One of the functions performed by a cryptosystem is the computation of digital signatures that are used to confirm that a particular party has originated a message and that the contents have not been altered during transmission. A widely used set of signature protocols utilizes the E1Gamal public key signature scheme that signs a message with the sender's private key. The recipient may then recover the message with the sender's public key. The E1Gamal scheme gets its security from calculating discrete logarithms in a finite field. Furthermore, the E1Gamal-type signatures work in any group and in particular elliptic curve groups. For example given the elliptic curve group E(F.sub.q) then for .epsilon.E(F.sub.q) and Q=aP the discrete logarithm problem reduces to finding the integer a. Thus these cryptosystems can be computationally intensive.
Various protocols exist for implementing such a scheme. For example, a digital signature algorithm DSA is a variant of the E1Gamal scheme. In these schemes, a pair of correspondent entities A and B each create a public key and a corresponding private key. The entity A signs a message m of arbitrary length. The entity B can verify this signature by using A's public key. In each case however, both the sender, entity A, and the recipient, entity B, are required to perform a computationally intensive operations to generate and verify the signature respectively. Where either party has adequate computing power this does not present a particular problem but where one or both the parties have limited computing power, such as in a `smart card` application, the computations may introduce delays in the signature and verification process.
Public key schemes may be implemented using one of a number of multiplicative groups in which the discrete log problem appears intractable, but a particularly robust implementation is that utilizing the characteristics of points on an elliptic curve over a finite field. This implementation has the advantage that the requisite security can be obtained with relatively small orders of field compared with, for example, implementations in Z.sub.p * and therefore reduces the bandwidth required for communicating the signatures.
In a typical implementation of such a digital signature algorithm such as the Elliptic Curve Digital Signature Algorithm (ECDSA) a signature component s has the form: EQU s=k.sup.-1 (e+dr)modn
where:
d is a long term private key random integer of the signor; PA1 Q is a public key of the signor derived by computing the point Q=dP; PA1 P is a point (x, y) on the curve which is a predefined parameter of the system; PA1 k is a random integer selected as a short term private or session key, and has a corresponding short term public key R=kP; PA1 e is a secure hash, such as the SHA-1 hash function of a message; and PA1 n is the order of the curve. PA1 in a secure computer system: PA1 a secure boundary containing; PA1 a first short term private key generator; PA1 a second short term private key generator; PA1 a first signature component generator using at least the second short term session key. The processor operates to PA1 generate a masked signature component using the first and second short term session keys to produce masked signature components of the message m.
In this scheme the signor represents the x coordinate of the point kP as an integer z and then calculates a first signature component r=z mod n. Next, the second signature component s above is calculated. The signature components s and r and a message M is then transmitted to the recipient. In order for the recipient to verify the signature (r,s) on M, the recipient looks up the public key Q of the signor. A hash e' of the message M is calculated using a hash function H such that e'=H(M). A value c=S.sup.-1 mod n is also calculated. Next, integer values u.sub.1 and u.sub.2 are calculated such that u.sub.1 =e'c mod n and u.sub.2 =rc mod n. In order that the signature be verified, the value u.sub.1 P+u.sub.2 Q must be calculated. Since P is known and is a system wide parameter, the value u.sub.1 P may be computed quickly. The point R=u.sub.1 P+u.sub.2 Q is computed. The field element x of the point R=(x.sub.1,y) is converted to an integer z, and a value v=z mod n is computed. If v=r, then the signature is valid.
Other protocols, such as the MQV protocols also require similar computations when implemented over elliptic curves which may result in slow signature and verification when the computing power is limited. The complexity of the calculations may be explained by observing a form of the elliptic curve. Generally, the underlying elliptic curve has the form y.sup.2 +xy=x.sup.3 +ax+b and the addition of two points having coordinates (x.sub.1,y.sub.1) and (x.sub.2,y.sub.2) results in a point (x.sub.3,y.sub.3) where: ##EQU1##
The doubling of a point i.e. P to 2P, is performed by adding the point to itself so that ##EQU2##
It may be seen in the above example of the ECDSA algorithm that the calculation of the second signature component involves at least the computation of an inverse. Modulo a number the generation of each of the doubled points requires the computation of both the x and y coordinates and the latter requires a further inversion. These steps are computationally complex and therefore require either significant time or computing power to perform. Inversion is computationally intensive, and generally performed within a secure boundary where computational power is limited thus it would be advantageous to perform such calculations outside the secure boundary, particularly where computational power is more readily available. This however cannot be done directly on the ECDSA signature scheme without potentially compromising the private key information. Therefore there exists a need for a method of performing at least part of a signature operation outside a secure boundary while still maintaining an existing level of security in current signature schemes.