American National Standard for Financial Services
X9.63-2001

Public Key Cryptography for the Financial Services Industry
Key Agreement and Key Transport Using Elliptic Curve Cryptography

Secretariat: Accredited Standards Committee X9, Inc.
Approved: November 20, 2001
American National Standards Institute 2001
American Bankers Association ANSI X9.63-2001

Foreword

Business practice has changed with the introduction of computer-based technologies. The substitution of electronic transactions for their paper-based predecessors has reduced costs and improved efficiency. Trillions of dollars in funds and securities are transferred daily by telephone, wire services, and other electronic communication mechanisms. The high value or sheer volume of such transactions within an open environment exposes the financial community and its customers to potentially severe risks from the accidental or deliberate disclosure, alteration, substitution, or destruction of data. These risks are compounded by interconnected networks, and the increased number and sophistication of malicious adversaries. Electronically communicated data may be secured through the use of symmetrically keyed encryption algorithms (e.g. ANSI X9.52, Triple-DEA) in combination with public-key cryptography-based key management techniques.

This standard, X9.63-2001, Public Key Cryptography For The Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, defines a suite of mechanisms designed to facilitate the secure establishment of cryptographic data for the keying of symmetrically keyed algorithms (e.g. DEA, TDEA). These mechanisms are based on the elliptic curve analogue of the Diffie-Hellman key agreement mechanism [4]. Because the mechanisms are based on the same fundamental mathematics as the Elliptic Curve Digital Signature Algorithm (ECDSA) (see [7]), additional efficiencies and functionality may be obtained by combining these and other cryptographic techniques.

While the techniques specified in this standard are designed to facilitate key management applications, the standard does not guarantee that a particular implementation is secure. It is the responsibility of the financial institution to put an overall process in place with the necessary controls to ensure that the process is securely implemented. Furthermore, the controls should include the application of appropriate audit tests in order to
verify compliance.

The user's attention is called to the possibility that compliance with this standard may require the use of an invention covered by patent rights. By publication of this standard, no position is taken with respect to the validity of potential claims or of any patent rights in connection therewith. The patent holders have, however, filed a statement of willingness to grant a license under these rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain such a license. Details may be obtained from the X9 Secretariat,

Copyright 2001 by Accredited Standards Committee X9, Inc.
All rights reserved.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Printed in the United States of America.

Suggestions for the improvement or revision of this standard are welcome. They should be sent to Accredited Standards Committee X9, Inc., P.O. Box 4035, Annapolis, Maryland, 21403 USA.

This standard was processed and approved for submittal to ANSI by the Accredited Standards Committee on Financial Services, X9. Committee approval of the standard does not necessarily imply that all the committee members voted for its approval.

At the time that this standard was approved, the X9 Committee had the following members:

Harold G. Deal, X9 Chairman, BB

the two keys have the property that, given the public key,
it is computationally infeasible to derive the private key.

2001 ASC X9, Inc. ANSI X9.63-2001

auxiliary function
An auxiliary function is a transformation that forms part of a cryptographic scheme but is auxiliary rather than central to the goal of the scheme.

base point (G)
A selected point on an elliptic curve of large prime order n.

basis
A representation of the elements of the finite field $F_{2^m}$. Two special kinds of basis are polynomial basis and normal basis. (See Annex B.2.)

binary polynomial
A polynomial whose coefficients are in the field $F_2$. When adding, multiplying, or dividing two binary polynomials, the coefficient arithmetic is performed modulo 2.

bit string
A bit string is an ordered sequence of 0s and 1s.

certificate
The public key and identity of an entity together with some other information, that is rendered unforgeable by signing the
certificate with the private key of the Certification Authority which issued that certificate. In this Standard, the term certificate will mean a public-key certificate.

Certification Authority (CA)
A Center trusted by one or more entities to create and assign certificates.

challenge
Data sent from entity U to entity V during an execution of a protocol that, in part, determines V's response. In this Standard, challenges will be bit strings at least 80 bits in length.

characteristic of a finite field
If a finite field has $2^m$ elements, its characteristic is 2. If a finite field has p elements, where p is
prime, its characteristic is p.

characteristic 2 finite field
A finite field containing $2^m$ elements, where $m \ge 1$ is an integer. In this Standard, only characteristic 2 fields containing $2^m$ elements with m prime are used.

cofactor
The integer $h = \#E(F_q)/n$, where $\#E(F_q)$ is the order of the elliptic curve E, and n is the order of the base point.

compressed form
Octet string representation for an elliptic curve point using the point compression technique described in Section 4.2. (See also Section 4.3.6.)

cryptographic hash function
A (mathematical) function which maps values from a large (possibly very large) domain into a smaller range. The function satisfies the following properties:
1. (one-way) it is computationally infeasible to find any input that maps to any pre-specified output;
2. (collision free) it is computationally infeasible to find any two distinct inputs that map to the same output.

cryptographic key (key)
A parameter that determines the operation of a cryptographic function such as:
1. the transformation from plaintext to ciphertext and vice versa,
2. the synchronized generation of keying material,
3. a digital signature computation or verification.

cryptographic protocol
A cryptographic scheme in which an ordered sequence of sets of data is passed between two entities during an ordinary operation of the scheme.

cryptographic scheme
A cryptographic scheme consists of an unambiguous specification of a set of transformations that are capable of providing a cryptographic service when properly implemented and maintained.

cryptography
The discipline that embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification, prevent its unauthorized use, or a combination thereof.

cryptoperiod
The time span during which a specific key is authorized for use or in which the keys for a given system may remain in effect.

cyclic group
The group of points $E(F_q)$ is said to be cyclic if there exists a point $P \in E(F_q)$ of order n, where $n = \#E(F_q)$. In this
case, $E(F_q) = \{kP : 0 \le k \le n-1\}$, i.e. $E(F_q)$ can be expressed as the set of all scalar multiples of P.

data confidentiality
The assurance provided to entity U that data is unintelligible to entities other than U and V.

data integrity
The assurance provided to entity U that data has not been modified by entities other than U and V.

data origin authentication
The assurance provided to entity U that data is from V.

digital signature
The result of a cryptographic transformation of data that, when properly implemented, provides the services of:
1. origin authentication,
2. data integrity, and
3. signer non-repudiation.

EC
Elliptic curve.

ECDLP
Elliptic Curve Discrete Logarithm Problem. (See Annex H.)

ECDSA
Elliptic Curve Digital Signature Algorithm.

elliptic curve
An elliptic curve over $F_q$ is a set of points that satisfy a certain equation specified by two parameters a and b, which are elements of the field $F_q$. (See Section 4.2.)

elliptic curve key pair (Q, d)
Given particular elliptic curve domain parameters, an elliptic curve key pair consists of an elliptic curve public key (Q) and the corresponding elliptic curve private key (d).

elliptic curve private key (d)
Given particular elliptic curve domain parameters, an elliptic curve private key, d, is a statistically unique and unpredictable integer in the interval [1, n-1], where n is the prime order of the base point G.

elliptic curve public key (Q)
Given particular elliptic curve domain parameters, and an elliptic curve private key d, the corresponding elliptic curve public key, Q, is the elliptic curve point Q = dG, where G is the base point. Note that Q will never equal O, since $1 \le d \le n-1$.

elliptic curve domain parameters
Elliptic curve domain parameters are comprised of a field size q, an indication FR of the basis used (in the case $q = 2^m$), an optional SEED, two elements a, b in $F_q$ that define an elliptic curve E over $F_q$, a point $G = (x_G, y_G)$ of prime order in $E(F_q)$, the order n of G, and the cofactor h.
See Sections 5.1.1.1 and 5.1.2.1 for a complete specification of elliptic
curve domain parameters.

elliptic curve point
If E is an elliptic curve defined over a field $F_q$, then an elliptic curve point P is either: a pair of field elements $(x_P, y_P)$ (where $x_P, y_P \in F_q$) such that the values $x = x_P$ and $y = y_P$ satisfy the equation defining E, or a special point O called the point at infinity. O is the identity element of the elliptic curve group.

encryption scheme
An encryption scheme is a cryptographic scheme capable of providing data confidentiality.

entity
A party involved in the operation of a cryptographic system.

entity authentication
The assurance provided to entity U that entity
U has been involved in a real-time communication with entity V.

ephemeral
Ephemeral data is relatively short-lived. In this Standard, ephemeral data is data specific to one execution of a cryptographic scheme.

explicit key authentication
The assurance provided to entity U that only entities U and V are possibly capable of computing the session key and that the entities U and V are actually capable of computing the session key.

forward secrecy
The assurance provided to an entity U that the session key established between entities U and V will not be compromised by the compromise of either entity's static private key in the future. Also known as perfect forward secrecy.

Gaussian normal basis (GNB)
A type of normal basis that can be used to represent the elements of the finite field $F_{2^m}$. (See Section 4.1.2.2.)

hash function
See cryptographic hash function.

hash value
The result of applying a cryptographic hash function to a bit string.

hybrid form
Octet string representation for both the compressed and uncompressed forms of an elliptic curve point. (See Section 4.3.6.)

implicit key authentication
The assurance provided to entity U that only entities U and V are possibly capable of computing the session key.

initiator
An entity involved in an operation of a protocol that sends the first exchange of the protocol.

irreducible binary polynomial
A binary polynomial f(x) is irreducible if it cannot be factored into a product
of two or more binary polynomials, each of degree less than the degree of f(x).

key
See cryptographic key.

key agreement scheme
A key agreement scheme is a key establishment scheme in which the keying data established is a function of contributions provided by both entities in such a way that neither party can predetermine the value of the keying data.

key-compromise impersonation resilience
The assurance provided to entity U during an execution of a key establishment scheme that the compromise of U's static private key has not enabled the impersonation of V to U.

key confirmation
The addition of flows to
a key establishment scheme providing implicit key authentication so that explicit key authentication is provided.

key derivation function
A key derivation function is a function that takes as input a shared secret value and outputs keying data suitable for later cryptographic use.

key establishment schemes
A key establishment scheme is a cryptographic scheme that establishes keying data suitable for subsequent cryptographic use by cryptographic schemes to its legitimate users. Key agreement schemes and key transport schemes are types of key establishment schemes.

keying data
Data suitable for use as cryptographic keys.

keying material
The data (e.g., keys, certificates and initialization vectors) necessary to establish and maintain cryptographic keying relationships.

key transport schemes
A key transport scheme is a
key establishment scheme in which the keying data established is determined entirely by one entity.

known-key security
The assurance provided to entity U that the session key established by an execution of a key establishment scheme will not be compromised by the compromise of other session keys.

message authentication code or MAC scheme
A message authentication code or MAC scheme is a cryptographic scheme capable of providing data origin authentication and data integrity.

non-repudiation
The assurance provided to entity U that U is able to prove to a third party that data is from V.

normal basis (NB)
A type of basis that can be used to represent the elements of the finite field $F_{2^m}$. (See Annex B.2.3.)

octet
An octet is a bit string of length 8. An octet is represented by a hexadecimal string of length 2. The first hexadecimal digit represents the four leftmost bits of the octet, and the second hexadecimal digit represents the four rightmost bits of the octet. For example, 9D represents the bit string 10011101. An octet also represents an integer in the interval [0, 255]. For example, 9D represents the integer 157.

octet string
An octet string is an ordered sequence of octets.

optimal normal basis (ONB)
A type of Gaussian normal basis that can be used to represent the elements of the finite field $F_{2^m}$. (See Section 4.1.2.2.) There are two kinds of ONB, called Type I ONB and Type II ONB.

order of a curve
The order of an elliptic curve E defined over the field $F_q$ is the number of points on E, including O. This is denoted by $\#E(F_q)$.

order of a point
The order of a point P is the smallest positive integer n such that nP = O (the point at infinity).

owner
The enti