CZ9904106A3 - Auto-recoverable auto-certifiable cryptosystems - Google Patents

Abstract

A method is provided for an escrow cryptosystem that is overhead-free, does not require a cryptographic tamper-proof hardware implementation (i.e., can be done in software), is publicly verifiable, and cannot be used subliminally to enable a shadow public key system. A shadow public key system is an unescrowed public key system that is publicly displayed in a covert fashion. The keys generated by the method are auto-recoverable and auto-certifiable (abbrev. ARC). The ARC Cryptosystem is based on a key generation mechanism that outputs a public/private key pair, and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficient ly to be escrowed properly by anyone. The verification procedure does not use the private key. Hence, the general public has an efficient way of making sure that any given individual's private key is escrowed properly, and the trusted authorities will be able to access the private key if needed. Since the verification can be performed by anyone, there is no need for a special trusted entity, known in the art as a "trusted third party". The cryptosystem is overhead free since there is no additional protocol interact ion between the user who generates his or her own key, and the certification authority or the escrow authorities, in comparison to what is required to submit the public key itself in regular certified public key systems. Furthermore, the system is designed so that its internals can be made publicly scrutinizable (e.g., it can be distributed in source code form). This differs from any schemes which require that the escrowing device be tamper-proof hardware.

Description

The field of the present invention is cryptography. The invention relates to cryptosystems, blessed to store and restore cryptographic keys and cryptographic encrypted data. The imposition and recovery process allows authorized entities, such as law enforcement, government, users and organizations, to be obtained! enabled or, if necessary, clean encrypted data. The invention relates to cryptosystems used in software, but can also be applied to cryptosystems used in hardware.

The prior art

Public Key Cryptosystems (PKC = Key Cryptosystems) allow secure communications between two parties that have not met. The definitions of PKCs have been established by W. Diffiee and M. Hetnan New Cfirections in Cryptography ”, IEEE Transactions on Information Theory, 22, pp. 644-654, 1976. Communization can take place over an insecure channel. In the PKC, each user owns a public E key and a private D key. The E key is publicly accessible by a Key Distribution Center, also known as a CA, after the user's authorization (identification, etc.) has been verified by the registration authority. office. Kflč D is kept private by the user. Key E is used to encrypt messages, while only D can be used to decrypt messages. Key D cannot be derived by calculating from key E. In PKC, side A obtains public key E from side B of the center • ·

-2 • · · * <9 9 9 9 9 * * · · 9 9 9 9

99 · 9 9 ·· 99 »« 9 99 · 9 for cBstribud keys. Side A encrypts the message to help E and sends the result to side B. Party B restores the message by decrypting with the D key. The Dstribud Center has the confidence of both parties to provide the correct public key upon request. PKCs overloaded on the difficult calculation of particular logarithms were published by T. El Gamal, A Publc-Key Cryptosystem Inc. and Scheme Based on Dacrete Logarithms' Signature Scheme Based on Discrete Logarithms, CRYPTO '84, pages 10- 18, Springer-Veriag, 1985.

PKC is convenient to use, allowing users to communicate privately over insecure channels. They can be used to initiate symmetric key systems such as DES (Data Encryption Standard). However, the PKCs have their shortcomings. PKCs can be misused illegally, as there are no measures to ensure that the necessary decryption keys are complied with, which can result in unacceptable illegal communications. Therefore, it is desirable to allow private communications only to law-abiding citizens. The general solution to this problem lies in the obligation of each user to present their private key to the authorized authorities for storing the key to institutions or authorized representatives. In the case of officially wiretapping, the shares from the tightened Silence are forged. Otherwise, the key store authority will offer a way to recover lost private keys in the organization or keys in the file system.

We will give an overview of some key storage systems and show that PKC alone is not enough. US Patents 5,276,737 and 5,315,658 (MtaaN, 1994) show Fair Publc Key Cryptosystems (FPKC) (see also S. MicaK, Fair Public Key Cryptosystems), CRYPTO '92, pp. 113-138 , Springer-Veriag, 1992) that meet the needs of law-abiding citizens and law enforcement (and are based on P. Fektnan, 28th Annuai FOCS). The MIcaRho preferred embodiment shows how to convert a Diffie-Helman PKC and an RSA PKC to a Fair PKC. In a preferred embodiment, a Diffie-Heknan Fair-type PKC is presented. each user, five shares to five Central Trusts (also known as Authorized Third Parties) to «· • ·

-3 * registration of the public code. Therefore, this solution is not advantageous because it requires the use of a small number of authorized bodies and is therefore very centralized. In the invention, the user creates a pair of keys that the private key is stored automatically and can be verified. No third parties are needed. Stored information can be sent to one of many decentralized certification authorities (CAs). In the Mfcal system, each supervisor verifies individual shares. If it is valid, it is stored in the database. Each supervisor then signs the values he has received and passes them to the key management center. These five official bodies are required to secure and manage five private share databases. In the present embodiment, the Ball information is verified by the CA. It has the right form, it is signed and immediately placed in the database, public code. Enough! here Only one private database. Since in this embodiment only the CA is needed to manage all the balls, it is possible to achieve not only possible communication redundancy. In a PKC of the Fair type, only the credentials can verify that the Silence is stored correctly. Authentication is necessary because without it, the user can easily create non-recoverable keys. Anyone can verify them in the invention. This is particularly useful when, for example, a citizen has doubts as to whether a CA can properly secure the custody deposit.

It has been reported that the RSA PKCs of the Fak type do not meet certain legal requirements (J. KBan, F. Leighton, Fair Cryptosystems Renewal - Fair Cryptosystems Again ”, CRYPTO '95, pages 208-221, Springer-Veriag, 1995) a shadow cryptosystem with a public ball can be built. The public silence shadow system is a system that can be built into the silence storage system, and allows illegal users to listen in unserviceably.

The shortcoming of the RSA FPKC is that, de facto, persons violating the Law will use the same secret silence as was provided to the authorities for imposing a silence. Shadow cryptosystems utilize what is known in the art as unregistered channels, existing! in PKC public keys. KMan and Løghton's documentary describes how to convert PKCs to Fai-safe Key Escrow (FKE) systems, specifically showing how to build FKE systems for PKCs based on discrete logarithms similar to the Dreffie-Hefiman system and DSS. In their

-4 ·. * I · · · · · · · · · · · · · · · The user and the authorized authorities, who generalized the public and private keys, logged into the protocol. In doing so, the authorities are convinced that the resulting public MIS does not contain any unregistered information. The user also believes that the keys are stored correctly. This system resembles a Diffie-Hefcan PK Fair system, except for the added redundancy overhead in this protocol. Thus, it has the same drawbacks as the Diffie-Hefenan Fair type PKC. In the invention, the user selects his key independently. In view of the dangers of shadow PKCs, the invention relies on the fact that there is no known way to inconspicuously insert a significant amount of bits into a finite field in modular exposures. Thus, the use of shadow cryptosystems in a logarithm specific PKC seems unlikely.

De Santis et al. we will explain that the silence storage system, where a rumor can only open messages in a session, and nfcofi open to parties suspected of illegal activity. Tlm enhances the idea of Fair cryptosystems. Among the daUf techs that show how to open a user session key instead of a permanent public silence is the Walr and Wlnstone (TIS) method and the IBM SecureWay document. With these silent restore procedures, users need to know and apply the group of agents to each session at the start of each session. However, these procedures can be burdensome for users because they require new protocol extensions used in each communication session, and users must store multiple keys in the PKI.

In the Laundries of E. Verheul and H. van Ttoorge Blnrfing EIGamal: A FraudDetecteble Alternative to Key-Escrow Proposate - An alternative to the suggestion of imposing an abusive detection system based on the El Gamat system, Euiocrypt '97, pages 119-1-33, Springer-Veriag , 1997, an alternative to a scattering design capable of detecting its abuse based on the El Gamat system has been described. This system allows users to send encrypted information along with a brief check that the credential group can recover the encrypted information. This system therefore has the advantage that it does not depend on authorized third parties. However, the system already requires extetuflcl Public Key Infrastructure PKI. And here is the drawback of the Bintfing EtGamaT procedure: nenf-i PKI stored,

Then User A can encrypt public kRC messages using User B's public key and then send the resulting Encrypted message using the Blndng EIGamaT method. In this case, a simple check serves to show that the trustee can restore this text and thus prevents the lawful means of communication of users suspected of illegal activity. Pit abuse of this type is not fraud detectable. Such abuse is possible because User B's private key is not tightened. Software that exploits the Bincfing EIGamaT scheme can be encrypted without difficulty and could interfere with broad-based compliance efforts. The invention describes a procedure for introducing a deposited PKI and therefore does not suffer from this drawback. Similar to the BincSng EIGamaT method, the invention utilizes a general technique of non-interactive controls of zero knowledge value, but the controls of the invention include a novel technique. How to creatively generate these checks has been described in A Fiate and A Sharrara, How to Prove Yoursetf: Prectical Solutions to Identification and Signature Problems - “How to Confirm Your Identity: Practical Troubleshooting for Identification and ροφ® / 'CRYPTO' 86, pages 186-194, SpringerVertag, 1987.

An overview of silence storage patterns appears in D. Denning and D.

Branstad 'Taxonomy tor Key Escrow Encryption Systems', Communications on the ACM, 39, No. 3,1996. The work of N. Jefferies, C. Mitchel, M. Waflcer, and Praposed ArchKecture tor Trusted Third Party Services * - Design of the services structure of authorized third parties, Cryptography: Poflcy and Algortthms, LNCS 1029, Springer, 1996, and R. Anderson The GCHQ Protocol and Its Problems ”- GCHQ and its problems, Eurocrypt '97, pages 134-148, Springer-Vertag, 1997, describe the approach of an authorized third party to be deposited when third parties of the participating users are present at all stages of the silence session.

All known solutions for silence storage suffer from some of the following disadvantages, or most of them:

a) I require means to prevent deliberate disruption or certain hardware applications. This increases the cost of use and slows down implementation.

• ·

-6b) Require the use of Masiftk or otherwise authorized algorithms. This may be impermeable to users who do not trust the safety of the equipment or its operation.

c) They are used in the software and are therefore subject to change, resulting in malfunction and possibly non-monitoring of the communicators. This is, however, an internal problem of any software solution (in this case, only open texts or users can be required to use their software to secure their privacy).

d) require extensive interaction in the protocol to generate silence and / or general use. In addition, this interaction can be accomplished with a small set of centralized entities, thereby creating a potential danger of operational and communication delays. Sometimes it is necessary that the user owns the Silent Trustee and uses them each time a session is initiated, and it is necessary to make modifications to each communication protocol.

e) I require a large number of authorized third parties (TTPs) to participate in the operation of the system. Expanding trust among many parties increases the risk of security breaches and reduces adaptability.

f) Require the generation of cryptographic keys by authorized third parties. A corrupt or otherwise compromised third party may compromise the user's security by intentionally disrupting or disclosing the user's keys.

g) I require securing and managing the database (s) of secret Idlc or secret user shares.

h) Can be used to deploy a public key shadow infrastructure, which completely negates the purpose of the key storage system.

Auto-renewable and auto-verifiable cryptosystems

Due to the above shortcomings, a new mechanism needs to be found, having the following advantages:

-7 • ·· and a ·· «v ·

a) A key tightening system that can be destroyed in the source code without loss of security and thus creates a system that can be publicly investigated to see if it works properly. Furthermore, being a software key tightening system, it can be widely adopted and cost-effective. It supports fast dbtribud system.

b) If the software solution is considered to be unacceptable due to the possibility of modification of the invention, it can be installed directly in the intrusion-protected hardware. However, this will adversely affect the benefits of (a) (e.g., easy distribution).

c) The storage system requires the least amount of protocol interaction between the tightening authorities, CA and user, which is theoretically possible. To register a key, it is sufficient to send a message to one of many CAs. This mechanism is called a key tightening system. By way of comparison, in a preferred embodiment, the PKC of the Fair type sends the user five messages to the trustees, and the other five messages are then sent to the Key Management Center.

(d) A single private database is sufficient for the storage system. This database must only be authorized and its privacy must be preserved to prevent the creation of a shadow PKC. The user's private keys will not be exposed if the database is exposed. This is opposite to the PKC type Fak, in which some database must be maintained and, even if corrupted, the user's keys are also corrupted. Due to this requirement, it is sufficient for the new system to rely solely on the CA to implement and certify user keys, as is the case with conventional public silence systems.

e) The tightening system allows anyone to verify the user's private key. Verification is that the private key is a recoverable key tightening authority with the specified public user ball, certificate, and public parameters. In comparison, for PKC Fair type, this verification is only delegated. This requirement of the new system is called universal verifiability

f) The tightening system can be secured against a shadow public key. It has been shown that Fair PKC systems are not resistant to shadow public squeak, and a

-8 * «·« specifically, they can be misused as part of the disclosure of schemes of other PKCs (J. Klen, F. Leighton, Fair Cryptosystems Revisite — Fair Cryptosystems Again, CRYPTO '95, pages 208-221).

The invention is versatile enough to use either a) or b) (specifically software or hardware). In both cases, requirements (c) to (f) are met.

SUMMARY OF THE INVENTION

In order to meet the above and other features and features described below, the invention introduces a new paradigm into cryptography. The invention describes a method of verifying that a user-created private key is contained in encryption under the public key of the key storage authorities without the need for excessive overhead. In addition, anyone who owns a public silent key storage authority can perform this verification. The invention includes an adjustment process and three functions that process the signal in different ways. These functions are key generation, key verification, and key recovery. In the setup process, in a preferred embodiment, the participants agree on a group of initial public parameters, and the authorities generate a tightened public key and private key privately. Initial parameters and tightened public key are system public parameters. Key tightening authorities, Certification Authority (CA), and system users all have access to public parameters. In the key generation process, create! a user key pair consisting of a public key and a private key, and a recoverability certificate, which is an information string that implicitly encrypts a user's private key with a stored public key. Signal information, including! the user's public key and the recoverability certificate can be transmitted to any entity. In the verification process, the user sends this signal to the verifier. In the verification process the input signal is received, processed and the output is reflected! as true or false. A true result means that the tightening authority can restore the user's private MIC from the renewal certificate. A false result means that the private MIC is not recoverable. The invention is designed so that

-9 · * ·· * «· to prevent the user from generating a public key or a renewal certificate when kH is not tightened, and at the same time the verification process is true and the result is true. In a preferred embodiment, the users certify their public key at the CA's registration authority, which, upon successful verification, signs the public key. The public key, together with the CA's signature on the string that contains the Public Ball, is a certified public key. In more detail, upon the user's public silence and renewal certificate, the CA verifies that the corresponding private CRC is renewable. If this is the case (specifically the result of the validation process is true), the public key is certified and / or made publicly available by the CA. It is only necessary for the user to maintain his public key and to have access to the public key databases containing the other user's public key as in a typical PKI. In the recovery process, CAs use a user recovery certificate obtained from the CA to store the key as an input signal. The key storage authorities process the recoverability certificate, and the resulting output signal will be the corresponding private user code or data encrypted using a public data key.

The invention is useful in any environment in which private keys or keys encrypted with these keys or information encrypted with these keys need to be restored. These environments can be found! in national and international Compliance Offices, the business sector, security systems, etc. Proper storage of private keys implies correct storage of Encrypted Public Key Help Information, and the invention has therefore many uses.

The invention is unpretentious and related. thus, it can be reacted in both hardware and software. When used in software, it can be easily customized to provide the necessary screen functionality, even if it does not endanger! user safety. The software utilization allows for quick and easy dbtribud of the invention since it can be propagated in source code on decets or via computer sff. The invention is also as communication-independent as possible. The only need for communication here is the actual act of distributing the software (or hardware device) and a one-time transmission of the user's public address, a renewal certificate and additional information. The signals can be processed quickly and the signals themselves make up a small amount of information. The invention does not require changes in the communication protocols used in the &quot;

-10typical PKI without storing the key (eg ρΠ loading kHCe session, Key propagation, message transmission security etc.). The invention is therefore compatible with typical PKIs. The invention thus allows for an efficient method of storing and recovering cryptographic keys.

RfcfiM 4? Rjfiki on the bout

The invention will be described with reference to the accompanying figures 1 to 7.

Fig. 1 is a data flowchart in the process of implementing the process of the invention for use with a scoop storage authority.

Figure 2 is a flow chart of the basic steps of the process of generating a pair of publicPrivate key and certificate of recoverability using the invention.

Figure 3 is a flowchart of data in the process of verifying the private scab recoverability.

Fig. 4 is a flow chart of data in the spike-reel process using the invention.

Figure 5 is a flow diagram of data in the government private key recovery process for storing a key.

Figure 6 describes the generic public key system and its main components and operations.

Figure 7 describes a public spike storage system that arises after the application of the invention and its main components and operation.

DETAILED DESCRIPTION OF THE INVENTION

The first preferred embodiment of the invention is described below. Where appropriate, variations on the preferred embodiment will accompany the description of the preferred embodiment. For easier presentation is used transformational • «

-114 · ··· SHA algorithm (Schneier, 2nd edition, pages 442-445), although arbitrary encryption transformation algorithms may be in place. In a preferred embodiment, the voH parameters from the respective sets are uniformly and randomly. Alternative embodiments include changes in the probability distribution from which these values are scented.

The cryptosystem begins with the system setup of the preferred embodiment shown in Figure 1. In the preferred embodiment, the subscriber agrees on a prime number r such that q = 2r + 1 is a prime and p = 2g + 1 is a prime. PffWady values for r that fit this relationship are 5 and 11, but these are small values. The following is a 1024 bit value for r in hexadecimal: fd90e33af0306c8b1a9551ba0e536G23b4d2965d3aa813587ccf1aeb1ba2da824 89b8945e8899bc546dřded24c861742d2578764a9e70b88a11e9953469c7b5b8 9b1b15b1f3d775947a85e709fe97054722c78e31ba20237e1e116362baa4a66c 6da0a58b654223fdo4844963478441albbfad7879864feld5df0a4c4b646591.

The 1024-bit r number is large enough to be used in cryptographic systems. Finding the values of r, q, and p is not as easy as finding a prime, but it is not unreasonable. There is a need for a very efficient algorithm that can be implemented using, for example, a multireire library. Such algorithms include Karatsub multiplication, Montgomery constraint method, scattering strings, and Rabin-Mier probability tests (J. Lacy, D. Mftchel, W. Schel, CryptoLb: Cryptoyaphy in Software * - OryptoUb: Cryptoyafie in Software *, AT & T Bel Laboratories , cryptoB> Qresearch.attcom).

Use the following procedure to efficiently search for large r, q, and p values. However, it is necessary that r is equal to 2. It cannot be 0, because then r would not be a prime number. It can be 1, but then q would be divisible by 3. Also, r mod 5 must be 1 or 4. It cannot be 0 because then r would be lengthwise 5. It could not be 2 because then q would be lengthwise 5. be 3, because then p would be lengthwise 5, etc. This procedure is called tentatively determining the remainder *. Using the experimental method of not giving the remainder, we can quickly eliminate the values for r, q and p before performing the experimental division and prime number search tests. As soon as we do the test Do not give the remainder up to 251, we carry out a test division with r, q and p. If r, q and p are not eliminated, we execute s r, then s, then s p, then s r, then s q

-12 * «··« ·· «·· * · otp. alternately with all three Cista Rabin-MHer's prime test Is-1 some zr, qap pure table, determine r to be equal to r + 2 x 3 x 5 x ... x 251 and repeat everything, starting with the experimental division and with the same set of potential witnesses. In this way, we do not have to carry out an experimental determination of the remainder, as the previous rows for r are found. Once we find r, q and p, we perform further prime tests using possible witnesses that are found using a strong random number generator. If r, q and p pass these tests, they are considered prime numbers and are declared as system parameters.

The participant agrees on the value of g or CA the value of g that generates the elements in the set {1, 2, 3, ..., p-1}, and the odd value of g1 that generates all values less than 2q to 2q relative prime. Note that 2q is a set of multiples and has its generator. The values of g and s are in a preferred embodiment Scho numbers. The values r, q, p, g and g1 are initial system parameters and are publicly accessible without compromising security. They may be elected directly by the competent authorities and / or by anyone else. Once g1 and q are specified, m authorities (m greater than 1 or equal to 1) proceeded to collectively calculate the public storage key of the key (N, g1,2q), also called the stored public key, and private storage keys of the storage authority. keys. To do this, choose i, where i is in the range of 1 to m, choose! randomly the value of z from the set {1. 2, ..., 2r-1}, and then sets Y_i to be equal to g1 raised to this value of mod 2q. The at least one authority will then obtain all information about Y_i from the m-1 remaining storage authorities. In a preferred embodiment, office i, where i is in the range of 2 to m, sends Y_i to office 1. Sending Y_i is described in step 11 of Figure 1. Y is calculated to result in Y J mod 2q from at least one of the offices. Office 1 then verifies that (g1 / Y) is the generator of all values less than 2q and is a relative prime with respect to 2q. If this is not the case, step 12 is performed. In step 12, additional m -1 authorities are requested to select z for the new value, and the process starts again from the beginning of step 11. In a preferred embodiment, Authority 1 also selects z_1 again. In another embodiment, it generates new values for at least 1 and less than m authorities. This procedure is repeated three times as many times as necessary until (g1 / Y) is the generator of all smaller values.

-13 • 4 · «·· 44 ·« · • 4 ·· than 2q, which are relative prime numbers with respect to 2q. One or more tightening authorities then publish Y or make it available to users and CA elsewhere. This is described in step 13 of Figure 1.

Fig. 2 is a development diagram showing the procedure by which the user system generates a double public key and a renewal certificate. Upon receiving the Y signal, which is made available to users by the key storage authorities, the user system continues to generate the key for the users by the Gamakx method (y, g, p). The signal Y may already be included in the invention a priori The invention further selects by randomly selecting the value of k from the set {1, 2, ..., 2r-1}. This is described in step 2004 in Figure 2. In step 2005, the invention calculates C = (g1 raised to k) mod 2q. In step 2006, the invention calculates the private key of user x as ((g1 / Y) raised to k) mod 2q. The invention also calculates y as (g raised to x) mod p.

The system then proceeds to step 2007 and calculates a certificate that any interested party can use to verify that the user's private key is correctly encrypted in C. The certificate contains the value v, which the system calculates as g raised to w mod p, where w is ((1 / Y) raised to k) mod 2q. The public key parameter y fee is recovered from g and in the calculation in the power of C mod p. The system also processes three non-interactive checks of the so-called zero knowledge value and includes them in the certificate. Let n denote the number of repetitions in each non-interactive control. In the preferred embodiment, n is 40. The first control is designed so that the user can verify that he knows kv C. The second control is designed so that the user can verify that he knows k. The last control is designed to the user could verify that he knows k v in the power of C mod p. By saying 'the user knows the value of x' we mean that the system has the value x in its state.

In detail, the system will proceed as follows to construct non-interactive controls. Randomly selects the values e_1,1, e_1,2, ... e_1, n, e_2,1, e_2,3, ..., e_2, to e_3,1, e_3,2, e_3, n from the set {1,2, ..., 2y-1}. For i in the range of 1 to n, the system l1, i as g1 determines the power to e_1, i mod 2q. For i in the range of from 1 to n, the invention determines 12, i as potentiated to dj mod p, where dj is equal to Y power to - e_2, i mod 2q. For i in the range 1 to n, system 13 determines i as y power to ie mod p, where i is (g1 / Y) raised to e_3, i mod 2q. The invention then

-14 calculates the value of md as a SHA transformation of a set created by concatenating pairs l_2, i, l_3, i) for i in the range from 1 to n. Note that md is a function of all values I using an adequately sine kiyptopalic transformation function. In alternative embodiments, the mft transform function may have an effective range of values from 160 bits. The larger range of the transformation function allows substantially higher values of n. each of the bit values b_1.1, b_1.2, ..., b_1, n, b_2.1, b_2.2, ..., b_2, n, b_3.1, b_3.2 ..... b_3, n so that the bytes of the respective 3n are not significant bRy of md. There are many ways in which the invention can safely assign bits md to values belonging to b. Values of b are call bits, and this search method is known as Fiat-Shamir heuristics. The system then proceeds by calculating the response to these white challenges. For i in the range of 1 to 3 and for j in the range of 1 to n statutes! the system zj as ej, j + (b_i, j) k mod 2r. Tfcn ends the description of step 2007 on pebble 2.

The system proceeded to step 2008. In step 2008, the invention outputs parameters C, v, y, (1, 1, i, l_2, i, i_3, i) and (z_1, i, z_2, i, z_3, i) for In an alternative embodiment, the user obtains a value of k at the output of the invention. The user has the option later to interactively check that his private key is recoverable by the silent storage authorities. This will be shown in more detail below. Part of the certificate may also consist of b values. However, this step is not necessary because the b values can be derived directly from the I values.

Thus, the embodiment description has extensively explained how the system is designed to be used by CAs and authorities, and how the system is applied by the user (potential recipients) to generate pairs of the public / private key and the renewal certificate. These certificates are strings showing! to anyone to whom it is submitted that the produced Mlc has publicly specified properties. The following is a description of how the invention and user is to prove the verifier that x is recoverable from C. This process is described in Figure 3. The verifier may be a CA, a silent storage authority, or anyone else who is part of the system.

The verification process of Figure 3 follows. At step 3009, the user genes the public / private silence pair, the x encryption, and the utility certificate of the invention as described above. In step 3010, the user transmits a signal with these parameters to the verifier.

• ·

-15 · * * « _{4 4 4 4 4 4 4 4 4 4 4 4 4} . *,

In step 3011, the authenticator uses the signal to ajBWnt whether the tightening authorities can or cannot recover the user's private key. To do this, the authenticator uses the public key of the user, encrypted C, the certificate and the tightened public key Y.

The manner in which the user signal is processed will now be described in detail. At the output of the authentication system is 0 if the public key and / or certificate is invalid, otherwise it is 1. The invention may proceed to the step of the step and show the verifier that if 0 is received, the public key is invalid. By analogy, the verification system can inform the verifier of a successful vafidad.

When performing the authentication, the verification system does not check that the y is equal to the power of the C mod p. Not the y is equal to the power of the C mod p, states the verification system 0. The verification system then verifies til the non-interactive checks contained in the user certificate. The invention calculates (b_1, i, b_2, i, b3, i,) for i in the range of 1 to n in the same way as during the certificate generation. Remember that this procedure has been described in connection with Figure 2.

For the first non-interactive check, the verification system checks whether gl is raised to z_1, i equals C (l_1, i) mod 2q, is fi b_1, i, = 1 for i in the range from 1 to n. g1 raised to z_1, i is equal to l_1, i mod 2q, if fi_1, i = 0, for i in the range from 1 to n. Don't ask any of these equations, the verification system specifies 0. Tkn ends validating the first non-interactive check .

In a second non-interactive check, the verification system checks whether g is raised to wj equal to l_2, i mod p, is fi b_2, i, = 1 for i in the range from 1 to n. Here, wj is equal to 1 / Y raised to z__2, i mod 2q. The verification system also checks to see if v (power to v_i equals l_2, i mod p, is fi b_2, i = 0, for i in the range of 1 to n. If any of these equations do not apply, the verification system gives a value of 0. Tkn ends checking the second non-interactive check.

In the third non-interactive check, the verification system checks whether g is raised to wj equal to l_3, i mod p if b_3, i = 1 for i in the range from 1 to m. Here, w_i is equal to (g1 / Y) raised to z_3 , i mod 2q. The invention also checks whether y energized to vj is equal to 13, i, if b_3, i = 0, for i in the range from 1 to m. Here, vj is equal to (g1 / Y) raised to z3, i mod 2q. If any of these equality

-16 • o

not valid, the verification system specifies a value of 0, and if all verfenf passes successfully, the verification system specifies a value of 1 on the output.

In Figure 4, the user certifies a public key with a CA. In step 4012 of this procedure, the user generates his public Mlc and certifies recoverability as indicated by <fffve. The user sends a signal to the CA. This corresponds to step 4013 in the figure

4. In step 4014, the CA acts as a verifier and verifies that the user's private code is recoverable by the key storage authorities. So far, steps 4012 to 4014 are the same as steps 3009 to 3011 in the Silent Authentication process in Figure 3. However, CA will also make available Idl that successfully pass on request to others and / or will certify them. If the public key of the user fails the authentication process, the certification attempt is either ignored or the user is notified that the certification attempt failed.

Depending on the requirements of the environment in which the invention is used, users may be required to re-translate additional information to register the public key and confirm that they know the private part of the key without being revealed. This information could be a password, a social security number, a previously used private key, and so on. In the event that the CA is an authorized entity, the CA can simply sign the public key of the user and, upon request, access the key together with the CA's signature. Nenf-fl CA authorized entity, the certificate should be stored in a public file. The certificate together with the renewal certificate should be passed to the key storage authorities, which in turn can ensure the renewability of the Tkn ending with the description of the public key certification process.

Finally, the private key recovery process will be described. This process is described in Figure 5. In this process, the invention uses n key tightening authorities to recover the user's private key based on C. In this process, it receives! C of all key storage authorities as described in step 5015 of Figure 5. In another embodiment, CA sends parameter C and / or other parameters to one or more authorities. Thus, they will possess C. At this point, the key store calculates the value of t i as C raised to z mod 2q. Note that zs is a private key to the Ft's office for key storage. This is done for i in the range from 1 to m. The authorities 2 to m then send individual values t to

-17 ** · »* ·· ** and ·· ·· of Office 1 as described in step 5016. Office 1 then calculates Y raised to k mod 2q as a result of values for ie where i is in the range of 1 to m Office 1 then obtains the private user silence by calculating x - (C / (Y raised to k)) mod 2q. In the field of ex &quot; dattf &quot; procedures for calculating x so that x will be distributed among authorities. These procedures also allow authorities to decrypt messages encrypted with a public key corresponding to x without x being itself seized.

A self-drilling and self-certifying (ARC) cryptosystem has been described. Users of this cryptosystem operate the public key system in the same way as a typical PKI in secure communications. This is schematically shown in Figures 6 and 7. Figure 6 is a typical command key cryptosystem in a PKI environment. I follow the steps that users take. (1) User first reads info and CA address (2) User generates public key private key pair and sends public key to CA CA registration verifies user identity and pubBay public key together with CA certificate for this Mlc, identifying user as owner of this Mlc . (3) In order for another user to send a message to this user, the public key is read from the CA database and the certificate is verified. (4) The message is then handled by a new public key and sent. Figure 7 schematically describes the ARC cryptosystem. The following operations are performed: (0) The Authority generates a stored public key and passes it to CA Steps 1 and 2 are analogous except that control is sent along with the public key. Steps 3 and 4 are the system operator and are identical. Steps 5 and 6 described a case in which keys are recovered from storage. (5} Key storage authority retrieves information from CA (6) The silence storage authority restores the user's private key.

In an alternative to the first embodiment, any sufficiently large subset of authorities may recover a private Mlc x or messages encrypted with a public ball corresponding to x without revealing x itself. This is done independently so that other authorities receive! appropriate values for t This will increase the strength of the system if some or all authorities do not have full confidence or are otherwise unavailable. The authorities may also require that a renewability certificate be sent with the public key and be encrypted so that they can be

-189 4 ·· »· 444 • 4 *

4 4 «

99 user parameters confirmed by the verification process. This ends the description of the private key recovery procedure.

Some other alternatives to the first embodiment of the invention will follow. An alternative embodiment of the invention involves using a public office key in the form (Y, g, 2 (q raised to t)), wherein t is an integer greater than 1. In a preferred embodiment, we are t 1, although other values that may be used I work with prime numbers. Another alternative is to use a result of two or more large beers as part of the public parameters. It goes without saying that the precise structure of the module used can be substantially quenched without departing from the scope of the invention. In another embodiment, an Interactive version of three non-interactive controls may be used. In this embodiment, the system needs to provide the user with a value of k during the generation of the key. This value of k is used during the interactive protocol so that the verifier is satisfied that the key storage authorities can restore the user's private key. Note, however, that the output of k may result in a shadow public key cryptosystem. This follows from the fact that ((g1, C, 2q), k) will be a valid El Gamat's pair of public private mod 2q.

In an embodiment of the invention, the CA or other trusted entity takes on other public key concealment activities. CA selects k, s.t g '= (g raised to k) mod p will be a generator and send the user (g', y raised to k) mod p). The value of g 'is El Gamat's user generator and y' = (y raised to k) mod p is part of the user's final key (g ', y', p). This prevents users from using unregistered channels.

In another variation, users publish public keys that are apt to exchange keys in the Dtffie-Hetiman system as * key exchange. For example, the following poshp can be used. Let a be the private key of user A and b is the private key of user B. Let y_a = (g be raised to a) mod p's public key to user A and let y_b (g be raised to b) mod p's public key to user B. random relations s user B select) random string s. user A then sends m - (y_b raised to a) mod p to user B. User B resumes by calculating m / (y_a raised to b) mod p. session key using a known public function (e.g., aptikacl

-19 • a ·· · «« «« unidirectional transform function). Later, when you need to kick out of the session key store, the credentials can be used to restore with keys a or b, and then the session key.

The following is a description of a second front embodiment of the invention. The rollover transformation algorithm is SHA (Schneier 2nd Edition, pages 442 - 445), although there may be any transformation algorithm at this location. For convenience, we use the least significant points of the transformation results, but maybe a subset of bits. In a preferred embodiment, the parameters are uniformly selected from among their groups or domains. Alternative embodiments include changes in the probability distribution from which these values are selected. These options depend on random number generators or pseudo-random number generators available in the art.

In this alternative, the embodiment shown in Figure 1 initiates a system setup cryptosystem. In a preferred embodiment, the key storage authority i generates a private subtitle DJ and a corresponding public subtitle EJ for 1 <= i <= m. The private DJ shares form a shared private code D. The custodial storage authorities 2 to m send their EJ to the cipher 1 tightening office. This is described in step 11. The key tightening office 1 combines all public EJ shares and calculates the shared public code. E is disclosed by the tightening authorities 1 as described in step 13. Each authority 1 keeps the DJ secret. As a specific example, the key store may generate a prime p and a value of g generating a set of {1, 2, ..., p-1}. According to DJ k choose randomly randomly from the set {1,2, ..., p-1} and EJ = (g raised to DJ) mod p. E is the result of all values of EJ mod p. reafeace with a single office for tightening the kHč.

A procedure similar to that in Figure 2 illustrates how the user system generates a public / private key pair and a renewability certificate. After obtaining (and maximum verifying) the E signal, which is made available to users by KHC tightening authorities, the user system continues to generate El Gamal public key (s, g, p) by the user (T. EIGamal, Ά PubSc-Key Cryptosystem and a Scheme Based Signature). on Discrete Logarithms * - A public key cryptosystem and a signature scheme based on discrete logarithms, CRYPTO '84, pages 10-18,

-20 • 1 · 1 · 1 · ♦ · 1

Springer-Veriag, 1985). The user system compares the private kfiC x uniformly and randomly from the set {1,2, .. ,, p-1} and calculates y as (g raised to x) mod p. This key generation procedure corresponds to step 2006.

The system then proceeds to step 2007 and calculates a certificate that any interested party, especially CA, can use to verify that the private key of user x can be recovered from the renewability certificate P. Let ENC (a, s, E) indicate the encryption of the message by in particular, the public key E using a random event s. Here, the ENC is semantically safe probability encryption with the public key, where the probability encryption uses a s string for the random event. The ENC may be e.g. El Gamat's Encryption or Optimal Asymmetric Encryption (Belare-Rogaway, Optima! Asymmetric Encryption ', Eurocrypt '94). Let DEC be matching! a public key decryption function that is performed in a shared manner. DEC (ENC (a, s, E), D_1, D_2, ..., D_m] = a. Then we get P according to the algorithm:

1. P = 0

2. Proi = 1 to m

3. select randomly r_i from {1,2, ..., p -1}

4. Select two random strings sj, 1 and s_i, 2 for use in ENC

5. QJ = (g raised to r_i) mod p

6. CJ, 1 = ENC (rJ, s_i, 1, E)

7. CJ, 2 = ENC (rj = xmod p-1, s_i, 2, E)

8. add to the end of P (QJ, CJ, 1, CJ, 2)

9th val = H (P)

10. determine b_1, b_2, ..., b_M such that M are the least significant bits val, where {0,1)

11. for 1 = 1 to M do

12. Wj = r_i - (b_i) x

13. ZJ = ((wj), sj "j) where j = 1 + bj

14. add Z_i to the end of P

-21 · · «a a a a a a a a a a a 21 21 21 21 21 21 21

Then P "((Q_1, CJ, 1, C_1,2), ..., (Q_M, C_M, 1, C_M, 2) ₍ Z_1, ..., Z_M). H is a suitable public one-way transformation function (eg (SHA), so b_i can be recovered from P. Values of b are the bits of the prompt and the procedure of their retrieval and use is analogous to Fiat-Shamir's heuristics, based on the user system output at step 2008 (y, x, P). the user can interactively prove that his / her private key x is a recoverable key storage authority This will be described in more detail below M is a sufficiently old security parameter (eg M = 50).

Thus, the description of the embodiment has explained extensively how the system is configured to use CAs and authorities, and how users (potential beneficiaries) work with the system to generate two public & private keys and renewal certificates. These certificates are strings showing! anyone who is presented with the fact that the private key generated by the public key can be restored by the key storage authorities using P. The following describes how the invention is applied by the user to prove the verifier that x is recoverable from P. This procedure is described in Figure 3. be a CA, a key store, or anyone who knows the system's parameters.

The verification process described in Figure 3 follows. In step 3009, the user generates a pair of a private key and a certificate of the invention as described above. In step 3010, the user sends a sipial containing these parameters to the verifier. In step 3011, the verifier uses this signal to verify that the key storage authorities can recover the user's private key. certificate P and stored public key E. The authentication system first checks that y <p. The authentication system checks that all values in P lie in the correct sets. The verification system can check that the C_i, j values for all i and j do not contain any repetitions. The verification system checks that no Q_i is repeated for no i. If any of these verifications fail, then the result is false ”. The authentication system then calculates b_1, b_2, ..., b_M in the same way as in the certificate generation process. For i = 1 to M, the verification system verifies the following! elements:

· 22 · * es es es es es es es es es es

1. ENC (w_i, sJJ, E) = C_i, j, where j = 1 + bj

2. (Q _ ^ (y raised to b_i)) mod p = (g raised to wj) mod p

The authentication system indicates the value "true * if successfully pass all verified, and if the above 1 and 2 for 1 <= i <= M. The invention may switch to other activities and if they give false value ^1, indicate to the verifier that public silence is invalid. Similarly, the verification system can inform the verifier of a successful pass (the verification system specifies true).

In Figure 4, the user certffikije a public key at the CA. In step 4012 of this process, the user generates his public key and recoverability certificate as described previously. The user sends a signal to the CA. This is step 4013 in the figure

4. In step 4014, the CA acts as a verifier and verifies the recoverability of the user's private key by the key storage authorities.

Up to now, steps 4012 to 014 are the same as steps 3009 to 3011 in the key validation process of Figure 3. However, the CA will, in addition, be requested to access and / or certify the Silences that successfully pass the verification. If the user's public silence does not pass the authentication process, the certification attempt is either ignored or the user is notified that the certification attempt failed.

Depending on the requirements of the environment in which the invention is used, users may be required to foresee additional information in order to register the public key and confirm that they know the private part of the key without being disclosed. This information could be a password, a social security number, a previously used private code, etc. In the event that the CA is an authorized entity, the CA can simply dgitally sign the public silent user and, upon request, access the CA with the CA NenHI CA delegated entity (which is not a typical PKI translation), the certificate should be stored in a public file. The certificate, together with the renewal certificate, should be handed over to the Silence Storage Authorities, which, in turn, can ensure the renewability of the Tkn at the end of the public silence certification process. We realize that CA keeps the recoverability certificate, preferably in an encrypted form, under its own Ball together and the authenticity information flow to form a whole.

-23ι «« · ··· «A AS 9 A« «·

Finally, the private key recovery process will be described. This process is described in Figure 5. In this process, the invention uses key storage authorities to recover a user's private key based on P. In this process, ya P receives all m key storage authorities as described in step 5015 in Figure 5. In another embodiment, the CA sends parameters y and P and / or other parameters to one or more authorities. Thus, they will hold y and P. At this point, the storage authorities calculate a subset of their shares D_1, D_2, ..., D_m to decrypt P and open all unopened CJs using, for example, DEC. This is done so that the authority to store the key and restore! He shares the user's private key. In this process, the storage authority i extracts the M values for the unopened C_i'j from P and decrypts them using D_i. The resulting values are associated with values from other key storage authorities, as described in step 5016 of Figure 5. This connection is then used by the authorities to decrypt any unopened CJ-J values. Thus, the key storage authorities know all open texts corresponding to all CJJs. . There are also daBI procedures in the art to restore open text or unopened to unopened C 1, such that unencrypted open text is represented between offices by distribution. The key storage authorities check the open text of each pair of CJ, 1 and CJ, 2 for a pair of values, which, after subtracting mod p-1, is equal to the exponent xvy = (g raised to x) mod p. raised to x) mod p to compare with public y. Once such a double is found, the user's private key was found.

The third front embodiment of the invention will now be described. In this embodiment, system users generate composite public keys. The user system is generated in the same manner as described in patent application pending US Patent 08 / 920,504 (Young and Yung). Note that n is the result of two (preferably sine) prime numbers p and q and s is a string that can be used in conjunction with a public one-way function to derive the upper order of bits n. Let e and d denote a public and private exponent (eg RSA). Here's how P is constructed:

-249 9 9

9999 ··· 9 «

999

1. P = O

2. randomly select the string t_0 mod n

3. read t_0 at the end of P

4. for i = 1 to m

5. choose randomly also from the set {1,2, ..., (p-í Xq-1) -1}

6. calculate also, 2 - d - a_i, 1 mod (p-1Xq-1)

7. Select two random strings s_i, 1 and s_i, 2 for use in ENC

8. t_i = H (t_ (i-1))

9. vj, 1 = (ie raised to aj, 1) mod n

10. v_i, 2 = (ie raised to aj, 2) mod n

11. QJ ^S (t_i, v_i, 1, v_i, 2j

12. C_i, 1 = ENC (a_i, aj.1, E)

13. C_i, 2 = ENC (a_1, 2, sj, 2, E)

14. add (Q_i, C_i, 1, CJ, 2) to the end of P

15th val = H (P)

16. determine b_1, b_2, ..., b_M so that bytes are the least significant bits val, where bj is z {0,1}

17. do ø = 1 to M

18. Z_i = (aJ, j, s_i "j), where = 1+ b_i

19. connect Z_i to the end of P

20. connect s to the end of P

Therefore, P = (LO, (Q_1, C_1.1, C_1.2) ..... (Q_M, C_M, 1, C_M, 2),

Z_1, ..., Z_M, p). In generating a reasonable size, the above-mentioned H may be based on SHA or on the chaining of several α and Bcac1 SHAs. Most likely, ie, there will be a set of elements smaller than n that will be relative prime numbers relative to kn.

The authentication system is somewhat different from the previous. The verification system first checks that n has been selected from the correct set of values Let u denote an integer corresponding to k / 2 of the upper bit order n. The verification system ensures that either H (s) - u or H (s) = u + 1, as described in the patent

-25 US application 08/920, 504 in the present proceedings. The verification system checks whether all values in P lie in the correct sets. For example, the verification system checks whether it lies in the range H and whether aj, j <n (or a certain function n), where j is 1 or 2. The verification system also checks whether elements Q_i do not repeat for any i and whether elements repeat in ZJ for double I. If any of these checks fail, then the result is 'false'. The authentication system then calculates b_1, b_2, ..., b_M in the same way as in the certificate generation process. For the i to M range, the verification system checks the following:

1. ((vj, 1 multiplied by v_i, 2) raised to e) mod n = ie

2. (IJ raised to aj, j) mod n ^with vj, j, where j = 1 + bj

The authentication system specifies true * if the entire authentication is successful and both criteria are met for 1 <= i <= M.

The key storage authorities restore the user's private key as follows. For i in the range from 1 to M, the authorities wj calculate the open texts C 1, 1 and C 1, 2 as the sum of the open texts. If fi is found to be such a value wj that (ie, squared to e (wj) mod n is equal to ie, then wj forms a valid private key RSA corresponding to. It is well known in the art how to decompose n drunk such value wj. The RSA function is a homomorphic function, and the above embodiment is applicable to the homomorphic functions of the analog RSA Note that it is clear from the above embodiment that this control technique to demonstrate that the value is recoverable by the key storage authorities can be generalized to any homomorphic function.

Industrial applicability

The aptatIon of the present invention is a multiple storage system wherein each key storage authority has its own CA and user. When users from two different key storage authorities do! As a security operation, both key storage authorities can retrieve user messages or keys and exchange them under a bilateral agreement. This can also be applied to international activities between several countries.

-26 ········

Another application of silence storage authority systems is a file security system or a file storage system with recoverable silence. Such a system can be reacted on the basis of the preceding embodiments, referred to in the last paragraph. For example, user A may own the file, user B may be the file server, and the credentials may be file recovery representatives. An example of a file is a password, in which case the file recovery agents will be the same as the password recovery agents.

The above description of our first cryptosystem builds on new uses of number theory in cryptography. It shows how to construct a cryptosystem based on three prime numbers with direct arithmetic relationships between all of them. This means that r, q and p are prime numbers such that q = 2r + 1 and p = 2q +1. By utilizing three or more prime numbers with its interrelationships, various cryptosystems of a similar nature to any of the typtosystems described above can be generated. Some of these are described in variations of preferred embodiments. Another relation may be p = 2q + 1 and q = 2rs + 1, where p, q, r, and s are prime numbers and r has a 160 bit bias. Another example is p = 2q + 1, q = 2r + 1 and r * 2s + 1, where p, q, r and s are all prime numbers. Another new use of the theory of numbers is to perform cryptographic operations in an exponent, where operations are eg modular exponentiation. E.g. the second zero knowledge value check in step 2007 of the first embodiment includes proof of knowledge k v v, where v is equal to g raised to w mod p, where w is (Y raised to -k) mod 2q. By using tn or more domains in subsequent exposures, cryptosystems are more flexible and powerful. The teachings of this fact are within the scope of the invention available to those skilled in the art.

The invention is apiofc in a hierarchical system of imposing public silence. Hierarchical Storage System The Swords is a storage system that takes the form of a tree-like data structure. The authorities for storing a key at the root of a tree can decrypt the commsad of all entities corresponding to the nodes of the rest of the tree. Conversely, the key storage authorities in each given node labeled and in the tree structure can decrypt the communication of all entities corresponding to the nodes in the rest of the subtree in which the node is also labeled with the root. At any time, a tree leaf can create another subtree and act as a shortcut (s) to store the Sword. Based

-27 ·· «· β · · correct creation of veitosfi module it is possible to have more shortcuts to save) Silently for any tree node. Suffice it to pass the <ft> verifiability at the root level beginning with the non-modest module and ending with the largest module.

Similarly, the user does not have to make a decision based on a fixed tree to determine the arrangement, but may choose from a subset of silent storage shortcuts and generate their own preferred tree, which is a selected subset of key storage shortcuts arranged according to the relative size of public keys in a row, where n ^ is the root key. This sends the credential structure and ensures that the subset work together to recover the key or information encrypted with the key.

Another system is a certified e-mail system. When a user registers in the system, he or she registers an auto-recoverable public encryption key and a recoverability certificate in the CA, and also registers the public key ροφίβ. When sending certified mail, the following actions are performed. The sender sends a packet containing the encrypted e-mail key under its auto-verifiable public key, the recipient's name, the encrypted e-mail message under the e-mail key, the header indicating the certified e-mail message, its own certified public key and other information. The packet is signed using the sender's private key. Both the packet and the packet on the packet are sent to the recipient. Recipient create! a reverse plank packet, folding! from a permanent return foam header, received message (or sputtered message transformation), and other information. The packet is signed using the receiver's private key and is sent to the original sender. The original sender verifies ροφί5 on the reverse diaper packet. If the β description is valid, the original sender sends the recipient an email encrypted with the recipient's certified public key. This message is sent with the signature using the original user's private signature key. The recipient verifies the signature on the encrypted E-mail Idfčt. If the signature is valid, the company decrypts the e-mail key using its private decryption key. The recipient then decodes the result using the certified public silence of the original sender. The corresponding result of the encrypted text in the first packet sent by the original sender is electronic

-28 »« ·· «» · ·· · mail considered authentic. This key is then used to decrypt and obtain authentic information from the sender. For some reason, if the recipient is unable to contact the original sender after the first packet, the recipient sends the return receipt message and the first packet to the Silent Offices. The Storage Authority of the Controller restores the e-mail key for ensuring that the packet and the forward acknowledgment are authentic and that the packet contains the correct name of the provider. The custodial authorities retain the return receipt message and the packet For ρΓβφοΜβύυ that the check will be successful, the silent electronic mail is sent by ptyemd. This creates a certified electronic mail system based on auto-renewable keys and signature keys, with user registration analogous to user registration in a typical public silence system with CA. It is also known in the art how to use certifiable electronic mail systems of the type mentioned above for signing agreements between two parties. Thus, the above apBcad can also be used.

Thus, a new and improved silence storage system, its variants and applications have been described. The preferred embodiment should be understood as merely an example of some of the many specific embodiments that present the principles and paradigms of the present invention. It is self-evident that many other and alternative embodiments will be readily apparent to those skilled in the art without departing from the scope of the invention.

Claims (2)

PATENT CLAIMS A method for generating, verifying and recovering cryptographic keys on a computer network, comprising at least four parties, agents, authorities, registrants and other parties, characterized in that: a) a set of system parameters of interested parties is created by concluding a contract and recording it in a local processor memory, where the conclusion of the contract contains decisions on the size and types of basic cryptographic tools, types and addresses of public databases, types of communication mechanisms, when creating addresses in the computer network for delivering messages to individual parties and addresses of public bulletin boards news, b) generating agent parameters, generating an agent address on the network, and generating both the agent's private cryptographic key, which is stored in the agent's private memory and correspondingly, using software and hardware! agent's public key, the agents further disclosing at least one of the parameters via a communication network device, (c) a set of official parameters that determine the network location, the selected public public key and the parameters of the agents are generated, and at least one of the official parameters is published using a network communication device; d) generating the registering party's private key using software and hardware, storing the private key in the private memory of the registering party's processor, and generating its corresponding public key using a specified public procedure using at least one of the agent parameters and the official parameters using the software and hardware, (e) the registration party generates a validation certificate, using software and hardware, consisting of at least one bit string, confirming that the registration key's private key has been generated using a specified public procedure; f) the public key of the registering party and the certificate of validity are sent to the authorities by means of a network communication device, (g) the authority verifies the correctness of public key registration together with a validation, and the validation involves the use of a computer program which has at least one received message as input, including a public key, a validation bit corresponding to the public key and output Indication of verification approval or failure verification, 2. version -30 · · · B · · φ φ φ φ φ φ φ φ φ φ φ φ φ φ · Φ Φ «« « (h) only and only if the validation has been approved, the Authority shall publish the public key of the registering party, turning the registrant into a registered party, where the public key of the registering party shall be published by at least one database recording device and sewing, (i) after publication, the other parties receive the registered party's public key and may start using it, retrieving it from the database and using the key as an input to the cryptographic algorithm. The method of claim 1, further comprising the step of recovering, in response to the event, at least one of the agents or authorities, the open text data encrypted by the public key of the registered party, the event determining the conditions in the cryptographic system and the event also includes informing about the need for at least one of the agents and authorities where the open text is restored by means of a communication protocol and a computer program. The method of claim 1, further comprising the step of recovering, in response to the event, at least one of the agents or authorities, the private key of the registered party, wherein the event determines and conditions the cryptographic system. it stores the need for the recovery of the registered party's private key, the event further notifies the need for at least one agent and one authority associated with the communication protocol and computer program for the recovery of the registered party's private key. 4. The method of claim 1, wherein the validation comprises at least one non-interactive zero knowledge control chain generated by a computer program with access to both the private key and the registered user's public key, where the authorities validate the validation by verification. the at least one non-interactive zero-knowledge control chain using a public key access computer program and at least one non-interactive zero-knowledge control chain. 2nd version • 4 4 4 • 4 · · « 445 44 4 · · ♦ -31 5. The method of claim 1, wherein generating, sending, and validating the validation in steps (f) and (g), performs a non-interactive zero knowledge control string protocol in which the registering user is demonstrating and the authorities are verifier, exchanging messages received by the verifier and testing whether they contain predetermined conditions that they must have in view of previous exchanges of information and the public key of the registrant, and where other messages sent by the verifier are prepared based on previously exchanged messages and private the registering user's key and the registering user's public key, at the end of the protocol the verifier decides whether the exchange of information was successful or erroneous. The method of claim 1, wherein the disclosure comprises generating a public key certificate for the benefit of the registrant, the certificate comprising a digital signature of the authorities on the public key of the registrant and other information using the private key of the authorities, wherein said certificate is verifiable using at least one of the published parameters of said authority, the signature of which is performed by the signature computer program device upon receipt of the private office key and the public key of the registering party and other information. 7. The method of claim 1, wherein, upon publication, a public key certificate is generated for the benefit of said registrant, wherein the certificate comprises a digital signature of the authorities to modify the public key of the registrant and other information using the private key of the authorities. using at least one of the published parameters of the Authority, wherein the modification is performed by a device using the new values to modify the representation of the registering party's public key and the signature is performed by the signature computer program based on receiving the authority's private key and the registering party's public key and other information. Method according to claim 1, characterized in that at the time of publication, the public key of the registering party is marked as a valid key in the file by the 2nd version · «· · * • · t ··· ·· · ♦ · and ·« · · * · · «« in ·· -32 public database in accordance with the consent received when compiling system parameters. Method according to claim 1, characterized in that at least one of the following activities is performed using the public key of the registering party: the public key is encrypted, the public key is decrypted, a digital signature is created, the digital signature is verified, the key is exchanged and identify itself, and these operations are performed by the appropriate hardware device with the software computer program, using the registration key's public key for data. The method of claim 2, wherein the event is a proper authorization granted to agents on behalf of a government agency or group of governments, wherein said authorization is signaled to the parties to activate the recovery procedure. 11. The method of claim 2, wherein the recovery of open data is performed to monitor communication of registered parties suspected of illegal activity in protecting the privacy of others, wherein the monitoring is performed by decrypting messages resulting in corresponding messages being signaled by the communication devices of the the law of the executing units. A method according to claim 2, characterized in that the activity of the registered party is declared illegal if the agencies are unable to monitor the communication of the registered parties, which is made at the creation stage and recorded as a system rule by the parties concerned. The method of claim 1, wherein the computing operation of the at least one representative, registered party, and authority is performed in at least one step in the respective hardware device. The method of claim 1, wherein the registered party's public key is used to encrypt files that are organized in a file system, wherein the encryption is part of a file system management and maintenance device. φφφφ · 2nd version «* • · • φ • ΦΦ φφ -3315. The method of claim 1, wherein the additional pages include a registered page. 16. The method of claim 2, further recovering the open text information sent between two pages, user 1 and user 2, wherein at least one of the following two steps occurs: in one subset of agencies, the communication protocol device is used and the user's private key 1 or information encrypted with the public key corresponding to the user's private key 1 is restored, in another subset, the communication protocol device is used and the user's private key 2 or public key information 2. 17. The method of claim 2, wherein the event is generated by following a proper process within the organization of the registered party, which process determines the need for recovering the clear text encrypted by the registered party, and then signals the need for activating the renewal. 18. The method of claim 1, wherein the set of system parameters includes at least three domains F1, F2, F3, wherein F1 is the explanatory domain F2 and F2 is the explanatory domain. F3, and the system parameters are used to select a random value for the cryptographic key in the program to generate different cryptographic keys. 19. The method of claim 1, wherein the set of system parameters comprises at least three domains based on r, q and p such that p = 2q + 1 = 4r + 3 where p, q and r are prime numbers, the system parameters being used to select a random value for the cryptographic key in a program for generating different cryptographic keys. The method of claim 1, wherein the registering party key has a value of y, where y is equal to g raised to x modulo p, wherein g is a modulo generator Version 2 - 34 prime number p, wherein x is a randomly selected private key of the registering party, selected by a computer program using a random bit source. 21. The method of claim 1, wherein the registering party's public key is based on the number n, wherein only the registering party knows the prime n decomposition, wherein the divisors are randomly selected by a computer program on the registering party's processor and placed in private memory, wherein the computer program further multiplies the decomposition elements to form a number n that is part of the registering user's public key. 22. The method of claim 1, wherein the registration page key is based on a homomorphic function that is used to generate cryptographically modified data. The method of claim 1, wherein the registering party's public keys are based on RSA keys and used to generate cryptographically modified data. The method of claim 1, wherein the registering party's public keys are based on the El Gamal system in the specified domain and used to generate cryptographically modified data. 25. The method of claim 1, wherein the validation comprises encryption using published authorized agent parameters, wherein the encryption is part of bit strings. 26. The method of claim 1, wherein the validation comprises one-way failover encryption, wherein the encryption is part of bit strings. 27. The method of claim 1, wherein the validation on success of the validation implies the ability of agents in the future to perform recovery using communication and computing devices, and that they can restore private Version 2 * ··· · and * * * * * in · t · · · ♦ «·« ·· ·· ·· -35 the registration party's key or information encrypted with the registration party's public key. 28. The method of claim 1, wherein a public key is first sent to the registrant by the registering public user by means of a first communication procedure instance, first a public key, and later a validation message is sent using the second communication procedure instance. 29. The method of claim 1, wherein the registrant generates a private / public key pair with private and public signature key generating devices, wherein the private key generates a signature key and the public key generates a signature authentication key, the pair different from the the public / private key pair of step (4), and the authority verifies said public key of said signature key. A method according to claim 31, characterized in that it is used for secured delivery e-mail, wherein the recovery of the clear text data is performed by the communication and computing devices of the authorities and at least one delivery agent if the delivery has not been performed by the registered party and at least once. another side. The method of claim 1, wherein the parameters disclosed by the agents and public keys generated by the registrant parties are from different key domains and generated by different key generation algorithms. 32. The method of claim 1, wherein the agents are a plurality of elements, and the registering party in step (e) generates a validation confirmation on success of the acknowledgment operation indicating that the open data of said registering party encrypted by the registering party's public key is recoverable by a subset of shortcuts when using a recovery device. 33. The method of claim 2, wherein the agents are a plurality of hierarchically organized elements, wherein each element can recover key-encrypted open data in its subordinate hierarchy by a refreshing device associated with the respective level of the hierarchy, the hierarchy being determined as part of system parameters. · · ········ · ··· A method according to claim 33, characterized in that a validation check is generated by the registrant in step (e) declaring that the registrant's open data encrypted by the registrant's public key is recoverable by a subset of representatives.