ImageVerifierCode 换一换
格式:PDF , 页数:36 ,大小:479.59KB ,
资源ID:590578      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-590578.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(CAN CSA-ISO IEC 14888-3A-2012 Information technology - Security techniques - Digital signatures with appendix - Part 3 Discrete logarithm based mechanisms - AMENDMENT 1 Elliptic Cu.pdf)为本站会员(inwarn120)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

CAN CSA-ISO IEC 14888-3A-2012 Information technology - Security techniques - Digital signatures with appendix - Part 3 Discrete logarithm based mechanisms - AMENDMENT 1 Elliptic Cu.pdf

1、Information technology Security techniques Digital signatures with appendix Part3: Discrete logarithm based mechanisms AMENDMENT1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schn

2、orr Digital Signature AlgorithmAmendment 1:2012 (IDT) toNational Standard of CanadaCAN/CSA-ISO/IEC 14888-3-07(ISO/IEC 14888-3:2006, IDT)NOT FOR RESALE.PUBLICATION NON DESTINE LA REVENTE.CSA Standards Update ServiceAmendment 1:2012 toCAN/CSA-ISO/IEC 14888-3-07March 2012Title:Information technology Se

3、curity techniques Digital signatures with appendix Part3: Discrete logarithm based mechanisms AMENDMENT1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Alg

4、orithmPagination:30 pages (iii preliminary and 27 text)To register for e-mail notification about any updates to this publication go on-line to shop.csa.caclick on E-mail Services under MY ACCOUNTclick on CSA Standards Update ServiceThe List ID that you will need to register for updates to this publi

5、cation is 2418670.If you require assistance, please e-mail techsupportcsa.ca or call 416-747-2233.Visit CSAs policy on privacy at csagroup.org/legal to find out how we protect your personal information.Reference numberISO/IEC 14888-3:2006/Amd.1:2010(E)ISO/IEC 2010INTERNATIONAL STANDARD ISO/IEC14888-

6、3Second edition2006-11-15AMENDMENT 12010-06-15Information technology Security techniques Digital signatures with appendix Part 3: Discrete logarithm based mechanisms AMENDMENT 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital S

7、ignature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm Technologies de linformation Techniques de scurit Signatures numriques avec appendice Partie 3: Mcanismes bass sur un logarithme discret AMENDEMENT 1: Algorithme de signature numrique russe de courbe elliptique, algorith

8、me de signature numrique schnorr, algorithme de signature numrique schnorr de courbe elliptique, et algorithme de signature numrique schnorr totale de courbe elliptique ISO/IEC 14888-3:2006/Amd.1:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing

9、 policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Cen

10、tral Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been ta

11、ken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of

12、this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-

13、1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org ii ISO/IEC 2010 All rights reservedAmendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved iiiForeword ISO (the International Organization for

14、 Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective org

15、anization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information techno

16、logy, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards

17、 adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subje

18、ct of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Amendment 1 to ISO/IEC 14888-3:2006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. Amendment 1 to ISO/IEC 14888-

19、3:2006 introduces four digital signature algorithms: Elliptic Curve Russian Digital Signature Algorithm (EC-RDSA), Schnorr Digital Signature Algorithm (SDSA), Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA), and Elliptic Curve Full Schnorr Digital Signature Algorithm (EC-FSDSA). Object

20、identifiers, test vectors, a comparison of certificate-based mechanisms, and claimed features for choosing a mechanism are given. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Digital sign

21、atures with appendix Part 3: Discrete logarithm based mechanisms AMENDMENT 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm Page 1, Clause 2 In t

22、he second normative reference, replace “1998” with “2008”. Page 3, Clause 4 Add the following to the end of the list of symbols: Y y-value of F a finite field PF a finite field of prime order p PZ*a multiplicative group over PF Page 27, Clause 6 Add the following subclauses after 6.6.4.6: 6.7 EC-RDS

23、A 6.7.1 Introduction to EC-RDSA EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm) is a signature mechanism with verification key Y = XG; that is, the parameter D is equal to 1. The message is prepared such that M1is empty and M2is the message to be signed, i.e., M2= M. The coefficients (A

24、, B, C) of the EC-RDSA signature equation are set as follows: (A, B, C) = (T1,T2, -S), where TT12(, )= (H, R) and H = h(M) is the hash-code of message M, converted to an integer as described in 6.7.4.5. The witness function is defined by the formula R = FE2I(X) mod q. Amendment 1:2012 to CAN/CSA-ISO

25、/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 2 ISO/IEC 2010 All rights reservedThus the signature equation becomes HK + RX - S 0 (mod q). NOTE EC-RDSA stands for Elliptic Curve Russian Digital Signature Algorithm. The mechanism is taken from a Russian State Standard 36. The notation here has be

26、en changed from GOST R 34.10-2001 to conform with the notation used in ISO/IEC 14888. 6.7.2 Parameters p a prime E an elliptic curve group over the field GF p() #E the cardinality of E q a prime divisor of #E G a point on the elliptic curve of order q Hash-function identifier or OID with specified h

27、ash-function. All these parameters can be public and can be common to a group of users. 6.7.3 Generation of signature key and verification key The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 X q. The parameter D is 1. The corresponding publ

28、ic verification key Y is Y = XG. A users secret signature key X and public verification key Y are normally fixed for a period of time. The signature key X shall be kept secret. NOTE The Russian standard for digital signature (GOST R 34.10-2001) does not completely specify the process of generation o

29、f a users secret signature key X. 6.7.4 Signature process 6.7.4.1 Producing the randomizer The signing entity generates a random or pseudo-random integer K such that 0 K q. 6.7.4.2 Producing the pre-signature The input to this stage is the randomizer K, and the signing entity computes = KG. 6.7.4.3

30、Preparing message for signing The message is prepared such that M1is empty and M2is the message to be signed, i.e., M2= M. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 36.7.4.4 Computing the witness The signing entity computes R =

31、FE2I(X) mod q. 6.7.4.5 Computing the assignment The signing entity computes =HhM2(). H is then converted to an integer according to conversion rule BS2I in Annex B. If H is equal to 0 mod q, then H is set to 1. The assignment (T1, T2) is (BS2I(H), R), if BS2I(H) 0 (mod q), or (1, R) otherwise. 6.7.4

32、.6 Computing the second part of the signature The signature is (R, S) where R is computed as given in 6.7.4.4, and S = RX + KH mod q. The signer should check whether R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be generated and the signature should be recalculated. 6.7.4.7 Const

33、ructing the appendix The appendix will be the concatenation of (R, S) and an optional text field text, i.e. it will equal RS text( ) ).,| 6.7.4.8 Constructing the signed message A signed message is the concatenation of the message M and the appendix MRStext( ) ).| , | 6.7.5 Verification process 6.7.

34、5.1 Retrieving the witness The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier then checks whether 0 R q and 0 S q; if either condition does not hold, the signature shall be rejected. 6.7.5.2 Preparing message for verification The verifier retr

35、ieves M from the signed message and divides the message into two parts M1and M2. M1will be empty and M2= M. 6.7.5.3 Retrieving the assignment This stage is identical to 6.7.4.5. The inputs to the assignment function consist of the witness R from 6.7.5.1 and M2from 6.7.5.2. The assignment =TTT12( , )

36、 is recomputed as the output from the assignment function given in 6.7.4.5. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 4 ISO/IEC 2010 All rights reserved6.7.5.4 Recomputing the pre-signature The inputs to this stage are system parameters, the verification key Y,

37、 the assignment =TTT12(, ) from 6.7.5.3, and the second part of the signature S from 6.7.5.1. The verifier obtains a recomputed value of the pre-signature by computing it using the formula = + TT qY TS qG1112 1modmod. 6.7.5.5 Recomputing the witness The computations at this stage are the same as in

38、6.7.4.4. The verifier executes the witness function. The input is from 6.7.5.4. The output is the recomputed witness R. 6.7.5.6 Verifying the witness The verifier compares the recomputed witness, R from 6.7.5.5 to the retrieved version of R from 6.7.5.1. If R = R, then the signature is verified. 6.8

39、 SDSA 6.8.1 Introduction to SDSA SDSA (Schnorr Digital Signature Algorithm) is a signature mechanism with E =PZ*, p a prime, and q a prime dividing p-1. The parameter D is equal to 1. The message is prepared such that M1is the message to be signed, i.e., M1= M, and M2is empty. The witness function i

40、s defined by setting R equal to a hash-code. The assignment function is defined by setting T1 = -1 and T2 equal to the negative of the integer which is obtained by converting R to an integer according to the conversion rule, BS2I, given in Annex B and then reducing modulo q. The coefficients (A, B,

41、C) of the SDSA signature equation are set as follows (A, B, C) = TT S12(, ,).Thus the signature equation becomes -K+ T2X+S 0 (mod q). 6.8.2 Parameters p a prime, where p122. q a prime divisor of p -1, where q122. G a generator of the subgroup of order q, such that 1 G q. Four choices for the pair (,

42、 h) are allowed in SDSA, namely (1024, SHA-1), (2048, SHA-224), (2048, SHA-256), and (3072, SHA-256). Corresponding should be selected according to in 5.1.3.1, Table 1. The integers p, q, and G can be public and can be common to a group of users. The parameters p, q and G are generated as specified

43、in Annex D. The parameters p and q can be generated using the prime generation techniques given in ISO/IEC 18032. NOTE 1 It is recommended that all users check the proper generation of the SDSA public parameters according to FIPS PUB 186-3. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888

44、-3:2006/Amd.1:2010(E) ISO/IEC 2010 All rights reserved 5NOTE 2 SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures. The use of SHA-1 is not recommended for the generation of digital signatures. 6.8.3 Generation of signature key and verification key Th

45、e signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 X q. The parameter D is 1. The corresponding public verification key Y is Y = GXmod p. A users secret signature key X and public verification key Y are normally fixed for a period of time. The s

46、ignature key X shall be kept secret. 6.8.4 Signature process 6.8.4.1 Producing the randomizer The signing entity computes a random or pseudo-random integer K such that 0 K q. 6.8.4.2 Producing the pre-signature The input to this stage is the randomizer K, and the signing entity computes = GKmod p. 6

47、.8.4.3 Preparing message for signing The message is prepared such that M1is the message to be signed, i.e., M1= M, and M2is empty. 6.8.4.4 Computing the witness The signing entity computes the witness R as the hash-code of the pre-signature and the first part of the message M1R =h(|M). 6.8.4.5 Compu

48、ting the assignment The witness R is converted to an integer according to conversion rule, BS2I, in Annex B and then reducing modulo q. The assignment (T1, T2) is (-1, -BS2I(R) mod q). 6.8.4.6 Computing the second part of the signature The signature is (R, S) where S = (K + BS2I(R)X) mod q. As an op

49、tion, one may wish to check if R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be generated and the signature should be recalculated. (It is extremely unlikely that R = 0 or S = 0 if signatures are generated properly). 6.8.4.7 Constructing the appendix The appendix will be the concatenation of (R, S) and an optional text field text. Amendment 1:2012 to CAN/CSA-ISO/IEC 14888-3-07ISO/IEC 14888-3:2006/Amd.1:2010(E) 6 ISO/IEC 2010 A

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1