WO2000067423A1 - Public-key signature methods and systems - Google Patents
- Publication number
- WO2000067423A1 (PCT/IB2000/000692)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- vinegar
- variables
- oil
- scheme
- signature
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
Definitions
- the present invention generally relates to cryptography, and more particularly to public-key cryptography.
- $y_1 = P_1(x_1, \ldots, x_n)$
- $y_2 = P_2(x_1, \ldots, x_n)$
- $P_1, \ldots, P_k$ are multivariable polynomials of small total degree, typically, less than or equal to 8, and in many cases, exactly two.
- the C* scheme is described in an article titled "Public Quadratic Polynomial-tuples for Efficient Signature Verification and Message-encryption" in Proceedings of EUROCRYPT'88, Springer-Verlag, pp. 419 - 453.
- the HFE scheme is described in an article titled "Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms" in Proceedings of EUROCRYPT'96, Springer-Verlag, pp. 33 - 48.
- the present invention seeks to improve security of digital signature cryptographic schemes in which the public-key is given as a set of k multivariable polynomial equations, typically, over a finite mathematical field K
- the present invention seeks to improve security of the basic form of the "Oil and Vinegar” and the HFE schemes
- An "Oil and Vinegar” scheme which is modified to improve security according to the present invention is referred to herein as an unbalanced "Oil and Vinegar” (UOV) scheme
- UOV unbalanced "Oil and Vinegar"
- An HFE scheme which is modified to improve security according to the present invention is referred to herein as an HFEV scheme
- a set S1 of k polynomial functions is supplied as a public-key
- the set S1 preferably includes the functions $P_1(x_1,\ldots,x_{n+v},y_1,\ldots,y_k),\ldots,P_k(x_1,\ldots,x_{n+v},y_1,\ldots,y_k)$, where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type, and $y_1,\ldots,y_k$ are k variables of a second type
- the set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k),\ldots,P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ where $a_1,\ldots,a_{n+v}$ are n+v variables which include a set of n "oil" variables $a_1,\ldots,a_n$, and a set of
- k values $b_1,\ldots,b_k$ are preferably substituted for the variables $y_1,\ldots,y_k$ of the set S2 respectively so as to produce a set S3 of k polynomial functions $P''_1(a_1,\ldots,a_{n+v}),\ldots,P''_k(a_1,\ldots,a_{n+v})$. Then, v values $a'_{n+1},\ldots,a'_{n+v}$ may be selected for the v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$, either randomly or according to a predetermined selection algorithm.
- the secret key operation may be applied to transform $a'_1,\ldots,a'_{n+v}$ to a digital signature $e_1,\ldots,e_{n+v}$.
- the generated digital signature $e_1,\ldots,e_{n+v}$ may be verified by a verifier which may include, for example, a computer or a smart card.
- the verifier preferably obtains the signature $e_1,\ldots,e_{n+v}$, the message, the hash function and the public key. Then, the verifier may apply the hash function on the message to produce the series of k values $b_1,\ldots,b_k$.
- a digital signature cryptographic method including the steps of supplying a set S1 of k polynomial functions as a public-key, the set S1 including the functions $P_1(x_1,\ldots,x_{n+v},y_1,\ldots,y_k),\ldots,P_k(x_1,\ldots,x_{n+v},y_1,\ldots,y_k)$, where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type, $y_1,\ldots,y_k$ are k variables of a second type, and the set S1 is obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k),\ldots,P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ where $a_1,\ldots,a_{n+v}$ are
- the method also includes the step of verifying the digital signature.
- the secret key operation preferably includes a secret affine transformation s on the n+v variables $a_1,\ldots,a_{n+v}$.
- the set S2 includes the set f(a) of k polynomial functions of the HFEV scheme.
- the set S2 preferably includes an expression including k functions that are derived from a univariate polynomial.
- the univariate polynomial preferably includes a univariate polynomial of degree less than or equal to 100,000.
- the set S2 includes the set S of k polynomial functions of the UOV scheme.
- the supplying step may preferably include the step of selecting the number v of "vinegar” variables to be greater than the number n of "oil” variables.
- v is selected such that $q^v$ is greater than $2^{32}$, where q is the number of elements of a finite field K.
- the supplying step includes the step of obtaining the set S1 from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the $y_1,\ldots,y_k$ variables in the k polynomial functions $P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k),\ldots,P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables.
- an improvement of an "Oil and Vinegar” signature method including the step of using more "vinegar” variables than "oil” variables.
- FIG. 1 is a simplified block diagram illustration of a preferred implementation of a system for generating and verifying a digital signature to a message, the system being constructed and operative in accordance with a preferred embodiment of the present invention
- Fig. 2A is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message, the method being operative in accordance with a preferred embodiment of the present invention.
- Fig. 2B is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A, the method being operative in accordance with a preferred embodiment of the present invention.
- Appendix I is an article by Aviad Kipnis, Jacques Patarin and Louis Goubin submitted for publication by Springer- Verlag in Proceedings of EUROCRYPT'99, the article describing variations of the UOV and the HFEV schemes.
- FIG. 1 is a simplified block diagram illustration of a preferred implementation of a system 10 for generating and verifying a digital signature to a message, the system 10 being constructed and operative in accordance with a preferred embodiment of the present invention.
- the system 10 includes a computer 15, such as a general purpose computer, which communicates with a smart card 20 via a smart card reader 25.
- the computer 15 may preferably include a digital signature generator 30 and a digital signature verifier 35 which may communicate data via a communication bus 40.
- the smart card 20 may preferably include a digital signature generator 45 and a digital signature verifier 50 which may communicate data via a communication bus 55.
- a signer of a message and a receptor of a signed message agree on a public-key which is published, and on a hash function to be used. In a case that the hash function is compromised, the signer and the receptor may agree to change the hash function. It is appreciated that a generator of the public-key need not be the signer or the receptor.
- the digital signature verifier 35 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
- the digital signature verifier 50 may verify a signature generated by one of the digital signature generator 30 and the digital signature generator 45.
- FIG. 2A which is a simplified flow chart illustration of a preferred digital signature cryptographic method for generating a digital signature to a message in a first processor (not shown), and to Fig. 2B which is a simplified flow chart illustration of a preferred digital signature cryptographic method for verifying the digital signature of Fig. 2A in a second processor (not shown), the methods of Figs. 2A and 2B being operative in accordance with a preferred embodiment of the present invention.
- Figs 2A and 2B may be implemented in hardware, in software or in a combination of hardware and software
- the first processor and the second processor may be identical
- the method may be implemented by the system 10 of Fig 1 in which the first processor may be comprised, for example, in the computer 15, and the second processor may be comprised in the smart card 20, or vice versa
- Figs 2A and 2B are described in Appendix I which is incorporated herein
- the applications of the methods of Figs 2A and 2B may be employed to modify the basic form of the "Oil and Vinegar" scheme and the HFE scheme thereby to produce the
- Appendix I includes an unpublished article by Aviad Kipnis, Jacques
- a set S1 of k polynomial functions is preferably supplied as a public-key (step 100) by a generator of the public-key (not shown) which may be, for example, the generator 30 of Fig 1, the generator 45 of Fig 1, or an external public-key generator (not shown)
- the set S1 preferably includes the functions $P_1(x_1,\ldots,x_{n+v},y_1,\ldots,y_k),\ldots,P_k(x_1,\ldots,x_{n+v},y_1,\ldots,y_k)$, where k, v, and n are integers, $x_1,\ldots,x_{n+v}$ are n+v variables of a first type, and $y_1,\ldots,y_k$ are k variables of a second type
- the set S1 is preferably obtained by applying a secret key operation on a set S2 of k polynomial functions $P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k),\ldots,P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ where $a_1,\ldots,a_{n+v}$ are n+v variables which include a set of n "oil" variables $a_1,\ldots,a_n$, and a set of v "vinegar" variables a_{n+
- oil variables and "vinegar” variables refer to "oil” variables and "vinegar” variables as defined in the basic form of the "Oil and
- a signer may apply a hash function on the message to produce a series of k values $b_1,\ldots,b_k$ (step 110).
- the signer may be, for example, the generator 30 or the generator 45 of Fig. 1.
- the series of k values $b_1,\ldots,b_k$ is preferably substituted for the variables $y_1,\ldots,y_k$ of the set S2 respectively so as to produce a set S3 of k polynomial functions $P''_1(a_1,\ldots,a_{n+v}),\ldots,P''_k(a_1,\ldots,a_{n+v})$ (step 115).
- v values $a'_{n+1},\ldots,a'_{n+v}$ may be randomly selected for the v "vinegar" variables $a_{n+1},\ldots,a_{n+v}$ (step 120).
- the v values $a'_{n+1},\ldots,a'_{n+v}$ may be selected according to a predetermined selection algorithm.
- the secret key operation may be applied to transform $a'_1,\ldots,a'_{n+v}$ to a digital signature $e_1,\ldots,e_{n+v}$ (step 130).
- the generated digital signature $e_1,\ldots,e_{n+v}$ may be verified according to the method described with reference to Fig. 2B by a verifier of the digital signature (not shown) which may include, for example, the verifier 35 or the verifier 50 of Fig. 1.
- the verifier preferably obtains the signature $e_1,\ldots,e_{n+v}$, the message, the hash function and the public key (step 200). Then, the verifier may apply the hash function on the message to produce the series of k values $b_1,\ldots,b_k$ (step 205).
- the generation and verification of the digital signature as mentioned above may be used for the HFEV by allowing the set S2 to include the set f(a) of k polynomial functions of the HFEV scheme as described in Appendix I.
- the methods of Figs 2A and 2B enable obtaining of digital signatures which are typically smaller than digital signatures obtained in conventional number theoretic cryptography schemes, such as the well known RSA scheme
- the set S1 may be supplied with the number v of "vinegar" variables being selected to be greater than the number n of "oil" variables
- v may be also selected such that $q^v$ is greater than $2^{32}$, where q is the number of elements of a finite field K over which the sets S1, S2 and S3 are provided
- the S1 may be obtained from a subset S2' of k polynomial functions of the set S2, the subset S2' being characterized by that all coefficients of components involving any of the $y_1,\ldots,y_k$ variables in the k polynomial functions $P'_1(a_1,\ldots,a_{n+v},y_1,\ldots,y_k),\ldots,P'_k(a_1,\ldots,a_{n+v},y_1,\ldots,y_k)$ are zero, and the number v of "vinegar" variables is greater than the number n of "oil" variables
- the number v of "vinegar” variables is chosen to be equal to the number n of "oil” variables
- Aviad Kipnis who is one of the inventors of the present invention
- Adi Shamir have shown, in the above mentioned Proceedings of CRYPTO 98, Springer, LNCS n°1462, on pages 257 - 266, a cryptanalysis of the basic "Oil and Vinegar” signature scheme which renders the basic "Oil and Vinegar” scheme insecure
- the basic "Oil and Vinegar” scheme may be shown to be insecure for any number v of "vinegar” variables which is lower than the number n of "oil” variables
- the inventors of the present invention have found, as described in
- the UOV scheme is considered secure for values of v which satisfy the inequality q ⁇ "1 1 * n 4 > 2 40 .
- the number v of "vinegar" variables may be selected so as to satisfy the inequalities v ⁇ n 2 and q (v ⁇ nH * n 4 >2 40 . It is appreciated that for values of v which are higher than n 2 /2 but less than or equal to n 2 , the UOV is also considered secure, and solving the set SI is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n 2 , the UOV is believed to be insecure.
- the UOV scheme is considered secure for values of v which are substantially greater than n*(l + sqrt(3)) and lower than or equal to n 6. It is appreciated that for values of v which are higher than n 3 /6 but lower than or equal to n 3 /2, the UOV is also considered secure, and solving the set S 1 is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n /2, and for values of v which are lower than n*(l + sqrt(3)), the UOV is believed to be insecure.
- the UOV scheme is considered secure for values of v which are substantially greater than n and lower than or equal to n 4 . It is appreciated that for values of v which are higher than n 3 /6 but lower than or equal to n 4 , the UOV is also considered secure, and solving the set SI is considered to be as difficult as solving a random set of k equations. For values of v which are higher than n 4 , and for values of v which are lower than n, the UOV is believed to be insecure.
- the set S2 may include an expression which includes k functions that are derived from a univariate polynomial.
- the univariate polynomial may include a polynomial of degree less than or equal to 100,000 on an extension field of degree n over K.
- UOV is a very simple scheme: the original Oil and Vinegar signature scheme (of [16]) was broken (see [10]), but if we have significantly more "vinegar” unknowns than "oil” unknowns (a definition of the "oil” and “vinegar” unknowns can be found in section 2), then the attack of [10] does not work and the security of this more general scheme (called UOV) is still an open problem.
- UOV Oil and Vinegar schemes of degree three (instead of two).
- HFEV HFEV combines the ideas of HFE (of [14]) and of vinegar variables. HFEV looks more efficient than the original HFE scheme.
- section 13 we present what we know about the main schemes in this area of multivariate polynomials.
- n and v be two integers.
- q n _ 2 128 (in section 8, we will see that q n _ 2 64 is also possible).
- the secret key is made of two parts:
- a bijective and affine function $s: K^{n+v} \to K^{n+v}$.
- affine we mean that each component of the output can be written as a polynomial of degree one in the n + v input unknowns, and with coefficients in K.
- the coefficients tJ k, j k- ⁇ i j , ⁇ t ' J an ⁇ 3 ⁇ t are the secret coefficients of these n equations.
- the values $a_1, \ldots, a_n$ (the "oil" unknowns) and $a'_1, \ldots, a'_v$ (the "vinegar" unknowns) lie in K. Note that these equations (S) contain no terms in $a_i a_j$.
- Each value $y_i$, $1 \le i \le n$, can be written as a polynomial $P_i$ of total degree two in the $x_j$ unknowns, $1 \le j \le n + v$.
- V the set of the following n equations:
- Step 1: We find n unknowns $a_1, \ldots, a_n$ of K and v unknowns $a'_1, \ldots, a'_v$ of K such that the n equations (S) are satisfied. This can be done as follows: we randomly choose the v vinegar unknowns $a'_i$, and then we compute the $a_i$ unknowns from (S) by Gaussian reductions (because, since there are no $a_i a_j$ terms, the (S) equations are affine in the $a_i$ unknowns when the $a'_i$ are fixed).
- a signature x of y is valid if and only if all the (V) are satisfied. As a result, no secret is needed to check whether a signature is valid: this is an asymmetric signature scheme.
- the name "Oil and Vinegar" comes from the fact that, in the equations (S), the "oil unknowns" $a_i$ and the "vinegar unknowns" $a'_j$ are not all mixed together: there are no $a_i a_j$ products.
- (V) this property is hidden by the "mixing" of the unknowns by the s transformation. Is this property "hidden enough" ? In fact, this question exactly means: “is the scheme secure ?” .
- G ⁇ S I R _ l I S', where S is an invertible In x In matrix.
- Definition 3.1 We define the oil subspace to be the linear subspace of all vectors in $K^{2n}$ whose second half contains only zeros.
- E and F be 2n × 2n matrices with an upper left zero n × n submatrix. If F is invertible then the oil subspace is an invariant subspace of $EF^{-1}$.
- Theorem 3.1 O is a common invariant subspace of all the matrices G tJ . Proof:
- the two inner matrices have the form of E and F in lemma 1. Therefore, the oil subspace is an invariant subspace of the inner term and 0 is an invariant subspace of G G ⁇ l .
- Lemma 1 is not true any more when v > n.
- the oil subspace is still mapped by E and F into the vinegar subspace.
- “1 does not necessary maps the image by E of the oil subspace back into the oil subspace and this is why the cryptanalysis of the original oil and vinegar is not valid for the unbalanced case.
- Definition 4.1 We define in this section the oil subspace to be the linear subspace of all vectors in $K^{n+v}$ whose last v coordinates are only zeros.
- vinegar subspace was the linear subspace of all vectors in $K^{n+v}$ whose first n coordinates are only zeros.
- a t is a n x v matrix
- B ⁇ is a v x n matrix
- C ⁇ is a v x ⁇ matrix
- S is a (n + v) x (n + v) invertible linear matrix.
- the algorithm we propose is probabilistic. It looks for an invariant subspace of the oil subspace after it is transformed by S. The probability for the algorithm to succeed on the first try is small. Therefore we need to repeat it with different inputs. We use the following property: any linear combination of the matrices
- the inner term is an invariant subspace of the oil subspace with the required probability. Therefore, the same will hold for FG k , but instead of a subspace of the oil subspace, we get a subspace of O.
- Lemma 3 gives a polynomial test to distinguish between subspaces of O and random subspaces. If the matrix we used has no minimal subspace which is also a subspace of O, then we pick another linear combination of $G_1, \ldots, G_n$, multiply it by an inverse of one of the $G_k$ matrices and try again. After repeating this process approximately q d ⁇ x times, we find with good probability at least one zero vector of O. We continue the process until we get n independent vectors of O. These vectors span O. The expected complexity of the process is proportional to q d ⁇ 1 ⁇ n 4 . We use here the expected number of tries until we find a non-trivial invariant subspace, and the term $n^4$ covers the computational linear algebra operations we need to perform for every try.
- (A) be a random set of n quadratic equations in (n + v) variables $x_1, \ldots, x_{n+v}$.
- (By "random” we mean that the coefficients of these equations are uniformly and randomly chosen).
- v ⁇ and more generally when v _ )
- n+ ⁇ C ( n+v,l ⁇ + Q -n+v, 2 ' ⁇ ⁇ ⁇ ⁇ Ctn+v,n+vX n +v
- the system may have a solution, but finding the solution might be a difficult problem. This is why an Unbalanced Oil and Vinegar scheme might be secure (for well chosen parameters): there is always a linear change of variables that makes the problem easy to solve, but finding such a change of variables might be difficult.
- the main idea of the algorithm consists in using a change of variables such as:
- ⁇ Xn+v whose a ltJ coefficients (for 1 ⁇ i ⁇ n, 1 ⁇ j ⁇ n + v) are found step by step, in order that the resulting system (S 1 ) (written with respect to these new variables 2/ ⁇ , ..., y n +v) is easy to solve.
- n vectors ⁇ ' , ..., ' • are very likely to be
- ⁇ tJ constants i.e. those with n + 1 ⁇ i ⁇ n + ⁇ and 1 ⁇ j ⁇ n + 1) are randomly chosen, so as to obtain a bijective change of variables.
- the cryptanalyst can specify about n — 1 of the coordinates d k of d, since the vectorial space of the correct d is of dimension n. It remains thus to solve n - (n + v) quadratic equations in (v + 1) unknowns d ⁇ .
- v is not too large (typically when ⁇ v+ 2 ' ⁇ n(n + ⁇ ), i.e. when v ⁇ (1 + y/3)n)
- this is expected to be easy.
- ⁇ ⁇ approximately (1 + y/S)n and ⁇ K ⁇ is odd, this gives a simple way to break the scheme.
- ⁇ l , a t and ⁇ o are elements of the field F ⁇ « .
- v be an integer (v will be the number of extra x % variables, or the number of "vinegar" variables that we will add in the scheme).
- a' — (a[, ⁇ , ' v ) be a ⁇ -uple of variables of K.
- each a ⁇ of (1) be an element of ⁇ q n such that each of the n components of ⁇ 2 in a basis is a secret random linear function of the vinegar variables ⁇ i , ..., a' v .
- ⁇ o be an element of F 9 n such that each one of the n components of ⁇ o in a basis is a secret random quadratic function of the variables a[ , ..., a' ⁇ .
- the n + v variables oi , ..., ⁇ ordinate, a[ , ..., a' ⁇ will be mixed in the secret affine bijection s in order to obtain the variables x , ..., x n + v .
- t(b ⁇ , ..., b n ) (y ⁇ , —, y n ), where t is a secret affine bijection.
- oilxoil such as a 17 , a 12 , a 10 , etc
- oilxvinegar such as ⁇ ea l ⁇ , ⁇ % cP, etc
- vinegar x vinegar in ⁇ o
- the signature scheme is the one of section 8, and the length of a signature is only 192 bits (or 256 bits) in this case. More examples of possible parameters are given in the extended version of this paper.
- HFE- is just an HFE where some of the public equations are not published. Due to [1] and [2], it may be recommended to do this (despite the fact that original HFE may be secure without it). In the extended version of [14] a second challenge of US $500 is described on a HFE- .
- HFEV is described in this paper. HFEV and HFEV- look very hard to break. Moreover, HFEV is more efficient than the original HFE and it can give public key signatures of only 80 bits!
- HM and HM- were designed in [20]. Very little analysis has been done on these schemes (but maybe we can recommend using HM- instead of HM?).
- IP was designed in [14]. IP schemes have the best proofs of security so far (see [19]). IP is very simple and can be seen as a nice generalization of Graph Isomorphism. The original Oil and Vinegar was presented in [16] and broken in [10].
- HFE Hidden Fields Equations
- IP Isomorphisms of Polynomials
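The signing and verification steps described in the Definitions above (pick the vinegar unknowns at random, solve the now-affine equations (S) for the oil unknowns by Gaussian reduction, map the result through the secret s, then check the public equations), as an added toy example that is not code from the patent or its authors. The field GF(31), the sizes n = 3 and v = 7, the homogeneous quadratic forms, the linear (rather than affine) s, the hash-to-field mapping and all function names are assumptions made for illustration; the parameters are far too small for real use.

```python
import hashlib
import secrets

Q = 31        # toy field K = GF(31); assumed for illustration
N_OIL = 3     # n: oil unknowns (also the number of equations k in this toy)
N_VIN = 7     # v: vinegar unknowns, chosen with v > n (unbalanced)
N = N_OIL + N_VIN
rng = secrets.SystemRandom()


def vinegar_bound_ok(q, v):
    """Parameter condition stated on the page: q^v must be greater than 2^32."""
    return q ** v > 2 ** 32


def solve(A, b):
    """Solve A x = b over GF(Q) by Gaussian reduction; None if A is singular."""
    m = len(A)
    M = [[e % Q for e in row] + [bi % Q] for row, bi in zip(A, b)]
    for col in range(m):
        piv = next((r for r in range(col, m) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [(e * inv) % Q for e in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(er - f * ec) % Q for er, ec in zip(M[r], M[col])]
    return [M[r][m] for r in range(m)]


def quad(F, x):
    """Evaluate the quadratic form x^t F x over GF(Q)."""
    return sum(F[i][j] * x[i] * x[j] for i in range(N) for j in range(N)) % Q


def keygen():
    # Secret equations (S): random quadratic forms with a zero oil x oil block,
    # so no a_i * a_j product of two oil unknowns ever appears.
    central = [[[0 if (i < N_OIL and j < N_OIL) else rng.randrange(Q)
                 for j in range(N)] for i in range(N)] for _ in range(N_OIL)]
    # Secret mixing: a = T x, so T plays the role of s^-1 (linear here).
    while True:
        T = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        if solve(T, [0] * N) is not None:      # keep only invertible T
            break
    # Public equations (V): P_i = T^t F_i T, hence P_i(x) = F_i(T x).
    public = []
    for F in central:
        FT = [[sum(F[i][k] * T[k][j] for k in range(N)) % Q
               for j in range(N)] for i in range(N)]
        public.append([[sum(T[k][i] * FT[k][j] for k in range(N)) % Q
                        for j in range(N)] for i in range(N)])
    return public, (central, T)


def hash_to_field(message):
    """Toy mapping of a message to the n values b_1..b_n (slightly biased)."""
    digest = hashlib.sha256(message).digest()
    return [digest[i] % Q for i in range(N_OIL)]


def sign(secret, message):
    central, T = secret
    y = hash_to_field(message)
    while True:
        vin = [rng.randrange(Q) for _ in range(N_VIN)]   # random vinegar values
        A, b = [], []
        for F, yi in zip(central, y):
            # With the vinegars fixed, each equation is affine in the oils.
            A.append([sum((F[j][N_OIL + k] + F[N_OIL + k][j]) * vin[k]
                          for k in range(N_VIN)) % Q for j in range(N_OIL)])
            const = sum(F[N_OIL + k][N_OIL + l] * vin[k] * vin[l]
                        for k in range(N_VIN) for l in range(N_VIN)) % Q
            b.append((yi - const) % Q)
        oil = solve(A, b)
        if oil is not None:                  # singular system: draw new vinegars
            return solve(T, oil + vin)       # x with T x = a, i.e. x = s(a)


def verify(public, message, signature):
    """Public check: canonical encoding, then every equation of (V) must hold."""
    y = hash_to_field(message)
    return (len(signature) == N
            and all(isinstance(e, int) and 0 <= e < Q for e in signature)
            and all(quad(P, signature) == yi for P, yi in zip(public, y)))


if __name__ == "__main__":
    pub, sec = keygen()
    msg = b"constructed sample message"
    sig = sign(sec, msg)
    print("signature:", sig, "valid:", verify(pub, msg, sig))
```

Verification uses only the public matrices, while signing needs both the zero oil × oil structure and T, which is the asymmetry the description relies on.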
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES99401048T ES2230814T3 (en) | 1999-04-29 | 1999-04-29 | METHODS AND SYSTEMS OF PUBLIC KEY SIGNATURE. |
AU46028/00A AU774346B2 (en) | 1999-04-29 | 2000-04-28 | Public-key signature methods and systems |
BRPI0006085A BRPI0006085B1 (en) | 1999-04-29 | 2000-04-28 | public key signing systems and methods |
JP2000616162A JP4183387B2 (en) | 1999-04-29 | 2000-04-28 | Methods and systems for signing public keys |
HK02100489.6A HK1039004B (en) | 1999-04-29 | 2002-01-22 | Public-key signature methods and systems |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP99401048.6 | 1999-04-29 | ||
EP99401048A EP1049289B1 (en) | 1999-04-29 | 1999-04-29 | Public-key signature methods and systems |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000067423A1 (en) | 2000-11-09 |
Family
ID=8241961
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2000/000692 WO2000067423A1 (en) | 1999-04-29 | 2000-04-28 | Public-key signature methods and systems |
Country Status (12)
Country | Link |
---|---|
US (1) | US7100051B1 (en) |
EP (1) | EP1049289B1 (en) |
JP (2) | JP4183387B2 (en) |
CN (1) | CN1285191C (en) |
AU (1) | AU774346B2 (en) |
BR (1) | BRPI0006085B1 (en) |
DE (1) | DE69920875T2 (en) |
DK (1) | DK1049289T3 (en) |
ES (1) | ES2230814T3 (en) |
HK (1) | HK1039004B (en) |
IL (1) | IL135647A (en) |
WO (1) | WO2000067423A1 (en) |
Families Citing this family (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2810139B1 (en) * | 2000-06-08 | 2002-08-23 | Bull Cp8 | METHOD FOR SECURING THE PRE-INITIALIZATION PHASE OF AN ON-BOARD ELECTRONIC CHIP SYSTEM, ESPECIALLY A CHIP CARD, AND ON-BOARD SYSTEM IMPLEMENTING THE METHOD |
WO2002084590A1 (en) * | 2001-04-11 | 2002-10-24 | Applied Minds, Inc. | Knowledge web |
US20030196094A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Method and apparatus for authenticating the content of a distributed database |
US7844610B2 (en) * | 2003-12-12 | 2010-11-30 | Google Inc. | Delegated authority evaluation system |
US20030195834A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Automated online purchasing system |
US8069175B2 (en) | 2002-04-10 | 2011-11-29 | Google Inc. | Delegating authority to evaluate content |
US7600118B2 (en) * | 2002-09-27 | 2009-10-06 | Intel Corporation | Method and apparatus for augmenting authentication in a cryptographic system |
AU2003297193A1 (en) | 2002-12-13 | 2004-07-09 | Applied Minds, Inc. | Meta-web |
US8012025B2 (en) * | 2002-12-13 | 2011-09-06 | Applied Minds, Llc | Video game controller hub with control input reduction and combination schemes |
US20050131918A1 (en) * | 2003-12-12 | 2005-06-16 | W. Daniel Hillis | Personalized profile for evaluating content |
CN1870499B (en) * | 2005-01-11 | 2012-01-04 | 丁津泰 | Method for generating multiple variable commom key password system |
US7961876B2 (en) * | 2005-01-11 | 2011-06-14 | Jintai Ding | Method to produce new multivariate public key cryptosystems |
WO2007057610A1 (en) * | 2005-11-18 | 2007-05-24 | France Telecom | Cryptographic system and method of authentication or signature |
FR2916317B1 (en) * | 2007-05-15 | 2009-08-07 | Sagem Defense Securite | PROTECTION OF EXECUTION OF A CRYPTOGRAPHIC CALCULATION |
CN101321059B (en) * | 2007-06-07 | 2011-02-16 | 管海明 | Method and system for encoding and decoding digital message |
FR2918525A1 (en) | 2007-07-06 | 2009-01-09 | France Telecom | ASYMMETRICAL ENCRYPTION OR SIGNATURE VERIFICATION PROCESS. |
CN101227286B (en) * | 2008-01-31 | 2010-04-14 | 北京飞天诚信科技有限公司 | Method for generating message authentication code |
WO2011033642A1 (en) * | 2009-09-17 | 2011-03-24 | 株式会社 東芝 | Signature generation device and signature verification device |
JP2011107528A (en) * | 2009-11-19 | 2011-06-02 | Sony Corp | Information processing apparatus, key generating apparatus, signature verifying apparatus, information processing method, signature generating method, and program |
IL205803A0 (en) * | 2010-05-16 | 2010-12-30 | Yaron Sella | Collision-based signature scheme |
IL206139A0 (en) | 2010-06-02 | 2010-12-30 | Yaron Sella | Efficient multivariate signature generation |
IL207918A0 (en) | 2010-09-01 | 2011-01-31 | Aviad Kipnis | Attack-resistant multivariate signature scheme |
JP5790287B2 (en) * | 2011-08-12 | 2015-10-07 | ソニー株式会社 | Information processing apparatus, information processing method, program, and recording medium |
US20160149708A1 (en) * | 2013-07-12 | 2016-05-26 | Koninklijke Philips N.V. | Electronic signature system |
CN103457726B (en) * | 2013-08-26 | 2016-12-28 | 华南理工大学 | Multi-variable public key ciphering method based on matrix |
CN103780383B (en) * | 2014-01-13 | 2017-05-31 | 华南理工大学 | One kind is based on hyperspherical multivariable public key signature/checking system and method |
CN104009848B (en) * | 2014-05-26 | 2017-09-29 | 华南理工大学 | A kind of multivariate digital signature system and method for mixed type |
CN105245343B (en) * | 2015-09-22 | 2018-09-14 | 华南理工大学 | A kind of online static signature system and method based on multivariable cryptographic technique |
JP7322763B2 (en) | 2020-03-13 | 2023-08-08 | 日本電信電話株式会社 | Key generation device, key generation method and program |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
NZ240019A (en) * | 1991-09-30 | 1996-04-26 | Peter John Smith | Public key encrypted communication with non-multiplicative cipher |
US5375170A (en) | 1992-11-13 | 1994-12-20 | Yeda Research & Development Co., Ltd. | Efficient signature scheme based on birational permutations |
US5263085A (en) | 1992-11-13 | 1993-11-16 | Yeda Research & Development Co. Ltd. | Fast signature scheme based on sequentially linearized equations |
FR2737370B1 (en) * | 1995-07-27 | 1997-08-22 | Bull Cp8 | CRYPTOGRAPHIC COMMUNICATION METHOD |
FR2744309B1 (en) * | 1996-01-26 | 1998-03-06 | Bull Cp8 | ASYMMETRIC CRYPTOGRAPHIC COMMUNICATING METHOD, AND PORTABLE OBJECT THEREOF |
US6076163A (en) * | 1997-10-20 | 2000-06-13 | Rsa Security Inc. | Secure user identification based on constrained polynomials |
-
1999
- 1999-04-29 ES ES99401048T patent/ES2230814T3/en not_active Expired - Lifetime
- 1999-04-29 DK DK99401048T patent/DK1049289T3/en active
- 1999-04-29 DE DE69920875T patent/DE69920875T2/en not_active Expired - Lifetime
- 1999-04-29 EP EP99401048A patent/EP1049289B1/en not_active Expired - Lifetime
-
2000
- 2000-04-13 IL IL135647A patent/IL135647A/en not_active IP Right Cessation
- 2000-04-19 US US09/552,115 patent/US7100051B1/en not_active Expired - Lifetime
- 2000-04-28 JP JP2000616162A patent/JP4183387B2/en not_active Expired - Lifetime
- 2000-04-28 BR BRPI0006085A patent/BRPI0006085B1/en active IP Right Grant
- 2000-04-28 AU AU46028/00A patent/AU774346B2/en not_active Expired
- 2000-04-28 CN CNB008010382A patent/CN1285191C/en not_active Expired - Lifetime
- 2000-04-28 WO PCT/IB2000/000692 patent/WO2000067423A1/en active IP Right Grant
2002
- 2002-01-22 HK HK02100489.6A patent/HK1039004B/en not_active IP Right Cessation
2005
- 2005-04-12 JP JP2005114430A patent/JP2005253107A/en active Pending
Non-Patent Citations (2)
Title |
---|
KIPNIS A ET AL: "Cryptanalysis of the oil and vinegar signature scheme", ADVANCES IN CRYPTOLOGY - CRYPTO '98. 18TH ANNUAL INTERNATIONAL CRYPTOLOGY CONFERENCE. PROCEEDINGS, SANTA BARBARA, CA, USA, 23-27 AUG. 1998, 1998, Berlin, Germany, Springer-Verlag, Germany, pages 257 - 266, XP002116820, ISBN: 3-540-64892-5 * |
PATARIN J: "HIDDEN FIELDS EQUATIONS (HFE) AND ISOMORPHISMS OF POLYNOMIALS (IP): TWO NEW FAMILIES OF ASYMMETRIC ALGORITHMS", ADVANCES IN CRYPTOLOGY - EUROCRYPT '96 INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOGRAPHIC TECHNIQUES, SARAGOSSA, MAY 12 - 16, 1996, 12 May 1996 (1996-05-12), MAURER U (ED.), pages 33 - 48, XP000725433, ISBN: 3-540-61186-X * |
Also Published As
Publication number | Publication date |
---|---|
AU774346B2 (en) | 2004-06-24 |
JP2005253107A (en) | 2005-09-15 |
EP1049289B1 (en) | 2004-10-06 |
BR0006085A (en) | 2001-03-20 |
AU4602800A (en) | 2000-11-17 |
IL135647A0 (en) | 2001-05-20 |
JP2002543478A (en) | 2002-12-17 |
CN1285191C (en) | 2006-11-15 |
DE69920875T2 (en) | 2005-10-27 |
CN1314040A (en) | 2001-09-19 |
EP1049289A1 (en) | 2000-11-02 |
DE69920875D1 (en) | 2004-11-11 |
IL135647A (en) | 2010-11-30 |
ES2230814T3 (en) | 2005-05-01 |
HK1039004A1 (en) | 2002-04-04 |
BRPI0006085B1 (en) | 2016-05-10 |
US7100051B1 (en) | 2006-08-29 |
JP4183387B2 (en) | 2008-11-19 |
DK1049289T3 (en) | 2005-02-14 |
HK1039004B (en) | 2007-05-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Kipnis et al. | Unbalanced oil and vinegar signature schemes | |
WO2000067423A1 (en) | Public-key signature methods and systems | |
Patarin et al. | C−+* and HM: Variations around two schemes of T. Matsumoto and H. Imai | |
Patarin et al. | QUARTZ, 128-Bit Long Digital Signatures: http://www.minrank.org/quartz | |
Fouque et al. | Differential cryptanalysis for multivariate schemes | |
Eichlseder et al. | An algebraic attack on ciphers with low-degree round functions: application to full MiMC | |
EP2873186B1 (en) | Method and system for homomorphicly randomizing an input | |
Kipnis et al. | Efficient methods for practical fully homomorphic symmetric-key encrypton, randomization and verification | |
EP2351287B1 (en) | Method of generating a cryptographic key, network and computer program therefor | |
WO2011151680A1 (en) | Efficient multivariate signature generation | |
Raghunandan et al. | Key generation using generalized Pell’s equation in public key cryptography based on the prime fake modulus principle to image encryption and its security analysis | |
KR100445893B1 (en) | Asymmetric cryptographic communication method and related portable object | |
EP2966802A1 (en) | Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context | |
JP2002540484A (en) | Countermeasures for Electronic Components Using Elliptic Curve Type Public Key Encryption Algorithm | |
Kundu et al. | Post-quantum digital signature scheme based on multivariate cubic problem | |
Yasuda et al. | Reducing the key size of Rainbow using non-commutative rings | |
Badhwar | The need for post-quantum cryptography | |
Hakuta et al. | Batch verification suitable for efficiently verifying a limited number of signatures | |
US11888984B2 (en) | White-box ECC implementation | |
Garg | Candidate multilinear maps | |
Ding et al. | Hidden Field Equations | |
Ding et al. | Cryptanalysis of an implementation scheme of the tamed transformation method cryptosystem | |
Tripathi et al. | An efficient digital signature scheme by using integer factorization and discrete logarithm problem | |
Smith-Tone | Properties of the discrete differential with cryptographic applications | |
Moh | An application of algebraic geometry to encryption: tame transformation method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 00801038.2 Country of ref document: CN |
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AU BR CN JP |
| ENP | Entry into the national phase | Ref document number: 2000 616162 Country of ref document: JP Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 46028/00 Country of ref document: AU |
| WWG | Wipo information: grant in national office | Ref document number: 46028/00 Country of ref document: AU |