technical report - sejongdasan.sejong.ac.kr/~chlim/pub/fs-tr00-13.pdf · technical report / 1 , 1 1...

FS-TR00-13 Dec. 22, 2000 (82 pages)

Technical Report

��/��

�� 1,�� 1

1 �� 372-2��( �)��

e-mail: {dhlee, chlim}@future.co.kr

Abstract(��)

�� !�� "#$��%&'�() ��*��+�%&,-� �(.*��/�

01%&2&�� 3456#7 ��89 ��: ��!�� ;< ��=>�� =>�� (. ��?@%& �� AB�

C��%&��;<��=>�� "��D6. �� (.*��E��:��F1��,!��;<, MAC, !"�GH�� ,H�#� I�,H��H�JK=>� �(.*��,LM*�(.�N6�!�;<"�#� ��;<�$�+�%&O6P<#$ ��*�56�$�D6.

(��)�� !"Cryptography & Network Security Center, Future Systems, Inc.(http://www.future.co.kr, http://www.future.co.kr/cnscenter)

%&'?@/%�&�� (.*��01%&2&��!�

��, ��

�� 372-2��( �)��,��Q6

email : {dhlee, chlim}@future.co.kr

2000'(( 12�� 22��)

�#$

�� 1�� %& �� 2

�� 2�� '��(��/�� 32.1 �� (.*��)�� Sכ� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.1 64'�F1�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.1.2 128'�F1�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.1.3 ��F1�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2 ��*� ��T>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.1 ECBT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.2 ECB-CTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.3 CBCT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2.4 CBC-PADT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2.5 CBC-CTST>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.6 OFBT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.7 CFBT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.2.8 CounterT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

�� 3�� 10

�� 4�� MAC�� 124.1 HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124.2 KMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124.3 CBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.3.1 ISO/IEC 9797-1� CBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134.3.2 RIPE-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.3.3 XCBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.4 UMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174.4.1 UHASH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194.4.2 UHASH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

�� 5�� /��)�(�כ�� 225.1 VW��Q6��&*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245.2 RSAES-PKCS#1-v1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245.3 RSAES-OAEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245.4 Mask Generation Funcion(MGF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

i

�� 6�� &%�)�(�כ�� 266.1 RSASSA-PKCS#1-v1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266.2 RSASSA-PSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276.3 EMSR3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286.4 DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306.5 KCDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306.6 DSAX� KCDSA�'�() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

�� 7�� (��*� �� 327.1 VW��Q6��&*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337.2 Diffie-HellmanY6Z6[�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337.3 Diffie-HellmanH�#� I�01%&2&�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

7.3.1 Static-Static DH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347.3.2 Ephemeral-Static DH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347.3.3 Ephemeral-Ephemeral DH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357.3.4 MQV1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357.3.5 MQV2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

7.4 Shared secret+�%&\��Master secret�"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . 367.4.1 X9.42 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367.4.2 RFC 2631 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377.4.3 IEEE P1363� KDF1/� IEEE P1363a�KDF2 . . . . . . . . . . . . . . . . . . . . . 37

�� 8�� כ��$+�� 388.1 JK��+��GכS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388.2 Q6�� !',,(��GכS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.3 VW��Q6��&*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

8.3.1 ��;<X� octet string�*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.3.2 '�F1%�)/� octet string�*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.3.3 ��;<X�'�F1%�)�*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.3.4 JK��+��]̂X� octet string�*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . 418.3.5 JK��+��]̂-�� ;<%&*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418.3.6 Q6�� !',,(� -�/� octet string�*+(� . . . . . . . . . . . . . . . . . . . . . . . . . . 41

8.4 ECDSA(Elliptic Curve DSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428.5 ECKCDSA(Elliptic Curve KCDSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428.6 Elliptic Curve Diffie-Hellman (ECDH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448.7 Shared secret+�%&\��Master secret"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

�� 9�� (�,-./(key derivation)�� 479.1 SSL 3.0/� TLS 1.0�H�JK=>��;< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479.2 IPSec IKE�H�JK=>��;< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499.3 _��U�� ̀�.��+H�JK=>��;< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

9.3.1 PKCS#5 PBKDF1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509.3.2 PKCS#5 PBKDF2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519.3.3 PKCS#12 PBKDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

�� 10�� (��(Key Wrap)�� 5210.1 !"�GH��-��+ Key Wrap(key transport) . . . . . . . . . . . . . . . . . . . . . . . . 5210.2 ��-��+ Key Wrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5210.3 Password-based Key Wrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

�� 11�� 0$ ��1�� 2� 53

�� 55

ii

34�� A UMAC 60A.1 UHASH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

A.1.1 L1-HASH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60A.1.2 L2-HASH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61A.1.3 POLY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62A.1.4 L3-HASH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

A.2 UHASH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63A.2.1 L1-HASH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63A.2.2 L2-HASH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64A.2.3 L3-HASH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

A.3 KDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65A.4 PDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

34�� B ./56��7$8$9�!"�� 66B.1 DSA=>a@��(Y6Z6[�� p, q�"�#� �/�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66B.2 KCDSA=>a@��(Y6Z6[�� p, q, g�"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67B.3 Diffie-Hellman=>a@��(Y6Z6[�� p, q�"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . 68

B.3.1 X9.42� �� Y6Z6[��"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68B.3.2 IPSec IKE� ��N6��56�� Oakley group�"�#� �!/"0�& . . . . . . . . . . . . . . . . . . 69

B.4 Q6�� !',,(/�H��"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69B.4.1 Fp�#�Q6�� !',,( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69B.4.2 F2m�#�Q6�� !',,( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70B.4.3 H��"�#� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

34�� C Diffie-Hellman(��*� �� 70C.1 X9.42�H�#� I�01%&2&�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

C.1.1 Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70C.1.2 MQV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

C.2 RFC 2631�DH01%&2&�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72C.3 ��(��1�� 01%&2&�� N6��56��T>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . 72C.4 H�#� I�01%&2&��כS�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

34�� D ECDH:� ECMQV 73D.1 X9.63�H�#� I�01%&2&�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

D.1.1 ECDHH�#� I�01%&2&��T>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74D.1.2 ECMQVH�#� I�01%&2&��T>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

D.2 ECDHX� ECMQV�T>U��כS�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74D.3 Q6�� !',,( Key transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

34�� E Algorithm OIDs 76

��#$

1 �� (.*��/�� .�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 '��)H�� (.*��)�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 ��*� ��T>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 !�� (.*��)�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 UMAC�Y6Z6[�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 UMAC�$!�2/(� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 DSAX� KCDSA�H��('�F1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 DSAX� KCDSA�� "�#� �/�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 JK��+��X�Q6�� !',,(�Y6Z6[��'�() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4010 ECDSAX� ECKCDSA�'�() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

iii

;��#$

1 ECB-CTST>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 CBCT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 CTST>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 OFBT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 CFBT>U� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 MAC 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 MAC 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 MAC 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 MAC 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1510 RIPE-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1711 XCBC-MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1712 NH-32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113 NH-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2214 PKCS#1-OAEP��(bc�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2515 PKCS#1-PSS��(bc�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2816 P1363a EMSR3��(bc�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2917 Q6�� !',,(�3�1�45 : P +Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

iv

Update

• 2001�� 6�� 4��

1. 56�) : Multiprimed�e6.

2. 6.26�) : PKCS#1-PSS-�� PKCS#1 2.1 draft#2� % &=>��f60&1.

3. 6.36�) : remark-�� 6.26�)/�% &=>��*+(��.

4. 8.56�) : ECKCDSA� ��N6��g6 parameter z' >;כ��.

5. PKCS#1, P1363a,)*+(..��2�7�#��(.

6. SHA256, SHA384, SHA512� 34��+ OIDd�e6.

1

�� 1�� %& ��

��$!�2/(� �34 % ,34 ��—�� (.*��/01%&2&��,�!�;<"�#� ��̀,��!/"0�&,��56�*� -��(h&��,ijF1��N6��h&��,�� *�,N6��g6�� *��$��$�—� �7� 56kl,#$m��+\�#� Sכ��898�9�56�̀ %.)S56D6Z6כ8�9( 8.)56e6#$9!&D6.��,$!�2/(��+��:��56�̀�#!��T>;��%&JK�̀ -��(n>��e6"�.S56D6כ(��.��LM8�9� �� (.*��/01%&2&�� 3456#7� -��% &d�(.,�� !�� "#$

�� %&'�() ��*��+�%&,-� �(.*��/� 01%&2&�� 3456#7��89 ��:��!�� ;<��=>��

=>�� (.��?@%&��AB�C��%&��;<��=>�� "��D6.' -34 �� (.*��Z6(.��C�Z6=>#$o-��+!/"#��+�%&��56m�Op� q6Z6��LM$!�2/(� �� r6��e6��

��;< ��+�kl��56��!/"0�&�� s6D6��%& D6t1(.��)\�� 34 �� 2/(��+��+�%& �� "C�

� ,34 .��D6<=1כ� q6Z6��%&'?@ �� %�(&': .;��O6 %�&�� 2/(�.� -�+�%& �=> -�+�%& ��"(.�� #$o-��+1כ��(C�Y6��56134כ�� a�J<8�9כS56D6.�� (.*�� 34!��[�%&'<<(!/"�� (FIPS),[�%&'�� =(>�/(ANSI)�X9, RSA Security Inc.�

PKCS(Public Key Cryptography Standards), IEEE� P1363LM*�(. ISO/IEC�� .��)*+n>56�$�(.,��(��1 �� +�%&�� IETF(Internet Engineering Task Force)� RFC(Request For Comments)X� IETF�working group(SMIME, IPSEC, PKIX, SECSH, TLS)� Internet Draft�$��)*+n>56�$�D6.LM0?1� � �(.*�� 34��+ #� ��/� u2��( � �(.*�� @" Y6��34 Crypto, Eurocrypt, Asiscrypt, FSE(Fast SoftwareEncryption)�$��%&'?@�A�/C�-��)*+n>56�$�D6.�� (.*��34 E��:��F1��,!��;<, MAC, !"�GH�� ,H�#� I�,H��

��H�JK=>� �(.*��,LM*�(.�N6�!�;<"�#� ��;<�$�+�%&O6=6�;<��D6.�� (.*�� )*+(.��+�� B+(�� /��A�/C�� 1� ��*�56�$�D6.

64'�<= : DES, DES3, DESX, RC5, BLOWFISH, FIPS 46-3, FSE’93, FSE’94CAST128, IDEA, SAFER , RC2 RFC 2144, RFC 2268

�� 128'�<= : SEED, CRYPTON, CAST256, TTA�� , FSE’99, RFC 2612,RC6, TWOFISH, RIJNDAEL, MARS, SERPENT AESvwh&Mode of Operation : FIPS 81ECB, CBC, CTS, OFB, CFB, Counter ISO/IEC 8372

��F1�� RC4, SEAL FSE’93, J. of Crpyt.’98

!��;< MD5, SHA1, SHA-256, SHA-384, SHA-512, RFC 1321, FIPS 180-1, FSE’96RMD128, RMD160, RMD256, RMD320, Internet Draft

HAS160, TIGER

MAC��;< HMAC-XXX, KMAC-XXX (XXX :!��;<) RFC 2104, RFC 1826, RFC 1828YYY-MAC (YYY :��), FIPS 113, ISO/IEC 9797-1,XCBC, RIPE-MAC Crypto2000, RIPEUMAC Crypto’99, Internet Draft

!"�GH�� RSA PKCS#1 v2.1(draft)�� DSA, ECDSA, KCDSA, ECKCDSA FIPS186-2, X9.62, TTA��

H�#� I� Diffie-Hellman (DH) PKCS#3, X9.42, RFC 2631Elliptic Curve Diffie-Hellman (EC-DH) X9.63, S/MIME WG Drafts

H�� Key transport, Key wrap RFC 2630, S/MIME WG Drafts

H�JK=> Password-based PKCS#5, PKCS#12, RFC 2510General SSL/TLS, IPSec, IEEE P1363,

IEEE P1363a, X9.42, etc.

�N6�!�;<"�#� � SPRING (( �)�� g6��G0?3��+�N6�!�;<"�#� ��̀)

�� 1: �� (.*��/�� .��

��vw��6�)34 D6��/�' -34 �� +�%&"#$��D6.

2

26�)� �� '��)H��/>�� (.*�� 34��+)�� X� ��F1��%&O6P<#$�� 34456 -��S��56(.)��xכ&%�+��*� ��T>U�� 56#7C�) ��+D6.

36�)� ��#7y$� �(.*�� a@z@C�-�� 7:��56��VWD))*�N6��"��!�� (.*��)��8!�9!�xכ�S��+D6.

4 6�)� �� a@z@C�� {<�*)� �� 56�̀ �#��+ a@z@C� ��(�� bcU�(MAC : Message AuthenticationCode)� 3456#7!��;<-��+HMAC/�KMAC,��-��+CBC-MAC,LM*�(.?�@�45��+UMAC+�%&O6P<#$��C�) ��+D6. CBC-MAC34 ISO 9797-1� ��-��f6:/"+�%&C�) ��56(., RIPE-MAC/� XCBC-MAC [63]=>|��56#7C�) ��+D6.

56�)� �� !"�GH��/>�� (.*��+�%& ]̂��(;<#� !�.��?@-��f6:/"+�%&56�� RSA� �(.*��C�) ��+D6. RSA� �(.*��34 ��(bc��!/"#�� q6Z6�� PKCS#1-v1.5, PKCS#1-OAEP�$�+�%&O6�D6.

66�)� �� !"�GH� �� (.*��C�) ��+D6. !"�GH� �� (.*��34 E��: ]̂��(;<#� !�.��?@-�� f6:/"+�%&56�� RSAX�JK��+��;!�34;< .��?@-��f6:/"+�%&56�� DSA, KCDSA�$��D6. RSA�� (.*��34 ��(bc��!/"#�� q6Z6�� PKCS#1-PSS, EMSR3(P1363a)�$�+�%&O6�D6.#7�̀��KCDSA��+%&'�� +�%&�� 8�9� �� (.*��D6.

76�)� ��H�#� I�01%&2&��%&�� X9.42-��f6:/"+�%&��+Diffie-Hellman Key Agreement Scheme��C�) ��+D6.H�#� I�01%&2&��%&\��E#$%�( Shared secret+�%&Master secret��"�#� �56�� (.*��34 �� (X9.42, RFC 2631, IEEE P1363, IEEE P1363a)s6D6��D6t1D6.

86�)� ��r6z@34�� (.*��+�%& �A�B!*<(.��Q6�� !',,(�� 34��+�GכS-��C�) ��56(., DSA,KCDSA, DH, MQV-��Q6�� !',,(+�%&��CF�( ECDSA, ECKCDSA, ECDH, ECMQV� 34!��8!�456x�C�) ��+D6.

96�)� �� SSL 3.0/TLS 1.0��O6 IPSec IKE�$��D6��+h&$!�01%&2&�� Master secret��JK=>56�� (.*�� 3456#7C�) ��+D6.LM0?1� _��U�-�� ̀�.��+01%&2&�� H�-��JK=>56��;<� 3456#7C�) ��+D6.

106�)� �� key wrap� �(.*��+�%& !"�GH� ��-��+ key transport, �� -��+ keywrap��C�) ��56(.,_��U�-�� ̀�.��+ key wrap=>' -��C�) ��+D6.

116�)� ��N6�!�;<0?3"�#�̀%&�� ( �)�� G0?3��+ SPRING� 3456#7C�) ��+D6.\�� UMAC�g6z@��+C�) ��/�DSA, DH,Q6�� !',,(�=>a@��(Y6Z6[��"�#� �!/"0�&/� X9.42, RFC

2631, X9.63 Diffie-HellmanH�#� I�01%&2&��/�Q6�� !',,(� ��H�#� I� 01%&2&��g6z@��+C�) ��3�1D�E��(D6.\��FGH� ��#7y$�� g6 �}�� (.*�� OID-�� *�56�$�D6.

�� 2�� '��(��/��

2.1 ��

'��)H�� (.*��34 E��:�� (.*��/��F1�� (.*��+�%&O6=6�;<��D6.�� (.*��34 �#$%�( G��.�� (.*�� !�%�( �� (64I�J34 128'�F1)+�%& O6P<#$ ��9!��#%& ��-�� ;<&':56�� (.*��D6 (�� 56�� !/"0�&� q6Z6�� (.*��34 #7y$e6C�T>U�%&�� D6. : 2.26�))*+n>).q6Z6��G��.��34 �� % &��E��̀�I�;<e6"~�O6,LMH�IC�� ,+�J+( -�=;��+!/"0�&+�%&G��.��E��̀�I�;<e6"=>��G��.�� _��(3�1D�E��̀)��56#7�p��+D6.��-��#$ DES, RC2�� 64'�F1��(., TTA�� +�%&%�(&':8�9��( SEEDX� ( �)�� G0?3��+CRYPTON34 128'�F1��D6.�� (.*��34 � �(.*�� q6Z6��#7y$e6C�H��-��' &��D6.��F1�� (.*��34 G��.�� +�%& O6P<C� � ,(. G��.��/� '��)H�%&\�� JK=>�� H� ��F1��(key

stream)��%& XOR(exclusive or)56#7��.��"�#� �56�� (.*��D6 (��: RC4, SEAL).q6Z6��G��.�� _��56C�� ,(.,'��)H�%&\��G��.��>!��$K�H��F1��JK=>56��;<e6"��.S56D6כ()�.� -�+�%&��F1�� '�!�LMLMB=>e6a�J<�6t1D6.

2.1.1 64'�<=� ��

• DES [8]

�� DES�� 56'�F1Z6�� ? @34 H� ��%& ��(!� 89 ��.;� $!�2/(56C� � ,D6(. h&�� 1כ� ��)�.� -��( FN(!��kl, q6Z6�� ̀7� � �� XA� �� 89 ��.;� N6��56C� % �=>�� (."(. ��D6. 34��( IPSec��O6 PKIX

3

BlockName Version Author(s) size Key(bits) Rounds

(bits)

(77) IBM/NSA 64 56 163k3-DES(77) Diffie, Hellman 64 168 48

DES2k3-DES(78) Tuchmann 64 112 48

DESX RSA Lab. 64 56 + 64 × 2 16RC2 (89) Rivest 64 8∼1024 18

w/r/k(94) 2w 8s, 0 ∼ 255RC5

w = 32Rivest

64 (0 ≤ s < 256) 16BLOWFISH (93) Schneier 64 32s, (1 ≤ s ≤ 14) 16

8s, (5 ≤ s ≤ 10) 12CAST128 (95) Adams 64

8s, (11 ≤ s ≤ 16) 16IDEA (91) Lai, Massey, Murphy 64 128 8

64 8SAFER (95) Massey, Knudsen 64

128 10SEED (99) KISA 128 128 16

CRYPTON (99) ( �)�� 128 8s, (0 ≤ s ≤ 32) 12w/r/k(98) 4w r

RC6 w = 32 Rivest, RSA 128 8s, (0 ≤ s < 256) 20TWOFISH (98) Schneier, etc 128 0 ∼ 256 16

128 128,192,256 10,12,14RIJNDAEL (98) Daemen, Rijmen 192 128,192,256 12,12,14

256 128,192,256 14,14,14MARS (98) IBM 128 32s, (4 ≤ s ≤ 39) 32

Anderson, Biham,SERPENT (98) Knudsen 128 0 ∼ 256 32

128 + 32i,CAST256 (98) Adams 128 (i = 0, · · · , 4) 48

RC4 (87) Rivest 8s, (s < 256)Rogaway,

SEAL (93) Coppersmith 160

�� 2: '��)H�� (.*��)��

�$�34\�#� ��G%&*� �� Triple DES-�� DEFAULT�� (.*��+�%&��(.56(.��D6.Three-key Triple DES��a@z@C�M� 34!� 3�G�H�, K1,K2,K3-��N6��56#7D6��/�' -��/>��

��+D6 (C��.��):

C = EK3 (DK2(EK1(M)))

M = DK1(EK2 (DK3(C))).

#7�̀�� K1 = K3��(��J<e6 Two-key Triple DES��D6.r6z@34[�%&'�� ( AES (Advanced Encryp-tion Standard)e6�� "J+(�� (.*�� Triple DES-��34��(!��G%&*� %�&�� +�%&g6*�B 7�:� 1��D6כ�� [99].

DESX�� DES� H� �� ;�� #!� RSAN6� �� N6��!� �>KO( � �(.*�� !"�G�� &%�+1כ� a@z@C�M� 34��+��J,(��M�� Input whitening key K2%&a��L��H�(.,LM�*)/�-�� K1�� DESH�%&N6��56#7 ��+ vw, LM �*)/�-�� D6�� Output whitening key K3%& a��L��H�� !/"0�&��D6 [74].��/>��/� �� *�56J+(D6��/�' -D6:

C = EK1(M ⊕ K2) ⊕ K3

M = DK1(C ⊕ K3) ⊕ K2.

4

• RC2 [34]

RC2�� Ron Riveste6C�)��56#7 RSAN6� ]̂01F1CD#$h&$!�?@P�� %&N6��"D6e6��?@��~��%�&�� +�%&D))*�N6��"�� (.*��8�9�56O6��D6. RC2�� 16'�F1<<(;!�� %&N6��56��%&,N6��g6�'��)H�� {<�� 56�:H�2/(;<� �"EM (Exhaustive key search)� "�7 S��+��;!�>��Bכ(=>-��?@��+��;<�� Effective key size-��Y6Z6[��%&C�) ��+�%&,-[�%&'��?@P��;<Q��?@-��;<��=>��C�)��"��D6.��N6��g6e6�6{<*�F�('��)H�-��N6��5689Z6=> Effective key sizee6 T%&C�) �� 01%&LMNF�� H� 2/(;<� �"EM� "�+��Sכ( >��B 7=>�� 2T+�%& ?@��+�� D6. ��2/(� �� [�%&'�� O+1#$O6�� ?@P��34 T>�< T = 40+�%&C�) ��56#7�p>!� ;<Q�� e6R$�PFQ+�O6, ��?@�� [�%&'� ;<Q��?@=> ~��!�?@"��+��%&34\�#� T = 128%&C�) ��56#7N6��56(.��D6.

• RC5 [88]

RC5 �$�� Rivest� �!� C�)��"#$ D))*� N6��"�� (.*��+�%& H��, ��(��U�N6��2I�)��Z6*� U�;<�$��Y6Z6[��%&C�) ��;<�� Parameterized block cipher��D6.��g6��#� ��e6��34 ��e6 64'�F1(��U�N6��=32)��)AB 12Z6*� U��J+(Q�9#� 56D6(.h&(. ��+�O6, IPSec�$��?@�� 34\�#� 16Z6*� U��$2/(�� %&N6��56(.��D6 [29]. 128'�F1(��U�N6��=64)��%&��~��N6��"C�� ,��D6.

• BLOWFISH [94]

Bruce Schneier� �!�C�)�� %& DESX�' -34 2/(R,S -��( Feistel�n>��O6,N6��g6'��)H�� 7� 56�� S-box-�� N6��56�� 1כ� )��D6 (Key-dependent S-box). Q�9#� x� F�( ��H�-��C��56(.$!�2/(� �� .��?@e6%�T1כ��+�%&� �yl��+�O6,H�e6g6 �f6GH�� Keysetup time��#$S��*��+J+(=>��D6.

• CAST128 [31]

Entrust TechnologiesN6� Carl Adams� �!� C�)�� ,�$�� DESX�' -34 2/(R,S -��( Feistel�n>��D6.H�� 40'�F1\�� 128'�F1�6C� 8'�F19!��#%&C��"kl,H��e6 40'�F1��.;�80'�F1��56��)AB�� 12Z6*� U�-��, 88'�F1��.;� 128'�F1��56��)AB�� 16Z6*� U�-��N6��56=>��(.56(.��D6.

• IDEA [76, 77, 78]

Lai�$��C�)��+ 16'�F1T>TU�Z6?�@�45�� '�,,(R,S<<(;!�+�%&N6��56�� 64'�F1��D6. DES-��34��;<��e6�;��;�9U��+vwh&�56O6%&V�@��(., �̀7� � Feistel-type cipher��/�D6W4 �G%&*� �n>� Z6*� U� ��;<-�� N6��56(. ��#$ �A�� Sכ� #� �� 34.;�� "#$ 3 � �(.*��D6. ��7� 64'�F1 �� 8�9� �� e6�;� $!�2/(��+ � �(.*�� 56O6%& V�@x�kl, 128'�F1� (. �� H�-�� N6��+D6. PGP� ��N6��"��kl�>��+��(��1�� =>vwh&� �(.*��+�%&��Z6��+�O6,[�%&'/�JKH�&� ��)��.��?@e6�-)yl��D6.

• SAFER [83, 84]

SAFER�� James Massey� �!� C�)�� 64'�F1 ��X� 64'�F1 H��-�� C��56�� (.*��+�O6, vw� Key schedule � �(.*�� ;�56#7 128'�F1 H�=> N6�� e6R$�56�: 56�$�D6.Knudsen�� Key schedule � �(.*�� $!�2/(56C� � ,D6�� #� ��/� �� h&D6 �;�� Keyscheduling��?@$!�56#7��$2/(�� %&N6��"(.��D6 (�#� ��#!�� (.*��H�� q6Z6 SAFER-K64, SAFER-K128�$�+�%&\�t1kl, Knudsen� �!��;�� Key scheduling��N6��56�� $2/(�� SAFER-SK64, SAFER-SK128�$�+�%& \�W4 D6.) 64'�F1H�-�� N6�� AB�� 8Z6*� U�-��, 128'�F1H�-��N6��AB�� 10Z6*� U�-��N6��56=>��(."(.��D6.

2.1.2 128'�<=� ��

• SEED [23]

SEED��+%&' ��h&h&��Q6 �� +�%&�G0?3"#$�� TTA�� +�%&?@ ��6�)r6-��0?I(.��%& 128'�F1��X�H��-��C��+D6. Nested Feistel�n>%&C�)��"#$]̂01F1CD#$O656U�CD#$��T>�<� ��!�� 34 ��V.)#$C�O6$!�2/(� �34 J<;<��+1כ�+�%&h&��(D6./�(;<\�.��%&'�4�� %&�G0?3"#$��D6��+�� N6��"(.��D6.

5

• CRYPTON [80]

CRYPTON34 ( �)�� [�.;�{<� � �� r6z@34�� 01%&0WMF1��( AESvwh& !"T>��?@Q��PFQKO(��%& 128'�F1��X� 256'�F1�H��-��C��+D6.�� AESvwh&$!�� Key schedule� ��8!��*)��;< ��+ v1.0�� CRYPTON��D6.)��x��!� -��(56U�CD#$��$��<� �<(.C�)��"��+�kl, ]̂01F1CD#$ -�+�%&=>a�J<X"Y34 � �R$��XYZ;<��D6.56U�CD#$�� ]̂01F1CD#$%&��"#$ ( �)��h&$!�?@P�� N6��"(.��D6.

• RC6 [99, 100]

RivestX� RSAN6e6 !"��G0?3��+ AES 2r6vwh& � �(.*��+�%& RC5X� s6J.�e6C�%& e6*+(�� , H� �� Z6*� U� ;<-�� ' &�� Parameterized block cipher��D6. 128'�F1��(��U�N6��=32)� 34!��(."��Z6*� U�;<�� 20Z6*� U��O6�A�� Security margin��'�() -��6Z6*� U�;<-��89��e6��11כ��56.)(.��D6. 256'�F1�� 34!��~��#� ��#$C�C�� ,�6=;�#� 8!�34 128'�F1��%&>!�N6�� .h&��(D6&%�+1כ��

• TWOFISH [99, 101]

Schneier �$�� G0?3��+ AES 2r6 vwh& � �(.*��+�%& BLOWFISHX� s6J.�e6C�%& Key-dependent S-box-�� N6��56kl, 16Z6*� U�� Feistel �n>%& �� 128'�F1 ��D6. �̀7� �� N6��56�� J<;<��+ <<(;!�� B � �*)�[�� C�)��+ � �(.*��+�%&, )��x� �� q6Z6�� JK<<(� � ��: Keyscheduling��.��D6��(��1כ�+��<=��>;�

• RIJNDAEL [99, 102]

Daemen/� Rijmen� �!� �G0?3"#$ 2000'(( 10�� AES � �(.*��+�%& u2�� ,,( ��"��D6. SPN(Substitution-Permutation Network) �n>� e6*+( ��-�� C��56�� D6. C�� 128, 192, 256'�F1��kl,�� 34!� 128, 192I�J34 256'�F1�H�-�� N6�� ;< ��D6.Z6*� U�;<��H�� !��*) ��"kl, 128'�F1��N6��56��J< 128, 192, 256'�F1H�� 34!�� 10, 12, 14Z6*� U�-��N6��56=>��(."(.��D6.

• MARS [99, 103]

IBM� ��?@$!��+ AES 2r6vwh&� �(.*��+�%& 128'�F1��X�Q�9#� x�F�(e6*+(�� H�-��C��+D6.34\�#� � �̀7� ��n>X��8!�D6W4 �G%&*� �n>%&C�)��"��+�O6,�n>e6>��B 756#7#� ��#$9!&D6��C� -��!*<(.��D6.

• SERPENT [99, 62, 104]

Biham �$�� ?@$!��+ AES 2r6 vwh& � �(.*��+�%& 256'�F1�6C�� H��-�� C��56�� SPN �n>�128'�F1 ��D6. Bit-slice implementation�� $��<� �<(. C�)�� %& 56U�CD#$ ��34 a�J<��56O6 ]̂01F1CD#$� �R$�34 .;�=;�x�V.)#$C��\Z(��D6.

• CAST256 [43]

CAST25634 64'�F1��( CAST128��;�56#7 AESvwh&� �(.*��+�%&?@$!�� 128'�F1��%&, 48Z6*� U��9!� <<(;!� �n>%& ��(!� 56U�CD#$O6 ]̂01F1CD#$ -�+�%& ��!�� 34 .;�=;�x� V.)#$C��\Z(��D6.

2.1.3 ��<=��

• RC4 [93, Chp. 17.1]

1987'(( Rivest� �!�C�)�� e6*+(H��-��C��56��F1��%&[� !"�G��$�+�O6 1994'((��(��1PK��LM[�\� �� +�%& !"�G�� (.*��D6. Netscape Navigator�VW��Q6h&��+�%&N6��"(.��+�kl,D6W4 ��(��1�� =>D))*�N6��"��F1��D6.

• SEAL [89, 90]

�6W4 ]̂01F1CD#$��A�B��%&C�)�� F1��%& 160'�F1H�-��N6��+D6. ]̂01F1CD#$ -��(34��4@"��/>�� -�=;��+� �(.*��O6��(��1�� 0!)%&N6��"C�� ,��D6.

6

2.2 � �� >/?�

�� ̀] � �(.*�� -��56��!/"0�&(*� ��T>U�)� q6Z6��/>��!/"#��r6��e6�!�D6.��6�)� �� N6��"��T>U�� 34!��C�) ��56(.,��T>U�0!)%&)��K ��] D6 [9, 6, 87, 93]. #7�̀�� K��/>�� N6��"��'��)H��(.�� N6��56��+��E��̀�� n'�F1��D6. EK��

K%& ��56�� ;<��(., DK34 K%& >��56�� ;<��D6. P1, . . . ,Pt�� G��.�� (., C1, . . . ,Ct��

��.��D6.

T>U� ��/>�� (i = 1 · · · t) )��

ECB Ci = EK(Pi). ' -34 G��.��34 �/".;�' -34 ��.�� 34�� D6.Pi = DK(Ci).

ECB- (Ct||C′) = EK(Pt−1), Ct−1 = EK(Pt||C′). Ct−2�6C�� ECBT>U�X��).CTS (Pt||C′) = DK(Ct−1), Pt−1 = DK(Ct||C′). _��/� ��%�T+�kla@z@C�]':)/"��)#$O6C�� ,��D6.CBC Ci = EK(Ci−1 ⊕ Pi). ��+��.��>��>��<�G�<<(LMB��

Pi = DK(Ci) ⊕ Ci−1. G��.�� @"��[�23�D6 (C0 = IV).CBC- (Ct||C′) = EK(Ct−2 ⊕ Pt−1), Ct−2�6C�� CBCT>U�X��).CTS Ct−1 = EK((Ct||C′) ⊕ (Pt||0...0)). _��/� ��%�T��a@z@C�-��' -34

(Pt||C′) = (Ct||0...0) ⊕DK(Ct−1), ��.��+�%&*+(�.Pt−1 = Ct−2 ⊕DK(Ct||C′). a@z@C�]':)/"��)#$O6C�� ,��D6.

CFB Ci = Pi ⊕ EK(Ii)〈1...r〉, r'�F14��+D6 (1 ≤ r ≤ n).Ii+1 = (Ii << r) ⊕ (0...0||Ci) h&)�� r = 1, 8, 16, 32, 64, 128��(. I1 = IV��D6.Pi = Ci ⊕ EK(Ii)〈1...r〉, ((Ii−1 << r)�� r'�F1 left-shift-��,Ii+1 = (Ii << r) ⊕ (0...0||Ci) EK(Ii)〈1...r〉�� EK(Ii)� 5̂1 r'�F1-��[�)

OFB Ii = EK(Ii−1), feedback"��' ��כ CFBX�D6t1D6 (I0 = IV).Ci = Pi ⊕ Ii $!�2/(� ��JK%& r = n+�%&>!�N6��.Ii = EK(Ii−1), ��/>��/� ��)56kl,� y$��;��%�T��.Pi = Ci ⊕ Ii. _�)��[��#$��(�� -��[.

Counter Ci = Pi ⊕ EK(Ii), Counter-��e6��H�J+(��+D6.Ii+1 = Ii + 1 (I1 = IV = initial counter)Pi = Ci ⊕ EK(Ii), ��/>��/� ��)56kl,� y$��;��%�T��.Ii+1 = Ii + 1 56U�CD#$��O��9!�� *�e6e6R$�56D6.

�� 3: ��*� ��T>U�

ECBT>U�X� CBCT>U�� ̀] -�+�%&��&9U�a@z@C� ��e6�� I�;<e6"#$�p ��+D6.>!��)��a@z@C�-��/>��56ylJ+(>��?@~�e6R$��+!/"0�&+�%&_��!��p56��VW, CBCT>U�� e6�;�D))*�N6��"��_��!/"0�&�� PKCS_��!/"0�&��D6 (vw6̂�).LMy$O6��y$��+_��N6��56J+(��.��G��.��h&D6��+�� =>89��6�);<��VW,��y$��+��a@z@C�]':)/"��L 7"C�� ,�� ~�� ECBO6 CBCT>U�X�JKN656�:N6��1כ��>;� CTST>U��D6 (ECB-CTS, CBC-CTS).

OFB, CFB �� Counter T>U�� ̀] -�+�%& ��-�� F1�� N6��56�� T>U�%& ��U�F̀�"��' q6W4��D6t1klכ)�� r6��e6��̀��56O6, �̀] -��(*� ��T>U��a�J<JKN656D6.

2.2.1 ECB>/?�

ECB (Eletronic Code Book)T>U�� #$%�(G��.��E��̀��( n'�F14��O6P<#$��r6¡�%&��56��!/"0�&��D6.)��;<��+��J<XA� ��)�.� -�+�%&B �N6��"C�� ,��D6.

1. �� : Ci = EK(Pi), (i = 1, . . . , t).

2. >�� : Pi = DK(Ci), (i = 1, . . . , t).

2.2.2 ECB-CTS

CTS (CipherText Stealing)T>U��_��56C�� ,(.��G��.��' -34 ��.��+�%&*+(��;<��*� ��T>U�%&�� ECB-CTST>U�� Pt−2 ��6C�� ECBT>U�%&��56(. Pt−1,Pt ��

7

��D6��/�' -��56#7��.�� Ct−1,Ct-��E��D6 (LM�� 1)*+n>).

pt-1

pt-1

pt

pt

Ct

EK EK

C ' Ct-1

Ct C 'Ct-1

C '

DK DK

C '

LM�� 1: ECB-CTST>U�

2.2.3 CBC>/?�

CBC(Cipher Block Chaining)T>U��f6%&��2/(��.��/��G��.�� XOR(exclusive or)��+vwLM�*)/�-��56#7��.��"�#� �56��!/"0�&��D6.78�� P134 ��̀' Initial)כ Value:IV)X� XOR56#7N6��+D6. IV��'��)%&��"�S��%�TD6כ( (LM�� 2)*+n>).

Pi-1

Pi-1

Pi Pi+1

Pi Pi+1CiCi-1 Ci+1

CiCi-1 Ci+1

KE KE KE KD KD KD

LM�� 2: CBCT>U�

1. �� : Ci = EK(Ci−1 ⊕ Pi), (i = 1, · · · , t, C0 = IV).

2. >�� : Pi = Ci−1 ⊕DK(Ci), (i = 2, · · · , t, C0 = IV).

- Ci��)\�'�F1� ��>��e60?3"�#56J+(>��AB Pi�' 34כ��_��S��e6R$��+' "��34כ(.,Pi+1�' 34כ Ci� ��>��e6"�#F�('�F1� !�=;�56��\�#� >!��f6��D6.q6Z6��,��.��8�956O6��*+(��"J+(G��.��<�G��@"��!*<��D6.

- LMy$O6��/� ��8�9� ��+��G��.��*+(��"J+(LM��vw�T>;��.��@"��!*<��D6.

2.2.4 CBC-PAD>/?�

�� a@z@C�-�� PKCS _�� !� �� I�;<e6 "=>�� _��+ vw CBC T>U�%& ��+D6.>��3�1D�E#7%�(_��?@~��;<��T>U��D6.

PKCS _��34 D6��/� ' -�� #$%�(D6 [26]. !�=;� �� -�� N(= n/8) f6��F1Z6 56(. (64 '�F1 �� J+( N = 8, 128 '�F1 �� J+( N = 16��D6), ��&9U� G��.�� P� f6��F1 ��-�� pLenZ6(. 56g6. PKCS _��34 �#$%�( G��.�� s6C�M�� N − (pLen mod N)� !�=;�56�� f6��F1-��N − (pLen mod N)�G >!��$K 3�1D�E�� /� ��D6. ��, 64 '�F1 �� ( ��J<�� 0x01, 0x0202, · · ·,

8

0x0808080808080808 8�9 56O6-�� _��56�: "(., 128 '�F1 �� ( ��J<�� 0x01, 0x0202, · · ·,0x101010101010101010101010101010108�956O6-��_��56�:�� D6.��-��#$ 128'�F1�� s6C�M�� G��.�� 7f6��F1� a@z@C�e6 N��OD6J+( #7�̀� 0x090909090909090909-��3�1D�E#7 16f6��F1 ��+�%&>!�;��D6.

2.2.5 CBC-CTS>/?�

CBC-CTST>U�� P� ECB-CTST>U�X�s6J.�e6C�%&_��56C�� ,(.��G��.��' -34 ��.��+�%&*+(��;<��*� ��T>U�%& Pt−2 ��6C�� CBCT>U�%&��"(. Pt−1,Pt��D6��/�

' -��.�� Ct−1,Ct%&�� D6 (LM�� 3)*+n>).

pt-1

pt-1

pt

pt 0...0

0...0Ct

Ct

EK EK

C ' Ct-1

Ct C 'Ct-1

C '

DK DK

Ct-2

Ct-2

LM�� 3: CTST>U�

�� >��

Ct−2�6C�� CBCT>U�%&�!�� Pt−2�6C�� CBCT>U�%&�!��(Ct||C′) = EK(Pt−1 ⊕ Ct−2) (Pt||C′) = (Ct||0 . . .0) ⊕DK(Ct−1)Ct−1 = EK((Ct||C′) ⊕ (Pt||0 . . .0)) Pt−1 = Ct−2 ⊕DK(Ct||C′)

2.2.6 OFB>/?�

OFB(Output FeedBack)T>U�� -��F1�� N6��56�̀�#��+!/"0�&��D6. OFB�� )��.;�$!�2/(� �� JK%& full size feedback>!�� C��+D6. s6C�M�� Pt� E��̀e6 �� E��̀h&D6 ��34 ��J<

‘0’��_��56#7��E��̀%&>!�;��D6 (LM�� 4)*+n>).

Pt-1

Ct-1

EK

Pt

Ct

EK

0 Ct-1

Pt-1

EK

Ct

Pt

EK

0

It-1 It It-1 It

LM�� 4: OFBT>U�

1. �� : Ci = Pi ⊕ Ii, (I0 = IV, Ii = EK(Ii−1)).

2. >�� : Pi = Ci ⊕ Ii, (I0 = IV, Ii = EK(Ii−1)).

- Feedback"��#¢� AB.�� CFB T>U�X��Q �*� ��.�� "�#F�( �>��e6 >��ABD6W4 G��.�� @"��[�¢�C�� ,��D6.>!��.��8�956O6�� >��e60?3"�#PFQD6J+(>��"��G��.�� =>34��"��+��>!��>��e60?3"�#��+D6.q6Z6��.;��O6�� /�' -34 digitized analog��(�� % ,��N6�� D6.

9

- >��AB IVe6D6t1J+(2/(��D6W4 G��.��"��%&�.�U��̀' '��כ-�:!��p��+D6.

- OFBT>U�� 0?3"�#"�� key stream34 G��.��/��B9�& -�+�%&0?3"�#"kl#$m� �̀�8!� key stream��.�>��"�̀ AB.�� feedback"��E��̀e6��+��E��̀h&D6��34 ��J<$!�2/(� ��.��?@e6�� D6.q6Z6��56O6��2/(��-�� feedback56#7�p��+D6.

2.2.7 CFB>/?�

CFB(Cipher FeedBack)T>U�� OFBX�s6J.�e6C�%&��-��F1�� N6��56�̀�#��+T>U�%&�� feedback size r34 nh&D6��~�O6' -34 �� ;<e6� �;<��+�O6h&)�� r = 1, 8, 16, 32, 64, (128)��% ,��N6��+D6.��34 9!��#(r'�F1)%&��56�̀AB.�� ijF1��E�X�' -34 �� JK��+!/"0�&��D6.LM�� 534 r = 8'�F1��J<��D6.

EK

ki

Ci

Shift Register

Left-mostr bits

Pi

ki

Pi Ci

Shift Register

Ii

EK

Left-most r bits

Ii

LM�� 5: CFBT>U�

1. �� : Ci = Pi ⊕ ki (ki�� EK(Ii)�.;��# r'�F1), Ii+1 = (Ii << r) ⊕ (0 · · ·0||Ci).

2. >�� : Pi = Ci ⊕ ki, Ii+1 = (Ii << r) ⊕ (0 · · ·0||Ci).

- IV' 34כ'��)��)"�.Se6%�TD6כ( IV' ')+��D6t1Jכ-34 G��.�� 34!��=>D6W4 ��.��"�#� �� D6.

- ��-��#$ 8'�F1T>U�� >!��.��8�956O6��*+(��"��D6(.e6 ��56g6.>��AB��*+(�� .��/� XOR"��G��.��/�*+(�� .�� shift register� ��#$e6��6��O6��AB�6C�� 8��G��.��?@34%&>��"C�� \)/2&1��%כ��, 9��G��.��f6%&>��"C�� ,��D6.��)�.� -�+�%&��+��E��̀e6 n'�F1��(. r'�F1 CFBT>U��)��J<��.�� 1��>�� n/r+1�G��G��.�� @"��[�23�D6.

2.2.8 Counter>/?�

Counter T>U�� n '�F1h&D6 ��34 ��J< "�#�̀�� OFB T>U�� .��?@-�� !��*)��+ ��&%�+1כ� ¡£C�� &9U�� feedback��H��34��( �#$%�( ' ��̀��&%�+כ Counter-�� <<(LMB -�+�%&��56#7H� ��F1��"�#� ��+D6. ��9!��#� H� ��F1�� "�#� �34 O��9!�� *�e6 e6R$�56��%& (.LMB� ��e6 e6R$��+ !/"0�&��D6. #7�̀��Counter��)�.� -�+�%& �#$%�(��̀' ��\&%�+כ��) ��+;<(eg, typically 1)>!��$K4��e656��;<%�)%&aF�!�=>"(.��̀' ��כ Seed%&56��!�;<%�)��N6��!�=>�� D6.

�� 3��

!��;<(HI�J34 Hash%& ��̀)�� &9U� a@z@C�-�� (. �� Q��9U�' &%�+כ � 7:��H��;<%&��VW��Q6�{<�*)� �,a@z@C��(��$��A -�+�%&��O��#e6D)bD6.��AB!��;<� כS�"�� 6�)%&��)!/"�@"� �/��;��+Q�9�"��/�� D6.��)!/"�@"� �34 �#$%�(!��' כ h� 34!�� H(x) = h-��>!��56�� x-��R?S1כ��;!� -�+�%&S��e6R$�56D61כ��(.,Q�9�"��/�� 34 �#$%�( x� 34!� H(x) = H(y)-��>!��56��&9U�a@z@C� y(� x)-��R?S1כ��;!� -�+�%&S��e6R$�56D61כ��D6.

10

��)�.� -�+�%& D))*� }�� !��;<%&�� MD5, SHA1, RMD160, TIGER �$�� D6. SHA-383, SHA-512-��?@XA56(.��T>�<��&9U�a@z@C�-�� 512'�F1��9!��#%&� *�56kl,s6C�M��_��c=>a�J<JKN656D6.

Algorithm Author Output Block No. EndiannessLen.(bits) Len.(bits) Rounds

MD5 Rivest (1991) 128 512 64 LittleSHA1 NIST (1994) 160 512 80 BigSHA-256 NIST (2000) 256 512 64 BigSHA-384 NIST (2000) 384 1024 80 BigSHA-512 NIST (2000) 512 1024 80 BigRMD128 Bosselaers, Dobbertin, 128 512 128 Little

Preneel (1996)RMD160 ′′ 160 512 160 LittleRMD256 ′′ 256 512 128 LittleRMD320 ′′ 320 512 160 LittleHAS160 TTA (1998) 160 512 80 LittleTIGER Anderson, Biham (1996) 192 512 56 Little

�� 4: !�� (.*��)��

• MD5 [25]

MD5�� Riveste6 C�)��+!��;<a#� (MD2, MD4, MD5)8�9� ��e6�;�O68�9� ��&%�+1כ�&9U�a@z@C�-�� 512'�F19!��#%& � *�56#7 u2�� -�+�%& 128'�F1�!��' ��כ �4�� ;<��D6. %�)s62/(�6C�� ~��34\�#� �� D))*�N6��"KO(!��;<��O6,_!�'((2/(Q�9�"��/�� .��?@e6��D6��#� ��O63 ��vw34\�#� �� ̀7� ��XA� ��89��.;�N6��56C�% �=>��(.56(.��D6.

• SHA1 [11]

[�<<(!/" ��\��C�T?3�� ( DSA-��#!��G0?3�� !��;<%& �̀] -�+�%&MD5X�JKN6��+�n>%&C�)��"��+�O6h&D6$!�2/(��+1כ�+�%&��( ��!*<(.��D6. 160'�F1��Q��9U��4kl,34\�#� ��(��1��O6%&'?@/%�&�� DEFAULT!��;<%&N6��56(.��D6.

• SHA-256, SHA-384, SHA-512 [12]

AES� �(.*��H��e6 128, 192, 256'�F1��%&' -34 $!�2/(=>-��' &��!��;<e6כS�$%&� q6Z6�� SHA1/��n>��JKN656C�>!�Q��9U��-�� 256, 384, 512'�F1%&X��(!��;<��D6.�� 34��+#� ��0?3x��#$C�(.��D6.

• RMD128, RMD160 [70]

JKH�&<<(�[� RIPE01%&0WMF1� ��G0?3�� !��;<%&�� 128'�F1, 160'�F1Q��9U��:;�D6. MD5X�JKN6��+/� ��O��9!�%&� *�56#7$!�2/(� ��<�(X"Y��(1כ��O6��!�� 34 .;�=;�x�V.)#$%�(D6. RMD16034 ��(��1�� =>D))*��aF��"(.�� (.*��D6.

• RMD256, RMD320 [109]

RMD256/� RMD32034 �� RMD128/� RMD160��-�� 2I�%&��;��+�2!$&%�+1כ�/(=>��/1כ�)56D6.

• HAS160 [24]

��+%&'R,S��C�T?3�� ( KCDSA��!��;<%&�G0?3�� $�&%�+1כ�� 160'�F1�Q��9U��4��!��;<��D6. MD5X� SHA1��;� -��UV56#7C�)��"��+�kl�� TTA�� +�%&?@ ��8�9� ��D6.

• TIGER [53, 57]

11

64'�F101%&z@�� u2 -��C�)�� !��;<%& 192'�F1�Q��9U��:;�D6. S-box-��+ Tablelookup/��34 ;<�?�@�45�� '�,,(R,S<<(;!�+�%&N6��56kl, 64'�F101%&z@�� a�J<�6W4 LMB=>-��XYZ;<��D6.

�� 4�� MAC��

MAC(Message Authentication Code)34 Y6��)�4�� *+(�� JK{<O6 )��(.;�� >e6�� VW��Q6� {<�*)� ��E�56��VW�� D6. MAC� �(.*��+�%&D6��/�' -34 .1��D6כ�

• ��)�.� -��(!��;<-�� ̀�.� : HMAC, KMAC

• ?�@�45��56�� universal!��;<-�� ̀�.� : UMAC

• ��-�� ̀�.� : CBC-MAC, XCBC, RIPEMAC

4.1 HMAC

HMAC (RFC 2104)34 !��;<-�� N6��56#7 MAC�� "�#� �56�� !/"0�&��D6 [30, 59]. !��;<%&�� MD5,SHA1, RMD160, HAS160, TIGER�$��;<��VW��-�� HZ6(.56g6 (MD5, SHA1� 34��+¤¥��F1=�� RFC 2202-��)*+n>56(., RMD160� 34��+¤¥��F1=�� RFC 2286��)*+n> [32, 35]). ��AB, B-�� H��(f6��F1)Z6(.56J+(, ipad, opad�� 0x36, 0x5C-�� B*,(�1��Z6(.56g6כ�+��<�. (�#� 5�G�!��;<� 34��+ B��T>�< 64��D6).LMy$J+('��)H� K� 34!�� HMAC��D6��/�' -�� +D6.

H( (K ⊕ opad) || H( (K ⊕ ipad) || text ) ).

HMAC� N6��"��H�� ?@��+��%�TD6 1.H��e6 Bf6��F1h&D6? @34 ��J<��H�� ‘0’��3�1D�E#7��e6 Bf6��F1e6"=>��>!�;��D6.��e6 Bf6��F1h&D6��H�' ��!34 �כ H(K)-�� -��+W�� ‘0’��3�1D�E#7��e6 Bf6��F1e6"=>��>!�;��D6.H�� random56�:,,(aF�"#$�p56klMAC��;<� 34��+ !"�X�� M��̀�#!� ��̀ -�+�%&*+(��!� �� 1כ� b'cD6.��e6 !��' �כ ��h&D6��34 ��J<��MAC�$!�2/(� ��V.)#$C��%&N6��.��e6��+D6.��e6!��' ��89 �)/��h&D6��J<��$!�2�כ��e656C�� ,C�>!�H�� randomness-��e6��H��̀�#!�N6��+D6.

MAC+�%&D))*�N6��"��1כ�� truncation��(VW��!��;<�Q��9U�' ��כ)\�'�F1>!�� MAC+�%&N6�� 1��%כ��56��+D6.��!/"0�&� 34��+�;� -�34 !"�X�g6e6!��' +��34 �כ��h&-��)\�>!�� ;<��D61כ��(.9!� -�34 !"�X�g6e6��_��!��p56��'�F1;<e68��#$;��D6�� -��D6. Truncation� 34��+6�)34 -��(��W 34 �6�� 9�&"#$ ��C� � ,C�>!�, truncation�� !��' כ �� 1/2h&D6 ��C� � ,(.(birthday attack bound),80'�F1( !"�X�g6� 34��+ -�6�)��+56��+)h&D6��C�� ,34 ��-��;��+D6.

4.2 KMAC

IPSec� �� IP datagram��(��#!�AH(Authentication Header)-��N6��56��VW��2/(�$2/(�AH([27],RFC1826)� �� Default%& N6��56KO( MAC+�%& !��;<-�� + KMAC�� D6 (LMy$O6 �� !/"0�&34 HMAC��O63 ��vwB �N6��"C�� ,��D6).��-��#$MD5� 34��+ KMAC34 D6��/�' -��;!�� D6 ([28],RFC1828).

K′ = K||(MD5 padding),

Data′ = K′||Data||K,MAC =MD5(Data′)

#7�̀�� MD5 padding34 100...00/� K� ��('�F1)-�� 3�1D�E��VW, K||100...00��-�� 512%&O6d�� O6k$C�e6 448��"=>�� 100...00-��J<,,(3�1D�E��(D6.��AB,u2]̂ 1'�F1� ��u234 512'�F1�6C�3�1D�E��:�� D6.K�� 64'�F1%&��56#73�1D�E��(D6.q6Z6�� K′��('�F1)�� 512�I�;<e6�� D6.

1IPSec� AH/ESP� ��N6��56�� HMAC(HMAC-MD5-96, HMAC-SHA-1-96, HMAC-RIPEMD-160-96)� ��H��-��.�U��!��;<�Q��9U��X�' -34 ��%&N6��56(.��D6 [37, 38, 46].

12

4.3 CBC-MAC

CBC-MAC34 n-'�F1�� CBCT>U�-��+MAC��D6 [10]. CBC-MAC+�%&�� ISO/IEC 9797-1� �� + CBC-MAC/�RIPE01%&0WMF1� �� + RIPE-MAC�$��+�klu2()�� Crypto 2000� �� Kilian-Rogaway� �!�� XCBC-MAC��0?3��"��D6 [7, 20, 63].

ISO 9797-1� ��CBC-MAC� �(.*�� ̀��-�� padding, splitting, initial transformation, iteration,output transformation, truncation �$�� 6 9!��%& O6P<#$�� C�) ��+D6. )��x� initial transformation/�output transformation��n>�[56��!/"0�&� q6Z6��#7y$e6C��MAC� �(.*��+�%&#� ��56(.��D6.LMy$O6 ISO 9797-1� �� 3e6C�� _��!/"0�&��?@��56(. ��C�>!�#$m1כ�� N6��!��p56�� C�� 56C� � ,��O(.�>��+'��)H�-�� JK=>56��!/"0�&=> ��-��?@��e� ��(. #$m1כ��N6��!��p56�� C�-�� 56C� � ,�6��

56��VW#$yl��D6.RIPE-MAC34 ISO 9797-1��f6:/"+�%&��g6��("��+�kl��T>�� %�T¦�(.�� -�+�%&MAC��

�56�� !/"0�&�� ?@��56�$�D6. LMy$O6 RIPE-MAC� �� ISO 9797-1/��D6W4 _��!/"0�&�� N6��56(. ��-�� -��AB*+(R,S�� CBCT>U�-��N6��56#7MAC��56�� -��r6��e6��D6.�>��+�� (.*��=> DESX� 2 key triple-DES-��N6��56=>��56(.��D6.

XCBC-MAC34 VW��e6��I�;<��)AB=>_��#$C�� RIPE-MAC/�Q �*�S��"�+��Sכ(_��%�T¦�(.,s6C�M�� >D6W4 H�%&��56C�� ,��+�%&,-��<<(;!��/;<-��8��$�D6.LM*�(.D6W4 MAC/�Q �*�s6C�M�� >D6W4 H�%&��56C� � ,��34��(� _��R,S§�� q6Z6�� D6W4 Input whiteningH�-��N6��+D6.56O6��H�-��N6��56��%&#7y$�G�H�-��N6��56��MAC� �(.*��h&D6H� scheduling56��8!��8��);<��D6.

4.3.1 ISO/IEC 9797-1��CBC-MAC

1. padding:

Pad1 zero padding: ��E��̀�I�;<e6"=>��56��u2]̂� 0-'�F1%�)��VW��>W4 f�� _��+D6.VW��e6��I�;<��(��J<_��56C�� ,��D6. (9!�,VW��e6 empty string��(��J<��E��̀>!��$K� 0-'�F1%�)��_��+D6.)Pad134 VW�� s6C�M�� ‘0’ '�F1-�� K 7��&56~�O6 %�TdE5+�%&,- MAC' ��כ ' -34 #7y$�G� VW��-��E��;<�� trivial forgery !"�X��e6R$�56D6.q6Z6��_��34 VW��-�� (.��O6VW��s6C�M�� ‘0’'�F1��G;<e6D6t189Z6=>VW��[�e6f6GHC�� ,�� >!�N6��56��+*1��f64כ��56D6.

Pad2 VW��s6C�M�� 1'�F1� ‘1’��3�1D�E��(W�� Pad1/�s6J.�e6C�%&u2]̂� 0-'�F1%�)��_��+D6.u2]̂ 1'�F1��.;�34 _�� D6.

Pad3 J<,,( Pad1/�' -34 !/"0�&+�%&_��+D6 (9!�#7�̀�� empty string� 34��+��XAe6%�TD6)._��"�̀ 2/(� VW�� '�F1 ��-�� LDZ6(. �� AB, LD-�� '�F1%�) L%& *+(�56#7 _�� VW�� f�� D6�� _��+D6.*+(�� '�F1%�) L34 .;��#'�F1� 0'�F1%�)�� I�;<e6"=>��>!�;��D6.��-��#$VW�� D��e6 500'�F1��(. 64'�F1��-��N6��+D6J+(_�� VW�� 576'�F1� [0x00000000 000001F4 || D || (12'�F1� 0-'�F1%�))]�� D6. VW��-�� ;<%�T��J<�� Pad3�� -��;<e6%�TD6. (Pad3� ��VW��e6 2nh&D6

F�(��J<��(.yl56C�� ,��OD6.)

2. splitting:

_�� VW��Q6-�� E��̀%& O6P<#$�� D1, · · · ,Dq� VW��Q6 �� >!�;��D6. Hj�� j-*,(B̈ ��Dj��.��, eK X� dK�� K-��'��)H�%&56��/>��;<Z6(. ��+D6.

3. Initial transformation:

IniTrans1 H1 = eK(D1) : D1�� K%&��56#7 H1��E��D6.

IniTrans2 H1 = eK′′ (eK(D1)) : ��H�e6 K,K′′�<�Ge6"��),S56klJכ(�D1�� K%&��+vwK′′+�%&��56#7 H1��E��D6.

13

4. iteration:

ISO 9797-1� �� i = 2, · · · , q� 34!�� DiX��2/(� ��;!�� 8�98!�' כ Hi−1��56#7 Hi-��

D6��#��/�' -�� CBCT>U�-��N6��!��E��D6.

Hi = eK(Di ⊕Hi−1) for i = 2, · · · , q.

5. Output transformation:

OutTrans1 G = Hq : Hq�� G' .D6+��&%�+כOutTrans2 G = eK′ (Hq) : Hq-�� K′%&��+' ��כ G' .D6+��&%�+כOutTrans3 G = eK(dK′(Hq)) : Hq-�� K′%&>��+' ��D6כ K%&��+' ��כ G' .D6+��&%�+כ

6. truncation:

G�.;��# m'�F1-�� truncate56#7MAC' .D6+��&%�+כ

ISO/IEC 9797-1� q6W4 CBC-MAC��56�̀�#!��J<,,(N6��-��*) ��56(.,�#�z@e6C��_��!/"0�&8�9� 56O6-��,,(aF��+D6. (ISO 9797-1� ��)��0!)x�#$eg(_��h��D6(.56��(.e6%�TD6.)_��*) ��"J+( initial transformation/� output transformation� ,,(aF�� q6Z6 6e6C�� MAC� �(.*��(D6��C�) ��)*+n>)+�%&O6Y��VWLM8�9� 56O6-��,,(aF�56(., MAC�� m��*) ��+D6.��AB, MAC� �(.*�� q6Z6�� IniTrans2I�J34 OutTrans2e6,,(aF�"��J< KX� K′��B9�& -��J+($!�

"��J<e6��D6.LMy$J+(56O6�Master secret+�%&\�� K, K′��JK=>56~�O6 K′�� K%&\��JK=>��+D6.JK=>!/"0�&�� (.*��0!)%&?@��56=>��+D6. (ISO 9797-1� ��H�JK=>!/"0�&�� 56C�� ,(.��>!�?@��56�$�D6.)

ISO/IEC 9797-1�\�� B� ��D6�� 6e6C�� (.*��8�9� ��MAC 4� �(.*�� Pad3X��N6��56=>��(.56(.��D6.

• MAC 1 : IniTrans1 + OutTrans1 (LM�� 6)*+n>).

MAC 1�� Pad1��O6 Pad2�_��!/"0�&+�%&N6��56(., m = n��(��J< xor forgerye6e6R$�56D6. D-��VW��Z656(. D̄-��_�� VW��Z6(.��AB, D̄e6 1��+�%&��#$%�(VW��Z6(.e6 ��+D6.LMy$J+(D� 34��+MAC, M��$!�D6(.e6 ��56J+( [D̄||D̄⊕M]�MAC=>M�� D6. m < n��(��J<=> 2(n−m)/2�G

�,,(aF�� VW�� 34��+MAC' ��כ�J+( !"�X��e6R$�56D6. Pad3�_��N6��56J+(�� !"�X��M��;<��D6.

e e e truncation

MAC

D1D2 Dq

H1 H2 Hq-1

KK K

G = Hq

LM�� 6: MAC 1

MAC 1��$!�2/(� �_��J+(� ��e6�;�UV��56C�>!��34\�#� �� zero padding(Pad1)��+W��MAC 1��N6��56(.,D6W4 T>U��?@%&}�� 0!)%&%�TD6.

• MAC 2 : IniTrans1 + OutTrans2 (LM�� 7)*+n>)

MAC� key' ��&%�+כ KX� K′ �<�Ge6N6��"��VW K′34 KX�D6W4 ' .�p��+D6$#��כ K = K′��J+(MAC1/�s6J.�e6C�%& xor forgery !"�X��e6R$�56D6.

KX� K′��%&��B9�& -��J+( security level��MAC� key sizeh&D6 -�#$C��%& K′/� K34 56O6�Master secret+�%&\��JK=>"~�O6D6��/�' -�� K′�� K%&\��JK=>� �;<��D6.

K′��56��56O6��%& K��f6��F1�� 4�G'�F1-�� complement��+D6.��, Ke6 64'�F1Z6J+(K′ = K ⊕ 0xF0F0F0F0F0F0F0F0%&��+D6.

14

e e e e truncation

MAC

K K K K '

Hq G

D1D2

H1 H2 Hq-1

Dq

LM�� 7: MAC 2


e e e d truncation

MAC

K K K

G

eKK '

HqD1

D2 Dq

H1 H2 Hq-1

LM�� 8: MAC 3

#7�̀�� keye6 KX� K′ �<e6C�e6 N6��"��VW ��34 ��%& ��B9�& -��#$�p ��+D6. >!�� K = K′��J+(MAC 334 MAC 1/�=;�<<(x�' -�6C1כ��:� �;<��D6.


MAC 4�� _�� VW�� 2�G ��.;��) AB -��+D6 (q ≥ 2). #7�̀�� N6��"�� key�� K, K′,K′′ z@ e6C�e6 ��D6. J<,,( IniTrans2� �� H�%& KX� K′-�� N6��56��VW ��%& ��B9�& -��#$�p ��+D6.OutTrans2� ��H�%& K′′-��N6��56��VW134כ�� K′� ��JK=>"#$�p��+D6.LM*�(.z@�G�H��%&D6W4 ' .�p��+D6$#��כ

e e

e

e

e

truncation

MAC

K

K''

K K

K'

G

D1 D2 Dq

H1 H2 Hq-1

Hq

LM�� 9: MAC 4

K′′��%&MAC 2� ��X�' -�� K′��f6��F1s6D6 5̂1 4'�F14�� complement56#7�56~�O6 (K′��64'�F1��J+( K′′ = K′ ⊕ 0xF0F0F0F0F0F0F0F0) !")��Master secret+�%&\��JK=>��;<��D6.

• MAC 5

15

MAC 5��MAC 1�� parallel56�:�<*,(N6��56#7��E��D6. �#$C�� key�� K56O6��kl K%&\��MAC 1� �(.*�� N6��<�G�H� K1/� K2-��JK=>!��N6��56��VW, K1/� K2��%&Q �

Z6�p ��+D6. �� -��( MAC' 34כ K1�� N6��+ MAC1� ' �/כ K2�� N6��+ MAC2� ' ��כ XOR56#7��+D6.

MAC :=MAC1 ⊕MAC2.

H�-�� JK=>56�� !/"0�&+�%& K134 KX� ' -34 ' &%�+כ 56(. K2�� MAC 2� ��X� s6J.�e6C�%& K1�

�� f6��F1� �� 5̂1 4 '�F14�� complement56#7 �56�� !/"0�&(Ke6 64 '�F1��J+( K2 = K1 ⊕0xF0F0F0F0F0F0F0F0)+�%&�56��!/"0�&��(.�>D6W4 !/"0�&34 K1/� K2-�� !")��Master secret+�%&\��JK=>56��!/"0�&��D6.

• MAC 6

MAC 634 MAC 4-�� parallel56�:�<*,(N6��56#7��E��D6. �#$C��H�� (K, K′)��(.��%&\��MAC 4� �(.*�� N6��+�<Z;��H� (K1,K′1)/� (K2,K′2)��JK=>��+D6.

MAC 5X�s6J.�e6C�%& (K1,K′1)-��N6��+MAC 4� �(.*��+�%&MAC1��56(., (K2,K′2)-��N6��+MAC 4� �(.*��+�%&MAC2��56#7 XOR56#7MAC��+D6.

MAC :=MAC1 ⊕MAC2.

(K1,K′1)/� (K2,K′2)��%&,- (K1, K′1)34 (K, K′)+�%&56(. K2 �� K′234 �� K1/� K′1+�%&\��JK=>56��VW,�� f6��F10!)%& *,(' ��6e6J+(�� 5̂1*,(B̈ f6��F1-�� complement56(. LM D6��f6��F1�� LM34%&�<(.,D6��LMD6��f6��F1-�� complement56��!/"#��+�%&JK=>��+D6.�� K1,K′1�� 64'�F1��)AB,K2 = K1 ⊕ 0xFF00FF00FF00FF00, K′2 = K′1 ⊕ 0xFF00FF00FF00FF00��D6.

q6Z6��MAC 6� ��N6��H��T>�< (K1,K′1,K′′1 )/� (K2,K′2,K

′′2 ) 6�Ge6�� D6.

4.3.2 RIPE-MAC

RIPE-MAC34 RIPE01%&0WMF1�56O6%&��g6��(�� CBC-MAC�56O6��D6 [20]. 134כ�� (.*��+�%&)��0!)x�DESX� 2 key triple DES-��N6��+D6. ISO 9797-1��f6:/"+�%&��g6��("��+�kl ISO 9797-1/��Q �*��!/"0�&� ��#$�� 56D6.)��x�_��!/"0�&/�, CBCT>U�\�#� �� ISO 9797-1/��D6t1kl,H�JK=>\�#� �� 56�$�(., truncation��56C�� ,��D6.

RIPE-MAC� �� D6��/� ' -�� _�� +D6. J<,,( ISO 9797-1� Pad2X� ' -�� VW�� s6C�M�� 1'�F1� ‘1’'�F1-��3�1D�E��(.,��-��% &d�=>��56��u2]̂�� ‘0’-'�F1%�)��3�1D�E��(D6.LM*�(._��"�̀2/(�VW��'�F1��-�� LDZ6(.56(.��E��̀-�� n'�F1Z6(.��AB, LD mod 2n-��'�F1%�)

L%&*+(�56#7_�� VW��>W4 f�� D6��_��+D6. (�� RIPE-MAC34 DESO6 2 key triple DES-��N6��56��%& n = 64��D6.)��AB=>"�>S��+��Jכ( L�.;��#'�F1\�#� �� ‘0’-'�F1%�)%&��*� D6._�� VW��-��E��̀34%& D1,D2, · · · ,Dq%&O6P<(.D6��/�' -34 *+(R,S�� CBCT>U�-��N6��56

#7 Hq-��+D6 (LM�� 10)*+n>).

H1 = eK(D1) ⊕D1,

Hi = eK(Di ⊕Hi−1) ⊕Di for i = 2, · · · , q.#7�̀�� ee6 2 key triple-DES ��J+( E,D-�� DES� ��/>�� ;<Z656(. K = K1||K2��Z6(. �� AB,eK(X) = EK1 (DK2(EK1(X)))-��[��+D6.

Hq-��56J+( K′��D6��/�' -��+D6.

K′ =

K ⊕ 0xF0F0F0F0F0F0F0F0, if e = DES,(K′1||K′2), if e = 3DES.

9!�#7�̀�� K′i = Ki ⊕ 0xF0F0F0F0F0F0F0F0��D6.LMy$J+(MAC34 D6��/�' -D6.

MAC = eK′ (Hq).

16

e

D1

K eK

D2

H1 H2 Hq-1

eK

Dq

eK '

Hq

G = MAC

LM�� 10: RIPE-MAC

4.3.3 XCBC-MAC

XCBC-MAC34 ��/;<-�� 8��(.,��H�-�� 56O6>!�N6��56#7 H� scheduling56�� 8!�� 8��(.g6��g6��("��D6. XCBC-MAC34 z@�G�H� (K1,K2,K3)e6"�,S��+VWכ( K134 ��AB"��S��+��Hכ(

��(. K2,K3��VW�� s6C�M�� >!� -��"�� Input whitening H�%&�� VW�� _��!/"0�&� q6Z6�� K2 I�J34 K3e6,,(aF�� D6.q6Z6�� K1��H��(. K2,K3�� n'�F1��D6. K2,K3�� K1+�%&\��JK=>� �"��S%�Tכ( n'�F1� random��+'�F1%�)��D6.��<<(;!��;<-��8��̀�#56#7VW�� _��+�%&,-VW��;<e6��e656C�� ,=>��VW

�� e6 n '�F1� I�;<��) ABX� �6>�� AB%& O6P<#$�� n '�F1� I�;<e6 �6?�( ��J<� >!� u2]̂��‘10 · · ·0’-��3�1D�E#7��VW��-�� n'�F1�I�;<%&>!�;��D6.LMy$J+( RIPE-MAC/�'�()PFQ��AB,��VW��e6 n'�F1�I�;<��J+( XCBC-MAC� ��_��)#$O6C�� ,(., RIPE-MAC� �� 2��_��(‘10 · · ·0’� _��/�VW�� h&_��)��)#$O6��%& 2*,(�� <<(;!��8��);< ��:�� D6 (D6W4 ��J<�� 1*,(�r6��e6�!�D6).

eK1 eK1

H1 H2 Hq-1

eK1

Hq = MAC

K2

eK1 eK1

H1 H2 Hq-1

eK1

Hq = MAC

K3

Dq || 10...0D2D1D2D1 Dq

LM�� 11: XCBC-MAC

_�� VW��-�� E��̀%& O6P<#$ D1,D2, · · · ,Dq%& >!��J+( Hq−1�6C�� IV = 0��( h&)�� CBCT>U�%&�!�%�(D6.s6C�M�� Hq(= MAC)34 _��)#$�!��J<X��)#$O6C�� ,34 ��J<%&O6P<#$D6��/�' -��+D6.

Hq =

eK1 (Hq−1 ⊕Dq ⊕ K2), VW��e6 n'�F1�I�;<��)AB,eK1 (Hq−1 ⊕Dq ⊕ K3), VW��e6 n'�F1�I�;<e6�6>��AB.

RIPE-MAC34 input whitening H�%�T�� Hq-��56(.D61כ��G%&*� ��H� K′��JK=>56#7��+ ��1כ� MAC+�%&56�� &%�+1כ� XCBC-MACh&D6�G%&*� H�� 34��+ ��+*,(� �� <<(;!�� d�e6%& "�Sכ(56(. �>��+ �G%&*� H�-�� "�#� �56�$�+��%& �G%&*� H�� 34��+ H� scheduling��%�&�� "�:�S56כ( �� D6. �.�J+(� XCBC-MAC34 s6C�M��VW�� Input whiteningH�-��a��L�561��%כ��& overheade6%�TD6.

4.4 UMAC

UMAC34 J. Black et el.� �!�� Crypto’99� �� 0?3�� MAC�56O6%& universal hash��;<-�� +MAC��D6 [64, 55]. UMAC34 01%&z@�� q6Z6�� 16'�F1?�@�45��O6 32'�F1?�@�45��+MAC+�%&?�@

17

�45��6t1�:��"��01%&z@�� ̀7� � HMAC��O6 CBC-MACh&D6a�J<�6t1�:�� ;<��D6.��?@%& HMAC-SHA1��O6 CBC-MAC-RC6� '�!� UMAC-32��J<�� 5I� ��=>�6W4 �*)/�-��?@��56(.��D6 [64]. UMAC�Y6Z6[�� 5X�' -D6.

Y6Z6[�� e6R$��+' כ Default C�) ��

w WORD-LEN 2, 4 4 word��(f6��F1)l UMAC-OUTPUT-LEN 1, 2, · · · , 31, 32 8 UMAC�Q��9U��(f6��F1)n L1-KEY-LEN 32, 64, 128, · · · , 228 1024 Layer1�NH� �� *�"��

a@z@C�9!��#(f6��F1)k UMAC-KEY-LEN 16, 32 16 N6��g6H��(f6��F1)s L1-OPERATION-SIGN SIGNED, UNSIGNED UNSIGNED

e ENDIAN-FAVORITE BIG, LITTLE LITTLE

�� 5: UMAC�Y6Z6[��

��Y6Z6[�� #$%�( word��(w)� 3456#7��%& ��!�6�);<��+�klLMAB� UMAC��$2i(34 UMAC-w/l/n/k/s/e%&O6Q6�4(.)��x� default UMAC34 UMAC32Z6(.��+D6 (Default' 34כ�� 5)*+n>).LM*�(. UMAC1634 UMAC-2/8/1024/16/SIGNED/LITTLE��[��+D6. UMAC34 Q��9U�� q6Z6��6/�' -34 $!�2/(� ��e6%�(D6.

UMAC-OUTPUT-LEN (bytes) UMAC��#n>��[!�

2 2−15

4 2−30

8 2−60

16 2−120

�� 6: UMAC�$!�2/(� �

q6Z6�� UMAC32X� UMAC1634 T6� D6 2−60� $!�2/(� �� e6%�(D6. UMAC34 word size >!��$K� ��-��r6¡�%&<<(6�&56#7�!�C��%& UMAC�Q��9U��e6��#$6�);<�� '�¡�56#7$!�2/(!�C�(.UMAC��56��VW�-)*��8!�=>�� '�¡�56#7��e656�:�� D6.LMy$J+( UMAC34 D6��/�' -34 /� ��+�%&��+D6 (UMAC��56��VW"� �#�\+��Sכ(��;<��\�� A� ��

g6z@x�C�) ��+D6).

• INPUT :

K : key string of length UMAC-KEY-LEN bytes.M : message string of length less than 264 bytes.Nonce : nonce string of length 1 to 16 bytes.

• OUTPUT :

AuthTag : string of length UMAC-OUTPUT-LEN bytes.

• STEPS :

1. HashedMessage =

UHASH-32(K,M), if WORD-LEN = 4,UHASH-16(K,M), if WORD-LEN = 2.

2. Pad = PDF(K,Nonce).

3. AuthTag = Pad ⊕HashedMessage.

UHASH��;<��&9U�a@z@C�-��N6��g6H�-��e6C�(. UMAC-OUTPUT-LEN��%&Q��9U�56��;<%& UHASH-32�� 32'�F1 word size01%&z@�� -��"kl UHASH-1634 16'�F1 word size01%&z@�� -��"��;<��D6.��UHASH�� 3��_��(L1-HASH, L2-HASH, L3-HASH)+�%&�� "#$ 3��

18

_��.�>�� -�+�%& -��"#$LM�*)/�e6r6¡�%&<<(6�&"J+(��56�� UMAC-OUTPUT-LENf6��F1��-��Q��

9U��+D6.LM*�(. L1-HASH� �� word size� q6Z6�� NH-32 I�J34 NH-16�� -��"��VW, NH-32�� 32 '�F1�

;<-�� ?�@56#7 64 '�F1� ;<-�� E�� 01%&z@�� % &�: ��g6��( "#$ ��D6. )��x� Intel Streaming SIMD�� 2Z;�� 32'�F14��?�@�� 2�G� 64'�F1��*)/�%& O6Q6XYZ;<��D6. NH-1634 Intel� MMXO6Motorola+�AltiVec�$�/�' -�� 16'�F1 word=�� 3456#7multiply-add<<(;!��56�� CPU� -��[56D6.��&9U�� UMAC-KEY-LENf6��F1�N6��g6 H� K�� _�� "�S��+H�%&��;�56�̀כ( �#��+��;<%& A.3

6�)� KDF-�� 56#7N6��+D6. KDF��N6��g6H�X� index-��e6C�(."��H�-��JK=>56�S��+��>!��$Kכ(��;<%& �� UMAC34 AES� OFBT>U�-�� N6��56#7 KDF-�� 56=>�� "#$��D6 (g6z@��+ KDF� � �(.*��34 \�� A.36�))*+n>).�#� �� PDF��;<��N6��g6H� K-��e6C�(. AES� -��"��H�-��"�#� �56#7 "�#� �� H�-�� e6C�(. Nonce-�� +�%&,- UMAC-OUTPUT-LENf6��F1� H� ��F1�� JK=>56�� ;<��D6 (PDF�� (.*��34 \�� A.46�))*+n>).

• Notations : ��vw�� (.*�� N6��"�� ̀��D6��/�' -+�kl Big-endian�� ̀�� +�%&C�) ��+D6.

length(S) S�f6��F1��.

zeroes(n) n�G� zero-byte%&��#$%�(f6��F1%�).

S[i, · · · , j] S� i*,(B̈\�� j*,(B̈ f6��F1%&��#$%�(\�#� f6��F1%�) (index�� 1\��+D6).

zeropad(S, n) [S||zeroes(i)], [S||zeroes(i)]e6 non-empty��(. length(S)+ ie6 n�I�;<e6"=>��56��u2]̂�G;<� zero-byte-��_��+D6.

prime(x)x prime(x) (decimal) prime(x) (hexadecimal)

19 219 − 1 0x0007FFFF

32 232 − 5 0xFFFFFFFB

36 236 − 5 0x0000000F FFFFFFFB

64 264 − 59 0xFFFFFFFF FFFFFFC5

128 2128 − 159 0xFFFFFFFF FFFFFFFF FFFFFFF FFFFFF61

bit(S, n) S� n*,(B̈ '�F1. (index�� 1\��+D6.)

str2uint(S) ‘String To Unsigned Integer’-��[�56kl S��e6 t'�F1Z6J+( str2uint(S) =∑t

i=1 2t−i∗bit(S, i)��D6.

uint2str(n, i) ‘Unsigned Integer To String’�� [�56kl str2uint(S) = n�� "�� i f6��F1� f6��F1%�) S��D6.

str2sint(S) ‘String To Signed Integer’-�� [�56kl S� ��e6 t '�F1Z6J+( str2uint(S) = −2t−1 ∗bit(S, 1) +

∑ti=2 2t−i ∗ bit(S, i)��D6.

sint2str(n, i) ‘Signed Integer To String’��[�56kl str2sint(S) = n��"�� if6��F1�f6��F1%�) S��D6.

S +n T

=

uint2str(str2uint(S) + str2uint(T) mod 2n, n/8), if L1-OPERATION-SIGN=UNSIGNED,sint2str(str2sint(S) + str2sint(T) mod 2n, n/8), if L1-OPERATION-SIGN=SIGNED.

S ×n T

=

uint2str(str2uint(S) × str2uint(T) mod 2n, n/8), if L1-OPERATION-SIGN=UNSIGNED,sint2str(str2sint(S) × str2sint(T) mod 2n, n/8), if L1-OPERATION-SIGN=SIGNED.

4.4.1 UHASH-32

UHASH-32�� #$%�( H� KX� a@z@C� M+�%&\�� UMAC-OUTPUT-LEN�� HashedMessage-�� 56#7Q��9U��+D6. UHASH-32�� 32'�F1word size� -��"��;<%&��\�#� ��;< L1-HASH-32, L2-HASH-32,L3-HASH-32��%&�� D6.��\�#� ��;<��34 a�*,(;<&':� �ABs6D6N6��g6H� K%&\��JK=>�� G%&*� H�

19

X�a@z@C�M��&9U�+�%&56#7 32'�F1�Q��9U��E��D6.��+*,(��.�>��;<&':��FGHO6J+(D6��G%&*� H�X��)��+a@z@C�M+�%&� ��\��.�>��56#7�G%&*� 32'�F1-��E��D6.��,56O6�H��/�a@z@C�M+�%&\�� L1-HASH-32��;<-��)��56#7 8 ∗ �length(M)/L1-KEY-LEN�f6

��F1��%&� 7:��" 134כ��,.)D6�� L2-HASH-32��;<-��)��56#7 16f6��F1�(. �� %&� 7:��"J+(L3-HASH-32-��~�� s6C�M��+�%& 32'�F1�u2��*)/�-�� E��D6.��H�s6D6 ��E#$%�( 32'�F1��34 r6¡�%&<<(6�&"#$��56�� UMAC-OUTPUT-LENf6��F1-��E��AB�6C� 3��_��r6¡�%&�.�>��;<&':�� D6.�.�>��;<&':� �AB�a@z@C��)56klH��>!��N6��g6H� K%&\�� UMAC�H�JK=>��;< KDF%&"�Sכ(��+��>!��$KJK=>�� D6 (A.16�)/� A.36�))*+n>).��X�' -�� UMAC34 MAC��"�#� ��AB, UHASH-32� ��HashedMessagee6 32'�F19!��#%&r6¡�%&�

!�C��%&MAC�� P\�#� >!��56#7� ��;<=>��D6 (g6z@��+� �(.*��34 \�� A.16�)��)*+n>).

UMAC34 D6W4 MAC/��Q �*�?�@�45��+MAC��(VW134כ�� UHASH-32�\�#� ��;<8�9� �� L1-HASH-32� ��NH-32��;<e6LM�$��=��=;��+D6. NH-32�� 32f6��F1�I�;<e6"��a@z@C�M��&9U�+�%&56#7 8f6��F1�Q��9U��4��;<��D6.

L1-HASH-32��a@z@C�M�� L1-KEY-LENf6��F19!��#%&O6P<#$��9!��#a@z@C�-��NH-32� -�� 8f6��F1-��E(.1כ��r6¡�%&<<(6�&��f�(D6.q6Z6�� L1-HASH-32�Q��9U�34 8 ∗ �length(M)/L1-KEY-LEN�f6��F1e6�� D6.��ABa@z@C��s6C�M��34 L1-KEY-LENf6��F1e6�6>��;<=>��+�kl>!��) 32f6��F1�I�;<e6�6©�J+( 32f6��F1�I�;<e6"=>��s6C�M��FGH� u2]̂�� 0x00��<<(6�&��f�(D6 (A.1.16�))*+n>).

• NH-32(K,M)

K : key string of length L1-KEY-LEN.M : message string with length divisible by 32 bytes.

• (procedure)

1. t = �length(M)/4�.2. M = [M1||M2|| · · · ||Mt]%&O6d��D6.

(for all i = 1, · · · t, length(Mi)=4).

3. [K1||K2|| · · · ||Kt] : the prefix of K.(for all i = 1, · · · t, length(Ki)=4).

4. Y = zeroes(8).

5. i = 1.

6. while i < t, (LM�� 12)*+n>)

(a) Y = Y +64 ((Mi+0 +32 Ki+0) ×64 (Mi+4 +32 Ki+4)).(b) Y = Y +64 ((Mi+1 +32 Ki+1) ×64 (Mi+5 +32 Ki+5)).(c) Y = Y +64 ((Mi+2 +32 Ki+2) ×64 (Mi+6 +32 Ki+6)).(d) Y = Y +64 ((Mi+3 +32 Ki+3) ×64 (Mi+7 +32 Ki+7)).(e) i = i + 8.

7. Y-��Q��9U�.

��X�' -��L1-HASH-32e6.;�34 -�+�%&F�(Q��9U��e6C��%&L2-HASH-32�� ‘polynomial hash function’POLY-��56#7 16f6��F1�(. �� %&� 7:��+D6.J<,,(��&9U�� a@z@C�-��word9!��#%&O6P<#$��word-��D6�/"#��;<%&"�#��+D6.>!��) n-worda@z@C�e6��&9U�"J+(�� i*,(B̈word-�� xn−1r6�/"��;<%&

"�#��56(. xn��;<�� 1%&8!� �56J+( nr6#��D6�/"#��E��;<e6��D6. POLY��D6�/"#�� x� '��)H�-��34��&56#7 �#$%�( ]̂;<%&modular�:;!��561כ��/�] 6�) -�+�%&' -34 �[��D6.#7�̀�� ]̂;< p��&9U�� wordbits%&�*) ��"�� ]̂;<��D6. L2-HASH-32��;!�� *)/�-�� 16f6��F1%&>!�;��D6 (A.1.26�)/� A.1.36�))*+n>).

L3-HASH-32�� L2-HASH-32�Q��9U��( 16f6��F1%&\�� 32'�F1-��Q��9U�56��;<��D6 (A.1.46�))*+n>).

20

M1

K1

M8M7M6M5M4M3M2

K8K7K6K5K4K3K2

+32 +32+32+32+32+32+32+32

64 64 64 64

+64

64-bit Hash result

LM�� 12: NH-32

4.4.2 UHASH-16

UHASH-1634 WORD-LEN=2��%& UHASH-32X�� ̀] 9!��#e6 D6t1��%& � �(.*�� r6��e6 O6C�>!� �̀] -��(� �(.*��n>��~��JKN656D6 (A.26�))*+n>).

L1-HASH-1634 NH-16��;<-�� 56#7a@z@C� M�� 4 ∗ �length(M)/L1-KEY-LEN�f6��F1%&� 7:��56��9!��%& UMAC-OUTPUT-LENh&D6��F�(��%&� 7:��+D6 (A.2.16�))*+n>). NH-16�$�� NH-32X�' -�� 32f6��F1�I�;<e6"��a@z@C�M��&9U�+�%&56C�>!� 8f6��F1e6�6©�Z6 4f6��F1�Q��9U��4��;<��D6.

• NH-16(K,M)

K : key string of length L1-KEY-LEN.M : message string with length divisible by 32 bytes.

• (procedure)

1. t = �length(M)/2�.2. M = [M1||M2|| · · · ||Mt].

(for all i = 1, · · · t, length(Mi)=2).

3. [K1||K2|| · · · ||Kt] : the prefix of K.(for all i = 1, · · · t, length(Ki)=2).

4. Y = zeroes(4).

5. i = 1.

6. while i < t, (LM�� 13)*+n>)

(a) Y = Y +32 ((Mi+0 +16 Ki+0) ×32 (Mi+8 +16 Ki+8)).(b) Y = Y +32 ((Mi+1 +16 Ki+1) ×32 (Mi+9 +16 Ki+9)).(c) Y = Y +32 ((Mi+2 +16 Ki+2) ×32 (Mi+10 +16 Ki+10)).(d) Y = Y +32 ((Mi+3 +16 Ki+3) ×32 (Mi+11 +16 Ki+11)).(e) Y = Y +32 ((Mi+4 +16 Ki+4) ×32 (Mi+12 +16 Ki+12)).(f) Y = Y +32 ((Mi+5 +16 Ki+5) ×32 (Mi+13 +16 Ki+13)).(g) Y = Y +32 ((Mi+6 +16 Ki+6) ×32 (Mi+14 +16 Ki+14)).(h) Y = Y +32 ((Mi+7 +16 Ki+7) ×32 (Mi+15 +16 Ki+15)).

7. Y-��Q��9U�.

21

M1

32-bit Hash result

+16

32

K1

M2

+16

K2

M3

+16

K3

M4

+16

K4

M5

+16

K5

M6

+16

K6

M7

+16

K7

M8

+16

K8

M9

+16

K9

M10

+16

K10

M11

+16

K11

M12

+16

K12

M13

+16

K13

M14

+16

K14

M15

+16

K15

M16

+16

K16

32 32 32 32 32 32 32

32

LM�� 13: NH-16

L1-HASH-1634 L1-HASH-32X�s6J.�e6C�%&a@z@C�M�� L1-KEY-LENf6��F19!��#%&O6P<#$��9!��#a@z@C�-��NH-16� -��56#7 4f6��F1-��E(.��-��r6¡�%&<<(6�&��f�(D6.��X�' -�� L1-HASH-16��.;�34 -�+�%&F�(Q��9U��e6C��%& L2-HASH-16=> L2-HASH-32� ��X�' -34 ‘polynomial hash function’ POLY-��56#7 16f6��F1�(. �� %&� 7:��+D6 (A.2.26�))*+n>).

L3-HASH-1634 L2-HASH-16�Q��9U��( 16f6��F1%&\�� 16'�F1-��Q��9U�56��;<��D6 (A.2.36�))*+n>).

�� 5�� /��)�(�כ��

!"�GH� ��>�� (.*�� e6�;� % ,�� N6��"�� (.*��34 RSA��kl RSA� ��34 34\�#�

PKCS#1� !/"#�� q6W4 D6 [15]. RSA�� ]̂;< p, qe6 �� AB, p, q� ?�@ n = pq-�� 56�̀�� =>n+�%&\�� ]̂;< p, q-�� (;<#� !�56�� 1כ� a�J< #$9!&D6�� N6�� f6:/"�� j�� D6. �� ̀��+�%&�� 1999'(( 8�� 512'�F1(155g6*�) RSA-Challenge�[� �;<e6��(;<#� !�"��D6 [66]. ��01%&LMNF��34 512, 768, 1024'�F1�$��[� �;<��% ,��N6��56(.��VW, 512'�F1(155g6*�)�[� �;<��(;<#� !��#Rg�� +��%&��2/(�$2i(/�� #!��>!�N6��"kl,34\�#� �� 1024'�F1e6�� +�%&N6�� D6.��)�.� -��( RSA ��34 �� ]̂;< p, q� ?�@��( n(= pq)�� 0�&+�%& 56�� T>TU�Z6 <<(;!�� N6��56C�>!�

2�G��.;�� ]̂;<�?�@��0�&+�%&N6��56��multiprime=> PKCS#1 v2.1\��|��"��D6.J<,,(��N6��g6��56��E��̀� ]̂;< r1(= p), r2(= q), · · · , c f-��,,(aF�56#7 n = r1 × · · · × r f��56(.,,,(aF��+ !"�GH�(publicexponent) e ( �%& 3��O6 216 + 1��N6��$%&)� 34��"��G��(H�(private exponent) d-��D6��#��+�%&��;!��+D6 (#7�̀�� lcm34 u2]̂ !"I�;<-��[��+D6).

e · d ≡ 1 (mod lcm(r1 − 1, · · · , r f − 1))

��?@ !"�GH� {n, e}�� !"�G56(.�G��(H� d��g6��(>!��'��)%&8!��+D6.

D6��34 PKCS#1� �� + RSA� !"�GH�X��G��(H�� 34��+ ASN.1 syntax��D6.

RSAPublicKey ::= SEQUENCE {

modulus INTEGER, -- public modulus, n

publicExponent INTEGER -- public exponent, e -- }

RSAPrivateKey ::= SEQUENCE {

version Version,

modulus INTEGER, -- n

publicExponent INTEGER, -- e

privateExponent INTEGER, -- d

22

prime1 INTEGER, -- p

prime2 INTEGER, -- q

exponent1 INTEGER, -- d mod (p-1)

exponent2 INTEGER, -- d mod (q-1)

coefficient INTEGER, -- (inverse of q) mod p

otherPrimeInfos OtherPrimeInfos OPTIONAL -- for multiprime

}

Version ::= INTEGER { two-prime(0), multi(1) }

OtherPrimeInfos ::= SEQUENCE SIZE(1..MAX) OF OtherPrimeInfo

OtherPrimeInfo ::= SEQUENCE {

prime INTEGER, -- ri

exponent INTEGER, -- di = d mod (ri - 1)

coefficient INTEGER -- ti = (inverse of r1*...*r(i-1)) mod ri

}

N6��g6 Ae6 B� �:a@z@C� m(0 < m < n)��!��h&�4(.g6��+D6J+(��.�� c��D6��/�' -�� B� !"�GH� (eB, nB)-��56#7��;!��+D6.

�� : c = meB (mod nB).

B�� A%&\��!*<34 ��.�� c-��g6��(��G��(H� dBX� nB-��56#7D6��/�' -��>��56#7��a@z@

C� m��;<��D6.>�� : m = cdB (mod nB).

�� RSA ��/>��-�� AB�� modular U�L$� <<(;!�� "�,S��+VWכ( �� /� �� 8!�� % ,�� -)*��%&n��(;<#� !�-��6��J<,��>��56~�O6�� AB�� Chinese Remainder Theorem(CRT)��N6��56#7 LMB=>-�� 6t1�: �� ;<=> ��D6. CRT-�� N6��56ylJ+( J<,,( dp = d mod (p − 1), dq = d mod (q − 1)X�qinv = q−1 mod p-��J,(��;!�56#7 �G��(H�%&��;��+D6. Multiprime��C��56��J< ( f > 2), di = dmod (ri − 1)X� ti = (r1 · · · ri−1)−1 mod rie6d�e6%&"� '�/��S56D6.LMy$J+(D6כ(-�� m��;<��D6.

m1 = cdp mod p,

m2 = cdq mod q,

If f > 2, then mi = cdi mod ri, i = 3, · · · , f ,h = (m1 −m2) · qinv mod p,

m = mq + hq.If f > 2, then let R = r1 for i = 3 to f do

Let R = R · ri−2,

Let h = (mi −m) · ti mod ri,

Let m = m + R · hf�G� multiprime�� N6��56#7�#X�' -�� CRT-��N6��56#7 modular U�L$��56��J<h&)��!/"0�&+�%& 1h&D6��Wכ��56!;�� -�(?�@�45��AB,)��0!)��+!/"0�&��N6��56C�� 1��e6כ��56!;��.),��)+�%& f 2I� ��

=>�6t1�:"#$�p56C�>!�u2 -�� ?�@�45+�%&��56J+(G��a*� -�+�%&�� f 1.6I� ��=>�6t1�:�� D6 (��-��#$ 4�G� ]̂;<-��N6��56J+(��J< 9I�, 8�G� ]̂;<-��N6��56J+( 27I�) .a@z@C�-�� (bc�� 56C� � ,(. LM34%& ��/>��56�� 1כ� Raw Encryption��Z6(. ��+D6. Raw Encryp-

tioin34 % ,34 !"�X�� UV��56��%&��?@%&~��N6��"C�� ,C�>!�N6��g6��XA\�%&\��(bc�� a@z@C�-��!*<��O��AB=>��/>��e6e6R$�56=>��56�̀�#56#7�� |��H��J<e6% ,D6.

��?@%&RSA-��PKCS#1�!/"0�&+�%&��56��J<,G��.��AB��J<,,(G��.��M(octet string)��(bc��56#7 EM��>!�� 1כ��.)��;< m+�%&*+(�56#7 c = me (mod n)��!��.�� C%&*+(��+D6.>��

23

��AB��$��̀�+�%&��#$%�(D6.��/� �� G��.��M��(bc��!/"#�� q6Z6��PKCS#1-v1.5X�PKCS#1-OAEP�<e6C�%&O6�D6.

�� : M��(bc��−−−−−−→ EM OS2IP−−−−−−→ m

encryption−−−−−−−−−−−→ c I2OSP−−−−−−→ C

>�� : C OS2IP−−−−−−→ cdecryption−−−−−−−−−−−→ m I2OSP−−−−−−→ EM

��bc��−−−−−−→ M

�#� �� OS2IP, I2OSP�� VW�� Q6��& *+(��c+�%& �� Octet String to Integer Primitive, Integer toOctet String Primitive-��[��+D6.

5.1 @A��!"+$��

PKCS#1� ��?@�VW��-��T>�< octet string+�%&��56#7� *��+D6.q6Z6��a@z@C�-��RSA�RawEn-cryption��;<� -��56�̀ �#!�� octet string�� ;<%& f6ª�� ;<(OS2IP)X� ��;<-�� octet string+�%&f6ª��;<(I2OSP)e6"��>;��.S56D6כ(��34 % ,34 �� LM34%&q6t1(.��D6.

OS2IP�� lf6��F1 octet string EM = (EMl−1 EMl−2 · · · EM0)� �� octet EMi-�� 0� �� 255N6�� ;< mi%&"�#��56#7 OS2IP(EM) =

∑l−1i=0 mi256i+�%&*+(��+D6.��-��#$ EM = 0x 01 23 AB CD��Z6J+(

OS2IP(EM) = 1 ∗ 2563 + 35 ∗ 2562 + 171 ∗ 256 + 205 = 19114957

��D6. I2OSP�� OS2IP��$��;<��(VW��-��C� ��56#7*+(��+D6 (I2OSP(integer, bytelength)).

I2OSP(19114957, 6) = 0x 00 00 01 23 AB CD

�#�� 256l− j−1 ≤ m < 256l− j��( ��;< m�� lf6��F1 octet string+�%&*+(��AB, octet string�.;��# jf6��F1�� 0x00+�%&��*� D6.

5.2 RSAES-PKCS#1-v1.5

RSA� !"�Gmodulus n�E��̀-�� kf6��F1Z6(.e6 ��+D6.LMy$J+(J<,,(G��.��M�� k− 11f6��F1��56e6"#$�p56(.D6��/�' -34 R,S#��+�%& k − 1f6��F1 EM+�%&��(bc��+D6.

EM = [ 02 || PS || 00 ||M ].

#7�̀�� PS�� 8f6��F1 ��.;��(. EM�� k − 1f6��F1e6 "=>�� >!�U�� ‘0x00’ f6��F1e6 |��"C� � ,34 random padding string��D6.LMy$J+( EM�� ;< m = OS2IP(EM) < n+�%&*+(�56(. c = me (mod n)��;!��+D6.��.��34 c-�� C = I2OSP(c, k)%&*+(��E��D6.LMy$O6 PKCS#1-v1.5��(bc��!/"#��34 Bleichenbacher� ,,(aF� ��.�� !"�X�([65])/� Coron et el.� !"

�X�([68])�$�� 56#7$!�2/(� �� #=(>��!*<(.��+��%&��2/(�$2i(/�� #!��>!�N6��56(.�G%&*� ��01%&LMNF�� PKCS#1-OAEP-��N6��56��+*1��f64כ��56D6.

5.3 RSAES-OAEP

PKCS#1-OAEP�� Bellare-Rogaway�!/"#�� ̀��+ ��(bc�� !/"0�&+�%& v2.0\��|��"��D6 [60]. 1כ��34 random oracle model��f6:/"+�%& plaintext-awareness-�� (.*��+�%& PKCS#1-v1.5� ��UV��+R$�� -��(,,(aF��.�� !"�X�� =>$!�2/(��e� >!��6©�Z6��!�� _��J+(� ��=> PKCS#1-v1.5� '�!�~��'�L$k56D6. Random oracle model��[.��.;� -��(�!�;<��;<e6��D6(.e6 ��56(.��!�;<��;<-��56#7$!�2/(��+ �� (.*�� g6��(56�� !/"0�&��% ��+D6. ��?@� �� !��;<-�� + �N6�!�;< ��;<(MGF(Mask Generation Function):D6��6�)� ��vw6̂�)%&34��(56�:�� D6.

PKCS#1-OAEP� ��N6��56�� !��;<� Q��9U�� -�� hLen f6��F1Z6(. ��+D6. PKCS#1� �� !��;<%&MD2, MD5X� SHA1��N6��;<��VWMD2, MD5� 34!��\�#� -��( !"�X�!/"0�&��+��%&�G%&*� ��01%&LMNF�� SHA1��N6��56=>��(.56(.��+�kl Default' �$�כ�� SHA1��D6.

• Parameter :

Hash : Q��9U�� hLenf6��F1��(!��;<.MGF : Mask Generation Function.

24

• INPUT :

M : message to be encoded. (mLen ≤ emLen − 1 − 2hLen)P : encoding parameters, an octet string. (Default : empty).emLen : length in octets of encoded message. (emLen ≥ 2hLen + 1, PKCS#1 RSA�� emLen = k − 1��D6.)

• OUTPUT : EM : encoded message, an octet string of length emLen.

• STEPS : (LM�� 14)*+n>)

SeedSeed

Hash(P)Hash(P)

PS || 01PS || 01

MM

MGFdbMask

dbMask

maskedDBmaskedDB

seedMaskseedMask MGF

maskedSeed

maskedSeed

Hash(P)Hash(P)

PS || 01PS || 01

MMDB =

maskedSeed

maskedSeed maskedDB

maskedDBEM =

LM�� 14: PKCS#1-OAEP��(bc��

1. emLen − 1 − 2hLen −mLenf6��F1 ‘0x00’-f6��F1%�) PS"�#� �.

2. DB = [ Hash(P) || PS || 01 ||M ].

3. hLenf6��F1�!�;<%�) Seed"�#� �.

4. dbMask =MGF(Seed, dbLen).

5. maskedDB = DB ⊕ dbMask.

6. seedMask =MGF(maskedDB, hLen).

7. maskedSeed = Seed ⊕ seedMask.

8. EM = [ maskedSeed || maskedDB ].

>��AB��bc��34 ��(bc��$��̀�+�%&��;<��D6.

1. maskedSeed = EM�.;��# hLenf6��F1.

2. maskedDB = EM�O6k$C�\�#� .

3. Seed = maskedSeed ⊕MGF(maskedDB, hLen).

25

4. DB = dbMask ⊕MGF(Seed, dbLen).

��H�I�:��+DB� 5̂1 hLenf6��F1e6Hash(P)��(C�� 56(. ‘0x00’-padding stringW�� ‘0x01’��C� � ��(padding string�� %�T�� f6%& ‘0x01’�� ;<=> ��)56#7LM O6k$C� \�#� �� G��.�� M+�%& ��;<��D6.>!��)� ��"C�� ,+�J+(��f6W4 ��.��6@�� ;<��D6.

• PKCS#1-OAEP��ASN.1 syntax

RSAES-OAEP-params ::= SEQUENCE {

hashfunc [0] AlgorithmIdentifier {{OAEP-PSSDigestAlgorithms}}

DEFAULT sha1Identifier,

maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}}

DEFAULT mgf1SHA1Identifier,

pSourceFunc [2] AlgorithmIdentifier {{pkcs1pSourceAlgorithms}}

DEFAULT pSpecifiedEmptyIdentifier }

5.4 Mask Generation Funcion(MGF)

Mask Generation Function(MGF)��N6�!�;<��;<%&�� #$%�( string�� seed%&56#7 �#$%�(��>!��$K��!�;<%�)��"�#� ��+D6. RSA�� (.*�� PKCS#1-OAEP, RSA�� (.*��8�9�56O6��( PKCS#1-PSSX� P1363a�EMSR3�� (.*��$!�2/(� �34 MGF� randomness� �7� ��+D6.�>��+�� randomness��MGF-�� 56(.��!��;<%&\��>�� 6�)��D6. PKCS#1� ��MGF%&D6��/�' -34 MGF1��N6��56=>��(.56(.��D6.J<,,( Ci = I2OSP(i, 4)Z6(.��+D6.LMy$J+( l ≤ 232� 34!��

MGF1(Z, l) = [ Hash(Z||C0) ||Hash(Z||C1) || · · · ]�.;��# lf6��F1

��D6. MGF1� ��!��;<�� SHA1��N6��+D6.

�� 6�� &%�)�(�כ��

!"�GH�� (.*��+�%&�� RSA�� ,[�%&'<<(!/"�� ( DSA,��+%&'�� ( KCDSA,LM*�(. DSAX� KCDSA�Q6�� !',,(�$2i(��( ECDSA, ECKCDSA�$��D6.LM0?1� %&'?@�� +�%& ISO-9796��+�O6u2()�� !"�X�!/"0�&��%&$!�2/(56C�� ,D61��0כ��?\�� h�D6 [67, 69, 71, 72].

RSA�� (.*��34 h&)�� PKCS#1�!/"#��q6W4 D6. A�� B� �: 1/� nN6��a@z@C� m� 34��+�� s-��g6��(��G��(H� dAX� nA-��56#7��+W��a@z@C� m/�� B� �:h&:;�D6.

�� : s = mdA (mod nA).

B�� A%&\��!*<34 a@z@C� m/�� s-��.;�34!/" A� !"�GH� (eA, nA)-��56#7D6��/�' -�� ;<��D6.

� �� : m = ceA (mod nA).

RSA�� => RSA ��/>��X� s6J.�e6C�%& a@z@C�� (bc�� %�T�� #X� ' -34 !/"0�&+�%& �� 56��Raw Signing34 �� #n>��#Rg�� +��%&XA\�� (bc�� a@z@C�-��!*<�6�� 56��J<��XA� �� N6��56C� � ,�� 1כ� b'cD6. PKCS#1� v2.1 Draft� �� a@z@C�� (bc�� !/"0�&� q6Z6 PKCS#1-v1.5X� PKCS#1-PSS��<e6C�-��?@$!�56(.��(., P1363a� ��a@z@C�\�#� >��e6e6R$��+��(bc��!/"0�&+�%& EMSR3-�� 56(.��D6.

6.1 RSASSA-PKCS#1-v1.5

n�� kf6��F1��)AB,G��.��M� PKCS#1-v1.5��(bc��34 D6��/�' -D6.

EM = [ 01 || PS || 00 || T ]

26

#7�̀�� T��D6�� DER��(bc��+' .��D6כ 2

DigestInfo ::= SEQUENCE {

digestAlgorithm AlgorithmIdentifier,

-- md2, md5, sha1, sha256, sha384, sha512, ...

digest OCTET STRING -- Hash(M) -- }

N6��;<��!��;<%&MD2, MD5, SHA1, SHA256, SHA384, SHA512�$��D6. PS�� EM�� k−1f6��F1%&>!��̀�#��+ k − 1 − tLen − 2f6��F1� ‘0xFF’-f6��F1%�)��D6 (k − 1 − tLen − 2 ≥ 8). ��?@�� 34 m = OS2IP(EM)��56#7 s = md (mod n)��;!��+W�� S = I2OSP(s, k)��"�#� ��+D6.�� 34 �#$%�( (M, S)%&\�� EM = Encoding(M)/�m = se (mod n) = OS2IP(S)e (mod n)��"�#� �56#7D6��m+�%&\�� EM′ = OS2IP(m, k − 1)��>!��#$ EMX�'�()56#7�� +D6.

PKCS#1-v1.5�� 34 PKCS#1-v1.5�� 0?\��%�( UV�� -�34 %�T+�O6 $!�2/(� � �>��+ �� "C�� ,34 � �(.*��D6.LM�� PKCS#1� version 2.1(Draft)� ��\�� PKCS#1-PSSe6?@$!�"��D6.

6.2 RSASSA-PSS

�� 34 Bellare-Rogaway([61])� �!�?@$!�� Probabilistic Signature Scheme(PSS)��(bc��!/"0�&��N6��56�� RSA�� +�%& PKCS#1 v2.1(Draft)� �� PKCS#1-PSS%&?@$!�"��D6 [15]. 134כ�� salt-��N6��56#7��(bc��[!� -��(� �(.*��+�%&>!��l+�%&,-$!�2/(� ��G,,(��+1כ��D6.

RSASSA-PSS��\�e6R,S �� +�%& P1363a� ��?@$!�� \�e6R,S �� (bc�� EMSA4X��)56kl �>��+>��R,S�� (bc��!/"#��( EMSR3(6.36�))� ��>��"��\�#� �a@��C�e6 null-string��(1כ�/��)56D6.

• Parameter :

– Hash : Q��9U�� hLenf6��F1��(!��;< (SHA1��;�).

– MGF : Mask Generation Function.

– sLen : salt� octet��.h&)�� hLen��~�O6 0.

• INPUT :

– M : message to be signed.

– salt : salt value, an octet string of length hLen.

– emBits : maximal bit length of the integer OS2IP(EM). (emBits ≥ 8hLen + 8sLen + 9,��?@%&PKCS#1-PSS� �� emBits = modBits − 1��D6.)

• OUTPUT : EM : encoded message of length emLen = �emBits/8� octets.

• STEPS : (LM�� 15)*+n>).

1. mHash = Hash(M).

2. salt : sLenf6��F1��!�;<%�)"�#� �.

3. M′ = [ 0x00 00 00 00 00 00 00 00 || mHash || salt ].

4. H = Hahs(M′)5. PS : emLen − sLen − hLen − 2f6��F1� ‘0x00’-f6��F1%�)"�#� �.

6. DB = [ PS || 01 || salt ].

7. dbMask =MGF(H, emLen − hLen − 1).


9. maskedDB∗ : maskedDB�.;��# 8emLen − emBits'�F1-�� ‘0’+�%&z@ABS��+D6.2DER (Distinguished Encoding Rules) � �� + 134כ� RSA lab.� “A Layman’s guide to a subset of ASN.1, BER and DER (B.S.

Kaliski Jr.)”��)*+n> [56].

27

Hash

Hash

MGF

M salt

mHash

HdbMask

maskedDB* H bc

maskedDB

DB = padding 2 || salt M' = padding 1 || mHash || salt

T =

LM�� 15: PKCS#1-PSS��(bc��

10. EM = [ maskedDB∗ || H || 0xbc ].

• PKCS#1-PSS��ASN.1 syntax

RSASSA-PSS-params ::= SEQUENCE {

hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}}

DEFAULT sha1Identifier,

maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}}

DEFAULT maf1SHA1Identifier }

6.3 EMSR3

P1363a� �� 56(.��>��R,S�� #��+��(bc��!/"0�&(Encoding Method for Signatures withMessage Recovery)8�9� �� EMSR334 Bellare-Rogaway� PSS-��f6:/"+�%&��+��[!� -��(��(bc��!/"0�&+�%&ISO/IEC 9796-2�a@z@C��\�#� >�� ̀R$��d�e6��+1כ��D6 [5].

EMSR334 a@z@C�-��D6��/�' -��(bc��56#7T-��>!�;��vw,��-�� ;< f%&*+(�56#7Raw RSA signing��;<&':��+D6.a@z@C�M34 >��e6R$��+M1/�>��;<%�T��M2%&O6P<#$��D6.

• Parameter :

– Hash : Q��9U�� hBits'�F1��(!��;<.h&)�� SHA1��O6 RMD160��N6��+D6.

– MGF : Mask Generation Function. h&)��MGF1��N6��+D6. (MGF1� ��N6��56��!��;<��(bc�� N6��56��!��;<X�' -34 ��1��N6כ��+D6.)

– saltBits : salt� bit��.h&)�� hBits��~�O6 0. (�� [!� -��(� �(.*��6?�(�*) �� -��(� �(.*��+�%&56��J<�� saltBits = 0��);<=>��D6.)

• INPUT :

– l : maximum bit length of T (|n| − 1 bits).

28

– M1 : recoverable message bit string of length m1Bits bits.

– M2 : un-recoverable message octet string of length m2Len octets.

• OUTPUT : f : integer of bit length at most l where f ≡ 12 mod 16 or ‘error’.

• STEPS : (LM�� 16)*+n>)

Hash

Hash

MGF

M1M1

M2M2

saltsalt

H2H2

HH

dbMaskdbMask

maskedDB*maskedDB*

HH

bcbc

maskedDBmaskedDB

DB = S || 1 || M1 || saltDB = S || 1 || M1 || salt

M' = C1 || M1 || H2 || saltM' = C1 || M1 || H2 || salt

T =

LM�� 16: P1363a EMSR3��(bc��

1. saltBits'�F1��!�;<%�) salt"�#� �.

2. C1 = I2OSP(m1Bits, 8), H2 = Hash(M2).

3. M′ = [ C1||M1||H2||salt ].

4. H = Hash(M′).5. S : 8�l/8� −m1Bits− saltBits − hBits − 9'�F1 ‘0’-'�F1%�)"�#� �.

6. DB = [ S||1||M1||salt ]. (#7�̀�� ‘1’34 1'�F1��D6. dbBits = 8�l/8� − hBits − 8)

7. dbMask =MGF(H, dbBits).


9. maskedDB∗ : maskedDB�.;��# 8�l/8� − l'�F1-�� ‘0’+�%&z@ABS��+D6.

10. T = [ maskedDB∗||H||0xbc ].

11. f = OS2IP(T).

• Remarks (LM�� 16/� 15�'�()).

– EMSR3� ��a@z@C� M�� M1,M2%&O6P<#$�� /� �� M1��>��;<��=>��56

�$�D6.q6Z6��M1�� empty string+�%&�<J+( EMSA4e6"kl134כ�� 6.26�)� PKCS#1-PSSX��)56D6.

29

6.4 DSA

DSA(Digital Signature Algorithm)��[�%&'<<(!/"�� +�%&C� ��"��+��JK&%�+1כ��$##� ��;!�34;<.��?@�#$yl��$!�2/(� �� ̀�.�+�%&.��(.��D6 [13, 14].JK��+�� Fp�� 0\�� p−1� ��;<%&��#$��(.JK��+��N6��c<<(;!�34 T>�< p-��0�&+�%&56��modular

<<(;!�+�%& ��#$%�(D6. ��;!� 34;< .��?@[.� JK��+�� ?�@�45a#�� F×p = Fp − {0}��Z6(. �� AB, �� ]̂a ∈ F×pX1כ�� x*,(~��m?@?�@��+ b = ax mod p� 34!��, (a, b)>!�+�%&\�� x-��56��.��?@%&��349!�x�#$yl*� .��?@� LMB��+D6. RSA��e6 ��;<�?�@�4534 a�J<��C�>!��.�34%&�< ]̂;<�?�@��(;<#� !�56�� ]̂��(;<#� !�.��?@e6a�J<#$yl*� � �1כ��56��1כ��, DSA�� a-�� x*,(~��m?@?�@56134כ�� C�>!�LM�.�34!/"�@", (a, b)%&\�� x-��56��;!�34;<.��?@e6a�J<#$yl*� .1��D6כ��56��1כ��;!� 34;< .��?@� #$yl��34 f6:/"�� "�� ]̂;< p� E��̀e6 n��;<�� #$yl��%�(D6. )��x� DSA�� pe� >!�

�6©�Z6 p − 1� ]̂��(;<� E��̀� q6Z6�� $!�2/(� �� D6t1�: "��VW, ��?@� Y6Z6[�� ]̂;< p� E��̀-��L = 512 + 64i (i = 0, · · · , 8)'�F1%&56(. p − 1��O6P<�� ]̂;<Y6Z6[�� q�E��̀-�� 160'�F1%&(. ��56#7N6��+D6 (=>a@��(Y6Z6[�� p, q�"�#� �34 \�� B.16�))*+n>).

qe6 p − 1��O6P<��%&JK��+��?�@�45a#� F×p� ��#;<e6 q��(\�#� a#��7� ��+D6.LM8�9��+��]̂-��%&?�oZ6�� ̀] ��]̂ g%&(. ��+D6.LMy$J+( g��#;<e6 q��( F×p�\�#� a#��"�#� �� D6. (p, q, g)-��=>a@��(Y6Z6[��Z6(.56#7 DSA-��N6��56��T>;��N6��g6��(. �� =>a@��(Y6Z6[��-�� (.��D6(.e6 ��+D6. ��;!�34;< .��?@� #$yl�� 56ylJ+( ��N6��g6�� %& �G��(H� x-�� 1 < x < q� ��;<%& (.t1(., !"�GH� y = gx mod p-��;!�56#7 !"�G56J+(�� D6. (g, y)%&\��G��(H� x-��34!;�� 134כ��56�;<.��?@��(.q6Z6��a�J<#$yl*� .��?@e6"#$��)�.� -�+�%&��;<e6%�T1כ��Z6(.e6 ��!�=>{<!/"56D6.LMy$J+(a@z@C�M� 34��+�� (r, s)��D6��/�' -��+D6.J<,,( 0 < k < q��(�!�;< k-��"�#� �56#7D6��

��;!��+D6.

r = (gk mod p) mod q,

s = (k−1(SHA1(M) + xr)) mod q.

��AB>!��) r��O6 se6 0��J+(�G%&*� k-��"�#� �56#7D6��#��;!��.�>��56#7�� (r, s)-��+D6..;�34!/"+�%&\�� !*<34 a@z@C�� 34 D6��/� ' -�� #$%�(D6. J<,,( .;�34!/"� !"�GH� ye6

1/� ge6�6©�kl 〈g〉��]̂��(C��(��+D6.��, 2 ≤ y ≤ p − 1, y � g��(. yq ≡ 1��(��+D6.��8�9#$m�56O6Z6=>��("C�� ,+�J+(��f6W4 !"�GH�e6�6©�D6. ye6� ��"J+(D6��/�' -�� (��+D6.

u1 = (SHA1(M)s−1) mod q,

u2 = rs−1 mod q,

r ?= (gu1 yu2 mod p) mod q.

• DSA�� ASN.1 syntax

Dss-Parms ::= SEQUENCE {

p INTEGER, -- odd prime

q INTEGER, -- prime factor of p-1

g INTEGER -- generator, gˆq = 1 mod p

}

Dss-Sig-Value ::= SEQUENCE {

r INTEGER,

s INTEGER }

DSAPublicKey ::= INTEGER -- public key, Y

6.5 KCDSA

KCDSA(Korean Certificate-based Digital Signature Algorithm)�� +%&' �� +�%& �� 8�9��( �� (.*��+�%&DSAX�s6J.�e6C�%&JK��+��;!�34;<.��?@�#$yl��$!�2/(� �� ̀�.�+�%&.��(.��D6[22].

30

KCDSA�$�� DSAX�s6J.�e6C�%& ]̂;< pe� >!��6©�Z6 p − 1� ]̂��(;<�E��̀� q6Z6��$!�2/(� ��D6t1�:�� D6. KCDSAY6Z6[�� L = 1024 + 256i (i = 0, · · · , 4)'�F1 ]̂;< pX� p − 1��O6P<�� 160 + 32 j ( j =0, · · · , 3)'�F1 ]̂;< q� 34!��, Fp��]̂8�9� �#;<e6 q��(��]̂-��56O6?�oZ6�� gZ656#7�#;<e6 q��( F×p�\�#� a#�� "�#� ��+�%& ��+D6. �� AB, small subgroup !"�X�� M��̀�#56#7 (p − 1)/2q�� ]̂;<��~�O6 -�#$=>]̂��(;<��T>�< qh&D6��p��+D6 ([81],=>a@��(Y6Z6[�� (p, q, g)�"�#� �34 \�� B.26�))*+n>).LMy$J+(N6��g6��34 T>�<' -34 =>a@��(Y6Z6[��%& (p, q, g)-��e6C�(.,��g6�G��(H� 0 < x < q-��,,(aF�56

#7 !"�GH� y = gx−1(mod p)-�� ;!�56#7 !"�G��+D6. #7�̀�� x−1�� Fq� ��]̂%& x−1 (mod q)%& ��;!��+D6.

LM*�(. KCDSAe6 DSAX�D6W4 -�34 b-��!��;<��E��̀('�F1)Z6(.��AB,�� g6� !"�GH� y� 34��+ z = y (mod 2b)e6N6��g6�Y6Z6[�� |�� D6.#7�̀��!��;<�� q�E��̀��56�Q��9U��4��!��;<-��N6��56��VW,�� ($!�)� �� HAS160��N6��56=>��(.56(.��D6 (LMy$O6 SHA1�N6��=>�� .h&��(D6)&%�+1כ��a@z@C�M� 34��+�� (r, s)��D6��/�' -��+D6.J<,,( 0 < k < q��(�!�;< k-��"�#� �56#7D6��;!�

��+D6.

r = H(gk mod p),

s = x(k − r ⊕H(z||M)) mod q.

��AB, gk mod p�� ;<��%&'�F1%�)%&*+(�56#7!��;<� ��&9U��56(., r34 '�F1%�)%&��;��+D6.�>��+ s-��AB, M��'�F1%�)��6©�J+('�F1%�)%&*+(�56(. r ⊕H(z||M)34 '�F1%�)%&��;!��+W�D6�� ;<%&*+(�56#7 s-��+D6.q6Z6�� 34 '�F1%�) r/� ��;< se6�� D6.#7�̀�� s = 0��J+(�G%&*� k-��"�#� �56#7D6�� (r, s)-��+D6. �#$%�( �� AB�� J<,,( �� g6� ��(��-�� (56#7 !"�GH�-�� E(. LM%&\�� z = y

(mod 2b)-�� ;!��+D6. LM*�(. r� ��e6 !��;<� ��X� ' -(. 0 < s < q�� (��+ W�� D6��56#7 �� +D6. �� AB=> "�#� �� ABX�s6J.�e6C�%& "�+��Sכ( ��J< ��;<%�)/� '�F1%�)��%&*+(�� D6.

e = (r ⊕H(z||M)) mod q,

w = ysge mod p,

r ?= H(w).

160'�F1�(. �� E��̀� q-��Y6Z6[��%&' &�� DSA��!��;<%& 160'�F1Q��9U��' &�� SHA1��N6��56��.�J+(� , KCDSA�� 160, 192, 224, 256'�F1�$��D6��+E��̀� q-��Y6Z6[��%&e66�);<��(. q�E��̀��56�Q��9U��' &��!��;<-��N6��56=>��56(.��D6.�� 160'�F1�Q��9U��' &��!��;<>!�� "#$ ��+��%& =;�#� 8!�34 q� E��̀� .;�� %�T�� HAS160�� N6�� &%�+1כ� h&��(D6. 160 '�F1�q-��N6��56��J< DSAX�'�()PFQ��AB,�� "�#� �/� ��LMB=>e6~��' -D6 [82, 21].

• KCDSA��ASN.1 syntax

KCDSASignatureValue ::= SEQUENCE {

R BIT STRING,

S INTEGER }

KCDSAParameters ::= SEQUENCE {

P INTEGER, -- odd prime P=2JQ+1

Q INTEGER, -- odd prime

G INTEGER, -- generator of order Q

J INTEGER OPTIONAL, -- odd prime

validationParms ValidationParms OPTIONAL }

ValidationParms ::= SEQUENCE {

Seed OCTET STRING,

Count INTEGER}

KCDSAPublicKey ::= INTEGER -- public key Y

31

6.6 DSA:� KCDSA��'�BC

Y6Z6[�� !"�GH� �G��(H� �� ' כ !��;<

p : 512 + 64i (0 ≤ i ≤ 8)DSA q : 160 y : � p x < q (r, s) : 320 SHA1

g : � p (y = gx mod p)p : 1024 + 256i (0 ≤ i ≤ 4)

KCDSA q : 160 + 32 j (0 ≤ j ≤ 3) y : � p x < q (r, s) : |h| + |q| HAS160g : � p (y = gx−1 mod p) (SHA1)

�� 7: DSAX� KCDSA�H��('�F1)

k��%&,,(aF�56��!�;<%&'��)%&JKC�!��p56��;<��D6.!��;<��-�� b'�F1Z6(.56J+(,KCDSA� �� g6� !"�GH� y� 3456#7 z = y mod 2b-��56#7N6��g6�Y6Z6[��1כ��56�| �

�� DSAX�D6t1D6. KCDSA�� ̀] -�+�%& HAS160��!��;<%&N6��56=>��(.56(.��+�O6, SHA1/�=>N6��e6R$��h&��(D6&%�+1כ�� (KISA� �� KCDSAwithSHA1� 34��+ OID=>!*<�6j��.;�§��).

�� "�#� � ��

k ∈r {1, · · · , q − 1}DSA r = (gk mod p) mod q r ?

= (gs−1H(M)yrs−1 mod p) mod qs = (k−1(H(M) + xr)) mod qk ∈r {1, · · · , q − 1}

KCDSA r = H(gk mod p) r ?= H(ysgr⊕H(z||M) mod p)

s = x(k − r ⊕H(z||M)) mod q

�� 8: DSAX� KCDSA�� "�#� �/��

�� 7�� (��*� ��

!"�GH� ��/>�� (.*��34 '��)H� ��/>�� (.*�� '�!��/>��8!�� a�J<�>�� -)*��%&��?@�VW��Q6-�� !"�GH��/>�� (.*��+�%&2/(LM�56�̀��#$yl*� ��)��D6.LMy$O6'��)H�� (.*��+�%& ��/>��-�� 56�̀�#!�� )��(56(. �� %&e6 T6�>!�� (.�� '��)H�-�� e6C�(. ��#$�p ��+D6��

2/(?@n>Fp(��"��!<��1כ��.S56D6כ(��H��̀�#56#7'��)H�� (.*��+�%&��?@VW��Q6-��/>��-��56C�>!��-��#��+'��)H�� !"�GH�� (.*��+�%&��%&()�56�:�� D6.��AB,()�"��'��)H�e6��?@�VW��-��/>��ABN6��56��'��)H��(��J<�� RSAX�' -34 !"

�GH� ��/>�� (.*��+�%& '��)H�-�� 2/(LM�� ;<=> ��D6 (key transport : 10.16�)� !"�GH� ��-�� + key wrap)*+n>).LMy$O6134כ�� )��(56��+f�� )!/" -�+�%&'��)H�-�� 56��9!� -��+��%&Diffie-Hellman� �(.*��$��56#7��%&.;�34!/"� �:"� +��Sכ(��h&-��()�56#7 Shared secret-��"�#� �56��!/"0�&��H�#� I�01%&2&��(key agreement scheme)��D6.��X�' -��H�#� I�01%&2&��34 Shared secret��%& agreement56��/� ��/� !"JK�� secret��56#7

"�S��+Masterכ( secret��O6 KEK(key encryption key)-��JK=>56�� Key derivation/� ��+�%&E��:O6=6�;<��D6. Shared secret��56��/� ��34 =>a@��(Y6Z6[�� 34��+N6��g6�H�-��(. ��H�-��N6��56��C�,I�J34 ��H�-��"�#� �56#7N6��56�� C��$�� q6Z6��_!�e6C�!/"#��+�%& O6Y�#$�� "#$��D6.LMy$O6 Mastersecret/KEK-��"�#� �56�� (.*��34 �� , X9.42, RFC 2631, P1363, P1363a��O6 SSL, IPSec�$��G0!)01%&2&�� q6Z6T>�<!/"0�&��D6t1D6.��H�I�:56#7"�#� �� Master secret/KEK��?@VW��-��56(.MAC��"�#� ��;<��'��)H�

��JK=>56��/� ��(96�)�H�JK=>��;<� ��g6z@x� �̀6̂�)��O6 CEK(content encryption key)-��56#72/(LM�56��/� ��(10.26�)� key wrapping algorithm� ��g6z@x� �̀6̂�)�$��)��!��?@�� N6�� D6.

32

H� #� I� 01%&2&��%&�� %& Diffie-Hellman Key Agreement Scheme/� Q6�� !',,( Diffie-Hellmanscheme+�%&�� D6 [1, 45, 4, 3]. Diffie-Hellman!/"#��34 DSA/KCDSAX�s6J.�e6C�%&JK��+��;!�34;<.��?@�#$yl��$!�2/(� ��f6:/"+�%&��+H�#� I�!/"#��D6.�� "#$��!/"#��34 \�� C6�)� ��89g6z@x�D6��(.,] 6�)� ��D))*�}��34�� -��( Diffie-HellmanH�#� I�01%&2&��# �%&C�) ��56�̀%&��+D6.

7.1 @A��!"+$��

Diffie-Hellman� �(.*�� => ��;<X� octet string��%&*+(�!� ��;<��"�.S56D6כ( S/MIME�RFC 2631/� P1363� �� PKCS#1� ��X�' -34 I2OSPX�OS2IP-��N6��+D6 (5.16�))*+n>).LMy$O6 X9.42� ��D6>!� ��;<-�� octet string+�%&*+(��AB PKCS#1/��Q �*��-��C� ��56C�� ,(.u2]̂��+�e6R$��+��%&*+(�56��;< oct-��N6��+D6.��-��J+(

oct(19114957) = 0x 01 23 AB CD

X�' -D6.�� 256l−1 ≤ Z < 256l��J+( lf6��F1 octet string+�%&*+(�� D6.

7.2 Diffie-Hellman7$8$9�!"

DHR,SH�#� I�01%&2&�� N6��56��Y6Z6[��E��:�<��%&O6=6�;<��D6. 5̂1B̈�� PKCS#3 [16]O6Oakley group [42]�$�� N6��&%�+1כ��56 ]̂;< pX� �̀] ��]̂ g,LM*�(. optional56�: U�L$�<<(;!��!�� #!� exponent�'�F1;<-��?@��+56�̀�#��+ ExponentBits%&�� D6.

PKCS3DHParameters ::= SEQUENCE {

p INTEGER, -- odd prime

g INTEGER, -- base

ExponentBits INTEGER OPTIONAL }

��J<$!�2/(� �/��!�� X"Y��);<��=>�� OakLey group� �� p = 2q+ 1 (p, q��T>�< ]̂;<)R,S§�� ]̂;<X� �̀] �� g = 2-��N6��;<��D6 (Oakley group34 �/".;� 2e6�#;< q-��e6C�kl, p = 11 mod 24-��>!��56�� ]̂;< p = 2q + 1� 34!��/".;� 2e6 F×p�"�#� �� D6.56�W ��i,(R,S§�� ]̂;<-��"�#� �56��VW�� .;�=;��+ % ,34 ��8!�� Sכ̂[D6). �>��+ gr mod p-�� ;!�� AB r34 ExponentBits '�F1 E��̀%& CDj3]�56�:"�#� �� D6.��+\Z( DHY6Z6[��%& DSAO6 KCDSA� ��X�' -34 p, q, g (q|p − 1, gq = 1 mod p)-��N6��;<=>��D6.

X9.42e6��i,(JKR,S� DHY6Z6[��-��N6��56(.��VW, subprime q�E��̀�� 160'�F1��.;��N6��56=>��(.56(.��D6.

X9_42DHParameters ::= SEQUENCE {

p INTEGER, -- odd prime p=jq+1

g INTEGER, -- base of order q

q INTEGER, -- subprime q

j INTEGER OPTIONAL, -- cofactor j=(p-1)/q

validatioinParms ValidationParms OPTIONAL }

ValidationParms ::= SEQUENCE {

seed BIT STRING OPTIONAL, -- seed for prime generation

pGenCounter INTEGER OPTIONAL } -- parameter verification

�� JKR,S� DH Y6Z6[��-�� N6��56�� J<�� exponent <<(;!�34 �/".;� mod q%& ��#$kl, cofactor j =(p − 1)/qe6 qh&D6 ��34 ]̂;<-�� |��56�� J< small subgroup attack� UV�� ;< ��D6 [81]. vw6̂�56��MQVH�#� I�!/"#��34 ��i,(JKR,S�Y6Z6[��>!��N6��;<��D6.

7.3 Diffie-Hellman(��*� ��

�� (��1 h&$!� �� 34\�#� Oakley group�� DH Y6Z6[��%& N6��56#7 e6�;� 8!�9!��+ Static-Static DH��O6 Ephemeral-Ephemeral DH!/"#�� %&��+D6.LMy$O6 DHR,S�H�#� I�!/"#��e6

33

�;�|+�� -�+�%&g6z@x�� +%&'?@�� 34 ANSI X9.42%&��(��1�� =>�� C�� -� -��e656(.��D6.#7�̀��=> X9.42-��f6:/"+�%&D))*�N6��"��34�� -��( Diffie-Hellman!/"#�� ̀6̂�56�̀%&��+D6. X9.42� �� p�'�F1��-�� 256�I�;<%& 512��.;�+�%&C�) ��56(., p − 1��O6P<�� ]̂;< q� '�F1��-�� 160��.;�+�%&C�) ��D6W4�1��XAכ�+��?@��+��%�TD6 (=>a@��(Y6Z6[�� (p, q)�"�#� �34 \�� B.36�))*+n>). �̀] ��]̂ g��34\�#� ��J< F×p� ��#;<e6 q��(CDj3]��+��]̂%&,,(aF��+D6.N6��g6� !"�GH�/�G��(H�Z;�34 E��: !"��(�� CA%&\��(��-��!*<�6 N6��56��(. ��H� Z;�/�� 01%&

2&�� "��56#7 �#�":� q6Z6CDj3]�56�Sכ(N6��56��H�Z;��D6.#7�̀��N6��g6 i�(. ��H�Z;�/��H�Z;��D6��/�' -34 �̀��%&N6��56�̀%&��+D6.

• Static private/public key pair: (xi, yi) such that xi ∈ [2, q) and yi = gxi mod p.

• Ephemeral private/public key pair: (ri, ti) such that ri ∈ [2, q) and ti = gri mod p.

vw6̂�56�� Diffie-HellmanH� #� I�!/"#�� (. �� DHY6Z6[�� (p, q, g)X��(�� $��)��!� ��(�� .;�34!/"�(. ��H��$�34 T>;��N6��g6�� (.��D6(.e6 ��+D6.

7.3.1 Static-Static DH

N6��g6 A N6��g6 B

xA ∈ {2, · · · , q − 1}yA = gxA mod p

xB ∈ {2, · · · , q − 1}yB = gxB mod p

Z = yxAB mod p Z = yxB

A mod p

#7�̀��N6��"��H� (xi, yi)��N6��g6 ie6CA(Certificate Authority)%&\��0?3 G@!*<34 ��(�� |��"#$��(. ��H��D6.q6Z6��N6��g6��34 H�-��"�#� ��"�1��6כ��56 �:H�-��2/(Q�Se6%�T(.,.;�34!/"כ(©�Z6��(��>!�2/(Q �56J+(�� D6.q6Z6��!/"#��34 N6��g6��8!��)��(��"�+��!S%�T��e6�;�8!�9כ( DHR,SH�#� I�!/"#��O6,�/".;�(. ��H�-��N6��56��%& Shared secret�$��/".;��)56D6.34\�#� ��?@��01%&2&�� z@,+(8�9��%&()�"�� timestampO6 random number, counter�$�� time-varying parameter��56#7�� Shared secret+�%&\��Master secret��O6KEK-��"�#� ��+D6.LMy$O6 Perfect ForwardSecrecy (PFS:��2/(� Shared secret��«>Q��"89Z6=>LMvw�H�#� I�/� �� E��z@,+(H��$!�2/(� �� @"��[�E�);<%�T#$�p��+D6�� 6�))e68�9כS��+�� N6��56C�� ,�6�p��+D6.

X9.42� dhStatic scheme, RFC 2631� Static-Static DH, SSL/TLS ciphersuite 8�9� �� SSL DH ...O6TLS DH ... �$��H�#� I�!/"#�� !�=;�� D6.

7.3.2 Ephemeral-Static DH

N6��g6 A N6��g6 B

rA ∈ {2, · · · , q − 1}tA = grA mod p

xB ∈ {2, · · · , q − 1}yB = gxB mod p

−−−−−→tA

Z = yrAB mod p Z = txB

A mod p

Ephemeral-Static DH��LM�/;<��(g6��$��D6t1D6.;<��(g6��(. ��H�>!��N6��56��%&LM��(g6��;<��(g6� !"�GH�-�� ;<��(g6��(��%&\�� E��;<��(.,LM��(g6�� )��(��AB s6D6��H� (r, t)-��"�#� �56#7;<��(g6� �:h&:;�D6.q6Z6��;<��(g6��8!�6�& -�+�%&��(��e6R$�56O6LM��(g6��(�� ̀R$�34 2/(��%�TD6.

34

��!/"#��34 '��LM��(g6��(�� ̀R$�34 %�TC�>!�a�*,(��%&D6W4 !"JKH�-��"�#� ��;<��(.,�>��+ !"�GH�� =>��+ ;<��(g6>!�� !"JKH�-�� ;!�56#7a@z@C�-��k�� ;<��:56��%& e-mail securityX�' -34 ��)!/"�@")��(� -��[��+!/"#��D6. RFC 2630 - Cryptographic Message Syntac(CMS) [44] -� q6t1J+( CMS-��56��J<H�()�� (.*��+�%&�.�U�� Ephemeral-Static DH-��56=>��"#$��D6.

RFC 2631� Ephemeral-Static DHX� SSL/TLS� ciphersuite8�9� ��;<��(g6(��$)e6(. ��H�-��N6��56�� SSL DHE ...O6 TLS DHE ...�$��H�#� I�!/"#�� !�=;��+D6.

7.3.3 Ephemeral-Ephemeral DH

N6��g6 A N6��g6 B

rA ∈ {2, · · · , q − 1}tA = grA mod p

rB ∈ {2, · · · , q − 1}tB = grB mod p

tB←−−−−−−−−−−→tA

Z = trAB mod p Z = trB

A mod p

Ephemeral-Ephemeral DH��<N6��g6T>�<��H�>!��N6��56#7a�*,(CDj3]��+ !"JKH�-��"�#� ��+D6.LMy$O6N6��g6��(�� ̀R$��2/(��%�T+��%&��01%&2&��g6��>!�+�%&�� 2/(��+H�#� I�-��;<��%�TD6.34\�#� ��J< ��C�T?3�� 56#7 ��%&()�"�� a@z@C�-�� 56#7h&�4�� (�� ̀R$�� *)�[��N6

��+D6.��?@%& Oakley key determination protocol [42], IPSec� Internet key exchange (IKE) [41], SSH

[52] �$� 34\�#� � ��(��1 �� ̀ O6��34%&� ��(��!/"0�&/� �� Ephemeral-ephemeral DH-��N6��56(. ��D6. �>��+ SSL/TLS� ciphersuite 8�9� �� n��Z6��<,(F1X� ��$ T>�< (. ��H�-�� N6��56C� � ,��SSL DHE ..., TLS DHE ...��O6 DH anon ...=>#7�̀� !�=;�� D6. X9.42� dhEphem scheme34 =>a@��(Y6Z6[�� (p, q, g)=>��%&"�#� �56#7N6��56C�>!�34\�#� ��(��1�� 01%&2&�� (. ��=>a@��(Y6Z6[��-��N6��+D6.

7.3.4 MQV1

MQV� �(.*��34 Menezes-Qu-Vanstone� ��+ DH� �(.*��;< �� (.*��D6.

N6��g6 A N6��g6 B

xA, rA ∈ {2, · · · , q − 1}yA = gxA mod ptA = grA mod p

xB ∈ {2, · · · , q − 1}yB = gxB mod p

−−−−−→tA

t̄A = (tA mod 2w) + 2w

sA = (rA + t̄AxA) mod qZ = ysA

B mod p


Z = (tAyt̄AA )xB mod p

�#� �� q�'�F1;<-�� |q|Z6(.��AB, w = �|q|/2��D6. MQV134 Ephemeral-Static DH� ��LM�/;<��(g6e6�#� "#$�� 1-pass01%&2&��%& e-mail/�' -34 �� -��[56D6.LMy$O6 Ephemeral-Static DH/��Q �*�LM��(g6��(. ��H�/��H�Z;��T>�<N6��56#72/(LM� ��h&�� Shared secret��"�#� �56kl,;<��(g6��LM��(g6%&\��!*<34 2/(LM� ��h&X�g6��(�(. ��H�>!�+�%& Shared secret��56�:�� D6.q6Z6��a�*,(��%&D6W4 CDj3]�

35

��+ Shared secret��;<��e� >!��6©�Z6�<N6��g6e6T>�<(. ��H�-��N6��56��%&Z;�!/"��%&-��(��;<��D6��;� -��D6.

7.3.5 MQV2

N6��g6 A N6��g6 B

xA, rA ∈ {2, · · · , q − 1}yA = gxA mod ptA = grA mod p

xB, rB ∈ {2, · · · , q − 1}yB = gxB mod ptB = grB mod p

tB←−−−−−−−−−−→tA


sA = (rA + t̄AxA) mod qt̄B = (tB mod 2w) + 2w

Z = (tByt̄BB )sA mod p

t̄B = (tB mod 2w) + 2w

sB = (rB + t̄BxB) mod qt̄A = (tA mod 2w) + 2w

Z = (tAyt̄AA )sB mod p

MQV2�� Ephemeral-ephemeral DH� �� < N6��g6e6 T>�< )��(�� )��!� �� !"�GH�-�� ()�56��2-pass01%&2&��D6. LMy$O6 Ephemeral-ephemeral DH/�� Q �*� �< N6��g6 T>�< (. ��H�=> �� N6��56#7 Shared secret��"�#� ��+D6.q6Z6�� PFSX��(��̀R$��T>�<' &(.��01%&2&��D6.

7.4 Shared secretD=��34!"Master secret��

Diffie-Hellman� �(.*��I�J34 MQV� �(.*��+�%&\�� Shared secret Z-��56J+(1כ��+�%&\��MastersecretI�J34 Key encryption key (KEK)-��JK=>56��VW, X9.42, RFC 2631, P1363, P1363a(D6)�$�T>�<JK=>!/"0�&� r6��e6��D6 [1, 45, 5]. RFC 263134 X9.42� f6:/"��j1כ��+�%& �̀] � �(.*��/�Y6Z6[��"�#� �\�#� 34 ' -C�>!� Shared secret+�%&\�� KEK-�� JK=>�� AB "�+��Sכ( OtherInfo8�9 X9.42� ��,,(aF�+�%& j�� _!�_!� field-��.�U��|��56=>��56(.,�>��+_!�_!� field��34 .��?@56�$�D6.LM*�(. X9.42� �� OtherInfo�� field-��LM34%&<<(6�&56C�>!� RFC 2631� ��-��DER��(bc��+' �56��N6כ�� -��D6t1D6. P1363� �� )�.� -��( KDF1�� 56�$�(., P1363a� �� KDF2-�� N6��56#7 Shared secret+�%&\�� Mastersecret��JK=>��+D6.

7.4.1 X9.42

X9.42� �� Shared secret Z-�� octet string ZZ%& *+(��AB, u2]̂��+� e6R$��+ ��%& *+(�56��

ZZ=oct(Z)-��N6��+D6 [1] (D6W4 !/"#�� I2OSP��;<-��56#7��) ��(p��)� octet string+�%&*+(��+D6). X9.42� ��JK=>��H��H�JK=>��;<��&9U�+�%&N6��"�� AlgorithmID� �!��*) �� D6.AlgorithmID�� (.*�� kBits'�F1�H�-��"� '�/��S%&��+D6J+(,D6כ(-��"��S��+>!��$Kכ( Ki��<<(

6�&56#7.;��# kBits-��UV56#7Master secret K%&Q��9U��+D6. Default!��;<�� SHA1��D6.

Ki = H(ZZ||OtherInfoi),K = [K1||K2|| · · · ]�.;��# kBits'�F1.

#7�̀�� Counteri�� i-�� 32'�F1%& ��+ 1��klכ� (e.g. Counter1 = 0x00000001), OtherInfoi�� D6��/�' -�� #$%�(D6:

OtherInfoi = [AlgorithmID||Counteri||partyAInfo||partyBInfo||suppPrivInfo||suppPubInfo]

36

#7�̀�� AlgorithmID�� Master secret Ke6 N6�� (.*�� OID��kl partyAInfo, partyBInfo,suppPubInfo, suppPrivInfo�$�34 T>�< ,,(aF� -�+�%& N6�� e6R$��+ ' �כ��%&, partyAInfo, partyBInfo�� party A, B� 34��+ !"�G ��h&-�� O6Q6�4(., suppPrivInfo�� f�� T>�< � �(.�� '��) ��h&,suppPubInfo��f��T>�<� �(.�� !"�G ��h&-��O6Q6:;�D6.

7.4.2 RFC 2631

RFC 2631 [45]�H�JK=>��X9.42-��f6:/"+�%&56O6, X9.42X��Q �*��.;�� #!� optional��+"�)U�� 34��+ ��+' ��56�$ ��Cכ�(.�>��+ DER��(bc��N6��56=>��56�$�D6.J<,,( Shared secret Z-��octet string ZZ%&*+(�56��VW, X9.42X��Q �*� octet��-�� pX�' -=>��!��p��+D6.��, ZZ = I2OSP(Z,pLen)e6�� D6 (>!��) pe6 1024'�F1Z6J+( ZZ�� 128f6��F1).�>��+N6��56�� OtherInfo��X9.42X��Q �*�D6�� DER��(bc��+' :��D6כ

OtherInfo ::= SEQUENCE {

keyInfo KeySpecificInfo,

partyAInfo [0] OCTET STRING OPTIONAL,

-- random sring provided by the sender

-- if provided, it MUST be 512 bits

suppPubInfo [2] OCTET STRING

-- length of the generated KEK(Key-Encryption-Key) in bits

-- as a 32 bit number. e.g for 3DES, it would be 00 00 00 C0

}

KeySpecificInfo ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

-- OID of the CEK(Content-Encryption-Key) wrapping algorithm

-- with which this KEK will be used

counter OCTET STRING SIZE (4..4) }

OtherInfoi-�� counteri-��N6��56#7 DER��(bc��+1כ��Z6(.56(., counteri-�� i-�� 4f6��F1%&��.)1��Z6כ�+��AB (e.g. counter1 = 0x00000001), Master secret K��D6��/�' -��+D6.!��;<%&��SHA1��N6��+D6.

Ki = H(ZZ||OtherInfoi),K = [K1||K2|| · · · ]�.;��# suppPubInfo'�F1.

7.4.3 IEEE P1363��KDF1E� IEEE P1363a��KDF2

IEEE P1363� KDF134 ��)�.� -��( H� JK=> ��;<%& Shared secret/� Y6Z6[�� P-�� &9U�+�%& !��;<��>!��$K�Q��9U��4��;<��D6 [4]. KDF1� N6��"��!��;<%&�� SHA1��O6 RMD160�$��D6.Shared secret34 octet string Z%&��&9U��"klDH� �(.*��+�%& !"JK�� Shared secret��JK��+��]̂��(��J< octet string+�%&*+(��+D6 (��AB octet string��JK��+��E��̀).Y6Z6[��$�� octet string P%&XA\�%&\��&9U�!*<��' ��D6.LMy$J+(Masterכ secret34 D6��/�' -��+ octet string��D6.

K = Hash(Z||P).

P1363a (Draft 6)� KDF2�� KDF1/�� Q �*� �� -�+�%& Master secret� �� 34��+ ��h& kBits-��&9U�+�%& !*<�6�� LM ��>!��$K Q��9U�56�� ;<��D6 [5] (X9.42X� RFC 2631� �� OtherInfo� Mastersecret��N6�� (.*�� AlgorithmIDe6|��"#$��#$��H��-�� +D6). KDF2�� KDF1/�s6J.�e6C�%& �#$%�(��&9U�' Shared)כ secret,Y6Z6[��)��!��56#7�56C�>!�¬6*� ��e6|��"#$!��;<�Q��9U��.;��Master secret��JK=>��;<��D6.N6��;<��!��;<%&�� SHA1, RMD160�$��D6.

Ki = Hash(ZB||CBi||PB),K = [K1||K2|| · · · ]�.;��# kBits'�F1.

37

#7�̀�� ZB, PB�� Shared secret,Y6Z6[��'�F1%�)��[�56(., CBi�� i-�� 32'�F1%& ��+'�F1%�)��D6 (e.g. CB1 = 0x00000001). LM*�(. Shared secret Z�� J,(�� I2OSP(Z, pLen)+�%& JK��+�� E��̀�octet string Z+�%&*+(�"(., Z�� octet-��LM34%& 8'�F1�'�F1%�)%&*+(�56#7'�F1%�) ZB%&>!�;��D6.

Diffie-Hellman� �(.*�� 56�� h&$!� 01%&2&��%&�� SSL/TLSX� IPSec�$�� ;< ��VW, ��$��H�-��JK=>56��!/"0�&��D6t1D6.�� 34!�� 96�)� ��D6��̀%&��+D6.

�� 8�� כ��$+��

8.1 ,-�� )��

Q6�� !',,(�� "#$��JK��+�� q6Z6��Q6�� !',,(34 ��%&D6W4 R,S§�-��' &�:"kl��!/"0�&=>r6��e6

��D6.E��:JK��+��;<(characteristic)� q6Z6��;<e6 3��.;�� ]̂;< p��)ABX� 2��)AB%&O6P<��VW, 2��)AB�� F2m��(., p��)AB��D6�� FpX� Fpm+�%&�#� ��+D6 ([2, 3, 4, 85, 91]�$�)*+n>).Fp��(��J<�� Fp��]̂-�� {0, 1, · · · , p− 1}6�&�[��]̂��(h&)�� ;<%&��;<��+�kl Fp�#� ��

N6��c<<(;!�34 p-��0�&+�%&' &��h&)��modular<<(;!�+�%&O6Q6XYZ;<��D6.LMy$O6��;<e6 2��( F2m (m > 1)��(��J<� ��LM��]̂-�� F2-��;<%&' &�� m − 1r6��56�D6�/"#��+�%&

,- ��;< ��D6.LMi,(VW D6�/"#��+�%& ��56�̀�#!�� J,(�� JK��+��-�� O6Q6�4�� ̀��X� �̀��D6�/"#��*) ��56#7�pLM� q6Z6��JK��+��]̂��!/"0�&��*) ��"��%&JK��+��]̂-��56��!/"0�&/�

LMN6��c<<(;!�34 �̀��X� �̀��D6�/"#�� !��*) �� D6.JK��+�� F2m� �̀�� D6�/"#�� ̀��(Polynomial Basis: PB)X� �� ̀��(Normal Basis: NB)%& O6Y�

��VW, D6�/"#�� ̀�� {xm−1, xm−2, · · · , 1}��JK��+�� ̀��%& .�� .1��D6כ� ��AB, JK��+�� ̀�� D6�/"#��,,(aF�� AB �/"� �G;<-�� e6R$��+ ��+ -��:56J+( JK��+�� <<(;!�� !� -�+�%& �� ;< ��+��%& �/"�� 3�G��(trinomial(xm+ xk+ 1)��O6�/"�� 5�G��( pentanomial(xm+ xk3 + xk2 + xk1 + 1)��N6��+D6.LM8�9� ��=> F2m��

�̀��( trinomial��e6C�J+(LM8�9� ��e6�;��34 k-��,,(aF�56#7 �̀��D6�/"#��+�%&.��(., trinomial��%�T��J< pentanomial� ��,,(aF�56��VW k1��e6�;��:,,(aF�56(.LMW�� r6¡�%& k2, k3-��:,,(aF��+D6.3 JK��+��]̂ a ∈ F2m�� PB� ��D6�/"#�� a(x) = am−1xm−1 + am−2xm−2 + · · · + a0 ∈ F2[x]+�%&��" 134כ��.)D6��'�F1%�) a = (am−1am−2 · · · a0)+�%&O6Q6XYZ;<��D6.3�1�4534 ��'�F1%�)� 34!�� XOR��(.,?�@�4534 �̀��D6�/"#��0�&+�%&56��modular<<(;!�+�%&O6Q6XYZ;<e6��D6. �� ̀�� F2m��+��]̂ α ∈ F2m� 34!�� {α, α2, · · · , α2m−1}e6 �̀��-��J<-��% ��+D6.1כ��

�� ̀��%&N6��AB,JK��+��]̂ a ∈ F2m�� ̀�� D6�/"#�� a = a0α+ a1α2 + · · ·+ am−1α2m−1+�%&

��" 134כ��.)D6��'�F1%�) a = (a0a1 · · · am−1)%&O6Q6XYZ;<��D6.LMy$J+(��]̂�?@?�@34 9!��̀�x�'�F1%�)��>W4 f��+�%&��+'�F14�� circular rotation561כ��+�%&��;!��a�J<��D6.LMy$O6��)�.� -��(?�@�4534 h&)��a�J< >��B 756�:"��VW, )��0!)��+��J<� �� h&)�� D6�/"#�� ̀�� ;!�h&D6 ��<�( ��!� -��(��J<e6 ��D6 (Gaussian Normal Basis:GNB). GNB� �� ?�@�4534 �̀�� D6�/"#�� + modular ?�@�45�� 56�� 1כ��6©�Z6)��0!)��+R,S§�� (.*��7� ��56#7 a�J<��!� -�+�%&��;!��;<e6��D6 (��AB�� ̀�� D6�/"#�� "�.(S%�TD6כ(Fpm34 ��)�.� -��(JK��+��-��)��BS!��q��;<��D6.��?@%& p > 3��)AB, m = 1��Z6(.56~�O6 p = 2Z6(.56

J+(� P��<��JK��+��-��T>�<|��+D6.LMy$O6#7�̀��D6�� Fpm34 Fp�JK��+��34��%&�� p > 3��(. m > 1��( ��J<>!�� q6%&"�#��+D6. 134כ�� %& �6W4 <<(;!�� A�B -�+�%& ��+ Optimal ExtensionField(OEF)-��O6Q6�4��VW, ]̂;< p-��L �� CPU�word size(32'�F1I�J34 64'�F1) ��=>%&56#7D6��<� �6�)��>!��56��J<-��[��+D6 [58].

1. p��N6Messene ]̂;< : p = 2n ± c (log2 c ≤ n/2).

2. Fp�#� �� mr6� �̀�� 2�/"D6�/"#�� xm − we67� ��+D6. 4

��y$��+ OEF-��N6��56J+( JK��+��<<(;!��!� -��(��e6R$�56(.,�>��+Q6�� !',,(� �� FrobeniusN6.;��;<��;� -��#$�� A�B!*<(.��D6.LMy$O6��Y6Z6[��"�#� �!/"0�&��O6 �̀��X� �̀��D6�/"#��,,(aF��$�� 34��+�� 6��s6B+("C�� ,34 .;�§��D6.

3FIPS 186-2/� P1363[A.8]� �� .�34%& k3-�� J,(�� e6�;� ��: ,,(aF��+ W�, r6¡�%& k2, k1�̀��%& e6�;� ��: ,,(aF��+D6. ��?@%&m ≤ 1000� 34!�� ̀��( trinomial��O6 pentanomial��7� ��+D6.

4xm − we6 Fp�#� �� ̀��)"� �SQ�9#כ(n>Fp(34 “e-�� Fp� ��#;<Z6(.��AB, m�� ]̂��(;<e6 e-��O6P<C�>!� (p − 1)/e-��O6P<C�� ,��D6.>!��) m�� 4�I�;<��)AB�� p− 1=> 4�I�;<��D6.”��D6 [79, Thm. 3.75]. q6Z6�� w-�� Fp�"�#� ��+�%&,,(aF�56(. m�� p− 1��O6P<J+( xm − w�� Fp�#� �� ̀��D6�/"#��D6.

38

Fpm ��]̂=> F2m��J<X�s6J.�e6C�%& Fp��]̂-��;<%&' &�� m− 1r6��56�D6�/"#��+�%&,-��;<��D6. Fpm��]̂ a ∈ Fpm� 34!��D6�/"#�� a(x) = am−1xm−1 + · · · + a0 ∈ Fp[x]+�%&�� D6.D61כ�� octet string+�%&*+(� 134כ��56W�� 8.3.46�)� ��D6r� D6.

8.2 ��(��כ��$+

p > 3��)AB, q = pI�J34 q = pm ��Z6(.56J+( Fq�#� �� Q6�� !',,(34 D6��/�' -34 #��+�%& �� D6.

E(Fq) : y2 = x3 + ax + b, (a, b ∈ Fq, 4a2 + 27b3 � 0 in Fq).

F2m�#� �� Q6�� !',,(+�%&��D6��N6��+D6.

E(F2m) : y2 + xy = x3 + ax2 + b, (a, b ∈ F2m , b � 0)

Q6�� !',,(34 �#�#��>!��56�� (x, y) ∈ F × F��6�&�[/��{<��+ -�(point at infinity)��Z6(.56��)��0!)��+ -� O-��|��+6�&�[��% ��+D6.

PQ

P + Q

LM�� 17: Q6�� !',,(�3�1�45 : P +Q

Q6�� !',,(�#� -��N6�� LM�� 17/�' -��3�1�45�� ;<��+�kl��AB, O��9!��#��"#$��34 3�1�45� 34��+()�a#��r� D6 (g6z@��+Q6�� !',,(� �� +�4��34 [75, 85, 96]��)*+n>)Q6�� !',,(�� + �� (.*��34 Q6�� !',,(.;�� ;!� 34;< .��?@� #$yl�� + .1��D6כ�

JK��+��;!�34;<.��?@� ��Q6�� !',,(� ��=>��;!�34;<.��?@-�� ;<��VW,1�$כ��a�J<#$yl*� .��?@%&� �yl��+�kl% ,34 N64*+��JK��+��#� ��;!�34;<.��?@h&D689#$yl*� .��?@%&"�#��56

(.��D6.q6Z6��JK��+��h&D6��<�(��34 E��̀�H�-��N6��56J+(��=>' -34 $!�2/(� ��E��;<��;� -��D6.Q6�� !',,(��;!�34;<.��?@��JK��+��X�'�L$k56�: �� D6.��Q6�� !',,(�#� -� X ∈ E(Fq)-�� m

*,(3�1�45��+ Y = mX� 3456#7, (X,Y)>!�+�%&\��m��56��.��?@e6Q6�� !',,(� ��;!�34;<.��?@��D6.JK��+��;!�34;<.��?@X�s6J.�e6C�%&Q6�� !',,(�3�1�4534 a�J<��C�>!�LM�.�34��a�J<#$yl*� .��?@� LMB��+D6.��)�.� -�+�%&JK��+��;!�34;<.��?@h&D6��Q6�� !',,(��;!�34;<.��?@e6��<�(#$yl*� .��?@%&#7~�C�(.��D6. 5

q = pm (p = 2 �>�� p > 3)��Z6(. �� AB, Q6�� !',,(� Y6Z6[��%&�� (E(Fq), n,G)e6 ��D6. #7�̀��G = (gx, gy) ∈ E(Fq)�� E(Fq)�\�#� a#��"�#� ��klLM�#;<e6 n��D6.��AB, n34 2160'�F1��.;��( ]̂;<e6

"#$�p56kl n > 4√

qe6"#$�p��+D6.LM*�(.Q6�� !',,( E��MOVn>Fp(��O6 anomalousn>Fp(��>!��56��

5JK��+�� ;!� 34;< .��?@�� index calculusZ6�� subexponential� �(.*�� C�>!�, Q6�� !',,(� �� subexponential� �(.*��6C�� ylC�C�� ,��OD6. Index calculus�!/"0�&��Q6�� !',,(� -��;<��C�>!��/� -��C�� ,��0?\�� h�D6 [97, 73].

39

!',,(��N6��!��=>$!�� D6. 6 LM*�(. m > 1��)AB, (a, b)e6 Fpmh&D6��<�(��34 \�#� ��]̂e6"J+($!�2/(

��+Q6�� !',,(��"C�� ,+��%&��!��p��+D6 (Q6�� !',,(�"�#� �34 \�� B.4.16�), B.4.26�))*+n>).LMy$J+(N6��g6��G��(H� 1 < d < n − 1-��%&"�#� �56#7, !"�GH� Q = dG-��56#7 !"�G��+D6.D6�� 9��JK��+��X�Q6�� !',,(�Y6Z6[��-��'�()!�X"c34 .1��D6כ�

JK��+��?�@�45a#� (F×p ) Q6�� !',,( (E(Fq))

a#��]̂ ��;< {1, · · · , p − 1} !/" ��#��>!��56�� (x, y)��6�&�["�#� �� g G�#;< q n<<(;!� modular?�@�45 Q6�� !',,(�3�1�45

�G��(H� x ∈ {2, · · · q − 1} d ∈ {2, · · · ,n − 2} !"�GH� y = gx mod p Q = dG = G + · · · +G (d times)

��;!�%&LM �#$%�( (g, y)%&\�� y = gx mod p-�� #$%�( (G,Q)%&\�� Q = dG-��>!��56�� x-��56�̀ >!��56�� d-��56�̀

�� 9: JK��+��X�Q6�� !',,(�Y6Z6[��'�()

8.3 @A��!"+$��

Q6�� !',,(� �(.*�� ;<X� octet string/��*+(�(5.16�), 7.16�))*+n>)e� >!��6©�Z6,JK��+��]̂X�octet string/��*+(�LM*�(.Q6�� !',,(�#� -�/� octet string/��*+(��$��"��)+*��S56D6.D6כ(��c34 X9.62, X9.63, P1363� ��T>�< -�� D6.

8.3.1 �� 1�:� octet string��

Q6�� !',,(� �� ;<X� octet stringN6��*+(�34 PKCS#1 (5.16�))/�' -34 I2OSPX� OS2IP-��N6��+D6.��-��#$

I2OSP(19114957, 6) = 0x 00 00 01 23 AB CD,

OS2IP(0x 01 23 AB CD) = 1 ∗ 2563 + 35 ∗ 2562 + 171 ∗ 256 + 205 = 19114957.

8.3.2 '�<=��E� octet string��

t'�F1�'�F1%�)�� octet string+�%&*+(�(BS2OSP)��AB�� l = �t/8�f6��F1� octet string+�%&*+(�� D6.J<,,( 8l− t'�F1� ‘0’-'�F1%�)��*+(�56(.g656��'�F1%�)�� f�� _��56#7'�F1;<-�� 8�I�;<e6"=>��>!��#$�� 8'�F14�� 1 octet%&*+(��+D6.�.�34%& lf6��F1� octet string��'�F1%�)%&*+(�(OS2BSP)��AB��*+(�"�� t-��C� ��56#7*+(��+

D6.��AB� t�� l = �t/8��>!��56#7�p56(. octet string�u2.;��#f6��F1�.;��# 8l− t'�F1�� ‘0’-'�F1%�)��#$�p��+D6.��n>Fp(��>!��56J+(u2.;��#f6��F1��.;��# 8l − t'�F1-��?@XA56(.O6k$C�'�F1-��'�F1%�)%&f6ª�(.O6k$C�f6��F1��34 LM34%& 8'�F1�'�F1%�)%&*+(��+D6.

8.3.3 �� 1�:�'�<=��

��;<-��'�F1%�)%&*+(�56ylJ+(*+(�"�� t-��C� ��56#7*+(��+D6. ��;< x-�� t'�F1�'�F1%�)%&*+(�56ylJ+( x < 2t-��>!��!��p56(. x-��D6��/�' -��%�(2/(�G��+D6.

x = xt−12t−1 + xt−22t−2 + · · · + x0, xi ∈ {0, 1}.LMy$J+( I2BSP(x, t) = (xt−1xt−2 · · · x0)��D6. ()*+(. : I2BSP(x, t) = OS2BSP(I2BSP(x, �t/8�), t))'�F1%�)�� ;<%&*+(�56�� BS2IP��#��;<��$��;<��D6.

6Q6�� !',,(�� supersingular !',,(��J+( MOV !"�X��e6R$�56kl anomalous !',,(��J+( Smart, Semaev, Satoh-Araki� !"�X��e6R$�56D6 [86, 98, 95, 92].

40

8.3.4 ,-�� F/:� octet string��

JK��+�� Fq��]̂ a-�� octet string+�%&*+(�56��VW�� q��;<X�m� q6Z6��D6W4 !/"0�&��N6��+D6.

• qG$ 2H�I$��F/1� p��JK

JK��+��]̂-�� ;<%&��;<��+��%& 8.3.16�)� I2OSP-��N6��56#7 octet string+�%&*+(��+D6.

I2OSP(a, �log256 q�).

• q = 2m��JK

8.16�)�!/"0�&+�%&J,(�� a-�� ̀�� q6Z6��'�F1%�) b%&*+(��+W�� 8.3.26�)� BS2OSP-��N6��56#7octet string+�%&*+(��+D6.

BS2OSP(b).

• q = pm m > 1��JK

JK��+�� Fpm� �̀�� P1363�$�� D6�/"#�� ̀��>!��D6��(.��D6. 8.16�)�!/"0�&+�%& a-��J,(��D6�/"#�� a(x)%&*+(�56(. x34��( p-��34��&56#7��;!��+ ��;<� 3456#7 I2OSP-��N6��56#7D6��/�' -��*+(��+D6.

I2OSP(a(p), �log256 q�).

�.�34%& octet string��JK��+��]̂%&*+(�(OS2FEP)56134כ�� q = p��)AB�� OS2IPX�' -(. q = 2m��)

AB�� OS2FEP(M)=OS2BSP(M,m)��D6. q = pm��( ��J<�� octet string�� ;<%& *+(��+ ��1כ� p-%�(0�&+�%&2/(�G��+��;<-��56#7��JK��+��]̂-��]̂-��56��D6�/"#��E��;<��D6.

8.3.5 ,-�� F/� �� 1��

Fp��]̂�� ;<��%&*+(��"�.Se6%�TD6כ( F2m��]̂ ae6'�F1%�) (am−1am−2 · · · a0)��Z6J+( ��;<%&�*+(�34 D6��/�' -D6:

FE2IP(a) =m−1∑i=0

2iai.

LM*�(. Fpm��]̂ ae6 am−1xm−1 + am−2xm−2 + · · · + a0, (ai ∈ Fp)��Z6J+( ��;<%&�*+(�34 D6��/�' -D6:

FE2IP(a) =m−1∑i=0

piai.

8.3.6 ��כ��$+��E� octet string��

Point at infinity O�� 0x00+�%&*+(�� D6.Q6�� !',,(� -� P = (px, py) � O�� 7:��,'�� 7:��, hybrid�z@e6C� �� !/"0�&8�9 56O6� !/"0�&+�%& octet string/� ��%& *+(�� D6. � 7:��34 py-�� LM34%& N6��56C� � ,(.

56O6� '�F1 p̃y%& py� 34��+ ��h&>!�� O6Q6�4#$ pye6 "�+��Sכ( ��J< pxX� p̃y%&\�� py-�� ;!�56�� !/"0�&��

D6. l = �log256 q��Z6(.56J+( O��6?�(�� -�34 � 7:��(��J< l + 1f6��F1� octet string PO%&*+(�"(.'�� 7:��/� hybrid��34 2l + 1f6��F1� octet string PO%&*+(�� D6.

1. px-�� octet string X1+�%&*+(��+D6.

2. � 7:��(��J< : p̃y = 0��J+( PC = 02��(. p̃y = 1��J+( PC = 03��D6.LMy$J+( PO = [PC || X1].

3. '�� 7:��(��J< : py-�� octet string Y1+�%&*+(�56(. PC = 04��D6.LMy$J+( PO = [PC || X1 || Y1].

4. hybrid��( ��J< : py-�� octet string Y1+�%& *+(��+D6. p̃y = 0��J+( PC = 06��(. p̃y = 1��J+(PC = 07��D6.LMy$J+( PO = [PC || X1 || Y1].

41

8.4 ECDSA(Elliptic Curve DSA)

ECDSA(Elliptic Curve DSA)�� DSA�Q6�� !',,(*+(R,S+�%& X9.62%&�� "��D6 [2]. q6Z6��] 6�) -��(� �(.*��34 JK��+��#� �� DSAX��)56D6.

ECDSA�=>a@��(Y6Z6[��D6��/�' -D6.

• field size

– q = p��)AB: p.

– q = 2m ��)AB:m: field size.basis type: Gauss Normal Basis(GNB), Trinomial Polynomial Basis(TPB), Pentanomial Poly-nomial Basis(PPB).basis parameter: type� q6W4 �̀��D6�/"#�� h&.

• D6��#��>!��56�� (a, b).

E(Fq) : y2 = x3 + ax + b, if q = p (p > 3),E(Fq) : y2 + xy = x3 + ax2 + b, if q = 2m.

• "�#� �� G ∈ E.

• G��#;< n. ��AB, n > 2160, n > 4√

q��#$�p��+D6.

• (,,(aF�Y6Z6[��) cofactor h = #(E)/n.

• (,,(aF�Y6Z6[��) 160'�F1��.;�� SEED. 134כ��Q6�� !',,(��%&"�#� �56��J<� LM1כ�� 56�̀�#!�"��]S��+Y6Z6כ(��D6.

�� g6�� H�/� ��H�Z;�� (d,Q), 0 < d < q, Q = dGZ656J+(,a@z@C�M� 34��+�� 34 D6��/�' -��;!�� ;<Z;� (r, s)%&�� D6 (r� �� x1 = FE2IP(x1)��(. s� ��!��;< H�� SHA1��N6��+D6):

(x1, y1) = kG, where k ∈ [1, n),

r = x1 mod n,

s = (k−1(H(M) + dr)) mod n.

��AB>!��) r��O6 se6 0��J+(�G%&*� k-��"�#� �56#7D6�� (r, s)-��+D6.�� 34 D6��/�' -��#$%�(D6:

u1 = (H(M)s−1) mod n,

u2 = rs−1 mod n,

(x1, y1) = u1G + u2Q,

r ?= x1 mod n.

8.5 ECKCDSA(Elliptic Curve KCDSA)

ECKCDSA�� KCDSA-�� Q6�� !',,( �#� � �(.*��+�%& ��C~� X"c34 &%�+1כ� �� %�&�� %�(&': 8�9� ��D6.] 6�) -��(� �(.*��34 JK��+��#� �� KCDSAX��)56O6Y6Z6[�� z��;!�!/"0�&� 34��+�[�e6"�.S56D6כ( ECKCDSA� ��D6W4 Q6�� !',,(� �(.*�� 34��+�� /��Q �*�Q6�� !',,(�JK��+��e6p > 3��)AB, Fpm-��|��56(.��D6.

ECKCDSA�=>a@��(Y6Z6[��D6��/�' -D6.

• field size

– q = p��)AB: p.

42

– q = 2m ��)AB:m: field size.basis type: Gauss Normal Basis(GNB), Trinomial Polynomial Basis(TPB), Pentanomial Poly-nomial Basis(PPB).basis parameter: type� q6W4 �̀��D6�/"#�� h&.

– q = pm ��)AB:(m, p): field size.basis type: Binomial Polynomial Basis(BPB), TPB.basis parameter: type� q6W4 �̀��D6�/"#�� h&.

• D6��#��>!��56�� (a, b).

E(Fq) : y2 = x3 + ax + b, if q = p or q = pm (p > 3),E(Fq) : y2 + xy = x3 + ax2 + b, if q = 2m.

• "�#� �� G ∈ E.

• G��#;< n. ��AB, n > 2160, n > 4√

q��#$�p��+D6.

• (,,(aF�Y6Z6[��) cofactor h = #(E)/n.

• (,,(aF�Y6Z6[��) 160'�F1��.;�� SEED. 134כ��Q6�� !',,(��%&"�#� �56��J<� LM1כ�� 56�̀�#!�"��]S��+Y6Z6כ(��D6.

�� H�/� ��H�Z;�� (d,Q), 0 < d < n, Q = (d−1 mod n)G = (qx, qy)Z6(.��AB, Cert Data��N6��g6�� H�%&\��D6��/�' -��E��;<��' .��D6כ

Cert Data = I2BSP(FE2IP(qx) + q · FE2IP(qy), 8�|q|/4�).LMy$J+( Y6Z6[�� z�� Q�9�"��/"� �� e66�) "�Se6כ( %�T�� !��;< H2-�� N6��56#7 D6��/� ' -�� +

D6. (H2%&�� /� �� N6�� Q�9�"��/"� ��' &��!��;< H-��N6��;<=>��D6.)

z = H2(Cert Data).

JK��+�� ]̂ x1-�� t'�F1� '�F1%�)%& *+(��+ ��1כ� x1 = OS2BSP(FE2OSP(x1), t)Z6(. 56J+( a@z@C�M� 34��+ ECKCDSA�� 34 D6��/� ' -�� "�#� �� '�F1%�) r/� ��;< s%& �� (r, s)��D6 (!��;< H��default%&HAS160��N6��56(. SHA1=>N6��;<��D6.):

(x1, y1) = kG, where k ∈ [1, n),

r = H(x1),

s = d(k − (r ⊕H(z||M))) mod n.

�#� �� s-��AB, r ⊕H(z||M)34 ��'�F1%�)��'�F19!��#%& XOR��+W�� D6�� ;<%&*+(�56#7��;!��+D6.�� 34 D6��/�' -��#$%�(D6:

e = (r ⊕H(z||M)) mod n,(x1, y1) = sQ + eG,

r ?= H(x1).

�� 10� �� ECDSAX� ECKCDSA��G��(H�/ !"�GH�X�� "�#� �/� ��'�()!�X"c��OD6.

43

�G��(H�/ !"�GH� ��

ECDSA (d,Q) k ∈r Z×n u1 = (H(M)s−1) mod n

Q = dG (x1, y1) = kG u2 = rs−1 mod n= (qx, qy) r = x̄1 mod n (x1, y1) = u1G + u2Q

s = (k−1(H(M) + dr)) mod n r ?= x̄1 mod n

ECKCDSA (d,Q) k ∈r Z×n e = (r ⊕H(z||M)) mod n

Q = (d−1 mod n)G (x1, y1) = kG (x1, y1) = sQ + eG

= (qx, qy) r = H(x̄1) r ?= H(x̄1)

s = d(k − (r ⊕H(z||M))) mod n

�� 10: ECDSAX� ECKCDSA�'�()

8.6 Elliptic Curve Diffie-Hellman (ECDH)

ECDHX� ECMQV�� Diffie-Hellman� �(.*��/� MQV-��Q6�� !',,(�#%&��CF�(1כ�+�%& X9.63+�%&�� 8�9� ��D6 [3]. X9.63� �� N6��56�� =>a@��( Y6Z6[�� ECDSA� �� =>a@��( Y6Z6[��X� ' -(., D6>!�X9.62� ��,,(aF�Y6Z6[��%&N6��56�� cofactor h = |E|/n�� small subgroup !"�X��M��̀�#!�"�);< -�+�%&N6�� D6.�̀] -��( ECDH��N6��g6��G��(H�/ !"�GH�Z;� (d,Q), 1 < d < n−1, Q = dGZ6��AB,�<N6��g6A,B

8!�� Shared secret34 Z = hdAdBG = hdAQB = hdBQA� x ̂�� zx ∈ Fqe6�� D6.JK��+�� Diffie-Hellman� �(.*��/� s6J.�e6C�%& N6��g6� H�e6 (. ��H� (d,Q)��(C�I�J34 ��H� (r,T)��(C�� q6Z6 #7y$e6C� *+(R,S�� ECDH, ECMQV� �(.*��7� ��+D6 (#7y$e6C�� (.*�� 34��+g6z@��+�4��34 7.36�)�JK��+��Diffie-Hellman� �(.*��/�\��D6�)��)*+n>).��N6��g6��=>a@��(Y6Z6[�� (n,G,E(Fq), h)-��T>�<� �(.��D6(.e6 ��+D6.

• Static-Static ECDH

N6��g6 A N6��g6 B

dA ∈ {2, · · · , n − 2}QA = dAG

dB ∈ {2, · · · , q − 2}QB = dBG

Z = hdAQB Z = hdBQA

JK��+��.;�� Static-Static DH� 34��56��Q6�� !',,(*+(R,S+�%& X9.63� Static Unified Model� !�=;��+D6.

• Ephemeral-Static ECDH

N6��g6 A N6��g6 B

rA ∈ {2, · · · , n − 2}TA = rAG

dB ∈ {2, · · · , q − 2}QB = dBG

−−−−−→TA

Z = hrAQB Z = hdBTA

44

JK��+��.;�� Ephemeral-Static DH� 34��56��Q6�� !',,(*+(R,S+�%& X9.63� 1-Pass Diffie-Hellman!/"#�� !�=;��+D6.134כ�� S/MIME Working group� CMS� �� +�%&?@$!�"(.��D6 [48].

• Ephemeral-Ephemeral ECDH

N6��g6 A N6��g6 B

rA ∈ {2, · · · , n − 2}TA = rAG

rB ∈ {2, · · · , q − 2}TB = rBG

TA−−−−−→←−−−−−TB

Z = hrATB Z = hrBTA

JK��+��.;�� Ephemeral-Ephemeral DH� 34��56��Q6�� !',,(*+(R,S+�%& X9.63� Ephemeral Uni-fied Model� !�=;��+D6. LMy$O6 X9.63� ��%& "�#� ��+ =>a@��( Y6Z6[�� 34!�� H�-��"�#� ��+D6.

• ECMQV1

ECMQV� �(.*��34 JK��+��MQV-��Q6�� !',,(�#%&��CF�(1כ�+�%&JK��+�� MQV� �� t̄� !�=;�56�� ;<-�� G%&�� +D6. G� �#;< n� '�F1;<-�� fZ6(. �� AB, ��;< av f-�� av f (Q) = (qx

mod 2� f/2�)+ 2� f/2�X�' -�� +D6. ECMQV134 LM��(g6��(. ��H� (dA,QA)X��H� (rA,TA)��<Z;��H�-��e6C��.�J+(� ;<��(g6��(. ��H� (dB,QB)>!��e6C�(.��D6.

N6��g6 A N6��g6 B

dA, rA ∈ {2, · · · , n − 2}QA = dAGTA = rAG

dB ∈ {2, · · · , q − 2}QB = dBG

TA−−−−−→iA = rA + av f (TA) · dA mod nZ = (h · iA)(QB + av f (QB)QB)

iB = dB + av f (QB) · dB mod nZ = (h · iB)(TA + av f (TA)QA)

X9.63� 1-Pass MQV � �(.*�� !�=;��+D6. Ephemeral-Static ECDHX� �� S/MIME workinggroup� CMS� �� +�%&?@$!�"(.��D6 [48].

• ECMQV2

ECMQV2��LM�;<��(g6T>�<(. ��H�,��H��<Z;��H�-��e6%�(D6. X9.63� Full MQV� !�=;��+D6.

45

N6��g6 A N6��g6 B

dA, rA ∈ {2, · · · , n − 2}QA = dAGTA = rAG

dB, rB ∈ {2, · · · , q − 2}QB = dBGTB = rBG

TA−−−−−→←−−−−−TB

iA = rA + av f (TA) · dA mod nZ = (h · iA)(TB + av f (TB)QB)

iB = rB + av f (TB) · dB mod nZ = (h · iB)(TA + av f (TA)QA)

8.7 Shared secretD=��34!"Master secret��

X9.63� �� Shared secret zx%&\��Master secret��D6��/�' -��56=>�� 56(.��D6.J<,,(JK��+��]̂ zx-��'�F1%�) Z%&*+(��+D6.'�F1�� log2(q)�'�F1��D6.

• INPUT :

Z : bit string of secret value.keydatalen : length in bits of the keying data to be generated.SharedInfo : optional value which consists of some data shared by two entities.

• OUTPUT : KeyData of length keydatalen bits.

• STEPS :

Counteri-�� i-�� 32'�F1%&��+' �.)��Z6כ�AB KeyData��D6��/�' -��;!�� D6:

Hashi = H(Z||counteri||[SharedInfo]),KeyData = Hash1 ||Hash2 || · · · ||Hash�keyLen/HLen�.

s6C�M�� !��' �� כ "��S%�Tכ( \�#� 34 �$F3�D6. �� AB, !��;<%&�� ANSI� ��L$��(�� )+1��Jכ� #$m��q;��1כ��;<��D6(."#$��+�O6��%&�� SHA1��JK��)56D6.

S/MIME� working draft “draft-ietf-smime-ecc-02.txt”� �� SharedInfo-��D6�� DER ��(bc��+56&%�+1כ�(.��D6 [48].

ECC-CMS-SharedInfo ::= SEQUENCE {

keyInfo AlgorithmIdentifier,

-- oid of the key-encryption algorithm and NULL parameters

entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,

-- additional keying material supplied by the sending agent

-- with ECDH and CMS, it is ukm(user key material}

-- with ECMQV and CMS, it is addedukm

suppPubInfo [2] EXPLICIT OCTET STRING

-- length of the generated KEK, in bits,

-- represented as a 32 bit number

}

P1363��O6 P1363a� ��H�JK=>��;<%& 7.4.36�)� KDF1��O6 KDF2-��N6��+D6 [4, 5].

46

�� 9�� (�,-./(key derivation)��

H�JK=>� �(.*��34 H�()�� (.*��)��56#7��E34 Shared secret��O6_��U�%&\��!�=;�� (.*�� "��'+��Sכ()H�(+IV)-��JK=>56�� (.*��D6. Diffie-Hellman� �(.*��/� ECDH� �(.*��+H�#� I�01%&2&��%&\��E34 Shared secret+�%&Master secret��"�#� 134כ��56�� 7.46�)/� 8.76�)��)*+n>56(.��6�)� ��"�#456��+D6.

SSL 3.0��O6 TLS 1.0� �� $X� n��Z6��<,(F1e6 Handshake/� �� RSA transport%& (Client%&\�� Server%&) 2/(LM�56~�O6 Static-static DH I�J34 Ephemeral-ephemeral DH�� 56#7 ��;!��

pre master secret-��56#7 master secret/��?@VW��-��/>��56��VW"��'+��Sכ()H�, MACH��$��"�#� �56�:�� D6 [54, 33].

IPSec IKE�� Phase 1/� Phase 2� �< 01%&2&��%& �� "��VW, Phase 1� �� (��!/"0�&� q6Z6��SKEYID-�� "�#� �56�� !/"0�&�� D6t1D6. SKEYID%&\�� Phase 1 01%&2&�� a@z@C�� h&��56��VW N6��SKEYID e, SKEYID aX�, Phase 2� Derivation key%&N6�� SKEYID d-��"�#� ��+D6.��?@ AHO6 ESP01%&2&�� N6��56��H�� Phase 2�H�#� I�/� ��)��!�()�� h&X� SKEYID d%&\��JK=>�� D6._��U�%&\��H�-��JK=>56��J<_��U��O6�4��+��e6��+��%&N62/(#�� !"�X� (dictio-

nary attack)� UV��56(.,q6Z6��-��h&�� 56��!/"0�&��"�,PBKDF1�S56D6.q6Z6��PKCS#5כ( PBKDF2X�PKCS#12� PBKDF�� saltX� iteration count-��N6��+D6 [17, 19]. Salt��56O6�_��U�� 34!�H�-��#7y$�G34��H��!/"0�&+�%&>!�� 64'�F1� salt-��N6��+D6J+( !"�X�g6e656O6�_��U�� 3456#7 264�

H�-��[�*��;!�!��p56��%& !"�X�� ?@��+��8��;<��D6. Iteration count(u2]̂ 1000��.;��;�)��H�-��JK=>��AB#$eg(/� ��.�>��+�%&,-H�"�#� �� U��'��e6�� !"�X� 1��%כ��#$9!&�:56��+D6.��H�I�:N6��g6�$!�2/(� ��_��U�� 7� !�� _��U�-��h&��56��$��{<�+1h&D6

.S56D6כ8�9<=

9.1 SSL 3.0E� TLS 1.0��(�,-./�� 1�

TLS 1.034 SSL 3.0� �*) -�� h&�� + ,VW)��1כ� )��x� H� JK=> \�#� � �� r6��e6 ��D6. SSL 3.0� �� pre master secret+�%&\�� master secret�� JK=>56~�O6, JK=>�� master secret+�%& H� ��"�#� �� AB, MD5X� SHA-�� + !��' ��כ <<(6�&56#7 ��+D6 [54]. TLS 1.0� �� g6�� +PRF(Pseudo Random Function)-�� N6��56�� &%�+1כ� f6GH��D6 [33]. SSL, TLS T>�< master secret34 48f6��F1�(. �� -��' &��D6.

PM : pre master secret, M : master secret, CR : ClientHello� �� random, SR : ServerHello� �� random��Z6(.56g6.

• pre master secretD=��34!" master secret�� :

– SSL 3.0

master secret =MD5(PM || SHA(‘A’||PM||CR||SR)) ||MD5(PM || SHA(‘BB’||PM||CR||SR)) ||MD5(PM || SHA(‘CCC’||PM||CR||SR)).

– TLS1.0

master secret = PRF(PM, ‘master secret’,CR||SR)�.;��# 48f6��F1

#7�̀�� PRF��N6�!�;<��;<(Pseudo Random Function)+�%&D6��/�' -�� D6.

PRF(secret, label, seed)= P MD5(S1, label||seed)⊕ P SHA1(S2, label||seed),

(S1 : First half of the secret, S2 : Second half of the secret. >!��) secret�f6��F1;< LSe6s,t;<

Z6J+( S134 secret�.;��# �LS/2�f6��F1��(. S2��56�# �LS/2�f6��F1��D6.��, secret�e6*� VWf6��F1e6 S1�s6C�M��f6��F1X� S2� 5̂1f6��F1��f�� |��"=>�� +D6.)

47

P hash(secret, seed)= HMAC hash(secret, A(1)||seed) ||HMAC hash(secret, A(2)||seed) || · · · ,

(A(0) = seed, A(i) =HMAC hash (secret, A(i-1)).)

• (�� :��?@a@z@C��O6MAC��;!�� N6�� H�-��JK=>56��;<%&!�=;�� (.*�� "� '�/��H�-��D6�S��+��>!��$Kכ(-��;!��+D6.

– SSL 3.0

key block =MD5(M || SHA(‘A’||M||SR||CR)) ||MD5(M || SHA(‘BB’||M||SR||CR)) ||MD5(M || SHA(‘CCC’||M||SR||CR)) ||· · · .

��?@%&"��S��+Hכ(#� key block�.;��#f6��F1\��r6¡�%&"�S��+��(cipherכ( suite� �� )>!��$KD6��/�' -��O6P<#$��N6��+D6.

client_write_MAC_secret[CipherSpec.hash_size]

server_write_MAC_secret[CipherSpec.hash_size]

client_write_key[CipherSpec.key_material]

server_write_key[CipherSpec.key_material]

#7�̀�6C�� exportable� �(.*��/� non-exportable� �(.*��)56(. non-exporttable��(��J<�� key block+�%&\��LMB��#$�� IV-��D6��/�' -��+D6.

client_write_IV[CipherSpec.IV_size] /* non-export ciphers */

server_write_IV[CipherSpec.IV_size] /* non-export ciphers */

Exportable� �(.*��34 ��$X�n��Z6��<,(F1� write key-��G%&�� D6��/� ' -��;!�56(. IV=> key block+�%&\��56C�� ,(.D6��/�' -��;!�56��VW, MD5�Q��9U�� .;��#f6��F1� ��"� S��+��>!��$KBכ(�Z6�4#$N6��+D6.

final_client_write_key

= MD5(client_write_key || ClientHello.random || ServerHello.random);

final_server_write_key

= MD5(server_write_key || ServerHello.random || ClientHello.random);

client_write_IV = MD5(ClientHello.random || ServerHello.random);

server_write_IV = MD5(ServerHello.random || ClientHello.random);

– TLS1.0key block = PRF(M, ‘key expansion’, SR||CR).

TLS� ��=> SSL/� s6J.�e6C�%& exportable � �(.*��/� non-exportable � �(.*��+�%& O6P<#$��H�-��+D6.

client_write_MAC_secret[SecurityParameters.hash_size]

server_write_MAC_secret[SecurityParameters.hash_size]

client_write_key[SecurityParameters.key_material_length]

server_write_key[SecurityParameters.key_material_length]

client_write_IV[SecurityParameters.IV_size] /* non-export ciphers */

server_write_IV[SecurityParameters.IV_size] /* non-export ciphers */

Exportable� �(.*�� 34!��D6��;!��+D6.

48

final_client_write_key =

PRF(SecurityParameters.client_write_key, "client write key",

SecurityParameters.client_random ||

SecurityParameters.server_random);

final_server_write_key =

PRF(SecurityParameters.client_server_key, "server write key",

SecurityParameters.client_random ||


iv_block = PRF("", "IV block", SecurityParameters.client_random ||


client_write_IV[SecurityParameters.IV_size]

server_write_IV[SecurityParameters.IV_size]

�#� IV�� iv block�.;��#f6��F1\��r6¡�%&��E��D6.

9.2 IPSec IKE��(�,-./�� 1�

IPSec IKE [41]�� Phase 1/� Phase 2��<01%&2&��%&�� D6. Phase 134 �< IPSec entity8!�� long-termsecure channel��( ISAKMP SA-��C�) ��56�̀�#!�N6��"kl, Phase 201%&2&��34 ISAKMP SA�h&��6��?@h&$!�01%&2&��( AH [36]O6 ESP [39]� ��N6�� Protocol SA-��C�) ��56�̀�#!�N6�� D6.�6�� Phase� ��H�JK=>!/"0�&��8!�456x� �̀6̂��+D6 (ISAKMPX� IKE [40, 41])*+n>).

• Phase 1L6%&�� (� ,-./: Phase 1� �� (��!/"0�&(signature, public key encryption, pre-sharedkey)� q6Z6 SKEYID-��"�#� �56��!/"0�&��D6��/�' -��D6t1D6 [41].

SKEYID =

PRF(Nib||Nrb, gxy), for signature,PRF(hash(Nib||Nrb), CKY-I||CKY-R), for public key encryption,PRF(pre-shared-key,Nib||Nrb), for pre-shared key.

– PRF(key,msg) : keyed Pseudo Random Function (N6�� PRF-��=(>.;��;<=>��(.%�T+�J+(=(>.;�� !�� (.*��+HMAC��N6��).

– Nib, NrB : �� initiatorX� responder�Nonce payload� body\�#� .

– gxy : Diffie-Hellman Shared secret

– CKY-I, CKY-R :�� initiatorX� responder� ISAKMP!�89� cookie\�#� .

#7�̀��"�+��Sכ( SKEYID��e6 PRF�Q��9U��h&D6? @+�J+( PRFQ��9U��.;��#\�#� +�%& SKEYID-��.��(.,��J+(D6��/�' -34 !/"0�&+�%&��;�56#7"��-��.H�-��E��D6�S��+��>!��$Kכ(��#$ pre-sharedkey��(�� 34��+ SKEYID-��+D6(.56g6.

block1 = PRF(pre-shared-key,Nib||Nrb)

block2 = PRF(pre-shared-key, block1||Nib||Nrb)

block3 = PRF(pre-shared-key, block2||Nib||Nrb)...

SKEYID = block1||block2||block3|| · · · .

��)9!� SKEYIDe6�!�C�J+(D6��/�' -34 3�G�H�-�� SKEYID%&\��JK=>��+D6 (H��#X�' -34 !/"0�&+�%&��;�e6R$�).

SKEYID d = PRF(SKEYID, gxy||CKY-I||CKY-R||0)

SKEYID a = PRF(SKEYID, SKEYID d||gxy||CKY-I||CKY-R||1)

SKEYID e = PRF(SKEYID, SKEYID a||gxy||CKY-I||CKY-R||2)

49

�#� �� 0, 1, 2�� 56O6� octet%& ��56kl gxy�� Phase 1� �� %& ()�"�� Key Exchage(KE)payload� |��"#$�� ephemeral DH !"�GH�%&\��;<��D6. SKEYID d�� Phase 2� ��H�JK=>� N6��56(. SKEYID a�� phase 2�a@z@C�-��(��ABN6��+D6. SKEYID e�� ISAKMP SA�a@z@C�-��ABN6��56��H�-��JK=>56��VW,"��S��+Hכ( Ka��e6 SKEYID eh&D6? @+�J+(.;��#\�#� +�%&H�-��.��(.��J+(D6��/�' -��+D6 (#7�̀�� 034 56O6� octet��D6).

K1 = PRF(SKEYID e, 0),

K2 = PRF(SKEYID e, K1),

K3 = PRF(SKEYID e, K2),

· · ·Ka = K1||K2||K3|| · · ·

• Phase 2L6%&��(�,-./: Phase 2� ��?@ AHO6 ESP01%&2&�� N6��H��( KEYMAT��D6��/�' -�� SKEYID dX� Phase 2� ��h&��56#7JK=>��+D6.

K1 = PRF(SKEYID d, [gxyqm||]protocol||SPI||Nib||Nrb)

K2 = PRF(SKEYID d,K1||[gxyqm||]protocol||SPI||Nib||Nrb)

K3 = PRF(SKEYID d,K2||[gxyqm||]protocol||SPI||Nib||Nrb)

...

KEYMAT = K1||K2||K3|| · · · .#7�̀�� [gxy

qm]�� Phase 201%&2&��( quick mode� �� Optional56�:()�"�� KE� |��"#$��ephemeral DH !"�GH�%&\��;<�� Shared secret��(., protocol/�SPI��Proposal payload8�9� ��=(>.;�� Transform� ��E34 ' �כ��D6.

9.3 M��?�L62��(�,-./�� 1�

_��U�%&\�� '��)H�-�� JK=>56�� !/"0�&+�%& B � � �yl%�( 134כ� PKCS#5� PBKDF1/� PBKDF2, LM*�(.PKCS#12� PBKDFe6��D6 [17, 19].

9.3.1 PKCS#5 PBKDF1

PBKDF134 MD2, MD5, SHA1/�' -34 !��;<-��N6��56#7D6��/�' -��H�-��JK=>��+D6 [17].

• Option : Hash : !��;< (MD2, MD5, SHA1).

• INPUT :

P :_��U�.S : salt (8f6��F1).c :�.�>��-;< (�� ;<).dkLen :��56��H��(9!��#��f6��F1).

• OUTPUT : DK :JK=>�� H�

• STEPS :

1. DK��e6!��;<��h&D6E�J+( “derived key too long”��Q��9U�56(.��®̄��+D6.

2. D6��/�' -�� P||S-��+vw Hash-�� c*,(�.�>��!��"�S��+��>!��$Kכ( DK-��E��D6.

T1 = Hash(P||S),

T2 = Hash(T1),

. . .

DK = Hash(Tc−1)� dkLenf6��F1.

50

9.3.2 PKCS#5 PBKDF2

PBKDF2��H�JK=>/� �� N6�!�;<��;<-��N6��+D6. H��?@��+��%�T+�kl�N6 �!�;<��;<��n>� q6Z6u234��e6?@��+�� D6 [17].

• Option : PRF :�N6�!�;<��;< (hLen : PRF�Q��9U��)

• INPUT :

P :_��U�.S : salt.c :�.�>��-;<.

dkLen :��56��H��(9!��#��f6��F1 : ≤ (232 − 1) × hLen).

• OUTPUT : DK :JK=>�� H�

• STEPS :

1. >!�� dkLen > (232 − 1) × hLen��J+( “derived key too long”��Q��9U�56(.��®̄��+D6.

2. l = �dkLen/hLen�, r = dkLen − (l − 1) × hLen.

3. �6��X�' -��H��;!��+D6.

Ti = F(P, S, c, i) = U1 ⊕U2 ⊕ · · · ⊕Uc, (i = 1, · · · , l),U1 = PRF(P, S||INT(i)),

Uj = PRF(P,Uj−1), ( j = 2, · · · , c).

4. DK�� T1||T2|| · · · ||Tl〈0 . . . r − 1〉e6�� D6.

#7�̀�� PRF�� HMAC��N6��56(., INT(i)�� ;< i-�� 4f6��F1%&��.1��D6כ�+��

9.3.3 PKCS#12 PBKDF

PKCS#12�PBKDF�� #$%�(!��;<,_��U�X� salt%&\��N6�!�;<'�F1-��"�#� �56#7, ID' כ� q6Z6�� '��)H�O6 IV, MACH�-�� "�#� ��+D6 [19]. PKCS#5� ��_��U�-��9!��̀��+ f6��F1%�)%&h&C�>!� PKCS#12� ��_��U�-��NULL%&FGHO6�� BMPstring��N6��+D6.��-��J+( 6.��g6�_��U� “Beavis”e6��D6J+(D6��/�' -34 14f6��F1%�)�� D6.

0x00 0x42 0x00 0x65 0x00 0x61 0x00 0x76 0x00 0x69 0x00 0x73 0x00 0x00

H-�� !��;<Z6 56(. H� Q��9U�� ('�F1)-�� uZ6 56(. a@z@C� ��&9U��('�F1)-�� vZ6 56g6. ��-��#$ MD2��J<�� u = 128, v = 512e6�� D6.LM*�(. uX� v�' ��כ 0�� 6?�( 8� I�;<��kl _��U�X�salt=> 8�I�;<Z6e6 ��+D6._��U�X� salt�'�F1;<-�� pX� s%&��56�̀%&56g6.LM*�(. n34 �56(.g656��N6�!�;<�'�F1;<Z6(.56J+(D6��/� ��~��56��' .��E��D6כ (ID��+f6��F1;<%& ID = 1 : '��)H�, ID = 2 : IV, ID = 3 : MACH�-��[�)

1. v/8�G� ID-��.�>��<<(6�&56#7 D-��E��D6.

2. Salt-��.�>��<<(6�&56#7 v · �s/v�'�F1� S-��E��D6.<<(6�&��ABs6C�M�� salt� ��56��'�F1;<� q6Z6 truncate� �;<��D6.>!�� salte6 empty��J+( S=> emptye6�� D6.

3. _��U�-��.�>��<<(6�&56#7 v · �p/v�'�F1� P-��E��D6.<<(6�&��ABs6C�M��_��U�� 56��'�F1;<� q6Z6 truncate� �;<��D6.>!��_��U�e6 empty��J+( P=> emptye6�� D6.

4. I = S||P, c = �n/u��Z656g6.

5. i = 1, 2, . . . , c,� 34!�D6��/� ��;<&':��+D6.

a) Ai = Hr(D||I)Z656g6.J<*+(34 D||I-�� r*,(!��+' .��D6כ i.e, H(H(H(. . .H(D||I))))

51

b) Ai-��.�>��<<(6�&56#7 v'�F1� B-��E��D6.<<(6�&��ABs6C�M�� Ai� ��"� �#�\+��Sכ(��?@XA56(.

truncate��+D6.

c) k = �s/v� + �p/v�Z656g6.LMy$J+( I-�� v-'�F1�� I0, I1, . . . , Ik−1��<<(6�&"#$��R,S§�%&"�#

��;<��D6.LMi,(vw� �� j� 3456#7D6��;!�56#7�G%&*� I-��>!�;��D6.

Ij = Ij + B + 1 mod 2v.

6. A = A1||A2|| · · · ||Ac�� n'�F1>!��Q��9U��+D6.

�� 10�� (��(Key Wrap)��

Cryptographic Message Syntax(CMS)�� ,� 7:��,��(��,��.��$�� 34��+�.�� 1��D6כ�+�� [44].CMS� q6t1J+(��?@�a@z@C�-��%&2/(LM��ABN6��56��'��)H�� (.*��H� CEK(Content Encryp-tion Key)-�� !"�GH� � �(.*��+�%& ��56#7 2/(LM�56~�O6(key trasport), J<,,( KEK(Key EncryptionKey)-��H�#� I�01%&2&��%&��%&[�*�()�56~�O6I�J34 _��U�%&\��JK=>56#7, CEK-�� KEK-��N6��56�� key wrap� �(.*��+�%&��56#72/(LM�56�:�� D6. Key wrap� �(.*��34 SSL/TLS� ��LM�;<��(g6e6��%& interactive56�:H�-��()�"�#� �56��01%&2&��h&D6�� e-mail/�' -34 S/MIME�� %&}��!/"#��D6.

Key wrap � �(.*�� h&)�� J< ��?@� a@z@C�-�� 56�� (.*��/� CEK-�� 56�� (.*��34 ��%&' -C�>!� 40'�F1� RC2 CEK-�� 168'�F1� 3DESO6I�J34 128'�F1� RC2%&��;<=>��D6.

10.1 ��)�(�כ�� Key Wrap(key transport)

!"�GH�� (.*��+H��2/(LM�� (.*��34 h&)��/>�� (.*��/�' -D6. CMS� �� RSA transport� �(.*��34 PKCS#1 v1.5-��N6��+D6 [44]. LMy$O6 PKCS# v1.5��,,(aF��.�� !"�X�� UV�� -��+��%& PKCS#1 v2.0� �� PKCS#1-OAEPe6?@$!�"��1כ��.)�� CMS� �� key transport� �(.*��+�%&N6��"�!$@?��1כ��56��D6 [49].

10.2 � �� Key Wrap

CMS� �� 56�� key wrap� �(.*�� N6��56�� 64'�F1��-��N6��56(. CBCT>U�%&��+D6. Key wrap� �(.*��34 �̀] -�+�%& CEK�� (.*��/�' -34 � �(.*��D6.)��x� CMS-��q6t1�� .�U�� 3DES CEK-�� 3DES%& key wrapping56�� (.*��|��56#7��!��p��+D6.LMH�IC�>!� KEK�� (.*��(key wrap� �(.*��)/� CEK�� (.*��%&D6W4 56"/!>}<=-,��1כ�D6.��-��#$ 40'�F1� RC2 CEK-�� 168'�F1� 3DESO6 128'�F1� RC2%&��56#7=>�� D6.��-��+ key wrap� �(.*��34 CEK�� (.*�� DESX�' -��(. �� H��-��' &��

J<� '�!� RC2X�' -��e6*+( -��(H��-��' &��J<�� CEK�� 34��+ ��h&e6|��"#$�p56��%&�<��e6��%&��8!�D6t1D6.

• �� CEK

(. �� H�-��N6��56�� (.*��34 DES, 3DES, DESX, IDEA�$��D6 [44, 50]. ��AB, DES,3DES, DESXH��J<�� H�� parity'�F1-�� odd parity check '�F1%& z@ABS56#7 H��-�� 64'�F1�I�;<%&>!�;��D6.

– ICV(Integrity Check Value) = SHA1(CEKPAD)�.;��# 8f6��F1.

– CEKICV = CEK || ICV.

• G$�� CEK

e6*+(�� H�-��N6��56�� (.*��34 RC2, CAST-128�$��D6 [44, 47]. #7�̀�� CEKX� KEK��' 56��+*1��f64כ��56<=-D6.

– CEK��(octet)-�� LENGTHZ6(.��+D6.

52

– LCEK = LENGTH || CEK.

– LCEKPAD = LCEK || PAD.

– ICV = SHA1(LCEKPAD)�.;��# 8f6��F1.

– LCEKPADICV = LCEKPAD || ICV.

�#� �� PAD-��3�1D�E��)AB, LCEKPAD��e6 8f6��F1�I�;<e6"=>��56��u2]̂��!�;<_��+D6.

CEKICVO6 LCEKPADICV-�� CEK-string��Z6(.56g6.LMy$J+(D6��/�' -�� KEK%& CEK-string��+D6.#7�̀�� KEK��H�#� I�01%&2&��)��!��%&()�"~�O6[�*�#� I�� D6.

1. 8f6��F1�!�;< IV-��"�#� ��+D6.

2. TEMP1 = EncKEK(CEK-string, IV).

3. TEMP2 = IV || TEMP1.

4. TEMP3-�� TEMP2� octet string� �̀��-��.D6+��&%�+1כ�+��&34%�.

5. Ciphertext = EncKEK(TEMP3, IV2).IV2 = 0x4A DD A2 2C 79 E8 21 05.

10.3 Password-based Key Wrap

N6��g6�_��U�%&\��H�JK=>��;<-��)��56#7 KEK-��>!��#$��'��)H�� (.*��+�%& CEK-��56��;<��D6 [51]. ��AB, IVe6"��\&%�\S56J+(XAכ( IV-��&9U��+D6.��)�.� -�+�%& CEK�� (.*��/� key wrap� �(.*��' -��"�.S��%�TD6כ(

KEK�� PBKDF2-��56#7JK=>��+D6 (9.26�))*+n>).JK=>�� KEK%& CEK-��AB, CMS-��q6t1�� password-based key wrap�� .�U�� CBCT>U�� 3DES� �(.*��|��56#7�p56(. CBCT>U�� RC2� �(.*��34 |��56=>��;�56(.��D6. Key wrap34 D6��/�' -��#$%�(D6.

1. CEK byte count : CEK�f6��F1;<(1f6��F1).

2. check value : CEK� 5̂1 3f6��F1-��T>�<��'�F10!)%& complement��+1כ�.

3. formatted CEK = (CEK byte count) || (check value) || CEK || (padding if required).

4. padding : �#� formatted CEK��e6 key wrap� N6��"�� E��̀�I�;<e6"kl -�#$=>�<��E��̀e6"=>��56��!�;<%�)��D6.

5. DK%&\��E34 KEK-��N6��56#7 formatted CEK-��+D6 ("�+��Sכ( IV��XA\�%&\��&9U�).

6. �#��.�� s6C�M�� IV%&56#7 KEK-��H�%&D6��+*,(�#��.��+D6(��8�9��).

�� 11�� 0$ ��1�� 2�

SPRING34 ( �)�� G0?3��+�N6�!�;<"�#� ��̀(Pseudo-Random Number Generator)%& ( �)�� G0?3��+��Z6��°1y$*� CrypTool� ��N6��"(.��D6. SPRING34 N6��(OS,56U�CD#$)� q6Z6�� ;< �� noise source��a�J<D6��56(., AB%&��e6R$��+ noise sourcee6?@��+"#$��J<-��(.yl56#7e6R$��+��+T>;��N6�� !")�� -�+�%&N6��;<��=>��C�)��"��D6.

SPRING34 �<�G� 128'�F1 Secret Internal State*+(;< S1, S2-��' &��D6. S1, S2e6«>Q��"J+(LMvw"�#� �

"��T>;��!�;<e6«>Q��"��%& S1, S2��) ��8!��C�O6~�O6I�J34 ��) �� !�;<-��0?3"�#��f�(vw� �G

%&*� Seed-��56#7��C�) ��!� �#$�p��+D6.�>��+�� S1, S2e6«>Q��"89Z6=>/�~��!�;<-�� ;<%�T

�:56�̀�#!�� S1, S27�#��(/� ��)!/"�@"��;<-��)��!��)#$O6�p��+D6. S1, S2��L ��4��B 7��

53

O6$!�2/(56�:��;�� '��)H��$�+�%&\��E34 Seed-��!��;<%&!��56#7"�#� �56~�O6, 128'�F1��%& CBC-MAC��"�yl"�#� ��+D6.#7�̀��N6��;<��!��;<%&�� 128'�F1Q��9U��MD5O6 160'�F1Q��9U�� SHA1, RMD160, HAS160/� 192'�F1Q��9U�� TIGERe6��VW, 160'�F1O6 192'�F1��J<��Q��9U�� !��' �כ 5̂1 128'�F1-��N6��+D6.��e6R$��+ 128'�F1��%&�� SEED, CRYPTON, RC6,TWOFISH, RIJNDAEL, MARS, SERPENT, CAST256�$��N6��;<��D6.

SPRING� ��N6��"��*+(;<��('�F1)��D6��/�' -D6.

|S1| = |S2| = |T1| = |T2| = |U1| = |U2| = 128, |PAD1| = |PAD2| = 512 I�J34 128.

#7�̀�� PAD1,PAD2�� 0x36, 0x5C-��, !��;<-�� N6��56�� J<�� 64*,( �.�>��+ 512 '�F1%�)��(.CBC-MAC��N6��56��J<�� 16*,(�.�>��+ 128'�F1%�)��D6.��;< f-��D6��/�' -�� +D6.

f (x, y) =

h(x||y), !��;<-��+�!�;<0?3"�#

CBC-MAC(x, y), CBC-MAC��+�!�;<0?3"�#: x�� key, y�� data

SPRING��/� ��34 D6��/�' -D6:

1. Noise Gathering : Seed-��;<6�&��+D6. Seed��u2]̂��+ 256'�F1��.;��G�F1%&��-��' &=>��!��p56��%&e6R$��+��+% ,34 noise source%&\�� Seed-��E=>��+D6.8�9כS��+H��"�#� ��#!��N6��g6%&\��XA\��&9U�(H��&9U��O6,s6J<��)��!*<��;<=>��D6.

2. State Initilization : S1, S2-��̀��+D6 (SPRING��̀��+*,(>!�"�.(Sכ(

Seed← NoiseGathering

S1 ← f (PAD1, Seed)

S2 ← f (PAD2, Seed)

3. Output Generation : �!�;<-��"�#� �56#7 RandPool� ��*� vw"��S��+��>!��$K4כ(Q��9U�56(.T>g6Z6��J<��D6�� RandPool��J<��/� ��.�>��+D6.

(a) Initial State Update :

S← S1 ⊕ S2

T1 ← f (S1 ⊕ PAD1, S)

T2 ← f (S2 ⊕ PAD2, S)

(b) Generate Random Pool : (RandPool Size)/32*,(�.�>��+D6.

U1 ← f (S1 ⊕ PAD1,T2)

U2 ← f (S2 ⊕ PAD2,T1)

RandPool← RandPool||(U1 ⊕U2)

T1 ← f (S1 ⊕ PAD1,U2)

T2 ← f (S2 ⊕ PAD2,U1)

RandPool← RandPool||(T1 ⊕ T2)

(c) Final State Update :

S1 ← f (S1 ⊕ PAD1,T2)

S2 ← f (S2 ⊕ PAD2,T1)

4. State Update : "� �*&% q6Z6��G�Sכ( Seed-��!*<�6�� S1, S2-��7�#��(��f�(D6. (Si = 0��J+(� P� StateInitialization/�' -D6.)

Si ← f (Si ⊕ PADi, Seed) for i = 1, 2.

5. Reseed Control : Seed-��C�) ��56��n>Fp(34 ��) ��8!��/�56~�O6I�J34 ��) ��!�;<-��0?3"�#��f�(��J<��D6.

54

��

[1] X9.42 : Public key cryptography for the financial services industry: Agreement of symmetric keyson using Diffie-Hellman and MQV algorithms, ANSI, X9.42-1998 draft, Oct. 1998.

[2] X9.62 : Public key cryptography for the financial services industry: The elliptic curve digitalsignature algorithm (ECDSA), ANSI, X9.62-1998, approved Jan. 1999.

[3] X9.63 : Public key cryptography for the financial services industry: Key agreement and keytransprot using elliptic curve cryptography, ANSI, X9.63-199x draft, Jan. 1999.

[4] P1363 : Standard specifications for public key cryptography, D13, IEEE, Nov. 1999.

[5] P1363a : Standard Specifications For Public Key Cryptography: Additional Techniques, D8, IEEE,April 27, 2001.

[6] ISO/IEC 8372 : Information Processing - Modes of operation for 64-bit block cipher algorithm,ISO, 1987.

[7] ISO/IEC 9797-1 : Information Technology - Security Techniques - Message Authentication Codes(MACs) - Part 1: Mechanisms Using a Block Cipher, ISO, Dec. 1999.

[8] FIPS PUB 46-3 : Data Encryption Standard (DES), NIST, Oct. 1999.

[9] FIPS PUB 81 : DES Modes of Operation, NIST, Dec. 1980.

[10] FIPS PUB 113 : Computer Data Authentication, NIST, May 1985.

[11] FIPS PUB 180-1 : Secure Hash Standard, NIST, May 1993.

[12] FIPS draft : Secure Hash Standard, NIST, Oct. 2000.

[13] FIPS PUB 186 : Digital signature standard(DSS), NIST, May 1994.

[14] FIPS PUB 186-2 : Digital signature standard(DSS), NIST, Jan. 2000.

[15] PKCS#1: Public Key Cryptography Standard, v2.1(Draft 2), RSA Lab., January 5, 2001.

[16] PKCS#3: Diffie-Hellman key agreement standard, v1.4, RSA Lab., Nov. 1993.

[17] PKCS#5: Password-based cryptography, v2.0, RSA Lab., Mar. 1999.

[18] PKCS#7: Cryptographic message syntax standard, v1.5, RSA Lab., Nov. 1993.

[19] PKCS#12: Personal information exchange syntax standard, v1.0, RSA Lab., Jun. 1999.

[20] RIPE: Integrity primitives for secure information systems, Final report of RACE Integrity PrimitiveEvaluation RIPE-RACE 1040, LNCS 1007, Springer-Verlag, 1995.

[21] KCDSA Task Force Team, The Korean Certificate-based Digital Signature Algorithm, Submissionto IEEE P1363a, Aug. 1998.

[22] ��+%&' ��h& )��( �̀6̂� =(>�/(TTA), \�e6R,S 2/(g6�� !/"#�� - ?@2\� : ��(�� 2/(g6�� (.*�� (Digital signature mechanism with appendix - Part : 2 Certificate based digital signaturealgorithm), ��h&)��(9!�� , Jul. 2000.

[23] ��+%&' ��h& )��( �̀6̂� =(>�/(TTA), 128'�F1 �� (.*�� (128-bit symmetric block ci-pher(SEED)), ��h&)��(9!�� , Sep. 1999.

[24] ��+%&' ��h&)��( �̀6̂�=(>�/(TTA),!��;<�� -?@2\� :!��;<� �(.*��(HAS-160) (Hash Func-tion Standard - Part 2 : Hash Function Algorithm(HAS-160)), ��h&)��(9!�� , Nov. 1998.

55

[25] RFC 1321 : The MD5 Message-Digest Algorithm, R. Rivest, 1992.

[26] RFC 1423 : Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, andIdentifiers, D. Balenson, 1993.

[27] RFC 1826 : IP Authentication Header, R. Atkinson, Aug. 1995.

[28] RFC 1828 : IP Authentication using Keyed MD5, P. Metzger and W. Simpson, 1995.

[29] RFC 2040 : The RC5, RC5-CBC, RC5-CBC-pad, and RC5-CTS Algorithm, R. Baldwin and R. Rivest,Oct. 1996.

[30] RFC 2104 : HMAC: Keyed-Hashing for Message Authentication, H. Krawczyk, M. Bellare andR. Canetti, Feb. 1997.

[31] RFC 2144 : The CAST-128 encryption algorithm, C. Adams, May 1997.

[32] RFC 2202 : Test cases for HMAC-MD5 and HMAC-SHA-1, P. Cheng and R. Glenn, Sep. 1997.

[33] RFC 2246 : The TLS protocol version 1.0, T. Dierks and C. Allen, Jan. 1999.

[34] RFC 2268 : A Description of the RC2(r) Encryption Algorithm, R. Rivest, Mar. 1998.

[35] RFC 2286 : Test cases for HMAC-RIPEMD160 and HMAC-RIPEMD128, J. Kapp, Feb. 1998.

[36] RFC 2402 : IP Authentication Header, S. Kent and R. Atkinson, Nov. 1998.

[37] RFC 2403 : The Use of HMAC-MD5-96 within ESP and AH, C. Madson and R. Glenn, Nov. 1998.

[38] RFC 2404 : The Use of HMAC-SHA-1-96 within ESP and AH, C. Madson and R. Glenn, Nov. 1998.

[39] RFC 2406 : IP Encapsulating Security Payload (ESP), S. Kent and R. Atkinson, Nov. 1998.

[40] RFC 2408 : Internet Security Association and Key Management Protocol (ISAKMP), D. Maughan,M. Schertler, M. Schneider and J. Turner, Nov. 1998.

[41] RFC 2409 : The internet key exchange(IKE), D. Harkins and D. Carrel, Nov. 1998.

[42] RFC 2412 : The OAKLEY key determination protocol, H. Orman, Nov. 1998.

[43] RFC 2612 : The CAST-256 encryption algorithm, C. Adams, Jun. 1999.

[44] RFC 2630 : Cryptographic message syntax, R. Housley, Jun. 1999.

[45] RFC 2631 : Diffie-Hellman key agreement method, E. Rescorla, Jun. 1999.

[46] RFC 2857 : The Use of HMAC-RIPEMD-160-96 within ESP and AH, A. Keromytis and N. Provos,June 2000.

[47] RFC 2984 : Use of the CAST-128 algorithm in CMS, C. Adams, Oct. 2000.

[48] Internet Draft : Use of ECC Algorithms in CMS, S. Blake-Wilson and D. R. L. Brown, S/MIMEworking group “draft-ietf-smime-ecc-02.txt”, Sep. 2000.

[49] Internet Draft : Use of the RSAES-OAEP key transport algorithm in CMS, R. Housley, S/MIMEworking group “draft-ietf-smime-cms-rsaes-oaep-02.txt”, Nov. 2000.

[50] Internet Draft : Use of the IDEA encryption algorithm in CMS, S. Teiwes, P. Hartmann andD. Kuenzi, S/MIME working group “draft-ietf-smime-idea-08.txt”, Nov. 2000.

[51] Internet Draft : Password-based encryption for S/MIME, P. Gutmann, S/MIME working group“draft-ietf-smime-password-03.txt”, Oct. 2000.

56

[52] Internet Draft : Diffie-Hellman group exchange for the SSH transport layer protocol, M. Friedl,N. Provos and W. A. Simpson, “draft-provos-secsh-dh-group-exchange-00.txt”, May 2000.

[53] Internet Draft : Tiger: A fast new hash function, R. Anderson and E. Biham,http://www.cs.technion.ac.il/∼biham/Reports/Tiger/tiger/tiger.html, 1996.

[54] Internet Draft : The SSL protocol version 3.0, A. Freier, P. Karlton and P. Kocher,http://home.netscape.com/eng/ssl3/draft302.txt, Nov. 1996.

[55] Internet Draft : UMAC: Message authenticaiton code using universal hashing, T. Krovetz, J. Black,S. Halevi, A. Hevia, H. Krawczyk and P. Rogaway,http://www.cs.ucdavis.edu/∼rogaway/umac/draft-krovetz-umac-01.txt, Nov. 2000.

[56] Technical Report : A Layman’s Guide to a Subset of ASN.1, BER, and DER, B. S. Kaliski Jr., RSAlab. Technical Report, 1993.

[57] R. Anderson and E. Biham, Tiger: A fast new hash function, Fast Software Encryption, LNCS 1039,Springer-Verlag, 1996, pp. 89–98.

[58] D. V. Bailey and C. Paar, Optimal extension fields for fast arithmetic in public-key algorithms,Advances in Cryptology-Crypto’98, LNCS 1462, 1998, pp. 472–485.

[59] M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication,Advances in Cryptology-Crypto’96, LNCS 1109, Springer-Verlag, 1996, pp. 1–15.

[60] M. Bellare and P. Rogaway, Optimal asymmetric encryption, Advances in Cryptology-Eurocrypt’94,LNCS 950, Springer-Verlag, 1994, pp. 92–111.

[61] M. Bellare and P. Rogaway, The exact security of digital signatures – How to sign with RSA andRabin, Advances in Cryptology-Eurocrypt’96, LNCS 1070, Springer-Verlag, 1996, pp. 399–416.

[62] E. Biham, R. Anderson and L. R. Knudsen, Serpent: A new block cipher proposal, Fast SoftwareEncryption, LNCS 1372, Springer-Verlag, 1998, pp. 222–238.

[63] J. Black and P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions,Advances in Cryptology-Crypto 2000, LNCS 1880, Springer-Verlag, 2000, pp. 197–215.

[64] J. Black, S. Halevi, H. Krawczyk, T. Krovetz and P. Rogaway, UMAC: Fast and secure messageauthentication, Advances in Cryptology-Crypto’99, LNCS 1666, Springer-Verlag, 1999, pp. 216–233.

[65] D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryptionstandard PKCS#1, Advances in Cryptology-Crypto’98, LNCS 1462, Springer-Verlag, 1998, pp. 1–12.

[66] S. Cavalla, B. Dodson, A. K. Lensta, W. Loien, P. L. Montgomery, B. Murphy, H. te Riele, K. Aardal,J. Gilchrist, P. Leyland, J. Marchand, F. Morain, A. Muffett, C. Putnam, C. Putnam, and P. Zim-mermann, Factorization of a 512-bit RSA modulus, Advances in Cryptology-Eurocrypt 2000, LNCS1807, Springer-Verlag, 2000, pp. 1–18.

[67] D. Coppersmith, S. Halevi, and C. Jutla, ISO 9796-1 and the new forgery strategy, 1999.http://grouper.ieee.org/groups/1363/Research.

[68] J.-S. Coron, M. Joye, D. Naccache, and P. Paillier, New attacks on PKCS#1 v1.5 encryption, Advancesin Cryptology-Eurocrypt 2000, LNCS 1807, Springer-Verlag, 2000, pp. 369–381.

[69] J.-S. Coron, D. Naccache, and J. P. Stern, On the security of RSA padding, Advances in Cryptology-Crypto’99, LNCS 1666, Springer-Verlag, 1999, pp. 1–18.

[70] H. Dobbertin, A. Bosselaers, and B. Preneel, RIPEMD-160: A strengthened version of RIPEMD,Fast Software Encryption, LNCS 1039, Springer-Verlag, 1996, pp. 71-82.

57

[71] M. Girault and J.-F. Misarsky, Cryptanalysis of countermeasures proposed for repairing ISO 9796-1, Advances in Cryptology-Eurocrypt 2000, LNCS 1807, Springer-Verlag, 2000, pp. 81–90.

[72] F. Grieu, A chosen messages attack on the ISO/IEC 9796-1 signature scheme, Eurocrypt 2000, LNCS1807, Springer-Verlag, 2000, pp. 70–80.

[73] J. Jacobson, N. Koblitz, J. H. Silverman, A. Stein and E. Teske, Analysis of the Xedni calculusattack, Designs, Codes and Cryptography 20(1), 2000, pp. 41–64.

[74] J. Kilian and P. Rogaway, How to protect DES against exhaustive key search, Advances in Cryptology-Crypt’96, LNCS 1109, Springer-Verlag, 1996, pp. 252–267.

[75] N. Koblitz, A Course in Number Theory and Cryptography, GTM 114, Springer-Verlag, 1994.

[76] X. Lai, On the design and security of block ciphers, ETH Series in Information Processing vol 1, 1992.

[77] X. Lai, J. L. Massey, A proposal for a new block encryption standard, Advances in Cryptology-Eurocrypt’90, LNCS 473, Springer-Verlag, 1990, pp. 389–404.

[78] X. Lai, J. L. Massey and S. Murphy, Markov ciphers and differential cryptanalysis, Advances inCryptology-Eurocrypt’91, LNCS 547, Springer-Verlag, 1991, pp. 17–38.

[79] R. Lidl and H. Niederreiter, Finite Fields, Encyclopedia of Math. and its Appl. vol 20, Addison-Wesley Publishing Company, 1983.

[80] C. H. Lim, A revised version of CRYPTON : CRYPTON v1.0, Fast Software Encryption, LNCS 1636,Springer-Verlag, 1999, pp.46–59.

[81] C. H. Lim and P. J. Lee, A key recovery attack on discrete log based schemes using a prime ordersubgroup, Advances in Cryptology-Crypto’97, LNCS 1294, Springer-Verlag, 1997, pp. 249–263.

[82] C. H. Lim and P. J. Lee, A study on the proposed Korean digital signature algorithm, Advances inCryptology-Asiacrypt’98, LNCS 1514, Springer-Verlag, 1998, pp. 175–186.

[83] J. L. Massey, SAFER K-64: A byte-oriented block-ciphering algorithm, Fast Software Encryption,LNCS 809, Springer-Verlag, 1993, pp. 1–17.

[84] J. L. Massey, SAFER K-64: One year later, Fast Software Encryption, LNCS 1008, Springer-Verlag,1994, pp. 212–241.

[85] A. J. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publisher, 1993.

[86] A. J. Menezes, T. Okamoto and S. A. Vanstone, Reducing elliptic curve logarithms to logarithmsin a finite field, IEEE Trans. on Info. Theory 39(5), pp. 1639–1646 Sep. 1993.

[87] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press,1997.

[88] R. Rivest, The RC5 encryption algorithm, Fast Software Encryption’94, LNCS 1008, Springer-Verlag,1994, pp. 86–96.

[89] P. Rogaway and D. Coppersmith, A software-optimized encryption algorithm, Fast Software En-cryption, LNCS 809, Springer-Verlag, 1993, pp. 56–63.

[90] P. Rogaway and D. Coppersmith, A software-optimized encryption algorithm, Journal of Cryptol-ogy, 11(4), 1998, pp. 273-287.

[91] M. Rosing, Implementing Elliptic Curve Cryptography, Manning Publications, 1999.

[92] T. Satoh and K. Araki, Fermat quotient and the polynomial time discrete log algorithm for anoma-lous elliptic curves, Commentarii Math. Univ. St. Pauli 47, 1998, pp. 81-92.

58

[93] B. Schneier, Applied Cryptography, John Wiley & Sons, 1996.

[94] B. Schneier, Description of a new variable-length key, 64-bit block cipher (Blowfish), Fast SoftwareEncryption, LNCS 809, Springer-Verlag, 1993, pp. 191–204.

[95] I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve incharacteristic p, Math. of Comp. 67, 1998, pp. 353–356.

[96] J. H. Silverman, The Arithmetic of Elliptic Curves, GTM 106, Springer, 1986.

[97] J. H. Silverman and J. Suzuki, Elliptic curve discrete logarithms and the index calculus, Advancesin Cryptology-Asiacrypt’98, LNCS 1514, Springer-Verlag, 1998, pp. 110–125.

[98] N. Smart, The discrete logarithm problem on elliptic curves of trace one, J. of Cryptology 12, 1999,pp. 193–196.

[99] AES Home page, http://csrc.nist.gov/encryption/aes.

[100] RC6, http://www.rsasecurity.com/rsalabs/aes/

[101] TWOFISH, http://www.counterpane.com/twofish.html

[102] RIJNDAEL, http://www.esat.kuleuven.ac.be/∼rijmen/rijndael/[103] MARS, http://www.research.ibm.com/security/mars.html

[104] SERPENT, http://www.cl.cam.ac.uk/∼rja14/serpent.html[105] Request For Comments(RFC), http://www.ietf.org/rfc.html.

[106] IPSec Working Group, http://www.ietf.org/html.charters/ipsec-charter.html

[107] S/MIME Working Group, http://www.ietf.org/html.charters/smime-charter.html

[108] PKIX Working Group, http://www.ietf.org/html.charters/pkix-charter.html

[109] RIPEMD, http://www.esat.kuleuven.ac.be/∼bosselae/ripemd160.html

59

34�� A UMAC

�� (.*�� N6��"�� ̀��] .�� ̀��X�' -D6.

A.1 UHASH-32

UHASH-32��;<�� #$%�( H� KX� a@z@C� M+�%&\�� HashedMessage-�� 56#7Q��9U�56��VW, L1-HASH,L2-HASH(L1-HASH� Q��9U�� 8 f6��F1 ��) AB�� "�#456$%&), L3-HASH-�� r6¡�%& ��+*,(4�� ;<&':�� ABs6D6word size(32'�F1)4��O6P<#$��Q��9U�56#7r6¡�%&<<(6�&��H��;<��D6.q6Z6��MAC�� P\�#� >!��56#7� ��;<=>��D6.

• UHASH-32(K,M)

K : key string of length UMAC-KEY-LEN.M : message string of length less than 264 bytes.

• (procedure)

1. streams = �UMAC-OUTPUT-LEN / WORD-LEN�.2. N6��g6H� K%&\��\�#� ��;<� ��N6�� T>;��H��JK=>(A.36�)� KDFN6��).

L1Key = KDF(K, 0, L1-KEY-LEN+ 16 ∗ (streams − 1)),

L2Key = KDF(K, 1, 24 ∗ streams),

L3Key1 = KDF(K, 2, 64 ∗ streams),

L3Key2 = KDF(K, 3, 4 ∗ streams).

3. Y : empty string.

4. For i from 1 to streams,

(a)

L1Keyi = L1Key[16 ∗ (i − 1) + 1, · · · , 16 ∗ (i − 1) + L1-KEY-LEN],

L2Keyi = L2Key[24 ∗ (i − 1) + 1, · · · , 24 ∗ i],L3Key1i = L2Key1[64 ∗ (i − 1) + 1, · · · , 64 ∗ i],

L3Key2i = L3Key2[4 ∗ (i − 1) + 1, · · · , 4 ∗ i].

(b) A = L1-HASH-32(L1Keyi,M).(L1-HASH-32��A.1.16�)� ��C�) ��+D6.)

(c) B =

zeroes(8)||A, if length(M) ≤ L1-KEY-LEN,L2-HASH-32(L2Keyi,A), otherwise.

(L2-HASH-32��A.1.26�)� ��C�) ��+D6.)(d) C = L3-HASH-32(L3Key1i, L3Key2i,B).

(L3-HASH-32��A.1.46�)� ��C�) ��+D6.)(e) Y = Y||C.

5. Y = Y[1, · · · , UMAC-OUTPUT-LEN].

A.1.1 L1-HASH-32

L1-HASH-32��NH-32��;<-��56#7a@z@C�M�� 8 ∗ �length(M)/L1-KEY-LEN�f6��F1%&� 7:��56��9!��%&h&)�� UMAC-OUTPUT-LENh&D6��F�(��%&� 7:�� D6.

• L1-HASH-32(K,M)

K : key string of length L1-KEY-LEN.M : message string of length less than 264 bytes.

60

• (procedure)

1. t = �length(M)/L1-KEY-LEN�.2. M = [M1||M2|| · · · ||Mt]%&O6d��D6.

(for all 0 < i < t, length(Mi)=L1-KEY-LEN)

3. Len = uint2str(8 ∗ L1-KEY-LEN, 8).


5. For i from 1 to t − 1,

(a) if ENDIAN-FAVORATE = LITTLE then Mi = ENDIAN-SWAP(Mi).(b) Y = Y||(NH-32(K,Mi) +64 Len).

6. Len = uint2str(8 ∗ length(Mt), 8).

7. Mt = zeropad(Mt, 32).

(a) if ENDIAN-FAVORATE = LITTLE then Mt = ENDIAN-SWAP(Mt).(b) Y = Y||(NH-32(K,Mt) +64 Len).

8. Y-��Q��9U�.

NH-32��] .��C�) ��)*+n>.

A.1.2 L2-HASH-32

L1-HASH-32e6.;�34 -�+�%&F�(Q��9U��e6C��%& L2-HASH-32�� ‘polynomial hash function’ POLY-��56#7 16f6��F1�(. �� %&� 7:��+D6.

• L2-HASH-32(K,M)

K : key string of length 24 bytes.M : string of length less than 264 bytes.

• (procedure)

1. Mask64 = uint2str(0x01FFFFFF01FFFFFF, 8).

2. Mask128 = uint2str(0x01FFFFFF01FFFFFF01FFFFFF01FFFFFF, 16).

3. k64 = str2uint(K[1, · · · , 8] ∧Mask64).

4. k128 = str2uint(K[9, · · · , 24] ∧Mask128).

5. if length(M) ≤ 217 then

y = POLY(64, 264 − 232, k64,M).

6. else

(a) M1 =M[1, · · · , 217].(b) M2 =M[217 + 1, · · · , length(M)].(c) M2 = zeropad(M2||uint2str(0x80, 1), 16).(d) y = POLY(64, 264 − 232, k64,M1).(e) y = POLY(128, 2128 − 296, k128,uint2str(y, 16)||M2).

7. Y = uint2str(y, 16)-��Q��9U�.

61

A.1.3 POLY

�#� A.1.2� ��N6�� POLY��;<��D6��/�' -�� D6.134כ�� W�� A.2.2� ��=>' -��N6�� D6.

• POLY(wordbits,maxwordrange, k,M)

wordbits : positive integer divisible by 8.maxwordrange : positive integer less than 2wordbits.k : integer in the range {0, · · · ,prime(wordbits) − 1}.M : string with length divisible by wordbits/8 bytes.

• (procedure)

1. wordbytes = wordbits/8.

2. p = prime(wordbits).

3. o f f set = 2wordbits − p.

4. marker = p − 1.

5. n = �length(M)/wordbytes�.6. M = [M1||M2|| · · · ||Mn]+�%&>!�;��D6.

(for all 1 ≤ i ≤ n, length(Mi) = wordbytes.)

7. y = 1.

8. For i from 1 to n,

(a) m = str2uint(Mi).(b) if m ≥ maxwordrange then

i. y = (k ∗ y +marker) mod p.ii. y = (k ∗ y + (m − o f f set)) mod p.

(c) elsey = (k ∗ y +m) mod p.

9. y-��Q��9U�.

A.1.4 L3-HASH-32

L3-HASH-32�� L2-HASH-32�Q��9U��( 16f6��F1%&\�� 32'�F1-��Q��9U�56��;<��D6.

• L3-HASH-32(K1,K2,M)

K1 : key string of length 64 bytes.K2 : key string of length 4 bytes.M : string of length 16 bytes.

• (procedure)

1. y = 0.

2. For i from 1 to 8,

(a) Mi =M[2 ∗ (i − 1) + 1, · · · , 2 ∗ i],(b) Ki = K1[8 ∗ (i − 1) + 1, · · · , 8 ∗ i],(c) mi = str2uint(Mi),(d) ki = str2uint(Ki) mod prime(36).

3. y = (m1 ∗ k1 + · · · +m8 ∗ k8) mod prime(36).

4. y = y mod 232.

5. Y = uint2str(y, 4).

6. Y = Y ⊕ K2-��Q��9U�.

62

A.2 UHASH-16

UHASH-1634 WORD-LEN=2��%& UHASH-32X�� ̀] 9!��#e6 Q �Z6�� (.*�� r6��e6 O6C�>!� �̀] -��(� �(.*��n>��~��JKN656D6.

• UHASH-16(K,M)

K : key string of length UMAC-KEY-LEN.M : message string of length less than 264 bytes.

• (procedure)

1. streams = �UMAC-OUTPUT-LEN / WORD-LEN�.2. N6��g6H� K%&\��\�#� ��;<� ��N6�� T>;��H��JK=>.

L1Key = KDF(K, 0, L1-KEY-LEN+ 16 ∗ (streams − 1)),

L2Key = KDF(K, 1, 28 ∗ streams),

L3Key1 = KDF(K, 2, 32 ∗ streams),

L3Key2 = KDF(K, 3, 2 ∗ streams).


4. For i from 1 to streams,

(a)

L1Keyi = L1Key[16 ∗ (i − 1) + 1, · · · , 16 ∗ (i − 1) + L1-KEY-LEN],

L2Keyi = L2Key[28 ∗ (i − 1) + 1, · · · , 28 ∗ i],

L3Key1i = L2Key1[32 ∗ (i − 1) + 1, · · · , 32 ∗ i],L3Key2i = L3Key2[2 ∗ (i − 1) + 1, · · · , 2 ∗ i].

(b) A = L1-HASH-16(L1Keyi,M).

(c) B =

zeroes(12)||A, if length(M) ≤ L1-KEY-LEN,L2-HASH-16(L2Keyi,A), otherwise.

(d) C = L3-HASH-16(L3Key1i, L3Key2i,B).(e) Y = Y||C.

5. Y = Y[1, · · · , UMAC-OUTPUT-LEN].

A.2.1 L1-HASH-16

L1-HASH-1634 NH-16��;<-��56#7a@z@C�M�� 4 ∗ �length(M)/L1-KEY-LEN�f6��F1%&� 7:��56��9!��%& UMAC-OUTPUT-LENh&D6��F�(��%&� 7:��+D6.

• L1-HASH-16(K,M)

K : key string of length L1-KEY-LEN.M : message string of length less than 264 bytes.

• (procedure)

1. t = �length(M)/L1-KEY-LEN�.2. M = [M1||M2|| · · · ||Mt]%&O6d��D6.

(for all 0 < i < t, length(Mi)=L1-KEY-LEN.)

3. Len = uint2str(8 ∗ L1-KEY-LEN, 4).


63

5. For i from 1 to t − 1,

(a) if ENDIAN-FAVORATE = LITTLE then Mi = ENDIAN-SWAP(Mi).(b) Y = Y||(NH-16(K,Mi) +32 Len).

6. Len = uint2str(8 ∗ length(Mt), 4).

7. Mt = zeropad(Mt, 32).

(a) if ENDIAN-FAVORATE = LITTLE then Mt = ENDIAN-SWAP(Mt).(b) Y = Y||(NH-16(K,Mt) +32 Len).

8. Y-��Q��9U�.

NH-1634 ] .��C�) ��)*+n>.

A.2.2 L2-HASH-16

L1-HASH-16��.;�34 -�+�%&F�(Q��9U��e6C��%& L2-HASH-16=> L2-HASH-32� ��X�' -34 ‘polynomialhash function’ POLY-��56#7 16f6��F1�(. �� %&� 7:��+D6.

• L2-HASH-16(K,M)

K : key string of length 28 bytes.M : string of length less than 264 bytes.

• (procedure)

1. Mask32 = uint2str(0x01FFFFFF, 4).

2. Mask64 = uint2str(0x01FFFFFF01FFFFFF, 8).

3. Mask128 = uint2str(0x01FFFFFF01FFFFFF01FFFFFF01FFFFFF, 16).

4. k32 = str2uint(K[1, · · · , 4] ∧Mask32).

5. k64 = str2uint(K[5, · · · , 12] ∧Mask64).

6. k128 = str2uint(K[13, · · · , 28] ∧Mask128).

7. if length(M) ≤ 211 then

y = POLY(32, 232 − 6, k32,M).

8. else if length(M) ≤ 233 then

(a) M1 =M[1, · · · , 211].(b) M2 =M[211 + 1, · · · , length(M)].(c) M2 = zeropad(M2||uint2str(0x80, 1), 8).(d) y = POLY(32, 232 − 6, k32,M1).(e) y = POLY(64, 264 − 232, k64,uint2str(y, 8)||M2).

9. else

(a) M1 =M[1, · · · , 211].(b) M2 =M[211 + 1, · · · , 233].(c) M3 =M[233 + 1, · · · , length(M)].(d) M3 = zeropad(M3||uint2str(0x80, 1), 16).(e) y = POLY(32, 232 − 6, k32,M1).(f) y = POLY(64, 264 − 232, k64,uint2str(y, 8)||M2).(g) y = POLY(128, 2128 − 296, k128,uint2str(y, 16)||M3).

10. Y = uint2str(y, 16)-��Q��9U�.

�#� ��N6�� POLY��;<�� A.1.36�)� �� POLY��;<��D6.

64

A.2.3 L3-HASH-16

L3-HASH-1634 L2-HASH-16�Q��9U��( 16f6��F1%&\�� 16'�F1-��Q��9U�56��;<��D6.

• L3-HASH-16(K1,K2,M)

K1 : key string of length 32 bytes.K2 : key string of length 2 bytes.M : string of length 16 bytes.

• (procedure)

1. y = 0.

2. For i from 1 to 8,

(a) Mi =M[2 ∗ (i − 1) + 1, · · · , 2 ∗ i].(b) Ki = K1[4 ∗ (i − 1) + 1, · · · , 4 ∗ i].(c) mi = str2uint(Mi).(d) ki = str2uint(Ki) mod prime(19).

3. y = (m1 ∗ k1 + · · · +m8 ∗ k8) mod prime(19).

4. y = y mod 216.

5. Y = uint2str(y, 2).

6. Y = Y ⊕ K2-��Q��9U�.

A.3 KDF

UMAC� ��N6��g6H� K-�� \�#� ��;<� ��N6�� sub key string+�%& JK=>56��;< KDFe6 "�Sכ(56D6. KDF��$��34 N6��g6H� K-��&9U�+�%&56#7��56��(numbytesf6��F1)��N6�!�;<%�)��"�#� ��+D6. UMAC� �� KDF%& AES-��56��VW, N6��g6 H� K-�� AES� ��H�%& 56(. NULL G��.��OFBT>U�%&��56#7��56��H��F1��"�#� ��+D6.��AB, IV�� index%&��&9U�!*<��D6.#7�̀�� UMAC-KEY-LEN�� 8 ��J+( 128 '�F1 H�/128'�F1 �� AES-�� N6��56kl, UMAC-KEY-LEN�� 16

��J+( 256'�F1H�/128'�F1�� AES-��N6��+D6.

• KDF(K, index, numbytes)

K : key string for AES of length UMAC-KEY-LEN.index : non-negative integer less than 256.numbytes : length of output (positive integer).

• (procedure)

1. n = �numbytes/16�.2. T = zeroes(15)||uint2str(index, 1).


4. For i from 1 to n,

(a) T = AESK(T).(b) Y = Y||T.

5. Y = Y[1, · · · , numbytes]-��Q��9U�.

65

A.4 PDF

PDF��N6��g6H� KX� Nonce-��&9U�+�%&56#7 UMAC-OUTPUT-LENf6��F1��N6�!�;<%�)��Q��9U�56��;<��D6.

• PDF(K,Nonce)

K : key string for AES of length UMAC-KEY-LEN bytes.Nonce : string of length 1 to 16 bytes.

• (procedure)

1. Nonce = Nonce||zeroes(16 − length(Nonce)).

2. if UMAC-OUTPUT-LEN ≤ 8 then

(a) i = �16/UMAC-OUTPUT-LEN�.(b) numlowbits = �log2(i)�.(c) nlowbitsnum = str2uint(Nonce) mod 2numlowbits.(d) Nonce = Nonce ⊕ uint2str(nlowbitsnum, 16).(e) K′ = KDF(K, 128, UMAC-KEY-LEN).(f) T = AESK′(Nonce).(g) Y = T[nlowbitsnum ∗ UMAC-OUTPUT-LEN+ 1, · · · , (nlowbitsnum + 1) ∗ UMAC-OUTPUT-LEN].

3. else

(a) K1 = KDF(K, 128, UMAC-KEY-LEN).(b) K2 = KDF(K, 129, UMAC-KEY-LEN).

(c) Y =

AESK1 (Nonce), if UMAC-OUTPUT-LEN≤ 16,AESK1 (Nonce)||AESK2 (Nonce), otherwise.

(d) Y = Y[1, · · · , UMAC-OUTPUT-LEN].4. Y-��Q��9U�.

34�� B ./56��7$8$9�!"��

B.1 DSA./56��7$8$9�!" p, q�� E�!��

DSA�Y6Z6[�� p, q��N6��g6�� ;<��=>��D6��/�' -�� SEEDX�!��;< SHA1-��56#7�!�;<-�� "�#� �56#7 ]̂;<_.� ��¤¥��F1-�� ~�23�D6.�� AB, N6��"�� ]̂;<_.� ��¤¥��F1�� Rabin-Miller�!/"#��+�%& 40*,(��.;�� .�>��¤¥��F1-��~�� [� �;<e6 ]̂;<%&_.� �� [!�� 2−80 ��56%& ��+D6.#7�̀�� N6��56��=>a@��(Y6Z6[��"�#� �!/"0�&34 FIPS-186�!/"0�&��q6t1(.��(.,134כ�� X9.42� �� 56��=>a@��(Y6Z6[��"�#� ��)��0!)��+��J<��D6 [13, 14, 1].

g�� 1 9!�� "�#� �� SEED�'�F1;<%&�� 160��.;��Z6(.56J+( g '�F1� '�F1%�)/� ��;<�� D6��/�' -��%&*+(�� D6 (xi = 0, 1, 0 ≤ x < 2g).

(x1, x2, · · · , xg)←→ x = x12g−1 + x22g−2 + · · · + xg.

L = 512 + 64i� 34!�� L − 1 = 160n + b (0 ≤ b < 160)Z6(.��+D6.

1. 160'�F1��.;��!�;<%�) SEED"�#� �. SEED�'�F1;<-�� gZ6��+D6.7

2. U = SHA1(SEED) ⊕ SHA1((SEED + 1) mod 2g). 8

3. q = U ∨ 2159 ∨ 1.#7�̀�� ∨�� inclusive OR��;<��D6.LMy$J+( 2159 < q < 2160 e6�� D6.

7X9.30/� X9.42(m = 160��)AB)� �� SEED-�� 160'�F1%&(. ��+D6. g = 1608X9.30/� X9.42(m = 160��)AB)� �� mod<<(;!��%�TD6.

66

4. qe6 ]̂;<��(C�¤¥��F156#7�6©�J+(D6�� 19!��\��D6��.�>��+D6.

5. counter = 0, o f f set = 2Z6(.��+D6.

6. k = 0, · · · , n� 34!�� Vk = SHA1((SEED + o f f set + k) mod 2g). 9

7.

W = V0 + V12160 + V22160·2 + · · · + Vn−12160(n−1) + (Vn mod 2b)2160n,

X =W + 2L−1

LMy$J+( 0 ≤W < 2L−1��%& 2L−1 ≤ X < 2L�� D6..

8. c = X mod 2qZ6(.56#7, p = X − (c − 1)��Z6��+D6.LMy$J+( p ≡ 1 mod 2q��D6.

9. >!��) p < 2L−1��J+( 119!��%& l̀�#$8!�D6.

10. pe6 ]̂;<��(C�¤¥��F156#7 ]̂;<Z6(._.� ��"J+( 139!��%& l̀�#$8!�D6.

11. counter = counter + 1, o f f set = o f f set + n + 1.

12. >!��) counter ≥ 4096��J+( 19!��\��D6��.�>��+D6. counter < 4096��J+( 69!��\��D6��.�>��+D6.

13. SEEDX� counter-��;�56#7��vw� p, q�"�#� ��(��;<��=>��+D6.

p, q-��%&"�#� �!��h��D6J+(, p, q-��!*<34 .;�34!/"34 !*<34 p, q� 34!��$!�2/(��+ ]̂;<��(C��6?�(C�-�� ;<e6%�T�:�� D6.D6��% �!��.;�34!/"��;!�%&LM-��:u��;<��=>a@��(Y6Z6[��-��"�#� �56#7=>LM1כ�� (�� ;<e6 %�TD6. q6Z6�� =>a@��( Y6Z6[��-�� %& "�#� �56C� � ,(. �#X� ' -�� %& SEED-��"�#� �56#7 =>a@��(Y6Z6[��-�� "�#� �56J+( ��vw� �#$%�( SEED%&=>a@��( Y6Z6[��-�� D6��"�#� �56#7 ��)��+ counterX� p, q-��"�#� ��;<��C�� ;<��:�� D6.

B.2 KCDSA./56��7$8$9�!" p, q, g��

=>a@��(Y6Z6[��-��"�#� ��AB"�+��Sכ( ]̂;<_.� ��34 Rabin-Miller_.� ��0�&��N6��56kl 40*,(��.;��.�>��¤¥��F1-��56#7�[� �;<-�� ]̂;<%&_.� ��[!�� 2−80��56%&��+D6.�!�;<"�#� ��AB,"��!��>;��!+��Sכ(��;<-��N6��;<=>��D6.J<,,(34 N6��56��!��;<-�� HAS160��Z6(.e6 ��56(.D6��/�' -�� #$%�(seed%&\�� n'�F1�!�;<%�)��"�#� �56��N6�!�;<��;< PRNG-�� +D6. (k = �n/160�, r = n mod 160)

PRNG(seed, n) = V0 + V12160 + · · · + Vk−12160(k−1) + Vk2160k

Vi = HAS160(seed||i) for i = 0, 1, · · · , k − 1,

Vk = HAS160(seed||k) mod 2r

#7�̀�� seedX��<<(6�&"�� i, k�� 8'�F1;<%&��"(.,"� >S��+��Jכ(��;<%�)/�'�F1%�)��%&*+(�� D6."�#� �56(.g656�� p, q�'�F1;<-�� α, βZ6(.56(.D6��/�' -34 9!��-��~��, p = 2 jq + 1�� 9�&56

=>��"�#� ��+D6 [22].

1. β'�F1E��̀��'�F1%�) Seed-��,,(aF��+D6.

2. U = PRNG(Seed, α − β − 4).

3. j = 2α−β−4 ∨U ∨ 1.

4. j-�� ]̂;<_.� ��56#7 ]̂;<e6�6©�J+( 19!��%&8!�D6.

5. Count = 0.

6. Count← Count + 1.9X9.30/� X9.42(m = 160��)AB)� �� mod<<(;!��%�TD6.

67

7. Count > 224��J+( 19!��%&8!�D6.

8. U = PRNG(Seed||Count, β).

9. q = 2β−1 ∨U ∨ 1.

10. p = 2 jq + 1�'�F1;<e6 αh&D6E�J+( 69!��%&8!�D6.

11. q-�� ]̂;<_.� ��56#7 ]̂;<e6�6©�J+( 69!��%&8!�D6.

12. p-�� ]̂;<_.� ��56#7 ]̂;<e6�6©�J+( 69!��%&8!�D6.

13. (p, q, j)X� Seed-��;�Q��9U��+D6.

#7�̀��N6��"�� Count�� 4f6��F1�'�F1%�)%&��"��' .��D6כF×p��#;< q��(\�#� a#��"�#� �� g��"�#� �� =>a@��(Y6Z6[�� (p, q, j)%&\��D6��/�' -��+D6.��

�%& 1 < r < p��( r��"�#� �56#7 g = r2 j (mod p)-��;!�56#7 g � 1��J+(�� D6.=>a@��(Y6Z6[��N6��g6�� Seed%&\�� (p, q, j)�"�#� �� ;<��+�kl gq (mod p)��(��

;<��D6.

B.3 Diffie-Hellman./56��7$8$9�!" p, q��

B.3.1 X9.42L6%&�� 7$8$9�!"��

Diffie-Hellman � �(.*�� =>a@��( Y6Z6[�� "�#� �34 DSA =>a@��( Y6Z6[�� "�#� �� )�.��+ ��1כ�Z6(. �� ;< ��D6 [1, 13]. (L�� 512� �� 1024N6�� 64� I�;<��(. m = 160��Z6(. 56J+( 6.4.16�)� !/"0�&/�~��' -D6.)LMy$J+("�#� �56(.g6 56�� ]̂;< p, q�'�F1;<-�� L,m��Z6(.56��VW, L34 512��.;��(.256�I�;<Z6(.56(. m34 160��.;�+�%&!��p��+D6. (Y6Z6[��"�#� �34 X9.42X� RFC2631�!/"0�&��q6W4 D6.�<!/"0�&34 ��m� �� 29!��-��?@XA56(.��T>�<' -D6.)

1. m′ = �m/160�, L′ = �L/160�,N = �L/1024�%&��̀��+D6.

2. ��!�;<%�) seed-��"�#� �56��VW, X9.42� �� |seed| = m��(. RFC2631� �� |seed| ≥ m��D6.

3. q = 0+�%&��̀��+D6.

4. i = 0, · · · ,m′ − 1�6C�

q = q + (SHA1(seed + i) ⊕ SHA1(seed +m′ + i)2160i

-��;!��+D6.

5. q = (q ∨ 2m−1 ∨ 1) mod 2m ��Z6(.56J+( q�� m'�F1�s,t;<e6�� D6.

6. qe6 ]̂;<��(C�¤¥��F156#7�6©�J+( 29!��%&e6��G%&*� seed%&�.�>��+D6.

7. pgenCounter = 0+�%&��̀��+D6.

8. R = seed + 2m′ + (L′ · pgenCounter)Z6(.��+D6.

9. p = 0+�%&��̀��+D6.

10. i = 0, · · · , L′ − 1�6C�p = p + SHA1(R + i)2160i

-��;!��+D6.

11. p = (p ∨ 2L−1) mod 2L ��Z6(.56J+( p�� L'�F1�;<e6�� D6.

12. pe6 ]̂;<��(C�¤¥��F156#7 ]̂;<Z6J+( (p, q, seed, pgenCounter)-��;�56(.FGH:;�D6.

13. pe6 ]̂;<e6�6©�J+( pgenCounter = pgenCounter + 1.

14. >!��) pgenCounter < 4096N��J+( 89!��%&�"��6e6��G%&*� p-��"�#� �56(.�6©�J+( �� -��Q��9U�

56(.FGH:;�D6.

68

B.3.2 IPSec IKEL6%&0$��N$�� Oakley group�� "#�$��

IPSec IKE� �� N6��56�� Diffie-Hellman Y6Z6[�� Oakley key determination protocol (RFC 2412[42])� �� + Oakley group��N6��+D6. RFC 2412�� 768, 1024, 1536'�F1� ]̂;< p-��"�#� �56��!/"0�&/� LM ��-�� ?@��56(. ��D6 [42, 41]. �� J< q�� /".;� (p − 1)/2��kl�#;< q��( \�#� a#�� "�#� �� g�� /".;�2e6�� D6.

p-��"�#� ��AB,u2.;��# 64'�F1X�u256�# 64'�F1-�� 1%&>!�;��D6.��H�I�:56J+(��!� -��(<<(;!��e6R$�!�C��;� -��D6.O6k$C�e6*� VW\�#� 34 �� !� π-��%�(2/(�G��+' ��&%�+כ�D)I��D6. π' ��G)/2�כ)�.� -�+�%& uniform��+ random;<Z6(.h&�6=>{<!/"56��%&��!/"0�&+�%&��:�!�;<%�)��E��;<��D6.��-��#$ 768'�F1� ]̂;< p-��>!��(.g656J+(

p = 2768 − 2704 + 264(2638π + counter) − 1

� �� counter' ��)+��56J)+*��כ pe6 ]̂;<e6"=>��56J+(�� D6.��AB, pe� >!��6©�Z6 q = (p − 1)/2=>�� ]̂;<e6"=>��56�� counter' +��$��R?S��D6.(��yכ ]̂;<�Z;�

(q, 2q + 1)�� Sophie Germain ]̂;<Z;��Z6(. \�W4 D6.) ��y$��+ ]̂;< (p, q)� 34!�� p ≡ 7 mod 8��%&〈2〉��#;<e6 q��( F×p�\�#� a#�� D6 (p − 1 � 〈2〉).

��?@� Oakley group��D6��/�' -D6.

1. 768'�F1 : p = 2768 − 2704 + 264(2638π + 149686)− 1.

2. 1024'�F1 : p = 21024 − 2960 + 264(2894π + 129093)− 1.

3. 1536'�F1 : p = 21536 − 21472 + 264(21406π + 741804)− 1.

B.4 ��)��Eכ��$+

B.4.1 Fp��כ��$+��

Q6�� !',,(34 ��]̂ (a, b)-��,,(aF�56#7LM�#;<-��;<=>��(.,I�J34 CM !',,(��56��!/"0�&��D6 [2, 3]. ��%& !',,(��"�#� �56��!/"0�&34 D6��/�' -D6.J<,,(, t = �log2 p�, s = �(t − 1)/160�, h = t− 160sZ656g6. 10

1. 160'�F1��.;��'�F1%�) SEED-��"�#� �56#7 g-�� SEED�'�F1;<Z6(.��+D6. 11

2. c0-�� SHA1(SEED)�56�# h'�F1Z6(.��+D6.

3. W0 = c0 ∧ (2h−1 − 1) : c0� 5̂1'�F1-�� 0+�%&>!�;��D6.

4. Wi = SHA1((SEED + i) mod 2g), (i = 1, · · · , s).

5. W = (W0 ||W1 || · · · ||Ws) = (w1w2 · · ·wt).

6. r =∑t

i=1 wi2t−i (< p).

7. >!��) 4r + 27 ≡ 0 mod pZ6J+( 19!��\��D6��+D6.

8. ��%& rb2 ≡ a3 mod pe6� �9�&56�� (a, b)-��,,(aF��+D6.

9. E : y2 = x3 + ax + b��(., (SEED, a, b)-��Q��9U��+D6.

10P1363 [A.12.4]� ��!��;<%& SHA1%&(. ��56C�� ,(.D6��+!��;<-��N6��;<��=>��56�$�D6.!��;< H�Q��9U��-�� B'�F1Z6(.��AB, s = �(t − 1)/B�, h = t − Bse6"kl, SEED%& B'�F1��.;��,,(aF��+D6.

11FIPS 186-2� �� SEED-�� 160'�F1%&(. ��56#7,,(aF��+D6. (g = 160)D6W4 9!��T>�<' -D6.

69

B.4.2 F2m��כ��$+��

�#X� s6J.�e6C�%& CM !',,(�� 56#7 �#;<-�� 56~�O6, Weil� ��*�-�� + !/"0�&+�%& �#;<-�� ;<=> ��(., D6��/� ' -�� %& Q6�� !',,(�� "�#� �56#7 �#;<-�� 6�& ��;!�� ;<=> ��D6 [2, 3]. t = m,s = �(t − 1)/160�, h = t − 160sZ6(.56g6. 12

1. 160'�F1��.;��'�F1%�) SEED-��"�#� �56#7 g-�� SEED�'�F1;<Z6(.��+D6.13

2. b0-�� SHA1(SEED)�56�# h'�F1Z6(.��+D6.

3. bi = SHA1((SEED + i) mod 2g), (i = 1, · · · , s).

4. b = (b0 || b1 || · · · || bs).

5. b = 0��J+( 19!��\��D6��+D6.

6. a ∈ F2m��%&,,(aF��+D6.LMy$J+( E : y2 + xy = x3 + ax2 + b��D6.

7. (SEED, a, b)-��Q��9U��+D6.

B.4.3 (��

��+Q6�� !',,(��#;<-�� uZ656#7 ]̂;<_.� ��+D6.>!��) ue6�� ]̂;<-��|��56(.�� near prime��6©�J+(D6�� \��G%&*� Q6�� !',,(��"�#� �56=>��+D6. ue6 near prime��(��J<J+( u = hn (h�� smoothnumber, n34 probable prime��(. n > 2160, n > 4

√q��#$�p��+D6. q�� pI�J34 2m.)��Z6(.56(. Ee6MOV

!"�X�� $!�2/(��+ !',,(��(C�, anomalous !',,(�� 6?�(C�-�� N6��+D6. >!��) MOV !"�X�� + !',,(��~�O6,anomalous !',,(��J+(�G%&*� Q6�� !',,(��"�#� �56=>��+D6.�6©�J+( n��#;<%&' &�� E��]̂ G-��%&,,(aF��+D6.LMy$J+(N6��g6��G��(H� 0 < d < n-��%&"�#� �56#7, !"�GH� Q = dG-��56#7 !"�G��+D6.

34�� C Diffie-Hellman(��*� ��

C.1 X9.42��(��*� ��

Diffie-Hellman � �(.*�� N6��g6e6 N6�� =>a@��( Y6Z6[�� T>;�� N6��g6e6 !")��+�%& !"JK56��(. �� Y6Z6[��(SDP:Static Domain Parameters) (ps, qs, gs)e6��(.,T>U�� q6Z6��"��Sכ(�ABs6D6"�#� �56#7N6��56��Y6Z6[��(EDP:Ephemeral Domain Parameters) (pe, qe, ge)e6��D6.#$m��J<;��C�.;�34!/"�=>a@��(Y6Z6[�� \��!/"0�&(B.3.16�))+�%&"�#� �"#$� ��;<��=>�� 56~�O6,?@.��(��̀�� +�%&\��(��!*<34 �)/1��#$�p>!�$!�2כ��h&�;�!*<��;<��D6.

X9.42� �� 56(.�� Diffie-Hellman� �(.*�� Shared sectet+�%&\��Master secrete� >!��6©�Z6 MacKey-��>D6W4 !/"0�&+�%&JK=>56(.N6��g6� ID, !"�GH��$�+�%&\�� MacData-��>!��#$��JK=>�� MacKey-��e6C�(. SHA1+�%&HMAC��56#7MacTag-��"�#� ��+D6.

C.1.1 Diffie-Hellman

(x, y)�� SDP� 3456#7��N6��g6s6D6 (. ��56#7N6��56�� (�G��(H�, !"�GH�)��(. (r, t)�� SDPI�J34 EDP� 3456#7"��Sכ(�ABs6D6��%&"�#� ��+�� (�G��(H�, !"�GH�)-��O6Q6:;�D6.

• dhStatic : SDP%&"�#� �� (. ��H� (x, y)-��N6��56#7D6��/�' -�� Shared secret Z-��()��+D6.

Z = gxAxBs mod ps,

= yxBA mod ps (B��;!�),

= yxAB mod ps (A��;!�).

12P1363 [A.12.6]� ��!��;<%& SHA1%&(. ��56C�� ,(.D6��+!��;<-��N6��;<��=>��56�$�D6.!��;< H�Q��9U��-�� B'�F1Z6(.��AB, s = �(t − 1)/B�, h = t − Bse6"kl, SEED%& B'�F1��.;��,,(aF��+D6.

13FIPS 186-2� �� SEED-�� 160'�F1%&(. ��56#7,,(aF��+D6. (g = 160)D6W4 9!��T>�<' -D6.

70

LMy$J+( Shared secret ZZ-��56#7�� MacKeyX�Master secret K-�� E��D6. ��E34 MacKey-��N6��56#7g6��(/�.;�34!/"� !"�GH� ��h&� 34��+MacTag-��+D6.

dhStaticT>U�� %&� (. �� !"�GH�� .;�34!/"� ��(��$�+�%&\�� e6C�(. ��D6(. e6 ��56(.N6��g6N6�� ?@%&()�"��VW��%�TD6.

• dhEphem : EDP%&"�#� �� H� (xe, ye)-��N6��56#7D6��/�' -�� Shared secret Z-��()��+D6.

Z = grArBe mod pe,

= trBA mod pe (B��;!�),

= trAB mod pe (A��;!�).

LMy$J+( Shared secret ZZ-��56#7�� MacKeyX�Master secret K-�� E��D6. ��E34 MacKey-��N6��56#7g6��(/�.;�34!/"� !"�GH� ��h&� 34��+MacTag-��+D6.

• dhHybrid1 : ��N6��g6�� SDP%&"�#� �� <Z;��H� (x, y)X� (r, t)-��' &��D6.��g6��H� (r, t)-��56#7 Ze = grArB

s (mod ps)-�� 56(., (. ��H� (x, y)-�� 56#7 Zs = gxAxBs (mod ps)-�� 56#7

Shared secret ZZ = [oct(Ze)||oct(Zs)]-��+D6. LMy$J+( ZZ� �� MacKeyX�Master secretK-��E(.,��E34 MacKey-��N6��56#7g6��(/�.;�34!/"� !"�GH� ��h&� 34��+MacTag-��+D6.

• dhHybrid2 : ��N6��g6�� SDP%&"�#� �� (. ��H� (x, y)X� EDP%&"�#� �� H� (r, t)-��' &��D6.��g6� EDPX��H� (r, t)-��56#7 Ze = grArB

e (mod pe)-��56(., SDPX�(. ��H� (x, y)-��56#7 Zs = gxAxB

s (mod ps)-��56#7 Shared secret ZZ = [oct(Ze)||oct(Zs)]-��+D6.LMy$J+( ZZ� �� MacKeyX�Master secret K-��E(.,��E34 MacKey-��N6��56#7g6��(/�.;�34!/"� !"�GH� ��h&� 34��+MacTag-��+D6.

C.1.2 MQV

MQV��Menezes-Qu-Vanstone� ��+ Diffie-Hellman�;< �� (.*��D6. X9.42� ��D6��/�' -��<e6C��MQV-��+H�#� I�01%&2&�� +D6.

• MQV2 : MQV2��N6��g6e6 SDP (p, q, g)-��e6C�(.(. ��H� (x, y)X��a@z@C�s6D6��H�(r, t)-��"�#� ��+D6.��AB, w = |q|/2Z6(.��+D6.LMy$J+(N6��g6 A,B��D6��/�' -�� !"JK secret Z-��()��+D6.

N6��g6 A N6��g6 B

rA ∈ {2, · · · , q − 1}tA = grA mod p��H� : (rA, tA)

rB ∈ {2, · · · , q − 1}tB = grB mod p��H� : (rB, tB)

tB←−−−−−−−−−−→tA


sA = (rA + t̄AxA) mod qt̄B = (tB mod 2w) + 2w

Z = (tByt̄BB )sA mod p

t̄B = (tB mod 2w) + 2w

sB = (rB + t̄BxB) mod qt̄A = (tA mod 2w) + 2w

Z = (tAyt̄AA )sB mod p

• MQV1 : MQV134 MQV2X�s6J.�e6C�%& SDP-��e6C�(.(. ��H�X��H�-��"�#� �56#7N6��+D6.LMy$O6 MQV2X�� Q �*� Initiator IX� Recipient R� �$�� %& D6t1D6. I�� (. ��H�X� ��H�-�� T>�< N6��56�� .�J+(� R34 (. ��H�>!�� N6��+D6. #7�̀�� H�� (. �� =>a@��( Y6Z6[��-�� e6C�(."�#� ��+D6. secret Z�� IX� R��D6��/�' -��+D6.

71

Initiator Recipientt̄I = (tI mod 2w) + 2w,sI = (rI + t̄IxI) mod q, t̄I = (tI mod 2w) + 2w

,Z = ysI

R mod p. Z = (tI yt̄II )xR mod p.

C.2 RFC 2631��DH ��

• Ephemeral-Static Mode : Ephemeral-StaticT>U�� SDP (p, q, g)� 3456#7;<��(g6(B)��(. ��H� (xB, yB)-��N6��56��.�J+(� LM��(g6(A)��h&�4��a@z@C�s6D6�G%&*� ��H� (rA, tA)-��"�#� ��+D6.q6Z6�� LM��(g6>!� g6��(� �� !"�GH�-�� .;�34!/"� �: 2/(Q �56J+( "(. ;<��(g6�� VW��-�� h&XYZ "�Sכ(

e6%�T��T>U��D6.

Shared secret Z��D6��/�' -��;<��D6.

Z = grAxB mod p,= txB

A mod p (B��;!�),

= yrAB mod p (A��;!�).

X9.42X��Q �*� Z%&\�� MacKey�$��"�#� �56C�� ,(.q6Z6��MacTag-��"�#� �56C�� ,��D6.

RFC 2630 - Cryptographic Message Syntax (CMS) -� q6t1J+( CMS-��56��J< H�()�� (.*��+�%&�.�U�� Ephemeral-Static Diffie-Hellman��56=>��"#$��D6.

• Static-Static Mode : Static-StaticT>U�� ̀] -�+�%& X9.42� dhStatic/�' -D6.D6>!�MacTag-��"�#� �56C�� ,��D61כ��D6t1D6.

C.3 ��!" �%�� L6%&0$��N$��>/?�

IPSec�� '��v��+ SSH, Oakley key determination 01%&2&�� $�� N6��56�� T>U�%& Ephemeral-Ephemeral T>U�e6 ��D6. �� T>U�� LM�/;<��(g6 T>�< SDP%& \�� H�>!�� "�#� �56#7 Shared secretZ = grArB

s mod ps-��56��T>U��D6 [41]. 134כ�� X9.42��=>a@��(Y6Z6[��-��N6��56�� dhEphem/��Q �*�(. ��=>a@��(Y6Z6[�� 34!�

��H�-��"�#� �56#7N6��56��T>U��D6.(. ��H�-��N6��56C�� ,+��%& Ephemeral-EphemeralT>U�g6��%&N6��g6��(��;<e6%�T(.D6W4 ��(��̀R$��"�.S56D6כ(

C.4 (��*� ��

�6�� (x, y)�� (. �� (�G��(H�, !"�GH�), (r, t)�� (�G��(H�, !"�GH�)-�� O6Q6:;�D6 (#7�̀��y = gx mod p, t = gr mod p). �>��+ (x, y)�� (. �� =>a@��( Y6Z6[��(SDP)-�� e6C�(. "�#� �56(. SDP-(r, t)X� EDP-(r, t)�� SDPX��=>a@��(Y6Z6[��(EDP)-��e6C�(."�#� .1��O6Q6:;�D6כ�+��(. ��H�� )��(56�� 8�9� ()�"�� 1כ� �6©�Z6 .;�34!/"� CA(Certificate Authority)%&\�� !*<34 ��(

��%&\��E��;<��H��D6.��H��)��(56�� ̀�8!�s6D6a�*,(�G-�m�:"�#� �"��H�-��[��+D6.D6�� T>U�� N6��56��=>a@��( Y6Z6[�� X�N6��g6e6 N6��56�� H��O6Q6:;� ��D6.(X9.42� dhStaticT>U�X� RFC2631� Static-StaticT>U�� dhStatic��MAC��"�#� ��.)XA56@?��1כ��56' -D6.)

SDP EDP LM��(g6 LM��(g6 ;<��(g6 ;<��(g6

(. ��H� ��H� (. ��H� ��H�

dhStatic © × (xi, yi) × (xj, yj) ×dhEphem × © × EDP-(ri, ti) × EDP-(rj, tj)

dhHybrid1 © × (xi, yi) SDP-(ri, ti) (xj, yj) SDP-(rj, tj)dhHybrid2 © © (xi, yi) EDP-(ri, ti) (xj, yj) EDP-(rj, tj)

Ephem-Stat © × × SDP-(ri, ti) (xj, yj) ×Ephem-Ephem © × × SDP-(ri, ti) × SDP-(rj, tj)

MQV1 © × (xi, yi) SDP-(ri, ti) (xj, yj) ×MQV2 © × (xi, yi) SDP-(ri, ti) (xj, yj) SDP-(rj, tj)

72

D6��LM��(g6e6 ��%&2/(Q �56�� VW��X��?@%& ��E34 !"JK secret' �;:��O6Q6כ ��D6.#7�̀��gc��T>�< gc mod p-��[��+D6.

LM��(g6→;<��(g6 ;<��(g6→LM��(g6 !"JK secret

dhStatic × × gxixjs

dhEphem ti tj grirje

dhHybrid1 ti tj grirjs ||gxixj

s

dhHybrid2 ti tj grirje ||gxixj

s

Ephem-Stat ti × grixjs

Ephem-Ephem ti tj grirjs

MQV1 ti × z1

MQV2 ti tj z2

MQV� �� t̄ = (t mod 2|q|/2) + 2|q|/2, s = (r + t̄x) mod qZ6(.��AB,D6��/�' -�� z1, z2-��+D6.

z1 = gxj(ri+t̄ixi) =

ysi

j , LM��(g6��;!�,(tiyt̄i

i

)xj, ;<��(g6��;!�,

z2 = g(ri+t̄ixi)(rj+t̄ jxj) =

(tjy

t̄j

j

)xi

, LM��(g6��;!�,(tiyt̄i

i

)xj, ;<��(g6��;!�.

34��D ECDH:� ECMQV

D.1 X9.63��(��*� ��

• �̀] ECDH�� (.*��

Z = hdAdBG =

hdAQB, A��;!�,hdBQA, B��;!�.

Shared secret34 Z� x ̂�� zx ∈ Fq��D6.

• �̀] ECMQV�� (.*��

G��#;< n�'�F1;<-�� fZ6(.��AB,JK��+�� MQV� �� t̄� !�=;�56��;< av f-�� av f (Q) = (qx

mod 2� f/2�) + 2� f/2�X�' -�� +D6.��N6��g6��<Z;��H� (d1,Q1), (d2,Q2)-��e6C�(.��D6. (T>U�� q6Z6��<Z;��H�e6' -��;<=>��(.,�<Z;��H�8�956O6��(. ��H�O6k$C�56O6��H�%&��%&D6-��;<=>��D6.)

iA = d2,A + av f (Q2,A) × d1,A mod n,

iB = d2,B + av f (Q2,B) × d1,B mod n,

Z =

{(h · iA)(Q2,B + av f (Q2,B)Q1,B), A��;!�,(h · iB)(Q2,A + av f (Q2,A)Q1,A), B��;!�.

Shared secret34 Z� x ̂�� zx ∈ Fq��D6.

• MAC� �(.*��

ECDHX� ECMQV� ��MacTag-��!��p56��T>U��D6. X9.63� ��)��0!)x�MAC� �(.*�� 56C�� ,(. 80'�F1��.;��$!�2/(� ��' &�� ̀7� �MAC� �(.*��N6��;<��=>��56�$�D6.N6��e6R$��+� �(.*��+�%&�� HMAC�$��e6R$�56D6.

73

D.1.1 ECDH(��*� ��>/?�

EDP�� Ephemeral Domain Parameter, SDP�� Static Domain Parameter-��O6Q6�4(., (de,Qe)��H�,(ds,Qs)�� (. ��H�-�� O6Q6�4�� VW, )��x� SDP-(de,Qe)X� EDP-(de,Qe)�� SDP, EDP� 34��+ ��H�-��O6Q6:;�D6.LM*�(. SigDPX� (dsig,Qsig)�� "�#� �/��(��#��+=>a@��(Y6Z6[��X�LM� q6W4 H�-��O6Q6:;�D6. I,R�� initiatorX� responder-�� O6Q6:;�D6. (Shared secret+�%& \�� H� �� "�#� �56�� 134כ�D.1.1.36�)��)*+n>.)

• Ephemeral Unified Model : EDP-(de,Qe)%&\�� Shared secret Ze-��56#7 KeyData-��E��D6.

• 1-Pass Diffie-Hellman : I�� SDP-(de,Qe)-�� "�#� �56#7N6��56(., R34 (ds,Qs)-�� N6��+D6.��%&\�� Z-��56#7 KeyData-��E��D6.

• Static Unified Model : (ds,Qs)%&\�� Shared secret Zs-��56#7 KeyData-��E��D6.

• Combined Unified Model with Key Confirmation : (ds,Qs)%& \�� Zs-�� 56#7 MacKey-�� E��D6. MacKey-�� N6��56#7 g6��(/� .;�34!/"� ephemeral !"�GH�� 34��+ MAC�� "�#� �/��(��+D6.14

EDP-(de,Qe)%&\�� Ze-��56#7 KeyData-��E��D6.

• 1-Pass Unified Model : I�� SDP-(de,I,Qe,I), (ds,I,Qs,I)-�� T>�< N6��56(., R34 (ds,R,Qs,R)>!�� N6��+D6. SDP-(de,I,Qe,I)X� (ds,R,Qs,R)%& \�� Ze-�� 56(., (ds,I,Qs,I)X� (ds,R,Qs,R)%& \�� Zs-�� 56#7Shared secret Z = [Ze||Zs]/��%&\�� KeyData-��E��D6.

• Full Unified Model : I,RT>�< EDP-(de,Qe), ds,Qs-��N6��+D6.��, EDP-(de,Qe)%&\�� Ze-��56(., (ds,Qs)%&\�� Zs-��56#7 !"JK secret Z = [Ze||Zs]/��%&\�� KeyData-��E��D6.

• Full Unified Model with Key Confirmation : Full Unified Model/�' -�� Shared secret Z-��56#7��%&\��MacKey + KeyData-��E��D6. MacKey-��N6��56#7g6��(/�.;�34!/"�� !"�GH�� 34��+MAC��"�#� �/��(��+D6.

• Statioin to Station : EDP-(de,Qe)%& \�� Ze-�� 56(., ��%&\�� MacKey + KeyData-�� E��D6. SigDP-(dsig,Qsig)-�� N6��56#7 g6��(/� .;�34!/"� !"�GH� Qe� 34!�� "�#� �/��(��+D6.15

MacKey-��N6��56#7g6��(/�.;�34!/"� !"�GH�� 34��+MAC��"�#� �/��(��+D6.

D.1.2 ECMQV(��*� ��>/?�

EDP, SDP, (de,Qe), (ds,Qs), I,R34 ECDH��J<X�' -D6.

• 1-Pass MQV : I�� (d1,Q1)34 (. ��H�%& (d2,Q2)�� SDP� 34��+ ��H�%&N6��56(., R34 T6�D6 56O6�(. ��H�%&N6��+D6. ECMQV� �!�� Z-��56#7 KeyData-��E��D6.

• Full MQV : R� (d2,Q2)-�� SDP� 34��+ ��H�%& N6��56�� 1כ� 1-Pass MQVX� D6t1D6. �$��ECMQV� �!�� Z-��56#7 KeyData-��E��D6.

• Full MQV with Key Confirmation : Full MQVX��)56�: Z-��56#7MacKey + KeyData-��E��D6. MacKey-��N6��56#7g6��(/�.;�34!/"� ephemeral !"�GH�� 34��+MAC��"�#� �/��(��+D6.

D.2 ECDH:� ECMQV��>/?��

Ephemeral Domain Parameter(EDP)��Q6�� !',,(� �̀��(JK��+��,Q6�� !',,(,"�#� ��/��#;<T>�<-��%&"�#� �56��=>a@��(Y6Z6[��-��[��+D6. (d,Q)��(. ��H� (r,T)��H�-��O6Q6:;�D6.

14#7�̀��N6��56��MAC� �(.*��+�%&h&)�� 2-key DESO6 HMAC�$��e6R$�56D6.15#7�̀��N6��56�� 34 ECDSA��D6.

74

SDP EDP SigDP LM��(g6 LM��(g6 ;<��(g6 ;<��(g6

(. ��H� ��H� (. ��H� ��H�

EphemUM × © × × EDP-(ri,Ti) × EDP-(rj,Tj)1-PassDH © × × × SDP-(ri,Ti) (dj,Qj) ×StatUM © × × (di,Qi) × (dj,Qj) ×

CombUMwithKC © © × (di,Qi) EDP-(ri,Ti) (dj,Qj) EDP-(rj,Qj)1-PassUM © × × (di,Qi) SDP-(ri,Ti) (dj,Qj) ×

FullUM © © × (di,Qi) EDP-(ri,Ti) (dj,Qj) EDP-(rj,Tj)FullUMwithKC © © × (di,Qi) EDP-(ri,Ti) (dj,Qj) EDP-(rj,Tj)

StoS × © © × EDP-(ri,Ti) × EDP-(rj,Tj)

1-Pass MQV © × × (di,Qi) SDP-(ri,Ti) (djQj) ×Full MQV © © × (di,Qi) EDP-(ri,Ti) (dj,Qj) EDP-(rj,Tj)

Full MQV with KC © © × (di,Qi) EDP-(ri,Ti) (dj,Qj) EDP-(rj,Tj)

D6�� LM�/;<��(g6e6 ��%& ()�56�� VW��X� LM� q6W4 !"JK Z' ��כ O6Q6:;� .1��D6כ� #7�̀�� ?@Shared secret34 Z� x̂�� zx-�� octet string+�%& *+(��+ ��1כ� % ��+D6. (Ze||Zs��( ��J<�� x̂��-��octet string+�%&*+(�56#7<<(6�&��f�(D6.)�> �6�� CombUMwithKC� �� (. ��H�%& ��E34 Zs = hsdidjGs%&�� MacTag-�� "�#� �56�� VW "�Sכ(

��+ MacKey>!�� "�#� �56(. Ze%& KeyData-�� "�#� ��+D6. FullUMwithKC� �� Ze||Zs%& \�� MacKeyX�KeyData-�� "�#� ��+D6.��AB,��%&2/(LM�"��VW��8�9� �� [Text]�� optional' .��D6כ

LM��(g6→;<��(g6 ;<��(g6→LM��(g6 !"JK Z

EphemUM Ti Tj herirjGe

1-PassDH Ti × hsridjGs

StatUM × × hsdidjGs

CombUMwithKC Ti, [Texti],MagTagi Tj, [Textj],MagTagj herirjGe

1-PassUM Ti × (hsridjGs)||(hsdidjGs)FullUM Ti Tj (herirjGe)||(hsdidjGs)

FullUMwithKC Ti, [Texti],MagTagi Tj, [Textj],MagTagj (herirjGe)||(hsdidjGs)StoS Ti, [Texti],MagTagi, Tj, [Textj],MagTagj, herirjGe

(rsigi , ssigi ) (rsigj , ssigj )

1-Pass MQV Ti × Z1

Full MQV Ti × Z2

Full MQV with KC Ti, [Texti],MagTagi Tj, [Textj],MagTagj Z3

�̀] MQV� �� Ae6 LM��(g6, Be6 ;<��(g6Z6(. �� AB, �#� �� Z134 (d1,A,Q1,A) = (di,Qi), (d2,A,Q2,A) =(ri,Ti), (d1,B,Q1,B) = (d2,B,Q2,B) = (dj,Qj)%&��;!��+' .��D6כLM*�(. Z2X� Z3�� (d1,A,Q1,A) = (di,Qi), (d2,A,Q2,A) = (ri,Ti), (d1,B,Q1,B) = (dj,Qj), (d2,B,Q2,B) =

(rj,Tj)%&��;!��+' .��D6כ

S/MIME�WG� Internet Draft “draft-ietf-smime-ecc-02.txt”� ��X9.63�#7y$e6C�T>U�8�9� �� 1-Pass DHT>U�X� 1-Pass MQV-��N6��D6.)�56!$@?&%�+1כ��56 [48].

D.3 ��כ��$+ Key transport

X9.63� �� Shared secret+�%& CEK-�� "�#� �56#7 2/(LM�56�� key transport � �(.*�� 56(. ��VW,RSAX� ' -34 !"�GH� �� (.*�� 56C� � ,(. Q6�� !',,(�� 56#7 key transport� N6��56��encryption� �(.*�� 56(.��D6.Q6�� !',,(��56#7 encryption��;<��H�#� I�01%&2&��8�9� �� 1-Pass DH-��56#7��+D6.

CEK-�� 56�̀ �#!�� J<,,( LM��(g6�� !"�GH�-�� "�#� �56(. ;<��(g6� (. �� !"�GH�-�� 56#7Shared secret��;<��(.(1-Pass DH), Shared secret/�H�JK=>��;<-��56#7 CEK-��|��+VW��>!��$K�H��F1��JK=>56#7��F1��X�s6J.�e6C�%& XOR56#7��.��56��!/"#��

75

��D6.LMy$J+(g6��(�� !"�GH�X��.��;<��(g6� �:h&�4J+(;<��(g6��' -34 !/"0�&+�%&H��F1��JK=>56#7��.��!��B��;<��+��%& CEK-�� ;<��:�� D6.

34�� E Algorithm OIDs

secsig OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) }

desECB OBJECT IDENTIFIER ::= { secsig algorithm(2) 6 }

desCBC OBJECT IDENTIFIER ::= { secsig algorithm(2) 7 }

desOFB OBJECT IDENTIFIER ::= { secsig algorithm(2) 8 }

desCFB OBJECT IDENTIFIER ::= { secsig algorithm(2) 9 }

desMAC OBJECT IDENTIFIER ::= { secsig algorithm(2) 10 }

SHA-1 OBJECT IDENTIFIER ::= { secsig algorithm(2) 26 }

NISTAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country (16) us (840)

organization(1) gov(101) csor(3) nistalgorithm(4) }

id-SHA256 OBJECT IDENTIFIER ::= { hashalgs(2) 1 }



id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6)

internet(1) security(5) mechanisms(5) pkix(7) }

id-dhPop-static-HMAC-SHA1 OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 3}

id-alg-dhPOP OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 4}

id-dh-sig-hmac-sha1 OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 3}

ideaECB OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) usdod(6)

oid(1) private(4) enterprises(1) ascom(188)

systec(7) security(1) algorithms(1) 1 }

ideaCBC OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 188 7 1 1 2 }

ideaCFB OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 188 7 1 1 3 }

ideaOFB OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 188 7 1 1 4 }

id-alg-CMSIDEAwrap OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 188 7 1 1 6 }

hMAC-SHA1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6)

internet(1) security(5) mechanisms(5) 8 1 2 }

cast5CBC OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) nt(113533)

nsn(7) algorithms(66) 10 }

cast5MAC OBJECT IDENTIFIER ::= { 1 2 840 113533 7 66 11 }

cast5CMSkeywrap OBJECT IDENTIFIER ::= { 1 2 840 113533 7 66 15 }

passwordBasedMac OBJECT IDENTIFIER ::= { 1 2 840 113533 7 66 13 }

dHBasedMac OBJECT IDENTIFIER ::= { 1 2 840 113533 7 66 30 }

x9-57 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10040 }

ansi-x9-62 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10045 }

ansi-x942 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10046 }

id-dsa OBJECT IDENTIFIER ::= { x9-57 x9algorithm(4) 1 }

id-dsa-with-sha1 OBJECT IDENTIFIER ::= { x9-57 x9algorithm(4) 3 }

dhpublicnumber OBJECT IDENTIFIER ::= { ansi-x942 number-type(2) 1 }

dh-public-number OBJECT IDENTIFIER ::= { ansi-x942 number-type(2) 1 }

id-ecPublicKey OBJECT IDENTIFIER ::= { ansi-x9-62 keyType(2) 1 }

ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { ansi-x9-62 signatures(4) 1 }

x9-63-scheme OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) tc68(133)

country(16) x9(840) x9-63(63) schemes(0) }

dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= { x9-63-scheme 2 }

76

dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= { x9-63-scheme 3 }

mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= { x9-63-scheme 16 }

rsadsi OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 113549 }

pkcs OBJECT IDENTIFIER ::= { rsadsi 1 }

pkcs-1 OBJECT IDENTIFIER ::= { pkcs 1 }




rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }

md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }

md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }

sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 }

id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }

id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }

id-pSpecified OBJECT IDENTIFIER ::= { pkcs-1 9 }




pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 1 }

pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 3 }

pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= { pkcs-5 4 }

pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= { pkcs-5 6 }

pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 10 }

pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= { pkcs-5 11 }

id-PBKDF2 OBJECT IDENTIFIER ::= { pkcs-5 12 }

id-PBES2 OBJECT IDENTIFIER ::= { pkcs-5 13 }

pkcs-12PbeIds OBJECT IDENTIFIER ::= { pkcs-12 1 }

pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= { pkcs-12PbeIds 1 }

pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= { pkcs-12PbeIds 2 }

pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { pkcs-12PbeIds 3 }

pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { pkcs-12PbeIds 4 }

pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= { pkcs-12PbeIds 5 }

pbewithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= { pkcs-12PbeIds 6 }

smime OBJECT IDENTIFIER ::= { pkcs-9 16 }

id-alg-ESDH OBJECT IDENTIFIER ::= { smime alg(3) 5 }

id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { smime alg(3) 6 }

id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { smime alg(3) 7 }

digestAlgorithm OBJECT IDENTIFIER ::= { rsadsi 2 }

md5 OBJECT IDENTIFIER ::= { digestAlgorithm 5 }

id-hmacWithSHA1 OBJECT IDENTIFIER ::= { digestAlgorithm 7 }

encryptionAlgorithm OBJECT IDENTIFIER ::= { rsadsi 3 }

rc2-cbc OBJECT IDENTIFIER ::= { encryptionAlgorithm 2 }

des-EDE3-CBC OBJECT IDENTIFIER ::= { encryptionAlgorithm 7 }

rc5-CBC-PAD OBJECT IDENTIFIER ::= { encryptionAlgorithm 9 }

ripemd OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)

teletrust(36) algorithm(3) }

ripemd-160 OBJECT IDENTIFIER ::= { ripemd hashAlgorithm(2) 1 }



77

rsaSignatureWithripemd160 OBJECT IDENTIFIER ::= { ripemd signatureAlgorithm(3) 1 2 }



kisa OBJECT IDENTIFIER ::= { iso(1) member-body(2) korea(410) 200004 }

kisa-algorithm OBJECT IDENTIFIER ::= { kisa 1 }

kcdsa OBJECT IDENTIFIER ::= { kisa-algorithm 1 }

has160 OBJECT IDENTIFIER ::= { kisa-algorithm 2 }

seedECB OBJECT IDENTIFIER ::= { kisa-algorithm 3 }

seedCBC OBJECT IDENTIFIER ::= { kisa-algorithm 4 }

seedOFB OBJECT IDENTIFIER ::= { kisa-algorithm 5 }

seedCFB OBJECT IDENTIFIER ::= { kisa-algorithm 6 }

seedMAC OBJECT IDENTIFIER ::= { kisa-algorithm 7 }

kcdsaWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 8 }

kcdsaWithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 9 }

seedECBWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 10 }

seedCBCWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 11 }

seedOFBWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 12 }

seedCFBWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 13 }

seedECBWithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 14 }

seedCBCWithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 15 }

seedOFBWithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 16 }

seedCFBWithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 17 }

rsaWithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 20 }

kcdsa1 OBJECT IDENTIFIER ::= { kisa-algorithm 21 }

kcdsa1WithHAS160 OBJECT IDENTIFIER ::= { kisa-algorithm 22 }

kcdsa1WithSHA1 OBJECT IDENTIFIER ::= { kisa-algorithm 23 }

78

technical report - sejongdasan.sejong.ac.kr/~chlim/pub/fs-tr00-13.pdf · technical report / 1 , 1 1...

Documents