ISO/IEC 14888-3:2006/Amd 1:2010
(Amendment)Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Amendment 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms — Amendment 1: Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm
Technologies de l'information — Techniques de sécurité — Signatures numériques avec appendice — Partie 3: Mécanismes basés sur un logarithme discret — Amendement 1: Algorithme de signature numérique russe de courbe elliptique, algorithme de signature numérique schnorr, algorithme de signature numérique schnorr de courbe elliptique, et algorithme de signature numérique schnorr totale de courbe elliptique
General Information
Relations
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 14888-3
Second edition
2006-11-15
AMENDMENT 1
2010-06-15
Information technology — Security
techniques — Digital signatures with
appendix —
Part 3:
Discrete logarithm based mechanisms
AMENDMENT 1: Elliptic Curve Russian
Digital Signature Algorithm, Schnorr Digital
Signature Algorithm, Elliptic Curve Schnorr
Digital Signature Algorithm, and Elliptic
Curve Full Schnorr Digital Signature
Algorithm
Technologies de l'information — Techniques de sécurité — Signatures
numériques avec appendice —
Partie 3: Mécanismes basés sur un logarithme discret
AMENDEMENT 1: Algorithme de signature numérique russe de courbe
elliptique, algorithme de signature numérique schnorr, algorithme de
signature numérique schnorr de courbe elliptique, et algorithme de
signature numérique schnorr totale de courbe elliptique
Reference number
ISO/IEC 14888-3:2006/Amd.1:2010(E)
©
ISO/IEC 2010
---------------------- Page: 1 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Amendment 1 to ISO/IEC 14888-3:2006 was prepared by Joint Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 27, IT Security techniques.
Amendment 1 to ISO/IEC 14888-3:2006 introduces four digital signature algorithms: Elliptic Curve Russian
Digital Signature Algorithm (EC-RDSA), Schnorr Digital Signature Algorithm (SDSA), Elliptic Curve Schnorr
Digital Signature Algorithm (EC-SDSA), and Elliptic Curve Full Schnorr Digital Signature Algorithm (EC-
FSDSA). Object identifiers, test vectors, a comparison of certificate-based mechanisms, and claimed features
for choosing a mechanism are given.
© ISO/IEC 2010 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
Information technology — Security techniques — Digital
signatures with appendix —
Part 3:
Discrete logarithm based mechanisms
AMENDMENT 1: Elliptic Curve Russian Digital Signature Algorithm,
Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital
Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature
Algorithm
Page 1, Clause 2
In the second normative reference, replace “1998” with “2008”.
Page 3, Clause 4
Add the following to the end of the list of symbols:
Π y-value of Π
Y
F a finite field
F a finite field of prime order p
P
*
Z a multiplicative group over F
P P
Page 27, Clause 6
Add the following subclauses after 6.6.4.6:
6.7 EC-RDSA
6.7.1 Introduction to EC-RDSA
EC-RDSA (Elliptic Curve Russian Digital Signature Algorithm) is a signature mechanism with verification key
Y = [X]G; that is, the parameter D is equal to 1. The message is prepared such that M is empty and M is
1 2
the message to be signed, i.e., M = M. The coefficients (A, B, C) of the EC-RDSA signature equation are set
2
as follows:
(A, B, C) = (T ,T , -S),
1 2
where (,TT ) = (H, R) and H = h(M) is the hash-code of message M, converted to an integer as described in
12
6.7.4.5.
The witness function is defined by the formula
R = FE2I(Π ) mod q.
X
© ISO/IEC 2010 – All rights reserved 1
---------------------- Page: 4 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
Thus the signature equation becomes
HK + RX - S ≡ 0 (mod q).
NOTE EC-RDSA stands for Elliptic Curve Russian Digital Signature Algorithm. The mechanism is taken from a Russian
State Standard [36]. The notation here has been changed from GOST R 34.10-2001 to conform with the notation used in
ISO/IEC 14888.
6.7.2 Parameters
p a prime
E an elliptic curve group over the field GF()p
#E the cardinality of E
q a prime divisor of #E
G a point on the elliptic curve of order q
Hash-function identifier or OID with specified hash-function.
All these parameters can be public and can be common to a group of users.
6.7.3 Generation of signature key and verification key
The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0
< X < q. The parameter D is 1. The corresponding public verification key Y is
Y = [X]G.
A user’s secret signature key X and public verification key Y are normally fixed for a period of time. The
signature key X shall be kept secret.
NOTE The Russian standard for digital signature (GOST R 34.10-2001) does not completely specify the process of
generation of a user’s secret signature key X.
6.7.4 Signature process
6.7.4.1 Producing the randomizer
The signing entity generates a random or pseudo-random integer K such that 0 < K < q.
6.7.4.2 Producing the pre-signature
The input to this stage is the randomizer K, and the signing entity computes
Π = [K]G.
6.7.4.3 Preparing message for signing
The message is prepared such that M is empty and M is the message to be signed, i.e., M = M.
1 2 2
2 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.7.4.4 Computing the witness
The signing entity computes R = FE2I(Π ) mod q.
X
6.7.4.5 Computing the assignment
The signing entity computes Hh= ()M . H is then converted to an integer according to conversion rule BS2I
2
in Annex B. If H is equal to 0 mod q, then H is set to 1. The assignment (T , T ) is (BS2I(H), R), if BS2I(H) ≠
1 2
0 (mod q), or (1, R) otherwise.
6.7.4.6 Computing the second part of the signature
The signature is (R, S) where R is computed as given in 6.7.4.4, and
S = RX + KH mod q.
The signer should check whether R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be
generated and the signature should be recalculated.
6.7.4.7 Constructing the appendix
The appendix will be the concatenation of (R, S) and an optional text field text, i.e. it will equal ((RS,|)|text).
6.7.4.8 Constructing the signed message
A signed message is the concatenation of the message M and the appendix
MR|| (( ,S) ||text).
6.7.5 Verification process
6.7.5.1 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier then
checks whether 0 < R < q and 0 < S < q; if either condition does not hold, the signature shall be rejected.
6.7.5.2 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M and M . M will
1 2 1
be empty and M = M.
2
6.7.5.3 Retrieving the assignment
This stage is identical to 6.7.4.5. The inputs to the assignment function consist of the witness R from 6.7.5.1
and M from 6.7.5.2. The assignment TT= ( ,T ) is recomputed as the output from the assignment function
2 12
given in 6.7.4.5.
© ISO/IEC 2010 – All rights reserved 3
---------------------- Page: 6 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.7.5.4 Recomputing the pre-signature
The inputs to this stage are system parameters, the verification key Y, the assignment TT=(,T ) from
12
6.7.5.3, and the second part of the signature S from 6.7.5.1. The verifier obtains a recomputed value Π of the
pre-signature by computing it using the formula
−−11
Π=−[mTT odq]Y+[T S modq]G.
12 1
6.7.5.5 Recomputing the witness
The computations at this stage are the same as in 6.7.4.4. The verifier executes the witness function. The
input is Π from 6.7.5.4. The output is the recomputed witness R.
6.7.5.6 Verifying the witness
The verifier compares the recomputed witness, R from 6.7.5.5 to the retrieved version of R from 6.7.5.1. If
R = R, then the signature is verified.
6.8 SDSA
6.8.1 Introduction to SDSA
*
SDSA (Schnorr Digital Signature Algorithm) is a signature mechanism with E = Z , p a prime, and q a prime
P
dividing p-1. The parameter D is equal to 1. The message is prepared such that M is the message to be
1
signed, i.e., M = M, and M is empty. The witness function is defined by setting R equal to a hash-code. The
1 2
assignment function is defined by setting T = -1 and T equal to the negative of the integer which is obtained
1 2
by converting R to an integer according to the conversion rule, BS2I, given in Annex B and then reducing
modulo q.
The coefficients (A, B, C) of the SDSA signature equation are set as follows
(A, B, C) = (,TT,S).
12
Thus the signature equation becomes
-K+ T X+S ≡ 0 (mod q).
2
6.8.2 Parameters
αα−1
p a prime, where 22<
ββ−1
q a prime divisor of p -1, where 22<
G a generator of the subgroup of order q, such that 1 < G < q.
Four choices for the pair (α, h) are allowed in SDSA, namely (1024, SHA-1), (2048, SHA-224), (2048, SHA-
256), and (3072, SHA-256). Corresponding β should be selected according to α in 5.1.3.1, Table 1.
The integers p, q, and G can be public and can be common to a group of users.
The parameters p, q and G are generated as specified in Annex D. The parameters p and q can be generated
using the prime generation techniques given in ISO/IEC 18032.
NOTE 1 It is recommended that all users check the proper generation of the SDSA public parameters according to
FIPS PUB 186-3.
4 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
NOTE 2 SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures. The use
of SHA-1 is not recommended for the generation of digital signatures.
6.8.3 Generation of signature key and verification key
The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0
< X < q. The parameter D is 1. The corresponding public verification key Y is
X
Y = G mod p.
A user's secret signature key X and public verification key Y are normally fixed for a period of time. The
signature key X shall be kept secret.
6.8.4 Signature process
6.8.4.1 Producing the randomizer
The signing entity computes a random or pseudo-random integer K such that 0 < K < q.
6.8.4.2 Producing the pre-signature
The input to this stage is the randomizer K, and the signing entity computes
K
Π = G mod p.
6.8.4.3 Preparing message for signing
The message is prepared such that M is the message to be signed, i.e., M = M, and M is empty.
1 1 2
6.8.4.4 Computing the witness
The signing entity computes the witness R as the hash-code of the pre-signature Π and the first part of the
message M
1
R =h(Π||M).
6.8.4.5 Computing the assignment
The witness R is converted to an integer according to conversion rule, BS2I, in Annex B and then reducing
modulo q. The assignment (T1, T2) is (-1, -BS2I(R) mod q).
6.8.4.6 Computing the second part of the signature
The signature is (R, S) where S = (K + BS2I(R)X) mod q.
As an option, one may wish to check if R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be
generated and the signature should be recalculated. (It is extremely unlikely that R = 0 or S = 0 if signatures
are generated properly).
6.8.4.7 Constructing the appendix
The appendix will be the concatenation of (R, S) and an optional text field text.
© ISO/IEC 2010 – All rights reserved 5
---------------------- Page: 8 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.8.4.8 Constructing the signed message
A signed message is the concatenation of the message, M, and the appendix
MR|| (( ,S) ||text).
6.8.5 Verification process
The verifying entity acquires the necessary data items required for the verification process.
6.8.5.1 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier
checks to see that R is a non-zero string within the range of the hash function and that 0 < S < q.
6.8.5.2 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M and M , such
1 2
that M = M and M is empty.
1 2
6.8.5.3 Retrieving the assignment
The input to the assignment function consists of the witness R from 6.8.5.1. The assignment
T = (TT, ) = (-1, -BS2I(R) mod q).
12
6.8.5.4 Recomputing the pre-signature
The inputs to this stage are domain parameters, verification key Y, assignment TT= ( ,T )from 6.8.5.3 and
12
second part of the signature S from 6.8.5.1. The verifier obtains a recomputed value Π ' of the pre-signature
by computing it using the formula
(T mod q) (-ST mod q)
2 1
Π '=Y G mod p.
6.8.5.5 Recomputing the witness
The computations at this stage are the same as in 6.8.4.4 and 6.8.4.5. The verifier executes the witness
function. The input is Π ' from 6.8.5.4 and M from 6.8.5.2. The output is the recomputed witness R' which is
1
the hash-code of the recomputed pre-signature Π ' and the message M.
6.8.5.6 Verifying the witness
The verifier compares the recomputed witness, R' from 6.8.5.5 to the retrieved version of R from 6.8.5.1. If
RR',= then the signature is verified.
6 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.9 EC-SDSA
6.9.1 Introduction to EC-SDSA
EC-SDSA (Elliptic Curve Schnorr Digital Signature Algorithm) is a signature mechanism with verification key Y
= [X]G; that is, the parameter D is equal to 1. The message is prepared such that M is empty and M = M
2 1
the message to be signed. The witness R is computed as hash-code
R = h(FE2BS(Π ) || FE2BS(Π ) || M).
X Y
NOTE This specification of EC-SDSA generates the witness by hashing the concatenation of the x-coordinate, the y-
coordinate and the message. However, the mechanism would remain secure even if the y-coordinate was omitted from
the hash computation. As a result, future versions of this standard may permit the omission of the y-coordinate from the
hash calculation to improve performance.
The coefficients (A, B, C) of the EC-SDSA signature equation are set as follows:
(A, B, C) = (,TT,S),
12
where (TT, ) = (-1, -BS2I(R) mod q).
12
Thus the signature equation becomes:
-K+ T X+S ≡ 0 (mod q).
2
6.9.2 Parameters
F a finite field
E elliptic curve group over the field F
#E cardinality of E
q prime divisor of #E
G a point of order q on the elliptic curve
Hash-function identifier or OID with specified hash-function.
All these parameters can be public and can be common to a group of users.
NOTE It is recommended that all users check the proper generation of the public parameters according to X9.62 [5].
6.9.3 Generation of signature key and verification key
The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0
< X < q. The parameter D is 1. The corresponding public verification key Y is Y = [X]G.
A user's secret signature key X and public verification key Y are normally fixed for a period of time. The
signature key X shall be kept secret.
6.9.4 Signature process
6.9.4.1 Producing the randomizer
The signing entity computes a random or pseudo-random integer K such that 0 < K < q.
© ISO/IEC 2010 – All rights reserved 7
---------------------- Page: 10 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.9.4.2 Producing the pre-signature
The input to this stage is the randomizer K, and the signing entity computes Π = [K]G.
6.9.4.3 Preparing message for signing
The message is prepared such that M is the message to be signed, i.e., M = M, and M is empty.
1 1 2
6.9.4.4 Computing the witness
The signing entity computes the witness R = h(FE2BS(Π )||FE2BS(Π )||M).
X Y
6.9.4.5 Computing the assignment
The witness R is converted to an integer according to conversion rule, BS2I, in Annex B and then reducing
modulo q.
The assignment (T1, T2) is (-1, -BS2I(R) mod q).
6.9.4.6 Computing the second part of the signature
The signature is (R, S) where S = (K + BS2I(R)X) mod q.
As an option, one may wish to check if R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be
generated and the signature should be recalculated. (It is extremely unlikely that R = 0 or S = 0 if signatures
are generated properly).
6.9.4.7 Constructing the appendix
The appendix will be the concatenation of (R, S) and an optional text field, text.
6.9.4.8 Constructing the signed message
A signed message is the concatenation of the message, M, and the appendix:
MR|| (( ,S) ||text).
6.9.5 Verification process
The verifying entity acquires the necessary data items required for the verification process.
6.9.5.1 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier first
checks to see that R is a non-zero string within the range of the hash function and 0 < S < q; if either condition
is violated the signature shall be rejected.
8 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.9.5.2 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M and M , such
1 2
that M = M and M is empty.
1 2
6.9.5.3 Retrieving the assignment
The input to the assignment function consists of the witness R from 6.9.5.1. The assignment T = (,TT)=
12
(-1, -BS2I(R) mod q).
6.9.5.4 Recomputing the pre-signature
The inputs to this stage are system parameters, verification key Y, assignment TT= ( ,T ) from 6.9.5.3 and
12
second part of the signature S from 6.9.5.1. The verifier obtains a recomputed value Π ' of the pre-signature
by computing it using the formula
Π ' = [-ST mod q]G + [T mod q]Y.
1 2
6.9.5.5 Recomputing the witness
The computations at this stage are the same as in 6.9.4.4 and 6.9.4.5. The verifier executes the witness
function from 6.9.4.4. The input is Π ' from 6.9.5.4. The output is the recomputed witness R' which is the
hash-code of the recomputed pre-signature Π ' and the message M.
6.9.5.6 Verifying the witness
The verifier compares the recomputed witness, R ' from 6.9.5.5 to the retrieved version of R from 6.9.5.1. If
RR',= then the signature is verified.
6.10 EC-FSDSA
6.10.1 Introduction to EC-FSDSA
EC-FSDSA (Elliptic Curve Full Schnorr Digital Signature Algorithm) is a signature mechanism with verification
key Y = [X]G; that is, the parameter D is equal to 1. The message is prepared such that M is empty and M =
1 2
M the message to be signed. The witness R is computed as
R = FE2BS(Π )||FE2BS(Π ).
X Y
A, B, C) of the EC-FSDSA signature equation are set as follows
The coefficients (
(A, B, C) = (,TT,S),
12
where T = (TT, ) = (-1, -BS2I(h(R||M)) mod q).
12
Thus, the signature equation becomes
-K +T X + S ≡ 0 (mod q).
2
© ISO/IEC 2010 – All rights reserved 9
---------------------- Page: 12 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.10.2 Parameters
F a finite field
E an elliptic curve group over the field F
#E the cardinality of E
q a prime divisor of #E
G a point of order q on the elliptic curve E
Hash function identifier or OID with specified hash function.
All these parameters can be public and can be common to a group of users.
NOTE It is recommended that all users check the proper generation of the public parameters according to X9.62[5].
6.10.3 Generation of signature key and verification key
The signature key of a signing entity is a secretly generated random or pseudo-random integer X such that 0
< X < q. The parameter D is 1. The corresponding public verification key Y is Y = [X]G.
A user's secret signature key X and public verification key Y are normally fixed for a period of time. The
signature key X shall be kept secret.
6.10.4 Signature process
6.10.4.1 Producing the randomizer
The signing entity computes a random or pseudo-random integer K such that 0 < K < q.
6.10.4.2 Producing the pre-signature
The input to this stage is the randomizer K, and the signing entity computes Π = [K]G.
6.10.4.3 Preparing message for signing
The message is prepared such that M is the message to be signed, i.e., M = M, and M is empty.
2 1
6.10.4.4 Computing the witness
The signing entity computes R = FE2BS(Π )||FE2BS(Π ).
X Y
6.10.4.5 Computing the assignment
The signing entity computes the hash code h(R||M). Afterwards, the hash code is converted to an integer
according to conversion rule, BS2I, in Annex B and then reduced modulo q. The assignment (T1, T2) is (-1, -
BS2I(h(R||M)) mod q).
10 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.10.4.6 Computing the second part of the signature
The signature is (R, S) where S = (K+BS2I(h(R||M))X mod q).
As an option, one may wish to check if R = 0 or S = 0. If either R = 0 or S = 0, a new value of K should be
generated and the signature should be recalculated. (It is extremely unlikely that R = 0 or S = 0 if signatures
are generated properly).
6.10.4.7 Constructing the appendix
The appendix will be the concatenation of (R,S) and an optional text field, text.
6.10.4.8 Constructing the signed message
A signed message is the concatenation of the message, M, and the appendix:
((MR|| ,S) ||text).
6.10.5 Verification process
The verifying entity acquires the necessary data items required for the verification process.
6.10.5.1 Retrieving the witness
The verifier retrieves the witness R and the second part of the signature S from the appendix. The verifier first
checks to see that R represents a point on E and 0 < S < q; if either condition is violated the signature shall be
rejected.
6.10.5.2 Preparing message for verification
The verifier retrieves M from the signed message and divides the message into two parts M and M , such
1 2
that M = M and M is empty.
2 1
6.10.5.3 Retrieving the assignment
The input to the assignment function is computed as in 6.10.4.5 from the witness R from 6.10.4.4 and the
message M from 6.10.4.3. The assignment is given by T = (TT, ) = (-1, -BS2I(h(R||M)) mod q).
12
6.10.5.4 Recomputing the pre-signature
The inputs to this stage are system parameters, verification key Y, assignment TT= ( ,T ) from 6.10.5.3 and
12
second part of the signature S from 6.10.5.1. The verifier obtains a recomputed value Π ' of the pre-signature
by computing it using the formula
Π ' = [-ST mod q]G + [T mod q]Y.
1 2
6.10.5.5 Recomputing the witness
The computations at this stage are the same as in 6.10.4.4. The verifier executes the witness function. The
input is Π ' from 6.10.5.4. The output is the recomputed witness R'.
© ISO/IEC 2010 – All rights reserved 11
---------------------- Page: 14 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
6.10.5.6 Verifying the witness
The verifier compares the recomputed witness, R ' from 6.10.5.5 to the retrieved version of R from 6.10.5.1. If
RR',= then the signature is verified.
Page 33, Annex A
Replace all text after the first paragraph with the following:
DigitalSignatureWithAppendixDL {
iso(1) standard(0) digital-signature-with-appendix (14888) part(3)
asn1-module(1) discrete-logarithm-based-mechanisms(0) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- EXPORTS All; --
IMPORTS
HashFunctions
FROM DedicatedHashFunctions {
iso(1) standard(0) encryption-algorithms(10118) part(3) asn1-module(1)
dedicated-hash-functions(0) } ;
OID ::= OBJECT IDENTIFIER -- alias
-- Synonyms --
id-dswa-dl OID ::= {
iso(1) standard(0) digital-signature-with-appendix(14888) part3(3)
algorithm(0) }
-- Assignments --
id-dswa-dl-DSA OID ::= { iso(1) member-body(2) us(840) ansi-x9-57(10040)
x9cm(4) dsa-with-sha1(3) }
id-dswa-dl-KCDSA OID ::= { id-dswa-dl kcdsa(2) }
id-dswa-dl-PVS OID ::= { id-dswa-dl pvs(3) }
id-dswa-dl-EC-DSA OID ::= { iso(1) member-body(2) us(840) ansi-x9-62(10045)
signatures(4) ecdsa-with-SHA1(1) }
id-dswa-dl-EC-KCDSA OID ::= { id-dswa-dl ec-kcdsa(5) }
id-dswa-dl-EC-GDSA OID ::= { id-dswa-dl ec-gdsa(6) }
id-dswa-dl-IBS-1 OID ::= { id-dswa-dl ibs-1(7) }
id-dswa-dl-IBS-2 OID ::= { id-dswa-dl ibs-2(8) }
id-dswa-dl-EC-RDSA OID ::= { id-dswa-dl ec-rdsa(9) }
id-dswa-dl-SDSA OID ::= { id-dswa-dl sdsa(10) }
id-dswa-dl-EC-SDSA OID ::= { id-dswa-dl ec-sdsa(11) }
id-dswa-dl-EC-FSDSA OID ::= { id-dswa-dl ec-fsdsa(12) }
DigitalSignatureWithAppendix ::= SEQUENCE {
algorithm ALGORITHM.&id({DSAlgorithms}),
parameters ALGORITHM.&Type({DSAlgorithms}{@algorithm}) OPTIONAL
}
12 © ISO/IEC 2010 – All rights reserved
---------------------- Page: 15 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
DSAlgorithms ALGORITHM ::= {
dswa-dl-DSA |
dswa-dl-KCDSA |
dswa-dl-PVS |
dswa-dl-EC-DSA |
dswa-dl-EC-KCDSA |
dswa-dl-EC-GDSA |
dswa-dl-IBS-1 |
dswa-dl-IBS-2 |
dswa-dl EC-RDSA |
dswa-dl SDSA |
dswa-dl EC-SDSA |
dswa-dl EC-FSDSA,
. -- Expect additional algorithms --
}
dswa-dl-DSA ALGORITHM ::= {
OID id-dswa-dl-DSA PARMS NullParms
}
dswa-dl-KCDSA ALGORITHM ::= {
OID id-dswa-dl-KCDSA PARMS HashFunctions
}
dswa-dl-PVS ALGORITHM ::= {
OID id-dswa-dl-PVS PARMS HashFunctions
}
dswa-dl-EC-DSA ALGORITHM ::= {
OID id-dswa-dl-EC-DSA PARMS NullParms
}
dswa-dl-EC-KCDSA ALGORITHM ::= {
OID id-dswa-dl-EC-KCDSA PARMS HashFunctions
}
dswa-dl-EC-GDSA ALGORITHM ::= {
OID id-dswa-dl-EC-GDSA PARMS HashFunctions
}
dswa-dl-IBS-1 ALGORITHM ::= {
OID id-dswa-dl-IBS-1 PARMS HashFunctions
}
dswa-dl-IBS-2 ALGORITHM ::= {
OID id-dswa-dl-IBS-2 PARMS HashFunctions
}
dswa-dl-EC-RDSA ALGORITHM ::= {
OID id-dswa-dl-EC-RDSA PARMS HashFunctions
}
dswa-dl-SDSA ALGORITHM ::= {
OID id-dswa-dl-SDSA PARMS HashFunctions
}
dswa-dl-EC-SDSA ALGORITHM ::= {
OID id-dswa-dl-EC-SDSA PARMS HashFunctions
}
dswa-dl-EC-FSDSA ALGORITHM ::= {
OID id-dswa-dl-EC-FSDSA PARMS HashFunctions
}
© ISO/IEC 2010 – All rights reserved 13
---------------------- Page: 16 ----------------------
ISO/IEC 14888-3:2006/Amd.1:2010(E)
NullParms ::= NULL
-- Cryptographic algorithm identification --
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { OID &id [PARMS &Type] }
END -- DigitalSignatureWithAppendixDL --
NOTE 1 - Alternative OIDs for KCDSA presented in KCAC.TG.OID are as follows:
{iso(1) member-body(2) korea(410) kisa(20004) npki-alg(1) kcdsa1(21)}
- KCDSA
{iso(1) member-body(2) korea(410) kisa(20004) npki-alg(1) kcdsa1WithHAS160(22)}
- KCDSA with HAS160, where the HA
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.