The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA

Copyright 2000 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published 25 August 2000. Printed in the United States of America.

Print: ISBN 0-7381-1956-3 SH94820
PDF: ISBN 0-7381-1957-1 SS94820

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.

IEEE Std 1363-2000
IEEE Standard Specifications for Public-Key Cryptography

Sponsor
Microprocessor Standards Committee of the IEEE Computer Society

Approved 30 January 2000
IEEE-SA Standards Board

Approved 27 July 2000
American National Standards Institute

Abstract: This standard specifies common public-key cryptographic techniques, including mathematical primitives for secret value (key) derivation, public-key encryption, and digital signatures, and cryptographic schemes based on those primitives. It also specifies related cryptographic parameters, public keys, and private keys. The purpose of this standard is to provide a reference for specifications on a variety of techniques from which applications may select.

Keywords: digital signature, encryption, key agreement, public-key cryptography

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. Members of the committees serve voluntarily and without compensation. They are not necessarily members of the Institute. The standards developed within IEEE represent a consensus of the broad expertise on the subject within the Institute as well as those activities outside of IEEE that have expressed an interest in participating in the development of the standard.

Use of an IEEE Standard is wholly voluntary. The existence of an IEEE Standard does not imply that there are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to the scope of the IEEE Standard. Furthermore, the viewpoint expressed at the time a standard is approved and issued is subject to change brought about through developments in the state of the art and comments received from users of the standard. Every IEEE Standard is subjected to review at least every five years for revision or reaffirmation. When a document is more than five years old and has not been reaffirmed, it is reasonable to conclude that its contents, although still of some value, do not wholly reflect the present state of the art. Users are cautioned to check to determine that they have the latest edition of any IEEE Standard.

Comments for revision of IEEE Standards are welcome from any interested party, regardless of membership affiliation with IEEE. Suggestions for changes in documents should be in the form of a proposed change of text, together with appropriate supporting comments.

Interpretations: Occasionally questions may arise regarding the meaning of portions of standards as they relate to specific applications. When the need for interpretations is brought to the attention of IEEE, the Institute will initiate action to prepare appropriate responses. Since IEEE Standards represent a consensus of all concerned interests, it is important to ensure that any interpretation has also received the concurrence of a balance of interests. For this reason, IEEE and the members of its societies and Standards Coordinating Committees are not able to provide an instant response to interpretation requests except in those cases where the matter has previously received formal consideration.

Comments on standards and requests for interpretations should be addressed to:

Secretary, IEEE-SA Standards Board
445 Hoes Lane
P.O. Box 1331
Piscataway, NJ 08855-1331
USA

IEEE is the sole entity that may authorize the use of certification marks, trademarks, or other designations to indicate compliance with the materials set forth herein.

Authorization to photocopy portions of any individual standard for internal or personal use is granted by the Institute of Electrical and Electronics Engineers, Inc., provided that the appropriate fee is paid to Copyright Clearance Center. To arrange for payment of licensing fee, please contact Copyright Clearance Center, Customer Service, 222 Rosewood Drive, Danvers, MA 01923 USA; (978) 750-8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Note: Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying patents for which a license may be required by an IEEE standard or for conducting inquiries into the legal validity or scope of those patents that are brought to its attention.

Copyright 2000 IEEE. All rights reserved.

Introduction

(This introduction is not part of IEEE Std 1363-2000, IEEE Standard Specifications for Public-Key Cryptography.)

The P1363 project started as the "Standard for Rivest-Shamir-Adleman, Diffie-Hellman, and Related Public-Key Cryptography," with its first meeting held in January 1994, following a strategic initiative by the Microprocessor Standards Committee to develop standards for cryptography. P1363's scope broadened with the inclusion of elliptic curve cryptosystems as related cryptography, and later the title was changed to the current one to reflect the breadth of the effort. In mid-1996, the working group decided to include three families of techniques, based on three different hard problems: integer factorization, discrete logarithms over finite fields, and elliptic curve discrete logarithms. By late 1996, the set of techniques was fairly stable, with additional techniques deferred to the P1363a project.

Most of the next two years saw an increasing intensity of editing, as the Working Group sought to fulfill the scope that remained. In early 1998, the group set a schedule for completion that would bring the document to ballot in late 1998, and final sections of the document were prepared.

The process of developing a standard is always a challenging one, particularly when the subject is as technical as cryptography and the scope is as broad as proposed for P1363. Moreover, as other groups were developing complementary standards at the same time as P1363, close coordination was an essential aspect. Security implies a great deal of caution, and the Working Group was careful in its deliberations not to set any "standards" that might later lead to vulnerabilities (although, as is pointed out elsewhere, this standard is much more about a framework for specifying public-key techniques than it is about security, per se).

In addition to this standard, the P1363 project has provided a number of other contributions to the computer security industry. First, it has presented a forum where experts can discuss general issues related to public-key standardization. Second, through its Web page and its call for submissions to P1363a, the project has given a focal point for the presentation of new developments in public-key technology. Third, it has helped facilitate the open discussion of intellectual property issues in this area. And, finally, through its drafts, P1363 has provided reference material to a wide community of cryptographers that otherwise was relegated to textbooks and research papers. For the duration of its existence, the Working Group intends to maintain a Web page containing "errata and latest information" as an additional reference to support P1363 documents (see http://grouper.ieee.org/groups/1363/index.html).

The P1363 Working Group is grateful to the many experts who have contributed to this standard, and particularly to those whose development of public-key technology over the past two decades has provided the foundation for information security in the next century.

Participants

The active participants in the IEEE Std 1363-2000 Working Group at the time this standard was completed and balloted were as follows:

Burt Kaliski, Chair
Terry S. Arnold, Vice Chair
Robert Schlafly, Secretary
Michael Markowitz, Treasurer
Yiqun Lisa Yin, Technical Editor

Benjamin Arazi
Ian Blake
Lily Chen
Louis Finkelstein
Walter Fumy
Donald B. Johnson
Shirley Kawamoto
Tetsutaro Kobayashi
David Kravitz
Pil Joong Lee
Franck Leprevost
Daniel Lieman
Alfred Menezes
Tatsuaki Okamoto
Minghua Qu
Anand Rajan
Leonid Reyzin
Allen Roginsky
Richard Schroeppel
Ari Singer
Jerry Solinas
Kazuo Takaragi
Ashok Vadekar
Scott Vanstone
William Whyte
Robert Zuccherato

In addition, the Working Group would like to thank the following people for their contributions to the standard:

Michel Abdalla
Rich Ankney
David Aucsmith
Paulo S. L. M. Barreto
Mihir Bellare
Tom Berson
Simon Blake-Wilson
Eric Blossom
Uri Blumenthal
Mark Chen
Don Coppersmith
Richard Crandall
Wei Dai
Erik De Win
Jean-Francois Dhem
Whitfield Diffie
Carl Ellison
Amos Fiat
Robert Gallant
John Gilmore
Roger Golliver
Gary L. Graunke
Phillip Griffin
Louis Guillou
Stuart Haber
Shai Halevi
Shouichi Hirose
Robert Hofer
Dale Hopkins
David Hopwood
Russell Housley
Eric Hughes
David Jablon
Marc Joye
Aleksandar Jurisic
Charanjit Jutla
John Kennedy
Katherine T. Kislitzin
Cetin K. Koc
Ray Kopsa
Robert J. Lambert
Peter Landrock
Laurie Law
Chang-Hyi Lee
Jong-In Lim
Moses Liskov
Wenbo Mao
Stephen M. Matyas
Preda Mihailescu
Peter Montgomery
Francois Morain
Peter Neumann
Mark Oliver
Aram Perez
Mohammad Peyravian
Bart Preneel
Jean-Jacques Quisquater
Karen Randall
Richard L. Robertson
Matt Robshaw
Phillip Rogaway
Paul Rubin
Rainer Rueppel
Claus P. Schnorr
Mike Scott
Gadiel Seroussi
Sherry Shannon
Robert D. Silverman
Tim Skorick
David Sowinski
Paul Van Oorschot
Michael J. Wiener
Harold M. Wilensky
Thomas Wu
Susumu Yoshida
Yuliang Zheng

The Working Group apologizes for any inadvertent omissions from the above list. Please note that inclusion of a person's name on the above two lists does not imply that the person agrees with all the materials in this standard.

The following members of the balloting committee voted on this standard:

Carlisle M. Adams
Malcolm J. Airst
Christopher Allen
Terry S. Arnold
Glen Atkins
Simon Blake-Wilson
Lily Chen
John L. Cole
Erik De Win
Dante Del Corso
Stephen L. Diamond
Robert Gallant
Patrick S. Gonia
Julio Gonzalez-Sanz
Gary L. Graunke
Sandor V. Halasz
Jim D. Isaak
Donald B. Johnson
Burt Kaliski
Shirley Kawamoto
David Kravitz
Thomas M. Kurihara
Robert J. Lambert
Pil Joong Lee
Franck Leprevost
Thomas Luedeke
Michael J. Markowitz
Joseph R. Marshall
Serge Mister
Stig Frode Mjolsnes
Paul S. Montague
John E. Montague
Roy Oishi
Minghua Qu
Leonid Reyzin
David Rockwell
Roger Schlafly
Marius Seritan
W. Olin Sibert
Ari Singer
Keith Sollers
Michael Steinacker
Fred J. Strauss
Kazuo Takaragi
Joseph Tardo
Michael D. Teener
Ashok Vadekar
Paul Van Oorschot
Clarence M. Weaver, Jr
Michael J. Weiner
Harold M. Wilensky
Forrest D. Wright
Cheng-Wen Wu
Chung-Huang Yang
Yiqun Lisa Yin
Oren Yuen
Robert Zuccherato

When the IEEE-SA Standards Board approved this standard on 30 January 2000, it had the following membership:

Richard J. Holleman, Chair
Donald N. Heirman, Vice Chair
Judith Gorman, Secretary

Satish K. Aggarwal
Dennis Bodson
Mark D. Bowman
James T. Carlo
Gary R. Engmann
Harold E. Epstein
Jay Forster*
Ruben D. Garzon
James H. Gurney
Lowell G. Johnson
Robert J. Kennelly
E. G. "Al" Kiener
Joseph L. Koepfinger*
L. Bruce McClung
Daleep C. Mohla
Robert F. Munzner
Louis-François Pau
Ronald C. Petersen
Gerald H. Peterson
John B. Posey
Gary S. Robinson
Akio Tojo
Hans E. Weinrich
Donald W. Zipse

*Member Emeritus

Also included is the following nonvoting IEEE-SA Standards Board liaison:

Robert E. Hebner

Jennifer McClain Longman, IEEE Standards Project Editor

Contents

1. Overview
1.1 Scope
1.2 Purpose
1.3 Organization of the document
2. References
3. Definitions
4. Types of cryptographic techniques
4.1 General model
4.2 Primitives
4.3 Schemes
4.4 Additional methods
4.5 Table summary
5. Mathematical conventions
5.1 Mathematical notation
5.2 Bit strings and octet strings
5.3 Finite fields
5.4 Elliptic curves and points
5.5 Data type conversion
6. Primitives based on the discrete logarithm problem
6.1 The DL setting
6.2 Primitives
7. Primitives based on the elliptic curve discrete logarithm problem
7.1 The EC setting
7.2 Primitives
8. Primitives based on the integer factorization problem
8.1 The IF setting
8.2 Primitives
9. Key agreement schemes
9.1 General model
9.2 DL/ECKAS-DH1
9.3 DL/ECKAS-DH2
9.4 DL/ECKAS-MQV
10. Signature schemes
10.1 General model
10.2 DL/ECSSA
10.3 IFSSA
11. Encryption schemes
11.1 General model
11.2 IFES
12. Message-encoding methods
12.1 Message-encoding methods for signatures with appendix
12.2 Message-encoding methods for encryption
13. Key derivation functions
13.1 KDF1
14. Auxiliary functions
14.1 Hash functions
14.2 Mask generation functions
Annex A (informative) Number-theoretic background
A.1 Integer and modular arithmetic: overview
A.2 Integer and modular arithmetic: algorithms
A.3 Binary finite fields: overview
A.4 Binary finite fields: algorithms
A.5 Polynomials over a finite field
A.6 General normal bases for binary fields
A.7 Basis conversion for binary fields
A.8 Bases for binary fields: tables and algorithms
A.9 Elliptic curves: overview
A.10 Elliptic curves: algorithms
A.11 Functions for elliptic curve parameter and key generation
A.12 Functions for elliptic curve parameter and key validation
A.13 Class group calculations
A.14 Complex multiplication
A.15 Primality tests and proofs
A.16 Generation and validation of parameters and keys
Annex B (normative) Conformance
B.1 General model
B.2 Conformance requirements
B.3 Examples
Annex C (informative) Rationale
C.1 General
C.2 Keys and domain parameters
C.3 Schemes
Annex D (informative) Security considerations
D.1 Introduction
D.2 General principles
D.3 Key management considerations
D.4 Family-specific considerations
D.5 Scheme-specific considerations
D.6 Random number generation
D.7 Implementation considerations
Annex E (informative) Formats
E.1 Overview
E.2 Representing basic data types as octet strings
E.3 Representing outputs of schemes as octet strings
Annex F (informative) Bibliography

IEEE Standard Specifications for Public-Key Cryptography

1. Overview

1.1 Scope

This standard covers specifications for common public-key cryptographic techniques, including mathematical primitives for secret value (key) derivation, public-key encryption and digital signatures, and cryptographi