1、 Reference numberISO/IEC 15946-3:2002(E)ISO/IEC 2002INTERNATIONAL STANDARD ISO/IEC15946-3First edition2002-12-01Information technology Security techniques Cryptographic techniques based on elliptic curves Part 3: Key establishment Technologies de linformation Techniques de scurit Techniques cryptogr
2、aphiques bases sur les courbes elliptiques Partie 3: tablissement de cl Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 7/7/2003Published by American National Standards Institute,25 West 43rd Street, New York, N
3、ew York 10036Copyright 2003 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Info
4、rmation Technology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washingto
5、n, DC 20005.Printed in the United States of AmericaISO/IEC 15946-3:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and i
6、nstalled on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software p
7、roducts used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is foun
8、d, please inform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission
9、 in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2002 All rights reserv
10、edISO/IEC 15946-3:2002(E)Contents1 Scope 12 Normative references 13 Terms and definitions. 24 Symbols and abbreviated terms . 45 Key derivation functions 56 Cofactor multiplication . 57 Key commitment . 68 Key agreement mechanisms 68.1 Common information. 68.2 Non-interactive key agreement of Diffie
11、-Hellman type (KANIDH). 78.2.1 Setup 78.2.2 Mechanism. 78.2.3 Properties 78.3 Key agreement of ElGamal type (KAEG) . 78.3.1 Setup 78.3.2 Mechanism 88.3.3 Properties 88.4 Key agreement of Diffie-Hellman type . 88.4.1 Setup 88.4.2 Mechanism 88.4.3 Properties 98.5 Key agreement of Diffie-Hellman type w
12、ith 2 key pairs (KADH2KP) 98.5.1 Setup 98.5.2 Mechanism. 98.5.3 Properties 108.6 Key agreement of Diffie-Hellman type with 2 signatures and key confirmation (KADH2SKC) 108.6.1 Setup 10 ISO/IEC 2002 All rights reserved iiiISO/IEC 15946-3:2002(E)8.6.2 Mechanism.108.6.3 Properties.119 Key agreement mec
13、hanisms not included in ISO/IEC 11770-3. 129.1 Common information129.2 The Full Unified Model129.2.1 Setup.129.2.2 Mechanism.129.2.3 Properties.139.3 Key agreement of MQV type with 1 pass (KAMQV1P) 139.3.1 Setup .139.3.2 Mechanism.139.3.3 Properties 149.4 Key agreement of MQV type with 2 passes (KAM
14、QV2P) 149.4.1 Setup .149.4.2 Mechanism149.4.3 Properties .1510 Key transport mechanisms.1510.1 Common information1510.2 Key transport of ElGamal type (KTEG).1510.2.1 Setup.1510.2.2 Mechanism.1610.2.3 Properties.1610.3 Key transport of ElGamal type with originator signature (KTEGOS) 1610.3.1 Setup.16
15、10.3.2 Mechanism.1710.3.3 Properties.1711 Key Confirmation .18Annex A (informative) Examples of key derivation functions.20A.1 The IEEE P1363 key derivation function20A.1.1 Preconditions.20A.1.2 Input20iv ISO/IEC 2002 All rights reserved ISO/IEC 15946-3:2002(E)A.1.3 Actions 20A.1.4 Output 20A.2 The
16、ANSI X9.42 key derivation function 20A.2.1 Prerequisites 20A.2.2 Input. 21A.2.3 Actions. 21A.2.4 Output 22A.2.5 ASN.1 syntax. 22A.3 The ANSI X9.63 key derivation function 22A.3.1 Prerequisites 23A.3.2 Input 23A.3.3 Actions 23A.3.4 Output. 23Annex B (informative) A comparison of the claimed propertie
17、s of the mechanisms in this standard 24B.1 Security Properties 24B.2 Performance Considerations . 27Bibliography . 29 ISO/IEC 2002 All rights reservedvISO/IEC 15946-3:2002(E)Forewordvi ISO/IEC 2002 All rights reserved ISO (the International Organization for Standardization) and IEC (the Internationa
18、l Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are members of ISO or IECparticipate in the development of International Standards through technical committees established by therespective organization to deal with particular fields of te
19、chnical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, inliaison with ISO and IEC, also take part in the work.International Standards are drafted in accordance with the rules given in the ISO/I
20、EC Directives, Part 3.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.Publication as an International Standard requires
21、approval by at least 75 % of the national bodies casting a vote.International Standard ISO/IEC 15946-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology, Subcommittee SC 27, IT Security techniques.ISO/IEC 15946 consists of the following parts, under the general title Inf
22、ormation technology Security techniques Cryptographic techniques based on elliptic curves: Part 1: General Part 2: Digital signatures Part 3: Key establishment Part 4: Digital signatures giving message recoveryAnnexes A and B of this part of ISO/IEC 15946 are for information only.ISO/IEC 15946-3:200
23、2(E)vii ISO/IEC 2002 All rights reservedIntroductionSome of the most interesting and potentially useful public key cryptosystems that are currently available arecryptosystems based on elliptic curves defined over finite fields. The concept of an elliptic curve based public keycryptosystem is rather
24、simple: Every elliptic curve is endowed with a binary operation “+“ under which it forms a finite abelian group. The group law on elliptic curves extends in a natural way to a “discrete exponentiation“ on the point group ofthe elliptic curve. Based on the discrete exponentiation on an elliptic curve
25、 one can easily derive elliptic curve analogues of thewell known public key schemes of Diffie-Hellman and ElGamal type.The security of such a public key system depends on the difficulty of determining discrete logarithms in the group ofpoints of an elliptic curve. This problem is - with current know
26、ledge - much harder than the factorization of integersor the computation of discrete logarithms in a finite field. Indeed, since Miller and Koblitz in 1985independently suggested the use of elliptic curves for public key cryptographic systems, no substantial progress intackling the elliptic curve di
27、screte logarithm problem has been reported. In general, only algorithms that takeexponential time are known to determine elliptic curve discrete logarithms. Thus, it is possible for elliptic curvebased public key systems to use much shorter parameters than the RSA system or the classical discrete lo
28、garithmbased systems that make use of the multiplicative group of some finite field. This yields significantly shorter digitalsignatures and system parameters and allows for computations using smaller integers.This part of ISO/IEC 15946 describes schemes that can be used for key agreement and scheme
29、s that can be usedfor key transport. Where possible, the schemes are analogous to methods included in ISO/IEC 11770-3. Schemesthat are not included in ISO/IEC 11770-3 are noted as such.The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) drawat
30、tention to the fact that it is claimed that compliance with this International Standard may involve the use ofpatents.ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.The holders of these patent rights have assured ISO and IEC that they are willing to n
31、egotiate licences underreasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, thestatements of the holders of these patent rights are registered with ISO and IEC. Information may be obtained from:ISO/IEC JTC 1/SC 27 Standing Document 8 (SD 8)SD
32、8 is publicly available at:http:/www.din.de/ni/sc27Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 15946 may be the subject ofpatent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or allsuch patent right
33、s.INTERNATIONAL STANDARD ISO/IEC 15946-3:2002(E) ISO/IEC 2002 All rights reserved 1Information technology Security techniques Cryptographictechniques based on elliptic curves Part 3: Key establishment1 ScopeInternational Standard ISO/IEC 15946 specifies public key cryptographic techniques based on e
34、lliptic curves. Thestandard is split into four parts and includes the establishment of keys for secret key systems and digital signaturemechanisms.This part of ISO/IEC 15946 specifies techniques for key establishment, which includes key agreement and keytransport, that use elliptic curves.The scope
35、of this standard is restricted to cryptographic techniques based on elliptic curves defined over finitefields of prime power order (including the special cases of prime order or characteristic two). The representation ofelements of the underlying finite field is outside the scope of this standard. T
36、his standard does not fully specify theimplementation of the techniques it defines. There may be different products that comply with this InternationalStandard and yet are not compatible.2 Normative referencesThe following normative documents contain provisions which, through reference in this text,
37、 constitute provisions ofthis part of ISO/IEC 15946. For dated references, subsequent amendments to, or revisions of, any of thesepublications do not apply. However, parties to agreements based on this part of ISO/IEC 15946 are encouraged toinvestigate the possibility of applying the most recent edi
38、tions of the normative documents indicated below. Forundated references, the latest edition of the normative document referred to applies. Members of ISO and IECmaintain registers of currently valid International Standards.ISO/IEC 9796 (parts 2 and 3), Information technology Security techniques Digi
39、tal signature schemes giving message recoveryISO/IEC 9797 (all parts), Information technology Security techniques Message Authentication Codes (MACs)ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functionsISO/IEC 11770-3:1999, Information technology Security techniques Ke
40、y management Part 3:Mechanisms using asymmetric techniquesISO/IEC 14888 (all parts), Information technology Security techniques Digital signatures with appendixISO/IEC 15946-1:2001, Information technology Security techniques Cryptographic techniques based onelliptic curves Part 1: GeneralISO/IEC 159
41、46-2:2001, Information technology Security techniques Cryptographic techniques based on ellipticcurves Part 2: Digital signaturesISO/IEC 15946-3:2002(E)2 ISO/IEC 2002 All rights reserved3 Terms and definitionsFor the purposes of this part of ISO/IEC 15946, the definitions of Part 1 apply. In additio
42、n, the following definitionsfrom ISO/IEC 11770-3 apply.3.1 Asymmetric cryptographic technique: a cryptographic technique that uses two related transformations, apublic transformation (defined by the public key) and a private transformation (defined by the private key). The twotransformations have th
43、e property that, given the public transformation, it is computationally infeasible to derive theprivate transformation.3.2 Asymmetric encipherment system: a system based on asymmetric cryptographic techniques whose publictransformation is used for encipherment and whose private transformation is use
44、d for decipherment.3.3 Asymmetric key pair: a pair of related keys where the private key defines the private transformation and thepublic key defines the public transformation.3.4 Signature system: a system based on asymmetric cryptographic techniques whose private transformation isused for signing
45、and whose public transformation is used for verification.3.5 Cryptographic check function: a cryptographic transformation which takes as input a secret key and anarbitrary string, and which gives a cryptographic check value as output. The computation of a correct check valuewithout knowledge of the
46、secret key shall be infeasible ISO/IEC 9798-1:1997.3.6 Cryptographic check value: information which is derived by performing a cryptographic transformation on thedata unit ISO/IEC 9798-4:1995.NOTE The cryptographic check value is the output of the cryptographic check function.3.7 Decipherment: the r
47、eversal of a corresponding encipherment ISO/IEC 11770-1:1996.3.8 Digital signature: data appended to, or a cryptographic transformation of, a data unit that allows the recipientof the data unit to prove the origin and integrity of the data unit and protect against forgery, e.g. by the recipientISO/I
48、EC 11770-1:1996.3.9 Distinguishing identifier: information which unambiguously distinguishes an entity ISO/IEC 11770-1:1996.3.10 Encipherment: the (reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e.to hide the information content of the data ISO/IEC 9798-1:19
49、97.3.11 Entity authentication: the corroboration that an entity is the one claimed ISO/IEC 9798-1:1997.3.12 Entity authentication of A to B: the assurance of the identity of entity A for entity B.3.13 Explicit key authentication from A to B: the assurance for entity B that A is the only other entity that is inpossession of the correct key.NOTE Implicit key authentication from A to B and key confir
