness is currently known with the CM method.) Uri said he'd discussed this issue with Shigeo Tsujii, who felt that such structure would be in random curves as well. Jerry noted that all curves have complex multiplication, not just those generated by the CM method. (Alfred observed that the CM method gives curves with small complex multiplication discriminant.) Don said that in the ANSI standard, 100 curves will be given, in addition to those with full details for examples, to avoid the need to generate curves, though generating new ones is also acceptable. Uri said also that he felt that CM is the only "affordable" method, though Alfred pointed out that Schoof's algorithm has been improved various times, including Morain's method, which is now down to 4 minutes for 2^155 for a random curve. About 100 curves need to be tried in order to find one whose order is almost prime. Uri replied that CM is still much faster, and one can specify the order. Burt said that this would make a good discussion for the rationale in the standard: why are both the CM and the random method specified?

6. Lisa reported that they had been working on addressing editorial issues based on discussions at the August meeting. They raised a few issues. Two issues she'd like to reconsider:

(1) ISO 9796 - new one or old one? The new one has the problem that it mandates partial message recovery, so that a part of the message must be put into the signature block, which does not fit with our current model. (She noted that the BR format for signatures has a partial message recovery variant.)

(2) In the Rabin-Williams verification process, ISO 9796 mandates a special padding of the message in order to get the correct root during the verification. This is different from what we are doing now for RSA, and we'd need a new data format. What are the advantages?

Don said that if he didn't like message recovery, he wouldn't like partial message recovery either, and felt that ISO 9796 as a signature with appendix would be better than as one with message recovery. Leo pointed out that without message recovery we would not be compatible with the new ISO 9796 (at least the draft version distributed at the August meeting). Lisa offered to get more information from Guillou.

7. Burt reported that he had requested a change in the name of the working group as directed at the August meeting, and also took advantage of the opportunity to ask for a one-year extension in the project (to June 1998). [[Note: He later learned that since a name change is treated similarly to a new project, IEEE approval of the name change would give a four-year project period automatically, presumably through December 2000.]] He also said that he'd sent out the solicitation on patent coverage that had been proposed at the August meeting.

Burt also brought up the discussion of separating the document into multiple parts, to simplify the process of approval, motivated by a desire to continue work on the schemes, which are still changing, separately from the primitives, which are more stable. (The proposal appeared as a message to stds-p1363.) Roger inquired about the time-frame; Burt's suggestion was to discuss this at the next meeting and to finalize the primitives at the meeting after that. Jerry pointed out that by committing to certain primitives we may be committing ourselves to certain schemes as well (e.g., whether or not to include a Schnorr signature primitive). Don asked whether we want a half or full solution. He observed that when PKCS was published it gave not only RSA primitives but also formatting to make it usable and concrete. He said that he is optimistic on submissions for encryption schemes, to be discussed at the November meeting. Alfred suggested that we might include only noncontroversial material in a first version. Burt said he felt that standardization on primitives only was useful to settle definitions, so we can move ahead in other areas, such as the schemes. Further discussion was postponed until the November meeting.

8. November meeting plan. Burt said that the plan for the November meeting was to deal with the document status, various technical issues, the encryption schemes, and the rationale section, covering what's in the document and what's not. Don mentioned that he had forwarded Rich Ankney's comments on ASN.1 syntax to Lisa for editorial consideration. Leo said he would like to get a lot sorted out in the meeting, and recommended that any opinions be stated on the list before the meeting, so there's less need to explain them at the meeting. Lisa said she would send a list of questions about the document, to which others could add. Burt agreed to remind people to prepare their input for the meeting. Don said that an important question is what to have in the standard, reiterating the need to settle the rationale section. Based on a suggestion by Alfred, Burt offered to post a more detailed meeting agenda, organized by half-days.

We concluded at noon Pacific Time.