A method of generating a key by a first correspondent. The key is computable by a second correspondent. The method comprises the steps of:

Patent: RE43792
Priority: Dec 31 2001
Filed: Mar 30 2011
Issued: Nov 06 2012
Expiry: Jan 29 2022
Terminal disclaimer: yes
Entity: Large
1. A cryptographic system for generating a shared key in a Menezes-Qu-Vanstone (MQV) key generation protocol, said system comprising a first correspondent having a first cryptographic unit configured for:
a) making a first short term public key available to a second correspondent over a communication channel;
b) obtaining a second short term public key from said second correspondent;
c) computing a first exponent derived from a first short term private key, said first short term public key, and a first long term private key;
d) computing a second exponent derived from said first short term private key, said first short term public key, a second short term public key, and said first long term private key;
e) computing a first simultaneous exponentiation, by said first exponent, of said second short term public key and, by said second exponent, of a second long term public key; and
f) generating said shared key using a result of said first simultaneous exponentiation.
2. The cryptographic system of claim 1 comprising a second correspondent having a second cryptographic unit configured for:
g) making said second short term public key available to said first correspondent over said communication channel;
h) obtaining said first short term public key from said first correspondent;
i) computing one exponent derived from a second short term private key, said second short term public key, and a second long term private key;
j) computing another exponent derived from said second short term private key, said second short term public key, said second long term private key, and said first short term public key;
k) computing a second simultaneous exponentiation, by said one exponent, of said first short term public key and, by said another exponent, of a first long term public key; and
l) generating said shared key using a result of said second simultaneous exponentiation.
3. The cryptographic system of claim 2 configured for performing a) and g) in parallel, for performing b) and h) in parallel, for performing c) and d) in parallel with i) and j), and for performing k) and l) in parallel with e) and f).
4. The cryptographic system of claim 1 wherein said first cryptographic unit is configured for performing said first simultaneous exponentiation by:
establishing a window of width w;
establishing a table of small exponentiations of said second short term public key, and a table of small exponentiations of said second long term public key to provide a series of potential exponentiations representing said first and second exponents; and
examining said tables using said window w until said shared key is computed.
5. The cryptographic system of claim 4 wherein said examining said tables includes retrieving the corresponding powers of values of said second short term public key and said second long term public key within said window w, accumulating the product of corresponding entries from said tables and squaring said product w times, and examining further windows repeatedly until said shared key is computed.
6. The cryptographic system of claim 1 wherein said first cryptographic unit is configured for performing said first simultaneous exponentiation by:
storing values of said first and second exponents in first and second registers respectively, each register having an associated pointer;
using said pointers to selectively accumulate and multiply corresponding values stored in said registers; and
repeatedly multiplying said values until said shared key is computed.
7. The cryptographic system of claim 1 wherein said first cryptographic unit is configured for performing elliptic curve operations.
8. The cryptographic system of claim 7 wherein said first cryptographic unit is configured for performing said first simultaneous exponentiation by performing simultaneous multiple scalar multiplication using a window of width w and tables of scalar multiples of said second short term public key and said second long term public key.
9. The cryptographic system of claim 1 wherein said first cryptographic unit is configured for implementing cryptographic protocols from instructions provided by software, said software being stored on a memory.
10. A cryptographic unit for generating a shared key in a Menezes-Qu-Vanstone (MQV) key generation protocol, said cryptographic unit configured for:
a) providing a first short term public key;
b) obtaining a second short term public key;
c) computing a first exponent derived from a first short term private key, said first short term public key, and a first long term private key;
d) computing a second exponent derived from said first short term private key, said first short term public key, a second short term public key, and said first long term private key;
e) computing a simultaneous exponentiation, by said first exponent, of said second short term public key and, by said second exponent, of a second long term public key; and
f) generating said shared key using a result of said simultaneous exponentiation.
11. The cryptographic unit of claim 10 configured for performing a) in parallel with a first corresponding step performed by another cryptographic unit, for performing b) in parallel with a second corresponding step performed by said another cryptographic unit, for performing c) and d) in parallel with third and fourth corresponding steps performed by said another cryptographic unit, and for performing e) and f) in parallel with fifth and sixth corresponding steps performed by said another cryptographic unit.
12. The cryptographic unit of claim 10 wherein said cryptographic unit is configured for performing said simultaneous exponentiation by:
establishing a window of width w;
establishing a table of small exponentiations of said second short term public key, and a table of small exponentiations of said second long term public key to provide a series of potential exponentiations representing said first and second exponents; and
examining said tables using said window w until said shared key is computed.
13. The cryptographic unit of claim 12 wherein said examining said tables includes retrieving the corresponding powers of values of said second short term public key and said second long term public key within said window w, accumulating the product of corresponding entries from said tables and squaring said product w times, and examining further windows repeatedly until said shared key is computed.
14. The cryptographic unit of claim 10 wherein said cryptographic unit is configured for performing said simultaneous exponentiation by:
storing values of said first and second exponents in first and second registers respectively, each register having an associated pointer;
using said pointers to selectively accumulate and multiply corresponding values stored in said registers; and
repeatedly multiplying said values until said shared key is computed.
15. The cryptographic unit of claim 10 wherein said cryptographic unit is configured for performing elliptic curve operations.
16. The cryptographic unit of claim 15 wherein said cryptographic unit is configured for performing said simultaneous exponentiation by performing simultaneous multiple scalar multiplication using a window of width w and tables of scalar multiples of said second short term public key and said second long term public key.
17. The cryptographic unit of claim 10 wherein said cryptographic unit is configured for implementing cryptographic protocols from instructions provided by software, said software being stored on a memory.
18. A non-transitory computer readable medium operable with a cryptographic unit, said computer readable medium having instructions for generating a shared key in a Menezes-Qu-Vanstone (MQV) key generation protocol, said instructions comprising instructions for:
a) providing a first short term public key;
b) obtaining a second short term public key;
c) computing a first exponent derived from a first short term private key, said first short term public key, and a first long term private key;
d) computing a second exponent derived from said first short term private key, said first short term public key, a second short term public key, and said first long term private key;
e) computing a simultaneous exponentiation, by said first exponent, of said second short term public key and, by said second exponent, of a second long term public key; and
f) generating said shared key using a result of said simultaneous exponentiation.
19. The computer readable medium of claim 18 wherein said instructions are configured for performing said simultaneous exponentiation by:
establishing a window of width w;
establishing a table of small exponentiations of said second short term public key, and a table of small exponentiations of said second long term public key to provide a series of potential exponentiations representing said first and second exponents; and
examining said tables using said window w until said shared key is computed.
20. The computer readable medium of claim 18 wherein said instructions are configured for performing said simultaneous exponentiation by:
storing values of said first and second exponents in first and second registers respectively, each register having an associated pointer;
using said pointers to selectively accumulate and multiply corresponding values stored in said registers; and
repeatedly multiplying said values until said shared key is computed.

This application is a

EMBODIMENTS

Referring to FIG. 1, a cryptographic system is shown generally by the numeral 10. A pair of correspondents 12, 14, referred to as Alice and Bob, communicate over a network 16. Each correspondent has an arithmetic logic unit (ALU) 18, 20. The ALU can be a general-purpose computer with a cryptographic unit that implements cryptographic protocols from instructions provided by software. The software may be provided on a data carrier or in memory. Each correspondent has a long-term private key $a$, $b$ and a corresponding long-term public key $Y_A$, $Y_B$. Each correspondent has access to an authentic copy of the other correspondent's long-term public key.

It is desired to share a key between the correspondents using the MQV protocol. It is recognized that the MQV equations can be reorganized to provide efficient computations without necessarily using the truncation operation. The reorganization proceeds as follows.

The formula $K=(R_B\,Y_B^{R_B})^{s_A}$ that is used to determine the key can be rearranged as $K=(R_B\,Y_B^{R_B})^{s_A}=R_B^{s_A}\,Y_B^{s_A R_B}$, using the notation above. This rearrangement allows the key to be computed by using a technique known as simultaneous multiple exponentiation, which uses only one set of squarings.

To compute the product $K=R_B^{s_A}\,Y_B^{s_A R_B}$, two tables of small exponentiations of $R_B$ and $Y_B$ respectively, of a predetermined width, are first established. The scalars $s_A$ and $s_A R_B$ are then examined using windows of the predetermined width. The powers of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table. The product of the table entries from the two windows is multiplied into an accumulator. The accumulator is then squared in accordance with the width of the window, and then the next window is examined. This process is repeated until each window has been examined, and therefore terminates with the accumulator holding the value of $K$.

Referring to FIG. 2, a method of computing a shared secret key is shown generally by the numeral 100. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (102). Alice computes the corresponding ephemeral public key $g^x$ and sends it to Bob (104). Similarly, Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (106). Bob computes the corresponding ephemeral public key $g^y$ and sends it to Alice (108). Alice computes $s_A=(x+aR_A) \bmod q$ and the shared secret $K=R_B^{s_A}\,Y_B^{s_A R_B}$ (110) using simultaneous multiple exponentiation, as described below. Bob computes $s_B=(y+bR_B) \bmod q$ and the shared secret $K=R_B^{s_A}\,Y_B^{s_A R_B}$ (112) using simultaneous multiple exponentiation.

Referring to FIG. 3, a method of computing a simultaneous multiple exponentiation is shown generally by the numeral 300. A window width of a predetermined number of bits $w$ is first established (302). Then, a table of small exponentiations $R_B^{\alpha}$ of $R_B$ is established (304) and a table of small exponentiations $Y_B^{\beta}$ of $Y_B$ is established (306). The table entries consist of a column of possible bit combinations (e.g. $\alpha=1001_2$) and a column of corresponding exponentiations (e.g. $R_B^{1001_2}$). Then, the scalars $s_A$ and $s_A R_B$ are examined using windows of the window width $w$ (308). The powers of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table (310). The product of the table entries from the two windows is multiplied into an accumulator (312). The accumulator is then squared $w$ times in accordance with the width $w$ of the window (314), and then the next window is examined (316). The scalars are repeatedly examined, the table entries multiplied into the accumulator, and the accumulator squared $w$ times for each repetition as described above (318) until the shared secret $K$ is computed (320).
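A worked version of the computation of FIG. 2 and FIG. 3, added here as an example and not the patent's own code: each side derives $s$ from its ephemeral and long-term private keys and obtains $K$ as one windowed simultaneous multiple exponentiation in a toy prime-order subgroup of $\mathbb{Z}_p^*$, so that both factors share a single set of squarings. The modulus, subgroup order, generator and window width are constructed assumptions; the second exponent is reduced mod $q$ (valid in a group of order $q$, and not done in the description above), and the integer-conversion step of standard MQV is omitted as in the description.

```python
# Added example (not from the patent): MQV with the key computed as one
# simultaneous multiple exponentiation K = R_B^sA * Y_B^(sA*R_B).
import secrets

P = 1019   # constructed toy safe prime p = 2q + 1 (far too small for real use)
Q = 509    # prime order of the subgroup generated by G
G = 4      # a quadratic residue mod P, hence an element of order Q
W = 4      # window width w in bits


def simultaneous_exp(base1, e1, base2, e2, w=W, p=P):
    """Return (base1^e1 * base2^e2 mod p, number of squarings performed).

    Two tables of small powers, one pass over both exponents w bits at a
    time, and one shared set of squarings for the two factors (FIG. 3).
    """
    mask = (1 << w) - 1
    table1 = [pow(base1, alpha, p) for alpha in range(1 << w)]  # base1^alpha
    table2 = [pow(base2, beta, p) for beta in range(1 << w)]    # base2^beta
    n_windows = (max(e1.bit_length(), e2.bit_length()) + w - 1) // w
    acc, squarings = 1, 0
    for i in reversed(range(n_windows)):          # most significant window first
        if i != n_windows - 1:
            # Square w times before taking the next window; this is the
            # description's "multiply, then square w times, then next window".
            for _ in range(w):
                acc = acc * acc % p
                squarings += 1
        alpha = (e1 >> (i * w)) & mask            # window of the first exponent
        beta = (e2 >> (i * w)) & mask             # aligned window of the second
        acc = acc * table1[alpha] % p * table2[beta] % p
    return acc, squarings


def mqv_shared_key(own_x, own_a, own_R, peer_R, peer_Y):
    """One correspondent's side: s = (x + a*R_own) mod q, then
    K = R_peer^s * Y_peer^(s*R_peer) by simultaneous exponentiation."""
    s = (own_x + own_a * own_R) % Q
    e2 = (s * peer_R) % Q          # reduction mod q is an added shortcut
    return simultaneous_exp(peer_R, s, peer_Y, e2)


def agree(a, b, x, y):
    """Both sides with long-term keys (a, b) and ephemeral keys (x, y)."""
    Y_A, Y_B = pow(G, a, P), pow(G, b, P)   # long-term public keys
    R_A, R_B = pow(G, x, P), pow(G, y, P)   # ephemeral public keys, exchanged
    K_alice, sq_a = mqv_shared_key(x, a, R_A, R_B, Y_B)
    K_bob, sq_b = mqv_shared_key(y, b, R_B, R_A, Y_A)
    return K_alice, K_bob, sq_a, sq_b


def naive_key(a, b, x, y):
    """Reference: Alice's K by two separate exponentiations."""
    R_A, R_B, Y_B = pow(G, x, P), pow(G, y, P), pow(G, b, P)
    s_A = (x + a * R_A) % Q
    return pow(R_B, s_A, P) * pow(Y_B, (s_A * R_B) % Q, P) % P


if __name__ == "__main__":
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    K_alice, K_bob, sq_a, sq_b = agree(a, b, x, y)
    assert K_alice == K_bob == naive_key(a, b, x, y)
    print(f"shared key {K_alice}; squarings per side: {sq_a}, {sq_b}")
```

With $w=1$ the tables reduce to $\{1, R_B\}$ and $\{1, Y_B\}$ and the loop becomes the bit-by-bit register form of FIG. 6; the elliptic-curve variant of FIG. 8 is the same loop with point addition in place of multiplication and doubling in place of squaring.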

It will be noted that in this embodiment one simultaneous multiple exponentiation is used instead of two separate exponentiations. Accordingly, the number of squaring operations required corresponds to the number required for one exponentiation instead of that required for two separate exponentiations. It will be recognized that, using the method of this embodiment, truncating the first exponent in an attempt to save squarings is not effective, since these squarings can be shared with the second multiplication. The truncation then saves only multiplications, not squarings, when applied to this embodiment, since this embodiment uses simultaneous multiple exponentiation.

Referring to FIG. 4, an alternate embodiment is shown generally by the numeral 200. In this embodiment, Alice uses the improved method of computing the shared key, while Bob can compute the shared key by any method. Alice selects (202) $x$ at random from the interval 1 to $q-1$. Then, Alice computes (204) $g^x$ and makes it available to Bob (206). Alice then obtains (208) $g^y$ from Bob. Alice computes (210) $s_A=(x+aR_A) \bmod q$ and then computes (212) the shared secret $K=R_B^{s_A}\,Y_B^{s_A R_B}$ using simultaneous multiple exponentiation.

Referring to FIG. 5, an alternate embodiment is shown generally by the numeral 500. In this embodiment, the correspondents of FIG. 2 are shown carrying out the method in parallel. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (502). Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (106). Alice computes the ephemeral public key $g^x$ corresponding to the ephemeral private key $x$ (504). Similarly, Bob computes his ephemeral public key $g^y$ (514). Alice sends $g^x$ to Bob and Bob sends $g^y$ to Alice. After Alice receives Bob's ephemeral public key, she computes $s_A=(x+aR_A) \bmod q$ (506). Then Alice computes the shared secret $K$ as before (508). After Bob receives Alice's ephemeral public key, he computes $s_B$ as before (516). Then Bob computes $K$ as before (518). Thus, it will be understood that the order of the computations is not critical; it is only necessary that a correspondent have both its own private key and the other correspondent's ephemeral public key before computing $s$ and $K$.

Referring to FIG. 6, an alternate method of computing a simultaneous multiple exponentiation is shown generally by the numeral 600. The exponent $s_A$ is shown stored in a register 602. The exponent $s_A R_B$ is shown stored in a register 604. Each register has an associated pointer 603, 605. The pointers are aligned to designate corresponding bits in each exponent. A pair of switches 606, 608 are provided. Two multipliers 610, 612 are shown, although their functionality could be performed by one multiplier. An accumulator 614, a squaring operation 616, and a control 618 are provided.

In use, the pointer 603 is an input to the switch 606, which controls multiplier 610 so that when the corresponding bit of $s_A$ is set, the quantity $R_B$ is multiplied into the accumulator 514. Similarly, the pointer 605 is an input to the switch 608, which operates the multiplier 612. The quantity $Y_B$ is multiplied into the accumulator 614 when the corresponding bit of register 604 is set. After considering each exponent, the accumulator is squared 616, and the control 618 operates to set the pointers 603, 605 to the next bits of registers 602, 604. The process repeats until all the bits have been considered. In this way, the bits of the two exponents are considered simultaneously, and only one set of squares is performed.

The above methods can be implemented in any group where the discrete logarithm problem is believed to be intractable. One example of such a group is an elliptic curve group, where the method is very similar; however, additive notation is usually used instead of multiplicative notation. In the elliptic curve setting, group multiplication corresponds to addition of elliptic curve points, and group exponentiation corresponds to scalar multiplication. In this case, the tables will contain a column of possible bit combinations of the scalar (e.g. $1001_2$) and a column of corresponding point multiplications (e.g. $1001_2\,P$).

Referring therefore to FIG. 7, the method of FIG. 5 is shown in an elliptic curve setting by the numeral 700. The correspondents have common elliptic curve parameters comprising an elliptic curve, a finite field, a base point $P$ of order $q$, and a function $\pi$ to convert elliptic curve points to integers. Each correspondent has a long term private key $a$, $b$ and a corresponding long term public key $Y_A=aP$, $Y_B=bP$. Alice selects an ephemeral private key $x$ at random from the interval 1 to $q-1$ (702). Bob selects an ephemeral private key $y$ at random from the interval 1 to $q-1$ (712). Alice computes the ephemeral public key $xP$ corresponding to the ephemeral private key $x$ (704). Similarly, Bob computes his ephemeral public key $yP$ (714). Alice sends $xP$ to Bob and Bob sends $yP$ to Alice. After Alice receives Bob's ephemeral public key, she computes $s_A=(x+a\,\pi(R_A)) \bmod q$ (706). Then Alice computes the shared secret $K=s_A R_B + s_A\,\pi(R_B)\,Y_B$ (708) using simultaneous multiple scalar multiplication (FIG. 8). After Bob receives Alice's ephemeral public key, he computes $s_B=(y+b\,\pi(R_B)) \bmod q$ (716). Then Bob computes $K=s_B R_A + s_B\,\pi(R_A)\,Y_A$ (718) using simultaneous multiple scalar multiplication (FIG. 8).

Referring to FIG. 8, a method of performing simultaneous multiple scalar multiplication used in this embodiment is shown generally by the numeral 800. A window width of a predetermined number of bits $w$ is first established (802). Then, a table of small scalar multiples $\alpha R_B$ of $R_B$ is established (804) and a table of small scalar multiples $\beta Y_B$ of $Y_B$ is established (806). The table entries consist of a column of possible bit combinations (e.g. $\alpha=1001_2$) and a column of corresponding scalar multiples (e.g. $1001_2\,R_B$). Then, the scalars $s_A$ and $s_A\,\pi(R_B)$ are examined using windows of the window width $w$ (808). The scalar multiples of $R_B$ and $Y_B$ corresponding to each window are retrieved from each respective table (810). The sum of the table entries from the two windows is added into an accumulator (812). The accumulator is then doubled $w$ times in accordance with the width $w$ of the window (814), and then the next window is examined (816). The scalars are repeatedly examined, the table entries added into the accumulator, and the accumulator doubled $w$ times for each repetition as described above (818) until the shared secret $K$ is computed (820).

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

INVENTORS:

Vadekar, Ashok; Lambert, Robert

THIS PATENT IS REFERENCED BY THESE PATENTS:
Patent Priority Assignee Title
8693684, Dec 31 2001 Malikie Innovations Limited Method and apparatus for computing a shared secret key
THIS PATENT REFERENCES THESE PATENTS:
Patent Priority Assignee Title
5761305, Apr 21 1995 Malikie Innovations Limited Key agreement and transport protocol with implicit signatures
5889865, May 17 1995 Malikie Innovations Limited Key agreement and transport protocol with implicit signatures
5896455, May 17 1995 Malikie Innovations Limited Key agreement and transport protocol with implicit signatures
5987131, Aug 18 1997 Polycom, Inc Cryptographic key exchange using pre-computation
5999627, Jan 07 1995 SAMSUNG ELECTRONICS CO , LTD Method for exponentiation in a public-key cryptosystem
6122736, Apr 21 1995 Malikie Innovations Limited Key agreement and transport protocol with implicit signatures
6490352, Mar 05 1999 Cryptographic elliptic curve apparatus and method
7051200, Jun 27 2000 Microsoft Technology Licensing, LLC System and method for interfacing a software process to secure repositories
7062044, Jun 28 2002 The United States of America as represented by The National Security Agency; National Security Agency Method of elliptic curve cryptographic key agreement using coefficient splitting
7127063, Dec 31 2001 Malikie Innovations Limited Method and apparatus for computing a shared secret key
7215780, Dec 31 2001 Malikie Innovations Limited Method and apparatus for elliptic curve scalar multiplication
20020044649,
20030123655,
20050251680,
ASSIGNMENT RECORDS (assignment records on the USPTO):
Executed on | Assignor | Assignee | Conveyance | Frame/Reel/Doc
Apr 16 2001 | LAMBERT, ROBERT J | Certicom Corp | Assignment of assignors interest (see document for details) | 0263660344 pdf
Apr 16 2001 | VADEKAR, ASHOK | Certicom Corp | Assignment of assignors interest (see document for details) | 0263660344 pdf
Mar 30 2011 | Certicom Corp. (assignment on the face of the patent)
Sep 30 2019 | Certicom Corp | BlackBerry Limited | Assignment of assignors interest (see document for details) | 0506100937 pdf
May 11 2023 | BlackBerry Limited | Malikie Innovations Limited | Assignment of assignors interest (see document for details) | 0641040103 pdf

MAINTENANCE FEES AND DATES (maintenance records on the USPTO):
Date | Maintenance Fee Events
Sep 30 2016 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity.
Sep 30 2020 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity.

Date | Maintenance Schedule
Nov 06 2015 | 4 years fee payment window open
May 06 2016 | 6 months grace period start (w surcharge)
Nov 06 2016 | patent expiry (for year 4)
Nov 06 2018 | 2 years to revive unintentionally abandoned end. (for year 4)
Nov 06 2019 | 8 years fee payment window open
May 06 2020 | 6 months grace period start (w surcharge)
Nov 06 2020 | patent expiry (for year 8)
Nov 06 2022 | 2 years to revive unintentionally abandoned end. (for year 8)
Nov 06 2023 | 12 years fee payment window open
May 06 2024 | 6 months grace period start (w surcharge)
Nov 06 2024 | patent expiry (for year 12)
Nov 06 2026 | 2 years to revive unintentionally abandoned end. (for year 12)