Secure data communication systems are used to transfer information between a pair of correspondents. At least part of the information that is exchanged is encoded (enciphered) by a predetermined mathematical operation by the sender. The recipient may then perform a complimentary mathematical operation to unencode (decipher) the information. The enciphering and deciphering of information is normally performed utilizing a cryptographic key determined by the particular graphic scheme implemented between the correspondents. Consequently, there are certain parameters that must be known beforehand between the correspondents. For example, in public key or symmetric key systems, various schemes and protocols have been devised to validate the sender's public key, the identity of the sender and such like.
In all of these schemes, it is assumed that the cryptographic keys, be it the private key, the public key or the symmetric key, is derived and valid as specified in the protocol scheme. Problems, however, will arise if these parameters are either bogus or defective in some way.
Digital signature methods have been derived to prove to a id part that a message was signed by the actual originator. Practical public key signature schemes are based on the difficulty of solving certain mathematical problems to make alteration or forgery by unauthorized parties difficult. Most of the proposed schemes have been based either on the problem of factoring large integers or in the difficulty of computing discrete logarithms over finite fields (or over finite grog in general). For example, the RSA system depends on the difficulty of factoring large integers.
A digital signature of a message is a number which is dependent on some secret known only to the signor, and additionally, on the content of the message being signed. Signatures must be verifiable. If a dispute arises as to whether a party signed (caused by either a signor trying to repudiate a signature it did ate or a fraudulent claimant), an unbiased third party should be able to resolve the matter equitably without requiring access to the signor's secret information, i.e., private key.
The ElGamal signature scheme is a randomized signatures mechanism. In order to generate keys for the ElGamal signature scheme, each entity creates a public key and corresponding private key. Thus, each entity generates a large random prime p and a generator .alpha. of the multiplicative group Z*.sub.p. Next, the entities select a random integer a such that 1.ltoreq..alpha..ltoreq.p-2 and computes the value y=.alpha..sup.3 modp. Thus, for example, entity A's public key is (y) along with the system parameters p and .alpha., while A's private key is .alpha..
The security of the above system is generally based on the difficulty of the discrete log problem. The RSA cryptosystem uses a modulus of the form n=pq where p and q are distinct odd primes. The primes p and q must be of sufficient size that factorization of the product is beyond computational reach. Moreover, there should be random primes in the sense that they are chosen as a function of a random input through a process defining a pool of candidates of sufficient cardinality that an exhaustive attack is infeasible. In practice, the resulting primes must also be of a predetermined bit length to meet systems specifications. Without these constraints on the selection of the primes p and q, the RSA system is vulnerable to a so-called "first person attack".
In elliptic curve cryptosystems, the elliptic curve private key is a statistically unique and unpredictable value selected between 1 and n-1 where n is the prime order of G, the generating point of the large subgroup specified by the associated EC domain parameters.
In a possible "first person attack", entity A the attacker, creates a private key that is weak and uses it to obtain services and such like. Later, the dishonest entity repudiates or disavows its private key as being weak and then claims that it did not request these services. That is, party A alleges it inadvertently used a weak private key resulting in a public key that was easily attacked, allowing a third party to derive its private key and thus, was able to impersonate the original entity A For example, where the key is generated using a seeded hash to produce a 161 bit private EC key by generating 2.sup.64, party A may select the one (expected) key with a high order 64 bits of 0s. The first party goes to a judge with a repudiation request and points out that an adversary could attack remaining 97 bits in feasible time. He therefore repudiates his key as it has already been shown that 97 bit keys can be broken. Clearly, in high security applications, it is desirable to avoid the fit person attack.
One way to address this possible concern about first party repudiation is simply to deny all fat party repudiation requests. However, this may result in a problem if a key is generated that actually is weak. What is needed is the ability of the owner to be assured that his particular private key is not weak. In some applications it may not be sufficient to claim that generation of weak key pairs is statistically improbable. The owner wants to be assured that his specific key has no properties that might make it weak, as no matter what value it might be, he is not able to later repudiate it.
The cryptographic strength of the key depends to a large extent on the random distribution of bits in the binary representation used as the key. Thus, although the key may be generated by a pseudorandom number generator and is therefore random, it may be weak if the digits are distributed in a recognizable pattern or grouped to provide a shorter key.
Thus, it is desirable to implement an ECC ElGamal type scheme in which the probability of private key repudiation is minimized.