Informal Minutes of IEEE P1363 EDITORIAL TELECONFERENCE
September 30, 1997, 10:00am Pacific Time

Participants: Uri Blumenthal, Lily Chen, Louis Finkelstein, Dave Jablon, Don Johnson, David Kravitz, Burt Kaliski, Leo Reyzin, Jerry Solinas, Lisa Yin, Robert Zuccherato

1. Burt introduced the teleconference.

2. Lisa gave an overview of several editorial changes to the document based on the August meeting, which include new material on key derivation and mask generation, and revisions to the EC secret value derivation primitives and the DL/EC key agreement schemes. Uri asked about the differences between KDF-X9.42 and KDF-HMAC, and suggested that a KDF based on the "envelope method" (prepend and append the key, i.e., hash (key || parameters || key)) may be better than the X9.42 approach (prepend only, i.e., hash (key || parameters)). Burt said that this is a technical issue that could be discussed in November. Don commented on the importance of the key derivation parameters P having an unambiguous interpretation (for either KDF), and similarly on the importance of identifying other choices that an application must make. Application notes may be helpful here.

3. David K. brought up the question of the order in which keys are used in two-key key agreement schemes (i.e., how each participant should decide which key is first and which is second, especially in those applications which mix static and ephemeral keys). Burt answered that we are leaving this up to the applications. Don pointed out the importance of ensuring that this decision is unambiguous; otherwise it may be a security risk. Security notes, as well as application notes with concrete suggestions on how to order keys, may be helpful here.

4. Lisa then reviewed MGF-Hash. Don suggested that, for backward compatibility with existing schemes that generate a short mask by hashing, the counter field should not be included for short masks. Burt said that this needs to be done carefully, since if a counter is included for other masks from the same shared secret string, there is the possibility of an extension attack. Lisa suggested that MGF-Hash could behave differently depending on whether the output length is greater than the hash length: if so, use the counter; if not, just do a simple hash. This would be a simple modification. We also discussed the possibility of treating MGF as a stream cipher encryption. Both the construction of MGF-Hash and the introduction of stream cipher encryption can be discussed as technical issues in November.

5. Burt gave a brief update on the P1363 and P1363a PARs. He prepared material for the revised PARs in accordance with the discussion in August, and it is acceptable to the IEEE Standards Board representative who is helping us with IEEE approval. The next steps are Microprocessor Standards Committee approval in October, and then the IEEE Standards Board in December. (The PAR material will be posted to the mailing list.)

6. Lisa presented the changes to ECSVDP-DH. David J. raised some questions about the choice of terms ("public value," "public key," "EC point"), which Burt answered, pointing out the difference between the cases when cofactor multiplication is performed and when it is not. Some further explanation and clarification may be helpful here. David K. recalled the discussion at recent meetings of the case in which neither cofactor multiplication nor (full) public-key verification is performed, as in DL with a subgroup of order (q-1)/2; this should be possible. (Related to this, Leo noted that cofactor multiplication is currently not supported for the DL case, so the scheme does not map the same way for DL and EC. The question of whether to have a DL primitive with cofactor multiplication can be taken up in November.)

7. There was some discussion of ECSVDP-MQV and whether cofactor multiplication is required, related to whether the point at infinity might occur. (If it occurs, it is an error, as in the DH primitive.) Lisa said the two steps t = t + 2^h should not be conditional. There is a need to coordinate with X9.63 here.

8. Lisa reviewed the changes to the DL/ECKAS-DH1 scheme. She mentioned that, related to how the cofactor is handled, there are some changes to the presentation of the scheme (other schemes will be revised similarly to follow the new presentation). Don suggested that the verb "verify" be replaced with "validate," to avoid confusion with signature verification. David K. said we should be careful about the term "cofactor multiplication," which might be more appropriately "cofactor exponentiation" for DL primitives. Burt said that he tried to downplay the actual implementation of public-key verification (validation) by the primitive, so "cofactor multiplication" should not be a significant term in the scheme itself.

9. The next teleconference will be Friday, October 31, 10:00am Pacific time, with an agenda to include conformance, test vectors, and other issues in preparation for November.
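The following Python is an added illustration of the key derivation and mask generation constructions debated in items 2 and 4 above; it is not text from the P1363 draft or from any participant. It assumes SHA-1 as the hash and a 4-byte big-endian counter (the MGF1 layout); neither choice is fixed by the minutes. The KDF variants follow the prepend-only and "envelope" descriptions in item 2, `encode_params` illustrates Don's point about an unambiguous P, and `block_overlap` shows one concrete consequence of the length-dependent MGF rule from item 4 (my reading of the concern, since the minutes do not spell out the attack Burt had in mind): a short mask derived from a different seed reproduces a block of a long mask.

```python
import hashlib

# Hash choice is an assumption for this example; the minutes fix no hash function.
HASH = hashlib.sha1
HLEN = HASH().digest_size  # 20 bytes for SHA-1


def encode_params(*fields: bytes) -> bytes:
    """Length-prefixed encoding so that the parameter string P has exactly one
    parse.  Plain concatenation does not: b"ab"+b"c" == b"a"+b"bc"."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf_prepend(z: bytes, params: bytes) -> bytes:
    """X9.42-style KDF as described in item 2: Hash(Z || P)."""
    return HASH(z + params).digest()


def kdf_envelope(z: bytes, params: bytes) -> bytes:
    """'Envelope' KDF as described in item 2: Hash(Z || P || Z)."""
    return HASH(z + params + z).digest()


def mgf_counter(seed: bytes, out_len: int) -> bytes:
    """Mask generation with a counter: Hash(seed || C0) || Hash(seed || C1) || ...
    truncated to out_len.  The 4-byte big-endian counter is an assumed layout."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def mgf_mixed(seed: bytes, out_len: int) -> bytes:
    """The rule suggested in item 4: a plain Hash(seed) when the mask fits in one
    hash output (backward compatible with existing schemes), the counter
    construction otherwise."""
    if out_len <= HLEN:
        return HASH(seed).digest()[:out_len]
    return mgf_counter(seed, out_len)


def block_overlap(mgf, seed: bytes) -> bool:
    """Does the short mask of a *different* seed (seed || counter 0) equal the
    first block of the long mask of `seed`?  Under the length-dependent rule it
    does, because both are Hash(seed || 00000000); with the counter always
    present the short mask is Hash(seed || 00000000 || 00000000) instead."""
    long_mask = mgf(seed, 2 * HLEN)
    short_mask_of_other_seed = mgf(seed + (0).to_bytes(4, "big"), HLEN)
    return long_mask[:HLEN] == short_mask_of_other_seed


if __name__ == "__main__":
    z = b"constructed shared secret"          # sample input, not a real key
    p = encode_params(b"ALG-ID", b"party A", b"party B")
    print("prepend :", kdf_prepend(z, p).hex())
    print("envelope:", kdf_envelope(z, p).hex())
    print("mixed rule overlaps across seeds :", block_overlap(mgf_mixed, z))
    print("always-counter overlaps across seeds:", block_overlap(mgf_counter, z))
```

The point of `block_overlap` is not that either seed is recoverable, but that a mask-length rule which changes the hash input layout makes masks of different seeds share blocks, which is the kind of interaction that has to be ruled out before the compatibility shortcut is adopted.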
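As an added worked example for the cofactor and public-key validation discussion in items 6 through 8 (not the standard's text and not any participant's code), the Python below builds a toy curve small enough to enumerate, y^2 = x^3 + x over F_67, which has 68 points, so the prime subgroup order is n = 17 and the cofactor is h = 4. On it, a DH secret value derivation primitive is shown both without and with cofactor multiplication, together with a public-key validation step. The constructed case is a public value of small order: the plain primitive accepts it and produces a value that can take at most h distinct outcomes over all private keys, the cofactor variant maps it to the point at infinity (which item 7 says must be treated as an error), and validation rejects it outright. The private keys and the curve are constructed for the example; the exact input/output conventions of ECSVDP-DH in the draft are not reproduced.

```python
# Toy curve for illustration: y^2 = x^3 + x over F_67.  Since 67 = 3 (mod 4)
# this curve is supersingular with p + 1 = 68 points, and 68 = 4 * 17.
P = 67
A, B = 1, 0
INF = None  # the point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine group law on E(F_P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 = -p2, including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def all_points():
    return [INF] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]


def largest_prime_factor(m):
    f, largest = 2, 1
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m) if m > 1 else largest


def group_parameters():
    """(#E, n, h) by brute force: n is the largest prime factor of #E."""
    N = len(all_points())
    n = largest_prime_factor(N)
    return N, n, N // n


def subgroup_generator(h):
    """h*Q has order n whenever it is not infinity, since n is prime."""
    for Q in all_points():
        G = mul(h, Q)
        if G is not INF:
            return G


def small_order_point(n):
    """A point outside the order-n subgroup (here (0,0), of order 2)."""
    for W in all_points():
        if W is not INF and mul(n, W) is not INF:
            return W


def validate_public_key(W, n):
    """Public-key validation (item 8): on the curve, not infinity, n*W = O."""
    return W is not INF and on_curve(W) and mul(n, W) is INF


def ecsvdp_dh(s, W):
    """Secret value derivation without cofactor multiplication: x(s*W)."""
    R = mul(s, W)
    if R is INF:
        raise ValueError("point at infinity is an error (item 7)")
    return R[0]


def ecsvdp_dh_cofactor(s, W, h):
    """With cofactor multiplication: x(h*s*W).  Any W whose order divides h
    is sent to infinity, so it is rejected even without explicit validation."""
    R = mul(h * s, W)
    if R is INF:
        raise ValueError("point at infinity is an error (item 7)")
    return R[0]


def demo():
    N, n, h = group_parameters()
    G = subgroup_generator(h)
    s_a, s_b = 5, 11  # hypothetical private keys in [1, n-1]
    W_a, W_b = mul(s_a, G), mul(s_b, G)
    plain = (ecsvdp_dh(s_a, W_b), ecsvdp_dh(s_b, W_a))
    cof = (ecsvdp_dh_cofactor(s_a, W_b, h), ecsvdp_dh_cofactor(s_b, W_a, h))
    W_bad = small_order_point(n)
    outcomes = set()  # what the plain primitive yields on W_bad over all s
    for s in range(1, n):
        try:
            outcomes.add(ecsvdp_dh(s, W_bad))
        except ValueError:
            outcomes.add("error")
    try:
        ecsvdp_dh_cofactor(s_a, W_bad, h)
        cof_on_bad = "value"
    except ValueError:
        cof_on_bad = "error"
    return {"N": N, "n": n, "h": h,
            "honest_plain_agree": plain[0] == plain[1],
            "honest_cofactor_agree": cof[0] == cof[1],
            "plain_vs_cofactor_differ": plain[0] != cof[0],
            "bad_key_validates": validate_public_key(W_bad, n),
            "plain_outcomes_on_bad_key": len(outcomes),
            "cofactor_on_bad_key": cof_on_bad}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible that the minutes only allude to: honest parties agree with either primitive, but the plain and cofactor primitives give different values, so both sides must use the same one (the interoperability reason behind coordinating with X9.63); and for a small-order public value the plain primitive's output depends only on the private key modulo the small order, which is why the draft pairs the primitive either with cofactor multiplication or with validation.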