===================================
== SAMPLE TEST VECTORS FOR P1363 ==
===================================

This document contains two sample test vectors, one for ECSSA and the
other for IFSSA. It is intended that the two examples given in the
document will provide a format for people to generate test vectors for
each of the schemes defined in P1363 Draft Version 1. If you are
interested in generating additional test vectors to be included in the
P1363 Annexes, please contact the editor Yiqun Lisa Yin at lisa@rsa.com.

All values are represented in hexadecimal.

============================================
Test Vector For ECSSA (Section 8.4 in P1363)
============================================

Note: This example is the same as the example given in H.2.1 of X9.62
in terms of numerical values, while the steps and naming of the
variables follow the definitions in P1363.

8.4.1 Setup
===========

(1) EC parameters

    The field F(2^191) is generated by the irreducible polynomial

        80000000 00000000 00000000 00000000 00000000 00000201

    The elliptic curve is E : y^2 + xy = x^3 + ax^2 + b over F(2^191),
    where

        a = 2866537B 67675263 6A68F565 54E12640 276B649E F7526267
        b = 2E45EF57 1F00786F 67B0081B 9495A3D9 5462F5DE 0AA185EC

    Generating point is (without point compression)

        G = 04 36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D
               765BE734 33B3F95E 332932E7 0EA245CA 2418EA0E F98018FB

    The order of G is

        r = 40000000 00000000 00000000 04a20e90 c39067c8 93bbb9a5

    The cofactor is

        k = 2

(2) The signature and verification primitive: ECSP-DSA and ECVP-DSA

(3) The message encoding method: EMSA-hash with SHA-1

8.4.2 Signature Generation Function
===================================

-- Signer's private/public key pair (s, W) is

        s = 340562e1 dda332f9 d2aec168 249b5696 ee39d0ed 4d03760f

        W = sG = (without point compression)
            04 5DE37E75 6BD55D72 E3768CB3 96FFEB96 2614DEA4 CE28A2E7
               55C0E0E0 2F5FB132 CAF416EF 85B229BB B8E13520 03125BA1

-- Message to sign is M = abc

Step 1. Message encoding using EMSA-hash

    set hash = SHA-1 and maximum length of the output = 160

        f = EMSA-hash(M)
          = A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D

Step 2. execute primitive ECSP-DSA

    (1) select a one time key pair (u, V), where u is in the
        interval [1, r-1]

        u = 3eeace72 b4919d99 1738d521 879f787c b590aff8 189d2b69

        V = uG = (without point compression)
            04 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5
               2AD603A0 5BD1D177 649F9167 E6F475B7 E2FF590C 85AF15DA

    (2) convert x-coordinate of V to an integer i

        i = 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5

    (3) compute c = i mod r.

        c = 038e5a11 fb55e4c6 5471dcd4 998452b1 e02d8af7 099bb930

    (4) compute d = u^{-1} (f + sc) mod r.

        d = 0c9a08c3 4468c244 b4e5d6b2 1b3c6836 28074160 20328b6e

    The signature is the two integers (c, d).

8.4.3. Signature Verification Function
======================================

M = abc

Step 1. Message encoding using EMSA-hash

    set hash = SHA-1 and maximum length of the output = 160

        f = EMSA-hash(M)
          = A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D

Step 2. perform ECVP-DSA

    (1) verify that c and d are both in the interval [1, r-1]

    (2) compute h = d^{-1} mod r, h1 = fh mod r, h2 = ch mod r

        h  = 26dd1779 cf312584 d8baa941 d95262f2 61cf727a 3beac8a7
        h1 = 32eefb84 15c0f8a2 72bb9e05 87083d1c 66e01452 d726c742
        h2 = 157e5175 1d89c66c bdf44596 8f7f6538 76a18c4b 1240bb5a

    (3) compute P = h1 G + h2 W

        h1 G = (without point compression)
            04 1A045B0C 26AF1735 9163E9B2 BF1AA57C 5475C320 78ABE159
               53ECA58F AE7A4958 783E8173 CF1CA173 EAC47049 DCA02345

        h2 W = (without point compression)
            04 015CF19F E8485BED 8520CA06 BD7FA967 A2CE0B30 4FFCF0F5
               314770FA 4484962A EC673905 4A6652BC 07607D93 CAC79921

        P = (without point compression)
            04 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5
               2AD603A0 5BD1D177 649F9167 E6F475B7 E2FF590C 85AF15DA

    (4) convert x1, the x-coordinate of P, to an integer i

        i = 438E5A11 FB55E4C6 5471DCD4 9E266142 A3BDF2BF 9D5772D5

    (5) compute c' = i mod r.

        c' = 038e5a11 fb55e4c6 5471dcd4 998452b1 e02d8af7 099bb930

    (6) verify that c' = c.

Output "Valid."

============================================
Test Vector For IFSSA (Section 10.2 in P1363)
============================================

Note: This example is the same as the example given in D.1 of X9.31
in terms of numerical values, while the steps and naming of the
variables follow the definitions in P1363.

10.2.1. Setup
=============

(1) the signature and verification primitives: IFSP-RSA2 and IFVP-RSA2

(2) the message encoding method: EMSA-X9.31-hash with SHA-1

10.2.2 Signature Generation Function
====================================

-- Signer's private/public key pair is

    length of the modulus n is 1024 bits

    public exponent is e = 3

    two prime factors are

        p = D8CD81F0 35EC57EF E8229551 49D3BFF7 0C53520D 769D6D76 646C7A79 2E16EBD8
            9FE6FC5B 606B56F6 3EB11317 A8DCCDF2 03650EF2 8D0CB9A6 D2B2619C 52480F51

        q = CC109249 5D867E64 065DEE3E 7955F2EB C7D47A2D 7C995338 8F97DDDC 3E1CA19C
            35CA659E DC3D6C08 F64068EA FEDBD911 27F9CB7E DC174871 1B624E30 B857CAAD

    private exponent is

        d = 1CCDA20B CFFB8D51 7EE96668 66621B11 822C7950 D55F4BB5 BEE37989 A7D17312
            E326718B E0D79546 EAAE87A5 6623B919 B1715FFB D7F16028 FC400774 1961C88C
            5D7B4DAA AC8D36A9 8C9EFBB2 6C8A4A0E 6BC15B35 8E528A1A C9D0F042 BEB93BCA
            16B541B3 3F80C933 A3B76928 5C462ED5 677BFE89 DF07BED5 C127FD13 241D3C4B

    modulus n = pq is

        n = ACD1CC46 DFE54FE8 F9786672 664CA269 0D0AD7E5 003BC642 7954D939 EEE8B271
            52E6A947 450D7FA9 80172DE0 64D6569A 28A83FE7 0FA840F5 E9802CB8 984AB34B
            D5C1E639 9EC21E4D 3A3A69BE 4E676F39 5AAFEF7C 4925FD4F AEE9F9E5 E48AF431
            5DF0EC2D B9AD7A35 0B3DF2F4 D15DC003 9846D1AC A3527B1A 75049E3F E34F43BD

-- Message to sign is M = abc

Step 1. message encoding using EMSA-X9.31-hash

    (1) set hash = SHA-1 and maximum length of the output = 1023

    (2) compute H = hash (M)

        H = A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D

    (3) padding

        P1 = a single octet with value 6B
        P2 = (1023+1)/8 - 24 octets each with value BB
        P3 = a single octet with value 33, indicating the hash
             function is SHA-1

    the message representative f = P1 || P2 || BA || H || P3 || CC

        f = 6BBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBAA999 3E364706 816ABA3E 25717850 C26C9CD0 D89D33CC

Step 2. execute primitive IFSP-RSA2

    (1) compute t = f^d mod n

        t = A6B496F4 A802AF90 92F1F561 931D84DB D0B943EF 34C102B9 4DD51AB0 1E1054BC
            0E0572A1 FB2DB034 569883F3 82B74E44 9F6C80C4 060FBC0F FBD3A9CA 9D66685B
            90873007 D207C1D6 4C692D01 11157BB9 76A4551E 72DDC83C 767A9D75 A4746C51
            9B73CE52 C2BFBD1C 3C431D25 4FE8BB43 08FEA486 787F239F D2944390 DA49DE45

    (2) Since t > n/2, the signature s = n - t.

        s = 61D35523 7E2A0586 6867110D 32F1D8D3 C5193F5C B7AC3892 B7FBE89D 0D85DB54
            4E136A54 9DFCF752 97EA9ECE 21F08558 93BBF230 99884E5E DAC82EDF AE44AF04
            53AB631C CBA5C76E DD13CBD3 D51F37FE 40B9A5DD 64835133 86F5C704 01687DFC
            27D1DDAF 6EDBD18C EFAD5CF8 17504C08 F482D262 AD3577AA 2705AAF0 9056578

10.2.3 Signature Verification Function
======================================

Step 1. execute primitive IFVP-RSA2

    (1) verify that s is in [0, (n-1)/2]

    (2) compute t = s^e mod n

        t = 4116108B 2429942D 3DBCAAB6 AA90E6AD 514F1C29 44800A86 BD991D7E 332CF6B5
            972AED8B 8951C3ED C45B7224 A91A9ADE 6CEC842B 53EC853A 2DC470FC DC8EF790
            1A062A7D E3066291 7E7EAE02 92ABB37D 9EF433C0 8D6A4193 F32E3E2A 28CF3875
            A2353071 FDF1BE79 4F83495B 932778FD 16DC176E 7DE102C9 B298016F 0AB20FF1

    (3) Since n - t = 12 mod 16, set f = n - t.

        f = 6BBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB BBBBBBBB
            BBBBBBBB BBBBBBBB BBBAA999 3E364706 816ABA3E 25717850 C26C9CD0 D89D33CC

Step 2. Verify that f is the correct encoding of message M.

Output "Valid."
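
Added example for the ECSSA vector (section 8.4.3), not part of the original document or of P1363: a self-contained ECVP-DSA check over F(2^191) that a verifier implementation can be compared against. The curve, key and signature constants are copied from the vector; the function names and the affine arithmetic are illustrative choices, and the code is not constant-time.

```python
import hashlib  # added example; helper names are illustrative, constants are the page's
H = lambda s: int(s.replace(" ", ""), 16)
M, POLY = 191, (1 << 191) | (1 << 9) | 1      # 80000000 ... 00000201 = x^191 + x^9 + 1
A = H("2866537B 67675263 6A68F565 54E12640 276B649E F7526267")
R = H("40000000 00000000 00000000 04a20e90 c39067c8 93bbb9a5")
G = (H("36B3DAF8 A23206F9 C4F299D7 B21A9C36 9137F2C8 4AE1AA0D"),
     H("765BE734 33B3F95E 332932E7 0EA245CA 2418EA0E F98018FB"))
W = (H("5DE37E75 6BD55D72 E3768CB3 96FFEB96 2614DEA4 CE28A2E7"),
     H("55C0E0E0 2F5FB132 CAF416EF 85B229BB B8E13520 03125BA1"))
C = H("038e5a11 fb55e4c6 5471dcd4 998452b1 e02d8af7 099bb930")
D = H("0c9a08c3 4468c244 b4e5d6b2 1b3c6836 28074160 20328b6e")

def gf_mul(a, b):                  # shift-and-add product in F(2^191), a < 2^191
    p = 0
    while b:
        p ^= a * (b & 1)
        a, b = (a << 1) ^ POLY * (a >> (M - 1)), b >> 1
    return p

def gf_inv(a):                     # extended Euclid on binary polynomials, a != 0
    u, v, g1, g2 = a, POLY, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u, g1 = u ^ (v << j), g1 ^ (g2 << j)
    return g1

def add(P, Q):                     # affine group law; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return None                # Q = -P = (x1, x1 + y1), or P has order 2
    num, den = (gf_mul(x1, x1) ^ y1, x1) if x1 == x2 else (y1 ^ y2, x1 ^ x2)
    lam = gf_mul(num, gf_inv(den)) # tangent slope when doubling, chord slope otherwise
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def mul(k, P):                     # recursive double-and-add: kP = (k >> 1)(2P) + (k & 1)P
    return None if k == 0 else add(mul(k >> 1, add(P, P)), P if k & 1 else None)

def ecvp_dsa(msg, c, d):           # steps (1)-(6) of section 8.4.3
    if not (1 <= c < R and 1 <= d < R):
        return False
    f = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    h = pow(d, -1, R)
    P = add(mul(f * h % R, G), mul(c * h % R, W))
    return P is not None and P[0] % R == c
```

`ecvp_dsa(b"abc", C, D)` accepts the vector; a changed message, or c or d outside [1, r-1], is rejected.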
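
Added example for the IFSSA vector (sections 10.2.2 and 10.2.3), not part of the original document or of P1363: it rebuilds the EMSA-X9.31 message representative and runs IFVP-RSA2 on the page's n and s. Function names are illustrative; the branch for t = 12 mod 16 is an assumption about the primitive's other case, since this vector only exercises f = n - t.

```python
import hashlib  # added example; function names are illustrative, N and S are the page's n and s

H = lambda s: int("".join(s.split()), 16)
N = H("""ACD1CC46 DFE54FE8 F9786672 664CA269 0D0AD7E5 003BC642 7954D939 EEE8B271
         52E6A947 450D7FA9 80172DE0 64D6569A 28A83FE7 0FA840F5 E9802CB8 984AB34B
         D5C1E639 9EC21E4D 3A3A69BE 4E676F39 5AAFEF7C 4925FD4F AEE9F9E5 E48AF431
         5DF0EC2D B9AD7A35 0B3DF2F4 D15DC003 9846D1AC A3527B1A 75049E3F E34F43BD""")
S = H("""61D35523 7E2A0586 6867110D 32F1D8D3 C5193F5C B7AC3892 B7FBE89D 0D85DB54
         4E136A54 9DFCF752 97EA9ECE 21F08558 93BBF230 99884E5E DAC82EDF AE44AF04
         53AB631C CBA5C76E DD13CBD3 D51F37FE 40B9A5DD 64835133 86F5C704 01687DFC
         27D1DDAF 6EDBD18C EFAD5CF8 17504C08 F482D262 AD3577AA 2705AAF0 9056578""")

def emsa_x931_sha1(msg, max_bits):
    """Step 1 of 10.2.2: f = P1 || P2 || BA || SHA-1(M) || P3 || CC, as an integer."""
    p2 = b"\xbb" * ((max_bits + 1) // 8 - 24)
    f = b"\x6b" + p2 + b"\xba" + hashlib.sha1(msg).digest() + b"\x33\xcc"
    return int.from_bytes(f, "big")

def ifvp_rsa2(s, n, e=3):
    """Step 1 of 10.2.3: recover f from s, or return None to reject."""
    if not 0 <= s <= (n - 1) // 2:   # (1): n - s cubes to -t and would recover the same f
        return None
    t = pow(s, e, n)                 # (2)
    if t % 16 == 12:                 # assumed other case of the primitive (not in this vector)
        return t
    return n - t if (n - t) % 16 == 12 else None   # (3)

def ifssa_verify(msg, s, n):
    """Step 2 of 10.2.3: compare the recovered f with a fresh encoding of msg."""
    f = ifvp_rsa2(s, n)
    return f is not None and f == emsa_x931_sha1(msg, n.bit_length() - 1)
```

The value s is printed on the page without its leading zero digit, so the groups must be concatenated before conversion rather than padded one by one.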