ISO/IEC 18033-5:2015/Amd 1:2021

INTERNATIONAL ISO/IEC
STANDARD 18033-5
First edition
2015-12-01
AMENDMENT 1
Information technology —
Security techniques — Encryption
algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Technologies de l'information — Techniques de sécurité —
Algorithmes de chiffrement —
Partie 5: Chiffrements identitaires
AMENDEMENT 1: Mécanisme SM9
PROOF/ÉPREUVE
Reference number
ISO/IEC 18033-5:2015/Amd.1:2021(E)
©
ISO/IEC 2021

---------------------- Page: 1 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see https:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 18033 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Information technology — Security techniques —
Encryption algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Introduction
Replace the second sentence of the fourth paragraph with the following:
The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based
key encapsulation mechanism, the BB1 identity-based key encapsulation mechanism and the SM9
identity-based key encapsulation mechanism and encryption mechanisms.
Insert the following sentence between the sixth and seventh paragraphs.
The content of 9.4 follows Reference [8].
4.1
Insert the following line at the end of the table:
⎾x⏋  smallest integer greater than or equal to the real number x.
5.1
Replace the first sentence with the following:
The schemes specified in this document make use of four cryptographic transformations, IHF1,
SHF1, PHF1 and IHF2 as specified below.
5.1
Add the following to the end:
Annex A lists the object identifiers which shall be used to identify the algorithms specified in this
document.
Annex B describes security considerations for each specified mechanism.
Annex C provides numerical examples.
Annex D introduces techniques which can be used to remove the decryption capability of the PKG,
and thereby reduce the level of trust required in this entity.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 1

---------------------- Page: 4 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)

5.5
Add new subclause 5.5 as follows:
5.5  The function IHF2
IHF2 is based on the key derivation function KDF2 defined in ISO/IEC 18033-2. KDF2(x, l) parameterized
by a cryptographic hash function takes an octet string x and a non-negative integer l as input, and
outputs an octet string of length l. KDF2-a(x, b) outputs the first b bits from KDF2(x, ⎾b/8⏋). IHF2 take
three items as input and outputs an integer in a specified range.
Input:
*
— A bit string str ∈ {0,1}
— A security parameter κ ∈ {128}
— A non-negative integer n with bit-length b
n
Output:
— An integer x, 0 Operation: Perform the following steps.
a) If κ = 128, KDF2 uses SM3 as the hash function.
b) Let hlen = 8⎾(5 b )/32⏋.
n
c) Compute Ha = KDF2-a(str, hlen).
d) Output (BS2IP (Ha) mod (n-1)) + 1.
7.3.1
Replace the fifth paragraph with the following:
The allowable data encapsulation mechanisms are those described in ISO/IEC 18033-2.
7.4.1
Insert new NOTE 4 at the end as follows:
NOTE 4 The third mechanism defined in 9.4 will work to encrypt messages with either DEM2 or DEM3,
which are specified in ISO/IEC 18033-2. In these DEMs, the required hash function is SM3, specified in ISO/
IEC 10118-3, and the required block cipher is described in ISO/IEC 18033-3. The required message authen-
tication code is generated by the evaluation function MA.eval(K'', MS) = SM3(MS || K''), where K'' is a secret
key which is part of the session key K, and MS is the octet string to be authenticated as specified in DEM2 and
DEM3. The label input to both DEMs is empty.
9.1
Replace the first sentence with the following:
In this clause, three identity-based key encapsulation mechanisms are specified. These mechanisms
use the following primitives.
Replace list item b) with the following:
2 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)

b)  Four hash functions:
Add new fourth list item as follows:
*
—  H : {0,1}* →Z where H (s) = IHF2(0x01 || s || 0x03, p, κ)
4 4
p

9.4
Add new Subclause 9.4 as follows:
9.4  The SM9 key encapsulation mechanism
9.4.1  Set up
The setup operation creates public system parameters and a master-secret key. This operation shall be
completed by the private key issuer, an entity which shall be trusted by its subscribers.
The steps to create public system parameters and a master-secret key are:
a) Establish the set of base groups G , G , G , and a pairing e: GG×→ G . The order of each group is p.
1 2 3
12 3
b) Select a random generator Q in G and a random generator Q in G .
1 1 2 2
*
c) Generate a random master secret s in Z . Calculate the corresponding R as sQ .
1
p
d) Pre-calculate the pairing value J = e(R, Q ).
2
e) Make the system parameters and the master-public key set params = ˂J, Q , Q , G , G , G , e, p> and
1 2 1 2 3
mpk = R available. Secure the master-secret key msk = s.
9.4.2  Private key extraction
*
The extract operation takes an arbitrary identity string ID in {0,1} and calculates the corresponding
b
private key sk in G . The algorithm to compute the private key sk corresponding to an identity string
ID 2 ID
ID is as follows:
b
Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— The master-secret key msk = s
— An identity string ID
b
Output:
— The derived private key sk , an element of G .
ID 2
Operation: Use the following steps to compute sk .
ID
a) Compute M = H (ID ).
4 b
b) If M + s = 0 mod p, output "error" and stop.
-1
c) Compute t = (M+s) s mod p.
d) Compute sk = tQ .
ID 2
e) Output sk .
ID
The correctness of the value sk can be verified by using the following algorithm:
ID
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 3

---------------------- Page: 6 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)

Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— An identity string ID
b
— The corresponding private key sk
ID
Output:
— The value "valid" if sk is consistent with params, msk and ID , and "invalid" otherwise.
ID b
Operation: Use the following steps.
a) Compute M = H (ID ).
4 b
b) Compute T = e(MQ + R, sk ).
1 ID
c) If T = J, then output the value "valid", otherwise output the value "invalid".
9.4.3  Session key encapsulation
*
The encapsulate operation (KEM.Enc) takes an arbitrary identity string ID in {0,1} and the master-
b
public key mpk = R with the system parameters parms, and outputs the pair ˂K, CT > where K is a
KEM
session key to be used to encrypt a message, and CT is the encapsulation of K to be transmitted to
KEM
the receiver.
The steps to compute the encapsulation values are:
*
a) Select a random integer r in Z .
p
b) Compute M = H (ID ).
4 b
c) Compute E = r(MQ + R).
1
r
d) Compute B = J .
e) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required
b
session key.
f) Set CT = EC2OSP(E).
KEM
g) Output .
KEM
9.4.4  Session key de-encapsulation
The de-encapsulate operation (KEM.Dec) takes an encapsulated value CT computed for identity ID
KEM b
and the private sk that corresponds to ID , and computes the key value K that can be used to decrypt
ID b
the message that was encrypted by the sender.
The steps to compute the de-encapsulation key are:
a) Parse CT as an element E = OS2ECP(CT ).
KEM KEM
b) Check whether E is in G ; if not, output "error".
1
c) Compute B = e(E, sk ).
ID
d) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required
b
session key.
e) Output K.
4 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)


Annex A
Insert the following lines after ib-enc-mechanism-bf:
ib-enc-mechanism-sm9a OID ::= { ib-enc sm9a(2) }  -- sm9 kem with DEM2 as in 7.4.1
ib-enc-mechanism-sm9b OID ::= { ib-enc sm9b(3) }  -- sm9 kem with DEM3 as in 7.4.1

Insert the following lines after ib-kem-mechanism-bb1:
ib-kem-mechanism-sm9 OID ::= { ib-kem sm9(3) }
sm9-dem-one-time-mac OID ::= { ib-kem-mechanism-sm9 one-time-mac(1) }

Insert the following lines after { OID ib-enc-mechanism-bf PARMS HashFunction }:
  |{ OID ib-enc-mechanism-sm9a PARMS HashFunction }
  |{ OID ib-enc-mechanism-sm9b PARMS HashFunction }

Insert the following line after { OID ib-kem-mechanism-bb1 PARMS HashFunction }:
  |{ OID ib-kem-mechanism-sm9 PARMS HashFunction }


Annex B
Replace the last sentence with the following:
Security analyses of the BF, SK, BB1 and SM9 mechanisms can be found in References [4], [5], [3]
and [9], respectively.

Annex C
Add new Clause C.4 as follows:
C.4  SM9 ID-based key encapsulation mechanism
C.4.1  Example 1
C.4.1.1  Set up
2 3
This example makes use of the same Barreto-Naehrig elliptic curve y = x + 5 used in
2
ISO/IEC 14888-3:2018, F.15.1. An element A in Fq is represented as A σ+A , where A and A are
0 0,1 0,0 0,0 0,1
2 2 4
elements of Fq and σ is an element of Fq such that σ + 2 = 0 mod q. Let ν be an element of Fq such that
2 2 12 3 4 12
ν - σ = 0 in Fq and ω be an element of Fq such that ω − ν = 0 in Fq , an element of Fq is represented
2 4
as Aω +Bω+C, where A, B, C are elements of Fq which are represented as A = A ν + A , B = B ν + B ,
1 0 1 0
2
C = C ν + C respectively, and A , A , B , B , C , C are elements of Fq . In this towered fashion, an element
1 0 0 1 0 1 0 1
12
of Fq is represented as a vector (A , A A , A , B , B , B , B , C , C C , C ) wi
...