Patent abstract:
The present invention relates to a key agreement protocol, a cryptographic communication system and a cryptographic correspondent apparatus. The protocol is executed between two instances and comprises: generating a private key and a public key; communicating the public key; generating a common value (100, 200); generating secret values (104, 204); calculating an ephemeral value; and generating a shared secret.
Publication number: CH711134A2
Application number: CH01276/15
Filing date: 2015-09-04
Publication date: 2016-11-30
Inventor: Antipa Adrian
Applicant: Infosec Global Inc;
IPC main class:
Patent description:

TECHNICAL FIELD
The present invention relates to data communication systems and protocols used in such systems.
BACKGROUND
Data communication systems are used to exchange information between devices. The information to be exchanged includes data arranged as sequences of digital bits that are formatted to be recognized by other devices and allow the information to be processed and / or recovered.
The exchange of information may take place over a public network, such as a communication link between two devices, over a dedicated network within an organization, or between two devices within the same assembly, such as within a computer or a point-of-sale device.
The devices range from relatively large computer systems to telecommunications devices, cell phones, monitors, sensors, electronic purses and smart cards, and a wide variety of devices connected to transfer data between two or more such devices.
A variety of communication protocols have been developed to allow the exchange of data between different devices. The communication protocols allow the exchange of data in a robust manner, often with error correction and error detection functionality, and the data to be routed to the intended recipient and restored for reuse.
Since the data may be accessible to other devices, they are susceptible to interception and monitoring or manipulation. The sensitive nature of the information requires that steps be taken to safeguard the information and ensure its integrity.
A number of methods, collectively referred to as encryption protocols and authentication protocols, have been developed to provide the required attributes and to ensure security and / or integrity in the exchange of information. These methods use a key that is combined with the data.
There are two major forms of cryptosystem that implement these protocols: symmetric-key cryptosystems and asymmetric or public-key cryptosystems. In a symmetric-key cryptosystem, the devices exchanging information share a common key known only to the devices that are to share the information. Symmetric-key systems have the advantage that they are relatively fast and can therefore handle large amounts of data in a relatively short time, even with limited computational power. However, the keys must be securely distributed to the various devices, which increases operational cost and increases the exposure if a key is compromised.
Asymmetric, or public-key, cryptosystems use a key pair associated with each device, one key of which is public and the other private. The public key and the private key are linked by a "hard" mathematical problem, so that even when the public key and the underlying problem are known, the private key cannot be recovered in a reasonable amount of time. One such problem is the factorization of the product of two large primes, as used in RSA cryptosystems. Another is the discrete logarithm problem in a finite group. A generator α of the underlying group is fixed as a system parameter, and a random integer k is generated for use as the private key. To obtain the public key K, the group operation is applied k times, so that K = f(α, k).
In discrete logarithm cryptosystems various groups can be used, including the multiplicative group of a finite field: the group of integers in a finite cyclic group of order p, usually written Z_p^* and consisting of the integers 0 to p-1. The group operation is multiplication, so that K = α^k.
Another group used for improved security is an elliptic curve group. The elliptic curve group is composed of pairs of elements, one written x and the other y, in a field, which satisfy the equation of the selected elliptic curve. For an elliptic curve group of order p, the curve is generally defined by the relationship y^2 ≡ x^3 + ax + b (mod p). Different curves are used for different groups. Each such pair of elements is a point on the curve, and a generator of the group is denoted by a point P. The group operation is addition, so that a private key k has the associated public key kP.
Public-key cryptosystems reduce the infrastructure required for symmetric-key cryptosystems. A device can generate an integer k and the associated public key kP. The public key is published so that it is available to other devices. The device may then use a suitable signature protocol to sign a message using the private key k and other devices may confirm the integrity of the message using the public key kP.
Similarly, a device may encrypt a message to be sent to another device using the public key of the other device. The message can then be recovered from the other device using the private key. However, these protocols are computationally intensive and, thus, relatively slow compared to symmetric cryptosystem protocols.
Public-key cryptosystems can also be used to generate a key shared by two devices. In the simplest form, proposed by Diffie and Hellman, each device sends a public key to the other device. Both devices then combine the received public key with their own private key to obtain a shared key.
A device Alice, commonly referred to as an instance (or correspondent), generates a private key ka and sends the public key kaP to another device or instance, Bob.
Bob generates a private key kb and sends the public key kbP to Alice.
Alice computes ka·kbP and Bob computes kb·kaP, so that they share a common key K = ka·kb·P = kb·ka·P. The shared key can then be used in a symmetric-key protocol. Neither Alice nor Bob can recover the other's private key, and third parties cannot reconstruct the shared key.
In order to ensure the integrity of the shared key and to ward off attacks designed to recover or replace the shared key and / or private keys within the shared key, key authentication protocols have been developed.
Key establishment is the process in which two (or more) instances create a shared secret key. The key is subsequently used to achieve a cryptographic goal such as confidentiality or data integrity.
In simple terms, there are two types of key establishment protocol: key transport protocols, in which a key is generated by one instance and securely transmitted to the second instance, and key agreement protocols, in which both parties contribute information that together generates the shared secret key. The present application is focused on key agreement protocols for public-key cryptosystems.
If Alice and Bob are two honest instances, i.e. legitimate entities that perform the steps of a protocol correctly, then a key agreement protocol is said to provide implicit key authentication (from Bob to Alice) if Alice is assured that no instance other than a specifically identified second instance (Bob) can possibly learn the value of a particular secret key. Implicit key authentication does not necessarily mean that Alice is assured that Bob actually possesses the key, but only that Alice is assured that no one other than Bob could possess it. A key agreement protocol that provides implicit key authentication to both participating parties is called an authenticated key agreement (AK) protocol.
Correspondingly, a key agreement protocol is said to provide key confirmation (from Bob to Alice) if Alice is assured that the second instance, Bob, actually possesses a particular secret key. If both implicit key authentication and key confirmation (from Bob to Alice) are provided, the key establishment protocol is said to provide explicit key authentication (from Bob to Alice). A key agreement protocol that provides explicit key authentication to both participating parties is referred to as an authenticated key agreement with key confirmation (AKC) protocol. An extensive survey of key establishment is provided in Chapter 12 of the Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone, the contents of which are incorporated by reference.
Extreme care is needed when key confirmation is separated from implicit key authentication. If an AK protocol that does not offer key confirmation is used, then, as indicated in the 1997 paper by S. Blake-Wilson, D. Johnson and A. Menezes entitled "Key Agreement Protocols and their Security Analysis", it is desirable that the agreed key be confirmed before cryptographic use. This can take place in different ways. For example, if the key is to be used subsequently to achieve confidentiality, encryption may begin with the key applied to some (carefully selected) known data. Other systems may provide key confirmation during a "real-time" telephone conversation. Separating key confirmation from implicit key authentication is sometimes desirable because it allows flexibility in choosing how a particular implementation wishes to achieve key confirmation, thereby transferring the burden of key confirmation from the establishment mechanism to the application.
Over the years, numerous Diffie-Hellman based AK and AKC protocols have been proposed; for many, however, it was subsequently found that they have security flaws. The main problems were the lack of a formal definition of appropriate adversary models and of the goals of secure AK and AKC protocols. Blake-Wilson, Johnson and Menezes provided a formal model of distributed computing and rigorous definitions of the goals of secure AK and AKC protocols within this model, building on earlier work by Bellare and Rogaway for the symmetric setting. Concrete AK and AKC protocols were proposed and their security proven in this framework in the random oracle model.
A secure protocol is expected to withstand both passive attacks (in which an adversary attempts to prevent a protocol from achieving its goals by merely observing honest instances executing the protocol) and active attacks (in which the adversary additionally subverts the communication by inserting, deleting, altering or replaying messages).
In addition to implicit key authentication and key confirmation, a number of desirable security attributes of AK and AKC protocols have been identified:
1) Known-key security. Each run of a key agreement protocol between A and B should produce a unique secret key; such keys are called session keys. A protocol should still achieve its goal in the face of an adversary who has learned some other session keys.
2) (Perfect) forward secrecy. If long-term keys of one or more instances are compromised, the secrecy of previous session keys established by honest instances is not affected.
3) Key-compromise impersonation. Suppose A's long-term key is disclosed. Obviously an adversary who knows this value can now impersonate A, since it is precisely this value that identifies A. However, it may be desirable that this loss does not enable the adversary to impersonate other instances to A.
4) Unknown key-share. Instance A cannot be coerced into sharing a key with instance B without A's knowledge, i.e. where A believes the key is shared with some instance C ≠ B while B (correctly) believes the key is shared with A.
5) Key control. Neither instance should be able to force the session key to a preselected value.
Desirable performance attributes of AK and AKC protocols include a minimal number of passes (the number of messages exchanged in one run of the protocol), low communication overhead (the total number of bits transmitted) and low computational overhead. Other attributes that may be desirable include role symmetry (the messages transmitted between the instances have the same structure), non-interactiveness (the messages transmitted between the two instances are independent of each other), and non-reliance on encryption, hash functions (as these are known to be difficult to design well) and timestamping (as it is difficult to implement securely in practice).
Therefore, it is an object of the present invention to provide a key agreement protocol, in which the aforementioned disadvantages are avoided or mitigated and the achievement of the desired features is facilitated.
SUMMARY
In one aspect, a key agreement protocol is provided that is executed between a pair of instances communicating over a data communication system, each instance having a long-term private key, an associated long-term cryptographic public key generated using the long-term private key, and an identity, the protocol comprising: at each instance, generating a respective private key for the session and an associated cryptographic public key for the session; communicating the public key for the session of each instance to the other instance; obtaining the identities of the two instances at each instance; at each instance, generating a common value by combining the public key for the session of the instance, the public key for the session of the other instance, and the identities of the two instances; at each instance, generating a respective secret value by multiplying the common value by the private key for the session of the instance and adding the result to the long-term private key of the instance; at each instance, calculating an ephemeral value by multiplying the public key for the session of the other instance by the common value and adding the result to the long-term public key of the other instance; and at each instance, generating a shared secret by combining the secret value of the instance and the ephemeral value.
In another aspect, there is provided a cryptographic communication system, the system comprising a pair of cryptographic correspondents configured to implement the embodiments of the key agreement protocol.
In a further aspect, there is provided a cryptographic correspondent apparatus comprising a processor and a memory, wherein the memory stores a long-term private key, the apparatus having an associated long-term cryptographic public key generated using the long-term private key and an identity, the memory further storing computer instructions that, when executed by the processor, cause the processor to implement a key agreement protocol comprising: generating a private key for the session and an associated cryptographic public key for the session; communicating the public key for the session via a data communication system to another cryptographic correspondent apparatus; receiving from the other cryptographic correspondent apparatus its public key for the session; obtaining the identities of the two correspondents; generating a common value by combining the public key for the session of the correspondent, the public key for the session of the other correspondent, and the identities of the two correspondents; generating a secret value by multiplying the common value by the private key for the session of the correspondent and adding the result to the long-term private key; calculating an ephemeral value by multiplying the public key for the session of the other correspondent by the common value and adding the result to the long-term public key of the other correspondent; and generating a shared secret from the secret value of the correspondent and the ephemeral value.
Generally speaking, the protocol combines the public keys for the session of each instance and the identities of each instance to obtain a common value that binds the two instances together. Each instance uses this to generate a respective secret value by combining the common value with both its session private key and its long-term private key. The secret value serves as an ephemeral private key. The other instance uses the common value to compute an ephemeral public key that corresponds to the secret value of the first instance. Each instance can then generate a shared secret from its own ephemeral private key and the ephemeral public key of the other instance.
Preferably, the shared secret is used as an input for a key derivation function to obtain a common key.
Preferably, the protocol is also implemented in an elliptic curve cryptosystem and the combination of the public keys for the sessions is performed by point addition.
As another preference, the identity of the entities is obtained by a cryptographic certificate created by a trusted party.
By connecting the instances as described above, each pass generates a new secret value, and with an appropriate choice of parameters in consideration of normal cryptographic practice, the desirable features are achieved.
DESCRIPTION OF THE DRAWINGS
An embodiment of the present invention will now be described by way of example only with reference to the accompanying drawings, in which:
FIG. 1 is a schematic representation of a data communication system;
FIG. 2 is a representation of a device used in the data communication system of FIG. 1; and
FIG. 3 is a flowchart showing the protocol implemented between a pair of devices shown in FIG.
DETAILED DESCRIPTION
As described below, an efficient two-pass AK protocol is proposed which is based on Diffie-Hellman key agreement and has many of the desirable security and performance attributes described in the 1997 paper by S. Blake-Wilson, D. Johnson and A. Menezes entitled "Key Agreement Protocols and their Security Analysis".
The protocol is described below in the setting of the group of points on an elliptic curve defined over a finite field. However, it can easily be adapted to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field, subgroups of Z_n^* where n is a composite integer, and non-trivial subgroups of Z_p^* of prime order q. Elliptic curve groups are advantageous because they offer security equivalent to the other groups but with smaller key sizes and faster computation.
Thus, referring to FIG. 1, a data communication system 10 includes a plurality of devices 12 interconnected by communication links 14. The devices 12 may be of any known type, including a computer 12a, a server 12b, a cellular phone 12c, an ATM 12d, and a smart card 12e. The communication links 14 may be conventional landline telephone connections, wireless connections implemented between the devices 12, near-field communication connections such as Bluetooth, or other conventional forms of communication.
The devices 12 differ in their intended use but typically include a communication module 20 (FIG. 2) for communicating over the links 14. A memory 22 provides a persistent storage medium for the instructions implementing the protocols and for data, as required. The instructions are executed by a cryptographic processor 30. A secure storage module 24, which may be part of the memory 22 or a separate module, is used to store private information such as the private keys used in the cryptographic protocols and to resist tampering with that data. An arithmetic logic unit (ALU) 26 is provided to execute the arithmetic operation instructions from the memory 22 using the data stored in the memories 22, 24. A random or pseudorandom number generator 28 is also included to generate bit strings representing random numbers in a cryptographically secure manner.
It will be appreciated that the device 12 illustrated in FIG. 2 is highly schematic and representative of a conventional device used in a data communication system.
The memory 22 stores the system parameters of the cryptosystem to be implemented and a set of computer-readable instructions for implementing the required protocol. In the case of an elliptic curve cryptosystem, the elliptic curve domain parameters consist of the six quantities q, a, b, P, n and h, which are:
the field size q;
the coefficients a and b of the elliptic curve;
the base point generator P;
the order n of the base point generator; and
the cofactor h, the number such that hn is the number of points on the elliptic curve.
The parameters are represented as bit strings, and the base point is represented as a pair of bit strings, each representing an element of the underlying field. As usual, one of these strings can be truncated, as the full representation can be recovered from the other coordinate and the truncated representation.
The secure memory module 24 includes a bit string representing a long-term private key d and the associated public key Q. For an elliptic curve cryptosystem, the key Q = dP.
The secure storage 24 also includes an identification ID of the device 12. Conveniently, this is a certificate created by a trusted entity to allow verification of identity by a third party. A suitable form of certificate is an ECQV certificate as set forth in the SEC 4 standard.
Ephemeral values computed by the ALU may also be stored in the secure module 24 if their value is to be secret.
The key agreement protocol is shown in Figure 3 and performed between a pair of devices, referred to as the instance Alice and the instance Bob. Values associated with Alice are labeled with the suffix A and those of Bob with the suffix B. Alice has a long-term private key dA and associated public key QA stored in secure storage module 24. Similarly, Bob has a private key dB and associated public key QB stored in his secure memory module 24.
The instances Alice and Bob want to share a common key, and thus implement the protocol shown in FIG. 3 through the instructions stored in the memory 22.
At 100, Alice generates a random integer a using the RNG 28 and stores the integer a in the secure module 24 as the private key for the session. At 102, Alice's ALU 26 computes the associated public key for the session, aP, which she sends to Bob via a communication link 16. The public key for the session, aP, is a representation of a point on the curve and comprises a pair of bit strings, each representing an element of the underlying field. In some implementations of the calculations performed by the ALU 26 only the x-coordinate of the point is needed and the y-coordinate is not required; in that case the x-coordinate represents the public key aP, and the y-coordinate can be recovered from the x-coordinate as needed. Similarly, if preferred, point compression may be used, in which an indication of the value of the y-coordinate is sent together with the x-coordinate, to reduce the bandwidth required for transmission.
Likewise, at 200, Bob, with his RNG 28, generates a random integer, which he stores in his secure module 24 as a private key for session b. An associated public key for session bP is calculated at 202 and sent to Alice via a communications link 16.
Both Alice and Bob perform point addition using the ALU 26 to compute y = bP + aP, as shown at 104, 204. The result y is another point on the curve and is therefore represented as a pair of elements. In some embodiments only the x-coordinate of the sum y of the public keys is used in the subsequent calculation.
In further embodiments, where the protocol is implemented in a hyperelliptic curve cryptosystem, the combination of the public keys is performed by addition in the Jacobian of the hyperelliptic curve.
Both Alice and Bob receive copies of the other's identity (106, 206). This can be done before the implementation of the protocol or the certificate can be sent with the public keys for the sessions. The certificate can be checked by the recipient if necessary.
At 108, 208, Alice and Bob each calculate a common value c = H(y || IDA || IDB), where H is a cryptographically secure hash function such as a SHA-2 hash function. The value c is stored in the memory 22. The common value c binds Alice and Bob together. When the identities ID are concatenated, the order in which the string hashed to obtain c is assembled must be fixed; using lexicographic order is a widespread choice. Alternatively, the identities can be combined by XORing the IDs, which allows the string to be assembled without regard to order. Likewise, if preferred, y may be combined with the IDs by XOR.
Alice calculates at 110 a component sA = dA + c·a (mod n), which uses the long-term and session private keys stored in the secure module 24.
Similarly, Bob calculates at 210 sB = dB + c·b (mod n).
From public information, including Bob's public key for the session bP, Alice may compute sBP = QB + c·bP, as shown at 112.
Similarly, Bob can compute sAP = QA + c·aP (212).
Alice and Bob each have a component calculated from private information and the common value and a component calculated from public information. These can be combined to provide a shared secret.
Thus, at 114, 214, both Alice and Bob can compute the value K = h·sA·sB·P as the shared secret.
Alice calculated sBP from public information and stored the value sA.
Similarly, Bob has calculated sAP and stored the value sB.
Another option is for Alice to compute K = sA·sBP and for Bob to compute K = sB·sAP, disregarding the cofactor h. This is useful if the value of h is small, e.g. 1, or if there is resistance to the small-subgroup attack.
The protocol described above thus generates a shared secret K between two instances. A key derivation function should be used to derive a secret key from the shared secret. This is necessary because the shared secret K may have weak bits, i.e. bits of information about K that can be predicted correctly with significant advantage.
One way to derive a key from the shared secret K is to apply a one-way hash function such as SHA-1 to K. Alternatively, other key derivation functions can be used, as described more fully in Chapter XX of the Handbook of Applied Cryptography, the contents of which are incorporated by reference.
In summary, the key agreement protocol can be implemented using the following method:
1) Alice obtains an authentic copy of Bob's long-term public key QB.
2) Alice generates a random integer a (0 < a < n) as the private key for the session.
3) Alice calculates aP and sends it to Bob.
4) Bob obtains an authentic copy of Alice's long-term public key QA.
5) Bob generates a random integer b (0 < b < n).
6) Bob calculates bP and sends it to Alice.
7) Both Alice and Bob compute y = bP + aP.
8) Both Alice and Bob compute c = H(y || IDA || IDB). (Note: IDA and IDB may each contain the public keys of Alice and Bob, and they are lexicographically ordered.)
9) Alice calculates sA = dA + c·a (mod n).
10) Alice calculates sBP = QB + c·bP. (Note: Bob sent bP to Alice and she obtained an authentic copy of QB.)
11) Bob calculates sB = dB + c·b (mod n).
12) Bob calculates, from public information, sAP = QA + c·aP.
13) Alice can now compute h·sA·sBP and Bob can now compute h·sB·sAP. In both cases the result is the same shared secret K = h·sA·sB·P.
14) If required, the shared secret can be used as the input to a key derivation function.
Another option for calculating the shared secret is K = sA·sB·P, disregarding the cofactor h. This is useful if the value of h is small, e.g. 1, or if there is resistance to the small-subgroup attack.
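The two-pass exchange summarized above, run end to end as an added worked example (this is illustrative code written for this page, not code from the patent or from the applicant). It uses the public secp256k1 domain parameters as the sextuple q, a, b, P, n, h (so h = 1), SHA-256 both as the hash H and as the key derivation function, constructed byte-string identities and fixed scalars for Alice and Bob, and adds one step the description only alludes to: each side validates the session public key it receives (on the curve, not the point at infinity, of order n) before using it, which is the standard check against the small-subgroup attack the text mentions.

```python
import hashlib
import secrets

# secp256k1 domain parameters (q, a, b, P, n, h): public standard constants,
# used here as the example curve; they are not values taken from the patent.
Q_FIELD = 2**256 - 2**32 - 977            # field size q
A_COEF, B_COEF = 0, 7                     # curve y^2 = x^3 + a*x + b
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point P
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141      # order n of P
H_COF = 1                                 # cofactor h
INF = None                                # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A_COEF * x + B_COEF)) % Q_FIELD == 0


def add(p1, p2):
    """Group operation in affine coordinates (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q_FIELD == 0:
        return INF                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, Q_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % Q_FIELD, -1, Q_FIELD)
    lam %= Q_FIELD
    x3 = (lam * lam - x1 - x2) % Q_FIELD
    return (x3, (lam * (x1 - x3) - y1) % Q_FIELD)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def encode(pt):
    """Point as the pair of fixed-width field-element bit strings the text describes."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def validate_public(pt):
    """Reject a received public key unless it is a point of order n on the curve."""
    if pt is INF or not is_on_curve(pt) or mul(N, pt) is not INF:
        raise ValueError("invalid public key")


def keygen(d=None):
    """Private scalar in (0, n) and public point d*P; d may be supplied for tests."""
    if d is None:
        d = 1 + secrets.randbelow(N - 1)
    return d, mul(d, G)


def common_value(aP, bP, id_a, id_b):
    """c = H(y || IDA || IDB) with y = bP + aP and the IDs in lexicographic order."""
    y_point = add(bP, aP)
    first, second = sorted([id_a, id_b])
    digest = hashlib.sha256(encode(y_point) + first + second).digest()
    return int.from_bytes(digest, "big") % N


def secret_value(d, e, c):
    return (d + c * e) % N                  # s = d + c*e (mod n), from own private keys


def ephemeral_value(q_other, eP_other, c):
    return add(q_other, mul(c, eP_other))   # s_other*P = Q_other + c*(e_other P), public data only


def shared_secret(s, eph_pub):
    return mul(H_COF * s, eph_pub)          # K = h * s * (s_other P)


def derive_key(k_point):
    return hashlib.sha256(encode(k_point)).digest()   # KDF: never use K's bits directly


def agree(dA, dB, a, b, id_a=b"alice", id_b=b"bob"):
    """Run both sides with the given scalars; returns every intermediate value."""
    QA, QB = mul(dA, G), mul(dB, G)         # long-term public keys, obtained authentically
    aP, bP = mul(a, G), mul(b, G)           # session public keys, sent over the link
    validate_public(bP)                     # Alice checks what she received from Bob
    validate_public(aP)                     # Bob checks what he received from Alice
    c = common_value(aP, bP, id_a, id_b)    # identical on both sides
    sA = secret_value(dA, a, c)             # Alice, from her private keys
    sB = secret_value(dB, b, c)             # Bob, from his private keys
    sBP = ephemeral_value(QB, bP, c)        # Alice, from Bob's public data
    sAP = ephemeral_value(QA, aP, c)        # Bob, from Alice's public data
    K_alice, K_bob = shared_secret(sA, sBP), shared_secret(sB, sAP)
    return {"c": c, "sA": sA, "sB": sB, "sBP": sBP, "sAP": sAP, "K_alice": K_alice,
            "K_bob": K_bob, "key_alice": derive_key(K_alice), "key_bob": derive_key(K_bob)}
```

For a live run, draw the four scalars with `keygen()` and pass them to `agree()`; with fixed scalars the intermediate values can be inspected. Because c is derived from y and both identities, the session key is bound to both session public keys and both identities: changing either identity changes c and therefore K, while the sorted concatenation makes c independent of which side's identity is listed first.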
Claims:
Claims (21)
[1]
A key agreement protocol executed between a pair of instances communicating over a data communication system, wherein each of the instances has a long-term private key, an associated long-term cryptographic public key generated using the long-term private key and a generator point, and an identity, the protocol comprising:
for each instance, generating a respective private key for the session and an associated cryptographic public key for the session;
communicating the public key for the session of each instance to the other instance;
obtaining the identities of the two instances at each instance;
at each instance, generating a common value, comprising combining the public key for the session of the instance, the public key for the session of the other instance, and the identities of each instance;
for each instance, generating a respective secret value, comprising multiplying the common value by the private key for the session of the instance and adding the result to the long-term private key of the instance;
at each instance, calculating an ephemeral value, comprising multiplying the public key for the session of the other instance by the common value and adding the result to the long-term public key of the other instance; and
at each instance, generating a shared secret by combining the secret value of the instance and the ephemeral value.
[2]
The protocol of claim 1, wherein the shared secret is used as an input for a key derivation function to obtain a common key.
[3]
The protocol of claim 1, wherein generating a common value comprises applying an XOR operation to the identities of each instance.
[4]
The protocol of claim 1, wherein the protocol is implemented in an elliptic curve cryptosystem and the combination of public keys for the sessions is performed by point addition.
[5]
The protocol of claim 1, wherein the protocol is implemented in an elliptic curve cryptosystem, and generating the common value comprises obtaining an x-coordinate from the sum of the public keys.
[6]
The protocol of claim 1, wherein the protocol is implemented in a hyperelliptic curve cryptosystem and the combination of the public keys is performed by addition in the Jacobian of the hyperelliptic curve.
[7]
The protocol of claim 1, wherein generating the public key for the session comprises a scalar multiplication of the private key for the session and the generator point.
[8]
The protocol of claim 1, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the secret value and the ephemeral value.
[9]
The protocol of claim 1, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the cofactor, the secret value, and the ephemeral value.
[10]
The protocol of claim 1, wherein the identity of the entities is obtained by a cryptographic certificate created by a trusted party.
[11]
A cryptographic communication system comprising a pair of cryptographic correspondents configured to implement the key agreement protocol of claim 1.
[12]
A cryptographic correspondent apparatus comprising a processor and a memory, wherein the memory stores a long-term private key, the apparatus having an associated long-term cryptographic public key generated using the long-term private key and a cryptographic generator point, and an identity, the memory further storing computer instructions which, when executed by the processor, cause the processor to implement a key agreement protocol comprising:
generating a private key for the session and an associated cryptographic public key for the session;
communicating the public key for the session via a data communication system to another cryptographic correspondent apparatus;
receiving from the other cryptographic correspondent apparatus its public key for the session;
obtaining the identities of the two correspondents;
generating a common value, comprising combining the public key for the session of the correspondent, the public key for the session of the other correspondent, and the identities of each correspondent;
generating a secret value, comprising multiplying the common value by the private key for the session of the correspondent and adding the result to the long-term private key;
calculating an ephemeral value, comprising multiplying the public key for the session of the other correspondent by the common value and adding the result to the long-term public key of the other correspondent; and
generating a shared secret from the secret value of the correspondent and the ephemeral value.
[13]
The apparatus of claim 12, wherein the shared secret is used as an input for a key derivation function to obtain a common key.
[14]
The apparatus of claim 12, wherein generating a common value comprises applying an XOR operation to the identities of each correspondent.
[15]
The apparatus of claim 12, wherein the protocol is implemented in an elliptic curve cryptosystem and the combination of public keys for the sessions is performed by point addition.
[16]
The apparatus of claim 12, wherein the protocol is implemented in an elliptic curve cryptosystem, and generating the common value comprises obtaining an x-coordinate from the sum of the public keys.
[17]
The apparatus of claim 12, wherein the protocol is implemented in a hyperelliptic curve cryptosystem and the combination of the public keys is performed by point addition in the Jacobian of the hyperelliptic curve.
[18]
The apparatus of claim 12, wherein generating the public key for the session comprises a scalar multiplication of the private key for the session and the generator point.
[19]
The apparatus of claim 12, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the secret value and the ephemeral value.
[20]
The apparatus of claim 12, wherein the combination of the secret value and the ephemeral value is the scalar multiplication of the cofactor, the secret value, and the ephemeral value.
[21]
The apparatus of claim 12, wherein the identity of the correspondents is obtained by a cryptographic certificate created by a trusted party.
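The key agreement of claims 12 to 20 traced through on both sides, as an added example that is not part of the patent. It assumes a hand-checkable toy curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19, cofactor 1) and, since the claims do not fix how the x-coordinate and the XOR of the identities are folded into one common value, simply adds them modulo the group order; both choices are illustrative only.

```python
P, A_COEF = 17, 2               # toy curve y^2 = x^3 + 2x + 2 over F_17 (assumption; no security)
G, N, COFACTOR = (5, 1), 19, 1  # generator of prime order 19; curve order is 19, so cofactor 1

def add(p1, p2):
    """Affine point addition on the toy curve; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (claim 18 derives session public keys this way)."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def common_value(own_sess_pub, peer_sess_pub, own_id, peer_id):
    """Claims 14 and 16: x-coordinate of the summed session keys and XOR of the identities.
    Folding them as (x + xor) mod N, with 0 mapped to 1, is an assumption, not the claim's text."""
    x_sum = add(own_sess_pub, peer_sess_pub)[0]
    return (x_sum + (own_id ^ peer_id)) % N or 1

def shared_secret(lt_priv, sess_priv, own_sess_pub, peer_sess_pub, peer_lt_pub, own_id, peer_id):
    """One correspondent's side of claim 12, with the cofactor multiplication of claim 20."""
    d = common_value(own_sess_pub, peer_sess_pub, own_id, peer_id)
    s = (d * sess_priv + lt_priv) % N                 # secret value
    e = add(mul(d, peer_sess_pub), peer_lt_pub)       # ephemeral value
    return mul(COFACTOR * s, e)                       # shared secret

def run_protocol(a, x, b, y, id_a, id_b):
    """Both sides of the exchange; returns (alice_secret, bob_secret), which must agree."""
    A, X = mul(a, G), mul(x, G)        # Alice: long-term and session key pairs
    B, Y = mul(b, G), mul(y, G)        # Bob: long-term and session key pairs
    return (shared_secret(a, x, X, Y, B, id_a, id_b),
            shared_secret(b, y, Y, X, A, id_b, id_a))
```

Both sides agree because the ephemeral value each computes equals the other side's secret value times the generator, so the shared point is (s_A * s_B) * G from either direction; a real deployment would also reject an ephemeral value that is the point at infinity or is not on the curve.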
Similar technologies:
Publication number | Publication date | Patent title
CH708239A2|2014-12-31|Key agreement protocol.
DE69935469T2|2007-11-29|Method for fast execution of decryption or authentication
DE602004004029T2|2007-11-15|Method for distributing conference keys, according to an identity-based encryption system
DE60200496T2|2005-06-23|Method and apparatus for performing an efficient password-authenticated key exchange
DE60313704T2|2008-01-17|Method and apparatus for generating a secret key
DE69633590T2|2006-02-02|Procedure for signature and session key generation
DE60036112T2|2007-12-06|SERVER SUPPORTED RECOVERY OF A STRONG SECRET FROM A WEAK SECRET
DE69636815T2|2007-11-08|Method for session key generation with implicit signatures
DE69630331T2|2004-07-29|Process for secure session key generation and authentication
DE69534603T2|2006-08-03|ENCRYPTION SYSTEM FOR ELLIPTIC CURVE
DE69918818T2|2005-08-25|A method for generating a public key in a secure digital communication system and implicit certificate
CH711133A2|2016-11-30|Protocol for signature generation.
DE69917356T2|2005-02-17|Security technology on a computer network
DE102012206341A1|2012-10-31|Shared encryption of data
DE69838258T2|2008-05-08|Public key data transmission systems
DE112012001828B4|2016-09-15|Password-based single-round key exchange protocols
DE102010002241B4|2012-03-22|Apparatus and method for efficient one-way authentication
Fujioka et al.2018|Supersingular isogeny Diffie–Hellman authenticated key exchange
CH708240A2|2014-12-31|Signature protocol and device for its implementation.
CH711134A2|2016-11-30|Key agreement protocol.
LU93024B1|2017-11-08|Method and arrangement for establishing secure communication between a first network device and a second network device
DE112012000971B4|2014-06-26|data encryption
DE69831792T2|2006-06-22|METHOD FOR THE DIGITAL SIGNATURE
EP1286494B1|2006-03-01|Method for generating an asymmetric cryptographic group-key pair
WO2016187690A1|2016-12-01|Key agreement protocol
Patent family:
Publication number | Publication date
US20160352689A1|2016-12-01|
Cited references:
Publication number | Filing date | Publication date | Applicant | Patent title
EP3273635B1|2016-07-20|2019-10-30|Mastercard International Incorporated|Secure channel establishment|
US10659222B2|2017-04-28|2020-05-19|IronCore Labs, Inc.|Orthogonal access control for groups via multi-hop transform encryption|
Legal status:
2018-05-15| PCAR| Change of the address of the representative|Free format text: NEW ADDRESS: HOLEESTRASSE 87, 4054 BASEL (CH) |
2018-07-13| NV| New agent|Representative's name: ISLER AND PEDRAZZINI AG, CH |
2018-10-15| AZW| Rejection (application)|
Priority:
Application number | Filing date | Patent title
US14/721,564|US20160352689A1|2015-05-26|2015-05-26|Key agreement protocol|