Publication number: EP0731941 A1
Publication type: Application
Application number: EP19950904152
PCT number: PCT/US1994/013645
Publication date: 18 Sep 1996
Filing date: 29 Nov 1994
Priority date: 29 Nov 1993
Also published as: EP0731941A4, WO1995014968A1
Inventors: Benjamin Arazi, Carmi David Gressel
Applicant: FORTRESS U&T Ltd.
Data verification system and method
EP 0731941 A1 (text from WO1995014968A1) 
Abstract  
A system and method of verifying data (D) sent by a card having a private key (S) and identification number (ID). The method is independent of a challenge received from the interrogating terminal and the challenge input to the system public transformation (H) is replaced by data input. The input (ID) is transformed by system private transformation (T), by the verifying terminal, yielding a private key (S). The system public transformation (H) is executed on the data (D) and the private key (S) to result in a verification value (G). The verifying terminal then executes a reference transformation (TH) using the data (D) and the identification number (ID) which results in a reference value (G'). The value (G') obtained by the verifying terminal equals the value (G) if (ID) and (D) were genuinely submitted by the card that possesses (S) associated with (ID).
Claims  (OCR text may contain errors)
1. A system for verifying authenticity of a message transmitted by a message transmitting facility, the message transmitting facility being operative to store an ID (identification number) and a private key S, and including a first signature key generator operative to generate a first signature key by combining a challenge, the private key, and the message, the system comprising: a message transmitting facility interface operative to receive the ID, the message and the first signature key from the message transmitting facility; a second signature key generator operative to generate a second signature key by combining a random number, the ID and the message; a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the message transmitting facility; and a signature key comparator operative to compare said first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.
2. A system according to claim 1 wherein said message transmitting facility comprises an IC-card including a message memory storing the message to be transmitted to the system and to be verified by the system, an identification number memory storing an identification number ID characterizing the card, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which said first signature key generator is realized in the form of a three-input one-way transformer.
3. A system according to any of the preceding claims wherein the challenge generator generates the challenge from the random number and from the identification number ID of the message transmitting facility.
4. A system for verifying authenticity of an ID (identification number) transmitting facility, the ID transmitting facility being operative to store the ID and a private key S, and including a first signature key generator operative to generate a first signature key by combining, a challenge and the private key, the system comprising: an ID transmitting facility interface operative to receive the ID and the first signature key from the ID transmitting facility; a second signature key generator operative to generate a second signature key by combining a random number and the ID; a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the ID transmitting facility; and a signature key comparator operative to compare said first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.
5. A system according to claim 4 wherein said ID transmitting facility comprises an IC-card including an identification number memory storing an identification number ID characterizing the card to be transmitted to the system and to be verified by the system, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which said first signature key generator is realized in the form of a two-input one-way transformer.
6. A system according to any of the preceding claims 4 and 5 wherein the challenge generator generates the challenge from the random number and from the identification number ID of the ID transmitting facility.
7. A system according to claim 1 wherein said second signature key generator comprises: said challenge generator; a private key generator operative to generate the private key by transforming the ID number; and a third signature key generator which is the same as said first signature key generator and operative to receive the challenge, the transformed ID number and the received message.
8. A system according to claim 4 wherein said second signature key generator comprises: said challenge generator; a private key generator operative to generate the private key by transforming the ID number; and a third signature key generator which is the same as said first signature key generator and operative to receive the challenge and the transformed ID number.
9. A system according to any of claims 7 and 8 wherein said challenge generator, said third signature key generator and said private key generator are combined into a single transformer.
10. A system according to any of claims 1-6 wherein each of said challenge generator, said first signature key generator and said second signature key generator comprises an electronic circuit.
11. A system according to any of claims 7-9 wherein each of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator comprises an electronic circuit.
12. A system according to any of claims 1-6 wherein at least one of said challenge generator, said first signature key generator and said second signature key generator comprises an electronic circuit.
13. A system according to any of claims 7-9 wherein at least one of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator comprises an electronic circuit.
14. A system according to claim 9 wherein each of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator comprises an electronic circuit, and wherein said single transformer includes an electronic circuit comprising a logic design combination of the challenge generator, the private key generator and said third signature key generator.
15. A system according to any of claims 1-6 wherein at least one of said challenge generator, said first signature key generator and said second signature key generator are implemented in software.
16. A system according to any of claims 7-9 wherein at least one of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator are implemented in software.
Description  (OCR text may contain errors)

DATA VERIFICATION SYSTEM AND METHOD

The present invention relates to systems for verifying the authenticity of integrated-circuit cards and verifying the authenticity of data sent by integrated-circuit cards.

Identity-based digital signature techniques are well known in the art of information integrity. An example of such a technique is the Fiat-Shamir method [A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", Advances in Cryptology - Crypto '86, Springer-Verlag LNCS 263, pp. 186-194, 1987]. If D is numerical data sent by a user, identity-based digital signature techniques enable that user to generate a numerical value G, such that the recipient of the pair {D;G} can verify that this pair was originated by that user. When generating G, the user has a private key S, known only to him. Let ID denote the numerical value of the identification details of the user. ID is also sent together with the pair {D;G}. To verify that the pair {D;G} was originated by that user, the recipient uses ID as reference information. The knowledge of ID should not enable the recovery of S or the generation of G by any party besides that user. Knowledge of many pairs {D;G} generated by the same user, or even selecting specific messages D, should still not enable generating, on behalf of that user, any new pairs {D;G}.

Besides using ID as reference information, the recipient, who has to establish the authenticity of a received pair {D;G}, needs some other non-secret information which is publicly known and which is associated with an authorized center that controls the entire system. This demand follows from the observation that the privacy of an entire system cannot "lift itself with its own bootstraps", and there must be a trusted supervision.

Let AA denote the authorized center. Any recipient in a network that is controlled by AA, and that will need to verify the authenticity of messages sent by users, is given universal public reference information RA that only AA can generate. Furthermore, AA keeps to itself a certain system private key SA associated with RA. Whereas the form by which RA and SA are realized can be different for different applications, the need for having such values is a constitutional feature.

The case where the users that generate said pairs {D;G} are IC-cards is frequently encountered. Such cards carry an Integrated Circuit which is also responsible for the generation of said pairs. Said recipients, which verify the authenticity of received pairs {D;G}, are corresponding terminals.

The card issuing process comprises the authorized issuing party AA, which issues to each card its ID number and its private key S which is associated with ID, where this association is a system private key, denoted hereinbefore as SA. ID and S are then stored in the card by AA.

The issue of verifying the authenticity of IC-cards has two particularly important aspects:

1) Verifying that the card itself is authentic. That is, making sure that the card was issued by an authorized party.

2) Verifying that data sent by the card is authentic. That is, making sure that data sent by the card is associated with the serial number or other identifying details of the card.

Fig. 1A shows a prior art card [M. Meyerstein, "The Disposable Telephone Card Comes of Age", Smart-Card 94 Conference, London, England] operative to verify the authenticity of data sent by the card. The card comprises three registers which store data D, the ID details of the card, and the private key S of the card. The latter is stored in a secured memory. The card also carries out a highly non-linear one-way transformation H which converts three input values into a single output.

Verifying the authenticity of data D sent by a card is established by asking the card to prove that D and ID are submitted by the card which stores the private key S associated with ID. The value S is never revealed openly, and the proof does not provide any information about S. The card proves that it possesses S by responding to a challenge C generated randomly by the interrogating terminal. Upon receiving C, the card enters C, D and S as inputs to the transformation H. The output G of the transformation H is sent to the interrogating terminal together with ID and D. Based on the received ID and D, the interrogating terminal should be able to generate independently a value G', such that G' equals the received G if the card possesses the genuine S associated with ID. This way, the interrogating terminal is able to verify the authenticity of the data D sent by the card.

Fig. 1B shows a card operative to verify the card's authenticity, which is based on the prior art card shown in Fig. 1A. The card comprises two registers which store the ID details of the card (usually a serial number), and the private key S of the card. The latter is stored in a secured memory, which is unreadable from the outside and submits its contents only to an internal processor. The card also carries out a highly non-linear one-way transformation H which converts two input values into a single output.

Verifying the authenticity of a card is established by asking the card to prove that it stores the private key S associated with ID. The value S is never revealed openly, and the proof does not provide any information about S. The card proves that it possesses S by responding to a challenge C generated randomly by the interrogating terminal. Upon receiving C, the card enters C and S into the transformation H. The output G from the transformation H is sent to the interrogating terminal together with ID. Based on the received ID, the interrogating terminal should be able to generate independently a value G', such that G' equals the received G if the card possesses the genuine S associated with ID. This way, the interrogating terminal is able to verify the authenticity of the card.

Methods for synthesizing and analyzing highly non-linear one-way transformations H are known. The following references exhibit such synthesis and analysis techniques:

- W. Meier and O. Staffelbach, "Nonlinearity criteria for cryptographic functions", Advances in Cryptology - Eurocrypt '89, Springer-Verlag LNCS 434, pp. 549-562, 1990; J.B. Kam and G.I. Davida, "Structured design of substitution-permutation encryption networks", IEEE Trans. on Computers, vol. C-28, pp. 747-753, 1979; A.F. Webster and S.E. Tavares, "On the design of S-Boxes", Advances in Cryptology - CRYPTO '85, Springer-Verlag LNCS 218, pp. 523-534, 1986; S. Lloyd, "Counting functions satisfying a higher order strict avalanche criterion", Advances in Cryptology - Eurocrypt '89, Springer-Verlag LNCS 434, pp. 63-74, 1990; R. Yarlagadda and J.E. Hershey, "Analysis and synthesis of bent sequences", Proc. IEE, Part-E, vol. 136, pp. 112-123, 1989; B. Preneel et al., "Boolean functions satisfying higher order propagation criteria", Advances in Cryptology - Eurocrypt '91, Springer-Verlag LNCS 547, pp. 141-152, 1991; J. Pieprzyk and G. Finkelstein, "Towards effective non-linear cryptosystem design", Proc. IEE, Part-E, vol. 135, pp. 325-335, 1988.

A major issue, which is related to both IC-card authenticity verification and the verification of the authenticity of data sent by the card, concerns the obvious question: how does the interrogating terminal have the knowledge to generate the described G', based on the information it receives from the card? One approach is to have an on-line communication with a secured center. There S is recovered and the same operation which was performed in the card is also performed in the secured center, enabling the generation of G' which is sent back to the interrogating terminal and compared to G in the interrogating terminal. The need for an on-line communication with the authorized center is a major drawback of this method.

Another approach for generating G' concerns off-line operations. Here, the interrogating terminal itself should be able to generate G' from the information it received from the card, without any secret stored in the interrogating terminal.

Techniques relevant to this patent are discussed in: W. Diffie and M.E. Hellman, "Multiuser Cryptographic Techniques", National Computer Conference, pp. 109-112, 1976; Y. Desmedt and J.J. Quisquater, "Public-key systems based on the difficulty of tampering (Is there a difference between DES and RSA?)", Advances in Cryptology - CRYPTO '86, Springer-Verlag LNCS 263, pp. 111-117; P. Guan, "Cellular Automaton Public Key Cryptosystem", Complex Systems, vol. 1, pp. 51-57, 1987; T. Renji, "Finite Automata, Latin Array and Cryptography", Institute of Software, Academia Sinica, Beijing 100080, PRC; M. M. Mano, "Digital Design", Prentice-Hall, Englewood Cliffs, New Jersey, 1984.

Relevant techniques are also discussed in the following references: W. Diffie and M.E. Hellman, "New Directions in Cryptography", IEEE Trans. on Inform. Theory, vol. IT-22, pp. 644-654, 1976; P. Peyret, G. Lisimaque and T.Y. Chua, "Smart cards provide very high security and management flexibility in subscribers management for pay-television systems", IEEE Trans. on Consumer Electronics, vol. 36, pp. 744-752, 1990; C. Adams and S. Tavares, "The Structured Design of Cryptographically Good S-Boxes", J. of Cryptology, vol. 3, no. 1, pp. 27-41, 1990.

The disclosures of the above publications and of all publications referenced therein are hereby incorporated by reference.

The present invention seeks to provide a method for secure off-line IC-card authenticity verification and the verification of the authenticity of data sent by the card. That is, the invention offers a way under which an interrogating terminal has the knowledge to generate the hereinbefore described value G', based on the information it receives from the card, and this without having an on-line communication with an authorized center. The invention pursues digital signature methods in which the system private key is embedded within a publicly available domain, using logic protection methods. That is, the difficulty of recovering the system private key is modeled by computational methods.

The IC-card authenticity verification system preferably comprises:

- an authorized center; a plurality of IC-cards and interrogating terminals; first apparatus located at said center for effecting a first transformation T of digital data. This apparatus is to be kept secret, not to be revealed;

- apparatus located at said center for attributing to each IC-card a specific reference datum (ID); apparatus for generating at said center a private key (S) specific to that IC-card, the latter being derived from applying said first transformation T to said reference datum;

- memory apparatus located at each IC-card for registering said reference datum and private key; second apparatus, provided to all IC-cards, each IC-card being provided with this same apparatus, for effecting a second transformation H of digital data, deriving a single output from two inputs; one of the inputs being a challenge C received from an interrogating terminal and the other input being the private key S; the output of the transformation H being a value G sent to the interrogating terminal;

- third apparatus, provided to each interrogating terminal from said authorized center, for effecting a third transformation ATH of digital data, deriving two outputs from two inputs, said third transformation being equivalent to the merging of three transformations A, T, H, the latter two being said first and second transformations and A being a one-way transformation; the transformation A having two inputs one being the ID value of the interrogated IC-card and the other being a random number R, where said two inputs to the transformation A also form the two inputs to said third transformation ATH, the single output of the transformation A being a challenge C which forms one of the outputs of said third transformation ATH; the apparatus for effecting the transformation H being operative to receive the value C and the output of T and being operative to generate an output G' which forms the second output of said third transformation ATH; the apparatus for effecting the transformation T being operative to receive the ID value of the interrogated IC-card and being operative to generate an output which forms one of the inputs to the transformation H; said merging of the three transformations A, T, H being intended to unable the recovery of T, thereby providing logic integrity, to unable the recovery of the value which forms the internal output of T and to unable the injection of external values through the output C of said apparatus for effecting the third transformation ATH.

- a comparator at the interrogating terminal which compares the values of said G and G', yielding a yes/no indication concerning the equality/inequality of said two values.

The invention further provides a system for effecting the verification of the authenticity of data sent by an IC-card which preferably comprises:

- an authorized center;

- a plurality of IC-cards and interrogating terminals;

- first apparatus located at said center for effecting a first transformation T of digital data, these apparatus are to be kept secret, not to be revealed;

- apparatus located at said center for attributing to each IC-card a specific reference datum (ID); apparatus for generating at said center a private key (S) specific to that IC-card, the latter being derived from applying said first transformation T to said reference datum; memory apparatus located at each IC-card for registering said reference ID, said private key S and data (D) to be sent to interrogating terminals and whose authenticity is to be verified at said terminal;

- second apparatus, provided to all IC-cards, each IC-card being provided with the same apparatus, for effecting a second transformation H of digital data, deriving a single output from three inputs; one of the inputs being a challenge C received from an interrogating terminal, the other input being the private key S and the third input being the data D whose authenticity is to be verified at said interrogating terminal; the output of the transformation H being a value G sent to the interrogating terminal;

- third apparatus, provided to each interrogating terminal from said authorized center, for effecting a third transformation ATH of digital data, deriving two outputs from three inputs, said third transformation being equivalent to the merging of three transformations A, T, H, the latter two being said first and second transformations and A being a one-way transformation; the transformation A having two inputs one being the ID value of the interrogated IC-card and the other being a random number R, where said two inputs to the transformation A also form two inputs to said apparatus for effecting the third transformation ATH, the single output of the transformation A being a challenge C which forms one of the outputs of said third transformation ATH; the apparatus for effecting the transformation H being operative to receive the value C, the output of T and the data D received from the IC-card, which also forms the third input to said third transformation ATH; said apparatus for effecting the transformation H being operative to generate an output G' which forms the second output of said third transformation ATH; the apparatus for effecting the transformation T being operative to receive the ID value of the interrogated IC-card and being operative to generate an output which forms one of the inputs to the transformation H; said merging of the three transformations A, T, H being intended to unable the recovery of T, thereby providing logic integrity, to unable the recovery of the value which forms the internal output of T and to unable the injection of external values through the output C of said third transformation ATH.

- a comparator at the interrogating terminal which compares the values of said G and G', yielding a yes/no indication concerning the equality/inequality of said two values.
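The exchange described above can be traced in code. The following Python sketch is an added example, not part of the patent text: it uses HMAC-SHA256 as an assumed stand-in for the transformations T, A and H, and all class and function names (Center, Card, Terminal, build_ath, run_demo) are hypothetical. A Python closure only models the data flow of the merged transformation ATH; it does not provide the logic protection the patent relies on to keep T unrecoverable. Card-authenticity verification (the two-input H) corresponds to running the same flow with empty data D.

```python
import hashlib
import hmac
import secrets


def _prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (assumed stand-in for a one-way transformation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def A(card_id, r):
    """One-way challenge generator: C = A(ID, R). R cannot be extracted from C."""
    return _prf(b"A-public-label", card_id, r)


def H(c, s, d):
    """Transformation carried by every card: G = H(C, S, D)."""
    return _prf(s, c, d)


class Card:
    def __init__(self, card_id, s, data):
        self.card_id, self.data, self._s = card_id, data, s  # S stays inside the card

    def respond(self, c):
        return self.card_id, self.data, H(c, self._s, self.data)


class Center:
    """Authorized center: the only party that holds the secret transformation T."""

    def __init__(self):
        self._sa = secrets.token_bytes(32)  # system private key behind T

    def _t(self, card_id):
        return _prf(self._sa, b"T", card_id)

    def issue_card(self, card_id, data):
        return Card(card_id, self._t(card_id), data)

    def build_ath(self):
        t = self._t  # in the patent T is merged into the ATH logic, not exposed

        def ath(card_id, r, d):
            c = A(card_id, r)               # first output: challenge C
            return c, H(c, t(card_id), d)   # second output: reference value G'

        return ath


class Terminal:
    def __init__(self, ath):
        self._ath, self._r = ath, None

    def challenge(self, card_id):
        self._r = secrets.token_bytes(16)   # fresh R per interrogation
        c, _ = self._ath(card_id, self._r, b"")
        return c

    def verify(self, card_id, d, g):
        if self._r is None:
            return False
        r, self._r = self._r, None          # each R is used for one comparison only
        _, g_ref = self._ath(card_id, r, d)
        return hmac.compare_digest(g, g_ref)  # the comparator: G == G'


def run_demo():
    center = Center()
    ath = center.build_ath()
    terminal = Terminal(ath)
    card = center.issue_card(b"CARD-0001", b"units=25")  # constructed sample values
    results = {}

    c = terminal.challenge(card.card_id)
    results["genuine"] = terminal.verify(*card.respond(c))

    c = terminal.challenge(card.card_id)
    cid, d, g = card.respond(c)
    results["altered_data"] = terminal.verify(cid, b"units=99", g)

    terminal.challenge(card.card_id)        # new R, so the earlier G no longer matches
    results["replayed_response"] = terminal.verify(cid, d, g)

    clone = Card(b"CARD-0001", secrets.token_bytes(32), b"units=25")  # S is not T(ID)
    c = terminal.challenge(clone.card_id)
    results["wrong_private_key"] = terminal.verify(*clone.respond(c))

    # Running ATH on a different R yields a G' bound to a different challenge,
    # so holding the ATH apparatus does not answer a challenge issued elsewhere.
    terminal.challenge(card.card_id)
    _, g_other = ath(card.card_id, secrets.token_bytes(16), b"units=25")
    results["ath_with_other_r"] = terminal.verify(card.card_id, b"units=25", g_other)
    return results


if __name__ == "__main__":
    print(run_demo())
```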

Also provided is a method for effecting authenticity verification of a message D sent from the authorized center to an IC-card in a system, which comprises:

- providing said second apparatus for effecting a two-input transformation H to the IC-card;

- having the IC-card transmit his reference datum ID to said center;

- having said center feed said reference datum ID to the apparatus for effecting the transformation T, to obtain the IC-card's private key S, feed said private key S and the message D to the apparatus for effecting the two-input transformation H, which the center also has, whereby to obtain a center's output G, and transmit said message D and said center's output G to said IC-card; and

- having said IC-card to feed said private key S, while feeding the said message D to the apparatus for effecting the two-input transformation H, whereby to obtain an IC-card's output G',

- having a comparator at the IC-card which compares the values of said G and G', yielding a yes/no indication whereby to verify that said message D was sent by said center and is intended for said IC-card.

Also provided is a method for effecting verification of a message D from the authorized center to an IC-card in a system, intended to overcome the threat of sending to the IC-card a re-played authentic message sent previously to that card, which comprises:

- providing said second apparatus for effecting a three-input transformation H to the IC-card;

- having the IC-card transmit his reference datum ID and a randomly generated R to said center;

- having said center feed said reference datum ID to the apparatus for effecting the transformation T, to obtain the IC-card's private key S, feed said private key S and the message D and the random R to the apparatus for effecting the three-input transformation H, which the center also has, whereby to obtain a center's output G, and transmit said message D and said center's output G to said IC-card; and

- having said IC-card to feed said private key S, while feeding the said message D and said random R to the apparatus for effecting the three-input transformation H, whereby to obtain an IC-card's output G',

- having a comparator at the IC-card which compares the values of said G and G', yielding a yes/no indication whereby to verify that said message D was sent by said center and is intended for said IC-card, while also preventing a re-play of previous valid messages.
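The difference between the two center-to-card methods above is shown in the following Python sketch, which is an added example and not part of the patent text. HMAC-SHA256 is an assumed stand-in for T and for the two-input and three-input forms of H, and the names Center, Card, H2, H3 and run_demo are hypothetical. It shows that the two-input check accepts a repeated {D;G} pair, while the three-input check with a card-generated R does not.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length, so R followed by D is parsed unambiguously


def T(system_key, card_id):
    """Center's secret transformation: S = T(ID) (HMAC stand-in, an assumption)."""
    return hmac.new(system_key, b"T" + card_id, hashlib.sha256).digest()


def H2(s, d):
    """Two-input transformation: G = H(S, D)."""
    return hmac.new(s, b"H2" + d, hashlib.sha256).digest()


def H3(s, d, r):
    """Three-input transformation: G = H(S, D, R)."""
    if len(r) != NONCE_LEN:
        raise ValueError("R must be NONCE_LEN bytes")
    return hmac.new(s, b"H3" + r + d, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id, s):
        self.card_id, self._s, self._pending_r = card_id, s, None

    def accept_two_input(self, d, g):
        # Nothing here changes between runs, so an old {D;G} pair still matches.
        return hmac.compare_digest(g, H2(self._s, d))

    def new_r(self):
        self._pending_r = secrets.token_bytes(NONCE_LEN)
        return self._pending_r

    def accept_three_input(self, d, g):
        r, self._pending_r = self._pending_r, None  # each R is good for one message
        if r is None:
            return False
        return hmac.compare_digest(g, H3(self._s, d, r))


class Center:
    def __init__(self):
        self._system_key = secrets.token_bytes(32)

    def personalize(self, card_id):
        return Card(card_id, T(self._system_key, card_id))

    def send(self, card_id, d, r=None):
        s = T(self._system_key, card_id)  # center recomputes S from the received ID
        g = H2(s, d) if r is None else H3(s, d, r)
        return d, g


def run_demo():
    center = Center()
    card = center.personalize(b"CARD-0001")    # constructed sample values
    other = center.personalize(b"CARD-0002")
    msg = b"add 10 units"
    out = {}

    # Two-input method: authentic, but a recorded pair is accepted again.
    d, g = center.send(card.card_id, msg)
    out["two_input_first"] = card.accept_two_input(d, g)
    out["two_input_replay"] = card.accept_two_input(d, g)
    out["two_input_other_card"] = other.accept_two_input(d, g)

    # Three-input method: the card supplies R, so G is bound to this one request.
    r = card.new_r()
    d3, g3 = center.send(card.card_id, msg, r)
    out["three_input_first"] = card.accept_three_input(d3, g3)
    card.new_r()                               # card asks again; the old pair is replayed
    out["three_input_replay"] = card.accept_three_input(d3, g3)
    return out


if __name__ == "__main__":
    print(run_demo())
```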

Also provided is a method for verifying the authorized center's signature on a message D sent to an interrogating terminal, which comprises:

- providing said second apparatus for effecting a two-input transformation H to said interrogating terminal;

- having said center effect said first transformation H on the message D, whereby to obtain a signature G, and transmit to said interrogating terminal said message D and said signature G;

- having said recipient feed a random digital number R and said message D to said third apparatus for effecting a two-input transformation ATH, whereby to obtain a first output, feed said random number R and said signature G to said second apparatus for effecting a two-input transformation H, whereby to obtain a second output, and compare said first and second outputs and verify that said signature is that of said center and that said message originates from it, if and only if said outputs coincide.

Also provided is a method wherein said apparatus for effecting the transformations T, H, A and ATH are in the form of electronic circuits.

Also provided is a method wherein the merging of the circuits that effect the transformations A, T, H into the circuit which effects the transformation ATH is effected by means of chaining Boolean identities.

There is also provided in accordance with another preferred embodiment of the present invention a system for verifying authenticity of a message transmitted by a message transmitting facility, the message transmitting facility being operative to store an ID (identification number) and a private key S, and including a first signature key generator operative to generate a first signature key by combining a challenge, the private key, and the message, the system including a message transmitting facility interface operative to receive the ID, the message and the first signature key from the message transmitting facility, a second signature key generator operative to generate a second signature key by combining a random number, the ID and the message, a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the message transmitting facility, and a signature key comparator operative to compare the first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.

Further in accordance with a preferred embodiment of the present invention the message transmitting facility includes an IC-card including a message memory storing the message to be transmitted to the system and to be verified by the system, an identification number memory storing an identification number ID characterizing the card, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which the first signature key generator is realized in the form of a three-input one-way transformer.

Still further in accordance with a preferred embodiment of the present invention the challenge generator generates the challenge from the random number and from the identification number ID of the message transmitting facility.

Additionally in accordance with a preferred embodiment of the present invention any third signature key generated by employing the signature key generator to combine the challenge, the identification number ID and the message is not similar to the first signature key.

There is also provided in accordance with another preferred embodiment of the present invention a system for verifying authenticity of an ID (identification number) transmitting facility, the ID transmitting facility being operative to store the ID and a private key S, and including a first signature key generator operative to generate a first signature key by combining a challenge and the private key, the system including an ID transmitting facility interface operative to receive the ID and the first signature key from the ID transmitting facility, a second signature key generator operative to generate a second signature key by combining a random number and the ID, a challenge generator operative to generate the challenge from the random number such that the random number cannot be extracted from the challenge and to transmit the challenge to the ID transmitting facility, and a signature key comparator operative to compare the first and second signature keys and to provide an output indication of authenticity based on the results of the comparison.

Further in accordance with a preferred embodiment of the present invention the ID transmitting facility includes an IC-card including an identification number memory storing an identification number ID characterizing the card to be transmitted to the system and to be verified by the system, and a secure private key memory storing a private key S associated with the identification number ID via a system private transformation and in which the first signature key generator is realized in the form of a two-input one-way transformer.

Still further in accordance with a preferred embodiment of the present invention the challenge generator generates the challenge from the random number and from the identification number ID of the ID transmitting facility.

Additionally in accordance with a preferred embodiment of the present invention any third signature key generated by employing the signature key generator to combine the challenge and the identification number ID is not similar to the first signature key.

Moreover in accordance with a preferred embodiment of the present invention the second signature key generator includes the challenge generator, a private key generator operative to generate the private key by transforming the ID number, and a third signature key generator which is the same as the first signature key generator and operative to receive the challenge, the transformed ID number and the received message.

Further in accordance with a preferred embodiment of the present invention the second signature key generator includes the challenge generator, a private key generator operative to generate the private key by transforming the ID number, and a third signature key generator which is the same as the first signature key generator and operative to receive the challenge and the transformed ID number.

Still further in accordance with a preferred embodiment of the present invention the challenge generator, the third signature key generator and the private key generator are combined into a single transformer.

Additionally in accordance with a preferred embodiment of the present invention each of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator includes an electronic circuit.

Moreover in accordance with a preferred embodiment of the present invention at least one of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator includes an electronic circuit.

Further in accordance with a preferred embodiment of the present invention each of said challenge generator, said first signature key generator, said second signature key generator, said third signature key generator and said private key generator comprises an electronic circuit, and the single transformer includes an electronic circuit including a logic design combination of the challenge generator, the private key generator and the third signature key generator.

Still further in accordance with a preferred embodiment of the present invention at least one of the challenge generator, the first signature key generator, the second signature key generator, the third signature key generator and the private key generator is implemented in software.


The present invention will be understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:

Fig. 1A illustrates the structure of a prior art card intended to facilitate the verification of the authenticity of data sent by the card;

Fig. 1B illustrates the structure of a prior art card intended to facilitate authenticity verification of the card itself;

Fig. 2A illustrates a transformation T which may be employed as the system private key, generally denoted hereinbefore as SA, used by the authorized center when generating the private key S of an IC-card, based on the ID value of the card;

Fig. 2B illustrates a two-input transformation H;

Fig. 2C illustrates the internal structure of a transformation TH which is executed at a terminal that interrogates the IC-card;

Fig. 3 illustrates a process for verifying the authenticity of data sent by an IC-card, operative in accordance with one alternative embodiment of the present invention;

Fig. 4 illustrates a process, operative in accordance with one alternative embodiment of the present invention, for generating, at the premises of the authorized center, a signature G which attests to the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card;

Fig. 5 illustrates a process, operative in accordance with one alternative embodiment of the present invention, for generating, at the premises of the authorized center, a signature G which attests to the authenticity of a message D that is intended for any terminal which interrogates cards;

Fig. 6A illustrates the internal structure of a two-input transformation ATH;

Fig. 6B illustrates a three-input transformation H;

Fig. 6C illustrates the internal structure of a three-input transformation ATH;

Fig. 7 illustrates a preferred process for authenticity verification of an IC-card;

Fig. 8 illustrates a process for verifying the authenticity of data sent by an IC-card, operative according to a preferred embodiment of the present invention;

Fig. 9 illustrates a process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card, according to a preferred embodiment of the invention;

Fig. 10 illustrates a preferred process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended to a specific card, and subsequent verifications which may be performed at the card, with prevention of re-play of a previous valid message;

Fig. 11 illustrates a process for generating, at the premises of the authorized center, a signature G which attests the authenticity of a message D that is intended for any terminal which interrogates cards, according to a preferred embodiment of the invention;

Fig. 12A illustrates in block diagram form the method of "chaining Boolean identities" used for implementing one embodiment of the invention;

Fig. 12B illustrates a preferred implementation of the method of Fig. 12A;

Figs. 13A, 13B and 13C illustrate in further detail the process of chaining Boolean identities;

Figs. 14A and 14B illustrate the Karnaugh maps used for generating an irreducible Boolean identity; and

Figs. 15A and 15B illustrate a merging of separate circuits T and H into one integrated circuit TH in accordance with a preferred embodiment of the present invention.

The field of the invention relates to a method and device which implement IC-card authenticity verification and the verification of the authenticity of messages sent by an IC-card, off-line, without a secret stored in the interrogating terminal and without a system secret stored in the card. The method and the system implement a pure identity-based digital signature based on cascading one-way transformations in an inseparable way.

The present invention preferably includes at least some and preferably all of the following seven features:

1) The IC-card has only trivial and fast hardware in its possession.

2) The method provides a small communication overhead. Generating, by illegal means, a valid response to be sent on behalf of an IC-card is substantially as complex and time consuming as a brute force guessing of the response.

3) The method provides a small storage overhead. Breaking, computationally, the private key stored at the IC-card is no less complex than a brute force guess of the key, for any key-length.

4) The method and system are based on a pure identity-based digital signature. That is, the public reference information of a card equals its ID details.

5) The IC-card is universal. Any vendor (a telecom company, a bank, a home TV company) can use the same fabricated card. This also means that whenever it is necessary for the vendor to change privacy parameters of the system, the change in the card is reduced to changing one stored value.

6) In the case where the card is a reloadable debit card, a reloadable payphone card or a home TV card which needs subscription updating, the trivial transformation and minimal memory in the card still enable the card to verify that a command is sent to it by an authorized center and that the command is intended only for that specific card.

7) Any terminal, which verifies the authenticity of IC-cards or the authenticity of messages sent by IC-cards, can also verify the signature of the authorized center on messages intended to all terminals.

Preferably the invention provides a new method and system for verifying the authenticity of IC-cards or the authenticity of messages sent by IC-cards such that all the above seven features are satisfied.

One embodiment of the invention involves three computational transformations which may be implemented electronically. The following are the three said computational transformations:

T - a one-way transformation which acts as the system private key, and which was generally denoted hereinbefore as SA. Such a transformation does not necessarily have a known inverse. The form of this transformation is shown in Fig. 2A.

H - a two-input one-way non-linear transformation, such as a hash transformation, known to all the parties involved. The transformation is not commutative (i.e., H(x, y) is not equal to H(y, x)). The form of a preferred embodiment of such a transformation is shown in Fig. 2B.

TH - a transformation which consists of the merging of the two transformations T and H, in the form shown in Fig. 2C. That is, TH(x, y) = H(x, T(y)). This transformation acts as said reference information RA.

The corresponding transformation circuits are preferably logic circuits, inputs and outputs of which are binary vectors. Treating T and H as logic circuits, the block which is framed in Fig. 2C is a single circuit which consists of the merging of T and H. This circuit has the two binary vectors x and y as its inputs, yielding a single output vector. The internal structure of the circuit does not have to consist of the discrete cascading of T and H, as long as its behavior is equivalent to the functioning of H(x, T(y)).

It is important to mention that the privacy of the method of the present invention depends on the way T and H are merged, by the authorized agent AA, into the single circuit representing the function TH. The purpose of the merging is to prevent the recovery of T, given the circuit which performs the combined transformation TH and given the functioning (input-output behavior) of the transformation H. The implementation of the merging of T and H into one circuit representing the function TH is discussed in detail with reference to Figs. 12, 13A, 13B, 13C, 14A and 14B.

The reference information RA, defined hereinbefore, is the circuit that implements the transformation TH. According to its definition, RA is distributed to all the parties that will need to interrogate IC-cards. In the pay-phone scenario, the circuit that implements the transformation TH is installed in all the pay-phones. The card is provided by the authorized agent AA with a pair of private key and ID number {S; ID}. In the present implementation, this pair is generated by AA based on the relation

S = T(ID),

i.e., the center AA used its system private key T in order to generate S out of ID.

A method of verifying data sent by a card which has the private key S and identification number ID is illustrated in Fig. 3. Basically, the method of Fig. 3 is similar to the one described in Fig. 1B. The difference between said two methods is due to the fact that the implementation in Fig. 3 is independent of a challenge received from the interrogating terminal and the challenge input to H is replaced by data input. From a functional point of view the input ID is transformed by T, inside the verifying terminal, yielding internally the value S. The operation performed next in the terminal, performing the transformation H with two inputs, is identical to that performed by the card when it generated G. The value G' obtained by the verifying terminal therefore equals G if ID and D were genuinely submitted by the card that possesses the value S associated with ID.

The system private key is the association between S and ID, known to the authorized agent AA which stores these values in a card, during its initiation. According to a preferred embodiment of the present invention, this system private key is the transformation T. If, for any reason, there is a need to change T, it is of course necessary for the agent AA to design a new circuit which implements TH. This circuit is subsequently distributed to all the terminals that have to verify signatures. However, H is not changed, meaning that a change in T does not necessitate a hardware change in the circuit distributed to a card. The change in T just causes a change in the way S is derived from ID, where S is a value stored in the card and it has no effect on the hardware (ID, which is the other value stored in the card, equals the identification details of the card and therefore remains unchanged).

Fig. 4 describes a signature system in which a message D is sent from an authorized agent AA to a card. As mentioned hereinbefore, the private key and identification number stored in a card are {S; ID}, while S = T(ID). The details of the system private key T are known to the authorized center AA.

After receiving the ID number of the intended recipient of the message D, AA first computes S = T(ID). The value G = H(S, D) is then computed and sent to the card together with the message D. Upon receiving D and G, the card computes independently the value G' = H(S, D), and compares it to the received G. The order of the two inputs to H is interchanged in Fig. 4, when compared to the implementation of Fig. 3. In case the order of the two inputs is not interchanged, the card can generate G, by using the circuit TH, in the same way the authorized center AA generates G, by using T. On the other hand, using the method depicted in Fig. 4, and based on the fact that H is not commutative, the equality G' = G assures the card that the originator of the pair {D; G} must have made an explicit use of S, and therefore it must be the authorized agent AA, which alone knows how to recover S from ID. Furthermore, only that specific card is able to make this verification, which needs the value S. To conclude, only the authorized center AA can send the described pair {D; G} and only that card can verify the authenticity of this pair.

As clarified in Fig. 3, the terminal can verify the signature of the card based on a universal circuit which implements the transformation TH. The latter circuit, which plays the role of the reference information RA, is supplied to the terminal by the authorized center AA. The case where the terminal has to verify the signature of AA on a message D sent from AA to the terminal is described next. In this procedure, AA generates a signature by making use of its knowledge of the system private key T. Subsequently, the terminal verifies the signature of AA by assuring that the sender really knows T. A way of implementing this procedure is shown in Fig. 5. The center AA operates on the message D with the system private key T, thereby generating the signature G = T(D), which is sent to the terminal together with D. Signature verification, that is, assuring that the pair {D; G} originated at AA, is performed at the terminal by generating a random number N and computing U' = TH(N, D) and U = H(N, G). The non-secret circuit H is assumed to be installed at the terminal in this application. The authenticity of the pair {D; G} is established if U' = U.

To understand the validity of the described signature verification procedure, refer to Fig. 2C which clarifies that:

U' = TH(N,D) = H(N, T(D)) = H(N,G) = U.

Although the verifying terminal actively participated in the signature verification process by generating the random number N, the presented signature method satisfies the basic definition of a digital signature, which also means that the signature can stand in court if and when the signer denies that he generated the pair {D; G}. This issue is, of course, academic, in the pay-phone scenario. In this case the judge can generate his own N and make the same verification process described above, convincing himself that only AA could compute G from D.
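The three exchanges of Figs. 3, 4 and 5 can be traced in software. The following is an added example, not part of the patent text: HMAC-SHA256 under a secret held by AA stands in for T and a length-prefixed SHA-256 stands in for H (both are assumptions), and all class and function names are hypothetical. A Python function cannot hide T inside TH the way the merged circuit is required to, so the example shows only the message flow and the role of the input order of H.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 under a secret known only to the authorized center AA
# stands in for the private one-way transformation T.
_AA_SECRET = secrets.token_bytes(32)


def T(value: bytes) -> bytes:
    return hmac.new(_AA_SECRET, value, hashlib.sha256).digest()


def H(x: bytes, y: bytes) -> bytes:
    """Public two-input one-way transformation (stand-in). Length-prefixing x
    keeps the encoding unambiguous and makes H non-commutative."""
    return hashlib.sha256(len(x).to_bytes(4, "big") + x + y).digest()


def TH(x: bytes, y: bytes) -> bytes:
    """Reference information RA held by terminals: TH(x, y) = H(x, T(y)).
    This plain function does not hide T; the patent relies on circuit merging."""
    return H(x, T(y))


class Card:
    """Holds the pair {S; ID}; S never leaves the card."""

    def __init__(self, card_id: bytes, s: bytes):
        self.card_id = card_id
        self._s = s

    def sign_data(self, d: bytes):
        """Fig. 3: the card sends ID, D and G = H(D, S)."""
        return self.card_id, d, H(d, self._s)

    def verify_from_center(self, d: bytes, g: bytes) -> bool:
        """Fig. 4: inputs to H interchanged, G' = H(S, D)."""
        return hmac.compare_digest(g, H(self._s, d))

    def verify_without_interchange(self, d: bytes, g: bytes) -> bool:
        """Counter-example only: Fig. 4 with the Fig. 3 input order."""
        return hmac.compare_digest(g, H(d, self._s))


def issue_card(card_id: bytes) -> Card:
    """AA initializes a card with S = T(ID)."""
    return Card(card_id, T(card_id))


def terminal_verify_card_data(card_id: bytes, d: bytes, g: bytes) -> bool:
    """Fig. 3, terminal side: G' = TH(D, ID) = H(D, T(ID))."""
    return hmac.compare_digest(g, TH(d, card_id))


def center_sign_for_card(card_id: bytes, d: bytes) -> bytes:
    """Fig. 4, AA side: G = H(S, D) with S = T(ID)."""
    return H(T(card_id), d)


def center_sign_for_terminals(d: bytes) -> bytes:
    """Fig. 5, AA side: G = T(D)."""
    return T(d)


def terminal_verify_center(d: bytes, g: bytes) -> bool:
    """Fig. 5, terminal side: U' = TH(N, D) must equal U = H(N, G)."""
    n = secrets.token_bytes(16)
    return hmac.compare_digest(TH(n, d), H(n, g))


if __name__ == "__main__":
    card = issue_card(b"ID-0001")          # constructed sample identity
    cid, d, g = card.sign_data(b"units=5")
    print("Fig. 3 data accepted:", terminal_verify_card_data(cid, d, g))
    cmd = b"reload 20"
    print("Fig. 4 command accepted:",
          card.verify_from_center(cmd, center_sign_for_card(cid, cmd)))
    # Anyone holding the public circuit can compute TH(cmd, ID) = H(cmd, S).
    public_value = TH(cmd, cid)
    print("same order as Fig. 3 would accept it:",
          card.verify_without_interchange(cmd, public_value))
    print("interchanged order rejects it:",
          not card.verify_from_center(cmd, public_value))
```

The last two lines show why the input order matters: TH only ever places T(ID) in the second input of H, so a value produced with the public circuit passes a check of the form H(D, S) but not one of the form H(S, D).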

A preferred embodiment of the invention uses five transformations that convert an input binary block, or several input binary blocks, into a single output block.

T - a one-way transformation which acts as the system private key, and which was generally denoted hereinbefore as SA. The form of this transformation is shown in Fig. 2A. Such a transformation does not necessarily have a known inverse.

A two-input transformation H - a highly non-linear two-input one-way transformation known to all the parties involved. The form of this transformation is shown in Fig. 2B.

A two-input transformation ATH - a two-input two-output transformation which consists of merging three transformations, two of which are T and H and the third one is a further highly non-linear one-way transformation A. The form of this transformation is shown in Fig. 6A. For x, y denoting the two inputs to ATH and v, w denoting the two outputs of ATH, the relation between the inputs and outputs is: v = A(x, y), w = H(A(x, y), T(y)).

A three-input transformation H - a highly non-linear one-way transformation known to all the parties involved. The form of this transformation is shown in Fig. 6B.

A three-input transformation ATH - a three-input two-output transformation which consists of merging three transformations, two of which are T and H and the third one is a further highly non-linear one-way transformation A. The form of this transformation is shown in Fig. 6C. For x, y and z denoting the three inputs to ATH and v, w denoting the two outputs of ATH, the relation between the inputs and outputs is: v = A(x, y), w = H(A(x, y), T(y), z).

The first three transformations can be carried out by means known in prior art such as [C. Adams and S. Tavares, "The Structured Design of Cryptographically Good S-Boxes", J. of Cryptology, vol. 3, no. 1, pp. 27-41, 1990] referenced above. One preferred embodiment of the invention concerns devising the functioning of the fourth and fifth transformations and a method for constructing them by electronic apparatus.

Merging of the three transformations A, T, H into a single transformation ATH provides the following three features:

(1) Given the transformations ATH and H - it would be infeasible to recover the transformation T or any transformation which functions like T.

(2) Given the transformations ATH and H - it would be infeasible to enter the value v into the merged transformation in a way which is equivalent to entering v at the point marked by 10 in the discrete framed structure shown in Figs. 6B and 6C.

(3) Given the transformations ATH and H - it would be infeasible to recover the vector which exists, during the operation of the discrete structure, at the point marked by 15 shown in Figs. 6B and 6C.

These three features are to be obtained based on computational considerations. That is, the complexity of performing any of the three operations should be formulated and evaluated based on computational methods.

The transformations are preferably implemented as logic circuits, the inputs and outputs of which are binary vectors. Treating A, T and H as logic circuits, the block which is framed in Figs. 6B and 6C is a single circuit which consists of the hardware merging of A, T and H. The internal structure of the circuit ATH does not consist of the discrete cascading of A, T and H, but is rather obtained by applying logic transformations on the discrete structure, such that the internal conduction lines in the discrete structure do not exist in practice. The implementation of the merging of A, T and H into one circuit representing the function ATH is discussed in detail with reference to Figs. 12, 13A, 13B, 13C, 14A and 14B.

A two-input one-way transformation H is installed in all IC-cards that will ever need to prove their authenticity. A three-input one-way transformation H is installed in all IC-cards that will ever need to prove the authenticity of data sent by them.

The circuit that implements the transformation ATH is distributed to all the terminals that will need to interrogate IC-cards. A two-input circuit is distributed to the terminals that will need to verify the authenticity of IC-cards. A three-input circuit is distributed to the terminals that will need to verify the authenticity of data sent by IC-cards. The circuit that implements the transformation ATH is the reference information RA, defined hereinbefore.

The system private key T is used by the authorized agent AA to generate the pair of private and public keys {S; R}, installed in an IC-card during its initialization. This pair is generated by AA based on the relation S = T(R). Since the value of the public key R can be selected by AA to equal the value of the identity details ID of the card, the resulting system is an identity based system.

If, for any reason, there is a need to change the system private key T, it is of course necessary for the agent AA to design a new circuit which implements ATH. This circuit is subsequently distributed to all the interrogating terminals. However, no change has to be made in the transformation H so that the user cards need not be changed.

The process of authenticity verification of an IC-card is shown in Fig. 7. As defined hereinbefore, in this process the interrogating terminal verifies that a card, which submits its ID, possesses the private key S associated with ID. The terminal first receives the ID value which is entered from the card, together with a random input R which is generated in the terminal, into the terminal's circuit. The output C of ATH is a challenge which is sent to the card. The card then responds with a value G which is compared to the value G', where the latter is independently generated by the terminal. G' may be already available at the verifying side before G is received. An equality between G' and G assures the terminal that the interrogated card has in its possession the private key S associated with ID.

The process of verifying the authenticity of data D sent by an IC-card is shown in Fig. 8. As defined hereinbefore, in this process the interrogating terminal verifies that values ID and D, submitted by a card, were both submitted by a card that possesses the private key S associated with ID. The process shown in Fig. 8 is an extension of the card authentication process of Fig. 7. The difference lies in the fact that a three-input transformation H is used, where the additional input is the message D.

We now comment on the privacy aspects of the process of authenticity verification of an IC-card and the process of authenticity verification of messages sent by an IC-card, described hereinbefore.

The value G is generated in the card based on C and S, while G' is generated in the terminal based on R and ID. A party that possesses the universal non-secret transformation H and intercepts the publicly exchanged values ID and C cannot generate G since it does not know S, which is isolated from the publicly known ID by the unknown function T. Considering the fact that the circuit ATH is also publicly known, an outside party can try to generate G' and transmit it to the terminal on behalf of the interrogated card. The terminal will then be led to assume that the response supposedly sent by the card is authentic, since the comparator will compare G' to G', yielding a 'yes' answer for sure.

The latter possibility is prevented in this invention since the terminal is inputting into the circuit ATH the values R and ID. Whereas any party has the circuit ATH and can intercept the values ID and C, that party cannot generate G' since it does not know R which is isolated from the publicly available information C by a one-way function. For this reason it was demanded that the merging of the discrete circuits A, T and H into the circuit ATH should prevent the injection of C into the point marked by 10 in Figs. 6B and 6C, since otherwise a third party which uses ATH can really generate G' on behalf of a valid card.

It should further be noted that hiding the system private key T within the publicly available transformation ATH is in accordance with the definition of digital signature, as any digital signature system is inherently based on the public availability of the universal reference information RA of the authorized center AA. By definition, RA is associated with the system private key SA. If the system private key SA is disclosed, the entire system collapses.

Furthermore, based again on the fundamental features of digital signature, the system private key SA is hidden in some sense within the publicly available RA, where the difficulty in recovering SA from RA should be based on that of trying to solve an intractable problem. That is, the system private key is there, but it should be computationally infeasible to recover it.

According to a preferred embodiment of the invention, the system private key SA is the transformation T which is hidden, based on logic complexity, within the publicly available transformation ATH which acts as RA. In view of the above, this does not present any exception and does not pose a threat of a type which is not met in other digital signature methods.

Note that recovering in ATH the vector which exists, during the operation of the discrete structure, at the point marked by 15 in Figs. 6B and 6C, reveals the private key S from the public data ID. In this respect it should be noted that one of the indicated purposes in the merging of the discrete structure into the circuit ATH is to prevent this possibility.

A process of sending from the authorized center AA a message D which is specifically intended to a certain card whose identification details are ID, and the subsequent verifications performed at the card's premises, is shown in Fig. 9.

After receiving the value ID, the center AA computes the value G = H(D, T(ID)) and sends it to the card together with the message D. Upon receiving D and G, the card computes independently the value G' = H(D, S), and compares it to the received G. The equality G' = G assures the card that the originator of the pair {D; G} made an explicit use of S, and therefore he must be the authorized center AA, who knows how to recover S from ID. Furthermore, only the card whose identification details are ID was able to make this verification, which again needs the value S.

The procedure described before of sending a message D from the authorized center AA to a card can be intended, in practice, to reload debit cards. D is the command for reloading a specific value. When using this procedure a party who has good reasons to reload a card by illegal means, thereby actually printing money, can re-play a valid reloading message sent previously to a card.

Fig. 10 depicts a way of preventing a reloading by re-play of an old valid message. Here, the one-way transformation H has three inputs, where the additional input is intended for a random value R, internally generated in the card. Following the procedure shown in the drawing, it is clear that a re-play will not work, since the internal circuitry in the card forces the value G' to be dependent on the present R.

A process of signing at the premises of the authorized center AA a message whose authenticity is intended to be verified by any terminal, and the subsequent verification process at a terminal, is described in Fig. 11. Here the terminal proves to itself that the message was sent by a party that knows the system private key T. During the verification process, a terminal uses its circuit ATH, which plays the role of the public key RA of AA, supplied by AA to all the intended verifying terminals. The terminal further uses the transformation H (which is also a universal non-secret transformation).

The center AA operates on the message D with the system private key T, generating the value G = T(D). This is sent, together with D, to the terminal. Verification at the terminal is performed by the process shown on the right of the drawing. The right output from ATH is the value H(A(R, D), T(D)). This value is also generated at the output of H. The validity of D is proved to be correct if the two inputs to the comparator are equal.
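The challenge-response flows of Figs. 7, 8 and 11 can be followed in the sketch below. It is an added example, not part of the patent text: HMAC-SHA256 stands in for T and domain-separated SHA-256 for A and H (assumptions), all class and function names are hypothetical, and the single-use handling of the expected value is a choice made here. As a plain function, ATH does not conceal T or its internal points 10 and 15; only the input-output relations v = A(x, y), w = H(A(x, y), T(y)[, z]) are modeled.

```python
import hashlib
import hmac
import secrets

_AA_SECRET = secrets.token_bytes(32)   # assumption: known only to the center AA


def T(value: bytes) -> bytes:
    """Stand-in for the system private key T."""
    return hmac.new(_AA_SECRET, value, hashlib.sha256).digest()


def _digest(tag: bytes, *parts: bytes) -> bytes:
    h = hashlib.sha256(tag)
    for p in parts:                     # length prefixes keep inputs ordered
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def A(x: bytes, y: bytes) -> bytes:
    """Stand-in for the further one-way transformation A."""
    return _digest(b"A", x, y)


def H(*parts: bytes) -> bytes:
    """Public two- or three-input one-way transformation (stand-in)."""
    return _digest(b"H", *parts)


def ATH(x: bytes, y: bytes, z: bytes = None):
    """Returns (v, w): v = A(x, y); w = H(v, T(y)) or H(v, T(y), z)."""
    v = A(x, y)
    s = T(y)
    return v, (H(v, s) if z is None else H(v, s, z))


class Card:
    def __init__(self, card_id: bytes, s: bytes):
        self.card_id = card_id
        self._s = s

    def respond(self, c: bytes, data: bytes = None) -> bytes:
        """G = H(C, S) for Fig. 7, or G = H(C, S, D) for Fig. 8."""
        return H(c, self._s) if data is None else H(c, self._s, data)


def issue_card(card_id: bytes) -> Card:
    return Card(card_id, T(card_id))    # S = T(ID)


class Terminal:
    """Holds only the public circuits ATH and H, and the current G'."""

    def __init__(self):
        self._expected = None

    def challenge(self, card_id: bytes, data: bytes = None) -> bytes:
        r = secrets.token_bytes(16)     # random input R, never transmitted
        c, self._expected = ATH(r, card_id, data)
        return c                        # challenge C = A(R, ID)

    def check(self, g: bytes) -> bool:
        # Each G' is compared once and then discarded (choice made here).
        expected, self._expected = self._expected, None
        return expected is not None and hmac.compare_digest(g, expected)


def center_sign(d: bytes) -> bytes:
    """Fig. 11, AA side: G = T(D)."""
    return T(d)


def terminal_verify_center(d: bytes, g: bytes) -> bool:
    """Fig. 11, terminal side: w = H(A(R, D), T(D)) must equal H(A(R, D), G)."""
    v, w = ATH(secrets.token_bytes(16), d)
    return hmac.compare_digest(w, H(v, g))


if __name__ == "__main__":
    card, term = issue_card(b"ID-0001"), Terminal()   # constructed identity
    c = term.challenge(card.card_id)
    g = card.respond(c)
    print("Fig. 7 card accepted:", term.check(g))
    # Feeding the intercepted C back into ATH yields H(A(C, ID), S), not H(C, S).
    print("ATH(C, ID) reproduces G:", ATH(c, card.card_id)[1] == g)
    c = term.challenge(card.card_id, b"units=5")
    print("Fig. 8 data accepted:", term.check(card.respond(c, b"units=5")))
    print("Fig. 11 accepted:", terminal_verify_center(b"msg", center_sign(b"msg")))
```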

The merging of the transformations A, T and H into the transformation ATH forms the privacy of the system. It is done by the authorized agent AA, where the purpose of the merging is to wipe out all trace of the original separate structure.

One way to form this merging is based on 'chaining Boolean identities'. Here a group of logic gates is transformed into another group of gates which performs the same functioning, based on Boolean identities. Another group of gates, some of which are contained in a group obtained in the preceding step, is now transformed into another group which performs the same functioning, and so on.

Reference is now made to Fig. 12A which illustrates in block diagram form the method of "chaining Boolean identities" used for implementing one embodiment of the invention. In Fig. 12A each circle defines a group of gates which is transformed into another group that performs the same functioning. The meaning of the two 'types' indicated in the drawing is clarified later. The circles partially overlap, showing that each group, starting with the second group, contains some gates obtained at a preceding step.

Chains of the described form are to be activated hundreds of times, in all directions, covering numerous times all the original gates of the separate T and H circuits or the transformed versions of the original gates. The Boolean identities used in the process can either leave the same number of gates as in the original group, or change this number. The identities used in the last generated chains will be intended towards decreasing the number of gates.

The described process is similar to "kneading the dough", finally leading to the circuit TH where all traces of the original separate structure are wiped out.

Fig. 12A also treats two "types" of chainings. "Type 1" chains 50 represent chains in which the first group is a border group, containing gates from both the circuits T and H. The chain then propagates either into the circuit T or H. Chains of "type 1" are generated first when integrating the two circuits into the combined circuit TH. "Type 2" chains 55 are generated at a later step of the process.

To distinguish between the two "types" shown in Fig. 12A, note the first five groups of the chain of "type 2" 55 depicted, which all fall in the circuit TH. There is no point in starting the integration of the circuits T and H by chaining these five groups, as the effect of this chaining will just be to scramble the circuit H in itself. On the other hand, chains of "type 1" 50 join the circuits T and H and then further propagate the resultant effect. After running a sufficient number, typically tens, of chains of "type 1" 50 it will be constructive to run chains of "type 2" 55, further spreading throughout the circuit the initial effect of the chains of "type 1" 50.

The purpose of forming the described chains is to cause a strong inter-dependence among all the gates in the combined circuit TH. The grouping of gates within one link of a chain is intended to form a situation in which gates from a preceding link cause a change in the structure of many other gates in the new link.

A preferred implementation of the method of Fig. 12A is illustrated in Fig. 12B, where each circle defines a group of gates which is transformed into another group that performs the same functioning. The circles partially overlap, showing that each group, from the second onwards, contains some gates obtained at a preceding step.

The purpose of forming the described chains is to cause a strong inter-dependence among all the gates in the combined transformation ATH. The grouping of gates within one link of a chain is intended to form a situation in which gates from a preceding link cause a change in the structure of many other gates in the new link.

Figs. 13A, 13B and 13C further clarify the process of chaining Boolean identities. Observing Fig. 13A, the gates are grouped within a first link 100, which is link #i of a chain, which chain includes a gate 105, the gate 105 forming an implicant a'b'. The gate 105 also belongs to a second link 110, which is link #(i+1). Due to transformations performed within the first link 100, the implicant a'b' changes to ab, as shown in Fig. 13B. In order that the second link 110, which is link #(i+1), will still function correctly, the rest of the gates in the second link 110 should now be changed such that, together with the new implicant ab, the second link 110 will still perform the function f(a,b,c) = a'b' + ac' + bc. Subsequently, the other gates in the second link 110 also change, as shown in Fig. 13C, which implements the function ab + a'c + b'c' that logically equals the above function f(a,b,c). That is, a change in the first link 100, link #i, propagated to the second link 110, link #(i+1), through the common gate 105.

The latter process can be facilitated by the use of basic logic design tools like Karnaugh maps. These can be used conveniently when the group of gates which form a link have up to six different input values. There are various Boolean identities, many of which relate to De-Morgan's theorems. Karnaugh map techniques and De-Morgan's theorems are described in detail in the above referenced [M. M. Mano, "Digital Design", Prentice-Hall, Englewood Cliffs, New Jersey, 1984]. An example of the use of De-Morgan's theorem is ab = (a'+b')'. This identity can be extended to: (ab + cd) = [(a'+b')(c'+d')]'. The latter identity, which concerns four variables, is reducible in the sense that it is formed by applying the first identity twice, on two separate pairs of variables. On the other hand, a Boolean identity like a'b' + ac' + bc = ab + a'c + b'c', which was used in the example of Figs. 13A, 13B and 13C, is irreducible in the sense that it holds only in its complete form, due to an interdependence among its various components, and it is not formed by extending lower dimension identities. Privacy considerations dictate that the Boolean identities used in the chaining process should be multi-variable and irreducible.

Fig. 14A shows the Karnaugh map of the Boolean function f(a,b,c) = a'b' + ac' + bc. Each of the three implicants of which this function consists is formed by joining two maxterms, as shown in the drawing. Fig. 14B depicts another way of defining the same function, based on the implicants ab + a'c + b'c'. These are formed by joining pairs of maxterms in a different way, as shown by the dotted grouping.
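The propagation step of Figs. 13A to 13C can be checked exhaustively over the eight input rows. The following is an added example, not part of the patent text: it shows that swapping only the common gate from a'b' to ab breaks link #(i+1), and that the only three-gate completion containing ab is the Fig. 13C form. The helper names (term, on_set, two_literal_implicants, resynthesize) are hypothetical.

```python
from itertools import combinations, product

VARS = "abc"
INPUTS = list(product((0, 1), repeat=len(VARS)))

def term(text):
    """Parse a product term such as "a'b" into {var_index: required_value}."""
    lits, i = {}, 0
    while i < len(text):
        neg = text[i + 1:i + 2] == "'"
        lits[VARS.index(text[i])] = 0 if neg else 1
        i += 2 if neg else 1
    return lits

def on_set(terms):
    """Input rows on which a sum of product terms evaluates to 1."""
    parsed = [term(t) for t in terms]
    return {row for row in INPUTS
            if any(all(row[v] == val for v, val in p.items()) for p in parsed)}

def two_literal_implicants(target):
    """Every two-literal product term that never outputs 1 outside target."""
    names = []
    for (x, y), (vx, vy) in product(combinations(VARS, 2),
                                    product((1, 0), repeat=2)):
        name = x + ("" if vx else "'") + y + ("" if vy else "'")
        if on_set([name]) <= target:
            names.append(name)
    return names

def resynthesize(target, forced, extra=2):
    """All ways to complete a link that must contain the gate `forced`."""
    pool = [t for t in two_literal_implicants(target) if t != forced]
    return [{forced, *rest} for rest in combinations(pool, extra)
            if on_set([forced, *rest]) == target]

FIG_13A = ["a'b'", "ac'", "bc"]   # link #(i+1) before the common gate changes
F = on_set(FIG_13A)               # function the link must keep computing

if __name__ == "__main__":
    # Changing only the common gate leaves the link computing a different function.
    print("naive swap still correct:", on_set(["ab", "ac'", "bc"]) == F)
    # The remaining gates must change too; the search finds how.
    print("rebuilt link:", resynthesize(F, "ab"))
    print("Fig. 13C form equivalent:", on_set(["ab", "a'c", "b'c'"]) == F)
```

Because the completion is unique in each direction, the change to gate 105 fully determines the other two gates of the link, which is the interdependence the text calls irreducible.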

Reference is now made to Figs. 15A and 15B which illustrate a merging of separate circuits T and H into one integrated circuit TH in accordance with a preferred embodiment of the present invention. Fig. 15 further demonstrates an integration of circuits T and H into one TH circuit. It is important to note that the border between the two original circuits T and H is totally wiped in the resultant circuit TH.

It is also important to note that there is an imbalance in the originally separate structures, in the sense that the inputs PK propagate via more logic levels, on their way towards the output, when compared to the inputs D. Special attention should therefore be given, during the described chaining process, to the integration of the D inputs into the combined system. This is done by generating initially chains that purposely involve gates that process the D inputs. When the process terminates it is required that the number of logic levels via which the D inputs propagate towards the output will not be smaller, on the average, than the number of logic levels via which the PK inputs propagate.

While a number of embodiments of the invention have been described, it will be understood that the same can be carried into practice by skilled persons with a number of variations, modifications, and adaptations, without departing from its spirit or exceeding the scope of the claims.

For example, the transformations T, H, A and ATH can be computational transformations. Or, these transformations can be implemented in hardware by sequential machines. In this case the merging of and H into the circuit ATH can be based on design considerations other than Boolean chainings.

It is appreciated that the various components of the present invention which are described as being implemented in hardware need not be implemented in hardware. Alternatively, these blocks may be implemented in software. Implementation in software may be desirable, as for example, when computational transformations for which dedicated hardware is unavailable are employed.

For example, the hardware implementation described above may be transformed into software by replacing each circuit with a program executing the same operation. It is appreciated that the software components of the present invention may, if desired, be implemented in ROM (read-only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques.

It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.

It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the claims that follow:

Classifications
International Classification: H04L9/32, G07F7/10
Cooperative Classification: H04L9/3247, G06Q20/40975, G07F7/1008, G06Q20/341, H04L9/3271
European Classification: G06Q20/40975, G06Q20/341, H04L9/32R, G07F7/10D

Legal Events
Date | Code | Event | Description
18 Sep 1996 | 17P | Request for examination filed | Effective date: 19960529
18 Sep 1996 | AK | Designated contracting states: | Kind code of ref document: A1; Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE
17 Mar 1999 | A4 | Despatch of supplementary search report | Effective date: 19990201
17 Mar 1999 | AK | Designated contracting states: | Kind code of ref document: A4; Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LI LU MC NL PT SE
24 Nov 1999 | 18D | Deemed to be withdrawn | Effective date: 19980416