ISO/IEC 18370-2:2016
Information technology — Security techniques — Blind digital signatures — Part 2: Discrete logarithm based mechanisms
ISO/IEC 18370-2:2016 specifies blind digital signature mechanisms, together with mechanisms for three variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms. The security of all the mechanisms in ISO/IEC 18370-2:2016 is based on the discrete logarithm problem.
For each mechanism, ISO/IEC 18370-2:2016 specifies the following:
- the process for generating the keys of the entities involved in these mechanisms;
- the process for producing blind signatures;
- the process for verifying signatures.
ISO/IEC 18370-2:2016 specifies another process specific to blind signature mechanisms with selective disclosure, namely, the following:
- the presentation process.
Furthermore, ISO/IEC 18370-2:2016 specifies other processes specific to traceable blind signature mechanisms, namely, the following:
a) the process for tracing requestors;
b) the process for tracing signatures;
c) the requestor tracing evidence evaluation process (optional);
d) the signature tracing evidence evaluation process (optional).
Technologie de l'information — Techniques de sécurité — Signatures numériques en aveugle — Partie 2: Mécanismes fondés sur le logarithme discret
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 18370-2
First edition 2016-07-01
Information technology — Security techniques — Blind digital signatures — Part 2: Discrete logarithm based mechanisms
Technologie de l’information — Techniques de sécurité — Signatures numériques en aveugle — Partie 2: Mécanismes fondés sur le logarithme discret
Reference number ISO/IEC 18370-2:2016(E)
© ISO/IEC 2016
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols
5 General requirements
6 Blind signature mechanisms
6.1 General
6.2 Mechanism 1
6.2.1 Security parameters
6.2.2 Key generation process
6.2.3 Blind signature process
6.2.4 Verification process
7 Blind signature mechanisms with partial disclosure
7.1 General
7.2 Mechanism 2
7.2.1 Security parameters
7.2.2 Key generation process
7.2.3 Blind signature process with partial disclosure
7.2.4 Verification process
7.3 Mechanism 3
7.3.1 Symbols
7.3.2 Key generation process
7.3.3 Blind signature process with partial disclosure
7.3.4 Verification process
8 Blind signature mechanisms with selective disclosure
8.1 General
8.2 Mechanism 4
8.2.1 Security parameters
8.2.2 Key generation process
8.2.3 Blind signature process with selective disclosure
8.2.4 Presentation process
8.2.5 Verification process
9 Traceable blind signature mechanisms
9.1 General
9.2 Mechanism 5
9.2.1 Symbols
9.2.2 Key generation process
9.2.3 Traceable blind signature process
9.2.4 Verification process
9.2.5 Requestor tracing process
9.2.6 Signature tracing process
9.2.7 Requestor tracing evidence evaluation process
9.2.8 Signature tracing evidence evaluation process
Annex A (normative) Object identifiers
Annex B (normative) Conversion functions
Annex C (normative) Group description
Annex D (informative) Special hash-functions
Annex E (informative) Security considerations and comparison of blind signature mechanisms
Annex F (informative) Numerical examples
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, IT Security techniques.
ISO/IEC 18370 consists of the following parts, under the general title Information technology — Security
techniques — Blind digital signatures:
— Part 1: General
— Part 2: Discrete logarithm based mechanisms
Further parts may follow.
Introduction
Blind digital signature mechanisms are a special type of digital signature mechanism, as specified in
ISO/IEC 9796 (all parts) and ISO/IEC 14888, which allow a user (a requestor) to obtain a signature from
a signer of the user’s choice, without giving the signer any information about the message that is signed
or the resulting signature.
In some mechanisms, the signer does not completely lose control over the signed message since the
signer can include explicit information in the resulting signature under an agreement with the
requestor. These types of blind signatures are called blind signatures with partial disclosure.
Other mechanisms allow a requestor to receive a blind signature on a message not known to the signer
but the choice of the message is restricted and needs to conform to certain rules. Such mechanisms are
called blind signature mechanisms with selective disclosure.
Depending on the mechanism, it may be possible for an authorized entity to trace a signature to the
requestor who requested it. Such an entity can either identify a signature that resulted from a given
signature request (signature tracing), or link a signature to the receiver who requested it (requestor
tracing). Blind signature mechanisms with tracing features are called traceable blind signature
mechanisms.
ISO/IEC 18370 specifies blind digital signature mechanisms, as well as three variants: blind digital
signature mechanisms with partial disclosure, blind digital signature mechanisms with selective
disclosure and traceable blind digital signature mechanisms. ISO/IEC 18370-1 specifies principles and
requirements for these mechanisms. This part of ISO/IEC 18370 specifies several specific instances of
these mechanisms.
The security of blind digital signature mechanisms and their variants depends on computational
problems believed to be intractable, i.e. problems for which, given current knowledge, finding a solution
is computationally infeasible, such as the integer factorization problem or the discrete logarithm
problem in an appropriate group. The mechanisms specified in this part of ISO/IEC 18370 are based on
the latter problem.
ISO/IEC 18370 does not specify mechanisms for key management or for certification of public keys. A
variety of means are available for obtaining a reliable copy of the public verification key, e.g. a public
key certificate. Techniques for managing keys and certificates are outside the scope of ISO/IEC 18370.
For further information, see ISO/IEC 9594-8, ISO/IEC 11770-3 and ISO/IEC 15945.
This part of ISO/IEC 18370 specifies mechanisms that use a collision resistant hash-function to hash
the message to be blindly signed. ISO/IEC 10118 specifies hash-functions.
The generation of key pairs requires random bits and prime numbers. The generation of signatures
requires random bits. Techniques for producing random bits and prime numbers are outside the scope
of ISO/IEC 18370. For further information, see ISO/IEC 18031 and ISO/IEC 18032.
1 Scope
This part of ISO/IEC 18370 specifies blind digital signature mechanisms, together with mechanisms
for three variants of blind digital signatures. The variants are blind digital signature mechanisms with
partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind
digital signature mechanisms. The security of all the mechanisms in this part of ISO/IEC 18370 is based
on the discrete logarithm problem.
For each mechanism, this part of ISO/IEC 18370 specifies the following:
— the process for generating the keys of the entities involved in these mechanisms;
— the process for producing blind signatures;
— the process for verifying signatures.
This part of ISO/IEC 18370 specifies another process specific to blind signature mechanisms with
selective disclosure, namely, the following:
— the presentation process.
Furthermore, this part of ISO/IEC 18370 specifies other processes specific to traceable blind signature
mechanisms, namely, the following:
a) the process for tracing requestors;
b) the process for tracing signatures;
c) the requestor tracing evidence evaluation process (optional);
d) the signature tracing evidence evaluation process (optional).
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 18370-1 and the
following apply.
3.1
abelian group
group (G, *) such that a * b = b * a for every a and b in G
3.2
cyclic group
group G of n elements that contains an element a in G, called the generator, of order n
[SOURCE: ISO/IEC 14888-3:2006, 3.2]
3.3
elliptic curve over a finite field
set E of points P = (x, y), where x and y are elements of the finite field (3.6), that satisfy a certain equation,
together with an extra point referred to as the point at infinity
Note 1 to entry: In this part of ISO/IEC 18370, only finite fields containing exactly q elements for a prime q > 3 are considered. In this case, the equation that every point P = (x, y) of E (other than the point at infinity) should satisfy is of the form $y^2 = x^3 + ax + b$. The finite field elements a and b should satisfy $4a^3 + 27b^2 \neq 0_F$ (where $0_F$ is the additive identity element of the finite field).
Note 2 to entry: The set of points E, together with an appropriately defined operation, forms a finite commutative
group (3.5), where the point at infinity is the identity element.
3.4
field
set of elements S and a pair of operations (+,*) defined on S, such that: i) a * (b + c) = a * b + a * c for
every a, b and c in S, ii) S together with + forms an abelian group (3.1) (with identity element 0), and iii)
S excluding 0 together with * forms an abelian group
3.5
finite commutative group
abelian group (3.1) (G, *) with a finite number of elements
Note 1 to entry: If $a^0 = e$, and $a^{n+1} = a * a^n$ (for n ≥ 0) is defined recursively, the order of a ∈ G is the least positive integer n, such that $a^n = e$.
Note 2 to entry: In some cases, such as when G is the set of points on an elliptic curve, arithmetic in the finite set
G is described using additive notation.
3.6
finite field
field (3.4) such that the underlying set of elements is finite
Note 1 to entry: For any positive integer, m and a prime p, there exists a finite field containing exactly $q = p^m$ elements. This field is unique up to an isomorphism and is denoted by $F_q$.
[SOURCE: ISO/IEC 18033-2:2006, 3.21]
3.7
group
set of elements G and an operation * defined on the set of elements such that: i) (a * b) * c = a * (b * c) for every a, b and c in G, ii) there exists an identity element, e in G, such that a * e = e * a = a for every a in G, and iii) for every a in G, there exists an inverse element, $a^{-1}$ in G, such that $a * a^{-1} = a^{-1} * a = e$
3.8
security parameters
variables that determine the security strength of a mechanism
4 Symbols
a ∈ A    indicates that element a is in set A
a ‖ b    concatenation of data items a and b in the order specified. In cases where the result of concatenating two or more data items is input to a cryptographic algorithm as part of one of the mechanisms specified in this part of ISO/IEC 18370, this result shall be composed so that it can be uniquely resolved into its constituent data strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter property could be achieved in a variety of different ways, depending on the application. For example, it could be guaranteed by a) fixing the length of each of the substrings throughout the domain of use of the mechanism, or b) encoding the sequence of concatenated strings using a method that guarantees unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1 [1].
A ⊆ B    indicates that the set A is a subset of or equal to set B
A \ B    when A and B are sets, this represents the set of elements present in A but not in B.
|D|    bit length of D if D is a bit string, or bit size of D if D is a non-negative number (i.e. 0 if D = 0, or the unique integer i such that $2^{i-1} \le D < 2^{i}$ if D > 0).
E    an elliptic curve over the finite field $F_p$, for a prime p > 3
$E(F_p)$    the set of all points (x, y), $x \in F_p$, $y \in F_p$, which satisfy the defining equation of the curve E, together with the point at infinity, $O_E$
$\#E(F_p)$    the order (or cardinality) of $E(F_p)$
$F_p$    the finite field containing exactly p elements
g    a generator of $G_q$
$\gcd(N_1, N_2)$    the greatest common divisor of integers $N_1$ and $N_2$
$G_q$    a cyclic group of prime order q. For uniformity, the multiplicative notation is used throughout. As such, when using the elliptic curve construction, it should be understood that ab represents the group addition of points a and b, that a/b represents the group addition of the point a to the additive inverse of the point b, and that $a^b$ represents the scalar multiplication of point a by the integer b.
NOTE This part of ISO/IEC 18370 considers two constructions for the group $G_q$, in which it is infeasible to compute discrete logarithms. The first is based on a subgroup of a finite field, and the second is based on elliptic curves over a finite field $F_q$, where q is a prime number. Details of these two constructions are provided in Annex C.
H    a cryptographic hash-function
I    a set of integers
[n]P    scalar multiplication operation that takes a positive integer n and a point P on the elliptic curve E as input and produces as output another point Q on the elliptic curve E, where Q = [n]P = P + P +…+ P added n - 1 times. The operation satisfies $[0]P = O_E$ (the point at infinity), and [−n]P = [n](−P).
$O_E$    the point at infinity on the elliptic curve E
P + Q    the elliptic curve sum of points P and Q
q    a prime number satisfying $|q| = l_q$ where $l_q$ is a security parameter
$Z_p$    the set of integers in [0, p − 1] with arithmetic defined modulo p
$Z_N^{*}$    the set of integers U with 0 < U < N and gcd(U, N) = 1, with arithmetic defined modulo N
$\prod_{(i \in I)} a_i$    a product of the values $a_i$ for which i ∈ I
[x, y]    the set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y
an ordered list of values to be hashed
...
5 General requirements
In order to use any of the mechanisms specified in this part of ISO/IEC 18370, the following requirements
shall be met.
— Each entity involved in a blind signature mechanism shall be aware of the public domain parameters.
— Each entity shall have access to an authentic copy of the necessary public keys, such as the public
verification key.
— Each requestor in a traceable blind signature mechanism shall have a distinguishing identifier that
is unambiguously bound to the private requestor key. The distinguishing identifier for a requestor
can be the public requestor key.
— Both signer and requestor shall have the means to generate integers uniformly at random from a
given range. Techniques for generation of sequences of random bits are specified in ISO/IEC 18031.
A method for converting a string of bits to an integer in a given range is specified in Annex B.
— A collision-resistant hash-function such as one of those specified in ISO/IEC 10118 shall be used.
Before issuing a blind signature, the signer might wish to authenticate the requestor. ISO/IEC 18370 does
not specify mechanisms for entity authentication. For this purpose, the use of one of the mechanisms
specified in ISO/IEC 9798 is recommended.
For traceable blind signature mechanisms, this part of ISO/IEC 18370 does not specify in which
circumstances a requestor tracing process or a signature tracing process is used.
6 Blind signature mechanisms
6.1 General
Clause 6 specifies a blind signature mechanism.
NOTE The mechanism in Clause 6 is based on Reference [23] and the associated security analysis is given in
Reference [26].
6.2 Mechanism 1
6.2.1 Security parameters
The following symbols apply in the specification of this mechanism:
— k, $l_q$: security parameters.
The parties should agree on the security parameters in use. Guidance for parameter choice is given in
Annex E.
6.2.2 Key generation process
The key generation process of a blind signature mechanism consists of the following procedures:
a) generating domain parameters;
b) generating a private signature key and a public verification key.
The first procedure is executed once when the domain is set up. The second procedure is executed for
each signer within the domain, where the outputs are a private signature key and the corresponding
public verification key.
The set of domain parameters includes the following parameters:
— q: a prime number where $|q| = l_q$;
— $G_q$: a cyclic group of prime order q;
— $g_1$: a random generator of $G_q$;
— $g_2$: a random generator of $G_q$ different from $g_1$;
NOTE 1 An example of recommended parameters for typical security levels is provided in E.2.
NOTE 2 A method for selecting random generators is given in ISO/IEC 14888-3:2006, D.2.2.
— H: a hash-function that outputs a k-bit message digest.
The pair of keys of the signer is computed as follows.
a) The signer picks two integers, $x_1$ and $x_2$, uniformly at random from the range [1, q − 1].
b) The signer computes $y = g_1^{-x_1} g_2^{-x_2}$.
The signature key is the pair $(x_1, x_2)$ and the verification key is y.
6.2.3 Blind signature process
A blind signature process is an interactive protocol between a signer and a requestor. By executing the
signing protocol, the requestor obtains a valid signature of a message of the requestor’s choice in such a
way that the signer learns nothing about the message or the resulting signature.
The signature process involves the following steps. The message to be blindly signed is denoted by m, where $m \in \{0, 1\}^{*}$.
a) The signer picks two integers, $w_1$ and $w_2$, uniformly at random from the range [0, q − 1].
b) The signer computes $a = g_1^{w_1} g_2^{w_2}$.
c) The signer sends a to the requestor.
d) The requestor receives a from the signer.
e) The requestor picks an integer α uniformly at random from the range [0, q − 1].
f) The requestor picks an integer β uniformly at random from the range [0, q − 1].
g) The requestor picks an integer γ uniformly at random from the range [0, q − 1].
h) The requestor computes $a' = a\, g_1^{\alpha} g_2^{\beta} y^{-\gamma}$.
i) The requestor computes c′ = H(m ‖ a′).
j) The requestor computes c = c′ + γ mod q.
k) The requestor sends c to the signer.
l) The signer receives c from the requestor.
m) The signer computes $r_1 = w_1 + c x_1 \bmod q$.
n) The signer computes $r_2 = w_2 + c x_2 \bmod q$.
o) The signer sends $r_1$ and $r_2$ to the requestor.
p) The requestor receives $r_1$ and $r_2$ from the signer.
q) The requestor checks that the values $r_1$ and $r_2$ have been correctly computed by verifying that $a = g_1^{r_1} g_2^{r_2} y^{c}$. If this verification fails, the requestor outputs reject and stops.
r) The requestor computes $r_1' = r_1 + \alpha \bmod q$.
s) The requestor computes $r_2' = r_2 + \beta \bmod q$.
t) The requestor sets the signature to $\sigma = (c', r_1', r_2')$.
6.2.4 Verification process
On input of a message, m, a signature $\sigma = (c', r_1', r_2')$, domain parameters, and the verification key, y, the verification process involves the following steps.
a) The verifier computes $a'' = g_1^{r_1'} g_2^{r_2'} y^{c'}$.
b) The verifier computes
...
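Mechanism 1 (6.2.2 to 6.2.4) run end to end, as an added example that is not part of the standard's text; `link_factors` goes one step beyond the text to show why the signer's view of a session does not identify the signature it produced. Assumptions: constructed toy parameters p = 2039, q = 1019, g1 = 4, g2 = 9 in the finite-field construction, SHA-256 as H, a fixed-length encoding of a′, and the final check c′ = H(m ‖ a′′), which is inferred from step i) because the verification text above is cut off.

```python
import hashlib
import secrets

# Constructed toy domain parameters (far too small for real use): p = 2q + 1,
# and the squares 4 and 9 generate the subgroup G_q of prime order q in Z_p^*.
P, Q = 2039, 1019
G1, G2 = 4, 9


def H(m: bytes, a_prime: int) -> int:
    """c' = H(m || a'). a' is encoded at fixed width so the split is unambiguous."""
    width = (P.bit_length() + 7) // 8
    digest = hashlib.sha256(m + a_prime.to_bytes(width, "big")).digest()
    return int.from_bytes(digest, "big")


def keygen():
    """6.2.2: private key (x1, x2), public key y = g1^-x1 * g2^-x2."""
    x1 = 1 + secrets.randbelow(Q - 1)   # uniform in [1, q-1]
    x2 = 1 + secrets.randbelow(Q - 1)
    y = pow(G1, Q - x1, P) * pow(G2, Q - x2, P) % P   # g^(q-x) = g^(-x) in G_q
    return (x1, x2), y


class Signer:
    def __init__(self, sk):
        self.x1, self.x2 = sk

    def commit(self):                    # steps a)-c)
        self.w1, self.w2 = secrets.randbelow(Q), secrets.randbelow(Q)
        return pow(G1, self.w1, P) * pow(G2, self.w2, P) % P

    def respond(self, c):                # steps l)-o)
        r1 = (self.w1 + c * self.x1) % Q
        r2 = (self.w2 + c * self.x2) % Q
        del self.w1, self.w2             # answering two challenges with one (w1, w2) exposes the key
        return r1, r2


class Requestor:
    def __init__(self, y, m):
        self.y, self.m = y, m

    def challenge(self, a):              # steps d)-k)
        self.a = a
        self.alpha, self.beta, self.gamma = (secrets.randbelow(Q) for _ in range(3))
        a_p = (a * pow(G1, self.alpha, P) * pow(G2, self.beta, P)
               * pow(self.y, Q - self.gamma, P)) % P   # y^(q-gamma) = y^(-gamma)
        self.c_p = H(self.m, a_p)
        self.c = (self.c_p + self.gamma) % Q
        return self.c

    def unblind(self, r1, r2):           # steps p)-t)
        if self.a != pow(G1, r1, P) * pow(G2, r2, P) * pow(self.y, self.c, P) % P:
            raise ValueError("reject: signer response does not verify")
        return self.c_p, (r1 + self.alpha) % Q, (r2 + self.beta) % Q


def verify(y, m, sig):
    """6.2.4 step a), followed by the assumed comparison c' == H(m || a'')."""
    c_p, r1_p, r2_p = sig
    a_pp = pow(G1, r1_p, P) * pow(G2, r2_p, P) * pow(y, c_p, P) % P
    return c_p == H(m, a_pp)


def blind_sign(sk, y, m):
    """Run one session; return (what the signer saw, the final signature)."""
    signer, req = Signer(sk), Requestor(y, m)
    a = signer.commit()
    c = req.challenge(a)
    r1, r2 = signer.respond(c)
    return (a, c, r1, r2), req.unblind(r1, r2)


def link_factors(y, view, sig):
    """Check that blinding factors exist connecting a signer view to a signature.

    This holds for every valid (view, signature) pair, including pairs from
    different sessions, which is why the view does not single out a signature.
    """
    a, c, r1, r2 = view
    c_p, r1_p, r2_p = sig
    alpha, beta, gamma = (r1_p - r1) % Q, (r2_p - r2) % Q, (c - c_p) % Q
    a_p = a * pow(G1, alpha, P) * pow(G2, beta, P) * pow(y, Q - gamma, P) % P
    a_pp = pow(G1, r1_p, P) * pow(G2, r2_p, P) * pow(y, c_p, P) % P
    return a_p == a_pp
```
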
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 18370-2
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2015-02-09 Voting terminates on: 2015-05-09
Information technology — Security techniques — Blind digital signatures — Part 2: Discrete logarithm based mechanisms
Technologie de l’information — Techniques de sécurité — Signatures numériques en aveugle — Partie 2: Mécanismes fondés sur le logarithme discret
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/IEC DIS 18370-2:2014(E)
© ISO/IEC 2014
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 General requirements
6 Blind signature mechanisms
6.1 General
6.2 Mechanism 1
6.2.1 Security parameters
6.2.2 Key generation process
6.2.3 Blind signature process
6.2.4 Verification process
7 Blind signature mechanisms with partial disclosure
7.1 General
7.2 Mechanism 2
7.2.1 Security parameters
7.2.2 Key generation process
7.2.3 Blind signature process with partial disclosure
7.2.4 Verification process
7.3 Mechanism 3
7.3.1 Symbols
7.3.2 Key generation process
7.3.3 Blind signature process with partial disclosure
7.3.4 Verification process
8 Blind signature mechanisms with selective disclosure
8.1 General
8.2 Mechanism 4
8.2.1 Security parameters
8.2.2 Key generation process
8.2.3 Blind signature process with selective disclosure
8.2.4 Presentation process
8.2.5 Verification process
9 Traceable blind signature mechanisms
9.1 General
9.2 Mechanism 5
9.2.1 Symbols
9.2.2 Key generation process
9.2.3 Traceable blind signature process
9.2.4 Verification process
9.2.5 Requestor tracing process
9.2.6 Signature tracing process
9.2.7 Requestor tracing evidence evaluation process
9.2.8 Signature tracing evidence evaluation process
Annex A (normative) Object identifiers
Annex B (normative) Conversion functions
B.1 Conversions between bit strings and integers: BS2IP and I2BSP
Annex C (normative) Group description
Annex D (informative) Special hash functions
D.1 Hash function with larger output length: HL
D.2 Hashing to an element of a prime field: HBS2PF
D.3 Hashing to a point on an elliptic curve: HBS2ECP
D.4 Hashing to an element of a cyclic group: HBS2CG
Annex E (informative) Security considerations and comparison of blind signature mechanisms
E.1 Descriptions of mathematical assumptions
E.1.1 General
E.1.2 The discrete logarithm (DL) assumption
E.1.3 The decisional Diffie-Hellman (DDH) assumption
E.2 Guidance for parameters choice
E.2.1 Key sizes
E.2.2 Hash algorithm selection and digest sizes
E.2.3 Random number generation
E.3 Symbols and abbreviated terms for comparing each mechanism
E.4 Comparison of each mechanism
Annex F (informative) Numerical examples
F.1 Mechanism 1
F.1.1 Generation of domain parameters
F.1.2 Generation of signature key and verification key
F.1.3 Blind signature process
F.1.4 Verification process
F.2 Mechanism 2
F.2.1 Finite field based domain parameters
F.2.2 Elliptic curve based domain parameters
F.3 Mechanism 3
F.3.1 Finite field based domain parameters
F.3.2 Elliptic curve based domain parameters
F.4 Mechanism 4
F.4.1 Finite field based domain parameters
F.4.2 Elliptic curve based domain parameters
F.5 Mechanism 5
F.5.1 Finite field based domain parameters
F.5.2 Elliptic curve based domain parameters
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18370-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 18370 consists of the following parts, under the general title Information technology — Security
techniques — Blind digital signatures:
Part 1: General
Part 2: Discrete logarithm based mechanisms
Further parts may follow.
Introduction
Blind digital signature mechanisms are a special type of digital signature mechanism, as specified in ISO/IEC
9796 and ISO/IEC 14888, which allow a user (a requestor) to obtain a signature, from a signer of the user’s
choice, without giving the signer any information about the actual message or the resulting signature.
In some mechanisms, the signer does not completely lose control over the signed message since the signer
can include explicit information in the resulting signature under an agreement with the requestor. These types
of blind signatures are called blind signatures with partial disclosure.
Other mechanisms allow a requestor to receive a blind signature on a message not known to the signer but
the choice of the message is restricted and must conform to certain rules. They are called blind signature
mechanisms with selective disclosure.
Depending on the mechanism, it may be possible for an authorized entity to trace a signature to the requestor
who requested it. Such an entity can either identify a signature that resulted from a given signature request
(signature tracing), or link a signature to the receiver who requested it (requestor tracing). Blind signature
mechanisms with tracing features are called traceable blind signature mechanisms.
ISO/IEC 18370 specifies blind digital signature mechanisms as well as three of their variants: blind digital
signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and
traceable blind digital signature mechanisms. ISO/IEC 18370-1 specifies principles and requirements for these
mechanisms. ISO/IEC 18370-2 specifies several specific instances of these mechanisms.
The security of blind digital signature mechanisms and their variants depends on computational problems
believed to be intractable, i.e. problems for which, given current knowledge, finding a solution is
computationally infeasible, such as the integer factorization problem and the discrete logarithm problem in an
appropriate group. The mechanisms specified in this part of ISO/IEC 18370 are based on the latter problem.
ISO/IEC 18370 does not specify mechanisms for key management or for certification of public keys. A variety
of means are available for obtaining a reliable copy of the public verification key, e.g., a public key certificate.
Techniques for managing keys and certificates are outside the scope of ISO/IEC 18370. For further
information, see ISO/IEC 9594-8, ISO/IEC 11770-3 and ISO/IEC 15945.
The mechanisms specified in this document use a collision resistant hash-function to hash the message to be
blindly signed. ISO/IEC 10118 specifies hash-functions.
The generation of key pairs requires random bits and prime numbers. The generation of signatures requires
random bits. Techniques for producing random bits and prime numbers are outside the scope of ISO/IEC
18370. For further information, see ISO/IEC 18031 and ISO/IEC 18032.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 18370-2
Information technology — Security techniques — Blind digital signatures
— Part 2: Discrete logarithm based mechanisms
1 Scope
This part of ISO/IEC 18370 specifies blind digital signature mechanisms, together with mechanisms for three
variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure,
blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms.
The security of all the mechanisms in this part of ISO/IEC 18370 is based on the discrete logarithm problem.
For each mechanism, this part of ISO/IEC 18370 specifies:
the process for generating the keys of the entities involved in these mechanisms;
the process for producing blind signatures;
the process for verifying signatures.
This part of ISO/IEC 18370 specifies another process specific to blind signature mechanisms with selective
disclosure, namely:
the presentation process.
Furthermore, this part of ISO/IEC 18370 specifies other processes, specific to traceable blind signature
mechanisms, namely:
the process for tracing requestors;
the process for tracing signatures;
the requestor tracing evidence evaluation process (optional); and,
the signature tracing evidence evaluation process (optional).
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 18370-1, Information technology — Security techniques — Blind digital signatures — Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 18370-1 and the following apply.
3.1
cyclic group
group Ε of n elements that contains an element a ∈ Ε, called the generator, of order n.
[SOURCE: ISO/IEC 14888-3:2006, 3.2]
3.2
finite commutative group
finite set Ε with the binary operation "∗" such that
for all a, b, c ∈ Ε, (a ∗ b)∗ c = a ∗ (b ∗ c)
there exists e ∈ Ε with e ∗ a = a for all a ∈ Ε
for all a ∈ Ε there exists b ∈ Ε with b ∗ a = e
for all a, b ∈ Ε , a ∗ b = b ∗ a
Note 1 to entry If a^0 = e, and a^{n+1} = a ∗ a^n (for n ≥ 0) is defined recursively, the order of a ∈ Ε is the least positive
integer n such that a^n = e.
Note 2 to entry In some cases, such as when Ε is the set of points on an elliptic curve, arithmetic in the finite set Ε is
described using additive notation.
[SOURCE:ISO/IEC 14888-3:2006, 3.1]
3.3
pairing
function which takes two elements, P and Q, from an elliptic curve cyclic group over a finite field, G_1, as input,
and produces an element from another cyclic group over a finite field, G_2, as output, and which has the
following two properties (where we assume that the cyclic groups G_1 and G_2 have order q, for some prime q,
and for any two elements P, Q, the output of the pairing function is written as <P, Q>)
Bilinearity: if P, P_1, P_2, Q, Q_1, Q_2 are elements of G_1 and a is an integer satisfying 1 ≤ a ≤ q – 1, then
<P_1 + P_2, Q> = <P_1, Q> ∗ <P_2, Q>,
<P, Q_1 + Q_2> = <P, Q_1> ∗ <P, Q_2>,
<[a]P, Q> = <P, [a]Q> = <P, Q>^a.
Non-degeneracy: if P is a non-identity element of G_1, ≠ 1.
[SOURCE:ISO/IEC 14888-3:2006, 3.3]
3.4
security parameters
variables that determine the security strength of a mechanism
4 Symbols and abbreviated terms
For the purpose of this part of ISO/IEC 18370, the following symbols and abbreviations apply.
a ∈ A indicates that element a is in set A.
a || b concatenation of a and b in the order specified.
A ⊆ B indicates that the set A is a subset of or equal to set B.
A \ B when A and B are sets, this represents the set of elements present in A but not in B.
D bit length of D if D is a bit string, or bit size of D if D is a number (i.e., 0 if D = 0, or the unique
integer i such that 2^{i – 1} ≤ D < 2^i if D > 0).
E An elliptic curve over the field F_p for a prime p > 3
E(F_p) The set of all points (x, y), x ∈ F_p, y ∈ F_p which satisfy the defining equation of the curve, together
with the point at infinity O_E
#E(F_p) The order (or cardinality) of E(F_p)
F_q The finite field consisting of exactly q elements
g a generator of G_q
gcd(N_1, N_2) the greatest common divisor of integers N_1 and N_2
G_q a cyclic group of prime order q. For uniformity, the multiplicative notation of the subgroup
construction is used throughout. As such, when using the elliptic curve construction it should be
understood that ab represents the group addition of points a and b, that a/b represents the group
addition of the point a to the additive inverse of the point b, and that a^b represents the scalar
multiplication of point a by the integer b.
H a cryptographic hash function
I a set of integers
[n]P multiplication operation that takes a positive integer n and a point P on the curve E as input and
produces as output another point Q on the curve E, where Q = [n]P = P + P +…+ P added n – 1
times. The operation satisfies [0]P = O_E (the point at infinity), and [-n]P = [n](-P).
O_E the point at infinity on the elliptic curve E
P + Q the elliptic curve sum of points P and Q
q a prime number of size l_q-bit
Z_p the set of integers in [0, p - 1], with arithmetic defined modulo p
Z_N^* the set of integers U with 0 < U < N and gcd(U, N) = 1, with arithmetic defined modulo N
(a|p) The Legendre symbol of a and p where a is an integer and p is an odd prime number
∏_{i ∈ I} a_i a product of the values a_i for which i ∈ I.
[x, y] the set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.
<.,.> a bilinear and non-degenerate pairing
⟨…⟩ an ordered list of values to be hashed
NOTE This part of ISO/IEC 18370 considers two constructions for the group G_q in which it is infeasible to compute
discrete logarithms. The first is based on a subgroup of a finite field, and the second is based on elliptic curves over a
prime field. Details of these two constructions are provided in Annex C.
5 General requirements
In order to use any of the mechanisms specified in this part of ISO/IEC 18370, the following requirements
must be met:
Each entity involved in a blind signature mechanism shall be aware of the public domain parameters;
Each entity shall have access to an authentic copy of the necessary public keys, such as the public
verification key; and,
Each requestor, in a traceable blind signature mechanism, shall have a distinguishing identifier that is
unambiguously bound to the private requestor key. The distinguishing identifier for a requestor can be the
public requestor key.
Before issuing a blind signature, the signer may authenticate the requestor. ISO/IEC 18370 does not specify
mechanisms for entity authentication. For this purpose, the use of one of the mechanisms specified in
ISO/IEC 9798 is recommended.
For traceable blind signature mechanisms, this standard does not specify in which circumstances a requestor
tracing process or a signature tracing process should be used.
6 Blind signature mechanisms
6.1 General
This clause specifies a blind signature mechanism.
NOTE The mechanism in this section is based on [19] and the associated security analysis is given in [22].
6.2 Mechanism 1
6.2.1 Security parameters
The following symbols apply in the specification of this mechanism.
k, l_q: security parameters;
6.2.2 Key generation process
The key generation process of a blind signature mechanism consists of the following procedures:
generating domain parameters; and,
generating a private signature key and a public verification key.
The first procedure is executed once when the domain is set up. The second procedure is executed for each
signer within the domain. The outputs are a private signature key and the corresponding public verification key.
6.2.2.1 Generation of domain parameters
The set of domain parameters includes the following parameters:
q a prime number of size l_q-bit;
G_q, a cyclic group of prime order q;
g_1 a random generator of G_q;
g_2 a random generator of G_q different from g_1.
NOTE An example of recommended parameters for typical security levels is provided in Annex E.2.
H: a hash function that outputs k-bit message digest.
6.2.2.2 Generation of signature key and verification key
The signer computes a signature key as follows:
a) The signer randomly picks two integers x_1, x_2 from [1, q-1]
b) The signer computes y = g_1^{-x_1} g_2^{-x_2}
The signature key is the pair (x_1, x_2) and the verification key is y.
6.2.3 Blind signature process
A blind signature process is an interactive protocol between a signer and a requestor. By executing the
signing protocol, the requestor obtains a valid signature of a message of the requestor's choice in such a way
that the signer learns nothing about the message and the resulting signature.
The signature process involves the following steps. The message to be blindly signed is denoted by m where
m ∈ {0, 1}^*.
a) The signer randomly picks two integers w_1, w_2 ∈ [0, q - 1]
b) The signer computes a = g_1^{w_1} g_2^{w_2}
c) The signer sends a to the requestor
d) The requestor receives a from the signer
e) The requestor chooses a random integer α ∈ [0, q - 1]
f) The requestor chooses a random integer β ∈ [0, q - 1]
g) The requestor chooses a random integer γ ∈ [0, q - 1]
h) The requestor computes a' = a g_1^α g_2^β y^{-γ}
i) The requestor computes c' = H(m || a')
j) The requestor computes c = c' + γ mod q
k) The requestor sends c to the signer
l) The signer receives c from the requestor
...
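The following Python sketch is an added example, not text from ISO/IEC 18370-2: it runs the key generation of 6.2.2.2 and steps a) to k) of 6.2.3 in a constructed toy group. The signer response, unblinding and verification fall outside this excerpt, so the versions used here follow the textbook Okamoto-Schnorr construction and are assumptions, as are the byte encoding of a' and the reduction of the digest mod q.

```python
import hashlib
import secrets

# Constructed toy group (NOT a secure size): p = 2q + 1, subgroup of prime order q.
P, Q = 2039, 1019
G1, G2 = 4, 9  # squares mod P, so order Q; a real g2 must have an unknown log to g1

def H(m: bytes, a: int) -> int:
    """c' = H(m || a'): a' as fixed-width bytes, digest reduced mod q (assumed encoding)."""
    data = m + a.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    # 6.2.2.2: x1, x2 in [1, q-1]; y = g1^-x1 * g2^-x2
    x1, x2 = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    y = pow(G1, Q - x1, P) * pow(G2, Q - x2, P) % P
    return (x1, x2), y

def signer_commit():
    # steps a)-b): w1, w2 in [0, q-1]; a = g1^w1 * g2^w2
    w1, w2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (w1, w2), pow(G1, w1, P) * pow(G2, w2, P) % P

def requestor_blind(m, a, y):
    # steps e)-j): a' = a * g1^alpha * g2^beta * y^-gamma; c' = H(m || a'); c = c' + gamma mod q
    alpha, beta, gamma = (secrets.randbelow(Q) for _ in range(3))
    a_blind = a * pow(G1, alpha, P) * pow(G2, beta, P) * pow(y, (Q - gamma) % Q, P) % P
    c_prime = H(m, a_blind)
    return (alpha, beta, c_prime), (c_prime + gamma) % Q

def signer_respond(sk, w, c):
    # ASSUMED completion (not in the excerpt): r_i = w_i + c * x_i mod q
    return (w[0] + c * sk[0]) % Q, (w[1] + c * sk[1]) % Q

def requestor_unblind(state, r):
    # ASSUMED completion: r_i' = r_i + blinding factor; signature is (c', r1', r2')
    alpha, beta, c_prime = state
    return c_prime, (r[0] + alpha) % Q, (r[1] + beta) % Q

def verify(m, sig, y):
    # ASSUMED check: c' == H(m || g1^r1' * g2^r2' * y^c')
    c_prime, r1, r2 = sig
    return c_prime == H(m, pow(G1, r1, P) * pow(G2, r2, P) * pow(y, c_prime, P) % P)

def run_protocol(m: bytes):
    sk, y = keygen()
    w, a = signer_commit()
    state, c = requestor_blind(m, a, y)  # the signer only ever sees a and c
    return y, requestor_unblind(state, signer_respond(sk, w, c))
```

The signer's view is limited to a and c, while the published signature contains c' and the shifted responses, which is what prevents the signer from linking a signature back to the session that produced it.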