EP1277307A1 - Cryptography method on elliptic curves - Google Patents

Cryptography method on elliptic curves

Info

Publication number
EP1277307A1
EP1277307A1 EP01927999A EP01927999A EP1277307A1 EP 1277307 A1 EP1277307 A1 EP 1277307A1 EP 01927999 A EP01927999 A EP 01927999A EP 01927999 A EP01927999 A EP 01927999A EP 1277307 A1 EP1277307 A1 EP 1277307A1
Authority
EP
European Patent Office
Prior art keywords
point
curve
algorithm
hazard
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01927999A
Other languages
German (de)
French (fr)
Inventor
Jean-Sébastien CORON
Christophe Tymen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gemplus SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemplus Card International SA, Gemplus SA
Publication of EP1277307A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724 Finite field arithmetic
    • G06F7/725 Finite field arithmetic over elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Complex Calculations (AREA)
  • Storage Device Security (AREA)

Abstract

The invention concerns a cryptography method for generating probabilistic digital signatures and/or for a key-exchange protocol and/or for an encryption algorithm, said method being based on the use of a public key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x, y) is selected, pairs $(k_i, P_i)$ being stored with $P_i$ the point corresponding to the scalar multiplication of the point P by $k_i$, said method comprising steps which consist in generating a random value (k) and in calculating a point C corresponding to the scalar multiplication of P by k ($C = k \cdot P$). The invention is characterised in that the generation of said random value (k) and the calculation of the point C are performed simultaneously.

Description

ELLIPTIC CURVE CRYPTOGRAPHY METHOD
The present invention relates to an elliptic curve cryptography method. Such a method is based on the use of a public-key algorithm and can be applied to the generation of probabilistic digital signatures of a message and/or to a key exchange protocol and/or to a message encryption algorithm.
An algorithm for generating and verifying digital signatures consists in calculating one or more integers, generally a pair, called the signature and associated with a given message, in order to certify the identity of the signatory and the integrity of the signed message. The signature is said to be probabilistic when the algorithm uses a random value in generating the signature, this random value being secret and regenerated for each new signature. Thus, the same message transmitted by the same user can have several distinct signatures.
Key exchange protocol and encryption algorithms also use a random value k that is secret and regenerated at each new application of the algorithm.
Public-key cryptography algorithms on elliptic curves are increasingly used. Such an algorithm is based on the use of points P(x,y) of a curve E satisfying the relation $y^2 + xy = x^3 + ax^2 + b$, with a and b two elements of a finite field.
Addition and subtraction operations are performed on the points P of the curve E. The operation of adding the same point P to itself k times is called the scalar multiplication of P by k, and corresponds to a point C of the elliptic curve defined by $C(x', y') = k \cdot P(x, y)$.
An example of such an algorithm is ECDSA (from the English Elliptic Curve Digital Standard Algorithm), which is an algorithm for generating and verifying probabilistic digital signatures. The parameters of ECDSA are:
- E, an elliptic curve defined over the set $Z_p$, the number of points of the curve E being divisible by a large prime N, in general $N > 2^{160}$,
- P(x,y), a given point of the elliptic curve E.
The secret key d is a number randomly fixed between 0 and N-1, and the public key Q is linked to d by the scalar multiplication relation $Q(x_1, y_1) = d \cdot P(x, y)$.
Let m be the message to send. The ECDSA signature of m is the pair of integers (r,s) in the interval [1, N-1], defined as follows:
- let k be a random number chosen in the interval [1, N-1], k being a random value regenerated at each signature;
- compute the point C obtained by the scalar multiplication $C(x', y') = k \cdot P(x, y)$;
- $r = x' \bmod N$;
- $s = k^{-1}(h(m) + d \cdot r) \bmod N$;
with h(m) the result of applying a hash function h, which is a pseudo-random cryptographic function, to the initial message m.
The signature is verified, using the public parameters (E, P, N, Q), as follows:
Intermediate calculations are performed:
- $w = s^{-1} \bmod N$;
- $u_2 = r \cdot w \bmod N$;
An addition and scalar multiplication operation is performed by computing the point of the curve E corresponding to $u_1 P + u_2 Q = (x_0, y_0)$;
It is checked whether $v = x_0 \bmod N \equiv r$.
If this equality holds, the signature is authentic.
The signature (r,s) was generated with the secret key d and a secret random number k that differs for each signature, and it is verified with the parameters of the public key. Thus, anyone can authenticate a card and its holder without holding its secret key. The execution cost of such an elliptic curve signature algorithm is directly linked to the complexity and speed of the scalar multiplication that defines the point $C = k \cdot P$.
Improvements to elliptic curve cryptography methods have been developed to facilitate and accelerate this scalar multiplication. In particular, the article by J.A. Solinas, "An Improved Algorithm for Arithmetic on a Family of Elliptic Curves", published in Proceedings of Crypto'97, Springer Verlag, describes one possible improvement.
In order to accelerate the computation of a scalar multiplication in an algorithm on an elliptic curve E, it was thus envisaged to work on a particular family of elliptic curves, called anomalous binary elliptic curves or Koblitz curves, on which a particular operator, called the Frobenius operator, is available and allows scalar multiplications to be computed more quickly.
Koblitz curves are defined over the mathematical set $GF(2^n)$ by the relation $y^2 + xy = x^3 + ax^2 + 1$ with $a \in \{0, 1\}$.
The Frobenius operator τ is defined as $\tau[P(x, y)] = (x^2, y^2)$, with the relation $\tau^2 + 2 = (-1)^{1-a}\tau$.
Applying the operator τ to a given point P of the curve E is a fast operation because the computation takes place in the mathematical set $GF(2^n)$, n being the size of the finite field, for example n = 163.
In order to facilitate the computation of the scalar multiplication $C(x_1, y_1) = k \cdot P(x, y)$, the integer k is decomposed so as to reduce it to addition and subtraction operations. The non-adjacent form (NAF) of the integer k is thus defined, which consists in writing the integer k as a sum: $k = \sum_{i=0}^{l-1} e_i 2^i$ with $e_i \in \{-1, 0, 1\}$ and $l \le n$. In the case of a Koblitz elliptic curve, the NAF can be expressed using the Frobenius operator: $k = \sum_{i=0}^{l} e_i \tau^i$.
Thus, the scalar multiplication of P by k comes down to applying the Frobenius operator to the point P, which is easy and fast.
In addition, the computation of the scalar multiplication $k \cdot P$ can be further accelerated by precomputing and storing a few pairs $(k_i, P_i = k_i \cdot P)$, which can advantageously be stored in the memory of the device implementing the signature algorithm. Recall that P is one of the public parameters of the key of the signature algorithm. For a 163-bit random value k, storing 42 scalar multiplication pairs $(k_i, P_i)$ thus reduces the number of addition/subtraction operations to 19, instead of 52 without any precomputation.
The subject of the present invention is an elliptic curve cryptography method that further reduces the number of additions in the scalar multiplication. The invention relates more particularly to a cryptography method for the generation of probabilistic digital signatures and/or for a key exchange protocol and/or for an encryption algorithm, said method being based on the use of a public-key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x,y) is selected, pairs $(k_i, P_i)$ being stored with $P_i$ the point corresponding to the scalar multiplication of the point P by $k_i$, said method comprising steps consisting in generating a random value k and computing a point C corresponding to the scalar multiplication of P by k ($C = k \cdot P$), characterized in that the generation of said random value k and the computation of the point C are performed simultaneously.
According to one application, the cryptographic algorithm for generating a probabilistic digital signature is ECDSA (from the English Elliptic Curve Digital Standard Algorithm).
According to another application, the cryptographic key exchange protocol algorithm is ECDH (from the English Elliptic Curve Diffie-Hellman).
According to one characteristic, the method is based on the use of a Koblitz curve defined over the mathematical set $GF(2^n)$ on which a so-called Frobenius operator $\tau[P(x, y)] = (x^2, y^2)$ is available, the method being characterized in that it comprises the following steps:
- initialize the random value k = 0 and the point C = 0,
- perform a loop for j going from 1 to $n_{iter}$, said loop consisting in:
  - generating the following random values at each new iteration:
    - a, between 0 and n, with n the size of the finite field over which the curve is defined,
    - $u \in \{-1, 1\}$,
    - i, between 0 and t, with t the number of stored pairs $(k_i, P_i)$,
  - computing the point $C_j = C_{j-1} + u \cdot \tau^a \cdot P_i$,
  - generating the random value $k_j = k_{j-1} + u \cdot k_i \cdot \tau^a$,
- convert k into an integer at the end of the loop,
- present simultaneously the random value k and the point $C = k \cdot P$.
According to one characteristic, the number t of stored pairs $(k_i, P_i)$ is between 35 and 45.
According to another characteristic, the number of iterations of the loop ($n_{iter}$) is fixed between 10 and 12.
According to another characteristic, the size n of the mathematical field over which the Koblitz curve is defined is equal to 163.
The invention also relates to a secure device, of the smart card type, or a computing device, such as a computer provided with encryption software, comprising an electronic component capable of implementing the signature method according to the invention. The method according to the invention has the advantage of reducing the computation time of the scalar product of P by k, which constitutes an essential step in the implementation of an elliptic curve cryptography method, on the one hand by generating the random value k simultaneously with the computation of the scalar product $k \cdot P$ and on the other hand by reducing the number of addition operations through the precomputation of pairs $k_i$,
The features and advantages of the invention will appear more clearly on reading the following description, made with reference to the ECDSA algorithm and given by way of illustrative and non-limiting example. The method according to the invention can indeed also be applied to a key exchange protocol or to an encryption algorithm, for example.
Let E be a Koblitz elliptic curve defined over the set $GF(2^n)$ with n = 163, the size of the mathematical field in which the computation takes place, and let P(x,y) be a given point of this curve. The Frobenius operator $\tau[P(x, y)] = (x^2, y^2)$ is then available and constitutes a fast operation given the field $GF(2^n)$ in which the computation takes place.
A number of pairs $(k_i, P_i = k_i \cdot P)$ are first computed and stored in the component implementing the signature method (a smart card microcontroller, for example). The number of pairs is fixed at t between 35 and 45, which constitutes a compromise between the memory space occupied and the desired acceleration of the signature generation computation.
The method according to the present invention consists in accelerating the generation of a probabilistic signature by using precomputed and stored pairs $(k_i, P_i)$ and by generating the random value k at the same time as computing the point $C = k \cdot P$.
The values of C and k are first initialized to 0. A loop over j of n_iter iterations is then run, performing the following operations:
- generate the following random values at each new iteration j:
  - r, between 0 and n,
  - u ∈ {-1, 1},
  - i, between 0 and t,
- compute C_j = C_{j-1} + u·τ^r·P_i,
- compute k_j = k_{j-1} + u·k_i·τ^r.
At the end of the loop we obtain the random value k, which is converted to an integer, and the point C, which is the scalar multiplication of P by k.
The signature (r, s) is then generated according to the standard ECDSA procedure, or that of another algorithm using Koblitz elliptic curves, with the values of k and C defined according to the method of the invention.
Generating k simultaneously with the computation of the point C speeds up signature generation, in particular by reducing the number of additions needed to compute the scalar multiplication of P by k. The number of additions for computing the point C is n_iter - 1.
Depending on the desired level of security and performance, n_iter is set between 10 and 12 iterations.
Thus, with k a 163-bit integer and about 40 stored pairs (k_i, P_i), the scalar multiplication k·P can be computed with only 9 to 11 addition operations.
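The loop described above, as an added example that is not code from the patent: it runs on a toy Koblitz curve over GF(2^11) instead of n = 163, so that the order of P and the integer by which τ acts on multiples of P can be found by brute force and the result checked against a plain double-and-add. The field polynomial, the function names and the table construction are assumptions made for the illustration.

```python
import secrets
M, POLY, A = 11, (1 << 11) | 0b101, 1   # toy field GF(2^11), x^11+x^2+1; curve y^2+xy = x^3+A*x^2+1
T, N_ITER = 40, 11                      # stored pairs and loop iterations, inside the page's ranges

def fmul(a, b):                         # multiplication in GF(2^M)
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1; a <<= 1
        if a >> M: a ^= POLY
    return r

def finv(a):                            # a^(2^M - 2), the inverse of a nonzero element
    r = 1
    for _ in range(M - 1):
        a = fmul(a, a); r = fmul(r, a)
    return r

def add(P, Q):                          # affine addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0): return None
    if x1 == x2:                        # doubling
        l = x1 ^ fmul(y1, finv(x1)); x3 = fmul(l, l) ^ l ^ A
        return x3, fmul(x1, x1) ^ fmul(l ^ 1, x3)
    l = fmul(y1 ^ y2, finv(x1 ^ x2)); x3 = fmul(l, l) ^ l ^ x1 ^ x2 ^ A
    return x3, fmul(l, x1 ^ x3) ^ x3 ^ y1

def neg(P): return None if P is None else (P[0], P[0] ^ P[1])

def mul(k, P):                          # reference double-and-add, for setup and checking only
    R = None
    while k:
        if k & 1: R = add(R, P)
        P = add(P, P); k >>= 1
    return R

def frob(P, r=1):                       # tau^r: square both coordinates r times
    for _ in range(r if P else 0):
        P = (fmul(P[0], P[0]), fmul(P[1], P[1]))
    return P

def on_curve(x, y):
    return fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x ^ A) ^ 1

P0 = next((x, y) for x in range(1, 1 << M) for y in range(1 << M) if on_curve(x, y))
P = add(P0, P0)                         # doubling removes the cofactor 2, leaving a point of odd order
N, LAM, Q, TAU_P = 1, None, P, frob(P)
while Q is not None:                    # walk the multiples of P: finds the order N of P and
    if Q == TAU_P: LAM = N              # the integer LAM with tau(P) = LAM*P
    Q = add(Q, P); N += 1
TABLE = [(ki, mul(ki, P)) for ki in (1 + secrets.randbelow(N - 1) for _ in range(T))]

def gen_k_and_C(rng=secrets.SystemRandom()):
    k, C = 0, None                      # k = 0 and C = point at infinity
    for _ in range(N_ITER):
        r, u, (ki, Pi) = rng.randrange(M), rng.choice((-1, 1)), rng.choice(TABLE)
        term = frob(Pi, r)              # tau^r(P_i): squarings only, no point addition
        C = add(C, term if u == 1 else neg(term))
        k = (k + u * ki * pow(LAM, r, N)) % N   # same step on the scalar, tau replaced by LAM mod N
    return k, C
```

Since the first addition is to the point at infinity, each call performs n_iter - 1 genuine point additions, and the returned k is already the integer form of the accumulated expression in τ.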

Claims

1. Cryptography method for the generation of probabilistic digital signatures and/or for a key exchange protocol and/or for an encryption algorithm, said method being based on the use of a public-key algorithm on an anomalous binary elliptic curve (E) (Koblitz curve) on which a point P(x, y) is selected, pairs (k_i, P_i) being stored, with P_i the point corresponding to the scalar multiplication of the point P by k_i, said method comprising steps of generating a random value (k) and computing a point C corresponding to the scalar multiplication of P by k (C = k·P), characterized in that the generation of said random value (k) and the computation of the point C are carried out simultaneously.
2. Method according to claim 1, characterized in that the cryptographic algorithm for the generation of a probabilistic digital signature is ECDSA (Elliptic Curve Digital Standard Algorithm).
3. Method according to claim 1, characterized in that the key exchange protocol cryptography algorithm is ECDH (Elliptic Curve Diffie-Hellman).
4. Method according to any one of the preceding claims, the method being based on the use of a Koblitz curve (E) defined over the field GF(2^n) on which a so-called Frobenius operator τ[P(x, y)] = (x^2, y^2) is available, characterized in that it comprises the following steps:
- initialize the random value k = 0 and the point C = 0,
- run a loop for j from 1 to n_iter, said loop consisting in:
  - generating the following random values at each new iteration j:
    - a, between 0 and n, with n the size of the finite field over which the curve (E) is defined,
    - u ∈ {-1, 1},
    - i, between 0 and t, with t the number of stored pairs (k_i, P_i),
  - computing the point C_j = C_{j-1} + u·τ^a·P_i,
  - generating the random value k_j = k_{j-1} + u·k_i·τ^a,
- convert k to an integer at the end of the loop,
- deliver the random value k and the point C = k·P simultaneously.
5. Method according to claim 4, characterized in that the number (t) of stored pairs (k_i, P_i) is between 35 and 45.
6. Method according to claim 4, characterized in that the number of iterations of the loop (n_iter) is set between 10 and 12.
7. Method according to claim 4, characterized in that the size n of the finite field over which the Koblitz curve (E) is defined is equal to 163.
8. Secure device, of the smart card type, characterized in that it comprises an electronic component capable of implementing the signature method according to claims 1 to 7.
9. Computing device, of the type of a computer provided with encryption software, characterized in that it comprises an electronic component capable of implementing the signature method according to claims 1 to 7.
EP01927999A 2000-04-18 2001-04-18 Cryptography method on elliptic curves Withdrawn EP1277307A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0005006A FR2807898B1 (en) 2000-04-18 2000-04-18 ELLIPTICAL CURVE CRYPTOGRAPHY PROCESS
FR0005006 2000-04-18
PCT/FR2001/001195 WO2001080481A1 (en) 2000-04-18 2001-04-18 Cryptography method on elliptic curves

Publications (1)

Publication Number Publication Date
EP1277307A1 (en) 2003-01-22

Family

ID=8849392

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01927999A Withdrawn EP1277307A1 (en) 2000-04-18 2001-04-18 Cryptography method on elliptic curves

Country Status (8)

Country Link
US (1) US7218735B2 (en)
EP (1) EP1277307A1 (en)
JP (1) JP2004501385A (en)
CN (1) CN1425231A (en)
AU (1) AU2001254878A1 (en)
FR (1) FR2807898B1 (en)
MX (1) MXPA02010310A (en)
WO (1) WO2001080481A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546162A (en) * 2010-12-29 2012-07-04 北京数字太和科技有限责任公司 Data safety processing method

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7308096B2 (en) * 2000-05-30 2007-12-11 Hitachi, Ltd. Elliptic scalar multiplication system
EP1687931B1 (en) 2003-10-28 2021-12-29 BlackBerry Limited Method and apparatus for verifiable generation of public keys
US9621539B2 (en) * 2004-01-30 2017-04-11 William H. Shawn Method and apparatus for securing the privacy of a computer network
WO2005107141A1 (en) * 2004-04-30 2005-11-10 Research In Motion Limited Systems and methods to securely generate shared keys
US7483533B2 (en) * 2004-08-05 2009-01-27 King Fahd University Of Petroleum Elliptic polynomial cryptography with multi x-coordinates embedding
US7483534B2 (en) * 2004-08-05 2009-01-27 King Fahd University Of Petroleum Elliptic polynomial cryptography with multi y-coordinates embedding
US7607019B2 (en) * 2005-02-03 2009-10-20 Apple Inc. Small memory footprint fast elliptic encryption
JP5068176B2 (en) * 2005-01-18 2012-11-07 サーティコム コーポレーション Enhanced verification of digital signatures and public keys
JP5147412B2 (en) * 2005-01-21 2013-02-20 サーティコム コーポレーション Elliptic curve random number generation
CA2542556C (en) 2005-06-03 2014-09-16 Tata Consultancy Services Limited An authentication system executing an elliptic curve digital signature cryptographic process
US7587047B2 (en) * 2005-06-22 2009-09-08 Apple Inc. Chaos generator for accumulation of stream entropy
US8165286B2 (en) * 2008-04-02 2012-04-24 Apple Inc. Combination white box/black box cryptographic processes and apparatus
EP2151947A1 (en) * 2008-08-05 2010-02-10 Irdeto Access B.V. Signcryption scheme based on elliptic curve cryptography
CN101582170B (en) * 2009-06-09 2011-08-31 上海大学 Remote sensing image encryption method based on elliptic curve cryptosystem
US10129026B2 (en) * 2016-05-03 2018-11-13 Certicom Corp. Method and system for cheon resistant static diffie-hellman security
US10361855B2 (en) * 2016-05-27 2019-07-23 Nxp B.V. Computing a secure elliptic curve scalar multiplication using an unsecured and secure environment
EP4167213B1 (en) * 2017-01-18 2024-03-13 Nippon Telegraph And Telephone Corporation Secret computation method, secret computation system, secret computation apparatus, and program
EP3376705A1 (en) * 2017-03-17 2018-09-19 Koninklijke Philips N.V. Elliptic curve point multiplication device and method in a white-box context
KR102328896B1 (en) * 2020-11-10 2021-11-22 주식회사 아톰릭스랩 Crypto Key distribution and recovery method for 3rd party managed system
KR102329580B1 (en) * 2020-11-10 2021-11-23 주식회사 아톰릭스랩 Crypto Key distribution and recovery method for multiple 3rd parties managed systems
KR102536397B1 (en) * 2022-10-26 2023-05-26 주식회사 시옷 Signature verification method performed in a computing device and a computing device performing the same method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5999626A (en) * 1996-04-16 1999-12-07 Certicom Corp. Digital signatures on a smartcard
US5854759A (en) * 1997-05-05 1998-12-29 Rsa Data Security, Inc. Methods and apparatus for efficient finite field basis conversion
ATE325478T1 (en) * 1998-01-02 2006-06-15 Cryptography Res Inc LEAK RESISTANT CRYPTOGRAPHIC METHOD AND APPARATUS
CA2257008C (en) * 1998-12-24 2007-12-11 Certicom Corp. A method for accelerating cryptographic operations on elliptic curves
US6611597B1 (en) * 1999-01-25 2003-08-26 Matsushita Electric Industrial Co., Ltd. Method and device for constructing elliptic curves

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0180481A1 *

Also Published As

Publication number Publication date
US7218735B2 (en) 2007-05-15
WO2001080481A1 (en) 2001-10-25
JP2004501385A (en) 2004-01-15
MXPA02010310A (en) 2003-04-25
US20030152218A1 (en) 2003-08-14
FR2807898A1 (en) 2001-10-19
FR2807898B1 (en) 2002-06-28
CN1425231A (en) 2003-06-18
AU2001254878A1 (en) 2001-10-30


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021118

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

17Q First examination report despatched

Effective date: 20070824

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20080104