
IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography - Description

Abstract: This standard specifies common public-key cryptographic techniques, including mathematical primitives for secret value (key) derivation, public-key encryption, and digital signatures, and cryptographic schemes based on those primitives. It also specifies related cryptographic parameters, public keys, and private keys. The purpose of this standard is to provide a reference for specifications on a variety of techniques from which applications may select.

Keywords: digital signature, encryption, key agreement, public-key cryptography

Content

  • 1. Overview
    • 1.1 Scope
    • 1.2 Purpose
    • 1.3 Organization of the document
      • 1.3.1 Structure of the main document
      • 1.3.2 Structure of the annexes
  • 2. References
  • 3. Definitions
  • 4. Types of cryptographic techniques
    • 4.1 General model
    • 4.2 Primitives
    • 4.3 Schemes
    • 4.4 Additional methods
    • 4.5 Table summary
  • 5. Mathematical conventions
    • 5.1 Mathematical notation
    • 5.2 Bit strings and octet strings
    • 5.3 Finite fields
      • 5.3.1 Prime finite fields
      • 5.3.2 Characteristic two finite fields
    • 5.4 Elliptic curves and points
    • 5.5 Data type conversion
      • 5.5.1 Converting between integers and bit strings (I2BSP and BS2IP)
      • 5.5.2 Converting between bit strings and octet strings (BS2OSP and OS2BSP)
      • 5.5.3 Converting between integers and octet strings (I2OSP and OS2IP)
      • 5.5.4 Converting between finite field elements and octet strings (FE2OSP and OS2FEP)
      • 5.5.5 Converting finite field elements to integers (FE2IP)
  • 6. Primitives based on the discrete logarithm problem
    • 6.1 The DL setting
      • 6.1.1 Notation
      • 6.1.2 DL domain parameters
      • 6.1.3 DL key pairs
    • 6.2 Primitives
      • 6.2.1 DLSVDP-DH
      • 6.2.2 DLSVDP-DHC
      • 6.2.3 DLSVDP-MQV
      • 6.2.4 DLSVDP-MQVC
      • 6.2.5 DLSP-NR
      • 6.2.6 DLVP-NR
      • 6.2.7 DLSP-DSA
      • 6.2.8 DLVP-DSA
  • 7. Primitives based on the elliptic curve discrete logarithm problem
    • 7.1 The EC setting
      • 7.1.1 Notation
      • 7.1.2 EC domain parameters
      • 7.1.3 EC key pairs
    • 7.2 Primitives
      • 7.2.1 ECSVDP-DH
      • 7.2.2 ECSVDP-DHC
      • 7.2.3 ECSVDP-MQV
      • 7.2.4 ECSVDP-MQVC
      • 7.2.5 ECSP-NR
      • 7.2.6 ECVP-NR
      • 7.2.7 ECSP-DSA
      • 7.2.8 ECVP-DSA
  • 8. Primitives based on the integer factorization problem
    • 8.1 The IF setting
      • 8.1.1 Notation
      • 8.1.2 Domain parameters in the IF family
      • 8.1.3 Keys in the IF family
    • 8.2 Primitives
      • 8.2.1 IF private-key operation
      • 8.2.2 IFEP-RSA
      • 8.2.3 IFDP-RSA
      • 8.2.4 IFSP-RSA1
      • 8.2.5 IFVP-RSA1
      • 8.2.6 IFSP-RSA2
      • 8.2.7 IFVP-RSA2
      • 8.2.8 IFSP-RW
      • 8.2.9 IFVP-RW
  • 9. Key agreement schemes
    • 9.1 General model
    • 9.2 DL/ECKAS-DH1
      • 9.2.1 Scheme options
      • 9.2.2 Key agreement operation
    • 9.3 DL/ECKAS-DH2
      • 9.3.1 Scheme options
      • 9.3.2 Key agreement operation
    • 9.4 DL/ECKAS-MQV
      • 9.4.1 Scheme options
      • 9.4.2 Key agreement operation
  • 10. Signature schemes
    • 10.1 General model
    • 10.2 DL/ECSSA
      • 10.2.1 Scheme options
      • 10.2.2 Signature generation operation
      • 10.2.3 Signature verification operation
    • 10.3 IFSSA
      • 10.3.1 Scheme options
      • 10.3.2 Signature generation operation
      • 10.3.3 Signature verification operation
  • 11. Encryption schemes
    • 11.1 General model
    • 11.2 IFES
      • 11.2.1 Scheme options
      • 11.2.2 Encryption operation
      • 11.2.3 Decryption operation
  • 12. Message-encoding methods
    • 12.1 Message-encoding methods for signatures with appendix
      • 12.1.1 EMSA1
      • 12.1.2 EMSA2
    • 12.2 Message-encoding methods for encryption
      • 12.2.1 EME1
  • 13. Key derivation functions
    • 13.1 KDF1
  • 14. Auxiliary functions
    • 14.1 Hash functions
      • 14.1.1 SHA-1
      • 14.1.2 RIPEMD-160
    • 14.2 Mask generation functions
      • 14.2.1 MGF1
  • Annex A Number-theoretic background
    • A.1 Integer and modular arithmetic: overview
      • A.1.1 Modular arithmetic
      • A.1.2 Prime finite fields
      • A.1.3 Composite moduli
      • A.1.4 Modular square roots
    • A.2 Integer and modular arithmetic: algorithms
      • A.2.1 Modular exponentiation
      • A.2.2 The extended Euclidean algorithm
      • A.2.3 Evaluating Jacobi symbols
      • A.2.4 Generating Lucas sequences
      • A.2.5 Finding square roots modulo a prime
      • A.2.6 Finding square roots modulo a power of 2
      • A.2.7 Computing the order of a given integer modulo a prime
      • A.2.8 Constructing an integer of a given order modulo a prime
      • A.2.9 An implementation of IF signature primitives
    • A.3 Binary finite fields: overview
      • A.3.1 Finite fields
      • A.3.2 Polynomials over finite fields
      • A.3.3 Binary finite fields
      • A.3.4 Polynomial basis representations
      • A.3.5 Normal basis representations
      • A.3.6 Checking for a Gaussian normal basis
      • A.3.7 The multiplication rule for a Gaussian normal basis
      • A.3.8 A Multiplication algorithm for a Gaussian normal basis
      • A.3.9 Binary finite fields (continued from A.3.3)
      • A.3.10 Parameters for common key sizes
    • A.4 Binary finite fields: algorithms
      • A.4.1 Squaring and square roots
      • A.4.2 The squaring matrix
      • A.4.3 Exponentiation
      • A.4.4 Division
      • A.4.5 Trace
      • A.4.6 Half-trace
      • A.4.7 Solving quadratic equations over GF (2^m)
    • A.5 Polynomials over a finite field
      • A.5.1 Exponentiation modulo a polynomial
      • A.5.2 GCDs over a finite field
      • A.5.3 Factoring polynomials over GF (p) (special case)
      • A.5.4 Factoring polynomials over GF (2) (special case)
      • A.5.5 Checking polynomials over GF (2^r) for irreducibility
      • A.5.6 Finding a root in GF (2^m) of an irreducible binary polynomial
      • A.5.7 Embedding in an extension field
    • A.6 General normal bases for binary fields
      • A.6.1 Checking for a normal basis
      • A.6.2 Finding a normal basis
      • A.6.3 Computing the multiplication matrix
      • A.6.4 Multiplication
    • A.7 Basis conversion for binary fields
      • A.7.1 The change-of-basis matrix
      • A.7.2 The field polynomial of a Gaussian normal basis
      • A.7.3 Computing the change-of-basis matrix
      • A.7.4 Conversion to a polynomial basis
    • A.8 Bases for binary fields: tables and algorithms
      • A.8.1 Basis table
      • A.8.2 Random search for other irreducible polynomials
      • A.8.3 Irreducibles from other irreducibles
      • A.8.4 Irreducibles of even degree
      • A.8.5 Irreducible trinomials
    • A.9 Elliptic curves: overview
      • A.9.1 Introduction
      • A.9.2 Operations on elliptic curves
      • A.9.3 Elliptic curve cryptography
      • A.9.4 Analogies with DL
      • A.9.5 Curve orders
      • A.9.6 Representation of points
    • A.10 Elliptic curves: algorithms
      • A.10.1 Full addition and subtraction (prime case)
      • A.10.2 Full addition and subtraction (binary case)
      • A.10.3 Elliptic scalar multiplication
      • A.10.4 Projective elliptic doubling (prime case)
      • A.10.5 Projective elliptic addition (prime case)
      • A.10.6 Projective elliptic doubling (binary case)
      • A.10.7 Projective elliptic addition (binary case)
      • A.10.8 Projective full addition and subtraction
      • A.10.9 Projective elliptic scalar multiplication
    • A.11 Functions for elliptic curve parameter and key generation
      • A.11.1 Finding a random point on an elliptic curve (prime case)
      • A.11.2 Finding a random point on an elliptic curve (binary case)
      • A.11.3 Finding a point of large prime order
      • A.11.4 Curve orders over small binary fields
      • A.11.5 Curve orders over extension fields
      • A.11.6 Curve orders via subfields
    • A.12 Functions for elliptic curve parameter and key validation
      • A.12.1 The MOV condition
      • A.12.2 The Weil pairing
      • A.12.3 Verification of cofactor
      • A.12.4 Constructing verifiably pseudo-random elliptic curves (prime case)
      • A.12.5 Verification of elliptic curve pseudo-randomness (prime case)
      • A.12.6 Constructing verifiably pseudo-random elliptic curves (binary case)
      • A.12.7 Verification of elliptic curve pseudo-randomness (binary case)
      • A.12.8 Decompression of y coordinates (prime case)
      • A.12.9 Decompression of y coordinates (binary case)
      • A.12.10 Decompression of x coordinates (binary case)
    • A.13 Class group calculations
      • A.13.1 Overview
      • A.13.2 Class group and class number
      • A.13.3 Reduced class polynomials
    • A.14 Complex multiplication
      • A.14.1 Overview
      • A.14.2 Finding a nearly prime order over GF (p)
      • A.14.3 Finding a nearly prime order over GF (2^m)
      • A.14.4 Constructing a curve and point (prime case)
      • A.14.5 Constructing a curve and point (binary case)
    • A.15 Primality tests and proofs
      • A.15.1 A Probabilistic primality test
      • A.15.2 Testing a randomly generated integer for primality
      • A.15.3 Validating primality of a given integer
      • A.15.4 Proving primality
      • A.15.5 Testing for near primality
      • A.15.6 Generating random primes
      • A.15.7 Generating random primes with congruence conditions
      • A.15.8 Strong primes
    • A.16 Generation and validation of parameters and keys
      • A.16.1 An algorithm for generating DL parameters (prime case)
      • A.16.2 An algorithm for validating DL parameters (prime case)
      • A.16.3 An algorithm for generating DL parameters (binary case)
      • A.16.4 An algorithm for validating DL parameters (binary case)
      • A.16.5 An algorithm for generating DL keys
      • A.16.6 Algorithms for validating DL public keys
      • A.16.7 An algorithm for generating EC parameters
      • A.16.8 An algorithm for validating EC parameters
      • A.16.9 An algorithm for generating EC keys
      • A.16.10 Algorithms for validating EC public keys
      • A.16.11 An algorithm for generating RSA keys
      • A.16.12 An algorithm for generating RW keys
  • Annex B Conformance
    • B.1 General model
    • B.2 Conformance requirements
    • B.3 Examples
      • B.3.1 DLSP-DSA
      • B.3.2 DLSSA signature verification
      • B.3.3 IFSP-RSA2
      • B.3.4 IFSSA signature verification
  • Annex C Rationale
    • C.1 General
      • C.1.1 Why are there three families of cryptographic techniques?
      • C.1.2 Why are primitives and schemes separated?
      • C.1.3 How were the decisions made regarding the inclusion of individual schemes?
      • C.1.4 Why are constraints on key sizes not specified?
      • C.1.5 Why are message-encoding methods for encryption and signature needed?
      • C.1.6 Why are key derivation functions needed?
      • C.1.7 Why are data formats for input/output, keys, and domain parameters not normative?
    • C.2 Keys and domain parameters
      • C.2.1 Why have two types of fields for the DL and EC families?
      • C.2.2 Why allow multiple representations for GF (2^m)?
    • C.3 Schemes
      • C.3.1 For the DL and EC families, why have three key agreement schemes (-DH1, -DH2, and -MQV)?
      • C.3.2 For the DL and EC families, why have the “compatibility” option for the DHC and MQVC primitives?
      • C.3.3 For the EC and DL families, why have both DSA and NR signature schemes with appendix?
      • C.3.4 For the DL and EC families, why are there no signature schemes with message recovery?
      • C.3.5 For the DL and EC families, why are there no encryption schemes?
      • C.3.6 For the IF family, why have both RSA and RW signature schemes?
      • C.3.7 For the IF family, why are there no signature schemes with message recovery?
      • C.3.8 For the IF family, why are there no key agreement schemes?
  • Annex D Security considerations
    • D.1 Introduction
    • D.2 General principles
    • D.3 Key management considerations
      • D.3.1 Generation of domain parameters and keys
      • D.3.2 Authentication of ownership
      • D.3.3 Validation of domain parameters and keys
      • D.3.4 Cryptoperiod and protection lifetime of domain parameters and keys
      • D.3.5 Usage restrictions
      • D.3.6 Storage and distribution methods
    • D.4 Family-specific considerations
      • D.4.1 DL Family
      • D.4.2 EC family
      • D.4.3 IF family
    • D.5 Scheme-specific considerations
      • D.5.1 Key agreement schemes
      • D.5.2 Signature schemes
      • D.5.3 Encryption schemes
    • D.6 Random number generation
      • D.6.1 Random seed
      • D.6.2 Pseudo-random bit generation
    • D.7 Implementation considerations
  • Annex E Formats
    • E.1 Overview
    • E.2 Representing basic data types as octet strings
      • E.2.1 Integers (I2OSP and OS2IP)
      • E.2.2 Finite field elements (FE2OSP and OS2FEP)
      • E.2.3 Elliptic curve points (EC2OSP and OS2ECP)
      • E.2.4 Polynomials over GF (2) (PN2OSP and OS2PNP)
    • E.3 Representing outputs of schemes as octet strings
      • E.3.1 Output data format for DL/ECSSA
      • E.3.2 Output data format for IFSSA
      • E.3.3 Output data format for IFES
  • Annex F Bibliography

Copyright ©2004 IEEE-SA
URL: http://standards.ieee.org/reading/ieee/std_public/description/busarch/1363-2000_desc.html
