Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  • H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/42—Anonymization, e.g. involving pseudonyms
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/46—Secure multiparty computation, e.g. millionaire problem
  • H04L2209/463—Electronic voting
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash

Definitions

• the present invention relates to the field of electronic message signature using cryptographic techniques.
• the electronic signature is a mechanism covered by so-called asymmetric or public key cryptography.
• the signatory has a secret or private key and an associated public key. It produces the signature of a message by applying a cryptographic algorithm to it. using his secret key.
• the verifier can verify the signature by applying the same cryptographic algorithm using the corresponding public key.
• the general principle underlying the concept of group signature is to associate with each member of the group a separate solution to a common difficult problem, this solution being provided by a trusted authority empowered to each new member of the group when registering.
• the member When registering, the member calculates a private signature key of his own and interacts with the trusted authority in order to obtain his own solution to this difficult problem.
• the member and the trusted authority also calculate a member certificate which is strongly linked to the member's private key and possibly to the solution of the member's known problem.
• the member To sign a message on behalf of the group, the member encrypts his certificate with the public encryption key of the trusted authority, and proves that he knows a group member's private key, a solution to the difficult problem and a member certificate associated with the clear text included in the code (proof of membership).
• proof of membership We rely here on cryptography and more particularly on proofs of knowledge to obtain the desired properties of group signatures.
• the verification of a group signature consists in verifying the proof of knowledge, the opening of the signature consisting simply in deciphering the certificate.
• group signature a trusted authority can at any time lift the anonymity of the signatory, that is to say determine the identity of the person in the group who issued a signature.
• this type of signature is said to be "unreliable”, that is to say that it does not make it possible to determine whether or not two signatures have been issued by the same person without lifting the anonymity of the signature. .
• the concept of group signature is therefore unsuitable for electronic voting.
• List signature is thus well suited to voting or electronic polling, since each voter can produce a signature list of his vote, which guarantees his anonymity, while allowing the detection of votes cast by the same person during '' the same election (sequence) given.
• List signature is also well suited to access tickets such as transport tickets or cinema tickets, because the user can produce a list signature which guarantees his anonymity for any access to which he is entitled. by allowing the number of signatures already issued during a given sequence to be determined, so as to allow it access to the service a number of times corresponding to the amount paid.
• some list signatures are said to be "working", that is to say that a trusted authority can determine the identity of the signatory from a signature.
• each member of a list calculates, when subscribing to the list, a private key and obtains from a trusted authority a certificate of member of the list, as well as a solution to a difficult problem.
• the concept of list signature does not allow the lifting of anonymity, it does not include encryption when producing a signature.
• the trusted authority At the start of a given sequence, the trusted authority generates a sequence representative valid only for the duration of the sequence.
• a member of the list provides, as in the group signature, proof that he knows a private key, a solution to the difficult problem and a list member certificate. It also calculates a power of the representative of the sequence whose exponent is the private key. For a given sequence, it is possible to link two signatures produced by the same member of the list, since the representative of the sequence and the private key are fixed for this sequence. We can therefore count the number of signatures issued by each member of the list during the same sequence.
• the present invention aims to eliminate these drawbacks.
• This objective is achieved by providing a method for generating a list signature relating to a message to be signed, comprising steps executed by an electronic hardware support of a member of a list, during which the hardware support electronic generates an electronic signature from the message to be signed, and issues the generated signature.
• the electronic signature is generated solely as a function of the message to be signed, of a sequence number supplied by a trusted authority to the electronic medium, of proof of membership in the list of members, of data specific to electronic material support, and optionally a key from an authority empowered to lift the anonymity of the generated signature.
• the electronic hardware support generates a pseudo-random number as a function of the sequence number used for generating the electronic signature, the pseudo-random number generated varying only as a function of the sequence and data number specific to electronic material support.
• the generation of the pseudo-random number is carried out using an encryption function using a secret key stored by the electronic hardware medium and specific to it.
• the pseudo-random number generated from the sequence number is transmitted with the generated electronic signature.
• the proof of membership of the list of members is constituted by the knowledge of a secret key common to the members of the list.
• the electronic hardware support encryption by an encryption algorithm using the key of the authority empowered to lift the anonymity of the generated signature, an identification code stored by the electronic medium, identifying the member having the electronic medium, for obtain an encrypted identifier which is used for the generation of the electronic signature.
• a pseudo-random number generated from the sequence number is used for the encryption of the member identification code.
• the encrypted identifier is issued with the electronic signature generated.
• the electronic hardware medium receives the sequence number associated with a signature of the sequence number, from a trusted authority, verifies the signature of the sequence number, and refuses to generate a new signature if the signature associated with the sequence number is not correct.
• the electronic material support generates a signature if the number of previously issued signatures is less than or equal to a maximum number of authorized signatures.
• the maximum number of signatures transmitted is initialized when a sequence number is changed.
• the invention also relates to an electronic voting method comprising an election organization phase, during which an organizing authority generates the parameters necessary for an election, and allocates keys to tellers enabling them to decipher and verify ballot papers, a phase of granting a signature right to each of the electors, a voting phase during which the electors sign a ballot, and a counting phase during which the tellers verify the ballot papers, and calculate the result of the ballot according to the content of the deciphered and valid ballot papers.
• the method implements a list signing method in accordance with that defined above, to sign the ballot papers, each voter being registered as a member of a list, a sequence number is generated for the ballot, the maximum number of signatures authorized being equal to 1.
• the invention also relates to an electronic material support comprising means for implementing the method defined above.
• the electronic hardware support is in the form of a cryptographic microprocessor card.
• FIG. 1 represents a system allowing the implementation of the list signing and electronic voting methods, according to the invention
• FIG. 2 schematically represents the functional elements of a smart card that can be used to generate list signatures in accordance with the method according to the invention
• Figure 3 shows in the form of a flowchart a list signing procedure according to the invention, which is not openable and executable by the smart card illustrated in Figure 2;
• FIGS 4 and 5 show in the form of flowcharts list signing procedures according to the invention, which are open and executable by the smart card illustrated in Figure 2;
• FIG. 6 illustrates in the form of flowcharts another variant of list signing procedures according to the invention, which can be executed by the smart card illustrated in FIG. 2;
• Figures 7 to 9 illustrate in the form of flowcharts an application of the list signing method according to the invention to electronic voting.
• the present invention provides a list signing process in which all authorized persons, that is to say belonging to the list, can produce a signature which is anonymous, and whose validity can be verified by anyone without have access to the identity of the member of the list who issued the signature.
• This system comprises terminals 2 made available to users and connected to a network 5 for transmitting digital data, such as the Internet network.
• Each terminal 2 is advantageously connected to a reading device 8 of an electronic material support such as a smart card 7.
• the users can connect to a server 6 giving access to information for example stored in a database 4.
• This system also includes a computer 1 of a trusted authority which in particular delivers smart cards 7 to users.
• the system according to the invention is also based on the establishment of a group signature, as described for example in the aforementioned patent application FR 2 834 403, but nevertheless using a symmetrical or asymmetrical encryption algorithm.
• the trusted authority responsible for the group generates all the keys and parameters necessary for the implementation of the group signature chosen, and places all the public elements of these elements in a directory (for example database 4).
• each member has received from the trusted authority a smart card 7 presenting for example the functional architecture represented in FIG. 2.
• This architecture comprises:
• a microprocessor 11 ensuring the management of internal functions and the execution of application programs stored in a memory of the card, and which may include a cryptographic processor optimized to perform cryptographic calculations; memories 12 comprising a random access memory 14 accessible in reading and writing, allowing the recording by the processor 11 of ephemeral data, for example the intermediate results of the cryptographic calculations, a non-volatile memory 13, for example of the type reprogrammable (EEPROM) and allowing the storage of long-term data after the manufacture of the card, such as personalization data and application programs, a non-volatile memory 15 of the ROM type programmed with immutable data during the manufacture of the smart card and allowing the storage in particular of the internal management program of the smart card and possibly of encryption data; - A communication interface 16 by which the card exchanges data with an appropriate smart card reader 8, and - an internal bus 17 making it possible to connect the aforementioned elements to one another.
• memories 12 comprising a random access memory 14 accessible in reading and writing, allowing the recording by the processor 11 of
• the smart card 7 is preferably secure to prevent access from the outside to certain data stored in particular in the ROM memory 15.
• the memories 12 of the card contain means for producing a group signature using a signature algorithm, an identifier Idj of the member i, a secret key for signing the list SK L which is common to all the members of the list, a secret key SKi known only to the smart card and specific to it, as well as means for generating a pseudo-random number.
• a symmetric or asymmetric encryption algorithm takes as input the message to be encrypted, and possibly a pseudo random number, for example the pseudo random number R i5 which is different each time the algorithm is executed, so as to produce different ciphers of the same message. every time it is executed. On the other hand, if the pseudo-random number is not modified, the cipher obtained for the same message is always the same.
• the trusted authority also manages successive sequences of predetermined durations, for each of which, it randomly generates a unique REPSEQ sequence number which must be different from all the previously generated sequence numbers, and common to all the members of the list. . This number is also preferably signed by the trusted authority.
• the sequence number is for example obtained from a randomly generated element for which the trusted authority calculates a digest using a hash function, for example the SHA-1 function, and formats the result for example by applying the OS2IP function of the PKCS # 1 standard, v2.1.
• a hash function for example the SHA-1 function
• a member of the list uses the smart card 7 which has been given to him by the trusted authority, which receives as input the message M to be signed and the sequence number REPSEQ, via a terminal 2 and a smart card reader 8.
• the smart card then performs the list signing procedure as illustrated. in FIG. 3, this procedure consisting in generating a pseudo random number Ri depending on the smart card, using a pseudo random number generation function PRNG, receiving as input the valid sequence number REPSEQ , this input data serving as a "seed" for the pseudo-random generation function.
• the function is chosen so that two different cards of members of the list necessarily produce two different pseudo-random numbers from the same sequence number REPSEQ.
• the PRNG function is a generic function for all the smart cards delivered to the members of the list and also receives as seed the secret key SK; specific to the smart card 7.
• the list signing procedure executed by the smart card then includes the execution of a group signing algorithm.
• This algorithm consists for example in concatenating the message M to be signed with the pseudo-random number R ; obtained and applying a conventional signature function Sign to the value obtained using the secret list signing key SK L stored by the smart card.
• the signature S which is delivered at the output by the smart card comprises the pseudo-random number R, concatenated with the signature value Si provided by the signature function Sign:
• Ri PRNG (SK ⁇ , REPSEQ) (1)
• Si Sign (SK L , Ri
• the PRNG function is for example performed by a conventional encryption function, for example of the AES (Advanced Encryption Standard) type or else by a modular exponentiation which raises the REPSEQ sequence number to the power SK; modulo n.
• AES Advanced Encryption Standard
• the Sign function chosen is for example of the RSA (Rivest, Shamir, and Adleman) type consisting of a transformation of the value Rj
• M is for example the function OS2LP for converting a character string into a positive integer, provided for in the standard PKCS # 1, v2.1.
• the verification of the signature also includes a verification that the value R; associated with the signature S; corresponds to the value R ; associated with message M in the signature.
• the procedure which has just been described generates a so-called non-opening signature, that is to say it is impossible even for an authority having the necessary rights to lift the anonymity of the signature of list S obtained. If the signature is to be openable, the smart card 7 performs the procedure for signature of list illustrated in FIG. 4.
• this procedure includes the application of an encryption function Enc to the element Idi making it possible to identify the member i of the list having the card, this element consisting of an identifier or part of a certificate issued by a competent authority which knows the link between this part of the certificate and the real identity of the member.
• This encryption uses a public encryption key PK M o which is linked to a private decryption key SK M o belonging to the authority empowered to lift the anonymity of a signature issued by a member of the list.
• the encryption of the Idi identifier can be symmetrical or asymmetrical. If this encryption is asymmetrical, the card stores the public key PK MO . If this encryption is symmetrical, the card securely stores a secret key SK M o known only to the authority empowered to lift the anonymity of the signatures issued by the members of the list.
• the PRNG function can also consist of a conventional encryption function, for example of the AES type.
• the encryption function Enc consists, for example, of a conventional encryption function, for example of the AES or RSA type receiving as input, the key PK M0 and the identifier Id; of member i of the list, and possibly the pseudo-random number R ;.
• the Sign signature function consists, for example, in converting the value Ri
• This algorithm therefore only includes a pseudo-random number calculation and two encryption calculations which can each consist of a simple modular exponentiation.
• the trusted authority wishes to lift the anonymity of the signature, it suffices to apply the decryption function corresponding to the encryption function Enc to the value Ci using the key SK M o- This operation allows it to obtain an identifier which it can then search in its directory (database 4) to find the identity of the signatory member of the list.
• An additional security consists in dividing the trusted authority into two distinct entities.
• the first authority only has the private key SK L and has no knowledge of the identifiers Id ; members of the list: it is the authority of the list which intervenes when registering a new member to the list.
• the second authority only has the SK MO key as well as all the identifiers of the members of the list: it is the opening authority which alone is empowered to lift the anonymity of a signature.
• the second authority can also be divided into several entities having only a respective part of the opening key SK M o in order to be able to decrypt only part of an identifier Id i5 and an authority establishing the connection between an identifier and the identity of the corresponding person.
• a variant raising the security level consists in assigning a respective key SK M0 i to each identifier Id; and to encrypt only the pseudo-random number R; which is used to make encryption probabilistic.
• the lifting of the anonymity of a signature then consists in testing all the encryption keys SK M0 i until obtaining an identifier Idj appearing in the directory.
• FIG. 5 illustrates another openable variant of the list signing method according to the invention.
• the procedure illustrated in this figure differs from that illustrated in Figure 4 simply by the fact that the pseudo-random number R; obtained by the PRNG function is used to make the encryption function applied to the identifier Idi of the member of the list having the smart card 7 probabilistic, the result C of this encryption being concatenated to the message M to be signed and to the signature S generated.
• the signature provided by the smart card contains the signature S produced, concatenated with the encryption value Cj.
• the value Q associated with the signature S remains invariant for the same member of the list and the same sequence number. It therefore makes it possible to determine whether two signatures are issued by the same member of the list.
• To lift the anonymity of the signature it suffices to apply to the value Ci the decryption function corresponding to the encryption function Enc, using the secret key SK M o corresponding to the key PK M o-
• the encryption function Enc can be symmetrical or asymmetrical.
• a single secret key SK M o is used which is memorized by the smart cards of the members of the list and known only to the authority empowered to open signatures.
• the number of signatures capable of being issued by the smart card can be fixed.
• the smart card then comprises means for transmitting an error message during the procedure for transmitting a signature when the number of signatures already issued exceeds a predetermined number.
• the smart card 7 executes the signature generation procedure 40 illustrated in FIG. 7.
• the number of signatures liable to be issued by the smart card is fixed.
• the smart card then comprises means for transmitting an error message during the procedure for transmitting a signature when the number of signatures already issued exceeds a predetermined number.
• the smart card 7 receives the message M to be signed and a sequence number REPSEQ, and checks the validity of the latter, for example using a generated signature by the trusted authority which is transmitted with the sequence number. This verification is carried out with a public key PK A of the trusted authority, stored by the smart card. If the signature associated with the sequence number is not valid, the smart card emits an error message (step 49) and the procedure ends. without any signature being generated by the card.
• the smart card goes to the next step 42 where it compares the sequence number received with a sequence number previously stored in the non-volatile memory 13, and if this number has not been previously stored , it stores it in step 43.
• the maximum number of NBSIG signatures that can be issued is stored once and for all in the non-volatile memory 13 of the card, this number possibly depending on the type of card.
• this number possibly depending on the type of card.
• the maximum number of signatures capable of being transmitted is transmitted with the sequence number and included in the signature which is verified by the smart card in step 41.
• the signature generated by the the trusted authority received by the smart card can relate to the sequence number concatenated with the number of authorized signatures and the current date: (REPSEQ
• the smart card performs an additional step 44 of initialization of a counter CPT with the number received of authorized signatures NBSIG at each change of sequence number.
• step 45 which is executed in the two variants described above and if the stored sequence number is identical to the received sequence number (step 42), the number of signatures capable of being generated NBSIG is decremented in the non-volatile memory 13. If the number obtained is strictly negative (step 46), the smart card emits an error message (step 49). Otherwise, the smart card calculates in step 47 a signature Si of the message M in accordance with one of the list signing methods described above and issues the generated signature Si (step 48).
• the card can also manage a different counter by sequence number. Each time the card receives a new sequence number and, if necessary, a maximum number of NBSIG signatures (if this can be different for each sequence number), it initializes a CPT counter which is stored in a table in association with the sequence number. When the card receives a sequence number with a message to sign, it searches in this table if the received sequence number is stored there, and if this is the case, it updates the associated counter to take account of the new signature generated.
• the list signing process which has just been described can be applied to an electronic voting process.
• the electronic voting method according to the invention comprises several phases including the execution of the procedures for the list signing method described above.
• This process involves the intervention of a trusted authority organizing the elections, which for this purpose performs a procedure 50 for organizing the ballot.
• This procedure consists in generating the data necessary for the smooth running of the elections, a public database accessible to all in which the ballot papers are collected.
• scrutineers are also appointed who will count the votes and determine the result of the election.
• the organizing authority first of all generates the various parameters necessary for setting up a list signature. Voters must then register beforehand, for example in a town hall, on an electoral list so as to receive a smart card 7 as described above, containing all the necessary data, namely an identifier Id ; from member i, a secret list signing key SK L which is common to all the members of the list, and a secret key SK; known only to and specific to the smart card. Using these parameters, voters can participate in all future elections.
• step 51 of procedure 50 the organizing authority also publishes a sequence number m necessary for setting up a new list signing sequence, so as to prevent voters from voting (signing) twice. in this election.
• scrutineers responsible for counting the ballots will create 52 the necessary public / private key pairs, so that they must all cooperate in order to be able to decrypt an encrypted message with the public key.
• the cryptographic system put in place is chosen so as to allow a voter to encrypt a message (ballot) using at least one public key, while requiring the cooperation of all tellers to use the corresponding private key (s), and thus decrypt the message.
• the sharing of the private decryption key between all of the tellers can be done as follows.
• An analogous result can be achieved by encrypting using all of the respective public keys of the tellers. Decryption requiring knowledge of all corresponding private keys.
• each voter issues a ballot by executing a procedure 60 on a terminal.
• the voter selects his vote Vi and encrypts it using the key public scrutineers to obtain an encrypted vote Dj. Then he signs the encrypted vote using the list signing process to obtain a signature Sj.
• the ballot made up of all (Dj, S;) of the vote and the signature, is then published anonymously in a public database 4.
• the voter E j has thus generated his ballot (D j , S j ) which he sends 64 to the public database 4 by means of an anonymous transmission channel, that is to say that is to say prohibiting to link a message transmitted to the transmitter of this one.
• the voter can use a public terminal or a network of mixers for this purpose.
• the tellers carry out the counting of the votes by executing the procedure 70 on the terminal 3.
• This procedure consists first of all in generating 71 the private decryption key X from their respective private keys x; and using formula (3). Then, in step 72, they access the public database 4 of the ballot papers to obtain the ballot papers (D ;, Si) and to decipher them.
• the votes V j thus deciphered and verified, with the result of the corresponding verification, are entered 77 into the database 4 of the ballot papers, in association with the ballot paper (D j , S j ).
• the private decryption key X is also published to allow everyone to check the counting of the ballots.
• this procedure 70 calculates in step 78 the result of the election and updates the public database of ballots by entering this result, and possibly the key private decryption X.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Priority Applications (1)

Applications Claiming Priority (4)

Publications (1)

Family

ID=34978912

Family Applications (1)

Country Status (6)

Families Citing this family (17)

Family Cites Families (17)

• 2005
  • 2005-05-18 US US11/596,548 patent/US8352380B2/en not_active Expired - Fee Related
  • 2005-05-18 CN CN2005800157789A patent/CN1954546B/zh not_active Expired - Fee Related
  • 2005-05-18 JP JP2007517338A patent/JP4818264B2/ja not_active Expired - Fee Related
  • 2005-05-18 WO PCT/FR2005/001248 patent/WO2005122466A1/fr active Application Filing
  • 2005-05-18 EP EP05773026A patent/EP1747639A1/de not_active Withdrawn
  • 2005-05-18 KR KR1020067025556A patent/KR101192875B1/ko not_active IP Right Cessation

Non-Patent Citations (4)

Also Published As

Similar Documents

Legal Events