KR100676461B1 - Method, system, device for proving the authenticity of an entity and/or the integrity and/or the authenticity of a message using specific prime factors - Google Patents

Abstract

Verification is provided by the following parameters. That is, an open module n formed by the product of f prime factors p _i with f>2; And an open index v; And m radix g _i with m> 1. Radix g _i is the two formulas (1) and (2) released by x in other words, x ² ≡g _i mod n and x ² ≡g _i mod n is an integer coefficient (modulo) of n jeongsuhwan (ring) So that, and

이 공개 지수 v가 v=2^k이고, k는 보안 파라미터(security parameter)들인 경우, 정수 계수 n의 정수환에서 x로 풀릴 수 있도록된다.Equation (3):

If this open index v is v = 2 ^k and k are security parameters, then it can be solved by x in the integer ring of integer coefficient n.

Authentication, Validation, Integrity, Entity, GQ2, RSA

Description

Entity, system, device for proving the authenticity of an entity and / or the integrity and / or the authenticity of a message using specific prime factors}

The present invention relates to the technical field of methods, systems and apparatus designed to verify the authenticity of an entity, the integrity and / or authenticity of a message.

EP 0 311 470 B1 (inventor; Louis Guillou and Jean-Jacques Quisquater) describes this method. The patent will now be referred to using the terms "GQ patent" or "GQ method", filed by France Telecom, TDF and Mathrizk and filed on the same day as the inventors of this application, Louis Guillou and Jean-Jacques Quisquater. A new variant of "GQ technology" will be described as "GQ2", "GQ2 invention" or "GQ2 technique". The features of this application will be mentioned again as needed in the detailed description below.

According to the GQ technique, an entity known as a "trusted authority" assigns an identity to each entity called "witness" and computes its RSA signature. In the individualized process, the trusted authority gives witnesses identity and signature. The witness then declares, "Here is my identity, I have found the signature of the RSA." Without disclosing the fact, the witness certifies that he knows the RSA signature of the identity. Even if the RSA public identification key is distributed by a trusted authority, an entity known as a "controller" is not provided with the information of the identification key and verifies that the RSA signature matches the declared identity. The mechanism using the GQ technique is done "without information transfer". According to the GQ technique, the witness does not know the RSA secret key that a trusted authority uses to sign numerous identifiers.

The GQ technique described above uses RSA technology. However, while the RSA technique depends precisely on the factorization of the coefficient n, this dependency is not equivalent. In other words, it is by no means equivalent, as is manifested in so-called multiplicative attacks against the various standards of digital signatures that implement RSA technology.

The purpose of the GQ2 technique is twofold. One is to improve the inherent performance of the RSA technique, and the other is to solve the inherent problems of the RSA technique. The information of the GQ2 secret key is equivalent to the information of the factorization of the coefficient n. Any attack on the triplet GQ2 results in a factorization of coefficient n. In this case, an equivalence relationship is established. By using the GQ2 technique, the workload is reduced for signing or self-certifying entities and control entities. By preferably using factoring in terms of security and performance, the GQ2 technique can overcome the disadvantages of the RSA technique.

The GQ technique implements a modulo operation of a number of 512 bits or more. The operation is related to a number having a magnitude substantially equal to a power of 2 ¹⁶ +1 powers. In particular, in the field of bank cards, existing microelectronic infrastructures use monolithic self-programmable microprocessors without computational coprocessors. Workload associated with multi-computation applications belonging to the same method as the GQ technique causes calculation time, which in some cases makes the consumer uncomfortable paying using a bank card at the time of purchase. It is conceivable here that, in improving the security of payment cards, banks may face problems that are particularly difficult to solve. Indeed, two obviously contradictory problems must be solved. That is, on the one hand, increasing the security by using increasingly long and clear keys on each card, while on the other hand, ensures that the workload does not cause excessive computation time for the user. This problem is particularly serious because it is also necessary to pay attention to existing infrastructure and existing microprocessor architectures.

While the GQ2 technique increases security, it provides a solution to this problem.

The GQ2 technique uses factors that have special characteristics. There are a variety of existing techniques for providing these prime factors. An object of the present invention is a method for the systematic provision of such prime factors. Its purpose also relates to applications that can be made with these arguments in the use of the GQ2 technique. It is emphasized that these particular prime factors and the method used to obtain them can be used in the field of GQ2 techniques.

The present invention addresses the following points in the controller entity:

-The authenticity of the entity and / or

Integrity of message M associated with said entity

It can be applied to the method for verifying

This verification is established by all or some of the following parameters or their derivatives:

a public coefficient n composed of the product of f prime factors p ₁ , p ₂ , ..., p _f (f is greater than or equal to 2);

Public exponent v;

m different integer radix g ₁ , g ₂ , ..., g _m (m is greater than or equal to 1)

The radix gi is represented by two equations (1) and (2): that is, x ² ≡g _i mod n and x ² i- g _i mod n are integers in a ring of modulo n Unresolved, and

이 정수 계수 n의 정수환에서 x로 풀릴 수 있도록 된다.Equation (3):

It can be solved by x in the integer ring of this integer coefficient n.

The method according to the invention is used to generate _f prime factors p ₁ , p ₂ ,..., P _f , whereby the above formulas (1), (2) and (3) are satisfied. The method according to the invention

M different integer radix g ₁ , g ₂ , ..., g _m ,

The size of the coefficient n,

The magnitude of _f prime factors p ₁ , p ₂ , ..., p _f

The first step is to select.

The method relates to the case where the public index v has the format v = 2 ^k and k is a security parameter greater than one. The security variable k is also chosen as a prime number. The special value of the index v is one of the essential features of the GQ2 technique.

Preferably, m different integer radix g ₁ , g ₂ , ..., g _m are selected from at least some of the first integers. Also preferably, the authentication variable k is a small integer, in particular less than 100. Advantageously, the magnitude of the coefficient n is greater than several hundred bits. In addition, f prime factors p ₁ , p ₂ , ..., p _f have a size close to the size of the coefficient n divided by the number f of the factors.

According to an important feature of the method according to the invention, the f prime factors p ₁ , p ₂ ,..., P _f are not selected in any unspecified method. Among the f prime factors p ₁ , p ₂ , ..., p _f , any number of them is selected: e is associated with 1 modulo 4. e can be zero. If e is zero, then the coefficient n is referred to as a basic modulus hereinafter. If e> 0, then the coefficient n is called the combined modulus below. fe different prime factors are chosen to be associated with 3 modulo 4. fe is at least equal to two.

Selection of f-e prime factors associated with 3 modulo 4

To generate _fe prime factors p ₁ , p ₂ , ..., p _fe related to 3 modulo 4, the following steps are used:

The first prime factor p ₁ associated with -3 modulo 4 is selected, and then

The second prime factor p ₂ is chosen to be complementary to p ₁ with respect to the base g ₁ .

To select the argument p _{i + 1} , the following procedure, which is divided into two cases, is used.

(1) if i> m

If i> m, the factor p _{i + 1} associated with 3 modulo 4 is selected.

(2) when i ≤ m

If i ≤ m, the profile of g _i for i first prime factors p ₁ is calculated (Profile _i (g _i )):

If Profile _i (g _i ) is flat, the argument p _{i + 1} is chosen such that p _{i + 1} is complementary to p _{1 for} g _i ,

Otherwise, of the i-1 radix g ₁ , g ₂ , ..., g _i-1 and all of their multiplicative combinations, the number called g below is Profile _i (g) = Profile _i (g _i ) is selected and then p _{i + 1} is selected to be Profile _{i + 1} (g _i ) ≠ Profile _{i + 1} (g).

The terms "complementary", "profile" and "flat profile" have the meanings defined in the detailed description.

To select the last prime factor p _fe , the following procedure is used, divided into three cases.

(1) when f-e-1> m,

If fe-1> m, p _fe associated with 3 modulo 4 is selected.

(2) when f-e-1 = m,

If fe-1 = m, Profile _fe-1 (g _m ) for the first fe-1 prime factors from p ₁ to p _fe-1 is calculated.

If Profile _fe-1 (g _m ) is flat, then the argument p _fe-1 is chosen to be complementary to p ₁ for g _m ,

● Otherwise, the procedure specified below will follow.

Of the m-1 radix from g ₁ to g _m-1 and all their multiplicative combinations, the number called g below is selected such that Profile _i (g) = Profile _i (g _i ), Then p _fe is chosen to be Profile _fe (g) ≠ Profile _fe (g _m ).

(3) when f-e-1 <m,

When fe-1 <m, p _fe is selected to satisfy the following two conditions. (3.1) First state

p_OneP_fe-1 Profile of f-e-1 first prime factors up to_fe-1(g_fe-1) Is calculated and two cases are considered. In these two cases, the first state is changed.

If Profile _fe-1 (g _fe-1 ) is flat, the argument p _fe is chosen to satisfy the first state that is complementary to p ₁ for g _fe-1 (the first state by the first case). ) Otherwise, of the fe-1 radix from g ₁ to g _m-1 and all of their multiplicative combinations, the number called g below is Profile _i (g) = Profile _fe-1 (g _{fe- 1} ), and then p _fe is chosen to be Profile _fe (g) ≠ Profile _fe (g _m ). (First state by second case)

(3.2) Second state

Of all the last radixes from g _fe to g _m , a number whose flat, Profile _fe-1 (g _i ) is flat, is selected and p _fe is complementary to p ₁ for each selected radix. It is chosen to satisfy the second condition of being an enemy. (Second state)

Selection of the e prime factor associated with 1 modulo 4

In order to generate the e prime factors associated with 1 modulo 4, each prime factor value p from p _fe to p _f is computed by the following two consecutive tests.

(1) first test

The Regendre symbol is calculated for each radix gi from g1 to gm with respect to the candidate prime factor value p,

If the genre symbol is -1, the candidate value p is rejected,

If the genre symbol is +1, the operation of the candidate value p passes to the next radix and, if the last radix is considered, passes to the second test.

(2) second test

Is an integer t is divided into p-1 is by 2 ^t is calculated so that is not divided by 2 ^{t + 1,} then the integer s is calculated so that the s = (p-1 + 2 ^t) / 2 ^{t + 1} .

The key <s, p> is applied to each public value G _i to get the result r

That is, r ≡ G _i ^s mod p.

If r equals g _i or -g _i , the second test continues to pass the public value G _{i + 1} below.

If r is different from g _i or -g _i , then the argument u is computed under the application of the following algorithm specified at index ii in the range 1 to t-2. The algorithm uses two variables: that is, initialized by r as well as the integer b obtained by applying the key <(p-1) / 2 ^t , p> to the non-secondary surplus of CG (p). Use jj = 2 ⁱⁱ with values between w and 2 to 2 ^t-2 . The algorithm is configured to repeat the following sequence as necessary:

Step 1: w ² / G _i (mod p) is calculated.

Step 2: The result is raised to the power of 2 ^t-ii-1 . Two cases are considered.

First case

If +1 is obtained, then pass to the next public value Gi + 1 and a second test is done on that public value.

Second case

If -1 is obtained, jj = 2 ⁱⁱ is calculated, then w is replaced by wb ^jj (mod p). The algorithm then continues with the next value with index ii.

At the end of the algorithm, the value of the variable jj is used to calculate the integer u by the relationship jj = 2 ^tu and the representation of tu is calculated. Two cases occur:

If t-u <k, the candidate value p is rejected

If tu> k, the operation of candidate value p continues with passing to the next public value G _{i + 1} and continues with the second test.

At the end of the second test, at all m public values G _i , if it is not rejected, the candidate value p is taken as a prime factor associated with 1 modulo 4.

Application of GQ2 to Public and Secret Values.

The invention also relates to a method (GQ2 method) which makes it possible to apply the above-described method and to generate f prime factors of p ₁ , p ₂ , ..., p _f with special characteristic values; The method for the application of the above-described method to the controller entity

The authenticity of the entity or (and)

To verify the integrity of message M associated with the entity.

This verification is done by all or some of the following variables or their derivatives:

m pairs of secret values Q ₁ , Q ₂ , ..., Q _m and the public values G ₁ , G ₂ , ..., G _m (m is 1 or more),

-a public coefficient n (f is greater than or equal to 2) composed of the product of _f prime factors p ₁ , p ₂ , ..., p _f ,

-Public index v.

The coefficient, the exponent and the value are G _i .Q _i ^v ≡1 mod n or G _i It is related by the expression ≡Q _i ^v mod n. The index v becomes v = 2 ^k , where k is a security parameter greater than one.

The published value G _i is the square g _i ² of base number g _i less than _f prime factors p ₁ , p ₂ , ..., p _f , and the radix g _i is two expressions, x ² μg _i mod n and x ² ≡- g _i mod n cannot be solved with x in the integer ring of integer coefficient n, and the expression x ^v ≡g _i ² mod n can be solved as x in the integer ring of integer coefficient n.

The method implements an entity called witness in the next step. The evidence shows that the parameters of Chinese surplus of f prime factors p _i and / or prime factors and / or publication coefficients n and / or the m secret values Q _i , and / or their secret values Q _i and / or their disclosures F · m components Q _{i, j} (Q _{i, j} ≡ Q _i mod p _j ) of the exponent v are provided.

The evidence is that R in the integer ring of integer coefficient n Vr ^v perform the operation of mod n, or R _i 연산 r _i ^v mod p _i and then apply the difference surplus method-where r is a random value where 0 <r <n and r _i is 0 <r _i <p _i , Compute each of the commitments R by a random value associated with the decimal P _i and each r _i belongs to a collection of random values {r ₁ , r ₂ , ..., r _i }.

The evidence receives one or more challenges d, each including an integer d _i called m initial challenges, the evidence being based on each challenge d, D? R Q ₁ ^d ₁ Q ₂ ^d ₂ . Q _m ^dm Performs a mod n operation, or D _i ≡ r _i Q _{i, 1} ^d1 Q _{i, 2} ^d2 Q _{i, m} ^dm Compute the response D by executing the operation of mod p _i and then applying the Chinese excess method.

The method allows the response D to be equal to the number of the challenge d and the commitment R such that the group of R, d, D forms a triplet referred to as {R, d, D}.

Preferably, the secret value as described above, _{Q 1, Q 2, ...,} Q m and public values G _1, G _2, ..., in order to use a pair of G _m, the method prime factors p ₁ , p ₂ , ..., p _f and / or variables of Chinese surpluses, radix g ₁ , g ₂ , ..., g _m and / or published values G ₁ , G ₂ , ..., G _m To,

Compute the secret values Q ₁ , Q ₂ , ..., Q _m by extracting the kth square root of Gi's coefficient n or by taking the inverse of the kth square root of Gi's coefficient n for,

Or, it is used to calculate that f · m secret components Q _{i, j} of secret values Q ₁ , Q ₂ , ..., Q _m become Q _{i, j} ≡Q _i (mod pj).

More preferably, the f · m secret components Q _{i, j of} secret values Q ₁ , Q ₂ , ..., Q _m

To calculate

-Is applied to compute z such that the key <s, p _j > is z _{i i} ^s mod p _j :

And t and u values are used.

The t and u values are calculated as above when p _j is associated with 1 modulo 4. The values are taken such that p _j corresponds to one value (t = 1) and zero value (u = 0) associated with 3 modulo 4.

If u is 0, zz is the same as z, or zz the z of (mod pj) and one in min 2 ^ii-t 2 ^ii-th circle of the (k, t) ii unit circle (unity) in the range up to Consider being equal to the product of each of the primitive roots.

If u is positive, consider zz to be equal to the product of (mod pj) of za and each of the 2 ^k 2 ^k th roots of unitity, and at the end of the algorithm used in paragraph 10, This will specify the value of the variable w.

At least one component value Q _{i, j} is deduced therefrom. Expression G _i When iQ _i ^v mod n is used, it is equal to zz, and when the equation G _i .Q _i ^v ≡1 mod n is used, it is equal to the inverse of zz modulo p _j of zz.

In FIG. 1A, 1D shows the "multiply by CG (p) square" function by a directional graph where the non-zero component of p-1 of each field finds its location. That is, the non-qudratic residues are white and the quadratic residues are black; Of the secondary surpluses, the odd parity rank component is a circle.

Each of these figures shows the following.

1A: p is associated with 3 (mod 4);

1B: p is associated with 5 (mod 8);

1C: p is associated with 9 (mod 16);

1D: p is associated with 17 (mod 32);

The purpose of the GQ technique is: not only the digital signature of entities and messages, but also the dynamic authenticity of associated messages.

The standard version of the GQ technique is to use the RSA technique. However, while the RSA technique depends precisely on the factorization of the coefficient n, this dependency is not equivalent. In other words, it is by no means equivalent, as is manifested in so-called multiplicative attacks against the various standards of digital signatures that implement RSA technology.

In the technique of GQ2, the present invention is particularly concerned with the generation of sets of GQ2 keys designed to provide dynamic authentication and digital signature. The GQ2 technique does not use the RSA technique. The purpose is twofold. One is to improve the inherent performance of the RSA technique, and the other is to solve the inherent problems of the RSA technique. The GQ2 secret key is a factorization of the coefficient n. Any attack on the triplet GQ2 is the sum of the factorizations of the coefficients n. In this case, the same point exists. By using the GQ2 technique, the workload is reduced for signing or self-certifying entities and control entities. The preferred use of factoring in terms of security and performance makes the GQ2 technique comparable to the RSA technique.

The GQ2 technique uses one or more integers less than one, for example m small integers (m ≧ 1), called radix and used for gi. Then, the public verification key <v, n> is selected as follows. The open validation index v is 2 ^k and k is a small integer greater than 1 (k≥2). The open coefficient n is the product of at least two prime factors greater than the radix, for example p _j . The f prime factors (f≥2) p ₁ , p ₂ , ..., p _f are used. The f prime factor is selected such that the open coefficient n has the following characteristics with respect to each of the m radix from g1 to gm.

First, equations (1) and (2) cannot be solved for x in the integer ring of the modulo n, which means that g _i and -g _i are two non-secondary It's called mod n.

x ² ≡g _i (mod n) (1)

x ² ≡- g _i (mod n) (2)

Second, equation (3) can be solved by x in the integer ring of integer coefficient n.

(3)

(3)

In the following, these properties are also called GQ2 principle.

Since the public verification key <v, n> is fixed according to the base of g ₁ to g _m of m ≥ ₁ , each base g _i is a pair of GQ2 constituting the public value G _i and the secret value Q _i . Determine the value, that is, m pairs from G ₁ Q ₁ to G _m Q _m . The public value G _i is the square of the base g _i and gives the value G _i = g _i ² . The secret value Q _i is one of the solutions of equation (3) or an inverse (mod n) of such a solution.

Just as the coefficient n is split into f prime factors, the integer ring of integer coefficient n is split into f Galois fields from CG (p ₁ ) to CG (p _f ). Below are projections of equations (1), (2) and (3) of CG (pj).

x ² ≡gi (mod n) (1.a)

x ² ≡- gi (mod n) (2.b)

(3.c)

(3.c)

Each secret value Q _i may be represented by one secret component of one prime factor, that is, f secret components of Q _ij ijQ _i (mod p _j ). Each secret component Q _ij is the solution to equation (3.a) or an inverse of such solution (mod p _j ). After all possible solutions of each equation (3.a) have been computed, the Chinese remainder technique yields the possible values of each secret value Q _i based on the f elements of Q _{i, 1} to Q _{i, f} . Make them. In other words, let Q _i = significant surplus (Q _{i, 1} , Q _{i, 2} , ..., Q _{i, f} ) to obtain all possible solutions of equation (3).

The following is the Chinese surplus technique. 0 sets the <a <mutually prime number (prime number) a and b of the two positive and, from 0 to a-1 of X _a and X _b is from 0 to b-1, two factors that b. It is necessary to determine X = Chinese surplus (X _a , X _b ). That is, _a ≡X X (mod a) and _b ≡X X (mod b) is, in a 0 and b is - a yuilsu to 1 (unique number) X. The Chinese surplus parameter is α≡ {b (mod a)} ⁻¹ (mod a). The Chinese surplus operation is ε≡X _b (mod a); δ = X _a -ε; If δ is negative, δ replaces δ + a; γ ≡ α · δ (mod a); X = a and γ b + X _b.

When arranging prime factors in ascending order from the smallest p ₁ to the largest p _f , the Chinese surplus parameter is the first Chinese surplus parameter α≡ {p ₂ (mod p ₁ )} ⁻¹ (mod p _1). ), And the second difference residual parameter β≡ {p ₁ · p ₂ (mod p ₃ )} ⁻¹ (mod p ₃ ), and the i difference coefficient surplus parameter λ≡ {p ₁ · p ₂ . P _i-1 (mod p _i )} ^-1 (mod p _i ) and the like. Finally, in the f-1 difference surplus operation, the first result (mod p ₂ times p ₁ ) can be obtained as the first parameter, and the second result (mod p ₁ · p ₂ times p ₁ ) is obtained as the second parameter. In this way, the result (mod p ₁ ... P _f-1 times p _f ), i.e. (mod n), can be obtained.

It is an object of the present invention to provide a method for any generation of an array of GQ2 keys in all possible arrays, namely:

Any generation of moduli in all possible GQ2 moduli, ie in each m radix g _i , equations (1) and (2) have the formula (3) having one of them cannot be solved by x in the integer ring of integer coefficient n,

Calculate all possible solutions for each of equations (3.a). The Chinese surplus technique makes it possible to obtain a secret value from each array of f components from Q _{i, 1} to Q _{i, f} , so as to obtain the solution of x for equation (3) among the possible equations.

Q _i = Chinese surplus (Q _{i, 1} , Q _{i, 2} , ..., Q _{i, f} )

In order to understand the problem, and then to understand the solution given to it, that is, in the present invention, the application of the principles of the GQ2 technique must first be analyzed. Begin by recalling the definition of the coefficients in the Galois field to study the functions of "multiply by CG (p) squared" and "take square root of squared excess of CG (p)". The presence and number of solutions of x of CG (p) are then analyzed for equations (1.a), (2.a) and (3.a).

Rank of components of CG (p)

Consider an odd prime number p and a positive prime a less than p. Then qualify {X}.                 

{X} ≡ {x ₁ = a; puis, pour i≥1, x _{i + 1} ≡ax _i (mod p)}

Compute the index i + p and use Fermat's theorem.

x _{i + p} = a ^p x _i ≡ax _i ≡x _{i + 1} (mod p)

As a result, the period of sequence {X} is either p-1 or a divider of p-1. This period depends on the value of a. By definition, this period is called "rank of a (mod p)". External index of unitity in sequence {X}.

X _{rank (a, p)} ≡1 (mod p)

For example, (p-1) / 2 is an odd prime number p 'and Galois field CG (p) consists of a single component with rank 1: 1, if it is a single component with rank 2. If it is a p'-1 component of rank p ', and a p'-1 component of rank 2p', ie, a component of p-1 rank, it is -1.

The components of CG (p) having a rank of p-1 are called primitive elements or, in turn, generators of CG (p). The name is due to the fact that their successive powers in CG (p), i.e., the sequence {X} from 1 to p-1 form the substitution of all non-zero components in CG (p). Is caused.

According to the primitive component y of CG (p), the rank of component y ⁱ (mod p) is calculated as a function of i and p-1. When i is a prime number with p-1, it is p-1. When p-1 is divided by i, it is (p-1) / i. In all cases, (p-1) / pgcd (p-1, i).

Euler functions are referenced by φ. By definition, since n is a positive integer, Φ (n) is a positive integer less than n and primed with n. In field CG (p), therefore, φ (p-1) primitive elements.

According to the method described above, the basis of the RSA technique is below. The open coefficient n is the product of the f prime factors from p ₁ to p _f , where f ≧ 2, and for each prime factor p _j , the open index v is a prime number of p _j −1. The key <v, p _j > depends on the rank of the components of CG (pj): ie replace them. Inverse substitution is obtained at <s _j , p _j > such that v · s _j −1 is divided by p _j −1.

Square and square root of CG (p)

The x and px components have the same square in CG (p). The key <2, p> does not substitute a component of CG (p) because p-1 is an even value. For each of a small number of p, let the integer defined as follows: t: p-1 is divided by 2 ^t does not divided by 2 ^{t + 1,} i.e., p is ^{2 t +1 (mod 2 t +} 1) and Associated. For example, when p is associated with 3 (mod 4), t = 1; when p is associated with 5 (mod 8), t = 2; when p is associated with 9 (mod 16), t = 3; When p is associated with 17 (mod 32), t = 4. Each odd prime is shown in only one category. That is, p is seen in the t-th category. Indeed, if we assume a fairly large number of consecutive primes, approximately one of the two will be in the first category, one of the four will be in the second, one of the eight, the third of the sixteen, the fourth, and so on. Will be in category. In short, one of 2 ^t is on average in the t th category.

Consider the "raise by square of CG (p)" function according to the parity of the rank discussed above.

There is only one fixed component. That is 1. The square of the other components of the odd parity rank is the other component of the same rank . As a result, the key <2, p> is replaced by all of its (p-1) / 2 ^t odd parity rank components. The number of substitutions is by factorization of (p-1) / 2 ^t . For example, when (p-1) / 2 ^t is a prime p ', there is a large substitution cycle consisting of the p'-1 component.

The square of any even parity rank component is another component whose rank is divided into two . As a result, the even parity rank component is distributed to the (p-1) / 2 ^t branches. Each non-zero component with an odd parity rank includes a branch consisting of 2 ^t -1 components of length t, i.e., the components of the rank are divided by 2 and not divided by 4. And if t≥2, the two components of the rank are divided by 4 and not divided by 8, and if t≥3, the four components of the rank are divided by 8 and not divided by 16, and if t≥ If 4, the eight components of the rank are divided by 16 and not by 32. The 2 ^t-1 ends of each branch are non-qudratic residues; Their rank is divided by 2 ^t .

In FIG. 1A, 1D illustrates the function of " squared in CG (p) " by a directional graph where the non-zero component of p-1 of each field finds its location. That is, the non-qudratic residues are white and the quadratic residues are black; Of the secondary surpluses, the odd parity rank component is a circle.

Each of these figures shows the following.

1A: p is associated with 3 (mod 4);

1B: p is associated with 5 (mod 8);

1C: p is associated with 9 (mod 16);

1D: p is associated with 17 (mod 32);

Now let's look at how to compute the solution of the expression x ² ≡a (mod p) as x. Where a is the secondary surplus of CG (p), ie, how to find the square root of CG (p). Of course, there are many ways to achieve the same result. Henry Cohen's "A Course in Computation Algebric Number Theory" (Berlin, Spragg, 1993, pages 31-36), and "Graduate Text in Mathematics." (vol. 138).

Compute the integer s = (p-1 + 2 ^t ) / 2 ^{t + 1} to generate the key <s, p>. If p is associated with 3 (mod 4), set it to <(p + 1) / 4, p>, if p is associated with 5 (mod 8), set it to <(p + 3) / 8, p>, If p is associated with 9 (mod 16), it is set to <(p + 7) / 16, p>, and if p is associated with 17 (mod 32), it is set to <(p + 15) / 32, p>.

The key <s, p> is given the square root of the odd parity rank of any odd parity rank component. In fact, in CG (p), r ² / a is equal to a multiplied by power (2 (p-1 + 2 ^t ) / 2 ^{t + 1} ) -1 = (p-1) / 2 ^t . As a result, when a is in cycle, the key <s, p> is converted into a solution called w. Another solution is pw.

In general, the key <s, p> is converted to any secondary surplus a in the first estimate of the solution called r. The following represent two key points of the approximate sketch of the method for the step-by-step proof of estimation with the square root of a.

Firstly, since a is a secondary surplus, the key <2 ^t-1 , p> obviously converts r ² / a to 1.

Second, one can assume that we know the non-secondary surplus of CG (p) named y; The key <(p-1) / 2 ^t , p> converts y into a component called b. That is, the 2 ^t-1 th root of -1. In fact, y ^{(p-1) / 2} ≡-1 (mod p). As a result, in CG (p), the 2 ^t 2 ^t th multiplication group of the unitity is of the same type as the multiplication group of the power of b in the exponent of 1 to 2 ^t .

To approach the square root of a, r ² / a is raised to 2 ^t-2 (mod p): the result is either +1 or -1. If the result is +1, the new estimate is r; otherwise, the result is -1, b · r (mod p). As a result, the key <2 ^t-2 , p> surely converts the new estimate to one. It is possible to access the required value continuously. That is, in the next step, adjustments can be made by multiplying by b ² (mod p) if necessary.

The algorithm below makes a continuous estimate reaching the square root of a from the integers r and b defined above; It uses two integer variables. I.e., the jj hypotheses in w and 2 to 2 ^t-2 initialized by r to represent a continuous estimate.

In the i range from 1 to t-2, the following sequence is repeated.

Calculate w ² / a (mod p) and multiply the result by 2 ^ti-1 (mod p). That is, +1 or -1 is obtained. If -1 is obtained, calculate jj = 2 ⁱ and then replace w with wb ^jj (mod p). If +1 is obtained, do nothing.

At the end of the calculation, w and pw are the two square roots of a in CG (p). In addition, the rank of a in CG (p) can be divided by 2 ^t / jj and not by 2 ^{t + 1} / jj. This relationship is shown further below.

Analysis of the principle of the GQ2 technique in CG (p)

Take two integers g greater than 1 and k, a prime number p greater than g. Analyze the presence and number of solutions of x in CG (p) in equations (1.a), (2.a) and (3.a).

In the Galois field CG (p), distinguish other cases that depend on the value of t, according to two powers dividing p-1. It can be recalled that p-1 can be divided by 2 ^t and not by 2 ^{t + 1} , that is, p is associated with 2 ^t +1 (mod 2 ^{t + 1} ). The above analysis gives us a fairly accurate concept of the problem as well as the proximity.

When t = 1, p is associated with 3 (mod 4). The Legendre symbols of g and -g associated with p are different. That is, any secondary surplus of CG (p) has two square roots in CG (p). One is secondary surplus and the other is non-secondary surplus. First, one of the two equations (1.a) or (2.a) has two solutions of x in CG (p) and no one. Second, equation (3.a) has two solutions to x in CG (p) whatever k value.

When t = 2 , p is associated with 5 (mod 8). Two cases occur depending on the Regendre symbol of g associated with p. When the symbol is equal to -1, g and -g are both non-secondary surpluses of CG (p). The three equations (1.a), (2.a) and (3.a) do not have a solution of x in CG (p). If the symbol is +1, g and -g are two secondary surpluses of CG (p), and each formula (1.a) and (2.a) has two solutions of x in CG (p). Additionally, the rank of g ² in CG (p) is an odd parity value that reflects whatever k value is, and equation (3.a) is of x in CG (p) with only one of which has an odd parity rank. Has four solutions.

Figure 2 shows the solution of equation (3.a) where t = 2, p is associated with 5 (mod 8) and k = 6. Note that, for p associated with 5 (mod 8), the Legendre symbol of 2 is equal to -1. 2 ^{(p-1) / 4} (mod p) is the square root of -1. therefore,

; 따라서 (2|p)=-1 이고,

; So (2 | p) =-1,

; 그러므로 b²≡-1(mod p) 이다.

; Therefore b ² ≡-1 (mod p).

When t = 3 , p is associated with 9 (mod 16). Consider the Legendre symbol of g associated with p. When the symbol is -1, g and -g are two non-secondary surpluses of CG (p). The three equations (1.a), (2.a) and (3.a) do not have a solution of x in CG (p). If the symbol is +1, g and -g are two secondary surpluses of CG (p), and each formula (1.a) and (2.a) has two solutions of x in CG (p). The presence of the solution of x in equation (3.a) depends on the rank of g ² in CG (p). The rank is an odd parity value or divided by two and not divided by four. When the rank of g ² in CG (p) is divided by 2 and not by 4, equation (3.a) has four solutions to x in CG (p) when k = 2; k≥3 If the rank of g ² in CG (p) is an odd parity value, equation (3.a) has four solutions to x in CG (p) when k = 2, and eight solutions when k≥3. . In both cases, only one value is an odd parity value.

When t = 4 , p is associated with 17 (mod 32). Consider the Legendre symbol of g associated with p. When the symbol is -1, g and -g are two non-secondary surpluses of CG (p). The three equations (1.a), (2.a) and (3.a) do not have a solution of x in CG (p). If the symbol is +1, g and -g are two secondary surpluses of CG (p), and each formula (1.a) and (2.a) has two solutions of x in CG (p). The presence of the solution of x in equation (3.a) depends on the rank of g ² in CG (p). The rank is an odd parity value or divided by 2 or 4 and not divided by 8. When the rank of g ² in CG (p) is divided by 2 and not by 8, equation (3.a) has four solutions to x in CG (p) when k = 2; k≥3 If the rank of g ² in CG (p) is divided by 2 and not by 4, equation (3.a) has four solutions to x in CG (p) when k = 2, and k If = 3 there are eight solutions; If k≥4, there is no harm. If the rank of g ² in CG (p) is an odd parity value, Equation (3.a) has four solutions to x in CG (p) when k = 2, and eight solutions when k≥3. If k≥4, we have 16 solutions. In all three cases, only one value is an odd parity value.

Other cases are the same, such as when p is associated with 1 (mod 4) and can be summarized below.

If p is associated with 1 (mod 4 ), consider the Regendre symbol of g associated with p. When the symbol is -1, g and -g are two non-secondary surpluses of CG (p). The three equations (1.a), (2.a) and (3.a) do not have a solution of x in CG (p). If the symbol is +1, g and -g are two secondary surpluses of CG (p), and each formula (1.a) and (2.a) has two solutions of x in CG (p). Define the integer u. The rank of g ² in CG (p) can be divided by 2 ^u , but not by 2 ^{u + 1} . The value of u is between t-1 possible values from 0 to t-2. The presence and number of solutions of x in CG (p) for equation (3.a) depends on k, t and u values. If u is positive and k is greater than tu, then equation (3.a) has no solution of x in CG (p). If u is zero and k is greater than t, equation (3.a) has 2 ^t solutions of x in CG (p). If k is greater than or equal to tu, equation (3.a) has 2 ^k solutions of x in CG (p).

Application of the GQ2 principle to the ring of integer modulo

In order to ensure that each of the equations (1) and (2) does not have a solution of x in the ring of integer coefficients n, the equations (1.a) and (2. 2) in at least one prime factor p from p ₁ to p _f . a) It is necessary to ensure that each does not have a solution of x in CG (p).

For equation (3) to have a solution of x in the integer ring of integer coefficients n, then for each prime factor p from p ₁ to p _f , let equation (3.a) have the solution of x in CG (p). Should be.

Equation (3) is one of the bases g from g ₁ to g _m , where the prime factor p associated with 1 (mod 4) is -Legendre symbol g associated with -p is equal to -1; Or the Legendre symbol g associated with p is one of the same as +1-interfering with being positive u and greater than tk. In order to enable the prime factor p associated with 1 (mod 4), with respect to the two integers t and u defined above, one of the following two states is satisfied in each of the bases g from g ₁ to g _m : It is necessary. The rank of g ² in CG (p) is an odd parity rank in CG (p), i.e. u = 0, or the rank of g ² in CG (p) is an even parity in CG (p), regardless of the value of k. Rank value. That is, it satisfies the condition of u> 0 and u + k ≦ t.

The product of the prime factors associated with 1 (mod 4) cannot satisfy all of the principles of the GQ2 technique. Each GQ2 coefficient has at least two prime factors associated with 3 (mod 4), so that in each radix g, the Regendre symbol g associated with one of these arguments is associated with the other. to be different from g. When all prime factors are associated with 3 (mod 4), we can say that the GQ2 coefficient is basic. By adding at least two prime factors associated with 3 (mod 4), one can say that when the coefficient includes one or more prime factors associated with 1 (mod 4), the coefficient GQ2 is combined.

Systematic Construction of Moduli GQ2

Initially, it is necessary to fix so that the entire limits are indicated by the coefficient n. That is, the number of most significant consecutive bits in 1 (generally at least one of 16 or 32 bits), as well as the size expressed in bits (e.g., 512 or 1024 bits), f prime factors and e (possibly Zero prime factor must be associated with 1 (mod 4); Another prime factor, at least two of the fe arguments, must be associated with 3 (mod 4). The coefficient n is the product of f prime factors of the same magnitude. when e = 0, the base coefficient GQ2 is obtained; When e> 0, the coupling coefficient GQ2 is obtained. The base coefficient is the product of the prime factors, all of which are associated with 3 (mod 4). Therefore, the coupling coefficient GQ2 can be viewed as the product of the base coefficient GQ2 multiplied by one or more other prime factors associated with 1 (mod 4). First of all, prime factors associated with 3 (mod 4) are generated. Then if e> 0, the prime factor associated with 1 (mod 4) is generated.

For the effect of the construction of GQ2 moduli, it is certainly better to select each candidate value before finding if it is a prime value.

The radix, referred to g ₁ , g ₂ , ... are generally the first radix: 2,3,5,7, ... If there is no opposite, m bases are m primes. G ₁ = 2, g ₂ = 3, g ₃ = 5, g ₄ = 7, ... However, the following points should be noted. That is, if an argument associated with 5 (mod 8) is expected, 2 should be avoided; If public key <3, n> is used as the RSA public authentication key, 3 should be avoided.

Selection of f-e prime factors associated with mod 4

Based on the second argument, the program requires and uses one radix per argument. In the selection of the last argument associated with 3 (mod 4), the program looks for other radix, that is, if m is greater than or equal to _{fe and} in this case requires and considers the last radix from g _fe to g _m . To formulate the choice of prime factors associated with mod 4, we introduce the term profile. The profile characterizes an integer g for a set of prime factors greater than g and associated with 3 (mod 4).

If the integer g has the same Regendre symbol for two prime factors, the prime factors are said to be equivalent to g. Otherwise, it is said to be complementary with respect to g.

The profile of integer g, used in porfile _f (g), for _f prime factors p _1, p ₂ , ..., p _f is a sequence of f bits, one bit per prime factor. . The first bit is equal to 1; Each subsequent bit is a value equal to 1 or 0 depending on whether the next argument is equal to p1 or complementary with respect to g.

When all bits in the profile are equal to 1, say the profile is flat. In this case, all of the Regendre symbols of g are equal to +1 or equal to -1. If the profile of g is not flat, equations (1) and (2) cannot be solved in the ring of integer coefficients n.

By definition, the profile of g for a single prime number associated with 3 (mod 4) is always flat. This is used to generalize the algorithm of selection of prime factors associated with 3 (mod 4).

When the profiles of the two radixes g ₁ and g ₂ are different (which indicates that at least three prime factors are associated with 3 (mod 4)), the information of the two secret values Q1 and Q2 is two different coefficients of n. Induces information of partitioning. For small radix primes, the program ensures that the 2 ^fe-1 -1 multiplication combinations of the fe-1 reference primes are all different. That is, take all possible values. The term profile does not extend to the prime factors associated with 1 (mod 4).

First prime factor p ₁ associated with 3 (mod 4): Each candidate value must be associated with 3 (mod 4) without any special restrictions.

Second prime factor p ₂ associated with 3 (mod 4) considered as the first radix g1: Each candidate value must be complementary to p ₁ with respect to g ₁ .

Third prime factor p ₃ associated with 3 (mod 4) considered as second base g ₂ : According to the profile of g _{2 for} the two first prime factors p ₁ and p ₂ , two cases occur. If profile ₂ (g ₂ ) is flat, each candidate value should be complementary to p ₁ with respect to g ₂ . Otherwise, profile ₂ (g ₁ ) = profile ₂ (g ₂ ); You must ensure that each candidate value is profile ₃ (g ₁ ) ≠ profile ₃ (g ₂ ).

Selection of the i th prime p _{i + 1} associated with 3 (mod 4) considered as radix g _i : According to the i first prime factors p ₁ , p ₂ , ..., p _i , two cases occur . If profile _i (g _i ) is flat, then each candidate value should be complementary to p ₁ with respect to g _i . Otherwise, i-1 radix g ₁ , g ₂ , ..., g _i-1 and all of their multiplicative combinations g ₁ · g ₂ , ..., g ₁ · g ₂ . ... G among g _i-1 , ie in 2 ^i-1 −1 integers of all the above, there is only one integer g such that profile _i (g _i ) = profile _i (g); We must ensure that each candidate value is then profile _{i + 1} (g _i ) ≠ profile _{i + 1} (g).

Finally prime factors p _fe is associated to 3 (mod 4) to be considered as any other odd number of g to _m in the _radix-fe g ₁ and g _fe: limited by the rider gf-e-1 are considered, as described above. In addition, when m is equal to or greater than fe, each candidate value should provide a non-flat profile for the last radix from g _fe to g _m associated with fe prime _factors . Each candidate value should be complementary to p ₁ for all values of g _i flat for profile _fe-1 (g _i ).

In summary, the prime factors associated with 3 (mod 4) are chosen as functions of each other.

In the i range from 0 to fe-1, in order to select the i + 1 th prime factor associated with 3 (mod 4), the candidate value p _{i + 1} must pass the following tests.

If i> m or i = 0, the candidate value p _{i + 1} has no other constraint; Therefore it can be chosen.

If 0 <i ≤ m, the candidate value p _{i + 1} must take into account the i th base g _i . The profile _i (g _i ) of the radix g _i associated with the first prime factors _i from p ₁ to p _i is calculated. Based on the above results, only one of the following two cases occurs.

If the profile is flat, the candidate value pi + 1 should be complementary to p1 with respect to gi; Otherwise, the value is rejected.

Otherwise, there is only one number called g such that among the i-1 radix and all of the multiplicative combinations there is profile _i (g) = profile _i (g _i ); Each candidate value p _{i + 1} must then be profile _{i + 1} (g) ≠ profile _{i + 1} (g _i ); Otherwise, the value is rejected.

If i + 1 = fe and i <m, i.e. if radix remains, to select the last prime factors from g _fe to g _m associated with 3 (mod 4) that have not yet been considered, the candidate value p _fe is Should be taken into account. That is, among these radix, a profile whose profile _fe-1 (g _i ) is flat is selected; The candidate value p _fe must be complementary to p ₁ in relation to the respective selected radix; Otherwise they must be rejected.

If the above tests have been successfully completed, the candidate value is selected.

Selection of e prime factors associated with 1 (mod 4)

Each candidate value p associated with 1 (mod 4) must satisfy the following conditions for each radix from g ₁ to g _m .

Compute the Regendre symbol for each radix g _i associated with p. If the symbol is equal to -1, then reject the candidate value p and go to another candidate value. If the symbol is equal to +1, the calculation of the candidate value is continued. If the integer 2 is used as an odd number, all candidate values associated with 5 (mod 8) must be eliminated: that is, the odd number 2 is incompatible with the argument associated with 5 (mod 8).

Compute the integer s = (p-1 + 2 ^t ) / 2 ^{t + 1} to produce the key <s, p>. Apply key <s, p> to each public value G _i to get the result r. Two cases occur.

If r is equal to g _i or -g _i , then u = 0 In this case, Gi is in cycle. Note the trivial case: if p is associated with 5 (mod 8) and the genre symbol of g _i associated with p is equal to +1, then G _i is in cycle. Recall that G _i = 4 is not possible in this case.

If r is not equal to g _i or -g _i , then u> 0. Note that the key <(p-1) / 2 ^t , p> converts all non-quadratic residues y to component b, which is the 2 ^t th primitive root of the unit circle. The algorithm below calculates u from r and b by using two integer variables, w being initialized by r and jj taking a value between 2 and 2 ^t-2 .

At i through t-2, repeat the sequence below.

Calculate w ² / Gi (mod p _j ) and multiply the result by 2 ^ti-1 (mod p _j ): the result is +1 or -1. If the result is -1, calculate jj = 2 ⁱ , and then replace w with wb ^jj (mod p _j ). If +1 is obtained, do nothing.

At the end of the calculation, the variable w has a value of g _i or -g _i . In addition, we find that the Gi rank in CG (p) is divided by 2 ^t / jj, but not by 2 ^{t + 1} / jj, ie jj determines u by jj = 2 ^tu . If v is greater than jj, i.e., k> tu, the candidate value is rejected and goes to another candidate value. If v is less than or equal to jj, i.e., k &lt; tu, then the calculation of the candidate value is continued.

If f prime factors are generated, then the open coefficient n is the product of f prime factors p ₁ , p ₂ , .. p _f . An unsigned integer n can be represented by two sequences; This sequence represents the restrictions imposed at the beginning of the program on the size of the bits and the number of consecutive most significant bits in one. The choice of prime factors provides the following properties of the coefficient n for each of the m bases g ₁ , g ₂ , .. g _m . In addition, equations (1) and (2) do not have a solution with respect to x in the ring of integer coefficients n. Second, equation (3) has a solution for x in the integer ring of integer coefficients n.

In summary, the prime factors associated with 1 (mod 4) are chosen independently of each other.

Whereas the arguments associated with 3 (mod 4) take into account the gradual order, each prime factor associated with each 1 (mod 4) must take into account all the restrictions dictated by the respective radix. Each prime factor associated with 1 (mod 4), ie p from p _fe to p _f , must be successfully tested in two steps:

1) Step (1) must be performed successfully for each of the m radix from g1 to gm.

The genre symbol of the current radix g for the candidate value p is calculated. Only one of the following two cases occurs. In other words, if the sign is equal to -1, the candidate value is rejected. Otherwise (if the symbol is +1), the test continues along step (1) for the radix g to pass the test.

If the candidate value is acceptable to all m bases, the operation goes to step (2).

2) Step (2) must be performed successfully for each of the m public values of Gm in G1.

The integer t is calculated so that p-1 can be divided by 2 ^t , but not by 2 ^{t + 1} , and then the integer s = (p-1 + 2 ^t ) / 2 ^{t + 1} is calculated And generate keys <s, p>. The key <s, p> is applied to G = g2 to get the result r, that is: r ≡G ^s (mod p). According to the result, only one of the following states occurs.

a) If r is equal to g or -g, then u = 0, and the test of the candidate value continues to pass the public value G below in step (2).

b) Otherwise, the algorithm below applies to r as well as the integer b obtained by applying two integer variables-the key <(p-1) / 2 ^t , p> to the non-secondary surplus of CG (p). In using w and jj − taking a value between 2 and 2 ^{t −2} , the positive u is calculated to take one of the values from 1 to t −2.

At index ii in the range 1 to t-2, the following operation is repeated.

That is, w ² / G (mod p) is calculated and the key <(p-1) / 2 ^t , p> is applied so that the result gets a +1 or -1 value. (Otherwise, the candidate value is proof that it is not a prime factor.) If the result is -1, jj = 2 ⁱⁱ is calculated and c≡b ^jj , then w is replaced by wc (mod p), Then pass to the next index ii. If +1 is obtained, then pass to the next index ii.

At the end of the algorithm, the value of the variable jj defines u by the relationship jj = 2 ^tu ; The value in the variable w is the square root of G, ie g or -g. (Otherwise, it is evidence that the candidate value is not a prime factor.) Two cases occur.

If t-u <k, the candidate value p is rejected because the branch where G occurs is not long enough.

If t-u? K, then the value of the candidate value continues to the next published value G following step (2).

If the candidate value is acceptable for all m public values, it is taken as a prime factor associated with 1 (mod 4).

Calculation of related values

To get the secret components, first calculate all the solutions of equation (3.a) through the two simplest and most recent cases before looking at the general case.

In each prime factor pj associated with 3 (mod 4) , the key <(p _j +1) / 4, p _j > gives the second square root of any secondary surplus. From this, the method is inferred to calculate the solution of equation (3.a). In other words,

s _j ≡ ((p _j +1) / 4) ^k (mod (p _j −1) / 2); ^{_{And, Q i, j ≡G i sj}} (mod p j)

Or otherwise mod pj of the same year. In other words,

s _j ≡ (p _j -1) / 2-((p _j +1) / 4) ^k (mod (p _j -1) / 2); And Q _{i, j} ≡G _i ^sj (mod p _j ).

In CG (p) there are only two square roots of unity (ie +1 and -1); Therefore, two solutions of x in equation (3.a). That is, Q _{i, j} and p _j -Q _{i, j} are the squares of the same G _i (mod p _j ).

In each prime factor pj associated with 5 (mod 8) , the key <(p _j +1) / 4, p _j > is given the root root of the odd parity rank of any odd parity rank component. From this, the method is inferred to calculate the solution of equation (3.a). In other words,

s _j ≡ ((p _j +3) / 8) ^k (mod (p _j −1) / 4); ^{_{And, Q i, j ≡G i sj}} (mod p j)

Or otherwise mod pj of the same year. In other words

s _j ≡ (p _j -1) / 4-((p _j +3) / 8) ^k (mod (p _j -1) / 4); And Q _{i, j} ≡G _i ^sj (mod p _j ).

In CG (p) there are only four square roots of unity; Therefore, the four solutions of x in equation (3.a). Note that 2 ^{(pj-1) / 4} (mod p _j ) is the square root of -1 because the 2nd genre de sign for p associated with 5 (mod 8) is equal to -1. If Q _{i, j} is a solution, then p _j -Q _{i, j} is another solution, as is the product of (mod pj) of Q _{i, j} and the square root of -1.

In the prime factor pj associated with 2t + 1 (mod 2t + 1) , the key <(p _j -1 + 2 ^t ) / 2 ^{t + 1} , p _j > gives the odd parity square root of any odd parity rank component. . Thus, the solution of equation (3.a) can be calculated.

To generate the key <s _j , p _j >, firstly the integer s _j ≡ ((p _j -1 + 2 ^t ) / 2 ^{t + 1} ) ^k (mod (p _j -1) / 2 ^t ) Calculate

When the key <(p _j -1 + 2 ^t ) / 2 ^{t + 1} , p _j > converts G _i to g _i or -g _i , the rank of G _i is the odd parity value of CG (p) ( u = 0). Then, the key <s _j , p _j > converts G _i to z. This is the odd parity rank solution of equation (3.a). Depending on the value of t and k, there is still another solution of min (2 ^k −1,2 ^t −1) in one or more branches. The branch of z ² derives another solution: that is p _j -z If t ≥2, the branch of z ⁴ is two different solutions: that is, the product of z square root of -1 and z, Each of the two primitive fourth roots of the unitity.

If y is a non-quadratic residue of CG (p), y ^{(pj-1) / 4} (mod pj) is the square root of -1. In general, in the i selection of values from 1 to min (k, t), the branch of the 2 ⁱ th power of z has 2 ^i-1 solutions: that is, 2 ⁱ of the unit circle. the product of ^-1 of raw 2 ^i-th root (fourth primitive roots) of (mod p _j) of each and z.

(mod pj)이다.If y is a CG (p) a secondary non-redundant (non-quadratic residue) of the case, the y ^{_{(p j -1) / 2 i}} 2 i -th raw near-power is called the c (fourth primitive roots) of. The 2 ^i-1 to 2 ⁱ primitive fourth roots of the unitity are the odd parit powers of c: c, c ³ (mod pj), c ⁵ (mod pj), and so on. ..,

(mod pj).

(mod pj)이고,

(mod pj)가 1과 같다. G_i가 위치한 브랜치에서의 2^k 해는 이러한 근들 각각에서 z의 (mod p_j)의 곱들이다. The key ^{_{<(p j -1 + 2 t}} ) / 2 t + 1, p j> is the conversion to the G _i and g _{i i} -g integer r not the rank of G _i is CG (p) - An even parity value (u> 0) is obtained. Then, if Gi is located in a fairly long branch, i.e. t> k + u, there are 2 ^k solutions in the branch where Gi is located. In order to calculate the 2 ^k th root, it is sufficient to repeat the above-mentioned square root calculation algorithm by k rank times, and the square root of successive results close to solution z can be calculated. This calculation can of course be optimized to directly access the 2 ^k th root and then it is possible to adjust the 2 ^k th root estimate in a single operation to obtain the solution z. To get all other solutions, it should be noted that y is the non-secondary surplus of CG (p _j ), and then 2k of the unitity of (p _j -1) / 2 ^k powers of y called d. First primitive root. The 2 ^k 2 ^k th roots of the unit circle are successive powers of d: d, d ² (mod pj), d ³ (mod pj), ...,

(mod pj),

(mod pj) is equal to one. The 2 ^k solution at the branch where G _i is located is the product of (mod p _j ) of z in each of these roots.

In summary, to calculate the components for prime factors p and base g with known k, t and u, the following scheme is used:

1) An integer is calculated: ie to calculate the key <s, p>

Calculate s ≡ (p-1 + 2 ^t ) / 2 ^{t + 1} ) ^k (mod (p-1) / 2 ^t ). Then, the key <s, p> is applied to G to obtain z ≡ G ^s (mod p). Depending on the u value, it passes to step (2) or step (3).

2) If u = 0, then z is the odd parity solution of equation (3.a). There are still min (2 ^k −1,2 ^t −1) other even parity rank solutions above one or more branches, and very precisely min (k, t) other branches. In the i range of 1 to min (k, t), the 2 ⁱ th power of z has 2 ^i-1 solutions: that is, they are the 2 ^i-1 2 ⁱ th primitive roots of each unit circle. The product of (primitive roots of unity) and (mod p) of z. The general solution of equation (3.a) is represented by zz. The operation continues with step (4).

3) If u> 0, then all solutions in equation (3.a) are even parity solutions. There are 2 ^k solutions and all are in the branch where G is located; That is, tu ≥ k. To compute the solution, the algorithm below is initialized by z as well as the integer b obtained by applying the key <(p-1) / 2 ^t , p> to the non-secondary surplus of CG (p) And jj with a value between 2 and 2 ^t-2 .

The following sequence is repeated by the number of k ranks.

In the range of index ii from 1 to t-2, the following operation is repeated: i.e. w ² / G (mod p) is calculated and the key <2 ^t-ii-1 , p> has a result of +1 or -1 Applied to get the value. (Otherwise, the candidate value is proof that it is not a prime number.) If the result is -1, jj = 2 ⁱⁱ is calculated, c≡b ^jj , and then w is replaced by wc (mod p). , And then pass to the next index ii. If +1 is obtained, then pass to the next index ii.

At the end of the algorithm, the variable w has a za value. The 2 ^k solutions in the branch where G is located are the product of each of the 2 ^kth roots of the unit circle and (mod p) of za. The general solution of equation (3.a) is represented by zz. The operation goes to step (4).

4) With known zz, the component value is deduced therefrom: that is, the inverse value of the zz modulo p when the equation GQ ^v ≡1 (mod n) is used, and the equation G ≡Q ^v (mod n) is used. When the zz value.

Caution There are various ways to obtain secret components and secret values. If a set of f components is known, i.e. at f components of a given radix, the Chinese remainder technique is used to calculate the corresponding secret value. It can be seen that at a given publication value G and coefficient n, it is possible to have many possible secret values Q. when n is the product of two prime factors associated with 3 (mod 4), there are 4 of them; when n is the product of three prime factors associated with 3 (mod 4), there are eight of them; When n is the product of two prime factors associated with 3 (mod 4) and one prime factor associated with 5 (mod 8), there are 16 of them. The use of these multiple values can complicate the attacks by analyzing the electrical consumption of the chip card using GQ2.

As t increases, the program becomes more and more complicated in rare cases. That is, the prime numbers are divided by the following average values: t = 1 in one of the two, t = 2 in one of the four, t = 3 in one of the eight, and so on. In addition, the limitations by the m radix make the candidate values increasingly unacceptable. In any case, the combined moduli certainly form part of the GQ2 technique; The form of the GQ2 coefficients affects dynamic authentication and digital signature protocols .

FIG. 3 shows G _i = g _i ² in a cycle with a prime factor p associated with 9 (mod 16), ie t = 3, u = 0 as well as k ≧ 3.

b ≡

b ⁸ ≡1 (mod p)

b ⁴ ≡-1 (mod p)

It should be noted that

FIG. 4 shows G _i = g _i ² in a cycle with prime factor p associated with 65 (mod 128), ie k = 4 and u = 2 as well as t = 6.

k = 6, v = 64, m = 3, three bases: g ₁ = 3, g ₂ = 5, g ₃ = 7, and f = 3, that is, a factor with three prime factors: 3 (mod 4 There is a first combination of keys of GQ2 with two associated with) and one associated with 5 (mod 8). g = 2 is not compatible with the prime factors associated with 5 (mod 8).

Below are other possible values of the component related to p3 associated with 5 (mod 8).

Below is the square root of -1 in CG (p): c = 2 ^{(p3-1) / 4} (mod p ₃ ) =

Below is the second set of GQ2 keys, which are k = 9, v = 512, m = 2, and the two radixes g1 = 2 and g2 = 3, and f = 3, three associated with 3 (mod 4) Gives the prime factors of.

The present invention describes a method for generating a set of GQ2 keys, ie, pairs of moduli n and public and secret values G and Q, each with an index v equal to ^2k . This set of keys uses a method configured to verify the authenticity of an entity and / or the integrity and / or authenticity of a message.

In an application filed by French Telecom, TDF and Mathrizk, and filed on the same day as the inventor of the invention, Louis Guillou and Jean-Jacques Quisquater, the method is configured to verify the authenticity of the entity and / or the integrity and / or authenticity of the message. , Systems, and devices are claimed. These two applications are incorporated herein by reference.

Claims (24)

delete delete delete delete delete delete delete delete delete delete delete delete In a system that produces an asymmetric cryptographic key, the key is a secret value Q ₁ , Q ₂ , ..., Q _m and m public values G ₁ , G ₂ , ..., G _{m with m≥1.} The system includes: A processor; And A storage device coupled to the processor that stores a set of instructions that are executed to cause the processor to be executed in the following order, the order in which the processor is executed: Selecting a security parameter k that is an integer greater than one; Is a public integer equal to the product of at least two prime factors p ₁ , p ₂ , ..., p _f , and at least two prime factors of the prime factors p ₁ and p ₂ are p ₁ ≡ 3 mod 4 and p ₂ ≡ 3 checking the coefficient n, which becomes equal to mod 4; Each radix g _i (when i = 1,2, ..., m) is an integer greater than 1 and is the remainder of the integer divisor divided by the coefficient n, with p ₂ equaling p ₁ for one of the radix. Selecting _m radix g ₁ , g ₂ , ..., g _m , as complementary; when i = 1,2, ..., m G _i ≡g _i ² calculating the public value G _i by mod n; And When i = 1,2, ..., m, the open index v is equal to v = 2 ^k and G _i .Q _i ^v ≡1 mod n or G _i ≡Q _i ^v A system for generating an asymmetric cryptographic key comprising the step of calculating the secret value Q _i by one of the formulas: The method of claim 13, The system is characterized in that the number of prime factors (fe) (where e ≧ 0) of the coefficient n congruent with 3 mod 4 is greater than 2, and the prime factors p _{j + 1} congruent with 3 mod 4 (2 ≦ _j When ≤m) Calculating Profile _j (g _j ), which is a profile of g _j for the prime factors p ₁ , p ₂ ,..., P _f , and If Profile _j (g _j ) is flat, then the prime factor p _{j + 1} is selected such that p _{j + 1} is complementary to p ₁ for g _j ; Otherwise, the number g is selected from (j-1) radix g ₁ , g ₂ , ..., g _m and all their multiplication combinations, where Profile (g _j ) is equal to Profile _j (g _j ), Then p _{j + 1} is chosen such that Profile _{j + 1} (g _j ) and Profile _j (g) are not equal, where the last prime factor P _fe congruent with 3 mod 4 is _fe ≦ m, where _fe ≦ m An asymmetry characterized in that for every radix g _i such that _≤ m and its profile Profile _fe-1 (g _i ) is flat, P _fe is checked repeatedly according to the selected step as complementary to P ₁ System for generating a cryptographic key. The method of claim 13, The system wherein the number e of the prime factors of the coefficient n, congruent with 1 mod 4, is equal to at least 1, and each of the prime factors is examined according to the following steps: The prime candidate value p is selected such that the Legendre symbol of each radix g _i for p (when i = 1,2, ..., m) is equal to +1, p-1 a is a constant t is calculated so as not to divide by 2 ^{t + 1} is divided by 2 ^t, The integer s is calculated such that s = (p-1 + 2 ^t ) / 2 ^{t + 1} , When h is the remainder of the integer not divided by the coefficient p, the integer b is b≡

is calculated to be mod p, When i = 1,2, ..., m the integer m is calculated to be r _i ≡g _i ^2s , The integer u is initialized to have a value of 0, The following series of steps are repeated if i is initialized to have a value of 1: The integer w is initialized to have a value of w = r _i , If r _i = ± g _i , the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i the coefficient is recognized as an argument of n, If r _i ≠ ± g _i , The integer jj is initialized to have a value of 1, The following series of steps are performed repeatedly if the integer jj is initialized to 1: x≡w ² / g _i ² mod p is calculated, y≡

mod p is calculated, and If y = + 1, the series of processes ends at the current value of ii, If y = -1, jj is assigned a value of jj = 2 ⁱⁱ , and the number w is assigned a new value equal to the existing value multiplied by the b ^jj modulo p, and while ii <t-2, the ii value is increased and a new iteration is repeated for the new ii value, If ii = t-2, the value of the number u is updated according to jj = 2 ^tu , and If t-u <k, the candidate fractional value p is rejected in the factor of the coefficient n, If tu> k, the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i of the coefficient n A system for generating an asymmetric cryptographic key, characterized by consisting of what is recognized as an argument. The method of claim 15, The system includes, among them, the secret values Q ₁ , Q _{2 ,.} In order to compute the f · m secret components Q _{i, j} the following steps are carried out for each pair (i, j): The integer t is checked to equal 1 if p _j is congruent to 3 mod 4 and to determine the value for t according to claim 15 if P _j is congruent to 1 mod 4, The integer u is checked so that if p _j is congruent with 3 mod 4 and equals 0 and if P _j is congruent with 1 mod 4 the integer u is checked to determine the value for u according to claim 15, When s = (p-1 + 2 ^t ) / 2 ^{t + 1} , the value of the integer z is calculated such that z≡G _i ^s , All numbers zz are considered as follows: If u = 0, then i is a value in the range from 1 to the minimum value of k, t (min (k, t)), then the exponential power is equal to zz = z or 2 ^ii-1 , 2 ⁱⁱ , respectively. Zz equal to the product of the modulo p _j of z (root of unity), If u> 0, when za is a value determined for w according to claim 15, zz equals the product of the modulo p _j of za, which is 1 when 2 ^k and 2 ^k exponential powers are respectively, and For each of a number zz, ten thousand and one G _i ^v _i ≡Q When using the expression mod n value of the element Q _{i, j} is Q _{i, j} is determined so as to have the same value as the zz, or if G _{i and} Q _i ^v A system for generating an asymmetric cryptographic key having a characteristic that is determined to have a value equal to the inverse of the zz modulo pj when an expression of ≡1 mod n is used for the value of i. A computer-readable storage medium storing instructions for generating an asymmetric cryptographic key, wherein the key is a secret value Q ₁ , Q ₂ , ..., Q _m and m public values G, each of m≥1. ₁ , G ₂ , ..., G _m , with the following order: Selecting a security parameter k that is an integer greater than one; Is a public integer equal to the product of at least two prime factors p ₁ , p ₂ , ..., p _f , and at least two prime factors of the prime factors p ₁ and p ₂ are p ₁ ≡ 3 mod 4 and p ₂ ≡ 3 checking the coefficient n, which becomes equal to mod 4; Each radix g _i (when i = 1,2, ..., m) is an integer greater than 1 and is the remainder of the integer divisor divided by the coefficient n, with p ₂ equaling p ₁ for one of the radix. Selecting _m radix g ₁ , g ₂ , ..., g _m , as complementary; when i = 1,2, ..., m G _i ≡g _i ² calculating the public value G _i by mod n; And When i = 1,2, ..., m, the open index v is equal to v = 2 ^k and G _i .Q _i ^v ≡1 mod n or G _i ≡Q _i ^v A computer readable storage medium storing instructions executed to be executed in accordance with the order of calculating the secret value Q _i by one of the formulas n mod n. The method of claim 17, A computer-readable storage medium storing the instructions, wherein the number fe (where e≥0) of the prime factor n of the coefficient n, which is congruent with 3 mod 4, is greater than 2 and said congruent with 3 mod 4 The prime factor p _{j + 1} (when 2≤j≤m) is: Calculating Profile _j (g _j ), which is a profile of g _j for the prime factors p ₁ , p ₂ ,..., P _f , and If Profile _j (g _j ) is flat, then the prime factor p _{j + 1} is selected such that p _{j + 1} is complementary to p ₁ for g _j ; Otherwise, the number g is selected from (j-1) radix g ₁ , g ₂ , ..., g _m and all their multiplication combinations, where Profile (g _j ) is equal to Profile _j (g _j ), Then p _{j + 1} is chosen such that Profile _{j + 1} (g _j ) and Profile _j (g) are not equal, where the last prime factor P _fe congruent with 3 mod 4 is _fe ≦ m, where _fe ≦ m Computer, characterized in that for every said radii g _i such that _≤ m and its profile Profile _fe-1 (g _i ) is flat, P _fe is checked repeatedly according to the steps selected as complementary to P ₁ Readable storage medium. The method of claim 17, A computer-readable storage medium storing the instructions, wherein the number e of the prime factors of the coefficient n, congruent with 1 mod 4, is equal to at least 1, and each of the prime factors is examined according to the following steps: The prime candidate value p is selected such that the Legendre symbol of each radix g _i for p (when i = 1,2, ..., m) is equal to +1, p-1 a is a constant t is calculated so as not to divide by 2 ^{t + 1} is divided by 2 ^t, The integer s is calculated such that s = (p-1 + 2 ^t ) / 2 ^{t + 1} , When h is the remainder of the integer not divided by the coefficient p, the integer b is b≡

is calculated to be mod p, When i = 1,2, ..., m the integer m is calculated to be r _i ≡g _i ^2s , The integer u is initialized to have a value of 0, The following series of steps are repeated if i is initialized to have a value of 1: The integer w is initialized to have a value of w = r _i , If r _i = ± g _i , the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i the coefficient is recognized as an argument of n, If r _i ≠ ± g _i , The integer jj is initialized to have a value of 1, The following series of steps are performed repeatedly if the integer jj is initialized to 1: x≡w ² / g _i ² mod p is calculated, y≡

mod p is calculated, and If y = + 1, the series of processes ends at the current value of ii, If y = -1, jj is assigned a value of jj = 2 ⁱⁱ , and the number w is assigned a new value equal to the existing value multiplied by the b ^jj modulo p, and while ii <t-2, the ii value is increased and a new iteration is repeated for the new ii value, If ii = t-2, the value of the number u is updated according to jj = 2 ^tu , and If t-u <k, the candidate fractional value p is rejected in the factor of the coefficient n, If tu> k, the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i of the coefficient n A computer-readable storage medium, consisting of what is accepted as an argument. The method of claim 19, A computer readable storage medium storing the instructions includes, among others, the secret values Q ₁ , Q ₂ ,..., Q _m . In order to compute the f · m secret components Q _{i, j} the following steps are carried out for each pair (i, j): If ten thousand and one is p _j 3 mod 4 and the joint to be equal to 1 and if _j If the P 1 mod 4 and the joint so that the value for t the set according to claim 19 wherein t is an integer being examined, If p _j is congruent with 3 mod 4 then the integer u is checked to be equal to 0 and if P _j is congruent with 1 mod 4 so that the value for u is determined according to claim 19, When s = (p-1 + 2 ^t ) / 2 ^{t + 1} , the value of the integer z is calculated such that z≡G _i ^s , All numbers zz are considered as follows: If u = 0, then i is a value in the range from 1 to the minimum value of k, t (min (k, t)), then the exponential power is equal to zz = z or 2 ^ii-1 , 2 ⁱⁱ , respectively. Zz equal to the product of the modulo p _j of z (root of unity), If u> 0, when za is a value determined for w according to claim 19, zz equals the product of the modulo p _j of za, which is 1 when 2 ^k and 2 ^k exponential powers, respectively, and For each of a number zz, ten thousand and one G _i ^v _i ≡Q When using the expression mod n value of the element Q _{i, j} is Q _{i, j} is determined so as to have the same value as the zz, or if G _{i and} Q _i ^v A computer-readable storage medium having a feature that is determined to have a value equal to the inverse of the zz modulo pj when the expression of ≡1 mod n is used for the value i. In a process using a computer to generate an asymmetric cryptographic key, the key is a secret value Q ₁ , Q ₂ , ..., Q _m and m public values G ₁ , G ₂ ,. The process using a computer comprising .., G _m comprises: A processor; And A storage device coupled to the processor that stores a set of instructions that are executed to cause the processor to be executed in the following order, the order in which the processor is executed: Selecting a security parameter k that is an integer greater than one; Is a public integer equal to the product of at least two prime factors p ₁ , p ₂ , ..., p _f , and at least two prime factors of the prime factors p ₁ and p ₂ are p ₁ ≡ 3 mod 4 and p ₂ ≡ 3 checking the coefficient n, which becomes equal to mod 4; Each radix g _i (when i = 1,2, ..., m) is an integer greater than 1 and is the remainder of the integer divisor divided by the coefficient n, with p ₂ equaling p ₁ for one of the radix. Selecting _m radix g ₁ , g ₂ , ..., g _m , as complementary; when i = 1,2, ..., m G _i ≡g _i ² calculating the public value G _i by mod n; And When i = 1,2, ..., m, the open index v is equal to v = 2 ^k and G _i .Q _i ^v ≡1 mod n or G _i Computing the secret value Q _i by one of the formulas: ≡Q _i ^v mod n. The method of claim 21, The process using the computer, wherein the number of prime factors (fe) (where e ≧ 0) of the coefficient n congruent with 3 mod 4 is greater than 2, and the prime factors p _{j + 1} congruent with 3 mod 4 (When 2≤j≤m): Calculating Profile _j (g _j ), which is a profile of g _j for the prime factors p ₁ , p ₂ ,..., P _f , and If Profile _j (g _j ) is flat, then the prime factor p _{j + 1} is selected such that p _{j + 1} is complementary to p ₁ for g _j ; Otherwise, the number g is selected from (j-1) radix g ₁ , g ₂ , ..., g _m and all their multiplication combinations, where Profile (g _j ) is equal to Profile _j (g _j ), Then p _{j + 1} is chosen such that Profile _{j + 1} (g _j ) and Profile _j (g) are not equal, where the last prime factor P _fe congruent with 3 mod 4 is _fe ≦ m, where _fe ≦ m Computer, characterized in that for every said radii g _i such that _≤ m and its profile Profile _fe-1 (g _i ) is flat, P _fe is checked repeatedly according to the steps selected as complementary to P ₁ Processing using The method of claim 21, The processing using the computer, wherein the number e of the prime factors of the coefficient n, which is congruent with 1 mod 4, is equal to at least 1, and each of the prime factors is examined according to the following steps: The prime candidate value p is selected such that the Legendre symbol of each radix g _i for p (when i = 1,2, ..., m) is equal to +1, p-1 a is a constant t is calculated so as not to divide by 2 ^{t + 1} is divided by 2 ^t, The integer s is calculated such that s = (p-1 + 2 ^t ) / 2 ^{t + 1} , When h is the remainder of the integer not divided by the coefficient p, the integer b is b≡

is calculated to be mod p, When i = 1,2, ..., m the integer m is calculated to be r _i ≡g _i ^2s , The integer u is initialized to have a value of 0, The following series of steps are repeated if i is initialized to have a value of 1: The integer w is initialized to have a value of w = r _i , If r _i = ± g _i , the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i the coefficient is recognized as an argument of n, If r _i ≠ ± g _i , The integer jj is initialized to have a value of 1, The following series of steps are performed repeatedly if the integer jj is initialized to 1: x≡w ² / g _i ² mod p is calculated, y≡

mod p is calculated, and If y = + 1, the series of processes ends at the current value of ii, If y = -1, jj is assigned a value of jj = 2 ⁱⁱ , and the number w is assigned a new value equal to the existing value multiplied by the b ^jj modulo p, and while ii <t-2, the ii value is increased and a new iteration is repeated for the new ii value, If ii = t-2, the value of the number u is updated according to jj = 2 ^tu , and If t-u <k, the candidate fractional value p is rejected in the factor of the coefficient n, If tu> k, the value of i is increased and a series of steps by the new value of i is continued if i <m, on the other hand the candidate fractional value p is i of the coefficient n A computer-assisted process, consisting of what is accepted as an argument. The method of claim 23, wherein The process using the computer includes the secret values Q ₁ , Q _{2 ,.} In order to compute the f · m secret components Q _{i, j} the following steps are carried out for each pair (i, j): The integer t is checked so that if p _j is congruent with 3 mod 4 and equals 1 and if P _j is congruent with 1 mod 4 the integer t is determined so that the value for t is determined according to claim 23, If p _j is congruent with 3 mod 4 then the integer u is checked to be equal to 0 and if P _j is congruent with 1 mod 4 the value for u is determined according to claim 23, When s = (p-1 + 2 ^t ) / 2 ^{t + 1} , the value of the integer z is calculated such that z≡G _i ^s , All numbers zz are considered as follows: If u = 0, then i is a value in the range from 1 to the minimum value of k, t (min (k, t)), then the exponential power is equal to zz = z or 2 ^ii-1 , 2 ⁱⁱ , respectively. Zz equal to the product of the modulo p _j of z (root of unity), If u> 0, when za is a value determined for w according to claim 23, zz is equal to the product of the modulo p _j of za, which is 1 when 2 ^k and 2 ^k exponential powers are respectively, and For each of a number zz, ten thousand and one G _i ^v _i ≡Q When using the expression mod n value of the element Q _{i, j} is Q _{i, j} is determined so as to have the same value as the zz, or if G _{i and} Q _i ^{v A} process using a computer with a characteristic that if the expression ≡1 mod n is used for the value i, it is determined to have a value equal to the inverse of the modulo pj.

Images