Patent 2585738 Summary

(12) Patent: (11) CA 2585738
(54) French title: PRODUCTION DE PARAMETRES DE SESSION POUR DES PROTOCOLES DE TYPE EL GAMAL
(54) English title: GENERATION OF SESSION PARAMETERS FOR EL GAMAL-LIKE PROTOCOLS
Status: Expired - beyond the period following grant
Bibliographic data
(51) International Patent Classification (IPC):
  • H4L 9/30 (2006.01)
(72) Inventors:
  • JOHNSON, DONALD B. (United States of America)
  • LAMBERT, ROBERT J. (Canada)
  • MULLIN, RONALD C. (Canada)
  • VANSTONE, SCOTT (Canada)
(73) Owners:
  • CERTICOM CORP.
(71) Applicants:
  • CERTICOM CORP. (Canada)
(74) Agent: BLAKE, CASSELS & GRAYDON LLP
(74) Associate agent:
(45) Issued: 2008-12-23
(22) Filed: 1997-10-10
(41) Open to public inspection: 1998-04-10
Examination requested: 2007-04-25
Licence available: N/A
Dedicated to the public domain: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application priority data:
Application No. Country/Territory Date
08/728,620 (United States of America) 1996-10-10

Abstract


The public key, either short term "session" key or long term key, is generated by combining a pair of components. A first component is obtained by utilizing an integer with a relatively low Hamming weight as an exponent to facilitate exponentiation. The second component is a precomputed secret value that is of the form resulting from the exponentiation of the generator of the group element by an integer that has the requisite Hamming weight. The two components are combined to provide the public key and the two exponents combined to provide the corresponding private key.

Claims

Note: The claims are shown in the official language in which they were submitted.


THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. A computer readable medium comprising computer executable instructions for obtaining a group element for use as a public component of a public key encryption scheme and for obtaining a corresponding private key k, said public component corresponding to a k-fold composition of a generator of that group, where k is an integral value having a Hamming weight greater than a predetermined value to provide a requisite level of security, said computer readable instructions comprising instructions for:
i) selecting an integer k' which has a Hamming weight less than said predetermined value;
ii) performing a k' fold composition of the generator to provide an intermediate session parameter;
iii) combining said intermediate session parameter with a secure value γ derived from an i fold composition of the generator where i is an integer having a Hamming weight greater than said predetermined value to obtain said group element; and
iv) combining said integers k' and i to provide a corresponding private key component k.
2. The computer readable medium according to claim 1 wherein said secure value is precomputed and maintained secret.
3. The computer readable medium according to claim 1 in which said group is a multiplicative group of integers mod p.
4. The computer readable medium according to claim 3 wherein said intermediate session value and said secure value are combined by multiplication.
5. The computer readable medium according to claim 1 wherein said group is an elliptic curve over a finite field.
6. The computer readable medium according to claim 5 wherein said secure value and said intermediate session value are combined by performing an addition on an elliptic curve over a finite field.
7. The computer readable medium according to claim 1 wherein said secure value is obtained by generation of a random number as an exponent.
8. The computer readable medium according to claim 7 wherein said random number and resultant secure value are stored and extracted for combining with said intermediate session value.
9. The computer readable medium according to claim 1 wherein said secure value is derived from a combination of terms, each of which has a value derived from an integral number of compositions of said group element.
10. The computer readable medium according to claim 9 wherein at least one of said terms introduces a non linearity to successive secret values.
11. The computer readable medium according to claim 10 wherein said one of said terms includes a time varying integer in said composition.
12. The computer readable medium according to claim 9 wherein said terms are permuted amongst themselves after each successive signature.
13. The computer readable medium according to claim 12 wherein at least one of said terms introduces a non-linearity to successive secret values.
14. An encryption unit for use by a correspondent in a data communication system for obtaining a group element for use as a public component of a public key encryption scheme and for obtaining a corresponding private key k, said public component corresponding to a k-fold composition of a generator of that group, where k is an integral value having a Hamming weight greater than a predetermined value to provide a requisite level of security, said encryption unit being configured for:
i) selecting an integer k' which has a Hamming weight less than said predetermined value;
ii) performing a k' fold composition of the generator to provide an intermediate session parameter;
iii) combining said intermediate session parameter with a secure value γ derived from an i fold composition of the generator where i is an integer having a Hamming weight greater than said predetermined value to obtain said group element; and
iv) combining said integers k' and i to provide a corresponding private key component k.
15. The encryption unit according to claim 14 wherein said secure value is precomputed and maintained secret.
16. The encryption unit according to claim 14 in which said group is a multiplicative group of integers mod p.
17. The encryption unit according to claim 16 wherein said intermediate session value and secure value are combined by multiplication.
18. The encryption unit according to claim 14 wherein said group is an elliptic curve over a finite field.
19. The encryption unit according to claim 18 wherein said secure value and said intermediate session value are combined by performing an addition on an elliptic curve over a finite field.
20. The encryption unit according to claim 14 wherein said secure value is obtained by generation of a random number as an exponent.
21. The encryption unit according to claim 20 wherein said random number and resultant secure value are stored and extracted for combining with said intermediate session value.
22. The encryption unit according to claim 14 wherein said secure value is derived from a combination of terms, each of which has a value derived from an integral number of compositions of said group element.
23. The encryption unit according to claim 22 wherein at least one of said terms introduces a non linearity to successive secret values.
24. The encryption unit according to claim 23 wherein said one of said terms includes a time varying integer in said composition.
25. The encryption unit according to claim 22 wherein said terms are permuted amongst themselves after each successive signature.
26. The encryption unit according to claim 25 wherein at least one of said terms introduces a non-linearity to successive secret values.
27. An apparatus for obtaining a group element for use as a public component of a public key encryption scheme and for obtaining a corresponding private key k, said public component corresponding to a k-fold composition of a generator of that group, where k is an integral value having a Hamming weight greater than a predetermined value to provide a requisite level of security, said apparatus comprising:
i) means for selecting an integer k' which has a Hamming weight less than said predetermined value;
ii) means for performing a k' fold composition of the generator to provide an intermediate session parameter;
iii) means for combining said intermediate session parameter with a secure value γ derived from an i fold composition of the generator where i is an integer having a Hamming weight greater than said predetermined value to obtain said group element; and
iv) means for combining said integers k' and i to provide a corresponding private key component k.
28. The apparatus according to claim 27 wherein said secure value is precomputed and maintained secret.
29. The apparatus according to claim 27 in which said group is a multiplicative group of integers mod p.
30. The apparatus according to claim 29 wherein said intermediate session value and secure value are combined by multiplication.
31. The apparatus according to claim 27 wherein said group is an elliptic curve over a finite field.
32. The apparatus according to claim 31 wherein said secure value and said intermediate session value are combined by performing an addition on an elliptic curve over a finite field.
33. The apparatus according to claim 27 wherein said secure value is obtained by generation of a random number as an exponent.
34. The apparatus according to claim 33 wherein said random number and resultant secure value are stored and extracted for combining with said intermediate session value.
35. The apparatus according to claim 27 wherein said secure value is derived from a combination of terms, each of which has a value derived from an integral number of compositions of said group element.
36. The apparatus according to claim 35 wherein at least one of said terms introduces a non linearity to successive secret values.
37. The apparatus according to claim 36 wherein said one of said terms includes a time varying integer in said composition.
38. The apparatus according to claim 35 wherein said terms are permuted amongst themselves after each successive signature.
39. The apparatus according to claim 38 wherein at least one of said terms introduces a non-linearity to successive secret values.

Description

Note: The description is shown in the official language in which it was submitted.


GENERATION OF SESSION PARAMETERS FOR EL GAMAL-LIKE PROTOCOLS
The present invention relates to public key encryption systems and more particularly to the generation of session parameters for use with public key protocols.
Public key data encryption systems are well-known and the more robust are based upon the intractability of the discrete log problem in a finite group. Such public key encryption systems utilize a group element and a generator of the group. The generator is an element from which each other group element can be obtained by repeated application of the underlying group operation, i.e. repeated composition of the generator. Conventionally, this is considered to be an exponentiation of the generator to an integral power and may be manifested as a k fold multiplication of the generator or a k fold addition of the generator depending upon the underlying group operation. In such a public key encryption system, an integer k is used as a private key and is maintained secret. A corresponding public key is obtained by exponentiating the generator α with the integer k to provide a public key in the form α^k. The value of the integer k cannot be derived even though the value α^k is known.
The public and private keys may be utilized in a message exchange where one of the correspondents may encrypt the data with the recipient's public key α^k. The recipient receives the encrypted message and utilizes his private key k to decrypt the message and retrieve the contents. Interception of the message will not yield the contents as the integer k cannot be derived.
A similar technique may be utilized to verify the authenticity of a message by utilizing a digital signature. In this technique, the transmitter of the message signs the message with a private key k and a recipient can verify that the message originated from the transmitter by decrypting the message with the transmitter's public key α^k. A comparison between a function of the plain text message and of the recovered message confirms the authenticity of the message.
In both techniques, it is necessary to perform the exponentiation of the group element α. To be secure, k must be a relatively large number and the exponentiation can therefore be relatively long. Where the exponent is used as a long-term public key, the time of computation is not of undue concern. However, in digital signature schemes, a short term session key is utilized together with the long-term public key. Each message is signed with a different private key k and the corresponding public session key α^k has to be computed and transmitted with the message. There is therefore the need for some efficiency in the exponentiation.
The computing time for the exponentiation can be reduced by utilizing an integer exponent k having a relatively low Hamming weight - that is, the number of 1's in the binary representation of the integer is kept low or analogously in another radix, the exponent has few non-zero coefficients. However, integers having low Hamming weights are considered vulnerable to various attacks, including a square root attack, and so their use in encryption protocols is not encouraged.
It is therefore an object of the present invention to provide a method of computing the session parameters for public key exchange protocols that obviates or mitigates the above disadvantages.
In general terms, the present invention provides a method of computing an exponent for use in a public key exchange protocol in which an integer k' is selected, having a Hamming weight less than a predetermined value. An exponentiation with the generator α is performed and the resultant intermediate session parameter α^k' is mathematically combined with a secret value γ. γ is derived from a random integer i which has a Hamming weight greater than the predetermined value. The mathematical combination of γ with the intermediate session parameter produces a session parameter whose exponent has a Hamming weight greater than the predetermined value and as such is considered computationally secure.
Conveniently, the secret value γ can be precomputed so that the real time exponentiation is confined to the generation of the exponent that utilizes the integer k'.
The method may be used with the multiplicative group Z_p or may be utilized with other groups such as elliptic curves over a finite field.
Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings, in which
Figure 1 is a schematic representation of a data communication system;
Figure 2 is a flow chart showing the generation of the session parameters in the multiplicative group Z_p;
Figure 3 is a flow chart showing the generation of the session parameters in the elliptic curve;
Figure 4 is a flow chart similar to Figure 3 of an alternative embodiment of the generation of session parameters; and
Figure 5 is a flow chart showing a further embodiment of generation of session parameters.
Referring therefore to Figure 1, a data communication system 10 includes a pair of correspondents 12, 14 respectively. Each of the correspondents 12, 14 can generate a message M and forward it through a communication link 16 to the other correspondent and each have an encryption module 18 to process the message M prior to transmission and upon receipt.
In order to permit the correspondent 14 to verify that a message has been generated by the correspondent 12, various protocols have been derived that permit signature of the message M and subsequent verification upon receipt of the transmitter of the message. For the purposes of illustration, a simple El Gamal-type protocol for signing the message M will be utilized although it will be understood that other more sophisticated protocols may be utilized and similar advantages obtained. Likewise, the generation of session parameters may be used for Diffie Hellman encryption schemes other than digital signatures.
As illustrated schematically in Figure 2, in order to sign the message M, the correspondent 12 selects an integer k' from an integer generator 20 and checks it at comparator 22 to ensure it has a Hamming weight of less than a predetermined level that would normally be considered computationally insecure. For example, with a field of 155, an integer k' having a Hamming weight of less than 15 could be used. If necessary, a random number can be generated and the Hamming weight can be adjusted at a comb 24 to ensure that it is below the predetermined value that facilitates the computation.
A k' fold composition of the generator α is then performed. For a public key system using a multiplicative group of the integers mod p, where p is a prime, i.e. Z_p, the intermediate session key α^k' is then computed in exponentiator 26 utilizing a known exponentiation algorithm such as the "square and add" algorithm. Because the majority of the binary digits are zero, the exponentiation is relatively quick and the intermediate session parameter is obtained.
The correspondent 12 then retrieves from a table 28 a precomputed value of an element γ which is of the form α^i. The integer i is a random integer and as such the Hamming weight can be assumed to be in the order of 50%. The table 28 containing the value of i and the corresponding value of γ are maintained securely.
The secret value of γ and the intermediate session parameter α^k' are multiplied in arithmetic processor 30 to provide a session parameter α^(i+k') = α^k. The multiplication of two components may be performed relatively quickly and therefore the session parameter α^k may be computed in real time.
At the same time, the value k which is equal to i + k' is computed in the arithmetic processor 30 and used to encrypt or sign the message M in the encryption module 18. The message M and the signature are transmitted to the recipient 14 over the communication channel 16 together with the session parameter α^k. The recipient 14 then decrypts the signed message using the session parameter α^k and compares the content of the decrypted message with the transmitted message to ensure that they are the same.
The utilization of the relatively low Hamming weight for the integer k' does not render the session parameter α^k vulnerable, as the secret value γ will have an adequate Hamming weight. Accordingly, the Hamming weight of the integer k will also be adequate for security purposes.
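
The Figure 2 flow in the multiplicative group, as an added Python example that is not part of the patent text. The modulus `P = 2**127 - 1`, the base `ALPHA = 3`, the bit length and all function names are assumptions chosen for illustration; `WEIGHT_LIMIT = 15` echoes the "less than 15" figure quoted above.

```python
import secrets

# Assumed toy parameters (not from the patent): a Mersenne prime modulus and
# base 3. WEIGHT_LIMIT plays the role of the "predetermined value".
P = 2**127 - 1
ORDER = P - 1            # exponents can be reduced mod p - 1 (Fermat)
ALPHA = 3
BITS = 126
WEIGHT_LIMIT = 15

_rng = secrets.SystemRandom()


def hamming_weight(n):
    """Number of 1 bits in the binary representation of n."""
    return bin(n).count("1")


def low_weight_int(bits=BITS, weight=WEIGHT_LIMIT - 1):
    """Integer generator 20: k' with exactly `weight` one-bits, below the limit."""
    return sum(1 << b for b in _rng.sample(range(bits), weight))


def exp_count(base, exponent, modulus):
    """Left-to-right binary exponentiation.

    Returns (result, squarings, multiplications) so the cost of a low-weight
    exponent can be compared with that of a full-weight one.
    """
    result, squarings, mults = 1, 0, 0
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        squarings += 1
        if bit == "1":
            result = result * base % modulus
            mults += 1
    return result, squarings, mults


def precompute_secret():
    """Offline step (table 28): random i above the weight limit, gamma = alpha^i."""
    while True:
        i = _rng.randrange(1 << (BITS - 1), 1 << BITS)
        if hamming_weight(i) > WEIGHT_LIMIT:
            return i, pow(ALPHA, i, P)


def session_parameters(i, gamma):
    """Online step: alpha^k' * gamma = alpha^(k' + i), and k = k' + i."""
    k_prime = low_weight_int()
    intermediate, _, mults = exp_count(ALPHA, k_prime, P)   # exponentiator 26
    element = intermediate * gamma % P                      # processor 30
    k = (k_prime + i) % ORDER
    return k, element, k_prime, mults


if __name__ == "__main__":
    i, gamma = precompute_secret()
    k, element, k_prime, mults = session_parameters(i, gamma)
    _, _, full_mults = exp_count(ALPHA, k, P)
    print("weight(k') =", hamming_weight(k_prime), " weight(k) =", hamming_weight(k))
    print("multiplications: online", mults, "vs direct alpha^k", full_mults)
    print("element == alpha^k:", element == pow(ALPHA, k, P))
```

The secrecy of `i` and `gamma` carries the whole scheme: anyone who learns `i` is left with only the low-weight `k'` to recover.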
The technique may also be used in elliptic curve encryption systems as illustrated in Figure 3 where like components are identified with like reference numerals with a suffix 'a' added for clarity. With an elliptic curve encryption system, the group element used as a public key corresponds to a point kP which is obtained from the k-fold addition of a generator P. The underlying field operation is addition and therefore the group element kP is representative of exponentiation of the generator P to the power k. The security of the public key kP results from the addition of points on the curve or by the multiplication of a point by an integer which is equivalent to multiple additions.
The addition of a pair of points on the curve is relatively complex and the requirement for multiple additions offsets some of the advantages from the inherently greater strengths of the elliptic curve encryption systems.
To facilitate the use of such encryption systems, an integer k' is selected by generator 20a having a Hamming weight less than a predetermined value, which would normally be considered insecure. The intermediate session parameter k'P is computed by a k' fold composition of the point P, i.e. by k' additions of an initial point P in the elliptic point accumulator 26a. The relatively low Hamming weight reduces the point additions necessary to facilitate computation of the value k'P.
A secret value γ is precomputed from an integer i which is randomly generated and has a Hamming weight of greater than the predetermined value. The value of γ is obtained from the i fold addition of the point P, i.e. γ = iP, and γ and i are stored in table 28a.
The intermediate session parameter k'P and the secret value iP are then added in arithmetic processor 30a to obtain the new point kP. The integer k may be computed in the processor 30a by the transmitter 12 from the addition of k' and i and the resultant signature prepared in the encryption module.
Again, however, the selection of the initial integer k' with a relatively low Hamming weight reduces the computational time to obtain the intermediate session parameter and subsequent mathematical combination with the secret value yields a session parameter whose multiplying value k has the requisite Hamming weight.
In each case, the use of a relatively low Hamming weight used for the integer k' is masked by the combination with a random integer having a Hamming weight greater than the predetermined value.
In the situation where the elliptic curve cryptosystem uses an anomalous curve, then exponentiation may be obtained by a square and add algorithm.
A further embodiment is shown in Figure 4 in which like reference numerals will be used to denote like components with a prefix 1 added for clarity. In the embodiment of Figure 4, additional terms are introduced into the computation of the integer k to provide enhanced security. The integer k is formed from the combination of a low Hamming weight term k' generated by integer generator 120 with the varying terms derived from additional integers k_C, k_L, k_D to have the form
k = k' + k*_C + k*_L + k*_D.
Similarly,
kP = k'P + k*_C P + k*_L P + k*_D P.
The integers k_C, k_L and k_D are stored in a lookup table 128 with precomputed corresponding values of k_C P, k_L P and k_D P. In the example of Figure 4, the integers k_C, k_L, k_D are retained as separate sets of values although as will be explained below a single set of integers may be used. The values of the integers in table 128 are indexed against a reference term t, typically the output of an incrementing counter 32 that increases at each generation of the session key k.
In the preferred embodiment, the term k*_C is a constant term corresponding to the integer retrieved from lookup table 128 for the given value of t. The terms k*_L, k*_D are provided by integers k_L and k_D respectively that are modified by the reference term t so as to vary for each generation of the session key k.
The term k*_L is a linear term of the form t·k_L and the term k*_D is of the form 2^t·k_D.
As t varies, the values of k_C, k_L and k_D will vary from the lookup table and the corresponding value of k*_L and k*_D will vary with the value of the reference term t.
In this embodiment, the value k therefore has the form
k = k' + k_Ct + t·k_Lt + 2^t·k_Dt
where k_Ct, k_Lt and k_Dt are the values of k_C, k_L and k_D at time t.
In operation therefore, as shown schematically in Figure 4, upon initiation of the generation of the session key k, a value of k' is selected from generator 128 with a low Hamming weight and the corresponding value of k'P is computed by exponentiator 126. The output t of counter 32 is used as the reference term for the lookup table 128 to retrieve corresponding values of k_C, k_L, k_D and the related points k_C P, k_L P and k_D P.
The term k_C P corresponds to the term k*_C P and therefore may be added to k'P in arithmetic processor 130. The term k*_L is obtained from a t fold addition of the point k_L P retrieved from table 128 and added in processor 130 to the value of k'P + k_C P.
Similarly, the term k*_D P is obtained from a 2^t fold addition of k_D P retrieved from the table 128 and added to the previous value to provide the session key kP. Likewise the value of k can be obtained from addition of k', k_C, k*_L and k*_D.
It will be appreciated that each of the additions involves the addition of a pair of points on an elliptic curve. The computation of k*_L P and k*_D P may be obtained relatively easily using successive doubling of the point or substitution in the binary representation of the value of t.
In addition, the use of k*_C, k*_L and k*_D may be permuted as successive signatures are computed so as to introduce additional complexity.
The value can be chosen with a suitably low Hamming weight. Similarly, values of k_L or k_D may be chosen to have a relatively low Hamming weight if preferred for ease of computation but it is preferred that k_C has a satisfactory Hamming weight to provide adequate security at t = 0. In general, however, it is preferred that each value of k_C, k_L and k_D has an adequate Hamming weight for computational security. As described below, the computation required from signature to signature may be reduced so that it is preferred to maintain the value of k_L and k_D above a predetermined level. In the above example, it has been assumed that the values of k_C, k_L and k_D have been selected from different sets of values. However, the values could be selected from the same table using a predetermined permutation of values or could be the same integer used in each term to simplify computation.
Similarly, the form of k could include additional and/or different terms to introduce non-linearity in addition to the constant, linear and doubling terms described and complexity and could in fact include additional functions such as the Frobenius operator in the computation of k when appropriate. The additional terms are chosen to provide ease of computation and a final Hamming weight above a predetermined value that is considered computationally secure.
A further algorithm for determining successive values of k and kP is shown in Figure 5.
Assume a form of k as described above, such that
k = k' + k_C + t·k_L + 2^t·k_D
and kP = k'P + k_C P + t·k_L P + 2^t·k_D P.
Initially, the values of k_C, k_L and k_D and corresponding values k_C P, k_L P and k_D P are stored in registers 34.
The new value of k at time t is k'(t) + k"(t)
where k"(t) = k_C + t·k_L + 2^t·k_D.
k'(t) is the new integer with a low Hamming weight generated by generator 220.
To compute a new value of k, the value of k"(t) is computed in arithmetic processor 230 using the values stored in the registers 34. The resultant value of k"(t) is added to k'(t) to obtain the new value of k.
To facilitate computation of the next value of k, i.e. k(t+1), the computed values of k"(t), 2^t·k_D together with k_C and k_L are stored.
To obtain k(t+1), it is necessary to obtain k'(t+1) and generate k"(t+1). This can be readily achieved using the stored values.
k"(t+1) = k_C + (t+1)·k_L + 2^(t+1)·k_D
= (k_C + t·k_L + 2^t·k_D) + 2^t·k_D + k_L
= k"(t) + 2^t·k_D + k_L.
Each of these terms is stored in registers 34 and can readily be retrieved to provide the value of k"(t+1) which is then combined with k'(t+1) to provide the new k at time (t+1).
The registers 34 are updated so that the value of k"(t) is replaced with k"(t+1), the value of k_L retained and the value of 2^t·k_D replaced with 2^(t+1)·k_D.
The next value of k at time (t+2) can then be obtained in a similar manner.
A similar procedure is available for computing the value of k(t+1)P.
The values of k"(t)P, k_L P and 2^t·k_D P are stored in registers 34.
k'(t+1)P is obtained by multiple point additions in the elliptic point accumulator 226 as before.
The value of k"(t+1)P is obtained by computing
k"(t)P + k_L P + 2^t·k_D P.
Each of these terms is stored in the registers 34 and readily retrieved.
These terms are updated by corresponding terms for time (t+1) and to facilitate this, the point 2^t·k_D P is first doubled to provide 2^(t+1)·k_D P. This is then stored and also added to k_L P and k"(t) to obtain k"(t+1)P. Again this is stored and also added to k'(t+1)P to give the new value of k(t+1)P.
The computation k"(t+1)P is therefore achieved with 1 point doubling and 3 point additions which in combination with the low Hamming weight of k' leads to a very efficient generation of the system parameters.
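
The register update of Figure 5, as an added Python example that is not part of the patent text. It assumes the multiplicative group mod an assumed toy prime instead of an elliptic curve, so a point addition becomes a modular multiplication and a point doubling becomes a squaring; the class and attribute names are hypothetical. The update follows the recurrence k"(t+1) = k"(t) + 2^t·k_D + k_L, adding the stored 2^t·k_D term before doubling it.

```python
import secrets

# Assumed toy parameters (not from the patent).
P = 2**127 - 1
ORDER = P - 1
ALPHA = 3
_rng = secrets.SystemRandom()


def low_weight_int(bits=126, weight=14):
    """k'(t): a fresh integer with exactly `weight` one-bits."""
    return sum(1 << b for b in _rng.sample(range(bits), weight))


class Registers:
    """Registers 34: k"(t), k_L and 2^t*k_D, with the matching group elements."""

    def __init__(self, k_c, k_l, k_d):
        self.t = 0
        self.k_l = k_l % ORDER
        self.pow_kd = k_d % ORDER                  # 2^0 * k_D
        self.k2 = (k_c + k_d) % ORDER              # k"(0) = k_C + 0*k_L + 2^0*k_D
        # Group elements are precomputed once, offline.
        self.g_l = pow(ALPHA, self.k_l, P)
        self.g_d = pow(ALPHA, self.pow_kd, P)
        self.g2 = pow(ALPHA, self.k2, P)

    def advance(self):
        """Move from time t to t+1 using only stored values."""
        # k"(t+1) = k"(t) + 2^t*k_D + k_L  -> two group operations
        self.k2 = (self.k2 + self.pow_kd + self.k_l) % ORDER
        self.g2 = self.g2 * self.g_d % P * self.g_l % P
        # 2^t*k_D -> 2^(t+1)*k_D           -> one doubling (a squaring here)
        self.pow_kd = 2 * self.pow_kd % ORDER
        self.g_d = self.g_d * self.g_d % P
        self.t += 1

    def session(self):
        """Return (k, alpha^k) for the current t with a fresh low-weight k'(t)."""
        k_prime = low_weight_int()
        k = (k_prime + self.k2) % ORDER
        # Only alpha^k' is exponentiated online; one more group operation
        # combines it with the stored element for k"(t).
        element = pow(ALPHA, k_prime, P) * self.g2 % P
        return k, element


if __name__ == "__main__":
    k_c, k_l, k_d = (secrets.randbelow(ORDER) for _ in range(3))
    regs = Registers(k_c, k_l, k_d)
    for _ in range(4):
        k, element = regs.session()
        closed_form = (k_c + regs.t * k_l + 2**regs.t * k_d) % ORDER
        print(regs.t, element == pow(ALPHA, k, P), regs.k2 == closed_form)
        regs.advance()
```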
As noted above, additional complexity may be introduced by permuting the registers containing the related pairs of stored value for successive generation of the session parameters k and α^k.
In summary, the generation of a session parameter is facilitated by utilizing a low Hamming weight integer for ease of computation and combining it with a precomputed value or set of values to mask the low Hamming weight. Additional complexity may be introduced by providing non-linear terms in the set of values and/or by permuting the set of values from signature to signature. In this way, the successive session values are resistant to attacks but the computations may be performed efficiently.
It will be appreciated that the above computations may be performed on an integrated circuit or executed in software on a general purpose computer depending upon the particular application.


Event history

Description Date
Inactive: Expired (new Act patent) 2017-10-10
Grant by issuance 2008-12-23
Inactive: Cover page published 2008-12-22
Inactive: Final fee received 2008-10-01
Pre-grant 2008-10-01
Notice of allowance is issued 2008-04-08
Letter sent 2008-04-08
month 2008-04-08
Notice of allowance is issued 2008-04-08
Inactive: Approved for allowance (AFA) 2008-03-31
Amendment received - voluntary amendment 2008-01-29
Inactive: S.30(2) Rules - Examiner requisition 2007-07-31
Inactive: Cover page published 2007-07-09
Inactive: Office letter 2007-07-05
Inactive: First IPC assigned 2007-06-27
Inactive: IPC assigned 2007-06-27
Letter sent 2007-05-22
Letter sent 2007-05-22
Divisional requirements determined compliant 2007-05-17
Letter sent 2007-05-17
Application received - regular national 2007-05-17
Application received - divisional 2007-04-25
Request for examination requirements determined compliant 2007-04-25
All requirements for examination determined compliant 2007-04-25
Application published (open to public inspection) 1998-04-10

Abandonment history

There is no abandonment history.

Maintenance fees

The last payment was received on 2008-09-09


Owners on record

Current and past owners on record are shown in alphabetical order.

Current owners on record
CERTICOM CORP.
Past owners on record
DONALD B. JOHNSON
ROBERT J. LAMBERT
RONALD C. MULLIN
SCOTT VANSTONE
Past owners that do not appear in the "Owners on record" listing will appear in other documentation within the application.

Documents

Document description | Date (yyyy-mm-dd) | Number of pages | Image size (KB)
Description | 2007-04-24 | 12 | 438
Abstract | 2007-04-24 | 1 | 15
Claims | 2007-04-24 | 3 | 62
Drawings | 2007-04-24 | 4 | 60
Representative drawing | 2007-06-27 | 1 | 5
Abstract | 2007-07-03 | 1 | 15
Cover page | 2007-07-08 | 1 | 35
Claims | 2008-01-28 | 6 | 193
Cover page | 2008-12-03 | 2 | 38
Acknowledgement of request for examination | 2007-05-16 | 1 | 177
Commissioner's notice - Application found allowable | 2008-04-07 | 1 | 164
Correspondence | 2007-05-16 | 1 | 39
Correspondence | 2007-07-04 | 1 | 16
Fees | 2007-09-18 | 1 | 27
Correspondence | 2008-09-30 | 1 | 40
Fees | 2008-09-08 | 1 | 26