Secret-key certificates

US 5,606,617 A
Filed: 10/14/1994
Issued: 02/25/1997
Est. Priority Date: 10/14/1994
Status: Expired due to Term

First Claim

Patent Images

1. Apparatus for implementing a cryptographic system in which a first party certifies a key pair of a second party, the apparatus comprising:

first key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the first party;

second key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the second party;

certificate verification means that, on being given as input the public key of the first party and a pair consisting of a public key and a presumed certificate on the public key, responds affirmatively or negatively, depending on whether the presumed certificate on the public key is a secret-key certificate on the public key or not;

certificate issuing means that, on being given as input the secret key of the first party and a pair consisting of the secret key and the public key of the second party, outputs a digital signature on the secret key of the second party, such that the digital signature is a secret-key certificate on the public key of the second party; and

certificate simulating means that, on being given as input the public key of the first party, outputs a pair consisting of a public key and a secret-key certificate on this public key,where the probability distribution of the output of the certificate simulating means is substantially indistinguishable from the probability distribution that applies when the public key is generated by the second key generation means and the secret-key certificate is generated by the certificate issuing means.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cryptographic methods and apparatus are disclosed that enable forming and issuing of secret-key certificates. Contrary to the well-known cryptographic technique of public-key certificates, where a public-key certificate is a digital signature of a certification authority on a public key, pairs consisting of a public key and a corresponding secret-key certificate can be generated by anyone. As a result, a public-key directory based on secret-key certificates cannot help anyone in attacking the signature scheme of the certification authority, and it does not reveal which of the listed public keys have been certified by the certification authority and which have not.

Yet, if a party associated with a public key can perform cryptographic actions with the secret key corresponding to its public key, such as decrypting, digital signing, issuing a secret-key certificate, and identification, then the certificate must have been computed by the certification authority.

Citations

21 Claims

1. Apparatus for implementing a cryptographic system in which a first party certifies a key pair of a second party, the apparatus comprising:
- first key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the first party;
  
  second key generation means that, on being given as input at least a security parameter, outputs a pair consisting of a secret key and a matching public key, to be used by the second party;
  
  certificate verification means that, on being given as input the public key of the first party and a pair consisting of a public key and a presumed certificate on the public key, responds affirmatively or negatively, depending on whether the presumed certificate on the public key is a secret-key certificate on the public key or not;
  
  certificate issuing means that, on being given as input the secret key of the first party and a pair consisting of the secret key and the public key of the second party, outputs a digital signature on the secret key of the second party, such that the digital signature is a secret-key certificate on the public key of the second party; and
  
  certificate simulating means that, on being given as input the public key of the first party, outputs a pair consisting of a public key and a secret-key certificate on this public key,where the probability distribution of the output of the certificate simulating means is substantially indistinguishable from the probability distribution that applies when the public key is generated by the second key generation means and the secret-key certificate is generated by the certificate issuing means.

2. A cryptographic method for forming and verifying a secret-key certificate of an issuer party on a public key of a receiver party, where the certificate is called a secret key because it is a digital signature of said issuer party on a secret key corresponding to said public key but not on said public key itself, and said receiver party is able to demonstrate to a verifier party that said secret-key certificate was formed by said issuer party without necessarily revealing said secret key, the method comprising the steps of:
- forming said secret-key certificate on said public key by said issuer party computing a digital signature on said secret key using a private key, said digital signature not being a digital signature of said issue party on said public key;
  
  transforming by said receiver party to said verifier party, said public key, said secret-key certificate and data evidencing possession of said secret key by said receiver party, wherein said data does not reveal said secret key; and
  
  verifying said secret-key certificate by said verifier party, by verifying said data, and verifying whether said secret-key certificate satisfies a pre-defined certificate verification relation involving a public key of said issuer party corresponding to said private key.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 3. The method of claim 2, wherein said data is a digital signature, with respect to said public key of said receiver party, on a message known to said verifier party.
  - 4. The method of claim 2, wherein said issuer party is the same as said receiver party, and said secret key is substantially random and one-time.
  - 5. The method of claim 2, wherein said data is a zero-knowledge proof of knowledge of said secret key by said receiver party.
  - 6. The method of claim 2, wherein said data evidences that said receiver party successfully decrypted an encrypted message, computed by said verifier party applying said public key of said receiver party to the message.
  - 7. The method of claim 2, wherein said data is a secret-key certificate of said receiver party, with respect to said public key of said receiver party, on a public key of said verifier party.
  - 8. The method of claim 2, wherein during the step of forming said secret-key certificate, said receiver party hides said secret key from said issuer party.
  - 9. The method of claim 2, wherein during the step of forming said secret-key certificate, said receiver party blinds said secret key, said public key of said receiver party, and said secret-key certificate.
  - 10. The method of claim 2, wherein during the step of forming said secret-key certificate, said receiver party blinds said public key of said receiver party and said secret key certificate, while said issuer party prevents a part of said secret key from being blinded by said receiver party.
  - 11. The method of claim 2, wherein said receiver party comprises two sub-parties, one of which acts on behalf of said issuer party, said secret key being shared by said two sub-parties to the effect that neither sub-party knows said secret key.
  - 12. The method of claim 2, wherein said secret-key certificate is a digital signature of the Fiat/Shamir type formed by applying a mathematical combination of said secret key and said private key to at least said public key of said receiver party.
  - 13. The method of claim 2, wherein said pre-defined certificate verification relation also involves a string identifying said receiver party.

14. A cryptographic apparatus for forming and verifying a secret-key certificate of an issuer party on a public key of a receiver party, where the certificate is called a secret-key certificate because it is a digital signature of said issuer party on a secret key corresponding to said public key but not on said public key itself, and said receiver party is able to demonstrate to a verifier party that said secret-key certificate was formed by said issuer party without necessarily revealing said secret key, the apparatus comprising;
- certificate forming means for forming said secret-key certificate on said public key by said issuer party computing said digital signature on said secret key using a private key, said digital signature not being a digital signature of said issuer party on said public key;
  
  certificate storing means, for storing by said receiver party, said secret key, said public key and said secret-key certificate;
  
  data computing means for computing by said receiver party, data evidencing possession of said secret key by said receiver party, wherein said data does not reveal said secret key;
  
  certificate transferring means for transferring to said verifier party, said public key, said secret-key certificate and said data; and
  
  certificate verification means for verifying said secret-key certificate by said verifier party, wherein said means verifies whether said secret-key certificate satisfies a pre-defined certificate verification relation involving a public key of said issuer party corresponding to said private key, and by verifying said data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The apparatus of claim 14, wherein said data is a digital signature, with respect to said public key of said receiver party, on a message known to said verifier party.
  - 16. The apparatus of claim 14, wherein said data is a zero-knowledge proof of knowledge of said secret key by said receiver party.
  - 17. The apparatus of claim 14, wherein said data evidences that said receiver party successfully decrypted an encrypted message, computed by said verifier party applying said public key of said receiver party to the message.
  - 18. The apparatus of claim 14, wherein said certificate forming means further comprises hiding means for said receiver party to hide said secret key from said issuer party.
  - 19. The apparatus of claim 14, wherein said certificate forming means further comprises blinding means for said receiver party to blind said public key of said receiver party and said secret-key certificate, and blinding-preventing means for said issuer party to prevent a part of said secret key from being blinded by said receiver party.
  - 20. The apparatus of claim 19, wherein said certificate storing means further comprises tamper-resistant storing means for storing part of said secret key, said tamper-resistant storing means acting on behalf of said issuer party.
  - 21. The apparatus of claim 14, wherein said secret-key certificate is a digital signature of the Fiat/Shamir type formed by applying a arithmetical combination of said secret key and said private key to at least said public key of said receiver party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Brands Stefan, Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Stefanus A. Brands
Inventors
Brands, Stefanus A.
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/321,855
Time in Patent Office

865 Days
Field of Search

380/30
US Class Current

380/30
CPC Class Codes

H04L 2209/04 Masking or blinding

H04L 9/3263 involving certificates, e.g...

Secret-key certificates

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secret-key certificates

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links