HK1069696B - Method of producing a cryptographic unit for an asymmetric cryptographic system using a discrete logarithm function - Google Patents
Publication number: HK1069696B (application HK05102547.9A)
Authority: HK (Hong Kong)
Prior art keywords: entity, integer, value, encryption, key
Description
The present invention relates to the field of cryptography, and in particular to so-called asymmetric or public-key cryptography.
In this type of cryptography, each user holds, for a given purpose, a key pair consisting of a secret key and an associated public key.
For example, if the key pair is dedicated to confidentiality, data are encrypted with the public key and decrypted with the secret key. If the key pair is dedicated to data authenticity, data are digitally signed with the secret key and the digital signature is verified with the public key. Other uses (entity authentication, key exchange, etc.) are also possible.
Public-key cryptography is very useful because, unlike secret-key cryptography, it does not require the users involved to share a secret in order to establish secure communications. This security advantage comes with a performance penalty, however: for equal resources, public-key methods (also called "public-key schemes") are typically one hundred to one thousand times slower than so-called secret-key methods (also called "secret-key schemes"). To achieve reasonable computation times, the cost of the circuits implementing these algorithms is therefore typically high.
This is particularly true of the RSA encryption and signature scheme (see "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by R.L. Rivest, A. Shamir and L.M. Adleman, Communications of the ACM, Vol. 21, No. 2, pp. 120-). This scheme relies on the difficulty of the integer factorization problem: given a large integer (typically more than 1000 bits in base-2 representation) equal to the product of two or more prime factors of comparable size, there is no efficient process for recovering these prime factors. The calculations performed in this scheme therefore involve very large numbers. They cannot be executed in less than one second on a chip card unless the card is equipped with a dedicated cryptographic coprocessor, which increases its cost considerably. Furthermore, since the efficiency of factorization algorithms improves quite rapidly over time, the key length has to be increased, which degrades performance.
This raises the problem of reducing the cost of the chip implementing a public-key scheme.
There are two main approaches to this problem. The first consists in specifying a new cryptographic scheme, preferably (but not necessarily) based on a problem other than factorization, which may greatly reduce computation time. This approach has been explored many times and has produced a variety of results. However, in most cases either the improvement over RSA is not sufficient to justify replacing it, or the security of the new scheme has not been established sufficiently well.
The second approach is to manufacture chips in very large quantities so that their cost can be greatly reduced. This may happen with RSA if the international banking organisations confirm the scheme for future chip-based bank cards. However, the initial cost of RSA chips is high, and it remains considerable regardless of how many chips are manufactured.
It should be noted that many public-key cryptographic schemes use integer operations as basic operations, such as modular multiplication ($ab \bmod n$), modular division ($a/b \bmod n$) or modular exponentiation ($a^{b} \bmod n$), where a, b and n are integers. However, these operations are not exactly the same from one scheme to the next. Thus, each time the cryptographic scheme is changed, the program or circuit of the secure device that performs the cryptographic calculations has to be changed as well.
It is an object of the present invention to reduce the cost of a public key encryption unit by combining the two methods described above.
The invention therefore proposes a method for producing a cryptographic unit associated with an integer secret key s in an asymmetric cryptographic system, in which said cryptographic unit is provided with a component, produced independently of the cryptographic system, which is adapted to deliver an integer y as a combination of several integer operands, said integer operands comprising a random number r, the secret key s and at least one further operand (a, b). After the cryptographic system has been selected by associating a public key with the secret key s, the cryptographic unit is provided with a generator of sequences of cryptographic data, the public key comprising a first element g of a set G provided with a multiplication operation, and each sequence of cryptographic data comprising a random number r used as an operand of the component and an element x of the set G which depends on $g^{r}$ and is delivered by the unit together with the integer y.
The component, which may consist of one or more circuit parts or one or more software modules, provides a very fast execution of a basic cryptographic primitive that is useful for a large number of different cryptographic schemes (authentication, signature, key exchange mechanisms, etc.) using diverse mathematical objects (the various sets G, with their multiplication operations, in which a discrete logarithm function may be defined).
Because the component is common to a large number of mechanisms, its industrial development and manufacturing costs can be reduced. The basic units (e.g. chip cards) incorporating the component can advantageously be produced in large numbers, provided that these units are suitable for all schemes of the relevant family and that they generally achieve the properties required for these applications.
More specifically, the public key further comprises an element v of the set G such that $v = g^{s}$ or $v = g^{-s}$. This enables the cryptographic unit to implement the whole family of schemes based on the generalized discrete logarithm problem. This problem is broadly stated as follows: let G be a set provided with a multiplication (i.e. an operation which associates with two elements a and b of G an element denoted "a.b", or simply "ab"), let g be an element of G, u a (large) integer and w the element of G defined by $w = g^{u}$ (i.e. the product g.g...g with u occurrences of g); it is practically impossible to recover u from g and w.
European patent No. 0666664 describes an example of an electronic signature scheme of this type, where G is the set of integers greater than or equal to 0 and smaller than n, and the multiplication is the ordinary product of integers modulo n.
With the method of the invention, if, for a given set G and multiplication, a discrete logarithm algorithm more efficient than the known ones is found, it is sufficient to change the set in which the calculations are performed and/or the multiplication in order to restore the desired level of security.
The discrete logarithm problem can a priori be stated in any set provided with an operation. However, for the exponentiation to be computed in a short time and to give a result of small size, certain properties are required, and at present the most suitable sets are groups. A group contains, among other properties, a neutral element, denoted ε (or simply 1), such that the products ε.a and a.ε are both equal to a for every element a. Furthermore, each element a has an inverse in the group, denoted $a^{-1}$, such that the products $a^{-1}.a$ and $a.a^{-1}$ are both equal to ε. Common examples of groups used in cryptography are (the multiplicative groups of) rings or fields of integers, and elliptic curves.
It is thus possible to define a cryptographic component that does not depend in any way on the group concerned, or on the set G under consideration. This means first of all that the component does not operate on the elements of the set itself. It also means that it depends neither on the characteristics of the group nor on the element g under consideration, in particular not on the order of g in G, i.e. the smallest non-zero integer q (if any) such that $g^{q} = ε$.
In the preferred embodiment of the invention, the combination computed by the component consists of only a small number of integer additions, subtractions and multiplications, none of which is linked in any way to the characteristics of G or g. In particular, this combination may take the form $y = ar + bs$, where a and b are the two further integer operands. A further simplification is to take a = 1 or b = 1.
One advantage of this choice of component is its speed: since only a small number of multiplications (one or two) have to be performed, the component is very fast (a few microseconds) and can be incorporated in any environment, in particular in low-cost microprocessor cards.
The generator of cryptographic data sequences may be built as an exponentiation circuit on the set G, computing $g^{r}$ from a random number r (and, for example, a modulus).
However, in a preferred embodiment of the method, the generator of cryptographic data sequences comprises a programmable memory for receiving pre-computed pairs {r, x} or {r, $g^{r}$}. In this way, the cryptographic unit can be manufactured completely independently of the set G and of the multiplication employed. It is then only necessary to write the secret key s and a certain number of pre-computed pairs {r, x} or {r, $g^{r}$} into the programmable memory. In operation, the common component performs the only computations required at the level of the cryptographic unit.
The possibility of using the unit autonomously further improves the reduction of development and manufacturing costs, since the same circuit (not merely the same part of a circuit) can be used in various target applications. Furthermore, because the component is so fast, it can be installed in very low-cost circuits and therefore, in autonomous mode, in very inexpensive units such as conventional microprocessor cards, with or without contacts.
A further advantage of this autonomy is that it makes it possible to change the cryptographic scheme, for example because the latter has been broken (i.e. because an attack has been found which greatly reduces the level of security it provides), without having to develop and manufacture another circuit, which saves development effort.
Furthermore, if the unit uses a value x whose length does not change over time (e.g. because it is computed from $g^{r}$ through a predefined hash function), then the length of the other keys used can be changed while keeping the same scheme, without having to develop and manufacture another circuit.
Moreover, in the last two cases, not only is there no need to develop and manufacture another circuit but, if the latter has been suitably designed, there is no need even to replace the security devices (e.g. chip cards) containing it, even after they have been deployed. This advantage is very significant, since changing the circuit of an already operational security device, the program of that circuit, or the security device itself is always a very expensive operation.
The present invention can be used to advantage by the following organizations: semiconductor manufacturers producing security chips, industries producing security devices from these chips, such as chip embedders (contact or contactless chip cards), and organizations (banks, telecommunications operators, transport operators, etc.) deploying such devices, for which replacing cryptographic units entails high development, manufacturing, management or maintenance costs.
In summary, the present invention creates a family of public-key cryptographic schemes based on the discrete logarithm problem, in which one entity performs a computation consisting of at most a small number of integer additions, subtractions and multiplications, this computation being common to all schemes of the family. The computation preferably represents most of the work to be performed by the entity in real time, as most of the other calculations may be performed in advance.
Further characteristics and advantages of the invention will become more apparent from the following description of non-limiting exemplary embodiments with reference to the attached drawings, in which figs. 1 to 4 are schematic views of cryptographic units produced according to the invention.
Consider now a family of entity authentication protocols, extended to message authentication and to the digital signature of a message, and a family of key exchange protocols, all implementing a common component. It is assumed that the authenticity of the public key of entity A, used by another entity B, has previously been verified by this entity B.
Let G be a set provided with a multiplication and g an element of G. The secret key of entity A is an integer s. It should be noted that the size of this integer s (the number of bits of its base-2 representation) is independent of G and g. The public key of entity A associated with s is the pair {g, v}, where $v = g^{s}$.
In an exemplary embodiment of the invention, the authentication of entity A by entity B proceeds as follows:
1. A randomly chooses an integer r, computes $x = g^{r}$ and sends x to B;
2. B randomly chooses two integer operands a and b and sends them to A;
3. A computes $y = ar + bs$ and sends y to B;
4. B checks that $g^{y} = x^{a} v^{b}$.
Many variants of this basic protocol are possible, and some of them extend it to message authentication and digital signature:
- either a or b may be fixed in advance at a non-zero value (e.g. a = 1), in which case this operand need not be sent and the combination $y = ar + bs$ involves only one multiplication;
- $y = ar + bs$ may be replaced by $y = ar - bs$, the check equation becoming $g^{y} v^{b} = x^{a}$;
- $y = ar + bs$ may be replaced by $y = bs - ar$, the check equation becoming $g^{y} x^{a} = v^{b}$;
- $y = ar + bs$ may be replaced by $y = -ar - bs$, the check equation becoming $g^{y} x^{a} v^{b} = 1$;
- if G is a group, the sign of the secret key s may be inverted, i.e. one takes $v = g^{-s} = (g^{s})^{-1}$, and the check equation becomes $g^{y} v^{b} = x^{a}$; this option can of course be combined with any of the above variants;
- in each case where the check equation has the form $g^{y} v^{b} = x^{a}$, one may take a = 1 and replace $x = g^{r}$ by $x = f(g^{r})$, where f is a function, e.g. equal to (or including) a cryptographic hash function; the check equation then becomes $f(g^{y} v^{b}) = x$;
- also in each case where the check equation has the form $g^{y} v^{b} = x^{a}$, taking a = 1, if M is a message to be authenticated by A, $x = g^{r}$ may be replaced by $x = f(g^{r}, M)$, where f is a function, e.g. equal to (or including) a cryptographic hash function; the check equation then becomes $f(g^{y} v^{b}, M) = x$; the protocol obtained is a message authentication protocol;
- also in each case where the check equation has the form $g^{y} v^{b} = x^{a}$, taking a = 1, if M is a message to be signed by A, $x = g^{r}$ may be replaced by $x = f(g^{r}, M)$, where f is a function, e.g. equal to (or including) a cryptographic hash function, and b = h(x) is then computed by A, where h is a function without special cryptographic properties, e.g. the identity; in this case step 2 no longer requires the intervention of entity B; the check equation becomes $f(g^{y} v^{h(x)}, M) = x$; the protocol obtained is a digital signature protocol (it reproduces the electronic signature scheme described in European patent No. 0666664 in the particular case where G is the set of non-negative integers smaller than n and the operation is multiplication modulo n).
Note that in step 3, entity A only needs to perform one integer addition and one or two integer multiplications. Note also that this combination is independent of the selected set G. Finally, the other calculations that A needs to perform ($x = g^{r}$ or $f(g^{r})$) may be performed in advance. It is therefore possible to pre-compute a certain number of $g^{r}$ values (with or without the function f applied) and to store them in a programmable memory together with the corresponding random numbers r.
The secret key s' of the complementary entity B and the associated public key {g', v'} are obtained according to the same rules as for entity A, with the same parameters: g' = g and $v' = g^{s'}$. The key exchange protocol may then be defined as follows:
1. A randomly chooses an integer r, computes $x = g^{r}$ and sends x to B; A computes the common key $K = v'^{r}$ ($= g^{s'r}$);
2. B randomly chooses two integer operands a and b and sends them to A;
3. A computes $y = ar + bs$ and sends y to B;
4. B checks that $g^{y} = x^{a} v^{b}$; B computes the common key $K = x^{s'}$ ($= g^{rs'}$).
This protocol provides, on the one hand, a key exchange according to the Diffie-Hellman scheme and, on the other hand, authentication of the key exchange on one side (B authenticates A). The common key K may also be determined as a predetermined function of $v'^{r}$.
Note again that in step 3, entity A only needs to perform one integer addition and one or two integer multiplications, and that this combination is independent of the selected set G. Finally, the other calculations that A needs to perform may be performed in advance. It is therefore possible to pre-compute a certain number of x and K values and to store them in the programmable memory.
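The entity authentication protocol, its digital signature variant (a = 1, x = f(g^r, M), b = h(x) with h the identity, y = r - bs) and the authenticated key exchange above, carried through in one runnable piece of code. This is an added example, not code from the patent: the set G is a prime-order subgroup of Z_p^* constructed here with q = 2^61 - 1 (toy-sized, an assumption; the patent leaves G open), f is SHA-256 truncated to 64 bits, and the operand and nonce widths are the example's own choices. The one point the patent's description does not spell out and a practitioner must get right is the width of r: since y = ar + bs is computed over the integers with no reduction modulo the order of g, r is drawn some 80 bits wider than any b·s can be, so that y statistically hides s. The single function combine() is the group-independent component (15); everything else is either precomputable (commit) or the verifier's side.

```python
import hashlib
import secrets

# Toy group parameters (this example's assumption; the patent leaves the set G open):
# a prime-order subgroup of Z_p^* with q = 2^61 - 1, a known Mersenne prime.
Q = (1 << 61) - 1

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for n < 3.3e24 with these twelve bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(q: int):
    """Return (p, g) with p = k*q + 1 prime and g of order exactly q modulo p."""
    k = 2
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:
        h += 1
    return p, pow(h, k, p)

P, G = schnorr_group(Q)
ELEM_BYTES = (P.bit_length() + 7) // 8
CHALLENGE_BITS = 64                                # size of B's operands a, b (assumption)
NONCE_BITS = Q.bit_length() + CHALLENGE_BITS + 80  # r much wider than b*s (assumption)

def combine(a: int, r: int, b: int, s: int, subtract: bool = False) -> int:
    """The group-independent component (15): y = a*r + b*s or y = a*r - b*s over the
    integers, with no reduction modulo the order of g (y may even be negative)."""
    return a * r - b * s if subtract else a * r + b * s

def keygen():
    """Secret key s and public element v = g^s."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def commit():
    """Step 1 for entity A: a fresh r and x = g^r (a pair that could be precomputed)."""
    r = secrets.randbits(NONCE_BITS)
    return r, pow(G, r, P)

def challenge():
    """Step 2 for entity B: the two further operands a and b."""
    return secrets.randbits(CHALLENGE_BITS), secrets.randbits(CHALLENGE_BITS)

def ident_verify(v: int, x: int, a: int, b: int, y: int) -> bool:
    """Step 4 for entity B: g^y = x^a * v^b (pow handles a negative y since Python 3.8)."""
    return pow(G, y, P) == pow(x, a, P) * pow(v, b, P) % P

def f(elem: int, msg: bytes) -> int:
    """Hash function f of the signature variant, truncated to a 64-bit integer."""
    digest = hashlib.sha256(elem.to_bytes(ELEM_BYTES, "big") + msg).digest()
    return int.from_bytes(digest[:8], "big")

def sign(s: int, msg: bytes):
    """Signature variant: a = 1, x = f(g^r, M), b = h(x) = x, y = r - b*s."""
    r, gr = commit()
    x = f(gr, msg)
    return x, combine(1, r, x, s, subtract=True)

def sig_verify(v: int, msg: bytes, x: int, y: int) -> bool:
    """Check f(g^y * v^b, M) = x with b = h(x) = x."""
    return f(pow(G, y, P) * pow(v, x, P) % P, msg) == x

def kex_initiate(v_peer: int):
    """Entity A: r, x = g^r and the common key K = v'^r = g^(s'*r)."""
    r, x = commit()
    return r, x, pow(v_peer, r, P)

def kex_complete(s_peer: int, v: int, x: int, a: int, b: int, y: int):
    """Entity B: authenticate A with g^y = x^a v^b, then K = x^(s') = g^(r*s')."""
    if not ident_verify(v, x, a, b, y):
        return None
    return pow(x, s_peer, P)
```

Swapping the group (a different prime, or an elliptic curve with the exponentiations replaced by scalar multiplications) changes keygen(), commit() and the verifier's checks only; combine() and its call sites in sign() and the key exchange stay as they are, which is the patent's point.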
Thus, by developing a program or a circuit implementing the single function $y = ar + bs$ (or one of the alternatives mentioned above), a basic software or hardware building block is obtained which can be used in different cryptographic schemes performing different tasks such as authentication, key exchange, etc. The scheme used for a given task may even be changed during the lifetime of the security device containing the program or circuit. For example, it is possible to replace the authentication scheme with another one, or to keep the same scheme but change the set or group G in which the calculations are performed. These modifications only affect the pre-computed values, not the component itself.
Fig. 1 schematically shows an exemplary cryptographic unit A produced in accordance with the invention. The unit consists of a chip having an area 10, access to which is protected by techniques known to those skilled in the art.
The protected area 10 comprises a programmable memory 11 for receiving, on the one hand, the secret key s of unit A (area 12) and, on the other hand, the pairs {r, $g^{r}$} determined independently of s once the set G and its multiplication have been defined (area 13). The protected area 10 also includes a component 15 for calculating the integer $y = ar + bs$ from a random number r received from memory area 13, the secret key s received from memory area 12 and two further operands a, b supplied by a control module 16.
Several ways of storing the pairs {r, $g^{r}$} in area 13 are possible. Each r value and each $g^{r}$ value may both be stored in a table, with a one-to-one correspondence between the r and $g^{r}$ values of the same pair. In a microcircuit with limited memory, it is advantageous to associate a simple index with each $g^{r}$ value, in order to save the memory space required to store the r values, which are typically large. Each r value is then derived by a pseudo-random generator from an initial value $r_{0}$ and the corresponding index, and $g^{r}$ is pre-computed and stored for that index. The programmable memory 11 then contains the pseudo-random generator and the initial value $r_{0}$, so that each r value can be obtained from the corresponding index by running the pseudo-random generator, without all the r values having to be stored, and is matched with its $g^{r}$ value by virtue of the index.
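The indexed storage just described, as an added example (not the patent's own code): each r_i is regenerated from the initial value r_0 and its index by a pseudo-random generator (HMAC-SHA256 here, the example's choice; the patent names none), only g^(r_i) is stored per index, and the store hands out each index at most once. The last function shows the check a practitioner wants on top of this: for any scheme of this family the response y = r + bs is computed over the integers, so two responses that reuse the same r (with a = 1) yield s by exact integer division. That is a general property of the y = ar + bs combination, not a statement the patent makes, and it is why r_0 must stay inside the protected area and a consumed index must never be reissued. The group (multiplication modulo the Mersenne prime 2^127 - 1 with base 3) is a stand-in chosen for this example; the storage mechanism does not depend on it.

```python
import hashlib
import hmac

# Stand-in group (assumption): multiplication modulo the Mersenne prime 2^127 - 1, base 3.
P = (1 << 127) - 1
G = 3
NONCE_BITS = 200  # width of each r (assumption); far larger than a table index

def derive_r(r0: bytes, index: int) -> int:
    """The text's pseudo-random generator: r_i from the initial value r0 and the index.
    HMAC-SHA256 in counter mode is this example's choice of generator."""
    stream = b""
    counter = 0
    while len(stream) * 8 < NONCE_BITS:
        msg = index.to_bytes(4, "big") + counter.to_bytes(1, "big")
        stream += hmac.new(r0, msg, hashlib.sha256).digest()
        counter += 1
    return int.from_bytes(stream, "big") >> (len(stream) * 8 - NONCE_BITS)

def precompute_table(r0: bytes, count: int) -> list:
    """Personalisation step: only g^(r_i) is stored per index; r_i is regenerated on demand."""
    return [pow(G, derive_r(r0, i), P) for i in range(count)]

class NonceStore:
    """Protected memory 11/13: r0 plus the g^r table, each index usable exactly once."""

    def __init__(self, r0: bytes, count: int):
        self._r0 = r0
        self._table = precompute_table(r0, count)
        self._used = set()

    def take(self, index: int):
        """Return (r, g^r) for a fresh index, or None if it is unknown or already consumed."""
        if not 0 <= index < len(self._table) or index in self._used:
            return None
        self._used.add(index)
        r = derive_r(self._r0, index)
        if pow(G, r, P) != self._table[index]:  # regenerated r must match the stored g^r
            raise RuntimeError("nonce table corrupted")
        return r, self._table[index]

def recover_secret(b1: int, y1: int, b2: int, y2: int) -> int:
    """Why single use matters: with a = 1 and the same r in y1 = r + b1*s and
    y2 = r + b2*s, the integer difference (y1 - y2) = (b1 - b2)*s gives s exactly."""
    return (y1 - y2) // (b1 - b2)
```

A card that stores (index, g^r) this way must also persist the used-index set across power loss, since a replayed index reproduces the same r and hands the verifier's second challenge the secret key.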
In response to an authentication request issued by the remote entity B, the control module 16 commands the memory area 13 to deliver the integer r to the component 15, together with the associated element $g^{r}$ of the set G, which constitutes the value x sent to entity B. The component 15 also receives from the control module 16 the further operands a, b received from entity B, and the integer y returned by the component is then passed on to entity B by the control module 16. Entity B, knowing the public key {g, v}, can then authenticate A by means of the check equation $g^{y} = x^{a} v^{b}$.
In the variant of fig. 2, unit A is used to authenticate a message M. The protected area 10 and the control module 16 are substantially the same as in the example of fig. 1, with a fixed at 1. The protected area 10 is supplemented with a hashing module 18, which applies a predetermined cryptographic hash function f. The arguments of this function f are the element $g^{r}$ from memory area 13 and the message M to be authenticated, supplied by the control module 16. The result x is delivered to the control module 16, which passes it on to entity B.
The hashing module 18 may also be present in the embodiment of fig. 1, without the argument M (or with a default value for that argument), in order to produce a value x whose size is specified independently of the set G.
It can thus be seen that the same circuit is suitable for both applications.
The same is true of the unit of fig. 3, which is used to sign the message M, i.e. independently of the entity that may check the signature. If the result x delivered by the hashing module 18 is in integer form, it can be supplied to the component 15 as operand b. The function h may also be applied to it beforehand, as described above.
In the embodiment of fig. 4, the memory area 13 also associates with each random number r a secret session key K determined as a function of the public key {g, v'} of entity B (which must therefore be known beforehand): $K = v'^{r}$. This session key K is delivered to a secret-key encryption unit 20, which operates in a conventional manner according to a symmetric encryption algorithm, so that it can be used for communications with entity B. Entity B, by means of the check equation $g^{y} = x^{a} v^{b}$ or one of the aforementioned variants, is assured of the integrity of the secret key K.
Claims (10)
1. A cryptographic method in an asymmetric cryptographic system using an integer secret key s, characterized in that said secret key s is associated with a public key comprising a first element g and a second element $v = g^{s}$ or $v = g^{-s}$, and in that an integer value y is produced in a component (15) included in a first entity and constructed independently of said cryptographic system, the production comprising:
- the first entity randomly selecting an integer r, computing a value x from the element $g^{r}$ of a set G provided with a multiplication, and sending the value x to a second entity external to the first entity;
- the second entity randomly selecting two further integer operands a and b and sending the further integer operands to the first entity;
- said component (15) in said first entity computing said integer value y according to $y = ar + bs$, $y = ar - bs$, $y = bs - ar$ or $y = -ar - bs$, and sending said integer value y to said second entity; and
- the second entity performing a check using the check equation corresponding respectively to the calculation formula $y = ar + bs$, $y = ar - bs$, $y = bs - ar$ or $y = -ar - bs$, namely $g^{y} = x^{a} v^{b}$, $g^{y} v^{b} = x^{a}$, $g^{y} x^{a} = v^{b}$ or $g^{y} x^{a} v^{b} = 1$.
2. The method of claim 1, further comprising receiving pre-computed {r, x} or {r, $g^{r}$} pairs.
3. The method of claim 1, wherein the further operands a and b are received from a control module to which the value x and the integer y are sent.
4. The method of claim 1, wherein one of the further operands, a, is equal to 1.
5. The method of claim 4, wherein the set G provided with the multiplication operation has a group structure.
6. The method of claim 5, characterized in that the component (15) is arranged such that the further operand b is received from the control module to which the value x and the integer y are sent, and in that the value x is obtained as a function of the element $g^{r}$ which includes the application of a hash function.
7. The method of claim 5, wherein said component (15) is arranged such that the further operand b is received from a control module to which the value x and the integer y are sent, and wherein the value x is a function of the element $g^{r}$ and of the content of a message (M) to be authenticated by a device comprising said first entity implementing the cryptographic method, said control module being included in said second entity.
8. The method of claim 5, wherein the further operand b is computed as a function of the value x, and the value x is a function of the element $g^{r}$ and of the content of a message (M): $x = f(g^{r}, M)$, the message (M) being intended to be authenticated by a device comprising said first entity implementing the cryptographic method.
9. The method of claim 1, wherein the first entity is provided with means for communicating with a second entity to which the value x and the integer y are sent, the second entity being associated with another integer secret key s', and the method further comprises: associating a public key (g', v') with the secret key s', the public key (g', v') comprising an element g' = g and a further element v' of the set G such that $v' = g^{s'}$, wherein a triplet {r, x, K} or {r, $g^{r}$, $v'^{r}$} is formed from the random number r, said value x and a common key K depending on the element $v'^{r}$ of the set G, the triplet not being sent to the second entity.
10. The method of claim 9, further comprising receiving a pre-computed triplet {r, x, K} or {r, $g^{r}$, $v'^{r}$}.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| FR01/10,938 | 2001-08-20 | | |
| FR0110938A FR2828780B1 (en) | 2001-08-20 | 2001-08-20 | METHOD FOR PRODUCING A CRYPTOGRAPHIC UNIT FOR AN ASYMMETRIC CRYPTOGRAPHY SYSTEM USING A DISCREET LOGARITHM FUNCTION |
| PCT/FR2002/002896 WO2003017569A1 (en) | 2001-08-20 | 2002-08-16 | Method of producing a cryptographic unit for an asymmetric cryptographic system using a discrete logarithm function |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1069696A1 HK1069696A1 (en) | 2005-05-27 |
| HK1069696B true HK1069696B (en) | 2008-08-01 |