Method and system for generating keys for an anonymous signature scheme

Abstract

A method for anonymous signature of a message executed by a member entity of a group. The method includes: registering the member entity with an administration entity of the group; generating by the member entity a trace from a trace generator calculated by at least one revocation entity and included in a public key of the group, the trace being invariant relative to the anonymous signatures generated by the member entity in accordance an anonymous signature scheme; blindly obtaining by the member entity a private group key; and generating at least one signature according to the anonymous signature scheme by using the private key, the signature comprising the trace.

Claims

1. A method for anonymous signature of a message executed by a member entity of a group and comprising: registering said member with an administration entity of the group; generating by said member entity a trace from a trace generator calculated by at least one revocation entity and included in a public key of said group, said trace being invariant relative to the anonymous signatures generated by said member entity in accordance with an anonymous signature scheme; blindly obtaining by said member entity a private group key; generating at least one signature according to the anonymous signature scheme by using said private key, said signature comprising said trace.

2. A method for generating keys for an anonymous signature scheme, said method comprising: calculating by at least one revocation entity a pair of revocation keys comprising a public key and a private key, said private key being usable by said revocation entity to revoke the anonymity of an anonymous signature complying with said scheme; registering by a group administration entity at least one member entity with said group; calculating, from the public key of said at least one pair of revocation keys, a trace generator, said trace generator being intended to be used by each said member entity to generate a trace representative of said member entity, said trace being invariant relative to the anonymous signatures generated by said member entity in accordance with said scheme; and said member entity blindly obtaining a private group key, said private key used by said member entity to generate anonymous signatures in accordance with said scheme, said anonymous signatures comprising said trace.

3. The method for generating keys according to claim 2, said method comprising: generating, by the group administration entity, a pair of keys of said scheme for at least one administration entity of the group; the public key of said at least one revocation entity being calculated from a public key of said pair of keys.

4. The method for generating keys according to claim 2 in which said trace generator is renewed periodically.

5. The method according to claim 2 in which said trace generator is specific to a given service.

6. A system for generating keys for an anonymous signature scheme, this system comprising: at least one revocation entity configured to calculate a pair of revocation keys comprising a public key and a private key, said private key being usable by said revocation entity to revoke anonymity of an anonymous signature complying with said anonymous signature scheme; a group administration entity configured to register at least one member entity with said group; said at least one revocation entity being configured to calculate, from a public key of said at least one pair of revocation keys, a trace generator, said trace generator being intended to be used by each said member entity to generate a trace representative of said member entity, said trace being invariant relative to the anonymous signatures generated by said member entity in accordance with said scheme; and said at least one member entity, which is configured to blindly obtain a private group key, said private key being used by said member entity to generate anonymous signatures complying with said scheme, said anonymous signatures comprising said trace.

7. An anonymous signature device of a message executed by a member entity of a group and comprising: a processor; and a non-transitory computer-readable medium comprising instructions stored thereon which when executed by the processor configure the anonymous signature device to: register said member entity with an administration entity of the group; generate a trace from a trace generator calculated by at least one revocation entity and included in a public key of said group, said trace being invariant relative to the anonymous signatures generated by said member entity in accordance with said scheme; blindly obtain a private group key; and generate the anonymous signatures by using said private group key, said signatures comprising said trace.

8. (canceled)

9. (canceled)

10. (canceled)

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0048] Other characteristics and advantages of the present invention will emerge from the following description in reference to the appended drawings which illustrate an exemplary embodiment devoid of any limiting character, in which:

[0049] FIG. 1 illustrates a system for generating keys and an anonymous signature device according to an embodiment of the invention;

[0050] FIG. 2 illustrates the principal steps of a method for generating keys according to the invention in the form of a flowchart;

[0051] FIG. 3 illustrates the principal steps of a signature method according to the invention in the form of a flowchart;

[0052] FIG. 4 illustrates the principal steps of a verification method of a signature which can be used in the invention in the form of a flowchart;

[0053] FIG. 5 illustrates the principal steps of a method for lifting anonymity which can be used in the invention in the form of a flowchart;

[0054] FIG. 6 illustrates an electronic voting system according to an embodiment of the invention;

[0055] FIG. 7 illustrates the principal steps of a method for generating keys in the voting system of FIG. 6 in the form of a flowchart;

[0056] FIG. 8 illustrates the principal steps of a voting method according to the invention in the form of a flowchart;

[0057] FIG. 9 illustrates the principal steps of a verification method of a signature which can be used in the voting system of FIG. 6 in the form of a flowchart;

[0058] FIG. 10 illustrates the principal steps of a method for lifting anonymity which can be used in the voting system of FIG. 6 in the form of a flowchart;

[0059] FIG. 11 illustrates the hardware architecture of the devices used in the invention, in a particular embodiment.

DETAILED DESCRIPTION OF EMBODIMENTS

Notations and Assumptions

[0060] Throughout this document, the notation PoK(α.sub.1, α.sub.2, . . . , α.sub.n: custom-character (α.sub.1, α.sub.2, . . . , α.sub.n)) will be used to designate zero-knowledge proof of elements α.sub.1, α.sub.2, . . . , α.sub.n satisfying the relationship . So proof of knowledge of the two first factors of a public module RSA (from the name of the inventors, “Rivest-Shamir-Adleman”) N would be noted as: PoK(α.sub.1, α.sub.2: N=α.sub.1.Math.α.sub.2∧(α.sub.1≠1)∧(α.sub.2≠1)).

In the following description,

[0061] p is a prime number;

[0062] the groups G.sub.1, G.sub.2 and G.sub.T are cyclic groups of order p;

[0063] g, h designate two generators, chosen randomly, of G.sub.1;

[0064] {tilde over (h)} is a generator, chosen randomly, of G.sub.2;

[0065] e is a bilinear coupling of type 2 or 3, defined on the set G.sub.1×G.sub.2 to the set G.sub.T.

[0066] It is recalled that a bilinear coupling, noted e, is an application defined on a set G.sub.1×G.sub.2 to a set G.sub.T where G.sub.1, G.sub.2 and G.sub.T designate cyclic groups of order p. This application e verifies the following properties:

[0067] Bilinearity: ∀g.sub.1∈G.sub.1, ∀g.sub.2∈G.sub.2 and Å(a, b)∈Z.sub.p, e(g.sub.1.sup.a,g.sub.2.sup.b)=e(g.sub.1,g.sub.2).sup.ab.

[0068] Non-degenerated: For g.sub.1≠1.sub.G.sub.1 and g.sub.2≠1.sub.G.sub.2, e(g.sub.1,g.sub.2)≠1.sub.G.sub.T, in which 1.sub.G.sub.1 and 1.sub.G.sub.2 designate respectively the neutral element of the groups G.sub.1, G.sub.2.

[0069] Calculable: ∀g.sub.1∈G.sub.1, ∀g.sub.2∈G.sub.2, there is an efficacious algorithm for calculating e(g.sub.1,g.sub.2).

[0070] In practice, the groups G.sub.1, G.sub.2 and G.sub.T will be chosen such that there is no isomorphism calculable effectively between G.sub.1 and G.sub.2. Such couplings are known by the name of couplings of “Type 3” in the literature. In practice, and for a security level of 128 bits, the recommended sizes of the parameters of a coupling of “Type 3” are the following: 256 bits for the prime number p as well as for the elements of G.sub.1, 512 for those of G.sub.2 and 3072 for those of G.sub.T.

[0071] The security of the scheme is based partly on the assumption that the problems below are difficult. In other terms, if an attacker is capable of jeopardising the security of the cryptographic scheme, then he is also capable of resolving these problems alleged to be “difficult”.

[0072] Problem DDH

[0073] Let G be a cyclic group of first order p. Given a generator g∈G, any two elements g.sup.a, g.sup.b∈G and a candidate X∈G, the Diffie-Hellman decisional problem (DDH) consists of determining whether X=g.sup.ab or not.

[0074] In the case of schemes based on bilinear couplings, there are difficult specific problems. For the couplings used in the invention, the inventors assume that the problem DDH is difficult in the groups G.sub.1 and G.sub.2. This hypothesis is known by the name of Diffie-Hellman external symmetrical hypothesis (SXDH).

[0075] For the method according to the invention, it can be demonstrated that if a third party (having no keys of revocation authorities) manages to identify the signatory of any anonymous signature then it is also capable of resolving the problem SXDH.

[0076] Problem q-MSDH

[0077] Let (p, G.sub.1, G.sub.2, G.sub.T, e) be a bilinear environment of “Type 3” and g (respectively {tilde over (g)}) a generator of G.sub.1 (respectively of G.sub.2). Given

[00001] ${{(g^{x^{i}}, {\tilde{g}}^{x^{i}}}}_{i = 0}^{q}$

that (g.sup.a, {tilde over (g)}.sup.a, {tilde over (g)}.sup.ax) where a and x are any two elements of Z.sub.p*, the problem q-MSDH consists of finding a quadruplet

[00002] $(ω, P, h^{\frac{1}{x + ω}}, h^{\frac{a}{P (x)}})$

where h∈G.sub.1*, P is a maximum-degree polynomial q and ω an element of Z.sub.p*, such that the polynomials P(X) and (X+ω) are the first.

[0078] It can be demonstrated that if a third party succeeds in “forging” signatures of the anonymous signature scheme according to the invention, then it is also capable of resolving the problem q-MSDH.

[0079] In the embodiment described here, at least in some of these aspects the invention implements:

[0080] one or more administration entities ε custom-character of a group;

[0081] revocation authorities { custom-character .sub.j}.sub.j=1.sup.t with (t≥1);

[0082] member entities V.sub.i of the group. custom-character designates the group of the n member entities.

[0083] FIG. 1 illustrates a system SGC for generating keys for an anonymous signature scheme SigA.sub.2 and a member entity V.sub.i of a group custom-character according to the invention. It also illustrates a verification device DV.

[0084] The member entity V.sub.i comprises a communications module COM and an anonymous signature device DSA according to the invention.

[0085] The system SGC for generating keys comprises an administration entity ε custom-character of the group, and the revocation authorities {.sub.j}.sub.j=1.sup.t with (t≥1).

[0086] The administration entity ε custom-character of the group comprises a communications module COM, a cryptographic module MCR and a registration module ERG configured to register at least one member entity V.sub.i in the group.

[0087] For this purpose, the device DSA of the member entity V.sub.i comprises a registration module ERG configured to register the member entity V.sub.i with the administration entity ε custom-character of the group.

[0088] In the embodiment described here, each revocation entity custom-character .sub.j comprises a cryptographic module MCR configured to calculate a pair of revocation keys (,P.sub.j), this pair comprising a public key P.sub.j and a private key which can be used by the revocation entity to revoke the anonymity of an anonymous signature complying with said scheme SigA.sub.2.

[0089] In the embodiment described here, the cryptographic module MCR of a revocation entity custom-character .sub.j is configured to calculate a trace generator from the private keys of the pair of revocation keys, where X.sub.1 designates a public parameter produced by the system for generating keys SGC.

[0090] In the embodiment described here, the device DSA of each member entity V.sub.i comprises a cryptographic module MCR configured to generate a trace T.sub.i=P.sub.t.sup.s.sup.i representing the member entity V.sub.i by using this trace generator from the private key of the member entity V.sub.i. This trace T.sub.i is invariant relative to the anonymous signatures σ.sub.i generated by the member entity in accordance with the scheme SigA.sub.2.

[0091] In the embodiment described here, the cryptographic module MCR of each member entity V.sub.i is configured to blindly obtain a private group key SK.sub.G.sup.i.

[0092] In the embodiment described here, the cryptographic module MCR of each member entity V.sub.i is configured to generate signatures σ.sub.i of messages by using the private group key, these signatures comprising the trace T.sub.i.

[0093] The verification device DV is configured to verify whether an anonymous signature σ.sub.i is compliant with the anonymous signature scheme SigA.sub.2. It executes a verification algorithm which inputs a message msg, a signature σ.sub.i and the public key of the group PK.sub.G. It determines whether the signature σ.sub.i is valid or not.

[0094] In the embodiment described here, the verification device DV comprises communication means COM and a cryptographic module MCR.

[0095] The communications module COM of the verification device DV is configured to obtain an anonymous signature σ.sub.i such that σ.sub.i=(w, w′, c.sub.1, T, PΠ′.sub.i).

[0096] The cryptographic module MCR of the verification device DV is configured to determine that the anonymous signature σ.sub.i of a message msg is valid if:

[0097] w≠1.sub.G.sub.1

[0098] T≠1.sub.G.sub.1;

[0099] PΠ′.sub.i is valid; and

[0100] e(w, {tilde over (X)}.sub.0).Math.e(c.sub.1, {tilde over (X)}.sub.1)=e (w′, {tilde over (h)}).

[0101] In the embodiment described here, the cryptographic module MCR of a revocation entity custom-character .sub.j is configured to execute the method for lifting anonymity of a signature described later in reference to FIG. 5.

[0102] FIG. 2 illustrates the principal steps of a method for generating group keys according to the invention in the form of a flowchart.

[0103] During a step E2, the cryptographic module MCR of the administration entity ε custom-character randomly draws three values, x.sub.0,{tilde over (x)}.sub.0,x.sub.1 of Z.sub.p.

[0104] During a step E4, the cryptographic module MCR of the administration entity ε custom-character calculates C.sub.x.sub.0=g.sup.x.sup.0h.sup.{tilde over (x)}.sup.0, X.sub.1=h.sup.x.sup.1, {tilde over (X)}.sub.0={tilde over (h)}.sup.x.sup.0, {tilde over (X)}.sub.1={tilde over (h)}.sup.x.sup.1.

[0105] During a step E6, the cryptographic module MCR of the administration entity ε custom-character constitutes a pair of keys in which: [0106] the private key is constituted by the three values (x.sub.0, {tilde over (x)}.sub.0,x.sub.1) which have been drawn randomly; and [0107] the public key is constituted by the elements calculated at step E4: =(C.sub.x.sub.0, X.sub.1, {tilde over (X)}.sub.0, {tilde over (X)}.sub.1).

[0108] During a step E8, the cryptographic module MCR of the administration entity ε custom-character generates a zero-knowledge proof PΠ.sub.2 to prove that it knows the private key associated with its public key. PΠ.sub.2=PoK(α.sub.1, α.sub.2, α.sub.3: C.sub.x.sub.0=g.sup.α.sup.1h.sup.α.sup.2∧X.sub.1=h.sup.α.sup.3∧{tilde over (X)}.sub.0={tilde over (h)}.sup.α.sup.1∧{tilde over (X)}.sub.1={tilde over (h)}.sup.α.sup.3).

[0109] During a step F2, the cryptographic module MCR of each of the revocation entities { custom-character .sub.j}.sub.j=1.sup.t randomly draws a value of Z. This random value constitutes a private key of the revocation entity .sub.j for lifting anonymity of a signature.

[0110] During a step F4, the cryptographic modules MCR of the revocation entities custom-character .sub.j in turn calculate a public key P.sub.j associated with this private key . More precisely, in the embodiment described here: [0111] the revocation entity .sub.1 calculates and proves that it knows the private key associated with its public key, in other words the discrete logarithm of P.sub.1 in the base X.sub.1. [0112] the revocation entity custom-character .sub.2 calculates and proves that it knows the private key associated with its public key, in other words the discrete logarithm of P.sub.2 in the base P.sub.1. [0113] the revocation entity .sub.j, for t≥j≥2, calculates and proves that it knows the private key associated with its public key, in other words the discrete logarithm of P.sub.j in the base P.sub.j-1.

[0114] During a step F6, when all the revocation entities have calculated their public key P.sub.j, the cryptographic module MCR of the revocation entity custom-character .sub.t constitutes the public key of the group PK.sub.G=(C.sub.x.sub.0,X.sub.1,{tilde over (X)}.sub.0,{tilde over (X)}.sub.1,P.sub.t). It comprises the trace generator

[00003] $P_{t} = X_{1}^{{.Math.}_{j = 1}^{t} x_{ℛ}^{j}}$

obtained from the private keys of each of the revocation entities custom-character .sub.j. The private key associated with the public group key is SK.sub.G=(x.sub.0, {tilde over (x)}.sub.0, x.sub.1, x=Π.sub.j=1.sup.t).

[0115] In the embodiment described here, each member entity V.sub.i has a unique identifier ID.sub.v.sub.i as well as a pair of private, public keys (SK.sub.i, PK.sub.i), of a digital signature algorithm, the public key PK.sub.i having been certified by a recognised certification entity, for example by the administration entity ε custom-character . Examples of digital signature algorithms which can be used for this purpose are: RSA, DSA, ECDSA, . . . .

[0116] To obtain its private group key the member entity V.sub.i interacts with the administration entity ε custom-character . During a step G2 the cryptographic module MCR of the member entity V.sub.i randomly draws a value x.sub.i∈Z.sub.p and calculates c.sub.i=X.sub.1.sup.x.sup.i. It should be noted that the private group key SK.sub.G.sup.i is obtained by the member entity from its private key xi.sub.i known to it only.

[0117] It then generates zero-knowledge proof PΠ.sub.i that it knows x.sub.i the discrete logarithm of C.sub.i in base X.sub.1: PΠ.sub.i=PoK(α.sub.1: C.sub.i=X.sub.1.sup.α.sup.1). The example of such proof is provided in the document Claus-Peter Schnorr, “Efficient Identification and Signature for Smart Cards”, Theory and Application of Cryptology, Springer, 1989.

[0118] During a step G4, the cryptographic module of the member entity V.sub.i generates a signature σ.sub.V.sub.i on C.sub.i: σ.sub.V.sub.i=Sign.sub.SK.sub.i(C.sub.i) where SK.sub.i designates the private key of V.sub.i. The member entity V.sub.i then transmits these three values C.sub.i, PΠ.sub.1, σ.sub.V.sub.i to the administration entity ε custom-character .

[0119] During a step E10, the cryptographic module MCR of the administration entity an ε custom-character verifies that C.sub.i≠1 and that the signature σ.sub.V.sub.i and the proof PΠ.sub.i are both valid.

[0120] If this is the case, during a step E12 the cryptographic module MCR of the administration entity ε custom-character an generates two random values b and x′ of Z.sub.p and calculates E=X.sub.1.sup.x′ as well as a pair (u, u′) where u=h.sup.b and u′=u.sup.x.sup.0(C.sub.i.Math.X.sub.1.sup.x′).sup.b=u.sup.x.sup.0.sup.+(x.sup.i.sup.+x′)x.sup.1. It proves that the pair (u, u′) has been calculated consistently and especially from the private keys x.sub.0 and x.sub.1:

Π.sub.3=PoK(α.sub.1, α.sub.2, α.sub.3, α.sub.4: u=h.sup.α.sup.1∧u′=u.sup.α.sup.2(C.sub.i.Math.X.sub.1.sup.α.sup.4).sup.α.sup.1∧C.sub.x.sub.0=g.sup.α.sup.2h.sup.α.sup.3∧E=X.sub.1.sup.α.sup.4)

[0121] During a step E14, the cryptographic module MCR of the administration entity an ε custom-character transmits E, u, u′ and the proof PΠ.sub.3 to the member entity V.sub.i.

[0122] During a step G6, the cryptographic module of the member entity V.sub.i verifies that u≠1 and que the proof PΠ.sub.3 is valid. If these two verifications are conclusive, during a step G7 the cryptographic module of the member entity V.sub.i generates a signature Sig.sub.V.sub.i on C.sub.i and E: Sig.sub.V.sub.i=Sign.sub.SK.sub.i(C.sub.i,E), where SK.sub.i designates the private key of the member entity V.sub.i.

[0123] During a step G75, the member entity V.sub.i transmits the signature Sig.sub.V.sub.i to the administration entity ε custom-character .

[0124] During a step E13, the administration entity ε custom-character verifies that the signature Sig.sub.V.sub.i is valid, and if this is the case, transmits x′ to the member entity V.sub.i.

[0125] The administration entity ε custom-character maintains a register REG containing the following values for each member entity V.sub.i of the group:

C.sub.i, C′.sub.i=C.sub.i=E=C.sub.i.Math.X.sub.1.sup.x′, x′, Π.sub.i, ID.sub.i, PK.sub.i and Sig.sub.V.sub.i: REG={C.sub.i,C′.sub.i, x′, Π.sub.i, ID.sub.i,PK.sub.i,Sig.sub.V.sub.i}.sub.i=1.sup.n where n designates the number of members duly registered.

[0126] During a step G8, the member entity V.sub.i verifies that E=X.sub.1.sup.x′ and constitutes its private group key SK.sub.G.sup.i, if this verification is conclusive. The latter is constituted by the triplet SK.sub.G.sup.i=(s.sub.i,u, u′) where s.sub.i=x.sub.i+x′ mod p.

[0127] In a particular embodiment, the trace generator P.sub.t is renewed periodically (every hour, every day, start of month, etc.). For this it is enough for the revocation entities to renew their private key custom-character and recalculate the corresponding trace generator P.sub.t according to the generation method described previously.

[0128] In a particular embodiment, the trace generator P.sub.t is specific to a given service. Typically a trace generator P.sub.t can be generated for a specific election. For a new ballot, the revocation entities must calculate new private keys custom-character to deduce a new trace generator P′.sub.t therefrom.

[0129] FIG. 3 illustrates in the form of a flowchart the principal steps of a signature method according to the invention. This signature method utilises the anonymous signature scheme SigA.sub.2. This scheme utilises an algorithm which produces a signature σ.sub.i of the message msg from a message msg, the public group key PK.sub.G and the private group key SK.sub.G.sup.i of a member entity.

[0130] According to the anonymous signature scheme SigA.sub.2, to anonymously sign a message msg∈{0,1}* with its private group key SK.sub.G.sup.i the cryptographic module MCR of the member entity V.sub.i randomly draws a value l∈Z.sub.p during a step H2. At step H4 t calculates the value w=u.sup.l and at step H6 the value w′=(u′).sup.l.

[0131] During a step H8, the cryptographic module MCR of the member entity V.sub.i calculates the value c.sub.1=w.sup.s.sup.i and the trace T.sub.i=P.sub.t.sup.s.sup.i. This trace T.sub.i calculated from the trace generator P.sub.t and of the element s.sub.i of the private group key of the member entity V.sub.i does not depend on the message msg. In other words, the trace T.sub.i constitutes an invariant of the signatures sent by the member entity V.sub.i.

[0132] The member entity V.sub.i proves that the discrete logarithm of c.sub.1 in the base w is the same as the discrete logarithm of T.sub.i in the base P.sub.t:PΠ.sub.i=PoK(α.sub.1:c.sub.1=w.sup.α.sup.1∧T.sub.i=P.sub.t.sup.α.sup.1).

[0133] In the embodiment of the invention described here, the proof PΠ′.sub.i is the pair (c, r) in which:

[0134] z is a random value of z.sub.p drawn by the member entity V.sub.i;

[0135] T.sub.1=w.sup.z;

[0136] T.sub.2=P.sub.t.sup.z;

[0137] c= custom-character (T.sub.1, T.sub.2, P.sub.t, msg);

[0138] r=z−cs.sub.i mod p

The proof is valid if c= custom-character (w.sup.r c.sub.1.sup.c, P.sub.t.sup.r T.sub.i.sup.c, P.sub.t, m).

[0139] During a step H10, the cryptographic module MCR of the member entity V.sub.i generates the anonymous signature σ.sub.i of the message msg, the latter being constituted by the following five elements: (w, w′, c.sub.1, T.sub.i, PΠ′.sub.i). It comprises the trace T.sub.i which traces all the signatures sent by the member entity V.sub.i.

[0140] FIG. 4 illustrates in the form of a flowchart the principal steps of a verification method of an anonymous signature which can be used in the invention. This method is executed by the verification device DV of FIG. 1. It executes a verification algorithm which inputs a message msg, a signature σ.sub.i and the public key of the group PK.sub.G. It determines whether the signature σ.sub.i is valid or not.

[0141] During a step K2, the verification device of an anonymous signature obtains an anonymous signature σ.sub.i=(w, w′, c.sub.1, T.sub.i, PΠ′.sub.i).

[0142] During a step K4, the verification device considers that the anonymous signature σ.sub.i of a message msg is valid if:

[0143] w≠1.sub.G.sub.1;

[0144] T.sub.i≠1.sub.G.sub.1;

[0145] PΠ′.sub.i is valid; and

[0146] e(w, {tilde over (X)}.sub.0).Math.e(c.sub.1, {tilde over (X)}.sub.1)=e(w′, {tilde over (h)}).

[0147] FIG. 5 illustrates in the form of a flowchart the principal steps of a method for lifting anonymity of a valid signature σ.sub.i=(w, w′, c.sub.1, T.sub.i, Π′.sub.i) of a message msg. This method can be carried out only by the revocation entities custom-character .sub.j. It utilises an algorithm which inputs a message msg, a signature σ.sub.i, the public key of the group PK.sub.G a and the private keys of the revocation authorities and returns ID.sub.v.sub.i the identity of a member entity V.sub.i as well as proof that V.sub.i is the real author of this signature σ.sub.i.

[0148] During a step Z2, each of the revocation entities custom-character .sub.j obtains the anonymous signature σ.sub.i of a message msg.

[0149] During a step Z4, the revocation authorities { custom-character .sub.j}.sub.j=1.sup.t successively calculate, T.sub.j=T.sub.j-1 with T.sub.0=T.sub.i.

In other words: [0150] custom-character .sub.1 calculates and proves () that the discrete logarithm of T.sub.1 in the base T.sub.i is equal to the discrete logarithm of X.sub.1 in the base P.sub.1. [0151] .sub.2 calculates and proves () that the discrete logarithm of T.sub.2 in the base T.sub.1 is equal to the discrete logarithm of P.sub.1 in the base P.sub.2. [0152] custom-character .sub.j, for t≥j≥2, calculates T.sub.j= and proves (PΠ.sup.j) that the discrete logarithm of T.sub.j in the base T.sub.j-1 is equal to the discrete logarithm of P.sub.j-1 in the base P.sub.j.

[0153] It is recalled here that there can be one single revocation entity only.

[0154] If all proofs produced by the revocation authorities are valid, T.sub.t= custom-character =X.sub.i.sup.s.sup.i=C′.sub.i.

[0155] During a step Z6, the revocation authorities transmit T.sub.t and all proofs {PΠ custom-character .sup.j}.sub.j=1.sup.t to the administration entity ε.

[0156] During a step Z8, the administration entity an retrieves in its registry REG the entry corresponding to C′.sub.i: {c.sub.i,C′.sub.i,x′, Π.sub.i, ID.sub.i,PK.sub.i,Sig.sub.V.sub.i}.

[0157] During a step Z10, the administration entity ε custom-character in return provides the revocation entity .sub.j as applicant for lifting anonymity with the identifier ID.sub.v.sub.i, the proofs as well as c.sub.i, C′.sub.i, x′, PK.sub.i and Sig.sub.V.sub.i. If all the proofs are valid, if C′.sub.j=C.sub.i.Math.X.sub.1.sup.x′ and if the signature Sig.sub.V.sub.i is valid then the administration entity ε custom-character considers that the member entity V.sub.i of which the identifier is ID.sub.v.sub.i is the real author of the signature σ.sub.i of the message msg.

[0158] When the service is an electronic vote, it is possible to compile a voting list from the identifiers obtained by executing the method.

Description of a Second Embodiment of the Invention

[0159] The anonymous signature scheme SigA.sub.2 can be used in particular to implement an electronic vote solution.

[0160] FIG. 6 illustrates a voting system electronic SVE2 according to the invention. This system comprises a system SGC for generating keys for an anonymous signature scheme SigA.sub.2 and a member entity V.sub.i of a group custom-character according to the invention. It also comprises a verification device DV.

[0161] In this embodiment, the member entities V.sub.i of a group are voter entities.

[0162] In this embodiment, the system SGC for generating keys comprises a registration entity custom-character and an organising entity . At the same time each acts as administration entity of the group and revocation entity of the group. It is understood that this is an illustrative example and that in other examples the distribution of roles attributed to the different entities can be different. The registration entity custom-character and the organising entity each comprise a communications module COM and a cryptographic module MCR. The registration entity and the organising entity also each comprise a registration module ERG configured to register at least one voter entity V.sub.i in the group.

[0163] Therefore, in this embodiment of the invention a voter entity is registered at the same time with the registration entity custom-character and with the organising entity . This embodiment reprises the role of group administrator between two entities so as to prevent a single entity from being capable of creating false voter entities.

[0164] The voter entity V.sub.i comprises a communications module COM and an anonymous signature device DSA according to the invention.

[0165] The device DSA of the voter entity V.sub.i comprises a registration module ERG configured to register the voter entity V.sub.i with the registration entity custom-character .

[0166] In the embodiment described here, the cryptographic module MCR of each revocation entity custom-character , is configured to calculate a pair of revocation keys of which the private key can be used to revoke the anonymity of an anonymous signature complying with said scheme SigA.sub.2 and to calculate a trace generator from a public key of the pair of revocation keys.

[0167] The device DSA of each voter entity V.sub.i comprises a cryptographic module MCR configured to generate a trace T.sub.i=P.sub.t.sup.s.sup.i by using this trace generator, this trace T.sub.i being invariant relative to the anonymous signatures σ.sub.i generated by the voter entity in accordance with the scheme SigA.sub.2.

[0168] In the embodiment described here, the cryptographic module MCR of each voter entity V.sub.i is configured to blindly obtain a private group key SK.sub.G.sup.i, noted s.sub.i hereinbelow.

[0169] In the embodiment described here, the cryptographic module MCR of each voter entity V.sub.i is configured to generate signatures σ.sub.i of messages, by using the private group key, these signatures comprising the trace T.sub.i.

[0170] The verification device DV is configured to verify if an anonymous signature σ.sub.i is compliant with the anonymous signature scheme SigA.sub.2. It executes a verification algorithm which inputs a message msg, a signature σ.sub.i and the public key of the group PK.sub.G. It determines whether the signature σ.sub.i is valid or not.

[0171] In the embodiment described here, the verification device DV comprises communication means COM and a cryptographic module MCR.

[0172] The communications module COM is capable of obtaining an anonymous signature σ.sub.i such that σ.sub.i=(w, w′, c.sub.1, T.sub.i, PΠ′.sub.i).

[0173] The cryptographic module MCR is configured to determine that the anonymous signature σ.sub.i of a message msg is valid if:

[0174] w≠1.sub.G.sub.1;

[0175] T.sub.i≠1.sub.G.sub.1;

[0176] PΠ′.sub.i is valid; and

[0177] e(w, {tilde over (X)}.sub.0).Math.e(c.sub.1, {tilde over (X)}.sub.1)=e(w′, {tilde over (h)}).

[0178] In the embodiment described here, the cryptographic module MCR of a revocation entity custom-character , is configured to execute the method for lifting anonymity of a signature described later in reference to FIG. 10.

[0179] FIG. 7 illustrates in the form of a flowchart a method for generating keys of the voter entities according to this embodiment of the invention.

[0180] During a step VE2, the cryptographic module MCR of the organising entity custom-character randomly draws four values ,,, of z.sub.p. In this embodiment, is a private key used by the organising entity for lifting the anonymity of a voter entity.

[0181] During a step VE4, the cryptographic module MCR of the organising entity custom-character calculates =,=,=,=,=.

[0182] During a step VE6, the cryptographic module MCR of the organising entity custom-character constitutes a pair of keys in which: [0183] the private key is constituted by the four values (,,,) which have been drawn randomly; and [0184] the public key PK is constituted by the elements calculated at step VE4: PK=(,,,,).

[0185] During a step VE8, the cryptographic module MCR of the organising entity custom-character generates proof VOPΠ.sub.2 that it knows the private key associated with its public key by generating zero-knowledge proof defined as follows: VOΠ.sub.2=PoK(α.sub.1, α.sub.2, α.sub.3, α.sub.4:=g.sup.α.sup.1h.sup.α.sup.2∧=h.sup.α.sup.3∧={tilde over (h)}.sup.α.sup.1∧={tilde over (h)}.sup.α.sup.3∧ custom-character =X.sub.1.sup.α.sup.4).

[0186] The registration entity custom-character proceeds in the same way.

[0187] During a step VE2, the cryptographic module MCR of the registration entity custom-character randomly draws four values ,,, of Z.sub.p. In this embodiment, is a private key used by the registration entity for lifting the anonymity of a voter entity.

[0188] During a step VE4, the cryptographic module MCR of the registration entity custom-character calculates =,=,=,=,=.

[0189] During a step VE6, the cryptographic module MCR of the registration entity custom-character constitutes a pair of keys in which: [0190] the private key is constituted by the four values (,,,) which have been drawn randomly; and [0191] the public key , is constituted by the elements calculated at step VE4: =(,,,,).

[0192] During a step VE8, the cryptographic module MCR of the registration entity custom-character generates proof VAPΠ.sub.2 that it knows the private key associated with its public key. This proof is defined as follows:

VAPΠ.sub.2=PoK(α.sub.1, α.sub.2, α.sub.3, α.sub.4: custom-character =g.sup.α.sup.1h.sup.α.sup.2∧=h.sup.α.sup.3∧={tilde over (g)}.sup.α.sup.1∧={tilde over (h)}.sup.α.sup.3∧=X.sub.1.sup.α.sup.4)

[0193] During a step VF4, the cryptographic modules MCR of the organising entity custom-character and of the registration entity , after having made their public keys and public, each calculate for their part a trace generator P.sub.t===.

[0194] During a step VF6, when all the revocation entities, specifically the registration entity custom-character and the organising entity in this embodiment, have calculated their public key, they calculate the public key of the group PK.sub.G. It comprises the trace generator P.sub.t= obtained from the private keys of these revocation entities and .

PK.sub.G=(C.sub.x.sub.0, X.sub.1, {tilde over (X)}.sub.0, {tilde over (X)}.sub.1, P.sub.t) where c.sub.x.sub.0= custom-character .Math., X.sub.1=.Math., {tilde over (X)}.sub.0=.Math. and {tilde over (X)}.sub.1=.Math.. The private key associated with the public group key is

SK.sub.G=(x.sub.0= custom-character +,{tilde over (x)}.sub.0=+,x.sub.1=+,=.Math.)

[0195] In this embodiment, each voter entity V.sub.i has a unique identifier ID.sub.v.sub.i as well as a pair of keys, private and public (SK.sub.i, PK.sub.i), of an algorithm of digital signature, the public key PK.sub.i having been certified previously by a recognised certification authority, for example by the registration entity custom-character and by the organising entity .

[0196] In the embodiment described here, to obtain its private group key the voter entity V.sub.i must interact with the administration entity custom-character and with the organising entity . During a step VG2 the cryptographic module MCR of the member entity V.sub.i randomly draws a value x.sub.i∈Z.sub.p and calculates C.sub.i=x.sub.i.sup.x.sup.i. It then generates zero-knowledge proof VEPΠ.sub.i that it knows x.sub.i the discrete logarithm of C.sub.i in base X.sub.1: VEPΠ.sub.i=PoK(α.sub.1: C.sub.i=X.sub.1.sup.α.sup.1).

[0197] During a step VG4, the cryptographic module MCR of the voter entity V.sub.i generates a signature σ.sub.V.sub.i on C.sub.i: σ.sub.V.sub.i=Sign.sub.SK.sub.i(C.sub.i) where SK; designates the private key of V.sub.i. The voter entity V.sub.i then transmits these three values C.sub.i, VEPΠ.sub.i, σ.sub.V.sub.i, to the administration entity custom-character and to the organising entity .

[0198] During a step VE10, the cryptographic module MCR of the administration entity custom-character and the cryptographic module MCR of the organising entity verify c.sub.i≠1 and that the signature σ.sub.V.sub.i and the proof PΠ.sub.i are both valid.

[0199] If this is the case, during a step VE12 the cryptographic module MCR of the administration entity custom-character and the cryptographic module MCR of the organising entity jointly generate two random values b and x′ of z.sub.p and calculate E=X.sub.1.sup.x′ and a pair (u, u′) where u=h.sup.b and u′=u.sup.x.sup.0(C.sub.i.Math.X.sub.1.sup.x′).sup.b=u.sup.x.sup.0.sup.+(x.sup.i.sup.+x′)x.sup.1. They prove that the pair (u, u′) has been calculated consistently and especially from the private keys x.sub.0 and x.sub.1:

VOAΠ.sub.3=PoK(α.sub.1,α.sub.2,α.sub.3,α.sub.4: u=h.sup.α.sup.1∧u′=u.sup.α.sup.2(C.sub.i.Math.X.sub.1.sup.α.sup.4).sup.α.sup.1∧C.sub.x.sub.0=g.sup.α.sup.2h.sup.α.sup.3∧E=X.sub.1.sup.α.sup.4)

[0200] It is recalled that to jointly generate a value, the value x′ for example, the administration entity custom-character and the organising entity can utilise known techniques of distributed cryptography. For example, the administration entity (respectively the organising entity ) randomly generates a value of Z.sub.p (respectively of z.sub.p) and calculates = (respectively ). This gives E=. =X.sub.1.sup.x′ where x′= custom-character + (mod p).

[0201] In this embodiment, during a step VE14 the cryptographic module MCR of the administration entity custom-character or of the organising entity transmits E, u, u′ and the proof VEPΠ.sub.3 to the voter entity V.sub.i. As a variant these values are sent by the administration entity and by the organising entity and the voter entity V.sub.i verifies that the values received from the two entities custom-character and are identical.

[0202] During a step VG6, the cryptographic module of the voter entity V.sub.i verifies that u≠1 and that the proof VOAPΠ.sub.3 is valid. If these two verifications are conclusive, during a step VG7 the cryptographic module of the voter entity V.sub.i generates a signature Sig.sub.V.sub.i on C.sub.i and E: Sig.sub.V.sub.i=Sign.sub.SK.sub.i(C.sub.i,E), where SK.sub.i designates the private key of the voter entity V.sub.i. During a step VG75, the voter entity V.sub.i transmits the signature Sig.sub.V.sub.i to the administration entity custom-character and to the organising entity .

[0203] During a step VE13, the administration entity custom-character and the organising entity verify that the signature Sig.sub.V.sub.i is valid, and if this is the case the administration entity transmits x′ to the voter entity V.sub.i.

[0204] The administration entity custom-character maintains a register REG, not shown, containing the following values for each member entity V.sub.i of the group:

C.sub.i, C′.sub.i=C.sub.i.Math.X.sub.1.sup.x′, x′, PΠ.sub.i, ID.sub.i, PK.sub.i and Sig.sub.V.sub.i: REG={C.sub.i, C′.sub.i, x′, PΠ.sub.i, ID.sub.v.sub.i, PK.sub.i, Sig.sub.V.sub.i}.sub.i=1.sup.n where n designates the number of voter entities duly registered.

[0205] During a step VG8, the voter entity V.sub.i verifies that E=X.sub.1.sup.x′ and constitutes its private group key SK.sub.G.sup.i, if this verification is conclusive. The latter is constituted by the triplet SK.sub.G.sup.i=(s.sub.i,u, u′) where s.sub.i=x.sub.i+x′ mod p. It should be noted that said private group key SK.sub.G.sup.i is obtained by the member entity from its private key xi.sub.i known to it alone.

[0206] FIG. 8 illustrates the principal steps of a voting method according to this embodiment of the invention in the form of a flowchart.

[0207] According to the anonymous signature scheme SigA.sub.2, for anonymously signing any message msg∈{0,1}* with its private group key SK.sub.G.sup.i the cryptographic module MCR of the voter entity V.sub.i randomly draws a value l∈Z.sub.p during a step VH2 and calculates (step VH4) the value w=u.sup.l (step VH6) as well as the value w′=(u′).sup.l.

[0208] In the case of a one-ballot uninominal majority poll the message can be constituted by the vote of the voter entity, optionally in encrypted form, the encryption of which can be calculated by using a public key of which the private key would be shared between several assessor entities configured to carry out counting of the vote.

[0209] During a step VH8, the cryptographic module MCR of the voter entity V.sub.i calculates the value c.sub.1=w.sup.s.sup.i and the trace T.sub.i=P.sub.t.sup.s.sup.i. This trace T.sub.i calculated from the trace generator P.sub.t and the element s.sub.i of the private group key of the voter entity V does not depend on the message msg. In other words, the trace T.sub.i therefore constitutes an invariant of the signatures sent by the voter entity V.sub.i.

[0210] The voter entity V.sub.i proves that the discrete logarithm of c.sub.1 in the base w is the same as the discrete logarithm of T.sub.i in the base P.sub.t: VEPΠ′.sub.i=PoK(α.sub.1: c.sub.1=w.sup.α.sup.1∧T.sub.i=P.sub.t.sup.α.sup.1).

[0211] In the embodiment of the invention described here, the proof VEPΠ′.sub.i is the pair (c, r) in which:

[0212] z is a random value of z.sub.p drawn by the voter entity V.sub.i;

[0213] T.sub.1=w.sup.z;

[0214] T.sub.2=P.sub.t.sup.z;

[0215] c= custom-character (T.sub.1, T.sub.2, P.sub.t, msg);

[0216] r=z−cs.sub.i mod p

The proof is valid if c= custom-character (w.sup.r c.sub.1.sup.c, P.sub.t.sup.r T.sub.i.sup.c, P.sub.t, m).

[0217] During a step VH10, the cryptographic module MCR of the voter entity V.sub.i generates the anonymous signature σ.sub.i of the message msg, the latter being constituted by the following five elements: (w, w′, c.sub.1, T.sub.i, VEPΠ′.sub.i). It comprises the trace T.sub.i which traces all the signatures sent by the voter entity V.sub.i.

[0218] FIG. 9 illustrates the principal steps of a verification method of an anonymous signature according to the invention in the form of a flowchart.

[0219] During a step VK2, the verification device of an anonymous signature obtains an anonymous signature σ.sub.i=(w, w′, c.sub.1, Ti, VEPΠ′.sub.i).

[0220] During a step VK4, it considers that the anonymous signature σ.sub.i of message msg is valid if:

[0221] w≠1.sub.G.sub.1

[0222] Ti≠1.sub.G.sub.1;

[0223] VEPΠ′.sub.i is valid; and

[0224] e(w, {tilde over (X)}.sub.0).Math.e(c.sub.1,{tilde over (X)}.sub.1)=e (w′, {tilde over (h)}).

[0225] In the form of a flowchart FIG. 10 illustrates the principal steps of a method for lifting anonymity of the valid signature σ.sub.i=(w, w′,c.sub.1, T.sub.i, Π′.sub.i) of a message msg according to this second embodiment of the invention. This method is executed by the registration entity custom-character and the organising entity .

[0226] During a step VZ2, each of these entities custom-character and obtains the signature σ.sub.i.

[0227] During a step VZ4, the entities custom-character and successively calculate, with T.sub.0=T.sub.i. [0228] calculates and proves () that the discrete logarithm of T.sub.1 in the base T.sub.i is equal to the discrete logarithm of X.sub.1 in the base P.sub.1. [0229] calculates and proves (VAPΠ.sup.2) that the discrete logarithm of T.sub.2 in the base T.sub.1 is equal to the discrete logarithm of P.sub.1 in the base P.sub.2.

[0230] If all the proofs produced by the revocation authorities are valid,

custom-character

[0231] In this embodiment, during a step VZ6, the organising entity custom-character transmits the proof VOPΠ.sup.1 to the registration entity .

[0232] During a step VZ8, the registration entity custom-character retrieves in its register REG the entry corresponding to C′.sub.i: {C.sub.i, C′.sub.i, x′, PΠ.sub.i, ID.sub.i, PK.sub.i, Sig.sub.V.sub.i}.

[0233] During a step VZ10, the registration entity custom-character returns the identifier ID.sub.v.sub.i, the proofs and and C.sub.i, C′.sub.i, x′, PK.sub.i and Sig.sub.V.sub.i. If all the proofs are valid, if C′.sub.i=C.sub.i.Math.X.sub.1.sup.x′ and if the signature Sig.sub.V.sub.i is valid then the registration entity considers that the voter entity V.sub.i including the identifier is ID.sub.v.sub.i is the real author of the signature σ.sub.i of the message msg.

[0234] In the embodiment described here, the administration entity ε custom-character , the revocation entities .sub.j, the organising entity , the registration entity , the verification device DV the member or voter entities .sub.1 have the hardware architecture of a computer ORD such as shown schematically in FIG. 11.

[0235] The computer ORD comprises especially a processor 7, a dead memory 8, a live memory 9, a non-volatile memory 10 and communication means COM. These communication means COM allow the different entities to communicate with each other especially. They can comprise one or more communication interfaces on one or more telecommunications networks (fixed or mobile, wired or wireless, etc.).

[0236] The dead memory 8 of the computer ORD constitutes a recording medium according to the invention, readable by the processor and on which a computer program according to the invention is registered, designated generally here by PROG, comprising instructions for executing one of the methods forming the subject of the invention. Therefore: [0237] for the administration entity ε custom-character , the program PROG is a program PROG1 comprising instructions for executing steps E2 to E12 of a method for generating a key according to the invention, and steps Z8 to Z10 of a method for lifting anonymity according to the invention, [0238] for the revocation entities .sub.j, the program PROG is a program PROG1 comprising instructions for executing steps F2 to F6 of a method for generating a key according to the invention, and steps Z2 to Z6 of a method for lifting anonymity according to the invention, [0239] for the organising entity custom-character , the program PROG is a program PROG2 comprising instructions for executing steps VE2 to VE12 of a method for generating a key according to the invention and steps VZ2 to VZ6 of a method for lifting anonymity according to the invention, [0240] for the registration entity , the program PROG is a program PROG3 comprising instructions for executing steps VE2 to VE12 of a method for generating a key according to the invention and steps VZ2 to VZ10 of a method for lifting anonymity according to the invention, [0241] for the verification device DV, the program PROG is a program PROG4 comprising instructions for executing steps K2 to K4 or VK2 to VK4 of a signature verification method according to the invention, [0242] for the member entities custom-character .sub.i, the program PROG is a program PROG5 comprising instructions for executing steps G2 to G8 or VG2 to VG8 of the method for generating a key according to the invention, steps H2 to H10 or VH2 to VH10 of a signature method according to the invention.

[0243] In the same way each of these programmes defines functional modules of the device or of the module on which it is installed, capable of performing the steps of the relevant method and based on the hardware elements 7-10 of the computer ORD.

Method and system for generating keys for an anonymous signature scheme

Inventors

Cpc classification

Classification Explorer

H04L2209/463

ELECTRICITY

Classification Explorer

H04L9/0861

ELECTRICITY

Classification Explorer

H04L9/3255

ELECTRICITY

Classification Explorer

H04L2209/42

ELECTRICITY

International classification

Classification Explorer

H04L9/32

ELECTRICITY

Classification Explorer

H04L9/08

ELECTRICITY

Abstract

Claims

Description