Auto-escrowable and auto-certifiable cryptosystems

US 6,202,150 B1
Filed: 05/28/1997
Issued: 03/13/2001
Est. Priority Date: 05/28/1997
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:

the user'"'"'s system generating a random string of bits based on system parameters;

the user running a key generation algorithm to get a secret key and public key using the random string and public parameters;

the user constructing a proof being a string of bits whose public availability does not compromise the secret key and wherein said constructing of said proof requires access to said secret key, but at the same time said proof provides confidence to at least one of a plurality of other entities that said public key was generated properly by the specified algorithm, and wherein said confidence is gained without having access to any portion of said secret key.

View all claims

4 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A method is provided for an escrow cryptosystem that is overhead-free, does not require a cryptographic tamper-proof hardware implementation (i.e., can be done in software), is publicly verifiable, and cannot be used subliminally to enable a shadow public key system. A shadow public key system is an unescrowed public key system that is publicly displayed in a covert fashion. The key generated by the method are auto-recoverable and auto-certifiable (abbrev. ARC). The ARC Cryptosystem is based on a key generation mechanism that outputs a public/private key pair, and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently to be escrowed properly by anyone. The verification procedure does not use the private key. Hence, the general public has an efficient way of making sure that any given individual'"'"'s private key is escrowed properly, and the trusted authorities will be able to access the private key if needed. Since the verification can be performed by anyone, there is no need for a special trusted entity, known in the art as a “trusted third party”. The cryptosystem is overhead free since there is no additional protocol interaction between the user who generates his or her own key, and the certification authority or the escrow authorities, in comparison to what is required to submit the public key itself in regular certified public key systems. Furthermore, the system is designed so that its internals can be made publicly scrutinizable (e.g., it can be distributed in source code form). This differs from many schemes which require that the escrowing device be tamper-proof hardware.

82 Citations

View as Search Results

59 Claims

1. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:
- the user'"'"'s system generating a random string of bits based on system parameters;
  
  the user running a key generation algorithm to get a secret key and public key using the random string and public parameters;
  
  the user constructing a proof being a string of bits whose public availability does not compromise the secret key and wherein said constructing of said proof requires access to said secret key, but at the same time said proof provides confidence to at least one of a plurality of other entities that said public key was generated properly by the specified algorithm, and wherein said confidence is gained without having access to any portion of said secret key.

2. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:
- the user'"'"'s system generating a random string of bits based on system parameters;
  
  the user running a key generation algorithm based on system parameters to get a pair comprised of a secret key and a public key using the random string and public parameters;
  
  the user engaging in a protocol with at least one of a plurality of other entities whereby the said other entity repeatedly sends a challenge string and said user sends a response based on the challenge and the public key which requires access to the secret key, such that the public availability of said challenges and responses does not compromise the secret key, but at the same time provides confidence to said other entity that said public key was generated properly by the specified algorithm, and wherein said other entity has no access to any portion of said secret key.

3. A method and apparatus for publishing public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:
- the user'"'"'s system reading the system parameters;
  
  the user'"'"'s system running a key generation algorithm to get a private key and public key;
  
  the user'"'"'s system constructing a proof that the private key was generated properly using the system parameters, and where said constructing of said proof requires access to said private key and verification of said proof can be performed by any other entity with no access to any portion of said private key.
- View Dependent Claims (5, 6, 7)
- - 5. A method and apparatus for registering users into a Public Key Infrastructure (PKI) such that a user and his public key is registered only upon verifying that the key was generated according to a specific algorithm comprising the steps of:
6. A method and apparatus as in claim 5 with an additional step wherein the registration authority, after verifying the validity of said proof and concluding that said proof holds, publishes together with said user ID, said public key in at least one of a public key database, a record given to said user including a signature on said user'"'"'s said public key using said registration authority'"'"'s private key, a public-key database kept by the registration authority, an X.509 certificate, and if verifying the validity of said proof does not lead to the conclusion that said proof holds, said registration authority does not publish said public key.
7. A method and apparatus as in claim 5 with the additional step wherein said registration authority modifies said user'"'"'s public key to create a modified public key to be published.

4. A method and apparatus for publishing public keys and a proof that the corresponding private keys are recoverable by a predetermined entity comprising the steps of:
- the user generating the keys based on input which is the system parameters;
  
  the user sending a string along with the public key, the string being a proof that the corresponding private key is recoverable by said predetermined entity using public information, wherein the construction of said proof requires access to said private key and verification of said proof can be performed with no access to any portion of said private key.
- View Dependent Claims (8)
- - 8. A method and apparatus for registering users into a Public Key Infrastructure such that a user and his public key is registered only upon verifying that the corresponding private key is recoverable by a predetermined entity comprising the steps of:

9. A method and apparatus for a key recovery agent to recover the user'"'"'s private key or information encrypted under said user'"'"'s corresponding public key based on the certified public key of said user available in the public key directory and public parameters comprising of the following steps:
- the key recovery agent reading the user'"'"'s certified public key from the public key directory;
  
  running a key recovery algorithm based on the following inputs;
  
  said user'"'"'s certified public key, the public system parameters, and the private key of said recovery agent;
  
  running said key recovery algorithm resulting in the private key of said user.
- View Dependent Claims (10, 45)
- - 10. The method as described in claim 9 wherein the said recovery agent runs a key recovery algorithm based on the following inputs:
    - said user'"'"'s certified public key read from the public key directory, the proof corresponding to said public key read from the registration authority, the public system parameters, and the private key of said recovery agent.
  - 45. A method and apparatus for two key recovery agencies A and B to recover keys or information encrypted in an exchange between user 1 and user 2, where user 1'"'"'s key is recoverable by agency A and user 2'"'"'s key is recoverable by agency B and there the key recovery proceeds according to the following steps:

11. A method and apparatus for a set of key recovery agents to recover the user'"'"'s private key or information encrypted under said user'"'"'s corresponding public key based on the public key of said user available in the public key directory and public parameters comprising of the following steps:
- a subset of said set of key recovery agents read the user'"'"'s public key from the public key directory;
  
  each member of said subset run a key recovery algorithm based on the following inputs;
  
  said user'"'"'s certified public key, the public system parameters, and the private key of said member of said subset;
  
  running said key recovery algorithm resulting in a partial result of member of said subset;
  
  all said partial results of said members of said subset are combined to generate said secret key of said user.
- View Dependent Claims (12)
- - 12. The method as described in claim 11 wherein each said recovery agent runs a key recovery algorithm based on the following inputs:
    - said user'"'"'s certified public key read from the public key directory, the proof corresponding to said public key read from the registration authority, the public system parameters, and the private key of said member of said subset.

13. A cryptosystem wherein the private key agreed upon by the users is available to the key recovery agent or agents comprising the steps of:
- a first user, based on its own private key and a second user'"'"'s public key, generates a resulting string;
  
  said second user, based on its own private key and said first user'"'"'s public key, generates said resulting string;
  
  said resulting string is recoverable by the key recovery agents.

14. A cryptosystem where the secret key agreed upon by the users is available to the key recovery agent or agents comprising the steps of:
- a first user, based on a random input, system parameters, and a second user'"'"'s public key, generates a signal and a resulting string;
  
  said signal is transmitted to said second user;
  
  said second user, based on its own private key and said signal, generates said resulting string;
  
  said resulting string is recoverable by the key recovery agents.

15. A method and apparatus for generating and publicizing system parameters for a key escrow system whereby:
- all parties agree upon two domains F1 and F2, where F1 is used by the escrow authority public key and F2 is used for the user public keys;
  
  all parties agree on a value g₁which generates F1 and a value g which generates F2;
  
  escrow authorities generate at least one pair of public/private keys in domain F1.
- View Dependent Claims (49, 50, 51, 57)
- - 49. A method and apparatus for generating public keys and proving that the keys were generated by a specific algorithm comprising the steps of:
50. A method and apparatus as described in claim 49 wherein said user'"'"'s public key is cryptographically blinded to create a modified public key which is then published by the registration authority.
51. A method and apparatus for recovering the private key generated as in claim 49 comprising the steps of:
- each escrow agent i obtaining y and the proof of recoverability of x of the user whose private key is to be recovered;
  
  each escrow agent i computing a value s_ibased on y, z_i, and the proof of recoverability of x;
  
  the escrow agents pooling their values s_i;
  
  the escrow agents computing x based on the values s_i.
57. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 49 comprising the steps of:
- the entity obtaining the public key y and the prof as constructed in claim 52;
  
  the entity verifying all of the non-interactive zero-knowledge proofs as constructed in claim 52;
  
  where if one or more of the validation procedures fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.

16. A method and apparatus for generating and publicizing system parameters for a key escrow system whereby:
- all parties agree upon two domains F1 and F2, where F1 is used by the escrow authority and is the domain of the exponent of domain F2, and domain F2 is used for the user public keys;
  
  all parties agree on a primitive root g₁of domain F1 and a primitive root g of domain F2;
  
  each escrow authority chooses a private key z_i;
  
  the escrow authorities generate a public key Y contained in domain F1 based on g₁and each private key z_i.
- View Dependent Claims (52, 53, 54, 58)
- - 52. A method and apparatus for generating public keys and proving that the keys were generated by a specific algorithm comprising the steps of:
53. A method and apparatus as described in claim 52 wherein said user'"'"'s public key is cryptographically blinded to create a modified public key which is then published by the registration authority.
54. A method and apparatus for recovering the private key generated as in claim 52 comprising the steps of:
- each escrow agent i obtaining y and the proof of recoverability of x of the user whose private key is to be recovered;
  
  each escrow agent i computing a value s_ibased on y, z_i, and the proof of recoverability of x;
  
  the escrow agents pooling their values s_i;
  
  the escrow agents computing x based on the values s_i.
58. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 52 comprising the steps of:
- the entity obtaining the public key y and the proof as constructed in claim 53;
  
  the entity verifying all of the non-interactive zero-knowledge proofs as constructed in claim 53;
  
  where if one or more of the validation procedures fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.

17. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm where initially a mechanism for generating the system'"'"'s public parameters is executed and then the user takes the following steps:
- accessing the system parameters;
  
  choosing a private key x in domain F1 randomly, and outputting x;
  
  calculating a public key y in domain F2, and outputting y;
  
  computing and outputting one or more non-interactive zero-knowledge proofs that establish that x is recoverable given y, public system parameters, and possibly other values as well.
- View Dependent Claims (18, 55, 56)
- - 18. A method and apparatus as described in claim 17 wherein said user'"'"'s public key is cryptographically blinded to create a modified public key which is then published by the registration authority.
  - 55. A method and apparatus for recovering the private key generated as in claim 17 comprising the steps of:
56. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 18 comprising the steps of:
- the entity obtaining the public key y and the proof as constructed in claim 18;
  
  the entity verifying all of the non-interactive zero-knowledge proofs as constructed in claim 18;
  
  where if one or more of the non-interactive proofs fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.

19. An apparatus for generating system parameters for conducting key escrow whereby:
- a method for finding a large prime r such that q=2r+1 is prime and p=4r+3 is prime is used where all parties agree upon said large prime r, all parties agree upon a value g that generates the mathematical group Z_pand an odd value g₁such that g₁generates all values that are less than 2q and are relatively prime to it (namely, g₁generates Z_2q* which is isomorphic to Zq);
  
  and where the escrow authorities generate a public key Y in the following manner;
  
  each escrow authority i chooses z_iin Z_2runiformly at random and computer Y_i=(g₁raised to the power z_i) mod 2q;
  
  the escrow authorities pool their values Y_iand compute the Y to be the product of all the Y_i'"'"'s mod 2q;
  
  if (g₁/Y) mod 2q does not generate Z_2qthen the authorities choose the z_iover again and repeat;
  
  so that the public key of the authorities is (Y,g₁,2q), and each of the z_iare kept private by escrow authority i.

20. An apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:
- choosing a value k in Z_2runiformly at random;
  
  computing C=(g₁to the power k) mod 2q;
  
  solving for the private key x in (Y to the power k)x=C mod 2q;
  
  computing the public key y=(g to the power x) mod p;
  
  computing v=g raised to the ((Y to the power −
  
  k) mod 2q) power mod p;
  
  computing P1, a non-interactive zero-knowledge proof of knowledge of k in C;
  
  computing P2, a non-interactive zero-knowledge proof of knowledge of k in v;
  
  computing P3, a non-interactive zero-knowledge proof of knowledge of k in (v to the power C) mod p;
  
  so that the user'"'"'s public key is (y,g,p) and the user'"'"'s private key is x and where the proof that the public key (y,g,p) was generated by this specific algorithm is the string (C,v,P1,P2,P3).
- View Dependent Claims (21, 24, 59)
- - 21. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 20 comprising the steps of:
24. An apparatus for an entity to verify the recoverability of a private key generated as in claim 20 comprising the steps of:
- the entity obtaining the public key (y,g,p) and the proof which is the string (C,v,P1,P2,P3) which was supposed to have been computed as in claim 20;
  
  the entity verifying each of the non-interactive zero-knowledge proofs P1, P2, and P3 as constructed in claim 20;
  
  where if one or more of the non-interactive proofs P1, P2, and P3 fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities and otherwise it is assumed that x is recoverable by the escrow authorities.
59. A method and apparatus for recovering the private key generated as in claim 20 comprising the steps of:
- each escrow agent i obtaining the value C of the user whose private key is to be recovered;
  
  each escrow agent i computing s_i=(C to the power z_i) mod 2q;
  
  the escrow agents pooling their values s_i;
  
  the escrow agents computing (Y to the power k) to be the product of all of the s_i'"'"'s mod 2q;
  
  the escrow agents computing x=C(Y to the power −
  
  k) mod 2q.

22. An apparatus for generating public keys and proving that the keys were generated by a specific algorithm comprising the steps of:
- choosing a value k in Z_2runiformly at random;
  
  computing C=(g₁to the power k) mod 2q;
  
  solving for the private key x in (Y to the power k)x=C mod 2q;
  
  computing the public key y=(g to the power x) mod p;
  
  computing v=g raised to the ((Y to the power −
  
  k) mod 2q) power mod p;
  
  participating in an interactive zero-knowledge proof protocol demonstrating knowledge of k in C;
  
  participating in an interactive zero-knowledge proof protocol demonstrating knowledge of k in v;
  
  participating in an interactive zero-knowledge proof protocol demonstrating knowledge of k in (v to the power C) mod p;
  
  so that the user'"'"'s public key is (y,g,p) and the user'"'"'s private key is x and where if all three zero-knowledge interactive proofs are verified then the user'"'"'s public key (y,g,p) is published and said user'"'"'s private key x is kept private by the user.
- View Dependent Claims (23)
- - 23. A method and apparatus for recovering the private key generated as in claim 22 comprising the steps of:

25. A method and apparatus, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of other users, wherein the escrow authorities produce shares of an escrowing public key, comprising the steps of:
- having each user create a matching pair of private and public keys;
  
  providing a certification authority with a certificate enabling said certification authority to verify that the certificate includes the user'"'"'s secret key hidden using the escrowing public key;
  
  upon a predetermined request, having the said escrow authorities use their own shares to reconstruct, for the predetermined requester, the secret key of a user suspected of criminal activity or certain information encrypted under public key corresponding to said private key of said user suspected of criminal activity, said certain information can be session keys or messages encrypted under session keys.
- View Dependent Claims (26, 27, 28)
- - 26. The method and apparatus as described in claim 25 wherein the predetermined entity is a government agency and the predetermined request is a court order.
  - 27. The method and apparatus as described in claim 25 wherein the predetermined entity is a government or a group of governments and the trustees are representative of said government or said group of governments and the predetermined request is a court order recognized by said government or said group of governments.
  - 28. A method and apparatus for registering users into a Public Key Infrastructure as described in claim 25, wherein the user functions are implemented as a hardware device.

29. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of law-abiding users, comprising the steps of:
- having the trustees produce shares for an escrowing public key;
  
  having users produce public keys and certifying them;
  
  upon a predetermined request, having the trustees use their shares to enable the entity to attempt to monitor communications of the suspected user during a time period specified in said predetermined request.

30. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of law-abiding users, comprising the steps of:
- having the trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key;
  
  having users produce public keys and;
  
  upon a predetermined request, having a given number of trustees each use the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications to the suspected user.
- View Dependent Claims (31, 32, 33)
- - 31. The method and apparatus as described in claim 30 with the further step of:
32. The method and apparatus as described in claim 30 wherein a given minority of trustees are unable to reconstruct the secret key.
33. The method and apparatus as described in claim 30 wherein upon the predetermined request all of the trustees each use the piece of information.

34. A method and apparatus for revealing the user'"'"'s secret value, comprising the steps of:
- having the trustees hold pieces of information, wherein a piece of information includes a share of secret value and;
  
  upon predetermined request, having a given number of trustees each use of the piece of information to reveal the share of the user'"'"'s secret value to enable the entity to reconstruct the secret value at a prescribed time specified in the predetermined request.
- View Dependent Claims (35)
- - 35. A method and apparatus as in claim 34 wherein the registering authority functions are implemented as a hardware device.

36. A method and apparatus for revealing private keys of suspected users comprising the steps of:
- having the trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key and;
  
  upon a predetermined request, having a given number of trustees each use the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications of the suspected user by recovering the private key corresponding to the suspected user'"'"'s public key in the public key database.

37. A method and apparatus for certifying public keys comprising the steps of:
- A) having the trustees generate and publish a set of system parameters B) having each user generate a public/private key pair using the system parameters C) having each user prove to a registration authority that said user'"'"'s private key (and information encoded under said user'"'"'s public key) is recoverable by said trustees D) upon successful validation of said proof, publish said user'"'"'s public key certificate authority certificate authority certificate includes at least the ID of said user, said public key of said user, and a digital signature of said registration authority on a string of information which includes at least said user'"'"'s ID, and said public key of said user.
- View Dependent Claims (38)
- - 38. A method and apparatus as described in claim 37 wherein the proof of step C is non-interactive and the registration authority keeps said proof private.

39. A method and apparatus, using a cryptosystem, for enabling anyone in possession of the system'"'"'s public parameters to confirm that each public key in the public key database is recoverable by the trustees.

40. A method and apparatus for a user in a cryptosystem to produce strings of information based on said user'"'"'s key and a random string certifying that required public properties of said key hold.

41. A method and apparatus for a user in a cryptosystem to produce strings of information based on said user'"'"'s key and a random string and another entity'"'"'s public key, said strings of information certify that required properties of said user'"'"'s public key hold and said strings of information also include an encryption of the private key corresponding to said user'"'"'s public key encrypted under said entity'"'"'s public key.

42. A method and apparatus for users in a PKI that enables each pair of users to establish a random session key comprising of the following steps:
- the first user in said pair looks up the second user'"'"'s public key and said second user looks up said first user'"'"'s public key said pair of users exchange messages to establish session key upon a court order which allows tapping of said session, the trustees of said PKI reconstruct said random session key based on at least one of said pair of user'"'"'s private keys.

43. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to recover selectively the files of users comprising the steps of:
- having the recovery authorities produce shares for a recovery public key;
  
  having users produce public keys;
  
  having users produce encrypted files, each file encrypted under a file key and stored, and;
  
  upon a predetermined authenticated request of a user, having the recovery authorities use their shares to enable the user to restore the cleartext version of available encrypted files.

44. A method and apparatus for generating system parameters which are a set of primes related by arithmetic conditions comprising of at least one of the following steps performed in arbitrary order:
- choosing a random fixed set of small potential witnesses of compositeness;
  
  randomly choosing a candidate prime and generating other candidates based on said candidate prime and said arithmetic conditions;
  
  checking the primality of said candidates using said fixed set of small potential witnesses of compositeness;
  
  checking the primality of said candidates by trying to divide them by a fixed set of integers;
  
  checking the primality of said set of candidates by verifying a set of remaindering conditions;
  
  adding a fixed even number to one of said candidates of primality and repeating a certain number of times;
  
  and where if any of the above steps fails then a new set of candidates of primality are chosen, and the entire process is repeated.

46. A cryptosystem with keys based on three or more distinct prime numbers with arithmetic relations between them.

47. A cryptosystem with encryption and decryption operations and key generation whereby operations are performed in any of three domains, F1, F2, and F3such that F1 is the exponent domain of F2 and F2 is the exponent domain of F3.

48. A cryptosystem whereby operations are performed in any of three domains, F1, F2, and F3such that F1 is the exponent domain of F2 and F2 is the exponent domain of F3.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CryptoPeak Security, LLC (Brian Yates)
Original Assignee
Adam Lucas Young, Marcel Mordechay Yung
Inventors
Young, Adam Lucas, Yung, Marcel Mordechay
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US08/864,839
Time in Patent Office

1,385 Days
Field of Search

380/278, 380/279, 380/283, 380/286, 380/44, 713/155, 713/156, 713/168, 713/167
US Class Current

713/167
CPC Class Codes

H04L 9/0869   involving random numbers or...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3268   using certificate validatio...

Auto-escrowable and auto-certifiable cryptosystems

First Claim

4 Assignments

Litigations

1 Petition

Accused Products

Abstract

82 Citations

59 Claims

Specification

Use Cases

Quick Links

Others

Auto-escrowable and auto-certifiable cryptosystems

First Claim

4 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

59 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others