Computing method for elliptic curve cryptography
First Claim
Patent Images
1. A cryptographic method employed between two entities exchanging information via a non-secure communication channel, each of the two entities comprising a memory readable by a machine, tangibly embodying a program of instruction executable by the machine to perform the method, the method including a step of multiplying an odd order point of a non-supersingular elliptic curve by an integer, wherein, for exchanging information via the non-secure communication channel, the step of multiplying is performed by addition and halving operations of points of said elliptic curve, the halving of a point P is defined as the unique odd order point D such that [2]D=P,
-
P _
1 Assignment
0 Petitions
Accused Products
Abstract
A fast cryptographic method between two entities exchanging data via a non-secure communication channel. The method, for example, forms a common key between two entities (A,B), each having a secret key (a,b) and using a public key (P) formed by a point of an elliptic curve (E), and includes at least multiplying the odd order point (P) by an integer by additions and halving operations.
57 Citations
11 Claims
-
1. A cryptographic method employed between two entities exchanging information via a non-secure communication channel, each of the two entities comprising a memory readable by a machine, tangibly embodying a program of instruction executable by the machine to perform the method, the method including a step of multiplying an odd order point of a non-supersingular elliptic curve by an integer, wherein, for exchanging information via the non-secure communication channel, the step of multiplying is performed by addition and halving operations of points of said elliptic curve, the halving of a point P is defined as the unique odd order point D such that [2]D=P,
-
P _ denotes the point D. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
and E[2k] is the set of points P of said elliptic curve such that P added 2k times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve gives by said halving the point of said elliptic curve obtained by effecting the following operations; (a) seek a first value λ
o such that λ
o2+λ
o=α
+x;(b) calculate a second value uo2 such that uo2=x (λ
o+1)+y;(c) if k has the value 1, check if the equation;
λ
2+λ
=α
2+u2o has solutions in F2n;(d) if the check in step (c) is yes, calculate said halving as follows;
uo=√
{square root over (u02)},
vo=uo(uo+λ
o)and (e) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (d);(f) if k is greater than 1, perform an iterative calculation as follows; (i) seek a value λ
i such that λ
i2+λ
i=α
+ui−
1; and(ii) then calculate the value u2i such that u2i=ui−
1(λ
i+λ
i−
1+ui−
1+1) by incrementing i from i=1 until the value u2k−
1 is obtained;(g) check whether the equation λ
2+λ
=α
2+u2k−
1 has solutions in F2n;(h) if so, calculate said halving as follows;
uo=√
{square root over (u02)},
vo=uo(uo+λ
o)and (i) if not, add x to the second value uo2 and 1 to said first value λ
o and calculate said halving as in step (h).
-
-
3. A method according to claim 1, where F2n is a finite body of 2n elements, E(F2n) is the sub-group of an elliptic curve E defined by:
-
E(F2n)={(x,y)ε
F2n×
F2n|y2+xy=x3+α
x2+β
}∪
{O}α
, β
ε
F2n,β
≠
0and E[2k] is the set of points P of said elliptic curve such that P added 2k times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve gives by said halving the point of said elliptic curve, with λ
o=uo+vo/uo, obtained by effecting the following operations;(a) seek a first value λ
o such that λ
o2+λ
o=α
+x;(b) calculate a second value uo2 such that;
uo2=x (λ
o+1)+y;(c) if k has the value 1, check if the equation;
λ
2+λ
=α
2+uo2 has solutions in F2n;(d) if so, calculate said halving as follows;
uo=√
{square root over (u02)},and (e) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (d);(f) if k is greater than 1, perform the following iterative calculation; (i) seek a value λ
i, such that λ
i2+λ
i=α
+ui−
1; and(ii) then calculate the value ui2 such that ui2=ui−
1(λ
i+λ
i−
1+ui−
1+1) by incrementing i from i=1 until the value u2k−
1 is obtained;(g) check if the equation λ
2+λ
=α
2+u2k−
1 has solutions in F2n ;(h) if so, calculate said halving as follows;
uo=√
{square root over (u02)}, and(i) if not, add x to said second value uo2 and 1 to said first value λ
o to calculate said halving as in step (h).
-
-
4. A method according to claim 1, where F2n is a finite body of 2n elements, E(F2n) is the sub-group of an elliptic curve E defined by:
-
E(F2n)={(x,y)ε
F2n×
F2n|y2+xy=x3+α
x2+β
}∪
{O}α
, β
ε
F2n,β
≠
0and E[2k] is the set of points P of said elliptic curve such that P added 2k times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve represented by (x,λ
p) with λ
p=x+y/x gives by said halving the pointof said elliptic curve obtained by effecting the following operations; (a) seek a first value λ
0 such that λ
o2+λ
o=α
+x;(b) calculate a second value uo2 such that uo2=x (λ
oλ
+λ
p+x+1);(c) if k has the value 1, check if the equation;
λ
2+λ
=α
2+uo2 has solutions in F2n;(d) if so, calculate said halving as follows;
uo=√
{square root over (02)},
vo=uo(uo+λ
o),(e) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (d);(f) if k is greater than 1, perform the following iterative calculation; (i) seek a value λ
i such that λ
i2+λ
i=α
+ui−
1; and(ii) then calculate the value ui2 such that ui2=ui−
1 (λ
i+λ
i−
1+ui−
1+1) incrementing i from i=1 until the value u2k−
1 is obtained;(g) check if the equation λ
2+λ
=α
2+u2k−
1 has solutions in F2n;(h) if so, calculate said halving as follows;
uo=√
{square root over (02)},
vo=uo(uo+λ
o),(i) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (h).
-
-
5. A method according to claim 1, where F2n is a finite body of 2n elements, E(F2n) is the sub-group of an elliptic curve E defined by:
-
E(F2n)={(x,y)ε
F2n×
F2n|y2+xy=x3+α
x2+β
}∪
{O}α
, β
ε
F2nβ
≠
0and E[2k] is the set of points P of said elliptic curve such that P added 2k times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve represented by (x,λ
p) with λ
p=x+y/x gives by said halving the pointof said elliptic curve represented by (uo, λ
o), with λ
o=uo+vo/uo obtained by effecting the following operations;(a) seek for a first value λ
o such that λ
o2+λ
o=α
+x;(b) calculate a second value uo2 such that uo2=x (λ
o+λ
p+x+1);(c) if k has the value 1, check if the equation λ
2+λ
=α
2+uo2 has solutions in F2n;(d) if so, calculate said halving as follows;
uo=√
{square root over (u02)},(e) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (d);(f) if k is greater than 1, perform the following iterative calculation; (i) seek a value λ
i such that λ
i2+λ
i=α
+ui−
1; and(ii) then calculate the value ui2 such that ui2=ui−
1(λ
i+λ
i−
1+ui−
1+1) incrementing i from i=1 until the value u2k−
1 is obtained;(g) check if the equation λ
2+λ
=α
2+u2k−
1 has solutions in F2n;(h) if so, calculate said halving as follows;
uo=√
{square root over (u02)},(i) if not, add x to said second value uo2 and 1 to said first value λ
o and calculate said halving as in step (h).
-
-
6. A method according to claim 1, further comprising constructing a common key from two secret keys respectively belonging to the aforementioned two entities and a public key consisting of the point P of odd order r of a chosen non-supersingular elliptic curve E.
-
7. A method according to claim 6, wherein a and b are the secret keys of first and second entities, respectively, and:
-
(a) the first entity calculates the scalar multiplication [a]P and sends the result point to the second entity, (b) the second entity calculates the scalar multiplication [b]P and sends the result point to the first entity, (c) the two entities respectively calculate a common point (C)=(x,y) of said elliptic curve (E) by respectively effecting the scalar multiplications [a] ([b]P) and [b] ([a]P), both equal to [a.b]P, and (d) the two entities choose as their common key the coordinate (x) of said common point (C) obtained by said scalar multiplication [a.b]P, at least one of the preceding scalar multiplications, and preferably all of them, being effected by means of predefined halvings.
-
-
8. A method according to claim 7, wherein scalar multiplication using halvings is obtained by the following operations:
-
(e) if said scalar of the multiplication is denoted S, choose m+1 values So . . . Smε
{0,1} to define S as follows;r being the aforementioned odd order and m being the single integer between log2(r)−
1 and log2(r),(f) calculate the scalar multiplication [S]P of a point P of said elliptic curve by the scalar S by applying an algorithm consisting of determining the series of points (Qm+1, Qm . . . , Qi . . . , Qo) of said elliptic curve E such that;
Qm+1=O (neutral element), and(g) calculate the last point Qo of said series giving the result [S]P of said scalar multiplication.
-
-
9. A method according to claim 1, further comprising calculating a signature between two entities based on a pair of permanent keys belonging to one of the entities, one secret (a) and the other public (Q), by scalar multiplication of the secret key (a) by another public key consisting of the point (P) of odd order r of a chosen non-supersingular elliptic curve (E).
-
10. A method according to claim 9, further comprising the following operations:
-
(a) the first entity (A) holding said pair of permanent keys constructs a single-use pair of keys, one key (g) being chosen arbitrarily and the other key [g]P resulting from scalar multiplication of said arbitrarily chosen key (g) by the public point P of said elliptic curve, the coordinates of the key ([g]P) being denoted (x,y) with 2≦
g≦
r−
2,(b) the first entity (A) converts the polynomial x of said single-use key [g]P=(x,y) into an integer i whose binary value is represented by the sequence of binary coefficients of said polynomial x, (c) said first entity (A) calculates a signature (c,d) of the message (M) as follows; c=i modulo r d=g−
1 (M+ac) modulo r,(d) said first entity sends said message (M) and said signature (c, d) to said second entity;
upon receiving it;(i) said second entity (B) checks if the elements of said signature (c,d) each belong to the range [1, r−
1],(ii) if the check in step (i) is no, the second entity declares the signature invalid and stops; (iii) if the check in step (i) is yes, said second entity (B) calculates three parameters; h=d−
1 modulo r,h1=Mh modulo r, and h2=ch modulo r, (e) said second entity calculates a point T of said elliptic curve by summing the scalar multiplications of the points P and Q by the last two parameters cited;
T=[h1]P+[h2]Q, and(i) if the resultant point T is the neutral element, said second entity declares the signature invalid and stops; (ii) if the resultant point T is not the neutral element, considering the point T with coordinates x′ and
y′
;
T=(x′
,y′
),(A) said second entity (B) converts the polynomial x′
of that point into an integer i′
whose binary value is represented by the sequence of binary coefficients or said polynomial x′
,(B) said second entity (B) calculates c′
=i′
modulo r and,(C) said second entity (B) checks if c′
=c, in which case said second entity (B) validates said signature, or if not, said second entity (B) invalidates said signature, at least one aforementioned scalar multiplication operation being effected by means of the predefined halvings.
-
-
11. A method according to claim 1, wherein said integer is decomposed as a set of values using powers of half said order, and said addition and halving operations are implemented dependent on said set of values.
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeOberthur Card Systems, S.A. (Advent International Corporation)
-
Original AssigneeOberthur Card Systems, S.A. (Advent International Corporation)
-
InventorsKnudsen, Erik
-
Primary Examiner(s)Barron, Jr., Gilberto
-
Assistant Examiner(s)Simitoski, Michael J.
-
Application NumberUS09/786,756Time in Patent Office2,202 DaysField of Search380/28, 380/30, 380/282, 380/285, 380/44, 713/176, 708/492US Class Current380/30CPC Class CodesG06F 7/725 over elliptic curves
