MXPA99010196A - Pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing - Google Patents

Info

Publication number
MXPA99010196A
Authority
MX
Mexico
Application number
MXPA/A/1999/010196A
Other languages
Spanish (es)
Inventor
Naccache David
M Raihi David
Levy Dit Vehel Francoise
Original Assignee
Gemplus
Abstract

The invention concerns a cryptographic system that normally requires the drawing of a random number k, k being an integer. The system is characterised in that it is operated by replacing said random number k with the value h(m | secret), in which h is a hash function, m is the message intervening in said system and "secret" is a secret unknown to the world outside the cryptographic system. The invention is particularly applicable to communicating media such as smart cards, PCMCIA cards, badges, contactless cards or any other portable medium.

Description

A PSEUDO-RANDOM GENERATOR BASED ON A HASH FUNCTION FOR CRYPTOGRAPHIC SYSTEMS THAT REQUIRE THE DRAWING OF RANDOM NUMBERS

DESCRIPTION OF THE INVENTION

The present invention describes a system that makes it possible to generate digital signatures or cryptograms that require the drawing of random numbers (typically DSA, El-Gamal, Fiat-Shamir and Guillou-Quisquater for signatures, El-Gamal and McEliece for encryption) by means of signing or encrypting devices (typically microprocessors) that lack the hardware or software resources needed to obtain random numbers. It also provides a defence against certain threats (typically the encryption of short messages, and the recent attacks published by Coppersmith and collaborators at Eurocrypt '96 in the articles "Low-Exponent RSA with Related Messages" and "Finding a Small Root of a Univariate Modular Equation") by generating, at low cost, a random sequence that can be appended to the information to be processed. It also allows the generation of blinding factors, as used in blind signature or random masking mechanisms. Finally, it can be used in key exchange protocols of the Diffie-Hellman type.

Despite the very wide distribution of smart cards and the good acceptance of the concept by the public, most practical applications appeared only a few years ago, mainly because of the limited computing power of the cards. Advances in non-volatile storage capacity, security and circuit technology (e.g. EEPROM) are promoting the rapid emergence of new and increasingly ambitious generations of cards and applications, such as the new North American digital signature standard (DSA).
A major limitation of smart cards as a means of implementing public key algorithms is the frequent need for a random number generator on board the card. Building such a generator proves to be complex and its output often unstable (sensitivity to phenomena external to the card, such as the ambient temperature or the voltage applied to the card). Where such cryptographic systems are implemented on a computer, other phenomena, due to the very varied nature of the random sources available in computer hardware, affect the quality of the random numbers. Typically, a very popular method of generating random numbers consists of measuring the time elapsed between two keystrokes by the user. Recent cases of fraud show that this type of generator can be subverted by simulating the keyboard with a fraudulent device, in which case the time elapsed between the various keystrokes is known to the attacker.

The present invention proposes a substitute solution that allows the implementation of cryptographic systems requiring the drawing of a good-quality random number on software or hardware platforms:
1. that have no means of generating random numbers,
2. or that generate random numbers of poor quality,
3. or where the system designer suspects that external elements could compromise the quality of the random numbers by modifying the external and internal operating conditions.

The present invention applies to various families of cryptographic algorithms. For a better understanding of the invention, and before examining the content of the claims, it is useful to recall the main characteristics of the families of cryptographic algorithms to which the invention applies, these being six in number.
The first family of application concerns signature or identification schemes of the El-Gamal type. The El-Gamal signature algorithm, described in the article "A public-key cryptosystem and a signature scheme based on discrete logarithms", published in IEEE Transactions on Information Theory, Vol. IT-31, No. 4, 1985, pp. 469-472, has given rise to a number of known signature algorithms: Schnorr, patented in the United States under reference number 4,995,082; GOST 34-10, the Russian federal digital signature standard; and DSA, the North American digital signature standard. Once illustrated within the context of DSA, the application of the present invention to the other algorithms of the same family can easily be carried out by those skilled in the art. What follows therefore refers to the DSA algorithm.

The Digital Signature Standard (DSA, US Patent No. 5,231,668 entitled "Digital Signature Algorithm") was proposed by the US National Institute of Standards and Technology in order to provide a suitable basis for applications that require a digital signature in place of a handwritten one. A DSA signature is a pair of large numbers represented on a computer by strings of binary digits. The signature is calculated by means of a series of calculation rules (the DSA) and a set of parameters, in a way that makes it possible to certify the identity of the signatory and the integrity of the data. The DSA makes it possible to generate and verify signatures. Signature generation uses a private key in order to produce the signature. Verification uses a public key that corresponds to the private key but is not identical to it. Each user has a key pair (public, secret). Public keys are assumed to be known to all, while secret keys are never disclosed. Anyone can verify a user's signature using that user's public key, but signatures cannot be generated other than with the user's secret key.

The parameters of the DSA are:
1. A prime modulus p such that 2^(L-1) < p < 2^L for 512 < L < 1024 and L = 64a for some integer a.
2. A prime modulus q such that 2^159 < q < 2^160 and p-1 is a multiple of q.
3. A number g of order q modulo p, namely g = h^((p-1)/q) mod p, where h is an integer satisfying 1 < h < p-1.
4. A number x, generated randomly or pseudo-randomly.
5. A number y defined by the relation y = g^x mod p.
6. A number k, generated randomly or pseudo-randomly, such that 0 < k < q.

The integers p, q and g are system parameters that may be published and/or shared by a group of users. The secret and public keys of a signatory are respectively x and y. The parameters x and k are used to generate the signature and must be kept secret. The parameter k must be generated afresh for each signature.

In order to sign a message m (the hash value of an initial file M), the signatory calculates the signature (r, s) by:
r = (g^k mod p) mod q, and
s = (m + x r) / k mod q,
where the division by k is understood modulo q (that is, 1/k is the number k' such that k k' = 1 mod q). For example, if q = 5 and k = 3 then 1/k = 2, since 3 x 2 = 6 = 1 mod 5. After having checked that r ≠ 0 and s ≠ 0, as explained in the description of the DSA, the signature (r, s) is sent to the verifier, which calculates:
1. w = 1/s mod q
2. u1 = m w mod q
3. u2 = r w mod q
4. v = (g^u1 y^u2 mod p) mod q
and compares v with r in order to accept or reject the signature.
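As an added illustration, not part of the patent text, here is the DSA just described with the random k replaced by h(m | x), the substitution this patent proposes for the first family. The parameters are constructed demo values found by a deterministic search (q just above 2^64, far too small for real use), SHA-256 stands in for h, and the reduction of h(m | x) into 0 < k < q and the retry counter for the r = 0 or s = 0 case are assumptions of this example.

```python
"""Deterministic DSA nonce k = h(m | x), the substitution proposed for the
first application family.  Added example, not the patent's code; the
parameters are constructed demo values (q just above 2^64) found by a
deterministic search and far too small for real use."""
import hashlib

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with the first 12 primes as bases; exact for n < 3.3e24,
    which covers every candidate tried by make_params()."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """(p, q, g): q prime, p prime with q | p-1, g = h^((p-1)/q) mod p != 1."""
    q = 2**64 + 13
    while not is_prime(q):
        q += 2
    p = 2 * q + 1
    while not is_prime(p):
        p += 2 * q          # keeps p = 1 mod q and odd
    hh, g = 2, 1
    while g == 1:
        g = pow(hh, (p - 1) // q, p)
        hh += 1
    return p, q, g


P, Q, G = make_params()


def h(data):
    """The hash function h (SHA-256 stands in for it), read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def message_hash(M):
    """m = h(M) reduced modulo q, since this toy q is much shorter than the
    digest (assumption)."""
    return h(M) % Q


def deterministic_k(m, x, counter=0):
    """k = h(m | x) in place of the random draw.  Fixed-width fields keep the
    concatenation unambiguous; the counter is appended only on a retry when
    r or s came out 0, a case the patent text leaves open (assumption)."""
    data = m.to_bytes(32, "big") + x.to_bytes(32, "big")
    if counter:
        data += counter.to_bytes(4, "big")
    return 1 + h(data) % (Q - 1)        # forces 0 < k < q


def sign(M, x):
    """DSA signature (r, s) of M with the deterministic nonce; no RNG involved."""
    m = message_hash(M)
    counter = 0
    while True:
        k = deterministic_k(m, x, counter)
        r = pow(G, k, P) % Q
        s = (m + x * r) * pow(k, -1, Q) % Q   # 1/k is the inverse of k mod q
        if r != 0 and s != 0:
            return r, s
        counter += 1


def verify(M, sig, y):
    """Unchanged DSA verification: w = 1/s, u1 = m w, u2 = r w,
    v = (g^u1 y^u2 mod p) mod q, accept iff v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    m = message_hash(M)
    w = pow(s, -1, Q)
    v = pow(G, m * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r
```

Signing the same message twice with the same key yields the identical signature, while the verifier runs the standard DSA check unchanged.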
The second family also concerns signature schemes, namely those derived from zero-knowledge protocols (typically Fiat-Shamir or Guillou-Quisquater, patented in the United States respectively under references 4,748,668 and 5,140,634). Here too, only one of these protocols will be described. Once applied to the Guillou-Quisquater algorithm, the extension of the invention to the other algorithms of this family is self-evident to the experts in the field.

The parameters of the Guillou-Quisquater algorithm are:
1. Two secret prime numbers p and q of size at least 256 bits each; these primes are generated in a particular way, the details of which are not essential for understanding the present invention but can be found in the work "Applied Cryptography, Algorithms, Protocols and Source Codes" by Bruce Schneier (translation by Marc Vauclair), Thomson Publishing;
2. A public modulus n = p q and a string ID representing the identity of the signatory;
3. A public exponent v and a secret key B such that B^v ID = 1 mod n; the parameter B must remain secret;
4. In order to sign the message m, the sender draws a random number k, calculates the initial witness T = k^v mod n and generates the signature d = h(T, m), D = k B^(h(T, m)) mod n = k B^d mod n;
5. The verifier ensures the authenticity of the signature by checking that d = h(T', m) with T' = D^v ID^d mod n.

The third family of application concerns public key encryption schemes that require a random number. The first such algorithm described here is that of El-Gamal. Its parameters are:
1. A prime modulus p (of at least 512 bits);
2. A number g of order p-1 modulo p (that is, such that g^u ≠ 1 mod p for every integer u with 0 < u < p-1);
3. A number x, 1 ≤ x ≤ p-2, generated randomly or pseudo-randomly;
4. A number y defined by the relation y = g^x mod p;
5. A number k, generated randomly or pseudo-randomly, such that 0 < k < p-1.

The integers p and g are system parameters that may be published and/or shared by a group of users. The public encryption key is the number y, and the secret decryption key is the number x. The parameter k is used to generate the cryptogram and must be generated afresh for each encryption. The encryption of a message m, 0 < m < p-1, is the pair of integers (r, s), where:
r = g^k mod p and s = m y^k mod p.
In order to retrieve the message m, the receiver of the cryptogram (who holds x) calculates s / r^x mod p, which is precisely m.

The second encryption algorithm requiring the generation of a random number is the McEliece scheme, based on a problem of coding theory, more precisely on a particular class of codes known as Goppa codes. The general idea is to disguise a Goppa code as an arbitrary linear code: there is an efficient decoding algorithm for a Goppa code, whereas decoding a general linear code is a hard problem. The receiver, who knows the information used to disguise the code, can therefore decipher the message by decoding the underlying Goppa code. The parameters of the McEliece algorithm (all the following formulas being over GF(2)) are:
1. The numbers n, k and t, the system parameters; in the original article describing his encryption scheme, McEliece proposes n = 1024, t = 50 and k = 524;
2. A secret key composed of:
* a generator matrix G of a binary Goppa code of length n and dimension k correcting t errors, together with the corresponding decoding algorithm;
* a random invertible matrix S of dimension k x k;
* a random permutation matrix P of size n;
3. The corresponding public key composed of:
* the generator matrix T = S G P of a code equivalent to G;
* the error-correction capacity t;
4. The encryption by the McEliece algorithm of a message m of k bits is performed by calculating c = m T + e, where e is a randomly chosen error vector of Hamming weight t. Decryption of c is performed by calculating
c P^-1 = m T P^-1 + e P^-1 = m S G + e P^-1.
Since e has weight t, e P^-1 also has weight t; the vector c P^-1 can therefore be corrected by the code G. By decoding, the receiver obtains m S, and then m, since S is invertible.

The fourth family concerns cryptographic schemes that require random padding. It is not uncommon for the data to be encrypted to first have to be padded, that is, extended in order to obtain a data item of fixed size. This aspect can be illustrated by the example of RSA encryption, published in 1978 by R. Rivest, A. Shamir and L. Adleman and then patented under the title "System and Method of Cryptographic Communications" with the North American reference US 4,405,829. An RSA cryptogram is a large number represented on a computer by strings of binary or hexadecimal digits. The cryptogram is calculated by a software computing resource (a program) and/or a hardware computing resource (an electronic circuit) applying a series of calculation rules (the encryption algorithm) to a set of parameters accessible to all, in order to hide the content of the processed data. Analogously, the cryptogram is deciphered by a software or hardware computing resource applying a series of calculation rules (the decryption algorithm) to a set of secret parameters and the cryptogram. The encryption method uses a public key in order to produce the cryptogram. The decryption method uses a private key that corresponds to the public key but is not identical to it. Each user has a key pair (public, secret); public keys are assumed to be known to everyone while secret keys are never disclosed. Anyone can encrypt a message for a user using the latter's public key, but cryptograms cannot be decrypted other than with the user's secret key.

The parameters of the RSA algorithm are:
1. Two secret prime numbers p and q of size at least 256 bits each. These primes are generated in a particular way, the details of which are not essential for understanding the present invention but can be found in the work "Applied Cryptography, Algorithms, Protocols and Source Codes" by Bruce Schneier (translation by Marc Vauclair), Thomson Publishing;
2. A public modulus n = p q;
3. A pair of exponents denoted (e, d) such that e d = 1 mod (p-1)(q-1). The exponent e, referred to as the "encryption exponent", is accessible to all, while the "decryption exponent" d must remain secret.

In order to encrypt the message m, the sender calculates the cryptogram c = m^e mod n, and the receiver deciphers c by calculating m = c^d mod n. The security of the algorithm, based on the factoring problem, provides, for a careful choice of parameters and in the general case of the encryption of messages of the size of the modulus that have no particular relationship between them, confidentiality between the sender and the recipient of the encrypted information.

On the other hand, recent attacks presented by Coppersmith and collaborators at Eurocrypt '96 (mainly in "Low-Exponent RSA with Related Messages" and "Finding a Small Root of a Univariate Modular Equation", published in the Springer-Verlag conference proceedings under the reference LNCS 1070) show that the existence of polynomial relationships between messages encrypted with one and the same small exponent, which can frequently occur in an application where the encrypting device uses, for operational reasons, a public exponent e = 3, allows effective attacks that reveal the plaintext. A possible answer is to pad the message with a random sequence (taking certain precautions) or to break any relationship between the messages, which, depending on the application, is not always possible.
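As an added example, not the patent's own code, here is the deterministic padding the patent specifies later for this fourth family: k_i = h(m | s | i) fills the block so that the pad is at least one sixth of the size of n, and one and the same (m, s) always yields the same cryptogram. The modulus is built from two constructed demo primes (the Mersenne primes 2^521-1 and 2^607-1), SHA-256 stands in for h, and the fixed-width length fields are an assumption of this example.

```python
"""Deterministic random padding for RSA encryption, as in the patent's fourth
application family: k_i = h(m | s | i) fills the block, so a given (m, s)
always yields the same cryptogram.  Added example, not the patent's code; the
primes are constructed demo values (Mersenne primes), not a usable key."""
import hashlib
import math

P, Q = 2**521 - 1, 2**607 - 1            # both prime; demo only
N = P * Q
E = 65537                                 # gcd(E, (P-1)(Q-1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))
N_BYTES = (N.bit_length() + 7) // 8       # 141
BLOCK = N_BYTES - 1                       # every mr is below 2^(8*BLOCK) < n
MIN_PAD = math.ceil(N.bit_length() / 6 / 8)  # one sixth of |n|, in bytes (24)


def h(data):
    """The hash function h; SHA-256 stands in for it here."""
    return hashlib.sha256(data).digest()


def padding(m, s, length):
    """Concatenate k_i = h(m | s | i) for i = 1, 2, ... and cut to `length`
    bytes.  The 2-byte length of m and the 4-byte i are fixed-width fields
    (assumption) so the concatenation cannot be parsed two ways."""
    out, i = b"", 1
    while len(out) < length:
        out += h(len(m).to_bytes(2, "big") + m + s + i.to_bytes(4, "big"))
        i += 1
    return out[:length]


def pad_message(m, s):
    """mr = size(m) | m | {k_i}; the pad fills the rest of the block and is
    refused if it would fall below one sixth of the modulus size."""
    pad_len = BLOCK - 2 - len(m)
    if pad_len < MIN_PAD:
        raise ValueError("message too long for this modulus")
    return len(m).to_bytes(2, "big") + m + padding(m, s, pad_len)


def encrypt(m, s):
    """c = mr^e mod n, where s is the encryptor's secret (never sent)."""
    return pow(int.from_bytes(pad_message(m, s), "big"), E, N)


def decrypt(c):
    """mr = c^d mod n; the receiver recovers m from the size field alone and
    needs neither s nor the padding rule."""
    mr = pow(c, D, N).to_bytes(BLOCK, "big")
    size = int.from_bytes(mr[:2], "big")
    return mr[2:2 + size]
```

Two encryptions of the same message under the same secret s are identical, while changing either m or s changes the whole padded block.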
The following modification is then introduced in step 4: in order to encrypt the message, the sender generates a sequence sr having a certain degree of randomness and calculates the cryptogram c = (m | sr)^e mod n, where the sign | denotes concatenation; the receiver decrypts c by calculating c^d mod n and retrieves m by removing the padding. The exact padding methods may vary depending on the standards, the application requirements or the required level of security.

The fifth family concerns blinding factors and blind signatures. A basic functionality, termed a primitive by those skilled in the art, used in many cryptographic protocols and schemes is the blind signing of a given message. This functionality, described and patented by Chaum (US Patent No. 4,759,063 and European Patent No. 0139313), makes it possible to have a message signed without the signatory being able to read the message. This requires the generation of a blinding factor, known only to the requester of the signature, which makes it possible to hide the message. The mechanism applies equally well to signature schemes of the El Gamal type and to those of the RSA type. Once illustrated within the context of RSA, the application of the present invention to the other signature algorithms is self-evident to those skilled in the art. Only the RSA-based blind signature mechanism will be described here. Taking again the notation used in the description of the fourth application family, the RSA signature is defined as s = m^d mod n; verification is naturally carried out as s^e mod n = (m^d)^e mod n = m. The steps by which a sender E obtains a blind signature of a message m are:
1. E generates a random number k, calculates the blinding factor k^e mod n and sends m' = m k^e mod n to the receiver (signer);
2. The receiver calculates s' = m'^d mod n, which is the signature of m', and sends s' to E;
3. E computes s'/k = (m k^e)^d / k = m^d k^(ed) / k = m^d mod n, and therefore obtains the signature s of m.

This technique of multiplication by a blinding factor is also used in the context of random masking (European patent application EP 91402958.2). Random masking is used, for example, where a device A wishes to outsource operations to a device B without fully revealing the operands to it. Take for example a modular reduction: A can camouflage the number to be reduced modulo n by adding to it a random multiple of the modulus. Thus, if A wishes to obtain c = a b mod n, it can generate a random number k, calculate c' = a b + k n (k n masks the product a b), and send c' to device B for reduction. Device B calculates c' mod n = a b + k n mod n = c.

This technique finally makes it possible to propose a response to the attacks by Kocher described at Crypto '96 ("Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems", proceedings published by Springer-Verlag under reference LNCS 1109), which are based on measuring the time taken by operations that manipulate secret quantities in order to recover their values. An effective response is to multiply the manipulated secret quantities by a blinding factor in order to decorrelate the computation time from their magnitude. In the case of the RSA signature, for example (the experts in the art will know how to extend this result to all the algorithms concerned by the attack, mainly all those involving a modular exponentiation with a secret exponent), taking again the notation used in the description of the fourth family of application, it suffices that:
1. the signer generates a random number k and calculates d' = d + k (p-1)(q-1);
2. this immediately yields the signature of m by calculating m^d' = m^(d + k(p-1)(q-1)) = m^d (m^((p-1)(q-1)))^k = m^d mod n.

The sixth family concerns key exchange schemes based on the Diffie-Hellman method. The Diffie-Hellman key exchange algorithm is the first public-key algorithm, described in "New Directions in Cryptography", published in IEEE Transactions on Information Theory, Vol. IT-22, No. 6, and patented in the United States under reference 4,200,700. The method involves two participants (or apparatuses) who wish to agree on a secret item of information. The Diffie-Hellman protocol parameters are as follows:
1. Two public parameters on which the sending device (A) and the receiving device (B) agree: a prime number p of at least 512 bits and an integer g, a primitive root modulo p. These two parameters may be common to a group of users.
The protocol proceeds as follows. In order to share secret information, the two devices carry out the following operations:
• device A generates a random number x and calculates the quantity X = g^x mod p;
• device B generates a random number y and calculates the quantity Y = g^y mod p;
• the two devices exchange the quantities X and Y;
• device A calculates key = Y^x mod p;
• device B calculates key' = X^y mod p.
At the end of the protocol the two devices thus share knowledge of the quantity key' = key = g^(xy) mod p. The two devices can subsequently use the secret quantity "key" to exchange further messages over a secure channel, by means of a symmetric encryption algorithm taking as parameters the quantity "key" and the message to be encrypted.

Following the description of the different families of application of the invention, it is desirable to specify its main advantages. The economic constraints of the smart card market involve a continuous search for lower production costs. This effort often goes through the use of the simplest possible products. This established fact results in a constantly growing importance of solutions that make it possible to implement public key algorithms on cheap 8-bit microcontrollers with, for example, an 80C51 or 68HC05 core. The main advantage of the method of the invention compared to the preceding proposals with respect to digital signatures or encryption lies in the ability to calculate signatures or perform encryption operations without requiring a random number generator on board the signing or encrypting circuit. For clarity of the description, it should be specified that the generation of the keys and parameters of the various systems presented remains unchanged. The usual works and patents should therefore be consulted in order to generate the various elements necessary for the signature, authentication and encryption algorithms presented in the invention.
A practical reference work is "Applied Cryptography, Algorithms, Protocols and Source Codes" by Bruce Schneier, Thomson Publishing.

The present invention relates to a cryptographic system which normally requires the drawing of a random number k, the random number being an integer, the system being characterised in that it is implemented by replacing the random number k with the quantity h(m | secret), where h is a hash function, m is the message occurring in said system and "secret" is a secret item unknown to the world outside the cryptographic system.

More precisely, the cryptographic system of the present invention comprises at least one of:
- a public key signature system;
- a public key encryption system;
- a random padding system;
- a blinding factor generation system;
- a key exchange protocol.

In the case of a cryptographic system comprising a public key signature system of the DSA, Schnorr, El-Gamal, GOST 34.10 or IEEE ECDSA elliptic curve standard type, the random number k renewed by the signatory for each signature is replaced by the quantity h(m | x), where x is the secret key of the signatory.

In the case of a cryptographic system comprising a public key signature system of the Fiat-Shamir or Guillou-Quisquater type, the random number renewed by the signatory for each signature is replaced by the quantity h(m | B), B being the secret key of the signatory and m the message to be signed.

In the case of a cryptographic system comprising a public key encryption system of the El Gamal type, the random number k renewed by the encryptor for each sending of an encrypted message is replaced by the quantity h(m).

In the case of a cryptographic system comprising a public key encryption system of the McEliece type, the random error vector e renewed by the encryptor for each encryption is derived from the quantity h(m), where m is the message to be encrypted.

In the case of a cryptographic system comprising a random padding system used in a public-key encryption system, the encryptor holds a key s unknown to the decryptor and the padding of the messages is carried out according to the following steps:
a. Generate as many k_i = h(m | s | i) as necessary so that the length of the concatenated k_i is at least one sixth of the size of the modulus n (in the case of RSA encryption, for example), or generate k = h(m | s) and expand it;
b. Form mr such that mr = size(m) | m | {k_i};
c. Encrypt mr instead of m.

In the case of a cryptographic system comprising a system for the generation of a blinding factor within the context of a blind signature or a random masking operation, the random number k renewed by the sender for each blinding or masking operation is replaced by the quantity h(m | s).

In the case of a cryptographic system comprising a Diffie-Hellman key exchange protocol, an apparatus that wishes to send a message m uses, instead of a random secret value, the quantity h(m | s), where s is the secret data item. In this same case, the protocol has at least the following steps:
a. A first device, which wishes to send the message m, calculates b1 = g^(h(m | s)) mod p;
b. A second device, the receiver, generates a random number a and calculates b2 = g^a mod p;
c. The two devices exchange b1 and b2, and calculate key = g^(a h(m | s)) mod p;
d. The first device encrypts c = f(m, key), where f is a symmetric encryption mechanism;
e. The first device sends c to the second device, which decrypts it and retrieves m.
Preferably, the communicating devices are smart cards, PCMCIA cards, identification badges, contactless cards or any other portable device. Preferably, the communication between the devices implementing the invention is carried out by means of exchanges of electronic signals, radio waves or infrared signals.

The invention is now presented in more detail, taking again the notation used in the description of the application families. As previously stated, the idea is to generate the random number by a hash operation h. For the first two families of application, h takes as parameters a secret data item, namely the secret key of the signatory, and a public data item, the message to be signed. For the third family, h takes as parameter only the message to be encrypted. Finally, for the other families, h takes as parameters a public data item and a secret data item (denoted s below). More precisely:

- for the first family, concerning signature schemes of the El-Gamal type, the random number k is generated as k = h(m | x), where m is the hash of the message M to be signed and x the secret key of the signatory. The rest of the generation of the signature (r, s) is performed exactly as in the original method. Similarly, the verification of the generated signature remains unchanged.

- for the second family, concerning signature schemes derived from zero-knowledge protocols, k is generated as k = h(m | B), where m is the hash of the message M to be signed and B the secret key of the signatory. The rest of the generation of the signature (d, D) is performed exactly as in the original method. Similarly, the verification of the generated signature remains unchanged.

- for the third family, concerning encryption schemes that require a random number, two cases must be considered:
1. El Gamal encryption: the random number k is generated as k = h(m), where m is the message to be encrypted. The El Gamal algorithm is then performed as previously described. Decryption also remains unchanged.
2. McEliece encryption: instead of deriving the error vector e from a random number, it is generated from h(m), where m is the message to be encrypted. It should be noted that e must have Hamming weight exactly t. One way of deriving a vector of length n (the length of the code under consideration) and weight t from h(m) is as follows: assume that the vectors of length n and weight t have been ordered; the vector at position h(m) in this list (or at a position derived from h(m), since this number can exceed the binomial coefficient (n, t), depending on t, n and the hash function used) can then be chosen as the vector e. The McEliece algorithm is then performed as previously described. Decryption also remains unchanged. In addition, this method of generating e solves the problem of encrypting one and the same message twice. In the generic McEliece scheme it is unwise to encrypt the same message twice (hence with two different error vectors), since part of the error vectors can then be inferred and the plaintext recovered more easily. With the generation of e according to the present invention, one and the same message always has the same encryption.

The invention applies as follows to the fourth family, concerning cryptographic schemes that require random padding: as stated above, a recommended security measure is to pad the messages with a random sequence. But here again, if the sequence varies between several encryptions of one and the same message, an attack revealing the plaintext again becomes possible. Using the deterministic method of generating a random number puts an effective stop to this phenomenon. Indeed, by appending to the message m as many values k_i = h(m | s | i) as necessary (the length of the padding must be at least 1/6 of the size of n, that is between 86 and 171 bits for conventional modulus sizes ranging from 512 to 1024 bits), where s is a secret number of at least 128 bits, all these attacks become impossible, since there is no longer any relationship between the messages, and moreover one and the same message encrypted several times always carries the same padding. The encryption of a message m is then performed by the sender as follows:
1. Generate as many k_i = h(m | s | i) as necessary so that the length of the concatenated k_i is at least 1/6 of the size of n; it may also be preferred to use a single k = h(m | s) and expand k before concatenating it with the message;
2. Form mr such that mr = size(m) | m | {k_i};
3. Calculate the cryptogram c = mr^e mod n, so that the receiver deciphers c by calculating mr = c^d mod n. The receiver then simply extracts m, knowing its size and therefore the significant bits of mr.

For the fifth family, concerning blinding factors and blind signatures, three cases have to be considered:
1. Blind signature: k is generated as k = h(m | s), with m the message to be signed and s a secret data item. The rest of the blind signature generation is performed exactly as in the original method. Similarly, the extraction of the signature of m remains unchanged;
2. Random masking: k is generated as k = h(a | b | s), with a and b the operands to be multiplied and s a secret data item. The rest of the random masking operation is performed exactly as in the original method. Similarly, the modular reduction of c' by the receiver remains unchanged;
3. Protection against attacks based on timing a computation: in the case of the RSA signature, for example, the random multiple k of (p-1)(q-1) is generated as k = h(m | s), with m the message to be signed and s a secret data item. The rest of the exponent masking operation (d' = d + k (p-1)(q-1)) is performed exactly as in the original method.

The invention applies in the following manner to the sixth family, concerning key exchange schemes based on the Diffie-Hellman method. In a key exchange system of the Diffie-Hellman type, the device which wishes to send a message m uses, instead of a random number, the quantity h(m | s), where s is a fixed secret data item. Obviously this method extends naturally to all participants in the protocol. The latter has at least the following steps:
• a first device, which wishes to send the message m, calculates X = g^(h(m | s)) mod p;
• a second device, the receiver, generates a random number y and calculates Y = g^y mod p;
• the two devices exchange X and Y, and calculate key = g^(y h(m | s)) mod p;
• the first device encrypts c = f(m, key), where f is a symmetric encryption mechanism;
• the first device sends c to the second device, which decrypts it and retrieves m.

The invention will be easier to understand with the help of Figures 1 to 4. Figure 1 describes the flow chart of the signing or decrypting apparatus implementing the system proposed by the present invention. Figure 2 describes the flow chart of a verifying or encrypting apparatus implementing the system proposed by the present invention.
Figure 3 describes the data exchanged by the signature device and the verification device. Figure 4 describes the data exchanged by the coding device and the decoding device.
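The first family above (the random nonce replaced by k = h(m | x)), as an added example that is not part of the patent: a minimal ECDSA over secp256k1 in Python, with h instantiated as SHA-256 and the retry counter for a zero k, r or s as our own assumption. Signing becomes deterministic for a given message and key, while verification is the standard, unchanged check.

```python
import hashlib

# secp256k1 parameters (standard public values): y^2 = x^3 + 7 over GF(p), G has prime order N.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def h(*parts: bytes) -> int:
    """Hash function h of the patent, instantiated with SHA-256 over '|'-joined inputs."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def ec_add(A, B):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k: int, A):
    """Double-and-add scalar multiplication k * A."""
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def sign(m: bytes, x: int):
    """ECDSA with the random draw replaced by k = h(m | x) (claim 3). Retrying with
    h(m | x | i) when k, r or s would be zero is our own edge-case handling."""
    e, xb = h(m) % N, x.to_bytes(32, "big")
    for i in range(256):
        k = (h(m, xb) if i == 0 else h(m, xb, bytes([i]))) % N
        if k == 0: continue
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + x * r) % N
        if r and s: return r, s
    raise ValueError("no usable nonce")

def verify(m: bytes, Y, sig) -> bool:
    """Standard ECDSA verification; it is unchanged by the deterministic k."""
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(h(m) % N * w % N, G), ec_mul(r * w % N, Y))
    return R is not None and R[0] % N == r
```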
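The McEliece derivation of the error vector e described above, as an added example that is not part of the patent: h(m) (SHA-256 here, an assumption) is reduced modulo C(n, t) and then unranked in the lexicographic ordering of the weight-t vectors, so the same message always yields the same vector of weight exactly t.

```python
import hashlib
from math import comb

def h(m: bytes) -> int:
    """Hash function h of the patent, instantiated with SHA-256 (256-bit output)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def unrank(index: int, n: int, t: int) -> list[int]:
    """Positions of the ones in the index-th (0-based) length-n, weight-t vector, the
    vectors being ordered lexicographically by their sets of one positions."""
    if not 0 <= index < comb(n, t):
        raise ValueError("index outside the list of weight-t vectors")
    ones, c = [], 0
    for remaining in range(t, 0, -1):
        # Skip every block of vectors whose next one sits at position c.
        while index >= comb(n - c - 1, remaining - 1):
            index -= comb(n - c - 1, remaining - 1)
            c += 1
        ones.append(c)
        c += 1
    return ones

def error_vector(m: bytes, n: int, t: int) -> list[int]:
    """McEliece error vector e of length n and weight exactly t derived from h(m).
    As the patent notes, h(m) may exceed C(n, t), so the position is reduced modulo
    it; a 256-bit hash also indexes only part of the list when C(n, t) > 2^256."""
    e = [0] * n
    for pos in unrank(h(m) % comb(n, t), n, t):
        e[pos] = 1
    return e
```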
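The deterministic padding of the fourth family, as an added example that is not part of the patent: the sender builds mr = size(m) | m | {k_i} with k_i = h(m | s | i) until the padding covers at least 1/6 of n, and the receiver recovers m from its size. SHA-256 for h, a 2-byte size field and a block one byte shorter than the modulus (so that mr < n) are our assumptions.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    """Hash function h of the patent, instantiated with SHA-256 over '|'-joined inputs."""
    return hashlib.sha256(b"|".join(parts)).digest()

def min_padding_bytes(n_bits: int) -> int:
    """At least 1/6 of the modulus size (86 bits for 512-bit n, 171 bits for 1024-bit n)."""
    return (-(-n_bits // 6) + 7) // 8

def max_message_len(n_bits: int) -> int:
    """Block is n_bits/8 - 1 bytes so that mr < n; 2 bytes hold size(m) (our convention)."""
    return n_bits // 8 - 1 - 2 - min_padding_bytes(n_bits)

def pad(m: bytes, s: bytes, n_bits: int) -> int:
    """Build mr = size(m) | m | k_1 | k_2 | ... with k_i = h(m | s | i), filling the block
    so that the padding covers at least 1/6 of n. Same m and s always give the same mr."""
    if len(m) > max_message_len(n_bits):
        raise ValueError("message too long: padding would be shorter than n/6")
    block_len = n_bits // 8 - 1
    need = block_len - 2 - len(m)
    padding, i = b"", 1
    while len(padding) < need:
        padding += h(m, s, i.to_bytes(4, "big"))
        i += 1
    mr = len(m).to_bytes(2, "big") + m + padding[:need]
    return int.from_bytes(mr, "big")   # the sender then computes c = mr^e mod n

def unpad(mr: int, n_bits: int) -> bytes:
    """Receiver side after mr = c^d mod n: read size(m), then the significant bytes."""
    block = mr.to_bytes(n_bits // 8 - 1, "big")
    size = int.from_bytes(block[:2], "big")
    return block[2:2 + size]
```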
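The Diffie-Hellman exchange of the sixth family with both devices' messages, as an added example that is not part of the patent; the 2039-element group, SHA-256 for h and the keystream used as f are constructed stand-ins. Note that X depends only on m and s, so freshness of the shared key comes entirely from the receiver's random y.

```python
import hashlib

# Toy group (constructed for illustration only): p = 2039 is a safe prime (p = 2q + 1 with
# q = 1019) and g = 4 generates its order-q subgroup. A real deployment uses a 2048-bit group.
P, G = 2039, 4

def h(*parts: bytes) -> int:
    """Hash function h of the patent, instantiated with SHA-256 over '|'-joined inputs."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

def f(key: int, data: bytes) -> bytes:
    """Symmetric mechanism f of the patent: here a SHA-256 keystream XOR (our stand-in;
    a real system would use an authenticated cipher keyed from the shared secret)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def first_device_send(m: bytes, s: bytes):
    """Step 1: the exponent h(m | s) replaces the random draw; X = g^h(m|s) mod p."""
    exp = h(m, s) % (P - 1)
    return exp, pow(G, exp, P)

def second_device(X: int, y: int):
    """Steps 2 and 3 on the receiver: Y = g^y mod p, key = X^y = g^(y h(m|s)) mod p."""
    return pow(G, y, P), pow(X, y, P)

def first_device_finish(m: bytes, exp: int, Y: int):
    """Steps 3 and 4 on the sender: key = Y^h(m|s) mod p, c = f(m, key)."""
    key = pow(Y, exp, P)
    return key, f(key, m)

def run_exchange(m: bytes, s: bytes, y: int):
    """Full protocol; returns (X, whether both keys agree, message recovered by the receiver)."""
    exp, X = first_device_send(m, s)
    Y, key_receiver = second_device(X, y)
    key_sender, c = first_device_finish(m, exp, Y)
    return X, key_sender == key_receiver, f(key_receiver, c)
```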
According to the present invention, each signature/decryption apparatus (typically a smart card) is composed of a processing unit (CPU), a communications interface, a random access memory (RAM) and/or a read-only memory (ROM) and/or a writable (generally rewritable) memory (EPROM or EEPROM). The CPU and/or ROM of the signature/decryption apparatus contains the programs or computing resources corresponding to the steps of the signature/decryption algorithm (rules of computation for the hash function, multiplication, squaring, addition, modular inverse and modular reduction). Some of these operations can be grouped together: for example, the modular reduction can be integrated directly into the multiplication. The RAM contains the message M to which the hash function, the rules for generating the signature or the rules for generating the cryptogram are applied. The E(E)PROM contains at least the parameters m, x and k, generated and used as specified in the description. The CPU controls, via the address and data buses, the communications interface and the read and write operations in memory. Each signature device is protected from the outside world by physical protection mechanisms. These mechanisms must be sufficient to prevent any unauthorized entity from obtaining the secret key. The techniques most commonly used today for this purpose are embedding the chip in a security module and equipping the chips with devices capable of detecting variations in temperature or light, as well as abnormal voltages and clock frequencies. Particular design techniques, such as scrambling memory accesses, are also used.

According to the proposed invention, the verification apparatus is composed of at least one processing unit (CPU) and memory resources. The CPU controls, via the address and data buses, the communications interface and the read and write operations in memory. The CPU and/or the ROM of the authority contain the programs or computing resources that implement the signature or encryption protocol (rules of computation for the hash function, multiplication, exponentiation and modular reduction). Some of these operations can be grouped together (for example, the modular reduction can be integrated directly into the multiplication).

Claims (12)

1. A cryptographic system, which normally requires the drawing of a random number k, the random number being an integer, the system being characterized in that it is implemented by replacing the random number k with the quantity h(m | secret), where h is a hash function, m is the message occurring in the system and "secret" is a secret item unknown to the world outside the cryptographic system.
2. A cryptographic system according to claim 1, characterized in that it comprises at least: - a public key signature system; - a public key encryption system; - a random padding system; - a blinding factor generation system; - a key exchange protocol.
3. A cryptographic system comprising a public key signature system of the DSA, Schnorr, El-Gamal, GOST 34.10 or IEEE ECDSA elliptic curve standard type, according to claim 2, characterized in that the random number (k) renewed by the signatory at the time of each signature is replaced by the quantity h(m | x), where x is the secret key of the signatory.
4. A cryptographic system comprising a public key signature system of the Fiat-Shamir or Guillou-Quisquater type, according to claim 2, characterized in that the random number renewed by the signatory at the time of each signature is replaced by the quantity h(m | B), where B is the secret key of the signatory and m the message to be signed.
5. A cryptographic system comprising a public key encryption system of the El Gamal type, according to claim 2, characterized in that the random number k renewed by the encryptor at the time of each sending of an encrypted message is replaced by the quantity h(m).
6. A cryptographic system comprising a public key encryption system of the McEliece type, according to claim 2, characterized in that the random error vector e renewed by the encryptor at each encryption is derived from the quantity h(m), where m is the message to be encrypted.
7. A cryptographic system comprising a random padding system used in a public key encryption system, according to claim 2, characterized in that the encryptor holds a key s unknown to the decryptor, and in that the padding of the messages is performed according to the following steps: a. generate as many k_i = h(m | s | i) as necessary so that the length of the concatenated k_i is at least equal to 1/6 of the size of the modulus n (in the case of RSA encryption, for example), or generate k = h(m | s) and expand it; b. form mr such that mr = size(m) | m | {k_i}; c. encrypt mr instead of m.
8. A cryptographic system comprising a system for the generation of a blinding factor in the context of a blind signature generation or a random masking operation, according to claim 2, characterized in that the random number k renewed by the sender at the time of each blinding or masking operation is replaced by the quantity h(m | s).
9. A cryptographic system comprising a key exchange protocol system of the Diffie-Hellman type, according to claim 2, characterized in that an apparatus or device that wishes to send a message m uses, instead of a random secret item, the quantity h(m | s), where s is a secret data item.
10. A cryptographic system according to claim 9, characterized in that the protocol has at least the following steps: a. a first device, which wishes to send the message m, computes b1 = g^h(m | s) mod p; b. a second device, the receiver, generates a random number a and computes b2 = g^a mod p; c. the two devices exchange b1 and b2, and compute key = g^(a · h(m | s)) mod p; d. the first device encrypts c = f(m, key), where f is a symmetric encryption mechanism; e. the first device sends c to the second device, which decrypts it and retrieves m.
11. A cryptographic system according to any of claims 1 to 10, characterized in that the apparatuses are communications devices, smart cards, PCMCIA cards, identification cards, contactless cards or any other portable device.
12. A cryptographic system according to any of claims 1 to 11, characterized in that the communication between the devices implementing it is carried out by means of an exchange of electronic signals, radio waves or infrared signals.
MXPA/A/1999/010196A 1997-05-07 1999-11-05 Pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing MXPA99010196A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR9706198 1997-05-07
FR97/06198 1997-05-07

Publications (1)

Publication Number Publication Date
MXPA99010196A true MXPA99010196A (en) 2000-06-01
