
Page 1: Revised 08/16/1999 IEEE P1363: Standard Specifications for Public-Key Cryptography Burt Kaliski Chair, IEEE P1363 August 17, 1999

Revised 08/16/1999

IEEE P1363: Standard Specifications for Public-Key Cryptography

Burt Kaliski
Chair, IEEE P1363

August 17, 1999

Page 2: Outline

- The history
  - scope and objective of P1363
  - highlights of the development process
- The present
  - review of techniques in the P1363 document
  - some rationale
- The future
  - preview of P1363a effort
  - new officers, new projects

Page 3: The History

Page 4: What is P1363?

- Emerging IEEE standard for public-key cryptography based on three families:
  - Discrete Logarithm (DL) systems
  - Elliptic Curve Discrete Logarithm (EC) systems
  - Integer Factorization (IF) systems
- Sponsored by Microprocessor Standards Committee

Page 5: Objective and Scope

- Objective
  - to facilitate interoperable security by providing comprehensive coverage of public-key techniques
- Scope
  - cryptographic parameters and keys
  - key agreement, digital signatures, encryption

Page 6: Existing Public-Key Standards

- Standards are essential in several areas:
  - cryptographic schemes
  - key representation
- Some work in each area, but no single comprehensive standard ...
  - ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63
  - ISO/IEC 9796, 10118, 14888
  - PKCS
  - FIPS 180-1, 186-1

Page 7: P1363: A Different Kind of Standard

- A set of tools from which implementations and other standards can be built
  - framework with selectable components: applications are expected to “profile” the standard
    - example: signature scheme is based on a particular mathematical primitive (e.g., RSA) with selectable key sizes and “auxiliary” functions (hashing, message encoding)
  - functional specifications rather than interface specifications

Page 8: Highlights

- Comprehensive
  - three families; a variety of algorithms
- Adoption of new developments
  - “unified” model of key agreement
  - “provably secure” encryption
  - key and parameter validation
- A forum for discussing public-key crypto
  - active discussion mailing list
  - web site for new research contributions

Page 9: History and Status

- First meeting January 1994
- Up to now, 23 working group meetings
- In 1997, the project split into P1363 and P1363a
  - to facilitate the completion of established techniques
  - to provide a forum for discussion of newer techniques without the pressures of immediate standardization

Page 10: P1363 vs. P1363a

- P1363 (base standard)
  - established techniques
  - goal: timely publication (balloting nearly complete)
- P1363a (supplement)
  - some items in need of more research deferred from P1363
  - outline currently being developed
  - goal: thorough study and input from the community

Page 11: The Present

Page 12: P1363 Outline

- Overview
- References
- Definitions
- Type of crypto tech.
- Math conventions
- DL primitives
- EC primitives
- IF primitives
- Key agreement schemes
- Signature schemes
- Encryption schemes
- Message encoding
- Key derivation
- Auxiliary functions
- Annexes

Page 13: Summary of Techniques

- Discrete Logarithm (DL) systems
  - Diffie-Hellman, MQV key agreement
  - DSA, Nyberg-Rueppel signatures
- Elliptic Curve (EC) systems
  - elliptic curve analogs of DL systems
- Integer Factorization (IF) systems
  - RSA encryption
  - RSA, Rabin-Williams signatures

Page 14: Primitives vs. Schemes

- Primitives:
  - basic mathematical operations (e.g., c = m^e mod n)
  - limited-size inputs, limited security
- Schemes:
  - operations on byte strings, including hashing, formatting, other auxiliary functions
  - often unlimited-size inputs, stronger security
- Implementations can conform with either

Page 15: DL Primitives

- DL systems
  - security based on discrete logarithm problem over a finite field (GF(p) or GF(2^m))
- Secret value derivation
  - Diffie-Hellman and MQV
  - two flavors: with or without cofactor multiplication
- Signature and verification
  - DSA
  - Nyberg-Rueppel, has message recovery capability

Page 16: EC Primitives

- EC systems
  - security based on discrete logarithm problem over an elliptic curve
  - choices of field: GF(2^m) and GF(p)
  - representation of GF(2^m): normal and polynomial basis
- Primitives are analogous to DL

Page 17: IF Primitives

- IF systems
  - security based on integer factorization problem
  - RSA has odd public exponent, RW has even public exponent
- Encryption and decryption
  - RSA
- Signature and verification
  - RSA and Rabin-Williams
  - both have message recovery capability

Page 18: Key Agreement Schemes

- General model
  - establish valid domain parameters
  - select one or more valid private keys
  - obtain other party’s one or more “public keys”
  - (optional) validate the public keys
  - compute a shared secret value
  - apply key derivation function

Page 19: DL/EC Key Agreement Schemes

- DH1
  - “traditional” Diffie-Hellman
  - one key pair from each party
- DH2
  - Diffie-Hellman with “unified model”
  - two key pairs from each party
- MQV
  - two key pairs from each party

Page 20: Signature Schemes

- General model
  - signature operation
    - select a valid private key
    - apply message encoding method and signature primitive to produce a signature
  - verification operation
    - obtain the signer’s “public key”
    - (optional) validate the public key
    - apply verification primitive and message encoding method to verify the signature (and recover the message in certain schemes)

Page 21: DL/EC Signature Schemes

- DSA with appendix
  - hash function followed by DSA primitive
  - with SHA-1, appropriate parameter sizes, consistent with Digital Signature Standard
- Nyberg-Rueppel with appendix
  - hash function followed by Nyberg-Rueppel primitive
- EC analogs of the above

Page 22: IF Signature Schemes

- RSA, RW with appendix
  - ANSI X9.31 message encoding followed by primitive
- RSA, RW with message recovery
  - ISO/IEC 9796-1 message encoding followed by primitive
  - limited message size

Page 23: IF Encryption Scheme

- RSA
  - Bellare-Rogaway “Optimal Asymmetric Encryption Padding” followed by RSA primitive
  - authenticated encryption, control information is optional input
  - limited message size
- General model for encryption to be included in later version

Page 24: Message Encoding and Key Derivation

- Message encoding methods
  - for signature
    - hashing, ANSI X9.31, ISO/IEC 9796
  - for encryption
    - OAEP
- Key derivation function
  - follows ANSI X9.42
  - Hash (secret value || parameters)
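
The general model from the Key Agreement Schemes slide, run end to end for the one-key-pair-per-party (DH1) case and finished with the Hash (secret value || parameters) key derivation; this is an added example, not code from the slides or from the P1363 document. The toy group (p = 2039, q = 1019, g = 4), the function names, and the fixed-length big-endian encoding of the secret value are assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed toy domain parameters (assumption, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def validate_domain(p, q, g):
    """Step 1: domain parameters are valid if g has prime order q in GF(p)*."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def generate_keypair(p, q, g):
    """Step 2: private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public_key(y, p, q):
    """Step 4: reject 0, 1 and any element outside the order-q subgroup."""
    return 1 < y < p and pow(y, q, p) == 1


def kdf(z, params, p):
    """Step 6: Hash(secret value || parameters).

    The secret value is encoded big-endian at the byte length of p
    (assumption). SHA-1 is used because the slides list it; pick a
    current hash function in a new design.
    """
    z_bytes = z.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha1(z_bytes + params).digest()


def agree(own_private, peer_public, params, p=P, q=Q, g=G):
    """Steps 1, 4, 5 and 6 for one party; raises ValueError on bad input."""
    if not validate_domain(p, q, g):
        raise ValueError("invalid domain parameters")
    if not validate_public_key(peer_public, p, q):
        raise ValueError("invalid public key")
    z = pow(peer_public, own_private, p)   # step 5: shared secret value
    return kdf(z, params, p)


if __name__ == "__main__":
    xa, ya = generate_keypair(P, Q, G)
    xb, yb = generate_keypair(P, Q, G)
    info = b"constructed-session-info"
    print(agree(xa, yb, info) == agree(xb, ya, info))
```

Skipping the validation step would let a peer supply a value such as p - 1, which lies in a subgroup of order 2 and confines the shared secret value to two possibilities.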

Page 25: Auxiliary Functions

- Hash functions
  - hash from arbitrary length input
  - SHA-1, RIPEMD-160
- Mask generation functions
  - arbitrary length input and output
  - Hash (message, 0), Hash (message, 1), ...
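
An added example (not from the slides or the P1363 text) of a counter-based mask generation function and how an OAEP-style encoding uses it, including the optional control information and the message-size limit mentioned on the IF Encryption Scheme slide. The 4-byte big-endian counter and the field layout are modelled on MGF1 and OAEP as published in PKCS #1 and are assumptions here, since the slides give neither; the RSA primitive that would follow the encoding is omitted.

```python
import hashlib
import os

HLEN = hashlib.sha1().digest_size  # 20 bytes; SHA-1 as listed on the slides


def mgf(seed, out_len):
    """Hash(seed, 0) || Hash(seed, 1) || ... truncated to out_len bytes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg, k, control=b"", seed=None):
    """Encode msg for a k-byte modulus; control is the optional extra input."""
    max_len = k - 2 * HLEN - 2          # the "limited message size"
    if len(msg) > max_len:
        raise ValueError("message too long")
    seed = os.urandom(HLEN) if seed is None else seed
    if len(seed) != HLEN:
        raise ValueError("seed must be HLEN bytes")
    # Data block: Hash(control) || zero padding || 0x01 || message
    db = (hashlib.sha1(control).digest()
          + b"\x00" * (max_len - len(msg)) + b"\x01" + msg)
    masked_db = xor(db, mgf(seed, len(db)))
    masked_seed = xor(seed, mgf(masked_db, HLEN))
    # Leading zero byte keeps the integer below any k-byte modulus.
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, k, control=b""):
    """Invert oaep_encode; every failure raises the same error."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf(masked_db, HLEN))
    db = xor(masked_db, mgf(seed, len(masked_db)))
    sep = db.find(b"\x01", HLEN)
    ok = (em[0] == 0
          and db[:HLEN] == hashlib.sha1(control).digest()
          and sep != -1
          and not any(db[HLEN:sep]))
    if not ok:
        raise ValueError("decoding error")
    return db[sep + 1:]


if __name__ == "__main__":
    em = oaep_encode(b"constructed message", 64, control=b"ctx")
    print(oaep_decode(em, 64, control=b"ctx"))
```

The control information is bound into the encoding through its hash, so decoding with different control information fails in the same way as a modified encoding does.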

Page 26: Annexes

- Annex A: Number-theoretic background
- Annex B: Conformance
- Annex C: Rationale
- Annex D: Security considerations
- Annex E: Formats
- Annex F: Bibliography
- Test vectors to be posted on the web

Page 27: Annex A

- Annex A: Number-Theoretic Background (Informative)
  - many number-theoretic algorithms for prime-order and binary finite fields
  - complex multiplication (CM) method for elliptic curve generation
  - primality testing and proving

Page 28: Annex B

- Annex B: Conformance (Normative)
  - language for claiming conformance with parts of the standard
  - an implementation may claim conformance with one or more primitives, schemes or scheme operations

Page 29: Annex C

- Annex C: Rationale (Informative)
  - some questions the working group considered ...
  - why is the standard the way it is?

Page 30: General Questions

- Why three families?
  - all are well understood, established in marketplace to varying degrees
  - different attributes: performance, patents, etc.
  - goal is to give standard specifications, not to give a single choice
- Why no key sizes?
  - security requirements vary by application, strength of techniques vary over time
  - goal is to give guidance but leave flexibility

Page 31: DL/EC Questions

- Why DH and MQV?
  - DH established, more flexible with unified model
  - MQV optimized for ephemeral/static case
- Why DSA and NR?
  - DSA in U.S. federal standard
  - NR involves less hardware in some implementations, provides for message recovery

Page 32: IF Questions

- Why RSA and RW?
  - RSA established, also supports encryption
  - RW signature verification faster with e = 2, supported along with RSA by ISO/IEC 9796, ANSI X9.31

Page 33: Annex D

- Annex D: Security Considerations (Informative)
  - key management (authentication, generation, validation)
  - security parameters (key sizes)
  - random number generation
  - emphasis on common uses and secure practice

Page 34: Annex E

- Annex E: Formats (Informative)
  - suggested interface specifications, such as representation of mathematical objects and scheme outputs

Page 35: Ballot Status

- IEEE P1363 ballot started February 1999
- Ballot passed, many comments received
- Recirculation ballot in progress
  - based on revised document, response to negative votes
- Document submitted for IEEE RevCom approval at its September meeting

Page 36: The Future

Page 37: Preview of P1363a

- P1363a will provide “missing pieces” of P1363
- It is intended that the two documents will be merged during future revisions
- Working group has received numerous submissions (see web site)
- Four submissions will be presented on Thursday afternoon (Aug. 19)
  - some may be more appropriate for other P1363 projects

Page 38: Proposed Outline for P1363a

- Key agreement schemes (TBD)
- Signature schemes
  - DL/EC scheme with message recovery
  - PSS, FDH, PKCS #1 encoding methods for IF family
  - PSS-R for message recovery in IF family
- Encryption schemes
  - Abdalla-Bellare-Rogaway DHAES for DL/EC family

Page 39: Beyond P1363a

- Simple, self-contained projects
  - each separately authorized by IEEE, developed and balloted
  - same working group oversees
- Another supplement: P1363b for similar techniques
  - e.g., “provably secure” schemes, other families
- New projects: P1363.1, .2, .3, … for other types of technique

Page 40: New Project Ideas (1)

- Key and domain parameter generation and validation
- Threshold cryptosystems
- Key establishment protocols
- Entity authentication protocols
- Proof-of-possession protocols
- Guidelines for implementations
  - updated security considerations, key size recommendations, interoperability issues, etc.

Page 41: New Project Ideas (2)

- Conformance testing
- ASN.1 syntax
- S-expression syntax
- Identification schemes
- Password-based security protocols
- Fast implementation techniques and number-theoretic algorithms
- Editors needed!

Page 42: Officers

- New slate of officers to be elected in September for two-year terms, under new bylaws
  - Chair
  - Vice-chair
  - Primary editor
  - Secretary
  - Treasurer
- Send nominations to Burt Kaliski -- self-nominations accepted

Page 43: Meetings in 1990

- August 19-20, University Center State Street Room, UC Santa Barbara
  - Thursday 2:00-5:30pm
  - Friday 8:30-5:00pm
- November (?) to be announced

Page 44: For More Information

- Web site
  - grouper.ieee.org/groups/1363
  - publicly accessible research contributions and P1363a submissions
- Two mailing lists
  - general announcements list, low volume
  - technical discussion list, high volume
  - everybody is welcome to subscribe
    - web site contains subscription information

Page 45: Current Officers

- Chair: Burt Kaliski, [email protected]
  - officer nominations, P1363a submissions, new project ideas
- Vice-chair: Terry Arnold, [email protected]@merdan.com
- Secretary: Roger Schlafly, [email protected]
- Treasurer: Michael Markowitz, [email protected]@infosseccorp.com
- Editor: Yiqun Lisa Yin, [email protected]
  - P1363 comments