ISO/IEC 11770-3:2015

INTERNATIONAL ISO/IEC
STANDARD 11770-3
Third edition
2015-08-01
Information technology — Security
techniques — Key management —
Part 3:
Mechanisms using asymmetric
techniques
Technologies de l’information — Techniques de sécurité — Gestion de
clés —
Partie 3: Mécanismes utilisant des techniques asymétriques
Reference number
©
ISO/IEC 2015
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 2
4 Symbols and abbreviations . 7
5 Requirements . 9
6 Key derivation functions . 9
7 Cofactor multiplication . 9
8 Key commitment .10
9 Key confirmation .11
10 Framework for key management .12
10.1 General .12
10.2 Key agreement between two parties .12
10.3 Key agreement between three parties.12
10.4 Secret key transport .13
10.5 Public key transport .13
11 Key agreement .14
11.1 Key agreement mechanism 1.14
11.2 Key agreement mechanism 2.15
11.3 Key agreement mechanism 3.16
11.4 Key agreement mechanism 4.18
11.5 Key agreement mechanism 5.18
11.6 Key agreement mechanism 6.19
11.7 Key agreement mechanism 7.21
11.8 Key agreement mechanism 8.22
11.9 Key agreement mechanism 9.23
11.10 Key agreement mechanism 10 .24
11.11 Key agreement mechanism 11 .25
11.12 Key agreement mechanism 12 .26
12 Secret key transport .27
12.1 Secret key transport mechanism 1 .27
12.2 Secret key transport mechanism 2 .28
12.3 Secret key transport mechanism 3 .30
12.4 Secret key transport mechanism 4 .32
12.5 Secret key transport mechanism 5 .33
12.6 Secret key transport mechanism 6 .35
13 Public key transport .36
13.1 Public key transport mechanism 1 .36
13.2 Public key transport mechanism 2 .37
13.3 Public key transport mechanism 3 .38
Annex A (normative) Object identifiers .40
Annex B (informative) Properties of key establishment mechanisms .47
Annex C (informative) Examples of key derivation functions .49
Annex D (informative) Examples of key establishment mechanisms .56
Annex E (informative) Examples of elliptic curve based key establishment mechanisms.60
© ISO/IEC 2015 – All rights reserved iii

Annex F (informative) Example of bilinear pairing based key establishment mechanisms .68
Annex G (informative) Secret key transport .71
Annex H (informative) Patent information .76
Bibliography .80
iv © ISO/IEC 2015 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Security
techniques.
This third edition cancels and replaces the second edition (ISO/IEC 11770-3:2008 with
ISO/IEC 11770-3/Cor1:2009), which has been technically revised.
ISO/IEC 11770 consists of the following parts, under the general title Information technology — Security
techniques — Key management:
— Part 1: Framework
— Part 2: Mechanisms using symmetric techniques
— Part 3: Mechanisms using asymmetric techniques
— Part 4: Mechanisms based on weak secrets
— Part 5: Group key management
— Part 6: Key derivation
Further parts may follow.
© ISO/IEC 2015 – All rights reserved v

Introduction
This part of ISO/IEC 11770 describes schemes that can be used for key agreement and schemes that can
be used for key transport.
Public key cryptosystems were first proposed in the seminal paper by Diffie and Hellman in 1976. The
security of many such cryptosystems is based on the presumed intractability of solving the discrete
logarithm problem over certain finite fields. Other public key cryptosystems such as RSA are based on
the difficulty of the integer factorization problem.
A third class of public key cryptosystems is based on elliptic curves. The security of such a public
key system depends on the difficulty of determining discrete logarithms in the group of points of an
elliptic curve. When based on a carefully chosen elliptic curve, this problem is, with current knowledge,
much harder than the factorization of integers or the computation of discrete logarithms in a finite
field of comparable size. All known general purpose algorithms for determining elliptic curve discrete
logarithms take exponential time. Thus, it is possible for elliptic curve based public key systems to
use much shorter parameters than the RSA system or the classical discrete logarithm based systems
that make use of the multiplicative group of some finite field. This yields significantly shorter digital
signatures, as well as system parameters, and allows for computations using smaller integers.
This part of ISO/IEC 11770 includes mechanisms based on the following:
— finite fields;
— elliptic curves;
— bilinear pairings.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this International
Standard may involve the use of patents.
ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.
The holders of these patent rights have assured ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world.
In this respect, the statements of the holders of these patent rights are registered with ISO and IEC.
Information may be obtained from those in Annex H.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights other than those identified above. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.
vi © ISO/IEC 2015 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 11770-3:2015(E)
Information technology — Security techniques — Key
management —
Part 3:
Mechanisms using asymmetric techniques
1 Scope
This part of ISO/IEC 11770 defines key management mechanisms based on asymmetric cryptographic
techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals.
a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities
A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as
the result of a data exchange between the two entities A and B. Neither of them should be able to
predetermine the value of the shared secret key.
b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities
A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one
entity A and is transferred to another entity B, suitably protected by asymmetric techniques.
c) Make an entity’s public key available to other entities via key transport. In a public key transport
mechanism, the public key of entity A shall be transferred to other entities in an authenticated way,
but not requiring secrecy.
Some of the mechanisms of this part of ISO/IEC 11770 are based on the corresponding authentication
[6]
mechanisms in ISO/IEC 9798-3.
This part of ISO/IEC 11770 does not cover certain aspects of key management, such as
— key lifecycle management,
— mechanisms to generate or validate asymmetric key pairs, and
— mechanisms to store, archive, delete, destroy, etc. keys.
While this part of ISO/IEC 11770 does not explicitly cover the distribution of an entity’s private key
(of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport
mechanisms described can be used to achieve this. A private key can in all cases be distributed with
these mechanisms where an existing, non-compromised key already exists. However, in practice the
distribution of private keys is usually a manual process that relies on technological means such as
smart cards, etc.
This part of ISO/IEC 11770 does not specify the transformations used in the key management
mechanisms.
NOTE To provide origin authentication for key management messages, it is possible to make provisions
for authenticity within the key establishment protocol or to use a public key signature system to sign the key
exchange messages.
2 Normative references
The following referenced documents, in whole or in part, are normatively referenced in this document
and are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
© ISO/IEC 2015 – All rights reserved 1

ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 11770-1, Information technology — Security techniques — Key management — Part 1: Framework
ISO/IEC 15946-1, Information technology — Security techniques — Cryptographic techniques based on
elliptic curves — Part 1: General
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
asymmetric cryptographic technique
cryptographic technique that uses two related transformations, a public transformation (defined by the
public key) and a private transformation (defined by the private key), and has the property that given
the public transformation, then it is computationally infeasible to derive the private transformation
Note 1 to entry: A system based on asymmetric cryptographic techniques can either be an encryption system,
a signature system, a combined encryption and signature system, or a key agreement scheme. With asymmetric
cryptographic techniques there are four elementary transformations: signature and verification for signature
systems, encryption and decryption for encryption systems. The signature and the decryption transformations
are kept private by the owning entity, whereas the corresponding verification and encryption transformations
are published. There exist asymmetric cryptosystems (e.g. RSA) where the four elementary functions can be
achieved by only two transformations: one private transformation suffices for both signing and decrypting
messages, and one public transformation suffices for both verifying and encrypting messages. However, since this
does not conform to the principle of key separation, throughout this part of ISO/IEC 11770 the four elementary
transformations and the corresponding keys are kept separate.
3.2
asymmetric encryption system
system based on asymmetric cryptographic techniques whose public transformation is used for
encryption and whose private transformation is used for decryption
3.3
asymmetric key pair
pair of related keys where the private key defines the private transformation and the public key defines
the public transformation
3.4
certification authority
CA
centre trusted to create and assign public key certificates
3.5
collision-resistant hash-function
hash-function satisfying the following property: it is computationally infeasible to find any two distinct
inputs which map to the same output
[SOURCE: ISO/IEC 10118-1:2000, 3.2]
3.6
decryption
reversal of a corresponding encryption
[SOURCE: ISO/IEC 11770-1:2010, 2.6]
2 © ISO/IEC 2015 – All rights reserved

3.7
digital signature
data unit appended to, or a cryptographic transformation of, a data unit that allows a recipient of the
data unit to verify the origin and integrity of the data unit and protect the sender and the recipient of
the data unit against forgery by third parties, and the sender against forgery by the recipient
3.8
distinguishing identifier
information which unambiguously distinguishes an entity
[SOURCE: ISO/IEC 11770-1:2010, 2.9]
3.9
encryption
(reversible) transformation of data by a cryptographic algorithm to produce ciphertext, i.e. to hide the
information content of the data
[SOURCE: ISO/IEC 11770-1:2010, 2.10]
3.10
entity authentication
corroboration that an entity is the one claimed
[SOURCE: ISO/IEC 9798-1:2010, 3.14]
3.11
entity authentication of entity A to entity B
assurance of the identity of entity A for entity B
3.12
explicit key authentication from entity A to entity B
assurance for entity B that entity A is the only other entity that is in possession of the correct key
Note 1 to entry: Implicit key authentication from entity A to entity B and key confirmation from entity A to entity
B together imply explicit key authentication from entity A to entity B.
3.13
forward secrecy with respect to entity A
property that knowledge of entity A’s long-term private key subsequent to a key agreement operation
does not enable an opponent to recompute previously derived keys
3.14
forward secrecy with respect to both entity A and entity B individually
property that knowledge of entity A’s long-term private key or knowledge of entity B’s long-term private
key subsequent to a key agreement operation does not enable an opponent to recompute previously
derived keys
Note 1 to entry: This differs from mutual forward secrecy in which knowledge of both entity A’s and entity B’s
long-term private keys do not enable recomputation of previously derived keys.
3.15
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two
properties:
— it is computationally infeasible to find for a given output, an input which maps to this output;
— it is computationally infeasible to find for a given input, a second input which maps to the same
output
Note 1 to entry: Computational feasibility depends on the specific security requirements and environment.
© ISO/IEC 2015 – All rights reserved 3

Note 2 to entry: For the purposes of this standard all hash-functions are assumed to be collision-resistant
(see 3.5).
[SOURCE: ISO/IEC 10118-1:2000, 3.5]
3.16
implicit key authentication from entity A to entity B
assurance for entity B that entity A is the only other entity that can possibly be in possession of the
correct key
3.17
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encryption,
decryption, cryptographic check function computation, signature calculation, or signature verification)
[SOURCE: ISO/IEC 11770-1:2010, 2.12]
3.18
key agreement
process of establishing a shared secret key between entities in such a way that neither of them can
predetermine the value of that key
Note 1 to entry: By predetermine it is meant that neither entity A nor entity B can, in a computationally efficient
way, choose a smaller key space and force the computed key in the protocol to fall into that key space.
3.19
key commitment
process of committing to use specific keys in the operation of a key agreement scheme before revealing
the specified keys
3.20
key confirmation from entity A to entity B
assurance for entity B that entity A is in possession of the correct key
3.21
key control
ability to choose the key or the parameters used in the key computation
3.22
key derivation function
function that outputs one or more shared secrets, for use as keys, given shared secrets and other
mutually known parameters as input
3.23
key establishment
process of making available a shared secret key to one or more entities, where the process includes key
agreement and key transport
3.24
key token
key management message sent from one entity to another entity during the execution of a key
management mechanism
3.25
key transport
process of transferring a key from one entity to another entity, suitably protected
3.26
message authentication code
MAC
4 © ISO/IEC 2015 – All rights reserved

string of bits which is the output of a MAC algorithm
[1]
Note 1 to entry: A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 ).
[SOURCE: ISO/IEC 9797-1:2011, 3.9]
3.27
Message Authentication Code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings
of bits, satisfying the following two properties:
— for any key and any input string, the function can be computed efficiently;
— for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to
compute the function value on any new input string, even given knowledge of a set of input strings
and corresponding function values, where the value of the ith input string might have been chosen
after observing the value of the first i – 1 function values (for integers i > 1)
Note 1 to entry: A MAC algorithm is sometimes called a cryptographic check function (see for example
[1]
ISO 7498-2 ).
Note 2 to entry: Computational feasibility depends on the user’s specific security requirements and environment.
[SOURCE: ISO/IEC 9797-1:2011, 3.10]
3.28
mutual entity authentication
entity authentication which provides both entities with assurance of each other’s identity
3.29
mutual forward secrecy
property that knowledge of both entity A’s and entity B’s long-term private keys subsequent to a key
agreement operation does not enable an opponent to recompute previously derived keys
3.30
one-way function
function with the property that it is easy to compute the output for a given input but it is computationally
infeasible to find an input which maps to a given output
3.31
prefix free representation
representation of a data element for which concatenation with any other data does not produce a valid
representation
3.32
private key
key of an entity’s asymmetric key pair that is kept private
Note 1 to entry: The security of an asymmetric system depends on the privacy of this key.
[SOURCE: ISO/IEC 11770-1:2010, 2.35]
3.33
public key
key of an entity’s asymmetric key pair which can usually be made public without compromising security
Note 1 to entry: In the case of an asymmetric signature system, the public key defines the verification
transformation. In the case of an asymmetric encryption system, the public key defines the encryption
transformation, conditional on the inclusion of randomisation elements. A key that is “publicly known” is not
necessarily globally available. The key can only be available to all members of a pre-specified group.
[SOURCE: ISO/IEC 11770-1:2010, 2.36]
© ISO/IEC 2015 – All rights reserved 5

3.34
public key certificate
public key information of an entity signed by the certification authority and thereby rendered
unforgeable
3.35
public key information
information containing at least the entity’s distinguishing identifier and public key, but can include
other static information regarding the certification authority, the entity, restrictions on key usage, the
validity period, or the involved algorithms
3.36
secret key
key used with symmetric cryptographic techniques by a specified set of entities
3.37
sequence number
time variant parameter whose value is taken from a specified sequence which is non-repeating within
a certain time period
[SOURCE: ISO/IEC 11770-1:2010, 2.44]
3.38
signature system
system based on asymmetric cryptographic techniques whose private transformation is used for
signing and whose public transformation is used for verification
3.39
third party forward secrecy
property that knowledge of a third party’s private key subsequent to a key agreement operation does
not enable an opponent to recompute previously derived keys
Note 1 to entry: Instead of third party forward secrecy, master key forward secrecy is also used in Reference
[19].
3.40
time stamp
data item which denotes a point in time with respect to a common time reference
3.41
time-stamping authority
trusted third party trusted to provide a time-stamping service
[SOURCE: ISO/IEC 13888-1:2009, 3.58]
3.42
time variant parameter
data item used to verify that a message is not a replay, such as a random number, a time stamp or a
sequence number
Note 1 to entry: If a random number is used. then this is as a challenge in a challenge-response protocol. See also
ISO/IEC 9798-1:2010, Annex B.
[SOURCE: ISO/IEC 9798-1:2010, 3.36]
3.43
trusted third party
security authority or its agent, trusted by other entities with respect to security related activities
[SOURCE: ISO/IEC 9798-1:2010, 3.38]
6 © ISO/IEC 2015 – All rights reserved

4 Symbols and abbreviations
The following symbols and abbreviations are used in this part of ISO/IEC 11770.
A, B, C distinguishing identifiers of entities
BE encrypted data block
BS signed data block
CA certification authority
Cert entity A’s public key certificate
A
D entity A’s private decryption transformation function
A
d entity A’s private decryption key
A
2 3
E elliptic curve, either given by an equation of the form Y = X + aX + b over
m
the field GF(p ) for p>3 and a positive integer m, by an equation of the form
2 3 2 m 2
Y + XY = X + aX + b over the field GF(2 ), or by an equation of the form Y =
3 2 m
X + aX + b over the field GF(3 ), together with an extra point O referred to
E
m m m
as the point at infinity, which is denoted by E/GF(p ), E/GF(2 ), or E/GF(3 ),
respectively
E entity A’s public encryption transformation function
A
e entity A’s public encryption key
A
F key agreement function
F(h,g) key agreement function using as input a factor h and a common element g
FP key agreement function based on pairing
G point on E with order n
g common element shared publicly by all the entities that use the key agree-
ment function F
gcd(a,b) greatest common divisor of two integers a and b
m m m m m m
GF(p ), GF(2 ), GF(3 ) finite field with p , 2 , 3 elements for a prime p>3 and a positive integer m
h entity A’s private key agreement key
A
hash hash-function
j cofactor used in performing cofactor multiplication
K secret key for a symmetric cryptosystem
K secret key shared between entities A and B
AB
NOTE 1 In practical implementations the shared secret key should be subject to further processing before it
can be used for a symmetric cryptosystem.
kdf key derivation function
KT key token
KT entity A’s key token
A
© ISO/IEC 2015 – All rights reserved 7

KT key token sent by entity A after processing phase i
Ai
l supplementary value used in performing cofactor multiplication
M data message
MAC Message Authentication Code
MAC (Z) output of a MAC algorithm when using as input the secret key K and an arbi-
K
trary data string Z
MQV Menezes-Qu-Vanstone
n prime divisor of the order (or cardinality) of an elliptic curve E over a finite
field
O elliptic curve point at infinity
E
P point on an elliptic curve E
p entity A’s public key-agreement key
A
pairing pairing defined over an elliptic curve and used in FP
parameters parameters used in the key derivation function
PKI entity A’s public key information
A
P public key-agreement key in an elliptic curve of entity X
X
m
q prime power p for some prime p ≠ 3 and some integer m ≥ 1
r random number generated in the course of a mechanism
r random number issued by entity A in a key agreement mechanism
A
S , S , S sets of elements
1 2 3
S entity A’s private signature transformation function
A
s entity A’s private signature key
A
T trusted third party
Texti i th optional text, data or other information that may be included in a data
block, if desired
TVP time-variant parameter such as a random number, a time stamp, or a
sequence number
V entity A’s public verification transformation function
A
v entity A’s public verification key
A
w one-way function
X(P) x-coordinate of a point P
√q square root of a positive number q
#E order (or cardinality) of an elliptic curve E
8 © ISO/IEC 2015 – All rights reserved

|| concatenation of two data elements
smallest integer greater than or equal to the real number x
x
 
∑ digital signature
π(P) ρ/2 ρ/2
   
(X(P) mod 2 ) + 2 where ρ =log n and X(P) is the x-coordinate of
 
the point P
NOTE 2 No assumption is made on the nature of the signature transformation. In the case of a signature
system with message recovery, S (M) denotes the signature ∑ itself. In the case of a signature system with
A
appendix, S (M) denotes the message M together with the signature ∑.
A
NOTE 3 The keys of an asymmetric cryptosystem are denoted by lower case letters (indicating its function)
indexed with the identifier of its owner, e.g., the public verification key of entity A is denoted by v . The
A
corresponding transformations are denoted by upper case letters indexed with the identifier of their owner, e.g.,
the public verification transformation of entity A is denoted by V .
A
5 Requirements
It is assumed that the entities involved in a mechanism are aware of each other’s claimed identities.
This may be achieved by the inclusion of identifiers in information exchanged between the two entities,
or it may be apparent from the context of use of the mechanism. Verifying the identity means checking
that a received identifier field agrees with some known (trusted) or expected value.
If a public key is registered with an entity, then that entity shall make sure that the entity who registers
the key is in possession of the corresponding private key (see ISO/IEC 11770-1 for further guidance on
key registration).
6 Key derivation functions
The use of a shared secret as derived in Clause 10 as a key for a symmetric cryptosystem without further
processing is not recommended. It will often be the case that the form of a shared secret established
as a result of using a mechanism specified in this part of ISO/IEC 11770 will not conform to the form
needed for a specific cryptographic algorithm, so some processing will be needed. Moreover, the shared
secret (often) has arithmetic properties and relationships that might result in a shared symmetric key
not being chosen from the full key space. It is therefore advisable to pass the shared secret through
a key derivation function, e.g. involving the use of a hash function. The use of an inadequate key
derivation function could compromise the security of the key agreement scheme with which it is used.
It is recommended to use a one-way function as a key derivation function.
A key derivation function produces keys that are computationally indistinguishable from randomly
generated keys. The key derivation function takes as input a shared secret and a set of key derivation
parameters and produces an output of the desired length.
In order for the two parties in a key establishment mechanism to agree on a common secret key, the key
derivation function shall be agreed upon (see ISO/IEC 11770-6 for further guidance on key derivation
functions).
Annex C provides examples of key derivation functions.
7 Cofactor multiplication
This clause applies only to mechanisms using elliptic curve cryptography. The key agreement
mechanisms in Clause 11 and the key transport mechanisms in Clauses 12 and 13 require that the user’s
private key or key token be combined with another entity’s public key or key token. If the other entity’s
© ISO/IEC 2015 – All rights reserved 9

public key or key token is not valid (i.e., it is not a point on the elliptic curve, or is not in the subgroup of
order n), then performing this operation may result in some bits of the private key being leaked to an
attacker. One example of such an attack is known as the ‘small subgroup attack’.
NOTE 1 The small subgroup attack is described in [37].
In order to prevent the ‘small subgroup attack’ and similar attacks, one option is to validate public keys
and key tokens received from the other party using public key validation, as specified in ISO/IEC 11770-
1.
As an alternative to public key validation, a technique called cofactor multiplication as specified in
Clause 11 can be used. The values j and l, defined below, are used in cofactor multiplication.
If cofactor multiplication is used, there are two options:
— If compatibility with entities not using cofactor multiplication is not required, then let j = #E / n
and l = 1. If this option is chosen, both parties involved shall agree to use this option; otherwise the
mechanism will not work.
— If compatibility with entities not using cofactor multiplication is required, then let j = #E / n and l =
-1
j mod n.
-1
NOTE 2 The value j mod n will always exist since n is required to be greater than 4√q and
therefore gcd(n, j) = 1.
If cofactor multiplication is not required, then let j = l = 1.
Regardless of whether or not cofactor multiplication is used, if the shared key (or a component of the
shared key) evaluates to the point at infinity (O ), then the user shall assume that the key agreement
E
procedure has failed.
It is particularly appropriate to perform public key validation or cofactor multiplication in the following
cases:
— if the entity’s public key is not authenticated;
— if the key token is not authenticated;
— if the user’s public key is intended for a long-term use.
If the other entity’s public key is authenticated and the cofactor is small, then the amount of information
that can be leaked is limited. Thus, it may not always be necessary to perform these tests.
8 Key commitment
Clause 11 describes key agreement mechanisms in which the established key is the result of applying a
one-way function to the private key-agreement keys. However, one entity may know the other entity’s
public key or key token prior to choosing their private key. As a result, such an entity can control the
s
value of s bits in the established key, at the cost of generating 2 candidate values for their private key-
agreement key in the time interval between discovering the other entity’s public key or key token and
[31]
choosing their own private key.
One way to address this concern (if it is a concern) at the cost of one additional message/pass in the
protocol is through the use of key commitment. Key commitment can be performed by having the first
entity hash the public key or key token and send the hash-code to the second entity; the second entity
then replies with its public key or key token, and the first entity replies with its public key or key token.
The second entity can now hash it and verify that the result is equal to the hash-code sent earlier.
10 © ISO/IEC 2015 – All rights reserved

9 Key confirmation
Explicit key confirmation is the process of adding additional messages to a key establishment protocol
providing implicit key authentication, so that explicit key authentication and entity authentication are
provided. Explicit key confirmation can be added to any method that does not possess it inherently.
Key confirmation is typically provided by exchanging a value that can (with very high probablity) only
be calculated correctly if the key establishment calculations were successful. Key confirmation from
entity A to entity B is provided by entity A calculating a value and sending it to entity B for confirmation
of entity A’s correct calculation. If mutual key confirmation is desired, then each entity sends a different
value to the other.
Key confirmation is often provided by subsequent use of an established key, and if something is wrong
then it is immediately detected. This is called implicit key confirmation. Explicit key confirmation in this
case may be unnecessary. If one entity is not online (for example, in one-pass protocols used in store and
forward (email) scenarios), then it is simply not possible for the other entity to obtain key confirmation.
However, sometimes a key is established yet used only later (if at all), or the entity performing the key
establishment process may simply not know if the resulting key will be used immediately or not. In
these cases, it is often desirable to use a method of explicit key confirmation, as it may otherwise be too
late to correct an error once detected. Explicit key confirmation can also be seen as a way of “firming
up” security properties during the key establishment process and may be warranted if a conservative
protocol design is deemed appropriate.
An example method of providing key confirmation using a MAC is as follows:
Entities A and B first perform one of the key establishment procedures specified in Clauses 11 and 12
of this part of ISO/IEC 11770. As a result, they expect to share a secret MAC key K . They then perform
AB
the following procedure.
— Entity B forms the message M, an octet string consisting of the message identifier octet 0x02, entity
B’s identifier, entity A’s identifier, the octet string KT corresponding to entity B’s key token (omitted
B
if not present), the octet string KT corresponding to entity A’s key token (omitted if not present),
A
the octet string p corresponding to entity B’s public key-establishment key (omitted if not present),
B
the octet string p corresponding to entity A’s public key-establishment key (omitted if not present)
A
and, if present, optional additional Text1, i.e.:
M = 02||B||A||KT ||KT ||p ||p ||Text1, where 0x02 is the message number.
B A B A
— Entity B calculates K = kdf(K ), and then calculates MAC (M) for the message M under the
B AB KB
(supposedly) shared secret key K for an appropriate MAC scheme.
B
— Entity B sends the message M and MAC (M) to entity A.
KB
— Entity A calculates K = kdf(K ), computes MAC (M) using the received message M, and verifies
A AB KA
MAC (M)= MAC (M).
KB KA
— Assuming the MAC verifies, entity A has received key confirmation from entity B (that is, entity A
knows that K equals K ). If mutual key confirmation is desired, entity A continues the protocol and
A B
forms the message M’ as the octet string consisting of the message identifier octet 0x03, entity A’s
identifier, entity B’s identifier, the octet string KT corresponding to enti
...