ISO/IEC JTC 1/SC 27/WG 2 - Cryptography and security mechanisms

This document specifies definitions, terminology and processes for secure multiparty computation and related technology, in order to establish a taxonomy and enable interoperability. In particular, this document defines the processes involved in cryptographic mechanisms which compute a function on data while the data are kept private; the participating parties; and the cryptographic properties. The terminology contained in this document is common to the ISO/IEC 4922 series.

This document specifies one method for authenticated encryption suitable for applications requiring lightweight cryptographic mechanisms. This method processes a data string with the following security objectives: a) data confidentiality, i.e. protection against unauthorized disclosure of data, b) data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified. Optionally, this method can provide data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. The method specified in this document is based on a lightweight stream cipher, and requires the parties of the protected data to share a secret key for this algorithm. Key management is outside the scope of this document. NOTE Key management techniques are defined in the ISO/IEC 11770 series.

This document specifies tweakable block ciphers. A tweakable block cipher is a family of n-bit permutations parametrized by a secret key value and a public tweak value. Such primitives are generic tools that can be used as building blocks to construct cryptographic schemes such as encryption, Message Authentication Codes, authenticated encryption, etc. A total of five different tweakable block ciphers are defined. They are categorized in Table 1.

The ISO/IEC 15946 series specifies public-key cryptographic techniques based on elliptic curves described in ISO/IEC 15946-1. This document defines elliptic curve generation techniques useful for implementing the elliptic curve based mechanisms defined in ISO/IEC 29192‑4, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and ISO/IEC 18033‑5. This document is applicable to cryptographic techniques based on elliptic curves defined over finite fields of prime power order (including the special cases of prime order and characteristic two). This document is not applicable to the representation of elements of the underlying finite field (i.e. which basis is used).

This document provides general descriptions and specifications of anonymous entity authentication mechanisms based on blind digital signatures.

This document defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals. a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as the result of a data exchange between the two entities A and B. Neither of them is able to predetermine the value of the shared secret key. b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one entity A and is transferred to another entity B, suitably protected by asymmetric techniques. c) Make an entity's public key available to other entities via key transport. In a public key transport mechanism, the public key of entity A is transferred to other entities in an authenticated way, but not requiring secrecy. Some of the mechanisms of this document are based on the corresponding authentication mechanisms in ISO/IEC 9798‑3. This document does not cover certain aspects of key management, such as: — key lifecycle management; — mechanisms to generate or validate asymmetric key pairs; and — mechanisms to store, archive, delete, destroy, etc., keys. While this document does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this. A private key can in all cases be distributed with these mechanisms where an existing, non-compromised key already exists. However, in practice the distribution of private keys is usually a manual process that relies on technological means such as smart cards, etc. This document does not specify the transformations used in the key management mechanisms. NOTE To provide origin authentication for key management messages, it is possible to make provisions for authenticity within the key establishment protocol or to use a public key signature system to sign the key exchange messages.

This document is general in nature and provides definitions that apply in subsequent parts of the ISO/IEC 18033 series. It introduces the nature of encryption and describes certain general aspects of its use and properties.

This document specifies mechanisms that generate, renew, and verify independent time-stamps. In order to verify an independent time-stamp token, time-stamp verifiers do not need access to any other time-stamp tokens. That is, such time-stamp tokens are not linked.

This document specifies mechanisms for cross-domain password-based authenticated key exchange, all of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols let two communicating entities establish a shared session key using just the login passwords that they share with their respective domain authentication servers. The authentication servers, assumed to be part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that certify key materials that the users can subsequently use to exchange and agree on as a session key. This document does not specify the means to be used to establish a shared password between an entity and its corresponding domain server. This document also does not define the implementation of a PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.

This document specifies MAC algorithms that use a secret key and a hash-function (or its round-function or sponge function) to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181‑6.

This document specifies properties of cryptographic mechanisms to redact authentic data. In particular, it defines the processes involved in those mechanisms, the participating parties, and the cryptographic properties.

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: — data confidentiality, i.e. protection against unauthorized disclosure of data; — data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; — data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All five methods specified in this document are based on a block cipher algorithm, and require the originator and the recipient of the protected data to share a secret key for this block cipher. Key management is outside the scope of this document. Key management techniques are defined in ISO/IEC 11770 (all parts). Four of the mechanisms in this document, namely mechanisms 3, 4, 5 (AAD variant only) and 6, allow data to be authenticated which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated data) that is integrity-protected but not encrypted. In all cases, the string A can be empty. NOTE Examples of types of data that can need to be sent in unencrypted form, but whose integrity is to be protected, include addresses, port numbers, sequence numbers, protocol version numbers and other network protocol fields that indicate how the plaintext is to be handled, forwarded or processed.

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: — symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and — symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group forward and backward secrecy. This document also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not specify information that has no relation with key establishment mechanisms, nor does it specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish the initial secret keys required to be shared between each entity and the KDC, nor key lifecycle management. This document also does not explicitly address the issue of interdomain key management.

This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation: — evidence generation; — evidence transfer, storage and retrieval; and — evidence verification. Dispute arbitration is outside the scope of the ISO/IEC 13888 series.

This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.

This document specifies three block ciphers suitable for applications requiring lightweight cryptographic implementations: — PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits; — CLEFIA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits; — LEA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits.

This document specifies MAC algorithms suitable for applications requiring lightweight cryptographic mechanisms. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key. The following MAC algorithms are specified in this document: a) LightMAC; b) Tsudik's keymode; c) Chaskey-12.

This document specifies broadcast authentication protocols, which are protocols that provide data integrity and entity authentication in a broadcast setting, i.e. a setting with one sender transmitting messages to many receivers. To provide entity authentication, there needs to be a pre-existing infrastructure which links the sender to a cryptographic secret. The establishment of such an infrastructure is beyond the scope of this document.

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

This document specifies the following mechanisms for homomorphic encryption. — Exponential ElGamal encryption; — Paillier encryption. For each mechanism, this document specifies the process for: — generating parameters and the keys of the involved entities; — encrypting data; — decrypting encrypted data; and — homomorphically operating on encrypted data. Annex A defines the object identifiers assigned to the mechanisms specified in this document. Annex B provides numerical examples.

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

This document specifies digital signature mechanisms with appendix whose security is based on the discrete logarithm problem. This document provides — a general description of a digital signature with appendix mechanism, and — a variety of mechanisms that provide digital signatures with appendix. For each mechanism, this document specifies — the process of generating a pair of keys, — the process of producing signatures, and — the process of verifying signatures. Annex A defines object identifiers assigned to the digital signature mechanisms specified in this document, and defines algorithm parameter structures. Annex B defines conversion functions of FE2I, I2FE, FE2BS, BS2I, I2BS, I2OS and OS2I used in this document. Annex D defines how to generate DSA domain parameters.

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

This document defines key establishment mechanisms using symmetric cryptographic techniques. This document addresses three environments for the establishment of keys: Point-to-Point, Key Distribution Centre (KDC), and Key Translation Centre (KTC). It describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not indicate other information which can be contained in the messages or specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish initial secret keys; that is, all the mechanisms specified in this document require an entity to share a secret key with at least one other entity (e.g. a TTP). For general guidance on the key lifecycle, see ISO/IEC 11770-1. This document does not explicitly address the issue of inter-domain key management. This document also does not define the implementation of key management mechanisms; products complying with this document are not necessarily compatible.

ISO/IEC 11770-4:2017 defines key establishment mechanisms based on weak secrets, i.e. secrets that can be readily memorized by a human, and hence, secrets that will be chosen from a relatively small set of possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys based on a weak secret derived from a memorized password, while preventing offline brute-force attacks associated with the weak secret. ISO/IEC 11770-4:2017 is not applicable to the following aspects of key management: - life-cycle management of weak secrets, strong secrets, and established secret keys; - mechanisms to store, archive, delete, destroy, etc. weak secrets, strong secrets, and established secret keys.

ISO/IEC 19592-2:2017 specifies cryptographic secret sharing schemes.

ISO/IEC 20009-4:2017 specifies anonymous entity authentication mechanisms based on weak secrets. The precise operation of each mechanism is specified, together with details of all inputs and outputs. This document is applicable to situations in which the server only verifies that the user belongs to a certain user group without obtaining any information that can be used to identify the user later on.

ISO/IEC 10116:2017 data during transmission or in storage). The defined modes only provide protection of data confidentiality. Protection of data integrity is not within the scope of this document. Also, most modes do not protect the confidentiality of message length information. NOTE 1 Methods for protecting the integrity of data using a block cipher are provided in ISO/IEC 9797-1. NOTE 2 Methods for simultaneously protecting the confidentiality and integrity of data are provided in ISO/IEC 19772. ISO/IEC 10116:2017 specifies the modes of operation and gives recommendations for choosing values of parameters (as appropriate). NOTE 3 The modes of operation specified in this document have been assigned object identifiers in accordance with ISO/IEC 9834. The list of assigned object identifiers is given in Annex A. In applications in which object identifiers are used, the object identifiers specified in Annex A are to be used in preference to any other object identifiers that can exist for the mode concerned. NOTE 4 Annex B contains comments on the properties of each mode and important security guidance.

ISO 18370-1:2016 specifies principles, including a general model, a set of entities, a number of processes, and general requirements for blind digital signature mechanisms, as well as the following variants of blind digital signature mechanisms: - blind signature mechanisms with partial disclosure; - blind signature mechanisms with selective disclosure; - traceable blind signature mechanisms. It also contains terms, definitions, abbreviated terms and figure elements that are used in all parts of ISO/IEC 18370. See Annex A for a comparison on the blind digital signature mechanisms.

ISO/IEC 19592-1:2016 specifies cryptographic secret sharing schemes and their properties. This document defines the parties involved in a secret sharing scheme, the terminology used in the context of secret sharing schemes, the parameters and the properties of such a scheme.

ISO/IEC 10118-1:2016 specifies hash-functions and is therefore applicable to the provision of authentication, integrity and non-repudiation services. Hash-functions map strings of bits of variable (but usually upper bounded) length to fixed-length strings of bits, using a specified algorithm. They can be used for - reducing a message to a short imprint for input to a digital signature mechanism, and - committing the user to a given string of bits without revealing this string. NOTE The hash-functions specified in ISO/IEC 10118 (all parts) do not involve the use of secret keys. However, these hash-functions may be used, in conjunction with secret keys, to build message authentication codes. Message Authentication Codes (MACs) provide data origin authentication as well as message integrity. Techniques for computing a MAC using a hash-function are specified in ISO/IEC 9797‑2 [1]. ISO/IEC 10118-1:2016 contains definitions, symbols, abbreviations and requirements that are common to all the other parts of ISO/IEC 10118. The criteria used to select the algorithms specified in subsequent parts of ISO/IEC 10118 are defined in Annex B of this document.

ISO/IEC 11770-6:2016 specifies key derivation functions, i.e. functions which take secret information and other (public) parameters as input and output one or more "derived" secret keys. Key derivation functions based on MAC algorithms and on hash-functions are specified.

ISO/IEC 29192-5:2016 specifies three hash-functions suitable for applications requiring lightweight cryptographic implementations. - PHOTON: a lightweight hash-function with permutation sizes of 100, 144, 196, 256 and 288 bits computing hash-codes of length 80, 128, 160, 224, and 256 bits, respectively. - SPONGENT: a lightweight hash-function with permutation sizes of 88, 136, 176, 240 and 272 bits computing hash-codes of length 88, 128, 160, 224, and 256 bits, respectively. - Lesamnta-LW: a lightweight hash-function with permutation size 384 bits computing a hash-code of length 256 bits. The requirements for lightweight cryptography are given in ISO/IEC 29192‑1.

ISO/IEC 15946-1:2016 describes the mathematical background and general techniques necessary for implementing the elliptic curve cryptography mechanisms defined in ISO/IEC 15946‑5, ISO/IEC 9796‑3, ISO/IEC 11770‑3, ISO/IEC 14888‑3, ISO/IEC 18033‑2 and other ISO/IEC standards. ISO/IEC 15946-1:2016 does not specify the implementation of the techniques it defines. For example, it does not specify the basis representation to be used when the elliptic curve is defined over a finite field of characteristic two. Thus, interoperability of products complying with ISO/IEC 15946-1:2016 will not be guaranteed.

ISO/IEC 18370-2:2016 specifies blind digital signature mechanisms, together with mechanisms for three variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms. The security of all the mechanisms in ISO/IEC 18370-2:2016 is based on the discrete logarithm problem. For each mechanism, ISO/IEC 18370-2:2016 specifies the following: - the process for generating the keys of the entities involved in these mechanisms; - the process for producing blind signatures; - the process for verifying signatures. ISO/IEC 18370-2:2016 specifies another process specific to blind signature mechanisms with selective disclosure, namely, the following: - the presentation process. Furthermore, ISO/IEC 18370-2:2016 specifies other processes specific to traceable blind signature mechanisms, namely, the following: a) the process for tracing requestors; b) the process for tracing signatures; c) the requestor tracing evidence evaluation process (optional); d) the signature tracing evidence evaluation process (optional).

ISO/IEC 18033-5:2015 specifies identity-based encryption mechanisms. For each mechanism the functional interface, the precise operation of the mechanism, and the ciphertext format are specified. However, conforming systems may use alternative formats for storing and transmitting ciphertexts.