Zero-knowledge proof cryptography methods and devices

Information

  • Patent Application 20070121936
  • Date Filed: January 24, 2005
  • Date Published: May 31, 2007
Abstract
A cryptography method involving a keyholder having a number m ≥ 1 of private keys Q_1, Q_2, ..., Q_m and respective public keys G_1, G_2, ..., G_m, each pair of keys (Q_i, G_i) (where i = 1, ..., m) satisfying either the relationship G_i = Q_i^v mod n or the relationship G_i × Q_i^v = 1 mod n, where n is a public integer equal to the product of f (where f > 1) private prime factors p_1, ..., p_f, at least two of which are distinct, and the exponent v is a public integer equal to a power of 2. Disclosed is what mathematical structure may be imparted to the public keys for it to be impossible to calculate said private keys from said public parameters in a reasonable time unless said prime factors are known. Devices adapted to implement the method are also disclosed.
Description

The present invention relates to asymmetrical key cryptography, also known as public key cryptography. It relates more precisely to a method and a system for verifying the authenticity of a known entity or a message coming from a known entity or for signing a message.


Asymmetrical key cryptography systems use pairs of keys, each pair comprising a public key and a private key, and each key may include a number of parameters. Each public key is linked to the identity of its holder by a certification authority. Asymmetrical key cryptography systems include entities known as controllers that store a number of public keys in conjunction with the certified identities of their holders.


The problem of factorizing integers has been the subject of intense research since the invention of the RSA asymmetrical key cryptographic method (see the article by M. Gardner, “A new kind of cipher that would take millions of years to break”, Scientific American, August 1977). The name RSA of the algorithm is derived from the initials of its inventors R. Rivest, A. Shamir, and L. Adleman. Despite considerable advances, more a result of growth in computing power than of progress in factorizing algorithms, there is still no known method of factorizing a large integer in a reasonable time. Users are therefore justified in placing their trust in the RSA method.


Each use of the RSA method is associated with an integer n known as the modulus, which is the product of two distinct large prime factors p_1 and p_2. Given present-day computing capacities, it is recommended that moduluses of at least 1024 bits (of the order of 10^308) are used. An RSA public key includes the modulus n and an exponent e that is coprime to (p_1 − 1) and to (p_2 − 1). The corresponding RSA private key includes an exponent d such that (the symbol “mod” signifies “modulo”):

e × d = 1 mod [(p_1 − 1)(p_2 − 1)]


The security of this method relies on the fact that it is impossible to calculate d from n and e within a reasonable time if the factors p1 and p2 are not known. As explained above, it is not possible to calculate these factors (which are naturally kept secret) in a reasonable time.


The cryptographic procedure for entity authentication uses a controller and a keyholder, referred to below as the claimant, who wishes to be authenticated by the controller in order to receive an authorization, for example the authorization to access electronic data processing resources. The claimant declares an identity to the controller, and must prove to the controller that the claimant holds the private key corresponding to the public key linked to that identity.


It is possible to effect this authentication without the claimant disclosing to the controller any information at all concerning the claimant's private key: this technique is known as zero-knowledge proof authentication and is described in general terms by S. Goldwasser, S. Micali, and C. Rackoff in their paper “The Knowledge Complexity of Interactive Proof Systems” delivered at the 17th ACM Symposium on the Theory of Computing (Proceedings, 291 to 304, 1985).


In the paper “Zero-knowledge Proofs of Identity” (Journal of Cryptology, vol. 1, pages 77 to 94, 1988), U. Feige, A. Fiat, and A. Shamir propose a zero-knowledge proof cryptographic method in which the claimant holds a private key Q and publishes an RSA modulus n and a public key G = Q^2 mod n (it is impossible to calculate Q from G, i.e. to calculate a square root modulo n, in a reasonable time unless the prime factors of n are known).


When the above method is applied to authenticating entities, the Fiat-Shamir procedure comprises the following interactive steps:


1. Witness step: the claimant chooses at random an integer r, calculates the “witness” R = r^2 mod n and sends the witness to the controller;


2. Challenge step: the controller chooses at random an integer d called a “challenge” which can take the value 0 or the value 1 and sends the challenge to the claimant;


3. Response step: the claimant calculates the “response” D = r × Q^d mod n and sends the response to the controller; and


4. Verification step: the controller calculates

(D^2 × G^(−d)) mod n

and verifies that the result is equal to the witness R.


For increased security, it is recommended that this procedure should be repeated “sequentially” as many times as possible before considering that authentication has been effected (varying r and d each time).


This is a zero-knowledge proof procedure because an observer cannot calculate the private key Q of the claimant from the data exchanged.


In a Feige-Fiat-Shamir or parallel variant, the claimant holds a number m > 1 of private keys Q_1, Q_2, ..., Q_m and publishes, in addition to an RSA modulus n, respective public keys G_1, G_2, ..., G_m, where G_i = Q_i^2 mod n for i = 1, ..., m. The following steps are then executed:


1. Witness step: the claimant chooses at random an integer r, calculates the witness R = r^2 mod n and sends the witness to the controller;


2. Challenge step: the controller chooses at random m challenges d_1, d_2, ..., d_m, where d_i is equal to 0 or 1 for i = 1, ..., m, and sends the challenges to the claimant;


3. Response step: the claimant calculates the response D = r × Q_1^(d_1) × Q_2^(d_2) × ... × Q_m^(d_m) mod n and sends the response to the controller; and


4. Verification step: the controller calculates

(D^2 × G_1^(−d_1) × G_2^(−d_2) × ... × G_m^(−d_m)) mod n

and verifies that the result is equal to the witness R.


This parallel variant accelerates the Fiat-Shamir authentication procedure compared to the sequential (i.e. series) variant referred to above.


Note further that the calculations required to implement either of these variants can be reduced if the claimant uses the Chinese remainder theorem well known to experts in number theory. The claimant may proceed in the following manner.


Consider first the calculation of the witness R. For a modulus n = p_1 × p_2, where p_1 < p_2, let a number C (known as a Chinese remainder) be the positive number less than p_1 such that p_1 is a factor of (p_2 × C − 1). The claimant chooses at random two integers r_1 and r_2 such that 0 < r_1 < p_1 and 0 < r_2 < p_2 and calculates the two witness components R_1 = r_1^2 mod p_1 and R_2 = r_2^2 mod p_2. The value of the witness is deduced therefrom as follows, where z = C × (R_1 − R_2):

R = z × p_2 + R_2


To calculate the response D, the claimant may proceed as follows. Private key components Q_{i,1} = Q_i mod p_1 and Q_{i,2} = Q_i mod p_2 are defined for i = 1, ..., m. The claimant first calculates the two response components:

D_1 = r_1 × Q_{1,1}^(d_1) × Q_{2,1}^(d_2) × ... × Q_{m,1}^(d_m) mod p_1, and
D_2 = r_2 × Q_{1,2}^(d_1) × Q_{2,2}^(d_2) × ... × Q_{m,2}^(d_m) mod p_2.

The claimant then obtains the value of the response as follows, where z = C × (D_1 − D_2):

D = z × p_2 + D_2


The advantage of this Chinese remainder calculation method is that the claimant calculates modulo p_1 and modulo p_2 instead of modulo n, and p_1 and p_2 are generally much smaller than n.
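The parallel Feige-Fiat-Shamir round with the Chinese remainder calculation just described, as an added Python example (not code from the patent): the toy primes p1 = 1009 and p2 = 1019 are constructed here, the claimant forms the witness and response from their mod-p1 and mod-p2 components, and the controller verifies D^2 × ∏ G_i^(−d_i) mod n using only the public modulus.

```python
import random

# Constructed toy parameters: two primes p1 < p2 (a real RSA modulus has >= 1024 bits).
P1, P2 = 1009, 1019
N = P1 * P2

def chinese_remainder_constant(p1, p2):
    """The 'Chinese remainder' C of the page: the positive C < p1 with p1 | (p2*C - 1),
    i.e. C is the inverse of p2 modulo p1."""
    return pow(p2, -1, p1)

def recombine(x1, x2, p1, p2, c):
    """Lift components (X1 mod p1, X2 mod p2) to the unique X in [0, n) as on the page:
    z = C*(X1 - X2), X = z*p2 + X2.  z is reduced modulo p1 so that X lands in [0, n)."""
    z = (c * (x1 - x2)) % p1
    return z * p2 + x2

def keygen(m, rng):
    """Claimant: m private keys Q_i coprime to n and public keys G_i = Q_i^2 mod n."""
    qs = []
    while len(qs) < m:
        q = rng.randrange(2, N)
        if q % P1 and q % P2:
            qs.append(q)
    return qs, [pow(q, 2, N) for q in qs]

def witness_crt(r1, r2, c):
    """Witness components R1 = r1^2 mod p1, R2 = r2^2 mod p2, recombined to R mod n."""
    return recombine(pow(r1, 2, P1), pow(r2, 2, P2), P1, P2, c)

def response_crt(r1, r2, qs, ds, c):
    """Response components D1, D2 from the private key components Q_{i,1}, Q_{i,2}."""
    d1, d2 = r1, r2
    for q, d in zip(qs, ds):
        d1 = d1 * pow(q % P1, d, P1) % P1
        d2 = d2 * pow(q % P2, d, P2) % P2
    return recombine(d1, d2, P1, P2, c)

def verify(R, D, gs, ds):
    """Controller: D^2 * prod(G_i^(-d_i)) mod n must equal R; needs n but not its factors."""
    acc = pow(D, 2, N)
    for g, d in zip(gs, ds):
        acc = acc * pow(g, -d, N) % N
    return acc == R

def run_round(m=4, seed=1):
    """One round with m parallel bit challenges; also cross-checks the CRT shortcuts
    against the direct computation modulo n."""
    rng = random.Random(seed)
    c = chinese_remainder_constant(P1, P2)
    qs, gs = keygen(m, rng)
    r1, r2 = rng.randrange(1, P1), rng.randrange(1, P2)
    r = recombine(r1, r2, P1, P2, c)           # the r whose components are (r1, r2)
    R = witness_crt(r1, r2, c)
    ds = [rng.randrange(2) for _ in range(m)]  # challenges d_i in {0, 1}
    D = response_crt(r1, r2, qs, ds, c)
    d_direct = r
    for q, d in zip(qs, ds):
        d_direct = d_direct * pow(q, d, N) % N
    return {
        "witness_crt_matches_direct": R == pow(r, 2, N),
        "response_crt_matches_direct": D == d_direct,
        "verified": verify(R, D, gs, ds),
        "wrong_witness_rejected": not verify((R + 1) % N, D, gs, ds),
    }
```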


The Fiat-Shamir entity authentication procedure may be transposed easily to verification by a controller that a message M that it has received was sent by a certain keyholder, here also called the claimant. This message authentication procedure comprises the following interactive steps:


1. Witness step: the claimant chooses at random an integer r and calculates first the witness R = r^2 mod n and then the token T = h(M, R), where h is a hashing function (for example one of the functions defined in ISO/IEC Standard 10118-3), and finally sends the token T to the controller;


2. Challenge step: the controller chooses at random a challenge d which can take the value 0 or 1 and sends the challenge to the claimant;


3. Response step: the claimant calculates the response D = r × Q^d mod n and sends the response to the controller; and


4. Verification step: the controller calculates

h(M, (D^2 × G^(−d)) mod n)

and verifies that the result is equal to the token T.


Finally, the Fiat-Shamir entity authentication procedure can be transposed to define a procedure for signing a message M that is sent to a controller by a keyholder called the signatory; note that a signing procedure is not interactive in itself. The signatory holds a plurality of private keys Q_1, Q_2, ..., Q_m, where m is large compared to 1, and publishes, in addition to an RSA modulus n, respective public keys G_1, G_2, ..., G_m, where G_i = Q_i^2 mod n for i = 1, ..., m. This signing procedure comprises the following steps (given the same names as above by analogy):


1. Witness step: the signatory chooses at random m integers r_i, where i = 1, ..., m, and calculates first the witnesses R_i = r_i^2 mod n and then the token T = h(M, R_1, R_2, ..., R_m), where h is a hashing function producing a word of m bits, and finally sends the token T to the controller;


2. Challenge step: the signatory identifies the bits d_1, d_2, ..., d_m of the token T;


3. Response step: the signatory calculates the responses D_i = r_i × Q_i^(d_i) mod n and sends the responses to the controller; and


4. Verification step: the controller calculates

h(M, (D_1^2 × G_1^(−d_1)) mod n, (D_2^2 × G_2^(−d_2)) mod n, ..., (D_m^2 × G_m^(−d_m)) mod n)

and verifies that the result is equal to the token T.


Consider now in more detail the security of the Fiat-Shamir method. For example, in the case of the entity authentication procedure explained above, the question arises: is it possible for an impostor (i.e. an entity knowing the RSA modulus n and the public key G, but not knowing the private key Q of the entity that it is pretending to be) to fool the controller?


Note first that the challenge, although random, can take only two values: if an impostor guesses the value of the challenge thrown down by the controller during the authentication procedure correctly (and thus with a 50% chance of success), could it satisfy all the steps of the Fiat-Shamir method without being caught by the controller? The answer to this question is yes. In fact:

    • if the impostor guesses that the challenge will be d = 0, it supplies to the controller a witness R = r^2 mod n and a response D = r; and
    • if the impostor guesses that the challenge will be d = 1, it chooses any integer l > 0 and supplies to the controller a witness R = l^2 × G mod n and a response D = l × G mod n.


The Fiat-Shamir procedure therefore has a weakness, although its effect can be attenuated, as indicated above, if the procedure is repeated sequentially to render a correct series of anticipations of the challenge by an impostor as improbable as possible. It follows that, to make this authentication procedure sufficiently secure, its duration must be considerably increased.


International application WO-00/45550 discloses a cryptography method that is applicable to an entity authentication procedure, a message authentication procedure and a message signing procedure and does not suffer from this drawback. In that method, the claimant publishes not only an RSA modulus n and a public key G but also an integer (called the exponent) v = 2^k, where k (called the security parameter) is an integer greater than 1. Moreover, if Q is the private key of the claimant:

G = Q^v mod n  (1)


The authentication procedure of application WO-00/45550 comprises the following steps:


1. Witness step: the claimant chooses at random an integer r, calculates the witness R = r^v mod n and sends the witness to the controller;


2. Challenge step: the controller chooses at random an integer d called the challenge, where 0 ≤ d ≤ 2^(k−1) − 1, and sends the challenge to the claimant;


3. Response step: the claimant calculates the response D = r × Q^d mod n and sends the response to the controller; and


4. Verification step: the controller calculates

(D^v × G^(−d)) mod n

and verifies that the result is equal to the witness R.


Thus in this procedure the challenge can take 2^(k−1) different values (as opposed to only two values in the Fiat-Shamir method), which, for a single execution of the above succession of steps, makes correct anticipation of the challenge by an impostor increasingly improbable as the value of k increases.


This being the case, to enhance security, this procedure can of course be repeated sequentially s times and/or m pairs of keys can be used in parallel as explained above; it is then advantageous to use the Chinese remainder theorem for the calculations. In practice, because a hacker has more time to crack the code in the case of signing than in the case of authentication, it is recommended that the product [(k−1)×m×s] have a value at least equal to 40 in the case of authentication and at least equal to 80 in the case of signing.


Moreover, according to application WO-00/45550, the public key is required to satisfy the following relationship, in which g is a small integer (called the base number) greater than 1:

G = g^2 mod n  (2)


Combining the above equations (1) and (2) shows that it is necessary to find a pair (g, Q) satisfying the following equation for given n and v:

Q^v = g^2 mod n  (3)


It can be shown that equation (3) can be solved in a reasonable time only by someone who knows the factors of the modulus, i.e. the keyholder. In other words, calculating a pair of keys conforming to application WO-00/45550 from the corresponding public parameters is just as complicated as factorizing the number n; the two tasks are said to be equivalent in terms of complexity and a set of keys implying this kind of equivalence satisfies the equivalence criterion.


A first advantage of this state of affairs is that there is a reference level of security (i.e. the factorization problem). A second advantage is that a holder of keys according to application WO-00/45550 does not need to have such a public key certified by a certification authority, i.e. to obtain from that authority a certificate linking that public key to the identity of its holder; it is only necessary to certify the RSA modulus n, the other parameters being published directly by the holder. In contrast, in the Fiat-Shamir method, for example, it is possible for different entities to construct their own pairs of keys from the same RSA modulus (Fiat-Shamir pairs therefore do not satisfy the equivalence criterion defined above), and consequently each particular public key must be linked by a certification authority to the identity of its holder.


It can nevertheless be shown that there exist solutions of equation (3) for only certain particular moduluses n (representing about one quarter of all RSA moduluses). This is problematic for an entity seeking to produce pairs of keys according to application WO-00/45550: if that entity already has a collection of RSA moduluses, it can generally use only some of them to construct the keys, whereas if it does not already have any RSA moduluses, it will find it more difficult to find adequate moduluses than if all (or almost all) the RSA moduluses were compatible with the method.


Thus a first aspect of the present invention relates to an asymmetrical key cryptography method involving a keyholder having a number m ≥ 1 of private keys Q_1, Q_2, ..., Q_m and respective public keys G_1, G_2, ..., G_m, each pair of keys (Q_i, G_i) (where i = 1, ..., m) satisfying either the relationship G_i = Q_i^v mod n or the relationship G_i × Q_i^v = 1 mod n, where n is a public integer equal to the product of f (where f > 1) private prime factors p_1, ..., p_f, at least two of which are distinct, and the exponent v is a public integer equal to a power of 2. The method is noteworthy in that

v = 2^(b+k),

where k is a strictly positive integer and b = max(b_1, ..., b_f), where b_j (where j = 1, ..., f) is the highest integer such that (p_j − 1)/2^(b_j − 1) is even,


and each public key G_i (where i = 1, ..., m) is of the form G_i = g_i^(2^(a_i)) mod n,


where the base numbers g_i are integers strictly greater than 1 and the numbers a_i are integers such that 1 ≤ a_i ≤ b and at least one of them is strictly greater than 1.







Note that the present invention differs from application WO-00/45550 in particular in that each public key is of the form G_i = g_i^(2^(a_i)) mod n, where at least one of the numbers a_i is strictly greater than 1, rather than of the form G_i = g_i^2 mod n.


As shown in the detailed description given below, by means of these provisions, regardless of the value chosen for the modulus n, and apart from very rare exceptions (these particular moduluses being in practice never chosen for executing the RSA method), keys according to the invention, i.e. key pairs (g, Q) satisfying the conditions briefly stated above, necessarily exist. In other words, the method according to the present invention is compatible with any RSA modulus.


According to a particular feature of the invention, at least one of said prime factors p_1, ..., p_f is congruent to 1 modulo 4 and the integers a_i (where i = 1, ..., m) are all equal to said number b.


This considerably facilitates the construction of sets of keys according to the invention.


According to another particular feature of the invention, said base numbers g_1, ..., g_m include at least one number g_s and said prime factors p_1, ..., p_f include at least two numbers p_t and p_u other than 2 such that, given said numbers b_1, ..., b_f:

    • if b_t = b_u, then (g_s|p_t) = −(g_s|p_u), and
    • if b_t < b_u, then (g_s|p_u) = −1,


      where (g_s|p_t) and (g_s|p_u) denote the Legendre symbols of g_s relative to p_t and p_u.


It can be shown that, by means of this feature, the keys obtained satisfy the equivalence criteria defined above.


According to a further particular feature of the invention, said method involves a controller and said keyholder, here called the claimant. The method is noteworthy in that it comprises the following steps:

    • the claimant chooses at random an integer r, calculates the witness R = r^v mod n and sends the witness to the controller,
    • the controller chooses at random m challenges d_1, d_2, ..., d_m (where i = 1, ..., m) and sends the challenges to the claimant,
    • the claimant calculates the response

      D = r × Q_1^(d_1) × Q_2^(d_2) × ... × Q_m^(d_m) mod n,

      and sends the response to the controller, and
    • the controller calculates

      D^v × G_1^(ε_1 d_1) × G_2^(ε_2 d_2) × ... × G_m^(ε_m d_m) mod n

      where, for i = 1, ..., m, ε_i = +1 if G_i × Q_i^v = 1 mod n and ε_i = −1 if G_i = Q_i^v mod n,


      and verifies that the result is equal to the witness R.


It is important to note that it is not necessary for a controller and a claimant that use this method to exchange all of the witness or all of the response: they can, by mutual agreement, exchange only some of the data or the result of applying a predetermined hashing function to some or all of the data.


The execution of the method can advantageously be accelerated by using the Chinese remainder theorem, of course.


For example, to calculate the witness R, the claimant can proceed as follows. For a modulus n = p_1 × p_2, where p_1 < p_2, let C be the positive number (known as the Chinese remainder) less than p_1 such that p_1 is a factor of (p_2 × C − 1). The claimant chooses at random two integers r_1 and r_2 such that 0 < r_1 < p_1 and 0 < r_2 < p_2 and calculates the two witness components R_1 = r_1^v mod p_1 and R_2 = r_2^v mod p_2. The value of the witness is deduced therefrom as follows, where z = C × (R_1 − R_2):

R = z × p_2 + R_2


The claimant can also use the Chinese remainder theorem to obtain the response D in a similar manner to the calculation technique described above for the Fiat-Shamir method.


Finally, note that the challenges may be limited to challenges satisfying the condition 0 ≤ d_i ≤ 2^k − 1 for i = 1, ..., m (which has the advantage of simplifying the calculations both for the claimant and for the controller). It is easy to verify that, for two values of d_i differing by 2^k, the corresponding values of Q_i^(d_i) are deduced from each other by a factor g_i. As the publication of the public keys G_i essentially involves the disclosure of the base numbers g_i, it is seen that the same level of security is obtained with challenge values in the range 0 ≤ d_i ≤ 2^k − 1 as with challenge values outside that range.


According to a further particular feature of the invention, said method enables a controller to verify that a message M that it has received was sent to it by said keyholder, here called the claimant. The method is noteworthy in that it comprises the following steps:

    • the claimant chooses at random an integer r and first calculates the witness R = r^v mod n, then calculates the token T = h(M, R), where h is a hashing function, and finally sends the token T to the controller,
    • the controller chooses at random m challenges d_1, d_2, ..., d_m (where i = 1, ..., m) and sends the challenges to the claimant,
    • the claimant calculates the response

      D = r × Q_1^(d_1) × Q_2^(d_2) × ... × Q_m^(d_m) mod n,

      and sends the response to the controller, and
    • the controller calculates

      h(M, D^v × G_1^(ε_1 d_1) × G_2^(ε_2 d_2) × ... × G_m^(ε_m d_m) mod n)

      where, for i = 1, ..., m, ε_i = +1 if G_i × Q_i^v = 1 mod n and ε_i = −1 if G_i = Q_i^v mod n,


      and verifies that the result is equal to the token T.


The above remark on the values of the challenges in the entity authentication method obviously applies equally to this message authentication method.


Note also that this message authentication procedure is sometimes considered to be a form of message signing.


According to another particular feature of the invention, another way of signing a message, which enables said keyholder, here called the signatory, to sign a message M sent to a controller, is noteworthy in that it comprises the following steps:

    • the signatory chooses at random m integers r_i, where i = 1, ..., m, and first calculates the witnesses R_i = r_i^v mod n, then calculates the token T = h(M, R_1, R_2, ..., R_m), where h is a hashing function producing a word of m bits, and finally sends the token T to the controller,
    • the signatory identifies the bits d_1, d_2, ..., d_m of the token T,
    • the signatory calculates the responses D_i = r_i × Q_i^(d_i) mod n and sends the responses to the controller, and
    • the controller calculates

      h(M, D_1^v × G_1^(ε_1 d_1) mod n, D_2^v × G_2^(ε_2 d_2) mod n, ..., D_m^v × G_m^(ε_m d_m) mod n)

      where, for i = 1, ..., m, ε_i = +1 if G_i × Q_i^v = 1 mod n and ε_i = −1 if G_i = Q_i^v mod n,


      and verifies that the result is equal to the token T.


A second aspect of the invention relates to various devices.


This aspect of the invention relates firstly to an electronic circuit including a processor and memories that is noteworthy in that it can be programmed to act as the keyholder in executing any of the cryptography methods described above.


It relates further to a dedicated electronic circuit that is noteworthy in that it contains data enabling it to act as the keyholder in executing any of the cryptography methods described above. It may in particular be an application-specific integrated circuit (ASIC).


The above two electronic circuits may take the form of an electronic microchip, for example.


The invention also relates, thirdly, to a portable object adapted to be connected to a terminal to exchange data with the terminal and noteworthy in that it contains an electronic circuit as described above and is able to store identification data and private keys specific to said keyholder.


This portable object may be a smart card or a USB key, for example.


The invention also relates, fourthly, to a terminal adapted to be connected to a portable object to exchange data with the portable object and noteworthy in that it includes a data processing device programmed to act as said controller in executing any of the cryptography methods described above.


The invention also relates, fifthly, to a cryptography system comprising a portable object and a terminal both as described above.


The invention also relates, sixthly, to non-removable data storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of any of the cryptography methods described above.


The invention also relates, seventhly, to partially or totally removable data storage means containing electronic data processing programming code instructions for, as said keyholder, executing steps of any of the cryptography methods described above.


The invention also relates, eighthly, to a data processing device comprising keyholder storage means as described above. This data processing device may be a personal computer or a server, for example.


The invention also relates, ninthly, to non-removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of any of the cryptography methods described above.


The invention also relates, tenthly, to partially or totally removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of any of the cryptography methods described above.


The invention also relates, eleventhly, to a data processing device comprising controller storage means as described above.


This data processing device may be a personal computer or a server, for example.


The invention also relates, twelfthly, to a cryptography system comprising a keyholder data processing device and a controller data processing device as described above.


The advantages of the above devices are essentially the same as those of the corresponding methods described above.


The invention also provides a computer program containing instructions such that, when said program controls a programmable data processing device, said instructions cause said data processing device to execute one of the cryptography methods described above.


The advantages of this computer program are essentially the same as those of the cryptography methods described above.


Other aspects and advantages of the invention become apparent on reading the following detailed description.


Consider a modulus n that is generally the product of f (where f > 1) large prime factors p_1, ..., p_f, at least two of which are distinct, where p_1 ≤ ... ≤ p_f and p_1 < p_f:

n = p_1 × ... × p_f


Each factor p_j, where j = 1, ..., f, may be associated with a strictly positive integer b_j defined in the following manner: (p_j − 1) is divisible by 2^(b_j) but not by 2^(b_j + 1) (in other words, b_j is the highest integer such that (p_j − 1)/2^(b_j − 1) is even). It is easy to verify that b_j = 1 if p_j = 3 mod 4 and b_j > 1 if p_j = 1 mod 4.


If an entity wishes to become a keyholder, it can request a certification authority to assign it an RSA modulus n. The entity then constructs a number m ≥ 1 of private keys Q_1, Q_2, ..., Q_m and publishes said modulus n, an exponent v and respective public keys G_1, G_2, ..., G_m.


According to the invention, these quantities conform to the following conditions:

    • the exponent is of the following form, where b = max(b_1, ..., b_f) and k ≥ 1:

      v = 2^(b+k),
    • each public key G_i (where i = 1, ..., m) is of the following form, where the base numbers g_i are integers strictly greater than 1 and the numbers a_i are integers such that 1 ≤ a_i ≤ b and such that at least one of them is strictly greater than 1: G_i = g_i^(2^(a_i)) mod n
    • each pair of keys (Q_i, G_i) (where i = 1, ..., m) satisfies

      either the relationship G_i = Q_i^v mod n  (1i)
      or the relationship G_i × Q_i^v = 1 mod n  (1′i)


It can be shown that, for pairs of keys satisfying the above conditions to exist, the rank of each key G_i relative to each prime factor p_j must be odd. In this regard, note that “the rank λ relative to p” of a non-null element x of the field of integers modulo p (where p is prime) is the smallest strictly positive integer λ such that x^λ = 1 mod p (where the successive powers of x are taken modulo p).


The condition whereby the rank of Gi relative to each of the prime factors of the modulus n is odd implies that no prime factor pj can be such that (pj−1) is equal to a power of 2; however, the prime numbers satisfying this condition (for example 3, 5, 17, and 257) are rare, and even very rare if large numbers are chosen for the prime factors of the modulus.


This property of public keys can be obtained by choosing the integers g_i and a_i in accordance with the following rule for all j = 1, ..., f:

a_i ≥ h(g_i) mod p_j

where, for any non-null integer x of the field of integers modulo p (where p is prime), the “height h(x) mod p of x relative to p” is defined as the exponent of the highest power of 2 that is a factor of the rank of x relative to p.


One particular embodiment of the invention is described next by way of non-limiting example.


In this embodiment, the prime factors p_j of the modulus n are chosen so that at least one of them is congruent to 1 modulo 4 (the other factors can be congruent either to 1 or to 3 modulo 4). It follows from the properties of the associated numbers b_j stated above that:

b > 1.


Moreover, for all i = 1, ..., m:

G_i = g_i^(2^b) mod n  (4)


Note that, in contrast, the keys defined by application WO-00/45550 (which satisfy the relationship Q_i^v = g_i^2 mod n, as indicated above) exist only for the moduluses for which all the prime factors are congruent to 3 modulo 4.


It can be shown that the public keys Gi defined by equation (4) are of odd rank relative to each of the prime factors of the modulus.


Finally, there must exist at least one number g_s among said base numbers g_1, ..., g_m and two numbers p_t and p_u other than 2 among said prime factors p_1, ..., p_f such that

if b_t = b_u, then (g_s|p_t) = −(g_s|p_u)  (5a)
if b_t < b_u, then (g_s|p_u) = −1,  (5b)

where the numbers b_t and b_u (see above for definitions of these numbers) are determined relative to p_t and p_u and (g_s|p_t) and (g_s|p_u) denote the corresponding Legendre symbols of g_s.


In this regard, note that the “Legendre symbol relative to p” (x|p) of a non-null element x of the field of integers modulo p (where p is a prime number other than 2) is equal to x^((p−1)/2) mod p. It is easily shown that (x|p) = 0 if x is a multiple of p, (x|p) = +1 if x is equal to the square modulo p of another element of the field, and (x|p) = −1 otherwise.


The equations (5a-5b) represent an embodiment of the invention in which the keys satisfy the equivalence criteria, i.e. in which it is impossible to calculate the private keys Q_1, Q_2, ..., Q_m from the public parameters n, v and G_1, G_2, ..., G_m in a reasonable time unless the prime factors of the modulus are known.


In contrast, if the factors of the modulus are known, the private keys can be obtained in the following manner. Let A be the lowest common multiple of the numbers (p_j − 1)/2^b, where j = 1, ..., f, and let u be the smallest positive integer such that (u × v + 1) is a multiple of A. Each private key satisfies:


Q_i × G_i^u = 1 mod n if equation (1i) is chosen (i.e. G_i = Q_i^v mod n), or


Q_i = G_i^u mod n if equation (1′i) is chosen (i.e. G_i × Q_i^v = 1 mod n).
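The key construction just described (the numbers b_j, v = 2^(b+k), G_i = g_i^(2^b) mod n, and the private keys from u and A), together with the entity authentication and signing steps given earlier and the equivalence conditions (5a)/(5b), as one added Python example that is not code from the patent. It assumes the constructed toy primes p1 = 1009 (≡ 1 mod 4, b_1 = 4) and p2 = 1019 (b_2 = 1), the first five primes as base numbers, k = 3, takes A as the lcm of the odd parts (p_j − 1)/2^(b_j) (equal to the page's (p_j − 1)/2^b when all b_j = b), and uses SHA-256 truncated to m bits as the hashing function h.

```python
import hashlib
import math
import random

# Constructed toy parameters (a real modulus has >= 1024 bits). p1 = 1 mod 4, so b > 1.
P1, P2 = 1009, 1019        # 1008 = 2^4 * 63 -> b1 = 4 ; 1018 = 2 * 509 -> b2 = 1
K = 3                      # security parameter k: challenges d_i lie in [0, 2^k - 1]
BASES = [2, 3, 5, 7, 11]   # base numbers g_i: the first m = 5 primes

def two_adic_valuation(x):
    """Exponent of the highest power of 2 dividing x; b_j = two_adic_valuation(p_j - 1)."""
    return (x & -x).bit_length() - 1

def odd_part(x):
    return x >> two_adic_valuation(x)

def rank_is_odd(x, p):
    """The rank of x relative to p is odd iff x^(odd part of p - 1) = 1 mod p."""
    return pow(x, odd_part(p - 1), p) == 1

def legendre(x, p):
    """Legendre symbol (x|p) = x^((p-1)/2) mod p, mapped to {-1, 0, +1}."""
    s = pow(x, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def keygen(primes, k, bases):
    """Keyholder side (needs the factors): v = 2^(b+k), G_i = g_i^(2^b) mod n (a_i = b for
    every i, equation (4)) and Q_i from Q_i * G_i^u = 1 mod n, so that G_i = Q_i^v mod n."""
    bs = [two_adic_valuation(p - 1) for p in primes]
    b, n = max(bs), math.prod(primes)
    v = 2 ** (b + k)
    Gs = [pow(g, 2 ** b, n) for g in bases]
    # Assumption: A = lcm of the odd parts (p_j - 1)/2^(b_j); this is the page's
    # (p_j - 1)/2^b when every b_j equals b, and G_i^A = 1 mod n since each G_i has odd rank.
    A = math.lcm(*(odd_part(p - 1) for p in primes))
    u = (-pow(v, -1, A)) % A           # smallest u > 0 with u*v + 1 = 0 mod A
    Qs = [pow(G, -u, n) for G in Gs]   # Q_i = G_i^(-u) mod n
    return {"n": n, "v": v, "k": k, "b": b, "bs": bs, "G": Gs, "Q": Qs}

def equivalence_condition(primes, bs, bases):
    """Conditions (5a)/(5b): some base g_s and odd factors p_t, p_u with either
    b_t = b_u and (g_s|p_t) = -(g_s|p_u) != 0, or b_t < b_u and (g_s|p_u) = -1."""
    for g in bases:
        for t, pt in enumerate(primes):
            for w, pu in enumerate(primes):
                if t == w or pt == 2 or pu == 2:
                    continue
                lt, lu = legendre(g, pt), legendre(g, pu)
                if bs[t] == bs[w] and lt != 0 and lt == -lu:
                    return True
                if bs[t] < bs[w] and lu == -1:
                    return True
    return False

def witness(r, v, n):
    return pow(r, v, n)

def response(r, Qs, ds, n):
    """Claimant: D = r * Q_1^d_1 * ... * Q_m^d_m mod n."""
    return r * math.prod(pow(q, d, n) for q, d in zip(Qs, ds)) % n

def verify(R, D, Gs, ds, v, n):
    """Controller (public data only): D^v * prod(G_i^(eps_i d_i)) mod n == R, with
    eps_i = -1 because the keys satisfy G_i = Q_i^v mod n."""
    return pow(D, v, n) * math.prod(pow(G, -d, n) for G, d in zip(Gs, ds)) % n == R

def run_authentication(keys, seed=7):
    """One execution of the entity authentication steps with m parallel challenges."""
    rng = random.Random(seed)
    n, v, k = keys["n"], keys["v"], keys["k"]
    r = rng.randrange(1, n)
    R = witness(r, v, n)                              # claimant -> controller
    ds = [rng.randrange(2 ** k) for _ in keys["Q"]]   # controller -> claimant
    D = response(r, keys["Q"], ds, n)                 # claimant -> controller
    return verify(R, D, keys["G"], ds, v, n)

def token(M, Rs, m):
    """h(M, R_1, ..., R_m) producing a word of m bits: SHA-256 truncated (assumption)."""
    h = hashlib.sha256(M + b"".join(R.to_bytes(8, "big") for R in Rs)).digest()
    return int.from_bytes(h, "big") >> (256 - m)

def sign(M, keys, seed=11):
    """Signatory: R_i = r_i^v, token T, challenge bits d_i read off T, D_i = r_i * Q_i^d_i."""
    rng = random.Random(seed)
    n, v, m = keys["n"], keys["v"], len(keys["Q"])
    rs = [rng.randrange(1, n) for _ in range(m)]
    T = token(M, [witness(r, v, n) for r in rs], m)
    ds = [(T >> (m - 1 - i)) & 1 for i in range(m)]
    return T, [r * pow(q, d, n) % n for r, q, d in zip(rs, keys["Q"], ds)]

def verify_signature(M, T, Ds, keys):
    """Controller: h(M, D_1^v G_1^(-d_1) mod n, ..., D_m^v G_m^(-d_m) mod n) must equal T."""
    n, v, m = keys["n"], keys["v"], len(keys["G"])
    ds = [(T >> (m - 1 - i)) & 1 for i in range(m)]
    Rs = [pow(D, v, n) * pow(G, -d, n) % n for D, G, d in zip(Ds, keys["G"], ds)]
    return token(M, Rs, m) == T
```

With these parameters the bases 2, 3, 5 and 7 alone do not satisfy (5b) relative to p1 = 1009, while adding 11 does, which is the kind of check a keyholder runs before publishing base numbers.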


The private keys Q1, Q2, . . . , Qm can also be calculated using the Chinese remainder theorem.


To finish, a few remarks concerning the base numbers.


It is found that the speed of the calculations effected during the execution of the method according to the invention increases when the base numbers are taken to be smaller. It is therefore recommended that they be chosen to be as small as possible.


For example, the base numbers may be chosen from the first 54 prime numbers (the fifty-fourth prime number being 251).


Alternatively, the first $m$ prime numbers can systematically be taken as base numbers, that is to say $g_1 = 2$, $g_2 = 3$, $g_3 = 5$, $g_4 = 7$, $g_5 = 11$, and so on. This approach has the advantage of simplicity, but does not guarantee that the resulting set of keys satisfies the equivalence criterion. It can be shown, however, that the proportion of sets not satisfying the equivalence criterion is less than $1/2^m$; for example, for $m = 16$ (corresponding to $g_{16} = 53$), this proportion is less than 1/65536.

Claims
  • 1. An asymmetrical key cryptography method involving a keyholder having a number $m \geq 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and respective public keys $G_1, G_2, \ldots, G_m$, each pair of keys $(Q_i, G_i)$ (where $i = 1, \ldots, m$) satisfying either the relationship $G_i = Q_i^v \bmod n$ or the relationship $G_i \times Q_i^v = 1 \bmod n$, where $n$ is a public integer equal to the product of $f$ (where $f > 1$) private prime factors $p_1, \ldots, p_f$, at least two of which are distinct, and the exponent $v$ is a public integer equal to a power of 2, wherein the method comprises the steps of: arranging the exponent $v$ to have the relationship $v = 2^{b+k}$, where $k$ is a strictly positive integer and $b = \max(b_1, \ldots, b_f)$, where $b_j$ (where $j = 1, \ldots, f$) is the highest integer such that $(p_j - 1)/2^{b_j - 1}$ is even; and arranging each public key $G_i$ (where $i = 1, \ldots, m$) to have the form $G_i = g_i^{2^{a_i}} \bmod n$, where the base numbers $g_i$ are integers strictly greater than 1 and the numbers $a_i$ are integers such that $1 \leq a_i \leq b$ and at least one of them is strictly greater than 1.
  • 2. A method according to claim 1, wherein at least one of said prime factors $p_1, \ldots, p_f$ is congruent to 1 modulo 4 and the integers $a_i$ (where $i = 1, \ldots, m$) are all equal to said number $b$.
  • 3. A method according to claim 1, wherein said base numbers $g_1, \ldots, g_m$ include at least one number $g_s$ and said prime factors $p_1, \ldots, p_f$ include at least two numbers $p_t$ and $p_u$ other than 2 such that, given said numbers $b_1, \ldots, b_f$,
  • 4. A method according to claim 1, wherein the base numbers $g_1, \ldots, g_m$ are prime numbers.
  • 5. A method according to claim 1, involving a controller and said keyholder, here called the claimant, wherein the method comprises the following steps: the claimant chooses at random an integer $r$, calculates the witness $R = r^v \bmod n$ and sends the witness to the controller; the controller chooses at random $m$ challenges $d_1, d_2, \ldots, d_m$ and sends the challenges to the claimant; the claimant calculates the response $D = r \times Q_1^{d_1} \times Q_2^{d_2} \times \cdots \times Q_m^{d_m} \bmod n$ and sends the response to the controller; and the controller calculates $D^v \times G_1^{\varepsilon_1 d_1} \times G_2^{\varepsilon_2 d_2} \times \cdots \times G_m^{\varepsilon_m d_m} \bmod n$, where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$, and verifies that the result is equal to the witness $R$.
  • 6. A method according to claim 1, enabling a controller to verify that a message $M$ that it has received was sent to it by said keyholder, here called the claimant, wherein the method comprises the following steps: the claimant chooses at random an integer $r$, first calculates the witness $R = r^v \bmod n$, then calculates the token $T = h(M, R)$, where $h$ is a hash function, and finally sends the token $T$ to the controller; the controller chooses at random $m$ challenges $d_1, d_2, \ldots, d_m$ and sends the challenges to the claimant; the claimant calculates the response $D = r \times Q_1^{d_1} \times Q_2^{d_2} \times \cdots \times Q_m^{d_m} \bmod n$ and sends the response to the controller; and the controller calculates $h(M, D^v \times G_1^{\varepsilon_1 d_1} \times G_2^{\varepsilon_2 d_2} \times \cdots \times G_m^{\varepsilon_m d_m} \bmod n)$, where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$, and verifies that the result is equal to the token $T$.
  • 7. A method according to claim 5, wherein the challenges satisfy the condition $0 \leq d_i \leq 2^k - 1$ for $i = 1, \ldots, m$.
  • 8. A method according to claim 1, enabling said keyholder, here called the signatory, to sign a message $M$ that it sends to a controller, wherein the method comprises the following steps: the signatory chooses at random $m$ integers $r_i$, where $i = 1, \ldots, m$, first calculates the witnesses $R_i = r_i^v \bmod n$, then calculates the token $T = h(M, R_1, R_2, \ldots, R_m)$, where $h$ is a hash function producing a word of $m$ bits, and finally sends the token $T$ to the controller; the signatory identifies the bits $d_1, d_2, \ldots, d_m$ of the token $T$; the signatory calculates the responses $D_i = r_i \times Q_i^{d_i} \bmod n$ and sends the responses to the controller; and the controller calculates $h(M, D_1^v \times G_1^{\varepsilon_1 d_1} \bmod n, D_2^v \times G_2^{\varepsilon_2 d_2} \bmod n, \ldots, D_m^v \times G_m^{\varepsilon_m d_m} \bmod n)$, where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$, and verifies that the result is equal to the token $T$.
  • 9. An electronic circuit including a processor and memories, wherein the electronic circuit is programmed to act as said keyholder in executing a method according to claim 1.
  • 10. A dedicated electronic circuit, including microcomponents enabling the electronic circuit to process data in such manner as to act as said keyholder in executing a method according to claim 1.
  • 11. A portable object adapted to be connected to a terminal to exchange data with that terminal, wherein the portable object includes an electronic circuit according to claim 9 or claim 10 and is adapted to store identification data and private keys specific to said keyholder.
  • 12. A terminal adapted to be connected to a portable object to exchange data with that portable object, wherein the terminal includes a data processing device programmed to act as said controller in executing a method according to any one of claims 5-8.
  • 13. A cryptography system comprising: a portable object adapted to be connected to a terminal to exchange data with that terminal, wherein the portable object includes an electronic circuit programmed to act as said keyholder in executing an asymmetrical key cryptography method involving a keyholder having a number $m \geq 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and respective public keys $G_1, G_2, \ldots, G_m$, each pair of keys $(Q_i, G_i)$ (where $i = 1, \ldots, m$) satisfying either the relationship $G_i = Q_i^v \bmod n$ or the relationship $G_i \times Q_i^v = 1 \bmod n$, where $n$ is a public integer equal to the product of $f$ (where $f > 1$) private prime factors $p_1, \ldots, p_f$, at least two of which are distinct, and the exponent $v$ is a public integer equal to a power of 2, wherein the method comprises the steps of: arranging the exponent $v$ to have the relationship $v = 2^{b+k}$, where $k$ is a strictly positive integer and $b = \max(b_1, \ldots, b_f)$, where $b_j$ (where $j = 1, \ldots, f$) is the highest integer such that $(p_j - 1)/2^{b_j - 1}$ is even; and arranging each public key $G_i$ (where $i = 1, \ldots, m$) to have the form $G_i = g_i^{2^{a_i}} \bmod n$, where the base numbers $g_i$ are integers strictly greater than 1 and the numbers $a_i$ are integers such that $1 \leq a_i \leq b$ and at least one of them is strictly greater than 1, and wherein the portable object is adapted to store identification data and private keys specific to said keyholder; and a terminal adapted to be connected to the portable object to exchange data with that portable object, wherein the terminal includes a data processing device programmed to act as said controller in executing a method according to any one of claims 5-8.
  • 14. Non-removable data storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of a method according to claim 1.
  • 15. Partially or totally removable storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of a method according to claim 1.
  • 16. A data processing device comprising storage means according to claim 14 or claim 15.
  • 17. Non-removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of a method according to any one of claims 5-8.
  • 18. Partially or totally removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of a method according to any one of claims 5-8.
  • 19. A data processing device, wherein it comprises storage means according to claim 17 or claim 18.
  • 20. A cryptography system comprising: a data processing device including storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of an asymmetrical key cryptography method involving a keyholder having a number $m \geq 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and respective public keys $G_1, G_2, \ldots, G_m$, each pair of keys $(Q_i, G_i)$ (where $i = 1, \ldots, m$) satisfying either the relationship $G_i = Q_i^v \bmod n$ or the relationship $G_i \times Q_i^v = 1 \bmod n$, where $n$ is a public integer equal to the product of $f$ (where $f > 1$) private prime factors $p_1, \ldots, p_f$, at least two of which are distinct, and the exponent $v$ is a public integer equal to a power of 2, wherein the method comprises the steps of: arranging the exponent $v$ to have the relationship $v = 2^{b+k}$, where $k$ is a strictly positive integer and $b = \max(b_1, \ldots, b_f)$, where $b_j$ (where $j = 1, \ldots, f$) is the highest integer such that $(p_j - 1)/2^{b_j - 1}$ is even; and arranging each public key $G_i$ (where $i = 1, \ldots, m$) to have the form $G_i = g_i^{2^{a_i}} \bmod n$, where the base numbers $g_i$ are integers strictly greater than 1 and the numbers $a_i$ are integers such that $1 \leq a_i \leq b$ and at least one of them is strictly greater than 1; and a data processing device including data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of a method according to any one of claims 5-8.
  • 21. A computer program containing instructions such that, when said program controls a programmable data processing device, said instructions cause said data processing device to execute a method according to claim 1.
  • 22. A method according to claim 4, wherein the base numbers g1, . . . , gm are chosen from the first 54 prime numbers.
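As an added worked example (not code from the patent or its applicant), the following Python carries the key derivation of the description through on constructed toy primes: the odd part $(p_j - 1)/2^{b_j}$, the lowest common multiple $A$, the exponent $u$, the private keys $Q_i = G_i^{-u} \bmod n$ and the Chinese-remainder alternative, together with the Legendre-symbol test of conditions (5a)/(5b) and the witness/challenge/response round of claims 5 and 7. The function names, the choice of relationship (1i) with $a_i = b$ for every key (the choice of claim 2), the requirement that the prime factors be distinct, and every numeric value are assumptions of the example; primes this small offer no security at all.

```python
# Added example (not code from the patent); needs Python >= 3.9 for math.lcm and pow(x, -1, m).
# Key derivation of the description (A, u, Q_i = G_i^{-u} mod n), its CRT variant,
# the Legendre-symbol criterion (5a)/(5b), and the claim 5/7 authentication round.
# Relationship (1i) (G_i = Q_i^v mod n), a_i = b for every i, and distinct primes are
# the example's own choices; every numeric value below is a constructed toy value.
import math
import secrets
from functools import reduce

def val2(x):
    """Exponent of the largest power of 2 dividing x (this is b_j when x = p_j - 1)."""
    b = 0
    while x % 2 == 0:
        x //= 2
        b += 1
    return b

def legendre(x, p):
    """Legendre symbol (x|p) by Euler's criterion x^((p-1)/2) mod p, returned as 0, +1 or -1."""
    s = pow(x, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def equivalence_criterion(bases, primes):
    """True if some base g_s and odd factors p_t != p_u satisfy (5a) or (5b):
    b_t == b_u and (g_s|p_t) == -(g_s|p_u), or b_t < b_u and (g_s|p_u) == -1."""
    bs = [val2(p - 1) for p in primes]
    for g in bases:
        for t, pt in enumerate(primes):
            for u, pu in enumerate(primes):
                if t == u or 2 in (pt, pu):
                    continue
                if bs[t] == bs[u] and legendre(g, pt) == -legendre(g, pu):
                    return True
                if bs[t] < bs[u] and legendre(g, pu) == -1:
                    return True
    return False

def smallest_u(v, A):
    """Smallest positive u with u*v + 1 = 0 (mod A); v is a power of 2 and A is odd."""
    return (-pow(v, -1, A)) % A or A

def keygen(primes, bases, k):
    """Return (n, v, k, G, Q) with G_i = g_i^(2^b) mod n and Q_i^v = G_i mod n."""
    n = math.prod(primes)
    assert all(math.gcd(g, n) == 1 for g in bases), "base numbers must be units mod n"
    bs = [val2(p - 1) for p in primes]
    b = max(bs)
    v = 2 ** (b + k)
    G = [pow(g, 2 ** b, n) for g in bases]
    # A = lcm of the odd parts (p_j - 1)/2^{b_j}; each G_i has odd order dividing A
    A = reduce(math.lcm, [(p - 1) >> bj for p, bj in zip(primes, bs)])
    u = smallest_u(v, A)
    Q = [pow(Gi, -u, n) for Gi in G]  # Q_i * G_i^u = 1 mod n, hence Q_i^v = G_i mod n
    return n, v, k, G, Q

def keygen_crt(primes, bases, k):
    """The same Q_i computed modulo each (distinct) prime and recombined with the CRT."""
    n, v, _, G, _ = keygen(primes, bases, k)
    Q = []
    for Gi in G:
        x = 0
        for p in primes:
            A_p = (p - 1) >> val2(p - 1)
            q_p = pow(Gi % p, -smallest_u(v, A_p), p)  # odd-order v-th root of G_i mod p
            m_p = n // p
            x += q_p * m_p * pow(m_p, -1, p)
        Q.append(x % n)
    return Q

def prove(keys, r, d):
    """Claimant side of claim 5: witness R = r^v mod n, response D = r * prod Q_i^{d_i} mod n."""
    n, v, _, _, Q = keys
    R = pow(r, v, n)
    D = r % n
    for Qi, di in zip(Q, d):
        D = D * pow(Qi, di, n) % n
    return R, D

def verify(pub, R, d, D):
    """Controller side of claims 5 and 7: challenges must lie in [0, 2^k - 1] and
    D^v * prod G_i^{-d_i} must equal R mod n (eps_i = -1 under relationship (1i))."""
    n, v, k, G = pub
    if len(d) != len(G) or not all(0 <= di < 2 ** k for di in d):
        return False
    lhs = pow(D, v, n)
    for Gi, di in zip(G, d):
        lhs = lhs * pow(Gi, -di, n) % n
    return lhs == R

def run_protocol(keys, rng=secrets):
    """One honest round with a fresh random witness and random challenges."""
    n, v, k, G, _ = keys
    r = rng.randbelow(n - 1) + 1
    d = [rng.randbelow(2 ** k) for _ in G]
    R, D = prove(keys, r, d)
    return verify((n, v, k, G), R, d, D)

if __name__ == "__main__":
    # constructed toy parameters: b_j = 4, 2, 1 (so b = 4) and k = 2 give v = 2^6
    primes, bases, k = [113, 109, 103], [2, 3, 5], 2
    keys = keygen(primes, bases, k)
    n, v, _, G, Q = keys
    print("Q_i^v == G_i for all i:", all(pow(Qi, v, n) == Gi for Qi, Gi in zip(Q, G)))
    print("CRT keys agree:", keygen_crt(primes, bases, k) == Q)
    print("criterion (5a)/(5b) met:", equivalence_criterion(bases, primes))
    print("honest round accepted:", run_protocol(keys))
```

The witness exponent $r$ is drawn from the `secrets` module and never reused: two responses formed with the same $r$ and different challenges divide out to a power of the private keys, so freshness and uniformity of $r$ are what keep the exchange zero-knowledge. The controller also rejects challenge vectors of the wrong length or outside the range of claim 7 before doing any arithmetic.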
Priority Claims (1)
Number: 0450129; Date: Jan 2004; Country: FR; Kind: national

PCT Information
Filing Document: PCT/FR05/00158; Filing Date: 1/24/2005; Country: WO; 371(c) Date: 7/24/2006