U.S. patent application number 08/953637 was filed with the patent office on 2001-11-29 for accelerated signature verification on an elliptic curve.
Invention is credited to JOHNSON, DONALD B., VANSTONE, SCOTT A.
Application Number: 20010046291 08/953637
Family ID: 25494301
Filed Date: 2001-11-29
United States Patent Application 20010046291, Kind Code A1
VANSTONE, SCOTT A.; et al.
November 29, 2001
ACCELERATED SIGNATURE VERIFICATION ON AN ELLIPTIC CURVE
Abstract
A public key encryption system exchanges information between a
pair of correspondents. The recipient performs computations on the
received data to recover the transmitted data or verify the
identity of the sender. The data transferred includes supplementary
information that relates to intermediate steps in the computations
performed by the recipient.
Inventors: VANSTONE, SCOTT A. (WATERLOO, CA); JOHNSON, DONALD B. (MANASSAS, VA)
Correspondence Address: FINNEGAN, HENDERSON, FARABOW, GARRETT & DUNNER LLP, 1300 I STREET, NW, WASHINGTON, DC 20005, US
Family ID: 25494301
Appl. No.: 08/953637
Filed: October 17, 1997
Current U.S. Class: 380/28
Current CPC Class: H04L 9/0838 20130101; G06F 7/725 20130101; H04L 9/3066 20130101; H04L 9/3247 20130101; H04L 9/32 20130101
Class at Publication: 380/28
International Class: H04K 001/00; H04L 009/00
Claims
The embodiments of the invention in which an exclusive property or
privilege is claimed are defined as follows:
1. A method of transferring data over a communication channel
between a pair of correspondents who perform respective ones of a
pair of complementary mathematical operations upon information
transferred between said correspondents, said method comprising the
steps of: a) assembling at one of said correspondents a data string
including information to be transferred to the other of said
correspondents; b) incorporating in said data string additional
information supplementary to that necessary for said other
correspondent to perform said complementary mathematical operation
and relating to the computation of intermediate steps involved in
the performance of said complementary mathematical operation; c)
performing one of said complementary mathematical operations upon
at least a portion of said data string; d) forwarding said data
string over said communication channel to said other correspondent;
and e) performing the other of said complementary mathematical
operations at said other correspondent with said additional
information being available to facilitate the computation of
intermediate steps involved in said complementary mathematical
operation.
2. A method according to claim 1 wherein said complementary
mathematical operations are public key data exchange operations
utilizing a public key and a private key of one of said
correspondents.
3. A method according to claim 2 wherein said one complementary
mathematical operation utilizes a public key of said other
correspondent to provide a digital signature of at least said
portion of said data string.
4. A method according to claim 1 wherein said complementary
mathematical operations utilize characteristics of the group of
points on an elliptic curve over a finite field.
5. A method according to claim 4 wherein said additional
information includes data pertaining to coordinates of points on
said curve.
6. A method according to claim 5 wherein said additional
information includes data pertaining to coordinates of points on
said curve obtained by successive doubling of a designated point on
said curve.
7. A method according to claim 6 wherein said additional
information includes an indication as to which of a pair of
possible values resulting from said intermediate steps is an
intended value.
8. A method according to claim 6 wherein said additional
information includes a coordinate of each of said points.
9. A method according to claim 6 wherein said additional
information includes a pair of coordinates of each of said
points.
10. A method according to claim 4 wherein one of said intermediate
steps includes obtaining projective coordinates of points on said
curve resulting from successive doubling of a designated point.
11. A method according to claim 10 including the step of converting
a projective coordinate of at least one of said points to a
corresponding affine coordinate and utilizing said additional
information to determine the other affine coordinate of said one
point therefrom.
12. A method according to claim 11 wherein said additional
information includes an indication as to which of a pair of
possible values of said other affine coordinate is an intended
value.
13. A method according to claim 4 wherein said complementary
mathematical operation requires the computation of a point on the
curve that is an integral multiple of a designated point, said
method including the steps of representing said integer as a t bit
binary string, arranging said binary string as a k by k/t combing
table, including in said additional information the points
resulting from each possible combination of bits in columns in said
combing table, selecting the points corresponding to the
combination of bits in respective columns of said table and
subsequently combining the selected points to obtain the
coordinates of said point.
14. A method according to claim 13 wherein said selected points are
combined by a) doubling a point; b) adding the doubled point to the
next selected point; c) doubling the resultant point; and d)
repeating steps b) and c) until a single point representing the
integral multiple of the designated point is obtained.
15. The method of claim 14 wherein said additional information
includes data pertaining to coordinates of the points obtained from
doubling and adding the selected points.
Description
[0001] The present invention relates to public key data
communication systems.
BACKGROUND OF THE INVENTION
[0002] Public key data communication systems are used to transfer
information between a pair of correspondents. At least part of the
information exchanged is enciphered by a predetermined mathematical
operation by the sender and the recipient may perform a
complementary mathematical operation to decipher the
information.
[0003] A typical example of such a system is a digital signature
protocol. Digital signatures are used to confirm that a message has
been sent by a particular party and that the contents have not been
altered during transmission.
[0004] A widely used set of signature protocols utilizes the El
Gamal public key signature scheme that signs a message with the
sender's private key. The recipient may then recover the message
with the sender's public key.
[0005] Various protocols exist for implementing such a scheme and
some have been widely used. In each case however the recipient is
required to perform a computation to verify the signature. Where
the recipient has adequate computing power this does not present a
particular problem but where the recipient has limited computing
power, such as in a "Smart card" application, the computations may
introduce delays in the verification process.
[0006] Public key schemes may be implemented using one of a number
of multiplicative groups in which the discrete log problem appears
intractable but a particularly robust implementation is that
utilizing the characteristics of points on an elliptic curve over a
finite field. This implementation has the advantage that the
requisite security can be obtained with relatively small orders of
field compared with, for example, implementations in Z_p^* and
therefore reduces the bandwidth required for communicating the
signatures.
[0007] In a typical implementation a signature component s has the
form:
s=ae+k(mod n)
[0008] where:
[0009] P is a point on the curve which is a predefined parameter of
the system
[0010] k is a random integer selected as a short term private or
session key, and has a corresponding short term public key R=kP
[0011] a is the long term private key of the sender and has a
corresponding public key aP=Q
[0012] e is a secure hash, such as the SHA hash function, of a
message m and short term public key R, and
[0013] n is the order of the curve.
[0014] The sender sends to the recipient a message including m, s,
and R and the signature is verified by computing the value -(sP-eQ)
which should correspond to R. If the computed values correspond
then the signature is verified.
[0015] In order to perform the verification it is necessary to
compute a number of point multiplications to obtain sP and eQ, each
of which is computationally complex. Other protocols, such as the
MQV protocols require similar computations when implemented over
elliptic curves which may result in slow verification when the
computing power is limited.
[0016] Typically, the underlying curve has the form
$$y^2 + xy = x^3 + ax + b$$
and the addition of two points having coordinates $(x_1, y_1)$ and
$(x_2, y_2)$ results in a point $(x_3, y_3)$ where, for $P \neq Q$:
$$x_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)^2 + \frac{y_1 + y_2}{x_1 + x_2} + x_1 + x_2 + a$$
$$y_3 = \left(\frac{y_1 + y_2}{x_1 + x_2}\right)(x_1 + x_3) + x_3 + y_1$$
[0017] The doubling of a point, i.e. P to 2P, is performed by adding
the point to itself so that
$$x_3 = x_1^2 + \frac{b}{x_1^2}, \qquad y_3 = x_1^2 + \left(x_1 + \frac{y_1}{x_1}\right)x_3 + x_3$$
[0018] It will be appreciated that successive doubling of the point
Q produces values for 2Q, 2^2 Q, 2^3 Q, ..., 2^j Q and that
these values may be substituted in the binary representation of the
hash value e and added using the above equations to provide the
value eQ. At most this would require t doublings and t point
additions for a t bit representation of e. Similarly the point P
may be doubled successively and the values substituted in the
representation of s to obtain sP. However, the generation of each
of the doubled points requires the computation of both the x and y
coordinates and the latter requires a further inversion. These
steps are computationally complex and therefore require either
significant time or computing power to perform. Substitution in the
underlying curve to determine the value of y is not practical as
two possible values for y will be obtained without knowing which is
intended.
[0019] It is therefore an object of the present invention to
provide a method and apparatus in which the above disadvantages are
obviated or mitigated.
SUMMARY OF THE INVENTION
[0020] In general terms, the present invention provides a method
and apparatus in which the transmitted data string is modified to
include information additional to that necessary to perform the
verification but that may be used to facilitate the computations
involved in the verification.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] Embodiments of the present invention will now be described
by way of example only with reference to the accompanying drawings,
in which
[0022] FIG. 1 is a schematic representation of a communication
system;
[0023] FIG. 2 is a representation of the data transmitted over the
communication system in a first embodiment;
[0024] FIG. 3 is a flow chart showing the steps in verifying a
signature transmitted over the system of FIG. 1 using the data
format of FIG. 2;
[0025] FIG. 4 is a flow chart showing the verification according to
a second embodiment;
[0026] FIG. 5 is a representation of the data transmitted over the
communication system in a third embodiment; and
[0027] FIG. 6 is a flow chart showing the steps of verifying the
signature using the data format of FIG. 5.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0028] Referring therefore to FIG. 1, a data communication system
10 includes a pair of correspondents, designated as a sender 12, and
a recipient 14, who are connected by a communication channel 16.
Each of the correspondents 12,14 includes an encryption unit 18,20
respectively that may process digital information and prepare it
for transmission through the channel 16 as will be described below.
Each of the correspondents 12,14 also includes a computational unit
19,21 respectively to perform mathematical computations related to
the encryption units 18,20. The computational power of the units
19,21 will vary according to the nature of the correspondents 12,14
but for the purpose of the present disclosure, it will be assumed
that the unit 19 has greater power than that of unit 21, which may
in fact be a Smart card or the like.
[0029] In accordance with a first embodiment, the sender 12
assembles a data string 22 shown schematically in FIG. 2. The data
string 22 includes a certificate 24 from the certifying authority
C_A that includes an identifier I.D. of the sender; a time
stamp T; the public key Q of the sender; a string of bits y'
representing supplementary information; the signature component
S_auth of the certifying authority; and the short term public
key R_auth of the certifying authority. The data string 22 also
includes a sender's certificate 26 that includes the message m, the
sender's short term public key R and the signature component s of
the sender. The string of bits y' included in the certificate 24 is
obtained from the computational unit 19. The unit 19 performs at
least part of the mathematical operations required to verify the
signature at the recipient 14 and extracts from the computations
the supplementary information y'. When assembled, the data
string 22 is sent over the channel 16 to the intended recipient
18.
[0030] For simplicity it will be assumed that the signature
component s of the sender 12 is of the form s=ae+k (mod n) as
discussed above, although it will be understood that other
signature protocols may be used. To verify the signature, sP-eQ
must be computed and compared with R.
[0031] The certifying authority's signature component s_auth is
of similar form with its message m composed of the identifier I.D.,
time T and the sign bits y'.
[0032] The first step in the verification by the recipient 14 is to
retrieve the value of Q and the sign bits y' from the certificate
24 using the certifying authority's public key. A hash value e' is
also computed from the message m and the coordinates of the point R
in the sender's certificate 26. The recipient 14 is then able to
perform the verification by computing sP and e'Q. However, as noted
above, the computational unit 21 has limited computing power and
the computation of sP and e'Q may be time-consuming.
[0033] One or more of a number of enhancements are therefore
adopted to facilitate the verification. In a first embodiment, use
is made of the fact that P is a long-term system parameter. Values
corresponding to integral multiples of P may be stored at the
recipient 14 in lookup tables indicated at 28 in FIG. 1. The
integer corresponding to s is thus located in table 28 and the
value sP retrieved to provide a first component of the
verification.
[0034] The value of Q will vary from sender to sender and
accordingly it is not practical to pre-compute the possible values
of e'Q in a manner similar to sP. To facilitate the computation of
e'Q, e' is treated as a binary representation of an integer with
each bit indicative of a coefficient of successive values of
2^j. The computational unit 19 at sender 12 is used to double
successively the point Q so that the coordinates of 2^j Q are
obtained. The most significant bit of the y coordinate indicates
the "sign" of the y coordinate and a string of bits representing
the signs of the y coordinates of the successively doubled points
is incorporated as the supplementary information y' in the
certificate 24. To compute the value of e'Q at the recipient 14,
the x coordinate of the point Q is successively doubled by applying
the equation noted above so that the x coordinates of successive
values of 2^j Q are obtained. Where the binary representation of
e' indicates that a value of 2^j Q is required (i.e. where the
coefficient is "1"), the corresponding value of the y coordinate is
determined by substitution in the underlying curve. Two possible
values of the y coordinate are obtained and the appropriate value
is determined by reference to the sign bits y' retrieved from the
certificate 24. Accordingly, the computation of the y coordinate
that requires an inversion is avoided.
[0035] Having obtained each pair of coordinates for the
coefficients of 2^j Q, they may be combined to provide the value
for e'Q and combined with sP to obtain sP-e'Q. This is then
compared with the recovered value of R for verification.
[0036] It will be appreciated that sP may be computed in a manner
similar to e'Q with the inclusion of additional sign bits for the y
coordinates of 2^j P in the certificate 24. It is, however,
believed to be preferable to utilize the lookup tables 28 where
practical.
[0037] Although the above procedure reduces the computational
complexities, the computation of the x coordinate still requires an
inversion. Inversion is relatively costly and to facilitate the
computation, the process of FIG. 3 is modified as shown in FIG. 4.
Upon receipt of the data string 22, the recipient 14 recovers the
affine coordinates (x, y) of the point Q and converts them into
projective coordinates (x, y, z) by replacing x with x/z and y with
y/z.
[0038] The value of the x and z coordinates of the point 2Q can
then be calculated using the relationship
$2(x_1, y_1, z_1) = (x_2, y_2, z_2)$ where
$$x_2 = x_1^4 + b\,z_1^4 \quad \text{and} \quad z_2 = (x_1 z_1)^2$$
[0039] "b" is the constant associated with the underlying curve and
can be chosen suitably small, i.e. one word.
[0040] Once the x and z values for 2Q have been computed, they may
be used in a similar manner to obtain the values of x and z for 4Q.
This may be repeated up to 2^t Q so that the t sets of
projective coordinates each representing the x and z coordinates of
a respective one of 2^j Q, 0 ≤ j ≤ t, are obtained.
[0041] Each of the projective x coordinates is converted into a
corresponding affine coordinate by dividing the x coordinate by the
z coordinate. The x coordinate of the respective values of 2^j Q
can then be used where necessary in the representation of e' to
obtain the corresponding y coordinates by substitution in the
equation representing the underlying curve. The corresponding y
value is obtained by inspection of the sign bits y' included in the
data string 22 which indicates the appropriate value.
[0042] With each of the coordinates obtained, the values for
2^j Q can be substituted in the binary representation of e and
the resultant value of eQ obtained. As the representation of e will
be a string of 1's and 0's, only those values having a coefficient
of 1 need be combined to simplify the computation further. The
result may then be combined with the value of sP and compared with
the retrieved value of R to obtain a verification.
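The following Python is an added illustration of paragraphs [0034] to [0042], not code from the patent: the sender doubles Q with full arithmetic and emits one bit per 2^j Q, and the recipient rebuilds eQ from the x coordinate of Q alone with the projective x-only doubling above, recovering each needed y from the curve equation and that bit. It assumes a constructed curve y^2 + xy = x^3 + 1 over GF(2^7) (a = 0, so the curve form and the page's formulas coincide) and takes the "sign" as the low bit of y/x rather than the most significant bit of y, because y and the other root y + x always differ in that bit.

```python
# Added example, not the patent's own code: sign bits + x-only doubling on a constructed curve.
M = 7                     # field GF(2^M); M odd, so the half-trace solves z^2 + z = c
POLY = (1 << M) | 0b11    # reduction polynomial x^7 + x + 1, irreducible over GF(2)
B = 1                     # y^2 + xy = x^3 + 1 (Koblitz curve E_0; 116 points over GF(2^7)); a = 0

def fmul(u, v):           # carry-less multiplication modulo POLY
    r = 0
    while v:
        r ^= u if v & 1 else 0
        v, u = v >> 1, u << 1
        u ^= POLY if u >> M else 0
    return r
def fpow(u, n):
    r = 1
    while n:
        r = fmul(r, u) if n & 1 else r
        u, n = fmul(u, u), n >> 1
    return r
def finv(u): return fpow(u, (1 << M) - 2)   # u^(2^M - 2) = 1/u: the costly inversion

def half_trace(c):        # H(c) with H(c)^2 + H(c) = c whenever z^2 + z = c is solvable
    h = 0
    for i in range((M + 1) // 2):
        h ^= fpow(c, 1 << (2 * i))
    return h

def add(P, Q):            # affine add/double with the page's formulas (a = 0); None = infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:
            return None                       # Q = -P, or P is the 2-torsion point
        lam = x1 ^ fmul(y1, finv(x1))         # doubling: lam = x1 + y1/x1
        x3 = fmul(lam, lam) ^ lam             # x3 = lam^2 + lam = x1^2 + b/x1^2
    else:
        lam = fmul(y1 ^ y2, finv(x1 ^ x2))    # lam = (y1 + y2)/(x1 + x2)
        x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1) # y3 = lam(x1 + x3) + x3 + y1

def mul(k, P):            # reference double-and-add, every step with inverting arithmetic
    R = None
    while k:
        R = add(R, P) if k & 1 else R
        P, k = add(P, P), k >> 1
    return R

def find_point(t):        # constructed Q: first x with a root y such that 2^j Q, j <= t, is finite
    for x in range(1, 1 << M):
        c = x ^ fmul(B, finv(fmul(x, x)))     # with y = x*z the curve reads z^2 + z = c
        z = half_trace(c)
        Q = (x, fmul(x, z))
        if fmul(z, z) ^ z == c and mul(1 << (t + 1), Q) is not None:
            return Q

def sender_sign_bits(Q, t):   # unit 19: full doublings; one bit per 2^j Q travels as y'
    bits, P = [], Q           # assumed 'sign': low bit of y/x, where y and y + x always differ
    for _ in range(t):
        bits.append(fmul(P[1], finv(P[0])) & 1)
        P = add(P, P)
    return bits
def recipient_eQ(Q, bits, e): # unit 21: X2 = X1^4 + b*Z1^4, Z2 = (X1*Z1)^2, no inversion per step
    X, Z, acc = Q[0], 1, None
    for j in range(e.bit_length()):
        if (e >> j) & 1:                      # only the 2^j Q that e actually uses
            x = fmul(X, finv(Z))              # affine x of 2^j Q (one inversion)
            z = half_trace(x ^ fmul(B, finv(fmul(x, x))))
            z ^= int((z & 1) != bits[j])      # the sign bit picks y = x*z over y + x
            acc = add(acc, (x, fmul(x, z)))
        X, Z = fpow(X, 4) ^ fmul(B, fpow(Z, 4)), fmul(fmul(X, Z), fmul(X, Z))
    return acc

def demo(e=0b1011001, t=M):   # True when the sign-bit route reproduces eQ the slow way
    Q = find_point(t)
    return recipient_eQ(Q, sender_sign_bits(Q, t), e) == mul(e, Q)
```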
[0043] It will be seen, therefore, that a verification is obtained
without requiring an inversion at each addition to obtain the
successive x coordinates, which facilitates the verification
process. The computation of the values of 2^j Q can be readily
obtained if the elliptic curve is implemented over the field GF2
when represented in normal basis representation. In this case, the
computation of x_1^4 and z_1^4 is obtained by two
cyclic shifts of the representation of the respective coordinates.
After multiplying with "b", the result is XOR'd to obtain the value
of the resultant x coordinate. Similarly, the value of the z
coordinate can be obtained from a cyclic shift of the product of
x_1 and z_1.
[0044] The above procedure may be modified with an increase in
bandwidth by forwarding in the certificate the x coordinate of Q
and each of the y coordinates of 2^j Q. Some of these will of
course be redundant depending on the representation of e'. However,
in this manner the computation of the y coordinates is avoided but
the length of the message is increased. This may be acceptable,
particularly where limited computing power is available at the
recipient.
[0045] As a further variant, the message could be modified to
include both the x and y coordinates for each value of 2^j Q
with the attendant redundancy. This has the effect of minimizing
the computation of eQ but does increase the message length.
[0046] A further embodiment is shown in FIGS. 5 and 6 where combing
is used to facilitate the computation of eQ. If e is a t bit binary
number, it may be represented as a k-fold matrix having k columns
and t/k rows. If the sum of each column is $V_1, V_2, V_3, \ldots, V_k$, then
$$e = V_1 + 2V_2 + 2^2 V_3 + \ldots + 2^{k-1} V_{k-1} + 2^k V_k, \quad \text{and}$$
$$eQ = V_1 Q + 2V_2 Q + 2^2 V_3 Q + \ldots + 2^{k-1} V_{k-1} Q + 2^k V_k Q$$
[0047] Each of the columns may have one of 2^{t/k} combinations
of bits. Each combination will produce a particular value
Σ_1, Σ_2, Σ_3 etc. for V which has to
be multiplied by the point Q to obtain the coordinates of the point
2^j V_j Q. The certificate 24 is thus modified to include in
an ordered, retrievable manner the coordinates of the 2^{t/k}
possible points resulting from the combination of bits in the
columns, which have been pre-computed by the sender 12. Upon
receipt, the recipient 14 extracts the message m and point R to
obtain a recovered value for e. This bit string is arranged in a
k-fold matrix of established configuration and the bit combination
of the most significant column determined. The coordinates of the
point resulting from this combination are obtained from the
certificate 24, and doubled. The point corresponding to the bit
combination in the next most significant column is retrieved and
added to the result of the previous doubling. This is then doubled
and the procedure repeated until e'Q is computed. In this way a
reduced number of point additions is required, a maximum of 2k,
and the bandwidth required to transmit the information is reduced.
The sign bit string y' may be utilized to provide the sign bits of
the y coordinates of the doubled points and added points to
facilitate the computation.
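An added example (not the patent's) of the comb layout of paragraphs [0046] and [0047]: the sender's table of one point per column bit pattern, the arrangement of e into k columns of t/k rows, and the recipient's most-significant-column-first double-and-add. The group is a constructed stand-in, integers modulo N under addition with "doubling" as multiplication by 2, so only the column bookkeeping and the operation count are demonstrated, not the curve arithmetic.

```python
# Added example, not the patent's code: the comb of [0046]-[0047] over a stand-in group.
N = 1000003                 # constructed stand-in for the group order
Q = 123457                  # constructed stand-in for the point Q (group element = integer mod N)

def comb_table(Q, rows, k):
    """Sender side: for every bit pattern c of one column (rows bits), the point
    (sum_r c_r * 2^(r*k)) * Q.  2^rows entries, shared by all k columns."""
    table = []
    for c in range(1 << rows):
        v = sum(((c >> r) & 1) << (r * k) for r in range(rows))
        table.append(v * Q % N)
    return table

def columns(e, t, k):
    """Arrange the t-bit e as k columns of t/k rows: column j holds bits j, j+k, j+2k, ...
    Returns each column's bit pattern, which indexes comb_table directly."""
    rows = t // k
    return [sum(((e >> (r * k + j)) & 1) << r for r in range(rows)) for j in range(k)]

def comb_multiply(e, table, t, k):
    """Recipient side: start from the most significant column, then double and add
    once per remaining column (at most 2k group operations).
    Returns (eQ, number of doublings, number of additions)."""
    cols = columns(e, t, k)
    acc, dbl, adds = table[cols[k - 1]], 0, 0
    for j in range(k - 2, -1, -1):
        acc = 2 * acc % N                     # "doubling" in the stand-in group
        dbl += 1
        acc = (acc + table[cols[j]]) % N      # add the precomputed column point
        adds += 1
    return acc, dbl, adds

def demo(e=0xB7A3, t=16, k=4):
    """(True, doublings, additions) when the comb result equals e*Q computed directly."""
    eq, d, a = comb_multiply(e, comb_table(Q, t // k, k), t, k)
    return eq == e * Q % N, d, a
```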
[0048] In each of the above cases, the data string 22 includes
additional information that may be utilized to facilitate the
computation of the value eQ. In each case however the integrity of
the signature is not compromised as the information could be
computed from the contents of the data string as part of the
verification process. The value of e with which the information is
subsequently used is derived from the received data string so that
tampering with the sender's certificate would produce an incorrect
verification. The additional information is contained within the
certifying authority's certificate and forms part of the signature
component, so that it cannot be substituted by an attacker
without detection.
[0049] It will be seen therefore that in each embodiment the
verification of a signature is facilitated by forwarding
information to the recipient in addition to that required for
verification and which facilitates the verification computation. It
will be appreciated that while the embodiments describe the
operation between a pair of correspondents, one of those
correspondents could be a certifying authority or trusted
intermediary. The CA receives a message from an originating
correspondent, computes the supplementary information, assembles
the data string and forwards the data string to the recipient. In
this manner, the public key exchange between a pair of
correspondents each having limited computing power may be
facilitated.
[0050] The above embodiments have been described in the context of
a signature verification protocol. However, the techniques may be
utilized on other public key operations such as key agreement or
key transport protocols. Examples of these protocols are the MQV
protocols or protocols set out in IEEE P 21363 draft standard. In
such protocols, it is typically necessary to generate a scaled
multiple of a point on the curve, i.e. kP where k is an integer and
P is a point on the curve. Accordingly, the information transferred
between correspondents may be modified to include supplementary
information to facilitate the computations involved in such
protocols.
* * * * *