EP2277279A1

EP2277279A1 - Method for encoded data exchange, and communication system

Info

Publication number: EP2277279A1
Application number: EP09749677A
Authority: EP
Inventors: Michael Braun; Anton Kargl; Bernd Meyer
Original assignee: Siemens AG
Current assignee: Siemens AG
Priority date: 2008-05-20
Filing date: 2009-03-24
Publication date: 2011-01-26
Also published as: EP2124382A1; WO2009141187A1; CN102037675A; US20110107097A1

Abstract

The invention relates to a method for encoded data exchange between users of a communication system with the help of a cryptographic process based on elliptic curves. In said method, the second user calculates a scalar multiplication at the request of a first user, and only part of the result of the scalar multiplication is sent back to the first user as a response. The invention also relates to a communication system.

Description

description

Method for encrypted data exchange and communication system

The invention relates to a method for encrypted data exchange between subscribers of a communication system and a communication system.

The present invention is in the field of communication technology and in particular in the field of contactless communication for the purpose of identification. Although applicable in principle to any communication systems, the present invention and the problem on which it is based are described below with reference to so-called RFID systems.

Communication systems and their applications explained. RFID stands for "Radio Frequency Identification". For the general background of this RFID technology reference is made to the "RFID Handbook" by Klaus Finkenzeller, Hansa-Verlag, third updated edition, 2002.

In RFID systems known today, an electromagnetic signal emitted by a base station (or reading station or reader) is typically picked up by a passive transponder (or tag) which uses it to obtain the energy required in the transponder. In most UHF or microwave-based RFID systems, in addition to this unidirectional energy transmission, a typically bi-directional data communication based on a so-called challenge / response method is also carried out. The base station continuously sends out request signals (data request, challenge), which are only answered when a corresponding transponder is within the effective range of this base station. In this case, the transponder located in the immediate vicinity of the base station reacts with a

Response signal. Such RFID transponders are used, for example, for marking objects, such as goods, documents and the like. In contrast to conventional wire-based data communication, data communication between the base station and a corresponding transponder takes place almost independently and to a certain extent in the background without a user having to be present at all. This means that the data communication is recorded as soon as an authenticated transponder is within the effective range of the associated base station. While, for example, when reading out a data carrier, such as a floppy disk, a USB stick or the like, the user must consciously bring this into contact with a corresponding reading device and, in the case of a wired data communication, also consciously initiate the data communication from the user this is not the case with RFID-based wireless data communication.

This has some significant advantages, e.g. in the identification in the logistics sector, in department stores, etc. However, this technology of RFID-based data communication also has some disadvantages that must be considered in many applications.

Such a problem relates to the reading of data contained in an RFID transponder by an unauthorized user (attacker), in particular if this data is security-critical data. For these reasons, an RFID-based data communication system also typically includes a security mechanism that secures, for example, data communication by modulating a security code from the base station to the transmit signal, which can then be decoded and evaluated by the transponders allowed to communicate with the data. After successful evaluation, the transponder allowed on the data communication sends a response signal, which also contains a security code, back to the base station, which can then be evaluated for authentication of the transponder in the base station. By means of this authentication, it is ensured in the base station that unnoticed no unauthorized user can couple into the data communication and thus read security-critical data.

An essential constraint in transponder-based data communication is that the simplest and quickest possible data communication between base station and transponder should take place. On the one hand, this is due to the fact that the transponder typically has only low resources, that is, on the one hand, low energy resources and, on the other hand, low memory and computational resources, so that the smallest possible amount of data should typically be evaluated and authenticated during authentication. On the other hand, this authentication should also be carried out as quickly as possible, since, especially in the case of dynamic RFID-based data communication systems, the transponder to be authenticated is very often within the range of action of the respective base station for only a small amount of time. Within this short period of time, on the one hand, a data communication connection must be set up, authenticated, and then the data exchanged.

To ensure the data communication between base station and transponder, for example, a cryptographically secured data communication based on asymmetric cryptographic methods can take place. Essential for these cryptographic encryption methods is that a reversal, that is, a determination of the private key from the public key, in a reasonable time with the available computing capacity is hardly manageable.

It has proven to be advantageous to use cryptographic encryption algorithms based on elliptic curves, since these provide high security with short key lengths. Such cryptographic encryption Selection procedures based on elliptic curves are very efficient, which is in particular due to the fact that, in contrast to other known cryptographic methods, no attack method with subexponential propagation time is known in these methods. In other words, this means that the security gain per bit of the security parameters used is higher in the case of elliptic curve-based methods and thus significantly shorter key lengths can be used for practical applications. Thus, cryptographic methods based on elliptic curves are more efficient and require a lower bandwidth for the transmission of the system parameters than other cryptographic methods with a comparable degree of achievable security.

The cryptographic methods thus represent a compromise between the security to be expected and the computational effort involved in encrypting data.

In the German patent application DE 101 61 138 Al is shown that a determination of the scalar multiple of a

Point alone on the basis of the X coordinate of this point already without consulting the Y coordinate is possible. Corresponding calculation rules are also described for any body in this document. As a result, much more efficient implementations of point arithmetic, such as a Montgomery ladder, can be achieved for scalar multiplications, a lower number of body multiplies per point addition, and a smaller number of registers for dot representation of the intermediate results.

European Patent Application EP 1 675 300 A1 describes an authentication method between subscribers of a communication system in which, using bilinear mappings, a cryptographic encryption of the data communication between the subscribers of the communication system takes place. This cryptographically secured data communication is based on elliptic curves using a challenge-response method. The publication "The Static-Diffie-Hellman Problem" by Daniel RL Brown and Robert P. Gallant of June 23, 2005 describes a new attack on cryptographic methods whose security is based on the discrete logarithm problem in a finite group. This is particularly applicable to elliptic curves. The described attack can then be carried out efficiently if an attacker has a device available (called "oracle" in the literature) which contains a secret scalar s and the attacker is given the result of the calculation T = sU when an arbitrary point U is entered. So the result point T of scalar multiplication, returns. In particular, the attack requires a sequence of points PO, Pl, P2,..., Pn on the elliptic curve, where Pj_ = SP-J __; L. This attacker scenario is given in particular in the method described in the German patent application DE 101 61 138 A1, which is particularly suitable for applications on systems with limited storage space and low available computing power.

Against this background, the object of the present invention is to provide an authentication for wireless data communication, which is not compromised by the attack disclosed above. Furthermore, the object of the invention to provide an authentication for a wireless data communication, for which in particular a lower computational effort with consistently high security is needed and which is especially fast.

According to the invention, this object is achieved by a method having the features of patent claim 1 and / or by a communication system having the features of patent claim 20.

Accordingly, it is provided:

A method for encrypted data exchange between subscribers (2, 3) of a communication system (1) using Use of cryptography based on elliptic curves, in which a result of a first scalar multiplication is calculated on the basis of a request from a first subscriber (2) from the second subscriber (3). With the aid of a noninjective mapping, a function value is determined from the result of the scalar multiplication, so that the function value does not allow a clear conclusion on the result. Finally, the determined function value is sent in response back to the first subscriber (2).

A communication system for the authentication of the participants of the communication system using an encryption method according to the invention.

The idea on which the present invention is based, in the case of authentication between two subscribers of a communication system and, in particular, when a reply signal is transmitted from a transponder back to a base station, feeds the data to be transmitted back to a non-injective image, so that the data thus determined Function values do not allow a clear conclusion on the result. The fact that, for example, the complete x-coordinate of the result point is no longer output, but a function value calculated therefrom, which no longer allows a clear reconstruction of the x-coordinate, the iteration of the scalar multiplication using the oracle is no longer possible for the described attack and the attack is repelled.

In a particularly advantageous embodiment of the present invention, in the authentication between two subscribers of a communication system and in particular in the transmission of a response signal from a transponder back to a base station, this data to be transmitted back to the non-injective image is reduced.

In the authentication of a transponder by a base station is typically a on a Challenge-Response- Method based authentication protocol used. According to this authentication protocol, for example, the transponder calculates a scalar multiplication in response to a request from the base station and, as a result, obtains an x-coordinate in an affine representation. In previously known methods, the transponder returned the complete affine x-coordinate as a response signal to the base station during retransmission of the response.

The finding underlying the advantageous embodiment of the invention consists in the fact that the transponder does not have to send the complete values back to the base station for the transmission of the affine representation of the x-coordinate. Rather, it is sufficient if the value is at least partially returned. Even with this almost incomplete answer then the base station is still able to make an authentication with relatively high security.

In a further advantageous embodiment of the present invention, for example, the transponder calculates a scalar multiplication in response to a request from the base station and, as a result, obtains an x-coordinate in a projective representation. This projective representation contains two values (X, Z) that can be displayed in binary representation next to one another. In previously known methods both values, that is, the pair (X, Z) of the x-coordinate, were sent back to the base station as response signal by the transponder in the retransmission of the response.

The finding underlying the advantageous embodiment of the invention consists in the fact that the transponder does not have to send both values back to the base station for the transmission of the projective representation of the x-coordinate. Rather, it is sufficient if only one of these two values is completely returned and the second value in each case at least partially returned. Even with this almost incomplete answer is then the base station still able to authenticate with relatively high security.

The particular advantage of both listed embodiments is that it allows the response data transmitted back from the transponder to be reduced, which reduces the total amount of response data to be transmitted for authentication. As a result, the transponder requires less time for retransmission, authentication and the associated computation operations. In addition, in these embodiments as well, the Static Diffie Hellman attack is rejected because the complete x-coordinate of the result point is no longer output in affine or projective representation, and thus the iteration of scalar multiplication using the oracle required for the described attack is no longer possible. Overall, this makes the entire authentication process significantly easier and faster, without any loss of security during authentication.

For example, the transponder transmits only a part, for example half, of the value of the affine x-coordinate or of one of the two values of the projectively represented x-coordinate. According to the invention this is realized in that, for example, only the upper part or the upper half or the lower part or the lower half of the corresponding calculated value of the x-coordinate is transmitted back. The base station then checks whether this part or half of the value coincides with the corresponding part or half of the value corresponding to this calculated value. Only if the part or half of the bits are identical, the transponder that transmits the response data is accepted as authentic by the base station. The authentication method according to the invention with the variant of the data reduction in certain applications of the transponder, in which the transponder transmits projectively represented coordinates in response, has various advantages:

The amount of bits to be transmitted in the x-coordinate in the projective representation is significantly reduced. In the case mentioned above, in which only half of the bits of one of the two values is transmitted, the total amount of data to be transmitted is then reduced by half in the affine case and by one fourth in the projective case.

The data reduction causes only a negligible reduction in security in many applications, such as in the authentication protocol specified in the present patent application. It is a well-known result of cryptography that an elliptic curve suitable for cryptographic applications over a finite field GF (2 ^d ) provides only a security of 2 ^{d / 2} . That is, although elements of the body having a length of d bits are used, the security of this type of authentication using a public key corresponds to only a key length of d / 2. Thus, from the point of view of an unauthorized user, it is just as difficult to break the authentication procedure and thereby access the secret key of the transponder, as in the case of the above-described authentication method according to the invention with a reduced amount of data, to provide a valid answer during the response retransmission. Depending on the application and the security requirement specified there or also required, it is possible to further reduce the number of bits of the x-coordinate proportionately transmitted by the transponder to the base station.

The non-transmitting bits represent a randomly generated secret known only to the transponder and the base station involved in the data communication. These Untransmitted bits can be used, for example, as keys in subsequent protocol steps of the authentication method according to the invention. This means that in the inventive authentication method with data reduction by only partial transmission of x-

Coordinates the protocol for (one-sided) authentication to a protocol for (one-sided) authentication with key agreement is extended.

In a variant of the authentication method according to the invention, if the transponder can perform divisions in the finite field and thus calculate the affine representation of the coordinates of the response, the authentication method can also be applied to the affine value in the manner described. In this case, the number of bits to be transmitted also reduces significantly, typically to half of the bits to be transmitted.

Advantageous embodiments and further developments of the invention düng emerge from the other dependent claims and from the description in conjunction with the figures of the drawing.

The invention will be explained in more detail with reference to the embodiments indicated in the drawings. Showing:

Fig. Ia, Ib examples of an elliptic curve;

Fig. 2 is an example of addition using an elliptic curve;

3 shows the structure of a communication system according to the invention on the basis of a block diagram; 4 shows a flow diagram for the representation of the inventive authentication method on the basis of elliptic curves;

5a-5c are schematic representations for explaining the

Method for data reduction of the response data and the method for comparing this data-reduced response data with calculated response data.

In the figures of the drawing are identical and functionally identical elements, features and signals, unless otherwise stated, provided with the same reference numerals.

The authentication method according to the invention has a new security protocol, which is based on an arithmetic for elliptic curves. Before describing the authentication method according to the invention, therefore, the most important properties of elliptic curves will first be explained with reference to FIGS. 1a and 1b.

An elliptic curve over a finite field (Galois-FeId) GF (2 ^d ) is the zero set of the cubic equation

y ² + xy = y ³ + ax ² + b. (1)

Here x and y denote variables and the coefficients a and b with b ≠ O denote coefficients in the Galois field GF (2 ^d ).

In FIGS. 1a and 1b, two elliptic curves are shown as an example over the real numbers.

With the addition of an infinitely distant point as a neutral element, this set of zeros forms an additive group whose group law can be geometrically interpreted, at least for elliptic curves, over the real bodies. Such an additive group consists of a set of numbers and an addition (group operation). In addition, there are This group is a neutral element that does not change its value (for example, zero) when added to a number from the set of numbers. Furthermore, an inverse element exists for each value of the number set, so that when the corresponding value is added to the inverse element, the neutral element is obtained. Two results from the algebraic geometry are essential (see FIG. 2):

Each line intersects an elliptic curve in three points that are not necessarily different. For two, not necessarily different points, a third point can be calculated so that the sum of the three points represents the neutral element. If P and Q (with P ≠ - Q) are two points and g is the straight line through these points P, Q, then this line g intersects the elliptic curve at a third point R. By mirroring R at the X-axis one obtains S = P + Q. For the case P = -Q the slope of g is infinite and the third intersection R is the infinite far point.

Analogous to the definition of scalar multiplication in vector spaces, scalar multiplication is defined on elliptic curves. Let P be a point of an elliptic curve and let k be a natural number. The scalar multiplication k * P corresponds to a k-times addition of P to itself. This scalar multiplication k * P forms the essential building block in cryptographic systems based on elliptic curves. For cryptographically strong elliptic curves, scalar multiplication is a one-way function, ie it can be calculated in polynomial time, but according to current research and technology, it can only be inverted in exponential time. An efficient algorithmic reconstruction of the scalar is therefore difficult to imagine. This one-way function forms the basis for cryptographic authentication methods based on elliptic curves.

A well-known method for implementing such scalar magnifications based on elliptic curves is the so-called Montgomery ladder or Montgomery algorithm. The Montgomery ladder can be implemented in such a way that only the x-coordinate of P and only additions and multiplications in the Galois field GF (2 ^d ) are used to calculate the x-coordinate of a scalar multiple of a point P. There are no elaborate inversions required here. The two-sided authentication method according to the invention described below is based on this Montgomery algorithm.

Before the two-sided authentication method according to the invention is described, the basic structure of a communication system according to the invention is first explained in more detail below with reference to the block diagram in FIG.

In Fig. 3, reference numeral 1 denotes a communication system, for example, an RFID communication system. The RFID communication system 1 contains a first subscriber (base station 2) and at least one second subscriber (transponder 3). Base station 2 and transponder 3 are in a bidirectional communicative connection via a wireless communication link 4. The communication system 1 can be designed, for example, as a so-called master-slave communication system 1, wherein the base station 2 acts as a master, for example, and the transponder or transponders 3, for example, each as a slave.

The base station 2 comprises a control device 5, a transmitting / receiving device 6 and a transmitting / receiving antenna 7. In the same way, the transponder also comprises a control device 8, a transmitting / receiving device 9 and a common transmitting / receiving antenna 10.

The transmitting / receiving antennas 7, 10 can be designed as inductive coil antennas or else as dipole antennas.

In the respective control devices 5, 8, the flow of data communication is controlled. Typically, this contains se control device for this purpose, a computing device (arithmetic unit, CPU), in which the arithmetic operations are performed in particular for the authentication. The control devices 5, 8 can be designed, for example, as a program-controlled device, such as, for example, as a microcontroller or microprocessor, or else implemented in a hard-wired logic circuit.

The control device 5 of the base station 2 is designed to transmit high-frequency carrier signals 11 to the antenna 10 of the transponder 3 via the antenna 7. In the same way, the control device 8 and the transceiver 9 of the transponder 3 are designed to send back corresponding response signals 12 to the base station 2 in response to the transmitted carrier signals 11.

The base station 2 also has an evaluation device 14. This evaluation device 14 is arranged in the receiving path 21 of the base station 2 and arranged downstream of the receiver of the transmitting / receiving device 6. In the same way, the transponder 3 has an evaluation device 15 in the reception path 23 of the transponder 3. In the respective evaluation devices 14, 15, the evaluation of the received data of a data communication takes place.

According to the invention, both the base station 2 and the transponder 3 now have an authentication module 16, 17, which are arranged between the respective transmitting / receiving device 6, 9 and control device 5, 8 of the base station 2 or of the transponder 3. These authentication modules 16, 17 are designed here as separate modules. Preferably, however, a respective authentication module 16, 17 is part of the respective control device 5, 8.

An authentication module 16, 17 further comprises a memory 18, 19, in which, for example, data, keys or the like, which are required for the authentication or must be cached, are stored. The Memories 18, 19 typically include a RAM memory in which, for example, computational results are stored. Additionally or alternatively, these memories 18, 19 may also comprise a non-volatile memory, such as EEPROM or flash memory, in which system parameters, parameters of the various communication participants, such as a subscriber-specific private key, a public key, a subscriber-specific certificate or like, are stored.

The principle of the authentication method (or authentication protocol) according to the invention is explained by way of example with reference to the schematic representations in FIGS. 4 and 5.

4 schematically shows the base station 2 and the transponder 3 of the communication system 1, wherein only the authentication modules 16, 17 and the memory devices 18, 19 are shown there within these devices 2, 3. It is assumed that public keys are stored in the base station-side memory device 18 and that in the memory device 19 of the transponder 3 its certificate, the transponder-side secret key and possibly the public key are stored.

An example of the inventive authentication method based on elliptic curves will now be described with reference to the flow chart in FIG. 4.

The following parameters are specified as system parameters, ie as parameters that apply to the entire communication system 1 and thus to the entire authentication.

- It is given a suitable elliptic curve. xp denotes an affine x-coordinate of the base point P on the elliptic curve. xS designates a public, ie the base station and the transponder known key for signature verification. The following parameters are provided for the transponder 3: ξT denotes the transponder-side secret key, which therefore the base station 2 does not know. - xT, rT, sT denote the certificate Z of the transponder 2, where xT denotes the public key (affine x-coordinate of the point T = ξT * P) and rT, sT the signature of xT, verifiable by the public key xS.

The authentication method illustrated in FIG. 4 is carried out as follows:

In steps 1) - 3), the base station 2 generates the request C = xl (C = Challenge). For this purpose, a value rl is randomly chosen. The base station 2 then calculates from this value r1 and the system parameter xp the query (X1, Z1) which represents the projective x-coordinate of the point P1 (Pl = r1 * P). From these two values X1, Z1 the affine x-coordinate x1 calculated as a request is calculated by a division. This query xl represents the x

Coordinate of the point Pl = rl * P for a random scalar.

The base station 2 sends this request C = xl in step 4) to the transponder 3.

In step 5), the response R (R = response) is calculated. For this purpose, the transponder 3 calculates the corresponding response data R = (X2, Z2) for the query x1, which represent the projective x-coordinates of the point P2 = ξT * Pl = ξT * (rl * P).

In step 6), the response data R = (X2, Z2) generated by the transponder 3, which represent a randomly selected projective representation of the x-coordinate of the point P2, are converted to R ^λ = (X2 ', Z2 ) reduced. According to the invention, a data reduction is thus carried out here at one of these two values (X2, Z2) in method step 6). In step 7), the response data R ^λ = (X2 ', Z2) generated by the transponder 3 are sent back to the base station 2 together with the certificate Z = xT, rT, sT of the transponder 3.

The base station 2 checks the certificate Z = xT, rT, sT of the transponder 3 in step 8). If the certificate Z is not valid, then the base station 2 rejects the transponder 3 as not authentic.

In steps 9) and 10), the base station 2 checks the response of the transponder 3. The base station 2 calculates the calculated projective x-coordinate (X3, Z3) of the point P3 = rl * xT = rl * (ξT * P) and checks in this case, whether the data (X2 ', Z2) transmitted by the transponder 3 with the data (X3, Z3) generated in the base station 2 can be projective coordinates of the same point. This is the case if and only if the results of scalar multiplications are:

F (Z2 * X3 / Z3) = X2 ',

where F represents the same non-injective mapping that the transponder 3 used in step 6) to compute the response data R "= (X2 ', Z2) In the described embodiment, a data reduction on the calculated value will likewise be effected in the same way Z2 * X3 / Z3 executed, as this was done in step 6) in the transponder 3).

If this relationship applies, then the transponder 3 is authentic. If this is not the case, then the base station 2 rejects the transponder 3 sending the response data R 'as not authentic.

What is essential here is that the generation of the request C and the answer R, R 'and the corresponding certificates Z are specified such that the corresponding authentication protocol based on elliptic curves over the Galois field GF ( ^2d ) can be performed.

In previously known methods, the entire x-coordinate (X2, Z2) of the point P2 was transmitted back to the base station, that is, from this x-coordinate, both values X2, Z2 of the response R were completely retransmitted. The base station 2 was able to dispense with the application of the non-inj ective transformation for data reduction in the examination of the response R and the connection required for the test had the form X2 * Z3 = X3 * X2. This has after step 5) immediately the step 7) connected. According to the invention, an additional method step 6) is now provided between steps 5) and 7). This additional process step 6) denotes a data reduction step. In this method step 6), the response data R = (X2, Z2) generated by the transponder 3, which represent a randomly selected projective representation of the x-coordinate of the point P2, are reduced by applying a noninjective transformation. According to the invention, a data reduction is thus carried out here at one of these two values (X2, Z2) in method step 6).

In the exemplary embodiment in FIG. 5, it is assumed that a data reduction is carried out at the first value X2 of the projective representation of the x-coordinate (X2, Z2), so that the x-coordinate now contains the two values (X2 ^λ , Z2). and X2 ^{λ has} a data-reduced content compared to the value X2. This data-reduced response R ^λ = (X 2 ^λ , Z 2) is then sent in the method step 7) from the transponder 3 to the base station 2 together with the certificate Z of the transponder 3.

It goes without saying that instead of a data reduction of the first value X2 of the x-coordinate, a data reduction of the respective second value Z2 can be carried out additionally or alternatively. The base station 2 then checks whether the number (X3, Z3) calculated in the base station 2 agrees with the response R "sent by the transponder 3. Since this response R ^λ = (X2 ^λ , Z2) is not complete, but is reduced in data , becomes only the corresponding part of the term

X3 * Z2 / Z3 obtained by applying the non-injective transformation is checked with the component of the response X2 ^λ . Only if this corresponding part of the number X3 * Z2 / Z3 coincides with X2 ^{λ in the} exemplary embodiment, then the transponder 3 is accepted as authentic by the base station 2.

In the following, this method for data reduction and the corresponding method for comparing these data-reduced values will be briefly explained with reference to schematic representations in FIGS. 5a-5c:

FIG. 5 a shows the x-coordinate or number 30 generated by method step 5). FIG. 5 a shows the structure of the number 30 first. This number 30 contains two numerical values X2, Z2. This x-coordinate 30 and thereby their values X2, Z2 are shown here in binary coding. It is assumed that each of the two values X2, Z2 is eight bits wide and these two eight-bit wide values X2, Z2 are arranged directly adjacent to each other. The entire x

Coordinate 30 is thus 16 bits wide. In the example shown, the value X2 of this number 30 is subdivided into an upper, four-bit-wide half 32 with the bit sequence 1010 and a lower four-bit-wide half 33 with the bit sequence 1011. The value Z2 of the number 30 also has two half-thieves 34, 35 with the bit sequences Olli and 0101.

In method step 6), a data-reduced number 31 having the values X2 ^λ , Z2 is generated from the number 30. For this purpose, for example, the upper half 32 of the value X2 for the generation of the data-reduced number 31 is neglected, that is to say the data-reduced number 31 has only the lower half 33 of the value X2 and the complete value Z2. After the data reduction in step 6), the data-reduced x-coordinate 31 contains only the lower half 33 of the value X2 and both halves 34, 35 of the value Z2. The upper half 32 of the value X2 is no longer part of the data-reduced x-coordinate 31 and thus is not transmitted back from the transponder 3 to the base station 2.

In the example shown in FIG. 5, the upper half 32 was neglected for the data-reduced x-coordinate 31. Of course, it would also be conceivable to neglect here the lower half 33 of the value X2 or one of the two halves 34, 35 of the value Z2. In addition, exactly half of the value X2 and thus four bits of the eight-bit content of the value X2 were neglected in each case. It would be conceivable here to have any data reduction of the value X2 different from 0, that is, it would also be conceivable to neglect, for example, only one bit up to seven bits of the value X2 for the generation of the data-reduced x-coordinate. It would also be conceivable to apply further non-injective maps of elements of the finite field which can not be easily realized by neglecting bits of one of the values of the projective representation.

The method step 10) will now be described with reference to FIG. 5c. In the authenticity check, the number 37 is first calculated from the values X3, Z3 and the value Z3 contained in the response of the transponder 3 by the formula X3 * Z2 / Z3. The number 37 is again divided into two halves, the numbers 38 and 39. The verification of authenticity is now not by comparing the two pairs of numbers 32,33 and 38,39, but it is only the number 33 compared with the number 39.

In the present case of FIG. 5, the bit content of the section 33 is identical to the respective bit content of the section 39, so that in this case the base station 2 the corresponding transponder 3, the data reduced number 31 sent as authenticated. This, although the upper portion 32 of the value X2 is not compared with the upper portion 38 of the corresponding value X3 * Z2 / Z3. It is based on the knowledge that, in particular with very large bit width of the numbers to be compared, it is already sufficient to transmit only a part of these values and to compare them with the corresponding part. If these sections compared with each other agree, then one can assume with very high probability that the corresponding pairs of numbers 32,33 and 38,39 are identical.

Although the present invention has been described above with reference to a preferred embodiment, it is not limited thereto, but can be modified in various ways.

In particular, the invention is not limited exclusively to RFID systems, but can also be extended, for example, to the item identification (item identification). Frequently, such parts need not be clearly identified. Here it is also often sufficient that the presence of, for example, a faulty part can be excluded. This is usually also referred to as ambiguous identification. When operating the transponder in this context, this has the function of a sensor. Thus, the invention also expressly relates to such sensors in which a communication for reading and writing data of a data carrier or sensor are made.

Also, the invention is intended to refer to any data communication systems that are not necessarily RFID systems and that are not necessarily wirelessly configured.

In FIGS. 3 and 4, for better clarity, the structure of the RFID system and in particular of the Transponders and the base station deliberately shown greatly simplified. It goes without saying that the base station and the corresponding transponder can also contain the functional units required for data communication between base station and transponder, such as demodulator, modulator, power supply, synchronization device, decoder and the like.

In FIGS. 3 and 4, a distinction was made between the control device, the evaluation device and the authentication module. It goes without saying that these devices or parts thereof e.g. Part of the control device may be or may be formed separately from it.

It should also be noted that both the base station and the transponder can have a single transceiver and an associated transceiver antenna. Of course, it would also be conceivable for the base station and / or the transponder to have separate transmitting / receiving devices and, in particular, a transmitting antenna and a separate receiving antenna.

The above-described data communication system and data communication method have been described by the "reader-talk-first" principle. It would also be conceivable, of course, the principle of "day-talks-first", in which the base station is initially waiting for a request from a transponder. However, this second mentioned principle has a worse reaction time, so that especially in modern so-called "long-range" data communication systems, as used for example in RFID, preferably the "reader-talks-first" - principle is used.

It goes without saying that the authentication method according to the invention described with reference to FIG. 5 is to be understood merely as an example. Of course, there were the individual process steps and applied Modify and modify mathematical operations in the context of the invention, for example by functionally identical or alternative method steps.

It should also be noted that the numbers and bit widths given are to be understood as examples only and should in no case limit the invention to them. In particular, it would also be conceivable to use a larger or a smaller bit width for the respective values. Moreover, the different sections of a value do not have to have the same bit width, but may be different. The same applies to the bit width of the two values X, Z of a respective projective x-coordinate.

The publication "The Static-Diffie-Hellman Problem" by Daniel R. L. Brown and Robert P. Gallant of June 23, 2005 describes a new attack on cryptographic methods whose security is based on the discrete logarithm problem in a finite group. This is particularly applicable to elliptic curves. The described attack can then be carried out efficiently if an attacker has a device available (called "oracle" in the literature) which contains a secret scalar s and the attacker is given the result of the calculation T = sU when an arbitrary point U is entered. So the result point T of scalar multiplication, returns. In particular, the attack requires a sequence of points PO, Pl, P2, ... Pn on the elliptic curve, where Pj_ = SP-J __; L. This attacker scenario is given in particular in the described RFID tag. The described RFID tag is exactly the technical realization of such an oracle.

In the case of the authentication protocol of the described RFID tag, the tag calculates a scalar multiplication and as a result obtains the x-coordinate in a randomly selected projective representation (X2, Z2). So far, the whole pair (X2, Z2) has been sent back to the terminal as a response. The SI- The authenticity of the authentication protocol against the static-Diffie-Hellman attack has been up to now ensured by the properties of the elliptic curves used. To ward off the static-Diffie-Hellman attack elliptic curves were therefore used whose orders contain so-called strong prime divisors. Within these cyclic subsets of the finite point groups generated by strong primers, the cryptographic applications were performed.

The method according to the invention is advantageously suitable for warding off such "static-diffie-hellman attacks". The RFID tag, as in the embodiment described above, returns only part of the calculated bits from one of the values X2, Z2. The terminal then checks to see if the corresponding bits of the number X3 * Z2 / Z3 match the returned bits. If the bits are identical, the RFID tag is accepted as authentic. This reduces the amount of bits to be transmitted in the response (X2, Z2) and prevents the affine x-

The coordinate of the result can be reconstructed and used for a new call of scalar multiplication in order to generate the sequence of points PO, Pl, P2,..., Pn described above for an attack.

Since the complete x-coordinate of the result point is no longer output, the iteration of the scalar multiplication using the oracle required for the described attack is no longer possible and the attack is averted. In general, if an attacker gets only part of the x-coordinate of the result point, there are very many values that can occur as the x-coordinate of a point and still match the part known to the attacker. If an attacker attempts to perform the described attack on all possible points whose x coordinates match the output pieces, the number of possible score sequences grows exponentially with the number of iterations and quickly becomes inefficient. In order to ward off the described attack, it is sufficient in practice if some bits of a coordinate of the result are already cut off and only a few continuations to x coordinates of points are possible.

Thus, in addition to data reduction, the method according to the invention additionally offers the advantage that an implicit protection against the static-Diffie-Hellman attack is achieved. The fact that an attacker can no longer iterate the calculations of the oracle, the described attack is no longer possible. In particular, no elliptic curves need to be used whose orders have strong primes.

Claims

claims

1. A method for encrypted data exchange between subscribers (2, 3) of a communication system (1) using cryptography based on elliptic curves, wherein upon a request from a first subscriber (2) from the second subscriber (3) a result a first scalar multiplication is calculated,

whereby a function value is determined from the result of the scalar multiplication with the aid of a non-injective mapping, so that the function value does not permit a clear conclusion on the result,

- wherein the function value in response to the first participant (2) is sent.

2. The method of claim 1, wherein

- as a function value, a part of the result of the scalar multiplication is determined and sent in response back to the first participant (2), - wherein the answer contains an x-coordinate of a point on the elliptic curve, and

where only part of the x-coordinate contained in the response is sent.

3. The method of claim 1, wherein

a part of the result of the scalar multiplication is determined as a function value and sent back to the first user (2) in response,

- where the answer contains a y-coordinate of a point on the elliptic curve, and

where only part of the y-coordinate contained in the response is sent.

4. The method according to claim 1, characterized in that the query contains the x-coordinate of a point on the elliptic curve.

5. The method according to any one of claims 1 to 4, characterized in that the coordinates are in binary form.

6. The method according to any one of claims 1 to 5, characterized in that the x or y coordinate contained in the query and / or the response of the point on the elliptic curve is present in a projective representation.

7. The method according to any one of claims 1 to 6, characterized in that the coordinate of the point in binary representation is a number which contains a first and a second value, which are displayed in a binary representation lined up.

8. The method according to claim 7, characterized in that only a part of the bits of at least one of the two values is sent back.

9. The method according to claim 7 or 8, characterized in that half of the bits of at least one of the two values is sent back.

10. The method according to any one of claims 7 to 9, characterized in that based on the MSB bit, an upper bit area of the bits, in particular an upper half of the bits of at least one of the two values is sent back.

11. The method according to any one of the preceding claims, characterized in that the first subscriber (2) checks the received response of the second subscriber (3) on their authenticity.

12. The method according to any one of the preceding claims, characterized in that the first participant (2) checks whether the data contained in the response and the data of the result of a second Skalarmultiplikation are coordinates of the same point.

13. Method according to one of the preceding claims, characterized in that the first participant (2) compares the data contained in the response with a result of a second scalar multiplication and that the first participant (2) accepts the second participant (3) as authentic, if corresponding data of the answer and the result of the second scalar multiplication coincide with each other.

14. Method according to claim 13, characterized in that, for the comparison of the data of the response with the result of the second scalar multiplication, only those parts of the result of the second scalar multiplication which are the part of the second user (3) are used to the first user (2) answer sent.

15. The method according to any one of the preceding claims, characterized in that that part of the result of the first scalar multiplication, which is not transmitted back in response, a randomly generated and at least one of the two participants (2, 3), preferably both participants (2, 3) known result, which is useful as a secret key in subsequent process steps.

16. The method according to any one of the preceding claims, characterized in that the method is based on a challenge-response method authentication method for authentication of the second subscriber (3) relative to the first subscriber (2) and / or vice versa.

17. The method according to any one of the preceding claims, characterized in that the request of the first subscriber (2) is independent of the key of the second subscriber (3).

18. The method according to any one of the preceding claims, characterized in that as system parameters of the communication system (1) an elliptic curve suitable for cryptographic methods and an affine x-coordinate of a base point of the elliptic curve and a public key for signature verification are provided.

19. The method according to any one of the preceding claims, characterized in that as a parameter of the second subscriber (3) only a second subscriber (3) known key and a certificate of the second subscriber (3) are provided.

20. The method according to claim 18, characterized in that the certificate of the second subscriber is transmitted by the second subscriber (3) together with the answer, which is carried out in the first subscriber on its validity using a public, both participants known key ,

21. Communication system (1) for authentication of the subscribers (2, 3) of the communication system (1) using a cryptography according to one of the preceding claims.

22. System according to claim 21, characterized in that a first participant (2) and at least a second

Subscriber (3) are provided, which are in data-communicative connection (4) to each other, wherein the first and second Participants (2, 3) each have an authentication module (16, 17) for an authentication.

23. System according to claim 22, characterized in that the authentication module (16, 17) of a respective subscriber (2, 3) has a computing device which is provided for calculations, checks and authentications within the respective authentication module (16, 17).

24. System according to one of the preceding system-related claims, characterized in that each participant (2, 3) has a memory (18, 19) up, in which the system parameters and each of these participants (2, 3) associated parameters are stored ,

25. System according to one of the preceding system-related claims, characterized in that the first and second participants (2, 3) are communication participants of the communication system (1), in particular of a communication system (1) designed as an RFID system.

26. System according to one of the preceding system-related claims, characterized in that the first subscriber (2) a base station (2) and the second subscriber (3) a transponder (3), in particular a passive or semi-passive or active transponder (3), is