Autoescrowable and autocertifiable cryptosystems
First Claim
1. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:
 the user'"'"'s system generating a random string of bits based on system parameters;
the user running a key generation algorithm to get a secret key and public key using the random string and public parameters;
the user constructing a proof being a string of bits whose public availability does not compromise the secret key and wherein said constructing of said proof requires access to said secret key, but at the same time said proof provides confidence to at least one of a plurality of other entities that said public key was generated properly by the specified algorithm, and wherein said confidence is gained without having access to any portion of said secret key.
4 Assignments
Litigations
1 Petition
Accused Products
Abstract
A method is provided for an escrow cryptosystem that is overheadfree, does not require a cryptographic tamperproof hardware implementation (i.e., can be done in software), is publicly verifiable, and cannot be used subliminally to enable a shadow public key system. A shadow public key system is an unescrowed public key system that is publicly displayed in a covert fashion. The key generated by the method are autorecoverable and autocertifiable (abbrev. ARC). The ARC Cryptosystem is based on a key generation mechanism that outputs a public/private key pair, and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently to be escrowed properly by anyone. The verification procedure does not use the private key. Hence, the general public has an efficient way of making sure that any given individual'"'"'s private key is escrowed properly, and the trusted authorities will be able to access the private key if needed. Since the verification can be performed by anyone, there is no need for a special trusted entity, known in the art as a “trusted third party”. The cryptosystem is overhead free since there is no additional protocol interaction between the user who generates his or her own key, and the certification authority or the escrow authorities, in comparison to what is required to submit the public key itself in regular certified public key systems. Furthermore, the system is designed so that its internals can be made publicly scrutinizable (e.g., it can be distributed in source code form). This differs from many schemes which require that the escrowing device be tamperproof hardware.
77 Citations
59 Claims

1. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:

the user'"'"'s system generating a random string of bits based on system parameters;
the user running a key generation algorithm to get a secret key and public key using the random string and public parameters;
the user constructing a proof being a string of bits whose public availability does not compromise the secret key and wherein said constructing of said proof requires access to said secret key, but at the same time said proof provides confidence to at least one of a plurality of other entities that said public key was generated properly by the specified algorithm, and wherein said confidence is gained without having access to any portion of said secret key.


2. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:

the user'"'"'s system generating a random string of bits based on system parameters;
the user running a key generation algorithm based on system parameters to get a pair comprised of a secret key and a public key using the random string and public parameters;
the user engaging in a protocol with at least one of a plurality of other entities whereby the said other entity repeatedly sends a challenge string and said user sends a response based on the challenge and the public key which requires access to the secret key, such that the public availability of said challenges and responses does not compromise the secret key, but at the same time provides confidence to said other entity that said public key was generated properly by the specified algorithm, and wherein said other entity has no access to any portion of said secret key.


3. A method and apparatus for publishing public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:

the user'"'"'s system reading the system parameters;
the user'"'"'s system running a key generation algorithm to get a private key and public key;
the user'"'"'s system constructing a proof that the private key was generated properly using the system parameters, and where said constructing of said proof requires access to said private key and verification of said proof can be performed by any other entity with no access to any portion of said private key.  View Dependent Claims (5, 6, 7)
the user generating the keys as in claim 3, and in addition;
the user proving its identity to a registration authority;
the user sending to the registration authority the public key and a proof of the fact that the private key was generated according to a specific algorithm, and where said proof is based on access to said private key of the user corresponding to said public key;
if the registration authority is convinced of the validity of said fact and of the user'"'"'s identity, then a certification authority issues a certificate for user'"'"'s said public key, wherein said validity can be ascertained without access to any portion of said private key. 

6. A method and apparatus as in claim 5 with an additional step wherein the registration authority, after verifying the validity of said proof and concluding that said proof holds, publishes together with said user ID, said public key in at least one of a public key database, a record given to said user including a signature on said user'"'"'s said public key using said registration authority'"'"'s private key, a publickey database kept by the registration authority, an X.509 certificate, and if verifying the validity of said proof does not lead to the conclusion that said proof holds, said registration authority does not publish said public key.

7. A method and apparatus as in claim 5 with the additional step wherein said registration authority modifies said user'"'"'s public key to create a modified public key to be published.

4. A method and apparatus for publishing public keys and a proof that the corresponding private keys are recoverable by a predetermined entity comprising the steps of:

the user generating the keys based on input which is the system parameters;
the user sending a string along with the public key, the string being a proof that the corresponding private key is recoverable by said predetermined entity using public information, wherein the construction of said proof requires access to said private key and verification of said proof can be performed with no access to any portion of said private key.  View Dependent Claims (8)
the user generating the keys as in claim 4, and in addition;
the user proving its identity to a registration authority;
the user sending to the registration authority the public key and a proof of the fact that the corresponding private key is recoverable by said predetermined entity using public information, wherein construction of said proof requires access to said private key;
if the registration authority is convinced of the validity of said fact and of the user'"'"'s identity, then a certification authority issues a certificate for user'"'"'s said public key, and if the registration authority is not convinced of said validity then it does not issue a certificate for said public key. 

9. A method and apparatus for a key recovery agent to recover the user'"'"'s private key or information encrypted under said user'"'"'s corresponding public key based on the certified public key of said user available in the public key directory and public parameters comprising of the following steps:

the key recovery agent reading the user'"'"'s certified public key from the public key directory;
running a key recovery algorithm based on the following inputs;
said user'"'"'s certified public key, the public system parameters, and the private key of said recovery agent;
running said key recovery algorithm resulting in the private key of said user.  View Dependent Claims (10, 45)
said agency A and said agency B bilaterally agree on a procedure for exchanging information recovered from communication between users from their respective jurisdictions who are suspected of criminal activity;
said agency A recovers said user 1'"'"'s private key or information encrypted using the corresponding public key using the method as described in claim 10 where we call the said recovered information, information X;
said agency B recovers said user 2'"'"'s private key or information encrypted using the corresponding public key using the method as described in claim 10 where we call the said recovered information, information Y;
said agencies A and B exchange information X and Y respectively according to said bilateral agreement. 

11. A method and apparatus for a set of key recovery agents to recover the user'"'"'s private key or information encrypted under said user'"'"'s corresponding public key based on the public key of said user available in the public key directory and public parameters comprising of the following steps:

a subset of said set of key recovery agents read the user'"'"'s public key from the public key directory;
each member of said subset run a key recovery algorithm based on the following inputs;
said user'"'"'s certified public key, the public system parameters, and the private key of said member of said subset;
running said key recovery algorithm resulting in a partial result of member of said subset;
all said partial results of said members of said subset are combined to generate said secret key of said user.  View Dependent Claims (12)


13. A cryptosystem wherein the private key agreed upon by the users is available to the key recovery agent or agents comprising the steps of:

a first user, based on its own private key and a second user'"'"'s public key, generates a resulting string;
said second user, based on its own private key and said first user'"'"'s public key, generates said resulting string;
said resulting string is recoverable by the key recovery agents.


14. A cryptosystem where the secret key agreed upon by the users is available to the key recovery agent or agents comprising the steps of:

a first user, based on a random input, system parameters, and a second user'"'"'s public key, generates a signal and a resulting string;
said signal is transmitted to said second user;
said second user, based on its own private key and said signal, generates said resulting string;
said resulting string is recoverable by the key recovery agents.


15. A method and apparatus for generating and publicizing system parameters for a key escrow system whereby:

all parties agree upon two domains F1 and F2, where F1 is used by the escrow authority public key and F2 is used for the user public keys;
all parties agree on a value g_{1 }which generates F1 and a value g which generates F2;
escrow authorities generate at least one pair of public/private keys in domain F1.  View Dependent Claims (49, 50, 51, 57)
accessing system parameters as generated in claim 15;
choosing a private key x in domain F1 randomly, and outputting x;
calculating a public key y in domain F2 using g and x, and outputting y;
proving using one or more zeroknowledge validation procedures that x is recoverable given y, g, and public information. 

50. A method and apparatus as described in claim 49 wherein said user'"'"'s public key is cryptographically blinded to create a modified public key which is then published by the registration authority.

51. A method and apparatus for recovering the private key generated as in claim 49 comprising the steps of:

each escrow agent i obtaining y and the proof of recoverability of x of the user whose private key is to be recovered;
each escrow agent i computing a value s_{i }based on y, z_{i}, and the proof of recoverability of x;
the escrow agents pooling their values s_{i};
the escrow agents computing x based on the values s_{i}.


57. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 49 comprising the steps of:

the entity obtaining the public key y and the prof as constructed in claim 52;
the entity verifying all of the noninteractive zeroknowledge proofs as constructed in claim 52;
where if one or more of the validation procedures fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.


16. A method and apparatus for generating and publicizing system parameters for a key escrow system whereby:

all parties agree upon two domains F1 and F2, where F1 is used by the escrow authority and is the domain of the exponent of domain F2, and domain F2 is used for the user public keys;
all parties agree on a primitive root g_{1 }of domain F1 and a primitive root g of domain F2;
each escrow authority chooses a private key z_{i};
the escrow authorities generate a public key Y contained in domain F1 based on g_{1 }and each private key z_{i}.  View Dependent Claims (52, 53, 54, 58)
accessing system parameters as generated in claim 16;
choosing a private key x in domain F1 randomly, and outputting x;
calculating a public key y in domain F2 using g and x, and outputting y;
proving using one or more zeroknowledge validation procedures that x is recoverable given y, g, and public information. 

53. A method and apparatus as described in claim 52 wherein said user'"'"'s public key is cryptographically blinded to create a modified public key which is then published by the registration authority.

54. A method and apparatus for recovering the private key generated as in claim 52 comprising the steps of:

each escrow agent i obtaining y and the proof of recoverability of x of the user whose private key is to be recovered;
each escrow agent i computing a value s_{i }based on y, z_{i}, and the proof of recoverability of x;
the escrow agents pooling their values s_{i};
the escrow agents computing x based on the values s_{i}.


58. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 52 comprising the steps of:

the entity obtaining the public key y and the proof as constructed in claim 53;
the entity verifying all of the noninteractive zeroknowledge proofs as constructed in claim 53;
where if one or more of the validation procedures fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.


17. A method and apparatus for generating public keys and a proof that the keys were generated by a specific algorithm where initially a mechanism for generating the system'"'"'s public parameters is executed and then the user takes the following steps:

accessing the system parameters;
choosing a private key x in domain F1 randomly, and outputting x;
calculating a public key y in domain F2, and outputting y;
computing and outputting one or more noninteractive zeroknowledge proofs that establish that x is recoverable given y, public system parameters, and possibly other values as well.  View Dependent Claims (18, 55, 56)
each escrow agent i obtaining y and the proof of recoverability of x of the user whose private key is to be recovered;
each escrow agent i computing a value s_{i }based on y, z_{i}, and the proof of recoverability of x;
the escrow agents pooling their values s_{i};
the escrow agents computing x based on the values s_{i}. 

56. A method and apparatus for an entity to verify the recoverability of a private key generated as in claim 18 comprising the steps of:

the entity obtaining the public key y and the proof as constructed in claim 18;
the entity verifying all of the noninteractive zeroknowledge proofs as constructed in claim 18;
where if one or more of the noninteractive proofs fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities.


19. An apparatus for generating system parameters for conducting key escrow whereby:

a method for finding a large prime r such that q=2r+1 is prime and p=4r+3 is prime is used where all parties agree upon said large prime r, all parties agree upon a value g that generates the mathematical group Z_{p }and an odd value g_{1 }such that g_{1 }generates all values that are less than 2q and are relatively prime to it (namely, g_{1 }generates Z_{2q}* which is isomorphic to Zq);
and where the escrow authorities generate a public key Y in the following manner; each escrow authority i chooses z_{i }in Z_{2r }uniformly at random and computer Y_{i}=(g_{1 }raised to the power z_{i}) mod 2q;
the escrow authorities pool their values Y_{i }and compute the Y to be the product of all the Y_{i}'"'"'s mod 2q;
if (g_{1}/Y) mod 2q does not generate Z_{2q }then the authorities choose the z_{i }over again and repeat;
so that the public key of the authorities is (Y,g_{1},2q), and each of the z_{i }are kept private by escrow authority i.


20. An apparatus for generating public keys and a proof that the keys were generated by a specific algorithm comprising the steps of:

choosing a value k in Z_{2r }uniformly at random;
computing C=(g_{1 }to the power k) mod 2q;
solving for the private key x in (Y to the power k)x=C mod 2q;
computing the public key y=(g to the power x) mod p;
computing v=g raised to the ((Y to the power −
k) mod 2q) power mod p;
computing P1, a noninteractive zeroknowledge proof of knowledge of k in C;
computing P2, a noninteractive zeroknowledge proof of knowledge of k in v;
computing P3, a noninteractive zeroknowledge proof of knowledge of k in (v to the power C) mod p;
so that the user'"'"'s public key is (y,g,p) and the user'"'"'s private key is x and where the proof that the public key (y,g,p) was generated by this specific algorithm is the string (C,v,P1,P2,P3).  View Dependent Claims (21, 24, 59)
the entity obtaining the public key (y,g,p) and the proof which is the string (C,v,P1,P2,P3) which was supposed to have been computed as in claim 24;
the entity verifying each of the noninteractive zeroknowledge proofs P1, P2, and P3 as constructed in claim 20;
the entity taking the subsequent action of verifying the algebraic relations between y, v, C, and p; and
where the verifier assumes that the private key x is not recoverable by the escrow authorities if any of the verifications fail, and where otherwise it is assumed that x is recoverable by the escrow authorities. 

24. An apparatus for an entity to verify the recoverability of a private key generated as in claim 20 comprising the steps of:

the entity obtaining the public key (y,g,p) and the proof which is the string (C,v,P1,P2,P3) which was supposed to have been computed as in claim 20;
the entity verifying each of the noninteractive zeroknowledge proofs P1, P2, and P3 as constructed in claim 20;
where if one or more of the noninteractive proofs P1, P2, and P3 fail to verify then the verifier assumes that the private key x is not recoverable by the escrow authorities and otherwise it is assumed that x is recoverable by the escrow authorities.


59. A method and apparatus for recovering the private key generated as in claim 20 comprising the steps of:

each escrow agent i obtaining the value C of the user whose private key is to be recovered;
each escrow agent i computing s_{i}=(C to the power z_{i}) mod 2q;
the escrow agents pooling their values s_{i};
the escrow agents computing (Y to the power k) to be the product of all of the s_{i}'"'"'s mod 2q;
the escrow agents computing x=C(Y to the power −
k) mod 2q.


22. An apparatus for generating public keys and proving that the keys were generated by a specific algorithm comprising the steps of:

choosing a value k in Z_{2r }uniformly at random;
computing C=(g_{1 }to the power k) mod 2q;
solving for the private key x in (Y to the power k)x=C mod 2q;
computing the public key y=(g to the power x) mod p;
computing v=g raised to the ((Y to the power −
k) mod 2q) power mod p;
participating in an interactive zeroknowledge proof protocol demonstrating knowledge of k in C;
participating in an interactive zeroknowledge proof protocol demonstrating knowledge of k in v;
participating in an interactive zeroknowledge proof protocol demonstrating knowledge of k in (v to the power C) mod p;
so that the user'"'"'s public key is (y,g,p) and the user'"'"'s private key is x and where if all three zeroknowledge interactive proofs are verified then the user'"'"'s public key (y,g,p) is published and said user'"'"'s private key x is kept private by the user.  View Dependent Claims (23)
each escrow agent i obtaining the value C of the user whose private key is to be recovered;
each escrow agent i computing s_{i}=(C to the power z_{i}) mod 2q;
the escrow agents pooling their values s_{i};
the escrow agents computing (Y to the power k) to be the product of all of the s_{i}'"'"'s mod 2q;
the escrow agents computing x=C(Y to the power −
k) mod 2q. 

25. A method and apparatus, using a publickey cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of other users, wherein the escrow authorities produce shares of an escrowing public key, comprising the steps of:

having each user create a matching pair of private and public keys;
providing a certification authority with a certificate enabling said certification authority to verify that the certificate includes the user'"'"'s secret key hidden using the escrowing public key;
upon a predetermined request, having the said escrow authorities use their own shares to reconstruct, for the predetermined requester, the secret key of a user suspected of criminal activity or certain information encrypted under public key corresponding to said private key of said user suspected of criminal activity, said certain information can be session keys or messages encrypted under session keys.  View Dependent Claims (26, 27, 28)


29. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of lawabiding users, comprising the steps of:

having the trustees produce shares for an escrowing public key;
having users produce public keys and certifying them;
upon a predetermined request, having the trustees use their shares to enable the entity to attempt to monitor communications of the suspected user during a time period specified in said predetermined request.


30. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of criminal activities while protecting the privacy of lawabiding users, comprising the steps of:

having the trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key;
having users produce public keys and;
upon a predetermined request, having a given number of trustees each use the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications to the suspected user.  View Dependent Claims (31, 32, 33)
characterizing the user'"'"'s activities as unlawful if the entity is unable to monitor the user'"'"'s communications. 

32. The method and apparatus as described in claim 30 wherein a given minority of trustees are unable to reconstruct the secret key.

33. The method and apparatus as described in claim 30 wherein upon the predetermined request all of the trustees each use the piece of information.

34. A method and apparatus for revealing the user'"'"'s secret value, comprising the steps of:

having the trustees hold pieces of information, wherein a piece of information includes a share of secret value and;
upon predetermined request, having a given number of trustees each use of the piece of information to reveal the share of the user'"'"'s secret value to enable the entity to reconstruct the secret value at a prescribed time specified in the predetermined request.  View Dependent Claims (35)


36. A method and apparatus for revealing private keys of suspected users comprising the steps of:

having the trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key and;
upon a predetermined request, having a given number of trustees each use the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications of the suspected user by recovering the private key corresponding to the suspected user'"'"'s public key in the public key database.


37. A method and apparatus for certifying public keys comprising the steps of:

A) having the trustees generate and publish a set of system parameters B) having each user generate a public/private key pair using the system parameters C) having each user prove to a registration authority that said user'"'"'s private key (and information encoded under said user'"'"'s public key) is recoverable by said trustees D) upon successful validation of said proof, publish said user'"'"'s public key certificate authority certificate authority certificate includes at least the ID of said user, said public key of said user, and a digital signature of said registration authority on a string of information which includes at least said user'"'"'s ID, and said public key of said user.  View Dependent Claims (38)


39. A method and apparatus, using a cryptosystem, for enabling anyone in possession of the system'"'"'s public parameters to confirm that each public key in the public key database is recoverable by the trustees.

40. A method and apparatus for a user in a cryptosystem to produce strings of information based on said user'"'"'s key and a random string certifying that required public properties of said key hold.

41. A method and apparatus for a user in a cryptosystem to produce strings of information based on said user'"'"'s key and a random string and another entity'"'"'s public key, said strings of information certify that required properties of said user'"'"'s public key hold and said strings of information also include an encryption of the private key corresponding to said user'"'"'s public key encrypted under said entity'"'"'s public key.

42. A method and apparatus for users in a PKI that enables each pair of users to establish a random session key comprising of the following steps:

the first user in said pair looks up the second user'"'"'s public key and said second user looks up said first user'"'"'s public key said pair of users exchange messages to establish session key upon a court order which allows tapping of said session, the trustees of said PKI reconstruct said random session key based on at least one of said pair of user'"'"'s private keys.


43. A method and apparatus, using a cryptosystem, for enabling a predetermined entity to recover selectively the files of users comprising the steps of:

having the recovery authorities produce shares for a recovery public key;
having users produce public keys;
having users produce encrypted files, each file encrypted under a file key and stored, and;
upon a predetermined authenticated request of a user, having the recovery authorities use their shares to enable the user to restore the cleartext version of available encrypted files.


44. A method and apparatus for generating system parameters which are a set of primes related by arithmetic conditions comprising of at least one of the following steps performed in arbitrary order:

choosing a random fixed set of small potential witnesses of compositeness;
randomly choosing a candidate prime and generating other candidates based on said candidate prime and said arithmetic conditions;
checking the primality of said candidates using said fixed set of small potential witnesses of compositeness;
checking the primality of said candidates by trying to divide them by a fixed set of integers;
checking the primality of said set of candidates by verifying a set of remaindering conditions;
adding a fixed even number to one of said candidates of primality and repeating a certain number of times;
and where if any of the above steps fails then a new set of candidates of primality are chosen, and the entire process is repeated.


46. A cryptosystem with keys based on three or more distinct prime numbers with arithmetic relations between them.

47. A cryptosystem with encryption and decryption operations and key generation whereby operations are performed in any of three domains, F1, F2, and F3such that F1 is the exponent domain of F2 and F2 is the exponent domain of F3.

48. A cryptosystem whereby operations are performed in any of three domains, F1, F2, and F3such that F1 is the exponent domain of F2 and F2 is the exponent domain of F3.
1 Specification