EP4158842A1 - Method for deriving a partial signature with partial verification - Google Patents

Method for deriving a partial signature with partial verification

Info

Publication number
EP4158842A1
Authority
EP
European Patent Office
Prior art keywords
messages
signature
subset
verification
elements
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP21734891.1A
Other languages
English (en)
French (fr)
Inventor
Olivier Sanders
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
Orange SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Orange SA
Publication of EP4158842A1
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Definitions

  • the present invention relates to the general field of telecommunications and more specifically relates to the securing of exchanges between communication devices using cryptographic techniques such as electronic signature techniques.
  • the electronic signature is a cryptographic tool which makes it possible to authenticate any digital data, thus acting as the equivalent of a traditional handwritten signature.
  • This technique is omnipresent in our daily life and has led to a profusion of work in cryptography around the notion of anonymous authentication, where the goal is to reduce the information revealed during each authentication to the strict minimum.
  • Certain technologies resulting from this work are now widely deployed, for example in most laptops, under the name DAA (for “Direct Anonymous Attestation”) or in certain processors under the name of EPID (for “Enhanced Privacy IDentity”).
  • this one contains about n^2 (or n²) elements for a system supporting n attributes. This can prove to be prohibitive for large values of n: transmission of the public key to the stakeholders, volume necessary to store this public key, complexity of the initial calculation of the key.
  • One of the aims of the invention is to remedy the shortcomings / drawbacks of the state of the art, and / or to make improvements thereto.
  • the invention proposes a method of deriving a partial signature for a subset of a set of messages, called a subset of messages, said partial signature being intended to prove the validity of a signature of the set of messages for the messages of the subset of messages, said method, implemented by an entity for deriving a partial signature, comprising:
  • sending to a verification entity a partial signature specific to the subset of messages, said partial signature comprising a constant number of elements comprising at least the elements of the signature of the set of anonymized messages, the first verification element and the second verification element, said partial signature being intended to be verified with only the messages of the subset of messages, characterized in that the second verification element is a function of derived values calculated from at least the other elements of the partial signature.
  • the method of deriving a partial signature has the same advantages as the mechanism described in PKC 2020: the signature obtained is of constant size, regardless of the value of n and the size of the subset of messages, and it is not necessary to know the messages not taken into account, that is to say those which are not part of the message subset, in order to verify the signature.
  • the schema offers all the security properties usually expected from this type of schema, as well as the ability to prove relationships on data.
  • the method of the present invention improves the efficiency of this mechanism with a public key of considerably reduced size, of the order of 3n elements.
  • the complexity of the process is said to be linear while the complexity of the PKC 2020 mechanism is said to be quadratic (in n^2).
  • the computation of the values derived from the second verification element comprises: for any i of I, the application of a function H taking any character string as input and returning a non-zero scalar, said H function being applied to the elements of the signature of the set of anonymized messages, to the first verification element, to the subset I and i.
  • the function H makes it possible to calculate the derived values used in the calculation of the second verification element. It takes as input any string of characters and returns a non-zero scalar. We understand that an attacker who modified one or more of the other elements of the signature would not obtain a positive verification of the partial signature. Indeed, the derived values calculated from modified values of the signature, and / or compensated by modified values of the first and / or second verification element, would then necessarily be different.
  • the function H taking any character string as input and returning a non-zero scalar is a one-way function.
  • the function H is a one-way function, that is to say a function which can easily be calculated but which is difficult to reverse.
  • the H function is a cryptographic hash function, such as SHA-256.
  • the method of deriving a partial signature comprises beforehand a generation of a secret key and of an associated public key in a bilinear environment, said environment designating a first group G1, a second group G2 and a third group GT of order p, as well as a bilinear map e, taking as input an element of the first group G1, an element of the second group G2 and with values in the third group GT, i.e. g, respectively h, an element of the first group G1, respectively of the second group G2, said generation comprising:
  • G_i = g^{b^i}, for all 1 ≤ i ≤ n and n + 2 ≤ i ≤ 2n,
  • B_i = h^{b^i}, for any 1 ≤ i ≤ n; the public key (Kp) is made up of g, h, G_i, A, and B_i and the function for calculating the derived values.
  • the generation of the pair of keys Ks / Kp of the signer requires the generation of only two scalars, a and b, the latter being involved at different powers in the elements of the public key.
  • the signer generated n + 1 random scalars used in particular to construct elements essential for the derivation of the signature but which weighed heavily on the size of the public key because they were n^2 - n (or n² - n).
  • the public key used in the method for deriving a partial signature described here consists only of 2n elements of G1 and n + 2 elements of G2.
  • the public key of the PKC 2020 mechanism consists of (n^2 + n + 2) / 2 (or (n² + n + 2) / 2) elements of G1 and n elements of G2.
  • the process of a partial signature therefore goes from a quadratic complexity to a linear complexity.
  • the derivation of the partial signature for the subset I of the set {1, ..., n} of messages comprises:
  • the first verification element is very similar, in its calculation, to an element of the partial signature of the PKC 2020 scheme.
  • the calculation of the second verification element does not find its equivalent in the PKC 2020 mechanism, in particular because it is calculated from derived values. This difference is due to the use of fewer scalars compared to the other mechanism, which lead to fewer elements in the public key, but also to the adequate use of the derived values mentioned above which allows to reduce the number of elements of this public key while preserving the security of the process.
  • the invention also relates to a method for verifying a partial signature for a subset of a set of messages, called a subset of messages, said partial signature being intended to prove the validity of a signature of the set of messages for the messages of the subset of messages, said method, implemented by an entity for verifying a partial signature, comprising:
  • said partial signature comprising a constant number of elements comprising at least the anonymized elements of the signature of the set of messages, a first verification element calculated from the messages of the set other than those of the message subset and a second verification element intended to prove that the first verification element is well formed, the second verification element being a function of values derived from at least the other elements of the partial signature,
  • first equation comprising the messages of the subset of messages, the elements of the signature of the set of messages, the first element of verification and elements of the public key
  • second equation comprising the first element of signature verification, the second element of signature verification, elements of the public key and the derived values.
  • the verification method described here is inseparable from the method of deriving a partial signature described above. Obviously, the use of derived values in the calculation of the partial signature is logically found in the verification process which also differs from the partial signature verification of the PKC 2020 mechanism.
  • a secret key and a public key have been generated beforehand in a bilinear environment for a signing entity, said environment designating a first group G1, a second group G2 and a third group GT of order p, as well as a bilinear map e, taking as input an element of the first group G1, an element of the second group G2 and with values in the third group GT, i.e. g, respectively h, an element of the first group G1, respectively of the second group G2, said generation of the secret key and of the public key comprising:
  • G_i = g^{b^i}, for all 1 ≤ i ≤ n and n + 2 ≤ i ≤ 2n,
  • B_i = h^{b^i}, for any 1 ≤ i ≤ n, g, h, G_i, A, and B_i and the function for calculating derived values, noted H, forming the public key, the verification of the partial signature, noted (s'_1, s'_2, s'_3, s'_4), received by the verification entity comprising, for a subset I of a set {1, ..., n}, the set of messages being denoted {m_1, ..., m_n}, with m_i the messages of the subset of messages:
  • the invention also relates to an entity for deriving a partial signature intended to derive a partial signature for a sub-set of a set of messages, called a sub-set of messages, said partial signature being intended for proving the validity of a signature of the set of messages for the messages of the subset of messages, said partial signature derivation entity, comprising:
  • - reception means arranged to receive the set of messages and a signature of said set of messages, said signature comprising signature elements of the set of messages
  • the first generation means arranged to generate anonymized elements of the signature
  • - second generation means arranged to generate a first verification element calculated from the messages of the set other than those of the subset of messages
  • - third generation means arranged to generate a second verification element intended to prove that the first verification element is well formed
  • sending means arranged to send to a verification entity a partial signature specific to the subset of messages, said partial signature comprising a constant number of elements comprising at least the elements of the signature of the set of messages anonymized, the first verification element and the second verification element, said partial signature being intended to be verified with only the messages of the subset of messages, characterized in that the second verification element is a function of derived values calculated from at least the other elements of the partial signature.
  • the invention also relates to an entity for verifying a partial signature, intended to verify a partial signature for a subset of a set of messages, called a subset of messages, said partial signature being intended to prove the validity of a signature of the set of messages for the messages of the subset of messages, said partial signature verification entity comprising:
  • - first reception means arranged to receive the subset of messages and a partial signature specific to the subset of messages, said partial signature comprising a constant number of elements comprising at least the anonymized elements of the signature of the set of messages, a first verification element calculated from the messages of the set other than those of the message subset and a second verification element intended to prove that the first verification element is well formed, the second verification element being a function of values derived from at least the other elements of the partial signature,
  • - calculation means arranged to calculate derived values by means of a function for calculating derived values
  • verification means arranged to verify a first equation and a second equation, said first equation comprising the messages of the subset of messages, the elements of the signature of the set of messages, the first verification element and elements of the public key, the second equation comprising the first element of signature verification, the second element of signature verification, elements of the public key and the derived values.
  • the invention also relates to a partial signature derivation and verification system comprising:
  • the invention also relates to a use of a partial signature derivation and verification system as described above in an anonymous accreditations system.
  • the invention also relates to a computer program on a data medium and loadable into the memory of a computer, comprising program code instructions intended to control the execution of the steps of the method of deriving a partial signature as described above, when the program is executed on said computer.
  • the invention also relates to a data medium in which the preceding program is recorded.
  • the invention also relates to a computer program on a data medium and loadable into the memory of a computer, comprising program code instructions intended to control the execution of the steps of the method for verifying a partial signature introduced previously, when the program is executed on said computer.
  • the invention also relates to a data medium in which the above program is recorded.
  • FIG 1 shows the steps of a method for deriving a partial signature and for verifying the partial signature for a subset of a set of messages, according to an exemplary embodiment
  • FIG 2 is a schematic representation of an entity for deriving a partial signature capable of implementing the steps of the method for deriving a partial signature for a subset of messages, according to an exemplary embodiment
  • FIG 3 is a schematic representation of an entity for verifying a partial signature capable of implementing the steps of the method for verifying a partial signature for a subset of messages, according to an exemplary embodiment.
  • the signature scheme described here operates in a bilinear environment which designates three groups, usually denoted G1, G2 and GT, of order p, as well as a bilinear application e called "bilinear coupling" taking as input an element of the group G1 and an element of group G2 and with values in group GT.
  • This type of environment has become classic in cryptography and can be implemented very efficiently. It should be noted that the roles of G1 and G2 are perfectly interchangeable.
  • the term “scalar” here designates any integer between 0 and p - 1, p being the order of the groups mentioned above.
  • the signature scheme is based on a system which includes several entities:
  • the signatory entity 10 is a computer device which includes code instructions for implementing those of the steps of the method of deriving a partial signature implemented by the signatory entity 10,
  • the entity 11 for deriving a partial signature is a computer device which includes code instructions for implementing those of the steps of the method for deriving a partial signature implemented by the entity 11 for deriving a partial signature,
  • the entity 12 for verifying a partial signature is a computer device which comprises code instructions for implementing those of the steps of the method for deriving a partial signature implemented by the entity 12 for verifying a partial signature.
  • a signing entity can also act as the derivation entity of a partial signature.
  • a signatory entity may also be required to play the role of verification entity of a partial signature.
  • n denotes the maximum number of data that can be signed at a time.
  • such messages could be his name, address, date of birth, etc.
  • In a prior key generation step E10, the signing entity 10 generates, for the signature scheme, a pair of secret / public keys Ks / Kp.
  • the generation of keys can be implemented by a dedicated entity for generating keys, distinct from the signing entity 10, the keys, and in particular the secret key then being transmitted to the signatory entity 10 in a secure manner, according to known methods not presented here.
  • let g, respectively h, be a random element of the group G1, respectively of the group G2
  • the signatory entity 10 controls the generation of two scalars a and b and calculates the following elements:
  • the public key Kp is formed of the elements g, h, A, B_i and G_i, for the indices mentioned above.
  • the public key also defines a function, denoted H, intended to freeze the data to which it applies. More precisely, applying the function H to data produces a commitment on these data (one speaks of “commitment” in English).
  • Function H takes any character string as input and returns a non-zero scalar.
  • the function H is a one-way function.
  • a one-way function is a function which can easily be calculated but which is difficult to reverse.
  • the function H is a cryptographic hash function, such as SHA-256 (standing for “Secure Hash Algorithm”).
  • the secret key Ks of the signer in the signature system consists only of the scalars a, b.
  • Kp = (g, h, A, B_i, G_i, H)
  • the public key Kp is then published or transmitted, here by the signing entity 10. Note that the cost inherent in this publication or in this transmission is considerably reduced, in particular compared to the solution described at PKC 2020: “Efficient Redactable Signature and Application to Anonymous Credentials”, Olivier Sanders, due to the size of the public key Kp.
  • the public key Kp is in fact made up of 2n elements of G1 and n + 2 elements of G2, against (n^2 + n + 2) / 2 elements for the protocol described in PKC 2020.
  • the signature scheme described here thus makes it possible to verify very effectively the validity of a signature on any subset of messages. This efficiency is based in particular on the public key, the number of elements of which is drastically reduced compared to the mechanism described in PKC 2020.
  • the signing entity 10 can also sign messages of size n', with n' < n, with this same pair of keys, that is to say, without regenerating a pair of keys.
  • the message of size n' to be signed is padded with '0' until a message of size n is obtained, and the signing entity 10 then uses its pair of keys Ks / Kp to sign it.
  • the signing entity 10 sends the signature (s_1, s_2) of the set of n messages to the entity 11 for deriving a partial signature as well as the set of n messages {m_1, ..., m_n}.
  • the entity 11 for deriving a partial signature receives, in a reception sub-step E12-1 of a step E12 for deriving a partial signature, the signature (s_1, s_2) of this set of n messages as well as the set of n messages {m_1, ..., m_n}.
  • the step E12 of deriving a partial signature makes it possible to derive, from the signature on the n messages received during step E12-1, a signature called hereinafter “partial signature” on any subset of the n messages.
  • the set of indices of the messages of this subset is designated by I in what follows.
  • the entity 11 for deriving a partial signature generates, in a sub-step E12-2 for generating anonymized elements of the signature (the term “randomized” is used in English), a scalar t, potentially equal to 0, as well as a non-zero random scalar r.
  • the scalars t and r are intended to anonymize the signature.
  • This third element of the signature s'_3 constitutes a first element for verifying the partial signature.
  • the entity 11 calculates a fourth signature element s'_4.
  • the symbol "||" denotes character string concatenation.
  • each of the elements c_i is a non-zero scalar.
  • the values c_i, obtained by applying the function H, constitute values derived from the elements of the signature s'_1, s'_2 and s'_3.
  • the derived values freeze in a way the elements of the signature.
  • This fourth element of the signature s'_4 constitutes the second element of verification of the partial signature.
  • the partial signature is then (s'_1, s'_2, s'_3, s'_4).
  • the partial signature is specific to messages m_i, with i in I and is intended to be used to verify the validity of the signature of this subset of messages m_i on the basis of the signature of the n messages (s_1, s_2 ), and with only messages from the message subset.
  • the indices of the elements G of the second signature verification element s'_4 are different from n + 1. All the elements necessary for the signature verification are therefore present in the public key Kp. Note that in an exemplary embodiment where the value of the scalar t is set to 0, the signature system guarantees the authenticity of the signed messages but loses its anonymity properties. This exemplary embodiment is therefore particularly indicated in a context where the property of anonymity is not desired.
  • step E12-4 of deriving a second verification element the partial signature derivation entity 11 calculates, or derives, the second verification element s' _4.
  • This second verification element s'_4 is intended to prove that the first verification element s'_3 is valid, that is to say that it is well formed.
  • the second verification element s'_4 makes it possible to show that the first verification element s'_3, calculated from the hidden messages, is well formed, i.e. it cannot be used to cheat on the value of the messages m_i, for i in I, which are presented to the partial signature verification entity 12.
  • a next sending sub-step E12-5 which constitutes the end of the step E12 for generating a partial signature
  • the entity 11 for deriving a partial signature sends to the entity 12 verification of the partial signature (s'_1, s'_2, s'_3, s'_4) and the subset of messages m_i, with i in I.
  • the partial signature is of constant size and includes few elements, in this case four. Note also that only the messages of the message subset {m_i}, with i in I, are transmitted. The verification entity 12 therefore does not need to know the set of messages {m_1, ..., m_n} or the messages which would be linked by construction to messages of the subset of messages, such as, e.g., for age, the date of birth.
  • the entity 12 for verifying a partial signature receives from the entity 11 for deriving a partial signature the subset of messages {m_i}, with i in I, and the partial signature (s'_1, s'_2, s'_3, s'_4) generated.
  • the entity 12 for verifying a partial signature in a preliminary step
  • a signature obtained during the signature step E11 and then derived during the step E12 for deriving a partial signature is necessarily valid with regard to the signature verification step E15. Indeed :
  • the signature verification implemented by the partial signature verification entity 12 during the prior step E14 of calculating the derived values and of the signature verification step E15 would be implemented directly on non-partial signatures, that is to say on signatures obtained at the end of the signature step E11
  • the method of deriving a partial signature, and the associated verification method are of interest for all use cases requiring authentication, whether anonymous or not. More precisely, they apply in cases where several data are certified but where it is frequent to need to verify the authenticity of only some of them.
  • a database potentially containing millions of data items is certified.
  • a person wishes to retrieve data from this database they only need to verify the authenticity of this data.
  • a traditional signature system it would have to recover the entire database to perform this verification.
  • the signature would be short and the verification efficient, but the public key would contain trillions of items.
  • the method of deriving a partial signature and the associated verification method described here the same advantages would be retained but with a much shorter public key.
  • the transmission of the public key and its storage by this person are much more efficient, while retaining undeniable security properties.
  • the methods for deriving and verifying a partial signature described above are particularly suitable for use in anonymous certificates or accreditations.
  • An anonymous certificate makes it possible to prove a property or a right linked to its holder, without revealing the identity of the latter. It protects the privacy of the anonymous accreditation holder by providing the property of anonymity and non-traceability. It takes the form here of a cryptographic datum: the partial signature, which can be shown by its holder, here the partial signature derivation entity 11, to an organization, here the partial signature verification entity 12, to prove a property linked to its identity.
  • the entity 11 for deriving a partial signature is computer equipment, such as a computer.
  • the entity 11 for deriving a partial signature comprises:
  • a processing unit or processor 110 or “CPU” (standing for “Central Processing Unit”), intended to load instructions into memory, to execute them, to carry out operations;
  • the storage memory 112 is designed to store a software module for deriving a partial signature which comprises code instructions for implementing the steps of the method for deriving a partial signature as described above and which are implemented by the entity 11 for deriving a partial signature.
  • 112 is also arranged to store the secret key Ks of the signature scheme in a secure area.
  • the partial signature derivation entity 11 also comprises:
  • a reception module 113 adapted to receive the set of messages {m_1, ..., m_n} and a signature of said set of messages, said signature comprising signature elements (s_1, s_2) of the set of messages.
  • a first generation module 114 designed to generate anonymized elements of the signature (s'_1, s'_2).
  • the first generation module 114 is designed to implement step E12-2 for generating anonymized elements of the signature of the method for deriving a partial signature as described above;
  • a second generation module 115 arranged to generate a first verification element s'_3 calculated from the messages other than those of the subset of messages.
  • the second generation module 114 is arranged to implement step E12-3 for generating a first verification element of the method of deriving a partial signature as described above;
  • a third generation module 116 arranged to generate a second verification element s'_4 intended to prove that the first verification element is well formed.
  • the third generation module 116 is suitable for implementing step E12-4 generating a second element for verifying the method for deriving a partial signature as described above;
  • a sending module 117 designed to send to a verification entity 12 a partial signature specific to the subset of messages.
  • the partial signature comprises a constant number of elements: at least the elements of the signature of the set of anonymized messages (s'_1, s'_2), the first verification element s'_3 and the second verification element s'_4.
  • the partial signature is intended to be verified with only messages in the message subset.
  • the second verification element s'_4 is a function of derived values calculated from at least the other elements of the signature.
  • the sending module 117 is suitable for implementing the sub-step E12-5 for sending the step E12 for deriving a partial signature of the method for deriving a partial signature as described above.
  • the reception module 113, the first generation module 114, the second generation module 115, the third generation module 116 and the sending module 117 are preferably software modules comprising software instructions for implementing those steps of the method for deriving a partial signature that are implemented by the entity 11 for deriving a partial signature.
  • the invention therefore also relates to:
  • a computer program comprising instructions for implementing the steps of the method for deriving a partial signature as described above and implemented by the entity for deriving a partial signature when this program is executed by a processor of the device for deriving a partial signature,
  • the entity 12 for verifying a partial signature is computer equipment, such as a computer.
  • the entity 12 for verifying a partial signature comprises:
  • a processing unit or processor 120 intended to load instructions into memory, to execute them, to carry out operations;
  • the storage memory 122 is designed to store a software module for verifying a partial signature as generated by the entity 11 for deriving a partial signature.
  • the software module comprises code instructions for implementing the steps of the method for verifying a partial signature as described above and which are implemented by the entity 12 for verifying a partial signature.
  • the storage memory 122 is also designed to store the public key Kp of the signature scheme in a storage area.
  • the entity 12 for verifying a partial signature also comprises:
  • a reception module 123 designed to receive the subset of messages and a partial signature (s'_1, s'_2, s'_3, s'_4) specific to the subset of messages.
  • Said partial signature comprises a constant number of elements: at least the anonymized elements of the signature of the set of messages (s'_1, s'_2), a first verification element s'_3 calculated from the messages of the set other than those of the message subset and a second verification element s'_4 intended to prove that the first verification element is well formed.
  • the second verification element s'_4 is a function of values derived from at least the other elements of the partial signature.
  • the first reception module is suitable for implementing step E14 for receiving the method for deriving a partial signature as described above;
  • a calculation module 124 designed to calculate derived values by means of a function for calculating derived values.
  • the calculation module 124 is suitable for implementing step E14 for calculating the values derived from the method of deriving a partial signature as described above;
  • the verification module 125 designed to verify a first equation and a second equation.
  • the first equation includes the messages of the message subset, the elements of the signature of the message set, the first verification element, and elements of the public key.
  • the second equation includes the first signature verification element, the second signature verification element, public key elements and the derived values.
  • the verification module 125 is designed to implement the verification step E15 of the method for deriving a partial signature as described above.
  • the reception module 123, the calculation module 124 and the verification module 125 are preferably software modules comprising software instructions for implementing those steps of the method for deriving a partial signature that are implemented by the entity 12 for verifying a partial signature.
  • the invention therefore also relates to:
  • a computer program comprising instructions for implementing the steps of the method for deriving a partial signature as described above and implemented by the entity for verifying a partial signature when this program is executed by a processor of the device 12 for verifying a partial signature
  • the invention also relates to a system for deriving a partial signature and for verification which comprises:

EP21734891.1A 2020-05-29 2021-05-31 Verfahren zur ableitung einer teilsignatur mit partieller überprüfung Pending EP4158842A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2005704A FR3111037B1 (fr) 2020-05-29 2020-05-29 Procédé de dérivation d’une signature partielle avec vérification partielle
PCT/FR2021/050983 WO2021240120A1 (fr) 2020-05-29 2021-05-31 Procede de derivation d'une signature partielle avec verification partielle

Publications (1)

Publication Number Publication Date
EP4158842A1 true EP4158842A1 (de) 2023-04-05

Family

ID=72801578

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21734891.1A Pending EP4158842A1 (de) 2020-05-29 2021-05-31 Verfahren zur ableitung einer teilsignatur mit partieller überprüfung

Country Status (4)

Country Link
US (1) US20230198778A1 (de)
EP (1) EP4158842A1 (de)
FR (1) FR3111037B1 (de)
WO (1) WO2021240120A1 (de)

Also Published As

Publication number Publication date
FR3111037A1 (fr) 2021-12-03
WO2021240120A1 (fr) 2021-12-02
FR3111037B1 (fr) 2023-05-26
US20230198778A1 (en) 2023-06-22

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20221214

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: ORANGE