CA2381937A1 - Method for generating pseudorandom numbers and a method for electronic sigenature - Google Patents
Method for generating pseudorandom numbers and a method for electronic sigenature Download PDFInfo
- Publication number
- CA2381937A1 CA2381937A1 CA002381937A CA2381937A CA2381937A1 CA 2381937 A1 CA2381937 A1 CA 2381937A1 CA 002381937 A CA002381937 A CA 002381937A CA 2381937 A CA2381937 A CA 2381937A CA 2381937 A1 CA2381937 A1 CA 2381937A1
- Authority
- CA
- Canada
- Prior art keywords
- points
- numbers
- pseudorandom numbers
- elliptic curves
- generating pseudorandom
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/58—Random or pseudo-random number generators
- G06F7/582—Pseudo-random number generators
- G06F7/584—Pseudo-random number generators using finite field arithmetic, e.g. using a linear feedback shift register
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Computational Mathematics (AREA)
- Algebra (AREA)
- Storage Device Security (AREA)
- Compression, Expansion, Code Conversion, And Decoders (AREA)
Abstract
The invention relates to a method for generating pseudo random numbers and a method for electronic signatures. According to the inventive method for generating pseudo random numbers, points are determined on at least two different elliptical curves. A pseudo random number is produced respectively by linking the points. The linking of points of different elliptical curves to generate a pseudo random number makes it impossible to deduce the individual elliptical curves on the basis of the pseudo random numbers. The cryptograph ic security of the inventive method is thus tremendously increased because the computation of discrete logarithms is made impossible.
Description
Description Method for generating pseudorandom numbers, and a method for electronic signature The invention relates to a method for generating pseudorandom numbers and a method for electronic signature.
Random numbers are required in cryptography for encoding or signing messages. An overview of the development of cryptography in Germany is given in the article entitled "Vom diplomatischen Code zur Falltiirfunktion" ["From the diplomatic code to the trapdoor function"] by Otto Leiberich, Spektrum der Wissenschaft, June 1999, pages 26 to 34. This describes a previously used worm encryption method or stream encryption method., in the case of which a very long character string that has no sort of internal structure, what is termed a character worm or character stream, is added character by character to a message, the plaintext, that is to be encoded. If these are letters, they are firstly converted into numbers using the scheme a = 0, b = 1, ..., z = 25. So that no numbers larger than 25 result, an addition modulo 26 is carried out. In the computer age, the texts are converted into binary numbers and zeros and ones modular 2 are added. The receiver subtracts the character stream - modulo 26 or 2 - from the received secret text and therefore reobtains the clear text.
The character stream is generated with the aid of random number generators. These were previously based on high-frequency voltage fluctuations of specific tubes, what are termed thyratrons, and later on radioactive decay events.
- la -Since, however, the character streams must in each case be securely transmitted in parallel from the transmitter to the receiver, a substantial throughput of secure data transfer is required.
Random numbers are required in cryptography for encoding or signing messages. An overview of the development of cryptography in Germany is given in the article entitled "Vom diplomatischen Code zur Falltiirfunktion" ["From the diplomatic code to the trapdoor function"] by Otto Leiberich, Spektrum der Wissenschaft, June 1999, pages 26 to 34. This describes a previously used worm encryption method or stream encryption method., in the case of which a very long character string that has no sort of internal structure, what is termed a character worm or character stream, is added character by character to a message, the plaintext, that is to be encoded. If these are letters, they are firstly converted into numbers using the scheme a = 0, b = 1, ..., z = 25. So that no numbers larger than 25 result, an addition modulo 26 is carried out. In the computer age, the texts are converted into binary numbers and zeros and ones modular 2 are added. The receiver subtracts the character stream - modulo 26 or 2 - from the received secret text and therefore reobtains the clear text.
The character stream is generated with the aid of random number generators. These were previously based on high-frequency voltage fluctuations of specific tubes, what are termed thyratrons, and later on radioactive decay events.
- la -Since, however, the character streams must in each case be securely transmitted in parallel from the transmitter to the receiver, a substantial throughput of secure data transfer is required.
Consequently, methods for generating pseudorandom numbers, what are termed pseudorandom number generators, have been developed that can generate a sequence of pseudorandom numbers of substantially any desired length as a function of a key. In the case of the above coding method, this has required only one key to be transmitted secretly between the communication partners, and this is substantially easier to handle than transmitting a complete character stream in each case.
For present day open networks, in particular the Internet, methods have been developed in which two communication partners who wish to communicate with one another for the first time send one another encoded messages. These methods are what are termed asymmetric key methods which are also termed public key methods, in the case of which the receiver publishes his key, what is termed a public key.
One of the best known methods of this type is what is termed the RSA method, in the case of which parts of the key, what are termed key modules, are products of two large prime numbers. The sender of the message knows only the key module, that is to say the product, and can use the latter to encode the message using a specific mathematical function. However, knowledge of the product is insufficient to decode the message, however it is the two prime numbers that are required.
It is only the correct receiver, who has generated the key, that can decode the encoded message with the aid of these prime numbers and a corresponding inverse function.
Given large modules, it is not possible in practice to decompose the key module into its divisors, the two prime numbers, with a normal computational outlay. In "Faktorisierung grof3er Zahlen" ["Factorizing large ' GR 99 P 2593 - 2a -numbers"] by Johannes Buchmann, Spektrum der Wissenschaft, September 1996, pages 80 - 88, the problem of decomposing large numbers into their prime numbers is described in detail and the outlay for decomposing a 129 place number is set forth. This number was decomposed into the individual prime numbers with the aid of 600 volunteers who made their computers available.
A disadvantage of the RSA method is that it is too slow for encoding messages, since ensuring a sufficiently high level of security requires the use of very large numbers - approximately 1000 binary or 300 decimal spaces. Such large numbers are to be raised to the power of others of a similar order of magnitude, and this cannot be performed quickly enough to encode data that are to be transmitted. The RSA method is therefore used only for the encoded transmission of keys, which are to be kept secret, for a conventional method which then accomplishes the actual encoding.
Methods based on elliptic curves have been developed as an alternative to the RSA method. Only elliptic curves over finite fields are relevant for cryptography. These elliptic curves over finite fields form point groups in which an addition and a multiplication are defined that have nothing in common with common addition and multiplication except for the computational rules.
Multiplication on an elliptic curve over a finite field is a one-way function, that is to say in the normal case it is impossible by computation to carry out the inverse - the calculation of what are termed discrete logarithms - whereas multiplication can be executed very simply and quickly. This fact is utilized in the case of the cryptographic methods based on elliptic curves by virtue of the fact that the receiver selects a random number t for himself and uses this random number t and a multiplication by t on the elliptic curve to determine a curve point T. The curve point T
is published as a key, whereas the random number t is kept secret by the receiver. A transmitter can use the curve point T
For present day open networks, in particular the Internet, methods have been developed in which two communication partners who wish to communicate with one another for the first time send one another encoded messages. These methods are what are termed asymmetric key methods which are also termed public key methods, in the case of which the receiver publishes his key, what is termed a public key.
One of the best known methods of this type is what is termed the RSA method, in the case of which parts of the key, what are termed key modules, are products of two large prime numbers. The sender of the message knows only the key module, that is to say the product, and can use the latter to encode the message using a specific mathematical function. However, knowledge of the product is insufficient to decode the message, however it is the two prime numbers that are required.
It is only the correct receiver, who has generated the key, that can decode the encoded message with the aid of these prime numbers and a corresponding inverse function.
Given large modules, it is not possible in practice to decompose the key module into its divisors, the two prime numbers, with a normal computational outlay. In "Faktorisierung grof3er Zahlen" ["Factorizing large ' GR 99 P 2593 - 2a -numbers"] by Johannes Buchmann, Spektrum der Wissenschaft, September 1996, pages 80 - 88, the problem of decomposing large numbers into their prime numbers is described in detail and the outlay for decomposing a 129 place number is set forth. This number was decomposed into the individual prime numbers with the aid of 600 volunteers who made their computers available.
A disadvantage of the RSA method is that it is too slow for encoding messages, since ensuring a sufficiently high level of security requires the use of very large numbers - approximately 1000 binary or 300 decimal spaces. Such large numbers are to be raised to the power of others of a similar order of magnitude, and this cannot be performed quickly enough to encode data that are to be transmitted. The RSA method is therefore used only for the encoded transmission of keys, which are to be kept secret, for a conventional method which then accomplishes the actual encoding.
Methods based on elliptic curves have been developed as an alternative to the RSA method. Only elliptic curves over finite fields are relevant for cryptography. These elliptic curves over finite fields form point groups in which an addition and a multiplication are defined that have nothing in common with common addition and multiplication except for the computational rules.
Multiplication on an elliptic curve over a finite field is a one-way function, that is to say in the normal case it is impossible by computation to carry out the inverse - the calculation of what are termed discrete logarithms - whereas multiplication can be executed very simply and quickly. This fact is utilized in the case of the cryptographic methods based on elliptic curves by virtue of the fact that the receiver selects a random number t for himself and uses this random number t and a multiplication by t on the elliptic curve to determine a curve point T. The curve point T
is published as a key, whereas the random number t is kept secret by the receiver. A transmitter can use the curve point T
to encode his message, which can then be decoded only by the receiver, who knows the random number t on which the curve point T is based.
Such methods based on elliptic curves require substantially less computer power in conjunction with the same security than does the RSA method. Such methods can be implemented in microcomputers such as, for example, in chip cards. Siemens AG markets a chip card with the trade name of SLE44CR80S, in which a signature method is implemented on the basis of elliptic curves.
Random numbers are required, again, to generate the keys, the public key, which the receiver publishes, and its corresponding private key.
The invention is therefore based on the object of using elliptic curves as a basis for creating a method for generating pseudorandom numbers that can be executed easily and quickly and with the aid of which it is possible to generate a large quantity of high-quality random numbers.
This object is achieved by means of a method having the features of claim 1.
The invention is also based on the object of creating a method for electronic signature on the basis of elliptic curves, and of creating a corresponding apparatus, which require less storage space than do known methods and apparatuses for electronic signature on the basis of elliptic curves, and can be implemented on small computer systems, in particular chip cards.
4a -The obj ect is achieved by means of a method having the features of claim 11, and an apparatus having the features of claim 12.
Such methods based on elliptic curves require substantially less computer power in conjunction with the same security than does the RSA method. Such methods can be implemented in microcomputers such as, for example, in chip cards. Siemens AG markets a chip card with the trade name of SLE44CR80S, in which a signature method is implemented on the basis of elliptic curves.
Random numbers are required, again, to generate the keys, the public key, which the receiver publishes, and its corresponding private key.
The invention is therefore based on the object of using elliptic curves as a basis for creating a method for generating pseudorandom numbers that can be executed easily and quickly and with the aid of which it is possible to generate a large quantity of high-quality random numbers.
This object is achieved by means of a method having the features of claim 1.
The invention is also based on the object of creating a method for electronic signature on the basis of elliptic curves, and of creating a corresponding apparatus, which require less storage space than do known methods and apparatuses for electronic signature on the basis of elliptic curves, and can be implemented on small computer systems, in particular chip cards.
4a -The obj ect is achieved by means of a method having the features of claim 11, and an apparatus having the features of claim 12.
Advantageous refinements of the invention are specified in the subclairns.
In the case of the method according to the invention as claimed in claim 1 for generating pseudorandom numbers, pairs of points are determined that lie on at least two different elliptic curves over a finite field, and a random number is determined as a function of in each case one such pair of points.
Since in accordance with the invention use is made of two different elliptic curves, and the pseudorandom number is derived from a pair of points, the two points of the pair lying on different elliptic curves, it is impossible to infer the curve points from the pseudorandom numbers determined in this way. In the case of the use of only a single elliptic curve for deriving pseudorandom numbers, it would be possible to infer the curve points from the pseudorandom numbers by calculating discrete logarithms. It would thereby be possible for third parties to determine the computing rule for the pseudorandom numbers and to predict the further pseudorandom numbers. This would constitute a substantial security risk which is avoided with the aid of the present invention.
The method according to the invention for electronic signature combines a signature method that is known per se with the method according to the invention for generating pseudorandom numbers. The same routines and/or devices can be used both for the signature method and for the generation of the random numbers, it thereby being possible to save substantially on program code and storage space. In addition, an optimization of the EC (= elliptic curve) arithmetic has an advantageous effect both in the case of the generation of the pseudorandom numbers and in the case of the - 5a -immediate execution of the signature method. Effects of synergy are achieved due to this double use of the routines and devices on the basis of elliptic curves.
Furthermore, the pseudorandom numbers generated in accordance with the invention cannot be distinguished from random numbers of a true random number generator, and can be generated with a relatively low computational outlay.
The invention is explained in more detail below by way of example with the aid of the drawings in which, schematically:
Figure 1 shows an elliptic curve over the real numbers, Figure 2 shows an elliptic curve over a finite field, Figure 3 shows the addition of two points on an elliptic curve over the real numbers, Figure 4 shows the points on the elliptic curve y2=x3+2x+9 over the field mod 13, which form a cyclic group with 17 points, Figure 5 shows the method sequence of an exemplary embodiment of the invention in a flowchart, Figure 6 shows the basic principle of the method according to the invention for generating pseudorandom numbers in a flowchart, and Figure 7 shows the structure of a program for executing a signature method according to the invention.
A brief explanation will firstly be given of the mathematical principles for computing on elliptic - 6a -curves. An elliptic curve E over a field K is a curve that can be described by a cubic equation of the following form:
_ 7 _ yz=x3+ax+b, with a and b from K, 4a3+27bz ~ 0. Pairs (x, y) from K x K which satisfy the equation, as well as the formal pair (oo, Oo) are called points on the curve E over K.
An elliptic curve over the real numbers is shown in figure 1. Note that elliptic curves are not ellipses.
Figure 2 shows an elliptic curve over a finite field.
The algebraic term field defines a "number domain" in which it is possible to add, subtract, multiply and divide using the formal computing rules known from the rational numbers. There are infinite fields such as, for example, the rational numbers, the real numbers, the complex numbers, and finite fields. Finite fields are, for example, the field GF(p) of the numbers mod p, p being a prime number, or the field GF(2n) of the binary vectors of the length n. ("GF" stands for "Galois field", which is a synonym for "finite field").
Only elliptic curves over finite fields are relevant to cryptography.
Figure 3 shows the addition of two points Pl, Pz on an elliptic curve over the real numbers, the point P3 being yielded. In this addition, the straight line connecting the points P1 and Pz is formed and its third point of intersection with the elliptic curve is determined.
This point of intersection is reflected at the x-axis and yields the result P3 for the addition of P1 and Pz.
The addition of the points on elliptic curves can be expressed by the following formulas:
x3=rz-xl-xz, Ya=r (xl-xs) -Yi, where r= (yz-Y~) / (xz-x~) , if xl~xz, r= (3x12+a) /2Yi. if P1=Pz ~
_ g _ xi, yi being the coordinates of the point Pi (i=1,2,3).
These formulas also hold for elliptic curves over finite fields.
A multiplication of curve points by whole numbers k is defined by iteration of the point addition:
k*P=P+P+...+P (k-fold sum).
This multiplication of curve points by whole numbers can be executed easily and quickly, whereas the inverse task of calculating what are termed discrete logarithms can normally be solved only with an extraordinary computational outlay. There is no algorithm with a subexponential runtime for this. This point multiplication therefore constitutes a one-way function, for which reason it is used in methods with public keys, what are termed public key methods.
The method according to the invention for generating pseudorandom numbers is explained below with the aid of an exemplary embodiment shown in figure 5.
A first elliptic curve E over the field GF(p) is given by the following equation:
(y2) mod p = (x3 + 6x +
605067903441846547388214966045455206952938406771) mod p, where p =2lso_47=
1461501637330902918203684832716283019655932542929.
p is a prime number with 160 bits.
The elliptic curve E over GF(p) has as group degree #E (GF (p) ) - 7*q, where q=208785948190128988314812461240940947434505754881.
Once again q is a prime number with 128 bits.
The group degree of an elliptic curve is the number of the elements of the point group, that is to say the number of the solutions of the defining equation of the elliptic curve E over GF(p). The larger the maximum prime divisor of the group degree, the more difficult it is to calculate discrete logarithms. The magnitude of the group degrees and of their maximum prime divisors therefore constitutes a quality feature of the method according to the invention, the group degrees preferably being required to be at least 2100 or, better, 2130.
A second elliptic curve E' over GF (p) is given by the following equation:
( y2 ) mod p = ( x3 + 3 x +
168756385740498547400152923318200148712149363991) mode p.
The curve E' is isogenic relative to the curve E, that is to say when the curve E has the form y2=x3+ax+b, the curve E' has the form y2=x3+ac2x+bc3 , with a, b, c from GF(p), c being a quadratic nonresidue modulo p. It holds in the present case for c that:
c= 503145425704462245322517599589013227703324936803.
Substantial advantages are offered by the use of two isogenic curves instead of two arbitrary curves. Thus, the degree of the elliptic curve E' over GF(p) can be derived easily from the group degree of E since, specifically, the sum of the two degrees is 2p+2, the following equation being yielded as a result:
#E' (GF (p} ) - 2p+2 - #E (GF (p) ) In the present case, the result for the group degree of E' is:
#E' (GF (p) ) - 2p+2 - #E (GF (p) ) - 11 * 19 * q' where q'= 4581509834893112596249788202965452687367789347.
q' is a prime number with the length of 152 bits.
Two points P, P' on the curves E, E' are now selected such as, for example:
P =(27,1199480719563308855489368355308026541006624847440) P' =(318,767790262932904318810390534329377261151321453045), and two starting values s, s', for example s=s'=2.
The step S1 from figure 5 is terminated by the determination of the elliptic curves E, E', the points P, P' and the starting values s, s'. The method sequence now carries over to the step S2 , in which the points P, P' are multiplied by s and s', respectively, the result being denoted as PA and PA', respectively.
The multiplication is executed as s-fold or s'-fold addition in accordance with the addition shown in figure 3.
The points PA and PA' are transferred to the rule for determining random bits (step S3). In the present case, the x-coordinates of the two points PA and PA' are combined with XOR and divided by c.
For isogenic elliptic curves E and E', it holds for an arbitrary x from GF(p) that x is either the x-coordinate of two different points on E, or else that x is the x-coordinate of a point on E and cx is the x-- 10a -coordinate of a point on E' , or else that x is not the x-coordinate of a point on E, but cx is the x-coordinate of two points on E'. Thus, when the x-coordinates on E' are divided by c every arbitrary x occurs from GF(p) exactly 2x times as x-coordinate. That is to say, combining an x-coordinate on E with an x-coordinate on E' divided by c is equivalent to combining two arbitrary, random values between 0 and p-1. The pseudorandom bits derived thereby therefore behave like true random bits.
From the step S2, the points PA and PA' are also transferred to the step S4, in which the points P, P' remain unchanged and s or s' is respectively increased by one.
From the step S4, the method sequence transfers once again to the step S2, in which, again, new points PA
and PA' are formed which are then transferred again to the step S3 for calculating further random bits and to the step S4. This method sequence can be repeated multiply, new random bits being generated continuously.
The inventors of the present invention have used the above-described method for generating random members to generate 20 x one million random bits, and have subjected these random bits to various statistical tests. No deviations from true random bits could be established by the tests.
It is essential to the invention that in the step S3 the random number Z is determined from the two points PA and PA' that originate from different elliptic curves E and E'. The combination of the two points PA
and PA' ensures that the pseudorandom numbers generated cannot be used to determine by discrete logarithms the points P and P' on which the calculation of the points PA and PA' is based. It is therefore impossible to infer from the result of S3 the method for generating the points PA, PA' with the aid of the steps S1, S2 and S4, this being represented by the dashed line in figure 5.
The invention is not limited to the exemplary embodiment illustrated in figure 5. It is, for example, possible within the scope of the invention for a different combination of the x-coordinates to be selected in the step S3. Thus, for example, the two x-coordinates can be combined with one another by adding modulo p. Or, alternatively, it is the y-coordinates that are combined. Otherwise the x-coordinates and y-coordinates. It is also possible within the scope of the invention, after each calculation of PA and PA', not permanently prescribed elliptic curves E, E' with points P, P', but new curves E*, E*' and points P*, P*', which are used to calculate the next points PA*
and PA*'. The values s, s' can also be varied arbitrarily per se. All that is essential to the invention is that the values s, s' are whole numbers.
At the beginning of the method, they can be generated, for example, with the aid of a simple random number generator, which need not satisfy high demands. A basic principle of the present invention is illustrated in figure 6, the principle having a loop consisting of the steps S5 and S6, two elliptic curves E, E' , two points P, P' on the two curves and two starting values s, s' being selected in the step S5. The points P, P' are multiplied by s and s', respectively, in the step S6, the result being PA and PA'. With each repetition of the loop S5, S6, at least one of the pairs E, E' or P, P' or s, s' is changed. It is also possible to change two or three pairs using a rule to be stipulated.
With each repetition of the loop, a new pair of numbers PA, PA' is generated and transferred to the method step S7, in the case of which the two points PA and PA' are respectively combined to form a pseudorandom number Z.
. - 12a -Methods on the basis of elliptic curves use the multiplication on elliptic curves as one-way function, for which reason apparatuses for carrying out such methods are provided with routines and devices for arithmetics on elliptic curves. Such methods also require random numbers in order to create the private and public keys. By using the method according to the invention to generate these random numbers, it is possible, on the one hand, to generate pseudorandom numbers that are qualitatively of high value and, on the other hand, the program code can be kept small since the existing routines can be used twice. Substantial resources are saved thereby and the security of the method is substantially enhanced at the same time.
Figure 7 shows the architecture of a program for executing the method according to the invention schematically in a block diagram. The program comprises a part P1 for carrying out the signature method, which has recourse to a program part P2 with the aid of which multiplications are carried out on elliptic curves over finite fields. The program part P1 is supplied by a further program part P3 with random numbers, the program part P3 again having recourse to the program part P2 for multiplication on elliptic curves.
Represented at the program part P1 is a data input current I and a data output current O, it being possible for the data input current to be a message to be signed, and the data output current to be the signature. Furthermore, the program part P1 can output its private and public keys on the data output current O. These functions of the program part P1 correspond to the signature methods and devices known per se on the basis of elliptic curves. The method according to the invention can be used, in particular, in the case of computing devices of low arithmetic capability such as, for example, chip cards, since the corresponding program code is exceptionally compact and the length of the numbers to be processed is substantially shorter - 13a than in the case of an RSA method for the same security level. However, it is also possible to market the programs on electronically readable data media.
In the case of the method according to the invention as claimed in claim 1 for generating pseudorandom numbers, pairs of points are determined that lie on at least two different elliptic curves over a finite field, and a random number is determined as a function of in each case one such pair of points.
Since in accordance with the invention use is made of two different elliptic curves, and the pseudorandom number is derived from a pair of points, the two points of the pair lying on different elliptic curves, it is impossible to infer the curve points from the pseudorandom numbers determined in this way. In the case of the use of only a single elliptic curve for deriving pseudorandom numbers, it would be possible to infer the curve points from the pseudorandom numbers by calculating discrete logarithms. It would thereby be possible for third parties to determine the computing rule for the pseudorandom numbers and to predict the further pseudorandom numbers. This would constitute a substantial security risk which is avoided with the aid of the present invention.
The method according to the invention for electronic signature combines a signature method that is known per se with the method according to the invention for generating pseudorandom numbers. The same routines and/or devices can be used both for the signature method and for the generation of the random numbers, it thereby being possible to save substantially on program code and storage space. In addition, an optimization of the EC (= elliptic curve) arithmetic has an advantageous effect both in the case of the generation of the pseudorandom numbers and in the case of the - 5a -immediate execution of the signature method. Effects of synergy are achieved due to this double use of the routines and devices on the basis of elliptic curves.
Furthermore, the pseudorandom numbers generated in accordance with the invention cannot be distinguished from random numbers of a true random number generator, and can be generated with a relatively low computational outlay.
The invention is explained in more detail below by way of example with the aid of the drawings in which, schematically:
Figure 1 shows an elliptic curve over the real numbers, Figure 2 shows an elliptic curve over a finite field, Figure 3 shows the addition of two points on an elliptic curve over the real numbers, Figure 4 shows the points on the elliptic curve y2=x3+2x+9 over the field mod 13, which form a cyclic group with 17 points, Figure 5 shows the method sequence of an exemplary embodiment of the invention in a flowchart, Figure 6 shows the basic principle of the method according to the invention for generating pseudorandom numbers in a flowchart, and Figure 7 shows the structure of a program for executing a signature method according to the invention.
A brief explanation will firstly be given of the mathematical principles for computing on elliptic - 6a -curves. An elliptic curve E over a field K is a curve that can be described by a cubic equation of the following form:
_ 7 _ yz=x3+ax+b, with a and b from K, 4a3+27bz ~ 0. Pairs (x, y) from K x K which satisfy the equation, as well as the formal pair (oo, Oo) are called points on the curve E over K.
An elliptic curve over the real numbers is shown in figure 1. Note that elliptic curves are not ellipses.
Figure 2 shows an elliptic curve over a finite field.
The algebraic term field defines a "number domain" in which it is possible to add, subtract, multiply and divide using the formal computing rules known from the rational numbers. There are infinite fields such as, for example, the rational numbers, the real numbers, the complex numbers, and finite fields. Finite fields are, for example, the field GF(p) of the numbers mod p, p being a prime number, or the field GF(2n) of the binary vectors of the length n. ("GF" stands for "Galois field", which is a synonym for "finite field").
Only elliptic curves over finite fields are relevant to cryptography.
Figure 3 shows the addition of two points Pl, Pz on an elliptic curve over the real numbers, the point P3 being yielded. In this addition, the straight line connecting the points P1 and Pz is formed and its third point of intersection with the elliptic curve is determined.
This point of intersection is reflected at the x-axis and yields the result P3 for the addition of P1 and Pz.
The addition of the points on elliptic curves can be expressed by the following formulas:
x3=rz-xl-xz, Ya=r (xl-xs) -Yi, where r= (yz-Y~) / (xz-x~) , if xl~xz, r= (3x12+a) /2Yi. if P1=Pz ~
_ g _ xi, yi being the coordinates of the point Pi (i=1,2,3).
These formulas also hold for elliptic curves over finite fields.
A multiplication of curve points by whole numbers k is defined by iteration of the point addition:
k*P=P+P+...+P (k-fold sum).
This multiplication of curve points by whole numbers can be executed easily and quickly, whereas the inverse task of calculating what are termed discrete logarithms can normally be solved only with an extraordinary computational outlay. There is no algorithm with a subexponential runtime for this. This point multiplication therefore constitutes a one-way function, for which reason it is used in methods with public keys, what are termed public key methods.
The method according to the invention for generating pseudorandom numbers is explained below with the aid of an exemplary embodiment shown in figure 5.
A first elliptic curve E over the field GF(p) is given by the following equation:
(y2) mod p = (x3 + 6x +
605067903441846547388214966045455206952938406771) mod p, where p =2lso_47=
1461501637330902918203684832716283019655932542929.
p is a prime number with 160 bits.
The elliptic curve E over GF(p) has as group degree #E (GF (p) ) - 7*q, where q=208785948190128988314812461240940947434505754881.
Once again q is a prime number with 128 bits.
The group degree of an elliptic curve is the number of the elements of the point group, that is to say the number of the solutions of the defining equation of the elliptic curve E over GF(p). The larger the maximum prime divisor of the group degree, the more difficult it is to calculate discrete logarithms. The magnitude of the group degrees and of their maximum prime divisors therefore constitutes a quality feature of the method according to the invention, the group degrees preferably being required to be at least 2100 or, better, 2130.
A second elliptic curve E' over GF (p) is given by the following equation:
( y2 ) mod p = ( x3 + 3 x +
168756385740498547400152923318200148712149363991) mode p.
The curve E' is isogenic relative to the curve E, that is to say when the curve E has the form y2=x3+ax+b, the curve E' has the form y2=x3+ac2x+bc3 , with a, b, c from GF(p), c being a quadratic nonresidue modulo p. It holds in the present case for c that:
c= 503145425704462245322517599589013227703324936803.
Substantial advantages are offered by the use of two isogenic curves instead of two arbitrary curves. Thus, the degree of the elliptic curve E' over GF(p) can be derived easily from the group degree of E since, specifically, the sum of the two degrees is 2p+2, the following equation being yielded as a result:
#E' (GF (p} ) - 2p+2 - #E (GF (p) ) In the present case, the result for the group degree of E' is:
#E' (GF (p) ) - 2p+2 - #E (GF (p) ) - 11 * 19 * q' where q'= 4581509834893112596249788202965452687367789347.
q' is a prime number with the length of 152 bits.
Two points P, P' on the curves E, E' are now selected such as, for example:
P =(27,1199480719563308855489368355308026541006624847440) P' =(318,767790262932904318810390534329377261151321453045), and two starting values s, s', for example s=s'=2.
The step S1 from figure 5 is terminated by the determination of the elliptic curves E, E', the points P, P' and the starting values s, s'. The method sequence now carries over to the step S2 , in which the points P, P' are multiplied by s and s', respectively, the result being denoted as PA and PA', respectively.
The multiplication is executed as s-fold or s'-fold addition in accordance with the addition shown in figure 3.
The points PA and PA' are transferred to the rule for determining random bits (step S3). In the present case, the x-coordinates of the two points PA and PA' are combined with XOR and divided by c.
For isogenic elliptic curves E and E', it holds for an arbitrary x from GF(p) that x is either the x-coordinate of two different points on E, or else that x is the x-coordinate of a point on E and cx is the x-- 10a -coordinate of a point on E' , or else that x is not the x-coordinate of a point on E, but cx is the x-coordinate of two points on E'. Thus, when the x-coordinates on E' are divided by c every arbitrary x occurs from GF(p) exactly 2x times as x-coordinate. That is to say, combining an x-coordinate on E with an x-coordinate on E' divided by c is equivalent to combining two arbitrary, random values between 0 and p-1. The pseudorandom bits derived thereby therefore behave like true random bits.
From the step S2, the points PA and PA' are also transferred to the step S4, in which the points P, P' remain unchanged and s or s' is respectively increased by one.
From the step S4, the method sequence transfers once again to the step S2, in which, again, new points PA
and PA' are formed which are then transferred again to the step S3 for calculating further random bits and to the step S4. This method sequence can be repeated multiply, new random bits being generated continuously.
The inventors of the present invention have used the above-described method for generating random members to generate 20 x one million random bits, and have subjected these random bits to various statistical tests. No deviations from true random bits could be established by the tests.
It is essential to the invention that in the step S3 the random number Z is determined from the two points PA and PA' that originate from different elliptic curves E and E'. The combination of the two points PA
and PA' ensures that the pseudorandom numbers generated cannot be used to determine by discrete logarithms the points P and P' on which the calculation of the points PA and PA' is based. It is therefore impossible to infer from the result of S3 the method for generating the points PA, PA' with the aid of the steps S1, S2 and S4, this being represented by the dashed line in figure 5.
The invention is not limited to the exemplary embodiment illustrated in figure 5. It is, for example, possible within the scope of the invention for a different combination of the x-coordinates to be selected in the step S3. Thus, for example, the two x-coordinates can be combined with one another by adding modulo p. Or, alternatively, it is the y-coordinates that are combined. Otherwise the x-coordinates and y-coordinates. It is also possible within the scope of the invention, after each calculation of PA and PA', not permanently prescribed elliptic curves E, E' with points P, P', but new curves E*, E*' and points P*, P*', which are used to calculate the next points PA*
and PA*'. The values s, s' can also be varied arbitrarily per se. All that is essential to the invention is that the values s, s' are whole numbers.
At the beginning of the method, they can be generated, for example, with the aid of a simple random number generator, which need not satisfy high demands. A basic principle of the present invention is illustrated in figure 6, the principle having a loop consisting of the steps S5 and S6, two elliptic curves E, E' , two points P, P' on the two curves and two starting values s, s' being selected in the step S5. The points P, P' are multiplied by s and s', respectively, in the step S6, the result being PA and PA'. With each repetition of the loop S5, S6, at least one of the pairs E, E' or P, P' or s, s' is changed. It is also possible to change two or three pairs using a rule to be stipulated.
With each repetition of the loop, a new pair of numbers PA, PA' is generated and transferred to the method step S7, in the case of which the two points PA and PA' are respectively combined to form a pseudorandom number Z.
. - 12a -Methods on the basis of elliptic curves use the multiplication on elliptic curves as one-way function, for which reason apparatuses for carrying out such methods are provided with routines and devices for arithmetics on elliptic curves. Such methods also require random numbers in order to create the private and public keys. By using the method according to the invention to generate these random numbers, it is possible, on the one hand, to generate pseudorandom numbers that are qualitatively of high value and, on the other hand, the program code can be kept small since the existing routines can be used twice. Substantial resources are saved thereby and the security of the method is substantially enhanced at the same time.
Figure 7 shows the architecture of a program for executing the method according to the invention schematically in a block diagram. The program comprises a part P1 for carrying out the signature method, which has recourse to a program part P2 with the aid of which multiplications are carried out on elliptic curves over finite fields. The program part P1 is supplied by a further program part P3 with random numbers, the program part P3 again having recourse to the program part P2 for multiplication on elliptic curves.
Represented at the program part P1 is a data input current I and a data output current O, it being possible for the data input current to be a message to be signed, and the data output current to be the signature. Furthermore, the program part P1 can output its private and public keys on the data output current O. These functions of the program part P1 correspond to the signature methods and devices known per se on the basis of elliptic curves. The method according to the invention can be used, in particular, in the case of computing devices of low arithmetic capability such as, for example, chip cards, since the corresponding program code is exceptionally compact and the length of the numbers to be processed is substantially shorter - 13a than in the case of an RSA method for the same security level. However, it is also possible to market the programs on electronically readable data media.
Claims (12)
1. A method for generating pseudorandom numbers in the case of which at least two points (P, P') of at least two different elliptic curves (E, E') are determined over a finite field (GF), and a pseudorandom number is generated by combining these points (P, P').
2. The method for generating pseudorandom numbers as claimed in claim 1, characterized in that a pair of points (P, P') is determined in each case in order to determine the pseudorandom number, the same two elliptic curves (E, E') being used in each case to determine the individual pairs.
3. The method for generating pseudorandom numbers as claimed in claim 2, characterized in that the two elliptic curves (E, E') are mutually isogenic.
4. The method for generating pseudorandom numbers as claimed in one of claims 1 to 3, characterized in that the points (P, P') of the first pair are determined as a function of two starting values (s, s').
5. The method for generating pseudorandom numbers as claimed in claim 4, characterized in that the points (P, P') of the further pairs are determined by varying the starting values in accordance with a predetermined rule.
6. The method for generating pseudorandom numbers as claimed in one of claims 1 to 4, characterized in that the further pairs of points (P, P') are determined by varying the elliptic curves and/or the points (P, P') according to a predetermined rule.
7. The method for generating pseudorandom numbers as claimed in one of claims 1 to 6, characterized in that the coordinates of the two points (P, P') are combined with one another to determine a random number.
8. The method for generating pseudorandom numbers as claimed in claim 7, characterized in that the x-coordinates of the two points (P, P') are combined with one another, the two elliptic curves (E, E') being isogenic.
9. The method for generating pseudorandom numbers as claimed in one of claims 1 to 8, characterized in that the point groups (E(GF (p)), E'(GF (P))) of the elliptic curves (E, E') over a finite field GF (p) have group orders (q or q') of at least 2 100 and preferably at least 2 130.
10. The method for generating pseudorandom numbers as claimed in one of claims 1 to 9, characterized in that the elliptic curves are defined over the finite field GF(p), p being a prime number that is greater than 3.
11. The method for electronic signature on the basis of elliptic curves, in which the keys are generated on the basis of random numbers, characterized in that the random numbers are determined using a method of claims 1 to 10.
12. The apparatus for carrying out the method for electronic signature on the basis of elliptic curves as claimed in claim 11, having a device for carrying out multiplications in the point group of an elliptic curve (E, E') over a finite field (GF(p)), a device for signing that uses the device for carrying out the multiplications, and a device for generating pseudorandom numbers using the method as claimed in one of claims 1 to 9, this device also using the device for carrying out the multiplication.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| DE19939059.2 | 1999-08-18 | ||
| DE19939059 | 1999-08-18 | ||
| PCT/DE2000/002776 WO2001013218A1 (en) | 1999-08-18 | 2000-08-16 | Method for generating pseudo random numbers and method for electronic signatures |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2381937A1 true CA2381937A1 (en) | 2001-02-22 |
Family
ID=7918727
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002381937A Abandoned CA2381937A1 (en) | 1999-08-18 | 2000-08-16 | Method for generating pseudorandom numbers and a method for electronic sigenature |
Country Status (4)
| Country | Link |
|---|---|
| EP (1) | EP1222527A1 (en) |
| JP (1) | JP2003507761A (en) |
| CA (1) | CA2381937A1 (en) |
| WO (1) | WO2001013218A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2256702A1 (en) | 2009-05-28 | 2010-12-01 | Dmitri Pakhomov | Portable card writer, card system and method of using a protable card writer |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7646872B2 (en) | 2004-04-02 | 2010-01-12 | Research In Motion Limited | Systems and methods to securely generate shared keys |
| WO2006076804A1 (en) * | 2005-01-21 | 2006-07-27 | Certicom Corp. | Elliptic curve random number generation |
| FR2897451A1 (en) * | 2006-02-13 | 2007-08-17 | France Telecom | CRYPTOGRAPHY DEVICE AND METHOD FOR GENERATING PSEUDO-RANDOM NUMBERS |
| DE102006017911B4 (en) | 2006-04-18 | 2023-01-26 | creditPass GmbH | Electronic payment system and method for carrying out a payment transaction |
| WO2010019593A1 (en) | 2008-08-11 | 2010-02-18 | Assa Abloy Ab | Secure wiegand communications |
| US10452877B2 (en) | 2016-12-16 | 2019-10-22 | Assa Abloy Ab | Methods to combine and auto-configure wiegand and RS485 |
-
2000
- 2000-08-16 EP EP00958257A patent/EP1222527A1/en not_active Withdrawn
- 2000-08-16 JP JP2001517250A patent/JP2003507761A/en not_active Withdrawn
- 2000-08-16 CA CA002381937A patent/CA2381937A1/en not_active Abandoned
- 2000-08-16 WO PCT/DE2000/002776 patent/WO2001013218A1/en not_active Application Discontinuation
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2256702A1 (en) | 2009-05-28 | 2010-12-01 | Dmitri Pakhomov | Portable card writer, card system and method of using a protable card writer |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2001013218A1 (en) | 2001-02-22 |
| JP2003507761A (en) | 2003-02-25 |
| EP1222527A1 (en) | 2002-07-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP3862500B2 (en) | High-speed elliptic curve encryption method and apparatus by direct embedding method | |
| Khalique et al. | Implementation of elliptic curve digital signature algorithm | |
| EP2279579B1 (en) | A closed galois field cryptographic system | |
| US8184803B2 (en) | Hash functions using elliptic curve cryptography | |
| JPS5950068B2 (en) | public key cryptographic device | |
| KR20000071078A (en) | Cyclotomic polynomial construction of discrete logarithm cryptosystems over finite fields | |
| Reyad | Text message encoding based on elliptic curve cryptography and a mapping methodology | |
| Dawahdeh et al. | A new modification for menezes-vanstone elliptic curve cryptosystem | |
| Murthy et al. | Cryptographic applications of Brahmagupta-Bha/spl tilde/skara equation | |
| US6480606B1 (en) | Elliptic curve encryption method and system | |
| Boruah et al. | Implementation of ElGamal Elliptic Curve Cryptography over prime field using C | |
| Hwu et al. | An efficient identity-based cryptosystem for end-to-end mobile security | |
| Nabil et al. | Hardware implementation of elliptic curve digital signature algorithm (ECDSA) on Koblitz curves | |
| CA2381937A1 (en) | Method for generating pseudorandom numbers and a method for electronic sigenature | |
| KR100326226B1 (en) | Method of Generating Matix Group Public Key | |
| JP3706398B2 (en) | Signature, authentication and secret communication method using elliptic curve | |
| Lakshmivarahan | Algorithms for public key cryptosystems: theory and application | |
| Thomas et al. | Analysis of elliptic curve scalar multiplication in secure communications | |
| Gopalakrishna et al. | IMPLEMENTATION OF DOUBLE ENCRYPTION USING ELGAMAL AND KNAPSACK ALGORITHM ON FPGA FOR NODES IN WIRELESS SENSOR NETWORKS | |
| McCullagh | Crytographic applications of bilinear maps | |
| Pittner | Design and Hardware Implementation of an Elliptic Curve Cryptography | |
| JPH11161164A (en) | Public key cipher system, ciphering device, and deciphering device | |
| Lalmohan et al. | Design and Implementation of Secure Stream Cipher based on Elliptic Curves on Time Shared Basis | |
| Nagaraju et al. | Efficient design and FPGA implementation of ECPBSG algorithm for a secure communication applications | |
| JP2003513312A (en) | A method for multiplication of factors by scalar |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |