《BS-ISO-IEC-9796-2-2002.pdf》由会员分享,可在线阅读,更多相关《BS-ISO-IEC-9796-2-2002.pdf(58页珍藏版)》请在三一文库上搜索。
1、BRITISH STANDARD BS ISO/IEC 9796-2:2002 Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanisms ICS 35.040 ? Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI
2、BS ISO/IEC 9796-2:2002 This British Standard, having been prepared under the direction of the DISC Board, was published under the authority of the Standards Policy and Strategy Committee on 24 October 2002 BSI 24 October 2002 ISBN 0 580 40618 0 National foreword This British Standard reproduces verb
3、atim ISO/IEC 9796-2:2002 and implements it as the UK national standard. It supersedes BS ISO/IEC 9796-2:1997 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/33, Security techniques, which has the responsibility to: A list of organizations represen
4、ted on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards Correspondence Index”, or by using t
5、he “Search” facility of the BSI Electronic Catalogue or of British Standards Online. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard does not of itself confer immunity from
6、legal obligations. aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK
7、. Summary of pages This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to vii, a blank page, pages 1 to 47 and a back cover. The BSI copyright date displayed in this document indicates when the document was last issued. Amendments issued since publication A
8、md. No. DateComments Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI Reference number ISO/IEC 9796-2:2002(E) INTERNATIONAL STANDARD ISO/IEC 9796-2 Second edition 2002-10-01 Information technology Security techniques Digital signature schemes
9、 giving message recovery Part 2: Integer factorization based mechanisms Technologies de linformation Techniques de scurit Schmas de signature numrique rtablissant le message Partie 2: Mcanismes bass sur une factorisation entire BS ISO/IEC 97962:2002 Licensed Copy: sheffieldun sheffieldun, na, Thu No
10、v 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS ISO/IEC 97962:2002 ii Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI IS/OIE6979 C-2:2002(E) I SO/IE 2002 C All irhgts seredevr iii Contents s Forewordv Introduction vi 1Scope.1 2No
11、rmative references 1 3Terms and definitions1 4Symbols and abbreviated terms.3 5Converting between bit strings and integers5 6Requirements.5 7Model for signature and verification processes.6 7.1Signing a message.7 7.1.1Overview.7 7.1.2Message allocation7 7.1.3Message representative production 7 7.1.4
12、Signature production.7 7.2Verifying a signature8 7.2.1Overview.8 7.2.2Signature opening8 7.2.3Message recovery8 7.2.4Message assembly.8 7.3Specifying a signature scheme8 8Digital signature scheme 1 .9 8.1Parameters9 8.1.1Modulus length.9 8.1.2Trailer field options9 8.1.3Capacity 9 8.2Message represe
13、ntative production 9 8.2.1Hashing the message9 8.2.2Formatting 9 8.3Message recovery10 9Digital signature scheme 2 .11 9.1Parameters11 9.1.1Modulus length.11 9.1.2Salt length.11 9.1.3Trailer field options11 9.1.4Capacity 12 9.2Message representative production 12 9.2.1Hashing the message12 9.2.2Form
14、atting 12 9.3Message recovery12 10Digital signature scheme 3 .13 Annex A (normative) Public key system for digital signature14 Annex B (normative) Mask generation function 18 Annex C (informative) On hash-function identifiers and the choice of the recoverable length of the message20 Annex D (informa
15、tive) Examples21 Bibliography 47 Page BS ISO/IEC 97962:2002 iii Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI IS/OIE6979 C-2:2002(E) vi I SO/IE 2002 C All irhgts seredevr Foreword ISO (the International Organization for Standardization) an
16、d IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal wi
17、th particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC ha
18、ve established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the join
19、t technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 9796-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, I
20、T Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 9796-2:1997), which has been technically revised. Implementations which comply with ISO/IEC 9796-2 (1st edition), and which use a hash-code of at least 160 bits in length, will be compliant with ISO/IEC 9796-2
21、 (2nd edition). Note, however, that implementations complying with ISO/IEC 9796-2 (1st edition) that use a hash-code of less than 160 bits in length will not be compliant with ISO/IEC 9796-2 (2nd edition). ISO/IEC 9796 consists of the following parts, under the general title Information technology S
22、ecurity techniques Digital signature schemes giving message recovery: Part 1: Mechanisms using redundancy Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms Further parts may follow. Annexes A and B form a normative part of this part of ISO/IEC 9796. Annexes C
23、 and D are for information only. BS ISO/IEC 97962:2002 iv Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI IS/OIE6979 C-2:2002(E) I SO/IE 2002 C All irhgts seredevr v Introduction Digital signature mechanisms can be used to provide services s
24、uch as entity authentication, data origin authentication, non-repudiation, and integrity of data. A digital signature mechanism satisfies the following requirements. Given the verification key but not the signature key it shall be computationally infeasible to produce a valid signature for any messa
25、ge. Given the signatures produced by a signer, it shall be computationally infeasible to produce a valid signature on a new message or to recover the signature key. It shall be computationally infeasible, even for the signer, to find two different messages with the same signature. NOTEComputational
26、feasibility depends on the specific security requirements and environment. Most digital signature mechanisms are based on asymmetric cryptographic techniques and involve three basic operations. A process for generating pairs of keys, where each pair consists of a private signature key and the corres
27、ponding public verification key. A process that uses the signature key, called the signature process. A process that uses the verification key, called the verification process. There are two types of digital signature mechanisms. When, for a given signature key, two signatures produced for the same
28、message are identical, the mechanism is said to be non-randomized (or deterministic); see ISO/IEC 14888-1. When, for a given message and signature key, each application of the signature process produces a different signature, the mechanism is said to be randomized. The first and third of the three m
29、echanisms specified in this part of ISO/IEC 9796 are deterministic (non- randomized), whereas the second of the three mechanisms specified is randomized. Digital signature mechanisms can also be divided into the following two categories: When the whole message has to be stored and/or transmitted alo
30、ng with the signature, the mechanism is named a “signature mechanism with appendix” (see ISO/IEC 14888). When the whole message, or part of it, can be recovered from the signature, the mechanism is named a “signature mechanism giving message recovery” (see ISO/IEC 9796 (all parts). NOTEAny signature
31、 mechanism giving message recovery, for example, the mechanisms specified in ISO/IEC 9796 (all parts), can be converted to give a digital signature with appendix. This can be achieved by applying the signature mechanism to a hash-code derived as a function of the message. If this approach is employe
32、d, then all parties generating and verifying signatures must agree on this approach, and must also have a means of unambiguously identifying the hash-function to be used to generate the hash-code from the message. The mechanisms specified in ISO/IEC 9796 (all parts) give either total or partial reco
33、very, with the objective of reducing storage and transmission overhead. If the message is short enough, then the entire message can be included in the signature, and recovered from the signature in the verification process. Otherwise, a part of the message can be included in the signature, and the r
34、emainder stored and/or transmitted along with the signature. BS ISO/IEC 97962:2002 v Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI IS/OIE6979 C-2:2002(E) iv I SO/IE 2002 C All irhgts seredevr The mechanisms specified in this part of ISO/IE
35、C 9796 use a hash-function for hashing the entire message (possibly in more than one part). ISO/IEC 10118 specifies hash-functions for digital signatures. BS ISO/IEC 97962:2002 vi Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI IS/OIE6979 C-
36、2:2002(E) I SO/IE 2002 C All irhgts seredevr ivi Patent information The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 9796 may involve the use of a p
37、atent concerning the “Probabilistic signature scheme” (U.S. Patent 6,266,771 issued 2001-07-24). ISO and IEC take no position concerning the evidence, validity and scope of this patent right. The holder of this patent right has assured ISO and IEC that they are willing to negotiate licences under re
38、asonable and non-discriminatory terms and conditions with applications throughout the world. In this respect, the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained from: University of California Senior Licensing Officer Office of Technology Tran
39、sfer 1111 Franklin Street, 5th Floor Oakland, California 94607-5200 USA Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9796 may be the subject of patent rights other than that identified above. ISO and IEC shall not be held responsible for identifying any or
40、all such patent rights. BS ISO/IEC 97962:2002 vii Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI Licensed Copy: sheffieldun sheffieldun, na, Thu Nov 23 04:01:09 GMT+00:00 2006, Uncontrolled Copy, (c) BSI ISO/IEC979 6-2:0220E() ISO/EIC002 2
41、Allr ightser seevrd1 Information technology Security techniques Digital signature schemes giving message recovery Integer factorization based mechanisms Part 2: 1 Scope This part of ISO/IEC 9796 specifies three digital signature schemes giving message recovery, two of which are deterministic (non-ra
42、ndomized) and one of which is randomized. The security of all three schemes is based on the difficulty of factorizing large numbers. All three schemes can provide either total or partial message recovery. The method for key production for the three signature schemes is specified in this part of ISO/
43、IEC 9796. However, techniques for key management and for random number generation (as required for the randomized signature scheme), are outside the scope of this part of ISO/IEC 9796. Users of this standard are, wherever possible, recommended to adopt the second mechanism (Digital signature scheme
44、2). However, in environments where generation of random variables by the signer is deemed infeasible, then Digital signature scheme 3 is recommended. Digital signature scheme 1 shall only be used in environments where compatibility is required with systems implementing the first edition of this stan
45、dard. However, Digital signature scheme 1 is only compatible with systems implementing the first edition of this standard that use hash- codes of at least 160 bits. 2 Normative references The following normative documents contain provisions which, through reference in this text, constitute provision
46、s of this part of ISO/IEC 9796. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this part of ISO/IEC 9796 are encouraged to investigate the possibility of applying the most recent editions of the normati
47、ve documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards. ISO/IEC 9796-3:2000, Information technology Security techniques Digital signature schemes givi
48、ng message recovery Part 3: Discrete logarithm based mechanisms ISO/IEC 9797-2, Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function ISO/IEC 9798-1:1997, Information technology Security techniques Entity authentication Part
49、 1: General ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functions ISO/IEC 14888 (all parts), Information technology Security techniques Digital signatures with appendix 3 Terms and definitions For the purposes of this part of ISO 9796, the following terms and definitions apply. 3.1 capacity positive integer indicating the number of bits available within the signature for the recovera