IEEE P1363: Standard Specifications for Public-Key Cryptography
Burt Kaliski, Chair, IEEE P1363
August 17, 1999 (slides revised 08/16/1999)
Presentation transcript

Slide 1: Title slide (IEEE P1363: Standard Specifications for Public-Key Cryptography; Burt Kaliski, Chair, IEEE P1363; August 17, 1999)

Slide 2: Outline
- The history
  - scope and objective of P1363
  - highlights of the development process
- The present
  - review of techniques in the P1363 document
  - some rationale
- The future
  - preview of the P1363a effort
  - new officers, new projects

Slide 3: The History

Slide 4: What is P1363?
- Emerging IEEE standard for public-key cryptography based on three families:
  - Discrete Logarithm (DL) systems
  - Elliptic Curve Discrete Logarithm (EC) systems
  - Integer Factorization (IF) systems
- Sponsored by the Microprocessor Standards Committee

Slide 5: Objective and Scope
- Objective
  - to facilitate interoperable security by providing comprehensive coverage of public-key techniques
- Scope
  - cryptographic parameters and keys
  - key agreement, digital signatures, encryption

Slide 6: Existing Public-Key Standards
- Standards are essential in several areas:
  - cryptographic schemes
  - key representation
- Some work in each area, but no single comprehensive standard...
  - ANSI X9.30, X9.31, X9.42, X9.44, X9.62, X9.63
  - ISO/IEC 9796, 10118
  - PKCS
  - FIPS 180-1, 186-1

Slide 7: P1363: A Different Kind of Standard
- A set of tools from which implementations and other standards can be built
  - framework with selectable components: applications are expected to profile the standard
  - example: a signature scheme is based on a particular mathematical primitive (e.g., RSA) with selectable key sizes and auxiliary functions (hashing, message encoding)
  - functional specifications rather than interface specifications

Slide 8: Highlights
- Comprehensive
  - three families; a variety of algorithms
- Adoption of new developments
  - unified model of key agreement
  - provably secure encryption
  - key and parameter validation
- A forum for discussing public-key crypto
  - active discussion mailing list
  - web site for new research contributions

Slide 9: History and Status
- First meeting January 1994
- Up to now, 23 working group meetings
- In 1997, the project split into P1363 and P1363a
  - to facilitate the completion of established techniques
  - to provide a forum for discussion of newer techniques without the pressures of immediate standardization

Slide 10: P1363 vs. P1363a
- P1363 (base standard)
  - established techniques
  - goal: timely publication (balloting nearly complete)
- P1363a (supplement)
  - some items in need of more research, deferred from P1363
  - outline currently being developed
  - goal: thorough study and input from the community

Slide 11: The Present

Slide 12: P1363 Outline
- Overview
- References
- Definitions
- Types of cryptographic techniques
- Mathematical conventions
- DL primitives
- EC primitives
- IF primitives
- Key agreement schemes
- Signature schemes
- Encryption schemes
- Message encoding
- Key derivation
- Auxiliary functions
- Annexes

Slide 13: Summary of Techniques
- Discrete Logarithm (DL) systems
  - Diffie-Hellman, MQV key agreement
  - DSA, Nyberg-Rueppel signatures
- Elliptic Curve (EC) systems
  - elliptic curve analogs of DL systems
- Integer Factorization (IF) systems
  - RSA encryption
  - RSA, Rabin-Williams signatures

Slide 14: Primitives vs. Schemes
- Primitives:
  - basic mathematical operations (e.g., c = m^e mod n)
  - limited-size inputs, limited security
- Schemes:
  - operations on byte strings, including hashing, formatting and other auxiliary functions
  - often unlimited-size inputs, stronger security
- Implementations can conform with either

Slide 15: DL Primitives
- DL systems
  - security based on the discrete logarithm problem over a finite field (GF(p) or GF(2^m))
- Secret value derivation
  - Diffie-Hellman and MQV
  - two flavors: with or without cofactor multiplication
- Signature and verification
  - DSA
  - Nyberg-Rueppel, which has message recovery capability

Slide 16: EC Primitives
- EC systems
  - security based on the discrete logarithm problem over an elliptic curve
  - choices of field: GF(2^m) and GF(p)
  - representation of GF(2^m): normal and polynomial basis
- Primitives are analogous to DL

Slide 17: IF Primitives
- IF systems
  - security based on the integer factorization problem
  - RSA has an odd public exponent, RW has an even public exponent
- Encryption and decryption
  - RSA
- Signature and verification
  - RSA and Rabin-Williams
  - both have message recovery capability

Slide 18: Key Agreement Schemes
- General model
  - establish valid domain parameters
  - select one or more valid private keys
  - obtain the other party's public key or keys
  - (optional) validate the public keys
  - compute a shared secret value
  - apply a key derivation function
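The six steps of the general model, run end to end as DH1 (one key pair per party, slide 19) with the Hash(secret value || parameters) derivation described on slide 24. This is an added walk-through in Python, not code from the presentation or from the P1363 document; the toy parameters p = 1019, q = 509, g = 4, the SHA-1 encoding inside the KDF and every function name are assumptions made for the example (the standard leaves sizes to the implementer, per the security considerations annex). The public-key validation step is included because it is what rejects values outside the order-q subgroup, such as p-1.

```python
import hashlib
import secrets

# Constructed toy domain parameters (not from the standard): p and q prime with
# p = 2q + 1, and g = 2^2 mod p, so g generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4


def validate_domain_parameters(p, q, g):
    """Model step 1: establish valid domain parameters."""
    return (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1


def generate_key_pair(p=P, q=Q, g=G):
    """Model step 2: select a valid private key x in [1, q-1]; y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public_key(p, q, y):
    """Model step 4 (optional in the model). Rejects values outside the
    order-q subgroup: p-1 (order 2) or, for this p, any quadratic
    non-residue such as 2."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def secret_value(x, y_other, p):
    """Model step 5: the Diffie-Hellman secret value derivation primitive."""
    return pow(y_other, x, p)


def kdf(z, p, q, g, length=20):
    """Model step 6: Hash(secret value || parameters) with SHA-1; each integer
    is encoded as fixed-width big-endian bytes (an assumed layout)."""
    width = (p.bit_length() + 7) // 8
    data = b"".join(v.to_bytes(width, "big") for v in (z, p, q, g))
    return hashlib.sha1(data).digest()[:length]


def dh1_agree(x_self, y_other, p=P, q=Q, g=G):
    """DH1: one key pair per party. Returns the derived key, or None when the
    parameters or the other party's public key fail validation."""
    if not validate_domain_parameters(p, q, g):
        return None
    if not validate_public_key(p, q, y_other):
        return None
    return kdf(secret_value(x_self, y_other, p), p, q, g)


def demo():
    """Both parties derive the same key; an invalid peer key is refused."""
    x_a, y_a = generate_key_pair()
    x_b, y_b = generate_key_pair()
    k_a = dh1_agree(x_a, y_b)
    k_b = dh1_agree(x_b, y_a)
    return k_a is not None and k_a == k_b and dh1_agree(x_a, P - 1) is None


if __name__ == "__main__":
    print("agreement succeeded and invalid key refused:", demo())
```

Binding the domain parameters into the KDF input, as the slide's Hash(secret value || parameters) does, means two runs that happen to share a secret value z under different parameters still derive different keys.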

Slide 19: DL/EC Key Agreement Schemes
- DH1
  - traditional Diffie-Hellman
  - one key pair from each party
- DH2
  - Diffie-Hellman with unified model
  - two key pairs from each party
- MQV
  - two key pairs from each party

Slide 20: Signature Schemes
- General model
  - signature operation
    - select a valid private key
    - apply the message encoding method and the signature primitive to produce a signature
  - verification operation
    - obtain the signer's public key
    - (optional) validate the public key
    - apply the verification primitive and the message encoding method to verify the signature (and recover the message in certain schemes)

Slide 21: DL/EC Signature Schemes
- DSA with appendix
  - hash function followed by the DSA primitive
  - with SHA-1 and appropriate parameter sizes, consistent with the Digital Signature Standard
- Nyberg-Rueppel with appendix
  - hash function followed by the Nyberg-Rueppel primitive
- EC analogs of the above
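The signature-scheme model of slide 20 instantiated as "DSA with appendix" (hash function followed by the DSA primitive), written as an added Python example rather than code from the presentation or the standard. The domain parameters p = 1019, q = 509, g = 4 are constructed toy values, far below DSS sizes, and reducing the SHA-1 digest mod q is a stand-in for the DSS rule of taking the leftmost bits; function names are likewise assumptions. The verification operation performs the optional public-key validation before the primitive, so a key outside the order-q subgroup never reaches the arithmetic.

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters (not DSS sizes): p and q prime,
# q divides p-1, g has order q. Small so the arithmetic is easy to follow.
P, Q, G = 1019, 509, 4


def generate_key_pair(p=P, q=Q, g=G):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public_key(y, p=P, q=Q):
    """The model's optional validation step: y must lie in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def encode_message(message, q):
    """Message encoding for a scheme 'with appendix': hash the whole message
    with SHA-1 and reduce to an integer mod q (toy stand-in for DSS truncation)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def sign(message, x, p=P, q=Q, g=G):
    """Signature operation: message encoding followed by the DSA primitive."""
    h = encode_message(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh, secret, per-signature value
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (h + x * r)) % q
        if s != 0:
            return r, s


def verify(message, signature, y, p=P, q=Q, g=G):
    """Verification operation: obtain and validate y, then apply the DSA
    verification primitive to the encoded message."""
    if not validate_public_key(y, p, q):
        return False
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    h = encode_message(message, q)
    w = pow(s, -1, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    x, y = generate_key_pair()
    msg = b"IEEE P1363 slide 21 example"
    sig = sign(msg, x)
    print("signature:", sig, "verifies:", verify(msg, sig, y))
```

The range checks on r and s in `verify` are part of the primitive's input validation: a signature with r = 0 or s = 0 must be refused before any modular inverse is taken.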

Slide 22: IF Signature Schemes
- RSA, RW with appendix
  - ANSI X9.31 message encoding followed by the primitive
- RSA, RW with message recovery
  - ISO/IEC message encoding followed by the primitive
  - limited message size

Slide 23: IF Encryption Scheme
- RSA
  - Bellare-Rogaway Optimal Asymmetric Encryption Padding followed by the RSA primitive
  - authenticated encryption; control information is an optional input
  - limited message size
- General model for encryption to be included in a later version

Slide 24: Message Encoding and Key Derivation
- Message encoding methods
  - for signature
    - hashing, ANSI X9.31, ISO/IEC 9796
  - for encryption
    - OAEP
- Key derivation function
  - follows ANSI X9.42
  - Hash(secret value || parameters)

Slide 25: Auxiliary Functions
- Hash functions
  - hash from arbitrary-length input
  - SHA-1, RIPEMD-160
- Mask generation functions
  - arbitrary-length input and output
  - Hash(message, 0), Hash(message, 1), ...
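One added Python example covering several slides at once: the primitive-versus-scheme split of slide 14 (the RSA primitive works on integers, c = m^e mod n; the scheme works on byte strings), the odd public exponent of slide 17, the OAEP-then-primitive encryption scheme of slide 23 with its optional control information and limited message size, and the mask generation function of slide 25 built as Hash(seed, 0) || Hash(seed, 1) || .... It is not code from the presentation or from P1363; the EME-OAEP byte layout follows the PKCS #1 v2.1 style, which is an assumption here (the P1363 encoding details are not on this page), SHA-1 is the hash, the 4-byte counter in the MGF is assumed, and the 512-bit key produced by the small Miller-Rabin generator is a toy size used only so the block runs offline.

```python
import hashlib
import secrets

H_LEN = 20  # SHA-1 digest length in bytes


# ---- Annex A flavour: probable-prime generation for a toy key ----
def is_probable_prime(n, rounds=32):
    """Miller-Rabin test behind a small trial-division filter."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=512, e=65537):
    """Toy-sized key (n, e, d); the public exponent is odd, as slide 17 says for RSA."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


# ---- IF primitives: integers in, integers out, no formatting (slide 14) ----
def rsa_encrypt_primitive(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)

def rsa_decrypt_primitive(c, n, d):
    return pow(c, d, n)


# ---- Auxiliary function: mask generation as Hash(seed, 0) || Hash(seed, 1) || ... ----
def mgf1(seed, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Encryption scheme: OAEP on byte strings, then the primitive (slide 23) ----
def oaep_encode(message, k, label=b""):
    """EME-OAEP layout in the PKCS #1 v2.1 style (an assumption of this example);
    `label` stands in for the optional control information."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")  # the scheme's limited message size
    pad = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = hashlib.sha1(label).digest() + pad + b"\x01" + message
    seed = secrets.token_bytes(H_LEN)
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Returns the message, or None on any defect. A wrong label, a flipped
    ciphertext bit and bad padding all produce the same single failure."""
    if len(em) != k or k < 2 * H_LEN + 2:
        return None
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)
    ok = (em[0] == 0 and db[:H_LEN] == hashlib.sha1(label).digest()
          and sep != -1 and not any(db[H_LEN:sep]))
    return db[sep + 1:] if ok else None

def rsa_oaep_encrypt(message, n, e, label=b""):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(oaep_encode(message, k, label), "big")
    return rsa_encrypt_primitive(m, n, e).to_bytes(k, "big")

def rsa_oaep_decrypt(ciphertext, n, d, label=b""):
    k = (n.bit_length() + 7) // 8
    m = rsa_decrypt_primitive(int.from_bytes(ciphertext, "big"), n, d)
    return oaep_decode(m.to_bytes(k, "big"), k, label)
```

The "authenticated encryption" property on slide 23 shows up in `oaep_decode`: the recovered label hash and padding structure act as an integrity check, so a modified ciphertext or a mismatched control string decrypts to nothing rather than to garbage. A production implementation must also make the failing checks indistinguishable in timing, which this illustrative version does not attempt.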

Slide 26: Annexes
- Annex A: Number-theoretic background
- Annex B: Conformance
- Annex C: Rationale
- Annex D: Security considerations
- Annex E: Formats
- Annex F: Bibliography
- Test vectors to be posted on the web

Slide 27: Annex A
- Annex A: Number-Theoretic Background (Informative)
  - many number-theoretic algorithms for prime-order and binary finite fields
  - complex multiplication (CM) method for elliptic curve generation
  - primality testing and proving

Slide 28: Annex B
- Annex B: Conformance (Normative)
  - language for claiming conformance with parts of the standard
  - an implementation may claim conformance with one or more primitives, schemes or scheme operations

Slide 29: Annex C
- Annex C: Rationale (Informative)
  - some questions the working group considered...
  - why is the standard the way it is?

Slide 30: General Questions
- Why three families?
  - all are well understood, established in the marketplace to varying degrees
  - different attributes: performance, patents, etc.
  - goal is to give standard specifications, not to give a single choice
- Why no key sizes?
  - security requirements vary by application; the strength of techniques varies over time
  - goal is to give guidance but leave flexibility

Slide 31: DL/EC Questions
- Why DH and MQV?
  - DH established, more flexible with the unified model
  - MQV optimized for the ephemeral/static case
- Why DSA and NR?
  - DSA in U.S. federal standard
  - NR involves less hardware in some implementations, provides for message recovery

Slide 32: IF Questions
- Why RSA and RW?
  - RSA established, also supports encryption
  - RW signature verification faster with e = 2; supported along with RSA by ISO/IEC 9796, ANSI X9.31

Slide 33: Annex D
- Annex D: Security Considerations (Informative)
  - key management (authentication, generation, validation)
  - security parameters (key sizes)
  - random number generation
  - emphasis on common uses and secure practice

Slide 34: Annex E
- Annex E: Formats (Informative)
  - suggested interface specifications, such as representation of mathematical objects and scheme outputs

Slide 35: Ballot Status
- IEEE P1363 ballot started February 1999
- Ballot passed, many comments received
- Recirculation ballot in progress
  - based on the revised document, response to negative votes
- Document submitted for IEEE RevCom approval at its September meeting

Slide 36: The Future

Slide 37: Preview of P1363a
- P1363a will provide missing pieces of P1363
- It is intended that the two documents will be merged during future revisions
- Working group has received numerous submissions (see web site)
- Four submissions will be presented on Thursday afternoon (Aug. 19)
  - some may be more appropriate for other P1363 projects

Slide 38: Proposed Outline for P1363a
- Key agreement schemes (TBD)
- Signature schemes
  - DL/EC scheme with message recovery
  - PSS, FDH, PKCS #1 encoding methods for the IF family
  - PSS-R for message recovery in the IF family
- Encryption schemes
  - Abdalla-Bellare-Rogaway DHAES for the DL/EC family

Slide 39: Beyond P1363a
- Simple, self-contained projects
  - each separately authorized by IEEE, developed and balloted
  - same working group oversees
- Another supplement: P1363b for similar techniques
  - e.g., provably secure schemes, other families
- New projects: P1363.1, .2, .3, ... for other types of technique

Slide 40: New Project Ideas (1)
- Key and domain parameter generation and validation
- Threshold cryptosystems
- Key establishment protocols
- Entity authentication protocols
- Proof-of-possession protocols
- Guidelines for implementations
  - updated security considerations, key size recommendations, interoperability issues, etc.

Slide 41: New Project Ideas (2)
- Conformance testing
- ASN.1 syntax
- S-expression syntax
- Identification schemes
- Password-based security protocols
- Fast implementation techniques and number-theoretic algorithms
- Editors needed!

Slide 42: Officers
- New slate of officers to be elected in September for two-year terms, under new bylaws
  - Chair
  - Vice-chair
  - Primary editor
  - Secretary
  - Treasurer
- Send nominations to Burt Kaliski; self-nominations accepted

Slide 43: Meetings in 1999
- August 19-20, University Center State Street Room, UC Santa Barbara
  - Thursday 2:00-5:30pm
  - Friday 8:30-5:00pm
- November (?) to be announced

Slide 44: For More Information
- Web site
  - grouper.ieee.org/groups/1363
  - publicly accessible research contributions and P1363a submissions
- Two mailing lists
  - general announcements list, low volume
  - technical discussion list, high volume
  - everybody is welcome to subscribe
  - web site contains subscription information

Slide 45: Current Officers
- Chair: Burt Kaliski (officer nominations, P1363a submissions, new project ideas)
- Vice-chair: Terry Arnold
- Secretary: Roger Schlafly
- Treasurer: Michael Markowitz
- Editor: Yiqun Lisa Yin (P1363 comments)

