[comp.std.internat] International standard about digital signature

quisquat@prlb27.prlb.philips.be (quisquat) (05/15/91)

ISO/IEC JTC 1/SC 27/WG 2

Subject:      International Standard ISO/IEC 9796

Title:        ISO/IEC DIS 9796
              Information technology --- Security techniques
              --- Digital signature scheme giving message recovery

Final review: deadline is 30 June 1991.

Context:      One possible and preferred instance of this digital signature scheme 
              is known as the RSA scheme (for odd exponents). Other schemes are
              possible using even exponents (example: 2 for the verification exponent).

Notes:        The writing of such a standard is subject to specific rules (ISO).
              The text is also a compromise between experts taking into account
              the votes and the comments from the national member bodies.
              Louis Guillou (CCETT, Rennes) is the effective editor of this DIS. 
              This work is a common task of many international experts.
              Illustrative examples are given in an annex.

--------------
From the text:
--------------

Contents

Foreword
Introduction
1 Scope
2 Definitions
3 Symbols and abbreviations
4 General overview
5 Signature process
6 Verification process
Annexes
A Example of a public-key system for digital signature
B Illustrative examples related to annex A
C Some precautions taken against various potential attacks
  related to annex A
D Bibliography


Introduction

A digital signature in electronic exchange of information is a counterpart
to a handwritten signature in classical mail.

Most digital signature schemes are based upon a particular public-key system.
Any public-key system includes three basic operations:

   --- a process producing a pair of keys: a secret key and a public key;

   --- a process using a secret key;

   --- a process using a public key.

In any public-key digital signature scheme, the secret key is involved in a
signature process for signing messages, and the public key is involved in a
verification process for verifying signatures. A pair of keys for a digital
signature scheme thus consists of a "secret signature key" and a "public
verification key".

Two types of digital signature schemes are clearly identified.

   --- When the verification process needs the message as part of the input,
   the scheme is named "a signature scheme with appendix". The use of a
   hash-function is involved in the calculation of the appendix.

   --- When the verification process reveals the message together with its
   specific redundancy (sometimes called the "shadow of a message"), the
   scheme is named "a signature scheme giving message recovery".

This International Standard specifies a scheme for digital signature of
messages of limited length.

This digital signature scheme allows a minimal resource requirement for
verification. It does not involve the use of a hash-function and it avoids the
known attacks against the generic algorithm in use.

[Note: For instance, the subtle and efficient attack formulated by Don Coppersmith
against annex D of CCITT X.509, alias ISO/IEC 9594-8, is not possible here.]

[...]

1 Scope

This International Standard specifies a digital signature
scheme giving message recovery for messages of limited
length and using a public-key system.

This digital signature scheme includes

   --- a signature process using a secret signature key
   and a signature function for signing messages;

   --- a verification process using a public verification key
   and a verification function for checking signatures
   while recovering messages.

During the signature process, messages to be signed are
padded and extended if necessary. Artificial redundancy is
then added, depending upon the message itself. No
assumption is made as to the possible presence of natural
redundancy in the messages. The artificial redundancy is
revealed by the verification process. The removal of this
artificial redundancy gives message recovery.

[...]

--------------

References:

- L. Guillou and J.-J. Quisquater, 
  Efficient digital public-key signatures with shadow,
  Advances in Cryptology --- CRYPTO '87 proceedings,
  Springer-Verlag, 1988, p. 223.

- G. Brassard,
  How to improve signature schemes,
  Advances in Cryptology --- EUROCRYPT '89 proceedings,  
  Springer-Verlag, 1990, pp. 16-22.

- L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock and C. Shaer,
  Precautions taken against various potential attacks in ISO/IEC DIS 9796,
  Advances in Cryptology --- EUROCRYPT '90 proceedings,  
  Springer-Verlag, 1991, pp. 465-473.

--------------

Complete copies (English or French) obtainable from your national
member body (ANSI, BSI, GMD, AFNOR, ...), or from
ISO/IEC, Case postale 56, CH-1211 Geneve 20 - Switzerland.

If you are really interested in a paper copy of the "final" DRAFT
(and in giving constructive comments), please send a message to:

           Jean-Jacques Quisquater (former editor of this DIS; ISO expert)
           Philips Research Laboratory Belgium
           Avenue Albert Einstein, 4
           B-1348 Louvain-la-Neuve
           Belgium

Fax:       +32 10 47 06 99
Email:     jjq@prlb.philips.be
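
--------------

The pad / add redundancy / sign / verify / strip sequence from the Scope, and the "giving message recovery" property from the Introduction, as an added Python example that is not part of the original post or of ISO/IEC 9796. The toy key, the block layout (length byte, complemented copy as redundancy, 0x06 trailer) and all function names are assumptions standing in for the standard's own redundancy rules.

```python
from typing import Optional

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                  # odd public verification exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # secret signature exponent

MSG_MAX, BLOCK_LEN, TRAILER = 4, 11, b"\x06"   # assumed layout, not ISO/IEC 9796's

def add_redundancy(msg: bytes) -> int:
    """Pad the message, then append redundancy derived from the message itself."""
    if len(msg) > MSG_MAX:
        raise ValueError("message too long for this key")
    padded = bytes([len(msg)]) + msg.ljust(MSG_MAX, b"\x00")
    shadow = bytes(b ^ 0xFF for b in padded)    # stand-in redundancy
    return int.from_bytes(padded + shadow + TRAILER, "big")

def remove_redundancy(block: int) -> Optional[bytes]:
    """Return the message if the redundancy checks out, else None."""
    if block >> (8 * BLOCK_LEN):                # wider than an encoded block
        return None
    raw = block.to_bytes(BLOCK_LEN, "big")
    padded, shadow, trailer = raw[:5], raw[5:10], raw[10:]
    if trailer != TRAILER or shadow != bytes(b ^ 0xFF for b in padded):
        return None
    n = padded[0]
    if n > MSG_MAX or any(padded[1 + n:]):      # bad length or dirty padding
        return None
    return padded[1:1 + n]

def sign(msg: bytes) -> int:
    return pow(add_redundancy(msg), D, N)

def verify_and_recover(sig: int) -> Optional[bytes]:
    """Only the signature and the public key go in; the message comes out."""
    if not 0 < sig < N:
        return None
    return remove_redundancy(pow(sig, E, N))

def raw_recover(sig: int) -> int:
    """Same public operation without a redundancy check: every input 'verifies'."""
    return pow(sig, E, N)

if __name__ == "__main__":
    s = sign(b"pay7")
    print(verify_and_recover(s))       # recovered message
    print(verify_and_recover(s + 1))   # altered signature is rejected
    print(raw_recover(s + 1))          # without redundancy, some block always comes back
```

`raw_recover` shows what the artificial redundancy is for: without it any integer is accepted as the signature of some block, and the product of two signatures verifies as the product of their blocks.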