Method/ sender apparatus and receiver apparatus for modulo operation
The present invention relates to a method, to a sender appa¬ ratus and to a receiver apparatus for modulo operation.
Background
In access control systems, e.g. pay TV systems, square, or more general, d-th roots modulo X are used where X is a com¬ posite number having at least two large prime factors. Typi¬ cally the length of such a number X (denoted |X|) is 64 bytes.
If a sender, e.g. a smart-card, communicates with a receiver only few data are transmitted in order to save time. But this results in an increased number of computation operations in the sender and/or receiver.
Invention
It is one object of the invention to disclose a method for time-reduced modulo operations. This object is reached by the inventive method disclosed in claim 1.
In principle the inventive method consists in secure sending of a number S = D mod X or of a set of numbers S(j) = D(j) mod X, j = l,...,i, from a sender device 28 to a receiver device 27, whereby X is a product of at least two big prime numbers and D is greater than X, comprising the following steps:
- picking a random number A or a set of random numbers A(j) by said sender device;
- calculating in said sender a value E = D+A*X or a set of values E(j) = D(j)+A(j)*X, whereby X is stored in said send¬ er,, or calculating in said sender a set of values E(j) =
D(j)*B, whereby a fixed number B = A*X is stored in said sender;
- transmitting via an interface 10 said value and said val¬ ues, respectively, from said sender to said receiver;
- calculating by said receiver S = E mod X or S(j) = E(j) mod X, whereby the number X is stored in said receiver device.
Advantageous additional embodiments of the inventive method are resulting from the respective dependent claims.
It is a further object of the invention to disclose a sender apparatus which utilizes the inventive method. This object is reached by the inventive apparatus disclosed in claim 6.
In principle the inventive sender apparatus consists in first computation means 25, first memory means 26 which are connected to said first computation means and first data ex¬ change means 24 which are connected to said first computation means, whereby either said first memory means store said modulus X and said first computation means select said random number A or random num¬ bers A(j) and calculate said value E = D+A*X or calculate said set of values E(j) = D(j)+A(j)*X or said first memory means store said fixed number B and said first computation means calculate said set of values E(j) = D(j)+B and whereby said first data exchange means 24 send said value E or said set of values E(j) to said receiver device 27.
Advantageous additional embodiments of the inventive sender apparatus are resulting from the respective dependent claims.
It is a further object of the invention to disclose a receiv¬ er apparatus which utilizes the inventive method. This object is reached by the inventive apparatus disclosed in claim 7.
In principle the inventive receiver apparatus consists in second computation means 22, second memory means 21 which are connected to said second computation means and second data exchange means 23 which are connected to said second computation means, whereby said second memory means store said modulus X and said second computation means calculate the modulo function S = E mod X of said value E or calculate a set of modulo functions S(j) = E(j) mod X of said set of values E(j) .
Advantageous additional embodiments of the inventive receiver apparatus are resulting from the respective dependent claims.
The invention is applicable when a first cryptographic device (sender) communicates with a second cryptographic device (receiver) , especially when the devices use a modulo-based protocol. Thereby the required number of modular operations is reduced or even eliminated. It can be avoided to do modular operations by the first device.
This is particularly advantageous when said first device, e.g. a smart-card, has' a weaker computional power (e.g. less RAM and/or ROM capacity, slower clock rate) than said second device (e.g. a powerful processor acting as a verifier) .
There are such access control systems where all the numbers appearing in the first ("weaker") device have a size n*|X| bytes before modular reduction, where n is a very small inte¬ ger, typically 2 or 3.
There are different variants of the inventive method. First variant:
Let D be a number of length n*|X| bytes.
The sender wishes to communicate S = D mod X to the receiver. For avoiding the modular reduction the sender chooses a ran¬ dom number A, computes E = D+A*X and sends this value E to the receiver. Since A is random the value of D is hidden in E and the receiver can calculate S by: S — E mod X, because
E mod X = D mod X + A*X mod X = D mod X.
Second variantΪ
The sender wishes to communicate a set of i numbers S(j) =
D(j) mod X to the receiver.
Number A is a secret of the sender. The sender keeps in a ROM a pre-calculated constant B, B = A*X.
As before, let D(l) , ... ,D(i) be a set of numbers (all bigger than X) such that the set of values S(j) is to be send to the receiver. Then these D(i) can be hidden by sending to the receiver E(l) = D(l)+B,— ,E(i) = D(i)+B. The receiver will recover S(j) by calculating:
S(j) — E(j) mod X, because
E(j) mod X = D(j) mod X + B mod X = D(j) mod X.
Number i may have a value of 10.
The first and the second variant can be modified. This modi¬ fication fits especially to smart-card applications. It al¬ lows the sender to perform squarings or a multiplication (which result is E) with only |X| RAM bytes.
For doing so the sender computes only the [X| lower bytes of E (denoted Low(E)) and sends them to the receiver. This com¬ putation of Low(E) requires only [X| RAM cells. After the receiver gets Low(E) , the sender can reuse his |X| RAM bytes to compute the |X[ higher bytes of E (denoted High(E)). When the receiver gets High(E) it calculates E = Concatenation (High(E) ,Low(E) ) and continues its calculations as before.
Drawings
Preferred embodiments of the invention will now be described with reference to the accompanying drawings, in which:
Fig. 1 shows an inventive communication protocol between the sender and the receiver; Fig. 2 shows a sender and a receiver.
Preferred embodiments
Fig. 1 shows an interface 10 between a sender, e.g. a weak processor in a smart-card, and a receiver, e.g. a pay TV de¬ coder, which may contain a powerful processor for calculating the modulo function. The microprocessor in the sender prepares a first number D or a first set of numbers D(j) . Then it chooses a random number A and calculates E = D+A*X or it adds value B to each number D(j) and sends E and the set E(j) , respectively, via interface 10 to the receiver side. The receiver calculates S = E mod X or S(j) = E(j) mod X from the received numbers.
Advantageous the final length |E| or |E(j) | of E and E(j), respectively, is less than four times the length |x| of X.
In Fig. 2 a receiver device 27 and a sender device 28 are depicted. The sender device contains a first microprocessor 25, first memory means 26 which are connected to microproces¬ sor 25 and a first connector 24 for data exchange with re¬ ceiver device 27.
The receiver device 27 contains a second microprocessor 22, second memory means 21 which are connected to microprocessor 22 and a second connector 23 for data exchange with sender device 28.
First connector 24 and second connector 23 represent the in¬ terface 10 in Fig. 1. The first memory means 26 store inter¬ mediate calculation results and/or values X and/or B or
Lo (E)/High(E) . First microprocessor 25 computes data as shown in the left side of Fig. 1.
The second memory means 21 store value X and/or intermediate results. Second microprocessor 22 computes data as shown in the right side of Fig. 1.
The invention can be used for identification (VideoCrypt or EuroCrypt Pay TV system) and/or digital signature (credit cards) and/or encryption, especially together with one or more of the following systems for getting in the receiver modulo calculated results without respective modulo calcula¬ tion in the sender i
- Fiat-Shamir;
- Feige-Fiat-Shamir;
- Quisquater-Guillou;
- Fischer-Micali-Rackoff;
Naccache (EP-A-91400111, EP-A-91400301) ;
RSA;
Rabin.
These systems are published according to the following list:
- Fiat-Shamir, "How to prove yourself: Practical solutions to identification and signature problems", A.Odlyzko editor, Advances in Cryptology, Proc. of Crypto '86, August 11 - 15, (Lecture Notes in Computer Science 263) , pp. 186 - 194, Springer Verlag, 1987, Santa Barbara, California, USA
- Feige-Fiat-Shamir, "Zero knowledge proofs of identity", Journal of Cryptology, 1(2), pp. 77 - 94, 1988
- Quisquater-Guillou, "A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmis¬ sion and memory", C.G. Gϋnther editor, Advances in Cryptology, Proc. of Crypto '88, August 16 - 20, (Lecture Notes in Computer Science 330), pp. 123 - 128, Springer Verlag, 1988, Santa Barbara, California, USA
- Fischer-Micali-Rackoff, Unedited papers mentioned in the bibliography of Fiat-Shamir
- RSA: Rivest-Shamir-Adeleman, "A method of obtaining Digital Signatures and Public-key Cryptosystems", CACM, pp. 120 - 126, Vol. 21, No. 2, Feb. 1978
- Rabin, "Digitalized Signatures", Foundations of secure Com¬ putations, R.A. DeMillo et al. editors, Academic Press, pp. 155 - 166, London, 1987