
A cryptosystem utilizes the properties of discrete logs in finite groups, either in a public key message exchange or in a key exchange and generation protocol. If the group selected has subgroups of relatively small order, the message may be exponentiated by a factor of the order of the group to place the message in a subgroup of relatively small order. To inhibit such substitution, the base or generator of the cryptosystem is chosen to be a generator of a subgroup of prime order or a subgroup of an order having a number of relatively small divisors. The message may be exponentiated to each of the relatively small divisors and the result checked for the group identity. If the group identity is found, it indicates a vulnerability to substitution and the message is rejected.
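The substitution the abstract describes, and the two receiver-side checks the claims recite (raising the received value to each small divisor of the group order and looking for the identity, as in claims 7, 28 and 29; raising it to q/r for every prime r dividing q, as in claim 30), are shown below in Python. This is an added example, not text or code from the patent. The group Z_p^* with p = 2 * 7 * 107 + 1 = 1499, the private exponents 23 and 71, and all function names are constructed for illustration; the parameters are toy-sized so the attacker's brute force is visible and are in no way realistic.

```python
"""
Small-subgroup confinement against a toy Diffie-Hellman exchange in Z_p^*,
and the receiver-side checks that defeat it.

Constructed parameters (assumption, illustration only): p = 2 * 7 * 107 + 1 = 1499,
so Z_p^* has order p - 1 = 2 * 7 * 107. The honest generator g lives in the
subgroup S of prime order q = 107; the attacker substitutes an element of order 7.
"""

SMALL = 7               # order of the tiny subgroup the attacker will use
Q = 107                 # prime order of the honest subgroup S
P = 2 * SMALL * Q + 1   # 1499, prime; group order p - 1 = 2 * 7 * 107


def is_prime(n: int) -> bool:
    """Trial division; adequate for toy-sized parameters only."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def prime_factors(n: int) -> list[int]:
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def element_of_order(d: int, p: int) -> int:
    """Return an element of Z_p^* of exact order d, for a prime d dividing p - 1."""
    cofactor = (p - 1) // d
    for h in range(2, p):
        g = pow(h, cofactor, p)
        if g != 1:  # g^d = h^(p-1) = 1 and d is prime, so the order is exactly d
            return g
    raise ValueError("no element of that order")


def in_small_subgroup(x: int, p: int, bound: int) -> bool:
    """Divisor check (claims 7, 28, 29): raise x to each divisor t <= bound of the
    group order; x^t == 1 means x lies in a subgroup of at most `bound` elements."""
    order = p - 1
    return any(order % t == 0 and pow(x, t, p) == 1 for t in range(1, bound + 1))


def generates_subgroup(x: int, p: int, q: int) -> bool:
    """Generator check (claim 30): x generates the order-q subgroup iff
    x^q == 1 and x^(q/r) != 1 for every prime r dividing q."""
    if pow(x, q, p) != 1:
        return False
    return all(pow(x, q // r, p) != 1 for r in prime_factors(q))


def validate_public_value(x: int, p: int, q: int) -> bool:
    """Receiver-side acceptance rule: 1 < x < p - 1 and x generates S (order q)."""
    return 1 < x < p - 1 and generates_subgroup(x, p, q)


def confinement_attack(p: int, small: int, y: int) -> tuple[int, int, int]:
    """Attacker replaces Alice's public value with h of order `small`. Bob's key
    h^y then lies in a subgroup of `small` elements, so the attacker recovers it
    (and y mod small) by enumerating h^0 .. h^(small-1)."""
    h = element_of_order(small, p)
    k_bob = pow(h, y, p)
    recovered = next(i for i in range(small) if pow(h, i, p) == k_bob)
    return h, k_bob, recovered


def honest_exchange(p: int, q: int, x: int, y: int) -> tuple[int, int]:
    """Alice and Bob exchange g^x and g^y, each validating what they receive."""
    g = element_of_order(q, p)
    a_pub, b_pub = pow(g, x, p), pow(g, y, p)
    if not (validate_public_value(a_pub, p, q) and validate_public_value(b_pub, p, q)):
        raise ValueError("public value rejected")
    return pow(b_pub, x, p), pow(a_pub, y, p)


if __name__ == "__main__":
    assert is_prime(P) and is_prime(Q)
    ka, kb = honest_exchange(P, Q, x=23, y=71)
    print("honest shared key:", ka, kb)
    h, k_bob, rec = confinement_attack(P, SMALL, y=71)
    print(f"order-{SMALL} element {h}: Bob's key {k_bob}, attacker learns y mod {SMALL} = {rec}")
    print("divisor check rejects it:", in_small_subgroup(h, P, 100),
          "| generator check rejects it:", not validate_public_value(h, P, Q))
```

With several small prime factors in p - 1 the attacker repeats the substitution once per small factor and combines the residues of y by the Chinese remainder theorem, which is why the claims prefer p - 1 = 2q or 2qq' with q, q' large; when q is prime, the generator check reduces to x^q == 1 with x != 1, which is the form practitioners use today.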

Inventors: Scott A. Vanstone, Alfred John Menezes, Minghua Qu
Original Assignee: Certicom Corp.
Primary Examiner: Gail Hayes
Secondary Examiner: Hosuk Song
Attorney: The Maxham Firm
Current U.S. Classification: 380/30; 380/28; 380/285
International Classification: H04L 9/00


Citations

Cited Patent | Filing date | Issue date | Original Assignee | Title
US4351982 | Dec 15, 1980 | Sep 28, 1982 | Racal-Milgo, Inc. | RSA Public-key data encryption system having large random prime number generating microprocessor or the like
US4405829 | Dec 14, 1977 | Sep 20, 1983 | Massachusetts Institute of Technology | Cryptographic communications system and method
US4633036 | May 31, 1984 | Dec 30, 1986 | Martin E. Hellman | Method and apparatus for use in public-key data encryption system
US4956863 | Apr 17, 1989 | Sep 11, 1990 | TRW Inc. | Cryptographic method and apparatus for public key exchange with authentication
US5150411 | Jan 16, 1991 | Sep 22, 1992 | Omnisec | Cryptographic system allowing encrypted communication between users with a secure mutual cipher key determined without user interaction
US5159632 | Sep 17, 1991 | Oct 27, 1992 | NeXT Computer, Inc. | Method and apparatus for public key exchange in a cryptographic system
US5271061 | Oct 2, 1992 | Dec 14, 1993 | NeXT Computer, Inc. | Method and apparatus for public key exchange in a cryptographic system
US5272755 | Jun 26, 1992 | Dec 21, 1993 | Matsushita Electric Industrial Co., Ltd. | Public key cryptosystem with an elliptic curve
US5299263 | Mar 4, 1993 | Mar 29, 1994 | Bell Communications Research, Inc. | Two-way public key authentication and key agreement for low-cost terminals
US5442707 | Sep 27, 1993 | Aug 15, 1995 | Matsushita Electric Industrial Co., Ltd. | Method for generating and verifying electronic signatures and privacy communication using elliptic curves
US5463690 | Dec 14, 1993 | Oct 31, 1995 | Next Computer, Inc. | Method and apparatus for public key exchange in a cryptographic system
US5497423 | Jun 20, 1994 | Mar 5, 1996 | Matsushita Electric Industrial Co., Ltd. | Method of implementing elliptic curve cryptosystems in digital signatures or verification and privacy communication
US5581616 | Jun 7, 1995 | Dec 3, 1996 | NeXT Software, Inc. | Method and apparatus for digital signature authentication
US5600725 | Aug 17, 1994 | Feb 4, 1997 | R3 Security Engineering AG | Digital signature method and key agreement method
US5625692 | Jan 23, 1995 | Apr 29, 1997 | International Business Machines Corporation | Method and system for a public key cryptosystem having proactive, robust, and recoverable distributed threshold secret sharing
US5724425 | Jun 10, 1994 | Mar 3, 1998 | Sun Microsystems, Inc. | Method and apparatus for enhancing software security and distributing software
US5761305 | May 17, 1995 | Jun 2, 1998 | Certicom Corporation | Key agreement and transport protocol with implicit signatures
US5768388 | Mar 21, 1996 | Jun 16, 1998 | | Time delayed key escrow
US5987131 | Aug 18, 1997 | Nov 16, 1999 | PictureTel Corporation | Cryptographic key exchange using pre-computation

Referenced by

Citing Patent | Filing date | Issue date | Original Assignee | Title
US7457010 | May 29, 2003 | Nov 25, 2008 | Hewlett-Packard Development Company, L.P. | System and method for fast scanning
US7511848 | Nov 30, 2004 | Mar 31, 2009 | Microsoft Corporation | Method and system for configuring an electronic device
US7546357 | Mar 23, 2004 | Jun 9, 2009 | Microsoft Corporation | Configuring network settings using portable storage media
US7616588 | Mar 31, 2005 | Nov 10, 2009 | Microsoft Corporation | Simplified creation and termination of an ad hoc wireless network with internet connection sharing
US7657612 | Mar 23, 2004 | Feb 2, 2010 | Microsoft Corporation | XML schema for network device configuration
US7680270 | Oct 20, 2003 | Mar 16, 2010 | The Additional Director (IPR), Defence Research & Development Organisation | System for elliptic curve encryption using multiple points on an elliptic curve derived from scalar multiplication
US7710587 | Oct 18, 2004 | May 4, 2010 | Microsoft Corporation | Method and system for configuring an electronic device
US7769995 | Nov 30, 2004 | Aug 3, 2010 | Microsoft Corporation | System and method for providing secure network access
US7774437 | Nov 30, 2004 | Aug 10, 2010 | Microsoft Corporation | Configurable multi-connector storage device
US7826833 | Feb 17, 2005 | Nov 2, 2010 | | Channel assay for thin client device wireless provisioning
US8145735 | Apr 18, 2011 | Mar 27, 2012 | Microsoft Corporation | Configuring network settings using portable storage media
US8229113 | Jul 13, 2009 | Jul 24, 2012 | Certicom Corp. | Strengthened public key protocol

Claims

1. A method of determining the integrity of a message exchanged between a pair of correspondents, said message being secured by embodying said message in a function of x where is an element of a finite group S of order q, said method comprising the steps of at least one of the correspondents receiving public information x where x is an integer selected by another of said correspondents, determining whether said public information x lies within a subgroup of S having less than a predetermined number of elements and rejecting messages utilizing said public information if said public information lies within such a subgroup.

2. A method according to claim 1 wherein said order q is a prime number.

3. A method according to claim 2 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

4. A method according to claim 1 wherein said group is a multiplicative group Z_p^* of integers mod p where p is a prime.

5. A method according to claim 4 wherein said modulus p is of the form 2r+1 and r is a prime.

6. A method according to claim 4 wherein said modulus p is of the form nrr'+1 and r and r' are relatively large primes.

7. A method according to claim 4 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

8. A method according to claim 4 wherein said group S is a subgroup of a group G of order n.

9. A method according to claim 4 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

10. A method according to claim 9 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

11. A method according to claim 4 wherein said modulus p is of the form 2rr'+1 and r and r' are prime.

12. A method according to claim 4 wherein said group G is an elliptic curve group over a finite field F_{2^m}.

13. A method according to claim 12 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

14. A method according to claim 13 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

15. A method according to claim 14 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

16. A method according to claim 1 wherein said group is a multiplicative group of a finite field.

17. A method according to claim 1 wherein said group is an elliptic curve group over a finite field.

18. A method according to claim 17 wherein said group S is a subgroup of a group G of order n.

19. A method according to claim 17 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

20. A method according to claim 1 wherein said group is over a finite field F_{2^m}.

21. A method according to claim 20 wherein said group is an elliptic curve group.

22. A method according to claim 21 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

23. A method according to claim 21 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

24. A method according to claim 23 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

25. A method according to claim 19 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

26. A method according to claim 1 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

27. A method according to claim 26 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

28. A method according to claim 1 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

29. A method according to claim 28 wherein a plurality of values of t are utilized and each resultant value compared to the group identity.

30. A method according to claim 1 wherein said determination includes the step of operating on said message by an operator q/p where q is the order of the group S and p ranges over all prime divisors of q.

31. A method according to claim 1 wherein said group is over a finite field.

32. A method of determining the integrity of a message exchanged between a pair of correspondents, said message being secured by embodying said message in a function of x where is an element of a finite group S of order q and said group S is a subgroup of a finite group G of order n, said method comprising the steps of at least one of the correspondents receiving public information x where x is an integer selected by another of said correspondents, determining whether said public information x lies within a subgroup S of G having less than a predetermined number of elements and rejecting messages utilizing said public information if said public information lies within such a subgroup.

33. A method according to claim 32 wherein q is a prime number.

34. A method according to claim 33 wherein said determination is made by operating on said message by an operator n/p where p ranges over all prime divisors of n.

35. A method according to claim 34 wherein said operation includes exponentiation of said message and said determination is made by examination for a group identity.

36. A method according to claim 33 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

37. A method according to claim 33 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

38. A method according to claim 37 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

39. A method according to claim 33 wherein said group G is a multiplicative group of a finite field.

40. A method according to claim 33 wherein said group G is a multiplicative group Z_p^* of integers mod p where p is a prime.

41. A method according to claim 40 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

42. A method according to claim 40 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

43. A method according to claim 42 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

44. A method according to claim 40 wherein said modulus p is of the form 2r+1 and r is a prime.

45. A method according to claim 33 wherein said group G is an elliptic curve group over a finite field.

46. A method according to claim 45 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

47. A method according to claim 45 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

48. A method according to claim 33 wherein said group G is an elliptic curve group over a finite field F_{2^m}.

49. A method according to claim 48 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

50. A method according to claim 48 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

51. A method according to claim 48 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

52. A method according to claim 33 wherein said group is over a finite field.

53. A method of establishing a session key for encryption of data between a pair of correspondents comprising the steps of one of said correspondents selecting a finite group G, establishing a subgroup S having an order q of the group G, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at said one correspondent.

54. A method according to claim 53 wherein said order q of said subgroup S is a prime.

55. A method according to claim 53 including the step of receiving at one of said correspondents a message x, where x is an integer selected by an other of said correspondents, exponentiating said message x to a value t where t is a divisor of the order of the subgroup, comparing a resultant value x^t to the group identity and preventing establishment of said session key if said value corresponds to the group identity.

56. A method according to claim 55 wherein a plurality of values of t are utilized and each resultant value compared to the group identity.

57. A method according to claim 55 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

58. A method according to claim 53 wherein said order of said subgroup is of the form utilising an integral number of a product of a plurality of large primes.

59. A method according to claim 58 wherein the order of said subgroup is of the form nrr' where n, r and r' are each integers and r and r' are each prime numbers.

60. A method according to claim 59 wherein n has a value of 2.

61. A method according to claim 53 wherein said subgroup is selected to have an order that is to be a function of the product of a pair of primes r, r' and said element is a generator of a subgroup of an order of one of said primes r, r'.

62. A method according to claim 53 including the step of determining whether information received by one of the correspondents sharing said session key lies within a subgroup of S having less than a predetermined number of elements and rejecting said information if it lies within such a subgroup.

63. A method according to claim 53 wherein said group is an elliptic curve group G over a finite field.

64. A method according to claim 63 wherein said elliptic curve group is over the finite field F_p where p is a prime power.

65. A method according to claim 53 wherein said group is over a finite field F_{2^m}.

66. A method according to claim 65 wherein said group is an elliptic curve group.

67. A method according to claim 66 wherein the order q of said subgroup S is prime.

68. A method of establishing a session key of the form xy for encryption of data between a pair of correspondents having respective private keys x, and y comprising the steps of selecting an elliptic curve over a field of prime order p having p elements, said elliptic curve having a prime order q, to provide q points on the curve, determining an element of a group G comprising said q points to generate the q elements of the group G and utilising said element to generate a session key of the form xy at each correspondent where x is an integer selected by one of the correspondents and y is an integer selected by another of said correspondents, whereby the order of the curve q is selected such that the intractability of the discrete log problem inhibits recovery of the private keys x or y.

69. A method according to claim 68 including the step of one of said correspondents determining the number of elements of the group G and terminating establishment of said session key if said number is less than a predetermined number of elements.

70. A method according to claim 68 including the step of one of said correspondents determining if the information received from the other correspondent corresponds to the group identity.

71. A method according to claim 68 including the step of checking that said order q is prime.

72. A method according to claim 71 wherein said order q is greater than 10^40.

73. A method of establishing by way of a discrete log key agreement scheme a session key for encryption of data between a pair of correspondents comprising the steps of selecting a finite group G, establishing a subgroup S having an order q of the group G, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

74. A method according to claim 73 wherein each of said correspondents have respective private keys x and y and said session key is of the form xy.

75. A method according to claim 74 wherein said subgroup S is of prime order.

76. A method according to claim 75 wherein at least one of said correspondents ascertains whether information received from said other correspondent corresponds to the group identity.

77. A method according to claim 74 wherein said group G is an elliptic curve group.

78. A method of establishing a session key for encryption of data between a pair of correspondents comprising the steps of selecting a finite field of order n, establishing a subgroup S having an order q of the multiplicative group of the finite field, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

79. A method according to claim 78 wherein said order q of said subgroup S is a prime.

80. A method according to claim 78 wherein said order n is a prime of the form 2q+1 and q is prime.

81. A method according to claim 78 wherein said order n is a prime of the form rq+1 and r is small and q is prime.

82. A method according to claim 78 wherein said order n is a prime of the form 2qq'+1 and q and q' are prime.

83. A method according to claim 78 wherein said order n is a prime of the form rqq'+1 and r is small, and q and q' are prime.

84. A method according to claim 78 wherein said order n is a prime of the form 2qq'+1 and q is prime and q' is the product of a plurality of large primes.

85. A method according to claim 78 wherein said order n is a prime of the form rqq'+1 where r is small, q is prime, and q' is the product of a plurality of large primes.

86. A method of establishing a session key for encryption of data between a pair of correspondents comprising the steps of selecting an elliptic curve group of order n over a finite field, establishing a subgroup S having an order q of the elliptic curve group, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

87. A method according to claim 86 wherein said order q of said subgroup S is a prime.

88. A method according to claim 86 wherein said finite field is a finite field F_p.

89. A method according to claim 88 wherein said order q of said subgroup S is a prime.

90. A method according to claim 86 wherein said finite field is a finite field F_{2^m}.

91. A method according to claim 90 wherein said order q of said subgroup S is a prime.

92. A method of establishing a session key for encryption of data between a pair of correspondents comprising the steps of selecting a group of order n over a finite field, establishing a subgroup S having an order q of said group, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

93. A method according to claim 51 wherein said order q of said subgroup S is a prime.

94. A method of establishing by way of a discrete log key agreement scheme a session key for encryption of data between a pair of correspondents comprising the steps of selecting a finite field of order n, establishing a subgroup S having an order q of the group G, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

95. A method according to claim 94 wherein said order q of said subgroup S is a prime.

96. A method according to claim 94 wherein said order q of said subgroup S is a prime.

97. A method according to claim 94 wherein said order n is a prime of the form 2q+1 and q is prime.

98. A method according to claim 94 wherein said order n is a prime of the form rq+1 and r is small and q is prime.

99. A method according to claim 94 wherein said order n is a prime of the form 2qq'+1 and q and q' are prime.

100. A method according to claim 94 wherein said order n is a prime of the form rqq'+1 and r is small, and q and q' are prime.

101. A method according to claim 94 wherein said order n is a prime of the form 2qq'+1 and q is prime and q' is the product of a plurality of large primes.

102. A method according to claim 94 wherein said order n is a prime of the form rqq'+1 where r is small, q is prime, and q' is the product of a plurality of large primes.

103. A method of establishing by way of a discrete log key agreement scheme a session key for encryption of data between a pair of correspondents comprising the steps of selecting an elliptic curve group of order n over a finite field, establishing a subgroup S having an order q of the elliptic curve group, determining an element of the subgroup S to generate greater than a predetermined number of the q elements of the subgroup S and utilising said element to generate a session key at each correspondent.

104. A method according to claim 103 wherein said order q of said subgroup S is a prime.

105. A method according to claim 103 wherein said finite field is a finite field F_p.

106. A method according to claim 105 wherein said order q of said subgroup S is a prime.

107. A method according to claim 103 wherein said finite field is a finite field F_{2^m}.

108. A method according to claim 107 wherein said order q of said subgroup S is a prime.

109. A method of establishing a session key of the form xy for encryption of data between a pair of correspondents having respective private keys x and y comprising the steps of selecting an elliptic curve group of order n over a finite field, establishing a subgroup S having an order q of the elliptic curve group, determining an element of the group G to generate the q elements of the group G and utilising said element to generate a session key of the form xy at each correspondent where x is an integer selected by one of said correspondents and y is an integer selected by another of said correspondents.

110. A method according to claim 109 wherein said finite field is a finite field F_p.

111. A method according to claim 110 wherein said order q of said subgroup S is a prime.

112. A method according to claim 109 wherein said finite field is a finite field F_{2^m}.

113. A method according to claim 112 wherein said order q of said subgroup S is a prime.

114. A method of establishing by way of a discrete log key agreement scheme a session key for encryption of data between a pair of correspondents comprising the steps of selecting an elliptic curve over a field of prime order p having p elements, said elliptic curve having a prime order q to provide q points on the curve greater than a predetermined number of points sufficient to avoid vulnerability in a cryptographic system, determining an element of the group G to generate the q elements of the group G, and utilising said element to generate a session key at each correspondent.

115. A method according to claim 114 including the step of checking that said order q is prime.

116. A method according to claim 114 wherein said order q is greater than 10^40.

117. A method of establishing by way of a discrete log key agreement scheme a session key for encryption of data between a pair of correspondents comprising the steps of selecting a group G of prime order q over a finite field, determining an element of the group G to generate the q elements of the group G, and utilising said element to generate a session key at each correspondent.

118. A method according to claim 117 including the step of checking that said order q is prime.

119. A method of establishing a session key of the form xy for encryption of data between a pair of correspondents having respective private keys x and y comprising the steps of selecting a group G of prime order q over a finite field, determining an element of the group G to generate the q elements of the group G and utilising said element to generate a session key of the form xy at each correspondent where x is an integer selected by one of said correspondents and y is an integer selected by another of said correspondents.

120. A method according to claim 119 including the step of checking that said order q is prime.

121. A method according to claim 119 wherein said order q is greater than 10^40.

122. A discrete log based key agreement system to permit a message to be exchanged between a pair of correspondents in a data communication system, said system utilising a group G of order n and having a generator and wherein said message is secured by embodying said message in a function of x where x is an integer, said system having a predefined parameter of a finite group S of order q, which is a subgroup of the group G and itself has no sub groups with less than a predetermined number of elements sufficient to avoid vulnerability in a cryptographic system.

123. A system according to claim 122 wherein at least one of said correspondents includes a monitor to determine whether said message corresponds to a group identity.

124. A cryptographic unit for use in a data communication system established between a pair of correspondents exchanging public information across a communication channel by way of a public key encryption scheme operating in a finite group G, said unit including a monitor to receive public information from one of said correspondents and examine said public information to determine whether it lies within a subgroup S of group G having less than a predetermined number of elements.

125. A method according to claim 32 wherein said determination is made by operating on said message by an operator n/p where p ranges over all prime divisors of n.

126. A method according to claim 125 wherein said operation includes exponentiation of said message and said determination is made by examination for a group identity.

127. A method according to claim 32 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

128. A method according to claim 32 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

129. A method according to claim 128 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

130. A method according to claim 129 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.

131. A method according to claim 32 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

132. A method according to claim 131 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

133. A method according to claim 132 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

134. A method according to claim 32 wherein said group G is a multiplicative group of a finite field.

135. A method according to claim 32 wherein said group G is a multiplicative group Z_p of integers mod p where p is a prime.

136. A method according to claim 135 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

137. A method according to claim 135 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

138. A method according to claim 137 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

139. A method according to claim 135 wherein said modulus p is of the form 2r+1 and r is a prime.

140. A method according to claim 32 wherein said group G is an elliptic curve group over a finite field.

141. A method according to claim 140 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

142. A method according to claim 140 wherein said message is a component of a session key xy where y is an integer selected by said one correspondent.

143. A method according to claim 11 wherein said message is examined by operating upon said public information by a value t where t is a divisor of n and determining whether the resultant value corresponds to the group identity.

144. A method according to claim 32 wherein said group is over a finite field.

145. A method according to claim 17 wherein said message is examined by operating upon said public information by a value t where t is a divisor of q and determining whether the resultant value corresponds to the group identity.
