Secret-key certificates
First Claim
1. Apparatus for implementing a cryptographic system in which a first party certifies a key pair of a second party, the apparatus comprising:
- first key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the first party;
second key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the second party;
certificate verification means that, on being given as input the public key of the first party and a pair consisting of a public key and a presumed certificate on the public key, responds affirmatively or negatively, depending on whether the presumed certificate on the public key is a secret-key certificate on the public key or not;
certificate issuing means that, on being given as input the secret key of the first party and a pair consisting of the secret key and the public key of the second party, outputs a digital signature on the secret key of the second party, such that the digital signature is a secret-key certificate on the public key of the second party; and
certificate simulating means that, on being given as input the public key of the first party, outputs a pair consisting of a public key and a secret-key certificate on this public key,where the probability distribution of the output of the certificate simulating means is substantially indistinguishable from the probability distribution that applies when the public key is generated by the second key generation means and the secret-key certificate is generated by the certificate issuing means.
12 Assignments
0 Petitions
Accused Products
Abstract
Cryptographic methods and apparatus are disclosed that enable forming and issuing of secret-key certificates. Contrary to the well-known cryptographic technique of public-key certificates, where a public-key certificate is a digital signature of a certification authority on a public key, pairs consisting of a public key and a corresponding secret-key certificate can be generated by anyone. As a result, a public-key directory based on secret-key certificates cannot help anyone in attacking the signature scheme of the certification authority, and it does not reveal which of the listed public keys have been certified by the certification authority and which have not.
Yet, if a party associated with a public key can perform cryptographic actions with the secret key corresponding to its public key, such as decrypting, digital signing, issuing a secret-key certificate, and identification, then the certificate must have been computed by the certification authority.
-
Citations
21 Claims
-
1. Apparatus for implementing a cryptographic system in which a first party certifies a key pair of a second party, the apparatus comprising:
-
first key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the first party; second key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the second party; certificate verification means that, on being given as input the public key of the first party and a pair consisting of a public key and a presumed certificate on the public key, responds affirmatively or negatively, depending on whether the presumed certificate on the public key is a secret-key certificate on the public key or not; certificate issuing means that, on being given as input the secret key of the first party and a pair consisting of the secret key and the public key of the second party, outputs a digital signature on the secret key of the second party, such that the digital signature is a secret-key certificate on the public key of the second party; and certificate simulating means that, on being given as input the public key of the first party, outputs a pair consisting of a public key and a secret-key certificate on this public key, where the probability distribution of the output of the certificate simulating means is substantially indistinguishable from the probability distribution that applies when the public key is generated by the second key generation means and the secret-key certificate is generated by the certificate issuing means.
-
-
2. A cryptographic method for forming and verifying a secret-key certificate of an issuer party on a public key of a receiver party, where the certificate is called a secret key because it is a digital signature of said issuer party on a secret key corresponding to said public key but not on said public key itself, and said receiver party is able to demonstrate to a verifier party that said secret-key certificate was formed by said issuer party without necessarily revealing said secret key, the method comprising the steps of:
-
forming said secret-key certificate on said public key by said issuer party computing a digital signature on said secret key using a private key, said digital signature not being a digital signature of said issue party on said public key; transforming by said receiver party to said verifier party, said public key, said secret-key certificate and data evidencing possession of said secret key by said receiver party, wherein said data does not reveal said secret key; and verifying said secret-key certificate by said verifier party, by verifying said data, and verifying whether said secret-key certificate satisfies a pre-defined certificate verification relation involving a public key of said issuer party corresponding to said private key. - View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A cryptographic apparatus for forming and verifying a secret-key certificate of an issuer party on a public key of a receiver party, where the certificate is called a secret-key certificate because it is a digital signature of said issuer party on a secret key corresponding to said public key but not on said public key itself, and said receiver party is able to demonstrate to a verifier party that said secret-key certificate was formed by said issuer party without necessarily revealing said secret key, the apparatus comprising;
-
certificate forming means for forming said secret-key certificate on said public key by said issuer party computing said digital signature on said secret key using a private key, said digital signature not being a digital signature of said issuer party on said public key; certificate storing means, for storing by said receiver party, said secret key, said public key and said secret-key certificate; data computing means for computing by said receiver party, data evidencing possession of said secret key by said receiver party, wherein said data does not reveal said secret key; certificate transferring means for transferring to said verifier party, said public key, said secret-key certificate and said data; and certificate verification means for verifying said secret-key certificate by said verifier party, wherein said means verifies whether said secret-key certificate satisfies a pre-defined certificate verification relation involving a public key of said issuer party corresponding to said private key, and by verifying said data. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
-
Specification