1、 Reference numberISO/IEC 15946-2:2002(E)ISO/IEC 2002INTERNATIONAL STANDARD ISO/IEC15946-2First edition2002-12-01Information technology Security techniques Cryptographic techniques based on elliptic curves Part 2: Digital signatures Technologies de linformation Techniques de scurit Techniques cryptog
2、raphiques bases sur les courbes elliptiques Partie 2: Signatures digitales Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 7/7/2003Published by American National Standards Institute,25 West 43rd Street, New York
3、, New York 10036Copyright 2003 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and I
4、nformation Technology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washin
5、gton, DC 20005.Printed in the United States of AmericaISO/IEC 15946-2:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to an
6、d installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the softwar
7、e products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is f
8、ound, please inform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permiss
9、ion in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2002 All rights res
10、ervedISO/IEC 15946-2:2002(E) ISO/IEC 2002 All rights reserved iiiContentsForewordvIntroduction vi1 Scope12 Normative references13 Symbols and abbreviated terms13.1 Terms and definitions .13.2 Symbols and notation.24 General Model for Digital Signatures with Appendix 34.1 Parameter Generation Process
11、34.1.1 Domain Parameters.34.1.2 User Parameters34.1.3 Validity of Parameters.34.2 Signature Generation Process.44.2.1 Randomizer44.3 Signature Verification Process 45 EC-GDSA Signature Algorithm 55.1 Domain and User Parameters 55.2 Signature Generation Process.55.2.1 Calculation of the message diges
12、t 55.2.2 Elliptic Curve Computations (Arithmetic operations in the underlying field).55.2.3 Computations modulo the group order of G (Arithmetic operations in F(n) 55.3 The Signature.65.4 Signature Verification Process 65.4.1 Signature Size Verification.65.4.2 Calculation of the message digest 65.4.
13、3 Elliptic Curve Computations 65.4.4 Signature Checking.66 EC-DSA.6ISO/IEC 15946-2:2002(E)iv ISO/IEC 2002 All rights reserved6.1 Domain and User Parameters . 66.2 Signature Generation Process 66.2.1 Calculation of the message digest . 76.2.2 Elliptic Curve Computations (Arithmetic operations in the
14、underlying field). 76.2.3 Computations modulo the group order of G. (Arithmetic operations in F(n) . 76.3 The Signature 76.4 Signature Verification Process . 76.4.1 Signature Size Verification 76.4.2 Calculation of the message digest . 86.4.3 Elliptic Curve Computations . 86.4.4 Signature Checking 8
15、7 EC-KCDSA. 87.1 Domain and User Parameters . 87.2 Signature Generation Process 87.2.1 Calculation of the message digest . 87.2.2 Elliptic Curve Computations (Arithmetic operations in the underlying field) 97.2.3 Computations modulo the group order of G (Arithmetic operations in F(n) 97.3 The Signat
16、ure 97.4 Signature Verification Process . 97.4.1 Signature Size Verification 97.4.2 Calculation of the message digest . 97.4.3 Elliptic Curve Computation . 97.4.4 Signature Checking 10Annex A (informative) Comparison. 11Annex B (informative) Examples. 13Bibliography . 29ISO/IEC 15946-2:2002(E) ISO/I
17、EC 2002 All rights reserved vForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are members of ISO or IECparticipate in the development of Internationa
18、l Standards through technical committees established by therespective organization to deal with particular fields of technical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, inliaison with ISO
19、and IEC, also take part in the work.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the jo
20、int technical committee are circulated to national bodies for voting.Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.International Standard ISO/IEC 15946-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology
21、, Subcommittee SC 27, IT Security techniques.ISO/IEC 15946 consists of the following parts, under the general title Information technology Security techniques Cryptographic techniques based on elliptic curves: Part 1: General Part 2: Digital signatures Part 3: Key establishment Part 4: Digital signa
22、tures giving message recoveryAnnexes A and B of this part of ISO/IEC 15946 are for information only.ISO/IEC 15946-2:2002(E)vi ISO/IEC 2002 All rights reservedIntroductionSome of the most interesting and potentially useful of the public-key cryptosystems that are currently available arecryptosystems
23、based on elliptic curves defined over finite fields. The concept of an elliptic curve based public-keycryptosystem is rather simple: Every elliptic curve is endowed with a binary operation “+“ under which it forms a finite abelian group. The group law on elliptic curves extends in a natural way to a
24、 “discrete exponentiation“ on the point group ofthe elliptic curve. Based on the discrete exponentiation on an elliptic curve one can easily derive elliptic curve analogues of thewell known public-key schemes of Diffie-Hellman and ElGamal type.The security of such a public-key system depends on the
25、difficulty of determining discrete logarithms in the group ofpoints of an elliptic curve. This problem is - with current knowledge - much harder than the factorization of integersor the computation of discrete logarithms in a finite field. Indeed, since Miller and Koblitz in 1985independently sugges
26、ted the use of elliptic curves for public-key cryptographic systems, no substantial progress intackling the elliptic curve discrete logarithm problem has been reported. The only known general algorithms todetermine elliptic curve discrete logarithms take fully exponential time. Thus, it is possible
27、for elliptic curve basedpublic-key systems to use much shorter parameters than the RSA system or the classical discrete logarithm basedsystems that make use of the multiplicative group of some finite field. This yields significantly shorter digitalsignatures and system parameters and allows for comp
28、utations using smaller integers.It is the purpose of this document to meet the increasing interest in elliptic curve based public key technology anddescribe the components that are necessary to implement a secure digital signature system based on ellipticcurves.The International Organization for Sta
29、ndardization (ISO) and International Electrotechnical Commission (IEC) drawattention to the fact that it is claimed that compliance with this International Standard may involve the use ofpatents.ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.The holde
30、rs of these patent rights have assured ISO and IEC that they are willing to negotiate licences underreasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, thestatements of the holders of these patent rights are registered with ISO and IEC. Infor
31、mation may be obtained from:ISO/IEC JTC 1/SC 27 Standing Document 8 (SD 8)SD 8 is publicly available at:http:/www.din.de/ni/sc27Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 15946 may be the subject ofpatent rights other than those identified above. ISO and
32、IEC shall not be held responsible for identifying any or allsuch patent rights.INTERNATIONAL STANDARD ISO/IEC 15946-2:2002(E) ISO/IEC 2002 All rights reserved 1Information technology Security techniques Cryptographictechniques based on elliptic curves Part 2: Digital signatures1 ScopeThis part of IS
33、O/IEC 15946 specifies public-key cryptographic techniques based on elliptic curves. They include theestablishment of keys for secret-key systems, and digital signature mechanisms.This part of ISO/IEC 15946 describes mechanisms for digital signatures. The mathematical background andgeneral techniques
34、 necessary for implementing the mechanisms are described in part 1 of ISO/IEC 15946.The scope of this part of ISO/IEC 15946 is restricted to cryptographic techniques based on elliptic curves definedover finite fields of prime power order (including the special cases of prime order and characteristic
35、 two). Therepresentation of elements of the underlying finite field (i.e. which basis is used) is outside the scope of this part ofISO/IEC 15946.This part of ISO/IEC 15946 does not fully specify the implementation of the techniques it defines. Thus, additionalspecification may be required to ensure
36、the compatibility of products complying with this part of ISO/IEC 15946.2 Normative referencesThe following normative documents contain provisions which, through reference in this text, constitute provisions ofthis part of ISO/IEC 15946. For dated references, subsequent amendments to, or revisions o
37、f, any of thesepublications do not apply. However, parties to agreements based on this part of ISO/IEC 15946 are encouraged toinvestigate the possibility of applying the most recent editions of the normative documents indicated below. Forundated references, the latest edition of the normative docume
38、nt referred to applies. Members of ISO and IECmaintain registers of currently valid International Standards.ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functionsISO/IEC 15946-1, Information technology Security techniques Cryptographic techniques based on ellipticcurves
39、 Part 1: General3 Symbols and abbreviated termsFor the purposes of this part of ISO/IEC 15946, the symbols, terms and definitions described in ISO/IEC 15946-1apply. In addition, the following terms and symbols are used.3.1 Terms and definitions3.1.1 domain parameterISO/IEC14888-1 A data item which i
40、s common to and known by or accessible to all entities within the domain.NOTE The set of domain parameters may contain data items such as hash-function identifier, elliptic curve parameters, orother parameters specifying the security policy in the domain.ISO/IEC 15946-2:2002(E)2 ISO/IEC 2002 All rig
41、hts reserved3.1.2 hash-codeISO/IEC 10118-1 The string of bits which is the output of a hash-function.3.1.3 hash-functionISO/IEC 10118-1 A function which maps strings of bits to fixed-length strings of bits, satisfying the following twoproperties: for a given output, it is computationally infeasible
42、to find an input which maps to this output; and for a given input, it is computationally infeasible to find a second input which maps to the same output.NOTE Computational feasibility depends on the specific security requirements and environment.3.1.4 messageISO/IEC 9796-1 A string of bits of any le
43、ngth.3.1.5 randomizerISO/IEC 14888-1 A secret data item produced by the signing entity in the pre-signature production process, andnot predictable by other entities.3.1.6 signatureISO/IEC 9796-1 The string of bits resulting from the signature process.3.1.7 signature keyISO/IEC 14888-1 A secret data
44、item specific to an entity and usable only by this entity in the signature process.3.1.8 signature processISO/IEC 14888-1 A process which takes as inputs the message, the signature key and the domain parameters,and which gives as output the signature.3.1.9 verification keyISO/IEC 14888-1 A data item
45、 which is mathematically related to an entitys signature key and which is used by theverifier in the verification process.3.1.10 verification processISO/IEC 14888-1 A process which takes as input the signed message, the verification key and the domainparameters, and which gives as output the result
46、of the signature verification: valid or invalid.3.2 Symbols and notationIn addition to the symbols and notation defined in ISO/IEC 15946-1, the following symbols and notation are used inthis part of ISO/IEC 15946:Cert_Data certification datae, e hash code and recovered hash code respectivelyk random
47、izerm positive integer(r,s) , (r,s) signature and received signature respectivelyM, M message and received message respectivelylenxlength in bits of xh() hash functionISO/IEC 15946-2:2002(E) ISO/IEC 2002 All rights reserved 34 General Model for Digital Signatures with AppendixThis part of ISO/IEC 15
48、946 describes signature schemes based on the one way property of discrete exponentiationon elliptic curves defined over some finite prime field F(p), some finite field F(2m) or some finite extension field ofF(p).A digital signature scheme is defined by the specification of the following processes: P
49、arameter generation process; Signature generation process; Signature verification process.4.1 Parameter Generation ProcessThe parameters can be divided into domain parameters and user parameters.4.1.1 Domain ParametersThe domain parameters consist of parameters to define a finite field, parameters to define an elliptic curve over thefinite field, and other public information which is common to and known by or accessible to all entities within thedomain. As well as the domain par
