FIELD OF INVENTION

The present invention concerns a method and a system for cryptographic processing of a message.

Particularly, the present invention is advantageously but not exclusively used for communication of a message between two communication units, e.g. two terminals, two nodes of a (peer-to-peer) communication network, or a client and a server, the two communication units communicating over a generally insecure communication channel that is part of a communication network.

BACKGROUND THE INVENTION

One of the most common methods to establish a cryptographic communication uses an asymmetric key algorithm known as the acronym RSA, from the initials of its inventors (Rivest, Shamir, Adleman), which involves the generation of a public key, to be used for encrypting a message into a cryptogram, and a private key, to be used for decrypting the cryptogram and obtain the original message. This method is disclosed in US Patent 4,405,829. In short, the public key is issued by the recipient of the message, to be used by the sender of the message for encryption of the latter, whereas the private key is known to the recipient only and is used for decryption of the cryptogram. The public key and the private key of the RSA algorithm are created from the product of two prime numbers. The security of the RSA method lies in that the private key cannot be calculated by only knowing the public key, but requires the two prime numbers to be known. The only way to determine the private key is to solve the mathematical problem of factorization in prime numbers of the public key, and the solution is a "brute-force" operation, which is computationally rather complex. In general terms, the larger the prime numbers and thus their product, the longer it will take to search for the private key and hence the more secure the cryptography is. Nowadays, certain applications require at least 728-bit keys, in certain cases 1024-bit keys or keys with a even larger number of bits.

The applicant has observed that the exponential increase of the computing power of common computers, as well as the recent discoveries about the determinism of prime numebrs potentially affect the security of the RSA method to an increasing extent, unless the number of digits of the two primes is hugely increased. Nevertheless, the latter solution would eventually increase the computational burden of the encryption system.

The Italian patent application BO2009A000383, filed on 12 June 2009, concerns a method of establishing a cryptographic communication which comprises the creation of a "secret" key (K), shared by the sender unit and the recipient unit, which is obtained by the sum modulo p of terms obtained by raising two respective private keys a and b to a power equal to the number p, where p is a known prime number, and the encryption by the sender unit of a message M into a cryptogram C obtained by the modular product of M and K.

The Applicant has observed that, while the method disclosed in Patent Application BO2009A000383 provides the advantage of using an encryption algorithm that requires a relatively low computational effort, it is still based on an algorithm that uses encryption equations considerably different from those of the RSA algorithm.

The Applicant has noted that RSA is commonly used in applications that require a high security level, such as applications for managing electronic business transactions, and that an encryption system such as the one disclosed in patent application BO2009A000383 may not be readily implemented or may require substantial changes to be made to the operational protocol for use of the encryption algorithm.

SUMMARY OF INVENTION

The present invention concerns a cryptographic processing method and a system that uses an asymmetric cryptography-based scheme. The Applicant has understood that a cryptographic processing method that calculates the cryptogram by a modular arithmetic power function and bases its effectiveness on the discrete logarithm problem to define the exponent of the cryptogram can ensure high security. The discrete logarithm is thought to be a very difficult problem to solve, because unlike the factorization problem, it has many possible solutions and particularly if modular equations modulo p are used, with p being a sufficiently large number, the solution of exponential modular equations is very burdensome, or almost impossible.

In one main aspect, the method of the present invention is based on an asymmetric algorithm that uses private keys and public keys, and derives its robustness from application of modular exponential equations, which are injective (one-way) functions for defining exponents of the encryption (and decryption) equations.

In one aspect, the present invention is directed to a method of cryptographic processing of a message, the method comprising: establishing a communication between a first communication unit and a second communication unit in a communication domain comprising a communication channel; providing a message T by the first communication unit;

defining, by the second communication unit, an integer a as a first private key and a number KA as a first public key, the first public key being a number determined based on a prime integer p, a generator prime integer g and the first private key;

making the first public key K _A available to the first communication unit;

sharing the first and the second communication units the prime number p and the generator number g;

defining, by the first communication unit, an integer b as a second private key and a number KB as a second public key, the second public key being a number determined based on the prime number p, the generator number g and the second private key;

determining by the first communication unit an encryption exponent x by means of the modular equation:

{[¾* + e _B ] (mod/?)}* x≡ 1 mod (p-1),

where eg is a parameter selected from the group of integers, so that coprimeness of [KA ⁴ + ee] (mod p) and (p-l) is verified;

coding the message T, where coding comprises dividing the message T into at least one message block M, and

encrypting by the first communication unit the at least one message block M, thereby obtaining at least one cryptogram C by the modular equation

C≡ M ^x (mod p).

Preferably, the method further comprises, after encryption of the at least one message block M:

making the second public key KB and the parameter 6B available to the second communication unit;

transmitting the at least one cryptogram C to the second communication unit;

determining by the second communication unit a decryption exponent y={ [K _B ^A + e _B ] (mod p)}, and

decrypting the at least one cryptogram C thereby obtaining at least one message block M' by the modular equation

M'≡ C ^y (mod p).

Preferably, the method further comprises, after decryption of the at least one cryptogram C, decoding the at least one message block M' obtained from decryption of the cryptogram C, wherein decoding comprises recomposing the at least one message block M' to obtain a message T'. The message T' matches the message T.

Preferably, the method is a method of establishing a cryptographic communication between the first communication unit and the second communication unit.

Preferably, defining an integer b as a second private key comprises selecting, by the first communication unit, an integer coprime to (p-1).

In some preferred embodiments, defining a number b as a second private key comprises:

a) selecting by the first communication unit a first integer as a second private key;

b) determining whether the first integer is coprime to (p-1);

c) if the result of determining is negative, selecting by the first communication unit a second integer;

d) determining whether the second integer is coprime to (p-1), and

e) if the result of determining is negative, repeating the steps c) and d) until the result of determining is positive.

Preferably, defining a number a as a first private key comprises selecting, by the second communication unit, an integer coprime to (p-l).

In some preferred embodiments, defining a number a as a first private key comprises: f) selecting by the second communication unit a first integer as a first private key;

g) determining whether the first integer is coprime to (p-l);

h) if the result of determining is negative, selecting by the second communication unit a second integer;

1) determining whether the second integer is coprime to (p-l), and

m) if the result of determining is negative, repeating the steps h) and 1) until the result of determining is positive.

Preferably, the at least one message block M is of a length k smaller than p.

Preferably, the generator prime number g is different from the prime number p.

Preferably, defining, by the second communication unit, a first public key K _A based on a prime number p, a generator prime number g and a number a comprises generating a prime number p and a prime number g.

Preferably, defining a first public key comprises calculating the number KA from the modular equation K _A = g ^a (mod p). Preferably, defining a second public key comprises calculating the number K _B from the modular equation KB≡ g*(mod p).

In some preferred embodiments, making the first public key K _A available and sharing the prime number p and the generator prime number g comprises transmitting, by the second communication unit, the first public key, the prime number p and the generator number g to the first communication unit through the communication channel.

Preferably, making the second public key K _B and the parameter e _B available comprises transmitting, by the first communication unit, the second public key and the parameter e _B through the communication channel.

Preferably, the communication domain is a communication network.

In a further aspect, the present invention relates to a system for cryptographic processing of a message in a communication domain, which comprises:

a first communication unit which comprises a first encrypting device, a first coding device and a first transceiver module;

a second communication unit which comprises a first decrypting device, a first decoding device and a second transceiver module, and

a communication channel apt to connect the first communication unit with the second communication unit by means of the first and second transceiver modules, wherein

the first communication unit is apt to provide a message T;

the second communication unit is apt to define an integer a as a first private key and a number as a first public key, the first public key being a number determined based on a prime number p, a generator prime number g and the first private key;

the second transceiver module is apt to transmit the first public key K _A to the first communication unit through the communication channel, the first and second communication units being apt to share the prime number p and the generator prime number g through the communication channel;

the first communication unit is apt to define an integer b as a second private key and a number K _B as a second public key, the second public key being a number determined based on the prime number p, the generator number g and the second private key;

the first encrypting device is apt to determine an encryption exponent x by the modular equation

{ [K + e _B ] (mod p)}* x≡ 1 mod (p-1),

where e^ is a parameter selected from the group of integers, so that coprimeness of [KA^ + ββ] (mod p) and (p-1) is verified;

the first coding device is apt to code the message T, where coding comprises dividing the message T into at least one message block M, and

the first encrypting device is apt to encrypt the at least one message block M, thereby obtaining at least one cryptogram C by the modular equation

C≡M ^x (mod p).

Preferably, the first transceiver module is apt to transmit the at least one cryptogram C, the second public key KB and the parameter es to the second communication unit (3), and the first decrypting device is apt to determine a decryption exponent number y={ [K _B ^A + e _B ] (mod p)}, and to decrypt the at least one cryptogram C, thereby obtaining at least one message block M' by the modular equation

M'≡ C ^y (mod p).

BRIEF DESCRIPTION OF THE FIGURES

Further characteristics and advantages of the invention will be apparent from the following detailed description, which is made with reference to non-limiting embodiments thereof, and to the accompanying figures, in which:

- Figure 1 shows a block diagram of a communication system that implements the method of cryptographic processing of a message between a first communication unit and a second communication unit, according to an embodiment of the present invention; and

- Figure 2 shows a flowchart describing an embodiment of the method of cryptographic processing of a message according to the present invention.

DETAILED DESCRIPTION

In Figure 1, a communication system apt to establish a cryptographic communication is generally designated by numeral 1. The system 1 comprises at least one first communication unit 2 and one second communication unit 3. Each of the communication units 2 and 3 comprises a respective transceiver module 9 and 10, which is apt to send and/or receive data to/from a communication channel 4 that can connect the transceiver modules 9 and 10 together. Data is transmitted by means of a signal having the format required by the communication channel. In certain embodiments, each communication unit comprises or consists of a terminal or a node for a communication network. The communication channel is part of a larger communication network (not shown). For example, the first and second communication units are two computers (e.g. two personal computers or a client-server pair), the communication network is the Internet, and the communication channel 4 is defined by the connection established between the two computers when they are connected to the Internet. As a further example, the communication network is a cellular network and each communication unit comprises a mobile terminal.

Assume that the communication unit 2 is the sender unit, which wants to send a message T to the communication unit 3 (recipient unit) through the communication channel 4. As used herein, the term message, also termed "plaintext", generally designates data in any form (text, numbers, alphanumeric data, etc.), such as Unicode data.

The communication unit 2 comprises a coding device 11, which is apt to code the message T to be transmitted using a conventional coding. The coding procedure comprises the division of the message T into one or more message blocks M. The coding device 11 is connected to an encrypting device 5, which is apt to encrypt each message block M into a respective cryptogram (encrypted message) C. Without loss of generality, each message block M is represented by an integer, and each respective cryptogram C is represented by a respective integer.

The encrypting device 5 of the communication unit 2 is connected to the transceiver module 9, which is apt to be connected to a decrypting device 8 in the communication unit 3, through the communication channel 4. Particularly, the cryptogram C created by the encrypting device 5 is transmitted to the communication unit 3, that receives it via the transceiver module 10. The latter is connected to the decrypting device 8.

The decrypting device 8 receives the cryptogram C from the transceiver module 10 and decrypts it, thereby creating one or more decrypted message blocks M', each block M' matching a respective original message block M. The message blocks M' are later decoded by a decoding device 14 connected to the decrypting device 8, which is apt to decode the one or more message blocks M', according to the conventional coding that was used by the coding block 11 of the unit 2, into a message T' that matches the original message T.

In case of bidirectional data transmission between the communication units 2 and 3, each unit 2, 3 comprises a respective encrypting device 5, 7 and a respective decrypting device 6, 8. In case of a bidirectional transmission in which the communication unit 3 is the sender unit, the encrypting device 7 of the communication unit 3 is apt to be coupled to the decrypting device 6 of the communication unit 2 through the communication channel 4.

In certain preferred embodiments, each communication unit 2, 3 comprises a respective coding device 1 1, 13 for coding the message to be transmitted, and a respective decoding device 12, 14 for decoding the received and decrypted message.

Figure 1 indicates the "reverse" flow, in which the second communication unit 3 is the sender unit that wants to send a message R to the first communication unit 2, here the recipient unit. The message R is coded by the coding device 13, sent to the encrypting device 7 which encrypts it and transmits it via the transceiver module 10 and through the communication channel 4 to the transceiver module 9 of the first communication unit 2. The encrypted message received by the transceiver module 9 is transmitted to the decrypting device 6, which decrypts it, and is later decoded by the decoding device 12, to obtain a message R' matching the original message R.

While the block diagram of Figure 1 shows the encrypting device and the decrypting device as distinct units, each unit may comprise a single encrypting/decrypting device, apt to both encrypt and decrypt a message, and implemented, for instance, by means of a software program installed in the communication unit.

The coding device of the first or of the second communication unit may be part of the encrypting device of its respective unit. The decoding device of the first or second communication unit may be part of the decrypting device of its respective unit.

The flowchart of Figure 2 represents an embodiment of the method of cryptographic processing of a message. Particularly, the chart describes a method of establishing a cryptographic communication, which comprises encrypting a message T by a first communication unit and transmitting at least one encrypted message (cryptogram) to a second communication unit. For a better understanding of the invention and without limitation thereto, particularly referring to the embodiment of Figure 1 , the communication unit 2 is designated herein as sender unit and the communication unit 3 is designated as recipient unit. The flowchart of Figure 2 is divided into two flows, the one defining the steps carried out by the sender unit, the other defining the steps carried out by the recipient unit. It shall be intended that, if the message T is transmitted in the opposite direction, the communication units 2 and 3 will exchange their sender and recipient roles without changing the flow of cryptographic communication.

Assume two users A and B who want to exchange data through a communication channel. In the example of Figure 2, the user B wants to transmit a message T to the user A from the sender unit to the recipient unit (step 100).

The user A generates a first prime integer p and a second prime integer g, the latter being referred to as a generator number, and selects an integer a forming a private key (step 101). The numbers g and p may be generated by an integer generator device, known per se, whereas the number a is selected by the user A. In one embodiment, the recipient unit comprises a prime number generator device, e.g. an algorithm contained in a commercial library or a developed library "embedded" in the cryptographic processing algorithm. For instance, the prime number generator device may be part of the encrypting device within the recipient unit or be connected thereto.

The numbers g and p, which are primes and hence coprime to each other, are different. In case of random generation of prime numbers by the recipient communication unit, such diversity may be checked in a step subsequent to the generation of the numbers g and p. In one embodiment, the method comprises: generating a prime integer p and a prime integer g; determining whether the numbers are different; if the step of determining results in g=p (i.e. diversity condition not satisfied), generating a new number g and/or generating a new number p and repeating the step of determining the diversity of g and p and the step of generating a new number p and/or a number g until the diversity of the numbers g and p is satisfied.

In a different embodiment, the recipient unit comprises a prime number generator number, which is apt to generate a first prime number (p or g) and a second prime number (g or p) other than the first prime number.

In certain preferred embodiments, p is an integer composed of at least 30 digits. Preferably, g is an integer composed of at least 7 digits. The number a is preferably an integer composed of at least 6 digits.

The following mathematical equations are expressed in modular arithmetic. From the numbers a, g and p, the user A calculates a public key A, as a modular exponential function defined as:

K _A ≡g ^fl (mod/>), (1) ^' which means that the public key of the user A is defined by a modular exponential equation, modulo p, whose exponent is the private key a of the user. For the cryptographic communication to be not easily interceptable, the public key KA is an integer other than zero and other than 1. If the condition g≠p is satisfied, then K _A is other than zero. For KA to result from the equation (1) as other than 1 , the integer a selected as a private key shall be coprime to (p- 1 ). In certain embodiments, the number a is selected to be coprime to (p-l). If this condition is not satisfied, then the cryptographic processing system may be configured to reject the number a and to notify the user A that a new number a has to be selected as a private key.

According to a preferred embodiment, the cryptographic processing method comprises, after generation of the numbers p and g and selection of the number a, and before determination of the public key K _A , a process (not shown in Figure 2) of checking that the number a is coprime to (p-l). In one embodiment, the method comprises: selecting, by the recipient unit, a first integer a as a private key; determining whether the first number a is coprime to (p-l); if the result of determining is negative, selecting a second integer as a private key, and repeating the step of determining and the step of selecting an integer until the result of determining is positive (i.e. coprimeness of a and (p-l) assessed).

The recipient unit makes the public key K _A , determined according to the equation (1), and the numbers p and g available, e.g. in the communication channel 4 (step 102). The private key is secret, which means that it is known to the user A only. In one embodiment, the user A transmits the numbers K _A ,p and g through the communication channel.

In a further embodiment (not shown), the user A and the user B agree the use of a number p and a number g before cryptographic processing of a message, particularly before establishment of a cryptographic communication.

As used herein, the numbers p and g are said to be shared by the user A and the user B.

When the user B wants to transmit the message T to the recipient unit 3 (step 100), the sender unit selects an integer b as its own secret private key, known to the user B only (step 103). The number b is preferably an integer composed of at least 6 digits. The private key b is an integer selected to satisfy the coprimeness condition relative to the number (p-l). If this condition is not satisfied, then the encrypting system may be configured to reject the number b and to notify the user B that a new number b has to be selected as a private key.

In one embodiment, the method comprises, after the step of generating the number b (step 103), a process (not shown in Figure 2) of checking coprimeness of the numbers b and (p-l) which comprises: selecting, by the sender unit, a first integer έ as a private key; determining whether the first number b is coprime to (p-l); if the result of checking is negative, selecting a second integer as a private key, and repeating the step of checking and the step of selecting an integer as a private key until the result of determining is positive (i.e. coprimeness of b and (p-l) assessed). From the generator number g and the number p made available by the user A (step 101), the user B determines a public key KB (step 104) by means of the following modular exponential equation: K _B ≡g ^b (modp). (2)

In the equation (2), the exponent number b is the private key of the user B.

For the cryptographic communication to be not easily interceptable, the public key KB must be an integer other than zero and other than 1. If g is other than p, then the public key KB is other than zero. If b is coprime to (p-1), then the public key KB is other than 1.

If coprimeness of a to (p-1) and/or of b to (p-1) and/or diversity of the numbers g and p are not assessed in the steps preceding determination of the public key K _A (step 102) and/or determination of the public key K _B (step 104), then preferably, after the steps of determining K _a and KB, the method comprises a step (not shown in Figure 2) of checking from the numbers a, p and g, that the public key KA is not zero or 1 and/or, from the numbers b, p and g, that the public key KB is not zero or 1.

In one embodiment, after the step of selecting, by the user B, an integer b as a private key, the method comprises starting a first check process for checking that the public key KB defined by the sender unit is not equal to 1 , which comprises:

i) defining a public key KB based on the numbers p, g and b;

ii) determining whether the public key KB is equal to 1 ;

iii) if the public key KB is found to be equal to 1, selecting a new integer as a private key;

iv) defining a new public key ΚΈ;

v) determining whether the new public key K'B is equal to 1 and, if the result of determining is positive, repeating the steps iii) and iv) until the public key is determined to be other than 1.

In one embodiment, the method comprises starting a second check process, after the steps of defining K _A and KB (steps 102 and 104) to check that both the first public key K _A and the second public key KB are other than zero, which comprises:

vi) determining whether at least one of the public keys KA and KB is zero;

vii) if at least one of the public keys KA and KB is determined to be zero, selecting a new integer p and/or a new integer g; viii) defining at least one new number as at least one of the public keys; ix) determining whether the at least one new public key is zero and, if it is, repeating the steps vii) and viii) until the at least one public key is found to be other than zero.

In one embodiment, after the step of selecting, by the user A, an integer a as a private key, the method further comprises starting a first check process for checking that the public key KA defined by the recipient unit is not equal to 1, which comprises:

x) defining a public key K _A based on the numbers p, g and a;

xi) determining whether the public key K _A is equal to 1 ;

xii) if the public key is determined to be equal to I , selecting a new integer as a private key;

xiii) defining a new public key ΚΆ;

xiv) determining whether the new public key ' _A is equal to 1 and, if the result of determining is positive, repeating the steps xii) and xiii) until the second public key is found to be other than 1.

Once the public key K _B has been determined, the user B makes its public key available to the user A, e.g. by transmitting it to the recipient unit 3 through the communication channel 4, after the step 104.

If the length of the message T is greater than the value of p, then the message T needs to be coded to ensure that the message T is identical to the message T' obtained by decrypting the cryptogram received by the recipient unit.

The step of coding the message T comprises dividing the message T into at least one message block ("token") M, where the at least one message block M is of a length equal to an integer k smaller than the integer p, i.e. contains data with a number k<p of bits. In certain embodiments, the coding step comprises dividing the message T into a plurality of message blocks M, in which each block has the same length k.

In one embodiment, if the total length of the data contained in the message T is not a multiple of the number p, then the coding step comprises coding the message T by means of a reversible protocol, known per se, in which a "padding", preferably random, is added to the message T such that the message T can be divided into an integer number of message blocks, preferably but not necessarily of the same length.

For example, the message to be transmitted is ASCII encoded such that each message block M is represented by a particular decimal code included in the set of decimal codes of the ASCII table. If the length of the message T is not greater than the number p, the message T can be divided into a message block M, so that T corresponds to M.

Without loss of generality, a process of encrypting a single message block M will be described below, considering that the same process is used for each message block M, if the original message T is coded into a plurality of blocks M.

In one embodiment, the step 105 precedes the step 104 or precedes the step 103.

From KA and p, the user B calculates a number x, referred to as an encryption exponent, which is determined by one of the solutions of the modular equations: {K _A ^b (mod/?)} * x≡ 1 mod (p-l). (3)

The symbol "*" in the equation indicates the product of the factors {K _A ^b (mod p)} and x. It shall be noted that the public key of the user A in the equation (3) is raised, e.g. by the encrypting device of the sender unit, to the power of the private key of the user B.

In certain cases, mainly depending on the number b selected as a private key by the user

B, the equation (3) may be unsolvable, that is it is not possible to derive the number x that satisfies the coprimeness condition between KA (mod p) and (p-l). In order to solve the equation, irrespective of the selection of b, the Applicant has understood that a parameter may be preferably introduced into the equation (3), for the equation to be always verified, for at least one solution exists. Preferably, a parameter is introduced into the equation (3), which is referred to as iteration parameter ee. In the preferred embodiments, the encryption number x is one of the solutions of the following equation:

{ [K _A ^b + e _B ] (mod p)}* x≡ 1 mod p-l), (4) where ββ is the iteration parameter valid for obtaining coprimeness of [KA ^b + QB] (mod p) and (p-l), for the equation (4) to be solvable.

The solution of the modular equation (4) are mod (p-l), which means that the congruence modulo (p-l) must be satisfied between the inverse of x and the number [A^^+ee], the latter being calculated modulo p. The step of determining the encryption exponent is referenced 106 in Figure 2. In one embodiment, the step 106 precedes the step 105.

In the preferred embodiments, the iteration parameter is an integer selected from the group of integers Z={0, ±1 , ±2, ±3, ... } . It shall be noted that e _B may be equal to zero, if {K _A ⁶ (mod p)} and (p-1) are coprime per se, in which case the equation (4) is equal to the equation

(3) . It is possible that more than one number selected from the group of integers Z solve the equation (4). In certain cases, a plurality of iteration parameters can solve the equation (4). Particularly, there may be an infinite or very large number of solutions of the equation (4). The encrypting device may be configured to search for the smallest number x that satisfies the equation (4), i.e. the smallest integer multiple of (p-l) that is equal to the difference between the product {[KA* + eeKmod p)}*x and 1.

Preferably, the method of establishing a cryptographic communication comprises an iteration process that ends as the condition [K _A ^b + ββ] (mod p) coprime to (p-l) is satisfied.

In one embodiment, the method comprises: selecting a first integer ee as an iteration parameter; checking the coprimeness condition of {[K _A ^b + ee](mod p)} to (p-l ); if the result of checking is negative (i.e. the coprimeness condition is not satisfied), selecting a second integer Q as an iteration parameter; checking that the second integer satisfies the equation

(4) ; repeating the step of selecting an integer as an iteration parameter and checking the coprimeness condition until the step of checking is positive, and hence the equation (4) is solvable.

In a further embodiment, the method comprises: selecting a first integer ee as an iteration parameter; checking that the equation (4) can be solved for the first integer e _B ; if the step of checking is negative, selecting a second integer ee as an iteration parameter, and repeating the step of selecting an integer as an iteration and check parameter until the equation (4) becomes solvable.

In one embodiment, the integers other than zero are selected in numerical sequence, e.g. a numerical sequence of numbers equal to zero or positive numbers {0, 1, 2, 3, ... } .

According to a further embodiment, the method comprises random selection of a first parameter ee from a subset of the set of integers. The subset is preferably sufficiently large. For instance, assuming that N is the number of message blocks M into which the message T is divided, such set is given by the numerical range (1 , N* 10). In this embodiment, the method comprises: defining a subset of integers; selecting a first number as an iteration parameter from the subset; checking that the first number satisfies the equation (4); if the result of checking is negative, selecting a second number as an iteration parameter from the subset in a random fashion or from the first parameter. For instance, the second number is selected such that e B=eB+l . The method also comprises repeating the step of checking, and if the result of checking is negative, repeating the step of selecting a number as an iteration parameter and the step of checking until the step of checking provides a positive result, i.e. the equation (4) is solvable. For instance, at each iteration, the selection step comprises selecting a new parameter by increasing the number selected in the previous step by one, i.e. e B=eB+ ·

For example, if the original message T was divided, during coding, into 100 messages M, the encryption exponent number x will be determined by selecting a random integer as an iteration parameter from a subset of integers in the range (1 , 1000), for instance, by random selection using an algorithm for pseudo-random selection in the determined range.

For example, assume that the number randomly selected as a first iteration parameter is 134 and the equation (4) is not verified with such number. Then, the selected number is increased by one unit, whereby an iteration parameter of 135 will be used for the next iteration, and so on until an integer is found as an iteration parameter, that can satisfy the equation (4). This process may be preferred in certain embodiments, as it helps to increase the randomness of the cryptogram.

In one embodiment, the message T is divided into a plurality of message blocks M and for each block M the equation (4) is solved by random selection of the parameter from a subset of the set of the integers and by implementation of a step of checking that the selected parameter solves the equation (4). This will create an independence of the blocks of the plurality of message blocks. For example, encryption of a first message block Ml will provide a cryptogram C and encryption of a second message block M2, where Ml is equal to M2, provides a cryptogram C other than the cryptogram C for the message Ml .

Once the encryption exponent x has been determined by the equation (4), the user B calculates the cryptogram ("ciphertext") C that forms the encrypted message based on the equation (step 107): C≡ M ^x (mod p) (5)

The cryptogram C is congruent modulo p to the message M raised to the discrete power x. In other words, the number x is the discrete logarithm modulo p of the number C in base M. It shall be noted that the modular equations (1), (4) and (5) that lead to the definition of the cryptogram C are all injective ("one way") functions, where the inverse of each equation is "impossible" to be calculated without knowing the exponent. In other words, no algorithm is currently known that can determine in a reasonable time the number b and then derive {K _A ^b (mod p)} and hence the number x, although p, g and KA may be publicly known, as they are for users A and B.

Then (step 108), the cryptogram C is transmitted to the recipient unit, possibly with the public key KB and the parameter e _B , if the latter have not been already made available to the user B after the step 104. The transmission of the cryptogram C from the user B (sender unit 2) to the user A (recipient unit 3) is defined by the broken arrow 109.

Once the cryptogram C, the public key KB and the iteration parameter e _B have been received, the user A uses K _B and e _B to determine a number M' (step 1 10) by the following equation, which is the inverse of the equation (5): M'≡ C ^y (mod p) (6) where y is the decryption exponent number equal to {[KB* + e _B ] (mod p)}, i.e. given by y={ [K _B ^A + e _B ] (mod p)} . (7)

The public key of the user B in the equation (6) is raised, e.g. by the decrypting device of the recipient unit, to the power of the private key of the user A. Thus, the received cryptogram, represented by the number C, is decrypted into a message block M' that matches the original message block M.

Since the public keys are generated by modular exponential equations using the Diffie- Hellman key exchange protocol, i.e. equations (1) and (2), then K ³ (mod ?)=K _B ^A (mod p) and also

[K _A * + e _B ] (mod p)=[K _B ^a + e _B ](mod p) (8) is verified for e _B ≠0. Therefore, the correspondence between M and M' is verified.

The message T' is reconstructed (step 1 12) by decoding the one or more message blocks M' (step 1 11), each obtained by decrypting a respective cryptogram C by the equation (6), the decoding step comprising recomposing the one or more message blocks M' thereby obtaining a message T ¹ that matches the message T.

If the coding step comprises dividing the message T into a plurality of message blocks M, in one embodiment the method comprises, after the decryption step (equation (6)), repeating the previous encryption and decryption steps to obtain a plurality of message blocks Μ', each message block M' matching a message block M of the plurality of message blocks, and decoding the plurality of message blocks M', where decoding comprises recomposing the plurality of message blocks M', thereby obtaining a message T' matching the message T.

If the step of coding the message T comprises the application of a reversible protocol in which a "padding" has been added, the decoding step comprises applying the inverse of the protocol applied during coding, where the "padding" is removed, and then the message T' is recomposed by reassembling the one or more messages '.

Example

A numerical example is described below of a cryptographic communication established between the sender unit 2 and the recipient unit 3 according to the present invention. The recipient unit 3 uses a prime number p=19\9 and a generator unit g=7. The recipient unit 3 selects a private key a having six digits, and particularly a= 123456.

According to the equation (1), the parameter KA is given by:

K _A ≡ 7 ¹²³⁴⁵⁶ (mod 7919) = 7036,

The recipient unit 3 makes the triple of numbers (p, K _A , g) = (7919, 7036, 7) available to the sender unit 2, i.e. shares them with the sender unit.

The sender unit 2 wants to transmit a message T which has, after coding, a message block M=88 matching therewith. The sender unit 2 generates a six-digit private key b, particularly 6=543210, and calculates the public key KB by the equation (2):

K _B ≡ 7 ⁵⁴³²¹⁰ (mod 7919) = 4997

The sender unit 2 calculates the parameter x by the equation:

{ [ 7036 ⁵⁴³²¹⁰ + e _B ] (mod 7919)} * x≡ 1 mod (7919 - 1), where e _B = 1 is the smallest integer that verifies the equation (4).

Thus, the sender unit determines x = 3009. Using the equation (5), the sender unit 2 calculates the cryptogram C: C≡ 88 ³⁰⁰⁹ mod 7919 = 2760

The sender unit 2 transmits the triple of numbers (C, KB, CB) = (2760, 4997, 1) to the recipient unit 3.

Once the recipient unit 3 has received the triple (C, K _B , ea), it decrypts the cryptogram C and determines the message block M', by the equation (6):

M'≡ 2760 ^Λ {[ 4997 ¹²³⁴⁵⁶ + 1 ](mod 7919)} (mod 7919),

wherefrom M -88, which value matches the original message block M transmitted by the sender unit. In a different embodiment, the user B uses a procedure for selecting as described above, from an integer randomly selected from a subset of the set of integers. Since the text to be encrypted is coded, in this example, into a single block (T=M), the number of messages N is equal to 1 and ee is randomly selected from the range (1, 10). Assuming that e _B is selected as being equal to 6, the equation (4) is not verified. Then, the number randomly selected from the given range is increased by one, and the check process is repeated using e _B =7. With ee-7 the equation (4) is verified, which means that satisfies the coprimeness condition, whereby x = 5575.

With the sender unit determines x = 5575. Using the equation (5), the sender unit 2 calculates the cryptogram C. C≡ 88 ⁵⁵⁷⁵ mod 7919 = 2195

The sender unit 2 transmits the triple of numbers (C, KB, = (2195, 4997, 7) to the recipient unit 3.

Once the recipient unit 3 has received the triple (C, KB, es), it decrypts the received cryptogram C and determines the message block M':

M'≡2195 ^A { [ 4997 ¹²³⁴⁵⁶ + 7 ](mod 7919)} (mod 7919),

from this equation M -88, which value matches the original message block M transmitted by the sender unit.

In one of its main aspects, the method and system of the present invention allows implementation of a method that uses modular exponential equations for encryption and decryption of a message, and that ensures high communication security, as any decryption of the messages by an opponent requires the solution of discrete logarithms and not, as in the RSA method the factorization of large prime numbers. The security of a cryptographic communication established by a RSA method is based on a public key obtained by multiplying two secrete prime numbers having a very large number of digits. Conversely, the security of a cryptographic communication established according to the method and system of the present invention is based on an encryption key, i.e. the encryption exponent, which is the solution of a modular equation determined by the public key of the recipient unit raised to the private key of the sender unit, which public key of the recipient unit has been in turn obtained, in the preferred embodiments, using a modular exponential equation having the private key of the recipient unit as an exponent. Therefore, the encryption equation (equation (5)) comprises both the private key of the sender unit and the private key of the recipient unit, as exponents of the modular equation. According to certain aspects of the present invention, the method is based on raising numbers to a power in modular arithmetic, and hence on the discrete logarithm problem, which is currently unsolvable by computational means.

The foregoing description relates to cryptographic processing of a message by a first communication unit, to be transmitted to a second communication unit, with a main purpose of not allowing a third communication unit that intercepts the communication to derive the message content. Therefore, according to one of the characteristics of the present solution, the message contents remains "secret" as it can be only decrypted by the message receiving unit.

The Applicant has understood that the method and system of the present invention may be used for digitally signing a message sent from a sender unit to a recipient unit. The message to be signed by a digital signature is not necessarily a confidential message between two users.

According to some embodiments, the cryptogram C defined by the equation (5) is the digital signature of at least one message block M. According to the equation (9), the digital signature is congruent modulo p to the message block M raised to the discrete power x, where x is given by the equation (4). The recipient unit makes the public key K _A , determined according to the equation (1), and the numbers p and g available, e.g. in a communication channel. The private key a is known to the user A only.

When the user B wants to transmit the digitally signed message T to the recipient unit, the user B selects (or has already selected) an integer b as its own private key and calculates the public key KB by the equation (2). The sender units signs the block M with the parameters received by the recipient unit.

The user A (recipient unit) receives the cryptogram C and decrypts it using the public key KB of the sender unit by the equation (6), where y is given by the equation (7), to obtain a message block M' matching the original message block M.

Thus, the message T is reconstructed by the recipient unit, which can thus accept the signature as valid. Therefore, the recipient unit can check the identity of the user B and hence the authenticity of the message.

In one embodiment, the recipient unit transmits the parameters K _A and the numbers p and g to the sender unit, for the sender unit to use them both for encrypting a first message that has to remain undecryptable by users other from the sender and recipient units and for signing a second message, whose contents are not necessarily secret. According to this embodiment, the sender unit may sign a message without requiring parameters to be known from the recipient unit in addition to those required for encryption of a confidential message, and the recipient unit may readily check the authenticity of the message without asking for additional parameters to the sender unit.

In some embodiments of the present invention, the at least one message block M is the hash value of a message R, obtained by applying a cryptographic hash function to the message R, i.e. M=h(R), the cryptographic function h being known per se. A method of cryptographic processing of a hash value of a message may be advantageous in some embodiments, e.g. if the message R to be sent is a large-size document. In one embodiment, the hash value is of a length equal to an integer k smaller than the integer p, and hence the message T to be cryptographically processed corresponds to M (i.e. T is coded into a single message block).

The cryptographic hash function is preferably selected to minimize the probability that the same hash value can be obtained from different "plaintexts", and that it cannot be reversed, i.e. that the original message cannot be retrieved from the hash value. For example, the cryptographic hash function is the Message Digest algorithm 5 (MD5) or a Secure Hash Algorithm (SHA) published by the National Institute of Standards and Technology (NIST).

In the embodiments in which the at least one message block M is a hash value of a message R (M=h(R)), the R message may be public. A cryptogram C (i.e. the digital signature) of the hash value M is thus generated, by the equation (5), and is sent to the user A. Preferably, the user B and the user A share the cryptographic hash function used to generate the message M.

In one embodiment, the digital signature C of the hash value M is attached to the message R sent by the user A, e.g. by adding the string generated by the encryption of M, i.e. the cryptogram C, to the bottom of the message. The user A receives the public key KB with the message R or has previously received it by the user B, and decrypts C by the equation (6) thereby obtaining a hash value M'. Upon receipt of M', the user A applies the cryptographic hash function to the received message R, if the latter has been transmitted in clear form. If the value h(R) so obtained is equal to M', the authenticity and integrity of the message R will be verified.