1、 Reference number ISO/IEC 9796-2:2010(E) ISO/IEC 2010INTERNATIONAL STANDARD ISO/IEC 9796-2 Third edition 2010-12-15 Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanisms Technologies de linformation Techniques de s
2、curit Schmas de signature numrique rtablissant le message Partie 2: Mcanismes bass sur une factorisation entire ISO/IEC 9796-2:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited u
3、nless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a tradem
4、ark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies.
5、 In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
6、means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail co
7、pyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2010 All rights reservedISO/IEC 9796-2:2010(E) ISO/IEC 2010 All rights reserved iiiContents Page Foreword .v Introductionvi 1 Scope1 2 Normative references1 3 Terms and definitions .1 4 Symbols and abbreviated terms 3 5 Converting be
8、tween bit strings and integers .5 6 Requirements.5 7 Model for signature and verification processes 7 7.1 General .7 7.2 Signing a message7 7.2.1 Overview.7 7.2.2 Message allocation7 7.2.3 Message representative production8 7.2.4 Signature production 8 7.3 Verifying a signature.8 7.3.1 Overview.8 7.
9、3.2 Signature opening.8 7.3.3 Message recovery .8 7.3.4 Message assembly9 7.4 Specifying a signature scheme9 8 Digital signature scheme 1.9 8.1 General .9 8.2 Parameters .9 8.2.1 Modulus length 9 8.2.2 Trailer field options .10 8.2.3 Capacity10 8.3 Message representative production10 8.3.1 Hashing t
10、he message10 8.3.2 Formatting10 8.4 Message recovery .11 9 Digital signature scheme 2.12 9.1 General .12 9.2 Parameters .12 9.2.1 Modulus length 12 9.2.2 Salt length 12 9.2.3 Trailer field options .12 9.2.4 Capacity13 9.3 Message representative production13 9.3.1 Hashing the message13 9.3.2 Formatti
11、ng13 9.4 Message recovery .13 10 Digital signature scheme 3.14 Annex A (normative) ASN.1 module .15 A.1 General.15 A.2 Use of subsequent object identifiers 17 ISO/IEC 9796-2:2010(E) iv ISO/IEC 2010 All rights reservedAnnex B (normative) Public key system for digital signature. 18 B.1 Terms and defin
12、itions 18 B.2 Symbols and abbreviations . 18 B.3 Key production 19 B.3.1 Public verification exponent 19 B.3.2 Secret prime factors and public modulus 19 B.3.3 Private signature exponent 20 B.4 Signature production function 20 B.5 Signature opening function . 20 B.6 Alternative signature production
13、function. 21 B.7 Alternative signature opening function 21 Annex C (normative) Mask generation function . 22 C.1 Symbols and abbreviations . 22 C.2 Requirements 22 C.3 Specification 22 C.3.1 Parameters 22 C.3.2 Mask generation 22 Annex D (informative) On hash-function identifiers and the choice of t
14、he recoverable length of the message. 23 Annex E (informative) Examples. 24 E.1 Examples with public exponent 3 . 24 E.1.1 Example of key production process. 24 E.1.2 Examples with total recovery 25 E.1.3 Examples with partial recovery. 31 E.2 Examples with public exponent 2 . 38 E.2.1 Example of ke
15、y production process. 38 E.2.2 Examples with total recovery 38 E.2.3 Examples with partial recovery. 44 Bibliography. 53 ISO/IEC 9796-2:2010(E) ISO/IEC 2010 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
16、form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IE
17、C technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JT
18、C 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodie
19、s for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identif
20、ying any or all such patent rights. ISO/IEC 9796-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. This third edition cancels and replaces the second edition (ISO/IEC 9796-2:2002), which has been technically revised. It als
21、o incorporates the Amendment ISO/IEC 9796-2:2002/Amd.1:2008. Implementations which comply with ISO/IEC 9796-2 (1st edition) and which use a hash-code of at least 160 bits in length will be compliant with ISO/IEC 9796-2 (3rd edition). Note, however, that implementations complying with ISO/IEC 9796-2
22、(1st edition) that use a hash-code of less than 160 bits in length will not be compliant with ISO/IEC 9796-2 (3rd edition). Implementations which comply with ISO/IEC 9796-2 (2nd edition) will be compliant with ISO/IEC 9796-2 (3rd edition). ISO/IEC 9796 consists of the following parts, under the gene
23、ral title Information technology Security techniques Digital signature schemes giving message recovery: Part 2: Integer factorization based mechanisms Part 3: Discrete logarithm based mechanisms Further parts may follow. ISO/IEC 9796-2:2010(E) vi ISO/IEC 2010 All rights reservedIntroduction Digital
24、signature mechanisms can be used to provide services such as entity authentication, data origin authentication, non-repudiation, and integrity of data. A digital signature mechanism satisfies the following requirements. Given the verification key but not the signature key it shall be computationally
25、 infeasible to produce a valid signature for any message. Given the signatures produced by a signer, it shall be computationally infeasible to produce a valid signature on a new message or to recover the signature key. It shall be computationally infeasible, even for the signer, to find two differen
26、t messages with the same signature. NOTE 1 Computational feasibility depends on the specific security requirements and environment. Most digital signature mechanisms are based on asymmetric cryptographic techniques and involve three basic operations: a process for generating pairs of keys, where eac
27、h pair consists of a private signature key and the corresponding public verification key; a process that uses the signature key, called the signature process; a process that uses the verification key, called the verification process. There are two types of digital signature mechanism. When, for a gi
28、ven signature key, two signatures produced for the same message are identical, the mechanism is said to be non-randomized (or deterministic); see ISO/IEC 14888-1. When, for a given message and signature key, each application of the signature process produces a different signature, the mechanism is s
29、aid to be randomized. The first and third of the three mechanisms specified in this part of ISO/IEC 9796 are deterministic (non- randomized), whereas the second of the three mechanisms specified is randomized. Digital signature mechanisms can also be divided into the following two categories: When t
30、he whole message has to be stored and/or transmitted along with the signature, the mechanism is named a “signature mechanism with appendix” (see ISO/IEC 14888). When the whole message, or part of it, can be recovered from the signature, the mechanism is named a “signature mechanism giving message re
31、covery” see ISO/IEC 9796 (all parts). NOTE 2 Any signature mechanism giving message recovery, for example the mechanisms specified in ISO/IEC 9796 (all parts), can be converted to give a digital signature with appendix. This can be achieved by applying the signature mechanism to a hash-code derived
32、as a function of the message. If this approach is employed, then all parties generating and verifying signatures must agree on this approach, and must also have a means of unambiguously identifying the hash-function to be used to generate the hash-code from the message. The mechanisms specified in I
33、SO/IEC 9796 (all parts) give either total or partial recovery, with the objective of reducing storage and transmission overhead. If the message is short enough, then the entire message can be ISO/IEC 9796-2:2010(E) ISO/IEC 2010 All rights reserved viiincluded in the signature, and recovered from the
34、 signature in the verification process. Otherwise, a part of the message can be included in the signature, and the remainder stored and/or transmitted along with the signature. The mechanisms specified in this part of ISO/IEC 9796 use a hash-function for hashing the entire message (possibly in more
35、than one part). ISO/IEC 10118 specifies hash-functions for digital signatures. INTERNATIONAL STANDARD ISO/IEC 9796-2:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanisms 1
36、 Scope This part of ISO/IEC 9796 specifies three digital signature schemes giving message recovery, two of which are deterministic (non-randomized) and one of which is randomized. The security of all three schemes is based on the difficulty of factorizing large numbers. All three schemes can provide
37、 either total or partial message recovery. This part of ISO/IEC 9796 specifies the method for key production for the three signature schemes. However, techniques for key management and for random number generation (as required for the randomized signature scheme) are outside the scope of this part o
38、f ISO/IEC 9796. The first mechanism specified in this part of ISO/IEC 9796 is only applicable for existing implementations, and is retained for reasons of backward compatibility. 2 Normative references The following referenced documents are indispensable for the application of this document. For dat
39、ed references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 10118 (all parts), Information technology Security techniques Hash-functions 3 Terms and definitions For the purposes of this document, the
40、 following terms and definitions apply. 3.1 capacity positive integer indicating the number of bits available within the signature for the recoverable part of the message 3.2 certificate domain collection of entities using public key certificates created by a single Certification Authority (CA) or a
41、 collection of CAs operating under a single security policy 3.3 certificate domain parameters cryptographic parameters specific to a certificate domain and which are known and agreed by all members of the certificate domain ISO/IEC 9796-2:2010(E) 2 ISO/IEC 2010 All rights reserved3.4 collision-resis
42、tant hash-function hash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs which map to the same output ISO/IEC 10118-1 3.5 hash-code string of bits which is the output of a hash-function ISO/IEC 10118-1 3.6 hash-function function which maps
43、strings of bits to fixed-length strings of bits, satisfying the following two properties: for a given output, it is computationally infeasible to find an input which maps to this output; for a given input, it is computationally infeasible to find a second input which maps to the same output ISO/IEC
44、9797-2 3.7 mask generation function function which maps strings of bits to strings of bits of arbitrary specified length, satisfying the following property: it is computationally infeasible to predict, given one part of an output but not the input, another part of the output 3.8 message string of bi
45、ts of any length ISO/IEC 14888-1 3.9 message representative bit string derived as a function of the message and which is combined with the private signature key to yield the signature 3.10 nibble block of four consecutive bits (half an octet) 3.11 non-recoverable part part of the message stored or t
46、ransmitted along with the signature; empty when message recovery is total 3.12 octet string of eight bits 3.13 private key key of an entitys asymmetric key pair which should only be used by that entity ISO/IEC 9798-1 ISO/IEC 9796-2:2010(E) ISO/IEC 2010 All rights reserved 33.14 private signature key
47、 private key which defines the private signature transformation ISO/IEC 9798-1 3.15 public key key of an entitys asymmetric key pair which can be made public ISO/IEC 9798-1 3.16 public key system digital signature cryptographic scheme consisting of three functions: key production, a method for gener
48、ating a key pair made up of a private signature key and a public verification key; signature production, a method for generating a signature from a message representative F and a private signature key; signature opening, a method for obtaining the recovered message representative F* from a signature
49、 and a public verification key NOTE The output of this function also contains an indication as to whether the signature opening procedure succeeded or failed. 3.17 public verification key public key which defines the public verification transformation ISO/IEC 9798-1 3.18 recoverable part part of the message conveyed in the signature 3.19 salt random data item produced by the signing entity during the generation of the message representative in Signatur
