WO1999023781A1 - Signature verification for elgamal schemes - Google Patents

Signature verification for elgamal schemes Download PDF

Info

Publication number
WO1999023781A1
WO1999023781A1 PCT/CA1998/001018 CA9801018W WO9923781A1 WO 1999023781 A1 WO1999023781 A1 WO 1999023781A1 CA 9801018 W CA9801018 W CA 9801018W WO 9923781 A1 WO9923781 A1 WO 9923781A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
mod
value
calculating
verify
Prior art date
Application number
PCT/CA1998/001018
Other languages
French (fr)
Inventor
Donald B. Johnson
Scott A. Vanstone
Original Assignee
Certicom Corp.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Certicom Corp. filed Critical Certicom Corp.
Priority to CA002306468A priority Critical patent/CA2306468A1/en
Priority to EP98952457A priority patent/EP1025674A1/en
Priority to JP2000519520A priority patent/JP2001522071A/en
Priority to AU10154/99A priority patent/AU1015499A/en
Publication of WO1999023781A1 publication Critical patent/WO1999023781A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3013Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves

Definitions

  • This invention relates to a method of accelerating digital signature verification operations performed in a finite field and in particular to a method for use with processors having limited computing power.
  • One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission.
  • a widely used set of signature protocols utilizes the ElGamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key.
  • the ElGamal scheme gets its security from calculating discrete logarithms in a finite field.
  • these cryptosystems can be computationally intensive.
  • a digital signature algorithm DSA is a variant of the ElGamal scheme.
  • a pair of correspondent entities A and B each create a public key and a corresponding private key.
  • the entity A signs a message m of arbitrary length.
  • the entity B can verify this signature by using A's public key.
  • both the sender, entity A, and the recipient, entity B are required to perform a computationally intensive operations to generate and verify the signature respectively.
  • either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a "Smart card " application, the computations may introduce delays in the signature and verification process.
  • the signor is required to verify its own signature.
  • a public key cryptographic system the distribution of keys is easier than that of a symmetric key system.
  • the integrity of public keys is critical.
  • the entities in such a system may use a trusted third party to certify the public key of each entity.
  • This third party may be a certifying authority (C A), that has a private signing algorithm S ⁇ and a verification algorithm V ⁇ assumed to be-known by all entities.
  • the CA provides a certificate binding the identity of an entity to its public key. This may consist of signing a message consisting of an identifier and the entity's authenticated public key. From time to time however the CA may wish to authenticate or verify its own certificates. Thus in these instances it would be convenient to implement an improved signature verification algorithm to speed up this verification process.
  • This invention seeks to provide a digital signature verification method, which may be implemented relatively efficiently by a signor on a processor with limited processing capability, such as a smart card or where frequent verifications are performed such as a certification authority.
  • a method of verifying a digital signature generated by a signor in a computer system comprising the steps of: a) in the computer system signing a message m by; b) generating a first signature component by combining at least the element g and the signature parameter k according to a first mathematical function; c) generating a second signature component by mathematically combining the first signature component with the private key d, the message m and the signature parameter k; and the signor verifying the signature by: d) recovering a value k' from the signature without using the public key y, and ; e) utilizing the recovered value k' in the first mathematical function to derive a value r' to verify the signature parameter k and k are equivalent.
  • Figure 1 is a schematic representation of a communication system
  • Figure 2 is a flow chart showing a signature algorithm according to the present invention.
  • a data communication system 10 includes a pair of correspondents, designated as a sender A(12), and a recipient B(14), who are connected by a communication channel 16.
  • Each of the correspondents A and B (12,14) includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below.
  • the sender A assembles a data string, which includes amongst others the public key v of the sender, a message m, the sender's short-term public key k and signature S of the sender A.
  • the data string is sent over the channel 16 to the intended recipient B, who then verifies the signature using A's public key.
  • This public key information may be obtained from a certification authority (CA) 24 or sometimes is set with the message.
  • CA generally has a public file of the entity's public key and identification.
  • each correspondent A and B creates a public key and corresponding private key.
  • the entities A and B select primes p and q such that q divides p-1.
  • a g is selected such that it is an element of order q in F p and the group used is ⁇ g°, g 1 , g 2 ,...g q ⁇ ' ⁇ .
  • the public key information is (p, q, g, y) and the private key is d
  • the public key information is (p, g, y) and the private key is d.
  • the recipient B Normally to verify A's signature (r, s) on the message m, the recipient B should obtain A's authentic public key (p, q, g, y), and verify that 0 ⁇ r ⁇ q and 0 ⁇ s ⁇ q.
  • the verifier in this case the original signor, has knowledge of p, q, g, y, (m), r and s.
  • the verifier need only recover the (secret) per signature value k used and verify this value of k thus obtained in order to verify the signature.
  • the value z ⁇ ' is calculated by inverting z mod q.
  • k' ⁇ ] s(z ⁇ )modq and calculate /c' by inverting k' '1 modq .
  • the signature components are s and e where p is a large public prime, g is a public generator, m is a message, h is a hash function, d is a private key, y - g d mod p is a public key and k is a secret random integer.
  • an advantage of the present invention is where a signor signs data which for example may reside on the signors computer. This can be later verified without use of the correponding public key, instead the signor can use its private key to verify the data. This is also very useful for some applications with limited computational power such as smartcards.
  • the certifying authority or key distribution centre would sign data frequently before it is installed into the various communications systems and then could verify the signatures later.
  • the CA does not require the public key information to verify the signatures but simply uses the private key to verify, as all the other parameters are stored within the secure boundary of the signor.
  • a further application is in the verification of software such in pay-per-use software applications.
  • the present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements is multiplied in a processor efficient manner.
  • the encryption system can comprise any suitable processor unit such as a suitably programmed general-purpose computer.

Abstract

A signature verification protocol is provided for ElGamal-like signature schemes. The digital signature verification scheme allows the signor of the message to verify the digital signature without using the public key. Generally the signors computer system has a private key d and a public key y derived from an element g and the private key d. The method comprises the steps of in the computer system signing a message m by generating a first signature component by combining the element g, the signature parameter k according to a first mathematical function and generating a second signature component by mathematically combining the first signature component with the private key d, the message m and the signature parameter k, and the signor verifying the signature by recovering a value k from the signature components without using the public key y and utilizing the recovered value k' in the first mathematical function to derive a value r' in order to verify the signature parameter k and k' are equivalent, thereby verifying the signature. This signature verification applies to all ElGamal-type signatures and works in any group and in particular elliptic curve groups. The signature verification method is of particular use in devices having limited computational power such as 'smart cards' or where a large number of verifications are to be performed by the signor.

Description

Signature Verification For ElGamal Schemes
This invention relates to a method of accelerating digital signature verification operations performed in a finite field and in particular to a method for use with processors having limited computing power.
Background of the Invention
One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission. A widely used set of signature protocols utilizes the ElGamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key. The ElGamal scheme gets its security from calculating discrete logarithms in a finite field. Furthermore, the ElGamal-type signatures work in any group and in particular elliptic curve groups. For example given the elliptic curve group E(Fq) then for P e E(Fq) and Q= aP the discrete logarithm problem reduces to finding the integer a. Thus these cryptosystems can be computationally intensive.
Various protocols exist for implementing such a scheme. For example, a digital signature algorithm DSA is a variant of the ElGamal scheme. In these schemes a pair of correspondent entities A and B each create a public key and a corresponding private key. The entity A signs a message m of arbitrary length. The entity B can verify this signature by using A's public key. In each case however, both the sender, entity A, and the recipient, entity B, are required to perform a computationally intensive operations to generate and verify the signature respectively. Where either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a "Smart card " application, the computations may introduce delays in the signature and verification process.
There are also circumstances where the signor is required to verify its own signature. For example in a public key cryptographic system, the distribution of keys is easier than that of a symmetric key system. However, the integrity of public keys is critical. Thus the entities in such a system may use a trusted third party to certify the public key of each entity. This third party may be a certifying authority (C A), that has a private signing algorithm Sτ and a verification algorithm Vτ assumed to be-known by all entities. In its simplest form the CA provides a certificate binding the identity of an entity to its public key. This may consist of signing a message consisting of an identifier and the entity's authenticated public key. From time to time however the CA may wish to authenticate or verify its own certificates. Thus in these instances it would be convenient to implement an improved signature verification algorithm to speed up this verification process.
Summary of the Invention It is therefore an object of the present invention to provide a method of fast signature verification.
This invention seeks to provide a digital signature verification method, which may be implemented relatively efficiently by a signor on a processor with limited processing capability, such as a smart card or where frequent verifications are performed such as a certification authority.
In accordance with this invention there is provided a method of verifying a digital signature generated by a signor in a computer system, the signor having a private key d and a public key y, derived from an element g and the private key d the method comprising the steps of: a) in the computer system signing a message m by; b) generating a first signature component by combining at least the element g and the signature parameter k according to a first mathematical function; c) generating a second signature component by mathematically combining the first signature component with the private key d, the message m and the signature parameter k; and the signor verifying the signature by: d) recovering a value k' from the signature without using the public key y, and ; e) utilizing the recovered value k' in the first mathematical function to derive a value r' to verify the signature parameter k and k are equivalent. Brief Description of the Drawings
Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:
Figure 1 is a schematic representation of a communication system; and Figure 2 is a flow chart showing a signature algorithm according to the present invention.
Detailed Description of a Preferred Embodiment
For the sake of convenience in the following discussion we use the multiplicative notation, although ElGamal-type signatures work in any group and in particular in elliptic curve groups.
Referring therefore to Figure 1, a data communication system 10 includes a pair of correspondents, designated as a sender A(12), and a recipient B(14), who are connected by a communication channel 16. Each of the correspondents A and B (12,14) includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below.
In accordance with a general embodiment, the sender A assembles a data string, which includes amongst others the public key v of the sender, a message m, the sender's short-term public key k and signature S of the sender A. When assembled the data string is sent over the channel 16 to the intended recipient B, who then verifies the signature using A's public key. This public key information may be obtained from a certification authority (CA) 24 or sometimes is set with the message. The CA generally has a public file of the entity's public key and identification.
For key generation in the ElGamal signature scheme, each correspondent A and B creates a public key and corresponding private key. In order to set up the scheme, the entities A and B select primes p and q such that q divides p-1. A g is selected such that it is an element of order q in Fp and the group used is {g°, g1, g2,...gq~'} .
The digital signature algorithm (DSA) which is a special case of the ElGamal scheme, key generation is performed by selecting a random integer d in the interval [1, q- 1] and computing y=gd mod p. In the DSA the public key information is (p, q, g, y) and the private key is d, while in the general ElGamal scheme the public key information is (p, g, y) and the private key is d. We consider firstly a signature scheme such as the DSA in which the" signature components r and s are given by: r = (gk mod p)modq ; and
Figure imgf000006_0001
where typically:
-Z is a random integer, the signors private key and is typically 160-bits; p is typically a 1024-bit prime; q is a 160-bit prime where q divides p-\ g is the generator such that y = gd mod p ; h{m) is typically a SHA-1 hash of the message m; k is a randomly chosen 160-bit value for each signature; and the signature for m is the pair (r, s). Normally to verify A's signature (r, s) on the message m, the recipient B should obtain A's authentic public key (p, q, g, y), and verify that 0< r < q and 0 < s < q. Next the values w = s"1 mod q and h(m) are computed. This is followed by computing «,=w h(m) mod q and u2= rw mod q and v = (gul y"2 mod p) mod q. The signature is accepted if and only if v = r. It may be seen therefore that in some cases if the owner of the signature wants to verify its own signature at a later stage it may be time consuming to retrieve the public key information and perform the steps above, particularly since the signor is verifying its own signature.
Thus, in order to implement fast signature verification using the private key d, it may be seen that the verifier, in this case the original signor, has knowledge of p, q, g, y, (m), r and s. Thus the verifier need only recover the (secret) per signature value k used and verify this value of k thus obtained in order to verify the signature. The verifier thus calculates z = (h(m) + dr)modq . The value z~' is calculated by inverting z mod q. Next calculate k'~] = s(z^ )modq and calculate /c' by inverting k''1 modq . The verifier then evaluates r - gk' mod p mod q this verifies k = k'. Thus it may be seen that this verification step uses d not y and many of the calculations above can be sped up using pre-computed tables. Next we consider an alternate ElGamal signature method shown in figure 2 as having signature components (s, e) where: r = gk mod/? ; e = b(m|r) where || indicates concatenation; and s = (de + k) mod p
The signature components are s and e where p is a large public prime, g is a public generator, m is a message, h is a hash function, d is a private key, y - gd mod p is a public key and k is a secret random integer.
In fast signature verification using the private key d we once again assume knowledge of p, g, y, h, m, r, e and d. Thus the verifier need only recover the k value used and verify k in order to verify the signature. Thus the verifier calculates k'= (s - de)modp , r'= gk' mod p and e' = h(m||r'). If e = e1 this verifies k = k'.
Thus it may be seen that an advantage of the present invention is where a signor signs data which for example may reside on the signors computer. This can be later verified without use of the correponding public key, instead the signor can use its private key to verify the data. This is also very useful for some applications with limited computational power such as smartcards.
In a data communication system that includes a certifying authority, the certifying authority (CA) or key distribution centre would sign data frequently before it is installed into the various communications systems and then could verify the signatures later. Thus the CA does not require the public key information to verify the signatures but simply uses the private key to verify, as all the other parameters are stored within the secure boundary of the signor.
A further application is in the verification of software such in pay-per-use software applications.
While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims. For example, in the above description of preferred embodiments, use is made of multiplicative notation however the method of the subject invention may be equally well described utilizing additive notation. It is well known for example that the elliptic curve algorithm equivalent of the DSA, i.e. ECDSA is the elliptic curve analog of a discrete logorithm algorithm that is usually described in a setting of F * , the multiplicative group of the integers modulo a prime. There is correspondence between the elements and operations of the group F* and the elliptic curve group E(Fq). Furthermore, this signature technique is equally well applicable to functions performed in a field defined over F
The present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements is multiplied in a processor efficient manner. The encryption system can comprise any suitable processor unit such as a suitably programmed general-purpose computer.

Claims

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1, A method of verifying a digital signature generated by a signor in a computer system, said signor having a private key d and a public key y, derived from an element g and said private key d said method comprising the steps of: a) in said computer system signing a message m by; b) generating a first signature component by combining at least said element g and said signature parameter k according to a first mathematical function; c) generating a second signature component by mathematically combining said first signature component with said private key d, said message m and said signature parameter k; and said signor verifying said signature by: d) recovering a value k' from said signature without using said public key y, and; e) utilizing said recovered value k' in said first mathematical function to derive a value r' to verify said signature parameter k and K are equivalent.
2. A method as defined in claim 1 , wherein g is an element of order q in a field F * .
3. A method as defined in claim 1 , wherein g is a point of prime order n in E(Fq), such that E is an elliptic curve defined over the field Fq.
4. A method as defined in claim 1 , wherein said element g is a point on an elliptic curve over a finite field F 1 ΓÇ₧
5. A method as defined in claim 1, said signature parameter k being a randomly selected integer in the interval [1, q-1], and said first signature component having a form defined by r=^ mod ? mod q, wherein ) and q are primes such that q divides p-1.
6. A method as defined in claim 5, including calculating a value e = h(m) wherein h is a hash function, and wherein said second signature component s = Af'(e + dr) mod q.
7. A method as defined in claim 6, said step of recovering said value k' including:
(a) calculating a value z =(Λ(m) + dr)mod q;
(b) calculating z ' inverting z mod q (c) calculating KΛ = s(z"') mod q; and
(d) calculating c* by inverting k'mod q.
8. A method as defined in claim 7, said step of verifying k including the steps of calculating r' = g*' mod ? mod q and comparing r' to r in order to verify k = k'.
9. A method as defined in claim 9, including utilizing precomputed tables in said calculations.
10. A method as defined in claim 3, said signature parameter k being a statistically unique and unpredictable integer k selected in an interval [2, n-2] and said first signature component having a form defined by r = x, mod n wherein n is an n co-ordinate of a private key.
11. A method as defined in claim 10, including calculating a value e = h(m) wherein h is a hash function and said second signature component is given by s ΓÇö k'1 (e + dr) mod n.
12. A method as defined in claim 11 , said recovering said value k' includes:
(a) calculating a value z = (h(m) + dr) mod n;
(b) calculating z"1 by inverting z mod n; (c) calculating k'"1 = s(z"!) mod n, and
(d) calculating k' by inverting k"1 mod n.
13. A method as defined in claim 12, said step of verifying k including the steps of calculating r' - g*' mod n and comparing r' to r in order to verify k = k'.
14. A method as defined in claim 2, said signature parameter k being a randomly selected integer in an interval [1, p-1], and said first signature component having a form defined by e = h(m||r) wherein r = gk mod p, h is a hash function and || denotes concantenation.
15. A method as defined in claim 14, said second signature component being defined by s = (de + k) mod p.
16. A method as defined in claim 15, said step of recovering said value k' includes:
(a) calculating a value k' = (s-de) mod p;
(b) calculating a value r' = gk mod p; (c) calculating a value e' = h(m||r'); and
(d) comparing said value e' to e in order to verify k' = k.
PCT/CA1998/001018 1997-10-31 1998-11-02 Signature verification for elgamal schemes WO1999023781A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CA002306468A CA2306468A1 (en) 1997-10-31 1998-11-02 Signature verification for elgamal schemes
EP98952457A EP1025674A1 (en) 1997-10-31 1998-11-02 Signature verification for elgamal schemes
JP2000519520A JP2001522071A (en) 1997-10-31 1998-11-02 Signature verification for ElGamal scheme
AU10154/99A AU1015499A (en) 1997-10-31 1998-11-02 Signature verification for elgamal schemes

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US96244197A 1997-10-31 1997-10-31
US08/962,441 1997-10-31

Publications (1)

Publication Number Publication Date
WO1999023781A1 true WO1999023781A1 (en) 1999-05-14

Family

ID=25505878

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA1998/001018 WO1999023781A1 (en) 1997-10-31 1998-11-02 Signature verification for elgamal schemes

Country Status (5)

Country Link
EP (1) EP1025674A1 (en)
JP (2) JP4307589B2 (en)
AU (1) AU1015499A (en)
CA (1) CA2306468A1 (en)
WO (1) WO1999023781A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8713321B2 (en) 2003-10-28 2014-04-29 Certicom Corp. Method and apparatus for verifiable generation of public keys
CN110430044A (en) * 2019-07-10 2019-11-08 南京工业大学 A kind of double layer encryption method based on ElGamal encryption
CN111262707A (en) * 2020-01-16 2020-06-09 余志刚 Digital signature method, verification method, device and storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4611680B2 (en) * 2003-07-25 2011-01-12 株式会社リコー COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM
JP4712326B2 (en) * 2003-07-25 2011-06-29 株式会社リコー COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM
JP5348148B2 (en) * 2003-07-25 2013-11-20 株式会社リコー COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM
ATE490619T1 (en) 2004-02-13 2010-12-15 Certicom Corp ONE-SIDED AUTHENTICATION
CN103108325B (en) * 2011-11-10 2018-05-18 中兴通讯股份有限公司 A kind of information secure transmission method and system and access service node

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5231668A (en) * 1991-07-26 1993-07-27 The United States Of America, As Represented By The Secretary Of Commerce Digital signature algorithm
EP0639907A1 (en) * 1993-08-17 1995-02-22 R3 Security Engineering AG Digital signature method and key agreement method
US5442707A (en) * 1992-09-28 1995-08-15 Matsushita Electric Industrial Co., Ltd. Method for generating and verifying electronic signatures and privacy communication using elliptic curves
US5475763A (en) * 1993-07-01 1995-12-12 Digital Equipment Corp., Patent Law Group Method of deriving a per-message signature for a DSS or El Gamal encryption system
GB2321834A (en) * 1997-01-31 1998-08-05 Certicom Corp Cryptographic signature verification using two private keys.

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5231668A (en) * 1991-07-26 1993-07-27 The United States Of America, As Represented By The Secretary Of Commerce Digital signature algorithm
US5442707A (en) * 1992-09-28 1995-08-15 Matsushita Electric Industrial Co., Ltd. Method for generating and verifying electronic signatures and privacy communication using elliptic curves
US5475763A (en) * 1993-07-01 1995-12-12 Digital Equipment Corp., Patent Law Group Method of deriving a per-message signature for a DSS or El Gamal encryption system
EP0639907A1 (en) * 1993-08-17 1995-02-22 R3 Security Engineering AG Digital signature method and key agreement method
GB2321834A (en) * 1997-01-31 1998-08-05 Certicom Corp Cryptographic signature verification using two private keys.

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
MENEZES A J ET AL: "Elliptic Curve Cryptosystems and Their Implementation", JOURNAL OF CRYPTOLOGY, vol. 6, no. 4, 1992, pages 209 - 224, XP002069135 *
MIYAJI A: "Elliptic Curves Suitable for Cryptosystems", IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, COMMUNICATIONS AND COMPUTER SCIENCES, vol. E77-A, no. 1, 1 January 1994 (1994-01-01), pages 98 - 104, XP000439669 *
SCHNORR C P: "EFFICIENT IDENTIFICATION AND SIGNATURES FOR SMART CARDS", LECTURE NOTES IN COMPUTER SCIENCE, 20 August 1989 (1989-08-20), pages 239 - 252, XP002052048 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8713321B2 (en) 2003-10-28 2014-04-29 Certicom Corp. Method and apparatus for verifiable generation of public keys
US9160530B2 (en) 2003-10-28 2015-10-13 Certicom Corp. Method and apparatus for verifiable generation of public keys
US9240884B2 (en) 2003-10-28 2016-01-19 Certicom Corp. Method and apparatus for verifiable generation of public keys
US9967239B2 (en) 2003-10-28 2018-05-08 Certicom Corp. Method and apparatus for verifiable generation of public keys
CN110430044A (en) * 2019-07-10 2019-11-08 南京工业大学 A kind of double layer encryption method based on ElGamal encryption
CN111262707A (en) * 2020-01-16 2020-06-09 余志刚 Digital signature method, verification method, device and storage medium
CN111262707B (en) * 2020-01-16 2023-04-14 余志刚 Digital signature method, verification method, device and storage medium

Also Published As

Publication number Publication date
CA2306468A1 (en) 1999-05-14
JPH11174957A (en) 1999-07-02
AU1015499A (en) 1999-05-24
JP4307589B2 (en) 2009-08-05
JP2001522071A (en) 2001-11-13
EP1025674A1 (en) 2000-08-09

Similar Documents

Publication Publication Date Title
CA2228185C (en) Verification protocol
US7996676B2 (en) Masked digital signatures
US10326598B2 (en) Method for generating a message signature from a signature token encrypted by means of a homomorphic encryption function
US5600725A (en) Digital signature method and key agreement method
EP2306670B1 (en) Hybrid digital signature scheme
US20140229730A1 (en) Implicit certificate scheme
US9800418B2 (en) Signature protocol
CN100440776C (en) Elliptic curve signature and signature verification method and apparatus
Jeng et al. An ECC-based blind signature scheme
CN112118111A (en) SM2 digital signature method suitable for threshold calculation
Hwang et al. An untraceable blind signature scheme
US6097813A (en) Digital signature protocol with reduced bandwidth
US20150006900A1 (en) Signature protocol
US6499104B1 (en) Digital signature method
WO1999023781A1 (en) Signature verification for elgamal schemes
WO2016187689A1 (en) Signature protocol
US20090138718A1 (en) Method of generating a signature with &#34;tight&#34; security proof, associated verification method and signature scheme based on the diffie-hellman model
CN115174102A (en) Efficient batch verification method and system based on SM2 signature
KR100194638B1 (en) Additional Digital Signature Method Using Personally Identifiable Information
Kwon et al. Randomization enhanced blind signature schemes based on RSA
EP0854603A2 (en) Generation of session parameters for el gamal-like protocols
CA2892318C (en) Signature protocol
Lin et al. Self-certified proxy convertible authenticated encryption scheme

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HR HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref document number: 2306468

Country of ref document: CA

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 1998952457

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: KR

WWP Wipo information: published in national office

Ref document number: 1998952457

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 1998952457

Country of ref document: EP