Emerging key-recovery-service

© RSA 1998

Why Standards?

• Many reasons:– interoperability– stability– assurance

• De facto or de jure?

RSA Data Security, Inc.

Emerging Standards for Public-Key Cryptography

SEIKO INSTRUMENTS PAGER PAL

© RSA 1998

Introduction

• As research matures, it can be made “standard”– ’70s and ’80s research in public-key

cryptography leads to standards in ’90s

• This talk is a snapshot of some of the standards efforts — and the interesting issues they raise



Part I:

Survey of Standards Efforts

© RSA 1998

Outline

I. Survey of Standards Efforts

II. A General Model for Public-Key Standards

III. Strong Primes: A Recurring Technical Debate

IV. Some Research Motivated by Standards

© RSA 1998

Some Public-Key Standards Efforts

• ANSI X9F1

• IEEE P1363

• ISO/IEC JTC1 SC27

• US NIST

© RSA 1998

ANSI X9F1 Efforts

• Some ANSI documents (drafts)– X9.30DSA signatures– X9.31RSA/RW signatures (rDSA)– X9.42 DH/MQV key agreement– X9.44 RSA key transport– X9.62 elliptic curve signatures– X9.63 EC key agreement / transport– X9.79 prime generation

© RSA 1998

ANSI X9F1

• Financial Services / Data and Information Security / Cryptographic Tools

• Corporate membership

• Quarterly meetings in North America

• www.x9.org

© RSA 1998

IEEE P1363

• Standard Specifications for Public-Key Cryptography

• Sponsored by IEEE Microprocessor Standards Committee

• Individual participation

• Meetings mostly in North America

• grouper.ieee.org/groups/1363


© RSA 1998

© RSA 1998

IEEE P1363 Coverage

• Three types of technique:– key agreement, signature, encryption

• From three families:– DL: discrete logarithm– EC: elliptic curve– IF: integer factorization

• Also, number theory background, security considerations


© RSA 1998

© RSA 1998

IEEE P1363a

• Standard Specifications for Public-Key Cryptography: Additional Techniques

• In preparation

• More techniques, probably same families– identification likely to be added


© RSA 1998

© RSA 1998

ISO/IEC JTC1 SC27

• International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques

• National representation, with experts

• Meetings throughout the world

• www.iso.ch


© RSA 1998

© RSA 1998

SC27 Efforts

• Some ISO/IEC documents– 9796 Signatures with message recovery– 9798 Entity authentication– 11770Key management– 13888Nonrepudiation– 14888Signatures with appendix

• Symmetric and public-key techniques


© RSA 1998

© RSA 1998

U.S. NIST FIPS

• National Institute of Standards and Technology– part of U.S. Department of Commerce

• Federal Information Processing Standards (FIPS)

• Computer Security Act (1987) gives charter for government cryptography standards

• www.nist.gov


© RSA 1998

© RSA 1998

NIST Efforts

• Some FIPS:– 186 Digital Signature Standard– 196 Entity Authentication– new Key Exchange / Agreement

• Others of interest:– 46-2 Data Encryption Standard– 180-1 Secure Hash Standard– new Advanced Encryption Standard

© RSA 1998

Comparing the Efforts

• Different goals:– ISO, IEEE: general building blocks– ANSI: US banking requirements– NIST: US government, commercial

• Coordination:– IEEE, ANSI technical convergence– NIST will accept ANSI signature standards for

government purposes– ISO TC68 adopts ANSI X9F1

© RSA 1998

Application Standards of Interest

• S/MIME: messaging

• SSL / TLS: communications

• SET: bank card payments

• PKIX: public-key infrastructure

© RSA 1998

RSA Laboratories’ PKCS

• Public-Key Cryptography Standards

• Informal, intervendor effort coordinated by RSA Laboratories

• Periodic workshops

• www.rsa.com/rsalabs/pubs/PKCS/

© RSA 1998

PKCS Efforts

• Revisions and new documents:– PKCS #1 RSA Cryptography

• v2.0 draft in review, includes Bellare-Rogaway OAEP

– PKCS #5 Password-Based Encryption– PKCS #13 Elliptic Curve Cryptography– PKCS #14 Pseudorandom Generation– PKCS #15(?) Smart Card File Formats



Part II:

A General Model for Public-Key Standards

© RSA 1998

A General Model

• Framework with abstraction, generally following P1363

• Three levels:– primitives– schemes– protocols

• … plus key management

© RSA 1998

P1363 Naming Convention

• General form:– family type - instance

• where– family is DL, EC, IF

– type is one of:• SP: Signature Primitive

• SSA: Signature Scheme with Appendix

• etc.

– instance is a particular algorithm, e.g., DSA, DH, RSA

© RSA 1998

Primitives

• Basic mathematical operations

• Low-level implementation– e.g., crypto-accelerator, software module

• Computational security– enhanced when combined with additional

techniques in a scheme

© RSA 1998

Types of Primitive

• Secret value derivation– shared secret value from public key(s),

party’s private key(s)

• Signature and verification

• Encryption and decryption

© RSA 1998

Example: DLSP-DSA / DLVP-DSA

• DSA signature / verification primitives

• DLSP-DSA ((p, q, g, x), m):– r = (gk mod p) mod q, k random– s = k-1 (m + xr) mod q

• DLVP-DSA ((p, q, g, y), m, (r, s))– r =? (gm/s yr/s mod p) mod q

© RSA 1998

Primitives in P1363

• Secret Value Derivation– DH, MQV in DL, EC families

• Signature / Verification:– DSA, Nyberg-Rueppel in DL, EC families– RSA with and w/o absolute value– Rabin-Williams

• Encryption / Decryption:– RSA

© RSA 1998

Schemes

• Related operations combining primitives, additional techniques– a framework with options

• Medium-level implementation– e.g., cryptographic service library

• Complexity-theoretic security (ideally)– completed when appropriately applied in a

protocol

© RSA 1998

Types of Scheme

• Key agreement

• Signature– with appendix– with message recovery

• Encryption

• Identification (in P1363a)

© RSA 1998

Additional Techniques

• Encoding method– maps between message, data to be

processed by primitive– for signatures, encryption schemes

• Key derivation function– maps from shared secret value to key– for key agreement schemes

© RSA 1998

Example: DL/ECSSA

• DL/EC signature scheme– options: SP / VP / encoding method

• Signature operation (privKey, M):– S = SP (privKey, Encode (M))

• Verification operation (pubKey, M, S):– VP (pubKey, Encode (M), S) [DSA]– Encode (M) =? VP (pubKey, S) [NR]

© RSA 1998

Encoding Methods for Signatures

• DL/EC signatures– Hash (M)

• IF signatures with appendix– Pad || HashID || Hash (M)

• IF signatures wit h message recovery– ISO9796-1 (M)

© RSA 1998

Related Scheme Operations

• Domain parameter generation

• Domain parameter validation

• Key pair generation

• Public key validation

• Private key validation

© RSA 1998

Schemes in P1363

• Key agreement– three DL/EC generic: DH1, DH2, MQV

• Signature with appendix– DL/EC generic– IF generic

• Signature with message recovery– IF generic

• Encryption– IF generic

© RSA 1998

Protocols

• Sequence of operations to be performed by parties to achieve some security goal

• High-level implementation– applications, services

• “Real” security– but depends on implementation

considerations

• (No protocols in P1363)

© RSA 1998

Types of Protocol

• Key establishment– key agreement– key transport

• Entity authentication

• Data origin authentication

• Data confidentiality



Part III:“Strong” Primes:

A Recurring Technical Debate

© RSA 1998

What is a “Strong” Prime?

• RSA key pair consists of– public key (n, e)– private key (n, d)– where n = pq, p and q are large primes, and

ed 1 mod (p-1)(q-1)

• A prime p is strong if p’, the largest factor of p-1, is large

• Are strong primes necessary?

© RSA 1998

Early ’80s: Yes

• Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large

• Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors– X.509 (1988) also mentions conditions

• Related conditions on p+1, p’-1, etc.

© RSA 1998

Late ’80s / Early ’90s: No

• Lenstra’s ECM (1987) can factor n in O(exp (2 ln p ln ln p)1/2) operations, so p should be large

• … but if p is large and random, then p’ will be large with high probability

• Rivest (unpublished) argues that strong primes don’t help– but don’t hurt either

© RSA 1998

Late ’90s: Maybe

• What about signature repudiation?– Dishonest user chooses n with weak prime

– Later, disavows signature, claiming that someone factored n by p-1 method

• ANSI X9.31 (1998) standardizes on strong primes for banking– also, generates primes as one-way function of

seed

• Still, are strong primes necessary?



Part IV:Some Research Motivated By

Standards

© RSA 1998

Standards and Research

• Just as mature research is standardized, so standards efforts promote additional research

• Areas of research:– efficient implementation– cryptanalysis– components in the “framework”

© RSA 1998

Authenticated Encryption Schemes

• Problem:– Construct authenticated encryption

schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length

• Several solutions proposed for P1363a

© RSA 1998

Model

• C = Encrypt (pubKey, M, P)

• M = Decrypt (privKey, C, P)– M message– C ciphertext– P encoding parameters

• M, C, P arbitrary length

© RSA 1998

Desired Properties

• One application of underlying primitive

• Plaintext-aware encryption– no partial information about M– cannot generate C without M

• hence, cannot modify M

• Binding of P to M– cannot modify P

• Weaker assumptions– i.e., not just random oracle model

© RSA 1998

OAEP for RSA

• As in P1363 (and PKCS #1 v2.0 draft):• Encrypt (pubKey, M, P):

– EM = Encode (M, P)– C = EP (pubKey, EM)

• Decrypt (privKey, C, P):– EM = DP (privKey, C)– M = Decode (EM, P)

• M, C bounded, P arbitrary length

© RSA 1998

OAEP Encoding

• Encode (M, P)– EM = maskedSeed || maskedDB where

• maskedSeed = seed G (maskedDB)

• maskedDB = DB G (seed)

• DB = H (P) || pad || M

• seed random

• H hash function, G mask generation function

• Decode (C, P): an exercise

© RSA 1998

Limitations

• EM must be shorter than RSA modulus, so length of M is bounded

• Assumes encryption primitive — but DL/EC only has secret value derivation primitive

• Relies on random oracle model for G

© RSA 1998

IF Encryption Ideas

1. Encrypt only part of EM (various)– removes bound on length of M– which part?

2. Construct G only partly from random oracle (Bellare, Rogaway 1996)

3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)

– may reduce assumptions, need for seed

© RSA 1998

DL/EC Encryption Ideas

• General: Generate shared secret value K as in key agreement scheme, combine with M, P

1. Encode M as in OAEP, exclusive-OR K with part of result (various)

2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)

3. Combine with universal hash functions, mask generation (Zheng 1996)

© RSA 1998

Some Other Recent Results

• Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)

• RSA key validation (Liskov, Silverman 1997)

• Storage-efficient basis conversion (Kaliski, Yin 1998)

© RSA 1998

Conclusions

• Research in cryptology and data security is leading to standards, and vice versa

• Several standards efforts for different sectors, but coordinated

• General model for public-key standards emerging

• … and some technical debate continues

Investor Relations

Emerging key-recovery-service