Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  • H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

• the invention relates to the technical field of security of services, and more specifically of electronic message signature, by means of cryptography.
• the electronic signature is a mechanism coming under so-called public key cryptography: the signatory has a secret key and an associated public key. It produces the signature of a message using its secret key. The verifier only needs the public key to verify the signature. More precisely still, the invention relates to group (electronic) signatures.
• a group signature allows members of a group to produce a signature such that the verifier will recognize this
• the group is assigned a unique group public key, while each member of this group is assigned a unique identifier and private key.
• a member of the group can produce a group signature of a message of their choice, which signature can be verified by any entity using the group public key. Verification only tells this entity that the signature was produced by a member of the group, but does not give it any information on the identifier of the member who signed.
• the trusted authority has additional information which enables it to find the identifier of this member, and therefore to lift this anonymity at any time (we say that the trusted authority "opens" the signature).
• Group signatures have many applications, including the following two.
• a first application, described with reference to Figure 1, is given by electronic auctions. They set up three protagonists: an auction server 2, a trusted authority 4 and a client Cl. All of the clients form a group G called "client group".
• a user wishing to register with the group of clients G must contact the trusted authority 4, which provides him with his private key SK. He thus obtains the right to produce a group signature.
• SK his private key
• He thus obtains the right to produce a group signature.
• he can sign each of his auctions anonymously.
• each member of the client group can bid by signing a message containing in particular the product put up for sale and the amount of their bid.
• the auction server 2 can verify the group membership and therefore the validity of the auction simply by verifying the group signature.
• the winner is the one who gives the last bid before the auction.
• the last message received by the auction server is therefore that of the winner.
• the server then addresses this message and the corresponding group signature to the trusted authority 4, which is the only one capable of lifting anonymity and therefore of determining the physical identity of the buyer of the product being auctioned.
• the auctions must be quick. Indeed, they take place for a very short time where sometimes the first who bids at a given price is likely to win the game because he will have reached a level too high for the others. This is why the mechanism for signing your offer should not take too long.
• a second application is anonymous electronic payment. She puts in places four protagonists: a Cl client, a merchant 6, a bank 8 and a trusted authority 4. Each Cl client must register in the system and obtain a private key SK from a group signature scheme before being able to perform his first transaction. To make a payment, the customer must collect electronic PE documents from their bank 8. Remember that an electronic document represents a piece of data (a serial number) digitally signed by the bank. The PE documents that he withdraws are anonymous thanks to the use of a mechanism known as blind signature.
• the expenditure of a PE part at a merchant 6 is done as follows: the customer (Cli in the example) generates a group signature relating to the electronic part PE and transmits the whole (signature and PE) to the merchant . If the document is valid (verification of the bank signature) and the group signature is authentic, the merchant accepts the transaction. At the end of the day (or at the most opportune time), the merchant transmits to the bank the signatures and the documents received as payment for compensation for their value. In case of fraud
• the bank 8 sends the group signature relating to the disputed document to the trusted authority 4 so that it identifies the unscrupulous customer and sanctions the offender.
• a trusted authority 4 responsible for group G generates the encryption and signature keys, then puts the corresponding public keys in a generally accessible place, for example a directory. It keeps the associated private SK keys secret.
• a person determines an identifier (numerical value that the trusted authority can link to the natural or legal person who is a member of the group) and interacts with the trusted authority 4 to obtain a member certificate which is in signs the identifier using the private key SK for signing the trusted authority.
• - action i) encrypt his identifier using the public encryption key of the trusted authority (this part will be used to open the signature if necessary) and - action ii): prove that he knows a certificate of member associated with the clear text included in the cipher (proof that he is indeed part of the group).
• Verification of the signature consists in verifying the proof of knowledge, for example of the zero knowledge type.
• the opening of the signature is the simple decryption of the identifier.
• each signature requires to carry out an encryption (action i) and especially a certain number of proofs of knowledge (action ii) which are in practice very expensive in computation time, since implementing numerous modular exponentiations (for example, it takes about a second per modular exponentiation with a smart card fitted with a cryptoprocessor).
• the present invention aims to set up a group signature scheme which is very rapid, that is to say requiring only very few modular exponentiations (in the examples typically one or two exponentiations at most), while keeping the properties of current group signature schemes (constant signature size, secure scheme, public key unchanged when a new member arrives, etc.).
• group signature scheme which is very rapid, that is to say requiring only very few modular exponentiations (in the examples typically one or two exponentiations at most), while keeping the properties of current group signature schemes (constant signature size, secure scheme, public key unchanged when a new member arrives, etc.).
• computing media with reduced capacity such as smart cards and similar portable communicating devices.
• the invention provides, according to a first object, a group signature system allowing a member of a group to produce, using personalized data, a message accompanied by a signature proving to a check that the message comes from a member of the group, characterized in that the personalized data is presented in an integrated form in an electronic material support.
• the electronic material support also includes encryption means for producing personalized encryption from said personalized data prior to signing the message, means for producing a combination of a message to be signed and the encrypted associated with this message, for example in the form of concatenation of the message with the encrypted, and means for signing the message with the personalized data in the form of encrypted associated with this message.
• the personalized data can be a personal identifier for the member, the electronic material support also integrating an encryption key common to the members of the group, and the encryption means producing an encryption of the identifier with this encryption key.
• the encryption means produce an encryption of the identifier and of a hazard.
• the personalized data can be a diversified encryption key, specific to each member of the group, the encryption means producing an encryption of at least one data, for example a hazard, with the encryption key.
• the encryption means can implement a secret key encryption algorithm, for example the algorithm known by the designation AES (advanced encryption standard), or a public key encryption algorithm, for example the algorithm known by the designation RSA (Rivest, Shamir, Adleman).
• AES advanced encryption standard
• RSA public key encryption algorithm
• the signature means implement a private key signature algorithm, for example the algorithm known by the designation RSA, which can include the so-called PKCS # 1 standard as defined in particular in the document "RSA Cryptography Standard - RSA Laboratories. Draft2 - January 5, 2001".
• RSA private key signature algorithm
• the electronic hardware support is a portable communicating device, in particular a smart card.
• the invention also relates to a method for transmitting a message with a group signature of this message, characterized in that it implements the system according to the first aspect, the signature of the message being produced with a private SK key common to the members of the group and integrating the personalized data produced from the electronic material support, the process providing for transmitting the message thus signed to an auditor without recourse to the provision of proof to the latter of the membership of member of said group, such as a membership certificate or proof of possession of such a certificate.
• the invention relates to a method of verifying a message received with a group signature of this message, the message having been sent in accordance with the method according to the second aspect, characterized in that the verification is carried out by means a public key which corresponds to said private key.
• the invention relates to a method of opening a signature produced by the system according to the first aspect, characterized in that it comprises the steps consisting in:
• the invention relates to a method for preparing an electronic hardware support of the system according to the first aspect, personalized to a member admitted to a group, characterized in that it comprises the steps consisting in:
• FIG. 1, already described is a block diagram illustrating an example of group coding in the context of an auction
• - Figure 2, already described is a block diagram illustrating an example of group coding in the context of purchases by electronic parts;
• FIG. 3 is a diagram for illustrating transactions using a smart card for signing messages according to one invention
• FIG. 4 is a block diagram of the functional elements of a smart card which can be used to carry out group signatures in accordance with the invention
• - Figure 5 is a general flowchart of the functional elements involved in a smart card to achieve group signatures according to one invention
• Figure 6 is a flowchart of a first example of implementation of specific elements vis-à-vis the flowchart of Figure 5;
• FIG. 7 is a flow diagram according to a variant of the first example.
• FIG. 8 is a flow diagram of a second example of implementation of specific elements vis-à-vis the flow diagram of FIG. 5.
• the device which is typically portable such as a smart card or a box incorporating it (for example a mobile telephone terminal), advantageously comprises on the same physical set: personalized data (identifier or diversified encryption key) stored in electronic form, the means for encrypting this data, and the means for carrying out the group signature on the assembly comprising the message to be transmitted and the encryption of the personalized data.
• personalized data identifier or diversified encryption key
• Communication between a member M and a service provider can be done by any known means, for example from his personal computer (PC) 10 via a communication network , such as the Internet, or by a mobile telephone 27 equipped with an external smart card reader 27a, the exchange of data with service providers 2, 6 then taking place over the air 29 via the antenna 27b of the mobile telephone.
• PC personal computer
• the personal computer 10 comprises in particular a central unit 14, a modem card 16 or other interface for communication with the network 12, a display screen 18, and a keyboard 20 with pointing device 22. It also includes a card reader to chip 24 by which the smart card 26 can communicate with its central unit 14 and over the network 12.
• the chip part 26a of the card is preferably of the secure type.
• the services offered by the auction server 2 and the merchant 6 are identical to those described in the context of Figures 1 and 2 respectively, and will not be described again for the sake of brevity. Similarly, their mode of operation with the bank 8 (for the merchant 6) and the trusted authority 4 is substantially the same.
• the trusted authority 4 delivers an identifier z to a member M accepted by it from the group G directly in physical form, in this case in the form of the personalized smart card 26 with a secure chip 26a.
• the registration of the personalized data in a card is carried out by a data exchange protocol via a terminal managed by the trusted authority.
• the personalized data is established and stored within the card during this exchange.
• the trusted authority 4 can also establish the personalized data with an existing smart card as soon as this card is able to allow the loading of data after it is issued. This is particularly the case with multi-purpose cards intended to integrate new applications at any time by loading from a terminal, making it possible to combine several distinct services or functions on a single medium.
• the trusted authority therefore associates a member
• a personalized card 26 is issued to a candidate by the trusted authority 4 when this person fulfills the conditions to become a member of group G, with the usual checks and precautions, like the issuance of a classic bank card.
• the trusted authority notably records the correspondence between the personalized data contained in a card 26 issued and the identity (for example the name) of the person to whom this card has been returned.
• security is based here on the one hand, on a device containing a secure chip 26a and, on the other hand, on a key.
• This can either be shared by all the members M of the group G to generate a group signature when the personalized data is an identifier to be encrypted by this key, or diversified, that is to say specific to the member when it itself constitutes personalized data.
• the detailed aspects of this approach are presented in the following.
• the embodiments of the invention use an ordinary signature scheme S and a probabilistic and semantically secure encryption algorithm (public key or secret key algorithm). Then, the trusted authority 4 responsible for the group generates the signature key (s) SK or the like, then puts the corresponding public key in a directory. It keeps the private signature key secret, then it publishes all the information necessary for the implementation of the encryption algorithm. To become a member, a person obtains from the trusted authority 4 a smart card 26 containing on the one hand, either an identifier z, or a diversified key K (the trusted authority keeping in memory the link between the smart card, identifier z, and the diversified key K as well as the new member M), and on the other hand, the private signature key SK.
• a smart card 26 containing on the one hand, either an identifier z, or a diversified key K (the trusted authority keeping in memory the link between the smart card, identifier z, and the diversified key K as well as the new member M), and on the other hand, the private
• the card also has all the information necessary for encryption using the algorithm provided by the trusted authority. Provided with this set of elements integrated in the smart card 26, the member M can, using the latter, sign a message m on behalf of the group G, this signature S being able to be opened by the trusted authority (and by it alone) if necessary.
• the member uses his smart card which will take the message m as input.
• the card will initially carry out a member-specific encryption using the encryption algorithm of the trusted authority, then sign the message consisting of at least the initial message m and the encryption obtained previously, this signature being produced using the shared private signature key it has in memory.
• the smart card 26 sends the recipient 2, 6 (verifier) the message, the encryption and the signature.
• Signature verification simply involves verifying the signature generated by the shared private key, using the corresponding public key.
• the opening of the signature by the trusted authority 4 consists in deciphering the personalized data and in finding the correspondence with the identity of the owner of the smart card 26. The result is very fast at the card level, since at the time of signature S there is only one encryption and one signature to be made (and therefore at most two modular exponentiations).
• the link between the identifier and the message is created by cryptographic mechanisms
• the invention uses a hardware approach with security based on that of an object, advantageously secure, in this case the smart card 26.
• FIG. 4 represents in the form of a simplified block diagram the functional elements according to a possible architecture of the smart card 26. These elements include: a microprocessor 28 ensuring the management of internal functions and the execution of application programs of the card. It may include in particular a
• RAM random access memory
• EEPROM electrically erasable programmable read-only memory
• This memory is used in particular for the storage of long-term data after the card manufacturing, for example personalized card data, software code linked to the algorithms used, etc. ; a frozen memory 34 of the ROM "mask” type, programmed with immutable data during its manufacturing process with the idea of masks.
• This memory records in particular the internal management code of the card, but can also store encryption data common to the members of the group. The sharing of the data storage between the EEPROM 32 and ROM mask 34 memories is at the discretion of the designer;
• a communication interface 36 by which the card exchanges data with the external environment, such as the card reader 24 or 27a; and - an internal bus 38 which connects the aforementioned elements.
• FIG. 5 The general principle of the operation of the card 26 for signing messages is shown in FIG. 5.
• This figure includes a frame inside which all the elements - data or actions - are located within the smart card itself, hence its designation 26.
• the personalized data is in the form of an identifier z.
• the card 26 For each message m to be transmitted which must bear the group signature S, the card 26 submits its own identifier z (box B1) to an encryption algorithm (generic designation E) (box B2).
• the box Bl is shown in dotted lines, being an element which can be deleted if a diversified key Kz is used. Concretely, this action consists in making the microprocessor 28 execute the code of the algorithm E read from the EEPROM 32 and, if necessary, from the mask ROM memory 34, with insertion, as a parameter, of the identifier z read internally from a memory on the card, for example the EEPROM memory 32.
• the algorithm E also involves at least one other parameter, such as a random number and an encryption key, as described below with reference to the examples.
• the card receives the message m to be signed on its communication interface 36 and saves it temporarily in the RAM memory 32 (box B4).
• This operation consists in producing a binary sequence comprising the continuation of the bits of the message m followed / preceded by the bits of the cipher.
• the concatenation is then supplied to me as a parameter to another algorithm, known as the signature algorithm.
• this operation consists in having the microprocessor 28 execute the code of the algorithm Sig read from the EEPROM 32 and, if necessary, from the mask ROM 34, with insertion, as a parameter, of a firstly the signature key SK, read internally from a memory of the card, for example the EEPROM memory 32, and secondly the concatenation m 'read from the memory RAM 30.
• the authenticated signature S of the message m thus produced by this algorithm Sig is then transmitted as an output to the communication interface 36 of the card 26 for exploitation in the context of the group transaction system G. More particularly, the signature produced with the private signature key SK on the operand m ', ie Sig S ⁇ ( ⁇ .'), forms a set transmitted from the computer personal 10 or mobile phone 27 to a service provider 2 or 6.
• the latter acting as "verifier", can establish whether the message m extracted from the signature Sig s ⁇ (m ') actually comes from an authentic card 26 by means of a verification algorithm (generic designation Ver PK (m ', S)) and a public key PK made available by the trusted authority 4.
• Ver PK Generic designation Ver PK (m ', S)
• public key PK made available by the trusted authority 4. This algorithm is dichotomous in nature, producing a yes / no response.
• Table I list of entities used by a member M (map 26), a verifier V and the trusted authority for the general embodiment.
• Example 1 embodiment based on the A ⁇ S encryption algorithm and RSA signature
• the signature scheme chosen is the RSA algorithm.
• the module will be noted n, the private key is SK and corresponds to the shared key; the public key is PK.
• the encryption algorithm chosen in the example is AES (from the English "advanced encryption standard") which is therefore a secret key algorithm.
• K the associated key. In this illustrated case, it is a key shared among all the members M of the group G.
• the trusted authority publishes PK and keeps all the other keys secret.
• the AES encryption algorithm B2 ′ accepts as input parameter: i) the identifier z (box Bl), ii) a secret encryption key K (box B8) shared among all the members M admitted to group G and stored in the EEPROM memory 32 and iii) a random r (box B9).
• the latter is a random number of a predetermined binary length, generated within the card 26 by means of a software code executed by the microprocessor 28.
• the random number r is renewed at each message signature m.
• the AES algorithm then produces the encrypted C of the identifier and of the random number r with AES and the secret key K (box B3 ').
• Table II summarizes the entities used by the different protagonists of group G according to the first example:
• Table II list of elements used by a member M (card 26), a verifier V and the trusted authority according to example 1.
• the trusted authority When a new member arrives in the group, the trusted authority creates a new smart card for him and places in his memory n, SK and K as well as a value z (the member's identifier). It notes in its database that the value z is associated with this new member.
• the pair (S, C) is the group signature of the message m. The verifier only needs n and PK to verify that the signature comes from a member of the group.
• the trusted authority wishes to open the signature, it will only have to use the AES algorithm and the K key (it does not need the r hazard to decrypt) to obtain z and look in its database of data that corresponds to z.
• a variant raising the level of security consists in choosing the encryption key Kz diversified according to the identifier, and in encrypting only the hazard r, that is to say of assigning a different key Kz for each member M of the group G.
• the identifier z is dispensed with as such, this being no longer necessary for individualizing the card 26: the individualization is obtained instead directly by the key diversified encryption Kz (box B8) because it is individual.
• this variant is implemented in a manner analogous to the first example, but by introducing as a parameter in the encryption algorithm (this one can always be the algorithm
• box B9 box B1 being naturally deleted.
• the resulting C number is treated in the same way
• the opening phase then consists of testing all the existing encryption keys until you find the correct one.
• Example 2 embodiment based on the RSA encryption algorithm and RSA signature
• the signature scheme chosen is once again the RSA algorithm.
• the module will be noted n, the secret key is SK and corresponds to the shared key; the public key is PK.
• the encryption algorithm is asymmetrical this time since it is the RSA cryptosystem as described in the aforementioned standard.
• the module will be noted n '.
• the public encryption key is e and the associated private key is d.
• the trusted authority When a new member M arrives in group G, the trusted authority produces a new smart card 26 or loads data into an existing card and places in memory n, n ', e and SK, as well as 'a z value (member ID). She notes in her database that the value z is associated with this new member. When this member wishes to sign a message, he inserts his card 26 into a reader 24 or 27a and asks him to sign the message m. At first, the card will encrypt its identifier z using the RSA cryptosystem
• the pair (S, C) is the group signature of the message m.
• Table III summarizes the entities used by the different protagonists of group G according to the first example:
• Table III list of elements used by a member M (card 26), a verifier V and the trusted authority according to example 2.
• the trusted authority 4 If the trusted authority 4 wishes to open the signature, it calculates C d mod p to fall on z ', then on z (the transformation between z and z' does not require knowledge of the hazard r and is fully described by the aforementioned standard.
• the second example also makes it possible to split the authority in two, as described in the context of the first example.
• the invention has a remarkable advantage in terms of calculation costs, since it suffices to have at the level of the card 26 just an encryption algorithm and a signature algorithm, which together only require two modular exponentiations.
• the invention allows many variants both in terms of hardware, cryptographic, software, communication between stakeholders, and in terms of applications.
• the signature of messages can be carried out by any suitable device which does not necessarily fall under the technology of smart cards, such as specific portable objects, communicating personal assistants, resources of a mobile telephone, etc.
• Communication between an M member and a service provider can also be done by local, cable, wireless, infrared or other links.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)

Applications Claiming Priority (3)

Publications (1)

Family

ID=8871037

Family Applications (1)

Country Status (6)

Families Citing this family (150)

Citations (1)

Family Cites Families (6)

• 2001
  • 2001-12-27 FR FR0116950A patent/FR2834403B1/fr not_active Expired - Fee Related
• 2002
  • 2002-12-20 EP EP02805804A patent/EP1459479A2/de not_active Withdrawn
  • 2002-12-20 US US10/500,311 patent/US7673144B2/en not_active Expired - Fee Related
  • 2002-12-20 AU AU2002364678A patent/AU2002364678A1/en not_active Abandoned
  • 2002-12-20 WO PCT/FR2002/004502 patent/WO2003056750A2/fr active Application Filing
  • 2002-12-20 JP JP2003557142A patent/JP4116971B2/ja not_active Expired - Fee Related

Patent Citations (2)

Also Published As

Similar Documents

Legal Events