
EP-4742591-A1 - COMPUTER-IMPLEMENTED METHOD FOR GENERATING A DIGITAL SIGNATURE FOR A MESSAGE IN A PRIVATE-KEY AND PUBLIC-KEY CRYPTOGRAPHIC ARCHITECTURE, ENABLING PRIVATE-KEY RECOVERY AND A METHOD FOR PRIVATE-KEY RECOVERY


Abstract

The subject of the application is a computer-implemented method for generating a digital signature for a message ($M$) in a private-key and public-key cryptographic architecture, enabling recovery of the private key for the message ($M$) based on the message ($M$), using two pairs of cryptographic keys, wherein the first key pair comprises a first private key ($x_A$) and a first public key ($y_A$), and the second key pair comprises a second private key ($x_B$) and a second public key ($y_B$), a signature for the message ($M$) is generated in steps in which: a first auxiliary value ($d$) is generated such that $d \leftarrow y_B^{x_A}$, a second auxiliary value ($k$) is generated such that $k \leftarrow \mathrm{hash}(d \parallel M)$, a third auxiliary value ($r$) is generated such that $r \leftarrow g^{k}$, a hash function value ($e$) is generated for the message ($M$) and the third auxiliary value ($r$) such that $e \leftarrow \mathrm{hash}(M \parallel r)$, a signature ($s$) is generated for the message ($M$) such that $s \leftarrow k - x_A \cdot e \bmod q$, the message ($M$) is linked with the signature ($s$) and the hash function value ($e$). The subject of the application also relates to a computer-implemented method for recovering the private key ($x_A$) from a message ($M$).

Inventors

  • KUTYLOWSKI, Miroslaw

Assignees

  • Naukowa I Akademicka Siec Komputerowa Panstwowy Instytut Badawczy

Dates

Publication Date
20260513
Application Date
20250924

Claims (8)

  1. A computer-implemented method for generating a digital signature for a message ($M$) in a private-key and public-key cryptographic architecture, which enables recovery of private key on the basis of the message ($M$), using two pairs of cryptographic keys, wherein the first key pair comprises a first private key ($x_A$) and a first public key ($y_A$), and a second key pair comprises a second private key ($x_B$) and a second public key ($y_B$), characterised in that a signature for the message ($M$) is generated in the steps, in which: a first auxiliary value ($d$) is generated such that $d \leftarrow y_B^{x_A}$; a second auxiliary value ($k$) is generated such that $k \leftarrow \mathrm{hash}(d \parallel M)$; a third auxiliary value ($r$) is generated such that $r \leftarrow g^{k}$; a hash function value ($e$) is generated for the message ($M$) and the third auxiliary value ($r$) such that $e \leftarrow \mathrm{hash}(M \parallel r)$; a signature ($s$) is generated for the message ($M$) such that $s \leftarrow k - x_A \cdot e \bmod q$; the message ($M$) is linked with the signature ($s$) and the hash function value ($e$).
  2. The method according to claim 1, characterised in that the first key pair comprising the first private key ($x_A$) and the first public key ($y_A$), and the second public key ($y_B$), is stored on a first medium ($A$), and at least the second private key ($x_B$) is stored on a second medium ($B$).
  3. A computer program comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method according to any one of claims 1 or 2.
  4. A computer-readable medium comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method according to any of claims 1 or 2.
  5. A computer-implemented method for recovering a private key ($x_A$) from a message ($M$) associated with a signature ($s$) and a value ($e$), signed using the method according to any one of claims 1 or 2, characterised in that, using a first public key ($y_A$) and a second key pair comprising a second private key ($x_B$) and a second public key ($y_B$): a first auxiliary value ($d$) is generated such that $d \leftarrow y_A^{x_B}$; a second auxiliary value ($k$) is generated such that $k \leftarrow \mathrm{hash}(d \parallel M)$; a third auxiliary value ($r$) is generated such that $r \leftarrow g^{k}$; a recomputed value ($\hat{r}$) of the third auxiliary value ($r$) is generated such that $\hat{r} \leftarrow g^{s} \cdot y_A^{e}$; a recomputed value ($\hat{e}$) of the hash function value ($e$) for the message ($M$) and the recomputed values ($\hat{r}$) of third auxiliary value ($r$), is generated such that $\hat{e} \leftarrow \mathrm{hash}(M \parallel \hat{r})$; if the recomputed ($\hat{e}$) hash function value ($e$) is equal to the hash function value ($e$) itself and the recomputed ($\hat{r}$) third auxiliary value ($r$) is equal to the third auxiliary value ($r$) itself, the private key ($x_A$) is recovered such that $x_A \leftarrow (k - s) \cdot e^{-1} \bmod q$.
  6. The method according to claim 6, characterised in that the first public key ($y_A$) and the second private key ($x_B$) are retrieved from the second medium ($B$).
  7. A computer program comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method according to any one of claims 5 or 6.
  8. A computer-readable medium comprising instructions which, when executed by a computer, cause the computer to perform the steps of the method according to any one of claims 5 or 6.
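
The signing steps of claim 1 and the recovery steps of claim 5, as an added Python example that is not code from the application. The toy group parameters, the key values, the function names, and the use of SHA-256 over length-prefixed inputs in place of hash(· ∥ ·) are assumptions made for illustration.

```python
import hashlib

# Constructed toy group, far too small for real use: p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Assumed hash: SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def public_key(x):
    return pow(G, x, P)

def sign(msg, x_a, y_b):
    """Claim 1: the nonce k is derived from the shared value d = y_B^x_A."""
    d = pow(y_b, x_a, P)
    k = H(d, msg) % Q
    r = pow(G, k, P)
    e = H(msg, r)
    s = (k - x_a * e) % Q
    return s, e

def recover(msg, s, e, y_a, x_b):
    """Claim 5: rebuild k from d = y_A^x_B, check (s, e), then solve for x_A."""
    d = pow(y_a, x_b, P)                      # equals y_B^x_A used by the signer
    k = H(d, msg) % Q
    r = pow(G, k, P)
    r_hat = (pow(G, s, P) * pow(y_a, e, P)) % P
    e_hat = H(msg, r_hat)
    if e_hat != e or r_hat != r or e % Q == 0:
        return None  # wrong message, signature or keys, or e not invertible mod q
    return ((k - s) * pow(e, -1, Q)) % Q

if __name__ == "__main__":
    x_a, x_b = 777, 345                       # constructed private keys
    y_a, y_b = public_key(x_a), public_key(x_b)
    s, e = sign(b"constructed message", x_a, y_b)
    print(recover(b"constructed message", s, e, y_a, x_b) == x_a)
```

Recovery needs only $y_A$, $x_B$ and one signed message, so the medium holding $x_B$ warrants the same protection as the one holding $x_A$.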

Description

The invention relates to a computer-implemented method for generating a digital signature for a message in a private-key and public-key cryptographic architecture, enabling private-key recovery, and to a method for recovering the private key. The invention is applicable in the field of computer technology, in particular in cryptography and secure devices for generating digital signatures.

The prior art discloses attempts to introduce methods for recovering a private key used in a cryptographic architecture, particularly in the context of blockchain networks. However, traditional approaches introduce significant vulnerabilities into the private-key and public-key architecture, rendering them susceptible to attacks aimed at impersonating the signing entity.

Application CN 113965324A discloses a method for recovering a private key and a system for performing a modular reduction attack based on the RSA-CRT scheme. The method comprises the following steps: performing multidimensional modelling of the normal distribution of the power trace of a modular reduction operation of a training device based on the Hamming weight model, and obtaining a template corresponding to the intermediate value, byte by byte, after modular reduction. Next, by using a matching scheme to select the encrypted text, an intermediate value r of the modular reduction operation of the RSA algorithm is obtained, and the private key p used by the RSA algorithm is recovered via the intermediate value r. The public key n is then decomposed to obtain the private key q, thereby recovering the private keys p and q of the RSA algorithm. The modelling is based on the Hamming weight model of the intermediate value after modular reduction, and the pattern matching is performed by collecting and selecting the power trace of the modular reduction of the ciphertext to obtain the Hamming weight of the intermediate value after modular reduction.

US11743041B2 discloses private-key recovery performed by a processor of a key-recovery computing system. The key-recovery computing system is configured to provide the original private key. The original private key is associated with the storage location of a resource implemented on a blockchain. The key-recovery computer system is configured to receive additional recovery information provided by a user via the user's computing device. The recovery source is generated at least based on a subset of the additional recovery information, wherein the recovery source is irreversible. The original private key and the recovery key are stored in association with the additional recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the following: the original private key and the recovery key, using a universal 2nd factor (U2F) device.

KR20210059525A discloses a system for utilising and recovering a private key based on blockchain multi-signature. The private-key utilisation and recovery system comprises: a user terminal acting as a blockchain network node and generating a first, second, and third private key; a multi-signature server for handling multi-signature transactions; a private-key recovery server for recovering users' private keys; and an identity-verification authentication server for confirming and authenticating the user's identity. The multi-signature server receives and stores the second private key, and the identity-verification authentication server generates a DI identifier based on an identity-verification authentication request received from the user terminal and transmits it to the user terminal. The private-key recovery server receives and stores encrypted DI data and encrypted data of the third private key from the user terminal, and subsequently decrypts and provides the encrypted data in accordance with the private-key recovery request of the user terminal.

A problem encountered in the prior art in the field of cryptography using a private-key and public-key architecture is the inability to recover the private key in the event of loss of access to the private-key medium due to its destruction, damage, or misplacement.

The subject matter of the application is defined in claims 1 and 5. The invention relates to a computer-implemented method for generating a digital signature for a message in a private-key and public-key cryptographic architecture, enabling recovery of the private key based on the message and utilising two pairs of cryptographic keys, wherein the first key pair comprises a first private key $x_A$ and a first public key $y_A$, and the second key pair comprises a second private key $x_B$ and a second public key $y_B$, a signature for the message is generated in steps in which: a first auxiliary value is generated such that $d \leftarrow y_B^{x_A}$, a second auxiliary value is generated such that $k \leftarrow \mathrm{hash}(d \parallel M \parallel T)$, a third auxiliary value is generated such that $r \leftarrow g^{k}$, a hash function value is generated for the message and the third auxiliary value such th