FR2837335A1 - Cryptographic procedure for portable electronic devices uses iterative Arazi inversion to create RSA algorithm keys from arbitrary inputs - Google Patents

Abstract

A cryptographic procedure uses arbitrary inputs e and l in Arazi inversion to calculate (24) and store a private exponent d so that the product with e the public exponent is congruent to 1 modulo l with selection of a new parameter C (21) based on the product of the previous value c (20) and a number inversible modulo P so that e+Casteriskl is prime if e is tested (23) and found not to be prime. Includes an Independent claim for implementation of the procedure using a computer processor.

Description

<Desc / Clms Page number 1>

The invention relates to the field of cryptography and in particular to public key cryptographic systems.

When it comes to communicating data that we want to keep confidential or that we want to authenticate with a signature, we use public key cryptographic systems.

Either a public transaction or a private transaction takes place.

According to an example of encryption, someone wishing to send a message, first reads a public key attached to the recipient to whom he will address it. It encrypts the message using this public key and transmits it. The recipient, after reception, can decrypt the message and find the original document using their private key.

According to another example of signature, a document is signed by coding it using his private key and the signature is presented with the initial document.

The recipient verifies the signature using the public key associated with the issuer's private key.

Systems allowing these operations are now well known. For example, we know the RSA crypto-system developed by R. Rivest, A.

Shamir and L. Adleman. A complete presentation is found in US Patent 4,405,829 filed in their names.

To carry out these operations, a portable electronic device, such as a microprocessor card, constituting a cryptographic card is used in particular. The code of the cryptographic program is recorded in the ROM read-only memory, and the other data, in particular the private key made up of the couple of the private exponent d and the "module" n, are stored in a non-volatile memory EEPROM. The card can also include a crypto-processor which is a specialized calculation unit, which can process large numbers, for example 1024 bits.

Incidentally, the public key is made up of the pair of the public exponent e and the module n.

The RSA method includes as a preliminary step, before public and private operations can be carried out, the determination of the private exponent d from a given public exponent. For this purpose, we first generate, by means of a random number generator, two

<Desc / Clms Page number 2>

avec e. d = 1 (modulo À(n)) ou d e-I (modulo ,(n . Dans le cas du procédé RSA, la fonction ,(n) est le PPCM (plus petit commun multiple) du couple (p-1, q-1). L'exposant privé d est calculé comme étant la valeur

inverse e'1 de l'exposant public e, modulo ,(n), c'est-à-dire qu'il existe un nombre entier k tel que e. d = 1 + k #(n). prime numbers p and q. Then, starting from a determined function # (n) of the product n = p * q, we determine the private exponent d associated with the exponent e,

with e. d = 1 (modulo À (n)) or d eI (modulo, (n. In the case of the RSA process, the function, (n) is the PPCM (least common multiple) of the couple (p-1, q- 1). The private exponent d is calculated as the value

inverse e'1 of the public exponent e, modulo, (n), i.e. there exists an integer k such that e. d = 1 + k # (n).

When these values are established, one can proceed to the encryption and decryption of messages or else to the signature of a message m by modular exponentiation as is known by the RSA method.

c'est-à-dire le reste de la division de cd par n. More precisely, n and e being the public parameters and p, q, d, the private parameters being in the card for encryption, a message consisting of the number m, included in the interval [1, n-1], becomes , after encryption, c = me, modulo n. At the reception, we find the message m, following

that is, the remainder of the division of cd by n.

In the case of the signature, a message m, at the input of the card, becomes, at the output of the card, the signature s = md modulo n. The recipient, having the public parameters n and e, can verify that, given s and m, the relation se = m modulo n is satisfied.

In order to be able to calculate the private exponent d, in a simple manner, in particular by the Arazi inversion formula, known in the field, the number e, public exponent, is required to be prime, it being understood that e and, (n) are co-prime, that is to say that their PGCD (greatest common divisor) is equal to 1.

If we set L =, (n), Arazi's formula makes it possible to express e-1 modulo L as a function of L- 'modulo e. In addition, if e is prime, then L-1 modulo e = Le-2 modulo e.

<Desc / Clms Page number 3>

 taking into account Fermat's theorem, according to which, for any prime number p, the following relation is verified ap-1 # 1 (modulo p).

We certainly know the extended Euclidean algorithm which allows the determination of the inverse value of the exponent e modulo # (n) independently of the primality of the latter, algorithm according to which, e and L being co-prime (PGCD (e , L) = 1), there are two integers u and v such that ue + vL = 1. However, the implementation of this algorithm by a computer program requires the mobilization of additional memories compared to those necessary for the implementation of the cryptosystem. Its application to microprocessor cards in particular is therefore excluded due to the low memory capacity of the latter.

It would therefore be desirable to have a means allowing the implementation of the RSA cryptosystem in a microprocessor card, or any other equivalent medium, authorizing the choice as public exponent of any number. In particular, one could thus choose relatively low values which are not necessarily primary and improve the processing speed of public operations.

The subject of the invention is therefore a method of public key cryptography of the RSA type which is implemented in a portable electronic device such as a microprocessor card and which does not impose any primacy constraint as to the prior choice of the number representing the public exhibitor e.

This problem is solved by the invention by an RSA type cryptography method, implemented in a portable electronic device with a processor and a memory, comprising the entry of an arbitrary number, public exponent e, and the calculation by the processor of a private exponent d, such that the product of e and d is congruent to 1 modulo # (n), with # (n) = ppcm ((p-1), (q-1)), p and q being prime numbers whose product is equal to n, and its storage in the memory, characterized by the fact that, if e is not prime, we choose a parameter C such that e + C * (n) = ê Let be prime and we calculate the private exponent d from ê.

The invention having to relate to both the implementation of RSA standard mode and other implementations such as for example the CRT implementation which will be discussed in the description below, the applicant intends to extend the scope of his rights to a process of

<Desc / Clms Page number 4>

 cryptography, implemented in a portable electronic device with a processor and a memory, comprising the entry of arbitrary numbers e and # and the calculation by the processor of a number d, such that the product of e and d is congruent to 1 modulo #, and its storage in the memory, characterized by the fact that, if e is not prime, we choose a parameter C such that e + C * # = ê is prime, and we calculate the number d from of ê.

According to another characteristic, the value C is determined by an iterative calculation from an initial value c as an invertible element modulo the product of prime numbers.

The invention also relates to a cryptographic system comprising a central processor and, connected to the processor, means for storing an RSA type cryptographic program, means for storing private cryptographic parameters and working memory means, the processor comprising means for generating private prime numbers (p and q) and means for determining a private exponent (d) from a public exponent according to the relation d # e-1 [modulo ppcm (p -1), (q-1)].

According to a characteristic of the invention, means are provided for, if e is not a prime number, calculating a prime number ê according to the relation ê = e + C [ppcm (p-1), (q- 1)] and means to verify that the number ê is prime.

The invention is described below in more detail, with reference to the accompanying drawing, in which - FIG. 1 represents a block diagram of the cryptographic system of the invention and - FIG. 2 represents the flowchart for determining the prime number ê from the number e.

The implementation of the RSA crypto-system therefore consists in first defining the public and private keys, i.e. the public exponent e, the module n and the private exponent d. These values are interrelated. So

<Desc / Clms Page number 5>

 the private exponent d is the inverse modulo # (n) of the number representing the public exponent e. We choose n as the product of two prime numbers p and q; # (n) is the Carmichael function of these numbers. In the RSA system, this is the PPCM of the pair of numbers p-1 and q-1.

These values being established, and as we have already seen above, we can proceed to the operations of encryption-decryption or signature of messages Considering a digital message m to be coded, of a value less than n.

We observe that, if the value is greater than n, we split the message into as many sub-messages as necessary to fulfill this condition.

We treat the different sub messages separately.

If one wishes to transmit the message in coded form to a third party, one obtains the public key of the latter and one introduces the value m in the cryptographic system which restores a coded value c such that c = me modulo n. The recipient of the coded message can find the initial message by performing the same operation with their private key: m = cdmodulo n.

The system also allows you to sign a document. The issuer of the document m codes it with its private key d; obtains a signature s such that s = mdmodulo n. For a third party to authenticate this signature, it suffices to apply the public key corresponding to the signature and to compare the transformed message with the original message. The resulting messages must be the same.

When the cryptographic system is loaded on a microprocessor card or any other equivalent medium, one is limited in available memory space so that it does not seem possible to apply the means of the prior art to solve the problem of invention, namely the free choice of the public exhibitor as to its primality.

For the record, the formula known as the Arazi inversion formula allows the calculation of the inverse modulo L of a number e, if this number is prime. It is reproduced below, after having been expressed a little differently above: e-1mod L = (1 + L (-L-1 mod e)) / e with pgcd (e, L) = l.

<Desc / Clms Page number 6>

 Insofar as one wishes not to be limited in the selection of the number e, one applies a step of transformation of the number e into a number ê which is prime.

This number ê is defined from the formula ê = e + C * # (n).

car si d e-lmod 1(n), alors d+C*À(n)r1mod ,(n). On choisit C pour que ê soit premier. It allows the calculation of the private exponent d in the same way as the number e,

because if d e-lmod 1 (n), then d + C * To (n) r1mod, (n). We choose C so that ê is prime.

For this purpose, and with reference to Figure 2, we choose a number # equal to a product of prime numbers; preferably they are small. We define (20) a number c co-prime with #.

C = [(c-e)*7(n)n -'] mod II Le nombre C ayant été calculé, on en déduit (22) une valeur pour ê. ê est alors premier avec #. We deduce (21) the number C by the following formula

C = [(ce) * 7 (n) n - '] mod II The number C having been calculated, we deduce (22) a value for ê. ê is then prime with #.

If the number ê is prime with all the small prime numbers, namely: 2.3, 5.7, 11, 13.17, 19.23, etc., then the probability is high that it is prime in absolute terms.

We check (23) the primality T of ê, that is to say if the number ê is prime, according to a method known per se. For example, it may be the Fermat test or the Miller and Rabin test as described in Chapter 4 of the book "Handbook of Applied Cryptography" (AJ Menezes, PC van Oorschot and SA Vanstone, CRC Press, 1997 ).

If it appears that ê is not prime, then we define (20) a new number c from which we calculate a new number ê and, so on, iteratively.

The new number c is preferably the product of the old value c with a number a which is invertible modulo n. The new number e thus obtained is then also invertible modulo n.

<Desc / Clms Page number 7>

A new number ê is determined from the new value of c. If it is not prime, it is repeated until the primality test is positive.

d = [1 + 1(n)(- À(n)ê-2 mod ê)]/ê. Finally, the number ê being prime, we apply to it (24) the modular inversion operation according to Arazi, and we deduce the private exponent d associated with the public exponent e.

d = [1 + 1 (n) (- To (n) ê-2 mod ê)] / ê.

This number having been determined, it is stored in a memory of the microprocessor card. It is preferably a non-volatile EEPROM memory.

We can then use the microprocessor card for encryption or signing documents.

We just exposed the RSA implementation in standard mode.

In accordance with another implementation, the invention is applied to the determination of the private exponent d in the case of an implementation of the RSA crypto-system according to the mode known as CRT (from the theorem Chinese remains).

According to this implementation, we take advantage of the property of the module n to be the product of two prime numbers p and q and of # (n) to be the ppcm of (p-1), (q-1) .

The private exponent d having been determined, partial private exponents-dp and dq are established from d as follows: dp = d mod (p-1) and dq = d mod (q-1).

In the case of a private operation such as determining the signature of a message m by calculating the value s = mdmod n, it appears that if we know both Sp = mdmod p and therefore, according to the theorem of Fermat, Sp = mdp mod p and Sq = md mod q and therefore Sq = mdq mod q, then we can easily determine mdmod n.

<Desc / Clms Page number 8>

 In a portable device where the memory capacity is limited, it is preferable to carry out the calculations on the partial private exponents dp and dq thus defined, since these are twice as short as the exponent d. It is the same for p and q which are twice shorter than n = p. q. It follows that the calculation of s from the values sp and sq is substantially four times faster than the calculation of the signature s, directly from the private exponent d.

Thus, to calculate the signature of a message s = mdmod n, the partial signatures are calculated separately. sp = mdp mod p and
Sq = mdq mod q.

The signature s is then determined by the known method of calculating the Chinese remains. s = CRT (sp, sa) = sq + q * (iq * (sp ~ Sq) mod p) with iq = 1 / q mod p.

We can also calculate s from the number sp according to the expression s = sp + p * (ip * (sq-sp) mod q) with ip == 1 / p mod q.

dp = (1 + (p-l)(-(p-ir2 modêp /êp. La valeur de dq s'obtient de façon similaire en remplaçant les indices p par des indices q. So in CRT mode, you can store in memory in the card only the necessary values p, q, dp, dq, and iq. The partial exponent dp (respectively dq) can also be obtained directly from e and from, (p) = p-1 (respectively # (q) = q-1). The methodology used for the calculation of d applies to the calculation of dp by replacing n by p and # (n) by, (p) = p-1. We set êp = ep + Cp *, (p) with ep = emod (pl) and Cp = (cp - e) (p-1) # (#) modII, where cp is an invertible element modulo #. If êp is prime, then get

dp = (1 + (pl) (- (p-ir2 modêp / êp. The value of dq is obtained in a similar way by replacing the indices p by indices q.

The advantage of direct calculation in CRT mode is, depending on the portable device, increased processing speed and / or memory gain.

<Desc / Clms Page number 9>

Finally, and with reference to FIG. 1, the invention also relates, implanted on a microprocessor card 1, commonly called smart card, a cryptographic system 2, or cryptosystem, comprising a central processor 3 and, connected to the central processor 3 , a memory (ROM) 8 for storing an RSA cryptographic program, a memory (EEPROM) 9 for storing private cryptographic parameters and a memory (RAM) 10 for work. A cryptoprocessor 11 is here also connected to the central processor 3. In the form of software, the central processor 3 comprises a generator 4 of private prime numbers (p and q), means 5 for determining a private exponent (d) from of a public exponent, according to the relation of e-1 [modulo ppcm (p-1, q-1)], means 6 for, if e is not a prime number, calculate a prime number ê according to the relation ê = e + c * [ppcm (p-1), (q-1)] and means 7 to verify that the number ê is prime.

The invention also relates to the same RSA cryptographic program used in CRT mode.

Claims (11)

 CLAIMS 1.- Method of cryptography, implemented in a portable electronic device with a processor and a memory, comprising the entry of arbitrary numbers e and # and the calculation by the processor of a number d, such as the product of e and d is congruent to 1 modulo #, and its storage in the memory, characterized by the fact that, if e is not prime, we choose a parameter C such that e + C * # = ê is prime, and we calculate the number d from ê. 2. - Method according to claim 1, of RSA type, in which e is a public exponent, d is a private exponent, the product of e and d is congruent to 1 modulo # (n), with, (n) = ppcm ((pl) (ql)), p and q being prime numbers whose product is equal to n and C is such that e + C * # (n) = ê. 3. - Method according to claim 1, of type RSA in CRT mode, in which e is a public exponent, dp is a private exponent, the product of e and dp is congruent to 1 mod # (p), with # ( p) = p - 1, p being a prime number and C is such that ep + C * # (p) = ê, with ep = e mod (p - 1). 4. - Method according to one of claims 1 to 3, wherein the number d is stored in a non-volatile memory. 5. - Method according to one of claims 1 to 4, in which the parameter C is determined (21) by an iterative calculation from an initial value c chosen (20) as the product # of prime numbers. 6. - Method according to claim 5, wherein one takes small prime numbers. 7. - Method according to one of claims 5 and 6, wherein one determines

 (21) the value C by application of the formula C = [(c-e) * À À (f1) -1] mod II. 8. - Method according to claim 7 in which as long as ê is not prime (23), C is calculated from a new value of c. 9. - Method according to one of claims 2 to 8, in which the values of two partial private exponents dp and dq calculated from the two values p and q are stored in memory, according to the formulas <Desc / Clms Page number 11>

 10. - Cryptographic system comprising a central processor and, connected to the processor, means for storing an RSA-type cryptographic program, means for storing private cryptographic encryption parameters and working memory means, the processor comprising means for generating private prime numbers (p and q) and means for determining a private exponent (d) from a public exponent according to the relation

 characterized in that means are provided for, if e is not a prime number, calculating a prime number ê according to the relation

 and means for verifying that the number ê is prime. 11.- The system of claim 8, wherein the means of calculating ê and checking the primality of ê are arranged to proceed iteratively.