ESIGN-D Specication
NTT Information Sharing Platform Laboratories,
NTT Corporation
August 19, 2002
Contents
1 Introduction
3
2 Notation
4
3 Data types and conversions
3.1
3.2
3.3
3.4
3.5
3.6
Integer-to-BitString Conversion(I2BSP) . . . .
BitString-to-Integer Conversion(BS2IP) . . . .
BitString-to-OctetString Conversion(BS2OSP)
OctetString-to-BitString Conversion(OS2BSP)
Integer-to-OctetString Conversion(I2OSP) . . .
OctetString-to-Integer Conversion(OS2IP) . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
4
4
5
6
6
7
7
4 Key types
8
5 Cryptographic primitives
8
4.1
4.2
5.1
5.2
5.3
ESIGN-D private key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ESIGN-D public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
KGP-ESIGN-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SP-ESIGN-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VP-ESIGN-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8
8
8
9
10
6 Signature schemes with appendix
10
7 Encoding methods
11
6.1
7.1
SSA-ESIGN-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.1.1 Signature generation operation . . . . . . . . . . . . . . . . . . . . . . . .
6.1.2 Signature verication operation . . . . . . . . . . . . . . . . . . . . . . . .
EMSA-ESIGN-D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1.1 Encoding operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1.2 Verication operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8 Auxiliary techniques
8.1
8.2
Hash functions . . . . . .
8.1.1 SHA-1 . . . . . . .
Mask generation functions
8.2.1 MGF1 . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
10
10
11
11
11
12
12
12
12
12
13
A Security requirements of parameters
15
B Recommended values of parameters
15
2
1 Introduction
This document provides a specication for implementing ESIGN-D. It is an improved version of
ESIGN-TSH specied in IEEE P1363a / D10 [1], which was suggested by [2].
ESIGN-D is secure against chosen message attacks (CMA) and ESIGN-TSH is secure against
single occurrence chosen message attacks (SO-CMA) that is weaker than CMA.
In this document, SSA-ESIGN-D-Sign and SSA-ESIGN-D-Verify describe the algorithms of ESIGN-D. They consist of
cryptographic primitives
{ Key generation primitive: KGP-ESIGN-D,
{ Signtature primitive: SP-ESIGN-D,
{ Verication primitive: VP-ESIGN-D, and
an encoding method
{ EMSA-ESIGN-D.
3
2 Notation
bit
bit string
octet
octet string
R
Z
N
a := b
(B0 ; B1 ; : : : ; Bi01 )2
(M0; M1; : : : ; Mi01 )256
f0; 1gi
f0; 1g3
f0; 1; : : : ; 255g3
dy e
by c
[X ]y
GCD(a; b)
ajb
a mod m
a01 mod m
N
[1 f0; 1g .
i
f0; 1; : : : ; 255gi
k
one of the two symbols 0 or 1.
an ordered sequence of bits.
one of the integers from 0 to 255.
an ordered sequence of octets.
the set of real numbers.
the set of integers.
the set of positive integers.
assign b to a.
a bit string of length i, for example, (0; 1; 0; 0)2 .
an octet string of length i, for example, (170; 255; 0)256 .
if i 2 , then the set of all bit strings of length i. if i = 0, then
empty bit string.
i=0
N
if i 2 , then the set of all octet strings of length i. if i = 0, then
empty octet string.
[1 f0; 1; : : : ; 255g .
i
i=0
a concatenation operator for two bit strings or for two octet strings,
for example, (0; 1; 0; 0)2 k (1; 1; 0)2 = (0; 1; 0; 0; 1; 1; 0)2 for bit strings,
(170; 255)256 k (0; 20)256 = (170; 255; 0; 20)256 for octet strings. The
operator is often omitted.
for y 2 , the least integer greater than or equal to y.
for y 2 , the greatest integer less than or equal to y.
for y 2 , the rightmost y bits of a bit string X .
for a 2 , b 2 , the greatest common divisor of a and b.
for a 2 , b 2 , a divides b.
for a 2 , m 2 , the least nonnegative integer b which satises
mj(b 0 a).
for a 2 , m 2 , the least nonnegative integer b which satises
ab mod m = 1.
R
R
N
N
Z
Z
Z
N
Z
N
N
3 Data types and conversions
The schemes specied in this document involve operations using several dierent data types.
Figure 1 illustrates which conversions are needed and where they are described.
3.1 Integer-to-BitString Conversion(I2BSP)
Integers should be converted to bit strings as described in this section. Informally, the idea is
to represent the integer in binary. Formally, the conversion routine, I2BSP(x; l), is specied as
follows:
Input:
Output:
Errors:
Steps:
x an integer to be converted, a nonnegative integer
l
the bit length of the output, a nonnegative integer
B a bit string of length l bits
INVALID
4
'
$
& %
n=
l
8
; Mi 2 f0; 1; : : : ; 255g
Octet String
M = M0 M1 1 1 1 Mn01
6
M
; l)
I2O
SP
OS
(
2 IP x ; l )
(
7
/
OS2BSP(M; l)
SoSS
SS
SS
SS
SS
SS
S Sw
S
BS2OSP(B; l)
Nonnegative
Integer x
x;
(
SP
; l)
(B
I2B
2IP
BS
l)
?
Bit String
B = B0B1 1 1 1 Bl01
Bi 2 f0; 1g
Figure 1: Conversion between data types
1. If l = 0, output an empty bit string and stop.
2. If x 2l , assert INVALID and stop.
3. Determine the x's base-2 representation, xi 2 f0; 1g such that
x = xl01 2l01 + xl02 2l02 + 1 1 1 + x12 + x0 :
4. For 0 i l 0 1, set Bi := xl010i , and let
B := B0 B1 1 1 1 Bl01 :
5. Output B .
3.2 BitString-to-Integer Conversion(BS2IP)
Bit strings should be converted to integers as described in this section. Informally, the idea is
simply to view the bit string as the base-2 representation of the integer. Formally, the conversion
routine, BS2IP(B; l), is specied as follows:
Input:
Output:
Steps:
B
l
x
a bit string to be converted
the bit length of B , a nonnegative integer
a nonnegative integer
5
Convert B = B0B1 1 1 1 Bl01 to an integer x as follows:
1. If l = 0, output 0 and stop.
2. View each Bi as an integer in f0; 1g, set xi := Bi for 0 i l 0 1, and let
0
X
2 00
1
l
x :=
(l 1
i)
xi :
i=0
3. Output x.
3.3 BitString-to-OctetString Conversion(BS2OSP)
Bit strings should be converted to octet strings as described in this section. Informally, the idea
is to pad the bit string with 0's on the left to make its length a multiple of 8, then chop the
result up into octets. Formally, the conversion routine, BS2OSP(B; l), is specied as follows:
Input:
B
l
Output: M
Steps:
a bit string to be converted
the bit length of B , a nonnegative integer
an octet string of length n =
l
8
octets
Convert the bit string B = B0 B1 1 1 1 Bl01 to an octet string M = M0 M1 1 1 1 Mn01 as follows:
1. If l = 0, output an empty octet string and stop.
2. For 0 < i n 0 1, let:
Mi := Bl0808(n010i) Bl0708(n010i) 1 1 1 Bl0108(n010i) :
3. Set
M0 :=
( B B 111B
0
1
7
ZB0B1 1 1 1 Bl+708n
(8n 0 l = 0)
;
(8n 0 l 6= 0)
where Z is an all zero bit string of length 8n 0 l (Z = (0; 0; : : : ; 0)2).
4. Output M .
3.4 OctetString-to-BitString Conversion(OS2BSP)
Octet strings should be converted to bit strings as described in this section. Informally, the idea is
simply to view the octet string as a bit string. Formally, the conversion routine, OS2BSP(M; l),
is specied as follows:
Input:
M
an octet string of length n =
l
the bit length of the output,
a bit string of length l bits
Output: B
Steps:
l
octets to be converted
8
a nonnegative integer
Convert the octet string M = M0M1 1 1 1 Mn01 to a bit string B = B0 B1 1 1 1 Bl01 as follows:
6
1. If l = 0, output an empty bit string and stop.
2. For 0 < i n 0 1, set:
Bl0808(n010i) Bl0708(n010i) 1 1 1 Bl0108(n010i) := Mi :
3. For 0 j l + 7 0 8n, set Bj := Zj +8n0l , where Z0 Z1 1 1 1 Z7 := M0.
4. Output B .
3.5 Integer-to-OctetString Conversion(I2OSP)
Integers should be converted to octet strings as described in this section. Informally, the idea
is to represent the integer in binary and then convert the resulting bit string to an octet string.
Formally, the conversion routine, I2OSP(x; l), is specied as follows:
Input:
x
l
an integer to be converted, a nonnegative integer
the bit length of x, a nonnegative integer
l
Output: M an octet string of length n =
octets
8
Errors: INVALID
Steps:
1. If l = 0, output an empty octet string and stop.
2. If x 2l , assert INVALID and stop.
3. Determine the x's base-256 representation, xi 2 f0; : : : ; 255g such that
x = xn01 28(n01) + xn02 28(n02) + 1 1 1 + x128 + x0 :
4. For 0 i n 0 1, set Mi := xn010i , and let
M := M0 M1 1 1 1 Mn01 :
5. Output M .
3.6 OctetString-to-Integer Conversion(OS2IP)
Octet strings should be converted to integers as described in this section. Informally, the idea
is simply to view the octet string as the base-256 representation of the integer. Formally, the
conversion routine, OS2IP(M; l), is specied as follows:
Input:
Output:
Steps:
M
l
x
an octet string of length n =
l
octets to be converted
8
the bit length of x, a nonnegative integer
a nonnegative integer
Convert M = M0 M1 1 1 1 Mn01 to an integer, x, as follows:
1. If l = 0, output 0 and stop.
2. View each Mi as an integer in f0; : : : ; 255g, set xi := Mi for 0 i l 0 1, and let
x :=
X0 2
n
1
8(n010i)
i=0
3. Output x.
7
xi mod 2l :
4 Key types
In this section, two types of keys are dened: ESIGN-D private key and ESIGN-D public key,
both of which are employed in the primitives and schemes.
4.1 ESIGN-D private key
An ESIGN-D private key is the 6-tuple (p; q; n; pLen ; e; seed), where the components have the
following meanings:
2pLen 01 < p < 2pLen .
p, the rst factor, a prime number,
q , the second factor,
n, the modulus, a positive integer,
pLen ,
2pLen 01 < q < 2pLen and q 6= p.
a prime number,
23pLen 01 < n < 23pLen and n = p2q .
the security parameter, a positive integer.
e, the exponent, a positive integer.
seed, the index to a pseudo-random function, a nonnegative integer,
22pLen .
0 seed <
Valid ESIGN-D private key We call a private key (p; q; n; pLen ; e; seed) \valid" if it satises
all the above conditions.
4.2 ESIGN-D public key
An ESIGN-D public key is the 3-tuple (n; pLen ; e), where the components have the following
meanings:
n, the modulus, a positive integer,
pLen ,
23pLen 01 < n < 23pLen and n = p2q .
the security parameter, a positive integer.
e, the exponent, a positive integer.
Valid ESIGN-D public key We call a public key (n; pLen ; e) \valid" if it satises all the
above conditions.
5 Cryptographic primitives
In this section, three cryptographic primitives are specied.
5.1 KGP-ESIGN-D
KGP-ESIGN-D(k; e) is dened as follows:
Input:
Output:
Steps:
k
e
PK
SK
security parameter, a positive integer
public exponent, a positive integer
ESIGN-D public key (n; pLen ; e)
ESIGN-D private key (p; q; n; pLen ; e; seed)
8
1. Choose two odd primes p, q such that 2k01 < p < 2k , 2k01 < q < 2k , p 6= q , 23k01 p2q < 23k .
2. Compute n := p2 q.
3. Set pLen := k.
4. Generate a random integer
seed 2 f0; 1; : : : ; 22k 0 1g
5. Output P K = (n; pLen ; e), SK = (p; q; n; pLen ; e; seed).
5.2 SP-ESIGN-D
SP-ESIGN-D(SK; f ) is dened as follows:
System parameters: Hash
Input:
Output:
Errors:
Steps:
hash function
hLen length in bits of the hash function output, a positive integer
MGF mask generation function
SK
ESIGN-D private key (p; q; n; pLen ; e; seed)
f
message representative, an integer, 0 f < 2pLen 01
s
signature representative, an integer, 0 s < n
INVALID
1. If the message representative f does not satisfy 0 f < 2pLen 01 , assert INVALID and stop.
2. Compute z := f 1 22pLen .
3. Set c := 0.
4. Set c := c + 1.
5. If c 232 , assert INVALID and stop.
6. Compute
r := OS2IP(MGF (I2OSP(seed; 2pLen ) k I2OSP(f; pLen 0 1) k I2OSP(c; 32);
2pLen ); 2pLen ):
7. If r pq , go back to step 4.
8. Compute := (z 0 re ) mod n.
9. Let (w0 ; w1) be
w0 :=
w1
;
pq
:= w0pq 0 :
10. If w1 22pLen 01, go back to step 4.
11. If r mod p = 0, go back to step 4.
12. Let t := w0 (er e01 )01 mod p, and compute s := r + tpq.
13. Output s.
9
Note: If private key SK is not valid, the performance of this function is not guaranteed.
5.3 VP-ESIGN-D
VP-ESIGN-D(P K; s) is dened as follows:
Input:
Output:
Errors:
Steps:
P K ESIGN-D public key (n; pLen ; e)
s
signature representative, an integer, 0 s < n
f
message representative, an integer, 0 f < 2pLen 01
INVALID
1. If the signature representative s does not satisfy 0 s < n, assert INVALID and stop.
2. Compute t := se mod n.
3. Compute f :=
t
22pLen
.
4. If f does not satisfy 0 f < 2pLen01 , assert INVALID and stop.
5. Output f .
Note: If n 23pLen01 or n 23pLen , the performance of this function is not guaranteed.
6 Signature schemes with appendix
6.1 SSA-ESIGN-D
SSA-ESIGN-D combines the SP-ESIGN-D and VP-ESIGN-D primitives with the EMSAESIGN-D encoding method.
6.1.1 Signature generation operation
SSA-ESIGN-D-Sign(SK; M ) is dened as follows:
Input:
Output:
Errors:
Steps:
SK signer's ESIGN-D private key
M
message to be signed, an octet string
s
signature representative, an integer, 0 s < n
INVALID
1. Apply the EMSA-ESIGN-D-Encode operation (Section 7.1.1) to the message M to
produce an integer message representative f :
f := EMSA-ESIGN-D-Encode(M; pLen 0 1):
If the encoding operation asserts INVALID, then assert INVALID and stop.
2. Apply the SP-ESIGN-D signature primitive (Section 5.2) to the private key SK and the
message representative f to produce an integer signature representative s:
s := SP-ESIGN-D(SK; f ):
3. Output the signature representative s.
10
6.1.2 Signature verication operation
SSA-ESIGN-D-Verify(P K; M; s) is dened as follows:
Input:
Output:
Steps:
P K signer's ESIGN-D public key
M
message whose signature is to be veried, an octet string
s
signature to be veried, an integer, 0 s < n
VALID SIGNATURE or INVALID SIGNATURE
1. Apply the VP-ESIGN-D verication primitive (Section 5.3) to the public key P K and
the signature representative s to produce an integer message representative f 0 :
f 0 := VP-ESIGN-D(P K; s):
If the
stop.
VP-ESIGN-D primitive asserts INVALID, then output INVALID SIGNATURE and
2. Apply the EMSA-ESIGN-D-Verify operation (Section 7.1.2) to the message M and the
message representative f 0 to determine whether they are consistent:
Result := EMSA-ESIGN-D-Verify(M; f 0 ; pLen 0 1):
If Result is CONSISTENT, then output VALID SIGNATURE.
Otherwise, output INVALID SIGNATURE.
7 Encoding methods
7.1 EMSA-ESIGN-D
7.1.1 Encoding operation
EMSA-ESIGN-D-Encode(M; l) is dened as follows:
System parameters: Hash
hash function
length in bits of the hash function output, a positive integer
MGF mask generation function
M
message to be encoded, an octet string
l
the bit length of the encoded message, a positive integer
f
encoded message representative, a nonnegative integer
INVALID
hLen
Input:
Output:
Errors:
Steps:
1. If the length of M is greater than the input limitation for the hash function, assert INVALID
and stop.
2. Apply the hash function to the message M to produce a hash value H of length
octets:
H := Hash (M ):
11
hLen 8
3. Apply the mask generation function to H to produce an octet string T of length
octets:
l
8
T := MGF (H; l):
4. Convert the octet string T to an integer f :
f := OS2IP(T; l):
5. Output f .
7.1.2 Verication operation
EMSA-ESIGN-D-Verify(M; f; l) is dened as follows:
System parameters: Hash
Input:
Output:
Errors:
Steps:
hash function
hLen length in bits of the hash function output, a positive integer
MGF mask generation function
M
message to be encoded, an octet string
f
encoded message representative, a nonnegative integer
l
the bit length of f , a positive integer
CONSISTENT
INVALID
1. Produce an integer message representative f 0 :
f 0 := EMSA-ESIGN-D-Encode(M; l):
2. If f is equal to f 0 , then output CONSISTENT. Otherwise assert INVALID.
8 Auxiliary techniques
This section gives several examples of the techniques that support the functions described in
this document.
8.1 Hash functions
One hash function is recommended for the encoding methods in this document:
SHA-1.
8.1.1 SHA-1
SHA-1 is dened in FIPS PUB 180-1 [3]. The output length of SHA-1 is 160 bits, and the
operation block size is 512 bits.
8.2 Mask generation functions
One mask generation function is recommended for the encoding methods in this document:
MGF1 [4].
12
8.2.1 MGF1
MGF1 is a mask generation function based on a hash function.
MGF1(M; l) is dened as follows:
System parameters: Hash
Input:
M
l
hash function
length in bits of the hash function output, a positive
integer
seed from which mask is generated, an octet string
the bit length of the output, a positive integer
Output:
Errors:
Steps:
mask
mask, an octet string of length
hashLen
INVALID
l
8
octets
1. Let l0 be the bit length of M . If l0 + 32 is greater than the input limitation for the hash
function, assert INVALID and stop.
l
.
2. Let cThreshold :=
hashLen
3. Let M 0 be the empty octet string.
4. Let counter := 0.
(a) Convert the integer counter to an octet string C of length 32 bits:
C := I2OSP(counter ; 32):
(b) Concatenate M and C , and apply the hash function to the result to produce a hash
hashLen
octets:
value H of length
8
H := Hash (M k C ):
(c) Concatenate M 0 and H to the octet string M 0 :
M 0 := M 0 k H:
(d) Let counter := counter + 1. If counter < cThreshold , go back to step 4a.
5. Let mask be the leftmost
l
8
octets of the octet string M 0 :
mask := M00 M10 1 1 1 Md0l=8e01 :
6. Output mask .
References
[1] IEEE P1363a / D10 (Draft Version 10), \Standard Specications for Public Key Cryptography: Additional Techniques," , IEEE, to be appeared.
13
[2] \How to repair ESIGN," Louis Granboulan, Cryptology ePrint Archive 2002/74, available
from http://eprint.iacr.org/
[3] FIPS PUB 180-1, \Secure Hash Standard (SHS)," U.S. Department of Commerce / National
Institute of Standards and Technology, April 17, 1995.
[4] RSA Laboratories, \PKCS #1 v2.1: RSA Encryption Standard," draft 2, January 5, 2001.
14
Appendix
A Security requirements of parameters
Security requirements of ESIGN-D parameters are the following:
2k=4
k 342
3k
e (bit length of n 1024)
2
B Recommended values of parameters
Recommended values of ESIGN-D parameters are the following:
k
e
Hash
hLen
MGF
= 512 or 1024
(bit length of n = 1536 or 3072)
= 65537
=
SHA-1
= 160
=
MGF1
(SHA-1, hashLen = 160)
15