1. Field of the Invention
This invention relates to cryptographic systems, and more specifically to systems including public key digital signatures.
2. Description of Prior Art
The concept of digital signatures promises to be an important one in commercial applications of cryptographic techniques. The digital signature concept is quite simple. Suppose a bank wishes to be able to make digital signatures that can be checked by all its customers. The bank develops a mathematical function, and supplies all its customers, and anyone else who cares to know, complete instructions for efficiently computing the function. The trick is, that when the bank developed the function, it included in it a trapdoor. This trapdoor allows the bank to efficiently compute the inverse of the function. Because it is infeasible to compute the inverse of the function without knowing the trapdoor, only the bank can compute the inverse of the function. Thus, if a customer of the bank sees a message that could only have been created by someone who knows how to compute the inverse of the function, then the customer knows that the message must have come from the bank.
The concept of digital signatures was first proposed in the literature by Diffie, et al, in "Multiuser Cryptographic Techniques," AFIPS-Conference Proceedings, Vol, 45, pp. 109-112. The first really practical example functions with the required trapdoor properties were disclosed by Rivest, Shamir and Adelman, in "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM Vol. 21, No. 2, February 1978. This system has become known as "RSA", after its inventors, and remains the most credible candidate for widespread use. It is based on two main ideas. The first is that is relatively easy for someone to create a large number for which only he knows the prime factors. (One way to accomplish this is for the creator to form the number as the product of two suitable sufficiently large primes chosen at random. Such primes are easily found by random trial and error since the density of primes even in the neighborhood of 50 digit numbers is on the order of one percent, and reasonably efficient primality tests are well known in the art.) The second main idea is that knowing the prime factors of the modulus under which exponentiation is performed allows one to produce pairs of exponents that behave as inverses.
In other words, consider the function f(x)=x.sup.e mod n, to be the result of raising x to the power e and then finding the remainder after dividing by n. There may be a number d, such that g(x)=x.sup.d mod n and g(f(x))=f(g(x))=x. If one chooses primes p and q and a suitable e, one can readily compute a corresponding d, simply as the multiplicative inverse of e modulo ((p-1).times.(q-1)), such modular multiplicative inverses to be described. It is thought to be almost impossible to compute d from e and n without knowing p and q, and almost impossible to determine p and q from n. Thus, if e and n are made public, anyone can compute f(x), but only the creator of n can compute the inverse g(x).
There are a variety of ways to use such a "public signature function" and its inverse "secret signature function" to make digital signatures. In general it is not desirable to maintain that any message which results from applying the public signature function is a valid signed message. The reason is that anyone could create a number at random and claim that it was a signature on the message that results when the public signature function is applied. One solution to this problem is to designate some subset of the messages as "valid messages" such that, for example, only one in 10.sup.50 messages is valid. Thus someone would have to apply the public signature function to an average of 5.times.10.sup.49 random messages, (which may not be a credible threat) before obtaining a valid message as a result. (An RSA system with a one-hundred digit modulus would still have 10.sup.50 possible valid messages.) The process of "checking" a digital signature in such a scheme involves applying the public signature function to the digital signature to be checked, and determining whether the resulting number is a member of the set of valid messages.
It is anticipated that a bank may wish to use digital signatures to validate various numbers that are to serve as electronic money. The bank will form digital signatures of valid numbers, and sell them to individuals by charging the individuals' accounts say one dollar for each signed number. These digitally signed numbers might be thought of as electronic bank "notes". An individual can check the digital signature on such a digitally signed note by applying the public signature function of the bank to the note and verifying that the result is a valid message. When the individual wishes to pay for some goods or services, say for example buying something costing one dollar at a shop, the individual gives the digitally signed note to the shop as payment. The shop can then check the digital signature on the note. If the result of the check is positive, then the shop can supply the digital signature to the bank, who can deposit one dollar in the shop's account, after again checking the signature on the note. The bank will also keep a list of the valid numbers which have been previously cleared, to prevent the same one from being used more than once. Of course, many different denominations of such digitally signed bank notes might actually be offered for sale by the bank, each denomination using a different pair of signature functions.
The problems with such payments systems possible under the prior art is that the bank will always be able to know which account a note was withdrawn from and which account it is ultimately deposited to--and this poses serious problems from a personal privacy perspective. As more and more payment transactions become automated, and more and more data associated with transactions is captured electronically, a tremendous amount of data about a person's habits, affiliations, lifestyle, whereabouts and so on could be captured by the bank in electronic form. This places the bank in a position it would rather not be in, because it has to to convince its customers that it handles this data properly, and also because of possible legal exposure, there will be various costs, restrictions on and interference with operating procedures and personnel. The customers of the bank are also placed in an undesirable position, since there may always be some doubt as to how such data is actually being used or might be used in the future.
This example illustrates the need for signature systems that do not allow the signer to trace all things validated with his signature. Many other similar situations, such as notarizations, stocks, bonds, other certificates, credentials, authorizations and so on are also anticipated.