1、 Reference numberISO/IEC 9796-2:2002(E)ISO/IEC 2002INTERNATIONAL STANDARD ISO/IEC9796-2Second edition2002-10-01Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanisms Technologies de linformation Techniques de scurit
2、 Schmas de signature numrique rtablissant le message Partie 2: Mcanismes bass sur une factorisation entire Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 7/7/2003Published by American National Standards Institu
3、te,25 West 43rd Street, New York, New York 10036Copyright 2003 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National S
4、tandards Institute (ANSI), and Information Technology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted t
5、o ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United States of AmericaISO/IEC 9796-2:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which
6、are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incor
7、porated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event tha
8、t a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
9、 and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii
10、ISO/IEC 2002 All rights reservedISO/IEC 9796-2:2002(E) ISO/IEC 2002 All rights reserved iiiContentssForewordvIntroductionvi1Scope.12Normative references13 Terms and definitions14Symbols and abbreviated terms.35 Converting between bit strings and integers56 Requirements .57 Model for signature and ve
11、rification processes .67.1 Signing a message.77.1.1 Overview .77.1.2 Message allocation 77.1.3 Message representative production 77.1.4 Signature production.77.2 Verifying a signature87.2.1 Overview .87.2.2 Signature opening87.2.3 Message recovery87.2.4 Message assembly.87.3 Specifying a signature s
12、cheme 88 Digital signature scheme 1 .98.1 Parameters98.1.1 Modulus length.98.1.2 Trailer field options98.1.3 Capacity 98.2 Message representative production 98.2.1 Hashing the message 98.2.2 Formatting 98.3 Message recovery109 Digital signature scheme 2 .119.1 Parameters119.1.1 Modulus length.119.1.
13、2 Salt length.119.1.3 Trailer field options119.1.4 Capacity 129.2 Message representative production 129.2.1 Hashing the message129.2.2Formatting129.3Message recovery1210 Digital signature scheme 3 .13Annex A (normative) Public key system for digital signature 14Annex B (normative) Mask generation fu
14、nction 18Annex C (informative) On hash-function identifiers and the choice of the recoverable length of themessage20Annex D (informative) Examples21Bibliography 47PageISO/IEC 9796-2:2002(E) iv ISO/IEC 2002 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (
15、the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with part
16、icular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have esta
17、blished a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint techn
18、ical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. ISO/IEC 9796-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Secur
19、ity techniques. This second edition cancels and replaces the first edition (ISO/IEC 9796-2:1997), which has been technically revised. Implementations which comply with ISO/IEC 9796-2 (1st edition), and which use a hash-code of at least 160 bits in length, will be compliant with ISO/IEC 9796-2 (2nd e
20、dition). Note, however, that implementations complying with ISO/IEC 9796-2 (1st edition) that use a hash-code of less than 160 bits in length will not be compliant with ISO/IEC 9796-2 (2nd edition). ISO/IEC 9796 consists of the following parts, under the general title Information technology Security
21、 techniques Digital signature schemes giving message recovery: Part 1: Mechanisms using redundancy Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms Further parts may follow. Annexes A and B form a normative part of this part of ISO/IEC 9796. Annexes C and D
22、are for information only. ISO/IEC 9796-2:2002(E) ISO/IEC 2002 All rights reserved vIntroductionDigital signature mechanisms can be used to provide services such as entity authentication, data originauthentication, non-repudiation, and integrity of data. A digital signature mechanism satisfies the fo
23、llowingrequirements. Given the verification key but not the signature key it shall be computationally infeasible to produce a validsignature for any message. Given the signatures produced by a signer, it shall be computationally infeasible to produce a valid signatureon a new message or to recover t
24、he signature key. It shall be computationally infeasible, even for the signer, to find two different messages with the samesignature.NOTE Computational feasibility depends on the specific security requirements and environment.Most digital signature mechanisms are based on asymmetric cryptographic te
25、chniques and involve three basicoperations. A process for generating pairs of keys, where each pair consists of a private signature key and thecorresponding public verification key. A process that uses the signature key, called the signature process. A process that uses the verification key, called
26、the verification process.There are two types of digital signature mechanisms. When, for a given signature key, two signatures produced for the same message are identical, the mechanismis said to be non-randomized (or deterministic); see ISO/IEC 14888-1. When, for a given message and signature key, e
27、ach application of the signature process produces a differentsignature, the mechanism is said to be randomized.The first and third of the three mechanisms specified in this part of ISO/IEC 9796 are deterministic (non-randomized), whereas the second of the three mechanisms specified is randomized.Dig
28、ital signature mechanisms can also be divided into the following two categories: When the whole message has to be stored and/or transmitted along with the signature, the mechanism isnamed a signature mechanism with appendix (see ISO/IEC 14888). When the whole message, or part of it, can be recovered
29、 from the signature, the mechanism is named asignature mechanism giving message recovery (see ISO/IEC 9796 (all parts).NOTE Any signature mechanism giving message recovery, for example, the mechanisms specified in ISO/IEC 9796 (allparts), can be converted to give a digital signature with appendix. T
30、his can be achieved by applying the signature mechanismto a hash-code derived as a function of the message. If this approach is employed, then all parties generating and verifyingsignatures must agree on this approach, and must also have a means of unambiguously identifying the hash-function to beus
31、ed to generate the hash-code from the message.The mechanisms specified in ISO/IEC 9796 (all parts) give either total or partial recovery, with the objective ofreducing storage and transmission overhead. If the message is short enough, then the entire message can beincluded in the signature, and reco
32、vered from the signature in the verification process. Otherwise, a part of themessage can be included in the signature, and the remainder stored and/or transmitted along with the signature.ISO/IEC 9796-2:2002(E) vi ISO/IEC 2002 All rights reservedThe mechanisms specified in this part of ISO/IEC 9796
33、 use a hash-function for hashing the entire message(possibly in more than one part). ISO/IEC 10118 specifies hash-functions for digital signatures.ISO/IEC 9796-2:2002(E) ISO/IEC 2002 All rights reserved viiPatent information The International Organization for Standardization (ISO) and the Internatio
34、nal Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 9796 may involve the use of a patent concerning the “Probabilistic signature scheme” (U.S. Patent 6,266,771 issued 2001-07-24). ISO and IEC take no position concerning the ev
35、idence, validity and scope of this patent right. The holder of this patent right has assured ISO and IEC that they are willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applications throughout the world. In this respect, the statement of the holder of th
36、is patent right is registered with ISO and IEC. Information may be obtained from: University of California Senior Licensing Officer Office of Technology Transfer 1111 Franklin Street, 5thFloor Oakland, California 94607-5200 USA Attention is drawn to the possibility that some of the elements of this
37、part of ISO/IEC 9796 may be the subject of patent rights other than that identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 9796-2:2002(E) ISO/IEC 2002 All rights reserved1Information technology Security techniques Digital signaturesche
38、mes giving message recovery Integer factorization based mechanismsPart 2:1 ScopeThis part of ISO/IEC 9796 specifies three digital signature schemes giving message recovery, two of which aredeterministic (non-randomized) and one of which is randomized. The security of all three schemes is based on th
39、edifficulty of factorizing large numbers. All three schemes can provide either total or partial message recovery.The method for key production for the three signature schemes is specified in this part of ISO/IEC 9796. However,techniques for key management and for random number generation (as require
40、d for the randomized signaturescheme), are outside the scope of this part of ISO/IEC 9796.Users of this standard are, wherever possible, recommended to adopt the second mechanism (Digital signaturescheme 2). However, in environments where generation of random variables by the signer is deemed infeas
41、ible,then Digital signature scheme 3 is recommended. Digital signature scheme 1 shall only be used in environmentswhere compatibility is required with systems implementing the first edition of this standard. However, Digitalsignature scheme 1 is only compatible with systems implementing the first ed
42、ition of this standard that use hash-codes of at least 160 bits.2 Normative referencesThe following normative documents contain provisions which, through reference in this text, constitute provisions ofthis part of ISO/IEC 9796. For dated references, subsequent amendments to, or revisions of, any of
43、 thesepublications do not apply. However, parties to agreements based on this part of ISO/IEC 9796 are encouraged toinvestigate the possibility of applying the most recent editions of the normative documents indicated below. Forundated references, the latest edition of the normative document referre
44、d to applies. Members of ISO and IECmaintain registers of currently valid International Standards.ISO/IEC 9796-3:2000, Information technology Security techniques Digital signature schemes giving messagerecovery Part 3: Discrete logarithm based mechanismsISO/IEC 9797-2, Information technology Securit
45、y techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-functionISO/IEC 9798-1:1997, Information technology Security techniques Entity authentication Part 1: GeneralISO/IEC 10118 (all parts), Information technology Security techniques Hash-functionsISO/IEC 14888 (a
46、ll parts), Information technology Security techniques Digital signatures with appendix3 Terms and definitionsFor the purposes of this part of ISO 9796, the following terms and definitions apply.3.1capacitypositive integer indicating the number of bits available within the signature for the recoverab
47、le part of the message.INTERNATIONAL STANDARD ISO/IEC 9796-2:2002(E)2 ISO/IEC 2002 All rights reserved3.2certificate domaincollection of entities using public key certificates created by a single Certification Authority (CA) or a collection ofCAs operating under a single security policy.3.3certifica
48、te domain parameterscryptographic parameters specific to a certificate domain and which are known and agreed by all members of thecertificate domain.3.4collision-resistant hash-functionhash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs w
49、hich map to the same output.ISO/IEC 10118-1: 20003.5hash-codestring of bits which is the output of a hash-function.ISO/IEC 10118-1: 20003.6hash-functionfunction which maps strings of bits to fixed-length strings of bits, satisfying the following two properties for a given output, it is computationally infeasible to find an input which maps to this output; for a given input, it is computationally infeasible to find a second input which maps to the same output.ISO/IEC 9797-
