1 Scope
2 Normative references
     2.1 Identical Recommendations | International Standards
     2.2 Paired Recommendations | International Standards equivalent in technical content
     2.3 Recommendations
     2.4 International Standards
     2.4 Additional references
3 Definitions
     3.1 Terms defined elsewhere
     3.2 Terms defined in this Recommendation | International Standard
4 Abbreviations
5 Conventions
6 Cybersecurity considerations for communication networks
     6.1 The challenge of large information and communication technology (ICT) networks
     6.2 Connection-mode communication
          6.2.1 General
          6.2.2 Association establishment phase
          6.2.3 Data transfer phase
          6.2.4 Association termination phase
     6.3 Security services
7 Overview of cryptographic algorithms
     7.1 Introduction
     7.2 Formal specification of cryptographic algorithms
     7.3 Security properties of cryptographic algorithms
     7.4 Security strength
     7.5 One-way functions
     7.6 Random number generation and entropy
8 Symmetric-key algorithms
     8.1 General
     8.2 Symmetric key encryption
     8.3 Authenticated encryption with associated data (AEAD)
     8.4 Symmetric key requirements
9 Hash algorithms
10 Public key and asymmetric cipher
     10.1 Public-key cryptography
     10.2 Asymmetric cipher
11 Public key and digital signature algorithms
     11.1 General
12 Key establishment algorithms
13 Integrity check value (ICV) algorithms
14 Post-quantum cryptography considerations
     14.1 General considerations
     14.2 Crypto agility
     14.3 Quantum computers and cryptographic algorithm migration
     14.4 Possible attacks by use of quantum computers
          14.4.1 Symmetric cryptographic algorithms
          14.4.2 Asymmetric cryptographic algorithms
     14.5 Mathematic behind post-quantum cryptography
15 Hardware security modules
16 Public-key infrastructure establishment
17 Public-key certificates
     17.1 General
     17.2 The identity and role of the certification authority
     17.3 Distinguished name considerations
     17.4 Content of the basic structure of a public-key certificate
          17.4.1 General
          17.4.2 Version component
          17.4.3 Serial number component
          17.4.4 Signature component
          17.4.5 Issuer component
          17.4.6 Validity component
          17.4.7 Subject component
          17.4.8 Subject public-key information
          17.4.9 Issuer unique ID and subject unique ID
     17.5 Extensions for public-key certificates
          17.5.1 Some considerations on extensions to public-key certificates and other data types
          17.5.2 Basic constraints extension
          17.5.3 Key usage extension
          17.5.4 Subject alternative name extension
          17.5.5 Authority information access extension
          17.5.6 Authority key identifier extension
          17.5.7 Subject key identifier extension
          17.5.8 No revocation information available extension
          17.5.9 Subject alternative public-key info extension
          17.5.10 Alternative signature algorithm extension
          17.5.11 Alternative signature value extension
          17.5.12 Subject directory attribute extension type
     17.7 Chaining of public-key certificates
          17.7.1 Name chaining
          17.7.2 Key identifier chaining
18 Certificate life-cycle management
     18.1 General
     18.2 Validity of certificates to be installed or reviewed
     18.3 Local policy with respect to invalid certificates
19 Machine identity and machine-to-machine communication
20 Trust establishment
     20.1 General
     20.2 Single public-key infrastructure domain
     20.3 Trust establishment between two public-key infrastructure domains
     20.4 A worldwide federated public-key infrastructure
     20.5 Trust anchor compromise
21 PKI configurations
     21.1 Introduction
     21.2 Public-key infrastructure (PKI) components
22 PKI establishment
     22.1 Human resources
          22.1.1 Public-key infrastructure knowledge
          22.1.2 Cryptographic algorithm knowledge
     22.2 IETF public-key infrastructure specifications
          22.2.1 Enrolment over Secure Transport (EST)
          22.2.2 Internet X.509 PKI Certificate Management Protocol (CMP)
          22.2.3 Certificate Management over CMS (CMC)
23 Revocation of public-key certificates
     23.1 Certificate revocation lists (CRLs)
     23.2 Online certificate status protocol (OCSP)
Annex A  Cryptographic primitives
     A.1 Block cipher algorithms
          A.1.1 Block cipher functions and block cipher operation modes
          A.1.2 Feistel cipher structure
               A.1.2.1 Introduction
               A.1.2.2 The classic Feistel structure
               A.1.2.3 Additional specification for algorithms based on the Feistel cipher structure
               A.1.2.4 Other Feistel structures
          A.1.3 Advanced encryption standard
               A.1.3.1 General
               A.1.3.2 The octet substitution layer
               A.1.3.3 The shift rows layer
               A.1.3.4 The mix columns layer
               A.1.3.5 The add round key layer
               A.1.3.6 Generation of subkeys
          A.1.4 ShāngMi 4 (SM4) block cipher algorithm
               A.1.4.1 The ShāngMi 4 (SM4) unbalanced Feistel structure
               A.1.4.2 The F round function
               A.1.4.3 Nonlinear transformation
               A.1.4.4 Linear transformation
               A.1.4.5 The F function result
               A.1.4.6 The key expansion
          A.1.5 Operation modes for block cipher symmetric-key algorithms
               A.1.5.1 Overview of block cipher operation mode
               A.1.5.2 Electronic codebook (ECB) operation mode
               A.1.5.3 Cipher block chaining (CBC) operation mode
               A.1.5.4 Cipher feedback (CFB) operation mode
               A.1.5.5 Output feedback operation mode
               A.1.5.6 Counter operation mode
               A.1.5.7 Padding
     A.2 Authenticated encryption with associated data (AEAD) algorithms
          A.2.1 General
          A.2.2 Galois/counter mode (GCM)
               A.2.2.1 General
               A.2.2.2 GCM encryption
               A.2.2.3 Formatting of associated data
               A.2.2.4 Formatting of the encrypted payload
               A.2.2.5 Structure of counter blocks
          A.2.3 Counter with CBC-MAC (CCM)
               A.2.3.1 General
               A.2.3.2 CCM encryption
               A.2.3.3 Format of block ,    -    .
               A.2.3.4 Formatting of associated data
               A.2.3.5 Formatting of the payload
               A.2.3.6 Structure of counter blocks
               A.2.3.7 CCM decryption
     A.3 Cryptographic hash algorithms
          A.3.1 General
          A.3.2 Merkle-Damgaard construction
               A.3.2.1 General
               A.3.2.2 Padding of messages
                    A.3.2.2.1 Padding scheme
                    A.3.2.2.2 Padding for 64 bits length field
                    A.3.2.2.3 Padding for 128 bits length field
               A.3.2.3 Compression function
               A.3.2.4 Requirements on hash functions
          A.3.3 The SHA-2 series of hash algorithms
               A.3.3.1 Referenced specifications
               A.3.3.2 The SHA-2 series overview
               A.3.3.3 SHA-2 formal specifications
               A.3.3.4 SHA-224 and SHA-256 algorithms
               A.3.3.5 SHA-384 and SHA-512 algorithms
               A.3.3.6 SHA-512/224 and SHA-512/256 algorithms
          A.3.4 The Kᴇᴄᴄᴀᴋ (sponge) algorithms
          A.3.5 SHA-3 series of hash algorithms
               A.3.5.1 SHA-3 characteristics
               A.3.5.2 SHA-3 formal specifications
                    A.3.5.2.1 Introduction
                    A.3.5.2.2 SHA3-224 specification
                    A.3.5.2.3 SHA3-256 specification
                    A.3.5.2.4 SHA3-384 specification
                    A.3.5.2.5 SHA3-512 specification
                    A.3.5.2.6 SHAKE-128 and SHAKE-256 specifications
                    A.3.5.2.7 SHAKE-128-len and SHAKE-256-len specifications
          A.3.6 ShāngMi 3 (SM3) hash algorithm
               A.3.6.1 General
               A.3.6.2 Padding method
               A.3.6.3 SM3 formal specification
     A.4 The RSA crypto system
          A.4.1 General about the RSA crypto system
          A.4.2 Key generation
          A.4.3 Security considerations
     A.5 Asymmetric encryption
          A.5.1 General
          A.5.2 RSA asymmetric cipher
               A.5.2.1 Introduction
               A.5.2.2 RSA encryption schemes – optimal asymmetric encryption padding (RSAES-OAEP)
               A.5.2.3 RSA encryption schemes – public-key cryptography standards (RSAES-PKCS) V1.5
     A.6 Public-key algorithms including digital signature algorithms
          A.6.1 General
          A.6.2 The RSA digital signature system
               A.6.2.1 General
               A.6.2.2 RSA signature scheme with appendix – probabilistic signature scheme (RSASSA-PSS)
               A.6.2.3 Signature generation and verification
          A.6.3 The DSA public-key algorithm
          A.6.4 The elliptic curve digital signature algorithms (ECDSA)
               A.6.4.1 General
               A.6.4.2 Defined curves
               A.6.4.3 Key generation
               A.6.4.4 Security considerations
               A.6.4.5 Digital signature generation
               A.6.4.6 Digital signature verification
               A.6.4.7 Formal specifications of digital signature algorithms
          A.6.5 SM2 algorithm
          A.6.6 The Edwards-curve digital signature algorithms
               A.6.6.1 General
               A.6.6.2 Defined curves
               A.6.6.3 Point encoding and decoding
               A.6.6.4 Key pair generation
               A.6.6.5 Digital signature generation
               A.6.6.6 Signature verification
               A.6.6.7 Security issues
               A.6.6.8 Formal specifications of digital signature algorithms
     A.7 Key establishment algorithms
          A.7.1 Introduction
          A.7.2 RSA symmetric key encapsulation
          A.7.3 The Diffie-Hellman key agreement method
               A.7.3.1 General
               A.7.3.2 Finite field cryptography Diffie-Hellman key agreement
               A.7.3.3 Elliptic curve Diffie-Hellman key agreement
                    A.7.3.3.1 Procedure
                    A.7.3.3.2 Formal specification
               A.7.3.4 X25519 and X448 Diffie-Hellman key agreement
                    A.7.3.4.1 Procedure
                    A.7.3.4.2 Formal specification
               A.7.3.5 Man-in-the-middle attack
          A.7.4 Key derivation function
               A.7.4.1 General
               A.7.4.2 HMAC-based extract-and-expand key derivation function
     A.8 Integrity check value (ICV) algorithms
          A.8.1 Introduction
          A.8.2 Keyed-hash message authentication code (HMAC)
               A.8.2.1 Introduction
               A.8.2.2 Specification of keyed hashing
          A.8.3 Cipher-based message authentication code (CMAC)
               A.8.3.1 General
               A.8.3.2 Formal specification
          A.8.4 Kᴇᴄᴄᴀᴋ message authentication code (KMAC)
               A.8.4.1 General
                    A.8.4.1.1 Integer to character string encoding
                    A.8.4.1.2 String encoding
                    A.8.4.1.3 Padding
               A.8.4.2 Input message constructions
               A.8.4.3 KMAC formal specifications
          A.8.5 Galois message authentication code (GMAC) algorithm
Annex B  Basic mathematic concepts for cryptographic algorithms
     B.1 Introduction to basic mathematic
          B.1.1 Scope of annex
          B.1.2 The prime number, the semiprime and the coprime number concepts
          B.1.3 Greatest common divisor
          B.1.4 The logarithm concept
          B.1.5 Operations on matrices
          B.1.6 Least common multiple
          B.1.7 Bitwise logical operations
               B.1.7.1 Bitwise NOT logical operation
               B.1.7.2 Bitwise AND logical operation
               B.1.7.3 Bitwise OR logical operation
               B.1.7.4 Bitwise Exclusive-OR logical operation
          B.1.8 Bit masking
     B.2 Modular arithmetic
     B.3 Group theory
          B.3.1 Introduction
          B.3.2 Notation
          B.3.3 Additive group of integers
          B.3.4 Multiplicative group of integers
          B.3.5 Cyclic groups
          B.3.6 The discrete logarithm problem
          B.3.7 Generalized discrete logarithm problem
          B.3.8 Subgroup
          B.3.9 Order of group and order of element
          B.3.10 Ways to resolve or attack the discrete logarithm problem
               B.3.10.1 General
               B.3.10.2 Brute-force attack
               B.3.10.3 Square root attack
               B.3.10.4 Index calculus attacks
     B.4 Finite fields (Galois field)
          B.4.1 General
          B.4.2 Prime fields
          B.4.3 Binary fields GF(2ᵐ)
               B.4.3.1 Polynomials as elements
               B.4.3.2 GF(2³) binary field
               B.4.3.3 GF(2⁸) binary field
               B.4.3.4 Addition and subtraction in GF(2ᵐ)
               B.4.3.5 Multiplication in GF(2ᵐ)
               B.4.3.6 Inversion in GF(2ᵐ)
               B.4.3.7 Irreducible polynomials
               B.4.3.8 Cyclic group of polynomials
     B.5 Overview of Elliptic curve cryptography
          B.5.1 Reasons for using elliptic curve cryptography
          B.5.2 Overview of polynomial forms for defining elliptic curves
          B.5.3 Variants of the Weierstrass form
          B.5.4 The Montgomery form
          B.5.5 The twisted Edwards curves
     B.6 Elliptic curve cryptography for short-Weierstrass form
          B.6.1 Definition of curves based on the Weierstrass form
          B.6.2 Defining group over elliptic curve
               B.6.2.1 General
               B.6.2.2 Group operation
               B.6.2.3 Scalar multiplication of point on elliptic curve
               B.6.2.4 Adding two points with the same x-coordinate
               B.6.2.5 Verification of group characteristics
               B.6.2.6 Scalar multiplication and elliptic-curve discrete logarithm problem
               B.6.2.7 Subgroups
               B.6.2.8 Domain parameters
     B.7 Montgomery elliptic curve cryptography
          B.7.1 Introduction
          B.7.2 Curve25519 and Ed25519
          B.7.3 Curve448 and Ed448
          B.7.4 The Montgomery curves
          B.7.5 The Edwards curves
     B.8 Conversion techniques
          B.8.1 General
          B.8.2 Bit string-to-integer conversion and binary length of integer
          B.8.3 Integer-to-bit string conversion
          B.8.4 Octet string to integer conversion
          B.8.5 Integer-to-octet string conversion
          B.8.6 Bitstring-to-octet string conversion
     B.9 Miscellaneous formulae
          B.9.1 Introductions
          B.9.2 The Euclidean algorithm
          B.9.3 The extended Euclidean algorithm
               B.9.3.1 Main application of the Euclidean algorithm
               B.9.2.2 First step of computing the extended Euclidean algorithm
          B.9.3 Fermat's little theorem
          B.9.4 Lagrange's theorem
          B.9.5 Euler's phi function
     B.10 Endianness (big endian vs. little endian)
     B.11 Selected attacks on cryptographic algorithms
          B.11.1 Side-channel attack
          B.11.2 Square root attack
Annex C  Alphabetical list of cryptographic concepts and definitions
Bibliography