US20140281538A1 - Accelerated signature verification on an elliptic curve - Google Patents

Info

Publication number
US20140281538A1
Authority
US
United States
Legal status
Abandoned
Application number
US14/288,148
Inventor
Scott A. Vanstone
Donald B. Johnson
Current Assignee
Certicom Corp
Original Assignee
Certicom Corp
Application filed by Certicom Corp
Priority to US14/288,148
Assigned to Certicom Corp. Assignors: Donald B. Johnson, Scott A. Vanstone
Publication of US20140281538A1
Current legal status: Abandoned

Classifications

    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G06F7/725 Finite field arithmetic over elliptic curves
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3247 Means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Definitions

  • the present invention relates to public key data communication systems.
  • Public key data communication systems are used to transfer information between a pair of correspondents. At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender and the recipient may perform a complementary mathematical operation to decipher the information.
  • a typical example of such a system is a digital signature protocol. Digital signatures are used to confirm that a message has been sent by a particular party and that the contents have not been altered during transmission.
  • a widely used set of signature protocols utilizes the El Gamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key.
  • Public key schemes may be implemented using one of a number of multiplicative groups in which the discrete log problem appears intractable but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field.
  • This implementation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in Z_p^*, and therefore reduces the bandwidth required for communicating the signatures.
  • a signature component s has the form:
  • P is a point on the curve which is a predefined parameter of the system
  • k is a random integer selected as a short term private or session key
  • n is the order of the curve.
  • the sender sends to the recipient a message including m, s, and R and the signature is verified by computing the value sP − eQ, which should correspond to R. If the computed values correspond then the signature is verified.
  • a method for performing at least one public key operation at a computing device in a communication system said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising: obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and utilizing said supplementary information to perform said public key operation.
  • a method at a computing device in a communication system to facilitate at least one public key operation at a second computing device in said communication system, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising: obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and providing said supplementary information to said second computing device for use in performing said public key operation.
  • Computer readable media and computing devices for performing the above methods are also provided.
  • FIG. 1 is a schematic representation of a communication system
  • FIG. 2 is a representation of the data transmitted over the communication system in a first embodiment
  • FIG. 3 is a flow chart showing the steps in verifying a signature transmitted over the system of FIG. 1 using the data format of FIG. 2 ;
  • FIG. 4 is a flow chart showing the verification according to a second embodiment
  • FIG. 5 is a representation of the data transmitted over the communication system in a third embodiment.
  • FIG. 6 is a flow chart showing the steps of verifying the signature using the data format of FIG. 5 .
  • a data communication system 10 includes a pair of correspondents, designated as a sender 12 , and a recipient 14 , who are connected by a communication channel 16 .
  • Each of the correspondents 12 , 14 includes an encryption unit 18 , 20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below.
  • Each of the correspondents 12 , 14 also includes a computational unit 19 , 21 respectively to perform mathematical computations related to the encryption units 18 , 20 .
  • the computational power of the units 19 , 21 will vary according to the nature of the correspondents 12 , 14 but for the purpose of the present disclosure, it will be assumed that the unit 19 has greater power than that of unit 21 , which may in fact be a Smart card or the like.
  • the sender 12 assembles a data string 22 shown schematically in FIG. 2 .
  • the data string 22 includes a certificate 24 from the certifying authority CA that includes an identifier I.D. of the sender; a time stamp T; the public key Q of the sender; a string of bits y′ representing supplementary information; the signature component sauth of the certifying authority; and the short term public key Rauth of the certifying authority.
  • the data string 22 also includes a senders certificate 26 that includes the message m, the senders short term public key R and the signature component s of the sender.
  • the string of bits y′ included in the certificate 24 is obtained from the computational unit 19 .
  • the unit 19 performs at least part of the mathematical operations required to verify the signature at the recipient 14 and extracts from the computations the supplementary information y′.
  • the data string 22 is sent over the channel 16 to the intended recipient 14 .
  • sP-eQ must be computed and compared with R.
  • the certifying authorities signature component sauth is of similar form with its message m composed of the identifier I.D., time T and the sign bits y′.
  • the first step in the verification by the recipient 14 is to retrieve the value of Q and the sign bits y′ from the certificate 24 using the certifying authorities public key.
  • a hash value e′ is also computed from the message m and the coordinates of the point R in the senders certificate 26 .
  • the recipient 14 is then able to perform the verification by computing sP and e′Q.
  • the computational unit 21 has limited computing power and the computation of sP and e′Q may be time-consuming.
  • One or more of a number of enhancements are therefore adopted to facilitate the verification.
  • P is a long-term system parameter.
  • Values corresponding to integral multiples of P may be stored at the recipient 14 in lookup tables indicated at 28 in FIG. 1 .
  • the integer corresponding to s is thus located in table 28 and the value sP retrieved to provide a first component of the verification.
  • e′ is treated as a binary representation of an integer with each bit indicative of a coefficient of successive values of 2^j.
  • the computational unit 19 at sender 12 is used to double successively the point Q so that the coordinates of 2^jQ are obtained.
  • the most significant bit of the y coordinate indicates the “sign” of the y coordinate and a string of bits representing the signs of the y coordinates of the successively doubled points is incorporated as the supplementary information y′ in the certificate 24 .
  • the x coordinate of the point Q is successively doubled by applying the equation noted above so that the x coordinates of successive values of 2^jQ are obtained.
  • the binary representation of e′ indicates that a value of 2^jQ is required (i.e. where the coefficient is “1”)
  • the corresponding value of the y coordinate is determined by substitution in the underlying curve.
  • Two possible values of the y coordinate are obtained and the appropriate value is determined by reference to the sign bits y′ retrieved from the certificate 24 . Accordingly, the computation of the y coordinate that requires an inversion is avoided.
  • each pair of coordinates for the coefficients of 2^jQ may be combined to provide the value for e′Q and combined with sP to obtain sP − e′Q. This is then compared with the recovered value of R for verification.
  • sP may be computed in a manner similar to e′Q with the inclusion of additional sign bits for the y coordinates of 2^jP in the certificate 24 . It is, however, believed to be preferable to utilize the lookup tables 28 where practical.
  • FIG. 3 Upon receipt of the data string 22 , the recipient 14 recovers the affine coordinates (x, y) of the point Q and converts them into projective coordinates (x, y, z) by replacing x with x/z and y with y/z.
  • “b” is the constant associated with the underlying curve and can be chosen suitably small, i.e. one word.
  • the x and z values for 2Q may be used in a similar manner to obtain the values of x and z for 4Q. This may be repeated up to 2^tQ so that the t sets of projective coordinates, each representing the x and z coordinates of a respective one of 2^jQ, 0 ≤ j ≤ t, are obtained.
  • Each of the projective x coordinates is converted into a corresponding affine coordinate by dividing the x coordinate by the z coordinate.
  • the x coordinate of the respective values of 2^jQ can then be used where necessary in the representation of e′ to obtain the corresponding y coordinates by substitution in the equation representing the underlying curve.
  • the corresponding y value is obtained by inspection of the sign bits y′ included in the data string 22 which indicates the appropriate value.
  • the values for 2^jQ can be substituted in the binary representation of e and the resultant value of eQ obtained.
  • the representation of e will be a string of 1′s and 0′s, only those values having a coefficient of 1 need be combined to simplify the computation further.
  • the result may then be combined with the value of sP and compared with the retrieved value of R to obtain a verification.
  • the above procedure may be modified with an increase in bandwidth by forwarding in the certificate the x coordinate of Q and each of the y coordinates of 2jQ. Some of these will of course be redundant depending on the representation of e′. However, in this manner the computation of the y coordinates is avoided but the length of the message is increased. This may be acceptable, particularly where limited computing power is available at the recipient.
  • the message could be modified to include both the x and y coordinates for each value of 2jQ with the attendant redundancy. This has the effect of minimizing the computation of eQ but does increase the message length.
  • FIGS. 5 and 6 A further embodiment is shown in FIGS. 5 and 6 where combing is used to facilitate the computation of eQ. If e is a t bit binary number, it may be represented as a k-fold matrix having k columns and t/k rows. If the sum of each column is V_1, V_2, V_3, …, V_k, then
  • Each of the columns may have one of 2^(t/k) combinations of bits. Each combination will produce a particular value for V_j which has to be multiplied by the point Q to obtain the coordinates of the point 2^j V_j Q.
  • the certificate 24 is thus modified to include in an ordered, retrievable manner the coordinates of the 2^(t/k) possible points resulting from the combination of bits in the columns which have been pre-computed by the sender 12 .
  • the recipient 14 extracts the message m and point R to obtain a recovered value for e.
  • This bit string is arranged in a k-fold matrix of established configuration and the bit combination of the most significant column determined. The coordinates of the point resulting from this combination is obtained from the certificate 24 , and doubled.
  • the point corresponding to the bit combination in the next most significant column is retrieved and added to the result of the previous doubling. This is then doubled and the procedure repeated until e′Q is computed. In this way a reduced number of point additions is required, a maximum of 2k, and the bandwidth required to transmit the information is reduced.
  • the sign bit string y′ may be utilized to provide the sign bits of the y coordinates of the doubled points and added points to facilitate the computation.
  • the data string 22 includes additional information that may be utilized to facilitate the computation of the value eQ.
  • the integrity of the signature is not compromised as the information could be computed from the contents of the data string as part of the verification process.
  • the value of e with which the information is subsequently used is derived from the received data string so that tampering with the senders certificate would produce an incorrect verification.
  • the additional information is contained within the certifying authorities certificate and forms part of the signature component and so that it cannot be substituted by an attacker without detection.
  • each embodiment the verification of a signature is facilitated by forwarding information to the recipient in addition to that required for verification and which facilitates the verification computation.
  • one of those correspondents could be a certifying authority or trusted intermediary.
  • the CA receives a message from an originating correspondent, computes the supplementary information, assembles the data string and forwards the data string to the recipient. In this manner, the public key exchange between a pair of correspondents each having limited computing power may be facilitated.

Abstract

A public key encryption system exchanges information between a pair of correspondents. The recipient performs computations on the received data to recover the transmitted data or verify the identity of the sender. The data transferred includes supplementary information that relates to intermediate steps in the computations performed by the recipient.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application No. 13/557,968 filed on Jul. 25, 2012 (now U.S. Pat. No. 8,738,912), which is a continuation of U.S. patent application No. 13/079,116 filed on Apr. 4, 2011 (now U.S. Pat. No. 8,312,283), which is a continuation of U.S. patent application Ser. No. 12/216,926 filed on Jul. 11, 2008 (now U.S. Pat. No. 7,930,549), which is a continuation of U.S. patent application Ser. No. 10/172,509 filed on Jun. 17, 2002 (now U.S. Pat. No. 7,415,611), which is a continuation of U.S. patent application Ser. No. 08/953,637 filed on Oct. 17, 1997 (now U.S. Pat. No. 6,424,712), all of which are incorporated herein by reference.
  • FIELD OF THE INVENTION
  • The present invention relates to public key data communication systems.
  • BACKGROUND OF THE INVENTION
  • Public key data communication systems are used to transfer information between a pair of correspondents. At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender and the recipient may perform a complementary mathematical operation to decipher the information.
  • A typical example of such a system is a digital signature protocol. Digital signatures are used to confirm that a message has been sent by a particular party and that the contents have not been altered during transmission.
  • A widely used set of signature protocols utilizes the El Gamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key.
  • Various protocols exist for implementing such a scheme and some have been widely used. In each case however the recipient is required to perform a computation to verify the signature. Where the recipient has adequate computing power this does not present a particular problem but where the recipient has limited computing power, such as in a “Smart card” application, the computations may introduce delays in the verification process.
  • Public key schemes may be implemented using one of a number of multiplicative groups in which the discrete log problem appears intractable but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implementation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in Z_p^*, and therefore reduces the bandwidth required for communicating the signatures.
  • In a typical implementation a signature component s has the form:

  • s = ae + k (mod n)
  • where:
    P is a point on the curve which is a predefined parameter of the system;
    k is a random integer selected as a short term private or session key, and has a corresponding short term public key R = kP;
    a is the long term private key of the sender and has a corresponding public key Q = aP;
    e is a secure hash, such as the SHA hash function, of the message m and the short term public key R; and
    n is the order of the curve.
  • The sender sends to the recipient a message including m, s, and R, and the signature is verified by computing the value sP − eQ, which should correspond to R: since s = ae + k (mod n), sP = e(aP) + kP = eQ + R. If the computed values correspond then the signature is verified.
  • In order to perform the verification it is necessary to compute a number of point multiplications to obtain sP and eQ, each of which is computationally complex. Other protocols, such as the MQV protocols require similar computations when implemented over elliptic curves which may result in slow verification when the computing power is limited.
  • Typically, the underlying curve has the form y^2 + xy = x^3 + ax^2 + b (a non-supersingular curve over a field of characteristic 2, which is the form the doubling formula below assumes), and the addition of two points having coordinates (x1, y1) and (x2, y2) results in a point (x3, y3) where:
  • $$x_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)^2 + \frac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a, \qquad y_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1 \qquad (P \neq Q)$$
  • The doubling of a point, i.e. P to 2P, is performed by adding the point to itself so that
  • $$x_3 = x_1^2 + \frac{b}{x_1^2}, \qquad y_3 = x_1^2 + \left(x_1 + \frac{y_1}{x_1}\right) x_3 + x_3$$
  • It will be appreciated that successive doubling of the point Q produces values for 2Q, 2^2Q, 2^3Q, …, 2^jQ and that these values may be substituted in the binary representation of the hash value e and added using the above equations to provide the value eQ. At most this would require t doublings and t point additions for a t bit representation of e. Similarly the point P may be doubled successively and the values substituted in the representation of s to obtain sP. However, the generation of each of the doubled points requires the computation of both the x and y coordinates and the latter requires a further inversion. These steps are computationally complex and therefore require either significant time or computing power to perform. Substitution in the underlying curve to determine the value of y is not practical as two possible values for y will be obtained without knowing which is intended.
  • It is therefore an object of the present invention to provide a method and apparatus in which the above disadvantages are obviated or mitigated.
  • SUMMARY
  • There is provided a method for performing at least one public key operation at a computing device in a communication system, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising: obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and utilizing said supplementary information to perform said public key operation. There is also provided a method at a computing device in a communication system to facilitate at least one public key operation at a second computing device in said communication system, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising: obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and providing said supplementary information to said second computing device for use in performing said public key operation. Computer readable media and computing devices for performing the above methods are also provided.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings, in which
  • FIG. 1 is a schematic representation of a communication system;
  • FIG. 2 is a representation of the data transmitted over the communication system in a first embodiment;
  • FIG. 3 is a flow chart showing the steps in verifying a signature transmitted over the system of FIG. 1 using the data format of FIG. 2;
  • FIG. 4 is a flow chart showing the verification according to a second embodiment;
  • FIG. 5 is a representation of the data transmitted over the communication system in a third embodiment; and
  • FIG. 6 is a flow chart showing the steps of verifying the signature using the data format of FIG. 5.
  • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Referring therefore to FIG. 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12, and a recipient 14, who are connected by a communication channel 16. Each of the correspondents 12,14 includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. Each of the correspondents 12,14 also includes a computational unit 19,21 respectively to perform mathematical computations related to the encryption units 18,20. The computational power of the units 19,21 will vary according to the nature of the correspondents 12,14 but for the purpose of the present disclosure, it will be assumed that the unit 19 has greater power than that of unit 21, which may in fact be a Smart card or the like.
  • In accordance with a first embodiment, the sender 12 assembles a data string 22 shown schematically in FIG. 2. The data string 22 includes a certificate 24 from the certifying authority CA that includes an identifier I.D. of the sender; a time stamp T; the public key Q of the sender; a string of bits y′ representing supplementary information; the signature component sauth of the certifying authority; and the short term public key Rauth of the certifying authority. The data string 22 also includes a sender's certificate 26 that includes the message m, the sender's short term public key R and the signature component s of the sender. The string of bits y′ included in the certificate 24 is obtained from the computational unit 19. The unit 19 performs at least part of the mathematical operations required to verify the signature at the recipient 14 and extracts from the computations the supplementary information y′. When assembled, the data string 22 is sent over the channel 16 to the intended recipient 14.
  • For simplicity it will be assumed that the signature component s of the sender 12 is of the form s=ae+k (mod n) as discussed above, although it will be understood that other signature protocols may be used. To verify the signature, sP-eQ must be computed and compared with R.
  • The certifying authorities signature component sauth is of similar form with its message m composed of the identifier I.D., time T and the sign bits y′.
  • The first step in the verification by the recipient 14 is to retrieve the value of Q and the sign bits y′ from the certificate 24 using the certifying authorities public key. A hash value e′ is also computed from the message m and the coordinates of the point R in the senders certificate 26. The recipient 14 is then able to perform the verification by computing sP and e′Q.
  • However, as noted above, the computational unit 21 has limited computing power and the computation of sP and e′Q may be time-consuming.
  • One or more of a number of enhancements are therefore adopted to facilitate the verification. In a first embodiment, use is made of the fact that P is a long-term system parameter. Values corresponding to integral multiples of P may be stored at the recipient 14 in lookup tables indicated at 28 in FIG. 1. The integer corresponding to s is thus located in table 28 and the value sP retrieved to provide a first component of the verification.
  • The value of Q will vary from sender to sender and accordingly it is not practical to pre-compute the possible values of e′Q in a manner similar to sP. To facilitate the computation of e′Q, e′ is treated as a binary representation of an integer with each bit indicative of a coefficient of successive values of 2j. The computational unit 19 at sender 12 is used to double successively the point Q so that the coordinates of 2jQ are obtained. The most significant bit of the y coordinate indicates the “sign” of the y coordinate and a string of bits representing the signs of the y coordinates of the successively doubled points is incorporated as the supplementary information y′ in the certificate 24. To compute the value of e′Q at the recipient 14, the x coordinate of the point Q is successively doubled by applying the equation noted above so that the x coordinates of successive values of 2jQ are obtained. Where the binary representation of e′ indicates that a value of 2jQ is required (ie. where the coefficient is “1”), the corresponding value of the y coordinate is determined by substitution in the underlying curve. Two possible values of the y coordinate are obtained and the appropriate value is determined by reference to the sign bits y′ retrieved from the certificate 24. Accordingly, the computation of the y coordinate that requires an inversion is avoided.
  • Having obtained each pair of coordinates for the coefficients of $2^jQ$, they may be combined to provide the value for e′Q and combined with sP to obtain sP − e′Q. This is then compared with the recovered value of R for verification.
  • It will be appreciated that sP may be computed in a manner similar to e′Q with the inclusion of additional sign bits for the y coordinates of $2^jP$ in the certificate 24. It is, however, believed to be preferable to utilize the lookup tables 28 where practical.
  • Although the above procedure reduces the computational complexities, the computation of the x coordinate still requires an inversion. Inversion is relatively costly and to facilitate the computation, the process of FIG. 3 is modified as shown in FIG. 4. Upon receipt of the data string 22, the recipient 14 recovers the affine coordinates (x, y) of the point Q and converts them into projective coordinates (x, y, z) by replacing x with x/z and y with y/z.
  • The value of the x and z coordinates of the point 2Q can then be calculated using the relationship $2(x_1, y_1, z_1) = (x_2, y_2, z_2)$ where

  • $x_2 = x_1^4 + b\,z_1^4$ and

  • $z_2 = (x_1 z_1)^2$
  • “b” is the constant associated with the underlying curve and can be chosen suitably small, i.e. one word.
  • Once the x and z values for 2Q have been computed, they may be used in a similar manner to obtain the values of x and z for 4Q. This may be repeated up to $2^tQ$ so that the t sets of projective coordinates, each representing the x and z coordinates of a respective one of $2^jQ$, $0 \le j \le t$, are obtained.
  • Each of the projective x coordinates is converted into a corresponding affine coordinate by dividing the x coordinate by the z coordinate. The x coordinate of the respective values of $2^jQ$ can then be used where necessary in the representation of e′ to obtain the corresponding y coordinates by substitution in the equation representing the underlying curve. The correct y value is selected by inspection of the sign bits y′ included in the data string 22, which indicate the appropriate value.
  • With each of the coordinates obtained, the values for $2^jQ$ can be substituted in the binary representation of e and the resultant value of eQ obtained. As the representation of e will be a string of 1's and 0's, only those values having a coefficient of 1 need be combined, which simplifies the computation further. The result may then be combined with the value of sP and compared with the retrieved value of R to obtain a verification.
  • It will be seen, therefore, that a verification is obtained without requiring an inversion at each addition to obtain the successive x coordinates, which facilitates the verification process. The values of $2^jQ$ can be readily computed if the elliptic curve is implemented over the field $GF(2^m)$ in normal basis representation. In this case, the computation of $x_1^4$ and $z_1^4$ is obtained by two cyclic shifts of the representation of the respective coordinates. After multiplying by “b”, the result is XOR'd to obtain the value of the resultant x coordinate. Similarly, the value of the z coordinate can be obtained from a cyclic shift of the product of $x_1$ and $z_1$.
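The recipient-side procedure above, as an added example in Python (not the patent's or Certicom's code): the x coordinate of Q is doubled with the inversion-free relation $x_2 = x_1^4 + b\,z_1^4$, $z_2 = (x_1 z_1)^2$, and for each $2^jQ$ the y coordinate is chosen between the two roots of the curve equation using the sender's sign-bit string y′. Assumptions: the field GF(2^5) in polynomial (not normal) basis, the constant b and the point Q are all constructed; and the sign bit is taken as the bit of y at the position of x's leading 1 rather than the most significant bit of y, because the two roots of $y^2 + xy = c$ differ by exactly x and so are guaranteed to differ at that position.

```python
M, POLY = 5, 0b100101      # GF(2^5) with reduction polynomial x^5 + x^2 + 1 (constructed toy field)
B = 3                      # curve y^2 + xy = x^3 + a x^2 + b with a small one-word b (constructed)

def gf_mul(p, q):
    """Multiply two GF(2^M) elements (bit-polynomials) modulo POLY."""
    r = 0
    while q:
        if q & 1:
            r ^= p
        q >>= 1
        p <<= 1
        if p >> M:
            p ^= POLY
    return r

def gf_inv(p):
    """Inverse as p^(2^M - 2): the costly step the projective doubling avoids."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r

def y_candidates(a, x):
    """Both roots y of y^2 + xy = x^3 + a x^2 + b; they differ by exactly x (brute force, tiny field)."""
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(a, gf_mul(x, x)) ^ B
    return [y for y in range(1 << M) if gf_mul(y, y) ^ gf_mul(x, y) == rhs]

def sign_bit(x, y):
    """Assumption: the bit of y at the position of x's leading 1, where the two roots always differ
    (the patent text uses the MSB of y, which only separates the roots when the MSB of x is set)."""
    return (y >> (x.bit_length() - 1)) & 1

def affine_double(a, x1, y1):
    """Sender-side reference doubling, which needs an inversion: lam = x1 + y1/x1."""
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_mul(lam, lam) ^ lam ^ a
    return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)

def projective_double_x(x1, z1):
    """Inversion-free x-only doubling: x2 = x1^4 + b z1^4, z2 = (x1 z1)^2."""
    x1sq, z1sq, xz = gf_mul(x1, x1), gf_mul(z1, z1), gf_mul(x1, z1)
    return gf_mul(x1sq, x1sq) ^ gf_mul(B, gf_mul(z1sq, z1sq)), gf_mul(xz, xz)

def sender_side(t):
    """Choose (a, Q) whose t successive doublings never reach a point with x = 0 (and so never
    infinity); return a, the affine chain Q, 2Q, ..., 2^t Q and the sign-bit string y'."""
    for a in (0, 1):                      # a = 0 and a = 1 are quadratic twists over GF(2^5)
        for x in range(1, 1 << M):
            ys = y_candidates(a, x)
            if not ys:
                continue
            chain = [(x, ys[0])]
            while len(chain) <= t and chain[-1][0] != 0:
                chain.append(affine_double(a, *chain[-1]))
            if len(chain) == t + 1 and chain[-1][0] != 0:
                return a, chain, [sign_bit(px, py) for px, py in chain]
    raise RuntimeError("no suitable point found")

def recipient_side(a, xq, signs):
    """Recover (x, y) of 2^j Q for j = 0..t from x(Q) alone: x is doubled projectively and y is
    picked between the two curve roots by the transmitted sign bit."""
    pts, x, z = [], xq, 1
    for s in signs:
        xa = gf_mul(x, gf_inv(z))         # affine x, computed only when this 2^j Q is needed
        y = next(c for c in y_candidates(a, xa) if sign_bit(xa, c) == s)
        pts.append((xa, y))
        x, z = projective_double_x(x, z)
    return pts

def check_chain(t=4):
    # True when the inversion-free recipient recovers exactly the sender's chain.
    a, chain, signs = sender_side(t)
    return recipient_side(a, chain[0][0], signs) == chain
```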
  • The above procedure may be modified with an increase in bandwidth by forwarding in the certificate the x coordinate of Q and each of the y coordinates of $2^jQ$. Some of these will of course be redundant depending on the representation of e′. However, in this manner the computation of the y coordinates is avoided but the length of the message is increased. This may be acceptable, particularly where limited computing power is available at the recipient.
  • As a further variant, the message could be modified to include both the x and y coordinates for each value of $2^jQ$ with the attendant redundancy. This has the effect of minimizing the computation of eQ but does increase the message length.
  • A further embodiment is shown in FIGS. 5 and 6 where combing is used to facilitate the computation of eQ. If e is a t bit binary number, it may be represented as a k-fold matrix having k columns and t/k rows. If the sum of each column is $V_1, V_2, V_3, \ldots, V_k$, then

  • $e = V_1 + 2V_2 + 2^2 V_3 + \cdots + 2^{k-2} V_{k-1} + 2^{k-1} V_k$, and

  • $eQ = V_1 Q + 2V_2 Q + 2^2 V_3 Q + \cdots + 2^{k-2} V_{k-1} Q + 2^{k-1} V_k Q$
  • Each of the columns may have one of $2^{t/k}$ combinations of bits. Each combination will produce a particular value $\Sigma_1, \Sigma_2, \Sigma_3$ etc. for V which has to be multiplied by the point Q to obtain the coordinates of the point $2^j V_j Q$. The certificate 24 is thus modified to include in an ordered, retrievable manner the coordinates of the $2^{t/k}$ possible points resulting from the combinations of bits in the columns, which have been pre-computed by the sender 12. Upon receipt, the recipient 14 extracts the message m and point R to obtain a recovered value for e. This bit string is arranged in a k-fold matrix of established configuration and the bit combination of the most significant column determined. The coordinates of the point resulting from this combination are obtained from the certificate 24 and doubled. The point corresponding to the bit combination in the next most significant column is retrieved and added to the result of the previous doubling. This is then doubled and the procedure repeated until e′Q is computed. In this way a reduced number of point additions is required, a maximum of 2k, and the bandwidth required to transmit the information is reduced. The sign bit string y′ may be utilized to provide the sign bits of the y coordinates of the doubled points and added points to facilitate the computation.
  • In each of the above cases, the data string 22 includes additional information that may be utilized to facilitate the computation of the value eQ. In each case, however, the integrity of the signature is not compromised, as the information could be computed from the contents of the data string as part of the verification process. The value of e with which the information is subsequently used is derived from the received data string, so that tampering with the sender's certificate would produce an incorrect verification. The additional information is contained within the certifying authority's certificate and forms part of the signature component, so that it cannot be substituted by an attacker without detection.
  • It will be seen therefore that in each embodiment the verification of a signature is facilitated by forwarding information to the recipient in addition to that required for verification and which facilitates the verification computation. It will be appreciated that while the embodiments describe the operation between a pair of correspondents, one of those correspondents could be a certifying authority or trusted intermediary. The CA receives a message from an originating correspondent, computes the supplementary information, assembles the data string and forwards the data string to the recipient. In this manner, the public key exchange between a pair of correspondents each having limited computing power may be facilitated.
  • The above embodiments have been described in the context of a signature verification protocol. However, the techniques may be utilized in other public key operations such as key agreement or key transport protocols. Examples of these protocols are the MQV protocols or the protocols set out in the IEEE P1363 draft standard. In such protocols, it is typically necessary to generate a scalar multiple of a point on the curve, i.e. kP where k is an integer and P is a point on the curve. Accordingly, the information transferred between correspondents may be modified to include supplementary information to facilitate the computations involved in such protocols.

Claims (20)

1. A method for performing at least one public key operation at a computing device in a communication system, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising:
obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and
utilizing said supplementary information to perform said public key operation.
2. The method of claim 1, wherein the supplementary information pertains to at least one coordinate of one or more points on the elliptic curve obtainable by successively doubling said point.
3. The method of claim 1, wherein said point is a system parameter of said communication system.
4. The method of claim 1, wherein said point is a public key of a second computing device in said communication system.
5. The method of claim 1, wherein the supplementary information comprises at least one of a pair of coordinates for a plurality of multiples of said point.
6. The method of claim 1, wherein said information is additionally utilized to perform the public key operation.
7. The method of claim 1, wherein said public key operation comprises verifying a signature, and said method further comprises receiving said signature.
8. The method of claim 1, wherein said public key operation comprises deriving a secret key using a key agreement protocol.
9. The method of claim 1, wherein said computing device obtains said supplementary information by receiving a certificate comprising said supplementary information.
10. The method of claim 1, wherein said computing device obtains said supplementary information from a second computing device in said communication system.
11. The method of claim 1, wherein said supplementary information is used to facilitate at least one intermediate operation in said public key operation.
12. The method of claim 1, wherein the supplementary information comprises an indication as to which of a pair of possible values resulting from an intermediate operation in said public key operation is an intended value.
13. The method of claim 11, wherein said at least one intermediate operation comprises utilizing said supplementary information to determine at least one affine coordinate of said multiple of said point.
14. The method of claim 2, wherein the supplementary information comprises at least one coordinate of each of said one or more points obtainable by successively doubling said point, and said public key operation utilizes a portion of said supplementary information.
15. The method of claim 1, wherein said supplementary information is obtained from a table stored at said computing device.
16. The method of claim 13, wherein said supplementary information is utilized to determine said affine coordinate from two possible values, said possible values obtained by processing projective coordinates of said multiple of said point.
17. The method of claim 1, wherein said obtaining comprises obtaining a signed copy of said supplementary information.
18. A non-transitory computer-readable medium comprising instructions that are operable when executed by one or more processors to execute operations for performing at least one public key operation, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the operations comprising:
obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and
utilizing said supplementary information to perform said public key operation.
19. A computing device operable to perform at least one public key operation, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the computing device comprising:
one or more processors configured to:
obtain supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and
utilize said supplementary information to perform said public key operation.
20. A method at a computing device in a communication system to facilitate at least one public key operation at a second computing device in said communication system, said public key operation operable using information pertaining to at least one coordinate of a point on an elliptic curve defined over a finite field, the method comprising:
obtaining supplementary information pertaining to at least one coordinate of a multiple of said point, said multiple defined by scalar multiplication on said elliptic curve; and
providing said supplementary information to said second computing device for use in performing said public key operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/288,148 US20140281538A1 (en) 1997-10-17 2014-05-27 Accelerated signature verification on an elliptic curve

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US08/953,637 US6424712B2 (en) 1997-10-17 1997-10-17 Accelerated signature verification on an elliptic curve
US10/172,509 US7415611B2 (en) 1997-10-17 2002-06-17 Accelerated signature verification on a elliptic curve
US12/216,926 US7930549B2 (en) 1997-10-17 2008-07-11 Accelerated signature verification on an elliptic curve
US13/079,116 US8312283B2 (en) 1997-10-17 2011-04-04 Accelerated signature verification on an elliptic curve
US13/557,968 US8738912B2 (en) 1997-10-17 2012-07-25 Accelerated signature verification on an elliptic curve
US14/288,148 US20140281538A1 (en) 1997-10-17 2014-05-27 Accelerated signature verification on an elliptic curve

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13/557,968 Continuation US8738912B2 (en) 1997-10-17 2012-07-25 Accelerated signature verification on an elliptic curve

Publications (1)

Publication Number Publication Date
US20140281538A1 true US20140281538A1 (en) 2014-09-18

Family

ID=25494301

Family Applications (6)

Application Number Title Priority Date Filing Date
US08/953,637 Expired - Lifetime US6424712B2 (en) 1997-10-17 1997-10-17 Accelerated signature verification on an elliptic curve
US10/172,509 Expired - Fee Related US7415611B2 (en) 1997-10-17 2002-06-17 Accelerated signature verification on a elliptic curve
US12/216,926 Expired - Fee Related US7930549B2 (en) 1997-10-17 2008-07-11 Accelerated signature verification on an elliptic curve
US13/079,116 Expired - Fee Related US8312283B2 (en) 1997-10-17 2011-04-04 Accelerated signature verification on an elliptic curve
US13/557,968 Expired - Fee Related US8738912B2 (en) 1997-10-17 2012-07-25 Accelerated signature verification on an elliptic curve
US14/288,148 Abandoned US20140281538A1 (en) 1997-10-17 2014-05-27 Accelerated signature verification on an elliptic curve

Country Status (6)

Country Link
US (6) US6424712B2 (en)
EP (1) EP1025673B1 (en)
JP (1) JP4453996B2 (en)
AU (1) AU9525698A (en)
DE (1) DE69838258T2 (en)
WO (1) WO1999021320A1 (en)

Also Published As

Publication number Publication date
US8312283B2 (en) 2012-11-13
DE69838258T2 (en) 2008-05-08
US20010046291A1 (en) 2001-11-29
US6424712B2 (en) 2002-07-23
US7930549B2 (en) 2011-04-19
US20120290836A1 (en) 2012-11-15
JP4453996B2 (en) 2010-04-21
WO1999021320A1 (en) 1999-04-29
US8738912B2 (en) 2014-05-27
US7415611B2 (en) 2008-08-19
US20110231664A1 (en) 2011-09-22
DE69838258D1 (en) 2007-09-27
US20090077384A1 (en) 2009-03-19
US20030041247A1 (en) 2003-02-27
EP1025673A1 (en) 2000-08-09
AU9525698A (en) 1999-05-10
JP2001521196A (en) 2001-11-06
EP1025673B1 (en) 2007-08-15

Legal Events

Date Code Title Description
AS Assignment

Owner name: CERTICOM CORP., CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VANSTONE, SCOTT A.;JOHNSON, DONALD B.;REEL/FRAME:033056/0665

Effective date: 19970929

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION