EP1523823A2 - Method for generating electronic keys for a public key cryptography method and secure portable object using the method - Google Patents

Info

Publication number
EP1523823A2
Authority
EP
European Patent Office
Prior art keywords
key
prime
length
calculation
couple
Prior art date
Legal status
Withdrawn
Application number
EP03760742A
Other languages
English (en)
French (fr)
Inventor
Nathalie Feyt
Marc Joye
Current Assignee
Thales DIS France SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date
Filing date
Publication date
Application filed by Gemplus Card International SA, Gemplus SA
Publication of EP1523823A2
Withdrawn (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/30 Compression, e.g. Merkle-Damgard construction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • The invention relates to a method for generating electronic keys for a public key cryptography method. It also relates to a secure portable object implementing the method.
  • The invention relates more particularly to the generation of keys of an RSA-type cryptographic system and their storage on a secure object with a view to their use in an application requiring security.
  • The invention is particularly applicable to secure objects having no significant memory resource, such as electrically programmable memory, or powerful computing resources, as is the case for smart cards.
  • An application of the invention is electronic commerce via a mobile phone.
  • The keys can be found on the SIM card of the phone.
  • The RSA cryptography protocol allows the encryption of information and/or authentication between two entities and/or the electronic signature of messages.
  • The RSA cryptography protocol is the most used because it has properties that allow it to be used both in encryption and in signature generation.
  • The RSA cryptography system includes a "public" algorithm performing the encryption or signature verification function and a "private" algorithm performing the decryption or signature generation function. Its security is based on the difficulty of factoring a large public integer N which is the product of two large prime numbers p and q, the couple (p, q) entering into the calculation of the secret key d used by the decryption function or by the signature calculation function.
  • The parameters p and q are generated at the end of a time-consuming calculation. They are generally of the same length (even
  • This length is conventionally 512 bits.
  • This length can range from 512 bits to 2048 bits, 2048 bits being envisaged for the future.
  • N is the public modulus and is calculated from the following relation:
  • The key of the algorithm is said to be of length l when the public modulus N is of length l. This length is set by the application (or service provider).
  • When several applications are planned, each service provider provides its public exponent e and the length of the public modulus N, so that the corresponding private key d can be generated.
  • N = p * q, an integer of length 2.
  • The portable object stores sets of keys and certificates corresponding to each application likely to be used, without knowing whether these keys will really be useful later.
  • A large memory location is used unnecessarily. For example, 0.3 Kbytes are required for an RSA key with a 1024-bit modulus, while current cards have at most 32 Kbytes of programmable memory.
  • A large number of certificates are purchased from the trusted entity, which is expensive. The last but equally important drawback is that it is not possible to add new keys as new applications are considered.
  • The calculation can be carried out within the secure object. This solves the first drawback of the previous solution but creates heavy processing at the level of the secure object, which has a low computing capacity.
  • This solution still has the second drawback of the previous solution, namely the need for memory resources.
  • The present invention aims to solve these problems.
  • An object of the present invention is a method for generating electronic keys for a public key cryptography method by means of an electronic device, mainly characterized in that it comprises two dissociated calculation steps:
  • Step A1) consists in calculating pairs of prime numbers (p, q) without knowledge of the public exponent e or of the length l of the key, by using a parameter Π which is the product of small prime numbers.
  • The couple (p, q) obtained in step A has a maximum probability of being able to correspond to a future couple (e, l) and will be used to calculate a key d during the implementation of step B.
  • The calculation of step A1) also takes into account the fact that e has a high probability of being part of the set {3, 17, ..., 2^16 + 1}; for that, the calculation of step A uses a seed which makes it possible to calculate not the couples (p, q) themselves but a representative value, called the image of the couples (p, q).
  • The storage step A2) then consists in memorizing this image. This saves memory space since an image is smaller than a prime number p or q, for example 32 bytes compared to 128 bytes.
  • Couples (p, q) are calculated for different probable couples (e, l).
  • The parameter Π will contain the usual values of e, for example 3 and 17.
  • Step A1) comprises an operation of compressing the calculated pairs (p, q), and step A2) then consists in storing the compressed values thus obtained.
  • Step B includes verifying the following conditions for a given couple (e, l):
  • Step B comprises, for a couple (p, q) obtained in step A and a given couple (e, l):
  • The subject of the invention is also a portable secure object capable of generating electronic keys d of an RSA-type cryptography algorithm, characterized in that it comprises at least:
  • communication means to receive at least one couple (e, l), and a memory for storing the results of a step A consisting of:
  • The portable secure object also comprises a program for the implementation of step A, steps A and B being dissociated over time.
  • The portable secure object may be constituted by a smart card.
  • The generation of keys is done in two separate steps.
  • The first step, step A, includes a calculation of pairs of prime numbers (p, q) or of values representative of pairs of prime numbers, called an image.
  • The couples (p, q) obtained are stored. This calculation is cumbersome, and all the more so if a conventional prime number generation algorithm is used.
  • A preferred embodiment for implementing this step makes it possible to lighten the calculations and to limit the memory space necessary for the storage of the couples (p, q) obtained, by storing an image of these couples.
  • The second step, step B, comprises the calculation proper of the key d from the results of step A and the knowledge of the couple (e, l).
  • This calculation includes, for a couple (p, q) obtained in step A and a given couple (e, l):
  • The first step, which corresponds to a relatively cumbersome calculation compared to the second step, can be executed by an entity other than the smart card, for example by a server.
  • The results of the calculation of this first step may be loaded onto a smart card at the time of personalization.
  • The calculation of step A can also be done by the card itself at any time that does not inconvenience the user of the card. For example, this calculation can be done when personalizing the card or later. In practical terms, when using the card to obtain a service, if a private key is required, the public key is provided by the service provider (possibly remotely, if it is not already stored in the card) in order to generate the private key.
  • This generation step (calculation step B) is carried out quickly by the card.
  • The generation of a private key can be done on board, i.e. by the card itself, with a gain of a factor of 10 in execution time compared to the key generation methods known to date.
  • We will describe in the following a preferred embodiment for the implementation of step A.
  • This embodiment is particularly advantageous for embedding in a smart card because it makes it possible to optimize both the memory space and the calculation time.
  • min(p) · min(q) is between 2, * 0 u -l and N, and max(p) · max(q) is between N and 2^l, as requested.
  • This parameter Π is the product of small prime numbers, among which are found in particular 3, 17 and 2^16 + 1, prime numbers generally used as public exponents.
  • The first phase of the method consists in generating and recording a prime number k, of short length with respect to the length of an RSA key, in the interval of whole numbers {…, Π − 1}, (k, Π) being coprime, i.e. having no common factor.
  • The second phase then consists in starting from this number k to construct the first candidate q which satisfies the condition of being coprime with Π.
  • If this first candidate does not satisfy this condition, then it is updated, that is to say that another candidate is chosen until a value of q satisfying the condition is found.
  • One way to test the primality of a number is, for example, to use the Rabin-Miller test.
  • A simple way to implement this algorithm can consist, for each envisaged RSA key length, in storing the values of k and j so as to reconstruct q.
  • Rather than choosing a random number j as indicated in step 2), another embodiment can consist in constructing j from a short random number.
  • This execution mode makes it possible to considerably reduce the memory space requirements because only the values of the seed and of k have to be stored in EEPROM memory.
  • The value of Π is in ROM (in the calculation program).
  • k^(0) = [PRNG2(seed) + b^PRNG3(seed) · (PRNG2(seed) … (Π − 1))] (mod Π), b being an element of order λ(Π) belonging to Z*_Π.
  • f is equal to 2^8. This means that f can be coded on 1 byte, i.e. 8 bits.
  • A last mode of execution making it possible to reduce the memory space consists in storing in the calculation program, that is to say in program memory, several values of Π and the corresponding values of λ(Π) for the different key lengths considered. We can notice that a large value of Π leads to the smallest values for f.
  • The program implementing the method on the card does not need to know the public exponent e a priori. This exponent can therefore be supplied at any time by an application loaded into the card. However, we know that for most applications (more than 95%), the values of e used are the values {3, 17, 2^16 + 1}.
  • The condition required for k^(0) can be obtained by the Chinese remainder theorem.
  • Another alternative may consist, for step A1), in calculating pairs of prime numbers (p, q) for different probable pairs (e, l).
  • The invention proposes a method in two dissociated steps, the second of which, very fast compared to known solutions, can be executed in real time. This method is also inexpensive in memory space.
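As an added example, not code from the patent or its applicant, the two dissociated steps described above in pure Python. Step A builds each prime from a residue k modulo Π, where Π is a product of small primes that includes the usual exponents 3, 17 and 2^16 + 1; k is assembled with the Chinese remainder theorem so that neither a candidate q = k + j·Π nor q − 1 is divisible by any prime in Π, which is exactly what makes every later e in that set acceptable without knowing e in advance. Only (k, j) is stored and q is rebuilt on demand; step B, run once (e, l) is known, reduces to one modular inversion. The function names, the particular primes in Π, the bit lengths and the Miller-Rabin round count are this example's own assumptions.

```python
import math
import secrets

# Small primes making up PI (a constructed choice for this example). 2 keeps
# every candidate odd; 3, 17 and 65537 are the exponents the patent says
# cover more than 95% of applications.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 65537]
PI = math.prod(SMALL_PRIMES)
USUAL_EXPONENTS = (3, 17, 65537)


def random_residue_k():
    """CRT construction of k (the patent's k^(0)): for each prime r | PI pick
    k mod r outside {0, 1}. Then every q = k + j*PI is coprime with PI and
    q - 1 is divisible by none of these primes, so gcd(e, q - 1) = 1 for all
    e in USUAL_EXPONENTS. For r = 2 the only admissible residue is 1."""
    k = 0
    for r in SMALL_PRIMES:
        a_r = 1 if r == 2 else 2 + secrets.randbelow(r - 2)
        m_r = PI // r
        k = (k + a_r * m_r * pow(m_r, -1, r)) % PI
    return k


def is_probable_prime(n, rounds=32):
    """Miller-Rabin (the Rabin-Miller test named in the patent) after trial
    division by the primes in PI."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def step_a_prime(bits):
    """Step A (slow, exponent-independent): return (k, j) such that
    q = k + j*PI is a probable prime of exactly `bits` bits. Only (k, j) is
    stored; all candidates share the residue k, so a failed primality test
    simply moves to the next j inside the target interval."""
    k = random_residue_k()
    j_min = -(-(2 ** (bits - 1) - k) // PI)   # ceiling division
    j_max = (2 ** bits - 1 - k) // PI
    j = j_min + secrets.randbelow(j_max - j_min + 1)
    while not is_probable_prime(k + j * PI):
        j = j + 1 if j < j_max else j_min
    return k, j


def reconstruct(k, j):
    """Rebuild the prime from its stored image (k, j)."""
    return k + j * PI


def step_b_private_key(p, q, e):
    """Step B (fast, on-card): given (e, l) and a stored couple (p, q), check
    gcd(e, lcm(p-1, q-1)) = 1 and return d = e^-1 mod lcm(p-1, q-1), or None
    if the couple cannot serve e (never the case for USUAL_EXPONENTS)."""
    lam = math.lcm(p - 1, q - 1)
    if math.gcd(e, lam) != 1:
        return None
    return pow(e, -1, lam)
```

The bit length is a parameter, so the same code produces the 512-bit primes the text calls conventional; the generalisation to any Π of distinct small primes is the example's, not stated by the page.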

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Calculators And Similar Devices (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0207688A FR2841411B1 (fr) 2002-06-19 2002-06-19 Method for generating electronic keys for a public key cryptography method and secure portable object implementing the method
FR0207688 2002-06-19
PCT/FR2003/001871 WO2004002058A2 (fr) 2002-06-19 2003-06-18 Method for generating electronic keys for a public key cryptography method and secure portable object implementing the method

Publications (1)

Publication Number Publication Date
EP1523823A2 (de) 2005-04-20

Family

ID=29719931

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03760742A Withdrawn EP1523823A2 (de) 2002-06-19 2003-06-18 Method for generating electronic keys for a public key cryptography method and secure portable object using the method

Country Status (6)

Country Link
US (1) US20050226411A1 (de)
EP (1) EP1523823A2 (de)
JP (1) JP4765108B2 (de)
AU (1) AU2003258815A1 (de)
FR (1) FR2841411B1 (de)
WO (1) WO2004002058A2 (de)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7762470B2 (en) 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
US7597250B2 (en) 2003-11-17 2009-10-06 Dpd Patent Trust Ltd. RFID reader with multiple interfaces
US7213766B2 (en) 2003-11-17 2007-05-08 Dpd Patent Trust Ltd Multi-interface compact personal token apparatus and methods of use
WO2008030184A1 (en) * 2006-07-04 2008-03-13 Khee Seng Chua Improved authentication system
US8472620B2 (en) * 2007-06-15 2013-06-25 Sony Corporation Generation of device dependent RSA key
US8170216B2 (en) * 2008-06-18 2012-05-01 Apple Inc. Techniques for validating and sharing secrets
KR20130097985A (ko) * 2012-02-27 2013-09-04 Samsung Electronics Co., Ltd. Method and apparatus for bidirectional communication
EP3562092A1 (de) 2018-04-26 2019-10-30 Thales Dis Design Services Sas Method for generating a cryptographic key on board using a physically unclonable function

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4736423A (en) * 1985-04-30 1988-04-05 International Business Machines Corporation Technique for reducing RSA Crypto variable storage
GB9410337D0 (en) * 1994-05-24 1994-07-13 Cryptech Systems Inc Key transmission system
JPH09261217A (ja) * 1996-03-27 1997-10-03 Nippon Telegr & Teleph Corp <Ntt> Communication device and method therefor
US5884270A (en) * 1996-09-06 1999-03-16 Walker Asset Management Limited Partnership Method and system for facilitating an employment search incorporating user-controlled anonymous communications
US5848159A (en) * 1996-12-09 1998-12-08 Tandem Computers, Incorporated Public key cryptographic apparatus and method
US6192474B1 (en) * 1998-07-31 2001-02-20 Lucent Technologies Inc. Method for establishing a key using over-the-air communication and password protocol and password protocol
JP3518672B2 (ja) * 1998-11-27 2004-04-12 Murata Machinery, Ltd. Prime number generation device and cryptographic system
WO2000046946A2 (fr) * 1999-01-27 2000-08-10 France Telecom Method, system and device for proving the authenticity of an entity and/or the integrity and/or authenticity of a message
US6868160B1 (en) * 1999-11-08 2005-03-15 Bellsouth Intellectual Property Corporation System and method for providing secure sharing of electronic data
FR2807246B1 (fr) * 2000-03-28 2002-12-27 Gemplus Card Int Method for generating electronic keys from coprime integers and device for implementing the method
FR2811442B1 (fr) * 2000-07-10 2002-09-13 Gemplus Card Int Method for generating an electronic key from a prime number contained in a given interval and device for implementing the method
US6959091B1 (en) * 2000-07-28 2005-10-25 Atmel Corporation Cryptography private key storage and recovery method and apparatus
US7016494B2 (en) * 2001-03-26 2006-03-21 Hewlett-Packard Development Company, L.P. Multiple cryptographic key precompute and store
US7120248B2 (en) * 2001-03-26 2006-10-10 Hewlett-Packard Development Company, L.P. Multiple prime number generation using a parallel prime number search algorithm
TWI244610B (en) * 2001-04-17 2005-12-01 Matsushita Electric Industrial Co Ltd Information security device, prime number generation device, and prime number generation method
JP4457651B2 (ja) * 2003-11-27 2010-04-28 NEC Corporation Proving device, proving method and program
FR2879866B1 (fr) * 2004-12-22 2007-07-20 Sagem Method and device for executing a cryptographic calculation
US20080123842A1 (en) * 2006-11-03 2008-05-29 Nokia Corporation Association of a cryptographic public key with data and verification thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
JOYCE M ET AL: "EFFICIENT GENERATION OF PRIME NUMBERS", CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS. 2ND INTERNATIONAL WORKSHOP, CHES 2000, WORCHESTER, MA, AUG. 17 - 18, 2000 PROCEEDINGS; [LECTURE NOTES IN COMPUTER SCIENCE], BERLIN : SPRINGER, DE, vol. 1965, 17 August 2000 (2000-08-17), pages 340 - 354, XP001049142, ISBN: 978-3-540-41455-1 *
MARC JOYE ET AL: "Constructive Methods for the Generation of Prime Numbers (*** Submission to NESSIE ***)", 13 September 2001 (2001-09-13), XP055190231, Retrieved from the Internet <URL:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.8.1212&rep=rep1&type=pdf> [retrieved on 20150519] *
See also references of WO2004002058A3 *

Also Published As

Publication number Publication date
JP2005530212A (ja) 2005-10-06
FR2841411B1 (fr) 2004-10-29
WO2004002058A3 (fr) 2004-04-15
JP4765108B2 (ja) 2011-09-07
FR2841411A1 (fr) 2003-12-26
AU2003258815A1 (en) 2004-01-06
US20050226411A1 (en) 2005-10-13
WO2004002058A2 (fr) 2003-12-31

Similar Documents

Publication Publication Date Title
FR2948793A1 (fr) Secure method for reconstructing a reference measurement of confidential data from a noisy measurement of that data, in particular for generating cryptographic keys
EP1459479A2 (de) Cryptographic system for a group signature
EP2296086B1 (de) Side-channel-attack-resistant generation of prime numbers
WO2000042734A1 (fr) Cryptographic method with public and private keys
EP2415199B1 (de) Method for performing a cryptographic task in an electronic component
EP1166496B1 (de) Method and device for authentication and digital signature generation of a message, with the help of smaller challenge data
EP0795241B1 (de) Public-key encryption method based on the discrete logarithm
EP1523823A2 (de) Method for generating electronic keys for a public key cryptography method and secure portable object using the method
EP0909495B1 (de) Public-key cryptographic method
EP1807967B1 (de) Method for secure delegation of a bilinear function calculation
EP3857810B1 (de) Cryptographic method for securely comparing two secret data x and y
EP1520370B1 (de) Cryptographic method and devices for enabling calculations during transactions
FR2834153A1 (fr) Cryptographic method for distributing the load between several entities, and devices for implementing this method
EP3729720B1 (de) Cryptographic method for group signature
WO2025261942A1 (fr) Device and method for generating a blind signature of a message
FR2837335A1 (fr) Cryptographic method and system
FR3160253A1 (fr) Method for determining a modular inverse, associated electronic device and computer programs.
EP4540956A1 (de) Method for homomorphically determining the sign of a message by dilation, associated methods and devices
WO2003010921A1 (fr) Method for generating electronic keys for implementing a cryptographic algorithm, smart card implementing the method
FR2892875A1 (fr) Method for securing payments by splitting amounts
Robert THE ORGANISATION OF MODERN CRYPTOLOGY
WO2003023606A1 (fr) Method for calculating an exponentiation in a group and its application to user authentication
FR2903258A1 (fr) Public-key cryptographic system and method for authentication of a first entity by a second entity

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050119

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

DAX Request for extension of the european patent (deleted)
RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

17Q First examination report despatched

Effective date: 20100714

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/30 20060101ALI20150519BHEP

Ipc: G06F 7/72 20060101ALI20150519BHEP

Ipc: H04L 9/08 20060101AFI20150519BHEP

INTG Intention to grant announced

Effective date: 20150612

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20151023