Methods of authentication by password are based on the use of an algorithm of the EKE type. This type of algorithm is illustrated in FIG. 1.
A device D 10 wishes to be authenticated on the basis of a password π at a controller C 11. Each of these entities knows the password π. Moreover, let us consider an elliptic curve $E_{a,b}$, and a generator G of the set of points on the elliptic curve, as public parameters. The elliptic curve satisfies the following equation:
$$E_{a,b}(x,y): x^3 + ax + b = y^2 \qquad (1)$$
At a step 12, the device D 10 generates a random number $r_1$. Then, it transmits this random number in the form of a point on the elliptic curve to the controller 11. For this purpose, it determines a value V to be transmitted satisfying:
$$V = r_1 \cdot G$$
This result is then encrypted with the password in the form $E_\pi(r_1 \cdot G)$, $E_\pi$ being an encryption function by password.
Then, the device sends a message 13 to the controller stating the value $E_\pi(r_1 \cdot G)$.
On receiving the message 13, in its turn the controller 11 generates a random value $r_2$ at a step 14. Then it transmits this value in the form of a point on the elliptic curve, and transmits a message 15 to the device 10 stating the result:
$$E_\pi(r_2 \cdot G)$$
Following this exchange of random values $r_1$ and $r_2$ in encrypted form, the device 10 recovers at a step 16 the random value $r_2$ generated by the controller by deciphering, using a decryption function with password $D_\pi$, the information contained in the message 15:
$$r_2 \cdot G = D_\pi(E_\pi(r_2 \cdot G))$$
and the controller 11 recovers at a step 17 the random value $r_1$ generated by the device 10 by deciphering the information contained in the message 13:
$$r_1 \cdot G = D_\pi(E_\pi(r_1 \cdot G))$$
Thus, following a protected exchange, each entity is able to calculate a common key K:
$$K = r_1 \cdot r_2 \cdot G$$
This type of algorithm aims to exchange values in a form encrypted with a password or a key derived from a password. However, it should be noted that according to a classical representation of an elliptic curve satisfying equation (1) on a finite field $F_q$, the exchanges described with reference to FIG. 1 can allow a potential attacker to deduce information relating to the password π. In fact, exchanging random values in an encrypted form as described above, via the two messages 13 and 15, supplies a redundancy of information which may allow the secret of the password to be broken. More precisely, each time he listens in on an exchange, an attacker could test a password to decipher the information exchanged in messages 13 and 15. He is then presented with two cases. In the first case, the decrypted information corresponds to a point on the curve and accordingly the password is correct. In the second case, the decrypted information does not correspond to a point on the elliptic curve and the password is not discovered. By multiplying the eavesdropped exchanges and the separate passwords tested, it is thus possible to find the password, which belongs to a finite set of elements.
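The redundancy described above can be reproduced on a toy curve. The following is an added example, not taken from the original document: the curve parameters, the base point, the passwords and the masking cipher standing in for $E_\pi$ and $D_\pi$ are all constructed assumptions. It shows that testing whether a decryption satisfies equation (1) separates the candidate passwords.

```python
import hashlib, secrets
P, A, B = 10007, 3, 7   # toy curve y^2 = x^3 + 3x + 7 over F_10007 (constructed, insecure size)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0   # equation (1) modulo P

def add(p1, p2):   # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):    # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def base_point():  # first point found on the toy curve, standing in for the generator G
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)        # square root, valid because P % 4 == 3
        if y and y * y % P == rhs:
            return (x, y)
G = base_point()

def mask(password, i):   # password-derived mask for coordinate i (assumed construction)
    return int.from_bytes(hashlib.sha256(f"{password}|{i}".encode()).digest(), "big") % P

def E(password, pt):     # toy stand-in for E_pi: mask each coordinate modulo P
    return tuple((c + mask(password, i)) % P for i, c in enumerate(pt))
def D(password, ct):     # toy stand-in for D_pi
    return tuple((c - mask(password, i)) % P for i, c in enumerate(ct))

def eke_message(password):
    """One observed message E_pi(r.G) for a fresh random r (falls back to G at infinity)."""
    pt = mul(secrets.randbelow(P - 1) + 1, G) or G
    return E(password, pt)

def surviving(candidates, ciphertexts):
    """Candidates for which every observed message decrypts to a point satisfying (1)."""
    return [pw for pw in candidates if all(on_curve(D(pw, c)) for c in ciphertexts)]
```

Here the real password always passes the curve test, while a wrong candidate passes a given message only by chance, so a protocol of this type must ensure that what $E_\pi$ encrypts cannot be tested for validity.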
The present invention aims to improve the situation.