(11)EP 1 687 931 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
29.12.2021 Bulletin 2021/52

(21)Application number: 04789786.3

(22)Date of filing:  28.10.2004
(51)International Patent Classification (IPC): 
H04L 9/30(2006.01)
H04L 9/32(2006.01)
(52)Cooperative Patent Classification (CPC):
H04L 9/3263; H04L 9/3252; H04L 9/3066
(86)International application number:
PCT/CA2004/001879
(87)International publication number:
WO 2005/043807 (12.05.2005 Gazette  2005/19)

(54) METHOD AND APPARATUS FOR VERIFIABLE GENERATION OF PUBLIC KEYS



(84)Designated Contracting States:
AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR

(30)Priority: 28.10.2003 US 51468703 P

(43)Date of publication of application:
09.08.2006 Bulletin 2006/32

(73)Proprietor: BlackBerry Limited
Waterloo, ON N2K 0A7 (CA)

(72)Inventor:
  • BROWN, Daniel R.
    Mississauga, Ontario L5N 1X8 (CA)

(74)Representative: Vigand, Philippe 
Novagraaf International SA Chemin de l'Echo 3
1213 Onex - Genève (CH)


(56) References cited:
US-A1- 2002 108 042
US-B1- 6 279 110
US-B1- 6 212 281
US-B1- 6 341 349
  
  • BROWN D R L ET AL: "Provably secure implicit certificate schemes", Parallel and Distributed Processing and Applications: Second International Symposium, ISPA 2004 Proceedings, Hong Kong, China, December 13-15, 2004 (Lecture Notes in Computer Science), Springer, DE, vol. 2339, 1 January 2002 (2002-01-01), pages 156-165, XP002524293, ISBN: 978-3-540-24128-7. Retrieved from the Internet: URL:http://www.springerlink.com/content/7445l264h287wp17/fulltext.pd
  • SMART N P ET AL: "A wearable public key infrastructure (WPKI)", Wearable Computers, The Fourth International Symposium on, Atlanta, GA, USA, 16-17 Oct. 2000, Los Alamitos, CA, USA, IEEE Comput. Soc., DOI:10.1109/ISWC.2000.888474, 16 October 2000 (2000-10-16), pages 127-133, XP010526002, ISBN: 978-0-7695-0795-8
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

BACKGROUND OF THE INVENTION


FIELD OF THE INVENTION



[0001] The present invention relates to a method, an apparatus and a computer readable medium for storing a program executable on a processor for verifiable generation of public keys.

DESCRIPTION OF THE PRIOR ART



[0002] When communicating in a communication system that operates over a public network, cryptographic techniques are often used to secure communications. Cryptography can provide secrecy and/or authentication through encryption and digital signatures respectively. In public key cryptographic systems, a user's key includes a private key and a mathematically related public key. It is infeasible to determine the private key given only the public key. The public keys for all entities can be published or otherwise distributed to other correspondents in the communication system.

[0003] Accepted good practices for public keys include public key validation (PKV) and proof-of-possession (POP) for the associated private key. These practices are considered to be useful tests that prevent potential abuse of public keys.

[0004] Public key validation includes testing a purported public key for conformance to its type of public key. This testing may or may not involve participation of the holder of the associated private key. Public key validation helps assure that use of the purported public key is safe, provided that various other security measures are in place.

[0005] Proof of possession involves one party demonstrating to another party that it knows the private key associated with a given public key. This is often accomplished through providing a digital signature dependent upon the private key. Successful verification of the signature proves knowledge of the private key.

[0006] Neither public key validation nor proof of possession excludes the possibility that the private key was (a) stolen or (b) generated with insufficient randomness. When keys are stolen, it may contribute to identity theft, public key theft, and similar undesirable frauds. Insufficient randomness is a common problem in computers, especially smart cards and other constrained devices. Insufficient randomness can lead to guessable or duplicate private keys, which dramatically undermines security.

[0007] Lecture Notes in Computer Science, 2002, Volume 2339/2002, pages 156-165, DOI: 10.1007/3-540-46088-8-15, "Provably Secure Implicit Certificate Schemes" by Daniel R. L. Brown, Robert Gallant and Scott A. Vanstone, discloses that optimal mail certificates are efficient types of implicit certificates which offer many advantages over traditional (explicit) certificates. For example, an optimal mail certificate is small enough to fit on a two-dimensional digital postal mark together with a digital signature. It discloses a general notion of security for implicit certificates, and proves that optimal mail certificates are secure under this definition.

[0008] SMART N P et al, "A Wearable Public Key Infrastructure (WPKI)", Wearable Computers, The Fourth International Symposium on, Atlanta, GA, USA, 16-17 Oct 2000, Los Alamitos, CA, USA, IEEE Comput. Soc., 16 October 2000, pages 127-133, XP010526002, ISBN 978-0-7695-0795-8, describes the design and implementation of a public key infrastructure for the Bristol University Cyberjacket and three initial applications. The first removes the need for the user to remember passwords, the second application provides an authentic record that a meeting took place, and the third provides an authentic record of a conversation. The wearable public key infrastructure (WPKI) developed there uses very little communication, whilst also providing a balanced and low computational overhead on both the 'client' and 'server' sides.

[0009] It is an object of the present invention to obviate or mitigate the above disadvantages.

SUMMARY OF THE INVENTION



[0010] The invention is set out in the appended claims.

[0011] The inventor has developed a method of performing "verifiable key generation." Using the method, a first party can generate its key pair in a way that allows others to verify that the first party actually generated the key rather than stole it. A trusted authority can also participate in the verifiable key generation process to provide additional randomness in the key pair.

[0012] The inventor has recognized that verifiable key generation helps to exclude the above possibilities of stolen keys and insufficient randomness.

[0013] In one aspect of the invention, there is provided a method of generating a private key and a corresponding public key, the method comprising: generating a digital signature; obtaining message data; generating a self-signed signature message by combining said message data and said digital signature; and computing said private key and said corresponding public key using said self-signed signature message.

[0014] A typical use of Public Key Validation (PKV), Proof of Possession (POP) and verifiable key generation is during a certification of a public key. In a certification, a subject, namely a user or requester, requests a certificate from an issuer, or certification authority (CA). The subject generates a key pair, possibly with the assistance of the CA to obtain sufficient randomness. The subject may also generate additional information useful for validating the public key and for verifying the generation of the key. The subject then signs the public key or a signature message to form what is called a certificate request, and sends this with the other information to the CA. The CA confirms the identity of the subject, verifies the signature in the certificate request, validates the public key and verifies the generation of the key pair. Once the CA is satisfied it issues a certificate.

[0015] One embodiment of the verifiable key generation builds upon the existing digital signature techniques. A self-signed signature is defined as a message that is signed and the message itself contains a copy of the signature. The present invention includes a method to simultaneously generate a self-signed signature and a key pair, whereby the verification of the self-signed signature assures that the key pair was generated (i.e. not stolen).

[0016] If a trusted authority includes some randomness in the message then sufficient randomness is ensured. To enhance the security of the key pair owner, the signature verification can be modified with a salt and a long computation to help prevent exhaustive searches of the key pair owner's contribution of randomness to the key pair.

BRIEF DESCRIPTION OF THE DRAWINGS



[0017] These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

Figure 1 is a schematic representation of a communication system;

Figure 2 is a flowchart showing a key generation performed in the communication system of Figure 1;

Figure 3 is a flowchart showing a variation on a step in Figure 2;

Figure 4 is a flowchart showing another embodiment of a key generation method performed in the communication system of Figure 1;

Figure 5 is a flowchart showing yet another embodiment of a key generation method performed in the communication system of Figure 1;

Figure 6 is a flowchart showing a verification method to be used with a key generated by the method of Figure 5;

Figure 7 is a schematic representation of a method performed by the certification authority of Figure 1.


DESCRIPTION OF THE PREFERRED EMBODIMENTS



[0018] Referring to Figure 1, a communication system is shown generally by the numeral 10. The communication system includes a pair of correspondents 12, 14 and a certification authority 16. Each correspondent 12, 14 has a respective cryptographic unit 18, 20 for performing cryptographic operations. The correspondent 12 has a private key 22 and a corresponding public key 24. The certification authority 16 issues a certificate 26 which certifies the public key 24 as will be described further below. The certificate 26 can be shared with the correspondent 14 in order to provide the correspondent 14 with the public key 24 and cryptographic assurances as will be described below.

[0019] The correspondents in Figure 1 may perform a number of cryptographic protocols to achieve various cryptographic goals, particularly to generate the private key 22, public key 24, and certificate 26.

"Self-Signed Signatures" and "Verifiable Key Generation"



[0020] The correspondents may perform the following method for generating a "self-signed signature" based on various digital signature algorithms such as DSA and ECDSA. For convenience, the method is described in terms of ECDSA.

[0021] Referring to Figure 2, a method of generating a self-signed signature performed by the correspondent 12 is shown generally by the numeral 50. Following ECDSA procedures, a point G of order n on an elliptic curve defined over Zp is first selected. Here n is a large prime number. At step 52, the correspondent 12 chooses an integer k at random in the interval [0, n-1]. The correspondent then computes an elliptic curve point R = kG at step 54. Here R is referred to as the signature ephemeral public key and k is referred to as the ephemeral private key.

[0022] The signature data (r,s) contain two integers, r and s. An integer value corresponding to the elliptic curve point R is assigned to integer r at step 56. As will be understood, a number of methods may be employed, including that specified by ECDSA, to convert the elliptic curve point R into an integer. The correspondent chooses at step 58 an integer s in the interval [0, n-1], preferably at random.

[0023] Then, it obtains pre-message data m0 at step 60. The pre-message data m0 can be any message data. It may be a message to be signed. It may contain information relating to the owner of the verifiable keys. It also may contain information received from an outside source, such as randomness provided by a certification authority to be contributed to the resulting key pair. The correspondent then combines, for example, by concatenating, the pre-message data m0 and the signature data (r,s) into a self-signed signature message m at step 62.

[0024] The correspondent computes a message digest e = Hash(m) at step 64, where the function Hash is a cryptographic hash function that gives an integer result. The correspondent computes a private key from the message digest e using a formula d = (s k-e)/r mod n at step 66. A public key is computed from the value of the private key using the formula Q = d G at step 68. It is noted that the public key may also be expressed as Q = (1/r mod n)(s R - e G) using the above formula for the private key d.

[0025] To summarize, the method described above includes the following steps:
  1. Choose some integer k (randomly from [0, n - 1], for example).
  2. Compute the elliptic curve point R = kG, the signature ephemeral public key.
  3. Convert R to an integer r.
  4. Choose some integer s (randomly from [0, n - 1], for example).
  5. Take some pre-message data m0 (which may contain information from outside sources, such as randomness).
  6. Combine pre-message m0 and signature data (r, s) into a message m (by concatenation, for example).
  7. Compute the message digest e = Hash(m) in integer form.
  8. Compute a private key d = (s k - e)/r mod n.
  9. Compute a public key Q = d G. (Alternatively, Q = (1/r mod n)(s R - e G).)


[0026] If the ECDSA verification algorithm is applied to a triplet, or triple (m, (r, s), Q), the result of the verification algorithm is that the triple is a valid signature. Because the signed message m contains the signature (r, s), the signature is a "self-signed signature".

[0027] Given an already existing public key Q of another party, finding a new self-signed signature is tantamount to forging a signature, which is considered infeasible. Furthermore, even using a pre-existing private key d, supposing an adversary were to steal the private key, finding a new self-signed signature is infeasible, because generation of the self-signed signature results in a new private key, which will almost certainly not be the old private key.

[0028] Therefore a self-signed signature constitutes "verifiable key generation". Following the ECDSA verification algorithm, verification of the signature proves that the key generation process above was used and excludes the possibility the private key was merely stolen or re-used from another source.

Key Generation with Verifiable Randomness



[0029] In verifiable key generation with a self-signed signature, the message m0 influences the value of the key pair, and by contributing to part of this message, a trusted authority such as the certification authority can supplement the randomness of the key pair to a level sufficient to the desired security level. This is especially useful if the key pair owner is constrained in its capability of generating randomness.

[0030] The trusted authority generates data t, which the key pair generator includes in m0. The value t includes sufficient randomness according to the desired security level.

[0031] The value t should be conveyed to the key pair generator securely, because the security of the key pair depends to some extent on t. To convey t securely is to convey t with confidentiality and authenticity.

[0032] One way to convey t with authenticity is to have t contain a digital signature. The key pair generator can verify the signature to ensure that it originates from the trusted authority. (If t originates from an adversary, security will be weakened considerably.) Generally the digital signature also provides the necessary randomness, because it depends on the private key of the trusted authority. If a probabilistic signature algorithm, such as ECDSA, is used then further randomness can be present. Therefore, it can be sufficient for t to consist entirely of a digital signature. The message signed for the purpose of t can be a combination of messages from the authority and the key generator.

[0033] Confidential conveyance of t can be achieved through various means. Encryption can be used, provided that a secure channel can be established. The key pair generator can generate a temporary session key and send this securely to the trusted authority using the authority's public key. Independence of the temporary public key from the key being verifiably generated is important.

[0034] Typically, the trusted authority would also be a CA and would authenticate the key pair generator using some non-cryptographic methods.

[0035] Referring therefore to Figure 3, a method of providing the pre-message m0 is shown generally by the numeral 70. The correspondent first requests information related to key generation from the certification authority at step 72. In response to this request, the certification authority generates a message at step 74. As noted above, the message can be generated solely by the certification authority or it may be a combination of messages from the correspondent and the certification authority. When a combination is used, the request made at step 72 includes a message from the correspondent to be included in the certification authority message.

[0036] The certification authority then signs the message at step 76 with its own key to obtain a CA signature. The CA signature is sent to the correspondent over a secure channel at step 78. The secure channel may be accomplished by encryption as described above. The correspondent then uses the signature as pre-message data m0. The correspondent then proceeds to generate a key pair and self-signed signature using the method of Figure 2 with the signature used at step 60.

Protecting the Key Pair Generator's Weak Secret



[0037] If the key pair generator uses a self-signed signature for verifiable key generation and the secret value k generated in the method of Figure 2 is insufficiently random, then the security problem below results. This security problem can be mitigated with a slight modification of the ECDSA algorithm used in the self-signed signature as will be described in detail below with reference to Figure 4.

[0038] The security problem is that if an adversary can guess k and has copies of r, s, and m, which would be the case if the adversary is the trusted authority or another user who wishes to verify the key generation, then the adversary can recover the private key with the same formula the key pair generator uses.

[0039] To make exhaustive guessing of k as difficult as possible, the method of Figure 2 is modified as shown in Figure 4. The steps in the method of Figure 4 are similar to those in Figure 2.

[0040] At step 92, the correspondent 12 chooses an integer k at random in the interval [0, n-1]. The correspondent then computes an elliptic curve point R = kG, referred to as the signature ephemeral public key at step 94.

[0041] At step 96, the correspondent computes r = Hash(A || R || A || R || ... || A || R), where the number of repetitions can be made as large as is wanted and is convenient, and "||" denotes concatenation of bit strings. The larger the number of repetitions, the longer the calculation takes. Each guess of k requires one computation of r. A long calculation therefore forces an adversary who is trying to guess k to do more work. Therefore the preferred number of repetitions is the largest that the correspondent and CA can tolerate. The value A is a salt value, and is unique to the key pair generator. The salt ensures that the function from k to r is unique to the key pair generator, which prevents the adversary from building a dictionary of computed values that is re-usable for different key pair generators.

[0042] The correspondent chooses at step 98 an integer s at random in the interval [0, n-1]. Then, it obtains pre-message data m0 at step 100. The pre-message data m0 may contain randomness to be contributed to the resulting key pair. The correspondent then concatenates the pre-message data m0 and the signature data (r,s) into a message m at step 102. The correspondent computes a message digest e = Hash(m) at step 104, where the function Hash is a cryptographic hash function that gives an integer result. The correspondent computes a private key d = (s k - e)/r mod n at step 106, and a public key Q = d G at step 108. It is noted that the public key may also be expressed as Q = (1/r mod n)(s R - e G) using the above formula for the private key d.

[0043] Other correspondents or the certification authority may verify the modified self-signed signature. The verifier first computes an elliptic curve point R' = (1/s mod n)(eG + rQ), which is part of the ECDSA verification process. This requires a copy of the message m and the public key Q. The verifier needs the salt A and the number of repetitions that the key pair generator used to compute r. The verifier then computes r' = Hash(A || R' || A || R' || ... || A || R'). If r' = r, the verifier accepts the signature; otherwise the verifier rejects it.

[0044] Other lengthy calculations may also be necessary to deter an adversary from guessing k exhaustively. An adversary can use the formula for the private key d = (s k - e)/r mod n and knowledge of the public key Q to check guesses for the secret k and thus for the private key d. To slow this approach of guessing k, the message m can be chosen in the form m = r || s || t || r || s || t || ... || r || s || t. Then the calculation of e as e = Hash(m) takes a long time and has to be done separately for each guess of k. The form of the message m does not require any further modification to the digital signature algorithm used.

[0045] These two methods combined help protect the key pair owner's private key from the trusted authority who generates t and from any other party who obtains m, r, s and Q, such as parties that want to verify the generation of Q independently from the trusted authority.
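The key generation of Figure 2 and its salted, slow-hash variant of Figure 4, together with the verifier's check of paragraphs [0026] and [0043], as an added example (not code from the patent). It uses the DSA-style instantiation over a subgroup of Z_p^*, which the description names alongside ECDSA, so g^x mod p plays the role of the elliptic-curve product xG; the group parameters, salt, repetition counts, pre-message and function names are this example's own constructed choices.

```python
"""
Self-signed signature key generation, added here as an illustration of Figures 2 and 4
(paragraphs [0021]-[0028] and [0040]-[0044]); it is not the patent's own code.  It uses the
DSA-style instantiation (subgroup of order q in Z_p^*), which the patent names next to ECDSA,
so no elliptic-curve arithmetic is needed: g^x mod p plays the role of the point product xG.
The group parameters below are a small constructed example, not standard DSA parameters.
"""
import hashlib
import secrets
from typing import Optional


def _is_prime(n: int) -> bool:
    """Trial division; only used to build the toy parameters below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


# Constructed toy parameters (this example's assumption): q = 2^16 + 1 is prime, p is the
# first prime of the form k*q + 1, and g generates the subgroup of order q in Z_p^*.
Q_ORDER = 65537
P = next(k * Q_ORDER + 1 for k in range(2, 10_000) if _is_prime(k * Q_ORDER + 1))
G = next(g for g in (pow(h, (P - 1) // Q_ORDER, P) for h in range(2, P)) if g != 1)


def hash_to_int(data: bytes) -> int:
    """The patent's Hash(): a cryptographic hash read as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def int_to_bytes(x: int) -> bytes:
    return x.to_bytes(32, "big")  # fixed width, so m = m0 || r || s parses unambiguously


def convert_r(R: int, salt: Optional[bytes] = None, reps: int = 1) -> int:
    """Step 56: the DSA conversion r = R mod q.  With a salt A (step 96, Figure 4):
    r = Hash(A || R || A || R || ... || A || R), whose cost grows with reps, so every
    guess of k costs a guesser one such long computation and no dictionary carries over."""
    if salt is None:
        return R % Q_ORDER
    return hash_to_int((salt + int_to_bytes(R)) * reps)


def build_message(m0: bytes, r: int, s: int, m_reps: int = 1) -> bytes:
    """Steps 62/102: m = m0 || r || s.  m_reps > 1 gives the repeated form of paragraph
    [0044], which makes every evaluation of e = Hash(m) correspondingly slower."""
    return (m0 + int_to_bytes(r) + int_to_bytes(s)) * m_reps


def generate(m0: bytes, salt: Optional[bytes] = None, reps: int = 1, m_reps: int = 1):
    """Return (d, Q, r, s, m): private key, public key and self-signed signature message.
    m0 is where a trusted authority's random contribution t goes (paragraph [0030])."""
    while True:
        k = secrets.randbelow(Q_ORDER - 1) + 1              # step 52/92: ephemeral private key
        R = pow(G, k, P)                                    # step 54/94: ephemeral public key
        r = convert_r(R, salt, reps)                        # step 56/96
        s = secrets.randbelow(Q_ORDER - 1) + 1              # step 58/98
        if r % Q_ORDER == 0:
            continue                                        # r must be invertible mod q
        m = build_message(m0, r, s, m_reps)                 # steps 60-62/100-102
        e = hash_to_int(m) % Q_ORDER                        # step 64/104
        d = (s * k - e) * pow(r, -1, Q_ORDER) % Q_ORDER     # step 66/106: d = (s k - e)/r mod n
        if d == 0:
            continue                                        # added check: a zero key is unusable
        return d, pow(G, d, P), r, s, m                     # step 68/108: Q = g^d (Q = dG)


def verify(m: bytes, r: int, s: int, Qpub: int,
           salt: Optional[bytes] = None, reps: int = 1) -> bool:
    """Verifier's side (paragraphs [0026] and [0043]): standard DSA verification, using the
    same salt and repetition count the generator used if r was salted."""
    if not (1 < Qpub < P and pow(Qpub, Q_ORDER, P) == 1):  # public key validation (PKV)
        return False
    if r % Q_ORDER == 0 or not 0 < s < Q_ORDER:
        return False
    e = hash_to_int(m) % Q_ORDER
    w = pow(s, -1, Q_ORDER)
    # R' = (1/s mod n)(eG + rQ) of the patent, written multiplicatively: g^(e/s) * Q^(r/s) mod p.
    # Since d = (s k - e)/r, this equals g^k = R exactly when (m, r, s, Q) were produced together.
    R_prime = pow(G, e * w % Q_ORDER, P) * pow(Qpub, r * w % Q_ORDER, P) % P
    return convert_r(R_prime, salt, reps) == r              # accept iff r' == r


if __name__ == "__main__":
    # Constructed pre-message: owner identity plus a stand-in for the authority's value t.
    m0 = b"owner=alice;t=" + secrets.token_bytes(16)
    d, Qpub, r, s, m = generate(m0, salt=b"alice-salt", reps=1000, m_reps=50)
    print("self-signed signature verifies:", verify(m, r, s, Qpub, salt=b"alice-salt", reps=1000))
    print("wrong salt is rejected:", not verify(m, r, s, Qpub, salt=b"bob-salt", reps=1000))
```

Anyone holding m, r, s and Q recomputes d with the same formula once k is guessed, which is why the salted r and the repeated m only raise the cost per guess and do not replace a properly random k.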

An Alternative to Using a Self-Signed Signature



[0046] In another embodiment (not covered by the claimed invention) shown in Figure 5, the correspondent performs a method for generating a hashed-exponentiation triple (m, R, Q) consisting of some message m, a seed, or ephemeral, public key R, and a public key Q. This is one alternative to using an ECDSA signature. For convenience, the method is described in terms of elliptic curve (EC) public keys. The method is shown generally by the numeral 110.

[0047] The correspondent first chooses an integer k in the range [0, n-1] at step 112. Then, the correspondent computes an elliptic curve point R = kG to be used as the seed public key at step 114. At step 116, a message digest f = SHA-1(m, R) in integer form is computed. Then, at step 118, the private key d = kf is computed, and at step 120 the public key Q = fR is computed.

[0048] Upon receipt of a hashed-exponentiation triple (m, R, Q), the recipient can verify the triple using the method shown in Figure 6 by the numeral 130. The verifier first computes the message digest f = SHA-1(m, R) in integer form at step 132. Then the verifier computes T = fR at step 134 and checks at step 136 that Q = T. When Q = T, the hashed-exponentiation triple is accepted by the verifier. Otherwise, it is rejected as invalid.

[0049] It is recognized that a hashed-exponentiation triple has similar properties to a self-signed signature and can function in similar ways.
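The hashed-exponentiation triple of Figures 5 and 6 in the same DSA-style setting, as an added example that is not part of the patent; p, q, g, the message and the function names are small constructed choices of this example, not real parameters.

```python
"""
Hashed-exponentiation triple (m, R, Q) of Figures 5 and 6, added as an illustration; not
the patent's own code.  Like the self-signed signature, it is shown here in the DSA-style
setting (subgroup of order q in Z_p^*), so R^f mod p stands in for the point product fR.
"""
import hashlib
import secrets

# Constructed toy parameters: q = 101 and p = 6*q + 1 = 607 are both prime, and g has order q.
P = 607
Q_ORDER = 101
G = next(g for g in (pow(h, (P - 1) // Q_ORDER, P) for h in range(2, P)) if g != 1)


def digest_f(m: bytes, R: int) -> int:
    """Steps 116 and 132: f = SHA-1(m, R) in integer form, the hash the patent names."""
    return int.from_bytes(hashlib.sha1(m + R.to_bytes(32, "big")).digest(), "big")


def generate_triple(m: bytes):
    """Steps 112-120.  Returns (d, R, Q): private key d = k f, seed public key R = g^k,
    public key Q = R^f = g^(k f), so Q is the public key belonging to d."""
    while True:
        k = secrets.randbelow(Q_ORDER - 1) + 1   # step 112: k in [1, n-1]
        R = pow(G, k, P)                          # step 114: seed public key R = kG
        f = digest_f(m, R)                        # step 116
        d = k * f % Q_ORDER                       # step 118: d = k f (mod n)
        if d != 0:                                # added check: f divisible by q would give d = 0
            return d, R, pow(R, f, P)             # step 120: Q = f R


def verify_triple(m: bytes, R: int, Qpub: int) -> bool:
    """Steps 132-136: recompute f, T = f R, accept only if Q == T.  A subgroup check on R
    is added in front, so a seed outside the order-q group is refused before any hashing."""
    if not (1 < R < P and pow(R, Q_ORDER, P) == 1):
        return False
    return pow(R, digest_f(m, R), P) == Qpub


if __name__ == "__main__":
    msg = b"constructed message: owner=alice"
    d, R, Qpub = generate_triple(msg)
    print("triple accepted:", verify_triple(msg, R, Qpub))
    print("Q matches g^d:", pow(G, d, P) == Qpub)
```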

Communications using Verifiable Key Generation



[0050] In a typical communication session in the system of Figure 1, a user of the system, or the correspondent 12, first initiates communication with the certification authority 14 to obtain the certificate 26. In this case, the correspondent 12 is referred to as the "subject" of the certification. Referring to Figure 7, the certification authority provides an input to the subject to provide randomness at step 152. The input provided by the certification authority may be a signature of the certification authority, for example. The subject generates a key pair at step 154 and forms a certificate request at step 156. The certificate request is signed by the subject using the subject's self-signed signature. The certificate request may be, for example, the signed public key of the subject, or simply the self-signed signature of the subject. The subject sends the certificate request and the public key to the certification authority for certification. The subject may also send some other information, such as the subject's name, together with the certificate request and the public key. Upon receipt of the certificate request and the public key (and possibly other information), the certification authority typically first confirms the identity of the subject at step 158. The CA then may verify the signature in the certificate request at step 160. The CA validates the public key at 162, which involves a set of tests to ensure that the public key is "valid". The CA then verifies generation of the key pair at step 164. The verification was described in detail above. If the public key passes each test that is performed, then the CA issues a certification at step 166. A certificate includes the digital signature of the CA on the information, which includes the subject's identity and public key.

[0051] If the issuing CA of a certificate does public key validation and verification of key generation, then the certificate helps assure another user of the certificate and its public key that the public key is valid, is not stolen, and has sufficient randomness. If the other user of the certificate does not fully trust the issuing CA, then the user may ask to see the additional information that allows the user to perform the public key validation and key generation verification directly.


Claims

1. A method of generating a private key (22) and a corresponding public key (24), the method comprising:

generating a digital signature, wherein generating said digital signature comprises:

selecting (52, 92) an ephemeral private key k, said ephemeral private key being a non-negative integer smaller than a prime number n;

computing (54, 94) an ephemeral public key from said ephemeral private key k, said ephemeral public key being a product of said ephemeral private key and an elliptic curve point G having a prime number as its order;

assigning (56, 96) an integer value corresponding to said ephemeral public key to a first integer r; and

selecting (58, 98) a second integer s, said second integer being a non-negative integer smaller than the prime number n, said first integer and said second integer forming said digital signature;

obtaining (60, 100) message data;

generating (62, 102) a self-signed signature message by combining said message data and said digital signature;

computing (64, 104) a message digest e from an integer hash value of said self-signed signature message;

computing (66, 106) said private key (22) using said self-signed signature message and said message digest; and

computing (68, 108) said corresponding public key (24) using said self-signed signature message and said message digest.


 
2. The method of claim 1, wherein the generation of said public key (24) is verifiable using said digital signature and said self-signed signature message.
 
3. The method of claim 1 or 2, further comprising:

receiving at least a portion of said message data from a trusted authority, wherein

said portion of said message data contains randomness.


 
4. The method of claim 3, further comprising:

sending (72) a request message to a certification authority (16), and

receiving (80) at least said portion of said message data from said certification authority (16) over a secure channel,

wherein at least said portion of said message data is generated (74) by said certification authority (16) from said request message and signed (76) with a private key of said certification authority (16).


 
5. The method of claim 1, wherein said digital signature, said private key (22), and said corresponding public key (24) are generated based on a DSA signature algorithm.
 
6. The method of claim 1, wherein said digital signature, said private key (22), and said corresponding public key (24) are generated based on an ECDSA signature algorithm.
 
7. The method of claim 1, wherein said assigning an integer value corresponding to said ephemeral public key to a first integer r comprises:

obtaining a salt value,

computing a hash value of a pre-determined number of repetitions of a catenation of said salt value and said ephemeral public key, and

assigning, as said first integer r, an integer value of said hash value.


 
8. The method of claim 1, wherein said ephemeral private key is selected at random.
 
9. The method of claim 1, wherein said private key (22) is represented by d and said corresponding public key (24) is represented by Q, and wherein computing said private key d and public key Q further comprises:

computing said private key d using a formula d = (s k-e)/r mod n; and

computing said public key Q using a formula Q = d G.


 
10. The method of claim 1, wherein said private key (22) is represented by d and said corresponding public key (24) is represented by Q, and wherein computing said private key d and public key Q further comprises:

computing said private key d using a formula d = (s k-e)/r mod n; and

computing said public key Q using a formula Q = (1/r mod n)(sR-eG).


 
11. A computer readable medium for storing a program executable on a processor, the program implementing a method of generating a private key (22) and public key (24), the program causing the processor to perform the method of any one of claims 1 to 10.
 
12. A cryptographic device (18) for performing cryptographic operations, the cryptographic device (18) configured to implement a method of generating a private key (22) and a corresponding public key (24), the cryptographic device (18) configured to perform the method of any one of claims 1 to 10.
 


Claims (German version)

1. Method for generating a private key (22) and a corresponding public key (24), the method comprising:
generating a digital signature, wherein generating the digital signature comprises:

selecting (52, 92) an ephemeral private key k, the ephemeral private key being a non-negative integer less than a prime number n;

computing (54, 94) an ephemeral public key from the ephemeral private key k, the ephemeral public key being a product of the ephemeral private key and an elliptic curve point G having a prime number as its order;

assigning (56, 96) an integer value corresponding to the ephemeral public key to a first integer r; and

selecting (58, 98) a second integer s, the second integer being a non-negative integer less than the prime number n, the first integer and the second integer forming the digital signature;

obtaining (60, 100) message data;

generating (62, 102) a self-signed signature message by combining the message data and the digital signature;

computing (64, 104) a message digest e from an integer hash value of the self-signed signature message;

computing (66, 106) the private key (22) using the self-signed signature message and the message digest; and

computing (68, 108) the corresponding public key (24) using the self-signed signature message and the message digest.

 
2. Method according to claim 1, wherein the generation of the public key (24) is verifiable using the digital signature and the self-signed signature message.
 
3. Method according to claim 1 or 2, further comprising:
receiving at least a portion of the message data from a trusted authority, wherein the portion of the message data contains randomness.
 
4. Method according to claim 3, further comprising:

sending (72) a request message to a certification authority (16), and

receiving (80) at least the portion of the message data over a secure channel from the certification authority (16),

wherein at least the portion of the message data is generated (74) by the certification authority (16) from the request message and signed (76) with a private key of the certification authority (16).

 
5. Method according to claim 1, wherein the digital signature, the private key (22) and the corresponding public key (24) are generated on the basis of a DSA signature algorithm.
 
6. Method according to claim 1, wherein the digital signature, the private key (22) and the corresponding public key (24) are generated on the basis of an ECDSA signature algorithm.
 
7. Method according to claim 1, wherein assigning an integer value corresponding to the ephemeral public key to a first integer r comprises:

obtaining a salt value,

computing a hash value of a predetermined number of repetitions of a concatenation of the salt value and the ephemeral public key, and

assigning an integer value of the hash value as the first integer r.

 
8. Method according to claim 1, wherein the ephemeral private key is selected randomly.
 
9. Method according to claim 1, wherein the private key (22) is represented by d and the corresponding public key (24) is represented by Q, and wherein computing the private key d and the public key Q further comprises:

computing the private key d using the formula d = (s k - e)/r mod n; and

computing the public key Q using the formula Q = d G.

 
10. Method according to claim 1, wherein the private key (22) is represented by d and the corresponding public key (24) is represented by Q, and wherein computing the private key d and the public key Q further comprises:

computing the private key d using the formula d = (s k - e)/r mod n; and

computing the public key Q using the formula Q = (1/r mod n)(sR - eG).

 
11. Computer-readable medium for storing a program executable on a processor, the program implementing a method for generating a private key (22) and a public key (24), the program causing the processor to perform the method according to any one of claims 1 to 10.
 
12. Cryptographic device (18) for performing cryptographic operations, the cryptographic device (18) being configured to implement a method for generating a private key (22) and a corresponding public key (24), the cryptographic device (18) being configured to perform the method according to any one of claims 1 to 10.
 


Claims (French version)

1. Method for generating a private key (22) and a corresponding public key (24), the method comprising:
generating a digital signature, wherein generating said digital signature comprises:

selecting (52, 92) an ephemeral private key k, said ephemeral private key being a non-negative integer less than a prime number n;

computing (54, 94) an ephemeral public key from said ephemeral private key k, said ephemeral public key being a product of said ephemeral private key and an elliptic curve point G having a prime number as its order;

assigning (56, 96) an integer value corresponding to said ephemeral public key to a first integer r; and

selecting (58, 98) a second integer s, said second integer being a non-negative integer less than the prime number n, said first integer and said second integer forming said digital signature;

obtaining (60, 100) message data;

generating (62, 102) a self-signed signature message by combining said message data and said digital signature;

computing (64, 104) a message digest e from an integer hash value of said self-signed signature message;

computing (66, 106) said private key (22) using said self-signed signature message and said message digest; and

computing (68, 108) said corresponding public key (24) using said self-signed signature message and said message digest.

 
2. Method according to claim 1, wherein the generation of said public key (24) is verifiable using said digital signature and said self-signed signature message.
 
3. Method according to claim 1 or 2, further comprising:
receiving at least a portion of said message data from a trusted authority, wherein said portion of said message data contains randomness.
 
4. Method according to claim 3, further comprising:

sending (72) a request message to a certification authority (16), and

receiving (80) at least said portion of said message data from said certification authority (16) over a secure channel,

wherein at least said portion of said message data is generated (74) by said certification authority (16) from said request message and signed (76) with a private key of said certification authority (16).

 
5. Method according to claim 1, wherein said digital signature, said private key (22) and said corresponding public key (24) are generated on the basis of a signature algorithm of the digital signature algorithm type, DSA.
 
6. Method according to claim 1, wherein said digital signature, said private key (22) and said corresponding public key (24) are generated on the basis of a signature algorithm of the elliptic curve digital signature algorithm type, ECDSA.
 
7. Method according to claim 1, wherein said assigning of an integer value corresponding to said ephemeral public key to a first integer r comprises:

obtaining a salt value,

computing a hash value of a predetermined number of repetitions of a concatenation of said salt value and said ephemeral public key, and

assigning, as said first integer r, an integer value of said hash value.

 
8. Method according to claim 1, wherein said ephemeral private key is selected at random.
 
9. Method according to claim 1, wherein said private key (22) is represented by d and said corresponding public key (24) is represented by Q, and wherein computing said private key d and said public key Q further comprises:

computing said private key d using the formula d = (s k - e)/r mod n; and

computing said public key Q using the formula Q = d G.

 
10. Method according to claim 1, wherein said private key (22) is represented by d and said corresponding public key (24) is represented by Q, and wherein computing said private key d and said public key Q further comprises:

computing said private key d using the formula d = (s k - e)/r mod n; and

computing said public key Q using the formula Q = (1/r mod n)(sR - eG).

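The key-generation procedure of claims 1, 9 and 10 (the same procedure as in the German claims above) carried through in working Python, as an added example that is not part of the patent: the key holder picks k and s, hashes the self-signed signature message to e and derives d by the claim 9 formula, while a verifier who knows only the message, (r, s) and the ephemeral public key R recovers Q by the claim 10 formula and confirms that (r, s) is an ordinary ECDSA signature under Q. The secp256k1 curve, SHA-256 and the byte layout msg||r||s of the self-signed message are assumptions, since the claims fix none of them.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime (assumed curve, a = 0, b = 7)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P   # doubling, a = 0
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def ec_mul(k, A):  # double-and-add scalar multiplication k*A
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def parse(signed_msg):
    """Split the assumed msg||r||s layout and compute claim 1's integer digest e."""
    r = int.from_bytes(signed_msg[-64:-32], "big")
    s = int.from_bytes(signed_msg[-32:], "big")
    e = int.from_bytes(hashlib.sha256(signed_msg).digest(), "big") % N
    return r, s, e

def self_signed_keygen(msg, k=None, s=None):
    """Claims 1 and 9, key holder's side: returns d, Q, the self-signed message and R."""
    k = k or 1 + secrets.randbelow(N - 1)           # ephemeral private key k < n
    R = ec_mul(k, G)                                 # ephemeral public key R = kG
    r = R[0] % N                                     # integer value of R, ECDSA-style
    s = s or 1 + secrets.randbelow(N - 1)            # second integer s, freely chosen
    signed_msg = msg + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    e = parse(signed_msg)[2]
    d = (s * k - e) * pow(r, -1, N) % N              # d = (s k - e)/r mod n
    return d, ec_mul(d, G), signed_msg, R            # Q = d G

def recover_public_key(signed_msg, R):
    """Claim 10, verifier's side: Q = (1/r mod n)(sR - eG) without knowing k or d."""
    r, s, e = parse(signed_msg)
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, R), ec_mul((N - e) % N, G)))

def ecdsa_verify(Q, signed_msg):
    """Claim 2 check: (r, s) must verify as a plain ECDSA signature on signed_msg under Q."""
    r, s, e = parse(signed_msg)
    w = pow(s, -1, N)
    X = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r
```

Because d = (s k - e)/r gives s k = e + r d, the ECDSA check recomputes exactly R, which is why a CA can confirm that the submitted public key was generated by this procedure without ever seeing k or d.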
 
11. Computer-readable medium for storing a program executable on a processor, the program implementing a method for generating a private key (22) and a public key (24), the program causing the processor to perform the method according to any one of claims 1 to 10.
 
12. Cryptographic device (18) for performing cryptographic operations, the cryptographic device (18) being configured to implement a method for generating a private key (22) and a corresponding public key (24), the cryptographic device (18) being configured to perform the method according to any one of claims 1 to 10.
 




Drawing

Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Non-patent literature cited in the description