Information security — Anonymous entity authentication — Part 3: Mechanisms based on blind signatures

This document provides general descriptions and specifications of anonymous entity authentication mechanisms based on blind digital signatures.

Sécurité de l'information — Authentification d'entité anonyme — Partie 3: Mécanismes fondés sur des signatures aveugles

General Information

Status
Published
Publication Date
13-Feb-2022
Current Stage
5060 - Close of voting Proof returned by Secretariat
Completion Date
17-Dec-2021
Ref Project

Buy Standard

Standard
ISO/IEC 20009-3:2022 - Information security — Anonymous entity authentication — Part 3: Mechanisms based on blind signatures Released:2/14/2022
English language
16 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/IEC FDIS 20009-3 - Information security -- Anonymous entity authentication
English language
16 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 20009-3
First edition
2022-02
Information security — Anonymous
entity authentication —
Part 3:
Mechanisms based on blind signatures
Sécurité de l'information — Authentification d'entité anonyme —
Partie 3: Mécanismes fondés sur des signatures aveugles
Reference number
ISO/IEC 20009-3:2022(E)
© ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC 20009-3:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20009-3:2022(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Symbols and abbreviated terms..........................................................................................................................................................3

5 General model and requirements ........................................................................................................................................... ...........4

6 Unilateral anonymous authentication .......................................................................................................................................... 5

6.1 General ........................................................................................................................................................................................................... 5

6.2 Mechanism 1 — Two-pass unilateral anonymous authentication ........................................................... 5

6.2.1 General ........................................................................................................................................................................................ 5

6.2.2 Requirements ........................................................................................................................................................................ 5

6.2.3 Domain parameters generation process ....................................................................................................... 6

6.2.4 Key generation process ................................................................................................................................................ 6

6.2.5 Credential issuance process ..................................................................................................................................... 7

6.2.6 Authentication process ................................................................................................................................................. 8

Annex A (normative) Object identifiers ........................................................................................................................................................10

Annex B (informative) Conversion functions ..........................................................................................................................................11

Annex C (informative) Group description ...................................................................................................................................................12

Annex D (informative) Special hash-functions ......................................................................................................................................13

Annex E (informative) Security considerations ...................................................................................................................................15

Bibliography .............................................................................................................................................................................................................................16

iii
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC 20009-3:2022(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

A list of all parts in the ISO/IEC 20009 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

www.iec.ch/national-committees.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 20009-3:2022(E)
Introduction

In an anonymous entity authentication mechanism, the entity to be authenticated (the claimant)

provides evidence to a verifier that it has knowledge of a secret without revealing its identifier to any

unauthorized entity. That is, given complete knowledge of the messages exchanged between the parties,

an unauthorized entity cannot discover the identifier of the entity being authenticated. Moreover, it is

possible that even an authorized verifier is not authorized to learn the identifier of the entity being

authenticated.

The anonymous entity authentication mechanisms specified in this document are based on blind

signatures, specified in the ISO/IEC 18370 series.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 20009-3:2022(E)
Information security — Anonymous entity
authentication —
Part 3:
Mechanisms based on blind signatures
1 Scope

This document provides general descriptions and specifications of anonymous entity authentication

mechanisms based on blind digital signatures.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
anonymous entity authentication

corroboration that an entity possesses certain attributes (3.2), without distinguishing this entity from

other entities with the same attributes
[SOURCE: ISO/IEC 20009-1:2013, 2.2]
3.2
attribute
application-specific data element
[SOURCE: ISO/IEC 18370-1:2016, 3.1]
3.3
claimant
entity which is or represents a principal for the purposes of authentication

Note 1 to entry: A claimant includes the functions and the private data necessary for engaging in authentication

exchanges on behalf of a principal.
[SOURCE: ISO/IEC 9798-1:2010, 3.6]
3.4
claimant information field

special credential (3.6) attribute (3.2) encoded within a credential that is not seen by the issuer (3.13)

during credential issuance, and that is always disclosed to a verifier (3.15)
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 20009-3:2022(E)
3.5
collision-resistant hash-function

hash-function (3.12) satisfying the following property: it is computationally infeasible to find any two

distinct inputs which map to the same output

[SOURCE: ISO/IEC 10118-1:2016, 3.1, modified — Note 1 to entry has been deleted.]

3.6
credential

data held by a claimant (3.3) that provides evidence that the claimant is the rightful holder of encoded

attributes (3.2) and/or a public key, corresponding to a private key

Note 1 to entry: In the context of this definition, attributes can include information regarding the qualification,

competence or clearance of the claimant.
3.7
credential information field

special attribute (3.2) encoded within a credential (3.6) that contains metadata about the credential,

such as its expiry date, that is always disclosed to verifiers (3.15)
3.8
credential private key

data item specific to a claimant’s (3.3) credential (3.6) that should only be used by this claimant

3.9
credential public key

data item mathematically related to a credential (3.6) that is disclosed to the verifier (3.15) upon

authentication
3.10
domain
set of entities operating under a single security policy
[SOURCE: ISO/IEC 18370-1:2016, 3.11]
3.11
domain parameter

data element which is common to and known by or accessible to all entities within the domain (3.10)

[SOURCE: ISO/IEC 14888-1:2008, 3.5]
3.12
hash-function

function which maps strings of bits of variable (but usually upper bounded) length to fixed-length

strings of bits, satisfying the following two properties:

— for a given output, it is computationally infeasible to find an input which maps to this output;

— for a given input, it is computationally infeasible to find a second input which maps to the same

output

[SOURCE: ISO/IEC 10118-1:2016, 3.4, modified — Note 1 to entry has been deleted.]

3.13
issuer
entity responsible for provisioning of a credential (3.6) to a claimant (3.3)
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 20009-3:2022(E)
3.14
unilateral anonymous authentication

anonymous entity authentication (3.1) that provides one entity with assurance of the legitimacy of the

other entity, but not vice versa
[SOURCE: ISO/IEC 20009-1:2013, 2.20]
3.15
verifier

entity which requires assurance of the legitimacy of another entity (the claimant (3.3))

[SOURCE: ISO/IEC 20009-1:2013, 2.22]
4 Symbols and abbreviated terms
The null value, a zero-length octet string.
Prefix of a hexadecimal value.
For example, 0x37c5 represents the two octet values 37 and c5 in sequence.
a ∈ A Indicates that element is in set A.
a||b Concatenation of data items a and b in the order specified.

In cases where the result of concatenating two or more data items is input to a cryp-

tographic algorithm as part of one of the mechanisms specified in this document, this

result shall be composed so that it can be uniquely resolved into its constituent data

strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter

property can be achieved in a variety of different ways, depending on the application.

For example, it can be guaranteed by:

a) fixing the length of each of the substrings throughout the domain of use of the mech-

anism; or

b) encoding the sequence of concatenated strings using a method that guarantees

unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1.

AB⊆ Indicates that set A is a subset of or equal to set B.

A \ B When A and B are sets, represents the set of elements present in A but not in B.

CI An extra claimant information field.
cred The claimant’s credential.

Bit length of D if D is a bit string, or bit size of D if D is a non-negative number (i.e. 0 if

i–1 i
D = 0, or the unique integer i such that 2 ≤ D < 2 if D > 0).

desc(G ) Specifies a group G of prime order q in which it is infeasible to compute discrete log-

q q
arithms.
E Elliptic curve over the finite field F for a prime p > 3.

E(F ) Set of all points (x, y), x ∈ F , y ∈ F , which satisfy the defining equation of the curve E,

p p p
together with the point at infinity O .
#E(F ) Order (or cardinality) of E(F ).
p p
F Finite field containing exactly p elements.
g, g Generators of G .
i q
gcd(N , N ) Greatest common divisor of integers N and N .
1 2 1 2
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 20009-3:2022(E)
G Cyclic group of prime order q.

For uniformity, the multiplicative notation is used throughout. As such, when using

the elliptic curve construction it should be understood that ab represents the group

addition of points a and b, that a/b represents the group addition of the point a to the

additive inverse of the point b, and that a represents the scalar multiplication of point

a by the integer b.

NOTE This document specifies two constructions for the group G in which it is infeasible

to compute discrete logarithms. The first is based on a subgroup of a finite field, and the second

is based on an elliptic curve over a finite field F , where q is a prime number. Each construction

is specified by a description denoted by desc(G ). Details of these two constructions with their

corresponding descriptions desc(G ) are provided in Annex C.
H Cryptographic hash-function.
I Finite set of positive integers.
k Security parameter (a positive integer).
l Security parameter (a positive integer).
n Positive integer.

[n]P Scalar multiplication operation that takes a positive integer n and a point P on the elliptic

curve E as input and produces as output another point Q on the elliptic curve E, where

Q = [n]P = P + P + ... + P added n – 1 times.
The operation satisfies [0]P = O (the point at infinity), and [–n]P = [n](–P).
O Point at infinity on the elliptic curve E.
P + Q Elliptic curve sum of points P and Q.
Prime number satisfying q = l .
TI A credential information field.
UID A unique identifier for the domain parameters.
Z Set of integers in [0, p – 1] with arithmetic defined modulo p.

Set of integers U with 0 < U < N and gcd(U, N) = 1, with arithmetic defined modulo N.

Product of the values a for which i ∈ I.
a i
iI∈

[x, y] Set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.

〈… 〉 Ordered list of values to be hashed.
5 General model and requirements

This clause specifies the general model and requirements for the mechanisms specified in this

document.

NOTE 1 Blind signatures, as specified in the ISO/IEC 18370 series, allow a user to obtain a digital signature as

specified in the ISO/IEC 9796 series on a message of the user’s choice, without giving the signer any information

about the actual message or the resulting signature.

An anonymous entity authentication mechanism based on blind signatures involves an issuer, a set of

claimants and a set of verifiers. Such an anonymous entity authentication mechanism is defined by the

specification of the following processes:
— parameter generation process;
— key generation process;
— credential issuance process;
— authentication process.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 20009-3:2022(E)

Entities of different types can be involved in the mechanism specified in this document, as follows.

— Claimant: an entity to be authenticated in such a way that the claimant’s identity is not revealed. In

this document, a claimant plays the role of requestor in a blind digital signature scheme, as specified

in ISO/IEC 18370-2:2016.

— Verifier: an entity that verifies the validity of a claimant’s credential and which does not learn the

claimant’s identity.

— Issuer: an entity issuing a credential to a claimant. In this document, an issuer plays the role of

signer in a blind digital signature scheme as specified in ISO/IEC 18370-2:2016.

NOTE 2 In the context of this document, the issuer serves as an offline trusted third party (TTP) in the

sense of ISO/IEC 20009-1. It gains knowledge of all a claimant’s attributes but does not learn which subset is

later selected to present the signature.

Annex A lists the object identifiers which shall be used to identify the mechanism defined in this

document.
6 Unilateral anonymous authentication
6.1 General

Unilateral anonymous authentication means that only one of the two entities, the claimant, is

authenticated by use of the mechanism and that the identity of the authenticated entity is anonymous

to the other entity, the verifier.
6.2 Mechanism 1 — Two-pass unilateral anonymous authentication
6.2.1 General

Two-pass means that the authentication phase consists of two messages being exchanged between the

claimant and the verifier.

This mechanism is based on mechanism 4 in ISO/IEC 18370-2:2016. In addition to verifying that a

claimant possesses a valid credential issued by the issuer, this mechanism also enables a verifier to

request the presentation of claimant attributes encoded in the credential. That is, at the end of the

authentication process, the verifier is guaranteed that the claimant holds a credential received from the

issuer that certifies the attributes disclosed during the authentication process.

The mechanism only guarantees anonymity to the claimant if a credential received from the issuer

is used in only one session of the authentication process. If a credential is used in multiple sessions,

these sessions can still not be linked to the corresponding session of the credential issuance process.

However, they can be linked with each other by the verifiers, even if different sets of attributes are

disclosed. In particular, a returning claimant can be recognized by a verifier.

Security considerations and guidance for concrete parameter selections are given in Annex E.

6.2.2 Requirements

In order to use this two-pass unilateral anonymous authentication mechanism, the following

requirements apply.

— Each entity involved in this mechanism shall be aware of the public domain parameters.

— The parties shall agree on the security parameters in use.
NOTE 1 Guidance for parameter choice is given in Clause E.2.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 20009-3:2022(E)

— Each entity shall have access to an authentic copy of the necessary public keys, such as the issuer’s

verification key.

— The entities involved in this mechanism shall agree in advance of use of the mechanism on a positive

integer n, representing the maximum number of attributes that can be encoded in a credential.

— Both issuer and claima
...

FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
20009-3
ISO/IEC JTC 1/SC 27
Information security — Anonymous
Secretariat: DIN
entity authentication —
Voting begins on:
2021-10-21
Part 3:
Voting terminates on:
Mechanisms based on blind signatures
2021-12-16
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC FDIS 20009-3:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Symbols and abbreviated terms..........................................................................................................................................................3

5 General model and requirements ........................................................................................................................................... ...........4

6 Unilateral anonymous authentication .......................................................................................................................................... 5

6.1 General ........................................................................................................................................................................................................... 5

6.2 Mechanism 1 — Two-pass unilateral anonymous authentication ........................................................... 5

6.2.1 General ........................................................................................................................................................................................ 5

6.2.2 Requirements ........................................................................................................................................................................ 5

6.2.3 Domain parameters generation process ....................................................................................................... 6

6.2.4 Key generation process ................................................................................................................................................ 6

6.2.5 Credential issuance process ..................................................................................................................................... 7

6.2.6 Authentication process ................................................................................................................................................. 8

Annex A (normative) Object identifier ...........................................................................................................................................................10

Annex B (informative) Conversion functions ..........................................................................................................................................11

Annex C (informative) Group description ...................................................................................................................................................12

Annex D (informative) Special hash-functions ......................................................................................................................................13

Annex E (informative) Security considerations ...................................................................................................................................15

Bibliography .............................................................................................................................................................................................................................16

iii
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC

list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

A list of all parts in the ISO/IEC 20009 series can be found on the ISO and IEC websites.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

www.iec.ch/national-committees.
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
Introduction

In an anonymous entity authentication mechanism, the entity to be authenticated (the claimant)

provides evidence to a verifier that it has knowledge of a secret without revealing its identifier to any

unauthorized entity. That is, given complete knowledge of the messages exchanged between the parties,

an unauthorized entity cannot discover the identifier of the entity being authenticated. Moreover, it is

possible that even an authorized verifier is not authorized to learn the identifier of the entity being

authenticated.

The anonymous entity authentication mechanisms specified in this document are based on blind

signatures, specified in the ISO/IEC 18370 series.
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 20009-3:2021(E)
Information security — Anonymous entity
authentication —
Part 3:
Mechanisms based on blind signatures
1 Scope

This document provides general descriptions and specifications of anonymous entity authentication

mechanisms based on blind digital signatures.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
anonymous entity authentication

corroboration that an entity possesses certain attributes (3.2), without distinguishing this entity from

other entities with the same attributes
[SOURCE: ISO/IEC 20009-1:2013, 2.2]
3.2
attribute
application-specific data element
[SOURCE: ISO/IEC 18370-1:2016, 3.1]
3.3
claimant
entity which is or represents a principal for the purposes of authentication

Note 1 to entry: A claimant includes the functions and the private data necessary for engaging in authentication

exchanges on behalf of a principal.
[SOURCE: ISO/IEC 9798-1:2010, 3.6]
3.4
claimant information field

special credential (3.6) attribute (3.2) encoded within a credential that is not seen by the issuer (3.13)

during credential issuance, and that is always disclosed to a verifier (3.15)
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
3.5
collision-resistant hash-function

hash-function (3.12) satisfying the following property: it is computationally infeasible to find any two

distinct inputs which map to the same output

[SOURCE: ISO/IEC 10118-1:2016, 3.1, modified — Note 1 to entry has been deleted.]

3.6
credential

data held by a claimant (3.3) that provides evidence that the claimant is the rightful holder of encoded

attributes (3.2) and/or a public key, corresponding to a private key

Note 1 to entry: In the context of this definition, attributes can include information regarding the qualification,

competence or clearance of the claimant.
3.7
credential information field

special attribute (3.2) encoded within a credential (3.6) that contains metadata about the credential,

such as its expiry date, that is always disclosed to verifiers (3.15)
3.8
credential private key

data item specific to a claimant’s (3.3) credential (3.6) that should only be used by this claimant

3.9
credential public key

data item mathematically related to a credential (3.6) that is disclosed to the verifier (3.15) upon

authentication
3.10
domain
set of entities operating under a single security policy
[SOURCE: ISO/IEC 18370-1:2016, 3.11]
3.11
domain parameter

data element which is common to and known by or accessible to all entities within the domain (3.10)

[SOURCE: ISO/IEC 14888-1:2008, 3.5]
3.12
hash-function

function which maps strings of bits of variable (but usually upper bounded) length to fixed-length

strings of bits, satisfying the following two properties:

— for a given output, it is computationally infeasible to find an input which maps to this output;

— for a given input, it is computationally infeasible to find a second input which maps to the same

output

[SOURCE: ISO/IEC 10118-1:2016, 3.4, modified — Note 1 to entry has been deleted.]

3.13
issuer
entity responsible for provisioning of a credential (3.6) to a claimant (3.3)
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
3.14
unilateral anonymous authentication

anonymous entity authentication (3.1) that provides one entity with assurance of the legitimacy of the

other entity, but not vice versa
[SOURCE: ISO/IEC 20009-1:2013, 2.20]
3.15
verifier

entity which requires assurance of the legitimacy of another entity (the claimant (3.3))

[SOURCE: ISO/IEC 20009-1:2013, 2.22]
4 Symbols and abbreviated terms
The null value, a zero-length octet string.
0x Prefix of a hexadecimal value.
For example, 0x37c5 represents the two octet values 37 and c5 in sequence.
a ∈ A Indicates that element is in set A.
a||b Concatenation of data items a and b in the order specified.

In cases where the result of concatenating two or more data items is input to a cryp-

tographic algorithm as part of one of the mechanisms specified in this document, this

result shall be composed so that it can be uniquely resolved into its constituent data

strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter

property can be achieved in a variety of different ways, depending on the application.

For example, it can be guaranteed by:

a) fixing the length of each of the substrings throughout the domain of use of the

mechanism; or

b) encoding the sequence of concatenated strings using a method that guarantees

unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1.

AB⊆ Indicates that set A is a subset of or equal to set B.

A \ B When A and B are sets, represents the set of elements present in A but not in B.

CI An extra claimant information field.
cred The claimant’s credential.

Bit length of D if D is a bit string, or bit size of D if D is a non-negative number (i.e. 0 if

i–1 i
D = 0, or the unique integer i such that 2 ≤ D < 2 if D > 0).

desc(G ) Specifies a group G of prime order q in which it is infeasible to compute discrete log-

q q
arithms.
E Elliptic curve over the finite field F for a prime p > 3.

E(F ) Set of all points (x, y), x ∈ F , y ∈ F , which satisfy the defining equation of the curve E,

p p p
together with the point at infinity O .
#E(F ) Order (or cardinality) of E(F ).
p p
F Finite field containing exactly p elements.
g, g Generators of G .
i q
gcd(N , N ) Greatest common divisor of integers N and N .
1 2 1 2
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC FDIS 20009-3:2021(E)
G Cyclic group of prime order q.

For uniformity, the multiplicative notation is used throughout. As such, when using

the elliptic curve construction it should be understood that ab represents the group

addition of points a and b, that a/b represents the group addition of the point a to the

additive inverse of the point b, and that a represents the scalar multiplication of point

a by the integer b.

NOTE This document specifies two constructions for the group G in which it is infeasible

to compute discrete logarithms. The first is based on a subgroup of a finite field, and the second

is based on an elliptic curve over a finite field F , where q is a prime number. Each construction

is specified by a description denoted by desc(G ). Details of these two constructions with their

corresponding descriptions desc(G ) are provided in Annex C.
H Cryptographic hash-function.
I Finite set of positive integers.
k Security parameter (a positive integer).
l Security parameter (a positive integer).
n Positive integer.

[n]P Scalar multiplication operation that takes a positive integer n and a point P on the elliptic

curve E as input and produces as output another point Q on the elliptic curve E, where

Q = [n]P = P + P + ... + P added n – 1 times.
The operation satisfies [0]P = O (the point at infinity), and [–n]P = [n](–P).
O Point at infinity on the elliptic curve E.
P + Q Elliptic curve sum of points P and Q.
Prime number satisfying q = l .
TI A credential information field.
UID A unique identifier for the domain parameters.
Z Set of integers in [0, p – 1] with arithmetic defined modulo p.

Set of integers U with 0 < U < N and gcd(U, N) = 1, with arithmetic defined modulo N.

Product of the values a for which i ∈ I.
a i
iI∈

[x, y] Set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.

〈… 〉 Ordered list of values to be hashed.
5 General model and requirements

This clause specifies the general model and requirements for the mechanisms specified in this

document.

NOTE 1 Blind signatures, as specified in the ISO/IEC 18370 series, allow a user to obtain a digital signature as

specified in the ISO/IEC 9796 series on a message of the user’s choice, without giving the signer any information

about the actual message or the resulting signature.

An anonymous entity authentication mechanism based on blind signatures involves an issuer, a set of

claimants and a set of verifiers. Such an anonymous entity authentication mechanism is defined by the

specification of the following processes:
— parameter generation process;
— key generation process;
— credential issuance process;
— authentication process.
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC FDIS 20009-3:2021(E)

Entities of different types can be involved in the mechanism specified in this document, as follows.

— Claimant: an entity to be authenticated in such a way that the claimant’s identity is not revealed. In

this document, a claimant plays the role of requestor in a blind digital signature scheme, as specified

in ISO/IEC 18370-2:2016.

— Verifier: an entity that verifies the validity of a claimant’s credential and which does not learn the

claimant’s identity.

— Issuer: an entity issuing a credential to a claimant. In this document, an issuer plays the role of

signer in a blind digital signature scheme as specified in ISO/IEC 18370-2:2016.

NOTE 2 In the context of this document, the issuer serves as an offline trusted third party (TTP) in the

sense of ISO/IEC 20009-1. It gains knowledge of all a claimant’s attributes but does not learn which subset is

later selected to present the signature.

Annex A lists the object identifier which shall be used to identify the mechanism defined in this

document.
6 Unilateral anonymous authentication
6.1 General

Unilateral anonymous authentication means that only one of the two entities, the claimant, is

authenticated by use of the mechanism and that the identity of the authenticated entity is anonymous

to the other entity, the verifier.
6.2 Mechanism 1 — Two-pass unilateral anonymous authentication
6.2.1 General

Two-pass means that the authentication phase consists of two messages being exchanged between the

claimant and the verifier.

This mechanism is based on mechanism 4 in ISO/IEC 18370-2:2016. In addition to verifying that a

claimant possesses a valid credential issued by the issuer, this mechanism also enables a verifier to

request the presentation of claimant attributes encoded in the credential. That is, at the end of the

authentication process, the verifier is guaranteed that the claimant holds a credential received from the

issuer that certifies the attributes disclosed during the authentication process.

The mechanism only guarantees anonymity to the claimant if a credential received from the issuer

is used in only one session of the authentication process. If a credential is used in multiple sessions,

these sessions can still not be linked to the corresponding session of the credential issuance process.

However, they can be linked with each other by the verifiers, even if different sets of attributes are

disclosed. In particular, a returning claimant can be recognized by a verifier.

Security considerations and guidance for concrete parameter selections are given in Annex E.

6.2.2 Requirements

In order to use this two-pass unilateral anonymous authentication mechanism, the following

requirements apply.

— Each entity involved in this mechanism shall be aware of the public domain parameters.

— The parties shall agree on the security parameters in use.
NOTE 1 Guidance for parameter choice is given in Clause E.2.
© ISO/IEC 2021 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC FDIS 20009-3:2021(E)

— Each entity shall have access to an authentic copy of the necessary public keys, such as the issuer’s

verif
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.