ICT-2007-216676

ECRYPT II

European Network of Excellence in Cryptology II

Network of Excellence

Information and Communication Technologies

D.SPA.19

Yearly Report on Standardization (2012-2013)

Due date of deliverable: 31. Jan 2013
Actual submission date: 22. Jan 2013

Start date of project: 1 August 2008
Duration: 4 years

Lead contractor: Katholieke Universiteit Leuven (KUL)

Revision 1.0

Project co-funded by the European Commission within the 7th Framework Programme

Dissemination Level
PU Public X
PP Restricted to other programme participants (including the Commission services)
RE Restricted to a group specified by the consortium (including the Commission services)
CO Confidential, only for members of the consortium (including the Commission services)


Yearly Report on Standardization (2012-2013)

Editor
Nigel Smart (BRIS)

Past and present contributors
Steve Babbage (VOD), Christian Cachin (IBM), Alex Dent (RHUL), Christian Gehrmann (ERICS), Marc Girault (FT), Louis Granboulan (ENS), Arjen Lenstra (EPFL), Chris Mitchell (RHUL), Nicky Mouha (KUL), Mats Naslund (ERICS), Phong Nguyen (ENS), Elisabeth Oswald (Bristol), David Pointcheval (ENS), Bart Preneel (KUL), Matt Robshaw (FT), Jorg Schwenk (BOCHUM), Martijn Stam (EPFL), Jacques Stern (ENS), Serge Vaudenay (EPFL), Frederik Vercauteren (KUL), Michael Ward (MasterCard), Erik Zenner (DTU).

22. Jan 2013
Revision 1.0

The work described in this report has in part been supported by the Commission of the European Communities through the ICT program under contract ICT-2007-216676. The information in this document is provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.


Contents

1 Introduction

2 Survey of Standardization Forums
2.1 3GPP
2.2 ANSI
2.3 Bluetooth SIG
2.4 BSI
2.5 CEES
2.6 CEN
2.7 EPC
2.8 EMV
2.9 ETSI
2.10 ICAO
2.11 IEEE
2.12 IETF and IRTF
2.13 ISO/IEC
2.14 NIST
2.15 NFC Forum
2.16 OASIS
2.17 OMA
2.18 RSA Labs PKCS
2.19 SECG
2.20 TCG
2.21 W3C
2.22 ZigBee Alliance
2.23 Summary

3 Summary of Standardization Activities of ECRYPT II
3.1 ISO
3.2 NIST
3.3 OASIS
3.4 EMV
3.5 ETSI
3.6 SECG
3.7 Smart Grids
3.8 IETF
3.9 IEEE 1363.3
3.10 3GPP
3.11 W3C XML
3.12 Algorithm/keysize recommendations

References


Abstract

The report is the final summary of the standardization related activities of the ECRYPT II Network of Excellence (NoE), funded within the Information & Communication Technologies (ICT) Programme of the European Commission’s Seventh Framework Programme (FP7).

The report is the official deliverable D.SPA.19 of the NoE.


Chapter 1

Introduction

This report is the yearly report on the standardization activities performed by the ECRYPT II Network of Excellence (NoE), which is funded within the Information & Communication Technologies (ICT) Programme of the European Commission’s Seventh Framework Programme (FP7).

The report is the official deliverable D.SPA.19, as specified by the ECRYPT II Description of Work (DoW) and builds on previous reports, including those of the first ECRYPT NoE [10, 11, 12, 13, 14, 15, 16].

Standardization is an important tool to enable interoperability. In the case of cryptography, it also serves the purpose of enhancing security:

• Open standards make it easy for the general public, and, in particular, for cryptography experts, to scrutinise algorithms’ and protocols’ security properties. This can either lead to increased confidence in the security of the mechanisms contained within a standard, or to the revision/withdrawal of insecure standards.

• It has been said that there are two ways to build security; either make the system so complex it has no obvious flaws, or, make it so simple that it obviously has no flaws. Today, very few believe in the first approach, and standardization assists in meeting the second design principle. By providing well-defined options/choices, standards enable simpler, yet interoperable systems to be designed.

It is sometimes necessary for standardization in the area of cryptography to be conducted in a reactive fashion, as a response to newly discovered security weaknesses. However, the goal should be to drive cryptographic standardization in a proactive way, i.e. to not “put all of the eggs in one basket”. The expertise available in ECRYPT II is, of course, important both in the reactive and proactive approach. First, it is not unlikely that ECRYPT II experts from time to time will discover new weaknesses, and it is important that ECRYPT II has channels to feed such results into the affected standardization bodies. Secondly, it is also likely that ECRYPT II will design new algorithms and protocols that fill gaps in existing standards, or even be the base of completely new standards. In this case, ECRYPT II should be able to contribute directly to the new standards.

Another area where ECRYPT II can play an important role is to issue statements of “best current practice”, providing guidelines for how to securely use (configure and implement) existing standards. Also, the explanation of new results in cryptanalysis in such a way that the difficult mathematics is understandable to the general public is another important communication aspect of ECRYPT II.

To accomplish all of this, the document first surveys standardization activities, identifying which are most relevant to ECRYPT II. This survey can be found in Chapter 2. Secondly, this document makes an inventory of ECRYPT II partners’ involvement in these, to make sure ECRYPT II has the needed interfaces to these standards. This summary of the standards involvement can be found in Chapter 3. This summary, in this final report, is cumulative for the entire length of the ECRYPT II network.

Note that centrally coordinated responses from ECRYPT II as a whole are usually only provided when a standards body makes an explicit request for comments either to ECRYPT II specifically or to the community at large; hence centrally arranged activities are low. However, several partners are highly active in various standardization bodies on an individual basis.


Chapter 2

Survey of Standardization Forums

2.1 3GPP

The 3rd Generation Partnership Project (3GPP) [1] was established in December 1998. The project was a result of a collaboration between a number of telecommunications standards bodies (called Organisational Partners). The current organisational partners are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

3GPP defines the 3rd generation mobile system functions, based on evolved GSM (Global System for Mobile communication) and GPRS (General Packet Radio Service) networks. 3GPP also works with the maintenance and development of the GSM, GPRS and Enhanced Data rates for GSM Evolution (EDGE) technical specifications. The technical specification work is performed in five Technical Specification Groups (TSGs). Each group has a number of working groups. The Services and System Aspects (SA) technical specification group has one working group devoted to security, the SA WG3 working group [2].

Although 3GPP SA WG3 does not work with cryptographic algorithm design as such (see the ETSI SAGE group in Section 2.9), it does undertake work relating to cryptanalysis and cryptographic algorithm requirements. These activities are relevant to ECRYPT II.

Other notable, security-intense ongoing work items in 3GPP are:

• Completion of the LTE (“4G”) standard where the air interface protection algorithms were recently specified.

• Specification of an end-to-end (terminal-to-terminal) security solution for the IP Multimedia Subsystem (e.g. Voice-over-IP communication).

• Security for ETWS (Earthquake and Tsunami Warning System) using (short) digital signatures over narrow bandwidth channels.

2.2 ANSI

The American National Standards Institute [3] (ANSI) defines standards with world-wide impact. It was founded in 1918 as a private not-for-profit organisation. Of particular importance for ECRYPT II are the highly influential X9.XX series of standards, originally intended for the financial and banking industries. This series of standards has gone on to influence almost all other cryptographic standards. Algorithms which are contained, or have been contained, in the ANSI X9.XX standards include DES, AES, SHA-1, SHA-2, RSA, various elliptic curve based algorithms, as well as various techniques which use these algorithms as components such as modes of operations and MACs.

2.3 Bluetooth SIG

The Bluetooth Special Interest Group (SIG) [4] is an industry consortium that was founded in 1998 by Ericsson, Intel, IBM, Toshiba and Nokia. This group of promoter companies was later extended to include Microsoft, Agere and Motorola. The SIG is headed by the Board of Directors (BoD), and each promoter company has one representative. Any other company or organisation is free to join the SIG either as an associate or adopter member. However, only associate members can influence the development of the technology. The Bluetooth specification work is done in the SIG committees, working groups and expert groups. Most of the security related specification work is done in the radio working group with support from the security expert group. Recent work included adding public-key cryptography (in “secure simple pairing”). The most relevant work to ECRYPT II is the security enhancement work that is done in the radio working group and security expert group.

2.4 BSI

The German Federal Office for Information Security (BSI) [5] publishes a number of technical notes and guidelines. Of particular relevance for ECRYPT II partners has been the work on machine readable travel documents (BSI TR-03110), which has resulted in a number of ECRYPT II partners working on analysis in this area.

2.5 CEES

The Consortium for Efficient Embedded Security (CEES) [6] is similar to SECG/PKCS and maintains the EESS #1 standard for NTRUEncrypt and NTRUSign (which can also be found in the draft IEEE P1363.1).

Some ECRYPT II partners have been (and are) very active in the area of “lattice based cryptography” to which NTRU belongs.

2.6 CEN

CEN (European Committee for Standardization) [7] is an open organisation consisting of 28 National members, 8 Associates from various industry-areas and 2 Counsellors (EC, EFTA). CEN has close partnerships with ISO, ETSI and CENELEC (European Committee for Electrotechnical Standardization). CEN’s scope covers the use of those publicly available European standards which are intended to be implemented on a national basis. Standards are reviewed every five years. Besides standards specifications, CEN also produces technical reports, and organises Workshops aimed at bridging the gap between de-facto standardization and the consensus approach to standardization. The result of such a Workshop is called a “Workshop agreement”.

The scope of CEN is vast (covering e.g. funeral services, footwear, heating, etc). There are CEN Workshops (within CEN/ISSS — the CEN Information Society Standardization System [33]) for e-business, smart-cards, data protection/privacy, and e-authentication which may have some relation to ECRYPT II activities. Biometrics is part of the “Security for Citizens” Workshop. The ISSS also co-ordinates Focus groups, including a group in the area of biometrics, and closed groups on digital rights management (DRM) and network information security (NIS). The latter project is being run in conjunction with ETSI.

2.7 EPC

The European Payments Council (EPC) [9] is the decision making and coordination body of the European banking industry in relation to payments. EPC was established in 2002. Its purpose is to support and promote the creation of a Single Euro Payments Area (SEPA); a single harmonised, open and interoperable European “domestic” payments market achieved through industry self-regulation. EPC defines common positions for core payment services within a competitive market place, provides strategic guidance for standardization, and formulates best practices. Of the EPC reports the most relevant to ECRYPT II is: Guidelines on Algorithms Usage and Key Management.

2.8 EMV

EMVCo is a consortium originally set up by Europay, Mastercard and Visa to develop standards for chip-and-pin technology [25]. The main relevant standard is Book-2 which defines the encryption and signature mechanisms used between the chip-card and the terminal. The standard defines a system of high commercial value, as it secures a significant proportion of credit and debit card transactions world wide (in the customer present at the merchant scenario and for ATMs). In addition, it has started to be used for authentication in on-line banking applications via the CAP system.

2.9 ETSI

The European Telecommunications Standards Institute (ETSI) [26] was founded in 1988 and is an independent, non-profit organisation whose mission is to produce telecommunications standards (for both fixed and radio communications). ETSI consists of 688 members from 55 countries inside and outside Europe, including manufacturers, network operators, administrations, service providers, research bodies and users. ETSI is headed by a General Assembly (including a Board). The technical organisation consists of a number of Technical Committees (e.g. TC ESI for electronic signature [27]), a number of Projects (e.g. Broadband Radio Access Networks, BRAN), Special Committees (e.g. Security Algorithm Group of Experts, SAGE) and Partnership Projects (e.g. 3GPP).

The areas of ETSI’s scope that seem most relevant to ECRYPT II are:

• The cryptographic aspects of TC ESI and SAGE. A special task force (TF263) related to the ESI work on algorithms and key sizes was created and it produced TS 102 176 “Algorithms and Parameters for Secure Electronic Signatures”.

• Part of the security work done in 3GPP SA3 (treated separately in Section 2.1).

2.10 ICAO

ICAO (the International Civil Aviation Organisation) [28] was formed after an international conference in 1944. Like ISO, representation is national. The Council (elected from member states) governs the work and an Assembly meets every third year to review the organisation’s activities.

One of ICAO’s chief activities is the establishment of International Standards, Recommended Practices and Procedures (as adopted by the council) covering the technical fields of aviation. This includes security and safety aspects.

In 2003, ICAO adopted a global, harmonised blueprint for the integration of biometric identification information into passports and other Machine Readable Travel Documents (MRTDs). In particular, some cryptographic techniques are specified in connection to this. For instance, recommended algorithms and key sizes are specified.

2.11 IEEE

The IEEE [29] was formed in 1963 in a merger between the AIEE (American Institute of Electrical Engineers) and the IRE (Institute of Radio Engineers). The IEEE is the world’s largest technical professional association, connecting more than 360,000 members (membership is on a per-individual basis, rather than per-organisation) in approximately 150 countries. Besides standardization activities, IEEE is also a major publisher of books and journals, and organises workshops and conferences. The technical standardization is done in a number of projects.

The scope of IEEE standards is large, covering aerospace, communication/information technology, power/energy technology, etc. For ECRYPT, the most relevant projects being run by the IEEE are 1363 on public-key cryptography; and, to some extent, the security related aspects of the LAN/MAN standards in P802 (in particular, 802.1, 802.11, 802.15, 802.16 and 802.20). Since the security enhancements for WLAN (802.11i) were recently finalised, the main security work going on in P802 is on 802.1AE, MAC Security.

2.12 IETF and IRTF

The Internet Engineering Task Force (IETF) [30] is an open international community concerned with the operation of the Internet and the evolution of the Internet architecture. Participation is on an individual basis. Work is organised by Areas (headed by Area Directors), and each Area has a number of Working Groups. The ADs form the Internet Engineering Steering Group (IESG). The Internet Architecture Board (IAB) is responsible for the “birds-eye view” of the architecture.

The Internet Research Task Force (IRTF) [31] promotes long-term research about the future of the Internet and is composed of a number of Research Groups.

There are several working groups in the IETF and IRTF with a general security focus, and some with a more “core cryptography” focus. In the security Area, the following groups are most relevant to ECRYPT II:

• ipsec: the standard IKE/IPsec protocols,

• msec: multi-cast and group security,

• tls: transport layer security.

There are also a number of groups that may have some relevance, e.g. smime, openpgp, mobike, etc.

Within the IRTF, the Crypto Forum Research Group (CFRG) and Group Security (GSEC) research groups are of interest.

2.13 ISO/IEC

ISO (International Organisation for Standardization) [32] is a network of national standards institutes from 148 countries. Membership is distributed on the basis of one member per country. However, ISO is a non-governmental organisation: its members are not delegations of national governments. Members are mostly representative of standardization in the respective countries.

The IEC (International Electrotechnical Commission) was founded in 1906, and is also based on national bodies participation. The technical work is done in Technical Committees (TCs), which divide the work between Sub-Committees (SCs) and further into Working Groups (WGs).

ISO/IEC standards are revised every 5 years, although standards can be revised earlier if there are appropriate technical reasons to do so. Unfortunately, the review period is extended and changes can take several years to affect a published standard. Simple technical changes can be made within six months by issuing technical corrigenda.

The scope of ISO is vast, covering all aspects of standardisation. The scope of the IEC is more limited, covering electrical, electronic and related technologies. Of most relevance to ECRYPT II is the work done in ISO/IEC Joint Technical Committee 1 (JTC1) sub-committee 27 (IT Security techniques), and, in particular, in Working Group 2 (Security techniques and mechanisms). Also in JTC1 we find SC17, cards and personal identification; and SC37, biometrics. A second body of relevance within SC27 is Working Group 5, concerned with privacy and identity management.

Also, the work of ISO TC68/SC2 (security management and general banking operations) is related to cryptography, e.g. WG 11 is concerned with encryption algorithms used in banking applications.

2.14 NIST

Founded in 1901, NIST [34] is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology.

Organisationally, within the NIST Laboratories, we find the Computer Security Resource Center (CSRC) [8] maintaining the FIPS series of standards and the 800-series security guidelines.

While being a US federal organisation, NIST standards are often incorporated into international/European standards and it may thus be of importance to follow the developments. Of potential interest for ECRYPT II partners’ involvement we have identified the on-going work on cryptographic hash functions following the recent SHA-1 attacks, (key-size) improvements to DSA, possible additions to block cipher modes of operations, planned review of FIPS 113 (DES-MAC), and the on-going key management work.

2.15 NFC Forum

Near Field Communication (NFC) is a short-range wireless connectivity technology that evolved from a combination of existing contactless identification and interconnection technologies.

The NFC Forum [35] is a non-profit industry association that promotes the use of NFC short-range wireless interaction in consumer electronics, mobile devices and PCs. The NFC Forum supports implementation and standardization of NFC technology.

NFC forum comprises a set of different technologies. There is a technical working group for security, but presently, no common NFC security standard exists.

2.16 OASIS

Founded in 1993, OASIS (Organisation for the Advancement of Structured Information Standards) [36] is a non-profit, international consortium standardising e-business; XML being an important example. The consortium is led by a Board of Directors (by election) and there is also an Executive Committee. The actual technical work is done in technical committees (TCs). Organisations as well as individuals can become members in OASIS.

OASIS has (among many others) TCs for digital signatures, PKI, security services (SAML), web application security, web services security, biometric formats, legal XML contracts, and election and voter services. The digital signature technical committee is probably the most relevant to ECRYPT II, but others may have some relevance.

2.17 OMA

The OMA (Open Mobile Alliance) [37] was formed in 2002 by some 200 companies, including mobile operators, device and network suppliers, information technology companies, and content and service providers. OMA produces mobile service enabler specifications. Currently there are over 300 members. The technical work is carried out in Working Groups, with one Working Group specifically targeting security.

The security working group hosts the WTLS standard (TLS optimised for wireless links), specifications for the Wireless Identity Module (WIM), Wireless PKI, etc. The Browser and Content group has a sub-group working on DRM (Digital Rights Management).

2.18 RSA Labs PKCS

The U.S.-based company RSA maintains a set of Public-Key Cryptography Standards (PKCS) [38]. RSA accepts contributions to the standards series from any secure system developer, but takes responsibility for the editorship of the standards and also enforces some IPR rules for the companies or individuals contributing to the standards. Contributions are handled by mailing lists and through occasional workshops. The PKCS targets public-key algorithms and parameter choices, formats for digital signatures and encryption, certificates and cryptographic interfaces. The work of PKCS typically feeds into other established standards bodies as development matures.

All aspects of the public-key cryptographic algorithm work performed within the PKCS forum are relevant to ECRYPT II, although the operation of PKCS is now largely dormant, as other standards activities have taken over the work it did.

2.19 SECG

The Standards for Efficient Cryptography Group (SECG) [39] is an industry consortium, founded in 1998, with the purpose of developing commercial standards that facilitate the adoption of efficient cryptography and interoperability. SECG members include technology companies and players in the information security industry. Hence, it has a similar status to the RSA Labs PKCS standards. Currently, two standards are maintained, SEC 1: Elliptic Curve Cryptography, and SEC 2: Recommended Elliptic Curve Domain Parameters. Current work includes ECC reference implementation and an ECC CA.

2.20 TCG

The Trusted Computing Group (TCG) [40] is an industry standards body. The organisation defines standards for a hardware-enabled trusted computing environment. The TCG was formed in April 2003 by Intel, IBM, Microsoft, HP and AMD. TCG has three different member categories: promoter, contributor and adopter. The consortium is headed by the Board of Directors, on which each promoter company has one representative. A limited number of contributor members may also be represented on the Board of Directors, if they are nominated and elected. The TCG has incorporated specifications from its precursor Trusted Computing Platform Alliance (TCPA) into its work. The specification work is performed in work groups and special committees.

A general trusted computing architecture and related software interfaces are standardised by the TCG. The core security component in the TCG architecture is the Trusted Platform Module (TPM). Different types of platforms are handled by platform profiles, e.g., PC platform, PDA platform, and cellular platform. The TCG targets both trusted computing architectures and methods for evaluating implementations based on the TCG platform architecture.

The cryptographic work regarding one-way hash functions, MACs, digital signatures, key wrapping, ciphers, and random number and key generation in the TPM and profile work groups is relevant to ECRYPT II.

2.21 W3C

The World Wide Web Consortium (W3C) is an international collaboration to create standards for the Web. It details everything from the basic definitions of HTML, XML and CSS through to detailed “Semantic Web” style environments.

2.22 ZigBee Alliance

The ZigBee Alliance [41] is an association of companies working to develop open standards for sensor and actuator networks.

The ZigBee specification relies on AES-based security (AES counter mode, AES-CBC-MAC and AES-based key management).

Lightweight (in terms of speed, footprint and power consumption) and scalable solutions for communication security (encryption, key management, etc.) would seem a natural common interest with ECRYPT II (SymLab, MAYA). Implementation (DPA resistance, etc.) also seems relevant (VAMPIRE).

2.23 Summary

Based on the survey above, one can roughly partition the standardization bodies into two categories: those that specify algorithms and low-level protocols, and those that work with higher layer protocols and the applications of cryptography (and may use components from the other standards bodies).

In the first category, we have the following standardization bodies (with examples of their standards).

• ANSI: The X9.XX standards cover a large amount of cryptographic techniques.

• Bluetooth SIG: The E-suite of algorithms, e.g. the E0 stream cipher.

• IEEE: The public key algorithms in P1363, the “Michael” message authentication function in 802.11i, etc.

• ISO/IEC: Many examples, e.g. the 18033 4-part encryption standard, the 18031 random bit generation standard, etc.

• PKCS: Standards for RSA encryption (PKCS#1), etc.

• ETSI: The algorithms produced by 3GPP and SAGE, e.g. the f8/f9 algorithms for UMTS link layer encryption. The algorithm and key size work in ESI is also important.

• IETF: The IETF usually includes algorithm standards by reference to other standards, but a few cases exist where IETF “maintains” an algorithm standard. Also, protocols such as IKE and IPsec must (cryptographically) be considered quite low level specifications.

These are all very relevant to ECRYPT II.

The second category contains EPC, EMV, ICAO, NFC, OASIS, TCG, and ZigBee. They are certainly not without relevance, but ECRYPT II activities in these bodies could be more of a “monitoring” or “advisory” role.

OMA falls somewhere in between these two. It produces the WTLS specification, which is known to differ sufficiently from TLS to show different security properties and which must be considered low-level cryptography. However, it also produces higher-level standards.

Chapter 3

Summary of Standardization Activities of ECRYPT II

As this is the final report we summarize a number of standardization activities over the entire length of the project.

3.1 ISO

In 2011 ECRYPT presented ISO with a response as to how algorithms are selected and chosen for inclusion in ISO standards. ECRYPT II prepared a response which was considered by ISO at their April 2011 meeting. The main recommendation of ECRYPT II was that an open public process akin to the NIST processes for AES and SHA-3 is to be preferred. The ISO questions and our response are detailed in the report from 2011. ISO is currently updating ISO/IEC 18033-1 with selection criteria for encryption algorithms. A procedure for the removal of algorithms is also under construction. In an upcoming project similar criteria for hash functions will be added to ISO/IEC 10118-1.

Several standards developed by ISO/IEC SC27/WG2 are nearing publication or have recently been published in 2011-2012. This includes (parts of) standards on key management, time stamping, anonymous entity authentication, anonymous digital signatures, signcryption, MAC functions and lightweight cryptography.

• Much work is being done on a series of standards concerning lightweight cryptography (ISO/IEC 29192). The block cipher PRESENT and the stream cipher Trivium, both of which were developed involving researchers from one or more ECRYPT II partners and associate members, made it into the final standard. Photon, Spongent, Keccak and Lesamnta-LW were proposed for the lightweight hashing standard and are currently being studied. Two of these hash functions, Spongent and Lesamnta-LW, were developed involving researchers from ECRYPT II partners. A comparative study of the performance of lightweight hash functions by ECRYPT II partners has also been contributed to the ISO study period.

• Two new multi-part standards, ISO/IEC 20008 and ISO/IEC 20009, covering anonymous digital signatures and anonymous entity authentication, respectively, were recently finished. An ECRYPT II member was editor of 20009-1.

• ISO/IEC SC31 has sent several RFID authentication protocols to ISO/IEC SC27 WG2 for comments. ECRYPT II partners are currently analyzing these protocols and will send feedback through SC27.

• Several new standards and study periods were recently started by ISO. Homomorphic encryption, secret sharing and key derivation mechanisms are currently being investigated and will likely result in one or more new standard proposals. A first draft of a multipart standard on blind signatures is available.

• The ISO/IEC 11770-3 standard on key management mechanisms based on asymmetric cryptographic techniques is undergoing revision. A scheme by an ECRYPT II member is included in the latest committee level draft. Publication is expected by 2014. The standard covering group key management (ISO/IEC 11770-5) was published in 2011.

• ISO/IEC SC27/WG2 has asked ECRYPT II for contributions for their standing document SD4. This standing document gives an overview of the security status and implementation results for the cryptographic algorithms standardized by ISO/IEC SC27/WG2. ECRYPT II has contributed several documents, amongst which the Yearly Report on Algorithms and Key Lengths [24].

• Technical work has continued on the ISO/IEC 29150 signcryption standard. ECRYPT II members have provided significant input in the form of algorithmic descriptions and security analysis. The standard has been published in 2011.

• Work has been completed on a revision of ISO/IEC 9796-2 (covering RSA-based signatures which give message recovery). This was an area of keen interest because the mechanism in 9796-2 which is used in the EMV card standard has been attacked. The revised version was published in late 2010 noting that the first mechanism specified in ISO/IEC 9796-2:2010 is only applicable for existing implementations, and is retained for reasons of backward compatibility.

• A revised edition of ISO/IEC 9797-1 (covering CBC-MACs) containing CMAC has been completed and was published at the beginning of 2011. A new MAC standard (ISO/IEC 9797-3) covering MACs based on universal hash functions has been published in 2011.

• A new part of the elliptic curve standard (ISO/IEC 15946-5), covering curve generation techniques, was published in December 2009.

• An amendment to ISO/IEC 18033-4 has been published. It contains two additional stream cipher algorithms: Rabbit and Decimv2, both of which originated from eSTREAM, the ECRYPT stream cipher project. A revision of ISO/IEC 18033-4, which contains this amendment and adds one more cipher, is currently under development.

• ISO/IEC 19772 (Authenticated encryption) was published in February 2009. ISO/IEC 19772 standardises six authenticated encryption techniques. The techniques it covers are: OCB 2.0, key wrap, CCM, EAX, encrypt-then-MAC (combining any symmetric encryption method with any MAC) and GCM.

3.2 NIST

From 2008 to 2012, NIST ran a competition to select a future hash function standard: SHA-3. ECRYPT II SymLab (WG 1: Hash Functions) ran in parallel to this project, and has played a crucial role in the design, implementation, benchmarking and cryptanalysis of the SHA-3 candidate algorithms, as well as the analysis of their theoretical foundations.

Out of the 64 submissions to the SHA-3 competition, NIST determined that 51 satisfied the submission requirements and advanced to the first round. After a year of intensive cryptanalysis, 14 algorithms were selected for the second round. Out of these 14 algorithms, 10 algorithms were (co-)designed by people who were, at some point during the ECRYPT II project, employed by ECRYPT II partners or associate members: BLAKE, CubeHash, Echo, Grøstl, Hamsi, Keccak, Luffa, Shabal, SHAvite-3 and SIMD. The winner of the SHA-3 competition is the Keccak algorithm, designed by the ECRYPT II associate member NXP Semiconductors, Belgium.

During the SHA-3 competition, the only website to provide a complete overview of all SHA-3 candidates and their cryptanalysis results has been ECRYPT II’s SHA-3 Zoo (part of D.SYM.1). ECRYPT II has also played a crucial role in benchmarking the SHA-3 candidates. These benchmarking results were provided by the eBASH initiative, which is part of eBACS (ECRYPT Benchmarking of Cryptographic Systems).

To encourage researchers to investigate the properties of the SHA-3 candidate algorithms, ECRYPT II has organized four research retreats, a workshop and a summer school. The four research retreats, where cryptographers sit together in small groups to analyze the SHA-3 candidates, have proven to be very fruitful in producing scientific results. These six events were the following:

• Hash Function Retreat, hosted by T.U. Graz from May 6 to 7, 2009.

• Hash3: Proofs, Analysis, and Implementation, an ECRYPT II Event on Hash Functions held in Tenerife, Spain from November 16 to 20, 2009.

• Second Hash Function Retreat, held at Ecole Normale Superieure, Paris from April 20 to 22, 2010.

• Third Hash Function Retreat, held at EPFL, Lausanne, Switzerland from March 21 to 23, 2011.

• Hash Function Workshop, held in Tallinn, Estonia from May 19 to May 20, 2011.

• Hash Function Retreat, held at KU Leuven, Leuven, Belgium from November 30 to December 1, 2011.

3.3 OASIS

OASIS has started work on the Key Management Interoperability Protocol; it supports certain cryptographic operations related to key management, such as key derivation and key wrapping. ECRYPT II members participated in the standardization group and provided input and feedback on the draft standard.

Under OASIS, IBM has collaborated with numerous other parties on developing the so-called Key Management Interoperability Protocol V1.0 specification for interoperable communication. KMIP delivers a single, comprehensive protocol for communication between encryption systems and many different legacy enterprise applications, such as email, storage devices and databases. KMIP also offers better data security while reducing expenditures on multiple products, by removing redundant, incompatible key management processes.

At the RSA 2010 Conference, client programs implemented by HP, IBM and SafeNet were used to communicate using KMIP with key management servers implemented by HP and IBM.

3.4 EMV

In fall 2012 EMVCo asked for input on their new key agreement protocol suite, which is due to be standardized in 2013. ECRYPT partners from Bristol and Darmstadt analysed the protocol and provided important feedback into the design process, which is now being taken forward.

3.5 ETSI

KU Leuven and Royal Holloway were commissioned by ETSI to examine the algorithms in the LTE standard for 4G mobile phone networks.

3.6 SECG

In June 2009 ECRYPT II members provided proof reading help to the authors of the standard.

3.7 Smart Grids

The NIST Smart Grid Interoperability Panel is pushing guidelines for security and privacy in smart grid implementations, covering a wide range of aspects including cryptographic primitives and selection of cryptographic standards. ECRYPT II members participated in several working groups, and contributed to the panel’s output, e.g., NISTIR 7638. While the group continues refining and advancing its results, its findings are currently incorporated into the technical standards applicable for the smart grid.

The European Smart Grid Task Force Expert Group 2 has been set up by the European Commission to develop guidelines and technical recommendations for European smart grid implementations, and the group’s output has been the base for the corresponding European Commission communication COM(2011) 202. ECRYPT II members have substantially contributed to the working group, and will be involved in the follow-on work on more concrete standards.

3.8 IETF

We discovered a remote timing attack vulnerability in OpenSSL’s implementation of scalar multiplication of points on elliptic curves over binary fields. We used this vulnerability to design and implement a key recovery attack using lattice methods. As a result, CERT issued vulnerability note VU#536044 (http://www.kb.cert.org/vuls/id/536044) and the OpenSSL team integrated our countermeasure patch into their development code for upcoming stable releases. Eric Rescorla, a maintainer of the TLS RFC, expressed interest in the result; this specific vulnerability could be something easily addressed at the standardization level.

We have been active in the IETF S/MIME standard. In particular we have proposed a method to include email header lines in OpenPGP or S/MIME signatures. This method is fully backwards compatible.

3.9 IEEE 1363.3

Detailed input was provided to the IEEE 1363.3 standardization process on pairing-based cryptography. This included submission of schemes for ID-based key agreement, ID-based signatures and ID-based encryption. Continued detailed discussions were held with the main editors on how the standard should be presented, and line-by-line comments on early drafts have been provided.

3.10 3GPP

During the project, 3GPP adopted SNOW 3G and AES (Counter mode + CMAC) as security algorithms for the air interface protection. The work was done in collaboration with ETSI SAGE and involved input from a number of ECRYPT II partners.

3.11 W3C XML

The W3C XML Security Working Group maintains the evolution of the XML Security specifications. In 2010 W3C-XML fostered the new 1.1 and 2.0 versions of the XML Signature specification, which describes the application of digital signature algorithms to XML documents, and the 1.1 version of the XML Encryption specification, describing the application of encryption algorithms to XML documents. RUB became part of the working group in March 2010. Since then, RUB has actively supported the draft versions of the upcoming specifications, giving advice on what can be done to make the new specification versions more robust to certain kinds of attacks, more performant, and more convenient to use [42].

3.12 Algorithm/keysize recommendations

ECRYPT’s yearly algorithm report [17, 18, 19, 20] was updated for ECRYPT II and released in [21, 22, 23]; this has now been updated again in [24]. This report provides an important reference point not only for many standards bodies, but also for companies working on proprietary closed systems.

Bibliography

[1] 3GPP website, http://www.3gpp.org.

[2] 3GPP SA3 website, http://www.3gpp.org/TB/SA/SA3/SA3.htm.

[3] ANSI, http://www.ansi.org.

[4] Bluetooth SIG Security Expert Group, https://www.bluetooth.org/bluetooth/landing/g_security.php.

[5] Federal Office for Information Security, https://www.bsi.bund.de/cln_165/EN/Home/home_node.html.

[6] Consortium for Efficient Embedded Security, http://www.ceesstandards.org.

[7] CEN website, http://www.cenorm.be.

[8] Computer Security Resource Center, http://csrc.nist.gov.

[9] EPC website, www.europeanpaymentscouncil.eu.

[10] ECRYPT NoE, ECRYPT Yearly Report on Standardization (2004), ECRYPT deliverable D.SPA.9-1.0, January 2005.

[11] ECRYPT NoE, ECRYPT Yearly Report on Standardization (2005), ECRYPT deliverable D.SPA.15-1.0, January 2006.

[12] ECRYPT NoE, ECRYPT Yearly Report on Standardization (2006), ECRYPT deliverable D.SPA.20-1.1, January 2007.

[13] ECRYPT NoE, ECRYPT Yearly Report on Standardization (2008), ECRYPT deliverable D.SPA.27-1.0, July 2008.

[14] ECRYPT II NoE, ECRYPT II Yearly Report on Standardization (2009), ECRYPT II deliverable D.SPA.6-1.0, July 2009.

[15] ECRYPT II NoE, ECRYPT II Yearly Report on Standardization (2010), ECRYPT II deliverable D.SPA.12-1.0, July 2010.

[16] ECRYPT II NoE, ECRYPT II Yearly Report on Standardization (2011), ECRYPT II deliverable D.SPA.16-1.0, July 2011.

[17] ECRYPT NoE, ECRYPT Yearly Report on Algorithms and Key Lengths (2004), ECRYPT deliverable D.SPA.10-1.1, March 2005.

[18] ECRYPT NoE, ECRYPT Yearly Report on Algorithms and Key Lengths (2005), ECRYPT deliverable D.SPA.16-1.0, January 2006.

[19] ECRYPT NoE, ECRYPT Yearly Report on Algorithms and Key Lengths (2006), ECRYPT deliverable D.SPA.21-1.0, January 2007.

[20] ECRYPT NoE, ECRYPT Yearly Report on Algorithms and Key Lengths (2007-2008), ECRYPT deliverable D.SPA.28-1.0, July 2008.

[21] ECRYPT II NoE, ECRYPT II Yearly Report on Algorithms and Key Lengths (2008-2009), ECRYPT II deliverable D.SPA.7-1.0, July 2009.

[22] ECRYPT II NoE, ECRYPT II Yearly Report on Algorithms and Key Lengths (2009-2010), ECRYPT II deliverable D.SPA.13-1.0, March 2010.

[23] ECRYPT II NoE, ECRYPT II Yearly Report on Algorithms and Key Lengths (2010-2011), ECRYPT II deliverable D.SPA.17-1.0, July 2011.

[24] ECRYPT II NoE, ECRYPT II Yearly Report on Algorithms and Key Lengths (2011-2012), ECRYPT II deliverable D.SPA.20-1.0, Sept. 2012.

[25] EMVCo. http://www.emvco.com.

[26] ETSI website, http://www.etsi.org.

[27] ETSI TC ESI, http://portal.etsi.org/portal_common/home.asp?tbkey1=esi.

[28] ICAO website, http://www.icao.org.

[29] IEEE website, http://www.ieee.org.

[30] IETF website, http://www.ietf.org.

[31] IRTF website, http://www.irtf.org.

[32] ISO website, http://www.iso.org.

[33] CEN/ISSS website, http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/index.asp?pClose=2.

[34] National Institute of Standards and Technology, http://www.nist.gov.

[35] NFC Forum, http://www.nfc-forum.org.

[36] OASIS web site, http://www.oasis-open.org.

[37] OMA web site, http://www.openmobilealliance.org.

[38] PKCS website, http://www.rsasecurity.com/rsalabs/.

[39] Standards for Efficient Cryptography Group, http://www.secg.org.

[40] TCG website, http://www.trustedcomputinggroup.org/.

[41] ZigBee Alliance, http://www.zigbee.org.

[42] Tibor Jager and Juraj Somorovsky, “How to Break XML Encryption,” Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), 2011, 10 pages.