FR2850502A1 - Method of authenticating digital signatures using a low cost computer, used in authenticating bankcards or credit cards etc., allows a verifier system to exchange data with a signature system - Google Patents

Abstract

The method includes the signature system A being mounted on a public key (n,g) including an integer module n verifying n=pq, where p and q are first numbers chosen such that the discrete logarithmic problem in the assembly Zn is insoluble in practice, and an integer base g chosen in a group Znasterisk in a manner to present an order s which verifies gs =1 module n, this system signature A having a value of the order such that the secret key is associated to this public key , this public key being disposed with a verifying system B. The number s is chosen in a manner not to be divisible by 2j+1, for an integer j such that 0 is less than or equal to j is less than or equal to M, M being a parameter which is a positive integer or zero.

Description

i

  The present invention relates to public key cryptographic methods and, more specifically, to a digital signature method for enabling a verifier system B to exchange digital data with a system A to test the authenticity of a system. digital data message m exchanged with said system A and a method of authentication or digital identification to enable the verification system B to test the authenticity of the system A. The present invention also relates to a signatory system.

  To secure data exchange over networks, public key cryptography methods are known to provide a high level of security. Their simplicity and their low cost is worth applications like SSL to be widely used for the protection of data exchanged on the Web.

  When a system A and a system B exchange digital data by a network, there is the problem of verifying the authenticity of the sender or the recipient of the exchanged data, to detect cases where the interlocutor is an impostor. For this, there are known methods of authentication or digital identification 20 by which a verification system B can test the authenticity of a system A with which it communicates. In these processes, the system A is provided with a secret key which it is the only one to know and it brings to the verification system B a proof, constructed by calculation, that it possesses this secret key. In addition to protection against forgery, a fundamental property of such a method is the absence of knowledge transfer, that is, the proof provided by system A to system B should not allow system B to find the secret key of system A, even after a large number of iterations of the process.

  Digital signature methods are also known which also solve the problem of verifying the authenticity of an exchanged data message, that is to say also to detect the cases where the message is modified during the transport between the messages. two systems. In these methods, the signatory system A provides by calculation a digital signature which depends on both the secret key and the message, and which enables the verifier system B to test the authenticity of the message. An additional feature of the digital signature is to provide a transferable proof by which any system with the public key of the signatory system A can experience the authenticity of the message. A digital signature is independent of the recipient and verifiable by any recipient receiving the message along with his signature. This characteristic of the digital signature, which distinguishes it in particular from authentication methods, is also called the non-repudiation property.

  It will be appreciated that the digital signature is a separate cryptographic method independent of the encryption methods that can be used to ensure the confidentiality of the message. On the one hand, the signed message can very well be sent in clear to be readable by any recipient, on the other hand, if one wishes to encrypt the message sent, any known encryption method can be used. In addition, it is possible to encrypt a previously signed message or to sign a previously encrypted message without interference between these successive operations. This applies analogously to digital authentication.

  The computational cost required by known public key cryptography techniques hinders their application to certain domains. This results in significant disadvantages, such as the impossibility of producing a real digital signature using a credit card or the impossibility of performing the authentication of an offline credit card with a central server. Indeed, in this case, the verification system is a credit card reader, in which one can store only public data for obvious security reasons. As a result, the security of credit cards and radiotelephones is almost exclusively based on symmetric key cryptography at the moment. Many applications of this type would thus gain security if an authentication or digital signature process was executable by a low-cost smart card or, better still, a simple memory card without a processor.

  To solve this problem, it has been proposed to break down the production of a digital signature in two steps: a preprocessing step, in which preparatory data are generated that are independent of the message to be signed and a termination step of signature, which is done "on the fly" when the message is ready.

  In addition, steps have been taken in the effort to minimize the amount of calculations still to be performed "on the fly." Thus, CP Schnorr, "Efficient Signature Generation by Smart Cards" Journal of Cryptology, 4, 1991 , pp. 161 - 174 proposes a method in which the operations remaining to be performed "on the fly" consist of a modular addition and a single modular multiplication. These operations are reduced to a single regular multiplication in the method proposed by G. Poupard and J. Stern, "Security analysis of a practical authentication and signature generation", Proceedings of Eurocrypt 96, Lecture Notes in Computer Science 1403, Springer-Verlag, pp. 422-436 (1998) In the latter method, referred to as the GPS method below, the suppression of modular multiplications is also advantageous in terms of key length and signature length. To obtain a security level corresponding to 280 elementary operations, a secret key of 160 bits and a signature of 420 bits are enough.

  Takeshi Okamoto, Mitsuru Tada and Atsuko Miyaji's article "An Improved Signature Scheme without Multiplication" in Pre-proceedings of Financial Cryptography 02, describes an authentication method and a digital signature method, in which a signatory system A is provided with a public key (n, g) including an integer module n satisfying n = pq, op and q are selected prime numbers such that the problem of the discrete logarithm in the set Zn is insoluble in practice, and an integer base g chosen from the group Zn * so as to present an order s which satisfies gS = 1 modulo n and 2k-'1 <s <2k. The signatory system A is provided with the value of the order s as a secret key associated with said public key (n, g), while the public key (n, g) is made available to a verification system B. To be authenticated by the system B, the system A performs the following steps: choose an integer r satisfying 0 <r <2a, calculate an integer x satisfying x = gr modulo n and transmit it to the system B, receive in response to a number e chosen by the system B satisfying O <e <2, v calculate the integer y satisfying y = r + (e modulo s) and transmit it to the verifier system B. The verification system B compares the number y received to an upper bound S satisfying S = 2a + 2k to recognize its interlocutor as non-authentic when y> S, and the verifier system B calculates the integer x, = gY-e modulo n from the number y received. The system A is recognized as authentic when y <S and x '= x.

  The digital signature method is derived from this digital authentication method using the technique described by A. Fiat, A. Shamir, "How to prove yourself: practical solutions of identification and signature problems", in Proceedings of Crypto 86, Lecture Notes in Computer Science 263, Springer-Verlag, pp. 181-187 (1987).

  The security of this type of digital signature is based on the deemed non-invertible character of a mathematical operation, that is to say here of the discrete exponentiation operation in the set Zn, which can also be denoted Z / nZ . Within the meaning of the invention, a mathematical operation is deemed to be non-invertible when the calculation consisting of inverting it presents an extreme difficulty, taking into account the existing calculation means. In other words, this is the extreme difficulty of calculating the integer r when we know the integer x. This ensures the secret character of the private key x of the signatory system A. In fact, it is impossible in practice to solve this problem, said discrete logarithm, for relatively large numbers p and q.

  In these methods, which will be referred to as OTM processes below the name of the authors, no multiplication is required in the signature termination or proof of authenticity step. On the other hand, this step requires a modular reduction of the number e, an integer of length b bits, by the secret key s, an integer of length k bits. The calculating cost of this operation obviously depends on the value of the parameters b and k.

  The above method has been proposed with the following parameter values: k = 160, a = 224, b = a + t o f = 24. With these 35 values, the computational cost is small and a signature size reduced to 304 bits is claimed, which would take the advantage over the GPS process.

  However, this method has a security flaw that makes the f = 24 value unacceptable. This flaw stems from the fact that it is enough for an imposter wanting to be authenticated by the verification system B instead of a system A to guess the (C + 1) bits of the strongest weight of e to succeed.

  More precisely, from the point of view of authentication, the impostor can proceed in the following way: - choose, before knowing the number e, a number e 'of the form e' = e12a - '+ e0 with el < 2t + 1 and e0 <2a-1 - randomly choose a number r to calculate a number x by raising g to the power (r-el2a-1), that is: x = g (r-e '+ eO) modulo n - on receipt of the question e of the verifier system B, compare the (f + 1) most significant bits of e with el and, if they are not equal, start again with another value of el.

  As soon as, by chance, el is equal to the (f + 1) most significant bits of e, the imposter is correctly authenticated by returning the number y = r + e0 because the two equations y <S and x = gy-e modulo n are obviously verified.

  Similarly, for an impostor wanting to counterfeit the signature of a message m, one possibility is to: - choose an integer el represented on (f + 1) bits - randomly choose a number r to calculate then a number x (modulo n) by raising g to the power (re, 2al), - compute the number e = H (x, m), H being a cryptographic hash function, - compare the (f + 1) bits of the strongest weight of e with el and start over with another if they are not equal. Once el is equal to the (f + I) most significant bits of e, the signature (x, e, y) is recognized authentic by returning the number y = r + e0.

  Forging a signature or a proof of authenticity according to the OTM methods therefore requires 2t + 1 operations, ie a few minutes of calculation for the value f = 24. As a result, the safety of the OTM processes can only be made acceptable by raising the value of t to minus 80. Indeed, the safety terminal 1 / 2b should be replaced by 1 / 2e in Theorem 4 of the OTM article.

  On the other hand, the parameter a, which defines the bound 2s / 2a of Theorem 5 concerning the absence of knowledge transfer in the OTM article, should be raised to k + 80, since the 2s / 2a terminal concerns a single execution of the method and should therefore be multiplied by the number of authorized signatures or authentications. Under these conditions, the signature termination operation in the OTM method comprises the modular reduction of a number of 320 bits by a number of 160 bits. Based on the performance of the modular reduction functions described by A. Bosselaers et al. "Comparison of Modular Reduction Functions", Proceedings of Crypto 93, Lecture Notes in Computer Science 773, Springer-Verlag (1994), this operation is ultimately estimated to be twice as expensive as the signature termination operation in the GPS method. , at equal security level.

  The signature verification operation of the OTM method also becomes extremely expensive under these conditions.

  The purpose of the invention is to provide authentication and digital signature methods which offer, for a given level of security, advantageous properties in terms of computational cost, speed of execution, especially for signature termination, and signature length or proof of authenticity.

  The invention also aims to provide authentication and digital signature methods executable by devices of low computing power, such as smart cards, radiotelephones, personal digital assistants and the like. The invention also aims to provide authentication and digital signature methods executable by a memory card.

  For this, the invention provides a digital authentication method for enabling a verification system B capable of exchanging digital data with a system A to test the authenticity of said system A, wherein said system A is provided with a public key (n, g) including an integer module n satisfying n = pq, op and q are prime numbers chosen such that the problem of the discrete logarithm in the set Zn is insoluble in practice, and an integer base g chosen in the group 35 Z ,, * so as to present an order s which satisfies gs = l modulo n, said system A being provided with the value of the order s as a secret key associated with said public key (n, g), said public key (n, g) being made available to the verification system B, characterized in that the number s is chosen so as not to be divisible by 2j + 1 for at least one integer j such that 0 <j M , M being a predetermined positive or zero integer parameter, and that: the system A obtains an integer r represented on at least f + M bits, where i is a predetermined positive integer parameter, and an integer x satisfying X = gr modulo n, the system A transmits the number x to the system verifier B, 1 0 the verification system B chooses an integer e represented on at least M + f bits, the verification system B transmits the number e to the system A in response to the number x, the system A calculates from the integers s , e and r an integer y satisfying y = r + Xs, where X is an integer chosen so that the respective binary representations of the numbers e and y are identical over a predetermined portion consisting of t bits having weights such that that M <i, and the system A transmits the number y to the verifier system B, and that the verifier system B performs the steps of: calculating an integer x 'satisfying x' = gy modulo n from the number y received and the public key (n, g), compa the respective binary representations of the number e and the number y received on said predetermined portion, to recognize the system A as non-authentic when two bits e and y; having the same weight i and belonging to said predetermined portion are not equal, comparing the number x 'calculated with the number x received to recognize the system A as non-authentic when x' # x, the system A being recognized as authentic by the system checker B when x = x 'and ej = y1 for all bits of weight i belonging to said predetermined portion.

  The invention also provides a digital signature method for enabling a verifier system B to exchange digital data with a signatory system A to test the authenticity of a digital data message exchanged with said signatory system A, in wherein said signatory system A is provided with a public key (n, g) including an integer module n satisfying n = pq, op and q are selected prime numbers such that the problem of the discrete logarithm in the set Zn is insoluble in practice, and an integer base g selected from the group Z "'* so as to present an order s which satisfies gs = l modulo n, said signatory system A being provided with the value of the order s as a secret key associated with said public key (n, g), said public key (n, g) being made available to the verification system B, characterized in that the number s is chosen so as not to be divisible by 2i ', for at least an integer j such that 0 <j <M "M is a predetermined positive or zero integer parameter, the signatory system A performing the steps of: obtaining an integer r represented on at least f + M bits, t being a parameter predetermined positive integer, and an integer x satisfying 15 x = g modulo n, calculating an integer e = T (x, m) dependent on the message m and the number x by means of a predetermined noninvertible transformation T, the number e being represented on at least f + M bits, calculating from integers s, e and r an integer y satisfying y = r + s, where X is an integer selected so that the respective binary representations of numbers e and y are identical over a predetermined portion consisting of f bits having weights i such that M <i, and transmitting to the verification system B a digital signature including the number y, and that said verifier system B performs the steps of : calculate a name integer e '= T (x', m) depending on the message m and a number x 'with the aid of said non-invertible transformation T, the number e' being represented on at least f + M bits, the number x 'being calculated or received by the verification system B, and comparing the respective binary representations of the calculated number e' and the number y received on said predetermined portion, to recognize the message m exchanged as non-authentic when two bits e1 'and yi having the same weight i and belonging to said predetermined portion are not equal, the message m exchanged being recognized as authentic by the verification system B when the number y received and the number x 'satisfy x' = gy modulo n and that e1 '= yi for all bits of weight i belonging to said predetermined portion.

  The guiding idea of these methods is to replace the modular reduction operation provided in the OTM processes by a matching operation or "dovetailing", which will be described below, or a similar operation. An essential advantage of these methods lies in the low computational cost and, surprisingly, in the ability of such an operation to be performed very efficiently by means of a computer program or with the aid of a wired logic without processor. The step of signing termination or proof of authenticity is thus made faster and available to low-cost systems, such as smart cards. For a given security level, the key length constraints are similar to those of the OTM method, but the number of operations required to form a signature or proof of authenticity is smaller, and even lower than that required. of the GPS process.

  Finally, the method according to the invention makes it possible to obtain digital signatures that are shorter than the known OTM and GPS methods.

  Within the meaning of the invention, a system designates a data processing system provided with calculating means, programmable or not, storage means and a communication interface for exchanging data. Anyone wishing to apply a digital signature or authentication method, as signatory / proof provider or as recipient / verifier, must obviously use such a system. The signatory entity, for example a natural or legal person, and the recipient entity, for example a natural or legal person, are therefore considered to be equivalent to the systems they use, designated respectively by the terms "signatory system A" and "signatory system A". For the purposes of the invention, an integer is a number that can be accurately represented in a binary form. In the binary representation of integers, it is recalled that the weight of a bit is the integer i such that said bit represents the integer 2 '. In other words, one bit has a greater weight than another bit if it represents a larger integer than this other bit. There are several conventions for the binary representation of integers, for example with respect to left-to-right or right-to-left writing, and how to represent the sign. The methods according to the invention apply whatever the convention chosen.

  According to a particular embodiment of the invention, the digital signature transmitted by the signatory system A to the verifier system B consists solely of the number y, and the verifier system B calculates the number x 'from the number y received and the public key - (n, g) so that x '= gY modulo n.

  According to another particular embodiment of the invention, the digital signature transmitted by the signatory system A to the verification system B also comprises the number x, which is received by the verification system B as a number x ', and the verification system B calculates the number z = gy modulo n and compare it to the number x 'received to recognize the message m exchanged as non-authentic when z # x'.

  Preferably, in the authentication method or in the digital signature method, said predetermined portion consists of consecutive bits having weights such that M <i <f + M.

  Advantageously, in the authentication method or in the digital signature method, the order s is chosen such that O <s <2k, k being a predetermined integer parameter satisfying k> ú + M, preferably k> 2t + Mr. Advantageously, the number r is chosen such that O <r <2a, where a is a predetermined integer parameter such that ak- + f + M.

  Advantageously, the number e is calculated such that O <e <2e + M. Thus, the number e is reduced to the smallest possible number of bits.

  Preferably, in the authentication method or in the digital signature method, the verification system B compares the received number y with an upper bound S satisfying S = 2a + 2k + t + M to recognize the message m exchanged, respectively l the identity of the system 30 A, as non-authentic when y> S, the message m exchanged, respectively the identity of the system A, being recognized as authentic by the verification system B under the additional condition that y <S. This additional optional verification step enhances the security of the methods according to the invention against fraud attempts. In particular, an imposter seeking to counterfeit a signature or a proof of authenticity is thus detected if he builds, by another method than the intended operation, a number y longer than the expected length.

  Advantageously, the parameters a and k satisfy a = 4C and k = 2C. These values offer an optimal compromise between, on the one hand, the safety of the processes according to the invention and, on the other hand, their computational cost and the compactness of the exchanged data.

  Preferably, the system A calculates the number y by an iterative method comprising the steps of: (EO) initially choosing a result variable y equal to the number r and an increment s' equal to the number 2M- * sj: (E ) perform a test of equality between two bits e1 and yi having the same weight in the respective bit representations of the number e and the result variable y, starting with the bits of weight M, (E2) adding or not said increment s 'to the result variable y, as a function of a result of said equality test, (E3) recalculating the increment s' by shifting its binary representation by a positive number of positions in the direction of the bit weights (E4) repeat the steps (E1) to (E3) for bits of higher weight in the binary representations of the number e and the result variable y, until the bits of weight i + M are reached. In this way, it is not necessary to explicitly determine the number S. According to one particular embodiment of the invention: in step (E2), the increment s' is added to the result variable y if the bits e, and yI compared in step (E1) are unequal and the result variable y is not modified if bits ei and y; compared in step (E1) are equal, in step (E3), the binary representation of the increment s' of a position in the direction of the increasing bit weights is shifted at each iteration, in step (E4), we repeat the steps (El) to (E3) for the next two bits of weight in the binary representations of the number e and the number y.

  According to a particular embodiment of the invention, said non-invertible transformation T comprises at least the formation of an integer w depending on the message m and the number x, the calculation of the image of said number w by a function of cryptographic hash H taking values between 0 and 2h with h> E + M, and a truncation operation at C + M bits of a result of said cryptographic hash function H. The numbers e and e 'thus verify O <e <2 + M and O <e '<2 n Preferably, the module n, the base g and the order s are generated by said system A, and said signatory system A transmits the module n and the base g to an authority certification that makes said public key available to the verification system B in a certified form.

  The invention also provides a signatory system 10 suitable for implementing the above-mentioned digital signature method, characterized in that it consists of a printed logic circuit including: a first memory register and a second memory register for storing respectively a number e and a number r, a third memory register for storing a number s, a bit comparator having two inputs respectively connected to the first memory register and the second memory register to compare pairs of equal weight in pairs; in said memory registers, a multiplexer having two data inputs respectively connected to said third memory register and to a memory register storing a zero value and a switching line connected to an output of said bit comparator for selecting one of said registers memory according to a result bit produced by said bit comparator and for placing the contents of the selected memory register in an output register of said multiplexer, an adder circuit having two operand inputs respectively connected to said output register and said second memory register and an output connected to said second memory register for Summing a respective one of said registers and replacing a content of said second memory register with a result of said sum, an offset component for shifting one bit in the direction of increasing weight a content of said third memory register, and an interface connected to at least said second memory register for transmitting the contents of said register to a verification system.

  Such a circuit can be made in the form of a low-cost memory card, without a microprocessor. The verification system then includes a corresponding card reader, of known type.

  The invention will be better understood, and other objects, details, features and advantages thereof will become more apparent in the following description of several particular embodiments of the invention, given solely for illustrative purposes and not limiting with reference to the accompanying drawings. In these drawings: FIG. 1 is a schematic functional representation of a device for implementing a digital signature or authentication method according to the invention; FIG. 2 is a schematic functional representation of FIG. a printed circuit suitable for implementing the digital signature method according to the invention.

  FIG. 1 very simply illustrates a data transport network R, for example the Internet, through which a system A, a system B and a system C communicate. The system A is used by an entity which must prove its authenticity, that is, its identity, or prove the authenticity of a digital data message to another entity using System B. System B is used by the entity to verify the authenticity of the data. system A or the authenticity of the message m. The system C is used by a certification authority, that is, a third party trusted by all users.

  Preliminary Phase In a preliminary phase, integer security parameters L, k, a and f are set and known from systems A and B. Their values are chosen according to a desired security level. For example L = 1024, a-320, k = 160 and f = 80 correspond to a level of security recognized as satisfactory at the present time.

  System A obtains a pair of keys comprising a secret key s and a public key (n, g) including an integer module n and an entire base g. These numbers satisfy the following properties O <n <2L, that is to say that n is represented on L bits, n = pq, p and q being prime numbers chosen large enough to make the computation of the logarithm practically unfeasible discreet overall Zn.

  In other words, n is an RSA integer.

  g is an element of the set Zn *.

  O <s <2k, that is, s is represented on k bits.

  s is the order of the element g in the group Zn *, that is to say that gs = 1 modulo n.

s is chosen odd.

  The number s must be known exclusively by the 10 A system. The safest way to achieve this goal is to generate the key pair in system A and store the secret key s in a protected memory of system A. A method for generating such a key pair will be described below.

  The public key (n, g) of the system A is then certified by the certification authority having the server C connected to the network R. This key is then sent to the verification system B in the form of a digital certificate, this exchange may take place at any time before the verification system B begins the verification operations. Such a certificate is known to those skilled in the art and allows the verifier system B to verify that the public key (n, g) belongs to the system A. For example, the certificate is formed by the certification authority by concatenating the public key (n, g) and data discriminatingly identifying system A (name, address, etc.). Any verification system must be familiar with the public key of the certification authority to read the digital certificate. Currently, the public key of the CA is published in a directory accessible to any user.

  Digital Authentication Method For system B to experience the authenticity of System A, these systems perform the following steps: System A randomly chooses an integer r such that 0 <r <2a, i.e. that the integer r is represented on a bits. Preferably, it is verified that r does not start with a number of bits equal to 0 and, in the rare case of this type, the selection of r is repeated. One can also impose r> 2al.

  System A calculates the integer x satisfying x = gr modulo n.

  The system A transmits the number x to the system B. The system B randomly chooses an integer e such that O <e <2e, that is to say that the integer e is represented on f bits.

  System B transmits the number e to system A in response to the number x.

  System A calculates from integers s, e and r an integer y satisfying y = r + Xs, where X is an integer chosen so that the respective binary representations of the numbers e and y are identical over the portion consisting of t bits having the lowest weights, i.e. weights such as O <i <fl. The calculation of it is done by a matching process or "dovetailing" which will be described below.

  System A transmits the number y to System B. Then System B performs the following verification steps.

  System B compares the number y received at the terminal S = 2a + 2k + E. If yÄS, the system A is recognized as non-authentic and the authentication process ends in failure. This step is not required, however.

  Then system B compares the portion made up of f bits 20 having the lowest weights of the binary representation of the number y received with the number e previously chosen. The system A is recognized as not authentic when a bit yi having a weight i such that O <i <t-1 is not equal to the bit of the same weight e1 of the binary representation of the number e.

  Then the system B calculates the integer x '= gy modulo n from the number y received and the public key (n, g) and compares the number x' with the number x previously received. System A is recognized as not authentic when x '# x and the authentication process ends in failure.

  Finally, system A is recognized as authentic by system B when x = x '. If the step of comparing with the terminal S is performed, the additional condition y <S must also be satisfied.

  Digital Signature Method The digital signature method is derived from the authentication method by the known art. The preliminary phase is identical to that of the authentication method and further comprises the choice of a non-invertible transformation T which will be used by the signatory system A and the verification system B. It is assumed that the system A and the system B have exchanged or will exchange a digital data message m and that the system A must produce a digital signature associated with the message m. For example, the message m accompanied by the signature is sent by the system A to the system B, which must check whether the message it receives is authentic. Conversely, the message m may have been transmitted by the system B to the system A, which must acknowledge the message by means of a digital signature.

  To produce the signature, the signatory system A performs the following steps: - choose an integer r such that O <r <2a, that is to say that the integer r is represented on a bit. Preferably, it is verified that r does not begin with a number of bits equal to 0 and, in the rare cases of this type, the selection of r is repeated. We can also impose r> 2.

  calculate the integer x = gr modulo n, calculate an integer e by applying the non-invertible transformation T to the message m and to the number x, ie e = T (x, m). The transformation T is a function with values in the interval [0, 2c [, i.e., the integer e is represented on t bits.

  and calculating an integer y satisfying y = r + Xs, where X is an integer chosen so that, in the binary representation of the number y, the portion consisting of E bits having the lowest weights, that is, the weights i such that 0 <i <ú-1, is identical to the number e. The calculation of it is done by the matching operation or "dovetailing" which will be described below. The signature that system A sends to system B consists of the number y.

  To test the authenticity of the message m received by the system A or the system B, the system B performs the following verification steps: compare the number y received at the terminal S = 24 + 2. If yÄdS, the message m is recognized as non-authentic and the check ends with a failure. This step is not required, however.

  calculate the integer x '= gy modulo n, - calculate the integer e' = T (x ', m) from the message m received or sent by the system B, from the number x' calculated by the system B and of the non-invertible transformation T, - and comparing the portion consisting of t bits having the lowest weights of the binary representation of the received number y with the number e '. The message m exchanged is recognized as non-authentic when a bit yj having a weight i such that O <i <ú-1 is not equal to the bit of the same weight ei of the binary representation of the number e '.

  Finally, the message m exchanged is recognized as authentic by the verification system B under the condition that ej '= yi for all bits of weight i such that O <i <. If the step of comparing with the terminal S is performed, the additional condition y <S must also be satisfied.

  In the non-invertible transformation T, a cryptographic hash function H is used, which is for example one of those defined by the standards MD5 and SHA-1, the result of which is h bits, with h = 128, respectively h = 160. There are several ways to build an appropriate T transformation. For example, we apply the hash function H to a number w obtained by concatenating the number 20 x and the message m, denoted w = xllm, and we truncate the result at f bits, for example by keeping the C bits of lowest weight of the result. Alternatively, one can also calculate H (H (x), m) or H (mllxllm) or else H (H (x), H (m)), etc., and truncate the result to f bits each time. Truncation can be done by keeping bits other than those with the lowest weight. Each time, the non-invertible transformation T is known from systems A and B and makes it impossible to calculate x starting from e and m.

  In an alternative embodiment, the number x is included in the digital signature transmitted by the system A to the system B. In this case, the verifier system B compares the number x that it receives with the number x '= gy modulo n qu it calculates and it recognizes the message m as not authentic when x # & x '. In this variant, the message m exchanged is recognized as authentic by the verification system B under the additional condition x '= x. However, this variant has the disadvantage of lengthening the digital signature of L bits, for example by 1024 bits.

  Preferably, the calculation of the number x by the system A is done in the background, in a pre-processing step, so as to keep in memory a couple (r, x) available for the next signature or the next authentication required . It is also possible to store a reserve of pairs (r, x) in the system A, for example as described in the document FR2716058.

  In an alternative embodiment, the calculation of the number x is not entirely done by the system A, but is subcontracted, at least partially, by one or more assistance systems with which (s) System A communicates. This variant is particularly advantageous when the system A has a reduced computing power, for example in the case of a smart card or a radiotelephone. Preferably, such subcontracting must be carried out without disclosing the number r to third parties. The number r can be chosen by the system A or calculated by the system A from a plurality of antecedents which are transmitted to the system A by the system (s) of assistance. For this, one can refer to the methods described in the French patent application registered under No. 02 02596.

  In terms of security, the probability of counterfeiting the proof of authenticity or the signature there without knowing the secret key is of the order of 2-t and the statistical factor of transfer of knowledge for an execution of the process of authentication is controlled by 2s / 2 -k-. The aforementioned parameter values thus provide a level of security, measured by the probability of being able to authenticate without knowing the secret key s, of the order of 2-80. Compared to the OTM methods, for the same level of security, the aforementioned methods allow the use of a much smaller number e, of the order of 80 bits, so that the total number of bits exchanged is reduced.

  With the aforementioned parameter values, the length of the proof of authenticity or signature is of the order of a bits, since a>> k + f, or about 320 bits. In the authentication method, this length can be further reduced by t bits by omitting to transmit the f bits having the lowest weights in the number y.

  In this case, the system B begins by concatenating the part of the number y received with the number e, to reconstitute the complete number y. In the signature method, it is unnecessary to include the number e in the digital signature, since the number e is deductible from the structure of y, which is also advantageous compared to the OTM method.

  If a slightly lower security level is allowed, the values a = 256, k = 128 and t = 64 can also be adopted. These values are examples considered reasonable at the present time, but more values. Higher levels may be needed in the future, given the increased performance of computers. For example, it is also possible to choose L = 2048 to increase security. However, this results in an increase in the cost of modulo n calculations. The choice of the security parameters L, a, k, and t therefore necessarily results from a compromise between a security level and a computational cost. A choice verifying a = 4 and k = 2- always seems advantageous in this respect. Operation of "dovetailing" For the purposes of the invention, the operation of matching or "dovetailing" is defined in the following manner. Let s be an odd integer. Let e be an integer represented on t bits. Let r be an integer represented on a bit, axis. The result of the matching or "dovetailing" of the pair (re) with respect to the number s, denoted D, (r, e), is equal to the sum of the number r and a small multiple of the number s. , the sum in which the t bits with the lowest point agree with the number e. This operation is used in the authentication method and digital signature method described above to calculate the number y = D, (r, e).

  One way of doing this is to first determine a correct value of the number S. There is a unique modulo solution, namely 1 = (e-r) s-modulo t.

  However, there are algorithms to perform this operation more efficiently, without necessarily explicitly determining the number S. Appendix 1 describes a simple iterative algorithm in a simplified computer language. The notation s "1 means that the binary representation of the number s is shifted by one position in the direction of the increasing bit weights, that is, the number s is multiplied by 2. This algorithm requires on average t / 2 additions of a number of k bits to a number of about a bit If we neglect the few additional additions due to the propagation of the restraint in some pathological cases, the number of additions to 8 bits is the same as in the GPS process.

  Since it is almost as fast to subtract two integers 5 as to add them, the execution time of the operation can be further reduced by optimizing "on the fly", at each iteration, the number of bits of the intermediate result r which are made equal to the corresponding bits of e. Appendix 2 describes a corresponding iterative algorithm, in a simplified computer language, suitable for the case where s = l modulo 4. 10 The case where s = 3 modulo 4 is treated in a similar way.

  In the algorithm of Annex 2, when a bit ri of the temporary result r concides with the corresponding bit ei of the number e, the only operation is to shift the number s by 1 bit in the direction of increasing bit weights. When these two bits ri and es do not concide, an addition or a subtraction is made which makes these two bits coincide with two additional bits, as well as an operation of shifting the number s of 2 bits in the direction of the weights of the two bits. increasing bits. Thus, the average number of additions or subtractions between a number of a bits and a number of k bits to fully execute the algorithm 20 is f / 3, which means that kt / 24 additions of integers out of 8 bits are needed, about 540.

  In comparison, the GPS method requires 800 additions of 8-bit integers. Even if it is possible to similarly optimize the multiplication operation of the GPS method, by introducing subtractions into the conventional multiplication algorithm, it will not be possible to achieve the same efficiency as in the operation. of "dovetailing", because of the existence of deductions that are useless in the "dovetailing" operation.

  Key creation step To generate its personal key pair, system A can proceed as follows: - randomly select two prime numbers p and q each represented on approximately L / 2 bits, and such that the numbers (p- 1) and (qi) are respectively divisible by respective prime factors p 'and q' represented on approximately k / 2 bits. Preferably, we impose p> 2L / 2-1, q2L / 2-, 1p 2-1 and q '> 2k / 2- - choose n = pq, so (p (n) = (p-1) ( q-1), o (p denotes the Euler indicator.

  - choose s = p'q ', so it is necessarily odd. Since s divides (p (n), there is necessarily a subgroup of order s in Zn.

  - randomly select a go element in Zn, * and check if ord (go) = p (n), which is likely. If not, choose another element go - in the positive, choose g = go (p (n) / s * Just like the secret key s, the numbers p and q must be known only by the system A. The system A can store the numbers p and q in a protected memory, for example to be able to optimize the calculation of the number x by the technique of the Chinese remains In a variant, the system A can also erase the numbers p and q after the creation of the keys (n, g) and s.

  There are also other techniques for generating a triplet (n, g, s) suitable. Preferably, s> 2k-i is imposed. On the other hand, if one uses a technique which does not always obtain an odd number, it is possible to weaken this constraint by slightly modifying the signature method and the authentication method described above. . An embodiment corresponding to this case is described below.

  Embodiment with M> O Compared to the above embodiments, an integer parameter M> 0 is added which is fixed and known from the systems A and B. Instead of being odd, it is only required that the number s let not be divisible by 2j + 1, for at least one integer j such that Oj <M. The embodiment in which s must be odd corresponds to the preferential case M = 0.

  The methods described above are modified as follows. The numbers e and e 'are represented on E + M bits and a>> M is selected.

  In the calculation of the number y, the system A performs a modified matching operation, whereby it is the bits of the number y having a weight i such that M <i '<+ M are made equal to the corresponding bits of the number e. For this, in the algorithms described in Annexes 1 and 2, it is only necessary: - to add a step of initialization of the increment, in which the number s is initially shifted by Mj positions in the direction of increasing bit weights , and - replace the value i by the value i + M in the bit indices, that is to say for example that ri is replaced by ri + M.

  In the step of checking the number y, the verification system B then compares the numbers y and e on the portion consisting of bits of weight i such that M <i <t + M. The S terminal; becomes S = 2a + 2k + C + M.

  This variant has the advantage of giving third parties less information about the number s. But this advantage is offset by a disadvantage, which is the increase in the length of the numbers y and e.

  Embodiment with non-consecutive bits With M = 0 or M> O, it is also possible to modify the matching operation or "dovetailing" to concide the binary representations of the numbers e and y on a portion consisting of f non-consecutive bits. For this, in addition to the parameter Y, the systems A and B must know a predetermined batch of t distinct weights greater than or equal to M. The highest weight of the batch is then necessarily greater than or equal to M + L. The numbers e and e 'must be correspondingly elongated to present bits having the highest weight of the predetermined batch. The operations of calculating the number y by the system A and checking the number y by the system B are correspondingly modified to respectively create and check the agreement of the bits of the number y and the number e for each weight i of the batch. predetermined.

  For the calculation of the number y, it is then necessary to modify the algorithm of the appendix 1 to sweep by the index i all the predetermined batch, always progressing towards the weight of increasing bits, and to shift each time the increment s of a number of positions corresponding to the difference between two successive weights in the predetermined batch.

  Hardware Implantation The various described embodiments of the methods can be implemented automatically by a corresponding programming of the A and B systems. The realization of such programming is within the competence of those skilled in the art. For example, the values of the parameters L, k, a, E and M as well as the choice of the non invertible transformation T are fixed in the programming of the systems A and B. Alternatively, these values and this choice can be communicated to the systems. A and B by the certification authority.

  However, the "dovetailing" operation can also be performed efficiently by wired logic. With reference to the algorithm of appendix 1, such wired logic is realized by following, for each iteration of the loop, the following general principles: the bits of the numbers r and e are compared to determine whether add 0 or s to the number r.

  the additions are carried out by means of adders with three inputs of a given size, for example 8 bits.

  Each addition between r and s is performed in parallel on all the 8-bit three-input adders, but the holds are propagated only once between the three-input adders. The remaining holds are reintroduced into the three-input adders during the next iteration. This is made possible by the fact that, when the iteration of rank i is performed in the loop, it suffices that the bit of weight i is correct in the number r. The remaining calculations to complete the additions can therefore be deferred until the next iteration.

  the number s is shifted by one position using a conventional component.

  Because the holds propagate only once at each iteration, each addition between the numbers r and s requires only two clock cycles. Propagation of the remaining holdbacks should be done only once after the main "while-end 30 while" loop. In fact, when using 8-bit adders, it is necessary to carry out the step of propagating the remaining detentions only once every 8 clock cycles. We still get the correct value of r at the end of the calculation. Therefore, at the cost of a more complex clock algorithm, it must be possible to perform the 35 "dovetailing" operation using a wired logic substantially at the same cost as the multiplication operation. of the GPS process.

  FIG. 2 diagrammatically represents an embodiment of the signatory system A, produced in the form of a printed circuit by following the abovementioned principles. A first register 1 is used to store the number e. A second register 2 serves to store the number 5 r. The registers 1 and 2 are connected to a bit comparator 3 for comparing the bits of weight i in the registers 1 and 2. The output of the bit comparator 3 transmits a result bit 0 or. 1 on the switching line 11 of a MUX multiplexer having two inputs, to select one of these two inputs. The first input is connected to a register 4 for storing the number s and the second input is connected to a register 5 storing the number 0. As a function of the output bit of the bit comparator 3, the output register 6 of the The multiplexer Mux receives the number s or 0. The adder circuit 7 consists of a series of three-input adders whose connections relating to the propagation of the detentions are not represented. The two operand inputs of the adder circuit 7 are respectively connected to the registers 2 and 6. The output adder circuit 7 is connected to the register 2 to replace the contents of the register 2 by the result of the addition.

  As mentioned above, this result can be more or less complete with respect to its most significant bits, depending on how the holds are propagated at each iteration. The offset component 8 serves to shift by one bit the contents of the register 4 at each iteration. After calculating the number y, which replaces the number r in register 2 at the end of the main loop, the contents of register 4 are reset to the value s by appropriate offset operations or by loading the number s from a permanent memory 12. There is also an interface 10 connected to the register 2 for transmitting the final content of this register, namely the digital signature, to the verification system B. The calculation of the number e placed in the register 1 is performed 30 by a printed circuit known in itself performing the hashing of two operands, namely the number x and the message m, which are stored in corresponding memory registers, not shown.

  Such a printed circuit board is placed in a carrier to form a conventional format memory card. The interface 10 comprises electrical contacts for cooperating with the read head of a corresponding card reader, which may for example be included in the verification system B. According to a particularly simple embodiment, a plurality of pairs of numbers ( r, x) are loaded in advance in the memory registers of the card to be able to perform a corresponding number of signatures.

  Although the invention has been described in connection with several particular embodiments, it is quite obvious that it is in no way limited thereto and that it comprises all the technical equivalents of the means described and their combinations if they are are within the scope of the invention.

  Annex 1: bitwise "dovetailing" algorithm Inputs r, e, s Outputs Ds (r, e) replaces ri <- O while i <lel do if ri # ei then r <- r + s end if s <- s << l 10 i <i + l end while Appendix 2: two-bit dovetailing algorithm Inputs r, e, s Outputs Ds (r, e) replaces ri <-O while i <lel do if ri = ei then s <-s <"l 20 i-i + i else if i = <lel-1 then r <-r + if <-i + l 25 else t = (2ri + l + ri-2ej + l-ei) modulo 4 ift = 1 then r <- rs else r-r + s end if s - s << 2 i <-i + 2 endif 35 endif while

Claims (18)

  A digital signature method for enabling a verifier system B to exchange digital data with a signatory system A to test the authenticity of a digital data message exchanged with said signatory system A, wherein said signatory system A is provided with a public key (n, g) including an integer module n satisfying n = pq, op and q are selected prime numbers such as the logarithm problem; Discrete in the set Zn is insoluble in practice, and an integer base g chosen in the group Zn * so as to present an order s which satisfies gs = 1 modulo n, said signatory system A being provided with the value of the as a secret key associated with said public key (n, g), said public key (n, g) being made available to the verification system B, characterized in that the number s is chosen so as not to be divisible by 2i + ', for at least one integer j such that 05j <M, M being a predetermined positive or zero integer parameter, the signatory system A performing the steps of: obtaining an integer r represented on at least E + M bits, f being a predetermined positive integer parameter, and an integer x satisfying x = g modulo n, calculating an integer e = T (x, m) dependent on the message m and the number x using a predetermined non-invertible transformation T, the number e being represented on at least f + M bits, calculating from integers s, e and r an integer y satisfying y = r + ls, where X is an integer chosen so that the respective binary representations of the numbers e and y are identical to a predetermined portion consisting of f bits having weights i such that M <i, and transmitting to the verification system B a digital signature including the number y, and that said verifier system B performs the steps of calculating an integer e ' = T (x ', m) depending on the message m and a number x' with the aid of said non-invertible transformation T, the number 35 e 'being represented on at least f + M bits, the number x' being calculated or received by the verification system B, and comparing the respective binary representations of the number e 'calculated and the number y received on said predetermined portion, to recognize the message m exchanged as non-authentic when two bits ei' and yi having the same weight i and apart nt to said predetermined portion are not equal, the message m exchanged being recognized as authentic by the verification system B when the number y received and the number x 'satisfy x' = gY modulo n and ej '= yi for all the bits of weight i belonging to said predetermined portion.   2. Method according to claim 1, characterized in that the digital signature transmitted by the signatory system A to the verification system B consists only of the number y, and that the verification system B calculates the number x 'from the number received there and the public key (n, g) so that x '= gy modulo n.   3. Method according to claim 1, characterized in that the digital signature transmitted by the signatory system A to the verification system B also comprises the number x, which is received by the verification system B as a number x ', and that said The verification system B calculates the number z = gy modulo n and compares it with the number x '20 received to recognize the message m exchanged as non-authentic when z # x'.   4. Method according to one of claims 1 to 3,   characterized in that said predetermined portion consists of t consecutive bits having weights i such that M <i <t + M.   5. Method according to claim 4, characterized in that the order s is chosen such that 0 <s <2k, where k is a predetermined integer parameter satisfying k> t + M, that the number r is chosen such that O < r <2a, where a is a predetermined integer parameter such that a> k + t + M, and the number e is calculated such that O <e <2e + M.   6. Method according to claim 5, characterized in that the verification system B compares the received number y to an upper bound S satisfying S = 2a + 2k + t + M to recognize the message m exchanged as non-authentic when y> S the message m exchanged being recognized as authentic by the verification system B under the additional condition that y <S.   7. Method according to claim 5 or 6, characterized in that the parameters δ, a and k satisfy a = 4f and k = 2f.   8. Method according to one of claims 4 to 7,   characterized in that the signatory system A calculates the number y by an iterative method comprising the steps of: (E0) initially selecting a result variable y equal to the number r and an increment s' equal to the number 2M-is: ( El) perform a test of equality between two bits ei and yi having the same weight in the respective binary representations of the number e and the result variable y, starting with the bits of weight M, (E2) add or not said increment s 'to the result variable y, as a function of a result of said equality test, (E3) recalculating the increment s' by shifting its binary representation by a positive number of positions in the direction of the weights of Increasing bit (E4) Repeat steps (E1) to (E3) for bits of higher weight in the binary representations of the number e and the result variable y until the bits of weight & + M are reached.   9. Method according to claim 8, characterized in that: in step (E2), the increment s' is added to the result variable y if the bits ei and yi compared in step (E1) are unequal and we do not modify the result variable y if the bits ei and y; compared in step (E1) are equal, in step (E3), the binary representation of the increment s' of a position in the direction of the increasing bit weights is shifted at each iteration. step (E4), the steps (E1) to (E3) for the next two bits of weight are repeated in the binary representations of the number e and the number y.   10. Method according to one of claims 1 to 9, characterized by the fact that M = O.   11. Digital authentication method for enabling a verification system B that can exchange digital data with a system A to test the authenticity of said system A, wherein said system A is provided with a public key (n, g) including an integer module n satisfying n = pq, op and q are selected prime numbers such that the problem of the discrete logarithm in the Zn set is insoluble in practice, and an integer base g chosen from the group Zn * so as to presenting an order s which satisfies gS = l modulo n, said system A being provided with the value of the order s as a secret key associated with said public key (n, g), said public key (n, g) being placed at the disposal of the verification system B, characterized in that the number s is chosen so as not to be divisible by 2J +, for at least one integer j such that 0 <j <M, M being a positive integer parameter predetermined zero, and that the system A procures a n integer shadow r represented on at least t + M bits, t being a predetermined positive integer parameter, and an integer x satisfying x = gr modulo n, the system A transmits the number x to the verification system B, the verification system B selects a integer e represented on at least 15 M + t bits, the verification system B transmits the number e to the system A in response to the number x, the system A calculates from the integers s, e and r an integer y checking there = r +% s, where X is an integer chosen so that the respective binary representations of the numbers e and y are identical over a predetermined portion consisting of E bits having weights i such that M <i, and the system A transmitting the number y to the verification system B, and that the verification system B performs the steps of: calculating an integer x 'satisfying x' = gy modulo n from the number y received and the public key (n, g), compare the binary representations respecti Given the number e and the number y received on said predetermined portion, to recognize the system A as non-authentic when two bits e i and y i having the same weight i and belonging to said predetermined portion are not equal, compare the number x ' computed at the number x received to recognize the system A as non-authentic when x'-x, the system A being recognized as authentic by the verification system B when x = x 'and that ei = yj for all the bits of weight i belonging to said predetermined portion.   12. Method according to claim 11, characterized in that said predetermined portion consists of consecutive bits having weights i such that M <i <+ M.   13. Method according to claim 12, characterized in that the order s is chosen such that O <s <2k, where k is a predetermined integer parameter satisfying k> t + M, that the number r is chosen such that O <r <2a, where a is a predetermined integer parameter such that a> k + E + M, and the number e is chosen such that O <e <2E + M.   14. The method according to claim 13, characterized in that the verifier system B compares the received number y with an upper bound S satisfying S = 2a + 2k + e + m to recognize the system A as non-authentic when y> S , the system A being recognized as authentic by the verification system B under the additional condition that y <S.   15. The method of claim 13 or 14, characterized in that the parameters f, a and k satisfy a = 4f and k = 2u.   16. Method according to one of claims 12 to 15, characterized in that the system A calculates the number y by an iterative method comprising the steps of: (EO) initially choosing a result variable y equal to the number r and an increment s' equal to the number 2M-sj: (El) perform a test of equality between two bits e, and y; having the same weight in the respective binary representations of the number e and the result variable y, starting with the weight bits M, (E2) adding or not said increment s' to the result variable y, as a function of a result of said equality test, (E3) recalculating the increment s' by shifting its binary representation by a positive number of positions in the direction of the increasing bit weights (E4) repeat steps (E1) to (E3) for bits of greater weight in the binary representations of the number e and the result variable y, until reaching the bits of weight ú + M.   17. Method according to claim 16, characterized in that: in step (E2), the increment s' is added to the result variable y if the bits e1 and yi compared in step (E1). are unequal and the result variable y is not modified if the bits ei and yi compared in step (E1) are equal, in step (E3), the binary representation of the increment is shifted at each iteration. of a position in the direction of the increasing bit weights, in step (E4), the steps (E1) to (E3) for the next two bits of immediately higher weight are repeated in the binary representations of the number e and of the number y.   18. Signatory system (A) for implementing the method according to claim 1, characterized in that it consists of a printed logic circuit including: a first memory register (1) and a second memory register (2 ) for respectively storing a number e and a number r, a third memory register (4) for storing a number s, a bit comparator (3) having two inputs respectively connected to the first memory register (1) and the second register memory device (2) for comparing two by two bits of the same weight in said memory registers, a multiplexer (Mux) having two data inputs respectively connected to said third memory register (4) and to a memory register (5). ) storing a zero value and a switching line (11) connected to an output of said bit comparator (3) to select one of said memory registers (4, 5) as a function of a result bit produced by said comparator of bits (3) and for placing the contents of the selected memory register in an output register (6) of said multiplexer, an adder circuit (7) having two operand inputs connected respectively to said output register (6) and to said second a memory register (2) and an output connected to said second memory register (2) for summing a respective content of said registers (2, 6) and replacing a content of said second memory register (2) by a result of said sum, an offset component (8) for shifting one bit in the direction of increasing weight a content of said third memory register (4), an interface (10) connected to said second memory register (2) for transmitting the contents of said register to a verification system (B).