CA2306468A1 - Signature verification for elgamal schemes - Google Patents
Signature verification for elgamal schemes
- Publication number
- CA2306468A1
- Authority
- CA
- Canada
- Prior art keywords
- signature
- mod
- value
- calculating
- verify
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
Abstract
A signature verification protocol is provided for ElGamal-like signature schemes. The digital signature verification scheme allows the signor of the message to verify the digital signature without using the public key. Generally the signor's computer system has a private key d and a public key y derived from an element g and the private key d. The method comprises the steps of, in the computer system, signing a message m by generating a first signature component by combining the element g and the signature parameter k according to a first mathematical function and generating a second signature component by mathematically combining the first signature component with the private key d, the message m and the signature parameter k, and the signor verifying the signature by recovering a value k' from the signature components without using the public key y and utilizing the recovered value k' in the first mathematical function to derive a value r' in order to verify the signature parameter k and k' are equivalent, thereby verifying the signature. This signature verification applies to all ElGamal-type signatures and works in any group and in particular elliptic curve groups. The signature verification method is of particular use in devices having limited computational power such as 'smart cards' or where a large number of verifications are to be performed by the signor.
Description
WO 99/23781 PCT/CA98/01018
Signature Verification For ElGamal Schemes
This invention relates to a method of accelerating digital signature verification operations performed in a finite field and in particular to a method for use with processors having limited computing power.
Background of the Invention
One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission. A widely used set of signature protocols utilizes the ElGamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key. The ElGamal scheme gets its security from the difficulty of calculating discrete logarithms in a finite field. Furthermore, the ElGamal-type signatures work in any group and in particular elliptic curve groups. For example, given the elliptic curve group $E(F_q)$, then for $P \in E(F_q)$ and $Q = aP$ the discrete logarithm problem reduces to finding the integer a. Thus these cryptosystems can be computationally intensive.
Various protocols exist for implementing such a scheme. For example, a digital signature algorithm DSA is a variant of the ElGamal scheme. In these schemes a pair of correspondent entities A and B each create a public key and a corresponding private key.
The entity A signs a message m of arbitrary length. The entity B can verify this signature by using A's public key. In each case however, both the sender, entity A, and the recipient, entity B, are required to perform computationally intensive operations to generate and verify the signature respectively. Where either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a "smart card" application, the computations may introduce delays in the signature and verification process.
There are also circumstances where the signor is required to verify its own signature. For example in a public key cryptographic system, the distribution of keys is easier than that of a symmetric key system. However, the integrity of public keys is critical. Thus the entities in such a system may use a trusted third party to certify the public key of each entity. This third party may be a certifying authority (CA), that has a private signing algorithm $S_T$ and a verification algorithm $V_T$ assumed to be known by all entities. In its simplest form the CA provides a certificate binding the identity of an entity to its public key. This may consist of signing a message consisting of an identifier and the entity's authenticated public key. From time to time however the CA may wish to authenticate or verify its own certificates. Thus in these instances it would be convenient to implement an improved signature verification algorithm to speed up this verification process.
Summary of the Invention
It is therefore an object of the present invention to provide a method of fast signature verification.
This invention seeks to provide a digital signature verification method, which may be implemented relatively efficiently by a signor on a processor with limited processing capability, such as a smart card or where frequent verifications are performed such as a certification authority.
In accordance with this invention there is provided a method of verifying a digital signature generated by a signor in a computer system, the signor having a private key d and a public key y, derived from an element g and the private key d, the method comprising the steps of:
a) in the computer system signing a message m by;
b) generating a first signature component by combining at least the element g and the signature parameter k according to a first mathematical function;
c) generating a second signature component by mathematically combining the first signature component with the private key d, the message m and the signature parameter k; and the signor verifying the signature by:
d) recovering a value k' from the signature without using the public key y, and;
e) utilizing the recovered value k' in the first mathematical function to derive a value r' to verify the signature parameter k and k' are equivalent.
Brief Description of the Drawings
Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:
Figure 1 is a schematic representation of a communication system; and
Figure 2 is a flow chart showing a signature algorithm according to the present invention.
Detailed Description of a Preferred Embodiment
For the sake of convenience in the following discussion we use the multiplicative notation, although ElGamal-type signatures work in any group and in particular in elliptic curve groups.
Referring therefore to Figure 1, a data communication system 10 includes a pair of correspondents, designated as a sender A(12), and a recipient B(14), who are connected by a communication channel 16. Each of the correspondents A and B (12,14) includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below.
In accordance with a general embodiment, the sender A assembles a data string, which includes amongst others the public key y of the sender, a message m, the sender's short-term public key k and signature S of the sender A. When assembled the data string is sent over the channel 16 to the intended recipient B, who then verifies the signature using A's public key. This public key information may be obtained from a certification authority (CA) 24 or sometimes is sent with the message. The CA generally has a public file of the entity's public key and identification.
For key generation in the ElGamal signature scheme, each correspondent A and B creates a public key and corresponding private key. In order to set up the scheme, the entities A and B select primes p and q such that q divides p-1. A g is selected such that it is an element of order q in $F_p$, and the group used is $\{g^0, g^1, g^2, \ldots, g^{q-1}\}$.
In the digital signature algorithm (DSA), which is a special case of the ElGamal scheme, key generation is performed by selecting a random integer d in the interval [1, q-1] and computing $y = g^d \bmod p$. In the DSA the public key information is (p, q, g, y) and the private key is d, while in the general ElGamal scheme the public key information is (p, g, y) and the private key is d.
We consider firstly a signature scheme such as the DSA in which the signature components r and s are given by:
$r = (g^k \bmod p) \bmod q$; and
$s = k^{-1}(h(m) + dr) \bmod q$
where typically:
d is a random integer, the signor's private key and is typically 160-bits;
p is typically a 1024-bit prime;
q is a 160-bit prime where q divides p-1;
g is the generator such that $y = g^d \bmod p$;
h(m) is typically a SHA-1 hash of the message m;
k is a randomly chosen 160-bit value for each signature; and
the signature for m is the pair (r, s).
Normally to verify A's signature (r, s) on the message m, the recipient B should obtain A's authentic public key (p, q, g, y), and verify that 0 < r < q and 0 < s < q. Next the values $w = s^{-1} \bmod q$ and h(m) are computed. This is followed by computing $u_1 = w\,h(m) \bmod q$ and $u_2 = r w \bmod q$ and $v = (g^{u_1} y^{u_2} \bmod p) \bmod q$. The signature is accepted if and only if v = r. It may be seen therefore that in some cases if the owner of the signature wants to verify its own signature at a later stage it may be time consuming to retrieve the public key information and perform the steps above, particularly since the signor is verifying its own signature.
Thus, in order to implement fast signature verification using the private key d, it may be seen that the verifier, in this case the original signor, has knowledge of p, q, g, y, h(m), r and s. Thus the verifier need only recover the (secret) per signature value k used and verify this value of k thus obtained in order to verify the signature.
The verifier thus calculates $z = (h(m) + dr) \bmod q$. The value $z^{-1}$ is calculated by inverting z mod q. Next calculate $k'^{-1} = s(z^{-1}) \bmod q$ and calculate k' by inverting $k'^{-1}$ mod q. The verifier then evaluates $r' = g^{k'} \bmod p \bmod q$; if r' = r, this verifies k = k'. Thus it may be seen that this verification step uses d not y and many of the calculations above can be sped up using pre-computed tables.
Next we consider an alternate ElGamal signature method shown in figure 2 as having signature components (s, e) where:
$r = g^k \bmod p$;
$e = h(m \| r)$ where $\|$ indicates concatenation; and
$s = (de + k) \bmod p$
The signature components are s and e where p is a large public prime, g is a public generator, m is a message, h is a hash function, d is a private key, $y = g^d \bmod p$ is a public key and k is a secret random integer.
In fast signature verification using the private key d we once again assume knowledge of p, g, y, h, m, r, e and d. Thus the verifier need only recover the k value used and verify k in order to verify the signature. Thus the verifier calculates $k' = (s - de) \bmod p$, $r' = g^{k'} \bmod p$ and $e' = h(m \| r')$. If e = e' this verifies k = k'.
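The two private-key checks described above (recovering k' in the DSA-style scheme and in the (s, e) scheme), as an added Python example that is not part of the patent text. The toy group built by `make_group`, the subgroup order `Q`, the fixed-width encoding of r in the concatenation and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

Q = 2**127 - 1  # constructed toy subgroup order (a Mersenne prime); real DSA sizes are larger

def make_group(q):
    """Find a prime p = 2*j*q + 1 and g of order q (Pocklington test, valid while q + 2 > 2*j)."""
    j = 1
    while True:
        p = 2 * j * q + 1
        g = pow(2, 2 * j, p)                       # g = 2^((p-1)/q) mod p
        if pow(2, p - 1, p) == 1 and gcd(g - 1, p) == 1:
            return p, g                            # p is prime, g != 1 and g^q = 1 mod p
        j += 1

def h(data, q=None):
    """SHA-1 (the hash the page names) as an integer, optionally reduced mod q."""
    v = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return v if q is None else v % q

# --- DSA-style scheme: r = (g^k mod p) mod q, s = k^-1 (h(m) + d r) mod q ---
def dsa_sign(m, d, p, q, g):
    while True:
        k = secrets.randbelow(q - 1) + 1           # fresh per-signature secret in [1, q-1]
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h(m, q) + d * r) % q
        if r and s:
            return r, s, k                         # k is returned only so the demo can compare

def dsa_verify_public(m, r, s, y, p, q, g):
    """Recipient's check with the public key y: two modular exponentiations."""
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = w * h(m, q) % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def dsa_recover_k(m, r, s, d, q):
    """Signor's shortcut: z = h(m) + d r, k'^-1 = s z^-1, k' = (k'^-1)^-1, all mod q."""
    z = (h(m, q) + d * r) % q
    if z == 0 or s % q == 0:                       # not invertible: cannot be a valid signature
        return None
    return pow(s * pow(z, -1, q) % q, -1, q)

def dsa_verify_private(m, r, s, d, p, q, g):
    """Verify with d instead of y: one exponentiation, r' = (g^k' mod p) mod q."""
    if not (0 < r < q and 0 < s < q):
        return False
    k1 = dsa_recover_k(m, r, s, d, q)
    return k1 is not None and pow(g, k1, p) % q == r

# --- (s, e) scheme as written on the page: r = g^k mod p, e = h(m || r), s = (d e + k) mod p ---
def _e(m, r, p):
    # Assumption: r is concatenated as a fixed-width big-endian integer.
    return h(m + r.to_bytes((p.bit_length() + 7) // 8, "big"))

def se_sign(m, d, p, g):
    k = secrets.randbelow(p - 1) + 1               # k in [1, p-1]
    e = _e(m, pow(g, k, p), p)
    return (d * e + k) % p, e

def se_verify_private(m, s, e, d, p, g):
    """k' = (s - d e) mod p, r' = g^k' mod p, accept iff h(m || r') == e."""
    k1 = (s - d * e) % p
    return _e(m, pow(g, k1, p), p) == e

if __name__ == "__main__":
    p, g = make_group(Q)
    d = secrets.randbelow(Q - 1) + 1               # constructed private key
    m = b"constructed sample message"
    r, s, k = dsa_sign(m, d, p, Q, g)
    print("k recovered:", dsa_recover_k(m, r, s, d, Q) == k)
    print("private-key verify:", dsa_verify_private(m, r, s, d, p, Q, g))
    print("public-key verify:", dsa_verify_public(m, r, s, pow(g, d, p), p, Q, g))
    s2, e2 = se_sign(m, d, p, g)
    print("(s, e) verify:", se_verify_private(m, s2, e2, d, p, g))
```

The recovered k' is as sensitive as d itself, since either value together with a signature yields the other, so this check belongs inside the same secure boundary as the signing key.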
Thus it may be seen that an advantage of the present invention is where a signor signs data which for example may reside on the signor's computer. This can be later verified without use of the corresponding public key, instead the signor can use its private key to verify the data. This is also very useful for some applications with limited computational power such as smartcards.
In a data communication system that includes a certifying authority, the certifying authority (CA) or key distribution centre would sign data frequently before it is installed into the various communications systems and then could verify the signatures later. Thus the CA does not require the public key information to verify the signatures but simply uses the private key to verify, as all the other parameters are stored within the secure boundary of the signor.
A further application is in the verification of software such as in pay-per-use software applications.
While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims. For example, in the above description of preferred embodiments, use is made of multiplicative notation however the method of the subject invention may be equally well described utilizing additive notation. It is well known for example that the elliptic curve algorithm equivalent of the DSA, i.e. ECDSA, is the elliptic curve analog of a discrete logarithm algorithm that is usually described in a setting of $F_p^*$, the multiplicative group of the integers modulo a prime. There is correspondence between the elements and operations of the group $F_p^*$ and the elliptic curve group $E(F_q)$. Furthermore, this signature technique is equally well applicable to functions performed in a field defined over $F_{2^n}$.
The present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements are multiplied in a processor efficient manner. The encryption system can comprise any suitable processor unit such as a suitably programmed general-purpose computer.
Claims (16)
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A method of verifying a digital signature generated by a signor in a computer system, said signor having a private key d and a public key y, derived from an element g and said private key d said method comprising the steps of:
a) in said computer system signing a message m by;
b) generating a first signature component by combining at least said element g and said signature parameter k according to a first mathematical function;
c) generating a second signature component by mathematically combining said first signature component with said private key d, said message m and said signature parameter k; and said signor verifying said signature by:
d) recovering a value k' from said signature without using said public key y, and;
e) utilizing said recovered value k' in said first mathematical function to derive a value r' to verify said signature parameter k and k' are equivalent.
2. A method as defined in claim 1, wherein g is an element of order q in a field $F_p$
3. A method as defined in claim 1, wherein g is a point of prime order n in $E(F_q)$, such that E is an elliptic curve defined over the field $F_q$.
4. A method as defined in claim 1, wherein said element g is a point on an elliptic curve over a finite field $F_q$.
5. A method as defined in claim 1, said signature parameter k being a randomly selected integer in the interval [1, q-1], and said first signature component having a form defined by $r = g^k \bmod p \bmod q$, wherein p and q are primes such that q divides p-1.
6. A method as defined in claim 5, including calculating a value e = h(m) wherein h is a hash function, and wherein said second signature component $s = k^{-1}(e + dr) \bmod q$.
7. A method as defined in claim 6, said step of recovering said value k' including:
(a) calculating a value $z = (h(m) + dr) \bmod q$;
(b) calculating $z^{-1}$ by inverting z mod q;
(c) calculating $k^{-1} = s(z^{-1}) \bmod q$; and
(d) calculating k' by inverting $k^{-1}$ mod q.
8. A method as defined in claim 7, said step of verifying k including the steps of calculating $r' = g^{k'} \bmod p \bmod q$ and comparing r' to r in order to verify k = k'.
9. A method as defined in claim 9, including utilizing precomputed tables in said calculations.
10. A method as defined in claim 3, said signature parameter k being a statistically unique and unpredictable integer k selected in an interval [2, n-2] and said first signature component having a form defined by r = x, mod n wherein n is an n co-ordinate of a private key.
11. A method as defined in claim 10, including calculating a value e = h(m) wherein h is a hash function and said second signature component is given by $s = k^{-1}(e + dr) \bmod n$.
12. A method as defined in claim 11, said recovering said value k' includes:
(a) calculating a value $z = (h(m) + dr) \bmod n$;
(b) calculating $z^{-1}$ by inverting z mod n;
(c) calculating $k^{-1} = s(z^{-1}) \bmod n$, and
(d) calculating k' by inverting $k^{-1}$ mod n.
13. A method as defined in claim 12, said step of verifying k including the steps of calculating $r' = g^{k'} \bmod n$ and comparing r' to r in order to verify k = k'.
14. A method as defined in claim 2, said signature parameter k being a randomly selected integer in an interval [1, p-1], and said first signature component having a form defined by e = h(m~r) wherein r = g^k mod p, h is a hash function and ~ denotes concatenation.
15. A method as defined in claim 14, said second signature component being defined by s = (de + k) mod p.
16. A method as defined in claim 15, said step of recovering said value k' includes:
(a) calculating a value k' = (s-de) mod p;
(b) calculating a value r' = g^k mod p;
(c) calculating a value e' = h(m~r'); and
(d) comparing said value e' to e in order to verify k' = k.
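The signer-side checks of claims 5 to 8 and 14 to 16, worked through as an added illustration that is not part of the patent text: a party holding the private key d recovers k' from s, recomputes the first signature component from k', and compares. The parameter values, SHA-256 as h, the byte encoding of m~r and all function names are assumptions made for this example; the moduli are taken as the claims state them.

```python
import hashlib

# Constructed parameters, far too small for real use (assumed for this example).
P = 2**89 - 1                  # Mersenne prime
Q = 2931542417                 # prime factor of 2**44 + 1, so Q divides P - 1
G = pow(3, (P - 1) // Q, P)    # element of order Q modulo P

def h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def cat(m: bytes, r: int) -> bytes:
    return m + r.to_bytes(12, "big")       # m ~ r, with r as 12 fixed bytes

def dsa_sign(m: bytes, d: int, k: int):
    """Claims 5-6: r = g^k mod p mod q, s = k^-1 (e + d r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(m) + d * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another k")
    return r, s

def dsa_recover_k(m: bytes, d: int, r: int, s: int):
    """Claim 7: recover k' from s using d; None if a step is impossible."""
    if not (0 < r < Q and 0 < s < Q):
        return None
    z = (h(m) + d * r) % Q                 # step (a)
    if z == 0:
        return None                        # z has no inverse mod q
    k_inv = s * pow(z, -1, Q) % Q          # steps (b) and (c)
    return pow(k_inv, -1, Q)               # step (d)

def dsa_signer_verify(m: bytes, d: int, r: int, s: int) -> bool:
    """Claim 8: recompute r' from the recovered k' and compare it with r."""
    k_rec = dsa_recover_k(m, d, r, s)
    return k_rec is not None and pow(G, k_rec, P) % Q == r

def schnorr_sign(m: bytes, d: int, k: int):
    """Claims 14-15: e = h(m ~ r) with r = g^k mod p, s = (d e + k) mod p."""
    e = h(cat(m, pow(G, k, P)))
    return e, (d * e + k) % P

def schnorr_signer_verify(m: bytes, d: int, e: int, s: int) -> bool:
    """Claim 16: k' = (s - d e) mod p, r' = g^k' mod p, e' = h(m ~ r')."""
    k_rec = (s - d * e) % P
    return h(cat(m, pow(G, k_rec, P))) == e
```

Because both checks use d, they can only be run by the key holder, for example to confirm a freshly generated signature before it is released.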
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US96244197A | 1997-10-31 | 1997-10-31 | |
US08-962441 | 1997-10-31 | ||
PCT/CA1998/001018 WO1999023781A1 (en) | 1997-10-31 | 1998-11-02 | Signature verification for elgamal schemes |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2306468A1 true CA2306468A1 (en) | 1999-05-14 |
Family
ID=25505878
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002306468A Abandoned CA2306468A1 (en) | 1997-10-31 | 1998-11-02 | Signature verification for elgamal schemes |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1025674A1 (en) |
JP (2) | JP4307589B2 (en) |
AU (1) | AU1015499A (en) |
CA (1) | CA2306468A1 (en) |
WO (1) | WO1999023781A1 (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5348148B2 (en) * | 2003-07-25 | 2013-11-20 | 株式会社リコー | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM |
JP4611680B2 (en) * | 2003-07-25 | 2011-01-12 | 株式会社リコー | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM |
JP4712326B2 (en) * | 2003-07-25 | 2011-06-29 | 株式会社リコー | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM |
US9240884B2 (en) | 2003-10-28 | 2016-01-19 | Certicom Corp. | Method and apparatus for verifiable generation of public keys |
CA2555322C (en) | 2004-02-13 | 2014-01-14 | Certicom Corp. | One way authentication |
CN103108325B (en) * | 2011-11-10 | 2018-05-18 | 中兴通讯股份有限公司 | A kind of information secure transmission method and system and access service node |
CN110430044A (en) * | 2019-07-10 | 2019-11-08 | 南京工业大学 | A kind of double layer encryption method based on ElGamal encryption |
CN111262707B (en) * | 2020-01-16 | 2023-04-14 | 余志刚 | Digital signature method, verification method, device and storage medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5231668A (en) * | 1991-07-26 | 1993-07-27 | The United States Of America, As Represented By The Secretary Of Commerce | Digital signature algorithm |
US5442707A (en) * | 1992-09-28 | 1995-08-15 | Matsushita Electric Industrial Co., Ltd. | Method for generating and verifying electronic signatures and privacy communication using elliptic curves |
US5475763A (en) * | 1993-07-01 | 1995-12-12 | Digital Equipment Corp., Patent Law Group | Method of deriving a per-message signature for a DSS or El Gamal encryption system |
ATE187588T1 (en) * | 1993-08-17 | 1999-12-15 | R3 Security Engineering Ag | PROCEDURE FOR DIGITAL SIGNATURE AND PROCEDURE FOR KEY AGREEMENT |
CA2228185C (en) * | 1997-01-31 | 2007-11-06 | Certicom Corp. | Verification protocol |
-
1998
- 1998-05-14 JP JP13174398A patent/JP4307589B2/en not_active Expired - Lifetime
- 1998-11-02 WO PCT/CA1998/001018 patent/WO1999023781A1/en not_active Application Discontinuation
- 1998-11-02 JP JP2000519520A patent/JP2001522071A/en active Pending
- 1998-11-02 AU AU10154/99A patent/AU1015499A/en not_active Abandoned
- 1998-11-02 EP EP98952457A patent/EP1025674A1/en not_active Withdrawn
- 1998-11-02 CA CA002306468A patent/CA2306468A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
JP4307589B2 (en) | 2009-08-05 |
JPH11174957A (en) | 1999-07-02 |
JP2001522071A (en) | 2001-11-13 |
WO1999023781A1 (en) | 1999-05-14 |
AU1015499A (en) | 1999-05-24 |
EP1025674A1 (en) | 2000-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6446207B1 (en) | Verification protocol | |
US7552329B2 (en) | Masked digital signatures | |
CA2130250C (en) | Digital signature method and key agreement method | |
US5231668A (en) | Digital signature algorithm | |
EP2306670B1 (en) | Hybrid digital signature scheme | |
US9800418B2 (en) | Signature protocol | |
CN110138567B (en) | ECDSA (electronic signature system) based collaborative signature method | |
CN112118111A (en) | SM2 digital signature method suitable for threshold calculation | |
Hwang et al. | An untraceable blind signature scheme | |
Sarath et al. | A survey on elliptic curve digital signature algorithm and its variants | |
WO2014205571A1 (en) | Signature protocol | |
CA2306468A1 (en) | Signature verification for elgamal schemes | |
WO2016187689A1 (en) | Signature protocol | |
CN115174102A (en) | Efficient batch verification method and system based on SM2 signature | |
Wang et al. | Signature schemes based on two hard problems simultaneously | |
Kwon et al. | Randomization enhanced blind signature schemes based on RSA | |
EP0854603A2 (en) | Generation of session parameters for el gamal-like protocols | |
CA2892318C (en) | Signature protocol | |
Toradmalle et al. | ELLIPTIC CURVE DIGITAL SIGNATURE WITH FORWARD SECRECY | |
Yoon et al. | A secure and efficient convertible authenticated encryption scheme with message linkages using elliptic curve cryptosystem | |
Sain et al. | Survey on Digital Signature algorithms | |
Al-Absi et al. | Cryptography Survey of DSS and DSA Algorithms |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
FZDE | Discontinued |