DRAFT ISO/IEC 18033-2: Information technology | …

1 DRAFTISO/IEC18033-2:Informationtechnolog y security techniques Encryptionalgorithms Part 2: AsymmetricCiphersEditor:VictorShoupJanua ry15, 2004 Editor snote:Thefollowingitemsstill needto be addressed: Theeditorneedsto convert to ISOformat. Someoneneedsto take a closelook at the ASN1syntax. A finaldecisionneedsto be reachedas to which schemesare includedin Scope12 Normative references13 Definitions24 Symbols and notation55 algorithms.. stringsand octetstrings.. 116 .. algorithms.. ciphers.. 177 .. of labels .. of operationof an asymmetriccipher.. 228 .. 25i9 Constructionsof .. 2910 ElGamal-basedkey .. 3811 RSA-basedasymmetricciphersand key generationalgorithms.. 4612 generationalgorithms.. 5013 Ciphersbasedon generationalgorithms.. (R).. 54A security considerations(informative annex) algorithms.. ciphers.. ofSC1.. ofSC2.. ofDEM1,DEM2, andDEM3.

2 OfHC.. assumptionsrelatedto concretegroups.. ofECIES-KEM.. ofPSEC-KEM.. ofACE-KEM.. ofRSAES.. ofRSA-KEM.. ofEPOC-2.. ofHIME(R).. 70B ASN1 Syntax for Object Identifiers(normative annex)71C Test Vectors(informative annex) vectorsforDEM1.. vectorsforECIES-KEM.. vectorsforPSEC-KEM.. vectorsforACE-KEM.. vectorsforRSAES.. vectorsforRSA-KEM.. vectorsforHC.. vectorsforEPOC-2.. vectorsforHIME(R).. 143iiiForewordISO(theInternationalOrgani zationfor Standardization)is a worldwidefederationof nationalstandardsbodies (ISOmember bodies).The work of preparingInternationalStandardsis normallycarriedout throughISO member body interestedin a subject for whicha technicalcommitteehas been establishedhas the right to be represented on ,governmental andnon-governmental, in liaisonwithISO,alsotakepartin the InternationalElectrotechnicalCommission( IEC)on all mattersof draftedin accordancewiththe rulesgiven in the ISO/IECD irectives,Part the technicalcommitteesare circulatedto the memberbodiesfor an InternationalStandardrequiresapproval by at least75%ofthe member bodiescastinga drawn to the possibility thatsomeof the elements of this partof ISO/IEC18033maybe the subject of patent rights.

3 ISOshallnot be heldresponsiblefor identifyingany or all suchpatent preparedby Joint TechnicalCommitteeISO/IECJTC1,Informatio ntechnology, SubcommitteeSC 27, the followingparts,underthe generaltitleInformationtechnology Securitytechniques Encryptionalgorithms: Part1: General Part2: Asymmetricciphers Part3; Block ciphers Part4: Stream ciphersAnnexA of this partof ISO/IEC18033is for informationonly. AnnexB formsa normative partof this partif of this partof ISO/IEC18033is for security techniques Encryptionalgo-rithms Part 2: AsymmetricCiphers1 ScopeThispartof functionalinterfacesand correctmethods of use of such ciphersin general,as well as the precisefunctionality andciphertextformatfor severalspecificasymmetricciphers(althoug hconformingsystemsmay choose to use alternative formatsfor storingand transmittingciphertexts).A normative annex(AnnexB) gives for object identifiers,publickeys, and parameterstructuresto be associatedwiththe algorithmsspecifiedin this partof ,thesespecificationsdo not prescribe protocolsfor reliablyobtaininga publickey, for proof ofpossessionof a private key, or for validationof eitherpublicor private keys; see ISO/IEC11770forguidanceon such key management asymmetricciphersthatare specifiedin this partof ISO/IEC18033are indicatedin , the asymmetricciphersare: ECIES-HC,PSEC-HC,ACE-HC: generichybridciphersbasedon ElGamalencryption; RSA-HC: a generichybridcipherbasedon theRSAtransform; RSAES: theOAEP paddingschemeappliedto theRSAtransform.

4 EPOC-2,HIME(R): two schemesbasedon the hardnessof Normative referencesThefollowingnormative documents containprovisionswhich, throughreferencein this text,con-stituteprovisionsfor thispartof datedreferences,subsequent amendmentsto, or revisionsof, any of thesepublicationsdo not apply. For undatedreferences,the latesteditionof the normative document referredto of IECandISOmaintainregistersofcurrently valid ,Informationtechnology Securitytechniques MessageAuthenticationCodes(MACs) Part1: Mechanismsusinga block ,Informationtechnology Securitytechniques MessageAuthenticationCodes(MACs) Part2: Mechanismsusinga dedicated ,Informationtechnology Securitytechniques Modes of operationfor ann-bitblock ,Informationtechnology Securitytechniques Hash-functions Part2:Hash-functionsusingann-bit block ,Informationtechnology Securitytechniques Hash-functions Part3:Dedicated ,Informationtechnology Securitytechniques ,Informationtechnology Securitytechniques Cryptographictechniquesbasedon ellipticcurves Part1.

5 ,Informationtechnology Securitytechniques Randombit ,Informationtechnology Securitytechniques Primenumber ,Informationtechnology Securitytechniques Encryptionalgorithms Part1: ,Informationtechnology Securitytechniques Encryptionalgorithms Part3: Block DefinitionsFor the purposesof this partof ISO/IEC18033,the followingdefinitionsapply;whereappropria te,forward referencesare given to clauseswhich asymmetriccipher:cipherbasedon asymmetriccryptographictechniqueswhosepu blictransformationis usedfor encryptionand whoseprivate transformationis usedfor decryption[ISO/IEC18033-1].(See Clause7.) asymmetriccryptographictechnique:cryptog raphictechniquethatusestwo relatedtransformations,a publictransformation(definedby the publickey) anda private trans-formation(definedby the private key).Thetwo transformationshave the property that,given the publictransformation,it is computationallyinfeasibleto derive the private trans-formation[ISO/IEC18033-1].

6 Asymmetrickey pair:pairof relatedkeys, apublickeyand aprivatekey, wherethe privatekey definesthe private transformationand the publickey definesthe publictransformation[ISO/IEC18033-1].(Se e Clauses7, ) bit:one of the two symbols 0 or 1 .(See ) bit string:an orderedsequenceof bits.(See ) block:stringof bits of a definedlength[ISO/IEC18033-1]. this partof ISO/IEC18033,a block will be restrictedto be an octetstring(inter-pretedin a naturalway as a bit string). block cipher:symmetriccipherwiththe property thatthe encryptionalgorithmoperatesona block of plaintext, , a stringof bitsof a definedlength,to yielda block of ciphertext[ISO/IEC18033-1].(See ) thispartof ISO/IEC18033,plaintext/ciphertextblocks will be restrictedto beoctetstrings(interpretedin a naturalway as bit strings). cipher:cryptographictechniqueusedto protectthe confidentiality of data,and which consistsof threecomponent processes:an encryptionalgorithm,a decryptionalgorithm,and a methodfor generatingkeys [ISO/IEC18033-1].

7 Ciphertext:datawhich has been transformedto hideits informationcontent [ISO/IEC18033-1]. :an explicitdescriptionof a finiteabeliangroup,togetherwithalgorithm sfor performingthe groupoperationand for encodingand decodinggroupelements as octetstrings.(See ) :a functionthatmapsoctetsstringsof any lengthto octetstringsof fixedlength,such thatit is computationallyinfeasibleto find correlationsbetweeninputsandoutputs,ands uch thatgiven one partof the output,but not the input,it iscomputationallyinfeasibleto predictany bit of the depend on the application.(See ) :a cryptographicmechanism,basedon symmetriccryp-tographictechniques,which protectsboth the confidentiality and the integrity of data.( ) :reversalof the correspondingencryption[ISO/IEC18033-1]. :process which transformsciphertextinto plaintext [ISO/IEC18033-1]. :(reversible)transformationof databy a cryptographicalgorithmto produceciphertext, , to hidethe informationcontent of the data[ISO/IEC18033-1].

8 Finitefield:finitefieldthatis represented explicitlyin termsof its char-acteristicand a multiplicationtablefor a basisof the fieldover the underlyingprimefield.(See ) :process which transformsplaintext into ciphertext[ISO/IEC18033-1]. :an optionthatmay be passedto the encryptionalgorithmof an asym-metriccipher,or of a key encapsulationmechanism,to control the formattingof the outputciphertext.(See Clauses7, ) :the mathematicalnotionof a field, , a set of elements, togetherwithbinaryopera-tionsfor additionand multiplicationon this set, such thatthe :a groupsuch thatthe underlyingset of elements is finite,and suchthatthe underlyingbinaryoperationis :a fieldsuch thatthe underlyingset of elements is :the mathematicalnotionof a group, , a set of elements, togetherwitha binaryoperationon this set, such thatthe :an asymmetriccipherthatcombinesboth asymmetricand :a sequenceof symbols thatcontrolsthe operationof a cryptographictransformation( , encryption ,decryption)[ISO/IEC18033-1].

9 Derivationfunction:a functionthatmapsoctetsstringsof any lengthto octet stringsof an arbitrary, specifiedlength,such thatit is computationallyinfeasibleto find correlationsbetween inputsand outputs,and such thatgiven one partof the output,but not the input,itis computationallyinfeasibleto predictany bit of the depend on the application.(See ) encapsulationmechanism:similarto an asymmetriccipher,but the encryptionalgo-rithmtakes as inputa publickey and generatesa secretkey and an encryptionof this secretkey.(See ) generationalgorithm:method for generatingasymmetrickey pairs.(See Clauses7, ) :an octetstringthatis inputto both the encryptionand decryptionalgorithmsof anasymmetriccipher,andof a label is publicinformationthatis boundto the ciphertextin a non-malleableway.(See Clauses7, ) :(1) Thelengthof a bit stringis the number of bits in the string.(See )(2) Thelengthof an octet stringis the number of octetsin the string.

10 (See )(3)Thelengthin bits of a non-negativeintegernis the number of bits in its binaryrepresentation, ,dlog2(n+ 1)e.(See )(4) Thelengthin octetsof a non-negativeintegernisthe number of digitsin its representationbase256, ,dlog256(n+ 1)e.(See ) (MAC):the stringof bits which is the outputof a MACalgorithm[ISO/IEC9797-1].(See ) this partof ISO/IEC18033,a MAC will be restrictedto be an octet string(inter-pretedin a naturalway as a bit string). algorithm :an algorithmfor computinga functionwhich mapsstringsof bits and asecretkey to fixed-lengthstringsof bits,satisfyingthe followingtwo properties: for any key and any inputstring,the functioncan be computedefficiently;4 for any fixedkey, and given no priorknowledgeof the key, it is computationallyinfeasibleto computethe functionvalueon any newinputstring,even given knowledgeof the setof inputstringsandcorrespondingfunctionvalu es,wherethe valueof theith inputstringmay have been chosenafterobservingthe valueof the firsti 1 functionvalues[ISO/IEC9797-1].