IEEE P1363: Standard Specifications for Public-Key Cryptography
David Jablon, CTO, Phoenix Technologies; Treasurer, IEEE P1363
NIST Key Management Workshop, November 1-2, 2001
Outline: History to date; Scope & objective of Std 1363-2000 & P1363a; Highlights of development process
IEEE P1363: Standard Specifications for Public-Key Cryptography
David Jablon
CTO Phoenix Technologies
Second amendment to Std 1363-2000: P1363b
November 1, 2001 NIST Key Management Workshop 5
The History
P1363 Working Group History
First meeting January 1994
Up to now, 31 working group meetings
1997: project split into P1363 & P1363a
2000: began exploring additional topics
Late 2000: began P1363.1 & P1363.2
What is IEEE Std 1363-2000?
1994: P1363 Working Group commissioned to start project
  Original P1363 became “IEEE Std 1363-2000”
IEEE standard for public-key cryptography based on three families:
  Discrete Logarithm (DL) systems
What is P1363a?
1997: MSC approved P1363 WG to begin work on amendment to Std 1363-2000
Supplements techniques in Std 1363-2000
Intended that the two documents will be merged in future revisions
Scope was limited to schemes in the same families and same general goals as in Std 1363-2000
Objective and Scope of P1363a
Objective
  To facilitate the completion of the base standard while providing a forum for discussing additional techniques
  To “fill in the gaps” from Std 1363-2000
Scope
  Cryptographic parameters and keys
  Key agreement, digital signatures, encryption
Goal: timely publication (First balloted early 1999, approved as a standard January 2000)
P1363a (supplement)
  Techniques in same families that have become “established” since work ended on P1363
  Call for more submissions in April 1998
  Goal: fill in gaps, assure thorough study and input from the community
Standards are essential in several areas:
  Cryptographic schemes
  Key representation
Some work in each area, but no single comprehensive standard ...
  ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63
1363 Standards: A Different Kind of Standard
A set of tools from which implementations and other standards can be built
  Framework with selectable components: applications are expected to “profile” the standard
  Example: signature scheme is based on a particular mathematical primitive (e.g., RSA) with selectable key sizes and “auxiliary” functions (hashing, message encoding)
Functional specifications rather than interface specifications
Highlights
Comprehensive
  Three families; a variety of algorithms
Adoption of new developments
  “Unified” model of key agreement
General model
Signature operation
  Select a valid private key
  Apply message encoding method and signature primitive to produce a signature
Verification operation
  Obtain the signer’s “public key”
  Validate the public key (optional)
  Apply verification primitive and message encoding method to verify the signature
General model
Encryption operation
  Obtain the recipient’s public key
  Validate the public key (optional)
  Apply message encoding method and encryption primitive to produce a ciphertext with optional authentication
Decryption operation
  Select the appropriate private key
  Apply decryption primitive and message encoding method to obtain plaintext
  Optionally authenticate the validity of the plaintext
Summary of Schemes (1)
Test vectors to be posted on the web
Annex A
Annex A: Number-theoretic background (Informative)
  Supporting algorithms and methods for efficiently performing operations specified in main body
Annex B
Annex B: Conformance (Normative)
  Provide implementers with a consistent language for claiming conformance with parts of this standard
  An implementation may claim conformance with one or more primitives, schemes or scheme operations
Annex C
Annex C: Rationale (Informative)
  Some questions the working group considered . . .
  Why is the standard the way it is?
General Questions
Why three families?
  All are well understood, established in marketplace to varying degrees
  Different attributes: performance, patents, etc.
  Goal is to give standard specifications, not to give a single choice
Why no key sizes?
  Security requirements vary by application, strength
Emphasis on common uses and secure practice
Annex E
Annex E: Formats (Informative)
  Suggested interface specifications, such as representation of mathematical objects and scheme outputs
Annex F
Annex F: Bibliography (Informative)
  Well, it’s a bibliography . . .
Annex G
Annex G: Patent Information (Informative)
  Collection of information that the working group has gathered on intellectual property relating to techniques in the standard (new in P1363a)
Study Group
March 2000: Study Group for Future Public-Key Cryptography Standards commissioned
Considered broader scopes for future projects relating to public-key crypto
Determined where all previously out-of-scope submissions fit
Completed work in 2001 with 2 new projects and additional ideas for the future
New Project Ideas
Key and domain parameter generation and validation
Fast implementation techniques and number-theoretic algorithms
New families of cryptosystems
The Present
P1363a: Current Status
Document approved by working group and MSC for ballot
IEEE is assembling ballot body
Only minor edits and voting remain
What is P1363.1?
MSC approved WG to begin P1363.1
  Standard Specifications for Public-Key Cryptography: Techniques Based on Hard Problems over Lattices
Grew out of Study Group work in 2000
Public-key techniques in a fourth family
Parallel, but independent effort to P1363a
Submissions for new techniques close October 1, 2001
Objective and Scope of P1363.1
Objective
  To continue to facilitate interoperable security by providing comprehensive coverage of public-key techniques in the “lattice family”
Scope
  Cryptographic parameters and keys
  Digital signatures, encryption in lattice family
  Updated specification format
Contents of P1363.1
Same general contents as Std 1363-2000 (overview, references, definitions, math conventions, etc.)
Shortest Vector Problem (SVP) Primitives
Signature and Encryption schemes
What is P1363.2?
MSC approved the P1363 WG to begin work on P1363.2 – Standard Specifications for Public-Key Cryptography: Password-based Techniques
Grew out of Study Group work in 2000
Parallel, but independent effort to P1363a and P1363.1
Submissions for new techniques close October 1, 2001
Objective and Scope of P1363.2
Objective
  Continue to facilitate interoperable security by providing comprehensive coverage of public-key techniques using passwords and other low-grade secrets
Scope
  Cryptographic parameters and keys
Contents of P1363.2
Same general structure as Std 1363-2000
  overview, references, definitions, math conventions, etc.
Random element derivation, key derivation & secret value derivation primitives
Password-authenticated key retrieval and key agreement schemes
  balanced and augmented trust models
Primary Editor: David Stern
For More Information
IEEE P1363 Web site
  http://grouper.ieee.org/groups/1363
  publicly accessible research contributions and document submissions
Two mailing lists
  general announcements list, low volume
  technical discussion list, high volume
  everybody is welcome to subscribe
  web site contains subscription information