Revised 08/16/1999

IEEE P1363: Standard Specifications for Public-Key Cryptography

Burt Kaliski, Chair, IEEE P1363
August 17, 1999

Outline

- The history
  - scope and objective of P1363
  - highlights of the development process
- The present
  - review of techniques in the P1363 document
  - some rationale
- The future
  - preview of P1363a effort
  - new officers, new projects

The History

What is P1363?

- Emerging IEEE standard for public-key cryptography based on three families:
  - Discrete Logarithm (DL) systems
  - Elliptic Curve Discrete Logarithm (EC) systems
  - Integer Factorization (IF) systems
- Sponsored by Microprocessor Standards Committee

Objective and Scope

- Objective
  - to facilitate interoperable security by providing comprehensive coverage of public-key techniques
- Scope
  - cryptographic parameters and keys
  - key agreement, digital signatures, encryption

Existing Public-Key Standards

- Standards are essential in several areas:
  - cryptographic schemes
  - key representation
- Some work in each area, but no single comprehensive standard ...
  - ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63
  - ISO/IEC 9796, 10118, 14888
  - PKCS
  - FIPS 180-1, 186-1

P1363: A Different Kind of Standard

- A set of tools from which implementations and other standards can be built
  - framework with selectable components: applications are expected to “profile” the standard
  - example: signature scheme is based on a particular mathematical primitive (e.g., RSA) with selectable key sizes and “auxiliary” functions (hashing, message encoding)
  - functional specifications rather than interface specifications

Highlights

- Comprehensive
  - three families; a variety of algorithms
- Adoption of new developments
  - “unified” model of key agreement
  - “provably secure” encryption
  - key and parameter validation
- A forum for discussing public-key crypto
  - active discussion mailing list
  - web site for new research contributions

History and Status

- First meeting January 1994
- Up to now, 23 working group meetings
- In 1997, the project split into P1363 and P1363a
  - to facilitate the completion of established techniques
  - to provide a forum for discussion of newer techniques without the pressures of immediate standardization

P1363 vs. P1363a

- P1363 (base standard)
  - established techniques
  - goal: timely publication (balloting nearly complete)
- P1363a (supplement)
  - some items in need of more research deferred from P1363
  - outline currently being developed
  - goal: thorough study and input from the community

The Present

P1363 Outline

- Overview
- References
- Definitions
- Types of cryptographic techniques
- Math conventions
- DL primitives
- EC primitives
- IF primitives
- Key agreement schemes
- Signature schemes
- Encryption schemes
- Message encoding
- Key derivation
- Auxiliary functions
- Annexes

Summary of Techniques

- Discrete Logarithm (DL) systems
  - Diffie-Hellman, MQV key agreement
  - DSA, Nyberg-Rueppel signatures
- Elliptic Curve (EC) systems
  - elliptic curve analogs of DL systems
- Integer Factorization (IF) systems
  - RSA encryption
  - RSA, Rabin-Williams signatures

Primitives vs. Schemes

- Primitives:
  - basic mathematical operations (e.g., c = m^e mod n)
  - limited-size inputs, limited security
- Schemes:
  - operations on byte strings, including hashing, formatting, other auxiliary functions
  - often unlimited-size inputs, stronger security
- Implementations can conform with either

DL Primitives

- DL systems
  - security based on discrete logarithm problem over a finite field (GF(p) or GF(2^m))
- Secret value derivation
  - Diffie-Hellman and MQV
  - two flavors: with or without cofactor multiplication
- Signature and verification
  - DSA
  - Nyberg-Rueppel, has message recovery capability

EC Primitives

- EC systems
  - security based on discrete logarithm problem over an elliptic curve
  - choices of field: GF(2^m) and GF(p)
  - representation of GF(2^m): normal and polynomial basis
- Primitives are analogous to DL

IF Primitives

- IF systems
  - security based on integer factorization problem
  - RSA has odd public exponent, RW has even public exponent
- Encryption and decryption
  - RSA
- Signature and verification
  - RSA and Rabin-Williams
  - both have message recovery capability

Key Agreement Schemes

- General model
  - establish valid domain parameters
  - select one or more valid private keys
  - obtain other party’s one or more “public keys”
  - (optional) validate the public keys
  - compute a shared secret value
  - apply key derivation function

DL/EC Key Agreement Schemes

- DH1
  - “traditional” Diffie-Hellman
  - one key pair from each party
- DH2
  - Diffie-Hellman with “unified model”
  - two key pairs from each party
- MQV
  - two key pairs from each party

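The key agreement general model and the DH1/DH2 slides above, worked through in code. This is an added example, not code from the P1363 document: it walks the six steps of the general model over GF(p), with full public-key validation (range check plus subgroup membership) and an ANSI X9.42-style key derivation function Hash(secret value || counter || other info). The domain parameters p = 23, q = 11, g = 4 are a constructed toy group chosen so the arithmetic is visible; they provide no security, and all function names are the example's own.

```python
"""Diffie-Hellman key agreement over GF(p) in the DH1 (one key pair per party)
and DH2 "unified model" (two key pairs per party) shapes, with public-key
validation and an X9.42-style KDF.  Added example, not P1363's own code."""
import hashlib
import secrets

# Constructed toy domain parameters: p and q prime, q | p-1, g of order q mod p.
P, Q, G = 23, 11, 4


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def validate_domain_parameters(p, q, g):
    """Step 1 of the general model: establish valid domain parameters."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0
            and 1 < g < p and pow(g, q, p) == 1)


def generate_key_pair(p, q, g):
    """Step 2: a valid private key is an integer in [1, q-1]; y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public_key(y, p, q):
    """Step 4 (optional in the model, but it is the check that stops a peer from
    confining the shared secret to a small subgroup): y in range and of order q."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def secret_value(x, y_other, p, q):
    """Step 5: DL secret value derivation z = y_other^x mod p.
    A public key that fails validation is rejected rather than used."""
    if not validate_public_key(y_other, p, q):
        raise ValueError("invalid public key")
    return pow(y_other, x, p)


def kdf(shared_secret, other_info, key_len, hash_fn=hashlib.sha1):
    """Step 6: Hash(Z || counter || other_info) blocks concatenated and truncated
    to key_len bytes; the counter is a 32-bit big-endian integer starting at 1."""
    out = b""
    counter = 1
    while len(out) < key_len:
        out += hash_fn(shared_secret + counter.to_bytes(4, "big") + other_info).digest()
        counter += 1
    return out[:key_len]


def int_to_bytes(z, p):
    """Encode a field element as a fixed-width byte string (width set by p)."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def dh1_key(x, y_other, other_info, key_len=16):
    """DH1: one key pair from each party, one shared secret value."""
    z = secret_value(x, y_other, P, Q)
    return kdf(int_to_bytes(z, P), other_info, key_len)


def dh2_key(x_static, x_eph, y_static_other, y_eph_other, other_info, key_len=16):
    """DH2 (unified model): static-static and ephemeral-ephemeral secret values
    are concatenated before key derivation."""
    z_static = secret_value(x_static, y_static_other, P, Q)
    z_eph = secret_value(x_eph, y_eph_other, P, Q)
    return kdf(int_to_bytes(z_static, P) + int_to_bytes(z_eph, P), other_info, key_len)


def run_agreement():
    """Two parties run DH1 and DH2; returns whether each produced the same key."""
    if not validate_domain_parameters(P, Q, G):
        raise ValueError("invalid domain parameters")
    info = b"constructed other-info for the P1363 DH example"
    xa, ya = generate_key_pair(P, Q, G)          # static pairs
    xb, yb = generate_key_pair(P, Q, G)
    dh1_match = dh1_key(xa, yb, info) == dh1_key(xb, ya, info)
    xa2, ya2 = generate_key_pair(P, Q, G)        # ephemeral pairs for DH2
    xb2, yb2 = generate_key_pair(P, Q, G)
    dh2_match = dh2_key(xa, xa2, yb, yb2, info) == dh2_key(xb, xb2, ya, ya2, info)
    return dh1_match, dh2_match


if __name__ == "__main__":
    print(run_agreement())
```

The validation step is what gives the "two flavors" on the DL primitives slide their meaning: checking y^q mod p = 1 rejects elements outside the order-q subgroup up front, while the cofactor-multiplication flavor instead folds the cofactor into the exponent so that such elements cannot influence the secret value.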
Signature Schemes

- General model
  - signature operation
    - select a valid private key
    - apply message encoding method and signature primitive to produce a signature
  - verification operation
    - obtain the signer’s “public key”
    - (optional) validate the public key
    - apply verification primitive and message encoding method to verify the signature (and recover the message in certain schemes)

DL/EC Signature Schemes

- DSA with appendix
  - hash function followed by DSA primitive
  - with SHA-1, appropriate parameter sizes, consistent with Digital Signature Standard
- Nyberg-Rueppel with appendix
  - hash function followed by Nyberg-Rueppel primitive
- EC analogs of the above

IF Signature Schemes

- RSA, RW with appendix
  - ANSI X9.31 message encoding followed by primitive
- RSA, RW with message recovery
  - ISO/IEC 9796-1 message encoding followed by primitive
  - limited message size

IF Encryption Scheme

- RSA
  - Bellare-Rogaway “Optimal Asymmetric Encryption Padding” followed by RSA primitive
  - authenticated encryption, control information is optional input
  - limited message size
- General model for encryption to be included in later version

Message Encoding and Key Derivation

- Message encoding methods
  - for signature: hashing, ANSI X9.31, ISO/IEC 9796
  - for encryption: OAEP
- Key derivation function
  - follows ANSI X9.42
  - Hash (secret value || parameters)

Auxiliary Functions

- Hash functions
  - hash from arbitrary length input
  - SHA-1, RIPEMD-160
- Mask generation functions
  - arbitrary length input and output
  - Hash (message, 0), Hash (message, 1), ...

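One block serving three slides: "Primitives vs. Schemes", "IF Encryption Scheme" and the mask generation function under "Auxiliary Functions". It is an added example, not code from the P1363 document. The RSA primitives c = m^e mod n and m = c^d mod n act on integers below n only and reject anything else; the scheme built on them (OAEP encoding with a SHA-1 MGF1-style mask generation function, Hash(seed, 0) || Hash(seed, 1) || ...) acts on byte strings, takes the optional control information as a `label`, and enforces the limited message size. The key is constructed from two Mersenne primes, 2^521-1 and 2^127-1, purely so the example needs no key generation; that special form makes it worthless as a real key. Function names are the example's own; Python 3.8 or later is needed for `pow(E, -1, phi)`.

```python
"""RSA primitives and the RSAES-OAEP scheme built on them.
Added example, not P1363's own code."""
import hashlib
import secrets

# Constructed demonstration key: two Mersenne primes, useless as a real key.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
N = _P * _Q                                    # 648-bit modulus, 81 bytes
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def rsaep(n, e, m):
    """RSA encryption primitive: integer in, integer out; m < n is required."""
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


def rsadp(n, d, c):
    """RSA decryption primitive, the inverse of rsaep."""
    if not 0 <= c < n:
        raise ValueError("ciphertext representative out of range")
    return pow(c, d, n)


def mgf1(seed, mask_len, hash_fn=hashlib.sha1):
    """Mask generation function: Hash(seed || 0) || Hash(seed || 1) || ...
    truncated to mask_len bytes; the counter is a 4-byte big-endian integer."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message, em_len, label=b"", hash_fn=hashlib.sha1):
    """OAEP encoding; `label` is the slide's optional control information."""
    h_len = hash_fn().digest_size
    if len(message) > em_len - 2 * h_len - 2:
        raise ValueError("message too long")   # the scheme's limited message size
    l_hash = hash_fn(label).digest()
    pad = b"\x00" * (em_len - len(message) - 2 * h_len - 2)
    db = l_hash + pad + b"\x01" + message
    seed = secrets.token_bytes(h_len)           # fresh randomness per encryption
    masked_db = _xor(db, mgf1(seed, em_len - h_len - 1, hash_fn))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_fn))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, label=b"", hash_fn=hashlib.sha1):
    """Inverse of oaep_encode.  Every failed check raises the same error, since
    reporting which check failed would hand an oracle to whoever sent the data."""
    h_len = hash_fn().digest_size
    em_len = len(em)
    if em_len < 2 * h_len + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_fn))
    db = _xor(masked_db, mgf1(seed, em_len - h_len - 1, hash_fn))
    sep = db.find(b"\x01", h_len)
    ok = (em[0] == 0 and db[:h_len] == hash_fn(label).digest()
          and sep >= 0 and not any(db[h_len:sep]))
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]


def rsaes_oaep_encrypt(public_key, message, label=b""):
    """Scheme: bytes in, bytes out; the leading 0x00 of the encoding keeps em < n."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8               # length of n in bytes
    em = oaep_encode(message, k, label)
    return rsaep(n, e, int.from_bytes(em, "big")).to_bytes(k, "big")


def rsaes_oaep_decrypt(private_key, ciphertext, label=b""):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        raise ValueError("decryption error")
    em = rsadp(n, d, c).to_bytes(k, "big")
    return oaep_decode(em, label)
```

With a 648-bit modulus and SHA-1 the longest message the scheme accepts is 81 - 2·20 - 2 = 39 bytes, which is the "limited message size" of the slide; the primitive's own limit is the integer range 0 <= m < n.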
Annexes

- Annex A: Number-theoretic background
- Annex B: Conformance
- Annex C: Rationale
- Annex D: Security considerations
- Annex E: Formats
- Annex F: Bibliography
- Test vectors to be posted on the web

Annex A: Number-Theoretic Background (Informative)

- many number-theoretic algorithms for prime-order and binary finite fields
- complex multiplication (CM) method for elliptic curve generation
- primality testing and proving

Annex B: Conformance (Normative)

- language for claiming conformance with parts of the standard
- an implementation may claim conformance with one or more primitives, schemes or scheme operations

Annex C: Rationale (Informative)

- some questions the working group considered ...
- why is the standard the way it is?

General Questions

- Why three families?
  - all are well understood, established in marketplace to varying degrees
  - different attributes: performance, patents, etc.
  - goal is to give standard specifications, not to give a single choice
- Why no key sizes?
  - security requirements vary by application, strength of techniques varies over time
  - goal is to give guidance but leave flexibility

DL/EC Questions

- Why DH and MQV?
  - DH established, more flexible with unified model
  - MQV optimized for ephemeral/static case
- Why DSA and NR?
  - DSA in U.S. federal standard
  - NR involves less hardware in some implementations, provides for message recovery

IF Questions

- Why RSA and RW?
  - RSA established, also supports encryption
  - RW signature verification faster with e = 2, supported along with RSA by ISO/IEC 9796, ANSI X9.31

Annex D: Security Considerations (Informative)

- key management (authentication, generation, validation)
- security parameters (key sizes)
- random number generation
- emphasis on common uses and secure practice

Annex E: Formats (Informative)

- suggested interface specifications, such as representation of mathematical objects and scheme outputs

Ballot Status

- IEEE P1363 ballot started February 1999
- Ballot passed, many comments received
- Recirculation ballot in progress
  - based on revised document, response to negative votes
- Document submitted for IEEE RevCom approval at its September meeting

The Future

Preview of P1363a

- P1363a will provide “missing pieces” of P1363
- It is intended that the two documents will be merged during future revisions
- Working group has received numerous submissions (see web site)
- Four submissions will be presented on Thursday afternoon (Aug. 19)
  - some may be more appropriate for other P1363 projects

Proposed Outline for P1363a

- Key agreement schemes (TBD)
- Signature schemes
  - DL/EC scheme with message recovery
  - PSS, FDH, PKCS #1 encoding methods for IF family
  - PSS-R for message recovery in IF family
- Encryption schemes
  - Abdalla-Bellare-Rogaway DHAES for DL/EC family

Beyond P1363a

- Simple, self-contained projects
  - each separately authorized by IEEE, developed and balloted
  - same working group oversees
- Another supplement: P1363b for similar techniques
  - e.g., “provably secure” schemes, other families
- New projects: P1363.1, .2, .3, … for other types of technique

New Project Ideas (1)

- Key and domain parameter generation and validation
- Threshold cryptosystems
- Key establishment protocols
- Entity authentication protocols
- Proof-of-possession protocols
- Guidelines for implementations
  - updated security considerations, key size recommendations, interoperability issues, etc.

New Project Ideas (2)

- Conformance testing
- ASN.1 syntax
- S-expression syntax
- Identification schemes
- Password-based security protocols
- Fast implementation techniques and number-theoretic algorithms
- Editors needed!

Officers

- New slate of officers to be elected in September for two-year terms, under new bylaws
  - Chair
  - Vice-chair
  - Primary editor
  - Secretary
  - Treasurer
- Send nominations to Burt Kaliski -- self-nominations accepted

Meetings in 1990

- August 19-20, University Center State Street Room, UC Santa Barbara
  - Thursday 2:00-5:30pm
  - Friday 8:30-5:00pm
- November (?) to be announced

For More Information

- Web site
  - grouper.ieee.org/groups/1363
  - publicly accessible research contributions and P1363a submissions
- Two mailing lists
  - general announcements list, low volume
  - technical discussion list, high volume
  - everybody is welcome to subscribe
  - web site contains subscription information

Current Officers

- Chair: Burt Kaliski, [email protected]
  - officer nominations, P1363a submissions, new project ideas
- Vice-chair: Terry Arnold, [email protected]
- Secretary: Roger Schlafly, [email protected]
- Treasurer: Michael Markowitz, [email protected]
- Editor: Yiqun Lisa Yin, [email protected]
  - P1363 comments