ANSI-ISO-IEC-14888-3-1998-R2005.pdf

Uploaded by: 爱问知识人  Document ID: 3729127  Upload date: 2019-09-22  Format: PDF  Pages: 38  Size: 155.31KB

Reference number ISO/IEC 14888-3:1998(E)

INTERNATIONAL STANDARD ISO/IEC 14888-3
First edition 1998-12-15

Information technology - Security techniques - Digital signatures with appendix - Part 3: Certificate-based mechanisms

Technologies de l'information - Techniques de sécurité - Signatures digitales avec appendice - Partie 3: Mécanismes fondés sur certificat

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 12/13/00

Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036

Copyright 2002 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America

Copyright American National Standards Institute. Provided by IHS under license with ANSI. Licensee=USN Ship Repair Facility Yokosuka/9961031100. Not for Resale, 05/08/2007 20:58:23 MDT. No reproduction or networking permitted without license from IHS.

ISO/IEC 14888-3:1998(E)

ISO/IEC 1998 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.

ISO/IEC Copyright Office, Case postale 56, CH-1211 Genève 20, Switzerland
Printed in Switzerland

Foreword

ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

International Standard ISO/IEC 14888-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 14888 consists of the following parts, under the general title Information technology - Security techniques - Digital signatures with appendix:
- Part 1: General
- Part 2: Identity-based mechanisms
- Part 3: Certificate-based mechanisms

Further parts may follow.

Annexes A and B form an integral part of this part of ISO/IEC 14888. Annexes C to G are for information only.

1 Scope

ISO/IEC 14888 specifies digital signature mechanisms with appendix for messages of arbitrary length and is applicable for providing data origin authentication, non-repudiation, and integrity of data.

This part of ISO/IEC 14888 specifies certificate-based digital signature mechanisms with appendix. In particular, this part of ISO/IEC 14888 provides
1) a general description of certificate-based digital signature mechanisms whose security is based on the difficulty of the discrete logarithm problem in the underlying commutative group (see Clause 6),
2) a general description of certificate-based digital signature mechanisms whose security is based on the difficulty of factoring (see Clause 7), and
3) a variety of normative digital signature mechanisms with appendix using certificate-based mechanisms for messages of arbitrary length (see Annex A and B).

2 Normative references

The following standards contain provisions which, through reference in this text, constitute provisions of this part of ISO/IEC 14888. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this part of ISO/IEC 14888 are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.

ISO/IEC 14888-1:1998, Information technology - Security techniques - Digital signatures with appendix - Part 1: General.
ISO/IEC 14888-2:1998, Information technology - Security techniques - Digital signatures with appendix - Part 2: Identity-based mechanisms.
ISO/IEC 9796:1991, Information technology - Security techniques - Digital signature scheme giving message recovery.
ISO/IEC 9796-2:1997, Information technology - Security techniques - Digital signature schemes giving message recovery - Part 2: Mechanisms using a hash-function.
ISO/IEC 10118-3:1998, Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions.
ISO/IEC 10118-4:1998, Information technology - Security techniques - Hash-functions - Part 4: Hash-functions using modular arithmetic.

3 General

This part of ISO/IEC 14888 makes use of the definitions, symbols, legend for figures, and notation given in ISO/IEC 14888-1.

The verification of a digital signature requires the signing entity's verification key. It is thus essential for a verifier to be able to associate the correct verification key with the signing entity. For certificate-based mechanisms, this association must be provided by some certifying measure, for example, the verification key is retrieved from a certificate.

The goal of this part of ISO/IEC 14888 is to specify the following processes and functions within the general model described in ISO/IEC 14888-1:
- the process of generating keys
  - generating domain parameters
  - generating signature and verification keys
- the process of producing signatures
  - (optional) producing pre-signatures
  - preparing the message for signature
  - computing witnesses
  - computing the signature
- the process of verification
  - preparing message for verification
  - retrieving the witness
  - computing the verification function
  - verifying the witness

4 Definitions

For the purpose of this part of ISO/IEC 14888, the definitions of ISO/IEC 14888-1 apply. Additional definitions which are required are as follows.

4.1 Finite commutative group: A finite set J with the binary operation such that:
- For all a, b, c ∈ J, (ab)c = a(bc)
- There exists e ∈ J with ea = a for all a ∈ J
- For all a ∈ J there exists b ∈ J with ba = e
- For all a, b ∈ J, ab = ba

4.2 Order of an element in a finite commutative group: If $a^0 = e$ and $a^{n+1} = a a^n$ (for n ≥ 0) is defined recursively, the order of a ∈ J is the least positive integer n such that $a^n = e$.

5 Symbols and notation

Throughout this part of ISO/IEC 14888 the following symbols and notations are used in addition to those given in ISO/IEC 14888-1.

E          a finite commutative group
#E         the cardinality of E
a|b        concatenation of b to a
Q          a divisor of #E
G          an element of order Q in E
gcd(U, N)  the greatest common divisor of integers U and N
T1         first part of assignment
T2         second part of assignment
ZN         the set of integers U with

0 U 1 GF (P -1)/Q mod P, an element of order Q in E = Z*P

The integers P, Q, and G can be public and can be common to a group of users. To achieve FIPS compliance, parameters P and Q are generated as specified in FIPS PUB 186, Appendix 2 (Details can be found in Annex C of this part of ISO/IEC 14888).

Note 1: The size of the prime P in this normative example is as specified by the Digital Signature Algorithm (DSA). Note that the size of P is restricted to be at most 1024 bits. As of 19 May 1994, the size of P provides a sufficient security margin. It is acknowledged that future advances in number theoretic algorithms may possibly render the size of P of 1024 bits as insufficient.

Note 2: It is recommended that all users check the proper generation of the DSA public parameters.

Note 3: It is recognized that DSA possesses an unfavourable property in which an attack can be mounted where collisions on the underlying hash function can be found with a complexity of $2^{74}$ as compared to $2^{80}$ in the most secure case. This attack though is easily detectable. For users who may still wish to avoid this property, it can be prevented by using the mechanism of A.1.2.
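The parameter check that Note 2 recommends, as an added example that is not part of the standard: it tests only the algebraic relations among P, Q and G stated above (primality, Q dividing P - 1, G of order Q, and the 1024-bit bound of Note 1), not the seed-based generation procedure of FIPS PUB 186. The function names and the toy values P = 23, Q = 11, F = 2 are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                              # witness found: composite
    return True

def derive_generator(P, Q, F):
    """G = F^((P-1)/Q) mod P; None when F maps to the identity."""
    G = pow(F, (P - 1) // Q, P)
    return G if G > 1 else None

def check_domain_parameters(P, Q, G, max_p_bits=1024):
    """Return the list of violated relations; empty means all hold."""
    problems = []
    if P.bit_length() > max_p_bits:
        problems.append("P longer than max_p_bits")
    if not is_probable_prime(P):
        problems.append("P is not prime")
    if not is_probable_prime(Q):
        problems.append("Q is not prime")
    if Q < 2 or (P - 1) % Q != 0:
        problems.append("Q does not divide P - 1")
    if not 1 < G < P:
        problems.append("G outside 2..P-1")
    elif Q < 2 or pow(G, Q, P) != 1:
        # With Q prime and G != 1, G^Q = 1 means the order is exactly Q.
        problems.append("G^Q mod P != 1, so G does not have order Q")
    return problems

# Constructed toy values, far too small for real use.
TOY_P, TOY_Q, TOY_F = 23, 11, 2
TOY_G = derive_generator(TOY_P, TOY_Q, TOY_F)
```

A verifier that receives P, Q and G from a certificate or shared configuration would call `check_domain_parameters` once per parameter set and refuse to verify signatures under a set that returns any problem.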

A.1.1.2 DSA generation of signature key and verification key

The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 1 GF (P -1)/Q mod P

Note: Special care should be taken to the generation of P, Q, and F. For example, the procedures of A.1.1.1 may be used.

A.1.2.2 Pointcheval/Vaudenay generation of signature key and verification key

The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 Q are prime integers and a signature exponent s equal to the verification exponent v, an integer greater than or equal to 4. This common exponent can be included in the domain parameters or derived from a certificate in the optional text of the appendix. Also specified (optionally) in the domain parameters is an integer n which specifies the size of the integer primes in bits. Nominally, n is 1/3 the number of bits used to represent N. The size of the hash token is restricted to n-1 bits (i.e., 0 Q and the signature exponent s with s ≥ 4. The factors P and Q shall be kept secret.

B.2.2.2 Generation of verification key

The verification key is a pair of integers Y = (N, v), where N is the product $N = P_1 P_2 P_3 = P^2 Q$ and v is an integer which satisfies the condition v = s ≥ 4.

B.2.3 Signature process

The signature process of ESIGN follows the general model described in Clause 8 of ISO/IEC 14888-1. It is a randomized signature mechanism which uses a deterministic witness and produces a one-part signature.

B.2.3.1 Producing pre-signature

The pre-signature is computed in two steps.

B.2.3.1.1 Producing the randomizer

The signing entity generates secretly a randomizer which is a random or pseudo-random positive integer K Mod PQ such that 0 x1, …, xg. Conversely, a g-long sequence of bits $x_1, \ldots, x_g$ is converted to an integer by the rule

$x_1, \ldots, x_g \rightarrow x_1 \cdot 2^{g-1} + x_2 \cdot 2^{g-2} + \cdots + x_{g-1} \cdot 2 + x_g$.

Note that the first bit of the sequence corresponds to the most significant bit of the corresponding integer and the last bit to the least significant bit.

Let L-1 = n*160 + b, where b and n are integers and 0 b 3, then a, b shall satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod{p}$, and every point $P = (x_P, y_P)$ on E (other than the point $\mathcal{O}$) shall satisfy the following equation in $F_p$:

$y_P^2 = x_P^3 + a x_P + b$.

If $q = 2^m$ is a power of 2 (so the underlying field is $F_{2^m}$), then b shall be non-zero in $F_{2^m}$, and every point $P = (x_P, y_P)$ on E (other than the point $\mathcal{O}$) shall satisfy the following equation in $F_{2^m}$:

$y_P^2 + x_P y_P = x_P^3 + a x_P^2 + b$.

An elliptic curve point P (which is not the point at infinity $\mathcal{O}$) is represented by two field elements, the x-coordinate of P and the y-coordinate of P: $P = (x_P, y_P)$.

D.1.1 Addition rules for elliptic curves over Fp

The set of points $E(F_p)$ forms a group with the following addition rules:

(i) $\mathcal{O} + \mathcal{O} = \mathcal{O}$

(ii) $(x,y) + \mathcal{O} = \mathcal{O} + (x,y) = (x,y)$ for all $(x,y) \in E(F_p)$

(iii) $(x,y) + (x,-y) = \mathcal{O}$ for all $(x,y) \in E(F_p)$ (i.e. the negative of the point (x,y) is $-(x,y) = (x,-y)$)

(iv) (Rule for adding two distinct points that are not inverses of each other) Let $(x_1,y_1) \in E(F_p)$ and $(x_2,y_2) \in E(F_p)$ be two points such that $x_1 \neq x_2$. Then $(x_1,y_1) + (x_2,y_2) = (x_3,y_3)$, where:

$x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$ and $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$.

(v) (Rule for doubling a point) Let $(x_1,y_1) \in E(F_p)$ be a point with $y_1 \neq 0$. Then $2(x_1,y_1) = (x_3,y_3)$, where:

$x_3 = \lambda^2 - 2x_1$, $y_3 = \lambda(x_1 - x_3) - y_1$ and $\lambda = \dfrac{3x_1^2 + a}{2y_1}$.

The group $E(F_p)$ is abelian, which means that $P_1 + P_2 = P_2 + P_1$ for all points $P_1$ and $P_2$ in $E(F_p)$. The curve is said to be supersingular if $\#E(F_p) = p + 1$; otherwise it is non-supersingular.

D.1.2 Addition rules for elliptic curves over F2m

The set of points $E(F_{2^m})$ forms a group with the following addition rules:

(i) $\mathcal{O} + \mathcal{O} = \mathcal{O}$

(ii) $(x,y) + \mathcal{O} = \mathcal{O} + (x,y) = (x,y)$ for all $(x,y) \in E(F_{2^m})$

(iii) $(x,y) + (x,x+y) = \mathcal{O}$ for all $(x,y) \in E(F_{2^m})$ (i.e. the negative of the point (x,y) is $-(x,y) = (x,x+y)$)

(iv) (Rule for adding two distinct points that are not inverses of each other) Let $(x_1,y_1) \in E(F_{2^m})$ and $(x_2,y_2) \in E(F_{2^m})$ be two points such that $x_1 \neq x_2$. Then $(x_1,y_1) + (x_2,y_2) = (x_3,y_3)$, where:

$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$ and $\lambda = \dfrac{y_2 + y_1}{x_2 + x_1}$.

(v) (Rule for doubling a point) Let $(x_1,y_1) \in E(F_{2^m})$ be a point with $x_1 \neq 0$. Then $2(x_1,y_1) = (x_3,y_3)$, where:

$x_3 = \lambda^2 + \lambda + a$, $y_3 = x_1^2 + (\lambda + 1)x_3$, and $\lambda = x_1 + \dfrac{y_1}{x_1}$.

The group $E(F_{2^m})$ is abelian, which means that $P_1 + P_2 = P_2 + P_1$ for all points $P_1$ and $P_2$ in $E(F_{2^m})$.
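The group law of D.1.1 written out as an added example (not part of the standard): it applies rules (i) to (v) with the usual chord and tangent slopes for a curve y^2 = x^3 + ax + b over F_p and represents the point at infinity as `None`. The curve y^2 = x^3 + 2x + 2 over F_17, the base point (5, 1) and all function names are constructed for illustration so the arithmetic can be checked by hand.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (19 points in total).
P_MOD, A, B = 17, 2, 2
BASE = (5, 1)

def is_nonsingular(a=A, b=B, p=P_MOD):
    """Annex D condition for p > 3: 4a^3 + 27b^2 is nonzero mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0

def on_curve(pt, a=A, b=B, p=P_MOD):
    """True for the point at infinity and for (x, y) satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def add(p1, p2, a=A, p=P_MOD):
    """Rules (i)-(v) of D.1.1."""
    if p1 is None:                          # (i), (ii): infinity is the identity
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:     # (iii): (x, y) + (x, -y) = infinity
        return None
    if x1 != x2:                            # (iv): slope of the chord
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    else:                                   # (v): slope of the tangent, y1 != 0
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def multiply(k, pt):
    """k*pt by double-and-add, built only from add()."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def point_order(pt, limit=1000):
    """Least n >= 1 with n*pt = infinity (definition 4.2 in additive notation)."""
    acc, n = pt, 1
    while acc is not None and n < limit:
        acc, n = add(acc, pt), n + 1
    return n if acc is None else None
```

Because this toy curve has 19 points and 19 differs from p + 1 = 18, it is non-supersingular in the sense of D.1.1.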
