Informal Minutes of the P1363 Teleconference on Friday, September 27, 1996, beginning at 10 am PDT. In attendance: Don Johnson, Burt Kaliski, John Kennedy, Leo Reyzin, Roger Schlafly, Lisa Yin Issues discussed: 1) Progress of the subcommittee on encryption schemes: Johnson reported that there has been input from Bellare and Rogaway and he was still waiting for input from Matyas, whom he would see shortly. 2) Kennedy mentioned that X9.42 was almost complete, and would go to ballot within a week (he hopes). He is adding a section to discuss P1363 alignment. We noted that we are still unsure how P1363 will turn out, but X9.42 will not wait for P1363, so we will have to take that on later by, say, making small modifications to X9.42. Kennedy also mentioned that the parameter generation he adopted from Schlafly's note may be useful for P1363 as well. 3) Kaliski reported that he has the paperwork necessary for the title change of the standard. He also asked for opinion on the patent letter he was about to send, which was generally favorable. He noted that he will add a request to send a non-binding negative response if a party believes it holds no relevant patents. He will also make it clear that the note requests information on patents all over the world, not just the United States. 4) We discussed Schnorr's suggestion regarding DSA. After some discussion, the general consensus was that there are many possible attacks against DSA, and it is really an issue of trusting your parameters. People seemed to agree that it may be better to note possible problems with trusting or not trusting parameters as a security note rather than modify the algorithm. Schlafly noted that we may add some sort of parameter checking scheme as part of the toolbox that the standard provides. 5) We also discussed Schnorr's suggestion regarding Schnorr signature schemes vs. DSA vs. Nyberg-Rueppel. People agreed on the importance of keeping DSA because it is a US standard. There was no consensus on why exactly Nyberg-Rueppel was included. Schnorr signatures have a disadvantage of not fitting neatly into our current model which presents signature schemes in a modular form with a hash function (or a data format) and a signature primitive. People agreed that the model will have to be justified if we are to use this as a rationale point. 6) We then reviewed the comments received from Bellare and Rogaway. On the key agreement (points 1.1-1.4 in their email note), we noted that our schemes are flow-free; their comments are more applicable to what we would call "protocols" rather than what we call "schemes." It was therefore agreed to ask the for clarification on how their comments would apply to our model of flow-free schemes. The general consensus was that we did not want to include the protocol issues as part of the standard (at least not in the normative text). Comment 1.5 was interpreted as MQV being too complex; we decided to bring that up at the meeting. 7) On their point on the Nyberg-Rueppel signature scheme (2.1-2.3), we agreed that we need to take up again the issue of whether Nyberg-Rueppel signatures should be in the standard. On 2.3, the general consensus was that DSA should not be generalized because making things too general makes it even harder to standardize. 8) On 3.1, we agreed that unless the committee decides to allow message recovery, there is no need to allow message recovery in DFS-BR. On 3.2, we asked the subcommittee to consider what are the advantages and disadvantages of decoupling the length; there were some concerns about the possibility of spoofing. On 3.3, it was commented that while ISO 9796 signature scheme may indeed be ad. hoc., we should at least provide a way to support it within P1363, because it is an international standard. It was pointed out that proper security notes should be added. 9) Dropping DLES and ECES and decoupling hash-output from other parameters in OAEP (4.1 and 4.2) were left until the subcommittee comes up with a more comprehensive recommendation. 10) Yin noted that Fiat-Shamir key agreement comment (5.1) was withdrawn (there is no Fiat-Shamir key agreement). The consensus on Fiat-Shamir signature (5.2) was similar to that for the Schnorr signature scheme. 11) Improving the hash function or restricting it to the first part of the output (6.1) was taken as a good point. The consensus was to revisit the technical issues on hash functions (6.1-6.3), especially as part of the subcommittee's work. 12) Notation and auxiliary function naming (7.1 and 7.2) were left up to the editor. On 7.3, it was decided to leave the ordering of the families alphabetical for now, because what is more familiar varies from user to user. 13) After some discussion of Zheng's comments, people seemed to agree that it would be better to avoid naming techniques after their inventors (except for, possibly, well-known ones such as Diffie-Hellman or RSA), and rather give references to appropriate literature. Otherwise, it was pointed out, it would be hard to know how far down the chain the acknowledgments should end (people seemed to object to going all the way back to Gauss). Regarding the universal hash function, it was agreed for the subcommittee to review it for possible inclusion into the standard. 14) There was general consensus that all the people who provided comments should be thanked and replied to before the November meeting. However, any official response from the working group will have to wait until the meeting. Also, there was a generally accepted suggestion that if people want to include some new material into the standard, it would be easier for the working group to make a decision if at least a preliminary version of such text were written up in time for the meeting to consider it. It was therefore decided that we would suggest that to all the people commenting on our draft to provide some text if they want something in particular to be included. Ideally we would be able to just paste such text into the standard. 15) People agreed that more discussion on the mailing list would be useful. We adjourned at about 11:30 am PDT.