FR2729807A1 - Public key electronic digital signature based on automatically validated identification data - Google Patents

Abstract

The system is initialised by selecting a modulo n under certain constraints, and two other numbers generated using modulo n arithmetic to form a triplet. A primitive element (b) is selected for modulo (f), satisfying b<f>(mod n)=1. The pair (b,f) are combined with the triplet of the previous stage to form public keys. Two secret keys (p' and q') are selected. Verification information is computed from this combination of values and a random number in the range 0 to f-1 is processed with the same information. The signature includes this random number.

Description

The present invention relates to a digital electronic signature method, based on automatically certified identification information, and more particularly the application of the concept of automatically certified public key to a method based on identification.

Generally, information processing, which uses a computer system, depends largely on the development of software and semiconductor devices. A computerized society, where all business is handled by computer with the development of information processing techniques and sophisticated information communication techniques, is emerging.

Therefore, all business is carried out in accordance with the computerized society. One of these is a digital electronic signature. The digital electronic signature consists of electronically creating a signature and a mark.

There are two methods for removing the public key repertoire from conventional public key methods, one of them being the identification based method and the other being the certification based method.

In the certification-based method, a trust center publishes its public key and gives a user A its signature S of the identity pair Id and public key
PK of A. User A addresses (IdA, PRIA, S) to the verifier who verifies the validity of PK by verifying the signature S of the trust center for (IdA, PKA) instead of finding PKA through IdA of the directory of public keys.

However, in the identification-based method, the public key is replaced by the value indicating the identity of the user.

In general, the main difference between the certification-based process and the identification-based process is as follows 1) Any public key system can be converted
in the variant based on certification by the same
technical, while each public key system
requires a special technique for the conversion
in the variant based on identification.

2) The trust center of the certification-based process
tion does not know the secret key of each user,
while the trust center of the process based on
identification generates and knows the secret key of
each user.

3) The form of the public key that a user keeps and
address to the verifier in the process based on the
certification is longer than that in the process
based on identification.

M. Girault proposes a "paradoxical" method based on identification. However, because his method uses the certificate, his method is not really an identification-based method.

Also, Mr. Girault introduced the notion of automatically certified public key, which is an intermediate method between the process based on certification and the process based on identification. In the automatically certified public key method, the certificate is just the public key, that is, there is no separate certificate.

And he defined the confidence levels as follows - Level 1
The trust center knows the secret key of the user.
sateur and, therefore, he can pass himself off as
every user at any time without being detected.

- Level 2
The trust center does not know the secret key of
the user. However, the trust center can
still pretend to be the user in engen
with false certificates.

- Level 3
The trust center does not know the secret key of
user and he cannot pretend to be
user without being detected.

We begin with a brief review of terminologies and results of the present invention.

For given positive integers y and n, an integer z is a ye-residue if gcd (z, n) = l and there is an integer x such that ZEXY mod n, unye-non-residue otherwise.

The ye-residue problem (ye-RP) refers to the problem of determining the ye-residue of the given element zszn, where n is the set of integers less than n between 0 and n.

When n is a prime number, the problem can still be solved. However, for a given composite integer n, the factorization of which is not known, this problem is considered very difficult. If y is 2, the problem is denotes quadratic residue problem, which is applied to many coded protocols.

We designate a triplet (n, y, y) as acceptable if n, y and y satisfy the following three conditions (i) n is the product of powers of different numbers
first odd, i.e. n = nln2 ... nt, where
each ni is a power of a prime number
odd.

(ii) y is an odd integer greater than 2 with
gcd (&gamma;,# (nl)) = 1 for just a 1 # 1 # t, and gcd (&gamma;,
# (ni)) = 1 for all i # 1, 1 # 1 # t. For a purpose
for simplicity, we will assume that 1 = 1.

(iii) y is an element of Zn *, satisfying
ty = h1bl &gamma; + e # hjbj mod n,
j = 2
where o <e <&gamma;, gcd (e, &gamma;) = 1, 1 # bj # # (nj) for
each i # 1, 1 S j S t, and <hl, h2, ..., ht> is a
generator vector for Zn
If a triple (n, y, y) is acceptable, there is a unique i such that z = yi x &gamma; mod n for each z in Zn *. We denote i the class indicator of z with respect to the acceptable triplet (n, y, y).

There are two other issues closely related to ye-RP.

To be complete, three problems are formally defined as follows * (1) ye-RP: n, y and an element Zn given, decide if
z is or is not a ye-residue (mod n).

(2) A class indicator comparison problem: a
acceptable triplet (n, r, y) and two elements z1, z2 # Zn *
given, judge if zl and z2 present the same
class indicator with respect to (n, y, y).

(3) A class indicator search problem: a
acceptable triplet (n, y, y) and an element Z # Zn * being
given, find the class indicator of z with respect to
at (n, y, y).

Zheng proved that the previous definitions present the following relations (a) ye-RP and the indicator comparison problem of
class are equivalent.

(b) ye-RP and the indicator comparison problem of
class can be reduced to the search problem
class indicator.

(c) ye-RP and the indicator comparison problem of
class are equivalent for the search problem
of class indicator when y = O (poly (k)), where poly (.)
corresponds to a polynomial.

And he considers that ye-RP with a large y does not seem to be applicable to construct a probability encoding.

Mr. Girault introduced the notion of automatically certified public key, which is an intermediate method between the process based on certification and the process based on identification.

In public key methods, each user has a key pair (s, P). The first key, s, is a secret key, known only to this user. The second key, P, is a public key, which anyone can know.

By definition, public keys should not be protected in a confidential manner. On the contrary, they should be able to be as accessible as possible. But this "publicity" makes them particularly vulnerable against active attacks, such as for example the substitution of a "false" public key for a "true" public key in a directory. This is why, in addition to the key pair (s, P) and its identification string (or identity)
I, the attributes of a user must also contain a "certificate" G which is really the public key of user I, and not that of an impostor r '.

In certification-based processes, the certificate
G takes the form of a digital signature of the pair (s,
P) calculated and issued by the trust center. In such a case, the four attributes (I, s, P and G) are distinct: three are public (I, P and G) and must be available in a register.

In identification-based methods, the public key is nothing other than identity I (i.e. P = I).

And the certificate is nothing more than the secret key itself (i.e. G = s), so only two attributes exist (I and s) instead of four.

In automatically certified public key methods, the certificate is equal to the public key (i.e. G = P), which therefore can be designated as automatically certified, and each user has three attributes (I, s and P).

In the present invention, a new type of method is proposed, with automatically certified identification information, which applies the notion of automatically certified public key to the case where the public key is only the identification information. In the proposed methods, the certificate, the public key and the identity are the same (i.e. G = P = I), and each user has two attributes (I and s), as in the methods based on identification.

And the essential difference between the identification-based method and the automatically certified identification information method is the level of trust.

Thus, the identification-based process reaches level 1, while our automatically certified identification information process reaches level 3.

An object of the present invention is to provide a new method for signing a digital electronic signature, based on automatically certified identification information, which applies the notion of automatically certified public key to the case in which the public key is only information. identification.

Another object of the present invention is to provide a new method for a truly "paradoxical" identification method, the trust center not knowing the secret key of each user, a corresponding signature method and an exchange protocol. based on identification, so that each user can choose their own secret key as if it is an identification-based process (it is not a certification-based process), using the notion of automatically certified credentials.

To this end, according to the invention, the method for signing a digital electronic signature in a communication system comprising the equipment of a computer network comprising a certain number of personal computers connected to each user and a central computer, is remarkable in terms of what it presents the following steps - we initialize the system as follows
1) we select a modulo n (n = pq, p = 2Ydfp '+ l, q = 2fq' + 1)
where f, p 'and q' are distinct prime numbers
satisfying gcd (y, q ') = l and gcd (y, f) = l and y is a
constant odd number d
2) we consider y as y non residue (mod n)
d
3) we select (n, yd, y) as an acceptable triplet;
4) we select a primitive element b (odd number
constant) for modulo f, satisfying bf (mod n) = l ;;
and
5) we select n, Y d, y, b and f as public keys
ques and p 'and q' as secret keys in the
center, respectively - we select a secret key s in a user and we
calculate bs (mod n) after selecting an identity I
as a public key, and I and bs (mod n) are sent to the system; - we calculate a piece of verification information i and x and we
sends the calculated verification information i and x to the user - select a random integer r and calculate
an intermediate value v of the signature and a function
digital e = h (v, m) and we compute information of
signature z in the user - send z, i, x, e to a verifier; and - an intermediate verification value v 'is calculated and
the numerical function e '= h (v', m), and we check that e = e '
in the verifier.

In addition, according to the invention advantageously the verification information i and x in the system
satisfies the following equation
I = b Sy-i (mod n); and or
if ~ yd - the random number r is selected from a range
from 0 to fl; and / or - the intermediate value of the signature v satisfies
the following equation
v = br; and / or the signature information z satisfies the equation
next
z = r + se (mod f); and / or - the intermediate verification value v 'satisfies
the following equation
v '= (Iyix &gamma; d) ebz (mod n); and / or - the verification information I in the system satisfies
to the following equation
d
I = byxy (mod n); and / or - the verification information I in the system satisfies
to the following equation:
I = bsy-ix &gamma; d (mod n).

Other objects, characteristics and advantages of the invention, its organization, its construction and its mode of operation are specified in the following detailed description, with reference to the drawing.

Figure 1 is a schematic view showing the system according to the present invention.

Figures 2A and 2B are block diagrams illustrating an automatically certified identification method according to the present invention.

The present invention demonstrates that the above-mentioned ye-RP and the class indicator comparison problem can be extended to the relation (c ') specified below.

(c ') ye-RP and the class indicator comparison problem are equivalent to the class indicator search problem when Y = (O (polyl (k)) O (poly2 (k)), where polyl ( .) and poly2 (.) relate to polynomials.

First, Figure 1 shows a system according to the present invention. The system includes a plurality of personal computers 13 connected to each of the users, a computer 12 which serves as a center, and a computer network 11 connected to computers 12 and 13.

The present invention can be applied to a one-way communication network and other network architectures, of a non-communication type.

The safety of the invention is based on the difficulty of the re-residue problem and the discrete logarithm problem, simultaneously. Also, the present invention achieves confidence level 3.

Figures 2A and 2B show a signature method according to the present invention.

We consider n as the product of two prime numbers p and q such that p = 2 &gamma; dfp '+ 1 and q = 2fq' + l, where f, p 'and q' are distinct integers and gcd (y, q ') = l, gcd (y, f) = l.

We consider that y is a (&gamma; d) e-non-residue mod n and (n, &gamma; d, y) is an acceptable triplet, and the order of b modulo n is f, in step 21.

The trust center public key is (n, &gamma; d, y, b, f) and the trust center secret key is a pair (p ', q').

Each user chooses a secret key s, lower & f, and addresses the identity I and b5 to the trust center, in step 22.

Then, the trust center, in step 23, calculates i and x, where i is the class indicator of (lb5) -i (mod n) and
I = b-sy-1x- &gamma; d. The equations I = bsyix &gamma; d (mod n) and I = bsy-ix &gamma; d (mod n) are equivalent to the equation I = b-sy-ix- &gamma; d. And the
trust center addressesi and x to user I. Here, i and x must not be secret, ie the only secret key of the user is s.

When user A wishes to show himself to another user B, the protocol is as follows 1) User A chooses a random integer r in
the interval [0, fl] in step 24, calculate v = br (mod n)
and sends its identity I and v to the verifier in step
25.

2) User B chooses a random integer e from
the interval [0, 2t-1] (where, t is typically located between
20 and 70) and the address to user A.

3) User A calculates z = r + se (mod f) and addresses z, i and
x to user B in step 26. d 4) User B checks that (IyiXY) ebZ (mod n) = v
step 28.

It can be shown that - user A will be accepted by user B at a
probability approximately equal to 1 (complete state), - an impostor, who does not know s, will be detected at the
probability 1-2 t (good condition), - the protocol hardly reveals anything concerning
s (minimum knowledge).

Note that there is no certificate to verify, that is to say the identity I is just the public key and the certificate.

Of course, the trust center can always calculate "false" secret keys linked to user A, by choosing a number s' and by calculating i 'and x'. However, since only the trust center is able to calculate the indicator i and x, the existence of two different i, i 'and x, x' for the same user is in itself proof that the trust center s' is mistaken.

This shows that the invention achieves confidence level 3, unlike the method based on identification which is found in confidence level 1.

When user A wishes to sign the message m, the protocol is as follows 1) User A chooses a random integer r in
the interval, it calculates v = br (mod n) and e = h (v, m), where h
is a numeric function, in step 25.

2) User A calculates z = r + se (mod f) and addresses z, i, x
and e to user B, in steps 26 and 27. iy e2 3) User B calculates the value v such that (Iyix &gamma; d) eb2
(mod n) = v, at step 28.

4) User B checks that e = h (v, m), in step 29.

It can be demonstrated that - User B will accept valid signature 1 (state
complete), - an impostor, who does not know s, cannot generate
a valid signature (good condition).

Finally, the key exchange protocol based on the identification of the invention is described.

When user A and user B wish to share a secret key, the protocol is as follows 1) User A addresses IA, iA, XA to user B and
user B addresses IB, iB, XB to user A.

4) User A and user B can get a
common secret key K such that K = (I AyiA XA &gamma; d) sB = (IByiB XB &gamma; d) SA = B-sAsB mod n.

This protocol is clearly linked to that of "Diffie
Hellman ", but unlike the latter, he assures
user A that he shares K with user B, and
Conversely.

Claims (8)

1. Method for signing a digital electronic signature in a communication system comprising the equipment of a computer network comprising a certain number of personal computers connected to each user and a central computer, characterized in that it has the following steps - we initialize the system as follows 1) we select a modulo n (n = pq, p = 2 &gamma; dfp '+ 1, q = 2fq' + 1) where f, p 'and q' are distinct prime numbers satisfying gcd (Y, q ') = l and gcd (Y, f) = if there is a constant odd number 2) we consider y as (&gamma; d) -non residue (mod n) ;; d 3) we select (n, yod, y) as an acceptable triplet 4) we select a primitive element b (odd number constant) for modulo f, satisfying b f (mod n) = l and D 5) we select n, y, y, b and f as public keys. ques and p 'and q' as secret keys in the center, respectively - we select a secret key s in a user and we calculate bs (mod n) after selecting an identity I as a public key, and we address I and bs (mod n) to the system - we compute verification information i and x and we sends the calculated verification information i and x to the user - select a random integer r and calculate an intermediate value v of the signature and a function digital e = h (v, m) and we compute information of signature z in the user - send z, i, x, e to a verifier; and - an intermediate verification value v 'is calculated and the numerical function e '= h (v', m), and we check that e = e ' in the verifier. 2. Method according to claim 1, characterized in that the verification information i and x in the system satisfies the following equation -s -i ~ d I = b y x Y (mod n). 3. Method according to claim 1, characterized in that the random integer r is selected from a range of 0 to f-1. 4. Method according to claim 1, characterized in that the intermediate value of the signature v satisfies the following equation v = br. 5. Method according to claim 1, characterized in that the signature information z satisfies the following equation: = r + se (mod f). 6. Method according to claim 1, characterized in that the intermediate verification value v 'satisfies the following equation v '= (IyixY) ebz (mod n). 7. Method according to claim 1, characterized in that the verification information I in the system satisfies the following equation: I = bsyix &gamma; d (mod n). 8. Method according to claim 1, characterized in that the verification information I in the system satisfies the following equation: I = bsy-ix &gamma; d (mod n).