EP1163752A1 - Optimistic authenticator systems - Google Patents

Optimistic authenticator systems

Info

Publication number
EP1163752A1
Authority
EP
European Patent Office
Prior art keywords
authenticating party
authenticator
party
coin
authenticating
Prior art date
Legal status
Withdrawn
Application number
EP00926087A
Other languages
German (de)
English (en)
Inventor
David Chaum
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1008Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/04Payment circuits
    • G06Q20/06Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/403Solvency checks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409Device specific authentication in transaction processing
    • G06Q20/4097Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
    • G06Q20/40975Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07FCOIN-FREED OR LIKE APPARATUS
    • G07F7/00Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
    • G07F7/08Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
    • G07F7/10Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
    • G07F7/1016Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3218Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3257Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using blind signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • The present invention relates to authentication and transaction systems, and more specifically to secure and/or privacy-protecting techniques suitable for electronic commerce and including credential mechanisms.
  • Public-key digital signatures, being well known in the art, have the property that anyone can verify them. In particular, when such a signature is received, it is almost always verified, often in the process of "recovering" the message content signed.
  • The self-authenticating property of such signatures, which allows anyone to verify a signature, has the known disadvantage for many applications of preventing the signer from exercising control over the verification of signatures. This problem has been addressed by so-called "undeniable" and "private" signature schemes, which allow the party "providing" the message signed to be convinced upon receiving the signature that it is valid and cannot later successfully be refuted.
  • One object of the present invention is to allow an "authenticating party" to issue authenticators without interaction with a "provider party", apart from any request that may be used, and for the provider party obtaining the authenticator to simply verify an ordinary digital signature on one or, preferably, a collection of messages.
  • Another object of the invention is protocols that make it difficult for authenticators to be verified without the cooperation of the authenticating party. Yet another object of the present invention is to offer the possibility of functionality related to that of blinding in blind signature schemes, where the supplier party can hide the correspondence between values supplied initially for authentication and the subsequent verification of their authenticity.
  • Still another object of the invention is to allow the showing protocol of an electronic cash system to be secure and robust without the need for public keys and signatures per coin.
  • Yet a further object of the invention is to provide for so-called "credential" mechanisms, allowing the otherwise untraceable exchange of authenticators between digital pseudonyms and without the need for the cumbersome so-called "cut-and-choose" protocols used in prior art systems.
  • A further object of the invention is to allow users in a credential system to have multiple pseudonyms of the same type. Still further objects of the invention include practical, efficient, and secure methods and means for achieving the other objects of the invention. Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.
  • FIG. 1 shows a combination flow-chart, block diagram, functional diagram, cryptographic and communication protocol diagram, and transaction processing schema for an exemplary embodiment in accordance with the teachings of the present invention.
  • FIG. 2 shows a flowchart related to the embodiment of Fig. 1 and in accordance with the teachings of the present invention.
  • FIG. 3 shows a protocol notation for an exemplary credential system establishment protocol in accordance with the teachings of the present invention.
  • FIG. 4 shows a flowchart for an audit mass proof of authenticator validity in accordance with the teachings of the present invention.
  • FIG. 5 shows a set of flowcharts, 5a, 5b, and 5c for the overall function of an embodiment of a system in accordance with the teachings of the present invention.
  • Authenticating parties "issue" items of information called "authenticators" to parties called "providers". Later, these authenticators, or values derived from them, are returned to the authenticating party and each is either "agreed" by the authenticating party to be a valid authenticator or not agreed.
  • The authenticators are elements in a group where the so-called "discrete-log" problem is believed to be hard, such groups being well known in the cryptographic art. Also in these embodiments, authenticators are formed by raising provided elements to a power secret to the authenticating party.
  • Digital signatures are preferably used to commit the authenticating party to the authenticators issued and also to those that are agreed or not agreed.
  • Techniques allowing the authenticating party to convince others that digitally-signed sets of pairs are in fact properly formed are also shown. Also shown are techniques for "blinding" authenticators, such techniques being
  • novel blinding is applied.
  • the process for accepting a blinded authenticator, such as a coin in an electronic cash system, is also detailed in a way that could be adapted to blind signatures and overcomes problems with existing blind signature accepting protocols.
  • Another exemplary embodiment shows how the values to be authenticated need not contain apparent redundancy, as is typical with signature schemes, but rather can be made known to the authenticating party in advance through a mix system that preserves privacy and unlinkability. (Improvements over known prior art functionality and efficiency are detailed later.)
  • A blind signature-like system, called a "blind authenticator" system, comprises an authenticating party that can compute a secret function: exponentiation by a secret power s in a group where the discrete log is believed hard.
  • A "payer" can obtain such an s power on any group member by providing the number to be exponentiated to the authenticating party and compensating the authenticating party for making the authenticator (such as by allowing a corresponding withdrawal from a checking account).
  • A redundancy scheme is fixed for the system, such as the familiar one where valid numbers are the result of applying a fixed agreed function "h" to a "pre-image" number "p", where such h(p) is a member of the group.
  • The payer may wish to protect itself against the authenticating party claiming that the authenticator had already been received.
  • One known way to do this is first to provide a "commitment" to the values of p and/or the authenticator to the authenticating party; the authenticating party then provides a "conditional acceptance", or acknowledgement, that this particular value has not been previously spent.
  • Such a commitment might include other transaction data, such as the payee.
  • This conditional acceptance would carry a time "window" associated with it, being a range of times during which the payment will be accepted if sufficient additional information is supplied and verified.
  • The window is used to prevent the authenticating party from permanently blocking a valid payment by claiming that it has already been committed.
  • If the bits are chosen carefully, such as being a prefix of a hash function applied to the usual encoding of the group element, then twenty to fifty bits might suffice, giving a correspondingly low probability of successful cheating per attempt, depending on the penalty, up-front cost, or probability of penalty for attempted cheating.
  • The values of p, the p_i, used could be generated cryptographically from a seed by the payer, and so would require almost no storage. Transmission costs could also be reduced (and storage size as well, if regeneration is not used) simply by taking p from a set that is of sufficient size to reduce collision probabilities to an acceptable level.
  • The secret exponent s can immediately be applied by the authenticating party to h of the first component, and the result compared for equality with the second component. If they are equal, the authenticating party can be confident that the "coin" is validly signed.
  • The authenticating party, in known fashion, can simply keep a list of those coins already accepted, referred to as "marking" the coin, and mark new coins atomically as they are accepted.
  • The value p would be associated with the marked coin, which itself would be indexed by (i.e. searchable by) the information readily deduced from the form shown in phase one.
  • The payer may be concerned, in some settings, that the authenticating party will falsely claim that an authenticator is not valid or that it has been previously spent. If the claim is that the authenticator is not valid, then it will be possible in principle to prove that it is not valid without revealing the true authenticator, such as by using techniques developed in the context of undeniable signatures. An alternative would be simply to show the authenticator. This authenticator can then be verified, by known "zero-knowledge" or "minimum disclosure" proof techniques for instance. Of course this procedure assumes that the coin is marked as spent before the authenticator is revealed, so that the authenticator revealed cannot simply be spent. Effective countermeasures to the threat that the authenticating party would falsely claim that a coin had already been spent are known.
  • Instead of revealing p initially, the payer reveals k(p), a public one-way function applied to p; the authenticating party commits to the fact that such a k(p) has not been previously accepted, and gives a time window during which no other such value will be accepted but during which the payer must provide the value of p and the authenticator.
  • A prefix of the bit representation of p is provided first, and this is what is used as the key in the search for double-spent coins, where the whole value of p is stored.
  • Once the authenticating party commits, such as with a digital signature, to accepting the coin, the full value of p can be revealed and the transaction completed.
  • If the authenticating party is presented with a prefix of p for an already spent coin, then all it has to do is make the full value of p known at that point.
  • Another potentially improved approach would be for the one-way function to be applied to both p and the signature, f(p, h(p)^s). This way, if the authenticator is later revealed by the authenticating party in showing that the one presented is invalid, the commitment signature by the authenticating party contains in effect a commitment, in the form of f(p, h(p)^s), to the purported authenticator.
  • A single one-way function need not be used, but this may be more convenient and efficient and prevent certain attacks.
  • arrows in Fig. 1 show messages between the payer on the left and the authenticating party on the right.
  • The notations in the margins show actions by the party on that side: those on the left for the payer and those on the right for the authenticating party.
  • Square brackets enclose the message numbers, to be described in more detail.
  • the payer produces two values potentially at random, which may be physical, algorithmic, or a combination of random sources, involving one or more parties and/or keys.
  • the first is p, the pre-image and payment number, which is a group element as already mentioned.
  • the second, b is actually used as an exponent, and should ideally be chosen uniformly from the set of such exponents, related to the order of the group.
  • This preparation, shown in the left margin of Fig. 1, is not shown as a step in Fig. 2 for clarity.
  • The first message [1] in Fig. 1 is formed by the payer in two operations. First, the public, fixed one-way function h is applied to the pre-image p. Second, the result of the first operation is raised to the b power, of course within the group, as is implicit and already mentioned. This message is sent to and received by the authenticating party (as with all such right-pointing arrows). Again, as this is a computation by the provider, it is not shown in Fig. 2.
  • the authenticating party may expect to receive something additional not shown for clarity as compensation for making the authenticator, as already mentioned.
  • The authenticating party proceeds in two parts. First, the message [1] is raised to the authenticating party's secret power s, as already mentioned. Second, the resulting number is signed, denoted by the "sig" function application, by the authenticating party using a public-key or undeniable signature scheme, as are well known in the art, and not shown in Fig. 2 for clarity.
  • The authenticating party typically knows the private key used to make the authenticator; the corresponding public key is typically made public in an authenticated way.
  • the resulting authenticator is provided by the authenticating party to and received by the payer, as with all such left-facing large arrows of Fig. 1.
  • the payer may wait an arbitrary amount of time before proceeding.
  • Multiple p's could be signed in parallel as a batch, and the single signature could apply to all of them.
  • Hash or compressing functions can be applied to the message content before signing, as is well known.
  • the payer may also wish to verify the signature received.
  • It would be possible for the authenticating party to prove, in the zero-knowledge or minimum-disclosure sense, that the s power was really applied.
  • the protocols here create other kinds of protection for the authenticating party, to encourage the authenticating party not to require such proofs in ordinary operation.
  • The payment could also simply be made instead to the payer's own account, and then new authenticators obtained later if the wait is too long.
  • The payer may show the signature [2] and a pre-image under a one-way function (not shown or mentioned before, for clarity) of b; this would substantiate the bad authenticator by the authenticating party.
  • The payer must compute the inverse of b, which will be called c, such that applying c as an exponent to something that has b applied results in the cancellation of the two exponents. It is believed that this is reasonably accomplished in the exemplary setting of a discrete log system of known prime order by computing c as the multiplicative inverse of b modulo the group order.
  • The next computation made by the payer shown is that the one-way and/or hash function f is applied to a pair of arguments.
  • the first argument is simply p.
  • the second is the "unsig" of message [2], the quantity raised to the c power.
  • The "unsig" notation refers to the widely known property of message recovery from signatures, where, for certain signature schemes, in checking the signature or otherwise, the value signed can be readily obtained.
  • The payer can, at its option or even based on probabilities it assigns, verify and retain the signature by the authenticating party. This signature, if valid and retained, can be used later in case the authenticating party shows that the authenticator issued in message [2] was invalid, as mentioned above.
  • Message [3.1] is the result of the last margin computation by the payer. It is the public one-way function f applied to the pair p and what should be the s power of h(p). Of course, if the authenticating party has returned an improper authenticator as message [2], the form may differ, but this may be detected earlier or later, as has been mentioned.
  • Message [3.2] is simply f applied to the pair p, "payee", where payee could, for instance, be the account identifier of the party to be paid. The intention is
  • The first is simply the value of p associated with the marked message and the second is the actual s power of h of the associated p, which the authenticating party could store, but could also simply regenerate at this point (assuming authenticators are unique).
  • The payer receiving this message pair basically gives up: either the payer is honest, and then the payer becomes convinced that someone else has already chosen the same p; or the payer is trying to cheat and has sent the number in previously, hoping that the authenticating party would forget, which it has not.
  • The payer has essentially no recourse because no [4a] is held, as will be described.
  • the flowchart of Fig. 2 ends at this point.
  • The main branch is that message [3.1] has not been marked and the authenticating party enters the next phase towards accepting the payment.
  • Such a temp mark is completely separate from a mark.
  • the temp mark is, as the name implies, temporary. It prevents any temp marked message
  • Fig. 9 returned by the authenticating party to the payer.
  • This message is shown in Fig. 1 as a signature on two items. The first is the message [3.1] submitted. The second is the corresponding [3.2]. At this point, following the main path, the payer is to provide, as shown in Fig.
  • The second path is where [5.1] and [5.2] are seen by the authenticating party to be inconsistent, because the authenticating party can take [5.1], apply h and the secret power s, and see that the result is not [5.2].
  • A proper value for [5.2] is generated (by the authenticating party from p, by again applying h and then raising to the s power), and this value is used to create a proper [3.1], by prepending p and applying f; this value is marked and p is associated with it. This procedure prevents p from ever being accepted in payment again.
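The acceptance side of Fig. 1, from message [3.1]/[3.2] through the temp mark, the window, message [4], messages [5.1]/[5.2] and the final mark, as an added example in Python (not code from the patent; every name is this example's own). It uses toy group parameters (P = 2·1439 + 1, a safe prime) so the block stays short; at this size the secret exponent is trivially recoverable, which does not affect the bookkeeping being demonstrated. SHA-256 followed by squaring stands in for h, and the signature on message [4] is stood in for by an HMAC tag (a constructed stand-in; a deployment uses a public-key signature so the payer can show [4] to a third party). The demo runs the main path, a re-spend of the same p, a second payee contending for an open window, a late [5.1]/[5.2] after the window closed, and the inconsistent path that burns p.

```python
"""Optimistic acceptance of an authenticator ('coin'): temp marks, a time window,
permanent marks.  Added example, not the patent's code; names are this example's own."""
import hashlib
import hmac
import random

P, Q = 2879, 1439      # toy safe prime and the order of its quadratic-residue subgroup


def h_to_group(p):
    """Stand-in for h: SHA-256, then squaring into the order-Q subgroup (never 0 or 1)."""
    x = 2 + int.from_bytes(hashlib.sha256(p).digest(), "big") % (P - 3)
    return pow(x, 2, P)


def f(*parts):
    """Public one-way function over a tuple: length-prefixed SHA-256, hex digest."""
    m = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.hexdigest()


class AuthenticatingParty:
    def __init__(self, seed=7, window=60):
        rng = random.Random(seed)
        self.s = rng.randrange(2, Q)                       # secret exponent
        self.sig_key = bytes(rng.getrandbits(8) for _ in range(32))  # HMAC stand-in key
        self.window = window
        self.marks = {}     # f(p, h(p)^s) -> p : permanently spent
        self.temp = {}      # f(p, h(p)^s) -> (window end, f(p, payee)) : temp marked

    def authenticator(self, p):
        return pow(h_to_group(p), self.s, P)

    def phase_one(self, m31, m32, now):
        """Receive [3.1] = f(p, h(p)^s) and [3.2] = f(p, payee)."""
        if m31 in self.marks:                     # already spent: answer with the stored
            p = self.marks[m31]                   # p and its s power, payer gives up
            return "already_spent", (p, self.authenticator(p))
        pending = self.temp.get(m31)
        if pending and pending[0] > now and pending[1] != m32:
            return "window_held_for_other_payee", None
        self.temp[m31] = (now + self.window, m32)  # temp mark, separate from a mark
        tag = hmac.new(self.sig_key, (m31 + m32).encode(), "sha256").hexdigest()
        return "conditional_accept", tag           # message [4]: commitment to [3.1],[3.2]

    def phase_two(self, p, auth, payee, now):
        """Receive [5.1] = p and [5.2] = the authenticator, inside the window."""
        m31, m32 = f(p, auth), f(p, payee)
        pending = self.temp.get(m31)
        if pending is None or pending[0] < now or pending[1] != m32:
            return "no_open_window"
        del self.temp[m31]
        proper = self.authenticator(p)            # h(p)^s recomputed, not trusted from [5.2]
        if auth == proper:
            self.marks[m31] = p                   # mark, atomically with acceptance
            return "accepted"
        # [5.1]/[5.2] inconsistent: mark the *proper* [3.1] so p can never be paid again
        self.marks[f(p, proper)] = p
        return "rejected_bad_authenticator"


def demo():
    ap = AuthenticatingParty()
    log = {}
    p1 = b"payment number 0001"                   # constructed pre-images throughout
    a1 = ap.authenticator(p1)                     # what an honest issuance returned
    log["commit"], _ = ap.phase_one(f(p1, a1), f(p1, "merchant-A"), now=100)
    log["pay"] = ap.phase_two(p1, a1, "merchant-A", now=130)
    log["respend"], (p_back, _) = ap.phase_one(f(p1, a1), f(p1, "merchant-B"), now=200)
    log["respend_reveals_p"] = p_back == p1
    p2 = b"payment number 0002"
    a2 = ap.authenticator(p2)
    ap.phase_one(f(p2, a2), f(p2, "merchant-A"), now=300)          # window open to 360
    log["contended"], _ = ap.phase_one(f(p2, a2), f(p2, "merchant-B"), now=310)
    log["late"] = ap.phase_two(p2, a2, "merchant-A", now=400)      # window closed
    p3 = b"payment number 0003"
    bad = ap.authenticator(p3) * 4 % P            # a wrong [5.2] (4 is in the subgroup, != 1)
    ap.phase_one(f(p3, bad), f(p3, "merchant-A"), now=500)
    log["bad"] = ap.phase_two(p3, bad, "merchant-A", now=510)
    log["burned"], _ = ap.phase_one(f(p3, ap.authenticator(p3)), f(p3, "merchant-A"), now=520)
    return log


if __name__ == "__main__":
    print(demo())
```

The window check in phase_two uses the time supplied by the caller rather than the wall clock so the flow is reproducible; the same function called with a real clock gives the behaviour the text describes, including the authenticating party's inability to hold a valid [3.1] hostage beyond the window it signed in [4].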
  • Another type of blinding is preferably also included, but has not been shown in the figures or described in detail yet for this embodiment, in the interest of clarity in exposition.
  • This second type of blinding enters multiplicatively in the base, as opposed to in the exponent as with the first type already shown.
  • A pair of values g and g^s are typically and preferably made public by the authenticating party initially, to serve as a kind of public key.
  • The second type of blinding comprises multiplying the value supplied for authenticating by g^c, for a blinding exponent c chosen by the payer, and then dividing the result returned by the authenticating party by (g^s)^c.
  • The preferred blinding, being the combination of the two types, would give an initial message of the form g^c h(p)^b, and the value returned by the authenticating party would then be of the form (g^c h(p)^b)^s.
  • The unblinding operation would include dividing out the (g^s)^c factor, by multiplying by its multiplicative inverse, and raising the result to the power that is the inverse of b.
  • The group structure preferably is known to be cyclic. If the authenticating party knows that the blinding is only of the first type, then it can "mark" a value provided for authentication simply by using an exponent different from s, and then it can recognize
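The issuing exchange with both kinds of blinding, as an added example in Python (not code from the patent; every name is this example's own). It generates a 128-bit safe-prime group at start-up to keep the run short (a deployment would use a 2048-bit or larger group), stands in for h with SHA-256 followed by squaring, omits the signature on message [2], and uses an independent exponent c for the base blinding (the text reuses the letter c, which earlier denoted the inverse of b). It also plays the exponent-marking misbehaviour just described: a party that answers with s' instead of s gets back a recognisable h(p)^s' when only exponent blinding is used, but not when the two kinds are combined, because a stray g^(c(s'-s)/b) factor survives unblinding.

```python
"""Blind authenticator issuance with exponent and base blinding.
Added example, not the patent's code; every name here is this example's own."""
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rng, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits, rng):
    """(P, Q, g) with P = 2Q + 1 prime; g = 4 = 2^2 generates the order-Q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4


def h_to_group(p, P):
    """Stand-in for the fixed public one-way function h: pre-image bytes -> subgroup.
    x in [2, P-2], so x^2 mod P is a non-trivial element of the order-Q subgroup."""
    x = 2 + int.from_bytes(hashlib.sha256(p).digest(), "big") % (P - 3)
    return pow(x, 2, P)


class AuthenticatingParty:
    def __init__(self, P, Q, g, rng):
        self.P, self.Q, self.g = P, Q, g
        self.s = rng.randrange(2, Q)          # secret exponent s
        self.g_s = pow(g, self.s, P)          # (g, g^s) published as the public key

    def issue(self, m, exponent=None):
        """Message [2]: m^s (the digital signature on it is omitted here).
        `exponent` lets the demo play a dishonest party that 'marks' with s' != s."""
        return pow(m, self.s if exponent is None else exponent, self.P)

    def verify(self, p, auth):
        """Check made when (p, auth) is later shown: h(p)^s == auth."""
        return pow(h_to_group(p, self.P), self.s, self.P) == auth


def blind(p, P, Q, g, rng, base_blinding=True):
    """Message [1] = g^c * h(p)^b.  c = 0 gives exponent-only blinding."""
    b = rng.randrange(1, Q)
    c = rng.randrange(1, Q) if base_blinding else 0
    return pow(g, c, P) * pow(h_to_group(p, P), b, P) % P, (b, c)


def unblind(resp, b, c, P, Q, g_s):
    """Divide out (g^s)^c, then raise to b^-1 mod Q (Q prime, so b^-1 = b^(Q-2))."""
    t = resp * pow(pow(g_s, c, P), P - 2, P) % P
    return pow(t, pow(b, Q - 2, Q), P)


def demo(seed=2024):
    rng = random.Random(seed)
    P, Q, g = safe_prime_group(128, rng)       # 128 bits for speed; deploy with >= 2048
    ap = AuthenticatingParty(P, Q, g, rng)
    p = b"pre-image chosen by the payer"       # constructed sample pre-image
    m, (b, c) = blind(p, P, Q, g, rng)
    auth = unblind(ap.issue(m), b, c, P, Q, ap.g_s)

    # Exponent marking: a dishonest party answers with s' != s, hoping to recognise
    # h(p)^s' when the coin is shown.  Works against exponent-only blinding; fails
    # against the combined blinding, where a g^(c(s'-s)/b) factor survives unblinding.
    s_marked = (ap.s + 1) % Q
    target = pow(h_to_group(p, P), s_marked, P)
    m1, (b1, c1) = blind(p, P, Q, g, rng, base_blinding=False)
    shown1 = unblind(ap.issue(m1, s_marked), b1, c1, P, Q, ap.g_s)
    m2, (b2, c2) = blind(p, P, Q, g, rng, base_blinding=True)
    shown2 = unblind(ap.issue(m2, s_marked), b2, c2, P, Q, ap.g_s)
    return {
        "honest_accepted": ap.verify(p, auth),
        "issuer_saw_h_p": m == h_to_group(p, P),   # False: message [1] is blinded
        "marking_vs_exponent_only": shown1 == target,
        "marking_vs_combined": shown2 == target,
    }


if __name__ == "__main__":
    print(demo())
```

The payer cannot check h(p)^s itself without s; what it can do, as the text notes, is retain the signature on message [2] and the blinding values so that a bad authenticator can be substantiated later.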
  • FIG. 3 will be considered as a formalism, like a formula, and for clarity will not be labeled with callouts.
  • uppercase letters denote public keys
  • the corresponding lower-case letters denote the corresponding private keys.
  • B is the public key related to private key b.
  • Lowercase letters additionally denote temporary variables, such as random padding doubling as blinding keys like "r".
  • the downward arrows denote the direction of flow of the message shown immediately to their right.
  • a message is shown mainly as a set of nested rectangles, each corresponding to a layer of encryption.
  • the key used to form the encryption is shown in the circle on the right side of the message; the content of the message is
  • variable appearing outside of the rectangles and circles denote those that would, or at least could, be known to the entities that send and/or receive the messages.
  • the values on the left of the boxes are carried along with the boxes and serve as the input, at the top, and output, at the bottom, of the whole cascade.
  • On the right are the public keys of the mixing parties.
  • Each person obtains k pseudonyms, but all the pseudonyms are mixed up and indistinguishable as to owner, in a single huge batch (this may be referred to as an "indistinguishable multiplicity"). More generally, then, for each class of organization, each individual would obtain the same number of indistinguishable pseudonyms. For instance, each person might be able to have three pseudonyms with banks, but only one with the driver license organization.
  • The first message shown, at the top of Fig. 3, as per the notation, indicates three nested layers of encryption, one to be stripped off by each of three organizations A, B, and Y, using their respective private keys a, b, and y, as the message travels through them, all as well known and described in the referenced article on Mixes. As each layer is stripped off, a blinding value is revealed. A pair of values is passed between the successive stages of the mix, with the left-hand value being a single residue class or group element in the discrete log system. The initial value of this first component is simply the root value that would be present for all the pairs corresponding to the same individual. The letter p is used, as in the payment system already described, simply for notational convenience.
  • The first mix A uses its private key a to remove the outer layer and recover the blinding key r. Since this is the first mix, by convention, it applies the one-way function to p (although this could have been done in advance, and would have made the operations by each mix the same). Then A applies the blinding key in the exponent and also a related key as the exponent on the public generator g, used in establishing the public key of the system, as already described.
  • The related key, shown as r', could be, and preferably is, an independent key sent concatenated with r, or the two could be algorithmically related, such as r' being a one-way function of r. Passed on to the second mix B are both this residue and the remainder of the nested encryption once the layer and the value r have been removed.
  • B removes the outermost layer of encryption using private key b (unrelated to the blinding key used in Fig. 1 and Fig. 2, but denoted by the same letter for clarity) and recovers the blinding key s (likewise a reuse of the letter: this s is B's blinding key, not the authenticating party's secret exponent).
  • The output of this second mix is then the nested block stripped back one more layer than received by B, and the residue modified using the blinding key s.
  • First the residue received is raised to the s power, and then this value is multiplied by g, as already described, raised to the other blinding key s' (which is related to s as r' is to r). Again, in a similar way to B, Y transforms the input pair.
  • The person who has presumably chosen r, s, and t, and formed the layered mix message from them, can construct the output digital pseudonym as a power of g and a power of h(p), as would be obvious to those of skill in the art, just as described for the mixes.
  • When the user receives a secret-power authenticator on one such pseudonym, used with one organization Y, the user can transform it into the same secret power on a second pseudonym, possibly used with a different organization Y'.
  • The exponent used to transform the h(p) power is calculated modulo the order of the group as the inverse of the blinding exponent on the h(p) in the first pseudonym times the exponent on the h(p) in the second pseudonym.
  • the factor formed as a power of g, including the secret exponent of the authenticating party, can be transformed by multiplying by the public key raised to the multiplicative inverse of the blinding
  • the pairs can be from the issuing side or the showing side.
  • Issuing-side pairs comprise the raw value supplied by the provider as a first component and the authenticator issued by the authenticating party as the second component.
  • showing-side pairs
  • a hash value H is computed as a cryptographic function of all the elements of all the pairs. This way, the authenticating party cannot manipulate any element without causing an unpredictable and large change in the hash H.
  • the value H is then used to determine exponents for each component, as indicated in step 4.2. This, as will be appreciated, would be done in a way that resembles each exponent being an independent random value, except that they are all chosen as disjoint parts of a suitable cryptographic sequence that is an expansion of H.
  • each first component is raised to its power and the product of these is determined; similarly, each second component is raised to its power and their product is formed.
  • a conventional proof can be given that the exponent relating the two products is the same as the exponent relating the generator g and the public key. Such proofs are well known in the art.
  • Fig. 5a shows an overview for completeness of the authenticator issuing process, already described in detail.
  • the provider party is shown supplying the raw value to be authenticated to the authenticating party.
  • a potential step during which the provider blinds the raw value responsive to blinding key information is not shown for clarity.
  • the authenticating party is shown using its private key information to produce a corresponding authenticator. This is then returned to and received by the provider in box 5.3a, and, preferably at the same time, some way to hold the authenticating party accountable for having issued the particular authenticator responsive to the particular raw value is used.
  • the first box 5.1b indicates that, if blinding has been applied in box 5.1a as already mentioned but not shown, unblinding would be performed by the provider after the authenticating operation by the authenticating party.
  • when an authenticator is shown to the authenticating party, it is provided along with the raw value by the provider or an intermediary party and received by the authenticating party or an agent having the needed keys. Then, and not shown for clarity, the authenticating party determines whether the authenticator is in fact a valid authenticator corresponding to the raw value.
  • the authenticating party makes its decision known regarding the purported authentic pair.
  • the authenticating party commits somehow, such as by signature or by whatever notary technique, to the fact of agreement or lack of agreement to the purported authentic pair.
  • in Fig. 5c, various showings of validity and invalidity by the authenticating party are shown.
  • one embodiment would have all three types of proofs applied periodically: that the issued pairs are valid, 5.1c, that the agreed pairs are valid, 5.2c, and that the disagreed pairs are invalid, 5.3c.
  • the first two could be combined and the last could be only on demand.
  • some embodiments might not require proofs unless a party wishes them, or only partial or random audit might be used.
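The periodic audit of issued pairs (hash H over all elements, one exponent per pair expanded from H, the two products, and a proof that the exponent relating the products equals the exponent relating g to the public key) as an added worked example in Python; it is not part of the patent. The toy group parameters, the hash-to-group map h, the SHA-256 expansion of H and the Chaum-Pedersen style proof with a deterministic nonce are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure sizes): p = 2q + 1 with p and q prime,
# g generating the order-q subgroup, as in the description's discrete-log setting.
P, Q, G = 1019, 509, 4

def h(raw: bytes) -> int:
    """One-way map of a raw value into the order-Q subgroup (assumed choice)."""
    v = int.from_bytes(hashlib.sha256(raw).digest(), "big") % (P - 1) + 1
    return pow(v, 2, P)  # squaring lands in the quadratic-residue subgroup

def keygen(x=None):
    """Authenticating party's secret exponent x and public key y = g^x."""
    x = x or 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def issue(x: int, raw: bytes):
    """Issuing-side pair: (raw value mapped into the group, its secret-power authenticator)."""
    m = h(raw)
    return m, pow(m, x, P)

def _hash_mod(*parts: int) -> int:
    """SHA-256 of the parts, reduced to a nonzero exponent in [1, Q-1]."""
    data = b"|".join(str(v).encode() for v in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def batch_products(pairs):
    """Step 4.2: H over every element of every pair, exponents expanded from H,
    then the product of the first components and of the second components."""
    H = _hash_mod(*[v for pair in pairs for v in pair])
    exps = [_hash_mod(H, i) for i in range(len(pairs))]
    p1 = p2 = 1
    for (m, a), e in zip(pairs, exps):
        p1 = p1 * pow(m, e, P) % P
        p2 = p2 * pow(a, e, P) % P
    return p1, p2

def prove_audit(x: int, pairs):
    """Authenticating party's proof that log_g(y) equals log_p1(p2) (Chaum-Pedersen style)."""
    p1, p2 = batch_products(pairs)
    w = _hash_mod(x, p1, p2)  # nonce derived deterministically from the secret and statement
    t1, t2 = pow(G, w, P), pow(p1, w, P)
    c = _hash_mod(G, pow(G, x, P), p1, p2, t1, t2)
    return t1, t2, (w + c * x) % Q

def verify_audit(y: int, pairs, proof) -> bool:
    """Auditor's check: accepts only if every pair in the batch is consistent with y."""
    t1, t2, z = proof
    p1, p2 = batch_products(pairs)
    c = _hash_mod(G, y, p1, p2, t1, t2)
    return pow(G, z, P) == t1 * pow(y, c, P) % P and pow(p1, z, P) == t2 * pow(p2, c, P) % P
```

A single forged authenticator in the batch changes the second product by a nonzero power of g, so the relation between the products no longer matches the public key and the proof cannot verify.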

Abstract

This invention relates to a digital authentication system (see figure) that can be used in place of signature schemes. Instead of letting the provider of the message convince itself upon receipt that an authenticator is valid (2.4), as is the case with signature schemes, it is optimistically assumed that the authenticating party does not cheat. The parties can wait for the periodic audit for the validity of all the authenticators assumed valid, at showing and even at issuing, to be established with high probability. Nevertheless, traditional digital signature techniques can be used to sign the authenticators at issuing, at least in batches, to provide a kind of evidence that can be used should an authenticating party cheat. One example application is electronic cash payment protocols, for which additional techniques are presented. Another example application is untraceable credential systems, and further techniques are also presented in the context of such an application in the credential field.
EP00926087A 1999-04-15 2000-04-17 Systemes d'authentificateurs optimistes Withdrawn EP1163752A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US12938099P 1999-04-15 1999-04-15
US129380P 1999-04-15
PCT/US2000/010398 WO2000064088A1 (fr) 1999-04-15 2000-04-17 Systemes d'authentificateurs optimistes

Publications (1)

Publication Number Publication Date
EP1163752A1 true EP1163752A1 (fr) 2001-12-19

Family

ID=22439680

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00926087A Withdrawn EP1163752A1 (fr) 1999-04-15 2000-04-17 Systemes d'authentificateurs optimistes

Country Status (3)

Country Link
EP (1) EP1163752A1 (fr)
AU (1) AU4467200A (fr)
WO (1) WO2000064088A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI115098B (fi) 2000-12-27 2005-02-28 Nokia Corp Todentaminen dataviestinnässä
US9563881B2 (en) 2008-06-27 2017-02-07 Microsoft Technology Licensing, Llc Fair payment protocol with semi-trusted third party

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4969189A (en) * 1988-06-25 1990-11-06 Nippon Telegraph & Telephone Corporation Authentication system and apparatus therefor
US5560008A (en) * 1989-05-15 1996-09-24 International Business Machines Corporation Remote authentication and authorization in a distributed data processing system
US5418854A (en) * 1992-04-28 1995-05-23 Digital Equipment Corporation Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0064088A1 *

Also Published As

Publication number Publication date
AU4467200A (en) 2000-11-02
WO2000064088A1 (fr) 2000-10-26

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20010921

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

AX Request for extension of the european patent

Free format text: AL;LT;LV;MK;RO;SI

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20010116