ISO/IEC 18033-5:2015
Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers
ISO/IEC 18033-5:2015 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 18033-5
First edition
2015-12-01
Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers
Technologies de l’information — Techniques de sécurité — Algorithmes de chiffrement — Partie 5: Chiffrements identitaires
Reference number
ISO/IEC 18033-5:2015(E)
© ISO/IEC 2015
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols, abbreviated terms and conversion functions
4.1 Symbols
4.2 Abbreviated terms
4.3 Conversion functions
5 Cryptographic transforms
5.1 General
5.2 The function IHF1
5.3 The function SHF1
5.4 The function PHF1
6 General model for identity-based encryption
6.1 Composition of algorithms
6.2 Plaintext length
6.3 Use of labels
6.4 Ciphertext format
6.5 IBE operation
7 General model for identity-based hybrid encryption
7.1 General
7.2 Identity-based key encapsulation
7.2.1 Composition of algorithms
7.2.2 Prefix-freeness
7.3 Data encapsulation
7.3.1 Composition of algorithms
7.4 Identity-based hybrid encryption operation
7.4.1 System parameters
7.4.2 Set up
7.4.3 Private key extraction
7.4.4 Encryption
7.4.5 Decryption
8 Identity-based encryption mechanism
8.1 General
8.2 The BF mechanism
8.2.1 Set up
8.2.2 Private key extraction
8.2.3 Encryption
8.2.4 Decryption
9 Identity-based hybrid encryption mechanisms
9.1 General
9.2 The SK key encapsulation mechanism
9.2.1 Set up
9.2.2 Private key extraction
9.2.3 Session key encapsulation
9.2.4 Session key de-encapsulation
9.3 The BB1 key encapsulation mechanism
9.3.1 Set up
9.3.2 Private key extraction
9.3.3 Session key encapsulation
9.3.4 Session key de-encapsulation
Annex A (normative) Object identifiers
Annex B (informative) Security considerations
Annex C (informative) Numerical examples
Annex D (informative) Mechanisms to prevent access to keys by third parties
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
ISO/IEC 18033 consists of the following parts, under the general title Information technology ― Security
techniques — Encryption algorithms:
— Part 1: General
— Part 2: Asymmetric ciphers
— Part 3: Block ciphers
— Part 4: Stream ciphers
— Part 5: Identity-based ciphers
Further parts may follow.
Annex A forms a normative part of this part of ISO/IEC 18033. Annex B, Annex C and Annex D are
informative only.
Introduction
Use of a public key encryption mechanism requires reliable identification of the correct public key
to be used for encryption. A public key infrastructure (PKI) provides functions to give a trusted link
between an entity and its public key, and to enable the current status of the public key to be determined. In a PKI, a
certification authority (CA) issues a certificate binding a public key to the owner’s identifier together
with other key specific information, e.g. the validity period. If a public key is deemed to be invalid
before its expiry date, then potential users of the public key need to be notified, e.g. by the issue of
a CA-signed Certificate Revocation List (CRL). The generation and distribution of certificates and
CRLs poses a major management problem, which the mechanisms in this part of ISO/IEC 18033 are
designed to address. On encrypting, an encryptor first obtains the CRL and checks the current status
of the certificate. Then the encryptor verifies the certificate, and finally encrypts a message. Therefore,
the encryptor has to be provided with some means of accessing the current CRL, and additionally it
should not require excessive time and computational resources for checking the validity of a certificate
whenever it encrypts a message.
Identity-based encryption (IBE) is a type of asymmetric encryption that allows a decryptor to set its
public key to an arbitrary string. By setting the public key to an easily identifiable string (e.g. an e-mail
address), an encryptor can gain assurance in its correctness without using a certificate. Moreover, if
a short validity period can be arranged, significantly shorter than the updating period of a CRL in a
conventional PKI, an encryptor can generate a ciphertext without checking the current status of the
public key because revocation is unlikely to occur during such a short period. As a result IBE is expected
to reduce the certificate management workload.
The use of IBE requires a Private Key Generator (PKG), which generates private keys for all decryptors
using its master secret key; this contrasts with ‘traditional’ asymmetric encryption mechanisms, such
as those specified in ISO/IEC 18033-2, in which entities generate their own public/private key pairs. As
a result, use of IBE is only appropriate when it is acceptable for a third party to have decryption access
to all encrypted data.
The identity-based encryption mechanisms are specified in Clauses 8 and 9. The specified mechanisms
are the BF identity-based encryption mechanism, the SK identity-based key encapsulation mechanism,
and the BB1 identity-based key encapsulation mechanism.
The specifications in this part of ISO/IEC 18033 do not prescribe protocols for reliably obtaining public
values, for proof of possession of a private key, or for validation of either public values or private keys.
Certain sections of Clause 5, Clause 8 and Clause 9 of this part of ISO/IEC 18033 have been reprinted
with permission from [7] IEEE Std 1363.3-2013 - IEEE Standard for Identity-Based Cryptographic
Techniques using Pairings. Reprinted with permission from IEEE. Copyright 2013. All rights reserved.
Annex A gives the assignment of object identifiers to the algorithms specified in this part of
ISO/IEC 18033. Annex B describes security considerations for each specified mechanism and Annex C
provides numerical examples. Annex D introduces techniques which can be used to remove the
decryption capability of the PKG, and thereby reduce the level of trust required in this entity.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this part of
ISO/IEC 18033 may involve the use of patents. The ISO and IEC take no position concerning the evidence,
validity, and scope of these patent rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate
licences under reasonable and non-discriminatory terms and conditions with applicants throughout
the world. In this respect, the statements of the holders of these patent rights are registered with the
ISO and IEC. Information may be obtained from the following:
Patent holder name: Nippon Telegraph and Telephone Corporation
Postal address: Licensing Group, Intellectual Property Center
9-11, Midori-cho, 3-Chome Musashino-Shi, Tokyo 180-8585 Japan
Patent holder name: IBM Corporation
Postal address: IBM Intellectual Property Licensing
North Castle Drive, Armonk, NY 10504 USA
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.
INTERNATIONAL STANDARD ISO/IEC 18033-5:2015(E)
Information technology — Security techniques —
Encryption algorithms —
Part 5:
Identity-based ciphers
1 Scope
This part of ISO/IEC 18033 specifies identity-based encryption mechanisms. For each mechanism the
functional interface, the precise operation of the mechanism, and the ciphertext format are specified.
However, conforming systems may use alternative formats for storing and transmitting ciphertexts.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 18033-1, Information technology — Security techniques — Encryption algorithms — Part 1: General
ISO/IEC 18033-2, Information technology — Security techniques — Encryption algorithms — Part 2:
Asymmetric ciphers
ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3:
Block ciphers
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 18033-1 and the
following apply.
3.1
decryptor
entity which decrypts ciphertexts
3.2
encryptor
entity which encrypts plaintexts
3.3
hybrid encryption
encryption performed using a hybrid cipher
3.4
identifier
object that represents something and enables one to identify it
3.5
identity string
string that represents an identity
3.6
identity-based cipher
asymmetric cipher in which the encryption algorithm takes an arbitrary string as a public key
3.7
identity-based hybrid cipher
cipher which is both a hybrid cipher and an identity-based cipher
3.8
identity-based key encapsulation mechanism
key encapsulation mechanism for which the encryption process takes an arbitrary string as a public key
3.9
master-public key
public value uniquely determined by the corresponding master-secret key
3.10
master-secret key
secret value used by the private key generator to compute private keys for an IBE algorithm
3.11
private key extraction algorithm
method used by the private key generator to compute private keys for an IBE algorithm
3.12
private key generator
entity or function which generates a set of private keys
3.13
public key encryption
encryption performed using an asymmetric cipher
3.14
string
ordered sequence of symbols
3.15
set up
process by which the system parameters for an IBE algorithm are selected
3.16
set up algorithm
process which generates a master-secret key and the corresponding master-public key, together with
some part of the system parameters
3.17
system parameters
parameters for cryptographic computation including a selection of a particular cryptographic scheme or
function from a family of cryptographic schemes or functions, or from a family of mathematical spaces
3.18
trusted third party
security authority, or its agent, trusted by other entities with respect to security related activities
4 Symbols, abbreviated terms and conversion functions
For the purposes of this part of ISO/IEC 18033, the symbols and abbreviated terms given in
ISO/IEC 18033-1 and the following apply.
4.1 Symbols
[a,…,b) the set of integers {x : a ≤ x < b}.
x ⊕ y if x and y are bit/octet strings of the same length, the bit-wise exclusive-or (XOR) of the two strings.
(x_1,…,x_l) a tuple of elements x_1,…,x_l.
x || y if x and y are bit/octet strings, the concatenation of the two strings x and y, resulting in the string consisting of x followed by y.
gcd(a,b) for integers a and b, the greatest common divisor of a and b, i.e., the largest positive integer that divides both a and b (or 0 if a = b = 0).
a|b a relation between integers a and b that holds if and only if a divides b, i.e., there exists an integer c such that b = ac.
a∤b a relation between integers a and b that holds if and only if a does not divide b, i.e., there does not exist any integer c such that b = ac.
a ≡ b (mod n) for a non-zero integer n, a relation between integers a and b that holds if and only if a and b are congruent modulo n, i.e., n|(a − b).
a (mod n) for integer a and positive integer n, the unique integer r ∈ [0,…,n) such that r ≡ a (mod n).
a^(−1) (mod n) for integer a and positive integer n such that gcd(a,n) = 1, the unique integer b ∈ [0,…,n) such that ab ≡ 1 (mod n).
GF(q) the finite field containing q elements, where q is a power of a prime.
E / GF(q) an elliptic curve defined over the field GF(q).
E(GF(q)) the additive group of points on the elliptic curve E / GF(q).
E(GF(q))[n] the subgroup of E(GF(q)) consisting of all points of order n.
#E(GF(q)) the number of points of an elliptic curve defined over the field GF(q).
4.2 Abbreviated terms
CT ciphertext, an octet string.
DEM data encapsulation mechanism.
IBE identity-based encryption.
IBhE identity-based hybrid encryption.
ID octet string uniquely assigned to a decryptor.
ID_b binary representation of ID.
K session key for DEM.
κ security parameter.
KEM key encapsulation mechanism.
L label, an octet string.
mpk master-public key of IBE.
Msg plaintext, an octet string.
Msg_b binary representation of Msg.
msk master-secret key of IBE.
parms system parameters of IBE.
PKG private key generator.
sk_ID private key corresponding to ID of IBE.
4.3 Conversion functions
The following conversion functions are given in ISO/IEC 18033-2.
BS2IP bit string to integer conversion primitive.
BS2OSP bit string to octet string conversion primitive.
EC2OSP elliptic curve to octet string conversion primitive.
FE2OSP field element to octet string conversion primitive.
FE2IP field element to integer conversion primitive.
I2BSP integer to bit string conversion primitive.
I2OSP integer to octet string conversion primitive.
OS2ECP octet string to elliptic curve conversion primitive.
OS2FEP octet string to field element conversion primitive.
OS2IP octet string to integer conversion primitive.
OS2BSP octet string to bit string conversion primitive.
Oct(m) the octet whose integer value is m.
Len(n) the number of octets of an integer n.
5 Cryptographic transforms
5.1 General
The schemes specified in this part of ISO/IEC 18033 make use of three cryptographic transformations,
IHF1, SHF1 and PHF1 as specified below. These transformations make use of hash-functions specified in
ISO/IEC 10118-3.
5.2 The function IHF1
IHF1 is based on four hash-functions specified in ISO/IEC 10118-3, namely SHA-224, SHA-256, SHA-384
and SHA-512. It inputs a string of bits and outputs an integer in a specified range.
Input:
— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— An integer n, 0 < n < 2^(4κ)
Output:
— An integer ν, 0 ≤ ν < n.
Operation: Perform the following steps.
a) If κ = 112 then let H be SHA-224;
else if κ = 128 then let H be SHA-256;
else if κ = 192 then let H be SHA-384;
else if κ = 256 then let H be SHA-512.
b) Let h_0 be an all-zero bit string of length 2κ.
c) Let t_1 = h_0 || str.
d) Let h_1 = H(t_1).
e) Let ν_1 = BS2IP(h_1).
f) Let t_2 = h_1 || str.
g) Let h_2 = H(t_2).
h) Let a_2 = BS2IP(h_2).
i) Let ν_2 = 2^(2κ) · ν_1 + a_2.
j) Output ν_2 mod n.
5.3 The function SHF1
Returns an n-bit string that is based on a cryptographic hash function applied to an input string.
Input:
— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— An integer n, n > 0
Assumptions: The string str is within the allowed range of values for inputs to the relevant hash
function. The integer n has the property that n ≤ 4κ.
Output:
— A string ν ∈ {0,1}^n
Operation: Use the following steps.
— Output I2BSP(IHF1(str, 2^n, κ), n).
5.4 The function PHF1
Returns an element of an elliptic curve group E(GF(q))[p] for a supersingular elliptic curve
E/GF(q): y^2 = x^3 + b or E/GF(q): y^2 = x^3 + ax. There are other types of pairing-friendly elliptic
curves for which PHF1 is not suitable.
Input:
— A string str ∈ {0,1}*
— A security parameter κ ∈ {112, 128, 192, 256}
— A flag j taking the values 0 or 1 which defines a supersingular elliptic curve, with j = 0 representing
the elliptic curve E/GF(q): y^2 = x^3 + b and j = 1 representing the elliptic curve
E/GF(q): y^2 = x^3 + ax.
— A prime q with q ≡ 2 (mod 3) when j = 0 or q ≡ 3 (mod 4) when j = 1 that defines the finite field GF(q).
— An integer a, 0 < a < q (the curve coefficient; it is written b for the j = 0 curve)
— A prime p with p | #E(GF(q)) and p^2 ∤ #E(GF(q)) for the elliptic curve E defined by the flag j
Output:
— An element of E(GF(q))[p] for the selected elliptic curve.
Operation: Use the following steps.
a) Let r = (q + 1)/p.
b) If j = 0 then perform the following steps:
1) Let y = IHF1(str, q, κ).
2) Let x = (y^2 − b)^((2q − 1)/3) (mod q).
3) Let J = (x, y).
c) Else if j = 1 perform the following steps:
1) Let x = IHF1(str, q, κ).
2) Let z = x^3 + ax (mod q).
3) If the Jacobi symbol (z/q) = +1 then perform the following steps:
i) Let y = z^((q + 1)/4) (mod q).
ii) Let J = (x, y).
4) If the Jacobi symbol (z/q) = −1 then perform the following steps:
i) Let y = (−z)^((q + 1)/4) (mod q).
ii) Let J = (−x, y).
d) Return rJ.
6 General model for identity-based encryption
6.1 Composition of algorithms
An identity-based enc
...
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 18033-5
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2014-07-07
Voting terminates on: 2014-10-07
Information technology — Security techniques — Encryption algorithms — Part 5: Identity-based ciphers
Technologies de l’information — Techniques de sécurité — Algorithmes de chiffrement — Partie 5: Chiffrements identitaires
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number
ISO/IEC DIS 18033-5:2014(E)
© ISO/IEC 2014
Copyright notice
This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as
permitted under the applicable laws of the user’s country, neither this ISO draft nor any extract
from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, photocopying, recording or otherwise, without prior written permission being secured.
Requests for permission to reproduce should be addressed to either ISO at the address below or ISO’s
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Reproduction may be subject to royalty payments or a licensing agreement.
Violators may be prosecuted.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Cryptographic transforms
5.1 General
5.2 The function IHF1
5.3 The function SHF1
5.4 The function PHF1
6 General model for identity-based encryption
6.1 Composition of algorithms
6.2 Plaintext length
6.3 Use of labels
6.4 Ciphertext format
6.5 IBE operation
7 General model for identity-based hybrid encryption
7.1 General
7.2 Identity-based key encapsulation
7.2.1 Composition of algorithms
7.2.2 Prefix-freeness
7.3 Data encapsulation
7.3.1 Composition of algorithms
7.4 Identity-based hybrid encryption operation
7.4.1 System parameters
7.4.2 Set up
7.4.3 Private key extraction
7.4.4 Encryption
7.4.5 Decryption
8 Identity-based encryption mechanism
8.1 General
8.2 The BF mechanism
8.2.1 Set up
8.2.2 Private key extraction
8.2.3 Encryption
8.2.4 Decryption
9 Identity-based hybrid encryption mechanisms
9.1 General
9.2 The SK key encapsulation mechanism
9.2.1 Set up
9.2.2 Private key extraction
9.2.3 Session key encapsulation
9.2.4 Session key de-encapsulation
9.3 The BB1 key encapsulation mechanism
9.3.1 Set up
9.3.2 Private key extraction
9.3.3 Session key encapsulation
9.3.4 Session key de-encapsulation
Annex A (normative) Object identifiers
Annex B (informative) Security considerations
Annex C (informative) Numerical examples
Annex D (informative) Mechanisms to prevent access to keys by third parties
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18033-5 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 18033 consists of the following parts, under the general title Information technology ― Security
techniques — Encryption algorithms:
Part 1: General
Part 2: Asymmetric ciphers
Part 3: Block ciphers
Part 4: Stream ciphers
Part 5: Identity-based ciphers
Further parts may follow.
Introduction
Use of a public key encryption mechanism requires reliable identification of the correct public key to be used
for encryption. A public key infrastructure (PKI) provides functions to give a trusted link between an entity and its public key, and
to enable the current status of the public key to be determined. In a PKI, a certification authority (CA) issues a
certificate binding a public key to the owner’s identifier together with other key specific information, e.g. the
validity period. If a public key is deemed to be invalid before its expiry date, then potential users of the public
key need to be notified, e.g. by the issue of a CA-signed Certificate Revocation List (CRL). The generation
and distribution of certificates and CRLs poses a major management problem, which the mechanisms in this
part of ISO/IEC 18033 are designed to address. On encrypting, an encryptor first obtains the CRL and checks
the current status of the certificate. Then the encryptor verifies the certificate, and finally encrypts a message.
Therefore, the encryptor has to be provided with some means of accessing the current CRL, and additionally it
should not require excessive time and computational resources for checking the validity of a certificate
whenever it encrypts a message.
Identity-based encryption (IBE) is a type of asymmetric encryption that allows a decryptor to set its public key
to an arbitrary string. By setting the public key to an easily identifiable string (e.g. an e-mail address), an
encryptor can gain assurance in its correctness without using a certificate. Moreover, if a short validity period
can be arranged, significantly shorter than the updating period of a CRL in a conventional PKI, an encryptor
can generate a ciphertext without checking the current status of the public key because revocation is unlikely
to occur during such a short period. As a result IBE is expected to reduce the certificate management
workload.
The use of IBE requires a Private Key Generator (PKG), which generates private keys for all decryptors using
its master secret key; this contrasts with ‘traditional’ asymmetric encryption mechanisms, such as those
specified in ISO/IEC 18033-2, in which entities generate their own public/private key pairs. As a result, use of
IBE is only appropriate when it is acceptable for a third party to have decryption access to all encrypted data.
The identity-based encryption mechanisms are specified in Clause 8 and Clause 9. The specified
mechanisms are the BF identity-based encryption mechanism, the SK identity-based key encapsulation
mechanism and the BB1 identity-based key encapsulation mechanism.
The specifications in this part of ISO/IEC 18033 do not prescribe protocols for reliably obtaining public values,
for proof of possession of a private key, or for validation of either public values or private keys.
Annex A gives the assignment of object identifiers to the algorithms specified in this part of ISO/IEC 18033.
Annex B describes security considerations for each specified mechanism and Annex C provides test vectors.
Annex D introduces techniques which can be used to remove the decryption capability of the PKG, and
thereby reduce the level of trust required in this entity.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 18033-5
Information technology ― Security techniques — Encryption
algorithms — Part 5: Identity-based ciphers
1 Scope
This part of ISO/IEC 18033 specifies identity-based encryption mechanisms. For each mechanism the
functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However,
conforming systems may use alternative formats for storing and transmitting ciphertexts.
2 Normative references
The following referenced documents are indispensable for the application of this document.
ISO/IEC 18033-1, Information technology ― Security techniques ― Encryption algorithms ― Part 1:
General.
ISO/IEC 18033-2, Information technology ― Security techniques ― Encryption algorithms ― Part 2:
Asymmetric ciphers.
ISO/IEC 18033-3, Information technology ― Security techniques ― Encryption algorithms ― Part 3:
Block ciphers.
3 Terms and definitions
For the purposes of this part of ISO/IEC 18033, the terms and definitions given in ISO/IEC 18033-1, and the
following apply.
3.1
decryptor
entity which decrypts ciphertexts
3.2
encryptor
entity which encrypts plaintexts
3.3
hybrid encryption
encryption performed using a hybrid cipher
3.4
identifier
object that represents something and enables one to identify it
3.5
identity string
string that represents an identity
3.6
identity-based cipher
asymmetric cipher in which the encryption algorithm takes an arbitrary string as a public key
3.7
identity-based hybrid cipher
cipher which is both a hybrid cipher and an identity-based cipher
3.8
identity-based key encapsulation mechanism
key encapsulation mechanism for which the encryption process takes an arbitrary string as a public key
3.9
master-public key
public value uniquely determined by the corresponding master-secret key
3.10
master-secret key
secret value used by the private key generator to compute private keys for an IBE algorithm
3.11
private key extraction algorithm
method used by the private key generator to compute private keys for an IBE algorithm
3.12
private key generator
entity or function which generates a set of private keys
3.13
public key encryption
encryption performed using an asymmetric cipher
3.14
string
ordered sequence of symbols
3.15
set up
process by which the system parameters for an IBE algorithm are selected
3.16
set up algorithm
process which generates a master-secret key and the corresponding master-public key, together with some
part of the system parameters
3.17
system parameters
parameters for cryptographic computation including a selection of a particular cryptographic scheme or
function from a family of cryptographic schemes or functions, or from a family of mathematical spaces
3.18
trusted third party
security authority, or its agent, trusted by other entities with respect to security related activities
4 Symbols and abbreviated terms
For the purposes of this part of ISO/IEC 18033, the symbols and abbreviated terms given in ISO/IEC 18033-1
and the following apply.
Symbols:
⌈x⌉ the smallest integer greater than or equal to the real number x.
[a, …, b) the set of integers {x : a ≤ x < b}.
x ⊕ y if x and y are bit/octet strings of the same length, the bit-wise exclusive-or (XOR) of the two strings.
(x_1, …, x_l) a tuple x_1, …, x_l of elements.
x || y if x and y are bit/octet strings, the concatenation of the two strings x and y, resulting in the string consisting of x followed by y.
gcd(a, b) for integers a and b, the greatest common divisor of a and b, i.e., the largest positive integer that divides both a and b (or 0 if a = b = 0).
a | b a relation between integers a and b that holds if and only if a divides b, i.e., there exists an integer c such that b = ac.
a ∤ b a relation between integers a and b that holds if and only if a does not divide b, i.e., there does not exist any integer c such that b = ac.
a ≡ b (mod n) for a non-zero integer n, a relation between integers a and b that holds if and only if a and b are congruent modulo n, i.e., n | (a − b).
a (mod n) for integer a and positive integer n, the unique integer r ∈ [0, …, n) such that r ≡ a (mod n).
a^(−1) (mod n) for integer a and positive integer n such that gcd(a, n) = 1, the unique integer b ∈ [0, …, n) such that ab ≡ 1 (mod n).
GF(q) the finite field containing q elements, where q is a power of a prime.
E / GF(q) an elliptic curve defined over the field GF(q).
E(GF(q)) the additive group of points on the elliptic curve E / GF(q).
E(GF(q))[n] the subgroup of E(GF(q)) consisting of all points of order n.
#E(GF(q)) the number of points of an elliptic curve defined over the field GF(q).
Abbreviations:
CT ciphertext, an octet string.
DEM data encapsulation mechanism.
IBE identity-based encryption.
IBhE identity-based hybrid encryption.
ID octet string uniquely assigned to a decryptor.
ID_b binary representation of ID.
K session key for DEM.
κ security parameter.
KEM key encapsulation mechanism.
L label, an octet string.
mpk master-public key of IBE.
Msg plaintext, an octet string.
Msg_b binary representation of Msg.
msk master-secret key of IBE.
parms system parameters of IBE.
PKG private key generator.
sk_ID private key corresponding to ID of IBE.
Conversion functions (all of these functions are defined in ISO/IEC 18033-2):
BS2IP bit string to integer conversion primitive.
BS2OSP bit string to octet string conversion primitive.
EC2OSP elliptic curve to octet string conversion primitive.
FE2OSP field element to octet string conversion primitive.
FE2IP field element to integer conversion primitive.
I2BSP integer to bit string conversion primitive.
I2OSP integer to octet string conversion primitive.
OS2ECP octet string to elliptic curve conversion primitive.
OS2FEP octet string to field element conversion primitive.
OS2IP octet string to integer conversion primitive.
OS2BSP octet string to bit string conversion primitive.
Oct(m) the octet whose integer value is m.
Len(n) the number of octets of an integer n.
5 Cryptographic transforms
5.1 General
The schemes specified in this part of ISO/IEC 18033 make use of three cryptographic transformations, IHF1,
SHF1 and PHF1 as specified below. These transformations make use of hash-functions specified in ISO/IEC
10118-3.
5.2 The function IHF1
IHF1 is based on four hash-functions specified in ISO/IEC 10118-3, namely SHA-224, SHA-256, SHA-384
and SHA-512. It takes a bit string as input and outputs an integer in a specified range.
Input:
A string str ∈ {0,1}*
A security parameter κ ∈ {112, 128, 192, 256}
An integer n, 0 < n < 2^(4κ)
Output:
An integer ν, 0 ≤ ν < n.
Operation: Perform the following steps.
(a) If κ = 112 then let H be SHA-224;
else if κ = 128 then let H be SHA-256;
else if κ = 192 then let H be SHA-384;
else if κ = 256 then let H be SHA-512.
(b) Let h_0 be an all-zero bit string of length 2κ.
(c) Let t_1 = h_0 || str.
(d) Let h_1 = H(t_1).
(e) Let ν_1 = BS2IP(h_1).
(f) Let t_2 = h_1 || str.
(g) Let h_2 = H(t_2).
(h) Let a_2 = BS2IP(h_2).
(i) Let ν_2 = 2^(2κ) ν_1 + a_2.
(j) Output ν_2 mod n.
5.3 The function SHF1
Returns an n-bit string that is based on a cryptographic hash function applied to an input string.
Input:
A string str ∈ {0,1}*
A security parameter κ ∈ {112, 128, 192, 256}
An integer n, n > 0
Assumptions: The string str is within the allowed range of values for inputs to the relevant hash function. The
integer n has the property that n ≤ 4κ.
Output:
A string ν ∈ {0,1}^n
Operation: Use the following steps.
(a) Output I2BSP(IHF1(str, 2^n, κ)).
5.4 The function PHF1
Returns an element of an elliptic curve group E(GF(q))[p] for a supersingular elliptic curve
E / GF(q) : y^2 = x^3 + b or E / GF(q) : y^2 = x^3 + ax. There are other types of pairing-friendly elliptic curves for
which PHF1 is not suitable.
Input:
A string str ∈ {0,1}*
A security parameter κ ∈ {112, 128, 192, 256}
A flag j taking the values 0 or 1 which defines a supersingular elliptic curve, with j = 0 representing
the elliptic curve E / GF(q) : y^2 = x^3 + b and j = 1 representing the elliptic curve E / GF(q) : y^2 = x^3 + ax.
A prime q with q ≡ 2 (mod 3) when j = 0 or q ≡ 3 (mod 4) when j = 1 that defines the finite field GF(q).
An integer a, 0 < a < q if j = 1 or an integer b, 0 < b < q if j = 0
A prime p with p | #E(GF(q)) and p^2 ∤ #E(GF(q)) for the elliptic curve E defined by the flag j
Output:
An element of E(GF(q))[p] for the selected elliptic curve.
Operation: Use the following steps.
(a) Let r = (q + 1) / p.
(b) If j = 0 then perform the following steps:
(1) Let y = IHF1(str, q, κ).
(2) Let x = (y^2 − b)^((2q−1)/3) (mod q).
(3) Let Q = (x, y).
(c) Else if j = 1 perform the following steps:
(1) Let x = IHF1(str, q, κ).
(2) Let z = x^3 + ax (mod q).
(3) If the Jacobi symbol (z / q) = +1 then perform the following steps:
(i) Let y = z^((q+1)/4) (mod q).
(ii) Let Q = (x, y).
(4) If the Jacobi symbol (z / q) = −1 then perform the following steps:
(i) Let y = (−z)^((q+1)/4) (mod q).
(ii) Let Q = (−x, y).
(d) Return rQ.
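The three transforms of clause 5 carried through in code, as an added Python example that is not part of the standard: IHF1, SHF1 and the j = 0 branch of PHF1 (y^2 = x^3 + b with q ≡ 2 (mod 3)). It assumes str is an octet string; the helper names (ihf1_raw, ec_add, ec_mul, phf1_j0) and the affine curve arithmetic are this example's own, and the toy parameters used in the usage note are constructed for illustration only.

```python
import hashlib
HASH_FOR_KAPPA = {112: "sha224", 128: "sha256", 192: "sha384", 256: "sha512"}  # step (a)

def ihf1_raw(s: bytes, kappa: int) -> int:
    """Steps (a) to (i) of IHF1 (clause 5.2): the integer v2 = 2^(2κ)·v1 + a2, always < 2^(4κ)."""
    name = HASH_FOR_KAPPA[kappa]                       # H is SHA-224/256/384/512, output 2κ bits
    h0 = bytes(2 * kappa // 8)                         # (b) all-zero string of 2κ bits
    h1 = hashlib.new(name, h0 + s).digest()            # (c), (d) h1 = H(h0 || str)
    h2 = hashlib.new(name, h1 + s).digest()            # (f), (g) h2 = H(h1 || str)
    v1, a2 = int.from_bytes(h1, "big"), int.from_bytes(h2, "big")   # (e), (h) BS2IP
    return (v1 << (2 * kappa)) + a2                    # (i)

def ihf1(s: bytes, n: int, kappa: int) -> int:
    """IHF1(str, n, κ); str is taken as an octet string here (assumption of this example)."""
    if not 0 < n < 1 << (4 * kappa):
        raise ValueError("n must satisfy 0 < n < 2^(4κ)")
    return ihf1_raw(s, kappa) % n                      # (j)

def shf1(s: bytes, n: int, kappa: int) -> str:
    """SHF1 (clause 5.3): the n-bit string I2BSP(IHF1(str, 2^n, κ)), 0 < n ≤ 4κ; v2 < 2^(4κ) so n = 4κ is fine."""
    if not 0 < n <= 4 * kappa:
        raise ValueError("n must satisfy 0 < n <= 4κ")
    return format(ihf1_raw(s, kappa) % (1 << n), f"0{n}b")

# Affine arithmetic on E / GF(q): y^2 = x^3 + b (helper, not from the standard); None is the point at infinity.
def ec_add(P, Q, q):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % q == 0: return None    # P = -Q (covers doubling a point with y = 0)
    lam = (3 * x1 * x1 * pow(2 * y1, -1, q) if P == Q  # tangent slope (curve coefficient a = 0)
           else (y2 - y1) * pow(x2 - x1, -1, q)) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def ec_mul(k, P, q):
    R = None                                           # double-and-add scalar multiplication
    while k:
        if k & 1: R = ec_add(R, P, q)
        P, k = ec_add(P, P, q), k >> 1
    return R

def phf1_j0(s: bytes, kappa: int, q: int, b: int, p: int):
    """PHF1 (clause 5.4) for j = 0: E / GF(q): y^2 = x^3 + b, q ≡ 2 (mod 3), p | q + 1, p^2 ∤ q + 1."""
    if q % 3 != 2 or (q + 1) % p or not (q + 1) % (p * p):
        raise ValueError("parameters violate the PHF1 input conditions for j = 0")
    r = (q + 1) // p                                   # (a); #E(GF(q)) = q + 1 for this curve family
    y = ihf1(s, q, kappa)                              # (b)(1)
    x = pow((y * y - b) % q, (2 * q - 1) // 3, q)      # (b)(2) cube root of y^2 - b (q ≡ 2 mod 3)
    return ec_mul(r, (x, y), q)                        # (d) rQ, which lies in E(GF(q))[p]
```

A call such as phf1_j0(b"alice@example.com", 112, 11, 1, 3) uses the constructed toy curve y^2 = x^3 + 1 over GF(11), which has 12 points, with p = 3 and r = 4; real deployments use the parameter sizes the standard fixes for κ.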
6 General model for identity-based encryption
6.1 Composition of algorithms
An identity-based encryption scheme consists of the following four algorithms.
IBE.Setup(κ). Given a security parameter κ, generate a tuple (parms, mpk, msk), where parms denotes
system parameters, msk denotes a master-secret key and mpk is the corresponding master-public key.
IBE.Extract(parms, mpk, msk, ID). Given a master-secret key msk, the corresponding master-public key mpk
and an octet string ID with parms, generate a private key sk_ID for ID.
IBE.Enc(parms, mpk, ID, L, Msg). Given a plaintext Msg, a label L and an octet string ID with parms and
mpk, do the encryption and output the ciphertext of Msg, CT, for ID. Note that Msg, L and CT are octet
strings.
IBE.Dec(parms, mpk, ID, sk_ID, L, CT). Given a private key sk_ID with parms, mpk, ID and L, decrypt a
ciphertext CT and output the underlying plaintext.
In general, the setup, key extraction and encryption algorithms are probabilistic algorithms, while the
decryption algorithm is deterministic. It is recommended that applications establish a methodology for
authenticating access to private keys by using the ID string as an identity in a trusted authentication system.
The details of authenticating the key request are beyond the scope of this part of ISO/IEC 18033, but are
critical for the security of an implemented application.
NOTE 1 Semantic security against an adaptive chosen ciphertext attack [5] is regarded by the cryptographic research
community as the appropriate security level that a general purpose IBE mechanism should satisfy. Each IBE mechanism
described in this part of ISO/IEC 18033 satisfies this security level. The formal definition of this security notion is described
in Annex B.
NOTE 2 A basic requirement of any IBE mechanism is correctness. For any ID / sk_ID pair and for any plaintext of
defined length, a ciphertext for ID under a master-public key and system parameters shall decrypt, with the private key
sk_ID under the same master-public key and system parameters, to the original plaintext. This requirement may be
relaxed, so that it holds only for all but a negligible fraction of ID / sk_ID pairs.
6.2 Plaintext length
Three types of plaintext length of IBE are defined as follows.
— An arbitrary-plaintext-length IBE encrypts plaintexts of an arbitrary length.
— A fixed-plaintext-length IBE only encrypts plaintexts whose length (in octets) is equal to a fixed value
IBE.MsgLen.
— A bounded-plaintext-length IBE only encrypts plaintexts whose length (in octets) is less than or equal to a
fixed value IBE.MaxMsgLen(mpk). Here, the maximum plaintext length may depend on the system
parameter mpk.
6.3 Use of labels
A label is an octet string whose value is used by the encryption and decryption algorithms. It may contain
public data that is implicit from context and need not be encrypted, but that should nevertheless be bound to
the ciphertext. A label is an octet string that is meaningful to the application using the IBE scheme, and that is
independent of the implementation of the IBE scheme. Three types of label length of IBE are defined as
follows.
— An arbitrary-label-length IBE is one in which the encryption and decryption algorithms accept labels of
arbitrary length.
— A fixed-label-length IBE is one in which the encryption and decryption algorithms only accept labels
whose length (in octets) is equal to a fixed value IBE.LabelLen.
— A bounded-label-length IBE is one in which the encryption and decryption algorithms only accept labels
whose length (in octets) is less than or equal to a fixed value IBE.MaxLabelLen.
NOTE The traditional notion of security against an
...