WO1992014318A1 - Method, identification device and verification device for identification and/or performing digital signature - Google Patents


Info

Publication number
WO1992014318A1
Authority
WO
WIPO (PCT)
Application number
PCT/EP1992/000045
Other languages
French (fr)
Inventor
David Naccache
Original Assignee
Thomson Consumer Electronics S.A.
Related applications claiming priority from this application
JP3456993B2, DE69202699T2, AU648643B2, US5502764A, EP0570388B1

Classifications

    • G07F7/1008 (G07F7/00 > G07F7/08 > G07F7/10): Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • G06Q20/341 (G06Q20/00 > G06Q20/30 > G06Q20/34): Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G06Q20/40145 (G06Q20/00 > G06Q20/38 > G06Q20/40 > G06Q20/401 > G06Q20/4014): Biometric identity checks
    • H04L9/3218 (H04L9/00 > H04L9/32): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3247 (H04L9/00 > H04L9/32): Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures


Abstract

The present invention relates to a method, identification device and verification device for identification and/or performing digital signature which allows zero-knowledge access control. For many applications, e.g. smart cards for Pay-TV purposes, credit cards, passports, dongles or other kinds of electronic keys, unforgeable systems for access control or digital signature are required. Such access control and signature systems may include public keys, but in many such public key systems the key management becomes very complicated as the number of users increases. The invention uses the fact that it is difficult to compute roots mod n when the factoring of n is unknown. The invention is based on the identity x^d · (x^(-1))^d = 1 mod n, which is computed and verified between an identification device and a verification device. An authority records seed data, the modulus n, a pseudo-random function and a set of numbers derived from roots modulo n on an identifier device. The public key directory is replaced by a single transmission of seed data from the identifier to a verifier, which after proper processing yields both the identity information for the identifier and the public keys.

Description

Method, identification device and verification device for identification and/or performing digital signature
The present invention relates to a method, identification device and verification device for identification and/or performing digital signature which allows zero-knowledge access control.
Background
In access control systems roots modulo X are used, where X is a composite number having at least two large prime factors. There are such access control systems where the factoring of X is known to some users. One example is the algorithm due to Rabin which is disclosed in "Probabilistic Algorithms", in S. Traub Ed., "Algorithms and Complexity, New Directions and Recent Results", Academic Press, New York, 1976, 21-24.
Invention
It is one object of the invention to disclose a method for preparing identification and/or digital signature which allows zero-knowledge access control. This object is reached by the inventive method disclosed in claim 1.
It is a further object of the invention to disclose a method for performing identification and/or digital signature. This object is reached by, and advantageous additional embodiments of the inventive method result from, the respective dependent claims.
In principle the inventive method consists in computing data by an authority and recording them on an identification device U, comprising the following first steps:
- choosing and publishing a modulus X, a power d and a function H, whereby X is a product of at least two big prime numbers and H is a one-way pseudo-random function;
- computing a set {PK_1, ..., PK_k} of k small prime numbers PK_i such that each PK_i has a root modulo X;
- concatenating said small prime numbers PK_i with pattern data PN, especially a part of X, and with specific information data ID which contain information about said identification device U, and producing seed data SD such that
SD^d mod X = (PK_1 & ... & PK_k & PN & ID), whereby in case (PK_1 & ... & PK_k & PN & ID) has no d-th root either the order of the PK_i can be permuted until a root is found or a small arbitrary string J can be appended to (PK_1 & ... & PK_k & PN & ID) in such a way that (J & PK_1 & ... & PK_k & PN & ID) has a d-th root;
- recording on said identification device U (18) said seed data SD and/or said modulus X and/or said function H and/or a set {SK_1, ..., SK_k} of numbers SK_i which are defined by
SK_i^d · PK_i mod X = 1.
Thereafter in case of identification the following second steps (Fig. 2) are carried out in said identification device U (18) and/or in a verification device V (17):
a) U sends said seed data SD to V;
b) U picks h random numbers R_i in the range [√X, X], computes and sends a number Z defined by
Z = H(R_1^d mod X & ... & R_h^d mod X) to V;
c) V computes SD^d mod X, checks that said pattern data PN is valid, separates said small prime numbers PK_i which are inside SD^d mod X, picks a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k and sends them to U;
d) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X) and sends the set {RESP_1, ..., RESP_h} of said h values RESP_i to V;
e) V checks U's identity by verifying that
Z = H(&&(if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X);
and in case of performing digital signature of a message m the following second steps are carried out in said identification device U (18) and/or in a verification device V (17):
a) U sends said seed data SD to V;
b) V computes SD^d mod X, checks that said pattern data PN is valid and separates said small prime numbers PK_i which are inside SD^d mod X;
c) U picks h random numbers R_i in the range [√X, X], and computes a number Z defined by
Z = H(R_1^d mod X & ... & R_h^d mod X & m) and reads said number Z as a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k;
d) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X) and sends the set {Z, m, RESP_1, ..., RESP_h} to V;
e) V checks U's signature on m by verifying that
Z = H(&&(if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X & m).
It is a further object of the invention to disclose an identification device and a verification device, respectively, for the inventive method. This object is reached by the inventive identification device and verification device disclosed in claims 11 and 12, respectively.
In principle the inventive identification device contains first computation means (15), first memory means (16) which are connected to said first computation means and first data exchange means (14) which are connected to said first computation means, whereby said first memory means store said seed data SD, said modulus X, said function H and said set {SK_1, ..., SK_k} of numbers SK_i, and whereby said data exchange means send data to and receive data from said verification device (17).
In principle the inventive verification device contains second computation means (12), second memory means (11) which are connected to said second computation means and second data exchange means (13) which are connected to said second computation means, whereby said second memory means store said modulus X and said function H, whereby said data exchange means send data to and receive data from said identification device (18), and whereby said second computation means verify data received from said identification device.
Advantageous additional embodiments of the inventive identification device result from the respective dependent claim.
The inventive access control system makes it possible to create unforgeable identification devices which communicate with a verifier device, and it has many practical applications in Pay-TV, credit cards, dongles, passports, door keys, computers, terminals etc.
The algorithm is based on quadratic residuosity in a finite ring, i.e. on the difficulty of computing square (or higher) roots modulo X, where X is a composite number having at least two strong prime factors. These prime factors must satisfy the following conditions:
1) X = pq, where length(p) is approximately equal to length(q).
2) Both (p-1) and (q-1) contain large prime factors.
3) The greatest common divisor of (p-1) and (q-1) is small.
The main characteristics of the access control system are:
1) The algorithm is provably zero-knowledge.
2) An unlimited number of users (identification devices) can join the system without informing the verifiers or compromising the system's security.
3) Only the authority knows the factoring of X.
4) No modular exponentiations are required, only multiplications and squarings.
5) Attacks against one user do not compromise the security of the whole scheme.
Conventions all along this invention are:
1) "&" will stand for the concatenation operation.
2) "&&Expr_i" stands for "Expr_1 & Expr_2 & ... & Expr_h".
3) H is a cryptographically strong one-way pseudo-random hash function mapping w_1, w_2, ..., w_h to a long arbitrary string H(w_1 & w_2 & ... & w_h).
Any authorized identification device U, e.g. a smart-card, must be able to present a variety of k (typically in the range [8, 20]) roots to the verifier V. The verifier will randomly choose h (typically in the range [3, 10]) of these inverse roots, which will then be hidden by h random numbers (thereby ensuring the zero-knowledge property of the scheme, because computing roots modulo X is as hard as factoring X) and presented by the smart-card.
Before issuing smart-cards, the authority picks a set of small random primes denoted PK_1, PK_2, ..., PK_k that have roots modulo X, concatenates them with public pattern data PN (e.g. a part of X) and useful information (such as date of validity, name, rights etc., herein denoted ID), and computes the root modulo X of PK_1 & ... & PK_k & PN & ID (this root is denoted SD).
If PK_1 & ... & PK_k & PN & ID has no root, the order of the PK_i can be permuted until such a root value is found. The probability of not finding a good root decreases exponentially with the number of attempted permutations.
When SD is finally found, the authority records on said smart-card SD, X and the pseudo-random function H together with PK_1^(-1/2), ..., PK_k^(-1/2). From here on PK_i^(-1/2) will be denoted SK_i. The roots are taken modulo X.
When the identification device U wants to prove to a verifier V that it knows the SK_i without disclosing their values, the following protocol is carried out:
1) U sends seed data SD to V.
2) U picks h random numbers R_i in the range [√X, X], computes and sends
Z = H(R_1^2 mod X & ... & R_h^2 mod X) to V.
3) V computes SD^2 mod X, checks that the pattern data PN is valid, separates the PK_i (found inside SD^2 mod X), picks a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k and sends them to U.
4) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X) and sends the set {RESP_1, ..., RESP_h} to V.
5) V checks U's identity by verifying that
Z = H(&&(if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^2 mod X).
A digital signature of a message m is performed by the following protocol:
1) U sends seed data SD to V.
2) V computes SD^2 mod X, checks that said pattern data PN is valid and separates said small prime numbers PK_i which are inside SD^2 mod X.
3) U picks h random numbers R_i in the range [√X, X], and computes a number Z defined by
Z = H(R_1^2 mod X & ... & R_h^2 mod X & m) and reads said number Z as a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k.
4) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X) and sends the set {Z, m, RESP_1, ..., RESP_h} to V.
5) V checks U's signature on m by verifying that
Z = H(&&(if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^2 mod X & m).
Drawings
Preferred embodiments of the invention will now be described with reference to the accompanying drawings, in which:
Fig. 1 shows an identification device and a verification device;
Fig. 2 shows a first authentication protocol between the identification and the verification device;
Fig. 3 shows stored and computed data and a flow chart for the identification device;
Fig. 4 shows stored and computed data and a flow chart for the verification device.
Preferred embodiments
In Fig. 1 a verification device 17 and an identification device 18 are depicted. The identification device contains a first microprocessor 15, a first memory 16 which is connected to the first microprocessor 15 and a first connector 14 for data exchange with the verification device 17. The verification device 17 contains a second microprocessor 12, a second memory 11 which is connected to the second microprocessor 12 and a second connector 13 for data exchange with the identification device 18.
The first memory 16 stores seed data SD, a modulus X, a function H and a set {SK_1, ..., SK_k} of numbers SK_i. The first microprocessor 15 computes data as shown in Fig. 3. The first memory 16 may be used to store intermediate results. The data sent to and received from the identifier I/O interface of Fig. 3 pass the first connector 14.
The second memory 11 stores a modulus X and a function H. The second microprocessor 12 computes data as shown in Fig. 4. The second memory 11 may be used to store intermediate results. The data sent to and received from the verifier I/O interface of Fig. 4 pass the second connector 13.
Fig. 2 illustrates by way of a first protocol which data can be computed and exchanged between the identification device 18 and the verification device 17. The following steps are carried out in the identification device U 18 and in the verification device V 17:
U has sent seed data SD to V. V has computed SD^2 mod X, checked that the pattern data PN is valid and separated the small prime numbers PK_i which are inside SD^2 mod X.
U picks h random numbers R_i in the range [√X, X], computes and sends a number Z defined by Z = H(R_1^2 mod X & ... & R_h^2 mod X) to V. V picks a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k and sends them to U.
U computes h values RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X) and sends the set Y = {RESP_1, ..., RESP_h} of said h values RESP_i to V. V checks U's identity by comparing Z with the value of H(&&(if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^2 mod X). If these values are equal the claimed identity of U is accepted.
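The identification protocol (steps 1 to 5 above and the Fig. 2 walk-through) and the signature variant, worked through in Python as an added example; this is not the patent's own code. Everything beyond the page is an assumption: d = 2, H instantiated as SHA-256 over a fixed-width encoding of the "&" concatenation, each PK_i stored as two bytes and ID as eight bytes inside SD^2 mod X, the challenges c_i read from Z as its first h bytes reduced mod (k+1), and constructed toy primes P = 2^107-1 and Q = 2^127-1 (both 3 mod 4, so the authority can take square roots once it knows the factors).

```python
"""Toy model of the identification and signature protocols of WO1992014318A1 with d = 2.
Added illustration, not the patent's own code; all parameters are constructed and far too
small for real use.  Both Mersenne primes are 3 (mod 4), which keeps the authority's
square-root computation to one modular exponentiation per factor plus a CRT step.
"""
import hashlib
import random
from math import isqrt

P = 2**107 - 1                  # prime, = 3 mod 4 (constructed toy value)
Q = 2**127 - 1                  # prime, = 3 mod 4; gcd(P-1, Q-1) = 6, small as the page requires
X = P * Q                       # the published modulus
K, H_COUNT = 8, 4               # k small primes per card, h challenges per run
NBYTES = (X.bit_length() + 7) // 8
ID_LEN = 8                      # fixed-width ID field (assumed layout)
PN = (X >> (X.bit_length() - 16)).to_bytes(2, "big")   # pattern data PN: top 16 bits of X

def H(*parts):
    """The function H: SHA-256 over the '&' concatenation, ints encoded fixed-width (assumed)."""
    m = hashlib.sha256()
    for v in parts:
        m.update(v if isinstance(v, bytes) else v.to_bytes(NBYTES, "big"))
    return m.digest()

def has_sqrt(a):
    """Quadratic residuosity mod X by Euler's criterion on each factor (authority only)."""
    return pow(a, (P - 1) // 2, P) == 1 and pow(a, (Q - 1) // 2, Q) == 1

def sqrt_mod_x(a):
    """A square root of a mod X = P*Q: roots mod P and mod Q, then CRT (authority only)."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % X

def small_primes_with_roots(count):
    """First `count` odd primes PK_i that have a square root modulo X."""
    out, n = [], 3
    while len(out) < count:
        if all(n % f for f in range(2, isqrt(n) + 1)) and has_sqrt(n):
            out.append(n)
        n += 2
    return out

def authority_issue(id_bytes, rng=random):
    """Authority side: produce seed SD and the secret set {SK_1, ..., SK_k} for one card."""
    assert len(id_bytes) == ID_LEN
    pks = small_primes_with_roots(K)
    for _ in range(200):   # permute the PK order until PK_1 & ... & PK_k & PN & ID has a root
        rng.shuffle(pks)
        msg = int.from_bytes(b"".join(p.to_bytes(2, "big") for p in pks) + PN + id_bytes, "big")
        if has_sqrt(msg):
            break
    else:
        raise RuntimeError("no root found; the page's fallback is to append a string J")
    # SK_i = PK_i^(-1/2) mod X, i.e. SK_i^2 * PK_i = 1 (mod X)
    return sqrt_mod_x(msg), [pow(sqrt_mod_x(pk), -1, X) for pk in pks]

def verifier_open_seed(sd):
    """Verifier side: compute SD^2 mod X, check PN and separate the PK_i (no secret needed)."""
    v, n = pow(sd, 2, X), 2 * K + len(PN) + ID_LEN
    if v >> (8 * n) or v.to_bytes(n, "big")[2 * K:2 * K + 2] != PN:
        raise ValueError("pattern data PN invalid: seed was not issued by the authority")
    msg = v.to_bytes(n, "big")
    return [int.from_bytes(msg[2 * i:2 * i + 2], "big") for i in range(K)], msg[2 * K + 2:]

def response(r, c, sks):
    """RESP_i = R_i if c_i = 0, else R_i * SK_{c_i} mod X (c_i indexes the SK set from 1)."""
    return r if c == 0 else r * sks[c - 1] % X

def recombine(resp, c, pks):
    """(1 if c_i = 0 else PK_{c_i}) * RESP_i^2 mod X, which is R_i^2 mod X for an honest U."""
    return (1 if c == 0 else pks[c - 1]) * pow(resp, 2, X) % X

def challenges_from(z):
    """Read Z as h numbers c_i in [0, k]; the page leaves the exact reading open (assumed)."""
    return [z[i] % (K + 1) for i in range(H_COUNT)]

def identify(sd, sks, rng=random):
    """Interactive identification, steps 1 to 5 of the page; True if V accepts."""
    pks, _ = verifier_open_seed(sd)                                      # steps 1 and 3
    rs = [rng.randrange(isqrt(X), X) for _ in range(H_COUNT)]            # step 2
    z = H(*[pow(r, 2, X) for r in rs])
    cs = [rng.randrange(0, K + 1) for _ in range(H_COUNT)]               # step 3: V's challenge
    resps = [response(r, c, sks) for r, c in zip(rs, cs)]                # step 4
    return z == H(*[recombine(rp, c, pks) for rp, c in zip(resps, cs)])  # step 5

def sign(sd, sks, m, rng=random):
    """Signature variant: the challenge comes from Z = H(R_1^2 mod X & ... & m), not from V."""
    rs = [rng.randrange(isqrt(X), X) for _ in range(H_COUNT)]
    z = H(*[pow(r, 2, X) for r in rs], m)
    return sd, z, m, [response(r, c, sks) for r, c in zip(rs, challenges_from(z))]

def verify_signature(sd, z, m, resps):
    """V checks Z = H(&&(1 or PK_{c_i}) * RESP_i^2 mod X & m) with the c_i read from Z."""
    pks, _ = verifier_open_seed(sd)
    return z == H(*[recombine(rp, c, pks) for rp, c in zip(resps, challenges_from(z))], m)
```

Only the authority uses P and Q; the verifier works from X, H and the seed SD alone, which is the public-key-directory replacement the abstract describes.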
The pseudo-random function H can be replaced by a pseudo-random hash function H applied on an algebraic function P. In this case the number Z is defined by Z = H(P(R_1^2 & ... & R_h^2) mod X). For checking U's identity V computes h values {L_1, ..., L_h} defined by L_i = (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^2 mod X and verifies that Z = H(P(L_1, ..., L_h) mod X).
Fig. 3 shows which data are computed in the first microprocessor 15 and exchanged with the verification device. Fig. 4 shows which data are computed in the second microprocessor 12 and exchanged with the identification device.
A range [8, 20] is preferred for k.
A range [3, 10] is preferred for h.
Advantageously s has the value s = 2*h.
Advantageously the length of the numbers SK_i is at least 1 byte and at most 8 bytes.
The invention can be generalized in a variety of ways; the most evident are:
- The small prime numbers PK can be recorded in a public directory;
- Using third or higher roots instead of second powers;
- Using a modulus X which is the product of more than two big prime factors;
- Increasing the size of X. An advantageous value is 512 bits = 64 bytes;
- Replacing modulo X by any other finite field;
- Using other PK values obtained by the application of a random function on ID. For example a table of t small primes can be generated or recorded in the verification device and the t-th bit of f(ID) can be used to indicate PK_i (e.g. 0: this is not a public key, 1: this is a public key). Here f is a pseudo-random function. A range [8, 20] is preferred for t;
- The protocols can be repeated e times (e greater than 1) to increase the strength exponentially;
- Advantageously the pseudo-random function H can be replaced by a hash function applied on an algebraic function (e.g. a linear combination or a polynomial):
Z = H(P(R_1^d, ..., R_h^d) mod X).
This saves U h-1 modular reductions, whilst V will check that Z = H(P(R_1^d mod X, ..., R_h^d mod X) mod X).

Claims

1. Method for identification and/or performing digital signature, whereby data are computed by an authority and recorded on an identification device U (18), comprising the first steps of:
- choosing and publishing a modulus X, a power d and a function H, whereby X is a product of at least two big prime numbers and H is a one-way pseudo-random function;
- computing a set {PK_1, ..., PK_k} of k small prime numbers PK_i such that each PK_i has a root modulo X;
- concatenating said small prime numbers PK_i with pattern data PN, especially a part of X, and with specific information data ID which contain information about said identification device U, and producing seed data SD such that
SD^d mod X = (PK_1 & ... & PK_k & PN & ID), whereby in case (PK_1 & ... & PK_k & PN & ID) has no d-th root either the order of the PK_i can be permuted until a root is found or a small arbitrary string J can be appended to (PK_1 & ... & PK_k & PN & ID) in such a way that (J & PK_1 & ... & PK_k & PN & ID) has a d-th root;
- recording on said identification device U (18) said seed data SD and/or said modulus X and/or said function H and/or a set {SK_1, ..., SK_k} of numbers SK_i which are defined by SK_i^d · PK_i mod X = 1.
2. Method according to claim 1, characterized in that in case of identification the following second steps (Fig. 2) are carried out in said identification device U (18) and/or in a verification device V (17):
a) U sends said seed data SD to V;
b) U picks h random numbers R_i in the range [√X, X], computes and sends to V a number Z defined by
Z = H(R_1^d mod X & ... & R_h^d mod X);
c) V computes SD^d mod X, checks that said pattern data PN is valid, separates said small prime numbers PK_i which are inside SD^d mod X, picks a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k and sends them to U;
d) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X)
and sends the set {RESP_1, ..., RESP_h} of said h values RESP_i to V;
e) V checks U's identity by verifying that
Z = H(concatenation for i=1 to h of (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X).
3. Method according to claim 1, characterized in that in case of performing digital signature of a message m the following second steps are carried out in said identification device U (18) and/or in a verification device V (17):
a) U sends said seed data SD to V;
b) V computes SD^d mod X, checks that said pattern data PN is valid and separates said small prime numbers PK_i which are inside SD^d mod X;
c) U picks h random numbers R_i in the range [√X, X] and computes a number Z defined by
Z = H(R_1^d mod X & ... & R_h^d mod X & m)
and reads said number Z as a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k;
d) U computes h values
RESP_i = (if (c_i equal 0) then R_i else R_i · SK_{c_i} mod X)
and sends the set {Z, m, RESP_1, ..., RESP_h} to V;
e) V checks U's signature on m by verifying that
Z = H(concatenation for i=1 to h of (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X & m).
4. Method according to claim 2, characterized in that said pseudo-random function H is replaced by a pseudo-random hash function H applied to an algebraic function P and that steps b) and e) of said second steps are replaced by:
b) U picks h random numbers R_i in the range [√X, X], computes and sends to V a number Z defined by
Z = H(P(R_1^d, ..., R_h^d) mod X);
e) V computes h values {L_1, ..., L_h},
L_i = (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X,
and checks U's identity by verifying that Z = H(P(L_1, ..., L_h) mod X).
5. Method according to claim 1, characterized in that in case of identification the following second steps (Fig. 5) are carried out in said identification device U (18) and/or in a verification device V (17):
a) U sends said seed data SD to V;
b) U picks s ≥ h random numbers R_1, ..., R_s in the range [√X, X], computes and sends to V a number Z defined by
Z = H((R_1 · ... · R_s)^d mod X);
c) V computes SD^d mod X, checks that said pattern data PN is valid, separates said small prime numbers PK_i which are inside SD^d mod X, picks a set {c_1, ..., c_h} of h numbers c_i such that each 0 ≤ c_i ≤ k and sends them to U;
d) V picks and sends to U a set {v_1, ..., v_h} of h binary vectors v_i, whereby the length of each v_i is s bits and whereby
(if ((i not equal j) and (u-th bit of v_i equal '1')) then (u-th bit of v_j equal '0'))
and whereby at least one bit in each v_i is set to '1';
e) U computes h values {a_1, ..., a_h} whereby
a_i = (product for j=1 to s of (if (j-th bit of v_i equal '1') then R_j else 1));
f) U computes h values
RESP_i = (if (c_i equal 0) then a_i else a_i · SK_{c_i} mod X)
and sends the set {RESP_1, ..., RESP_h} of said h values RESP_i to V;
g) V checks U's identity by verifying that
Z = H(product for i=1 to h of (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X).
6. Method according to claim 3, characterized in that said pseudo-random function H is replaced by a pseudo-random hash function H applied to an algebraic function P and that steps c) and e) of said second steps are replaced by:
c) U picks h random numbers R_i in the range [√X, X], computes and sends to V a number Z defined by
Z = H((P(R_1^d, ..., R_h^d) mod X) & m);
e) V computes h values {L_1, ..., L_h},
L_i = (if (c_i equal 0) then 1 else PK_{c_i}) · RESP_i^d mod X,
and checks U's signature on m by verifying that Z = H((P(L_1, ..., L_h) mod X) & m).
7. Method according to any of claims 1 to 6, characterized in that said small prime numbers PK_i are a random function of said information data ID, especially by making a table of t small prime numbers in said verification device V and using the t-th bit of f(ID) to indicate PK_i, whereby f is a second pseudo-random function.
8. Method according to any of claims 1 to 7, characterized in that said small prime numbers PK_i are recorded in a public directory known to said verification device V.
9. Method according to any of claims 1 to 8, characterized in that X is about 64 bytes long and/or 3 ≤ h ≤ 10 and/or s = 2·h and/or 8 ≤ k ≤ 20 and/or 8 ≤ t ≤ 20 and/or that the length of said numbers SK_i is greater than or equal to 1 byte and less than or equal to 8 bytes.
10. Method according to any of claims 2 to 9, characterized in that said second steps are repeated e > 1 times.
11. Identification device U (18) which uses a method according to any of claims 1 to 10, containing first computation means (15), first memory means (16) which are connected to said first computation means and first data exchange means (14) which are connected to said first computation means, whereby said first memory means store said seed data SD, said modulus X, said function H and said set {SK_1, ..., SK_k} of numbers SK_i and whereby said data exchange means send data to and receive data from said verification device V (17).
12. Verification device V (17) which uses a method according to any of claims 1 to 11, containing second computation means (12), second memory means (11) which are connected to said second computation means and second data exchange means (13) which are connected to said second computation means, whereby said second memory means store said modulus X and said function H and whereby said data exchange means send data to and receive data from said identification device U (18) and whereby said second computation means verify data received from said identification device U (18).
13. Identification device according to claim 11, characterized in that said identification device U (18) is a smart-card or a computer or a terminal or a credit-card or a dongle or a passport or a door-key.
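The following is an added, runnable toy model of claims 1 to 3 (enrolment by the authority, the interactive identification of claim 2 and the signature of claim 3); it is not code from the patent. Everything the claims leave open is an assumption made here: one process plays the authority, U and V; H is SHA-256 over fixed-width big-endian fields; PK_i are encoded as 2-byte fields, PN as the first two bytes of X, ID as a 6-byte field and J as one leading byte; the c_i of claim 3 are read from successive bytes of Z; X is the product of two well-known Mersenne primes and d = 2, so X is a Blum integer and only a quarter of the residues have a d-th root, which makes the "append J" fallback of claim 1 actually run. The P variant (claims 4 and 6) and the vector variant (claim 5) are not modelled.

```python
"""Toy model of claims 1 to 3 above.  Added example, not the patent's code:
one process plays authority, U and V; H is SHA-256 over fixed-width fields;
d = 2 with X a Blum integer, so only a quarter of all residues have a d-th
root and the 'append J' fallback of claim 1 is really exercised."""
import hashlib
import hmac
import secrets
from math import isqrt

# Authority's secret factors: two well-known Mersenne primes, both 3 (mod 4).
# Fine for a demonstration, worthless for security (X factors instantly).
P, Q = (1 << 89) - 1, (1 << 127) - 1
X, D = P * Q, 2                             # public modulus (216 bits), power d
K, H_ROUNDS = 8, 5                          # k small primes, h rounds per run
XBYTES = (X.bit_length() + 7) // 8
PN = X.to_bytes(XBYTES, "big")[:2]          # pattern data: a part of X
ID_LEN = 6                                  # layout choice: 6-byte ID field
LAYOUT = 1 + 2 * K + 2 + ID_LEN             # bytes of (J & PK_1..PK_k & PN & ID)
SMALL_PRIMES = [p for p in range(3, 1024, 2)
                if all(p % q for q in range(3, isqrt(p) + 1, 2))]

def H(*parts):                              # the public one-way function H
    return hashlib.sha256(b"".join(parts)).digest()

def enc(n):                                 # fixed-width residue, so '&' is unambiguous
    return n.to_bytes(XBYTES, "big")

def dth_root(a):
    """Authority only (needs P, Q): a square root of a mod X, or None if a is
    not a quadratic residue.  P, Q = 3 (mod 4) make the root a^((p+1)/4)."""
    if pow(a, (P - 1) // 2, P) != 1 or pow(a, (Q - 1) // 2, Q) != 1:
        return None
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % X   # CRT

def enrol(identity):
    """Claim 1 (authority): k small primes PK_i with a d-th root, SK_i with
    SK_i^d * PK_i = 1 (mod X), and SD with SD^d = (J & PK_1..PK_k & PN & ID)."""
    assert len(identity) == ID_LEN
    pks = [p for p in SMALL_PRIMES if dth_root(p) is not None][:K]
    assert len(pks) == K, "need k small primes with a d-th root"
    sks = [dth_root(pow(p, -1, X)) for p in pks]      # PK^-1 has a root iff PK has
    body = b"".join(p.to_bytes(2, "big") for p in pks) + PN + identity
    for j in range(256):                                # append J until a root exists
        sd = dth_root(int.from_bytes(bytes([j]) + body, "big"))
        if sd is not None:
            return sd, sks
    raise RuntimeError("no J in 0..255 gives a d-th root")

def challenge_from_z(z, h):
    """Claim 3: read c_1..c_h (each in 0..k) out of Z, one byte of Z per c_i."""
    return [z[i] % (K + 1) for i in range(h)]

class Prover:
    """Identification device U: holds SD and the secrets SK_i."""
    def __init__(self, sd, sks):
        self.sd, self.sks, self._r = sd, sks, []

    def commit(self, h=H_ROUNDS, m=b""):
        """Claim 2 b) (m empty) / 3 c): Z = H(R_1^d mod X & .. & R_h^d mod X & m)."""
        lo = isqrt(X)                                   # R_i in [sqrt(X), X)
        self._r = [lo + secrets.randbelow(X - lo) for _ in range(h)]
        return H(*(enc(pow(r, D, X)) for r in self._r), m)

    def respond(self, c):
        """Claim 2 d): RESP_i = R_i if c_i == 0 else R_i * SK_{c_i} mod X."""
        return [r if ci == 0 else r * self.sks[ci - 1] % X for r, ci in zip(self._r, c)]

    def sign(self, m, h=H_ROUNDS):
        """Claim 3: the challenge is read out of Z itself, so no interaction."""
        z = self.commit(h, m)
        return z, self.respond(challenge_from_z(z, h))

def open_seed(sd):
    """V, claim 2 c) / 3 b): SD^d mod X must show PN; the PK_i and ID are read
    straight out of it, so V needs no directory and no certificate."""
    val = pow(sd, D, X)
    if val.bit_length() > 8 * LAYOUT or val.to_bytes(LAYOUT, "big")[1 + 2 * K:3 + 2 * K] != PN:
        raise ValueError("pattern data PN is invalid: SD was not issued for this X")
    raw = val.to_bytes(LAYOUT, "big")
    return [int.from_bytes(raw[1 + 2 * i:3 + 2 * i], "big") for i in range(K)], raw[3 + 2 * K:]

def check(pks, z, c, resp, m=b""):
    """V, claim 2 e) / 3 e): Z == H(&& PK_{c_i} * RESP_i^d mod X & m); this holds
    for an honest U because PK_{c_i} * (R_i * SK_{c_i})^d = R_i^d (mod X)."""
    parts = [enc((1 if ci == 0 else pks[ci - 1]) * pow(ri, D, X) % X) for ci, ri in zip(c, resp)]
    return hmac.compare_digest(z, H(*parts, m))

def identify(u, h=H_ROUNDS):
    """One run of claim 2.  A prover who has to guess the c_i in advance passes with
    probability (1/(k+1))^h; claim 10 repeats the run e times to shrink that."""
    pks, _ = open_seed(u.sd)                            # a) U sends SD
    z = u.commit(h)                                     # b)
    c = [secrets.randbelow(K + 1) for _ in range(h)]    # c) V's challenge
    return check(pks, z, c, u.respond(c))               # d), e)

def verify_signature(sd, m, sig):
    """V, claim 3 e): check (SD, m, Z, RESP_1..RESP_h) with c_i recovered from Z."""
    z, resp = sig
    return check(open_seed(sd)[0], z, challenge_from_z(z, len(resp)), resp, m)
```

Correctness of V's check is the identity PK_{c_i} · RESP_i^d = PK_{c_i} · SK_{c_i}^d · R_i^d = R_i^d (mod X), which is exactly the defining relation SK_i^d · PK_i = 1 of claim 1; the only public material V needs besides X, d and H is SD, because the PK_i travel inside SD^d mod X. Two things the toy makes visible: a round with c_i = 0 is satisfied by anyone who knows SD, so only rounds with c_i ≠ 0 carry evidence of the SK_i, and the parameters (a 216-bit X built from Mersenne primes, d = 2, primes below 1024) are chosen for readability, not for the 64-byte X of claim 9.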
PCT/EP1992/000045 1991-01-11 1992-01-11 Method, identification device and verification device for identification and/or performing digital signature WO1992014318A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP50246092A JP3456993B2 (en) 1991-02-07 1992-01-11 Method and identification device and verification device for performing identification and / or digital signature
DE69202699T DE69202699T2 (en) 1991-02-07 1992-01-11 Process, identification and verification device for the identification and / or execution of digital signatures.
AU11592/92A AU648643B2 (en) 1991-02-07 1992-01-11 Method, identification device and verification device for identification and/or performing digital signature
US08/094,058 US5502764A (en) 1991-01-11 1992-01-11 Method, identification device and verification device for identificaiton and/or performing digital signature
EP92902236A EP0570388B1 (en) 1991-02-07 1992-01-11 Method, identification device and verification device for identification and/or performing digital signature

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP91400301 1991-02-07
EP91400301.7 1991-02-07

Publications (1)

Publication Number Publication Date
WO1992014318A1 true WO1992014318A1 (en) 1992-08-20

Family

ID=8208540

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1992/000045 WO1992014318A1 (en) 1991-01-11 1992-01-11 Method, identification device and verification device for identification and/or performing digital signature

Country Status (7)

Country Link
US (1) US5502764A (en)
EP (2) EP0502559A3 (en)
JP (1) JP3456993B2 (en)
AU (1) AU648643B2 (en)
CA (1) CA2101322A1 (en)
DE (1) DE69202699T2 (en)
WO (1) WO1992014318A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5625693A (en) * 1995-07-07 1997-04-29 Thomson Consumer Electronics, Inc. Apparatus and method for authenticating transmitting applications in an interactive TV system
US5627893A (en) * 1992-12-22 1997-05-06 Telstra Corporation Limited Cryptographic method

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6266771B1 (en) 1997-02-10 2001-07-24 The Regents Of The University Of California Probabilistic signature scheme
FR2763451B1 (en) * 1997-05-13 1999-06-18 France Telecom PUBLIC KEY IDENTIFICATION METHOD USING TWO HASH FUNCTIONS
US6085976A (en) 1998-05-22 2000-07-11 Sehr; Richard P. Travel system and methods utilizing multi-application passenger cards
US6212637B1 (en) * 1997-07-04 2001-04-03 Nippon Telegraph And Telephone Corporation Method and apparatus for en-bloc verification of plural digital signatures and recording medium with the method recorded thereon
US6757826B1 (en) 1998-04-14 2004-06-29 Citicorp Development Center, Inc. Digital graphic signature system
RU2153191C2 (en) 1998-09-29 2000-07-20 Закрытое акционерное общество "Алкорсофт" Method for blind production of digital rsa signature and device which implements said method
RU2157001C2 (en) 1998-11-25 2000-09-27 Закрытое акционерное общество "Алкорсофт" Method for conducting transactions
US6732113B1 (en) * 1999-09-20 2004-05-04 Verispan, L.L.C. System and method for generating de-identified health care data
JP2003510694A (en) 1999-09-20 2003-03-18 クインタイルズ トランスナショナル コーポレイション System and method for analyzing anonymized health care information
US6876991B1 (en) 1999-11-08 2005-04-05 Collaborative Decision Platforms, Llc. System, method and computer program product for a collaborative decision platform
US6857067B2 (en) * 2000-09-01 2005-02-15 Martin S. Edelman System and method for preventing unauthorized access to electronic data
US7194618B1 (en) 2001-03-05 2007-03-20 Suominen Edwin A Encryption and authentication systems and methods
FR2822002B1 (en) * 2001-03-12 2003-06-06 France Telecom CRYPTOGRAPHIC AUTHENTICATION BY EPHEMER MODULES
US7079986B2 (en) * 2003-12-31 2006-07-18 Sieracki Jeffrey M Greedy adaptive signature discrimination system and method
US8271200B2 (en) * 2003-12-31 2012-09-18 Sieracki Jeffrey M System and method for acoustic signature extraction, detection, discrimination, and localization
US8478539B2 (en) * 2003-12-31 2013-07-02 Jeffrey M. Sieracki System and method for neurological activity signature determination, discrimination, and detection
US9355273B2 (en) * 2006-12-18 2016-05-31 Bank Of America, N.A., As Collateral Agent System and method for the protection and de-identification of health care data
KR101273465B1 (en) * 2007-03-16 2013-06-14 재단법인서울대학교산학협력재단 Apparatus for batch verification and method using the same
US20090106331A1 (en) * 2007-10-22 2009-04-23 General Electric Company Dynamic two-stage clinical data archiving and retrieval solution
US20100114607A1 (en) * 2008-11-04 2010-05-06 Sdi Health Llc Method and system for providing reports and segmentation of physician activities
JPWO2010067820A1 (en) * 2008-12-11 2012-05-24 日本電気株式会社 Zero knowledge proof system, zero knowledge proof device, zero knowledge verification device, zero knowledge proof method and program thereof
US9141758B2 (en) * 2009-02-20 2015-09-22 Ims Health Incorporated System and method for encrypting provider identifiers on medical service claim transactions
US8805083B1 (en) 2010-03-21 2014-08-12 Jeffrey M. Sieracki System and method for discriminating constituents of image by complex spectral signature extraction
US9691395B1 (en) 2011-12-31 2017-06-27 Reality Analytics, Inc. System and method for taxonomically distinguishing unconstrained signal data segments
US9886945B1 (en) 2011-07-03 2018-02-06 Reality Analytics, Inc. System and method for taxonomically distinguishing sample data captured from biota sources
US9558762B1 (en) 2011-07-03 2017-01-31 Reality Analytics, Inc. System and method for distinguishing source from unconstrained acoustic signals emitted thereby in context agnostic manner
US11900674B2 (en) 2021-07-08 2024-02-13 Bank Of America Corporation System for real-time identification of unauthorized access

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0311470A1 (en) * 1987-09-07 1989-04-12 France Telecom Methods and systems to authenticate authorizations and messages with a zero knowledge-proof system and to provide messages with a signature
EP0325238A2 (en) * 1988-01-19 1989-07-26 Yeda Research And Development Company Limited Improved variants of the Fiat-Shamir identification and signature scheme

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5140634A (en) * 1987-09-07 1992-08-18 U.S Philips Corporation Method and apparatus for authenticating accreditations and for authenticating and signing messages
US5218637A (en) * 1987-09-07 1993-06-08 L'etat Francais Represente Par Le Ministre Des Postes, Des Telecommunications Et De L'espace Method of transferring a secret, by the exchange of two certificates between two microcomputers which establish reciprocal authorization

Also Published As

Publication number Publication date
DE69202699T2 (en) 1996-01-18
EP0502559A2 (en) 1992-09-09
AU1159292A (en) 1992-09-07
US5502764A (en) 1996-03-26
AU648643B2 (en) 1994-04-28
EP0570388A1 (en) 1993-11-24
CA2101322A1 (en) 1992-08-08
EP0502559A3 (en) 1992-10-14
JP3456993B2 (en) 2003-10-14
EP0570388B1 (en) 1995-05-24
JPH06505343A (en) 1994-06-16
DE69202699D1 (en) 1995-06-29

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AU BB BG BR CA CS FI HU JP KP KR LK MG MN MW NO PL RO RU SD US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE BF BJ CF CG CH CI CM DE DK ES FR GA GB GN GR IT LU MC ML MR NL SE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2101322

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 1992902236

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1992902236

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 08094058

Country of ref document: US

WWG Wipo information: grant in national office

Ref document number: 1992902236

Country of ref document: EP