Hubbry Logo
IEEE P1363IEEE P1363Main
Open search
IEEE P1363
Community hub
IEEE P1363
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
IEEE P1363
IEEE P1363
IEEE P1363
View on Wikipedia
from Wikipedia

IEEE P1363 is an Institute of Electrical and Electronics Engineers (IEEE) standardization project for public-key cryptography. It includes specifications for:

  • Traditional public-key cryptography (IEEE Std 1363-2000 and 1363a-2004)
  • Lattice-based public-key cryptography (IEEE Std 1363.1-2008)
  • Password-based public-key cryptography (IEEE Std 1363.2-2008)
  • Identity-based public-key cryptography using pairings (IEEE Std 1363.3-2013)

The chair of the working group as of October 2008 is William Whyte of NTRU Cryptosystems, Inc., who has served since August 2001. Former chairs were Ari Singer, also of NTRU (1999–2001), and Burt Kaliski of RSA Security (1994–1999).

The IEEE Standard Association withdrew all of the 1363 standards except 1363.3-2013 on 7 November 2019.[1]

Traditional public-key cryptography (IEEE Std 1363-2000 and 1363a-2004)

[edit]

This specification includes key agreement, signature, and encryption schemes using several mathematical approaches: integer factorization, discrete logarithm, and elliptic curve discrete logarithm.

Key agreement schemes

[edit]

Signature schemes

[edit]
  • DL/ECSSA (Discrete Logarithm/Elliptic Curve Signature Scheme with Appendix): Includes four main variants: DSA, ECDSA, Nyberg-Rueppel, and Elliptic Curve Nyberg-Rueppel.
  • IFSSA (Integer Factorization Signature Scheme with Appendix): Includes two variants of RSA, Rabin-Williams, and ESIGN, with several message encoding methods. "RSA1 with EMSA3" is essentially PKCS#1 v1.5 RSA signature; "RSA1 with EMSA4 encoding" is essentially RSA-PSS; "RSA1 with EMSA2 encoding" is essentially ANSI X9.31 RSA signature.
  • DL/ECSSR (Discrete Logarithm/Elliptic Curve Signature Scheme with Recovery)
  • DL/ECSSR-PV (Discrete Logarithm/Elliptic Curve Signature Scheme with Recovery, Pintsov-Vanstone version)
  • IFSSR (Integer Factorization Signature Scheme with Recovery)

Encryption schemes

[edit]

Lattice-based public key cryptography (IEEE Std 1363.1-2008)

[edit]

Password-based public-key cryptography (IEEE Std 1363.2-2008)

[edit]

This document includes a number of password-authenticated key agreement schemes, and a password-authenticated key retrieval scheme.

  • BPKAS-PAK (Balanced Password-Authenticated Key Agreement Scheme, version PAK)
  • BPKAS-PPK (version PPK)
  • BPKAS-SPEKE (version SPEKE)
  • APKAS-AMP (Augmented Password-Authenticated Key Agreement Scheme, version AMP)
  • APKAS-BSPEKE2 (version BSPEKE2)
  • APKAS-PAKZ (version PAKZ)
  • APKAS-SRP3 and SRP6 (version Secure Remote Password (SRP) 3 and 6)
  • APKAS-SRP5 (version Secure Remote Password (SRP) 5)
  • APKAS-WSPEKE (version WSPEKE)
  • PKRS-1 (Password Authenticated Key Retrieval Scheme, version 1)

Identity-based public key cryptography based on pairings (IEEE Std 1363.3-2013)

[edit]

This standard was published on 15 November 2013. It includes techniques for identity-based encryption, signatures, signcryption, key agreement, and proxy re-encryption, all based on bilinear pairings.

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

IEEE P1363

View on Grokipedia
from Grokipedia
IEEE P1363 is an IEEE standardization project that produced IEEE Std 1363-2000, a comprehensive specification for public-key cryptography techniques, including mathematical primitives for secret value (key) derivation, public-key encryption, and digital signatures, along with associated cryptographic parameters, public keys, and private keys. The standard draws from three primary families of algorithms: discrete logarithm-based systems (such as Diffie-Hellman key agreement and DSA signatures), elliptic curve cryptography variants, and integer factorization-based systems (such as RSA). Published on August 29, 2000, it serves as a foundational reference for applications seeking interoperable public-key methods without restricting to specific hardware or systems. The purpose of IEEE P1363 is to promote secure and efficient by providing selectable components for key agreement, encryption, and , ensuring compatibility across diverse implementations. It includes detailed protocols for operations like key derivation functions and mask generation, often leveraging hash functions for enhancements. As of , the core standard was approved, with ongoing work on supplements such as P1363a for additional techniques. Subsequent developments expanded the framework: IEEE Std 1363a-2004 amended the original by adding more public-key methods, including password-authenticated and additional signature schemes. Related standards include IEEE 1363.1-2008 for lattice-based public-key cryptography, IEEE 1363.2-2008 for password-based public-key techniques, and IEEE 1363.3-2013 for using pairings. IEEE 1363-2000 itself is now classified as inactive-reserved, indicating it remains a valid reference but is no longer actively maintained.

Introduction

Purpose and Scope

The IEEE P1363 project, initiated in 1994 by the , represents a comprehensive effort to specify common public-key and schemes, enabling across diverse vendor implementations in secure communications systems. The primary goals of the P1363 series are to deliver vendor-neutral specifications for essential operations such as key derivation, , digital signatures, and key agreement, thereby supporting the design of secure systems while avoiding endorsement of any specific algorithms or proprietary methods. This approach allows applications to select from a variety of techniques to achieve security services including data confidentiality, , and entity authentication, serving as a foundational reference rather than a prescriptive mandate. In terms of scope, the standards cover mathematical primitives, protocol frameworks, and security parameters essential for , with deliberate exclusions of implementation details, hardware specifics, or optimizations to maintain broad applicability. The series supplements but does not replace specialized standards like NIST FIPS 186 for digital signatures, instead focusing on a wider array of PKC techniques developed in parallel by overlapping expert groups.

Architectural Framework

The IEEE P1363 architectural framework provides a unified structure for specifying public-key cryptographic techniques, emphasizing modularity to enable the interchange of primitives across different mathematical domains such as discrete logarithms (DL), elliptic curves (EC), and . This design facilitates the creation of interoperable implementations by defining common building blocks and processes that can be mixed and matched without altering the overall protocol integrity. Core components include domain parameters, which consist of fixed values like prime moduli or curve coefficients essential for scheme operations, ensuring all parties use consistent settings for security and compatibility. Key pair generation involves selecting a private key dd from a specified range and deriving the corresponding public key ee through primitive operations, such as exponentiation in finite fields (e.g., e=gdmodpe = g^d \mod p for DL systems). Primitive operations encompass basic mathematical functions like modular exponentiation, field arithmetic, and conversion routines, while security models define adversarial assumptions, such as IND-CCA (indistinguishability under chosen-ciphertext attack) for encryption schemes to guarantee robustness against adaptive attacks. Notation standards employ consistent symbols throughout: private keys as dd, public keys as ee, messages as mm, and ciphertexts as cc, with operations denoted mathematically (e.g., exponentiation as e^e). For interoperability, octet-string representations convert abstract mathematical elements into byte sequences using primitives like I2OSP (Integer-to-Octet-String Primitive) and OS2IP (Octet-String-to-Integer Primitive), allowing seamless integration with software and hardware systems. The framework for scheme specification outlines standardized steps: first, validate domain parameters (e.g., checking primality of moduli with sizes like bits for 80-bit levels); then, generate and validate key pairs; followed by encoding rules for inputs and outputs to ensure deterministic representations. Parameter sets include examples such as -bit primes for DL schemes or 192-bit EC curves, tying key sizes directly to targeted strengths to guide implementers in selecting appropriate configurations.

History and Development

Working Group Formation

The IEEE P1363 was formed in 1994 under the sponsorship of the IEEE Microprocessor Standards Committee (MSC), with its first meeting held in of that year. The project was initially titled "Standard for RSA, Diffie-Hellman, and Related ," reflecting its focus on standardizing foundational public-key techniques amid the rapid growth of applications in the mid-1990s. This effort was motivated by the increasing demand for interoperable cryptographic standards to support secure communications, as well as challenges posed by U.S. export controls on encryption technologies that hindered global adoption and compatibility. The working group was chaired by Burt Kaliski of RSA Laboratories from 1994 to 1999, with key roles filled by vice-chair Terry Arnold, secretary Roger Schlafly, and editor Yiqun Lisa Yin, fostering contributions from both industry leaders like RSA Labs and academic researchers through meetings often held at cryptography such as Eurocrypt and Crypto. Subsequent chairs included Ari Singer from 1999 to 2001 and William Whyte from 2001 onward. An open call for submissions began in 1995, following the resolution of patent issues, inviting proposals to unify diverse public-key approaches into a cohesive framework. Early milestones included the settlement of technical issues by 1996 and the circulation of initial drafts in 1997, which emphasized integrating established schemes like and systems while addressing needs. These drafts laid the groundwork for a comprehensive standard, later expanding to include advanced topics such as .

Key Publications and Amendments

The IEEE P1363 series began with the core standard IEEE Std 1363-2000, published on August 29, 2000, which specifies common public-key cryptographic techniques including mathematical primitives for secret value derivation, encryption, and digital signatures based on traditional problems such as and discrete logarithms. This standard received ANSI approval on July 27, 2000, marking its formal recognition as a national standard. An amendment, IEEE Std 1363a-2004, was published on September 2, 2004, extending the original standard by incorporating additional techniques, particularly elliptic curve cryptography to address discrete logarithm problems over elliptic curves. Subsequent standards in the series built upon these foundations. IEEE Std 1363.1-2008, focused on lattice-based public-key cryptography, was published on March 10, 2009. IEEE Std 1363.2-2008, addressing password-based public-key cryptographic techniques for authentication and key establishment, followed with publication on January 29, 2009. The series concluded its major extensions up to 2013 with IEEE Std 1363.3-2013, which specifies identity-based cryptographic techniques using pairings, published on November 15, 2013. The development of these standards followed the IEEE consensus process, where each extension began with Project Authorization Request (PAR) approvals from the IEEE Standards Board—for instance, the PAR for P1363.3 was approved on September 22, 2005—followed by drafting, multiple rounds of balloting for technical review, and final board approval before publication. As of November 7, 2019, IEEE Std 1363-2000, 1363a-2004, 1363.1-2008, and 1363.2-2008 were classified as inactive-reserved. IEEE Std 1363.3-2013 followed on March 21, 2024.

Traditional (IEEE 1363-2000 and 1363a-2004)

Key Agreement Schemes

The key agreement schemes specified in IEEE Std 1363-2000 provide mechanisms for two parties to establish a key over an insecure channel using traditional based on the problem. These schemes are foundational for secure communication, enabling the derivation of symmetric keys for subsequent or other purposes. The primary primitive is the Diffie-Hellman (DH) protocol, which operates in a defined by a large prime modulus pp and a generator gg. In the basic DH key agreement (DL/ECKAS-DH1), two parties, , agree on domain parameters including the prime pp, a prime qq dividing p1p-1, and a generator gg of order qq. Alice selects a private key xAx_A and computes her public key yA=gxAmodpy_A = g^{x_A} \mod p, while Bob does likewise with private key xBx_B and public key yB=gxBmodpy_B = g^{x_B} \mod p. They exchange public keys, and each computes the Z=gxAxBmodpZ = g^{x_A x_B} \mod p (or equivalently gxByAmodpg^{x_B y_A} \mod p) using . This ZZ, an integer in [1,p1][1, p-1], forms the basis for key derivation. Authenticated variants enhance the basic DH to provide and resistance to man-in-the-middle attacks. The Station-to-Station (STS) protocol extends DH by incorporating digital signatures on ephemeral public keys and the , ensuring both parties confirm possession of the private keys and the agreed secret, thus achieving key confirmation. Similarly, the Menezes-Qu-Vanstone (MQV) protocol uses a combination of ephemeral and static keys for efficiency, computing the shared secret as Z=g(xA+sAyB)(xB+sByA)modpZ = g^{(x_A + s_A y_B)(x_B + s_B y_A)} \mod p, where sAs_A and sBs_B are scalars derived from static private keys, and includes implicit through key confirmation steps. These variants mitigate vulnerabilities in unauthenticated DH, such as impersonation, by binding the key agreement to pre-established public keys. Parameter selection is critical for , with IEEE Std 1363-2000 recommending primes pp of at least bits and qq of at least 160 bits to ensure computational resistance to attacks. The choice of pp and gg must support a large prime-order to prevent small-subgroup attacks, and domain parameters should be validated for correctness. considerations emphasize protection against man-in-the-middle attacks through authentication in variants like STS and MQV, as well as cofactor multiplication in some schemes to handle invalid inputs. Key derivation integrates hash functions to transform the shared secret ZZ into a usable key, using the key derivation function KDF1 specified in Clause 13, which applies a hash (e.g., SHA-1) iteratively to produce an octet-string output of specified length. This ensures the derived key is uniformly distributed and suitable for symmetric cryptography, with the output formatted as a fixed-length bit string convertible to octets. Elliptic curve variants of these schemes, such as EC-DH, are included in IEEE Std 1363-2000 for improved efficiency, with additional techniques in IEEE Std 1363a-2004.

Signature Schemes

The IEEE P1363-2000 standard specifies digital signature schemes based on the problem and the problem to provide , , and in . These schemes operate within a hash-then-sign paradigm, where a digest is computed before applying the underlying primitive, ensuring efficiency for long messages. The standard emphasizes provable security properties, including existential unforgeability under chosen- attacks (EUF-CMA), where an adversary cannot produce a valid on a new even after querying a signing oracle. RSA-based signatures in IEEE P1363-2000 rely on the RSA primitive, where key generation produces a modulus n=pqn = p q of 1024 to 2048 bits, a public exponent ee, and private exponent d=e1modϕ(n)d = e^{-1} \mod \phi(n), with pp and qq being strong primes differing by at least 21002^{100}. To mitigate deterministic padding vulnerabilities, the standard incorporates the Probabilistic Signature Scheme (PSS) as the encoding method, which introduces randomness via a salt and masks the padded message using a hash function and XOR operations for EUF-CMA security in the random oracle model. The signing process computes the padded encoding mm' of the message mm and hash, then derives the signature as s=(m)dmodn.s = (m')^d \mod n. Verification recovers m=semodnm' = s^e \mod n, applies unpadding and checks against the recomputed hash and salt length, rejecting if parameters like 0<s<n0 < s < n or modulus size fail. This approach resists existential forgery by ensuring the padding's probabilistic nature thwarts chosen-message attacks. Discrete logarithm-based signatures, such as the (DSA), are also defined in IEEE P1363-2000 using domain parameters including a large prime pp ( bits), a order qq (160 bits), and generator gg. selects private key x[1,q1]x \in [1, q-1] and computes public key y=gxmodpy = g^x \mod p. Signing involves a random k[1,q1]k \in [1, q-1], yielding r=(gkmodp)modq,s=k1(H(m)+xr)modq,r = (g^k \mod p) \mod q, \quad s = k^{-1} (H(m) + x r) \mod q, where HH is a secure like , and the signature is the pair (r,s)(r, s) provided rr and ss are nonzero. Verification confirms domain parameters, recomputes w=s1modqw = s^{-1} \mod q, and checks if (gH(m)wyrwmodp)modq=r(g^{H(m) w} y^{r w} \mod p) \mod q = r, rejecting invalid ranges to uphold EUF-CMA security under the assumption. Elliptic curve variants, including the (ECDSA), are specified in IEEE Std 1363-2000, using NIST-recommended curves like P-256 with prime field order around 256 bits for equivalent security to 3072-bit RSA. ECDSA selects private key d[1,n1]d \in [1, n-1] and public key Q=dGQ = d G, where GG is the base point of order nn. Signing uses ephemeral kk, computing r=x(kG)modn,s=k1(H(m)+dr)modn,r = x(k G) \mod n, \quad s = k^{-1} (H(m) + d r) \mod n, with verification analogous to DSA: compute u1=H(m)s1modnu_1 = H(m) s^{-1} \mod n, u2=rs1modnu_2 = r s^{-1} \mod n, and check if the x-coordinate of u1G+u2Qu_1 G + u_2 Q modulo nn equals rr, ensuring parameter validity and EUF-CMA resistance via the elliptic curve problem. These additions enable more efficient signatures for resource-constrained environments while maintaining compatibility with the core framework.

Encryption Schemes

IEEE P1363 specifies public-key encryption schemes within the traditional framework of IEEE Std 1363-2000 and its amendment IEEE Std 1363a-2004, focusing on through asymmetric encryption primitives based on and discrete logarithms. These schemes provide mechanisms for encrypting messages directly or deriving keys for symmetric encryption, emphasizing and security against chosen-plaintext attacks (IND-CPA). The standards define encoding methods, including and hashing auxiliaries, to achieve while supporting various underlying hard problems. The RSA encryption scheme, rooted in the difficulty of , forms a core component for direct message . A message mm is first padded using (OAEP), which incorporates a and hash functions to prevent deterministic attacks and ensure probabilistic . The padded message is then raised to the public exponent ee modulo the modulus nn, yielding the c=(mpadding)emodnc = (m || \text{padding})^e \mod n, where (n,e)(n, e) constitutes the recipient's public key. OAEP padding provides under the RSA assumption in the model, making the scheme IND-CPA secure. Decryption reverses this using the private exponent dd, extracting the original message after unpadding. This approach supports message sizes up to the bit length of nn minus padding overhead. For discrete logarithm-based encryption, IEEE P1363 includes the ElGamal scheme and its integrated variant DLIES (Discrete Log Integrated Encryption Scheme). In basic ElGamal, encryption of a message mm under public key (p,g,y)(p, g, y)—where pp is prime, gg generates a subgroup, and y=gxmodpy = g^x \mod p for private key xx—involves selecting a random ephemeral kk and computing the ciphertext pair (c1,c2)(c_1, c_2), with c1=gkmodpc_1 = g^k \mod p and c2=mykmodpc_2 = m \cdot y^k \mod p. This multiplicative structure ensures IND-CPA security assuming the decisional Diffie-Hellman problem's hardness. DLIES extends this into a hybrid construction, deriving a symmetric key from the ephemeral shared secret for further message protection. IEEE Std 1363a-2004 incorporates variants, such as ECIES ( ), an ElGamal analog over including efficient Koblitz curves for reduced computation. In ECIES, an ephemeral scalar kk generates a point c1=kGc_1 = k \cdot G on the , from which a derives a symmetric key via a (KDF); the message is then encrypted symmetrically to form c2c_2. Koblitz curves, defined over binary fields with specific forms like y2+xy=x3+ax2+1y^2 + x y = x^3 + a x^2 + 1, enable faster using Frobenius endomorphisms, supporting the same IND-CPA security as prime-field counterparts but with smaller key sizes. Hybrid modes are integral to practical deployment in IEEE P1363, combining public-key operations with symmetric to handle arbitrary-length messages efficiently. For instance, the public-key component (e.g., RSA or ElGamal) encrypts or derives a short symmetric key, which is used to encrypt the bulk message via a like AES in a mode such as CBC or GCM. Key derivation functions, such as those based on hash or , expand the into and integrity keys, while mechanisms like AES key wrap secure the symmetric key itself during transport. This hybrid paradigm leverages the strengths of both asymmetric () and symmetric (speed) , with security inherited from the underlying . Security parameters in the standards are calibrated to achieve specific strength levels, such as 80-bit (legacy applications) and 128-bit (current recommendations), dictating key sizes: for RSA, moduli of 1024 bits for 80-bit and 3072 bits for 128-bit; for DL/ElGamal, primes of 1024 bits and 3072 bits respectively; and for ECIES, curve orders around 256 bits for 128-bit . These levels ensure resistance to known attacks, with annexes providing sets and rationale based on computational effort estimates.

Lattice-Based Public-Key Cryptography (IEEE 1363.1-2008)

Primitive Operations

in IEEE 1363.1-2008 relies on , which are discrete additive subgroups of generated by integer linear combinations of a set of basis vectors. An Λ\Lambda in Rn\mathbb{R}^n is defined as Λ={i=1mziviziZ}\Lambda = \{ \sum_{i=1}^m z_i \mathbf{v}_i \mid z_i \in \mathbb{Z} \}, where {v1,,vm}\{\mathbf{v}_1, \dots, \mathbf{v}_m\} are linearly independent basis vectors with integer coordinates. These structures provide the foundational hardness assumptions for the primitives, as solving certain problems over lattices is computationally intractable even for quantum computers. The security of the specified techniques stems from well-established hard problems over lattices, including the Shortest Vector Problem (SVP). SVP requires finding the shortest nonzero vector in a lattice given a basis, a problem proven to be NP-hard in the worst case and central to schemes like standardized in the document. Key primitive operations include sampling for and modulus reduction for computations in Zq\mathbb{Z}_q. Modulus reduction ensures all operations remain within Zq\mathbb{Z}_q by computing residues modulo qq, facilitating efficient arithmetic in lattice schemes. These operations underpin the efficiency and security of the primitives. Parameter recommendations in IEEE 1363.1-2008 balance and , with dimension nn typically in the range 400–800 and modulus q=2048211q = 2048 \approx 2^{11} providing estimates of at least 128 bits against lattice attacks as of , as in the EESxxxEP1 sets (e.g., n=439, q=2048 for ~128 bits). For instance, the EES613EP1 parameters use n=613, q=2048, and small coefficients (d_f=55, d_g=204) to achieve ~128-bit while keeping key sizes manageable. Higher security levels scale n up to around 743 for ~256 bits. estimates should be re-evaluated with current techniques. The standard focuses on NTRU-based using rings over Zq/(xN1)\mathbb{Z}_q/(x^N - 1) (product form) for in multiplication, applied to and protocols.

Cryptographic Schemes

The cryptographic schemes in IEEE Std 1363.1-2008 apply lattice-based to construct practical protocols for and digital signatures, emphasizing resistance to quantum attacks through reliance on the hardness of lattice problems such as the Shortest Vector Problem (SVP). These schemes supplement traditional public-key methods by offering efficient alternatives with compact key and message sizes, suitable for resource-constrained environments, while providing provable under worst-case lattice assumptions. The standard primarily specifies for and NTRUSign for signatures, with parameter sets achieving levels up to 256 bits as estimated in 2015. IEEE 1363.1-2008 is now inactive-reserved, and updated NTRU variants are being standardized in NIST PQC as of 2024. Encryption schemes in the standard feature NTRU-like constructions, such as , which uses lattice decoding for decryption. In these protocols, a sender generates a short added to a multiple of the receiver's public key , allowing the receiver to recover the message via decoding on the lattice defined by their private key; this process leverages the structure of ideal lattices for efficiency. Security is based on the hardness of approximate-SVP, ensuring (CCA) resistance when combined with appropriate padding like the New Authentication of a (NAEP) method, which masks messages to prevent timing or statistical attacks. Efficiency metrics include ciphertext sizes of approximately 350 bytes for 128-bit security estimates (e.g., using N=439, q=2048 parameters), with decryption times under 1 ms on standard hardware, making them viable for key encapsulation in hybrid systems. Both variants are quantum-resistant, as SVP remains hard against . Digital signature schemes draw from NTRU constructions, exemplified by NTRUSign, which generates signatures as short vectors in the lattice orthogonal to the public key, ensuring unforgeability through to mask the signer's private basis. During signing, a short preimage is found for a hash of the using the private key, then adjusted via centered binomial sampling to produce a whose distribution hides lattice information; verification checks the norm and from the public basis. This rejection mechanism provides EUF-CMA security under SVP assumptions, with proofs showing that forging requires solving hard lattice instances. Efficiency is highlighted by sizes around 1 KB for 128-bit security estimates (e.g., N=439 parameters yielding 4N ternary coefficients), though larger than NTRU keys, and signing/verification times of 10-100 ms, outperforming other early lattice signatures in speed while maintaining quantum resistance. The standard specifies countermeasures against attacks, such as basis delinearization, to preserve security margins. Key agreement schemes in the standard utilize NTRU-based key transport or encapsulation, where parties use public keys to securely exchange shared secrets, enabling unauthenticated or authenticated variants when combined with signatures. Security reduces to lattice hardness, providing resistance to man-in-the-middle attacks in authenticated modes. These schemes support key derivation functions specified in the standard for generation, with efficiency comparable to classical methods.

Password-Based Public-Key Cryptography (IEEE 1363.2-2008)

IEEE Std 1363.2-2008, approved 26 September 2008 and published 29 January 2009, is now inactive-reserved.

Authentication Techniques

IEEE 1363.2-2008 specifies password-authenticated key agreement schemes (PKAS) that enable mutual authentication between parties using low-entropy passwords, integrating these with public-key primitives to derive shared secrets securely. These authentication techniques are divided into verifier-based and balanced categories, both designed to prevent unauthorized access even if passwords are weak, by entangling password information with cryptographic operations in discrete logarithm (DL) or elliptic curve (EC) domains. Verifier-based password-authenticated key exchange (PAKE), also known as augmented PAKE, allows the server to store password verification data (PVD) rather than the plaintext password, mitigating risks from database compromises. In this approach, the server computes and stores a verifier such as v=g\hash(s,\pw)v = g^{\hash(s, \pw)}, where gg is a generator, ss is a salt, \pw\pw is the password, and \hash\hash is a hash function, ensuring the verifier reveals no direct information about the password. Protocols like Secure Remote Password (SRP) variants (e.g., SRP3, SRP6, SRP5) exemplify this, where the client and server exchange password-entangled public keys, and the client proves knowledge of the password via a zero-knowledge proof embedded in the key exchange, without transmitting the password itself. This setup supports unilateral or mutual authentication, with the shared secret derived using a secret value derivation primitive (SVDP) such as SVDP-AMP, resistant to server impersonation even if the verifier is stolen. Balanced PAKE protocols provide where both parties hold the same password-derived information, without a central verifier, making them suitable for scenarios. In schemes like (Simple Password Exponential Key Exchange), both parties use a random element derivation primitive (REDP) to generate a password-dependent generator gg^\star from the password, then perform a Diffie-Hellman-like exchange to compute entangled public keys wAw_A and wBw_B, yielding a z=g\pwabz = g^{\pw \cdot a \cdot b} (in DL terms), where aa and bb are ephemeral private keys. This ensures symmetric treatment of parties and prevents one-sided guessing attacks, with confirmed through optional key messages. Variants like BSPEKE2 and WSPEKE enhance efficiency and resistance to small subgroup attacks by incorporating cofactor multiplications and order validation. Security models for these techniques emphasize protection against offline dictionary attacks, where an eavesdropper cannot verify password guesses without interacting with the legitimate parties, limiting attackers to at most one attempt per protocol run. Both verifier-based and balanced schemes achieve this through password entanglement in the exponent, requiring computational effort equivalent to the discrete logarithm problem for each guess. Entropy requirements stipulate that passwords should provide sufficient uncertainty—ideally at least 128 bits of entropy for high-security applications—though the standards accommodate lower-entropy inputs via salting and hashing to thwart brute-force and precomputation attacks, with applications enforcing rate-limiting for online guesses. These authentication methods integrate seamlessly with public-key primitives from IEEE 1363, such as password-entangled public (PEPKGP) and SVDP, allowing hybrid use with Diffie-Hellman or operations in safe prime groups to avoid Pohlig-Hellman vulnerabilities. Key confirmation steps, using key confirmation functions (KCF) like KCF1 on the ZZ and public keys, ensure both parties verify the exchange's integrity, mandatory in unilateral verifier-based schemes and optional in balanced ones. Error handling addresses low-entropy passwords by aborting on invalid public keys, detecting small elements through order checks, and recommending domain parameters with large prime orders (e.g., [q](/page/Q)[q](/page/Q) of at least 256 bits) to maintain even with weak inputs.

Key Establishment Techniques

IEEE 1363.2-2008 specifies password-authenticated key exchange (PAKE) protocols as a core component of its key establishment techniques, enabling two parties to derive a shared session key securely using a low-entropy password without transmitting the password in the clear. These protocols leverage public-key cryptography to mitigate offline dictionary attacks, where an eavesdropper cannot feasibly compute the shared key from captured messages alone. Balanced PAKE schemes, such as BPKAS-PAK and BPKAS-SPEKE, involve symmetric roles for the client and server, using ephemeral keys entangled with the password to compute a shared secret value Z via primitives like SVDP-PAK2. For instance, in BPKAS-PAK, the shared secret is derived as z=GE2SVFEP((wm1)s)z = GE2SVFEP((w \cdot \star_m^{-1})^s), where w represents password-derived elements and s is an ephemeral exponent, ensuring the protocol resists passive and active attacks. Augmented key transport schemes in the standard, such as APKAS-AMP and APKAS-SRP6, address asymmetric scenarios where the server stores one-way verification data (e.g., vv^\star) to authenticate the client without exposing the . In these methods, the client generates and encrypts a using a -derived , which the server decrypts after verification, providing key transport rather than pure agreement. Protocols like APKAS-PAKZ extend this by incorporating -entangled public keys (w_C, w_S) to compute Z, similar to contributions in the IEEE P1363.2 development such as PAKZ, which influenced later standards like J-PAKE for multi-party of ephemeral values. These augmented approaches enhance protection against server compromise by avoiding direct use in exchanges. Key derivation in IEEE 1363.2-2008 employs hash-based functions like KDF1 and KDF2 to produce session keys from the shared secret Z, other parameters, and ephemeral keys, akin to for extracting and expanding pseudorandom keys while incorporating . is achieved through ephemeral exponents in both balanced and augmented schemes, ensuring that compromise of long-term password data does not reveal prior session keys. The standard mandates multi-round protocols, often four-pass with key via KCF1, to mitigate partition attacks where an adversary exploits parallel sessions; for example, BPKAS-PPK uses dual mask elements (T,R\star_T, \star_R) across rounds to bind exchanges securely. Parameter sets are defined supporting levels such as 80-bit (1024-bit prime q with 160-bit order r) and 112-bit (2048-bit q with at least 224-bit r), using hash functions outputting sufficient octets (e.g., ≥20 for ) to support these levels without exhaustive enumeration. Post-exchange, hash chains may further process Z for additional key material, prioritizing conceptual over specific implementations.

Identity-Based Public-Key Cryptography (IEEE 1363.3-2013)

Pairing-Based Primitives

Pairing-based primitives form the mathematical foundation for identity-based cryptographic techniques in IEEE Std 1363.3-2013, relying on bilinear mappings over elliptic curves to enable efficient computations in identity-based schemes. A bilinear pairing is defined as an efficiently computable, nondegenerate bilinear map e:G1×G2GTe: G_1 \times G_2 \to G_T, where G1G_1, G2G_2, and GTG_T are cyclic groups of prime order rr, satisfying bilinearity: e(aP,bQ)=e(P,Q)abe(aP, bQ) = e(P, Q)^{ab} for generators PG1P \in G_1, QG2Q \in G_2, and scalars a,bZra, b \in \mathbb{Z}_r^*, along with non-degeneracy to ensure the map is not trivially the identity. These pairings are typically constructed using Weil or Tate pairings on elliptic curves over finite fields, with the embedding degree kk being the smallest integer such that rr divides qk1q^k - 1, where qq is the base field size. The groups involved are subgroups of elliptic curve points: G1G_1 and G2G_2 as s of order rr in E(Fq)E(\mathbb{F}_q) and its extension E(Fqk)E(\mathbb{F}_{q^k}), respectively, while GTG_T is a multiplicative of Fqk\mathbb{F}_{q^k}^*. Parameters include the field characteristic qq, curve equation (e.g., supersingular curves like y2=x3+1y^2 = x^3 + 1 over Fq\mathbb{F}_q with q2(mod3)q \equiv 2 \pmod{3}), embedding degree kk (typically 6–12 for balancing efficiency and ), and prime order rr of approximately 256 bits for 128-bit levels, aligned with NIST SP 800-57 guidelines. Supersingular curves (embedding degrees 2, 4, or 6) and ordinary curves such as MNT (Miyaji–Nakabayashi–Takano) or BN (Barreto–Naehrig) curves (embedding degree 12) are recommended, with base field sizes scaling to 3072 bits for qq at 128-bit to resist attacks on the problem. Primitive operations include hash-to-point maps, which deterministically map identities or strings to points in G1G_1 or G2G_2 (e.g., using protocols like PHF-SS for supersingular curves to compute QID=HashToPoint(ID)Q_{ID} = \text{HashToPoint}(ID)), ensuring identities bind securely to group elements without collisions. Key extraction derives private keys from public identities via a master secret, such as computing dID=sQIDd_{ID} = s \cdot Q_{ID} where ss is the master key and QID=H(ID)Q_{ID} = H(ID) is the hashed identity point, or more generally KM=tQjK_M = t Q_j with t=(M+s)1modrt = (M + s)^{-1} \mod r for server-assisted extraction. Pairing computation is performed efficiently using algorithms like the Miller algorithm for or Ate pairings, with optimizations for reduced pairings to output in GTG_T, achieving computational efficiency through distortion maps on supersingular curves and compression techniques that reduce output size by factors of 2 or 3 when kk is even or divisible by 3. Security of these rests on the of the Bilinear Diffie-Hellman (BDH) assumption, where given P,aP,bPG1P, aP, bP \in G_1 and QG2Q \in G_2, computing e(P,Q)abGTe(P, Q)^{ab} \in G_T is infeasible, alongside related problems like the Computational Bilinear Diffie-Hellman Problem (BDHP) and q-BDHI. Specified parameters, such as 256-bit rr and embedding degrees of 6–12 over 256-bit base fields for initial setups, ensure at least 128-bit against generic attacks, with full parameter sets provided for NIST levels up to 256 bits.

Identity-Based Schemes

Identity-based schemes in IEEE 1363.3-2013 leverage bilinear pairings to enable cryptographic protocols where a user's public key is directly derived from their identity string, eliminating the need for certificates. A trusted Private Key Generator (PKG) generates a master secret key sZps \in \mathbb{Z}_p^* and corresponding public parameters, including a generator PP and R=sPR = sP. For any user with identity IDID, the PKG computes the user's private key d=sQIDd = s Q_{ID}, where QIDQ_{ID} is a hash of IDID mapped to a point on the elliptic curve. These schemes support security levels aligned with NIST recommendations, from 80 to 256 bits, but like earlier IEEE 1363 components, the standard was placed in inactive-reserved status on March 21, 2024. Identity-based encryption (IBE) allows encryption to an arbitrary identity without prior . The standard specifies the Boneh-Franklin scheme as a core primitive, where the sender encrypts a mm to recipient identity IDBID_B by first computing QIDB=H1(IDB)Q_{ID_B} = H_1(ID_B), selecting random rZpr \in \mathbb{Z}_p^*, and forming the ciphertext as (rP,H2(e(QIDB,R)r)m)(rP, H_2(e(Q_{ID_B}, R)^r) \oplus m), where R=sPR = sP is the master public key and dB=sQIDBd_B = s Q_{ID_B} is the recipient's private key issued by the PKG. Decryption recovers mm by computing H2(e(rP,dB))H_2(e(rP, d_B)) and XORing with the second component. This scheme achieves chosen-ciphertext security in the model under the Bilinear Diffie-Hellman assumption, with parameters selected for efficiency over supersingular curves. For digital signatures, identity-based signatures (IBS) use the identity as the verification key, with the signer employing their private key dA=sQIDAd_A = s Q_{ID_A}. The BLMQ IBS scheme, integrated into the standard, provides security under the q-BDHI assumption. It involves setup of public parameters, key extraction by the , signing by choosing random values and computing points in the group, and verification using bilinear pairings on hashed message values and the signer's identity point. This ensures authenticity without certificates, suitable for applications requiring lightweight . Identity-based key agreement (IB-KA) protocols enable two parties, say AA and BB with identities IDAID_A and IDBID_B, to derive a using their private keys dA=sQIDAd_A = s Q_{ID_A} and dB=sQIDBd_B = s Q_{ID_B}. The standard includes protocols like the Wang scheme, where parties exchange ephemeral values and compute the shared key via pairings, such as K=e(dA,QIDB+rBP)=e(QIDA,dB+rBR)K = e(d_A, Q_{ID_B} + r_B P) = e(Q_{ID_A}, d_B + r_B R), ensuring and under the Bilinear Diffie-Hellman assumption. These derive session keys directly from identities, supporting hybrid constructions for confidentiality. Signcryption schemes in the standard combine signing and encryption into a single efficient step, providing both authenticity and . For instance, hybrid signcryption protocols first apply an IBS like BLMQ to sign the message and ephemeral values, then encrypt the signature and message using IBE to the recipient's identity, yielding compact ciphertexts verifiable and decryptable with dBd_B. The BLMQ signcryption primitive exemplifies this, producing a tuple (c,σ)(c, \sigma) where cc encrypts mm under IDBID_B and σ\sigma is a pairing-verifiable tag on mm using dAd_A, secure against insider attacks under the q-Bilinear Diffie-Hellman Inversion assumption. This approach reduces computational overhead compared to separate sign-then-encrypt operations.

References

  1. https://standards.ieee.org/standard/1363-2000.html
  2. https://csrc.nist.gov/csrc/media/events/key-management-workshop-2001/documents/p1363.pdf
  3. https://ieeexplore.ieee.org/document/1335427/
  4. https://standards.ieee.org/ieee/1363.1/3074/
  5. https://ieeexplore.ieee.org/document/891000/
  6. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
  7. https://csrc.nist.gov/files/pubs/fips/186-4/final/docs/comments-received-fips186-4-december-2015.pdf
  8. https://www.secg.org/sec1-v2.pdf
  9. https://www.brookings.edu/articles/a-brief-history-of-u-s-encryption-policy/
  10. https://csrc.nist.gov/files/pubs/conference/1997/10/10/proceedings-of-the-20th-nissc-1997/final/docs/754.pdf
  11. https://standards.ieee.org/ieee/1363a/2050/
  12. https://ieeexplore.ieee.org/document/4800404
  13. https://standards.ieee.org/ieee/1363.2/4376/
  14. https://ieeexplore.ieee.org/document/4773330
  15. https://standards.ieee.org/ieee/1363.3/3822/
  16. https://ieeexplore.ieee.org/document/6662370
  17. https://standards.ieee.org/ieee/1363/2049/
  18. https://www.cs.ucdavis.edu/~rogaway/papers/exact.html
  19. https://eprint.iacr.org/2000/060.pdf
  20. https://cseweb.ucsd.edu/~mihir/papers/dhies.pdf
  21. https://link.springer.com/chapter/10.1007/11818175_8
  22. https://cims.nyu.edu/~regev/papers/lwesurvey.pdf
  23. https://eprint.iacr.org/2015/708
  24. https://pmc.ncbi.nlm.nih.gov/articles/PMC8914960/
  25. https://eprint.iacr.org/2008/361
  26. https://csrc.nist.gov/projects/post-quantum-cryptography
  27. https://webpages.charlotte.edu/yonwang/1363.2-2008.pdf
  28. https://eprint.iacr.org/2001/090.pdf
  29. https://eprint.iacr.org/2005/108.pdf
Add your contribution
Related Hubs
User Avatar
No comments yet.