Method for generating an electronic signature of a document associated with a condensate

Abstract

The present invention relates to a method for generating an electronic signature of a document associated with a condensate obtained by a given hash function comprising performing by data-processing means (11b) of a server (10b) of steps of: (a) Receiving said condensate and a zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document; (b) Verifying that said zero-knowledge proof is valid; (c) Generating an electronic signature of the document from said condensate.

Claims

1. A method for generating an electronic signature of a document associated with a condensate obtained by a given hash function comprising performing by data-processing means of a server of steps of: (a) Receiving said condensate and a zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document, wherein said zero-knowledge proof guarantees that given the condensate H received, the equipment having generated the proof has a document M such that h(M)=H where h is the given hash function, and said given hash function is a cryptographic hash function iterating a compression function; (b) Verifying that said zero-knowledge proof is valid; (c) Generating an electronic signature of the document from said condensate.

2. The method according to claim 1, wherein step (c) comprises application to the condensate of a function parameterized by a private key of an emitter of the document.

3. The method according to claim 1, wherein the zero-knowledge proof is a cryptographic object of zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) type.

4. The method according to claim 1, wherein said compression function uses the Merkle-Damgrd principle.

5. The method according to claim 4, wherein said given hash function is selected from the functions of the SHA-1 or SHA-2 families.

6. The method according to claim 4, wherein said zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document is a zero-knowledge proof of the fact that the equipment has a pre-image such that said condensate is indeed the result of application of an iteration of the compression function to said pre-image.

7. The method according to claim 1, comprising a prior step (a0) of generation, by data-processing means of equipment having said document, of said zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document.

8. The method according to claim 7, wherein step (a0) further comprises prior generation of said condensate by application of said given hash function to said document.

9. The method according to claim 7, wherein step (c) comprises transmission of the generated electronic signature to said data-processing means of the equipment.

10. The method according to claim 9, comprising a subsequent step (d) of association by the data-processing means of the equipment of the electronic signature with the document so as to form the signed document.

11. The method according to claim 7, in step (a0) comprises prior receipt by the processing means of the equipment of a nonce, and generation of a condensate of a concatenation of the document and of the nonce completed by a padding block.

12. The method according to claim 11, wherein step (a) comprises receipt of the nonce completed by a padding block, and of said condensate of a concatenation of the document and of the nonce completed by the padding block.

13. The method according to claim 6 wherein step (a) comprises receipt of the nonce complete by a padding block, and of said condensate of a concatenation of the document and of the nonce completed by the padding block; and wherein said zero-knowledge proof of the fact that the equipment has a pre-image such that said condensate is indeed the result of application of at least one iteration of the compression function to said pre-image, is a zero-knowledge proof of the fact that the condensate of the document and the condensate of the concatenation of the document and of the nonce completed by the padding block are related by a given relation.

14. The method according to claim 13, wherein said given relation between the condensate of the document and the condensate of the concatenation of the document and of the nonce completed by the padding block is selected from a plurality of predetermined relations, step (b) comprising the determination of said relation as a function of the value received of the nonce completed by the padding block, and the verification of the proof as a consequence.

15. The method according to claim 14, wherein step (a0) comprises the determination of the padding block completing the nonce and the choice of said given relation between the condensate of the document and the condensate of the concatenation of the document and of the nonce completed by the padding block, as a function of lengths of said document and/or of the nonce.

16. A non-transitory computer program product comprising code instructions which when executed by a computer, generate an electronic signature of a document associated with a condensate obtained by a given hash function, said code instructions when executed: (a) receive said condensate and a zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document, wherein said zero-knowledge proof guarantees that given the condensate H received, the equipment having generated the proof has a document M such that h(M)=H where h is the given has function, and said given hash function is a cryptographic hash function iterating a compression function; (b) verify that said zero-knowledge proof is valid; (c) generate an electronic signature of the document from said condensate.

17. Non-transitory storage means readable by computer equipment on which a computer program product is stored, said computer program product comprising code instructions which when executed by a computer, generate an electronic signature of a document associated with a condensate obtained by a given hash function, said code instructions when executed: (a) receive said condensate and a zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document, wherein said zero-knowledge proof guarantees that given the condensate H received, the equipment having generated the proof has a document M such that h(M)=H where h is the given has function, and said given hash function is a cryptographic hash function iterating a compression function; (b) verify that said zero-knowledge proof is valid; (c) generate an electronic signature of the document from said condensate.

Description

PRESENTATION OF THE FIGURES

(1) Other features and advantages of the present invention will become apparent on reading the following description of a preferred embodiment. This description is given with reference to appended drawings, in which:

(2) FIG. 1 is a diagram of architecture for performing the methods according to the invention;

(3) FIG. 2 illustrates the Merkle-Damgard principle.

DETAILED DESCRIPTION

(4) Architecture

(5) With reference to FIG. 1, a method is proposed for generating an electronic signature of a document performed within architecture such as shown. The document is associated with a condensate obtained by a given hash function.

(6) As explained, a hash function inputs a message of arbitrary size (the original document) and produces a condensate of fixed size associated with this message. Here, said given hash function is advantageously a function known as cryptographic, i.e., with additional properties: the condensate is statistically well distributed throughout all arrival values, and it is impossible in a reasonable time to find two messages which have the same condensate (resistance to collisions) and a message which has attained this value cannot be found from the condensate (resistance to pre-image computation).

(7) The hash functions constructed by using the Merkle-Damgard principle (to be specified later), i.e., iterating a so-called compression function, are examples of cryptographic hash functions which are advantageously selected for the present method. The example will be taken of functions of the SHA (Secure Hash Algorithm) family, standardized by the NIST (National Institute of Standards and Technology), in particular the SHA-1 or SHA-2 (especially SHA-256) sub-families.

(8) The present method is indeed a method for generating an electronic signature of a document, and not for signing a document. This means that it produces only the electronic signature of the document and not yet the signed document, i.e. the association of the original document and of the signature, generally in any container.

(9) Electronic signature of a document means the classic definition of this term, specifically a cryptographic primitive for identifying the signatory and ensuring that the document has not been altered from the time when the signature was produced and is definitely the original document (throughout the present description, the document from which the condensate comes will be designated as original). This cryptographic object generally consists of a cypher of the condensate of the document by way of an asymmetrical encryption function: the signatory uses a private key, and everyone can verify the signature by way of a public key (by comparing the condensate contained in the signature and a recomputed condensate).

(10) More precisely, the standards of signatures such as the standard PKCS #1 v2.2 involve signing a summary of fixed size of the document, this summary being obtained from the condensate and padding to produce a predetermined size. It is clear that the data which complete the condense of the document do not depend on the document itself.

(11) In general, it will be considered throughout the present description that the electronic signature is made from the condensate by using a function known to the skilled person, and in a preferred embodiment that the electronic signature is made by modifying the condensate hardly reversibly, by applying a function parameterized by the private key of the signatory (this type of function is called trap function). It should also be noted that according to algorithms of signatures used, the condensate can be completed with padding and masking (to make the signature non-determinist). The skilled person could generate the signature from the condensate by using techniques of his choice.

(12) The present method is essentially implemented via a server 10b of a SSP, equipped with data-processing means 11b (one or more processors). The server 10b can further comprise data-storage means 12 (a memory) for storing the various cryptographic objects involved.

(13) The server 10b can be connected in particular via a network 2 such as the internet to equipment 10a providing said document for which the signature is generated (but transmitting only its condensate as will become evident). The equipment 10a is typically a workstation of a document issuing body, i.e. the signatory (client of the SSP).

(14) The equipment 10a can itself be connected to other third-party servers 10c to which it could transmit the signed document once the server 10b will have sent it the generated electronic signature.

(15) Method for Generating Signature

(16) The present method for generating electronic signature is performed by the data-processing means 11b of the server 10b from an imprint of said document for which the signature is wanted.

(17) More precisely, the server 10b will receive (from the equipment 10a) the condensate of the original document, but not the document itself which can stay confidential.

(18) However, the present method enables execution of signature operations on a condensate with strong guarantee on the fact that this condensate is related to a document validly possessed by the client, in other words enables signing a confidential original document without having direct access to this document.

(19) For this, a cryptographic protocol is used, generating proof that the condensate which is at the origin of the signature is well related to a document, this proof revealing nothing more than the fact that the original document is possessed by the producer of the proof.

(20) The Pinocchio protocol presented in the publication: Bryan Parno, Craig Gentry, Jon Howell and Mariana Raykova, Pinocchio: Nearly Practical Verifiable Computation, in Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 21 May 2013 was one of the first verifiable computing protocols allowing the performer to compute the application of any function in verifiable manner and the order-giver to verify the associated proof in a computing time shorter than the time needed to perform the computation itself.

(21) In a first step (a), the data-processing means 11b of the SSP server 10b (not having the original document and playing the role of verifier) receive said condensate and a zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said original document.

(22) This step is preferably preceded by a prior step (a0) of generation, by the data-processing means 11a of the equipment 10a of the client (having said original document, and playing the role of prover), of said zero-knowledge proof of the fact that said condensate is indeed the result of application of said given hash function to said document.

(23) More precisely, said zero-knowledge proof guarantees the following affirmation: given the condensate of an original document received, the equipment 10a has a document whereof the condensate corresponds to that provided.

(24) This step (a0) further preferably comprises prior generation of said condensate by application of said given hash function to said document (as explained typically of the SHA-1 or SHA-2 families, in particular SHA-256).

(25) Therefore, the condensate can be related to the original document but it is not possible to obtain information on the content of the original document. The cryptographic protocol gives proof that is rapid to verify (less than half a second) and that cannot be falsified: it is near-impossible (probability lower than .sup.80, even lower than .sup.128 depending on the parameters chosen to perform proof, which may then be slower to produce) to obtain acceptance of proof of the above assertion if the process did not take place in accordance with specified procedure.

(26) When performing proof, the prover uses the possibility of producing zero-knowledge proof to hide the original document. Therefore, the proof does not give any information on the document itself, other than that the condensate provided is related to this document.

(27) In all cases, in a step (b) the data-processing means 11b of the server 10b verify that said zero-knowledge proof is valid, and if this is the case they generate the electronic signature of the document from said condensate in a step (c). As explained, generation of the signature of step (c) consists typically of application to the condensate of a function parameterized by a private key of an emitter of the document, if needed completed with other elements (padding and masking).

(28) Verification of such proof at step (b) is not interactive (the verifier, i.e. the SSP has no need to contact the prover, i.e. the client) and is done simply in constant time by verifying that the proof is valid, demonstrating (at slight probability) to the server 10b that the alleged property is true, i.e. that the client has a valid document having the received condensate for condensate. It is suggested that the condensate sent to him is licit, despite the absence of the original document.

(29) So once the proof is verified, the condensate alone is considered sufficient for a signature to be generated without risk of usurpation.

(30) By way of the proof (which will be referred to again in more detail hereinbelow), confidentiality can be total (since generation of proof needs no communication between the client and the SSP) without SSP taking a risk since the proof guarantees that the client does have the original message.

(31) The proof is short (very shortof the order of 300 octetsin preferred embodiments to be described below), and transmitting it with the condensate of the document poses no problem in bandwidth. Also, verification of this proof is rapid (in constant time, a few tens of thousandths of seconds), which does not increase the computational load at the data-processing means of the SSP server 10b. Generation of the proof as such is more involved in terms of computation time, but as step (a0) is performed on the equipment 10a side, this additional computation time is the responsibility of the client who so to speak takes responsibility for the extra cost related to the need that the document remains confidential.

(32) Therefore, the present method is optimal both for the client and for the provider of the signature.

(33) Furthermore, step (c) can comprise the transmission of the generated electronic signature to said data-processing means 11a of the equipment 10a (in response to step (a) which constitutes a request for signature), so that a subsequent step (d) for association by the data-processing means 11a of the equipment 10a of the electronic signature with the document can be conducted to form the signed document. The equipment 10a can legally invoke this electronic signature among other entities (servers 10c).

(34) Generation of Proof

(35) Preferably, said zero-knowledge proof is a cryptographic object of zkSNARK type.

(36) zkSNARK stands for: zero-knowledge Succinct Non Interactive ARgument of Knowledge. It is a cryptographic primitive constructed around the notion of proof. Researchers in theoretical computing and cryptography have long turned their attention to the notion of proof. There exist theoretical results with which it is possible to produce very short, secure proof of an algorithm, but the time needed to perform this proof is out of reach and will remain so despite increases in computing power. One of the reasons is related to the power given to the entity performing the proof: the prover. In theoretical results on proofs, the prover has infinite computing power and, in spite of this, proofs remain secure.

(37) The notion of proof was then relaxed, the protocol only seeking protection from a prover having extensive but limited computing power. The result of the protocol is no longer proof but an argument. It is on the basis of this notion of argument that practical, verifiable computing systems have been constructed. One additional requirement in a system producing an argument is that this argument should be non-interactive: the verifier and the prover do not need to interact to produce the argument.

(38) Since 2010, achievements of zkSNARKs have been presented: these are arguments of short size (a few elements of an elliptical curve), which do not require interactivity and which in addition enable the prover to perform zero-knowledge proof i.e. the proof does not contain any nontrivial information on the inputs provided by the prover.

(39) There are several protocols which effectively perform zkSNARKs, and persons skilled in the art are able to use these indifferently in the present method: The Pinocchio protocol already mentioned; The Gepetto protocol, presented in the publication: Craig Costello, Cedric Fournet, Jon Howell, Markulf Kohlweiss, Benjamin Kreuter, Michael Naehrig, Bryan Parno, and Samee Zahur, Geppetto: Versatile Verifiable Computation, in Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 18 May 2015, which is an improvement on Pinocchio The protocol presented in the publication et seq.: Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, Madars Virza. SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. In Proceedings of the 33rd Annual International Cryptology Conference, CRYPTO '13, pages 90-108, 2013, implemented in open-source in the form of a library called libsnark, optimising the protocol producing a zkSNARK in Pinocchio by improving the expressivity thereof i.e. the type of program or algorithm it is possible to verify.

(40) To take the example of the Pinocchio protocol, this protocol comprises several parts:

(41) 1. A conventional program is translated into the form of an arithmetic circuit i.e. a set of relations between the inputs and outputs of the program, translated solely using additions and multiplications of elements of a finite body. It is to be noted that all programs, in theory, may be translated into this form, but only one part of these programs allows efficient translation into circuit form.

(42) 2. The arithmetic circuit obtained is efficiently represented by means of three families of polynomials to which an additional polynomial is added called a target polynomial. These families of polynomials form Quadratic Arithmetic Programs (QAPs). They encode the relations between the inputs and outputs of each multiplication gate of the circuit, the relations of the addition gates being integrated in the first following multiplication gate of the computation.

(43) These QAPs are related to the verifiable computation by the following point: a computation y=C(x) is correct for an input x if and only if all the relations describing the corresponding arithmetic circuit are satisfied by fixing x as input value and y as output value.

(44) In a sense, QAPs allow the compression of all the constraints to be verified into a single relation to be verified: a polynomial constructed from value x and the three QAP families must divide the target polynomial.

(45) 3. A cryptographic protocol therefore takes a QAP as input that is associated with a program, generates evaluation and verification keys which use elliptical curves to hide the polynomial relations. The polynomial proving that computation has been correctly performed is then computed directly using the relations hidden in the elliptical curve. The relation of divisibility is translated solely by means of a constant number of elements in the elliptical curve i.e. the proof is of constant size. Verification of this proof is extremely quick.

(46) Additionally, the protocol makes it possible for some computational inputs provided by the prover to be private: it allows hiding of the values of the prover in performance of the proof, by multiplication thereof by a multiple of the target polynomial, which does not modify the fact that the proof polynomial is divisible by the target polynomial.

(47) This proof polynomial, when hidden in an elliptical curve, consists of a zkSNARK.

(48) The Pinocchio protocol lets anyone producing proof to hide some of the inputs of the computation whereof it offers proof. In the present case, the following computation has to be made:

(49) Input: length of the document M, initialization vector IV

(50) Private input: the document M the condensate h(M) of which is to be computed,

(51) Output: h(M) and proof that the prover knows a document M which hashes into h(M).

(52) It should be noted that there are known protocols provided for generating proof of correct execution of a hash function, which the skilled person could use directly even if they are not optimal. The difficulty is to attain a reasonable computation time for creating the proof and sizes of evaluation keys and verification which are not too consistent. the Zerocash protocol (IEEE Security & Privacy 2014) of Ben-Sasson et al. proposes the definition of an arithmetic circuit for verifying the compression function of SHA-256 which comprises around 30,000 multiplication gates. This gives an execution time of proof of around 5 seconds (per compression level, verifying the entire hash function which comprises many iterations of the compression function will be clearly longer), which stays high and extensively improvable; the ZKBoo protocol, presented in the publication ZKBoo: faster zero-knowledge for Boolean circuits by Giacomelli, Madsen and Orlandi (Usenix Security 2016) enables better performances (proof in 50 ms, verification in 70 ms) by iteration of the compression function, but the size of the proof is consequent (800 Ko) even more since it seems to have been measured only on application of the compression function.

Preferred Embodiment

(53) As explained, the major drawback to the Pinocchio method and its known derivatives is needing a considerable computing power on the side of the operator (the data-processing means 11a of the equipment 10a of the client). The production cost of the proof of a computation by this protocol is higher by several orders of magnitude than that of the computation itself.

(54) In practice, it is noted that the SHA-256 function (and more precisely its compression function) comprises many bitwise operations which are poorly adapted to the representation of computations used in the Pinocchio protocol. A first solution for accelerating generation of proof is to change hash function, for example by using hash functions based on subset sums, also called of arithmetic type, since the arithmetic circuit representing the function has fewer multiplication gates. Examples are described in the publication: O. Goldreich, S. Goldwasser and S. Halevi. Collision-free hashing from lattice problems. Technical report, 1996.

(55) These functions were used in zkSNARKs and described in the publication E. Ben-Sasson, A. Chiesa, E. Tromer and M. Virza. Scalable Zero-Knowledge via Cycles of Elliptic Curves. CRYPTO 2014.

(56) Yet, the functions of the SHA family are those used most often (as they are standardized), and above all they produce a condensate which will be used to produce the standard signature, once the protocol has ended; this is why it is preferable to have an algorithm which uses it despite poor adaptation to the representation of computations used in the Pinocchio protocol.

(57) In a preferred embodiment the present method dispenses with these difficulties by enabling, as will become evident, digital proof of constant small size (of the order of 300 octets, or several thousand times fewer than for known protocols) to be generated in a few thousandths of seconds, and without revealing anything on the original document, by using properties of the cryptographic hash functions iterating a compression function as per the Merkle-Damgrd principle.

(58) In reference to FIG. 2, it can be noted that for documents of arbitrary size to be processed, the Merkle-Damgard principle used by the preferred hash functions such as SHA-1 or SHA-2 consists of defining the compression function h mentioned prior to inputting a message m.sub.i and a chaining variable of fixed size t.sub.i1 (with t.sub.0=IV the initialization vector) and whereof the result is a message t.sub.i of lesser size than the initial message. This function h is called compression function as it takes an input of M bit and produces at its output a sequence of N bits with N strictly less than M. In the case of SHA-256 for example the input has a size of 512 bits (i.e. the message is processed block by block of 512-bit size) and the compression function produces a value of 256-bit size.

(59) Next, the compression function is applied recursively to each block of the message until all possible blocks have been exhausted and finally obtains t.sub.n=H(m)=h(h( . . . h(IV, m.sub.1), m.sub.2), . . . , m.sub.n). This principle therefore extends computation of a condensate to any message of any size (less than 2.sup.641 for SHA-256).

(60) It should be noted that to hedge against certain attacks, the last block of message m.sub.n is completed by a padding block PB, such that the input of the last occurrence of h is m.sub.nPB. In the case of SHA-256, this block is variable in size but at least equal to 65 bits. It comprises a field announcing the size of the message in bits and means of knowing when this block is finished.

(61) A solution for substantially limiting the generation time of the proof and its size when the hash function applies the Merkle-Damgard principle is to use proof of knowledge of a pre-image of the compression function (in other words the internal state after already several iterations of the function h, in practice one of the values t.sub.i, i[[1; n1]], more specifically the final value t.sub.n1) rather than necessarily the original document, this proof also showing possession of the document, provided the hash function does have the cryptographic properties expected of it, such as resistance to pre-image computation or statistically well distributed distribution in all possible values. More precisely, instead of proving that he knows {m.sub.1, m.sub.2, . . . m.sub.n}, the prover can merely prove that he knows the value t.sub.n1, as it verifies (with the last message block m.sub.n) that the result obtained by applying a single iteration of the compression function h is equal to the value of the condensate sent to the verifier.

(62) In fact, it can be shown that the affirmations given the condensate of an original document received, the equipment 10a has a document whereof the condensate corresponds to that provided and given the condensate of an original document received, the equipment 10a has a pre-image of the compression function of said hash function whereof the result (application of an iteration of the compression function to said pre-image) corresponds to the condensate provided are substantially equivalent (both propositions have the same computational difficulty).

(63) For this, a challenge-response mechanism is astutely used. More precisely, studying in more detail the construction of the hash functions based on the Merkle-Damgard diagram allows producing the proof while needing less computation. For a nonce (i.e. an arbitrary number, i.e., a number used once, which plays the role of challenge), when expressing the value of H(m) and H(m) by means of the compression function, it becomes apparent that there are quantities common to both expressions. It suffices to prove that the quantities H(m) and H(m) are related to prove that the client has knowledge of a pre-image of the hash function and therefore of the original document.

(64) In most existing protocols of computation verifiable in practical terms, the programs to be verified must not use a control structure which depends on data. This is problematic in this situation since the program computing the condensate of the message must apply the compression function as many times as there are blocks in the document.

(65) In the proof to be produced, the compression function has to be applied a few times, between two and four times according to the size of the last block of the message. But this too is a case where the program producing the proof comprises instructions which are not fixed before the document is known.

(66) To circumvent this, the idea is to modify the length of the nonce r by means of padding (the result is .sub.pad which is as will become evident included in the response to the challenge) and produce three proof systems which correspond to the three possible cases listed in Table 1 below.

(67) TABLE-US-00001 TABLE 1 Relation between H (m) and H (m || ) as per the size of m Case n.sup.o 1 Case n.sup.o 2 Case n.sup.o 3 l := len(m.sub.n) l 447 447 < l < 512 l = 512 H(m) h(t.sub.n1, m.sub.n || PB.sub.1) h(h(t.sub.n1, m.sub.n || PB.sub.1), PB.sub.2) h(t.sub.n, PB.sub.1) .sub.pad .sub.pad := 00 . . . 0 || .sub.pad := PB.sub.1 || .sub.pad := with m.sub.n || .sub.pad {0, 1}.sup.512 H (m || .sub.pad) h(h(t.sub.n1, m.sub.n || .sub.pad), PB.sub.2) h(h(t.sub.n1, m.sub.n || PB.sub.1), || PB.sub.3) h(t.sub.n, .sub.pad || PB.sub.2)

(68) These three cases, based on the example of SHA-256, are related to the requirement that the padding block is of variable size but at least equal to 65 bits if the final block m.sub.n has a length greater than 447 bits (i.e. 512-65) but greater than 512 bits, then the padding block PB should have between 1 and 64 bits, which is not possible. It is then divided into PB.sub.1 and PB.sub.2 (i.e. PB=PB.sub.1PB.sub.2), PB.sub.1 completing m.sub.n and PB.sub.2 being a complete block of 512 bits compressed in an additional occurrence of h.

(69) Therefore, referring again to the nonce r, for example in the simple case where the document has a length which is a multiple of 512 bit (the last block therefore has a length of 512 bit), the expressions in Table 1 indicate that the client must prove that he knows a value a (which corresponds to t.sub.n) such that: H(m)=h(a, PB.sub.1) and H(m)=h(a, PB.sub.2), with PB.sub.1 a length of 512 bit and PB.sub.2 the length for completing at 512 bits (which is possible if is short, for example 64 bit). The client produces the zero-knowledge proof by hiding the value t.sub.n to the signatory.

(70) Step (a0) advantageously comprises prior receipt by the processing means 11a of the equipment 10a of a nonce (the challenge, preferably by a predetermined length such as 64 bit), and generation of a condensate of a concatenation of the document and of the nonce completed by a padding block .sub.pad to be called auxiliary condensate out of convenience in the present description (the condensate of the original document will be called per se the main condensate). The idea therefore is to modify the length of the nonce by means of padding and produce three proof systems which correspond to the three possible cases listed in Table 1.

(71) More precisely:

(72) In case 1, is generated by the data-processing means 11a of the equipment 10a a zero-knowledge proof of the fact that
x{0,1}.sup.256,a,b{0,1}.sup.512,H(m)=h(x,a)H(m.sub.pad)=h(x,b) In case 2, is generated by the data-processing means 11a of the equipment 10a a zero-knowledge proof of the fact that
x{0,1}.sup.256,a,b,c{0,1}.sup.512,H(m)=h(x,a)H(m.sub.pad)=h(h(x,b),c) In case 3, is generated by the data-processing means 11a of the equipment 10a a zero-knowledge proof of the fact that
x{0,1}.sup.256,a,b,c{0,1}.sup.512,H(m)=h(h(x,a),b)H(m.sub.pad)=h(h(x,a),c)

(73) Even if this table is designed for SHA-256, the skilled person can adapt it for other hash functions constructed with the Merkle-Damgard principle and determine adequate proofs to be generated.

(74) Step (a) then comprises receipt (by the processing means 11b of the server 10b) of said auxiliary condensate H(m.sub.pad) (with the proof and the main condensate H(m)), and said nonce completed by a padding block .sub.pad. In other words, the client transmits .sub.pad and the signatory selects one of the three proof systems as a function of .sub.pad: if .sub.pad is 64 bits long this is in case number 3, if not its bit farthest the left starts with 0 in case number 1 and by 1 in case number 2. The data-processing means 11b of the server 10b then know which proposition to verify at step (b).

Summary of the Preferred Embodiment

(75) In this particularly preferred embodiment, the method for generating an electronic signature of a document m associated with a condensate H(m) obtained by a cryptographic hash function H iterating a compression function h as per the Merkle-Damgard principle, comprises the following steps: (a0) By the processing means 11a of the equipment 10a: Receipt of a nonce (challenge r) generated and sent by the server 10b; Generation of the nonce completed by a padding block (response .sub.pad), said padding block being advantageously determined as a function of lengths of the nonce r and above all of said document m (preferably according to three diagrams according to the length of the document); generation of said condensate (main condensate H(m)) by application of said given hash function H to said document m; generation of a condensate of a concatenation m.sub.pad of the document and of the nonce completed by the padding block (auxiliary condensate H(m.sub.pad)) by application of the same given hash function (to said document to which the nonce completed by the padding block is concatenated); generation of a zero-knowledge proof of the fact that said (main) condensate is the result of application of said given hash function to said document; said proof being more precisely a zero-knowledge proof of the fact that the equipment 10a has a pre-image x such that said condensate H(m) is the result of application of at least one iteration (in particular one or two) of the compression function h to said pre-image x; said proof more precisely being a zero-knowledge proof of the fact that the (main) condensate H(m) and the (auxiliary) condensate of the concatenation of the document and of the nonce completed by the padding block H(m.sub.pad) are related by a given relation (referring to iterations of the compression function h); said given relation between the condensate H(m) of the document and the condensate H(m.sub.pad) of the concatenation of the document and of the nonce completed by the padding block being preferably determined as a function of the length of said document H(m). In the example of SHA-256, as a function of this length there are three cases according to which the relation is: a,b,c{0,1}.sup.512 such that
either H(m)=h(x,a)H(m.sub.pad)=h(x,b);
or H(m)=h(x,a)H(m.sub.pad)=h(h(x,b),c);
or H(m)=h(h(x,a),b)H(m.sub.pad)=h(h(x,a),c); where x is as explained the pre-image (length of 256 bit) the knowledge of which is proven; return to the server 10b of the (main) condensate H(m), of the (auxiliary) condensate H(m.sub.pad) of the concatenation of the document and of the nonce completed by the padding block, of the nonce completed by the padding block .sub.pad, and of the proof; (a) Receipt of these elements by the processing means 11b of the server 10b; (b) determination by the processing means 11b of the server 10b of said relation proven by the proof as a function of the value received from the nonce completed by the padding block .sub.pad, and verification that said zero-knowledge proof is valid as a consequence (knowing the relation); (c) generation of an electronic signature of the document from said (main) condensate H(m), if the proof has indeed been verified and validated, and if needed return to the equipment 10a of the signature such that it produces the signed document, i.e. the original document with its attached signature.
Computer Program Product

(76) In a second and a third aspects, the invention relates to a computer program product comprising code instructions to execute (in particular on the data-processing means 11a, 11b of the equipment 10a and/or of the server 10b) a method, according to the first aspect of the invention, for generating an electronic signature of a document associated with a condensate, as well as storage means readable by a computer equipment (a memory of the equipment 10a or of the second server 10b) containing this computer program product.