1、B CReference numberISO/IEC 14888-3:1998(E)INTERNATIONALSTANDARDISO/IEC14888-3First edition1998-12-15Information technology Securitytechniques Digital signatures withappendix Part 3:Certificate-based mechanismsTechnologies de linformation Techniques de scurit Signaturesdigitales avec appendice Partie
2、 3: Mcanismes fonds sur certificatAdopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 12/13/00Published by American National Standards Institute,25 West 43rd Street, New York, New York 10036Copyright 2002 by Informa
3、tion Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council(IT
4、I). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United Stat
5、es of AmericaISO/IEC 14888-3:1998(E) ISO/IEC 1998All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronicor mechanical, including photocopying and microfilm, without permission in writing from the publisher.ISO
6、/IEC Copyright Office Case postale 56 CH-1211 Genve 20 SwitzerlandPrinted in SwitzerlandiiForewordISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are me
7、mbers of ISO or IECparticipate in the development of international standards through technical committees established by therespective organization to deal with particular fields of technical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international orga
8、nizations, governmental and non-governmental, inliaison with ISO and IEC, also take part in the work.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the joint technical committee are circulated t
9、o national bodies for voting.Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.International Standard ISO/IEC 14888-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology, Subcommittee SC 27, IT Security techni
10、ques.ISO/IEC 14888 consists of the following parts, under the general title Information technology Security techniques Digital signatures with appendix: Part 1: General Part 2: Identity-based mechanisms Part 3: Certificate-based mechanismsFurther parts may follow.Annexes A and B form an integral par
11、t of this part of ISO/IEC 14888. Annexes C to G are for information only.INTERNATIONAL STANDARD ISO/IEC ISO/IEC 14888-3:1998(E)1Information technology Security techniques Digitalsignatures with appendix Part 3:Certificate-based mechanisms1 ScopeISO/IEC 14888 specifies digital signaturemechanisms wit
12、h appendix for messages ofarbitrary length and is applicable for providing dataorigin authentication, non-repudiation, and integrityof data.This part of ISO/IEC 14888 specifies certificate-based digital signature mechanisms with appendix.In particular, this part of ISO/IEC 14888 provides 1)a general
13、 description of certificate-based digitalsignature mechanisms whose security is based onthe difficulty of the discrete logarithm problem inthe underlying commutative group (see Clause 6),2) a general description of certificate-based digitalsignature mechanisms whose security is based onthe difficult
14、y of factoring (see Clause 7), and 3) avariety of normative digital signature mechanismswith appendix using certificate-based mechanismsfor messages of arbitrary length (see Annex Aand B).2 Normative referencesThe following standards contain provisions which,through reference in this text, constitut
15、e provisionsof this part of ISO/IEC 14888. At the time ofpublication, the editions indicated were valid. Allstandards are subject to revision, and parties toagreements based on this part of ISO/IEC 14888are encouraged to investigate the possibility ofapplying the most recent editions of the standard
16、sindicated below. Members of IEC and ISO maintainregisters of currently valid International Standards.ISO/IEC 14888-1:1998, Information technology Security techniques Digital signatures withappendix Part 1: General.ISO/IEC 14888-2:1998, Information technology Security techniques Digital signatures w
17、ithappendix Part 2: Identity-based mechanisms.ISO/IEC 9796:1991, Information technology Security techniques Digital signature schemegiving message recovery.ISO/IEC 9796-2:1997, Information technology Security techniques Digital signature schemesgiving message recovery Part 2: Mechanismsusing a hash-
18、function.ISO/IEC 10118-3:1998, Information technology Security techniques Hash-functions Part 3:Dedicated hash-functions.ISO/IEC 10118-4:1998, Information technology Security techniques Hash-functions Part 4:Hash-functions using modular arithmetic.3 GeneralThis part of ISO/IEC 14888 makes use of the
19、definitions, symbols, legend for figures, andnotation given in ISO/IEC 14888-1.The verification of a digital signature requires thesigning entitys verification key. It is thus essentialfor a verifier to be able to associate the correctverification key with the signing entity. Forcertificate-based me
20、chanisms, this associationmust be provided by some certifying measure, forexample, the verification key is retrieved from acertificate.The goal of this part of ISO/IEC 14888 is to specifythe following processes and functions within thegeneral model described in ISO/IEC 14888-1:- the process of gener
21、ating keys- generating domain parameters- generating signature and verification keys- the process of producing signatures- (optional) producing pre-signatures- preparing the message for signatureISO/IEC 14888-3:1998(E)ISO/IEC2- computing witnesses- computing the signature- the process of verificatio
22、n- preparing message for verification- retrieving the witness- computing the verification function- verifying the witness4 DefinitionsFor the purpose of this part of ISO/IEC 14888, thedefinitions of ISO/IEC 14888-1 apply. Additionaldefinitions which are required are as follows.4.1 Finite commutative
23、 group: A finite set J withthe binary operation such that:- For all a, b, cJ, (ab) c = a (bc)- There exists eJ with ea = a for all aJ- For all aJ there exists bJ with ba = e- For all a, bJ, ab = ba4.2 Order of an element in a finite commutativegroup: If a0 =e, and an+1=aan(for n 0), isdefined recurs
24、ively, the order of aJ is the leastpositive integer n such that an= e.5 Symbols and notationThroughout this part of ISO/IEC 14888 thefollowing symbols and notations are used inaddition to those given in ISO/IEC 14888-1.E a finite commutative group#E the cardinality of Ea|b concatenation of b to aQ a
25、 divisor of #EG an element of order Q in Egcd(U, N) the greatest common divisor ofintegers U and NT1 first part of assignmentT2second part of assignmentZNthe set of integers U with 0 U 1GF(P -1)/Qmod P, an element of order Qin E = Z*PThe integers P, Q, and G can be public and can becommon to a group
26、 of users.To achieve FIPS compliance, parameters P and Qare generated as specified in FIPS PUB 186,Appendix 2 (Details can be found in Annex C ofthis part of ISO/IEC 14888).Note 1: The size of the prime P in this normative example is asspecified by the Digital Signature Algorithm (DSA). Note thatthe
27、 size of P is restricted to be at most 1024 bits. As of 19 May1994, the size of P provides a sufficient security margin. It isacknowledged that future advances in number theoreticalgorithms may possibly render the size of P of 1024 bits asinsufficient.Note 2: It is recommended that all users check t
28、he propergeneration of the DSA public parameters.Note 3: It is recognized that DSA possesses an unfavourableproperty in which an attack can be mounted where collisions onthe underlying hash function can be found with a complexity of274as compared to 280in the most secure case. This attackthough is e
29、asily detectable. For users who may still wish toavoid this property, it can be prevented by using themechanism of A.1.2.ISO/IEC 14888-3:1998(E)ISO/IEC10A.1.1.2 DSA generation of signature key andverification keyThe signature key of a signing entity is a secretlygenerated random or pseudo-random int
30、eger Xsuch that 0 1GF(P -1)/Q mod PNote: Special care should be taken to the generation of P, Q,and F. For example, the procedures of A.1.1.1 may be used.A.1.2.2 Pointcheval/Vaudenay generation ofsignature key and verification keyThe signature key of a signing entity is a secretlygenerated random or
31、 pseudo-random integer Xsuch that 0 Qare prime integers and a signature exponent sequal to the verification exponent v, an integergreater than or equal to 4. This common exponentcan be included in the domain parameters orderived from a certificate in the optional text of theappendix. Also specified
32、(optionally) in the domainparameters is an integer n which specifies the sizeof the integer primes in bits. Nominally, n is 1/3 thenumber of bits used to represent N. The size ofthe hash token is restricted to n-1 bits (i.e., 0 Q and the signature exponent s withs 4. The factors P and Q shall be kep
33、t secret.B.2.2.2 Generation of verification keyThe verification key is a pair of integers Y = (N, v),where N is the product N = P1P2P3 = P2Q and v isan integer which satisfies the condition v = s 4.B.2.3 Signature processThe signature process of ESIGN follows thegeneral model described in Clause 8 o
34、f ISO/IEC14888-1. It is a randomized signature mechanismwhich uses a deterministic witness and produces aone-part signature.B.2.3.1 Producing pre-signatureThe pre-signature is computed in two steps.B.2.3.1.1 Producing the randomizerThe signing entity generates secretly a randomizerwhich is a random
35、or pseudo-random positiveinteger K Mod PQ such that 0 x1, , xg.Conversely, a g-long sequence of bits x1, , xgis converted to an integer by the rulex1, , xg - x1* 2g-1+ x2* 2g-2+ + xg-1*2+ xg.Note that the first bit of the sequence correspondsto the most significant bit of the correspondinginteger an
36、d the last bit to the least significant bit.Let L-1 = n*160 + b, where b and n are integersand 0 b 3, then a,b shall satisfy 4a3+ 27b20(mod p), and every point P = (xp,yp) on E (otherthan the point ) shall satisfy the following equationin Fp:baxxyp3p2p+ .If q = 2mis a power of 2 (so the underlying f
37、ield isF2m), then b shall be non-zero in F2m, and everypoint P = (xP,yP) on E (other than the point ) shallsatisfy the following equation in F2m:baxxyxy2p3ppp2p+=+ .An elliptic curve point P (which is not the point atinfinity ) is represented by two field elements, thex-coordinate of P and the y-coo
38、rdinate of P:P = (xP,yP).D.1.1 Addition rules for elliptic curves over FpThe set of points E(Fp) forms a group with thefollowing addition rules:(i) + = (ii) (x,y) + = + (x,y) = (x,y) for all (x,y) E(Fp)(iii) (x,y) + (x,-y) = for all (x,y) E(Fp) (i.e.the negative of a the point (x,y) is -(x,y) =(x,-y
39、)(iv) (Rule for adding two distinct points that arenot inverses of each other)Let: (x1,y1) E(Fp) and (x2,y2) E(Fp) be twopoints such that x1 x2.Then (x1,y1) + (x2,y2) = (x3,y3), where:x3= 2- x1- x2, y3= (x1- x3) - y1and1212xxyy= .(v) (Rule for doubling a point)Let (x1,y1) E(Fp) be a point with y1 0.
40、Then 2(x1,y1) = (x3,y3), where:x3= 2- 2x1, y3= (x1- x3) - y1and1212ya3x +=The group E(Fp) is abelian, which means thatP1+ P2= P2+ P1for all points P1and P2in E(Fp).The curve is said to be supersingular if# E(Fp) = p + 1; otherwise it is non-supersingular.D.1.2 Addition rules for elliptic curves over
41、 F2mThe set of points E(F2m) forms a group with thefollowing addition rules:(i) + = (ii) (x,y) + = + (x,y) = (x,y) for all (x,y) E(F2m)ISO/IEC ISO/IEC 14888-3:1998(E)19(iii) (x,y) + (x,x+y) = for all (x,y) E(F2m) (i.e.the negative of a the point (x,y) is - (x,y) =(x,x+y)(iv) (Rule for adding two dis
42、tinct points that arenot inverses of each other)Let: (x1,y1) E(F2m) and (x2,y2) E(F2m)be two points such that x1 x2.Then (x1,y1) + (x2,y2) = (x3,y3), where:x3= 2+ + x1+ x2+ a, y3= (x1+ x3) +x3+ y1and 2121xxyy+= (v) (Rule for doubling a point)Let (x1,y1) E(F2m) be a point with x1 0.Then 2(x1,y1) = (x
43、3,y3), where:x3= 2+ + a, y3= x12+ ( + 1)x3, and111xyx += .The group E(F2m) is abelian, which means that P1+ P2= P2+ P1for all points P1and P2in E(F2m).ISO/IEC 14888-3:1998(E)ISO/IEC20Annex E(informative)Numerical examples of certificate-based digital signatures with appendixE.1 The U.S. Digital Sign
44、ature Algorithm (DSA)A complete explanation of the generation of all values is given in FIPS PUB 186, Appendix 5. In this examplethe following values, expressed in hexadecimal notation, will be used.E.1.1 DSA parametersL = 200 (51210)SEED = d5014e4b 60ef2ba8 b6211b40 62ba3224 e0427dd3F = 2P = 8df2a4
45、94 492276aa 3d25759b b06869cb eac0d83a fb8d0cf7cbb8324f 0d7882e5 d0762fc5 b7210eaf c2e9adac 32ab7aac49693dfb f83724c2 ec0736ee 31c80291Q = c773218c 737ec8ee 993b4f2d ed30f48e dace915fG = 626d0278 39ea0a13 413163a5 5b4cb500 299d5522 956cefcb3bff10f3 99ce2c2e 71cb9de5 fa24babf 58e5b795 21925c9cc42e9f6
46、f 464b088c c572af53 e6d78802E.1.2 DSA signature key and verification keyX = 2070b322 3dba372f de1c0ffc 7b2e3b49 8b260614Y = 19131871 d75b1612 a819f29d 78d1b0d7 346f7aa7 7bb62a859bfd6c56 75da9d21 2d3a36ef 1672ef66 0b8c7c25 5cc0ec74858fba33 f44c0669 9630a76b 030ee333E.1.3 DSA per message dataK = 358da
47、d57 1462710f 50e254cf 1a376b2b deaadfbfK-1= 0d516729 8202e49b 4116ac10 4fc3f415 ae52f917M = ASCII form of “abc“ = 616263h(M)=a9993e36 4706816a ba3e2571 7850c26c 9cd0d89dE.1.4 DSA signatureR = 8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0S = 41e2345f 1f56df24 58f426d1 55b4ba2d b6dcd8c8E.1.5 DSA Verifi
48、cation valuesR = 8bac1ab6 6410435c b7181f95 b16ab97c 92b341c0E.2 The Pointcheval/Vaudenay Signature AlgorithmThe following values are expressed in hexadecimal notation.ISO/IEC ISO/IEC 14888-3:1998(E)21E.2.1 Pointcheval/Vaudenay parametersL = 200 (=51210)F = 2P = 8df2a494 492276aa 3d25759b b06869cb e
49、ac0d83a fb8d0cf7cbb8324f 0d7882e5 d0762fc5 b7210eaf c2e9adac 32ab7aac49693dfb f83724c2 ec0736ee 31c80291Q = c773218c 737ec8ee 993b4f2d ed30f48e dace915fG = 626d0278 39ea0a13 413163a5 5b4cb500 299d5522 956cefcb3bff10f3 99ce2c2e 71cb9de5 fa24babf 58e5b795 21925c9cc42e9f6f 464b088c c572af53 e6d78802E.2.2 Pointcheval/Vaudenay signature key and verification keyX = 2070b322 3dba372f de1c0ffc 7b2e3b49 8b26061
