quisquat@prlb27.prlb.philips.be (quisquat) (05/15/91)
ISO/IEC JTC 1/SC 27/WG 2
Subject: International Standard ISO/IEC 9796
Title: ISO/IEC DIS 9796 Information technology --- Security techniques --- Digital signature scheme giving message recovery
Final review: deadline is 30 June 1991.

Context: One possible and preferred instance of this digital signature scheme is known as the RSA scheme (for odd exponents). Other schemes are possible using even exponents (example: 2 for the verification exponent).

Notes: The writing of such a standard is subject to specific rules (ISO). The text is also a compromise between experts taking into account the votes and the comments from the national member bodies. Louis Guillou (CCETT, Rennes) is the effective editor of this DIS. This work is a common task of many international experts. Illustrative examples are given in an annex.

--------------
From the text:
--------------

Contents

Foreword
Introduction
1 Scope
2 Definitions
3 Symbols and abbreviations
4 General overview
5 Signature process
6 Verification process

Annexes
A Example of a public-key system for digital signature
B Illustrative examples related to annex A
C Some precautions taken against various potential attacks related to annex A
D Bibliography

Introduction

A digital signature in electronic exchange of information is a counterpart to a handwritten signature in classical mail. Most digital signature schemes are based upon a particular public-key system. Any public-key system includes three basic operations:

--- a process producing a pair of keys: a secret key and a public key;
--- a process using a secret key;
--- a process using a public key.

In any public-key digital signature scheme, the secret key is involved in a signature process for signing messages, and the public key is involved in a verification process for verifying signatures. A pair of keys for a digital signature scheme thus consists of a "secret signature key" and a "public verification key".

Two types of digital signature schemes are clearly identified.

--- When the verification process needs the message as part of the input, the scheme is named "a signature scheme with appendix". The use of a hash-function is involved in the calculation of the appendix.
--- When the verification process reveals the message together with its specific redundancy (sometimes called the "shadow of a message"), the scheme is named "a signature scheme giving message recovery".

This International Standard specifies a scheme for digital signature of messages of limited length. This digital signature scheme allows a minimal resource requirement for verification. It does not involve the use of a hash-function and it avoids the known attacks against the generic algorithm in use.

[Note: For instance, the subtle and efficient attack formulated by Don Coppersmith against annex D of CCITT X.509, alias ISO/IEC 9594-8, is not possible here.]

[...]

1 Scope

This International Standard specifies a digital signature scheme giving message recovery for messages of limited length and using a public-key system. This digital signature scheme includes

--- a signature process using a secret signature key and a signature function for signing messages;
--- a verification process using a public verification key and a verification function for checking signatures while recovering messages.

During the signature process, messages to be signed are padded and extended if necessary. Artificial redundancy is then added, depending upon the message itself. No assumption is made as to the possible presence of natural redundancy in the messages. The artificial redundancy is revealed by the verification process. The removal of this artificial redundancy gives message recovery.

[...]

--------------
References:

- L. Guillou and J.-J. Quisquater, Efficient digital public-key signatures with shadow, Advances in Cryptology --- CRYPTO '87 proceedings, Springer-Verlag, 1988, p. 223.
- G. Brassard, How to improve signature schemes, Advances in Cryptology --- EUROCRYPT '89 proceedings, Springer-Verlag, 1990, pp. 16-22.
- L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock and C. Shaer, Precautions taken against various potential attacks in ISO/IEC DIS 9796, Advances in Cryptology --- EUROCRYPT '90 proceedings, Springer-Verlag, 1991, pp. 465-473.

--------------

Complete copies (English or French) obtainable from your national member body (ANSI, BSI, GMD, AFNOR, ...), or from ISO/IEC, Case postale 56, CH-1211 Geneve 20 - Switzerland.

If you are really interested in a copy (paper) of the "final" DRAFT (and to give constructive comments), please send a message to:

Jean-Jacques Quisquater (former editor of this DIS; ISO expert)
Philips Research Laboratory Belgium
Avenue Albert Einstein, 4
B-1348 Louvain-la-Neuve
Belgium
Fax: +32 10 47 06 99
Email: jjq@prlb.philips.be
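As an added illustration of what the quoted Introduction and Scope describe (a verifier that takes only the signature as input, recovers a block with the public exponent, checks the artificial redundancy and then strips it to recover the message), here is a small RSA-based toy written for this page. It is not the text of ISO/IEC 9796, not code from the standard's editors, and its redundancy function (a byte-wise affine map) is a constructed stand-in: the actual 9796 redundancy is not given in the post, so nothing here should be read as the standard's own construction. The RSA parameters are two Mersenne primes chosen only so the example runs instantly; they are far too small for any real use.

```python
"""Toy RSA 'signature scheme giving message recovery' with artificial redundancy.

Added example for this page; NOT the ISO/IEC 9796 scheme itself. The verifier
receives only the signature s, recovers the block x = s^e mod n, checks the
redundancy half of the block against the message half, and outputs the message
only if they agree. The redundancy function `shadow` is a constructed toy.
"""
import random

# Constructed toy parameters: two Mersenne primes give a ~92-bit modulus.
# Sized so the example runs fast; real deployments use far larger keys.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537                                  # public verification exponent (odd)
D = pow(E, -1, (P - 1) * (Q - 1))          # secret signature exponent

MSG_LEN = 4               # bytes of message carried inside one signed block
BLOCK_LEN = 2 * MSG_LEN   # message followed by an equal amount of redundancy


def shadow(message: bytes) -> bytes:
    """Artificial redundancy derived from the message (toy, byte-wise affine map).

    7 is odd, so b -> 7*b + 13 (mod 256) is a bijection on bytes; the shadow
    therefore depends on every message byte and the verifier can recompute it.
    """
    return bytes((7 * b + 13) % 256 for b in message)


def sign(message: bytes) -> int:
    """Append the message's shadow, then apply the secret signature exponent."""
    if len(message) != MSG_LEN:
        raise ValueError(f"toy scheme signs exactly {MSG_LEN}-byte messages")
    block = message + shadow(message)           # 8 bytes, so always < N
    x = int.from_bytes(block, "big")
    return pow(x, D, N)


def verify(signature: int):
    """Return the recovered message, or None if the redundancy check fails.

    The message is not an input: it is recovered from the signature itself,
    which is the 'message recovery' property as opposed to 'with appendix'.
    """
    if not 0 < signature < N:
        return None
    x = pow(signature, E, N)
    if x >= 1 << (8 * BLOCK_LEN):               # block too large to be genuine
        return None
    block = x.to_bytes(BLOCK_LEN, "big")
    message, redundancy = block[:MSG_LEN], block[MSG_LEN:]
    return message if shadow(message) == redundancy else None


def random_signatures_accepted(trials: int, seed: int = 1) -> int:
    """Count how many arbitrary values the verifier accepts as signatures.

    Without redundancy, every s would 'verify' as the message s^e mod n.
    With it, an arbitrary s is accepted only if the recovered block happens to
    satisfy shadow(message) == redundancy, which is overwhelmingly unlikely.
    """
    rng = random.Random(seed)
    return sum(verify(rng.randrange(1, N)) is not None for _ in range(trials))


if __name__ == "__main__":
    s = sign(b"PAY1")
    print("recovered:", verify(s))                                # b'PAY1'
    print("tampered accepted:", verify(s ^ 1))                    # None
    print("random accepted:", random_signatures_accepted(2000))   # 0
```

The two negative checks are the point of the redundancy: a flipped signature bit or an arbitrary value passes the exponentiation just fine but almost never yields a block whose second half is the shadow of its first half, so the verifier rejects it and recovers nothing. The real standard's redundancy and block layout are more involved (the post's annex C title hints at why), and the precautions it takes are discussed in the EUROCRYPT '90 paper cited above.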