Beruflich Dokumente
Kultur Dokumente
X9.632001
Public Key Cryptography for the Financial Services
Industry
Key Agreement and Key Transport Using Elliptic
Curve Cryptography
Secretariat:
Accredited Standards Committee X9, Inc.
Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Foreword
Business practice has changed with the introduction of computer-based technologies. The
substitution of electronic transactions for their paper-based predecessors has reduced costs and
improved efficiency. Trillions of dollars in funds and securities are transferred daily by
telephone, wire services, and other electronic communication mechanisms. The high value or
sheer volume of such transactions within an open environment exposes the financial community
and its customers to potentially severe risks from the accidental or deliberate disclosure,
alteration, substitution, or destruction of data. These risks are compounded by interconnected
networks, and the increased number and sophistication of malicious adversaries. Electronically
communicated data may be secured through the use of symmetrically keyed encryption
algorithms (e.g. ANSI X9.52, Triple-DEA) in combination with public-key cryptography-based
key management techniques.
This standard, X9.63-2001, Public Key Cryptography For The Financial Services Industry: Key
Agreement and Key Transport Using Elliptic Curve Cryptography, defines a suite of
mechanisms designed to facilitate the secure establishment of cryptographic data for the keying
of symmetrically keyed algorithms (e.g. DEA, TDEA). These mechanisms are based on the
elliptic curve analogue of the Diffie-Hellman key agreement mechanism [4]. Because the
mechanisms are based on the same fundamental mathematics as the Elliptic Curve Digital
Signature Algorithm (ECDSA) (see [7]), additional efficiencies and functionality may be
obtained by combining these and other cryptographic techniques.
While the techniques specified in this standard are designed to facilitate key management
applications, the standard does not guarantee that a particular implementation is secure. It is the
responsibility of the financial institution to put an overall process in place with the necessary
controls to ensure that the process is securely implemented. Furthermore, the controls should
include the application of appropriate audit tests in order to verify compliance.
The users attention is called to the possibility that compliance with this standard may require the
use of an invention covered by patent rights. By publication of this standard, no position is taken
with respect to the validity of potential claims or of any patent rights in connection therewith.
The patent holders have, however, filed a statement of willingness to grant a license under these
rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to obtain
such a license. Details may be obtained from the X9 Secretariat,
Copyright 2001 by Accredited Standards Committee X9, Inc.
All rights reserved.
No part of this publication may be reproduced in any form, in an electronic retrieval system or
otherwise, without prior written permission of the publisher. Printed in the United States of
America
-iLicensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Suggestions for the improvement or revision of this standard are welcome. They should be sent
to Accredited Standards Committee X9, Inc., P.O. Box 4035, Annapolis, Maryland, 21403
USA.
This standard was processed and approved for submittal to ANSI by the Accredited Standards
Committee on Financial Services, X9. Committee approval of the standard does not necessarily
imply that all the committee members voted for its approval.
At the time that this standard was approved, the X9 Committee had the following members:
Harold G. Deal, X9 Chairman, BB&T
Vincent DeSantis, X9 Vice Chairman, New York Clearing House
Cynthia L. Fuller, Managing Director
Darlene J. Schubert, Program Manager
The X9 committee had the following members:
Organization
Representative
ANSI X9.63-2001
ANSI X9.63-2001
Organization Represented
Representative
ANSI X9.63-2001
ANSI X9.63-2001
- vi Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Organization
Representative
- vii Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Contents
SCOPE ............................................................................................................................................................... 1
GENERAL............................................................................................................................... ........................ 13
THE SCHEMES IN THIS STANDARD ................................................................................................................. 13
IMPLEMENTING THE SCHEMES SECURELY ..................................................................................................... 14
ANNEXES....................................................................................................................................................... 15
- viii Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
- ix Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
8.5.4
Combined Unified Model with Key Confirmation Scheme................................................................ 105
8.5.5
1-Pass Unified Model Scheme .......................................................................................................... 106
8.5.6
Full Unified Model Scheme............................................................................................................... 106
8.5.7
Full Unified Model with Key Confirmation Scheme ......................................................................... 107
8.5.8
Station-to-Station Scheme ................................................................................................................. 107
8.5.9
1-Pass MQV Scheme......................................................................................................................... 108
8.5.10 Full MQV Scheme ............................................................................................................................. 108
8.5.11 Full MQV with Key Confirmation Scheme........................................................................................ 108
8.5.12 1-Pass Key Transport Scheme .......................................................................................................... 108
8.5.13 3-Pass Key Transport Scheme .......................................................................................................... 109
8.6 KEY DERIVATION SYNTAX .......................................................................................................................... 109
8.7 ASN.1 MODULE .......................................................................................................................................... 111
ANNEX A (NORMATIVE) NORMATIVE NUMBER-THEORETIC ALGORITHMS.................................. 118
A.1 AVOIDING CRYPTOGRAPHICALLY WEAK CURVES ...................................................................................... 118
A.1.1 The MOV Condition .......................................................................................................................... 118
A.1.2 The Anomalous Condition................................................................................................................. 119
A.2 PRIMALITY ............................................................................................................................... ................... 119
A.2.1 A Probabilistic Primality Test............................................................................................ ............... 119
A.2.2 Checking for Near Primality............................................................................................................. 120
A.3 ELLIPTIC CURVE ALGORITHMS ................................................................................................................... 121
A.3.1 Finding a Point of Large Prime Order ............................................................................................. 121
A.3.2 Selecting an Appropriate Curve and Point ....................................................................................... 121
A.3.3 Selecting an Elliptic Curve Verifiably at Random ............................................................................ 123
A.3.4 Verifying that an Elliptic Curve was Generated at Random............................................................. 124
A.4 PSEUDORANDOM NUMBER GENERATION .................................................................................................... 126
A.4.1 Algorithm Derived from FIPS 186 ........................................................................................... ......... 126
ANNEX B (INFORMATIVE) MATHEMATICAL BACKGROUND ................................................................ 128
B.1 THE FINITE FIELD FP ................................................................................................................................... 128
B.2 THE FINITE FIELD F2M.................................................................................................................................. 129
B.2.1 Polynomial Bases.............................................................................................................................. 129
B.2.2 Trinomial and Pentanomial Bases .................................................................................................... 132
B.2.3 Normal Bases .................................................................................................................................... 132
B.2.4 Gaussian Normal Bases .................................................................................................................... 133
B.3 ELLIPTIC CURVES OVER FP .......................................................................................................................... 134
B.4 ELLIPTIC CURVES OVER F2M ........................................................................................................................ 136
ANNEX C (INFORMATIVE) TABLES OF TRINOMIALS, PENTANOMIALS, AND GAUSSIAN NORMAL
BASES...................................................................................................................................................................... 140
C.1
C.2
C.3
C.4
-xLicensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
- xi Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
J.2
- xii Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Figures
Figure 1 Data Types and Conversion Conventions.................................................................... 24
Figure 2 - Ephemeral Unified Model Scheme...............................................................................48
Figure 3 - 1-Pass Diffie-Hellman Scheme.....................................................................................50
Figure 4 - Static Unified Model Scheme.......................................................................................53
Figure 5 - Combined Unified Model with Key Confirmation Scheme.........................................55
Figure 6 - 1-Pass Unified Model Scheme......................................................................................60
Figure 7 - Full Unified Model Scheme..........................................................................................63
Figure 8 - Full Unified Model with Key Confirmation Scheme....................................................66
Figure 9 - Station-to-Station Scheme.............................................................................................71
Figure 10 - 1-Pass MQV Scheme..................................................................................................76
Figure 11 - Full MQV Scheme......................................................................................................79
Figure 12 - Full MQV with Key Confirmation Scheme................................................................82
Figure 13 - 1-Pass Key Transport Scheme....................................................................................88
Figure 14 - 3-Pass Key Transport Scheme....................................................................................91
- xiii Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
Tables
Table C-1 The type of GNB that shall be used for F2m. ........................................................... 140
Table C-2 Irreducible trinomials xm + xk + 1 over F2................................................................ 142
Table C-3 Irreducible pentanomials xm + xk3 + xk2 + xk1 + 1 over F2. ...................................... 143
Table C-4 Values of m for which the field F2m has both an ONB and a TPB over F2............. 144
Table G-1 Fp* and E(Fq) Group Information............................................................................ 181
Table G-2 Comparison of Notation in ANSI X9.42 and ANSI X9.63 .................................... 181
Table G-3 ANSI X9.42 and ANSI X9.63 Setup ...................................................................... 182
Table G-4 ANSI X9.42 and ANSI X9.63 Key Generation ...................................................... 183
Table G-5 Comparison of the Full Unified Model Scheme ..................................................... 183
Table H-1 - Computing power required to compute logarithms with the Pollard- method...... 186
Table H-2 Attributes Provided by Key Establishment Schemes.............................................. 194
Table H-3 Guidelines on Aligning Elliptic Curve Size and Symmetric Key Size................... 197
Table H-4 - Validation Methods and the Risks they Mitigate .................................................... 203
- xiv Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Scope
2.1
addition rule
An addition rule describes the addition of two elliptic curve points P1 and P2 to produce a third
elliptic curve point P3. (See Annexes B.3 and B.4.)
associate value
Given an elliptic curve point and corresponding elliptic curve parameters, the associate value is
an integer associated with the point. (See Section 5.6.1.)
asymmetric cryptographic algorithm
A cryptographic algorithm that uses two related keys, a public key and a private key; the two
keys have the property that, given the public key, it is computationally infeasible to derive the
private key.
-1Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
auxiliary function
An auxiliary function is a transformation that forms part of a cryptographic scheme but is
auxiliary rather than central to the goal of the scheme.
base point (G)
A selected point on an elliptic curve of large prime order n.
basis
A representation of the elements of the finite field F2m. Two special kinds of basis are polynomial
basis and normal basis. (See Annex B.2.)
binary polynomial
A polynomial whose coefficients are in the field F2. When adding, multiplying, or dividing two
binary polynomials, the coefficient arithmetic is performed modulo 2.
bit string
A bit string is an ordered sequence of 0s and 1s.
certificate
The public key and identity of an entity together with some other information, that is rendered
unforgeable by signing the certificate with the private key of the Certification Authority which
issued that certificate. In this Standard, the term certificate will mean a public-key certificate.
Certification Authority (CA)
A Center trusted by one or more entities to create and assign certificates.
challenge
Data sent from entity U to entity V during an execution of a protocol that, in part, determines Vs
response. In this Standard, challenges will be bit strings at least 80 bits in length.
characteristic of a finite field
If a finite field has 2m elements, its characteristic is 2. If a finite field has p elements, where p is
prime, its characteristic is p.
characteristic 2 finite field
A finite field containing 2m elements, where m 1 is an integer. In this Standard, only
characteristic 2 fields containing 2m elements with m prime are used.
cofactor
The integer h = #E(Fq)/n, where #E(Fq) is the order of the elliptic curve E, and n is the order of
the base point.
compressed form
Octet string representation for an elliptic curve point using the point compression technique
described in Section 4.2. (See also Section 4.3.6.)
cryptographic hash function
A (mathematical) function which maps values from a large (possibly very large) domain into a
smaller range. The function satisfies the following properties:
1.
(one-way) it is computationally infeasible to find any input that maps to any pre-specified
output;
-2Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
(collision free) it is computationally infeasible to find any two distinct inputs that map to
the same output.
2.
3.
cryptographic protocol
A cryptographic scheme in which an ordered sequence of sets of data is passed between two
entities during an ordinary operation of the scheme.
cryptographic scheme
A cryptographic scheme consists of an unambiguous specification of a set of transformations that
are capable of providing a cryptographic service when properly implemented and maintained.
cryptography
The discipline that embodies principles, means and methods for the transformation of data in
order to hide its information content, prevent its undetected modification, prevent its
unauthorized use, or a combination thereof.
cryptoperiod
The time span during which a specific key is authorized for use or in which the keys for a given
system may remain in effect.
cyclic group
The group of points E(Fq) is said to be cyclic if there exists a point PE(Fq) of order n, where n
= #E(Fq). In this case, E(Fq) = {kP: 0 k n-1}, i.e. E(Fq) can be expressed as the set of all
scalar multiples of P.
data confidentiality
The assurance provided to entity U that data is unintelligible to entities other than U and V.
data integrity
The assurance provided to entity U that data has not been modified by entities other than U and
V.
data origin authentication
The assurance provided to entity U that data is from V.
digital signature
The result of a cryptographic transformation of data that, when properly implemented, provides
the services of:
1.
origin authentication,
2.
ANSI X9.63-2001
ANSI X9.63-2001
signer non-repudiation.
EC
Elliptic curve.
ECDLP
Elliptic Curve Discrete Logarithm Problem. (See Annex H.)
ECDSA
Elliptic Curve Digital Signature Algorithm.
elliptic curve
An elliptic curve over Fq is a set of points that satisfy a certain equation specified by two
parameters a and b, which are elements of the field Fq. (See Section 4.2.)
elliptic curve key pair (Q, d)
Given particular elliptic curve domain parameters, an elliptic curve key pair consists of an
elliptic curve public key (Q) and the corresponding elliptic curve private key (d).
elliptic curve private key (d)
Given particular elliptic curve domain parameters, an elliptic curve private key, d, is a
statistically unique and unpredictable integer in the interval [1, n-1], where n is the prime order
of the base point G.
elliptic curve public key (Q)
Given particular elliptic curve domain parameters, and an elliptic curve private key d, the
corresponding elliptic curve public key, Q, is the elliptic curve point Q = dG, where G is the base
point. Note that Q will never equal O, since 1 d n-1.
elliptic curve domain parameters
Elliptic curve domain parameters are comprised of a field size q, an indication FR of the basis
used (in the case q = 2m), an optional SEED, two elements a, b in Fq that define an elliptic curve
E over Fq, a point G = (xG,yG) of prime order in E(Fq), the order n of G, and the cofactor h.
See Sections 5.1.1.1 and 5.1.2.1 for a complete specification of elliptic curve domain parameters.
elliptic curve point
If E is an elliptic curve defined over a field Fq, then an elliptic curve point P is either: a pair of
field elements (xP, yP) (where xP, yP Fq) such that the values x = xP and y = yP satisfy the
equation defining E, or a special point O called the point at infinity. O is the identity element of
the elliptic curve group.
encryption scheme
An encryption scheme is a cryptographic scheme capable of providing data confidentiality.
entity
A party involved in the operation of a cryptographic system.
entity authentication
The assurance provided to entity U that entity U has been involved in a real-time communication
with entity V.
-4Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
ephemeral
Ephemeral data is relatively short-lived. In this Standard, ephemeral data is data specific to one
execution of a cryptographic scheme.
explicit key authentication
The assurance provided to entity U that only entities U and V are possibly capable of computing
the session key and that the entities U and V are actually capable of computing the session key.
forward secrecy
The assurance provided to an entity U that the session key established between entities U and V
will not be compromised by the compromise of either entitys static private key in the future.
Also known as perfect forward secrecy.
Gaussian normal basis (GNB)
A type of normal basis that can be used to represent the elements of the finite field F2m. (See
Section 4.1.2.2.)
hash function
See cryptographic hash function.
hash value
The result of applying a cryptographic hash function to a bit string.
hybrid form
Octet string representation for both the compressed and uncompressed forms of an elliptic curve
point. (See Section 4.3.6.)
implicit key authentication
The assurance provided to entity U that only entities U and V are possibly capable of computing
the session key.
initiator
An entity involved in an operation of a protocol that sends the first exchange of the protocol.
irreducible binary polynomial
A binary polynomial f(x) is irreducible if it cannot be factored into a product of two or more
binary polynomials, each of degree less than the degree of f(x).
key
See cryptographic key.
key agreement scheme
A key agreement scheme is a key establishment scheme in which the keying data established is a
function of contributions provided by both entities in such a way that neither party can
predetermine the value of the keying data.
key-compromise impersonation resilience
The assurance provided to entity U during an execution of a key establishment scheme that the
compromise of Us static private key has not enabled the impersonation of V to U.
key confirmation
The addition of flows to a key establishment scheme providing implicit key authentication so
that explicit key authentication is provided.
-5Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
ANSI X9.63-2001
ANSI X9.63-2001
order of a point
The order of a point P is the smallest positive integer n such that nP = O (the point at infinity).
owner
The entity whose identity is associated with a private/public key pair.
pass
A pass in a protocol is a set of data sent from entity U to entity V or received by U from V at a
particular stage of an operation of the protocol.
pentanomial
A polynomial of the form xm + xk3 +xk2 +xk1+ 1, where 1 k1 < k2 < k3 m-1.
pentanomial basis (PPB)
A type of polynomial basis that can be used to represent the elements of the finite field F2m. (See
Annex B.2.2.)
point compression
Point compression allows a point P = (xP, yP) to be represented compactly using xP and a single
additional bit ~
y P derived from xP and yP.(See Section 4.2.)
polynomial basis (PB)
A type of basis that can be used to represent the elements of the finite field F2m. (See Annex
B.2.1.)
prime finite field
A finite field containing p elements, where p is an odd prime number.
private key
In an asymmetric (public-key) system, that key of an entitys key pair that is known only by that
entity.
protocol
See cryptographic protocol.
public key
In an asymmetric (public-key) system, that key of an entitys key pair that is publicly known.
reduction polynomial
The irreducible binary polynomial f(x) of degree m that is used to determine a polynomial basis
representation of F2m.
responder
An entity involved in an operation of a protocol that does not send the first flow of the protocol.
scalar multiplication
If k is a positive integer, then kP denotes the point obtained by adding together k copies of the
point P. The process of computing kP from P and k is called scalar multiplication.
SEED
Random value input into a pseudo-random bit generator (PRBG) or pseudo-random number
generator (PRNG) algorithm.
-7Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
session key
A key established by a key establishment scheme.
shared secret value
An intermediate value in a key establishment scheme from which keying data is derived.
signature scheme
A signature scheme is a cryptographic scheme capable of providing data origin authentication,
data integrity, and non-repudiation.
static
Static data is relatively long-lived. In this Standard, static data is data common to a number of
executions of a cryptographic scheme.
statistically unique
For the generation of n-bit quantities, the probability of two values repeating is less than or equal
to the probability of two n-bit random quantities repeating. Thus, an element chosen from a finite
set of 2n elements is said to be statistically unique if the process that governs the selection of this
element provides a guarantee that for any integer L2n the probability that all of the first L
selected elements are different is no smaller than the probability of this happening when the
elements are drawn uniformly at random from the set. The latter probability is equal to
(2n!)/((2n-L)!2nL).
symmetric cryptographic scheme
A cryptographic scheme in which each transformation is controlled by the same key.
trinomial
A polynomial of the form xm + xk + 1, where 1 k m-1.
trinomial basis (TPB)
A type of polynomial basis that can be used to represent the elements of the finite field F2m. (See
Annex B.2.2.)
type I ONB
A kind of optimal normal basis. (See Section 4.1.2.2.)
type II ONB
A kind of optimal normal basis. (See Section 4.1.2.2.)
uncompressed form
Octet string representation for an uncompressed elliptic curve point. (See Section 4.3.6.)
unknown key-share resilience
The assurance provided to entity U that, if entities U and V share a session key, V does not
mistakenly believe the session key is shared with an entity other than U.
valid elliptic curve domain parameters
A set of elliptic curve domain parameters that have been validated using the method specified
in Section 5.1.1.2 or Section 5.1.2.2.
XOR
Bitwise exclusive-or (also bitwise addition mod 2) of two bit strings of the same bit length.
-8Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
x-coordinate
The x-coordinate of an elliptic curve point, P =(xP, yP), is xP.
y-coordinate
The y-coordinate of an elliptic curve point, P =(xP, yP), is yP.
2.2
x, x
[X]
Indicates that the inclusion of the bit string or octet string X is optional.
[x, y]
x mod n
a, b
avf(P)
MOV threshold. A positive integer B such that taking discrete logarithms over
FqB is at least as difficult as taking elliptic curve logarithms over Fq. For this
Standard, B shall be 20.
E(Fq)
The set of all points on an elliptic curve E defined over Fq and including the point
at infinity O.
#E(Fq)
If E is defined over Fq, then #E(Fq) denotes the number of points on the curve
(including the point at infinity O). #E(Fq) is called the order of the curve E.
ANSI X9.63-2001
ANSI X9.63-2001
F2m
Fp
Fq
The finite field containing q elements. For this Standard, q shall either be an odd
prime number (q = p, p > 3) or a power of 2 (q = 2m).
FR
Field representation indicator. An indication of the basis used for representing the
elements of Fq. FR is NULL if the field is Fp, or F2m with a GNB representation. If
the field is F2m with a polynomial basis representation, then FR is the reduction
polynomial (a trinomial or a pentanomial).
gcd(x, y)
h = #E(Fq)/n, where n is the order of the base point G. h is called the cofactor.
lmax
log2 x
mod
Modulo.
mod f(x)
Arithmetic modulo the polynomial f(x). If f(x) is a binary polynomial, then all
coefficient arithmetic is performed modulo 2.
mod n
The order of the base point G. For this Standard, n shall be greater than 2160 and
greater than 4 q , and shall be a prime number. n is the primary security
parameter. See Annex H for more information.
A special point on an elliptic curve, called the point at infinity. This is the additive
identity of the elliptic curve group.
An EC point.
ANSI X9.63-2001
ANSI X9.63-2001
rmin
Lower bound on the desired (prime) order n of the base point G. For this Standard
rmin shall be >2160.
In the probabilistic primality test (Annex A.2.1), the number of independent test
rounds to execute. For this Standard, T shall be 50.
Tr
U, V, U1, U2
xP
||X||
X||Y
Concatenation of two strings X and Y. Both X and Y are either bit strings, or octet
strings.
XY
Bitwise exclusive-or (also bitwise addition mod 2) of two bit strings X and Y of
the same bit length.
yP
~
yP
z or Z
Zp
Subscript notation is used to indicate the association of a value to a particular entity, to indicate
the life expectancy of a value, or to indicate the association of a value to a particular scheme. For
example:
Occasionally, subscript notation is also used to indicate a counter value associated with some
data, or to indicate the base in which a particular value is being expressed if there is some
possibility of ambiguity. For example, Hash1 denotes the value of Hashi when the counter i has
value 1, and 0116 denotes that the value 01 is written in hexadecimal.
- 11 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
With the exception of notation that has been well-established in other documents, where possible
in this Standard, capital letters will be used in variable names that denote bit strings or octet
strings, and capital letters will be excluded from variable names that denote field elements or
integers. For example, d is used to denote the integer that specifies an EC private key, and
MacData is used to denote the bit string to be tagged using a MAC scheme.
Primed variables denote variables that have been received and whose validity may not have been
verified. For example, MacTag denotes the purported tag on MacData, and Qe,V denotes the
purported ephemeral EC public key of entity V.
2.3
Normative References
The following standards contain provisions that, through reference in this text, constitute
provisions of this American National Standard. At the time of publication, the editions indicated
were valid. All standards are subject to revision, and parties to agreements based on this
American National Standard are encouraged to investigate the possibility of applying the most
recent editions of the standards indicated below. Accredited Standards Committee X9 (ASC X9)
maintains a register of currently valid financial industry standards.
1.
2.
3.
ANSI X9.30-1993, Part 2: Public Key Cryptography Using Irreversible Algorithms for
the Financial Services Industry: The Secure Hash Algorithm 1 (SHA-1) (Revised).
4.
ANSI X9.62-1999, Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA).
5.
6.
7.
8.
9.
10.
ANSI X9.63-2001
ANSI X9.63-2001
11.
Application
3.1
General
The explosion in the use of electronic media to expedite commerce and financial transactions in
recent years has led to the need for well-established cryptographic schemes that can provide
services such as data integrity and data confidentiality.
Symmetric schemes such as Triple DEA make an attractive choice for the provision of these
services - systems using symmetric techniques are efficient, and their security requirements are
well-understood. Furthermore, these schemes have been standardized (for example in [1] and
[2]) to facilitate interoperability between systems.
However, the major drawback with the implementation of such schemes is that any two
communicating entities must establish a shared secret key in advance. As the size of a system or
the number of entities using a system explodes, this can lead to a key management problem.
An attractive solution to this key management problem is for a system to employ asymmetric
techniques that allow any pair of entities to establish a shared secret key suitable for use by a
symmetric scheme despite the fact that the two entities may never have previously engaged in a
secure communication together.
Such asymmetric techniques are known as asymmetric key establishment schemes.
3.2
This Standard specifies asymmetric key establishment schemes. Both key agreement and key
transport schemes are specified. The operation of each of the schemes employs arithmetic
operations in the group of points on an elliptic curve defined over a finite field.
The asymmetric key establishment schemes in this Standard are used by an entity U who wishes
to establish a symmetric key with another entity V. Each entity has an EC key pair. If U and V
simultaneously execute a scheme with corresponding keying material as input, then at the end of
the execution of the scheme, U and V will share keying data. The keying data can then be used to
supply keys for symmetric algorithms. The precise method used to supply keys for symmetric
algorithms from the keying data (for example setting parity bits or supplying three keys for
Triple DEA) is beyond the scope of this Standard.
- 13 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
This Standard specifies a variety of asymmetric key establishment schemes. Each of the
mechanisms, when implemented securely and embedded within a cryptographic system in an
appropriate manner, is capable of providing two entities with a shared secret key suitable for use
in symmetric algorithms like Triple DEA.
A variety of schemes are specified because of the wide variety of services that it may or may not
be desirable for a key establishment scheme to provide, depending on the environment in which
the scheme is going to be used. The secret key may be agreed upon by both entities or
transported from one entity to the other. Known-key security may be more or less desirable. Any
combination of the services of entity authentication, key-compromise impersonation, and
forward secrecy may be required. These are implementation specific decisions that this Standard
attempts to facilitate.
However, this Standard recommends that any implementation of the schemes specified provides
explicit key authentication of any key established using the key establishment schemes. Many of
the schemes specified here do not directly provide explicit key authentication, and thus, these
schemes should be embedded in systems in such a way that explicit key authentication is
additionally provided unless it is determined that explicit key authentication is not required. For
each of the schemes specified here, one extension of the scheme supplying key confirmation is
provided as an example of how explicit key confirmation may be provided. Further examples can
be found in ANSI X9.70 [8].
In the specification of each of the schemes, equivalent computations that result in identical
output are allowed.
The schemes in this Standard employ other cryptographic transformations in their operation. The
transformations used are: the DEA-based MAC specified in [2], the Triple Data Encryption
Algorithm (TDEA) specified in [5], the Secure Hash Algorithm (SHA-1) specified in [3], the
Elliptic Curve Digital Signature Algorithm (ECDSA) specified in [7], and HMAC specified in
[9].
3.3
During the description of each scheme specified in this Standard, a list of prerequisites for the
operation of the scheme is given. These prerequisites must be satisfied by any implementation of
the scheme.
Two common prerequisites for the implementation of schemes in this Standard are that: (1) all
entities involved in the use of the schemes are provided with an authentic copy of the elliptic
curve parameters being used; and (2) that every entity can obtain a genuine copy of every other
entitys static public key. The latter binding between an entity and its static public key may be
accomplished by using a Certification Authority that generates a certificate in accordance with
the procedures specified in [6]. The binding between an entity and its static public key shall
include checking that the entity possesses the corresponding private key. (The process of
checking that an entity possesses its private key is often known as proof of possession.)
- 14 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
However, satisfying the stated prerequisites is not enough to ensure the security of an
implementation.
The secure implementation of the schemes in this Standard is also dependent upon:
1.
2.
3.
Note that this includes the secure destruction of any ephemeral values involved in the operation
of a scheme. Note also, however, that the effect of some of the most common breaches in the
above requirements may be minimized by the selection of an appropriate scheme that provides,
for example, the service of forward secrecy or known-key security.
Finally, the secure implementation of the schemes does not guarantee the security of the
operation of the implementation. It is the responsibility of the system manager to put an overall
process in place with the necessary controls to ensure secure operations. The controls should
include the application of appropriate audit tests in order to verify compliance with this Standard.
3.4
Annexes
The annexes to this Standard provide additional requirements and information on the schemes
and primitives specified in this Standard and their implementation.
The following normative annex is an integral part of the standard which, for reasons of
convenience, is placed after all other normative elements.
Annex
A
Contents
Normative Number-Theoretic Algorithms
The following informative annexes give additional information that may be useful to
implementers of this Standard.
- 15 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex
Contents
Mathematical Background
Security Considerations
Examples
References
Mathematical Conventions
This section describes certain conventions that shall be used for the representation of
mathematical objects such as finite field elements (Section 4.1), and elliptic curves and elliptic
curve points (Section 4.2). Section 4.3 contains methods for data type conversions.
Throughout this section implementations with different internal representations that produce
equivalent results are allowed.
4.1
This section describes the representations that shall be used for the purposes of conversion for
the elements of the underlying finite field Fq. For this Standard, q shall either be an odd prime (q
= p, p > 3) or a prime power of 2 (q = 2m, m prime).
Mathematics background and examples are provided in Annex B.
- 16 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
3.
The addition of field elements is integer addition modulo p: that is, if a, bFp, then a + b
= (a + b) mod p.
4.
The multiplication of field elements is integer multiplication modulo p: that is, if a, bFp,
then ab = (ab) mod p.
4.1.2.1
ANSI X9.63-2001
ANSI X9.63-2001
{xm-1, xm-2, , x,1} forms a basis of F2m over F2, called a polynomial basis. The elements of F2m
are the bit strings of a bit length which is exactly m. A typical element a F2m is represented by
the bit string a = (am-1am-2 a1a0), which corresponds to the polynomial a(x) = am-1xm-1 + am-2xm-2
++ a1x + a0.
1.
The multiplicative identity element (1) is represented by the bit string (00001).
2.
The additive identity or zero element (0) is represented by the bit string of all 0s.
3.
The addition of two field elements is accomplished by XORing the bit strings.
4.
The multiplication of field elements a and b is defined as follows. Let r(x) be the
remainder polynomial obtained upon dividing the product of the polynomials a(x) and
b(x) by f(x) over F2 (i.e. the coefficient arithmetic is performed modulo 2). Then ab is
defined to be the bit string corresponding to the polynomial r(x).
See Annex B.2.1 for further details and an example of a polynomial basis representation.
A trinomial over F2 is a polynomial of the form xm + xk + 1, where 1 k m-1. A pentanomial
over F2 is a polynomial of the form xm + xk3 + xk2 + xk1 + 1 where 1 k1 < k2 < k3 m-1.
A trinomial basis representation of F2m is a polynomial basis representation determined by an
irreducible trinomial f(x) = xm + xk + 1 of degree m over F2. Such trinomials only exist for
certain values of m. Table C-2 in Annex C lists an irreducible trinomial of degree m over F2 for
each prime m, 160 m 2000, for which an irreducible trinomial of degree m exists. For each
such m, the table lists the smallest k for which xm + xk + 1 is irreducible over F2.
A pentanomial basis representation of F2m is a polynomial basis representation determined by an
irreducible pentanomial f(x) = xm + xk3 + xk2 + xk1 + 1 of degree m over F2. Such pentanomials
exist for all values of m 4. Table C-3 in Annex C lists an irreducible pentanomial of degree m
over F2 for each prime m, 160 m 2000, for which an irreducible trinomial of degree m does
not exist. For each such m, the table lists the triple (k1, k2, k3) for which (i) xm + xk3 + xk2+ xk1 + 1
is irreducible over F2; (ii) k3 is as small as possible; (iii) for this particular value of k3, k2 is as
small as possible; and (iv) for these particular values of k3 and k2, k1 is as small as possible.
If a polynomial basis representation is used for F2m where there exists an irreducible
trinomial of degree m over F2, then the reduction polynomial f(x) shall be an irreducible
trinomial of degree m over F2. To maximize the chances for interoperability, the
reduction polynomial used should be xm + xk + 1 for the smallest possible k. Examples of
such polynomials are given in Table C-2 in Annex C.
2.
If a polynomial basis representation is used for F2m where there does not exist an
irreducible trinomial of degree m over F2, then the reduction polynomial f(x) shall be an
- 18 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
4.1.2.2
>
m1
C, where F
2m.
Normal basis representations have the computational advantage that squaring an element can be
done very efficiently (see Annex B.2.3). Multiplying distinct elements, on the other hand, can be
cumbersome in general. For this reason, it is common to use a class of normal bases, called
Gaussian normal bases, for which multiplication is both simpler and more efficient.
Gaussian normal bases (GNB) for F2m exist whenever m is not divisible by 8. The type of a
Gaussian normal basis is a positive integer measuring the complexity of the multiplication
operation with respect to that basis. Generally speaking, the smaller the type, the more efficient
the multiplication. For a given m and T, the field F2m can have at most one Gaussian normal basis
of type T. Thus, it is proper to speak of the type T Gaussian normal basis over F2m.
The Gaussian normal bases of types 1 and 2 have the most efficient multiplication rules of all
normal bases. For this reason, they are called optimal normal bases. The type 1 Gaussian normal
bases are called Type I optimal normal bases, and the type 2 Gaussian normal bases are called
Type II optimal normal bases. (Note that Type I optimal normal bases cannot exist over F2m, m
odd, as in this Standard.)
The elements of the finite field F2m are the bit strings of length exactly m bits. A typical element
a F2m is represented by the bit string a = (a0a1am-2am-1).
1.
The multiplicative identity element (1) is represented by the bit string of all 1s.
2.
The additive identity element or zero element (0) is represented by the bit string of all
0s.
3.
The addition of two field elements is accomplished by XORing the bit strings.
4.
- 19 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Table C-1 in Annex C lists the type of the GNB that shall be used for F2m for each prime m, 160
m 2000.
4.1.2.2.1
For any (odd) prime m, the following algorithm tests for the existence of a Gaussian normal basis
for F2m of a given type.
Input: A prime integer m > 2; an even positive integer T.
Output: If a type T Gaussian normal basis for F2m exists, the message true; otherwise, false.
1.
Set p = Tm + 1.
2.
If p is not prime, then output false and stop. (See Annex A.2.1.)
3.
4.
Set h = Tm / k.
5.
6.
4.1.2.2.2
The following procedure produces the rule for multiplication with respect to a given Gaussian
normal basis.
Input: A prime integer m > 2 and an integer T for which there exists a type T Gaussian normal
basis B for F2m.
Output: An explicit formula c0 = F (a, b) for the first coordinate of the product of two elements
a and b with respect to B.
1.
Set p = Tm + 1.
2.
3.
Set w = 1.
3.2
For j from 0 to T1 do
- 20 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
3.2.1
Set n = w.
3.2.2
For i from 0 to m1 do
3.2.2.1 Set F (n) = i.
3.2.2.2 Set n = 2n mod p.
3.2.3
4.
Set w = uw mod p.
c0 = F(a, b) =
a 0
k =1
4.1.2.2.3
5 bF 0 p k 5
F k +1
The formula given in Section 4.1.2.2.2 for c0 can be used to multiply field elements as follows.
For
u = (u0 u1 um1), v = (v0 v1 vm1),
let F(u, v) be the expression derived with c0 = F (a, b).
Then the product (c0 c1 . . . cm1) = (a0 a1 . . . am1) (b0 b1 . . . bm1) can be computed as follows.
1.
2.
3.
For k from 0 to m 1 do
3.1
3.2
4.
4.2
An elliptic curve E defined over Fq is a set of points P = (xP, yP) where xP and yP are elements of
Fq that satisfy a certain equation, together with the point at infinity denoted by O. Fq is
sometimes called the underlying field.
- 21 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
If q = p is an odd prime (so the underlying field is Fp) and p > 3, then a and b shall satisfy 4a3 +
27b2 / 0 (mod p), and every point P = (xP, yP) on E (other than the point O) shall satisfy the
following equation in Fp:
yP2 = xP3 + axP + b.
If q = 2m is a power of 2 (so the underlying field is F2m), then b shall be non-zero in F2m, and
every point P = (xP, yP) on E (other than the point O) shall satisfy the following equation in F2m:
yP2 + xPyP = xP3 + axP2 + b.
For further background on elliptic curves, see Annexes B.3 and B.4.
An elliptic curve point P (which is not the point at infinity O) is represented by two field
elements, the x-coordinate of P and the y-coordinate of P: P =(xP, yP). The point can be
represented compactly by storing only the x-coordinate xP and a certain bit ~
y P derived from the
x-coordinate xP and the y-coordinate yP. The next subsections describe the technique that shall be
used to recover the full y-coordinate yP from xP and ~
y P , if point compression is used.
2.
Compute a square root of mod p. (See Annex D.1.4.) It is an error if the output of
Annex D.1.4 is no square roots exist.
3.
4.2.2 Point Compression Technique for Elliptic Curves over F2m (Optional)
Let P = (xP, yP) be a point on the elliptic curve E: y2 + xy = x3 + ax2 + b defined over a field F2m.
Then ~
y P is defined to be 0 if xP = 0; if xP 0, then ~
y P is defined to be the rightmost bit of the
-1
field element yPxP .
When the x-coordinate xP of P and the bit ~
y P are provided, then yP can be recovered as follows.
1.
If xP = 0, then yP = b2
m-1
Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
4.3
ANSI X9.63-2001
2.2.
Find a field element z such that z2 + z = using the algorithm described in Annex
D.1.6. It is an error if the output of Annex D.1.6 is no solutions exist.
2.3.
Let ~
z be the rightmost bit of z.
2.4.
If ~
z , then set z = z + 1, where 1 is the multiplicative identity.
yP ~
2.5.
Compute yP = xPz.
Data Conversions
The data types in this Standard are octet strings, integers, field elements and elliptic curve points.
Figure 1 provides a cross-reference for the sections, defining conversions between data types that
shall be used in the algorithms specified in this Standard. The number on a line is the section
number where the conversion technique is specified. Examples of conversions are provided in
Annex J.
2.
2 0
k
x=
8 k i
5M .
i
i =1
- 23 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
2.
2 0
k
x=
8 k i
5M .
i
i =1
Field
Element
Section 4.3.5
Section 4.3.4
Section 4.3.3
Octet
String
Section 4.3.1
Integer
Section 4.3.2
Section 4.3.6
Section 4.3.7
Point
If q is an odd prime, then must be an integer in the interval [0, q - 1]; shall be
converted to an octet string of length l octets using the technique specified in Section
4.3.1.
2.
If q = 2m, then must be a bit string of length m bits. Let s1, s2, , sm be the bits of
from leftmost to rightmost. Let S1, S2, , Sl be the octets of S from leftmost to rightmost.
The rightmost bit sm shall become the rightmost bit of the last octet Sl, and so on through
- 24 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
the leftmost bit s1, which shall become the (8l - m + 1)th bit of the first octet S1. The
leftmost (8l - m) bits of the first octet S1 shall be zero.
2.
If q = 2m, then shall be a bit string of length m bits. Let s1, s2, , sm be the bits of
from leftmost to rightmost. Let S1, S2, , Sl be the octets of S from leftmost to rightmost.
The rightmost bit of the last octet Sl shall become the rightmost bit sm, and so on through
the (8l m + 1)th bit of the first octet S1, which shall become the leftmost bit s1. The
leftmost (8l - m) bits of the first octet S1 are not used.
2.
If q = 2m, then must be a bit string of length m bits. Let s1, s2, , sm be the bits of
from leftmost to rightmost. shall be converted to an integer x satisfying:
20
m
x=
mi
5s .
i
i =1
compressed form.
- 25 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
uncompressed form.
3.
hybrid form.
ANSI X9.63-2001
NOTE The hybrid form contains information of both compressed and uncompressed forms. It allows an implementation to
convert to either compressed form or to uncompressed form.
Input: An elliptic curve point P = (xP ,yP), not the point at infinity.
Output: An octet string PO of length l + 1 octets if the compressed form is used, or of length 2l
+1 octets if the uncompressed or hybrid form is used. (l = (log2 q)/8.)
1.
Convert the field element xP to an octet string X1. (See Section 4.3.3.)
2.
3.
4.
2.1.
2.2.
2.3.
Convert the field element yP to an octet string Y1. (See Section 4.3.3.)
3.2.
3.3.
Convert the field element yP to an octet string Y1. (See Section 4.3.3.)
4.2.
4.3.
4.4.
ANSI X9.63-2001
ANSI X9.63-2001
1.
2.
3.
4.
5.
3.1.
Verify that PC is either 02 or 03. (It is an error if this is not the case.)
3.2.
3.3.
4.2.
Verify that PC is either 06 or 07. (It is an error if this is not the case.)
5.2.
Perform either step 5.2.1 or step 5.2.2, and then proceed to step 6:
5.2.1. Convert Y1 to a field element yP. (See Section 4.3.4.)
5.2.2. Set the bit ~
y P to be equal to 0 if PC = 06, or 1 if PC = 07. Convert (xP,
~
y P ) to an elliptic curve point (xP, yP). (See Section 4.2.)
6.
If q is a prime, verify that yP2 = xP3 + axP + b (mod p). (It is an error if this is not the
case.)
If q = 2m, verify that yP2 + xPyP = xP3 + axP2 + b in F2m. (It is an error if this is not the
case.)
7.
Cryptographic Ingredients
This section specifies the various cryptographic ingredients that are required by the key
agreement and key transport schemes. These ingredients include primitives, auxiliary functions,
and schemes.
- 27 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
These ingredients are also employed by various other ANSI standards - for example [8].
Some primitives, auxiliary functions, and schemes have prerequisites. These are conditions that
must be satisfied by an implementation of that ingredient. However, the specification of
mechanisms that provide the prerequisites is beyond the scope of this Standard.
5.1
This section specifies the primitives that shall be used to generate and validate EC domain
parameters.
In this Standard, EC domain parameters will be shared by a number of entities using a particular
system. In some schemes, different parameter sets may be used for calculations involving the
entities static keys and for calculations involving the entities ephemeral keys, and in other
schemes, the same parameter set must be used for both ephemeral and static key calculations. A
specific set of EC domain parameters may be used for more than one key establishment scheme,
asymmetric encryption scheme, or signature scheme; however, it is recommended that the same
key pair should not be used for any two or more of these schemes.
In all cases, the EC domain parameters may be public; the security of the system does not rely on
these parameters being secret.
The primitives specified in this section allow EC domain parameters to be generated in any
manner subject to some security constraints. The primitives optionally support an additional
feature that allows EC domain parameters to be generated verifiably at random.
The primitives specified differ depending on the characteristic of the underlying field. Thus,
Section 5.1.1 describes the primitives that shall be used for parameter generation and validation
in the case that the underlying field is Fp, and Section 5.1.2 describes the primitives that shall be
used in the case that the underlying field is F2m.
The parameter generation primitives will be used whenever EC domain parameters are generated
for a system. Furthermore, many of the schemes specified in this Standard require a valid set of
EC domain parameters to be held by each entity involved in the operation of the scheme. Thus,
in all cases, the generator of the system parameters shall use the appropriate parameter validation
primitive to check the validity of the generated parameters. The validation primitives may
additionally be used by the entities using the parameters to check their validity.
Note that in all cases, n is the primary security parameter. In general, as n increases, the security
of the EC scheme also increases. See Annex H for more information.
- 28 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
5.1.1 Primitives for Elliptic Curve Domain Parameter Generation and Validation
over Fp
5.1.1.1
Choose a prime p with p>3 as the field size, a lower bound rmin for the point order, a trial
division bound lmax, and an MOV threshold B. (See Annex H for advice on the
implications of these decisions.)
2.
Select EC domain parameters using the method described in Annex A.3.2 on input p, rmin,
and lmax.
The field size q = p that defines the underlying finite field Fq, where p>3 shall be a prime
number.
2.
3.
(Optional) A bit string SEED of length at least 160 bits if the elliptic curve was randomly
generated in accordance with Annex A.3.3.
4.
Two field elements a and b in Fq that define the equation of the elliptic curve E: y2 =
x3+ax+b.
5.
Two field elements xG and yG in Fq that define a point G=(xG,yG) of prime order on E
(note that G O).
6.
The order n of the point G (it must be the case that n>2160 and n>4 q ).
7.
5.1.1.2
The following transformation shall be used to validate EC domain parameters over Fp.
- 29 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Input: The input of the validation transformation is a purported set of EC domain parameters
consisting of p, FR, a, b, G =(xG,yG), n, and h, and optionally the purported seed
SEED used in the generation process.
Actions: The following checks are made:
1.
2.
3.
4.
If SEED is provided, verify that SEED is a bit string of length at least 160 bits, and that
a and b were suitably derived from SEED. (See Annex A.3.4.)
5.
6.
7.
8.
9.
10.
Verify that the MOV and Anomalous conditions hold. (See Annex A.1.)
Output: If any of the above verifications has failed, then output invalid and reject the EC
domain parameters. Otherwise, output valid, and accept the EC domain parameters.
NOTE Step 9 of the above transformation (and also step 9 of Section 5.1.2.2) verifies that the value of the purported cofactor
h is correct in the case that n>4q. The case that n 4q is excluded; there are methods for verifying the cofactor h in this
case, but these methods are not described because the general methods are cumbersome. Elliptic curves used in practice usually
have n q so that the condition n>4q will be satisfied.
5.1.2 Primitives for Elliptic Curve Domain Parameter Generation and Validation
over F2m
5.1.2.1
EC domain parameters over F2m shall be generated using the following routine.
Input: This routine does not take any input.
Actions: The following actions are taken:
- 30 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
Choose a field size 2m with m prime, a lower bound rmin for the point order, a trial
division bound lmax, and an MOV threshold B. (See Annex H for advice on the
implications of these decisions.)
2.
Choose a basis for representing the elements of F2m (either TPB, PPB, or GNB). If TPB
or PPB is chosen, also choose an appropriate reduction polynomial f(x) of degree m over
F2 to use. (See Section 4.1.2.)
3.
Select EC domain parameters using the method described in Annex A.3.2 on input 2m,
rmin, and lmax.
The field size q=2m with m prime that defines the underlying finite field Fq.
2.
An indication FR of the basis used to represent the elements of the field: NULL if the
basis is a GNB, or a reduction polynomial f(x) of degree m over F2 if the basis is a
polynomial basis.
3.
(Optional) A bit string SEED of length at least 160 bits, if the EC was randomly
generated in accordance with Annex A.3.3.
4.
Two field elements a and b in Fq that define the equation of the elliptic curve E: y2+xy =
x3+ax2+b.
5.
Two field elements xG and yG in Fq that define a point G=(xG,yG) of prime order on E
(note that GO).
6.
The order n of the point G (it must be the case that n>2160 and n>4q).
7.
5.1.2.2
The following transformation shall be used to validate EC domain parameters over F2m.
Input: The input of the validation transformation is a purported set of EC domain parameters
consisting of q=2m, FR, a, b, G=(xG,yG), n, h, and optionally the purported seed
SEED used in the generation process.
Actions: The following checks are made:
1.
2.
ANSI X9.63-2001
ANSI X9.63-2001
irreducible over F2. (See Table C-2 or Annex D.2.4.) If f(x) is a pentanomial, then verify
that an irreducible trinomial of degree m does not exist, and that f(x) is irreducible over
F2. (See Table C-3 or Annex D.2.4.)
3.
4.
If SEED is provided, verify that SEED is a bit string of length at least 160 bits, and that
b was suitably derived from SEED. (See Annex A.3.4.)
5.
6.
7.
8.
9.
10.
Verify that the MOV and Anomalous conditions hold. (See Annex A.1.)
Output: If any of the above verifications has failed, then output invalid and reject the EC
domain parameters. Otherwise, output valid, and accept the EC domain parameters.
5.2
This section specifies the primitives that shall be used to generate the entities EC key pairs and
to validate the entities EC public keys.
The key pair generation primitive is used during the generation of entities key pairs. In some
schemes, the primitive is used to produce static key pairs, and in other schemes, the primitive is
used to produce ephemeral key pairs.
Public key validation is used during the validation of an entitys public keys. Sometimes this
validation process will be carried out by a trusted Center such as a Certification Authority that
wishes to bind an entity to its static public key. At other times, this process will be carried out by
an entity who wishes to validate the purported ephemeral public key of another entity.
- 32 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Input: The input of the generation transformation is a valid set of EC parameters D = (q, FR, a,
b, SEED, G, n, h). Note that it is assumed that the parameters have been validated using
the primitives described in Sections 5.1.1.2 and 5.1.2.2.
Actions: The following actions are taken:
1.
2.
Output: The key pair (d,Q), where Q is the public key and d is the private key.
U performs explicit public key validation of the public key itself by using the appropriate
technique described in Section 5.2.2.1 or 5.2.2.2.
2.
U performs implicit public key validation of the public key itself by generating the public
key itself using trusted routines.
3.
U receives assurance that a party trusted for the lifetime of any key combined with the
public key being validated using the Diffie-Hellman primitives defined in Section 5.4 or
the MQV primitive defined in Section 5.5, has validated the public key by using the
appropriate technique described in Section 5.2.2.1 or 5.2.2.2.
- 33 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
U receives assurance that a party trusted for the lifetime of any key combined with the
public key being validated using the Diffie-Hellman primitives defined in Section 5.4 or
the MQV primitive defined in Section 5.5, has implicitly validated the public key by
generating the public key itself using trusted routines.
Typically, when U accepts assurance from another party, that party is a CA. However on
occasion, U may accept the assurance of another entity as well as a CA. For example in the
Station-to-Station scheme, U receives an ephemeral public key from V in a string that has been
signed by Vs certified signature key. U combines the public key with its own ephemeral public
key using the Diffie-Hellman primitive. It is acceptable for U to accept the validity of the
received ephemeral public key based on the knowledge that V generated the key, because V is
trusted for the lifetime of Us ephemeral public key. When the scheme itself does not provide the
appropriate assurance, the communication protocol that contains the scheme may provide the
assurance.
5.2.2.1
An EC public key shall be validated in the following manner, when the public key will be used
by the standard Diffie-Hellman primitive:
Input: The input of the validation transformation is a valid set of EC domain parameters D = (q,
FR, a, b, SEED, G, n, h), together with the purported public key Q=(xQ,yQ). Note that it
is assumed that the parameters have been validated using the primitives described in
Sections 5.1.1.2 and 5.1.2.2.
Actions: The following checks are made:
1.
2.
Verify that xQ and yQ are elements in the field Fq. (That is, verify that xQ and yQ are
integers in the interval [0,p-1] in the case that q=p is an odd prime, or that xQ and yQ are
bit strings of length m bits in the case that q=2m.)
3.
If q=p is an odd prime, verify that (yQ)2 (xQ)3+axQ+b (mod p). If q=2m, verify that
(yQ)2+xQyQ = (xQ)3+a(xQ)2+b in F2m.
4.
Output: If any one of the above verifications fail, then output invalid and reject the public key.
Otherwise, output valid and accept the public key.
NOTE If there is more than one public key available, the existence of two identical keys may also be checked. That is, it may
be checked that no two public keys Q1 and Q2 associated with the same elliptic curve domain parameters are equal.
- 34 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
An EC public key shall be validated in the following manner, when the public key will be used
by the cofactor Diffie-Hellman primitive or the MQV primitive:
Input: The input of the embedded validation transformation is a valid set of EC domain
parameters D = (q, FR, a, b, SEED, G, n, h), together with the purported public key
Q=(xQ,yQ). Note that it is assumed that the parameters have been validated using the
primitives described in Sections 5.1.1.2 and 5.1.2.2.
Actions: The following checks shall be made:
1.
2.
Verify that xQ and yQ are elements in the field Fq. (That is, verify that xQ and yQ are
integers in the interval [0,p-1] in the case that q=p is an odd prime, or that xQ and yQ are
bit strings of length m bits in the case that q=2m.)
3.
If q=p is an odd prime, verify that (yQ)2 (xQ)3+axQ+b (mod p). If q=2m, verify that
(yQ)2+xQyQ = (xQ)3+a(xQ)2+b in F2m.
Output: If any one of the above verifications has failed, then output invalid and reject the
public key. Otherwise, output valid and accept the public key.
5.3
This section specifies the primitive that shall be used to generate challenges to be used by the
schemes in this Standard.
The challenge generation primitive is used to generate challenges in the 3-pass key transport
scheme specified in Section 7.2.
Challenges shall be generated using the following transformation:
Input: An integer challengelen that is the length in bits of the challenge required. challengelen
shall be 80.
Actions: Select a statistically unique and unpredictable bit string Challenge of length
challengelen. It is acceptable to use a random or a pseudorandom string. If a
pseudorandom string is used, it shall be generated using one of the procedures of Annex
A.4 or of an ANSI X9 approved standard. If a pseudorandom number is used, optional
information to store with the challenge are the seed values and the particular
pseudorandom generation method used. Storing this optional information allows the
auditing of the challenge generation process.
- 35 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
If a pseudorandom generation method is used, the seed values used in the generation of
Challenge may be determined by internal means, may be supplied by the caller, or both this is an implementation choice.
Output: The bit string Challenge.
5.4
Diffie-Hellman Primitives
This section specifies the two Diffie-Hellman primitives that shall be used by the key
establishment schemes in this Standard.
These primitives derive a shared secret value from a secret key owned by an entity U1 and a
public key owned by an entity U2 when the keys share the same elliptic curve domain
parameters. If two entities both correctly execute the same primitive with corresponding keys as
inputs, the same shared secret value will be produced.
Two primitives are specified here: a standard Diffie-Hellman primitive and a modified DiffieHellman primitive. The standard Diffie-Hellman primitive produces a shared secret value in the
traditional manner. The modified Diffie-Hellman primitive also produces a shared secret value,
but has been modified to resist small subgroup attacks in a way that may in some cases be
particularly efficient. (See [43].)
2.
The public key Q2 shall have been validated as specified in Section 5.2.2.
Actions: The following actions are taken:
1.
2.
3.
ANSI X9.63-2001
ANSI X9.63-2001
2.
The public key Q2 shall have been validated as specified in Section 5.2.2.
Actions: The following actions are taken:
1.
2.
3.
5.5
MQV Primitive
This section specifies the MQV primitive that shall be used by the key agreement schemes
specified in this Standard.
This primitive derives a shared secret value from two secret keys owned by an entity U1 and two
public keys owned by an entity U2 when all the keys share the same elliptic curve domain
parameters. If the two entities both correctly execute this primitive with corresponding keys as
inputs, the same shared secret value will be produced.
The calculation of the shared secret value incorporates co-factor multiplication. Co-factor
multiplication is computationally efficient and helps to prevent security problems like small
subgroup attacks (see [43]).
The shared secret value shall be calculated as follows:
- 37 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
The key pairs (d1,Q1) and (d2,Q2) shall have been generated using the key pair generation
primitive specified in Section 5.2.1. The public keys Q3 and Q4 shall have been validated as
specified in Section 5.2.2.
Actions: The following actions are taken:
1.
2.
3.
4.
5.6
Auxiliary Functions
This section specifies three types of auxiliary functions that are used by some of the key
agreement schemes and key transport schemes specified in this Standard: associate value
functions, cryptographic hash functions and key derivation functions.
- 38 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The associate value function will be used to compute an integer associated with an elliptic curve
point. The bit length of the integer is approximately half the bit length of the field elements
associated with the elliptic curve point.
The associate value function is used by the MQV family of key agreement schemes specified in
Section 6.
The associate value function shall be calculated as follows:
Input: The input to the associate value function is:
1.
2.
2.
3.
Calculate:
avf(P) = xP + 2f/2.
ANSI X9.63-2001
ANSI X9.63-2001
Input: The input to the hash function is a bit string Data of length less than maxhashlen bits.
Actions: Calculate the hash value Hash corresponding to Data using the established hash
function. This process is denoted by:
Hash=H(Data)
where H denotes the established hash function.
Output: The bit string Hash of length hashlen bits.
Note that the hash function operates on bit strings of length less than maxhashlen bits. For
example, SHA-1 operates on bit strings of length less than 264 bits. It is assumed that all hash
function calls are on bit strings of length less than maxhashlen bits. Any scheme attempting to
call the hash function on a bit string of length greater than or equal to maxhashlen bits shall
output invalid and stop.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
keydatalen shall be less than hashlen(2321)
3.
(Optional) A bit string SharedInfo that consists of some data shared by the two entities
intended to share the secret value Z.
- 40 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Ingredients: The key derivation function employs one of the hash functions specified in Section
5.6.2.
Actions: The key derivation function is computed as follows:
1.
2.
2.2
Increment counter.
2.3
Increment i.
3.
Let HHashj denote Hashj if keydatalen/hashlen is an integer, and let it denote the
(keydatalen - (hashlenj)) leftmost bits of Hashj otherwise.
4.
5.7
MAC schemes
This section specifies the tagging transformation and the tag checking transformation associated
with the message authentication code (MAC) schemes that shall be used by the schemes in this
Standard.
Each MAC scheme is used as follows. The sender uses the tagging transformation to compute
the tag on some data. The recipient, after being sent the data and tag, checks the validity of the
tag using the tag checking transformation.
The MAC schemes is used by some key agreement schemes to provide key confirmation, and by
the asymmetric encryption scheme in Section 5.8.
Any ANSI-approved MAC that offers 80 bits of security or more may be used, i.e. any ANSIapproved MAC that uses keys of length 80 bits or more and that outputs tags of length 80 bits or
more. Possibilities therefore include HMAC specified in ANSI X9.71 [9].
- 41 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The appropriate choice of MAC scheme in a particular application will depend on the operating
environment. Issues involved in the decision will often include security requirements and
available cryptographic primitives.
The MAC scheme is specified as follows.
Prerequisites: The prerequisite for the operation of the MAC scheme is that an ANSI-approved
MAC scheme has been chosen. The length in bits of the keys used by the MAC scheme is
denoted by mackeylen.
2.
2.
3.
Actions: Calculate the tag for MacData under the key MacKey as:
- 42 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
MacTag = MACMacKey(MacData)
using the tagging transformation of the established ANSI-approved MAC.
Output: If MacTag=MacTag output valid; otherwise, output invalid.
5.8
This section specifies the asymmetric encryption scheme that shall be used by the schemes in
this Standard.
The asymmetric encryption scheme is used as follows. The sender uses the encryption
transformation of the scheme to encrypt some data. The recipient, after being sent the encrypted
data, decrypts the encrypted data using the decryption transformation of the scheme.
The asymmetric encryption scheme is used by the key transport schemes specified in Section 7.
The asymmetric encryption scheme supported is the Elliptic Curve Integrated Encryption
Scheme (ECIES). ECIES is specified as follows.
Prerequisites: The prerequisite for the operation of the Elliptic Curve Integrated Encryption
Scheme is a set of EC domain parameters D = (q, FR, a, b, SEED, G, n, h). The
parameters shall have been generated using the parameter generation primitives in
Sections 5.1.1.1 and 5.1.2.1. Furthermore, the parameters shall have been validated using
the parameter validation primitives in Sections 5.1.1.2 and 5.1.2.2. In addition, entities
using the scheme shall have established whether to use the standard Diffie-Hellman
primitive specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in
Section 5.4.2, and shall have established which ANSI-approved MAC scheme specified
in Section 5.7 will be used. The length in bits of the keys used by the established MAC
scheme will be denoted by mackeylen. Finally, an ANSI-approved hash function shall
have been chosen for use with the key derivation function.
2.
3.
(Optional) Two bit strings of data, SharedData1 and SharedData2, which are shared by
the sender and the recipient.
- 43 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The EC public key Q shall correspond to the EC domain parameters D. Q may have been
validated as specified in Section 5.2.2.
Ingredients: The encryption transformation employs the key pair generation primitive specified
in Section 5.2.1, one of the Diffie-Hellman primitives specified in Section 5.4, the
tagging transformation of the established MAC scheme specified in Section 5.7, and the
key derivation function specified in Section 5.6.3.
Actions: Encrypt the bit string EncData as follows:
1.
2.
3.
Use the established Diffie-Hellman primitive defined in Section 5.4 to derive a shared
secret value zFq from de and Q. If the Diffie-Hellman primitive outputs invalid, output
invalid and stop.
4.
Convert zFq to a bit string Z using the convention specified in Section 4.3.3.
5.
Use the key derivation function defined in Section 5.6.3 with the established hash
function to generate keying data KeyData of bit length encdatalen+mackeylen from Z and
[SharedData1].
6.
Parse KeyData as an encryption key EncKey of bit length encdatalen and a MAC key
MacKey of bit length mackeylen, i.e. parse KeyData as:
KeyData = EncKey||MacKey.
7.
8.
ANSI X9.63-2001
ANSI X9.63-2001
1.
2.
3.
(Optional) Two bit strings of data, SharedData1 and SharedData2, which are shared by
the sender and the recipient.
The private key d shall have been generated using the key pair generation primitive specified in
Section 5.2.1.
Ingredients: The decryption transformation employs public key validation as specified in
Section 5.2.2, one of the Diffie-Hellman primitives specified in Section 5.4, the tag
checking transformation of the established MAC scheme specified in Section 5.7, and the
key derivation function specified in Section 5.6.3.
Actions: Decrypt the bit string QE||MaskedEncData||MacTag consisting of the encoding of a
purported elliptic curve point Qe, a bit string MaskedEncData of length
maskedencdatalen, and a bit string MacTag of the appropriate length as follows:
1.
Convert QE to an elliptic curve point Qe using the convention specified in Section 4.3.7.
2.
Validate the ephemeral public key Qe using public key validation as specified in Section
5.2.2. If the validation primitive outputs invalid, output invalid and stop.
3.
Use the established Diffie-Hellman primitive defined in Section 5.4 to derive a shared
secret value zFq from d and Qe. If the Diffie-Hellman primitive outputs invalid,
output invalid and stop.
4.
Convert zFq to a bit string Z using the convention specified in Section 4.3.3.
5.
Use the key derivation function specified in Section 5.6.3 with the established hash
function to generate keying data KeyData of bit length maskedencdatalen+mackeylen
from Z and [SharedData1].
6.
Parse KeyData as an encryption key EncKey of bit length maskedencdatalen and a MAC
key MacKey of bit length mackeylen, i.e. parse KeyData as:
KeyData = EncKey||MacKey.
7.
8.
ANSI X9.63-2001
5.9
ANSI X9.63-2001
Signature Scheme
This section specifies the signature scheme that shall be used by the schemes in this Standard.
The signature scheme is used as follows. The sender uses the signing transformation to compute
a signature on some data. The recipient, after being sent the data and signature, checks the
validity of the signature using the verifying transformation.
The signature scheme is used by the Station-to-Station scheme specified in Section 6.8 and the 3pass key transport scheme specified in Section 7.2.
The signature scheme supported is the Elliptic Curve Digital Signature Algorithm (ECDSA).
ECDSA is specified in [7]. ECDSA shall be implemented as specified in [7].
Prerequisites: The prerequisite for the operation of the ECDSA is a set of EC domain
parameters D = (q, FR, a, b, SEED, G, n, h). The parameters shall have been generated
using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore,
the parameters shall have been validated using the parameter validation primitives in
Sections 5.1.1.2 and 5.1.2.2.
2.
The private key d shall correspond to the EC parameters D, and shall have been generated using
the primitive specified in Section 5.2.1.
Actions: Compute the integers rsig and ssig that comprise the signature on SignData as specified
in [7].
Output: The pair of integers rsig and ssig.
- 46 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
A pair of integers rsig and ssig, which are the purported signature of SignData.
3.
The public key Q shall correspond to the EC parameters D, and may have been validated as
specified in Section 5.2.2.
Actions: Verify the purported signature using the verification transformation specified in [7].
Output: Output valid if the verification transformation confirms that rsig and ssig are a valid
signature of SignData; otherwise, output invalid.
This section describes the key agreement schemes specified in this Standard.
In each case, the key agreement scheme is used by an entity who wishes to agree on keying data
with another entity. In some cases, the schemes specified are symmetric (i.e., analogous
computations are performed by the two entities), and so it suffices to describe just one
transformation in terms of two entities U and V. In an execution of a symmetric key agreement
scheme, it is possible that the two participating entities execute the transformation
simultaneously in this case neither entity can be identified as the initiator (or responder). If two
entities A1 and A2 wish to agree on keying data using a symmetric scheme, A1 executes the
transformation with U=A1 and V=A2, while A2 executes the transformation with U=A2 and V=A1.
In other cases, the schemes are asymmetric (i.e., different computations are performed by the
two entities), and so it is necessary to describe two transformations, one of which is undertaken
by U if U is the initiator, and one of which is undertaken by V if V is the responder.
In the specification of each transformation, equivalent computations that result in identical
output are allowed.
Each of the key agreement schemes has certain prerequisites. These are conditions that must be
satisfied by an implementation of the scheme. However the specification of mechanisms that
provide these prerequisites is beyond the scope of this Standard. There are no secrecy
requirements for the choices that may have to be made in the prerequisites (e.g., choice of hash
function, Diffie-Hellman primitive, MAC algorithm, elliptic curve point representation).
Annex H provides guidance on the selection and use of the key agreement schemes. Annex H.4.4
provides guidance for selecting parameter sizes for the various cryptographic components of a
key agreement scheme including n, hashlen, and mackeylen.
- 47 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Each scheme is described in two ways. First a flow diagram of the ordinary operation of the
scheme between two entities U and V is provided. This flow diagram is for descriptive purposes
only. Then a formal specification is given which describes the actions that the entities must take
to use the scheme to establish keying data.
The flow diagrams are intended to aid in the understanding of the mechanics of the ordinary
operation of the schemes in which flows are faithfully relayed between two entities. Note that in
real-life, there is no reason to assume that flows are relayed faithfully between two
entitiesthat is why the schemes must be formally specified in a more technical fashion.
When examining the flow diagrams, the following points should be noted:
For clarity of exposition, optional fields such as Text and SharedData are omitted.
kdf(Z) denotes the output of the key derivation function specified in Section 5.6.3 called
on input Z.
The key agreement schemes may involve input, output, or actions marked as optional. Optional
input and output fields are fields that may or may not be present in implementations of the
schemes. The schemes are designed to function whether or not these fields are present. However,
if optional shared data (SharedData, SharedData1, SharedData2) is used, then both
communicating parties must use the same data in order to derive the same keying data. Optional
shared data is allowed to permit flexibility to higher-level protocols that use the key agreement
scheme. Specifying the form of the shared data, and mechanisms for sharing the data, are beyond
the scope of this Standard. Optional actions are actions that may or may not be performed by
implementations. The schemes are designed to function whether or not these actions are
performed.
- 48 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qe,U
V
Qe,V
Ze = [h]de,UQe,V
Ze = [h]de,VQe,U
KeyData = kdf(Ze)
KeyData = kdf(Ze)
6.1
This section specifies the ephemeral Unified Model scheme. Figure 2 illustrates the messaging
involved in the use of the ephemeral Unified Model scheme.
The scheme is symmetric, so only one transformation is specified. An entity uses this
transformation to agree on keying data with another entity no matter whether they are the
initiator or the responder.
If two entities U and V execute the transformation with the corresponding keying material, then
U and V will compute the same keying data.
Prerequisites: The following are the prerequisites for the use of the scheme: Each entity has an
authentic copy of the systems elliptic curve domain parameters De = (qe, FRe, ae, be,
SEEDe, Ge, ne, he) to be used with ephemeral keys. These parameters shall have been
generated using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1.
Furthermore, the parameters shall have been validated using the parameter validation
primitives in Sections 5.1.1.2 and 5.1.2.2. In addition, entities using the scheme shall
have established whether to use the standard Diffie-Hellman primitive specified in
Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section 5.4.2. Finally,
entities using the scheme shall have established which ANSI-approved hash function to
use with the key derivation function.
Note that validation of the EC domain parameters De has not necessarily been carried out by U,
but may instead have been carried out by a party trusted by U. Note also that the subscript e is a
slight abuse of notation. It is used to indicate that the parameters are associated with ephemeral
key pairs rather than to indicate that the parameters themselves are ephemeral.
- 49 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
An integer keydatalen, which is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits, which consists of some
data shared by U and V.
Ingredients: The key agreement transformation employs the key pair generation primitive in
Section 5.2.1, public key validation in Section 5.2.2, one of the Diffie-Hellman primitives
in Section 5.4, and the key derivation function in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Exchange ephemeral EC public keys: Use the key pair generation primitive in Section
5.2.1 to generate an ephemeral key pair (de,U,Qe,U) for the parameters De. Send Qe,U to V.
Receive from V an ephemeral EC public key Qe,V purportedly owned by V. If this value
is not received, output invalid and stop.
2.
Verify that Qe,V is a valid key for the parameters De as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
3.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,U, the purported public key Qe,V, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
4.
5.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Ze and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
6.2
- 50 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,V
V
Qe,U
Z = [h]de,UQs,V
Z = [h]ds,VQe,U
KeyData = kdf(Z)
KeyData = kdf(Z)
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h). These parameters shall have been generated using the
parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore, the
parameters shall have been validated using the parameter validation primitives in
Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity who acts as a responder shall be bound to a static key pair associated with the
systems elliptic curve domain parameters D. The binding process shall include the
validation of the static public key as specified in Section 5.2.2.
3.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
- 51 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
An integer keydatalen, that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits, that consists of some
data shared by U and V.
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, one of the Diffie-Hellman primitives in Section 5.4, and the key derivation function
in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters D. Send Qe,U to V.
2.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zFq from the private key de,U, the static public key Qs,V, and the parameters D. If
the primitive outputs invalid, output invalid and stop.
3.
4.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
ANSI X9.63-2001
ANSI X9.63-2001
2.
An integer keydatalen which is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen bits which consists of some
data shared by U and V.
Ingredients: The key agreement transformation employs public key validation in Section 5.2.2,
one of the Diffie-Hellman primitives in Section 5.4, and the key derivation function in
Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters D as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
2.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zFq from the private key ds,V, the purported public key Qe,U, and the parameters
D. If the primitive outputs invalid, output invalid and stop.
3.
4.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
6.3
- 53 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
V
Qs,V
Zs = [h]ds,UQs,V
Zs = [h]ds,VQs,U
KeyData = kdf(Zs)
KeyData = kdf(Zs)
Each entity has an authentic copy of the systems elliptic curve domain parameters Ds =
(qs, FRs, as, bs, SEEDs, Gs, ns, hs) to be used with static keys. These parameters shall have
been generated using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1.
Furthermore, the parameters shall have been validated using the parameter validation
primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters Ds to be used with static keys. The binding process shall include the
validation of the static public key as specified in Section 5.2.2.
3.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
4.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
- 54 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Note that validation of Qs,V has not necessarily been carried out by U, but may instead have been
carried out, for example, by the CA issuing a certificate that binds V and Qs,V.
U shall execute the following transformation to agree on keying data with V. U shall obtain an
authentic copy of Vs static public key Qs,V.
Input: The input to the key agreement transformation is:
1.
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The key agreement transformation employs one of the Diffie-Hellman primitives in
Section 5.4 and the key derivation function in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,U, the public key Qs,V, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
2.
3.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Zs and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
6.4
This section specifies the combined Unified Model with key confirmation scheme. The scheme
is a hybrid of the ephemeral Unified Model scheme and the static Unified Model scheme in
which a MAC is used to provide key confirmation.
- 55 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
V
Qe,V, MACMacKey(0216 || V || U || QEV || QEU)
Zs = [h]ds,VQs,U
MacKey = kdf(Zs)
MacKey = kdf(Zs)
Ze = [h]de,UQe,V
Ze = [h]de,VQe,U
KeyData = kdf(Ze)
KeyData = kdf(Ze)
- 56 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
Each entity has an authentic copy of the systems elliptic curve domain parameters De =
(qe, FRe, ae, be, SEEDe, Ge, ne, he) to be used with ephemeral keys. These parameters shall
have been generated using the parameter generation primitives in Sections 5.1.1.1 and
5.1.2.1. Furthermore, the parameters shall have been validated using the parameter
validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
U has an authentic copy of the systems elliptic curve domain parameters Ds = (qs, FRs,
as, bs, SEEDs, Gs, ns, hs) to be used with static keys. These parameters shall have been
generated using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1.
Furthermore, the parameters shall have been validated using the parameter validation
primitives in Sections 5.1.1.2 and 5.1.2.2.
3.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters Ds to be used with static keys. The binding process shall include the
validation of the static public key as specified in Section 5.2.2. The key binding shall
include a unique identifier for each entity (e.g. distinguished names). All identifiers shall
be bit strings of the same length entlen bits. Entity Us identifier will be denoted by the
bit string U. Entity Vs identifier will be denoted by the bit string V.
4.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
5.
Each entity shall have decided which ANSI-approved MAC scheme to use as specified in
Section 5.7. mackeylen is used to denote the length of the keys used by the MAC scheme
chosen.
6.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
7.
Each entity shall have decided how to represent elliptic curve points as octet strings (i.e.,
compressed form, uncompressed form, or hybrid form).
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData1 of length shareddata1len bits and a bit string
SharedData2 of length shareddata2len bits that consist of some data shared by U and V.
- 57 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, one of the Diffie-Hellman primitives in
Section 5.4, the key derivation function in Section 5.6.3, and one of the MAC schemes in
Section 5.7.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters De. Send Qe,U to V.
2.
Receive from V an ephemeral public key Qe,V purportedly owned by V, an optional bit
string Text1, and a purported tag MacTag1. If these values are not received, output
invalid and stop.
3.
Verify that Qe,V is a valid key for the parameters De as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
4.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,U, the public key Qs,V, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
5.
6.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data MacKey of length mackeylen bits from the shared secret value Zs and
the shared data [SharedData1].
7.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0216, Vs identifier, Us
identifier, the bit string QEV, the bit string QEU, and (if present) Text1:
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
8.
Verify that MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
9.
Form the bit string consisting of the octet 0316, Us identifier, Vs identifier, the bit string
QEU corresponding to Us ephemeral public key, the bit string QEV corresponding to
Vs purported ephemeral public key, and optionally a bit string Text2:
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
10.
Calculate the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7:
MacTag2 = MACMacKey(MacData2).
- 58 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
If the tagging transformation outputs invalid, output invalid and stop. Send MacTag2
and if present Text2 to V.
11.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,U, the purported public key Qe,V, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
12.
13.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Ze and
the shared data [SharedData2].
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData1 of length shareddata1len bits and a bit string
SharedData2 of length shareddata2len bits that consist of some data shared by U and V.
Ingredients: The responder transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, one of the Diffie-Hellman primitives in
Section 5.4, the key derivation function in Section 5.6.3, and one of the MAC schemes in
Section 5.7.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters De as specified in Section 5.2.2. If the
primitive rejects the key, output invalid and stop.
2.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,V,Qe,V) for the parameters De.
3.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,V, the public key Qs,U, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
4.
ANSI X9.63-2001
ANSI X9.63-2001
5.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data MacKey of length mackeylen bits from the shared secret value Zs and
the shared data [SharedData1].
6.
Form the bit string consisting of the octet 0216, Vs identifier, Us identifier, the bit string
QEV corresponding to Vs ephemeral public key, the bit string QEU corresponding to
Us purported ephemeral public key, and optionally a bit string Text1:
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
7.
Calculate the tag MacTag1 for MacData1 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7.
MacTag1 = MACMacKey(MacData1).
If the tagging transformation outputs invalid, output invalid and stop. Send to U the
ephemeral public key Qe,V, bit string Text1 (if present), and MacTag1.
8.
Then receive from U an optional bit string Text2 and a purported tag MacTag2. If this
data is not received, output invalid and stop.
9.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0316, Us identifier, Vs
identifier, the bit string QEU, the bit string QEV, and the bit string Text2 (if present):
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
10.
Verify that MacTag2 is the valid tag on MacData2 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
11.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,V, the purported public key Qe,U, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
12.
13.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Ze and
the shared data [SharedData2].
Output: The bit string KeyData as the keying data of length keydatalen bits.
NOTE: The Combined Unified Model with Key Confirmation scheme only provides implicit key confirmation. That is each party
only gets the assurance that the other party can compute Ze, and not the assurance that the other party actually has computed Ze.
- 60 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
Ze = [h]de,UQs,V
Ze = [h]ds,VQe,U
Zs = [h]ds,UQs,V
Zs = [h]ds,VQs,U
6.5
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h). These parameters shall have been generated using the
parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore, the
parameters shall have been validated using the parameter validation primitives in
Sections 5.1.1.2 and 5.1.2.2.
- 61 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters D. The binding shall include the validation of the static public key as
specified in Section 5.2.2.
3.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
4.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
An integer keydatalen which is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits which consists of some
data shared by U and V.
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, one of the Diffie-Hellman primitives in Section 5.4, and the key derivation function
in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters D. Send Qe,U to V.
2.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,U, the public key Qs,V, and the parameters D. If the
primitive outputs invalid, output invalid and stop.
3.
4.
Use the established Diffie-Hellman primitive in 5.4 to derive a shared secret value zsFq
from the private key ds,U, the public key Qs,V, and the parameters D. If the primitive
outputs invalid, output invalid and stop.
5.
6.
- 62 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The responder transformation employs public key validation as specified in Section
5.2.2, one of the Diffie-Hellman primitives in Section 5.4, and the key derivation function
in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters D as specified in Section 5.2.2. If the
primitive rejects the key, output invalid and stop.
2.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key ds,V, the purported public key Qe,U, and the parameters
D. If the primitive outputs invalid, output invalid and stop.
3.
4.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,V, the public key Qs,U, and the parameters D. If the
primitive outputs invalid, output invalid and stop.
5.
6.
7.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
- 63 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
V
Qe,U
Qe,V
Ze = [h]de,UQe,V
Ze = [h]de,VQe,U
Zs = [h]ds,UQs,V
Zs = [h]ds,VQs,U
6.6
Each entity has an authentic copy of the systems elliptic curve domain parameters De =
(qe, FRe, ae, be, SEEDe, Ge, ne, he) to be used with ephemeral keys. These parameters shall
have been generated using the parameter generation primitives in Sections 5.1.1.1 and
- 64 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
5.1.2.1. Furthermore, the parameters shall have been validated using the parameter
validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity has an authentic copy of the systems elliptic curve domain parameters Ds =
(qs, FRs, as, bs, SEEDs, Gs, ns, hs) to be used with static keys. These parameters shall have
been generated using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1.
Furthermore, the parameters shall have been validated using the parameter validation
primitives in Sections 5.1.1.2 and 5.1.2.2.
3.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters Ds to be used with static keys. The binding process shall include the
validation of the static public key as specified in Section 5.2.2.
4.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
5.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
U shall execute the following transformation to agree on keying data with V. U shall obtain an
authentic copy of Vs static public key Qs,V.
Input: The input to the key agreement transformation is:
1.
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The key agreement transformation employs the key pair generation primitive in
Section 5.2.1, public key validation in Section 5.2.2 or the embedded public key
validation primitive in Section 5.2.3, one of the Diffie-Hellman primitives in Section 5.4,
and the key derivation function in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Exchange ephemeral EC public keys: Use the key pair generation primitive in Section
5.2.1 to generate an ephemeral key pair (de,U,Qe,U) for the parameters De. Send Qe,U to V.
Receive from V an ephemeral EC public key Qe,V purportedly owned by V. If this value
is not received, output invalid and stop.
2.
Verify that Qe,V is a valid key for the parameters De as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
3.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,U, the purported public key Qe,V, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
- 65 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
4.
5.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,U, the public key Qs,V, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
6.
7.
8.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
6.7
This section specifies the full Unified Model with key confirmation scheme. The scheme adds
flows to the full Unified Model scheme so that explicit key authentication may be supplied. A
MAC scheme is used to provide key confirmation.
- 66 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
V
Qe,V, MACMacKey(0216 || V || U || QEV || QEU)
Ze = [h]de,VQe,U
Zs = [h]ds,UQs,V
Zs = [h]ds,VQs,U
MacKey || KeyData
= kdf(Ze || Zs)
MacKey || KeyData
= kdf(Ze || Zs)
- 67 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
Each entity has an authentic copy of the systems elliptic curve domain parameters De =
(qe, FRe, ae, be, SEEDe, Ge, ne, he) to be used with ephemeral keys. These parameters shall
have been generated using the parameter generation primitives in Sections 5.1.1.1 and
5.1.2.1. Furthermore, the parameters shall have been validated using the parameter
validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity has an authentic copy of the systems elliptic curve domain parameters Ds =
(qs, FRs, as, bs, SEEDs, Gs, ns, hs) to be used with static keys. These parameters shall have
been generated using the parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1.
Furthermore, the parameters shall have been validated using the parameter validation
primitives in Sections 5.1.1.2 and 5.1.2.2.
3.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters Ds to be used with static keys. The binding process shall include the
validation of the static public key as specified in Section 5.2.2. The key binding shall
include a unique identifier for each entity (e.g. distinguished names). All identifiers shall
be bit strings of the same length entlen bits. Entity Us identifier will be denoted by the
bit string U. Entity Vs identifier will be denoted by the bit string V.
4.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
5.
Each entity shall have decided which ANSI-approved MAC scheme to use as specified in
Section 5.7. mackeylen will denote the length of the keys used by the chosen MAC
scheme.
6.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
7.
Each entity shall have decided how to represent elliptic curve points as octet strings (i.e.,
compressed form, uncompressed form, and hybrid form).
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
- 68 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, the Diffie-Hellman primitive in Section 5.4,
the key derivation function in Section 5.6.3, and one of the MAC schemes in Section 5.7.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters De. Send Qe,U to V.
2.
Then receive from V an ephemeral public key Qe,V purportedly owned by V, an optional
bit string Text1, and a purported tag MacTag1. If these values are not received, output
invalid and stop.
3.
Verify that Qe,V is a valid key for the parameters De as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
4.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,U, the purported public key Qe,V, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
5.
6.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,U, the public key Qs,V, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
7.
8.
9.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Z and the shared data [SharedData].
10.
Parse the leftmost macdatalen bits of KKeyData as a MAC key MacKey and the
remaining bits as keying data KeyData.
11.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0216, Vs identifier, Us
identifier, the bit string QEV, the bit string QEU, and Text1 (if present):
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
12.
Verify that MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
- 69 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Form the bit string consisting of the octet 0316, Us identifier, Vs identifier, the bit string
QEU corresponding to Us ephemeral public key, the bit string QEV corresponding to
Vs purported ephemeral public key, and optionally a bit string Text2:
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
14.
Calculate the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7:
MacTag2 = MACMacKey(MacData2).
If the tagging transformation outputs invalid, output invalid and stop. Send MacTag2
and if present Text2 to V.
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The responder transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, one of the Diffie-Hellman primitives in
Section 5.4, the key derivation function in Section 5.6.3, and one of the MAC schemes in
Section 5.7.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters De as specified in Section 5.2. If the
validation primitive rejects the key, output invalid and stop.
2.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,V,Qe,V) for the parameters De.
3.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zeFq from the private key de,V, the purported public key Qe,U, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
- 70 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
4.
5.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value zsFq from the private key ds,V, the public key Qs,U, and the parameters Ds. If the
primitive outputs invalid, output invalid and stop.
6.
7.
8.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Z and the shared data [SharedData].
9.
Parse the leftmost mackeylen bits of KKeyData as a MAC key MacKey and the remaining
bits as keying data KeyData.
10.
Convert Qe,Uand Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0216, Vs identifier, Us
identifier, the bit string QEV, the bit string QEU, and optionally a bit string Text1:
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
11.
Calculate the tag MacTag1 for MacData1 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7.
MacTag1 = MACMacKey(MacData1).
If the tagging transformation outputs invalid, output invalid and stop. Send to U the
ephemeral public key Qe,V, the bit string Text1 (if present), and MacTag1.
12.
Then receive from U an optional bit string Text2 and a purported tag MacTag2. If this
data is not received, output invalid and stop.
13.
Form the bit string consisting of the octet 0316, Us identifier, Vs identifier, the bit string
QEU corresponding to Us purported ephemeral public key, the bit string QEV
corresponding to Vs ephemeral public key, and if present the bit string Text2:
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
14.
Verify that MacTag2 is the valid tag on MacData2 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
Output: The bit string KeyData as the keying data of length keydatalen bits.
- 71 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qsig,U
Qsig,V
Qe,U
V
Qe,V, MACMacKey( QEV || QEU || U ),
SIGdsig,V( QEV || QEU || U )
MACMacKey( QEU || QEV || V ),
SIGdsig,U( QEU || QEV || V )
Ze = [h]de,UQe,V
Ze = [h]de,VQe,U
MacKey || KeyData
= kdf(Ze)
MacKey || KeyData =
kdf(Ze)
6.8
Station-to-Station Scheme
This section specifies the Station-to-Station scheme. The scheme uses a signature scheme to
authenticate the ephemeral Unified Model scheme and provide mutual explicit key
authentication.
Figure 9 illustrates the messaging involved in the use of the Station-to-Station scheme.
The scheme is asymmetric, so two transformations are specified. U uses the transformation
specified in Section 6.8.1 to agree on keying data with V if U is the protocols initiator, and V
uses the transformation specified in Section 6.8.2 to agree on keying data with U if V is the
protocol's responder.
The essential difference between the role of the initiator and the role of the responder is merely
that the initiator sends the first pass of the exchange.
- 72 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Each entity has an authentic copy of the systems elliptic curve domain parameters De =
(qe, FRe, ae, be, SEEDe, Ge, ne, he) to be used with ephemeral keys. These parameters shall
have been generated using the parameter generation primitives in Sections 5.1.1.1 and
5.1.2.1. Furthermore, the parameters shall have been validated using the parameter
validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity has an authentic copy of the systems elliptic curve domain parameters Dsig =
(qsig, FRsig, asig, bsig, SEEDsig, Gsig, nsig, hsig) to be used with a signature scheme. These
parameters shall have been generated using the parameter generation primitives in
Sections 5.1.1.1 and 5.1.2.1. Furthermore, the parameters shall have been validated using
the parameter validation primitives in Sections 5.1.1.2 and 5.1.2.2.
3.
Each entity shall be bound to a static signing key pair associated with the systems
elliptic curve domain parameters Dsig for signing. The binding process may include the
validation of the public signature as specified in Section 5.2.2. The key binding shall
include a unique identifier for each entity (e.g. distinguished names). All identifiers shall
be bit strings of the same length entlen bits. Entity Us identifier will be denoted by the
bit string U. Entity Vs identifier will be denoted by the bit string V.
4.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2.
5.
Each entity shall have decided which ANSI-approved MAC scheme to use as specified in
Section 5.7. mackeylen will denote the length of the keys used by the MAC scheme
chosen.
6.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
7.
Each entity shall have decided how to represent elliptic curve points as octet strings (i.e.,
compressed form, uncompressed form, or hybrid form).
- 73 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen that consists of some data
shared by U and V.
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2, public key validation in Section 5.2.2, one of the Diffie-Hellman primitives in
Section 5.4, the key derivation function in Section 5.6.3, one of the MAC schemes in
Section 5.7, and the signature scheme specified in Section 5.9.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U, Qe,U) for the parameters De. Send Qe,U to V .
2.
Then receive from V an ephemeral public key Qe,V purportedly owned by V, a pair of
integers rsig1 and ssig1 purporting to be a signature, a purported tag MacTag1, and an
optional bit string Text1. If this data is not received, output invalid and stop.
3.
Verify that Qe,V is a valid key for the parameters De as specified in Section 5.2. If the
validation primitive rejects the key, output invalid and stop.
4.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the bit string QEV, the bit string QEU,
Us identifier, and Text1 (if present):
Data1 = QEV || QEU || U || [Text1].
5.
Verify that rsig1 and ssig1 are a valid signature of Data1 under Vs public signature key
Qsig,V corresponding to the EC domain parameters Dsig, using the verifying transformation
of the signature scheme in Section 5.9. If the verifying transformation outputs invalid,
output invalid and stop.
6.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value ze in Fq from the private key de,U, the purported ephemeral public key Qe,V, and the
parameters De. If the primitive outputs invalid, output invalid and stop.
7.
8.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Ze and the shared data [SharedData].
9.
Parse the leftmost macdatalen bits of KKeyData as a MAC key MacKey and the
remaining bits as keying data KeyData.
- 74 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
10.
Verify that MacTag1 is the tag for Data1 under the key MacKey using the tag checking
transformation of the appropriate MAC scheme specified in Section 5.7. If the tag
checking transformation outputs invalid, output invalid and stop.
11.
Form the bit string consisting of the bit string QEU corresponding to Us ephemeral
public key, the bit string QEV corresponding to Vs purported ephemeral public key, Vs
identifier, and, optionally, a bit string Text2:
Data2 = QEU || QEV || V || [Text2].
12.
Sign Data2 using Us private signing key dsig,U corresponding to the parameters Dsig,
using the signing transformation of the signature scheme in Section 5.9. If the signing
transformation outputs invalid, output invalid and stop. Otherwise the signing
transformation outputs the integers rsig2 and ssig2 as the signature of Data2.
13.
Calculate the tag MacTag2 on Data2 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7:
MacTag2 = MACMacKey(Data2).
If the tagging transformation outputs invalid, output invalid and stop. Send rsig2,
ssig2, MacTag2 and Text2 (if present) to V.
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen that consists of some data
shared by U and V.
Ingredients: The responder transformation employs the key pair generation primitive in Section
5.2., public key validation in Section 5.2.2, one of the Diffie-Hellman primitives in
Section 5.4, the key derivation function in Section 5.6.3, one of the MAC schemes in
Section 5.7, and the signature scheme specified in Section 5.9.
Actions: Keying data shall be derived as follows:
- 75 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
1.
Verify that Qe,U is a valid key for the parameters De as specified in Section 5.2. If the
validation primitive rejects the key, output invalid and stop.
2.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,V; Qe,V) for the parameters De.
3.
Use the established Diffie-Hellman primitive in Section 5.4 to derive a shared secret
value ze in Fq from the private key de,V, the purported public key Qe,U, and the parameters
De. If the primitive outputs invalid, output invalid and stop.
4.
5.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Ze and the shared data [SharedData].
6.
Parse the leftmost macdatalen bits of KKeyData as a MAC key MacKey and the
remaining bits as keying data KeyData.
7.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the bit string QEV, the bit string QEU,
Us identifier, and, optionally, a bit string Text1:
Data1 = QEV || QEU || U || [Text1].
8.
Sign Data1 using Vs private signing key dsig,V corresponding to the parameters Dsig, using
the signing transformation of the signature scheme in Section 5.9. If the signing
transformation outputs invalid, output invalid and stop. Otherwise the signing
transformation outputs the integers rsig1 and ssig1 as the signature of Data1.
9.
Calculate the tag MacTag1 on Data1 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7:
MacTag1 = MACMacKey(Data1).
If the tagging transformation outputs invalid, output invalid and stop. Send Qe,V, rsig1,
ssig1, MacTag1 and if present Text1 to U.
10.
Then receive from U a pair of integers rsig1 and ssig1 purporting to be a signature, a
purported tag MacTag2, and an optional bit string Text2. If these values are not received,
output invalid and stop.
11.
Form the bit string consisting of the bit string QEU corresponding to Us purported
ephemeral public key, the bit string QEV corresponding to Vs ephemeral public key, Vs
identifier, and the bit string Text2 (if present):
Data2 = QEU || QEV || V || [Text2].
- 76 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
implicitsigU = de,U + avf(Qe,U) ds,U
R = h implicitsigU
( Qs,V + avf(Qs,V) Qs,V )
R = h implicitsigV
( Qe,U + avf(Qe,U) Qs,U )
Z = xR
Z = xR
KeyData = kdf(Z)
KeyData = kdf(Z)
Verify that rsig2 and ssig2 are a valid signature of Data2 under Us public signature key
Qsig,U corresponding to the EC domain parameters Dsig, using the verifying transformation
of the signature scheme in Section 5.9. If the verifying transformation outputs invalid,
output invalid and stop.
13.
Verify that MacTag2 is the tag for Data2 under the key MacKey using the tag checking
transformation of the appropriate MAC scheme specified in Section 5.7. If the tag
checking transformation outputs invalid, output invalid and stop.
Output: The bit string KeyData as the keying data of length keydatalen bits.
6.9
- 77 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
uses the transformation specified in Section 6.9.2 to agree keying data with U if V is the
protocols responder.
The essential difference between the role of the initiator and the role of responder in the scheme
is that the initiator contributes an ephemeral key pair, but the responder does not.
If U executes the initiator transformation, and V executes the responder transformation with the
corresponding keying material as input, then U and V will compute the same keying data.
Prerequisites: The following are the prerequisites for the use of the scheme:
1.
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h). These parameters shall have been generated using the
parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore, the
parameters shall have been validated using the parameter validation primitives in
Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters D. The binding process shall include the validation of the static public
key as specified in Section 5.2.2.
3.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, the MQV primitive in Section 5.5, the associate value function in Section 5.6.1,
and the key derivation function in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters D. Send Qe,U to V.
- 78 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
Use the MQV primitive in Section 5.5 to derive a shared secret value zFq from the key
pairs (d1,Q1)=(ds,U,Qs,U) and (d2,Q2)=(de,U,Qe,U), the public key Q3=Q4=Qs,V, and the
parameters D. If the MQV primitive outputs invalid, output invalid and stop.
3.
4.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The responder transformation employs public key validation in Section 5.2.2, the
MQV primitive in Section 5.5, the associate value function in Section 5.6.1, and the key
derivation function in Section 5.6.3.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters D as specified in Section 5.2.2. If the
primitive rejects the key, output invalid and stop.
2.
Use the MQV primitive in Section 5.5 to derive a shared secret value zFq from the key
pair (d1,Q1)=(d2,Q2)=(ds,V,Qs,V), the public keys Q3=Qs,U and Q4=Qe,U, and the
parameters D. If the MQV primitive outputs invalid, output invalid and stop.
3.
4.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
- 79 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
V
Qe,V
R = h implicitsigU
( Qe,V + avf(Qe,V) Qs,V )
R = h implicitsigV
( Qe,U + avf(Qe,U) Qs,U )
Z = xR
Z = xR
KeyData = kdf(Z)
KeyData = kdf(Z)
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h). These parameters shall have been generated using the
- 80 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters D. The binding process shall include the validation of the static public
key as specified in Section 5.2.2.
3.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
U shall execute the following transformation to agree on keying data with V. U shall obtain an
authentic copy of Vs static public key Qs,V.
Input: The input to the key agreement transformation is:
1.
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The key agreement transformation employs the key pair generation primitive in
Section 5.2.1, public key validation in Section 5.2.2, the MQV primitive in Section 5.5,
the associate value function in Section 5.6.1, and the key derivation function in Section
5.6.3.
Actions: Keying data shall be derived as follows:
1.
Exchange ephemeral EC public keys: Use the key pair generation primitive in Section
5.2.1 to generate an ephemeral key pair (de,U,Qe,U) for the parameters D. Send Qe,U to V.
Receive from V an ephemeral EC public key Qe,V purportedly owned by V. If this value
is not received, output invalid and stop.
2.
Verify that Qe,V is a valid key for the parameters D as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
3.
Use the MQV primitive in Section 5.5 to derive a shared secret value zFq from the key
pairs (d1,Q1)=(ds,U,Qs,U) and (d2,Q2)=(de,U,Qe,U), the public keys Q3=Qs,V and Q4=Qe,V,
and the parameters D. If the MQV primitive outputs invalid, output invalid and stop.
4.
5.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KeyData of length keydatalen bits from the shared secret value Z and
the shared data [SharedData].
Output: The bit string KeyData as the keying data of length keydatalen bits.
- 81 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qs,U
Qs,V
Qe,U
V
Qe,V, MACMacKey(0216 || V || U || QEV || QEU)
R = h implicitsigU
( Qe,V + avf(Qe,V) Qs,V )
R = h implicitsigV
( Qe,U + avf(Qe,U) Qs,U )
Z = xR
Z = xR
MacKey || KeyData
= kdf(Z)
MacKey || KeyData
= kdf(Z)
ANSI X9.63-2001
ANSI X9.63-2001
The essential difference between the role of the initiator and the role of the responder is merely
that the initiator sends the first pass of the exchange.
If U executes the initiator transformation, and V executes the responder transformation with the
corresponding keying material as input, then U and V will compute the same keying data.
Prerequisites: The following are the prerequisites for the use of the scheme:
1.
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h). These parameters shall have been generated using the
parameter generation primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore, the
parameters shall have been validated using the parameter validation primitives in
Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity shall be bound to a static key pair associated with the systems elliptic curve
domain parameters D. The binding process shall include the validation of the static public
key as specified in Section 5.2. The key binding shall include a unique identifier for each
entity (e.g. distinguished names). All identifiers shall be bit strings of the same length
entlen bits. Entity Us identifier will be denoted by the bit string U. Entity Vs identifier
will be denoted by the bit string V.
3.
Each entity shall have decided which ANSI-approved MAC scheme to use as specified in
Section 5.7. mackeylen denotes the length of keys used by the chosen MAC scheme.
4.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function.
5.
Each entity shall have decided how to represent elliptic curve points as octet strings (i.e.,
compressed form, uncompressed form, or hybrid form).
An integer keydatalen that is the length in bits of the keying data to be generated.
2.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The initiator transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, the MQV primitive in Section 5.5, the
associate value function in Section 5.6.1, the key derivation function in Section 5.6.3, and
one of the MAC schemes in Section 5.7.
- 83 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,U,Qe,U) for the parameters D. Send Qe,U to V.
2.
Then receive from V an ephemeral public key Qe,V purportedly owned by V, an optional
bit string Text1, and a purported tag MacTag1. If these values are not received, output
invalid and stop.
3.
Verify that Qe,V is a valid key for the parameters D as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
4.
Use the MQV primitive in Section 5.5 to derive a shared secret value zFq from the key
pairs (d1,Q1)=(ds,U,Qs,U) and (d2,Q2)=(de,U,Qe,U), the public keys Q3=Qs,V and Q4=Qe,V,
and the parameters D. If the MQV primitive outputs invalid, output invalid and stop.
5.
6.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Z and the shared data [SharedData].
7.
Parse the leftmost mackeylen bits of KKeyData as a MAC key MacKey and the remaining
bits as keying data KeyData.
8.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0216, Vs identifier, Us
identifier, the bit string QEV, the bit string QEU, and if present Text1:
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
9.
Verify that MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
10.
Form the bit string consisting of the octet 0316, Us identifier, Vs identifier, the bit string
QEU corresponding to Us ephemeral public key, the bit string QEV corresponding to
Vs purported ephemeral public key, and optionally a bit string Text2:
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
11.
Calculate the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7:
MacTag2 = MACMacKey(MacData2).
If the tagging transformation outputs invalid, output invalid and stop. Send MacTag2
and if present Text2 to V.
- 84 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Output: The bit string KeyData as the keying data of length keydatalen bits.
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) A bit string SharedData of length shareddatalen bits that consists of some
data shared by U and V.
Ingredients: The responder transformation employs the key pair generation primitive in Section
5.2.1, public key validation in Section 5.2.2, the MQV primitive in Section 5.5, the
associate value function in Section 5.6.1, the key derivation function in Section 5.6.3, and
one of the MAC schemes in Section 5.7.
Actions: Keying data shall be derived as follows:
1.
Verify that Qe,U is a valid key for the parameters D as specified in Section 5.2.2. If the
validation primitive rejects the key, output invalid and stop.
2.
Use the key pair generation primitive in Section 5.2.1 to generate an ephemeral key pair
(de,V,Qe,V) for the parameters D.
3.
Use the MQV primitive in Section 5.5 to derive a shared secret value zFq from the key
pairs (d1,Q1)=(ds,V,Qs,V) and (d2,Q2)=(de,V,Qe,V), the public keys Q3=Qs,U and Q4=Qe,U,
and the parameters D. If the MQV primitive outputs invalid, output invalid and stop.
4.
5.
Use the key derivation function in Section 5.6.3 with the established hash function to
derive keying data KKeyData of length mackeylen+keydatalen bits from the shared secret
value Z and the shared data [SharedData].
6.
Parse the leftmost mackeylen bits of KKeyData as a MAC key MacKey and the remaining
bits as keying data KeyData.
7.
Convert Qe,U and Qe,V to octet strings QEU and QEV using the established convention in
Section 4.3.6. Form the bit string consisting of the octet 0216, Vs identifier, Us
identifier, the bit string QEV, the bit string QEU, and, optionally, a bit string Text1:
MacData1 = 0216 || V || U || QEV || QEU || [Text1].
- 85 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Calculate the tag MacTag1 for MacData1 under the key MacKey using the tagging
transformation of the appropriate MAC scheme specified in Section 5.7.
MacTag1 = MACMacKey(MacData1).
If the tagging transformation outputs invalid, output invalid and stop. Send to U the
ephemeral public key Qe,V, if present the bit string Text1, and MacTag1.
9.
Then receive from U an optional bit string Text2 and a purported tag MacTag2. If this
data is not received, output invalid and stop.
10.
Form the bit string consisting of the octet 0316, Us identifier, Vs identifier, the bit string
QEU corresponding to Us purported ephemeral public key, the bit string QEV
corresponding to Vs ephemeral public key, and the bit string Text2 (if present):
MacData2 = 0316 || U || V || QEU || QEV || [Text2].
11.
Verify that MacTag2 is the valid tag on MacData2 under the key MacKey using the tag
checking transformation of the appropriate MAC scheme specified in Section 5.7. If the
tag checking transformation outputs invalid, output invalid and stop.
Output: The bit string KeyData as the keying data of length keydatalen bits.
This section describes the key transport schemes specified in this Standard.
In each case, the key transport scheme is used by an entity who wishes to send keying data to
another entity. Both schemes specified are asymmetric (i.e., different computations are
performed by the two entities), so it is necessary to describe two transformations, one of which is
undertaken by U if U is the initiator, and one of which is undertaken by V if V is the responder.
In the specification of each transformation, equivalent computations that result in identical
output are allowed.
Each of the key transport schemes has certain prerequisites. These are conditions that must be
satisfied by an implementation of the scheme. However, the specification of mechanisms that
provide these prerequisites is beyond the scope of this Standard. There are no secrecy
requirements for the choices that may have to be made in the prerequisites (e.g., choice of hash
function, Diffie-Hellman primitive, MAC algorithm, length of challenge).
Annex H provides guidance on the selection and use of the key transport schemes. Annex H.4.4
provides guidance for selecting parameter sizes for the various cryptographic components of a
key transport scheme including n, hashkeylen, mackeylen, and challengelen.
- 86 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Each key transport scheme is described in two ways. First, a flow diagram of the ordinary
operation of the scheme between two entities U and V is provided. This flow diagram is for
illustrative purposes only. Then a formal specification is given that describes the actions that the
entities must take to use the scheme to establish keying data.
These flow diagrams are intended to aid in the understanding of the mechanics of the ordinary
operation of the schemes in which flows are relayed faithfully between two entities. Note that in
real-life, there is no reason to assume that flows are relayed faithfully between two entities; that
is why the schemes must be formally specified in a more technical fashion.
When examining the flow diagrams, the following points should be noted:
For clarity of exposition, optional fields such as Text and SharedData are omitted.
kdf(Z) denotes the output of the key derivation function specified in Section 5.6.3 on
input Z.
ENC and DEC, respectively, denote the encryption and decryption transformations
associated with the asymmetric encryption scheme specified in Section 5.8. The
subscripts immediately following ENC and DEC denote the keys being used in the
operation of the appropriate transformation. Similarly, SIG denotes the signing
transformation associated with the ECDSA signature scheme specified in Section 5.9,
and MAC denotes the tagging transformation of one of the MAC schemes specified in
Section 5.7.
The key transport schemes may involve input, output, or actions marked as optional. Optional
input and output fields are fields that may or may not be present in implementations of the
schemes. The schemes are designed to function whether or not these fields are present. However,
if optional shared data (SharedData1, SharedData2) is used, then both communicating parties
must use the same data in order to derive the same keying data. Optional shared data is allowed
to permit flexibility to higher-level protocols that use the key agreement scheme. Specifying the
form of the shared data, and mechanisms for sharing the data, are beyond the scope of this
Standard. Optional actions are actions that may or may not be performed by implementations.
The schemes are designed to function whether or not these actions are performed.
7.1
- 87 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qenc,V
V
ENCQenc,V( U || KeyData )
KeyData = KeyData
U || KeyData =
DECdenc,V( ENCQenc,V( U || KeyData ) )
KeyData = KeyData
Each entity has an authentic copy of the systems elliptic curve domain parameters D =
(q, FR, a, b, SEED, G, n, h) to be used with the asymmetric encryption scheme. These
parameters shall have been generated using the parameter generation primitives in
Sections 5.1.1.1 and 5.1.2.1. Furthermore, the parameters shall have been validated using
the parameter validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity who acts as a responder shall be bound to a static encryption key pair
associated to the systems elliptic curve domain parameters D. The binding process may
include the validation of the public key as specified in Section 5.2.2.
3.
Each entity who acts as an initiator shall be bound to a unique identifier (e.g.
distinguished names). All identifiers shall be bit strings of the same bitlength entlen.
Entity Us identifier will be denoted by the bit string U.
- 88 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
4.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2 with the asymmetric encryption scheme.
5.
Each entity shall have chosen an ANSI-approved MAC scheme for use with the
asymmetric encryption scheme. mackeylen denotes the length of keys used by the
selected MAC scheme.
6.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function during encryption and decryption.
A bit string KeyData of length keydatalen bits that is the keying data to be transported.
2.
(Optional) Two bit strings SharedData1 and SharedData2 that consist of some data shared
by U and V.
Form the bit string consisting of Us identifier, the keying data KeyData, and, optionally,
a bit string Text:
EncData = U || KeyData || [Text].
2.
Encrypt EncData under Vs static public encryption key Qenc,V corresponding to the EC
domain parameters D, with the optional inputs SharedData1 and SharedData2, using the
encryption transformation of the asymmetric encryption scheme in Section 5.8. If the
encryption transformation outputs invalid, output invalid and stop. Otherwise the
encryption transformation outputs a bit string EncryptedData as the encryption of
EncData.
3.
Send EncryptedData to V.
Output: The bit string KeyData of length keydatalen bits as the keying data.
NOTE Including a key counter field in the optional Text field may help to prevent known key attacks.
- 89 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
An integer keydatalen that is the length in bits of the keying data to be generated.
3.
(Optional) Two bit strings SharedData1 and SharedData2 that consist of some data shared
by U and V.
Decrypt the bit string EncryptedData using Vs static private decryption key denc,V
corresponding to the EC domain parameters D, with the optional inputs SharedData1 and
SharedData2, using the decryption transformation of the asymmetric encryption scheme
in Section 5.8. If the decryption transformation outputs invalid, output invalid and
stop. Otherwise, the decryption transformation outputs a bit string EncData of length
encdatalen bits as the decryption of the bit string.
2.
3.
Parse the first entlen bits of EncData as the purported identifier U of U, and the next
keydatalen bits of EncData as keying data KeyData.
4.
Output: The bit string KeyData of length keydatalen bits as the keying data.
7.2
This section specifies the 3-pass transport scheme. The scheme uses a signature scheme to
provide explicit key authentication for a session key transported using the 1-pass transport
scheme specified in Section 7.1.
- 90 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Qenc,U, Qsig,U
Qsig,V
ChalU
V
ChalV, ENCQenc,U( V || KeyData ),
SIGdsig,V( ChalV || ChalU || U || ENCQenc,U( V || KeyData ) )
KeyData = KeyData
KeyData = KeyData
Each entity has an authentic copy of the systems elliptic curve domain parameters Denc =
(qenc, FRenc, aenc, benc, SEEDenc, Genc, nenc, henc) to be used with the asymmetric encryption
- 91 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
scheme. These parameters shall have been generated using the parameter generation
primitives in Sections 5.1.1.1 and 5.1.2.1. Furthermore, the parameters shall have been
validated using the parameter validation primitives in Sections 5.1.1.2 and 5.1.2.2.
2.
Each entity has an authentic copy of the systems elliptic curve domain parameters Dsig =
(qsig, FRsig, asig, bsig, SEEDsig, Gsig, nsig, hsig) to be used with the signature scheme. These
parameters shall have been generated using the parameter generation primitives in
Sections 5.1.1.1 and 5.1.2.1. Furthermore, the parameters shall have been validated using
the parameter validation primitives in Sections 5.1.1.2 and 5.1.2.2.
3.
Each entity shall be bound to a static signing key pair associated with the systems
elliptic curve domain parameters Dsig for signing. The binding process may include the
validation of the public signature as specified in Section 5.2.2. The key binding shall
include a unique identifier for each entity (e.g. distinguished names). All identifiers shall
be bit strings of the same bitlength entlen. Entity Us identifier will be denoted by the bit
string U. Entity Vs identifier will be denoted by the bit string V.
4.
Each entity who acts as an initiator shall be bound to a static encryption key pair
associated with the systems elliptic curve domain parameters Denc for encryption. The
binding process may include the validation of the public encryption key as specified in
Section 5.2.2.
5.
Each entity shall have established whether to use the standard Diffie-Hellman primitive
specified in Section 5.4.1 or the modified Diffie-Hellman primitive specified in Section
5.4.2 with the asymmetric encryption scheme.
6.
Each entity shall have chosen an ANSI-approved MAC scheme for use with the
asymmetric encryption scheme. mackeylen denotes the length of keys used by the
selected MAC scheme.
7.
Each entity shall have chosen an ANSI-approved hash function for use with the key
derivation function during encryption and decryption.
8.
Each entity shall have decided the length of the challenges to be used. challengelen
denotes the length chosen. Note that challengelen must be 80.
An integer keydatalen that is the length in bits of the keying data to be generated.
- 92 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
(Optional) Two bit strings SharedData1 and SharedData2 that consist of some data shared
by U and V.
Ingredients: The initiator transformation employs the challenge generation primitive specified
in Section 5.3, the signature scheme specified in Section 5.9, and the decryption
transformation of the asymmetric encryption scheme in Section 5.8.
Actions: Keying data shall be derived as follows:
1.
Use the challenge generation primitive in Section 5.3 to generate a challenge ChallengeU
of length challengelen bits. Send ChallengeU to V.
2.
3.
Verify that ChallengeV is a bit string of length challengelen bits. If not, output invalid
and stop.
4.
Decrypt the bit string EncryptedData using Us private decryption key denc,U
corresponding to the EC domain parameters Denc, with the optional inputs SharedData1
and SharedData2, using the decryption transformation of the asymmetric encryption
scheme in Section 5.8. If the decryption transformation outputs invalid, output invalid
and stop. Otherwise, the decryption transformation outputs a bit string EncData of length
encdatalen bits as the decryption of the bit string.
5.
6.
Parse the first entlen bits of EncData as the purported identifier V of V, and the next
keydatalen bits of EncData as keying data KeyData.
7.
8.
Form the bit string consisting of ChallengeV, ChallengeU, Us identifier, the bit string
EncryptedData, and Text1 (if present):
SignData1 = ChallengeV || ChallengeU || U || EncryptedData || [Text1].
9.
Verify that rsig1 and ssig1 are a valid signature of SignData1 under Vs public signature
key Qsig,V corresponding to the EC domain parameters Dsig, using the verifying
transformation of the signature scheme in Section 5.9. If the verifying transformation
outputs invalid, output invalid and stop.
10.
Form the bit string consisting of ChallengeU, ChallengeV, Vs identifier, and optionally a
bit string Text_2:
SignData2 = ChallengeU || ChallengeV || V || [Text2].
- 93 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
11.
Sign SignData2 using Us private signing key dsig,U corresponding to the parameters Dsig,
using the signing transformation of the signature scheme in Section 5.9. If the signing
transformation outputs invalid, output invalid and stop. Otherwise, the signing
transformation outputs the integers rsig2 and ssig2 as the signature of SignData2.
12.
Send to V the bit string Text2 (if present), rsig2 and ssig2.
2.
A bit string KeyData of length keydatalen bits that is the keying data to be transported.
3.
(Optional) Two bit strings SharedData1 and SharedData2 that consist of some data shared
by U and V.
Ingredients: The responder transformation employs the challenge generation primitive specified
in Section 5.3, the signature scheme specified in Section 5.9, and the encryption
transformation of the asymmetric encryption scheme in Section 5.8.
Actions: Keying data shall be derived as follows:
1.
Verify that ChallengeU is a bit string of length challengelen bits. If not, output invalid
and stop.
2.
Use the challenge generation primitive in Section 5.3 to generate a challenge ChallengeV
of length challengelen bits.
3.
Form the bit string consisting of Vs identifier, KeyData, and, optionally, a bit string
Text1:
EncData = V || KeyData || [Text1].
4.
Encrypt EncData under Us public encryption key Qenc,U corresponding to the EC domain
parameters Denc, with the optional inputs SharedData1 and SharedData2, using the
encryption transformation of the asymmetric encryption scheme in Section 5.8. If the
encryption transformation outputs invalid, output invalid and stop. Otherwise, the
encryption transformation outputs a bit string EncryptedData as the encryption of
EncData.
- 94 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Form the bit string consisting of ChallengeV, ChallengeU, Us identifier, the bit string
EncryptedData, and optionally a bit string Text1:
SignData1 = ChallengeV || ChallengeU || U || EncryptedData || [Text1].
6.
Sign SignData1 using Vs private signing key dsig,V corresponding to the parameters Dsig,
using the signing transformation of the signature scheme in Section 5.9. If the signing
transformation outputs invalid, output invalid and stop. Otherwise the signing
transformation outputs the integers rsig1 and ssig1 as a signature of SignData1.
7.
Send ChallengeV, the bit string EncryptedData, Text1 (if present), and rsig1 and ssig1 to
U.
8.
Then receive from U an optional bit string Text2, and a purported signature rsig2 and
ssig2. If this data is not received, output invalid and stop.
9.
Form the bit string consisting of ChallengeU, ChallengeV, Vs identifier, and Text2 (if
present):
SignData2 = ChallengeU || ChallengeV || V || [Text2].
10.
Verify that the pair rsig2 and ssig2 is a valid signature of SignData2 under Us public
signature key Qsig,U corresponding to the EC domain parameters Dsig, using the verifying
transformation of the signature scheme in Section 5.9. If the verifying transformation
outputs invalid, output invalid and stop.
ASN.1 Syntax
Several different types of information may need to be conveyed during the operation of the
schemes specified in this Standard. This section provides Abstract Syntax Notation One (ASN.1)
syntax that may be used to convey this information.
While it is not required that scheme-related information be represented with ASN.1 syntax, if it is
so represented, then the syntax used shall be as defined here. In addition, while it is likely that
the ASN.1 definitions provided will be encoded using the Distinguished Encoding Rules (DER),
other encoding rules may also be used.
The object identifier ansi-X9-63 represents the root of the tree containing all object identifiers
defined in this Standard and has the following value:
ansi-X9-63 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) tc68(133) country(16) x9(840)
x9Standards(9) x9-63(63)
}
- 95 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
As far as possible, the syntax specified in this section follows the syntax specified for elliptic
curve cryptographic schemes in ANSI X9.62 [7], and IETF PKIX [14].
8.1
This section provides the abstract syntax definitions for the finite fields defined in this Standard.
These definitions are used when conveying elliptic curve domain parameters as specified in
Section 8.3.
A finite field shall be identified by a value of type FieldID{}:
FieldID { FIELD-ID:IOSet } ::= SEQUENCE {
-- Finite field
fieldType
FIELD-ID.&id({IOSet}),
parameters
FIELD-ID.&Type({IOSet}{@fieldType})
}
FieldTypes FIELD-ID ::= {
{ Prime-p
IDENTIFIED BY prime-field } |
{ Characteristic2Set
IDENTIFIED BY characteristic-two-field },
FieldID{} is a parameterized type composed of two components, fieldType and parameters. These
components are specified by the fields &id and &Type, which form a template for defining sets
of information objects, instances of the class FIELD-ID. This class is based on the useful
information object class TYPE-IDENTIFIER, described in ISO/IEC 8824-2, Annex A. In an
instance of FieldID{}, fieldType will contain an object identifier value that uniquely identifies
the type contained in parameters. The effect of referencing fieldType in both components of
the FieldID{} sequence is to tightly bind the object identifier and its type.
The information object set FieldTypes is used as the single parameter in a reference to type
FieldID{} when conveying the identification of a finite field during the operation of the schemes.
It contains two objects. Each object, which represents a finite field type, contains a unique object
identifier and its associated type. The values of these objects define all of the valid values that
may appear in an instance of FieldID{} when it is constrained by FieldTypes (as it is in this
Standard).
The object identifier id-fieldType represents the root of a tree containing the object identifiers
of each field type. It has the following value:
id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) }
where:
ansi-X9-62 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-x9-62(10045)
}
- 96 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The object identifiers prime-field and characteristic-two-field name the two kinds of fields
defined in this Standard. They have the following values:
prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 }
Each of these unique object identifiers is associated with one ASN.1 type, Prime-p and
Characteristic-two{}, which specify the precise finite field in use. These types are defined below.
When conveying the identification of a finite field Fp, where p is an odd prime, the number p is
conveyed as the value of the type Prime-p.
Prime-p ::= INTEGER
-- Field size p
When conveying the identification of a finite field F2m, the following syntax is used.
Characteristic-two{CHARACTERISTIC-TWO:IOSet} ::= SEQUENCE {
m
INTEGER,
-- Field size 2^m, m prime
basis
CHARACTERISTIC-TWO.&id({IOSet}),
parameters
CHARACTERISTIC-TWO.&Type({IOSet}{@basis})
}
CHARACTERISTIC-TWO ::= TYPE-IDENTIFIER
In any instance of type Characteristic-two{}, the value of m specifies the prime degree of the
field, the value of basis specifies the type of representation used (ONB,TPB, or PPB), and the
value parameters specifies additional information associated with the basis type.
The information object set F2mBasisTypes is used as the single parameter in a reference to type
Characteristic-two{} when conveying the identification of a characteristic-two finite field during
the operation of the schemes. It holds three objects. Each object, which represents a basis type
for characteristic-two finite fields, contains a unique OID and its associated type. The values of
these objects define all of the valid values that may appear in an instance of Characteristic-two{}.
The objects are defined as follows.
F2mBasisTypes CHARACTERISTIC-TWO::= {
{ NULL
IDENTIFIED BY
gnBasis } |
{ Trinomial
IDENTIFIED BY
tpBasis } |
{ Pentanomial
IDENTIFIED BY
ppBasis } ,
The object identifier id-characteristic-two-basis represents the root of the tree containing the
object identifiers for each type of basis for the characteristic-two finite fields. It has the following
value:
id-characteristic-two-basis OBJECT IDENTIFIER ::= {
characteristic-two-field basisType(3)
}
- 97 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The object identifiers gnBasis, tpBasis and ppBasis name the three kinds of basis for
characteristic-two finite fields defined in this Standard. They have the following values:
gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 }
tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 }
ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 }
Each of these OIDs is associated with one ASN.1 type: NULL, Trinomial, or Pentanomial. The
types Trinomial and Pentanomial are defined below. When conveying the use of a Gaussian
normal basis, no additional information needs to be conveyed, so the type NULL is used.
When conveying the use of a trinomial basis with reduction polynomial xm + xk + 1, the integer k
is conveyed as the value of the type Trinomial.
Trinomial ::= INTEGER
When conveying the use of a pentanomial basis with reduction polynomial xm+xk1+xk2+xk3+1, the
integers k1, k2, and k3 are conveyed as the values k1, k2, and k3 of the type Pentanomial.
Pentanomial ::= SEQUENCE {
k1
INTEGER,
k2
INTEGER,
k3
INTEGER
}
8.2
This section provides the definitions for finite field elements and elliptic curve points defined in
this Standard. These definitions are used when conveying elliptic curve domain parameters as
specified in Section 8.3 and when conveying elliptic curve public keys as specified in Section
8.4.
A finite field element shall be represented by a value of type FieldElement:
FieldElement ::= OCTET STRING
The value of FieldElement shall be the octet string representation of the field element following
the conversion routine in Section 4.3.3.
An elliptic curve point shall be represented by a value of type ECPoint:
ECPoint ::= OCTET STRING
The value of ECPoint shall be the octet string representation of the elliptic curve point following
the conversion routine in Section 4.3.6.
- 98 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
8.3
ANSI X9.63-2001
This section provides the definitions for the elliptic curve domain parameters defined in this
Standard. These definitions are used, for example, when conveying the elliptic curve domain
parameters associated with an elliptic curve public key within an X.509 certificate as described
in Section 8.4.
Elliptic curve domain parameters shall be represented by a value of type ECParameters.
ECParameters ::= SEQUENCE {
version
INTEGER { ecpVer1(1) } (ecpVer1),
fieldID
FieldID {{FieldTypes}},
curve
Curve,
base
ECPoint,
order
INTEGER,
cofactor
INTEGER OPTIONAL,
...
}
Curve ::= SEQUENCE {
a
b
seed
}
FieldElement,
FieldElement,
BIT STRING OPTIONAL
specifies the version number of the elliptic curve domain parameters. It shall
have the value 1 for this version of the Standard. The notation above creates an INTEGER
named ecpVer1 and gives it a value of one. It is used to constrain version to a single
value.
identifies the finite field Fq over which the elliptic curve is defined. Finite fields
are represented by values of the parameterized type FieldID{}, constrained to the values of
the objects defined in the information object set FieldTypes.
base
order specifies
version
fieldID
specifies the base point G on the elliptic curve. The base point shall be represented
as a value of type ECPoint.
the order n of the base point G.
cofactor
- 99 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
8.4
ANSI X9.63-2001
This section provides the syntax for the elliptic curve public keys defined in this Standard.
These definitions are used, for example, when conveying an elliptic curve public key (along with
the associated elliptic curve domain parameters) within an X.509 certificate. The most common
method is found within X.509 certificates, where the public key is specified within the type
SubjectPublicKeyInfo, defined as follows.
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm
AlgorithmIdentifier {{ECPKAlgorithms}},
subjectPublicKey
BIT STRING
}
Note that when using the object identifiers ecPublicKeyType and ecdsa-SHA1, the inclusion of
the parameters is mandatory.
The type subjectPublicKeyInfo is used as follows.
algorithm indicates the type of public key being conveyed - it includes an identifier for the key
type and any associated parameters.
- 100 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The identifier ecPublicKeyType indicates an elliptic curve public key. (Note that this identifier is
used for all elliptic curve public keys. The usage of a given key may be delimited by the
keyUsage and extendedKeyUsage extensions within X.509 certificates.)
id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }
where:
id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) }
The parameters associated with elliptic curve public keys are conveyed via the type Parameters
as a choice of three alternatives. This allows a detailed specification of all required values using
a choice of ecParameters, the use of a namedCurve as an object identifier substitute for a
particular set of elliptic curve domain parameters, or implicitlyCA to indicate that the parameters
are explicitly defined elsewhere.
Parameters{CURVES:IOSet} ::= CHOICE {
ecParameters
ECParameters,
namedCurve
CURVES.&id({IOSet}),
implicitlyCA
NULL
}
The valid values for the namedCurve choice are constrained to those within the class CURVES.
CURVES ::= CLASS {
&id
}
WITH SYNTAX { ID &id }
The information object set ANSICurveNames may be used by other standards and by
implementations to indicate that the allowed values of CURVES are restricted to the example
elliptic curve domain parameters defined in Annexes J.4 and J.5 of this Standard. Each curve
object is represented as a unique object identifier value.
ANSICurveNames CURVES ::= {
{ ID ansit163k1 } |
-- J.4.1,
{ ID ansit163r1 } |
-- J.4.1,
{ ID ansit163r2 } |
-- J.4.1,
{ ID ansit193r1 } |
-- J.4.2,
{ ID ansit193r2 } |
-- J.4.2,
{ ID ansit233k1 } |
-- J.4.3,
{ ID ansit233r1 } |
-- J.4.3,
{ ID ansit239k1 } |
-- J.4.4,
{ ID ansit283k1 } |
-- J.4.5,
{ ID ansit283r1 } |
-- J.4.5,
{ ID ansit409k1 } |
-- J.4.6,
{ ID ansit409r1 } |
-- J.4.6,
{ ID ansit571k1 } |
-- J.4.7,
{ ID ansit571r1 } |
-- J.4.7,
{ ID ansip160k1 } |
-- J.5.1,
{ ID ansip160r1 } |
-- J.5.1,
{ ID ansip160r2 } |
-- J.5.1,
example 1 -example 2 -example 3 -example 1 -example 2 -example 1 -example 2 -example 1 -example 1 -example 2 -example 1 -example 2 -example 1 -example 2 -example 1 -example 2 -example 3 --
- 101 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
{ ID ansip192k1 } |
-- J.5.2, example 1 -{ ID ansip192r1 } |
-- J.5.2, example 2 -{ ID ansip224k1 } |
-- J.5.3, example 1 -{ ID ansip224r1 } |
-- J.5.3, example 2 -{ ID ansip256k1 } |
-- J.5.4, example 1 -{ ID ansip256r1 } |
-- J.5.4, example 2 -{ ID ansip384r1 } |
-- J.5.5, example 1 -{ ID ansip521r1 } ,
-- J.5.6, example 1 -
-- Additional curves may be added later -}
Here, curve identifier names are prefixed by ansi to indicate that they are specified for use in
ANSI standards, followed by a single letter to indicate a type of finite field, t for characteristic
two, or p for prime characteristic. The next three characters are numeric digits that indicate the
field size in bits. The final two characters indicate how the curve was selected and the example
number. For the curve selection character, an r indicates a curve whose coefficients were
selected verifiably at random using a seeded hash. A k indicates a Koblitz curve that facilitates
especially efficient implementation.
The object identifier for the example curves are defined as follows.
ansit163k1 OBJECT IDENTIFIER ::= { secgCurve 1 }
ansit163r1 OBJECT IDENTIFIER ::= { secgCurve 2 }
ansit163r2 OBJECT IDENTIFIER ::= { secgCurve 15 }
ansit193r1 OBJECT IDENTIFIER ::= { secgCurve 24 }
ansit193r2 OBJECT IDENTIFIER ::= { secgCurve 25 }
ansit233k1 OBJECT IDENTIFIER ::= { secgCurve 26 }
ansit233r1 OBJECT IDENTIFIER ::= { secgCurve 27 }
ansit239k1 OBJECT IDENTIFIER ::= { secgCurve 3 }
ansit283k1 OBJECT IDENTIFIER ::= { secgCurve 16 }
ansit283r1 OBJECT IDENTIFIER ::= { secgCurve 17 }
ansit409k1 OBJECT IDENTIFIER ::= { secgCurve 36 }
ansit409r1 OBJECT IDENTIFIER ::= { secgCurve 37 }
ansit571k1 OBJECT IDENTIFIER ::= { secgCurve 38 }
ansit571r1 OBJECT IDENTIFIER ::= { secgCurve 39 }
ansip160k1 OBJECT IDENTIFIER ::= { secgCurve 9 }
ansip160r1 OBJECT IDENTIFIER ::= { secgCurve 8 }
ansip160r2 OBJECT IDENTIFIER ::= { secgCurve 30 }
ansip192k1 OBJECT IDENTIFIER ::= { secgCurve 31 }
ansip192r1 OBJECT IDENTIFIER ::= { primeCurve 1 }
- 102 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
where:
secgCurve OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) curve(0)
}
and:
primeCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) prime(1)}
Finally, subjectPublicKey contains the actual elliptic curve public key. The public key (a value
of type ECPoint, which is an OCTET STRING) is mapped to a subjectPublicKey (a value of type
BIT STRING) as follows: the most significant bit of the OCTET STRING value becomes the most
significant bit of the BIT STRING value, etc.; the least significant bit of the OCTET STRING
becomes the least significant bit of the BIT STRING. Note that when DER-encoding is being used,
this means that the raw public key value without prepended DER-encoding tag and length octets
is placed in subjectPublicKey.
8.5
Scheme Syntax
This section provides abstract syntax definitions for the schemes defined in this standard. These
definitions are used when identifying the schemes in the messaging associated with the schemes.
They may also be used in the extended key usage field of an X.509 certificate containing a static
public key associated with the schemes.
The schemes are identified by a value of type KeyExchangeSchemeOID, defined as follows.
KeyExchangeSchemeOID ::=
KEY-EXCHANGE.&id({X963KeyExchangeSchemes})
Using this syntax, the schemes are identified by an object identifier constrained to lie in the set
defined by X963KeyExchangeSchemes.
- 103 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The remainder of this section specifies the object identifiers for specific schemes. The tree of
these object identifiers is represented by the object identifier x9-63-scheme. It has the following
value.
x9-63-scheme OBJECT IDENTIFIER ::= { ansi-X9-63 schemes(0) }
The Ephemeral Unified Model scheme shall be identified by the object identifier umEphemeralcofactorDH-sha1-scheme when used with the cofactor Diffie Hellman primitive and the key
derivation function based on SHA-1. This object identifier is defined as follows.
umEphemeral-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 1
}
- 104 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The 1-Pass Diffie-Hellman scheme is identified by the object identifier dhSinglePasscofactorDH-sha1kdf-scheme when used with the cofactor Diffie-Hellman primitive and the key
derivation function based on SHA-1. This object identifier is defined as follows.
dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 3
}
The Static Unified Model scheme shall be identified by the object identifier umStaticcofactorDH-sha1kdf-scheme when used with the cofactor Diffie-Hellman primitive and the key
derivation function based on SHA-1. This object identifier is defined as follows.
umStatic-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 5
}
- 105 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The Combined Unified Model with Key Confirmation scheme shall be identified by the object
identifier umKeyConfirm-cofactorDH-sha1kdf-hmac-scheme when used with the cofactor DiffieHellman primitive and the key derivation function based on SHA-1 and HMAC with SHA-1.
This object identifier is defined as follows.
umKeyConfirm-cofactorDH-sha1kdf-sha1hmac-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 7
}
The 1-Pass Unified Model scheme shall be identified by the object identifier umSinglePasscofactorDH-sha1kdf-scheme when used with the cofactor Diffie-Hellman primitive and the key
derivation function based on SHA-1. This object identifier is defined as follows.
umSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 9
}
The Full Unified Model scheme shall be identified by the object identifier umFull-cofactorDHsha1kdf-scheme when used with the cofactor Diffie-Hellman primitive and the key derivation
function based on SHA-1. This object identifier is defined as follows.
- 106 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The Full Unified Model with Key Confirmation scheme shall be identified by the object
identifier umFullConfirm-cofactorDH-sha1kdf-sha1hmac-scheme when used with the cofactor
Diffie-Hellman primitive and the key derivation function based on SHA-1 and HMAC with
SHA-1. This object identifier is defined as follows.
umFullConfirm-cofactorDH-sha1kdf-sha1hmac-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 13
}
The Station-to-Station scheme shall be identified by the object identifier station-to-stationcofactorDH-sha1kdf-sha1hmac-ecdsa-scheme when used with the cofactor Diffie-Hellman
primitive, the key derivation function based on SHA-1, HMAC with SHA-1, and ECDSA. This
object identifier is defined as follows.
station-to-station-cofactorDH-sha1kdf-sha1hmac-ecdsa-scheme
OBJECT IDENTIFIER ::= {
x9-63-scheme 15
}
- 107 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 108 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
8.6
This section provides ASN.1 syntax that may be used to encode input to the key derivation
function specified in Section 5.6.3. Note that the use of ASN.1 syntax for this purpose is optional
however, the use of ASN.1 syntax in this scenario can help to ensure that the encoding of
information fields is unambiguous.
The input to the key derivation function includes a bit string SharedInfo. SharedInfo may contain
a value of type X963SharedInfo as defined below. In this event, the octet string value of
X963SharedInfo shall be mapped to the bit string SharedInfo by taking the leftmost bit of the
leftmost octet of the value of X963SharedInfo as the leftmost bit of SharedInfo and so on.
X963SharedInfo ::= SEQUENCE {
keyInfo
AlgorithmIdentifier{{ANSISymmetricAlgorithms}},
entityUInfo
[0] OCTET STRING OPTIONAL,
entityVInfo
[1] OCTET STRING OPTIONAL,
suppPubInfo
[2] OCTET STRING OPTIONAL,
suppPrivInfo
[3] OCTET STRING OPTIONAL
}
keyInfo
specifies the symmetric algorithm(s) for which the derived key(s) are to be used.
It is constrained by ANSISymmetricAlgorithms, described below.
entityUInfo,
- 109 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
entityVInfo,
suppPubInfo,
ANSISymmetricAlgorithms delimits
follows.
ANSISymmetricAlgorithms ALGORITHM ::= {
tripleDESalgo |
sha1HMACalgo,
...
-- Additional symmetric algorithms may be added later -}
The type tripleDESalgo indicates that the derived key(s) will be used by the Triple DES
algorithm.
TripleDESkeys ::= INTEGER {
oneKey (1),
twoKeys (2),
threeKeys (3)
}
( oneKey | twoKeys | threeKeys )
tripleDESalgo ALGORITHM ::= {
OID tripleDES PARMS TripleDESkeys
}
tripleDES OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-x942(10046) algorithms(1) triple-des(2)
}
The type hMAC-SHA1 indicates that the derived key(s) will be used by the HMAC algorithm with
SHA-1.
sha1HMACalgo ALGORITHM ::= {
OID sha1HMAC PARMS INTEGER
}
sha1HMAC OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) 8 1 2
}
(The INTEGER parameter indicates the size of the HMAC key being used - for example, the value
160 indicates that 160-bit HMAC keys are being derived.)
- 110 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
8.7
ANSI X9.63-2001
ASN.1 Module
The following ASN.1 module contains all the syntax defined in this Standard.
ANSI-X9-63 {
iso(1) identified-organization(3) tc68(133) country(16) x9(840)
x9Standards(9) x9-63(63) module(1) 1
}
DEFINITIONS EXPLICIT TAGS ::= BEGIN
--- X9.63 Key Agreement and Key Transport using ECC.
--- EXPORTS All;
---- Import the required types.
-IMPORTS
--- The following are imported from ANSI X9.62-1998
-CURVES, ECParameters, id-ecPublicKey, id-publicKeyType, primeCurve
FROM ANSI-X9-62;
--- ANSI X9.63 arc:
-ansi-X9-63 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) tc68(133) country(16) x9(840)
x9Standards(9) x9-63(63)
}
- 111 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 112 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
station-to-station-cofactorDH-sha1kdf-sha1hmac-ecdsa-scheme
OBJECT IDENTIFIER ::= {
x9-63-scheme 15
}
mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 16
}
mqvFull-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 17
}
mqvFullConfirm-sha1kdf-sha1hmac-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 18
}
onePassTransport-stdDH-sha1kdf-sha1hmac-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 19
}
onePassTransport-cofactorDH-sha1kdf-sha1hmac-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 20
}
threePassTransport-stdDH-sha1kdf-sha1hmac-ecdsa-scheme
OBJECT IDENTIFIER ::= {
x9-63-scheme 21
}
threePassTransport-cofactorDH-sha1kdf-sha1hmac-ecdsa-scheme
OBJECT IDENTIFIER ::= {
x9-63-scheme 22
}
- 113 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 114 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 115 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
}
ansit163k1 OBJECT IDENTIFIER ::= { secgCurve 1 }
ansit163r1 OBJECT IDENTIFIER ::= { secgCurve 2 }
ansit163r2 OBJECT IDENTIFIER ::= { secgCurve 15 }
ansit193r1 OBJECT IDENTIFIER ::= { secgCurve 24 }
ansit193r2 OBJECT IDENTIFIER ::= { secgCurve 25 }
ansit233k1 OBJECT IDENTIFIER ::= { secgCurve 26 }
ansit233r1 OBJECT IDENTIFIER ::= { secgCurve 27 }
ansit239k1 OBJECT IDENTIFIER ::= { secgCurve 3 }
ansit283k1 OBJECT IDENTIFIER ::= { secgCurve 16 }
ansit283r1 OBJECT IDENTIFIER ::= { secgCurve 17 }
ansit409k1 OBJECT IDENTIFIER ::= { secgCurve 36 }
ansit409r1 OBJECT IDENTIFIER ::= { secgCurve 37 }
- 116 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 117 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex A
(normative)
Normative Number-Theoretic Algorithms
A.1
Two conditions, the MOV condition and the Anomalous condition, are described in order to
ensure that a particular elliptic curve is not vulnerable to two known attacks on special instances
of the elliptic curve discrete logarithm problem.
Set t = 1.
2.
For i from 1 to B do
3.
2.1.
Set t = tq mod n.
2.2.
Output true.
- 118 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
A.2
Primality
2.
For j from 1 to T do
2.1.
2.2.
Set b = aw mod n.
2.3.
2.4.
Set b = b2 mod n.
- 119 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
3.
ANSI X9.63-2001
2.4.2
2.4.3
2.4.4
Next i.
2.5.
2.6.
Next j.
If the algorithm outputs composite, then n is a composite integer. The probability that the
algorithm outputs probable prime when n is a composite integer is less than 2-2T. Thus, the
probability of an error can be made negligible by taking a large enough value for T. For this
Standard, a value of T 50 shall be used.
Set n = u, h = 1.
2.
2.2.
While (l divides n)
2.3.
2.2.1
2.2.2
Next l.
3.
If n is a probable prime (see Annex A.2.1), then output h and n and stop.
4.
ANSI X9.63-2001
A.3
ANSI X9.63-2001
2.
Set G = hR.
3.
If G = O, then go to Step 1.
4.
Set Q = nG.
5.
6.
Output G.
ANSI X9.63-2001
ANSI X9.63-2001
Otherwise, use any alternative technique to select a, b Fq that define an elliptic curve of
known order u.
2.
In the case that q is a prime, verify that (4a3+27b2) / 0 (mod p). The curve equation for
E is:
y2 = x3 + ax + b.
In the case that q = 2m, verify that b 0. The curve equation for E is:
y2 + xy = x3 + ax2 + b.
3.
Test u for near primality using the technique defined in Annex A.2.2. If the result is not
nearly prime, then go to Step 1. Otherwise, u = hn, where h is lmax-smooth, and n rmin,
n>4q is a probable prime.
4.
Check the MOV condition (see Annex A.1.1) with inputs B 20, q, and n. If the result is
false, then go to Step 1.
Check the Anomalous condition (see Annex A.1.2). If the result is false, then go to
Step 1.
5.
6.
Output the curve E, (optional) SEED, the point G, the order n, and the cofactor h.
NOTES:
1. rmin is selected so that rmin > 2160. The security level of the resulting elliptic curve discrete logarithm problem can be increased
by selecting a larger rmin (e.g. rmin > 2200).
2. If q is prime, then the order u of an elliptic curve E over Fq satisfies q+12q< u < q+1+2q. Hence for a given q, rmin should
be q+1-2q.
3. If q = 2m, then the order u of an elliptic curve E over Fq satisfies q+12q< u < q+1+2q, and u is even. Hence for a given q,
rmin should be (q+12q)/2.
4. lmax is typically a small integer (e.g. lmax = 255).
5. The order #E(Fq) can be computed by using Schoof's algorithm [62]. Although the basic algorithm is quite computationally
expensive, several dramatic improvements and extensions of this method have been discovered in r ecent years. Currently, it is
feasible to compute orders of elliptic curves over Fp, where p is as large as 10499. For elliptic curves over F2m a new algorithm due
to Satoh (see [27]) can be used to select cryptographically suitable elliptic curves over fields as large as F2256 in a few seconds on
a workstation.
6. Another technique for selecting an elliptic curve of known order is to use the Complex Multiplication (CM) method. This
method is described in detail in Annex E.
Annex J presents sample elliptic curves that may be used to ensure the correct implementation of
this Standard.
- 122 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
A.3.3.1
Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of
SEED in bits.
2.
Compute H = SHA-1(SEED), and let b0 denote the bit string of length h bits obtained by
taking the h rightmost bits of H.
3.
4.
5.
If b = 0, then go to step 1.
6.
7.
8.
A.3.3.2
- 123 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Output: A bit string SEED and field elements a, b Fp that define an elliptic curve over Fp.
Let t = log2 p, s = (t 1)/160, and h = t 160s.
1.
Choose an arbitrary bit string SEED of bit length at least 160 bits. Let g be the length of
SEED in bits.
2.
Compute H = SHA-1(SEED), and let c0 denote the bit string of length h bits obtained by
taking the h rightmost bits of H.
3.
Let W0 denote the bit string of length h bits obtained by setting the leftmost bit of c0 to 0.
(This ensures that r < p.)
4.
5.
Let W be the bit string obtained by the concatenation of W0, W1,, Ws as follows:
W = W0 || W1 || ... || Ws.
6.
Let w1, w2, . . . , wt be the bits of W from leftmost to rightmost. Let r be the integer
t
r = wi 2 t i .
i =1
7.
Choose integers a, b Fp such that rb2 a3 (mod p). (It is not necessary that a and b be
chosen at random.)
8.
9.
10.
- 124 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Input: A bit string SEED, the field F2m, and a field element bF2m.
Output: Acceptance or rejection of the input parameters.
Let t = m, s = (t 1)/160, and h = t 160s.
1.
Compute H = SHA-1(SEED), and let b0 denote the bit string of length h bits obtained by
taking the h rightmost bits of H.
2.
3.
4.
A.3.4.2
Input: A bit string SEED, the field Fp, and field elements a, bFp.
Output: Acceptance or rejection of the input parameters.
Let t = log2 p, s = (t 1)/160, and h = t 160s.
1.
Compute H = SHA-1(SEED), and let c0 denote the bit string of length h bits obtained by
taking the h rightmost bits of H.
2.
Let W0 denote the bit string of length h bits obtained by setting the leftmost bit of c0 to 0.
3.
4.
Let W be the bit string obtained by the concatenation of W0, W1,, Ws as follows:
W = W0 || W1 || ... || Ws.
5.
Let w1, w2, . . . , wt be the bits of W from leftmost to rightmost. Let r be the integer
t
r = wi 2 t i .
i =1
- 125 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
6.
A.4
Any implementation of this standard requires the ability to generate random or pseudorandom
integers. These randomly or pseudorandomly generated integers are selected to be between 1 and
n-1 inclusive, where n is a prime number. If pseudorandom numbers are desired, they shall be
generated by the techniques given in this section or in an ANSI X9 approved standard.
2.
Choose a new, secret value for the seed-key, XKEY. (XKEY is of length b bits.)
3.
4.
ANSI X9.63-2001
ANSI X9.63-2001
NOTES:
1.
The optional user input XSEEDi,j in step 4.1.1 permits a user to augment the seed-key XKEY with random or pseudorandom
numbers derived from alternate sources. The values of XSEEDi,j must have the same security requirements as the seed-key
XKEY. That is, they must be protected from unauthorized disclosure and be unpredictable.
2.
SHA-1 was designed to provide 80 bits of security. Thus if SHA-1 is used to construct G as specified in Annex A.4.1.1, then
the resulting pseudorandom number generator cannot be guaranteed to provide more than 80 bits of security.
A.4.1.1
G(t,c) may be constructed using steps (a)-(e) in Annex 3.3 of ANSI X9.30 Part 2 [3]. Before
executing these steps, {Hj} and M1 must be initialized as follows:
1.
Initialize the {Hj} by dividing the 160-bit value t into five 32-bit segments as follows:
t = t0 || t1 || t2 || t3 || t4.
Then Hj = tj for j = 0 through 4.
2.
There will be only one message block, M1, which is initialized as follows:
M1 = c || 0512-b.
(The first b bits of M1 contain c, and the remaining (512-b) bits are set to zero.)
Then steps (a) through (e) of Section 3.3 of ANSI X9.30 Part 2 [3] are executed, and G(t,c) is the
160-bit string represented by the five words:
H0 || H1 || H2 || H3 || H4
at the end of step (e).
- 127 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex B
(informative)
Mathematical Background
B.1
Let p be a prime number. There are many ways to represent the elements of the finite field with p
elements. The most commonly used representation is the one defined in this section.
The finite field Fp is comprised of the set of integers:
{0,1,2,..., p1}
with the following arithmetic operations:
Let Fp* denote all the non-zero elements in Fp. In Fp, there exists at least one element g such that
any non-zero element of Fp can be expressed as a power of g. Such an element g is called a
generator (or primitive element) of Fp*. That is:
Fp* = {gi : 0 i p2}.
The multiplicative inverse of a = gi Fp* , where 0 i p 2, is:
a-1 = gp-1-i.
0 1
0 0 0
1 0 1
- 128 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
B.2
50 = 1
51 = 5
52 = 2
53 = 10
54 = 4
55 = 20
56 = 8
57 = 17
58 = 16
59 = 11
510 = 9
511 = 22
512 = 18
513 =21
514 = 13
515 = 19
516 = 3
517 = 15
518 = 6
519 =7
520 = 12
521 = 14
522 =1.
There are many ways to construct a finite field with 2m elements. The field F2m can be viewed as
a vector space of dimension m over F2. That is, there exist m elements 0,1, ,m-1 in F2m such
that each element F2m can be uniquely written in the form:
ANSI X9.63-2001
ANSI X9.63-2001
more polynomials over F2, each of degree less than m. f(x) is called the reduction polynomial.
The finite field F2m is comprised of all polynomials over F2 of degree less than m:
F2m = {am-1xm-1 + am-2xm-2 + ... + a1x + a0 : ai {0,1}}.
The field element (am-1xm-1 + am-2xm-2 + ... + a1x + a0) is usually denoted by the bit string
(am-1...a1a0) of length m, so that:
F2m = {(am-1... a1a0): ai {0,1}}.
Thus, the elements of F2m can be represented by the set of all bit strings of length m. The
multiplicative identity element (1) is represented by the bit string (0001), while the zero
element is represented by the bit string of all 0s.
Field elements are added and multiplied as follows:
B.2.1.1
Field addition
B.2.1.2
Field multiplication
ANSI X9.63-2001
ANSI X9.63-2001
i
F2m* = {g : 0 i 2m - 2}.
m-1-i
(1000)
(0100)
(1100)
(0010)
(1010)
(0110)
(1110)
(0001)
(1001)
(0101)
(1101)
(0011)
(1011)
(0111)
(1111).
2x
72
+ x2 + 1 x3 + 1 = x6 + x5 + x2 +1
7 2
+ x + 1 mod f 0 x 5
72
= x4 + x + 1 x2 + x + x3 + x2 + x + 1
= x3 + x2
i.e., x3 + x2 + x +1 is the remainder when (x3 + x2 +1) (x3 +1) is divided by f(x).
The multiplicative identity is (0001).
F 24 can be generated by the element = x. The powers of are:
*
0 = (0001)
4 = (0011)
8 = (0101)
12 = (1111)
1 = (0010)
5 = (0110)
9 = (1010)
13 = (1101)
2 = (0100)
6 = (1100)
10 = (0111)
14 = (1001).
3 = (1000)
7 = (1011)
11 = (1110)
- 131 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
{, 2, 2 , ..., 2
m-1
},
where F2m. Such a basis always exists. Given any field element F2m, we can write
m 1
= ai 2 , where ai {0,1}. This element is denoted by the binary string (a0a1. . . am-1) of
i
i= 0
length m, so that:
F2m = {(a0a1am-1): ai {0,1}}.
Note that, by convention, the ordering of bits is different from that of a polynomial basis
representation (Annex B.2.1).
The multiplicative identity element (1) is represented by the bit string of all 1s (11. . .11), while
the zero element is represented by the bit string of all 0s.
Since squaring is a linear operator in F2m, we have:
m 1
4 9
2 = ai2 2
i= 0
m 1
m 1
= ai2 2 = ai 1 2 = am 1a0 ! am 2 ,
i=0
i +1
i=0
- 132 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
with indices reduced modulo m. Hence, a normal basis representation of F2m is advantageous
because squaring a field element can then be accomplished by a simple rotation of the vector
representation, an operation that is easily implemented in hardware.
Example 4: The finite field F24 using a Gaussian normal basis representation.
As in Example 3, the elements of F24 are the binary 4-tuples:
(0000)
(0001)
(0010)
(0011)
(0100)
(0101)
(0110)
(0111)
(1000)
(1001)
(1010)
(1011)
(1100)
(1101)
(1110)
(1111).
F (5) = 1
F (9) = 0
F (2) = 1
F (6) = 1
F (10) = 2
F (3) = 0
F (7) = 3
F (11) = 3
F (4) = 2
F (8) = 3
F (12) = 2.
ANSI X9.63-2001
ANSI X9.63-2001
B.3
Let p > 3 be a prime number. Let a, b Fp be such that 4a3 + 27b2 0 in Fp. An elliptic curve
E(Fp) over Fp defined by the parameters a and b is the set of solutions (x, y), for x,y Fp, to the
equation: y2 = x3 + ax + b, together with an extra point O, the point at infinity. The number of
points in E(Fp) is denoted by #E(Fp). The Hasse Theorem tells us that:
p+12p #E(Fp) p+1+2p.
The set of points E(Fp) forms a group with the following addition rules:
1.
O + O = O.
- 134 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
3.
(x, y) + (x,-y) = O for all (x, y) E(Fp) (i.e., the negative of the point (x, y) is -(x, y) = (x,y)).
4.
(Rule for adding two distinct points that are not inverses of each other)
Let (x1,y1) E(Fp) and (x2,y2) E(Fp) be two points such that x1 x2.
Then (x1,y1) + (x2,y2) = (x3,y3), where:
x3 = 2x1x2, y3 = (x1 x3)y1, and =
5.
y2 y1
.
x2 x1
3x12 + a
.
2 y1
The group E(Fp) is abelian, which means that P1+P2 = P2+P1 for all points P1 and P2 in E(Fp).
The curve is said to be supersingular if #E(Fp) = p+1; otherwise, it is non-supersingular. Only
non-supersingular curves shall be in compliance with this standard (see Annex H).
(0,22)
(6,19)
(13,7)
(1,7)
(7,11)
(13,16)
(1,16)
(7,12)
(17,3)
(3,10)
(9,7)
(17,20)
(3,13)
(9,16)
(18,3)
(4,0)
(11,3)
(18,20)
(5,4)
(11,20)
(19,5)
(5,19)
(12,4)
(19,18).
The solutions were obtained by trial and error. The group E(F23) has 28 points (including the
point at infinity O). The following are examples of the group operation.
1.
y2 y1 7 10 3 1
= 11 F23,
=
=
=
x2 x1
93
6
2
- 135 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
x3 = 2 - x1 - x2 = 112 - 3 - 9 = 6 - 3 - 9 = -6 = 17,
y3 = (x1 - x3) - y1 = 11(3 - 17) - 10 = 11(9) - 10 = 89 = 20.
Therefore, P1 + P2 = (17, 20).
2.
2 7
2
3 x12 + a 3 3 + 1 5 1
=
=
= = 6,
2 y1
20
20 4
x3 = 2 - 2x1 = 62 - 6 = 30 = 7,
y3 = (x1 - x3) - y1 = 6(3 - 7) - 10 = -24 - 10 = -11 = 12.
Therefore, 2P1 = (7, 12).
B.4
A non-supersingular elliptic curve E(F2m) over F2m defined by the parameters a, b F2m, b 0,
is the set of solutions (x, y), xF2m, yF2m, to the equation y2 + xy = x3 + ax2 + b, together with
an extra point O, the point at infinity. The number of points in E(F2m) is denoted by #E(F2m).
The Hasse Theorem tells us that:
q + 1 2q #E(F2m) q + 1 + 2q,
where q = 2m. Furthermore, #E(F2m) is even.
The set of points E(F2m) forms a group with the following addition rules:
1.
O + O = O.
2.
3.
(x, y) + (x, x + y) = O for all (x, y) E(F2m) (i.e., the negative of the point (x, y) is
( x , y ) = (x, x + y)).
4.
(Rule for adding two distinct points that are not inverses of each other)
Let (x1, y1) E(F2m) and (x2, y2) E(F2m) be two points such that x1 x2. Then
(x1, y1) + (x2, y2) = (x3, y3), where:
- 136 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
y1 + y2
.
x1 + x2
y1
.
x1
The group E(F2m) is abelian, which means that P1 + P2 = P2 + P1 for all points P1 and P2 in
E(F2m).
Two examples of elliptic curves over F24 are provided below. Example 6 uses a trinomial basis
representation for the field, and Example 7 uses an optimal normal basis representation.
0 = (0001)
4 = (0011)
8 = (0101)
12 = (1111)
1 = (0010)
5 = (0110)
9 = (1010)
13 = (1101)
2 = (0100)
6 = (1100)
10 = (0111)
14 = (1001)
3 = (1000)
7 = (1011)
11 = (1110)
15 = 0 = (0001).
Consider the non-supersingular elliptic curve over F24 with defining equation:
y2 + xy = x3 + 4x2 + 1.
Here, a = 4 and b = 1. The notation for this equation can be expressed as follows, since the
multiplicative identity is (0001):
(0001) y2 + (0001) xy = (0001) x3 + (0011) x2 + (0001).
Then the solutions over F24 to the equation of the elliptic curve are:
(6, 8)
(0, 1)
(1, 6)
(1, 13)
(3, 8)
(3, 13)
(5, 3)
(5, 11)
(6, 14)
(9, 10)
(9, 13)
(10, 1)
(10, 8)
(12, 0)
(12, 12).
- 137 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
The group E(F24 ) has 16 points (including the point at infinity O). The following are examples
of the group operation.
1.
Let P1 = (x1, y1) = (6, 8), P2 = (x2, y2) = (3, 13), and P1 + P2 = (x3, y3). Then:
=
y1 + y2 8 + 13
=
= ,
x1 + x2 6 + 3
x3 = 2 + + x1+ x2 + a = 2 + + 6 + 3 + 4 = 1,
y3 = (x1 + x3) + x3 + y1 = (6 + 1) +1 + 8 = 13.
2.
y1
8
= 6 + 6 = 3,
x1
x3 = 2 + + a = 6 + 3 + 4 = 10 ,
y3 = x12 + (+1)x3 = 12 + (3+1)10 = 8.
0 = (1111)
1 = (1100)
2 = (0110)
3 = (0100)
4 = (0011)
5 = (1010)
6 = (0010)
7 = (0111)
8 = (1001)
9 = (1000)
10 = (0101)
11 = (1110)
12 = (0001)
13 = (1101)
14 = (1011)
15 = 0 = (1111).
ANSI X9.63-2001
ANSI X9.63-2001
(, 0)
(,)
(3, 5)
(3, 11)
(4, 3)
(5, 3)
(5, 11)
(6, 0)
(6, 6)
(8, 3)
(8, 13)
(11, 0)
(11, 11)
(12, 8)
(12, 9)
(13, 2)
(13, 14).
(4, 7)
Since there are 19 solutions to the equation in F24 , the group E(F24 ) has 19 + 1 = 20 elements
(including the point at infinity). This group turns out to be a cyclic group. If G = (3, 5) and the
addition formulae is used, then:
1G = (3, 5)
2G = (4, 3)
3G = (13, 2)
4G = (, 0)
5G = (12, 8)
6G = (8, 3)
7G = (11, 0)
8G = (5, 11)
9G = (6, 0)
10G = (0, 9)
- 139 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
15G = (12, 9)
20G = O.
ANSI X9.63-2001
ANSI X9.63-2001
Annex C
(informative)
Tables of Trinomials, Pentanomials, and Gaussian Normal
Bases
C.1
type
4
14
173
179
181
191
193
197
199
211
223
227
229
233
239
241
251
257
263
269
271
277
281
283
293
307
311
313
317
331
337
2
2
6
2
4
18
4
10
12
24
12
2
2
6
2
6
6
8
6
4
2
6
2
4
6
6
26
6
10
type
type
type
347
349
353
359
367
373
379
383
389
397
401
409
419
421
431
433
439
443
449
457
461
463
467
479
487
491
499
503
509
521
523
6
10
14
2
6
4
12
12
24
6
8
4
2
10
2
4
10
2
8
30
6
12
6
8
4
2
4
6
2
32
10
541
547
557
563
569
571
577
587
593
599
601
607
613
617
619
631
641
643
647
653
659
661
673
677
683
691
701
709
719
727
733
18
10
6
14
12
10
4
14
2
8
6
6
10
8
4
10
2
12
14
2
2
6
4
8
2
10
18
4
2
4
10
739
743
751
757
761
769
773
787
797
809
811
821
823
827
829
839
853
857
859
863
877
881
883
887
907
911
919
929
937
941
947
4
2
6
16
2
10
6
6
6
2
10
8
10
14
10
12
4
8
22
6
16
18
4
6
6
2
4
8
6
6
6
- 140 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Table C-1.b: The type of GNB that shall be used for F2m.
type
type
type
type
953
967
971
977
983
991
997
1009
1013
1019
1021
1031
1033
1039
1049
1051
1061
1063
1069
1087
1091
1093
1097
1103
1109
1117
1123
1129
1151
1153
1163
1171
1181
1187
1193
1201
2
16
6
8
14
18
4
10
2
2
10
2
4
4
2
12
6
4
10
4
6
4
14
2
12
6
4
4
6
22
32
6
12
8
6
6
1213
1217
1223
1229
1231
1237
1249
1259
1277
1279
1283
1289
1291
1297
1301
1303
1307
1319
1321
1327
1361
1367
1373
1381
1399
1409
1423
1427
1429
1433
1439
1447
1451
1453
1459
1471
12
24
2
2
16
16
10
14
20
10
6
2
10
4
20
16
8
18
6
4
6
8
12
6
18
2
4
6
4
6
2
24
2
4
10
16
1481
1483
1487
1489
1493
1499
1511
1523
1531
1543
1549
1553
1559
1567
1571
1579
1583
1597
1601
1607
1609
1613
1619
1621
1627
1637
1657
1663
1667
1669
1693
1697
1699
1709
1721
1723
2
10
6
10
14
2
2
14
6
4
4
6
2
4
8
4
2
4
2
6
10
6
8
18
18
38
16
4
8
10
6
8
12
12
20
10
1733
1741
1747
1753
1759
1777
1783
1787
1789
1801
1811
1823
1831
1847
1861
1867
1871
1873
1877
1879
1889
1901
1907
1913
1931
1933
1949
1951
1973
1979
1987
1993
1997
1999
2
22
10
4
18
4
12
6
10
12
2
6
6
6
40
10
8
6
8
4
2
2
6
14
2
12
18
22
2
20
4
6
44
10
- 141 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
C.2
ANSI X9.63-2001
- 142 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
C.3
ANSI X9.63-2001
- 143 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
C.4
ANSI X9.63-2001
Table of Fields F2m which have both an ONB and a TPB over F2
Table C-4 Values of m, 160 d m d 2000, for which the field F2m has both an ONB and a
TPB over F2.
191
233
239
281
359
431
593
641
719
743
761
809
911
953
1031
1049
1103
1223
1289
1409
1481
1511
- 144 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
1559
1583
1601
1889
ANSI X9.63-2001
ANSI X9.63-2001
Annex D
(informative)
Informative Number-Theoretic Algorithms
D.1
2.
Let e = erer-1...e1e0 be the binary representation of e, where the most significant bit er of e
is 1.
3.
Set x = g.
4.
5.
4.1.
Set x = x2.
4.2.
Output x.
There are several variations of this method that can be used to speed up the computations. One
such method that requires some precomputations is described in [22]. See also Knuth [47].
ANSI X9.63-2001
ANSI X9.63-2001
2.
Output c.
Set = P2 - 4Q.
2.
3.
Set U = 1, V = P.
4.
+ U 2
7 mod p).
4.2.
5.
Output U and V.
ANSI X9.63-2001
ANSI X9.63-2001
If g = 0, then there is one square root (mod p), namely y = 0. If g 0, then g has either 0 or 2
square roots (mod p). If y is one square root, then the other is p-y.
The following algorithm determines whether g has square roots (mod p) and, if so, computes
one. The algorithm is used in Section 4.2.1 and Annex D.3.1.
Input: An odd prime p, and an integer g with 0 < g < p.
Output: A square root (mod p) of g if one exists; otherwise, the message no square roots exist.
Algorithm 1: for p 3 (mod 4), that is p = 4u + 3 for some positive integer u.
1.
2.
Compute z = y2 mod p.
3.
2.
3.
4.
Compute z = y2 mod p.
5.
Set Q = g.
2.
3.
4.
5.
If U / 1 (mod p), then output the message no square roots exist and stop.
6.
Go to Step 2.
- 147 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Tr() = + 2 + 2 + ... + 2
m-1
The value of Tr() is 0 for half the elements of F2m, and 1 for the other half. The trace can be
computed as follows. The methods are used in Annex D.1.6.
Normal basis representation used for elements of F2m:
If has representation (0 1... m-1), then:
Tr() = 0 1 ... m-1.
Polynomial basis representation used for elements of F2m:
1.
Set T = .
2.
For i from 1 to m - 1 do
2.1.
3.
T = T 2 + .
Output T.
m-1
+ 2 + 2 + ... + 2 .
If F2m is represented by a polynomial basis, the half-trace can be computed efficiently as follows.
The method is used in Annex D.1.6.
1.
Set T = .
2.
3.
2.1.
T = T 2.
2.2.
T = T 2 + .
Output T.
ANSI X9.63-2001
ANSI X9.63-2001
z2 + z =
has 2-2T solutions over F2m , where T = Tr(). Thus, there are either 0 or 2 solutions. If = 0,
then the solutions are 0 and 1. If 0 and z is a solution, then the other solution is z+1.
The following algorithms determine whether a solution z exists for a given , and if so, computes
one. The algorithms are used in point compression (see Section 4.2.2) and in Annex D.3.1.
Input: A field F2m along with a basis for representing its elements; and an element 0.
Output: An element z for which z2 + z = if any exist; otherwise, the message no solutions
exist.
Algorithm 1: for normal basis representation.
1.
2.
Set z0 = 0.
3.
Set zi = zi-1 i.
4.
5.
Compute = z2 + z.
6.
2.
Compute = z2 + z.
3.
ANSI X9.63-2001
ANSI X9.63-2001
1.
2.
3.
4.
Output true.
Set b = g and j = 1.
2.
3.
4.
Output j.
2.
3.
4.
- 150 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
D.2
ANSI X9.63-2001
2.
While b(t) 0
3.
2.1.
2.2.
2.3.
2.
2.2.
- 151 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
3.
2.4.
2.5.
2.6.
If 2deg(h) > deg(g), then set g(t) = g(t)/h(t); else g(t) = h(t).
Output g(0).
1.2.
1.3.
0 j m
m jEm+ j
u 2 , b = w 2 ,
i
- 152 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ek =
exp
j =0
ANSI X9.63-2001
2 u i .
p
k
1t e 6 .
m
g (t) =
k =1
Let be a root of f(t) computed with respect to B1. ( can be computed using the
technique defined in Annex D.2.2.)
3.
=
0,1
1,1
#
m 1,1
0,0
1, 0
#
m 1, 0
! 0, m 1
! 1,m 1
%
#
" m 1,m 1
"#
##
#$
2
= 2
= 2
7
7
7
1 = 0, 0 0,1! 0,m 1
1, 0
1,1! 1,m 1
2, 0
2,1! 2, m 1
m 1 = m 1, 0 m 1,1! m 1, m 1
with respect to B1. (The entries i,j are computed by repeated multiplication by .)
3.2.
- 153 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
2
= 2
= 2
ANSI X9.63-2001
7
7
7
= 0, 0 0,1! 0, m 1
2
4
m1
1, 0
1,1! 1, m 1
2,0
2,1! 2, m 1
= m 1, 0 m 1,1! m 1, m 1
with respect to B1. (The entries i,j are computed by repeated squaring of .)
4.
If an element has representation ( 0 1... m-1) with respect to B2, then its representation
with respect to B1 is
( 0 1... m-1) = ( 0 1... m-1) .
If an element has representation (01...m-1) with respect to B1, then its representation
with respect to B2 is
( 0 1... m-1) = ( 0 1... m-1) 1,
where 1denotes the mod 2 inverse of .
Example:
Suppose that B1 is the polynomial basis (mod t4 + t +1), and B2 is the Type I optimal normal basis
for F24 . Then f(t) = t4 + t3 + t2 + t + 1, and a root is given by = (1100) with respect to B1. Then:
= (1100)
2 = (1111)
4 = (1010)
8 = (1000)
so that:
1
=
1 1 1
1 0 1
!1
"#
1
#
0#
#
0$
1 0 0
0 0
and:
- 154 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
0
1 =
"#
1
#.
1#
#
1$
0 0 1
1 0 0
0 0 1
!1
ANSI X9.63-2001
1 1
If = (1001) with respect to B2, then its representation with respect to B1 is:
(0100) = (1001) .
If = (1011) with respect to B1, then its representation with respect to B2 is:
(1101) = (1011)
2.
Set u(x) = x.
3.
3.2.
3.3.
4.
Output true.
D.3
- 155 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
Set = x3 + ax + b mod p.
3.
4.
Apply the appropriate algorithm from Annex D.1.4 to look for a square root (mod p) of
.
5.
If the output of Step 4 is no square roots exist, then go to Step 1. Otherwise, the output
of Step 4 is an integer y with 0 < y < p such that y2 (mod p).
6.
2.
3.
Set = x3 + ax2 + b.
4.
5.
Set = x-2 .
6.
Apply the appropriate algorithm from Annex D.1.6 to look for an element z for which z2
+ z = .
m-1
- 156 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
7.
If the output of Step 6 is no solutions exist, then go to Step 1. Otherwise, the output of
Step 6 is a solution z.
8.
Set y = xz.
9.
Set e = k mod n, where n is the order of P. (If n is unknown, then set e = k instead.)
2.
Let hr hr-1 ...h1 h0 be the binary representation of 3e, where the leftmost bit hr is 1.
3.
4.
Set R = P.
5.
6.
5.1.
Set R = 2R.
5.2.
5.3.
Output R.
Note: To subtract the point (x, y), just add the point (x, -y) (for the field Fp) or (x, x + y) (for the
field F2m).
There are several variations of this method that can be used to speed up the computations. One
such method that requires some precomputations is described in [22]. See also Knuth [47].
- 157 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex E
(informative)
Complex Multiplication (CM) Elliptic Curve Generation
Method
This Annex describes a method for generating an elliptic curve with a known order. The method
may be used for selecting an appropriate elliptic curve and point (see Annex A.3.2).
E.1
This section provides some number-theoretic algorithms that are used in Annexes E.2 and E.3.
These algorithms are not used in any other sections of this Standard.
a
If p > 2 is prime, and a is any integer, then the Legendre symbol p is defined as follows. If p
a
a
divides a, then p = 0. If p does not divide a, then p equals 1 if a is a square modulo p, and
equals 1 otherwise. (Despite the similarity in notation, a Legendre symbol should not be
confused with a rational fraction; the distinction must be made from the context.)
a
The Jacobi symbol n is a generalization of the Legendre symbol. If n > 1 is odd with prime
factorization:
t
n = piei ,
i =1
a = a
n p
t
i =1
ei
- 158 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
a
where the symbols pi are Legendre symbols. (Despite the similarity in notation, a Jacobi
symbol should not be confused with a rational fraction; the distinction must be made from the
context.)
The values of the Jacobi symbol are 1 if a and n are relatively prime, and 0 otherwise. The
values 1 and 1 are achieved equally often (unless n is a square, in which case the value 1 does
not occur at all).
The following algorithm efficiently computes the Jacobi symbol.
Input: An integer a and an odd integer n > 1.
a
2.
Set x = a, y = n, J = 1.
3.
4.
5.
4.1
Set x = y x.
4.2.
While 4 divides x
5.1
6.
Set x = x/4.
If 2 divides x, then
6.1
Set x = x/2.
6.2
7.
8.
9.
Switch x and y.
10.
Go to Step 3.
If n is equal to a prime p, the Jacobi symbol can also be found efficiently using exponentiation
via:
- 159 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
a (p1)/2
mod p.
p = a
E.1.2 Finding Square Roots Modulo a Power of 2
If r > 2 and a < 2r is a positive integer congruent to 1 modulo 8, then there is a unique positive
integer b less than 2r2 such that b2 a (mod 2r). The number b can be computed efficiently using
the following algorithm. The binary representations of the integers a, b, h are denoted as
a = ar1...a1a0,
b = br1...b1b0,
h = hr1...h1h0.
Input: An integer r > 2, and a positive integer a 1 (mod 8) that is less than 2r.
Output: The positive integer b that is less than 2r2, such that b2 a (mod 2r).
1.
Set h = 1.
2.
Set b = 1.
3.
For j from 2 to r 2 do
If hj+1 aj+1, then
Set bj = 1.
If j < r/2
then h = (h + 2j+1b 22j) mod 2 r.
else h = (h + 2j+1b) mod 2 r.
4.
5.
Output b.
ANSI X9.63-2001
ANSI X9.63-2001
1.
Let k = kr kr1 ... k1 k0 be the binary representation of k, where the most significant bit kr
of k is 1.
2.
3.
4.
3.1
3.2
Output u(t).
2.
2.2
3.
1) / 2
mod g(t).
2.3
2.4
2.5
If 2 deg(h) > deg(g), then set g(t) = g(t) / h(t); else g(t) = h(t).
Output g(t).
- 161 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2.
2.2
2.3
For i from 1 to d 1 do
2.3.1
2.4
2.5
2.6
If 2 deg(h) > deg(g), then set g(t) = g(t) / h(t); else g(t) = h(t).
3.
Output g(t).
E.2
The following computations are necessary for the complex multiplication technique described in
Annex E.3.
E.2.1 Overview
A reduced symmetric matrix is one of the form
S=
A B
B C
ANSI X9.63-2001
ANSI X9.63-2001
1.
gcd(A, 2B, C) = 1,
2.
|2B| A C,
3.
2.
3.
For B from 0 to s do
D/3.
3.1.
3.2.
For i from 1 to r do
3.2.1. Set C = (D + B 2) / Ai.
3.2.2. If gcd(Ai, 2B, C) = 1, then
add [Ai, B, C] to list.
if 0 < 2B < Ai < C, then add [Ai, B, C] to list.
4.
Output list.
- 163 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
D + B2 .
ANSI X9.63-2001
ANSI X9.63-2001
Example:
D = 71. Check that 0 B < 5.
F( z ) = 1 + ( 1) j z ( 3 j
j =1
j )/ 2
+ z (3 j
+ j )/ 2
= 1 z z 2 + z 5 + z 7 z12 z15 +!
and:
= exp
D + Bi
.
A
Let:
0(A, B, C) = 1/24 F() / F( 2),
1(A, B, C) = 1/24 F() / F( 2),
2(A, B, C) = 2 1/12F( 4) / F( 2).
Note: Since < e 3 / 2 0.0658287 , the series F(z) used in computing the numbers J(A, B, C)
converges as quickly as a power series in e 3 / 2 .
- 164 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
( A 2 1)/ 8
( C 2 1)/ 8
= e iK/24.
If [A1, B1, C1], ..., [Ah ,Bh ,Ch] are the reduced symmetric matrices of (positive squarefree)
determinant D, then the reduced class polynomial for D is:
h
wD(t) =
- 165 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Note: The above computations must be performed with sufficient accuracy to identify each
coefficient of the polynomial wD(t). Since each such coefficient is an integer, this means that the
error incurred in calculating each coefficient should be less than 1/2.
Example:
w71(t) =
t 1 f (1,0,71)
2
t e f (3,1,24) t e f (3,1,24)
2
2
t e f (8,1,9) t e f (8,1,9)
2
2
t + e f (5,2,15) t + e f (5,2,15)
2
2
0
i / 8
i / 8
23i / 24
23i / 24
5 i /12
5 i /12
(t 2.13060682983889533005591468688942503...)
(t (0.95969178530567025250797047645507504...) +
(0.34916071001269654799855316293926907...) i)
(t (0.95969178530567025250797047645507504...)
(0.34916071001269654799855316293926907...) i)
(t + (0.7561356880400178905356401098531772...) +
(0.0737508631630889005240764944567675...) i)
(t + (0.7561356880400178905356401098531772...)
(0.0737508631630889005240764944567675...) i)
(t + (0.2688595121851000270002877100466102...)
(0.84108577401329800103648634224905292...) i)
(t + (0.2688595121851000270002877100466102...) +
(0. 84108577401329800103648634224905292...) i)
t 7 2t 6 t 5 + t 4 + t 3 + t 2 t 1.
- 166 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
E.3
ANSI X9.63-2001
Complex Multiplication
E.3.1 Overview
If E is a non-supersingular elliptic curve over Fq of order u, then:
Z = 4q (q+1u)2
is positive by the Hasse Theorem (see Annex C.3 and Annex C.4). Thus, there is a unique
factorization:
Z = DV2
where D is squarefree (i.e. contains no square factors). Thus, for each non-supersingular elliptic
curve over Fq of order u, there exists a unique squarefree positive integer D such that:
(*)
4q = W 2 + DV 2,
(**)
u=q+1W
Step 1:
- 167 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Step 2:
(Annex E.3.4 and Annex E.3.5, Constructing a Curve and Point):
Given D, k and r, construct an elliptic curve over Fq and a point of order r.
E.3.2.1
Congruence Conditions
A squarefree positive integer D can be a CM discriminant for p only if it satisfies the following
congruence conditions. Let:
##
$
( p + 1)2
K=
.
rmin
ANSI X9.63-2001
ANSI X9.63-2001
E.3.2.2
Input: A prime p and a squarefree positive integer D satisfying the congruence conditions from
Annex E.3.2.1.
Output: If D is a CM discriminant for p, an integer W such that:
4p = W 2 + DV 2
for some V. (In the cases D = 1 or 3, the output also includes V.) If not, the message not
a CM discriminant.
1.
Apply the appropriate technique from Annex D.1.4 to find a square root modulo p of D
or determine that none exist.
2.
If the result of Step 1 indicates that no square roots exist, then output not a CM
discriminant and stop. Otherwise, the output of Step 1 is an integer B modulo p.
3.
Let A = p and C = (B 2 + D) / p.
- 169 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
4.
Let S =
5.
5.2.
##
$
1
.
B 1
+ .
C 2
!
0
Let T =
1
Let =
5.3.
Replace U by T 1U.
5.4.
6.
7.
X .
Y
8.
9.
10.
11.
E.3.2.3
Input: A prime p, a trial division bound lmax, and lower bound rmin for the base point order.
Output: A squarefree positive integer D, a prime r with rmin r, and a smooth integer k such that
u = kr is the order of an elliptic curve modulo p with complex multiplication by D.
1.
Choose a squarefree positive integer D that has not already been chosen during this
execution of the algorithm, satisfying the congruence conditions of Annex E.3.2.1.
D
p using Annex E.1.1. If J = 1 then go to Step 1.
2.
3.
- 170 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
p
For each l, compute the Jacobi symbol J = l using Annex E.1.1. If J = 1 for some l,
then go to Step 1.
5.
Test whether D is a CM discriminant for p using Annex E.3.2.2. If the result is not a CM
discriminant, go to Step 1. (Otherwise, the result is the integer W, along with V if D = 1
or 3.)
6.
7.
Test each order for near-primality (Annex A.2.2.) If any order is nearly prime, output (D,
k, r) and stop.
8.
Go to Step 1.
Example:
Let p = 2192 264 1. Then:
p = 4X 2 2XY +
1+ D 2
Y and p + 1 (4X Y) = r
4
where D = 235,
X = 31037252937617930835957687234,
Y = 5905046152393184521033305113,
and r is the prime:
r = 6277101735386680763835789423337720473986773608255189015329.
Thus, there is a curve modulo p of order r having complex multiplication by D.
- 171 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
E.3.3.1
2.
3.
Let S =
4.
4.2
5.
##
$
1
.
B 1
+ .
C 2
!
0
Let T =
1
Let =
4.3
Replace U by T 1U.
4.4
X .
Y
6.
7.
8.
- 172 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Input: A field degree d, a trial division bound lmax, and lower bound rmin for the base point order.
Output: A squarefree positive integer D, a prime r with rmin r, and a smooth integer k such that
u = kr is the order of an elliptic curve over F2d with complex multiplication by D.
1.
Choose a squarefree positive integer D 7 (mod 8) that has not already been chosen
during this execution of the algorithm.
2.
3.
4.
5.
Test whether D is a CM discriminant for 2d via Annex E.3.3.1. If the result is not a CM
discriminant, go to Step 1. (Otherwise, the result is the integer W.)
6.
7.
Test each order for near-primality via Annex A.2.2. If any order is nearly prime, output
(D, k, r) and stop.
8.
Go to Step 1.
Example:
Let q = 2155. Then:
4q = X 2 + DY 2 and q + 1 X = 4r
where:
D = 942679,
X = 229529878683046820398181,
Y = 371360755031779037497,
and r is the prime:
r = 11417981541647679048466230373126290329356873447.
Thus, there is a curve over Fq of order 4r having complex multiplication by D.
- 173 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
E.3.4.1
Given a prime p and a CM discriminant D, the following technique produces an elliptic curve y2
= x3 + a0x + b0 modulo p with CM by D. (Note that there are at least two possible orders among
curves with CM by D. The curve constructed here will have the proper CM, but not necessarily
the desired order. This curve will be replaced in Annex E.3.4.2 by one of the desired order.)
For nine values of D, the coefficients of E can be written down at once:
a0
b0
30
56
35
98
11
264
1694
19
152
722
43
3440
77658
67
29480
1948226
163
8697680
9873093538
2.
ANSI X9.63-2001
ANSI X9.63-2001
If W is even, then use Annex E.1.4 with d = 1 to compute a root s of wD(t) modulo p. Let:
V = (1)D 2 4I/K s 24/(GK) mod p,
where G, I and K are as in Annex E.2.3. Finally, let:
a0 = 3(V + 64)(V + 16) mod p,
b0 = 2(V + 64)2 (V 8) mod p.
4.
If W is odd, then use Annex E.1.4 with d = 3 to find a cubic factor g (t) of wD(t) modulo
p. Perform the following computations, in which the coefficients of the polynomials are
integers modulo p.
V (t ) =
Example:
If D = 235, then:
wD(t) = t 6 10t 5 + 22t 4 24t 3 + 16t 2 4t + 4.
If p = 2192 264 1, then:
wD(t) (t 3 (5 + )t 2 + (1 )t 2) (t 3 (5 )t 2 + (1 + )t 2) (mod p),
where = 1254098248316315745658220082226751383299177953632927607231. The
resulting coefficients are:
- 175 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
a0 = 2089023816294079213892272128,
b0 = 36750495627461354054044457602630966837248.
Thus, the curve y 2 x 3 + a0x 2 + b0 modulo p has CM by D = 235.
E.3.4.2
2.
3.
4.
If the output of Annex A.3.1 is wrong order, then output the message wrong order
and stop.
5.
The method of selecting in the first step of this algorithm depends on the kind of coefficients
desired. Two examples follow.
If there is no restriction on the coefficients, then choose at random. If the output is the
message wrong order, then repeat the algorithm until a set of parameters a, b, G is
- 176 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
obtained. This will happen for half the values of , unless D = 1 (one-quarter of the
values) or D = 3 (one-sixth of the values).
E.3.5.1
Input: A field F2m, a CM discriminant D for 2m, and the desired curve order u=hn.
Output: a and b such that the elliptic curve:
y2 + xy = x3 + ax2 + b
over F2m has order u.
1.
2.
3.
4.
If 3 divides D
then set b =
else set b = 3.
5.
6.
Example:
If D = 942679, then:
wD(t) 1 + t2 + t6 + t10 + t12 + t13 + t16 + t17 + t20 + t22 + t24 + t27 + t30 + t33 + t35 + t36 + t37 +
t41 + t42 + t43 + t45 + t49 + t51 + t54 + t56 + t57 + t59 + t61 + t65 + t67 + t68 + t69 + t70 +
t71 + t72 + t74 + t75 + t76 + t82 + t83 + t87 + t91 + t93 + t96 + t99 + t100 + t101 + t102 + t103
- 177 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
+ t106 + t108 + t109 + t110 + t114 + t117 + t119 + t121 + t123 + t125 + t126 + t128 + t129 + t130
+ t133 + t134 + t140 + t141 + t145 + t146 + t147 + t148 + t150 + t152 + t154 + t155 + t157 + t158
+ t160 + t161 + t166 + t167 + t171 + t172 + t175 + t176 + t179 + t180 + t185 + t186 + t189 + t190
+ t191 + t192 + t195 + t200 + t201 + t207 + t208 + t209 + t210 + t211 + t219 + t221 + t223 + t225
+ t228 + t233 + t234 + t235 + t237 + t238 + t239 + t241 + t242 + t244 + t245 + t248 + t249 + t250
+ t252 + t253 + t255 + t257 + t260 + t262 + t263 + t264 + t272 + t273 + t274 + t276 + t281 + t284
+ t287 + t288 + t289 + t290 + t292 + t297 + t299 + t300 + t301 + t302 + t304 + t305 + t306 + t309
+ t311 + t312 + t313 + t314 + t317 + t318 + t320 + t322 + t323 + t325 + t327 + t328 + t329 + t333
+ t335 + t340 + t341 + t344 + t345 + t346 + t351 + t353 + t354 + t355 + t357 + t358 + t359 + t360
+ t365 + t366 + t368 + t371 + t372 + t373 + t376 + t377 + t379 + t382 + t383 + t387 + t388 + t389
+ t392 + t395 + t398 + t401 + t403 + t406 + t407 + t408 + t409 + t410 + t411 + t416 + t417 + t421
+ t422 + t423 + t424 + t425 + t426 + t429 + t430 + t438 + t439 + t440 + t441 + t442 + t443 + t447
+ t448 + t450 + t451 + t452 + t453 + t454 + t456 + t458 + t459 + t460 + t462 + t464 + t465 + t466
+ t467 + t471 + t473 + t475 + t476 + t481 + t482 + t483 + t484 + t486 + t487 + t488 + t491 + t492
+ t495 + t496 + t498 + t501 + t503 + t505 + t507 + t510 + t512 + t518 + t519 + t529 + t531 + t533
+ t536 + t539 + t540 + t541 + t543 + t545 + t546 + t547 + t548 + t550 + t552 + t555 + t556 + t557
+ t558 + t559 + t560 + t563 + t565 + t566 + t568 + t580 + t585 + t588 + t589 + t591 + t592 + t593
+ t596 + t597 + t602 + t604 + t606 + t610 + t616 + t620 (mod 2).
This polynomial factors into 4 irreducibles over F2, each of degree 155. One of these is:
p(t) = 1 + t + t2 + t6 + t9 + t10 + t11 + t13 + t14 + t15 + t16 + t18 + t19 + t22 + t23 + t26 + t27 +
t29 + t31 + t49 + t50 + t51 + t54 + t55 + t60 + t61 + t62 + t64 + t66 + t70 + t72 + t74 + t75 +
t80 + t82 + t85 + t86 + t88 + t89 + t91 + t93 + t97 + t101 + t103 + t104 + t111 + t115 + t116 +
t117 + t118 + t120 + t121 + t123 + t124 + t126 + t127 + t128 + t129 + t130 + t131 + t132 + t134 +
t136 + t137 + t138 + t139 + t140 + t143 + t145 + t154 + t155.
If t is a root of p(t), then the curve:
y 2+xy = x 3 + t3
over F2155 has order 4r, where r is the prime:
r = 11417981541647679048466230373126290329356873447.
E.3.5.2
Input: A field size F2m, an appropriate D, the corresponding k and r from Annex E.3.3.2.
Output: A curve E over F2m and a point G on E of order r.
1.
2.
Find a point G of order r via Annex A.3.1. (In the notation of Annex A.3.1, h = k and n =
r.)
- 178 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
- 179 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex F
(informative)
An Overview of Elliptic Curve Systems
Many public-key cryptographic systems are based on exponentiation operations in large finite
groups. The cryptographic strength of these systems is derived from the believed computational
intractability of computing logarithms in these groups. The most common groups are the
multiplicative groups of Zp (the integers modulo a prime p) and F2m (characteristic 2 finite fields).
The primary advantages of these groups are their rich theory, easily understood structure, and
straightforward implementation. However, they are not the only groups that have the requisite
properties. In particular, the mathematical structures known as elliptic curves have the requisite
mathematical properties, a rich theory, and are especially amenable to efficient implementation
in hardware or software.
The algebraic system defined on the points of an elliptic curve provides an alternate means to
implement cryptographic schemes based on the discrete logarithm problem. These protocols are
described in the literature in the algebraic system Zp, the integers modulo p, where p is a prime.
For example, ANSI X9.42 [4] describes a suite of key agreement mechanisms based on the
Diffie-Hellman scheme defined over Zp. These mechanisms can also be defined over the points
on an elliptic curve.
Elliptic curve systems as applied to ElGamal protocols were first proposed in 1985
independently by Neil Koblitz from the University of Washington, and Victor Miller, who was
then at IBM, Yorktown Heights. The security of the cryptosystems using elliptic curves hinges
on the intractability of the discrete logarithm problem in the algebraic system. Unlike the case of
the discrete logarithm problem in finite fields, or the problem of factoring integers, there is no
subexponential-time algorithm known for the elliptic curve discrete logarithm problem. The best
algorithm known to date takes fully exponential time.
Associated with any finite field Fq, there are on the order of q different (up to isomorphism)
elliptic curves that can be formed and used for the cryptosystems. Thus, for a fixed finite field
with q elements and with a large value of q, there are many choices for the elliptic curve group.
Since each elliptic curve operation requires a number of more basic operations in the underlying
finite field Fq, a finite field may be selected with a very efficient software or hardware
implementation, and there remain an enormous number of choices for the elliptic curve.
This Standard describes the implementation of a suite of key establishment schemes that use
elliptic curves over a finite field Fq, where q is either a prime number or equal to 2m for some
positive integer m.
- 180 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
Annex G
(informative)
Comparison of Elliptic Curves and Finite Field Groups
The elliptic curve key establishment schemes described in this Standard can also be described in
the more traditional setting of Fp* (also denoted Zp*), the multiplicative group of the integers
modulo a prime. For example, many of the key agreement schemes are elliptic curve analogs of
the schemes described in ANSI X9.42 [4].
The following tables show the correspondence between the elements and operations of the group
Fp* and the elliptic curve group E(Fq), as well as the correspondence between the language of
ANSI X9.42 and the language of this Standard.
Table G-1 compares the basic properties of the two underlying groups: Fp* and E(Fq).
Fp*
E(Fq)
Group elements
Group operation
Multiplication modulo p
Addition of points
Notation
Elements: g1, g2
Elements: P1, P2
Multiplication: g1 g2
Addition: P1 + P2
Exponentiation: gk
Discrete logarithm
problem
Diffie-Hellman
problem
Table G-2 compares the notation used to describe analogous key agreement schemes in two
ANSI standards: ANSI X9.42 [4] and this Standard.
ANSI X9.63-2001
ANSI X9.63-2001
X9.42
X9.63
Notation
Notation
#E(Fq)
ds
Qs
de
Qe
Table G-3 continues the comparison between ANSI X9.42 and this Standard. In the table, the
procedures for setting up the key agreement schemes are compared.
X9.63 Setup
2. g is an element of order q in
Fp*.
Table G-4 compares the key generation procedure used by ANSI X9.42 and this Standard.
- 182 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
ANSI X9.63-2001
2. Compute y = gx mod p.
2. Compute Q = dG.
Finally Table G-5 looks more closely at one particular scheme that is specified in both ANSI
X9.42 and this Standard: the full Unified Model scheme.
X9.63
- 183 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Annex H
(informative)
Security Considerations
This appendix is provided as an initial guidance for implementors of this Standard. This
information should be expected to change over time. Implementors should review the current
state-of-the-art in attacks on the schemes at the time of implementation.
Annex H.1 summarizes the best attacks known on the elliptic curve discrete logarithm problem,
which is the basis for the security of all elliptic curve systems. Annexes H.2 and H.3 discuss
security issues for elliptic curve domain parameters and elliptic curve key pairs, respectively.
The security considerations discussed in Annexes H.1, H.2, and H.3 affect all elliptic curve
systems. Annex H.4 discusses security issues specific to key establishment schemes and, in
particular, the suite of key establishment schemes in this Standard. Annex H.5 discusses issues
related to validation of implementations of the schemes in this Standard.
H.1
Let E be an elliptic curve defined over a finite field Fq. Let GE(Fq) be a point of order n, where
n is a prime number and n>2160.
The elliptic curve discrete logarithm problem (ECDLP) is the following: given E, G and
Q E(Fq), determine the integer l, 0 l n-1, such that Q = lG, provided that such an integer
exists.
The ECDLP can be solved by exhaustive search, i.e., by exhaustively trying integers l in the
interval [0,n-1]. The best general algorithms known to date for ECDLP are the Pollard-
method [60] and the Pollard- method [60]. The Pollard- method takes about n / 2 steps,
where each step is an elliptic curve addition. The Pollard- method can be parallelized (see
[65]) so that if m processors are used, then the expected number of steps by each processor
before a single discrete logarithm is obtained is ( n / 2 ) / m . The Pollard- method takes about
2 n steps. It can also be parallelized (see [65]) so that if m processors are used, then the
expected number of steps by each processor before a single discrete logarithm is obtained is
about (2 n ) / m . Note that although exhaustive search can also be effectively parallelized, its
expected running time with m processors is only n/(2m) steps when l is chosen uniformly at
random from [0,n-1].
Some special classes of elliptic curves, including supersingular curves, have been prohibited in
this Standard by the requirement of the MOV condition (see Annex A.1.1). These curves have
- 184 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
been prohibited because there is a method for efficiently reducing the discrete logarithm problem
in these curves to the discrete logarithm problem in a finite field.
Also, the special class of elliptic curves called Fq-anomalous curves have been prohibited by the
requirement of the Anomalous condition (see Annex A.1.2) because there is an efficient
algorithm for computing discrete logarithms in E(Fq) where E is an anomalous curve over Fq (i.e.
#E(Fq) = q).
Finally, curves defined over F2m with m composite have been prohibited because of concerns
that these curves may be insecure.
In April 1998, Gallant, Lambert, and Vanstone [29], and Wiener and Zuccherato [66] showed
that the best algorithms known for the ECDLP (including Pollard- ) can be sped up by a factor
of 2 . Thus the expected running time of the Pollard- method with this speedup is n / 4
steps. They also showed that if E is an elliptic curve defined over F2e , then the best algorithm
known for the ECDLP in E(F2ed) can be sped up by a factor of
2d .
For example, the Koblitz curve (also called a binary anomalous curve) E: y2+xy = x3+x2+1 has
the property that #E(F2163) = 2n, where n is a 162-bit prime. The ECDLP in E(F2163) can be
solved in about 277 elliptic curve operations, which is 16 times less work than the 281 elliptic
curve operations required to solve the ECDLP for a random curve of similar order. A field
operation in F2163 takes about the same time as a SHA-1 operation, and it takes about 6 field
operations to do an elliptic curve operation and about 2 more field operations to operate in the
equivalence relation posited by the above improved algorithm. Hence, it turns out that the
improved algorithm takes roughly the same amount of work as it does to find a collision in SHA1.
To guard against existing attacks on ECDLP, one should select an elliptic curve E over Fq such
that:
1.
2.
Furthermore, to guard against possible future attacks against special classes of non-supersingular
curves, it is prudent to select an elliptic curve at random. Annex A.3.3 describes a method for
selecting an elliptic curve verifiably at random.
- 185 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Size of n
(in bits)
n / 4
MIPS years
163
160
280
8.5 x 1011
191
186
293
7.0 x 1015
239
234
2117
1.2 x 1023
359
354
2177
1.3 x 1041
431
426
2213
9.2 x 1051
Note: The strength of any cryptographic algorithm relies on the best methods that are known to
solve the hard mathematical problem that the cryptographic algorithm is based upon. The
discovery and analysis of the best methods for any hard mathematical problem is a continuing
research topic. Users of this Standard should monitor the state of the art in solving the ECDLP,
as it is subject to change. The purpose of the above discussion is to describe the current (2001)
state of knowledge regarding attacks on the ECDLP.
ANSI X9.63-2001
X9.63-2001
study of such a possibility. In their 1994 study, they estimated that if n 10 36 2120 , then a
machine with m = 325,000 processors that could be built for about $10 million would compute a
single discrete logarithm in about 35 days.
It must be emphasized that these estimates were made for specific elliptic curve domain
parameters having n 10 36 2120 . This Standard mandates that the parameter n should satisfy
n > 2160 10 48 .
Hence, hardware attacks for a parallel-search of elliptic curve discrete logarithms appears
infeasible (taking both cost and time into account) when the elliptic curve domain parameters
have n>2160.
- 187 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Extrapolating these conclusions to the case of elliptic curves, n should be at least 150 bits for
short-term security, and at least 180 bits for medium-term security. This extrapolation is justified
by the following considerations:
1.
Exhaustive search through a k-bit symmetric-key cipher takes about the same time as the
Pollard- or Pollard- algorithms applied to an elliptic curve having a 2k-bit parameter
n.
2.
Both exhaustive search with a symmetric-key cipher and the Pollard- and Pollard-
algorithms can be parallelized with a linear speedup.
3.
A basic operation with elliptic curves (addition of two points) is computationally more
expensive than a basic operation in a symmetric-key cipher (encryption of one block).
4.
In both symmetric-key ciphers and elliptic curve systems, a break has the same effect:
it recovers a single private key.
In 2000, Lenstra and Verhuel [51] (based on their assumptions) estimated that 80 bits of
(symmetric key) security will be breakable in 2012. They also estimate that ECC keysizes of 161
bits will be breakable in 2020 if one assumes that no general advances will be made in attacking
the ECDLP, and in 2010 if one assumes that some advances will be made. Since ANSI X9 has a
mandatory 5 year review cycle for all standards, this will allow sufficient time to increase
minimum keysize requirements as needed.
H.2
Elliptic curve domain parameters are comprised of a field size q, an indication FR of basis used,
an optional SEED if the elliptic curve was generated verifiably at random using the method of
Annex A.3.3, two elements a, b in Fq that define an elliptic curve E over Fq, a point G=(xG , yG)
of prime order in E(Fq), the order n of G, and the cofactor h. See Sections 5.1.1.1 and 5.1.2.1 for
a more detailed description of elliptic curve domain parameters.
1.
Choice of basis. The basis of F2m specifies the method of interpreting the bit strings that
make up the elements of F2m. There are two choices for the basis allowed in this
Standard: a polynomial basis and a normal basis. The choice of basis is not a security
consideration, but all users of a set of elliptic curve domain parameters must use the same
basis externally. (Implementations with different internal representations that produce
equivalent results are allowed.).
2.
Use of the canonical seeded hash (Annex A.3.3) to determine the elliptic curve equation
(described by a and b). For discrete logarithm based schemes, there is the possibility that
a particularly poor choice of domain parameters could lead to an attack. To address this,
DSA, for example, requires the use of a canonical seeded hash to generate the domain
parameters p and q, as this provides an assurance that p and q were generated arbitrarily.
- 188 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
The analogous attack on elliptic curve based schemes does not apply, as there are no
known poor choices for the elliptic curve domain parameters that are not already
excluded by this Standard. However, the use of the canonical seeded hash can help
mitigate fears about the possibility of new special-purpose attacks which might be
discovered in the future.
The use of a specific elliptic curve may allow performance improvements over the use of
an arbitrary elliptic curve. For these reasons, this Standard allows both the choice of a
particular elliptic curve or the generation of an arbitrary curve through the use of a
canonical seeded hash function. An arbitrary curve may be used when security
considerations are so preeminent that the possible performance impact is not a factor in
the decision.
3.
Choice of base point G. The choice of the base point G is not a security consideration as
long as it has a large prime order as required by this Standard. However, all users of a set
of elliptic curve domain parameters must use the same base point.
4.
5.
How large the MOV threshold B (see Annex A.1) should be. The MOV threshold B is a
positive integer B such that taking discrete logarithms over FqB is at least as difficult as
taking elliptic curve discrete logarithms over Fq. For this Standard, B 20. For example,
all elliptic curves over F2191, that are able to be mapped into finite fields with an order up
to around 23800 are eliminated from consideration. The value B = 20 is a conservative
choice and is sufficient to ensure resistance against the reduction attack.
- 189 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
6.
What values to use for lmax and rmin when determining n, the order of the base point G
(see Annex A.3.2). The value rmin is the minimum value that is appropriate for n, the
order of the base point G in the elliptic curve domain parameters. For this Standard, rmin >
2160. For example, if the order of the underlying field is 2191, an appropriate value for rmin
is 2185. When the order of the underlying field is larger, a larger rmin and therefore a
larger n is appropriate. Mitigating the choice is the fact that finding a curve satisfying
stricter requirements will take longer. The trial division bound lmax is the maximum size
of all prime factors of the cofactor h. In this Standard, the order of an elliptic curve will
be a number u such that u = hn, where n is a large prime factor (and the order of the base
point G) and, h is a number whose prime factors are all less than lmax. For example, if the
order of the underlying field is 2191 and rmin is 2185, then an appropriate value for lmax is
64.
7.
H.3
Key Pairs
1.
Associating public keys with elliptic curve domain parameters. It is very important that a
public key be cryptographically bound to its associated elliptic curve domain parameters.
The cryptographic binding of a public key with its associated elliptic curve domain
parameters can be done by a CA, who includes the elliptic curve domain parameters in
the data portion of the public-key certificate.
2.
3.
Public key cryptoperiod considerations. A public key can be considered valid for any
period of time that the associated private key is used.
4.
Repeated private keys. If two users are using the same elliptic curve domain parameters
and somehow generate identical private key values, then a compromise may occur. As
the private key is a value between 1 and n-1 (inclusive), and n is required to be greater
than 2160, a duplicate private key is only expected to happen by chance (due to the
birthday phenomenon) after about 280 key pairs have been generated. As 280 is over 1
million million million million, this is not expected to happen. However, it is possible
- 190 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
that a private key might repeat due to a hardware or software error or a poorly-seeded
pseudorandom number generator. If this occurred, the public key Q would also repeat.
One way to address this concern is to use an ANSI X9 approved random or
pseudorandom generation method. For an example of an ANSI X9 approved
pseudorandom number generation method, see Annex A.4. Otherwise, a service that a
Certificate Authority may choose to provide for users with high security requirements is
to monitor public keys to ensure that there are no duplicates. If a duplicate public key is
detected, then both parties should be told, and each party should determine if there has
been an error, try to determine the cause of the error, decide what corrective action to
take (if any), and regenerate new key pairs.
H.4
This section discusses issues particularly relevant to the security of key establishment schemes.
ANSI X9.63-2001
X9.63-2001
- 192 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
IR indicates that the assurance is provided to U1, no matter whether U1 is the schemes
initiator or responder.
The names of the services have been abbreviated to save space: IKA denotes implicit key
authentication, EKA denotes explicit key authentication, EA denotes entity authentication, K-KS
denotes known-key security, FS denotes forward secrecy, K-CI denotes key-compromise
impersonation resilience, and UK-S denotes unknown key-share resilience.
The provision of these assurances is considered in the case that both U1 and U2 are honest and
have always executed the scheme correctly. The requirement that U1 and U2 are honest is
certainly necessary for the provision of any service by a key establishment scheme: no key
establishment scheme can protect against a dishonest entity who chooses to reveal the session
keyjust as no encryption scheme can guard against an entity who chooses to reveal
confidential data.
- 193 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Section
IKA
EKA EA
K-KS
FS
K-CI UK-S
6.1
IR?1
n/a.
n/a.
6.1
IR
IR
n/a.
n/a.
IR
1-Pass Diffie-Hellman
Scheme
6.2
6.3
IR
IR?4
6.4
IR
IR
IR
IR
IR
IR
6.5
IR
IR?4
6.6
IR
IR?1
IR?2
IR?4
6.7
IR
IR
IR
IR
IR
IR
IR
IR
IR
IR
IR
IR
IR
1-Pass MQV
6.9
IR
Full MQV
6.10
IR
IR
IR?2
IR
6.11
IR
IR
IR
IR
IR
IR
IR
7.1
7.2
IR
IR
IR
IR6
IR
IR
Although schemes like the Full Unified Model scheme and the Full MQV scheme do not
automatically provide explicit key authentication, explicit key authentication is often provided
when the keying data they provide is subsequently used, for example to MAC some data.
Notes:
- 194 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
The technicality hinges on the definition of what constitutes another session key.
Known-key security is certainly provided if the scheme is extended so that explicit
authentication of all session keys is supplied.
2.
The technicality concerns explicit authentication. Both schemes provide forward secrecy
if explicit authentication is supplied for all session keys. If explicit authentication is not
supplied, forward secrecy cannot be guaranteed.
3.
The 1-pass key transport scheme can easily be implemented in a manner that provides
known-key security when the scheme is used with the elliptic curve augmented
encryption scheme. Simply include a counter in the optional Text field and increment this
counter each time a new session key is transported from U1 to U2. Provided that the
responder checks that the counter has been incremented each time a new session key is
established, this prevents known-key attacks on the scheme involving the replay of
previous flows.
4.
These schemes are believed to provide unknown key-share resilience when knowledge of
the private key is checked during certification of the static public keys.
5.
6.
The 3-pass key transport scheme provides known-key security when used in conjunction
with the elliptic curve augmented encryption scheme.
It is also sometimes of interest to note whether key control resides with the initiator or the
responder of a key transport scheme. Of the key transport schemes specified in this Standard, key
control resides with the initiator in the 1-pass key transport scheme, and with the responder in the
3-pass key transport scheme.
- 195 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.
The output length hashlen of the cryptographic hash function employed (Section 5.6.2).
3.
The key length mackeylen of the MAC scheme employed (Section 5.7).
4.
The length challengelen of the random challenge in the challenge generation primitive
(Section 5.3).
5.
The length of SEED used in elliptic curve generation (Annex A.3.3.1 and Annex
A.3.3.2).
6.
The length of the seed key XKEY in the pseudorandom bit generator (Annex A.4.1).
The best method to discover the value of a key for a symmetric key scheme is key
exhaustion using a few known plaintext/ciphertext pairs. That is, for a 56-bit key, it takes
256 trial encryptions to ensure that the correct key is recovered; for a 128-bit key, it takes
2128 trial encryptions, etc. This is a goal of any symmetric key scheme.
2.
These symmetric key trial encryptions are able to be done in parallel. That is, if m
processors are used to attempt the trial encryptions, the time needed to exhaust the key
space is reduced by a factor of m.
3.
The best method for breaking the key establishment scheme is to discover the private
key. This is a goal of any asymmetric key establishment scheme.
4.
The best method for recovering an EC private key is to solve the particular ECDLP
associated with the key. The best methods to solve the ECDLP are square root methods
that take a number of operations approximately equal to the square root of the order n of
the generator.
5.
These EC operations for solving the ECDLP are able to be done in parallel.
6.
For simplicity, an EC operation is assumed to take the same amount of time as the
symmetric key encryption operation. In practice, this is a very conservative assumption:
all known practical symmetric key algorithms are faster than known practical public key
algorithms.
The above assumptions lead to the guidance that the appropriate EC key size (that is, the size of
n) is about twice the size of the symmetric key. Table H-3 describes the bounds on n, hashlen,
mackeylen, challengelen, SEED length, and XKEY length that should be adopted to ensure that
the EC key establishment key is at least as strong as the symmetric algorithm key being
established.
- 196 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Table H-3 Guidelines on Aligning Parameter Sizes and Symmetric Key Size
Symmetric
key size
(in bits)
Lower
bound
on n
Lower
bound on
hashlen
(in bits)
Lower
bound on
mackeylen
(in bits)
Lower
bound on
challengelen
(in bits)
Lower
bound on
length of
SEED
(in bits)
Lower
bound on
length of
XKEY
(in bits)
80
2160
160
80
80
160
160
112
2224
224
112
112
224
224
128
2256
256
128
128
256
256
192
2384
384
192
192
384
384
256
2512
512
256
256
512
512
Note: Currently, the only ANSI-approved hash function is SHA-1 with an output length of 160
bits. It is expected that ANSI will soon adopt hash functions with output lengths 256, 384, and
512 bits.
- 197 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
The default choice for an application should be to use a scheme that provides as many security
properties documented in Table H-2 as possible to the two communicating parties U1 and U2.
This suggests the use of the Station-to-Station scheme, the full MQV with key confirmation
scheme, or an appropriate ANSI-approved extension to one of the other schemes. The choice
between the Station-to-Station scheme and the full MQV with key confirmation scheme may be
based on other criteria for example if computational efficiency is important, the MQV scheme
with key confirmation may be preferred; if it is important to use only certificates on signature
keys, the Station-to-Station scheme may be preferred. Thus, the default choices are the Stationto-Station scheme and the full MQV with key confirmation scheme.
Some of the other schemes provide the majority of the security properties documented in Table
H-2.
In particular the combined Unified Model with key confirmation scheme and the full Unified
Model with key confirmation scheme may be used in place of the default schemes when the
improved damage limitation in the event of a key compromise provided by a scheme that offers
key-compromise impersonation resilience is not considered advantageous. Thus, the combined
Unified Model with key confirmation scheme and the full Unified Model with key confirmation
scheme may also be considered when key-compromise impersonation resilience is not necessary.
Additionally the analogues of these schemes that do not provide explicit key authentication
specifically the full Unified Model scheme and the full MQV scheme may be used in place of
the default schemes when explicit key authentication is not considered advantageous, or when
explicit key authentication will be provided through the use of the keying data in an appropriate
manner subsequent to the key establishment scheme. Explicit key authentication reinforces
forward secrecy and unknown key-share resilience as observed in Table H-2. Explicit key
authentication also, in general, enables experts to formally analyze a scheme and, therefore,
increases confidence in the security of a scheme. Thus, the full Unified Model scheme and the
full MQV scheme may also be considered when explicit key authentication is not necessary.
Beyond the default choices described above, in a specific application the answer to the question
what purpose are the keys established using the scheme going to be used for? may help further
restrict the list of required security properties.
When the keys established by U1 and U2 are going to be used only to provide data origin
authentication and data integrity (MACing), and not data confidentiality (encryption), forward
secrecy may not be considered advantageous because forward secrecy is primarily used to
protect information encrypted during previous sessions. In this event, the 1-pass Diffie-Hellman
scheme, the static Unified Model scheme, the 1-pass Unified Model scheme, the 1-pass MQV
scheme, the 1-pass key transport scheme, or the 3-pass key transport scheme may be used in
place of the default schemes. Thus, schemes that do not provide forward secrecy may also be
considered when data confidentiality is not required.
When the keys established by U1 and U2 are going to be used only to provide data confidentiality
for data sent from U1 to U2 or to provide data origin authentication and data integrity of data sent
from U2 to U1 (and not data confidentiality of data sent from U2 to U1 or data origin
authentication and data integrity of data sent from U1 to U2), implicit and explicit key
- 198 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
authentication of U1 to U2 may not be considered advantageous. In this event, the 1-pass DiffieHellman scheme or the 1-pass key transport scheme may be used with U1 as the initiator in place
of the default schemes. Note, however, that even in this scenario, mutual implicit or explicit key
authentication can nonetheless enhance the ability to provide other desirable properties like
known-key security and forward secrecy and can enhance resistance to attacks like small
subgroup attacks. Thus, the 1-pass Diffie-Hellman scheme and the 1-pass key transport scheme
may also be considered when only confidentiality from U1 to U2 or authentication of U2 to U1 are
required.
When the keys established by U1 and U2 are not going to be used to provide both data origin
authentication and data confidentiality for any single message, or when other methods (such as
including the senders identity in secured messages) are used to prevent attackers from
masquerading as the sender of a message, unknown key-share resilience may not be considered
advantageous. This is because unknown key-share resilience is primarily used to prevent
attackers from masquerading as the sender of a message that has been authenticated and
encrypted. In this event, the 1-pass Diffie-Hellman scheme, the 1-pass MQV scheme, the full
MQV scheme, or the 1-pass key transport scheme may be used in place of the default schemes.
Note, however, that simply encrypting a message with a block cipher is often used to provide
authentication as well as confidentiality when the message contains redundancy. Thus, schemes
that do not provide unknown key-share resilience may also be considered when no single
message is both encrypted and authenticated.
Beyond the default choices described above, in a specific application the answer to the question
what are the pertinent characteristics of the communicating parties? may highlight limitations
in the abilities of the communicating parties that restrict the security properties that can be
provided.
When it is highly desirable for only one party to be on-line during the execution of the key
establishment scheme, the 1-pass Unified Model scheme may be used in place of the default
schemes. This may be the case in, for example, store-and-forward environments or email
applications. Note that in this event, forward secrecy cannot be provided in the event that the offline partys static key is compromised. Furthermore, known-key security can only be provided to
the off-line party by mechanisms outside the scope of this standard, like the use of timestamps or
shared counters. Thus, the 1-pass Unified Model scheme and the 1-pass MQV scheme may be
considered if it is only possible for one-party to be on-line.
When it highly desirable for neither party to be on-line during the execution of the key
establishment scheme, the static Unified Model scheme may be used in place of the default
schemes. This may be the case in, for example, noticeboard environments. Note that in this event
forward secrecy cannot be provided, and that known-key security can only be provided by
mechanisms outside the scope of this Standard like timestamps or shared counters. Thus, the
static Unified Model scheme may be considered if it is not possible for either party to be on-line.
When the ability of one party to generate ephemeral keys securely is questionable, the 3-pass key
transport scheme may be used with the constrained party as the responder in place of the default
schemes because this makes the secrecy of the session key less dependent on the ability of the
responder to generate random numbers. This may be the case, for example, if one of the parties is
- 199 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
a constrained device like a smart card or a cellular phone. Note that in this event the desirable
feature that the session key cannot be predetermined by either party is not provided. Thus, the 3pass key transport scheme may be considered if one party lacks the ability to confidently
generate secure ephemeral keys.
The guidance in this Annex is based on the conservative principle of providing all sensible
security properties in any given scenario. Based on a risk analysis, the developers of a particular
application may decide that some security properties are not required and, therefore, may select a
different scheme than those recommended by the guidance provided here.
H.5
Validation Issues
Algorithm validation (e.g., for X9.30, X9.31, X9.62) to determine that a specific
algorithm routine runs as expected; and
B.
2.
Private key ownership validation. Also known as proof of possession. This validation
asserts that the owner possesses the corresponding secret key of a public key submitted
for certification. This validation states that It looks like this user owns the private key.
A CA usually conducts these validations, although any trusted user may do it. This
validation mitigates against certain cryptographic attacks that are based on the claimed
owner not knowing the associated private key.
3.
Domain Parameter Validation. These validations assert that the set of elliptic curve
domain parameters is valid. These validations could be conducted by a CA, but any
- 200 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
trusted user may do them. These validations detect inadvertent and deliberate domain
parameter errors. The validations mitigate against attacks based on using invalid domain
parameters.
When implementing this Standard, the generator of a set of elliptic curve domain
parameters must perform parameter validation and ensure that the parameters meet the
elliptic curve domain parameter validation criteria listed in Section 5.1. Whether anyone
else needs to validate the elliptic curve domain parameters is a matter of the trust
relationship between the generator and the user. For example, an untrusted party may
generate a proposed set of elliptic curve domain parameters, and a CA may subsequently
validate the parameters for its potential users. Whether or not it validates elliptic curve
domain parameters should be part of a CAs policy. If a set of elliptic curve domain
parameters is supplied directly to a user in a situation where the user does not know that
they are valid, then the user must validate the parameters before use; not doing so could
leave the user open to the potential of an attack.
4.
Public Key Validation. These validations determine if the candidate public key is actually
cryptographically reasonable. Either the CA or an entity could conduct the validations. In
general, the CA conducts these validations for static (long-term keys), and the recipient
conducts the validation for ephemeral (short-term, normally single use) keys. Public Key
Validation (PKV) assumes that any domain parameters have previously been validated.
The validation states that It looks like this particular public key makes sense.
Public key validation has been specified in this Standard (Section 5.2), including explicit
public key validation routines that check the range and, optionally, the order of a
purported public key to ensure that it is plausible that a private key could logically exist
for this purported public key. The decision whether to do any public key validation and
what kind(s) to do is a cost/benefit decision. Public Key Validation is optional, but doing
some form of validation is recommended, especially for high security and/or high risk
applications. There are two main reasons to consider doing public key validation:
-
- 201 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Ideally, public key validation can be used to demonstrate that the existence of an
associated private key is logically possible, although it (obviously) cannot determine
whether such a private key actually does exist or whether the claimed owner of the
private key is the actual owner; for those purposes, proof of possession (POP) methods
should be done.
Recall that when doing encryption, the encrypters use of a public key occurs before the
owners use of the associated private key to decrypt and recover the message. This
means that an inadvertent error involving the value of the public key may not be detected
until after the owner actually uses the associated private key, which should be assumed to
be too late to detect such an error. Most primitives specified in this standard are not
defined when the associated public key(s) is/are invalid. Implementations should
therefore appropriately address the possibility that a candidate public key is invalid. The
main risks are failure of the implementation, resulting in an error state, and/or loss of
confidentiality of the data and/or loss of ability to recover the encrypted data.
The risk of implementation failure can be ameliorated by appropriate handling of error
cases and/or by ensuring the validity of public keys. The risk of loss of confidentiality or
loss of ability to recover encrypted data can be addressed by ensuring the validity of the
public keys. However, note that just because a public key is valid does not mean it is
secure, there are other considerations involved, such as ensuring the key pair was selected
from a large enough keyspace and whether the private key is protected properly.
Furthermore, the recipient of an encrypted message may decrypt it and reveal it to others
that were not intended by the sender to see it. Therefore, appropriate use of FIPS 140-1
implementation validation and random number generation validation are recommended.
- 202 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Conducted by
An independent
laboratory
Whats Validated
1. Algorithm works
as specified
Whats mitigated
Inadvertent
implementation
errors
2. Random number
generator
operates as
required
Private key
ownership
CA or its delegate
or the user
(recipient)
Masquerade attacks
(the purported
owner of the public
key does not know
the corresponding
private key)
Domain parameter
validation
CA or its delegate
or the user
(recipient)
The domain
parameters are
suitable for
cryptographic use
Cryptographic
attacks based on
out of range
parameters
Public key
validation
CA or its delegate
or the user
(recipient)
- 203 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Annex I
(informative)
Alignment with Other Standards
One of the central goals of the standardization process is to promote interoperability while
providing security. Conformance between standards is crucial for achieving this task.
Therefore, this Standard attempts to provide conformance with as many of the other relevant
standards as possible.
Within ANSI, the Standard is directly aligned with ANSI X9.42 [4], and this Standard describes
many of the analogous key agreement protocols described in ANSI X9.42. In this instance,
actual one-to-one correspondence is not the relevant issue, because the respective standards
describe the schemes in different algebraic settings - ANSI X9.42 describes schemes in the
algebraic setting of the multiplicative group of a finite field, while in this Standard, schemes are
described in the additive group of the points on an elliptic curve.
IEEE 1363-2000 [30] (and its proposed addendum, IEEE P1363A [31]) is a prominent publickey standardization effort. IEEE 1363-2000 specifies a number of elliptic curve schemes, and
this Standard is designed so that anyone implementing one of the key agreement schemes
specified will automatically be conformant with the relevant schemes in IEEE 1363-2000. In the
case of the Unified Model schemes, conformance is with either the DH1 or DH2 scheme in IEEE
1363-2000. In the case of the MQV schemes, conformance is with the IEEE 1363-2000 MQV
schemes.
Of the FIPS standards, the most relevant is FIPS 196 [26], which specifies entity authentication
schemes that employ any FIPS approved signature scheme. An implementation of the 3-pass key
transport scheme specified in this Standard should conform with the requirements of FIPS 196.
The appropriate ISO/IEC standards are ISO/IEC 11770-3 [39] and ISO 9798-3 [38], and ISO
15946-3 [42]. These standards respectively discuss asymmetric key establishment schemes,
asymmetric schemes providing entity authentication, and elliptic curve based key establishment
schemes. ISO 15946-3 [42] gives a broad specification without specifying security requirements,
while this Standard gives a very detailed specification with specific minimum security
requirements including minimum key lengths. The schemes specified in this Standard are
conformant with the related schemes in ISO 15946-3. A number of the key agreement schemes
specified here and in particular the Station-to-Station scheme, are likely to conform with ISO
11770-3, although since ISO 11770-3 is specified in a mechanism independent manner, precise
details of conformance are sometimes hard to ascertain The Station-to-Station scheme also
conforms with ISO 9798-3. Easier to gauge are the key transport schemes. The 1-pass transport
scheme in this Standard is conformant with key transport mechanism 1 in ISO 11770-3, and the
3-pass transport scheme is conformant with key transport mechanism 5 in ISO 11770-3. The 3pass transport scheme also conforms with the corresponding mechanism in ISO 9798-3.
- 204 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Annex J
(informative)
Examples
This annex contains 5 parts.
-
Annex J.2 presents examples of the Key Agreement schemes described in Section 6 over the
field F2m .
Annex J.3 presents examples of the Key Agreement schemes described in Section 6 over the
field Fp.
Annex J.4 presents sample elliptic curves over the field F2m with domain parameters for m =
163, 193, 233, 239, 283, 409, and 571.
Annex J.5 presents sample elliptic curves over the field Fp with domain parameters for 160bit, 192-bit, 224-bit, 256-bit, 384-bit, and 521-bit primes.
J.1
The following are examples of the data conversion techniques that shall be used in this Standard
(See Figure 1).
ANSI X9.63-2001
X9.63-2001
2.
2.
Input: p = 1461501637330902918203684832716283019651637554291
and the curve E: y2 = x3+ax+b, where:
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFAC70,
b = B4E134D3 FB59EB8B AB572749 04664D5A F50388BA,
and the point P = (xP, yP), where:
xP = 770583243196400293316427305222217463947576732373
yP = 629046656899823137693886377666819845291423047061
Output: (compressed form)
PO = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
- 206 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Input: q = 2163,
and the irreducible polynomial which generates F21 6 3 :
f = 8 00000000 00000000 00000000 00000000 000000C9,
and the curve E: y2+xy = x3+ax2+b over F2163, where:
a = 07 B6882CAA EFA84F95 54FF8428 BD88E246 D2782AE2,
b = 00 13612DCD DCB40AAB 946BDA29 CA91F73A F958AFD9,
and the point is P = (xP , yP), where:
xP =
yP =
Input: p = 1461501637330902918203684832716283019651637554291
and the curve E: y2 = x3+ax+b where:
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFAC70,
b = B4E134D3 FB59EB8B AB572749 04664D5A F50388BA,
and the octet string:
PO = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5.
Output: The point is P = (xP , yP), where:
xP = 770583243196400293316427305222217463947576732373,
yP = 629046656899823137693886377666819845291423047061.
2.
Input: q = 2163,
and the irreducible polynomial which generates F21 6 3 :
f = 8 00000000 00000000 00000000 00000000 000000C9,
- 207 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
J.2
xP =
yP =
This section describes examples of each of the schemes in this Standard when elliptic curve
domain parameters over F2m are used.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
3.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
- 208 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U executes the key agreement transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
2.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.2.
3.1.
U computes:
- 209 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Pe = h de,U Qe,V =
0400D9 7AACA44A 426F73AE DB629004 D8A237E2 8E876901 EE22AE85
BDBB114F DA010ECD 5014C5BB 8AA30A6D
5.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
5.2.
U computes:
KeyData = Hash1 = SHA-1(Z1) =
8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
J.2.1.1.2
V simultaneously executes the key agreement transformation to agree on keying data with U as
follows:
Input: The input to the key agreement transformation is:
1.
2.
- 210 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
1.1.
1.2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.2.
3.1.
V computes:
Pe = h de,V Qe,U =
0400D9 7AACA44A 426F73AE DB629004 D8A237E2 8E876901 EE22AE85
BDBB114F DA010ECD 5014C5BB 8AA30A6D
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
ANSI X9.63-2001
X9.63-2001
V computes:
KeyData = Hash1 = SHA-1(Z1) =
8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
J.2.1.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
3.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.1.2.1
U executes the key agreement transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
2.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
ANSI X9.63-2001
X9.63-2001
de,U = 5321230001203043918714616464614664646674949479949
1.2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.1.
3.1.
U computes:
Pe = de,U Qe,V =
04048A CBC20B63 3C9774DA E7995AC9 4EE5BF5E F24A2703 6F04EBEB
1F172E00 759A6180 7FDC1CDD 900A405B
5.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
5.2.
U computes:
KeyData = Hash1 = SHA-1(Z1) =
97BA1479 CCBC4552 F4C1070F 1AFF495E EAC4DFBD
ANSI X9.63-2001
J.2.1.2.2
X9.63-2001
V simultaneously executes the key agreement transformation to agree on keying data with U as
follows:
Input: The input to the key agreement transformation is:
1.
2.
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
1.1.
1.2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.1.
- 214 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V computes:
Pe = de,V Qe,U =
04048A CBC20B63 3C9774DA E7995AC9 4EE5BF5E F24A2703 6F04EBEB
1F172E00 759A6180 7FDC1CDD 900A405B
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
5.2.
V computes:
KeyData = Hash1 = SHA-1(Z1) =
97BA1479 CCBC4552 F4C1070F 1AFF495E EAC4DFBD
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified as in Section 5.1.2.2.
2.
V, being the responder in this case, is bound to the static key pair (ds,V, Qs,V), which has
been validated as specified in Section 5.2.2.
- 215 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.2.1.1
U executes the key agreement transformation to agree on keying data with V. U obtains an
authentic copy of Vs static public key Qs,V.
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
U derives the shared secret field element z using the Diffie-Hellman primitive specified
in Section 5.4.2.
2.1.
- 216 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.2.
2.3.
U sets z = x.
z = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
3.
4.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 bits from Z.
4.1.
4.2.
U computes:
KeyData = Hash1 = SHA-1(Z1) =
9C493C41 9449BD60 2771645C 3197BE4F 3710F1D4
J.2.2.1.2
V executes the key agreement transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
- 217 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V derives the shared secret value z using the Diffie-Hellman primitive specified in
Section 5.4.2.
2.1.
2.2.
2.3.
V sets z = x.
z = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
3.
4.
V uses the key derivation function specified in Section 5.6.3 and the hash function SHA-1
to generate keying data KeyData of length 160 bits from Z.
4.1.
4.2.
Output: KeyData and the derived keying data of length of 160 bits.
J.2.2.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified as in Section 5.1.2.2.
2.
V, being the responder in this case, is bound to the static key pair (ds,V, Qs,V), which has
been validated as specified in Section 5.2.2.
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
- 218 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.2.2.1
U executes the key agreement transformation to agree on keying data with V. U obtains an
authentic copy of Vs static public key Qs,V.
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
U derives the shared secret field element z using the Diffie-Hellman primitive specified
in Section 5.4.1.
2.1.
2.2.
2.3.
U sets z = x.
- 219 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 bits from Z.
4.1.
4.2.
U computes:
KeyData = Hash1 = SHA-1(Z1) =
4C612FBB 598F5009 F61FD483 4A30B764 00C7774B
J.2.2.2.2
V executes the key agreement transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives the shared secret value z using the Diffie-Hellman primitive specified in
Section 5.4.1.
2.1.
ANSI X9.63-2001
X9.63-2001
2.3.
V sets z = x.
z = 00 21261B8F 1534DF6C 5E6A3496 5090B95C 625CE432
3.
4.
V uses the key derivation function specified in Section 5.6.3 and the hash function SHA-1
to generate keying data KeyData of length 160 bits from Z.
4.1.
4.2.
Output: KeyData and the derived keying data of length of 160 bits.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
- 221 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.3.1.1
U obtains an authentic copy of Vs static public key Qs,V and executes the key agreement
transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the Diffie-Hellman primitive specified in Section 5.4.2 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
U sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
2.
3.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
- 222 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.2.
J.2.3.1.2
V obtains an authentic copy of Us static public key Qs,U and executes the key agreement
transformation to agree on keying data with U as follows:
Input: The input to the key agreement transformation is:
1.
V uses the Diffie-Hellman primitive specified in Section 5.4.2 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
V sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
2.
3.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
3.1.
- 223 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
J.2.3.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.3.2.1
U obtains an authentic copy of Vs static public key Qs,V and executes the key agreement
transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
- 224 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U uses the Diffie-Hellman primitive specified in Section 5.4.1 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
U sets zs = xs
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
2.
3.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
3.1.
3.2.
J.2.3.2.2
V obtains an authentic copy of Us static public key Qs,U and executes the key agreement
transformation to agree on keying data with U as follows:
Input: The input to the key agreement transformation is:
1.
- 225 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V uses the Diffie-Hellman primitive specified in Section 5.4.1 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
V sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
2.
3.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
3.1.
3.2.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
- 226 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.4.1.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
- 227 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
5.
6.
U used the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
6.1.
6.2
- 228 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
8.1.
8.2.
9.
10.
U calculates the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
10.1.
10.2.
11.
U sends MacTag2 to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
11.1.
11.2.
11.3.
U sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
12.
13.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
- 229 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
13.2.
J.2.4.1.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
2.1.
2.2.
3.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
- 230 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.2.
3.3.
V sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
5.1.
5.2
6.
7.
V calculates the tag MacTag1 on MacData1 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
7.1.
7.2.
8.
9.
10.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
- 231 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
10.2.
11.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
11.1.
11.2.
11.3.
V sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
12.
13.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
13.1.
13.2.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
- 232 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.4.2.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
- 233 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
5.
6.
U used the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
6.1.
6.2
7.
- 234 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
8.1.
8.2.
9.
10.
U calculates the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
10.1.
10.2.
11.
U sends MacTag2 to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
11.1.
11.2.
11.3.
U sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
12.
13.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
13.1.
ANSI X9.63-2001
X9.63-2001
J.2.4.2.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit string SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
2.1.
2.2.
3.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
3.1.
- 236 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.3.
V sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
5.1.
5.2
6.
7.
V calculates the tag MacTag1 on MacData1 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
7.1.
7.2.
8.
9.
10.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
10.1.
ANSI X9.63-2001
X9.63-2001
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
11.1.
11.2.
11.3.
V sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
12.
13.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
13.1.
13.2.
- 238 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.5.1.1
U obtains an authentic copy of Vs static public key Qs,V and executes the initiator transformation
to agree on keying data with V as follows:
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
- 239 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Qe,U = de,U G =
0205 7F8F4671 CFA2BADF 53C57CB5 4E5C48A9 45FF2114
1.3.
2.
U sends Qe,U to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
2.1.
2.2.
2.3.
U sets ze = xP.
ze = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
3.
4.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
5.
6.
- 240 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U uses the key derivation function in Section 5.6.3 with the hash function SHA-1 to
generate keying data KeyData of length 160 bits from Z.
7.1
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.5.1.2
V obtains an authentic copy of Us static public key Qs,U and executes the responder
transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
2.1.
2.2.
2.3.
V sets ze = xP
- 241 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
V sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
5.
6.
7.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
7.1.
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.5.2
ANSI X9.63-2001
X9.63-2001
1.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.5.2.1
U obtains an authentic copy of Vs static public key Qs,V and executes the initiator transformation
to agree on keying data with V as follows:
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
- 243 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Qe,U = de,U G =
0205 7F8F4671 CFA2BADF 53C57CB5 4E5C48A9 45FF2114
1.3.
2.
U sends Qe,U to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
2.1.
2.2.
2.3.
U sets ze = xP.
ze = 00 21261B8F 1534DF6C 5E6A3496 5090B95C 625CE432
3.
4.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
5.
6.
- 244 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U uses the key derivation function in Section 5.6.3 with the hash function SHA-1 to
generate keying data KeyData of length 160 bits from Z.
7.1
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.5.2.2
V obtains an authentic copy of Us static public key Qs,U and executes the responder
transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
2.1.
2.2.
2.3.
V sets ze = xP.
- 245 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
4.1.
4.2.
4.3.
V sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
5.
6.
7.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
7.1
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
ANSI X9.63-2001
X9.63-2001
Hellman scheme, while the second example employs the standard version. In the examples, it is
assumed that messages are relayed back and forth faithfully between U and V.
J.2.6.1
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.6.1.1
U obtains an authentic copy of Vs static public key Qs,V and executes the key agreement
transformation as follows:
Input: the input to the key agreement transformation is:
1.
2.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
- 247 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.2.
1.3.
2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
3.1.
3.2.
3.3.
U sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
4.
5.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
5.1.
5.2.
5.3.
U sets zs = xs.
- 248 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
7.
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1.
8.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.6.1.2
V obtains an authentic copy of Us static public key Qs,U and executes the key agreement
transformation as follows:
Input: the input to the key agreement transformation is:
1.
2.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
1.1.
1.2.
ANSI X9.63-2001
X9.63-2001
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
4.
5.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
5.1.
5.2.
5.3.
V sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
6.
- 250 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1.
8.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.6.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
4.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
- 251 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U obtains an authentic copy of Vs static public key Qs,V and executes the key agreement
transformation as follows:
Input: the input to the key agreement transformation is:
1.
2.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.1.
3.1.
3.2.
3.3.
U sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
- 252 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
5.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
5.1.
5.2.
5.3.
U sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
6.
7.
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1.
8.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.6.2.2
V obtains an authentic copy of Us static public key Qs,U and executes the key agreement
transformation as follows:
Input: the input to the key agreement transformation is:
- 253 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
2.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
1.1.
1.2.
1.3.
2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.1.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
4.
5.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
- 254 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
5.2.
5.3.
V sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
6.
7.
8.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1
8.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 255 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.7.1.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
ANSI X9.63-2001
X9.63-2001
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
4.1.
4.2.
4.3.
U sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
5.
6.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
6.1.
ANSI X9.63-2001
X9.63-2001
6.2.
6.3.
U sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
7.
8.
9.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
9.1
9.2.
9.3.
9.4.
9.5.
U forms K = Hash1||Hash2.
K = E438CFC7 30AADDCC C03D0B92 E0EC73D7 6A18CF9C 77045C3B B6B737D7
C1762E6B 15C5BB2D 9654F763
10.
11.
- 258 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
12.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
12.1.
12.2.
13.
14.
U sends MacTag2 to V.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.7.1.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
- 259 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
4.
5.
V computes shared secret field element zs using the Diffie-Hellman primitive specified in
Section 5.4.2.
5.1.
5.2.
5.3.
V sets zs = xs.
zs = 02 8765AE0E EF9BF6C2 AB11A02E 5C6562B3 8B16190F
6.
- 260 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
8.1.
8.2.
8.3.
8.4.
8.5.
V forms K = Hash1||Hash2
K = E438CFC7 30AADDCC C03D0B92 E0EC73D7 6A18CF9C 77045C3B B6B737D7
C1762E6B 15C5BB2D 9654F763
9.
10.
11.
12.
13.
- 261 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
15.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
15.1.
15.2.
MacTag2 = MacTag2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.7.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
- 262 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.7.2.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.1.
4.1.
ANSI X9.63-2001
X9.63-2001
4.3.
U sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
5.
6.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.1.
6.1.
6.2.
6.3.
U sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
7.
8.
9.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
9.1
9.2.
ANSI X9.63-2001
X9.63-2001
9.4.
9.5.
U forms K = Hash1||Hash2
K = 450484C0 7A4774E0 B0D47E4C 3EB2E618 454181B3 9588364B 3C77F160
D4F93D9E 3A1F4C63 2403342D
10.
11.
12.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
12.1.
12.2.
13.
14.
U sends MacTag2 to V.
Output: The bit string KeyData as the keying data of length 160 bits.
- 265 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
4.
ANSI X9.63-2001
X9.63-2001
V computes shared secret field element zs using the Diffie-Hellman primitive specified in
Section 5.4.1.
5.1.
5.2.
5.3.
V sets zs = xs.
zs = 04 4649E3F5 BC35F214 8256E8FC D1AAF2CD 066C45CF
6.
7.
8.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
8.1.
8.2.
8.3.
8.4.
8.5.
V forms K = Hash1||Hash2
- 267 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
9.
10.
11.
12.
13.
14.
15.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
15.1.
15.2.
MacTag2 = MacTag2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 268 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.8.1.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
ANSI X9.63-2001
X9.63-2001
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
5.
U verifies the signature rsig1, ssig1 using the verifying transformation of the signature
scheme in Section 5.9.
6.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
6.1.
6.2.
6.3.
U sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
- 270 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
8.1.
8.2.
8.3.
8.4.
8.5.
9.
10.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
10.1.
10.2.
11.
12.
ANSI X9.63-2001
X9.63-2001
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.8.1.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
- 272 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.2.
3.3.
V sets ze = xe.
ze = 00 D97AACA4 4A426F73 AEDB6290 04D8A237 E28E8769
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
5.1
5.2.
5.3.
5.4.
5.5.
6.
7.
ANSI X9.63-2001
X9.63-2001
9.
9.2.
10.
11.
12.
V verifies the signature ssig2, rsig2 using the verifying transformation of the primitive
specified in Section 5.9.
13.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
13.1.
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.8.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
- 274 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.8.2.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
- 275 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
5.
U verifies the signature rsig1, ssig1 using the verifying transformation of the signature
scheme in Section 5.9.
6.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
6.1.
6.2.
6.3.
U sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
7.
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
8.1.
8.2.
8.3.
- 276 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.5.
9.
10.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
10.1.
10.2.
11.
12.
13.
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 277 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.1.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 04 8ACBC20B 633C9774 DAE7995A C94EE5BF 5EF24A27
4.
ANSI X9.63-2001
X9.63-2001
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
5.1
5.2.
5.3.
5.4.
5.5.
6.
7.
8.
9.
9.2.
ANSI X9.63-2001
X9.63-2001
10.
11.
12.
V verifies the signature rsig2, ssig2 using the verifying transformation of the primitive
specified in Section 5.9.
13.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
13.1.
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
- 280 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.2.9.1
U obtains an authentic copy of Vs public key Qs,V and executes the key agreement
transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Q2,V = Qs,V using the MQV primitive in Section 5.5.
2.1.
2.2.
- 281 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.3.
2.4.
U sets z = x.
z = 05 75EB387D 31E3147B 307CBE46 44759A68 4A2DE7C2
3.
4.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
4.1
4.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.9.2
V obtains an authentic copy of Us public key Qs,U and executes the key agreement
transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives z from the key pairs (d1,V, Q1,V) = (d2,V, Q2,V) = (ds,U, Qs,U) and Q1,U = Qs,U Q2,U
= Qe,U using the MQV primitive specified in Section 5.5.
- 282 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.2.
2.3.
2.4.
V sets z = x.
z = 05 75EB387D 31E3147B 307CBE46 44759A68 4A2DE7C2
3.
4.
V uses the key derivation function specified in Section 5.6.3. with the hash function
SHA-1 to generate keying data KeyData of length 160 bits from Z.
4.1
4.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
- 283 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.2.10.1
U obtains an authentic copy of Vs public key Qs,V and executes the key agreement
transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
2.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
- 284 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
3.
X9.63-2001
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Qs,V, Q2,V = Qe,V using the MQV primitive specified in Section 5.5.
3.1.
3.2.
3.3.
3.4.
U sets z = x.
z = 04 7A85CF9F 9E3F0C19 054B0544 D5A71762 0AF27D96
4.
5.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
5.1
5.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 285 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us public key Qs,U and executes the key agreement
transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
1.1.
1.2.
1.3.
2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives z from the key pairs (d1,V, Q1,V) = (ds,V, Qs,V), (d2,V, Q2,V) = (de,V, Qe,V) and Q1,U =
Qs,U, Q2,U = Qe,U using the MQV primitive specified in Section 5.5.
3.1.
3.2.
- 286 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.3.
3.4.
V sets z = x.
z = 04 7A85CF9F 9E3F0C19 054B0544 D5A71762 0AF27D96
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
5.1.
5.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
- 287 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.2.11.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
- 288 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
4.
X9.63-2001
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Qs,V, Q2,V = Qe,V using the MQV primitive specified in Section 5.5.
4.1.
4.2.
4.3.
4.4.
U sets z = x.
z = 04 7A85CF9F 9E3F0C19 054B0544 D5A71762 0AF27D96
5.
6.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
6.1
6.2.
6.3.
6.4.
ANSI X9.63-2001
X9.63-2001
7.
8.
9.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
9.1.
9.2.
10.
11.
11.2.
U sends MacTag2 to V.
Output: The bit string KeyData as the keying data of length 160 bits.
J.2.11.2
V obtains an authentic copy of Us public key Qs,U and executes the key agreement
transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
ANSI X9.63-2001
X9.63-2001
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
2.3.
3.
V sends Qe,V to U.
V derives z from the key pairs (d1,V, Q1,V) = (ds,V, Qs,V), (d2,V, Q2,V) = (de,V, Qe,V) and Q1,U =
Qs,U, Q2,U = Qe,U using the MQV primitive specified in Section 5.5.
3.1.
3.2.
3.3.
3.4.
V sets z = x.
z = 04 7A85CF9F 9E3F0C19 054B0544 D5A71762 0AF27D96
4.
- 291 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 20+20 octets from Z.
5.1.
5.2.
5.3.
5.4.
5.5.
6.
7.
8.
8.2.
V sends MacTag1 to U.
9.
10.
- 292 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
11.1.
11.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
2.
U and V are bound to static encryption key pairs that have been validated as specified in
Section 5.2.2. The binding of U and V to their keys includes the use of unique identifiers
for each entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
- 293 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.12.1.1
U obtains an authentic copy of Vs static key Qs,V and executes the key transport scheme with V
as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
2.
U encrypts EncData under Vs static public key Qs,V, using the asymmetric encryption
scheme specified in Section 5.8.
2.1.
2.2.
U establishes a shared secret field element z from de and Qs,V using the DiffieHellman primitive specified in 5.4.2.
2.2.1. U computes P = hdeQs,V = (x, y)
x = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
y = 00 0ECAEE58 F80F47CB 6B8ADC20 5784720E 01C6BDEB
2.2.2. U verifies that P is not the point at infinity.
- 294 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.2.3. U sets z = x.
z = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
2.3.
U generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. U computes KeyData1=Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = 9C493C41 9449BD60 2771645C 3197BE4F 3710F1D4
Hash2 = 667043D7 B33D90C5 249E3029 26E01D60 91B975A2
Hash3 = A95D3443 E8E8A649 E3D34EEC C076DDDF A6AAEF59
KeyData1 = 9C493C41 9449BD60 2771645C 3197BE4F 3710F1D4 667043D7
B33D90C5 249E3029 26E01D60 91B975A2 A95D3443 E8E8A649
2.4.
2.6.
2.7.
3.
U sends EncryptedData to V.
Output: The bit string KeyData of length 160-bits as the keying data.
J.2.12.1.2
V obtains an authentic copy of Us identifier and executes the key transport scheme as follows:
- 295 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
1.2.
V establishes a shared secret field element z from ds,V and Qe using the DiffieHellman primitive specified in 5.4.2.
1.2.1. V Computes P = hds,VQe = (x, y)
x = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
y = 00 0ECAEE58 F80F47CB 6B8ADC20 5784720E 01C6BDEB
1.2.2. V verifies that P is not the point at infinity.
1.2.3. V sets z = x.
z = 03 0668EEAB 2795D7FA DA6FDF61 C22E639B F625A643
1.3.
V generates the keying data KeyData1 of length 384-bits using the key derivation
function specified in Section 5.6.3. V computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = 9C493C41 9449BD60 2771645C 3197BE4F 3710F1D4
Hash2 = 667043D7 B33D90C5 249E3029 26E01D60 91B975A2
Hash3 = A95D3443 E8E8A649 E3D34EEC C076DDDF A6AAEF59
- 296 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.6.
V verifies the tag MacTag is the tag for MacData under the key MacKey using
the tag checking transformation specified in Section 5.7.2.
1.6.1. V computes the tag MacTag using MacData = MaskedEncData as
specified in Section 5.7.
MacTag = E133D74D 5D80BED8 8ECAEE2B 8F45A660 69EC7733
1.6.2. V verifies that MacTag = MacTag.
2.
3.
V parses the first entlen bits of EncData as U and next keydatalen bits as KeyData.
U = 55736572 20550D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
4.
Output: The bit string KeyData of length 160-bits as the keying data.
J.2.12.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1. These parameters have been generated as specified in Section 5.1.2.1 and validated
as specified in Section 5.1.2.2.
- 297 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qs,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qs,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.12.2.1
U obtains an authentic copy of Vs static key Qs,V and executes the key transport scheme with V
as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
- 298 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U encrypts EncData under Vs static public key Qs,V , using the asymmetric encryption
scheme specified in Section 5.8.
2.1.
2.2.
U establishes a shared secret field element z from de and Qs,V using DiffieHellman primitive specified in 5.4.1.
2.2.1. U computes P= deQs,V =(x, y)
x = 00 21261B8F 1534DF6C 5E6A3496 5090B95C 625CE432
y = 00 AD5A0369 ED903513 DEB18B2F F19963BB 00AF65E9
2.2.2. U verifies that P is not the point at infinity.
2.2.3. U sets z = x.
z = 00 21261B8F 1534DF6C 5E6A3496 5090B95C 625CE432
2.3.
U generates keying data KeyData1 of length 384-bits using the key derivation
function specified in Section 5.6.3. U computes KeyData1 = Hash1||Hash2||Hash3, where
Hashi = SHA-1(Z||counter).
Hash1 = 4C612FBB 598F5009 F61FD483 4A30B764 00C7774B
Hash2 = 1AA92E9D 4754FD35 FA882CC1 CA82C475 7D0FDA1C
Hash3 = 03957BE7 59475250 2A9DEB72 947141DC F4DBC304
KeyData1= 4C612FBB 598F5009 F61FD483 4A30B764 00C7774B 1AA92E9D
4754FD35 FA882CC1 CA82C475 7D0FDA1C 03957BE7 59475250
2.4.
03957BE7 59475250
- 299 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.6.
2.7.
3.
U sends EncryptedData to V.
Output: The bit string KeyData of length 160-bits as the keying data.
J.2.12.2.2
V obtains an authentic copy of Us identifier and executes the key transport scheme as follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
1.2.
V establishes a shared secret field element z from ds,V and Qe using the standard
Diffie-Hellman primitive specified in 5.4.1.
1.2.1. V Computes P = ds,VQe = (x,y)
- 300 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V generates a keying data KeyData1 of length 384-bits using the key derivation
function specified in Section 5.6.3. V computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = 4C612FBB 598F5009 F61FD483 4A30B764 00C7774B
Hash2 = 1AA92E9D 4754FD35 FA882CC1 CA82C475 7D0FDA1C
Hash3 = 03957BE7 59475250 2A9DEB72 947141DC F4DBC304
KeyData1 = 4C612FBB 598F5009 F61FD483 4A30B764 00C7774B 1AA92E9D
4754FD35 FA882CC1 CA82C475 7D0FDA1C 03957BE7 59475250
1.4.
1.6.
2.
3.
V parses the first entlen bits of EncData as U and the next keydatalen bits as KeyData.
- 301 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U = 55736572 20550D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
4.
Output: The bit string KeyData of length 160-bits as the keying data.
J.2.13 3-Pass Key Transport Scheme
This section describes two examples of the use of the 3-Pass Key Transport scheme specified in
Section 7.2 by entities U and V. The first example uses the cofactor implementation of the DiffieHellman scheme, while the second example employs the standard version. In the examples, it is
assumed that messages are relayed back and forth faithfully between U and V.
J.2.13.1
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1 with asymmetric encryption scheme and signature scheme. These parameters have
been generated as specified in Section 5.1.2.1 and validated as specified in Section
5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public encryption key is the key pair (denc,U, Qenc,U):
denc,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qenc,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us public signing key is the key pair (dsig,U, Qsig,U):
dsig,U = BBA1D480 192C34D6 05184E56 133A3424 622B195E
Qsig,U = 0304 F20C4401 D8B0DD30 6ED5704B 7417EB1F 1AFFFF12
Us identifier:
U = 55736572 20550D0A
Vs public encryption key is the key pair (denc,V, Qenc,V):
denc,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qenc,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
- 302 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish the following lengths in bits: entlen = 64, mackeylen =160,
challengelen =160.
6.
U and V establish that they will use the modified Diffie-Hellman primitive as specified in
Section 5.4.2.
J.2.13.1.1
U obtains an authentic copy of Vs static signing public key Qsig,V and Vs identifier, then
executes the key transformation with V as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
2.
3.
4.
- 303 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U establishes a shared secret field element z from denc,U and Qe using the
modified Diffie-Hellman primitive specified in 5.4.2.
4.2.1. U computes P = hdenc,UQe = (x, y)
x = 04 E3826842 44C04893 45699F03 43363DE0 E136F8BC
y = 01 13A9974B 8B2B7EF5 FBF23E62 5454EC44 88BA6362
4.2.2. U verifies that P is not the point at infinity.
4.2.3. U sets z = x.
z = 04 E3826842 44C04893 45699F03 43363DE0 E136F8BC
4.3.
U generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. U computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = D1F3B762 3ED523C0 15614758 704F8076 15222B79
Hash2 = 21BFA06D 668361F0 72195798 01E25A11 196B2CEE
Hash3 = 25C7D15D B2E509CB D46AF5BF 16C1E805 4CB97683
KeyData1= D1F3B762 3ED523C0 15614758 704F8076 15222B79 21BFA06D
668361F0 72195798 01E25A11 196B2CEE 25C7D15D B2E509CB
4.4.
4.6.
U verifies the MacTag using the tag checking transformation specified in Section
5.7.2.
- 304 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
6.
U parses the first entlen bits of EncData as the purported identifier V of V and next
keydatalen bits of EncData as keying data KeyData.
V = 55736572 20560D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
7.
U verifies V = V, OK.
8.
9.
U verifies that rsig1 and ssig1 are Vs signature on SignData1 using the signature scheme
specified in Section 5.9.
10.
11.
U signs SignData2 using Us private signing key dsig,U as specified in Section 5.9.
rsig2 = 01 40CA54A6 4474606E C63F5DC8 AFFC2E14 A8ACF423
ssig2 = 03 A2BEAD87 78CD10B6 4B67B02E 3AF692C8 FCF77508
12.
V obtains an authentic copy of Us static signing public key Qsig,U, and Us identifier, then
executes the key transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
- 305 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
2.
3.
4.
V encrypts EncData under Us static public encryption key Qenc,U , using the asymmetric
encryption scheme specified in Section 5.8.
4.1.
4.2.
V establishes a shared secret field element z from de and Qenc,U using the modified
Diffie-Hellman primitive specified in 5.4.2.
4.2.1. V computes P = hdeQenc,U = (x, y)
x = 04 E3826842 44C04893 45699F03 43363DE0 E136F8BC
y = 01 13A9974B 8B2B7EF5 FBF23E62 5454EC44 88BA6362
4.2.2. V verifies that P is not the point at infinity.
4.2.3. V sets z = x.
z = 04 E3826842 44C04893 45699F03 43363DE0 E136F8BC
4.3.
V generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. U computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
- 306 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.6.
4.7.
5.
6.
V signs SignData1 using Vs private signing key dsig,V as specified in Section 5.9.
rsig1 = 03 7B9D68AE 264C5A89 0E7134C6 895C7B6F 83BF9CC8
ssig1 = 258C86B0 635581AE A312C4BF 1B708A1E 84E2E5C7
7.
8.
- 307 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
9.
10.
V verifies that rsig2 and ssig2 is Us signature on SignData2 using the signature scheme
in Section 5.9.
J.2.13.2
U and V are using the elliptic curve domain parameters over F2163 specified in Annex
J.4.1 with asymmetric encryption scheme and signature scheme. These parameters have
been generated as specified in Section 5.1.2.1 and validated as specified in Section
5.1.2.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public encryption key is the key pair (denc,U, Qenc,U):
denc,U = 03 2FC4C61A 8211E6A7 C4B8B0C0 3CF35F7C F20DBD52
Qenc,U = 0203 5BFBC735 19CC4E01 27F1109D 68D67E03 D44B700D
Us public signing key is the key pair (dsig,U, Qsig,U):
dsig,U = BBA1D480 192C34D6 05184E56 133A3424 622B195E
Qsig,U = 0304 F20C4401 D8B0DD30 6ED5704B 7417EB1F 1AFFFF12
Us identifier:
U = 55736572 20550D0A
Vs public encryption key is the key pair (denc,V, Qenc,V):
denc,V = 02 BD198B83 A667A8D9 08EA1E6F 90FD5C6D 695DE94F
Qenc,V = 0200 06CABC14 BCFF4D88 9B52460B 9749C2FC 943FEDF1
Vs public signing key is the key pair (dsig,V, Qsig,V):
dsig,V = 02 062DC594 3545B4B8 C547BDBF 8A0BF21F B95D06CA
Qsig,V = 0207 87DD49D0 DDD540B0 179D6E3F F4735EEC EF5FCE27
Vs identifier:
- 308 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish the following lengths in bits: entlen = 64, mackeylen =160,
challengelen =160.
6.
U and V establish that they will use the standard Diffie-Hellman primitive as specified in
Section 5.4.1.
J.2.13.2.1
U obtains an authentic copy of Vs static signing public key Qsig,V and Vs identifier, then
executes the key transformation with V as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
U generates a 160 bit challenge number ChallengeU using the challenge generation
primitive in Section 5.3 and sends it to V.
ChallengeU = 3CFD8321 791BDF06 AF2B6684 B1D60F1E 695ABC88
2.
3.
4.
4.2.
U establishes a shared secret field element z from denc,U and Qe using the DiffieHellman primitive specified in Section 5.4.1.
- 309 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. U computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = 29E12088 40465827 AC52E0E4 1518DA40 22F86D12
Hash2 = 148C7B79 77128F92 29A489F4 082E8C7B 309C66D1
Hash3 = 74D1A0B3 C536DA64 8C19BE39 9851F2A3 B697CE7E
KeyData1 = 29E12088 40465827 AC52E0E4 1518DA40 22F86D12 148C7B79
77128F92 29A489F4 082E8C7B 309C66D1 74D1A0B3 C536DA64
4.4.
4.6.
5.
- 310 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U parses the first entlen bits of EncData as the purported identifier V of V and the next
keydatalen bits of EncData as keying data KeyData.
V= 55736572 20560D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
7.
8.
9.
Verifies that rsig1 and ssig1 are Vs signature on SignData1 using the signature scheme
specified in Section 5.9.
10.
11.
U signs SignData2 using Us private signing key dsig,U as specified in Section 5.9.
rsig2= 01 40CA54A6 4474606E C63F5DC8 AFFC2E14 A8ACF423
ssig2= 03 A2BEAD87 78CD10B6 4B67B02E 3AF692C8 FCF77508
12.
V obtains an authentic copy of Us static public signing key and Us identifier, then executes the
key transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit strings SharedData1 and SharedData2 are not present.
- 311 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.
3.
4.
V encrypts EncData under Us static public encryption key Qenc,U , using the asymmetric
encryption scheme in Section 5.8.
4.1.
4.2.
V establishes a shared secret field element z from de and Qenc,U using the DiffieHellman primitive specified in Section 5.4.1.
4.2.1. V computes P = deQenc,U = (x, y)
x = 06 BCDEE9EB B5EA4791 B10D4BF3 8A028272 8DD6D8F4
y = 05 C6CC88EF 31E83980 CA0FDE35 0F87E3AF 02FD3DA9
4.2.2. V verifies that P is not the point at infinity.
4.2.3. V sets z = x.
z = 06 BCDEE9EB B5EA4791 B10D4BF3 8A028272 8DD6D8F4
4.3.
V generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. V computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = 29E12088 40465827 AC52E0E4 1518DA40 22F86D12
Hash2 = 148C7B79 77128F92 29A489F4 082E8C7B 309C66D1
Hash3 = 74D1A0B3 C536DA64 8C19BE39 9851F2A3 B697CE7E
KeyData1 = 29E12088 40465827 AC52E0E4 1518DA40 22F86D12 148C7B79
77128F92 29A489F4 082E8C7B 309C66D1 74D1A0B3 C536DA64
- 312 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.6.
4.7.
5.
6.
V signs SignData1 using Vs private signing key dsig,V as specified in Section 5.9.
rsig1 = 03 7B9D68AE 264C5A89 0E7134C6 895C7B6F 83BF9CC8
ssig1 = 02 03ADC22A 70314990 653F87AA EDA3A0E6 86F16777
7.
8.
9.
10.
V verifies that rsig2 and ssig2 are Us signature on SignData2 using the signature scheme
in Section 5.9.
- 313 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
J.3
X9.63-2001
This section describes examples of each of the schemes in this Standard when elliptic curve
domain parameters over Fp are used. In each example, the cofactor Diffie-Hellman scheme
specified in Section 5.4.2 has been used, but as the cofactor is 1 the standard version of the
Diffie-Hellman scheme will produce the same results.
J.3.1 Ephemeral Unified Model Scheme
This section describes an example of the use of the ephemeral Unified Model scheme specified
in Section 6.1 by entities U and V. In the example, it is assumed that messages are relayed back
and forth faithfully between U and V.
Prerequisites: The following prerequisites are established by U and V:
1.
U and V are using the elliptic curve domain parameters over Fp specified in annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.1.1
U executes the key agreement transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
2.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
ANSI X9.63-2001
X9.63-2001
de,U = 117720748206090884214100397070943062470184499100
1.2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.2.
3.1.
3.2.
4.
5.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
5.2.
- 315 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V simultaneously executes the key agreement transformation to agree on keying data with U as
follows:
Input: The input to the key agreement transformation is:
1.
2.
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
1.1.
1.2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret value ze as the x-coordinate of the point Pe using the DiffieHellman primitive specified in Section 5.4.2.
3.1.
ANSI X9.63-2001
X9.63-2001
xe = 449463531776033716167288974106508917446441212281
ye = 519951960833221638909346997745737933611759949864
3.2.
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
5.1.
5.2.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified as in Section 5.1.1.2.
2.
V, being the responder in this case, is bound to the static key pair (ds,V, Qs,V), which has
been validated as specified in Section 5.2.2.
ds,V = 45FB58A9 2A17AD4B 15101C66 E74F277E 2B460866
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
- 317 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U executes the key agreement transformation to agree on keying data with V. U obtains an
authentic copy of Vs static public key Qs,V.
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
U derives the shared secret field element z using the Diffie-Hellman primitive specified
in Section 5.4.2.
2.1.
2.2.
2.3.
U sets z = x.
z = 1085975864196458062930292015476391094000785247698
3.
4.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 bits from Z.
- 318 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.2.
J.3.2.2
V executes the key agreement transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives the shared secret value z using the Diffie-Hellman primitive specified in
Section 5.4.2.
2.1.
2.2.
2.3.
V sets z = x.
z = 1085975864196458062930292015476391094000785247698
- 319 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.
V uses the key derivation function specified in Section 5.6.3 and the hash function SHA-1
to generate keying data KeyData of length 160 bits from Z.
4.1.
4.2.
Output: KeyData and the derived keying data of length of 160 bits.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
- 320 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U obtains an authentic copy of Vs static public key Qs,V and executes the key agreement
transformation to agree on keying data with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the Diffie-Hellman primitive specified in Section 5.4.2 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
U sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
2.
3.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
3.1.
3.2.
- 321 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us static public key Qs,U and executes the key agreement
transformation to agree on keying data with U as follows:
Input: The input to the key agreement transformation is:
1.
V uses the Diffie-Hellman primitive specified in Section 5.4.2 to derive the shared secret
field element zs.
1.1.
1.2.
1.3.
V sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
2.
3.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Zs.
3.1.
3.2.
- 322 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.4.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the initiator transformation is:
1.
ANSI X9.63-2001
X9.63-2001
The optional bit string SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
5.
6.
U used the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
- 324 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
6.2.
7.
8.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
8.1.
8.2.
9.
10.
U calculates the tag MacTag2 on MacData2 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
10.1.
10.2.
11.
U sends MacTag2 to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
11.1.
11.2.
11.3.
U sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
- 325 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
13.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
13.1.
13.2.
J.3.4.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit string SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V generates an ephemeral key pair (de,V, Qe,V) using the key generation primitive specified
in Section 5.2.1.
2.1.
- 326 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
3.1.
3.2.
3.3.
V sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data MacKey of length 160 bits from Zs.
5.1.
5.2.
6.
7.
V calculates the tag MacTag1 on MacData1 under the key MacKey using the tagging
transformation of the MAC scheme specified in Section 5.7.
7.1.
7.2.
8.
- 327 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
10.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
10.1.
10.2.
11.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
11.1.
11.2.
11.3.
V sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
12.
13.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to derive keying data KeyData of length 160 bits from Ze.
13.1.
13.2.
- 328 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.5.1
U obtains an authentic copy of Vs static public key Qs,V and executes the initiator transformation
to agree on keying data with V as follows:
Input: The input to the initiator transformation is:
1.
U generates an ephemeral key pair (de,U, Qe,U) using the key generation primitive
specified in Section 5.2.1.
1.1.
- 329 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
de,U = 117720748206090884214100397070943062470184499100
1.2.
1.3.
2.
U sends Qe,U to V.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
2.1.
2.2.
2.3.
U sets ze = xP.
ze = 1085975864196458062930292015476391094000785247698
3.
4.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
U sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
5.
6.
- 330 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
7.
U uses the key derivation function in Section 5.6.3 with the hash function SHA-1 to
generate keying data KeyData of length 160 bits from Z.
7.1
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.3.5.2
V obtains an authentic copy of Us static public key Qs,U and executes the responder
transformation to agree on keying data with U as follows:
Input: The input to the responder transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
2.1.
ANSI X9.63-2001
X9.63-2001
2.2.
2.3.
V sets ze = xP.
ze = 1085975864196458062930292015476391094000785247698
3.
4.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
4.1.
4.2.
4.3.
V sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
5.
6.
7.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
7.1
7.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 332 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.6.1
2.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
- 333 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.3.
2.
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
3.1.
3.2.
3.3.
U sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
4.
5.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
5.1.
5.2.
5.3.
U sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
6.
- 334 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1.
8.2
Output: The bit string KeyData as the keying data of length 160 bits.
J.3.6.2
2.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
1.1.
1.2.
1.3.
2.
V sends Qe,V to U.
ANSI X9.63-2001
3.
X9.63-2001
2.1.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
4.
5.
V computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
5.1.
5.2.
5.3.
V sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
6.
7.
- 336 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 octets from Z.
8.1.
8.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs identifier:
V = 55736572 20560D0A
- 337 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.7.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U computes the shared secret field element ze using the Diffie-Hellman primitive in
Section 5.4.2.
4.1.
- 338 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
ye = 519951960833221638909346997745737933611759949864
4.2.
4.3.
U sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
5.
6.
U computes the shared secret field element zs using the Diffie-Hellman primitive
specified in Section 5.4.2.
6.1.
6.2.
6.3.
U sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
7.
8.
9.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
9.1
9.2.
9.3.
ANSI X9.63-2001
X9.63-2001
9.4.
9.5.
U forms K = Hash1||Hash2
K = 2BC31A6D 0C2E80E1 5E2153EE B6F7B81E 2444FAE3 72457982 FFD52A08
A864ABF7 12DA47F6 64BD41BB
10.
11.
12.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
12.1.
12.2.
13.
14.
U sends MacTag2 to V.
Output: The bit string KeyData as the keying data of length 160 bits.
- 340 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
3.1.
3.2.
3.3.
V sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
4.
ANSI X9.63-2001
X9.63-2001
V computes shared secret field element zs using the Diffie-Hellman primitive specified in
Section 5.4.2.
5.1.
5.2.
5.3.
V sets zs = xs.
zs = 299788397944634715806132674187442328057793677109
6.
7.
8.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
8.1.
8.2.
8.3.
8.4.
8.5.
V forms K = Hash1||Hash2
- 342 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
9.
10.
11.
12.
13.
14.
15.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
15.1.
15.2.
MacTag2 = MacTag2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 343 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.8.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
- 344 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.2.
1.3.
U sends Qe,U to V.
2.
3.
4.
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
5.
U verifies the signature rsig1 , ssig1 using the verifying transformation of the signature
scheme in Section 5.9.
6.
U computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
6.1.
6.2.
6.3.
U sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
7.
8.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
- 345 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.2.
8.3.
8.4.
8.5.
9.
10.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
10.1.
10.2.
11.
12.
13.
ANSI X9.63-2001
X9.63-2001
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.3.8.2
V obtains an authentic copy of Us identifier and Us public key Qs,U and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V computes the shared secret field element ze using the Diffie-Hellman primitive
specified in Section 5.4.2.
3.1.
ANSI X9.63-2001
X9.63-2001
3.2.
3.3.
V sets ze = xe.
ze = 449463531776033716167288974106508917446441212281
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 octets from Ze.
5.1
5.2.
5.3.
5.4.
5.5.
6.
7.
8.
ANSI X9.63-2001
X9.63-2001
9.2.
10.
11.
12.
V verifies the signature rsig2, ssig2 using the verifying transformation of the primitive
specified in Section 5.9.
13.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
13.1.
13.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
- 349 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.9.1
U obtains an authentic copy of Vs public key Qs,V and executes the key agreement
transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
2.
U sends Qe,U to V.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Q2,V = Qs,V using the MQV primitive in Section 5.5.
2.1.
- 350 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.3.
2.4.
U sets z = x.
z = 661408600714511394621972158015558586802175237189
3.
4.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
4.1
4.2.
Output: The bit string KeyData as the keying data of length 160 bits.
J.3.9.2
V obtains an authentic copy of Us public key Qs,U and executes the key agreement
transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
ANSI X9.63-2001
X9.63-2001
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives z from the key pairs (d1,V, Q1,V) = (d2,V, Q2,V) = (ds,U, Qs,U) and Q1,U = Qs,U Q2,U
= Qe,U using the MQV primitive specified in Section 5.5.
2.1.
2.2.
2.3.
2.4.
V sets z = x.
z = 661408600714511394621972158015558586802175237189
3.
4.
V uses the key derivation function specified in Section 5.6.3. with the hash function
SHA-1 to generate keying data KeyData of length 160 bits from Z.
4.1
4.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 352 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys which have been validated as specified in Section
5.2.2. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Vs public key is the key pair (ds,V, Qs,V):
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
3.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.10.1
U obtains an authentic copy of Vs public key Qs,V and executes the key agreement
transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
2.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
ANSI X9.63-2001
X9.63-2001
3.
U sends Qe,U to V.
2.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Qs,V, Q2,V = Qe,V using the MQV primitive specified in Section 5.5.
3.1.
3.2.
3.3.
3.4.
U sets z = x.
z = 76343146387326777344320034129452410225517153317
4.
5.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
5.1
5.2.
Output: The bit string KeyData as the keying data of length 160 bits.
- 354 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us public key Qs,U and executes the key agreement
transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
1.1.
1.2.
1.3.
2.
3.
V sends Qe,V to U.
2.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V derives z from the key pairs (d1,V, Q1,V) = (ds,V, Qs,V), (d2,V, Q2,V) = (de,V, Qe,V) and Q1,U =
Qs,U, Q2,U = Qe,U using the MQV primitive specified in Section 5.5.
3.1.
3.2.
- 355 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
3.3.
3.4.
V sets z = x.
z = 76343146387326777344320034129452410225517153317
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data KeyData of length 160 bits from Z.
5.1.
5.2.
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (ds,U, Qs,U):
ds,U = 971761939728640320549601132085879836204587084162
Qs,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (ds,V, Qs,V):
- 356 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
ds,V = 399525573676508631577122671218044116107572676710
Qs,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
J.3.11.1
U obtains an authentic copy of Vs identifier and Vs public key Qs,V and executes the key
agreement transformation with V as follows:
Input: The input to the key agreement transformation is:
1.
U uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,U, Qe,U).
1.1.
1.2.
1.3.
U sends Qe,U to V.
2.
3.
- 357 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
4.
X9.63-2001
3.1.
3.2.
U checks that Qe,V consists of a pair of field elements and that Qe,V satisfies the
defining equation of the elliptic curve.
U derives z from the key pairs (d1,U, Q1,U) = (ds,U, Qs,U), (d2,U, Q2,U) = (de,U, Qe,U) and Q1,V
= Qs,V, Q2,V = Qe,V using the MQV primitive specified in Section 5.5.
4.1.
4.2.
4.3.
4.4.
U sets z = x.
z = 76343146387326777344320034129452410225517153317
5.
6.
U uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 160 + 160 bits from Z.
6.1
6.2.
6.3.
6.4.
6.5.
ANSI X9.63-2001
X9.63-2001
7.
8.
9.
U verifies the tag MacTag1 is the tag for MacData1 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
9.1.
9.2.
10.
11.
11.2.
U sends MacTag2 to V.
Output: The bit string KeyData as the keying data of length 160 bits.
J.3.11.2
V obtains an authentic copy of Us public key Qs,U, and Us identifier, and executes the key
agreement transformation with U as follows:
Input: The input to the key agreement transformation is:
1.
2.
ANSI X9.63-2001
X9.63-2001
2.
1.2.
V checks that Qe,U consists of a pair of field elements and that Qe,U satisfies the
defining equation of the elliptic curve.
V uses the key pair generation primitive in Section 5.2.1 to generate an ephemeral key
pair (de,V, Qe,V).
2.1.
2.2.
3.
V derives z from the key pairs (d1,V, Q1,V) = (ds,V, Qs,V), (d2,V, Q2,V) = (de,V, Qe,V) and Q1,U =
Qs,U, Q2,U = Qe,U using the MQV primitive specified in Section 5.5.
3.1.
3.2.
3.3.
3.4.
V sets z = x.
z = 76343146387326777344320034129452410225517153317
4.
5.
V uses the key derivation function specified in Section 5.6.3 with the hash function SHA1 to generate keying data K of length 20 + 20 octets from Z.
- 360 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
5.2.
5.3.
5.4.
5.5.
6.
7.
8.
8.2.
9.
10.
11.
V verifies the tag MacTag2 is the tag for MacData2 under the key MacKey using the tag
checking transformation specified in Section 5.7.2.
11.1.
ANSI X9.63-2001
X9.63-2001
11.2
Output: The bit string KeyData as the keying data of length 160 bits.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1.
These parameters have been generated as specified in Section 5.1.1.1 and validated as
specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public key is the key pair (denc,U, Qenc,U):
denc,U = 971761939728640320549601132085879836204587084162
Qenc,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us identifier:
U = 55736572 20550D0A
Vs public key is the key pair (denc,V, Qenc,V):
denc,V = 399525573676508631577122671218044116107572676710
Qenc,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
- 362 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
U obtains an authentic copy of Vs static key Qenc,V and executes the key transformation with V
as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
2.
U encrypts EncData under Vs static public key Qenc,V , using the asymmetric encryption
scheme in Section 5.8.
2.1.
2.2.
U establishes a shared secret field element z from de and Qenc,V using DiffieHellman primitive specified in Section 5.4.2.
2.2.1. U computes P = deQenc,V =(x,y)
x = BE38D789 BB107CBB 28615A0A 5829A5BD 2BE74DD2
y = BDF43AE0 33796171 C2227888 CF181EDA FEE9A3D8
2.2.2. U verifies that P is not the point at infinity.
2.2.3. U sets z = x.
z = BE38D789 BB107CBB 28615A0A 5829A5BD 2BE74DD2
2.3.
U generates keying data KeyData1 of length 384 bits using the key derivation
function specified in Section 5.6.3. U computes
KeyData1 = Hash1||Hash2||Hash3, where Hashi = SHA-1(Z||counter).
Hash1 = FA596357 40333F13 E317FCDF BE4F1B87 1B725FDD
- 363 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.6.
2.7.
3.
U sends EncryptedData to V.
V obtains an authentic copy of Us identifier and executes the key transformation with U as
follows:
Input: The input to the key agreement transformation is:
1.
2.
ANSI X9.63-2001
X9.63-2001
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
1.2.
V establishes a shared secret field element z from denc,V and Qe using DiffieHellman primitive specified in Section 5.4.2.
1.2.1. V computes P = denc,V Qe = (x,y)
x = BE38D789 BB107CBB 28615A0A 5829A5BD 2BE74DD2
y = BDF43AE0 33796171 C2227888 CF181EDA FEE9A3D8
1.2.2. V verifies that P is not the point at infinity.
1.2.3. V sets z = x.
z = BE38D789 BB107CBB 28615A0A 5829A5BD 2BE74DD2
1.3.
V generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. V computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||Counter).
Hash1 = FA596357 40333F13 E317FCDF BE4F1B87 1B725FDD
Hash2 = 77DB0F8E 35B6313B BEF42537 A0B0125D A242D2B8
Hash3 = 413216F7 83519EDA A32E03BA 663DB327 CB2F4025
KeyData1 = FA596357 40333F13 E317FCDF BE4F1B87 1B725FDD 77DB0F8E
35B6313B BEF42537 A0B0125D A242D2B8 413216F7 83519EDA
1.4.
- 365 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
1.6.
V verifies the tag MacTag is the tag for MacData under the key MacKey using
the tag checking transformation specified in Section 5.7.2.
1.6.1. V computes the tag MacTag by MacData = MaskedEncData as specified
in Section 5.7.
MacTag = CBF13096 B0FF4447 4169D8ED E141FA53 5D31E7A7
1.6.2. V verifies that MacTag = MacTag.
2.
3.
V parses the first entlen bits of EncData as U and the next keydatalen bits as KeyData.
U = 55736572 20550D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
4.
This section describes an example of the use of the 3-Pass Key Transport scheme specified in
Section 7.2 by entities U and V. In the example, it is assumed that messages are relayed back and
forth faithfully between U and V.
Prerequisites: The following prerequisites are established by U and V:
1.
U and V are using the elliptic curve domain parameters over Fp specified in Annex J.5.1
with asymmetric encryption scheme and signature scheme. These parameters have been
generated as specified in Section 5.1.1.1 and validated as specified in Section 5.1.1.2.
2.
U and V are bound to static public keys that have been validated as specified in Section
5.2.2. The binding of U and V to their keys includes the use of unique identifiers for each
entity. Us public encryption key is the key pair (denc,U, Qenc,U):
denc,U = 971761939728640320549601132085879836204587084162
Qenc,U = 02 B3039580 73D981F4 42E09A50 9506AF09 DD3A78D0
Us public signing key is the key pair (dsig,U, Qsig,U):
- 366 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
dsig,U = 140330946839806451244026533820508889770911588974
Qsig,U = 03 CD47CF7C 088D8E4D 8689A8EC 47BA80C8 E4616285
Us identifier:
U = 55736572 20550D0A
Vs public encryption key is the key pair (denc,V, Qenc,V):
denc,V = 399525573676508631577122671218044116107572676710
Qenc,V = 03 86FA25CF 0A09E7DE D3DC5D0B 90DE16DD 731BEAD5
Vs public signing key is the key pair (dsig,V, Qsig,V):
dsig,V = 295388135656307709052857763749318619948879329760
Qsig,V= 02 3A766FDC 129D75BA 02A60A35 80EEC9BA C488958A
Vs identifier:
V = 55736572 20560D0A
3.
U and V are using the ANSI-approved MAC scheme HMAC with SHA-1.
4.
U and V are using the ANSI-approved hash function SHA-1 with the key derivation
function.
5.
U and V establish the following lengths in bits: entlen = 64, mackeylen =160,
challengelen =160.
J.3.13.1
U obtains an authentic copy of Vs static signing public key Qsig,V and Vs identifier, then
executes the key transformation with V as follows:
Input: The input to the initiator transformation is:
1.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: U derives keying data as follows:
1.
ANSI X9.63-2001
X9.63-2001
2.
3.
4.
4.2.
U establishes a shared secret field element z from denc,U and Qe using DiffieHellman primitive define in 5.4.2.
4.2.1. U computes P = denc,U Qe = (x,y)
x = 46FDAF9C 5F4A7261 BD11504F 157D739A 9A225797
y = 18814264 ADEDAD68 E93B6D21 663B1A61 E52204FE
4.2.2. U verifies that P is not the point at infinity.
4.2.3. V sets z = x.
z = 46FDAF9C 5F4A7261 BD11504F 157D739A 9A225797
4.3.
U generates keying data KeyData1 of length 384-bits using the key derivation
function defined in Section 5.6.3. U computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = E0446CBF 548EF6C2 78EBA260 09570E8C 97341DEA
Hash2 = C45D69EB BBDCBDE6 876198FB C876BD1A D58E55D4
Hash3 = 82760C1E 10BE53DE E01A88F5 6F282521 02A1D883
KeyData1 = E0446CBF 548EF6C2 78EBA260 09570E8C 97341DEA C45D69EB
BBDCBDE6 876198FB C876BD1A D58E55D4 82760C1E 10BE53DE
4.4.
- 368 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.6.
5.
6.
U parses the first entlen bits of EncData as the purported identifier V of V and next
keydatalen bits of EncData as keying data KeyData.
V = 55736572 20560D0A
KeyData = 8BB71D26 DFACC5C2 DEDB2286 7097DD65 ECAB14E9
7.
U verifies V= V, OK.
8.
9.
Verifies that rsig1 and ssig1 is Vs signature on SignData1 using the signature scheme in
Section 5.9.
10.
11.
U signs SignData2 using Us private signing key dsig,U as specified in Section 5.9.
rsig2= 82E70F68 7EE1EA18 4740F6AD E631EBD7 2945DB91
ssig2= 3994F0D1 9FF1287C 89DEEAD1 414ACAB2 B83F8ECE
12.
- 369 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
V obtains an authentic copy of Us identifier, then executes the key transformation with U as
follows:
Input: The input to the key agreement transformation is:
1.
2.
The optional bit strings SharedData1 and SharedData2 are not present.
Actions: V derives keying data as follows:
1.
2.
3.
4.
V encrypts EncData under Us static public encryption key Qenc,U , using the asymmetric
encryption scheme in Section 5.8.
4.1.
4.2.
V establishes a shared secret field element z from de and Qenc,U using the DiffieHellman primitive specified in Section 5.4.2.
4.2.1. V computes P = deQenc,U = (x, y)
x = 46FDAF9C 5F4A7261 BD11504F 157D739A 9A225797
y = 18814264 ADEDAD68 E93B6D21 663B1A61 E52204FE
4.2.2. V verifies that P is not the point at infinity.
- 370 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
4.2.3. V sets z = x.
z = 46FDAF9C 5F4A7261 BD11504F 157D739A 9A225797
4.3.
V generates keying data KeyData1 of length 384-bits using the key derivation
function specified in Section 5.6.3. V computes KeyData1 = Hash1||Hash2||Hash3,
where Hashi = SHA-1(Z||counter).
Hash1 = E0446CBF 548EF6C2 78EBA260 09570E8C 97341DEA
Hash2 = C45D69EB BBDCBDE6 876198FB C876BD1A D58E55D4
Hash3 = 82760C1E 10BE53DE E01A88F5 6F282521 02A1D883
KeyData1 = E0446CBF 548EF6C2 78EBA260 09570E8C 97341DEA C45D69EB
BBDCBDE6 876198FB C876BD1A D58E55D4 82760C1E 10BE53DE
4.4.
4.6.
4.7.
5.
6.
V signs SignData1 using Vs private signing key dsig,V as specified in Section 5.9.
- 371 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
8.
9.
10.
V verifies that rsig2 and ssig2 are Us signature on SignData2 using the signature scheme
in Section 5.9.
J.4
This section presents sample curves over F2m that may be used to ensure the correct
implementation of this Standard. Section J.4.1 gives sample curves over F2163. Section J.4.2
gives sample curves over F2193. Section J.4.3 gives sample curves over F2233. Section J.4.4 gives
a sample curve over F2239. Section J.4.5 gives sample curves over F2283. Section J.4.6 gives
sample curves over F2409. Section J.4.7 gives sample curves over F2571.
J.4.1 3 Examples with m = 163
This section specifies three sample elliptic curves over F2163. The first example specifies
parameters associated with a Koblitz curve. The second example specifies parameters generated
verifiably at random using a modified version of the method found in Annex A.3.3.1. The third
example specifies parameters generated verifiably at random using the method described in
Annex A.3.3.1.
2.
- 372 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
02
Example 2
SEED
a=
b=
For historical reasons the method used to generate E from SEED differs slightly from the method
described in Annex A.3.3.1. Specifically the coefficient b produced from SEED is the reverse of
the coefficient that would have been produced by the method described in Annex A.3.3.1.
yG =
- 373 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
The order of G:
n=
The cofactor:
h=
02
Example 3
SEED
a=
b=
yG =
The order of G:
n=
The cofactor:
h=
02
2.
- 374 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
SEED
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
02
Example 2
SEED
a=
b=
yG =
Order of G:
n=
The cofactor:
- 375 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
02
2.
Example 1
a=
b=
The cofactor:
h=
04
- 376 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 2
SEED
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
02
2.
- 377 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
04
2.
- 378 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
04
Example 2
SEED
a=
b=
- 379 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Order of G:
n=
The cofactor:
h=
02
2.
Example 1
a=
00
b=
01
yG =
- 380 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Order of G:
n=
330527984395124299475957654016385519914202341482140609642324395022
880711289249191050673258457777458014096366590617731358671
The cofactor:
h=
04
Example 2
SEED
b=
yG =
Order of G:
n=
661055968790248598951915308032771039828404682964281219284648798304
157774827374805208143723762179110965979867288366567526771
The cofactor:
h=
02
- 381 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
2.
Example 1
a = 00
b = 01
Base point G (with point compression):
02 026EB7A8 59923FBC 82189631 F8103FE4 AC9CA297 0012D5D4 60248048
01841CA4 43709584 93B205E6 47DA304D B4CEB08C BBD1BA39 494776FB 988B4717
4DCA88C7 E2945283 A01C8972
yG =
Order of G:
n=
193226876150862917234767594546599367214946366485321749932861762572
575957114478021226813397852270671183470671280082535146127367497406
6617311929682421617092503555733685276673
The cofactor:
h=
04
Example 2
SEED
- 382 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
yG =
Order of G:
n=
386453752301725834469535189093198734429892732970643499865723525145
151914228956042453614399938941577308313388112192694448624687246281
6813070234528288303332411393191105285703
The cofactor:
h=
J.5
02
This section presents sample curves over Fp that may be used to ensure the correct
implementation of this Standard. Section J.5.1 gives sample curves over 160-bit prime fields.
Section J.5.2 gives sample curves over 192-bit prime fields. Section J.5.3 gives sample curves
over 224-bit prime fields. Section J.5.4 gives sample curves over 256-bit prime fields. Section
J.5.5 gives a sample curve over a 384-bit prime field. Section J.5.6 gives a sample curve over a
521-bit prime field.
- 383 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
Elliptic Curve Domain Parameter Setup
1.
2.
b=
yG =
Order of G:
n=
The cofactor:
h=
01
Example 2
Elliptic Curve Domain Parameter Setup
1.
2.
- 384 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
01
Example 3
Elliptic Curve Domain Parameter Setup
1.
2.
a=
b=
- 385 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
yG =
Order of G:
n=
The cofactor:
h=
01
Example 1
Elliptic Curve Domain Parameter Setup
1.
2.
b=
yG =
- 386 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Order of G:
n=
The cofactor:
h=
01
Example 2
Elliptic Curve Domain Parameter Setup
1.
2.
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
01
- 387 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
Elliptic Curve Domain Parameter Setup
1.
2.
b=
yG =
Order of G:
n=
The cofactor:
h=
01
- 388 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 2
Elliptic Curve Domain Parameter Setup
1.
2.
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
01
- 389 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example 1
Elliptic Curve Domain Parameter Setup
1.
2.
b=
yG =
Order of G:
n=
The cofactor:
h=
01
Example 2
Elliptic Curve Domain Parameter Setup
1.
- 390 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
p = 115792089210356248762697446949407573530086143415290314195533
631308867097853951
2.
a=
b=
yG =
Order of G:
n=
The cofactor:
h=
01
Example
Elliptic Curve Domain Parameter Setup
1.
ANSI X9.63-2001
X9.63-2001
p = 394020061963944792122790401001436138050797392704654466679482
93404245721771496870329047266088258938001861606973112319
2.
a=
b=
yG =
Order of G:
n=
394020061963944792122790401001436138050797392704654466679469052796
27659399113263569398956308152294913554433653942643
The cofactor:
h = 01
J.5.6 An Example with a 521-bit Prime
This section specifies a sample elliptic curve over a 521-bit prime field Fp. The example
specifies parameters generated verifiably at random using the method found in Annex A.3.3.1.
- 392 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Example
Elliptic Curve Domain Parameter Setup
1.
2.
a=
b=
yG =
Order of G:
n=
686479766013060971498190079908139321726943530014330540939446345918
554318339765539424505774633321719753296399637136332111386476861244
0380340372808892707005449
The cofactor:
- 393 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
01
- 394 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
Annex K
(informative)
Bibliography
2.
3.
ANSI X9.30-1993, Part 2: Public Key Cryptography using Irreversible Algorithms for
the Financial Services Industry: The Secure Hash Algorithm 1 (SHA-1)(Revised). 1993.
4.
ANSI X9.42-2001: Public Key Cryptography for the Financial Services Industry:
Agreement of Symmetric Algorithm Keys Using Diffie-Hellman. 2001.
- 395 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
5.
ANSI X9.52-1996: Triple Data Encryption Algorithm Modes of Operation. July, 1998.
6.
ANSI X9.57-1997: Public Key Cryptography for the Financial Services Industry:
Certificate Management. 1997.
7.
ANSI X9.62-1999: Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA). 1998.
8.
9.
10.
11.
12.
13.
14.
L. Bassham, R. Housley, and W. Polk. Algorithms and identifiers for the Internet X.509
Public Key Infrastructure. Internet Engineering Task Force, internet-draft, 2001.
15.
16.
17.
M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing
efficient protocols. In 1st ACM Conference on Computer and Communications Security,
pages 62-73, 1993.
18.
19.
S. Blake-Wilson, D. Johnson, and A.J. Menezes. Key agreement protocols and their
security analysis. In Cryptography and Coding, 6th IMA Conference, Springer-Verlag,
pages 30-45, 1997.
20.
ANSI X9.63-2001
X9.63-2001
21.
D. Boneh and R.J. Lipton. Algorithms for black-box fields and their application to
cryptography. In Advances in Cryptology: Crypto 96, pages 283-297, 1996.
22.
23.
24.
W. Diffie, P.C. van Oorschot, and M.J. Wiener. Authentication and authenticated key
exchanges. Designs, Codes, and Cryptography. 2, pages 107-125, 1992.
25.
26.
FIPS 196. Entity Authentication using Public Key Cryptography. Federal Information
Processing Standards Publication 196, February 18, 1997.
27.
28.
G. Frey and H.-G. Ruck. A remark concerning m-divisibility and the discrete logarithm
problem in the divisor class group of curves. Mathematics of Computation, 62, pages
865-874. 1994.
29.
30.
31.
IEEE P1363A. Standard for Public-Key Cryptography - Addendum. July 11, 1997.
Working Document.
32.
33.
34.
35.
- 397 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
B. Kaliski. MQV vulnerability. Posting to ANSI X9F1 and IEEE P1363 newsgroups.
1998.
46.
47.
48.
N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48, pages 203209, 1987.
49.
50.
- 398 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
51.
A. Lenstra and E. Verheul. Selecting cryptographic key sizes. Proceedings of PKC 2000,
Springer-Verlag, pages 446-465, 2000.
52.
53.
R.J. McEliece. Finite Fields for Computer Scientists and Engineers. Kluwer Academic
Publishers, 1987.
54.
A.J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers,
1993.
55.
A.J. Menezes, T. Okamoto, and S.A. Vanstone. Reducing elliptic curve logarithms to
logarithms in a finite field. IEEE Transactions on Information Theory, 39, pages 16391646, 1993.
56.
A.J. Menezes, M. Qu, and S.A. Vanstone. Some new key agreement protocols providing
implicit authentication. Workshop record. 2nd Workshop on Selected Areas in
Cryptography (SAC 95), Ottawa, Canada, May 18-19, 1995.
57.
A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone. Handbook of Applied
Cryptography. CRC Press, 1997.
58.
59.
60.
61.
T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm
for anomalous elliptic curves. Commentarii Mathematici Universitatis Pauli, 47, pages
81-92, 1998.
62.
R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p.
Mathematics of Computation, 44, pages 483-494, 1987.
63.
64.
N. Smart. The discrete logarithm problem on elliptic curves of trace one. Journal of
Cryptology, 12, pages 193-196, 1999.
65.
P.C. van Oorschot and M. Wiener. Parallel collision search with applications to hash
functions and discrete logarithms. 2nd ACM Conference on Computer and
Communications Security, pages 210-218, ACM Press. 1994.
- 399 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET
ANSI X9.63-2001
X9.63-2001
- 400 Licensed to X9
ANSI Store keycode order/Downloaded: 6/23/2004 10:30:20 AM ET