USRE42517E1 - Authenticating or signature method with reduced computations - Google Patents

Authenticating or signature method with reduced computations Download PDF

Info

Publication number
USRE42517E1
USRE42517E1 US12/393,959 US39395900A USRE42517E US RE42517 E1 USRE42517 E1 US RE42517E1 US 39395900 A US39395900 A US 39395900A US RE42517 E USRE42517 E US RE42517E
Authority
US
United States
Prior art keywords
modulo
parameter
prover
mod
opening
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
US12/393,959
Inventor
Marc Girault
Jean-Claude Pailles
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Callahan Cellular LLC
Original Assignee
Phentam Dire LLC NV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Phentam Dire LLC NV filed Critical Phentam Dire LLC NV
Assigned to PHENTAM DIRE NV, LLC reassignment PHENTAM DIRE NV, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: FRANCE TELECOM SA
Application granted granted Critical
Publication of USRE42517E1 publication Critical patent/USRE42517E1/en
Assigned to CALLAHAN CELLULAR L.L.C. reassignment CALLAHAN CELLULAR L.L.C. MERGER (SEE DOCUMENT FOR DETAILS). Assignors: PHENTAM DIRE NV, LLC
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs

Definitions

  • the present invention relates to an authentication or signature process with a reduced calculations set.
  • the invention relates to the public key cryptography domain.
  • the entity to be authenticated the prover—possesses a secret key and an associated public key.
  • the authenticating entity the verifier—only needs this public key to achieve the authentication.
  • the process relates to the set of processes called “zero-knowledge Protocols”, i.e. without any communication of knowledge.
  • the authentication is carried out following a protocol that, as it is recognized, and under assumptions considers as perfectly reasonable by the scientific community, discloses nothing about the secret key of the prover.
  • the invention relates to zero-knowledge processes based on factoring problems (i.e. on the difficulty to factor large integers into a product of prime numbers).
  • the invention is applicable in every system where it is necessary to authenticate parties or messages, or to sign messages, in particular in systems where the amount of calculations to be carried out by the prover is critical. This is especially the case for cards that use a standard microprocessor or low cost cards, with no arithmetic coprocessor (which are often called cryptoprocessor) where cryptographic calculations must be accelerated.
  • a typical application of the invention is the electronic purse that requires a very high security level while discarding the use of a cryptoprocessor, either because of the cost or for technical reasons (for example the use of a contactless interface), or both.
  • next generation tele-card whose cost constraints are by far stricter than those of the electronic purse.
  • c a pseudo-random function
  • h a pseudo-random function
  • x x
  • M the symbol
  • Some protocols may involve several openings.
  • B sends to A a parameter e selected at random (the “question”). It is the second step.
  • A sends to B an “answer” y that is in coherence with the question e, the opening c and the secret key of A (third step).
  • n is a compound number that is hard to factor. This number is said to be of the universal type, generated by a trustworthy third party. It is stored and used by all authorised entities.
  • the “universal” character of n implies that it is a large number (usually 1024 bits), as breaking the factoring of n should compromise the secret keys of all accredited users.
  • modulus n being an individual parameter (in other words each user owns his own n value), this selection may be exploited in the following two ways (which may be advantageously combined):
  • n lower than the currently used values typically lower than 1000 bits and for example, ranging between 700 and 800 bits
  • breaking the factoring of n only compromises the secret key of the related user and in no way the secret keys of other users; this modification alone reduces the duration of calculations carried out modulo n by 40%
  • the user may use the Chinese remainders technique to further reduce the duration of modulo n calculations by 40%, when there are two prime factors; this reduction may be increased when using several prime factors (typically 3 or 4).
  • the modulo n calculations can then be reduced by 60%, that is a factor 2, at least.
  • the aforementioned entities may be, for example, micro-circuit cards, electronic purses, telecards, and so on . . .
  • the zero-knowledge information exchanges and the cryptographic calculations are as follows:
  • the size of the number n, expressed in number of bits, is less than 1000. For example, it may be between 700 and 800.
  • the present invention also relates to a message signature process to be used by an entity called a “signatory”, this entity being provided with a public key v and a secret key s , which are related by a modulo n operation, where n is an integer called modulus and t is a parameter, a process in which the signatory calculates an opening c that is notably a function of the message to be signed and a number y that is a function of the secret key, transmits the numbers y and c that are the signature and the message, the process being characterised in that the modulus n is specific to the signatory.
  • the signatory selects an integer r at random between 1 and n ⁇ 1, calculates a parameter x equal to r t (mod n), calculates a number c that is a function of the parameter x and of the message to be signed, calculates a number y using the secret key s , as a function of numbers r and e , then transmits the numbers c and y as signature.
  • the universal parameters of the GUILLOU-QUISQUATER protocol are the modulus n , products of prime numbers, comprising at least 1024 bits, and an integer value t .
  • the retained security level is u (lower than or equal to t , commonly equal to t )
  • t is the only universal parameter.
  • the public key is (n,v), where n has at least 768 bits.
  • the secret key may include prime factors from n to take advantage of the second aspect of the invention.
  • the parameter t may be included in the public key (in this case, there is no longer any universal parameter).
  • the authentication of Alice by Bob is performed as described above, but with faster calculations, which results from a smaller modulus n.
  • the gain factor resulting from only one modular multiplication affects the complete set of calculations completed by Alice when carrying out the protocol. This should be the same, for example, with Fiat-Shamir or Girault protocols (in the latter case, no gain should be expected in step 3, as there is no modular computation, but the execution time of this step is negligible with respect to the modular exponentiation of the first one).
  • the invention may also be implemented by the Chinese remainders technique, which consists of calculating the values modulo n of the prime factors of n. As these numbers are inevitably smaller, these operations are quickly done. The result modulo n is still to be obtained through a “reconstitution” operation.
  • This technique is described in the article of J. J QUISQUATER and C. COUVREUR entitled (Fast Decipherment algorithm for RSA public-key crypto-system” published in “Electronic Letters”, vol. 18, October 1982, pp. 905-907.
  • the method of Chinese remainders leads to an acceleration of calculations by a factor ranging from 3 to 4 in the first case, and from 1.5 to 2 in the second case, when the number of prime factors (assumed to be of similar sizes) is larger than 2 and equal to k; the acceleration factor is nearing k 2 in the first case and close to k in the second case.

Abstract

Authentication and signature process with reduced number of calculations.
The process involves a first entity called the “prover”, which possesses a public key v and a secret key s, these keys verify the relation v=s−t (mod n), where n is an integer called modulus and t is a parameter, and a second entity called a “verifier”, which knows the public key v. This process implies exchange of information following a “zero-knowledge protocol” between the verifier and the prover and cryptographic calculations on this information, some calculations being carried out “modulo n”. The process of the invention is characterised by the fact that the modulus n is specific to the prover that communicates this modulus to the verifier.

Description

TECHNICAL DOMAIN
The present invention relates to an authentication or signature process with a reduced calculations set.
More precisely, the invention relates to the public key cryptography domain. Following this process, the entity to be authenticated—the prover—possesses a secret key and an associated public key. The authenticating entity—the verifier—only needs this public key to achieve the authentication.
Even more precisely, the process relates to the set of processes called “zero-knowledge Protocols”, i.e. without any communication of knowledge. According to this kind of process, the authentication is carried out following a protocol that, as it is recognized, and under assumptions considers as perfectly reasonable by the scientific community, discloses nothing about the secret key of the prover.
To be even more precise, the invention relates to zero-knowledge processes based on factoring problems (i.e. on the difficulty to factor large integers into a product of prime numbers).
The invention is applicable in every system where it is necessary to authenticate parties or messages, or to sign messages, in particular in systems where the amount of calculations to be carried out by the prover is critical. This is especially the case for cards that use a standard microprocessor or low cost cards, with no arithmetic coprocessor (which are often called cryptoprocessor) where cryptographic calculations must be accelerated.
A typical application of the invention is the electronic purse that requires a very high security level while discarding the use of a cryptoprocessor, either because of the cost or for technical reasons (for example the use of a contactless interface), or both.
Another possible application is the next generation tele-card, whose cost constraints are by far stricter than those of the electronic purse.
PRIOR ART
A number of zero-knowledge identification processes have been published. For example:
    • The FIAT-SHAMIR protocol described in the article by A. FIAT and A. SHAMIR entitled “how to prove yourself: Practical solutions to identification and signature problems”, published in “Advances in Cryptology: Proceedings of CRYPTO'86, Lecture Notes in Computer Science”, vol. 263, Springer-Verlag, Berlin, 1987, pp. 186-194,
    • The GUILLOU-QUISQUATER protocol, described in the article by L. C. GUILLOU and J. J. QUISQUATER, entitled “A practical zero-knowledge protocol fitted to security microprocessors minimizing both transmission and memory,” published in “Advances in Cryptology: Proceedings of EUROCRYPT '88; Lecture notes in Computer Sciences, vol. 330, Springer-Verlag, Berlin, 1988, pp. 123-128,
    • The GIRAULT protocol described in the French patent application FR-A-2 176 058, based on the discrete logarithm problem.
Generally speaking, most zero-knowledge identification (or message authentication) protocols involve three steps. For the sake of simplicity, we shall assume that the verifier B already knows all the public parameters related to the prover A, i.e. its identity, its public key and so on.
As a first transaction, A supplies B with a value “c” called “opening”, image through a pseudo-random function h of a parameter x (itself derived from a number r selected by A at random), as well as with the message to be authenticated or signed: c=h(x,[M]), where the symbol [M] means that M is optional. This is the first step. Some protocols may involve several openings.
During a second transaction, B sends to A a parameter e selected at random (the “question”). It is the second step.
During a third transaction, A sends to B an “answer” y that is in coherence with the question e, the opening c and the secret key of A (third step).
Then B checks the received answer. More precisely, B recalculates x from the elements y, e and v using the relation x=φ(y,e,v) and verifies that c=h(φ(v,e,y),[M]), which is the fourth step.
When there is no message to authenticate, the use of the pseudo-random function h is optional. In this case, c=x is convenient. The verification consists of checking that x=φ(y,e,v).
In some protocols, there are one or two more transaction(s) between the verifier and the prover.
For a message signature, the two first steps are discarded, as the parameter e is made equal to c; A then successively and only calculates c, e(=c) and y.
The number u of questions to be answered depends directly on the desired protocol security level. This level is defined as the probability p of detecting an impostor. (i.e. an entity C that fraudulently mimics A). It is measured by a parameter k whose value is related to p by the relation p=1−2−k. In other words, the impostor only has 1 chance in 2 k of succeeding. It can be demonstrated in the present case that if a protocol relies on a difficult mathematical calculation, and if the openings are of adequate length, the length of u must simply equal k bits. A typical value of k is 32, which gives the impostor one chance in 4 billion to be successful. In applications where the failure of an identification may have very harmful consequences (e.g. legal proceedings), this length may be reduced to a few bits.
For protocols using factoring, the calculation of x in terms of r, or the calculation of y in terms of e, or both, involve(s) operations modulo n, where n is a compound number that is hard to factor. This number is said to be of the universal type, generated by a trustworthy third party. It is stored and used by all authorised entities. The “universal” character of n implies that it is a large number (usually 1024 bits), as breaking the factoring of n should compromise the secret keys of all accredited users.
In their basic versions, none of the above mentioned protocols can be implemented in an application that has to comply with severe specifications (low cost, low sophistication), as described in the previous section, as the required calculations could not be performed by a microprocessor card without a cryptoprocessor.
Though the French patent application FR-A-2 752 122 describes an optimization of these protocols, it is restricted to protocols involving the discrete logarithm method following a mode called “with pre-calculations” that has the drawback of implying regularly scheduled reloads.
The document from J. BRANDT et al. entitled “zero-knowledge Authentication scheme with Secret Key Exchange” published in Advances in Cryptology, Crypto 88 Proceedings, XP 000090662, pp. 583-588, describes a zero-knowledge authentication scheme with exchange of secret keys between two users, a scheme wherein the prover calculates its own modulus n=pq and carries out an operation of the type md (mod n).
The present invention aims to reduce the number of calculations to be carried out by the prover when using zero-knowledge identification (or message signature or authentication) protocols involving factoring, the gain being liable to reach a factor 2 or 3 when using a particular operation v=s−t (mod n).
It also makes possible—and in particular when coupled with the GUILLOU-QUISQUATER protocol—the fast completion of an identification (or message authentication or signature) with public key included in a low cost standard microcircuit card, for applications such as the electronic purse or next generation telecard.
DESCRIPTION OF THE INVENTION
The modulus n being an individual parameter (in other words each user owns his own n value), this selection may be exploited in the following two ways (which may be advantageously combined):
1) first by retaining a length of n lower than the currently used values (typically lower than 1000 bits and for example, ranging between 700 and 800 bits); this is possible as breaking the factoring of n only compromises the secret key of the related user and in no way the secret keys of other users; this modification alone reduces the duration of calculations carried out modulo n by 40%;
2) If the user has stored the prime factors of n in the memory of his security device, he may use the Chinese remainders technique to further reduce the duration of modulo n calculations by 40%, when there are two prime factors; this reduction may be increased when using several prime factors (typically 3 or 4).
On the whole, the modulo n calculations can then be reduced by 60%, that is a factor 2, at least.
Precisely, the invention relates to a process of identification involving a first entity called a “prover”, owning a public key v and a secret key s, these keys being related by a modulo n calculation, where n is an integer called modulus, specific to the prover, and a second entity called a “verifier”, which knows the public key v, these entities being provided with means to exchange information in a zero-knowledge context and to carry out cryptographic calculations on this information, some calculations being performed in the modulo n mode, the process being characterised by the fact that the modulus of the modulo n operation expressed as v=s−t (mod n), t being a parameter.
The aforementioned entities may be, for example, micro-circuit cards, electronic purses, telecards, and so on . . .
Following a preferred implementation, the zero-knowledge information exchanges and the cryptographic calculations are as follows:
    • the prover selects one (several) integer(s) r at random ranging between 1 and n−1 and calculates one (several) parameter(s) x equal to rt (mod n), then one (several) number(s) c called opening(s) that is (are) one (several) function(s) of this (these) parameter(s) and possibly of a message (M), and sends this (these) opening(s) to the verifier;
    • the verifier entity receives the opening(s) c, selects one number e at random called “question” and sends this question to the prover;
    • the prover receives the question e, carries out one (several) calculation(s) using this question e and the secret key s, the result of this (these) calculation(s) yielding one (several) answer(s) y, and sends this (these) answer(s) to the verifier.
    • The verifier receives the answer(s) y, carries out one calculation using the public key v and the modulus n, and checks with a modulo n calculation that the result is coherent with the received opening(s).
The size of the number n, expressed in number of bits, is less than 1000. For example, it may be between 700 and 800.
The present invention also relates to a message signature process to be used by an entity called a “signatory”, this entity being provided with a public key v and a secret key s, which are related by a modulo n operation, where n is an integer called modulus and t is a parameter, a process in which the signatory calculates an opening c that is notably a function of the message to be signed and a number y that is a function of the secret key, transmits the numbers y and c that are the signature and the message, the process being characterised in that the modulus n is specific to the signatory.
Following a preferred implementation, the signatory selects an integer r at random between 1 and n−1, calculates a parameter x equal to rt (mod n), calculates a number c that is a function of the parameter x and of the message to be signed, calculates a number y using the secret key s, as a function of numbers r and e, then transmits the numbers c and y as signature.
DETAILED DESCRIPTION OF PARTICULAR IMPLEMENTATIONS FOR THE INVENTION
In the following description, the invention is assumed to be combined with the protocol GUILLOU-QUISQUATER, as an example. It is clear that the invention is not restricted to this protocol.
Note that the universal parameters of the GUILLOU-QUISQUATER protocol are the modulus n, products of prime numbers, comprising at least 1024 bits, and an integer value t.
The public key v and the secret key s verify the relation v=s−t (mod n).
The retained security level is u (lower than or equal to t, commonly equal to t)
The authentication of A by B, which are named Alice and Bob, following the usual terminology, is completed as follows:
1. Alice selects r within the range [1,n−1], calculates x=rt (mod n) then c=h(x,[M]) and sends c to Bob.
2. Bob selects e within the range [1,u−1] and sends e to Alice.
3. Alice calculates y=rse (mod n) and sends y to Bob.
4. Bob calculates x=ytve (mod n) and verifies that c=h(x, [M])
When no message is to be authenticated, it is optional to involve the pseudo random function h: c=x can be used. The verification then consists of checking that x=ytve (mod n).
In the protocol modified in accordance with the invention, t is the only universal parameter.
The public key is (n,v), where n has at least 768 bits. The public key v and the secret key of Alice satisfy the relation v=s−t (mod n).
The secret key may include prime factors from n to take advantage of the second aspect of the invention.
The parameter t may be included in the public key (in this case, there is no longer any universal parameter).
The security level retained by Alice and Bob is u (lower than or equal to t; usually u=t).
The authentication of Alice by Bob is performed as described above, but with faster calculations, which results from a smaller modulus n.
As all Alice's calculations are carried out modulo n, the gain factor resulting from only one modular multiplication affects the complete set of calculations completed by Alice when carrying out the protocol. This should be the same, for example, with Fiat-Shamir or Girault protocols (in the latter case, no gain should be expected in step 3, as there is no modular computation, but the execution time of this step is negligible with respect to the modular exponentiation of the first one).
The invention may also be implemented by the Chinese remainders technique, which consists of calculating the values modulo n of the prime factors of n. As these numbers are inevitably smaller, these operations are quickly done. The result modulo n is still to be obtained through a “reconstitution” operation. This technique is described in the article of J. J QUISQUATER and C. COUVREUR entitled (Fast Decipherment algorithm for RSA public-key crypto-system” published in “Electronic Letters”, vol. 18, October 1982, pp. 905-907.
Let's consider the case when n is the product of two prime factors p and q.
From the Bezout theorem, it is known that two integers exists, such as ap+bq=1
To calculate y=xe (mod n), we start by reducing x modulo each prime factor by calculating xp=x (mod p) and xq=x (mod q). We also reduce e modulo (p−1) and (q−1) by calculating ep=e modulo (p−1) and eq=e (modulo q−1) (in the protocol of Quillou-Quisquater, e is always lower than e−1 and q−1, then ep=eq=e.
We then calculate yp=xp e p (mod p) and yq=xq e q (mod q). When p and q are of similar size, each of these calculations is about 8 times faster than the calculation y=xe (mod n) when e and n are of similar size (first case); 4 times faster when the size of e is lower than or equal to the size of p (second case as, for example, in the algorithm). The set of two calculations is then either 4 times faster or 2 times faster.
y is still to be reconstructed from yp and yq, which is carried out using the relation:
xy=yp+ap(yq−yp)(mod n)
On the whole, the method of Chinese remainders leads to an acceleration of calculations by a factor ranging from 3 to 4 in the first case, and from 1.5 to 2 in the second case, when the number of prime factors (assumed to be of similar sizes) is larger than 2 and equal to k; the acceleration factor is nearing k2 in the first case and close to k in the second case.

Claims (12)

1. An authentication process involving a first device, which possesses a public key v and a secret key s, the public and secret keys being related by an operation modulo n, where n is an integer, the modulus n being specific to the first device, and a second device, which knows the public key v, the first and second entities devices being provided with means to exchange zero-knowledge information and to carry out cryptographic calculations on the zero-knowledge information, calculations being carried out modulo n wherein in the process the modulo n operation is of v=s−t (mod n), t being a parameter and in that the modulo n calculations are performed according to the “Chinese remainders” method and in that the modulus n is the product of two primes of similar size.
2. A process according to claim 1, wherein the information exchanges are of zero-knowledge and wherein the cryptographic calculations are completed as follows:
the first device selects are at least one integer r at random ranging between 1 and n−1 and calculates at least one parameter x equal to rt (mod n), then at least one number c that is at least one function of the at least one of a parameter and a message and sends the at least one number c to the second device;
the second device receives the at least number c, selects at least one number e at random, and sends the at least one number e to the first device;
the first device receives the at least one number e, carries out at least one calculation using the at least one number e and the secret key s, the result of the at least one calculation yielding at least one answer y, and sends the at least one answer y to the second device;
the second device receives the at least one answer y, carries out one calculation using the public key v and the modulus n, and checks with a modulo n operation that the result of the one calculation is coherent with the received at least one number c.
3. A process according to claim 2, wherein a size of the number n, expressed in number of bits, is less than 1,000.
4. A process according to claim 3, wherein a size of the number n is between 700 and 800.
5. A message signature process configured for a device provided with a public key v and a secret key s, the public and private keys being related by a modulo n calculation, where n is an integer, which is specific to the device, the process utilizing means configured to calculate at least one number c that is a function of a message M to be signed, configured to calculate at least one number y that is a function of the secret key s, and configured to transmit the numbers y and c that are the signature of the message and the message M, wherein the modulo n operation is v=s−t (mod n), t being a parameter wherein the modulo n calculations are performed according to the “Chinese remainders” method and in that the modulus n is the product of two primes of similar size.
6. A message signature process according to claim 5, wherein the device selects an integer r at random between 1 and n−1, calculates a parameter x equal to rt (mod n), calculates at least one number e that is a function of parameter x and the message M to be signed, calculates the at least one number y using its secret key s, said at least one number y being a function of numbers r and e, and transmits the numbers c and y as the signature.
7. A method of authentication, the method comprising:
generating and sending an opening c by a prover device, wherein generating an opening c comprises:
calculating modulo n, wherein n is an integer specific to the prover device, and is a product of prime numbers;
selecting randomly a number r between 1 and n−1;
calculating a parameter x equal to rt (mod n), where t is a parameter; and
calculating the opening c based at least in part on the parameter x;
receiving a question e by the prover device, in response to the sending of the opening c;
generating and sending a result y by the prover device to enable the prover device to be authenticated based on the result y and a public key v associated with a secret key s possessed by the prover device, wherein generating a result y is based at least in part on the question e and the secret key s, and comprises calculating modulo n;
wherein calculating modulo n comprises using a “Chinese remainders” method.
8. A prover device for an authentication process, the prover device comprising:
a storage device configured to store a secret key s possessed by the prover device; and
a processor coupled to the storage device, and configured to generate an opening c, and cause the prover device to send the opening c, wherein generation of an opening c comprises:
calculation of modulo n, wherein n is an integer specific to the prover device, and is a product of prime numbers;
random selection of a number r between 1 and n−1;
calculation of a parameter x equal to rt (mod n), where t is a parameter; and
calculation of the opening c based at least in part on the parameter x;
control the prover device in receiving a question e, in response to the sending of the opening c;
generate and cause the prover device to send a result y to enable the prover device to be authenticated based on the result y and a public key v associated with the secret key s, wherein generation of a result y is based at least in part on the question e and the secret key s, and comprises calculation of modulo n;
wherein calculation of modulo n comprises using a “Chinese remainders” method, and at least two prime factors of n.
9. An article of manufacture comprising a non-transitory computer readable medium, and instructions stored in the non-transitory computer readable medium, wherein the instructions if executed on a prover device causes the prover device to perform an authentication method, the method comprising:
generating and sending an opening c by the prover device, wherein generating an opening c comprises:
calculating modulo n, wherein n is an integer specific to the prover device, and is a product of prime numbers;
selecting randomly a number r between 1 and n−1;
calculating a parameter x equal to rt (mod n), where t is a parameter; and
calculating the opening c based at least in part on the parameter x;
receiving a question e by the prover device, in response to the sending of the opening c;
generating and sending a result y by the prover device to enable the prover device to be authenticated based on the result y and a public key v associated with a secret key s possessed by the prover device, wherein generating a result y is based at least in part on the question e and the secret key s, and comprises calculating modulo n;
wherein calculating modulo n comprises using a “Chinese remainders” method, and at least two prime factors of n.
10. The method of claim 7, wherein generating a result y comprises calculating y equal to rse (mod n).
11. The prover device of claim 8, wherein the processor is configured to calculate y by calculating rse (mod n).
12. The article of claim 9, wherein generating a result y comprises calculating y equal to rse (mod n).
US12/393,959 1999-01-27 2000-01-26 Authenticating or signature method with reduced computations Expired - Fee Related USRE42517E1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR9900887A FR2788909B1 (en) 1999-01-27 1999-01-27 AUTHENTICATION OR SIGNATURE PROCESS WITH REDUCED NUMBER OF CALCULATIONS
FR9900887 1999-01-27
PCT/FR2000/000174 WO2000045549A1 (en) 1999-01-27 2000-01-26 Authenticating or signature method with reduced computations

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09889557 Reissue 2001-07-27

Publications (1)

Publication Number Publication Date
USRE42517E1 true USRE42517E1 (en) 2011-07-05

Family

ID=9541270

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/889,557 Ceased US7184547B1 (en) 1999-01-27 2000-01-26 Authenticating or signature method with reduced computations
US12/393,959 Expired - Fee Related USRE42517E1 (en) 1999-01-27 2000-01-26 Authenticating or signature method with reduced computations

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/889,557 Ceased US7184547B1 (en) 1999-01-27 2000-01-26 Authenticating or signature method with reduced computations

Country Status (9)

Country Link
US (2) US7184547B1 (en)
EP (1) EP1145483B1 (en)
JP (1) JP4945026B2 (en)
AT (1) ATE226773T1 (en)
CA (1) CA2360953C (en)
DE (1) DE60000649T2 (en)
ES (1) ES2184691T3 (en)
FR (1) FR2788909B1 (en)
WO (1) WO2000045549A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7006999B1 (en) 1999-05-13 2006-02-28 Xerox Corporation Method for enabling privacy and trust in electronic communities
US8239917B2 (en) * 2002-10-16 2012-08-07 Enterprise Information Management, Inc. Systems and methods for enterprise security with collaborative peer to peer architecture
US7840806B2 (en) * 2002-10-16 2010-11-23 Enterprise Information Management, Inc. System and method of non-centralized zero knowledge authentication for a computer network
US6883706B2 (en) 2003-05-05 2005-04-26 International Business Machines Corporation Point-of-sale bill authentication
US7797192B2 (en) 2003-05-06 2010-09-14 International Business Machines Corporation Point-of-sale electronic receipt generation
US7245718B2 (en) * 2003-08-26 2007-07-17 Mitsubishi Electric Research Laboratories, Inc. Low bandwidth zero knowledge authentication protocol and device
US7467401B2 (en) * 2004-08-12 2008-12-16 Avatier Corporation User authentication without prior user enrollment
US20080080707A1 (en) * 2006-09-29 2008-04-03 Shay Gueron RSA signature authentication with reduced computational burden
US8615649B2 (en) * 2010-09-21 2013-12-24 International Business Machines Corporation Use of a private key to encrypt and decrypt a message
CN105721166B (en) * 2016-03-03 2018-09-21 武汉大学 A kind of Identity verification protocol method for building up of quantum calculation safety
WO2018228732A1 (en) * 2017-06-14 2018-12-20 Gemalto Sa Method for mutual symmetric authentication between a first application and a second application
DE102022202824A1 (en) 2022-03-23 2023-01-19 Vitesco Technologies GmbH Method for detecting manipulation of transmission measurement signals of a sensor unit of a system and system

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0325238A2 (en) 1988-01-19 1989-07-26 Yeda Research And Development Company Limited Improved variants of the Fiat-Shamir identification and signature scheme
WO1989011706A1 (en) 1988-05-19 1989-11-30 Ncr Corporation Method and device for authentication
US4964164A (en) * 1989-08-07 1990-10-16 Algorithmic Research, Ltd. RSA computation method for efficient batch processing
US5140634A (en) * 1987-09-07 1992-08-18 U.S Philips Corporation Method and apparatus for authenticating accreditations and for authenticating and signing messages
US5218637A (en) 1987-09-07 1993-06-08 L'etat Francais Represente Par Le Ministre Des Postes, Des Telecommunications Et De L'espace Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization
FR2716058A1 (en) 1994-02-04 1995-08-11 France Telecom Digital signature and message authentication method using discrete logarithm.
JPH08149124A (en) 1994-03-07 1996-06-07 Nippon Telegr & Teleph Corp <Ntt> Information delivery method and system utilizing zero intelligence proof protocol
FR2752122A1 (en) 1994-07-28 1998-02-06 France Telecom Reduced bit authentification method for zero knowledge public key encryption
US5787178A (en) * 1995-04-12 1998-07-28 Deutsche Telekom Ag Computerized method for signing a message
WO1998042173A2 (en) 1997-03-24 1998-10-01 Fd Finanssidata Oy Use of banking services in a digital cellular radio system
WO1998051038A1 (en) 1997-05-07 1998-11-12 Gemplus S.C.A. Pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing
JPH118616A (en) 1997-06-17 1999-01-12 Dainippon Printing Co Ltd Ic card having provision against attack taking advantage of failure

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5140634A (en) * 1987-09-07 1992-08-18 U.S Philips Corporation Method and apparatus for authenticating accreditations and for authenticating and signing messages
US5218637A (en) 1987-09-07 1993-06-08 L'etat Francais Represente Par Le Ministre Des Postes, Des Telecommunications Et De L'espace Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization
EP0325238A2 (en) 1988-01-19 1989-07-26 Yeda Research And Development Company Limited Improved variants of the Fiat-Shamir identification and signature scheme
WO1989011706A1 (en) 1988-05-19 1989-11-30 Ncr Corporation Method and device for authentication
US4964164A (en) * 1989-08-07 1990-10-16 Algorithmic Research, Ltd. RSA computation method for efficient batch processing
FR2716058A1 (en) 1994-02-04 1995-08-11 France Telecom Digital signature and message authentication method using discrete logarithm.
JPH08149124A (en) 1994-03-07 1996-06-07 Nippon Telegr & Teleph Corp <Ntt> Information delivery method and system utilizing zero intelligence proof protocol
FR2752122A1 (en) 1994-07-28 1998-02-06 France Telecom Reduced bit authentification method for zero knowledge public key encryption
US5787178A (en) * 1995-04-12 1998-07-28 Deutsche Telekom Ag Computerized method for signing a message
WO1998042173A2 (en) 1997-03-24 1998-10-01 Fd Finanssidata Oy Use of banking services in a digital cellular radio system
WO1998051038A1 (en) 1997-05-07 1998-11-12 Gemplus S.C.A. Pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing
JPH118616A (en) 1997-06-17 1999-01-12 Dainippon Printing Co Ltd Ic card having provision against attack taking advantage of failure

Non-Patent Citations (26)

* Cited by examiner, † Cited by third party
Title
A. Fiat, et al., Advances in Cryptology-Crypto '86 Proceedings, pp. 186-194, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Aug. 11-15, 1986.
Brandt et al., "Zero-Knowledge Authentication Scheme with Secret Key Exchange", Advances in Cyptology-Crypto '88 Proceedings, pp. 583-588, Aug. 21-25, 1988.
Fiat et al., "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Advances in Cyptology-Crypto '86 Proceedings, pp. 1806-194, Aug. 11-16, 1986.
Final Office Action mailed Jan. 18, 2006, for U.S. Appl. No. 09/889,557.
Final Office Action mailed May 27, 2005, for U.S. Appl. No. 09/889,557.
Guillou et al., "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory", Advances in Cryptology-Eurocrypt '88 pp. 123-128, May 25-27, 1988.
H-P. Konigs, IEEE Communications Magazine, vol. 29, No. 6, pp. 42-48, "Cryptographic Identification Methods for Smart Cards in the Process of Standardization", Jun. 1991.
International Preliminary Examination Report received by WIPO on Dec. 21, 2000, for PCT App. PCT/FR00/00174.
International Search Report mailed Feb. 25, 2000, for PCT App. PCT1FR00/00174.
J. Brandt, et al., Advances in Cryptology-Crypto '88 Proceedings, pp. 583-588, "Zero-Knowledge Authentication Scheme with Secret Key Exchange", Aug. 21-25, 1988.
J-J. Quisquater, et al., Electronics Letters, vol. 18, No. 21, pp. 905-907, "Fast Decipherment Algorithm for RSA Public-Key Cryptosystem", Oct. 14, 1982.
Königs, "Cryptographic Identification Methods for Smart Cards in the Process of Standardization", IEEE Communications Magazine, vol. 29, No. 6, pp. 42-48, Jun. 1991.
L. C. Guillou, et al, Advances in Cryptology-Eurocrypt '88, pp. 123-128, "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory", May 25-27, 1988.
Notice of Allowance mailed Nov. 2, 2006, for U.S. Appl. No. 09/889,557.
Notice of Reasons for Rejection for Japanese App. 2000-596695 mailed Apr. 23, 2010.
Office Action for JP App. 2000-596695 dated Feb. 24, 2011, including Concise Explanation of Relevance (4 pgs.).
Office Action mailed Jan. 31, 2005, for U.S. Appl. No. 09/889,557.
Office Action mailed Sep. 27, 2005, for U.S. Appl. No. 09/889,557.
Preliminary Search Report dated Dec. 28, 1999 for FR App. 9900887.
Quisquater et al., "Fast Decipherment Algorithm for RSE Public-Key Cryptosystem", Electronics Letters, vol. 18, No. 21, pp. 905-907, Oct. 14, 1982.
Scheiner, Bruce, Applied Cryptography-Protocvols, Algorithms, and Source Code in C(Second Edition), John Wiley & Sons, Inc(1996): pp. 249-250. *
Scheiner, Bruce. "Public-Key Algorithms: RSA." Applied Cryptography: Protocols, Algorithms and Source Code in C. New York: John Wiley & Sons, 1996. pp. 470. *
Schenier, Bruce. "Mathematical Background: Number Theory." Applied Cryptography: Protocols, Algorithms and Source Code in C. New York: John Wiley & Sons, 1996. pp. 249-250. *
Schneier, "Mathematical Background: Number Theory", Applied Cryptography- Protocols, Algorithms, and Source Code in C (Second Edition) New York: John Wiley & Sones, 1996 pp. 249-250.
Schneier, "Public Key Algorithms: RSA", Applied Cryptography-Protocols, Algorithms, and Source Code in C (Second Edition) New York: John Wiley & Sones, 1996 pp. 470.
Schneier, Bruce. Applied Cryptography, "Number Theory". New York, NY, 1996, 244-80. *

Also Published As

Publication number Publication date
DE60000649D1 (en) 2002-11-28
EP1145483B1 (en) 2002-10-23
FR2788909A1 (en) 2000-07-28
JP4945026B2 (en) 2012-06-06
FR2788909B1 (en) 2004-02-20
CA2360953A1 (en) 2000-08-03
JP2002536875A (en) 2002-10-29
ATE226773T1 (en) 2002-11-15
US7184547B1 (en) 2007-02-27
WO2000045549A1 (en) 2000-08-03
DE60000649T2 (en) 2003-08-07
CA2360953C (en) 2007-08-14
ES2184691T3 (en) 2003-04-16
EP1145483A1 (en) 2001-10-17

Similar Documents

Publication Publication Date Title
Nick et al. MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces
US7716484B1 (en) System and method for increasing the security of encrypted secrets and authentication
Okamoto Provably secure and practical identification schemes and corresponding signature schemes
Lim et al. A key recovery attack on discrete log-based schemes using a prime order subgroup
EP1050133B1 (en) Leak-resistant cryptographic method and apparatus
MacKenzie et al. Networked cryptographic devices resilient to capture
US5146500A (en) Public key cryptographic system using elliptic curves over rings
US6813354B1 (en) Mixing in small batches
US5299263A (en) Two-way public key authentication and key agreement for low-cost terminals
CA2262549C (en) Accelerating public-key cryptography by precomputing randomly generated pairs
US6757825B1 (en) Secure mutual network authentication protocol
Young et al. The prevalence of kleptographic attacks on discrete-log based cryptosystems
US7228418B1 (en) Authentication and signature method for messages using reduced size of binary units of information content and corresponding systems
USRE42517E1 (en) Authenticating or signature method with reduced computations
US7248692B2 (en) Method of and apparatus for determining a key pair and for generating RSA keys
Kwon Virtual software tokens-a practical way to secure PKI roaming
US20050220298A1 (en) Cryptographic method for distributing load among several entities and devices therefor
Blake-Wilson Information security, mathematics, and public-key cryptography
EP1691501A1 (en) Leak-resistant cryptography method an apparatus
Zheng Signcryption or how to achieve cost (signature & encryption)<< cost (signature)+ cost (encryption)
Tso et al. Practical strong designated verifier signature schemes based on double discrete logarithms
Juang et al. A VERIGIABLE MULTI-AUTHORITIES SECRET ELECTION ALLOWING ABSTAINING FROM VOTING
Barthe et al. A machine-checked formalization of the random oracle model
Lin et al. A server-aided computation protocol for RSA enciphering algorithm
Dissanayake Identification to Fake Messages with Two PKCs

Legal Events

Date Code Title Description
AS Assignment

Owner name: PHENTAM DIRE NV, LLC, DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FRANCE TELECOM SA;REEL/FRAME:024858/0861

Effective date: 20081217

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: CALLAHAN CELLULAR L.L.C., DELAWARE

Free format text: MERGER;ASSIGNOR:PHENTAM DIRE NV, LLC;REEL/FRAME:037358/0797

Effective date: 20150827

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY