1、BS ISO/IEC 18370-1:2016 Information technology Security techniques Blind digital signatures Part 1: General BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 18370-1:2016 BRITISH STANDARD National foreword This British Standard is the UK implementation of I
2、SO/IEC 18370-1:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the ne
3、cessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 80103 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standa
4、rd was published under the authority of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/Corrigenda issued since publication Date Text affectedBS ISO/IEC 18370-1:2016 Information technology Security techniques Blind digital signatures Part 1: General Technologie de linform
5、ation Techniques de scurit Signatures numriques en blanc Partie 1: Gnralits INTERNATIONAL STANDARD ISO/IEC 18370-1 Reference number ISO/IEC 18370-1:2016(E) First edition 2016-11-15 ISO/IEC 2016 BS ISO/IEC 18370-1:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Publ
6、ished in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permis
7、sion can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 18370-1:2016(E)BS ISO/I
8、EC 18370-1:2016ISO/IEC 18370-1:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 A bbr e viat ed t erms and figur e elements 7 5 Blind signatures 8 5.1 General . 8 5.2 Entities . 8 5.3 Key generation 8 5.4 Blind signature process . 8 5.5 Verificati
9、on process 9 6 Blind signatures with partial disclosure 10 6.1 General 10 6.2 Entities 10 6.3 Key generation .10 6.4 Blind signature process with partial disclosure10 6.5 Verification process .11 7 Blind signatures with selective disclosure .12 7.1 General 12 7.2 Entities 13 7.3 Key generation .13 7
10、.4 Blind signature process with selective disclosure 13 7.5 Presentation process 14 7.6 Verification process .15 8 Traceable blind signatures .16 8.1 General 16 8.2 Entities 17 8.3 Key generation .17 8.4 Traceable blind signature process 17 8.5 Verification process .18 8.6 Requestor tracing process
11、19 8.7 Requestor tracing evidence evaluation process 20 8.8 Signature tracing process .21 8.9 Signature tracing evidence evaluation process22 Annex A (informative) Comparison table of blind digital signature mechanisms .23 Annex B (informative) Additional security information for blind signatures wi
12、th selective disclosure .24 Bibliography .27 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 18370-1:2016ISO/IEC 18370-1:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worl
13、dwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate i
14、n fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop
15、this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC
16、 Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the
17、development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning o
18、f ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this docum
19、ent is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques. A list of all parts in the ISO/IEC 18370 series can be found on the ISO website.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 18370-1:2016ISO/IEC 18370-1:2016(E) Introduction Digital signature mechanisms can be used to prov
20、ide services such as entity authentication, data origin authentication, non-repudiation, and data integrity. Blind signature mechanisms are a special type of digital signature mechanisms, as specified in ISO/IEC 9796 (all parts) and ISO/IEC 14888 (all parts), which allow a user (a requestor) to obta
21、in a signature from a signer of the users choice, without giving the signer any information about the actual message or the resulting signature. There are several variants of blind signature mechanisms. In some variants, the signer does not completely lose control over the signed message. In a blind
22、 signature mechanism with partial disclosure, the signer can include explicit information in the resulting signature based on an agreement with the requestor, whereas in a blind signature mechanism with selective disclosure, the choice of the message is restricted and conforms to certain rules. In o
23、ther mechanisms, such as traceable blind signature mechanisms, an authorized entity is allowed to trace a signature to the requestor who requested it. As is the case for conventional digital signature mechanisms, blind signature mechanisms are based on asymmetric cryptographic techniques and involve
24、 three basic operations: a process for generating a private signature key and a public verification key; a process for creating a blind signature that uses the private signature key; a process for verifying a blind signature that uses the public verification key. Blind signatures and their variants
25、can be used to provide users anonymity in a variety of electronic communication and transaction systems. Examples include Internet voting, electronic payment instruments, online auctions, public transport ticketing, road-toll pricing, and loyalty schemes. These mechanisms could also be used to achie
26、ve anonymous entity authentication. Anonymous entity authentication mechanisms are specified in ISO/IEC 20009 (all parts). Like conventional digital signature mechanisms, the security of blind signature mechanisms depends on computational problems believed to be intractable, i.e. problems for which,
27、 given current knowledge, finding a solution is computationally infeasible, such as the integer factorization problem or the discrete logarithm problem in an appropriate group. The mechanisms specified in ISO/IEC 18370 (all parts) are based on the latter problem. However, security of some mechanisms
28、 also depends on the fact that some numbers are not only random but also unique. The ISO/IEC 18370 series specifies three variants of blind signature mechanisms: blind signature mechanisms with partial disclosure, blind signature mechanisms with selective disclosure, and traceable blind signature me
29、chanisms. This document specifies principles and requirements for these mechanisms. ISO/IEC 18370-2 specifies specific instances of these mechanisms. The mechanisms specified in the ISO/IEC 18370 series use a variety of other standardized cryptographic algorithms, such as the following. They may use
30、 a collision-resistant hash-function to hash the message to be signed and to compute signatures. ISO/IEC 10118 (all parts) specifies hash-functions. They may use a conventional digital signature mechanism to certify public keys when such certification is required. Conventional digital signature mech
31、anisms are specified in ISO/IEC 9796 (all parts) and ISO/IEC 14888 (all parts). They may require the use of a conventional entity authentication mechanism, if the signer needs to authenticate the requestor before issuing a blind signature. Entity authentication mechanisms are specified in ISO/IEC 97
32、98 (all parts). They may require the use of a conventional asymmetric encryption mechanism, if certain information of the entities involved in the blind signature mechanism is required to be encrypted ISO/IEC 2016 All rights reserved vBS ISO/IEC 18370-1:2016ISO/IEC 18370-1:2016(E) for the purposes o
33、f privacy and confidentiality. Asymmetric encryption mechanisms are specified in ISO/IEC 18033-2.vi ISO/IEC 2016 All rights reservedBS ISO/IEC 18370-1:2016INTERNATIONAL ST ANDARD ISO/IEC 18370-1:2016(E) Information technology Security techniques Blind digital signatures Part 1: General 1 Scope This
34、document specifies principles, including a general model, a set of entities, a number of processes, and general requirements for blind digital signature mechanisms, as well as the following variants of blind digital signature mechanisms: blind signature mechanisms with partial disclosure; blind sign
35、ature mechanisms with selective disclosure; traceable blind signature mechanisms. It also contains terms, definitions, abbreviated terms and figure elements that are used in all parts of ISO/IEC 18370. See Annex A for a comparison on the blind digital signature mechanisms. 2 Normative references The
36、re are no normative references in this document. 3 T erms a nd definiti ons For the purposes of this document, the following terms and definitions apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.el
37、ectropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1 attribute application-specific data element (3.9) 3.2 blind signature (digital) signature resulting from a blind signature process (3.3) Note 1 to entry: The term “blind digital signature” may also be used because
38、 a blind signature is a special type of digital signature. 3.3 blind signature process signature process (3.37) which allows a requestor (3.25) to obtain a signature (3.34) from a signer (3.45) over data of the requestors choice in such a way that both that data and the resulting signature are not m
39、ade available to the signer (3.45) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 18370-1:2016ISO/IEC 18370-1:2016(E) 3.4 blind signature process with partial disclosure blind signature process (3.3) in which the signer (3.45) and the requestor (3.25) first agree on some information that will be attac
40、hed to the blind signature (3.2) Note 1 to entry: Such a process is sometimes referred to as a “partially blind signature process.” 3.5 blind signature process with selective disclosure blind signature process (3.3) that allows a requestor (3.25) to receive a blind signature (3.2) on a message (3.17
41、) not known to the signer (3.45) but which conforms to specific rules 3.6 blind signature with partial disclosure signature (3.34) resulting from a blind signature process with partial disclosure (3.4) Note 1 to entry: Such a signature is sometimes referred to as a “partially blind signature”. 3.7 b
42、lind signature with selective disclosure signature (3.34) resulting from a blind signature process with selective disclosure (3.5) 3.8 collision-resistant hash-function hash-function (3.14) satisfying the following property: it is computationally infeasible to find any two distinct inputs which map
43、to the same output SOURCE: ISO/IEC 10118-1:2016, 3.1 3.9 data element integer, bit string, set of integers, or set of bit strings SOURCE: ISO/IEC 14888-1:2008, 3.3 3.10 dis t ing uis hing i d e n t if i e r information which unambiguously distinguishes an entity SOURCE: ISO/IEC 11770-2:2008, 3.1 3.1
44、1 domain set of entities operating under a single security policy 3.12 domain parameter data element (3.9) which is common to and known by or accessible to all entities within the domain (3.11) SOURCE: ISO/IEC 14888-1:2008, 3.5 3.13 hash-code string of bits which is the output of a hash-function (3.
45、14) SOURCE: ISO/IEC 10118-1:2016, 3.3 2 ISO/IEC 2016 All rights reservedBS ISO/IEC 18370-1:2016ISO/IEC 18370-1:2016(E) 3.14 hash-function function which maps strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits, satisfying the following two properties: for a
46、 given output, it is computationally infeasible to find an input which maps to this output; for a given input, it is computationally infeasible to find a second input which maps to the same output SOURCE: ISO/IEC 10118-1:2016, 3.4 3.15 key sequence of symbols that controls the operation of a cryptog
47、raphic transformation Note 1 to entry: Examples are encryption, decryption, cryptographic check function computation, signature generation, or signature verification. SOURCE: ISO/IEC 9798-1:2010, 3.16 3.16 key pair pair consisting of a signature key (3.36) and a verification key (3.51), i.e., a set
48、of data elements (3.9) that shall be totally or partially kept secret, to be used only by the signer (3.45); a set of data elements (3.9) that can be totally made public, to be used by any verifier (3.53) SOURCE: ISO/IEC 14888-1:2008, 3.9 3.17 message string of bits of any length SOURCE: ISO/IEC 148
49、88-1:2008, 3.10 3.18 parameter integer, bit string, or hash-function (3.14) SOURCE: ISO/IEC 14888-1:2008, 3.11 3.19 presentation process process which takes as input the message (3.17) to be signed, the set of message (3.17) indices to disclose, the token (3.47), the token private key (3.15), and the signed array of disclosed messages (3.17) and gives as output a presentation proof (3.20) 3.20 presentation proof signature on the messag
