# ISO/IEC 18033-5:2015


## Information technology -- Security techniques -- Encryption algorithms

ISO/IEC 18033-5:2015 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.


### Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 18033-5

First edition
2015-12-01

Information technology — Security techniques — Encryption algorithms —
Part 5: Identity-based ciphers

Technologies de l’information — Techniques de sécurité — Algorithmes de chiffrement —
Partie 5: Chiffrements identitaires

Reference number
ISO/IEC 18033-5:2015(E)

© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Symbols, abbreviated terms and conversion functions ..... 2
4.1 Symbols ..... 3
4.2 Abbreviated terms ..... 3
4.3 Conversion functions ..... 4
5 Cryptographic transforms ..... 5
5.1 General ..... 5
5.2 The function IHF1 ..... 5
5.3 The function SHF1 ..... 5
5.4 The function PHF1 ..... 6
6 General model for identity-based encryption ..... 7
6.1 Composition of algorithms ..... 7
6.2 Plaintext length ..... 7
6.3 Use of labels ..... 8
6.4 Ciphertext format ..... 8
6.5 IBE operation ..... 8
7 General model for identity-based hybrid encryption ..... 9
7.1 General ..... 9
7.2 Identity-based key encapsulation ..... 9
7.2.1 Composition of algorithms ..... 9
7.2.2 Prefix-freeness ..... 10
7.3 Data encapsulation ..... 10
7.3.1 Composition of algorithms ..... 10
7.4 Identity-based hybrid encryption operation ..... 10
7.4.1 System parameters ..... 10
7.4.2 Set up ..... 11
7.4.3 Private key extraction ..... 11
7.4.4 Encryption ..... 11
7.4.5 Decryption ..... 11
8 Identity-based encryption mechanism ..... 11
8.1 General ..... 11
8.2 The BF mechanism ..... 12
8.2.1 Set up ..... 12
8.2.2 Private key extraction ..... 12
8.2.3 Encryption ..... 13
8.2.4 Decryption ..... 14
9 Identity-based hybrid encryption mechanisms ..... 14
9.1 General ..... 14
9.2 The SK key encapsulation mechanism ..... 14
9.2.1 Set up ..... 14
9.2.2 Private key extraction ..... 15
9.2.3 Session key encapsulation ..... 16
9.2.4 Session key de-encapsulation ..... 16
9.3 The BB1 key encapsulation mechanism ..... 17
9.3.1 Set up ..... 17
9.3.2 Private key extraction ..... 17
9.3.3 Session key encapsulation ..... 18
9.3.4 Session key de-encapsulation ..... 18
Annex A (normative) Object identifiers ..... 20
Annex B (informative) Security considerations ..... 21
Annex C (informative) Numerical examples ..... 22
Annex D (informative) Mechanisms to prevent access to keys by third parties ..... 35
Bibliography ..... 36

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword — Supplementary information.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

ISO/IEC 18033 consists of the following parts, under the general title Information technology — Security techniques — Encryption algorithms:

— Part 1: General
— Part 2: Asymmetric ciphers
— Part 3: Block ciphers
— Part 4: Stream ciphers
— Part 5: Identity-based ciphers

Further parts may follow.

Annex A forms a normative part of this part of ISO/IEC 18033. Annex B, Annex C and Annex D are informative only.

Introduction

Use of a public key encryption mechanism requires reliable identification of the correct public key to be used for encryption. A public key infrastructure (PKI) provides functions to give a trusted link between an entity and its public key, and to enable the current status of the public key to be determined. In a PKI, a certification authority (CA) issues a certificate binding a public key to the owner’s identifier together with other key specific information, e.g. the validity period. If a public key is deemed to be invalid before its expiry date, then potential users of the public key need to be notified, e.g. by the issue of a CA-signed Certificate Revocation List (CRL). The generation and distribution of certificates and CRLs poses a major management problem, which the mechanisms in this part of ISO/IEC 18033 are designed to address. On encrypting, an encryptor first obtains the CRL and checks the current status of the certificate. Then the encryptor verifies the certificate, and finally encrypts a message. Therefore, the encryptor has to be provided with some means of accessing the current CRL, and additionally it should not require excessive time and computational resources for checking the validity of a certificate whenever it encrypts a message.

Identity-based encryption (IBE) is a type of asymmetric encryption that allows a decryptor to set its public key to an arbitrary string. By setting the public key to an easily identifiable string (e.g. an e-mail address), an encryptor can gain assurance in its correctness without using a certificate. Moreover, if a short validity period can be arranged, significantly shorter than the updating period of a CRL in a conventional PKI, an encryptor can generate a ciphertext without checking the current status of the public key because revocation is unlikely to occur during such a short period. As a result IBE is expected to reduce the certificate management workload.

The use of IBE requires a Private Key Generator (PKG), which generates private keys for all decryptors using its master secret key; this contrasts with ‘traditional’ asymmetric encryption mechanisms, such as those specified in ISO/IEC 18033-2, in which entities generate their own public/private key pairs. As a result, use of IBE is only appropriate when it is acceptable for a third party to have decryption access to all encrypted data.

The identity-based encryption mechanisms are specified in Clauses 8 and 9. The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based key encapsulation mechanism, and the BB1 identity-based key encapsulation mechanism.

The specifications in this part of ISO/IEC 18033 do not prescribe protocols for reliably obtaining public values, for proof of possession of a private key, or for validation of either public values or private keys.

Certain sections of Clause 5, Clause 8 and Clause 9 of this part of ISO/IEC 18033 have been reprinted with permission from [7] IEEE Std 1363.3-2013 - IEEE Standard for Identity-Based Cryptographic Techniques using Pairings. Reprinted with permission from IEEE. Copyright 2013. All rights reserved.

Annex A gives the assignment of object identifiers to the algorithms specified in this part of ISO/IEC 18033. Annex B describes security considerations for each specified mechanism and Annex C provides numerical examples. Annex D introduces techniques which can be used to remove the decryption capability of the PKG, and thereby reduce the level of trust required in this entity.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 18033 may involve the use of patents. The ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.

The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statements of the holders of these patent rights are registered with the ISO and IEC. Information may be obtained from the following:

Patent holder name: Nippon Telegraph and Telephone Corporation
Postal address: Licensing Group, Intellectual Property Center, 9-11, Midori-cho, 3-Chome Musashino-Shi, Tokyo 180-8585 Japan

Patent holder name: IBM Corporation
Postal address: IBM Intellectual Property Licensing, North Castle Drive, Armonk, NY 10504 USA

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents relevant to their standards. Users are encouraged to consult the databases for the most up to date information concerning patents.

INTERNATIONAL STANDARD ISO/IEC 18033-5:2015(E)

Information technology — Security techniques —

Encryption algorithms —

Part 5:

Identity-based ciphers

1 Scope

This part of ISO/IEC 18033 specifies identity-based encryption mechanisms. For each mechanism the

functional interface, the precise operation of the mechanism, and the ciphertext format are specified.

However, conforming systems may use alternative formats for storing and transmitting ciphertexts.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General

ISO/IEC 18033-2, Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers

ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the following apply.

3.1

decryptor

entity which decrypts ciphertexts

3.2

encryptor

entity which encrypts plaintexts

3.3

hybrid encryption

encryption performed using a hybrid cipher

3.4

identifier

object that represents something and enables one to identify it

3.5

identity string

string that represents an identity


3.6

identity-based cipher

asymmetric cipher in which the encryption algorithm takes an arbitrary string as a public key

3.7

identity-based hybrid cipher

cipher which is both a hybrid cipher and an identity-based cipher

3.8

identity-based key encapsulation mechanism

key encapsulation mechanism for which the encryption process takes an arbitrary string as a public key

3.9

master-public key

public value uniquely determined by the corresponding master-secret key

3.10

master-secret key

secret value used by the private key generator to compute private keys for an IBE algorithm

3.11

private key extraction algorithm

method used by the private key generator to compute private keys for an IBE algorithm

3.12

private key generator

entity or function which generates a set of private keys

3.13

public key encryption

encryption performed using an asymmetric cipher

3.14

string

ordered sequence of symbols

3.15

set up

process by which the system parameters for an IBE algorithm are selected

3.16

set up algorithm

process which generates a master-secret key and the corresponding master-public key, together with

some part of the system parameters

3.17

system parameters

parameters for cryptographic computation including a selection of a particular cryptographic scheme or

function from a family of cryptographic schemes or functions, or from a family of mathematical spaces

3.18

trusted third party

security authority, or its agent, trusted by other entities with respect to security related activities

4 Symbols, abbreviated terms and conversion functions

For the purposes of this part of ISO/IEC 18033, the symbols and abbreviated terms given in ISO/IEC 18033-1 and the following apply.

4.1 Symbols

[a,…,b)  the set of integers {x : a ≤ x < b}.

x ⊕ y  if x and y are bit/octet strings of the same length, the bit-wise exclusive-or (XOR) of the two strings.

(x_1, …, x_l)  a tuple of l elements.

x || y  if x and y are bit/octet strings, the concatenation of the two strings x and y, resulting in the string consisting of x followed by y.

gcd(a,b)  for integers a and b, the greatest common divisor of a and b, i.e., the largest positive integer that divides both a and b (or 0 if a = b = 0).

a | b  a relation between integers a and b that holds if and only if a divides b, i.e., there exists an integer c such that b = ac.

a ∤ b  a relation between integers a and b that holds if and only if a does not divide b, i.e., there does not exist any integer c such that b = ac.

a ≡ b (mod n)  for a non-zero integer n, a relation between integers a and b that holds if and only if a and b are congruent modulo n, i.e., n | (a − b).

a (mod n)  for integer a and positive integer n, the unique integer r ∈ [0,…,n) such that r ≡ a (mod n).

a^{-1} (mod n)  for integer a and positive integer n such that gcd(a,n) = 1, the unique integer b ∈ [0,…,n) such that ab ≡ 1 (mod n).

GF(q)  the finite field containing q elements, where q is a power of a prime.

E / GF(q)  an elliptic curve defined over the field GF(q).

E(GF(q))  the additive group of points on the elliptic curve E / GF(q).

E(GF(q))[n]  the subgroup of E(GF(q)) consisting of all points of order n.

#E(GF(q))  the number of points of an elliptic curve defined over the field GF(q).

4.2 Abbreviated terms

ciphertext, an octet string.

DEM  data encapsulation mechanism.

IBE  identity-based encryption.

IBhE  identity-based hybrid encryption.

octet string uniquely assigned to a decryptor.

binary representation of ID.

session key for DEM.

κ  security parameter.

KEM  key encapsulation mechanism.

label, an octet string.

mpk  master-public key of IBE.

Msg  plaintext, an octet string.

binary representation of Msg.

msk  master-secret key of IBE.

parms  system parameters of IBE.

PKG  private key generator.

private key corresponding to ID of IBE.

4.3 Conversion functions

The following conversion functions are given in ISO/IEC 18033-2.

BS2IP  bit string to integer conversion primitive.

BS2OSP  bit string to octet string conversion primitive.

EC2OSP  elliptic curve to octet string conversion primitive.

FE2OSP  field element to octet string conversion primitive.

FE2IP  field element to integer conversion primitive.

I2BSP  integer to bit string conversion primitive.

I2OSP  integer to octet string conversion primitive.

OS2ECP  octet string to elliptic curve conversion primitive.

OS2FEP  octet string to field element conversion primitive.

OS2IP  octet string to integer conversion primitive.

OS2BSP  octet string to bit string conversion primitive.

Oct(m)  the octet whose integer value is m.

Len(n)  the number of octets of an integer n.

5 Cryptographic transforms

5.1 General

The schemes specified in this part of ISO/IEC 18033 make use of three cryptographic transformations, IHF1, SHF1 and PHF1 as specified below. These transformations make use of hash-functions specified in ISO/IEC 10118-3.

5.2 The function IHF1

IHF1 is based on four hash-functions specified in ISO/IEC 10118-3, namely SHA-224, SHA-256, SHA-384 and SHA-512. It inputs a string of bits and outputs an integer in a specified range.

Input:

— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— An integer n, 0 < n

Output:

— An integer ν, 0 ≤ ν < n

Operation: Perform the following steps.

a) If κ = 112 then let H be SHA-224; else if κ = 128 then let H be SHA-256; else if κ = 192 then let H be SHA-384; else if κ = 256 then let H be SHA-512.

b) Let h be an all-zero bit string of length 2κ.

c) Let t = h || str.

d) Let h = H(t).

e) Let ν = BS2IP(h).

f) Let t = h || str.

g) Let h = H(t).

h) Let a = BS2IP(h).

i) Let ν = 2^{2κ}·ν + a.

j) Output ν mod n.

5.3 The function SHF1

Returns an n-bit string that is based on a cryptographic hash function applied to an input string.

Input:

— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— An integer n, n > 0

Assumptions: The string str is within the allowed range of values for inputs to the relevant hash function. The integer n has the property that n ≤ 4κ.

Output:

— A string ν ∈ {0,1}^n

Operation: Use the following steps.

— Output I2BSP(IHF1(str, 2^n, κ), n).

5.4 The function PHF1

Returns an element of an elliptic curve group E(GF(q))[p] for a supersingular elliptic curve E / GF(q): y^2 = x^3 + b or E / GF(q): y^2 = x^3 + ax. There are other types of pairing-friendly elliptic curves for which PHF1 is not suitable.

Input:

— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— A flag j taking the values 0 or 1 which defines a supersingular elliptic curve, with j = 0 representing the elliptic curve E / GF(q): y^2 = x^3 + b and j = 1 representing the elliptic curve E / GF(q): y^2 = x^3 + ax.
— A prime q with q ≡ 2 (mod 3) when j = 0 or q ≡ 3 (mod 4) when j = 1 that defines the finite field GF(q).
— An integer a, 0 < a < q
— A prime p with p | #E(GF(q)) and p^2 ∤ #E(GF(q)) for the elliptic curve E defined by the flag j

Output:

— An element of E(GF(q))[p] for the selected elliptic curve.

Operation: Use the following steps.

a) Let r = (q + 1)/p.

b) If j = 0 then perform the following steps:

   1) Let y = IHF1(str, q, κ).

   2) Let x = (y^2 − b)^{(2q−1)/3} (mod q).

   3) Let J = (x, y).

c) Else if j = 1 perform the following steps:

   1) Let x = IHF1(str, q, κ).

   2) Let z = x^3 + ax (mod q).

   3) If the Jacobi symbol (z/q) = +1 then perform the following steps:

      i) Let y = z^{(q+1)/4} (mod q).

      ii) Let J = (x, y).

   4) If the Jacobi symbol (z/q) = −1 then perform the following steps:

      i) Let y = (−z)^{(q+1)/4} (mod q).

      ii) Let J = (−x, y).

d) Return rJ.
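The three transforms of Clause 5 (IHF1 in 5.2, SHF1 in 5.3 and PHF1 in 5.4) as one added, runnable Python example. This is editor-supplied code, not the standard's text, the IEEE 1363.3 reference code, or the numerical examples of Annex C. It assumes the bit string str is octet-aligned and passed as bytes (so BS2IP is a big-endian int.from_bytes), follows the argument order IHF1(str, n, κ) used by the calls in 5.3 and 5.4, and treats the single coefficient input of 5.4 as b when j = 0 and as a when j = 1 (the page lists only a). The curve parameters q = 1019 and p = 17 are constructed toy values, far too small to be secure, chosen only because 1019 is prime with q ≡ 2 (mod 3) and q ≡ 3 (mod 4), so both supersingular curve shapes have #E = q + 1 = 1020 = 2^2·3·5·17. The code also handles the case (z/q) = 0, which the steps in 5.4 leave unspecified.

```python
import hashlib

# ISO/IEC 10118-3 hash selected by the security parameter κ (5.2, step a).
# Each digest is exactly 2κ bits long, which steps b) and i) rely on.
_HASH_FOR_KAPPA = {112: hashlib.sha224, 128: hashlib.sha256,
                   192: hashlib.sha384, 256: hashlib.sha512}


def ihf1(s: bytes, n: int, kappa: int) -> int:
    """IHF1(str, n, κ): hash an octet-aligned string (assumption) to an integer in [0, n)."""
    if n <= 0:
        raise ValueError("n must be positive")
    H = _HASH_FOR_KAPPA[kappa]
    h = bytes(2 * kappa // 8)          # b) all-zero string of 2κ bits
    h = H(h + s).digest()              # c), d) h = H(h || str)
    v = int.from_bytes(h, "big")       # e) ν = BS2IP(h)
    h = H(h + s).digest()              # f), g) chained: h = H(h || str) with the new h
    a = int.from_bytes(h, "big")       # h) a = BS2IP(h)
    v = (v << (2 * kappa)) + a         # i) ν = 2^{2κ}·ν + a, a 4κ-bit integer
    return v % n                       # j)


def shf1(s: bytes, n: int, kappa: int) -> str:
    """SHF1(str, n, κ): an n-bit string, returned as '0'/'1' text (I2BSP)."""
    if not 0 < n <= 4 * kappa:         # assumption of 5.3: n ≤ 4κ, so IHF1's 4κ bits cover it
        raise ValueError("SHF1 requires 0 < n <= 4κ")
    return format(ihf1(s, 1 << n, kappa), f"0{n}b")   # I2BSP(IHF1(str, 2^n, κ), n)


# Affine arithmetic on y^2 = x^3 + A·x + B over GF(q); None is the point at infinity.
def ec_add(P, Q, A, q):
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % q == 0:      # P == -Q, also covers doubling a point with y = 0
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)


def ec_mul(k, P, A, q):
    R = None
    while k:                                  # double-and-add
        if k & 1:
            R = ec_add(R, P, A, q)
        P = ec_add(P, P, A, q)
        k >>= 1
    return R


def on_curve(P, A, B, q) -> bool:
    if P is None:
        return True
    x, y = P
    return (y * y - x * x * x - A * x - B) % q == 0


def phf1(s: bytes, kappa: int, j: int, q: int, coef: int, p: int):
    """PHF1(str, κ, j, q, coef, p): hash a string into E(GF(q))[p].

    coef is b for j = 0 (y^2 = x^3 + b) and a for j = 1 (y^2 = x^3 + a·x); the
    j = 0 reading is this example's assumption, the page lists only a.
    """
    if (q + 1) % p != 0 or (q + 1) % (p * p) == 0:
        raise ValueError("need p | #E = q + 1 and p^2 ∤ #E")
    r = (q + 1) // p                                   # a)
    if j == 0:
        if q % 3 != 2:
            raise ValueError("j = 0 requires q ≡ 2 (mod 3)")
        y = ihf1(s, q, kappa)                          # b1)
        x = pow((y * y - coef) % q, (2 * q - 1) // 3, q)   # b2) cube root; cubing is a bijection when q ≡ 2 (mod 3)
        J, A = (x, y), 0
    else:
        if q % 4 != 3:
            raise ValueError("j = 1 requires q ≡ 3 (mod 4)")
        x = ihf1(s, q, kappa)                          # c1)
        z = (x * x * x + coef * x) % q                 # c2)
        chi = pow(z, (q - 1) // 2, q)                  # Euler criterion = Jacobi symbol (z/q) for prime q
        if chi == 1:                                   # c3) z is a square
            J = (x, pow(z, (q + 1) // 4, q))
        elif chi == q - 1:                             # c4) -z is a square, and (-x, y) lies on the curve
            J = ((-x) % q, pow((-z) % q, (q + 1) // 4, q))
        else:                                          # z == 0: not covered by 5.4; (x, 0) is the order-2 point
            J = (x, 0)
        A = coef
    return ec_mul(r, J, A, q)                          # d) r·J, whose order divides p


if __name__ == "__main__":
    ident = b"alice@example.com||2015-12"   # constructed identity string with a validity period
    print(ihf1(ident, 1019, 128), shf1(ident, 16, 128))
    for j, coef in ((0, 1), (1, 1)):
        P = phf1(ident, 128, j, 1019, coef, 17)
        print(j, P, ec_mul(17, P, coef if j else 0, 1019))   # last value is None, the identity
```

Two things worth noticing when running it: step d) multiplies by the cofactor r = (q + 1)/p, so the result always lies in E(GF(q))[p] but can be the point at infinity for some inputs (whenever the order of J divides r), which a caller should check for before using the point as a public key; and the (z/q) = 0 branch returns the order-2 point, so r·J is the identity for every such input on these curves. Production use needs curve parameters of the size the standard's Annex C and IEEE 1363.3 work with, not the toy q used here.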

6 General model for identity-based encryption

6.1 Composition of algorithms

An identity-based enc

...

DRAFT INTERNATIONAL STANDARD

ISO/IEC DIS 18033-5

ISO/IEC JTC 1/SC 27 Secretariat: DIN

Voting begins on: Voting terminates on:

2014-07-07 2014-10-07

Information technology — Security techniques —

Encryption algorithms —

Part 5:

Identity-based ciphers

Technologies de l’information — Techniques de sécurité — Algorithmes de chiffrement —

Partie 5: Chiffrements identitairesICS: 35.040

THIS DOCUMENT IS A DRAFT CIRCULATED

FOR COMMENT AND APPROVAL. IT IS

THEREFORE SUBJECT TO CHANGE AND MAY

NOT BE REFERRED TO AS AN INTERNATIONAL

STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS

BEING ACCEPTABLE FOR INDUSTRIAL,

TECHNOLOGICAL, COMMERCIAL AND

USER PURPOSES, DRAFT INTERNATIONAL

STANDARDS MAY ON OCCASION HAVE TO

BE CONSIDERED IN THE LIGHT OF THEIR

POTENTIAL TO BECOME STANDARDS TO

WHICH REFERENCE MAY BE MADE IN

Reference number

NATIONAL REGULATIONS.

ISO/IEC DIS 18033-5:2014(E)

RECIPIENTS OF THIS DRAFT ARE INVITED

TO SUBMIT, WITH THEIR COMMENTS,

NOTIFICATION OF ANY RELEVANT PATENT

RIGHTS OF WHICH THEY ARE AWARE AND TO

PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2014

Copyright notice

This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the user’s country, neither this ISO draft nor any extract from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured.

Requests for permission to reproduce should be addressed to either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Reproduction may be subject to royalty payments or a licensing agreement.

Violators may be prosecuted.

© ISO 2014 – All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Cryptographic transforms
5.1 General
5.2 The function IHF1
5.3 The function SHF1
5.4 The function PHF1
6 General model for identity-based encryption
6.1 Composition of algorithms
6.2 Plaintext length
6.3 Use of labels
6.4 Ciphertext format
6.5 IBE operation
7 General model for identity-based hybrid encryption
7.1 General
7.2 Identity-based key encapsulation
7.2.1 Composition of algorithms
7.2.2 Prefix-freeness
7.3 Data encapsulation
7.3.1 Composition of algorithms
7.4 Identity-based hybrid encryption operation
7.4.1 System parameters
7.4.2 Set up
7.4.3 Private key extraction
7.4.4 Encryption
7.4.5 Decryption
8 Identity-based encryption mechanism
8.1 General
8.2 The BF mechanism
8.2.1 Set up
8.2.2 Private key extraction
8.2.3 Encryption
8.2.4 Decryption
9 Identity-based hybrid encryption mechanisms
9.1 General
9.2 The SK key encapsulation mechanism
9.2.1 Set up
9.2.2 Private key extraction
9.2.3 Session key encapsulation
9.2.4 Session key de-encapsulation
9.3 The BB1 key encapsulation mechanism
9.3.1 Set up
9.3.2 Private key extraction
9.3.3 Session key encapsulation
9.3.4 Session key de-encapsulation
Annex A (normative) Object identifiers
Annex B (informative) Security considerations
Annex C (informative) Numerical examples
Annex D (informative) Mechanisms to prevent access to keys by third parties
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 18033-5 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

ISO/IEC 18033 consists of the following parts, under the general title Information technology ― Security techniques — Encryption algorithms:

— Part 1: General
— Part 2: Asymmetric ciphers
— Part 3: Block ciphers
— Part 4: Stream ciphers
— Part 5: Identity-based ciphers

Further parts may follow.

Introduction

Use of a public key encryption mechanism requires reliable identification of the correct public key to be used for encryption. A public key infrastructure (PKI) provides functions to give a trusted link between an entity and its public key, and to enable the current status of the public key to be determined. In a PKI, a certification authority (CA) issues a certificate binding a public key to the owner’s identifier together with other key specific information, e.g. the validity period. If a public key is deemed to be invalid before its expiry date, then potential users of the public key need to be notified, e.g. by the issue of a CA-signed Certificate Revocation List (CRL). The generation and distribution of certificates and CRLs poses a major management problem, which the mechanisms in this part of ISO/IEC 18033 are designed to address. On encrypting, an encryptor first obtains the CRL and checks the current status of the certificate. Then the encryptor verifies the certificate, and finally encrypts a message. Therefore, the encryptor has to be provided with some means of accessing the current CRL, and additionally it should not require excessive time and computational resources for checking the validity of a certificate whenever it encrypts a message.

Identity-based encryption (IBE) is a type of asymmetric encryption that allows a decryptor to set its public key to an arbitrary string. By setting the public key to an easily identifiable string (e.g. an e-mail address), an encryptor can gain assurance in its correctness without using a certificate. Moreover, if a short validity period can be arranged, significantly shorter than the updating period of a CRL in a conventional PKI, an encryptor can generate a ciphertext without checking the current status of the public key because revocation is unlikely to occur during such a short period. As a result IBE is expected to reduce the certificate management workload.

The use of IBE requires a Private Key Generator (PKG), which generates private keys for all decryptors using its master secret key; this contrasts with ‘traditional’ asymmetric encryption mechanisms, such as those specified in ISO/IEC 18033-2, in which entities generate their own public/private key pairs. As a result, use of IBE is only appropriate when it is acceptable for a third party to have decryption access to all encrypted data.

The identity-based encryption mechanisms are specified in Clause 8 and Clause 9. The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based key encapsulation mechanism and the BB1 identity-based key encapsulation mechanism.

The specifications in this part of ISO/IEC 18033 do not prescribe protocols for reliably obtaining public values, for proof of possession of a private key, or for validation of either public values or private keys.

Annex A gives the assignment of object identifiers to the algorithms specified in this part of ISO/IEC 18033. Annex B describes security considerations for each specified mechanism and Annex C provides test vectors. Annex D introduces techniques which can be used to remove the decryption capability of the PKG, and thereby reduce the level of trust required in this entity.

Information technology ― Security techniques — Encryption algorithms — Part 5: Identity-based ciphers

1 Scope

This part of ISO/IEC 18033 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.

2 Normative references

The following referenced documents are indispensable for the application of this document.

ISO/IEC 18033-1, Information technology ― Security techniques ― Encryption algorithms ― Part 1: General.
ISO/IEC 18033-2, Information technology ― Security techniques ― Encryption algorithms ― Part 2: Asymmetric ciphers.
ISO/IEC 18033-3, Information technology ― Security techniques ― Encryption algorithms ― Part 3: Block ciphers.

3 Terms and definitions

For the purposes of this part of ISO/IEC 18033, the terms and definitions given in ISO/IEC 18033-1, and the following apply.

3.1 decryptor
entity which decrypts ciphertexts

3.2 encryptor
entity which encrypts plaintexts

3.3 hybrid encryption
encryption performed using a hybrid cipher

3.4 identifier
object that represents something and enables one to identify it

3.5 identity string
string that represents an identity

3.6 identity-based cipher
asymmetric cipher in which the encryption algorithm takes an arbitrary string as a public key

3.7 identity-based hybrid cipher
cipher which is both a hybrid cipher and an identity-based cipher

3.8 identity-based key encapsulation mechanism
key encapsulation mechanism for which the encryption process takes an arbitrary string as a public key

3.9 master-public key
public value uniquely determined by the corresponding master-secret key

3.10 master-secret key
secret value used by the private key generator to compute private keys for an IBE algorithm

3.11 private key extraction algorithm
method used by the private key generator to compute private keys for an IBE algorithm

3.12 private key generator
entity or function which generates a set of private keys

3.13 public key encryption
encryption performed using an asymmetric cipher

3.14 string
ordered sequence of symbols

3.15 set up
process by which the system parameters for an IBE algorithm are selected

3.16 set up algorithm
process which generates a master-secret key and the corresponding master-public key, together with some part of the system parameters

3.17 system parameters
parameters for cryptographic computation including a selection of a particular cryptographic scheme or function from a family of cryptographic schemes or functions, or from a family of mathematical spaces

3.18 trusted third party
security authority, or its agent, trusted by other entities with respect to security related activities

4 Symbols and abbreviated terms

For the purposes of this part of ISO/IEC 18033, the symbols and abbreviated terms given in ISO/IEC 18033-1 and the following apply.

Symbols:

⌈x⌉  the smallest integer greater than or equal to the real number x.
[a, …, b)  the set of integers {x : a ≤ x < b}.
\tilde{x} ⊕ \tilde{y}  if \tilde{x} and \tilde{y} are bit/octet strings of the same length, the bit-wise exclusive-or (XOR) of the two strings.
⟨x_1, …, x_l⟩  a tuple x_1, …, x_l of elements.
\tilde{x} || \tilde{y}  if \tilde{x} and \tilde{y} are bit/octet strings, the concatenation of the two strings \tilde{x} and \tilde{y}, resulting in the string consisting of \tilde{x} followed by \tilde{y}.
gcd(a, b)  for integers a and b, the greatest common divisor of a and b, i.e., the largest positive integer that divides both a and b (or 0 if a = b = 0).
a | b  a relation between integers a and b that holds if and only if a divides b, i.e., there exists an integer c such that b = ac.
a ∤ b  a relation between integers a and b that holds if and only if a does not divide b, i.e., there does not exist any integer c such that b = ac.
a ≡ b (mod n)  for a non-zero integer n, a relation between integers a and b that holds if and only if a and b are congruent modulo n, i.e., n | (a − b).
a (mod n)  for integer a and positive integer n, the unique integer r ∈ [0, …, n) such that r ≡ a (mod n).
a^{−1} (mod n)  for integer a and positive integer n such that gcd(a, n) = 1, the unique integer b ∈ [0, …, n) such that ab ≡ 1 (mod n).
GF(q)  the finite field containing q elements, where q is a power of a prime.
E/GF(q)  an elliptic curve defined over the field GF(q).
E(GF(q))  the additive group of points on the elliptic curve E/GF(q).
E(GF(q))[n]  the subgroup of E(GF(q)) consisting of all points of order n.
#E(GF(q))  the number of points of an elliptic curve defined over the field GF(q).

Abbreviations:

CT  ciphertext, an octet string.
DEM  data encapsulation mechanism.
IBE  identity-based encryption.
IBhE  identity-based hybrid encryption.
ID  octet string uniquely assigned to a decryptor.
\tilde{ID}  binary representation of ID.
K  session key for DEM.
κ  security parameter.
KEM  key encapsulation mechanism.
L  label, an octet string.
mpk  master-public key of IBE.
Msg  plaintext, an octet string.
\tilde{Msg}  binary representation of Msg.
msk  master-secret key of IBE.
parms  system parameters of IBE.
PKG  private key generator.
sk  private key corresponding to ID of IBE.

Conversion functions (all these functions are defined in ISO/IEC 18033-2):

BS2IP  bit string to integer conversion primitive.
BS2OSP  bit string to octet string conversion primitive.
EC2OSP  elliptic curve to octet string conversion primitive.
FE2OSP  field element to octet string conversion primitive.
FE2IP  field element to integer conversion primitive.
I2BSP  integer to bit string conversion primitive.
I2OSP  integer to octet string conversion primitive.
OS2ECP  octet string to elliptic curve conversion primitive.
OS2FEP  octet string to field element conversion primitive.
OS2IP  octet string to integer conversion primitive.
OS2BSP  octet string to bit string conversion primitive.
Oct(m)  the octet whose integer value is m.
Len(n)  the number of octets of an integer n.

5 Cryptographic transforms

5.1 General

The schemes specified in this part of ISO/IEC 18033 make use of three cryptographic transformations, IHF1, SHF1 and PHF1, as specified below. These transformations make use of hash-functions specified in ISO/IEC 10118-3.

5.2 The function IHF1

IHF1 is based on four hash-functions specified in ISO/IEC 10118-3, namely SHA-224, SHA-256, SHA-384 and SHA-512. It inputs a string of bits and outputs an integer in a specified range.

Input:
A string str ∈ {0,1}^*
A security parameter κ ∈ {112, 128, 192, 256}
An integer n, 0 < n < 2^{4κ}

Output:
An integer ν, 0 ≤ ν < n.

Operation: Perform the following steps.

(a) If κ = 112 then let H be SHA-224; else if κ = 128 then let H be SHA-256; else if κ = 192 then let H be SHA-384; else if κ = 256 then let H be SHA-512.
(b) Let h_0 be an all-zero bit string of length 2κ.
(c) Let t_1 = h_0 || str.
(d) Let h_1 = H(t_1).
(e) Let ν_1 = BS2IP(h_1).
(f) Let t_2 = h_1 || str.
(g) Let h_2 = H(t_2).
(h) Let a_2 = BS2IP(h_2).
(i) Let ν_2 = 2^{2κ} ν_1 + a_2.
(j) Output ν_2 mod n.

5.3 The function SHF1

SHF1 returns an n-bit string that is based on a cryptographic hash function applied to an input string.

Input:
A string str ∈ {0,1}^*
A security parameter κ ∈ {112, 128, 192, 256}
An integer n, n > 0

Assumptions: The string str is within the allowed range of values for inputs to the relevant hash function. The integer n has the property that n ≤ 4κ.

Output:
A string ν ∈ {0,1}^n

Operation: Use the following steps.

(a) Output I2BSP(IHF1(str, 2^n, κ)).

5.4 The function PHF1

PHF1 returns an element of an elliptic curve group E(GF(q))[p] for a supersingular elliptic curve E/GF(q): y^2 = x^3 + b or E/GF(q): y^2 = x^3 + ax. There are other types of pairing-friendly elliptic curves for which PHF1 is not suitable.

Input:
A string str ∈ {0,1}^*
A security parameter κ ∈ {112, 128, 192, 256}
A flag j taking the values 0 or 1 which defines a supersingular elliptic curve, with j = 0 representing the elliptic curve E/GF(q): y^2 = x^3 + b and j = 1 representing the elliptic curve E/GF(q): y^2 = x^3 + ax.
A prime q with q ≡ 2 (mod 3) when j = 0 or q ≡ 3 (mod 4) when j = 1 that defines the finite field GF(q).
An integer a, 0 < a < q, if j = 1, or an integer b, 0 < b < q, if j = 0.
A prime p with p | #E(GF(q)) and p^2 ∤ #E(GF(q)) for the elliptic curve E defined by the flag j.

Output:
An element of E(GF(q))[p] for the selected elliptic curve.

Operation: Use the following steps.

(a) Let r = (q + 1)/p.
(b) If j = 0 then perform the following steps:
(1) Let y = IHF1(str, q, κ).
(2) Let x = (y^2 − b)^{(2q−1)/3} (mod q).
(3) Let Q = (x, y).
(c) Else if j = 1 perform the following steps:
(1) Let x = IHF1(str, q, κ).
(2) Let z = x^3 + ax (mod q).
(3) If the Jacobi symbol (z/q) = +1 then perform the following steps:
(i) Let y = z^{(q+1)/4} (mod q).
(ii) Let Q = (x, y).
(4) If the Jacobi symbol (z/q) = −1 then perform the following steps:
(i) Let y = (−z)^{(q+1)/4} (mod q).
(ii) Let Q = (−x, y).
(d) Return rQ.
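The three transforms of Clause 5, worked through in code. This is an added example, not code from the standard or from any conforming implementation: it implements IHF1, SHF1 and PHF1 as specified above, plus the minimal affine curve arithmetic needed to compute rQ and to check the result. Assumptions of the example: str is taken as an octet-aligned bit string (Python bytes); the Jacobi symbol (z/q) is computed by Euler's criterion, which is valid because q is prime; step (a) uses (q + 1)/p because both supersingular families named in 5.4 have exactly q + 1 points over GF(q); and the z = 0 case (Jacobi symbol 0), which steps (3) and (4) do not cover, is handled here by taking the 2-torsion point (x, 0), a choice made for this example only. The parameters q = 10007, p = 139 (so r = 72) and a = b = 1 are constructed toy values chosen solely because they satisfy the input conditions; they give no security, and κ here only selects the hash function.

```python
import hashlib

# IHF1 step (a): the hash function is selected by the security parameter kappa.
HASH_FOR_KAPPA = {112: "sha224", 128: "sha256", 192: "sha384", 256: "sha512"}


def ihf1(s: bytes, n: int, kappa: int) -> int:
    """IHF1 (5.2): map s to an integer in [0, n). s is an octet-aligned bit string
    (an assumption of this example)."""
    if kappa not in HASH_FOR_KAPPA or not 0 < n < 1 << (4 * kappa):
        raise ValueError("kappa must be in {112,128,192,256} and 0 < n < 2^(4 kappa)")
    h = HASH_FOR_KAPPA[kappa]
    h0 = bytes(2 * kappa // 8)                  # (b) all-zero string of 2*kappa bits
    h1 = hashlib.new(h, h0 + s).digest()        # (c)-(d) h1 = H(h0 || str)
    v1 = int.from_bytes(h1, "big")              # (e) BS2IP
    h2 = hashlib.new(h, h1 + s).digest()        # (f)-(g) h2 = H(h1 || str)
    a2 = int.from_bytes(h2, "big")              # (h) BS2IP
    v2 = (v1 << (2 * kappa)) + a2               # (i) 2^(2 kappa) v1 + a2 = BS2IP(h1 || h2)
    return v2 % n                               # (j)


def shf1(s: bytes, n: int, kappa: int) -> str:
    """SHF1 (5.3): n-bit string as '0'/'1' characters (I2BSP of IHF1(str, 2^n, kappa))."""
    if not 0 < n <= 4 * kappa:
        raise ValueError("n must satisfy 0 < n <= 4 kappa")
    return format(ihf1(s, 1 << n, kappa), f"0{n}b")


# Affine arithmetic on y^2 = x^3 + a*x + b over GF(q); None is the point at infinity.
def ec_add(P, Q, a, q):
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % q == 0:         # Q == -P, including doubling a 2-torsion point
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)


def ec_mul(k, P, a, q):
    """Double-and-add scalar multiplication (not constant-time; fine for an example)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, q)
        P, k = ec_add(P, P, a, q), k >> 1
    return R


def on_curve(P, a, b, q):
    return P is None or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % q == 0


def phf1(s: bytes, kappa: int, j: int, q: int, coeff: int, p: int):
    """PHF1 (5.4): hash s to a point of E(GF(q))[p]. coeff is b for j = 0
    (y^2 = x^3 + b) and a for j = 1 (y^2 = x^3 + a*x)."""
    if (q + 1) % p != 0 or (q + 1) % (p * p) == 0 or not 0 < coeff < q:
        raise ValueError("need p | #E, p^2 not dividing #E (#E = q + 1) and 0 < coeff < q")
    r = (q + 1) // p                            # (a); both curve families have q + 1 points
    if j == 0:                                  # (b) y^2 = x^3 + b, q = 2 (mod 3)
        if q % 3 != 2:
            raise ValueError("j = 0 requires q = 2 (mod 3)")
        a, b = 0, coeff
        y = ihf1(s, q, kappa)                   # (1)
        x = pow((y * y - b) % q, (2 * q - 1) // 3, q)   # (2) cube root: cubing is a bijection
        Q = (x, y)                              # (3)
    elif j == 1:                                # (c) y^2 = x^3 + a*x, q = 3 (mod 4)
        if q % 4 != 3:
            raise ValueError("j = 1 requires q = 3 (mod 4)")
        a, b = coeff, 0
        x = ihf1(s, q, kappa)                   # (1)
        z = (x ** 3 + a * x) % q                # (2)
        chi = pow(z, (q - 1) // 2, q)           # Euler's criterion = Jacobi symbol (z/q), q prime
        if chi == 1:                            # (3) z is a square
            Q = (x, pow(z, (q + 1) // 4, q))
        elif chi == q - 1:                      # (4) -z is a square, so (-x, y) lies on the curve
            Q = ((-x) % q, pow((-z) % q, (q + 1) // 4, q))
        else:                                   # z == 0 is not covered by (3)/(4); this example
            Q = (x, 0)                          # takes the 2-torsion point (x, 0) in that case
    else:
        raise ValueError("j must be 0 or 1")
    assert on_curve(Q, a, b, q)
    return ec_mul(r, Q, a, q)                   # (d) rQ: cofactor clearing into E[p]


# Constructed toy parameters with no security value: q = 10007 is prime, q = 2 (mod 3) and
# q = 3 (mod 4); q + 1 = 10008 = 8 * 9 * 139, so p = 139 divides #E exactly once and r = 72.
Q_TOY, P_TOY = 10007, 139

if __name__ == "__main__":
    ident = b"alice@example.com"                # constructed identity string
    for j in (0, 1):
        a, b = (0, 1) if j == 0 else (1, 0)
        R = phf1(ident, 128, j, Q_TOY, 1, P_TOY)
        print(f"j={j}: rQ={R}, on curve={on_curve(R, a, b, Q_TOY)}, p*rQ={ec_mul(P_TOY, R, a, Q_TOY)}")
    print("SHF1, 20 bits:", shf1(ident, 20, 112))
```

Two checks worth keeping in any real implementation are visible here: the cube root in (b)(2) is only a root because q ≡ 2 (mod 3) makes cubing a bijection on GF(q), and (c)(4) only yields a curve point because q ≡ 3 (mod 4) makes −1 a non-residue; both conditions are therefore enforced before hashing rather than assumed. The p^2 ∤ #E check matters too: with p = 3 the toy q + 1 is divisible by 9, so the cofactor multiplication in (d) would not land in a group of order p, and the function refuses those parameters.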

6 General model for identity-based encryption

6.1 Composition of algorithms

An identity-based encryption scheme consists of the following four algorithms.

IBE.Setup(κ). Given a security parameter κ, generate a tuple ⟨parms, mpk, msk⟩, where parms denotes system parameters, msk denotes a master-secret key and mpk is the corresponding master-public key.

IBE.Extract(parms, mpk, msk, ID). Given a master-secret key msk, the corresponding master-public key mpk and an octet string ID with parms, generate a private key sk_ID for ID.

IBE.Enc(parms, mpk, ID, L, Msg). Given a plaintext Msg, a label L and an octet string ID with parms and mpk, do the encryption and output the ciphertext of Msg, CT, for ID. Note that Msg, L and CT are octet strings.

IBE.Dec(parms, mpk, ID, sk_ID, L, CT). Given a private key sk_ID with parms, mpk, ID and L, decrypt a ciphertext CT and output the underlying plaintext.

In general, the setup, key extraction and encryption algorithms are probabilistic algorithms, while the decryption algorithm is deterministic. It is recommended that applications establish a methodology for authenticating access to private keys by using the ID string as an identity in a trusted authentication system. The details of authenticating the key request are beyond the scope of this part of ISO/IEC 18033, but are critical for the security of an implemented application.

NOTE 1 Semantic security against an adaptive chosen ciphertext attack [5] is regarded by the cryptographic research community as the appropriate security level that a general purpose IBE mechanism should satisfy. Each IBE mechanism described in this part of ISO/IEC 18033 satisfies this security level. The formal definition of this security notion is described in Annex B.

NOTE 2 A basic requirement of any IBE mechanism is correctness. For any ID / sk_ID pair and for any plaintext of defined length, the ciphertext of that plaintext for ID under a master-public key and system parameters shall be able to be decrypted with the private key sk_ID under the same master-public key and system parameters to the original plaintext. This requirement may be relaxed, so that it holds only for all but a negligible fraction of ID / sk_ID pairs.

6.2 Plaintext length

Three types of plaintext length of IBE are defined as follows.

— An arbitrary-plaintext-length IBE encrypts plaintexts of an arbitrary length.
— A fixed-plaintext-length IBE only encrypts plaintexts whose length (in octets) is equal to a fixed value IBE.MsgLen.
— A bounded-plaintext-length IBE only encrypts plaintexts whose length (in octets) is less than or equal to a fixed value IBE.MaxMsgLen(mpk). Here, the maximum plaintext length may depend on the master-public key mpk.

6.3 Use of labels

A label is an octet string whose value is used by the encryption and decryption algorithms. It may contain public data that is implicit from context and need not be encrypted, but that should nevertheless be bound to the ciphertext. A label is an octet string that is meaningful to the application using the IBE scheme, and that is independent of the implementation of the IBE scheme. Three types of label length of IBE are defined as follows.

— An arbitrary-label-length IBE is one in which the encryption and decryption algorithms accept labels of arbitrary length.
— A fixed-label-length IBE is one in which the encryption and decryption algorithms only accept labels whose length (in octets) is equal to a fixed value IBE.LabelLen.
— A bounded-label-length IBE is one in which the encryption and decryption algorithms only accept labels whose length (in octets) is less than or equal to a fixed value IBE.MaxLabelLen.

NOTE The traditional notion of security against an

**...**
