CRYPTOGRAPHY - Signatures
Contents
Signature introduction
At a glance:
- 1976 Idea published by Whit Diffie and Martin Hellman
- 1978 RSA crypto system invented by Rivest, Shamir and Adleman, can be used for encryption and signature
- 1985 ElGamal Signature Scheme invented, later improved by Schnorr
- Today any computationally hard problem can be turned into a signature scheme
- Variants of RSA (RSA-PKCS#1, RSA-PSS) and ElGamal-Schnorr (DSA, ECDSA) dominate applications
By convention, Message Authentication Codes (MACs), which are generated and verified with the same symmetric key, are not considered signatures: they do not provide non-repudiation.
Further info at a.o.
Signature scheme
A signature scheme is usually defined as a triplet of algorithms (K, S, V), where
- K is the Key generation algorithm,
- S is the Signing algorithm and
- V is the Verification algorithm.
K generates pairs (s, v) of keys for the signing and verification algorithms.
Only the party knowing s is able to generate a valid signature on m, sig(m), but using V and the corresponding key v (assumed to be public information), anybody can efficiently decide if a given (m, sig(m)) pair is valid.
Note that some schemes, e.g. Identity based schemes, also specify a fourth function, P, that generates parameters.
Fiat-Shamir
The Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it.
It is described in "How To Prove Yourself: Practical Solutions to Identification and Signature Problems", Fiat, Amos; Shamir, Adi, CRYPTO' 86.
This is used a.o. to define Schnorr signatures.
Signature suite
To meet security requirements and to allow signing of more or less arbitrary long messages, a signature scheme requires a hash function, so that the signing/verification algorithms operate on a fixed-size hash of the message. The combination of signature algorithm and hash function is called a signature suite.
With or without message recovery
Some signature schemes enable the whole message, or part of it, to be recovered from the signature. These schemes can be useful in constrained environments because only the non-recoverable part of the message needs to be stored or transmitted with the signature. As for asymmetric encryption, the main choices are whether to use factoring or DLOG based schemes (in the latter case also which group) and what security model/proof (if any) one finds attractive.
Security
Today the most widely used security notion for signatures is called resistance against existential forgery under adaptive chosen message attack. It is similar to that for MACs. Informally, this means that the attacker is allowed to have messages of his own choosing signed by a 'signing oracle', after which the attacker is to provide a single valid (m, sig(m)) pair that he has not seen before.
For more info refer to the NESSIE Security report, available at https://www.cosic.esat.kuleuven.ac.be/nessie/deliverables/D20-v2.pdf
Factorisation
RSA (1977)
RSA is a set of algorithms that can be used for encryption and for signature.
For signatures it can be used either as a scheme with appendix or as a scheme with message recovery.
- Signature scheme with appendix:
- Message + Alice’s private key = Signature (signature does not contain message, use of hash, more efficient for long messages)
- Message + Signature + Alice’s public key = YES/NO
- Signature scheme with message recovery:
- Message + Alice’s private key = Signature (signature contains message)
- Signature + Alice’s public key = YES/NO+Message
It can be observed that:
- RSA is not suited to some applications since signature generation is a costly operation.
- RSA signatures are large, some applications require smaller signature footprints.
- DSA is an algorithm that tries to address this.
Rabin (1979)
DLP-based (discrete logarithm problem)
In any group G, powers b^k can be defined for all integers k, and the discrete logarithm log_b a is an integer k such that b^k = a.
Used in DSA and ECDSA
Elgamal
Based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.
The ElGamal signature algorithm is rarely used in practice. A variant developed at the NSA and known as the Digital Signature Algorithm (DSA) is more widely used. There are several other variants.
- Taher ElGamal - Wikipedia
- ElGamal signature scheme (1985) - Wikipedia - involves four operations: key generation, key distribution, signing and verification
- Key generation
- Choice of algorithm parameters which may be shared between different users of the system.
- Choose a key length N
- Choose an N-bit prime number p
- Choose a cryptographic hash function H with output length L bits
- Choose a generator g < p of the multiplicative group of integers modulo p, Z_p^*
- The algorithm parameters are (p, g) which may be shared between users of the system
- Computation of a key pair for a user
- Choose an integer x randomly from {1 … p−2}, x is the private key
- Compute y:=g^x mod p, y is the public key
- Key distribution
- The signer should send the public key y to the receiver via a reliable, but not necessarily secret, mechanism.
- The signer should keep the private key x secret.
- Signing of a message m
- Choose an integer as ephemeral key k randomly from {2 … p−2} with k relatively prime to p−1
- Compute r:=g^k mod p
- Compute s := (H(m) − x r) k^{-1} mod (p−1)
- In the unlikely event that s=0 start again with a different random k
- The signature is (r,s)
- Verification
- Verify that 0 < r < p, and 0 < s < p-1
- The signature is valid if and only if g^{H(m)} ≡ y^r r^s (mod p)
Schnorr
- Schnorr signature scheme (1989) - Wikipedia
- Schnorr signatures have been suggested to be used for challenge response mechanisms in smart cards since the response part of the signature (the value of s) is particularly easy to evaluate since it only requires the computation of a single modular multiplication and a single modular addition.
- Key generation
- Choice of algorithm parameters which may be shared between different users of the system.
- Agreement on a group G of prime order q, with generator g in which the DLP is assumed to be hard. Typically a Schnorr group is used.
- Agreement on a hash function H: {0, 1}* → Z_q
- Computation of a key pair for a user
- Choose a private signing key, x from the allowed set
- The public verification key is y=g^x
- Key distribution
- The signer should send the public key y to the receiver via a reliable, but not necessarily secret, mechanism.
- The signer should keep the private key x secret.
- Signing of a message m
- Choose a random k from the allowed set
- Let r=g^k
- Let e = H(r ∥ m) where ∥ denotes concatenation and r is represented as a bit string
- Let s=k-xe
- The signature is the pair (s, e)
- Verification
- Let r_v=g^s y^e
- Let e_v = H(r_v ∥ m)
- If e_v = e then the signature is verified.
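As an added worked example (not part of these notes), the ElGamal steps listed in the previous section and the Schnorr steps above, implemented side by side in Python over a freshly generated toy safe prime p = 2q + 1 of about 96 bits. The Schnorr group is the order-q subgroup generated by g^2, the hash function of the suite is SHA-256, and the parameter size and function names are choices made here, not taken from the page.

```python
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; only used to build the toy parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits=96):
    """Toy safe prime p = 2q + 1 and a generator g of Z_p^* (real deployments use >= 2048 bits)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = secrets.randbelow(p - 3) + 2
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:  # order is neither 2 nor q, hence p - 1
            return p, q, g

def H(*parts):
    """Hash function of the signature suite: SHA-256 of the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

# ElGamal over Z_p^*: the key generation, signing and verification steps listed in the notes
def elgamal_keygen(p, g):
    x = secrets.randbelow(p - 2) + 1                # private key x in {1 .. p-2}
    return x, pow(g, x, p)                           # public key y = g^x mod p

def elgamal_sign(p, g, x, m):
    while True:
        k = secrets.randbelow(p - 3) + 2             # ephemeral key k in {2 .. p-2}
        if math.gcd(k, p - 1) != 1:                  # k must be invertible mod p-1
            continue
        r = pow(g, k, p)
        s = (H(m) - x * r) * pow(k, -1, p - 1) % (p - 1)
        if s != 0:                                   # the unlikely s = 0 case: new k
            return r, s

def elgamal_verify(p, g, y, m, sig):
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):            # range checks are part of the scheme
        return False
    return pow(g, H(m), p) == pow(y, r, p) * pow(r, s, p) % p

# Schnorr in the order-q subgroup generated by g2 = g^2 (a Schnorr group).  The hash
# e = H(r || m) is the Fiat-Shamir replacement for the verifier's random challenge.
def schnorr_keygen(p, q, g2):
    x = secrets.randbelow(q - 1) + 1                 # private key x in {1 .. q-1}
    return x, pow(g2, x, p)                          # public key y = g2^x

def schnorr_sign(p, q, g2, x, m):
    k = secrets.randbelow(q - 1) + 1                 # fresh random k
    r = pow(g2, k, p)                                # r = g2^k
    e = H(r.to_bytes(32, "big"), m) % q              # e = H(r || m), r as a fixed-width bit string (p <= 256 bits)
    return (k - x * e) % q, e                        # signature (s, e), s = k - x e

def schnorr_verify(p, q, g2, y, m, sig):
    s, e = sig
    r_v = pow(g2, s, p) * pow(y, e, p) % p           # r_v = g2^s y^e
    return H(r_v.to_bytes(32, "big"), m) % q == e    # accept iff e_v = e

def demo(m=b"constructed sample message", m_bad=b"constructed altered message"):
    """(ElGamal accepts m, ElGamal accepts m_bad, Schnorr accepts m, Schnorr accepts m_bad)."""
    p, q, g = gen_params()
    g2 = pow(g, 2, p)
    x, y = elgamal_keygen(p, g)
    sig = elgamal_sign(p, g, x, m)
    x2, y2 = schnorr_keygen(p, q, g2)
    sig2 = schnorr_sign(p, q, g2, x2, m)
    return (elgamal_verify(p, g, y, m, sig), elgamal_verify(p, g, y, m_bad, sig),
            schnorr_verify(p, q, g2, y2, m, sig2), schnorr_verify(p, q, g2, y2, m_bad, sig2))
```

Both verifiers accept the signed message and reject the altered one; the ElGamal verifier also applies the range checks of the notes before evaluating the equation.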
Undeniable signatures
In this scheme, a signer possessing a private key can publish a signature of a message. However, the signature reveals nothing to a recipient/verifier of the message and signature without taking part in one of two interactive protocols:
- Confirmation protocol, which confirms that a candidate is a valid signature of the message issued by the signer, identified by the public key.
- Disavowal protocol, which confirms that a candidate is not a valid signature of the message issued by the signer.
Refer to Chaum, David; van Antwerpen, Hans (1990) "Undeniable Signatures" and
Chaum, David (1991) "Zero-Knowledge Undeniable Signatures" EUROCRYPT '90.
DSA, ECDSA, EdDSA
- DSA - Wikipedia
- A Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem.
- A variant of the Schnorr and ElGamal signature schemes
- DSA is a signature with appendix algorithm and the signature produced consists of two 160-bit integers r and s
- The integer r is a function of a 160-bit random number k called the ephemeral key which changes with every message
- The integer s is a function of the message, the signer’s private key x, the integer r, the ephemeral key k
- ECDSA - Wikipedia
- By Don Johnson and Alfred Menezes, 1999
- A variant of DSA that uses elliptic curves
- Given a message and its signature, the public key can be recovered. An invalid signature, or a signature from a different message, will result in the recovery of an incorrect public key. The recovery algorithm can only be used to check validity of a signature if the signer's public key (or its hash) is known beforehand.
- EdDSA - Edwards DSA (2011) - Wikipedia
- The Edwards-Curve Digital Signature Algorithm (EdDSA) is a deterministic Schnorr signature variant using twisted Edwards curves rather than Weierstrass curves, at a significant performance gain.
- Ed25519 is a popular, if not the most popular, instance of EdDSA and is based on the Edwards curve Curve25519, providing 128 bits of security. Due to its superior efficiency among elliptic curve schemes and better security guarantees against side-channel attacks under weak randomness sources, Ed25519 is widely adopted by protocols such as TLS 1.3, SSH, Tor, GnuPG, Signal and more. It is also the preferred signature scheme of several blockchain systems, such as Corda, Tezos, Stellar, and Libra. For an analysis see Konstantinos Chalkias (SSR2020).
- ed25519 paper and public reference implementation
- Pointcheval Stern signature scheme - Wikipedia
- changes the ElGamal scheme slightly to produce an algorithm which has been proven secure in a strong sense against adaptive chosen-message attacks
- Nyberg–Rueppel Signatures
- based on discrete logarithms in some public finite abelian group G
- provides message recovery (which many other DL-based algorithms do not)
DH-based (Diffie-Hellman) key exchange
DH problems
There are two DH problems: the computational and the decisional one.
The (computational) Diffie–Hellman problem is stated informally as follows:
Given an element g and the values of g^x and g^y, what is the value of g^{xy}? (Remember 3^2 = 9, 3^3 = 27, 3^2 · 3^3 = 243 = 3^{2+3}, not 3^{2·3}.)
External and gap DH
- External and gap DH - Wikipedia
- The external Diffie–Hellman (XDH) assumption is used in ECC.
- XDH implies the existence of two distinct groups ⟨G1, G2⟩ with the following properties:
- The discrete logarithm problem (DLP), the computational Diffie–Hellman problem (CDH), and the computational co-Diffie–Hellman problem are all intractable in G1 and G2.
- There exists an efficiently computable bilinear map (pairing) e(·, ·): G1 × G2 → GT
- The decisional Diffie–Hellman problem (DDH) is intractable in G1.
- In certain EC subgroups, the existence of an efficiently-computable bilinear map (pairing) can allow for practical solutions to the DDH problem. These groups, referred to as gap Diffie–Hellman (GDH) groups, facilitate a variety of cryptographic protocols, including tri-partite key exchange, identity based encryption, and secret handshakes.
Boneh–Lynn–Shacham (BLS) signatures
- BLS - Boneh–Lynn–Shacham - Wikipedia 'Short signatures from the Weil pairing' - uses gap DH
- Works in a 'gap group', a group in which the CDH problem is intractable but the DDH problem can be efficiently solved. Non-degenerate, efficiently computable, bilinear pairings permit such groups.
- Let e : G × G → GT be a non-degenerate, efficiently computable, bilinear pairing where G, GT are groups of prime order r. Let g be a generator of G.
- Consider an instance of the CDH problem, g, g^x, g^y. Intuitively, the pairing function e does not help us compute g^{xy}, the solution to the CDH problem. It is conjectured that this instance of the CDH problem is intractable.
- Given g^z, we may check if g^z = g^{xy} without knowledge of x, y, and z, by testing whether e(g^x, g^y) = e(g, g^z) holds.
- By using the bilinear property x+y+z times, we see that if e(g^x, g^y) = e(g, g)^{xy} = e(g, g)^z = e(g, g^z), then, since GT is a prime order group, xy = z.
- The signature scheme is provably secure (the scheme is existentially unforgeable under adaptive chosen-message attacks) assuming both the existence of random oracles and the intractability of the computational Diffie–Hellman problem in a gap Diffie–Hellman group.
- Boneh and Franklin describe a generic method for converting any Identity-Based Encryption scheme into a signature scheme in 'Identity-based encryption from the Weil pairing', SIAM J. Comput., 32(3):586–615, 2003.
- Pointcheval and Sanders describe a randomizable signature scheme based on pairings in 'Short Randomizable Signatures' - Proceedings of the Cryptographers Track at the RSA Conference (CT-RSA ’16)
Hash based
One-time signatures (OTS)
- Lamport one-time signatures - 1979
- Both x and y are integers, private key is (x, y), public key is (h(x) | h(y)).
- To sign a single bit:
- if it’s 0, publish (x)
- if it’s 1, publish (y)
- Simple, but don’t use it to sign twice obviously (since you publish x 'half of the time'). Hence it's referred to as OTS.
- To sign multiple bits, hash what you want to sign (so that it has a predictable output length), for example with SHA-256. Then use 256 key pairs, each consisting of (x_n, y_n):
- Concatenate all x_n, y_n to create the private key,
- Concatenate all h(x_n) | h(y_n) to create the public key,
- If you want to sign (100110_2 ...),
- Then publish (y_0, x_1, x_2, y_3, y_4, x_5, ...)
- Ralph Merkle
- Merkle signature scheme - Wikipedia
- A Merkle signature scheme (MSS) consists of the combination of a one-time signature scheme (OTS) to sign the data and Merkle's tree authentication scheme, which reduces the authenticity of many one-time verification keys to the authenticity of a single public key.
- Merkle's paper 'A certified digital signature' - 1979
- This paper describes a digital signature system which is "pre-certified," generates signatures of about 1 to 3 kilobytes (depending on the exact security requirements), requires a few thousand applications of the underlying encryption function per signature, and only a few kilobytes of memory. If the underlying encryption function takes 10 microseconds to encrypt a block, generating a signature might take 20 milliseconds. The new signature method is called a "tree signature."
- Contents:
- A discussion of one way functions.
- A description of the Lamport-Diffie one time signature.
- An improvement to the Lamport-Diffie one time signature.
- The Winternitz one time signature.
- The W-OTS scheme was proposed by Ralph Merkle in his 1979 paper as an improved version of the Lamport-Diffie OTS to reduce the size of signatures. Instead of a 'per-bit signature', he proposed to sign multiple bits at once. He was inspired by Robert Winternitz, hence the name.
- Some months after Lamport's publication, Winternitz of the Stanford Mathematics Department proposed to publish h^w(x) instead of publishing (h(x) | h(y)).
- For example choose w=16 and publish h^16(x) as public key, still using x as secret key.
- To sign the binary 1001_2 (equal to 9_10), publish h^9(x).
- A problem now is that a malicious person could see this signature and hash it to create h^10(x) and thus forge a valid signature for 1010_2 (equal to 10_10). However this can be circumvented by adding a short checksum after the message (which you would have to sign as well).
- A description of tree signatures.
- Winternitz security
- Huelsing's W-OTS+ signatures
- Huelsing's W-OTS+ signatures explained
- XMSS signature - Buchmann, Dahmen and Huelsing
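Added example (not from these notes or from Merkle's paper): the 256-pair Lamport scheme and the w = 16 Winternitz scheme described above, with SHA-256 as h, and a check that the appended checksum rules out the forward-hashing forgery the notes mention. The 3-digit checksum layout, the 32-byte secrets and the function names are choices made here.

```python
import hashlib
import os

def h(data):
    """One-way function of the schemes (SHA-256 here)."""
    return hashlib.sha256(data).digest()

# Lamport OTS over the 256-bit digest of the message: 256 key pairs (x_n, y_n)
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]   # (x_n, y_n)
    pk = [(h(x), h(y)) for x, y in sk]                             # (h(x_n), h(y_n))
    return sk, pk

def msg_bits(msg):
    d = int.from_bytes(h(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]              # MSB first

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]         # x_n for a 0 bit, y_n for a 1 bit

def lamport_verify(pk, msg, sig):
    bits = msg_bits(msg)
    return len(sig) == 256 and all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

# Winternitz OTS with w = 16: 4 bits per hash chain, 64 message chunks plus a 3-chunk checksum
W = 16

def h_iter(x, n):
    """n-fold application h^n(x)."""
    for _ in range(n):
        x = h(x)
    return x

def wots_chunks(msg):
    """64 base-16 digits of the digest followed by the checksum sum(W-1-m_i) as 3 digits."""
    m = [c for byte in h(msg) for c in (byte >> 4, byte & 0xF)]
    cs = sum(W - 1 - c for c in m)                                 # at most 64 * 15 = 960 < 16**3
    return m + [(cs >> 8) & 0xF, (cs >> 4) & 0xF, cs & 0xF]

def wots_keygen():
    sk = [os.urandom(32) for _ in range(67)]
    return sk, [h_iter(x, W - 1) for x in sk]                      # public key: h^(w-1)(x_i)

def wots_sign(sk, msg):
    return [h_iter(x, c) for x, c in zip(sk, wots_chunks(msg))]    # publish h^(m_i)(x_i)

def wots_verify(pk, msg, sig):
    chunks = wots_chunks(msg)
    return len(sig) == 67 and all(h_iter(s, W - 1 - c) == p for s, c, p in zip(sig, chunks, pk))

def forward_hashing_suffices(old_chunks, new_chunks):
    """True iff every chain of a signature for old_chunks can be moved to new_chunks by
    hashing alone; any chunk that has to decrease would need a preimage of h instead."""
    return all(n >= o for o, n in zip(old_chunks, new_chunks))

def checksum_example():
    """The notes' example: 1001_2 = 9 signed, 1010_2 = 10 targeted, without and with checksum."""
    without = forward_hashing_suffices([9], [10])
    with_cs = forward_hashing_suffices([9, W - 1 - 9], [10, W - 1 - 10])
    return without, with_cs

def demo():
    """((Lamport accepts msg, accepts other), (WOTS accepts msg, accepts other), forward hashing possible)."""
    msg, other = b"constructed message", b"another constructed message"
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    lam = (lamport_verify(pk, msg, sig), lamport_verify(pk, other, sig))
    wsk, wpk = wots_keygen()
    wsig = wots_sign(wsk, msg)
    wots = (wots_verify(wpk, msg, wsig), wots_verify(wpk, other, wsig))
    # with the checksum appended, no other message is reachable from wsig by forward hashing only
    fwd = forward_hashing_suffices(wots_chunks(msg), wots_chunks(other))
    return lam, wots, fwd
```

Whenever any message chunk increases, the checksum strictly decreases, so at least one chain would have to run backwards; that is why the checksum chunks must be signed as well.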
Other hash based signatures
- Leighton-Micali Hash-Based Signatures ('LMS') - RFC 8554 - describes the Leighton and Micali adaptation of the original Lamport-Diffie-Winternitz-Merkle one-time signature system
- Sphincs.cr.yp.to
- SPHINCS-256 is a PQ stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU.
- Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB.
- SPHINCS-256 is designed to provide long-term 2^128 security even against attackers equipped with quantum computers.
- Unlike most hash-based signature schemes, SPHINCS-256 is stateless, allowing it to be a drop-in replacement for current signature schemes.
Few time signatures
Few-time signature schemes (FTS) include:
- 1994, The Bleichenbacher-Maurer OTS
- 2001, The BiBa OTS
- 2002, HORS
- 2014, HORST (HORS with Trees)
Structure Preserving Signatures
In most signature schemes, the message space consists of integers in Z_{ord(G)} for some group G, or of arbitrary strings mapped to either integers in Z_{ord(G)} or elements of a group G via a cryptographic hash function. In the latter case, the hash function is often modeled as a random oracle (thus, one effectively signs random group elements).
In contrast, structure-preserving signature (SPS) schemes sign group elements without requiring any prior encoding. SPS are defined over two groups G1 and G2, equipped with a bilinear map (pairing), and messages are vectors of group elements (from either G1 or G2 or both). Moreover, public keys and signatures also consist of group elements only and signatures are verified by deciding group membership of their elements and evaluating the pairing on elements from the public key, the message and the signature.
Fully SPS schemes also require the secret key to consist of group elements. The main reason for the introduction of SPS was their interoperability with the non-interactive zero-knowledge proof (NIZK) system by Groth and Sahai.
Structure-preserving signatures (SPS) are pairing-based signatures where all the messages, signatures and public keys are group elements, verified by testing equality of products of pairings of group elements.
They are useful building blocks in modular design of cryptographic protocols, in particular in combination with non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a group. SPS have found numerous applications in public-key cryptography, such as blind signatures, group signatures, homomorphic signatures, delegatable anonymous credentials, compact verifiable shuffles, network encoding, oblivious transfer and e-cash.
Lattice based (relevant for PQ)
PQ signatures
Signature types
CL signatures
Signatures with efficient protocols are a form of digital signature invented by Jan Camenisch and Anna Lysyanskaya in 2001.
They highlighted how certain digital signature schemes with suitable algebraic structures are amenable to applications such as anonymous credentials, direct anonymous attestation (DAA), and group signatures. These schemes easily enable the signing of a commitment, typically by being algebraically compatible with a Pedersen commitment, and support very efficient zero-knowledge proofs of knowledge of a valid message-signature pair.
In addition to being secure digital signatures, they need to allow for the efficient implementation of two protocols:
- A protocol for computing a digital signature in a secure two-party computation protocol
- In applications, the first protocol allows a signer possessing the signing key to issue a signature to a user (the signature owner) without learning all the messages being signed or the complete signature
- A protocol for proving knowledge of a digital signature in a zero-knowledge protocol
- The second protocol allows the signature owner to prove that he has a signature on many messages without revealing the signature and only a (possibly) empty subset of the messages
The combination of these two protocols allows for the implementation of digital credential and ecash protocols.
- Signature with efficient protocols - Wikipedia - Camenisch-Lysyanskaya
- Signature with efficient protocols - Camenisch-Lysyanskaya - a basis for anonymous credentials
- a signature scheme for issuing a signature on a committed value (so the signer has no information on the signed value)
- and for proving knowledge of a signature on a committed value
- can be used as a building block for anonymous credential schemes
CL anonymous credentials
And then there's also
- An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation - Camenisch-Lysyanskaya
- (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization.
- (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions.
- (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other.
- plus a new primitive, called circular encryption, which is of independent interest
Blind signatures
Electronic cash
Anonymous (group) signatures
Group signatures, introduced by Chaum and van Heyst, provide anonymity for signers. Any member of the group can sign messages, but the resulting signature keeps the identity of the signer secret.
In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation, where group membership can be selectively disabled without affecting the signing ability of unrevoked members.
The relevance of group signatures is indicated by e.g.
- The Trusted Computing effort [29] that, among other things, enables a desktop PC to prove to a remote party what software it is running via a process called attestation.
Group signatures are needed for privacy-preserving attestation.
- The Vehicle Safety Communications (VSC) system from the Department of Transportation in the U.S. embeds short-range transmitters in cars; these transmit status information to other cars in close proximity. For example, if a car executes an emergency brake, all cars in its vicinity are alerted. To prevent message spoofing, all messages in the system are signed by a tamper-resistant chip in each car. (MACs were ruled out for this many-to-many broadcast environment.) Since VSC messages reveal the speed and location of the car, there is a strong desire to provide user privacy so that the full identity of the car sending each message is kept private. Using group signatures, where the group is the set of all cars, we can maintain privacy while still being able to revoke a signing key in case the tamper resistant chip in a car is compromised. Due to the number of cars transmitting concurrently there is a hard requirement that the length of each signature be under 250 bytes.
Barić and Pfitzmann
First solutions were introduced by Barić and Pfitzmann, based on the Strong-RSA assumption, see N. Barić and B. Pfitzmann, "Collision-free accumulators and fail-stop signature schemes without trees", in Proceedings of Eurocrypt 1997, pages 480–494, Springer-Verlag, May 1997.
BBS
Boneh, Boyen, and Shacham defined a short group signature scheme, i.e. signer anonymity is provided, and with a standard security level, signatures can be represented in only 250 bytes.
It is based on the Decision Linear assumption (DLIN).
- BBS group signatures - Boneh, Boyen, Shacham, based on the Strong Diffie-Hellman (SDH) assumption in groups with a bilinear map
Their protocol first uses linear encryption in order to define a special type of zero-knowledge proof. Then the Fiat–Shamir heuristic is applied to transform the proof system into a digital signature. They prove this signature fulfills the additional requirements of unforgeability, anonymity, and traceability required of a group signature.
Their proof relies on not only the DLIN assumption but also another assumption called the q-strong Diffie-Hellman assumption. It is proven in the random oracle model.
Apparently BBS signatures were covered by CL signatures (but not under that name and without security proof).
Summary: the Decision Linear Problem in G1 is stated as follows. Given u, v, h, u^a, v^b, h^c ∈ G1 as input, output yes if a + b = c and no otherwise. One can easily show that an algorithm for solving Decision Linear in G1 gives an algorithm for solving DDH in G1. The converse is believed to be false. That is, it is believed that Decision Linear is a hard problem even in bilinear groups where DDH is easy (e.g., when G1 = G2).
The Decision Linear problem gives rise to the Linear encryption (LE) scheme, a natural extension of ElGamal encryption. Unlike ElGamal encryption, Linear encryption can be secure even in groups where a DDH-deciding algorithm exists.
- In the LE scheme, a user's public key is a triple of generators u, v, h ∈ G1
- The private key is the exponents x, y ∈ Zp such that u^x = v^y = h.
- To encrypt a message M ∈ G1, choose random values a, b ∈ Zp, and output the triple (u^a, v^b, M · h^{a+b}).
- To recover the message from an encryption (T1, T2, T3), the user computes T3/(T1^x · T2^y).
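Linear encryption as listed above, as an added example that is not part of these notes. It stands in Z_p^* for the Mersenne prime p = 2^127 − 1 instead of a pairing group G1 (the scheme's arithmetic is identical; the exponents live in Z_{p−1} here rather than the Zp of the notes), and it also shows how the trapdoor (x, y) decides a Decision Linear instance from the summary above. The modulus and the function names are choices made here.

```python
import math
import secrets

# Stand-in for G1: the multiplicative group Z_p^* with p = 2^127 - 1 (a Mersenne prime),
# whose order is p - 1.  No pairing exists here; BBS uses a pairing-friendly G1 of prime order.
P = 2**127 - 1
ORDER = P - 1

def le_keygen():
    """Public key (u, v, h) with u^x = v^y = h; private key (x, y)."""
    u = secrets.randbelow(P - 3) + 2
    x = secrets.randbelow(ORDER - 1) + 1
    while True:
        y = secrets.randbelow(ORDER - 1) + 1
        if math.gcd(y, ORDER) == 1:                  # y must be invertible mod the group order
            break
    h = pow(u, x, P)                                 # h = u^x
    v = pow(h, pow(y, -1, ORDER), P)                 # v = h^(1/y), so that v^y = h
    return (u, v, h), (x, y)

def le_encrypt(pk, M):
    """Ciphertext (u^a, v^b, M * h^(a+b)) for a group element M."""
    u, v, h = pk
    a, b = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    return pow(u, a, P), pow(v, b, P), M * pow(h, a + b, P) % P

def le_decrypt(sk, ct):
    """M = T3 / (T1^x * T2^y), since T1^x * T2^y = h^a * h^b."""
    x, y = sk
    T1, T2, T3 = ct
    return T3 * pow(pow(T1, x, P) * pow(T2, y, P) % P, -1, P) % P

def dlin_with_trapdoor(sk, ua, vb, hc):
    """Whoever knows (x, y) decides a Decision Linear instance: a + b = c iff (u^a)^x (v^b)^y = h^c."""
    x, y = sk
    return pow(ua, x, P) * pow(vb, y, P) % P == hc

def demo():
    """(decryption round-trips, DLIN 'yes' instance accepted, DLIN 'no' instance rejected)."""
    pk, sk = le_keygen()
    u, v, h = pk
    M = secrets.randbelow(P - 2) + 1                 # constructed random group element as the message
    ok = le_decrypt(sk, le_encrypt(pk, M)) == M
    a, b = secrets.randbelow(ORDER), secrets.randbelow(ORDER)
    yes = dlin_with_trapdoor(sk, pow(u, a, P), pow(v, b, P), pow(h, a + b, P))
    no = dlin_with_trapdoor(sk, pow(u, a, P), pow(v, b, P), pow(h, a + b + 1, P))
    return ok, yes, no
```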
The underlying building block for the group signature scheme is a protocol for proving possession of a solution to an SDH problem.
MATTR reference implementation (New Zealand)
Microsoft reference implementation
Further:
- BBS standardization effort by the W3C Verifiable Credentials Working group
- RFC draft: draft-irtf-cfrg-bbs-signatures-01, Internet Engineering Task Force, October 2022
- BBS is also a building block for DAA
- BBS is used by Intel SGX’s EPID protocol
Most applications, and the RFC draft, consider the provably-secure version of BBS referred to as BBS+, whose signatures consist of one group element in G1 and two scalars in Zp, where p is the group order.
BBS+
BBS+ signatures are derived from BBS, which was improved upon as BBS+ in 'Constant-Size Dynamic k-TAA'.
The scheme was proposed by Au, Susilo, and Mu, and proved secure under the q-SDH assumption.
BBS+ signatures require a pairing-friendly curve, e.g. BLS12-381.
BBS+ signatures allow multiple messages to be signed while producing a single output signature. With a BBS signature, a proof of knowledge can be produced in which only some of the originally signed messages are revealed, at the discretion of the prover.
Threshold signatures
- RSA PKCS#1 (IETF RFC 8017) - RSA Cryptography Specifications Version 2.2
- cryptographic primitives
- encryption schemes
- signature schemes with appendix
- ASN.1 syntax for representing keys and for identifying the schemes
The Cryptographic Message Syntax (CMS) is the IETF's standard for cryptographically protected messages.
It can be used by cryptographic schemes and protocols to sign, digest, authenticate or encrypt data.
It is based on the syntax of PKCS #7, which in turn is based on the Privacy-Enhanced Mail standard.
CMS is used as the key cryptographic component of a.o. S/MIME, PKCS #12 and the RFC 3161 Digital timestamping protocol.
OpenSSL is open source software that can encrypt, decrypt, sign and verify, compress and uncompress CMS documents.
- CMS - Wikipedia
- RFC 5652 Cryptographic Message Syntax (CMS)
- RFC 6268 New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME
- RFC 5753 Using Elliptic Curve Cryptography with CMS
- RFC 5084 Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
A mechanism for ensuring the authenticity and integrity of Linked Data documents using mathematical proofs.
Not a W3C Standard nor on the W3C Standards Track. Experimental.
Signature standards
Other
XML
- W3C XMLDSIG - the basis for XAdES
- Wikipedia on XMLDSIG
- XML signatures can be used to sign data (a resource) of any type, typically XML documents, but anything that is accessible via a URL can be signed.
- An XML signature used to sign a resource outside its containing XML document is called a detached signature;
- if it is used to sign some part of its containing document, it is called an enveloped signature;
- if it contains the signed data within itself it is called an enveloping signature.
- XAdES (short for XML Advanced Electronic Signatures) is a set of extensions to the XML-DSig recommendation making it suitable for advanced electronic signatures.
W3C and ETSI maintain and update XAdES together.
- XMLDSIG interop report 2001
IETF
- S/MIME - Wikipedia
- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551.
- It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format.
- Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7.
- S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.
- IETF RFC 8551 S/MIME
- IETF draft pairing-friendly curves
- IETF RFC 5091 - Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems
- IETF RFC 6090 - Fundamental Elliptic Curve Cryptography Algorithms
- IETF RFC 6507 - Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)
- IETF RFC 6508 - Sakai-Kasahara Key Encryption (SAKKE) - IBE
- IETF RFC 6509 - MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)
- IETF RFC 9052 - COSE: CBOR Object Signing and Encryption (COSE): Structures and Process - for IoT
Other
For more signature standards refer to
Signature verification
IETF PKIX
See also ISO and ETSI.