ISO/IEC 29192-4:2013/Amd 1:2016

INTERNATIONAL ISO/IEC
STANDARD 29192-4
First edition
2013-06-01
AMENDMENT 1
2016-02-15
Information technology —
Security techniques — Lightweight
cryptography —
Part 4:
Mechanisms using asymmetric
techniques
AMENDMENT 1
Technologies de l’information — Techniques de sécurité —
Cryptographie pour environnements contraints —
Partie 4: Mécanismes basés sur les techniques asymétriques
AMENDEMENT 1
Reference number
ISO/IEC 29192-4:2013/Amd.1:2016(E)
©
ISO/IEC 2016

---------------------- Page: 1 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
© ISO/IEC 2016 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)
Information technology — Security techniques —
Lightweight cryptography —
Part 4:
Mechanisms using asymmetric techniques
AMENDMENT 1
Page v, Introduction
Change the first sentence to:
This part of ISO/IEC 29192 specifies four lightweight mechanisms based on asymmetric cryptography.
Add the following after the third bullet:
— ELLI is a unilateral authentication scheme based on discrete logarithms on elliptic curves over finite
fields of characteristic two. The scheme is particularly designed with regard to use in passive RFID
tags of vicinity type.
NOTE ELLI has been successfully implemented on a passive RFID tag fully compliant to ISO/IEC 15693/18000-
3. Prototype tags with practical working distance of “vicinity type” were presented at CeBIT 2008 and EuroID 2008.
Add the following after the patent holder of Agency for Science, Technology and Research:
Siemens Aktiengesellschaft
CT IP LT M&A, Otto-Hahn-Ring 6, 81739 Muenchen, Germany
Page 1, Scope
Change the first sentence to:
This part of ISO/IEC 29192 specifies four lightweight mechanisms using asymmetric techniques:
Add the following item to the list:
— a unilateral authentication scheme (ELLI) based on discrete logarithms on elliptic curves defined
over finite fields of characteristic two.
Page 1, Terms and definitions
Add the following and renumber all the terms and definitions alphabetically:
3.28
finite field of characteristic two
finite field whose number of elements is a power of two
Note 1 to entry: All finite fields of characteristic two containing the same number of elements are isomorphic. The
specific model for the description of the finite field of characteristic two that is used in this part of ISO/IEC 29192
is given in Annex E.
© ISO 2016 – All rights reserved 1

---------------------- Page: 4 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

3.29
ordinary elliptic curve over a finite field of characteristic two
elliptic curve over a finite field F of characteristic two defined by a short (affine) Weierstrass equation
2 3 2
of type Y + XY = X + aX + b, with a, b ∈ F and b ≠0
F
Note 1 to entry: A reference for the group properties of elliptic curves is ISO/IEC 15946-1:2008, Annex B.
Note 2 to entry: The set of points on E together with one extra symbol 0 constitute a finite abelian group.
E
Page 4, Symbols and abbreviated terms
Replace the following symbol:
i-1 i
∣A∣ bit size of the number A if A is a non-negative integer (i.e. the unique integer i so that 2 ≤ A < 2
16
if A > 0, or 0 if A = 0, e.g. ∣65 537∣ = ∣2 + 1∣ = 17), or bit length of the bit string A if A is a bit string
NOTE To represent a number A as a string of α bits with α > ∣A∣, α - ∣A∣ bits set to 0 are appended to the left of
the ∣A∣ bits.
with
i–1 i
∣Φ∣ bit size of the number Φ if Φ is a non-negative integer (i.e. the unique integer i so that 2 ≤ Φ < 2
16
if Φ > 0, or 0 if Φ = 0, e.g. ∣65 537∣ = ∣2 + 1∣ = 17), or bit length of the bit string Φ if Φ is a bit string
NOTE To represent a number Φ as a string of α bits with α > ∣Φ∣, α - ∣Φ∣ bits set to 0 are appended to the left of
the ∣Φ∣ bits.
Replace the following symbol:
⎿A⏌ the greatest integer that is less than or equal to the real number A
with
⎿Φ⏌ the greatest integer that is less than or equal to the real number Φ
Replace the following symbol:
th
A[i] the i -bit of the number A, where A[1] is the right-most bit and A[∣A∣] is the left-most bit
with
th
Φ[i] the i -bit of the number Φ, where Φ[1] is the right-most bit and Φ[∣Φ∣] is the left-most bit
Replace the following symbol:
B || C bit string resulting from the concatenation of data items B and C in the order specified.
with
Ψ || Γ bit string resulting from the concatenation of data items Ψ and Γ in the order specified.
Insert the following symbols and abbreviated terms and rearrange Clause 4 alphabetically:
A claimant
B verifier
2 © ISO 2016 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

E g
{a,b}
ordinary elliptic curve overF()2 given by its short (affine) Weierstrass equation
g
2 3 2
Y + XY = X + aX + b, together with a point0 at infinity, with a, b ∈F()2 and b ≠0 .
E F
(domain parameter)
E elliptic curve twisted to the elliptic curve E (domain parameter, but not explicitly
twist
used)
#(E ) order (cardinality) of E (domain parameter)
{a,b} {a,b}
g g
F()2 finite field consisting of exactly 2 elements, g a positive integer
f(X) g
irreducible polynomial over F(2) which is used in the construction ofF()2
function depending on the field element b ≠0 that adjoins to the elementx from
MUL kx,
b,aff()
F R
R
g −1
F()2 and the integer k the (affine) x-coordinateXZ of the point S = [k]R =
SS
g
XY:: Z on an ordinary elliptic curve defined overF()2 with parameter b and
()
SS S
with R a point on this curve with affine x-coordinatex
R
NOTE For the mathematical background of MUL kx, , see Annex F.
b,aff()
R
function depending on the field element b ≠0 that adjoins to the elementx from
MUL kx,
()
b,proj
F R
R
g
F()2 and the integer k the projective x-coordinate XZ: of the point [k]R = S =
()
SS
g
XY:: Z on an ordinary elliptic curve defined overF()2 with parameter b and
()
SS S
with R a point on this curve with affine x-coordinatex
R
For the mathematical background of MUL kx, , see Annex F.
b,proj()
NOTE
R
S, T, U points on the elliptic curve E
Tr(a) g
2^0 2^1 2^(g-1)
Tr(a) = a + a + .+ a , for an arbitrary element a ofF()2 . Tr is the “trace
function” and Tr(a) is the “trace of the field element a”. The trace function takes only
the two values1 and0 .
F F
affine coordinates of point R, wherex denotes the x-coordinate andY denotes the
XY,
()
R R
RR
y-coordinate of point R
NOTE The point0 does not have a representation using affine coordinates.
E
© ISO 2016 – All rights reserved 3

---------------------- Page: 6 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

XY:: Z projective coordinates of the point R. XY:: Z is the equivalency class of triples
() ()
RR R RR R
g
XY,,Z of elements ofF()2 that solve the adjoined (projective) Weierstrass
()
RR R
2 3 2 3
equation Y Z + XYZ = X +aX Z + bZ , where XY,,Z is called equivalent to
()
′′ ′
RR R
XY,,Z , if and only ifX =λX , Y =λY andZ =λZ , with some element λ ≠0
()
′ ′ ′
RR R R R R R R R F
The point0 has projective coordinates (0 :1 :0 ).
NOTE
E F F F
()XZ: projective x-coordinate of point R
R R
g
−1
: corresponds to the affine coordinateXZ
NOTE 1 Z ≠0 and XZ
() ∈F()2 .
R F R
R RR
has projective coordinates xy:: 1 .
NOTE 2 A point R with affine coordinates xy, ()
(     )
RR F
RR
−−11
NOTE 3 A point R with projective coordinates XY:: Z has affine coordinates XZ ,YZ .
()
()
RR R RR RR
Page 13
Add the following new Clause 8 after 7.5:
8 Unilateral authentication mechanism based on discrete logarithms on elliptic curves
over finite fields of characteristic two
8.1 General
This mechanism, ELLI, has been designed to make asymmetric cryptography available on passive
RFID tags of vicinity type (working distance of up to 1 m) for the intended main application of brand
protection/anti-counterfeiting in large decentralized systems. The ELLI scheme and the concept to
implement it on a passive RFID tag were firstly presented in a submission to the German IT-Security
Competition held by the Horst-Görtz foundation in 2006. The scheme is also described (without using
the name ELLI) in References [30] and [31].
The concept underlying ELLI is closely related to the Diffie-Hellman analogue for elliptic curves over
g
F()2 . But, as it makes use of some specific protocol and parameter optimization steps, it was given a
name of its own. These optimizations comprise the following:
— The y-coordinates of points on elliptic curves are unused.
— Checks on whether or not a given field element is the x-coordinate of a point on a claimed elliptic
curve are omitted.
NOTE ELLI stands for ELLIPTIC LIGHT.
8.2 Security requirements for the environment
The ELLI scheme is a unilateral authentication mechanism based on discrete logarithms on elliptic
curves defined over a finite field of characteristic two. It enables a verifier to check that a claimant
knows the elliptic curve discrete logarithm of a claimed public point with respect to a base point.
4 © ISO 2016 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

A general framework for cryptographic techniques based on elliptic curves is given in ISO/IEC 15946-1.
g
For the ELLI mechanism, some additional properties of elliptic curves defined over finite fieldsF()2
are used that are not described in ISO/IEC 15946-1. These properties are presented below.
Within a given domain, the following requirements shall be satisfied. Domain parameters that govern
the operation of the mechanism shall be selected. These parameters comprise the following:
g
— a finite fieldF()2 of characteristic two;
g
— an ordinary elliptic curve E defined overF()2 . The elliptic curve E shall be given by its short
2 3 2
Weierstrass equation Y + XY = X + aX + b, with b ≠0 , and shall be chosen in such a way that the
F
following two conditions hold:
— #(E) = 4q , with a prime q ;
1 1
— #(E ) = 2q , with a prime q ;
twist 2 2
— a point P = xy, on E generating a subgroup of order q .
() 1
PP
NOTE 1 In this situation, the condition q < q is automatically fulfilled. This is due to the fact that #(E) and
1 2
#(E ) are of the same order of magnitude as a consequence of the Hasse-Weil theorem (see Annex F).
twist
g
The size of the finite fieldF()2 and the parameters of the two curves E and E are chosen in such a
twist
way that solving the elliptic curve discrete logarithm problem and solving the static Diffie-Hellman
problem in both E and E are computationally infeasible tasks.
twist
The selected parameters shall be made available, to the necessary extent and in a reliable manner, to all
entities within the domain.
a) Every claimant shall be equipped with a private key.
g
b) Every claimant shall have the ability to execute the operations addition and multiplication inF()2 .
c) Every claimant shall be able to execute the function MUL introduced in Clause 4, for the specific
b,proj
value b related to the elliptic curve E.
d) Every verifier shall obtain an authentic copy of the public key corresponding to the claimant’s
private key.
e) Every verifier shall be equipped with the base point P of the elliptic curve E and with the order q of P.
1
f) Every verifier shall have the ability to execute the operations addition, multiplication and
g
division inF()2 .
g) Every verifier shall be able to generate randomly positive integers 1
h) Every verifier shall be able to execute the function MUL introduced in Clause 4, for the specific
b,aff
value b related to the elliptic curve E.
NOTE 2 There are various options to provide the verifiers with trusted copies of the claimant’s public key.
This topic is beyond the scope of this part of ISO/IEC 29192.
8.3 Key production
To produce a key pair, the following two steps shall be performed.
a) For claimant A an integer Q shall be uniformly and randomly selected from the set {2,…,q -1}. The
1
integer Q is A’s private key.
b) A’s public key G(A) is MUL Q,x , the (affine) x-coordinate of the point G = [Q]P = xy, .
() ()
b,aff
P GG
© ISO 2016 – All rights reserved 5

---------------------- Page: 8 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

8.4 Unilateral authentication mechanism
This mechanism, which enables verifier B to authenticate claimant A, is summarized in Figure 3. In
Figure 3, the bracketed letters a) to e) correspond to the steps of the mechanism, including the
exchanges of information, as described in detail below.
NOTE The authentication mechanism follows a “challenge-response” approach.
(b) Challenge d = x
T
A B
(d) Response D = (X  : Z ) (a),
U
U
(c), (d)
(b), (e)
Figure 3 — ELLI
The following procedure shall be performed. The verifier B shall only accept the claimant A as valid if
the following procedure completes successfully:
a) The verifier randomly chooses a fresh number r with 0 < r < q and computes MUL r,x and
()
1 b,aff
P
MUL [r,G(A)], i.e. the affine x-coordinatex of the point T = [r]P and the affine x-coordinatex of
b,aff
T V
the point V = [r]([Q]P).
The challenge d is the field element d =x .
T
b) The verifier sends d to the claimant.
c) On receipt of the challenge d the claimant A computes D = MUL (Q,d) = XZ: , the projective
()
b, proj
UU
g
x-coordinate of the point U = [Q]T, consisting of two field elementsX andZ inF()2 .
U U
D = XZ: is the response.
()
UU
d) The claimant sends D to the verifier.
e) On receipt of the response D, the verifier B checks ifX =0 orZ =0 holds. If one of these equations
U F U F
holds, the claimant is considered not authentic.
g
If X ≠0 andZ ≠0 the verifier computesxZ inF()2 and verifies whether or not the equationX =
U F U F VU U
g
xZ holds inF()2 . The claimant is considered authentic by the verifier if and only if the equationX =
VU U
xZ holds.
VU

Page 14, Annex A
Replace the content with the following:
LightweightCryptography-4{
iso(1) standard(0) lightweight-cryptography(29192)
part4(4) asn1-module(0) algorithm-object-identifiers(0)}
DEFINITIONS ::= BEGIN
EXPORTS ALL;

OID ::= OBJECT IDENTIFIER -- alias
-- Synonyms
is29192-4 OID ::= {iso(1) standard(0) lightweight-cryptography(29192) part4(4)}
6 © ISO 2016 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

mechanism OID ::= {is29192-4 mechanisms(1)}
-- Lightweight cryptographic mechanisms
lw-discrete-logarithms-ecc-CryptoGPS OID ::= {mechanism
lw-discrete-logarithms-ecc-CryptoGPS(1)}
lw-authenticated-key-exchange-ALIKE OID ::= {mechanism
lw-authenticated-key-exchange-ALIKE(2)}
lw-identity-based-signature-IBS OID ::= {mechanism
lw-identity-based-signature-IBS(3)}
lw-unilateral-authentication-ecc-ELLI OID ::= {mechanism
lw-unilateral-authentication-ecc-ELLI (4)}

END -- LightweightCryptography-4

Page 21, Annex C
Add the following after C.3.3.2, Example 2:
C.4 ELLI mechanism
C.4.1 Examples based on ELLI_163.1
C.4.1.1 Common properties
g
The elliptic curve ELLI_163.1 and the underlying fieldF()2 are defined as in Annex E.3. In the following,
numerical examples for the ELLI authentication scheme are given, comprising the steps key generation,
challenge generation and response generation.
A common base point P is used in all examples for ELLI_163.1.
BASE POINT P
6 2DAE88E2 17BEFF09 F408E8F8 91EC8E51 05C9E8AB
x
P
0 5B29A42D C1EBEB2D 14AC1914 421FC4AC 2B61C7E5
y
P
NOTE  The y-coordinate y of the base point P is not necessarily used in the ELLI mechanism.
P
C.4.1.2 Example 1
A key pair for claimant A is constructed.
KEY PAIR GENERATION
DFCAC3BC 9A1E4B54 E03FAD6E E932F3BC 61170C51
PRIVATE KEY Q
2 33C2A2B8 8BEE7DD9 1DB430F9 161B0A88 B7FEB527
PUBLIC KEY G(A)
A challenge d is generated by the verifier with input a random number r and the x-coordinatex of the
P
base point and using the function MUL .
b,aff
d = MUL rx,
b,aff()
P
The response D is generated by the claimant with input the challenge d and the private key Q and using
the function MUL .
b,proj
© ISO 2016 – All rights reserved 7

---------------------- Page: 10 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

D = XZ: = MUL (Q,d)
() b,proj
UU
CHALLENGE GENERATION d = MUL rx,
b,aff()
P
93D4625C 890DE3CD 8889225C 180E03C3 DF647545
RANDOM NUMBER r
5 3735DD9D 700B0617 D6B0FE8E B0BA11D8 65D9532F
CHALLENGE d
POSSIBLE RESPONSE D = XZ:
()
UU
3 F625D290 2FE3297F A177959A AD59AA0B 9D913C07
X-VALUEX
U
0 447352DD 05B0568B 191865A5 1FA0779C DD81258D
Z-VALUEZ
U
4 531ADD58 617220E6 4A3915D5 6BCD69FD F434A2F2
−1
x =XZ
V UU
(affine)
NOTE The pair XZ: is the “projective x-coordinate”, and hence is not unique as numerical value. The
()
UU
−1
adjoined unique numerical value related to the response is the affine x-coordinatex =XZ . This holds in the
V UU
same way for all the following examples.
C.4.1.3 Example 2
KEY PAIR GENERATION
DE5A6D34 F3A8C4E1 6E132FD4 33F4B4BD 65E20CB9
PRIVATE KEY Q
3 E8462A29 41BB3D71 433AEB2C 67877D4B 88D5529D
PUBLIC KEY G(A)
CHALLENGE GENERATION d = MUL rx,
()
b,aff
P
F9B6C01B CD3A85A8 99986F79 F4AFD289 056A3842
RANDOM NUMBER r
61FE5AEC F245ECE4 B504CD65F E2D70C9C F28E6626
CHALLENGE d
POSSIBLE RESPONSE D = XZ:
()
UU
3 8487B630 029D21C3 0768C095 B2AEF06B 63FE8143
X-VALUEX
U
0 19BF93D2 222E56E0 B8B50A7D B9C41150 B9E9F93C
Z-VALUEZ
U
3 0DFD2997 2FD32C61 7356C895 D6912240 02752BFE
−1
x =XZ
V UU
(affine)
8 © ISO 2016 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 29192-4:2013/Amd.1:2016(E)

C.4.1.4 Example 3
KEY PAIR GENERATION
7E96501F 876C785B 1511893E 97F1E923 0967945E
PRIVATE KEY Q
0 2F1B219C DD1FEBA1 64FB2B1E 805CF6F7 D65C15
...