Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs

Definitions

• the present invention relates to an authentication or signature process with a reduced calculations set.
• the invention relates to the public key cryptography domain.
• the entity to be authenticated the prover—possesses a secret key and an associated public key.
• the authenticating entity the verifier—only needs this public key to achieve the authentication.
• the process relates to the set of processes called “zero-knowledge Protocols”, i.e. without any communication of knowledge.
• the authentication is carried out following a protocol that, as it is recognized, and under assumptions considers as perfectly reasonable by the scientific community, discloses nothing about the secret key of the prover.
• the invention relates to zero-knowledge processes based on factoring problems (i.e. on the difficulty to factor large integers into a product of prime numbers).
• the invention is applicable in every system where it is necessary to authenticate parties or messages, or to sign messages, in particular in systems where the amount of calculations to be carried out by the prover is critical. This is especially the case for cards that use a standard microprocessor or low cost cards, with no arithmetic coprocessor (which are often called cryptoprocessor) where cryptographic calculations must be accelerated.
• a typical application of the invention is the electronic purse that requires a very high security level while discarding the use of a cryptoprocessor, either because of the cost or for technical reasons (for example the use of a contactless interface), or both.
• next generation tele-card whose cost constraints are by far stricter than those of the electronic purse.
• c a pseudo-random function
• h a pseudo-random function
• x x
• M the symbol
• Some protocols may involve several openings.
• B sends to A a parameter e selected at random (the “question”). It is the second step.
• A sends to B an “answer” y that is in coherence with the question e, the opening c and the secret key of A (third step).
• n is a compound number that is hard to factor. This number is said to be of the universal type, generated by a trustworthy third party. It is stored and used by all authorised entities.
• the “universal” character of n implies that it is a large number (usually 1024 bits), as breaking the factoring of n should compromise the secret keys of all accredited users.
• modulus n being an individual parameter (in other words each user owns his own n value), this selection may be exploited in the following two ways (which may be advantageously combined):
• n lower than the currently used values typically lower than 1000 bits and for example, ranging between 700 and 800 bits
• breaking the factoring of n only compromises the secret key of the related user and in no way the secret keys of other users; this modification alone reduces the duration of calculations carried out modulo n by 40%
• the user may use the Chinese remainders technique to further reduce the duration of modulo n calculations by 40%, when there are two prime factors; this reduction may be increased when using several prime factors (typically 3 or 4).
• the modulo n calculations can then be reduced by 60%, that is a factor 2, at least.
• the aforementioned entities may be, for example, micro-circuit cards, electronic purses, telecards, and so on . . .
• the zero-knowledge information exchanges and the cryptographic calculations are as follows:
• the size of the number n, expressed in number of bits, is less than 1000. For example, it may be between 700 and 800.
• the present invention also relates to a message signature process to be used by an entity called a “signatory”, this entity being provided with a public key v and a secret key s , which are related by a modulo n operation, where n is an integer called modulus and t is a parameter, a process in which the signatory calculates an opening c that is notably a function of the message to be signed and a number y that is a function of the secret key, transmits the numbers y and c that are the signature and the message, the process being characterised in that the modulus n is specific to the signatory.
• the signatory selects an integer r at random between 1 and n ⁇ 1, calculates a parameter x equal to r t (mod n), calculates a number c that is a function of the parameter x and of the message to be signed, calculates a number y using the secret key s , as a function of numbers r and e , then transmits the numbers c and y as signature.
• the universal parameters of the GUILLOU-QUISQUATER protocol are the modulus n , products of prime numbers, comprising at least 1024 bits, and an integer value t .
• the retained security level is u (lower than or equal to t , commonly equal to t )
• t is the only universal parameter.
• the public key is (n,v), where n has at least 768 bits.
• the secret key may include prime factors from n to take advantage of the second aspect of the invention.
• the parameter t may be included in the public key (in this case, there is no longer any universal parameter).
• the authentication of Alice by Bob is performed as described above, but with faster calculations, which results from a smaller modulus n.
• the gain factor resulting from only one modular multiplication affects the complete set of calculations completed by Alice when carrying out the protocol. This should be the same, for example, with Fiat-Shamir or Girault protocols (in the latter case, no gain should be expected in step 3, as there is no modular computation, but the execution time of this step is negligible with respect to the modular exponentiation of the first one).
• the invention may also be implemented by the Chinese remainders technique, which consists of calculating the values modulo n of the prime factors of n. As these numbers are inevitably smaller, these operations are quickly done. The result modulo n is still to be obtained through a “reconstitution” operation.
• This technique is described in the article of J. J QUISQUATER and C. COUVREUR entitled (Fast Decipherment algorithm for RSA public-key crypto-system” published in “Electronic Letters”, vol. 18, October 1982, pp. 905-907.
• the method of Chinese remainders leads to an acceleration of calculations by a factor ranging from 3 to 4 in the first case, and from 1.5 to 2 in the second case, when the number of prime factors (assumed to be of similar sizes) is larger than 2 and equal to k; the acceleration factor is nearing k 2 in the first case and close to k in the second case.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Storage Device Security (AREA)
• Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
• Collating Specific Patterns (AREA)
• Mobile Radio Communication Systems (AREA)

Applications Claiming Priority (3)

Related Parent Applications (1)

Publications (1)

Family

ID=9541270

Family Applications (2)

Family Applications After (1)

Country Status (9)

Families Citing this family (12)

Citations (12)

• 1999
  • 1999-01-27 FR FR9900887A patent/FR2788909B1/fr not_active Expired - Lifetime
• 2000
  • 2000-01-26 DE DE60000649T patent/DE60000649T2/de not_active Expired - Lifetime
  • 2000-01-26 WO PCT/FR2000/000174 patent/WO2000045549A1/fr active IP Right Grant
  • 2000-01-26 US US12/393,959 patent/USRE42517E1/en not_active Expired - Fee Related
  • 2000-01-26 ES ES00900666T patent/ES2184691T3/es not_active Expired - Lifetime
  • 2000-01-26 US US09/889,557 patent/US7184547B1/en not_active Ceased
  • 2000-01-26 JP JP2000596695A patent/JP4945026B2/ja not_active Expired - Lifetime
  • 2000-01-26 AT AT00900666T patent/ATE226773T1/de not_active IP Right Cessation
  • 2000-01-26 CA CA002360953A patent/CA2360953C/fr not_active Expired - Fee Related
  • 2000-01-26 EP EP00900666A patent/EP1145483B1/fr not_active Expired - Lifetime

Patent Citations (12)

Non-Patent Citations (26)

Also Published As

Similar Documents

Legal Events