EP1820297A1 - Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model - Google Patents
Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model
- Publication number: EP1820297A1
- Authority: EP (European Patent Office)
- Prior art keywords: signature, during, mod, message, coupon
- Prior art date:
- Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
          - H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
            - H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
            - H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/68—Special signature format, e.g. XML format
Definitions
- The invention relates to provably secure electronic signature methods based on the Diffie-Hellman problem.
- The invention also relates to associated verification methods and signature schemes. Certain methods according to the invention can be implemented "on the fly", which allows rapid generation of an electronic signature once certain precomputations have been performed. This makes the invention particularly useful for portable objects with low computing resources, such as a smart card.
- An electronic signature of a message is one or more numbers that depend both on a secret key known only to the signer and on the content of the message to be signed.
- An electronic signature must be verifiable: a third party must be able to verify the validity of the signature without needing to know the signer's secret key.
- A signature scheme consists of three processes (GEN_S, SIGN_S, VER_S):
- GEN_S is the process for generating the public and private keys;
- SIGN_S is the signature generation process;
- VER_S is the signature verification process. There are many electronic signature schemes. The best known are:
- the RSA signature scheme: the most widely used electronic signature scheme; its security is based on the difficulty of factoring large numbers;
- Rabin's signature scheme: its security is also based on the difficulty of factoring large numbers;
- El Gamal-type signature schemes: their security is based on the difficulty of the discrete logarithm problem.
- The discrete logarithm problem consists in determining, if it exists, an integer x such that y = g^x, where y and g are two elements of a set E having a group structure.
- The random oracle model is an idealised model in which every hash function is treated as a perfectly random function.
- Since a hash function is not a perfectly random object, a proof in the random oracle model is generally regarded as an indication that the scheme is correctly constructed, but not as a perfect guarantee of the scheme's security in practical use.
- A "loose" proof uses the attacker to solve the hard problem with a probability that is low compared to the attacker's success probability.
- A "tight" proof solves the hard problem with a probability very close to the attacker's. A "tight" proof is therefore a much better security guarantee for a signature scheme.
- the EDL scheme includes the key generation method, the signature method and the verification method described below.
- I Is • p, a prime integer of I
- H M x ⁇ 0, l ⁇ Mr
- The signature process makes it possible to sign a message m ∈ M. For this, we first generate a random integer r of
- The verification process makes it possible to check that a signature (z, r, s, c) is indeed the signature of a message m ∈ M:
- h' = H(m, r)
- u' = g^s · y^(-c) mod p
- v' = h'^s · z^(-c) mod p.
- The EDL signature scheme produces a signature of |p| + 2
- 111 and already have a comfortable level of security.
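The EDL verification equations quoted above, carried through in a runnable toy implementation so that the role of each of z, r, s and c can be seen. This is an added example, not code from the patent or its inventor: the page states only the signature form (z, r, s, c) and the three verification equations. Key generation, the signing steps, the two hash functions H (into the group) and G (into Z_q), and the group parameters are assumptions that follow the standard EDL scheme as analysed by Goh and Jarecki; the 62-bit toy group is chosen so the code runs instantly and gives no real security.

```python
# Toy EDL signature (sign / verify). Added example, not the patent's code.
# Assumed: key generation, signing, hash functions H and G and the group
# parameters follow the standard EDL scheme (Goh and Jarecki); the page
# itself gives only the signature form (z, r, s, c) and the equations
# h' = H(m, r), u' = g^s * y^-c mod p, v' = h'^s * z^-c mod p.
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are exact for n < 3e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Toy group (assumption): q = 2^61 - 1 (Mersenne prime), p = K*q + 1 prime,
# g = 2^K mod p of order q. About 62 bits: fast to run, far too small to use.
Q = 2 ** 61 - 1
K = next(k for k in range(2, 10_000, 2) if is_prime(k * Q + 1))
P = K * Q + 1
G = pow(2, K, P)
assert G != 1 and pow(G, Q, P) == 1


def hash_to_group(m: bytes, r: bytes) -> int:
    """H(m, r): map message and random salt into the order-q subgroup."""
    for ctr in range(256):
        d = hashlib.sha256(b"H|" + m + b"|" + r + bytes([ctr])).digest()
        h = pow(int.from_bytes(d, "big") % P, K, P)  # K-th power has order q
        if h not in (0, 1):
            return h
    raise RuntimeError("no suitable group element found")


def hash_to_scalar(*values: int) -> int:
    """G(g, h, y, z, u, v): challenge hash into Z_q."""
    data = b"G|" + b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """GEN_S: secret x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(m: bytes, x: int):
    """SIGN_S: z = h^x plus a non-interactive proof that log_g y = log_h z."""
    y = pow(G, x, P)
    r = secrets.token_bytes(16)        # the random r carried in the signature
    h = hash_to_group(m, r)
    z = pow(h, x, P)
    k = secrets.randbelow(Q - 1) + 1   # proof nonce; must never be reused
    u, v = pow(G, k, P), pow(h, k, P)
    c = hash_to_scalar(G, h, y, z, u, v)
    s = (k + c * x) % Q
    return z, r, s, c


def verify(m: bytes, sig, y: int) -> bool:
    """VER_S: the page's three equations, then recompute and compare c."""
    z, r, s, c = sig
    # Reject malformed input: z must be a non-trivial element of order q.
    if not (1 < z < P and pow(z, Q, P) == 1 and 0 <= s < Q and 0 <= c < Q):
        return False
    h_prime = hash_to_group(m, r)
    # y and z have order q, so y^-c mod p equals y^((-c) mod q).
    u_prime = pow(G, s, P) * pow(y, (-c) % Q, P) % P
    v_prime = pow(h_prime, s, P) * pow(z, (-c) % Q, P) % P
    return hash_to_scalar(G, h_prime, y, z, u_prime, v_prime) == c


def demo():
    """Sign a constructed message; genuine verifies, altered copies do not."""
    x, y = keygen()
    msg = b"constructed message: pay 10 EUR to account 42"
    sig = sign(msg, x)
    z, r, s, c = sig
    return (
        verify(msg, sig, y),                      # genuine
        verify(msg + b"!", sig, y),               # message altered
        verify(msg, (z, r, (s + 1) % Q, c), y),   # signature altered
    )


if __name__ == "__main__":
    print(demo())
```

Running the file signs a constructed message and reports whether the genuine signature verifies and whether a modified message or a modified s still passes. The verifier never learns x: g^s · y^(-c) collapses to g^k and h'^s · z^(-c) to h^k exactly when s = k + c·x, so recomputing the challenge from those two values is what ties z = h^x to the public key y = g^x.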
- A signature scheme is of the "on the fly" type when the generation of the signature can be split into two distinct phases: a precomputation phase, during which a piece of data independent of the message to be signed (called a coupon) is precomputed, and the signature generation phase proper, during which a signature of a message m is computed from the precomputed data; this last phase must be executable quickly.
- The same coupon may only be used once.
- "On the fly" signature schemes are therefore particularly useful for portable objects with low computing resources, such as a smart card. Such schemes allow the portable object to generate the signature quickly, whereas this would not be possible with a conventional signature scheme requiring far greater computing resources.
- The EDL scheme in its initial version is not intended to be implemented "on the fly" with coupons.
- The above conversion method can be applied to the EDL scheme to obtain an "on the fly" signature with a "tight" security proof in the random oracle model.
- The drawback of the conversion method is that it doubles the size of the public key and the size of the signature, and that it also increases the signature verification time. The total signature generation time (precomputation + generation) is itself increased.
- The aim of the invention is to propose new signature methods based on the Diffie-Hellman problem that are as secure as the EDL signature method (that is, having a "tight" security proof) but produce shorter signatures than the EDL method.
- Certain methods according to the invention can be put into an "on the fly" form using coupons, which is much faster than the EDL method.
- The invention also proposes, for each signature method according to the invention, a verification method and an associated signature scheme.
- a method according to the invention implements a set of parameters, in particular:
- the method of electronic signature of a message m according to the invention comprises the following steps, consisting in:
- E3: produce an electronic signature of the message m equal to (z, s, c).
- the signature (z, s, c) produced comprises only three numbers z, s and c and has a size equal to
- 111 bits.
- Step E1 is carried out one or more times and a coupon (k, u, v, h, z) is stored at the end of each step E1; then
- steps E2 and E3 are carried out for each message m to be signed, using a coupon (k, u, v, h, z) stored during the initialization step.
- Step E1 is carried out one or more times and a coupon (k, u, v, z) is stored at the end of each step E1; then
- The two embodiments entail no additional cost (in hardware resources or computation time) for the person verifying the resulting signature, since that person does not need to compute a chameleon-type hash function based on an exponentiation.
- The second embodiment uses smaller coupons to store:
- the coupons comprise five numbers, i.e. a total of 4.
- the coupons comprise four numbers, i.e. a total of 3.
- The signature computation time is a little longer than in the first embodiment, because h has to be recomputed.
- Step E1 is carried out one or more times and a coupon (k, z, t) is stored at the end of each step E1; then
- steps E2 and E3 are carried out for each message m to be signed, using a coupon (k, z, t) stored during the initialization step.
- The coupon is even smaller here (only three numbers, totalling
- This coupon variant has no cost for the person verifying the signature: that person does not need to compute a chameleon-type hash function based on a multi-exponentiation.
- The so-called "on-line" steps, that is, steps E2 and E3 carried out when a signature is requested, involve only the computation of a hash function, a modular addition and a modular multiplication, which is equivalent to the most efficient signature methods known to date (in terms of computation time), in particular the Schnorr, Girault-Poupard-Stern and Poupard-Stern methods.
- This fourth embodiment is in practice an improvement of the conventional EDL method and differs somewhat from the other three embodiments.
- This embodiment cannot be implemented on the fly in a simple manner and without additional cost, unlike the first three embodiments.
- The invention also relates to a method for verifying an electronic signature (z, s, c) of a message m obtained by a signature method according to the invention as described above. If the signature method is implemented according to the first or second embodiment, the associated verification method comprises the following steps, consisting in:
- the associated verification method comprises the following steps, consisting in:
- the associated verification method comprises the following steps, consisting in:
- The invention also relates to an electronic signature scheme with proven "tight" security in the random oracle model, during which, successively:
- The invention finally relates to a portable electronic component comprising means for implementing a signature method and/or a verification method and/or a signature scheme according to the invention.
- Such an electronic component is, for example, a smart card, or else a secure electronic chip (TPM, Trusted Platform Module) intended for use in a conventional, non-secure PC-type computer.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0411789A FR2877788B1 (fr) | 2004-11-05 | 2004-11-05 | Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model |
PCT/EP2005/055347 WO2007065468A1 (fr) | 2004-11-05 | 2005-10-18 | Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model |
Publications (1)
Publication Number | Publication Date |
---|---|
EP1820297A1 true EP1820297A1 (fr) | 2007-08-22 |
Family
ID=34952518
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP05858607A Withdrawn EP1820297A1 (fr) | 2004-11-05 | 2005-10-18 | Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model |
Country Status (4)
Country | Link |
---|---|
US (1) | US20090138718A1 (fr) |
EP (1) | EP1820297A1 (fr) |
FR (1) | FR2877788B1 (fr) |
WO (1) | WO2007065468A1 (fr) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100280873A1 (en) * | 2009-04-30 | 2010-11-04 | Bryant Justin K | Electronic coupon storage and manipulation system and method |
EP3876155B1 (fr) | 2020-03-02 | 2023-02-22 | Nxp B.V. | RFID device and method of operating an RFID device |
US20230224165A1 (en) | 2020-06-02 | 2023-07-13 | Nec Corporation | Signature verification system, signature apparatus, signature verification method, and program |
JP7452646B2 (ja) | 2020-06-02 | 2024-03-19 | NEC Corporation | Signature verification system, signature verification method, and program |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080082446A1 (en) * | 1999-10-01 | 2008-04-03 | Hicks Christian B | Remote Authorization for Unlocking Electronic Data System and Method |
US7020776B2 (en) * | 2000-06-22 | 2006-03-28 | Microsoft Corporation | Cryptosystem based on a Jacobian of a curve |
EP1815636B1 (fr) * | 2004-11-11 | 2012-02-22 | Certicom Corp. | New trapdoor one-way function on elliptic curves, and application to enable asymmetric encryption and shorter signatures |
- 2004
  - 2004-11-05 FR FR0411789A patent/FR2877788B1/fr not_active Expired - Fee Related
- 2005
  - 2005-10-18 EP EP05858607A patent/EP1820297A1/fr not_active Withdrawn
  - 2005-10-18 WO PCT/EP2005/055347 patent/WO2007065468A1/fr active Application Filing
  - 2005-10-18 US US11/667,062 patent/US20090138718A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See references of WO2007065468A1 * |
Also Published As
Publication number | Publication date |
---|---|
WO2007065468A1 (fr) | 2007-06-14 |
US20090138718A1 (en) | 2009-05-28 |
FR2877788A1 (fr) | 2006-05-12 |
FR2877788B1 (fr) | 2007-01-05 |
Similar Documents
Publication | Title |
---|---|
EP2296086B1 (fr) | Protection of prime number generation against side-channel attacks |
WO2007074149A1 (fr) | Cryptographic method comprising a modular exponentiation secured against side-channel attacks, cryptoprocessor for implementing the method and associated smart card |
EP2415199B1 (fr) | Method for performing a cryptographic task in an electronic component |
EP0346180B1 (fr) | Secure data communication device |
EP3334121A1 (fr) | Method for generating an electronic signature of a document associated with a digest |
EP1145483B1 (fr) | Authentication or signature method with a reduced number of computations |
WO2006103149A1 (fr) | Cryptographic method and device for protecting public-key logic against fault attacks |
EP1820297A1 (fr) | Method for generating a signature with a "tight" security proof, associated verification method and signature scheme based on the Diffie-Hellman model |
FR2748877A1 (fr) | Reduced-bandwidth digital signature protocol |
EP0909495B1 (fr) | Public-key cryptography method |
WO2006030107A1 (fr) | Data processing method, electronic entity and microcircuit card, in particular for securely decrypting or signing a message |
EP0963638B1 (fr) | Digital signature method |
EP0666664B1 (fr) | Method for digital signature and message authentication using a discrete logarithm with a reduced number of modular multiplications |
FR2752122A1 (fr) | Authentication method with a reduced number of transmitted bits |
EP1520370B1 (fr) | Cryptographic method and devices for lightening computations during transactions |
EP2587716A1 (fr) | Method for cryptographically signing messages, signature verification method and corresponding signature and verification devices |
EP0980607A1 (fr) | Pseudo-random generator based on a hash function for cryptographic systems requiring the drawing of random values |
WO1998037662A1 (fr) | Cryptographic system comprising an encryption and decryption system and a key escrow system, and associated apparatus and devices |
EP4239944A1 (fr) | Method for cryptographically signing data, associated electronic device and computer program |
WO2006045660A2 (fr) | Method for generating an on-the-fly signature with security proof |
FR3143243A1 (fr) | Secure message signing and decryption by double RSA-CRT |
WO2000064097A1 (fr) | Signature verification or authentication method |
FR2842968A1 (fr) | Method for obtaining an electronic signature with a guarantee on its security |
WO2003013053A1 (fr) | Method for determining the size of a random value for an electronic signature scheme |
WO2006064112A2 (fr) | Data processing method using a pairing function and associated device |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
AX | Request for extension of the European patent | Extension state: AL BA HR MK YU |
RIC1 | Information provided on IPC code assigned before grant | IPC: H04L 9/32 20060101AFI20070807BHEP |
RIN1 | Information on inventor provided before grant (corrected) | Inventor name: CHEVALLIER-MAMES, BENOIT |
17P | Request for examination filed | Effective date: 20071214 |
RBV | Designated contracting states (corrected) | Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
DAX | Request for extension of the European patent (deleted) | |
17Q | First examination report despatched | Effective date: 20080407 |
GRAP | Despatch of communication of intention to grant a patent | Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
GRAS | Grant fee paid | Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20090818 |