EP1277307A1 - Cryptography method on elliptic curves - Google Patents
- Publication number
- EP1277307A1 (application number EP01927999A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- point
- curve
- algorithm
- hazard
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/724—Finite field arithmetic
- G06F7/725—Finite field arithmetic over elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
Abstract
The invention concerns a cryptography method for generating probabilistic digital signatures and/or for a key-exchange protocol and/or for an encryption algorithm, said method being based on the use of a public-key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x, y) is selected, pairs $(k_i, P_i)$ being stored with $P_i$ the point corresponding to the scalar multiplication of the point P by $k_i$, said method comprising steps which consist in generating a random variable (k) and in calculating a point C corresponding to the scalar multiplication of P by k ($C = k \cdot P$). The invention is characterised in that the generation of said random variable (k) and the calculation of the point C are performed simultaneously.
Description
ELLIPTIC CURVE CRYPTOGRAPHY METHOD
The present invention relates to a cryptographic method on an elliptic curve. Such a method is based on the use of a public-key algorithm and can be applied to the generation of probabilistic digital signatures of a message and/or to a key exchange protocol and/or to an algorithm for encrypting a message.
An algorithm for generating and verifying digital signatures consists in computing one or more integers, generally a pair, called the signature and associated with a given message, in order to certify the identity of the signatory and the integrity of the signed message. The signature is said to be probabilistic when the algorithm uses a random value in generating the signature, this random value being secret and regenerated for each new signature. Thus, the same message transmitted by the same user can have several distinct signatures.
Key exchange protocol and encryption algorithms also use a random value k that is secret and regenerated at each new application of the algorithm.
Public-key cryptography algorithms on elliptic curves are increasingly used. Such an algorithm is based on the use of points P(x, y) of a curve E satisfying the relation $y^2 + xy = x^3 + ax^2 + b$, with a and b two elements of a finite field.
Addition or subtraction operations are performed on the points P of the curve E. The operation of adding the same point P k times is called the scalar multiplication of P by k, and corresponds to a point C of the elliptic curve defined by $C(x', y') = k \cdot P(x, y)$.
An example of such an algorithm is ECDSA (Elliptic Curve Digital Standard Algorithm), which is an algorithm for generating and verifying probabilistic digital signatures. The parameters of ECDSA are:
- E, an elliptic curve defined over the set $\mathbb{Z}_p$, the number of points of the curve E being divisible by a large prime N, in general $N > 2^{160}$,
- P(x, y), a given point of the elliptic curve E.
The secret key d is a number randomly fixed between 0 and N-1, and the public key Q is linked to d by the scalar multiplication relation $Q(x_1, y_1) = d \cdot P(x, y)$.
Let m be the message to send. The ECDSA signature of m is the pair of integers (r, s) lying in the interval [1, N-1] and defined as follows: let k be a random number chosen in the interval [1, N-1], k being a random value regenerated at each signature;
- computation of the point C obtained by the scalar multiplication $C(x', y') = k \cdot P(x, y)$;
- $r = x' \bmod N$;
- $s = k^{-1}(h(m) + d \cdot r) \bmod N$; with h(m) the result of applying a hash function h, which is a pseudo-random cryptographic function, to the initial message m.
The signature is verified, using the public parameters (E, P, N, Q), as follows:
Intermediate calculations are performed:
- $w = s^{-1} \bmod N$;
- $u_2 = r \cdot w \bmod N$;
An addition and scalar multiplication operation is carried out by computing the point of the curve E corresponding to $u_1 P + u_2 Q = (x_0, y_0)$;
We check whether $v = x_0 \bmod N \equiv r$.
If this equality holds, the signature is authentic.
The signature (r, s) was generated with the secret key d and a random number k that is secret and different for each signature, and it is verified with the parameters of the public key. Thus, anyone can authenticate a card and its holder without holding its secret key. The cost of executing such a signature algorithm on an elliptic curve is directly linked to the complexity and speed of the scalar multiplication operation that defines the point $C = k \cdot P$.
Improvements to the elliptic curve cryptography method have been developed to facilitate and accelerate this scalar multiplication operation. In particular, the article by J.A. Solinas, "An Improved Algorithm for Arithmetic on a Family of Elliptic Curves", published in Proceedings of Crypto'97, Springer Verlag, describes a possible improvement.
In order to accelerate the computation of a scalar multiplication within an algorithm on an elliptic curve E, it has thus been envisaged to work on a particular family of elliptic curves, called anomalous binary elliptic curves or Koblitz curves, on which a particular operator is available, called the Frobenius operator, which allows scalar multiplication operations to be computed more quickly.
Koblitz curves are defined over the mathematical set $GF(2^n)$ by the relation $y^2 + xy = x^3 + ax^2 + 1$ with $a \in \{0, 1\}$.
The Frobenius operator τ is defined as $\tau[P(x, y)] = (x^2, y^2)$, with the relation $\tau^2 + 2 = (-1)^{1-a}\tau$.
Applying the operator τ to a given point P of the curve E is a fast operation because one works in the mathematical set $GF(2^n)$, n being the size of the finite field, for example n = 163.
In order to facilitate the computation of the scalar multiplication $C(x_1, y_1) = k \cdot P(x, y)$, the integer k is decomposed so as to reduce it to addition and subtraction operations. The non-adjacent form (NAF) of the integer k is thus defined, which consists in writing an integer k as a sum: $k = \sum_{i=0}^{l-1} e_i 2^i$ with $e_i \in \{-1, 0, 1\}$ and $l \le n$. In the case of a Koblitz elliptic curve, the NAF can be expressed using the Frobenius operator: $k = \sum_{i=0}^{l} e_i \tau^i$.
Thus, the scalar multiplication of P by k amounts to applying the Frobenius operator to the point P, which is easy and fast.
In addition, the computation of the scalar multiplication $k \cdot P$ can be further accelerated by precomputing and storing a few pairs $(k_i, P_i = k_i \cdot P)$, these pairs advantageously being stored in the memory of the device implementing the signature algorithm. Recall that P is part of the public parameters of the key of the signature algorithm. For a 163-bit random value k, it is thus possible, by storing 42 scalar multiplication pairs $(k_i, P_i)$, to reduce the number of addition/subtraction operations to 19 instead of 52 without any precomputation.
The subject of the present invention is an elliptic curve cryptography method that makes it possible to further reduce the number of additions in the scalar multiplication. The invention relates more particularly to a cryptography method for the generation of probabilistic digital signatures and/or for a key exchange protocol and/or for an encryption algorithm, said method being based on the use of a public-key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x, y) is selected, pairs $(k_i, P_i)$ being stored with $P_i$ the point corresponding to the scalar multiplication of the point P by $k_i$, said method comprising steps consisting in generating a random value k and computing a point C corresponding to the scalar multiplication of P by k ($C = k \cdot P$), characterized in that the generation of said random value k and the computation of the point C are carried out simultaneously. According to one application, the cryptographic algorithm for generating a probabilistic digital signature is ECDSA (Elliptic Curve Digital Standard Algorithm).
According to another application, the cryptographic key exchange protocol algorithm is ECDH (Elliptic Curve Diffie-Hellman).
According to one characteristic, the method is based on the use of a Koblitz curve defined over the mathematical set $GF(2^n)$ on which a so-called Frobenius operator $\tau[P(x, y)] = (x^2, y^2)$ is available, the method being characterized in that it comprises the following steps:
- initialize the random value k = 0 and the point C = 0,
- carry out a loop for j going from 1 to $n_{iter}$, said loop consisting in:
  - generating the following random values at each new iteration:
    - a, between 0 and n, with n the size of the finite field over which the curve is defined,
    - $u \in \{-1, 1\}$,
    - i, between 0 and t, with t the number of stored pairs $(k_i, P_i)$,
  - computing the point $C_j = C_{j-1} + u \cdot \tau^a \cdot P_i$,
  - generating the random value $k_j = k_{j-1} + u \cdot k_i \cdot \tau^a$,
- convert k into an integer at the end of the loop,
- present simultaneously the random value k and the point $C = k \cdot P$.
According to one characteristic, the number t of stored pairs $(k_i, P_i)$ is between 35 and 45.
According to another characteristic, the number of iterations of the loop ($n_{iter}$) is fixed between 10 and 12. According to another characteristic, the size n of the mathematical field over which the Koblitz curve is defined is equal to 163.
The invention also relates to a secure device, of the smart card type, or a computing device, of the computer type provided with encryption software, comprising an electronic component capable of implementing the signature method according to the invention. The method according to the invention has the advantage of reducing the computation time of the scalar product of P by k, which constitutes an essential step in the implementation of an elliptic curve cryptography method, on the one hand by generating the random value k simultaneously with the computation of the scalar product $k \cdot P$, and on the other hand by reducing the number of addition operations through the precomputation of pairs $k_i$,
The features and advantages of the invention will appear more clearly on reading the following description, made with reference to the ECDSA algorithm and given by way of illustrative and non-limiting example. The method according to the invention can indeed also be applied to a key exchange protocol or to an encryption algorithm, for example.
Let E be a Koblitz elliptic curve defined over the set $GF(2^n)$ with n = 163, the size of the mathematical field in which one works, and let P(x, y) be a given point of this curve. The Frobenius operator $\tau[P(x, y)] = (x^2, y^2)$ is then available and constitutes a fast operation given the field $GF(2^n)$ in which one works.
First, a certain number of pairs $(k_i, P_i = k_i \cdot P)$ are computed and stored in the component implementing the signature method (a smart card microcontroller, for example). The number of pairs is fixed at t between 35 and 45, which constitutes a compromise between the memory space occupied and the desired acceleration of the signature generation computation.
The method according to the present invention consists in accelerating the generation of a probabilistic signature by using precomputed and stored pairs $(k_i, P_i)$ and by generating the random value k at the same time as the point $C = k \cdot P$ is computed.
First, the values of C and k are initialized to 0. A loop on j of $n_{iter}$ iterations is then carried out, which performs the following operations:
- generation of the following random values at each new iteration of j:
  - r, between 0 and n,
  - $u \in \{-1, 1\}$,
  - i, between 0 and t,
- computation of $C_j = C_{j-1} + u \cdot \tau^r \cdot P_i$,
- computation of $k_j = k_{j-1} + u \cdot k_i \cdot \tau^r$.
At the output of the loop, one then obtains the random value k, which is converted into an integer, and the point C corresponding to the scalar multiplication of P by k.
The signature (r, s) is then generated according to the conventional ECDSA procedure, or that of another algorithm using Koblitz elliptic curves, with the values of k and C defined according to the method of the invention.
Generating k simultaneously with the calculation of the point C speeds up signature generation, in particular by reducing the number of additions needed to calculate the scalar multiplication of P by k. The number of additions for the calculation of the point C is in fact $n_{iter} - 1$.
Depending on the degree of security and the performance desired, $n_{iter}$ is fixed between 10 and 12 iterations.
Thus, with k an integer of 163 bits and by storing approximately 40 pairs $(k_i, P_i)$, the scalar multiplication $k \cdot P$ can be calculated with only 9 to 11 addition operations.
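The loop described above, run on a toy Koblitz curve and checked against ordinary double-and-add, as an added example that is not code from the patent. Assumptions: the field GF(2^11) with reduction polynomial x^11 + x^2 + 1 and curve coefficient a = 1 stand in for the 163-bit field, all function names are hypothetical, and the Frobenius eigenvalue `lam` (the integer with τ(P) = lam·P) is found by brute force and applied term by term rather than once at the end of the loop.

```python
import secrets
M, POLY, A = 11, (1 << 11) | 0b101, 1    # toy field GF(2^11) mod x^11+x^2+1; E: y^2+xy = x^3+x^2+1

def fmul(a, b):                           # multiply in GF(2^M)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= POLY if a >> M else 0
    return r

def finv(a):                              # a^(2^M - 2)
    r = 1
    for _ in range(M - 1):
        a = fmul(a, a)
        r = fmul(r, a)
    return r

def add(P, Q):                            # None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return None                       # Q == -P, since -(x, y) = (x, x + y)
    lam = x1 ^ fmul(y1, finv(x1)) if x1 == x2 else fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fmul(lam, lam) ^ lam ^ A ^ (0 if x1 == x2 else x1 ^ x2)
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def tau(P, a=1):                          # Frobenius a times: (x, y) -> (x^2, y^2)
    for _ in range(a if P else 0):
        P = (fmul(P[0], P[0]), fmul(P[1], P[1]))
    return P

def smul(k, P):                           # plain double-and-add, used as the reference
    R = None
    while k:
        R = add(R, P) if k & 1 else R
        P, k = add(P, P), k >> 1
    return R

def setup(t=40):                          # returns P, its order r, lam with tau(P) = lam*P, t pairs
    P = next(add((x, y), (x, y)) for x in range(1, 1 << M) for y in range(1 << M)
             if fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x ^ A) ^ 1)
    Q, r, lam = P, 1, None
    while Q is not None:                  # walk P, 2P, ... to find r and lam
        lam = r if Q == tau(P) else lam
        Q, r = add(Q, P), r + 1
    ks = [1 + secrets.randbelow(r - 1) for _ in range(t)]
    return P, r, lam, [(k, smul(k, P)) for k in ks]

def gen_k_and_C(pairs, r, lam, n_iter=11):
    k, C = 0, None
    for _ in range(n_iter):
        a, u = secrets.randbelow(M), secrets.choice((-1, 1))
        ki, Pi = secrets.choice(pairs)
        S = Pi if u == 1 else (Pi[0], Pi[0] ^ Pi[1])   # u * P_i
        C = add(C, tau(S, a))                          # C_j = C_{j-1} + u * tau^a(P_i)
        k += u * ki * pow(lam, a, r)                   # k_j = k_{j-1} + u * k_i * tau^a
    return k % r, C
```

Each iteration selects one of 2·n·t signed, Frobenius-shifted table entries, so k is drawn from at most (2·n·t)^n_iter combinations rather than uniformly from the full scalar range; this is the security side of the n_iter trade-off mentioned in the description.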
Claims
1. Cryptography method for generating probabilistic digital signatures and/or for a key exchange protocol and/or for an encryption algorithm, said method being based on the use of a public-key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x, y) is selected, pairs $(k_i, P_i)$ being stored, with $P_i$ the point corresponding to the scalar multiplication of the point P by $k_i$, said method comprising steps consisting in generating a random value (k) and in calculating a point C corresponding to the scalar multiplication of P by k ($C = k \cdot P$), characterized in that the generation of said random value (k) and the calculation of the point C are carried out simultaneously.
2. Method according to claim 1, characterized in that the cryptographic algorithm for generating a probabilistic digital signature is ECDSA (Elliptic Curve Digital Standard Algorithm).
3. Method according to claim 1, characterized in that the cryptographic algorithm for the key exchange protocol is ECDH (Elliptic Curve Diffie-Hellman).
4. Method according to any one of the preceding claims, the method being based on the use of a Koblitz curve (E) defined over the mathematical set $GF(2^n)$ on which a so-called Frobenius operator $\tau[P(x, y)] = (x^2, y^2)$ is available, characterized in that it comprises the following steps:
- initialize the random value k = 0 and the point C = 0;
- run a loop for j from 1 to $n_{iter}$, said loop consisting in:
  - generating the following random values at each new iteration of j:
    - a, between 0 and n, with n the size of the finite field over which the curve (E) is defined,
    - u ∈ {-1, 1},
    - i, between 0 and t, with t the number of stored pairs $(k_i, P_i)$;
  - calculating the point $C_j = C_{j-1} + u \cdot \tau^{a} \cdot P_i$;
  - generating the random value $k_j = k_{j-1} + u \cdot k_i \cdot \tau^{a}$;
- convert k to an integer at the end of the loop;
- present the random value k and the point $C = k \cdot P$ simultaneously.
5. Method according to claim 4, characterized in that the number (t) of stored pairs $(k_i, P_i)$ is between 35 and 45.
6. Method according to claim 4, characterized in that the number of iterations of the loop ($n_{iter}$) is fixed between 10 and 12.
7. Method according to claim 4, characterized in that the size n of the mathematical field over which the Koblitz curve (E) is defined is equal to 163.
8. Secure device, of the smart card type, characterized in that it comprises an electronic component capable of implementing the signature method according to claims 1 to 7.
9. Computing device, of the computer type provided with encryption software, characterized in that it comprises an electronic component capable of implementing the signature method according to claims 1 to 7.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0005006 | 2000-04-18 | ||
FR0005006A FR2807898B1 (en) | 2000-04-18 | 2000-04-18 | ELLIPTICAL CURVE CRYPTOGRAPHY PROCESS |
PCT/FR2001/001195 WO2001080481A1 (en) | 2000-04-18 | 2001-04-18 | Cryptography method on elliptic curves |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1277307A1 (en) | 2003-01-22 |
Family
ID=8849392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP01927999A Withdrawn EP1277307A1 (en) | 2000-04-18 | 2001-04-18 | Cryptography method on elliptic curves |
Country Status (8)
Country | Link |
---|---|
US (1) | US7218735B2 (en) |
EP (1) | EP1277307A1 (en) |
JP (1) | JP2004501385A (en) |
CN (1) | CN1425231A (en) |
AU (1) | AU2001254878A1 (en) |
FR (1) | FR2807898B1 (en) |
MX (1) | MXPA02010310A (en) |
WO (1) | WO2001080481A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546162A (en) * | 2010-12-29 | 2012-07-04 | 北京数字太和科技有限责任公司 | Data safety processing method |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7308096B2 (en) * | 2000-05-30 | 2007-12-11 | Hitachi, Ltd. | Elliptic scalar multiplication system |
CN102868528B (en) * | 2003-10-28 | 2015-09-09 | 塞尔蒂卡姆公司 | A kind of equipment of the generation verified of public-key cryptography and corresponding authentication center |
US9621539B2 (en) * | 2004-01-30 | 2017-04-11 | William H. Shawn | Method and apparatus for securing the privacy of a computer network |
EP1747638B1 (en) * | 2004-04-30 | 2016-08-31 | BlackBerry Limited | Systems and methods to securely generate shared keys |
US7483533B2 (en) * | 2004-08-05 | 2009-01-27 | King Fahd University Of Petroleum | Elliptic polynomial cryptography with multi x-coordinates embedding |
US7483534B2 (en) * | 2004-08-05 | 2009-01-27 | King Fahd University Of Petroleum | Elliptic polynomial cryptography with multi y-coordinates embedding |
US7607019B2 (en) * | 2005-02-03 | 2009-10-20 | Apple Inc. | Small memory footprint fast elliptic encryption |
ATE533103T1 (en) * | 2005-01-18 | 2011-11-15 | Certicom Corp | ACCELERATED VERIFICATION OF DIGITAL SIGNATURES AND PUBLIC KEYS |
CA2594670C (en) * | 2005-01-21 | 2014-12-23 | Certicom Corp. | Elliptic curve random number generation |
CA2542556C (en) * | 2005-06-03 | 2014-09-16 | Tata Consultancy Services Limited | An authentication system executing an elliptic curve digital signature cryptographic process |
US7587047B2 (en) * | 2005-06-22 | 2009-09-08 | Apple Inc. | Chaos generator for accumulation of stream entropy |
US8165286B2 (en) * | 2008-04-02 | 2012-04-24 | Apple Inc. | Combination white box/black box cryptographic processes and apparatus |
EP2151947A1 (en) * | 2008-08-05 | 2010-02-10 | Irdeto Access B.V. | Signcryption scheme based on elliptic curve cryptography |
CN101582170B (en) * | 2009-06-09 | 2011-08-31 | 上海大学 | Remote sensing image encryption method based on elliptic curve cryptosystem |
US10129026B2 (en) * | 2016-05-03 | 2018-11-13 | Certicom Corp. | Method and system for cheon resistant static diffie-hellman security |
US10361855B2 (en) * | 2016-05-27 | 2019-07-23 | Nxp B.V. | Computing a secure elliptic curve scalar multiplication using an unsecured and secure environment |
EP3573041A4 (en) * | 2017-01-18 | 2020-06-03 | Nippon Telegraph And Telephone Corporation | Secure computation method, secure computation system, secure computation device, and program |
EP3376705A1 (en) * | 2017-03-17 | 2018-09-19 | Koninklijke Philips N.V. | Elliptic curve point multiplication device and method in a white-box context |
KR102328896B1 (en) * | 2020-11-10 | 2021-11-22 | 주식회사 아톰릭스랩 | Crypto Key distribution and recovery method for 3rd party managed system |
KR102329580B1 (en) * | 2020-11-10 | 2021-11-23 | 주식회사 아톰릭스랩 | Crypto Key distribution and recovery method for multiple 3rd parties managed systems |
KR102536397B1 (en) * | 2022-10-26 | 2023-05-26 | 주식회사 시옷 | Signature verification method performed in a computing device and a computing device performing the same method |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5999626A (en) * | 1996-04-16 | 1999-12-07 | Certicom Corp. | Digital signatures on a smartcard |
US5854759A (en) * | 1997-05-05 | 1998-12-29 | Rsa Data Security, Inc. | Methods and apparatus for efficient finite field basis conversion |
US6304658B1 (en) * | 1998-01-02 | 2001-10-16 | Cryptography Research, Inc. | Leak-resistant cryptographic method and apparatus |
CA2257008C (en) * | 1998-12-24 | 2007-12-11 | Certicom Corp. | A method for accelerating cryptographic operations on elliptic curves |
US6611597B1 (en) * | 1999-01-25 | 2003-08-26 | Matsushita Electric Industrial Co., Ltd. | Method and device for constructing elliptic curves |
2000
- 2000-04-18 FR FR0005006A patent/FR2807898B1/en not_active Expired - Fee Related
2001
- 2001-04-18 CN CN01808226A patent/CN1425231A/en active Pending
- 2001-04-18 MX MXPA02010310A patent/MXPA02010310A/en unknown
- 2001-04-18 EP EP01927999A patent/EP1277307A1/en not_active Withdrawn
- 2001-04-18 US US10/257,129 patent/US7218735B2/en not_active Expired - Fee Related
- 2001-04-18 AU AU2001254878A patent/AU2001254878A1/en not_active Abandoned
- 2001-04-18 WO PCT/FR2001/001195 patent/WO2001080481A1/en not_active Application Discontinuation
- 2001-04-18 JP JP2001576610A patent/JP2004501385A/en active Pending
Non-Patent Citations (1)
Title |
---|
See references of WO0180481A1 * |
Also Published As
Publication number | Publication date |
---|---|
JP2004501385A (en) | 2004-01-15 |
US20030152218A1 (en) | 2003-08-14 |
FR2807898A1 (en) | 2001-10-19 |
FR2807898B1 (en) | 2002-06-28 |
US7218735B2 (en) | 2007-05-15 |
AU2001254878A1 (en) | 2001-10-30 |
MXPA02010310A (en) | 2003-04-25 |
CN1425231A (en) | 2003-06-18 |
WO2001080481A1 (en) | 2001-10-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20021118 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR |
 | AX | Request for extension of the european patent | Free format text: AL;LT;LV;MK;RO;SI |
 | 17Q | First examination report despatched | Effective date: 20070824 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
 | 18D | Application deemed to be withdrawn | Effective date: 20080104 |