U.S. patent application number 12/135865 was filed with the patent office on 2008-12-18 for digital signature on a smartcard.
Invention is credited to Alfred Menezes, Scott A. VANSTONE.
Application Number: 20080310625 12/135865
Document ID: /
Family ID: 24537188
Filed Date: 2008-12-18
United States Patent Application 20080310625, Kind Code A1
VANSTONE; Scott A.; et al.
December 18, 2008
DIGITAL SIGNATURE ON A SMARTCARD
Abstract
A digital signature scheme for a "smart" card utilizes a set of
prestored signing elements and combines pairs of the elements to
produce a new session pair. The combination of the elements is
performed partly on the card and partly on the associated
transaction device so that the exchange of information between card
and device does not disclose the identity of the signing elements.
The signing elements are selected in a deterministic but
unpredictable manner so that each pair of elements is used once.
Further signing pairs are generated by implementing the signing
over an anomalous elliptic curve encryption scheme and applying a
Frobenius Operator to the normal basis representation of one of the
elements.
Inventors: VANSTONE; Scott A.; (Campbellville, CA); Menezes; Alfred; (Waterloo, CA)
Correspondence Address: John R.S. Orange; Blake, Cassels & Graydon, LLP; Box 25, Commerce Court West, 199 Bay Street; Toronto, ON M5L 1A9, CA
Family ID: 24537188
Appl. No.: 12/135865
Filed: June 9, 2008
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number | Child Application
11563017 | Nov 23, 2006 | | 12135865
10765976 | Jan 29, 2004 | | 11563017
09942492 | Aug 29, 2001 | 6704870 | 10765976
09434247 | Nov 5, 1999 | 6925564 | 09942492
08632845 | Apr 16, 1996 | 5999626 | 09434247
Current U.S. Class: 380/30
Current CPC Class: H04L 9/3247 20130101; G06Q 20/40975 20130101; G07F 7/082 20130101; G06Q 20/341 20130101; H04L 9/3066 20130101; G07F 7/1008 20130101; H04L 2209/56 20130101; G06F 7/725 20130101
Class at Publication: 380/30
International Class: H04L 9/30 20060101 H04L009/30
Claims
1. A method of generating a signature implemented over an elliptic
curve public key encryption scheme utilizing information maintained
secret in one computing device comprising the steps of: i)
initiating the computation of a coordinate of a point on the elliptic
curve from a pair of other points on said curve by performing on
said one device an initial set of sufficient steps in the
computation to inhibit recognition of information pertaining to the
identity of said other points; ii) transferring to another
computing device remote from the one device the results of said
steps; iii) performing at least such additional steps in said
computation at said other device to permit the completion of said
computation at said one device; and iv) transferring the result of
said additional steps to said one device for incorporation in said
signature.
2. A method according to claim 1 wherein said initial steps
include a field operation to combine information from each of said
other points.
3. A method according to claim 2 wherein said combined information
is utilized in said additional steps.
4. A method according to claim 3 wherein said field operation
includes the summation of the information representing one
coordinate of each of said other points and the summation of the
information representing the other coordinate of each of the other
points.
5. A method according to claim 1 wherein said additional steps
complete said computation.
6. A method according to claim 4 wherein said information
representing the summation of said coordinates is transferred from
said one device to said other device.
7. A method according to claim 4 wherein said elliptic curve is
over the finite field 2.sup.m and represents said coordinates in a
normal basis in said field.
8. A method according to claim 7 wherein said additional steps
includes cyclically shifting said information representing the
summation of said coordinates.
9. A method according to claim 1 wherein said computation generates
a single coordinate of said point, said single coordinate being
utilized in said signing.
10. A method of deriving a coordinate of a point on an anomalous
elliptic curve over the field GF2.sup.m for utilization in a public
key encryption scheme implemented on said curve, said method
comprising the steps of: i) storing a normal basis representation
of each of a set of coordinates of points on said curve; ii)
retrieving said normal basis representation of a coordinate of one
of said points; iii) performing an i-fold cyclic shift on said
retrieved normal basis representation of said one coordinate; and
iv) utilizing the resultant representation as a coordinate of a
further point on the curve resulting from an i-fold application of
the Frobenius Operation to said one point.
11. A method according to claim 10 wherein each of said set of
coordinates represents a point on the curve that is an integer
multiple k, of a starting point P, and the i-fold application of the
Frobenius Operation to said starting point P produces a new point
O.sup.iP where O.sup.iP=.lamda..sup.iP said method including the
step of determining the integer k' associated with said
further point by computing k.lamda..sup.i.
12. A method of generating a session pair k,kP for use in a digital
signature performed on an anomalous elliptic curve in the field
GF2.sup.m where kP is a point on said curve resulting from the k
fold addition of a starting point P where k is an integer, said
method comprising the steps of: i) storing a set of initial values
of k and kP, as a normal basis representation in the field
GF2.sup.m; ii) selecting a coordinate of one of said points kP in
said set of initial values; iii) performing an i-fold cyclic shift
on said coordinate to obtain a normal basis representation of the
coordinate after an i-fold application of a Frobenius Operation;
iv) selecting the integer k associated with said one of said
points; v) computing an integer value .lamda..sup.ik where .lamda.
defines the relationship between the start point P and a point OP
and O indicates a Frobenius Operation; vi) utilizing the result
representation of the coordinate and the value .lamda..sup.ik as a
session pair in a digital signature r,s where r is derived from the
representation of a coordinate of a point on the curve and s is
derived from the integer value associated with such point, the
message to be signed and r.
13. A method of generating signature components for use in a
digital signature scheme, said signature components including
private information and a public key derived from said private
information, said method comprising the steps of storing private
information and related public key as an element in a set of such
elements, cycling in a deterministic but unpredictable manner
through said set to select at least one element of said set without
repetition and utilizing said one element to derive a signature
component in said digital signature scheme.
14. A method according to claim 13 wherein a pair of said elements
are selected from said set and said pair of elements combined to
provide said signature components.
15. A method according to claim 14 wherein one of said selected pair
of elements is operated upon to produce private information and a
public key derived from said one element prior to combination with
the other of said elements.
16. A method according to claim 15 wherein a computation to combine
said elements is initiated on one computing device and sufficient
steps of said computation are performed on said one device to
inhibit recognition of information in said elements and subsequent
steps are performed on another computing device after transfer of a
partially completed computation thereto.
17. A method according to claim 14 wherein said pairs of elements
are selected by generating a pair of indices indicating respective
locations of said elements in said set.
18. A method according to claim 17 wherein said indices are
obtained from an ordered array arranged to provide each possible
combination of indices.
19. A method according to claim 18 wherein said indices are
selected from a counter that increments with each signature.
20. A method according to claim 19 wherein output from said counter
is modified to provide a non-sequential selection of said indices.
Description
[0001] This application is a continuation of U.S. patent
application Ser. No. 11/563,017 filed on Nov. 23, 2006 which is a
continuation of U.S. patent application Ser. No. 10/765,976 filed
on Jan. 29, 2004 which is division of U.S. patent application Ser.
No. 09/942,492 filed on Aug. 29, 2001, now U.S. Pat. No. 6,704,870
which is a continuation of U.S. patent application Ser. No.
09/434,247 filed on Nov. 5, 1999, now U.S. Pat. No. 6,925,564 which
is a Continuation-in-Part of U.S. patent application Ser. No.
08/632,845 filed on Apr. 16, 1996, now U.S. Pat. No. 5,999,626.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The present invention relates to methods and apparatus for
generating digital signatures.
[0004] 2. Discussion of Related Art
[0005] It has become widely accepted to conduct transactions, such
as financial transactions or exchange of documents, electronically.
In order to verify the transaction, it is also well known to "sign"
the transaction digitally so that the authenticity of the
transaction can be verified. The signature is performed according
to a protocol that utilizes the message, i.e. the transaction, and
a secret key associated with the party. The recipient can verify the
signature using a public key of the signing party to recover the
message and compare it with the transmitted message. Any attempt to
tamper with the message or to use a key other than that of the
signing party will result in an incompatibility between the sent
message and that recovered from the signature or will fail to
identify the party correctly and thereby lead to rejection of the
transaction.
[0006] The signature must be performed such that the signing
party's secret key cannot be determined. To avoid the complexity of
distributing secret keys, it is convenient to utilize a public key
encryption scheme in the generation of the signature. Such
capabilities are available where the transaction is conducted
between parties having access to relatively large computing
resources but it is equally important to facilitate such
transactions at an individual level where more limited computing
resources are available.
[0007] Automated teller machines (ATMs) and credit cards are widely
used for personal transactions and as their use expands, so the
need to verify such transactions increases. Transaction cards, i.e.
credit/debit cards or pass cards are now available with limited
computing capacity (so-called "Smart Cards") but these do not have
sufficient computing capacity to implement existing digital
signature protocols in a commercially viable manner.
[0008] As noted above, in order to generate a digital signature, it
is necessary to utilize a public key encryption scheme. Most public
key schemes are based on the Diffie-Hellman public key protocol and
a particularly popular implementation is that known as DSS. The DSS
scheme utilizes the set of integers Zp where p is a large prime.
For adequate security, p must be in the order of 512 bits although
the resultant signature may be reduced mod q, where q divides p-1,
and may be in the order of 160 bits.
[0009] The DSS protocol provides a signature composed of two
components r, s. The protocol requires the selection of a secret
random integer k referred to as the session key from the set of
integers (0, 1, 2, . . . q-1), i.e. k.epsilon.{0, 1, 2, . . . q-1}.
[0011] The component r is then computed such that
r={.beta..sup.k mod p} mod q
[0012] where .beta. is a generator of q.
[0013] The component s is computed as
s=[k.sup.-1(h(m))+ar] mod q
[0014] where m is the message to be transmitted, h(m) is a hash of
that message, and a is the private key of the user.
[0017] The signature associated with the message is then s,r which
may be used to verify the origin of the message from the public key
of the user.
[0018] The value .beta..sup.k is computationally difficult for the
DSS implementation as the exponentiation requires multiple
multiplications mod p. This is beyond the capabilities of a "Smart
Card" in a commercially acceptable time. Although the computation
could be completed on the associated ATM, it would require the
disclosure of the session key k to the ATM and therefore render the
private key, a, vulnerable.
[0019] It has been proposed to precompute .beta..sup.k and store
sets of values of r and k on the card. The generation of the
signature then only requires two 160 bit multiplications and
signing can be completed within 1/2 second for typical
applications. However, the number of sets of values stored limits
the number of uses of the card before either reloading or
replacement is required. A problem that exists therefore is how to
generate sufficient sets of values within the storage and/or
computing capacity of the card.
[0020] One possibility is to use a smaller value of p but with the
DSS scheme this will jeopardize the security of the
transaction.
[0021] An alternative encryption scheme that provides enhanced
security at relatively small modulus is that utilizing elliptic
curves in the finite field 2.sup.m. A value of m in the order of
155 provides security comparable to a 512 bit modulus for DSS and
therefore offers significant benefits in implementation.
[0022] Diffie-Hellman public key encryption utilizes the properties
of discrete logs so that even if a generator .beta. and the
exponentiation .beta..sup.k are known, the value of k cannot be
determined. A similar property exists in elliptic curves where the
addition of two points on a curve produces a third point on the
curve. Similarly, multiplying any point on the curve by an integer k
produces a further point on the curve. However, knowing the starting
point and the end point does not reveal the value of the integer
`k` which may then be used as a session key for encryption. The
value kP, where P is an initial known point is therefore equivalent
to the exponentiation .beta..sup.k.
[0023] In order to perform a digital signature on an elliptic
curve, it is necessary to have available the session key k and a
value of kP referred to as a "session pair". Each signature utilizes
a different session pair k and kP and although the representation
of k and kP is relatively small compared with DSS implementations,
the practical limits for "Smart Cards" are in the order of 32
signatures. This is not sufficient for commercial purposes.
[0024] One solution for both DSS and elliptic curve implementations
is to store pairs of signing elements k, kP and combine stored
pairs to produce a new session pair. For an elliptic curve
application, this would yield a possible 500 session pairs from an
initial group of 32 stored signing elements. The possibilities
would be more limited when using DSS because of the smaller group
of signing elements that could be stored.
[0025] In order to compute a new session pair, k and kP, from a
pair of stored signing elements, it is necessary to add the values
of k, e.g. k.sub.1+k.sub.2.fwdarw.k and the values of k.sub.1P and
k.sub.2P to give a new value kP. In an elliptic curve, the addition
of two points to provide a third point is performed according to a
set formula such that the addition of a point k.sub.1P having
coordinates (x.sub.1,y.sub.1) and a point k.sub.2P having coordinates
(x.sub.2,y.sub.2) provides a point k.sub.3P whose x coordinate
x.sub.3 is given by:
$$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2$$
[0026] This computation may be significantly simplified using the
normal basis representation in a field F2.sup.m, as set out more
fully in our PCT Application Serial No. PCT/CA/9500452, the
contents of which are incorporated herein by reference. However,
even using such advantageous techniques, it is still necessary to
utilize a finite field multiplier and provide sufficient space for
code to perform the computation. This is not feasible within the
practical limits of available "Smart" cards.
[0027] As noted above, the ATM used in association with the card
has sufficient computing power to perform the computation but the
transfer of the coordinates of k.sub.1P and k.sub.2P from the card
to the terminal would jeopardize the integrity of subsequent
digital signatures as two of the stored signing elements would be
known.
SUMMARY OF THE INVENTION
[0028] It is therefore an object of the present invention to
obviate or mitigate the above disadvantages and facilitate the
preparation of additional pairs of values from a previously stored
set.
[0029] In general terms, one aspect of the present invention
proposes to compute on one computing device an initial step in the
computation of a coordinate of a point derived from a pair of
points to inhibit recognition of the individual components,
transfer such information to another computing device remote from
said one device, perform at least such additional steps in said
derivation at such other device to permit the completion of the
derivation at said one device and transfer the result thereof to
said one computing device.
[0030] Preferably, the initial step involves a simple field
operation on the two sets of coordinates which provides information
required in the subsequent steps of the derivation.
[0031] Preferably also the additional steps performed at the other
device complete the derivation.
[0032] In a preferred embodiment, the initial step involves the
addition of the x coordinates and the addition of the y coordinates to
provide the terms (x.sub.1.sym.x.sub.2) and
(y.sub.1.sym.y.sub.2).
[0033] The addition of the coordinates is an XOR operation that can
readily be performed on the card and the results provided to the
terminal.
[0034] In this manner, the coordinates (x,y) representing kP in a
stored signing element are not disclosed as insufficient
information is provided even with subsequent uses of the card.
Accordingly, the x coordinate of up to 500 signatures can be
generated from an initial set of 32 stored signing elements.
[0035] The new value of k can be computed on the card and to avoid
computing the inverse k.sup.-1, alternative known masking
techniques can be utilized.
[0036] A further aspect of the present invention provides a method
of generating additional sets of points from the initial set that
may be used individually as a new value of kP or in combination to
generate still further values of kP.
[0037] According to this aspect of the invention, the curve is an
anomalous curve and the Frobenius Operator is applied to at least
one of the coordinates representing a point in the initial set to
provide a coordinate of a further point on the elliptic curve. The
Frobenius Operator O provides that for a point (x.sub.1,y.sub.1) on
an anomalous curve, then O (x.sub.1,y.sub.1) is a point
(x.sub.1.sup.2,y.sub.1.sup.2) that also lies on the curve. In
general, O.sup.i(x.sub.1,y.sub.1) is a point (x.sub.1.sup.2.sup.i,
y.sub.1.sup.2.sup.i) that also lies on the curve. For a curve over the field
2.sup.m, there are m Frobenius Operators so for each value of kP
stored in the initial set, m values of kP may be generated,
referred to as "derived" values. The new value of k associated with
each point can be derived from the initial relationship between P
and OP and the initial value of k.
[0038] For a practical implementation where 32 pairs of signing
elements are initially retained on the card and the curve is over
the field 2.sup.155, utilizing the Frobenius Operator provides in
the order of 4960 possible derived values and by combining pairs of
such derived values as above in the order of 10.sup.7 values of kP
can be obtained from the initial 32 stored signing elements and the
corresponding values of k obtained to provide 10.sup.7 session
pairs.
[0039] Preferably, the stored values of kP are in a normal basis
representation. The application of the Frobenius Operator then simply
requires an "i" fold cyclic shift to obtain the value for an
O.sup.i operation.
[0040] According to a further aspect of the invention there is
provided a method of generating signature components for use in a
digital signature scheme, said signature components including
private information and a public key derived from said private
information, said method comprising the steps of storing private
information and related public key as an element in a set of such
information, cycling in a deterministic but unpredictable fashion
through said set to select at least one element of said set without
repetition and utilizing said one element to derive a signature
component in said digital signature scheme.
BRIEF DESCRIPTION OF THE DRAWINGS
[0041] The above and other objects and advantages of the present
invention will become apparent from the following description when
read in conjunction with the accompanying drawings wherein:
[0042] FIG. 1 is a schematic representation of a programmable
credit card;
[0043] FIG. 2 is a schematic representation of a transaction
performed between the card and network;
[0044] FIG. 3 is a schematic representation of the derivation of a
session pair from a pair of stored signing elements;
[0045] FIG. 4 is a schematic representation of one step in the
transmission of information shown in FIG. 2;
[0046] FIG. 5 is a schematic representation of a preferred
implementation of the derivation of a session pair from two pairs
of stored values; and
[0047] FIG. 6 is a schematic representation of a selection unit
shown in FIG. 1;
[0048] FIG. 7 is a schematic representation of a titer embodiment
of the derivation of session pairs from stored values.
[0049] FIG. 8 is an alternative schematic to the embodiment of FIG.
7; and
[0050] FIG. 9 is yet another alternative schematic to the
embodiment of FIG. 7.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
The System
[0051] Referring therefore to FIG. 1, a programmable credit card 10
(referred to as a `SMART` card) has an integrated circuit 12
embedded within the body of card 10.
[0052] The integrated circuit includes a logic array 14, an
addressable memory 16 and a communication bus 18. The memory 16
includes a RAM section 20 to store information, a pair of cyclic
shift registers 22 for temporary storage of information and
programming code 24 for control of the logic array 14 and
communication bus 18. The array 14 includes an arithmetic unit 26
to provide modular arithmetic operations, e.g. addition and
multiplication, and a selection unit 28 controlled by the
programming code 24. It will be appreciated that the description of
the card 10 is a schematic and restricted to that necessary for
explanation of the preferred embodiment of the invention.
[0053] The card 10 is used in conjunction with a terminal 30, for
example an automated teller machine (ATM), that is connected to a
network to allow financial transactions to be conducted. The
terminal 30 includes a keypad 32 to select options and tasks and
has computing capabilities to perform the necessary functions in
conjunction with the card 10.
[0054] Access to the terminal 30 is obtained by inserting card 10
into a reader 34 and entering a pass code in a conventional manner.
The pass code is verified with the card 10 through communication
bus 18 and the terminal 30 activated. The keypad 32 is used to
select a transaction, for example a transfer of funds, between
accounts and generate a message through the network to give effect
to the transactions, and card 10 is used to sign that transaction
to indicate its authenticity. The signature and message are
transmitted over the network to the intended recipient and upon
receipt and verification, the transaction is completed.
The Card
[0055] The RAM section 20 of memory 16 includes digital data string
representing a private key, a, which remains secret with the owner
of the card and a corresponding public key Q=aP where P is the
publicly known initial point on the selected curve. The RAM section
20 also includes a predetermined set of coordinates of points, kP,
on an elliptic curve that has been preselected for use in a public
key encryption scheme. It is preferred that the curve is over a
finite field 2.sup.m, conveniently and by way of example only,
2.sup.155, and that the points kP are represented in normal basis
representation. The selected curve should be an anomalous curve,
e.g. a curve that satisfies y.sup.2+xy=x.sup.3+1, and has an order
e. Each point kP has an x coordinate and a y coordinate and is thus
represented as two 155-bit digital data strings that are stored in the
RAM 20. By way of example, it will be assumed that the RAM 20
contains 32 such points identified generically as kP and
individually as k.sub.0P, k.sub.1P . . . k.sub.31P. Similarly,
their coordinates (x,y) will be individually designated
x.sub.0y.sub.0 . . . x.sub.31y.sub.31.
[0056] The points kP are precomputed from the chosen parameters of
the curve and the coordinates of an originating point P. The k-fold
addition of point P will provide a further point kP on the curve,
represented by its coordinates (x,y) and the value of k cannot be
determined even if the coordinates of points P and kP are
known.
[0057] RAM 20 therefore contains the values of k associated with
the respective points kP so that a set of stored signing elements
k,kP is available for use in the signing of the transaction.
Signing
[0058] To sign a message m generated by the transaction, one
session pair k.sub.j, k.sub.jP is required and may be obtained from
RAM 20 as set out more fully below. Assuming that values k.sub.j,
k.sub.jP have been obtained, the signing protocol requires a
signature (r,s) where r is the data string representing the
x-coordinate, x.sub.j reduced mod q (q is a preselected publicly
known divisor of e, the order of the curve, i.e. q divides e); and
s=[k.sup.-1(h(m))+ar] mod q where h(m) is a q-bit hash of
the message m generated by the transaction.
[0061] In this signature, even though r is known, s contains the
secret k and the private key, a, and so inhibits the extraction of
either.
[0062] The generation of s requires the inversion of the value k
and since k is itself to be derived from the stored set of values
of k, it is impractical to store corresponding inverted values of
possible k's. Accordingly, a known masking technique is used to
generate components r, s' and u of a signature. This is done
by selecting an integer, c, and computing a value u=ck. The value
s'=c(h(m)+ar) mod q.
[0063] The signature value s can then be obtained by the recipient
computing s'u.sup.-1=k.sup.-1[h(m)+ar].
[0064] The signature (r,s',u) can be computed on the card 10
and forwarded by bus 18 to the terminal 30 for attachment to the
message m.
Generation of Session Pair
[0065] As noted above, in order to generate the signature (r,s), it
is necessary to have a session pair k and kP. Security dictates
that each session pair is only used once and it is assumed that the
number of signing elements stored in RAM 20 is insufficient for
commercial application.
[0066] In the preferred embodiment, two techniques are used to
generate additional session pairs from the stored signing elements.
It will be appreciated that each technique may be used individually
although the combination of the two is preferred.
(i) Frobenius Operator
[0067] The first technique involves the use of the Frobenius
Operator to derive additional session pairs from the stored signing
elements and is shown in FIG. 3. The Frobenius Operator denoted O
operates on a point P having coordinates (x,y) on an anomalous
elliptic curve in the finite field 2.sup.m such that
O.sup.iP=(x.sup.2.sup.i,y.sup.2.sup.i). Moreover, the point
O.sup.iP is also on the curve. In the field 2.sup.155, there are 155
Frobenius Operators so each point kP stored in memory 20 may
generate 155 points on the curve by application of the Frobenius
Operators. Thus, for the 32 values of kP stored, there are 4960
possible values of kP available by application of the Frobenius
Operator.
[0068] To derive the value of O.sup.iP, it is simply necessary to
load the x and y coordinates of a point kP into respective shift
registers 22 and perform an i-fold cyclic shift. Because the
coordinates (x,y) have a normal basis representation, a cyclic
shift in the register 22 will perform a squaring operation, and an
i-fold cyclic shift will raise the value to the power 2.sup.i.
Therefore, after the application of i clock cycles, the registers
22 contain the coordinates of O.sup.i(kP) which is a point on the
curve and may be used in the signing protocol. The 155 possible
values of the coordinates (x,y) of O.sup.i(kP) may be obtained by
simple cyclic shifting. The representations in the registers 22 may
then be used to obtain r.
[0069] Where the use of Frobenius Operator provides sufficient
values for commercial use, only one coordinate is needed to compute
the value of r and so only a single shift register is needed.
However, as will be described below, further session pairs can be
derived if both the coordinates are known and so a pair of
registers is provided.
[0070] For each value of O.sup.i(kP), it is necessary to obtain the
corresponding value of k. O(P)=.lamda.P, where .lamda. is a constant
that may be evaluated ahead of time and the values of its first m
powers, .lamda..sup.i computed. The m values are stored in RAM
20.
[0071] In general, O.sup.i(P).fwdarw..lamda..sup.ikP so the value
of k associated with O.sup.i(kP) is .lamda..sup.ik. Since k is
stored for each value of kP in RAM 20 and .lamda. is also stored, the new
value of k, i.e. .lamda..sup.ik, can be computed using the
arithmetic unit 26.
[0072] As an alternative, to facilitate efficient computation of
.lamda..sup.i and avoid excessive storage, it is possible to
precompute specific powers of .lamda. and store them in RAM 20. Because m
is 155 in the specific example, the possible values of i can be
represented as an 8-bit binary word. The values of
.lamda..sup.2 through .lamda..sup.2.sup.7 are thus stored in RAM 20
and the value of i represented in binary. The prestored
values of .lamda..sup.2.sup.i are then retrieved as necessary and
multiplied mod e by arithmetic unit 26 to provide the value of
.lamda..sup.i. This is then multiplied by k to obtain the new value
associated with O.sup.i(kP).
[0073] It will be seen therefore that new session pairs k, kP may
be derived simply and efficiently from the stored signing elements
of the initial set. These session pairs may be computed in real
time, thereby obviating the need to increase storage capacity and
their computation utilizes simple arithmetic operations that may be
implemented in arithmetic unit 26.
(ii) Combining Pairs
[0074] A further technique, illustrated schematically in FIG. 4, to
increase the number of session pairs of k and kP available, and
thereby increase the number of signatures available from a card, is
to combine pairs of stored signing elements to produce a new
derived value. The addition of two points k.sub.1P and k.sub.2P
will produce a third point k.sub.3P that also lies on the curve and
may therefore be used for signatures.
[0075] The addition of two points having coordinates
(x.sub.1,y.sub.1)(x.sub.2y.sub.2) respectively on a curve produces
a new point having an x coordinate x.sub.3 where
$$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2$$
[0076] In the finite field 2.sup.m, y.sub.1.sym.y.sub.2 and
x.sub.1.sym.x.sub.2 are XOR field operations that may be performed
simply in logic array 14. Thus the respective values of x.sub.1,
x.sub.2 and y.sub.1, y.sub.2 are placed in respective ones of
registers 22 and XOR'd. The resultant data string is then passed
over communication bus 18 to
the terminal 30. The terminal 30 has sufficient computing capacity
to perform the inversion, multiplication and summation to produce
the value of x.sub.3. This is then returned to register 22 for
signature. The potential disclosure of x.sub.3 does not jeopardize
the security of the signature as the relevant portion is disclosed
in the transmission of r.
[0077] The value of k.sub.1+k.sub.2 is obtained from the
arithmetic unit 26 within logic array 16 to provide a value of
k.sub.3 and hence a new session pair k.sub.3, k.sub.3P is available
for signature.
[0078] It will be appreciated that the value of y.sub.3 has not
been computed, as the signing value r is derived from x.sub.3 rather
than from both coordinates.
[0079] It will be noted that the values of x.sub.1 and x.sub.2 or
y.sub.1 and y.sub.2 are not transmitted to terminal 30 and, provided
a different pair of points is used for each signature, the values of
the coordinates remain undisclosed.
[0080] At the same time, the arithmetic functions performed on the
card are relatively simple and those computationally more difficult
are performed on the terminal 30.
Preferred Implementation of Generating Session Pairs
[0081] The above technique may of course be used with pairs
selected directly from the stored signing elements or with the
derived values obtained using the Frobenius Operator as described
above. Alternatively, the Frobenius Operator could be applied to
the value of kP obtained from combining pairs of the stored signing
elements to provide m possible values of each derived value.
[0082] To ensure security and avoid duplication of session pairs,
it is preferred that only one of the stored signing elements should
have the Frobenius Operator applied, as in the preferred embodiment
illustrated in FIG. 5.
[0083] In this arrangement, the coordinates x.sub.1,y.sub.1 of one
of the stored signing elements are applied to the registers 22 and
cyclically shifted i times to provide O.sup.i(k.sub.1P).
[0084] The respective coordinates, x.sub.O.sub.1,y.sub.O.sub.1, are
XOR'd with the coordinates from another of the stored values
k.sub.2P and the summed coordinates transmitted to ATM 30 for
computation of the coordinate x.sub.3. This is retransmitted to the
card 10 for computation of the value r.
[0085] The value of k.sub.1 is processed by arithmetic unit 26 to
provide .lamda..sup.ik.sub.1 and added to k.sub.2 to provide the new
value k.sub.3 for generation of the signature component. In this
embodiment, from an original set of 32 stored signing elements
stored on card 10, it is possible to generate in the order of
10.sup.7 session pairs. In practice, a limit of 10.sup.6 is
realistic.
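The following is an added worked example, not code from the patent, that runs the flow of paragraphs [0072] to [0085] end to end in Python: the .lamda..sup.i computation from stored squares of .lamda., the card-side XOR of coordinates, the terminal-side inversion that yields x.sub.3, and the check that x.sub.3 is the x coordinate of k.sub.3P. Everything in it is constructed for illustration: a toy field GF(2.sup.5) in polynomial basis stands in for the normal basis over GF(2.sup.155) (so the Frobenius Operator is a squaring rather than a cyclic shift of register 22), the curve is y.sup.2+xy=x.sup.3+1 (the a=0 form whose x.sub.3 formula has no a term, as in [0075]), the base point (2, 29) and the stored scalars 2 and 5 are arbitrary, and .lamda. is found by search rather than taken from the curve's characteristic equation.

```python
# Added example, not the patent's code: toy run of FIG. 5 over GF(2^5) in polynomial basis
# (stand-in for the normal basis over GF(2^155)); curve y^2 + xy = x^3 + 1, the a = 0 form.
M = 5
MOD = 0b100101  # x^5 + x^2 + 1, irreducible over GF(2)

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= MOD if a >> M & 1 else 0
    return r

def gf_inv(a):  # a^(2^M - 2) = a^-1 for a != 0
    r, e = 1, (1 << M) - 2
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def on_curve(pt):
    x, y = pt
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ 1

def ec_add(p, q):
    """Full group law, None = point at infinity; reference only, the card never runs it."""
    if p is None or q is None:
        return q if p is None else p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if y1 != y2 or x1 == 0:  # q = -p (here -p = (x, x + y)), or the 2-torsion point
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam
        return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def scalar_mult(k, p):
    r = None
    while k:
        r = ec_add(r, p) if k & 1 else r
        p, k = ec_add(p, p), k >> 1
    return r

def point_order(p):
    n, q = 1, p
    while q is not None:
        q, n = ec_add(q, p), n + 1
    return n

def frobenius(p, i):
    """phi^i(P) = (x^(2^i), y^(2^i)); on a normal basis this is i cyclic shifts of register 22."""
    x, y = p
    for _ in range(i):
        x, y = gf_mul(x, x), gf_mul(y, y)
    return x, y

def frobenius_scalar(p, n):  # lambda with phi(P) = lambda.P for P of order n (search, toy only)
    fp = frobenius(p, 1)
    return next(lam for lam in range(1, n) if scalar_mult(lam, p) == fp)

def lambda_pow(lam, i, n, bits=8):
    """[0072]: lambda^(2^j) mod n for j < 8 (i fits 8 bits since m = 155) sit in RAM 20;
    lambda^i is the product mod n of the stored entries selected by the bits of i."""
    stored = [pow(lam, 1 << j, n) for j in range(bits)]  # computed once, kept on the card
    r = 1
    for j in range(bits):
        r = r * stored[j] % n if i >> j & 1 else r
    return r

def card_prepare(k1P, k2P, i):
    """Card 10: phi^i on one stored element, then XOR the coordinates in registers 22.
    Only the two XOR sums cross the bus; x1, y1, x2, y2 never leave the card ([0079])."""
    x1, y1 = frobenius(k1P, i)
    x2, y2 = k2P
    return y1 ^ y2, x1 ^ x2

def terminal_x3(sy, sx):
    """Terminal 30: the inversion, multiplication and summation of [0075]."""
    lam = gf_mul(sy, gf_inv(sx))
    return gf_mul(lam, lam) ^ lam ^ sx

def new_session_pair(k1, k1P, k2, k2P, i, lam, n):
    """[0085]: k3 = lambda^i.k1 + k2 (mod n) in arithmetic unit 26; x3 comes back from the terminal."""
    k3 = (lambda_pow(lam, i, n) * k1 + k2) % n
    sy, sx = card_prepare(k1P, k2P, i)
    return k3, terminal_x3(sy, sx)

def demo(k1=2, k2=5, i=3):
    """Constructed run: base point (2, 29) satisfies the curve equation; stored scalars 2 and 5."""
    P = (2, 29)
    n = point_order(P)
    lam = frobenius_scalar(P, n)
    k3, x3 = new_session_pair(k1, scalar_mult(k1, P), k2, scalar_mult(k2, P), i, lam, n)
    return P, n, lam, k3, x3  # x3 is the x coordinate of k3.P
```

Running demo() returns the base point, its order n, .lamda., and the new pair k.sub.3, x.sub.3; the terminal sees only the two XOR sums and never the coordinates of either stored element, which is the property [0079] relies on. On a real card n is the order of the base point and the table of .lamda..sup.2.sup.j is filled once in RAM 20 as [0072] describes, rather than recomputed on every use as the toy does.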
Selection of Pairs of Stored Signing Elements
[0086] The above procedure requires a pair of stored signing
elements to be used to generate each session pair. In order to
preserve the integrity of the system, the same set cannot be used
more than once and the pairs of stored values constituting the set
must not be selected in a predictable manner.
[0087] This selection function is performed by the selection unit
28 whose operation is shown schematically in FIG. 6.
[0088] Selection unit 28 includes a set of counters 40,42,44 whose
outputs address respective look up tables 46,48,50. The look up
tables 46,48,50 map the successive outputs of the counters to
pseudo random output values to provide unpredictability for the
selection of stored signing elements.
[0089] The 32 stored values of k and kP are assigned nominal
designations as elements in a set 52 ranging from -15 to +15 with
one designated .infin.. To ensure that all available combinations of
stored values are used without repetition, the nominal designations
are grouped in 16 pairs in an ordered array 54 such that the
difference (mod 31) in the assigned values of a pair uses all the
numbers from 1 to 30. .infin. is grouped with 0. This array
provides a first row of a notional matrix.
[0090] Successive rows 54a,b,c, etc. of the notional matrix are
developed by adding 1 to each assigned designation of the preceding
row until 15 rows are developed. In this way a matrix is developed
without repetition of the designations in each cell. By convention
.infin.+1=.infin..
[0091] Counter 42 will have a full count after 15 increments and
counter 40 will have a full count after 14 increments. Provided the
full count values of counters 40,42 are relatively prime and the
possible values of the counter 44 that selects the Frobenius
Operator are relatively large, the outputs of counters 40,42,44 are
mapped through the tables 46,48,50 respectively to provide values
for the row and column of the notional matrix and the order i of the
Frobenius Operator to be applied.
[0092] The output of table 48 selects a column of the array 54
from which a designation associated with a starting pair can be
ascertained. In the example of FIG. 6, the output of counter 42 is
mapped by table 48 to provide an output of 3, indicating that
column 3 of array 54 should be selected. Similarly, the output of
counter 40 is mapped through table 46 to provide a count of 3,
indicating that values in row 3 of the matrix should be used.
[0093] The assigned designations for a particular row are then
obtained by adding the row value to the values of the starting
pair. This gives a new pair of assigned designations that indicate
the locations of elements in set 52. The signing elements are then
retrieved from the set 52.
[0094] One of those pairs of signing elements is then output to a
shift register 22 and operated upon by the designated Frobenius
Operator O. The order of the Frobenius Operation is obtained from
the output of table 50, which maps counter 44. The value obtained
from table 50 sets the shift clock associated with register 22 so
that the contents of the register 22 are cyclically shifted by the
Frobenius value O indicated by the output of table 50.
[0095] Accordingly, a new value for kP is obtained. The associated
value of k can be computed as described above with the arithmetic
unit utilizing the output of table 50 to determine the new value of
.lamda.. Accordingly, a derived value is obtained.
[0096] The derived value and signing element are then combined as
described at (ii) above to provide a new session pair k, kP for use
in the signing process.
[0097] The use of the counters 40,42 provides input values for the
respective tables so that the array 54 is accessed in a
deterministic but unpredictable fashion. The grouping of the pairs
in the array 54 ensures there is no repetition in the selected
elements to maintain the integrity of the signature scheme.
[0098] Counter 44 operates upon one of the selected pairs to modify
it so that a different pair of values is presented for combination
on each use, even though multiple access may be made to the array
54.
[0099] The counters 40,42,44 may also be utilized to limit the use
of the Smart Card if desired so that a forced expiry will occur
after a certain number of uses. Given the large number of possible
signatures, this facility may be desirable.
[0100] Alternative structures to the look up tables 46,48,50 may be
utilized, such as a linear feedback shift register, to achieve a
mapped output if preferred.
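As an added example, not the patent's code, the following Python models selection unit 28 as described in paragraphs [0088] to [0098]: the designations -15 to +15 and .infin., array 54, the notional matrix formed by adding 1 per row, and counters 40, 42, 44 with the periods 14 and 15 stated in [0091], read through look-up tables. The pairing (i, -i) is one grouping that satisfies the difference condition of [0089]; the tables themselves, the period 155 of the Frobenius counter (one value per possible order i when m = 155), and the check of all 31 possible rows rather than the 15 the page develops are assumptions made for the example.

```python
# Added example, not the patent's code: a model of selection unit 28 (FIG. 6) with
# the 32 designations, array 54, the notional matrix and counters 40, 42, 44 read
# through look-up tables. Tables and the Frobenius counter's period are constructed.
INF = None  # the designation the page writes as .infin.

def shift(d, r):
    """Add r (mod 31) to a designation, keeping the -15..+15 labels; .infin. + r = .infin."""
    return INF if d is INF else (d + r + 15) % 31 - 15

def array_54():
    """First row: .infin. with 0, then (i, -i). The differences 2i and -2i mod 31 of
    these 15 pairs run over all of 1..30, one grouping that meets [0089]."""
    return [(INF, 0)] + [(i, -i) for i in range(1, 16)]

def notional_matrix(rows):
    """Rows 54a, 54b, ...: add 1 to every designation of the preceding row ([0090])."""
    return [[(shift(a, r), shift(b, r)) for a, b in array_54()] for r in range(rows)]

def differences(row):
    """Every (a - b) mod 31 over both orders of each finite pair in a row."""
    finite = [(a, b) for a, b in row if INF not in (a, b)]
    return {(a - b) % 31 for a, b in finite} | {(b - a) % 31 for a, b in finite}

# Constructed stand-ins for tables 46, 48, 50: bijections of each counter's range.
# Periods 14 and 15 for counters 40 and 42 are those of [0091]; 155 (one value per
# possible Frobenius order i when m = 155) is assumed for counter 44.
ROW_TABLE = [(5 * c + 2) % 14 for c in range(14)]     # table 46 <- counter 40 -> row
COL_TABLE = [(11 * c + 4) % 15 for c in range(15)]    # table 48 <- counter 42 -> column
FROB_TABLE = [(7 * c + 3) % 155 for c in range(155)]  # table 50 <- counter 44 -> i

class SelectionUnit:
    def __init__(self):
        self.c40 = self.c42 = self.c44 = 0

    def step(self):
        """One use: (row, column, i, pair of designations), then advance the counters."""
        row, col, i = ROW_TABLE[self.c40], COL_TABLE[self.c42], FROB_TABLE[self.c44]
        a, b = array_54()[col]                 # starting pair from the selected column
        pair = (shift(a, row), shift(b, row))  # [0093]: add the row value to it
        self.c40 = (self.c40 + 1) % 14
        self.c42 = (self.c42 + 1) % 15
        self.c44 = (self.c44 + 1) % 155
        return row, col, i, pair

def distinct_selections(uses):
    """(distinct cells, distinct unordered pairs) over the first `uses` steps. With
    coprime counter periods a cell, and so a pair, repeats only after 14 * 15 uses."""
    unit = SelectionUnit()
    outs = [unit.step() for _ in range(uses)]
    return len({(r, c) for r, c, _, _ in outs}), len({frozenset(p) for _, _, _, p in outs})
```

The two properties the page relies on can be checked directly: differences(array_54()) covers 1 to 30, so no two rows of the notional matrix ever produce the same unordered pair (all 31 rows give the 496 distinct pairs of 32 elements, and the page's 15 rows give 240 of them), and because 14 and 15 are relatively prime the counters visit 210 distinct cells before the first repeat, which is when the forced expiry of [0099] could be made to trigger.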
[0101] Further selection of the session pairs can be obtained by
preprocessing of the contents of register 52 using one or more of
the techniques shown in FIG. 7, 8 or 9.
[0102] In its simplest form, as shown in FIG. 7, a source row `s`
is selected and the session pair k.sub.s,k.sub.sP read from the
register. A function is applied to the session pair, which for
example is the Frobenius operation as set out in FIG. 3, to provide
a new session pair .lamda..sup.ik.sub.s, .phi..sup.i(k.sub.sP). A
destination row, d, is then selected in the table 52 and the new
session pair combined with the contents of that row to generate a
new pair of values. The contents of the table 52 are thus updated
and a selection of pairs may be made for the generation of a new
session pair as described above.
[0103] The preprocessing may be repeated a number of times with
different source rows s, and destinations, d, so that a thorough
mixing is obtained. The source rows, s, and destinations, d, may
be selected deterministically using the counters 40,42.
[0104] Alternatively, where the card 10 does not have adequate
computing power or a curve other than an anomalous curve is used, an
alternative function may be applied to the selected row. For
example, a sign may be applied to the selected row prior to
accumulation at a destination.
[0105] An alternative embodiment is shown in FIG. 8 where multiple
source rows s.sub.1 . . . s.sub.n are used and the selected session
pairs combined. Typically two source rows are used but more than
two can be combined if preferred. In this case the combining may
proceed as shown in FIG. 5 and the new value accumulated at the
destination row, d, of the register. As the x coordinate of the
combined point will identify one of the coordinates in the register
52, it is preferred to perform the computation on the card where
feasible.
[0106] The selected session pairs may be modified prior to or
subsequent to their addition by application of a second function,
e.g. signing, (as shown in ghosted outline) to provide further
security in the updating of the register 52.
[0107] Where a random number generator is incorporated on the card
10, the above preprocessing may be used effectively in the
production of the cards. Referring to FIG. 9, an initial set of
session pairs is injected into the register 52 of each card 10. A
random number generator 60 is run for an initial period and its
output used to select the source and destination rows of the
register 52. The source row is accumulated with the destination row
so that the session pairs of the set are changed with each
iteration. If preferred, a function such as a sign or a Frobenius
operation may be applied to the selected session pair before
accumulation. The mixing continues for a further period with the
output of generator 60 being used periodically to select each row.
Once the register is considered thoroughly mixed, the session pairs
may be selected and combined as described above for FIG. 6. As the
output of each generator 60 will vary from device to device, the
sets of session pairs in each register 52 will also vary from
device to device. Therefore the same initial table may be used but
different session pairs will be generated.
[0108] In summary, therefore, pairs of signing elements from an
initial set of stored values can be selected in a deterministic and
unpredictable manner and one of those elements operated upon by the
Frobenius Operator to provide additional values for the elements.
The elements may then be combined to obtain a new session pair with
a portion of the computation being performed off card but without
disclosing the value of the elements. Accordingly, an extended
group of session pairs is available for signing from a relatively
small group of stored values.
[0109] While the present invention has been illustrated and
described by means of a specific embodiment, it is to be understood
that numerous changes and modifications can be made therein without
departing from the spirit and scope of the invention.
* * * * *