Patent Grant
11936795
The present application is a Section 371 National Stage Application of International Application No. PCT/FR2019/053114, filed on Dec. 17, 2019 and published as WO 2020/136320 A1 on Jul. 2, 2020, not in English, the contents of which are hereby incorporated by reference in their entireties.
The invention applies to the context of cryptography and more precisely that of group signature.
It is recalled that a group signature scheme lets a user prove that he belongs to a group (for example bidders, subscribers to a service, etc.) without revealing his exact identity. Group signatures have the particular feature of being anonymous, as it is not possible to identify the signatory. Group signatures are called non-traceable since it cannot be determined whether two signatures have been sent by the same person or by two separate people.
The validity of a group signature can be verified by anybody because of a public key characterising the group called “public group key”. To be a part of the group a member must register in advance with an administration entity of the group. During this registration phase, the future member blindly obtains a private group key which lets him sign messages in the name of the group. Only a trusted revocation authority, or revocation entity, has the power to revoke the anonymity of a group signature because of a private key called “trapdoor” which only it has. In practice, this trapdoor can in fact be shared among several revocation authorities; they need to cooperate to lift the anonymity of a signature. The group member is therefore protected against abusive lifting of anonymity.
The concept of group signature is described for example in the article by Dan Boneh, Xavier Boyen and Hovav Shacham: “Short Group Signatures. CRYPTO 2004: 41-55”.
For some applications needing to preserve the anonymity of users, such as electronic voting or petition, it is preferable to implement a variant of group signatures, called direct anonymous attestation (DAA, Direct Anonymous Attestation). The concept of DAA is described for example in the article by Ernie Brickell, Liqun Chen, and Jiangtao Li: “A New Direct Anonymous Attestation Scheme from Bilinear Maps. TRUST 2008: 166-178”.
Even though they are anonymous, direct anonymous attestations DAA, with the exception of group signatures, are traceable: it is therefore possible to determine whether two signatures DAA have been sent by the same person or by two separate people. In the context of electronic voting or petition, this traceability would ensure that a voter has voted once only or the electronic petition has properly been signed by different petitioners.
Unfortunately there is no known solution for lifting the anonymity of a signature DAA and therefore identifying a signatory. This raises problems for some applications, such as electronic voting, especially in countries where a voting list for identifying the voters who have voted must be accessible to all voters.
The invention proposes a solution for electronic signature which does not have the disadvantages of the solutions mentioned hereinabove.
Therefore, and according to a first aspect, the aim of the invention is a method for anonymous signature of a message, this method being executed by a member entity of a group and comprising:
Correlatively, the aim of the invention is an anonymous signature device of a message executed by a member entity of a group and comprising:
The invention proposes a cryptographic method of anonymous signatures in which the group signatures are traceable.
Advantageously, and contrary to direct anonymous attestations, the anonymity of an anonymous signature generated by the members of the group in accordance with the scheme can be lifted by the revocation entities.
This cryptographic method also proves more effective, in particular in terms of calculation time, than schemes of direct anonymous attestations DAA or group signatures of the prior art. The security of this anonymous signature scheme is also based on an assumption of security called “non-interactive” considered as more “standard” by the cryptographic community than an assumption of security called “interactive” (for example involving an oracle) on which the most effective direct anonymous attestations schemes of the prior art are based. This type of anonymous signature scheme accordingly offers better security.
According to a second aspect, the invention relates to a method for generating keys for an anonymous signature scheme, this method comprising:
Correlatively, the invention relates to a system for generating keys for an anonymous signature scheme, this system comprising:
In a particular embodiment, the proposed method for generating keys comprises:
In a particular embodiment, the trace generator is renewed periodically.
In a particular embodiment, the trace generator is specific to a given service. The service corresponds to a specific ballot for example.
In fact, by way of these functionalities, the proposed method for generating keys can apply to electronic voting. In fact it offers a signature scheme which is:
In a particular embodiment, the different steps of the method for generating keys and the voting method according to the invention are determined by computer program instructions.
As a consequence, another aim of the invention is a computer program, on an information medium, this program comprising instructions adapted to execute at least one method such as mentioned hereinabove.
This program can utilise any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in partially compiled form, or in any other preferred form.
Another aim of the invention is an information medium readable by a computer, and comprising instructions of a computer program such as mentioned hereinabove.
The information medium can be any entity or device capable of storing the program. For example, the medium can comprise storage means such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or even magnetic recording means, for example a hard drive.
On the other hand, the information medium can be a transmissible medium such as an electrical or optical signal which can be conveyed via an electrical or optical cable, by radio or by other means. The program according to the invention can be downloaded in particular over a network of Internet type.
Alternatively, the information medium can be an integrated circuit into which the program is incorporated, the circuit being adapted to execute or be used in execution of the method in question.
Other characteristics and advantages of the present invention will emerge from the following description in reference to the appended drawings which illustrate an exemplary embodiment devoid of any limiting character, in which:
Throughout this document, the notation PoK(α1, α2, . . . , αn:(α1, α2, . . . , αn)) will be used to designate zero-knowledge proof of elements α1, α2, . . . , αn satisfying the relationship
. So proof of knowledge of the two first factors of a public module RSA (from the name of the inventors, “Rivest-Shamir-Adleman”) N would be noted as: PoK(α1, α2: N=α1·α2∧(α1≠1)∧(α2≠1)).
In the following description,
p is a prime number;
the groups G1, G2 and GT are cyclic groups of order p;
g, h designate two generators, chosen randomly, of G1;
{tilde over (h)} is a generator, chosen randomly, of G2;
e is a bilinear coupling of type 2 or 3, defined on the set G1×G2 to the set GT.
It is recalled that a bilinear coupling, noted e, is an application defined on a set G1×G2 to a set GT where G1, G2 and GT designate cyclic groups of order p. This application e verifies the following properties:
In practice, the groups G1, G2 and GT will be chosen such that there is no isomorphism calculable effectively between G1 and G2. Such couplings are known by the name of couplings of “Type 3” in the literature. In practice, and for a security level of 128 bits, the recommended sizes of the parameters of a coupling of “Type 3” are the following: 256 bits for the prime number p as well as for the elements of G1, 512 for those of G2 and 3072 for those of GT.
The security of the scheme is based partly on the assumption that the problems below are difficult. In other terms, if an attacker is capable of jeopardising the security of the cryptographic scheme, then he is also capable of resolving these problems alleged to be “difficult”.
Problem DDH
Let G be a cyclic group of first order p. Given a generator g∈G, any two elements ga, gb∈G and a candidate X∈G, the Diffie-Hellman decisional problem (DDH) consists of determining whether X=gab or not.
In the case of schemes based on bilinear couplings, there are difficult specific problems. For the couplings used in the invention, the inventors assume that the problem DDH is difficult in the groups G1 and G2. This hypothesis is known by the name of Diffie-Hellman external symmetrical hypothesis (SXDH).
For the method according to the invention, it can be demonstrated that if a third party (having no keys of revocation authorities) manages to identify the signatory of any anonymous signature then it is also capable of resolving the problem SXDH.
Problem q-MSDH
Let (p, G1, G2, GT, e) be a bilinear environment of “Type 3” and g (respectively {tilde over (g)}) a generator of G1 (respectively of G2). Given
that (ga, {tilde over (g)}a, {tilde over (g)}ax) where a and x are any two elements of Zp*, the problem q-MSDH consists of finding a quadruplet
where h∈G1*, P is a maximum-degree polynomial q and ω an element of Zp*, such that the polynomials P(X) and (X+ω) are the first.
It can be demonstrated that if a third party succeeds in “forging” signatures of the anonymous signature scheme according to the invention, then it is also capable of resolving the problem q-MSDH.
In the embodiment described here, at least in some of these aspects the invention implements:
according to the invention. It also illustrates a verification device DV.
The member entity Vi comprises a communications module COM and an anonymous signature device DSA according to the invention.
The system SGC for generating keys comprises an administration entity ε of the group, and the revocation authorities {
j}j=1t with (t≥1).
The administration entity ε of the group comprises a communications module COM, a cryptographic module MCR and a registration module ERG configured to register at least one member entity Vi in the group.
For this purpose, the device DSA of the member entity Vi comprises a registration module ERG configured to register the member entity Vi with the administration entity ε of the group.
In the embodiment described here, each revocation entity j comprises a cryptographic module MCR configured to calculate a pair of revocation keys (
,Pj), this pair comprising a public key Pj and a private key
which can be used by the revocation entity to revoke the anonymity of an anonymous signature complying with said scheme SigA2.
In the embodiment described here, the cryptographic module MCR of a revocation entity j is configured to calculate a trace generator
from the private keys
of the pair of revocation keys, where X1 designates a public parameter produced by the system for generating keys SGC.
In the embodiment described here, the device DSA of each member entity Vi comprises a cryptographic module MCR configured to generate a trace Ti=Pts
In the embodiment described here, the cryptographic module MCR of each member entity Vi is configured to blindly obtain a private group key SKGi.
In the embodiment described here, the cryptographic module MCR of each member entity Vi is configured to generate signatures σi of messages by using the private group key, these signatures comprising the trace Ti.
The verification device DV is configured to verify whether an anonymous signature σi is compliant with the anonymous signature scheme SigA2. It executes a verification algorithm which inputs a message msg, a signature σi and the public key of the group PKG. It determines whether the signature σi is valid or not.
In the embodiment described here, the verification device DV comprises communication means COM and a cryptographic module MCR.
The communications module COM of the verification device DV is configured to obtain an anonymous signature σi such that σi=(w, w′, c1, T, PΠ′i).
The cryptographic module MCR of the verification device DV is configured to determine that the anonymous signature σi of a message msg is valid if:
In the embodiment described here, the cryptographic module MCR of a revocation entity j is configured to execute the method for lifting anonymity of a signature described later in reference to
During a step E2, the cryptographic module MCR of the administration entity ε randomly draws three values, x0, {tilde over (x)}0, x1 of Zp.
During a step E4, the cryptographic module MCR of the administration entity ε calculates Cx
During a step E6, the cryptographic module MCR of the administration entity ε constitutes a pair of keys in which:
During a step E8, the cryptographic module MCR of the administration entity ε generates a zero-knowledge proof PΠ2 to prove that it knows the private key associated with its public key. PΠ2=PoK(α1, α2, α3: Cx
During a step F2, the cryptographic module MCR of each of the revocation entities {j}j=1t randomly draws a value
of Zp. This random value
constitutes a private key of the revocation entity
j for lifting anonymity of a signature.
During a step F4, the cryptographic modules MCR of the revocation entities j in turn calculate a public key Pj associated with this private key
. More precisely, in the embodiment described here:
During a step F6, when all the revocation entities have calculated their public key Pj, the cryptographic module MCR of the revocation entity t constitutes the public key of the group PKG=(Cx
obtained from the private keys of each of the revocation entities j. The private key associated with the public group key is SKG=(x0, {tilde over (x)}0, x1, x
=Πj=1t
).
In the embodiment described here, each member entity Vi has a unique identifier IDv. Examples of digital signature algorithms which can be used for this purpose are: RSA, DSA, ECDSA, . . . .
To obtain its private group key the member entity Vi interacts with the administration entity ε. During a step G2 the cryptographic module MCR of the member entity Vi randomly draws a value xi∈Zp and calculates ci=X1x
It then generates zero-knowledge proof PΠi that it knows xi the discrete logarithm of Ci in base X1: PΠi=PoK(α1: Ci=X1α
During a step G4, the cryptographic module of the member entity Vi generates a signature σV.
During a step E10, the cryptographic module MCR of the administration entity an ε verifies that Ci≠1 and that the signature σV
If this is the case, during a step E12 the cryptographic module MCR of the administration entity ε an generates two random values b and x′ of Zp and calculates E=X1x′ as well as a pair (u, u′) where u=hb and u′=ux
Π3=PoK(α1,α2, α3,α4: u=hα
During a step E14, the cryptographic module MCR of the administration entity an ε transmits E, u, u′ and the proof PΠ3 to the member entity Vi.
During a step G6, the cryptographic module of the member entity Vi verifies that u≠1 and que the proof PΠ3 is valid. If these two verifications are conclusive, during a step G7 the cryptographic module of the member entity Vi generates a signature SigV
During a step G75, the member entity Vi transmits the signature SigV.
During a step E13, the administration entity ε verifies that the signature SigV
The administration entity ε maintains a register REG containing the following values for each member entity Vi of the group:
Ci,C′i=Ci=E=Ci·X1x′,x′,Πi,IDi,PKi and SigV
where n designates the number of members duly registered.
During a step G8, the member entity Vi verifies that E=X1x′ and constitutes its private group key SKGi, if this verification is conclusive. The latter is constituted by the triplet SKGi=(si,u, u′) where si=xi+x′ mod p.
In a particular embodiment, the trace generator Pt is renewed periodically (every hour, every day, start of month, etc.). For this it is enough for the revocation entities to renew their private key and recalculate the corresponding trace generator Pt according to the generation method described previously.
In a particular embodiment, the trace generator Pt is specific to a given service. Typically a trace generator Pt can be generated for a specific election. For a new ballot, the revocation entities must calculate new private keys to deduce a new trace generator P′t therefrom.
According to the anonymous signature scheme SigA2, to anonymously sign a message msg∈{0,1}* with its private group key SKGi the cryptographic module MCR of the member entity Vi randomly draws a value l∈Zp during a step H2. At step H4 t calculates the value w=ul and at step H6 the value w′=(u′)l.
During a step H8, the cryptographic module MCR of the member entity Vi calculates the value c1=ws
The member entity Vi proves that the discrete logarithm of c1 in the base w is the same as the discrete logarithm of Ti in the base Pt:PΠi=PoK(α1:c1=wα
In the embodiment of the invention described here, the proof PΠ′i is the pair (c, r) in which:
During a step H10, the cryptographic module MCR of the member entity Vi generates the anonymous signature σi of the message msg, the latter being constituted by the following five elements: (w, w′, c1, Ti, PΠ′i). It comprises the trace Ti which traces all the signatures sent by the member entity Vi.
During a step K2, the verification device of an anonymous signature obtains an anonymous signature σi=(w, w′, c1, Ti, PΠ′i).
During a step K4, the verification device considers that the anonymous signature σi of a message msg is valid if:
j. It utilises an algorithm which inputs a message msg, a signature σi, the public key of the group PKG a and the private keys
of the revocation authorities and returns IDv
During a step Z2, each of the revocation entities j obtains the anonymous signature σi of a message msg.
During a step Z4, the revocation authorities {j}j=1t successively calculate, Tj=Tj-1
with T0=Ti.
In other words:
It is recalled here that there can be one single revocation entity only.
If all proofs produced by the revocation authorities are valid, Tt==Xis
During a step Z6, the revocation authorities transmit Tt and all proofs {PΠj}j=1t to the administration entity ε
.
During a step Z8, the administration entity an retrieves in its registry REG the entry corresponding to C′i: {ci,C′i,x′, Πi, IDi,PKi,SigV
During a step Z10, the administration entity ε in return provides the revocation entity
j as applicant for lifting anonymity with the identifier IDv
as well as ci, C′i, x′, PKi and SigV
are valid, if C′j=Ci·X1x′ and if the signature SigV
considers that the member entity Vi of which the identifier is IDv
When the service is an electronic vote, it is possible to compile a voting list from the identifiers obtained by executing the method.
Description of a Second Embodiment of the Invention
The anonymous signature scheme SigA2 can be used in particular to implement an electronic vote solution.
according to the invention. It also comprises a verification device DV.
In this embodiment, the member entities Vi of a group are voter entities.
In this embodiment, the system SGC for generating keys comprises a registration entity and an organising entity
. At the same time each acts as administration entity of the group and revocation entity of the group. It is understood that this is an illustrative example and that in other examples the distribution of roles attributed to the different entities can be different. The registration entity
and the organising entity
each comprise a communications module COM and a cryptographic module MCR. The registration entity
and the organising entity
also each comprise a registration module ERG configured to register at least one voter entity Vi in the group.
Therefore, in this embodiment of the invention a voter entity is registered at the same time with the registration entity and with the organising entity
. This embodiment reprises the role of group administrator between two entities so as to prevent a single entity from being capable of creating false voter entities.
The voter entity Vi comprises a communications module COM and an anonymous signature device DSA according to the invention.
The device DSA of the voter entity Vi comprises a registration module ERG configured to register the voter entity Vi with the registration entity .
In the embodiment described here, the cryptographic module MCR of each revocation entity ,
is configured to calculate a pair of revocation keys of which the private key can be used to revoke the anonymity of an anonymous signature complying with said scheme SigA2 and to calculate a trace generator from a public key of the pair of revocation keys.
The device DSA of each voter entity Vi comprises a cryptographic module MCR configured to generate a trace Ti=Pts
In the embodiment described here, the cryptographic module MCR of each voter entity Vi is configured to blindly obtain a private group key SKGi, noted si hereinbelow.
In the embodiment described here, the cryptographic module MCR of each voter entity Vi is configured to generate signatures σi of messages, by using the private group key, these signatures comprising the trace Ti.
The verification device DV is configured to verify if an anonymous signature σi is compliant with the anonymous signature scheme SigA2. It executes a verification algorithm which inputs a message msg, a signature σi and the public key of the group PKG. It determines whether the signature σi is valid or not.
In the embodiment described here, the verification device DV comprises communication means COM and a cryptographic module MCR.
The communications module COM is capable of obtaining an anonymous signature σi such that σi=(w, w′, c1, Ti, PΠ′i).
The cryptographic module MCR is configured to determine that the anonymous signature σi of a message msg is valid if:
In the embodiment described here, the cryptographic module MCR of a revocation entity ,
is configured to execute the method for lifting anonymity of a signature described later in reference to
During a step VE2, the cryptographic module MCR of the organising entity randomly draws four values
,
,
,
of zp. In this embodiment,
is a private key used by the organising entity
for lifting the anonymity of a voter entity.
During a step VE4, the cryptographic module MCR of the organising entity calculates
=
,
=
,
=
,
=
,
=
.
During a step VE6, the cryptographic module MCR of the organising entity constitutes a pair of keys in which:
During a step VE8, the cryptographic module MCR of the organising entity generates proof VOPΠ2 that it knows the private key associated with its public key by generating zero-knowledge proof defined as follows: VOΠ2=PoK(α1, α2, α3, α4:
=gα
=hα
={tilde over (h)}α
={tilde over (h)}α
=X1α
The registration entity proceeds in the same way.
During a step VE2, the cryptographic module MCR of the registration entity randomly draws four values
,
,
,
of Zp. In this embodiment,
is a private key used by the registration entity
for lifting the anonymity of a voter entity.
During a step VE4, the cryptographic module MCR of the registration entity calculates
=
,
=
,
=
,
=
,
=
.
During a step VE6, the cryptographic module MCR of the registration entity constitutes a pair of keys in which:
During a step VE8, the cryptographic module MCR of the registration entity generates proof VAPΠ2 that it knows the private key associated with its public key. This proof is defined as follows:
VAPΠ2=PoK(α1,α2,α3,α4:=gα
=hα
={tilde over (g)}α
={tilde over (h)}α
=X1α
During a step VF4, the cryptographic modules MCR of the organising entity and of the registration entity
, after having made their public keys
and
public, each calculate for their part a trace generator Pt=
=
=
.
During a step VF6, when all the revocation entities, specifically the registration entity and the organising entity
in this embodiment, have calculated their public key, they calculate the public key of the group PKG. It comprises the trace generator Pt=
obtained from the private keys of these revocation entities
and
.
PKG=(Cx·
, X1=
·
, {tilde over (X)}0=
·
and {tilde over (X)}1=
·
. The private key associated with the public group key is
SKG=(x0=+
,{tilde over (x)}0=
+
,x1=
+
,
=
·
)
In this embodiment, each voter entity Vi has a unique identifier IDv and by the organising entity
.
In the embodiment described here, to obtain its private group key the voter entity Vi must interact with the administration entity and with the organising entity
. During a step VG2 the cryptographic module MCR of the member entity Vi randomly draws a value xi∈Zp and calculates Ci=xix
During a step VG4, the cryptographic module MCR of the voter entity Vi generates a signature σV and to the organising entity
.
During a step VE10, the cryptographic module MCR of the administration entity and the cryptographic module MCR of the organising entity
verify ci≠1 and that the signature σV
If this is the case, during a step VE12 the cryptographic module MCR of the administration entity and the cryptographic module MCR of the organising entity
jointly generate two random values b and x′ of zp and calculate E=X1x′ and a pair (u, u′) where u=hb and u′=ux
VOAΠ3=PoK(α1,α2,α3,α4: u=hα
It is recalled that to jointly generate a value, the value x′ for example, the administration entity and the organising entity
can utilise known techniques of distributed cryptography. For example, the administration entity
(respectively the organising entity
) randomly generates a value
of Zp (respectively
of zp) and calculates
=
(respectively
). This gives E=
.
=X1x′ where x′=
+
(mod p).
In this embodiment, during a step VE14 the cryptographic module MCR of the administration entity or of the organising entity
transmits E, u, u′ and the proof VEPΠ3 to the voter entity Vi. As a variant these values are sent by the administration entity
and by the organising entity
and the voter entity Vi verifies that the values received from the two entities
and
are identical.
During a step VG6, the cryptographic module of the voter entity Vi verifies that u≠1 and that the proof VOAPΠ3 is valid. If these two verifications are conclusive, during a step VG7 the cryptographic module of the voter entity Vi generates a signature SigV and to the organising entity
.
During a step VE13, the administration entity and the organising entity
verify that the signature SigV
transmits x′ to the voter entity Vi.
The administration entity maintains a register REG, not shown, containing the following values for each member entity Vi of the group:
Ci,C′i=Ci·X1x′,x′,PΠi,IDi,PKi and SigV
where n designates the number of voter entities duly registered.
During a step VG8, the voter entity Vi verifies that E=X1x′ and constitutes its private group key SKGi, if this verification is conclusive. The latter is constituted by the triplet SKGi=(si,u, u′) where si=xi+x′ mod p. It should be noted that said private group key SKGi is obtained by the member entity from its private key xii known to it alone.
According to the anonymous signature scheme SigA2, for anonymously signing any message msg∈{0,1}* with its private group key SKGi the cryptographic module MCR of the voter entity Vi randomly draws a value l∈Zp during a step VH2 and calculates (step VH4) the value w=ul (step VH6) as well as the value w′=(u′)l.
In the case of a one-ballot uninominal majority poll the message can be constituted by the vote of the voter entity, optionally in encrypted form, the encryption of which can be calculated by using a public key of which the private key would be shared between several assessor entities configured to carry out counting of the vote.
During a step VH8, the cryptographic module MCR of the voter entity Vi calculates the value c1=ws
The voter entity Vi proves that the discrete logarithm of c1 in the base w is the same as the discrete logarithm of Ti in the base Pt: VEPΠ′i=PoK(α1: c1=wα
In the embodiment of the invention described here, the proof VEPΠ′i is the pair (c, r) in which:
During a step VH10, the cryptographic module MCR of the voter entity Vi generates the anonymous signature σi of the message msg, the latter being constituted by the following five elements: (w, w′, c1, Ti, VEPΠ′i). It comprises the trace Ti which traces all the signatures sent by the voter entity Vi.
During a step VK2, the verification device of an anonymous signature obtains an anonymous signature σi=(w, w′, c1, Ti, VEPΠ′i).
During a step VK4, it considers that the anonymous signature σi of message msg is valid if:
In the form of a flowchart and the organising entity
.
During a step VZ2, each of these entities and
obtains the signature σi.
During a step VZ4, the entities and
successively calculate,
with T0=Ti.
If all the proofs produced by the revocation authorities are valid,
In this embodiment, during a step VZ6, the organising entity transmits the proof VOPΠ
1 to the registration entity
.
During a step VZ8, the registration entity retrieves in its register REG the entry corresponding to C′i: {Ci, C′i, x′, PΠi, IDi, PKi, SigV
During a step VZ10, the registration entity returns the identifier IDv
and
and Ci, C′i, x′, PKi and SigV
considers that the voter entity Vi including the identifier is IDv
In the embodiment described here, the administration entity ε, the revocation entities
j, the organising entity
, the registration entity
, the verification device DV the member or voter entities
1 have the hardware architecture of a computer ORD such as shown schematically in
The computer ORD comprises especially a processor 7, a dead memory 8, a live memory 9, a non-volatile memory 10 and communication means COM. These communication means COM allow the different entities to communicate with each other especially. They can comprise one or more communication interfaces on one or more telecommunications networks (fixed or mobile, wired or wireless, etc.).
The dead memory 8 of the computer ORD constitutes a recording medium according to the invention, readable by the processor and on which a computer program according to the invention is registered, designated generally here by PROG, comprising instructions for executing one of the methods forming the subject of the invention. Therefore:
In the same way each of these programmes defines functional modules of the device or of the module on which it is installed, capable of performing the steps of the relevant method and based on the hardware elements 7-10 of the computer ORD.
| Number | Date | Country | Kind |
|---|---|---|---|
| 1874108 | Dec 2018 | FR | national |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/FR2019/053114 | 12/17/2019 | WO |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2020/136320 | 7/2/2020 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 6446052 | Juels | Sep 2002 | B1 |
| 7234059 | Beaver | Jun 2007 | B1 |
| 8225098 | Chen | Jul 2012 | B2 |
| 8352378 | Al-Herz | Jan 2013 | B2 |
| 8499149 | Chen | Jul 2013 | B2 |
| 10320569 | Wentz | Jun 2019 | B1 |
| 11176546 | Ignatchenko | Nov 2021 | B2 |
| 20030081785 | Boneh | May 2003 | A1 |
| 20040260926 | Arditti Modiano | Dec 2004 | A1 |
| 20050097336 | Canard | May 2005 | A1 |
| 20050169461 | Canard | Aug 2005 | A1 |
| 20050246533 | Gentry | Nov 2005 | A1 |
| 20050268103 | Camenisch | Dec 2005 | A1 |
| 20050278536 | Canard | Dec 2005 | A1 |
| 20060015737 | Canard | Jan 2006 | A1 |
| 20060155985 | Canard | Jul 2006 | A1 |
| 20070255661 | Yoshida | Nov 2007 | A1 |
| 20070256125 | Chen | Nov 2007 | A1 |
| 20080046310 | Canard | Feb 2008 | A1 |
| 20080091941 | Yonezawa | Apr 2008 | A1 |
| 20080201262 | Saito | Aug 2008 | A1 |
| 20080244276 | Prouff | Oct 2008 | A1 |
| 20080270786 | Brickell | Oct 2008 | A1 |
| 20080270790 | Brickell | Oct 2008 | A1 |
| 20080307223 | Brickell | Dec 2008 | A1 |
| 20090024852 | Yonezawa | Jan 2009 | A1 |
| 20090046854 | Di Crescenzo | Feb 2009 | A1 |
| 20090129600 | Brickell | May 2009 | A1 |
| 20090210705 | Chen | Aug 2009 | A1 |
| 20100082973 | Brickell | Apr 2010 | A1 |
| 20100169656 | Yoshida | Jul 2010 | A1 |
| 20110060903 | Yoshida | Mar 2011 | A1 |
| 20110179269 | Furukawa | Jul 2011 | A1 |
| 20120017083 | Canard | Jan 2012 | A1 |
| 20120060028 | Furukawa | Mar 2012 | A1 |
| 20120072732 | Canard | Mar 2012 | A1 |
| 20120284518 | Walker | Nov 2012 | A1 |
| 20130311770 | Reffe | Nov 2013 | A1 |
| 20150067340 | Joye | Mar 2015 | A1 |
| 20160013946 | Patey | Jan 2016 | A1 |
| 20180309574 | Lyubashevsky | Oct 2018 | A1 |
| 20190052470 | Park | Feb 2019 | A1 |
| 20200126075 | Fisch | Apr 2020 | A1 |
| 20200349616 | El Kaafarani | Nov 2020 | A1 |
| Number | Date | Country |
|---|---|---|
| 2940726 | Jul 2010 | FR |
| Entry |
|---|
| International Search Report dated Feb. 20, 2020 for corresponding International Application No. PCT/FR2019/053114, Dec. 17, 2019. |
| Written Opinion of the International Searching Authority dated Feb. 20, 2020 for corresponding International Application No. PCT/FR2019/053114, filed Dec. 17, 2019. |
| Desmoulins Nicolas et al. Direct Anonymous Attestations with Dependent Basename Opening, International Conference on Computer Analysis of Images and Patterns. CAIP 2017: Computer Analysis of Images and Patterns; [Lecture Notes in Computer Science; Lect. Notes Computer], Springer, Berlin, Heidelberg. pp. 206-221, Oct. 22, 2014 (Oct. 22, 2014), XP047302160. |
| English translation of the Written Opinion of the International Searching Authority dated Mar. 2, 2020 for corresponding International Application No. PCT/FR2019/053114, filed Dec. 17, 2019. |
| Boneh, D. et al., “Short Group Signatures” Crypto 2004, pp. 41-55. |
| Brickell, E. et al., “A New Direct Anonymous Attestation Scheme from Bilinear Maps” Trust 2008, pp. 166-178. |
| Number | Date | Country | |
|---|---|---|---|
| 20220103377 A1 | Mar 2022 | US |
