United States Patent
US005666414A; Patent Number: 5,666,414; Date of Patent: Sep. 9, 1997
GUARANTEED PARTIAL KEY-ESCROW
Inventor: Silvio Micali, 459 Chestnut Hill Ave., Brookline, Mass. 02146
Appl. No.: 620,080
Filed: Mar. 21, 1996
Related U.S. Application Data
Provisional application No. 60/003,028, Aug. 31, 1995 and provisional application No. 60/003,223, Sep. 5, 1995.
Int. Cl.⁶ H04L 9/00; H04K 1/00
U.S. Cl. 380/21; 380/30; 380/45
Field of Search 380/21, 30, 45
References Cited
U.S. PATENT DOCUMENTS
4,265,827 5/1981 McDonald.
4,326,098 4/1982 Bouricius et al.
4,879,747 11/1989 Leighton et al.
4,908,861 3/1990 Brachtl et al.
4,924,514 5/1990 Matyas et al.
4,944,009 7/1990 Micali et al.
4,995,081 2/1991 Leighton et al.
5,081,676 1/1992 Chou et al.
5,177,791 1/1993 Yen et al.
5,208,853 5/1993 Armbruster et al.
5,214,698 5/1993 Smith, Sr. et al.
5,276,737 1/1994 Micali.
5,315,658 5/1994 Micali.
Micali, S., "Fair Public-Key Cryptosystems", May 20, 1992.
Pedersen, Torben Pryds, "Distributed Provers with Applications to Undeniable Signatures", Eurocrypt '91 Abstracts, Univ. of Sussex, Brighton, UK, 8th-11th Apr. 1991, pp. 117-122.
Beth, Th., "Zur Diskussion gestellt", Informatik-Spektrum, vol. 13, 1990, pp. 204-215.
Feldman, Paul, "A Practical Scheme for Noninteractive Verifiable Secret Sharing", 1987, pp. 427-437.
Blakley, G.R., "Safeguarding Cryptographic Keys", AFIPS Conference Proceedings, vol. 48, National Computer Conference, 1979, pp. 313-317.
Shamir, Adi, "How to Share a Secret", Communications of the ACM, vol. 22, No. 11, Nov. 1979, pp. 612-613.
DeMillo, Richard A.; Davida, George I.; Dobkin, David P.; Harrison, Michael A.; and Lipton, Richard J., "Cryptology in Revolution: Mathematics and Models", San Francisco, CA, Jan. 5-6, 1981, pp. 152-155.
Simmons, Gustavus J., "How to (Really) Share a Secret", Advances in Cryptology—CRYPTO '88, pp. 390-448.
Desmedt, Yvo; and Frankel, Yair, "Threshold Cryptosystems", Advances in Cryptology—CRYPTO '89, pp. 307-315.
Benaloh, Josh Cohen, "Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret", Advances in Cryptology—CRYPTO '86, pp. 251-260.
Galil, Zvi; and Yung, Moti, "Partitioned Encryption and Achieving Simultaneity by Partitioning", Oct. 19, 1987, pp. 81-88.
Primary Examiner—Stephen C. Buczinski
Attorney, Agent, or Firm—Foley, Hoag & Eliot LLP
A given decryption key is decomposed into at least two parts, for example, a first subkey and a second subkey. The first subkey may be verifiably secret-shared among a set of one or more trustees, whereas the trustees preferably receive no information at all about the second subkey. Reconstruction of the first subkey by the trustees does not yield a decryption key useful by itself in decrypting ciphertexts. The trustees, however, also receive a guarantee that once they reveal their shares to a given entity, the entity has the capability of determining the second subkey. Generally, the generation of the second subkey will be carried out by the entity using a brute force technique, although the calculation may be performed by still another party (or even the trustees themselves in cooperation with the entity). Once the second subkey is determined, the guarantee ensures that combination of the first and second subkeys yields a given decryption key that may then be used to decrypt ciphertexts.
23 Claims, 1 Drawing Sheet
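The decomposition described in the abstract (and in the summary that follows) can be made concrete. The Python below is an added example, not code from the patent or its inventor; it instantiates the scheme in a discrete-log (ElGamal-style) setting of its own choosing: the decryption key is x = SK1 + SK2 (mod q), the public key is y = g^x, SK1 is Shamir-shared with Feldman commitments so each trustee can verify its share, SK2 is a short value, and the "guarantee" the trustees receive is y together with a declared bit-length bound on SK2. Everything here is a toy: the 63-bit group, the 16-bit bound, the threshold, and the assumption that the bound is declared rather than proven in zero knowledge.

```python
# Added example, not code from the patent or its inventor: guaranteed partial
# key-escrow (GPKE) over a discrete-log group.  Assumed setting: ElGamal key x with
# y = g^x, x = SK1 + SK2 (mod q), SK2 short, SK1 under Feldman VSS, bound on SK2 declared.
import secrets

SK2_BITS = 16   # toy bound so the search is instant; the patent allows a day to a week
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin witnesses

def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these witnesses."""
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest (p, q) with p = 2q + 1 both prime and q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(1 << 62)   # 63-bit safe prime: toy size, not a real group
G = 4                             # a square mod P, hence of prime order Q

def keygen(n_bits=SK2_BITS):
    """Return (x, y, sk1, sk2): x = sk1 + sk2 mod Q, y = g^x mod P."""
    sk2 = 1 + secrets.randbelow((1 << n_bits) - 1)   # short second subkey
    sk1 = 1 + secrets.randbelow(Q - 1)               # long first subkey
    x = (sk1 + sk2) % Q
    return x, pow(G, x, P), sk1, sk2

def share_sk1(sk1, t, m):
    """t-of-m Shamir shares of sk1 over GF(Q) plus Feldman commitments g^a_i."""
    coeffs = [sk1] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = [(j, sum(c * pow(j, i, Q) for i, c in enumerate(coeffs)) % Q)
              for j in range(1, m + 1)]
    return shares, [pow(G, c, P) for c in coeffs]

def trustee_verifies(share, commits):
    """Trustee j accepts its share only if g^s_j == prod_i C_i^(j^i) mod P."""
    j, s = share
    rhs = 1
    for i, c in enumerate(commits):
        rhs = rhs * pow(c, pow(j, i, Q), P) % P
    return pow(G, s, P) == rhs

def reconstruct_sk1(shares):
    """Lagrange interpolation at 0 over GF(Q) from any t distinct shares."""
    total = 0
    for j, s in shares:
        num = den = 1
        for k, _ in shares:
            if k != j:
                num, den = num * -k % Q, den * (j - k) % Q
        total = (total + s * num * pow(den, -1, Q)) % Q
    return total

def brute_force_sk2(y, sk1, n_bits=SK2_BITS):
    """Find sk2 < 2^n_bits with g^(sk1 + sk2) == y; None if the guarantee is false."""
    target = y * pow(G, -sk1, P) % P   # equals g^sk2 exactly when the guarantee holds
    acc = 1
    for k in range(1 << n_bits):
        if acc == target:
            return k
        acc = acc * G % P
    return None

def elgamal_encrypt(y, msg):
    k = 1 + secrets.randbelow(Q - 1)
    return pow(G, k, P), msg * pow(y, k, P) % P

def elgamal_decrypt(x, ct):
    return ct[1] * pow(ct[0], -x, P) % P

def escrow_and_recover(t=2, m=3, msg=1234567):
    """Full GPKE flow; returns (decryption key recovered, ciphertext decrypted)."""
    x, y, sk1, sk2 = keygen()
    shares, commits = share_sk1(sk1, t, m)
    if not all(trustee_verifies(s, commits) for s in shares):
        raise ValueError("dealer distributed inconsistent shares")
    ct = elgamal_encrypt(y, msg)
    rec_sk1 = reconstruct_sk1(shares[:t])        # any t shares, revealed on request
    x_rec = (rec_sk1 + brute_force_sk2(y, rec_sk1)) % Q
    return x_rec == x, elgamal_decrypt(x_rec, ct) == msg
```

The Feldman check rejects a dealer who hands out inconsistent shares, and the reconstructed SK1 decrypts nothing on its own (g^SK1 != y). Two caveats for anyone sizing a real system from this: brute_force_sk2 is a linear scan, but baby-step giant-step or Pollard's kangaroo recovers an exponent known to lie in a 2^n interval in about 2^(n/2) group operations, so the day-to-week target in the text must be set against the best known interval search, not against this loop. And in this discrete-log instantiation the Feldman commitment C_0 = g^SK1 lets any trustee compute y / C_0 = g^SK2 and run the same search, so the trustees can learn the second subkey at the cost of that search; the "no information at all" variant the abstract describes needs a guarantee that does not expose g^SK1.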
Feldman, Paul Neil, "Optimal Algorithms for Byzantine Agreement", May 13, 1988.
Diffie, Whitfield; and Hellman, Martin E., "New Directions in Cryptography", IEEE Transactions on Information Theory, vol. IT-22, No. 6, Nov. 1976, pp. 644-654.
Pedersen, Torben Pryds, "Distributed Provers with Applications to Undeniable Signatures", Advances in Cryptology—EUROCRYPT '91, Brighton, UK, Apr. 1991, pp. 221-242.
Simmons, G., "How to Insure that Data Acquired to Verify Treaty Compliance are Trustworthy", Proceedings of the IEEE, vol. 76, No. 5, May 1988.
Merkle, Ralph C., "A Digital Signature Based on a Conventional Encryption Function", 1987.
Meyer, Carl H.; and Matyas, Stephen M., Cryptography: A New Dimension in Computer Data Security, 1982, pp. 350-428 (Chapters 8 and 9).
Beker, Henry; and Piper, Fred, Cipher Systems, 1982, pp. 292-305 (Sections 8.2 and 8.3).
Longley, Dennis, Data & Computer Security, 1987, pp. 120-323.
Konheim, Alan G., Cryptography—A Primer, 1981, pp. 285-293 (Chapter 7).
Denning, D.E.R., Cryptography and Data Security, 1982, pp. 161-179 (Sections 3.6 and 3.7).
Simmons, Gustavus J., Contemporary Cryptology: The Science of Information Integrity, 1992, pp. 325-419 and 615-630 (Chapters 6, 7 and 13).
Micali, S., "Fair Public Key Cryptosystems", Advances in Cryptology—CRYPTO '92, Aug. 1992.
Micali, S., "Fair Cryptosystems", MIT/LCS/TR-579.b, Nov.
Leighton, Tom; and Micali, S., "New Approaches to Secret-Key Exchange", Apr. 1993.
Leighton, Tom; and Kilian, Joseph, "Failsafe Key Escrow".
Rabin, Tal; and Ben-Or, Michael, "Verifiable Secret Sharing and Multiparty Protocols with Honest Majority" (Extended Abstract), Institute of Mathematics and Computer Science, The Hebrew University, Jerusalem, Israel, Aug. 1989, pp. 73-85.
Karnin, Ehud D.; Greene, Jonathan W.; and Hellman, Martin E., "On Secret Sharing Systems", IEEE Transactions on Information Theory, vol. IT-29, No. 1, Jan. 1983.
Ito, Mitsuru; Saito, Akira; and Nishizeki, Takao, "Secret Sharing Scheme Realizing General Access Structure", Dept. of Electrical Communications, Tohoku University, Sendai, Miyagi 9890, Japan, pp. 3.6.1-3.6.4.
Beaver, Donald, "Multiparty Protocols Tolerating Half Faulty Processors", Aiken Computation Lab, Harvard University, pp. 560-572.
Gong, Li, "Securely Replicating Authentication Services", Univ. of Cambridge Computer Lab., Cambridge, England, pp. 85-91.
Brassard, Gilles, "On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys", Univ. de Montreal, Dept. d'informatique et de recherche operationnelle, C.P. 6128, Montreal, Quebec, pp. 79-86.
Meyer, Carl H.; and Matyas, Stephen M., Cryptography: A New Dimension in Computer Data Security, Cryptography Competency Center, IBM Corporation, Kingston, New York, 1982, pp. 350-541.
Christoffersson, Per; Ekhall, Stig-Arne; and Fak, Viiveke, "Crypto Users' Handbook: A Guide for Implementors of Cryptographic Protection in Computer Systems", 1988, pp.
Longley, Dennis; and Shain, Michael, Data & Computer Security: Dictionary of Standards, Concepts and Terms, 1987, pp. 10-421.
Chor, Benny; Goldwasser, Shafi; Micali, Silvio; and Awerbuch, Baruch, "Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults" (Extended Abstract), Massachusetts Institute of Technology Laboratory for Computer Science, 1985, pp. 383-395.
Goldreich, Oded; Micali, Silvio; and Wigderson, Avi, "Proofs that Yield Nothing But their Validity and a Methodology of Cryptographic Protocol Design" (Extended Abstract), 1986, pp. 174-187.
Graham, S.L. and Rivest, R.L., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Feb. 1978, vol. 21, No. 2.
[Drawing sheet: given entity that reconstructs first subkey SK1 upon a predetermined request and determines second subkey SK2]

GUARANTEED PARTIAL KEY-ESCROW

RELATED APPLICATIONS

This application is based on and claims priority on Provisional application Ser. No. 60/003,028, filed Aug. 31, 1995, and Provisional application Ser. No. 60/003,223, filed Sep. 5, 1995.

TECHNICAL FIELD

The present invention relates generally to secure communications and more particularly to key escrow.

BACKGROUND OF THE INVENTION

The patent to Micali, U.S. Pat. No. 5,276,737, relates to a key escrow system whereby trustees hold pieces of secret decryption keys. Among other things, the method allows very strong encryption to be used by law-abiding citizens, while making criminals prone to legitimately-issued wiretap orders.

U.S. Pat. No. 5,315,658, also issued to Micali, discloses additional features of a key escrow system with respect to the previously described patent, such as time-bounded line-tapping. The reference suggests the implementation of such key escrow systems utilizing tamper-proof hardware. In particular, the reference teaches that a tamper-proof encrypting device, besides producing ciphertext, may also produce matching authentication tags to prove that the ciphertext has been produced using an approved key escrow system, without any need to understand the corresponding ciphertext.

In the preferred embodiment of the key escrow systems such as described in the above-identified patents, trustees collectively hold pieces of an entire secret decryption key. It would be desirable to provide a key escrow technique that does not require trustees to possess the entire secret key. This type of key escrow may be conveniently referred to as partial key-escrow.

BRIEF SUMMARY OF THE INVENTION

According to one preferred embodiment of the present invention, there is described a method for escrowing secret decryption keys useful in decrypting ciphertexts. The method involves two basic steps. In the first step, a set of one or more trustees (and perhaps others) are provided with a guarantee that a given secret decryption key is the composition of a first subkey and a second subkey. The second subkey is substantially easier to compute than the first subkey. In the second step, the trustees are then provided with pieces of information that are guaranteed to include shares of the first subkey. Moreover, if desired, it may be achieved that a sufficiently high number of such shares can be combined to yield the first subkey, while any insufficient number of shares is useless to compute the first subkey.

After the keys have been escrowed in the manner described above, the escrowed information may be used to decrypt ciphertexts in a secure communications environment yet still preserve the privacy of the secret decryption keys to a significant extent. Indeed, upon a predetermined request, the trustees reveal their shares of the first subkey to a given entity, which may be a law enforcement agency or a private organization. The predetermined request, without limitation, may be a court-ordered wiretapping. The given entity then determines (or has others determine for it) the second subkey (e.g., possibly even through a brute-force calculation), and then uses the first and second subkeys to reconstruct the secret decryption key. The secret decryption key is then used to decrypt ciphertexts decryptable by the secret decryption key.

There are a number of important advantages of the present invention. In the prior art, for example, the trustees hold shares of a given decryption key of a public-key cryptosystem. Here the trustees hold shares of only a secret value (namely, the first subkey), which is not a given decryption key. The decryption key is only yielded by a combination of this secret value and a second secret value (namely, the second subkey). This significantly enhances the protection of privacy of those individuals who otherwise might be subject to having their communications illegally monitored (e.g., where the prior art systems are abused by colluding trustees or by an authoritative government). Citizens will thus be more "comfortable" in dealing with such a system as compared to prior key escrow schemes wherein trustees have the capability to surreptitiously collude and wrongfully construct the entire secret decryption key.

In addition, by providing the trustees with a "guarantee" as discussed above, the trustees themselves have a "proof" that once they combine their shares (to generate the first subkey), the second subkey, which is much easier to compute, will be readily computable in a reasonable (but not necessarily trivial) period of time. The amount of time necessary to compute the second subkey will vary depending on its length and the complexity of the cryptosystem. In some cases it may take a reasonably long period (e.g., a day to a week) to calculate the second subkey. Even though this period is somewhat lengthy, the guarantee ensures that the calculation will be worthwhile—in other words, that combination of the first and second subkeys in fact will yield the given decryption key.

As used herein, the phrase "first subkey" or "second subkey" should not be taken as a limitation. For instance, the given decryption key may be the combination of a multiplicity of subkeys and the trustees may have shares of some of these subkeys and not others. From a logical point of view, therefore, all the subkeys for which the trustees have shares constitute a de facto logical "first subkey," and all other or remaining subkeys are a logical "second subkey." Indeed, there may be no multiplicity of subkeys and the trustees may have pieces of information that are guaranteed to greatly facilitate the reconstruction of a given secret decryption key. In this case, such pieces of information may yield, de facto, a logical first subkey, and the remaining missing information for constructing the secret decryption key is a de facto second subkey.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and the advantages thereof, reference should be made to the following Detailed Description taken in connection with the accompanying drawings in which:

FIG. 1 illustrates a simplified multiple-trustee GPKE scheme in which individual trustees of a set of trustees hold shares of a first subkey that are provided to a given entity upon a predetermined request to enable the entity to derive the second subkey; and

FIG. 2 illustrates a simplified single-trustee GPKE scheme in which the trustee provides the first subkey to the given entity upon a predetermined request, the entity derives the second subkey and then outputs the secret key.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

It is desirable according to this invention to implement partial key-escrow systems wherein it is guaranteed that the