MXPA99010979A - Auto-recoverable auto-certifiable cryptosystems - Google Patents

Auto-recoverable auto-certifiable cryptosystems

Info

Publication number
MXPA99010979A
Authority
MX
Mexico
Prior art keywords
key
public
authorities
keys
private
Application number
MXPA/A/1999/010979A
Other languages
Spanish (es)
Inventor
Adam Lucas Young
Original Assignee
Adam Lucas Young
Yung Marcel Mordechay

Abstract

A method is given for a key escrow cryptosystem that is overhead-free, does not require a tamper-proof cryptographic hardware implementation (i.e., it can be done in software), is publicly verifiable, and cannot be used subliminally to enable a shadow public key system. A shadow public key system is an unescrowed public key system that is displayed publicly in a covert form. Keys generated by the method are auto-recoverable and auto-certifiable (abbreviated ARC). The ARC cryptosystem is based on a key generation mechanism that outputs a public/private key pair and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently by anyone to determine whether it is properly escrowed. The verification procedure does not use the private key. Hence the general public has an efficient way of making sure that any given individual private key is properly escrowed, and that the trusted authorities will be able to access the private key if necessary. Since the verification can be performed by anyone, there is no need for a special trusted entity, known in the art as a "trusted third party". The cryptosystem is overhead-free because there is no additional protocol interaction between the user who generates his own key and the certification authority or the escrow authorities, compared with what is required to submit the public key itself in ordinary certified public key systems.
In addition, the system is designed so that its internal components can be publicly scrutinized (for example, it can be distributed in source code form). This differs from any scheme that requires the escrow device to consist of tamper-resistant hardware. The most representative figure of the invention is Figure 1.

Description

AUTO-RECOVERABLE AUTO-CERTIFIABLE CRYPTOSYSTEMS
FIELD OF THE INVENTION
The field of this invention is cryptography. This invention relates to cryptosystems, and in particular to the escrow and recovery of cryptographic keys and of data encrypted under cryptographic keys. The escrow and recovery process ensures that authorized entities such as law enforcement bodies, government agencies, users, and organizations can, when allowed or requested, read encrypted data. The invention relates to cryptosystems implemented in software, but can also be applied to cryptosystems implemented in hardware.
BACKGROUND OF THE INVENTION
Public Key Cryptosystems (PKCs) allow secure communications between two parties that have never met. The notion of a public key cryptosystem was introduced in (W. Diffie, M. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22, pages 644-654, 1976). This communication can take place over an insecure channel.
In a PKC, each user has a public key E and a private key D. E is made publicly available by a key distribution center, also called a Certification Authority (CA), after the registration authority verifies the authenticity of the user (his identification, etc.). The registration authority is part of the CA. D is kept private by the user. E is used to encrypt messages, and only D can be used to decrypt messages. It is computationally infeasible to derive D from E. To use a PKC, party A obtains party B's public key E from the key distribution center. Party A encrypts a message with E and sends the result to party B. B recovers the message by decrypting it with D. Both parties trust that the key distribution center provides the correct public keys upon request. A PKC based on the difficulty of computing discrete logarithms was published in (T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", CRYPTO '84, pages 10-18, Springer-Verlag, 1985). PKCs are very convenient to use and allow users to engage in private communications over insecure channels. They can also be used to bootstrap symmetric key systems such as DES (the Data Encryption Standard). However, PKCs have a disadvantage. Criminals can use a PKC in the course of criminal activity, since no provision is made to give law enforcement agencies the decryption keys, and as a result non-interceptable criminal communications can occur. It is therefore desirable to allow private communications exclusively to law-abiding citizens. A general solution to this problem is to have each user submit shares of his private key to trusted escrow authorities, or escrow agents. The shares are taken out of escrow in the case of a court-authorized wiretap.
Alternatively, key escrow provides a way to recover private keys lost within an organization, or the keys of a file system. A review of some key escrow systems shows that all of them require more than a PKC alone. U.S. Patents Nos. 5,276,737 and 5,315,658 of Micali (1994) describe a Fair Public Key Cryptosystem (FPKC) (see also S. Micali, "Fair Public-Key Cryptosystems", CRYPTO '92, pages 113-138, Springer-Verlag, 1992) that meets the needs of law-abiding citizens and of law enforcement (and is based on P. Feldman, 28th annual FOCS).
Micali's preferred embodiment describes how to convert the Diffie-Hellman PKC and the RSA PKC into Fair PKCs. In the preferred Diffie-Hellman FPKC embodiment, each user submits five shares to five central escrow agents (also known as "trusted third parties") in order to register a public key. This solution is therefore not very scalable, since it requires the use of a small number of trusted authorities, and is therefore very centralized. In the present invention, the user constructs a key pair such that the private key is provably escrowed automatically. Hence no trusted third parties of any kind are needed. The escrowed information can be sent to any one of a multitude of decentralized Certification Authorities (CAs). In Micali's scheme each escrow agent verifies its respective share. Provided the share is valid, it is stored in a database. Each escrow agent then signs the values it received and forwards them to a key management center. The five authorities are obliged to secure and manage five private share databases. In the present embodiment, the key information is verified by a Certification Authority. Provided it has the correct form, the key is signed and immediately placed in the public key database. Only one private database needs to exist. Since only the Certification Authority is needed to manage user keys, the present embodiment achieves the lowest possible communication overhead. In Fair PKCs only the escrow agents can verify that a key is properly escrowed. Verification is required, since without it a user can easily generate keys that are not recoverable. In the present invention, everyone can verify this. This is particularly useful if, for example, a citizen suspects that a Certification Authority is failing to ensure that its keys are properly escrowed.
It has been shown that the Fair RSA PKC does not satisfy certain law enforcement needs (J. Kilian, F. Leighton, "Fair Cryptosystems Revisited", CRYPTO '95, pages 208-221, Springer-Verlag, 1995), since a shadow public key cryptosystem can be embedded within it. A shadow public key system is a system that can be embedded in a key escrow system and that allows colluding users to conduct non-interceptable communications. The flaw in the Fair RSA PKC lies in the assumption that criminals will use the same secret keys that were given to the escrow authorities. Shadow cryptosystems make use of what are known in the art as subliminal channels, which exist in the public keys of the PKC. These channels are used to display the public keys of the shadow PKC. The Kilian and Leighton paper describes how to convert PKCs into Fail-safe Key Escrow (FKE) systems. Specifically, it describes how to build FKE systems for discrete-logarithm based PKCs such as Diffie-Hellman and DSS. In their costly protocol, the user and the trusted authorities engage in a protocol to generate the user's public and private keys. In doing so, the authorities are convinced that no subliminal information is contained in the resulting public key. The user is also convinced that the keys are properly escrowed. This system is similar to the Fair Diffie-Hellman PKC, except for the greater overhead of its protocol. It is therefore subject to the same inefficiencies as the Fair Diffie-Hellman PKC. In the present invention, the user selects his own keys independently. Regarding the threat of shadow PKCs, the present invention relies on the fact that there is no known way to covertly embed a significant number of bits within a modular exponentiation in a finite field.
Hence the exploitation of shadow cryptosystems in discrete-logarithm based PKCs appears remote. De Santis et al. describe an escrow system in which the escrow agents are able to open only the messages of a session, instead of opening the key of the party suspected of criminal activity. This clarifies the notion of Fair cryptosystems. Other technologies that describe how to open the users' session keys instead of their permanent public keys are due to Walker and Winston (TIS) and the IBM SecureWay document. These key recovery technologies require that users be aware of the keys of the set of escrow agents, and use them, at every session establishment. These technologies can burden every user, since they require new protocol extensions that are used in each communication session, and they also require users to store many more keys than are necessary for a PKI. A "Fraud-Detectable Alternative to Key-Escrow Proposals" based on ElGamal has been described in (E. Verheul, H. van Tilborg, "Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals", Eurocrypt '97, pages 119-133, Springer-Verlag, 1997). This system allows users to send encrypted information along with a short proof that the encrypted information can be recovered by a set of escrow agents. In this way the system has the advantage that it does not depend on trusted third parties. However, the system requires an existing Public Key Infrastructure (PKI). The defect in the Binding ElGamal approach is the following: if the PKI is not escrowed, then user A can encrypt a message under the public key of user B, and then send the resulting ciphertext as the message using Binding ElGamal. In this case the proof merely demonstrates that the escrow agents can recover this ciphertext, and hence it does not allow the law enforcement agency to inspect the communications of users suspected of criminal activity.
When this abuse is committed, the fraud cannot be detected. The abuse is made possible because user B's private key is not escrowed. Software that abuses the Binding ElGamal scheme in this way could easily be distributed and could severely hamper attempts to enforce the law on a large scale. The present invention describes a method for establishing an escrowed PKI, and hence is not subject to this drawback. As in Binding ElGamal, the present invention employs the general technique of non-interactive zero-knowledge proofs, although the proofs of the present invention involve new technology. A heuristic for constructing such proofs is presented in (A. Fiat, A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", CRYPTO '86, pages 186-194, Springer-Verlag, 1987). A general survey of key escrow schemes appears in (D. Denning, D. Branstad, "A Taxonomy for Key Escrow Encryption Systems," Communications of the ACM, v. 39, No. 3, 1996). (N. Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for Trusted Third Party Services," Cryptography: Policy and Algorithms, LNCS 1029, Springer, 1996) and (R. Anderson, "The GCHQ Protocol and Its Problems", Eurocrypt '97, pages 134-148, Springer-Verlag, 1997) describe a trusted third party approach to escrow in which the trusted third parties of the participating users are involved in every session key establishment. All key escrow solutions known hitherto suffer from some, if not all, of the following disadvantages. (a) They require a tamper-resistant implementation, or otherwise require a hardware implementation. This imposes high implementation costs and slow deployment. (b) They require the use of classified or otherwise proprietary algorithms. This may be unacceptable to users who are skeptical about the security or operation of the devices.
(c) They are implemented in software, and are therefore subject to alteration, resulting in improper operation and possibly non-interceptable communications. However, this is an inherent problem of any software solution (in this case, all that may be required is that if users use only the software apparatus to achieve privacy, then their plaintext, or keys, can be recovered). (d) They require excessive protocol interaction during key generation and/or in general use. In addition, this interaction may be conducted with a small set of centralized entities, thus making traffic and communication delays a potential bottleneck. They may require that users possess the keys of the escrow agents and use them at every session establishment, and may also require modifications to every communication protocol. (e) They require excessive numbers of trusted third parties to be involved in the operation of the system.
Spreading trust among too many parties increases the risk of security breaches and reduces scalability. (f) They require that the cryptographic keys be generated by trusted third parties. A corrupt or otherwise compromised trusted third party may put the user's security at risk by mishandling or disclosing the user's keys. (g) They require the securing and management of database(s) of secret keys or secret shares on behalf of the users. (h) They can be used to establish a shadow public key infrastructure, thus defeating the purpose of the escrow system entirely.
Due to the above disadvantages, what is required is a new mechanism that incorporates the following advantages: (a) a key escrow system that can be distributed in source code form without loss of security, and hence provides a system that can be publicly scrutinized to ensure that it operates properly. In addition, since the key escrow system can be made available in software, it can be deployed on a large scale quickly and cost-effectively. This implies rapid distribution of the system. (b) In case a software-based solution is deemed unacceptable due to the possibility of modifying the invention, it can be implemented directly in tamper-resistant hardware. However, this forgoes the benefits of (a) (for example, easy distribution). (c) The escrow system requires the minimum amount of protocol interaction between the escrow authorities, the Certification Authority, and the user that is theoretically possible. To register a key, a message needs to be sent to only one of a multitude of Certification Authorities. This mechanism is called a key-registration based escrow system. In comparison, in the preferred embodiment of Fair PKCs, five messages are sent from the user to the escrow agents, and then five more messages are sent to a key management center. (d) Only one private database is required to implement the escrow system. This database only needs to be authenticated, and can be kept private to prevent a shadow PKC from being established. The users' private keys will not be exposed if the database is exposed. This contrasts with Fair PKCs, in which many databases must be maintained and, if they are exposed, the users' keys are compromised as well.
This requirement makes the new system rely solely on the Certification Authority when establishing and certifying user keys, as in ordinary public key systems. (e) The escrow system allows the recoverability of the user's private key to be verified by anyone. The verification establishes that the private key can be recovered by the escrow authorities given the user's corresponding public key, the certificate, and the public parameters. In comparison, in Fair PKCs only the escrow agents perform this verification. This requirement of the new system is called universal verifiability. (f) The escrow system can be made resistant to shadow public keys. It was shown that Fair PKCs are not resistant to shadow public keys, that is, they can be abused to publish the keys of other PKC schemes (J. Kilian, F. Leighton, "Fair Cryptosystems Revisited", CRYPTO '95, pages 208-221).
The present invention is versatile enough that either (a) or (b) (i.e., a software or a hardware implementation) can be selected. In either case the requirements (c) to (f) are met.
SUMMARY OF THE INVENTION
To provide the above objects and features, as well as others to be described later, the present invention introduces a new paradigm in cryptography. The present invention provides a method for verifying that a private key generated by a user is contained within an encryption under the public key of the escrow authorities, without excessive overhead. In addition, this verification can be performed by anyone in possession of the public key of the escrow authorities. The present invention consists of a setup process and three functions that process signals in different ways. The functions are key generation, key verification, and key recovery. In the setup process of the preferred embodiment, the participants agree on a set of initial public parameters and the authorities generate a public escrow key and the corresponding private keys. The initial parameters and the public escrow key are the public parameters of the system. The escrow authorities, the Certification Authority (CA), and the users of the system all have access to the public parameters. In the key generation process, the method generates a public/private key pair for the user, and a certificate of recoverability, which is a string of information that includes an implicit encryption of the user's private key under the public escrow key. The signal information containing the user's public key and the certificate of recoverability can be transmitted to any entity. In the verification process, the user transmits this signal to the verifier. The verification process takes the input signal, processes it, and produces a true or false result. A true result indicates that the user's private key can be recovered from the certificate of recoverability by the escrow authorities. A false result indicates that the private key cannot be recovered.
The invention is designed so that it is infeasible for the user to generate a public key and certificate of recoverability such that the key is not escrowed and yet passes the verification process with a true result. In the preferred embodiment, users certify their public keys with the registration authority of the Certification Authority (CA), which then signs their public key after successful verification. A public key together with a signature of the Certification Authority on a string containing the public key constitutes a certified public key. In more detail, upon receipt of the user's public key and certificate of recoverability, the Certification Authority verifies that the corresponding private key can be recovered. If so (i.e., the verification process produces a true result), the public key is certified and/or made publicly available by the Certification Authority. The user is only required to keep his private key and to have access to the public key database that contains the public keys of other users, as in a typical PKI. In the recovery process, the escrow authorities use the user's certificate of recoverability, obtained from the Certification Authority, as the input signal. The escrow authorities process the certificate of recoverability, and the corresponding user's private key, or data encrypted under the corresponding public key, is the resulting output signal. The present invention is useful in any environment that demands the recovery of private keys, of keys encrypted under these keys, or of information encrypted under these keys. Such environments arise in law enforcement at the national and international level, in the commercial sector, in secure file systems, etc. Successful escrow of private keys implies successful escrow of information encrypted under the corresponding public keys, and hence the present invention has many applications.
The present invention is robust with respect to any prior technology since it can be implemented both in hardware and in software. When implemented in software, it can easily be scrutinized to ensure that it works as desired and does not compromise the security of its users. A software implementation allows the rapid and easy dissemination of the invention, since it can be disseminated in source code form on disk or over a computer communications network. The present invention is as free of communication as is theoretically feasible. The only communication is the act of setting up the software itself (or the hardware itself) and the one-time transmission of a user's public key, certificate of recoverability, and additional information. The signals can be processed quickly and the signals themselves constitute a small amount of information. The invention does not require changes to the communication protocols used in typical non-escrowed PKIs (for example, session key establishment, key distribution, secure message transmission, etc.). The invention is therefore compatible with typical PKIs. The present invention thus provides a very efficient way of escrowing and recovering cryptographic keys.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be described with reference to the accompanying Figures 1 to 7. Figure 1 is a data flow diagram of the setup process of the method of the invention, for use with escrow authorities. Figure 2 is a flow chart of the basic steps of the process for generating a public/private key pair and a certificate of recoverability using the invention. Figure 3 is a data flow diagram of the process of verifying the recoverability of a private key. Figure 4 is a data flow diagram of the process of registering a key using the invention. Figure 5 is a data flow diagram of the private key recovery process performed by the escrow authorities. Figure 6 describes a generic public key system and its main components and operation. Figure 7 describes the escrowable public key system that results from use of the invention, and its main components and operation.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
The following is a description of the first embodiment of the present invention. Variations of the preferred embodiment accompany the description of the preferred embodiment wherever applicable. For convenience of presentation, the selected hash algorithm is SHA (Schneier, 2nd edition, pages 442-445), although any cryptographic hash algorithm will suffice instead. In the preferred embodiment the parameters are selected uniformly at random from their respective groups. Alternative embodiments include alterations of the probability distributions from which these values are selected.
The initial system setup of the preferred embodiment, shown in Figure 1, initializes the cryptosystem. In the preferred embodiment, the participants agree on a large prime number r such that q = 2r+1 is prime and p = 2q+1 is prime. Examples of values of r that satisfy this relationship are 5 and 11, although these are small values. The following is a 1024-bit value of r in hexadecimal: fd90e33af0306c8b1a9551ba0e536023b4d2965d3aa813587ccf1aeb1ba2da82489b8945e8899bc546dfded24c861742d2578764a9e70b88a1fe9953469c7b5b89b1b15b1f3d775947a85e709fe97054722c78e31ba202379e1e16362baa4a66c6da0a58b654223fdc4844963478441afbbfad7879864fe1d5df0a4c4b646591. An r of 1024 bits is large enough for use in cryptosystems. Such values of r, q, and p are not as easy to find as a single prime, but finding them is not an intractable problem either. What is needed is a highly efficient algorithm that can be implemented using, for example, a multiple precision library. Such algorithms include Karatsuba multiplication, Montgomery reduction, addition chains, and the probabilistic Rabin-Miller test (J. Lacy, D. Mitchell, W. Schell, "CryptoLib: Cryptography in Software," AT&T Bell Laboratories, cryptolib@research.att.com). The following method can be used to find large values of r, q, and p efficiently. Note that r modulo 3 must be 2. It cannot be 0, because then r would not be prime. It cannot be 1, because then q = 2r+1 would be divisible by 3. Also, r modulo 5 must be 1 or 4. It cannot be 0, because then r would be divisible by 5. It cannot be 2, because then q = 2r+1 would be divisible by 5. It cannot be 3, because then p = 4r+3 would be divisible by 5, and so on for the remaining small primes. This method is called herein the "trial residue search".
When carrying out the trial residue search, candidate values of r, q, and p can be discarded quickly before performing the trial divisions and the probabilistic primality tests. Once the trial residue search is done, up to, for example, 251, trial divisions are performed on r, q, and p. If r, q, and p are not discarded, the Rabin-Miller probabilistic primality test is performed on r, then on q, then on p, then on r, then on q, and so on, alternating among the three. This is done with a small set of potential witnesses to compositeness, fixed from the start. If any of r, q, or p is found to be composite, r is set equal to r + 2x3x5x...x251 and the procedure is repeated, starting with trial division and with the whole set of potential witnesses. In this way it is not necessary to carry out the residue test again, since adding a multiple of every sieved prime preserves the previously established conditions on the residues. Once r, q, and p are found, additional primality tests are performed using potential witnesses obtained from a strong random number generator. If r, q, and p pass these tests, they are assumed to be prime and declared system parameters. The participants agree on, or the Certification Authority selects, a value g that generates the elements of the set {1, 2, 3, ..., p-1} and an odd value g1 that generates all values smaller than 2q and relatively prime to 2q. Note that the values relatively prime to 2q form a cyclic multiplicative group (of order 2r) and that this group has an odd generator; g1 is such a generator in the preferred embodiment. The values r, q, p, g, and g1 are the initial parameters of the system and are made publicly available without loss of security. They may be selected by the authorities themselves and/or by anyone else.
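The trial residue search and the selection of g and g1 described above, as an added Python example; this is not code from the patent. The residue conditions for each sieve prime are derived exactly as the text does for 3 and 5, the wheel step is 2 times the product of the sieve primes so that the residues are preserved, and the fixed-witness Rabin-Miller rounds alternate over r, q, p before fresh random witnesses confirm the result. Sizes are parameters: the page uses a sieve up to 251 and a 1024-bit r, while `setup_demo` uses a constructed 48-bit r with a sieve up to 31, chosen so that the wheel step 2x3x5x...x31 stays well below 2^48. The particular fixed witness set and the number of random rounds are assumptions; the page only says the fixed set is small.

```python
import random
from math import gcd, prod


def small_primes(limit):
    """Odd primes up to `limit` by trial division (the page sieves with primes up to 251)."""
    return [s for s in range(3, limit + 1, 2)
            if all(s % d for d in range(3, int(s ** 0.5) + 1, 2))]


def allowed_residues(s):
    """Residues r mod s for which none of r, q = 2r+1, p = 2q+1 = 4r+3 is divisible by s.
    For s = 3 this gives [2] and for s = 5 it gives [1, 4], as worked out in the text."""
    return [a for a in range(s) if a % s and (2 * a + 1) % s and (4 * a + 3) % s]


def mr_witness(n, a):
    """One Rabin-Miller round: True unless witness a proves n composite."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    a %= n
    if a in (0, 1, n - 1):
        return True
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


FIXED_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # assumed small fixed set


def find_chain(bits, sieve_limit=251, rng=None):
    """Trial residue search for primes r, q = 2r+1, p = 2q+1 with r of at least `bits` bits."""
    rng = rng or random.SystemRandom()
    primes = small_primes(sieve_limit)
    allowed = {s: set(allowed_residues(s)) for s in primes}
    step = 2 * prod(primes)            # adding this keeps r odd and every sieved residue fixed
    r = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while any(r % s not in allowed[s] for s in primes):
        r += 2                         # residue test: slide until all conditions hold
    # fixed witnesses, alternating r, q, p; after a failure only the step is needed,
    # the residue conditions survive it
    while not all(mr_witness(m, a) for a in FIXED_WITNESSES for m in (r, 2 * r + 1, 4 * r + 3)):
        r += step
    q = 2 * r + 1
    p = 2 * q + 1
    for m in (r, q, p):                # extra rounds with witnesses from the strong RNG
        if not all(mr_witness(m, rng.randrange(2, m - 1)) for _ in range(16)):
            return find_chain(bits, sieve_limit, rng)
    return r, q, p


def is_generator_mod_2q(a, q, r):
    """Z*_{2q} is cyclic of order 2r: a generates it iff a^2 != 1 and a^r != 1 (mod 2q)."""
    n = 2 * q
    return gcd(a, n) == 1 and pow(a, 2, n) != 1 and pow(a, r, n) != 1


def is_generator_mod_p(a, p, q):
    """Z*_p has order 2q: a generates it iff a^2 != 1 and a^q != 1 (mod p)."""
    return gcd(a, p) == 1 and pow(a, 2, p) != 1 and pow(a, q, p) != 1


def choose_generators(r, q, p, rng=None):
    """A random g generating Z*_p and a random odd g1 generating Z*_{2q}."""
    rng = rng or random.SystemRandom()
    g = rng.randrange(2, p - 1)
    while not is_generator_mod_p(g, p, q):
        g = rng.randrange(2, p - 1)
    g1 = rng.randrange(3, 2 * q - 1) | 1
    while not is_generator_mod_2q(g1, q, r):
        g1 = rng.randrange(3, 2 * q - 1) | 1
    return g, g1


def setup_demo(bits=48, sieve_limit=31, seed=None):
    """Toy-sized run (constructed sizes); a seed gives a reproducible parameter set."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    r, q, p = find_chain(bits, sieve_limit, rng)
    g, g1 = choose_generators(r, q, p, rng)
    return {"r": r, "q": q, "p": p, "g": g, "g1": g1}
```

The sieve necessarily discards the page's own toy value r = 5 (it is divisible by 5), which is harmless at cryptographic sizes; at 1024 bits with primes up to 251 the wheel step is roughly 2^360, far below r, so stepping does not change the size class of the candidates.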
Once g1 and q are specified, the m authorities (m is greater than or equal to 1) proceed to collectively compute a public key of the escrow authority (Y, g1, 2q), also called the escrow public key, and the private keys z_1, z_2, ..., z_m of the escrow authority. To do so, authority i, where i ranges from 1 to m, selects a value z_i in {1, 2, ..., 2r-1} at random and then sets Y_i to be g1 raised to the power z_i modulo 2q. At least one authority then receives all of the Y_i from the other m-1 escrow authorities. In the preferred embodiment, authority i, where i ranges from 2 to m, sends Y_i to authority 1. The sending of the Y_i is represented in step 11 of Figure 1. Y is computed by at least one of the authorities as the product of the Y_i modulo 2q; since each Y_i is a power of g1, Y equals g1 raised to the power (z_1 + ... + z_m) modulo 2q. In the preferred embodiment, Y is computed by authority 1. Authority 1 then verifies that (g1/Y) is a generator of all values less than 2q and relatively prime to 2q; (g1/Y) is g1 raised to the power 1 - (z_1 + ... + z_m), so this holds exactly when that exponent is relatively prime to 2r. If not, then step 12 is executed. In step 12, the other authorities are told to select new values for z, and hence the procedure is restarted from the beginning of step 11. In the preferred embodiment, authority 1 also selects z_1 again. In an alternative embodiment, at least 1 and fewer than m of the authorities generate new values for z. This procedure continues as many times as necessary until (g1/Y) is a generator of all values less than 2q and relatively prime to 2q. Then Y is published, or otherwise made available to the users and to the Certification Authority, by one or more of the escrow authorities. This is represented in step 13 of Figure 1. Figure 2 is a diagram illustrating the process by which a user's system generates a public/private key pair and a certificate of recoverability. Having obtained the signal Y made available to the users by the escrow authority, the user's system proceeds to generate an ElGamal key (y, g, p) for the user.
The signal Y may have been included a priori in the invention. The invention proceeds to select a value k in. { 1, 2, ..., 2r-l} randomly. This is represented in step 2004 of Figure 2. In step 2005, the invention calculates C = (high power k) modulo 2q. In step 2006 the invention calculates the private key x of the ueuario, as ((gl / Y) raised to the power k) module q. The invention also calculates and as (g raised to the power x) modulo p. The system proceeds to step 2007 and calculates a certificate that can be used by any interested party to verify that the user's private key is properly coded within C. The certificate contains the value v, which is calculated by the system as g raised to the power w module p, where w is ((1 / Y) raised to the power k) module 2q. The public key parameter y can be retrieved from g and v by calculating v raised to the power C modulo p. The system also processes three non-interactive tests without knowledge, as they are called in the technique, and includes them in the certificate. Let n denote the number of repetitions in each non-interactive test. In the preferred mode, n is set to 40. The first test is designed so that the user can prove that he knows k in C. The second test is designed so that the user can prove that he knows k in v. The last test is designed in such a way that the user can prove that he knows k in v raised to the power C modulo p. By saying that "the ueuario knows the value x" is meant to imply that the system has the value x in its state. In more detail, to connect the non-interactive tests, the system proceeds as follows. Select the values e_l, l, e_l, 2, ..., e_l, n, e_2, 1, e_2, 3, ..., e_2, n, and e_3, l, e_3,2, e_3, 3, .. ., e_3, n in. { 1, 2, ..., 2r-1) randomly. For i to vary from l to n, the seventh adjusts I_l, i so that it is raised to the power e_l, i modulo 2q. 
For i varying from 1 to n, the invention sets I_2,i to be v raised to the power d_i modulo p, where d_i is Y raised to the power -e_2,i modulo 2q. For i varying from 1 to n, the invention sets I_3,i to be y raised to the power t_i modulo p, where t_i is (g1/Y) raised to the power e_3,i modulo 2q. The invention then computes the value rnd as the SHA hash of the concatenation of the tuples (I_1,i, I_2,i, I_3,i) for i varying from 1 to n. Note that rnd is a function of all the I values, computed with a suitable strong cryptographic hash function. In alternative embodiments, the hash function may have an effective range of a size other than 160 bits. A larger range of the hash function allows significantly larger values of n. The system sets each of the one-bit values b_1,1, b_1,2, ..., b_1,n, b_2,1, b_2,2, ..., b_2,n, b_3,1, b_3,2, ..., b_3,n to the corresponding one of the 3n least significant bits of rnd. There are many ways in which an embodiment can securely assign the values for b. The values for b are the challenge bits, and this method of obtaining them is known as the Fiat-Shamir heuristic. The system then proceeds to compute the responses to this challenge. For i varying from 1 to 3 and for j varying from 1 to n, the invention sets z_i,j to be e_i,j + (b_i,j) k modulo 2r. This ends the description of operation 2007 of Figure 2. The system proceeds to step 2008. In step 2008, the invention outputs the parameters C, v, y, (I_1,i, I_2,i, I_3,i), and (z_1,i, z_2,i, z_3,i) for i varying from 1 to n. In an alternative embodiment the value k is also output by the invention for the user. The user then has the option of later proving interactively that his private key x can be recovered by the deposit authority. This will be discussed in more detail later. Also, the b values can be made part of the certificate.
However, this is not necessary since the values for b can be derived from the values for I alone. The description of the embodiment has explained how the system is set up for use by the Certification Authority and the other authorities, and how the system is used by users (potential recipients) to generate public/private key pairs and recovery capacity certificates. These certificates are strings that show anyone who reads them that the generated key has the publicly stated properties. The following describes how the invention is used by the user to prove to a verifier that x can be recovered from C. This process is represented in Figure 3. The verifier can be the Certification Authority, a deposit authority, or any other party that is part of the system. The verification procedure of Figure 3 is as follows. In step 3009, the user generates a public/private key pair, the encryption C of x, and a certificate using the invention as described above. In step 3010, the user transmits a signal containing these parameters to a verifier. In step 3011 the verifier uses this signal to verify whether or not the user's private key can be recovered by the deposit authority. For this the verifier uses the public key of the user, the ciphertext C, the corresponding certificate, and the deposit public key Y. The way in which the user's signal is processed will now be described in detail. The verification system outputs a 0 if the public key and/or the certificate is not valid, and a 1 in any other situation. The invention may take subsequent action and indicate to the verifier that the public key is not valid in the event that a 0 is returned. Similarly, the verification system may inform the verifier of a passing validation. To perform the verification, the verification system first verifies that y = v raised to the power C modulo p. If y is not equal to v raised to the power C modulo p, then the verification system returns a value of 0.
The verification system then verifies the three non-interactive proofs contained in the user's certificate. The invention calculates (b_1,i, b_2,i, b_3,i) for i varying from 1 to n in the same way as during the certificate generation process. Recall that this process was described with reference to Figure 2. For the first non-interactive proof, the verification system verifies that g1 raised to the power z_1,i is equal to C (I_1,i) modulo 2q if b_1,i = 1, for i varying from 1 to n. The verification system also verifies that g1 raised to the power z_1,i is equal to I_1,i modulo 2q if b_1,i = 0, for i varying from 1 to n. If any of these equalities fails, then the verification system returns a value of 0. This ends the verification of the first non-interactive proof. For the second non-interactive proof, the verification system verifies that g raised to the power w_i is equal to I_2,i modulo p if b_2,i = 1, for i varying from 1 to n. Here w_i is (1/Y) raised to the power z_2,i modulo 2q. The verification system also verifies that v raised to the power v_i is equal to I_2,i modulo p if b_2,i = 0, for i varying from 1 to n. Here v_i is (1/Y) raised to the power z_2,i modulo 2q. If any of these equalities fails, then the verification system returns a value of 0. This completes the verification of the second non-interactive proof. For the third non-interactive proof, the invention verifies that g raised to the power w_i is equal to I_3,i modulo p if b_3,i = 1, for i varying from 1 to n. Here w_i is (g1/Y) raised to the power z_3,i modulo 2q. The invention also verifies that y raised to the power v_i is equal to I_3,i modulo p if b_3,i = 0, for i varying from 1 to n. Here v_i is (g1/Y) raised to the power z_3,i modulo 2q. If any of these equalities fails, then the verification system returns a value of 0. If all the verifications pass, then the verification system outputs a value of 1.
In Figure 4 the user certifies his public key with the Certification Authority. In step 4012 of this process, the user generates his public key and recovery capacity certificate, as previously described. The user transmits this signal to the Certification Authority. This corresponds to step 4013 of Figure 4. In step 4014 the Certification Authority acts as a verifier and verifies that the user's private key can be recovered by the deposit authorities. Up to this point, steps 4012 through 4014 are identical to steps 3009 through 3011 of the key verification process of Figure 3. In addition, the Certification Authority will make the keys that pass the verification process available to others upon request and/or will certify them. If the user's public key fails the verification process, then the certification attempt is ignored, or alternatively the user is notified of the failed certification attempt. Depending on the demands of the environment in which the invention is used, users may be requested to submit additional information to register a public key and to certify that they know the private key portion without disclosing it. That information could be a password, social security number, a previously used private key, etc. In the case in which the Certification Authority is a trusted entity, the Certification Authority can simply digitally sign the user's public key, and make the key, along with the Certification Authority's signature on that key, available upon request. If the Certification Authority is not trusted, then the certificate should be stored in the public file, and the certificate along with the recovery capacity certificate should be provided to the deposit authority, which in turn can ensure recoverability. This completes the description of the certification process for public keys. The last process to describe is the process of recovering the private key.
This process is represented in Figure 5. In this process the invention is used by the deposit authorities to recover the user's private key based on C. In this process, all the deposit authorities obtain C, as represented in step 5015 of Figure 5. In an alternative embodiment the Certification Authority transmits C and/or other parameters to one or more of the authorities. In this way they are already in possession of C. At this point deposit authority i calculates t_i as C raised to the power z_i modulo 2q. Recall that z_i is the private key of the i-th deposit authority. This is done for i varying from 1 to m. Authorities 2 through m then send their respective values to authority 1, as shown in step 5016. Authority 1 then calculates Y raised to the power k modulo 2q as the product of the values t_i for i varying from 1 to m. Authority 1 then obtains the user's private key x by calculating x = (C / (Y raised to the power k)) modulo 2q. There are alternative methods in the art to calculate x such that x is represented in a distributed manner among the authorities. These methods also allow the authorities to decrypt messages encrypted under the public key corresponding to x without revealing x itself. What has been described is a Cryptographic System for Automatic Recovery and Automatic Certification (SCRACA). The users of this cryptographic system use the public key system in a way that is identical to a typical PKI for secure communications. This is shown schematically in Figures 6 and 7. Figure 6 is a typical public key cryptosystem in a PKI environment. The following are the steps followed by users. (1) The user first reads the information and address of the Certification Authority. (2) The user generates a public/private key pair and sends the public key to the Certification Authority.
The registration authority within the Certification Authority verifies the identity of the user, and publishes the public key together with the Certification Authority's certificate on that key, which identifies the user as the owner of that key. (3) For another user to send a message to that user, the public key is read from the database of the Certification Authority and the certificate is verified. (4) Then the message is encrypted under the new public key and sent. Figure 7 schematically describes the SCRACA cryptosystem. The additional operations are as follows. (0) The deposit authority generates the public deposit key and provides it to the Certification Authority. Steps 1 and 2 are analogous, except that a proof is sent along with the public key. Steps 3 and 4 are the operation of the system and are identical. Steps 5 and 6 describe the case in which keys are recovered from the deposit. (5) The deposit authority obtains information from the Certification Authority. (6) The deposit authority recovers the user's private key. In an alternative to the first embodiment, any sufficiently large subset of the authorities can recover the private key x, or messages encrypted under the public key corresponding to x, without revealing x itself. This is done independently of receiving the appropriate values of t from the other authorities. This adds robustness in the event that some or all of the authorities are not completely trustworthy or are otherwise unavailable. Also, the authorities may require that the recovery capacity certificate be sent together with the public key and the ciphertext, so that the user's parameters can first be verified using the verification process. This completes the description of the private key recovery process. The following are a few alternative embodiments of the first embodiment of the present invention.
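The first embodiment described above (Figures 1 to 5: joint generation of the deposit key (Y, g1, 2q), the user's key pair with C and v, the three Fiat-Shamir proofs, their verification, and recovery from C) as an added, runnable example. This is not code from the patent; it uses constructed toy primes r = 11, q = 23, p = 47 (a real system uses large primes), finds g and g1 by order testing, takes the challenge bits from SHA-256 rather than SHA-1 (the text allows other hash sizes), and uses a seeded PRNG only so the example is reproducible; the function names are my own.

```python
# Added example, not the patent's own code: the first embodiment (Figures 1-5)
# over constructed toy primes r = 11, q = 23, p = 47. Real deployments use
# large primes; SHA-256 replaces the text's SHA-1 for the challenge bits.
import hashlib
import random

R, Q, P = 11, 23, 47        # q = 2r + 1 and p = 2q + 1, all prime (constructed)
M2 = 2 * Q                  # the modulus 2q of the deposit public key (Y, g1, 2q)
N = 40                      # repetitions per non-interactive proof, as in the text


def is_generator(g, modulus, order, factors):
    """True if g has exactly the given order mod modulus (factors = primes dividing order)."""
    return pow(g, order, modulus) == 1 and all(pow(g, order // f, modulus) != 1 for f in factors)


G = next(g for g in range(2, P) if is_generator(g, P, 2 * Q, [2, Q]))      # generates Z_p^*
G1 = next(g for g in range(2, M2) if is_generator(g, M2, 2 * R, [2, R]))  # generates Z_2q^*


def setup_escrow(m, rng):
    """Figure 1: authority i keeps z_i and contributes Y_i = g1^z_i mod 2q; Y = prod Y_i.
    Step 12 repeats the draw until g1/Y generates Z_2q^*."""
    while True:
        zs = [rng.randrange(1, 2 * R) for _ in range(m)]
        Y = 1
        for z in zs:
            Y = Y * pow(G1, z, M2) % M2
        if is_generator(G1 * pow(Y, -1, M2) % M2, M2, 2 * R, [2, R]):
            return Y, zs


def challenge_bits(I):
    """Fiat-Shamir: the 3n least significant bits of a hash over all commitments."""
    rnd = int.from_bytes(hashlib.sha256(repr(I).encode()).digest(), "big")
    return [[(rnd >> (t * N + i)) & 1 for i in range(N)] for t in range(3)]


def keygen(Y, rng):
    """Figure 2: ElGamal key (y, g, p) plus C, v and the three proofs of knowledge of k."""
    k = rng.randrange(1, 2 * R)
    Y_inv = pow(Y, -1, M2)
    g1_over_Y = G1 * Y_inv % M2
    C = pow(G1, k, M2)                  # escrowed form of k
    x = pow(g1_over_Y, k, M2)           # user's private key
    y = pow(G, x, P)                    # user's public key
    w = pow(Y_inv, k, M2)
    v = pow(G, w, P)                    # satisfies y = v^C mod p
    e = [[rng.randrange(1, 2 * R) for _ in range(N)] for _ in range(3)]
    I1 = [pow(G1, e[0][i], M2) for i in range(N)]
    I2 = [pow(v, pow(Y_inv, e[1][i], M2), P) for i in range(N)]
    I3 = [pow(y, pow(g1_over_Y, e[2][i], M2), P) for i in range(N)]
    b = challenge_bits((I1, I2, I3))
    z = [[(e[t][i] + b[t][i] * k) % (2 * R) for i in range(N)] for t in range(3)]
    return (y, x), {"C": C, "v": v, "I": (I1, I2, I3), "z": z}


def verify(Y, y, cert):
    """Figure 3: returns 1 if the certificate shows x is recoverable from C, else 0."""
    C, v, I, z = cert["C"], cert["v"], cert["I"], cert["z"]
    if y != pow(v, C, P):
        return 0
    Y_inv = pow(Y, -1, M2)
    g1_over_Y = G1 * Y_inv % M2
    b = challenge_bits(I)
    for i in range(N):
        # proof 1: knowledge of k in C = g1^k mod 2q
        if pow(G1, z[0][i], M2) != (C * I[0][i] % M2 if b[0][i] else I[0][i]):
            return 0
        # proof 2: knowledge of k in v = g^(Y^-k mod 2q) mod p
        ex = pow(Y_inv, z[1][i], M2)
        if (pow(G, ex, P) if b[1][i] else pow(v, ex, P)) != I[1][i]:
            return 0
        # proof 3: knowledge of k in y = v^C = g^((g1/Y)^k mod 2q) mod p
        ex = pow(g1_over_Y, z[2][i], M2)
        if (pow(G, ex, P) if b[2][i] else pow(y, ex, P)) != I[2][i]:
            return 0
    return 1


def recover(C, zs):
    """Figure 5: t_i = C^z_i from each authority; prod t_i = Y^k; x = C / Y^k mod 2q."""
    Yk = 1
    for z in zs:
        Yk = Yk * pow(C, z, M2) % M2
    return C * pow(Yk, -1, M2) % M2


def demo(seed=1, m=3):
    rng = random.Random(seed)  # deterministic for the example; use a CSPRNG in practice
    Y, zs = setup_escrow(m, rng)
    (y, x), cert = keygen(Y, rng)
    return {"Y": Y, "y": y, "x": x, "cert": cert, "ok": verify(Y, y, cert),
            "recovered": recover(cert["C"], zs)}


if __name__ == "__main__":
    d = demo()
    print("certificate valid:", d["ok"], " recovered x == x:", d["recovered"] == d["x"])
```

The verifier never sees x or k: it recomputes the challenge bits from the commitments and checks each response against C, v or y, which is why the check can be run by the Certification Authority or by anyone else holding Y. Recovery needs every z_i (the product of the t_i reconstructs Y^k), so a single authority cannot open C on its own.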
An alternative embodiment involves using a public key of the authority of the form (Y, g, 2 raised to the power t), where t is some integer greater than 1. In the preferred embodiment of the present invention t is selected as 1, although other values can be used instead and the system still operates on the basis of primitive roots.
Another alternative embodiment uses the product of two or more large primes as part of the public parameters. Clearly, the exact structure of the moduli used can vary significantly without departing from the scope of the invention. In another embodiment, the interactive versions of the three non-interactive proofs can be used. This embodiment requires that the system output k for the user during key generation. This value is used during the interactive protocol so that the verifier can be convinced that the user's private key can be recovered by the deposit authorities. Note, however, that outputting k may result in a hidden public key cryptosystem. This follows from the fact that ((g1, C, 2q), k) is a valid ElGamal public/private key pair modulo 2q. In yet another embodiment, the Certification Authority, or another trusted entity, takes on the additional role of hiding the users' public keys. The Certification Authority selects a k such that g' = (g raised to the power k) modulo p is a generator, and sends the user (g', (y raised to the power k) modulo p). g' is the user's ElGamal generator and y' = (y raised to the power k) modulo p is part of the user's final key (g', y', p). This prevents users from exploiting subliminal channels in y.
In another variant, users publish public keys that are used for key exchanges in a "key exchange" similar to that of Diffie-Hellman. For example, the following method can be used. Let a be the private key of user A and let b be the private key of user B. Let y_a = (g raised to the power a) modulo p be the public key of user A and let y_b = (g raised to the power b) modulo p be the public key of user B. To establish a random session key, user A selects a random string s. User A then sends m = (y_b raised to the power a) s modulo p to user B. User B recovers s by calculating m / (y_a raised to the power b) modulo p. Users A and B derive a session key from s by a known public function (for example, by applying a one-way hash function to it). Later, when the session key must be recovered from the deposit, the deposit authorities can use either a or b to recover s, and hence the session key. The following is a description of a second primary embodiment of the present invention. The hash algorithm used is SHA (Schneier, 2nd edition, pages 442-445), although any cryptographic hash algorithm can be used in its place. The least significant bits of the hash result are used for convenience, but any subset is possible. In the preferred embodiment, the parameters are selected uniformly at random from their respective groups or domains. Variations of the probability distributions from which those values are selected are possible. Choices based on random number generators or pseudo-random number generators are available in the art. The initial setup of the system of this alternative embodiment, shown in Figure 1, initializes the cryptosystem. In the preferred embodiment, the deposit authority i for 1 <= i <= m generates a private share D_i and the corresponding public share E_i. The private shares D_i form the shared private key D. Deposit authorities 2 through m send their E_i to deposit authority 1.
These are represented by step 11. Deposit authority 1 combines all the public shares E_i and calculates the shared public key E. The value for E is published by deposit authority 1, as represented in step 13. Each authority keeps its D_i private. As a concrete example, the deposit authorities can generate a strong prime p and a value g that generates {1, 2, ..., p-1}. The share D_i can be selected uniformly at random from {1, 2, ..., p-1}, and E_i = (g raised to the power D_i) modulo p. E is the product of all the values E_i modulo p. Variations of the joint key generation are possible, as well as an implementation with a single deposit authority. A process similar to that of Figure 2 illustrates how a user's system generates a public/private key pair and a recovery capacity certificate. Having obtained (and verified as far as possible) the signal E made available to the users by the deposit authorities, the user's system proceeds to generate a public ElGamal key (y, g, p) for the user (T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", CRYPTO '84, pages 10-18, Springer-Verlag, 1985). The user's system selects a private key x uniformly at random from {1, 2, ..., p-1}, and calculates y as (g raised to the power x) modulo p. This process leads to the generation of the key pair corresponding to step 2006. The system then proceeds to step 2007 and calculates a certificate that can be used by any interested party, in particular by the Certification Authority, to verify that the user's private key x can be recovered from the recovery capacity certificate P. Let ENC(a, s, E) denote the public key encryption of the message a under the public key E using the randomness s. Here ENC is a probabilistic, semantically secure public key encryption, where the string s is used as the randomness of the probabilistic encryption.
For example, ENC can be ElGamal encryption, or optimal asymmetric encryption (Bellare-Rogaway, "Optimal Asymmetric Encryption", Eurocrypt '94). Let DEC be the corresponding public key decryption function, which runs in a shared manner. Hence, DEC(ENC(a, s, E), D_1, D_2, ..., D_m) = a. P is constructed in accordance with the following algorithm:
1. P = ()
2. for i = 1 to M do
3. select r_i at random from the domain {1, 2, ..., p-1}
4. select random strings s_i,1 and s_i,2 for ENC
5. Q_i = (g raised to the power r_i) modulo p
6. C_i,1 = ENC(r_i, s_i,1, E)
7. C_i,2 = ENC(r_i - x modulo p-1, s_i,2, E)
8. add (Q_i, C_i,1, C_i,2) to the end of P
9. val = H(P)
10. set b_1, b_2, ..., b_M to be the M least significant bits of val, where b_i is in {0, 1}
11. for i = 1 to M do
12. w_i = r_i - (b_i) x
13. Z_i = (w_i, s_i,j) where j = 1 + b_i
14. add Z_i to the end of P
Thus, P = ((Q_1, C_1,1, C_1,2), ..., (Q_M, C_M,1, C_M,2), Z_1, ..., Z_M). H is a suitable public one-way hash function (e.g., SHA), so that the b_i can be recovered from P. The values for b are the challenge bits, and this method of finding and using them is analogous to the Fiat-Shamir heuristic. The user's system outputs (y, x, P) in step 2008. Note that the user has the option of proving interactively that his private key x can be recovered by the deposit authorities. This will be discussed in more detail later. M is a sufficiently large security parameter (for example, M = 50). The description of the embodiment has thus explained how the system is set up for use by the Certification Authority and the other authorities, and how the system works on the part of the users (intended recipients) to generate a public/private key pair and a recovery capacity certificate. Certificates are strings that show anyone to whom they are presented that the private key corresponding to the generated public key can be recovered by the deposit authorities using P.
The following describes how the invention is used by the user to prove to a verifier that x can be recovered from P. This process is represented in Figure 3. The verifier can be the Certification Authority, a deposit authority, or any other party that knows the system parameters. The verification process of Figure 3 is as follows. In step 3009, the user generates a public/private key pair and a certificate using the invention as described above. In step 3010, the user transmits a signal containing these parameters to a verifier. In step 3011 the verifier uses this signal to verify whether or not the user's private key can be recovered by the deposit authorities. In this process, the verification system takes the public key y, the corresponding certificate P, and the deposit public key E. The verification system first checks that y < p. The verification system checks that all the values in P lie in the correct sets. The verification system also checks that the values C_i,j, for all i and j, contain no repetitions. The verification system checks that none of the Q_i, for all i, is repeated. If any of these checks fails, then a false result is returned. The verification system then calculates b_1, b_2, ..., b_M in the same way as in the certificate generation process. For i = 1 to M, the verification system checks the following conditions:
1. ENC(w_i, s_i,j, E) = C_i,j, where j = 1 + b_i
2. (Q_i / (y raised to the power b_i)) modulo p = (g raised to the power w_i) modulo p.
The verification system returns a true result as long as all the checks pass and both conditions 1 and 2 above are satisfied for 1 <= i <= M. The invention may take subsequent action and indicate to the verifier that the public key is invalid in the event that a false result is returned. Similarly, the verification system can inform the verifier of a passing validation (the verification system returns a true result). In Figure 4, the user certifies his public key with the Certification Authority. In step 4012 of this process, the user generates his public key and recovery capacity certificate, as previously described. The user transmits this signal to the Certification Authority. This corresponds to step 4013 of Figure 4. In step 4014 the Certification Authority acts as a verifier and verifies that the user's private key can be recovered by the deposit authorities. Up to this point steps 4012 to 4014 are identical to steps 3009 to 3011 in the key verification process of Figure 3. However, the Certification Authority will also make keys that pass the verification process available to others upon request and/or certify them. If the user's public key fails the verification process, then the certification attempt is ignored or alternatively the user is notified of the failed certification attempt. Depending on the demands of the environment in which the invention is used, users may be requested to submit additional information to register a public key and to certify that they know the private key portion without disclosing it. That information could be a password, social security number, a previously used private key, etc.
In the event that the Certification Authority is a trusted entity, the Certification Authority can simply digitally sign the user's public key together with the user's name and additional information, and make available, upon request, the key along with the Certification Authority's signature on this information. If the Certification Authority is not trusted (which is not the typical assumption in a PKI), then the certificate must be stored in the public file and the certificate, together with the recovery capacity certificate, must be provided to the deposit authorities, who in turn can ensure recoverability. This completes the description of the public key certification process. It is noted that the Certification Authority keeps the recovery capacity certificate, possibly in encrypted form under its own key with authentication information for its integrity. The last process to be described is the process of recovering private keys. This process is represented in Figure 5. In this process, the invention is used by the m deposit authorities to recover the user's private key based on P. In this process, all m deposit authorities obtain y and P, as recited in step 5015 of Figure 5. In an alternative embodiment, the Certification Authority transmits y and P and/or other parameters to one or more of the authorities. In this way they are already in possession of y and P. At this point the deposit authorities use a subset of their shares D_1, D_2, ..., D_m to decrypt P, opening all the unopened C_i,j (using, for example, DEC). This is achieved by having deposit authority i recover the i-th shares of the user's private key. In this process, deposit authority i extracts the M unopened values C_i,j from P and decrypts them using D_i. The recovered values are pooled with the values of the other deposit authorities, as represented in step 5016 of Figure 5.
The pool is then used by the authorities to decrypt all the unopened values C_i,j, starting from Q. In this way all the plaintexts corresponding to all the C_i,j are known by the deposit authorities. There are alternative methods in the art to recover the plaintext corresponding to the unopened C_i,j such that the plaintext is represented in a distributed manner among the authorities. The deposit authority checks the plaintexts of each pair C_i,1 and C_i,2 for a pair of values which, when subtracted from one another modulo p-1, equal the exponent x in y = (g raised to the power x) modulo p. Also, the quantity (g raised to the power x) modulo p can be checked against the public y to ensure that it is correct. Once one such pair is found, the user's private key has been found. A third primary embodiment of this invention will now be described. In this embodiment, system users generate composite public keys. The user's system generates n and s in the same manner as described in pending US Patent 08/920,504 (by Young and Yung). Recall that n is the product of two (preferably strong) primes p and q, and s is a string that can be used together with a public one-way function to derive the high-order bits of n. Let e and d denote the public and private exponents (for example, for RSA), respectively. The following shows how to construct P:
1. P = ()
2. select a string t_0 at random modulo n
3. add t_0 to the end of P
4. for i = 1 to M do
5. select a_i,1 at random from the set {1, 2, ..., (p-1)(q-1)-1}
6. calculate a_i,2 = d - a_i,1 modulo (p-1)(q-1)
7. select two random strings s_i,1 and s_i,2 for use in ENC
8. t_i = H(t_(i-1))
9. v_i,1 = (t_i raised to the power a_i,1) modulo n
10. v_i,2 = (t_i raised to the power a_i,2) modulo n
11. Q_i = (t_i, v_i,1, v_i,2)
12. C_i,1 = ENC(a_i,1, s_i,1, E)
13. C_i,2 = ENC(a_i,2, s_i,2, E)
14. add (Q_i, C_i,1, C_i,2) to the end of P
15. val = H(P)
16. set b_1, b_2, ..., b_M to be the M least significant bits of val, where b_i is in {0, 1}
17. for i = 1 to M do
18. Z_i = (a_i,j, s_i,j) where j = 1 + b_i
19. add Z_i to the end of P
20. add s to the end of P
In this way, P = (t_0, (Q_1, C_1,1, C_1,2), ..., (Q_M, C_M,1, C_M,2), Z_1, ..., Z_M, s). The H above can be based on SHA, or on the concatenation of a few SHA applications to generate t_i of the appropriate size. Most probably t_i lies in the set of elements smaller than n and relatively prime to n. The verification system is a bit different from before. The verification system first verifies that n has been selected from the correct set. Let u denote the integer corresponding to the k/2 high-order bits of n. The verification system ensures that either H(s) = u or H(s) = u + 1, as described in pending US Patent 08/920,504. The verification system checks that all the values in P lie in the correct sets. For example, the verification system checks that t_i falls within the range of H, and that a_i,j < n (or some function of n) where j is 1 or 2. The verification system also checks that t_i = H(t_(i-1)) for i varying from 1 to M. The verification system checks that the elements of the tuple Q_i for each i contain no repetitions, and also that the elements in the pairs C_i for all i contain no repetitions. If any of these checks fails, then a false result is returned. The verification system then calculates b_1, b_2, ..., b_M in the same way as in the certificate generation process. For i varying from 1 to M, the verification system checks the following:
1. ((v_i,1 multiplied by v_i,2) raised to the power e) modulo n = t_i
2. (t_i raised to the power a_i,j) modulo n = v_i,j, where j = 1 + b_i
The verification system returns a true result as long as all the checks pass and both criteria are satisfied for 1 <= i <= M.
The deposit authorities recover the user's private key as follows. For i varying from 1 to M, the authorities calculate w_i as the sum of the plaintexts corresponding to C_i,1 and C_i,2. If a value w_i is found such that (t_i raised to the power e(w_i)) modulo n equals t_i, then w_i constitutes a valid RSA private key corresponding to e. It is well known in the art how to factor n given such a value w_i. Note that the RSA function is a homomorphic function, and the previous embodiment can be applied to homomorphic functions similar to RSA. It is emphasized that from the previous embodiment it is clear that this "proof technique" for showing that a value can be recovered by the deposit authorities can be generalized to any homomorphic function. An application of this invention is a multiple deposit authority system, wherein each deposit authority has its own Certification Authorities and users. When users of different deposit authorities carry out a secure communication, the two deposit authorities can recover the users' exchanged messages or keys through a bilateral agreement. This can be applied to international scenarios. Another application of the key deposit system is a secure file system or a file repository with recoverable keys. This system can be implemented based on the previous embodiments, in particular based on the preceding paragraph. For example, user A may be the owner of the file, user B may be the file server, and the deposit authorities may be file recovery agents. An example of a file could be a password, in which case the file recovery agents are password recovery agents. The previous description of the first embodiment of the present cryptographic system makes novel uses of number theory in cryptography. It shows how to design a cryptosystem on 3 primes with direct arithmetic relationships among all the numbers. That is, r, q, and p are primes such that q = 2r+1 and p = 2q+1.
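The second embodiment (the ElGamal key with certificate P, its verification, and recovery by the deposit authorities from the unopened C_i,j) as an added, runnable example; it is not code from the patent. ENC is ElGamal with explicit randomness s and a shared escrow key E = product of the E_i, with DEC carried out as partial decryptions that are combined, as the text's shared DEC requires. The parameters are constructed: p = 10007 (a strong prime, g = 5 generates Z_p^*), M = 20 rounds instead of the suggested 50, SHA-256 as H, and a seeded PRNG for reproducibility; the function names are my own. Exponents r_i are drawn from Z_(p-1), and the honest prover draws distinct r_i and distinct randomness so the no-repetition checks of the verifier hold by construction.

```python
# Added example, not the patent's own code: the second embodiment with ElGamal
# as ENC and a shared escrow key, over the constructed safe prime p = 10007
# (g = 5 generates Z_p^*). M is 20 here; the text suggests 50.
import hashlib
import random

P, G = 10007, 5   # constructed toy parameters; p = 2*5003 + 1 is a strong prime
M = 20            # number of rounds (security parameter)


def escrow_setup(m, rng):
    """Figure 1: authority i keeps D_i and publishes E_i = g^D_i; E = prod E_i mod p."""
    D = [rng.randrange(1, P) for _ in range(m)]
    E = 1
    for d in D:
        E = E * pow(G, d, P) % P
    return E, D


def enc(a, s, E):
    """ENC(a, s, E): ElGamal with explicit randomness s, so a verifier can recompute it."""
    return (pow(G, s, P), a * pow(E, s, P) % P)


def partial_dec(c, D_i):
    """Authority i's share of DEC: c1^D_i mod p, computed without revealing D_i."""
    return pow(c[0], D_i, P)


def dec_combine(c, partials):
    """DEC: prod c1^D_i = c1^D, then a = c2 / c1^D mod p."""
    shared = 1
    for t in partials:
        shared = shared * t % P
    return c[1] * pow(shared, -1, P) % P


def challenge_bits(commits):
    """Fiat-Shamir: b_1..b_M are the M least significant bits of H(P)."""
    val = int.from_bytes(hashlib.sha256(repr(commits).encode()).digest(), "big")
    return [(val >> i) & 1 for i in range(M)]


def keygen(E, rng):
    """Figure 2, step 2007: build P = ((Q_i, C_i1, C_i2))_i followed by Z_1..Z_M."""
    x = rng.randrange(1, P - 1)              # private key; exponents live in Z_(p-1)
    y = pow(G, x, P)
    rs = rng.sample(range(P - 1), M)         # distinct r_i keeps the Q_i distinct
    ss = rng.sample(range(1, P - 1), 2 * M)  # distinct randomness keeps the C_ij distinct
    commits = []
    for i, r in enumerate(rs):
        Qi = pow(G, r, P)
        C1 = enc(r, ss[2 * i], E)
        C2 = enc((r - x) % (P - 1), ss[2 * i + 1], E)
        commits.append((Qi, C1, C2))
    b = challenge_bits(commits)
    Z = [((r - b[i] * x) % (P - 1), ss[2 * i + b[i]]) for i, r in enumerate(rs)]
    return (y, x), {"commits": commits, "Z": Z}


def verify(E, y, cert):
    """Figure 3: True iff y, P and E pass every check of the text."""
    commits, Z = cert["commits"], cert["Z"]
    if not 0 < y < P or len(commits) != M or len(Z) != M:
        return False
    Qs = [c[0] for c in commits]
    Cs = [c[1] for c in commits] + [c[2] for c in commits]
    if len(set(Qs)) != M or len(set(Cs)) != 2 * M:   # no repeated Q_i or C_ij
        return False
    b = challenge_bits(commits)
    for i, (Qi, C1, C2) in enumerate(commits):
        w, s = Z[i]
        if not 0 <= w < P - 1:
            return False
        if enc(w, s, E) != (C2 if b[i] else C1):                    # condition 1
            return False
        if Qi * pow(pow(y, b[i], P), -1, P) % P != pow(G, w, P):    # condition 2
            return False
    return True


def recover(D, y, cert):
    """Figure 5: open the unopened C_ij with the shares; r - (r - x) = x mod p-1."""
    b = challenge_bits(cert["commits"])
    for i, (Qi, C1, C2) in enumerate(cert["commits"]):
        opened = cert["Z"][i][0]
        sealed = C1 if b[i] else C2
        other = dec_combine(sealed, [partial_dec(sealed, d) for d in D])
        r, r_minus_x = (other, opened) if b[i] else (opened, other)
        x = (r - r_minus_x) % (P - 1)
        if pow(G, x, P) == y:       # check against the public y, as the text says
            return x
    return None


def demo(seed=7, m=3):
    rng = random.Random(seed)   # deterministic for the example; use a CSPRNG in practice
    E, D = escrow_setup(m, rng)
    (y, x), cert = keygen(E, rng)
    return {"E": E, "D": D, "y": y, "x": x, "cert": cert,
            "ok": verify(E, y, cert), "recovered": recover(D, y, cert)}


if __name__ == "__main__":
    d = demo()
    print("certificate valid:", d["ok"], " recovered x == x:", d["recovered"] == d["x"])
```

In each round exactly one of the two ciphertexts is opened to the verifier (the one selected by the challenge bit), so the verifier learns either r_i or r_i - x but never both; the authorities, holding the shares, open the other one and subtract.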
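The third (RSA) embodiment, steps 1 to 20 with the verifier's conditions 1 and 2 and the recovery of a valid private exponent w_i, as an added, runnable example that is not the patent's code. The values are constructed: a toy modulus n = 10007 * 10009 with e = 65537, an ElGamal escrow ENC over the Mersenne prime 2^31 - 1 with generator 7 using a single deposit authority (a simplification of the shared ENC/DEC of the second embodiment), M = 20 rounds, and SHA-256 as H. The check that n was derived from s (pending US Patent 08/920,504) is not described on this page and is therefore not shown; the function names are my own.

```python
# Added example, not the patent's own code: the third (RSA) embodiment with a
# constructed toy modulus n = 10007 * 10009 and e = 65537. The escrow ENC is a
# single-authority ElGamal over the prime 2^31 - 1 (primitive root 7), a
# simplification of the shared ENC/DEC of the second embodiment; M is 20 here.
import hashlib
import random

PR, QR = 10007, 10009                      # constructed RSA primes (toy size)
N_RSA, PHI, E_RSA = PR * QR, (PR - 1) * (QR - 1), 65537
D_RSA = pow(E_RSA, -1, PHI)                # private exponent d
PE, GE = 2**31 - 1, 7                      # escrow ElGamal group (messages a < PE)
M = 20


def escrow_keys(rng):
    """Single deposit authority: private D, public E = g^D mod PE."""
    D = rng.randrange(1, PE - 1)
    return pow(GE, D, PE), D


def enc(a, s, E):
    """ENC(a, s, E): ElGamal with explicit randomness s, recomputable by a verifier."""
    return (pow(GE, s, PE), a * pow(E, s, PE) % PE)


def dec(c, D):
    return c[1] * pow(pow(c[0], D, PE), -1, PE) % PE


def H(obj):
    return int.from_bytes(hashlib.sha256(repr(obj).encode()).digest(), "big")


def make_cert(d, E, rng):
    """Steps 1-20: split d = a_i1 + a_i2 mod phi(n), commit via t_i^a_ij, escrow both halves."""
    t0 = rng.randrange(N_RSA)                      # step 2: t_0
    t, commits, secrets = t0, [], []
    for _ in range(M):
        t = H(t) % N_RSA                           # step 8: t_i = H(t_{i-1})
        a1 = rng.randrange(1, PHI)
        a2 = (d - a1) % PHI
        s1, s2 = rng.randrange(1, PE - 1), rng.randrange(1, PE - 1)
        Q = (t, pow(t, a1, N_RSA), pow(t, a2, N_RSA))
        commits.append((Q, enc(a1, s1, E), enc(a2, s2, E)))
        secrets.append(((a1, s1), (a2, s2)))
    b = [(H(commits) >> i) & 1 for i in range(M)]  # step 16: challenge bits
    return {"t0": t0, "commits": commits, "Z": [secrets[i][b[i]] for i in range(M)]}


def verify_cert(n, e, E, cert):
    """Verifier: hash chain, no repetitions, condition 1 and condition 2 for every round."""
    t_prev, commits, Z = cert["t0"], cert["commits"], cert["Z"]
    if len(commits) != M or len(Z) != M:
        return False
    b = [(H(commits) >> i) & 1 for i in range(M)]
    seen = set()
    for i, ((t, v1, v2), C1, C2) in enumerate(commits):
        if t != H(t_prev) % n or len({t, v1, v2}) != 3:
            return False
        seen.update((C1, C2))
        if pow(v1 * v2 % n, e, n) != t:                       # condition 1
            return False
        a, s = Z[i]
        if not 0 <= a < n or enc(a, s, E) != (C2 if b[i] else C1):
            return False
        if pow(t, a, n) != (v2 if b[i] else v1):              # condition 2
            return False
        t_prev = t
    return len(seen) == 2 * M                                 # no repeated C_ij


def recover_d(n, e, D, cert):
    """Recovery: w_i = a_i1 + a_i2; w_i is a valid private exponent when t_i^(e w_i) = t_i."""
    b = [(H(cert["commits"]) >> i) & 1 for i in range(M)]
    for i, ((t, v1, v2), C1, C2) in enumerate(cert["commits"]):
        w = cert["Z"][i][0] + dec(C1 if b[i] else C2, D)
        if pow(t, e * w, n) == t:
            return w
    return None


def demo(seed=3):
    rng = random.Random(seed)   # deterministic for the example; use a CSPRNG in practice
    E, D = escrow_keys(rng)
    cert = make_cert(D_RSA, E, rng)
    return {"E": E, "D": D, "cert": cert, "ok": verify_cert(N_RSA, E_RSA, E, cert),
            "w": recover_d(N_RSA, E_RSA, D, cert)}


if __name__ == "__main__":
    d = demo()
    print("certificate valid:", d["ok"], " recovered exponent == d mod phi:",
          (d["w"] - D_RSA) % PHI == 0)
```

Condition 1 holds because a_i,1 + a_i,2 is d modulo phi(n), so v_i,1 v_i,2 = t_i^d and raising to e gives t_i back; the verifier learns only one half in each round, while the escrowed other half lets the deposit authority reassemble an exponent congruent to d.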
The use of three or more primes with relationships among them can produce several cryptosystems of a nature similar to the one described above. Some of them are described in the variations of the preferred embodiment. Another relation can be p = 2q+1 and q = 2rs+1, where p, q, r, and s are all primes and r has a length of 160 bits. Another example is p = 2q+1, q = 2r+1 and r = 2s+1, where p, q, r, and s are all primes. In addition, another innovative use of number theory is to perform cryptographic operations in the exponent, where the operations are, for example, modular exponentiations. For example, the second zero-knowledge proof of step 2007 of the first embodiment involves proving knowledge of k in v, where v equals g raised to the power w modulo p, and w is (Y raised to the power -k) modulo 2q. The use of three or more domains in successive exponentiations provides flexibility and power to the cryptosystems. Applications of this made along the lines of the present invention are readily available to those skilled in the art. An application of this invention is a hierarchical public key deposit system. A hierarchical public key deposit system is a deposit system that takes the form of a tree data structure. The deposit authorities located at the root of the tree are capable of decrypting the communications of all the entities corresponding to the nodes of the rest of the tree. Recursively, the deposit authorities at any given node i in the tree can decrypt the communications of all entities corresponding to the nodes in the rest of the subtree of which node i is the root. At any time, the leaves of the tree can form another subtree and act as deposit agent(s). By ordering the sizes of the moduli appropriately, it is possible to have multiple deposit agents for any node in the tree.
All that is needed is to ensure that the roots start with the smallest modulus and end with the largest. Similarly, instead of a fixed tree determining the order, the user can choose a subset of escrow agents and generate his own preferred tree, namely the selected subset of escrow agents sorted by the relative size of their public keys along a line in which the largest key is the root. This forces a commitment structure and ensures that the subset must work together to retrieve a key, or information encrypted under the key.

Yet another application of this invention is certified electronic mail. When users enroll in the system, they register an auto-recoverable encryption public key, together with its recoverability certificate, with the Certification Authority, and they also register a public signing key. To send a piece of certified mail, the following is done. The sender sends a package that includes: an encryption of an e-mail key under the sender's own self-certified public key, the name of the recipient, the ciphertext of the e-mail message encrypted under the e-mail key, a header indicating a certified e-mail message, the sender's own certified public key and the Certification Authority's certificate for that public key, and other information. The package is signed using the sender's private signing key. Both the package and the signature on the package are sent to the receiver. The receiver forms a return-receipt package consisting of a fixed return-receipt header, the received message (or the address of the received message), and additional information. This package is signed using the recipient's private signing key and sent to the original sender. The original sender verifies the signature on the return-receipt package. If the signature is valid, the original sender sends the e-mail key, encrypted under the recipient's certified public key, to the recipient.
This message is sent along with a signature on it, made with the original sender's private signing key. The receiver verifies the signature on the encrypted e-mail key. If the signature is valid, the recipient decrypts the e-mail key using its private decryption key. The receiver then encrypts the result using the sender's certified public key. If the result matches the ciphertext found in the first package sent by the original sender, then the e-mail key is deemed authentic. This key is then used to decrypt and obtain the actual information sent by the original sender. If the recipient is unable, for some reason, to contact the original sender after the first package was received, the receiver sends the return receipt and the first package to the escrow authorities. The escrow authorities will retrieve the e-mail key as long as the package and the return receipt are authentic, and provided that the package contains the correct name of the recipient. The escrow authorities retain the return receipt and the package. Whenever the verifications pass, the e-mail key is sent to the receiver. This constitutes a certified e-mail system based on auto-recoverable keys and signing keys, in which user registration is analogous to user registration in a typical public key system with a Certification Authority. It is also known in the art how to use certified electronic mail systems such as the preceding one for signing contracts between two parties; the preceding application can be regarded as such.

In this way, a new and improved key escrow system has been described, in some of the many specific embodiments representing applications of the principles and paradigms of the present invention. Clearly, those skilled in the art can easily devise numerous alternative arrangements without departing from the scope of the present invention.
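The user-chosen escrow chain described above (a subset of agents sorted by modulus size, with the largest key as the root) as an added example that is not part of the patent: each layer of encryption is applied under the next larger modulus, so every ciphertext fits the following agent's domain, and recovery has to proceed root-first with every agent in the subset taking part. The three agent names and their toy textbook RSA keys are constructed for the example (no padding, small primes).

```python
# Constructed toy RSA keys for three escrow agents (not from the patent).
# Textbook RSA on small primes, no padding: enough to show the ordering rule.

def rsa_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for primes p, q; e must be coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


AGENT_KEYS = {
    "agent-C": rsa_keypair(101, 113),   # n = 11413 (largest -> root)
    "agent-A": rsa_keypair(61, 53),     # n = 3233  (smallest -> leaf)
    "agent-B": rsa_keypair(89, 97),     # n = 8633
}


def order_by_modulus(names):
    """The user's chosen subset, sorted so the smallest modulus is applied
    first and the largest (the root of the user's tree) last."""
    return sorted(names, key=lambda name: AGENT_KEYS[name][0][0])


def escrow_along_chain(secret, chain):
    """Encrypt the secret under the leaf agent, then re-encrypt each ciphertext
    under the next agent. This works because every ciphertext is < n_i <= n_{i+1},
    so it is a valid input for the next, larger modulus; a chain that is not
    ordered by modulus size can fail the range check."""
    c = secret
    for name in chain:
        n, e = AGENT_KEYS[name][0]
        if c >= n:
            raise ValueError(f"value {c} does not fit the modulus of {name}; "
                             "order the chain by modulus size")
        c = pow(c, e, n)
    return c


def recover_along_chain(ciphertext, chain):
    """Recovery runs root-first: the largest-modulus agent peels its layer,
    then the next, down to the leaf. Every agent in the subset must take part;
    leaving one out returns an intermediate ciphertext, not the secret."""
    m = ciphertext
    for name in reversed(chain):
        n, d = AGENT_KEYS[name][1]
        m = pow(m, d, n)
    return m


if __name__ == "__main__":
    chain = order_by_modulus(["agent-C", "agent-A", "agent-B"])
    ct = escrow_along_chain(1234, chain)
    print(chain, ct, recover_along_chain(ct, chain))
```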

Claims (36)

NOVELTY OF THE INVENTION

Having described the above invention, it is considered a novelty, and therefore the content of the following is claimed as property:

CLAIMS

  1. A method characterized in that it comprises a cryptographic system that can be used to generate, verify, use, and recover cryptographic keys, which involves at least four entities: agents, authorities, a registration party, and other parties, and which further comprises the following steps: (1) having the entities establish a set of system parameters; (2) having the agents generate agent parameters, and having the agents also publish at least one of the agent parameters; (3) having the authorities generate a set of authority parameters and publish at least one of the authority parameters; (4) having the registration party generate a public key of the registration party and a private key of the registration party, using a specified public procedure that uses at least one of the agent parameters and the authority parameters; (5) having the registration party generate a validation proof certifying that the private key of the registration party was generated using the specified public procedure; (6) having the registration party send the public key of the registration party and the validation proof to the authorities; (7) having the authorities verify that the public key of the registration party, together with the validation proof, is correct; (8) if the verification in step (7) is successful, having the authorities carry out a publication process for the public key of the registration party, and in doing so convert the registration party into a registered party; (9) having the other parties obtain the public key of the registered party after the publication process, and use it.
  2. A method according to claim 1, characterized in that the cryptographic system includes the additional step of effecting an event that causes at least one of the agents and the authorities to retrieve plaintext data encrypted under the public key of the registered party.
  3. A method according to claim 1, characterized in that the cryptographic system includes the additional step of effecting an event that causes at least one of the agents and the authorities to recover the private key of the registered party.
  4. A method according to claim 1, characterized in that the agent parameters generated in step (2) are public/private key pairs, of which only the public keys are published.
  5. A method according to claim 1, characterized in that the authority parameters generated in step (3) include public/private key pairs, of which only the public keys are published.
  6. A method according to claim 1, characterized in that the validation proof comprises a non-interactive zero-knowledge proof string, and in that the authorities verify the validation proof by verifying at least one of the non-interactive zero-knowledge proof strings.
  7. A method according to claim 1, characterized in that the generation, sending, and verification of the validation proof in steps (6) and (7) include performing an interactive zero-knowledge proof protocol, in which the registration party is the prover and the authorities are the verifier.
  8. A method according to claim 1, characterized in that the publication process includes generating a public key certificate in the name of the registration party, where the certificate includes the authorities' digital signature on the public key of the registration party and other information, made using the private key of the authorities, and where the certificate can be verified using at least one of the published authority parameters.
  9. A method according to claim 1, characterized in that the publication process includes generating a public key certificate in the name of the registration party, where the certificate includes the authorities' digital signature on a modification of the public key of the registration party and other information, made using the private key of the authorities, and where the certificate can be verified using at least one of the published authority parameters.
  10. A method according to claim 1, characterized in that the publication process includes marking the public key of the registration party as a valid key in a file.
  11. A method according to claim 1, characterized in that the use of the public key of the registration party includes performing at least one of the following: public key encryption, public key decryption, digital signature, verification of a digital signature, key exchange, and identification.
  12. A method according to claim 2, characterized in that the event is an appropriate authorization provided to the agents on behalf of an agency within a government or group of governments.
  13. A method according to claim 2, characterized in that the recovery of the plaintext data is carried out to verify the communications of registered parties suspected of criminal activity, as well as to protect the privacy of others.
  14. A method according to claim 2, characterized in that it comprises the additional step of: characterizing the activities of the registered parties as illegal, and the agencies being unable to verify the communications of the registered parties.
  15. A method according to claim 1, characterized in that the functionality of at least one of the agents, the registered party, and an authority, in at least one of the steps, is implemented in hardware.
  16. A method according to claim 1, characterized in that the use of the public key of the registered party is for file encryption.
  17. A method according to claim 1, characterized in that the other parties include the registered party.
  18. A method according to claim 2, characterized in that the additional step is the recovery of plaintext information sent between two parties, user 1 and user 2, and in that at least one of the following two steps occurs: (1) a first subset of the agents retrieves the private key of user 1, or the information encrypted under the public key corresponding to the private key of user 1; (2) another subset retrieves the private key of user 2, or the information encrypted under the public key corresponding to the private key of user 2.
  19. A method according to claim 2, characterized in that the event is generated following an appropriate process within the organization of the registered party.
  20. A method according to claim 1, characterized in that it can be used to generate, use, verify, and recover cryptographic keys, wherein the set of system parameters includes at least three domains F1, F2 and F3, such that F1 is the exponent domain of F2, and F2 is the exponent domain of F3.
  21. A method according to claim 1, characterized in that it can be used to generate, use, verify, and recover cryptographic keys, wherein the set of system parameters includes at least three domains, based on r, q and p, such that p = 2q + 1 = 4r + 3, where p, q, and r are prime numbers.
  22. A method according to claim 1, characterized in that the public key of the registration party is y, where y equals g raised to the power x mod p, g being a prime-number generator modulo p, and x is the private key of the registration party.
  23. A method according to claim 1, characterized in that the public key of the registration party is based on a number n, where only the registration party knows the factorization of n into prime numbers.
  24. A method according to claim 1, characterized in that the key of the registration party is a homomorphic function.
  25. A method according to claim 1, characterized in that the public keys of the registration party are RSA-based keys.
  26. A method according to claim 1, characterized in that the public keys of the registration party are ElGamal-based keys over a specific domain.
  27. A method according to claim 1, characterized in that the validation proof includes encryption using the parameters published by the agents.
  28. A method according to claim 1, characterized in that the validation proof employs cryptography based on one-way trapdoor functions.
  29. A method according to claim 1, characterized in that the validation proof asserts that the agents are able to recover the private key of the registration party, or information encrypted under the public key of the registration party.
  30. A method according to claim 1, characterized in that in step (6) the registration party first sends the public key of the registration party, and sends the validation proof at a later time.
  31. A method according to claim 1, characterized in that it has the additional steps of having the registration party generate a public/private key pair that constitutes a signing key, different from the public/private key pair of step (4), and having the authority certify the public key of the signing key.
  32. A method according to claim 31, characterized in that the use of the cryptographic system is for electronic mail with assured delivery.
  33. A method according to claim 1, characterized in that the parameters published by the agents and the public keys generated by the registration parties are from different key domains.
  34. A method according to claim 1, characterized in that the agents are a multitude of elements, and in that the registration party in step (5) generates a validation proof that the plaintext data of the registration party, encrypted under the public key of the registration party, can be recovered by a subset of the agents.
  35. A method according to claim 2, characterized in that the agents are a multitude of elements organized in a hierarchy, in which each element is capable of recovering plaintext data encrypted under keys in its sub-hierarchy.
  36. A method and apparatus according to claim 35, characterized in that the registration party in step (5) generates a validation proof asserting that the plaintext data of the registration party, encrypted under the public key of the registration party, can be recovered by a subset of the agents.

SUMMARY OF THE INVENTION

A method for a cryptographic escrow system that is free of factors that lower performance, does not require implementation in hardware (that is, it can be done in software), is cryptographic, tamper-proof, publicly verifiable, and cannot be used subliminally to enable a shadow (hidden) public key system. A shadow public key system is an unescrowed public key system that is publicly displayed in a covert form. The keys generated by the method are auto-recoverable and auto-certifiable (abbreviated ARC). The ARC cryptographic system is based on a key generation mechanism that produces a public/private key pair together with a certificate proving that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently by anyone to determine whether it is properly escrowed. The verification procedure does not use the private key. Hence, the general public has an efficient way to ensure that any given individual private key is properly escrowed, and that the trusted authorities will be able to access the private key if necessary. Since the verification can be done by anyone, there is no need for a special trusted entity, known in the art as a "trusted third party". The cryptographic system is free of factors that lower performance because there is no additional protocol interaction between the user who generates his own key and the certification authority or the escrow authorities, compared with what is required to present the public key itself in common certified public key systems.
In addition, the system is designed so that its internal components can be publicly scrutinized (for example, it can be distributed as source code). This differs from schemes that require the escrow device to consist of tamper-resistant hardware. The most representative figure of the invention is Figure 1.
MXPA/A/1999/010979A 1997-05-28 1999-11-26 Auto-recoverable auto-certifiable cryptosystems MXPA99010979A (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US08864839 1997-05-28
US08878189 1997-06-18
US08920504 1997-08-29
US08932639 1997-09-17
US08959351 1997-10-28

Publications (1)

Publication Number Publication Date
MXPA99010979A true MXPA99010979A (en) 2001-05-17
