Key generation using multiple sets of secret shares
First Claim
1. A cryptographic method, comprising:
- providing, by a processor, a meta-secret used both to generate a first plurality of cryptographic keys and a second plurality of different sets of secret-shares, each of the cryptographic keys being associated with a respective key identifier, the meta-secret being a secret data structure including an ordered sequence of data values;
- generating, by the processor, each one of the cryptographic keys as a function of the meta-secret and the respective key identifier of the one cryptographic key;
- creating, using the meta-secret, by the processor, the second plurality of different sets of secret-shares, which are capable:
  - by combining all the secret-shares in any one of the sets together with the respective key identifier without knowledge of the meta-secret, of generating the associated cryptographic key;
  - by combining all the secret-shares in any one of the sets together with a first key identifier without knowledge of the meta-secret, of generating a first cryptographic key; and
  - by combining all the secret-shares in any one of the sets together with a second key identifier without knowledge of the meta-secret, of generating a second cryptographic key;
  - wherein combining all the secret-shares in any one of the sets together with a different key identifier without knowledge of the meta-secret generates a different cryptographic key;
- performing, by the processor, cryptographic operations using the cryptographic keys, wherein performing the cryptographic operations comprises encrypting an item of data using the first cryptographic key; and
- distributing the sets of secret-shares over a network to different respective subscribers, using a network interface, wherein the different respective subscribers are operative to:
  - combine the received secret-shares together with the respective key identifier without knowledge of the meta-secret to generate the first cryptographic key; and
  - decrypt the item of data using the first cryptographic key, wherein the secret-shares in one of the sets are decrypted following a process of authentication so that the secret-shares can be used to generate the first cryptographic key so as to decrypt the item of data only after the authentication.
Abstract
A cryptographic method, including generating, using a meta-secret, a first plurality of cryptographic keys, each cryptographic key associated with a respective key identifier, creating, using the meta-secret, a second plurality of sets of secret-shares, which are capable, by combining all the secret-shares in any one of the sets together with the respective key identifier, of generating the associated cryptographic key, and performing cryptographic operations using the cryptographic keys. Related methods and apparatus are also included.
18 Claims
1. A cryptographic method, comprising: (recited in full under First Claim)
- Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. Cryptographic apparatus, comprising:
- a memory, which is configured to hold a meta-secret used both to generate a first plurality of cryptographic keys and a second plurality of different sets of secret-shares, each of the cryptographic keys being associated with a respective key identifier, the meta-secret being a secret data structure including an ordered sequence of data values; and
- a processor, which is configured:
  - to generate each one of the cryptographic keys as a function of the meta-secret and the respective key identifier of the one cryptographic key;
  - to create, using the meta-secret, the second plurality of different sets of secret-shares, which are capable:
    - by combining all the secret-shares in any one of the sets together with the respective key identifier without knowledge of the meta-secret, of generating the associated cryptographic key;
    - by combining all the secret-shares in any one of the sets together with a first key identifier without knowledge of the meta-secret, of generating a first cryptographic key; and
    - by combining all the secret-shares in any one of the sets together with a second key identifier without knowledge of the meta-secret, of generating a second cryptographic key;
    - wherein combining all the secret-shares in any one of the sets together with a different key identifier without knowledge of the meta-secret generates a different cryptographic key;
  - to perform cryptographic operations using the cryptographic keys; and
  - to distribute the sets of secret-shares over a network to different respective subscribers, using a network interface, wherein performing the cryptographic operations comprises encrypting an item of data using the first cryptographic key and wherein the different respective subscribers are operative to:
    - combine the received secret-shares together with the respective key identifier without knowledge of the meta-secret to generate, the first cryptographic key; and
    - decrypt the item of data using the first cryptographic key, wherein the secret-shares in one of the sets are decrypted following a process of authentication so that the secret-shares can be used to generate the first cryptographic key so as to decrypt the item of data only after the authentication.
18. A computer software product, comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to:
- provide a meta-secret used both to generate a first plurality of cryptographic keys and a second plurality of different sets of secret-shares, each of the cryptographic keys being associated with a respective key identifier, the meta-secret being a secret data structure including an ordered sequence of data values;
- generate each one of the cryptographic keys as a function of the meta-secret and the respective key identifier of the one cryptographic key;
- create, using the meta-secret, the second plurality of different sets of secret-shares, which are capable:
  - by combining all the secret-shares in any one of the sets together with the respective key identifier without knowledge of the meta-secret, of generating the associated cryptographic key;
  - by combining all the secret-shares in any one of the sets together with a first key identifier without knowledge of the meta-secret, of generating a first cryptographic key; and
  - by combining all the secret-shares in any one of the sets together with a second key identifier without knowledge of the meta-secret, of generating a second cryptographic key;
  - wherein combining all the secret-shares in any one of the sets together with a different key identifier without knowledge of the meta-secret generates a different cryptographic key;
- perform cryptographic operations using the cryptographic keys, wherein performing the cryptographic operations comprises encrypting an item of data using the first cryptographic key; and
- distribute the sets of secret-shares over a network to different respective subscribers, using a network interface, wherein the different respective subscribers are operative to:
  - combine the received secret-shares together with the respective key identifier without knowledge of the meta-secret to generate the first cryptographic key; and
  - decrypt the item of data using the first cryptographic key, wherein the secret-shares in one of the sets are decrypted following a process of authentication so that the secret-shares can be used to generate the first cryptographic key so as to decrypt the item of data only after the authentication.
Specification