ISO/IEC 11770-3:2015

INTERNATIONAL ISO/IEC
STANDARD 11770-3
Third edition
2015-08-01
Information technology — Security
techniques — Key management —
Part 3:
Mechanisms using asymmetric
techniques
Technologies de l’information — Techniques de sécurité — Gestion de
clés —
Partie 3: Mécanismes utilisant des techniques asymétriques
Reference number
ISO/IEC 11770-3:2015(E)
©
ISO/IEC 2015

---------------------- Page: 1 ----------------------
ISO/IEC 11770-3:2015(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 11770-3:2015(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Symbols and abbreviations . 7
5 Requirements . 9
6 Key derivation functions . 9
7 Cofactor multiplication . 9
8 Key commitment .10
9 Key confirmation .11
10 Framework for key management .12
10.1 General .12
10.2 Key agreement between two parties .12
10.3 Key agreement between three parties.12
10.4 Secret key transport .13
10.5 Public key transport .13
11 Key agreement .14
11.1 Key agreement mechanism 1.14
11.2 Key agreement mechanism 2.15
11.3 Key agreement mechanism 3.16
11.4 Key agreement mechanism 4.18
11.5 Key agreement mechanism 5.18
11.6 Key agreement mechanism 6.19
11.7 Key agreement mechanism 7.21
11.8 Key agreement mechanism 8.22
11.9 Key agreement mechanism 9.23
11.10 Key agreement mechanism 10 .24
11.11 Key agreement mechanism 11 .25
11.12 Key agreement mechanism 12 .26
12 Secret key transport .27
12.1 Secret key transport mechanism 1 .27
12.2 Secret key transport mechanism 2 .28
12.3 Secret key transport mechanism 3 .30
12.4 Secret key transport mechanism 4 .32
12.5 Secret key transport mechanism 5 .33
12.6 Secret key transport mechanism 6 .35
13 Public key transport .36
13.1 Public key transport mechanism 1 .36
13.2 Public key transport mechanism 2 .37
13.3 Public key transport mechanism 3 .38
Annex A (normative) Object identifiers .40
Annex B (informative) Properties of key establishment mechanisms .47
Annex C (informative) Examples of key derivation functions .49
Annex D (informative) Examples of key establishment mechanisms .56
Annex E (informative) Examples of elliptic curve based key establishment mechanisms.60
© ISO/IEC 2015 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 11770-3:2015(E)

Annex F (informative) Example of bilinear pairing based key establishment mechanisms .68
Annex G (informative) Secret key transport .71
Annex H (informative) Patent information .76
Bibliography .80
iv © ISO/IEC 2015 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 11770-3:2015(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Security
techniques.
This third edition cancels and replaces the second edition (ISO/IEC 11770-3:2008 with
ISO/IEC 11770-3/Cor1:2009), which has been technically revised.
ISO/IEC 11770 consists of the following parts, under the general title Information technology — Security
techniques — Key management:
— Part 1: Framework
— Part 2: Mechanisms using symmetric techniques
— Part 3: Mechanisms using asymmetric techniques
— Part 4: Mechanisms based on weak secrets
— Part 5: Group key management
— Part 6: Key derivation
Further parts may follow.
© ISO/IEC 2015 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 11770-3:2015(E)

Introduction
This part of ISO/IEC 11770 describes schemes that can be used for key agreement and schemes that can
be used for key transport.
Public key cryptosystems were first proposed in the seminal paper by Diffie and Hellman in 1976. The
security of many such cryptosystems is based on the presumed intractability of solving the discrete
logarithm problem over certain finite fields. Other public key cryptosystems such as RSA are based on
the difficulty of the integer factorization problem.
A third class of public key cryptosystems is based on elliptic curves. The security of such a public
key system depends on the difficulty of determining discrete logarithms in the group of points of an
elliptic curve. When based on a carefully chosen elliptic curve, this problem is, with current knowledge,
much harder than the factorization of integers or the computation of discrete logarithms in a finite
field of comparable size. All known general purpose algorithms for determining elliptic curve discrete
logarithms take exponential time. Thus, it is possible for elliptic curve based public key systems to
use much shorter parameters than the RSA system or the classical discrete logarithm based systems
that make use of the multiplicative group of some finite field. This yields significantly shorter digital
signatures, as well as system parameters, and allows for computations using smaller integers.
This part of ISO/IEC 11770 includes mechanisms based on the following:
— finite fields;
— elliptic curves;
— bilinear pairings.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this International
Standard may involve the use of patents.
ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.
The holders of these patent rights have assured ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statements of the holders of these patent rights are registered with ISO and IEC.
Information may be obtained from those in Annex H.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.
vi © ISO/IEC 2015 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 11770-3:2015(E)
Information technology — Security techniques — Key
management —
Part 3:
Mechanisms using asymmetric techniques
1 Scope
This part of ISO/IEC 11770 defines key management mechanisms based on asymmetric cryptographic
techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals.
a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities
A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as
the result of a data exchange between the two entities A and B. Neither of them should be able to
predetermine the value of the shared secret key.
b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities
A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one
entity A and is transferred to another entity B, suitably protected by asymmetric techniques.
c) Make an entity’s public key available to other entities via key transport. In a public key transport
mechanism, the public key of entity A shall be transferred to other entities in an authenticated way,
but not requiring secrecy.
Some of the mechanisms of this part of ISO/IEC 11770 are based on the corresponding authentication
[6]
mechanisms in ISO/IEC 9798-3.
This part of ISO/IEC 11770 does not cover certain aspects of key management, such as
— key lifecycle management,
— mechanisms to generate or validate asymmetric key pairs, and
— mechanisms to store, archive, delete, destroy, etc. keys.
While this part of ISO/IEC 11770 does not explicitly cover the distribution of an entity’s private key
(of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport
mechanisms described can be used to achieve this. A private key can in all cases be distributed with
these mechanisms where an existing, non-compromised key already exists. However, in practice the
distribution of private keys is usually a manual process that relies on technological means such as
smart cards, etc.
This part of ISO/IEC 11770 does not specify the transformations used in the key management
mechanisms.
NOTE To provide origin authentication for key management messages, it is possible to make provisions
for authenticity within the key establishment protocol or to use a public key signature system to sign the key
exchange messages.
2 Normative references
The following referenced documents, in whole or in part, are normatively referenced in this document
and are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
© ISO/IEC 2015 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 11770-3:2015(E)

ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 11770-1, Information technology — Security techniques — Key management — Part 1: Framework
ISO/IEC 15946-1, Information technology — Security techniques — Cryptographic techniques based on
elliptic curves — Part 1: General
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asymmetric cryptographic technique
cryptographic technique that uses two related transformations, a public transformation (defined by the
public key) and a private transformation (defined by the private key), and has the property that given
the public transformation, then it is computationally infeasible to derive the private transformation
Note 1 to entry: A system based on asymmetric cryptographic techniques can either be an encryption system,
a signature system, a combined encryption and signature system, or a key agreement scheme. With asymmetric
cryptographic techniques there are four elementary transformations: signature and verification for signature
systems, encryption and decryption for encryption systems. The signature and the decryption transformations
are kept private by the owning entity, whereas the corresponding verification and encryption transformations
are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions can be
achieved by only two transformations: one private transformation suffices for both signing and decrypting
messages, and one public transformation suffices for both verifying and encrypting messages. However, since this
does not conform to the principle of key separation, throughout this part of ISO/IEC 11770 the four elementary
transformations and the corresponding keys are kept separate.
3.2
asymmetric encryption system
system based on asymmetric cryptographic techniques whose public transformation is used for
encryption and whose private transformation is used for decryption
3.3
asymmetric key pair
pair of related keys where the private key defines the private transformation and the public key defines
the public transformation
3.4
certification authority
CA
centre trusted to create and assign public key certificates
3.5
collision-resistant hash-function
hash-function satisfying the following property: it is computationally infeasible to find any two distinct
inputs which map to the same output
[SOURCE: ISO/IEC 10118-1:2000, 3.2]
3.6
decryption
reversal of a corresponding encryption
[SOURCE: ISO/IEC 11770-1:2010, 2.6]
2 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 11770-3:2015(E)

3.7
digital signature
data unit appended to, or a cryptographic transformation of, a data unit that allows a recipient of the
data unit to verify the origin and integrity of the data unit and protect the sender and the recipient of
the data unit against forgery by third parties, and the sender against forgery by the recipient
3.8
distinguishing identifier
information which unambiguously distinguishes an entity
[SOURCE: ISO/IEC 11770-1:2010, 2.9]
3.9
encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e. to hide the
information content of the data
[SOURCE: ISO/IEC 11770-1:2010, 2.10]
3.10
entity authentication
corroboration that an entity is the one claimed
[SOURCE: ISO/IEC 9798-1:2010, 3.14]
3.11
entity authentication of entity A to entity B
assurance of the identity of entity A for entity B
3.12
explicit key authentication from entity A to entity B
assurance for entity B that entity A is the only other entity that is in possession of the correct key
Note 1 to entry: Implicit key authentication from entity A to entity B and key confirmation from entity A to entity
B together imply explicit key authentication from entity A to entity B.
3.13
forward secrecy with respect to entity A
property that knowledge of entity A’s long-term private key subsequent to a key agreement operation
does not enable an opponent to recompute previously derived keys
3.14
forward secrecy with respect to both entity A and entity B individually
property that knowledge of entity A’s long-term private key or knowledge of entity B’s long-term private
key subsequent to a key agreement operation does not enable an opponent to recompute previously
derived keys
Note 1 to entry: This differs from mutual forward secrecy in which knowledge of both entity A’s and entity B’s
long-term private keys do not enable recomputation of previously derived keys.
3.15
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two
properties:
— it is computationally infeasible to find for a given output, an input which maps to this output;
— it is computationally infeasible to find for a given input, a second input which maps to the same
output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
© ISO/IEC 2015 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 11770-3:2015(E)

Note 2 to entry: For the purposes of this standard all hash-functions are assumed to be collision-resistant
(see 3.5).
[SOURCE: ISO/IEC 10118-1:2000, 3.5]
3.16
implicit key authentication from entity A to entity B
assurance for entity B that entity A is the only other entity that can possibly be in possession of the
correct key
3.17
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encryption,
decryption, cryptographic check function computation, signature calculation, or signature verification)
[SOURCE: ISO/IEC 11770-1:2010, 2.12]
3.18
key agreement
process of establishing a shared secret key between entities in such a way that neither of them can
predetermine the value of that key
Note 1 to entry: By predetermine it is meant that neither entity A nor entity B can, in a computationally efficient
way, choose a smaller key space and force the computed key in the protocol to fall into that key space.
3.19
key commitment
process of committing to use specific keys in the operation of a key agreement scheme before revealing
the specified keys
3.20
key confirmation from entity A to entity B
assurance for entity B that entity A is in possession of the correct key
3.21
key control
ability to choose the key or the parameters used in the key computation
3.22
key derivation function
function that outputs one or more shared secrets, for use as keys, given shared secrets and other
mutually known parameters as input
3.23
key establishment
process of making available a shared secret key to one or more entities, where the process includes key
agreement and key transport
3.24
key token
key management message sent from one entity to another entity during the execution of a key
management mechanism
3.25
key transport
process of transferring a key from one entity to another entity, suitably protected
3.26
message authentication code
MAC
4 © ISO/IEC 2015 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 11770-3:2015(E)

string of bits which is the output of a MAC algorithm
[1]
Note 1 to entry: A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 ).
[SOURCE: ISO/IEC 9797-1:2011, 3.9]
3.27
Message Authentication Code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings
of bits, satisfying the following two properties:
— for any key and any input string, the function can be computed efficiently;
— for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to
compute the function value on any new input string, even given knowledge of a set of input strings
and corresponding function values, where the value of the ith input string might have been chosen
after observing the value of the first i – 1 function values (for integers i > 1)
Note 1 to entry: A MAC algorithm is sometimes called a cryptographic check function (see for example
[1]
ISO 7498-2 ).
Note 2 to entry: Computational feasibility depends on the user’s specific security requirements and environment.
[SOURCE: ISO/IEC 9797-1:2011, 3.10]
3.28
mutual entity authentication
entity authentication which provides both entities with assurance of each other’s identity
3.29
mutual forward secrecy
property that knowledge of both entity A’s and entity B’s long-term private keys subsequent to a key
agreement operation does not enable an opponent to recompute previously derived keys
3.30
one-way function
function with the property that it is easy to compute the output for a given input but it is computationally
infeasible to find an input which maps to a given output
3.31
prefix free representation
representation of a data element for which concatenation with any other data does not produce a valid
representation
3.32
private key
key of an entity’s asymmetric key pair that is kept private
Note 1 to entry: The security of an asymmetric system depends on the privacy of this key.
[SOURCE: ISO/IEC 11770-1:2010, 2.35]
3.33
public key
key of an entity’s asymmetric key pair which can usually be made public without compromising security
Note 1 to entry: In the case of an asymmetric signature system, the public key defines the verification
transformation. In the case of an asymmetric encryption system, the public key defines the encryption
transformation, conditional on the inclusion of randomisation elements. A key that is “publicly known” is not
necessarily globally available. The key can only be available to all members of a pre-specified group.
[SOURCE: ISO/IEC 11770-1:2010, 2.36]
© ISO/IEC 2015 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 11770-3:2015(E)

3.34
public key certificate
public key information of an entity signed by the certification authority and thereby rendered
unforgeable
3.35
public key information
information containing at least the entity’s distinguishing identifier and public key, but can include
other static information regarding the certification authority, the entity, restrictions on key usage, the
validity period, or the involved algorithms
3.36
secret key
key used with symmetric cryptographic techniques by a specified set of entities
3.37
sequence number
time variant parameter whose value is taken from a specified sequence which is non-repeating within
a certain time period
[SOURCE: ISO/IEC 11770-1:2010, 2.44]
3.38
signature system
system based on asymmetric cryptographic techn
...