WO2016187689A1 - Protocole de signature - Google Patents
Protocole de signature Download PDFInfo
- Publication number
- WO2016187689A1 WO2016187689A1 PCT/CA2015/050476 CA2015050476W WO2016187689A1 WO 2016187689 A1 WO2016187689 A1 WO 2016187689A1 CA 2015050476 W CA2015050476 W CA 2015050476W WO 2016187689 A1 WO2016187689 A1 WO 2016187689A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- signature
- session
- message
- private key
- key
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
Definitions
- the present invention relates to data communication systems and protocols utilized in such systems.
- Data communication systems are used to exchange information between devices.
- the information to be exchanged comprises data that is organized as strings of digital bits formatted so as to be recognizable by other devices and to permit the information to be processed and/or recovered.
- the exchange of information may occur over a publically accessible network, such as a communication link between two devices, over a dedicated network within an organization, or may be between two devices within the same dedicated component, such as within a computer or point of sale device.
- a publically accessible network such as a communication link between two devices
- a dedicated network within an organization or may be between two devices within the same dedicated component, such as within a computer or point of sale device.
- the devices may range from relatively large computer systems through to telecommunication devices, cellular phones, monitoring devices, sensors, electronic wallets and smart cards, and a wide variety of devices that are connected to transfer data between two or more of such devices.
- a large number of communication protocols have been developed to allow the exchange of data between different devices.
- the communication protocols permit the exchange of data in a robust manner, often with error correction and error detection functionality, and for the data to be directed to the intended recipient and recovered for further use.
- a number of techniques collectively referred to as encryption protocols and authentication protocols have been developed to provide the required attributes and ensure security and/or integrity in the exchange of information. These techniques utilize a key that is combined with the data.
- Cryptosystems There are two main types of cryptosystems that implement the protocols, symmetric key cryptosystems and asymmetric or public-key cryptosystems.
- symmetric key cryptosystem the devices exchanging information share a common key that is known only to the devices intended to share the information.
- Symmetric key systems have the advantage that they are relatively fast and therefore able to process large quantities of data in a relatively short time, even with limited computing power.
- the keys must be distributed in a secure manner to the different devices, which leads to increased overhead and vulnerability if the key is compromised.
- Public-key cryptosystems utilize a key pair, one of which is public and the other private, associated with each device.
- the public key and private key are related by a "hard" mathematical problem so that even if the public key and the underlying problem are known, the private key cannot be recovered in a feasible time.
- One such problem is the factoring of the product of two large primes, as utilized in RSA cryptosystems.
- Another is the discrete log problem in a finite cyclic group.
- a generator, a, of the underlying group is identified as a system parameter and a random integer, k, generated for use as a private key.
- Different groups may be used in discrete log cryptosystems including the multiplicative group of a finite field, the group of integers in a finite cyclic group of order p, usually denoted Zp* and consisting of the integers 0 to p-1.
- Public-key cryptosystems reduce the infrastructure necessary with symmetric key cryptosystems.
- a device generates a key pair by obtaining an integer k, which is used as a private key and performing a k-fold group operation to generate the corresponding public-key. In an elliptic curve group, this would be kP.
- the public-key is published so it is available to other devices.
- Devices may then use the key pair in communications between them. If one device wishes to encrypt a message to be sent to another device, it uses the public key of the intended recipient in an encryption protocol. The message may be decrypted and recovered by the other device using the private key.
- the device may also use the key pair in a digital signature protocol.
- the message is signed using the private key k and other devices can confirm the integrity of the message using the public key kP.
- a digital signature is a computer readable data string (or number) which associates a message with the author of that data string.
- a digital signature generation algorithm is a method of producing digital signatures.
- Digital signature schemes are designed to provide the digital counterpart to handwritten signatures (and more).
- a digital signature is a number dependent on some secret known only to the signer (the signer's private key), and, additionally, on the contents of the message being signed.
- a digital signature scheme with appendix which requires the original message as input into the verification process.
- a digital signature scheme with message recovery which does not require the original message as input to the verification process. Typically the original message is recovered during verification.
- a digital signature scheme with partial message recovery which requires only a part of the message to be recovered.
- the present application is concerned with asymmetric digital signatures schemes with appendix.
- asymmetric means that each entity selects a key pair consisting of a private key and a related public key. The entity maintains the secrecy of the private key which it uses for signing messages, and makes authentic copies of its public key available to other entities which use it to verify signatures.
- Appendix means that a cryptographic hash function is used to create a message digest of the message, and the signing transformation is applied to the message digest rather than to the message itself.
- a digital signature must be secure if it is to fulfill its function of non-repudiation.
- Various types of attack are known against digital signatures.
- the types of attacks on Digital Signatures include:
- An adversary is able to forge a signature for at least one message.
- Digital signature schemes can be used to provide the following basic cryptographic services: data integrity (the assurance that data has not been altered by unauthorized or unknown means), data origin authentication (the assurance that the source of data is as claimed), and non-repudiation (the assurance that an entity cannot deny previous actions or commitments). Digital signature schemes are commonly used as primitives in cryptographic protocols that provide other services including entity authentication, authenticated key transport, and authenticated key agreement.
- Integer Factorization (IF) schemes which base their security on the intractability of the integer factorization problem. Examples of these include the RSA and Rabin signature schemes.
- Discrete Logarithm (DL) schemes which base their security on the intractability of the (ordinary) discrete logarithm problem in a finite field. Examples of these include the EIGamal, Schnorr, DSA, and Nyberg-Rueppel signature schemes.
- One signature scheme in wide spread use is the elliptic curve digital signature algorithm (ECDSA). To generate the signature it is necessary to hash the message and generate a public session key from a random integer.
- One signature component is obtained by a modular reduction of one co-ordinate of the point representing the public session key, and the other signature component combines the hash and private keys of the signer. This requires inversion of the session private key, which may be relatively computationally intensive.
- Verification requires the hashing of the message and inversion of the other component.
- Various mathematical techniques have been developed to make the signing and verification efficient, however the hashing and modular reduction remain computationally intensive.
- a method for generating an elliptic curve cryptographic signature comprising a first component and a second component for a message using a long term private key, a session private key and a session public key generated from the session private key, the method comprising: generating a first signature component using an x coordinate of the session public key and the message; generating a second signature component by combining the long term private key and the first signature component to provide a first result, subtracting the first result from the session private key to provide a second result, and combining the second result with the session private key.
- a cryptographic correspondent device comprising a processor and a memory, the memory having stored thereon a long term private key, the device further having associated therewith a cryptographic corresponding long term public key generated using the long term private key and a cryptographic generator, and an identity, the memory further having stored thereon computer instructions which when executed by the processor cause the processor to implement a elliptic curve cryptographic signature scheme comprising: generating a session private key and cryptographic corresponding session public key; generating a first signature component using an x co-ordinate of the session public key and the message ; and generating a second signature component by combining the long term private key and the first signature component to provide a first result, subtracting the first result from the session private key to provide a second result, and combining the second result with the session private key.
- a signature may be verified by: reconstructing the session public key from the signature components, a long term public key corresponding to the long term private key, and a base point generator; recovering the x co-ordinate of the reconstructed session public key; generating an intermediate component from the first signature component and the message; and verifying the signature by comparing the intermediate component and the recovered x co-ordinate of the session public key.
- Figure 1 is a schematic representation of a data communication system
- Figure 2 is a representation of a device used in the data communication system of Figure 1 ;
- Figure 3 is a flow chart showing the protocol implemented between a pair of devices shown in Figure 1.
- a data communication system 10 includes a plurality of devices 12 interconnected by communication links 14.
- the devices 12 may be of any known type including a computer 12a, a server 12b, a cellphone 12c, ATM 12d, and smart card 12e.
- the communication links 14 may be conventional fixed telephone lines, wireless connections implemented between the devices 12, near field communication connections such as Blue tooth or other conventional form of communication.
- the devices 12 will differ according to their intended purpose, but typically, will include a communication module 20 (figure 2) for communication to the links 14.
- a memory 22 provides a storage medium for non-transient instructions to implement protocols and to store data as required.
- An arithmetic logic unit (ALU) 26 is provided to perform the arithmetic operations instruction by the memory 22 using data stored in the memories 22, 24.
- a random or pseudo random number generator 28 is also incorporated to generate bit strings representing random numbers in a cryptographically secure manner.
- the memory 22 also includes an instruction set to condition the ALU 26 to perform a block cipher algorithm, such as an AES block cipher, as described more fully below.
- the device 12 illustrated in Figure 2 is highly schematic and representative of a conventional device used in a data communication system.
- the memory 22 stores system parameters for the cryptosystem to be implemented and a set of computer readable instructions to implement the required protocol.
- elliptic curve domain parameters consist of six quantities q, a, b, P, n, and h, which are:
- the cofactor h which is the number such that hn is the number of points on the elliptic curve.
- the parameters will be represented as bit strings, and the representation of the base point P as a pair of bit strings, each representing an element of the underlying field. As is conventional, one of those strings may be truncated as the full representation may be recovered from the other co-ordinate and the truncated representation.
- the secure memory module 24 contains a bit string representing a long term private key d, and the corresponding public key Q.
- the key Q dP.
- Ephemeral values computed by the ALU may also be stored within the secure module 24 if their value is intended to be secret.
- a digital signature protocol is required when one of the devices 12 sends a message, m, to one or more of the other devices, and the other devices need to be able to authenticate the message.
- the message may, for example, be a document to be signed by all parties, or may be an instruction to the ATM 12d to transfer funds.
- each device will be identified as an entity, such as Alice or Bob, as is usual in the discussion of cryptographic protocols, or as a correspondent. It will be understood however that each entity is a device 12 performing operations using the device exemplified in figure 2.
- the entity Alice composes a message m which is a bit string representative of the information to be conveyed to another entity Bob.
- the signature scheme takes as its input the message, m, and the signer's (Alice's) private key d, which is an integer.
- the verification scheme takes as input the message, m, the signer's public key, Q, which is an element of the group generated by the generating point P, and a purported signature on message by the signer.
- the signature comprises a pair of signature components, computed by the signer and sent to the recipients, usually with the message, m.
- the value k is the ephemeral (or, short term or session) private key of Alice.
- the ephemeral public key K is represented by a pair of bits strings, x,y, both of which are elements of the underlying field, as shown at block 304.
- the component s is an integer
- the signature on the message m is the pair of components r, s.
- the message m is sent by Alice, together with the signature (r,s) to Bob, using the communication module 20.
- K' s'(1-s') "1 P+r'(1-sy 1 Q.
- (r',s') is the signature received by Bob
- Q is the public key of Alice, which has been obtained from a trusted source, such as a certificate signed by a Certificate Authority ("CA”) and sent by Alice to Bob.
- CA Certificate Authority
- the x co-ordinate x' of the point K' is obtained and, at block 318, compared to (r' - e) (mod n), and if they are the same, the signature is verified, as shown at block 320. If not, the signature is rejected and the message may be considered invalid, as shown at block 322.
- the verification protocol requires: a. Check that r' and s' are in the interval [0,n-1], and s' ⁇ 1. If either check fails, then output 'invalid'.
- m). An alternative computation is available, using a block cipher, such as the AES block cipher, to compute r E x (m). In an embodiment, the coordinate x is used as the symmetric encryption key for the block cipher, E, which is performed in the ALU.
Abstract
La présente invention concerne des systèmes de communication de données et des protocoles de chiffrement asymétrique avec un appendice utilisés dans de tels systèmes. Fondamentalement, un système de signature numérique devrait être infalsifiable en cas d'attaque par message choisi. Actuellement, le système de signature généralement utilisé est l'algorithme de signature numérique à courbe elliptique (ECDSA) ; cependant, il nécessite une inversion d'une clé privée de session, ce qui peut être relativement intensif en calculs. Ainsi, une signature peut être vérifiée en générant un composant intermédiaire à partir d'un premier composant de signature et d'un message ; et en vérifiant la signature en comparant le composant intermédiaire et une coordonnée x récupérée de la clé publique de session.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CA2015/050476 WO2016187689A1 (fr) | 2015-05-26 | 2015-05-26 | Protocole de signature |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CA2015/050476 WO2016187689A1 (fr) | 2015-05-26 | 2015-05-26 | Protocole de signature |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016187689A1 true WO2016187689A1 (fr) | 2016-12-01 |
Family
ID=57392300
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CA2015/050476 WO2016187689A1 (fr) | 2015-05-26 | 2015-05-26 | Protocole de signature |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2016187689A1 (fr) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506156A (zh) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | 一种基于椭圆曲线的分布式门限签名方法 |
CN113541926A (zh) * | 2020-04-14 | 2021-10-22 | 成都天瑞芯安科技有限公司 | Sm2三方联合签名方法与系统 |
CN113922958A (zh) * | 2021-12-15 | 2022-01-11 | 深圳市财富趋势科技股份有限公司 | 基于生物识别和sm2协同密码算法的密码保护方法及装置 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120096273A1 (en) * | 2010-10-15 | 2012-04-19 | Certicom Corp. | Authenticated encryption for digital signatures with message recovery |
US20130170644A1 (en) * | 2010-09-17 | 2013-07-04 | Robert John Lambert | Mechanism for Managing Authentication Device Lifecycles |
US20150006900A1 (en) * | 2013-06-27 | 2015-01-01 | Infosec Global Inc. | Signature protocol |
-
2015
- 2015-05-26 WO PCT/CA2015/050476 patent/WO2016187689A1/fr active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130170644A1 (en) * | 2010-09-17 | 2013-07-04 | Robert John Lambert | Mechanism for Managing Authentication Device Lifecycles |
US20120096273A1 (en) * | 2010-10-15 | 2012-04-19 | Certicom Corp. | Authenticated encryption for digital signatures with message recovery |
US20150006900A1 (en) * | 2013-06-27 | 2015-01-01 | Infosec Global Inc. | Signature protocol |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506156A (zh) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | 一种基于椭圆曲线的分布式门限签名方法 |
CN113541926A (zh) * | 2020-04-14 | 2021-10-22 | 成都天瑞芯安科技有限公司 | Sm2三方联合签名方法与系统 |
CN113922958A (zh) * | 2021-12-15 | 2022-01-11 | 深圳市财富趋势科技股份有限公司 | 基于生物识别和sm2协同密码算法的密码保护方法及装置 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9800418B2 (en) | Signature protocol | |
US6446207B1 (en) | Verification protocol | |
McGrew et al. | Fundamental elliptic curve cryptography algorithms | |
US9705683B2 (en) | Verifiable implicit certificates | |
Vaudenay | The security of DSA and ECDSA: Bypassing the standard elliptic curve certification scheme | |
US20130019099A1 (en) | Strengthened Public Key Protocol | |
US9088419B2 (en) | Keyed PV signatures | |
WO2014205570A1 (fr) | Protocole d'agrément de clé | |
Tanwar et al. | Efficient and secure multiple digital signature to prevent forgery based on ECC | |
US20150006900A1 (en) | Signature protocol | |
US20160352689A1 (en) | Key agreement protocol | |
Waheed et al. | Novel blind signcryption scheme for e-voting system based on elliptic curves | |
Kuppuswamy et al. | A new efficient digital signature scheme algorithm based on block cipher | |
WO2016187689A1 (fr) | Protocole de signature | |
Huang et al. | Partially blind ECDSA scheme and its application to bitcoin | |
Chande et al. | An improvement of a elliptic curve digital signature algorithm | |
JP4307589B2 (ja) | 認証プロトコル | |
WO2016187690A1 (fr) | Protocole d'agrément de clé | |
Kwon | Virtual software tokens-a practical way to secure PKI roaming | |
CA2892318C (fr) | Protocole de signature | |
Wang | Signer‐admissible strong designated verifier signature from bilinear pairings | |
Bashir | Analysis and Improvement of Some Signcryption Schemes Based on Elliptic Curve | |
Huang et al. | Convertible Multi-authenticated Encryption Scheme for Data Communication. | |
Manoj et al. | Online Document Repository System | |
Foster | Study and Implementation of Algorithms for Digital Signatures in Network Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15892808 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15892808 Country of ref document: EP Kind code of ref document: A1 |