CA2308170C - Masked digital signatures - Google Patents
Masked digital signatures Download PDFInfo
- Publication number
- CA2308170C CA2308170C CA002308170A CA2308170A CA2308170C CA 2308170 C CA2308170 C CA 2308170C CA 002308170 A CA002308170 A CA 002308170A CA 2308170 A CA2308170 A CA 2308170A CA 2308170 C CA2308170 C CA 2308170C
- Authority
- CA
- Canada
- Prior art keywords
- signature
- private key
- short term
- component
- term private
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000000034 method Methods 0.000 claims abstract description 40
- 238000004891 communication Methods 0.000 claims abstract description 11
- 238000012795 verification Methods 0.000 claims abstract description 9
- 230000007774 longterm Effects 0.000 claims description 19
- 238000012545 processing Methods 0.000 claims description 7
- 238000007620 mathematical function Methods 0.000 abstract 2
- 230000006870 function Effects 0.000 description 5
- 238000006243 chemical reaction Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/409—Device specific authentication in transaction processing
- G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
- G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/04—Masking or blinding
Abstract
The present invention relates to digital signature operations using public key schemes in a secure communications system and in particular for use with processors having limited computing power such as "smart cards". This invention describes a method for creating and authenticating a digital signature comprising the steps of selecting a first session parameter k and generating a first short term public key derived from the session parameter k, computing a first signature component r derived from a first mathematical function using the short term public key, selecting a second session parameter t and computing a second signature component s derived from a second mathematical function using the second session parameter t and without using an inverse operation, computing a third signature component using the first and second session parameters and sending the signature components (r, s, c) as a masked digital signature to a receiver computer system. In the receiver computer system computing a recovered second signature component s' by combining a third signature component with the second signature component to derive signature components ( ~, r) as an unmasked digital signature. Verifying these signature components as in a usual ElGamal or ECDSA type signature verification.
Description
MASKED DIGITAL SIGNATURES
This invention relates to a method of accelerating digital signature operations used in secure conimunication systems, and in particular for use with processors having limited computing power.
BACKGROUND OF THE INVENTION
One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission. A widely used set of signature protocols utilizes the E1Gamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key. The E1Gamal scheme gets its security from calculating discrete logarithins in a finite field. Furthermore, the E1Gamal-type signatures work in any group and in particular elliptic curve groups. For example given the elliptic curve group E(Fq) then for P E E(Fq) and Q = aP the discrete logarithni problem reduces to finding the integer a.
Thus these cryptosystems can be computationally intensive.
Various protocols exist for implementing such a scheme. For exatnple, a digital signature algorithm DSA is a variant of the ElGamal scheme. In these scliemes a pair of correspondent entities A and B each create a public key and a corresponding private key.
The entity A signs a message m of arbitrary length. The entity B can verify this signature by using A's public key. In eacll case however, both the sender, entity A, and the recipient, entity B, are required to perform a computationally intensive operations to generate and verify the signature respectively. Where either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a'smart card' application, the computations may introduce delays in the signature and verification process.
Public key schemes may be implemented using one of a number of multiplicative groups in which the discrete log problem appears intractable but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implenientation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in ZP' and therefore reduces the bandwidth required for communicating the signatures.
In a typical implementation of such a digital signature algorithm such as the Elliptic Curve Digital Signature Algorithm (ECDSA) a signature component s has the form:
s=k`(e+dr)modn where:
d is a long term private key random integer of the signor;
Q is a public key of the signor derived by computing the point Q = dP;
P is a point (x, y) on the curve which is a predefined parameter of the system;
k is a random integer selected as a short term private or session key, and has a corresponding short term public key R = kP;
e is a secure hash, such as the SHA-1 hash function of a message; and n is the order of the curve.
In this scheme the signor represents the x coordinate of the point kP as an integer z and then calculates a first signature component r = z mod n. Next, the second signature cornponent s above is calculated. The signature components s and r and a message M is then transmitted to the recipient. In order for the recipient to verify the signature (?;s) on M, the recipient looks up the public key Q of the signor. A hash e'of the message M is calculated using a hash function H such that e' = H(M). A value c = s-' mod n is also calculated. Next, integer values u, and u1 are calculated such that u, = e'c mod n and uI=
rc mod n. In order that the signature be verified, the value u,P + u1Q must be calculated.
Since P is known and is a systern wide parameter, the value u,P may be computed quickly.
The point R = u,P + u2Q is computed. The field element x of the point R=(x,,y) is converted to an integer z, and a value v = z mod n is computed. If v = r, then the signature is valid.
Other protocols, such as the MQV protocols also require similar computatioiis when implemeiited over elliptic curves which inay result in slow signature and verification when the computing power is limited. The complexity of the calculations may be explained by observing a form of the elliptic curve. Geilerally, the underlying elliptic curve has the form yZ + xy = x' + ax + b and the addition of two points having coordinates (x,,y, ) and (xZ,yZ) results in a point (x3,y3) where 2 , =
x' Yi .y'2 I Yz x, X2 a (P ~ Q) x, x1 x, X2 Ys Yz I (x, x') x3 Y, (P * Q) x, xz J
The doubling of a point i.e. P to 2P, is performed by adding the point to itself so that , =
y3 = X~ Xi y' X3 Xj Xi xj = x; 2 x;
It may be seen in the above example of the ECDSA algorithm that the calculation of the second signature component involves at least the computation of an inverse.
Modulo a number for the generation of each of the doubled points requires the computation of both the x and y coordinates and the latter requires a further inversion.
These steps are computationally complex and therefore require either significant time or computing power to perform.
Inversion is computationally intensive, and generally performed within a secure boundary where computational power is limited thus it would be advantageous to perform such calculations outside the sectire boundary, particularly where computational power is nlore readily available. This however cannot be done directly on the ECDSA signature scheme without potentially compromising the private key information. Therefore there exists a need for a method of performing at least part of a signature operation outside a secure boundary while still maintaining an existing level of security in current signature scliemes.
It is therefore an object of the present inveiition to provide a inetliod and apparatus in which at least some of the above disadvantages are mitigated.
This invention relates to a method of accelerating digital signature operations used in secure conimunication systems, and in particular for use with processors having limited computing power.
BACKGROUND OF THE INVENTION
One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission. A widely used set of signature protocols utilizes the E1Gamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key. The E1Gamal scheme gets its security from calculating discrete logarithins in a finite field. Furthermore, the E1Gamal-type signatures work in any group and in particular elliptic curve groups. For example given the elliptic curve group E(Fq) then for P E E(Fq) and Q = aP the discrete logarithni problem reduces to finding the integer a.
Thus these cryptosystems can be computationally intensive.
Various protocols exist for implementing such a scheme. For exatnple, a digital signature algorithm DSA is a variant of the ElGamal scheme. In these scliemes a pair of correspondent entities A and B each create a public key and a corresponding private key.
The entity A signs a message m of arbitrary length. The entity B can verify this signature by using A's public key. In eacll case however, both the sender, entity A, and the recipient, entity B, are required to perform a computationally intensive operations to generate and verify the signature respectively. Where either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a'smart card' application, the computations may introduce delays in the signature and verification process.
Public key schemes may be implemented using one of a number of multiplicative groups in which the discrete log problem appears intractable but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implenientation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in ZP' and therefore reduces the bandwidth required for communicating the signatures.
In a typical implementation of such a digital signature algorithm such as the Elliptic Curve Digital Signature Algorithm (ECDSA) a signature component s has the form:
s=k`(e+dr)modn where:
d is a long term private key random integer of the signor;
Q is a public key of the signor derived by computing the point Q = dP;
P is a point (x, y) on the curve which is a predefined parameter of the system;
k is a random integer selected as a short term private or session key, and has a corresponding short term public key R = kP;
e is a secure hash, such as the SHA-1 hash function of a message; and n is the order of the curve.
In this scheme the signor represents the x coordinate of the point kP as an integer z and then calculates a first signature component r = z mod n. Next, the second signature cornponent s above is calculated. The signature components s and r and a message M is then transmitted to the recipient. In order for the recipient to verify the signature (?;s) on M, the recipient looks up the public key Q of the signor. A hash e'of the message M is calculated using a hash function H such that e' = H(M). A value c = s-' mod n is also calculated. Next, integer values u, and u1 are calculated such that u, = e'c mod n and uI=
rc mod n. In order that the signature be verified, the value u,P + u1Q must be calculated.
Since P is known and is a systern wide parameter, the value u,P may be computed quickly.
The point R = u,P + u2Q is computed. The field element x of the point R=(x,,y) is converted to an integer z, and a value v = z mod n is computed. If v = r, then the signature is valid.
Other protocols, such as the MQV protocols also require similar computatioiis when implemeiited over elliptic curves which inay result in slow signature and verification when the computing power is limited. The complexity of the calculations may be explained by observing a form of the elliptic curve. Geilerally, the underlying elliptic curve has the form yZ + xy = x' + ax + b and the addition of two points having coordinates (x,,y, ) and (xZ,yZ) results in a point (x3,y3) where 2 , =
x' Yi .y'2 I Yz x, X2 a (P ~ Q) x, x1 x, X2 Ys Yz I (x, x') x3 Y, (P * Q) x, xz J
The doubling of a point i.e. P to 2P, is performed by adding the point to itself so that , =
y3 = X~ Xi y' X3 Xj Xi xj = x; 2 x;
It may be seen in the above example of the ECDSA algorithm that the calculation of the second signature component involves at least the computation of an inverse.
Modulo a number for the generation of each of the doubled points requires the computation of both the x and y coordinates and the latter requires a further inversion.
These steps are computationally complex and therefore require either significant time or computing power to perform.
Inversion is computationally intensive, and generally performed within a secure boundary where computational power is limited thus it would be advantageous to perform such calculations outside the sectire boundary, particularly where computational power is nlore readily available. This however cannot be done directly on the ECDSA signature scheme without potentially compromising the private key information. Therefore there exists a need for a method of performing at least part of a signature operation outside a secure boundary while still maintaining an existing level of security in current signature scliemes.
It is therefore an object of the present inveiition to provide a inetliod and apparatus in which at least some of the above disadvantages are mitigated.
This invention seeks to provide a digital signature method, which may be implemented relatively efficientlyon a processor with limited processing capability, such as a'smart card' or the like.
In general terms, the present invention provides a method and apparatus in which signature verification may be accelerated.
In accordance with this invention there is provided; a method of signing and authenticating a message m in a public key data comniunication system, comprising the steps of:
in a secure computer system:
(a) generating a first short term private key k;
(b) computing a first short term public key derived from the first short term private key k, (c) coniputing a first signature component r by using the first short term public key k;
(d) generating a second short term private key t;
(e) computing a second signature component s by using the second short term ptivate key t on the message ni, the iong term private key and the first signature component r;
(f) computing a third signature component c using the first and second short term private keys I and k respectively, and sending the signature components (r, s, c) as a masked digital signature of the message ni to a receiver computer system; in the receiver system;
(g) using said second and third signature components (s,c) computing a regtilar signature component s and sending the signature components (s, r) as a regular digital signature to a verifer computer sys,Xem; and (h) verifying normal signature.
In accordance with a further aspect of the invention there is provided; a processing means for signing a message m without performing inversion operations and including a long term private key contained within a secure boundary and a long temi public key derived from the private key and a generator of predetermined order in a field, the processing means comprising:
within the secure boundary;
In general terms, the present invention provides a method and apparatus in which signature verification may be accelerated.
In accordance with this invention there is provided; a method of signing and authenticating a message m in a public key data comniunication system, comprising the steps of:
in a secure computer system:
(a) generating a first short term private key k;
(b) computing a first short term public key derived from the first short term private key k, (c) coniputing a first signature component r by using the first short term public key k;
(d) generating a second short term private key t;
(e) computing a second signature component s by using the second short term ptivate key t on the message ni, the iong term private key and the first signature component r;
(f) computing a third signature component c using the first and second short term private keys I and k respectively, and sending the signature components (r, s, c) as a masked digital signature of the message ni to a receiver computer system; in the receiver system;
(g) using said second and third signature components (s,c) computing a regtilar signature component s and sending the signature components (s, r) as a regular digital signature to a verifer computer sys,Xem; and (h) verifying normal signature.
In accordance with a further aspect of the invention there is provided; a processing means for signing a message m without performing inversion operations and including a long term private key contained within a secure boundary and a long temi public key derived from the private key and a generator of predetermined order in a field, the processing means comprising:
within the secure boundary;
nieans for geuerating a first short term private key;
means for generatitlg a second short term private key;
means for generating a first signature component using at least the second shoi-t term session key; and generating a masked signature component using the first and second sliort term session keys to produce masked signature components of the message in.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:-Figure 1 is a schematic representation of a communication system; and Figure 2 is a flow chart showing a signature algorithm according to the present invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Referring therefore to Figure 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12, and a recipient 14, who are connected by a communication channel 16. Each of the correspondents 12,14 includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. The sender is the party signing a message rni to be verified by the recipient. The signature is generally performed in the encryption unit 18 and normally defines a secure boundary. The sender could be a'smart card', a terminal or similar device. If for example the signor is a'smart card', it generally has limited processing power. However, the'smart card' is typically used in conjunction with a terminal 22 which has at least some computing power. The 'smart card' is inserted into a terminal 22 which then forwards digital information received from the 'smart card' 12 along the channel 16 to the recipient 14. The terminal may preprocess this information before sending it along the channel 16.
In accordance then with a general embodiment, the sender assembles a data string, which includes amongst others the public key Q of the sender, a message in, the sender's short-term public key R and a signature S of the sender. When assembled the data string is sent over the channel 16 to the intended recipient 18. The signature S is generally comprised of one or more components as will be described below with reference to a specific embodiment and according to a signature scheme being implemented by the data conununication systcrn.
The invention describes in a broad aspect a signature algorithm in which the private key is masked to generate masked signature components which may then be converted to a regular signature prior to the verification of the signature.
Referring to figure 2, it is assumed that E is an elliptic curve defined over Fq, P is point of prime order n in E(FQ), d is the senders private signature key, such that 2SdSn-2, Q=dP is the senders public verification key and m is the message to be signed.
It is further assumed these parameters are stored in memory within a secure boundary as indicated by block 30. For example if the sender is a'smart card', then that would define the secure boundary while for example the tenninal in which the'smart card' was inserted would be outside the secure boundary. The first step is for the sender to sign the message ni. The sender computes a hash value e= H(m) of the message in, where H is typically a hash function. A first statistically uniqtie and unpredictable integer k, the first short term private key, is selected such that 2-:5k S( -2). Next a point (xõy,) = kP is computed.
The field element x, of the point kP is converted to an integer x, and a first signature component r= x, (mod n) is calculated. A second statistically unique and unpredictable integer the second short-temi private key is selected such that 2<t _<(n- 2).
Second and third signature components s= t(e+dr)(mod ) and c = tk (mod n) respectively are also computed as indicated. This generates the masked ECDSA signature having components (r,s,c). This masked ECDSA signature (r, s, c) may be converted to regttlar ECDSA
signature (s, r) by computing s = cs mod n. The ECDSA signature of the sender 12 is then s and r. The signature (s, r) can theii be verified as a normal ECDSA
signature as described below. Thus the sender can either forward the masked ECDSA signature c) to the verifier where the verifier can do the conversion operation to obtain the signature (s, r) prior to the verification operation or the sender can perform the conversion outside the secure boundary, as for example in a tetminal and then forward the DSA
signature (s, r) to the verifier.
Once the recipient has the signature components (s, r), then to verify the signature the recipient calculates a hasli value e = H(m) where H( ) is the hash fimction of the signor and is,known to the verifier of the message ni and then computes ri = s-'e inod n and WO 99/25092 1'CT/CA98/01040 v = s~rmodn . Thus the point (xõy,) = uP + vQ may now be calculated. If (xõy,) is the point at infinity then the signature is rejected. If not however the field eleinent x, is converted to an integer x, . Finally the value r' = x, mod n is calculated. If r' = r the signature is verified. If r' # r then the signature is rejected.
Thus it may be seen that an advantage of the masked ECDSA is that modular inverse operation of the normal ECDSA is avoided for the masked signing operation. As stated earlier this is very useful for some applications with limited computational power.
The masked signature to ECDSA signature conversion operation can be performed outside the secure boundary protecting the private key of the sender. For example if the sender was a'smart card' that communicated with a card reader then this operation could be perfonned in the'smart card' reader. Alternatively the masked signature can be transmitted to the verifier, and the verifier can do the conversion operation prior to the verification operation. It may be noted that in the masked ECDSA, no matter how we choose t, we always have t= cV. Since c is made public, t is not an independent variable.
While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims.
For example in the above description of preferred embodiments, use is made of multiplicative notation, however the method of the subject invention may be equally well described utilizing additive notation. It is well known for example that elliptic curve algorithm embodied in the ECDSA is equivalent of the DSA and that the elliptic curve analog of a discrete log logorithm algorithm that is usually described in a setting of, FP the multiplicative group of the integers modulo a prime. There is a correspondence between the elements and operations of the group FP and the elliptic curve group E(F4).
Furthermore, this signature technique is equally well applicable to functions performed in a field defined over Fo and FZ,. It is also to be noted that the DSA signature scheme described above is a specific instance of the ElGamal generalized signature scheme whicli is known in the art and thus the present techniques are applicable thereto.
The present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements are multiplied in a processor efficient manner. The encryption system can comprise any suitable processor unit such as a suitably programnied general-purpose computer.
means for generatitlg a second short term private key;
means for generating a first signature component using at least the second shoi-t term session key; and generating a masked signature component using the first and second sliort term session keys to produce masked signature components of the message in.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which:-Figure 1 is a schematic representation of a communication system; and Figure 2 is a flow chart showing a signature algorithm according to the present invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Referring therefore to Figure 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12, and a recipient 14, who are connected by a communication channel 16. Each of the correspondents 12,14 includes an encryption unit 18,20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. The sender is the party signing a message rni to be verified by the recipient. The signature is generally performed in the encryption unit 18 and normally defines a secure boundary. The sender could be a'smart card', a terminal or similar device. If for example the signor is a'smart card', it generally has limited processing power. However, the'smart card' is typically used in conjunction with a terminal 22 which has at least some computing power. The 'smart card' is inserted into a terminal 22 which then forwards digital information received from the 'smart card' 12 along the channel 16 to the recipient 14. The terminal may preprocess this information before sending it along the channel 16.
In accordance then with a general embodiment, the sender assembles a data string, which includes amongst others the public key Q of the sender, a message in, the sender's short-term public key R and a signature S of the sender. When assembled the data string is sent over the channel 16 to the intended recipient 18. The signature S is generally comprised of one or more components as will be described below with reference to a specific embodiment and according to a signature scheme being implemented by the data conununication systcrn.
The invention describes in a broad aspect a signature algorithm in which the private key is masked to generate masked signature components which may then be converted to a regular signature prior to the verification of the signature.
Referring to figure 2, it is assumed that E is an elliptic curve defined over Fq, P is point of prime order n in E(FQ), d is the senders private signature key, such that 2SdSn-2, Q=dP is the senders public verification key and m is the message to be signed.
It is further assumed these parameters are stored in memory within a secure boundary as indicated by block 30. For example if the sender is a'smart card', then that would define the secure boundary while for example the tenninal in which the'smart card' was inserted would be outside the secure boundary. The first step is for the sender to sign the message ni. The sender computes a hash value e= H(m) of the message in, where H is typically a hash function. A first statistically uniqtie and unpredictable integer k, the first short term private key, is selected such that 2-:5k S( -2). Next a point (xõy,) = kP is computed.
The field element x, of the point kP is converted to an integer x, and a first signature component r= x, (mod n) is calculated. A second statistically unique and unpredictable integer the second short-temi private key is selected such that 2<t _<(n- 2).
Second and third signature components s= t(e+dr)(mod ) and c = tk (mod n) respectively are also computed as indicated. This generates the masked ECDSA signature having components (r,s,c). This masked ECDSA signature (r, s, c) may be converted to regttlar ECDSA
signature (s, r) by computing s = cs mod n. The ECDSA signature of the sender 12 is then s and r. The signature (s, r) can theii be verified as a normal ECDSA
signature as described below. Thus the sender can either forward the masked ECDSA signature c) to the verifier where the verifier can do the conversion operation to obtain the signature (s, r) prior to the verification operation or the sender can perform the conversion outside the secure boundary, as for example in a tetminal and then forward the DSA
signature (s, r) to the verifier.
Once the recipient has the signature components (s, r), then to verify the signature the recipient calculates a hasli value e = H(m) where H( ) is the hash fimction of the signor and is,known to the verifier of the message ni and then computes ri = s-'e inod n and WO 99/25092 1'CT/CA98/01040 v = s~rmodn . Thus the point (xõy,) = uP + vQ may now be calculated. If (xõy,) is the point at infinity then the signature is rejected. If not however the field eleinent x, is converted to an integer x, . Finally the value r' = x, mod n is calculated. If r' = r the signature is verified. If r' # r then the signature is rejected.
Thus it may be seen that an advantage of the masked ECDSA is that modular inverse operation of the normal ECDSA is avoided for the masked signing operation. As stated earlier this is very useful for some applications with limited computational power.
The masked signature to ECDSA signature conversion operation can be performed outside the secure boundary protecting the private key of the sender. For example if the sender was a'smart card' that communicated with a card reader then this operation could be perfonned in the'smart card' reader. Alternatively the masked signature can be transmitted to the verifier, and the verifier can do the conversion operation prior to the verification operation. It may be noted that in the masked ECDSA, no matter how we choose t, we always have t= cV. Since c is made public, t is not an independent variable.
While the invention has been described in connection with specific embodiments thereof and in specific uses, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention as set forth in the appended claims.
For example in the above description of preferred embodiments, use is made of multiplicative notation, however the method of the subject invention may be equally well described utilizing additive notation. It is well known for example that elliptic curve algorithm embodied in the ECDSA is equivalent of the DSA and that the elliptic curve analog of a discrete log logorithm algorithm that is usually described in a setting of, FP the multiplicative group of the integers modulo a prime. There is a correspondence between the elements and operations of the group FP and the elliptic curve group E(F4).
Furthermore, this signature technique is equally well applicable to functions performed in a field defined over Fo and FZ,. It is also to be noted that the DSA signature scheme described above is a specific instance of the ElGamal generalized signature scheme whicli is known in the art and thus the present techniques are applicable thereto.
The present invention is thus generally concerned with an encryption method and system and particularly an elliptic curve encryption method and system in which finite field elements are multiplied in a processor efficient manner. The encryption system can comprise any suitable processor unit such as a suitably programnied general-purpose computer.
Claims (27)
1. A method of signing and authenticating a message m in a public key data communication system, by a correspondent having a long term private key d, and a corresponding long term public key derived from said long term private key d, comprising the steps of:
in a secure computer system:
(a) generating a first short term private key k;
(b) computing a first short term public key derived from said first short term private key k, (c) computing a first signature component r by using said first short term public key;
(d) generating a second short term private key t;
(e) computing a second signature component s by using said second short term private key t on said message m, said long term private key d, and said first signature component r;
(f) computing a third signature component c using said first and second short term private keys k and t respectively and providing said signature components (r, s, c) as a masked digital signature of said message m to a receiver computer system associated with said secure computer system; and (g) using said second and third signature components (s, c) to compute a regular signature component ~ and providing said signature components (~, r) as a regular digital signature to a receiver verifier computer system to enable said verifier system to verify said regular signature ( ~, r).
in a secure computer system:
(a) generating a first short term private key k;
(b) computing a first short term public key derived from said first short term private key k, (c) computing a first signature component r by using said first short term public key;
(d) generating a second short term private key t;
(e) computing a second signature component s by using said second short term private key t on said message m, said long term private key d, and said first signature component r;
(f) computing a third signature component c using said first and second short term private keys k and t respectively and providing said signature components (r, s, c) as a masked digital signature of said message m to a receiver computer system associated with said secure computer system; and (g) using said second and third signature components (s, c) to compute a regular signature component ~ and providing said signature components (~, r) as a regular digital signature to a receiver verifier computer system to enable said verifier system to verify said regular signature ( ~, r).
2. The method according to claim 1, said first short term private key k is an integer and said first short term public key k is derived by computing the value kP=(x1, y1) wherein P is a point of prime order n in E(F q), wherein E is an elliptic curve defined over F q.
3. The method according to claim 2, said first signature component r having a form defined by r = ~(mod n) wherein ~ is derived by converting said coordinate x1 to an integer ~.
4. The method according to claim 3, said second short term private key t being an integer selected such that 2<= t<= (n-2), and said second signature component s is defined by s = t (e + dr)(mod n), wherein e is a hash of said message m.
21824077.1
21824077.1
5. The method according to claim 4, said third signature component c being defined by c = tk(mod n).
6. The method according to claim 5, said regular signature component ~ being defined by ~ =c-1s mod n.
7. A computer readable medium comprising computer executable instructions for performing the method according to any one of claims 1 to 6.
8. A cryptographic processor at a sender in a data communication system having access to a long term private key d, and a corresponding long term public key derived from said long term private key d, said processor being configured for performing the method according to any one of claims 1 to 6.
9. A method of generating a digital signature S of a message in a data communication system, wherein a signor of the message has a long term private key d and a long term public key y derived from a generator g and said long term private key d, said method comprising the steps of:
(a) generating a short term private key k;
(b) computing a first short term public key derived from said short term private key k, (c) computing a first signature component r by using said first short term public key k, (d) generating a second short term private key t;
(e) computing a second signature component s by using said second short term private key t on said message m, said long term private key d and first signature component r;
(f) computing a third signature component c using said first and second short term private keys k and t respectively; and (g) sending said signature components (r, s, c) as a masked digital signature of said message m to a receiver computer system.
(a) generating a short term private key k;
(b) computing a first short term public key derived from said short term private key k, (c) computing a first signature component r by using said first short term public key k, (d) generating a second short term private key t;
(e) computing a second signature component s by using said second short term private key t on said message m, said long term private key d and first signature component r;
(f) computing a third signature component c using said first and second short term private keys k and t respectively; and (g) sending said signature components (r, s, c) as a masked digital signature of said message m to a receiver computer system.
10. The method according to claim 9 including the step of in said receiver computer system, using said second and third signature components (s, c) computing a regular signature component ~, and sending said signature components ( ~, r) as a regular digital signature to a 21824077.1 verifier computer system, and verifying said regular signature ( ~, r) by said verifier system.
11. The method according to claim 9 including the step of in said receiver system, using said second and third signature components (s, c) to compute a regular signature component ~, to derive a regular digital signature components ( ~, r) and; verifying said regular signature components.
12. A computer readable medium comprising computer executable instructions for performing the method according to any one of claims 9 to 11.
13. A cryptographic processor at a sender in a data communication system having access to a long term private key d and a long term public key y derived from a generator g and said long term private key d, said processor being configured for performing the method according to any one of claims 9 to 11.
14. A processing means for signing a message m without performing inversion operations and including a long term private key contained within a secure boundary and a long term public key derived from said private key and a generator of predetermined order in a field, said processing means comprising:
a generator for generating a first short term private key;
a generator for generating a second short term private key;
a generator for generating a first signature component using at least said second short term private key;
said processor operating to generate a masked signature component using said first and second short term private keys to produce masked signature components of said message m.
a generator for generating a first short term private key;
a generator for generating a second short term private key;
a generator for generating a first signature component using at least said second short term private key;
said processor operating to generate a masked signature component using said first and second short term private keys to produce masked signature components of said message m.
15. The processing means according to claim 14, including a converter to convert said signature components to a regular signature component; and a communication channel for transmitting said regular signature components to a recipient.
16. A method for verifying a signature for a message m in a data communication system established between a sender and a verifier, said sender having generated in a secure computer 21824077.1 system a masked signature having a first signature component r computed using a first short term public key derived from a first short term private key; a second signature component s computed using a second short term private key on said message m, a long term private key, and said first signature component r, and a third signature component c computed using said first and second short term private keys, said method for verifying comprising said verifier:
a) obtaining a regular signature derived from said masked signature (r, s, c), said regular signature having said first signature component r, and another signature component ~
computed using said second signature component s and said third signature component c;
b) recovering a point on an elliptic curve defined over a finite field using said message m and said another signature component s;
c) converting an element of said point to an integer;
d) calculating a value r' using said integer; and e) verifying said regular signature (~, r) if said value r' is equal to said first signature component r.
a) obtaining a regular signature derived from said masked signature (r, s, c), said regular signature having said first signature component r, and another signature component ~
computed using said second signature component s and said third signature component c;
b) recovering a point on an elliptic curve defined over a finite field using said message m and said another signature component s;
c) converting an element of said point to an integer;
d) calculating a value r' using said integer; and e) verifying said regular signature (~, r) if said value r' is equal to said first signature component r.
17. The method according to claim 16 further comprising the step of said verifier receiving said masked signature (r, s, c) from said sender and converting (r, s, c) to obtain said regular signature (~, r).
18. The method according to claim 16 further comprising the step of said sender converting said masked signature (r, s, c) to said regular signature (~, r) and said sender sending said regular signature ( ~, r) to said verifier.
19. The method according to claim 16 wherein said point is calculated using a pair of values u and v, said values u and v derived from said regular signature ( ~, r) and said message m.
20. The method according to claim 19 wherein said point is calculated as (x1, yl) = uP + vQ, wherein P is a point on an elliptic curve E and Q is a public verification key of said sender derived from P as Q = dP.
21. The method according to claim 19 wherein said value u is computed as u = ~-1e mod n and said value v is computed as v = ~-1r mod n, e being a representation of said message m.
22. The method according to claim 21 wherein e is calculated as e = H(m), H( ) being a hash function of said sender and being known to said verifier.
21824077.1
21824077.1
23. The method according to claim 16 wherein a coordinate x1 of said point is first converted to an integer ~1 prior to calculating said component r'.
24. The method according to claim 23 wherein said component r' is calculated as r' = ~1 mod n.
25. The method according to claim 16 wherein prior to calculating said component r', a coordinate pair (x1, y1) of said point is first verified, whereby if said coordinate pair (x1, y1) is a point at infinity, then said regular signature ( ~, r) is rejected.
26. A computer readable medium comprising computer executable instructions for performing the method according to any one of claims 16 to 25.
27. A cryptographic processor at a verifier in a data communication system, said processor being configured to perform the method according to any one of claims 16 to 25.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US08/966,702 US6279110B1 (en) | 1997-11-10 | 1997-11-10 | Masked digital signatures |
| US08-966702 | 1997-11-10 | ||
| PCT/CA1998/001040 WO1999025092A1 (en) | 1997-11-10 | 1998-11-10 | Masked digital signatures |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2308170A1 CA2308170A1 (en) | 1999-05-20 |
| CA2308170C true CA2308170C (en) | 2009-12-22 |
Family
ID=25511765
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002308170A Expired - Lifetime CA2308170C (en) | 1997-11-10 | 1998-11-10 | Masked digital signatures |
Country Status (6)
| Country | Link |
|---|---|
| US (6) | US6279110B1 (en) |
| EP (1) | EP1033009B1 (en) |
| JP (1) | JP4649040B2 (en) |
| AU (1) | AU1017599A (en) |
| CA (1) | CA2308170C (en) |
| WO (1) | WO1999025092A1 (en) |
Families Citing this family (71)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10181953B1 (en) | 2013-09-16 | 2019-01-15 | Amazon Technologies, Inc. | Trusted data verification |
| US6424712B2 (en) * | 1997-10-17 | 2002-07-23 | Certicom Corp. | Accelerated signature verification on an elliptic curve |
| US6279110B1 (en) * | 1997-11-10 | 2001-08-21 | Certicom Corporation | Masked digital signatures |
| AU5457699A (en) * | 1998-06-23 | 2000-01-10 | Microsoft Corporation | A technique for producing privately authenticatable cryptographic signatures and for using such a signature in conjunction with a product copy |
| US6163841A (en) * | 1998-06-23 | 2000-12-19 | Microsoft Corporation | Technique for producing privately authenticatable cryptographic signatures and for authenticating such signatures |
| US7599491B2 (en) * | 1999-01-11 | 2009-10-06 | Certicom Corp. | Method for strengthening the implementation of ECDSA against power analysis |
| US7092523B2 (en) * | 1999-01-11 | 2006-08-15 | Certicom Corp. | Method and apparatus for minimizing differential power attacks on processors |
| US7249259B1 (en) * | 1999-09-07 | 2007-07-24 | Certicom Corp. | Hybrid signature scheme |
| US20020026584A1 (en) * | 2000-06-05 | 2002-02-28 | Janez Skubic | Method for signing documents using a PC and a personal terminal device |
| US7181017B1 (en) * | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
| US9818136B1 (en) | 2003-02-05 | 2017-11-14 | Steven M. Hoffberg | System and method for determining contingent relevance |
| US8261062B2 (en) | 2003-03-27 | 2012-09-04 | Microsoft Corporation | Non-cryptographic addressing |
| WO2005043807A1 (en) * | 2003-10-28 | 2005-05-12 | Certicom Corp. | Method and apparatus for verifiable generation of public keys |
| US20050177715A1 (en) * | 2004-02-09 | 2005-08-11 | Microsoft Corporation | Method and system for managing identities in a peer-to-peer networking environment |
| US7716726B2 (en) * | 2004-02-13 | 2010-05-11 | Microsoft Corporation | System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication |
| US7814543B2 (en) * | 2004-02-13 | 2010-10-12 | Microsoft Corporation | System and method for securing a computer system connected to a network from attacks |
| US7603716B2 (en) * | 2004-02-13 | 2009-10-13 | Microsoft Corporation | Distributed network security service |
| AU2005228061A1 (en) | 2004-04-02 | 2005-10-13 | Research In Motion Limited | Deploying and provisioning wireless handheld devices |
| US7929689B2 (en) | 2004-06-30 | 2011-04-19 | Microsoft Corporation | Call signs |
| US7716727B2 (en) * | 2004-10-29 | 2010-05-11 | Microsoft Corporation | Network security device and method for protecting a computing device in a networked environment |
| US8467535B2 (en) * | 2005-01-18 | 2013-06-18 | Certicom Corp. | Accelerated verification of digital signatures and public keys |
| EP2395424B1 (en) | 2005-01-18 | 2013-07-31 | Certicom Corp. | Accelerated verification of digital signatures and public keys |
| US7720221B2 (en) * | 2005-05-20 | 2010-05-18 | Certicom Corp. | Privacy-enhanced e-passport authentication protocol |
| CA2542556C (en) | 2005-06-03 | 2014-09-16 | Tata Consultancy Services Limited | An authentication system executing an elliptic curve digital signature cryptographic process |
| US8874477B2 (en) | 2005-10-04 | 2014-10-28 | Steven Mark Hoffberg | Multifactorial optimization system and method |
| US20070124584A1 (en) * | 2005-11-30 | 2007-05-31 | Microsoft Corporation | Proving ownership of shared information to a third party |
| US8086842B2 (en) | 2006-04-21 | 2011-12-27 | Microsoft Corporation | Peer-to-peer contact exchange |
| CA2669472C (en) * | 2006-11-13 | 2015-11-24 | Certicom Corp. | Compressed ecdsa signatures |
| US8219820B2 (en) * | 2007-03-07 | 2012-07-10 | Research In Motion Limited | Power analysis countermeasure for the ECMQV key agreement algorithm |
| CN101364869B (en) * | 2007-08-09 | 2012-03-28 | 鸿富锦精密工业(深圳)有限公司 | Electronic document digital checking system and method |
| US8144940B2 (en) * | 2008-08-07 | 2012-03-27 | Clay Von Mueller | System and method for authentication of data |
| FR2937484B1 (en) * | 2008-10-22 | 2011-06-17 | Paycool Int Ltd | DIGITAL SIGNATURE METHOD IN TWO STEPS |
| US9252941B2 (en) * | 2009-11-06 | 2016-02-02 | Nikolajs VOLKOVS | Enhanced digital signatures algorithm method and system utilitzing a secret generator |
| US8775813B2 (en) * | 2010-02-26 | 2014-07-08 | Certicom Corp. | ElGamal signature schemes |
| US9237155B1 (en) | 2010-12-06 | 2016-01-12 | Amazon Technologies, Inc. | Distributed policy enforcement with optimizing policy transformations |
| US8769642B1 (en) | 2011-05-31 | 2014-07-01 | Amazon Technologies, Inc. | Techniques for delegation of access privileges |
| US9203613B2 (en) | 2011-09-29 | 2015-12-01 | Amazon Technologies, Inc. | Techniques for client constructed sessions |
| US9197409B2 (en) | 2011-09-29 | 2015-11-24 | Amazon Technologies, Inc. | Key derivation techniques |
| US9178701B2 (en) | 2011-09-29 | 2015-11-03 | Amazon Technologies, Inc. | Parameter based key derivation |
| US8745376B2 (en) | 2011-10-14 | 2014-06-03 | Certicom Corp. | Verifying implicit certificates and digital signatures |
| FR2982106B1 (en) * | 2011-10-28 | 2014-04-18 | Logiways France | MESSAGE CRYPTOGRAPHIC SIGNATURE METHOD, SIGNATURE VERIFICATION METHOD AND CORRESPONDING SIGNATURE AND VERIFICATION DEVICES |
| US8892865B1 (en) | 2012-03-27 | 2014-11-18 | Amazon Technologies, Inc. | Multiple authority key derivation |
| US9215076B1 (en) * | 2012-03-27 | 2015-12-15 | Amazon Technologies, Inc. | Key generation for hierarchical data access |
| US8739308B1 (en) | 2012-03-27 | 2014-05-27 | Amazon Technologies, Inc. | Source identification for unauthorized copies of content |
| US9258118B1 (en) | 2012-06-25 | 2016-02-09 | Amazon Technologies, Inc. | Decentralized verification in a distributed system |
| US9660972B1 (en) | 2012-06-25 | 2017-05-23 | Amazon Technologies, Inc. | Protection from data security threats |
| DE102013204708A1 (en) * | 2013-03-18 | 2014-09-18 | Siemens Aktiengesellschaft | Arithmetic unit and method for providing a digital signature |
| US9407440B2 (en) | 2013-06-20 | 2016-08-02 | Amazon Technologies, Inc. | Multiple authority data security and access |
| US20150006900A1 (en) * | 2013-06-27 | 2015-01-01 | Infosec Global Inc. | Signature protocol |
| US9521000B1 (en) | 2013-07-17 | 2016-12-13 | Amazon Technologies, Inc. | Complete forward access sessions |
| US9237019B2 (en) | 2013-09-25 | 2016-01-12 | Amazon Technologies, Inc. | Resource locators with keys |
| US9311500B2 (en) | 2013-09-25 | 2016-04-12 | Amazon Technologies, Inc. | Data security using request-supplied keys |
| US10243945B1 (en) | 2013-10-28 | 2019-03-26 | Amazon Technologies, Inc. | Managed identity federation |
| US9420007B1 (en) | 2013-12-04 | 2016-08-16 | Amazon Technologies, Inc. | Access control using impersonization |
| US10135621B2 (en) * | 2013-12-31 | 2018-11-20 | Nxp B.V. | Method to reduce the latency of ECDSA signature generation using precomputation |
| US9374368B1 (en) | 2014-01-07 | 2016-06-21 | Amazon Technologies, Inc. | Distributed passcode verification system |
| US9292711B1 (en) | 2014-01-07 | 2016-03-22 | Amazon Technologies, Inc. | Hardware secret usage limits |
| US9369461B1 (en) | 2014-01-07 | 2016-06-14 | Amazon Technologies, Inc. | Passcode verification using hardware secrets |
| US9262642B1 (en) | 2014-01-13 | 2016-02-16 | Amazon Technologies, Inc. | Adaptive client-aware session security as a service |
| US10771255B1 (en) | 2014-03-25 | 2020-09-08 | Amazon Technologies, Inc. | Authenticated storage operations |
| US9258117B1 (en) | 2014-06-26 | 2016-02-09 | Amazon Technologies, Inc. | Mutual authentication with symmetric secrets and signatures |
| US10326597B1 (en) | 2014-06-27 | 2019-06-18 | Amazon Technologies, Inc. | Dynamic response signing capability in a distributed system |
| US10002256B2 (en) | 2014-12-05 | 2018-06-19 | GeoLang Ltd. | Symbol string matching mechanism |
| US9800418B2 (en) | 2015-05-26 | 2017-10-24 | Infosec Global Inc. | Signature protocol |
| US10122689B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Load balancing with handshake offload |
| US10122692B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Handshake offload |
| US10116440B1 (en) | 2016-08-09 | 2018-10-30 | Amazon Technologies, Inc. | Cryptographic key management for imported cryptographic keys |
| FR3085215B1 (en) * | 2018-08-21 | 2020-11-20 | Maxim Integrated Products | DEVICES AND METHODS FOR MASKING ECC CRYPTOGRAPHY OPERATIONS |
| KR102062377B1 (en) | 2018-12-31 | 2020-01-06 | 주식회사 크립토랩 | Method for encryption digitalsignature to blind signature |
| US11601284B2 (en) * | 2019-06-14 | 2023-03-07 | Planetway Corporation | Digital signature system based on a cloud of dedicated local devices |
| CN110517147B (en) * | 2019-08-30 | 2023-04-14 | 深圳市迅雷网络技术有限公司 | Transaction data processing method, device and system and computer readable storage medium |
Family Cites Families (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5016274A (en) * | 1988-11-08 | 1991-05-14 | Silvio Micali | On-line/off-line digital signing |
| US5271061A (en) | 1991-09-17 | 1993-12-14 | Next Computer, Inc. | Method and apparatus for public key exchange in a cryptographic system |
| US5351302A (en) * | 1993-05-26 | 1994-09-27 | Leighton Frank T | Method for authenticating objects identified by images or other identifying information |
| EP0639907B1 (en) | 1993-08-17 | 1999-12-08 | R3 Security Engineering AG | Digital signature method and key agreement method |
| US5825880A (en) * | 1994-01-13 | 1998-10-20 | Sudia; Frank W. | Multi-step digital signature method and system |
| CA2129203C (en) * | 1994-07-29 | 2010-01-12 | Gordon B. Agnew | Public key cryptography utilizing elliptic curves |
| JP3540477B2 (en) * | 1995-12-13 | 2004-07-07 | 松下電器産業株式会社 | Signature scheme |
| US5999626A (en) | 1996-04-16 | 1999-12-07 | Certicom Corp. | Digital signatures on a smartcard |
| CA2540787C (en) | 1996-04-16 | 2008-09-16 | Certicom Corp. | Digital signatures on a smartcard |
| GB9610154D0 (en) | 1996-05-15 | 1996-07-24 | Certicom Corp | Tool kit protocol |
| CA2228185C (en) | 1997-01-31 | 2007-11-06 | Certicom Corp. | Verification protocol |
| US6279110B1 (en) * | 1997-11-10 | 2001-08-21 | Certicom Corporation | Masked digital signatures |
-
1997
- 1997-11-10 US US08/966,702 patent/US6279110B1/en not_active Expired - Lifetime
-
1998
- 1998-11-10 WO PCT/CA1998/001040 patent/WO1999025092A1/en active Application Filing
- 1998-11-10 EP EP98952478A patent/EP1033009B1/en not_active Revoked
- 1998-11-10 CA CA002308170A patent/CA2308170C/en not_active Expired - Lifetime
- 1998-11-10 AU AU10175/99A patent/AU1017599A/en not_active Abandoned
- 1998-11-10 JP JP2000519973A patent/JP4649040B2/en not_active Expired - Lifetime
-
2001
- 2001-02-02 US US09/773,665 patent/US7260723B2/en not_active Expired - Fee Related
-
2007
- 2007-08-02 US US11/882,560 patent/US7552329B2/en not_active Expired - Fee Related
-
2009
- 2009-06-22 US US12/488,652 patent/US7996676B2/en not_active Expired - Fee Related
-
2011
- 2011-06-29 US US13/172,138 patent/US8359468B2/en not_active Expired - Fee Related
-
2012
- 2012-12-28 US US13/730,440 patent/US8732467B2/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| JP2001523067A (en) | 2001-11-20 |
| US20090319790A1 (en) | 2009-12-24 |
| CA2308170A1 (en) | 1999-05-20 |
| US7552329B2 (en) | 2009-06-23 |
| US20080005570A1 (en) | 2008-01-03 |
| US8732467B2 (en) | 2014-05-20 |
| WO1999025092A1 (en) | 1999-05-20 |
| US8359468B2 (en) | 2013-01-22 |
| AU1017599A (en) | 1999-05-31 |
| EP1033009B1 (en) | 2013-01-16 |
| US7996676B2 (en) | 2011-08-09 |
| US20130145168A1 (en) | 2013-06-06 |
| JP4649040B2 (en) | 2011-03-09 |
| US6279110B1 (en) | 2001-08-21 |
| US20010008013A1 (en) | 2001-07-12 |
| US7260723B2 (en) | 2007-08-21 |
| US20110258455A1 (en) | 2011-10-20 |
| EP1033009A1 (en) | 2000-09-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2308170C (en) | Masked digital signatures | |
| CA2130250C (en) | Digital signature method and key agreement method | |
| US6782100B1 (en) | Accelerated finite field operations on an elliptic curve | |
| US8312283B2 (en) | Accelerated signature verification on an elliptic curve | |
| US9800418B2 (en) | Signature protocol | |
| US20090323944A1 (en) | Method of public key generation | |
| EP0704124A4 (en) | A cryptographic method | |
| EP0874307B1 (en) | Accelerated finite field operations on an elliptic curve | |
| GB2321834A (en) | Cryptographic signature verification using two private keys. | |
| Hwang et al. | An untraceable blind signature scheme | |
| Huang et al. | An efficient convertible authenticated encryption scheme and its variant | |
| US20150006900A1 (en) | Signature protocol | |
| US6499104B1 (en) | Digital signature method | |
| Nayak et al. | An ECDLP based untraceable blind signature scheme | |
| WO2016187689A1 (en) | Signature protocol | |
| CA2306468A1 (en) | Signature verification for elgamal schemes | |
| Boyd | Towards a classification of key agreement protocols | |
| JP4462511B2 (en) | Session parameter generation method for Elgamal-like protocol | |
| CA2892318C (en) | Signature protocol | |
| EP0854603A2 (en) | Generation of session parameters for el gamal-like protocols | |
| Sain et al. | Survey on Digital Signature algorithms |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |
Effective date: 20181113 |