BSI Standards Publication

BS ISO/IEC 18033-5:2015

Information technology - Security techniques - Encryption algorithms - Part 5: Identity-based ciphers

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 18033-5:2015.

The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 75946 8

ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2015.

Amendments/corrigenda issued since publication

Date | Text affected

Technologies de l'information - Techniques de sécurité - Algorithmes de chiffrement - Partie 5: Chiffrements identitaires

INTERNATIONAL STANDARD ISO/IEC 18033-5

Reference number ISO/IEC 18033-5:2015(E)

First edition 2015-12-01

© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols, abbreviated terms and conversion functions
  4.1 Symbols
  4.2 Abbreviated terms
  4.3 Conversion functions
5 Cryptographic transforms
  5.1 General
  5.2 The function IHF1
  5.3 The function SHF1
  5.4 The function PHF1
6 General model for identity-based encryption
  6.1 Composition of algorithms
  6.2 Plaintext length
  6.3 Use of labels
  6.4 Ciphertext format
  6.5 IBE operation
7 General model for identity-based hybrid encryption
  7.1 General
  7.2 Identity-based key encapsulation
    7.2.1 Composition of algorithms
    7.2.2 Prefix-freeness
  7.3 Data encapsulation
    7.3.1 Composition of algorithms
  7.4 Identity-based hybrid encryption operation
    7.4.1 System parameters
    7.4.2 Set up
    7.4.3 Private key extraction
    7.4.4 Encryption
    7.4.5 Decryption
8 Identity-based encryption mechanism
  8.1 General
  8.2 The BF mechanism
    8.2.1 Set up
    8.2.2 Private key extraction
    8.2.3 Encryption
    8.2.4 Decryption
9 Identity-based hybrid encryption mechanisms
  9.1 General
  9.2 The SK key encapsulation mechanism
    9.2.1 Set up
    9.2.2 Private key extraction
    9.2.3 Session key encapsulation
    9.2.4 Session key de-encapsulation
  9.3 The BB1 key encapsulation mechanism
    9.3.1 Set up
    9.3.2 Private key extraction
    9.3.3 Session key encapsulation
    9.3.4 Session key de-encapsulation
Annex A (normative) Object identifiers
Annex B (informative) Security considerations
Annex C (informative) Numerical examples
Annex D (informative) Mechanisms to prevent access to keys by third parties
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

ISO/IEC 18033 consists of the following parts, under the general title Information technology - Security techniques - Encryption algorithms:

- Part 1: General
- Part 2: Asymmetric ciphers
- Part 3: Block ciphers
- Part 4: Stream ciphers
- Part 5: Identity-based ciphers

Further parts may follow.

Annex A forms a normative part of this part of ISO/IEC 18033. Annex B, Annex C and Annex D are informative only.

Introduction

Use of a public key encryption mechanism requires reliable identification
of the correct public key to be used for encryption. A public key infrastructure (PKI) provides functions to give a trusted link between an entity and its public key and to enable the current status of the public key to be determined. In a PKI, a certification authority (CA) issues a certificate binding a public key to the owner's identifier together with other key specific information, e.g. the validity period. If a public key is deemed to be invalid before its expiry date, then potential users of the public key need to be notified, e.g. by the issue of a CA-signed Certificate Revocation List (CRL).

The generation and distribution of certificates and CRLs poses a major management problem, which the mechanisms in this part of ISO/IEC 18033 are designed to address. On encrypting, an encryptor first obtains the CRL and checks the current status of the certificate. Then the encryptor verifies the certificate, and finally encrypts a message. Therefore, the encryptor has to be provided with some means of accessing the current CRL, and additionally it should not require excessive time and computational resources for checking the validity of a certificate whenever it encrypts a message.

Identity-based encryption (IBE) is a type of asymmetric encryption that allows a decryptor to set its public key to an arbitrary string. By setting the public key to an easily identifiable string (e.g. an e-mail address), an encryptor can gain assurance in its correctness without using a certificate. Moreover, if a short validity period can be arranged, significantly shorter than the updating period of a CRL in a conventional PKI, an encryptor can generate a ciphertext without checking the current status of the public key because revocation is unlikely to occur during such a short period. As a result IBE is expected to reduce the certificate management workload.

The use of IBE requires a Private Key Generator (PKG), which generates private keys for all decryptors using its master secret key; this contrasts with traditional asymmetric encryption mechanisms, such as those specified in ISO/IEC 18033-2, in which entities generate their own public/private key pairs. As a result, use of IBE is only appropriate when it is acceptable for a third party to have decryption access to all encrypted data.

The identity-based encryption mechanisms are specified in Clauses 8 and 9. The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based key encapsulation mechanism, and the BB1 identity-based key encapsulation mechanism.

The specifications in this part of ISO/IEC 18033 do not prescribe protocols for reliably obtaining public values, for proof of possession of a private key, or for validation of either public values or private keys.

Certain sections of Clause 5, Clause 8 and Clause 9 of this part of ISO/IEC 18033 have been reprinted with permission from [7] IEEE Std 1363.3-2013 - IEEE Standard for Identity-Based Cryptographic Techniques using Pairings. Reprinted with permission from IEEE. Copyright 2013. All rights reserved.

Annex A gives the assignment of object identifiers to the algorithms specified in this part of ISO/IEC 18033. Annex B describes security considerations for each specified mechanism and Annex C provides numerical examples. Annex D introduces techniques which can be used to remove the decryption capability of the PKG, and thereby reduce the level of trust required in this entity.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 18033 may involve the use of patents.

The ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.

The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these patent rights are registered with the ISO and IEC. Information may be obtained from the following:

Patent holder name: Nippon Telegraph and Telephone Corporation
Postal address: Licensing Group, Intellectual Property Center, 9-11, Midori-cho, 3-Chome Musashino-Shi, Tokyo 180-8585 Japan

Patent holder name: IBM Corporation
Postal address: IBM Intellectual Property Licensing, North Castle Drive, Armonk, NY 10504 USA

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO (www.iso.org/patents) and IEC
(http://patents.iec.ch) maintain on-line databases of patents relevant to their standards. Users are encouraged to consult the databases for the most up to date information concerning patents.

1 Scope

This part of ISO/IEC 18033 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 18033-1, Information technology - Security techniques - Encryption algorithms - Part 1: General

ISO/IEC 18033-2, Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers

ISO/IEC 18033-3, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the following apply.

3.1 decryptor
entity which decrypts ciphertexts

3.2 encryptor
entity which encrypts plaintexts

3.3 hybrid encryption
encryption performed using a hybrid cipher

3.4 identifier
object that represents something and enables one to identify it

3.5 identity string
string that represents an identity

3.6 identity-based cipher
asymmetric cipher in which the encryption algorithm takes an arbitrary string as a public key

3.7 identity-based hybrid cipher
cipher which is both a hybrid cipher and an identity-based cipher

3.8 identity-based key encapsulation mechanism
key encapsulation mechanism for which the encryption process takes an arbitrary string as a public key

3.9 master-public key
public value uniquely determined by the corresponding master-secret key

3.10 master-secret key
secret value used by the private key generator to compute private keys for an IBE algorithm

3.11 private key extraction algorithm
method used by the private key generator to compute private keys for an IBE algorithm

3.12 private key generator
entity or function which generates a set of private keys

3.13 public key encryption
encryption performed using an asymmetric cipher

3.14 string
ordered sequence of symbols

3.15 set up
process by which the system parameters for an IBE algorithm are selected

3.16 set up algorithm
process which generates a master-secret key and the corresponding master-public key, together with some part of the system parameters

3.17 system parameters
parameters for cryptographic computation including a selection of a particular cryptographic scheme or function from a family of cryptographic schemes or functions, or from a family of mathematical spaces

3.18 trusted third party
security authority, or its agent, trusted by other entities with respect to security related activities

4 Symbols, abbreviated terms and conversion functions

For the purposes of this part of I