AU743461B2 - Cryptographic communication process - Google Patents

Info

Publication number: AU743461B2
Authority: AU (Australia)
Prior art keywords: image, polynomial, message, degree, branches
Legal status: Ceased (status as listed by Google; not a legal conclusion)
Application number: AU65420/00A
Other versions: AU6542000A (en)
Inventor: Jacques Patarin
Current assignee: CP8 Technologies SA
Original assignee: CP8 Transac; Bull CP8 SA
Priority date: 1995-07-27 (FR9509179)
Filing date: 2000-10-10
Publication dates: 2000-12-14 (AU6542000A), 2002-01-24 (AU743461B2)

Events:
Application filed by CP8 Transac, Bull CP8 SA
Priority to AU65420/00A
Publication of AU6542000A
Application granted
Publication of AU743461B2
Anticipated expiration
Ceased (current legal status)

Description

AUSTRALIA
Patents Act 1990
CP8 TRANSAC
ORIGINAL
COMPLETE SPECIFICATION STANDARD PATENT
Invention Title: Cryptographic communication process
The following statement is a full description of this invention, including the best method of performing it known to us:

The invention relates to an asymmetric cryptographic communication process for processing messages and protecting communications between interlocutors. It can be used to encipher messages asymmetrically or to sign them, also asymmetrically. It can also be used in asymmetric authentication.
A well-known first solution was developed in 1977. This solution was the subject of US patent 4,405,829, filed by the inventors Rivest, Shamir and Adleman on December 14, 1977. This solution, commonly called RSA from the names of the inventors, uses two types of keys. The first key (Kp) allows the enciphering of messages and the second (Ks) allows their deciphering. This process, which is known throughout the world, is the basis for asymmetric cryptography, so called because the keys for enciphering and deciphering are different. In the same network, each member possesses a pair of keys. The first (Kp) is public and can therefore be known by anyone; the second (Ks) is secret and must never be communicated.

An enciphered communication between two interlocutors (1) and (2) in the same network is carried out in the following way: (1) and (2) communicate their public keys (Kp1) and (Kp2) to one another ahead of time; then, when (1) desires to send a message M to (2), he enciphers the message with the key (Kp2), and once this message is received by (2), it can only be deciphered with the aid of the secret key (Ks2) held by (2):

Enciphering: M' = RSA(M, Kp2)
Deciphering: M = RSA(M', Ks2)

When (2) desires to send a message to (1), he enciphers it using the public key (Kp1) belonging to (1), and (1) deciphers it with his own secret key (Ks1).

The RSA process can also be used for signature: the message is then enciphered with an individual's secret key and the enciphered message, called a signature, is then transmitted with the message in unenciphered form; the receiver of the message requests the individual's public key from an authority and uses it to decipher the signature; if the deciphered text corresponds to the unenciphered message, the signature is authentic.

This cryptographic communication process has several drawbacks. The numbers to be manipulated are quite large (typically 512 bits at present), which requires numerous calculations to be performed and leads to signatures which are very long. Moreover, the security of RSA would be compromised if new breakthroughs in factorization were to be achieved.
Other asymmetric cryptographic communication processes have been suggested for performing the functions of asymmetric enciphering or signature of messages, such as those which use "knapsack"-based algorithms or the Matsumoto-Imai algorithm. However, these two examples have been shown to have a degree of security which is entirely insufficient.

The present invention proposes a solution which does not have the drawbacks of these two examples, but which retains a certain number of their advantages. The present invention uses a novel algorithm called a "Hidden Fields Algorithm" or HFE (Hidden Field Equations) which, like RSA, can be used for the functions of authentication, enciphering and signature. Moreover, while RSA is chiefly based on the problem of factorizing large numbers, the HFE algorithm is based on a completely different problem: the solving of multivariable low-degree equations (typically with a degree of 2 or 3). It must be noted that the Matsumoto-Imai algorithm also had this property but, as already indicated, it has been shown to have a degree of security which is entirely insufficient, which renders it unsuitable for utilization in a cryptographic communication process. The author of the present invention is also the person who discovered that the Matsumoto-Imai algorithm was not cryptographically solid.

Among the novel elements which can contribute to the solidity of the HFE algorithm are the fact that this algorithm is not necessarily bijective, and the fact that it can use very general polynomial equations.

Another advantage which arises from the invention is the ability of the HFE algorithm to calculate ultrashort signatures (less than 200 bits), whereas the shortest asymmetric signatures known at present are on the order of 220 or 320 bits (obtained with the aid of the Schnorr algorithm or the DSS algorithm; these algorithms can be used for signature or authentication only, not for enciphering/deciphering). It is preferable to use at least 512 bits when using RSA.
Definitions:

1. An "extension" with a degree of $n$ of a ring $A$ is any algebraic structure isomorphic with $A[X]/(g(X))$, in which $A[X]$ is the ring of the polynomials with an indeterminate on $A$, and in which $g(X)$ is a polynomial with a degree of $n$.

A particularly advantageous case is the one in which $A$ is a finite field $\mathbb{F}_q$ and $g$ is an irreducible polynomial with a degree of $n$ on $\mathbb{F}_q$. In this case, $A[X]/(g(X))$ is a finite field isomorphic with $\mathbb{F}_{q^n}$.

2. A "base" of an extension $L_n$ of $A$ with a degree of $n$ is a family of $n$ elements of $L_n$, $(e_1, e_2, \ldots, e_n)$, such that every element $e$ of $L_n$ is expressed in a unique way in the form $e = \sum_{i=1}^{n} a_i e_i$ with $a_i \in A$.
To this end, the invention relates to a cryptographic communication process which transforms a value (X), represented by (n) elements of a finite ring (K), into an image value (Y), represented by elements of the ring (K), characterized in that:

a) each element of the image value (Y) is in the form of a public polynomial equation with a low degree (D), greater than or equal to 2 (typically D = 2 or 3), composed of the elements of the value (X);

b) the image value (Y) can also be obtained from the value (X) through a transformation comprising the following steps, at least some of which require the knowledge of a cryptographic secret:

b1) applying to the value (X) a first secret polynomial transformation having a degree 1, composed of the elements of the value (X), in order to obtain a first image (I1) with (n) elements;

b2) forming one or more branches, each of which is composed of elements of the first image (I1) (for example, the first branch comprises the $n_1$ first elements of I1, the second branch comprises the $n_2$ subsequent elements, etc.; the same element could also be present in several branches), and, in at least one (or possibly all) of the branches, the $n_e$ elements of the branch are considered to represent a variable or a small number $k$ of variables $(x'', \ldots, x^k)$ belonging to an extension $L_W$ with a degree $W$ of the ring (K), with $W \cdot k \geq n_e$, and applying to at least this branch a transformation $f_e$ defined as follows:

$$f_e : L_W^k \to L_W^k, \qquad (x'', \ldots, x^k) \mapsto (y'', \ldots, y^k),$$

noting that $(y'', \ldots, y^k)$ is the image of $(x'', \ldots, x^k)$ from the transformation $f_e$, with $f_e$ verifying the following two properties:

b2.1) in a base of the ring extension $L_W$, each component of the image $(y'', \ldots, y^k)$ is expressed in the form of a polynomial composed of the components of $(x'', \ldots, x^k)$ in this base, which polynomial has a total degree less than or equal to the degree (D) of the public polynomial equation;

b2.2) expressed in the ring extension $L_W$, the transformation $f_e$ is such that it is possible (except perhaps for certain entries, the number of which is negligible relative to the total number of entries) to calculate the antecedents of $f_e$ when they exist (this calculation is carried out either by means of an exhaustive search when $n_e$ is very small, or by using a mathematical algorithm for solving this type of polynomial equation in finite rings);

and of applying, to the other possible branches, polynomial transformations with a degree less than or equal to the degree (D), formed of the components with value in the ring (K);

b3) a (secret or public) polynomial with a degree less than or equal to (D) is added at the output of the branch thus transformed or of the other branches, which polynomial depends only on the variables of the branches situated immediately ahead of this branch (this step is not mandatory; it is possible to add the null polynomial);

b4) the branch thus transformed, or the plurality of branches thus transformed then concatenated (that is, grouped), constitutes a second image (I2);

b5) applying to the second image (I2) a second secret polynomial transformation having a degree 1, composed of the elements of the second image (I2), in order to obtain a third image (I3) having a determined number of elements; and

b6) selecting elements from among the set of elements in the third image (I3) to form the image value (Y) (for example, the first ones; or, in certain variants, selecting all the elements of I3, in which case Y = I3).
The invention also relates to an asymmetric signature verification process and an asymmetric authentication process which use the above-mentioned communication process.

Other details and advantages of the invention will appear in the course of the following description of several preferred but non-limiting embodiments, in reference to the appended drawings, in which:

Fig. 1 shows the concatenation of the transformations used to process a message;
Fig. 2 shows a communication device used to execute the enciphering/deciphering of a message; and
Fig. 3 shows this same device, used to execute the signature of a message and its verification.

First, before the invention is presented, a brief mathematical review specifically related to the properties of finite fields will be provided.

Description and properties of finite fields.
1) Function f:

Let $K$ be a finite field with a cardinal $q$ and a characteristic $p$ (typically, though not necessarily, $q = p = 2$). Let $L_N$ be an extension of $K$ with a degree of $N$, let $\beta_{ij}$, $\alpha_i$ and $\mu_0$ be elements of $L_N$, let $\theta_{ij}$, $\varphi_{ij}$ and $\xi_i$ be integers, and let $f$ be the following application:

$$f : L_N \to L_N, \qquad x \mapsto \sum_{i,j} \beta_{ij} \cdot x^{Q+P} + \sum_i \alpha_i \cdot x^{S} + \mu_0,$$

in which $Q = q^{\theta_{ij}}$, $P = q^{\varphi_{ij}}$ and $S = q^{\xi_i}$, in which $f$ is a polynomial composed of $x$, and $\cdot$ is the multiplication function. It will be noted that $Q$, $P$ and $S$ may possibly designate several values in this polynomial, since there can be several $\theta_{ij}$, $\varphi_{ij}$ and $\xi_i$.

Moreover, for any integer $\lambda$, $x \mapsto x^{q^\lambda}$ is a linear application of $L_N \to L_N$. Therefore, since each term $x^{Q+P} = x^{Q} \cdot x^{P}$ is the product of two linear applications, $f$ is a quadratic function.

If $B$ is a base of $L_N$, then the expression of $f$ in the base $B$ is:

$$f(x_1, \ldots, x_N) = \big(P_1(x_1, \ldots, x_N), \ldots, P_N(x_1, \ldots, x_N)\big),$$

in which $P_1, \ldots, P_N$ are polynomials with a total degree of 2 composed of $N$ variables $x_1, \ldots, x_N$.

The polynomials $P_1, \ldots, P_N$ are calculated by using a representation of $L_N$. A representation of $L_N$ is typically the datum of an irreducible polynomial $i_N(X)$ on $K$, with the degree $N$, which makes it possible to identify $L_N$ with $K[X]/(i_N(X))$. It is then easy to calculate the polynomials $P_1, \ldots, P_N$.
2) Inversion of f.

Let $M$ be the degree in $x$ of the polynomial $f$. $f$ is not necessarily a bijection of $L_N \to L_N$; however:

1) with $a$ being an element of $L_N$, there are known algorithms which make it relatively easy to find all the values of $x$ in $L_N$ (if any exist) such that $f(x) = a$, when $M$ is not too large (for example for $M \leq 1{,}000$);

2) furthermore, for each $a$ of $L_N$, there are at most $M$ solutions in $x$ of $f(x) = a$;

3) in some cases, $f$ can be bijective.
Basic HFE algorithm for the enciphering/deciphering system.

A first version of the novel HFE algorithm will now be described. This version is not limiting, and more general versions are presented in subsequent sections.

A field $K$, comprising $q = p^m$ elements, is public. Each message is composed of $n$ elements of $K$. For example, if $p = 2$, each message has $n \cdot m$ bits. $n$ is also public. $n$ is separated into $d$ integers: $n = n_1 + \cdots + n_d$. Each of these integers $n_e$ ($1 \leq e \leq d$) is associated with an extension $L_{n_e}$ of the field $K$ with the degree $n_e$.

Let "word" be a value represented by components of $K$. For example, an element of $L_{n_e}$ ($1 \leq e \leq d$) can be represented as a word with a length $n_e$. In the enciphering mechanism to be described here, quadratic functions $f_1, \ldots, f_d$, which are analogous to the function $f$ described above, will be used, with $N = n_1$ for $f_1$, $N = n_2$ for $f_2$, etc. These functions will generate $d$ words. These $d$ words will then be combined into one word with a length $n$.

The secret objects are:

1) two affine bijective transformations $s$ and $t$ of $K^n \to K^n$. These affine bijections can be represented in a base by polynomials with a degree equal to 1 and with coefficients in $K$;

2) the separation of $n$ into $d$ integers: $n = n_1 + \cdots + n_d$;

3) the representation of the fields $L_{n_1}, \ldots, L_{n_d}$. These "representations" are the result of a choice of $d$ irreducible polynomials. $T_{n_e}$ is noted as the isomorphism from $K^{n_e}$ to $L_{n_e}$ described by this representation, with $e$ such that $1 \leq e \leq d$;

4) the quadratic functions $f_1, \ldots, f_d$, of the same type as the function $f$ described in the paragraph entitled "Function f" (using $N = n_e$ and $1 \leq e \leq d$).

First note: all these objects are secret a priori, but in fact the objects in points 2), 3) and 4) above can also be public a priori. In effect, the security of the algorithm resides chiefly in the secret transformations $s$ and $t$.

Second note: $s$ and $t$ are bijective applications, but they can also be "quasi-bijective", meaning that they can be applications which have no more than a few antecedents.

The enciphering mechanism is described in Fig. 1. The sequence of operations runs from top to bottom. The affine bijective transformation $s$ of $K^n$ occurs first.

The functions $p_1, \ldots, p_d$ are projection functions of $K^n \to K^{n_e}$ (in which $1 \leq e \leq d$), and $p^{-1}$ is the inverse concatenation function. In a way, the functions $p_1, \ldots, p_d$ separate the $n$ elements into $d$ "branches".

The isomorphisms $T_{n_e}$ are applied from the various fields $K^{n_e}$ to the various field representations $L_{n_1}, \ldots, L_{n_d}$, then the quadratic functions $f_1, \ldots, f_d$ are respectively applied from $L_{n_1}, \ldots, L_{n_d}$ to $L_{n_1}, \ldots, L_{n_d}$. Next, the inverse isomorphisms $(T_{n_e})^{-1}$ are applied from the various field representations $L_{n_1}, \ldots, L_{n_d}$ to the various fields $K^{n_e}$.

Next, the inverse concatenation function $p^{-1}$ is applied from $K^{n_1} \times \cdots \times K^{n_d}$ to $K^n$. Finally, the affine bijective transformation $t$ of $K^n$, which has a general form similar to the transformation $s$, occurs.

$F_2$ is a function with a degree less than or equal to $D$ which depends on the variables of the block furthest to the left. More generally, $F_i$ ($2 \leq i \leq d$) is a function with a degree less than or equal to $D$ which depends on the variables of the blocks $1, 2, \ldots, i-1$.

NOTE: these functions $F_2, \ldots, F_d$ produce a Feistel diagram in blocks. Often they are not used in the HFE algorithm, in which case $F_2 = \cdots = F_d = 0$.

It must be noted, and this is an important point, that the composition of all these operations generates a quadratic function when this function is expressed by means of its components in a base. Therefore, this function can be given by $n$ polynomials $(P_1, \ldots, P_n)$ with coefficients in $K$, which polynomials make it possible to calculate the enciphered text $y$ as a function of the unenciphered text $x$.

The public objects are:

1) the field $K$ of $q = p^m$ elements, and the length $n$ of the messages;

2) the $n$ polynomials $(P_1, \ldots, P_n)$ composed of $n$ variables of $K$. Thus, anyone can encipher a message (the enciphering algorithm is quite public, in conformity with the characteristics of the invention claimed).

Moreover, deciphering is possible if the secret objects are known. In effect, it is then possible to invert all the operations described in Fig. 1. Thus, the inversion of the functions $f_e$ consists of solving a polynomial equation with an unknown in the field $L_{n_e}$, as indicated for $f$ in the paragraph above entitled "Inversion of f". It must be noted, however, that $f_e$ is not necessarily bijective. It is then possible to obtain several antecedents. In this case, the choice of the unenciphered text will be determined with the aid of a redundancy inserted into the unenciphered text, and the deciphered text will be the one which contains this redundancy. If the functions are not bijective, it will be necessary to consider inserting this redundancy into the unenciphered message systematically.
Example of utilization of the algorithm in signature.

Two cases must be considered:

1) The functions are bijective.

If $H$ is the result of the "hash" function applied to a message to be signed (for example, $H$ has a format of 128 bits), then the signature $S$ is $S = \mathrm{HFE}^{-1}(H)$. Thus, due to the fact that the HFE enciphering function is public, anyone can verify the signature by executing $H' = \mathrm{HFE}(S)$ and by verifying that $H' = H$. The sender of the signature must obviously know the secret in order to calculate $S$.

2) The functions are not bijective.

In this case, it is possible to choose a number of bits at the input of HFE which is greater than the number of bits at the output, in order to be almost certainly able to calculate antecedents using the HFE algorithm. For example, $H$ could be expressed in 128 bits and $S$ in $128 + 20 = 148$ bits.
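The basic algorithm above and the signature use just described, carried through in code as an added example (this is not code from the patent; everything below is an illustration written for this page). It takes $K = \mathbb{F}_2$, $n = 8$, a single branch ($d = 1$, so no $F_i$ functions and $T_n$ is simply the identity on the bit representation), the representation $X^8 + X^4 + X^3 + X + 1$ of $L_8$, an HFE-shaped $f$ of degree at most 17, and random affine bijections $s$ and $t$; all of these, the seed, the 2-bit redundancy and the function names are assumptions of the example. Two things are worth seeing run: the public polynomials $(P_1, \ldots, P_n)$ are obtained purely from the fact that the composition is quadratic over $K$ (its values at $0$, $e_i$ and $e_i + e_j$ determine it), and deciphering inverts $f$ by the exhaustive search the text allows for tiny $n_e$, returning every antecedent that carries the redundancy, which makes the non-bijectivity of $f$ visible rather than hidden. Signing is $S = \mathrm{HFE}^{-1}(H)$ and verification is $\mathrm{HFE}(S) = H$ over the public polynomials only.

```python
"""Added toy HFE (not the patent's own code): K = GF(2), n = 8, one branch (d = 1),
public system y = t(f(s(x))) with secret affine bijections s, t and secret HFE-shaped f
over L_8 = GF(2^8).  Representation, degree bound, seed and coefficients are assumptions,
and n = 8 is far below the 32 to 64 bits per branch that the text asks for."""
import random

N, MOD, D = 8, 0x11B, 17     # n bits; L_8 = GF(2)[X]/(X^8+X^4+X^3+X+1); degree bound of f

def gf_mul(a, b):            # multiplication in L_8; an int is a coordinate vector in a base
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a >> (N - 1) else 0), b >> 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

# Affine bijections of K^n = GF(2)^8: a matrix is n row-bitmasks, y_i = parity(row_i & x).
def mat_vec(rows, x):
    return sum((bin(rows[i] & x).count("1") & 1) << i for i in range(N))

def mat_inv(rows):           # Gauss-Jordan on [A | I] over GF(2); None if A is singular
    aug = [(rows[i] << N) | (1 << i) for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if (aug[r] >> (N + col)) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(N):
            if r != col and (aug[r] >> (N + col)) & 1:
                aug[r] ^= aug[col]
    return [row & ((1 << N) - 1) for row in aug]     # low half now holds A^-1

def random_affine(rng):      # (M, M^-1, c) representing x -> M.x + c
    while True:
        rows, c = [rng.randrange(1, 1 << N) for _ in range(N)], rng.randrange(1 << N)
        inv = mat_inv(rows)
        if inv is not None:
            return rows, inv, c

affine = lambda m, x: mat_vec(m[0], x) ^ m[2]
affine_inv = lambda m, y: mat_vec(m[1], y ^ m[2])

def keygen(rng):             # secret: s, t, f = sum b_ij x^(2^i+2^j) + sum a_i x^(2^i) + mu_0
    exps = [(1 << i) + (1 << j) for i in range(N) for j in range(i + 1, N) if (1 << i) + (1 << j) <= D]
    exps += [1 << i for i in range(N) if (1 << i) <= D]
    f = ([(e, rng.randrange(1 << N)) for e in exps], rng.randrange(1 << N))
    return {"s": random_affine(rng), "t": random_affine(rng), "f": f}

def f_eval(f, x):
    y = f[1]
    for e, coef in f[0]:
        y ^= gf_mul(coef, gf_pow(x, e))
    return y

def f_roots(f, a):           # all x with f(x) = a by exhaustive search (allowed for tiny n_e)
    return [x for x in range(1 << N) if f_eval(f, x) == a]

def secret_map(sk, x):       # T_n is the identity on the bit representation
    return affine(sk["t"], f_eval(sk["f"], affine(sk["s"], x)))

def publish(sk):
    """Public (P_1..P_n): x -> x^(2^i) is K-linear, so the composition is quadratic over K
    and is determined by its values at 0, the e_i and the e_i + e_j."""
    c = secret_map(sk, 0)
    lin = [secret_map(sk, 1 << i) ^ c for i in range(N)]
    quad = {(i, j): secret_map(sk, (1 << i) | (1 << j)) ^ lin[i] ^ lin[j] ^ c
            for i in range(N) for j in range(i + 1, N)}
    return c, lin, quad

def encrypt(pk, x):          # evaluate the public quadratic system; no secret needed
    c, lin, quad = pk
    y = c
    for i in range(N):
        if (x >> i) & 1:
            y ^= lin[i]
            for j in range(i + 1, N):
                if (x >> j) & 1:
                    y ^= quad[(i, j)]
    return y

def decrypt(sk, y, redundancy_bits=2):
    """Antecedents of y whose top bits carry the zero redundancy the text prescribes;
    more than one survivor means the redundancy is too short for this non-bijective f."""
    roots = f_roots(sk["f"], affine_inv(sk["t"], y))
    return [m for m in (affine_inv(sk["s"], r) for r in roots) if m >> (N - redundancy_bits) == 0]

def sign(sk, h):             # S = HFE^-1(H); None when H has no antecedent
    roots = f_roots(sk["f"], affine_inv(sk["t"], h))
    return affine_inv(sk["s"], roots[0]) if roots else None

def verify(pk, h, s):        # H' = HFE(S) must equal H
    return s is not None and encrypt(pk, s) == h

def demo_keys(seed=1995):    # deterministic toy key pair (assumed seed)
    sk = keygen(random.Random(seed))
    return sk, publish(sk)
```

Typical use: `sk, pk = demo_keys()`, then `decrypt(sk, encrypt(pk, m))` for a message `m` whose top two bits are zero, and `verify(pk, h, sign(sk, h))` for an 8-bit digest `h`. Because $f$ is not bijective, `sign` returns `None` for some digests, which is exactly the situation the text resolves by making the input of HFE longer than its output; and `decrypt` can return more than one candidate when two antecedents both happen to carry the redundancy, which is why the redundancy must be long enough relative to the number of roots (at most $M = 17$ here).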
Specific cases of implementation.

There are several ways to execute the HFE algorithm, all of which offer great advantages related to its practical execution and implementation.

The case of an algorithm with only one branch (that is, with $d = 1$).

This version has only one (large) branch and therefore, in each equation, all the variables, that is, all the bits of the message, are involved. Taking into account the large size of this branch, this form of execution does not have the potential weaknesses of branches of small size.

The case of small branches with the same function f.

This particular case involves small branches, for example with values of 12 bits, and the same function $f$ in every branch. This version is particularly advantageous because it can easily be implemented in small central processors contained, for example, in chip cards, and its implementation is possible with the aid of a program or a mathematical coprocessor.
First variant of the HFE algorithm

The function $f$ used in each branch, as already described in this document, is a polynomial equation with a single variable $x$ in a finite field. Expressed in a base, this function $f$ is expressed as an equation with a total degree equal to two.

In fact, another type of function $f$ can be used which differs slightly from the general model defined previously. This novel type consists of choosing for $f$ a function which depends on several finite field variables, for example two variables $x$ and $x'$, such that, in a base, the expression as a function of coordinates retains a total degree equal to two and that it is always possible to recalculate the antecedents of a given value of $f$ when they exist.

This variant will be better understood through the numeric example below. Consider a branch of the algorithm with values of 64 bits and with $p = 2$. In the variant, let $f$ depend on two variables $x$ and $x'$ of 32 bits each, with $f(x, x') = (y, y')$ such that:

$$y = x^4 + x \cdot x' + x' \qquad (1)$$

$$y' = x^{17} + x^4 \cdot x' + x'^3 \qquad (2)$$

(noting that the use of this exact function is not necessarily recommended, and is given only as an example). Every term is of total degree at most two in a base, since $x^4$, $x^{16}$ and $x'^2$ are linear applications over $\mathbb{F}_2$.

In order to determine the pair $(x, x')$ from $(y, y')$, it is possible, for example, to proceed in the following way. From equation (1), extract:

$$x' = \frac{y - x^4}{x + 1} \qquad (3)$$

(valid when $x \neq 1$, the only value for which $x + 1 = 0$ in characteristic 2; the case $x = 1$ is checked directly in (1) and (2)). Hence, from equation (2), extract:

$$y'(x+1)^3 = x^{17}(x+1)^3 + x^4 (y - x^4)(x+1)^2 + (y - x^4)^3 \qquad (4)$$

Note that (4) is a polynomial equation with a single variable $x$. As indicated above, mathematicians already know some general methods for solving this type of equation, and thus it is possible to solve (4), which makes it possible to define the values of $x$ which solve the equation; then, by substituting these values for $x$ in equation (3), the value of $x'$ may be deduced.

NOTE: the currently known techniques for solving equations with several variables in finite fields make it possible to correctly solve other types of equations than the one illustrated in this example, in particular equations in which it is not necessary to express a variable as a function of the others and replace it.
Second variant of the HFE algorithm

Of course, the description of the HFE algorithm and its variants does not limit the invention claimed to the utilization of polynomial equations with only one degree, the degree 2. It is entirely possible to use the degree 3; in this case there is a public form with the degree 3. Likewise, the degree 4 or even 5 is possible. However, it is necessary for the degree to be low enough so that the public equations resulting from them remain easy for a computer to store and to calculate.

The choice of parameters is also important in order to ensure maximum security and to elude, as much as possible, any attack of cryptanalysis. Thus, for security reasons, it is preferable that:

1) in each branch, there is at least one variable of 32 bits, and preferably at least 64 bits;

2) there are no equations with the form

$$\sum_{i,j} \gamma_{ij}\, x_i y_j + \sum_i \alpha_i\, x_i + \sum_j \beta_j\, y_j + \delta_0 = 0,$$

in which at least one of the coefficients $\gamma_{ij}$, $\alpha_i$, $\beta_j$ or $\delta_0$ is non-null, which are always verified when the $y_j$ are the components of the enciphered text and the $x_i$ are the components of the unenciphered text. NOTE: among other things, it was because such a condition was not verified that the Matsumoto-Imai algorithm cited above was revealed to be not entirely secure;

3) there is no equation with the form

$$\sum_{i,j,k} \gamma_{ijk}\, x_i y_j y_k + \sum_{i,j} \alpha_{ij}\, x_i y_j + \sum_{j,k} \beta_{jk}\, y_j y_k + \sum_i \lambda_i\, x_i + \sum_j \mu_j\, y_j + \delta_0 = 0,$$

that is, with a total degree of 3 and with a degree of 1 in $x$, which is always verified;

4) more generally, for security purposes, it is preferable that there be no equation with a "low" degree which is always verified between the coordinates of the unenciphered and enciphered messages (except for the linear combinations of the products of the public equations by small polynomials).
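Condition 2) can be tested mechanically, and the test is worth having because it is exactly what distinguishes the Matsumoto-Imai function from an HFE-shaped one. The code below is an added example written for this page, not the patent's own: it collects, for every pair $(x, y = F(x))$, the values of the monomials $1$, $x_i$, $y_j$, $x_i y_j$ and computes the $\mathbb{F}_2$-nullspace of the resulting linear system in the unknown coefficients $\delta_0, \alpha_i, \beta_j, \gamma_{ij}$; a non-zero nullspace is a set of equations of the forbidden form that hold for all messages. Since the affine bijections $s$ and $t$ only re-parametrize such equations (a bilinear relation in $(s(x), t^{-1}(y))$ is still of the form in 2) in $(x, y)$), the check is run on the big-field functions directly. The field $\mathbb{F}_{2^7}$ with representation $X^7 + X + 1$, the exponent $\theta = 1$ and the coefficients of the HFE-shaped function are assumptions chosen so that $x \mapsto x^{1+2^\theta}$ is a bijection, as in the text.

```python
"""Added check (not the patent's own code) for equations of the form
sum g_ij x_i y_j + sum a_i x_i + sum b_j y_j + d_0 = 0 holding for every (x, y = F(x)),
the weakness the text cites for Matsumoto-Imai and excludes in condition 2).
Field, exponent and coefficients are assumptions: GF(2^7) = GF(2)[X]/(X^7 + X + 1),
n = 7 odd, so y = x^(1 + 2^theta) with theta = 1 is a bijection as in the text."""

N = 7
MOD = 0x83            # X^7 + X + 1, irreducible over GF(2)
THETA = 1             # Matsumoto-Imai exponent 1 + q^theta = 3

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (MOD if a >> (N - 1) else 0), b >> 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def matsumoto_imai(x):
    return gf_pow(x, 1 + (1 << THETA))

def hfe_like(x):
    """Constructed HFE-shaped f of degree 17 (exponents 2^i + 2^j and 2^i, assumed coefficients)."""
    y = 0x1F
    for e, c in ((3, 0x57), (5, 0x03), (6, 0x1A), (9, 0x7E), (10, 0x44), (12, 0x09),
                 (17, 0x3B), (1, 0x5D), (2, 0x2F), (4, 0x11), (8, 0x66), (16, 0x2D)):
        y ^= gf_mul(c, gf_pow(x, e))
    return y

WIDTH = 1 + 2 * N + N * N          # unknown coefficients d_0, a_i, b_j, g_ij

def monomials(x, y):
    """Bitmask of the values of 1, x_i, y_j, x_i*y_j for one pair (x, y)."""
    bits = [1] + [(x >> i) & 1 for i in range(N)] + [(y >> j) & 1 for j in range(N)]
    bits += [(x >> i) & (y >> j) & 1 for i in range(N) for j in range(N)]
    return sum(b << k for k, b in enumerate(bits))

def nullspace_gf2(rows, width):
    """Basis of {v : parity(row & v) = 0 for all rows}; rows and v are bitmasks."""
    pivots = {}                                    # pivot column -> reduced row
    for r in rows:
        for col, prow in pivots.items():           # reduce against existing pivots
            if (r >> col) & 1:
                r ^= prow
        if r:
            col = r.bit_length() - 1
            for c in list(pivots):                 # keep reduced echelon form
                if (pivots[c] >> col) & 1:
                    pivots[c] ^= r
            pivots[col] = r
    basis = []
    for free in (c for c in range(width) if c not in pivots):
        v = 1 << free                              # one free variable set, pivots follow
        for col, prow in pivots.items():
            if (prow >> free) & 1:
                v |= 1 << col
        basis.append(v)
    return basis

def linearization_equations(public_map):
    """Every (x, F(x)) pair gives one linear equation on the coefficient vector."""
    rows = [monomials(x, public_map(x)) for x in range(1 << N)]
    return nullspace_gf2(rows, WIDTH)

def holds_everywhere(public_map, v):
    return all(bin(monomials(x, public_map(x)) & v).count("1") % 2 == 0 for x in range(1 << N))
```

For `matsumoto_imai` the nullspace is non-trivial: with $y = x^{1+q^\theta}$ one has $x \cdot y^{q^\theta} = x^{q^{2\theta}} \cdot y$, and both sides are bilinear in the coordinates of $x$ and $y$ because raising to a power of $q$ is linear. Given a target $y$, substituting its coordinates into these equations leaves linear equations in the coordinates of $x$, which is the mechanism of the Crypto '95 attack the text refers to. For the HFE-shaped function the same search is what condition 2) asks an implementer to run on candidate parameters; at these toy sizes accidental solutions cannot be excluded, so the check is a necessary filter rather than a proof.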
Third variant of the HFE algorithm

It has been indicated that, in order to use the HFE algorithm when the function is not bijective, it is possible to introduce redundancy into the unenciphered text.

There is another possibility: in effect, it is possible for the size of the enciphered value $Y$ to be greater than the size of the unenciphered value $X$ if new elements of $K$ are inserted into the enciphered value. These new elements are also the ones which result from equations with a degree of two formed of the components of $X$. More generally, using the notations in Fig. 1, the same element of $s(x)$ could be transmitted to several branches. It is also possible to add one or more branches composed of arbitrary equations with a degree of two in a base, in which case these additional branches are used to distinguish the correct antecedent of the other branches.

Fourth variant of the HFE algorithm

Instead of making public all the equations which result in the final function in Fig. 1, one or more of them can be kept secret. This means that, instead of making $(P_1, \ldots, P_n)$ public, it is possible to make only part of these equations public, in which case the enciphering is carried out by calculating only the public polynomials.

In deciphering, all the possible values for the non-public polynomials $P_i$ are tried, which provides several possible deciphered messages a priori, and the correct message is marked as before: either by the introduction of redundancy into the unenciphered message, or by means of the method indicated in the third variant.

NOTE: the fact that one or more public equations are thus eliminated can in some cases make it even more difficult to discover the structure of the fields hidden by the HFE algorithm.
Explanation of Fig. 2

Fig. 2 schematically illustrates an example of the enciphering/deciphering system using the cryptographic algorithm described above.

Suppose there are two individuals A and B belonging to the same communications network, each of whom has a respective message sending/receiving device 1, 2. This device includes calculation means, for example a computer, designed to carry out the enciphering/deciphering of messages, and storage means. At least part of these calculation or storage means can be located in a portable object which incorporates a microprocessor or micro-wired logic circuits which define areas to which access is controlled, and can therefore contain secret information such as cryptographic keys (see, for example, the portable object described in French patent No. 2.401.459).

Each device incorporates the HFE algorithm as described above, particularly in the form of a program, as well as the inverse algorithm $\mathrm{HFE}^{-1}$. The two devices are linked to one another by means of a communication line 3.

Both individuals A and B possess a pair of keys, respectively: a public key CpA and CpB, and a secret key CsA and CsB correlated with the corresponding public key CpA or CpB. If A and B do not have the means to calculate the pairs of keys, this calculation could be done by the network, giving it a certain authority with regard to each member of the network. If these two individuals want to dialogue with one another in a protected mode, that is, without anyone's being able to understand the data exchanged, then they will implement the following procedure:

The individual A sends B his public key CpA, and B sends A his public key CpB. In a variant, the network can hold the public keys of all the members in primary storage and communicate them to the members on request. Once A has received the public key CpB, A will use it to encipher, with the aid of the cryptographic algorithm HFE, a message M which he desires to send to B, and obtains an enciphered message. This message, once it is received by B, is deciphered with the aid of the cryptographic algorithm $\mathrm{HFE}^{-1}$ and the secret key CsB. Only B can decipher the message, since he is the only member of the network to possess this key. For the transmission of messages from B to A, the procedure is completely analogous.

Explanation of Fig. 3

Fig. 3 schematically illustrates an example of the utilization of the system in Fig. 2 to implement a signature calculation and verification procedure which uses the cryptographic algorithm described above.

In this case, it is necessary that the transmission of messages be carried out with authentication, that is, that the receiver of the message M be able to ascertain that the message comes from a certain person. For example, suppose that A wants to send B an authenticated message. The two interlocutors will implement the following procedure:

First, the individual A will send B his public key CpA or, in a variant, B can also request this key from the network. Then, A will encipher the message with his own secret key CsA and the cryptographic algorithm $\mathrm{HFE}^{-1}$. The result obtained is called the signature S of the message. Then, the message (which in this case travels unencrypted) and its signature are sent to B. B deciphers the signature with the aid of the cryptographic algorithm HFE and the public key CpA, which he received previously. The result obtained must be the same as the received message M. If this is in fact the case, it proves that the signature was calculated with the aid of the secret key CsA and therefore that the message does in fact come from A, the only member of the network to possess this key.

A known improvement of this system consists of calculating not only the signature of the message, but the signature of a concentration of the message. Thus, using a "hash" function, a relatively large message can be compressed into a datum H which is characteristic of the message. This "hash" function can be implemented using standard hash functions (such as MD5 or SHA).
In summary, the invention results in the following discoveries:

1. The inventor has shown (cf. document Crypto '95, pages 248 through 261) that the initial algorithm by Matsumoto and Imai was not cryptographically solid. This algorithm consisted of "hiding" a bijection $f$ with the form $f(a) = a^{1+Q}$, in which $Q = q^{\theta}$, by means of two affine transformations $s$ and $t$.

2. The inventor has shown that it is possible to use much more general functions for $f$. In effect, the inventor has shown, on the one hand, that it was possible to use non-bijective functions $f$, and on the other hand that it was possible to use the fact that it was known how to calculate antecedents for very diverse families of polynomials, for example by using GCD calculations of polynomials or resultants of polynomials, or by using Gröbner bases.

3. It is necessary for at least one of the branches not to be too small. In effect, the inventor discovered that small branches lead to weak HFE algorithms.

4. Moreover, the inventor noted that it is sometimes possible to select only some of the elements which constitute the third image (I3) resulting from the transformation of the second image (I2) by means of the second secret polynomial transformation.

Claims (2)

... noting that y' = (y'1, ..., y'k) is the image of x' = (x'1, ..., x'k) from the transformation fe, with fe verifying the following two properties:
b2.1) in a base of the extension (Lw) of the ring, each component of the image y' is expressed in the form of a polynomial composed of the components of x' in this base, which polynomial has a total degree less than or equal to said degree of the public polynomial equation;
b2.2) expressed in the extension of the ring, the transformation (fe) is such that it is possible to calculate the antecedents of (fe) when they exist, except perhaps for certain entries, the number of which is negligible relative to the total number of entries;
and applying to the other potential branches polynomial transformations with a degree less than or equal to said degree composed of the components with value in the ring;
b3) which branch thus transformed, or the plurality of branches thus transformed, then concatenated, constitutes a second image (I2);
b4) applying to the second image (I2) a second secret polynomial transformation having a degree 1 composed of the elements of the second image (I2) in order to obtain a third image (I3) having a determined number of elements; and
b5) selecting elements from among the set of elements in the third image (I3) to form said image value.

10. The process according to claim 9, in which a polynomial with a degree less than or equal to said degree is added at the output of the branch thus transformed or other branches, which polynomial depends only on the variables of the branches situated immediately ahead of this branch.

11. The process according to claim 9, in which the first image (I1) has several branches, one of which branches manipulates values of at least 32 bits.

12. A process for the asymmetric signature of a message (X) and for the verification of this signature, characterized in that the signature is obtained by applying to the message, or to a public transformation of the message, a transformation which corresponds to the inverse transformation of that which is the subject of the process in claim 1 or claim 9, and in that the verification consists of checking that a result is obtained which conforms to predetermined relations linked to the message to be signed.

DATED THIS tenth day of October 2000
CP8 TRANSAC
Patent Attorneys for the Applicant:- F B RICE CO
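As an added worked example (this is illustrative code, not the patent's or the applicant's own), the following toy Python instance follows the structure of steps b1 to b5 and of claim 12 in the style of the inventor's HFE construction: a secret affine (degree 1) map S on GF(2)^8 gives the first image, a secret univariate polynomial F over the extension GF(2^8) whose exponents have binary weight at most 2 gives the second image (so that, as b2.1 requires, each output bit is a polynomial of total degree 2 in the input bits), a second secret affine map T gives the third image, and only 5 of its 8 components are published (b5). The field size, the modulus, the degree bound D = 17, the number R = 3 of dropped components and the brute-force search for antecedents of F in b2.2 are all assumptions made for illustration; a real instance uses a much larger extension field and a polynomial root-finding algorithm. The function is_quadratic checks the b2.1 property by interpolating a degree-2 model from the map's values on inputs of weight at most 2 and comparing it on every input, and sign/verify carry out the signature and verification of claim 12.

```python
# Added illustrative code, not the patent's own: a toy HFE-style instance of steps b1-b5 and
# claim 12.  Field size, modulus, D, R and the brute-force root search are assumptions.
import random
from functools import reduce
from operator import xor

N, MOD = 8, 0x11B   # extension L_w = GF(2^8) of the ring GF(2), modulus x^8+x^4+x^3+x+1
D, R = 17, 3        # degree bound of the secret polynomial F; components dropped in b5
MASK = (1 << (N - R)) - 1
# b2.1: exponents of binary weight <= 2 (0, 2^i, 2^i + 2^j) make every bit of F(X)
# a polynomial of total degree <= 2 in the bits of X.
EXPONENTS = [e for e in range(D + 1) if bin(e).count("1") <= 2]

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= MOD if a & 0x100 else 0
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def central(coeffs, x):
    """F(x) = sum c_e * x^e in GF(2^8); coeffs maps exponent -> coefficient."""
    acc = 0
    for e, c in coeffs.items():
        acc ^= gf_mul(c, gf_pow(x, e))
    return acc

def mat_vec(rows, x):
    """N x N GF(2) matrix (row i is an int whose bit j is A[i][j]) times bit-vector x."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))

def mat_inverse(rows):
    """Gauss-Jordan over GF(2); returns the rows of A^-1, or None if A is singular."""
    n, a, inv = len(rows), list(rows), [1 << i for i in range(len(rows))]
    for col in range(n):
        piv = next((r for r in range(col, n) if (a[r] >> col) & 1), None)
        if piv is None:
            return None
        a[col], a[piv], inv[col], inv[piv] = a[piv], a[col], inv[piv], inv[col]
        for r in range(n):
            if r != col and (a[r] >> col) & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

def random_affine(rng):
    """Secret degree-1 bijection y = A x + b, returned as (A, A^-1, b)."""
    while True:
        rows = [rng.getrandbits(N) for _ in range(N)]
        inv = mat_inverse(rows)
        if inv is not None:
            return rows, inv, rng.getrandbits(N)

def keygen(seed=1):
    rng = random.Random(seed)
    return {"S": random_affine(rng),                          # b1: first secret map
            "F": {e: rng.getrandbits(N) for e in EXPONENTS},  # b2: secret polynomial
            "T": random_affine(rng)}                          # b4: second secret map

def public_map(key, x):
    """T(F(S(x))) on N bits: the third image (I3) before any component is dropped."""
    S, _, s = key["S"]
    T, _, t = key["T"]
    return mat_vec(T, central(key["F"], mat_vec(S, x) ^ s)) ^ t

def sign(key, h):
    """Claim 12: invert the public map on an (N-R)-bit digest h with the trapdoor."""
    _, S_inv, s = key["S"]
    _, T_inv, t = key["T"]
    for v in range(1 << R):                  # try every completion of the dropped bits
        z = mat_vec(T_inv, (h | (v << (N - R))) ^ t)
        for y in range(1 << N):              # b2.2: antecedent of F, here by brute force
            if central(key["F"], y) == z:    # (real HFE uses polynomial root finding)
                return mat_vec(S_inv, y ^ s)
    return None                              # no completion has a root for this h

def verify(key, sig, h):
    """b5: only the N-R low components of the third image are published and compared."""
    return (public_map(key, sig) & MASK) == h

def is_quadratic(func):
    """b2.1 check for an N-bit -> N-bit map: interpolate a degree-2 model over GF(2)
    from the inputs of weight <= 2, then compare it with func on all 2^N inputs."""
    c0 = func(0)
    lin = [func(1 << i) ^ c0 for i in range(N)]
    quad = {(i, j): func((1 << i) | (1 << j)) ^ lin[i] ^ lin[j] ^ c0
            for i in range(N) for j in range(i + 1, N)}
    def model(x):
        bits = [i for i in range(N) if (x >> i) & 1]
        terms = [lin[i] for i in bits] + [quad[(i, j)] for i in bits for j in bits if i < j]
        return reduce(xor, terms, c0)
    return all(model(x) == func(x) for x in range(1 << N))
```

Usage: `key = keygen(seed=7)`, then `sig = sign(key, h)` for a 5-bit digest `h` and `verify(key, sig, h)`. Two things the code makes visible that the claims only state: is_quadratic(lambda x: public_map(key, x)) is True for any key built this way, whereas the same check on central({7: 1}, x) fails, because an exponent of binary weight 3 gives cubic output bits and would violate b2.1; and since the published map drops R components, a signer must try up to 2^R completions of the missing bits before finding a z with an antecedent under F, so every dropped component roughly doubles the signing work while leaving the verifier with fewer public equations to solve.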

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU65420/00A AU743461B2 (en) 1995-07-27 2000-10-10 Cryptographic communication process

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR9509179 1995-07-27
AU65420/00A AU743461B2 (en) 1995-07-27 2000-10-10 Cryptographic communication process

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU60755/96A Division AU6075596A (en) 1995-07-27 1996-07-26 Cryptographic communication process

Publications (2)

Publication Number Publication Date
AU6542000A AU6542000A (en) 2000-12-14
AU743461B2 true AU743461B2 (en) 2002-01-24

Family

ID=3750029

Family Applications (1)

Application Number Title Priority Date Filing Date
AU65420/00A Ceased AU743461B2 (en) 1995-07-27 2000-10-10 Cryptographic communication process

Country Status (1)

Country Link
AU (1) AU743461B2 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4405829A (en) * 1977-12-14 1983-09-20 Massachusetts Institute Of Technology Cryptographic communications system and method
US5537475A (en) * 1994-02-01 1996-07-16 Micali; Silvio Efficient digital signature algorithm and use thereof technical field
US5577124A (en) * 1995-03-09 1996-11-19 Arithmetica, Inc. Multi-purpose high speed cryptographically secure sequence generator based on zeta-one-way functions

Also Published As

Publication number Publication date
AU6542000A (en) 2000-12-14

Similar Documents

Publication Publication Date Title
US5790675A (en) Cryptographic communication process
Hellman An overview of public key cryptography
Moore Protocol failures in cryptosystems
US5365589A (en) Method and apparatus for encryption, decryption and authentication using dynamical systems
Kasgar et al. A review paper of message digest 5 (MD5)
US6111952A (en) Asymmetrical cryptographic communication method and portable object therefore
Simmons Secure communications and asymmetric cryptosystems
El-Zoghdy et al. How good is the DES algorithm in image ciphering
Sakib Analysis of Fundamental Algebraic Concepts and Information Security System
AU743461B2 (en) Cryptographic communication process
Brincat et al. New CBC-MAC forgery attacks
JPH10340048A (en) Hash value generating method, data ciphering method, data deciphering method, hash value generating device data ciphering device, and data deciphering device
Nakahara Jr Lai-Massey Cipher Designs: History, Design Criteria and Cryptanalysis
Oguntunde et al. A comparative study of some traditional and modern cryptographic techniques
ALMashrafi Analysis of stream cipher based authenticated encryption schemes
Schmied Cryptology for Engineers: An Application-Oriented Mathematical Introduction
KR101259934B1 (en) Learning System for RSA Cryptography Algorithm Education and Self-study method
US20110142226A1 (en) Method of generating pseudo-random bit strings
Sarlabous Introduction to cryptography
Preneel An introduction to cryptology
JP3668138B2 (en) Signed ciphertext conversion method, verification method thereof, and apparatus thereof
Brincat On the use of RSA as a secret key cryptosystem
Sarlabous Intelligence is found in many places L'intelligence se trouve dans beaucoup endroits Intelligenz findet sich an vielen Plaetzen...-Jorgito
JPH02165186A (en) Ic card device
Procter The design and analysis of symmetric cryptosystems

Legal Events

Date Code Title Description
FGA Letters patent sealed or granted (standard patent)
PC Assignment registered

Owner name: CP8 TECHNOLOGIES

Free format text: FORMER OWNER WAS: CP8 TRANSAC