ISO/IEC 14888-3:2016/DAmd 1 (Amendment): SM2 digital signature mechanism
Standards Content (sample)
DRAFT AMENDMENT
ISO/IEC 14888-3:2016 DAM 1
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2017-07-20
Voting terminates on: 2017-10-11
Information technology — Security techniques — Digital signatures with appendix —
Part 3: Discrete logarithm based mechanisms
AMENDMENT 1: SM2 digital signature mechanism
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
Reference number ISO/IEC 14888-3:2016/DAM 1:2017(E)
© ISO/IEC 2017
ISO/IEC 14888-3:2016/DAM 1:2017(E) © ISO/IEC 2017 – All rights reserved
ISO/IEC JTC 1/SC 27 N17467
Date: 2017-05-17
ISO/IEC 14888-3:2016/FPDAM 1:2017(E)
ISO/IEC JTC 1/SC 27/WG 2
Secretariat: DIN
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Amendment 1: SM2 + Chinese IBS + KR Defect report
Warning
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Document type: International Standard
Document subtype: Amendment
Document stage: (40) Enquiry
Document language: E
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC XXX.

This second/third/... edition cancels and replaces the first/second/... edition (), [clause(s) / subclause(s) / table(s) / figure(s) / annex(es)] of which [has / have] been technically revised.

ISO XXXX consists of the following parts. [Add information as necessary.]
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms
— Amendment 1: SM2 + Chinese IBS + KR Defect report
AA: Page 3, Clause 4:
Change the following paragraph:
ID a data string containing an identifier of the signer, used in Mechanisms IBS-1 and IBS-2
to:
ID a data string containing an identifier of the signer, used in Mechanisms SM2, IBS-1, IBS-2 and Chinese IBS
BB: Page 4, Clause 4:
Change the following paragraph:
P a generator of G which is used in Mechanisms IBS-1 and IBS-2
to:
P a generator of G1 which is used in Mechanisms IBS-1, IBS-2 and Chinese IBS.
CC: Page 7, 5.2.1:
Change the following sentence of paragraph 2:
given that (A, B, C) is a permutation of (S, T1, T2),
to:
given that (A, B, C) is a permutation of (S, T1, T2) or (S, T1, S + T2),
DD: Page 7, 5.2.1:
Change the following sentence of paragraph 4:
Given that (A, B, C) is a permutation of (S, T1, T2), U is the master private key and D is a parameter depending on the particular mechanism.
to:
Given that (A, B, C) is a permutation of (S, T1, T2) or (S, T1, [Y^-1]S + T2), U is the master private key, Y is the public verification key and D is a parameter depending on the particular mechanism.
EE: Page 8, 5.2.4:
Change the following sentence:
In the process of preparing the message, one of M1 and M2 becomes message M, the other becomes empty.
to:
In the process of preparing the message, one of M1 and M2 becomes message M (with a prefix, optionally), the other becomes empty.
FF: Page 12, 6.1:
Change the first sentence of paragraph 1:
Clause 6 specifies ten certificate-based mechanisms.
to:
Clause 6 specifies eleven certificate-based mechanisms.
GG: Page 12, 6.1:
Change the last sentence of paragraph 1:
The mechanisms using arithmetic in the additive group of elliptic curve points are the Elliptic Curve DSA (EC-DSA), the Elliptic Curve KCDSA (EC-KCDSA), the Elliptic Curve German Digital Signature Algorithm (EC-GDSA), the Elliptic Curve Russian Digital Signature Algorithm (EC-RDSA), the Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA), and the Elliptic Curve Full Schnorr Digital Signature Algorithm (EC-FDSA).
to:
The mechanisms using arithmetic in the additive group of elliptic curve points are the Elliptic Curve DSA (EC-DSA), the Elliptic Curve KCDSA (EC-KCDSA), the Elliptic Curve German Digital Signature Algorithm (EC-GDSA), the Elliptic Curve Russian Digital Signature Algorithm (EC-RDSA), the Elliptic Curve Schnorr Digital Signature Algorithm (EC-SDSA), the Elliptic Curve Full Schnorr Digital Signature Algorithm (EC-FSDSA) and the SM2 algorithm.
HH: Page 12, 6.1:
Change the last sentence of paragraph 2:
Elliptic curves for EC-DSA, EC-KCDSA, EC-GDSA, EC-RDSA, EC-SDSA and EC-FSDSA are restricted to non-singular and non-supersingular curves.
to:
Elliptic curves for EC-DSA, EC-KCDSA, EC-GDSA, EC-RDSA, EC-SDSA, EC-FSDSA and SM2 are restricted to non-singular and non-supersingular curves.
II: Page 39, After 6.11.5.7:
Add the following new 6.12 thru 6.12.5.7 after 6.11.5.7:
6.12 SM2
6.12.1 Introduction
The SM2 algorithm is a signature mechanism based on elliptic curves with verification key Y = [X]G; that is, the parameter D is equal to 1. The message is prepared such that M1 is the concatenation of the hash-code Z and the message M to be signed, where Z is the hash-code of a message that is the concatenation of the length of ID (the identifier of the signing entity), the value of ID, a1, a2, the x-coordinate of G, the y-coordinate of G, the x-coordinate of Y and the y-coordinate of Y, i.e., M1 = Z||M, and M2 is empty. The witness function is defined by the formula
R = (BS2I(γ, h(M1)) + FE2I(r, ∏X)) mod q.
The conversion rules, BS2I and FE2I, are given in Annex B.
The assignment function is defined by the formula
(T1, T2) = (-1, R).
The coefficients (A, B, C) of the SM2 signature equation are set as follows:
(A, B, C) = (T1, S + T2, S).
Thus the signature equation becomes
-K + (R + S)X + S ≡ 0 (mod q).
NOTE The SM2 signature mechanism is taken from [42]. The notation here has been changed from [42] to conform with the notation used in ISO/IEC 14888-3.
6.12.2 Parameters
F a finite field
E an elliptic curve group over field F
# E the cardinality of E
q a prime divisor of # E
G a point on the elliptic curve of order q
Hash-function identifier or OID with specified hash-function
All these parameters can be public and can be common to a group of users.
NOTE It is recommended that all users check the proper generation of the public parameters.
6.12.3 Generation of signature key and verification key
The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0 < X < q - 1, so that 1 + X is invertible modulo q. The verification key is Y = [X]G.
A user's secret signature key X and public verification key Y are normally fixed for a period of time. The signature key X shall be kept secret.
6.12.4 Signature process
6.12.4.1 Producing the randomizer
The signing entity generates a random or pseudo-random integer K such that 0 < K < q.
6.12.4.2 Producing the pre-signature
The input to this stage is the randomizer K, and the signing entity computes ∏ = [K]G.
6.12.4.3 Preparing message for signing
Let entlen be the bit-length of a distinguishing identifier ID of the signing entity. Let ENTL be the two-byte string transformed from the integer entlen, i.e., ENTL = I2BS(16, entlen). Then Z is computed as follows:
Z = h(ENTL || ID || FE2BS(r, a1) || FE2BS(r, a2) || FE2BS(r, GX) || FE2BS(r, GY) || FE2BS(r, YX) || FE2BS(r, YY)).
The message is prepared such that M1 is the concatenation of the hash-code Z and the message M to be signed, i.e., M1 = Z||M and M2 is empty.
The conversion rules, I2BS and FE2BS, are given in Annex B.
6.12.4.4 Computing the witness
The signing entity computes H = h(M1), and then computes R = (BS2I(γ, H) + FE2I(r, ∏X)) mod q.
6.12.4.5 Computing the assignment
The signing entity computes the assignment (T1, T2) = (-1, R).
6.12.4.6 Computing the second part of the signature
The signature is (R, S) where R is computed in 6.12.4.4, and
S = ((1 + X)^-1 (K - RX)) mod q.
It is required to check whether R = 0, R + K = q, or S = 0. If one of R = 0, R + K = q, or S = 0 holds, a new value of K should be generated and the signature should be recalculated.
NOTE 1 It is extremely unlikely that R = 0, R + K = q, or S = 0 if signatures are generated properly.
NOTE 2 It is easy to see that R + S = (1 + X)^-1 (R + K) mod q. In view of 0 < R < q and 0 < K < q, R + S ≡ 0 (mod q) holds exactly when R + K = q, so the check above ensures that the value W = (R + S) mod q computed by the verifier in 6.12.5.5 is non-zero.
6.12.4.7 Constructing the appendix
The appendix is the concatenation of (R, S) and an optional text field, text, i.e., ((R, S), text).
6.12.4.8 Constructing the signed message
A signed message is the concatenation of the message, M, and the appendix, i.e.,
M||((R, S), text)
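The signature process above, together with the verification process of 6.12.5 that follows, as a runnable example. This is an added example, not code from the amendment or from [42]. It assumes the 192-bit prime-field curve quoted in F.6.6.1 of this amendment (the amendment fixes no curve for SM2) and uses SHA-256 as the hash h selected by the OID parameter of 6.12.2; SM2 as deployed uses SM3, which the Python standard library does not ship. The identifier and message are constructed inputs. Integer arithmetic here is not constant time, so it serves to understand the mechanism, not to deploy it.

```python
"""SM2 signature generation (6.12.4) and verification (6.12.5) in the notation
of this amendment.  Added example, not code from the standard.  Assumptions:
curve = the 192-bit prime-field curve of F.6.6.1; h = SHA-256 standing in for
the hash chosen by the OID parameter of 6.12.2.  Not constant time."""
import hashlib
import secrets

# Domain parameters (values from F.6.6.1), names as in 6.12.2 and 6.12.4.3.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF   # field prime
A1 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC  # coefficient a1
A2 = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1  # coefficient a2
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831   # prime order of G
R_BYTES = (P.bit_length() + 7) // 8   # FE2BS(r, .) output length (r = 192 bits)
INF = None                            # point at infinity


def hash_fn(data: bytes) -> bytes:
    """h: SHA-256 here (assumption; SM2 itself is specified with SM3)."""
    return hashlib.sha256(data).digest()


def on_curve(pt) -> bool:
    """y^2 = x^3 + a1*x + a2 over F_P; INF is never a valid public key."""
    if pt is INF:
        return False
    x, y = pt
    return (y * y - (x * x * x + A1 * x + A2)) % P == 0


def ec_add(p1, p2):
    """Affine addition and doubling on the curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1 (also covers y == 0)
            return INF
        lam = (3 * x1 * x1 + A1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    """[k]pt by double-and-add (not constant time)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def fe2bs(fe: int) -> bytes:
    return fe.to_bytes(R_BYTES, "big")


def compute_z(ident: bytes, Y) -> bytes:
    """Z of 6.12.4.3: h(ENTL || ID || a1 || a2 || GX || GY || YX || YY)."""
    entl = (8 * len(ident)).to_bytes(2, "big")     # ENTL = I2BS(16, entlen)
    return hash_fn(entl + ident + fe2bs(A1) + fe2bs(A2)
                   + fe2bs(G[0]) + fe2bs(G[1]) + fe2bs(Y[0]) + fe2bs(Y[1]))


def keygen(x=None):
    """6.12.3: X in [1, q-2] so that 1 + X is invertible mod q; Y = [X]G."""
    if x is None:
        x = secrets.randbelow(Q - 2) + 1
    if not 0 < x < Q - 1:
        raise ValueError("signature key out of range")
    return x, ec_mul(x, G)


def sign(x: int, Y, ident: bytes, msg: bytes, k=None):
    """6.12.4: returns (R, S).  Fix k only to reproduce test data."""
    e = int.from_bytes(hash_fn(compute_z(ident, Y) + msg), "big")  # BS2I(γ, h(M1))
    while True:
        kk = secrets.randbelow(Q - 1) + 1 if k is None else k       # 0 < K < q
        pi = ec_mul(kk, G)                                          # ∏ = [K]G
        r = (e + pi[0]) % Q                                         # 6.12.4.4
        s = pow(1 + x, -1, Q) * (kk - r * x) % Q                    # 6.12.4.6
        if r == 0 or r + kk == Q or s == 0:                         # retry cases
            if k is not None:
                raise ValueError("fixed K gives a degenerate signature")
            continue
        return r, s


def verify(Y, ident: bytes, msg: bytes, sig) -> bool:
    """6.12.5, plus public-key validation (cofactor 1, so on-curve suffices)."""
    r, s = sig
    if not on_curve(Y):
        return False
    if not (0 < r < Q and 0 < s < Q):            # 6.12.5.2
        return False
    w = (r + s) % Q                              # W = (T2 + S) mod q
    if w == 0:                                   # 6.12.5.5
        return False
    pi = ec_add(ec_mul(s, G), ec_mul(w, Y))      # ∏' = [S]G + [W]Y
    if pi is INF:                                # added guard: no x-coordinate
        return False
    e = int.from_bytes(hash_fn(compute_z(ident, Y) + msg), "big")
    return (e + pi[0]) % Q == r                  # R' = R, 6.12.5.7


if __name__ == "__main__":
    x, Y = keygen()
    ident, msg = b"ALICE123@EXAMPLE.COM", b"message digest"   # constructed inputs
    sig = sign(x, Y, ident, msg)
    print(verify(Y, ident, msg, sig), verify(Y, b"BOB456@EXAMPLE.COM", msg, sig))
```

Two points the prose does not make explicit are visible here: the verifier never needs the signer's K, and yet W = R + S must be non-zero, which is exactly what the signer's R + K = q check guarantees (NOTE 2 of 6.12.4.6); and because Z binds the curve parameters and the public key into M1, a signature verifies only under the ID and Y it was produced for, so key substitution changes Z and fails at 6.12.5.7. Readers who want to exercise the scalar multiplication against the page can compare ec_mul(K, G) with ∏ of F.6.6.3.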
6.12.5 Verification process
6.12.5.1 General
The verifying entity acquires the necessary data items required for the verification process.
6.12.5.2 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier then first checks that 0 < R < q and 0 < S < q; if either condition is violated, the signature shall be rejected.
6.12.5.3 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M1 and M2. M1 = Z||M, where Z = h(ENTL || ID || FE2BS(r, a1) || FE2BS(r, a2) || FE2BS(r, GX) || FE2BS(r, GY) || FE2BS(r, YX) || FE2BS(r, YY)), and M2 is empty.
6.12.5.4 Retrieving the assignment
The input to the assignment function consists of the witness R from 6.12.5.2. The assignment is T = (T1, T2) = (-1, R).
6.12.5.5 Recomputing the pre-signature
The inputs to this stage are the system parameters, the verification key Y, the assignment T = (T1, T2) from 6.12.5.4 and the second part of the signature S from 6.12.5.2. The verifier computes W = (T2 + S) mod q and checks whether W = 0. If W = 0 holds, the signature shall be rejected.
The verifier then obtains a recomputed value ∏' of the pre-signature by computing it using the formula
∏' = [S]G + [W]Y.
6.12.5.6 Recomputing the witness
The computations at this stage are the same as in 6.12.4.4. The verifier executes the witness function. The inputs are ∏' from 6.12.5.5 and M1 from 6.12.5.3. The output is the recomputed witness R'.
6.12.5.7 Verifying the witness
The verifier compares the recomputed witness R' from 6.12.5.6 to the retrieved version of R from 6.12.5.2. If R' = R, then the signature is verified.
JJ: Page 40, 7.1:
Change the first sentence of paragraph 1:
Clause 7 specifies two identity-based mechanisms that are based on pairings.
to:
Clause 7 specifies three identity-based mechanisms that are based on pairings.
KK: Page 45, After 7.3.5.7:
Add the following new 7.4 thru 7.4.5.7 after 7.3.5.7:
7.4 Chinese IBS
7.4.1 Introduction
The Chinese IBS algorithm is an identity-based signature scheme on an additive group of elliptic curve points. It takes
(A, B, C) = (T1, S, [Y^-1]S + T2),
where T1 = [-Y^-1]P, T2 = [Y^-1 R]P, D = -1. Thus the signature equation becomes
[-K Y^-1]P + [U^-1]S + [Y^-1]S + [Y^-1 R]P ≡ 0 (in G1).
NOTE The Chinese IBS signature mechanism is taken from [44]. The notation here has been changed from [44] to conform with the notation used in ISO/IEC 14888-3.
7.4.2 Parameters
The signature mechanism takes place in an environment where the entities involved share the following parameters, which have been defined in Clause 4: G1, G2, P, Q, q, the pairing < , >, and h.
Given a hash function h with output bit length v, a non-negative integer n with bit-length bn, and a bit string Z, the function h_i(Z, n) for i = 1, 2 is defined as follows:
---------------------- Page: 9 ----------------------
ISO/IEC 14888-3:2016/FPDAM 1:2017(E)
1. Set a 32-bit counter ct1= 0x00000001, and let hlen=8⌈(5 bn)/32⌉, where ⌈z⌉ denotes the smallest
integer no less than z.2. For j = 1 to ⌈hlen /v⌉, let Haj = h(0x0i ||Z||ctj) and then set ctj+1=ctj +1.
3. Set Ha as the first hlen bits of Ha || Ha || ··· || Ha .
1 2 ⌈hlen /v⌉
4. Output (BS2I (Ha) mod (n-1))+1.
NOTE It is recommended that all users check the proper generation of the public parameters.
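The four steps of h_i(Z, n) above, as they are later used for Y = h_1(ID||hid, q) in 7.4.3 and for the witness R = h_2(..., q) in 7.4.4.4, written out as an added example (not code from the amendment or from [44]). It assumes h is SHA-256 (so v = 256) and that hid is a single byte appended to ID; the identities and modulus used in the usage below are constructed.

```python
"""h_1 and h_2 of 7.4.2: hash a bit string to an integer in [1, n-1].
Added example, not code from the amendment.  Assumptions: h = SHA-256
(v = 256); hid is one byte, so ID||hid is the identity followed by it."""
import hashlib
import math


def hlen_bits(bn: int) -> int:
    """hlen = 8 * ceil(5*bn / 32), step 1.  Hashing to about 5/4 of the bit
    length of n before reducing mod (n - 1) keeps the bias of the reduced
    value below roughly 2^-(bn/4), which a plain 'h mod (n-1)' would not."""
    return 8 * math.ceil(5 * bn / 32)


def h_i(i: int, z: bytes, n: int, h=hashlib.sha256) -> int:
    """Steps 1-4 of 7.4.2; output lies in [1, n - 1]."""
    if i not in (1, 2):
        raise ValueError("only h_1 and h_2 are defined")
    v = 8 * h().digest_size                  # output bit length of h
    hlen = hlen_bits(n.bit_length())         # step 1, bn = bit length of n
    ct = 1                                   # 32-bit counter ct_1 = 0x00000001
    ha = b""
    for _ in range(math.ceil(hlen / v)):     # step 2
        ha += h(bytes([i]) + z + ct.to_bytes(4, "big")).digest()  # h(0x0i||Z||ct_j)
        ct += 1
    ha = ha[: hlen // 8]                     # step 3: first hlen bits (multiple of 8)
    return int.from_bytes(ha, "big") % (n - 1) + 1    # step 4


def h1(ident: bytes, hid: int, q: int) -> int:
    """Y = h_1(ID || hid, q) of 7.4.3: the verification key of an identity."""
    return h_i(1, ident + bytes([hid]), q)


def h2(m1: bytes, pi_bytes: bytes, q: int) -> int:
    """R = h_2(M1 || FE2BS(r, ∏a) || FE2BS(r, ∏b), q) of 7.4.4.4, given the
    pre-signature coordinates already serialized by FE2BS."""
    return h_i(2, m1 + pi_bytes, q)


if __name__ == "__main__":
    q = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831   # 192-bit prime from F.6.6.1, as a stand-in for q
    print(hex(h1(b"Alice@example.com", 1, q)))             # constructed identity, hid = 1
```

The "+1" in step 4 matters for the key derivation of 7.4.3: Y is never 0, so [Y]Q in the verifier's recomputed pre-signature is never the identity, and the domain separator byte 0x01/0x02 keeps h_1 outputs (keys) and h_2 outputs (witnesses) from colliding on the same input string.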
7.4.3 Generation of master key and signature/verification key
A master key pair of a KGC is (U, V), where U is the master private key generated by choosing an integer such that 0 < U < q at random, and V is the master public key generated by computing V = [U]Q. The KGC publishes V and keeps U secret.
A signature and verification key pair of a signer is (X, Y), where Y is the public verification key generated from an identity string ID, an identifier of the private key generation function hid, and the function h_1, i.e., Y = h_1(ID||hid, q), and X is the private signature key generated by computing X = [U(U + Y)^-1]P, which is done by the KGC and given to the signer. If U + Y mod q = 0, the KGC generates another master key pair, publishes the master public key and updates the private signature keys.
7.4.4 Signature process
7.4.4.1 Producing the randomizer
The signing entity generates a random or pseudo-random integer K such that 0 < K < q. The signer keeps the value K secret.
7.4.4.2 Producing the pre-signature
The signer takes K, P and V as input to produce the pre-signature result
∏ = <P, V>^K.
NOTE The pairing can be pre-computed.
7.4.4.3 Preparing message for signing
The signer prepares the message such that M2 is empty and M1 is the signed message M, i.e., M1 = M.
7.4.4.4 Computing the witness
Let ∏ = (∏a, ∏b). The signer applies the function h_2 to the concatenation of M1, FE2BS(r, ∏a) and FE2BS(r, ∏b) to obtain the witness
R = h_2(M1 || FE2BS(r, ∏a) || FE2BS(r, ∏b), q).
If K - R mod q = 0, a new value of K should be generated and the signature should be recalculated.
For fields of higher extension degree, more terms will appear in the value to be hashed. For example, for extension degree 3, ∏ = (∏a, ∏b, ∏c) and the input to h_2 would be M1 || FE2BS(r, ∏a) || FE2BS(r, ∏b) || FE2BS(r, ∏c).
7.4.4.5 Computing the assignment
The assignment is T = (T1, T2) = ([-Y^-1]P, [Y^-1 R]P). However, it is not necessary for the signer to compute the assignment.
7.4.4.6 Computing the second part of the signature
The signer computes the second part of the signature as
S = [K - R]X.
The signature is Σ = (R, S).
7.4.4.7 Constructing the appendix
The signer constructs the appendix that is the concatenation of (R, S) and an optional text field, text, i.e., ((R, S), text).
7.4.4.8 Constructing the signed message
A signed message is the concatenation of the message, M, and the appendix, i.e., M || ((R, S), text).
7.4.5 Verification process
7.4.5.1 General
The verifier first acquires the necessary data items required for the verification process.
7.4.5.2 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix.
The verifier then checks whether R ∈ [1, q - 1] and S ∈ G1 hold; if either condition is violated the signature shall be rejected. Otherwise the verifier carries out the following steps.
7.4.5.3 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M1 and M2 such that M2 is empty and M1 is equal to M.
7.4.5.4 Retrieving the assignment
The assignment is T = (T1, T2) where T1 = [-Y^-1]P and T2 = [Y^-1 R]P. However, it is not necessary for the verifier to compute the assignment.
7.4.5.5 Recomputing the pre-signature
The verifier recomputes the pre-signature value
∏' = <S, [Y]Q + V> ∗ <P, V>^R.
NOTE The pairing can be pre-computed.
7.4.5.6 Recomputing the witness
The verifier recomputes the witness
R' = h_2(M1 || FE2BS(r, ∏'a) || FE2BS(r, ∏'b), q).
For fields of higher extension degree, more terms will appear in the value to be hashed. For example, for extension degree 3, ∏' = (∏'a, ∏'b, ∏'c) and the input to h_2 would be M1 || FE2BS(r, ∏'a) || FE2BS(r, ∏'b) || FE2BS(r, ∏'c).
7.4.5.7 Verifying the witness
The verifier checks whether R' = R holds. If it holds, the signature is verified; otherwise, it is invalid.
LL: Page 46, Annex A:
Insert the following 2 lines after id-dswa-dl-EC-SDSA-opt:
id-dswa-dl-SM2 OID ::= { id-dswa-dl sm2(14) }
id-dswa-dl-Chinese IBS OID ::= { id-dswa-dl chinese-IBS(15) }
MM: Page 72, After F.3.3.6:
Add the following new F.3.4 thru F.3.4.6 to the end of F.3.3.6:
F.3.4 Example 4: 2048-bit Prime P, 224-bit Prime Q, SHA-256 (same parameters as in F.3.3; F.3.4 is provided additionally to be consistent with [36])
F.3.4.1 General
This example uses SHA-256 as the hash-function h. The hash-code is simply the value of SHA-256.
F.3.4.2 Parameters
l = 200 (hexadecimal, i.e., 512 in decimal)
α = 2048
β = 224
P = C3159A30 CDBCC00C E2A99043 9634F7D3 FB16FEB1 2C579932
2C14F8B8 A0D9B98E 35F724BF E14C4AFC 475D78F9 3A83F8FB
4636A5DE F357BD6F B0C6245C AC4EF29C 8F7DA5E9 B39F3158
F4FD27C8 4088BCBB 6286D964 29C90E82 B7F31BF3 E76E93C6
8A3163CF B82370E2 75159D66 08F82601 013476D5 50B386CA
34736388 6DF337D7 A54DB7E9 8CC2DF0D 828C31EB C62F3BC2
3F070C89 9648E276 2B26FFED A9D88FFB F684C570 4937FEDC
03F60C10 5B69542E D40F910B 4C66FC09 1F5E1C12 47628ABC
E989B74A B0EF6F1A 14E2567F C083991E 1C846242 0BB8FBF9
B3F67B66 B02DE042 0A18D49A 6D4896D0 D1DDDBED 24EE1611
8090221F 9FE9A1E1 2194E0D2 B3C61C13
Q = BB6A5C40 316BD80E 78246E92 AC9BF881 A9EB0CB9 6C7212EB
1E46AE0D
G = 487844C0 B67465B7 18F04DBD 453342B7 49076EE1 F4226F18
1DB282E1 C51B0F29 0DAE9601 AC73ED1F 1B25ADAD D50BFB42
1E8A09FA 07689A93 E5FB52A5 F8012956 B90641F8 45C4B7E4
45CAFE2E 3284775B DD70BCE4 0EF3274E 52CBC3D5 738DA7A8
61BC46C0 A9693AA8 7E0AAE62 BD371FA0 14FFC69F 3625D5A1
FBAAAC80 D81C78A5 9BADEAE5 FDFEA922 EBC330A1 37E7699A
2790E86B DB270C21 35EAB4E0 BCD28B77 13A8B241 1534C63F
2EDF4E00 5902F6CC 1A155C29 F3EAE17F 88ACB5C6 70F5CF19
A5A54E87 6692AB82 08C4A9EF 75A29E74 F08F92AC 1A38592D
46A2557C 3A18C06E D6529B40 BC5ECFF9 715329A2 C01B4245
874250ED 515537EE 7458F898 6FF920BC
F.3.4.3 Signature key and verification key
X = B55D61EC 0114E020 EFC4C9BB 5F2F3D2E 38409E17 D3954174
6D94FF7C
Y = 0712496F CF76CE98 8BE97AC0 9F0DBBE6 2D58707A 767D608A
3301115D 479CC871 4CE3A10B EB152552 46C2623E FE50BFD2
5A83C355 551574E6 E3560E7B D1CD5E7E 8E1269A4 A6F1976C
84E8FE8E 32E55AED D548FCED CC92A6E4 E1BF2D1F 2AA30C0C
0A991C29 B2595029 F903B634 189AA70C FC429531 93016C1F
7BB6276D F3EBFAE7 C060B987 D89088A0 558FC132 27B86F7A
57DDE307 1CC022E0 39BE4B68 3858D782 F52AA730 49D508EF
994A5039 CAB5FAF2 89BDAC07 75EFBB51 EB4D5FF9 99B71D59
C4D833B5 D069202A 968F3AC3 5FA77BAF BDD9C096 0752C5DA
F783929D E2DAD916 F1159E75 A345445D 63C5B422 E0BCD2BA
D9379D14 43892ED5 D12F8285 3D51A705
F.3.4.4 Per message data
M = ASCII form of "This is a test message for KCDSA usage!" =
54 68 69 73 20 69 73 20 61 20 74 65 73 74 20 6D
65 73 73 61 67 65 20 66 6F 72 20 4B 43 44 53 41
20 75 73 61 67 65 21
K = A5C22F64 DDE15693 3AD15BCB 928D6A3B 5ACF0D7A 2302615C
E74CCAD6
Y' = C4D833B5 D069202A 968F3AC3 5FA77BAF BDD9C096 0752C5DA
F783929D E2DAD916 F1159E75 A345445D 63C5B422 E0BCD2BA
D9379D14 43892ED5 D12F8285 3D51A705
I2BS(β, BS2I(γ, h(Y'||M2)) mod 2^β) =
6B1908F3 D9E543EF 08C1C03A 185D8E22 45257F6C D1B454B7
4C2E342B
V = 38EE397D BD535F23 8BA66C32 49442FE9 FE002E63 300A9593
8EB7BDCB
F.3.4.5 Signature
R = 53F7318E 64B61CCC 8367AC08 5119A1CB BB25510F E1BEC124
C29989E0
S = B750F725 1585204C 236E4204 884166A2 6C6CF08B D281167A
5EFADD52
F.3.4.6 Verification
R' = 53F7318E 64B61CCC 8367AC08 5119A1CB BB25510F E1BEC124
C29989E0
NN: Page 86, After F.6.5.5:
Add the following new F.6.6 thru F.6.8.5 to the end of F.6.5.5:
F.6.6 Example 5: Field F_P, 192-bit Prime P, SHA-224
F.6.6.1 Parameters
The field is F_P where P is in hexadecimal
P = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF
The elliptic curve is: Y^2 = X^3 + aX + b over F_P.
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC
b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1
G= (GX, GY)
GX = 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
GY = 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811
Q = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831
F.6.6.2 Signature key and verification key
X = 1A8D598F C15BF0FD 89030B5C B1111AEB 92AE8BAF 5EA475FB
Y = (YX, YY)
YX = 62B12D60 690CDCF3 30BABAB6 E69763B4 71F994DD 702D16A5
YY = 63BF5EC0 8069705F FFF65E5C A5C0D697 16DFCB34 74373902
F.6.6.3 Per message data
M = ASCII form of “abc” = 61 62 63
h(M) = 23097D22 3405D822 8642A477 BDA255B3 2AADBCE4 BDA0B3F7
E36C9DA7
H = 23097D22 3405D822 8642A477 BDA255B3 2AADBCE4 BDA0B3F7
K = FA6DE297 46BBEB7F 8BB1E761 F85F7DFB 2983169D 82FA2F4E
∏ = (∏X, ∏Y).
∏X = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD
∏Y = 9CF9FA1C BEFEFB91 7747A3BB 29C072B9 289C2547 884FD835
F.6.6.4 Signature
R = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD
S = 6663F278 36987EED 458582D1 F443293A 5ED88849 B2FC5CD9
F.6.6.5 Verification
∏' = (∏'X,∏'Y).
∏'X = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD
∏'Y = 9CF9FA1C BEFEFB91 7747A3BB 29C072B9 289C2547 884FD835
R' = 88505238 0FF147B7 34C330C4 3D39B2C4 A89F29B0 F749FEAD
F.6.7 Example 6: Field F_2^m, m = 233, SHA-256
F.6.7.1 Parameters
The field F_2^m is represented as polynomials modulo the irreducible polynomial x^233 + x^74 + 1.
The elliptic curve is: Y^2 + XY = X^3 + aX^2 + b over F_2^m.
a = 0
b = 1
G = (GX, GY)
GX = 0172 32BA853A 7E731AF1 29F22FF4 149563A4 19C26BF5
0A4C9D6E EFAD6126
GY = 01DB 537DECE8 19B7F70F 555A67C4 27A8CD9B F18AEB9B
56E0C110 56FAE6A3
Q = 0080 00000000 00000000 00000000 00069D5B B915BCD4
6EFB1AD5 F173ABDF
F.6.7.2 Signature key and verification key
X = 8434613F 4B799B4C 26E4D7AB 8E9481B0 4B09E648 C94AFFD1
4B611A20
Y = (YX, YY)
YX = 017C 9DD766AE FBE4DE4B 15F46DB0 671DC4CA 0767ED51
ECEA9475 7D9C662E
YY = 01CD D7260848 37AE73C1 1C27D605 C6EB2D5E 31482358
780305C2 522B151B
F.6.7.3 Per message data
M = ASCII form of “abc” = 61 62 63
h(M) = BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C
B410FF61 F20015AD
H = BA 7816BF8F 01CFEA41 4140DE5D AE2223B0 0361A396
177A9CB4 10FF61F2
K = 0001 90DA60FE 3B179B96 611DB7C7 E5217C9A FF0AEE43
5782EBFB 2DFFF27F
∏ = (∏X, ∏Y).
∏X = 01BE A7231662 E6516F11 E37D59D5 00EAE71D 116E9B7B
BCE5964B 88D4CC4D
∏Y = 00C9 8F8C9A7D 65880920 C2FEBE55 2D824597 9E6D67CE
82A41EF1 BAD22FD3
F.6.7.4 Signature
R = 003E A7231662 E6516F11 E37D59D5 00D70F09 E62D64FE
6FF445C9 B479C8B0
S = 002D 72C73DA3 3A9B267F 0BEC9E6C B6BECEED 014F67D4
A3D30006 B3EBE2DC
F.6.7.5 Verification
∏' = (∏'X,∏'Y).
∏'X = 01BE A7231662 E6516F11 E37D59D5 00EAE71D 116E9B7B
BCE5964B 88D4CC4D
∏'Y = 00C9 8F8C9A7D 65880920 C2FEBE55 2D824597 9E6D67CE
82A41EF1 BAD22FD3
R' = 003E A7231662 E6516F11 E37D59D5 00D70F09 E62D64FE
6FF445C9 B479C8B0
F.6.8 Example 7: Field F_2^m, m = 283, SHA-384
F.6.8.1 Parameters
The field F_2^m is represented as polynomials modulo the irreducible polynomial x^283 + x^12 + x^7 + x^5 + 1.
The elliptic curve is: Y^2 + XY = X^3 + aX^2 + b over F_2^m.
a = 0
b = 1
G = (GX, GY)
GX = 0503213F 78CA4488 3F1A3B81 62F188E5 53CD265F 23C1567A
16876913 B0C2AC24 58492836
GY = 01CCDA38 0F1C9E31 8D90F95D 07E5426F E87E45C0 E8184698
E4596236 4E341161 77DD2259
Q = 01FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFE9AE 2ED07577
265DFF7F 94451E06 1E163C61
F.6.8.2 Signature key and verification key
X = 00069E6D 19F7E454 A83664FF 49208F60 38EAF842 E164DF42
D0F64948 FF9C94B0 14988329
Y = (YX, YY)
YX = 01B64A60 D4A36540 9635AAA2 7E1708D9 0B839AFA 2D9820E1
2B79C3AF 1094B601 0AAEF5BE
YY = 0334B5F3 0CA21756 BDE6D477 38F2458F 56FBF6BD C76FCFB8
F3E59145 5F041A95 2EE87A8E
F.6.8.3 Per message data
M = ASCII form of “abc” = 61 62 63
h(M) = CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163
1A8B605A 43FF5BED 8086072B A1E7CC23 58BAECA1 34C825A7
H = 019600EA 7E8B46BD 176B407A D3358CA0 0E4E5865 561DBDA2
C63516C0 B487FEB7 DB010C0E
K = E308 4442D66F A9A02C42 890163E5 7EE33CA1 F4583C65
BCBDE927 81C7A3C8 3E89B773
∏ = (∏X, ∏Y).
∏X = 07C973D5 8FD17A06 AA8F39D5 EC42E0A6 B992F6CC 61F157
...