1、BSI Standards Publication BS ISO/IEC 20008-2:2013 Information technology Security techniques Anonymous digital signatures Part 2: Mechanisms using a group public keyBS ISO/IEC 20008-2:2013 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 20008-2:2013. The
2、UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users
3、 are responsible for its correct application. The British Standards Institution 2013. Published by BSI Standards Limited 2013 ISBN 978 0 580 73395 6 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of
4、 the Standards Policy and Strategy Committee on 30 November 2013. Amendments issued since publication Date Text affectedBS ISO/IEC 20008-2:2013 Information technology Security techniques Anonymous digital signatures Part 2: Mechanisms using a group public key Technologies de linformation Techniques
5、de scurit Signatures numriques anonymes Partie 2: Mcanismes utilisant une cl publique de groupe ISO/IEC 2013 INTERNATIONAL STANDARD ISO/IEC 20008-2 First edition 2013-11-15 Reference number ISO/IEC 20008-2:2013(E)BS ISO/IEC 20008-2:2013ISO/IEC 20008-2:2013(E)ii ISO/IEC 2013 All rights reserved COPYR
6、IGHT PROTECTED DOCUMENT ISO/IEC 2013 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written pe
7、rmission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in SwitzerlandBS ISO/I
8、EC 20008-2:2013ISO/IEC 20008-2:2013(E) ISO/IEC 2013 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Symbols (and abbreviated terms) 2 5 General model and requirements. 3 6 Mechanisms with linking capability 4 6.1 Ge
9、neral . 4 6.2 Mechanism 1 . 4 6.3 Mechanism 2 10 6.4 Mechanism 3 15 6.5 Mechanism 4 20 7 Mechanisms with opening capability 23 7.1 General 23 7.2 Mechanism 5 23 7.3 Mechanism 6 26 8 Mechanisms with both opening and linking capabilities .29 8.1 General 29 8.2 Mechanism 7 29 Annex A (normative) Object
10、 identifiers .35 Annex B (normative) Special hash-functions .37 Annex C (informative) Security guidelines for the anonymous signature mechanisms 39 Annex D (informative) Comparison of revocation mechanisms .42 Annex E (informative) Numerical examples 45 Annex F (informative) Proof of correct generat
11、ion in Mechanism 5 81 Bibliography .85BS ISO/IEC 20008-2:2013ISO/IEC 20008-2:2013(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members o
12、f ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organiza
13、tions, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Di
14、rectives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of
15、the national bodies casting a vote. ISO/IEC 20008-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO/IEC 20008 consists of the following parts, under the general title Information technology Security techniques Anonymous
16、 digital signatures: Part 1: General Part 2: Mechanisms using a group public key Further parts may follow.iv ISO/IEC 2013 All rights reservedBS ISO/IEC 20008-2:2013ISO/IEC 20008-2:2013(E) Introduction Anonymous digital signature mechanisms are a special type of digital signature mechanism in which,
17、given a digital signature, an unauthorized entity cannot discover the signers identifier yet can verify that a legitimate signer has generated a valid signature. ISO/IEC 20008 specifies anonymous digital signature mechanisms. ISO/IEC 20008-1 specifies principles and requirements for two categories o
18、f anonymous digital signatures mechanisms: signature mechanisms using a group public key, and signature mechanisms using multiple public keys. This part of ISO/IEC 20008 specifies a number of anonymous signature mechanisms of the first category. Anonymous signature mechanisms of the first category c
19、an have capabilities for providing more information about the signer. Some have a linking capability, where two signatures signed by the same signer are linkable. Some have an opening capability, where the signature can be opened by a special entity to reveal the identity of the signer. Some have bo
20、th linking and opening capabilities. For each mechanism, the processes of opening, linking, and/or revocation are specified. The mechanisms specified in this part of ISO/IEC 20008 use a collision-resistant hash-function. A hash- function specified in ISO/IEC 10118 is to be used. The International Or
21、ganization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may involve the use of patents. ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.
22、The holders of these patent right have assured the ISO and IEC that they are willing to negotiate licences either free of charge or under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these patent rights
23、 are registered with ISO and IEC. Information may be obtained from: Electronics and Telecommunications Research Institute (ETRI) 161, Gajeong-dong, Yuseong-gu, Daejeon, Korea NEC Corporation 7-1, Shiba 5-chome, Minato-Ku, Toyko 108-8001, Japan Attention is drawn to the possibility that some of the e
24、lements of this document may be the subject of patent rights other than those identified above. ISO and/or IEC shall not be held responsible for identifying any or all such patent rights. ISO (www.iso.org/patents) and IEC (http:/ /patents.iec.ch) maintain on-line databases of patents relevant to the
25、ir standards. Users are encouraged to consult the databases for the most up to date information concerning patents. ISO/IEC 2013 All rights reserved vBS ISO/IEC 20008-2:2013BS ISO/IEC 20008-2:2013Information technology Security techniques Anonymous digital signatures Part 2: Mechanisms using a group
26、 public key 1 Scope This part of ISO/IEC 20008 specifies anonymous digital signature mechanisms, in which a verifier makes use of a group public key to verify a digital signature. It provides a general description of an anonymous digital signature mechanism using a group public key, and a variety of
27、 mechanisms that provide such anonymous digital signatures. For each mechanism, this part of ISO/IEC 20008 specifies the process for generating group member signature keys and a group public key, the process for producing signatures, the process for verifying signatures, the process for opening sign
28、atures (if the mechanism supports opening), the process for linking signatures (if the mechanism supports linking), and the process for revoking group members. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for i
29、ts application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functions ISO/IEC 15946-5, Information technology
30、 Security techniques Cryptographic techniques based on elliptic curves Part 5: Elliptic curve generation ISO/IEC 18031, Information technology Security techniques Random bit generation ISO/IEC 18032, Information technology Security techniques Prime number generation ISO/IEC 20008-1, Information tech
31、nology Security techniques Anonymous digital signatures Part 1: General 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 20008-1 and the following apply. INTERNATIONAL ST ANDARD ISO/IEC 20008-2:2013(E) ISO/IEC 2013 All rights reserved 1BS ISO/I
32、EC 20008-2:2013ISO/IEC 20008-2:2013(E) 3.1 assistant signer entity that can help a principal signer to create anonymous signatures, but that cannot generate anonymous signatures unaided 3.2 member-list list that includes the identities of group members together with their corresponding group members
33、hip credentials 3.3 principal signer entity which is in possession of a group member signature key and which can create anonymous signatures using this key 3.4 secret seed value secret data known to a group member and used for deriving group member private keys 3.5 security parameters variables that
34、 determine the security strength of a mechanism 4 Symbols (and abbreviated terms) For the purposes of this part of ISO/IEC 20008, the following symbols and abbreviations apply. bsn Linking base, either a special symbol or an arbitrary string. e A bilinear map function e: G 1 G 2 G Tsuch that for all
35、 P G 1 , Q G 2 , and all positive integers a, b, the equation e(aP, bQ) = e(P, Q) abholds. This function is also called a pairing function. gcd(a, b) The greatest common divisor of the integers a and b. G 1 An additive cyclic group of order p over an elliptic curve. G 2 An additive cyclic group of o
36、rder p over an elliptic curve. G T A multiplicative cyclic group of order p. H A cryptographic hash-function. m Message to be signed. n An RSA modulus where n = pq. O E The elliptic curve point at infinity. p A prime number. P 1 Generator of G 1 . P 2 Generator of G 2 . q A prime number. Q 1 +Q 2 Th
37、e elliptic curve sum of points Q 1and Q 2 . QR(n) The group of quadratic residues modulo n.2 ISO/IEC 2013 All rights reservedBS ISO/IEC 20008-2:2013ISO/IEC 20008-2:2013(E) Z n * The multiplicative group of invertible elements in Z n . Z p The set of integers in 0, p-1. Z p * The set of integers in 1
38、, p-1. (a|p) The Legendre symbol of a and p where a is an integer and p is an odd prime number. nP Multiplication operation that takes a positive integer n and a point P on the elliptic curve E as input and produces as output another point Q on the curve E, where Q = nP = P + P + + P, i.e., the sum
39、of n copies of P. The operation satisfies 0P = O Eand nP = n(P). x, y The set of integers from x to y inclusive, if x, y are integers satisfying x y. | X | Y is used to mean the result of the concatenation of data items X and Y in the order specified. In cases where the result of concatenating two o
40、r more data items is signed as part of one of the mechanisms specified in this part of ISO/IEC 20008, this result shall be composed so that it can be uniquely resolved into its constituent data strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter property could b
41、e achieved in a variety of different ways, depending on the application. For example, it could be guaranteed by (a) fixing the length of each of the substrings throughout the domain of use of the mechanism, or (b) encoding the sequence of concatenated strings using a method that guarantees unique de
42、coding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1. 1 5 General model and requirements This clause specifies the general model and requirements for the anonymous digital signature mechanisms specified in this part of ISO/IEC 20008. Some of the contents of this clause are t
43、aken from Part 1 of this international standard. In addition, specific requirements applying to mechanisms using a group public key are addressed. An anonymous digital signature mechanism using a group public key involves a group and a set of group members. Each group shall possess a group membershi
44、p issuer. There may also be a group membership opener and/or a group signature linker, depending on the mechanism. Multiple entities may function in the role of a group membership opener or a group signature linker. The level of anonymity of the mechanism depends on the anonymity strength (i.e., the
45、 size of the group), whether there is an opening capability, whether there is a linking capability, how revocation is done, whether the issuer knows the private keys, and the likelihood of compromise of a private key. Such an anonymous digital signature mechanism is defined by the specification of t
46、he following processes: key generation process, signature process, verification process, opening process (if the mechanism supports opening), linking process (if the mechanism supports linking), and revocation process. The anonymous digital signature mechanisms using a group public key specified in
47、this part of ISO/IEC 20008 involve a range of types of entity. Some of these entities exist in every mechanism whereas others exist only in some mechanisms. These entities are as follows: Signer: a signer is an entity that generates a digital signature. In some mechanisms, a signer role is split bet
48、ween two entities. For example, in direct anonymous attestation mechanisms, the signer ISO/IEC 2013 All rights reserved 3BS ISO/IEC 20008-2:2013ISO/IEC 20008-2:2013(E) role is split between a principal signer with limited computational and storage capability, e.g. a trusted platform module (TPM), an
49、d an assistant signer with more computational power but less security tolerance, e.g. an ordinary computer platform (namely the Host with an embedded TPM). V er i f i er: a verifier is an entity that verifies a digital signature. Group membership issuer: a group membership issuer is an entity that issues a group membership credential to a signer. This entity exists in all the mechanisms. Group membership opener: a group
