[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Names of algorithms

To: spki@c2.net
Subject: Names of algorithms
From: rivest@theory.lcs.mit.edu (Ron Rivest)
Date: Tue, 01 Apr 97 18:19:30 EST
Cc: blampson@microsoft.com, burt@rsa.com
Sender: owner-spki@c2.net


This note outlines a scheme for naming cryptographic algorithms using
S-expressions rather than a concatenation of byte-strings for the various
components.  I believe this approach is more modular and flexible.  Some
details still need to be worked out, but this note gives the flavor of
the method.  It is based on phone conversations with Carl Ellison and
Burt Kaliski.

The focus here is on digital signature algorithms.  Remember than in
SDSI/SPKI a "principal" IS a key for verifying a signature.  

The proposed format for the name of a signature (verification) algorithm is:
	( <key-type> 
          <hash-alg> 
          <data-format-alg> 
          <signature-alg> 
	)

An example of such an algorithm name is
	( public-key
	  ( md5 )
	  ( pkcs1 )
	  ( rsa ( n &7823fca14457 ) ( e &03 ) )
        )

First, note that the elements are in the order in which they are used: first 
you hash the message, then format the result of the hash for the signature
algorithm, then apply the public-key algorithm.  The second
of these operations may be "no-op" for the identify transformation.

Any of these elements may have further parameters.

The algorithm-type may be either "public-key" (a verification key)
"private-key" (for the private signing key), or "shared-secret-key"
(for computing MAC's based on a shared secret key).  The format of the
remaining items is the same, although it is assumed that a share-secret-key
"signature" algorithm is based on symmetric cryptography, so that the
key must be kept secret.

A collision-resistant hash algorithm is ALWAYS employed.  This
algorithm must produce an output small enough to be used by the latter
processing steps.  The following names are allowed (for now):
	md5
	sha1
(The "no-op" operation is not allowed here, as it is not guaranteed to
produce a short-enough output.)

The data-formatting algorithm takes the hash output value, and prepares
it for signing by appropriate transformations.  The "no-op" value is 
OK here.  The hash algorithm and the data-formatting operation work
together to produce the value "actually signed".  These values include
	pkcs1
	no-op

The signature algorithm specifies the algorithm and parameters necessary
to verify the signature.  The initial algorithms supported for the
public-key algorithms are
	rsa
	dsa
and for the secret-key algorithms hare
	hmac
	cbc-mac
These latter algorithms may have parameters, e.g.
	( cbc-mac ( iv &023456 ) 
                  ( rc5 ( w 64 ) ( r 20 ) ( b 10 ) 
	                ( k &012354769803aaffbbdd ) ) )
or
	( hmac ( sha1 ) )

It is assumed that the signature algorithm produces either a byte string
or an ordered list of byte-strings as output.  (Some algorithms, such as
DSA, have two outputs.)

Obviously, this needs to be fleshed out with further specific algorithm
names and transformations.  

Summary: We propose using four-part S-expressions to name signature algorithms.

Follow-Ups:

Re: Names of algorithms

From: Carl Ellison <cme@cybercash.com>

Re: Names of algorithms

From: Bill Frantz <frantz@netcom.com>

Prev by Date: Implications of the new reduction algorithm
Next by Date: Re: may-delegate (propagation control) proposal: "stop-at-key"
Prev by thread: Implications of the new reduction algorithm
Next by thread: Re: Names of algorithms
Index(es):
- Main
- Thread