ISO/IEC 14888-2:1999

INTERNATIONAL ISO/IEC
STANDARD 14888-2
First edition
1999-12-15
Information technology — Security
techniques — Digital signatures with
appendix —
Part 2:
Identity-based mechanisms
Technologies de l'information — Techniques de sécurité — Signatures
digitales avec appendice —
Partie 2: Mécanismes basés sur des identités
Reference number
B C
ISO/IEC 14888-2:1999(E)

---------------------- Page: 1 ----------------------
ISO/IEC 14888-2:1999(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
International Standard ISO/IEC 14888-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC 14888 consists of the following parts, under the general title Information technology — Security techniques —
Digital signatures with appendix
:
— Part 1: General
— Part 2: Identity-based mechanisms
— Part 3: Certificate-based mechanisms
Further parts may follow.
Annexes A and B of this part of ISO/IEC 14888 are for information only.
©  ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
©
INTERNATIONAL STANDARD  ISO/IEC ISO/IEC 14888-2:1999(E)
Information technology — Security techniques — Digital
signatures with appendix —
Part 2:
Identity-based mechanisms
involves a trusted third party. The trusted third party
1  Scope
has a secret parameter, the key generation
exponent, which it uses to derive the signature
ISO/IEC 14888 specifies a variety of digital
keys of other entities. The secrecy of the signature
signature mechanisms with appendix for messages
keys depends unconditionally on the secrecy of the
of arbitrary length and is applicable in schemes
key generation exponent.
providing entity authentication, data origin
authentication, non-repudiation, and integrity of
In the verification of an identity-based signature,
data.
two parameters are needed. The first one, the
domain verification exponent, is common to all
This part of ISO/IEC 14888 specifies the general
entities, while the second one, the signing entity’s
structure and the fundamental procedures which
verification key, is specific to each entity. In the
constitute the signature and verification processes
identity-based mechanism defined in this part of
of an identity-based digital signature mechanism
ISO/IEC 14888, an entity’s verification key is
with appendix for messages of arbitrary length.
derived directly from the entity’s identification data,
using a public function.
2  Normative references
The identity-based signature mechanism with
appendix is an example of a randomized
The following standards contain provisions which,
mechanism, as described in ISO/IEC 14888-1. The
through reference in this text, constitute provisions
descriptions of the signature and verification
of this part of ISO/IEC 14888. At the time of
processes follow the general procedures specified
publication, the editions indicated were valid. All
in Clause 10 of ISO/IEC 14888-1. In particular, this
standards are subject to revision, and parties to
part makes use of the general requirements,
agreements based on this part of ISO/IEC 14888
definitions and symbols given in ISO/IEC 14888-1.
are encouraged to investigate the possibility of
applying the most recent editions of the standards The identity-based digital signature mechanism
indicated below. Members of IEC and ISO maintain with appendix is defined by the specification of the
registers of currently valid International Standards. following processes:
Information technology -
ISO/IEC 9796: 1991, • key generation process;
Security techniques - Digital signature scheme
• signature process; and
giving message recovery.
•
verification process.
ISO/IEC 14888–1: 1998, Information technology -
Security techniques - Digital signatures with
appendix - Part 1: General.
4  Definitions
For the purposes of this part of ISO/IEC 14888, the
3  General
following definitions apply.
The verification of a digital signature requires the
4.1
signing entity’s verification key. It is therefore
domain modulus
essential for a verifier to be able to associate the
a domain parameter, which is a positive integer
correct verification key with the signing entity, or
resulting from the product of two distinct primes
more precisely, with (parts of) the signing entity’s
which are known only to the trusted third party
identification data. If this association is somehow
inherent in the verification key itself, the digital
signature scheme is said to be “identity-based.” 4.2
domain verification exponent
The key generation process of the identity-based
a domain parameter which is a positive integer
mechanism defined in this part of ISO/IEC 14888
1

---------------------- Page: 3 ----------------------
©
ISO/IEC 14888-2:1999(E) ISO/IEC
4.3 generates the private signature key for each entity
key generation exponent
as a function of that entity’s identification data.
a positive integer known only to the trusted third
In some instances the validation of domain
party
parameters and keys, may be required. However, it
is outside the scope of this part of ISO/IEC 14888.
4.4
public key derivation function
a domain parameter, whose function is to map
6.1  Generating domain parameters
strings of bits into positive integers
This procedure is executed once when the domain
NOTE 1  This function is used to transform an entity’s
is set up.
identification data into the entity’s verification key, and

satisfies the following two properties. The trusted third party produces the domain
verification exponent V and the domain modulus N.
The domain verification exponent shall be chosen
• It is computationally infeasible to find any two
to be an odd integer. The domain modulus shall be
distinct inputs which map to the same output.
the product of two large prime integers P and Q
• Either the probability that a randomly chosen such that P - 1 and Q - 1 are coprime to V.
value Y is in the range of the function is
Furthermore, the trusted third party determines the
negligibly small, or for a given output it is
key generation exponent, which is the least positive
computationally infeasible to find for a given
integer D such that DV - 1 is a multiple of lcm (P - 1,
output an input which maps to this output.
Q - 1).
NOTE 2  Negligibility and computational infeasibility Specifically, D shall be such that:
depend on the specific security requirements and
DV
U N=U
mod
environment.
for all integers U, 0 < U < N.
4.5
The public domain parameters are N and V. The
trusted third party
D
trusted third party keeps for its own use. It shall
A security authority, or its agent, trusted by other
be computationally infeasible for other entities to
entities with respect to security related activities
compute D from N and V.
NOTE —  The values of N and V shall be chosen large
enough to satisfy the specific domain security
5  Notation
requirements. The length of N varies typically between
V
1024 bits and 2048 bits while the length of is
5.1  Symbols
recommended to be at least 80 bits.
T, T’ L T - T’ = LV.
Let and be integers such that Let
In addition to the symbols defined in ISO/IEC
X be a signature key and Y be the corresponding
14888-1, the following symbols are used.
’
T T L
verification key as defined in 6.2. Then X” X ⋅ Y
D Key generation exponent
N.
mod
I
Identification data
N Domain modulus
Given a signature (R, S) corresponding to
P, Q Prime numbers
assignment T, one can then produce the signature
V Domain verification exponent
(R, S’) corresponding to assignment T’ by
L
y
Public key derivation function
computing S’= S ⋅ Y mod N (See 7.4). Therefore, V
lcm (A, B) The least positive integer
must be chosen sufficiently large so that given T,
C such that C mod A = 0 and
the probability that a randomly chosen T’ satisfies
C” 0 (mod B)
T - T’” 0 mod V is sufficiently small.
The set of the domain parameters of an identity-
6  Key production process
based signature mechanism with appendix also
includes a public key derivation function y, which is
The key production process of this identity-based
used to transform a signing entity’s identification
signature mechanism is an application of the
data into a positive integer less than N.
signature scheme specified in Annex A of ISO/IEC
9796-1. It consists of the following three
procedures:
6.2  Producing the verification key and
generating the signature key
• generating domain parameters; and
• generating signature key.
Each user entity has unique identification data. To

generate a private signature key for an entity with
An entity shall be chosen to act as a trusted third
I,
identification data the trusted third party first
party. Using its own secrets, the trusted third party
2

---------------------- Page: 4 ----------------------
©
ISO/IEC ISO/IEC 14888-2:1999(E)
computes the verification key Y from the public key this generation procedure. The output of this step is
y I. K, which the signing entity keeps secret.
derivation function and the identification data
Y = y(I).

7.1.2  Computing pre-signature
NOTE —  The probability that Y is equal to zero or an
P Q P
integer multiple of or is negligible, provided that
The input to this step is the randomizer K. The
Q
and are sufficiently large.
output is the pre-signature P computed as:
The trusted authority computes the private
V
P = K mod N.
signature key X as
-D
X ” Y mod N.
7.2  Preparing message
As a result of the key generation process, the entity
Two data fields, M and M are derived from
I X 1 2
with identification data has a signature key
M
the message as described in 8.2 of
which satisfies the equation,
ISO/IEC 14888-1.
V
X ⋅ y (I) mod N ” 1.
The process of preparing the message shall satisfy
In an identity-based signature mechanism, the one of the following two conditions:
verifier obtains the knowledge of the signing entity’s
• the entire message shall be re-
verification key from the signing entity’s
constructible given M and M ; or
1 2
identification data by computing Y = y(I). Once the
verification has been computed, it can be cached
• it shall be computationally infeasible to find
for further use.
two distinct messages M and M’ such that
the derived pairs (M M ) and (M’ M’ ) are
1, 2 1, 2
equal.
7  Signature process
M M M
Typically in the first case, = (when is
1 2
M M M M M
In this clause, the signature process of an identity- empty), or = (when is empty), or = =
2 1 1, 2,
based signature mechanism is described. The M. In the second case, either M or M or both are
1 2
mechanism is randomized and follows the general hash tokens of M.
model for randomized signature mechanisms
described in ISO/IEC 14888-1. The signature
7.3  Computing witness
process consists of the following procedures:
• producing pre-signature;
The deterministic witness is computed as a hash-
• preparing message;
H M
token of using a collision-resistant hash-
1
• computing witness; and
function (see Figure 1).
•
computing signature.
The randomized witness R is defined as the

concatenation of an optional field, which can be
In this process the signer makes use of its
used to identify the hash-function and padding
signature key X and the public domain parameters
method and is computed using a collision-resistant
N and V.
R Phash-function. depends on the pre-signature
S The result of this process is the signature which M , M1
and optionally, on if is not empty (see
1
has two parts, R and S. The signing entity optionally
figure 2).
forms a text field, containing the entity’s

identification data. The signature and the optional
NOTE —  The hash-function identifier shall be included
text field form the appendix, which is appended to
in the hash-token unless the hash-function is uniquely
the message by the signer.
determined by the signature mechanism or by the
domain parameters.
7.1  Producing pre-signature
7.4  Computing signature
The pre-signature procedure of an identity-based
signature mechanism consists of two steps:
The computation of a signature in an identity-based
signature mechanism consists of the following
• producing randomizer K; and
steps:
• Pcomputing pre-signature .
• computing the first part of the signature;
7.1.1  Producing randomizer
• computing assignment; and
•
computing the second part of the
The signing entity generates a randomizer, which is
signature.
an integer, K with 0 < K < N. Depending on the
mechanism, there may be additional constraints on
3

---------------------- Page: 5 ----------------------
©
ISO/IEC 14888-2:1999(E) ISO/IEC
• PGiven and R, the hash-token H can be
message  M signature key  X
X
message M signature key X
X
recovered (see Figure 1).
M
M
PRODUCING
COMPUTING
If the witness is randomized, it is the first part of the
RANDOMIZER
PRE-SIGNATURE
K
PREPARING
PRODUCING
MESSAGE COMPUTING
signature R and no further computation is needed
RANDOMIZER
K PRE-SIGNATURE
K
PREPARINGP
(see Figure 2).
M M
2 MESSAG1 E
COMPUTING
KPWITNESS
NOTE —  The domain parameters must include an
M M
2 1
agreed upon method for converting a string of bits to a
H
COMPUTING
WITNESS
positive integer, in order that this step can be carried
out.
H
COMPUTING FIRST PART
OF SIGNATURE
7.4.2  Computing assignment
The assignment T is a positive integer and
R
COMPUTING
COMPUTING FIRST PART
ASSIGNMENT
OF SIGNATURE
computed as a function of the first part of the
T
signature. The assignment also depends on the
second part M of the message, if M is not empty.
2 2
COMPUTING SECOND
R
COMPUTING
PART OF SIGNATURE
ASSIGNMENT
It is required that the method of computing the pair
S R
T (R, T) satisfies the following condition.
It is computationally infeasible to find any two pairs
signature S
COMPUTING SECOND
PART OF SIGNATURE
(P) ( ’P’) ,
M, and M , with the same resulting pair (R
T ).
S R
signatureS7.4.3  Computing the second part of the
signature
·
Figure 1 — Signature process with a
The signature function of the identity-based
deterministic witness
signature mechanism has the following form,
T
= ⋅
S K X mod N,
message M signature key X
X
M
where K is the randomizer computed in 7.1.1, T is
the assignment computed at 7.4.2, X is the
PRODUCING
COMPUTING
RANDOMIZER
signature key, and is the domain modulus. The
PRE-SIGNATURE N
K
PREPARING
MESSAGE
output of the signature function is the second part S
K
PM M of the signature.
2 1
8  Verification process
The verification process consists of the following
COMPUTING
WITNESS
procedures:
• preparing message;
R
COMPUTING
ASSIGNMENT
• retrieving witness;
T •
computing verification function; and
•
verifying witness.
COMPUTING SECOND
PART OF SIGNATURE
At the beginning of the verification process the
S R
verifier must have the values of the following data
items available:
signatureS
• domain parameters N and V;
• ;
the signer’s verification key Y
Figure 2 — Signature process with a
• message M ;
randomized witness
• S, ;
signature = (R S) and
• optional text (from appendix).
7.4.1  Computing the first part of the signature
A successful verification of a signature implies that
If the witness is deterministic, the first part R of the the signature was created using a signature key X
Pwhich corresponds to the verification key .
signature is computed as a function of H and . Y
This function is invertible in the following way.
4

---------------------- Page: 6 ----------------------
©
ISO/IEC ISO/IEC 14888-2:1999(E)
8.3.1  Retrieving assignment
8.1  Preparing message
This step is identical to 7.4.2. The verifier computes
This procedure is identical to 7.2.
the assignment T as a function of the value R
retrieved in 8.2 and the part M of the message if
2
8.2  Retrieving witness
M is not empty. The assignment is a positive
2
integer.
If the witness is deterministic, then this procedure
is described in 7.3. The verification process is
8.3.2  Recomputing pre-signature
depicted in Figure 3.
PThe verifier produces a recomputed value of the
pre-signature by using the formula,
message M verification key Y
signature S
MSRY TV
P= YS⋅ modN
PREPARING
MESSAGE
Y N
where is the verification key, is the domain
M M
1 2
RETRIEVING
modulus, V is the domain verification exponent, T is
MESSAGE
T
the assignment retrieved at 8.3.1 and S is the
RECOMPUTING
PRE-SIGNATURE
second part of the signature.P
RETRIEVING
RECOMPUTING
WITNESS
WITNESS
H
H
8.3.3  Recomputing witness
VERIFYING
yes/no
WITNESS
If the witness is deterministic, it is the hash-token H
of M . The verifier produces a recomputed value
1
HP.
by recovering it from using R and
Figure 3 — Verification process with a
If the witness is randomized, the computation is
deterministic witness
identical to 7.3, where the inputs are the
If the witness is randomized, the verificationPPM M
recomputed value of and of . The output
1
process is as depicted in Figure 4. The retrieved
R.
is the recomputed witness
witness is the first part R of the signature.
8.4  Verifying witness
At this step the retrieved value of the witness from
m essage M ve rific a tio n k e y Y
signature S
8.2 and the recomputed value of the witness from
MS R Y
8.3.3 are compared. The verification is successful if
PR EPA R IN G
these two witness values are equal.
M E SSAG E
M 1 M 2
RETRIEVING
M E SSAG E
T
RECO M PU TING
PR E-SIG N ATU R E 9  Guillou-Quisquater signature
P
RECO M PU TING mechanism
WITNESS
R
The key production process, signature process and
VE R IF YIN G R
yes/n o
WITNESS
verification process of the identity-based digital
signature scheme of Guillou and Quisquater are
described in Clauses 6 to 8 of this part of ISO/IEC
14888 and depicted in Figures 2 and 4.
—
Figure 4 Verification process with a
The following procedures and functions remain to
randomized witness
be specified in more detail.
• public key derivation function;
•
8.3  Computing verification function preparing message;
•
computing witness;
The computation of the verification function of an
• computing the first part of the signature;
identity-based signature mechanism consists of the
and
following steps:
• computing assignment.
•
retrieving assignment;
•
recomputing pre-signature; and
• recomputing witness.
5

---------------------- Page: 7 ----------------------
©
...