1. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [The-Impact-of-Multiple-Public-Key-Mechanisms-on-the-802.15.3-WPAN] Date Submitted: [July 11, 2002] Source: [Rene Struik] Company [Certicom Corp.] Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1] Voice:[+1 (905) 501-6083], FAX: [+1 (905) 507-4230], E-Mail:[rstruik@certicom.com] Re: [Draft D10 of the emerging IEEE 802.15.3 WPAN standard.] Abstract:[This document discusses the consequences of adopting multiple public key mechanisms, rather than one, in the emerging IEEE 802.15.3 High-Rate WPAN standard.] Purpose:[Explain the full consequences of adopting more than one optional public key mechanism in the emerging IEEE 802.15.3 WPAN standard.] Notice:This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release:The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

2. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 2 The Impact of Multiple Public Key Mechanisms on the IEEE 802.15.3 WPAN René Struik, Certicom Research

3. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 3 Outline: Comparison Metrics of Public key Algorithms Security Factors to be Considered Multiple Public key algorithms and inter-operability

4. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 4 Feature\Public key mechanism Full MQV (submission) ‘ECIES/TLS’ (Mandatory in D10) RSA-OAEP (02/228r1) NTRUEncrypt (Optional in D10) Standardization ANSI X9.63; to become FIPS ECIES: X9.63; ECIES/TLS: no standard PKCS#1, v2.1 (June 14, 2002) Proprietary, no standard (yet) Endorsement by cryptographic community Well-studied DH- algorithm (B. Snow, NSA) ECIES: well studied; ECIES/TLS not studied at (02/213) Well-studiedPending History crypto-block198519781998 Accepted key sizes: (key mgmnt guideline) - 80-bit strength - 128-bit strength Accepted (specified) 163 bits 283 bits Accepted (specified) 1024 bits 3072 bits Controversial (not mentioned) ? Efficiency 128-bit strength: - hardware - software 6660 gates @ 25 MHz, 29 ms small, fast on Strong-ARM, Palm 50,000 gates @ 25 MHz, 184 ms (Not specified for 802.15.3) Efficiency 80-bit strength: - hardware - software 3260 gates @ 50 MHz, 2.66 ms small, fast on Strong-ARM, Palm 34,000 gates 50MHz,19.6ms Small footprint Certificate technology Yes standardized Yes standardized No Newly proposed: NTRUSign, v2 (April 2, 2002) Actual present deployment/customers Wireless, niche markets (future US Gov’t de facto) De facto (legacy) Unknown

5. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 5 Security level: Factors to consider (1) Technical factors that determine required security level for system: 1.Protection life-time (period in which data protected against unauthorized access): - copyright: 75 years; - medical information: never to be disclosed (after death: genetically relevant info!). IEEE 802.15.3 will be around at least 10-15 years (and usually outlives originally intended lifecycle); moreover, protection lifetime might be much longer than this. 2.Advances in cryptanalytic attacks (decreases workload for breaking crypto-system): - RSA: new attacks that were previously believed impossible: improvement of ‘matrix step’ Integer Factoring (Bernstein; Shamir, and Lenstra [2002]); 3.Progress in computational speed (increases time-efficiency of computations). Massive computing power soon available that was unimaginable until recently: 1 Petaflops/s (2 50 operations/s), 100+ Terabytes of storage - Present record: NEC: Earth simulator: 35.86 Tflops (June 2002, www.top500.org);www.top500.org - Developments: IBM Blue Gene: 1 Petaflops, 512+ Gbytes RAM (due before 2003); IBM: 7.5 Teraflop machines (2 43 ops/s) for commercial use (2003); Compaq, HP, et al… Many of these factors are hard to quantify. Prudent to build-in a margin of safety.

6. doc.: IEEE 802.15-02/220r0 Submission July, 2002 Rene Struik, Certicom Corp.Slide 6 Multiple Public key algorithms. Interoperability???