1、BRITISH STANDARD BS ISO/IEC 18033-2:2006 Information technology Security techniques Encryption algorithms Part 2: Asymmetric ciphers ICS 35.040 BS ISO/IEC 18033-2:2006 This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2006 BSI 2006 ISBN
2、 0 580 48484 X National foreword This British Standard reproduces verbatim ISO/IEC 18033-2:2006 and implements it as the UK national standard. The UK participation in its preparation was entrusted to Technical Committee IST/33, Information technology Security techniques, which has the responsibility
3、 to: A list of organizations represented on this committee can be obtained on request to its secretary. Cross-references The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards
4、 Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard doe
5、s not of itself confer immunity from legal obligations. aid enquirers to understand the text; present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep UK interests informed; monitor related international and European developme
6、nts and promulgate them in the UK. Summary of pages This document comprises a front cover, an inside front cover, the ISO/IEC title page, pages ii to vi, pages 1 to 126, an inside back cover and a back cover. The BSI copyright notice displayed in this document indicates when the document was last is
7、sued. Amendments issued since publication Amd. No. Date Comments Reference number ISO/IEC 18033-2:2006(E)INTERNATIONAL STANDARD ISO/IEC 18033-2 First edition 2006-05-01 Information technology Security techniques Encryption algorithms Part 2: Asymmetric ciphers Technologies de linformation Techniques
8、 de scurit Algorithmes de chiffrement Partie 2: Chiffres asymtriques BS ISO/IEC 18033-2:2006ii iiiContentsPage 1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Normative references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9、. . 1 3 Denitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 Symbols and notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5 Mathematical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.1 Func
10、tions and algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.2 Bit strings and octet strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.3 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.4 Elliptic curves . . . .
11、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6.1 Cryptographic hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 6.2 Key derivation functions . . . . . . . . . . . . . . . . . . . . . . . .
12、 . . . . . . . 15 6.3 MAC algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 6.4 Block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 6.5 Symmetric ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 7
13、Asymmetric ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 7.1 Plaintext length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 7.2 The use of labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 7.3 Ciphertext fo
14、rmat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 7.4 Encryption options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 7.5 Method of operation of an asymmetric cipher . . . . . . . . . . . . . . . . . . . 22 7.6 Allowable asymmetric ciphers . . . .
15、. . . . . . . . . . . . . . . . . . . . . . . . 22 8 Generic hybrid ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 8.1 Key encapsulation mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 8.2 Data encapsulation mechanisms . . . . . . . . . . . . . .
16、 . . . . . . . . . . . . 24 8.3 HC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 9 Constructions of data encapsulation mechanisms . . . . . . . . . . . . . . . . . . . . 26 9.1 DEM1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17、 . . 26 9.2 DEM2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 9.3 DEM3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 10 ElGamal-based key encapsulation mechanisms . . . . . . . . . . . . . . . . . . . . . 30 10.1 Concrete
18、 groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 10.2 ECIES-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 10.3 PSEC-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 10.4 ACE-KEM . . . . . . . . . . . .
19、 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 11 RSA-based asymmetric ciphers and key encapsulation mechanisms . . . . . . . . . . 39 11.1 RSA key generation algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 11.2 RSA Transform . . . . . . . . . . . . . . . . . . . . . . .
20、 . . . . . . . . . . . . . 40 11.3 RSA encoding mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 11.4 RSAES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 11.5 RSA-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21、 . 44 12 Ciphers based on modular squaring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Cryptographic transformations BS ISO/IEC 18033-2:2006iv 12.1HIMEkeygenerationalgorithms45 12.2 HIME encoding mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 12.3 HIME(R) . . .
22、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 AnnexA(normative)ASN.1syntaxforobjectidentiers.51 Annex B (informative) Security considerations . . . . . . . . . . . . . . . . . . . . . . . 61 B.1 MAC algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23、 . . . . 61 B.2 Block ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 B.3 Symmetric ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 B.4 Asymmetric ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 B.5 Key
24、encapsulation mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 B.6 Data encapsulation mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . 66 B.7 Security of HC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 B.8 Intractability assumptions rela
25、ted to concrete groups . . . . . . . . . . . . . . . 68 B.9 Security of ECIES-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 B.10 Security of PSEC-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 B.11 Security of ACE-KEM . . . . . . . . . . . . . . . . . . . .
26、 . . . . . . . . . . . . 71 B.12 The RSA inversion problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 B.13 Security of RSAES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 B.14 Security of RSA-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27、 . 73 B.15 Security of HIME(R) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Annex C (informative) Test vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 C.1 Test vectors for DEM1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 C.2 Test vect
28、ors for ECIES-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 C.3 Test vectors for PSEC-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 C.4 Test vectors for ACE-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 C.5 Test vectors for RSAES . . . . . . . . .
29、 . . . . . . . . . . . . . . . . . . . . . . 100 C.6 Test vectors for RSA-KEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 C.7 Test vectors for HC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 C.8 Test vectors for HIME(R) . . . . . . . . . . . . . . . . . . .
30、 . . . . . . . . . . . 112 Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 BS ISO/IEC 18033-2:2006vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized sys
31、tem for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees c
32、ollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Stand
33、ards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publicatio
34、n as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 18033-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 18033 consists of the following parts, under t
35、he general title Information technology Security techniques Encryption algorithms: Part 1: General Part 2: Asymmetric ciphers Part 3: Block ciphers Part 4: Stream ciphers BS ISO/IEC 18033-2:2006vi The International Organization for Standardization (ISO) and International Electrotechnical Commission
36、(IEC) draw attention to the fact that it is claimed that compliance with this International Standard may involve the use of patents. The ISO and IEC take no position concerning the evidence, validity and scope of this patent right. The holder of this patent right has assured the ISO and IEC that he
37、is willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of this patent right is registered with the ISO and IEC. Information may be obtained from: ISO/IEC JTC 1/SC 27 Standing Doc
38、ument 8 (SD8) “Patent Information“ Standing Document 8 (SD8) is publicly available at: http:/www.ni.din.de/sc27 Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights other than those identified above. ISO and IEC shall not
39、be held responsible for identifying any or all such patent rights. Introduction BS ISO/IEC 18033-2:20061 Information technology Security techniques Encryption algorithms Part 2: Asymmetric ciphers 1 Scope This part of ISO/IEC 18033 specifies several asymmetric ciphers. These specifications prescribe
40、 the functional interfaces and correct methods of use of such ciphers in general, as well as the precise functionality and cipher text format for several specific asymmetric ciphers (although conforming systems may choose to use alternative formats for storing and transmitting cipher-texts). A norma
41、tive annex (Annex A) gives ASN.1 syntax for object identifiers, public keys, and parameter structures to be associated with the algorithms specified in this part of ISO/IEC 18033. However, these specifications do not prescribe protocols for reliably obtaining a public key, for proof of possession of
42、 a private key, or for validation of either public or private keys; see ISO/IEC 11770-3 for guidance on such key management issues. The asymmetric ciphers that are specified in this part of ISO/IEC 18033 are indicated in Clause 7.6. NOTE Briefly, the asymmetric ciphers are: ECIES-HC; PSEC-HC; ACE-HC
43、: generic hybrid ciphers based on ElGamal encryption; RSA-HC: a generic hybrid cipher based on the RSA transform; RSAES: the OAEP padding scheme applied to the RSA transform; HIME(R): a scheme based on the hardness of factoring. 2 Normative references The following referenced documents are indispens
44、able for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 9797-1:1999, Information technology Security techniques Message Authentication Codes (MAC
45、s) Part 1: Mechanisms using a block cipher ISO/IEC 9797-2:2002, Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function ISO/IEC 10118-2:2000, Information technology Security techniques Hash-functions Part 2: Hash- functions us
46、ing an n-bit block cipher ISO/IEC 10118-3:2004, Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions ISO/IEC 18033-3:2005, Information technology Security techniques Encryption algorithms Part 3: Block ciphers BS ISO/IEC 18033-2:20062 3 Definitions For the purpo
47、ses of this document, the following terms and definitions apply.NOTE Where appropriate, forward references are given to clauses which contain more detailed definitions and/or further elaboration. 3.1 asymmetric cipher system based on asymmetric cryptographic techniques whose public transformation is
48、 used for encryption and whose private transformation is used for decryption ISO/IEC 18033-1 NOTE See Clause 7. 3.2 asymmetric cryptographic technique cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defi
49、ned by the private key). The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation. ISO/IEC 11770-1:1996 3.3 asymmetric key pair pair of related keys, a public key and a private key, where the private key defines the private transformation and the public key defines the public transformation ISO/IEC 9798-1:1997 NOTE