AU613084B2 - A method and system for authentication of accreditations and of messages with zero-knowledge proof and for the signing of messages, and a station for use in such system, in particular executed as a smart card station

Info

Publication number
AU613084B2
AU613084B2
Authority
AU
Australia
Prior art keywords
accreditation
verifier
verified
identity
mod
Prior art date
Legal status
Ceased
Application number
AU21971/88A
Other versions
AU2197188A (en)
Inventor
Louis C. Guillou
Jean-Jacques Quisquater
Current Assignee
L'ETAT FRANCAIS
Telediffusion de France ets Public de Diffusion
Koninklijke Philips NV
Original Assignee
Philips Gloeilampenfabrieken NV
Events
Application filed by Philips Gloeilampenfabrieken NV
Publication of AU2197188A
Application granted
Publication of AU613084B2
Assigned to TELEDIFFUSION DE FRANCE, L'ETAT FRANCAIS, PHILIPS ELECTRONICS N.V. (request to amend deed and register; assignors: L'ETAT FRANCAIS, N.V. PHILIPS GLOEILAMPENFABRIEKEN, TELEDIFFUSION DE FRANCE)
Current status: Ceased

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • G06Q20/3674Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/0806Details of the card
    • G07F7/0813Specific details related to card security
    • G07F7/0826Embedded security module
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/30Compression, e.g. Merkle-Damgard construction

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Finance (AREA)
  • Computing Systems (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Credit Cards Or The Like (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Pharmaceuticals Containing Other Organic And Inorganic Compounds (AREA)
  • Communication Control (AREA)
  • Semiconductor Integrated Circuits (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)

Abstract

Methods and systems for the authentication of accreditations or messages and of message signatures. Instead of using multiple accreditations and an iterative verification process, a deep-level accreditation is adopted (high exponent p), and a number D between 0 and p-1 is drawn at random. The verification operations include calculation of the D-th power of the inverse accreditation B. The invention is used particularly for chip cards and more especially for bank cards.

Description

AUSTRALIA, PATENTS ACT 1952. COMPLETE SPECIFICATION (ORIGINAL)
Priority: 7th September 1987, France, 8712366
Applicants: N.V. PHILIPS GLOEILAMPENFABRIEKEN; L'ETAT FRANCAIS; TELEDIFFUSION DE FRANCE
Address of Applicant: N.V. Philips Gloeilampenfabrieken, Groenewoudseweg 1, 5621 Eindhoven, The Netherlands
Address for Service: Patent and Trade Mark Attorneys, 49-51 York Street
Complete Specification for the invention entitled "A method and system for authentication of accreditations and of messages with zero-knowledge proof and for the signing of messages, and a station for use in such system, in particular executed as a smart card station", including the best method of performing it known to us.
PHQ 87.030, 02.08.1988
BACKGROUND TO THE INVENTION

The invention relates to a method for authentication of accreditations or of messages with zero-knowledge proof and to a method for the signing of messages. The invention also relates to a system for executing such authentication method and signing method, and to a station for use in such a system.
The invention finds application in the verification of the authenticity of bank cards referred to as "smart" or, more generally, of the authenticity of any medium permitting its holder to control an access (to a set of premises, to a safe, to a database, to a computerized system, to a telephone line, etc.). It is also applicable to the verification of the authenticity of messages of any type that are capable of controlling an opening or a closing, activating or deactivating a system, controlling the starting of an engine, controlling a satellite, triggering an alarm, etc. Finally, the invention permits the signing of a message in such a manner that its addressee is assured of its origin, and can in turn convince a third party as to that origin.
DESCRIPTION OF SELECTED PRIOR ART

The invention is based on two branches of cryptography, namely public-key cryptography and zero-knowledge-proof verification procedures. For ease of reference, these two techniques are recalled briefly. Encoding and decoding techniques have developed considerably, inter alia through the availability of data processors and telecommunication facilities.

In a cryptographic system, a message in clear M is transformed with the aid of a key E to give an encoded message C = E(M). To the key E corresponds an inverse key D, which permits retrieval of the message in clear by the inverse transformation M = D(C). Traditionally, the keys E and D are kept secret and are known only to the interlocutors.
A novel cryptographic system has been developed, in which the encoding key is no longer kept secret but is published. Paradoxically, such revelation does not weaken the security of the system, because knowledge of the key E does not, in practice, permit retrieval of the decoding key D. Such an encoding function is called a "trap" (trapdoor) function: it is particularly difficult to invert, except for a person who knows the value of the trap.
The general principles of these systems have been described in the article by W. DIFFIE and M. HELLMAN entitled "New Directions in Cryptography", IEEE Trans. on Information Theory, vol. IT-22, pp. 644-654, Nov. 1976. See also the article by M. HELLMAN, "The Mathematics of Public-Key Cryptography", Scientific American, August 1979, vol. 241, No. 2, pp. 130-139.
Public-key cryptography may be applied in a particularly effective manner in the system referred to as RSA. This system is described by Martin GARDNER in "A new kind of cipher that would take millions of years to break", Scientific American, August 1977, pp. 120-121. In the RSA system, the trap rests on the factorization of a number into its prime factors. Factorization is a difficult operation. For example, several minutes are required to find, by hand, the prime factors of a modest 5-digit number such as 29,083; these factors are 127 and 229. Obtaining the product of 127 and 229, however, takes only a few seconds. The asymmetry of the operation is therefore obvious. Recourse to a computer accelerates the factorization, but the fact remains that in order to factorize a number of two hundred digits the most powerful computers would be required. Thus, in practice, it is not possible to factorize a very large number.
These properties are exploited in the RSA system in the following manner. Two distinct prime numbers a and b are chosen, and their product N = a.b is formed, where N may have, for example, 500 bits. Further, an integer p is selected which is coprime with the least common multiple of (a-1) and (b-1). In order to encode a message previously put into digital form M, with M in the range 0 to N-1, the p-th power of M is calculated in the ring of integers modulo N, viz. C = M^p mod N. The function "raise to the power p modulo N" then defines a permutation of the integers from 0 to N-1.

In order to decode a message C, it is necessary to extract the p-th root of C in the ring of integers modulo N. This operation amounts to raising C to the power d, d being the inverse of the exponent p modulo the least common multiple of (a-1) and (b-1). If the prime factors a and b are not known, the determination of d is not feasible, and therefore neither is the deciphering operation.
For example, selection of a = 47 and b = 59 gives N = 47.59 = 2773. It is possible to take p = 17. The coding key is therefore defined by the two numbers 2773 and 17. In practice, the numbers used are much larger.

The encoding of a word M which is presented in the form of the number 920 is as follows: C = 920^17 mod 2773 = 948.

Conversely, in order to decipher the number 948, use will be made of an exponent d which is the inverse of 17 modulo 1334, 1334 being the LCM of 46 and 58. This exponent d is 157, since 157.17 = 2669, i.e. 1 modulo 1334. Thus, deciphering of 948 amounts to the calculation of 948^157 mod 2773 = 920, which is indeed the initial message.

Thus, in the RSA system, the numbers N and p can themselves be public (reference is then made to the "public power p"), but the numbers a and b must remain secret. Naturally, it is possible to use more than two prime factors in order to form the number N.
The RSA system is described in United States Patent No. 4,405,829 issued on 20th September 1983. Such a system may serve not only to encipher but also to sign a message.
In the context of the signing of messages, an entity considered to emit messages M, referred to as the signatory, is considered to operate with a public key (N, p). This entity, in order to sign its messages before transmission, adds a redundancy to them in order to obtain a component of the ring of integers modulo N, and then raises this component to the power d (inverse of p) modulo N. The entity in question, holding the secret parameters of the public key, that is to say the two prime factors a and b, has knowledge of d. The signed message is therefore S = [Red(M)]^d mod N.

In order to verify the signature, the addressee of the message uses the public key (N, p) associated with the emitting entity and calculates S^p mod N, which, by hypothesis, gives once again the component encoding the message M with its redundancy. By retrieving the redundancy, the addressee concludes that the message could have been sent only by the entity which claims to have done so, since only that entity was capable of processing the message in this manner.
The operations of enciphering and of signature can be combined. In this case, the transmitter commences by signing its message using its secret key; then it enciphers the result using the public key of its correspondent. On receipt, the correspondent deciphers the message with the aid of its secret key, and then authenticates the message by using the public key of the emitter.

These techniques of cryptography thus lead to various methods of authentication. In order to explain this aspect in greater detail, the authentication of bank "smart" cards will be taken by way of example, without this constituting in any sense a limitation of the scope of the invention.

A bank "smart" card possesses an identity, constituted by a string of information items such as the serial number of the chip, the number of the bank account, a period of validity and an application code. The card can, on request, present these identity information items in the form of a sequence of bits forming a word I.

With the aid of redundancy rules, it is possible to form a number J which is twice as long as I, hereinafter designated Red(I) = J. For example, if the number I is written in the form of quartets, each quartet can be supplemented by a redundancy quartet in such a manner as to form as many octets of the HAMMING encoding type.
The number J is frequently referred to as the "shaded" identity, the shadow being constituted by the redundancy which accompanies the identity.
The International Organization for Standardization (ISO) has specified these solutions in the note ISO/TC97/SC20/N207 entitled "Digital Signature with Shadow", which became the preliminary draft standard DP 9796.
The authority empowered to issue such cards, in the present case the bank, chooses a public-key system (N, p). It publishes the numbers N and p, but keeps the factorization of N secret. The shaded identity J of each card is then considered as a component of the ring of integers modulo N. The bank can extract from it the p-th root in this ring, which, as stated above, requires the knowledge of the prime factors of N, which the bank has. This number, hereinafter designated A, is to some extent the identity of the card signed by the bank; it is referred to as the "accreditation". By definition, A = J^(1/p) mod N. This accreditation number may consist of digits or of alphabetical or other characters.
Authentication of an accreditation now amounts to reading the identity of the card, either in the simple form I or in the shaded form J, then reading the accreditation A from the card, raising the latter to the power p in the ring of integers modulo N, which is possible because the parameters N and p are known, and finally comparing the result, namely A^p mod N, with J. If A^p mod N is equal to J, then the accreditation A is authentic.
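The RSA worked example above (a = 47, b = 59, p = 17), the signature with redundancy S = [Red(M)]^d mod N, and the issuance and direct verification of an accreditation A = J^(1/p) mod N, carried through in one runnable script. This is an added example, not code from the patent: the toy primes are the patent's own, but the concrete redundancy rule for Red(I) is not given on the page, so the rule used here (each data quartet followed by its bitwise complement) is an assumption made for the example, and the one-quartet identities used are constructed so that J stays below the toy modulus 2773.

```python
from math import gcd, lcm
from typing import Optional, Tuple

# Toy parameters taken from the patent's own worked example (a = 47, b = 59,
# p = 17, hence N = 2773 and d = 157). Real cards use N of hundreds of bits.
A_PRIME, B_PRIME, PUBLIC_EXP = 47, 59, 17


def rsa_keypair(a: int, b: int, p: int) -> Tuple[int, int, int]:
    """Return (N, p, d), d being the inverse of p modulo lcm(a-1, b-1).

    For a = 47, b = 59, p = 17: lcm(46, 58) = 1334 and 17 * 157 = 2669 = 2 * 1334 + 1.
    """
    lam = lcm(a - 1, b - 1)
    if gcd(p, lam) != 1:
        raise ValueError("p must be coprime with lcm(a-1, b-1)")
    return a * b, p, pow(p, -1, lam)


def rsa_encrypt(m: int, n: int, p: int) -> int:
    """C = M^p mod N; anyone holding the public key (N, p) can do this."""
    return pow(m, p, n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    """M = C^d mod N; requires d, i.e. the factorisation of N."""
    return pow(c, d, n)


def shade(identity: int, nibbles: int) -> int:
    """Red(I): follow each quartet of I by a redundancy quartet, doubling its length.

    Assumed rule for this example (the page only says "of the HAMMING encoding
    type"): the redundancy quartet is the bitwise complement of the data quartet.
    """
    j = 0
    for i in range(nibbles):
        q = (identity >> (4 * (nibbles - 1 - i))) & 0xF
        j = (j << 8) | (q << 4) | (~q & 0xF)
    return j


def unshade(j: int, nibbles: int) -> Optional[int]:
    """Recover I from J, or None if the redundancy (the "shadow") does not check."""
    if j >> (8 * nibbles):            # stray high bits: not a shaded word of this size
        return None
    identity = 0
    for i in range(nibbles):
        octet = (j >> (8 * (nibbles - 1 - i))) & 0xFF
        q, r = octet >> 4, octet & 0xF
        if r != (~q & 0xF):
            return None
        identity = (identity << 4) | q
    return identity


def sign(m: int, n: int, d: int, nibbles: int) -> int:
    """S = [Red(M)]^d mod N: the p-th root of the shaded message, signer side."""
    j = shade(m, nibbles)
    if j >= n:
        raise ValueError("Red(M) must lie in the ring of integers modulo N")
    return pow(j, d, n)


def verify(s: int, n: int, p: int, nibbles: int) -> Optional[int]:
    """S^p mod N must again carry the redundancy; return M if it does, else None."""
    return unshade(pow(s, p, n), nibbles)


def issue_accreditation(identity: int, n: int, d: int, nibbles: int) -> int:
    """The bank's accreditation A = J^(1/p) mod N is exactly its signature on Red(I)."""
    return sign(identity, n, d, nibbles)


def verify_accreditation(identity: int, accreditation: int, n: int, p: int, nibbles: int) -> bool:
    """Direct check A^p mod N == Red(I). Note that the verifier has read A itself."""
    return verify(accreditation, n, p, nibbles) == identity
```

Because the map x -> x^p mod N is a permutation of the ring, exactly one value of A satisfies A^p = J, so any other value fails verification; the weakness the text goes on to discuss is not that the check is loose but that a verifier who has read A can copy it into a clone card.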
Although this method permits detection of false cards, it nevertheless presents a disadvantage, which is that of revealing the accreditation of the authentic cards. An unscrupulous verifier might therefore reproduce cards identical to the one he has just verified (cards which might be referred to as "clones") by copying the accreditation which he has read from the authentic card.

Now, the authentication of an accreditation does not, strictly speaking, require the communication of the accreditation to the verifier, but only the establishment of a conviction that the card holds an authentic accreditation.

The problem is, therefore, finally that of demonstrating that the card holds an authentic accreditation, without revealing it.

This problem can be resolved by a procedure referred to as "zero-knowledge proof". In such a procedure, the entity which attempts to adduce the proof, the "verified" entity, and the entity which awaits this proof, the "verifier", adopt an interactive and probabilistic behaviour.
By itself, this technique has been described by Shafi GOLDWASSER, Silvio MICALI and Charles RACKOFF in their paper at the 17th ACM Symposium on Theory of Computing, May 1985, entitled "The Knowledge Complexity of Interactive Proof Systems" and published in the proceedings, pp. 291-304. The prime examples were found in graph theory.
Adi SHAMIR was the first to think of using this process in the theory of numbers, and it might be applied to smart cards in the following manner (this is the so-called S process). At the start of the authentication operation, the card proclaims its identity I. The redundancy rules, which are publicly known, permit the deduction of J, twice as long as I, which gives the shaded identity. The card and the verifier both know the numbers N and p published by the card issuer, but only the issuer has the factorisation of the number N available, which is the trap information used to calculate the accreditations.

The authentication operation is continued by repeating the following processing. The card draws, at random, a component r from the ring of integers modulo N, computes its p-th power r^p mod N in the ring, and transmits this power to the verifier by way of title T for the iteration. The verifier draws, at random, a bit d (0 or 1) and interrogates the card with it; the card returns, by way of marker t, for d=0 the component r and for d=1 the product of r and the accreditation in the ring, r.A mod N. In other words, since the draw is unpredictable, the verified must have both r and r.A mod N available, which implies knowledge of A. The verifier then raises the marker t to the power p modulo N and must retrieve, for d=0, the title T, and, for d=1, the product in the ring of the title T and the shaded identity J.
Thus, on the one hand, it is necessary to have the accreditation A available in order to possess simultaneously the two possible values of the marker t, viz. r and r.A. On the other hand, the verifier cannot deduce from this operation the value A of the accreditation since, even if he requests the verified to supply r.A to him, he does not know r, which was drawn at random by the verified. The verifier does indeed know r^p, supplied by way of title by the verified, but is incapable of extracting from it the p-th root modulo N, because he does not know the factorisation of N.
A verified who does not hold an authentic accreditation might bluff by attempting to guess the draw by the verifier. If he bets on d=0 ("tails"), he estimates that the verifier will raise the marker to the power p modulo N and compare the result with the title T. In order to convince the verifier, the verified will then have to supply, by way of title T, the marker raised to the power p. If the bluffer bets, on the other hand, on d=1 ("heads"), he estimates that the verifier will raise the marker to the power p and compare the result with the product of the title T and J. In order to be convincing, he therefore must transmit, by way of title T, the marker raised to the power p divided by J in the ring.

In other words, the verified has one chance in two of giving a correct response if he reverses the chronology of events, that is to say if he does not first determine the title T and then the marker t, but bets on the draw by the verifier and forms the title a posteriori with the aid of a marker drawn at random.

In this probabilistic process, the chances of the verified guessing correctly are one in two in each round, so that, in repeating the round k times, the chances of the bluffer fall to 1/2^k. The security factor of this authentication process is therefore 2^k. In practice, k is of the order of 16 to 24.
In such a process the number p is small, for example 3. It is also possible to use p=2, but in this case certain precautions must be taken in the choice of the prime factors of the number N in order that the function "raise to the square modulo N" be a permutation on the quadratic residues of the ring of integers modulo N: the numbers a and b must be integers of the form 4x+3 (it is recalled that quadratic residues are the components which are squares in the ring), and the shaded identity J must be capable of being modified into a representative quadratic residue before computing the accreditation. This solution is described in the document already mentioned, ISO/TC97/SC20/N207.

The integer N, as in the bank cards of today, may be of the form N = K + 2^320, where K is an integer of 240 bits which is published and known to all terminals. Only the issuer of cards has the factorisation of N available. It is nevertheless recommended to use larger numbers.
The identity I, as in the bank cards of today, may be a word of 160 bits, obtained by chaining a serial number of the chip of 44 bits, a bank account number of 76 bits, an application code of 8 bits and a period of validity of 32 bits. In these circumstances, the shaded identity has 320 bits. The accreditation is then the cube root of this word, modulo N. This is a number of 320 bits.
An improvement to this technique consists in using not the accreditation A itself (A^p mod N = J) but its inverse, designated B. The result of this is B^p J mod N = 1, which simplifies the comparison of the title and of the marker. It is then sufficient to transmit a marker equal to r(dB - d + 1), which is equal either to r if d = 0 or to rB if d = 1, and to compute t^p (dJ - d + 1) mod N in order to find the title T. It is then possible to transmit only a part of the title, for example about one hundred of its bits, or, even better, its image under a compression by a one-way function.
It is recalled that a compression function maps a set of n elements onto a set of m other elements, m being less than n, in such a way that it is virtually impossible to find two elements having the same image.
BRIEF DESCRIPTION OF THE DRAWINGS
The state of the art and the invention are furthermore explained with respect to the following Figures.
Figure 1 represents the abovementioned probabilistic process; Figure 2 likewise illustrates the FS process; Figures 3, 4 likewise illustrate the processes for the techniques S and FS; Figures 5, 6 likewise illustrate a signing process for the techniques S and FS; Further Figures are listed hereinafter.
EXTENSIVE EXPLANATION OF PARTICULAR TECHNIQUES
Figure 1 illustrates this process. The arrows extending from left to right represent a transmission from the verified to the verifier (identity I, title T, marker t) and the arrows extending from right to left a transmission in the opposite direction (bit d drawn at random). A draw at random is represented by a circle associated with a question mark. The symbol ∈ signifies "is a member of" and the numbers between brackets designate the set of integers in the range between the two indicated limits, including the limits. The final comparison deciding on the authenticity of the accreditation is schematically represented by an equality sign surmounted by a question mark. The dashed block indicates a set of operations which are executed k times (iteration).
A process which is even further improved has recently been proposed, which makes use of multiple accreditations. This process has been described in the paper by Amos Fiat and Adi Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Proceedings of CRYPTO '86, Santa Barbara, CA, USA, August 1986, Springer-Verlag, Lecture Notes in Computer Science, Vol. 263, pp. 186-194.
Storing several accreditations in the card leads to an increase in the efficiency of the processing, and to a reduction in the number of iterations required in order to achieve a given level of security in relation to the luck left to the bluffer. In this method, n diversified identities I1 … In are produced, which, supplemented by their shadows, give n shaded diversified identities J1 … Jn. The card contains the n inverse accreditations B1 … Bn, which verify the relations Ji·Bi^p mod N = 1 (i.e. Ji·Bi^2 mod N = 1 with the public exponent 2 taken below).
In this process, which will be designated as FS, each processing or iteration then becomes the following (taking 2 for the public exponent):
the card draws at random a component r in the ring of integers modulo N, and then transmits to the verifier 128 bits of the square of this component in the guise of title T;
the verifier draws at random a word of n bits, b1 … bn, which he transmits to the card;
the card then computes the product of the component r and of the inverse accreditations designated by the one-valued bits of the word b1 … bn, and transmits, in the guise of marker, the value t thus obtained:
t = r·(b1·B1 - b1 + 1)·…·(bn·Bn - bn + 1) mod N;
the verifier tests this marker t by raising it to the square in the ring, and then by multiplying this square by the diversified shaded identities designated by the bits of the word of n bits:
t^2·(b1·J1 - b1 + 1)·…·(bn·Jn - bn + 1) mod N.
The authenticity is proven if the published bits of the title T are retrieved.
Anyone would be able to draw at random a marker t, and then, in the ring, to raise it to the square and to multiply it by a selection of diversified identities in order to form a title T. If this title is given at the start of the processing, and if the question asked is indeed the expected selection, then the marker t is an acceptable response which authenticates the card.
Thus a winning strategy exists for a person who guesses or knows in advance the draw by the verifier.
In order to pass successfully through an iteration, the bluffer must, this time, guess a word of n bits, and no longer just a single bit, as in the GMR process. If the 2^n values are equally probable, the product of the number of accreditations and the number of iterations reduces exponentially the chances left to the bluffer. The security factor of the authentication operation is then 2^(kn). At each iteration, the verified transmits, for example, 128 bits (one quarter of the 512 bits) and a component of the ring, and the verifier transmits n bits.
At each iteration, the verifier and the card each compute a square and execute a number of multiplications equal to the number of one-valued bits in the word of n bits (its Hamming weight).
As another compromise between efficiency of the iteration and the maximum number of multiplications to be executed during the iteration, it is possible to limit the number of one valued bits in the word of n bits, to a certain fraction.
In connection with this technique, reference is made to the paper by Amos Fiat and Adi Shamir at the World Congress on Computing and Communications Protection and Security, Paris, 4th to 6th March 1987, under the title "Unforgeable Proofs of Identity".
Figure 2 attached illustrates diagrammatically this FS process, with the same conventions as Figure 1.
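The FS iteration described above (n inverse accreditations, public exponent 2, challenge word of n bits), as an added example that is code from neither the patent nor the Fiat-Shamir papers. Assumptions made here: the two primes are the Mersenne primes 2^127-1 and 2^521-1 (both of the form 4x+3, but publicly known, so this modulus can be factored by anyone and the parameters serve only to read the protocol); each diversified shaded identity J_i is formed from I, the index i and a counter byte c_i, padded with SHA-256 redundancy, the authority bumping the counter until J_i is a quadratic residue (this stands in for the "modification into a representative quadratic residue" mentioned above); and the card stores the counters beside the inverse accreditations and presents them with its identity, so that the verifier can recompute J_i without knowing the factors of N.

```python
"""Fiat-Shamir (FS) identification with n inverse accreditations B_1..B_n and
public exponent 2, one iteration as described above.  Added example, not
code from the patent or from the FS paper; demo parameters only."""
import hashlib
import secrets

Q1 = (1 << 127) - 1    # assumption: demo prime of the form 4x+3 (public here!)
Q2 = (1 << 521) - 1    # assumption: demo prime of the form 4x+3 (public here!)
N = Q1 * Q2            # published; only the authority should know Q1, Q2


def shaded(identity, i, counter):
    """Diversified shaded identity J_i.  Assumption: I || i || counter,
    padded with 16 bytes of SHA-256 redundancy.  Needs no secret, so the
    verifier recomputes it from I and the counters the card presents."""
    body = identity + bytes([i, counter])
    return int.from_bytes(body + hashlib.sha256(body).digest()[:16], "big")


def is_qr(x):
    """Authority only: x is a square mod N iff it is a square mod Q1 and Q2."""
    return pow(x, (Q1 - 1) // 2, Q1) == 1 and pow(x, (Q2 - 1) // 2, Q2) == 1


def sqrt_mod_n(x):
    """Authority only: one square root of a residue x (Q1, Q2 = 3 mod 4),
    computed modulo each prime and recombined by the Chinese remainder theorem."""
    a1 = pow(x, (Q1 + 1) // 4, Q1)
    a2 = pow(x, (Q2 + 1) // 4, Q2)
    return (a1 * Q2 * pow(Q2, -1, Q1) + a2 * Q1 * pow(Q1, -1, Q2)) % N


def issue(identity, n):
    """Authority: for each i, bump the counter until J_i is a quadratic
    residue, take A_i = sqrt(J_i) and store B_i = A_i^-1, so B_i^2 J_i = 1."""
    counters, Bs = [], []
    for i in range(n):
        c = next(c for c in range(256) if is_qr(shaded(identity, i, c)))
        J = shaded(identity, i, c)
        A = sqrt_mod_n(J)
        assert A * A % N == J
        counters.append(c)
        Bs.append(pow(A, -1, N))
    return counters, Bs


def card_title(r):
    return r * r % N                       # T = r^2 mod N (patent: 128 bits of it)


def card_marker(r, Bs, bits):
    """t = r times the B_i selected by the one-valued bits b_i: one
    multiplication per one-valued bit, i.e. the Hamming weight of the word."""
    t = r
    for b, B in zip(bits, Bs):
        if b:
            t = t * B % N
    return t


def verifier_recompute(t, Js, bits):
    """t^2 times the J_i selected by the same bits: one square plus the
    Hamming-weight multiplications; equals r^2 because B_i^2 J_i = 1."""
    x = t * t % N
    for b, J in zip(bits, Js):
        if b:
            x = x * J % N
    return x


def fs_iteration(identity, counters, Bs):
    """One interactive iteration; a bluffer must guess all n bits (chance 2^-n)."""
    n = len(Bs)
    r = secrets.randbelow(N - 1) + 1                    # card
    T = card_title(r)                                   # card -> verifier
    bits = [secrets.randbelow(2) for _ in range(n)]     # verifier -> card
    t = card_marker(r, Bs, bits)                        # card -> verifier
    Js = [shaded(identity, i, c) for i, c in enumerate(counters)]
    return verifier_recompute(t, Js, bits) == T
```

Only the authority's two helpers (is_qr, sqrt_mod_n) touch Q1 and Q2; the card and the verifier work with N alone. Repeating fs_iteration k times with n accreditations gives the security factor 2^(kn) stated below.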
These processes for the authentication of an accreditation may readily be adapted to the authentication of a message emitted by an entity considered to be accredited. In this case, the title T transmitted by the verified is no longer formed exclusively from r^p mod N, as in the preceding case, but also from the message m to be authenticated. More specifically, it is the result obtained by a compression function (alias hash function), designated f, the arguments of which are m and r^p mod N.
Figures 3 and 4 show schematically these processes in the case of the techniques S and FS.
Finally, these techniques may likewise serve to sign a message. The compression function then plays the part assigned to the draw by the verifier. More specifically, in the process of type S, the signatory draws k components r1, r2, …, rk in the ring of integers modulo N, which will play the part of the various values of r drawn in the course of the k iterations. The signatory raises these integers to the square mod N and computes the compression function f(m, r1^2 mod N, …, rk^2 mod N), which provides a number D having as bits d1, d2, …, dk. Each bit di of this number plays the part which was played by the bit drawn at random in the process for the authentication of an accreditation described hereinabove. The signatory then forms k markers ti = ri·B^di mod N, with i = 1, 2, …, k. The signed message is then the multiplet formed by m, I, d1, …, dk, t1, …, tk.
In order to verify such a signed message, the markers t1, …, tk are raised to the square modulo N and each square is multiplied by J^di modulo N. The compression function f(m, t1^2·J^d1 mod N, …, tk^2·J^dk mod N) is then computed, and the result obtained is compared with the number D, i.e. with the bits d1, d2, …, dk.
When applied to the signing of messages, the number k is larger than in authentication. It is often of the order of 60 to 80 bits and, more precisely, at least bits. In fact, the verification is no longer undertaken in real time, and the fraudulent person therefore has plenty of time to formulate a false signature.
Figures 5 and 6 schematically represent this process in the case of the techniques S and FS, respectively. These techniques of the prior art present certain disadvantages. In particular, the method FS, with the multiplicity of its accreditations, takes up a large space in memory. Moreover, the need to repeat the processings extends the duration of the exchanges. Finally, the multiplicity of markers extends the information items to be added to a message in order to sign it.
SUMMARY OF THE INVENTION
Among other things, it is an object of the invention to remedy these disadvantages. To this end, it utilizes a single accreditation (and no longer multiple accreditations) and a single processing (and no longer a repetition of processings).
More specifically, the subjects of the present invention are a method for the authentication of an accreditation and a method for the authentication of a message, these methods both utilizing, on the one hand, the formulation of an accreditation based on the public-key system and, on the other, zero-knowledge proof.
a) So far as concerns the operation of the formulation of the accreditation, it comprises the following operations:
an authority issuing accreditations chooses two prime numbers, forms the product N of these two numbers, keeps these numbers secret (they constitute the prime factors of N), chooses an integer p and publishes N and p;
for each holder of an accreditation, a digital identity I is formed, and is then supplemented by redundancy in order to form a shaded identity word J;
an accreditation A is formulated by the authority by taking the p-th root of the shaded identity in the ring of integers modulo N (A^p mod N = J);
into an appropriate medium containing a memory, the authority loads the inverse modulo N of the accreditation A, i.e. a number B referred to as the inverse accreditation (B^p J mod N = 1), this number B constituting the accreditation which is to be authenticated.
b) So far as concerns the authentication of the accreditation thus formulated, this operation comprises an interactive and probabilistic digital process of the zero-knowledge proof type, taking place between a medium containing an accreditation, referred to as "the verified", and an authentication element referred to as "the verifier", this process comprising at least one digital processing comprising the following known operations:
the verified first draws a random integer r which is a member of the ring of integers modulo N;
the verified raises this integer r to the power p modulo N, the result being a title T;
the verified then issues at least a portion of the bits of the title T;
the verifier then draws, at random, a number D and requests the verified to undertake certain operations on r and on the inverse accreditation B, these operations being associated with the number D drawn at random by the verifier and being executed in the ring of integers modulo N;
the verified issues to the verifier a number t, referred to as the marker, being the result of these operations;
the verifier undertakes, in his turn, operations relating to the marker t issued by the verified and to the shaded identity J of the verified, these operations being themselves also associated with the number D drawn at random by the verifier and undertaken in the ring of integers modulo N;
the verifier compares the result thus obtained with the bits of the title T which the verified had issued at the start of the verification process, and acknowledges the authenticity of the accreditation if he retrieves these bits.
The process for the authentication of an accreditation according to the invention is characterized in that:
a) in the course of the formulation of the accreditation, the number p serving to extract the p-th root of the shaded identity J is chosen to comprise at least ten bits;
b) for the authentication of the accreditation, the process comprises only a single interactive and probabilistic processing (and not a repetition of such a processing), this single processing consisting of the following operations:
the number which the verifier draws at random is an integer D within the range between 0 and p-1 (including the limits);
the operation which the verified executes in order to issue a marker t is the product, in the ring of integers modulo N, of the component r which it has itself drawn at random and the D-th power of the inverse accreditation B, the marker then being t = r·B^D mod N;
the operations which the verifier executes are the product, in the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J, i.e. t^p J^D mod N;
the comparison operation executed by the verifier then relates to the bits of the title T which are issued by the verified and to the bits obtained by the preceding operation, the authenticity of the accreditation being acquired in a single processing since all the bits of the title issued by the verified are retrieved by the verifier in t^p J^D mod N.
On the other hand, so far as concerns the process for the authentication of a message, the process according to the invention is characterized in that:
a) in the course of the formulation of the accreditation of the principal, the number p serving to extract the p-th root of the shaded identity comprises at least ten bits;
b) for the authentication of the message, the process comprises only a single interactive and probabilistic processing (and not a repetition of such a processing), this single processing consisting of the following operations:
the number which the verifier draws at random is an integer D within the range between 0 and p-1 (including the limits);
the operation which the verified executes in order to issue the marker t is the product, in the ring of integers modulo N, of the component r which it has itself drawn and the D-th power of the inverse accreditation B, the marker then being r·B^D mod N;
the operations which the verifier executes are generating the product, in the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J;
the verifier forms a compression function of the message and of the result of the preceding operations, i.e. f(m, t^p J^D mod N);
the comparison which the verifier executes then relates to the compression function which he has obtained and to the title T which the verified issued to him at the start of the verification process, the authenticity of the message being acquired in a single processing since, at the end of this processing, there is equality between all the bits of the compression function obtained by the verifier and the corresponding bits of the title issued by the verified.
Finally, the subject of the invention is a process for the signing of a message. In this case, the accreditation of the signatory is formulated according to the known public-key process described hereinabove and the signature consists of a known probabilistic digital processing comprising the following operations:
the signatory draws, at random, at least one integer r which is a member of the ring of integers modulo N;
the signatory raises this integer r to the power p modulo N;
the signatory computes a compression function f by adopting as arguments the message m to be signed and the power r^p mod N obtained, which provides a number D;
the signatory forms at least one marker t by executing certain operations on r and on the inverse accreditation B, these operations being associated with the number D and being executed in the ring of integers modulo N;
the signatory transmits the message m, its identity I, the word D and the marker or markers t, the whole forming a signed message.
The process for the signing of a message according to the invention is characterized in that:
a) in the course of the formulation of the accreditation of the signatory, the number p serving to extract the p-th root of the shaded identity is chosen to be large and comprises a plurality of tens of bits;
b) for the operation of signing the message:
the signatory draws at random a single integer r which is a member of the ring of integers modulo N;
the compression function has, as arguments, the message m and the p-th power of r, which provides a number D;
the sole marker produced by the signatory is the product, in the ring of integers modulo N, of the integer r and the D-th power of the inverse accreditation B;
the signatory provides, with the message m, its identity I, the word D and the marker t.
In the first two processes, the number p comprises at least 10 bits and preferably between 16 and 24 bits.
In the process of signing, the number p is larger and comprises a plurality of tens of bits, for example in a range extending to 80 bits and, in any case, at least thirty.
The value of p is, in fact, the security factor of an elementary processing. If p is appropriate for the sought objective, then, although only a single comprehensive accreditation is available, it is possible to be content with a single processing.
BRIEF DESCRIPTION OF THE DRAWINGS (CONTINUED)
The invention will be better understood in the light of the description which follows, which refers to the accompanying drawings. These drawings comprise: Figures 1 to 6, already described, which illustrate the processes S and FS of the prior art; Figure 7, which illustrates the process for the authentication of an accreditation according to the invention; Figure 8, which illustrates the process for the authentication of a message according to the invention; Figure 9, which illustrates the process for signing a message according to the invention; Figure 10, which shows diagrammatically an assembly permitting the implementation of the processes of the invention.
DESCRIPTION OF A PREFERRED EMBODIMENT
The conventions used in Figures 7 to 9 are the same as those of Figures 1 to 6. In all cases, the accreditation is obtained by the use of a number p which is large. This accreditation is called "comprehensive", as opposed to the customary accreditations, for which p was of the order of 2 or 3 and which are relatively "superficial". Thus, in the case of smart cards, the following processing is done: the card draws, at random, a component r in the ring of integers modulo N, and gives, in the guise of title T, 128 bits of the public power of this component (r^p mod N); the verifier draws, at random, an exponent D from 0 to p-1 and transmits it to the card; the card computes the marker t, which is the product (in the ring) of the component r and the D-th power of the accreditation B (t = r·B^D mod N); the verifier computes, in the ring, the product of the p-th power of the marker t and the D-th power of the shaded identity J, i.e. t^p·J^D mod N.
The proof is accepted if all the published bits of the title T are thus retrieved.
Anyone who has guessed the question of the verifier (the exponent D) can draw, at random, a marker t, and then undertake in advance the computations of the verifier, that is to say form the product, in the ring, of the marker t to the exponent p and the shaded identity J to the exponent D. If this product is given as title T at the start of the iteration, and if the question posed is indeed D, then the marker t is an acceptable response.
This reasoning, indicating a winning strategy for the person guessing, shows that it is not possible to distinguish data originating from the recording of a successful operation from data originating from a masquerade constructed by inverting the chronology of the iteration, that is to say by choosing the exponent before the title. The verifier collects information items which are impossible to distinguish from those which he could have produced alone, without interaction with the verified, which shows that the accreditation does indeed remain secret in the card.
In order to complete successfully an authentication processing, the bluffer must guess an exponent D. If the p values of D are equally probable, the chance left to the bluffer is 1/p. The security factor is therefore p.
In such a processing, the verified transmits approximately one hundred bits and a component of the ring; the verifier transmits an exponent D. In order to complete a processing, the verified computes, first of all, the public power of the component r drawn at random, and then the product of this component r and the D-th power of the accreditation B. The verifier undertakes slightly less computation for the purpose of retrieving the title T, since he can intelligently combine the power computations: the D-th power of the shaded identity J and the p-th power of the marker t.
If the exponent p has the value 2^16, then the exponent D is a number having 16 bits. Thus, in a single processing, with a security factor of 2^16, i.e. 65536, the verified computes in the ring 16 squares (for r^p), and then 16 squares and a mean of 8 multiplications (for B^D). The verifier computes only 16 squares and, on average, 8 multiplications.
The process for the authentication of a message is illustrated in Figure 8 with the same conventions, the difference in relation to Figure 7 consisting solely in the formation of the compression function f.
In order to sign a message, the holder of the accreditation B of comprehensiveness p commences by drawing, at random, a component r in the ring, and then computes the public power of the component r (r^p mod N). He then produces an exponent D by virtue of the compression function f applied to the concatenation of the message m and of the public power of the component r. The marker t is the product of the component r and the D-th power of the accreditation B. The signed message is the concatenation of the identity I, of the message m, of the exponent D and of the marker t.
In order to verify a signature, the verifier computes in the ring the product of the marker t to the power p and the shaded identity J (reconstructed from the proclaimed identity I) to the power D, in order to reconstitute what must be the public power of the component r. Finally, the verifier must retrieve the exponent D by applying the function f to the concatenation of the message and of the reconstituted public power. This is illustrated in Figure 9.
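The three processes of Figures 7 to 9 (single-round authentication of an accreditation, authentication of a message, and signature), as an added example that is not the patent's own code. The same block also covers the single-bit process of Figure 1 and the bluff discussed above: restricting D to {0, 1} and repeating the round k times gives that process, and bluff_title shows what a holder without B can prepare once he has guessed D. Assumptions made here: the primes are the Mersenne primes 2^127-1 and 2^521-1 (publicly known, so the modulus protects nothing); the redundancy of the shaded identity is 16 bytes of SHA-256(I); the compression function f is SHA-256 over m || x; the public exponent is 2^16+1 (17 bits, odd, and coprime to (q1-1)(q2-1), which the p-th root requires) for authentication and 2^64+1 for signing, each with its own accreditation issued for that exponent; and the full title T is compared rather than 128 of its bits.

```python
"""Guillou-Quisquater single-round authentication, message authentication and
signature with one "comprehensive" accreditation (Figures 7 to 9).  Added
example following the patent text, not the patent's code; demo parameters."""
import hashlib
import secrets

Q1 = (1 << 127) - 1          # assumption: demo prime (secret to the authority in reality)
Q2 = (1 << 521) - 1          # assumption: demo prime
N = Q1 * Q2                  # published by the authority
PHI = (Q1 - 1) * (Q2 - 1)    # known to the authority only
P_AUTH = (1 << 16) + 1       # 17-bit odd prime: security factor 65537 in one round
P_SIGN = (1 << 64) + 1       # larger exponent for signatures (the text suggests 2^64 + 1)
NBYTES = (N.bit_length() + 7) // 8


def shade(identity):
    """Shaded identity J: I supplemented by redundancy.
    Assumption: the redundancy is the first 16 bytes of SHA-256(I)."""
    return int.from_bytes(identity + hashlib.sha256(identity).digest()[:16], "big")


def issue_accreditation(identity, p):
    """Authority: A = J^(1/p) mod N; the card receives B = A^-1 mod N."""
    J = shade(identity)
    A = pow(J, pow(p, -1, PHI), N)       # p-th root; requires gcd(p, PHI) == 1
    B = pow(A, -1, N)
    assert pow(B, p, N) * J % N == 1     # B^p J = 1 mod N
    return B


def compress(message, x):
    """Compression function f(m, x).  Assumption: SHA-256 over m || x."""
    return int.from_bytes(hashlib.sha256(message + x.to_bytes(NBYTES, "big")).digest(), "big")


def title(r, p):
    return pow(r, p, N)                        # T = r^p mod N        (card)


def marker(r, B, D):
    return r * pow(B, D, N) % N                # t = r B^D mod N      (card)


def recompute(t, J, D, p):
    return pow(t, p, N) * pow(J, D, N) % N     # t^p J^D mod N = r^p  (verifier)


def authenticate(identity, B, p=P_AUTH):
    """Figure 7: one interactive round, challenge D in [0, p-1]."""
    r = secrets.randbelow(N - 1) + 1
    T = title(r, p)                            # card -> verifier
    D = secrets.randbelow(p)                   # verifier -> card
    t = marker(r, B, D)                        # card -> verifier
    return recompute(t, shade(identity), D, p) == T


def authenticate_message(identity, B, message, p=P_AUTH):
    """Figure 8: the title becomes f(m, r^p mod N)."""
    r = secrets.randbelow(N - 1) + 1
    T = compress(message, title(r, p))
    D = secrets.randbelow(p)
    t = marker(r, B, D)
    return compress(message, recompute(t, shade(identity), D, p)) == T


def sign(identity, B, message, p=P_SIGN, r=None):
    """Figure 9: the compression function replaces the verifier's draw of D."""
    r = r or secrets.randbelow(N - 1) + 1
    D = compress(message, title(r, p)) % p
    return (message, identity, D, marker(r, B, D))


def verify(signed, p=P_SIGN):
    message, identity, D, t = signed
    return compress(message, recompute(t, shade(identity), D, p)) % p == D


def bluff_title(t, J, D_guess, p):
    """Without B: choose t first, guess D, publish T = t^p J^D_guess.
    The verifier accepts only if he happens to draw D_guess (chance 1/p)."""
    return recompute(t, J, D_guess, p)
```

Because B^p J = 1 mod N, the verifier's t^p J^D collapses to r^p, which is why one round with a large p suffices; with D in {0, 1} and p = 3 the same functions reproduce the k-iteration process of Figure 1.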
If p is written in 64 arbitrary bits, the signatory undertakes approximately 192 multiplications in the ring (he must compute successively two powers with exponents of 64 bits, without being able to combine them) in order to complete the operation. This complexity is already markedly less than that of the RSA process: 768 multiplications, on average, for an exponentiation modulo a composite number of 512 bits, and 1536 for a composite number of 1024 bits.
If p is written in 64 arbitrary bits, the verifier undertakes only approximately 112 multiplications, since he combines his operations into 64 squares and three times 16 multiplications, on average, in order to compute t^p·J^D mod N in a single step. It is fortunate that the verification is simpler than the formulation of the signature, since each signature is called upon to be verified several times.
However, it is possible to choose 2^64 (that is to say a power of 2) as exponent p in order to simplify the computations, without modifying the security of the system. The raising to the power p is then undertaken by 64 squares. The exponent D is a number of 64 bits. The signature is then undertaken in 160 multiplications. The verification of a signature is reflected, on average, in 96 multiplications in the ring, i.e. 12.5% of the RSA with 512 bits and 6.2% of the RSA with 1024 bits.
In the earlier process FS described hereinabove, with 64 multiple accreditations in the same card, one square and an average of 32 multiplications are required. Thus, the method of the invention involving a comprehensive accreditation is utilized at the cost of a surplus of computations by a multiplicative factor of the order of 3.
When, in the prior art, there is a limitation to 8 accreditations in the card, with 8 markers in the signature (8 iterations, i.e. 40 multiplications), the ratio diminishes slightly further, in favour of the invention.
It is certainly also possible to choose 2^64 + 1 as public exponent (that is to say an odd number). At the cost of only one supplementary multiplication to compute a public power, certain restrictions are lifted in this way with regard to the quadratic residues in the ring (when the exponent p is even, several elements of the ring may correspond to the p-th root, but only one is appropriate).
Figure 10 shows diagrammatically a computer which permits the invention to be implemented, among other things for executing the authentication process. For simplicity, the other station communicating with this computer has not been shown. Either or both stations may be physically realized in a so-called smart card, which, for other purposes, has been published extensively.
The computer shown comprises an input-output interface IO, a central unit CU, a programmable memory of the read-only type (PROM), a read-only memory (ROM) and a random access memory (RAM). The computer further comprises an element G of the noise-generator or random-generator type.
The accreditation and the identity information items recorded in the memory PROM are inaccessible from outside. The programs are recorded in the memory ROM. The memory RAM serves to store computation results. The generator G is used for drawing the various random numbers participating in the process (r on the side of the verified, D on the side of the verifier).
The central unit and the memories may be structured as the monolithic self-programmable microcomputer described in United States Patent 4,382,279.
The compression function may rely upon the DES (Data Encryption Standard) algorithm. There exists a smart card which executes this DES algorithm.

Claims (9)

1. A method for the authentication of an accreditation number with zero-knowledge proof, this accreditation number having been formulated by a process of the public-key type comprising the following operations:
an authority issuing the accreditation number chooses two prime factors, forms the product N of these two factors, keeps secret these factors, chooses an integer p and publishes N and p;
for the holder of the accreditation number, a digital identity I is formed, and supplemented by redundancy in order to form a shaded identity word J;
an accreditation number A is formulated by the authority by taking the p-th root of the shaded identity in the ring of integers modulo N (A = J^(1/p) mod N);
into an appropriate memory the authority loads the inverse modulo N of the accreditation number A, i.e. the inverse accreditation number B (B^p J mod N = 1), which is to be authenticated;
the authentication of the accreditation number comprising an interactive and probabilistic digital process of the zero-knowledge proof type and taking place between a medium containing the memory, this medium being referred to as "the verified", and an authentication element referred to as "the verifier", this process comprising at least one digital processing comprising the following operations:
the verified draws first of all a random integer r which is a member of the ring of integers modulo N;
the verified raises this integer r to the power p modulo N, the result being referred to as the title T;
the verified then issues at least a portion of the bits of the title T;
the verifier then draws a second random number (d) and requests the verified to undertake predetermined operations on r and on the inverse accreditation number B, these operations being associated with the number drawn at random by the verifier and being executed in the ring of integers modulo N;
the verified issues to the verifier a number t, referred to as the marker, being the result of these operations;
the verifier undertakes, in his turn, operations relating to the marker t issued by the verified and to the shaded identity J of the verified, these operations being themselves also associated with the number d drawn at random by the verifier and undertaken in the ring of integers modulo N;
the verifier compares the result thus obtained with the bits of the title T which the verified issued at the start of the verification process, and acknowledges the authenticity of the accreditation if he retrieves these bits;
this process being characterized in that:
a) in the course of the formulation of the accreditation the number p serving to extract the p-th root of the shaded identity comprises at least ten bits;
b) for the authentication of the accreditation the process comprises only a single interactive and probabilistic processing having the following operations:
the number which the verifier draws at random is an integer D within the interval between 0 and p-1 (including the limits);
the operation which the verified executes in order to issue a marker t is the product, in the ring of integers modulo N, of the component r which it has itself drawn at random and the D-th power of the inverse accreditation B, the marker then being t = r·B^D mod N;
the operations which the verifier executes are the product, in the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J, i.e. t^p J^D mod N;
the comparison operation executed by the verifier then relates to the bits of the title T which are issued by the verified and to the bits obtained by the preceding operation, the authenticity of the accreditation being acquired in a single processing step since all the bits of the title issued by the verified are retrieved by the verifier in t^p J^D mod N.
2. A method for the authentication of a message, this message originating from a principal considered to be accredited:
a) the accreditation of a principal consisting of a digital word B obtained by a public-key process comprising the following operations:
an authority issuing accreditations chooses two prime numbers, forms the product N of these two numbers, keeps secret these two numbers, chooses an integer p and publishes N and p,
for each principal a digital identity I is formed, and is then supplemented by redundancy in order to form a word J referred to as the shaded identity,
an accreditation number A is formulated by the authority by taking the p-th root of the shaded identity J in the ring of integers modulo N (A = J^(1/p) mod N),
into an appropriate medium held by the principal the authority loads the inverse modulo N of the accreditation number A, i.e. a number B referred to as the inverse accreditation (B^p·J mod N = 1),
b) the authentication of a message issued by the principal thus accredited consisting of an interactive and probabilistic digital process of the zero-knowledge proof type and taking place between the medium of the principal considered to be accredited and referred to as "the verified" and a verification element referred to as "the verifier", this process comprising at least one digital processing comprising the following operations:
the verified draws first of all, at random, an integer r which is a member of the ring of integers modulo N,
the verified raises this integer r to the power p modulo N and computes a result by a compression function by taking as arguments the message m and r^p mod N, i.e. f(m, r^p mod N), the result being referred to as title T,
the verified then issues at least a portion of the bits of title T,
the verifier then draws, at random, a number D and requests the verified to undertake certain operations on r and on the inverse accreditation B, these operations being associated with the number D drawn at random by the verifier and being executed in the ring of integers modulo N,
the verified issues to the verifier a number t, referred to as the marker, being the result of these operations,
the verifier undertakes, in turn, operations relating to the marker t issued by the verified and to the shaded identity J of the verified, these operations being themselves also associated with the number D drawn at random by the verifier and undertaken in the ring of integers modulo N,
the verifier forms a compression function by taking as arguments the message to be authenticated m and the result of the preceding operation, i.e. f(m, t, J),
the verifier compares the compression function obtained with the title T which the verified issued at the start of the verification process,
this process being characterized in that:
a) in the course of the formulation of the accreditation of the principal, the number p serving to extract the p-th root of the shaded identity comprises at least ten bits,
b) for the authentication of the message, the process comprises only a single interactive and probabilistic processing comprising the following operations:
the number which the verifier draws at random is an integer D within the range between 0 and p-1 (including the limits),
the operation which the verified executes in order to issue a marker t is the product, in the ring of integers modulo N, of the component r which it has itself drawn at random, and the D-th power of the inverse accreditation number B, the marker then being t = r·B^D mod N,
the operations which the verifier executes are generating the product, in the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J,
the verifier forms the compression function of the message and of the result of the preceding operations, i.e. f(m, t^p·J^D mod N),
the comparison which the verifier executes then relates to the compression function which he has obtained and to the title T which the verified has issued to him at the start of the verification process,
the authenticity of the message being acquired in a single processing since, at the end of this processing, there is correspondence between all the bits of the compression function obtained by the verifier and the bits of the title which are issued by the verified.
3. A method for signing a message by an entity, this entity being considered to be accredited,
an authority issuing accreditations chooses two prime numbers, forms the product N of these two numbers, keeps secret the two prime numbers, chooses an integer p and publishes N and p,
for each entity which is a signatory a digital identity I is formed, and is then supplemented by redundancy in order to form a word J referred to as the shaded identity,
an accreditation number A is formulated by the authority by taking the p-th root of the shaded identity J in the ring of integers modulo N (A = J^(1/p) mod N),
into an appropriate medium held by the signatory the authority loads the inverse modulo N of the accreditation number A, i.e. a number B referred to as the inverse accreditation (B^p·J mod N = 1),
b) the signing of a message m by a signatory of identity I consisting of a probabilistic digital processing comprising the following operations:
the signatory draws, at random, an integer r which is a member of the ring of integers modulo N,
the signatory raises this integer r to the power p modulo N,
the signatory computes a compression function f by taking as arguments the message m to be signed and the power r^p obtained,
the signatory forms one marker t by executing certain operations on r and on the inverse accreditation number B, these operations being associated with a number D drawn at random and being executed in the ring of integers modulo N,
the signatory transmits the message m, its identity I, the word D, the marker or markers t, the total forming a signed message,
this process being characterized in that
a) in the course of the formulation of the accreditation of the signatory the number p serving to extract the p-th root of the shaded identity comprises at least thirty bits,
b) for the operation of signing the message:
the signatory draws, at random, only a single integer r which is a member of the ring of integers modulo N,
the compression function has, as arguments, the message m and the p-th power of r, which provides a number D,
the marker produced by the signatory is the product, in the ring of integers modulo N, of the integer r and the D-th power of the inverse accreditation B,
the signatory provides, with the message m, his identity I, the word D and the marker t.
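Claims 1 to 3 share one setup (an authority that knows the factors of N issues B = J^(-1/p) mod N to the holder) and differ only in where the number D comes from and what the verifier compares. The following Python is an added example written for this page, not code from the patent or from its assignees. It assumes constructed toy primes 10007 and 10009, the public exponent p = 2^31 - 1 (which meets the ten-bit bound of claims 1 and 2 and the thirty-bit bound of claim 3), SHA-256 as both the redundancy function that forms J and the compression function f (the claims leave both open), and a signature verification step that mirrors the verifier check of claim 2, since the claims only describe the signing side.

```python
"""Toy walk-through of claims 1 to 3 above: accreditation check, message
authentication and message signature. Added example, not the patent's code;
every parameter and both hash-based functions are constructed assumptions."""
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumption). The two primes stay with the
# authority; N and p are published. Real moduli are far larger; the small
# primes only keep the arithmetic readable.
P_PRIME, Q_PRIME = 10007, 10009
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)   # secret: lets the authority take p-th roots
p = 2**31 - 1                         # prime, 31 bits: meets the ten-bit bound of
                                      # claims 1-2 and the thirty-bit bound of claim 3
assert gcd(p, PHI) == 1               # so every unit modulo N has a unique p-th root


def shaded_identity(identity: bytes) -> int:
    """J: identity I supplemented by redundancy. The claims leave the redundancy
    open, so (assumption) hash I with a counter until J is a unit modulo N."""
    counter = 0
    while True:
        data = b"GQ-toy|" + identity + counter.to_bytes(4, "big")
        J = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
        if J > 1 and gcd(J, N) == 1:
            return J
        counter += 1


def authority_issue(identity: bytes):
    """Authority: A = J^(1/p) mod N, then B = A^-1 mod N, so that B^p * J = 1 mod N.
    B is what is loaded into the holder's medium (the smart card)."""
    J = shaded_identity(identity)
    A = pow(J, pow(p, -1, PHI), N)    # p-th root: raise to p^-1 modulo phi(N)
    B = pow(A, -1, N)                 # inverse accreditation
    assert pow(B, p, N) * J % N == 1  # the relation every verifier relies on
    return J, B


def compress(message: bytes, value: int) -> int:
    """f(m, x): message and ring element compressed into [0, p-1]
    (assumption: SHA-256 reduced modulo p; the claims leave f unspecified)."""
    data = message + b"|" + value.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p


def verifier_check(J: int, T: int, D: int, t: int) -> bool:
    """Verifier's single step of claim 1: t^p * J^D mod N must equal the title T,
    because t^p J^D = r^p (B^p J)^D = r^p. A D outside [0, p-1] is rejected."""
    return 0 <= D < p and pow(t, p, N) * pow(J, D, N) % N == T


def authenticate_accreditation(J: int, B: int, D=None) -> bool:
    """Claim 1: one interactive round. The verified holds B, the verifier knows J.
    D is normally drawn by the verifier; a caller may fix it for a reproducible run."""
    r = secrets.randbelow(N)                 # verified: random ring element
    T = pow(r, p, N)                         # verified -> verifier: title T = r^p mod N
    if D is None:
        D = secrets.randbelow(p)             # verifier -> verified: D in [0, p-1]
    t = r * pow(B, D, N) % N                 # verified -> verifier: marker t = r * B^D
    return verifier_check(J, T, D, t)


def authenticate_message(message: bytes, J: int, B: int) -> bool:
    """Claim 2: as claim 1, but the title is T = f(m, r^p mod N) and the verifier
    compares f(m, t^p J^D mod N) with it."""
    r = secrets.randbelow(N)
    T = compress(message, pow(r, p, N))
    D = secrets.randbelow(p)
    t = r * pow(B, D, N) % N
    return compress(message, pow(t, p, N) * pow(J, D, N) % N) == T


def sign(message: bytes, identity: bytes, B: int):
    """Claim 3: non-interactive. D comes from the compression function instead of
    a verifier; the signed message is (m, I, D, t) with a single marker t."""
    r = secrets.randbelow(N)
    D = compress(message, pow(r, p, N))
    t = r * pow(B, D, N) % N
    return message, identity, D, t


def verify_signature(signed) -> bool:
    """Check a claim-3 signature. The claims only state the signing side; this
    check (assumption) mirrors claim 2's verifier: rebuild J from I, recompute
    f(m, t^p J^D mod N) and compare it with the transmitted D."""
    message, identity, D, t = signed
    if not 0 <= D < p:
        return False
    J = shaded_identity(identity)
    return compress(message, pow(t, p, N) * pow(J, D, N) % N) == D


if __name__ == "__main__":
    J1, B1 = authority_issue(b"card-0001")
    J2, B2 = authority_issue(b"card-0002")
    print("card 1 proves its accreditation:        ", authenticate_accreditation(J1, B1))
    print("card 2's B checked against identity 1:  ", authenticate_accreditation(J1, B2, D=5))
    print("message authenticated:                  ", authenticate_message(b"debit 10", J1, B1))
    print("signature verifies:                     ", verify_signature(sign(b"debit 10", b"card-0001", B1)))
```

The negative case is the one a verifier cares about: a medium holding some other identity's B fails the check for any challenge other than D = 0, because t^p·J^D then equals r^p times a factor that is 1 only when the two shaded identities coincide. A medium without any valid B can pass only by guessing D before committing to T, which succeeds with probability 1/p; that is why claim 1(a) ties the single-round design to p having at least ten bits, and why claim 3(a) demands at least thirty bits once D is derived from the message rather than drawn by a live verifier. The range check on D in verifier_check and verify_signature is the cheap guard a real verifier should keep, since the claims define D only within [0, p-1].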
4. A system for the authentication of an accreditation number A with zero-knowledge proof, this accreditation number having been formulated by a process of the public-key type comprising the following operations:
an authority issuing the accreditation number chooses two prime factors, forms the product N of these two factors, keeps secret these factors, chooses an integer p that comprises at least ten positions and publishes N and p,
for the holder of the accreditation number, a digital identity I is formed, and supplemented by redundancy in order to form a shaded identity word J,
the accreditation number A is formulated by the authority by taking the p-th root of the shaded identity J in the ring of integers modulo N (A = J^(1/p) mod N),
said system comprising
a memory for storing the inverse modulo N of the accreditation number A, i.e. the inverse accreditation number B (B^p·J mod N = 1), which is to be authenticated,
processing means for executing the authentication operation by means of a single-layer interactive and probabilistic digital process of the zero-knowledge proof type and comprising communication means for communicating between a medium containing the memory called "the verified" and an authentication element called "the verifier", said processing means comprising:
in the verified first random number generating means for generating a first random integer r that is a member of the ring of integers modulo N,
power raising means fed by the first random number generating means for raising r to the power p modulo N to produce a title T,
first transmission means fed by the power raising means for transmitting at least a predetermined bit portion of the title T to the verifier,
in the verifier second random number generating means for generating a second random number D within the interval between 0 and p-1 including the limits thereof,
request means cum second transmission means fed by the second random number generating means for generating and transmitting a processing request to the verified,
in the verified first calculating means fed by the second transmission means to calculate the product in the ring of integers modulo N of the first random integer r and the D-th power of the inverse accreditation number B, to feed the result thereof as a marker t = r·B^D mod N to the first transmission means,
in the verifier second calculating means fed by the first transmission means for calculating the product, within the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J, i.e. t^p·J^D mod N,
in the verifier comparing means fed by the second calculating means and by the first transmission means for comparing said predetermined bit portion to a corresponding bit portion of t^p·J^D mod N, for in a single comparison step upon a detected equality issuing an authenticated accreditation signal.
A system for the authentication of a message m originating from a presumably accredited principal, by means of a digital word B obtained by a public-key process comprising the following operations:
an authority issuing the accreditation number chooses two prime numbers, forms the product N of these two numbers, chooses an integer p, and publishes N and p,
for the principal a digital identity is formed and supplemented by redundancy to form a shaded identity word J,
an accreditation number A is formulated by taking the p-th root of the shaded identity J in the ring of integers modulo N (A = J^(1/p) mod N),
said system comprising
a memory for storing the inverse modulo N of the accreditation number A, i.e. the inverse accreditation number B (B^p·J mod N = 1),
processing means for executing the authentication operation by means of a single-layer interactive and probabilistic process of the zero-knowledge proof type and comprising communication means for communicating between a medium containing the memory called "the verified" and an authentication element called "the verifier", said processing means comprising:
in the verified first random number generating means for generating a first random integer r that is an element of the ring of integers modulo N,
power raising means cum first compression means fed by the first random number generating means for raising r to the power p modulo N and computing a result by means of a compression function that has as arguments the message m and r^p mod N, said result constituting a title T,
first transmission means fed by the first compression means for transmitting at least a predetermined bit portion of the title T to the verifier,
in the verifier second random number generating means for generating a second random number D within the interval between 0 and p-1 including the limits thereof,
request means cum second transmission means fed by the second random number generating means for generating and transmitting a processing request to the verified,
in the verified first calculating means fed by the second transmission means to calculate the product in the ring of integers modulo N of the first random integer r and the D-th power of the inverse accreditation number B, to feed said product as a marker t = r·B^D mod N to the first transmission means,
in the verifier second calculating means fed by the first transmission means for calculating the product, within the ring of integers modulo N, of the p-th power of the marker t and the D-th power of the shaded identity J, i.e. t^p·J^D mod N,
in the verifier second compression means fed by the second calculating means for computing a result by taking as arguments the message to be authenticated and said product,
in the verifier comparing means fed by the said second compression means and by the first transmission means for in a single comparison step comparing said predetermined bit portion to a corresponding bit portion of said result and upon a detected equality issuing an "authentic message signal".
6. A system for signing a message m by a presumably accredited entity, this accreditation number having been formulated by a public-key process comprising the following operations:
an authority issuing the accreditation number chooses two prime factors, forms the product N of these two factors, keeps secret these factors, chooses an integer p that comprises at least thirty bit positions and publishes N and p,
for any entity that is a signatory a digital identity I is formed and supplemented by redundancy in order to form a shaded identity word J,
the accreditation number A is formulated by the authority by taking the p-th root of the shaded identity J in the ring of integers modulo N (A = J^(1/p) mod N),
said system comprising:
a memory medium held by the signatory for storing the inverse modulo N of the accreditation number A, i.e. the inverse accreditation number B (B^p·J mod N = 1),
signature generating means for generating a signature according to a probabilistic digital process, and comprising:
random number generating means for generating a random integer r that is a member of the ring of integers modulo N,
power raising means fed by the random number generating means for raising r to the power p modulo N,
compression means fed by the power raising means for calculating a compression function that has as arguments the message m and r^p mod N to yield a result number D,
product forming means fed by the random number generator and by the compression means to form the product of r and the D-th power of the inverse accreditation number B to yield a sole marker t,
transmission means fed by the product forming means to transmit a signed message consisting of the message m, the identity I, the result number D, and the sole marker t.
7. A station for use as the "verified" in a system as claimed in either Claim 4 or Claim
8. A station for use as the "verifier" in a system as claimed in either Claim 4 or Claim
9. A signature generating station for use in a system as claimed in Claim 6.
A station as claimed in either of Claims 7, 8, or 9, manufactured in the shape of a smart card.
11. A process for the authentication of an accreditation substantially as described herein with reference to Figures 7 to 9 of the accompanying Drawings.
12. An assembly for the authentication of an accreditation number substantially as described herein with reference to Figure 10 of the accompanying Drawings.
DATED THIS EIGHTEENTH DAY OF APRIL 1991
L'ETAT FRANCAIS, TELEDIFFUSION DE FRANCE, N. V. PHILIPS' GLOEILAMPENFABRIEKEN
AU21971/88A 1987-09-07 1988-09-07 A method and system for authentication of accreditations and of messages with zero-knowledge proof and for the signing of messages, and a station for use in such system, in particular executed as a smart card station Ceased AU613084B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR8712366 1987-09-07
FR8712366A FR2620248B1 (en) 1987-09-07 1987-09-07 METHODS OF AUTHENTICATING ACCREDITATIONS OR MESSAGES WITH ZERO KNOWLEDGE AND SIGNATURE OF MESSAGES

Publications (2)

Publication Number Publication Date
AU2197188A AU2197188A (en) 1989-03-23
AU613084B2 true AU613084B2 (en) 1991-07-25

Family

ID=9354667

Family Applications (1)

Application Number Title Priority Date Filing Date
AU21971/88A Ceased AU613084B2 (en) 1987-09-07 1988-09-07 A method and system for authentication of accreditations and of messages with zero-knowledge proof and for the signing of messages, and a station for use in such system, in particular executed as a smart card station

Country Status (10)

Country Link
EP (1) EP0311470B1 (en)
JP (2) JP3158118B2 (en)
KR (1) KR960008209B1 (en)
AT (1) ATE83573T1 (en)
AU (1) AU613084B2 (en)
CA (1) CA1295706C (en)
DE (1) DE3876741T2 (en)
ES (1) ES2037260T3 (en)
FI (1) FI97170C (en)
FR (1) FR2620248B1 (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2663141B1 (en) * 1990-06-11 1992-08-21 France Etat METHOD FOR TRANSFERRING SECRECY, BY EXCHANGING TWO CERTIFICATES BETWEEN TWO RECIPROCALLY AUTHENTICATING MICROCULCATORS.
US4868877A (en) * 1988-02-12 1989-09-19 Fischer Addison M Public key/signature cryptosystem with enhanced digital signature certification
US5005200A (en) * 1988-02-12 1991-04-02 Fischer Addison M Public key/signature cryptosystem with enhanced digital signature certification
FR2654288B1 (en) * 1989-11-08 1996-11-29 Europ Rech Electr Lab METHOD FOR AUTHENTICATING A MICROPROCESSOR CARD AND SYSTEM USING THE SAME.
EP0570388B1 (en) * 1991-02-07 1995-05-24 THOMSON multimedia Method, identification device and verification device for identification and/or performing digital signature
FR2718311A1 (en) * 1994-03-30 1995-10-06 Trt Telecom Radio Electr Device for implementing a message signature system and chip card comprising such a device.
US5539828A (en) * 1994-05-31 1996-07-23 Intel Corporation Apparatus and method for providing secured communications
FR2747257B1 (en) * 1996-04-09 1998-09-11 Gilbert Henri IDENTIFICATION AND / OR SIGNATURE PROCESS
FR2763452B1 (en) * 1997-05-13 1999-06-18 France Telecom PUBLIC KEY IDENTIFICATION PROCESS
FR2763451B1 (en) * 1997-05-13 1999-06-18 France Telecom PUBLIC KEY IDENTIFICATION METHOD USING TWO HASH FUNCTIONS
FR2773406B1 (en) * 1998-01-06 2003-12-19 Schlumberger Ind Sa METHOD FOR AUTHENTICATING INTEGRATED CIRCUIT CARDS
FR2788911A1 (en) * 1999-01-27 2000-07-28 France Telecom Banking message authentication technique having private/public word transfer power two relationship connected with authentication unit knowing relation and carrying out confirmation calculations.
FR2788910A1 (en) * 1999-01-27 2000-07-28 France Telecom Banking message authentication technique having private/public word transfer power two relationship connected with authentication unit knowing relation and carrying out confirmation calculations.
EP1145473B1 (en) * 1999-01-27 2019-04-17 Callahan Cellular L.L.C. Method, system, device for proving the authenticity of an entity and/or the integrity and/or the authenticity of a message using specific prime factors
EP1216536A1 (en) * 1999-10-01 2002-06-26 France Telecom Set of particular keys for proving authenticity of an entity or the integrity of a message
KR20020060189A (en) * 1999-10-01 2002-07-16 마드 리즈크 Set of particular keys for proving authenticity of an entity or the integrity of a message
FR2822002B1 (en) 2001-03-12 2003-06-06 France Telecom CRYPTOGRAPHIC AUTHENTICATION BY EPHEMER MODULES
US7631196B2 (en) 2002-02-25 2009-12-08 Intel Corporation Method and apparatus for loading a trustable operating system
US7444512B2 (en) * 2003-04-11 2008-10-28 Intel Corporation Establishing trust without revealing identity
US8037314B2 (en) 2003-12-22 2011-10-11 Intel Corporation Replacing blinded authentication authority
US7802085B2 (en) 2004-02-18 2010-09-21 Intel Corporation Apparatus and method for distributing private keys to an entity with minimal secret, unique information
US8924728B2 (en) 2004-11-30 2014-12-30 Intel Corporation Apparatus and method for establishing a secure session with a device without exposing privacy-sensitive information
US7809957B2 (en) 2005-09-29 2010-10-05 Intel Corporation Trusted platform module for generating sealed data
US8014530B2 (en) 2006-03-22 2011-09-06 Intel Corporation Method and apparatus for authenticated, recoverable key distribution with no database secrets

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2102606B (en) * 1981-06-19 1985-01-30 Nat Res Dev Apparatus and methods for making payments electronically
FR2536928B1 (en) * 1982-11-30 1989-10-06 France Etat SYSTEM FOR ENCRYPTING AND DECIPHERING INFORMATION, OF THE TYPE USING A PUBLIC KEY DECRYPTION SYSTEM
US4748668A (en) * 1986-07-09 1988-05-31 Yeda Research And Development Company Limited Method, apparatus and article for identification and signature

Also Published As

Publication number Publication date
EP0311470A1 (en) 1989-04-12
JPH01133092A (en) 1989-05-25
DE3876741T2 (en) 1993-06-24
ATE83573T1 (en) 1993-01-15
ES2037260T3 (en) 1993-06-16
CA1295706C (en) 1992-02-11
KR960008209B1 (en) 1996-06-20
FR2620248B1 (en) 1989-11-24
JP2000358027A (en) 2000-12-26
EP0311470B1 (en) 1992-12-16
DE3876741D1 (en) 1993-01-28
AU2197188A (en) 1989-03-23
JP3158118B2 (en) 2001-04-23
FI97170B (en) 1996-07-15
FI97170C (en) 1996-10-25
FI884082A0 (en) 1988-09-05
KR890005634A (en) 1989-05-16
FI884082A (en) 1989-03-08
FR2620248A1 (en) 1989-03-10

Similar Documents

Publication Publication Date Title
US5140634A (en) Method and apparatus for authenticating accreditations and for authenticating and signing messages
AU613084B2 (en) A method and system for authentication of accreditations and of messages with zero-knowledge proof and for the signing of messages, and a station for use in such system, in particular executed as a smart card station
US4926479A (en) Multiprover interactive verification system
Simmons A survey of information authentication
US4748668A (en) Method, apparatus and article for identification and signature
US5483597A (en) Authentication process for at least one identification device using a verification device and a device embodying the process
US4969189A (en) Authentication system and apparatus therefor
Guillou et al. A “paradoxical” indentity-based signature scheme resulting from zero-knowledge
US5581615A (en) Scheme for authentication of at least one prover by a verifier
Stern A new paradigm for public key identification
US5016274A (en) On-line/off-line digital signing
US4933970A (en) Variants of the fiat-shamir identification and signature scheme
Desmedt et al. Special uses and abuses of the Fiat-Shamir passport protocol
EP0522473B1 (en) Cryptographic identity verification method
US4995082A (en) Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system
US5347581A (en) Verification process for a communication system
EP0723349B1 (en) Method and apparatus for secure anonymous message transfer and electronic voting
Pfitzmann et al. Coin-based anonymous fingerprinting
EP0570388B1 (en) Method, identification device and verification device for identification and/or performing digital signature
US6125445A (en) Public key identification process using two hash functions
Brickell et al. Interactive identification and digital signatures
I͡Ashchenko Cryptography: An Introduction: An Introduction
Simmons A protocol to provide verifiable proof of identity and unforgeable transaction receipts
Simmons et al. Zero-knowledge proofs of identity and veracity of transaction receipts
US7389267B2 (en) Electronic verification system and method