1、IEEE Std 1363a-2004(Amendment toIEEE Std 1363-2000)IEEE Standards1363aTMIEEE Standard Specifications forPublic-Key CryptographyAmendment 1: Additional Techniques3 Park Avenue, New York, NY 10016-5997, USAIEEE Computer SocietySponsored by theMicroprocessor and Microcomputer Standards CommitteeIEEE St
2、andards2 September 2004Print: SH95223PDF: SS95223Recognized as anAmerican National Standard (ANSI)The Institute of Electrical and Electronics Engineers, Inc.3 Park Avenue, New York, NY 10016-5997, USACopyright 2004 by the Institute of Electrical and Electronics Engineers, Inc.All rights reserved. Pu
3、blished 2 September 2004. Printed in the United States of America.IEEE is a registered trademark in the U.S. Patent +1 978 750 8400. Permission to photocopy portions of any individual standard for educationalclassroom use can also be obtained through the Copyright Clearance Center.NOTEAttention is c
4、alled to the possibility that implementation of this standard may require use of subjectmatter covered by patent rights. By publication of this standard, no position is taken with respect to the exist-ence or validity of any patent rights in connection therewith. The IEEE shall not be responsible fo
5、r identifyingpatents for which a license may be required by an IEEE standard or for conducting inquiries into the legal valid-ity or scope of those patents that are brought to its attention.Copyright 2004 IEEE. All rights reserved. iiiIntroduction(This introduction is not part of IEEE Std 1363a-2004
6、, IEEE Standard for Specifications for Public-Key CryptographyAmendment 1: Additional Techniques.)IEEE Std 1363a-2004 started in 1996 as an amendment to IEEE P1363, which later becameIEEE Std 1363TM-2000. At the time of the projects inception, the techniques included in P1363 were fairlystable; howe
7、ver, there were additional techniques that had been submitted to the Working Group that war-ranted further study and consideration. The P1363a project became the entry point for newly proposed andcomparatively less-established techniques, while the P1363 document was solidified and prepared for theI
8、EEE balloting process.In early 1999, the Working Group began to limit the contents of P1363a primarily to include techniques thatfit within the framework of the base document. In particular, the group concentrated on techniques in eachfamily that performed functions that were not available in the P1
9、363 document, such as encryption schemesin the discrete logarithm (DL) and elliptic curve (EC) families and signature schemes with message recoveryin all families DL, EC, and IF (integer factorization).Because of the large number of good candidates and the close similarities between many of the diff
10、erenttechniques, the Working Group began to formalize the criteria for acceptance into P1363a, comparing allaspects of the techniques. By late 1999, the Working Group had converged on several candidate techniquesto include in P1363a, making selections to provide a variety of relevant tradeoffs among
11、 security attributes,computational efficiency, and industry adoption for each family. As with the P1363 project, the WorkingGroup chose to close P1363a to additional techniques and prepare it for ballot, leaving standardization ofadditional techniques that may not have been ready for inclusion at th
12、at time to future standards.Throughout the process of creating IEEE Std 1363a-2004, the Working Group has been very fortunate toreceive numerous submissions of creative, useful, and well-designed public-key cryptographic techniques. Inaddition to techniques in the IF, DL, and EC families that were n
13、ot included in 1363a, there were also a numberof techniques submitted that fell outside of the scope of both IEEE Std 1363-2000 and IEEE Std 1363a-2004.As a result, the Microprocessor Standards Committee (MSC) commissioned a study group, in which many ofthe 1363 working group members participated, t
14、o explore the possibility of creating additional standardsrelated to public-key cryptography. In late 2000, the working group began work on P1363.1 (Public-KeyCryptographic Techniques Based on Hard Problems over Lattices) and P1363.2 (Password-Based Public-KeyCryptographic Techniques). At the time o
15、f this writing, the Working Group is also attempting to put togethera project for the second amendment to Std 1363-2000 (P1363b), which would continue the work fromIEEE Std 1363-2000 and IEEE Std 1363a-2004. The Working Group is considering the creation of a registryfor public-key cryptographic tech
16、niques.The process of developing IEEE Std 1363a-2004 has been very challenging, but it has allowed the WorkingGroup to continue to refine the general understanding of public-key cryptography and to follow up on thework put into IEEE Std 1363-2000. The IEEE P1363 Working Group continues to be an exce
17、llent forum forexperts to discuss technical and standardization issues associated with public-key cryptography. It has pro-vided a focal point for the presentation of new developments in public-key cryptography and remains asource for up-to-date information on the topic. For the duration of its exis
18、tence, the Working Group intendsto maintain a web page that will support all of the 1363 standards and current projects (see http:/grou-per.ieee.org/groups/1363/index.html).iv Copyright 2004 IEEE. All rights reserved.Notice to usersErrataErrata, if any, for this and all other standards can be access
19、ed at the following URL: http:/standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL forerrata periodically.InterpretationsCurrent interpretations can be accessed at the following URL: http:/standards.ieee.org/reading/ieee/interp/index.html.PatentsAttentio
20、n is called to the possibility that implementation of this standard may require use of subject mattercovered by patent rights. By publication of this standard, no position is taken with respect to the existence orvalidity of any patent rights in connection therewith. The IEEE shall not be responsibl
21、e for identifyingpatents or patent applications for which a license may be required to implement an IEEE standard or forconducting inquiries into the legal validity or scope of those patents that are brought to its attention. A patentholder or patent applicant has filed a statement of assurance that
22、 it will grant licenses under these rightswithout compensation or under reasonable rates and nondiscriminatory, reasonable terms and conditions toapplicants desiring to obtain such licenses. The IEEE makes no representation as to the reasonableness ofrates, terms, and conditions of the license agree
23、ments offered by patent holders or patent applicants. Furtherinformation may be obtained from the IEEE Standards Department.OrganizationThis standard is written as an amendment to the IEEE Std 1363-2000 document and is intended to be mergedinto a future version of that document. Familiarity with IEE
24、E Std 1363-2000 is assumed. The followingclauses and annexes are updated: Clause 2, References Clause 3, Definitions Clause 4, Types of cryptographic techniques Clause 5, Mathematical conventions Clause 6, Primitives based on the discrete logarithm problem Clause 7, Primitives based on the elliptic
25、curve discrete logarithm problem Clause 8, Primitives based on the integer factorization problem Clause 9, Key agreement schemes Clause 10, Signature schemes Clause 11, Encryption schemes Clause 12, Message-encoding methods Clause 13, Key derivation functions Clause 14, Auxiliary techniques (new tit
26、le) Annex A (informative) Number-theoretic algorithms Annex B (normative) Conformance Annex C (informative) RationaleCopyright 2004 IEEE. All rights reserved. v Annex D (informative) Security considerations Annex E (informative) Formats Annex G (informative) Bibliography (new number; was Annex F)One
27、 new annex is inserted: Annex F (informative) Information about patentsParticipantsThe following is a list of participants in the IEEE P1363 Working Group.William Whyte, Chair Don Johnson, Vice-ChairAri Singer, Secretary David Jablon, TreasurerMike Brenner, Primary Editor Burt Kaliski, P1363a Techni
28、cal Editor In addition, the Working Group would like to thank the following people for their contributions to thisamendment, whether by submitting techniques for consideration, participating in mailing list discussions, orattending meetings.Beni AraziDaniel V. BaileyDaniel BrownLily ChenWei DaiLouis
29、 FinkelsteinGurgen KachatryanPieter KasselmanTetsutaro KobayashiDavid KravitzPil Joong LeeDaniel LiemanMichael MarkowitzTatsuaki OkamotoSatomi OkazakiAnand RajanAllen RoginskyRoger SchlaflyRich SchroeppelJerry SolinasDavid SternMichel AbdallaTolga AcarCarlisle AdamsKochira AkiyamaKazumato AokiTerry
30、ArnoldPaulo BarretoMihir BellareSimon Blake-WilsonDaniel BleichenbacherJurjen BosDong Hyun CheonBram CohenNicolas CourtoisCarlin CoveyScott CrenshawLucien DancanetLei FangLudovic FlamentEiichiro FujisakiWalter FumyErnst GiessmannTom GindinLouis GoubinPeter GutmannSafuat HamdyFlorian HessShouichi Hir
31、oseRobert HoferErik Falk HjstedSeak Hie HongDavid HopwoodFumitaka HoshinoJim HughesJakob JonssonKCDSA Task Force TeamChang Han KimHee Jin KimJeong-Soo KimKunio KobayashiKristin LauterPeter LawrenceByoungcheon LeeChang-Hyi LeeSung Jae LeeFranck LeprevostJon In LimHelger LipmaaMoses LiskovStefan LwePh
32、il MacKenzieJohn Malone-LeeJames MangerMarcel MartinStephen M. MatyasPreda MihailescuBodo MllerJean MonneratShiho MoriaiHikaru MoritaJames MuirAnthony MulcahyHong NguyenSang Ho OhHilarie OrmanChristof PaarChina PellacuruMohammad PeyravianDavid PointchevalMartin RehwaldHolger ReifLeo ReyzinPhillip Ro
33、gawayRei Safavi-NainiErkay SavasDominikus ScherklMartin SchulzeThomas SchweinbergerMichael ScottVictor ShoupJoe SilvermanNigel SmartDavid SowinskiKazuo TakaragiScott VanstoneSerge VaudenayTom WuOk Yeon YiYiqun Lisa YinJoong Chul YoonSusumu YoshidaYuliang Zhengvi Copyright 2004 IEEE. All rights reser
34、ved.The Working Group apologizes for any inadvertent omissions from the previous list. Please note that inclu-sion of a persons name on the previous two lists on page v does not imply that the person agrees with all ofthe materials in this amendment.The following members of the individual balloting
35、committee voted on this amendment. Balloters may havevoted for approval, disapproval, or abstention. When the IEEE-SA Standards Board approved this standard on 25 March 2004, it had the followingmembership:Don Wright, ChairSteve M. Mills, Vice ChairJudith Gorman, Secretary*Member EmeritusAlso includ
36、ed are the following nonvoting IEEE-SA Standards Board liaisons:Satish K. Aggarwal, NRC RepresentativeRichard DeBlasio, DOE RepresentativeAlan Cookson, NIST RepresentativeDon MessinaIEEE Standards Project EditorTerry ArnoldSteven BardMitchell BonnettGuru Dutt DhingraDante Del CorsoSourav DuttaNeil H
37、ormanDon JohnsonJack JohnsonBurt KaliskiDavid KravitzThomas M. KuriharaGregory LuriRobert MortonsonDavid M. RockwellTom SchaalRoger SchlaflyAri SingerJoseph TardoJerry ThrasherJoan ViaplanaPaul WorkDon WrightCheng-Wen WuOren YuenChuck AdamsH. Stephen BergerMark D. BowmanJoseph A. BruderBob DavisRobe
38、rto de BoissonJulian Forster*Arnold M. GreenspanMark S. HalpinRaymond HapemanRichard J. HollemanRichard H. HulettLowell G. JohnsonJoseph L. Koepfinger*Hermann KochThomas J. McGeanDaleep C. MohlaPaul NikolichT. W. OlsenRonald C. PetersenGary S. RobinsonFrank StoneMalcolm V. ThadenDoug ToppingJoe D. W
39、atsonCopyright 2004 IEEE. All rights reserved. viiContents1. Overview 21.1 Scope 21.2 Purpose. 22. References 23. Definitions . 34. Types of cryptographic techniques 44.2 Primitives . 44.3 Schemes . 44.4 Additional methods 44.5 Table summary 55. Mathematical conventions . 75.1 Mathematical notation
40、. 75.4 Elliptic curves and points. 95.5 Data type conversion . 106. Primitives based on the discrete logarithm problem 156.2 Primitives . 157. Primitives based on the elliptic curve discrete logarithm problem 217.2 Primitives . 218. Primitives based on the integer factorization problem 268.2 Primiti
41、ves . 289. Key agreement schemes. 339.2 DL/ECKAS-DH1. 339.3 DL/ECKAS-DH2. 349.4 DL/ECKAS-MQV . 3510. Signature schemes 3610.1 General model 3610.2 DL/ECSSA. 3810.3 IFSSA. 3910.4 DL/ECSSR. 4110.5 DL/ECSSR-PV 4310.6 IFSSR. 46viii Copyright 2004 IEEE. All rights reserved.11. Encryption schemes . 4811.1
42、 General model 4811.2 IFES . 5011.3 DL/ECIES 5011.4 IFES-EPOC 5512. Message-encoding methods . 5712.1 Message-encoding methods for signatures with appendix 5712.2 Message-encoding methods for encryption . 6412.3 Message-encoding methods for signatures giving message recovery . 7113. Key derivation f
43、unctions 7713.2 KDF2 . 7814. Auxiliary techniques 7914.1 Hash functions . 7914.2 Mask generation functions. 8214.3 Symmetric encryption schemes . 8314.4 Message authentication codes 87Annex A (informative) Number-theoretic algorithms . 89Annex B (normative) Conformance 111Annex C (informative) Ratio
44、nale 114Annex D (informative) Security considerations 119Annex E (informative) Formats . 147Annex F (informative) Informative about patents . 151Annex G (informative) Bibliography 152Copyright 2004 IEEE. All rights reserved. 1IEEE Standard Specifications for Public-Key CryptographyAmendment 1: Addit
45、ional TechniquesEDITORS NOTEThe editing instructions contained in this amendment define how to merge the material containedherein into the existing base standard and its amendments to form the comprehensive standard.The editing instructions are shown in bold italic. Four editing instructions are use
46、d: change, delete, insert, and replace.Change is used to make small corrections in existing text or tables. The editing instruction specifies the location of thechange and describes what is being changed either by using strikethrough (to remove old material) or underscore (to addnew material). Delet
47、e removes existing material. Insert adds new material without disturbing the existing material.Insertions may require renumbering. If so, renumbering instructions are given in the editing instructions. Replace is usedto make large changes in existing text, subclauses, tables, or figures by removing
48、existing material and replacing it withnew material. Editorial notes will not be carried over into future editions.IEEEStd 1363a-2003 IEEE STANDARD SPECIFICATIONS FOR PUBLIC-KEY CRYPTOGRAPHY2 Copyright 2004 IEEE. All rights reserved.1. OverviewReplace subclauses 1.1 and 1.2 with the following text:1
49、.1 ScopeSpecifications of common public-key cryptographic techniques supplemental to those considered inIEEE Std 1363TM-2000, including mathematical primitives for secret value (key) derivation, public-keyencryption, digital signatures, and identification, and cryptographic schemes based on those primitives, areprovided. Specifications of related cryptographic parameters, public keys and private keys, are also pro-vided. Class of computer and communications systems is not restricted.1.2 PurposeThe transition from paper to electroni