The present invention relates to systems and methods for cryptographic random number generation.
Random numbers are utilized in many cryptographic operations to provide underlying security. In public key infrastructures, for example, the private key of a key pair is generated by a random number generator and the corresponding public key mathematically derived therefrom. A new key pair may be generated for each session and the randomness of the generator therefore is critical to the security of the cryptographic system.
To provide a secure source of random numbers, cryptographically secure pseudorandom bit generators have been developed in which the security of each generator relies on a presumed intractability of the underlying number-theoretical problem. The American National Standards Institute (ANSI) has set up an Accredited Standards Committee (ASC) X9 for the financial services industry, which is preparing a American National Standard (ANS) X9.82 for cryptographic random number generation (RNG). One of the RNG methods in the draft of X9.82, called Dual_EC_DRBG, uses elliptic curve cryptography (ECC) for its security. Dual_EC_DRBG will hereinafter be referred to as elliptic curve random number generation (ECRNG).
Elliptic curve cryptography relies on the intractability of the discrete log problem in cyclic subgroups of elliptic curve groups. An elliptic curve E is the set of points (x, y) that satisfy the defining equation of the elliptic curve. The defining equation is a cubic equation, and is non-singular. The coordinates x and y are elements of a field, which is a set of elements that can be added, subtracted and divided, with the exception of zero. Examples of fields include rational numbers and real numbers. There are also finite fields, which are the fields most often used in cryptography. An example of a finite field is the set of integers modulo a prime q.
Without the loss of generality, the defining equation of the elliptic curve can be in the Weierstrass form, which depends on the field of the coordinates. When the field F is integers modulo a prime q>3, then the Weierstrass equation takes the form y2=x3+ax+b, where a and b are elements of the field F.
The elliptic curve E includes the points (x, y) and one further point, namely the point O at infinity. The elliptic curve E also has a group structure, which means that the two points P and Q on the curve can be added to form a third point P+Q. The point O is the identity of the group, meaning P+O=O+P=P, for all points P. Addition is associative, so that P+(Q+R)=(P+Q)+R, and commutative, so that P+Q=Q+R, for all points P, Q and R. Each point P has a negative point −P, such that P+(−P)=O. When the curve equation is the Weierstrass equation of the form y2=x3+ax+b, the negative of P=(x, y) is determined easily as −P=(x, y). The formula for adding points P and Q in terms of their coordinates is only moderately complicated involving just a handful of field operations.
The ECRNG uses as input two elliptic curve points P and Q that are fixed. These points are not assumed to be secret. Typically, P is the standard generator of the elliptic curve domain parameters, and Q is some other point. In addition a secret seed is inserted into the ECRNG.
The ECRNG has a state, which may be considered to be an integer s. The state s is updated every time the ECRNG produces an output. The updated state is computed as u=z(sP), where z( ) is a function that converts an elliptic curve point to an integer. Generally, z consists of taking the x-coordinate of the point, and then converting the resulting field element to an integer. Thus u will typically be an integer derived from the x-coordinate of the point s.
The output of the ECRNG is computed as follows: r=t(z(sQ)), where t is a truncation function. Generally the truncation function removes the leftmost bits of its input. In the ECRNG, the number of bits truncated depends on the choice of elliptic curve, and typically may be in the range of 6 to 19 bits.
Although P and Q are known, it is believed that the output r is random and cannot be predicted. Therefore successive values will have no relationship that can be exploited to obtain private keys and break the cryptographic functions. The applicant has recognized that anybody who knows an integer d such that Q=dP, can deduce an integer e such that ed=1 mod n, where n is the order of G, and thereby have an integer e such that P=eQ. Suppose U=sP and R=sQ, which are the precursors to the updated state and the ECRNG output. With the integer e, one can compute U from R as U=eR. Therefore, the output r=t(z(R)), and possible values of R can be determined from r. The truncation function means that the truncated bits of R would have to be guessed. The z function means that only the x-coordinate is available, so that decompression would have to be applied to obtain the full point R. In the case of the ECRNG, there would be somewhere between about 26=64 and 219 (i.e. about half a million) possible points R which correspond to r, with the exact number depending on the curve and the specific value of r.
The full set of R values is easy to determine from r, and as noted above, determination of the correct value for R determines U=eR, if one knows e. The updated state is u=z(U), so it can be determined from the correct value of R. Therefore knowledge of r and e allows one to determine the next state to within a number of possibilities somewhere between 26 and 219. This uncertainty will invariably be eliminated once another output is observed, whether directly or indirectly through a one-way function.
Once the next state is determined, all future states of ECRNG can be determined because the ECRNG is a deterministic function. (at least unless additional random entropy is fed into the ECRNG state) All outputs of the ECRNG are determined from the determined states of the ECRNG. Therefore knowledge of r and e, allows one to determine all future outputs of the ECRNG.
It has therefore been identified by the applicant that this method potentially possesses a trapdoor, whereby standardizers or implementers of the algorithm may possess a piece of information with which they can use a single output and an instantiation of the RNG to determine all future states and output of the RNG, thereby completely compromising its security. It is therefore an object of the present invention to obviate or mitigate the above mentioned disadvantages.
In one aspect, the present invention provides a method for computing a verifiably random point Q for use with another point P in an elliptic curve random number generator comprising computing a hash including the point P as an input, and deriving the point Q from the hash.
In another aspect, the present invention provides a method for producing an elliptic curve random number comprising generating an output using an elliptic curve random number generator, and truncating the output to generate the random number.
In yet another aspect, the present invention provides a method for producing an elliptic curve random number comprising generating an output using an elliptic curve random number generator, and applying the output to a one-way function to generate the random number.
In yet another aspect, the present invention provides a method of backup functionality for an elliptic curve random number generator, the method comprising the steps of computing an escrow key e upon determination of a point Q of the elliptic curve, whereby P=eQ, P being another point of the elliptic curve; instituting an administrator, and having the administrator store the escrow key e; having members with an elliptic curve random number generator send to the administrator, an output r generated before an output value of the generator; the administrator logging the output r for future determination of the state of the generator.
An embodiment of the invention will now be described by way of example only with reference to the appended drawings wherein:
Referring therefore to
This input 16 representing the point P is in a first embodiment, selected from a known value published as suitable for such use.
The input 18 is obtained from the output of a one way function in the form of a hash function 24 typically a cryptographically secure hash function such as SHA1 or SHA2 that receives as inputs the point P. The function 24 operates upon an arbitrary bit string A to produce a hashed output 26. The output 26 is applied to arithmetic unit 12 for further processing to provide the input Q.
In operation, the ECRNG receives a bit string as a seed, which is stored in the register 14. The seed is maintained secret and is selected to meet pre-established cryptographic criteria, such as randomness and Hamming weight, the criteria being chosen to suit the particular application.
In order to ensure that d is not likely to be known (e.g. such that P=dQ, and ed=1 mod n); one or both of the inputs 16, 18 is chosen so as to be verifiably random. In the embodiment of
The points P and Q are applied at respective inputs 16, 18 and the arithmetic unit 12 computes the point sQ where s is the current value stored in the register 14. The arithmetic unit 12 converts the x-coordinate of the point (in this example point sQ) to an integer and truncates the value to obtain r=t(z(sQ)). The truncated value r is provided to the output 20.
The arithmetic unit 12 similarly computes a value to update the register 14 by computing sP, where s is the value of the register 14, and converting the x-coordinate of the point sP to an integer u. The integer u is stored in the register to replace s for the next iteration. {ditto above}
As noted above, the point P may also be verifiably random, but may also be an established or fixed value. Therefore, the embodiment of
In general, inclusion of the point P in the input to the hash function ensures that P was determined before Q is determined, by virtue of the one-way property of the hash function and since Q is derived from an already determined P. Because P was determined before Q, it is clearly understood that P could not have been chosen as a multiple of Q (e.g. where P=eQ), and therefore finding d is generally as hard as solving a random case of the discrete logarithm problem.
Thus, having a seed value S provided and a hash-based function F( ) provided, a verifier can determine that Q=F(S,P), where P may or may not be verifiably random. Similarly, one could compute P=F(S,Q) with the same effect, though it is presumed that this is not necessary given that the value of P in the early drafts of X9.82 were identical to the base points specified in FIPS 186-2.
The generation of Q from a bit string as outlined above may be performed externally of the ECRNG 10, or, preferably, internally using the arithmetic unit 12. Where both P and Q are required to be verifiably random, a second hash function 24 shown in ghosted outline in
It will also be noted that the output generated is derived from the x coordinate of the point sP. Accordingly, the inputs 16, 18 may be the x coordinates of P and Q and the corresponding values of sP and sQ obtained by using Montgomery multiplication techniques thereby obviating the need for recovery of the y coordinates.
An alternative method for choosing Q is to choose Q in some canonical form, such that its bit representation contains some string that would be difficult to produce by generating Q=dP for some known d and P for example a representation of a name. It will be appreciated that intermediate forms between this method and the preferred method may also exist, where Q is partly canonical and partly derived verifiably at random. Such selection of Q, whether verifiably random, canonical, or some intermediate, can be called verifiable.
Another alternative method for preventing a key escrow attack on the output of an ECRNG, shown in
Yet another alternative method shown in
As discussed above, to effectively prevent the existence of escrow keys, a verifiably random Q should be accompanied with either a verifiably random P or a pre-established P. A pre-established P may be a point P that has been widely publicized and accepted to have been selected before the notion of the ECRNG 12, which consequently means that P could not have been chosen as P=eQ because Q was not created at the time when P was established.
Whilst the above techniques ensure the security of the system using the ECRNG by “closing” the trap door, it is also possible to take advantage of the possible interdependence of P and Q, namely where P=eQ, through careful use of the existence of e.
In such a scenario, the value e may be regarded as an escrow key. If P and Q are established in a security domain controlled by an administrator, and the entity who generates Q for the domain does so with knowledge of e (or indirectly via knowledge of d). The administrator will have an escrow key for every ECRNG that follows that standard.
Escrow keys are known to have advantages in some contexts. They can provide a backup functionality. If a cryptographic key is lost, then data encrypted under that key is also lost. However, encryption keys are generally the output of random number generators. Therefore, if the ECRNG is used to generate the encryption key K, then it may be possible that the escrow key e can be used to recover the encryption key K. Escrow keys can provide other functionality, such as for use in a wiretap. In this case, trusted law enforcement agents may need to decrypt encrypted traffic of criminals, and to do this they may want to be able to use an escrow key to recover an encryption key.
The administrator 44 chooses the values of P and Q such that he knows an escrow key e such that Q=eP. Other members of the domain 40 use the values of P and Q, thereby giving the administrator 44 an escrow key e that works for all the members of the organization.
This is most useful in its backup functionality for protecting against the loss of encryption keys. Escrow keys e could also be made member-specific so that each member has its own escrow e′ from points selected by the administrator 44.
As generally denoted as numeral 400 in
The secure use of such an escrow key 34e is generally denoted by numeral 500 and illustrated in
In order for the escrow key to function with full effectiveness, the escrow administrator 44 needs direct access to an ECRNG output value r that was generated before the ECRNG output value k (i.e. 16) which is to be recovered. It is not sufficient to have indirect access to r via a one-way function or an encryption algorithm. A formalized way to achieve this is to have each member with an ECRNG 12 communicate with the administrator 44 as indicated at 46 in
Many other protocols exchange such random values, often called nonces. If the escrow administrator observes these nonces, and keeps a log of them 508, then later it may be able to determine the necessary r value. This allows the administrator to determine the subsequent state of the ECRNG 12 of the client or server 510 (whoever is a member of the domain), and thereby recover the subsequent ECRNG 12 values. In particular, for the client who generally generates a random pre-master secret from which is derived the encryption key for the SSL or TLS session, the escrow key may allow recovery of the session key. Recovery of the session key allows recovery of the whole SSL or TLS session.
If the session was logged, then it may be recovered. This does not compromise long-term private keys, just session keys obtained from the output of the ECRNG, which should alleviate any concern regarding general suspicions related to escrows.
Whilst escrow keys are also known to have disadvantages in other contexts, their control within specific security domains may alleviate some of those concerns. For example, with digital signatures for non-repudiation, it is crucial that nobody but the signer has the signing key, otherwise the signer may legitimately argue the repudiation of signatures. The existence of escrow keys means the some other entity has access to the signing key, which enables signers to argue that the escrow key was used to obtain their signing key and subsequently generate their signatures. However, where the domain is limited to a particular organization or part of an organization it may be sufficient that the organization cannot repudiate the signature. Lost signing keys do not imply lost data, unlike encryption keys, so there is little need to backup signing keys.
Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.
This application is a continuation of and claims priority from U.S. patent application Ser. No. 16/277,017, filed Feb. 15, 2019, which is a continuation of and claims priority from U.S. patent application Ser. No. 14/575,844, filed on Dec. 18, 2014, which is a continuation of and claims priority from U.S. patent application Ser. No. 13/770,533, filed on Feb. 19, 2013 and issued as U.S. Pat. No. 8,948,388 on Feb. 3, 2015, which is a continuation of and claims priority from U.S. patent application Ser. No. 11/336,814, filed on Jan. 23, 2006 and issued as U.S. Pat. No. 8,396,213 on Mar. 12, 2013, which is hereby incorporated by reference and which claims priority from U.S. Provisional Patent Application No. 60/644,982 filed on Jan. 21, 2005.
Number | Name | Date | Kind |
---|---|---|---|
5442707 | Miyaji et al. | Aug 1995 | A |
6044388 | DeBellis et al. | Mar 2000 | A |
6088798 | Shimbo | Jul 2000 | A |
6122375 | Takaragi et al. | Sep 2000 | A |
6243467 | Reiter et al. | Jun 2001 | B1 |
6263081 | Miyaji et al. | Jul 2001 | B1 |
6285761 | Patel et al. | Sep 2001 | B1 |
6307935 | Crandall et al. | Oct 2001 | B1 |
6370247 | Takaragi et al. | Apr 2002 | B1 |
6424712 | Vanstone et al. | Jul 2002 | B2 |
6466668 | Miyazaki et al. | Oct 2002 | B1 |
6477254 | Miyazaki et al. | Nov 2002 | B1 |
6480605 | Uchiyama et al. | Nov 2002 | B1 |
6687721 | Wells et al. | Feb 2004 | B1 |
6714648 | Miyazaki et al. | Mar 2004 | B2 |
6738478 | Vanstone et al. | May 2004 | B1 |
6882958 | Schmidt et al. | Apr 2005 | B2 |
6931126 | Jakobsson | Aug 2005 | B1 |
6990201 | Coron et al. | Jan 2006 | B1 |
7000110 | Terao | Feb 2006 | B1 |
7013047 | Schmidt et al. | Mar 2006 | B2 |
7062043 | Solinas | Jun 2006 | B1 |
7062044 | Solinas | Jun 2006 | B1 |
7092979 | Shim | Aug 2006 | B1 |
7124443 | Ishibashi et al. | Oct 2006 | B2 |
7162033 | Coron et al. | Jan 2007 | B1 |
7171000 | Toh et al. | Jan 2007 | B1 |
7197527 | Naslund et al. | Mar 2007 | B2 |
7200225 | Schroeppel | Apr 2007 | B1 |
7218735 | Coron | May 2007 | B2 |
7221758 | Cramer et al. | May 2007 | B2 |
7224795 | Takada et al. | May 2007 | B2 |
7225341 | Yoshino et al. | May 2007 | B2 |
7243292 | Naslund | Jul 2007 | B1 |
7286666 | Coron | Oct 2007 | B1 |
7308096 | Okeya et al. | Dec 2007 | B2 |
7308588 | Nishizawa et al. | Dec 2007 | B2 |
7327845 | Orr | Feb 2008 | B1 |
7353395 | Gentry et al. | Apr 2008 | B2 |
7388957 | Ono et al. | Jun 2008 | B2 |
7418099 | Vanstone et al. | Aug 2008 | B2 |
7424114 | Joye | Sep 2008 | B2 |
7480795 | Vanstone | Jan 2009 | B2 |
7542568 | Ohmori et al. | Jun 2009 | B2 |
7590846 | Girault | Sep 2009 | B2 |
7599491 | Lambert | Oct 2009 | B2 |
7613917 | Chojnacki | Nov 2009 | B1 |
7639799 | Lauter et al. | Dec 2009 | B2 |
7650507 | Crandall et al. | Jan 2010 | B2 |
7680270 | Srungaram | Mar 2010 | B2 |
7680272 | Yoon et al. | Mar 2010 | B2 |
7853013 | Vasyltsov et al. | Dec 2010 | B2 |
7907726 | Lauter et al. | Mar 2011 | B2 |
7936874 | Futa et al. | May 2011 | B2 |
7961874 | Ibrahim | Jun 2011 | B2 |
8074266 | Yoneda | Dec 2011 | B2 |
8411855 | Robinson et al. | Apr 2013 | B1 |
8428252 | Makepeace et al. | Apr 2013 | B1 |
8559625 | Douguet et al. | Oct 2013 | B2 |
8619977 | Douguet et al. | Dec 2013 | B2 |
10756893 | Brown et al. | Aug 2020 | B2 |
20020044649 | Gallant et al. | Apr 2002 | A1 |
20030081785 | Boneh | May 2003 | A1 |
20030156714 | Okeya et al. | Aug 2003 | A1 |
20040005053 | Koshiba | Jan 2004 | A1 |
20040102242 | Poelmann et al. | May 2004 | A1 |
20040228485 | Abu et al. | Nov 2004 | A1 |
20040247115 | Ono et al. | Dec 2004 | A1 |
20050036609 | Eisentraeger et al. | Feb 2005 | A1 |
20050251680 | Brown et al. | Nov 2005 | A1 |
20060129800 | Lauter et al. | Jun 2006 | A1 |
20060165231 | Srungaram | Jul 2006 | A1 |
20060285682 | Sarangarajan et al. | Dec 2006 | A1 |
20070121933 | Futa et al. | May 2007 | A1 |
20070248224 | Buskey et al. | Oct 2007 | A1 |
20080056499 | Vanstone | Mar 2008 | A1 |
20190190711 | Brown et al. | Jun 2019 | A1 |
Number | Date | Country |
---|---|---|
2381397 | Feb 2001 | CA |
2001222220 | Aug 2001 | JP |
2003507761 | Feb 2003 | JP |
2005500740 | Jan 2005 | JP |
200113218 | Feb 2001 | WO |
200135573 | May 2001 | WO |
Entry |
---|
ANS X9.62-2005, “Public Key Cryptography for the Financial Services Industry—The Elliptic Curve Digital Signature Algorithm (ECDSA)”, Nov. 16, 2005, 163 pages. |
ANSI X9.82, “Part 3 for X9F1” Oct. 2003, 175 pages. |
ANS X9.82, “Part 3—Draft”, Jun. 2004, 189 pages. |
Barker, Elaine and John Kelsey, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators”, NIST Special Publication 800-90, National Institute of Standards and Technology, Dec. 2005, 130 pages. |
Barker, Elaine and John Kelsey, “Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised)”, NIST Special Publication 800-90, National Institute of Standards and Technology, Mar. 2007, 133 pages. |
Blum, Manuel and Silvio Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits”, SIAM Journal on Computing, vol. 13, No. 4, Nov. 1984, pp. 850-864. |
Brown, Daniel R.L., “Conjecture Security of the ANSI-NIST Elliptic Curve RNG”, Cryptology ePrint Archive, Report 2006/117, Mar. 29, 2006, Retrieved from : URL <http://eprint.iacr.org>, 14 pages. |
El Mahassni, Edwin and Igor Shparlinksi, “On the Uniformity of Distribution of Congruential Generators over Elliptic Curves”, Sequences and Their Applications: Proceedings of SETA '01, 2002 pp. 257-264. |
Gjoesteen, Kristian, “Comments on Dual-EC-DRBG/NIST SP 800-90, Draft Dec. 2005”, Mar. 16, 2006, 8 pages. |
Goldreich, Oded, Foundations of Cryptography Basic Tools, Cambridge University Press, 2001, pp. 30-183. |
Guerel, Nicolas, “Extracting Bits from Coordinates of a Point of an Elliptic Curve”, Mar. 2005, Cryptology ePrint Archive, Report 2005/324, Retrieved from : URL <http://eprint.iacr.org>, 9 pages. |
Johnson, Don B., “X9.82 Part 3—Number Theoretic DRBGs”, NIST RNG Workshop, Jul. 20, 2004, retrieved from the internet <http://csrc.nist.gov/groups/ST/tooklit/documents/mg/NumberTheoreticDRBG.pdf>, 23 pages. |
Kaliski, Burton S., Jr., “A Pseudo-Random Bit Generator Based on Elliptic Logarithms”, Advances in Cryptology, CRYPTO 1986, vol. 263, pp. 84-103. |
Lee, K. et al., “Elliptic Curve Random Number Generation”, Electrical and Electronic Technology 2001, Proceedings of IEEE Region 10 International Conference, Aug. 19-22, 2001, pp. 239-241. |
Lichota, Dr. RW, “Verifying the Correctness of Cryptographic Protocols Using ‘Convince’” IEEE, Dec. 13, 1996, pp. 119-122. |
Luby, Michael, “Pseudorandomness and Cryptographic Applications”, Princeton University Press, 1996, pp. 70-74. |
Satoh, A., “Scalable Dual-Field Elliptical Curve Cryptographic Processor”, IEEE, vol. 52, Apr. 2003, pp. 452-456. |
Extended European Search Report issued in European Application No. 06704329.9 dated Nov. 12, 2009, 6 pages. |
Communication pursuant to Article 94(3) EPC issued in European Application No. 06704329.9 dated Mar. 10, 2010, 4 pages. |
Communication pursuant to Article 94(3) EPC issued in European Application No. 06704329.9 dated Jul. 22, 2010, 4 pages. |
Communication pursuant to Article 94(3) EPC issued in European Application No. 06704329.9 dated Jun. 15, 2011, 4 pages. |
PCT International Search Report and Written Opinion of the International Searching Authority in International Application No. PCT/CA2006/000,065, dated May 1, 2006, 11 pages. |
PCT International Preliminary Report on Patentability in International Application No. PCT/CA2006/000,065, dated Aug. 2, 2007, 11 pages. |
Official Action issued in Canadian Application No. 2,594,670 dated Aug. 9, 2012, 4 pages. |
Notice of Allowance issued in Canadian Application No. 2,594,670 dated Mar. 21, 2014, 1 page. |
Office Action issued in Japanese Application No. 2007-551522 dated Aug. 26, 2011, 18 pages. |
Office Action issued in Japanese Application No. 2007-551522 dated Jan. 18, 2012, 8 pages. |
Notice of Final Rejection issued in Japanese Application No. 2007-551522 dated May 30, 2012, 7 pages. |
Notice of Allowance issued in Japanese Application No. 2007-551522 dated Oct. 31, 2012, 3 pages. |
Office Action issued in Japanese Application No. 2011-259363 dated Jan. 31, 2013, 12 pages. |
Office Action issued in Japanese Application No. 2011-259363 dated Jun. 7, 2013, 13 pages. |
Advisory Action issued in U.S. Appl. No. 14/575,844 dated Apr. 10, 2018, 3 pages. |
Non-Final Office Action issued in U.S. Appl. No. 14/575,844 dated Jun. 26, 2018, 15 pages. |
Interview Summary issued in U.S. Appl. No. 14/575,844 dated Oct. 22, 2018, 4 pages. |
Notice of Allowance issued in U.S. Appl. No. 14/575,844 dated Nov. 15, 2018, 9 pages. |
Non-Final Office Action issued in U.S. Appl. No. 16/277,017 dated Dec. 18, 2019, 16 pages. |
Number | Date | Country | |
---|---|---|---|
20200366477 A1 | Nov 2020 | US |
Number | Date | Country | |
---|---|---|---|
60644982 | Jan 2005 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 16277017 | Feb 2019 | US |
Child | 16938180 | US | |
Parent | 14575844 | Dec 2014 | US |
Child | 16277017 | US | |
Parent | 13770533 | Feb 2013 | US |
Child | 14575844 | US | |
Parent | 11336814 | Jan 2006 | US |
Child | 13770533 | US |