TW427087B - Full domain key recovering system - Google Patents

Publication number: TW427087B
Authority: TW (Taiwan)
Application number: TW88107849A
Other languages: Chinese (zh)
Inventor: Lein Harn
Original Assignee: Qic Systems Corp
Prior art keywords: certificate, key, public, private, public key
Abstract

A system combining key recovery and public key certification in a digital communication environment with a plurality of clients and servers. A public key certificate is attached to the digital message to be transmitted so as to authenticate the signer's identity; meanwhile, the private key can be recovered by the certificate authorities. The method has the following steps: first, each user selects the modulus, the private key and the certificate authorities, and computes the corresponding public key; the private key is split into several partial private keys and the corresponding partial public keys are computed; the public data (the public key, the partial public keys and the certificate authorities) and one copy of a partial private key are sent to each certificate authority; each certificate authority then applies an integrity check to the received data, computes a partial signature for broadcasting to the other certificate authorities, signs the public data and returns the signature result to the user; thereafter, the user verifies the returned partial signatures and combines all of them into the required public key certificate.

Description

The present invention relates to a private key recovery method for cryptographic communication and public key cryptosystems, and in particular to network security applications that allow the owner of a public key cryptosystem, or a trusted third party, to recover a private key that has been lost or cannot be obtained.

The combination of computer and communication technology has rapidly increased both the speed and the volume of information collection and transmission. Diverse applications have let electronic transmission replace traditional paper-based communication. As a result, information is used far more intensively, but it is also correspondingly easier for information to be maliciously attacked by illegal or unauthorized parties. How to combine information security technology with electronic communication systems, so as to protect the confidentiality and authenticity of information and prevent passive eavesdropping and active tampering, has therefore become a most important issue.

DES (Data Encryption Standard) was the first publicly available cryptographic algorithm endorsed by the United States government. It is a "one-key" or "symmetric-key" cryptosystem. In a one-key or symmetric-key cryptosystem the keys used for encryption and decryption can easily be derived from each other; in other words, given the encryption key one can easily derive the decryption key, and vice versa. In 1976, Diffie and Hellman proposed the so-called "public-key" or "asymmetric-key" cryptosystem to solve the problem that a one-key or symmetric-key cryptosystem requires keys to be exchanged secretly. In a public key cryptosystem each encryption key has a corresponding decryption key; the two keys look completely different yet are inseparably related, but deriving one of them from the other is not a simple matter.

In such a public key cryptosystem every member's encryption key must be made public. Anyone can then encrypt a confidential document with the receiver's public encryption key and send the encrypted document safely to the receiver over an insecure communication channel. Since only the legitimate receiver holds the decryption key corresponding to that encryption key, only the legitimate receiver can decrypt the confidential document.

In the Secure Electronic Transaction (SET) standard, the message data is encrypted with a randomly generated symmetric encryption key, and the symmetric key is in turn encrypted with the receiver's public encryption key (hereinafter the public key). This is the "digital envelope" of the message data, which is sent to the receiver together with the encrypted message. On receiving the digital envelope, the receiver opens it with the undisclosed decryption key (hereinafter the private key) to obtain the randomly generated symmetric key, and uses that symmetric key to decrypt the original message data.

A public key cryptosystem has a very distinctive property, the so-called digital signature. Like a traditional handwritten signature, a digital signature can be used to identify the author of the signature. A digital signature is the act of signing an electronic document, and the result provides authentication and non-repudiation. To sign an electronic document, the sender first feeds the document into a so-called one-way hash function to obtain a message digest or hash value. For security, the one-way hash function must have two properties: computing the message digest from the input message is very easy, and recovering the input message from the message digest is very hard. Having obtained the message digest, the sender encrypts it with the undisclosed decryption key (the private key); the result of this encryption is the digital signature. The sender then attaches the digital signature to the original electronic document and sends both to the receiver for later verification.

The receiver can decrypt the digital signature with the encryption key (public key) published by the sender, thereby recovering the message digest computed at signing time. Independently, the receiver feeds the received electronic document into the one-way hash function to obtain a message digest and compares it with the digest recovered from the digital signature; if the two are identical, the electronic document has not been tampered with.

Two well-known public key cryptosystems currently provide both encryption and signatures: the RSA system (U.S. Patent No. 4,405,829), whose security rests on the integer factoring problem, and the ElGamal system, whose security rests on the discrete logarithm problem. In 1991 the United States government proposed the Digital Signature Standard (DSS) as the federal standard for federal agencies signing electronic documents with the Digital Signature Algorithm (DSA). DSS is an ElGamal-type signature method based on the discrete logarithm problem. Furthermore, the Elliptic Curve Cryptosystem (ECC), whose security rests on elliptic curves, has recently attracted attention and is being considered by IEEE P1363 as one of the cryptosystem standards. In fact, an elliptic curve cryptosystem shares many properties with the ElGamal system based on the discrete logarithm problem.

In a public key cryptosystem, public key certificates must be generated by some trusted certificate authority (CA), and the certificate authority or the user places the public key certificate in a directory. Each public key certificate is the user's public key signed by the certificate authority with its own private key. The purpose of a public key certificate is to help other users verify the legitimacy of the public key owner. ITU-T recommends X.509 as part of the X.500 directory retrieval service; X.509 provides authentication services for the X.500 directory service. The standard does not, however, prescribe any particular algorithm. In fact X.509 is already used in a wide variety of settings: for example, the X.509 certificate format has been adopted by S/MIME, IP Security, SSL/TLS and SET.

Key recovery is a technique that allows the owner of encrypted data, or a trusted third party, to recover an encryption key (session key) that has been lost or cannot be obtained. When a key is lost or unavailable, key recovery is a secure and practical way to recover the encrypted information.

In view of this, the main object of the present invention is to propose a key recovery system that combines the functions of a public key certificate authority and a key recovery authority. The key recovery system of the present invention can be used to recover a user's private key in a public key cryptosystem. In a public key cryptosystem the user's private key is what generates digital signatures or decrypts the random encryption key of a "digital envelope". Furthermore, the public key cryptosystem of the present invention is easy to implement, scalable, interoperable and has no single point of vulnerability, and it can be implemented in large global communication systems.

To achieve the above and other objects, the present invention proposes a key recovery system that can recover a user's private key in a public key cryptosystem. When designing a key recovery algorithm, the following requirements are usually considered:

• easy to implement
• applicable to all cryptographic algorithms
• scalable
• no single point of vulnerability
• interoperable
• integrity check

The present invention proposes a full-domain key recovery system that satisfies these requirements and recovers users' private keys in a public key cryptosystem. The full-domain key recovery system uses a multisignature algorithm to combine the functions of the certificate authority (CA) and the key recovery authority. It can be applied in a public key infrastructure (PKI) and in large global communication systems. A Personal Communication System (PCS) is one example to which the present invention can be applied: for security reasons, a PCS server may require all PCS users to make use of key recovery, and the present invention can provide this security without increasing the complexity of implementation.

Basically, the present invention provides an efficient method to combine the functions of the certificate authority and the key recovery authority. Instead of registering separately with two different kinds of authority, the present invention uses a simple method that lets the user complete both registrations at once, which greatly reduces the overall communication time.

U.S. Patent No. 5,276,737, "Fair Cryptosystem and Method of Use", published on January 4, 1994, was proposed by Silvio Micali. In Micali's cryptosystem each user provides pieces of information to several "trustees". The piece given to each trustee lets that trustee confirm that the piece contains a partial private key of the given public key. Only under specified conditions do the trustees release their partial private keys to reconstruct the original private key.

There are several differences between the present invention and Micali's cryptosystem. First, in Micali's cryptosystem the certificate authority and the trustees are distinct entities, whereas the present invention combines the two through a group signature. Because both the certificate authority and the key recovery authority must be trusted by all users, combining the two authorities simplifies implementation. Second, Micali's cryptosystem has a single certificate authority, whereas in the present invention the user selects several key recovery and public key certificate authorities; the present invention therefore has no single point of vulnerability. Furthermore, the present invention proposes integrating key recovery into the X.509 public key infrastructure, and so has the advantages of scalability and interoperability. In addition, the present invention lets every user efficiently split the private key of any public key cryptosystem. All of these properties make key recovery feasible and practical.

In short, the present invention uses a key-splitting algorithm so that a user can divide a private key into several segments and, at registration, deposit each segment with a different certificate authority selected by the user. According to the present invention, a certificate authority selected by the user serves simultaneously as a key recovery authority and a public key certificate authority. Each certificate authority performs an integrity check to verify that the private key has been properly split and that each segment has been properly deposited before it signs the public key certificate for the user's public key. Each certificate authority also produces a partial certificate using a multisignature algorithm. Once all certificate authorities have confirmed receipt of their partial private keys (the user's private key can be known only when all certificate authorities cooperate) and have sent their partial certificates, the user can combine all the partial certificates into a compact certificate for public key communication.

In particular, the modulus p (the large prime of the ElGamal-type signature method) is agreed by all certificate authorities, and all certificate authorities use this modulus to produce partial certificates. The user selects several certificate authorities to act as key recovery and public key certificate authorities. The user may select a private key of either the RSA type or the ElGamal type of cryptosystem, and splits the private key into several partial private keys with an appropriate key-splitting algorithm. The user then computes the partial public key corresponding to each partial private key. The user sends the public information (the user's public key, all partial public keys and the names of all selected certificate authorities) together with one partial private key to each certificate authority. After a certificate authority has verified the user's public information and the attached partial private key, it produces a partial certificate over the user's public information and returns it to the user. Once the user has received all the partial certificates, the user combines them into the compact certificate. The compact certificate can be stored in a public key directory or sent to any member of the communication system. When a user needs to verify the compact certificate, all the certificate authorities that signed partial certificates can be identified from it, and the compact certificate can be verified with the group public key (the product modulo p of all the CA public keys). This method greatly reduces the total computation needed to verify a multisignature, because only one signature verification is required. Moreover, when the private key owner or a trusted third party wants to recover a private key that is lost or cannot be obtained, all key recovery authorities can be identified from the public key certificate; after retrieving one partial private key from each key recovery authority, all the partial private keys are combined to obtain the original private key.

The features of the present invention are as follows.

(a) The present invention can be implemented in the X.509 public key infrastructure and has the advantages of scalability and interoperability.

(b) The present invention does not rely on any tamper-resistant device and can be implemented in software or hardware.

(c) The present invention allows the user to select several key recovery and public key certificate authorities, so there is no single point of vulnerability. In other words, unless an attacker can obtain the cooperation of all the certificate authorities, the system cannot be broken.

(d) The present invention does not increase the time needed to verify a public key certificate issued by several certificate authorities. Regardless of how many certificate authorities the user selects, the verification time for the public key certificate equals that of a certificate signed by a single authority.

(e) The present invention allows the user to choose the public and private keys freely. Any user can also freely decide which certificate authorities to use and how many key recovery and public key certificate authorities there are. This user-driven property is especially important when seeking broad support for key recovery.

(f) By inspecting the user's public key, anyone can perform an integrity check to see whether the user's private key has been properly split, and anyone can identify the key recovery authorities.

本發明並不欲限定於任何特定的公開簽章方法。由於 IEEE P 1 363建議採用的ECC簽章方法與E1Garaal類型的簽章 方法具·有彳艮多類似的特性,本發明亦可應用在這些方法中 。另外’由於DSS標準是以離散對數問題為基礎的一種 E1Gamal類型的簽章方法,且使用P-1的一個質因數(PrimeThe invention is not intended to be limited to any particular method of public signature. Since the ECC signature method proposed by IEEE P 1 363 and the E1Garaal type signature method have similar characteristics, the present invention can also be applied to these methods. In addition, because the DSS standard is an E1Gamal signature method based on the discrete logarithm problem, and uses a prime factor of P-1 (Prime

第11頁 427087 五、發明說明(9)Page 11 427087 V. Description of the invention (9)

Divis〇r)q以縮矩數位簽章的長度,Divis〇r) q the length of the digital signature with reduced moments,

類型的簽章方法中。 本發月亦可應用於DSS 為讓本發明之上述和兑他目 顯易懂,下文特舉-較佳實施例:並;;所:;優點能更明 細說明如下: 及配所附圖式,作詳 圖式說明 第1圖是本發明回復RSA類型私 各使用者及憑證機構所需執行動作的流程圖7鑰憑證時’ 第2圖是本發明回復以^^丨類 遂 時,各使用者及憑證機構所需執行動作圖生公錄憑證 第3圖是本發明自金錄回復機構回復私輪時| 有者或可信賴的第三者所需執行動作的流程圖芋 作的Γ程圖圖是本發明蜂認公输憑證時’讀認者所需執行動 龜-隹實施例 在以下敘述中,其目的是解釋而非限定使用方式,本 發明的特殊細節均會具體呈現以提供完整的說明過, ,習此技藝之人士亦可能將本發明應用不同於上述特殊細 節的其他實施例中。因此’像是演算法及程式程序等細節 將予以省略以避免不必要的限定。 ^ 應用本發明的一個例子將配合第1圖而說明如下,其 中,使用者私餘-是屬於RSA類型的密碼系統。在下列討論 中,假設使用者選定兩個憑證機構CA1及CA2以作為金输回 復及公錄憑證機構。根據R S A類型的密碼演算法,使用者In the signature method. This issue of the month can also be applied to DSS. To make the above and other aspects of the present invention easy to understand, the following is enumerated-preferred embodiments: and ;; the :; the advantages can be explained in more detail as follows: Figure 1 is a detailed flowchart. Figure 1 is a flowchart of the actions required by the present invention to respond to the RSA type of private users and certificate authorities. 7 When the key certificate is used, the second figure is when the present invention responds to the ^^ 丨 type. Figure 3 shows the actions required by the user and the certificate authority to generate the public record certificate. Figure 3 is a flowchart of the actions required by some people or trusted third parties to respond to the private round. The process map is the example of the present invention that the reader needs to execute the moving turtle- 隹 when the bee recognition of the voucher is issued. In the following description, the purpose is to explain rather than limit the way of use. It has been completely explained that those skilled in the art may also apply the present invention to other embodiments different from the above specific details. Therefore, details such as algorithms and programs will be omitted to avoid unnecessary restrictions. ^ An example to which the present invention is applied will be described with reference to FIG. 1, in which the user's privacy-is a cryptosystem of the RSA type. 
In the following discussion, it is assumed that the user selects two certificate authorities CA1 and CA2 as the gold loss reply and public record certificate authorities. According to the R S A type of cryptographic algorithm, the user

第12頁 427087 五、發明說明(ίο) 選定模數n = pq ’其中p及q為兩個大質數(Prime)。令e及d 勿別為公錄及私輪’其中ed mod 4(n) = l且0(η) = (ρ-1) (Q-i )。使用者必須將私鑰d分成兩個部分私鑰山及(12,其 中d = dl+d2 mod 0(n) ’並分別計算對應的部分公鑰pki及 pk2 ’ 其中 pk/ adl mod η 且pk2= o:d2 mod η。在這個例子 裡’ α為倍數群(Multiplicative Group)Ζη中最大冪次的 成分。接著,使用者會將公開資訊(e,η,(ph,CAd, (pkz ’ CAD )及部分私錄巾送至憑證機構CA1,並將公開資訊 (e,η,(pk〗,CAd,(Pk2,CA2))及部分私鑰d2送至憑證機 構 CA2。 待接收公開資料(e ’ n ’(pki ’ CA〗),(pk2,C、))及部 分私鑰d!後’憑證機構CAi會判斷是否pki= adl m〇d n以執 行整合性檢查。然後,憑證機構CAi會判斷是否(pkipk2)e mod ri= α。若兩個條件均滿足,表示使用者已正確地將部 分私鑰d〗存放在憑證機構CAi。類似地,憑證機構亦會 細公開資訊(e,η,(ph , CAJ,(pk2,CA2))及部分私鑰d2 執行整合性檢查。如此,rSA類型私鑰的金鑰回復程序便 告完成。 應用本發明的另一個例子將配合第2圖說明如下,立 中’使用者私鑰是屬於以以^“類型的密碼系統。根據, E1 Gama 1類型的密碼系統演算法,使用者選定模數n,其中 η為大質數。令6及d分別為公鑰及私鑰,其中e=^dn ,α 為有限場GF(n)的元素(primitive Element)。 苢先,使用者要將其私鑰d分割成兩個部分私鑰以及 4-270 87 、發明說明(11) d2,並分別計算對應的部分公鑰及,其中 d = di + d2 mod 0 f (η) > φ (n)=n-l 、 且叫=adl mod η pk2= ad2 mod n 接著’使用者便會將公開資訊(e,n,(pk , CA ), ’(:〜))及部分私鑰山送至憑證機構,並將公開私鑰 (=’n,(pkl,CAi),(pk2,Ca2))及部分私鑰t送至憑證機 稱 CA2 。 待接收到公開資訊(e,n,(pki,CAi) ’(pk2,CA2))及 j为私鑰t後,憑證機構CAi會判斷是否pki=adl m〇d n以執^ 行整合性檢查。然後,憑證機構CAi會判斷是否(γ mod n=e。若兩個條件均滿足,表示使用者已正確^ ^部 分私鑰d〗存放在憑證機構CA!。類似地,憑證機構亦會 對公開資訊(e,η ’(pkl,CAJ,(pk2,CA2))及七執^整3合 性檢查。如此,ElGamal類型私餘的金錄回復程序便告完 成。值得一提的是,這種金鑰回復程序亦可應用在以離散 對數為基礎的E C C密碼系統中。 接著’說明各憑證機構CAi是如何發布各公鍮的部分 憑證。根據多重簽章方法’假設憑證機構CAi及〇八2分別具 有不同的私鑰X!及乂2,其中,相對應的公鑰%= adi m〇d p l > 及y2= ad2 mod p, p為大質數,a為有限場GF(p)的元素。[ 每個憑證機構CAi由[1,p-l]中隨機選定一數值^,並 計算相對應的整數ri = aki mod p,廣播至其他憑證機構。 待!^及〇得到後,各憑證機構CA;便可計算委託值Page 12 427087 V. Description of the invention (ίο) Select the modulus n = pq ′ where p and q are two large prime numbers (Prime). Let e and d not be public records and private rounds, where ed mod 4 (n) = l and 0 (η) = (ρ-1) (Q-i). The user must divide the private key d into two partial private keys and (12, where d = dl + d2 mod 0 (n) 'and calculate the corresponding partial public keys pki and pk2' where pk / adl mod η and pk2 = o: d2 mod η. In this example, 'α is the component of the largest power in the multiplicative group Zη. 
Then, the user will disclose the information (e, η, (ph, CAd, (pkz' CAD ) And part of the private record to the certificate authority CA1, and the public information (e, η, (pk〗, CAd, (Pk2, CA2)) and part of the private key d2 to the certificate authority CA2. To receive public information (e 'n' (pki 'CA〗), (pk2, C,)) and some private keys d! After the' certificate authority CAi will determine whether pki = adl mdn to perform an integration check. Then, the certificate authority CAi will judge Whether (pkipk2) e mod ri = α. If both conditions are met, it means that the user has correctly stored part of the private key d in the certificate authority CAi. Similarly, the certificate authority will also disclose the information (e, η, (Ph, CAJ, (pk2, CA2)) and part of the private key d2 to perform integration checks. In this way, the rSA type private key's gold The reply procedure is completed. Another example of applying the present invention will be described with reference to FIG. 2 below. The user's private key belongs to a cryptosystem of type "^". According to E1 Gama 1 cryptosystem algorithm The user selects the modulus n, where η is a large prime number. Let 6 and d be the public key and the private key, respectively, where e = ^ dn and α is the element of the finite field GF (n). First, The user should divide his private key d into two partial private keys and 4-270 87 and invention description (11) d2, and calculate the corresponding partial public keys and, respectively, where d = di + d2 mod 0 f (η) > φ (n) = nl, and it is called = adl mod η pk2 = ad2 mod n, then the user will public information (e, n, (pk, CA), '(: ~)) and some private keys Send to the certificate authority, and send the public private key (= 'n, (pkl, CAi), (pk2, Ca2)) and part of the private key t to the certificate machine called CA2. 
To receive the public information (e, n, After (pki, CAi) '(pk2, CA2)) and j are the private key t, the certificate authority CAi will determine whether pki = adl m〇dn to perform the integration check. Then, the certificate machine The structure CAi will determine whether (γ mod n = e. If both conditions are met, it means that the user has correctly stored some private key d in the certificate authority CA !. Similarly, the certificate authority will also check the public information (e, η '(pkl, CAJ, (pk2, CA2)) and the integrity of the seven licenses. In this way, the ElGamal type private gold record recovery process is completed It is worth mentioning that this key recovery procedure can also be applied to ECC cryptosystems based on discrete logarithms. Then 'explain how each certificate authority CAi issues some public certificates. According to the multi-signature method 'Assume that the certificate authorities CAi and 〇82 have different private keys X! And 乂 2, respectively, where the corresponding public key% = adi m〇dpl > and y2 = ad2 mod p, where p is a large prime number and a is Elements of the finite field GF (p). [Each certificate authority CAi randomly selects a value ^ from [1, pl], and calculates the corresponding integer ri = aki mod p, and broadcasts it to other certificate authorities. To be confirmed! ^ And 〇After obtaining, each certificate authority CA can calculate the entrusted value

427087 V. Description of the invention (12)

(Commitment Value) r = r1 r2 mod p. Since this value is independent of the message to be signed, it can be computed offline in advance.

After each certificate authority CAi has successfully performed the integrity check on the user's public key m = (e, n, (pk1, CA1), (pk2, CA2)), it can use its secret key xi and the randomly selected value ki to sign the message m', where m' = h(m) and h is a one-way hash function. Each certificate authority CAi then solves the equation si = xi m' - ki r mod (p-1) and returns the partial signature (ri, si) to the user.

After receiving the partial signature (ri, si) returned by each certificate authority CAi, the user checks whether yi^m' = ri^r a^si mod p to verify that partial signature. If both partial signatures pass verification, the final public key certificate (r, s) can be produced, where s = s1 + s2 mod (p-1). Since the length of the public key certificate is the same as that of a partial signature, every user can use this public key certificate for full-domain communication.

When the private key owner or a trusted third party needs to recover a lost or unavailable private key, all key recovery agencies can be identified from the public key certificate; the partial private keys are then obtained from each certificate authority, and the obtained partial private keys are combined into the original user private key. Moreover, any verifier can identify the names of the agencies that signed this public key certificate from the user's public information (e, n, (pk1, CA1), (pk2, CA2)). Verification of the public key certificate checks whether y^m' = r^r a^s mod p.

According to the invention, the actions that the user and each certificate authority must perform to recover an RSA-type private key and to generate the public key certificate are described below with reference to the flow of Fig. 1.

First, in step 10, the user selects the modulus n = pq, where p and q are two large primes. Let e and d be the public key and the private key respectively, where ed mod φ(n) = 1.

Then, in step 11, the user divides the private key d into two partial private keys d1 and d2 and computes the corresponding partial public keys pk1 and pk2, where d = d1 + d2 mod φ(n), pk1 = a^d1 mod n and pk2 = a^d2 mod n.

Then, in step 12, the user sends the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d1 to the certificate authority CA1, and the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d2 to the certificate authority CA2.

Then, in step 13, the certificate authority CA1 checks whether pk1 = a^d1 mod n to perform the integrity check, and checks whether (pk1 pk2)^e mod n = a. If both conditions hold, the user has correctly deposited the partial private key d1 with CA1. Similarly, the certificate authority CA2 performs the integrity check on the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d2.

Next, in step 14, each certificate authority CAi randomly selects a value ki from [1, p-1], computes the corresponding integer ri = a^ki mod p, and broadcasts it to the other certificate authorities. Once r1 and r2 have been obtained, each certificate authority computes the commitment value r = r1 r2 mod p.

Next, in step 15, after each certificate authority CAi has successfully performed the integrity check on the user's public key m = (e, n, (pk1, CA1), (pk2, CA2)), it uses its secret key xi and the randomly selected value ki to sign the message m', where m' = h(m) and h is a one-way hash function. Each certificate authority CAi solves the equation si = xi m' - ki r mod (p-1) and returns the partial signature (ri, si) to the user.

Finally, in step 16, the user checks whether yi^m' = ri^r a^si mod p to verify each partial signature. If both partial signatures pass verification, the final public key certificate (r, s) can be produced, where s = s1 + s2 mod (p-1).

In addition, according to the invention, the actions that the user and each certificate authority must perform to recover an ElGamal-type private key and to generate the public key certificate are described below with reference to the flow of Fig. 2.

First, in step 20, the user selects the modulus n, where n is a large prime. Let e and d be the public key and the private key respectively, where e = a^d mod n and a is an element of the finite field GF(n).

Next, in step 21, the user divides the private key d into two partial private keys d1 and d2 and computes the corresponding partial public keys pk1 and pk2, where d = d1 + d2 mod (n-1), pk1 = a^d1 mod n and pk2 = a^d2 mod n.

Next, in step 22, the user sends the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d1 to the certificate authority CA1, and the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d2 to the certificate authority CA2.

Next, in step 23, the certificate authority CA1 checks whether pk1 = a^d1 mod n to perform the integrity check, and checks whether pk1 pk2 mod n = e. If both conditions hold, the user has correctly deposited the partial private key d1 with CA1. Similarly, the certificate authority CA2 performs the integrity check on the public information (e, n, (pk1, CA1), (pk2, CA2)) and the partial private key d2.

The steps of Fig. 2 from step 24 onward are the same as steps 14 to 16 of Fig. 1 and are not repeated here.

According to the invention, the actions that the private key owner or a trusted third party must perform to recover a lost or unavailable private key are described below with reference to the flow of Fig. 3.

First, in step 30, the private key owner or a trusted third party identifies all key recovery agencies from the public key certificate.

Then, in step 32, the private key owner or a trusted third party obtains the partial private keys from each certificate authority and combines all the obtained partial private keys into the original user private key d = d1 + d2 mod (p-1).

According to the invention, the actions that a verifier must perform to verify the public key certificate are described below with reference to the flow of Fig. 4.

First, in step 40, the verifier identifies the names of all certificate authorities from the user's public information (e, n, (pk1, CA1), (pk2, CA2)).

Then, in step 42, the verifier checks whether y^m' = r^r a^s mod p to confirm the correctness of this public key certificate, where y = y1 y2 mod p.

In summary, the full-domain key recovery system of the invention combines the functions of public key certificates and key recovery agencies to recover the private key of a user of a public key cryptosystem; the user's private key in the public key cryptosystem can be used to generate digital signatures or to decrypt the random session key in a digital envelope.

In addition, the public key cryptosystem of the invention has the advantages of being easy to implement (Easy to Implement), scalable (Scalable), free of a single point of vulnerability (No Single Point of Vulnerability) and interoperable (Interoperable), and it can be deployed in large full-domain communication systems.

Although the invention has been disclosed above by way of preferred embodiments, these are not intended to limit the invention. Anyone skilled in the art may make changes and modifications without departing from the spirit and scope of the invention; the scope of protection of the invention is therefore defined by the appended claims.
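The flows of Figs. 1, 3 and 4 carried through end to end, as an added example that is not part of the patent: the user splits d and deposits d1 and d2, each CA runs the step-13 integrity check, the two CAs produce the multisignature of steps 14 to 16, the shares are recombined as in steps 30 and 32, and the verifier runs the step-42 check. The toy primes, the base a = 2, the names CA1/CA2 inside the hashed public information and the use of SHA-256 for h() are assumptions; the corrupt_share switch shows a deposit that fails the integrity check.

```python
# Added example (not the patent's own code): toy run of the full-domain key recovery
# flow, Fig. 1 steps 10-16, Fig. 3 steps 30-32 and Fig. 4 steps 40-42, for an RSA
# private key deposited in halves with two CAs. Toy parameters; h() is SHA-256 mod (p-1).
import hashlib, secrets

P_RSA, Q_RSA = 61, 53             # constructed toy RSA primes (step 10)
N, PHI = P_RSA * Q_RSA, (P_RSA - 1) * (Q_RSA - 1)   # n = pq and phi(n)
E = 17                            # public key e
D = pow(E, -1, PHI)               # private key d, with e*d mod phi(n) = 1
A = 2                             # base a for the partial public keys
P_SIG, G = 1019, 2                # prime p of the CA multisignature; 2 generates GF(p)*

def h(msg):
    """One-way hash h(m), reduced mod (p-1) so it is usable as an exponent."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P_SIG - 1)

def split_private_key(d, modulus):
    """Step 11: d = d1 + d2 mod modulus; partial public keys pk_i = a^d_i mod n."""
    d1 = secrets.randbelow(modulus)
    d2 = (d - d1) % modulus
    return [(d1, pow(A, d1, N)), (d2, pow(A, d2, N))]

def ca_integrity_check(e, pks, my_pk, my_d):
    """Step 13: CA_i checks pk_i = a^d_i mod n and (pk1 * pk2)^e mod n = a."""
    return pow(A, my_d, N) == my_pk and pow(pks[0] * pks[1], e, N) == A

def ca_partial_sign(x, k, r, m_hash):
    """Step 15: s_i = x_i * m' - k_i * r mod (p-1)."""
    return (x * m_hash - k * r) % (P_SIG - 1)

def verify_partial(y, r_i, r, s_i, m_hash):
    """Step 16: y_i^m' = r_i^r * a^s_i mod p."""
    return pow(y, m_hash, P_SIG) == pow(r_i, r, P_SIG) * pow(G, s_i, P_SIG) % P_SIG

def verify_certificate(ys, r, s, m_hash):
    """Step 42: y^m' = r^r * a^s mod p, with group public key y = y1 * y2 mod p."""
    y = ys[0] * ys[1] % P_SIG
    return pow(y, m_hash, P_SIG) == pow(r, r, P_SIG) * pow(G, s, P_SIG) % P_SIG

def run_protocol(corrupt_share=False):
    """Returns (certificate verifies, recovered key == d), or None if a CA rejects."""
    shares = split_private_key(D, PHI)                  # user, step 11
    pks = [pk for _, pk in shares]                      # public information (step 12)
    if corrupt_share:                                   # user deposits a wrong d2 at CA2
        shares[1] = ((shares[1][0] + 1) % PHI, shares[1][1])
    if not all(ca_integrity_check(E, pks, pk, d) for d, pk in shares):
        return None                                     # step 13: deposit rejected
    xs = [secrets.randbelow(P_SIG - 2) + 1 for _ in range(2)]   # CA secret keys x_i
    ys = [pow(G, x, P_SIG) for x in xs]                 # CA public keys y_i = a^x_i
    ks = [secrets.randbelow(P_SIG - 2) + 1 for _ in range(2)]   # step 14: k_i in [1, p-1]
    rs = [pow(G, k, P_SIG) for k in ks]                 # broadcast r_i = a^k_i mod p
    r = rs[0] * rs[1] % P_SIG                           # commitment value r
    m_hash = h(f"{E},{N},({pks[0]},CA1),({pks[1]},CA2)".encode())  # m' = h(m)
    ss = [ca_partial_sign(xs[i], ks[i], r, m_hash) for i in range(2)]
    if not all(verify_partial(ys[i], rs[i], r, ss[i], m_hash) for i in range(2)):
        return None                                     # step 16: partial signature rejected
    s = (ss[0] + ss[1]) % (P_SIG - 1)                   # certificate (r, s)
    recovered = (shares[0][0] + shares[1][0]) % PHI     # steps 30-32: d = d1 + d2
    return verify_certificate(ys, r, s, m_hash), recovered == D
```

Note that each CA only ever sees its own share, yet the (pk1 pk2)^e = a check lets it confirm that the two shares together reconstruct the user's real d.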

Claims (1)

VI. Claims

1. A method of generating a public key certificate in a digital communication environment having a plurality of clients/servers, in which a public key certificate is attached to a digital message to be transmitted so as to verify the identity of the signer, comprising:
(a) each user selects a modulus, a private key and at least one certificate authority, and computes the public key corresponding to the private key;
(b) each user divides the private key into a plurality of partial private keys and computes the partial public keys corresponding to the partial private keys;
(c) each user distributes public information, including the public key, the partial public keys and the certificate authorities, together with one of the partial private keys, to each certificate authority;
(d) each certificate authority performs an integrity check on the received data;
(e) each certificate authority computes a partial signature and broadcasts the partial signature to the other certificate authorities;
(f) each certificate authority signs the public information and returns the signed partial signature to the user; and
(g) each user verifies the received partial signatures and combines all the partial signatures into the public key certificate.

2. The method of generating a public key certificate as claimed in claim 1, wherein the private key is an RSA-type private key.

3. The method of generating a public key certificate as claimed in claim 1, wherein the private key is an ElGamal-type private key.

4. The method of generating a public key certificate as claimed in claim 1, wherein the method of recovering the private key comprises:
(a) the private key owner or a trusted third party identifies all certificate authorities from the public key certificate; and
(b) the private key owner or a trusted third party obtains the partial private keys from all certificate authorities and combines all the obtained partial private keys into the original private key.

5. The method of generating a public key certificate as claimed in claim 4, wherein the private key is an RSA-type private key.

6. The method of generating a public key certificate as claimed in claim 4, wherein the private key is an ElGamal-type private key.

7. The method of generating a public key certificate as claimed in claim 1, wherein the method of verifying the public key certificate comprises:
(a) the verifier identifies all certificate authorities from the public key certificate; and
(b) the verifier uses the public keys of all certificate authorities as a group public key to verify the user's public key certificate.

8. The method of generating a public key certificate as claimed in claim 7, wherein the public key certificate is formed by combining all the verified partial signatures.
TW88107849A 1999-05-14 1999-05-14 Full domain key recovering system TW427087B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW88107849A TW427087B (en) 1999-05-14 1999-05-14 Full domain key recovering system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW88107849A TW427087B (en) 1999-05-14 1999-05-14 Full domain key recovering system

Publications (1)

Publication Number Publication Date
TW427087B true TW427087B (en) 2001-03-21

Family

ID=21640681

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88107849A TW427087B (en) 1999-05-14 1999-05-14 Full domain key recovering system

Country Status (1)

Country Link
TW (1) TW427087B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8155310B2 (en) 2004-08-12 2012-04-10 Cmla, Llc Key derivation functions to enhance security
US8737608B2 (en) 2004-08-12 2014-05-27 Cmla, Llc Exponential data transform to enhance security
CN110011808A (en) * 2019-03-29 2019-07-12 天逸财金科技服务股份有限公司 Method and system and servomechanism with guard digit stamped signature mechanism
CN110011808B (en) * 2019-03-29 2021-10-15 天逸财金科技服务股份有限公司 Method and system with mechanism for protecting digital signature and server

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees