MXPA99007515A - Cyclotomic polynomial construction of discrete logarithm cryptosystems over finite fields - Google Patents

Abstract

Cyclotomic polynomials are used to construct subgroups of multiplicative groups of finite fields that allow very efficient implementation of discrete logarithm based public key cryptosystems, including public key encryption schemes and digital signature schemes. A field is represented with an optimal normal basis, and a generator of a subgroup of the multiplicative group of the field is used to form a public key.

Description

CONSTRUCTION OF SYNTHETIC CYCLOTOMIC POLYINOMIES ENCRYPTION LOGARÍTMICOS DISCRETOS SOBRE CAMPOS FINITES BACKGROUND OF THE INVENTION The present invention relates to security, encryption and generation of data and the use of electronic signatures to verify the identity of the communicating party. Most public key encryption systems involve either a factoring problem or a discrete logarithm (LD) problem. The problem of factoring is that, given a non-prime number, it finds its complete factorization in prime numbers. The problem with LD is that, given a group G generated by g and an element h in G, there is an integer m such as gm = h, that is, it evaluates logg h. Several schemes proposed for public key encryption systems fall into the computational difficulty of finding an LD in a multiplication group of a finite field. Public key encryption systems encompass encryption schemes for public keys and digital electronic signature schemes. Let's assume that each user has a public key and a private key, which is not necessarily real for all schemes, and that part A wants to send a secure message to part B In the public key encryption scheme, the part A uses the public key of part B for encryption and then part B uses its own public and private keys to decrypt it. In a digital electronic signature scheme part A uses its own public and private keys to prepare a message and part B uses the public key of part A to receive the message That is, to prepare the message, in a public key encryption scheme, the sending party uses the information of the part that is received, while in a digital electronic signature scheme , the sending party uses its own information in code To receive the message, in a scheme of encryption of public keys, the receiving party uses its own information e key, while in a digital electronic signature scheme, the receiving party uses the key information of the sending party. The normal digital electronic signature schemes have three steps starting from the generating system of the digital electronic signature by a sending party. and verification of digital electronic signature by a receiving party System startup is assumed to occur either before digitally signing or encrypting a message Generally during the start of the public key encryption system based on LD a prime number is selected and Use to obtain a generator for a group, then select a random number and use it as an exponent for the generator in order to produce a resulting value in the finite field. The determination of the random number when only the generator and the value are known. resulting is a problem of LD The consequences of starting the system are a public key and a private key A public key is assumed to be public knowledge and comprises the prime number the generator, the resulting value and possibly other parameters A private key is assumed to be known only by the sending party and comprises the random number During the generation of the digital electronic signature of a public key encryption system based on LD, a second random number is chosen and used as an exponent for the generator in order to produce a second value resulting in the finite field The determination of the second random number when only the generator is known and the second resulting value is a problem of LD Then a third value is obtained based on the private key, in the message that is electronically digitally signed and the second resulting value The consequence of the generation of electronic signature digital is a digital electronic signature that includes the third value and at least one other parameter During the verification of the digital electronic signature of a public key encryption system based on LD, the public key and the third portion of the value of the digital electronic signature are combined exponentially to produce a fourth result. If the fourth result is equal to at least one other parameter of the digital electronic signature, then the digital electronic signature is considered valid. portions of exponentiation of the system start-up, the generation of the digital electronic signature and the verification of the digital electronic signature are computationally expensive and delayed Techniques are sought that will reduce the computational load to an authorized user, particularly during the generation of the digital electronic signature , while maintaining the computational difficulty for an unauthorized user COMPENDIUM OF THE INVENTION In accordance with an aspect of this invention, a method and apparatus for determining public and private keys for a public key encryption system comprises selecting a first prime number getting a ciclotomico polynomial evaluated in the first number obtaining a second prime number that is a factor of the cyclotomic polynomial evaluated in the first prime number, finding a generator of a subgroup of a multiplication group of a finite field the order of the subgroup being the second prime number obtaining a public value based on the generator and a selected whole number forming the public key to include the first and second prime numbers, the generator and the public value and forming the private key to include the selected whole number According to an additional aspect of In this invention, the finite field can be represented with an optimal normal base. According to a different aspect of this invention, second prime number q satisfies (log2 q) + 1 »B, where B is a predetermined number of bits. In accordance with another aspect of this invention, a control integer t 'is selected and the cyclotomic polynomial is the cyclotomic polynomial i'th and the public key includes the control integer t'. According to yet another aspect of this invention, a method for generating a digital electronic signature for a message additionally selects a second integer, obtains a first electronic signature value based on the second integer and the generator, obtains a second value of electronic signature based on the first electronic signature value and the message and form a digital electronic signature to include the first and second electronic signature values. A method for verifying a digital electronic signature thus formed for a message finds a reverse integer that is the inverse of the second value of the electronic signature, finds a first intermediary value based on the reverse integer number and the message, finds a second value of intermediary based on the inverse integer and the first value of the electronic signature, finds a third intermediate value based on the generator, the public value and the first and second intermediate values and determines that the electronic signature is valid when the third intermediate value is equal to the first value of the electronic signature.

A method to determine a shared key for a key encryption system selects a first prime number, obtains a cyclotomic polynomial evaluated in the first prime number, obtains a second prime number that is a factor of the cyclotomic polynomial evaluated in the first prime number, find a generator of a subgroup of a multiplication group of a finite field the order of the subgroup being the second prime number, select an integer number, receive an intermediate value that is based on the generator and form the shared key as a function of the value intermediary and the integer A method to ensure the communication of a message selects a first prime number obtains a cyclotomic polynomial evaluated in the first prime number, obtains a second prime number that is a factor of the cyclotomic polynomial evaluated in the first prime number, finds a generator of a subgroup of a multiplication group of a finite field, and The order of the subgroup being the second prime number selects a whole number receives an intermediate value that is based on the generator forms the shared key as a function of the intermediate value and the integer number and uses the shared key to implement the message A method to ensure the communication of a message receives an enclosed message that has been implemented using a shared key formed as a function of an intermediate value and a selected integer, the intermediate value being based on a generator of a subgroup of a multiplication group of a finite field , the order of the subgroup being a second prime number that is a factor of a cyclotomic polynomial evaluated in a first prime number and disables the enciphered message using the shared key A method to ensure the communication of a message selects a first prime number, obtains a cyclotomic polynomial evaluated in the first prime number, gets a second a prime number that is a factor of the cyclotomic polynomial evaluated in the first prime number, finds a generator of a subgroup of a multiplication group of a finite field, the order of the subgroup being the second prime number obtains a public value based on the generator , a first integer, selects a second integer, finds a first value, based on the generator of the second integer, finds a second value based on the message, the public value and the second integer and forms a second message implemented for the first and second implemented values A method for ensuring the communication of a message receives an enclosed message formed from a first value entered and a second value enclosed the first value entered being based on a first integer number and a generator of a subgroup of a group of multiplication of a finite field the order of the subgroup being a second prime number that is a factor of a cyclotomic polynomial evaluated in a first prime number, the second value entered based on the message, the first integer and a public value based on the generator and a second integer, find a first intermediate value based on the first value encpptado and a private key, the private key being based on the generator and decrypting the enciphered message based on the second value encpptado and the first intermediary value It is not intended that the invention be summarized here in its entirety If not, the characteristics additional aspects and advantages of the invention are displayed in, or are apparent from the following description and drawings BRIEF DESCRIPTION OF THE DRAWINGS Figure 1A is a flow chart illustrating the start-up of the system according to the EIGamal scheme, Figure 1B is a flow chart that illustrates the generation of an electronic signature according to the EIGamal scheme, Figure 1C, is a flow graph What illustrates the electronic signature verification in accordance with the EIGamal scheme? Figure 2A is a flow chart illustrating the start-up of the system according to the DS schemes? Figure 2B is a flow graph q_, and illustrates the generation of electronic signature according to Schnorr scheme, Figure 2C is a flow chart illustrating the verification of electronic smoke according to the Schnorr esa.ema Figure 2D, is a flow chart illustrating the generation of electronic signature according to the DSA scheme, Figure 2E, is a flow chart illustrating the electronic signature verification according to the DSA scheme, Figure 3A, is a flow chart illustrating the start of the system according to the ECDSA scheme, Figure 3B is a flow chart illustrating the generation of electronic signature according to the ECDSA scheme Figure 3C is a flow chart illustrating the verification of the electronic signature according to the ECDSA scheme Figure 4A is a flow chart illustrating the start-up of the system according to the present invention, Figure 4B is a flow chart illustrating the generation of signature on the Figure 4C, is a flow chart illustrating electronic signature verification according to the present invention, Figure 4D, is a table of coefficients of cyclotomic polynomials Figure 4E, is a graph flow diagram illustrating a DES system boot according to the present invention, FIG. 4F is a flow chart illustrating the startup system of the DES system according to the present invention. FIG. 4G is a flow chart illustrating the triggering of the DES system startup according to the present invention. FIG. 4H is a flow chart illustrating the encryption for starting the EIGamal system according to the present invention. FIG. 4J is a graph of flow illustrating the triggering for the start-up of the EIGamal system according to the present invention, Figure 5A, is a table of results for comparing the The generation of electronic signature of the schemes for public key encryption systems, Figure 5B, is a table of results to compare the performance of electronic signature verification of the schemes for public key encryption systems, the Figure 6 is a graph that shows the message of encpptado and desencpptado to obtain the performance results of Figures 5A and 5B Figures 7A-11D, are graphs that show the public key, the private key the electronic signature and the parameter of generation of electronic signature k for each of the public key allocation systems in the examples used to obtain the performance results of Figures 5A and 5B and Figure 12 is a block diagram of an environment in which implementing the present invention DETAILED DESCRIPTION OF THE PREFERRED MODALITIES The cyclotomic polynomials are used to construct subgroups of multiplication groups. Ion of finite fields that allow very efficient implementation of the discrete logarithm based on public key encryption systems, including public key encryption systems and digital electronic signature schemes A field is represented with an optimal normal base and a generator a subgroup of the field multiplication group is used to form a public key Depending on the type of application and implementation, encryption of public keys according to the cyclotomatic scheme can be up to three times faster than schemes using more conventional choices of subgroups or finite fields The proposed digital electronic signature schemes include the EIGamal scheme, as exhibited in "A pubhc key cryptosystem and a signature scheme based on discrete logapthms", IEEE Trans, Info Tech, 31, 469-472, 1985, the Schnorr scheme, as exhibited in CP Schnorr, "Efficient signature generation by smart cards J Cryptology 4, 161-174, 1991, the digital electronic signature algorithm (DSA) scheme as exhibited in US Patent No. 5,231., 668 (Kravitz), 'digital signature algopthm July 27, 1993, and the elliptical curved digital electronic signature algorithm scheme (ECDSA for its acronym in English) as exhibited in Agnew and others, "An implementation for a fast pubhc key crysptosystem 'J Cryptology 3, 63-79, 1991 DSA is incorporated into the Digital Signature Standards of the United States Government These proposed schemes are treated and compared with the present cyclotomic scheme as used in a digital electronic signature scheme Terminology m a message that will be signed, consisting of binary sequence p a prime number q a prime factor of p-1 L the length in bits of p, practically, L determines the security level of LD B the length in bits of q, practically, B determines the level of safety of the subgroup of LD F (p) the field of elements p, represented by the group { 0,1, p-1.}. of less residuals in the module p F (p) * multiplication group of F (p) = (F (p) -0 H (*) a function "hash" Coalition-resistant cryptography that maps binary sequences to non-negative integers of an almost predetermined number of bits EIGamal System Boot Figure 1A shows the steps carried out for each user used during the startup of the electronic signature system according to the scheme EIGamal process This process was carried out by a processor of a digital computer for general uses. Alternatively this process can be carried out by means of a printed circuit board for special uses used together with a computer for general use, or by a "card "intelligent" that is, a portable device the size of a credit card that includes a microprocessor In step 102, a prime number q, which has L-1 bits is selected In step 104, a value of p = 2q is calculated + 1 In step 106, a test is performed to determine if p is a prime number Since q has L-1 bits, p has L bits If p is not n mere prime, the process returns to step 102 and selects another prime number If p is prime, the process proceeds to step 108 and randomly selects an element g of the multiplication step F (p) * of the field of F (p) of elements p In step 110 a test is performed to determine if g2? 1 and gq = 1 in F (p) If any of these tests fail the process returns to step 108 and selects another element of F (p) * as the element g g2 = 1 and gq = 1 in F (p), then the element g is a generator of the multiplication group F (p) * of the field F (p) Instead of the procedure described in steps 102-110, they can be used other procedures to locate an F (p) field and a generator g After locating a generator g the process proceeds to step 112 and randomly selects a value on the scale 2 <; _ a < _ p-2 In step 114, the process finds that y = ga in F (p). The result of the system startup is a public key (p, g, y) and a private key (a). The public key has the length of 3L bits. The private key has the length of L bits. Finding the private key (a) of the public key (p, g, y) is a discrete logarithmic (LD) problem in the F (p) field and it is considered difficult if p is large enough. Currently, the appropriate difficulty occurs when the length of p is L bits, L = 1024 and when a prime factor of p-1 has at least 160 bits. As the power of the computer is more accessible, these parameters will increase, to maintain the computation for an unauthorized user. EIGamal Electronic Signature Generation Figure 1B shows the steps carried out by a party that generates an electronic signature for a particular document in accordance with the EIGamal scheme. The document is considered to be a sequence of bits m. In practice, the generation is a processor of a digital computer for general purposes. In some embodiments, the processor may be a digital computer for special use, such as a smart card. In step 122. an integer k is randomly selected on the scale of 2 < k < p-2 with the greatest common divisor (DCM) of k and p-1 being 1. that is, k is selected so that it is co-prime with p-1.

In step 124, k1 module p-1 is found, that is, the value satisfying (k) (k1) = 1 module p-1 In step 126, the value r = gk in F (p) is obtained, with r on the scale of < _ r < _ p-1 In step 128, the value s = k 1 (H (m) -ar) module p-1 is calculated, s being on the scale of < s < p-2 H (*) is a cryptographic hash function agreed by all system users For example a suitable normal cryptographic hash function is the SHA-1 Secure hash algorithm as defined in FIPS 180-1, April 17, 1995 available from National Technical Information Service, Sppngfield Virginia The result of the generation of electronic signature is a digital electronic signature (rs) The electronic signature has a length of 2L bits Only the processor of the private key (a) can properly sign the messages The discretion of the private key (a) is again protected by a problem of LD if k could be calculated from r by calculating the discrete logarithm logg r in F (p), then k 1 could be calculated which it might be possible to derive the private key (a) from smyk 'Consequently, it is important that a particular value be kept private and not used again. Digital Signature Verification EIGamal Figure 1C shows the steps carried out by a party that recites a document that has been signed or electronically in accordance with the EIGamal scheme to determine if the signature is valid The receiving party is assumed to have a message (m) and a corresponding digital electronic signature (r, s) that was obtained as in Figure 1B and a public key (p, g, y) that was obtained as in Figure 1A and that was used to obtain the signature (r, s) In practice, the The receiving part is a processor of a general-purpose digital computer. In some embodiments, the processor may be a digital computer for a special purpose, such as a smart card. In step 134, the process determines whether the value of r is on the scale 1 < _ r < If not, in step 142 it is determined that the electronic signature is invalid. If r is on the appropriate scale, then in step 126, the value v, = yrr9 is calculated. Then in step 138, the value v2 = gH, p in F (p) In step 140, a test is performed to determine if v, = v2 If not in step 142, it is determined that the electronic signature is invalid If so in step 144, it is determined that the electronic signature is valid Schnorr System Start / DSA Figure 2A, shows the steps that must be performed by each user during the start of an electronic signature system according to the Schnorr scheme The Schnorr scheme addresses the use of a small subgroup of the multiplication group of a prime field of great characteristics, in order to make the electronic signature shorter and the exponentiation faster, since short exponents are used. If the order of the subgroup is prime and sufficiently large, then the use of subgroup n or affects the safety of the scheme The system start for the DSA scheme is identical to the system start for the Schnorr scheme, except that the DSA scheme specifies the values for the length of certain parameters (B and L), as explained further on In step 202, a prime number q of length B bits is chosen In the DSA scheme, B is specified to be 160 In step 204, an integer k is randomly chosen Preferably, k has a length of 250- 864 bits to provide sufficient security against an unauthorized user, but this will increase as the processing power increases. In step 206, a value p = kq + 1 of length L bits is calculated In the scheme DSA L is specified by be 512 + T64 for 0 < _ i _ 8, i being an integer In step 208, a test is performed to determine if p is a prime number If p is not a prime number, the process returns to step 204 and selects another whole number k 1 If p is a Prime number, the process proceeds to step 210 and randomly selects the element h of F (p) * In step 212, a value g = h (1) / q is obtained in F (p) In step 214, a test is performed for determine if g? 1 in F (p) If the test fails, ie g = 1, the process returns to step 210 and selects another element of F (p) * as the value h If g ^ 1 in F (p) ) then the generator g has been located for a small subgroup g of the multiplication group of a prime field F (p) with large characteristics The generator g is in the order q, given that g? 1 in F (p), gq = 1 Instead of the procedure described in steps 202-214, other methods can be used to locate a generator g After locating a generator g, the process proceeds to step 216 and randomly selects a value on the scale of 2 <.; a < q-1 It will be appreciated that this scale is smaller than the corresponding scale in step 112 of Figure 1A for the EIGamal scheme In step 218 the process finds that y = ga in F (p) Finding the value of a, given yyg is a discrete logarithm (LD) problem as discussed before The result of the system startup is a public key (pgyq) and a private key (a) The public key has a length of 3 L + B bits The private key has a length B bits To find the private key (a) of the public key (p, g, y, g), it is necessary to solve an LD problem in the F (p) field or an LD problem in the G subgroup of F (p) * generated by g The problem of LD in the field F (p), which has cardinality p, where p is a prime number that has a length of L bits and that is a prime factor of p-1 which has a length of at least B bits, is thought to be currently accessible The problem of LD in the subgroup G of F (p) *, the subgroup G being in the order of q, having a length of at least 8 bits, it is currently thought that it is not feasible. Generation of Schnorr Electronic Signature Figure 2B shows the steps performed by a party that generates an electronic signature for a particular document according to the Schnorr scheme In practice, the generating part is a processor of a general-purpose digital computer. In some embodiments, the processor may be a digital computer for special use, such as a smart card. In step 224, an integer k is randomly selected at the scale 2 < _ k < , q-1 The corresponding step for the EIGamal scheme, step 122 of Figure 1B, uses an upper limit of p-2 for the scale k Since p > > q, a public key encryption system according to Schnorr will have smaller elements than a public key encryption system according to EIGamal. For example, when it has a length of 160 bits, p has a length of approximately 1024 bits. step 226, the value r = gk in F (p) is obtained, with r on the scale of 1 < r < p-1 Since p > > q, the calculation in step 226 is faster than the corresponding calculation 126 of Figure 1B, ie a public key encryption system according to EIGamal In step 228, the value e = H (m) ie, the hash function is applied to the concatenation of the message m and the electronic signature element r is obtained The cryptographic hash function H (*) is assumed to give length values in most of the B bits In step 230 the value s = (ae + k) of the module q is calculated with s on the scale of 0 < s. q-1 The result of the generation of electronic signatures is a digital electronic signature (s, e) The electronic signature has a length of 2B bits Verification of the Schnorr Electronic Signature Figure 2C shows the steps taken by a party that receives a document that has been electronically signed according to the Schnorr scheme to determine if the signature is valid The receiving party is assumed to have a message (m) and a corresponding digital electronic signature (se) that was obtained as in Figure 2B and a public key (pgyq) that was obtained as in Figure 2A and which was used to obtain the signature (se) In practice the receiving party is a processor of a digital computer for general use. In some embodiments, the processor may be in a digital computer for special use, such as a smart card. In step 236, the value v = gsy'e in F (p) was calculated. Then, in step 238, the value e '= H (m || v) was calculated. In step 240, a test was performed to determine if e = e ', if not, in step 242, the electronic signature is determined invalid. If so, in step 244, the electronic signature is determined valid. Generation of the Electronic Signature of DSA Figure 2D shows the steps performed by a party that generates an electronic signature for a particular document according to the DSA scheme. In practice, the generation part is a processor of a digital computer for general use. In some embodiments, the processor may be in a digital computer for a special use, such as a smart card. In step 324, an integer k is randomly selected on the scale of 2 <; k 5. q-1. In step 326, we find k "1 of the module q, that is, the value that complies with (k) (k'1) = 1 of the module q.In step 328. we obtain the value u = gk in the subgroup G, generated by g, of F (p) *, where u is on the scale 1 < _ u = .p-1 In step 330. the value is calculated r = u of the module q. The value s = k "1 (H (m) + ar) of the module q is calculated. s being on the scale of 0 < _ s 5. q-1.

In step 333, a test is performed to determine if s = 0 If so, then the processing returns to step 324 to select a new value of the integer k If s? 0, then continue the procedure to step 324 and finish The result of the generation of the electronic signature is a digital electronic signature (r, s) The signature has a length of 2B bits DSA Signature Verification Figure 2E shows the steps carried out by a party receiving a document that has been electronically signed according to the DSA scheme to determine whether the signature is valid The receiving party is assumed to have a message (m) and a corresponding digital electronic signature (r, s) that is obtained as in Figure 2D and a public key (pg, y, q) that is obtained as in Figure 2A and that is used to generate the signature (r, s) In practice, the receiving party is a processor of a general-purpose digital computer In some embodiments, the processor may be in a special-purpose digital computer such as a smart card In step 238 the process determines whether the value of r is an integer on the scale of < _ r 5. q-1 If not in step 352, the electronic signature is determined invalid If r is on the appropriate scale then in step 340 the process determines that the value of s is an integer number in the scale of 1 < s < q-1 If not, in step 352, the signature is determined invalid If s is on the appropriate scale, then in step 342, an integer w is the inverse of s, that is, ws = 1 of the module q, is obtained In step 344, the value of u1 = wH (tn) of the module q is calculated, and the value of u2 = wr of the module q is also calculated. In step 346, the value c = gulyu2 is obtained in the subgroup G, generated by g, of F (p) *, s being on the scale of 1 < c =. p-1 In step 348, the value v = c of the module q is calculated In step 350, a test is performed to determine if v = r, otherwise, in step 352, the signature is determined invalid If so , in step 354, the signature is determined valid ECDSA System Startup Figure 3A shows the steps that are performed during the startup of an electronic signature system according to the ECDSA scheme Steps 402-416 are carried out globally, that is, for all users, and therefore needs to be performed only once. Steps 420-424 are carried out for each user. The ECDSA system is aimed at the use of a large extension of the two-element field. a normal base of the extension field (see RC Mullin and others "Optimal normal bases in GF (p) Discrete Appl Math, 22 149-11 1988/89) multiplication is very fast and quadrature is performed by the circular change so that exponentiation is carried out efficiently, however, hardware implementation is required In addition, fields of two characteristics are thought to be more vulnerable to attacks than other fields of comparative sizes In step 402, an integer t > 160 is selected with t e F (2l), that is, t is on the 160 < _ t < _ 240 The ECDSA scheme uses a broad finite field of the system F (2l) of elements 21, where it is assumed that t = B In step 404 the coefficients a, ß, and F (2l) are selected for the curve E = Y2 + XY = X3 + aX2 + ß The ECDSA scheme involves the use of an optimal normal base to represent the elements of F (2 ') over a subfield of F (2l) The use of the curve E means the use of its optimal normal basis. In step 406, μ is calculated. The value of μ is a number plus the number of different pairs (xy) satisfying E, where x and F (2 () That is, the group of E has the order of μ Another way of saying this is that μ is the cardmahdad of the curved group In step 408 the factors of μ are obtained In step 410 a test was performed to determine if there is a prime factor of u that has minus 140 bits If not, then the processing returns to step 404 and selects a new elliptic curve E If there is a prime factor of u that has at least 140 bits, then in step 412 q is set equal to this prime factor It will be appreciated that q is a prime divisor of the order of the group of the elliptic curve E Preferably, q has a length of at least 140 bits In step 414, a point h on the curve E, that is, h (x0, y0), is selected so that (μ / q). h? I, where I is the identity element on the curve E The symbol s indicates the multiplication scale on the curve E The group of E has the order of μ and q divides μ In step 416 the point g on the curve E is chosen as g = (μ / q) h on the curve E The point g on the curve E is in the order of q The point g on the curve E generates the group G, which is a subgroup of the group of the curve The result of steps 402-416 is a global public key (a, ß, t, qg) The length of the global public key is not as important, given that everyone knows them and does not vary by the individual encpptado or desencpptado part For each user , in step 420, a value a on the scale of 2 to q-1 is randomly selected. In step 422 the point P on the curve E, ie, P (x- ?, y.) is selected so that P = azg on curve E The result of steps 420-422 is a specific public key (P) of length B + 1 bits and a private key (a) of length in most B bits Although the keys are small in the ECDSA scheme this scheme is computationally expensive To find the private key (a) of the user's specific public key (P) it is necessary to solve an LD problem in the group associated with the E curve or an LD problem in subgroup G of the group associated with curve E. The problem of LD in a curve group on a cardinality field 2l, where t >; _160, currently it is thought that it is not feasible for the supports of encryption systems of the elliptical curve. The problem of LD in subgroup G in the order of q in the group of the curve, where q has at least 140 bits, is currently thought to be not feasible by the supporters of electric curve encryption systems. Generation of the Electronic Signature of ECDSA Figure 3B shows the steps performed by a party that generates an electronic signature for a particular document according to the ECDSA scheme. In practice, the generation part is a processor of a digital computer for general use. In some embodiments, the processor may be in a digital computer for special use, such as a smart card. In step 428. an integer k is randomly selected in the scale 2 < _ k q-2. In step 420, we find k'1 of the module q, that is, the value which satisfies (k) (k "1) = 1 of the module q.In step 432. the point u on the curve E. say, u (x2, y2) is found so that u = k.g on curve E.

In step 434, an integer r =? (X2) of the module q is obtained, r being on the scale 0 < _ r < _ q-1 The function of - / (*) is a fixed and efficiently computed bijection between the finite field F (2l) and the set. { 0, 1,, 2l-1} of integers This bijection is known to all users of the system In step 435, a test was performed to determine if r = 0 If so, then the process returns to step 428 to select a new value of the whole number k If r ^ 0, then the procedure proceeds to step 436 In step 436, the value s = k 1 (H (m) + ar) of the module qs being calculated on the scale of 0 < _ s =. q-1 In step 437 a test was performed to determine if s = 0 If so, then the process returns to step 428 to select a value for the integer k If s = * 0, then the procedure continues to step 438 The result of the generation of electronic signature is a digital electronic signature (r, s) The electronic signature has a length of almost 2B bits Verification of the ECDSA Signature Figure 3C shows the steps taken by a party receiving an electronic signature. document that has been electronically signed according to the ECDSA scheme to determine if the signature is valid The receiving party is assumed to have a message (m) and a corresponding digital electronic signature (rs) that is obtained as in Figure 3B and a public key that learns (u ß tqg) and (P) that is obtained as in Figure 3A and that is used to obtain the signature (r, s) In practice, the receiving part of a processor of a digital computer of general use On to In some embodiments, the processor may be in a digital computer for a special use, such as a smart card. In step 442, the process determines that the value of r is an integer in the scale of 1 < r < q-1 If not, in step 456, the electronic signature is determined invalid If r is on the appropriate scale, then in step 444, the process determines that the value of s is an integer on the scale of 1 < _ s _ 1-1 If not, in step 456 the electronic signature is determined invalid If S is on the appropriate scale, then in step 446, an integer w that is the inverse of s, that is, ws = 1 of the module q is obtained In step 448, the value of u1 = wH (tn) of the module q is calculated, and the value of u2 = wr of the module q is also calculated in step 450, the point c on the curve E, that is, c (x3 y3) = (u1 g) & (u2 _ P) on the curve E is obtained The symbol = • indicates the addition of the curve E In step 452 the value v = / _ (x 3) of the module q is calculated, v being on the scale 0 < _ v q-1 In step 454 a test is performed to determine if v = r If not in step 456 the signature is determined invalid If so in step 458 the signature is determined to be valid Start of the Cyclotomic System The Figure 4A shows the steps to be enhanced by each user during the start-up of an electronic signature system according to the present cyclotomic scheme One purpose of the process described in Figure 4A is to find a generator g of a subgroup of the multiplication group F (pl ) * of the finite field F (pl) so that g satisfies both a desired Discrete Logarithm Safety Level, which determines the choice of L, a Logarithm Safety Level Describes the desired Subgroup, which determines the choice of B, and so that there is a normal optimal basis for F (pl) over F (p) The cyclotomic scheme uses subgroups, such as the Schnorr scheme, and also uses optimal normal bases, such as the ECDSA scheme The use of subgroups gives as a result of short signatures and short exponents The use of optimal normal bases results in efficient exponentiation Consequently, an implementation of a software of the cyclotomic scheme is substantially faster than a software implementation of the Schnorr scheme Let R be of a root size The value of R depends on the machine and is chosen in such a way that it is small enough for the calculation of module p to proceed quickly enough so that exponentiation can proceed quickly. Larger values of p result in smaller values of t and since the operations of (t ') 2 by multiplication in the field F (p') are required, small values of t 'are also desired. Also, large p values expand the choices of enciption systems that can be constructed. For currently available 32-bit architecture general-purpose computers, R = 32 is an appropriate value for most architectures. new 64-b? ts, R = 64 is a suitable value In other embodiments, other R values are suitable and are not necessarily equal to the word length (in bits) of a computer practicing the technique of the present invention In step 502, an integer of t and integers t, s is chosen so that O s is equal to R and s is not smaller than R, such as, 0 8R <; _ s < _ R Larger s lead to higher efficiency The s of integers are used to restrict the size of a prime number p (see below) For example 25 s 32 (??) t > 1, preferably so that t 'has a factor t > 1 for which t + 1 is a prime number and t '/ t is small, v gr t' / t < 5 The use of the integer control number t 'allows a wider variety of choices for the number of bits in the prime number p as it refers to the desired Discrete Logarithm Safety Level that is reflected in L. More particularly the value of the number prime p that depends on the value ae that depends on the machine as explained above The integer control number t 'is approximately equal to L divided by the number of bits in the prime number p As noted, t + 1 must be a prime number Ideally, t '= t However, a value of t' has a factor t > 1 for which t + 1 is a prime number and t / 1 is small That is, the use of t ', in addition to t, provides more flexibility (ni) t' * s is almost L, and (iv) F (t ) * is at least B but is not much less than B so that the prime factor q (see step 510) is easy enough to find, that is, F (t ') * s = B The function F (t) is Euler's phi function namely, the number of positive integers < which are co-ppmos with t In step 504 a prime number is selected and selected in such a way that (log2 p) + 1 = s, and t '* ((log2 p) + 1) > _ L In step 506. a test is performed to determine if p is a primitive root modulus t + 1 of F (t + 1) * that is, where the module p t + 1 generates F (t + 1) * Specifically this test can be carried out by calculating the module p 't + 1 for each number enter i 1 £ i £ t and checking that the different numbers are obtained If not then the process returns to step 504 to select another prime number p If p is a modulus of primitive root t + 1 then in step 508 the polynomial ciclotomico t -th evaluated in p F. (p), we obtain The irreducible factopzacion of X -1 in Z [X] is given by Xl-1 = lld | tFd (X) where Fd (X) is the cyclotomic polynomial of d-th, as explained in H Riesel, Prime Numbers and Computer Methods for Factopzation, Birkhauser 1875 Factor F. (X) is the only irreducible factor of X '- 1 that does not appear in the factopzation of Xs-1 for divisors s of t, with s < t One way to obtain Fd (X) is by using the factopzation identity shown above. Another way to obtain Fd (X) is by closing the coefficients C1 0 £ i t-1 m of Fd (X) = ct. X1 1 + ct 2Xt 2 + + c-iX + c0 in a table of coefficients of cyclotomic polynomials, such as in the table of Figure 4D Using the table in Figure 4D it will be noted that for example, F, 8 (X) = X6 -X3 + 1 and that F5 (X) = X18 - X9 + 1 In step 510 a large prime factor q of F, (p) is obtained Because the subgroup is used in the cyclotomical scheme and is constructed as described later has the order q and q is a divisor of F. (p) the corresponding LD calculation is difficult for an unauthorized person In step 512 a test was performed to determine if (log2 q) + 1 > B This condition ensures that it is possible to construct a large enough subgroup of the multiplication group F (p) "of F (p) that can not be embedded in a real subfield of F (p) In other words, to solve the LD problem , that is, to find a value a, given y and g, it is necessary to solve a problem of LD in the whole field F (p ') or in the subgroup generated by g, but, the problem of LD can not be reduced to a problem of LD in a real subfield of F (p '), so that the computational difficulty is not reduced for an unauthorized part Also, combining the condition of step 502 that (t') * s = -B with the condition of step 512 that (log2 q) + 1> B, results in a situation in which (log2 q) + 1 ~ B It is an important aspect of the present invention that q is a divisor of Ft (p) and that (log2) q) + 1 = .B If (log2 q) + 1 <B, the process returns to step 504 to select another prime number p If (log2 p) + 1> B, then in step 514, an optimal normal base is obtained at i =. { 1, 2 t} , on F (pl / t), each a 'being a zero of ft (X) = (X1'1 - 1) / (X-1) = X * + X' 1 + + X + 1 Case 1 If there is and t '= t then F (pl t) is represented by the integers of the p module, and p-th being actid in F (pl) does not require any operation in F (pl) in its p-th action is simply a permutation of the base elements a1 and therefore is computationally not expensive Therefore, the multiplication and squared in F (pl) can be carried out very easily Case 2 If there exists t '? t then the elements of F (pl ") are represented using a convenient base on F (p) In this case, the action of p-th requires only a very small number of operations on F (p ') and multiplication and Squared eleon in F (p ') can be carried out efficiently If t' / t is small, then the difference in the arithmetic in F (pl) in implementations of system of encpptación is not legible as between case 1 and case 2 Case 3 If t does not exist, then F (pl) is represented in any convenient way, preferably using a minimum polynomial to perform squared multiplication in fast F (pl) In step 516 an element b of F (p ') is randomly selected In step 518 a value is obtained The calculation of g is very efficient because an optimal normal base is used to represent F (p ') (and ±) g = b in F (P " In step 520, a test is performed to determine if g? 1 in F (p ') If not, that is, g = 1, then the process returns to step 516 to select another element of b If g = 1 then g is the generator of the subgroup G of the multiplication group F (p) "of the finite field F (p) The subgroup G is in the order of q In step 522 it is selected randomly a value on the scale from 2 to q-2 In step 524, a value of y = ga is calculated in F (p ') Finding a value A, giving yyg, is a problem of LD The result of starting the system is a public key (p, g, y, q, t ') and a private key (a) The parameters g and y are represented using optimal normal bases The public key has length of 2L + B + 64 bits The private key has length of B bits Security is guaranteed as in the Schnorr scheme, and by the fact that the subgroup G has the order q, where q is a prime factor that has a length of at least B bits of the cyclotomic polynomial t'-th evaluated in p that G can not effectively embed itself in an appropriate subfield of F (pl) As explained earlier, in the cyclotomic scheme, the activation of p-th is computationally "acyl", since it only involves rearranging the elements of the normal base This is an important computational advantage of the cyclotomic scheme The computation in the cyclotomic scheme involves short rows of length (log2 b) of bits, which is suitable for the implementation of a software while the ECDSA scheme involves long rows of length e 1 bit that is more suitable for the implementation of a hardware That is, the field of connection to earth cyclotomico F (p) has ele rentos (I og 2 p) bits of length, while the field of connection to earth of ECDSA F (2) has elements of 1 bit length Generation of Cyclotomic Signature Figure 4B shows the steps carried out by the partial generation of an electronic signature for a particular document according to the cyclotomic scheme In practice, the generation part is a processor of a general purpose digital computer In some embodiments the processor may be in a special-purpose digital computer, such as a smart card In step 530, an integer k is randomly selected in the scale 2 £ k £ q -2 In step 532 that of the module q of k 1 is found, that is, the value that satisfies ei of the module q of (k) (k 1) In step 534 there is a value of u = gk in F ( p ') In step 536 you get a nume The whole modulo of r =? (u) r being on the scale of 0 £ r £ q-1 The function? (*) is a fixed and efficiently computable biyection between the finite field F (pl) and the set. { 0.1, p '-1} of integers This bijection is known to all users of the system This is a different bijection than that used in step 434 of Figure 3B for the ECDSA scheme In step 537 a test was performed to determine if r = 0, if so the process then proceeds to step 530 to select a new value for the number entered k If r? 0, then the procedure follows step 538. In step 538, the value of the module q is calculated from 1 (H (m) + ar), s being on the scale of 0 £ s £ q-1 In step 539 , a test is performed to determine if s = 0 If so, then the process returns to step 530 to select a new value of the integer k If s = 0 then the process proceeds to step 540 and ends The result of the generation of electronic signature is a digital electronic signature (r, s) The signature has a length of 2B bits Cyclotomic Signature Verification Figure 4C shows the steps carried out by a party that receives a document that has been electronically signed according to the cyclotomic scheme to determine if the signature is valid receiver is assumed to have a message (m) and a corresponding digital electronic signature (r, s) that is obtained as in Figure 4B, and a public key (p, gyq, t ') that is obtained as in Figure 4A and that was used to generate the signature (r, s) In practice, the receiving party is a processor of a digital computer for general use In some embodiments, the processor may be in a digital computer for special use, such as or a smart card In step 544, the process determines whether the value of r is an integer in the scale of 1 £ r £ q-1 If not, in step 558, the signature is determined invalid If r is in the appropriate scale, then in step 546, the process determines whether the value s is an integer in the scale of 1 5. s £ q-1 If not, in step 558, the signature is determined invalid If S is in the appropriate scale, then in step 548, an integer w that is the inverse of s, that is, of the module q ws = 1 is obtained In step 550, the value of u1 = wH (m) of the module q is calculated and the value of u2 = wr of the module q is calculated In step 552, the value v '= gu'yu2 is calculated in F (pl) In step 554, we find the value of the module q of v =? (v ') In step 556, a test is performed to determine if v = r If not in step 558, the signature is invalidated If so, in step 560 the signature is determined valid Cyclotomic Alternatives The applicability of the cyclot scheme mico is not limited to an electronic signature system as described above. The cyclotomic scheme can be used in any computing system that is based for its security on the difficulty of the LD problem, for example a Diffie-Hellman key exchange scheme. an outline of public key codes of EIGamal or digital signature generation and verification schemes as in the EIGamal Schnorr and DSA schools. The proposed planning schemes include the Data Encryption Standard (DES), as described in exhibited in FIPS 46-2, 1993, available from the National Technical Information Service, Sppngfield, Virginia, and the EIGamal scheme, as exhibited in T EIGamal, "A pubhc key cpptosystems and a signature scheme based on discrete logapthms", IEEE, Trans Info Tech, 31, 469-472, 1985 The application of the cyclotomic scheme to these proposed systems is discussed below. Users who practice the techniques described below know You have a general-purpose digital computer programmed to perform these techniques. Alternatively, these techniques can be carried out by a printed circuit board for special use used in conjunction with a general-purpose computer, or by a smart card. say, a portable device of credit card size including a microprocessor FIG. 4E is a flow chart illustrating a startup of the DES system according to the present invention. In particular, FIG. 4F shows a Diffie key exchange scheme. -Hellman modified by the application of a cyclotomic scheme In step 600 the users are assumed to have a globally shared public key (pgqt) according to steps 500-520 of Figure 4A In contrast in the EIGamal Schnorr DSA scheme and of cyclotomic digital electronic signature discussed earlier, each user is associated with a public key and a private key, that is, that there is no public key shared globally. When the parties? and 0 want to communicate, then they must initially exchange information to establish a shared key. As illustrated in Figure 4E, in step 602, the part? randomly select a value a? on the scale 2 £ to £ q-2, and in step 604, you find Y. = g in F (P) In step 606, the part? send ys to the party? In step 608, the part? receives and "of the part? In step 610, the part? calculates o =? (y. ,,,) in F (p) The function / (*) is the fixed and efficiently computable bijection between the finite field F (p ') and the set. { 0 1 ..., p '-1} of integers that was used in step 536 of Figure 4B. While it is not absolutely necessary to apply the function? (*), It is preferred, so that it converts an element represented in an optimal normal basis from a finite field to an ordinary whole number. Similarly, in step 603, the part? randomly select a value a "on the scale of 2 £ a" £ q-2 and at step 605 find y «, = gaa on F (p ') In step 607, the part? send and "to the party? In step 600, the part? receives and part? In step 611, the part? calculates I? (and. "°) in F (pl) In part 612, the parties? Y ? have established a shared key (y0) The calculations have taken place in the subgroup generated by g It will be appreciated that an unauthorized party needs to solve a problem of LD to de-communicate a communication between the parties? or ? Figure 4F is a flow chart illustrating encryption for the bootstrap DES system according to the present invention Essentially, in step 622, one of the parts? Y ? uses its shared key (y0) to implement a message Figure 4G is a flow chart illustrating the triggering of the DES system boot according to the present invention Essentially in step 632, the other parts \ Y ? use their shared key (y0) to decrypt the message that was enforced in step 622 For an EIGamal public key encipption scheme, which is different from the EIGamal digital electronic signature scheme discussed above, suppose that they have carried out steps 500- 526 shown in Figure 4A to obtain a public key (p, gyqt) and a private key (a) for each user It will be appreciated that an unauthorized user would need to determine the private key (a) to decrypt an encrypted message, which requires solving an LD problem. Figure 4H is a flow chart illustrating the encryption of the ElGamal system boot according to a cyclotomic scheme. In step 702, a part decrypting a message randomly selects an integer k on the scale 2 £ k £ q-2. In step 704, a value of? = gk in F (p ') is obtained. In step 706, a value of? =? ~ 1 (m) * in F (p '). The function? "1 (*) is the inverse of the function? (*) That I used in step 536 of Figure 4B.The consequence, in step 708, is an encrypted message (and.?). Figure 4J is a flow chart illustrating the decryption of the ElGamal system boot according to the cyclotomic scheme In step 722. a party wishes to decrypt the encrypted message (and,?) finds a value =? q "a in F (p. *) and in step 724, find a value // = ?? in F (p '). In step 726, an unencrypted message m 'is obtained as m' =? (?) In. { 0. 1, ... p1} . All exponentiation takes place in the subgroup generated by g. Performance Comparison Figure 5A is a table of results to compare the performance of the generation of electronic signatures for public key encryption systems. The compared schemes were ElGamal. Schnorr. DSA and cyclotomic using software implementations. The ECDSA scheme was not evaluated since it requires it to be effective in the implementation of hardware. Since parameter B is not relevant to the ElGamal scheme, case "C" and "D" are identical to the ElGamal scheme.

As a practical matter, the DSA scheme allows only B = 160 and L = 512 + i * 64 for 0 £ i £ 8. which corresponds only to cases "A" and "C". In the examples, unique integers were used and were taken as the p-1 module for ElGamal and the q module for others. The 'hash' function was not used. Since the calculation time for the hash function is negligible, the omission of the function 'hash' does not distort performance results. In particular, Figure 5A shows operation times in seconds on a Pentium 166 MHz processor, using a Software implementation for each scheme. An improvement in performance due to the use of subgroups is observed when going from the ElGamal scheme to the Schnorr scheme. The performance of the DSA scheme is almost identical to the performance of the Schnorr scheme. An additional performance improvement due to the use of optimal normal bases is observed when going from the Schnorr scheme to the cyclotomic scheme. In particular, for the examples in Figure 5A, the cyclotomic scheme results in performance that is roughly three times faster than the performance of the Schnorr scheme. Figure 15B is a table of results for comparing the performance of electronic signature verification. The schemes for public key encryption systems for the examples reported in the table of Figure 5A As with the generation of electronic signatures, the cyclotomic scheme results in performance that is approximately three times faster than the performance of the scheme. Schnorr Figure 6 is a graph showing the signed message and the verified electronic signature to obtain the performance results of Figures 5A and 5B. Figures 7A-11D are graphs showing the public key, private key, electronic signature and parameter of signature generation k, for each public key encryption system in the examples used for to obtain the performance results of Figures 5A and 5B The time control results were generated by averaging the results for ten different representative messages In practice the electronic signature generation parameter is not exchanged between the parties here included so that the results can be reproduced conveniently For the cyclotomic scheme the values of gyy are given in the base of a '1 £ i £ t' on F (p) For the other systems, the values are in decimal representation Comparing the examples, it will be observed that The ElGamal scheme (Figures, 7A, 8A, 9A, 10A, 11A) uses the larger values, while the cyclotomic scheme (Figures, 7D, 8D, 9D, 10D, 11 D) uses the shorter values. of data increases going from case "A" to case "E" in Figures 5A and 5B, the length of the values in all the schemes is increased Figure 12 is a block diagram of an environment in which the Implement the cyclotomic scheme The general purpose computer 10 includes the cryptographic processor 11, the communication interface 12, the main processor 13, memory 14, communication bus 15 and communication line 16 Memory 14 can include RAM, ROM, disk magnetic, optical disk and any other memory means The communication line 16 can be a wire line, a wireless RF line an optical line or any other communication means The smart card 20 includes the processor 21, memory 22, interface of communications 23, communications bus 24 and communication line 25 The general purpose computer 10 and the smart card 20 are coupled to the communication channel 30 The central installation 40 is also coupled, via the communication line 41 to the communication channel 30 The central installation 40 includes hardware and appropriate processing software to practice the cyclotomic scheme or, as will be appreciated with reference to the general purpose computer 10 and smart card 20 The general purpose computer 10 runs the software stored in the memory 14 which includes calls that are routed by the main processor 13 to the cyclographic processor 11, which it includes enough memory to operate according to the cyclotomic scheme. The smart card 20 executes the software stored in the memory 22 according to the cyclotonic scheme. The central installation 40 functions to generate the global information and distribute it to all the parts using the cyclotomic scheme A example of global information is the public key described in step 600 of Figure 4E Although an illustrative embodiment of the present invention and various modifications thereof, have been described in detail herein with reference to the accompanying drawings, it will be understood that the invention is not limited to this precise modality and the modifications described and that several changes can be made without further modifications thereto or someone skilled in the art without departing from the scope of the invention as defined in the appended claims

Claims (1)

1. CLAIMS 1 A method for determining a public key for an encryption system of discrete logarithms, comprising the steps of selecting a first prime number (504), obtaining a cyclotomic polynomial evaluated in the first prime number (508), obtaining a second prime number which is a cyclotomic polynomial factor evaluated in the ppmer prime number (510), find a generator of the subgroup of a multiplication group of a finite field the order of the group being the second prime number (518), and form the public key for include the first and second prime numbers and the generated 526) 2 The method of claim 1, further comprising the step of representing the finite field with an optimal normal base 3 The method of claim 1, wherein the second prime number is satisfies (log2 p) + 1 - S where B is a predetermined number of bits 4 The method of claim 1, further comprising the step of selecting an integer number of control t ', and where the cyclotomic polynomial is the cyclotomic polynomial f'-th and the public key includes the integer control t 5 A method to generate a digital electronic signature for a message using the public key formed according to the The method of claim 1, comprising the steps of obtaining a public value based on the generator and a first integer (524) selecting a second integer number (530), obtaining a "first electronic signature value based on the second integer and the generator (536) obtain a second electronic signature value based on the first electronic signature value and the message (538) and form the digital electronic signature to include the first and second electronic signature values (540) 6 The method of the claim 5 further comprising the step of representing the finite field with an optimal normal base 7 The method of claim 5 wherein the second prime number q satisfies (log p) + 1 - 8 wherein B is a predetermined number of bits 8 The method of claim 5 further comprising the step of selecting a control integer integer t, and wherein the cyclotomic polynomial is the cycletomial polynomial r'-th The method of claim 5 wherein the first electronic signature value is based on a bijection of the generator arising for the power of the second integer number. The method of claim 5, wherein the second electronic signature value is based on the combination of the ppmer signature value with a cryptographic hash function of the message 11 A method for verifying a digital electronic signature for a message, the digital electronic signature being formed according to the method of claim 5, comprising the steps of finding a reverse integer which is the inverse of the second electronic signature value (548) finding a first intermediate value based on the integer inverse number and the nsaje (550 ul), find a second intermediate value based on the inverse integer number and the first electronic signature value (550 u2) find a third intermediate value based on the generator, the public value and the first and second intermediate values (554) ) determine that the signature is valid when the third intermediate value is equal to the first electronic signature value (556) 12 The method of claim 11 where the third intermediate value is a bijection of the generator emerged for the power of the ppmer intermediate value multiplied by the public value arising from the power of the second intermediate value 13 A method for determining a shared key using the public key according to the method of claim 1, comprising the step of selecting an integer number (602) to receive an intermediate value that is based on the generator (608), and form the shared key as a function of the intermediate value and the number whole (610) 14 The method of claim 13, further comprising the step of representing the finite field with an optimal normal base. The method of the claim, which further comprises the steps of finding a second intermediate value that is based on the generator and the integer number (604) and sending the second intermediate value to a part that shares the shared key (606) 16 A method to ensure the communication of A message using the shared key formed according to the method of claim 13, comprising the steps of implementing the message using the shared key. The method of claim 16, further comprising the step of representing finite with an optimal normal base. A method for securing communication of a message, comprising the steps of receiving an enclosed message that has been implemented using the shared key formed according to claim 13, and unencrypting the enciphered message using the shared key 19 The method for securing the communication of a message using the shared key formed according to the method of claim 1 comp yielding the steps of obtaining a public value based on the generator and a first integer number (524), selecting a second integer number (702), finding a first value based on the generator and the second number entered (704), finding a second encoded value based on the message, the public value and the second integer number (706), and forming an enciphered message of the first and second encoded values (708) The method of claim 19, further comprising the step of representing the finite field with an optimal normal base 21 A method for securing communication of a message, comprising the steps of receiving an enclosed message that has been implemented using the public key according to claim 1, finding a first intermediate value based on the first value entered and a private key, the private key being based on the generator (724), and decrypting the message based on the second value encpptado and the first intermediary value (726) 22 An apparatus for determining a public key for a discrete logarithm encryption system comprising means for selecting a first prime number, means for obtaining a cyclothomic polynomial evaluated in the first prime number and means for obtaining a second number cousin that is a factor of the cyclotomic polynomial evaluated in the first prime number, means to find a generator of a subgroup of a multiplication group of a finite field, the order of the subgroup being the second prime number, and means to form the public key to include the first and second prime numbers and the generator. 23. The apparatus of claim 22, further comprising means for representing the finite field with an optimal normal basis. The apparatus of claim 22 wherein the second prime number q satisfies (log2 p) + 1 - B where B is a predetermined number of bits. 25. The apparatus of claim 22, further comprising the step of selecting an integer control number t ', and wherein the cyclotomic polynomial is the cyclotomic polynomial í'-th and the public key includes the integer control number 77 26 The method of claim 1, further comprising the step of obtaining a public value based on the generator and a second integer and wherein the public key also includes the public value. The method of claim 1, further comprising the step of forming a private key that includes the selected whole number (526). 28. The apparatus of claim 22, further comprising means for obtaining a public value based on the generator and a selected integer and where the public key also includes the public value. 29. The apparatus of claim 22, further comprising means for forming a private key including the selected integer.