Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets

ISO/IEC 11770-4:2006 defines key establishment mechanisms based on weak secrets, i.e., secrets that can be readily memorized by a human, and hence secrets that will be chosen from a relatively small set of possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys based on a weak secret derived from a memorized password, while preventing off-line brute-force attacks associated with the weak secret. More specifically, these mechanisms are designed to achieve one of the following three goals.
1) Balanced password-authenticated key agreement: Establish one or more shared secret keys between two entities that share a common weak secret. In a balanced password-authenticated key agreement mechanism, the shared secret keys are the result of a data exchange between the two entities, the shared secret keys are established if and only if the two entities have used the same weak secret, and neither of the two entities can predetermine the values of the shared secret keys.
2) Augmented password-authenticated key agreement: Establish one or more shared secret keys between two entities A and B, where A has a weak secret and B has verification data derived from a one-way function of A's weak secret. In an augmented password-authenticated key agreement mechanism, the shared secret keys are the result of a data exchange between the two entities, the shared secret keys are established if and only if the two entities have used the weak secret and the corresponding verification data, and neither of the two entities can predetermine the values of the shared secret keys.
3) Password-authenticated key retrieval: Establish one or more secret keys for an entity, A, associated with another entity, B, where A has a weak secret and B has a strong secret associated with A's weak secret. In an authenticated key retrieval mechanism, the secret keys, retrievable by A (not necessarily derivable by B), are the result of a data exchange between the two entities, and the secret keys are established if and only if the two entities have used the weak secret and the associated strong secret. However, although B's strong secret is associated with A's weak secret, the strong secret does not (in itself) contain sufficient information to permit either the weak secret or the secret keys established in the mechanism to be determined.

Technologies de l'information — Techniques de sécurité — Gestion de clés — Partie 4: Mécanismes basés sur des secrets faibles

General Information

Status
Withdrawn
Publication Date
03-May-2006
Withdrawal Date
03-May-2006
Current Stage
9599 - Withdrawal of International Standard
Start Date
17-Nov-2017
Completion Date
30-Oct-2025
Relations

Standard
ISO/IEC 11770-4:2006 - Information technology -- Security techniques -- Key management
English language
33 pages

Frequently Asked Questions

ISO/IEC 11770-4:2006 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets". Its scope is given in the abstract above.

ISO/IEC 11770-4:2006 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 11770-4:2006 has the following relationship with other standards: it is linked to ISO/IEC 11770-4:2017. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC 11770-4:2006 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


INTERNATIONAL ISO/IEC
STANDARD 11770-4
First edition
2006-05-01
Information technology — Security
techniques — Key management —
Part 4:
Mechanisms based on weak secrets
Technologies de l'information — Techniques de sécurité — Gestion de
clés —
Partie 4: Mécanismes basés sur des secrets faibles

Reference number
©
ISO/IEC 2006
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2006 – All rights reserved

Contents (page)
Foreword ... iv
1 Scope ... 1
2 Normative references ... 2
3 Terms and definitions ... 2
4 Symbols and notation ... 6
5 Requirements ... 8
6 Password-authenticated key agreement ... 9
6.1 Key Agreement Mechanism 1 ... 10
6.1.1 Prior shared parameters ... 10
6.1.2 Functions ... 10
6.1.3 Key agreement operation ... 12
6.2 Key Agreement Mechanism 2 ... 13
6.2.1 Prior shared parameters ... 14
6.2.2 Functions ... 14
6.2.3 Key agreement operation ... 16
6.3 Key Agreement Mechanism 3 ... 17
6.3.1 Prior shared parameters ... 17
6.3.2 Functions ... 17
6.3.3 Key agreement operation ... 20
7 Password-authenticated key retrieval ... 21
7.1 Key Retrieval Mechanism 1 ... 22
7.1.1 Prior shared parameters ... 22
7.1.2 Functions ... 22
7.1.3 Key retrieval operation ... 23
Annex A (normative) Functions for Data Type Conversion ... 24
Annex B (normative) ASN.1 Module ... 28
Annex C (informative) Guidance on Choice of Parameters ... 30
Bibliography ... 32


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 11770-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Subcommittee SC 27, IT
Security techniques.
ISO/IEC 11770 consists of the following parts, under the general title Information technology — Security
techniques — Key management:
— Part 1: Framework
— Part 2: Mechanisms using symmetric techniques
— Part 3: Mechanisms using asymmetric techniques
— Part 4: Mechanisms based on weak secrets
Further parts may follow.

INTERNATIONAL STANDARD ISO/IEC 11770-4:2006(E)

Information technology — Security techniques — Key
management —
Part 4:
Mechanisms based on weak secrets
1 Scope
This part of ISO/IEC 11770 defines key establishment mechanisms based on weak secrets, i.e., secrets that
can be readily memorized by a human, and hence secrets that will be chosen from a relatively small set of
possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys
based on a weak secret derived from a memorized password, while preventing off-line brute-force attacks
associated with the weak secret. More specifically, these mechanisms are designed to achieve one of the
following three goals.
1) Balanced password-authenticated key agreement: Establish one or more shared secret keys
between two entities that share a common weak secret. In a balanced password-authenticated key
agreement mechanism, the shared secret keys are the result of a data exchange between the two
entities, the shared secret keys are established if and only if the two entities have used the same
weak secret, and neither of the two entities can predetermine the values of the shared secret keys.
2) Augmented password-authenticated key agreement: Establish one or more shared secret keys
between two entities A and B, where A has a weak secret and B has verification data derived from a
one-way function of A’s weak secret. In an augmented password-authenticated key agreement
mechanism, the shared secret keys are the result of a data exchange between the two entities, the
shared secret keys are established if and only if the two entities have used the weak secret and the
corresponding verification data, and neither of the two entities can predetermine the values of the
shared secret keys.
NOTE – This type of key agreement mechanism cannot protect A's weak secret from being discovered by B; it only increases the cost for an adversary to obtain A's weak secret from B. Therefore it is normally used between a client (A) and a server (B).
3) Password-authenticated key retrieval: Establish one or more secret keys for an entity, A,
associated with another entity, B, where A has a weak secret and B has a strong secret associated
with A's weak secret. In an authenticated key retrieval mechanism, the secret keys, retrievable by A
(not necessarily derivable by B), are the result of a data exchange between the two entities, and the
secret keys are established if and only if the two entities have used the weak secret and the
associated strong secret. However, although B’s strong secret is associated with A's weak secret, the
strong secret does not (in itself) contain sufficient information to permit either the weak secret or the
secret keys established in the mechanism to be determined.
NOTE – This type of key retrieval mechanism is used in those applications where A does not have secure
storage for a strong secret, and requires B’s assistance to retrieve the strong secret for her. It is normally used
between a client (A) and a server (B).
This part of ISO/IEC 11770 does not cover aspects of key management such as
— lifecycle management of weak secrets, strong secrets and established secret keys;
— mechanisms to store, archive, delete, destroy, etc. weak secrets, strong secrets, and established secret keys.

NOTE – The keys generated or retrieved through the use of weak secrets cannot be more secure against exhaustion than
the sum of the weak secrets themselves. With this proviso, the mechanisms specified in this part of ISO/IEC 11770 are
recommended for practical use in low-security environments.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118-3:2004, Information technology — Security techniques — Hash-functions — Part 3: Dedicated
hash-functions
ISO/IEC 11770-1:1996, Information technology — Security techniques — Key management — Part 1:
Framework
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
augmented password-authenticated key agreement
password-authenticated key agreement where entity A uses a password-based weak secret and entity B uses
verification data derived from a one-way function of A's weak secret to negotiate and authenticate one or more
shared secret keys
3.2
balanced password-authenticated key agreement
password-authenticated key agreement where two entities A and B use a shared common password-based
weak secret to negotiate and authenticate one or more shared secret keys
3.3
brute-force attack
attack on a cryptosystem that employs an exhaustive search of a set of keys, passwords or other data
3.4
collision-resistant hash-function
hash-function satisfying the following property: it is computationally infeasible to find any two distinct inputs
which map to the same output
NOTE – Computational feasibility depends on the specific security requirements and environment.
[ISO/IEC 10118-1:2000]
3.5
dictionary attack (on a password-based system)
attack on a cryptosystem that employs a search of a given list of passwords
NOTE – A dictionary attack on a password-based system can use a stored list of specific password values or a stored list
of words from a natural language dictionary.
3.6
domain parameter
data item which is common to and known by or accessible to all entities within the domain
NOTE – The set of domain parameters may contain data items such as hash-function identifier, length of the hash-token,
length of the recoverable part of the message, finite field parameters, elliptic curve parameters, or other parameters
specifying the security policy in the domain.
[ISO/IEC 9796-3:2000]

3.7
explicit key authentication from A to B
assurance for entity B that A is the only other entity that is in possession of the correct key
NOTE – Implicit key authentication from A to B and key confirmation from A to B together imply explicit key authentication from A to B.
[ISO/IEC 11770-3:1999]
3.8
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties.
— It is computationally infeasible to find, for a given output, an input which maps to this output.
— It is computationally infeasible to find, for a given input, a second input which maps to the same output.
NOTE – Computational feasibility depends on the specific security requirements and environment.
[ISO/IEC 10118-1:2000]
3.9
hashed password
result of applying a hash-function to a password
3.10
implicit key authentication from A to B
assurance for entity B that A is the only other entity that can possibly be in possession of the correct key
[ISO/IEC 11770-3:1999]
3.11
key
sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment,
decipherment, cryptographic check function computation, signature calculation, or signature verification)
[ISO/IEC 11770-3:1999]
3.12
key agreement
process of establishing a shared secret key between entities in such a way that neither of them can
predetermine the value of that key
[ISO/IEC 11770-1:1996]
3.13
key confirmation from A to B
assurance for entity B that entity A is in possession of the correct key
[ISO/IEC 11770-3:1999]
3.14
key control
ability to choose the key, or the parameters used in the key computation
[ISO/IEC 11770-1:1996]
3.15
key derivation function
function that utilizes shared secrets and other mutually known parameters as inputs, and outputs one or more
shared secrets, which can be used as keys

3.16
key establishment
process of making available a shared secret key to one or more entities; key establishment includes key
agreement, key transport and key retrieval
3.17
key management
administration and use of the generation, registration, certification, deregistration, distribution, installation,
storage, archiving, revocation, derivation and destruction of keying material in accordance with a security
policy
[ISO/IEC 11770-1:1996]
3.18
key retrieval
process of establishing a key for one or more entities known as the retrieving entities with the involvement of
one or more other entities who are not necessarily able to access the key after the process, and which
normally requires authentication of the retrieving entity/entities by the other entity/entities
3.19
key token
key establishment message sent from one entity to another entity during the execution of a key establishment
mechanism
3.20
key token check function
function that utilizes a key token and other publicly known parameters as input, and outputs a Boolean value
during the execution of a key establishment mechanism
3.21
key token factor
value that is kept secret and that is used, possibly in conjunction with a weak secret, to create a key token
3.22
key token generation function
function that utilizes a key token factor and other parameters as input, and outputs a key token during the
execution of a key establishment mechanism
3.23
mutual key authentication
assurance for two entities that only the other entity can possibly be in possession of the correct key
3.24
one-way function
function with the property that it is easy to compute the output for a given input but it is computationally
infeasible to find for a given output an input which maps to this output
[ISO/IEC 11770-3:1999]
3.25
password
secret word, phrase, number or character sequence used for entity authentication, which is a memorized
weak secret
3.26
password-authenticated key agreement
process of establishing one or more shared secret keys between two entities using prior shared password-based information (which means that either both of them have the same shared password or one has the password and the other has password verification data) and neither of them can predetermine the values of the shared secret keys

3.27
password-authenticated key retrieval
key retrieval process where one entity A has a weak secret derived from a password, and the other entity B
has a strong secret associated with A’s weak secret; these two entities, using their own secrets, negotiate a
secret key which is retrievable by A, but not (necessarily) derivable by B
3.28
password-entangled key token
key token which is derived from both a weak secret and a key token factor
3.29
password verification data
data that is used to verify an entity’s knowledge of a specific password
3.30
random element derivation function
function that utilizes a password and other parameters as input, and outputs a random element
3.31
salt
random variable incorporated as secondary input to a one-way or encryption function that is used to derive
password verification data
3.32
secret
value known only to authorized entities
3.33
secret value derivation function
function that utilizes a key token factor, a key token and other parameters as input, and outputs a secret
value, which is used to compute one or more secret keys
3.34
secret key
key used with symmetric cryptographic techniques by a specified set of entities
[ISO/IEC 18033-1:2005]
3.35
strong secret
secret with a sufficient degree of entropy that conducting an exhaustive search for the secret is infeasible,
even given knowledge that would enable a correct guess for the secret to be distinguished from an incorrect
guess
NOTE – This might, for example, be achieved by randomly choosing the secret from a sufficiently large set of possible
values with an even probability distribution.
3.36
weak secret
secret that can be conveniently memorized by a human being; typically this means that the entropy of the
secret is limited, so that an exhaustive search for the secret may be feasible, given knowledge that would
enable a correct guess for the secret to be distinguished from an incorrect guess

4 Symbols and notation
For the purposes of this document, the following symbols and notation apply.
a_1, a_2 – elliptic curve coefficients
A, B – distinguishing identifiers of entities
b, b_i – bits (i.e. either 0 or 1)
BS2I – a function that converts a bit string into an integer
c – an integer satisfying 1 ≤ c ≤ q – 1
C, C_DL, C_EC – functions for generating a key token based on a password and a key token factor
D, D_DL, D_EC – functions for generating a key token based on only a key token factor
E – an elliptic curve defined by two elliptic curve coefficients, a_1 and a_2
F(q) – the finite field of cardinality q
FE2I – a function that converts a field element into an integer
FE2OS – a function that converts a field element into an octet string
g, g_1, g_a, g_b – elements of multiplicative order r in F(q)
G, G_a, G_b – points of order r on E over F(q)
g_{q-1} – an element of multiplicative order q - 1 in F(q)
GE2OS_X – a function that converts a group element into an octet string; when the group element is a point on E, this function converts the x-coordinate of the point into an octet string and ignores the y-coordinate
H – a hash-function taking an octet string as input and giving a bit string as output, e.g. one of the dedicated hash-functions specified in ISO/IEC 10118-3
h(x, L_K) – a hash-function taking an octet string x and an integer L_K, which indicates the length (in bits) of the output, as input and giving a bit string of length L_K as output, e.g. one of the dedicated hash-functions specified in ISO/IEC 10118-3
I2FE – a function that converts an integer into a field element
I2OS – a function that converts an integer into an octet string
I2P – a function that converts an integer into a point on the curve E
J, J_DL, J_EC – functions for generating a password verification element from a password
k – the cofactor, which is either the value (q-1)/r in DL domain parameters or the value #E/r in EC domain parameters
K – a function for deriving a key from a secret value and a key derivation parameter
K_1, K_2, … – secret keys established using a key establishment mechanism
L_K – the length (in bits) of an established secret key
m – an integer
M_i – an octet, represented by values from 00 hex to FF hex
mod – binary operation, where y = a mod b is defined to be the unique integer y satisfying 0 ≤ y < b and (a - y) is an integer multiple of b
n – an integer
o_A, o_A', o_B, o_B' – bit strings, which are used to specify a key confirmation process
OS2I – a function that converts an octet string into an integer
p, p_i – odd prime integers
P_1, P_2, … – key derivation parameter octet strings
q – the number of elements in the finite field F(q). In the EC setting, q is either p or 2^m for some integer m ≥ 1. In the DL setting, q is p
NOTE – This part of ISO/IEC 11770 treats only a prime field or a binary field in the EC setting and only a prime field in the DL setting, because these cases are widely used and their security properties have been well-explored.
r – the order of the desired group, which is a prime dividing either q – 1 in the DL setting or #E in the EC setting
R, R_1DL, R_1EC, R_2DL, R_2EC – functions for deriving a random element from a password
s_A, s_B – key token factors of entities A and B respectively, corresponding to key tokens w_A and w_B
NOTE – The key token factors should be generated at random from a selected range, since this maximizes the difficulty of recovering the key token factor by collision-search methods. Methods of random number generation are specified in ISO/IEC 18031.
T – a function for checking validity of a key token
V, V_A, V_B, V_ADL, V_AEC, V_BDL, V_BEC – functions for generating secret values
w_A, w_B – key tokens or password-entangled key tokens of entities A and B respectively, corresponding to key token factors s_A and s_B; they are integers in the DL setting and points in the EC setting
[x] × Y – multiplication operation in the EC setting that takes an integer x and a point Y on the curve E as input and produces a point Z on the curve E, where Z = [x] × Y = Y + Y + … + Y (x - 1 additions) if x is positive. The operation satisfies [0] × Y = 0_E (the point at infinity), and [-x] × Y = [x] × (-Y).
z – a secret value used to derive the keys; it is an integer in the DL setting and a point in the EC setting
{β_{m-1}, β_{m-2}, …, β_0} – an element of F(s^m) where s is either p or 2, and β_i is an integer satisfying 0 ≤ β_i ≤ s - 1
π – a password-based octet string which is generally derived from a password or a hashed password, identifiers for one or more entities, an identifier of a communication session if more than one session might execute concurrently, and optionally includes a salt value and/or other data
NOTE – It is required to include one or more of the entity identifiers and a unique session identifier in the value of π, in order to avoid a key establishment mechanism being vulnerable to the unknown key-share attack addressed in [TC05].
#E – the number of points on the elliptic curve E
|| – concatenation operator, defined on octet strings
0_E – the point at infinity on the elliptic curve E

5 Requirements
It is assumed that the entities are aware of each other’s claimed identities. This may be achieved by the
inclusion of identifiers in information exchanged between the two entities, or it may be apparent from the
context of use of the mechanism.
It is assumed that the entities are aware of a common set of domain parameters, which are used to compute a
variety of functions in the key establishment mechanism. Each mechanism can be used with one of two
different sets of domain parameters, depending on whether the mechanism operates over the multiplicative
group of values in F(q) or over the additive group of elements in an elliptic curve defined over F(q). In the first
case the mechanism is said to operate in the DL (for “discrete logarithm”) setting, and in the second case the
mechanism is said to operate in the EC (for “elliptic curve”) setting.
NOTE – It is fundamentally important to the correct operation of the mechanisms that any domain parameters are held
correctly by each participant. Use by any party of accidentally or deliberately corrupted domain parameters can result in
compromise of the mechanisms, which might allow an unauthorised third party to discover an established secret key.
The two sets of domain parameters are as follows.
A set of DL domain parameters consists of:
F(q) – a specific representation of the finite field on q elements.
q – the number of elements in F(q), which is an odd prime integer.
r – the order of the desired group of elements from the finite field, which is a prime divisor of q - 1.
g – an element of multiplicative order r in F(q) (g is called the generator of a subgroup of r elements in F(q)).
g_{q-1} – an element of multiplicative order q - 1 in F(q).
NOTE – a method of generating g_{q-1} can be found in Chapter 4 of [MvV96] and [Ka86].
k – the value (q-1)/r, also called the cofactor, satisfying k = 2 p_1 p_2 … p_t, for primes p_i > r, i = 1, 2, …, t. Optionally, t = 0.
A set of EC domain parameters consists of:
F(q) – a specific representation of the finite field on q elements.
q – the number of elements in F(q), which is
⎯ p, an odd prime integer, or
⎯ 2^m for some positive integer m ≥ 1.
a_1, a_2 – two elliptic curve coefficients, elements of F(q), that define an elliptic curve E.
E – an elliptic curve defined by two elliptic curve coefficients, a_1 and a_2. It is defined by one of the following two equations
⎯ Y^2 = X^3 + a_1 X + a_2 over the field F(p),
⎯ Y^2 + XY = X^3 + a_1 X^2 + a_2 over the field F(2^m),
together with an extra point 0_E referred to as the point at infinity.
#E – the number of points on E.
r – the order of the desired group, which is a prime integer dividing #E.
G – a curve point of order r (G is called the generator of a subgroup of r points on E).
k – the value #E/r, also called the cofactor, satisfying k = 2^n p_1 p_2 … p_t, for n ∈ {0, 1, 2} and primes p_i > r, i = 1, 2, …, t. Optionally, t = 0.
When entities make use of a specified mechanism in the EC setting, it is assumed that the entities are aware
of the form of the point representation, i.e., a point is represented in either compressed, uncompressed or
hybrid form. The specifications in the point representation refer to ISO/IEC 18033-2.
In the mechanism specification of this part of ISO/IEC 11770, the method of random number generation refers to ISO/IEC 18031 and the method of prime number generation refers to ISO/IEC 18032.

It is also assumed that the entities are aware of a common hash-function H, e.g. one of the dedicated hash-
functions specified in ISO/IEC 10118-3.
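The conditions Clause 5 places on a set of DL domain parameters (q, r, g, g_{q-1} and the cofactor k) written as a checker that a participant can run before using parameters it received. This is an added example, not text of ISO/IEC 11770-4; the primality and factorisation helpers use trial division, which is adequate only for the small constructed parameters used here (q = 23 and q = 71), and the prime-generation methods the standard delegates to ISO/IEC 18032 and [MvV96] are not reproduced.

```python
"""Validation of a set of DL domain parameters against the conditions in Clause 5.

Added example, not part of ISO/IEC 11770-4. Trial division is used for
primality and factorisation; it is adequate only for the toy parameters below.
"""


def is_prime(n: int) -> bool:
    """Deterministic trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def prime_factors(n: int) -> list:
    """Prime factors of n with multiplicity, by trial division."""
    out, d = [], 2
    while d * d <= n:
        while n % d == 0:
            out.append(d)
            n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def validate_dl_params(q: int, r: int, g: int, g_q1: int):
    """Return (True, "ok") if (q, r, g, g_{q-1}) satisfy Clause 5, else (False, reason).

    Clause 5 requires: q an odd prime; r a prime divisor of q-1; the cofactor
    k = (q-1)/r of the form 2 p_1 ... p_t with every prime p_i > r (t may be 0);
    g of multiplicative order r; g_{q-1} of multiplicative order q-1.
    """
    if q % 2 == 0 or not is_prime(q):
        return False, "q must be an odd prime"
    if not is_prime(r) or (q - 1) % r != 0:
        return False, "r must be a prime divisor of q-1"
    k = (q - 1) // r
    if k % 2 != 0 or (k // 2) % 2 == 0:
        return False, "cofactor k must be 2 times an odd number"
    if any(p <= r for p in prime_factors(k // 2)):
        return False, "every odd prime factor of the cofactor must exceed r"
    # g generates the subgroup of order r: g != 1 and g^r = 1 (r is prime, so the order is exactly r)
    if not (1 < g < q) or pow(g, r, q) != 1:
        return False, "g must have multiplicative order r"
    # g_{q-1} generates F(q)^*: g_{q-1}^((q-1)/f) != 1 for every prime f dividing q-1
    if not (1 < g_q1 < q):
        return False, "g_{q-1} must lie in [2, q-1]"
    for f in set(prime_factors(q - 1)):
        if pow(g_q1, (q - 1) // f, q) == 1:
            return False, "g_{q-1} must have multiplicative order q-1"
    return True, "ok"


if __name__ == "__main__":
    # constructed toy parameters: q = 23, r = 11, k = 2 (t = 0); q = 71, r = 5, k = 2 * 7 (t = 1)
    print(validate_dl_params(23, 11, 2, 5))
    print(validate_dl_params(71, 5, 54, 7))
    # q = 31, r = 5 gives k = 6 = 2 * 3 with 3 < r, which Clause 5 does not allow
    print(validate_dl_params(31, 5, 2, 3))
```

The cofactor condition matters because the key token check T_DL in 6.1.2.3 only verifies a range, so a small prime factor of k below r would leave a subgroup that cofactor multiplication in V does not clear.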
6 Password-authenticated key agreement
This clause specifies three password-authenticated key agreement mechanisms. The first mechanism,
specified in clause 6.1, is a balanced password-authenticated key agreement mechanism, which requires the
two entities to share a weak secret. The second and third mechanisms, specified in clauses 6.2 and 6.3
respectively, are augmented password-authenticated key agreement mechanisms, which require one of the
two entities to possess verification data for a weak secret known to the other entity.
All three password-authenticated key agreement mechanisms have the following initialisation process and key
establishment process.
Initialisation process: The two entities involved agree to use a set of valid domain parameters, a set of key
derivation parameters and a set of functions, all of which may be publicly known. The two entities also agree
to use either a shared password-based weak secret which is known only to them, or shared password-based
information that means one entity has a password-based weak secret and the other entity has the
corresponding password verification data.
Key establishment process:
1) Generate and exchange key tokens. The two entities involved each randomly choose one or more key
token factors associated with the domain parameters, create the corresponding key tokens, which
may be associated with the password or password verification data (a key token associated with the
password or password verification data is called a password-entangled key token), and then make the
key tokens available to the other entity.
2) Check validity of key tokens. Depending on the operations for producing key tokens in Step 1, the two
entities involved each choose an appropriate method to validate the received key tokens based on the
domain parameters. If any validation fails, output “invalid” and stop.
3) Derive shared secret keys. The two entities involved each apply certain secret value derivation
functions to their own key token factor, the other entity's key tokens and/or shared password or
password verification data to produce a shared secret value. Each entity further applies a key
derivation function to the shared secret value and the key derivation parameters, to derive one or
more shared secret keys.
4) Check key confirmation. The two entities involved use the shared secret keys established using the
above steps to confirm their awareness of the keys to each other. This step is optional in Mechanism
1 but mandatory in Mechanisms 2 and 3.

6.1 Key Agreement Mechanism 1
This key agreement mechanism is designed to achieve balanced password-authenticated key agreement,
which establishes one or more shared secret keys between entities A and B with joint key control and prior
sharing of a password-based octet string π. This mechanism provides mutual implicit key authentication and,
optionally, mutual explicit key confirmation.
This mechanism works in both the DL and EC settings.
NOTE – This mechanism is based on the work of [Jab96] and the mechanism called {DL,EC}BPKAS-SPEKE in
[IEEEP1363.2].
6.1.1 Prior shared parameters
The key agreement between two entities A and B takes place in an environment where the two entities share
the following parameters:
⎯ A shared password-based octet string π
⎯ A set of valid domain parameters (either DL domain parameters or EC domain parameters) specified in
Clause 5
⎯ A random element derivation function, R
⎯ A key token generation function, D
⎯ A key token check function, T
⎯ A secret value derivation function, V
⎯ A key derivation function, K
⎯ A Boolean value, b, which indicates whether cofactor multiplication is desired. If b = 1, cofactor
multiplication is desired; otherwise it is not
⎯ One or more key derivation parameter octet strings {P_1, P_2, …}, where A and B must agree to use the same P_i values
⎯ The length of a shared secret key, L_K
NOTE – Cofactor multiplication is used to map a received key token into a valid group element, i.e. an element in a
selected subgroup of order r. b = 0 is only used in those mechanisms in which it is guaranteed that a received key token is
a valid group element. More detailed discussion on cofactor multiplication can be found in [ISO/IEC 15946-3:2002].
6.1.2 Functions
6.1.2.1 Random element derivation function R
The random element derivation function R operates on an octet string x as input and produces a selected group element written R(x) as output. Key Agreement Mechanism 1 can be used with any one of the following four R functions, R_1DL, R_1EC, R_2DL and R_2EC:
⎯ R_1DL is suitable for use when the mechanism is used with the DL domain parameters, i.e. it operates over the multiplicative group of elements defined over F(q). Given the DL domain parameters (including k and q) and an octet string input x, R_1DL is defined as
R_1DL(x) = (BS2I(H(x)))^k mod q.
⎯ R_1EC is suitable for use when the mechanism is used with the EC domain parameters, i.e. it operates over the additive group of elements in an elliptic curve defined over F(q). Given the EC domain parameters (including k) and an octet string input x, R_1EC is defined as
R_1EC(x) = [k] × I2P(BS2I(H(x))).
⎯ R_2DL is suitable for use when the mechanism is used with the DL domain parameters, i.e. it operates over the multiplicative group of elements defined over F(q). Given the DL domain parameters (including q), two random elements in a subgroup of order r in F(q), g_a and g_b, and an octet string input x, R_2DL is defined as
R_2DL(x) = g_a ∗ g_b^(BS2I(H(x))) mod q.
⎯ R_2EC is suitable for use when the mechanism is used with the EC domain parameters, i.e. it operates over the additive group of elements in an elliptic curve defined over F(q). Given the EC domain parameters, two random elements of a subgroup of order r on E, G_a and G_b, and an octet string input x, R_2EC is defined as
R_2EC(x) = G_a + [BS2I(H(x))] × G_b.
Functions BS2I (Bit String to Integer conversion) and I2P (Integer to Point conversion) are described in Annex A.
NOTE 1 – The four choices for the function R allow for different performance characteristics and different security assumptions. Regarding performance, R_2 permits use where k >> r, but when using a small cofactor k, R_1 is faster than R_2.
NOTE 2 – It is recommended that, if the result of R_1DL(x) or R_2DL(x) is 1, or if the result of R_1EC(x) or R_2EC(x) is 0_E, output "invalid" and stop. Based on the randomness property of the hash-function H, this case happens with a negligible probability. However, there is no detected security weakness, because if the function R outputs the value 1 in the DL setting or the point 0_E in the EC setting without stopping, the protocol will abort when running the key token check function T.
6.1.2.2 Key token generation function D
The key token generation function D operates on an integer x and a group element y as input and produces another group element written D(x, y) as output. Key Agreement Mechanism 1 can be used with either one of the following D functions, D_DL and D_EC:
⎯ D_DL is suitable for use when the mechanism is used with the DL domain parameters, i.e. it operates over the multiplicative group of elements defined over F(q). Given the DL domain parameters (including q), and two inputs, x from {1, …, r - 1} and an integer y, the output of Function R, D_DL is defined as
D_DL(x, y) = y^x mod q.
⎯ D_EC is suitable for use when the mechanism is used with the EC domain parameters, i.e. it operates over the additive group of elements in an elliptic curve defined over F(q). Given the EC domain parameters, and two inputs, x from {1, …, r - 1} and a point Y, the output of Function R, D_EC is defined as
D_EC(x, Y) = [x] × Y.
6.1.2.3 Key token check function T
The key token check function T operates on a group element x as input and produces a Boolean value written T(x) as output. Key Agreement Mechanism 1 can be used with either one of the following T functions, T_DL and T_EC:
⎯ T_DL is suitable for use when the mechanism is used with the DL domain parameters, i.e. it operates over the multiplicative group of elements defined over F(q). Given the DL domain parameters (including q), and a data string x, T_DL is defined as follows:
⎯ If x does not represent an integer, T_DL(x) = 0.
⎯ If x ≤ 1, T_DL(x) = 0.
⎯ If x ≥ q – 1, T_DL(x) = 0.
⎯ Else, T_DL(x) = 1.
⎯ T_EC is suitable for use when the mechanism is used with the EC domain parameters, i.e. it operates over the additive group of elements in an elliptic curve defined over F(q). Given the EC domain parameters (including 0_E), a value n ∈ {0, 1, 2}, such that k = 2^n p_1 p_2 … p_t, and a data string X, T_EC is defined as follows:
⎯ If X does not represent a point on E, T_EC(X) = 0.
⎯ If [2^n] × X = 0_E, T_EC(X) = 0.
⎯ Else, T_EC(X) = 1.
6.1.2.4 Secret value derivation function V
The secret value derivation function V operates on an integer x, a selected group element y and a Boolean value b as input and produces another group element written V(x, y, b) as output. Key Agreement Mechanism 1 can choose one of the following V functions, V_DL and V_EC:
⎯ V_DL is suitable for use when the mechanism is used with the DL domain parameters, i.e. it operates over the multiplicative group of elements defined over F(q). Given the DL domain parameters (including k and q), and three inputs, x from {1, …, r - 1}, y from {2, …, q - 2} and b from {0, 1}, V_DL is defined as
V_DL(x, y, b) = y^(x ∗ k^b) mod q.
⎯ V_EC is suitable for use when the mechanism is used with the EC domain parameters, i.e. it operates over the additive group of elements in an elliptic curve defined over F(q). Given the EC domain parameters (including k), and three inputs, x from {1, …, r - 1}, a point Y (≠ 0_E) on the curve E and b from {0, 1}, V_EC is defined as
V_EC(x, Y, b) = [k^b ∗ x] × Y.
6.1.2.5 Key derivation function K
The key derivation function K operates on an octet string x, a length (in bits) L_K of the output of function K, and a key derivation parameter octet string P from {P_1, P_2, …} as input, and produces a bit string written K(x, P, L_K) as output. Key Agreement Mechanism 1 makes use of a one-way function as Function K, i.e., given x, P and L_K as input, K is defined as
K(x, P, L_K) = h(x||P, L_K).
NOTE 1 – The output transformation for the hash-functions specified in ISO/IEC 10118-3 is the hash-code H with a given bit length. See ISO/IEC 10118-3 for the details.
NOTE 2 – The value of L_K is dependent on applications using the derived key. If the output of the key derivation function K is used as a key for a symmetric cipher, the value of L_K is the key length of a specific symmetric cipher mechanism.
6.1.3 Key agreement operation
This mechanism involves both A and B performing a sequence of up to four steps, numbered A1-A4 and B1-B4 (for the steps to be followed by A and B respectively). Steps A3, A4, B3 and B4 are optional.
Key token construction (A1)
A performs the following steps:
⎯ compute g_1 = R(π) as a base of its key token,
⎯ choose an integer s_A randomly from {1, …, r – 1} as its key token factor,
⎯ compute w_A = D(s_A, g_1) as the key token,
⎯ make w_A available to B.
Key token construction (B1)
B performs the following steps:
⎯ compute g_1 = R(π) as a base of its key token,
⎯ choose an integer s_B randomly from {1, …, r – 1} as its key token factor,
⎯ compute w_B = D(s_B, g_1) as the key token,
⎯ make w_B available to A.
Shared secret key derivation (A2)
A performs the following steps:
⎯ receive w_B from B,
⎯ check validity of w_B using T(w_B): if T(w_B) = 0, output "invalid" and stop; otherwise, carry on,
⎯ compute z = V(s_A, w_B, b) as a shared secret value,
⎯ compute K_i = K(GE2OS_X(z), P_i, L_K) for each key derivation parameter P_i as a shared secret key.
Shared secret key derivation (B2)
B performs the following steps:
⎯ receive w_A from A,
⎯ check validity of w_A using T(w_A): if T(w_A) = 0, output "invalid" and stop; otherwise, carry on,
⎯ compute z = V(s_B, w_A, b) as a shared secret value,
⎯ compute K_i = K(GE2OS_X(z), P_i, L_K) for each key derivation parameter P_i as a shared secret key.
NOTE – No special ordering of steps A1 and B1 or A2 and B2 is specified, other than that logically required by the need to compute a value before using it, i.e., A2 and B2 must happen after A1 and B1.
Key confirmation (A3 and B3) (optional)
A performs the following steps (A3):
⎯ compute o_A = H(hex(03)||GE2OS_X(w_A)||GE2OS_X(w_B)||GE2OS_X(z)||GE2OS_X(g_1)), and
⎯ make o_A available to B.
B performs the following steps (B3):
⎯ receive o_A from A,
⎯ compute o_A' = H(hex(03)||GE2OS_X(w_A)||GE2OS_X(w_B)||GE2OS_X(z)||GE2OS_X(g_1)), and
⎯ compare o_A with o_A': if o_A ≠ o_A', output "invalid" and stop.
Key confirmation (B4 and A4) (optional)
B performs the following steps (B4):
⎯ compute o_B = H(hex(04)||GE2OS_X(w_A)||GE2OS_X(w_B)||GE2OS_X(z)||GE2OS_X(g_1)), and
⎯ make o_B available to A.
A performs the following steps (A4):
⎯ receive o_B from B,
⎯ compute o_B' = H(hex(04)||GE2OS_X(w_A)||GE2OS_X(w_B)||GE2OS_X(z)||GE2OS_X(g_1)), and
⎯ compare o_B with o_B': if o_B ≠ o_B', output "invalid" and stop.
NOTE – Entities A and B are free to choose A3 and B3, or B4 and A4. The only restriction is that B3 must happen after A3 and A4 must happen after B4.
Function GE2OS_X (Group Element to Octet String conversion) is described in Annex A.
NOTE – A group element in this mechanism is a point on the curve E in the EC setting, or an integer in the range [1, q - 1] in the DL setting.
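Key Agreement Mechanism 1 in the DL setting, run end to end with the functions of 6.1.2 (R_1DL, D_DL, T_DL, V_DL and K) and the steps A1-A4 and B1-B4 of 6.1.3, including the optional key confirmation. This is an added example and not a conformant implementation or text of ISO/IEC 11770-4. It assumes: toy DL domain parameters q = 10007, r = 5003, k = 2 (a safe prime chosen only so the run is instant; real parameters are far larger); SHA-256 as the agreed hash-function H; GE2OS_X in the DL setting as a fixed-length big-endian encoding of the integer; the key derivation h(x||P, L_K) as SHA-256(x||P) truncated to L_K bits; and π built from the password together with the entity and session identifiers that the NOTE on π requires, using a separator encoding of this example's own choosing. The names build_pi, Party and run_mechanism_1 are this example's, not the standard's.

```python
"""Key Agreement Mechanism 1 (balanced PAKE, DL setting), steps A1-A4 and B1-B4.

Added example, not the text of ISO/IEC 11770-4. Toy parameters and the hash,
encoding and key derivation choices are assumptions listed in the lead-in.
"""
import hashlib
import secrets

Q, R, K = 10007, 5003, 2            # toy DL domain parameters q, r and cofactor k = (q-1)/r
OCTETS = (Q.bit_length() + 7) // 8  # length of GE2OS_X output for this q
B_COFACTOR = 1  # b = 1: T_DL checks only a range, not subgroup membership, so keep cofactor multiplication


def H(data: bytes) -> bytes:
    """Agreed hash-function H (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()


def bs2i(octets: bytes) -> int:
    """BS2I: big-endian octet string to integer (Annex A)."""
    return int.from_bytes(octets, "big")


def ge2os(y: int) -> bytes:
    """GE2OS_X in the DL setting (assumed fixed-length big-endian encoding)."""
    return y.to_bytes(OCTETS, "big")


def build_pi(password: bytes, id_a: bytes, id_b: bytes, session: bytes) -> bytes:
    """π = password plus entity and session identifiers (assumed separator encoding)."""
    return b"|".join((password, id_a, id_b, session))


def r1dl(x: bytes) -> int:
    """R_1DL(x) = (BS2I(H(x)))^k mod q, with the NOTE 2 check that rejects the value 1."""
    g = pow(bs2i(H(x)), K, Q)
    if g in (0, 1):
        raise ValueError("invalid")
    return g


def d_dl(x: int, y: int) -> int:
    """D_DL(x, y) = y^x mod q."""
    return pow(y, x, Q)


def t_dl(x) -> int:
    """T_DL: 1 only if x is an integer in {2, ..., q-2}, else 0."""
    if not isinstance(x, int) or x <= 1 or x >= Q - 1:
        return 0
    return 1


def v_dl(x: int, y: int, b: int) -> int:
    """V_DL(x, y, b) = y^(x * k^b) mod q."""
    return pow(y, x * K ** b, Q)


def kdf(x: bytes, p: bytes, l_k: int) -> bytes:
    """K(x, P, L_K) = h(x||P, L_K); assumed h = SHA-256 truncated to L_K bits."""
    return hashlib.sha256(x + p).digest()[: l_k // 8]


def confirm_tag(tag: int, w_a: int, w_b: int, z: int, g1: int) -> bytes:
    """o_A (tag 03) or o_B (tag 04) = H(hex(tag)||GE2OS(w_A)||GE2OS(w_B)||GE2OS(z)||GE2OS(g_1))."""
    return H(bytes([tag]) + ge2os(w_a) + ge2os(w_b) + ge2os(z) + ge2os(g1))


class Party:
    """One side of the exchange; holds the key token factor s and the derived values."""

    def __init__(self, pi: bytes):
        self.g1 = r1dl(pi)                     # A1/B1: base of the key token
        self.s = secrets.randbelow(R - 1) + 1  # key token factor from {1, ..., r-1}
        self.w = d_dl(self.s, self.g1)         # key token made available to the peer
        self.z = None

    def derive(self, w_peer: int, params, l_k: int = 128) -> list:
        """A2/B2: check the received token with T, derive z with V, then one key per P_i."""
        if t_dl(w_peer) == 0:
            raise ValueError("invalid")
        self.z = v_dl(self.s, w_peer, B_COFACTOR)
        return [kdf(ge2os(self.z), p, l_k) for p in params]


def run_mechanism_1(pw_a: bytes, pw_b: bytes, params=(b"P1", b"P2")):
    """Run A1-A4/B1-B4 with A's and B's own passwords; returns (keys_a, keys_b, confirmed)."""
    ids = (b"A", b"B", b"session-0001")  # constructed identifiers folded into π
    a, b = Party(build_pi(pw_a, *ids)), Party(build_pi(pw_b, *ids))
    keys_a = a.derive(b.w, params)                                  # A2: A uses w_B
    keys_b = b.derive(a.w, params)                                  # B2: B uses w_A
    o_a = confirm_tag(0x03, a.w, b.w, a.z, a.g1)                    # A3
    b_accepts = o_a == confirm_tag(0x03, a.w, b.w, b.z, b.g1)       # B3
    o_b = confirm_tag(0x04, a.w, b.w, b.z, b.g1)                    # B4
    a_accepts = o_b == confirm_tag(0x04, a.w, b.w, a.z, a.g1)       # A4
    return keys_a, keys_b, b_accepts and a_accepts


if __name__ == "__main__":
    ka, kb, ok = run_mechanism_1(b"correct horse", b"correct horse")
    print("same password:", ok, ka == kb)
    ka, kb, ok = run_mechanism_1(b"correct horse", b"wrong horse")
    print("different passwords:", ok, ka == kb)
```

With matching passwords both sides compute the same z = g_1^(k s_A s_B) and the same K_i, and both confirmation checks pass; with different passwords the bases g_1 differ, so z and the keys differ and B3/A4 output "invalid". Nothing that crosses the wire (w_A, w_B, o_A, o_B) is a function of π alone, which is the property that keeps an observer from checking password guesses off-line.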
6.2 Key Agreement Mechanism 2
This mechanism is designed to achieve augmented password-authenticated key agreement, which
establishes one or more shared secret keys between entities A and B with joint key control. In the mechanism,
A has a password-based octet string π and B has password verification data v corresponding to π. This
mechanism provides unilateral explicit key authentication, and optionally mutual key confirmation.
This mechanism works in the DL setting.

NOTE 1 – In applications using augmented password-authentic
...
