ES2410679B1 - METHOD FOR ENCRYPTING AND DESCIRATING INFORMATION - Google Patents

Abstract

Method to protect confidential information. # Includes: #i) encrypt information by means of a public key generated by a trusted third party (T); and # ii) decipher, a user or member (U {sub, 1}, U {sub, 2},?, U {sub, t}) of a group of authorized users (U), said encrypted information by means of a private key generated by said third party trust (T). # Also comprises generating, by said third party trust (T), said public key as a common public key and a plurality of different private keys, one for each of said users (U {sub, 1}, U {sub, 2},?, U {sub, t}), each of said plurality of different private keys being associated with said common public key and can be used for said step of decryption ii).

Description

Method to encrypt and decrypt information.

Technical field

The present invention relates, in general, to a method for encrypting and decrypting information in an asymmetric cryptosystem and, more particularly, to a method comprising different private keys, one for each user of a group of authorized users or members, associated with A common public key.

Prior art

All encryption and decryption systems published to date (DES, TDES, AES, RSA, ECC, etc.) share the property that each encryption cable has one and only one corresponding decryption key, which allows text retrieval Simple encrypted with the first [1] [2] [3] [4] [5] [6] [7].

In symmetric cryptography, the same key is used both to encrypt and decrypt a message or document. This key must be kept secret and the participants (sender / receiver) must have means (transmission through private channels, etc.) to ensure that only they know this key.

In asymmetric or public cryptography, each user has an assigned key, the public key, known by the user community, thus allowing any user in the community to send a message to a particular user using their widely known public key. This public key has an associated private key, which belongs to the recipient and that only he knows, that allows decryption of the encrypted messages received. The system is designed in such a way that deriving the private key from the public key is a computationally irresolvable mathematical problem. In this case, in addition, each public key has one and only one corresponding private key.

For both systems, symmetric and asymmetric, the encryption and decryption procedures follow the same steps, as indicated below:

-

Key Generation

-

Information encryption. This process requires a protocol or algorithm that uses both the encryption key and the simple message to be encrypted as inputs.

-

Decryption and recovery of the original information. This process requires a protocol or algorithm that uses both the decryption key and the encrypted message as inputs.

As indicated above, many other encryption systems have been proposed, such as DES, TDES, AES, RSA, ECC, etc., and some of them have been patented. However, none addresses the problem that the present invention solves, since in each case one and only one decryption key is associated with each encryption key. This means that if several users need to share certain encrypted information, they are forced to share their private keys as well, which is a serious inconvenience from the point of view of security, privacy and authenticity.

-

Problems with existing solutions

Conventional cryptosystems, both symmetric and asymmetric, allow the transmission of confidential information via encryption keys. In symmetric cryptosystems, the keys are kept secret and shared by both the sender and the receiver: the first encrypts the information and the second deciphers it. These types of cryptosystems have advantages, such as speed, efficiency, reduced key length and easy implementation; but also disadvantages, such as difficult key exchange, keys with a short service life and problems signing encrypted information. The security of these cryptosystems is based on keeping the keys secret: in practice, an exhaustive search is the only viable option to violate this type of cryptosystems.

In asymmetric cryptosystems, there are two different keys. One of them is publicly known (the public key), by which the information is encrypted; while the other is kept secret by the recipient (the private key), thus allowing decryption only to its owner. In this type of cryptosystems, security is based on the difficulty of deriving the private key from the public key. Such difficulty is normally based on some kind of mathematical problem, whose solution is considered irresolvable.

In some of the cryptosystems described above, each encryption key is associated with a single decryption key, the only one that can reverse the encryption process carried out using the encryption key. If two different people must be allowed to decipher a certain encrypted information, there is no other possibility but to share the decryption key.

However, sharing a secret key carries serious security risks for the entire system. It would be very interesting to have a cryptosystem in which any information encrypted with a given key could be decrypted using different keys. This would allow several people to decipher the same information using different keys, which can be kept secret.

Description of the invention

It is necessary to offer an alternative to the state of the art that overcomes the aforementioned problems suffered by existing solutions.

To this end, the present invention provides a method of protecting confidential information, comprising:

i) encrypt information through a public key generated by a trusted third party (T); Y

ii) decipher, a user or member (U1, U2, ..., Ut) of a group of authorized users (U), said encrypted information by means of a private key generated by said third party of trust (T).

Unlike the known proposals, the method of the invention comprises generating, by said third party trust (T), said public key as a common public key and a plurality of different private keys, one for each of said users (U1 , U2, ..., Ut), each of said plurality of different private keys being associated with said common public key and may be used for said decryption stage ii).

This invention proposes a new type of cryptosystem that can be considered as a variant of a public key cryptosystem since it uses different keys for encryption and decryption processes (and is therefore asymmetric). However, in this proposal each public key has a series of different associated private keys, so that any of these can be used to decrypt a message encrypted with the first one. Therefore, the correspondence between private and public keys is not one to one but many to one.

This invention allows any user belonging to a set of authorized users to decrypt a document that has been encrypted with a given public key, but using its own private key, which is different from the private key of other users. The third part of trust (T) is responsible for the generation of the common public key and the private key of each user.

The invention solves the problem of accessing confidential information in corporate environments, where such information should usually be kept reserved for a (normally small) set of authorized users.

Other embodiments of the process of the invention are described according to the attached claims 2 to 7 and in a later section relating to the detailed description of various embodiments.

The new feature of the proposed system is the possibility of generating an arbitrary number of private keys associated with the same public key. Each time a new user joins the group of authorized users, a completely new private key is provided that corresponds to the same common public key, shared by all users in the group. The new user can access any information encrypted with the common public key using their own private key.

Brief description of the drawings

The foregoing and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the accompanying drawings, which should be considered in an illustrative and non-limiting manner, in which:

Figure 1 shows the general scheme to encrypt and decrypt information.

Figure 2 shows the proposed protocol for encryption / decryption, according to the method of the present invention in one embodiment, with its different phases.

Detailed description of various embodiments

This document presents a procedure that consists of an encryption and decryption system that implements several private keys, kept secret by their owners, associated with a single public key. The system then allows you to encrypt any message with a given public key and decrypt it with any of the private keys associated with the public encryption key.

The present invention solves the problem of protecting confidential information in corporate environments so that no one except a set of users has access to it. Confidential information is protected by encrypting it with the public key. Each user in the set of authorized users has a personal private key (different from the private key of any other user) that allows you to access confidential information.

This procedure allows the generation of the keys for a trusted third party (T), which in turn will generate the common public key and the private key of each user in the set of users authorized to access the confidential information. T sends the private key to the corresponding authorized user through a private channel. The user must keep his private key secret.

In addition, a third party of trust (T) such as that required is easy to implement in the context of a company, corporation or government institution, where such entities normally already exist.

The general procedure that allows the encryption and decryption of a document follows the following steps, as shown in Figure 1:

-

 Key Generation

-

 Encryption of the information to be protected using the appropriate password.

-

 Decryption of encrypted text using the appropriate key.

This invention proposes a method for carrying out the processes of encryption and decryption of the information, once the keys have been generated by T, such that a generated encryption key has an arbitrary number of corresponding decryption keys, all of them allowing the decryption of any encrypted text with the encryption key.

The security of the proposed cryptosystem is based on the computationally irresolvable nature of three mathematical problems. These problems are as follows:

-

 Integer Factoring Problem (IFP): Given a positive integer n, find its prime factorization; that is, write n = p1 e1 · p2 e2 ··· pkek where pi are cousins distinct by pairs and each ei ≥ 1.

-

 Problem of discrete logarithm (DLP): Given a prime number p, a generator g of Zp * and an element y in Zp *, find the integer x, 1 <x <p – 1, so that gx = y (mod p ).

-

 Subgroup discrete logarithm problem (SDLP): Let p be a cousin and q be a prime divisor of p – 1. Let G be the unique cyclic subgroup of Zp * of order q and let g be a generator of G. The problem of discrete logarithm in subgroup in G is as follows: Given p, q, gyy in G, find the only integer x, 1 <x <q – 1, so that gx = y (mod p).

Once T generates and verifies the keys, the phases of the protocol proposed in this invention are as follows, as shown in Figure 2:

-

T encrypts the information that must be protected using the generated encryption key.

-

 Decryption of the information stored or transmitted, carried out by any user through their

own decryption key, personal and secret, which is different from other private keys. A more detailed description of each phase will be presented below. The corporation, company or government institution is considered as the T, which wishes to distribute in a restricted way certain documents or corporate information.

The following paragraphs describe the protocol to be followed according to the proposed procedure. Key generation Let T be the third trusted party and let U be the set of authorized users for decryption. To generate your

keys, T follows the following stages:

a) T selects two large prime numbers, p and q, that satisfy p = u1 · r · p1 + 1, q = u2 · r · q1 + 1,

where r, p1 and q1 are prime numbers, u1 and u2 even integers, whose greatest common factor is gcf (u1, u2) = 2, is

say, so that u1 = 2 · v1 and u2 = 2 · v2 and mcd (v1, v2) = 1. To ensure the security of the protocol, the size of r, that is, its bit length, must be large enough so that the problem of discrete logarithm in subgroup of order r of the integers module n, Zn *, is computationally irresolvable.

b) T calculates n = p · q,

φ (n) = (p – 1) (q – 1) = u1 · u2 · r2 · p1 · q1, λ (n) = mcm (p – 1, q – 1) = 2 · v1 · v2 · r · p1 · q1, where mcm represents the least common multiple, φ (n) is Euler's phy function and λ (n) is Carmichael's function.

c) Next, T selects an integer α

* so that its multiplicative order modulo n is r and the following formula is met: mcd (α, φ (n)) = mcd (α, u1 · u2 · r2 · p1 · q1) = 1.

The subgroup Zn * generated by α will be indicated as Mr. Generator α can be obtained efficiently [8]. In fact, according to [8], the first stage is to determine an element g

* whose order is λ (n). The procedure consists of randomly choosing an element g * and verifying that g raised to all possible divisors s of λ (n), module n, is different from 1 in all cases.

This procedure is fast since the factorization of λ (n) is known and only has a few prime factors, so that the list of its divisors can be easily calculated. In case the randomly chosen element does not satisfy this condition, another must be chosen and the procedure repeated.

Once the element g has been determined with order λ (n), the generator α searched is calculated as α = g2 · v1 · v2 · p1 · q1 (mod n).

d) T generates a random secret number s in Sr of Zn * and calculates

β = αs (mod n) (1)

The values (α, β, r, n) are made public, while T keeps the values (p, q, s) secret. Although the r-factor of p – 1 and q – 1 is known and n is the product of two cousins, p and q, there is currently no effective algorithm that can extract the two factors from the integer n.

To generate the keys of the members of the set U, T carries out the following process:

a) First, T determines its private key by randomly generating four integers a0, b0, c0, d0 Zr. He then obtains the common public key for all users, (P, Q), calculating

P = αa0 · βb0 (mod n), (2)

Q = αc0 · βd0 (mod n). (3) Since P and Q are elements in the Sr subgroup, it follows that

P = αa0 (αs) b0 (mod n) = αa0 + s · b0 (mod n),

Q = αc0 (αs) d0 (mod n) = αc0 + s · d0 (mod n),

and therefore there are two integers h, k  Zr, so that h = (a0 + s · b0) (mod r), k = (c0 + s · d0) (mod r).

b) Next, T determines the private key for each user of the set U, taking into account that all users will share a common public key ( P, Q). For each user Ui in U, T calculates four integers ai, bi, ci, di Zr, verifying that

h = (ai + s · bi) (mod r), k = (ci + s · di) (mod r).

or, equivalently, ai = (h - s · bi) (mod r), (4) ci = (k - s · di) (mod r), (5)

Since T knows the values s, h and k, it determines as many private keys as it deems necessary to provide all users in U your personal private key. For it, T generates pairs of random numbers, bi, di Zr and, then, calculates the corresponding values for ai, ci Zr according to what was presented above.

Once T has obtained the private keys, it distributes them, upon request, to authorized users through a secure channel. Each user Ui can verify that the T key is correct by checking the following identities: α ≠ 1 (mod n),

αr = 1 (mod n). In addition, each user must check if the known public key corresponds to their private key. To do this, just check that the following two equations are met:

P = αai · βbi (mod n),

Q = αci · βdi (mod n).

Following this protocol, each user is in possession of a personal private key that corresponds to a key

public shared by all users in U.

Encryption

To encrypt a document, message, or any other information, m

 Zn, T follows the following stages:

a) T generates a random number x

Zr.

b) T calculates the following values:

A = αx (mod n),

 (6)

B = βx (mod n),

 (7)

C = m (P · Q) x (mod n).

T publishes the encrypted message as the triplet: (A, B, C).

Decoded

An encrypted message, (A, B, C), can be decrypted by an authorized user Ui by following the following steps:

a) User Ui requests one of the private keys already generated by T.

b) T checks if the user is authorized to decrypt the message. If so, send one of the keys

private, either (ai, bi, ci, di).

c) Ui verifies that the key of T is correct by checking if the following equations are met:

α ≠ 1 (mod n),

αr = 1 (mod n). d) Ui verifies that its private key really corresponds to the public key determined by T by checking if the following equations are met: P = αai · βbi (mod n), (8)

Q = αci · βdi (mod n). (9)

e) By means of its private key (ai, bi, ci, di), the user Ui calculates the following values:

H = A– (ai + ci) (mod n), (10)

K = B– (bi + di) (mod n). (eleven)

f) Finally, Ui retrieves the original simple message, m, calculating the product

H · K · C (mod n) = m. (12)

Taking into account the formulas given in (6) and (7), the described protocol actually retrieves the original message from the encrypted text since equations (10) and (11) are equivalent, respectively, to the following expressions:

H = α – x (ai + ci) (mod n),

K = β – x (bi + di) (mod n).

Considering now equations (8) and (9), the product in (12) gives rise to the message m as follows:

H · K · C (mod n) = α – x (ai + ci) · β – x (bi + di) · m (P · Q) x (mod n)

= α – x · ai · α – x · ci · β – x · bi · β – x · di · m (P · Q) x (mod n)

= (αai · βbi) –x (αci · βdi) –x · m · Px · Qx (mod n)

= P – x · Q – x · m · Px · Qx (mod n) = m (mod n). Security Unless a user can solve the DLP, he cannot determine the secret value of T or his private key,

only from the knowledge of its own private key and the common public key. Therefore, the scheme is safe. In fact, calculating s from α and β = αs (mod n) would imply the ability to calculate discrete logarithms in the

subgroup Sr, of order r generated by α, which is impossible since r is selected in order to do the problem irresolvable. In addition, from the data known to Ui, specifically,

A = αx (mod n), B = βx (mod n), C = m (P · Q) x (mod n),

It is not possible to determine any of the secret values generated by T. It is even impossible to determine x, the value chosen by T to encrypt the message, since this would imply that the user could resolve the SDLP in the subgroup Sr of order r.

The private key of T, (a0, b0, c0, d0), was generated randomly and it is known that equations (2) and (3) are met.

However, calculating any of the values in this key would imply resolving the DLP. In addition, two users, Ui and Uj, in possession of the private keys (ai, bi, ci, di) and (aj, bj, cj, dj), respectively and that therefore can retrieve the message m, they could conspire to try to obtain the secret value s of T. Each one of them could calculate:

Ai = A– (ai + ci) (mod n),

Bi = B– (bi + di) (mod n), Aj = A– (aj + cj) (mod n),

Bj = B– (bj + dj) (mod n).

Sharing knowledge of the previous values, they could also calculate: Ai · Aj = A– (ai + ci + aj + cj) (mod n) = α – x (ai + ci + aj + cj) (mod n),

Bi · Bj = B– (bi + di + bj + dj) (mod n) = α – x · s (bi + di + bj + dj) (mod n),

Ai · Bj = A– (ai + ci) B– (bj + dj) (mod n) = α – x (ai + ci + s · bj + s · dj) (mod n),

Bi · Aj = B– (bi + di) A– (aj + cj) (mod n) = α – x (s · bi + s · di + aj + cj) (mod n).

However, none of these values jeopardizes the cryptosystem, since the determination of s or x would again be equivalent to resolving the DLP or the SDLP.

Below is an example of a possible implementation of the entire process for the proposed invention.

The example includes key generation, the encryption process carried out by the trusted third party and the decryption process carried out by two different users, with their own private keys. The key lengths for this example will be selected in the currently recommended range, in order to thwart possible attacks, including those related to the factorization of integers of module n, or those related to the discrete logarithm problem, whether in the multiplicative group of integer module not in a subgroup thereof, of order r.

In the following, the third part of trust is T and the number of users with allowed access is a maximum of 5:

U = {U1, U2, U3, U4, U5}

1. Key generation

Proceeding as explained previously, T generates its private key and the common public key for all the users: u1 = 74, u2 = 188, r = 7438317952 9767870861 1026433250 5488611319 37882039, p1 = 1314733836 0857434496 4640010127 2860788933 1152206812 7752380069 2253819002 5632104871

1052604345 8673641821 29767,

q1 = 4311478116 4195091430 0085436277 2362821135 0636990601 1576213821 1969700369 0148313634 2531804130 4755111666 5333, p = 7236762139 2935431996 9367198184 4410156272 1688576612 5012505794 5070152182 4340805762

2714032432 2349209627 0209823621 5406755829 5365497108 3719198837 6535750506 3563,

q = 6029187274 5191980699 0447101873 4773030526 7231922444 8917525115 3597251095 2557421185 2251019755 3803367506 3943419251 8447741361 8120140073 2466480557 6929019494 9557, n = 4363179419 8950958945 0412860891 8377911366 9214605945 2842779060 7437338443 7118414617

5012051953 6765703406 0058967948 3435575027 1137371636 9008870975 1279697114 4880061358 7086501562 6071069685 9755169437 2296989016 3615215423 5147515243 9413820875 8772002353 49483891991991991991991991991991991991991991991991991991991991991999091691908909169198

φ = 4363179419 8950958945 0412860891 8377911366 9214605945 2842779060 7437338443 7118414617

5012051953 6765703406 0058967948 3435575027 1137371636 9008870975 1279697114 4878734763 7672688821 3375088255 9697251118 5498096966 4557822420 4237648503 6136131053 1824505848 276077372749270213991 0273302909302309302309302160330230330230316031603309303302

λ = 2932907310 1459502503 4117915023 0340597126 9675989883 4302201719 3903654559 2056585776

7207452081 2691825954 3014169335 3870661004 6711098360 4688296052 3713645978 9253123648 5164260805 3691444645 5998189178 1931265555 5320404827 7591597993 6439912145 4808237724.

5620408701 4857952624

Then, T generates an element g

 Zn * of order λ and get an element α Zn *, of order r:

2164498313 9869584125 6410712031 g = 4740007684 9077106429 2929895130 9579827420 0664446080 7278283833 8019227369 4680458823 2229234249 5660670911 2464738702 3970764967 8647569232 1560534483 9104695237 0488739787 2974540826 2017118129 4519740462 3866925242 2940233312 8724281995 9553099264 3896691499 9549847095 5036223286 2006116775 85801540,

3625102795 0399630232 7243202122 α = 7054926820 1500268509 4754142275 0960569458 2402444770 3441186307 8520471079 3351085505 5514820801 4655475548 7879710693 2661678657 4798165267 4144163197 8707743301 1545277581 7488689226 99380598194231405486 9393493279 4866136131 2570552511 7567522121 2809706163 7591387712 1152713144 1176644785 2169067.

Then, T generates a secret number s Sr and the element β:

s = α6601654491 6585025442 2657696824 5166944130 62149908 (mod n) = 2681968120 2107353020 5798673029 4162972399

0725592471 3979107913 4626943945 2004604672 3482881696 4576072567 6963835490 9274802212 2162568035 2786052251 2398465926 2571427181 0704907717 2283544315 2771442322 1108219877 3315613189 7998437356 4827671064 1830023651 1353196532 0001574387 7276767548 4834654245 8075436849 7481664401 72746669,

β = αs (mod n) = 1185871960 8387311474 7737702957 6834008361 7309967117 0956454977 2596350617 8232059847 1528998015 9538624841 2276515005 5328123748 1186140375 7026276625 7459027199 05022799597279797279277279277279277279277279277279277279277279277279277279277279277279277279777279779777279777279777279777279579277279277279579277279579277279777279777279777279779777297279777279779479777279177277125

9541117943 3970693292 1868728850 8878698501 7409392198 6555369477 4658586426 0532404. After this, T determines its private key, (a0, b0, c0, d0) (Zn *) 4 and the public key, (P, Q), to be shared with users in the G set:

a0 = 4679513566 8507790231 4543634446 6248896569 95348145, b0 = 1345675385 8221926194 4657694619 0592536072 11273321, c0 = 6698082883 5922341861 0590460419 6627086807 34096935, d0 = 4736269886 2863214987 2218775699 5600011595 68030325, P = 8199045698 3670940934 6677579071 1886972220 5576992566 5022761329 7926803447 6447869477

5704488453 6135876830 4130915724 5367085687 4098780703 7927442194 2102687545 2930169412 7641230284 7844794287 6203772092 2684322687 2602675172 5196830546 5649643822 8563180087 1040733082 0909479209349479274709509349474207

Q = 3163797974 2161631365 3950234045 1614154674 1314039919 9775479720 8330784248 6751487194

5599373588 7388357141 0850439496 7875884459 9771127223 9226385271 8268225474 6882363214 5975200065 8888545328 0841640112 3511407492 5174762706 7579269446 2576945749 4759235236362.

3881972212 8712683684 2894355328 7639408814 6886524359 0632974921

In order to generate private keys for users in G, T calculates the following values:

h = 4244110345 8795196102 8205118610 3409296250 46897225,

k = 5637717146 8220933286 3177216054 1806285120 89709035.

Then, T generates the random values bi, di Zr *, for i = 1, 2, 3, 4, 5 and determines the corresponding values for ai and ci, thus obtaining 5 private keys, which will be distributed to each user in the G set through some private and secure channel:

(a1, b1, c1, d1) = (6014506049 5012852928 5945795214 3629017944 26055953, 2902525644 5567828321 5671620197 7765564567 96519371, 7420158040 5607970356 1432064981 5630058768 61772396, 027701627 0276276276276276276276276276276276276276276276276276276276276276276276276276276276276276276276276276167

(a2, b2, c2, d2) = (7209544318 7722408270 3069088620 8038057623 50753376, 6718235058 1732404851 5818700544 4641902795 42615363, 3908373869 5915470192 0038378154 2944092998 59784736477907477107477107477107477107477107477107477107477107477107477107447

(a3, b3, c3, d3) = (5601368956 1085871119 5128418965 5924675078 71446397, 1704606299 1437129766 4878059339 0894327534 08456867, 7242755884 2976609103 0900265413 4673195920 9951010303021091010303023091010303023091010302

(a4, b4, c4, d4) = (3696000002 0793852112 4685131772 4223122989 31651096, 5503112277 3916718420 0616799984 7970621310 21179114, 1527811699 8925450092 5338793815 5352799704 897829609601307175, 97109601305

(a5, b5, c5, d5) = (4529917007 3496264189 7364413586 3469884461 08575890, 6186850548 3596866239 1480835652 6440051070 15566256, 5454203136 4176524793 2860241601 881258344 6225041488888408406404408382408408408408382304408388348408382

2. Encryption The message to be encrypted is encoded as a decimal number: m = 3917849503 6550893685 6866292013 9758128030 8861662846 6182308361 5964747188 8962740107

9018758326 4096547013 3619340696 3702063268 8061438861 3019152478 8630161021 8172. Assuming that the following is a random number: x = 9739468663 6610809772 5706652055 8459594466 54280704. Then, the encryption of the message m is the following triplet: (A, B, C): A = 2819778566 1388673464 1463579694 5586390662 3130602093 0277044170 1337064856 7238551278

6820137425 0630794558 7734114911 5279575220 8142451933 8456584695 5668461828 6560029868 2921269625 0131674878 1625102816 0589967306 6473445245 6769759378 0116314767 4263972484 528015915 8986199288289119289283125

7256162148 9673809419 1722988397 B = 3191066211 6929405288 7819615962 4889440142 7755536684 6424341685 9276463632 3803409057 2973998842 7952620252 0481696301 1793668973 6377053331 0083077474 3459633072 9786129194 8087952561 4345827196 7018899322 8106484802 4157994258 1193963010 4910072873 9587012872 1842233053 3550384531 5589650927 5017179,

3360842406 1555838153 2453052561 C = 6775892634 0404039481 5096372532 7539220906 1397833066 2815708593 9411969347 0248312333 4941794062 3005932403 7404058108 0795737291 4522671935 4876580560 4096305842 4390758039 5142794954 3517564108 8758541659 6388872251 1361788436 0578767256 9930795637 1490007365 7776855993 4429959956 0423911131 85252076.

3. Decryption

Any user in U, to whom the correct private key has been attributed, can carry out the decryption protocol, thus recovering the message. Take, for example, user U1. This one calculates

H = A- (a1 + c1) (mod n) = 2796367158 2895655510 3971358808 0149744555 6836342717 7796269235 3602075650 4134017517 0981615719 1532170058 4655732297 7849751789 2244780523 3932246389 4909233463 3633778624 8654974042 8322408644 31007633465826677492 6070627265 0508224469 9085657406 5693437051 8700099106 8356679316 0890952697 8672434058 7512258039 3425102356 79949585,

K = B- (b1 + d1) (mod n). = 2916355102 8946222268 9397655322 9573284939 6469049240 0836696742 5101160851 5257582540 0528544232 9876921254 1225913026 0339135113 2302192917 4978619543 9083704341 6039308292 7244141272 2188306282 9138241224 8998241983 1970813044 9333754486 9391440516 1743584259 5525814471 8091975786 6372306645 9308145588 8312827513 9434654682 41222144.

So,

H · K · C (mod n) = 3917849503 6550893685 6866292013 9758128030 8861662846 6182308361 5964747188 8962740107 9018758326 4096547013 3619340696 3702063268 8061438861 3019152478 8630161021 83030161021

that exactly matches the message m.

The same can be done by the user, for example, U2. As before, it calculates

H = A- (a2 + c2) (mod n) = 2062567170 5611172382 5337702759 4771582431 9839382717 4582185263 2710773644 1928238653 2792435512 2215851604 4822378783 5806481464 2719929158 5778481541 7530501372 5197755557 2815818829 8914896658 4262007329 0240598805 3054018471 7530588323 9540907214 1937981052 8005184075 0574113956 2316915667 0182895581 4949695680 6947370140 30634459,

K = B- (b2 + d2) (mod n) = 2983975104 1977880600 7007890392 9756072314 3839750053 6922971610 7549113523 9997935032 0578710081 2759726729 0882534025 7675151581 9636139672 1948791315 0695887623 1901512586 1856596558 0170014780 9608893797 9161510082 8174103089 5088359788 2391667036 1891622628 8448035420 9404235319 9223835190 9829709937 2240861005 7432117529 58246106.

So,

H · K · C (mod n) = 3917849503 6550893685 6866292013 9758128030 8861662846 6182308361 5964747188 8962740107 9018758326 4096547013 3619340696 3702063268 8061438861 3019152478 8630161021 83030161021

which again exactly matches the message m.

Advantages of the invention:

As already mentioned, the present invention allows multiple users to decrypt an encrypted text using a personal private key, said text having been encrypted using a common public key. There is no need at all for users to share their private keys.

In addition, the proposed protocol enjoys the following properties:

-

 It is effective, since all calculations can be carried out in polynomial time.

-

 It is safe since violating it is equivalent to resolving one or more IFP, DLP and SDLP. These problems are considered computationally irresolvable with the tools and technology currently known.

-

 It is not falsifiable.

-

 It is strong against the conspiracy of two or more users.

-

 The number of users is arbitrary. In addition, new users can join the scheme at any time: it is enough that T generates a totally new private key for each newly joined user.

Applications of the invention:

The applications of the invention mainly refer to any environment in which an entity must encrypt a

5 determined information using a given key, so that any user of a set, to whom each has been assigned their own private key, can decrypt and retrieve the original information. Among others, the following applications can be listed:

-

 Access to confidential information in cases where access to only a set of

authorized users or who meet some requirements. The concession can be conceived as being in possession of a private key associated with the common public key used to encrypt confidential information.

-

 Access to confidential corporate documents when authorized to do so.

These applications are useful and typical in environments such as the following:

-

 State administration, public agencies, local, regional or national government institutions.

Access to restricted information or documents classified in different security levels. Only those who have adequate passwords will be granted access to such information or documents.

-

 Corporations, companies, societies. Similarly, corporations or companies grant different levels of access to different managers, according to their positions in the context of the organization, thus allowing an ordering at the security level for confidential or strategic documents.

One skilled in the art can make changes and modifications to the described embodiments without departing from the scope of the invention as defined in the appended claims.

ACRONYMS DLP Discrete Logarithm Problem; Problem of discrete logarithm IFP Integer Factorization Problem; Factorization of integers SDLP Subgroup Discrete Logarithm Problem; Problem of discrete logarithm in subgroup BIBLIOGRAPHY

[1] R. Durán Díaz, L. Hernández Encinas and J. Muñoz Masqué, The RSA Cryptosystem, RA-MA, Madrid, 2005.

[2] T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. Inform. Theory 31 (1985), 469-472.

[3] A. Fúster Sabater, D. de la Guía Martínez, L. Hernández Encinas, F. Montoya Vitini and J. Muñoz Masqué, 5 Cryptographic Data Protection Techniques, 3rd ed., RA-MA, Madrid, 2004.

[4] D. Hankerson, A.J. Menezes, S. Vanstone, Guide to elliptic curve cryptography, Springer-Verlag, New York, NY, 2004.

[5] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, FL, USA, 1997.

10 [6] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystem, Commun. ACM 21 (1978), 120-126.

[7] D.R. Stinson, Cryptography: Theory and practice, 3rd ed., Chapman & Hall (CRC, Boca Raton, FL., 2006.

[8] W. Susilo, Short fail-stop signature scheme based on factorization and discrete logarithm assumptions, Theor. Comput Sci. 410 (2009), 736-744.

Claims (8)

1. Method for encrypting and decrypting information, which comprises: i) encrypting information by means of a public key generated by a trusted third party (T); and ii) decipher, a user or member (U1, U2, ..., Ut) of a group of authorized users (U), said information encrypted by means of a private key generated by said third party trust (T); in which the procedure is characterized in that it comprises generating, by said third part of trust (T):

-

 said public key as a common public key; Y

-

 a plurality of different private keys, one for each of said users (U1, U2, ..., Ut), being each of said plurality of different private keys associated with said common public key and being able to be used for said decryption stage ii).

2.

Method according to claim 1, wherein said information encryption is calculated as: A = αx (mod n), B = βx (mod n), C = m (P · Q) x (mod n)

where A, B, C are the encrypted information; α is an integer chosen by said third party trust (T) used as a generator; β = αs (mod n); s is a random secret number generated by said third party trust (T); n is an integer calculated as the product of two prime numbers; m is the information to be encrypted; P, Q form said common public key generated by said third party trust.

3.

Method according to claim 2, wherein: P = α a0 · βb0 (mod n);

Q = αc0 · βd0 (mod n); a0, b0, c0, d0 are integers randomly generated by the third party trust (T); α = g2 · v1 · v2 · p1 · q1 (mod n); β = αs (mod n); n = p · q; g is a randomly chosen element that meets that g  Zn * whose order is λ (n) r, p1 and q1 are prime numbers; u1 and u2 are integers, where u1 = 2 · v1 and u2 = 2 · v2; v1, v2 are cousins to each other; p = u1 · r · p1 +1; q = u2 · r · q1 +1; φ (n) = (p – 1) (q – 1) = u1 · u2 · r2 · p1 · q1; where φ (n) is Euler's function; λ (n) = mcm (p – 1, q – 1) = 2 · v1 · v2 · r · p1 · q1 where mcm represents the least common multiple and λ (n) is the Carmichael function; Y α meets the condition: mcd (α, φ (n)) = mcd (α, u1 · u2 · r2 · p1 · q1) = 1 where mcd is the greatest common divisor. 4. Method according to the preceding claims, wherein said decryption of information is calculated as: H · K · C (mod n) = m where H = A– (ai + ci) (mod n); K = B– (bi + di) (mod n); being ai, ci, bi, say the private key associated with one (Ui) of the users (U1, U2, ..., Ut).

5. Method according to claim 4, wherein ai, ci, bi, di  Zr and satisfy that: h = (ai + s · bi) (mod r); Y

k = (ci + s · di) (mod r); where Zr is the set of integers module r; h = (a0 + s · b0) (mod r); k = (c0 + s · d0) (mod r); r is a prime number.

6.

Method according to the preceding claims, wherein said users (U1, U2, ..., Ut) verify said common public key by checking:

α ≠ 1 (mod n) αr = 1 (mod n)

7.

Method according to the preceding claims, wherein said users (U1, U2, ..., Ut) verify said private key by checking:

P = αai · βbi (mod n) Q = αci · βdi (mod n) Figure 1 Figure 2 SPANISH OFFICE OF THE PATENTS AND BRAND Application no .: 201130840 SPAIN Date of submission of the application: 24.05.2011 Priority Date: REPORT ON THE STATE OF THE TECHNIQUE 51 Int. Cl.: H04L9 / 30 (2006.01)  RELEVANT DOCUMENTS

Category

56 Documents cited Claims Affected

X

SUSILO et al. Short fail-stop signature scheme based on factorization and discrete logarithm assumptions. THEORETICAL COMPUTER SCIENCE, 20090301 AMSTERDAM, NL 01.03.2009 VOL: 410 No: 8-10 Pages: 736-744 ISSN 0304-3975 Doi: doi: 10.1016 / j.tcs.2008.10.025 1-7

X

BONEH D; et al. Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys, http://www.eprint.iacr.org/2005/018 one

Category of the documents cited X: of particular relevance Y: of particular relevance combined with other / s of the same category A: reflects the state of the art O: refers to unwritten disclosure P: published between the priority date and the date of priority submission of the application E: previous document, but published after the date of submission of the application

This report has been prepared • for all claims • for claims no:

Date of realization of the report 11.09.2013

Examiner M. Muñoz Sánchez Page 1/4

REPORT OF THE STATE OF THE TECHNIQUE Application number: 201130840 Minimum documentation sought (classification system followed by classification symbols) H04L Electronic databases consulted during the search (name of the database and, if possible, terms of search used) INVENES, EPODOC, WPI XPI3E, XPIEE, NPL State of the Art Report Page 2/4  WRITTEN OPINION Application number: 201130840 Date of Completion of Written Opinion: 11.09.2013 Statement

Novelty (Art. 6.1 LP 11/1986)

Claims Claims 1-7 IF NOT

Inventive activity (Art. 8.1 LP11 / 1986)

Claims Claims 1-7 IF NOT

The application is considered to comply with the industrial application requirement. This requirement was evaluated during the formal and technical examination phase of the application (Article 31.2 Law 11/1986).  Opinion Base.- This opinion has been made on the basis of the patent application as published. State of the Art Report Page 3/4  WRITTEN OPINION Application number: 201130840  1. Documents considered.- The documents belonging to the state of the art taken into consideration for the realization of this opinion are listed below.

Document

Publication or Identification Number publication date

D01

SUSILO et al. Short fail-stop signature scheme based on factorization and discrete logarithm assumptions. THEORETICAL COMPUTER SCIENCE, 20090301 AMSTERDAM, NL 01.03.2009 VOL: 410 No: 8-10 Pages: 736-744 ISSN 0304-3975 Doi: doi: 10.1016 / j.tcs.2008.10.025 01.03.2009

D02

BONEH D; et al. Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys, http://www.eprint.iacr.org/2005/018 12.03.2005

 2. Statement motivated according to articles 29.6 and 29.7 of the Regulations for the execution of Law 11/1986, of March 20, on Patents on novelty and inventive activity; quotes and explanations in support of this statement D01 is considered the closest document of the state of the art to the object of the request.  Independent claims Claim 1: Document D01 discloses a method of signing a public key and private key, in which the signature of a message made by a number of users is verified. The public key is common to all users while each of them has its own private key. The keys are generated by a third party of trust. On the other hand and as is commonly known, the public key and private key systems can be used, in addition to signature verification, also for encryption, as document D02 illustrates for the context of the request. Therefore, the combination of document D01 affects the inventive activity of claim 1 according to article 8.1 of the Patent Law.  Dependent Claims Claims 2-7: the operations included in these claims are part of the generation model and checking keys of document D01. Therefore, document D01 affects the inventive activity of claims 2-7 according to article 8.1 of the Law on Patents State of the Art Report Page 4/4