Procedure for submitting cryptographic techniques

(Provisional Translation)

Information-technology Promotion Agency, Japan

June 13, 2000

Final Version July 5, 2000

1. Purpose of this Project

With the goal of improving administrative efficiency and reducing paperwork costs for the private sector, the Japanese government aims to create, by FY 2003, the infrastructure of an electronic government that will computerize administrative procedures.

When created, this electronic government will be a model in a digital economy/society. A set of IT security measures that will be implemented in the electronic government is also expected to become a model for the private sector, thereby enhancing the security and reliability of the nationwide information network which are a core element of information security in the electronic government.

The purpose of this project is to list valid cryptographic techniques, together with their profile of their security and implementation aspects safety and ease of implementation. People are encouraged to present various proposals for cryptographic techniques, which will be evaluated in a professional and objective manner. The results of this project will be submitted to the government, and used in various ways asreferences for using cryptographic techniques in the electronic government.

2. Overview and Schedule of this Project

This project is part of the Electronic Government Security Technology Development Project, which issponsored by the Ministry of International Trade and Industry (MITI) and entrusted to the Information-technology Promotion Agency (IPA), Japan. For the implementation of this cryptography evaluation project, IPA has established the Cryptography Research and Evaluation Committee, which consists of experts in cryptography. The tasks of IPA and its expert committee are as follows:

(1)To issue a call for submissions for cryptographic techniques that can be applied in building systems within the electronic government

(2)To establish evaluation criteria for each category of cryptographic techniques

(3)To evaluate submitted cryptographic techniques in accordance with the evaluation criteria. Somenon-submitted cryptographic techniques will also be evaluated if an evaluation of these techniques is considered to be necessary. The evaluation will be conducted in two phases: screening and detailed. Detailed evaluation will be conducted on those techniques that have passed the screening phase. Part of the evaluation will be conducted by external cryptography experts in Japan and abroad.

(4)To scrutinize and list the profiles of the cryptographic techniques by using the results of external evaluations and other evaluations by academic groups. The evaluation results will be used within the government, and some appropriate portions of the evaluation results are planned towillbe publicized (The evaluation resultsmight include information that is not beneficial to the submitters).

Schedule for the evaluation of cryptographic techniques (planned)

Publication of evaluation criteria (done): July 5, 2000

Deadline for theproposal of cryptographic techniques arrival:

July 14, 2000

Screening evaluation: August - September, 2000

Announcement of screening evaluation results: Early October, 2000

Detailed evaluation: October - December, 2000

Announcement ofdetailed evaluation results: February, 2001 or later

3. The Categories of Solicited Cryptographic Techniques

We are soliciting proposals regarding cryptographic techniques that may be useful for building systems in the electronic government and that belong to one of the following categories, (1), (2), (3) and (4).

We will limit the scope of proposals to cryptographic techniques whose specifications and other information have been disclosed to the public. The purpose of this limitation is to ensure we receive evaluations from a wide range of specialists as well as to allow many implementers (vendors) to use the results in various applications.

Category (1) Asymmetric Cryptographic Schemes

We are soliciting Asymmetric Cryptographic Schemes that are designed for the following security functions: confidentiality, authentication, signature, and key-sharing. They must be submitted with at least one design example. If your asymmetric cryptographic scheme can implement more than one security function, select one function as the primary. If you believe that your asymmetric cryptographic scheme is capable of handling more than one primary function, submit your proposals respectively for each function.

An Asymmetric Cryptographic Scheme referred to here refers to an algorithm that provides one or more security function by using Cryptographic Primitive(s) and some Auxiliary Function(s), and consists of a description of the algorithm, requirements for cryptographic primitives and auxiliary functions.

A Cryptographic Primitive is an elementary cryptographic algorithm that provides security based on integer factoring problems, discrete logarithm problems, elliptic curves discrete logarithms problems, or other security reasons.

An Auxiliary Function is an element, such as a hash function, a (pseudo-) random number generator, that is not a cryptographic primitive but necessary for a scheme.

Design examples of cryptographic schemes need to clarify specific cryptographic techniques that will be defined by the following procedure and can be implemented on software or hardware. First, define your cryptographic scheme, and then provide details of your specific cryptographic primitive(s) and auxiliary function(s). If your scheme uses a new auxiliary function, submit it to the respective category.

Further, specify the criteria used for selecting parameters to be assigned to the cryptographic primitive(s) or auxiliary function(s), and provide recommended samples of parameter values. Finally, state clearly any multiple-precision operation routines, co-processors, and other features that will be needed to implement your design example.

Category (2) Symmetric Ciphers

The subcategories comprising this Symmetric Ciphers are as follows:

(i) Stream ciphers (initial value space:128 bits or more, number of states:128 bits or more)

(ii) 64-bit block ciphers(key length:128 bits or more)

(iii) 128-bit block ciphers(key length:128 bits or more)

Category (3) Hash Functions

We are soliciting functions that generate 128-bit or longer hash values.

Category (4) Pseudo-Random Number Generators

We are soliciting pseudo-random number generation algorithm that generates keys or seeds of keys or other parameters for cryptographic techniques.

4. What is Required When Making a Submission

The following is required when submitting a proposal for cryptographic techniques:

4.1 Consistency of Submitted Cryptographic Techniques with the Scope of this Project

Any submission of cryptographic technique must satisfy the condition specified in Chapter 3, "The Categories of Solicited Cryptographic Techniques ".

In particular, the “specifications” of submitted technique needs to be available to the public. Whether the proposed cryptographic techniques areavailable to the public is decided determined by using the followingcriteria (1) and (2) below as the criteria. (If any procedures are needed in respect to the Foreign Exchange and Foreign Trade Control Law or other statutes, patents or other rights, among others, the applicant is responsible for satisfying the procedures.) If cryptographic techniquesare not available to the public as defined above, but is are expected to be so by the end of September, 2000, before the detailed evaluation phase is to start in October, a proposal for that technique may be submitted. (If cryptographic techniques cannot be proved to be available to the public by the end ofSeptember, 2000 by the IPA, further evaluation for the techniques will not take place.)

(1)The information (both Japanese and English) identified by (2) - (4) in the Section 4.2, "Submission of Information Needed for Evaluation" (Cryptographic Techniques Overview, Cryptographic Techniques Specifications, and Self Evaluation Reports. These three are hereafter called the “specifications” in this paper) is publicly known technology or another form of information generally available to the public without restriction, and is one of the following:

(i) Technical datagenerally available to the public by way of newspapers, books, magazines, catalogs, or similar documents (excluding information that is contained in users manuals, maintenance manuals, or other documents attached to purchased products).

(ii) Technical data generally accessible to the publicby way of academic journals, published patent information, minutes of open symposiums, or similardocuments.

(iii) Technical data that can be read or listened to by the general public at libraries, through regular courses offered to plant visitors, at lectures, at exhibitions, or in a similar manner.

(2)The “specifications” or specific procedures for obtaining the “specifications” for the general public without restriction or difficulty have been made open available on a Web page prepared on the applicant sideby the applicant.

If submitted cryptographic techniques have passed screening evaluation, the IPA will create a link to the Web page prepared on the applicant sideby the applicantto publicize the information.

4.2 Submission of Information Needed for Evaluation

When submitting a proposal before July 14, 2000, the following items (1) to (9) are available to the public.These items will be used to evaluate the submitted cryptographic techniques. Theseeseinformation items may be disclosed by the Information-technology Promotion Agency, Japan to third parties from July 14, 2000.

No / Item to be submitted / Language / Format
medium
(1) / Cryptographic Techniques Application Form / Japanese or English / Cryptographic Techniques Application Form
Document and electronic medium
(2) / Cryptographic Techniques Overview / Japanese and English / Cryptographic Techniques Overview
Document and electronic medium
(3) / Cryptographic Techniques Specifications / Japanese and English / No specific format
Document and electronic medium
(4) / Self Evaluation Report / Japanese and English / No specific format
Document and electronic medium
(5) / Test vector / Electronic medium only
(text format) / No specific format
(6) / Sample code / Electronic medium only (text format) / No specific format
(7) / Information regarding the public availability status of the "specifications" / Japanese / No specific format
Document and electronic medium
(8) / Information regarding intellectual property rights / Japanese / No specific format
Document and electronic medium
(9) / Company profile / Japanese or English / Company Profile
Document and electronic medium

Japanese and English versions are required for items (2) to (4). However, at the time of submission (on or before July 14, 2000), a Japanese or English version may be accepted by itselfsubmitted independently. The other version must be submitted by the end of September, 2000.

During the evaluation process, the Japanese version will be treated as the formal document and the English version will be treated as an auxiliary document.

Since detailed evaluation may be conducted overseas, items (2) to (4) need to be submitted in both English and Japanese. The Japanese version will be treated as the formal document and the English version will be treated as an auxiliary document. If a conflict is found between the two versions, the Japanese version will be considered correct. However, such conflicts should be eliminated as far as possible. If a conflict of this type hinders the execution of evaluation, the submitted Cryptographic Techniquesmight be made ineligible for evaluation.

Each item to be submitted is explained below.

(1) Cryptographic Techniques Application Form

Write the name of submitted cryptographic techniques, submitter, inventor(s)/developer(s), and other information in the proper location on the

Cryptographic Techniques Application Form format.

(i) Application date

Write the application date.

(ii) Name of cryptographic techniques

Write the name of submitted cryptographic techniques.

(iii) Categories

Select one from asymmetric cryptographic schemes, symmetric ciphers, haush functions and, pseudo-random number generators.

(iv) Submitter’s name

The submitter should be a person who has a well understanding of the proposed cryptographic techniques.

Write thesubmitter’s name, organization (company) name, department/faculty name, title, address, phone number (whether it is a company or dial-in telephone), FAX number, e-mail address, and web address.

(v) Developer’s name

Write the name of the cryptographic techniques inventor(s)/developer(s) if the developer is different from the submitter.

Write the name and organization (company) name of the inventor(s)/developer(s).

(2) Cryptographic Techniques Overview

Write the following information according to the Cryptographic Techniques Overview format.

(i) Name of submitted cryptographic techniques

Write the name of submitted cryptographic techniques.

(ii) Categories

Select one from asymmetric cryptographic schemes, symmetric ciphers, haush functions and, random number generators.

(iii) Security Functions / Subcategories

Choose one out of confidentiality, authentication, signature and key- sharing in the case of asymmetric cryptographic scheme.

Choose one out of the stream ciphers, 64-bits block ciphers and 128-bits block ciphers in the case of the symmetric cipher.

(iv) Design policy

Write what you consider to be most beneficial about your submission in terms of design clarity, structural simplicity, and flexibility.

(v) Intended applications

Write the kind of applications you propose to apply the cryptography to.

(vi) Basic theory and techniques

Write the theory and techniques on which the cryptography is based.

(vii) References of submission

Write principal references of the cryptography and underlying techniques (paper titles, authors, magazine names, and publication dates).

(viii) Previous use

Write previous use of the cryptographic techniques.

(3) Cryptographic Techniques Specifications

(i)Design policy and design criteria

(ii) Cryptographic techniques (all information needed for implementation)

The information provided needs to contain information sufficient to allow any third party to evaluate and implement the submitted cryptographic techniques. If this information is insufficient, the proposal could be made ineligible for evaluation. Follow the Criteria below.

a) Write a complete specification for the cryptographic techniques. The specification needs to include all information needed to implement the cryptographic techniquess (such as mathematical equations, tables, algorithm logic, charts, and parameters).

b) If conditions must be satisfied before cryptographic key or other parameters can be properly set, you should also write configuration standards and recommended parameter values.

c) For an asymmetric cryptographic scheme, specify the field, ring, or group on which the submitted algorithm is based.

d) You should also specify any auxiliary functions required to make the submitted algorithm available (to implement the scheme). If your scheme uses a new auxiliary function, submit it to the respective category.

e) If your symmetric cipher supports multiple key lengths, specify whether compatibility between functions corresponding to different key lengths is provided.

If your submission requires a special device or relies on an algorithm that is not in publicly available, your submission will be made ineligible for evaluation as a rule.

If the information provided is determined to be insufficient for implementation, your submission will be made ineligible for evaluation as a rule.

You may be requested to provide additional information required for evaluation.

(4) Self Evaluation Report

Describe self-evaluation information by the submitter himself toward himregarding yourproposal. In particular, items (i) and (ii) are mandatory. If we judge conclude that your self-evaluation information is inn't sufficient, your proposal might be made ineligible for evaluation.

(i) Evaluation of security aspects

Show a concrete ba basis about of the securityof provided by your submission that you proposed concretely. And, show a provide information on the countermeasure toward the general way of attacking its to be used against a specific attack., which it can usually think about concretely, too. You should also specify countermeasures that will be used against typical attacks that could occur in ordinary environments. For typical attacks, see Chapter 5, "Evaluation Criteria".

You need not evaluate to resistance against all attacks assumed in Chapter 5, "Evaluation Criteria". If you judge conclude that your cryptographic techniques are unable to resist against one of the attacks listed in Chapter 5, you do not have to evaluate your proposal in this respect, but you should clearly state why believe that your proposalwould not be able to resist against the attack. If no self-evaluation is included, cryptographic techniques will not be evaluated.

If a specific attack can be assumed on your proposal, describe specific countermeasures against that attack.

If any academic articles concerning that attack method exist, or any references about the attack method have been made in academic meetings (ISEC, SCIS, CRYPTO, EUROCRYPT, ASIACRYPT, FSE, PKC, etc.), provide a technical commentary quoting the relevant information from such sources.

(ii) Evaluation of software implementation

Describe about speed evaluation, memory usage (code quantity, work area, etc), optimization level, description language, evaluation platform, and so on.

Note: you should also dDescribe the speed evaluation result of the key scheduler individual about for the block cipher, too.

If co-processors are used in an asymmetric cryptographic scheme for acceleration, provide information about the size of the RAM and ROM that control the co-processors. Also provide evaluations about processing speed for entire software/hardware implementations when co-processors are used.

(iii) Evaluation of hardware implementation

Describe the process used process (Field Programmable Gate-Array, gate array), speed evaluation, design environment, resource use quantity (amount of use cell in the case of Field Programmable Gate-Array, the number of gates in case of the gate array etc,) and so on.

Simulation evaluation results may also accept as information that proves the processing speed and resource consumption. And, current rate and the amount of use of a resource don't care even about the simulation evaluation result.

Note the following for evaluation of implementation aspects of asymmetric cryptographic scheme; if the use of a co-processor can increase the speed of processing, describe the functions, the number of gates, and processing performance of the co-processor used.performance.

(iv) Third party's evaluation results

If a third party has already evaluated your submission, provide a report on the evaluation results. Attach the report, if any are available.

(5) Test vector

Provide test vectors that are sufficient in quantity to evaluate the implementation performance of the cryptographic technique. If the quantity of the submitted test vectors is insufficient, the submitted cryptographic technique might be made ineligible for evaluationDescribe test vector of enough quantity to confirm implementation. It is sometimes faced toward the outside of the evaluation object when only an applicant’s test vector of the quantity that an applicant is insufficient is submitted. The minimum requirements are as follows:

(i) Asymmetric Cryptographic Schemes

Number of key pairs: 10

Number of processing samples for each key pair: 20

(ii) Symmetric Ciphers

a) Stream ciphers

Number of keys: 10

Processing sample for each key:

16 initial vectors for each 512 bits/block