The field of this invention is cryptography. This invention relates to cryptosystems, and in particular to the escrowing and recovering of cryptographic keys and of data encrypted under cryptographic keys. The escrow and recovery process assures that authorized entities such as law-enforcement bodies, government bodies, users, and organizations can, when allowed or required, read encrypted data. The invention relates to cryptosystems implemented in software or in hardware. In particular, the invention relates to the generation of user public keys based on composite numbers and on the hardness of factoring, and to the implementation of a hierarchical key escrow system.
Public Key Cryptosystems (PKCs) allow secure communications between two parties who have never met before. The notion of a PKC was put forth in (W. Diffie, M. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, 22, pages 644-654, 1976). This communication can take place over an insecure channel. In a PKC, each user possesses a public key E and a private key D. E is made publicly available by a key distribution center, also called a certification authority (CA), after the registration authority verifies the authenticity of the user (its identification, etc.). The registration authority is part of the certification authority. D is kept private by the user. E is used to encrypt messages, and only D can be used to decrypt messages. It is computationally infeasible to derive D from E. To use a PKC, party A obtains party B's public key E from the key distribution center. Party A encrypts a message with E and sends the result to party B. B recovers the message by decrypting with D. The key distribution center is trusted by both parties to give correct public keys upon request. A PKC based on the difficulty of computing discrete logarithms was published in (T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", CRYPTO '84, pages 10-18, Springer-Verlag, 1985).
The current invention relates to key escrow systems. Prior methods for conducting key escrow are U.S. Pat. Nos. 5,276,737 and 5,315,658, which are due to Micali (1994). In these patents Micali discloses a Fair Public Key Cryptosystem (FPKC) which is based on the work of P. Feldman (28th annual FOCS). The FPKC solution is not as efficient in terms of use as Auto-Recoverable and Auto-Certifiable Cryptosystems. Furthermore, it has been shown that the Fair RSA PKC does not meet certain needs of law enforcement (J. Kilian, F. Leighton, "Fair Cryptosystems Revisited", CRYPTO '95, pages 208-221, Springer-Verlag, 1995), since a shadow public key cryptosystem can be embedded within it. A shadow public key system is a system that can be embedded in a key escrow system and that permits conspiring users to conduct untappable communications. Kilian and Leighton disclose a Fail-safe Key Escrow system. This system has the drawback that it requires users to engage in a costly multi-round protocol in order to generate public/private key pairs. Other key escrow systems with similar inefficiencies are by De Santis et al., Walker and Winston (TIS), and the IBM SecureWay document. These solutions propose session-level escrow, which requires changes in communication protocols. A "Fraud-Detectable Alternative to Key-Escrow Proposals" based on ElGamal has been described in (E. Verheul, H. van Tilborg, "Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals", Eurocrypt '97, pages 119-133, Springer-Verlag, 1997). This system, called Binding ElGamal, provides for session-level key recoverability, and makes no provision for preventing users from encrypting messages using the provided unescrowed public key infrastructure prior to using the Binding ElGamal system. Hence, it permits conspiring criminals to conduct untappable communications.
Binding ElGamal also imposes a large amount of communication overhead per communications session. An overview of key escrow schemes appears in (D. Denning, D. Branstad, "A Taxonomy for Key Escrow Encryption Systems", Communications of the ACM, v. 39, n. 3, 1996). In (N. Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for Trusted Third Party Services", Cryptography: Policy and Algorithms, LNCS 1029, Springer, 1996) and (R. Anderson, "The GCHQ Protocol and Its Problems", Eurocrypt '97, pages 134-148, Springer-Verlag, 1997) a trusted third party approach to escrow is described in which the trusted third parties of the participating users are involved in every session key establishment stage; this too is a cumbersome solution.
In the pending U.S. Pat. Nos. 08/864,839, 08/878,189, and "Auto-Recoverable And Auto-Certifiable Cryptosystems with Fast Key Generation" filed Aug. 29, 1997 (by Young and Yung), Auto-Recoverable and Auto-Certifiable public key cryptosystems were disclosed that have the following properties. Users of the system can generate a public/private key pair and a certificate of recoverability. This certificate of recoverability can be used both to recover the private key by the escrow authorities, and to verify that the private key is recoverable. The present invention is a new Auto-Recoverable and Auto-Certifiable key escrow solution. The main restriction of the prior Auto-Recoverable and Auto-Certifiable cryptosystems that were proposed is that it is not possible to generate user public and private keys that are based on the difficulty of factoring. Such cryptosystems, based for example on the product of two large prime numbers, are popular. In particular, the RSA system by Rivest et al. (Rivest 1983) is very popular. The previous Auto-Recoverable and Auto-Certifiable systems based users' keys on the hardness of the problem of computing discrete logarithms. Indeed, it could be the case that computing discrete logs is not as hard as is currently believed, but that factoring is hard. For this reason, there is a significant advantage to an Auto-Recoverable and Auto-Certifiable cryptosystem based on the difficulty of factoring, as in the present invention. The present invention discloses an Auto-Recoverable and Auto-Certifiable cryptosystem in which the public key of the escrow authorities and the public keys of the users are based on the hardness of factoring composites. In another embodiment the escrow authorities' keys are based on the discrete log problem.
The present invention also introduces a new notion, the notion of a key escrow hierarchy, which is a method with new functionality. We disclose a method for implementing a key escrow hierarchy that takes the form of a tree. This tree has the property that any node has the ability to recover the communications of the nodes of the subtree for which it is the root. Thus, the root node of the entire tree is able to recover the communications of all users of the system. Such a system is ideal for implementing national and multinational Public Key Infrastructures (PKIs). For instance, a national PKI for the U.S. could be implemented as a depth-3 tree. The federal government could be the root. The state governments could be the middle nodes, and the residents of each state could be the leaves. This would allow the federal government to decrypt all communications, and would restrict each state government to decrypting only the communications of the state's own residents.
Both Binding ElGamal and the Auto-Recoverable and Auto-Certifiable Cryptosystems solutions employ non-interactive proofs. More specifically, they employ the Fiat-Shamir heuristic, which is disclosed in (A. Fiat, A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems", CRYPTO '86, pages 186-194, Springer-Verlag, 1987). It is known in the art how to replace non-interactive proofs by interactive proofs. The variant of proofs introduced by our mechanism is a proof that combines a zero-knowledge methodology with explicit encryption of values to a third party.
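The following is an added illustration of the Fiat-Shamir heuristic named above; it is not the patent's proof system and not code from its authors. It applies the heuristic to Schnorr's interactive proof of knowledge of a discrete logarithm: the verifier's random challenge is replaced by a hash of the transcript, which turns the three-move protocol into a single message that anyone holding the public value can check. The group parameters (P, Q, G) are assumed toy values chosen so the arithmetic is readable; they give no real security.

```python
"""Schnorr proof of knowledge made non-interactive with the Fiat-Shamir heuristic (added example)."""
import hashlib
import random

P = 2039  # assumed toy prime with P = 2*Q + 1 (far too small for real use)
Q = 1019  # prime order of the subgroup the proof works in
G = 4     # generator of the order-Q subgroup (4 = 2^2 is a quadratic residue mod P)
assert pow(G, Q, P) == 1 and G != 1


def fiat_shamir_challenge(*values: int) -> int:
    """Replace the verifier's random challenge by a hash of the transcript so far."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_knowledge(x: int, y: int, rng: random.Random) -> tuple:
    """Prove knowledge of x with y = G^x mod P without revealing x.

    Interactive version: prover sends t, verifier sends random c, prover sends s.
    Here c is derived from (G, y, t), so the proof (t, s) is a single message.
    """
    r = rng.randrange(1, Q)          # fresh commitment randomness
    t = pow(G, r, P)                 # commitment
    c = fiat_shamir_challenge(G, y, t)
    s = (r + c * x) % Q              # response binds r, c and the secret x
    return t, s


def verify_knowledge(y: int, proof: tuple) -> bool:
    """Anyone holding y can check the proof; no interaction with the prover is needed."""
    t, s = proof
    if not (1 <= t < P and 0 <= s < Q):
        return False
    c = fiat_shamir_challenge(G, y, t)
    # G^s == t * y^c holds exactly when s = r + c*x for the r committed in t
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def demo(seed: int = 1) -> dict:
    """Honest proof verifies; a proof with a modified response does not."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)          # the prover's secret
    y = pow(G, x, P)                 # the public value
    t, s = prove_knowledge(x, y, rng)
    tampered = (t, (s + 1) % Q)      # G^(s+1) != G^s because G != 1, so this always fails
    return {"valid": verify_knowledge(y, (t, s)), "tampered": verify_knowledge(y, tampered)}
```

The hash input must bind every public element of the statement (here G and y as well as the commitment t); omitting y from the hash would let a proof made for one public value be replayed against another.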
The present invention provides a method to verify that information that can be used to recover a user-generated private key is contained within an encryption under the public key of the escrow authorities. This method does not involve a lot of overhead. Furthermore, this verification can be performed by anyone in possession of the escrow authorities' public key. The present invention can replace a public key infrastructure in which users' keys are based on factoring (e.g., RSA keys as in Rivest 1983) without changing the encryption and decryption functions, since the keys generated are compatible with factoring-based keys. The present invention is also compatible with a usual Public Key Infrastructure and does not require other changes (such as changes of communication protocols and computations). The present invention consists of a setup process and three functions which process signals in different ways. The functions are key generation, key verification, and key recovery. In the setup process of the preferred embodiment, the participants agree upon a set of initial public parameters and the authorities generate an escrowing public key and corresponding private keys. The initial parameters and the escrowing public key are the public parameters of the system. The escrowing authorities, the Certification Authority (CA), and the users of the system all have access to the public parameters. In the key generation process, the method generates a user's public/private key pair, and a certificate of recoverability, which is a string of information that includes encryptions of information allowing the recovery of the user's private key, encrypted under the escrowing public key. The signal information containing the user's public key and the certificate of recoverability can be transmitted to any entity. In the verification process, the user transmits this signal to the verifier.
The verification process takes the input signal, processes it, and outputs either true or false. A result of true indicates that the user's private key is recoverable from the certificate of recoverability by the escrow authorities. A result of false indicates that the private key is not recoverable. The invention is designed such that it is intractable for the user to generate a public key and certificate of recoverability such that the key is not escrowed and yet passes the verification process with a result of true. In the preferred embodiment, the users certify their public keys with the registration authority of the certification authority (CA), which then signs their public key after successful verification. A public key together with a CA's signature on a string that contains the public key, the user's identity, and other information constitutes a certified public key. The other information can include the certificate of recoverability in the present invention. It can also include the message digest of the certificate of recoverability. In more detail, upon receiving the user's public key and certificate of recoverability, the CA verifies that the corresponding private key is recoverable. If it is (namely, the verification process outputs true), the public key is certified and/or made publicly available by the CA. The CA keeps a copy of the certificate of recoverability, perhaps in encrypted form under its own key. The user is only required to keep his private key and to have access to the public key database containing the public keys of other users, as in a typical PKI. In the recovery process, the escrow authorities use the user's certificate of recoverability and public key, obtained from the CA, as an input signal. The escrow authorities process the certificate of recoverability, and the corresponding user's private key is the resulting output signal.
When the escrow authorities are implemented in tamper-proof hardware, it is possible to output decryptions of messages encrypted under the private key rather than the private key itself.
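The following is an added toy model of the key escrow hierarchy described earlier (federal root, state governments, residents) together with the key generation and key recovery functions just described; it is not the patent's construction and not code from its authors. Assumed structure, not stated on the page: every node holds a factoring-based (toy RSA) key pair; every non-root node escrows one prime factor of its modulus under its parent's public key, which stands in for the certificate of recoverability; an ancestor recovers a descendant's private key by walking that chain downwards, reconstructing one private key per level. The publicly checkable proof that the certificate really contains a factor is the patent's contribution and is not modelled here; the primes are deliberately tiny and give no security.

```python
"""Toy model of hierarchical key escrow over factoring-based keys (added example)."""
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PUBLIC_EXPONENT = 65537


def primes_between(lo: int, hi: int) -> List[int]:
    """Sieve of Eratosthenes; only used to pick toy-sized RSA primes."""
    sieve = bytearray([1]) * (hi + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(hi ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i :: i] = bytearray(len(sieve[i * i :: i]))
    return [i for i in range(lo, hi + 1) if sieve[i]]


@dataclass
class EscrowNode:
    name: str
    n: int                          # public modulus
    e: int                          # public exponent
    d: int                          # private exponent, held only by this node
    p: int                          # one factor of n: the recovery information
    parent: Optional["EscrowNode"]
    certificate: Optional[int]      # assumed certificate: p encrypted under the parent's key
    children: List["EscrowNode"] = field(default_factory=list)


def toy_rsa_keypair(rng: random.Random):
    """(n, e, d, p) with primes in [200, 1000], so any p is below any other node's n."""
    candidates = primes_between(200, 1000)
    while True:
        p, q = rng.sample(candidates, 2)
        phi = (p - 1) * (q - 1)
        if math.gcd(PUBLIC_EXPONENT, phi) == 1:
            return p * q, PUBLIC_EXPONENT, pow(PUBLIC_EXPONENT, -1, phi), p


def make_node(name: str, parent: Optional[EscrowNode], rng: random.Random) -> EscrowNode:
    """Key generation: a key pair plus the escrow of its factor to the parent node."""
    n, e, d, p = toy_rsa_keypair(rng)
    cert = None if parent is None else pow(p, parent.e, parent.n)
    node = EscrowNode(name, n, e, d, p, parent, cert)
    if parent is not None:
        parent.children.append(node)
    return node


def path_below(authority: EscrowNode, target: EscrowNode) -> Optional[List[EscrowNode]]:
    """Nodes strictly below `authority` down to `target`; None if target is outside its subtree."""
    path, node = [], target
    while node is not None and node is not authority:
        path.append(node)
        node = node.parent
    return None if node is None else path[::-1]


def recover_private_key(authority: EscrowNode, target: EscrowNode) -> int:
    """Key recovery: an authority may recover only keys in the subtree it roots."""
    path = path_below(authority, target)
    if path is None:
        raise PermissionError(f"{authority.name} is not an ancestor of {target.name}")
    d, n = authority.d, authority.n
    for node in path:
        p = pow(node.certificate, d, n)              # decrypt the escrowed factor
        q = node.n // p
        if p * q != node.n:
            raise ValueError(f"certificate of {node.name} does not factor its modulus")
        d = pow(node.e, -1, (p - 1) * (q - 1))       # rebuild this node's private exponent
        n = node.n                                   # and descend one level
    return d


def encrypt_to(node: EscrowNode, m: int) -> int:
    return pow(m, node.e, node.n)


def decrypt_with(d: int, n: int, c: int) -> int:
    return pow(c, d, n)


def build_demo_hierarchy(seed: int = 7) -> Dict[str, EscrowNode]:
    """Depth-3 tree from the text: federal root, two states, one resident each (constructed)."""
    rng = random.Random(seed)
    federal = make_node("federal", None, rng)
    state_a = make_node("state-A", federal, rng)
    state_b = make_node("state-B", federal, rng)
    alice = make_node("alice@A", state_a, rng)
    bob = make_node("bob@B", state_b, rng)
    return {"federal": federal, "state_a": state_a, "state_b": state_b, "alice": alice, "bob": bob}


def demo() -> Dict[str, bool]:
    """Root and the resident's own state recover a message to Alice; another state cannot."""
    h = build_demo_hierarchy()
    c = encrypt_to(h["alice"], 4242)                 # constructed message sent to Alice
    federal_ok = decrypt_with(recover_private_key(h["federal"], h["alice"]), h["alice"].n, c) == 4242
    state_ok = decrypt_with(recover_private_key(h["state_a"], h["alice"]), h["alice"].n, c) == 4242
    try:
        recover_private_key(h["state_b"], h["alice"])
        blocked = False
    except PermissionError:
        blocked = True
    return {"federal_ok": federal_ok, "state_ok": state_ok, "other_state_blocked": blocked}
```

The subtree check in `recover_private_key` is the policy the text describes (a node decrypts only within the subtree it roots); the chained decryption is what makes it mechanically true rather than a matter of access control, since a state node never receives the federal private exponent and a state never receives another state's.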
The present invention is useful in any environment that demands the recovery of private keys, or keys encrypted under these keys, or information encrypted under these keys. Such environments arise in law enforcement nationally and internationally, in the business sector, in secure file systems, on the Internet, in Certified Mail services, etc. The successful escrowing of private keys implies the successful escrowing of public key encrypted information, and hence the present invention has many applications.
The present invention is robust with respect to any underlying technology since it can be implemented in both hardware and software. When implemented in software it can be easily scrutinized to ensure that it functions as desired and to ensure that it does not compromise the security of its users. The software implementation allows for fast and easy dissemination of the invention, since it can be disseminated in source code form on diskettes or over a computer communication network. The present invention is also communication efficient. At most one, two, or three message exchanges suffice for the various embodiments of the present invention. The signals can be processed quickly and the signals themselves constitute a small amount of information. The invention does not require changes in the communication protocols used in typical unescrowed PKIs (e.g., session key establishment, key distribution, secure message transmission, etc.). The invention is therefore compatible with typical PKIs. The present invention thus provides a very efficient way of escrowing and recovering cryptographic keys. The present invention does not require changes in the header information of messages, the content of messages, or additional messages outside the PKI protocols, and as mentioned above does not require changes of cryptographic encryption and decryption in systems based on RSA or factoring-based keys.