Reference number ISO/IEC 29150:2011(E)
© ISO/IEC 2011

INTERNATIONAL STANDARD ISO/IEC 29150
First edition 2011-12-15

Information technology - Security techniques - Signcryption
Technologies de l'information - Techniques de sécurité - Signcryptage

ISO/IEC 29150:2011(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword  v
Introduction  vi
1 Scope  1
2 Normative references  1
3 Terms and definitions  2
4 Symbols and notations  7
5 Finite fields and elliptic curves  8
5.1 Finite fields  8
5.2 Elliptic curves  9
6 Conversion functions  10
6.1 Bits and strings  10
6.2 Conversion between bit strings and integers  11
6.3 Conversion between finite field elements and integers/bit strings  11
6.4 Conversion between points on elliptic curves and bit strings  11
7 Cryptographic transformations  12
7.1 Introduction  12
7.2 Cryptographic hash functions  12
7.2.1 Standard cryptographic hash functions  12
7.2.2 Full domain cryptographic hash functions  12
7.2.2.1 General  12
7.2.2.2 Allowable full domain cryptographic hash function (FDH1)  13
7.3 Key derivation functions  13
8 General model for signcryption  13
9 Discrete logarithm based signcryption mechanism (DLSC)  15
9.1 Introduction  15
9.2 Specific requirements  15
9.3 System wide parameters  15
9.4 Key generation algorithm  16
9.5 Signcryption algorithm  16
9.6 Unsigncryption algorithm  17
10 Elliptic curve based signcryption mechanism (ECDLSC)  18
10.1 Introduction  18
10.2 Specific requirements  18
10.3 System wide parameters  18
10.4 Key generation algorithm  19
10.5 Signcryption algorithm  19
10.6 Unsigncryption algorithm  20
11 Integer factorization based signcryption mechanism (IFSC)  21
11.1 Introduction  21
11.2 Specific requirements  22
11.3 System wide parameters  22
11.4 Key generation algorithm  22
11.5 Signcryption algorithm  22
11.6 Unsigncryption algorithm  23
12 Encrypt-then-sign-based mechanism (EtS)  26
12.1 Introduction  26
12.2 Specific requirements  26
12.3 Key generation algorithm  26
12.4 Signcryption algorithm  27
12.5 Unsigncryption algorithm  27
Annex A (normative) Object identifiers  28
Annex B (informative) Security considerations  30
Annex C (informative) Guidance on use of the mechanisms  36
Annex D (informative) Examples  40
Bibliography  52

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 29150 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
When data is sent from one place to another, it is often necessary to protect it in some way whilst it is in transit, e.g. against eavesdropping or unauthorized modification. Similarly, when data is stored in an environment to which unauthorized parties can have access, it is important to protect it against unauthorized access.
If the confidentiality of the data needs to be protected, e.g. against eavesdropping, then one solution is to use public key encryption, as specified in ISO/IEC 18033. Alternatively, if it is necessary to protect the data against unauthorized modification or forgery, then digital signatures, as specified in ISO/IEC 9796 and ISO/IEC 14888, can be used.
If both confidentiality and unforgeability are required, then one possibility is to use both public key encryption and digital signature. Whilst these operations can be combined in many ways, not all combinations of such mechanisms provide the same security guarantees. As a result it is desirable to define in detail exactly how confidentiality and unforgeability mechanisms should be combined to provide the optimum level of security. Moreover, in some cases significant efficiency gains can be obtained by defining a single method of processing the data with the objective of providing both confidentiality and unforgeability.
In this International Standard, signcryption mechanisms are defined. These are methods for processing data to provide both confidentiality and unforgeability. These data processing methods typically involve either the use of an asymmetric encryption scheme and a digital signature scheme combined in a specific way or the use of a specially developed algorithm which fulfils both functions simultaneously. The methods specified in this International Standard have been designed to maximise the level of security and provide efficient processing of data. All the mechanisms defined here have mathematical “proofs of security”, i.e. rigorous arguments supporting their security claims.

INTERNATIONAL STANDARD ISO/IEC 29150:2011(E)
Information technology - Security techniques - Signcryption

1 Scope
This International Standard specifies four mechanisms for signcryption that employ public key cryptographic techniques requiring both the originator and the recipient of protected data to have their own public and private key pairs. This
International Standard is not applicable to infrastructures for management of public keys, which are defined in ISO/IEC 11770-1 and ISO/IEC 9594.
NOTE 1 Signcryption mechanisms are defined ways of processing a data string with the following security objectives:
- data confidentiality, i.e. protection against unauthorized disclosure of data;
- data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified;
- data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator;
- data unforgeability, i.e. protection against unauthorized modification of data, even by a recipient of the data.
These four security objectives are not necessarily mutually exclusive. The fourth objective, data unforgeability, is in particular a stronger notion of security that implies both data integrity and data origin authentication.
NOTE 2 Two of the mechanisms specified in this International Standard, namely mechanisms DLSC and ECDLSC, require the employment of system wide public key parameters for both the sender and the recipient of data. In a system where multiple pairs of senders and recipients exist, the same system wide parameters are required to be used by all these users. The two remaining specified mechanisms, namely IFSC and EtS, do not require the use of such system wide public key parameters.
NOTE 3 In selecting the four signcryption mechanisms for inclusion in this International Standard from the large variety of such techniques published and in use, the same seven criteria as those stated in ISO/IEC 18033-1:2005, Annex A, have been followed. The exclusion of particular methods does not imply that those methods are insecure.
NOTE 4 This International Standard bears a conceptual similarity to ISO/IEC 19772 [14], which specifies a number of mechanisms for authenticated encryption, that is, simultaneously achieving message integrity and confidentiality. Major differences between ISO/IEC 19772 and this International Standard include (1) mechanisms specified in ISO/IEC 19772 fall into the category of symmetric cryptographic techniques, whereas those specified in this International Standard are representatives of asymmetric cryptographic techniques; (2) while all mechanisms specified in ISO/IEC 19772 and this International Standard offer the capability of data integrity and origin authentication, mechanisms specified in this International Standard further offer the capability of data unforgeability, even by a recipient of the data.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only
the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 9796-2:2010, Information technology - Security techniques - Digital signature schemes giving message recovery - Part 2: Integer factorization based mechanisms
ISO/IEC 9796-3:2006, Information technology - Security techniques - Digital signature schemes giving message recovery - Part 3: Discrete logarithm based mechanisms
ISO/IEC 14888-1:2008, Information technology - Security techniques - Digital signatures with appendix - Part 1: General
ISO/IEC 14888-2:2008, Information technology - Security techniques - Digital signatures with appendix - Part 2: Integer factorization based mechanisms
ISO/IEC 14888-3:2006, Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms
ISO/IEC 18033-1:2005, Information technology - Security techniques - Encryption algorithms - Part 1: General
ISO/IEC 18033-2:2006, Information technology - Security techniques - Encryption algorithms - Part 2: Asymmetric ciphers

3 Terms and definitions
For the purposes of this document, the following
terms and definitions apply.

3.1 asymmetric cipher
alternative term for asymmetric encryption system
[ISO/IEC 18033-1:2005]

3.2 asymmetric cryptographic technique
cryptographic technique that uses two related transformations, a public transformation (defined by the public key) and a private transformation (defined by the private key)
[ISO/IEC 11770-1:2010]

3.3 asymmetric encryption system
system based on asymmetric cryptographic techniques whose public transformation is used for encryption and whose private transformation is used for decryption
[ISO/IEC 9798-1:2010]

3.4 asymmetric key pair
pair of related keys where the private key defines the private transformation and the public key defines the public transformation
[ISO/IEC 9798-1:2010]

3.5 block
string of bits of a defined length

3.6 block cipher
symmetric encryption system with the property that encryption operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext, and decryption operates on the ciphertext to yield the original plaintext
[ISO/IEC 18033-1:2005]

3.7 cipher
alternative term for encryption system
[ISO/IEC 18033-1:2005]

3.8 ciphertext
data which has been transformed to hide its information content
[ISO/IEC 10116:2006]

3.9 cleartext
alternative term for plaintext

3.10 collision-resistant hash-function
hash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs which map to the same output
[ISO/IEC 10118-1:2000]

3.11 data element
integer or bit string or set of integers or set of bit strings

3.12 decryption
reversal of encryption by a cryptographic algorithm to produce a plaintext

3.13 decryption algorithm
process which transforms a ciphertext into a plaintext
[ISO/IEC 18033-1:2005]

3.14 domain
set of entities operating under a single security policy
[ISO/IEC 14888-1:2008]

3.15 domain parameter
data element which is common to and known by or accessible to all entities within the domain
[ISO/IEC 14888-1:2008]

3.16 encryption
(reversible) transformation of data by a cryptographic algorithm to produce a ciphertext, i.e. to hide the information content of the data
NOTE Adapted from ISO/IEC 9797-1:2011.

3.17 encryption algorithm
process which transforms a plaintext into a ciphertext
[ISO/IEC 18033-1:2005]

3.18 encryption system
cryptographic technique used to protect the confidentiality of data, and which consists of three component processes: a method for generating keys, an encryption algorithm and a decryption algorithm

3.19 full domain cryptographic hash function
function that maps strings of bits to integers in a fixed range, satisfying the properties of (1) for a given output, it is computationally infeasible to find an input which maps to this output, and (2) for a given input, it is computationally infeasible to find a second input which maps to the same output
NOTE A full domain cryptographic hash function is similar to a standard cryptographic hash function with the exception that the former outputs an integer rather than a bit string; see 7.2.2.

3.20 identification data
sequence of data elements, including the distinguishing identifier for an entity, assigned to an entity and used to identify it
NOTE The identification data can additionally contain data elements such as identifier of the signature process, identifier of the signature key, validity period of the signature key, restrictions on key usage, associated security policy parameters, key serial number, or domain parameters.
[ISO/IEC 14888-1:2008]

3.21 key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encryption, decryption)
[ISO/IEC 11770-1:2010]

3.22 key pair
pair consisting of a public key and a private key associated with an asymmetric cipher

3.23 keystream
pseudorandom sequence of symbols, intended to be secret, used by the encryption and decryption algorithms of a stream cipher
NOTE If a portion of the keystream is known by an atta
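The following Python is an added illustration of definition 3.19 and is not code from the standard; in particular it is not the FDH1 construction of 7.2.2.2, which lies outside this excerpt. It builds a full domain hash from SHA-256 the generic way: expand the digest in counter mode until it carries a comfortable surplus over the bit length of the range bound n, then reduce modulo n, so the output is an integer in [0, n) rather than a fixed-length bit string. The names `full_domain_hash`, `expand_bytes`, `check_range`, the constant `SURPLUS_BITS` and the 64-bit surplus are assumptions of this example, and the modulus used at the bottom is constructed for the demonstration.

```python
import hashlib

# Added example, not the standard's own FDH1 (7.2.2.2). A generic full domain
# hash built from SHA-256: bit string -> integer in the fixed range [0, n),
# as in definition 3.19. Preimage and second-preimage resistance are
# inherited from SHA-256; the surplus bits keep the "mod n" reduction close
# to uniform over [0, n) instead of biased toward small values.

SURPLUS_BITS = 64  # assumption for this illustration


def expand_bytes(data: bytes, nbytes: int) -> bytes:
    """Counter-mode expansion: SHA-256(data||0) || SHA-256(data||1) || ...
    truncated to nbytes. The counter is a fixed-width 4-byte big-endian
    field so that distinct (data, counter) pairs never collide as inputs."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def full_domain_hash(data: bytes, n: int) -> int:
    """Map an arbitrary byte string to an integer in [0, n).
    Deterministic: equal inputs always give equal outputs."""
    if n < 2:
        raise ValueError("range bound n must be at least 2")
    nbits = n.bit_length() + SURPLUS_BITS
    nbytes = (nbits + 7) // 8
    return int.from_bytes(expand_bytes(data, nbytes), "big") % n


def check_range(data: bytes, n: int) -> bool:
    """True if the hash of `data` lies in the fixed range [0, n)."""
    return 0 <= full_domain_hash(data, n) < n


if __name__ == "__main__":
    n = (1 << 255) - 19  # constructed odd modulus for the demonstration
    for msg in (b"", b"signcryption", b"signcryptiom"):
        # The last two inputs differ in one character and hash to unrelated
        # values; a second preimage cannot be found by small edits.
        print(msg, hex(full_domain_hash(msg, n)))
```

In use, n would be the group order or modulus of the mechanism's system parameters; the point of the surplus is that reducing a uniform value of only bit_length(n) bits modulo n would over-represent the residues below 2^bit_length(n) mod n, so a hash meant to be "full domain" must draw from a wider interval before reducing.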