WO2003055134A9 - Cryptographic method for distributing the load among several entities, and devices for implementing said method - Google Patents
- Publication number
- WO2003055134A9 (PCT/FR2002/004366)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- evidence
- entity
- integer
- piece
- public key
Classifications
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
- H04L2209/80—Wireless
Definitions
- the invention relates to the technical field of cryptography, and more precisely to so-called public key cryptography.
- a user holds a pair of keys for a given use.
- Said key pair consists of a private key which this user keeps secret and an associated public key which this user can communicate to other users. For example, if it is a pair of keys dedicated to confidentiality, then the public key is used to encrypt the data, while the secret key is used to decrypt it, that is to say to restore this data in the clear.
- Public key cryptography is very useful insofar as, unlike secret key cryptography, it does not require that the interlocutors share the same secret in order to establish a secure communication.
- this advantage in terms of security is accompanied by a disadvantage in terms of performance, because public key cryptography methods, also called “public key schemes”, are often a hundred or a thousand times slower than secret key cryptography methods, also called “secret key schemes”.
- It is therefore a very important challenge to find public key cryptography methods that execute quickly, so that they can be implemented in environments with few resources, such as standard microprocessor cards, with or without contact.
- the present invention relates more particularly to the technical field of entity authentication, also called identification, as well as that of message authentication and digital message signature, by means of public key cryptographic techniques.
- in entity authentication, also called identification, the authenticated entity, called a prover, uses the secret key to generate an authentication value.
- the authenticating entity, called a verifier, only needs the prover's public key to verify the authentication value.
- the invention relates more particularly still to so-called zero-knowledge authentication methods, that is, methods with zero disclosure of knowledge. This means that authentication takes place according to a protocol which, in a proven way, does not reveal anything about the secret key of the authenticated entity, regardless of the number of uses. It is known, using standard techniques, how to derive message authentication schemes and digital message signature schemes from this type of scheme.
- the invention relates more particularly still to methods whose security is based both on the difficulty of the integer factorization problem and on that of the problem known as the discrete logarithm.
- the invention finds an application in all systems using public key cryptography to secure their elements and/or their transactions, and more particularly in systems where the number of calculations performed by the different parties constitutes, for at least one of them, a critical parameter, either because it does not have a coprocessor specialized in cryptographic calculations, often called a cryptoprocessor, to accelerate them, or because it is likely to perform a large number of calculations simultaneously, for example in the case of a central server, or for any other reason.
- a typical application is electronic payment, by bank card or by electronic wallet.
- the payment terminal is located in a public place, which encourages the use of public key cryptography methods, so that it does not store any master key.
- the card is a standard microprocessor card, that is to say that the card is not equipped with a cryptoprocessor, or the secure microprocessor contained in the terminal is itself standard, or both.
- the state of the art currently known makes it possible to achieve one or the other of these objectives, but makes it difficult to achieve both simultaneously while respecting the constraints of the system.
- An example of such a constraint is that payment is made in less than a second, or even in less than 150 milliseconds in the case of a contactless transaction, or even in a few milliseconds in the case of a motorway toll.
- a limitation of all the cryptographic methods known to date is that the number of calculations that each of the parties must perform is fixed by the method itself and cannot be modified. In particular, it is not possible to adjust the distribution of calculations between the prover and a third party, not necessarily trusted, in order to adapt to a given environment. This prevents the same process from being used in a variety of environments where the constraints are different.
- the object of the present invention is to specify public key cryptographic methods in which it is possible to distribute a large quantity of calculations between at least two of several entities involved without this distribution modifying the level of security offered by said methods. In the case of an authentication or digital signature process with a public key, the invention is particularly useful for lightening the task of the prover by reducing the number of calculations it performs.
- the invention makes it possible to delegate part of the calculations to another entity, without any trust being necessarily associated with this other entity. More generally, the invention makes it possible to distribute in any way all or part of the calculations between several entities concerned so that the constraints linked to a given application are satisfied.
- the method according to the invention is remarkable in that it comprises a step in which at least one piece of evidence is generated at least in part by open digital processing of a datum which does not make it possible to find said private key.
- Open digital processing is understood to mean digital processing which does not benefit from any particular protection against possible intrusions. This open digital processing can be executed by any entity.
- the data previously mentioned is for example an image of said private key.
- This possibility of distribution allows the same cryptographic process to be used in many applications and environments with very varied constraints. In particular, it can allow transactions to be performed in a reduced time with chips that have limited computing capacities.
- Cryptographic methods which use a property of finite groups, for example comprising n integers and provided with an internal composition law such as multiplication. It is practically impossible to recover the exponent used in an exponentiation, in particular when n is a number made up of at least two very large prime numbers.
- the method according to the invention comprises: a first step in which the first entity generates a first piece of evidence by means of a first random number kept secret by the first entity,
- a fourth step in which a second element of proof is generated by applying to the image of said private key, an open digital processing executable by any entity, so as to allow the second entity to verify a concordance of the first element of proof with the second piece of evidence by applying a first part of said public key to the second piece of evidence and at least a second part of said public key to at least one of said common numbers.
- generation of a common number in association with the first piece of evidence means a generation of common number for which the first piece of evidence must be known beforehand. This generation may be purely random and independent of the first piece of evidence or a function of the first piece of evidence. According to this association, it is impossible to revert to the first piece of evidence when the common number is generated. More specifically:
- in the first step, the first entity generates the first random number r, much greater than any first integer s included in a private key kept secret by the first entity, and generates the first piece of evidence by raising a first integer G, included or not in said public key, to a power modulo n whose exponent is the first random number r,
- in the third step, the first entity generates the image y of said private key by a linear combination of the first random number r and of at least one first private key integer s, a linear combination of which at least one multiplicative coefficient is the common number or one of the common numbers,
- the second piece of evidence Y generated is equal to a power modulo n of a second integer g, included or not in said public key, whose exponent is the private key image y, the second integer g being such that the first public key integer G is a power modulo n of the second integer g with a third integer e, included in said public key, as exponent. It will be noted that knowledge of the private key image generated in the third step provides no information on the private key, because it is masked by the linear combination with the first random number, about which the first piece of evidence reveals nothing.
- the first entity may have reduced computational resources to execute the fifth step because relatively low values of the third integer and the common number are sufficient for a reliable verification of concordance with the first piece of evidence.
- the fourth step can be performed by the first entity.
- the cost of calculating the power in the fourth step is considerable because the exponent is large.
- the fourth step is executed by any entity which receives the private key image y from the first entity.
- knowledge of the private key image by any entity does not harm the security of the process.
- Any entity is possibly the second entity or an intermediate entity.
- the fourth step also includes:
- a first sub-step in which the first entity decomposes the image y into a first partial image y' represented by the u least significant bits of a computer word which represents the image y and into a second partial image y'' represented by the remaining most significant bits of said computer word, wherein the first entity generates a first component Y' and a second component g' of the second piece of evidence such as
- the value of y', then less than the value of y, requires only reduced computing resources in the second entity to generate the first component Y' and the second component g'. Since the second partial image and the two components Y' and g' are sufficient for any entity to generate the second piece of evidence without complete knowledge of the private key image, the security of the process is reinforced. Particularly when the cryptographic method is used to authenticate a dialogue of the first entity with the second entity, the second step is executed by the second entity which, for the first piece of evidence received from the second entity, chooses at least one common number in a security interval and sends said common number to the first entity.
- the concordance is verified when the first piece of evidence x is equal to the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and the power of the fourth integer v included in said public key whose exponent is said common number c.
- the concordance is verified in the fifth step when the first piece of evidence is equal to a function of the digital message M to which the first piece of evidence is attached and of the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and the power of the fourth integer v included in said public key whose exponent is said common number c.
- the second step is executed by the first entity, which generates at least one common number as a function of the first piece of evidence and of the digital message M to which said common number is attached.
- the concordance is verified when the common number is equal to a function of the digital message M and of the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and of the power of the fourth integer v included in said public key whose exponent is said common number c.
- the subject of the invention is also a proving device, a verifying device and an intermediate device, suitable for implementing the cryptographic method.
- a proving device provided with a private key kept secret and protected against any intrusion, to generate a proof whose verification using a public key associated with said private key makes it possible to guarantee that the proving device is at the origin of said proof
- the proving device is remarkable in that it comprises: - calculation means arranged to generate a first piece of evidence from a first random number kept secret in the proving device, and to generate an image of said private key by combining at least a first integer number of private key with the first random number and at least one of several so-called common numbers associated with the first item of evidence, so that it is possible to generate a second item of proof by applying to said private key image, an open digital processing making it possible to verify a concordance of the first piece of evidence with the second piece of evidence by applying a first part of said public key to the second piece of evidence and at least a second part of said public key to at least one
- the calculation means are on the one hand arranged to generate the first random number r, much greater than any first integer s included in the private key kept secret, and to generate the first piece of evidence by raising a first integer G, included or not in said public key, to a power modulo n with the first random number r as exponent, - the calculation means are on the other hand arranged to generate the image y of said private key by a linear combination of the first random number r and at least a first private key integer s, a linear combination of which at least one multiplicative coefficient is the common number or one of said common numbers.
- Different adaptations of the proving device are preferred depending on the version of the process to be implemented
- the means of communication are also arranged to receive the said common number or numbers after having issued the first piece of evidence.
- the communication means are arranged to transmit the private key image.
- the calculation means are arranged to generate the second piece of evidence.
- the calculation means are arranged to generate at least one common number as a function of the first piece of evidence and of a digital message M to which said common number is attached.
- the calculation means are arranged to generate the first element of proof by raising to a power modulo n a first integer G included or not in said public key and whose exponent is the first random number r.
- the first integer G of public key and a fourth integer v of public key are respectively given by the formulas:
- the private key comprising several secret numbers s1, s2, ...:
- the calculation means are arranged to generate as many common numbers c1, c2, ... associated with the first piece of evidence x,
- the public key specifically comprising the modulus n whose prime factors are kept secret in the proving device, the calculation means (37) are arranged to calculate the modular exponentiations using the technique known as the Chinese remainder technique.
- the proving device is improved when, the public key comprising a quantity k of pre-calculated values of the first piece of evidence x, the calculation means are arranged to iterate each execution k times, with a different value of the first piece of evidence for each iteration.
- the first element of proof is equal to a function f of the power modulo n of the first integer G included or not in said public key and whose exponent is the first random number r.
- considering a verifier device for verifying that a proof comes from a proving device provided with a private key kept secret by the proving device, using a public key associated with said private key, the verifier device is remarkable in that it includes:
- the calculation means are arranged to check that the first piece of evidence agrees with a product modulo n of a power of the second piece of evidence Y whose exponent is a third integer e and of a power of a fourth integer v whose exponent is said common number c, the third integer and the fourth integer being included in said public key.
- the calculation means are arranged to choose at least one common number in a security interval after receipt of the first piece of evidence and in that the communication means are arranged to transmit said common number.
- the calculation means are arranged to declare the concordance verified when the first piece of evidence x is equal to the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and of the power of the fourth integer v included in said public key whose exponent is said common number c.
- the calculation means are arranged to declare the concordance verified when the first piece of evidence is equal to a function of a digital message M to which the first piece of evidence is attached and of the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and the power of the fourth integer v included in said public key whose exponent is said common number c.
- the calculation means are arranged to declare the concordance verified when the common number is equal to a function of a digital message M and of the product modulo n of the power of the second piece of evidence Y whose exponent is the third integer e and the power of the fourth integer v included in said public key whose exponent is said common number c.
- the calculation means (38) are arranged to choose as many common numbers c1, c2, ... for the first piece of evidence x, and the calculation means (38) are arranged to check the concordance with as many fourth public key integers v1, v2, ... by means of the equality:
- the calculation means include in memory at least one pre-calculated value of first proof element x considered as part of the public key.
- the calculation means include in memory a quantity k of pre-calculated values of the first piece of evidence x, the communication means are arranged to receive k second pieces of evidence, and the calculation means are arranged to check the concordance of each second piece of evidence received with a different value of the first piece of evidence.
- the calculation means are arranged to perform the verification on the result of this function.
- the intermediate device is remarkable in that it comprises calculation means for generating at least one piece of evidence by open digital processing of an image of said private key, said private key image not making it possible to find said private key.
- the device comprises communication means arranged to receive said image y of private key.
- the calculation means are arranged to generate the second element of proof Y by raising to a power modulo n a second integer g included in said public key and whose exponent is the image y of private key.
- the intermediate device comprises communication means arranged to receive a first partial image y' of private key, a first component Y' and a second component g' of the second piece of evidence, and the calculation means are arranged to generate the second piece of evidence Y by multiplying the first component Y' by a power of the second component g' with the second partial image y'' as exponent.
- the communication means of the intermediate device are arranged to transmit the second piece of evidence Y to a verifier device.
- FIG. 1 shows steps of the authentication method of a second entity by a first entity according to the invention
- FIG. 2 shows a first variant of the authentication method involving an intermediate entity
- FIG. 3 shows a second variant of the authentication method involving an intermediate entity
- FIG. 4 shows steps of message authentication method according to the invention
- FIG. 5 shows steps of method used for a message signature according to the invention.
- the embodiment described below is a method of entity authentication or identification. It allows a prover A to convince a verifier B of its authenticity. This process can be transformed into a message authentication process or digital message signature. Its security is based on the joint difficulty of factoring large integers.
- this method has two options depending on how the calculations are distributed among several entities.
- the public key of the prover then consists of all or part of the quintuplet (n, e, g, G, v), depending on the option chosen, while the private key consists of at least the whole number s, kept secret by the prover.
- the public key can itself be broken down into a generic part in the sense that it is common to several provers and into a specific part in the sense that it is different for each prover.
- the verifier B already knows all the public parameters necessary to verify that proof is given by a second entity, the prover A, namely its identity, its public key, its public key certificate, etc.
- the public key is the triplet (n, e, v) and the authentication of the entity A by the entity B takes place by iterating k times the protocol now described with reference to FIG. 1.
- the entities A and B are computer or smart card type.
- the expression (mod n) means modulo n, that is to say that, in a known manner, the result of the calculation is equal to the remainder of the integer division of the result of the operation considered by the integer n, generally called the modulus.
- the whole number x constitutes a first element of proof because only the entity which generates the random number r, is capable of generating the number x. The random number r is not communicated by the entity that generates it.
- the number r is chosen large enough so that knowledge of the first integer G and of the modulus n does not allow the number r to be found from the number x.
- This first piece of evidence is not sufficient, because such an element can be generated from any random number, by any entity, if the first integer G is included in the public key. It will be noted that, in the method described with reference to FIG. 1, the integer G is not necessarily included in the public key.
- Receipt by entity B of the first piece of evidence x validates a transition 10 which then activates a second step 11.
- in step 11, entity B randomly chooses an integer c in a security interval [0, t - 1] and sends the number c to entity A.
- the number c generated in association with the first piece of evidence by entity B, is common to entities A and B and also to any other entity that infiltrates the dialogue between entities A and B.
- entity A generates an image y of the private key in the form of a linear combination of the number r and the number s whose multiplicative coefficient is the common number c.
- the random number r being very large and not communicated, knowledge of the image y does not make it possible to find the product sc and consequently does not make it possible to find the private key number s, which therefore remains kept secret by entity A. Since only entity A has knowledge of the number s, only entity A can generate an image which integrates the common number c.
- a fourth step 15 is here directly activated following the step
- Receipt by entity B of the second piece of evidence Y validates a transition 16 which then activates a fifth step 17.
- the second piece of evidence Y is such that:
- the probability of not detecting this imposter is equal to 1 / kt.
- the product kt can be chosen relatively small, for example of the order of 2^16.
- n is included in the specific part of the public key, and if the prime factors of n are known to A, then the first step can be accelerated using the technique known as the Chinese remainder technique.
- the first step can be done in advance.
- the k values of x can be part of the public key of A, in which case the protocol begins directly at the second step.
- the calculation of Y can also be carried out by any entity other than A, without loss of security.
- A only calculates y and supplies y to this entity.
- the knowledge of y provides no information on s, since the product is "masked" by the random number r.
- the public key is the quadruplet (n, e, g, v) and the authentication of entity A by entity B takes place by iterating k times the following protocol.
- C denotes any entity other than A.
- step 13 is modified in that the entity A sends the private key image y to an intermediate entity C. As seen above, the image y gives no information on the private key. A reception by the entity C of the image y, validates a transition 14 which then activates the fourth step 15.
- the intermediate entity C is for example implemented in a chip, not necessarily secure, contained in the security device of the prover such as a smart card, in the security device of the verifier such as a payment terminal, or in another device such as a computer.
- Security resides in the fact that entity C cannot find by itself a suitable value Y, that is to say such that the verification equation is satisfied.
- step 3 the calculation of Y is shared between entities A and C.
- the process takes place in an identical manner to that described with reference to FIG. 1 up to step 13.
- u is a positive integer and y' is an integer less than 2^u.
- Decomposition is easy to do.
- the first partial image y' is represented by the u least significant bits of this word.
- the second partial image is represented by the remaining most significant bits of this computer word.
- the fourth step to calculate the second piece of evidence is here broken down into two substeps 18 and 25.
- the first substep 18 is executed by the entity A directly following the step 13.
- entity A also calculates a second component g' of the second piece of evidence according to the formula:
- the entity A sends to the intermediate entity C the two components g', Y' and the second partial image y''.
- the security is reinforced by the fact that the private key image y is not fully disclosed
- the computational burden of Entity A is reduced by the fact that the second piece of evidence is not fully computed by Entity A.
- Step 19 can also be introduced before transition 16 in the examples of FIGS. 1, 2 and 4.
- the previously described protocols can be transformed into message authentication protocols or digital signature schemes.
- FIG. 4 shows process steps which make it possible to authenticate that a message M received by the first entity B, has been sent by the second entity A.
- instead of sending x to entity B, entity A generates a first piece of evidence x' by applying to the message M together with the number x a function h, for example equal to a cryptographic hash function or including a cryptographic hash function, such that: x' = h(x, M). Entity A then sends the message M and the first piece of evidence x' to entity B.
- Reception by entity B of the first piece of evidence x validates a transition 21 which then activates a second step 11.
- the method then continues in an identical manner to that described with reference to one of FIGS. 1 to 3.
- step 11 entity B randomly chooses an integer c in a security interval [0, t - 1] and sends the number c to entity A.
- the number c generated in association with the first piece of evidence by entity B, is common to entities A and B and also to any other entity that infiltrates the dialogue between entities A and B.
- entity A generates an image y of the private key in the form of a linear combination of the number r and the number s whose multiplicative coefficient is the common number c.
- since the random number r is very large and is not communicated, knowledge of the image y does not allow the product sc to be found and, consequently, does not allow the private key number s to be found; s therefore remains kept secret by entity A.
- since only entity A has knowledge of the number s, only entity A can generate an image which integrates the common number c.
- the entity A sends the private key image y to an intermediate entity C. As seen above, the image y gives no information on the private key.
- the message signature is independent of the sender.
- the signature of a message M by the entity A remains valid if the entity B receives the message M from any other entity.
- the first element of proof x thus generated does not need to be sent to entity B because there is no need to authenticate a dialogue between units A and B to verify a signature.
- a third step 24 directly following step 23 the entity
- entity A generates an image y of the private key in the form of a linear combination of the number r and the number s whose multiplicative coefficient is the common number c.
- since the random number r is very large and is not communicated, knowledge of the image y does not allow the product sc to be found and, consequently, does not allow the private key number s to be found; s therefore remains kept secret by entity A.
- the pair (c', y) constitutes a signature of the message M because this pair integrates both the message M and an element of private key which guarantees that the entity A is at the origin of this signature.
- Entity A then sends the message M and the signature (c', y) to entity B or to any other entity.
- Receipt by entity B of the second piece of evidence Y validates a transition 7 which then activates a fifth step 8.
- in step 8, entity B calculates, as in step 17, a verification value V using the formula:
- the agreement with the first piece of evidence is checked by this equality since the common number c' generated in step 23 itself matches the first piece of evidence.
- the reception by the entity C of the image y which validates the transition 4 can result from a reception of the message M with its signature (c', y) coming from the entity A or from any other entity.
- the reception by the entity C of the image y results from a step 3 activated by the transition 2.
- entity B extracts the image y from the signature to send it to entity C.
- in a step 6 executed before validation of the transition 7, the entity B extracts the common number c' from the signature to obtain a number z equal to v c which facilitates the calculation of V in step 8.
- the entities A, B and C described above are materialized respectively in a proving device 30, a verifier device 31 and an intermediate device 32.
- the proving device 30 is for example a microprocessor card such as a credit card or a mobile phone subscriber identification card.
- the checking device 31 is for example a banking terminal, an electronic commerce server or a mobile telecommunication operator's equipment.
- the intermediate device 32 is for example an extension of a microprocessor card, a terminal for reading a credit card or an electronic card for a mobile telephone.
- the proving device 30 comprises communication means 34 and calculation means 37.
- the proving device 30 is protected against intrusion.
- the communication means 34 are arranged to emit the first element of proof x in accordance with step 9 described with reference to FIGS. 1 to 3, the image y of private key in accordance with step 13 described with reference to FIGS. 2 and 4, the second piece of evidence Y in accordance with step 15 described with reference to FIG. 1, the first partial image Y' with the two private key image components g' and y" in accordance with step 18 described with reference to FIG. 3, the message M according to steps 20 or 24 described with reference to FIGS. 4 and 5 or the common number c according to step 24 described with reference to FIG.
- the communication means 34 are also arranged to receive the common number c in accordance with the transition 12 described with reference to FIGS. 1 to 4 when versions of the method to be implemented correspond to authentication. For a version of the method to be implemented corresponding to a signature, the communication means 34 do not need to be arranged to receive the common number c.
- the calculation means 37 are arranged to execute steps 9, 13 and 15 described with reference to Figure 1, steps 9 and 13 described with reference to Figure 2, steps 9, 13 and 18 described with reference to Figure 3, steps 20 and 13 described with reference to Figure 4 or steps 1, 23 and 24 described with reference to Figure 5 depending on the version of the method to be implemented.
- the calculation means 37 comprise a microprocessor and microprograms or combinational circuits dedicated to the calculations described above.
- the checking device 31 includes communication means 35 and calculation means 38.
- the communication means 35 are arranged to transmit one or more common numbers c in accordance with step 11 described with reference to FIGS. 1 to 4 when versions of the process to be implemented correspond to authentication. For a version of the method to be implemented corresponding to a signature, the communication means 35 do not need to be arranged to transmit a common number c.
- the communication means 35 are also arranged to receive the two pieces of evidence x and Y in accordance with the transitions 10 and 16 described with reference to FIGS.
- the communication means 35 are arranged to retransmit the private key image y in accordance with step 3 described with reference to FIG. 5.
- the calculation means 38 are arranged to execute steps 11, 17 and 19 described with reference to Figures 1 to 3, steps 11 and 22 described with reference to Figure 4 or steps 6 and 8 described with reference to Figure 5, depending on the version of the method to be implemented.
- the calculation means 38 comprise a microprocessor and microprograms or combinational circuits dedicated to the calculations described above.
- the intermediate device 32 comprises communication means 36 and calculation means 39.
- the communication means 36 are arranged to emit the second piece of evidence Y in accordance with step 15 described with reference to Figures 2 and 4, step 25 described with reference to Figure 3 or step 5 described with reference to Figure 5.
- the communication means 36 are also arranged to receive the private key image y in accordance with the transition 14 described with reference to Figures 2 and 4, the private key image y in accordance with the transition 4 described with reference to Figure 5 or the partial image y" of private key and the two components g' and Y' of second piece of evidence in accordance with the transition 14 described with reference to Figure 3.
- the calculation means 39 are arranged to execute step 15 described with reference to Figures 2 or 4, step 25 described with reference to Figure 3 or step 5 described with reference to Figure 5, depending on the version of the method to be implemented.
- the calculation means 39 comprise a microprocessor and programs or combinational circuits dedicated to the calculations described above.
- the previously described calculation and communication means are arranged to repeat k times the execution of the previously described steps, each time for a distinct first piece of evidence and a distinct second piece of evidence.
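
The authentication exchange between A, B and the intermediate entity C, and the signature variant (c', y), are shown below as an added example; this is not code from the patent. The page does not reproduce the patent's formulas, so the forms x = g^r mod n, v = g^(-s) mod n, Y = g^y mod n, z = v^c, V = Y·z mod n and c' = h(x, M) are assumptions, as are the toy parameters and all function names.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions; the page gives no formulas or sizes).
N = 1000003 * 1000033      # toy modulus; real deployments need a large n
G = 2                      # base, coprime to N
T = 2**32                  # challenge c is drawn from [0, t-1]
S_BITS = 64                # private key size
R_BITS = S_BITS + 32 + 64  # r far larger than s*c, so y = r + s*c masks s*c

def keygen():
    s = secrets.randbits(S_BITS) | 1
    return s, pow(G, -s, N)             # assumed public key v = g^(-s) mod n

def a_commit():
    r = secrets.randbits(R_BITS)        # secret, never communicated
    return r, pow(G, r, N)              # assumed first evidence x = g^r mod n

def b_challenge():
    return secrets.randbelow(T)         # step 11: c in [0, t-1]

def a_image(r, s, c):
    return r + s * c                    # A's online work: no exponentiation

def c_second_evidence(y):
    return pow(G, y, N)                 # C holds no secret, does the heavy part

def b_verify(x, c, Y, v):
    z = pow(v, c, N)                    # assumed z = v^c
    return (Y * z) % N == x             # V = Y * z must match x

def h(x, M):
    d = hashlib.sha256(x.to_bytes(16, "big") + M).digest()
    return int.from_bytes(d, "big") % T

def a_sign(s, M):
    r, x = a_commit()
    c = h(x, M)                         # assumed: c' derived from x and M
    return c, a_image(r, s, c)          # signature (c', y); x is not sent

def verify_signature(M, sig, v):
    c, y = sig
    Y = c_second_evidence(y)            # done by C on B's behalf
    V = (Y * pow(v, c, N)) % N          # done by B
    return h(V, M) == c
```

Entity A never performs a modular exponentiation after the challenge arrives, and C works only on the image y, which is why the load can be moved off the card without handing over s.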
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/499,563 US7382875B2 (en) | 2001-12-21 | 2002-12-16 | Cryptographic method for distributing load among several entities and devices therefor |
CN028277910A CN1618200B (zh) | 2001-12-21 | 2002-12-16 | 在若干实体与设备间分布负荷的密码法 |
JP2003555732A JP2005513564A (ja) | 2001-12-21 | 2002-12-16 | 負荷を複数のエンティティおよびそのデバイスに分散させるための暗号法 |
EP02799095A EP1456998A1 (fr) | 2001-12-21 | 2002-12-16 | Procede cryptographique permettant de repartir la charge entre plusieurs entites et dispositifs pour mettre en oeuvre ce procede |
KR1020047009924A KR100971038B1 (ko) | 2001-12-21 | 2002-12-16 | 다수의 엔티티와 그에 따른 장치에 부하를 분배하는암호화 방법 |
AU2002364321A AU2002364321A1 (en) | 2001-12-21 | 2002-12-16 | Cryptographic method for distributing load among several entities and devices therefor |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR01/16789 | 2001-12-21 | ||
FR0116789A FR2834153B1 (fr) | 2001-12-21 | 2001-12-21 | Procede cryptographique permettant de repartir la charge entre plusieurs entites et dispositifs pour mettre en oeuvre ce procede |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2003055134A1 (fr) | 2003-07-03 |
WO2003055134A9 (fr) | 2004-07-15 |
Family
ID=8870936
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/FR2002/004366 WO2003055134A1 (fr) | 2001-12-21 | 2002-12-16 | Procede cryptographique permettant de repartir la charge entre plusieurs entites et dispositifs pour mettre en oeuvre ce procede |
Country Status (8)
Country | Link |
---|---|
US (1) | US7382875B2 (fr) |
EP (1) | EP1456998A1 (fr) |
JP (1) | JP2005513564A (fr) |
KR (1) | KR100971038B1 (fr) |
CN (1) | CN1618200B (fr) |
AU (1) | AU2002364321A1 (fr) |
FR (1) | FR2834153B1 (fr) |
WO (1) | WO2003055134A1 (fr) |
-
2001
- 2001-12-21 FR FR0116789A patent/FR2834153B1/fr not_active Expired - Fee Related
-
2002
- 2002-12-16 KR KR1020047009924A patent/KR100971038B1/ko not_active IP Right Cessation
- 2002-12-16 US US10/499,563 patent/US7382875B2/en not_active Expired - Fee Related
- 2002-12-16 WO PCT/FR2002/004366 patent/WO2003055134A1/fr active Application Filing
- 2002-12-16 CN CN028277910A patent/CN1618200B/zh not_active Expired - Fee Related
- 2002-12-16 EP EP02799095A patent/EP1456998A1/fr not_active Withdrawn
- 2002-12-16 JP JP2003555732A patent/JP2005513564A/ja active Pending
- 2002-12-16 AU AU2002364321A patent/AU2002364321A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
EP1456998A1 (fr) | 2004-09-15 |
CN1618200A (zh) | 2005-05-18 |
US7382875B2 (en) | 2008-06-03 |
KR20040096509A (ko) | 2004-11-16 |
JP2005513564A (ja) | 2005-05-12 |
FR2834153A1 (fr) | 2003-06-27 |
AU2002364321A1 (en) | 2003-07-09 |
CN1618200B (zh) | 2010-05-12 |
US20050220298A1 (en) | 2005-10-06 |
KR100971038B1 (ko) | 2010-07-20 |
FR2834153B1 (fr) | 2004-04-23 |
WO2003055134A1 (fr) | 2003-07-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| REEP | Request for entry into the european phase | Ref document number: 2002799095 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2002799095 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2003555732 Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 10499563 Country of ref document: US Ref document number: 1020047009924 Country of ref document: KR |
| COP | Corrected version of pamphlet | Free format text: PAGES 21-23, 27, DESCRIPTION, REPLACED BY CORRECT PAGES 21-23, 27; PAGES 29, 32-38, 42, CLAIMS, REPLACED BY CORRECT PAGES 29, 32-38, 42 |
| WWE | Wipo information: entry into national phase | Ref document number: 20028277910 Country of ref document: CN |
| WWP | Wipo information: published in national office | Ref document number: 2002799095 Country of ref document: EP |