ISO/IEC 20008-2:2013/Amd 2:2023
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes — Partie 2: Mécanismes utilisant une clé publique de groupe — Amendement 2
INTERNATIONAL STANDARD ISO/IEC 20008-2
First edition 2013-11-15
AMENDMENT 2 2023-04
Information technology — Security techniques — Anonymous digital signatures —
Part 2: Mechanisms using a group public key
AMENDMENT 2
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes —
Partie 2: Mécanismes utilisant une clé publique de groupe
AMENDEMENT 2
Reference number
ISO/IEC 20008-2:2013/Amd. 2:2023(E)
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Clause 4
Add the following symbol:
F(p) the finite field containing exactly p elements.
6.1
Replace the first sentence with the following:
This clause specifies five digital signature mechanisms with linking capability.
Replace the text of NOTE 1 with the following:
In the literature, the mechanism of 6.2 is called a list signature scheme, the mechanism of 6.6 is
called a pre-DAA scheme and the mechanisms of 6.3, 6.4 and 6.5 are called DAA schemes. The
mechanisms given in 6.2, 6.4, 6.5 and 6.6 are based on schemes originally specified in References [9],
[6], [11] and [22] respectively, in which security proofs can also be found. The mechanism in 6.3 is
based on a scheme in Reference [3] which is a minor modification of the scheme in Reference [4];
the associated security analysis is given in the full version of Reference [4].
6.6
Add new subclause 6.6 as follows:
6.6 Mechanism 8
6.6.1 Symbols
The following symbols apply in the specification of this mechanism.
— τ : a security parameter.
— $P_1$, $Q_1$, $X_1$, $Y_1$, $X_1'$, $X_1''$, $C_1$, $D$, $D'$, $T_1$, $T_2$, $K_1$, $K_2$, $K$, $K_1'$, $K_2'$, $K'$, $J$, $T_1'$, $T_2'$, $R$, $R'$, $T$, $T'$, $R''$, $T''$ : elements of $G_1$.
— $P_2$, $X_2$, $Y_2$, $X_2'$, $X_2''$ : elements of $G_2$.
— $x$, $y$, $z$, $x'$, $z'$, $c_k$, $s_x$, $s_z$, $c_k'$, $s_1$, $u$, $v$, $w$, $v'$, $r$, $s_2$, $k_r$, $k_x$, $k_z$, $c$, $z_r$, $z_x$, $z_z$, $c'$, $s$, $l$, $k_s$, $c_m$, $\rho$, $c_m'$ : integers in $Z_p$.
— $n_I$ : an integer of size τ-bit.
— $H_1$ : a hash function that outputs elements in $G_1$.
— $H_2$, $H_3$ : hash functions that output elements in $Z_p$.
6.6.2 Key generation process
The key generation process has two parts: setup process and group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose τ as a security parameter.
b) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e : G_1 \times G_2 \to G_T$.
c) Choose two random independent generators $P_1$ and $Q_1$ of $G_1$ and provide additional information, denoted by $\pi_{Gen}$, that serve to demonstrate that these two generators were indeed chosen independently, that is without a potentially exploitable relationship between them (such as $Q_1 = [s]P_1$ for an integer $s$ chosen by the group membership issuer). An example of how to verifiably select independent generators and to verify, using $\pi_{Gen}$, the correct generation of these generators, is given in Annex G.
d) Choose a random generator $P_2$ of $G_2$.
e) Choose three hash functions $H_1 : \{0,1\}^* \to G_1$, $H_2 : \{0,1\}^* \to Z_p$ and $H_3 : \{0,1\}^* \to Z_p$. An example of how to construct such hash functions is provided in Annex B.
f) Choose three random integers $x$, $y$ and $z$ in $Z_p$.
g) Compute $X_1 = [z]P_1 + [x]Q_1$, $Y_1 = [y]P_1$, $X_2 = [x]P_2$ and $Y_2 = [y]P_2$.
h) Choose two random integers $x'$ and $z'$ in $Z_p$.
i) Compute $X_1' = [z']P_1 + [x']Q_1$ and $X_2' = [x']P_2$.
j) Compute $c_k = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| X_1' \| X_2')$.
k) Compute $s_x = (x' + c_k \times x) \bmod p$ and $s_z = (z' + c_k \times z) \bmod p$.
l) Set $\pi_{Val} = (c_k, s_x, s_z)$ as a proof that the second component of the representation of $X_1$ in the base $P_1$ and $Q_1$ is equal to the discrete logarithm of $X_2$ in the base $P_2$.
m) Output the following:
— group public parameter = ($G_1$, $G_2$, $G_T$, $e$, $P_1$, $Q_1$, $P_2$, $p$, $H_1$, $H_2$, $H_3$),
— group public key = ($X_1$, $Y_1$, $X_2$, $Y_2$, $\pi_{Gen}$, $\pi_{Val}$),
— group membership issuing key = ($x$, $y$, $z$).
NOTE 1 Examples of recommended parameters are provided in C.2.
Each entity involved in this anonymous signature mechanism should verify the validity of the group
public key before using it. The group public key validity verification process includes the following
steps:
a) Verify that $P_1$ and $Q_1$ were generated independently using $\pi_{Gen}$.
b) Verify the validity of the proof $\pi_{Val}$:
1) Compute $X_1'' = [s_z]P_1 + [s_x]Q_1 - [c_k]X_1$ and $X_2'' = [s_x]P_2 - [c_k]X_2$.
2) Compute $c_k' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| X_1'' \| X_2'')$.
3) Verify that $c_k' = c_k$.
c) Verify that $e(Y_1, P_2) = e(P_1, Y_2)$.
1 2 1 2
d) If any of the above verifications fails, output 0 (invalid), otherwise output 1 (valid).
The group membership issuing process requires a secure and authentic channel between the group
member and the group membership issuer. How to establish such a channel is out of scope of this
mechanism. The group membership issuing process includes the following steps:
a) The group membership issuer chooses a nonce $n_I \in \{0,1\}^\tau$.
b) The group membership issuer sends $n_I$ to the member.
c) The member chooses a random integer $s_1$ from $Z_p$.
d) The member computes $C_1 = [s_1]Y_1$.
e) The member chooses a random integer $u$ from $Z_p$.
f) The member computes $D = [u]Y_1$.
g) The member computes $v = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D \| n_I)$.
h) The member computes $w = (u + v \times s_1) \bmod p$.
i) The member sends ($C_1$, $v$, $w$) to the group membership issuer.
j) The group membership issuer computes $D' = [w]Y_1 - [v]C_1$.
k) The group membership issuer computes $v' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D' \| n_I)$.
l) The group membership issuer verifies $v = v'$. If the verification fails, abort the group membership issuing process.
m) The group membership issuer selects five random integers $r$, $s_2$, $k_r$, $k_x$ and $k_z$ from $Z_p$.
n) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [x]T_1 + [r]C_1 + [r \times s_2]Y_1$.
o) The group membership issuer computes $K_1 = [k_r]P_1$, $K_2 = [k_x]T_1 + [k_r](C_1 + [s_2]Y_1)$ and $K = [k_z]P_1 + [k_x]Q_1$.
p) The group membership issuer computes $c = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K_1 \| K_2 \| K)$.
q) The group membership issuer computes $z_r = (k_r + c \times r) \bmod p$, $z_x = (k_x + c \times x) \bmod p$ and $z_z = (k_z + c \times z) \bmod p$.
r) The group membership issuer sets ($T_1$, $T_2$) as the member’s group membership credential and sends ($T_1$, $T_2$, $s_2$, $c$, $z_r$, $z_x$, $z_z$) to the member.
s) The member computes $K_1' = [z_r]P_1 - [c]T_1$, $K_2' = [z_x]T_1 + [z_r](C_1 + [s_2]Y_1) - [c]T_2$ and $K' = [z_z]P_1 + [z_x]Q_1 - [c]X_1$.
t) The member computes $c' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K_1' \| K_2' \| K')$.
u) The member verifies $c = c'$. If the verification fails, the member aborts.
v) The member computes $s = (s_1 + s_2) \bmod p$.
w) The group member signature key for the member is ($s$, $T_1$, $T_2$).
NOTE 2 The group membership issuer can use the same value $s_2$ (for example $s_2 = 0 \bmod p$) for several executions of the group membership issuing process. In this case, the security of Mechanism 8 relies on the Pointcheval-Sanders (PS) assumption [24], instead of the q-MSDH assumption [25] if the group membership issuer uses a fresh random value $s_2$ for each new session of the group membership issuing process.
6.6.3 Signature process
On input of a group member signature key ($s$, $T_1$, $T_2$), a linking base $bsn$ and a message $m \in \{0,1\}^*$ to be signed, the signature process takes the following steps. The linking base, denoted by $bsn$, is either a special symbol ⊥ or an arbitrary string used for the linking capability.
a) If $bsn = \perp$, the signer chooses a random $J$ from $G_1$, otherwise, computes $J = H_1(bsn)$.
b) The signer selects two random integers $l$ and $k_s$ in $Z_p$.
c) The signer computes $T_1' = [l]T_1$ and $T_2' = [l]T_2$.
d) The signer computes $R = [s]T_1'$ and $R' = [k_s]T_1'$.
e) The signer computes $T = [s]J$ and $T' = [k_s]J$.
f) The signer computes $c_m = H_3(T_1' \| T_2' \| J \| T \| R \| T' \| R' \| m)$.
g) The signer computes $\rho = (k_s + c_m \times s) \bmod p$.
h) The signer outputs the anonymous signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$.
6.6.4 Verification process
On input of a message $m$, a linking base $bsn$, a signature ($T_1'$, $T_2'$, $J$, $R$, $T$, $c_m$, $\rho$) and a group public key ($X_1$, $Y_1$, $X_2$, $Y_2$), the verification process takes the following steps:
a) If $bsn \neq \perp$, verify that $J = H_1(bsn)$.
b) Verify that $T_1' \neq O_E$.
c) If any of the above verifications fails, output 0 (invalid).
d) Compute $R'' = [\rho]T_1' - [c_m]R$.
e) Compute $T'' = [\rho]J - [c_m]T$.
f) Compute $c_m' = H_3(T_1' \| T_2' \| J \| T \| R \| T'' \| R'' \| m)$.
g) Verify that $c_m' = c_m$.
h) Verify that $e(T_1', X_2) \times e(R, Y_2) = e(T_2', P_2)$.
i) Optionally, call the revocation checking process.
j) If any of the above verifications (steps g and h) fails, output 0 (invalid). Otherwise, output 1 (valid).
6.6.5 Linking process
Given two valid signatures $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ and $\hat{\sigma} = (\hat{T}_1', \hat{T}_2', \hat{J}, \hat{R}, \hat{T}, \hat{c}_m, \hat{\rho})$, the linking process takes the following steps:
a) If $J = \hat{J}$ and $T = \hat{T}$, output 1 (linked), otherwise, output 0 (not linked).
NOTE If the linking process outputs 0 because of $J \neq \hat{J}$, it means that the linking process cannot determine whether two signatures were created by the same group member.
6.6.6 Revocation process
Details of the revocation process in this mechanism are surveyed in Reference [10]. There are two types
of revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either global revocation or local revocation. Verifier blacklist revocation
is a local revocation.
Private key revocation:
— If a group member signature key ($s$, $T_1$, $T_2$) is compromised, the group membership issuer puts $s$ into a revocation list RL of this type.
— Given a valid signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking base $bsn$ and a revocation list RL of this type, a verifier can check revocation of this signature as follows: for each $s' \in$ RL, verify $T \neq [s']J$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members. This revocation process makes it possible to identify
every group signature generated using this private key. If this key can be associated with a group member (e.g.
by using contextual information), then no anonymity can be retained for this group member as their signatures
can therefore be traced. This is a property inherent to DAA schemes. Thus, a careful assessment of the need for
revocation and the consequences for the corresponding group member will be carried out before deployment.
Verifier blacklist revocation:
— If signatures were computed using a linking base $bsn$, a verifier can build its own revocation list RL corresponding to $bsn$. If the verifier wants to blacklist the signer of a valid signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$, they put $T$ into a revocation list RL of this type.
— Given a signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking base $bsn$ and a revocation list RL of this type, a verifier can check revocation of this signature as follows: for each $\hat{T} \in$ RL, verify $T \neq \hat{T}$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
In order to use verifier blacklist revocation in this mechanism, a signer must use a specific linking base
for each verifier. The value of the linking base can, for example, be chosen by the verifier or agreed in
advance by the signer and verifier.
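The linking tag and the two revocation checks of 6.6.3 to 6.6.6, as an added Python example that is not part of the standard; all function names are illustrative. Assumptions: secp256k1 stands in for $G_1$, H1 uses try-and-increment rather than the Annex B construction, the issuing protocol is collapsed to its result, and the pairing equation of 6.6.4 step h is omitted, so `verify_proof` alone does not establish group membership.

```python
import hashlib
import secrets

# Assumption: secp256k1 (prime order, no pairing) stands in for G_1.
P = 2**256 - 2**32 - 977  # field prime
N = int("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141"
        .replace(" ", ""), 16)  # group order

def add(A, B):
    """A + B on the curve; None is the neutral element O_E. Inputs assumed on-curve."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """[k]A by double-and-add (not constant time, demo only)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A):
    return None if A is None else (A[0], -A[1] % P)

def enc(*items):
    """Length-prefixed encoding of points, integers and byte strings for hashing."""
    out = b""
    for it in items:
        if isinstance(it, tuple):
            it = it[0].to_bytes(32, "big") + it[1].to_bytes(32, "big")
        elif not isinstance(it, bytes):
            it = b"\x00" if it is None else it.to_bytes(32, "big")
        out += len(it).to_bytes(4, "big") + it
    return out

def H1(data):
    """Hash to G_1 by try-and-increment (assumption, not the Annex B construction)."""
    ctr = 0
    while True:
        h = hashlib.sha256(b"H1" + data + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def H3(*items):
    return int.from_bytes(hashlib.sha256(b"H3" + enc(*items)).digest(), "big") % N

P1 = H1(b"constructed generator P_1")  # constructed stand-in for the generator P_1

def issue(x, y, s):
    """Credential for key s: T_1 = [r]P_1, T_2 = [r(x + y*s)]P_1 (6.6.2 step n, collapsed)."""
    r = secrets.randbelow(N - 1) + 1
    return mul(r, P1), mul(r * (x + y * s), P1)

def sign(key, bsn, m):
    """6.6.3; bsn=None plays the role of the special symbol ⊥."""
    s, T1, T2 = key
    J = H1(bsn if bsn is not None else secrets.token_bytes(32))
    l, ks = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    T1p, T2p = mul(l, T1), mul(l, T2)
    R, Rp = mul(s, T1p), mul(ks, T1p)
    T, Tp = mul(s, J), mul(ks, J)
    cm = H3(T1p, T2p, J, T, R, Tp, Rp, m)
    return (T1p, T2p, J, R, T, cm, (ks + cm * s) % N)

def verify_proof(sig, bsn, m):
    """6.6.4 steps a, b and d-g. Step h (the pairing equation) is NOT checked here."""
    T1p, T2p, J, R, T, cm, rho = sig
    if (bsn is not None and J != H1(bsn)) or T1p is None:
        return 0
    Rpp = add(mul(rho, T1p), neg(mul(cm, R)))
    Tpp = add(mul(rho, J), neg(mul(cm, T)))
    return int(H3(T1p, T2p, J, T, R, Tpp, Rpp, m) == cm)

def link(sig_a, sig_b):
    """6.6.5: linked (1) only if J and T both match."""
    return int(sig_a[2] == sig_b[2] and sig_a[4] == sig_b[4])

def check_private_key_rl(sig, rl):
    """6.6.6 private key revocation: 0 (revoked) if T = [s']J for some s' in RL."""
    return int(all(mul(s_rev, sig[2]) != sig[4] for s_rev in rl))

def check_blacklist(sig, rl):
    """6.6.6 verifier blacklist: 0 (revoked) if T is on this verifier's list."""
    return int(sig[4] not in rl)
```

A private-key revocation list catches a revoked key under any linking base, including ⊥, whereas a blacklist entry only matches signatures made with the same linking base, which is why 6.6.6 requires a specific linking base per verifier.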
7.1
Replace the first sentence with the following:
This clause specifies three digital signature mechanisms with opening capability.
Replace the text of NOTE with the following:
The mechanisms and associated security proofs in 7.2, 7.3 and 7.4 are based on References [17],
[14] and [23] (an extended version of Reference [24]), respectively.
7.4
Add new subclause 7.4 as follows:
7.4 Mechanism 9
7.4.1 Symbols
The following symbols apply in the specification of this mechanism.
— $P_1$, $S_i$, $T_1$, $T_2$, $K$, $K'$, $T_1'$, $T_2'$ : elements of $G_1$.
— $P_2$, $X$, $Y$, $A$, $B$, $Y_i$, $C_1$, $C_2$, $C_3$, $C_4$, $K_1$, $K_2$, $K_3$, $K_4$, $K_1'$, $K_2'$, $K_3'$, $K_4'$ : elements of $G_2$.
— $W$, $W'$, $R$, $R_i$ : elements of $G_T$.
— $x$, $y$, $a$, $b$, $s_i$, $u$, $v$, $k_s$, $k_u$, $k_v$, $c$, $z_s$, $z_u$, $z_v$, $c'$, $r$, $t$, $w$, $c_m$, $z$, $c_m'$ : elements of $Z_p$.
— $H$ : a hash function that outputs elements in $Z_p$.
7.4.2 Key generation process
The group membership issuer key generation process takes the following steps:
a) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e : G_1 \times G_2 \to G_T$.
b) Choose a random generator $P_1$ of $G_1$ and a random generator $P_2$ of $G_2$.
c) Choose two random integers $x$ and $y$ in $Z_p$.
d) Compute $X = [x]P_2$ and $Y = [y]P_2$.
e) Choose a hash function $H : \{0,1\}^* \to Z_p$. Such a hash function shall be constructed as described in Annex B.
f) Output the following:
— group public parameters: ($G_1$, $G_2$, $G_T$, $e$, $p$, $H$, $P_1$, $P_2$),
— group public key: ($X$, $Y$),
— group membership issuing key: ($x$, $y$).
The group membership opener key generation process takes the following steps:
a) Choose two random integers $a$ and $b$ in $Z_p$.
b) Compute $A = [a]P_2$ and $B = [b]P_2$.
c) Output the following:
— group membership opener public key ($A$, $B$),
— group membership opening key ($a$, $b$).
The group membership issuer manages a member-list LIST = (LIST[1], ..., LIST[n]) where n is the
number of group members who are registered so far. Each entry of the list contains information
associated with each registered user. This member-list LIST can be published but it will only be useful
to the group membership opener.
The group membership issuing process is an interactive protocol running between the group
membership issuer and a user $U_i$ to create a group member signature key for the user. It consists of the following steps:
a) $U_i$ selects six random integers $s_i$, $u$, $v$, $k_s$, $k_u$ and $k_v$ in $Z_p$.
b) $U_i$ computes $S_i = [s_i]P_1$ and $Y_i = [s_i]Y$.
c) $U_i$ computes $C_1 = [u]P_2$, $C_2 = Y_i + [u]A$, $C_3 = [v]P_2$, $C_4 = Y_i + [v]B$.
d) $U_i$ computes $K = [k_s]P_1$, $K_1 = [k_u]P_2$, $K_2 = [k_s]Y + [k_u]A$, $K_3 = [k_v]P_2$, $K_4 = [k_s]Y + [k_v]B$.
e) $U_i$ computes $c = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K \| K_1 \| K_2 \| K_3 \| K_4)$.
f) $U_i$ computes $z_s = (k_s + c \times s_i) \bmod p$, $z_u = (k_u + c \times u) \bmod p$ and $z_v = (k_v + c \times v) \bmod p$.
g) $U_i$ sends $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$ and $z_v$.
h) The group membership issuer computes $K' = [z_s]P_1 - [c]S_i$, $K_1' = [z_u]P_2 - [c]C_1$, $K_2' = [z_s]Y + [z_u]A - [c]C_2$, $K_3' = [z_v]P_2 - [c]C_3$ and $K_4' = [z_s]Y + [z_v]B - [c]C_4$.
i) The group membership issuer computes $c' = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K' \| K_1' \| K_2' \| K_3' \| K_4')$.
j) The group membership issuer checks if $c = c'$ and aborts if these two values are different.
k) The group membership issuer stores ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) in LIST[$i$].
l) The group membership issuer selects a random integer $r$ in $Z_p$.
m) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [r \times x]P_1 + [r \times y]S_i$.
n) The group membership issuer sends $T_1$ and $T_2$ to the user $U_i$.
o) The signature key of the group member $U_i$ is then ($s_i$, $T_1$, $T_2$).
7.4.3 Signature process
On input of a group public key ($X$, $Y$), a group member signature key ($s_i$, $T_1$, $T_2$) owned by the signer and a message $m \in \{0,1\}^*$ to be signed, the signature process takes the following steps.
a) The signer selects two random integers $t$ and $w$ in $Z_p$.
b) The signer computes $T_1' = [t]T_1$ and $T_2' = [t]T_2$.
c) The signer computes $W = e([w]T_1', Y)$.
d) The signer computes $c_m = H(T_1' \| T_2' \| W \| m)$.
e) The signer computes $z = (w + c_m \times s_i) \bmod p$.
f) The signer outputs the group signature $\sigma = (T_1', T_2', c_m, z)$.
7.4.4 Verification process
On input of a message $m \in \{0,1\}^*$, a group signature $\sigma = (T_1', T_2', c_m, z)$ and a group public key ($X$, $Y$), the verification process takes the following steps:
a) Verify that $T_1' \neq O_E$. If this verification fails, output 0 (invalid).
b) Compute $W' = e([z]T_1', Y) \times e([-c_m]T_2', P_2) \times e([c_m]T_1', X)$.
c) Compute $c_m' = H(T_1' \| T_2' \| W' \| m)$.
d) Verify that $c_m' = c_m$ holds.
e) If the above verification fails, output 0 (invalid), otherwise, output 1 (valid).
7.4.5 Opening process
Given a group signature $\sigma = (T_1', T_2', c_m, z)$, the member-list LIST = (LIST[1], ..., LIST[n]) and a group opening key ($a$, $b$), the opening process takes the following steps:
a) Compute $R = e(T_2', P_2) \times e([-1]T_1', X)$.
b) For each $i \in [1, n]$,
1) Recover ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) from LIST[$i$].
2) Compute $Y_i = C_2 + [-a]C_1$.
3) Verify if $e(T_1', Y_i) = R$.
4) If the above equation holds, output $i$.
7.4.6 Revocation process
The revocation process is a membership credential revocation. The group membership opener revokes
a user $U_i$ by adding some element $R_i$ (defined below) specific to this user in a revocation list RL.
Revocation can thus be global but also local as any verifier is able to manage its own revocation list by deciding whether or not to include $R_i$. In all cases, the revocation process has no impact whatsoever on the signature process.
— To revoke a user $U_i$, the group membership opener, taking as input the group opening key and LIST = (LIST[1], ..., LIST[n]), proceeds as follows:
a) Recovers ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) from LIST[$i$].
b) Computes $R_i = C_2 + [-a]C_1$.
c) Adds $R_i$ in RL.
— Given a group signature $\sigma = (T_1', T_2', c_m, z)$ and a revocation list RL, test for each element $R_i$ in RL if $e(T_1', R_i) = e(T_2', P_2) \times e([-1]T_1', X)$. If this equality is satisfied by some element $R_i$ in RL, then output 0 (revoked). Otherwise, output 1 (valid).
Annex A
Insert the following lines after id-as-gpk-m-7 OID ::= { id-as-gpk mechanism7(7) }:
id-as-gpk-m-8 OID ::= { id-as-gpk mechanism8(8) }
id-as-gpk-m-9 OID ::= { id-as-gpk mechanism9(9) }
Replace the line of as-gpk-m-7 with the following:
as-gpk-m-7 |
as-gpk-m-8 |
as-gpk-m-9
Insert the following lines after OID id-as-gpk-m-7 PARMS HashFunctions }:
as-gpk-m-8 ALGORITHM ::= { OID id-as-gpk-m-8 PARMS HashFunctions }
as-gpk-m-9 ALGORITHM ::= { OID id-as-gpk-m-9 PARMS HashFunctions }
C.1.1, first paragraph
Replace the paragraph with the following:
The following computational hardness assumptions underlie the security of the mechanisms specified in this document; namely, the strong RSA assumption [13], the decisional Diffie-Hellman (DDH) assumption [2], the strong Diffie-Hellman (SDH) assumption [12], the Lysyanskaya-Rivest-Sahai-Wolf (LRSW) assumption [18], the static Diffie-Hellman (Static DH) assumption [8], the q-MSDH assumption [25] and the Pointcheval-Sanders (PS) assumption [24]. Table C.1 below summarizes which of these assumptions underlie the security of each of the mechanisms specified in this document.
Table C.1
Replace Table C.1 with the following table:
Table C.1 — Mathematical assumptions used in the mechanisms
Strong RSA DDH SDH LRSW Static DH q-MSDH PS
Mechanism 1 √ √
Mechanism 2 √ √ √
Mechanism 3 √ √
Mechanism 4 √ √ √
Mechanism 5 √ √
Mechanism 6 √ √
Mechanism 7 √ √
Mechanism 8 √ √
Mechanism 9 √ √
C.1.7
Add new subclause C.1.7 as follows:
C.1.7 The q-MSDH assumption
Let ($G_1$, $G_2$) be a bilinear group pair of type 3 of large prime order $p$ and an associated pairing function $e : G_1 \times G_2 \to G_T$. Let $P_1 \neq O_E$ (respectively $P_2 \neq O_E$) be given in $G_1$ (respectively in $G_2$). Given $q$ pairs ($[x^i]P_1$, $[x^i]P_2$), for $i$ from 1 to $q$, and a triplet ($[a]P_1$, $[a]P_2$, $[a \times x]P_2$) for some integers $a$ and $x$ in $Z_p$, the q-MSDH assumption states that it is computationally infeasible to generate a tuple ($w$, $R$, $[1/(x + w)]Q$, $[a/R(x)]Q$), where $Q$ is an element of $G_1$ different from the neutral element of this group, $R$ is a polynomial of degree at most $q$ and $w$ is a scalar such that ($X + w$) and $R(X)$ are relatively prime.
C.1.8
Add new subclause C.1.8 as follows:
C.1.8 The Pointcheval-Sanders (PS) assumption
Let ($G_1$, $G_2$) be a bilinear group pair of large prime order $p$ and an associated pairing function $e : G_1 \times G_2 \to G_T$. Let ($P_1$, $[y]P_1$) be given in $G_1$ and ($P_2$, $[x]P_2$, $[y]P_2$) be given in $G_2$ for some integers $x$ and $y$ in $Z_p$. Assume that an oracle can be called that answers queries $s$ in $Z_p$ by a pair ($Q$, $[x + y \times s]Q$), where $Q$ is a random group element of $G_1$. Let this oracle be called with the following queries $s_1$, $s_2$, …, $s_m$. The PS assumption states that it is computationally infeasible to generate a triplet ($t$, $R$, $[x + y \times t]R$), where $t \notin \{s_1, s_2, …, s_m\}$ and $R$ is an element of $G_1$ different from the neutral element of this group.
C.2, first paragraph
Replace the paragraph with the following:
Mechanisms 3, 4, 6, 7, 8, 9 all make use of a pairing function. Methods of generating pairing-friendly
elliptic curves are given in ISO/IEC 15946-5. For current standard security levels (128-bit, 192-bit
and 256-bit), the curve parameters proposed in section 7 of Reference [21] are recommended.
C.2, third paragraph
Replace the paragraph with the following:
The following security parameters are recommended:
— Mechanism 1: For 112-bit security strength, the following parameters are recommended: $l_p$ (1 024-bit), $k$ (160-bit), $l_x$ (160-bit), $l_e$ (170-bit), $l_E$ (420-bit), $l_X$ (410-bit), ε = 5/4.
— Mechanism 2:
— For 104-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (104-bit), $l_e$ (368-bit), $l_e'$ (120-bit), $l_v$ (2 536-bit), $l_\emptyset$ (80-bit), $l_H$ (160-bit), $l_r$ (80-bit), $l_s$ (1 024-bit), $l_\Gamma$ (1 632-bit), $l_\rho$ (208-bit).
— For 112-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (112-bit), $l_e$ (544-bit), $l_e'$ (128-bit), $l_v$ (2 720-bit), $l_\emptyset$ (128-bit), $l_H$ (256-bit), $l_r$ (128-bit), $l_s$ (1 024-bit), $l_\Gamma$ (2 048-bit), $l_\rho$ (224-bit).
— Mechanism 5:
— For 80-bit security strength, the following parameters are recommended: K (1 024-bit),
n
K (160-bit), K (160-bit), K (60-bit), K (504-bit), K (60-bit).
′
c s e e
— For 112-bit security strength, the following parameters are recommended: K (2 048-bit),
n
K (224-bit), K (224-bit), K (112-bit), K (736-bit), K (60-bit).
c s e e′
— For 128-bit security strength, the following parameters are recommended: K (3 076-bit),
n
K (256-bit), K (256-bit), K (128-bit), K (832-bit), K (60-bit).
′
c s e e
Annex D, eleventh paragraph
Replace the paragraph with the following:
There are five revocation mechanisms specified in this document. Credential update is a type of
membership credential revocation, where each signer updates its credential so the proof that the
membership credential of the signer is not in the list is inherited in signature generation.
Table D.1 summarizes which mechanisms are global revocation and which are local.
Table D.1
Replace Table D.1 with the following table:
Table D.1 — Categorization of revocation mechanisms
Private key Verifier blacklist Signature Membership Credential
revocation revocation revocation credential update
revocation
Global revocation √ √ √ √
Local revocation √ √ √ √
Table D.2
Replace Table D.2 with the following table:
Table D.2 — Revocation options used in the anonymous signature mechanisms
Private key Verifier blacklist Signature Membership Credential
revocation revocation revocation credential update
revocation
Mechanism 1 √ √
Mechanism 2 √ √
Mechanism 3 √ √ √
Mechanism 4 √ √ √ √
Mechanism 5 √
Mechanism 6 √
Mechanism 7 √
Mechanism 8 √ √
Mechanism 9 √
Annex D, NOTE 2
Replace the first three sentences of NOTE 2 with the following:
In mechanisms 1-4 and 8, it can be possible for the holder of a revoked private key to be “framed”
for signatures they did not create. If a malicious entity learns a group member private key from the
revocation list, it can obtain a valid group membership credential on that key. In mechanism 3 when
the group membership issuing process is run by the signer with the issuer and in mechanisms 4
and 8, the malicious party can obtain a valid group membership credential by re-enrolling with
this private key.
Annex D, NOTE 3
Replace the first sentence of NOTE 3 with the following:
In mechanisms 1-4 and 8, the group membership issuer can create membership credentials on a
group membership private key that it learned.
E.8
Add new subclause E.8 as follows:
E.8 Mechanism 8
Security parameter
τ = 128
The groups $G_1$, $G_2$ and $G_T$ shall be constructed by using the BLS-462 curve defined in ISO/IEC 15946-5:2022, D.3.3.
This curve is defined by the parameters:
$u = -2^{77} + 2^{50} + 2^{33}$
p =
1555 5545554D 5A555A55 D6941493 5FBD6F1E 32D8BACC A47B1484 8B42A8DF FA5C1CC0
0F26AA91 557F0040 00200005 55554AAA AAAC0000 AAAAAAAB
a = 0
b = 4
(uncompressed) G =
023EEF43 38128200 BF5BF4FE 4BB7934B 9DFB4DB5 B8D3590C 01362DB4 040672C0 8172E8CF 3795B85F
1D89DDBF CC047A20 E4D33AAE 107E127F 4EC2039E CE0C0947 FEB77E57 8B058D1D 4D57E0A4 769D50A0
22FC74EF D181D31F A66BDFCE 38A80BDA B1B73B90 E59CFD7B 1402BC10 B4B912C3 F433F34A
n =
FFFFF F7FFFC01 80017FE0 5FD000E8 01FC017F FC800011 00007FEF FFEFFFFC 00000000 00000001
(cofactor) r =
1555554 FFFFD55A AAB01556 AAA7FFFE AAAAAAAB
In the following numeric example, P in G is represented as P.x || P.y, where P.x and P.y are elements in F(p). In the same way $P_2$ in $G_2$ is represented as $P_2.x \| P_2.y$, where $P_2.x$ and $P_2.y$ are elements in F(p).
SHA-256 is used as the underlying hash function.
Group membership issuer key generation
x =
00049733 F8F718B4 E10E5561 C41F228B B95FDB87 6341998A 4565895C 7B3FF872 716ECEAD 22B12685
y =
000DD4A8 D8D28000 79FB33B7 A8B44CF4 3C897972 8C6D631A B72DFAED B1C2D991 C9871849 DCA89CE0
z =
00073F1B C112FA0B 976C7BF5 56B09829 C4C26810 ED139AAF 4F44967A 80AB930E F96F1AAC 14C5B248
P =
0D1D6167 8F1BD8CE EEC6C5CF 6B10B11C 7074E954 F64C3C37 9F1BD278 992F0827 3FE13089 A115260C
C033E469 DC88C8A9 EF68B1C7 B4B2CF4E 2ACA10F4 3C6BFA15 4EB071ED 4ECDB73C 90BD8FE1 1ACB9693
EC020AAC 772FEB72 B57039BF DA6D7F45 97C65249 B7CB371C 959EB84B 9939BE5B 16FB3541
Q =
0CAC1679 151DBBFE 05DCFCFC 098D0845 A49E625D 9FD1F057 1BE9DCF7 5F722823 5888646E 56D4D26D
E47C8EFB FE080B93 4CA87537 89C8D13E 16AF10EE 062BC15C 6D8A821A A2EEE5D3 12A1D64D D3350103
2EBC625D 00D975B1 ED43762F E98DF984 0863E731 A9CB7C25 FE3E199E 0814935F FD249D4F
P =
0AA6EE37 803835BC 41CB01B5 27BE2C3D A3FEC9D7 3CAA9147 D67E5BBE 7776E1BB 77A15BC0 4EA31410
6B13FD12 8C017B49 A86E5CA4 06F638C6 B25E09F7 6927330E B7AFB96F D63DADEF 95E66AE5 75656DD4
CB08CC46 AD80CD1C 041FA96A 9A0F8519 46745EDC 44BABBC6 A8EB06A2 63AE805A 741F43A8 00F38198
DE2EFE97 FD6C0A02 EFFF5C11 FEA60504 697E18A0 D6C35073 69B167F0 58F29647 77309E79 211FF700
67D6C576 32353791 7BAB03C5 07FD0FC7 FA314144 8DFC13F5 4B7ADDCA 51FC4A47 45FE427E E509D485
A64E8BC9 116F5D83 70F237CF 063B8446 BF287E4D 2539BF44 EA4B8C12 965786C1
X =
029C24BA 66D921C0 0833BF32 48C0D070 4F63194E 424E4482 D9822695 B8AD6E62 7F5F75E2 21D555B6
7D61E315 14C6706E CD988A9F 3246644A 248B13BB 618C9D81 3B6A9644 E1169A7F D00EC234 CD03A374
01F67112 3E65A16F 99FB1915 027F2031 F3FE09E0 E5962BE8 F4A05F28 83706988 4FF5449A
Y =
0BBA851D AF4ECEF2 25B27CC6 EF1C5B80 E7A77329 94B7C216 922963DD 75816C6E 2B6762CA 0AEE7D23
08952478 F881B1DA 81B09F63 6F32A9DF AEA506CA D30DE5E3 4542C843 52DCA8A9 EA1884AD A5685BDF
8EDF8A2F B012A7A2 2F07C4C8 7265DDDB A854174F 83BFA29E C519C9FC 3002A4A6 0050A7D6
X =
052B4CF9 16462ACE ADAB3220 1556CA3F D11CA47B 8B55086F 25AE0F7D 87E149BE 4EE9BFF2 2EB2A9A1
30E06BF2 19448E3E 5EA3855C CB227FEE F3C81432 7C348579 33CF4A5D 764539E4 8DE74D6A 639FF75B
10DB90C4 700B535C F7B8626E 06077DC6 0EEC2B00 A3E61DF2 19DEE937 F062038C 198A34D3 0870C7B4
BFC06E11 D814F7D5 58A31925 BD51EF5C 04CEBB76 E97A60E2 598653EA 7FA9B5DC 1A50E2A9 FABB33C5
C999F1F0 6D07AE93 A7EAA496 21460D87 3DF3F046 9129BF15 F3344BED B6B817E5 27A4DEAD 48A0DC74
B1D59CC5 E781B755 7CC8ECEA BBE29AC2 8D85CD3C 3D97B592 F428C975 24E051CA
Y =
0E3E4BFF F58E6F0D 99D305AF C023232A 7B290855 DA20DEBE 78D04B30 FFBF5A51 6E5AE687 04C45121
920A9919 823D5711 E5F318E4 D92FDED4 3FF10DC6 3707BABD F94F9F6C B5E7ECD5 A8B8E27A 7FAE93FE
200D172B 23148B57 220E9A99 C1696F08 50FBD981 093B630B D6D6549F 50122B8C BD99715F 0EA1B461
B93A5887 F1DB2D37 D1464B78 5313EBA8 D83660DC 86A99BF5 8A7A8632 B95B28CF 06306EAA 2C884A06
2A590C6E 254C96C6 FA0454DF 2A1E0F29 B393319F 0E0F5241 B86E65E5 58E5CC63 7EC13DC3 1F355F67
45F7811E 8026DE77 FCFD967C D9C6DB73 F1408300 6F5CF1D5 86A35E96 DC790765
Group membership issuing process
n_I =
445F8AEC 300DCF97 88FC08A7 6E7A2C38
s =
0003944C B4EFC1BC 1B9345C1 ECFFD432 ED9F99B9 54B8AEAD 3700D233 6F329249 3CB91195 6B4BA2B4
u =
000539E3 E744AA6E 8F364E86 6BB5C9E1 625E6B5A 11043986 264A9219 0ACB5BB5 8E743307 2127727A
C =
133B1A42 DCFEC9B9 6931B63D 1CEA686B D04B6E08 975EF31D 04DFDC8D 1CEA5483 EB861BFC E4FE5DFD
DD44B094 BB50825F 8373910E 29D0F36B 849514F3 45DE9AA9 213EDA5F 6C054EEF C409C497 EA355639
1039E6E1 E701283B 8D155763 49A3AFA3 DCFD7F3B 797D9D6A B33F6D53 E6B618E8 884BC737
D =
003B115D 9906A915 31B10D73 920821D3 F12DDC38 9FD8DCB2 29FC33E0 B14F0DE5 61DE19B0 4F9445BD
61EF30EA 530C22CB 73089FBD DE1BEA11 895D14F2 1FECCCDD D45DA69F C16706D9 B11EE000 A00BF518
E0A462A5 34866595 BD7B1091 0EFECA6D 861BA676 5C9FA417 6A031F1F 4B1949DF CA4A46E9
v =
AD00E959 A1ABA12E F887558D 04D1B667 529ECE62 3726221A 38C2116C F0118D3E
w =
000ED654 F6672247 AD47BFF2 57F67A95 0CF1B544 9F71EA0E 4F3182D8 22367784 975100B4 4A5D579E
D' =
003B115D 9906A915 31B10D73 920821D3 F12DDC38 9FD8DCB2 29FC33E0 B14F0DE5 61DE19B0 4F9445BD
61EF30EA 530C22CB 73089FBD DE1BEA11 895D14F2 1FECCCDD D45DA69F C16706D9 B11EE000 A00BF518
E0A462A5 34866595 BD7B1091 0EFECA6D 861BA676 5C9FA417 6A031F1F 4B1949DF CA4A46E9
v' =
AD00E959 A1ABA12E F887558D 04D1B667 529ECE62 3726221A 38C2116C F0118D3E
r =
000684F8 CA32C059 5B81CF59 4D5EDF59 55E63C05 A457D624 9AA3F0D6 BBBFA775 F314FFC9 6CFFAE84
s =
000735CF BA8ACE92 005CD792 2643BA25 50B2D7E4 49411F11 1F97B6C8 803BBF11 6E6C0450 99EC2767
k_r =
000B7DDF D567AA6F 83081001 A230592D 706078A7 37D04810 24F6E542 323ED467 460337AA FFAE5F38
k_x =
000BC74A 86C37A14 8E4434B0 A4C254BA F0A28DFB 95715AD9 6B534FE5 35297DC2 E1E4A40E 84DF6D9E
k_z =
000B566B 9ED799A6 BB8061AF C0338435 0D0377A8 F3C75E9A 2BE1631E B45D0FAC 25D6D986 8525F779
T =
06F23C80 5437A50B B83D974E 658BD70F B7063418 54E1E503 D7E33197 AB2A22F6 210FB1DA 12F834E3
B1F52931 22666202 B1C6CA4E B9EA14A4 0E8913B9 1D94B361 862A653A D4A71EA0 26530FE3 5FE9F688
FA1AE672 9FCFE016 51DAC03A BE0C2C5B 312508AA C44EE867 BF3C8087 88A8FFD9 A57BE4FE
T =
0991CE1C 6575C5CE FFBC6967 B2AEAD10 A951D0D1 B56E9DCE 54D37BF3 EFC1F217 C86A0204 53FC4CD2
1E721469 0C3B7B98 9785E03F B20FB7EE 3EC1054D D8E9B72A C40C5F18 BE6EDF61 38DF60F8 3A7E991C
167ADD0D 4789C399 0327F749 471C431C D8A8905E B9029BB1 F3E9500C 49E143CB 46537ECE
K =
0235E50D 6D5B8298 5997ED82 F142ED0A AC30E35C 3DD88689 70033588 E3285718 D1265C91 F0D72960
6647AE1E 1034898F E437E0F1 0466A09D 23BE0471 BE01C0CB C5F79EDC 613733B3 2AEF2A66 259C759B
435AE85A ACC7DC56 73528770 5F65697B 9424E454 B655B617 0D151723 F4665C96 683104FE
K =
10001B14 B4474D8A 5E4D05BC 7B795DA7 E28C5DEE 6C9D6BE8 EDD152E7 A870B7A7 56EAC839 7FCCDD56
E26342E5 C25D5AE2 6A044413 4334142F 4B641407 3ACF0276 E8D74241 9C4CA853 2A9F424E 382750CF
179CC3AF E5B3F054 61A27C74 56DA47B3 3FDEDAA1 8B296290 4A1A0CC9 4775BC93 E166D3F3
K =
0891B7E8 91F1FE93 7373AE84 1E78C591 42BC0796 5F0361F5 4E5ACF39 B2922EFC 9F843D50 38FA13CC
C24F887D 5FD824B7 8B89B4AB 7C1C5388 1BE513BC 1C946C94 BFAD98B5 5B960D95 32382813 7610A288
61F98CC0 0E4443D6 2DD27A49 7D87E992 9DBDAF4B E126FEEC 6D6F66C8 CDF31D2C 8C7FC9AD
c =
6BBA6AC3 D099E294 FF6A0A16 6F4E470C B9F3C96C 381279D5 5123A7DE 22FB2A1B
z_r =
0005D015 C7FAA5DA 8A331D22 04E783CB 412444EA C7CC25F7 ECFFB8EF 1C45264D DCF7EDDD 4A138B66
z_x =
0008DB60 D4B86A68 F88C66A1 1F27A927 9AFE9E67 762583A6 3BCDCB06 FFC8EAEF 351E76FF DA80706B
z_z =
000A2A2C 9F20F63A 6AC48E76 41E064F8 E4EF46A8 1327BE3D 364ACCEE 5F85DE11 0C993886 64D691E5
K' =
0235E50D 6D5B8298 5997ED82 F142ED0A AC30E35C 3DD88689 70033588 E3285718 D1265C91 F0D72960
6647AE1E 1034898F E437E0F1 0466A09D 23BE0471 BE01C0CB C5F79EDC 613733B3 2AEF2A66 259C759B
435AE85A ACC7DC56 73528770 5F65697B 9424E454 B655B617 0D151723 F4665C96 683104FE
K' =
10001B14 B4474D8A 5E4D05BC 7B795DA7 E28C5DEE 6C9D6BE8 EDD152E7 A870B7A7 56EAC839 7FCCDD56
E26342E5 C25D5AE2 6A044413 4334142F 4B641407 3ACF0276 E8D74241 9C4CA853 2A9F424E 382750CF
179CC3AF E5B3F054 61A27C74 56DA47B3 3FDEDAA1 8B296290 4A1A0CC9 4775BC93 E166D3F3
K' =
0891B7E8 91F1FE93 7373AE84 1E78C591 42BC0796 5F0361F5 4E5ACF39 B2922EFC 9F843D50 38FA13CC
C24F887D 5FD824B7 8B89B4AB 7C1C5388 1BE513BC 1C946C94 BFAD98B5 5B960D95 32382813 7610A288
61F98CC0 0E4443D6 2DD27A49 7D87E992 9DBDAF4B E126FEEC 6D6F66C8 CDF31D2C 8C7FC9AD
c' =
6BBA6AC3 D099E294 FF6A0A16 6F4E470C B9F3C96C 381279D5 5123A7DE 22FB2A1B
s =
000ACA1C 6F7A904E 1BF01D54 13438E58 3E52719D 9DF9CDBE 569888FB EF6E515A AB2515E6 0537CA1B
Signature process
message m =
"Data to sign"
J =
0C2C0E28 D59346D8 45ED29E5 CFE7CBBF E18CD573 6966825D 94CC1140 1A529B0F 8CB37561 D79EDCC2
680034F3 4724A0FF 73A3A1E9 759452E5 ADFD0D73 724493A8 B6A1B221 4E3DF3F3 F1B7225F 1798C92B
8B6849D2 9C671AAD 6873CEC4 84D81E64 42AB0FCE 1601690D 7020B6C0 EEB301BB EB66D692
l =
0002C46A C93BB89C 505E5723 4E320D2C 0437AA72 2647761F C3941FC0 7252CA6E 7F96FFFA 48CCB186
k_s =
0008A1E1 F3D62F50 DF798B66 063511B3 6F8EE4FA 9F0CD5AB 668FC567 4E3D1028 9D330932 6E17A867
T' =
0AAE5075 82D3A1C7 49A60007 6F5499B5 99749898 25588C4A DF607DBE 5BD7F575 6B61D1E7 E633B39F
1F768CA4 1423A7C6 23FF6A0D 1A838D99 100E0891 C2E98E2E 58AB4369 1E7FC7E4 4F0D4614 D254C9C3
78AE65FA BD1A79F5 D9BAAAE0 2FEDF765 9C69347B 90DF8D45 7CB0C42D EB1700D9 2A79D1F8
T' =
0E244CAE F717ACCA A842CF6E 46F47291 C8CC9692 DAF73BF1 8E99AF16 5EA4746B 5E1FAEC8 B0A4CACB
50140398 F9C7358F 1AF9C112 C27FC699 48470FF0 6FB24ACC C9F9F347 595C33DC E17EC565 612DBB6A
E005AF0B E6A30084 0C87F1D0 6B5B356B E658BCF1 E1A7E3D4 0E735374 3AD35D1E EB9D3808
R =
04DCF8C3 07861012 A4F9CEFF D3FEECFD 6653FCC8 0A30253F 693C0613 DEC29AF3 2DA63E88 2B94BCF8
30B7CD9B 328C4FD0 75A70BDC 3BB2111F 6F021459 77EE545C 0ECB280B 613BE3D4 44036EC0 7DB5EB42
96713BAB 30F66A20 99E9DB76 8F5AA7E4 A1668921 AF1BBFF6 AC82D917 1E35E638 6A50F08B
R' =
03759853 71F19A13 B0A64FD8 3960506A 69DDCD58 D6C7B891 45BBECA7 834C7802 94AF5738 58D2946B
0B67D554 76592CF3 3060AFA7 A5F5FC0D 781901DD 6F5D6C24 DC18B580 3738A892 BB9BF2E3 44C01250
18EA0789 ADA51A93 F52D1125 6D677647 6DE9BF20 FE0774CA 82B5B5DC C34EEE82 A2D7FF84
T =
0D4CCC68 B34CA281 03A9277F B8BC1CE2 C5118834 BD91F432 913E8847 E6284255 383ABBCA 8ADE57A0
C26FFB07 C1C672BA 49A433F3 992B2CB2 DB960E2D 28FC7CAE 16AD6E51 1B9DE20D BE9032B0 A7784006
CF9DA520 99123CBB 324978A5 1A19C6BB 218A2AC9 E8BE3617 69110A36 A804BCC1 A92195C3
T' =
1216EFBC 335F37F0 6BFB3EA3 F05FDDB2 C2BD165C FD7F700A 9AA47985 92B1243F 7E790E18 FBF69AC8
B7393AD0 C31E8E75 A775BFF2 0D58EA1F ADF812F9 B9681F58 008ECD9A E987566A 55200402 58EACAFB
53DBC3E2 9CB75E79 BEE6288B FBE3D7BC C8350455 6407D3DE FBFB7D0A E3BDC93F 107FB4E9
c_m =
7F9BA86D 285BB773 E4085B8A 23DEA69C B1670442 02520155 72A45688 2F611E9E
ρ =
0001BBEF 872780BD D763A3B1 A1B5BCEC 090D907D 811BB727 771C9DA0 B1216A2D 60A45167 667A46C8
Verification process
R'' =
03759853 71F19A13 B0A64FD8 3960506A 69DDCD58 D6C7B891 45BBECA7 834C7802 94AF5738 58D2946B
0B67D554 76592CF3 3060AFA7 A5F5FC0D 781901DD 6F5D6C24 DC18B580 3738A892 BB9BF2E3 44C01250
18EA0789 ADA51A93 F52D1125 6D677647 6DE9BF20 FE0774CA 82B5B5DC C34EEE82 A2D7FF84
T'' =
1216EFBC 335F37F0 6BFB3EA3 F05FDDB2 C2BD165C FD7F700A 9AA47985 92B1243F 7E790E18 FBF69AC8
B7393AD0 C31E8E75 A775BFF2 0D58EA1F ADF812F9 B9681F58 008ECD9A E987566A 55200402 58EACAFB
53DBC3E2 9CB75E79 BEE6288B FBE3D7BC C8350455 6407D3DE FBFB7D0A E3BDC93F 107FB4E9
c'_m =
7F9BA86D 285BB773 E4085B8A 23DEA69C B1670442 02520155 72A45688 2F611E9E
E.9
Add new subclause E.9 as follows:
E.9 Mechanism 9
The groups G_1, G_2 and G_T are constructed by using the BLS-462 curve defined in ISO/IEC 15946-5:2022,
D.3.3.
This curve is defined by the parameters:
u = -2^77 + 2^50 + 2^33
p =
1555 5545554D 5A555A55 D6941493 5FBD6F1E 32D8BACC A47B1484 8B42A8DF FA5C1CC0
0F26AA91 557F0040 00200005 55554AAA AAAC0000 AAAAAAAB
a = 0
b = 4
(uncompressed) G =
023EEF43 38128200 BF5BF4FE 4BB7934B 9DFB4DB5 B8D3590C 01362DB4 040672C0 8172E8CF 3795B85F
1D89DDBF CC047A20 E4D33AAE 107E127F 4EC2039E CE0C0947 FEB77E57 8B058D1D 4D57E0A4 769D50A0
22FC74EF D181D31F A66BDFCE 38A80BDA B1B73B90 E59CFD7B 1402BC10 B4B912C3 F433F34A
n =
FFFFF F7FFFC01 80017FE0 5FD000E8 01FC017F FC800011 00007FEF FFEFFFFC 00000000 00000001
(cofactor) r =
1555554 FFFFD55A AAB01556 AAA7FFFE AAAAAAAB
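The following is an added example, not part of the standard: a consistency check that a transcription of the curve parameter list above (the same list is given for Mechanism 8) can be run through before the numeric examples are used as test vectors. It assumes the curve is a BLS12-family curve, so that the values labelled p, n and "(cofactor) r" are all determined by u; the function names and the point-format helper are illustrative.

```python
# Added example (not part of the standard): consistency check of the curve
# parameters transcribed above. Assumption: BLS12 family polynomials
#   n(u) = u^4 - u^2 + 1,  h(u) = (u - 1)^2 / 3,  p(u) = h(u) * n(u) + u.

def from_hex(text):
    """Parse a hex value printed in space-separated groups."""
    return int("".join(text.split()), 16)

U = -(2**77) + 2**50 + 2**33  # u as given on the page
B = 4                         # curve y^2 = x^3 + a*x + b with a = 0, b = 4

# Values copied from the page (labelled p, n and "(cofactor) r" there).
P_PAGE = from_hex("""1555 5545554D 5A555A55 D6941493 5FBD6F1E 32D8BACC A47B1484
    8B42A8DF FA5C1CC0 0F26AA91 557F0040 00200005 55554AAA AAAC0000 AAAAAAAB""")
N_PAGE = from_hex("""FFFFF F7FFFC01 80017FE0 5FD000E8 01FC017F FC800011 00007FEF
    FFEFFFFC 00000000 00000001""")
H_PAGE = from_hex("1555554 FFFFD55A AAB01556 AAA7FFFE AAAAAAAB")

def derive(u):
    """Return (p, n, h) computed from the seed u."""
    n = u**4 - u**2 + 1
    square = (u - 1) ** 2
    if square % 3:
        raise ValueError("(u - 1)^2 is not divisible by 3")
    h = square // 3
    return h * n + u, n, h

def parse_point(text, p):
    """Split P.x || P.y into two F(p) elements of equal length."""
    digits = "".join(text.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    half = len(digits) // 2
    x, y = int(digits[:half], 16), int(digits[half:], 16)
    if x >= p or y >= p:
        raise ValueError("coordinate is not reduced modulo p")
    return x, y

def on_curve(text, p=P_PAGE, b=B):
    """Check y^2 = x^3 + b (mod p) for a point given as P.x || P.y."""
    x, y = parse_point(text, p)
    return (y * y - (x**3 + b)) % p == 0

if __name__ == "__main__":
    print("parameters consistent:", derive(U) == (P_PAGE, N_PAGE, H_PAGE))
```

A point from the numeric example, such as the uncompressed G, can be passed to `on_curve` as printed, spaces and line breaks included.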
In the following numeric example, P in G is represented as P.x || P.y, where P.x and P.y are elements in
F(p). In the same way P_2 in G_2 is represented as P_2.x || P_2.y, where P_2.x and P_2.y are elements in F(p).
SHA-256 is used as the underlying hash function.
Key generation process (Group membership issuer key generation)
x =
000B5604 DC5A2ACE BB955263 0E274523 C8BF23D3 361862B6 505E5349 CB572B4C 82E5D517 360B4658
y =
000C56B6 865B86F7 F8FA614E 12254EDF 05E04C55 70E3984A E7E77495 09DF654B BAF72CCD 19F03064
P =
023EEF43 38128200 BF5BF4FE 4BB7934B 9DFB4DB5 B8D3590C 01362DB4 040672C0 8172E8CF 3795B85F
1D89DDBF CC047A20 E4D33AAE 107E127F 4EC2039E CE0C0947 FEB77E57 8B058D1D 4D57E0A4 769D50A0
22FC74EF D181D31F A66BDFCE 38A80BDA B1B73B90 E59CFD7B 1402BC10 B4B912C3 F433F34A
P =
05D75191 145C880D 428796E8 C5F45F4E 0DBCFA32 F8EC80BB BD0B52B2 DAFFA29D 0CA2AEFF F23A4E9D
8E2C7B83 D1AB0935 1EFFA7AB 256BE294 2EE813E8 FF40EEA4 537DC516 11128F1E A2A28DFF E1C5FA59
C36F9004 0069E915 1272E89E 3B565460 0328F730 BDF1495C CEE1220E B5CFD3A3 658C672C
...







