IEEE P1363: Standard Specifications for Public-Key Cryptography

IEEE P1363:IEEE P1363:

Standard Specifications for Standard Specifications for Public-Key CryptographyPublic-Key Cryptography

IEEE P1363:IEEE P1363:

Standard Specifications for Standard Specifications for Public-Key CryptographyPublic-Key Cryptography

David JablonDavid JablonCTO Phoenix TechnologiesCTO Phoenix Technologies

Treasurer, IEEE P1363Treasurer, IEEE P1363

NIST Key Management WorkshopNIST Key Management WorkshopNovember 1-2, 2001November 1-2, 2001

November 1, 2001 NIST Key Management Workshop 2

OutlineOutlineOutlineOutline

History to dateHistory to date

Scope & objective of Std 1363-2000 & P1363aScope & objective of Std 1363-2000 & P1363a

Highlights of development processHighlights of development process

Review of techniques in Std 1363-2000 & P1363aReview of techniques in Std 1363-2000 & P1363a

RationaleRationale

P1363 Study Group begins P1363.1 & P1363.2P1363 Study Group begins P1363.1 & P1363.2


Outline (2)Outline (2)Outline (2)Outline (2)

The presentThe present Current status of P1363aCurrent status of P1363a

Scope and objective of P1363.1Scope and objective of P1363.1

Contents of P1363.1Contents of P1363.1

Scope and objective of P1363.2Scope and objective of P1363.2

Contents of P1363.2Contents of P1363.2


Outline (3)Outline (3)Outline (3)Outline (3)

The futureThe future Schedule for completion of P1363.1 and P1363.2Schedule for completion of P1363.1 and P1363.2

Public-key techniques registryPublic-key techniques registry

Second amendment to Std 1363-2000: P1363bSecond amendment to Std 1363-2000: P1363b


The HistoryThe HistoryThe HistoryThe History


P1363 Working Group P1363 Working Group HistoryHistory

P1363 Working Group P1363 Working Group HistoryHistory

First meeting January 1994First meeting January 1994

Up to now, 31 working group meetingsUp to now, 31 working group meetings

1997: project split into P1363 & P1363a1997: project split into P1363 & P1363a

2000: began exploring additional topics2000: began exploring additional topics

Late 2000: began P1363.1 & P1363.2Late 2000: began P1363.1 & P1363.2


What is IEEE Std 1363-2000 ?What is IEEE Std 1363-2000 ?What is IEEE Std 1363-2000 ?What is IEEE Std 1363-2000 ?

1994: P1363 Working Group commissioned 1994: P1363 Working Group commissioned to start projectto start project Original P1363 became “IEEE Std 1363-2000”Original P1363 became “IEEE Std 1363-2000”

IEEE standard for public-key cryptography IEEE standard for public-key cryptography based on three families:based on three families: Discrete Logarithm (DL) systemsDiscrete Logarithm (DL) systems

Elliptic Curve Discrete Logarithm (EC) systemsElliptic Curve Discrete Logarithm (EC) systems

Integer Factorization (IF) systemsInteger Factorization (IF) systems

Sponsored by Microprocessor Standards Sponsored by Microprocessor Standards CommitteeCommittee


Objective and Scope of Objective and Scope of P1363P1363

Objective and Scope of Objective and Scope of P1363P1363

ObjectiveObjective Facilitate interoperable security by providing Facilitate interoperable security by providing

comprehensive coverage of public-key techniquescomprehensive coverage of public-key techniques

ScopeScope Cryptographic parameters and keysCryptographic parameters and keys

Key agreement, digital signatures, encryptionKey agreement, digital signatures, encryption

Recommended supporting techniquesRecommended supporting techniques


What is P1363a ?What is P1363a ?What is P1363a ?What is P1363a ?

1997: MSC approved P1363 WG to begin 1997: MSC approved P1363 WG to begin work on amendment to Std 1363-2000work on amendment to Std 1363-2000

Supplements techniques in Std 1363-2000Supplements techniques in Std 1363-2000

Intended that the two documents will be Intended that the two documents will be merged in future revisionsmerged in future revisions

Scope was limited to schemes in the same Scope was limited to schemes in the same families and same general goals as in Std families and same general goals as in Std 1363-20001363-2000


Objective and Scope of Objective and Scope of P1363aP1363a

Objective and Scope of Objective and Scope of P1363aP1363a

ObjectiveObjective To facilitate the completion of the base standard To facilitate the completion of the base standard

while providing a forum for discussing additional while providing a forum for discussing additional techniques techniques

To “fill in the gaps” from Std 1363-2000To “fill in the gaps” from Std 1363-2000


Key agreement, digital signatures, encryptionKey agreement, digital signatures, encryption



IEEE Std 1363-2000 and IEEE Std 1363-2000 and P1363aP1363a

IEEE Std 1363-2000 and IEEE Std 1363-2000 and P1363aP1363a

IEEE Std 1363-2000 (base standard)IEEE Std 1363-2000 (base standard) Established techniquesEstablished techniques

Goal: timely publication (First balloted early 1999, Goal: timely publication (First balloted early 1999, approved as a standard January 2000)approved as a standard January 2000)

P1363a (supplement)P1363a (supplement) Techniques in same families that have become Techniques in same families that have become

“established” since work ended on P1363“established” since work ended on P1363

Call for more submissions in April 1998Call for more submissions in April 1998

Goal: fill in gaps, assure thorough study and input Goal: fill in gaps, assure thorough study and input from the communityfrom the community


Existing Public-Key Existing Public-Key StandardsStandards

Existing Public-Key Existing Public-Key StandardsStandards

Standards are essential in several areas:Standards are essential in several areas: Cryptographic schemesCryptographic schemes

Key representationKey representation

Some work in each area, but no single Some work in each area, but no single comprehensive standard ...comprehensive standard ... ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63

ISO/IEC 9796, 10118, 14888, 15946ISO/IEC 9796, 10118, 14888, 15946

PKCS, SEC, EESSPKCS, SEC, EESS

FIPS 180-1, 186-2FIPS 180-1, 186-2

NESSIE, CryptRecNESSIE, CryptRec


1363 Standards: 1363 Standards: A Different Kind of StandardA Different Kind of Standard

1363 Standards: 1363 Standards: A Different Kind of StandardA Different Kind of Standard

A set of tools from which implementations A set of tools from which implementations and other standards can be builtand other standards can be built Framework with selectable components: Framework with selectable components:

applications are expected to “profile” the standardapplications are expected to “profile” the standard Example: signature scheme is based on a particular Example: signature scheme is based on a particular

mathematical primitive (e.g., RSA) with selectable key mathematical primitive (e.g., RSA) with selectable key sizes and “auxiliary” functions (hashing, message sizes and “auxiliary” functions (hashing, message encoding)encoding)

Functional specifications rather than interface Functional specifications rather than interface specificationsspecifications


HighlightsHighlightsHighlightsHighlights

Comprehensive Comprehensive Three families; a variety of algorithmsThree families; a variety of algorithms

Adoption of new developments Adoption of new developments ““Unified” model of key agreementUnified” model of key agreement

““Provably secure” schemesProvably secure” schemes

Key and parameter validationKey and parameter validation

A forum for discussing public-key cryptoA forum for discussing public-key crypto Active discussion mailing listActive discussion mailing list

Web site for new research contributionsWeb site for new research contributions


Std 1363-2000 and P1363a: Std 1363-2000 and P1363a: ContentsContents

Std 1363-2000 and P1363a: Std 1363-2000 and P1363a: ContentsContents

OverviewOverview

ReferencesReferences

DefinitionsDefinitions

Types of cryptographic Types of cryptographic techniquestechniques

Math conventionsMath conventions

DL primitivesDL primitives

EC primitivesEC primitives

IF primitivesIF primitives

Key agreement schemesKey agreement schemes

Signature schemesSignature schemes

Encryption schemesEncryption schemes

Message encodingMessage encoding

Key derivationKey derivation

Auxiliary functionsAuxiliary functions

AnnexesAnnexes


Primitives vs. SchemesPrimitives vs. SchemesPrimitives vs. SchemesPrimitives vs. Schemes

Primitives:Primitives: Basic mathematical operationsBasic mathematical operations

e.g., e.g., cc == mmee mod mod nn

Limited-size inputs, limited securityLimited-size inputs, limited security

Schemes:Schemes: Operations on byte strings, including hashing, Operations on byte strings, including hashing,

formatting, other auxiliary functionsformatting, other auxiliary functions

Often unlimited-size inputs, stronger securityOften unlimited-size inputs, stronger security

Implementations can conform with eitherImplementations can conform with either


Key Agreement SchemesKey Agreement SchemesKey Agreement SchemesKey Agreement Schemes

General modelGeneral model Establish valid domain parametersEstablish valid domain parameters

Select one or more valid private keysSelect one or more valid private keys

Obtain other party’s one or more “public keys”Obtain other party’s one or more “public keys”

Validate the public keys (optional) Validate the public keys (optional)

Compute a shared secret value Compute a shared secret value

Apply key derivation functionApply key derivation function


Signature SchemesSignature SchemesSignature SchemesSignature Schemes

General modelGeneral model Signature operationSignature operation

Select a valid private keySelect a valid private key

Apply message encoding method and signature primitive Apply message encoding method and signature primitive to produce a signatureto produce a signature

Verification operationVerification operation Obtain the signer’s “public key”Obtain the signer’s “public key”

Validate the public key (optional) Validate the public key (optional)

Apply verification primitive and message encoding Apply verification primitive and message encoding method to verify the signaturemethod to verify the signature


Encryption SchemesEncryption SchemesEncryption SchemesEncryption Schemes

General modelGeneral model Encryption operationEncryption operation

Obtain the recipient’s public keyObtain the recipient’s public key

Validate the public key (optional) Validate the public key (optional)

Apply message encoding method and encryption Apply message encoding method and encryption primitive to produce a ciphertext with optional primitive to produce a ciphertext with optional authenticationauthentication

Decryption operationDecryption operation Select the appropriate private keySelect the appropriate private key

Apply decryption primitive and message encoding Apply decryption primitive and message encoding method to obtain plaintextmethod to obtain plaintext

Optionally authenticate the validity of the plaintextOptionally authenticate the validity of the plaintext


Summary of Schemes (1)Summary of Schemes (1)Summary of Schemes (1)Summary of Schemes (1)

Discrete Logarithm (DL) systemsDiscrete Logarithm (DL) systems P1363: Diffie-Hellman, MQV key agreementP1363: Diffie-Hellman, MQV key agreement

P1363: DSA, Nyberg-Rueppel signaturesP1363: DSA, Nyberg-Rueppel signatures

P1363a: Pintsov-Vanstone signatures, signatures P1363a: Pintsov-Vanstone signatures, signatures with message recovery (Nyberg-Rueppel 2)with message recovery (Nyberg-Rueppel 2)

P1363a: DLIES encryptionP1363a: DLIES encryption

Elliptic Curve (EC) systemsElliptic Curve (EC) systems Elliptic curve analogs of DL systemsElliptic curve analogs of DL systems


Summary of Schemes (2)Summary of Schemes (2)Summary of Schemes (2)Summary of Schemes (2)

Integer Factorization (IF) systemsInteger Factorization (IF) systems P1363: RSA encryptionP1363: RSA encryption

P1363: RSA, Rabin-Williams signaturesP1363: RSA, Rabin-Williams signatures

P1363a: EPOC encryptionP1363a: EPOC encryption

P1363a: ESIGN signatures, IF signatures with P1363a: ESIGN signatures, IF signatures with message recoverymessage recovery


Message Encoding and Key Message Encoding and Key DerivationDerivation

Message Encoding and Key Message Encoding and Key DerivationDerivation

Message encoding methodsMessage encoding methods For signatureFor signature

For encryption For encryption

Key derivation functionKey derivation function


Auxiliary FunctionsAuxiliary FunctionsAuxiliary FunctionsAuxiliary Functions

Hash functionsHash functions Hash from arbitrary length inputHash from arbitrary length input

Mask generation functionsMask generation functions Arbitrary length input and outputArbitrary length input and output

Hash (message || 0) || hash (message || 1) || ...Hash (message || 0) || hash (message || 1) || ...


AnnexesAnnexesAnnexesAnnexes

Annex A: Number-theoretic background Annex A: Number-theoretic background

Annex B: ConformanceAnnex B: Conformance

Annex C: RationaleAnnex C: Rationale

Annex D: Security considerationsAnnex D: Security considerations

Annex E: FormatsAnnex E: Formats

Annex F: BibliographyAnnex F: Bibliography

Test vectors to be posted on the webTest vectors to be posted on the web


Annex AAnnex AAnnex AAnnex A

Annex A: Number-theoretic background Annex A: Number-theoretic background (Informative)(Informative) Supporting algorithms and methods for efficiently Supporting algorithms and methods for efficiently

performing operations specified in main bodyperforming operations specified in main body


Annex BAnnex BAnnex BAnnex B

Annex B: Conformance (Normative)Annex B: Conformance (Normative) Provide implementers with a consistent language Provide implementers with a consistent language

for claiming conformance with parts of this for claiming conformance with parts of this standardstandard

An implementation may claim conformance with An implementation may claim conformance with one or more primitives, schemes or scheme one or more primitives, schemes or scheme operationsoperations


Annex CAnnex CAnnex CAnnex C

Annex C: Rationale (Informative)Annex C: Rationale (Informative) Some questions the working group considered . . . Some questions the working group considered . . .

Why is the standard the way it is?Why is the standard the way it is?


General QuestionsGeneral QuestionsGeneral QuestionsGeneral Questions

Why three families?Why three families? All are well understood, established in marketplace

to varying degrees

Different attributes: performance, patents, etc.

Goal is to give standard specifications, not to give a single choice

Why no key sizes?Why no key sizes? Security requirements vary by application, strength

of techniques vary over time

Goal is to give guidance but leave flexibility


Annex DAnnex DAnnex DAnnex D

Annex D: Security Considerations Annex D: Security Considerations (Informative)(Informative) Key management (authentication, generation, Key management (authentication, generation,

validation)validation)

Security parameters (key sizes)Security parameters (key sizes)

Random number generationRandom number generation

Emphasis on common uses and secure practiceEmphasis on common uses and secure practice


Annex EAnnex EAnnex EAnnex E

Annex E: Formats (Informative)Annex E: Formats (Informative) Suggested interface specifications, such as Suggested interface specifications, such as

representation of mathematical objects and representation of mathematical objects and scheme outputsscheme outputs


Annex FAnnex FAnnex FAnnex F

Annex F: Bibliography (Informative)Annex F: Bibliography (Informative) Well, it’s a bibliography . . .Well, it’s a bibliography . . .


Annex GAnnex GAnnex GAnnex G

Annex G: Patent Information (Informative)Annex G: Patent Information (Informative) Collection of information that the working group Collection of information that the working group

has gathered on intellectual property relating to has gathered on intellectual property relating to techniques in the standard (new in P1363a)techniques in the standard (new in P1363a)


Study GroupStudy GroupStudy GroupStudy Group

March 2000: Study Group for Future Public-March 2000: Study Group for Future Public-Key Cryptography Standards commissionedKey Cryptography Standards commissioned

Considered broader scopes for future projects Considered broader scopes for future projects relating to public-key cryptorelating to public-key crypto

Determined where all previously out-of-scope Determined where all previously out-of-scope submissions fitsubmissions fit

Completed work in 2001 with 2 new projects Completed work in 2001 with 2 new projects and additional ideas for the futureand additional ideas for the future


New Project IdeasNew Project IdeasNew Project IdeasNew Project Ideas

Key and domain parameter generation and validationKey and domain parameter generation and validation

Threshold cryptosystemsThreshold cryptosystems

Key establishment protocolsKey establishment protocols

Entity authentication protocolsEntity authentication protocols

Proof-of-possession protocolsProof-of-possession protocols

Guidelines for implementationsGuidelines for implementations updated security considerations, key size recommendations, updated security considerations, key size recommendations,

interoperability issues, etc.interoperability issues, etc.


New Project Ideas (2)New Project Ideas (2)New Project Ideas (2)New Project Ideas (2)

Conformance testingConformance testing

ASN.1 syntaxASN.1 syntax

S-expression syntaxS-expression syntax

Identification schemesIdentification schemes

Password-based security protocolsPassword-based security protocols

Fast implementation techniques and number-Fast implementation techniques and number-theoretic algorithmstheoretic algorithms

New families of cryptosystemsNew families of cryptosystems


The PresentThe PresentThe PresentThe Present


P1363a: Current StatusP1363a: Current StatusP1363a: Current StatusP1363a: Current Status

Document approved by working group and Document approved by working group and MSC for ballotMSC for ballot

IEEE is assembling ballot bodyIEEE is assembling ballot body

Only minor edits and voting remainOnly minor edits and voting remain


What is P1363.1?What is P1363.1?What is P1363.1?What is P1363.1?

MSC approved WG to begin P1363.1MSC approved WG to begin P1363.1 Standard Specifications for Public-Key Standard Specifications for Public-Key

Cryptography: Techniques Based on Hard Cryptography: Techniques Based on Hard Problems over Lattices Problems over Lattices

Grew out of Study Group work in 2000Grew out of Study Group work in 2000

Public-key techniques in a fourth familyPublic-key techniques in a fourth family

Parallel, but independent effort to P1363aParallel, but independent effort to P1363a

Submissions for new techniques close Submissions for new techniques close October 1, 2001October 1, 2001


Objective and Scope of Objective and Scope of P1363.1P1363.1


ObjectiveObjective To continue to facilitate interoperable security by To continue to facilitate interoperable security by

providing comprehensive coverage of public-key providing comprehensive coverage of public-key techniques in the “lattice family”techniques in the “lattice family”


Digital signatures, encryption in lattice familyDigital signatures, encryption in lattice family


Updated specification formatUpdated specification format


Contents of P1363.1Contents of P1363.1Contents of P1363.1Contents of P1363.1

Same general contents as Std 1363-2000 Same general contents as Std 1363-2000 (overview, references, definitions, math (overview, references, definitions, math conventions, etc.)conventions, etc.)

Shortest Vector Problem (SVP) PrimitivesShortest Vector Problem (SVP) Primitives

Signature and Encryption schemesSignature and Encryption schemes

Message Encoding MethodsMessage Encoding Methods

Additional Auxiliary FunctionsAdditional Auxiliary Functions

Number theoretic backgroundNumber theoretic background

Security ConsiderationsSecurity Considerations


Summary of P1363.1 Summary of P1363.1 SchemesSchemes


Shortest Vector (SV) SystemsShortest Vector (SV) Systems NTRU encryptionNTRU encryption

NSS signatures (tentative)NSS signatures (tentative)


What is P1363.2?What is P1363.2?What is P1363.2?What is P1363.2?

MSC approved the P1363 WG to begin work on MSC approved the P1363 WG to begin work on P1363.2 – Standard Specifications for Public-Key P1363.2 – Standard Specifications for Public-Key Cryptography: Password-based TechniquesCryptography: Password-based Techniques

Grew out of Study Group work in 2000Grew out of Study Group work in 2000

Public-key techniques utilizing “low-grade” secretsPublic-key techniques utilizing “low-grade” secrets

Parallel, but independent effort to P1363a and Parallel, but independent effort to P1363a and P1363.1P1363.1

Submissions for new techniques close October 1, Submissions for new techniques close October 1, 20012001




ObjectiveObjective Continue to facilitate interoperable security by Continue to facilitate interoperable security by

providing comprehensive coverage of public-key providing comprehensive coverage of public-key techniques using passwords and other low-grade techniques using passwords and other low-grade secretssecrets


Password-based key establishment & Password-based key establishment & authenticationauthentication



Contents of P1363.2Contents of P1363.2Contents of P1363.2Contents of P1363.2 Same general structure as Std 1363-2000Same general structure as Std 1363-2000

overview, references, definitions, math conventions, etc.overview, references, definitions, math conventions, etc.

Random element derivation, key derivation & secret Random element derivation, key derivation & secret value derivation primitivesvalue derivation primitives

Password-authenticated key retrieval and key Password-authenticated key retrieval and key agreement schemesagreement schemes balanced and augmented trust modelsbalanced and augmented trust models

Password-authenticated key agreement protocols Password-authenticated key agreement protocols Additional auxiliary functionsAdditional auxiliary functions Number theoretic backgroundNumber theoretic background Security considerationsSecurity considerations




Discrete Log SystemsDiscrete Log Systems Password-authenticated key agreementPassword-authenticated key agreement

AMP, PAK, SPEKE, SRP (tentative)AMP, PAK, SPEKE, SRP (tentative)

Balanced and Augmented schemesBalanced and Augmented schemes

Password-authenticated key retrievalPassword-authenticated key retrieval FK (tentative)FK (tentative)

Elliptic Curve SystemsElliptic Curve Systems Analogs to DL systemsAnalogs to DL systems


The FutureThe FutureThe FutureThe Future


Schedule for Completion of Schedule for Completion of P1363.1 and P1363.2P1363.1 and P1363.2

Schedule for Completion of Schedule for Completion of P1363.1 and P1363.2P1363.1 and P1363.2

October 2001: Both projects closing October 2001: Both projects closing submissionssubmissions

2002: Working group to review each 2002: Working group to review each documentdocument

Late 2002: Balloting for P1363.1 expectedLate 2002: Balloting for P1363.1 expected

Early 2003: Balloting for P1363.2 expectedEarly 2003: Balloting for P1363.2 expected


Public-Key RegistryPublic-Key RegistryPublic-Key RegistryPublic-Key Registry

Discussed at great length in study group and Discussed at great length in study group and later in working grouplater in working group

IEEE may support effortIEEE may support effort

Three documentsThree documents Process documentProcess document

Format specification (Standard)Format specification (Standard)

Registry of public-key cryptographic techniquesRegistry of public-key cryptographic techniques

Continuing investigation to determine Continuing investigation to determine usefulness and feasibilityusefulness and feasibility


P1363b: A 2P1363b: A 2ndnd Amendment to Amendment to Std 1363-2000Std 1363-2000

P1363b: A 2P1363b: A 2ndnd Amendment to Amendment to Std 1363-2000Std 1363-2000

Continue adding mature techniquesContinue adding mature techniques

Maintain the currency of the documentMaintain the currency of the document

Working group currently considering the Working group currently considering the projectproject


Meetings in Late 2001Meetings in Late 2001Meetings in Late 2001Meetings in Late 2001

August 23-24 (after Crypto) Santa BarbaraAugust 23-24 (after Crypto) Santa Barbara working group presentationsworking group presentations

working group meetingworking group meeting

October 22-24 – Seoul, KoreaOctober 22-24 – Seoul, Korea CancelledCancelled

... next meeting to be announced ...... next meeting to be announced ...


Current IEEE P1363 OfficersCurrent IEEE P1363 OfficersCurrent IEEE P1363 OfficersCurrent IEEE P1363 Officers

Chair: William WhyteChair: William Whyte [email protected]@ntru.com

Vice Chair: Don JohnsonVice Chair: Don Johnson [email protected]@certicom.com

Secretary: Ari SingerSecretary: Ari Singer [email protected]@ntru.com

Treasurer: David JablonTreasurer: David Jablon [email protected][email protected]

Primary Editor: David SternPrimary Editor: David Stern [email protected]@intel.com


For More InformationFor More InformationFor More InformationFor More Information

IEEE P1363 Web siteIEEE P1363 Web site http://grouper.ieee.org/groups/1363http://grouper.ieee.org/groups/1363

publicly accessible research contributions and publicly accessible research contributions and document submissionsdocument submissions

Two mailing listsTwo mailing lists general announcements list, low volumegeneral announcements list, low volume

technical discussion list, high volumetechnical discussion list, high volume

everybody is welcome to subscribeeverybody is welcome to subscribe web site contains subscription informationweb site contains subscription information

IEEE P1363: Standard Specifications for Public-Key Cryptography

Documents