AU737037B2

AU737037B2 - Auto-recoverable auto-certifiable cryptosystems

Info

Publication number: AU737037B2
Application number: AU86564/98A
Authority: AU
Inventors: Adam Lucas Young; Marcel Mordechay Yung
Original assignee: Individual
Current assignee: Individual
Priority date: 1997-05-28
Filing date: 1998-05-21
Publication date: 2001-08-09
Anticipated expiration: 2018-05-21
Also published as: CN1241353C; CZ9904106A3; JP2002500842A; CA2290952A1; IL132961A0; PL338018A1; NO995811L; NO995811D0; CN1262007A; AU8656498A; NZ501273A; EP0997017A2; KR20010013155A; BR9809664A; WO1998054864A3; WO1998054864A2

Description

WO 98/54864 PCT/US98/10392 AUTO-RECOVERABLE AUTO-CERTIFIABLE CRYPTOSYSTEMS Background-Field of Invention The field of this invention is cryptography. This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities like law-enforcement bodies, government bodies, users, and organizations, can when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software, but is also applicable to cryptosystems implemented in hardware.

Background-Description of Prior Art Public Key Cryptosystems (PKC's) allow secure communications between two parties who have never met before.

The notion of a PKC was put forth in Diffie, M.

Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22, pages 644-654, 1976).

This communication can take place over an insecure channel.

In a PKC, each user possesses a public key E and a private key D. E is made publicly available by a key distribution center, also called certification authority after the registration authority verifies the authenticity of the user (its identification, etc.). The registration authority is part of the certification authority. D is kept private by the user. E is used to encrypt messages, and only D can be used to decrypt messages. It is computationally impossible to derive D from E. To use a PKC, party A obtains party B's public key E from the key distribution center. Party A encrypts a message with E and sends the result to party B. B recovers the message by decrypting with D. The key distribution center is trusted by both parties to give correct public keys upon request. A PKC WO 98/54864 PCT/US98/10392 -2based based on the difficulty of computing discrete logarithms was published in ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", CRYPTO '84, pages 10-18, Springer-Verlag, 1985).

PKC's are highly convenient in terms, of use, and permit users to conduct private communications over insecure channels. They may be used to initiate symmetric key systems like DES (Data Encryption Standard). PKC's have a drawback, however. Criminals can use PKC's in the course of criminal activity, since no provision is made to supply law enforcement with the necessary decryption keys and untappable criminal communications may result. It is therefore desirable to permit private communications exclusively to law abiding citizens. A general solution to this problem is to have each user submit a representation of his or her private key to trusted escrow authorities, or trustees. The shares are taken out of escrow in the event of a court authorized wire tap. Alternatively, key escrow provides a way to recover lost private keys in an organization, or keys of a file system.

Let us review some of the key escrow systems and show that all require more than a PKC alone. U.S. patents 5,276,737, and 5,315,658 to Micali (1994) disclose a Fair Public Key Cryptosystem (FPKC) (see also, S. Micali, "Fair Public-Key Cryptosystems", CRYPTO '92, pages 113-138, Springer-Verlag, 1992) which satisfies the needs of law abiding citizens and law enforcement (and is based on P.

Feldman, 28th annual FOCS). Micali's prefered embodiment discloses how to convert the. Diffie-Hellman PKC, and the RSA PKC into Fair PKC's. In the prefered embodiment of the Fair Diffie-Hellman PKC, each user submits five shares to five central trustees (also known as "trusted third par- WO 98/54864 PCTIUS98/10392 -3ties") to register a public key. This solution is therefore not very scalable, since it requires the use of a small number of trusted authorities, and is thus very centralized. In the present invention, the user constructs a key pair such that the private key is provably escrowed automatically. Hence, no trusted third parties are needed whatsoever. The escrowed information can be sent to one of a multitude of decentralized certification authorities In Micali's scheme each trustee verifies their respective shares. Provided the share is valid, the share is stored in a database. Each trustee then signs the values that were received and gives them to a key management center. The five authorities have the burden of securing and managing five private databases of shares. In the present embodiment, the key information is verified by a CA. Provided it has the correct form, the key is signed, and placed immediately in the database of public keys.

There need only be one private database. Since only the CA is needed to manage user keys in the current embodiment, the least amount of communication overhead that is possible is achieved. In the Fair PKC's, only the trustees can verify that a key is escrowed properly. Verification is required since without it a user can easily generate keys which are not recoverable. In the current invention, everyone can verify this. This is.particularly useful if, for example, a citizen suspects that a CA is failing to insure that its keys are properly escrowed.

It has been shown that the Fair RSA PKC does not meet certain needs of law enforcement Kilian, F. Leighton, "Fair Cryptosystems Revisited", CRYPTO '95, pages 208-221, Springer-Verlag, 1995), since a shadow public key cryptosystem can be embedded within it. A shadow public key system is a system that can be embedded in a key escrow WO 98/54864 PCT/US98/10392 -4system that permits conspiring users to conduct untappable communications.

The flaw in the RSA FPKC lies in the fact that it is assumed that criminals will use the same secret keys that were provided to the escrow authorities. The shadow cryptosystems make use of what is known in the art as subliminal channels that exist in the public keys of the PKC's. These channels are used to display the public keys of the shadow PKC. The Kilian and Leighton paper discloses how to convert PKC's into Fail-safe Key Escrow (FKE) systems. Specifically, they disclose how to construct FKE systems for discrete-log based PKC's like Diffie-Hellman and DSS. In their expensive protocol, the user and the trusted authorities engage in a protocol to generate the user's public and private keys. In so doing, the authorities are convinced that no subliminal information is contained in the resulting public key. The user is also convinced that the keys are escrowed properly. This system is similar to the Fair Diffie-Hellman PKC, except for the added overhead of this protocol. It is thus subject to the same inefficiencies as the Fair Diffie-Hellman PKC. In the present invention, the user chooses his or her own keys independently. With respect to the threat of shadow PKC's, the present invention relies on the fact that there is no known way to inconspicuously embed a significant number of bits within a modular exponentiation in a finite field.

Hence, the exploitation of shadow cryptosystems in discrete-log PKC's seems remote.

De Santis et al. teach an escrow system where trustees are able to open only messages in session rather than.

opening the key of the party suspected of criminal activity. This refines the notion of Fair Cryptosystems. Other technologies that teach how to open the session key of WO 98/54864 WO 9854864PCTIUS98/1 0392 users rather than their permanent public key is by Walker and Winston (TIS) and the IB3M Secureway document. These key recovery technologies require that users be aware of and use the keys of the set of trustees at any session initiation. These technologies may be overburdening each and every user since they require new protocol extensions which are used in every communication session and further require users to store many keys beyond what is needed for a PKI.

A "1Fraud- Detectable Alternative to Key-Escrow Proposals" based on ElGamal has been described in Verheul, H.

van Tilborg, "Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals", Eurocrypt '97, pages 119-1- 33, Springer -Verlag, 1997) .This system allows users to send encrypted information along with a short proof that the encrypted information can be recovered by a set of -trustees. So, this system has the advantage that it does not depend on trusted third parties. However, this system requires an already existing Public Key Infrastructure (PKI). Therein lies the flaw in the Binding ElGamal approach:' If the PKI is unescrowed then user A can public key encrypt a message using user B's public key, and then send 'the resulting ciphertext message using Binding ElGarnal. In this case, the proof simply serves to show that the trustees can, recover this ciphertext, and therefore prevents law-enforcement from being able to monitor the communications of users suspected of criminal activity. When this abuse is employed, fraud-is not detectable. This abuse is made possible because user B's private key-is not escrowed., Software that abuses the Binding ElGamal scheme could be readily distributed and could severely hamper attempts at law enforcement on a large-scale. The present invention discloses a method of establishing an escrowed PKI, and is hence not subject to this drawback. Like in Binding WO 98/54864 PCT/US98/10392 -6- ElGamal, the present invention employs the general technique of non-interactive zero-knowledge proofs, though the proofs of the present invention involve new technology. A heuristic for how to construct such proofs was shown in (A.

Fiat, A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", CRYPTO '86, pages 186-194, Springer-Verlag, 1987) An overview of key escrow schemes appears in (D.

Denning, D. Branstad, "A Taxonomy for Key Escrow Encryption Systems," Communications of the ACM, v. 39, n. 3, 1996).

In Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for Trusted Third Party Services", Cryptography: Policy and Algorithms, LNCS 1029, Springer, 1996) and Anderson, "The GCHQ Protocol and Its Problems", Eurocrypt '97, pages 134-148, Springer-Verlag, 1997) a trusted third party approach to escrow is described where the trusted third parties of the participating users are involved in every session key establishment stage.

All key escrow solutions heretofore known suffer from some if not most of the following disadvantages.

they require tamper-resistant implementation, or otherwise require hardware implementation. This imposes high implementation costs and slow establishment of use.

they require use of classified or otherwise proprietary algorithms. This may be unacceptable to users who may be skeptical about the devices security or operation.

they are implemented in software, and are therefore subject to alteration, resulting in improper operation and possibly untappable communications. This is however, WO 98/54864 PCT/US98/10392 -7an inherent problem of any software solution (all we can require in this case is that if users employ the software apparatus solely for achieving privacy then their plaintext or keys are recoverable) they require excessive protocol interaction in key generation and/or general use. In addition this interaction may be conducted with a small set of centralized entities, thus making traffic and communication delays a potential bottleneck. They may require users to posses the trustees keys and use them in every session initiation, and further require modifications to every communication protocol.

they require excessive numbers of trusted third parties (TTP) to be involved in system operation. Spreading the trust among too many parties increases the risk of security breaches and reduces scalability.

they require generation of cryptographic keys by TTP's. A corrupt or otherwise compromised TTP may put user security at risk by tampering or disclosing user's keys.

they require the securing and management of databaise(s) of secret keys or secret shares on behalf of users.

they can be used to establish a shadow public key infrastructure, thus defeating the purpose of the escrow system altogether.

Auto-Recoverable and Auto-Certifiable Cryptosvstems Due to the above disadvantages, what is required is a new mechanism incorporating the following advantages: WO 98/54864 PCT/US98/10392 -8a key escrow system that can be distributed in source code form with no loss of security, and hence provides a system that can be publicly scrutinized to insure that it operates properly. Furthermore, since the key escrow system can be available in software, it can be implemented on a large scale, quickly, and cost-effectively. This implies fast distribution of the system.

in the case that a software solution is deemed unacceptable due to the possibility of modifying of the invention, it can be implemented directly in tamper-resistant hardware. This however adversely affects the gains from the easy distribution).

the escrow system requires the least amount of protocol interaction between the escrow authorities, CA, and user, that is theoretically possible. To register a key, a message need only be sent to one of a multitude of CA's. This mechanism is called a key registration based escrow system. In comparison, in the prefered embodiment of Fair PKC's, five messages are sent from the user to the trustees, and then five more messages are sent to a key management center.

only one private database is required to implement the escrow system. This database need only be authenticated and may be kept private to prevent a shadow PKC from being established. User's private keys will not be exposed if the database is exposed. This contrasts with Fair PKC's in which several databases must be maintained and if they are compromised, the users keys are compromised. This requirement makes the new system rely only on the CA in establishing and certifying users keys as in usual public key systems.

-9the escrow system allows the user's private key to be verified by anyone. The verification establishes that the private key is recoverable by the escrow authorities given the user's corresponding public key, the certificate, and public parameters. In comparison, in Fair PKC's, only the trustees perform this verification. This requirement of the new system is called universal verifiability.

the escrow system can be made shadow public key resistant. Fair PKC's were shown not to be shadow public key resistant, namely they can be abused to publish other PKC schemes Kilian, F. Leighton, "Fair Cryptosystems Revisited", CRYPTO '95, pages 208-221).

The present invention is versatile enough so that either or can be chosen (namely, a software or hardware implementation). In each case requirements (c) through are met.

*e *o o *ooo oo 9a The discussion of the background to the invention herein is included to explain the context of the invention. This is not to be taken as an admission that any of the material referred to was published, known or part of the common general knowledge in Australia as at the priority date of any of the claims.

Summary of the Invention In order to provide for the above and other objectives and features to be described below, the present invention introduces a new paradigm in cryptography. The present invention may provide a method to verify that a user generated private key is contained within an encryption under the public key of the escrow authorities without excessive overhead. Furthermore, this verification can be performed by anyone in possession of the escrow authorities public key. The present invention may include a setting up process and three functions which process signals in different ways. The functions are key generation, key verification, and key recovery. In the setup process of the preferred embodiment, the participants agree upon a set *o W:\marie\GABNODEL\8564c.doc WO 98/54864 PCT/US98/10392 of initial public parameters and the authorities generate an escrowing public key and corresponding private keys.

The initial parameters and the escrowing public key are the public parameters of the system. The escrowing authorities, Certification Authority and users of the system all have access to the public parameters. In the key generation process, the method generates a user's public/private key pair, and a certificate of recoverability which is a string of information which includes an implicit encryption of the user's private key under the escrowing public key. The signal information containing the user's public key, and the certificate of recoverability can be transmited to any entity. In the verification process, the user transmits this signal to the verifier.

The verification process takes the input signal, processes it, and outputs either true or false. A result of true indicates that the user's private key is recoverable from the certificate of recoverability by the escrow authorities. A result of false indicates that the private key is not recoverable. The invention is designed such that it is intractable for the user to generate a public key, and certificate of recoverability such that the key is not escrowed and such that it passes the verification process with a result of true. In the prefered embodiment, the users certify their public keys with registration authority of the certification authority (CA) who then signs their public key after successful verification. A public key together with a CA's signature on a string that contains the public key constitutes a certified public key. In more detail, upon receiving the user's public key, and certificate of recoverability, the CA verifies that the corresponding private key is recoverable. If it is, (namely, the verification process outputs true) the public key is certified and/or made publicly available by the CA. The user is only required to keep his public key and to have -11adoes not require changes in communication protocols used in typical unescrowed PKI's session key establishment, key distribution, secure message transmission, etc.). The invention is therefore compatible with typical PKI's. The present invention thus provides a very efficient way of escrowinq and recovering cryptographic keys.

According to the present invention there is provided a method including a cryptosystem which can be used for generating, verifying, using, and recovering cryptographic keys, which involves at least four entities: agents, authorities, a registering party, and other parties, and which further includes the following steps: having said entities establish a set of system parameters; having said agents generate agent parameters and having said agents "further publish at least one of said agent parameters; having said authorities generate a set of authority parameters and publish at least one of said authority parameters; having said registering party generate a registering party public key and registering party private key by employing a specified public procedure which uses at least one of said agent parameters, and said authorities parameters; S 20 having said registering party generate a validation proof which certifies that said registering party private key was generated by employing said specified public procedure; having said registering party send said registering party public key and said validation proof to the authorities; having said authorities verify the correctness of said registering public key along with said validation proof; if the verification in step is successful, having said authorities perform a registering party public key publishing process and in so doing turning the registering party into a registered party; having said other parties obtain the registered party public key after said publishing process and make use it.

W:marieGABNODEL\8 5 4c.doc 11 b The Drawings Preferred embodiments of the present invention will now be described with refinrpnc. tn thpnrr~omnanyino drawings wherein: W:XmrieGABNODEUk88564cdoc 12 FIG. 1 is a data flow diagram of the process of :setting up the method of the invention for use with m escrow authorities.

FIG. 2. is a flow chart of the basic steps of the process of generating a public/private key pair and certif- *icate of recoverability using the invention.

FIG. 3. is a data flow diagram of the process of verifying the recoverability of a private key.

FIG. 4 is a data flow diagram of the process of 20 registering a key using the invention.

S: FIG. 5 is a data flow diagram of the process of private key recovery by the escrow authorities.

FIG. 6 describes a generic public key system and its main components and operations FIG. 7 describes the escrowable public key system which results by employing the present invention and its main components and operations.

Description of the Invention: Prefered Embodiments The following is a description of the first prefered embodiment of the present invention. Variations on the Sprefered embodiment will accompany the description of the WO 98/54864 PCT/US98/10392 -13prefered embodiment wherever applicable. For convenience in the presentation, the hashing algorithm selected is SHA (Schneier 2nd edition, pages 442-445), though any cryptographic hashing algorithm will suffice in its place. In the prefered embodiment, parameters are chosen uniformly at random from their respective groups. Alternate embodiments include alterations of the probability distributions from which such values are chosen.

The system setup of the prefered embodiment shown in FIG. 1 initiates the cryptosystem. In the prefered embodiment, the participants agree upon a large prime r such that q 2r+l is prime and p 2q+l is prime. Examples of values for r that satisfy this relation are 5 and 11, though they are small values. The following is a 1024 bit value for r in hexadecimal: fd90e33af0306c8bla9551ba0e536023b4d2965d3aa813587ccflae blba2da82489b8945e8899bc546dfded24c861742d2578764a9e70b 88alfe9953469c7b5b89blbl5blf3d775947a85e709fe97054722c7 8e31ba202379ele16362baa4a66c6da0a58b654223fdc4844963478 441afbbfad7879864feld5df0a4c4b646591 An r of size 1024 bits is large enough for use in cryptographic systems. Such values of r, q, and p are not as easy to find as merely finding a prime number, but doing so is not intractable. What is needed is highly efficient algorithms which can be implemented using, say, a multiprecision library. Such algorithms include Karatsuba multiplication, Montgomery reduction, addition chains, and the Rabin-Miller probabilistic primality test Lacy, D.

Mitchell, W. Schell, "CryptoLib: Cryptography in Software," AT&T Bell Laboratories, cryptolib@research.att.com).

The following method can be used to find large values for r, q, and p efficiently. Note that r mod 3 must be 2.

WO 98/54864 PCT/US98/10392 -14- It can't be 0 since then r wouldn't be prime. It can be 1 since then q would be divisible by 3. Also, r mod 5 must be 1 or 4. It can't be 0 since then r would be divisible by 5. It can't be 2 since then q would be divisible by It can't be 3 since then p would be divisible by 5, etc.

We call this method "trial remaindering". By performing trial remaindering, we can throw out values for r, q, and p quickly prior to performing trial divisions and probabilistic primality tests. Once we perform trial remaindering up to, say, 251, we perform trial divisions on r, q, and p.

If r, q, and p are not thrown out we then do the Rabin-Miller primality test on r, then q, then p, then r, then q, etc. alternating between the three. We do so using small potential witnesses of compositeness that are fixed in advance. If any of r, q, or p are found to be composite, we set r to be equal to r 2 x 3 x 5 251 and repeat starting with trial divisions and the same set of potential witnesses. This way we need not perform trial remaindering again, since the prior conditions on r are assured. Once r, q, and p are found, we perform additional primality tests using potential witnesses that are found using a strong random number generator. If r, q, and p pass these tests, then they are assumed to be prime and are declared as systems parameters.

The participants agree upon, or the CA chooses, a value g which generates the elements in the set and an odd value gl which generates all values less than 2q and relatively prime to 2q. Note that 2q is a multiplicative group and has a generator. g and s are odd in the prefered embodiment. The values r, q, p, g, and gl are the systems initial parameters and are made publicly available with no loss of security. They can be chosen by the authorities themselves and/or anyone else.

Once gl and q are specified, the m authorities (m greater WO 98/54864 PCT/US98/10392 than or equal to 1) proceed to collectively compute an escrow authority public key gl 2q), also called the escrowing public key, and escrow authority private keys z_1, zm. To do so, authority i, where i ranges from 1 to m, chooses a value z_i in at random and then sets Yi to be gl raised to this value modulo 2q. At least one authority then receives all of the information of the Y i's from the m-I other escrow authorities. In the prefered embodiment, authority i, where i ranges from 2 to m, sends Y_i to authority 1. The sending of the Y_i's is depicted by step 11 in FIG. 1. Y is computed to be the product of the Y_i's modulo 2q by at least one of the authorities. In the prefered embodiment, Y is computed by authority 1. Authority 1 then verifies that (gl/Y) is a generator of all values less than 2q and relatively prime to 2q. If it isn't then step 12 is executed. In step 12 the other m-i authorities are told to choose new values for z, hence the procedure is restarted from the beginning of step 11. In the prefered embodiment, authority 1 chooses z_ 1 over again also. In an alternative embodiment, at least 1 and less than m of the authorities generate new values for z. This process is continued as many times as necessary until (gl/Y) is a generator of all values less than 2q and relatively prime to 2q. Y is then published, or otherwise made available to the users and the CA, by one or more of the escrow authorities. This is depicted by step 13 in FIG. 1.

FIG. 2 is a diagram showing the process of how a user's system generates a public/private key pair and a certificate of recoverability. Having obtained the signal Y that is made available to users by the escrow authorities, the user system proceeds to generate an ElGamal key g, p) for the user. The signal Y may a priori have been included in the invention. The invention proceeds by WO 98/54864 PCT/US98/10392 -16choosing a value k in randomly. This is depicted by step 2004 in FIG. 2. In step 2005, the invention computes C (gl raised to the k power) mod 2q. In step 2006 the invention computes the user's private key x to be rasied to the k power) mod 2q. The invention also computes y to be (g raised to the x power) mod p.

The system then proceeds to step 2007 and computes a certificate that can be used by any interested party to verify that the user's private key is properly encrypted within C. The certificate contains the value v, which is computed by the system to be g raised to the power w mod p, where w is raised to the k power) mod 2q. The public key parameter y can be recovered from g and v by computing v raised to the C power mod p. The system also processes three non-interactive zero-knowledge proofs as they are called in the art and includes them in the certificate. Let n denote the number of repetitions in each non-interactive proof. In the prefered embodiment, n is set to be 40. The first proof is designed so that the user can prove that he or she knows k in C. The second proof is designed so that the user can prove that he or she knows k in v. The last proof is designed so that the user can prove that he or she knows k in v raised to the C power mod p. By saying "the user knows value x" we mean that the system has value x in its state.

In more detail, to construct the non-interactive proofs, the system proceeds as follows. It chooses the values e_l,l, e_l,n, e 2,1, e ,e2,n, and e_3,1, e_3,2, e_3,n in 2r-l} randomly.

For i ranging from 1 to n, the system sets I l,i to be gl raised to the e_l,i power mod 2q. For i ranging from 1 to n, the invention sets I_2,i to be v raised to the di power mod p, where di is Y raised to the -e_2,i power modulo WO 98/54864 PCT/US98/10392 -17- 2q. For i ranging from 1 to n, the invention sets I 3,i to be y to the t_i power mod p, where t_i is (gl/Y) raised to the e_3,i power mod 2q. The invention then computes the value rnd to be the SHA hash of the set formed by concatenating together the tuples (I l,i, I 2,i, I 3,i) for i ranging from 1 to n. Note that rnd is a function of all of the I values, using a suitably strong cryptographic hash function. In alternate embodiments, the hash function can have an effective range of size different than 160 bits.

A greater range of the hash function allows for significantly larger values for n. The system sees each of the bit-sized values b 1,1, b b l,n, b 2,1, b b 2,n, b 3,1, b b 3,n to be each of the corresponding 3n least significant bits of rnd. There are a multitude of ways in which an embodiment can securely assign the bits of rnd to the values for b. The values for b are the challenge bits, and this method of finding them is known as the Fiat-Shamir Heuristic. The system then proceeds to compute the responses to these challenge bits.

For i ranging from 1 to 3 and for j ranging from 1 to n, the invention sets z_i,j to be e_i,j (b_i,j)k mod 2r.

This completes the description of step 2007 of FIG. 2.

The system proceeds to step 2008. In step 2008, the invention outputs the parameters v, y, (Il,i, I_2,i, and (z l,i, z_2,i, z_3,i) for i ranging from 1 to n. In an alternate embodiment the value k is output by the invention to the user. The user then has the option to later interactively prove that his or her private key x is recoverable by the escrow authorities. This will be addressed in more detail later. Also, the values b can be made a part of the certificate. This step is however, not necessary, since the values for b can be derived from the values for I alone.

WO 98/54864 PCT/US98/10392 -18- The description of the embodiment has thus far explained how the system is setup for use by the CA and authorities, and how the system is used by users (potential receivers) to generate public/private key pairs and certificates of recoverability. These certificates are strings showing to anyone presented with them that the key generated has the publicly specified properties. The following describes how the invention is used by the user to prove to a verifier that x is recoverable from C. This process is depicted in FIG. 3. The verifier can be the CA, an escrow authority, or anyone else who is part of the system.

The verification process of FIG. 3 is as follows. In step 3009, the user generates a public/private key pair, encryption of x, and a certificate using the invention as described above. In step 3010, the user transmits a signal containing these parameters to a verifier. In step 3011 the verifier usesthis signal to verify whether or not the user's private key is recoverable by the escrow authorities. To do so, the verifier uses the user's public key, the encryption C, the corresponding certificate, and the escrowing public key Y.

The way in which the users signal is processed will now be described-in detail-. The verifying system outputs a 0 if the public key and/or certificate are invalid, and a 1 otherwise. The invention may take subsequent action and indicate to the verifier that the public key is invalid in the event that 0 is returned. Similarly, the verifying system may inform the verifier of a validation that passes.

To perform the verification, the verifying system first verifies that y v raised to the C power mod p. If y is not equal to v raised to the C power mod p, then the verification system returns a value of 0. The verifying WO 98/54864 PCT/US98/10392 -19system then verifies the three non-interactive proofs contained within the certificate of the user. The invention computes b_2,i, b_3,i) for i ranging from 1 to n in the same way as performed during the certificate generation process. Recall that this process was described in regards to FIG. 2.

For the first non-interactive proof, the verifying system checks that gl raised to the z_l,i power equals C(I_l,i) mod 2q if b_l,i 1, for i ranging from 1 to n.

The verifying system also checks that gl to the z_l,i power equals I_l,i mod 2q if b_l,i 0, for 1 ranging from 1 to n. If any of these equalities fails, then the verifying system returns a value of 0. This completes the verification of the first non-interactive proof.

For the second non-interactive proof, the verifying system checks that g raised to the wi power equals I_2,i mod p if b_2,i 1, for i ranging from 1 to n. Here w_i is 1/Y raised to the z_2,i power mod 2q. The verifying system also checks that v to the v_i power equals I_2,i mod p if b_2,i 0, for i ranging from 1 to n. Here v_i is 1/Y to the z_2,i power mod 2q. If any of these equalities fail, then the verifying system returns a value of 0. This completes the verification of the second non-interactive proof.

For the third non-interactive proof, the invention checks that g.raised to the wi power equals I_3,i mod p if b_3,i 1, for i ranging from 1 to m. Here w_i is (gl/Y) raised to the z_3,i power mod 2q. The invention also checks that y to the vi power equals I_3,i if b_3,i 0, for i ranging from 1 to m. Here v_i is (gl/Y) raised to the z_3,i power mod 2q. If any of these equalities fails, then the verifying system returns a value 0. If all of the WO 98/54864 PCT/US98/10392 verifications pass, then the value 1 is output by the verifying system.

In FIG. 4, the user certifies his or her public key with the CA. In step 4012 of this process, the user generates his or her public key and certificate of recoverability, as previously described. The user transmits this signal to the CA. This corresponds to step 4013 of FIG. 4.

In step 4014 the CA acts as a verifier and verifies that the user's private key is recoverable by the escrow authorities. So far, steps 4012 through 4014 are identical to steps 3009 through 3011 in the key verification process of FIG. 3. However the CA, in addition, will make keys that pass the verification process available to others upon request and/or certify them. If the user's public key fails the verification process, then either the certificati.on attempt is ignored, or alternatively the user is notified of the failed certification attempt.

Depending on the demands of the environment in which the invention is used, users may be required to submit extra information in order to register a public key and to certify that they know the private key portion without divulging it. Such information could be a password, social security number, previously used private key, etc. In the case that the CA is a trusted entity, the CA can simply digitally sign the user's public key, and make the key along with the CA's signature of that key available on request. If the CA is not trusted, then the certificate should be stored in the public file and the certificate together with the certificate of recoverability should be given to the escrow authorities, which in turn can insure recoverability. This completes the description of the public key certification process.

WO 98/54864 PCT/US98/10392 -21- The last process to describe is the private key recovery process. This process is depicted in FIG. 5. In this process, the invention is used by the n escrow authorities to recover the user's private key based on C. In this process, all m of the escrow authorities obtain C, as depicted in step 5015 of FIG. 5. In an alternate embodiment the CA transmits C and/or other parameters to one or more of the authorities. Thus they are already in possession of C. At this point escrow authority i computes t i to be C raised to the z_i power mod 2q. Recall that z i is the private key of the ith escrow authority. This is done for i ranging from 1 to m. Authorities 2 through m then send their respective values for t to authority i, as depicted in step 5016. Authority 1 then computes Y raised to the k power mod 2q to be the product of the values for t_i where i ranges from 1 to m. Authority 1 then obtains the user's private key x by computing x raised to the k power)) mod 2q. There are alternative methods in the art for computing x so that x is represented distributively among the authorities. These methods also allows the authorities to decrypt messages encrypted under the public key corresponding to x, without revealing x itself.

What has been described is an Auto-Recoverable and Auto-Certifiable (ARC) cryptosystem. The users of such a cryptosystem employ the public key system in a way that is identical to a typical PKI for secure communications. This is demonstrated schematically in FIG's 6 and 7. FIG. 6 is a typical public key cryptosystem in a PKI environment.

The following are the steps that are followed by the users.

The user first reads the CA's information and address.

The user generates a public/private key pair and sends the public key to the CA. The registration of the authority in the CA verifies the identity of the user, and publishes the public key together with the CA certificate on WO 98/54864 PCT/US98/10392 -22that key, identifying the user as the owner of that key.

For another user to send a message to that user, the public key is read from the CA's database and the certificate is verified. Then, the message is encrypted under new the public key and sent. FIG. 7 schematically describes the ARC cryptosystem. The additional operations are as follows. The authority generates the escrowing public key and gives it to the CA. Steps 1 and 2 are analogous, except that a proof is sent along with the public key. Steps 3 and 4 are the operation of the system and are identical. Steps 5 and 6 describe the case in which keys are recovered from escrow. The escrow authority gets information from the CA. The escrow authority recovers the user's private key.

In an alternative to the first embodiment any large enough subset of the authorities can recover the private key x or messages encrypted under the public key corresponding to x without revealing x itself. This is done independently by receiving the appropriate values for t by the other authorities. This adds robustness in the case that some or all ,of the authorities cannot be completely trusted or are otherwise unavailable. Also, the authorities can require that that the certificate of recoverability be sent along with the public key and encryption so that the user's parameters can first be verified using the verification process. This completes the description of the private key recovery process.

The following are a few alternate embodiments of the first embodiment of the present invention. An alternate embodiment of this invention involves using an authority public key of the form g, 2(q raised to the t power)), where t is some integer greater than 1. We chose t to be 1 in our prefered embodiment, though other values can be WO 98/54864 PCT/US98/10392 -23used instead and still operate based on primitive roots.

Another alternate embodiment is to use the product of two or more large primes as part of the public parameters.

Clearly, the exact structure of the moduli used can vary significantly without departing from the scope of the invention. In another embodiment, the interactive versions of the three non-interactive proofs can be used. Such an embodiment requires that the system output k to the user during key generation. This value k is used during the interactive protocol, so that the verifier can be convinced that the user's private key is recoverable by the escrow authorities. Note that by outputing k, however, a shadow public key cryptosystem may result. This follows from the fact that C, 2q), k) is a valid ElGamal public/private key pair mod 2q.

In yet another embodiment, the CA, or other trusted entity, takes the further action of blinding the user's public keys. The CA chooses a k s.t. g' (g raised to the k power) mod p is a generator, and sends the user (y raised to the k power) mod g' is the user's ElGamal generator and y' (y raised to the k power) mcd p is part of the users final key This prevents users from exploiting subliminal channels in y.

In another variant the users publish their public keys which are used for key exchanges in a Diffie-Hellman like "key exchange". For example, the following method can be used. Let a be user A's private key and let b be user B's private key. Let ya (g to the power a) mod p be user A's public key and let y_b (g to the power b)-mod p be user B's public key. To establish a random session key, user B chooses a random string s. User A then sends m (yb to the a power)s mod p to user B. User B recovers s by computing m/(y a to the power b) mod p. Users A and B WO 98/54864 PCT/US98/10392 -24derive a session key from s using a known public function applying to it a one-way hash function). Later, when the session key is required to be taken out of escrow, the trustees can use either a or b to recover s, and hence the session key.

The following is a description of a second primary embodiment of the present invention. The hashing algorithm selected is SHA (Schneier 2nd edition, pages 442-445), though any cryptographic hashing algorithm will suffice in its place. We use the least significant bits of the hash results for convenience, but any subset of bits is possible. In the prefered embodiment, parameters are chosen uniformly at random from their respective groups or domains. Alternate embodiments include alterations of the probability distributions from which such values are chosen. Such choices based on random number generators or pseudo-random generators are available in the art.

The system setup of this alternate embodiment shown in FIG. 1 initiates the cryptosystem. In the prefered embodiment, escrow authority i for 1 i m generates a private share D_i, and corresponding public share E_i. The private shares D_i form the shared private key D. Escrow authorities 2 through m send their E i to escrow authority 1. This is depicted by step 11. Escrow authority 1 combines all the public shares E_i and computes the shared public key E. The value for E is published, by escrow authority i, as depicted in step 13. Each authority i keeps Di private. As a concrete example, the escrow authorities can generate a strong prime p and a value g which generates Share D i can be chosen uniformly at random from and E_i (g raised to the Di power) mod p. E is the product of all the values Ei modulo p. Variations on joint generation of WO 98/54864 PCT/US98/10392 keys are possible, as well as an implementation with a single escrow authority.

A process similar to FIG. 2 illustrates how a user's system generates a public/private key pair and a certificate of recoverability. Having obtained (and verified as much as possible) the signal E that is made available to users by the escrow authorities, the user system proceeds to generate an ElGamal public key for the user (T.

ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", CRYPTO '84, pages 10-18, Springer-Verlag, 1985). The user system chooses a private key x uniformly at random from and computes y to be (g raised to the x power) modulo p. This key generation process corresponds to step 2006.

The system then proceeds to step 2007 and computes a certificate that can be used by any interested party, in particular the CA, to verify that the user's private key x can be recovered from the certificate of recoverability P.

Let ENC(a,s,E) denote the public key encryption of the message a under public key E using randomness s. Here ENC is a semantically secure probabilistic public key encryption, where the string s is used for the randomness in the probabilistic encryption.- For example, ENC can be an ElGamal encryption, or an optimal asymmetric encryption (Bellare-Rogaway, "Optimal Asymmetric Encryption", Eurocrypt Let DEC be the corresponding public key decryption function which is performed in a shared fashion.

Hence, DEC(ENC(a,s,E),D 1,D m) a. P is constructed according to the following algorithm: 1. P 2. for i 1 to M do 3. choose r_i randomly from the domain WO 98/54864 PCT/US98/10392 -26- 4. choose two random strings si,1 and s_i,2 for use in ENC Q_i (g raised to the r_i power) mod p 6. C_i,l ENC(ri, si,l, E) 7. C_i,2 ENC(r_i x mod p-1, s_i,2, E) 8. add (Qi, Ci,l, Ci,2) to the end of P 9. val H(P) set b_l, b_2, ,b_M to be the M least significant bits of val, where b_i is in {0,1} 11. for i=l to M do 12. w i r i (b i)x 13. Z i i),s i,j) where j 1 b i 14. add Z i to the end of P Thus, P (QM, CM,1, H is a suitable public one-way hash function SHA), so the b i's can be recovered from P.

The values for b are the challenge bits, and this method of finding them and using them is analagous to the Fiat-Shamir Heuristic. The user system outputs in step 2008.

Note that the user has -the option to interactively prove that his or her private key x is recoverable by the escrow authorities. This will be addressed in more detail later.

M is a large enough parameter of security The description of the embodiment has thus far explained how the system is setup for use by the CA and authorities, and how the system is used by users (potential receivers) to generate public/private key pairs and certificates of recoverability. These certificates are strings showing to anyone presented with them that the private keycorresponding to the public key generated is recoverable by the escrow authorities using P. The following describes how the invention is used by the user to prove to a verifier that x is recoverable from P. This process is depicted WO 98/54864 PCT/US98/10392 -27in FIG. 3. The verifier can be the CA, an escrow authority, or anyone else who knows the system parameters.

The verification process of FIG. 3 is as follows. In step 3009, the user generates a public/private key pair, and a certificate using the invention as described above.

In step 3010, the user transmits a signal containing these parameters to a verifier. In step 3011 the verifier uses this signal to verify whether or not the user's private key is recoverable by the escrow authorities. In this process, the verifying system takes y, the corresponding certificate P, and the escrowing public key E. The verifying system first checks that y p. The verifying system checks that all of the values in P lie in the correct sets. The verifying system also checks that the values C_i,j for all i and j, do not contain any repetitions. The verifying system checks that none of the Q i for all i are repetitious. If any of these verifications fail, then false is returned. The verifying system then computes b_l, b M in the same way as in the certificate generation process. For i=l to M, the verifying system verifies the following things: 1. ENC(w_i, s_i,j, E) Ci,j where j 1 bi 2. (Qi/(y raised to the bi power)) mod p g raised to the w_i power) mod p The verifying system returns true as long as all the verifications pass and as long as both 1 and 2 above are satisfied for 1 i M. The invention may take subsequent action and indicate to the verifier that the public key is invalid in the event that false is returned. Similarly, the verifying system may inform the verifier of a validation that passes (the verifying system returns true) WO 98/54864 PCT/US98/10392 -28- In FIG. 4, the user certifies his or her public key with the CA. In step 4012 of this process, the user generates his or her public key and certificate of recoverability, as previously described. The user transmits this signal to the CA. This corresponds to step 4013 of FIG. 4.

In step 4014 the CA acts as a verifier and verifies that the user's private key is recoverable by the escrow authorities.

So far, steps 4012 through 4014 are identical to steps 3009 through 3011 in the key verification process of FIG. 3. However the CA, in addition, will make keys that pass the verification process available to others upon request and/or certify them. If the user's public key fails the verification process, then either the certification attempt is ignored, or alternatively the user is notified of the failed certification attempt.

Depending on the demands of the environment in which the invention is used, users may be required to submit extra information in order to register a public key and to certify that they know the private key portion without divulging it. Such information could be a password, social security number, previously used private key, etc. In the case that the CA is a trusted entity, the CA can simply digitally sign the user's public key together with the user's name and additional information, and make the key alongwith the CA's signature on this information available on request. If the CA is not trusted (which is not the typical assumption in PKI), then the certificate should be stored in the public file and the certificate together with the certificate of recoverability should be given to the escrow authorities, who in turn can insure recoverability.

This completes the description of the public key certification process. We note that the CA keeps the certificate of WO 98/54864 PCT/US98/10392 -29recoverability, possibly in encrypted form under its own key with authentication information for integrity.

The last process to describe is the private key recovery process. This process is depicted in FIG. 5. In this process, the invention is used by the m escrow authorities to recover the user's private key based on P. In this process, all m of the escrow authorities obtain y and P, as depicted in step 5015 of FIG. 5. In an alternate embodiment the CA transmits y and P and/or other parameters to one or more of the authorities. Thus they are already in possession of y and P. At this point escrow authorities use a subset of their shares D 1, D m to decipher P to open all of the unopened C_i,-j (using DEC for example. This is accomplished by having escrow authority i recover the ith shares of the user's private key. In this process, escrow authority i extracts the M values for the unopened C i,j from P and decrypts them using Di. The resulting values are pooled with the values from the other escrow authorities, as depicted in step 5016 of FIG. The pool is then used by the authorities to decrypt all of the unopened values C_i,j from P. Thus all of the plaintexts corresponding to all C_i,j are known to the escrow authorities. There are alternative methods in the art for recovering the plaintext corresponding to the unopened Ci,j, so that the unopened plaintext is represented distributively among the authorities. The escrow authorities check the plaintext of each pair C_i,l and C_i,2 for a pair of values that when subtracted together mod p-l, are equal to the exponent x in y (g raised to the x power) mod p. Also, the quantity (g raised to the x power) mod p can be matched against the public y to assure correctness.

Once such a pair is found, the private key of the user has been found.

WO 98/54864 PCT/US98/10392 We will now describe a third primary embodiment of this invention. In this embodiment, the users of the system generate composite public keys. The user system generates n and s in the same way as described in the pending U.S. Patent 08/920,504 (by Young and Yung). Recall that n is the product of two (preferably strong) primes p and q, and s is a string that can be used in conjunction with a public one-way function to derive the upper order bits of n. Let e and d denote the public and private exponents for RSA), respectively. The following is how P is constructed: 1. P 2. choose a string t_0 randomly mod n 3. add t_0 to the end of P 4. for i 1 to M do choose a_i,l randomly from the set 6. compute a_i,2 d a_i,l mod 7. choose two random strings si,l and si,2 for use in ENC 8. t i H(t 9. v_i,1 (t_i raised to the a_i,l power) mod n vi,2 (ti raised to the ai,2 power) mod n 11. Qi (ti, vi,l, vi,2) 12. C_i,l ENC(ai,l, si,l, E) 13. Ci,2 ENC(a_i,2, si,2, E) 14. add Ci,l, Ci,2) to the end of P val H(P) 16. set b_l, to be the M least significant bits of val, where b_i is in {0,1} 17. for i=l to M do 18. Z_i (ai,j, s_i,j) where j 1 b i 19. add Z i to the end of P 20. add s to the end of P WO 98/54864 PCT/US98/10392 -31- Thus, P (Ql, C_1,1, (QM, CM,1, Z_ Z_M, H above can be based on SHA or on concatenations of a few SHA applications to generate the t_i of appropriate size. It is most likely that the t_i will be in the set of elements less than n and relatively prime to n.

The verifying system is a bit different than before.

The verifying system first checks that n was chosen from the correct set of values. Let u denote the integer corresponding to the k/2 upper order bits of n. The verifying system makes sure that either H(s) u or that H(s) u+1, as described in the pending U.S. patent 08/920,504. The verifying system checks that all of the values in P lie in the correct sets. For example, the verifying system checks that the t_i fall within the range of H, and that a_i,j n (or some function of n) where j is 1 or 2. The verifying system also checks that t i H(t for i ranging from 1 to M. The verifying system checks that elements of the tuple Qi for each i does not contain repetitions, and also that the elements in the pair Z i for all i does not have repetitions. If any of these verifications fails, then false is returned. The verifying system then computes b_l, b_2, ,b_M in the same way as in the certificate generation process. For i ranging from 1 to M, the verifying system verifies the following things: 1. multiplied by v_i,2) raised to the e power) mod n t_i 2. (t_i raised to the a i,j power)' mod n vi,j,where j 1 b_i The verifying system returns true as long as all the verifications pass and as long as all both criterion are satisfied for 1 i M.

WO 98/54864 PCT/US98/10392 -32- The escrow authorities recover the user's private key as follows. For i ranging from 1 to M, the authorities compute wi to be the sum of the plaintexts corresponding to Ci,l and Ci,2. If a value wi is found such that (ti raised to the e(wi) power) mod n equals t_i, then wi constitutes a valid RSA private key corresponding to e. It is well known in the art how to factor n given such a value wi. Note that the RSA function is a homomorphic function and the above embodiment is applicable to homomorphic functions similar to RSA. We remark that from the above embodiment it is clear that this 'proof technique' for showing that a value is recoverable by the escrow authorities can be generalized to any homomorphic function.

_An application of this invention is an multi-escrow authority system where each escrow authority has its own CAs and users. When users from two different escrow authorities conduct secure communication the two escrow authorities can retrieve the user's messages or keys and exchange them through bilateral agreement. This is applicable to international multi-country scenarios.

Another application of key escrow systems is a secure file system or 'file repository system with recoverable keys. Such a system can be implemented based on the previous embodiments, in particular based on the preceding paragraph. For example, user A can be the owner of the file, user B can be the file server, and the trustees can be file recovery agents. An example of a file could be a password, in which case, the file recovery agents are password recovery agents.

The above description of our first embodiment of our cryptosystem makes novel uses of number theory in cryptog- WO 98/54864 PCT/US98/10392 -33raphy. It shows how to design a cryptosystem based on three primes with direct arithmetic relations between all them. That is r, q, and p are primes such that q 2r+l and p 2q+l. The usage of three or more primes with relations between them can produce various cryptosystems of a similar nature to the one described above. Some of them are described in the variation on the prefered embodiment.

Another relation can be p 2q+l and q 2rs 1 where p, q, r, and s are all prime and r is 160 bits in length.

Another example is p 2q+l, q 2r+l, and r 2s+1 where p, q, r, and s are all prime numbers. Furthermore, another innovative use of number theory is performing cryptographic operations in the exponent, where the operations are, for example, modular exponentiations. For example, the second zero-knowledge proof in step 2007 of the first embodiment involves proving knowledge of k in v where v is equal to g raised to the w power mod p, where w is (Y raised to the -k power) mod 2q. The use of three or more domains in successive exponentiations adds flexibility and power to cryptosystems. Applications of this fact along the lines of the present invention, are readily available to those who are skilled'in the art.

An application of this invention is a hierarchical public key escrow system. A hierarchical public key escrow system is an escrow system that takes the form of a tree data structure. The escrow authorities at the root of the tree are able to decrypt the communications of all entities corresponding to the nodes of the rest of the three.

Recursively, the escrow authorities at any-given node i in the tree are able to decrypt the communications of all entities corresponding to the nodes in the rest of the subtree for which node i is root. At any time, the leaf of the tree can form another subtree and act as an escrow agent(s). By ordering the size of the moduli properly, it WO 98/54864 PCT/US98/10392 -34is possible to have multiple escrow agents for any node of the tree. All that is necessary is to do the commitments of the roots starting with the smallest modulus and ending with the largest.

Similarly, rather than a fixed tree which determines an order, the user can decide on a subset of escrow agents and generate its own preferred tree which is the chosen subset of escrow agents ordered by the relative size of their public keys in a line where the largest key is the root. This enforces a structure of the commitment, and assures that the subset needs to work together to recover a key or information encrypted under the key.

Yet another application of this invention is a certified electronic mailing system. When the users register into the system, they register an auto-recoverable encryption public key and a certificate of recoverability to the CA, and they also register a signature public key.

To send a certified piece of mail, the following is done.

The sender sends a packet which includes the following: an encryption of an e-mail key under his own auto-certified public key, the receiver's name, an encryption of the e-mail message encrypted under the e-mail key, a header indicating a certified e-mail message, his own certified public key, and the CA's certificate on his certified public key, and other information. The packet is signed using the senders signature private key. Both the packet and the signature on the packet are sent to the receiver.

The receiver forms a return receipt packet that consists of a fixed return receipt header, the received message (or the hash of the received message), and additional information.

This packet is signed using the receivers private signature key and is sent to the original sender. The original sender verifies the signature on the return receipt packet.

WO 98/54864 PCT/US98/10392 If the signature is valid, the original sender sends the receiver the e-mail key encrypted under the receiver's certified public key. This message is sent along with a signature on it using the original sender's private signing key. The receiver verifies the signature on the encrypted e-mail key. If the signature is valid, the receiver decrypts the e-mail key using his private decryption key.

The receiver then encrypts the result using the original senders certified public key. If the result matches the ciphertext in the first packet that the original sender sent, then the e-mail key is regarded as authentic. This key is then used to decrypt and obtain the actual information that the original sender sent. If the receiver is for some reason unable to contact the original sender after the first packet is received, the receiver sends the return receipt and the first packet to the escrow authorities.

The escrow authorities will recover the e-mail key, provided the packet and return receipts are authentic and provided that the packet contains the corrects receivers name. The escrow authorities retain the return receipt and the packet. Provided the checks pass, the e-mail key is sent to the receiver. This constitutes a certified e-mail system based on auto-recoverable keys and signature keys, and where user registration is analogous to user registration irf a typical public key system with a CA. Also, it is known in the art how to employ certified e-mail systems as above for contract signing between two parties. The above application can be used as such.

Thus, there has been described a new and improved key escrow system, its variants, and applications. It is to be understood that the prefered embodiment is merely illustrative of some of the many specific embodiments which represent applications of the principles and paradigms of the present invention. Clearly, numerous and alternate ar- WO 98/54864 PCT/US98/10392 -36rangements can be readily devised by those who are skilled in the art without departing from the scope of the present invention.

Claims

1. A method including a cryptosystem which can be used for generating, verifying; using, and recovering cryptographic keys, which involves at least four entities: agents, authorities, a registering party, and other parties, and which further includes the following steps: having said entities establish a set of system parameters; having said agents generate agent parameters and having said agents further publish at least one of said agent parameters; having said authorities generate a set of authority parameters and publish at least one of said authority parameters; having said registering party generate a registering party public key and registering party private key by employing a specified public procedure which oo: uses at least one of said agent parameters, and said authorities parameters; 15 having said registering party generate a validation proof which certifies that said registering party private key was generated by employing said specified public procedure; having said registering party send said registering party public key and said validation proof to the authorities; i 20 having said authorities verify the correctness of said registering public key along with said validation proof; S(8) if the verification in step is successful, having said authorities perform a registering party public key publishing process and in so doing turning the registering party into a registered party; having said other parties obtain the registered party public key after said publishing process and make use it.

2. A method as in claim 1 wherein said cryptographic system includes the further step of having an event which causes at least one of said agents and said authorities to recover cleartext data encrypted under said registered party public key. W:Vmarie\GABNODELUS664c.doc 38

3. A method as in claim 1 wherein said cryptographic system includes the further step of having an event which causes at least one of said agents and said authorities to recover said registered party private key.

4. A method as in any one of the preceding claims wherein said agent parameters generated in step are public/private key pairs wherein only said public keys are published. A method as in any one of the preceding claims wherein said authorities parameters generated in step include public/private key pairs of which only the public keys are published.

6. A method as in any one of the preceding claims wherein said validation proof consists of at least one non-interactive zero-knowledge proof strings and 0 0 where said authorities verify said validation proof by verifying said at least one non-interactive zero-knowledge proof strings.

7. A method as in any one of the preceding claims wherein generating, sending, and verifying said validation proof in steps and includes 20 conducting a zero-knowledge interactive proof protocol where said registering user is the prover and said authorities are the verifier. i" 8. A method as in any one of the preceding claims wherein said publishing process includes generating a public key certificate on behalf of said registering *5b* party, where said certificate includes the digital signature of said authorities on said registering party public key and other information using said authorities private key, and where said certificate is verifiable using at least one of said authority published parameters.

9. A method as in any one of claims 1 to 7 wherein said publishing process includes generating a public key certificate on behalf of said registering party, where said certificate includes the digital signature of said authorities on a modification of said registering party public key and other information using said W:,marie\GABNODEL\86564c.doc 39 authorities private key, and where said certificate is verifiable using at least one of said authority published parameters. A method as in any one of the preceding claims wherein said publishing process includes marking said registering party public key as a valid key in a file.

11. A method as in any one of the preceding claims wherein said make use of said registering party public key includes the performance of at least one of the following: public key encryption, public key decryption, digital signing, digital signature verification, key exchange, and identification.

12. A method as in claim 2 wherein said event is a proper authorization given o, to the agents on behalf of an agency within a government or group of governments. 0 13. A method as in claim 2 wherein the recovery of cleartext data is done in order to monitor communications of registered parties suspected of criminal activity while protecting the privacy of others.

14. A method as in claim 2 with the further step of: characterizing the registered parties activities as unlawful if the agencies are unable to monitor the registered parties communications.

15. A method as in any one of the preceding Claims where the functionality of at least one of the agencies, the registered party, and an authority, in at least one of the steps is implemented in hardware.

16. A method as in any one of the preceding Claims where said make use of said registered party public key is for the encryption of files.

17. A method as in any one of the preceding claims where said other parties Sinclude said registered party. W:marie\GABNODELA88564c.do

18. A method as in claim 2 whereby the said further step is recovery of cleartext information sent between two parties, user 1 and user 2, and where at least one of the following two steps occur: the first subset of said agencies recovers the private key of user 1 or information enciphered under the public key corresponding to user l's said private key; another subset recovers the private key of user 2 or information enciphered under the public key corresponding to user 2's said private key.

19. A method as in claim 2 where said event is generated by following a proper process within said registered party's organization. A method as in any one of the preceding claims which can be used for generating, using, verifying, and recovering cryptographic keys wherein said set of system parameters includes at least three domains F1, F2, and F3 such that F1 is the exponent domain of F2, and F2 is the exponent domain of F3. S"21. A method as in any one of claims 1 to 19 which can be used for generating, using, verifying, and recovering cryptographic keys wherein said set 20 of system parameters includes at least three domains based on r, q, and p such that p 2q+1 4r+3, where p, q, and r are prime numbers. •g

22. A method as in any one of the preceding claims where said registering parties key is y, where y equals g raised to the x power modulo p, where g is a generator modulo the prime p; x is said registering parties private key.

23. A method as in any one of the preceding claims where said registering party public key is based on a number n where only said registering party knows the factorization of n into prime numbers.

24. A method as in any one of the preceding claims where said registering parties key is a homomorphic function. W:marie\GABNODEL~88564c.doc -41- A method as in any one of claims 1 to 23 where registering party public keys are RSA based keys.

26. A method as in any one of claims 1 to 23 where registering party public keys are EIGamal based keys over a specified domain.

27. A method as in any one of the preceding claims where said validation proof includes encryptions using said agencies published parameters.

28. A method as in any one of claims 1 to 26 where said validation proof employs encryptions by trapdoor one-way functions.

29. A method as in any one of claims 1 to 26 where said validation proof claims that the agencies are capable of recovering the private key of said 15 registering party or information encrypted under said registering party public key.

30. A method as in any one of the preceding claims where in step said registering public user sends said registering party public key first, and sends said validation proof at some later time. .0 31. A method as in any one of the preceding claims with the additional steps 0le* of having said registering party generate a private/public pair constituting a signature key which is different from the public/private key pair of step and having said authority certify said public key of said signature key.

32. A method as in claim 31 where use of said cryptosystem is for electronic mail with assured delivery.

33. A method as in any one of the preceding claims where said agencies published parameters and said public keys generated by registering parties are from different key domains. W:Vnare\GABNODELU88654c.doc -42-

34. A method as in any one of the preceding claims where the agencies are a multitude of elements and where said registering party in step generates a validation proof that said registering party cleartext data encrypted under registering party public key is recoverable by a subset of agencies. A method as in claim 2 where the agencies are a multitude of elements organized in a hierarchy where each element is able to recover cleartext data encrypted under keys in its sub-hierarchy.

36. A method as in claim 35 where said registering party in step generates a validation proof claiming that said registering party cleartext data encrypted under registering party public key is recoverable by a subset of agencies. *9 9 9 S 15 37. A method for generating, verifying, using and recovering cryptographic keys substantially as herein described with reference to the accompanying drawings. DATED: 4 August, 2000 PHILLIPS ORMONDE FITZPATRICK SAttorneys for: ADAM LUCAS YOUNG and MARCEL MORDECHAY YUNG W:marie\GABNODEL\86564c.doc