WHITE-BOX ECC IMPLEMENTATION

Abstract

A microprocessor device comprising an implementation of a cryptographic operation constructed to process parameters and generate an output, wherein at least some of the parameters are obfuscated such that the cryptographic operation processes the obfuscated parameters, wherein the parameters which are obfuscated are obfuscated in that they are encrypted according to an additive homomorphic cryptographic system.

Claims

1.-12. (canceled)

13. A microprocessor device comprising an implementation of a cryptographic operation constructed to process parameters and generate an output, wherein at least some of the parameters (d, d1, v1, v2, ci, m1, fj, m2) are obfuscated such that the cryptographic operation processes the obfuscated parameters, wherein the parameters which are obfuscated are obfuscated in that they are encrypted according to an additive homomorphic cryptographic system.

14. The microprocessor device according to claim 13, wherein the additive homomorphic cryptographic system comprises an encryption function Enc and a decryption function Dec fulfilling the rule Dec(Enc(m))=m, and fulfilling the rule Dec(Enc(m1)*Enc(m2))=m1+m2.

15. The microprocessor device according to claim 13, wherein the additive homomorphic cryptographic system is embodied as the Paillier crypto-graphic system.

16. The microprocessor device according to claim 15, wherein the Paillier cryptographic system comprises: (1) a public encryption key comprised of a pair {n, g} and (2) a private decryption key comprised of a pair {λ, μ} or {α, μ}.

17. The microprocessor device according to claim 13, wherein the parameters to be processed by the cryptographic operation or the output comprise at least a secret key (d; d1), and wherein at least the secret key (d; d1) or/and a value (v1, v2) derived from the secret key (d; d1) is obfuscated in that the secret key (d; d1) or/and a value (v1, v2) derived from the secret key (d; d1) is encrypted according to the additive homomorphic cryptographic system.

18. The microprocessor device according to claim 13, wherein the operational cryptographic system comprises at least one pre-calculated parameter (ci, m1; fj, m2) processed in the cryptographic operation, and wherein at least the pre-calculated parameter (ci, m1; fj, m2) is obfuscated in that the pre-calculated parameter (ci, m1; fj, m2) or/and a value (v1) derived from the pre-calculated parameter is encrypted according to the additive homomorphic cryptographic system.

19. The microprocessor device according to claim 18, wherein the at least one pre-calculated parameter is either one of: at least one pre-calculated parameter (ci, m1) calculated outside the device and provided to the device for later on-device key generation; or at least one pre-calculated parameter (fj*m2 mod q; fj/m2 mod q) calculated outside the device and provided to the device for later on-device calculation of an ephemeral key (ui) used in a calculation of a signature.

20. The microprocessor device according to claim 13, wherein the operational cryptographic system is either one of an elliptic curve EC based or non-elliptic-curve based systems, particularly either one of the following: ECDSA; EC-Schnorr; EC Diffie Hellman ECDH; EdDSA, ECGDSA, KCDSA, SM2; DSA; Schnorr signature scheme; ElGamal signature scheme; Diffie Hellman DH key exchange.

21. The microprocessor device according to claim 14, wherein the cryptographic operation is either one of: a key generation operation according to an operational cryptographic system, with the output being a cryptographic key (d; d1), and with at least the output cryptographic key (d; d1) being encrypted according to said additive homomorphic cryptographic system; or a cryptographic signature generation operation according to an operational cryptographic system constructed to generate a cryptographic signature {r, s} based on a secret key (d; d1), with the output being the cryptographic signature {r,s}, and with at least the secret key (d; d1) or/and a value (v1, v2) derived from the secret key (d; d1) being encrypted according to said additive homomorphic cryptographic system; or a key exchange operation between different parties according to an operational cryptographic system, with the output being a common secret key (R) shared between the different parties and calculated based on an own secret key (d; d1) and a public key (P) of the other party, and with at least the secret key (d; d1) of each party being encrypted according to said additive homomorphic cryptographic system.

22. A method for implementing, in a microprocessor device, an obfuscated cryptographic operation constructed to process obfuscated parameters and generate an output, comprising the steps: providing the microprocessor device with a partial implementation of the cryptographic operation lacking at least some parameters, obfuscating the lacking at least some parameters in a processing device outside the microprocessor device and transferring the obfuscated parameters from the processing device to the microprocessor device, implementing the lacking obfuscated parameters in the partial implementation so as to generate the obfuscated cryptographic operation, wherein the obfuscated parameters are obfuscated in that they are encrypted according to an additive homomorphic cryptographic system.

23. The method according to claim 22, wherein the additive homomorphic cryptographic system comprises an encryption function Enc and a decryption function Dec, and wherein at least some or all of the encryption functions Enc under the additive homomorphic cryptographic system are calculated outside the microprocessor device.

24. A method of generating an output, particularly a cryptographic key (d) or a shared cryptographic key (R) or a cryptographic signature ({r, s}), by operating a microprocessor device according to claim 13.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0091] A White-Box (=obfuscated) ECDSA key generation procedure is as an example of a cryptographic operation according to an embodiment of the invention. Further examples of cryptographic operations such as key agreement and signature generation are shown without reference to drawings. Further, signature verification operations corresponding to the signature generation procedures are disclosed.

[0092] Below we will describe how Paillier encryption can be used to build a white-box ECC implementation, according to embodiments of the invention. [0093] All Paillier encryptions are done outside the device. The encrypted parameters are transferred to the device in an initial setup phase. [0094] Further the public modulus n and some other useful values (e.g. 1/n mod 2.sup.bitlen(n)) are preferably transferred to the device. The generator g needs not be transferred as it is not needed for on device calculations. [0095] The device performs modular multiplications respectively modular exponentiations with the Paillier encrypted parameters. This corresponds to additions respectively multiplications of the unencrypted parameters. The size of the Paillier modulus n is carefully chosen such that the result of these additions resp. multiplications is always smaller than n. [0096] At some points in the implementation a Paillier decryption Dec of blinded values is required, for example for generating a final result to be output. The Paillier decryption can for example be realized as an on-device white-box secured exponentiation with the fixed secret λ resp. α. Such an exponentiation can for example be provided by a white-box secure RSA implementation. The White-Box secured exponentiation with the secret exponent lambda or alpha is for example required to quit (or leave) the Paillier-encryption scheme, in cases where such quitting (or leaving) is required, for example in calculation of the final result of the cryptographic operation, or in some cases for some intermediate results. [0097] If an encrypted parameter Paillier-Enc(m/μ mod n) has to be decrypted on the device, then the parameter μ is not needed (see (3.4.3)). If all on-device Paillier decryptions don't need μ, then this parameter need not be transferred to the device. Otherwise a white-box secured multiplication with 1/μ mod n is needed on the device. [0098] The white-box secured secret exponent λ resp. α is also transferred to the device (and optionally the white-box secured parameter 1/μ mod n). The White-Box secured exponentiation with the secret exponent lambda or alpha is required to quit or leave the Paillier-encryption scheme, in cases where such quitting or leaving is required, for example in calculation of the final result of the cryptographic operation, or for some intermediate results. [0099] In the following we will present possible implementations for ECDSA, ECDH and the EC-Schnorr crypto system. The main ideas of this description can also be used for a white-box implementation of other ECC based crypto systems such as EdDSA, ECGDSA, KCDSA, SM2, EC based encryption schemes and key agreement protocols, or other cryptosystems such as DSA, ElGamal signature scheme, Schnorr signature scheme, Diffie Hellman key exchange. Further the proposed descriptions can be modified as compared to the described way by using the homomorphic properties of the Paillier crypto system.

[0100] 2.1 White-box ECDSA key generation

[0101] (4.1.Setup) Setup Outside the Device [0102] Generate Paillier encryption parameters n.sub.1, λ.sub.1 resp. α.sub.1, μ.sub.1 as described in chapter 3. [0103] Generate a random number 0<m.sub.1<q. [0104] Generate a large table of random numbers 0≤c.sub.i<q. [0105] Calculate the curve points K.sub.i=c.sub.i*G. [0106] Paillier encryption of c.sub.i/m.sub.1 mod q: [0107] Generate randomised k.sub.i∈Γ.sub.1 with Paillier-Dec(k.sub.i)mod q=c.sub.i/m.sub.1 mod q. [0108] Paillier encryption of 1: [0109] Generate randomised l.sub.1∈Γ.sub.1 with Paillier-Dec(l.sub.1)mod q=1.

[0110] (4.1.Transfer) Transfer to the Device [0111] Public Paillier parameter n.sub.1 [0112] White-box secured secret Paillier parameters λ.sub.1 resp. α.sub.1 (and optionally 1/μ.sub.1 mod n.sub.1) [0113] Curve points K.sub.i and Paillier encrypted parameters k.sub.i [0114] l.sub.1=Paillier encrypted 1 [0115] Obfuscated parameter m.sub.1

[0116] (4.1.Calc) Calculation on the Device

TABLE-US-00009 Input:  Parameters n.sub.1, K.sub.i, k.sub.i of (4.1.Transfer) Procedure:  Generate random numbers rand[i]  Calculate the curve point P = Σ.sub.i rand[i] *  K.sub.i. If P is the point at infinity restart.  Calculate d.sub.1 = Π.sub.i k.sub.i.sup.rand[i] mod n.sub.1.sup.2 Output:  Encrypted secret key d.sub.1 and public key P Remark:  The generated secret key d is (Σ.sub.i rand[i] * c.sub.i) mod q  Paillier-Dec(d.sub.1) mod q = d / m.sub.1 mod q

[0117] 2.2 White-box ECDSA signature generation

[0118] (4.2.Setup) Setup Outside the Device

[0119] The following parameters are used for the calculation of the ephemeral key in the ECDSA signature generation. [0120] Generate Paillier encryption parameters n.sub.2, λ.sub.2 resp. α.sub.2, μ.sub.2 as described in chapter 3. [0121] Generate a random number 0<m.sub.2<q. [0122] Generate a large table of random numbers 0≤f.sub.j<q. [0123] Calculate the curve points E.sub.j=f.sub.j*G. [0124] Paillier encryption of f.sub.j*m.sub.2 mod q: Generate randomised e.sub.j∈Γ.sub.2 with Paillier-Dec(e.sub.j) mod q=f.sub.j*m.sub.2 mod q.

[0125] (4.2.Transfer) Transfer to the Device [0126] Public Paillier parameter n.sub.2 [0127] White-box secured secret Paillier parameters λ.sub.2 resp. α.sub.2 (and optionally 1/μ.sub.2 mod n.sub.2) [0128] Curve points E.sub.j and Paillier encrypted parameters e.sub.j [0129] Obfuscated parameter m.sub.2

[0130] (4.2.Calc) Calculation on the Device

TABLE-US-00010 Input:  Parameters n.sub.1, λ.sub.1 resp. α.sub.1, optionally 1μ.sub.1  mod n.sub.1, l.sub.1 , m.sub.1 of (4.1.Transfer)  Encrypted secret key d.sub.1 generated in (4.1.Calc)  All parameters of (4.2.Transfer)  hash(m) of message m Procedure:  Generate random numbers rand[j]  Calculate the curve point Q = Σ.sub.j rand[j] * E.sub.j.  If Q is the point at infinity restart.  Calculate the encrypted ephemeral key u.sub.2 = Π.sub.j e.sub.j.sup.rand[j] mod n.sub.2.sup.2  Calculate the 1.sup.st signature parameter r = Q.x mod q.  If r == 0 restart.  Generate two random numbers z.sub.1 and z.sub.2 and calculate  z = z.sub.1 * z.sub.2 mod q.  If z == 0 repeat the generation of z.sub.1 and z.sub.2.  Modular exponentiation with exponent z:  Calculate v.sub.2 = u.sub.2.sup.z mod n.sub.2.sup.2  Calculate Paillier-Dec(v.sub.2)  w.sub.2 = Paillier-Dec(v.sub.2) mod q  Calculate h.sub.1 = (hash(m) * z.sub.1) * m.sub.2 mod q  Calculate r.sub.1 = ((r * z.sub.1) * m.sub.1) * m.sub.2 mod q  Calculate v.sub.1 = (l.sub.1).sup.h1 * (d.sub.1).sup.r1 mod n.sub.1.sup.2  Calculate Paillier-Dec(v.sub.1)  w.sub.1 = Paillier-Dec(v.sub.1) mod q  Calculate the 2.sup.nd signature parameter s =  (w.sub.1 / w.sub.2) * z.sub.2 mod q. If s == 0 restart. Output:  Signature parameters r, s Remark:  The used ephemeral key u is (Σ.sub.j rand[j] * f.sub.j) mod q  Paillier-Dec(u.sub.2) mod q = u * m.sub.2 mod q.  w.sub.2 = Paillier-Dec(v.sub.2) mod q = u * m.sub.2 * z.sub.1 * z.sub.2 mod q  w.sub.1 = Paillier-Dec(v.sub.1) mod q = (h + r*d) * m.sub.2 * z.sub.1 mod q

[0131] (4.2.Calc) describes a procedure using a key which was generated on the device. Of course it is also possible to use a key d which was generated outside the device. In this case use the following setup for the encryption of d.

[0132] (4.2.SetupKey) Setup outside the device used for extern. generated secret key d [0133] Generate Paillier encryption parameters n.sub.3, λ.sub.3 resp. α.sub.3, μ.sub.3 as described in chapter 3. [0134] Generate a random number 0<m.sub.3<q. [0135] Paillier encryption of d/m.sub.3 mod q: [0136] Generate randomised d.sub.3∈Γ.sub.3 with Paillier-Dec(d.sub.3)mod q=d/m.sub.3 mod q. [0137] Paillier encryption of 1: [0138] Generate randomised l.sub.3∈Γ.sub.3 with Paillier-Dec(l.sub.3)mod q=1.

[0139] Then all parameters of (4.2.SetupKey) are used as input parameters for (4.2.Calc) instead of the parameters of (4.1.Transfer) and (4.1.Calc).

[0140] 2.3 ECDSA signature verification

[0141] This function uses only public key parameters. So no additional encryption of these parameters is required.

[0142] 2.4 White-box ECDH key generation

[0143] (4.4.Setup) Setup Outside the Device

[0144] This procedure is similar to (4.1. Setup) with one exception: The cofactor h is additionally included into the calculations. [0145] Generate Paillier encryption parameters n.sub.1, λ.sub.1 resp. α.sub.1, μ.sub.1 as described in chapter 3. [0146] Generate a random number 0<m.sub.1<q. [0147] Generate a large table of random numbers 0≤c.sub.i<q. [0148] Calculate the curve points K.sub.i=c.sub.i*G. [0149] Paillier encryption of c.sub.i/(h*m.sub.1)mod q: Generate randomised k.sub.i∈Γ.sub.1 with Paillier-Dec(k.sub.i)mod q=c.sub.i/(h*m.sub.1)mod q. [0150] Paillier encryption of 1: [0151] Generate randomised l.sub.1∈Γ.sub.1 with Paillier-Dec(l.sub.1)mod q=1.

[0152] (4.4.Transfer) Transfer to the Device [0153] Public Paillier parameter n.sub.1 [0154] White-box secured secret Paillier parameters λ.sub.1 resp. α.sub.1 (and optionally 1/μ.sub.1 mod n.sub.1) [0155] Curve points K.sub.i and Paillier encrypted parameters k.sub.i [0156] l.sub.1=Paillier encrypted 1 [0157] Obfuscated parameter m.sub.1

[0158] (4.4.Calc) Calculation on the Device

TABLE-US-00011 Input:  Parameters n.sub.1, K.sub.i, k.sub.i of (4.4.Transfer) Procedure:  Generate random numbers rand[i]  Calculate the curve point P = Σ.sub.i rand[i] * K.sub.i.  If P is the point at infinity restart.  Calculate d.sub.1 = Π.sub.i k.sub.i.sup.rand[i] mod n.sub.1.sup.2 Output:  Encrypted secret key d.sub.1 and public key P Remark:  The generated secret key d is (Σ.sub.i rand[i] * c.sub.i) mod q  Paillier-Dec(d.sub.1) mod q = d / (h*m.sub.1) mod q

[0159] 2.5 White-box ECDH key exchange

[0160] (4.5.Calc) Calculation on the Device

TABLE-US-00012 Input:  Parameters n.sub.1, λ.sub.1 resp. α.sub.1, optionally 1μ.sub.1  mod n.sub.1, l.sub.1 , m.sub.1 of (4.4.Transfer)  Encrypted secret key d.sub.1 generated in (4.4.Calc)  Public key P of other party Procedure:  Calculate the curve point Q = h*P  Generate random number z and calculate z.sub.1 = z * m.sub.1 mod q  Calculate the curve point Q.sub.1 = z.sub.1*Q  Calculate v.sub.1 = (l.sub.1).sup.z * d.sub.1 mod n.sub.1.sup.2  Calculate Paillier-Dec(v.sub.1)  Calculate w.sub.1 = Paillier-Dec(v.sub.1) mod q and x.sub.1 = w.sub.1 * m.sub.1 mod q  Calculate R = x.sub.1*Q − Q.sub.1 Output:  Common secret point R  Remark:  w.sub.1 = Paillier-Dec(v.sub.1) mod q = z + d/(h*m.sub.1) mod q  x.sub.1 = z.sub.1 + d/h mod q

[0161] (4.5.Calc) describes a procedure using a key which was generated on the device. Of course it is also possible to use a key d which was generated outside the device. In this case use the following setup for the encryption of d.

[0162] (4.5.SetupKey) Setup outside device used for externally generated secret key d [0163] Generate Paillier encryption parameters n.sub.3, λ.sub.3 resp. α.sub.3, μ.sub.3 as described in chapter 3. [0164] Generate a random number 0<m.sub.3<q. [0165] Paillier encryption of d/(h*m.sub.3)mod q: Generate randomised d.sub.3∈Γ.sub.3 with Paillier-Dec(d.sub.3)mod q=d/(h*m.sub.3)mod q. [0166] Paillier encryption of 1: [0167] Generate randomised l.sub.3∈Γ.sub.3 with Paillier-Dec(l.sub.3)mod q=1.

[0168] Then all parameters of (4.5.SetupKey) are used as input parameters for (4.5.Calc) instead of the parameters of (4.4.Transfer) and (4.4.Calc).

[0169] 2.6 White-box EC-Schnorr key generation

[0170] (4.6.Setup) Setup Outside the Device

Identical to (4.1. Setup) with one exception: l.sub.1 is not needed

[0171] (4.6.Transfer) Transfer to the Device

Identical to (4.1.Transfer) with one exception: l.sub.1 is not needed

[0172] (4.6.Calc) Calculation on the Device

[0173] Identical to (4.1.Calc)

[0174] 2.7 White-box EC-Schnorr signature generation

[0175] (4.7.Setup) Setup Outside the Device

[0176] The following parameters are used for the calculation of the ephemeral key in the EC-Schnorr signature generation. This function is similar to (4.2.Setup) with one exception: Use (1/m.sub.2 mod q) instead of m.sub.2 for Paillier encryption. [0177] Generate Paillier encryption parameters n.sub.2, λ.sub.2 resp. α.sub.2, μ.sub.2 as described in chapter 3. [0178] Generate a random number 0<m.sub.2<q. [0179] Generate a large table of random numbers 0≤f.sub.j<q. [0180] Calculate the curve points E.sub.j=f.sub.j*G. [0181] Paillier encryption of f.sub.j/m.sub.2 mod q: Generate randomised e.sub.j∈Γ.sub.2 with Paillier-Dec(e.sub.j)mod q=f.sub.j/m.sub.2 mod q.

[0182] (4.7.Transfer) Transfer to the Device [0183] Public Paillier parameter n.sub.2 [0184] White-box secured secret Paillier parameters λ.sub.2 resp. α.sub.2 (and optionally 1/μ.sub.2 mod n.sub.2) [0185] Curve points E.sub.j and Paillier encrypted parameters e.sub.j [0186] Obfuscated parameter m.sub.2

[0187] (4.7.Calc) Calculation on the Device

TABLE-US-00013 Input:  Parameters n.sub.1, λ.sub.1 resp. α.sub.1, optionally 1μ.sub.1  mod n.sub.1, m.sub.1 of (4.6.Transfer)  Encrypted secret key d.sub.1 generated in (4.6.Calc)  All parameters of (4.7.Transfer)  message m Procedure:  Generate random numbers rand[j]  Calculate the curve point Q = Σ.sub.j rand[j] * E.sub.j.  If Q is the point at infinity restart.  Calculate the encrypted ephemeral key u.sub.2 = Π.sub.j e.sub.j.sup.rand[j] mod n.sub.2.sup.2  Calculate the 1.sup.st signature parameter r = hash(m ∥ Q.x).  If r mod q == 0 restart.  Generate a random number z which is coprime to q.  Calculate z.sub.2 = z * m.sub.2 mod q.  Modular exponentiation with exponent z.sub.2:  Calculate v.sub.2 = u.sub.2.sup.z2 mod n.sub.2.sup.2  Calculate Paillier-Dec(v.sub.2)  w.sub.2 = Paillier-Dec(v.sub.2) mod q  Calculate r.sub.1 = (r * z) * m.sub.1 mod q  Modular exponentiation with exponent r.sub.1:  Calculate v.sub.1 = d.sub.1.sup.r1 mod n.sub.1.sup.2  Calculate Paillier-Dec(v.sub.1)  w.sub.1 = Paillier-Dec(v.sub.1) mod q  Calculate 2.sup.nd signature parameter s = (w.sub.1 + w.sub.2) / z mod q.  If s == 0 restart. Output:  Signature parameters r, s Remark:  The used ephemeral key u is (Σ.sub.j rand[j] * f.sub.j) mod q  Paillier-Dec(v.sub.2) mod q = u / m.sub.2 mod q.  w.sub.2 = Paillier-Dec(u.sub.2) mod q = u * z mod q  w.sub.1 = Paillier-Dec(v.sub.1) mod q = r * d * z mod q

[0188] (4.7.Calc) describes a procedure using a key which was generated on the device. Of course it is also possible to use a key d which was generated outside the device. In this case use the following setup for the encryption of d.

[0189] (4.7.SetupKey) Setup outside the device used for externally generated secret key d [0190] Generate Paillier encryption parameters n.sub.3, λ.sub.3 resp. α.sub.3, μ.sub.3 as described in chapter 3. [0191] Generate a random number 0<m.sub.3<q. [0192] Paillier encryption of d/m.sub.3 mod q: [0193] Generate randomised d.sub.3∈Γ.sub.3 with Paillier-Dec(d.sub.3)mod q=d/m.sub.3 mod q.

[0194] Then all parameters of (4.7.SetupKey) are used as input parameters for (4.7.Calc) instead of the parameters of (4.6.Transfer) and (4.6.Calc).

[0195] If the Paillier parameters for the secret key (n.sub.1, λ.sub.1 resp. α.sub.1, . . . ) are identical to those of the ephemeral key (n.sub.2, λ.sub.2 resp. α.sub.2, . . . ), then (4.7.Calc) can be replaced by the following procedure which needs only one Paillier decryption.

[0196] (4.7.Calc′) Calculation on the device if (n.sub.1, λ.sub.1 resp. α.sub.1, . . . )=(n.sub.2, λ.sub.2 resp. α.sub.2, . . . )

TABLE-US-00014 Input:  Parameters n.sub.1, λ.sub.1 resp. α.sub.1, optionally 1μ.sub.1 mod n.sub.1, m.sub.1 of (4.6.Transfer)  Encrypted secret key d.sub.1 generated in (4.6.Calc)  All parameters of (4.7.Transfer)  message m Procedure:  Generate random numbers rand[j]  Calculate the curve point Q = Σ.sub.j rand[j] * E.sub.j.  If Q is the point at infinity restart.  Calculate the encrypted ephemeral key u.sub.1 = Π.sub.j e.sub.j.sup.rand[j] mod n.sub.1.sup.2  Calculate the 1.sup.st signature parameter r = hash(m ∥ Q.x).  If r mod q == 0 restart.  Calculate v.sub.1 = u.sub.1 * (d.sub.1).sup.r mod n.sub.1.sup.2  Generate a random number z which is coprime to q.  Calculate z.sub.1 = z * m.sub.1 mod q.  Modular exponentiation with exponent z.sub.1: Calculate x.sub.1 = u.sub.1.sup.z1 mod n.sub.1.sup.2  Calculate Paillier-Dec(x.sub.1)  Calculate 2.sup.nd signature parameter s = Paillier-Dec(x.sub.1) /  z mod q. If s == 0 restart. Output:  Signature parameters r, s Remark:  The used ephemeral key u is (Σ.sub.j rand[j] * f.sub.j) mod q  Paillier-Dec(u.sub.1) mod q = u / m.sub.1 mod q  Paillier-Dec(v.sub.1) mod q = (u + r*d) / m.sub.1 mod q  Paillier-Dec(w.sub.1) mod q = (u + r*d) * z mod q

[0197] 2.8 EC-Schnorr signature verification

[0198] This function uses only public key parameters. So no additional encryption of these parameters is required.