EP0731941A1 - Data verification system and method - Google Patents

Data verification system and method

Info

Publication number
EP0731941A1
Authority
EP
European Patent Office
Prior art keywords
generator
challenge
signature key
card
key generator
Prior art date
Legal status
Withdrawn
Application number
EP95904152A
Other languages
English (en)
French (fr)
Other versions
EP0731941A4 (de)
Inventor
Benjamin Arazi
Carmi David Gressel
Current Assignee
Fortress U&T Ltd
Original Assignee
Fortress U&T Ltd
Priority date
Filing date
Publication date
Application filed by Fortress U&T Ltd
Publication of EP0731941A1
Publication of EP0731941A4
Current legal status: Withdrawn

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07F COIN-FREED OR LIKE APPARATUS
    • G07F7/00 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10 Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008 Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409 Device specific authentication in transaction processing
    • G06Q20/4097 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975 Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Definitions

  • the present invention relates to systems for verifying the authenticity of integrated-circuit cards and verifying the authenticity of data sent by integrated-circuit cards.
  • Identity-based digital signature techniques are well known in the art of information integrity.
  • An example for such a technique is the Fiat-Shamir method [A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Advances in Cryptology - Crypto '86, Springer-Verlag LNCS 263, pp. 186-194, 1987].
  • D is numerical data sent by a user.
  • identity-based digital signature techniques enable that user to generate a numerical value G, such that the recipient of the pair {D;G} can verify that this pair was originated by that user.
  • When generating G, the user has a private key S, known only to him.
  • Let ID denote the numerical value of the identification details of the user.
  • ID is also sent together with the pair {D;G}.
  • the recipient uses ID as a reference information.
  • the knowledge of ID should not enable the recovery of S or the generation of G by any party beside that user.
  • Knowledge of many pairs {D;G} generated by the same user, or even selecting specific messages D, should still not enable generating, on behalf of that user, any new pairs {D;G}.
  • the recipient who has to establish the authenticity of a received pair {D;G} needs some other non-secret information which is publicly known and which is associated with an authorized center that controls the entire system. This demand follows from the observation that the privacy of an entire system cannot "lift itself with its own bootstraps", and there must be a trusted supervision.
  • Let AA denote the authorized center. Any recipient in a network that is controlled by AA, and that will need to verify the authenticity of messages sent by users, is given a universal public reference information RA that only AA can generate. Furthermore, AA keeps to himself a certain system private key SA associated with RA. Whereas the form by which RA and SA are realized can be different for different applications, the need for having such values is a constitutional feature.
  • the card issuing process comprises the authorized issuing party AA, which issues to each card its ID number and its private key S which is associated with ID, where this association is a system private key, denoted hereinbefore as SA. ID and S are then stored in the card by AA.
  • Verifying that data sent by the card is authentic. That is, making sure that data sent by the card is associated with the serial number or other identifying details of the card.
  • Fig. 1A shows a prior art card [M. Meyerstein, "The Disposable Telephone Card Comes of Age", Smart-Card 94 Conference, London, England] operative to verify the authenticity of data sent by the card.
  • the card comprises three registers which store data D, the ID details of the card, and the private key S of the card. The latter is stored in a secured memory.
  • the card also carries out a highly non-linear one-way transformation H which converts three input values into a single output.
  • Verifying the authenticity of data D sent by a card is established by asking the card to prove that D and ID are submitted by the card which stores the private key S associated with ID.
  • the value S is never revealed openly, and the proof does not provide any information about S.
  • the card proves that it possesses S by responding to a challenge C generated randomly by the interrogating terminal.
  • Given C, the card enters C, D and S as inputs to the transformation H.
  • the output G of the transformation H is sent to the interrogating terminal together with ID and D.
  • the interrogating terminal should be able to generate independently a value G', such that G' equals the received G if the card possesses the genuine S associated with ID. This way, the interrogating terminal is able to verify the authenticity of the data D sent by the card.
  • Fig. 1B shows a card operative to verify the card's authenticity, which is based on the prior art card shown in Fig. 1A.
  • the card comprises two registers which store the ID details of the card (usually a serial number), and the private key S of the card. The latter is stored in a secured memory, which is unreadable from the outside and submits its contents only to an internal processor.
  • the card also carries out a highly non-linear one-way transformation H which converts two input values into a single output.
  • Verifying the authenticity of a card is established by asking the card to prove that it stores the private key S associated with ID.
  • the value S is never revealed openly, and the proof does not provide any information about S.
  • the card proves that it possesses S by responding to a challenge C generated randomly by the interrogating terminal.
  • Given C, the card enters C and S into the transformation H.
  • the output G from the transformation H is sent to the interrogating terminal together with ID.
  • the interrogating terminal should be able to generate independently a value G', such that G' equals the received G if the card possesses the genuine S associated with ID. This way, the interrogating terminal is able to verify the authenticity of the card.
  • One approach is to have an on-line communication with a secured center. There S is recovered and the same operation which was performed in the card is also performed in the secured center, enabling the generation of G' which is sent back to the interrogating terminal and compared to G in the interrogating terminal.
  • the need for an on-line communication with the authorized center is a major drawback of this method.
  • Another approach for generating G' concerns off-line operations.
  • the interrogating terminal itself should be able to generate G' from the information it received from the card, without any secret stored in the interrogating terminal.
  • the present invention seeks to provide a method for secure off-line IC-card authenticity verification and the verification of the authenticity of data sent by the card. That is, the invention offers a way under which an interrogating terminal has the knowledge to generate the hereinbefore described value G', based on the information it receives from the card, and this without having an on-line communication with an authorized center.
  • the invention pursues digital signature methods in which the system private key is embedded within a publicly available domain, using logic protection methods. That is, the difficulty of recovering the system private key is modeled by computational methods.
  • the IC-card authenticity verification system preferably comprises:
  • apparatus located at said center for attributing to each IC-card a specific reference datum (ID); apparatus for generating at said center a private key (S) specific to that IC-card, the latter being derived from applying said first transformation T to said reference datum;
  • memory apparatus located at each IC-card for registering said reference datum and private key; second apparatus, provided to all IC-cards, each IC-card being provided with this same apparatus, for effecting a second transformation H of digital data, deriving a single output from two inputs; one of the inputs being a challenge C received from an interrogating terminal and the other input being the private key S; the output of the transformation H being a value G sent to the interrogating terminal;
  • - apparatus located at said center for attributing to each IC-card a specific reference datum (ID); apparatus for generating at said center a private key (S) specific to that IC-card, the latter being derived from applying said first transformation T to said reference datum; memory apparatus located at each IC-card for registering said reference ID, said private key S and data (D) to be sent to interrogating terminals and whose authenticity is to be verified at said terminal;
  • each IC-card being provided with the same apparatus, for effecting a second transformation H of digital data, deriving a single output from three inputs; one of the inputs being a challenge C received from an interrogating terminal, the other input being the private key S and the third input being the data D whose authenticity is to be verified at said interrogating terminal; the output of the transformation H being a value G sent to the interrogating terminal; third apparatus, provided to each interrogating terminal from said authorized center, for effecting a third transformation ATH of digital data, deriving two outputs from three inputs, said third transformation being equivalent to the merging of three transformations A, T, H, the latter two being said first and second transformations and A being a one-way transformation; the transformation A having two inputs one being the ID value of the interrogated IC-card and the other being a random number R, where said two inputs to the transformation A also form two inputs to said apparatus for effecting the third transformation ATH, the single output
  • a system for verifying authenticity of a message transmitted by a message transmitting facility the message transmitting facility being operative to store an ID (identification number) and a private key S, and including a first signature key generator operative to generate a first signature key by combining a challenge, the private key, and the message
  • the system including a message transmitting facility interface operative to receive the ID, the message and the first signature key from the message transmitting facility, a second signature key generator operative to generate a second signature key by combining a random number, the ID and the message, a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the message transmitting facility, and a signature key comparator operative to compare the first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.
  • the message transmitting facility includes an IC-card including a message memory storing the message to be transmitted to the system and to be verified by the system, an identification number memory storing an identification number ID characterizing the card, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which the first signature key generator is realized in the form of a three-input one-way transformer.
  • the challenge generator generates the challenge from the random number and from the identification number ID of the message transmitting facility.
  • any third signature key generated by employing the signature key generator to combine the challenge, the identification number ID and the message is not similar to the first signature key.
  • a system for verifying authenticity of an ID (identification number) transmitting facility the ID transmitting facility being operative to store the ID and a private key S, and including a first signature key generator operative to generate a first signature key by combining a challenge and the private key
  • the system including an ID transmitting facility interface operative to receive the ID and the first signature key from the ID transmitting facility, a second signature key generator operative to generate a second signature key by combining a random number and the ID, a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the ID transmitting facility, and a signature key comparator operative to compare the first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.
  • the ID transmitting facility includes an IC-card including an identification number memory storing an identification number ID characterizing the card to be transmitted to the system and to be verified by the system, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which the first signature key generator is realized in the form of a two-input one-way transformer.
  • the challenge generator generates the challenge from the random number and from the identification number ID of the ID transmitting facility.
  • any third signature key generated by employing the signature key generator to combine the challenge and the identification number ID is not similar to the first signature key.
  • the second signature key generator includes the challenge generator, a private key generator operative to generate the private key by transforming the ID number, and a third signature key generator which is the same as the first signature key generator and operative to receive the challenge, the transformed ID number and the received message.
  • the second signature key generator includes the challenge generator, a private key generator operative to generate the private key by transforming the ID number, and a third signature key generator which is the same as the first signature key generator and operative to receive the challenge and the transformed ID number.
  • the challenge generator, the third signature key generator and the private key generator are combined into a single transformer.
  • each of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator includes an electronic circuit.
  • At least one of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator includes an electronic circuit.
  • each of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator comprises an electronic circuit.
  • the single transformer includes an electronic circuit including a logic design combination of the challenge generator, the private key generator and the third signature key generator.
  • At least one of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator is implemented in software.
  • Fig. 1A illustrates the structure of a prior art card intended to facilitate the verification of the authenticity of data sent by the card
  • Fig. 1B illustrates the structure of a prior art card intended to facilitate authenticity verification of the card itself
  • Fig. 2A illustrates a transformation T which may be employed as the system private key, generally denoted hereinbefore as SA, used by the authorized center when generating the private key S of an IC-card, based on the ID value of the card;
  • Fig. 2B illustrates a two-input transformation H
  • Fig. 2C illustrates the internal structure of a transformation TH which is executed at a terminal that interrogates the IC-card;
  • Fig. 3 illustrates a process for verifying the authenticity of data sent by an IC-card, operative in accordance with one alternative embodiment of the present invention
  • Fig. 4 illustrates a process, operative in accordance with one alternative embodiment of the present invention, for generating, at the premises of the authorized center, a signature G which attests to the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card;
  • Fig. 5 illustrates a process, operative in accordance with one alternative embodiment of the present invention, for generating, at the premises of the authorized center, a signature G which attests to the authenticity of a message D that is intended for any terminal which interrogates cards;
  • Fig. 6A illustrates the internal structure of a two-input transformation ATH
  • Fig. 6B illustrates a three-input transformation H
  • Fig. 6C illustrates the internal structure of a three-input transformation ATH
  • Fig. 7 illustrates a preferred process for authenticity verification of an IC-card
  • Fig. 8 illustrates a process for verifying the authenticity of data sent by an IC-card, operative according to a preferred embodiment of the present invention
  • Fig. 9 illustrates a process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card, according to a preferred embodiment of the invention
  • Fig. 10 illustrates a preferred process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card, with prevention of re-play of a previous valid message;
  • Fig. 11 illustrates a process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended for any terminal which interrogates cards, according to a preferred embodiment of the invention
  • Fig. 12A illustrates in block diagram form the method of "chaining Boolean identities" used for implementing one embodiment of the invention
  • Fig. 12B illustrates a preferred implementation of the method of Fig. 12A
  • Figs. 13A, 13B and 13C illustrate in further detail the process of chaining Boolean identities;
  • Figs. 14A and 14B illustrate the Karnaugh maps used for generating an irreducible Boolean identity
  • Figs. 15A and 15B illustrate a merging of separate circuits T and H into one integrated circuit TH in accordance with a preferred embodiment of the present invention.
  • the field of the invention relates to a method and device which implement IC-card authenticity verification and the verification of the authenticity of messages sent by an IC-card, off-line, without a secret stored in the interrogating terminal and without a system secret stored in the card.
  • the method and the system implement a pure identity-based digital signature based on cascading one-way transformations in an inseparable way.
  • the present invention preferably includes at least some and preferably all of the following seven features:
  • the method provides a small communication overhead. Generating, by illegal means, a valid response to be sent on behalf of an IC-card is substantially as complex and time consuming as a brute force guessing of the response.
  • the method provides a small storage overhead. Breaking, computationally, the private key stored at the IC-card is no less complex than a brute force guess of the key, for any key-length.
  • the method and system are based on a pure identity-based digital signature. That is, the public reference information of a card equals its ID details.
  • the IC-card is universal. Any vendor (a telecom company, a bank, a home TV company) can use the same fabricated card. This also means that whenever it is necessary for the vendor to change privacy parameters of the system, the change in the card is reduced to changing one stored value.
  • the card is a reloadable debit card, a reloadable payphone card or a home TV card which needs subscription updating
  • the trivial transformation and minimal memory in the card still enable the card to verify that a command is sent to it by an authorized center and that the command is intended only for that specific card.
  • Any terminal which verifies the authenticity of IC-cards or the authenticity of messages sent by IC-cards, can also verify the signature of the authorized center on messages intended to all terminals.
  • the invention provides a new method and system for verifying the authenticity of IC-cards or the authenticity of messages sent by IC-cards such that all the above seven features are satisfied.
  • One embodiment of the invention involves three computational transformations which may be implemented electronically. The following are the three said computational transformations:
  • T - a one-way transformation which acts as the system private key, and which was generally denoted hereinbefore as SA.
  • Such a transformation does not necessarily have a known inverse.
  • the form of this transformation is shown in Fig. 2A.
  • H - a two-input one-way non-linear transformation, such as a hash transformation, known to all the parties involved.
  • the transformation is not commutative (i.e., H(x, y) is not equal to H(y, x)).
  • the form of a preferred embodiment of such a transformation is shown in Fig. 2B.
  • the corresponding transformation circuits are preferably logic circuits, inputs and outputs of which are binary vectors.
  • Treating T and H as logic circuits the block which is framed in Fig. 2C is a single circuit which consists of the merging of T and H.
  • This circuit has the two binary vectors x and y as its inputs, yielding a single output vector.
  • the internal structure of the circuit does not have to consist of the discrete cascading of T and H, as long as its behavior is equivalent to the function H(x, T(y)).
  • T and H are merged, by the authorized agent AA, into the single circuit representing the function TH.
  • the purpose of the merging is to prevent the recovery of T, given the circuit which performs the combined transformation TH and given the functioning (input-output behavior) of the transformation H.
  • the implementation of the merging of T and H into one circuit representing the function TH is discussed in detail with reference to Figs. 12, 13A, 13B, 13C, 14A and 14B.
  • the reference information RA defined hereinbefore is the circuit that implements the transformation TH. According to its definition, RA is distributed to all the parties that will need to interrogate IC-cards. In the pay-phone scenario, the circuit that implements the transformation TH is installed in all the pay-phones.
  • the card is provided by the authorized agent AA with a pair of private key and ID number {S; ID}. In the present implementation, this pair is generated by AA based on the relation
  • a method of verifying data sent by a card which has the private key S and identification number ID is illustrated in Fig. 3.
  • the method of Fig. 3 is similar to the one described in Fig. 1B. The difference between said two methods is due to the fact that the implementation in Fig. 3 is independent of a challenge received from the interrogating terminal, and the challenge input to H is replaced by the data input. From a functional point of view the input ID is transformed by T, inside the verifying terminal, yielding internally the value S. The operation performed next in the terminal, performing the transformation H with two inputs, is identical to that performed by the card when it generated G. The value G' obtained by the verifying terminal therefore equals G if ID and D were genuinely submitted by the card that possesses the value S associated with ID.
  • the system private key is the association between S and ID, known to the authorized agent AA which stores these values in a card, during its initiation.
  • this system private key is the transformation T. If, for any reason, there is a need to change T, it is of course necessary for the agent AA to design a new circuit which implements TH. This circuit is subsequently distributed to all the terminals that have to verify signatures. However, H is not changed, meaning that a change in T does not necessitate a hardware change in the circuit distributed to a card.
  • the change in T just causes a change in the way S is derived from ID, where S is a value stored in the card and it has no effect on the hardware (ID, which is the other value stored in the card, equals the identification details of the card and therefore remains unchanged) .
  • Fig. 4 describes a signature system in which a message D is sent from an authorized agent AA to a card.
  • the details of the system private key T are known to the authorized center AA.
  • the order of the two inputs to H is interchanged in Fig. 4, when compared to the implementation of Fig. 3. In case the order of the two inputs is not interchanged, the card can generate G, by using the circuit TH, in the same way the authorized center AA generates G, by using T. On the other hand, using the method depicted in Fig.
  • G' = G assures the card that the originator of the pair {D; G} must have made an explicit use of S, and therefore it must be the authorized agent AA, which alone knows how to recover S from ID. Furthermore, only that specific card is able to make this verification, which needs the value S. To conclude, only the authorized center AA can send the described pair {D; G} and only that card can verify the authenticity of this pair.
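  • The two flows just described (Fig. 3: a card signs data D with G = H(D, S) and an off-line terminal checks it with the merged circuit TH; Fig. 4: AA signs a message for one specific card with the inputs to H interchanged, G = H(S, D), and only that card can verify it) are modelled below in Python. This is an added example, not code from the patent or its assignee. The one-way transformations are assumptions of the example: T is modelled as HMAC-SHA256 under a key that only AA holds, H as SHA-256 over length-prefixed inputs (which makes H non-commutative, as the text requires), and TH as a closure that exposes only the behaviour H(x, T(y)). The helper `th_holder_can_forge_center_message` shows why the Fig. 4 input order matters: a party holding only TH can compute H(x, T(y)) but never H(T(y), x), so it cannot produce AA's signature.

```python
import hashlib
import hmac
import os


def _lp(b: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split."""
    return len(b).to_bytes(2, "big") + b


def H(x: bytes, y: bytes) -> bytes:
    """Public two-input one-way transformation H (Fig. 2B), modelled as SHA-256.
    Length-prefixing both inputs makes H(x, y) != H(y, x) in general."""
    return hashlib.sha256(b"H|" + _lp(x) + _lp(y)).digest()


def make_system_private_key():
    """AA's secret transformation T (the system private key SA), modelled as
    HMAC under a key only AA holds; everyone else sees T only through TH."""
    secret = os.urandom(32)  # constructed for this example; never leaves AA

    def T(card_id: bytes) -> bytes:
        return hmac.new(secret, b"T|" + card_id, hashlib.sha256).digest()

    return T


def merge_TH(T):
    """AA merges T and H into the reference circuit TH with behaviour
    H(x, T(y)) (Fig. 2C). Terminals receive only this callable (RA)."""
    def TH(x: bytes, y: bytes) -> bytes:
        return H(x, T(y))
    return TH


class Card:
    """IC-card holding the pair {S; ID}; S never leaves the object."""
    def __init__(self, card_id: bytes, S: bytes):
        self.ID = card_id
        self._S = S

    def sign_data(self, D: bytes) -> bytes:
        # Fig. 3: G = H(D, S); the data D takes the former challenge slot
        return H(D, self._S)

    def verify_center_message(self, D: bytes, G: bytes) -> bool:
        # Fig. 4: AA signs with the inputs interchanged, G = H(S, D)
        return hmac.compare_digest(H(self._S, D), G)


def issue_card(T, card_id: bytes) -> Card:
    """Card initiation at AA: S is derived from ID through T."""
    return Card(card_id, T(card_id))


def terminal_verify_card_data(TH, card_id: bytes, D: bytes, G: bytes) -> bool:
    """Off-line terminal check of (ID, D, G): G' = TH(D, ID) = H(D, T(ID))."""
    return hmac.compare_digest(TH(D, card_id), G)


def center_sign_for_card(T, card_id: bytes, D: bytes) -> bytes:
    """AA signs a message intended for one specific card (Fig. 4)."""
    return H(T(card_id), D)


def th_holder_can_forge_center_message(TH, card_id: bytes, D: bytes, G: bytes) -> bool:
    """A party holding only TH can evaluate H(x, T(y)) but not H(T(y), x),
    so the best it can do, TH(D, ID), never equals AA's H(S, D)."""
    return hmac.compare_digest(TH(D, card_id), G)


if __name__ == "__main__":
    T = make_system_private_key()
    TH = merge_TH(T)                       # distributed to every terminal as RA
    card = issue_card(T, b"ID-000123")
    G = card.sign_data(b"balance=42")
    print("terminal accepts card data:", terminal_verify_card_data(TH, card.ID, b"balance=42", G))
    Gc = center_sign_for_card(T, card.ID, b"reload=10")
    print("card accepts AA message:", card.verify_center_message(b"reload=10", Gc))
    print("TH holder forges AA message:", th_holder_can_forge_center_message(TH, card.ID, b"reload=10", Gc))
```

The comparisons use `hmac.compare_digest` so that a terminal or card implementation does not leak how many leading bytes of G matched. Note what the model does not capture: in the patent the protection of T inside the TH circuit is a logic-design matter (Figs. 12 to 15), whereas here it rests on the HMAC key being held only inside AA's closure.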
  • the terminal can verify the signature of the card based on a universal circuit which implements the transformation TH.
  • the latter circuit which plays the role of the reference information RA, is supplied to the terminal by the authorized center AA.
  • AA generates a signature by making use of its knowledge of the system private key T.
  • the terminal verifies the signature of AA by assuring itself that the sender really knows T.
  • a way for implementing this procedure is shown in Fig. 5.
  • the non- secret circuit H is assumed to be installed at the terminal in this application.
  • the presented signature method satisfies the basic definition of a digital signature, which also means that the signature can stand in court if and when the signer denies having generated the pair {D; G}.
  • This issue is, of course, academic in the pay-phone scenario. In that case the judge can generate his own random input R and carry out the same verification process described above, convincing himself that only AA could have computed G from D.
  • a preferred embodiment of the invention uses five transformations that convert an input binary block, or several input binary blocks, into a single output block.
  • T - a one-way transformation which acts as the system private key, and which was generally denoted hereinbefore as SA. The form of this transformation is shown in Fig. 2A. Such a transformation does not necessarily have a known inverse.
  • a two-input transformation H - a highly non-linear two-input one-way transformation known to all the parties involved. The form of this transformation is shown in Fig. 2B.
  • a two-input transformation ATH - a two-input two-output transformation which consists of merging three transformations, two of which are T and H and the third one is a further highly non-linear one-way transformation A.
  • the form of this transformation is shown in Fig. 6A.
  • a three-input transformation H - a highly non-linear one-way transformation known to all the parties involved.
  • the form of this transformation is shown in Fig. 6B.
  • a three-input transformation ATH - a three-input two-output transformation which consists of merging three transformations, two of which are T and H and the third one is a further highly non-linear one-way transformation A.
  • the form of this transformation is shown in Fig. 6C.
  • the first three transformations can be carried out by means known in prior art such as [C. Adams and S. Tavares, "The Structured Design of Cryptographically Good S-Boxes", J. of Cryptology, vol. 3, no. 1, pp. 27- 41, 1990] referenced above.
  • One preferred embodiment of the invention concerns devising the functioning of the fourth and fifth transformations and a method for constructing them by electronic apparatus.
  • the transformations are preferably implemented as logic circuits, the inputs and outputs of which are binary vectors.
  • Treating A, T and H as logic circuits, the block framed in Figs. 6A and 6C is a single circuit which consists of the hardware merging of A, T and H.
  • the internal structure of the circuit ATH does not consist of the discrete cascading of A, T and H, but is rather obtained by applying logic transformations on the discrete structure, such that the internal conduction lines in the discrete structure do not exist in practice.
  • the implementation of the merging of A, T and H into one circuit representing the function ATH is discussed in detail with reference to Figs. 12, 13A, 13B, 13C, 14A and 14B.
  • a two-input one-way transformation H is installed in all IC-cards that will ever need to prove their authenticity.
  • a three-input one-way transformation H is installed in all IC-cards that will ever need to prove the authenticity of data sent by them.
  • the circuit that implements the transformation ATH is distributed to all the terminals that will need to interrogate IC-cards.
  • a two-input ATH circuit is distributed to the terminals that will need to verify the authenticity of IC-cards.
  • a three-input ATH circuit is distributed to the terminals that will need to verify the authenticity of data sent by IC-cards.
  • the circuit that implements the transformation ATH is the reference information RA, defined hereinbefore.
  • The process of authenticity verification of an IC-card is shown in Fig. 7.
  • the interrogating terminal verifies that a card, which submits its ID, possesses the private key S associated with ID.
  • the terminal first receives the ID value from the card and feeds it, together with a random input R generated in the terminal, into the terminal's ATH circuit.
  • the output C of ATH is a challenge which is sent to the card.
  • the card responds with a value G which is compared to the value G', where the latter is independently generated by the terminal.
  • G' may already be available at the verifying side before G is received. Equality between G' and G assures the terminal that the interrogated card possesses the private key S associated with ID.
  • The process of verifying the authenticity of data D sent by an IC-card is shown in Fig. 8.
  • the interrogating terminal verifies that values ID and D, submitted by a card, were both submitted by a card that possesses the private key S associated with ID.
  • the process shown in Fig. 8 is an extension of the card authentication process of Fig. 7. The difference lies in the fact that a three-input transformation H is used, where the additional input is the message D.
  • the value G is generated in the card based on C and S, while G' is generated in the terminal based on R and ID.
  • a party that possesses the universal non-secret transformation H and intercepts the publicly exchanged values ID and C cannot generate G since it does not know S, which is isolated from the publicly known ID by the unknown function T.
  • since the circuit ATH is also publicly known, an outside party could try to generate G' itself and transmit it to the terminal on behalf of the interrogated card.
  • the terminal would then be led to assume that the response supposedly sent by the card is authentic, since the comparator would compare G' to G', yielding a 'yes' answer for sure. Such a party, however, only observes the exchanged values ID and C; the input R that ATH needs in order to produce G' is generated inside the terminal and is not among the exchanged values.
  • the system private key SA is hidden in some sense within the publicly available RA, where the difficulty in recovering SA from RA should be based on that of trying to solve an intractable problem. That is, the system private key is there, but it should be computationally infeasible to recover it.
  • the system private key SA is the transformation T which is hidden, based on logic complexity, within the publicly available transformation ATH which acts as RA. In view of the above, this does not present any exception and does not pose a threat of a type which is not met in other digital signature methods.
  • A process of sending from the authorized center AA a message D which is specifically intended for a certain card whose identification details are ID, and the subsequent verifications performed at the card's premises, is shown in Fig. 9.
  • G' = G assures the card that the originator of the pair {D; G} made explicit use of S, and therefore must be the authorized center AA, which knows how to recover S from ID. Furthermore, only the card whose identification details are ID was able to make this verification, which again needs the value S.
  • the procedure described before, of sending a message D from the authorized center AA to a card, can serve in practice to reload debit cards.
  • D is the command for reloading a specific value.
  • a party with an incentive to reload a card by illegal means, thereby effectively printing money, can replay a valid reloading message previously sent to a card.
  • Fig. 10 depicts a way of preventing a reload by replay of an old valid message.
  • the one-way transformation H has three inputs, where the additional input is intended for a random value R, internally generated in the card. Following the procedure shown in the drawing, it is clear that a replay will not work, since the internal circuitry of the card forces the value G' to depend on the present R.
  • a process of signing at the premises of the authorized center AA a message whose authenticity is intended to be verified by any terminal, and the subsequent verification process at a terminal, is described in Fig. 11.
  • the terminal proves to itself that the message was sent by a party that knows the system private key T.
  • a terminal uses its circuit ATH, which plays the role of the public key RA of AA, supplied by AA to all the intended verifying terminals.
  • the terminal further uses the transformation H (which is also a universal non- secret transformation) .
  • the right output from ATH is the value H(A(R,D), T(D)). The same value is generated at the output of H when the terminal feeds it A(R,D) and the received signature. D is accepted as valid if the two inputs to the comparator are equal.
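The following is an added software model of the exchanges of Figs. 7, 8, 10 and 11 above; it is example code, not the patent's own implementation, which merges T into a logic circuit. Assumptions not taken from the page: the public one-way transformations H and A are built from SHA-256, the secret transformation T is HMAC-SHA256 under a key held only by the center, and the merged circuit ATH is modelled as a closure that encapsulates T and returns the pair (C, G') without ever exposing T(X) on its own. Card IDs, messages and the scenario names are constructed for the example.

```python
"""Model of the card / terminal / center exchanges of Figs. 7, 8, 10 and 11.
Added example, not the patent's code. Assumptions: H and A are SHA-256 based,
T is HMAC-SHA256 under the center's key, and ATH is a closure standing in for
the merged logic circuit the center distributes to terminals."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def H(*parts: bytes) -> bytes:
    """Public one-way transformation with two or three inputs (Figs. 2B, 6B)."""
    return hashlib.sha256(b"H|" + b"|".join(parts)).digest()


def A(*parts: bytes) -> bytes:
    """Public one-way transformation that turns (R, X) into the challenge C."""
    return hashlib.sha256(b"A|" + b"|".join(parts)).digest()


class AuthorizedCenter:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)          # what keeps T secret in this model

    def T(self, x: bytes) -> bytes:
        return hmac.new(self._key, x, hashlib.sha256).digest()

    def personalize(self, card_id: bytes) -> "Card":
        return Card(card_id, self.T(card_id))        # S = T(ID), written at initialization

    def make_ath(self) -> Callable:
        """Reference information RA: yields (C, G') but never T(X) by itself."""
        def ATH(R: bytes, X: bytes, D: Optional[bytes] = None):
            C = A(R, X)
            return C, (H(C, self.T(X)) if D is None else H(C, self.T(X), D))
        return ATH

    def reload_message(self, card_id: bytes, D: bytes, R_card: bytes):
        # Fig. 10: S is the first input to H, so a holder of ATH, which only forms
        # H(A(R, X), T(X), ...), cannot produce this value for a card it does not own
        return D, H(self.T(card_id), D, R_card)

    def sign(self, D: bytes):
        return D, self.T(D)                          # Fig. 11: the signature on D is T(D)


class Card:
    def __init__(self, card_id: bytes, S: bytes) -> None:
        self.id, self._S, self._R = card_id, S, None

    def respond(self, C: bytes, D: Optional[bytes] = None) -> bytes:
        return H(C, self._S) if D is None else H(C, self._S, D)   # Fig. 7 / Fig. 8

    def nonce(self) -> bytes:
        self._R = secrets.token_bytes(16)            # fresh R for each reload attempt
        return self._R

    def accept_reload(self, D: bytes, G: bytes) -> bool:
        R, self._R = self._R, None                   # the nonce is consumed either way
        return R is not None and hmac.compare_digest(H(self._S, D, R), G)


class Terminal:
    def __init__(self, ATH: Callable) -> None:
        self.ATH = ATH

    def authenticate(self, card_id: bytes, respond: Callable, D: Optional[bytes] = None) -> bool:
        R = secrets.token_bytes(16)                  # stays in the terminal; only C is sent
        C, G_expected = self.ATH(R, card_id, D)      # G' is ready before G arrives
        return hmac.compare_digest(respond(C), G_expected)

    def verify_center(self, D: bytes, G: bytes) -> bool:
        R = secrets.token_bytes(16)
        C, right = self.ATH(R, D)                    # right output = H(A(R, D), T(D))
        return hmac.compare_digest(H(C, G), right)   # recomputed with the public H


def run_scenarios() -> dict:
    """Constructed scenarios: genuine parties succeed, clones, tampering and replay fail."""
    center = AuthorizedCenter()
    card = center.personalize(b"card-0042")
    clone = Card(card.id, b"guessed secret")         # knows ID but not S
    term = Terminal(center.make_ath())
    D = b"debit 5"
    msg = center.reload_message(card.id, b"credit 50", card.nonce())
    first = card.accept_reload(*msg)
    card.nonce()                                     # later session: new R, old message replayed
    replayed = card.accept_reload(*msg)
    signed = center.sign(b"tariff v7")
    return {
        "genuine_card": term.authenticate(card.id, card.respond),
        "cloned_id_only": term.authenticate(clone.id, clone.respond),
        "data_ok": term.authenticate(card.id, lambda C: card.respond(C, D), D),
        "data_tampered": term.authenticate(card.id, lambda C: card.respond(C, D), b"debit 500"),
        "reload_ok": first,
        "reload_replay": replayed,
        "center_msg_ok": term.verify_center(*signed),
        "center_msg_altered": term.verify_center(b"tariff v8", signed[1]),
    }
```

The point the model makes visible is the role of the input ordering and of R: the terminal's ATH only ever forms H(A(R, X), T(X), ...), so it cannot produce the center-to-card value H(S, D, R) of Fig. 10, and an eavesdropper who sees C but not R cannot reproduce G' even with a copy of ATH.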
  • the merging of the transformations A, T and H into the transformation ATH constitutes the secrecy of the system. It is done by the authorized agent AA, and the purpose of the merging is to wipe out all trace of the original separate structure.
  • FIG. 12A illustrates in block diagram form the method of "chaining Boolean identities" used for implementing one embodiment of the invention.
  • each circle defines a group of gates which is transformed into another group that performs the same functioning.
  • the meanings of the two 'types' indicated in the drawing is clarified later.
  • the circles partially overlap, showing that each group, starting with the second group, contains some gates obtained at a preceding step.
  • Chains of the described form are to be activated hundreds of times, in all directions, covering numerous times all the original gates of the separate T and H circuits or the transformed versions of the original gates.
  • the Boolean identities used in the process can either leave the same number of gates as in the original group, or change this number.
  • the identities used in the last generated chains are aimed at decreasing the number of gates.
  • the described process is similar to "kneading the dough", finally leading to the circuit TH where all traces of the original separate structure are wiped out.
  • Fig. 12A also treats two "types" of chainings.
  • "Type 1" chains 50 represent chains in which the first group is a border group, containing gates from both the circuits T and H. The chain then propagates either into the circuit T or into H. Chains of "type 1" are generated first when integrating the two circuits into the combined circuit TH.
  • “Type 2" chains 55 are generated at a later step of the process.
  • the purpose of forming the described chains is to cause a strong inter-dependence among all the gates in the combined circuit TH.
  • the grouping of gates within one link of a chain is intended to form a situation in which gates from a preceding link cause a change in the structure of many other gates in the new link.
  • A preferred implementation of the method of Fig. 12A is illustrated in Fig. 12B, where each circle defines a group of gates which is transformed into another group that performs the same function. The circles partially overlap, showing that each group, from the second onwards, contains some gates obtained at a preceding step.
  • the purpose of forming the described chains is to cause a strong inter-dependence among all the gates in the combined transformation ATH.
  • the grouping of gates within one link of a chain is intended to form a situation in which gates from a preceding link cause a change in the structure of many other gates in the new link.
  • Figs. 13A, 13B and 13C further clarify the process of chaining Boolean identities.
  • the gates are grouped within a first link 100, link #i of a chain; this link includes a gate 105 which forms the implicant a'b'.
  • the gate 105 also belongs to a second link 110, link #(i+1). Due to transformations performed within the first link 100, the implicant a'b' changes to ab, as shown in Fig. 13B.
  • the other gates in the second link 110 also change, as shown in Fig. 13C, which implements the function ab + a'c + b'c' that logically equals the above function f(a,b,c). That is, a change in the first link 100, link #i, propagated to the second link 110, link #(i+1), through the common gate 105.
  • Fig. 14A defines the function f(a,b,c) as a sum of three implicants, each of which is formed by joining two minterms, as shown in the drawing.
  • Fig. 14B depicts another way of defining the same function, based on the implicants ab + a'c + b'c'. These are formed by joining pairs of minterms in a different way, as shown by the dotted grouping.
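As an added example of the chaining of Boolean identities described for Figs. 12 to 14 (not the patent's own method, which works on gate-level circuits), the following models one link as a sum-of-products cover of f(a,b,c) and transforms it step by step with two function-preserving identities: consensus (xy + x'z = xy + x'z + yz) and absorption of a term already covered by the others. Two assumptions not stated on the page: the patent does not name the identities it uses, and the starting cover a'b' + ac' + bc is derived here from the page's implicant a'b' and the target cover ab + a'c + b'c' (it is the only three-term cover of that function containing a'b'). Every step is checked by truth table, which is the property each link of a chain has to satisfy.

```python
"""Chaining Boolean identities on the three-variable function of Figs. 13 and 14.
Added example, not the patent's method. A cube is a string over the variables
a b c with 1 = literal, 0 = complemented literal, - = variable absent; "00-" is a'b'."""
from itertools import product

VARS = "abc"


def minterms(cube: str) -> set:
    """All assignments (as bit tuples) on which the cube evaluates to 1."""
    return {bits for bits in product((0, 1), repeat=len(cube))
            if all(c == "-" or int(c) == b for c, b in zip(cube, bits))}


def function(cover) -> set:
    """The set of minterms of a sum-of-products cover, i.e. its truth table."""
    return set().union(*(minterms(cube) for cube in cover))


def consensus(x: str, y: str):
    """Consensus of two cubes; None unless they clash in exactly one variable."""
    clash = [i for i, (p, q) in enumerate(zip(x, y)) if p != "-" and q != "-" and p != q]
    if len(clash) != 1:
        return None
    return "".join("-" if k == clash[0] else (p if p != "-" else q)
                   for k, (p, q) in enumerate(zip(x, y)))


def redundant(cube: str, cover) -> bool:
    """True when the other cubes of the cover already produce every minterm of this one."""
    return minterms(cube) <= function(cover - {cube})


def pretty(cube: str) -> str:
    return "".join(v + ("'" if c == "0" else "") for v, c in zip(VARS, cube) if c != "-")


def chain(cover, steps):
    """Apply ('add', x, y) consensus steps and ('drop', cube) absorption steps,
    asserting after each one that the realised function is unchanged."""
    f0 = function(cover)
    trace = [sorted(map(pretty, cover))]
    for step in steps:
        if step[0] == "add":
            c = consensus(step[1], step[2])
            assert c is not None, step
            cover = cover | {c}                      # identity that adds a gate
        else:
            assert redundant(step[1], cover), step
            cover = cover - {step[1]}                # identity that removes a gate
        assert function(cover) == f0, step           # same function after every link
        trace.append(sorted(map(pretty, cover)))
    return cover, trace


# Derived starting cover for Fig. 14A: a'b' + ac' + bc (assumption, see lead-in).
LINK_I = frozenset({"00-", "1-0", "-11"})
STEPS = [("add", "00-", "-11"),   # consensus of a'b' and bc adds a'c
         ("add", "00-", "1-0"),   # consensus of a'b' and ac' adds b'c'
         ("drop", "00-"),         # a'b' is now absorbed: gate 105's implicant disappears
         ("add", "1-0", "-11"),   # consensus of ac' and bc adds ab
         ("drop", "1-0"),         # ac' absorbed by ab + b'c'
         ("drop", "-11")]         # bc absorbed by ab + a'c


def kneaded():
    """Run the chain from Fig. 14A's cover and return (final implicants, per-step trace)."""
    final, trace = chain(LINK_I, STEPS)
    return sorted(map(pretty, final)), trace
```

Running `kneaded()` yields the cover ab + a'c + b'c' of Fig. 14B after six links; the intermediate covers have four or five terms, which is the "identities that change the number of gates" behaviour described for the earlier chains, and the last steps shrink the cover, as described for the final ones.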
  • Figs. 15A and 15B illustrate a merging of separate circuits T and H into one integrated circuit TH in accordance with a preferred embodiment of the present invention.
  • Fig. 15 further demonstrates an integration of circuits T and H into one TH circuit. It is important to note that the border between the two original circuits T and H is completely erased in the resultant circuit TH.
  • the transformations T, H, A and ATH can be computational transformations. Alternatively, these transformations can be implemented in hardware by sequential machines. In this case the merging of A, T and H into the circuit ATH can be based on design considerations other than Boolean chainings.
  • the hardware implementation described above may be transformed into software by replacing each circuit with a program executing the same operation.
  • the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form.
  • the software components may, generally, be implemented in hardware, if desired, using conventional techniques.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
IL10778993 1993-11-29
IL10778993A IL107789A0 (en) 1993-11-29 1993-11-29 Data verification system and method
PCT/US1994/013645 WO1995014968A1 (en) 1993-11-29 1994-11-29 Data verification system and method

Publications (2)

Publication Number Publication Date
EP0731941A1 true EP0731941A1 (de) 1996-09-18
EP0731941A4 EP0731941A4 (de) 1999-03-17

Family

ID=11065522

Family Applications (1)

Application Number Title Priority Date Filing Date
EP95904152A Withdrawn EP0731941A4 (de) 1993-11-29 1994-11-29 Data verification system and method

Country Status (3)

Country Link
EP (1) EP0731941A4 (de)
IL (1) IL107789A0 (de)
WO (1) WO1995014968A1 (de)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL119486A0 (en) * 1996-10-24 1997-01-10 Fortress U & T Ltd Apparatus and methods for collecting value
SE0002416L (sv) * 2000-06-27 2001-12-28 Tds Todos Data System Ab Method and device for communication

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0037762A1 (de) * 1980-04-09 1981-10-14 COMPAGNIE INTERNATIONALE POUR L'INFORMATIQUE CII - HONEYWELL BULL (dite CII-HB) Method and system for transmitting signed messages
EP0077238A1 (de) * 1981-10-09 1983-04-20 Bull S.A. Method and device for determining the authenticity of the signature of a signed message
EP0292247A2 (de) * 1987-05-19 1988-11-23 THE GENERAL ELECTRIC COMPANY, p.l.c. Authenticator
US5016274A (en) * 1988-11-08 1991-05-14 Silvio Micali On-line/off-line digital signing
EP0427465A2 (de) * 1989-11-09 1991-05-15 AT&T Corp. Database-less security system
DE4138861A1 (de) * 1991-11-26 1992-10-01 Siemens Nixdorf Inf Syst Method for mutual authentication of an electronic partner with a communication system

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4650975A (en) * 1984-08-30 1987-03-17 Casio Computer Co., Ltd. IC card and an identification system thereof
GB2168514A (en) * 1984-12-12 1986-06-18 Ibm Security module
US4799061A (en) * 1985-11-18 1989-01-17 International Business Machines Corporation Secure component authentication system
FR2601795B1 (fr) * 1986-07-17 1988-10-07 Bull Cp8 Method for diversifying a base key and for authenticating a key so diversified as having been derived from a predetermined base key, and system for implementing it
US5218637A (en) * 1987-09-07 1993-06-08 L'etat Francais Represente Par Le Ministre Des Postes, Des Telecommunications Et De L'espace Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization
US4879747A (en) * 1988-03-21 1989-11-07 Leighton Frank T Method and system for personal identification
CA1321649C (en) * 1988-05-19 1993-08-24 Jeffrey R. Austin Method and system for authentication
DE58909106D1 (de) * 1988-07-20 1995-04-20 Syspatronic Ag Spa Data-carrier-controlled terminal in a data exchange system
FR2651347A1 (fr) * 1989-08-22 1991-03-01 Trt Telecom Radio Electr Method for generating a unique number for a microcircuit card, and application to the cooperation of the card with a host system
US5144667A (en) * 1990-12-20 1992-09-01 Delco Electronics Corporation Method of secure remote access

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO9514968A1 *

Also Published As

Publication number Publication date
WO1995014968A1 (en) 1995-06-01
EP0731941A4 (de) 1999-03-17
IL107789A0 (en) 1995-03-15

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) EPC to a published international application that has entered the European phase. Free format text: ORIGINAL CODE: 0009012
17P Request for examination filed. Effective date: 19960529
AK Designated contracting states. Kind code of ref document: A1. Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE
A4 Supplementary search report drawn up and despatched. Effective date: 19990201
AK Designated contracting states. Kind code of ref document: A4. Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE
STAA Information on the status of an EP patent application or granted EP patent. Status: the application is deemed to be withdrawn
18D Application deemed to be withdrawn. Effective date: 19980416