CN1262830A - Pseudo-random generator based on hash coding function for cryptographic systems requiring random drawing - Google Patents
- Publication number
- CN1262830A
- Authority
- CN
- China
- Prior art keywords
- key
- cryptographic
- random
- random number
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/409—Device specific authentication in transaction processing
- G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
- G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/20—Manipulating the length of blocks of bits, e.g. padding or block truncation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Finance (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Storage Device Security (AREA)
Abstract
The invention concerns a cryptographic system normally requiring the drawing of a random number k, which is a whole number. The system is characterised in that it is operated by replacing said random number k by the value h(m|secret), in which h is a hash coding function, m is the message intervening in said system and "secret" is a secret unknown to the world outside the cryptographic system. The invention is particularly applicable to communicating media such as smart cards, PCMCIA cards, badges, contactless cards or any other portable medium.
Description
The invention describes a system which enables a signature or encryption device (typically a microprocessor) that lacks the hardware or software resources for random-number drawing to produce digital signatures or ciphertexts that require the drawing of a random number (typically DSA, ElGamal, Fiat-Shamir and Guillou-Quisquater for signature; ElGamal and McEliece for encryption).
The invention also provides an inexpensive response or protection against certain threats to cheaply generated random sequences (typically the encryption of short messages, and the new attacks disclosed by Coppersmith et al. at Eurocrypt '96 in the articles "Low-exponent RSA with related messages" and "Finding a small root of a univariate modular equation"), threats which concern a random sequence that may be joined to the information to be processed.
The invention also allows the generation of a blinding factor, for use in the context of blind signatures or in a random masking mechanism.
Finally, the invention can be used in key exchange protocols of the Diffie-Hellman type.
Although the smart card concept has been widely disseminated and well received by the public, actual large-scale use has only appeared in the last few years, mainly because of the restricted computing capacity of cards. Progress in the non-volatile memory capacity available for information and in circuit technology (for example EEPROM) has quickly brought forth a new generation of cards and increasingly ambitious applications, such as the new US digital signature standard (DSA).
The greatest constraint on implementing public-key algorithms with a smart card as the medium is (often) the need for a device on the card that generates random numbers. This is because such a device (also called a generator) proves complicated to build and is often unstable (sensitive to phenomena external to the card, such as the ambient temperature or the voltage applied to the card). When such cryptographic systems are implemented on computers, the quality of the random numbers is blurred by other phenomena caused by the characteristics of software random generators. Typically, a popular method of generating random numbers consists of measuring the time elapsed between two keystrokes by the user. Recent criminal cases show that a rogue device can bias such a generator by stimulating the keyboard, the attacker learning through this rogue device the time elapsed between keystrokes.
The invention proposes an alternative solution which allows cryptographic systems requiring high-quality random-number drawing to be implemented on software or hardware platforms which:
1. have no random-number generator,
2. or produce random numbers of low quality,
3. or where the system designer suspects that external factors could degrade the quality of the random numbers by modifying the external and internal operating state.
The invention applies to various series of cryptographic algorithms. In order to understand the invention better, and before reading the content of the claims, it is useful to recall the principal characteristics of the series of cryptographic algorithms to which the invention applies; these series are six in number.
The first application series relates to signature schemes of the ElGamal type.
As described in the article entitled "A public key cryptosystem and a signature scheme based on discrete logarithms", published in IEEE Transactions on Information Theory, vol. IT-31, no. 4, 1985, pp. 469-472, the ElGamal signature algorithm gave rise to several well-known signature algorithms: Schnorr (US patent 4,995,082), GOST 34-10 (the DSS of the Russian Federation) and DSA (the US DSS).
Once the invention has been illustrated in the context of DSA, those skilled in the art will easily be able to apply it to the other algorithms of the series.
Hereinafter the description refers to the DSA algorithm.
The DSS proposed by the US National Institute of Standards and Technology (DSA, named "Digital Signature Algorithm", US patent 5,231,668) provides a suitable basis for applications that need a digital signature in place of a handwritten signature. A DSA signature consists of two large numbers, represented in a computer by binary digit strings. The digital signature is computed by a set of computation rules (the DSA) and a set of parameters, in such a way that the identity of the signer and the integrity of the data can be verified. DSA makes it possible both to generate and to verify signatures.
The signature generation method uses a private key (in order to produce the digital signature). The verification method uses a public key which corresponds to the private key but is not identical to it. Each user has two keys (one public, one private). It is assumed that everyone knows the public key and that the private key is not disclosed. Anyone can verify a user's signature with the user's public key, but no one can produce that signature without the user's private key.
The parameters of DSA are:
1. a prime modulus p, where 2^(L-1) < p < 2^L, 512 ≤ L ≤ 1024 and L = 64α, α being any integer;
2. a prime modulus q, where 2^159 < q < 2^160 and p-1 is a multiple of q;
3. a number g of order q modulo p, where g = h^((p-1)/q) mod p and h is any integer with 1 < h < p-1;
4. a number x, generated randomly or pseudo-randomly;
5. a number y defined by the relation y = g^x mod p;
6. a number k, generated randomly or pseudo-randomly, with 0 < k < q.
The integers p, q and g can be public system parameters and/or shared by a group of users. The private and public keys of the signer are x and y respectively. The parameters x and k are used to generate a signature and must be kept secret. A new parameter k must be generated for each signature.
To sign a message m (the hash of the original document M), the signer computes:
r = g^k mod p mod q and s = (m + x r)/k mod q
in order to form the signature (r, s), where division by k is interpreted modulo q (that is, 1/k is the number k' such that k k' = 1 mod q).
For example, if q = 5 and k = 3, then 1/k = 2, because 3 × 2 = 6 = 1 mod 5.
As explained in the description of DSA, after checking that r ≠ 0 and s ≠ 0, the signature (r, s) is sent to the verifier, who computes:
1. w = 1/s mod q
2. μ1 = m w mod q
3. μ2 = r w mod q
4. v = g^μ1 y^μ2 mod p mod q
5. and compares v with r in order to accept or reject the signature.
The second series also relates to signature schemes; these are schemes derived from zero-knowledge protocols.
The second series of signature algorithms to which the invention applies consists of the schemes derived from zero-knowledge protocols (typically Fiat-Shamir or Guillou-Quisquater, patented in the United States under numbers 4,748,668 and 5,140,634 respectively). Here again only one of the protocols is described: once the invention has been applied to the Guillou-Quisquater algorithm, its extension to the other algorithms of this series will be self-evident to those skilled in the art.
The parameters of the Guillou-Quisquater algorithm are:
1. two secret prime numbers p and q of size at least 256 bits, generated in a specific manner whose details are unnecessary for understanding the invention and may be found in the work by Bruce Schneier published by Thomson (translated by Marc Vauclair), "Applied Cryptography: Algorithms, Protocols and Source Code";
2. the public modulus n = pq and a string ID representing the identity of the signer;
3. a public exponent v and a private key B such that B^v ID = 1 mod n; the parameter B must be kept secret;
4. to sign a message m, the sender draws a random number k, computes the initial witness T = k^v mod n and produces the signature:
d = h(T, m) and D = k B^d mod n, with d = h(T, m);
5. the verifier establishes the authenticity of the signature by checking:
d = h(T', m), where T' = D^v ID^d mod n.
The third application series relates to public-key encryption schemes that require a random number.
The first encryption algorithm requiring a random number described hereinafter is ElGamal.
The parameters of this algorithm are:
1. a prime modulus p (at least 512 bits);
2. a number g of order p-1 modulo p (that is, such that g^u ≠ 1 mod p for any integer u with 0 < u < p-1);
3. a number x, 1 ≤ x ≤ p-2, generated randomly or pseudo-randomly;
4. a number y defined by the relation y = g^x mod p;
5. a number k, generated randomly or pseudo-randomly, with 0 < k < p-1.
The integers p and g are system parameters which can be public and/or shared by a group of users. The public encryption key is the number y and the secret decryption key is the number x.
The parameter k is used to produce the ciphertext and must not be revealed. Moreover, a new parameter k must be generated for each encryption.
The encryption of a message m (0 ≤ m ≤ p-1) is the pair of integers (r, s), where:
r = g^k mod p and s = m y^k mod p.
To recover the message m, the recipient of the ciphertext (who holds x) computes:
s / r^x mod p,
which is exactly m.
The second encryption algorithm requiring the generation of a random number is the McEliece scheme, which is based on a problem from coding theory, more precisely on the use of a particular class of codes called Goppa codes. The general idea is to disguise a Goppa code as a linear code: efficient algorithms exist for decoding Goppa codes, whereas decoding a general linear code is a hard problem, so only the recipient, who knows how the code was disguised, can decrypt by decoding the Goppa code obtained.
The parameters of the McEliece algorithm (all formulas below being interpreted in GF(2)) are:
1. numbers n, k and t, the system parameters; in the original text describing his encryption scheme, McEliece suggested n = 1024, t = 50 and k = 524;
2. a private key comprising:
* the generator matrix G of a binary Goppa code of length n and dimension k correcting t errors, and the corresponding decoding algorithm;
* a random invertible k × k matrix S;
* a random permutation matrix P of size n;
3. the corresponding public key comprising:
* the generator matrix T = SGP of a code equivalent to G;
* the correction capacity t;
4. the encryption of a k-bit message m with the McEliece algorithm is computed as:
c = mT + e
where e is a randomly chosen error vector of Hamming weight t.
The decryption of c is carried out by computing:
cP^(-1) = mTP^(-1) + eP^(-1) = mSG + eP^(-1).
Since e has weight t, eP^(-1) also has weight t. The vector cP^(-1) can therefore be corrected using the code G; by decoding, the decipherer obtains mS and then m, since the decipherer knows S and S is invertible.
The fourth series relates to encryption schemes that require random padding.
It is very common for a data item to be encrypted to be padded beforehand, for example by extending it so as to obtain a data item of fixed length. This aspect can be illustrated by the example of RSA encryption, published in 1978 by R. Rivest, A. Shamir and L. Adleman and patented under the title "Cryptographic communications system and method", US 4,405,829.
An RSA ciphertext is a large number, represented in a computer as a string of binary or hexadecimal digits. It is computed by a set of computation rules (the encryption algorithm) applied to a set of parameters that everyone can process, by software computing resources (a program) and/or hardware computing resources (an electronic circuit), so as to conceal the content of the processed data. Similarly, the ciphertext is decrypted by software or hardware computing resources applying a set of computation rules (the decryption algorithm), used by the recipient of the ciphertext, to a set of secret parameters and to the ciphertext.
The encryption method uses a public key to produce the ciphertext. The decryption method uses a private key which corresponds to the public key but is not identical to it. Each user has two keys (one public, one private), and it is assumed that everyone knows the public key and that the private key is not disclosed. Anyone can encrypt a message for a user with that user's public key, without using the user's private key, but cannot decrypt the ciphertext.
The parameters of the RSA algorithm are:
1. two secret prime numbers p and q of size at least 256 bits, generated in a specific manner whose details are unnecessary for understanding the invention and may be found in the work by Bruce Schneier published by Thomson (translated by Marc Vauclair), "Applied Cryptography: Algorithms, Protocols and Source Code";
2. the public modulus n = pq;
3. a pair of exponents, denoted (e, d), such that:
ed = 1 mod (p-1)(q-1).
Everyone may know the exponent e, called the "encryption exponent", but the "decryption exponent" d must be kept secret.
To encrypt a message m, the sender computes the ciphertext c = m^e mod n, and the recipient decrypts c by computing m = c^d mod n.
In order to leave the choice of parameters as free as possible, the security of the algorithm, which rests on the factoring problem, is generally taken to provide confidentiality between the sender and the recipient of an encrypted message regardless of the size of the message relative to the modulus and of any particular relationship between the messages handled by the sender and the recipient.
On the other hand, the new attacks proposed by Coppersmith et al. at Eurocrypt '96 ("Low-exponent RSA with related messages" and "Finding a small root of a univariate modular equation", in the proceedings published by Springer-Verlag, LNCS 1070) show that a polynomial relation between messages encrypted with the same small exponent allows an effective known-plaintext attack; such polynomial relations often occur in the context of applications using encryption devices, where for performance reasons the public exponent e = 3 is used.
One possible solution is to pad the messages with a random sequence (without taking special precautions) or to break the relations between messages; this solution depends on the application and is not always possible.
The following modification is introduced in step 4.
To encrypt a message, the sender generates a sequence sr with some degree of randomness and computes the ciphertext c = (m|sr)^e mod n, the symbol | denoting concatenation; the recipient decrypts c by computing c^d mod n and recovers m by deleting the padding characters.
The correct method of padding a message varies according to the standard, the application conditions or the required level of security.
The fifth series relates to the blinding factor and blind signatures.
A basic function, called a primitive by those skilled in the art, used in many cryptographic protocols and schemes is the mechanism of blind signature of a given message. This function, published and patented by Chaum (US patent 4,759,063 and European patent 0139313), makes it possible to obtain the signature of a message without the signer being able to read that message. It requires the generation of a blinding factor, known only to the requester of the signature, which makes it possible to hide the message. The mechanism used is equally suitable for signature systems of the ElGamal type and for RSA signature systems.
Once explained in the context of RSA, the application of the invention to other signature algorithms will be self-evident to a person skilled in the art. Only the blind signature mechanism based on RSA is described here.
Reusing the notation used in describing the fourth application series of the invention, the RSA signature is defined as:
s = m^d mod n
and is normally verified as follows:
s^e mod n = (m^d)^e mod n = m.
The steps by which the sender E of a message m obtains a blind signature are:
1. E generates a random number k, computes the blinding factor k^e mod n and sends m' = m k^e mod n to the recipient (the signer);
2. the recipient computes the signature s' = m'^d mod n of m' and sends s' to E;
3. E computes s'/k = (m k^e)^d / k = m^d k^(ed) / k = m^d mod n, and thus obtains the signature s of m.
This technique of multiplication by a blinding factor is also used for random masking (European patent application EP 91402958.2).
The method referred to is used, for example, when a device A wishes to subcontract an operation to a device B without the operand appearing in clear to B. Take modular reduction as an example: A disguises the number to be reduced by adding to it a random multiple of the modulus. Thus, if A wishes to obtain c = ab mod n, it can generate a random number k, compute c' = ab + kn (kn disguising the product ab) and send c' to device B for reduction.
Device B computes c' mod n = ab + kn mod n = c.
Finally, this technique makes it possible to counter the attack proposed by Kocher and described at Crypto '96 ("Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems", in the proceedings published by Springer-Verlag, LNCS 1109), an attack based on measuring the time taken by an operation on a secret quantity in order to guess the value of that quantity.
This is because an effective response is to operate on the secret quantity blinded by a blinding factor, so as to decorrelate the computation time from the quantity. For example, in the case of the RSA signature (those skilled in the art will know how to extend this result to all the algorithms concerned by the attack, it being noted that all of them require a modular exponentiation with the private key), reusing the notation used in describing the fourth application series of the invention:
1. the signer generates a random number k and computes
d' = d + k(p-1)(q-1)
2. the signer then produces the signature of m by computing:
m^d' = m^(d + k(p-1)(q-1)) = m^d (m^((p-1)(q-1)))^k = m^d mod n.
The sixth series relates to key exchange schemes based on the Diffie-Hellman method.
The first public-key algorithm was described in "New directions in cryptography", published in IEEE Transactions on Information Theory, vol. IT-22, no. 6, and patented in the United States (US 4,200,770). This method is used by two participants (or devices) wishing to agree on secret information over a non-secret channel.
The parameters of the Diffie-Hellman protocol are as follows:
1. two public parameters agreed between the transmitting device (A) and the device (B): a prime number p of at least 512 bits and an integer g which is a primitive root modulo p. These two parameters can be shared by a group of users.
The protocol proceeds as follows:
In order to share secret information, the two devices carry out the following operations:
* device A generates a random number x and computes the quantity X = g^x mod p;
* device B generates a random number y and computes the quantity Y = g^y mod p;
* the two devices exchange the quantities X and Y;
* device A computes key = Y^x mod p;
* device B computes key' = X^y mod p.
At the end of the protocol the two devices therefore share knowledge of the quantity key' = key = g^(xy) mod p.
The two devices then exchange messages with each other over an encrypted channel, using the quantity "key" as the parameter of a symmetric encryption algorithm and keeping the quantity "key" secret.
Having described the different application series of the invention, its major advantages will now be pointed out.
The economic constraints of the smart card market require continual research into reducing production costs. This effort is often carried out by using the simplest products possible. This state of affairs has led to a solution of steadily increasing importance, which makes it possible to implement public-key algorithms on cheap 8-bit microcontrollers, for example microcontrollers built around an 80C51 or 68HC05 core.
In the field of digital signatures or encryption, the major advantage of the invention over earlier proposals is that, although there is no random-number generator on the signature or encryption circuit, the circuit retains the ability to compute signatures or perform encryption operations.
For the sake of clarity, it is necessary to specify that the generation of the various system keys and parameters proposed is consistent with existing practice. Reference will therefore be made to existing works and patents so that the various elements required by the signature, authentication and encryption algorithms to which the invention applies are generated as well as possible. A practical reference work is "Applied Cryptography: Algorithms, Protocols and Source Code" by Bruce Schneier, published by Thomson (translated by Marc Vauclair).
The invention relates to a cryptographic system which normally requires the drawing of a random number k, this number being an integer; the system is characterised in that it is implemented by replacing said random number k with the quantity h(m|secret), where h is a hash function, m is the message intervening in said system and "secret" is a secret unknown to the world outside the cryptographic system.
More precisely, the cryptographic system of the invention comprises at least one of the following:
- a public-key signature system;
- a public-key encryption system;
- a random padding system;
- a blinding factor generation system;
- a key exchange protocol.
Where the cryptographic system comprises a public-key signature system of the DSA, Schnorr, ElGamal, GOST 34.10 or IEEE ECDSA (elliptic curve) type, the random number (k), renewed by the signer at each signature, is replaced by the quantity h(m|x), where x is the private key of the signer.
Where the cryptographic system comprises a public-key signature system of the Fiat-Shamir or Guillou-Quisquater type, the random number renewed by the signer at each signature is replaced by the quantity h(m|B), where B is the private key of the signer and m is the message to be signed.
Where the cryptographic system comprises a public-key encryption system of the ElGamal type, the random number (k), renewed by the encipherer for each message sent, is replaced by the quantity h(m).
Where the cryptographic system comprises a public-key encryption system of the McEliece type, the random error vector e, renewed by the encipherer at each encryption, is derived from the quantity h(m).
Where the cryptographic system comprises a random padding system appearing in a public-key encryption system, the encipherer holds a key σ unknown to the decipherer and pads the message according to the following steps:
a. generate as many values k_i = h(m|σ|i) as necessary so that the length of the concatenation of the k_i is at least 1/6 of the size of the modulus n (for example in the case of RSA encryption), or generate k = h(m|σ) and expand it;
b. form m_r, where m_r = SIZE(m)|m|(k_i);
c. encrypt m_r instead of m.
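The padding steps a to c, together with the exponent blinding d' = d + k(p-1)(q-1) of the fifth series, as an added worked example in Python. This is editor-written illustration code, not code from the patent or from any implementation of it. It assumes SHA-256 as the hash coding function h, a one-byte SIZE(m) field, a four-byte counter i, and a toy RSA key built from two Mersenne primes (far smaller than the 256-bit primes the text requires) so that it runs without a prime generator; the blinded signature uses k = h(m|σ) in place of a random k, as the invention provides for blinding factors.

```python
import hashlib

# Toy RSA key from two Mersenne primes (constructed example; sizes are far
# below the 256-bit primes the text requires and are for illustration only).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # gcd(E, PHI) == 1 for these primes
D = pow(E, -1, PHI)            # decryption exponent: ed = 1 mod (p-1)(q-1)


def h(*parts: bytes) -> bytes:
    """Hash coding function h, assumed here to be SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def pad_length_bytes(n: int) -> int:
    """Padding must be at least 1/6 of the modulus size (rounded up to whole bytes)."""
    return -(-n.bit_length() // 48)     # ceil(bits / 6 / 8)


def deterministic_padding(m: bytes, sigma: bytes, n: int) -> bytes:
    """Step a: k_i = h(m | sigma | i) for i = 0, 1, ... until the concatenation is long enough."""
    need = pad_length_bytes(n)
    out = b""
    i = 0
    while len(out) < need:
        out += h(m, sigma, i.to_bytes(4, "big"))   # 4-byte counter is an assumption
        i += 1
    return out[:need]


def encrypt_padded(m: bytes, sigma: bytes) -> int:
    """Steps b and c: form m_r = SIZE(m) | m | (k_i) and encrypt m_r instead of m."""
    if not 0 < len(m) < 256:
        raise ValueError("message length must fit the one-byte SIZE field")
    m_r = bytes([len(m)]) + m + deterministic_padding(m, sigma, N)
    x = int.from_bytes(m_r, "big")
    if x >= N:
        raise ValueError("padded message does not fit below the modulus")
    return pow(x, E, N)


def decrypt_padded(c: int) -> bytes:
    """The recipient computes c^d mod n and strips the padding using the SIZE field."""
    x = pow(c, D, N)
    m_r = x.to_bytes((x.bit_length() + 7) // 8, "big")   # SIZE byte is non-zero, so nothing is lost
    size = m_r[0]
    return m_r[1:1 + size]


def sign_blinded(m: int, sigma: bytes) -> int:
    """Exponent blinding against timing analysis: d' = d + k(p-1)(q-1), with
    k = h(m | sigma) replacing the random k. m^d' = m^d mod n since m^((p-1)(q-1)) = 1 mod n."""
    k = int.from_bytes(h(m.to_bytes(32, "big"), sigma), "big")
    d_prime = D + k * PHI
    return pow(m, d_prime, N)


if __name__ == "__main__":
    sigma = b"constructed encipherer secret"
    c = encrypt_padded(b"hello smart card", sigma)
    print("round trip:", decrypt_padded(c) == b"hello smart card")
    print("deterministic:", c == encrypt_padded(b"hello smart card", sigma))
    print("blinded == plain:", sign_blinded(42, sigma) == pow(42, D, N))
```

Because the padding is a function of m and σ, encrypting the same message twice gives the same ciphertext; whether that is acceptable depends on the application, which is why the text leaves the exact padding method to the applicable standard. The blinded exponent d' is several hundred bits longer than d, so the exponentiation time no longer depends on d alone.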
Cryptographic system be included in that blank signature produces or the context of camouflage operation at random in produce under the situation of system of the fuzzy factor, consumption h (m| σ) substitutes the random number of being upgraded when the each fuzzy or camouflage operation by the sender (k).
Comprise in cryptographic system under the situation of Diffie-Hellman type IKE that wish to send the equipment use amount h (m| σ) rather than the random secret item of message m, wherein σ is a secret data item.
In the same cryptographic system, said protocol comprises at least the following steps:
A. the first device, wishing to send a message m, computes b_1 = g^(h(m|σ)) mod p;
B. the second device (the recipient) generates a random number a and computes b_2 = g^a mod p;
C. the two devices exchange b_1 and b_2 and compute the key key = g^(a·h(m|σ)) mod p;
D. the first device encrypts c = f(m, key), where f is a symmetric encryption mechanism;
E. the first device sends c to the second device, which decrypts it and recovers m.
Preferably, the communicating devices are smart cards, PCMCIA cards, badges, contactless cards or any other portable device.
Preferably, communication between the devices implementing the invention is carried out by exchanging electronic signals, radio waves or infrared signals.
The invention is now described in more detail, using once more the notation of the series of applications set out above.
As stated above, the idea is to generate the random number by a hash operation h. For the first two series of applications of the invention, h takes as parameters a secret data item (the signer's private key) and a public data item, namely the message to be signed.
For the third series, h takes as parameter only the message to be signed.
Finally, for the other series, h takes as parameters a public data item and a secret data item (denoted σ hereafter).
More precisely:
- for the first series, relating to the El Gamal-type signature schemes described above, the random number k is generated as follows: k = h(m|x), where m is the hash of the message M to be signed and x is the signer's private key. The remaining steps of generating the signature (r, s) are carried out in the same way as in the original method. Likewise, verification of the signature produced is unchanged.
- for the second series, relating to the signature schemes described above that are derived from zero-knowledge protocols, k is generated as follows: k = h(m|B), where m is the hash of the message M to be signed and B is the signer's private key. The remaining steps of generating the signature (d, D) are carried out in the same way as in the original method. Likewise, verification of the signature produced is unchanged.
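As an added worked example (not code from the patent), the first series applied to an ECDSA signature over the secp256k1 curve, with k = h(m|x) derived by SHA-256 from the message and the private key as the patent describes. The curve constants are the standard public secp256k1 parameters, chosen here as an assumption because the patent only names "IEEE ECDSA elliptic-curve type" signatures; the private key and messages are constructed for the demonstration. The last function shows the failure mode the patent guards against: two signatures that share a nonce on different messages reveal the private key by modular arithmetic alone. The raw h(m|x) used here is the patent's rule; the construction later standardised in RFC 6979 derives k with an HMAC-based DRBG keyed by x and the message hash, but the property demonstrated (the same message always gives the same k, distinct messages give distinct k) is the same.

```python
import hashlib

# Standard secp256k1 domain parameters (public constants; an assumption of this
# example, the patent does not specify a curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demonstration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def h(*parts):
    """The patent's hash h, instantiated with SHA-256 over the concatenation, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def derive_k(m, x):
    """k = h(m|x) reduced mod N; a counter is appended only in the negligible k == 0 case."""
    k = h(m, x.to_bytes(32, "big")) % N
    ctr = 1
    while k == 0:
        k = h(m, x.to_bytes(32, "big"), bytes([ctr])) % N
        ctr += 1
    return k


def sign(m, x, k=None):
    """ECDSA signature (r, s) of m under private key x; k is derived unless forced for the demo."""
    z = h(m) % N
    if k is None:
        k = derive_k(m, x)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * x) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; re-derive k")
    return (r, s)


def verify(m, pub, sig):
    """Standard ECDSA verification; the verifier never sees or needs how k was chosen."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = h(m) % N
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_x_from_reused_k(m1, sig1, m2, sig2):
    """The attack the patent defends against: two signatures with equal k (equal r) leak x."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("nonces differ; nothing to recover")
    z1, z2 = h(m1) % N, h(m2) % N
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N


# Constructed demonstration key; never derive a real key this way.
DEMO_X = h(b"constructed demo private key") % N
DEMO_PUB = _mul(DEMO_X, G)

if __name__ == "__main__":
    sig = sign(b"transfer 10", DEMO_X)
    print(verify(b"transfer 10", DEMO_PUB, sig), sign(b"transfer 10", DEMO_X) == sig)
    bad1 = sign(b"msg A", DEMO_X, k=0xC0FFEE)      # simulated broken RNG: k reused
    bad2 = sign(b"msg B", DEMO_X, k=0xC0FFEE)
    print(recover_x_from_reused_k(b"msg A", bad1, b"msg B", bad2) == DEMO_X)
```

Two signatures of the same message are byte-for-byte identical, which is harmless for ECDSA, while two different messages can only collide on k through a SHA-256 collision; the `recover_x_from_reused_k` path is what a faulty or repeated random draw would hand an attacker.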
- for the third series, relating to the encryption schemes described above that require a random number, two cases are considered:
1. The El Gamal encryption case:
- the random number k is generated as follows: k = h(m), where m is the message to be encrypted. The El Gamal algorithm is then carried out as described above. Decryption is likewise unchanged.
2. The McEliece encryption case:
- the error vector e is no longer obtained from a random number but is generated from h(m), where m is the message to be encrypted. Note that e must have Hamming weight exactly t. One way of obtaining from h(m) a vector of size n (the length of the code considered) and weight t is as follows:
- assume that the vectors of size n and weight t are ordered. The vector whose position in this ordering is h(m) (or a value derived from h(m), since this number may exceed the binomial coefficient C(n, t) depending on t, n and the hash function used) is chosen as the vector e.
The McEliece algorithm is then carried out as described above. Decryption is likewise unchanged.
Moreover, this method of generating e makes it possible to solve the problem of encrypting the same message twice. In ordinary McEliece it is inadvisable to encrypt the same message twice (and thus with two different error vectors), because part of the error vectors can then be guessed, after which recovering the plaintext message becomes easier.
With the generation of e according to the invention, the same message always has the same encryption.
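The ordering of weight-t vectors and selection by position described above, as an added example that is not part of the patent text: the weight-t binary vectors of length n are ranked lexicographically by their t support positions (the combinatorial number system), h(m) is reduced modulo C(n, t), and the vector at that rank is unranked into an explicit support. n, t and the messages are constructed toy values (a real McEliece instance uses n in the thousands); SHA-256 stands in for h. The same message yields the same e, which is what the patent relies on; the practitioner's caveat is that it also makes the encryption deterministic, so an observer can tell when two ciphertexts carry the same plaintext.

```python
import hashlib
from math import comb


def h(m):
    """The patent's hash h, instantiated with SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def unrank_combination(rank, n, t):
    """Return the t-subset of range(n) at lexicographic position `rank` (0 <= rank < C(n, t)).

    Walk the positions 0..n-1: position i is included when `rank` is smaller than
    C(n-i-1, t'-1), the number of subsets of the remaining positions that include i
    (t' = elements still to place); otherwise those subsets are skipped over.
    """
    if not 0 <= rank < comb(n, t):
        raise ValueError("rank out of range")
    support = []
    remaining = t
    for i in range(n):
        if remaining == 0:
            break
        block = comb(n - i - 1, remaining - 1)
        if rank < block:
            support.append(i)
            remaining -= 1
        else:
            rank -= block
    return support


def rank_combination(support, n):
    """Inverse of unrank_combination, used to check that the mapping is a bijection."""
    rank = 0
    t = len(support)
    prev = -1
    for j, pos in enumerate(support):
        for i in range(prev + 1, pos):
            rank += comb(n - i - 1, t - j - 1)
        prev = pos
    return rank


def error_vector(m, n, t):
    """Deterministic weight-t error vector e of length n derived from h(m), per the patent."""
    rank = h(m) % comb(n, t)   # h(m) may exceed C(n, t); the patent allows a value derived from it
    e = [0] * n
    for pos in unrank_combination(rank, n, t):
        e[pos] = 1
    return e


def weight(v):
    return sum(v)


if __name__ == "__main__":
    e1 = error_vector(b"hello", n=32, t=4)   # constructed toy parameters
    e2 = error_vector(b"hello", n=32, t=4)
    e3 = error_vector(b"world", n=32, t=4)
    print(weight(e1), e1 == e2, e1 == e3)
```

Reducing h(m) modulo C(n, t) slightly biases the choice of e towards low ranks when C(n, t) does not divide 2^256; for a real instance one would instead derive e from an output long enough that the bias is negligible, or rejection-sample.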
The invention is applied to the fourth series, relating to the cryptographic schemes that require random padding, in the following manner:
- it is well known that a prudent security measure is to pad the message with a random sequence. But if the sequence changes on repeated encryptions of the same message, attacks that reveal the message can reappear.
Using a deterministic method of generating the random number makes it possible to stop this type of phenomenon effectively. The message m is extended by as many values k_i = h(m, σ, i) as needed (the padding length must be at least 1/6 of the size of n, i.e. between 86 and 171 bits for the conventional modulus sizes of 512 to 1024 bits), where σ is a secret number of at least 128 bits. Since there is then no longer any relation between the messages, and repeated encryptions of the same message always carry the same padding, these attacks are no longer possible. The sender then encrypts the message m as follows:
1. generate as many values k_i = h(m|σ|i) as needed so that the length of the concatenation of the k_i is at least 1/6 of the size of n; a single k = h(m|σ) may preferably also be used, and expanded before being concatenated with the message;
2. form m_r, where m_r = size(m) | m | (k_i);
3. compute the ciphertext c = m_r^e mod n, so that the recipient decrypts c by computing m_r = c^d mod n.
Knowing the size of m, and hence which bits of m_r are significant, the recipient simply extracts m.
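The padding procedure of steps 1 to 3, as an added example (not the patent's code): the k_i = h(m|σ|i) are generated by counter-mode SHA-256 until the concatenation covers at least one sixth of the modulus size, m_r = size(m) | m | (k_i) is assembled, and the receiver side reverses it. The modulus size, the secret σ, the 2-byte length field and the message are constructed assumptions of this example; the RSA exponentiation itself (c = m_r^e mod n, m_r = c^d mod n) is unchanged by the patent and is left out so the block shows only what the patent adds. The checks a practitioner wants are included: the sender refuses messages for which size(m) | m | padding would not fit below n, and the receiver validates the length field before trusting it.

```python
import hashlib


def h(*parts):
    """The patent's hash h, instantiated with SHA-256 (raw digest bytes)."""
    return hashlib.sha256(b"".join(parts)).digest()


def padding_bits(modulus_bits):
    """Minimum padding length: at least 1/6 of the modulus size, rounded up to whole bits."""
    return -(-modulus_bits // 6)          # ceiling division


def deterministic_pad(m, sigma, modulus_bits):
    """Concatenate k_i = h(m|sigma|i), i = 0, 1, ..., until padding_bits() bits are available."""
    need_bytes = -(-padding_bits(modulus_bits) // 8)
    out = b""
    i = 0
    while len(out) < need_bytes:
        out += h(m, sigma, i.to_bytes(4, "big"))   # counter i as a fixed-width field
        i += 1
    return out[:need_bytes]


LEN_FIELD = 2   # size(m) encoded as a 2-byte big-endian length (an assumption of this example)


def pack(m, sigma, modulus_bits):
    """Form m_r = size(m) | m | (k_i); refuse messages that cannot fit below the modulus."""
    if len(m) >= 1 << (8 * LEN_FIELD):
        raise ValueError("message too long for the length field")
    m_r = len(m).to_bytes(LEN_FIELD, "big") + m + deterministic_pad(m, sigma, modulus_bits)
    # The integer value of m_r must be < n; keeping it strictly shorter than n guarantees that.
    if len(m_r) * 8 >= modulus_bits:
        raise ValueError("size(m) | m | padding does not fit under the modulus")
    return m_r


def unpack(m_r):
    """Receiver side: read size(m), extract exactly that many bytes, discard the padding."""
    if len(m_r) < LEN_FIELD:
        raise ValueError("truncated block")
    size = int.from_bytes(m_r[:LEN_FIELD], "big")
    if LEN_FIELD + size > len(m_r):
        raise ValueError("length field exceeds block")
    return m_r[LEN_FIELD:LEN_FIELD + size]


if __name__ == "__main__":
    sigma = b"constructed 128-bit secret sigma"   # held by the encryptor only; the decryptor never needs it
    block = pack(b"PIN=1234", sigma, 1024)
    print(len(block), unpack(block), pack(b"PIN=1234", sigma, 1024) == block)
```

With a 1024-bit modulus `padding_bits` gives 171 bits, the figure the text quotes, which is carried in 22 bytes. The same (m, σ) always produces the same block, so encrypting a message twice yields the same ciphertext; changing either m or σ changes every padding byte.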
For the fifth series, relating to blinding factors and blind signatures, three cases are considered:
1. The blind-signature case:
- k is generated as follows: k = h(m|σ), where m is the message to be signed and σ is a secret data item. The remaining steps of blind-signature generation are carried out in the same way as in the original method. Likewise, extraction of the signature of m is unchanged;
2. The random masking case:
- k is generated as follows: k = h(a|b|σ), where a and b are the operands to be multiplied and σ is a secret data item. The remaining steps of the random masking operation are carried out in the same way as in the original method. Likewise, the modular reduction of c' by the recipient is unchanged;
3. The case of mechanisms protecting against attacks based on measuring processing time:
- in the case of an RSA signature, for example, the random factor k used to form the masked exponent d' = d + k(p-1)(q-1) is generated as follows: k = h(m|σ), where m is the message to be signed and σ is a secret data item. The remaining steps of the operation with the masked exponent are carried out in the same way as in the original method.
The invention is applied to the sixth series, relating to the key-exchange schemes based on the Diffie-Hellman method described above, in the following manner.
In a Diffie-Hellman-type key-exchange system, the device wishing to send a message m does not use a random number but the quantity h(m|σ), where σ is a fixed secret data item. This method clearly extends naturally to all the participants in the protocol. The protocol comprises at least the following steps:
* the first device, wishing to send a message m, computes X = g^(h(m|σ)) mod p;
* the second device (the recipient) generates a random number y and computes Y = g^y mod p;
* the two devices exchange X and Y and compute the key key = g^(y·h(m|σ)) mod p;
* the first device encrypts c = f(m, key), where f is a symmetric encryption mechanism;
* the first device sends c to the second device, which decrypts it and recovers m.
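The five-step exchange above with both sides' messages, as an added example that is not part of the patent. The group (p = 2^127 - 1, g = 3), the symmetric mechanism f (XOR with a SHA-256 keystream, no integrity protection) and the secret σ are constructed for the demonstration and are not fit for real use; the protocol logic follows the text: the sender's exponent is h(m|σ), the recipient still draws a random y, and the key is g^(y·h(m|σ)) mod p on both sides.

```python
import hashlib
import secrets

# Toy group: p = 2^127 - 1 is the Mersenne prime M127, g = 3. Constructed for the
# demonstration only; far too small for real use and the order of g is not checked.
P = (1 << 127) - 1
G = 3


def h_int(*parts):
    """The patent's hash h over a concatenation, as an integer (SHA-256)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def f(key, data):
    """Symmetric mechanism f(m, key): XOR with a SHA-256 counter keystream. Toy: no integrity."""
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sender_exponent(m, sigma):
    """The patent's rule: the sender's secret exponent is h(m|sigma), not a fresh random draw."""
    return h_int(m, sigma) % (P - 1) or 1      # exponent 0 would give X = 1; negligible case


def sender_step1(m, sigma):
    """Step 1: X = g^(h(m|sigma)) mod p; the exponent is kept for step 3."""
    x = sender_exponent(m, sigma)
    return x, pow(G, x, P)


def recipient_step(X):
    """Step 2 and 3 on the recipient: random y, Y = g^y mod p, key = X^y = g^(y h(m|sigma)) mod p."""
    y = secrets.randbelow(P - 2) + 1
    return pow(G, y, P), pow(X, y, P)


def sender_step2(m, x, Y):
    """Step 3 and 4 on the sender: key = Y^x mod p, then c = f(m, key)."""
    key = pow(Y, x, P)
    return f(key.to_bytes(16, "big"), m)


def recipient_decrypt(c, key):
    """Step 5: the recipient applies f with the shared key to recover m."""
    return f(key.to_bytes(16, "big"), c)


def run_exchange(m, sigma):
    """Whole protocol; returns (X, c, recovered m) so a caller can check determinism and correctness."""
    x, X = sender_step1(m, sigma)
    Y, key_recipient = recipient_step(X)
    c = sender_step2(m, x, Y)
    return X, c, recipient_decrypt(c, key_recipient)


if __name__ == "__main__":
    sigma = b"constructed fixed secret sigma"
    X1, c1, m1 = run_exchange(b"attack at dawn", sigma)
    X2, c2, m2 = run_exchange(b"attack at dawn", sigma)
    print(m1 == m2 == b"attack at dawn", X1 == X2, c1 == c2)
```

Because X depends only on (m, σ), the sender contributes the same public value every time it sends the same message, which a network observer can notice; the session key and the ciphertext still vary from run to run through the recipient's random y.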
The invention will be better understood with the aid of Figs. 1 to 4.
Fig. 1 is a block diagram of a signature or decryption device implementing the system proposed by the invention.
Fig. 2 is a block diagram of a verification or encryption device implementing the system proposed by the invention.
Fig. 3 shows the data exchanged between the signature device and the verification device.
Fig. 4 shows the data exchanged between the encryption device and the decryption device.
According to the proposed invention, each signature/decryption device (typically a smart card) consists of a processing unit (CPU), a communication interface, random-access memory (RAM) and/or read-only memory (ROM) and/or writable (usually rewritable) memory (EPROM or EEPROM).
The CPU and/or ROM of the signature/decryption device contain the programs or computing resources corresponding to the steps of the signature/decryption algorithm (the rules of computation and the hash, multiplication, squaring, addition, modular inversion and modular reduction functions). Some of these operations may of course be combined: for example, the modular reduction can be incorporated directly into the multiplication.
The RAM contains the message M to which the hash function, or the rules for generating a signature or a ciphertext, are applied. According to the provisions described below, the E(E)PROM contains at least the parameters m, x and k that are generated and used.
The CPU controls the communication interface and the read/write operations of the memories via the address and data buses.
Each signature device is protected from the outside environment by physical protection devices. These protective devices must be sufficient to prevent any unauthorised entity from obtaining the private key. The techniques most used at present in this respect are the integration of the chip into a security module and equipping the chip with devices capable of detecting variations in temperature or light, as well as abnormal voltages and clock frequencies. Particular design techniques, such as scrambling of memory accesses, are also used.
According to the proposed invention, the verification device consists at least of a processing unit (CPU) and memory resources.
The CPU controls the communication interface and the read/write operations of the memories via the address and data buses.
The CPU and/or ROM of the verification device contain the programs or computing resources making it possible to implement the signature or encryption protocol (the rules of computation and the hash, multiplication, exponentiation and modular reduction functions). Some of these operations may of course be combined (for example, the modular reduction can be incorporated directly into the multiplication).
Claims (12)
1. A cryptographic system that normally requires the drawing of a random number k (the random number being an integer), characterised in that the system is implemented by replacing said random number k with the quantity h(m|secret), where h is a hash function, m is a message appearing in said system and "secret" is a secret unknown to the world outside the cryptographic system.
2. The cryptographic system according to claim 1, characterised in that it comprises at least:
- a public-key signature system;
- a public-key encryption system;
- a random padding system;
- a blinding-factor generation system;
- a key-exchange protocol.
3. The cryptographic system according to claim 2, comprising a public-key signature system of the DSA, Schnorr, El Gamal, GOST 34.10 or IEEE ECDSA elliptic-curve type, characterised in that the quantity h(m|x) replaces the random number (k) renewed by the signer at each signature, where x is the signer's private key.
4. The cryptographic system according to claim 2, comprising a public-key signature system of the Fiat-Shamir or Guillou-Quisquater type, characterised in that the quantity h(m|B) replaces the random number renewed by the signer at each signature, where B is the signer's private key and m is the message to be signed.
5. The cryptographic system according to claim 2, comprising a public-key encryption system of the El Gamal type, characterised in that the quantity h(m) replaces the random number (k) renewed by the encryptor for each message sent.
6. The cryptographic system according to claim 2, comprising a public-key encryption system of the McEliece type, characterised in that the random error vector e renewed by the encryptor at each encryption is derived from the quantity h(m).
7. The cryptographic system according to claim 2, comprising a random padding system appearing in a public-key encryption system, characterised in that the encryptor holds a key σ unknown to the decryptor and pads the message according to the following steps:
A. generate as many values k_i = h(m|σ|i) as needed so that the length of the concatenation of the k_i is at least 1/6 of the size of the modulus n (for example in the case of RSA encryption), or generate k = h(m|σ) and expand it;
B. form m_r, where m_r = size(m) | m | (k_i);
C. encrypt m_r instead of m.
8. The cryptographic system according to claim 2, comprising a system generating a blinding factor in the context of blind-signature generation or of a random masking operation, characterised in that the quantity h(m|σ) replaces the random number (k) renewed by the sender at each blinding or masking operation.
9. The cryptographic system according to claim 2, comprising a key-exchange protocol of the Diffie-Hellman type, characterised in that the device wishing to send a message m uses the quantity h(m|σ) instead of a random secret item, where σ is a secret data item.
10. The cryptographic system according to claim 9, characterised in that said protocol comprises at least the following steps:
A. the first device, wishing to send a message m, computes b_1 = g^(h(m|σ)) mod p;
B. the second device (the recipient) generates a random number a and computes b_2 = g^a mod p;
C. the two devices exchange b_1 and b_2 and compute the key key = g^(a·h(m|σ)) mod p;
D. the first device encrypts c = f(m, key), where f is a symmetric encryption mechanism;
- the first device sends c to the second device, which decrypts it and recovers m.
11. The cryptographic system according to any one of claims 1 to 10, characterised in that the devices are smart cards, PCMCIA cards, badges, contactless cards or any other portable communication device.
12. The cryptographic system according to any one of claims 1 to 11, characterised in that communication between said devices is carried out by exchanging electronic signals, radio waves or infrared signals.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR97/06198 | 1997-05-07 | ||
FR9706198A FR2763194B1 (en) | 1997-05-07 | 1997-05-07 | PSEUDO-RANDOM GENERATOR BASED ON A CHOPPING FUNCTION FOR CRYPTOGRAPHIC SYSTEMS REQUIRING THE PULLING OF ALEAS |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1262830A true CN1262830A (en) | 2000-08-09 |
Family
ID=9507074
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 98806980 Pending CN1262830A (en) | 1997-05-07 | 1998-05-05 | Pseudo-random generator based on hash coding function for cryptographic systems requiring random drawing |
Country Status (7)
Country | Link |
---|---|
EP (1) | EP0980607A1 (en) |
JP (1) | JP2001507479A (en) |
CN (1) | CN1262830A (en) |
AU (1) | AU7659598A (en) |
CA (1) | CA2288767A1 (en) |
FR (1) | FR2763194B1 (en) |
WO (1) | WO1998051038A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2788909B1 (en) * | 1999-01-27 | 2004-02-20 | France Telecom | AUTHENTICATION OR SIGNATURE PROCESS WITH REDUCED NUMBER OF CALCULATIONS |
FR2814577B1 (en) * | 2000-09-22 | 2003-09-12 | Laurent Francois Ernest Pele | MEMORY CARD READER HOUSING CONNECTABLE TO ANOTHER APPROVED HOUSING TO ENABLE DIALOGUE BETWEEN 2 CHIP CARDS |
JP4550438B2 (en) * | 2004-01-21 | 2010-09-22 | 三菱電機株式会社 | Authentication device, authentication system, authentication method, and authentication integrated circuit |
FR2917197B1 (en) * | 2007-06-07 | 2009-11-06 | Thales Sa | METHOD OF MASKING THE RESULT OF A MODULAR MULTIPLICATION OPERATION AND ASSOCIATED DEVICE |
US9621525B2 (en) * | 2014-06-02 | 2017-04-11 | Qualcomm Incorporated | Semi-deterministic digital signature generation |
US11120167B2 (en) * | 2019-03-25 | 2021-09-14 | Micron Technology, Inc. | Block chain based validation of memory commands |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5299262A (en) * | 1992-08-13 | 1994-03-29 | The United States Of America As Represented By The United States Department Of Energy | Method for exponentiating in cryptographic systems |
US5432852A (en) * | 1993-09-29 | 1995-07-11 | Leighton; Frank T. | Large provably fast and secure digital signature schemes based on secure hash functions |
1997
- 1997-05-07 FR FR9706198A patent/FR2763194B1/en not_active Expired - Fee Related
1998
- 1998-05-05 CA CA002288767A patent/CA2288767A1/en not_active Abandoned
- 1998-05-05 AU AU76595/98A patent/AU7659598A/en not_active Abandoned
- 1998-05-05 EP EP98924379A patent/EP0980607A1/en not_active Withdrawn
- 1998-05-05 WO PCT/FR1998/000901 patent/WO1998051038A1/en not_active Application Discontinuation
- 1998-05-05 JP JP54778798A patent/JP2001507479A/en not_active Abandoned
- 1998-05-05 CN CN 98806980 patent/CN1262830A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
FR2763194A1 (en) | 1998-11-13 |
AU7659598A (en) | 1998-11-27 |
JP2001507479A (en) | 2001-06-05 |
CA2288767A1 (en) | 1998-11-12 |
EP0980607A1 (en) | 2000-02-23 |
WO1998051038A1 (en) | 1998-11-12 |
FR2763194B1 (en) | 2000-07-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
REG | Reference to a national code |
Ref country code: HK Ref legal event code: WD Ref document number: 1029879 Country of ref document: HK |