CAN CSA-ISO IEC 14888-3A-2012 Information technology - Security techniques - Digital signatures with appendix - Part 3 Discrete logarithm based mechanisms - AMENDMENT 1 Elliptic Cu.pdf

1、Information technology Security techniques Digital signatures with appendix Part3: Discrete logarithm based mechanisms AMENDMENT1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schn

2、orr Digital Signature AlgorithmAmendment 1:2012 (IDT) toNational Standard of CanadaCAN/CSA-ISO/IEC 14888-3-07(ISO/IEC 14888-3:2006, IDT)NOT FOR RESALE.PUBLICATION NON DESTINE LA REVENTE.CSA Standards Update ServiceAmendment 1:2012 toCAN/CSA-ISO/IEC 14888-3-07March 2012Title:Information technology Se

3、curity techniques Digital signatures with appendix Part3: Discrete logarithm based mechanisms AMENDMENT1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Alg

4、orithmPagination:30 pages (iii preliminary and 27 text)To register for e-mail notification about any updates to this publication go on-line to shop.csa.caclick on E-mail Services under MY ACCOUNTclick on CSA Standards Update ServiceThe List ID that you will need to register for updates to this publi

5、cation is 2418670.If you require assistance, please e-mail techsupportcsa.ca or call 416-747-2233.Visit CSAs policy on privacy at csagroup.org/legal to find out how we protect your personal information.Reference numberISO/IEC 14888-3:2006/Amd.1:2010(E)ISO/IEC 2010INTERNATIONAL STANDARD ISO/IEC14888-

6、3Second edition2006-11-15AMENDMENT 12010-06-15Information technology Security techniques Digital signatures with appendix Part 3: Discrete logarithm based mechanisms AMENDMENT 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital S

7、ignature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm Technologies de linformation Techniques de scurit Signatures numriques avec appendice Partie 3: Mcanismes bass sur un logarithme discret AMENDEMENT 1: Algorithme de signature numrique russe de courbe elliptique, algorith

8、me de signature numrique schnorr, algorithme de signature numrique schnorr de courbe elliptique, et algorithme de signature numrique schnorr totale de courbe elliptique ISO/IEC 14888-3:2006/Amd.1:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing

9、 policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Cen

10、tral Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been ta

11、ken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of

12、this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-

13、1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org ii ISO/IEC 2010 All rights reservedAmendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved iiiForeword ISO (the International Organization for

14、 Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective org

15、anization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information techno

16、logy, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards

17、 adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subje

18、ct of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Amendment 1 to ISO/IEC 14888-3:2006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. Amendment 1 to ISO/IEC 14888-

19、3:2006 introduces four digital signature algorithms: Elliptic Curve Russian Digital Signature Algorithm (EC-RDSA), Schnorr Digital Signature Algorithm (SDSA), Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA), and Elliptic Curve Full Schnorr Digital Signature Algorithm (EC-FSDSA). Object

20、identifiers, test vectors, a comparison of certificate-based mechanisms, and claimed features for choosing a mechanism are given. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Digital sign

21、atures with appendix Part 3: Discrete logarithm based mechanisms AMENDMENT 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm Page 1, Clause 2 In t

22、he second normative reference, replace “1998” with “2008”. Page 3, Clause 4 Add the following to the end of the list of symbols: Y y-value of F a finite field PF a finite field of prime order p PZ*a multiplicative group over PF Page 27, Clause 6 Add the following subclauses after 6.6.4.6: 6.7 EC-RDS

23、A 6.7.1 Introduction to EC-RDSA EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm) is a signature mechanism with verification key Y = XG; that is, the parameter D is equal to 1. The message is prepared such that M1is empty and M2is the message to be signed, i.e., M2= M. The coefficients (A

24、, B, C) of the EC-RDSA signature equation are set as follows: (A, B, C) = (T1,T2, -S), where TT12(, )= (H, R) and H = h(M) is the hash-code of message M, converted to an integer as described in 6.7.4.5. The witness function is defined by the formula R = FE2I(X) mod q. Amendment 1:2012 to CAN/CSA-ISO

25、/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 2 ISO/IEC 2010 All rights reservedThus the signature equation becomes HK + RX - S 0 (mod q). NOTE EC-RDSA stands for Elliptic Curve Russian Digital Signature Algorithm. The mechanism is taken from a Russian State Standard 36. The notation here has be

26、en changed from GOST R 34.10-2001 to conform with the notation used in ISO/IEC 14888. 6.7.2 Parameters p a prime E an elliptic curve group over the field GF p() #E the cardinality of E q a prime divisor of #E G a point on the elliptic curve of order q Hash-function identifier or OID with specified h

27、ash-function. All these parameters can be public and can be common to a group of users. 6.7.3 Generation of signature key and verification key The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 X q. The parameter D is 1. The corresponding publ

28、ic verification key Y is Y = XG. A users secret signature key X and public verification key Y are normally fixed for a period of time. The signature key X shall be kept secret. NOTE The Russian standard for digital signature (GOST R 34.10-2001) does not completely specify the process of generation o

29、f a users secret signature key X. 6.7.4 Signature process 6.7.4.1 Producing the randomizer The signing entity generates a random or pseudo-random integer K such that 0 K q. 6.7.4.2 Producing the pre-signature The input to this stage is the randomizer K, and the signing entity computes = KG. 6.7.4.3

30、Preparing message for signing The message is prepared such that M1is empty and M2is the message to be signed, i.e., M2= M. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 36.7.4.4 Computing the witness The signing entity computes R =

31、FE2I(X) mod q. 6.7.4.5 Computing the assignment The signing entity computes =HhM2(). H is then converted to an integer according to conversion rule BS2I in Annex B. If H is equal to 0 mod q, then H is set to 1. The assignment (T1, T2) is (BS2I(H), R), if BS2I(H) 0 (mod q), or (1, R) otherwise. 6.7.4

32、.6 Computing the second part of the signature The signature is (R, S) where R is computed as given in 6.7.4.4, and S = RX + KH mod q. The signer should check whether R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be generated and the signature should be recalculated. 6.7.4.7 Const

33、ructing the appendix The appendix will be the concatenation of (R, S) and an optional text field text, i.e. it will equal RS text( ) ).,| 6.7.4.8 Constructing the signed message A signed message is the concatenation of the message M and the appendix MRStext( ) ).| , | 6.7.5 Verification process 6.7.

34、5.1 Retrieving the witness The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier then checks whether 0 R q and 0 S q; if either condition does not hold, the signature shall be rejected. 6.7.5.2 Preparing message for verification The verifier retr

35、ieves M from the signed message and divides the message into two parts M1and M2. M1will be empty and M2= M. 6.7.5.3 Retrieving the assignment This stage is identical to 6.7.4.5. The inputs to the assignment function consist of the witness R from 6.7.5.1 and M2from 6.7.5.2. The assignment =TTT12( , )

36、 is recomputed as the output from the assignment function given in 6.7.4.5. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 4 ISO/IEC 2010 All rights reserved6.7.5.4 Recomputing the pre-signature The inputs to this stage are system parameters, the verification key Y,

37、 the assignment =TTT12(, ) from 6.7.5.3, and the second part of the signature S from 6.7.5.1. The verifier obtains a recomputed value of the pre-signature by computing it using the formula = + TT qY TS qG1112 1modmod. 6.7.5.5 Recomputing the witness The computations at this stage are the same as in

38、6.7.4.4. The verifier executes the witness function. The input is from 6.7.5.4. The output is the recomputed witness R. 6.7.5.6 Verifying the witness The verifier compares the recomputed witness, R from 6.7.5.5 to the retrieved version of R from 6.7.5.1. If R = R, then the signature is verified. 6.8

39、 SDSA 6.8.1 Introduction to SDSA SDSA (Schnorr Digital Signature Algorithm) is a signature mechanism with E =PZ*, p a prime, and q a prime dividing p-1. The parameter D is equal to 1. The message is prepared such that M1is the message to be signed, i.e., M1= M, and M2is empty. The witness function i

40、s defined by setting R equal to a hash-code. The assignment function is defined by setting T1 = -1 and T2 equal to the negative of the integer which is obtained by converting R to an integer according to the conversion rule, BS2I, given in Annex B and then reducing modulo q. The coefficients (A, B,

41、C) of the SDSA signature equation are set as follows (A, B, C) = TT S12(, ,).Thus the signature equation becomes -K+ T2X+S 0 (mod q). 6.8.2 Parameters p a prime, where p122. q a prime divisor of p -1, where q122. G a generator of the subgroup of order q, such that 1 G q. Four choices for the pair (,

42、 h) are allowed in SDSA, namely (1024, SHA-1), (2048, SHA-224), (2048, SHA-256), and (3072, SHA-256). Corresponding should be selected according to in 5.1.3.1, Table 1. The integers p, q, and G can be public and can be common to a group of users. The parameters p, q and G are generated as specified

43、in Annex D. The parameters p and q can be generated using the prime generation techniques given in ISO/IEC 18032. NOTE 1 It is recommended that all users check the proper generation of the SDSA public parameters according to FIPS PUB 186-3. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888

44、-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 5NOTE 2 SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures. The use of SHA-1 is not recommended for the generation of digital signatures. 6.8.3 Generation of signature key and verification key Th

45、e signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 X q. The parameter D is 1. The corresponding public verification key Y is Y = GXmod p. A users secret signature key X and public verification key Y are normally fixed for a period of time. The s

46、ignature key X shall be kept secret. 6.8.4 Signature process 6.8.4.1 Producing the randomizer The signing entity computes a random or pseudo-random integer K such that 0 K q. 6.8.4.2 Producing the pre-signature The input to this stage is the randomizer K, and the signing entity computes = GKmod p. 6

47、.8.4.3 Preparing message for signing The message is prepared such that M1is the message to be signed, i.e., M1= M, and M2is empty. 6.8.4.4 Computing the witness The signing entity computes the witness R as the hash-code of the pre-signature and the first part of the message M1R =h(|M). 6.8.4.5 Compu

48、ting the assignment The witness R is converted to an integer according to conversion rule, BS2I, in Annex B and then reducing modulo q. The assignment (T1, T2) is (-1, -BS2I(R) mod q). 6.8.4.6 Computing the second part of the signature The signature is (R, S) where S = (K + BS2I(R)X) mod q. As an op

49、tion, one may wish to check if R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be generated and the signature should be recalculated. (It is extremely unlikely that R = 0 or S = 0 if signatures are generated properly). 6.8.4.7 Constructing the appendix The appendix will be the concatenation of (R, S) and an optional text field text. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 6 ISO/IEC 2010 A