CA2350118C - A method for the application of implicit signature schemes - Google Patents

A method for the application of implicit signature schemes Download PDF

Info

Publication number
CA2350118C
CA2350118C CA2350118A CA2350118A CA2350118C CA 2350118 C CA2350118 C CA 2350118C CA 2350118 A CA2350118 A CA 2350118A CA 2350118 A CA2350118 A CA 2350118A CA 2350118 C CA2350118 C CA 2350118C
Authority
CA
Canada
Prior art keywords
correspondent
certifying authority
component
gamma
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CA2350118A
Other languages
French (fr)
Other versions
CA2350118A1 (en
Inventor
Scott A. Vanstone
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BlackBerry Ltd
Original Assignee
Certicom Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=24359974&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=CA2350118(C) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Certicom Corp filed Critical Certicom Corp
Publication of CA2350118A1 publication Critical patent/CA2350118A1/en
Application granted granted Critical
Publication of CA2350118C publication Critical patent/CA2350118C/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/64Self-signed certificates

Abstract

A method of verifying a transaction over a data communication system between a first and second correspondent through the use of a certifying authority. The certifying authority has control of a certificate's validity, which is used by at least the first correspondent. The method comprises the following steps. One of the first and second correspondents advising the certifying authority that the certificate is to be validated. The certifying authority verifies the validity of the certificate attributed to the first correspondent. The certifying authority generates implicit signature components including specific authorization information. At least one of the implicit signature components is forwarded to the first correspondent for permitting the first correspondent to generate an ephemeral private key. At least one of the implicit signature components is forwarded to the second correspondent for permitting recovery of an ephemeral public key corresponding to the ephemeral private key. The first correspondent signs a message with the ephemeral private key and forwards the message to the second correspondent. The second correspondent attempts to verify the signature using the ephemeral public key and proceeds with the transaction upon verification.

Description

A Method for the Application of Implicit Signature Schemes This invention relates generally to cryptographic schemes, and more specially to implicit signature schemes.
BACKGROUND OF THE INVENTION
Diffie-Hellman key agreement provided the first practical solution to the key distribution problem, in cryptographic systems. The key agreement protocol allows two parties never having met in advance or sharing key material to establish a shared secret by exchanging messages over an open (unsecured) channel. The security rests on the intractability of computing discrete logarithms or in factoring large integers.
With the advent of the Internet and such like, the requirement for large-scale distribution of public keys and public key certificates is becoming increasingly important to enable systems like Diffie-Hellman key agreement.
A number of vehicles are known by which public keys may be stored, distributed or forwarded over unsecured media without danger of undetectable manipulation.
These vehicles include public-key certificates, identity-based systems, and implicit certificates. The objective of each vehicle is to make one party's public key available to others such that its authenticity and validity are verifiable.
A public-key certificate is a data structure consisting of a data part and a signature part. The data part contains cleartext data including as a minimum, a public key and a string identifying the party to be associated therewith. The signature part consists of the digital signature of a certification authority (CA) over the data part, effectively the encryption of the data with the CA's private key so it may be recovered with his public key, thereby binding the entities identity to the specified public key. The CA is a trusted third party whose signature on the certificate vouches for the authenticity of the public key bound to the subject entity.
Identity-based systems (ID-based system) resemble ordinary public-key systems, involving a private transformation and a public transformation, but parties do not have explicit public keys as before. Instead, the public key is effectively replaced by a party's publicly available identity information (e.g. name or network address). Any publicly available information, which uniquely identifies the party and can be undeniably associated with the party, may serve as identity information. Here a trusted CA is required to furnish each party with the private key corresponding to their public key.

An alternate approach to distributing public keys involves implicitly certified public keys. Here explicit user public keys exist, but they are to be reconstructed by the recipient rather than transported by explicitly signed public-key certificates as in certificate based systems. Thus implicitly certified public keys may be used as an alternative means for distributing public keys (e.g. Diffie-Hellman keys).
With a conventional certificate, the authenticity of the information must be verified to ensure that the sender and the sender's public key are bound to one another.
With an implicit certification it is simply necessary to verify the sender's signature of the message using the implicit certificate. The primary advantage of implicit certificates is the computationally expense explicit certificate verification is not required as it is in certification schemes.
Further, unconditionally trusted CAs are not required as they are in ID-based schemes.
An example of an implicitly certified public key mechanism is known as Gunther's implicitly-certified public key method. In this method:
1. A trusted server T selects an appropriate fixed public prime p and generator a of Z. T selects a random integer t, with 1 t p-2 and gcd(t,p-1) = 1, as its private key, and publishes its public key u = at mod p, along with a, p.
2. T assigns to each party A a unique name or identifying string IA and a random integer kA with gcd(kA,p-1) = 1. T then computes PA = alcA mod p. PA is A's key reconstruction public data, allowing other parties to compute (PA)a below.
3. Using a suitable hash function h, T solves the following equation for a:
H(IA) t.PA + kA a(mod p-1)
4. T securely transmits to A the pair (r,$) = (PA,a), which is T's ElGamal signature on IA. (a is A's private key for a Diffie-Hellman key-agreement) a
5. Any other party can then reconstruct A's Diffie-Hellman public key PA
entirely from publicly available information (a, IA, u, PA,p) by computing:
a Ha) u-PA mod p Thus signing an implicit certificate needs one exponentiation operation, but reconstructing the ID-based implicitly-verifiable public key needs two exponentiations.

It is known that exponentiation in the group Zp* and its analog scalar multiplication of a point in E(Fq) is computationally intensive. An RSA scheme is extremely slow requiring successive squaring and multiplication operations. Elliptic curve (EC) cryptosystems are not only more robust but also more efficient by using doubling and adding operations. However, Significant improvements have been made in the efficacy of certification protocols by adopting the protocols set out in Canadian patent application 2,232,936. In this arrangement, For each correspondent A, the CA selects a unique identity IA distinguishing the entityA. The CA generates public data yA for reconstruction of a public key of correspondent A by mathematically combining a private key of the trusted party CA and a generator created Certificates, implicit certificates, and ID-based systems provide assurance of the authenticity of public keys. However, it is frequently necessary to verify the status of the public key to ensure it has not been revoked by the CA.
25 Several solutions are known to this revocation problem, the most common bein the use of certificate revocation lists (CRLs). Each CA maintains a CRL which contains the serial number of revoked certificates and is signed by the CA using its private key. When a recipient receives a message that has been secured with a certificate, the recipient will recover the serial number, and check the CRL.
30 Typically, therefore, the correspondent A will sign a message m with a private key, a, and forward it together with a certificate from the CA that binds the sender A
and the public key aP. The recipient B checks the certificate and verifies the signature on the message m.

The correspondent B will then ask the CA whether the certificate is valid and receives a message signed by the CA confirming the status of the certificate at a particular time. The correspondent B will then verify the signature on the CA's message and proceed accordingly to accept or reject the message sent by correspondent A.
During this process it is necessary for correspondent A to perform one signature, for the CA to perform one signature, and for the recipient B to verify three signatures. CAs may also issue authorization or attributable certificates in addition to public-key certificates. In this case the certificate issued by the CA to the correspondent A has a certain expiry or has details such as a credit limit or access rights to certain programs.
However with each arrangement, verification of the certificates is necessary as the information contained in the certificate may change periodically, even within the life of the certificate.
Furthermore, a correspondent may wish to be recertified. This is particularly true if the correspondent has reason to believe that its implicit public key has been compromised.
However, recertification is a costly process that requires the correspondent to regenerate its private key, securely communicate its private key with the CA, and regenerate the data for constructing and reconstructing the implicit public key.
Accordingly, there is a need for a technique that simplifies the verification and recertification of certificates issued by a certifying authority and it is an object of the present invention to provide a technique that obviates or mitigates the above disadvantages.
SUMMARY OF THE INVENTION
In accordance with an embodiment of the present invention there is provided a method of verifying a transaction over a data communication system between a first and second correspondent through the use of a certifying authority. The certifying authority has control of a certificate's validity, which is used by at least the first correspondent. The method comprises the following steps. One of the first and second correspondents advising the certifying authority that the certificate is to be validated. The certifying authority verifies the validity of the certificate attributed to the first correspondent. The certifying authority generates implicit signature components including specific authorization information. At least one of the implicit signature components is forwarded to the first correspondent for permitting the first correspondent to generate an ephemeral private key. At least one of the implicit signature components is forwarded to the second correspondent for permitting recovery of an ephemeral public key corresponding to the ephemeral private key. The first correspondent signs a message with the ephemeral private key and forwards the message to the second correspondent. The second correspondent attempts to verify the signature using the ephemeral public key and proceeds with the transaction upon verification.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described by way of example only with reference to the accompanying drawings in which Figure 1 is a schematic representation of a data communication system;
Figure 2 is a flow chart illustrating the exchange of information conducted on the system of figure 1 in a first embodiment;
Figure 3 is a flow chart illustrating the exchange of information conducted on the system of figure 1 in a second embodiment;
Figure 4 is a flow chart showing a third embodiment of the system of Figure 1;
Figure 5 is a flow chart showing a fourth embodiment of the system of Figure 1;
Figure 6 is a flow chart showing a fifth embodiment of the system of Figure 1.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
Referring therefore to figure 1, a data communication system 10 includes a pair of correspondents A,B, respectively identified as 12, 14, interconnected by a communication link 16. The correspondent B, 14, is also connected by a communication link 18 to a certifying authority, CA, indicated at 20. It will be appreciated that the links 16, 18 are typically telephone lines or wireless links allowing the parties to route messages to intended recipients.
Each of the correspondents, 12, 14 and certifying authority 20 incorporate cryptographic units 22 that perform public-key cryptographic functions under the control of cryptographic software that may be embodied on a data carrier or programmed in an integrated circuit. Such implementations are well known and need not be described in detail, except to the extent necessary to appreciate the operation of the exchange of messages. For the purpose of this description it is assumed that each of the units 22 implement an elliptic curve public-key cryptosystem (ECC) operating in a field defined over F(q) but it will be appreciated that other implementations, such as those using Zp* F;, the multiplicative group of integers modulo a prime may be used.
The parameters for the ECC are an underlying cubic curve and a defined point P
on the curve of order n. The correspondent A has an identity, IDA, a short term or ephemeral private key k and a corresponding public key kP. The CA 20 is advised of the public key kP
and identity IDA which conveniently remain the same for all correspondence originating from the correspondent A.
To initiate an exchange of a message, m, for example a transaction record, between correspondents A and B, the message is sent by correspondent A to correspondent B over the communication channel 16. The message m is sent in the clear or in any other manner that may be read by correspondent B.
The correspondent B advises the certifying authority CA 20 that he has received a message from correspondent A and may also include some additional information relating to the nature of the transaction. This may be performed on a dedicated channel or may be encrypted if the information is considered to be of a sensitive nature. Upon receiving the information from correspondent B, the CA 20 checks the record of correspondent A and, if in order, prepares to return to the correspondent B the implicit certificate components, 24, identified as s,,y, and A,.
The component A, includes the identity of A, i.e. IDA, typically a unique distinguishing name or identity, for example a name, address or phone number that is stored by the CA 20 and a time stamp, message or similar transaction specific information.
The CA 20 also generates a random integer r and computes a corresponding public key rP. The value ofy, is then computed from the relationship that y, = kP +
rP.
The value of s, is then computed. s, is a signature component computed from one of the number of signing equations having a complementary public key reconstruction equation.
In the embodiment described, the signing equation is selected as s, = r ¨
c=H(A,,y,) (mod n) where c is a long term secret key of the CA 20, and H indicates a secure hash function such as SHA 1 or SHA 2.
The CA 20 forwards si, yi, and A, to correspondent B. Since A, contains transaction specific information, the implicit signature components s, are also transaction specific. It is preferable, but not necessary, that the CA signs the signature components forwarded to correspondent B.
6 Correspondent B, upon receipt of the communication from the CA 20, forwards the certificate component si to the correspondent A. It is preferable, but not necessary, that correspondent B signs the certificate component sent to correspondent A. The correspondent A computes a transaction specific private key ai from the relationship a, =
k+si. The message m is then signed according to a selected signature scheme that utilizes the computed private key a, and the signature is returned to the correspondent B. For example, a Nyberg Rueppel signature scheme may be implemented between the correspondents A and B. The correspondent A selects an ephemeral key pair w; W where w is a randomly selected integer and W is a corresponding point wP.
The signature on the message m is R, S where R =Wx + I-1(m) (mod n) and S = w¨ aiR (mod n) and Wx is the x coordinate of the point wP.
The correspondent B then recovers the value corresponding to the transaction specific public key, a,P, from the values of yi and Ai received from the CA 20. For the signing equation exemplified above, the public key a,P can be computed from a,P= 71-H(Ai,y,)=cP
(mod n), where cP is the public key of the CA 20, and checks the signature on the message m.
The verification equation for a Nyberg Rueppel schemes requires the computation of sP + R(aiP) which is the point W on the curve. The x coordinate of the point is selected and R-Wx is computed. The result should correspond to H(m), which can be computed and verified by B. If the signature verifies, the message m is accepted and the transaction completed.
The implementation described above maintains a relatively small size of certificate and reduces the work performed by the correspondents A and B. The CA 20 is required to perform one implicit signature per transaction and correspondent B only requires one implicit signature verification and two signature verifications per transaction.
Whereas prior proposals would require the CA 20 to return a message to the correspondent B stating that correspondent A has a valid certificate, this is avoided in the present embodiment by sending transaction specific implicit certificate components.
As described above, a common key kP is used for each transaction by correspondent A but if preferred a different key kP may be used to inhibit tracing of transactions originating at correspondent A. In this case new values of kP are sent to the CA 20 offline with appropriate levels of security.
7 In the above embodiment a specific computation of s, and the public key reconstruction equation is given. It will be appreciated that other forms of s, may be used. For example si = (mod n) could be used with a corresponding change to the public key reconstruction equation such that aiP =1-1(iliyi)y1=cP. With this scheme, the correspondents A and B may utilize an ECDSA signature scheme to exchange the messages, m, in which the signature is R, S with the component S of the form k-1(E+RD) where K is an ephemeral private key, R is an integer derived from the x coordinate of the point kP, E is a hash of the message m, and D is a long term private key.
In this embodiment, the computed private, a1, is used for the long term private key D with K
and R computed for each communication in the normal manner. For a ECDSA
scheme, the verification is performed by computing u1=ES-1 mod (n) and u2-RS-1 mod (n). A
value corresponding to R is computed from u1P+u2(a113) and compared with the received value of R.
If they correspond, the signature is verified, the message is accepted and the transaction completed.
An alternative arrangement is shown in figure 3, wherein like numerals with a prefix "1" refer to similar components as those of Figure 1, in which the originator of the message, correspondent A, communicates directly with the CA 120 who has previously been provided with the identity rDA and the public key kP. In this arrangement the correspondent A notifies the CA 120 that a certificate is required. The CA 120 generates a certificate with components si, yõ A, as before. The correspondent A then computes the transaction specific private key a, = k + s, and uses it to sign the message m. The signed message is forwarded together with the explicit signature components y, and A, to the correspondent B.
The correspondent B recovers the public key a,P from A, and yi and checks the signature on the message m. The transaction specific information in the component A, is checked to determine if it is as expected. Verification of the transaction specific information after it has been recovered is known in the art and depends on the type of information being verified. If both the signature and the information are verified then the transaction is accepted.
8 Alternately, the CA 120 could send si to correspondent A and n, Ai to correspondent B. Correspondent A can then sign message m using the private key d, =a+si and forward the message and signature to correspondent B.
The above protocol may also be used to provide implicit attributable certificates as shown in figure 4, wherein like numerals with a prefix "2" refer to similar components as those of Figure 1. Initially the values of IDA and kP are transferred to the CA 220 from correspondent A. A request is then sent from correspondent A to the CA 220 to gain access to a particular application controlled by B.
The CA 220 generates a certificate including X, y, and s, with A including the IDA
and an indication that the correspondent A can use a particular application and sends the certificate to A. A value of a, = k + s, is generated by the correspondent A
and used to sign the message m. The signed message is forwarded to correspondent B together with yi and A, who recovers the corresponding public key aP. The signature is then checked and, if it verifies, access is given to the application. If the signature does not verify, the request is returned.
The above implicit attributable certificate is efficient in that it only requires one signed certificate and by using different public keys per application is hard to trace to a particular user. Moreover, the identity and the specific attributable certificate can be incorporated into one certificate rather than the two normally required.
Yet an alternate embodiment, similar to that illustrated in figure 3, is shown in figure 5. The CA 120 has a private key, c, and a public key, Qc = cP. In order to acquire a certificate, correspondent A first generates a random integer, a. Integer a is used to compute a value aP, which is sent to the CA 120 along with correspondent A's identity, IDA or, alternately, A, (which may contain DA).
Upon receiving aP and IDA from correspondent A, the CA 120 generates a random integer CA and uses it to calculate correspondent A's certificate, IA = aP +
CAP. The CA 120 also calculates a signature component sA of a suitable form. In the preferred embodiment, sA= II(y All ID All cP)c + CA(modn) . As an alternative, sA could be computed from sA = A IIIDA II cl'k A + c(modn) . The certificate, 7A and sA are sent to correspondent A.
Correspondent A's private key then becomes d=a+sA, and its public key becomes QA =
dP. Correspondent A's public key can be derived from the certificate according to the
9 appropriate public key reconstruction equation, i.e. in the preferred embodiment QA = h(r A II ID A II c13)Qc r A =
Therefore, if correspondent A wants to sign a message, m, to send to correspondent B, correspondent A does so using the private key, d. Correspondent A then sends the signed message along with the certificate, yA, and identification, IDA. Upon receiving the information sent from correspondent A, correspondent B uses the certificate and identification along with the CA's public key, Qc, for deriving correspondent A's public key, QA. The message is accepted if the signature is verified using correspondent A's derived public key, QA.
In the present embodiment, it is possible for the CA to efficiently recertify correspondent A. The CA generates a random number, cA and computes CAP. Using the original value of aP received from correspondent A, the CA generates a new certificate, 7A =cAP + aP and anew TA

=lin II iDA cP + c A (mod n). The certificate, yA , and SA
are sent to correspondent A. Therefore, correspondent A has a new private key, Ti = a + SA, and a new certificate, yA . Therefore, correspondent A's new public key, CIA, can be derived according to QA = HQ '4 ID All cP)Qc. + A .
Using such a recertification process can recertify correspondent A without requiring correspondent A to change its private key. However, this scheme requires sufficient bandwidth to send both SA and IA to correspondent A. Furthermore, for each correspondent (such as correspondent A), the CA has to perform a point multiplication to obtain the new certificate, 7A
However, it is possible to make a modification to the recertification process as described above such that it is more efficient and requires less bandwidth. In the following example illustrated in figure 6, the CA recertifies all correspondents (including correspondent A). Also, it is assumed that correspondent A has been previously certified, acquired the certificate, IA, from the CA and determined the private key d = a+ SA.
The CA certifies the correspondents at the expiration of a certification period. For an ith certification period, the CA generates a random value k, and computes the value Q = k,P.
For each correspondent such as correspondent A, the CA computes r, = ID All cPJJ 1 ciP II i) and then s = ric + ki + CA (mod n) . Again, the CA

could use other equations to produce , for example SA, = r,CA C k, (mod n) with a corresponding public key reconstruction equation. Since the certificate does not change, it is only necessary for the CA to send 5A., to correspondent A. The private key for correspondent A becomes di= a + SA, and the certificate remains yA. The CA makes Q and i publicly available.
Therefore, it is possible to reconstruct correspondent A's public key, diP, by computing rõ and then calculating diP = rQc. +7 A + Qi. Correspondent A
communicates with correspondent B similarly to the situation previously described. If correspondent A
wants to sign a message to send to correspondent B, correspondent A does so using the private key, di. Correspondent A then sends the signed message along with the certificate, 7A, and identification IDA. Upon receiving the information sent from correspondent A, correspondent B uses the certificate and identification along with the CA's public keys, Qc and Q, for deriving ri. The values ri, Qc, Qi, and yA are then used for deriving correspondent A's public key. The message is accepted if the signature is verified using correspondent A's derived public key.
Thus it can be seen that correspondent A's certificate does not change.
Therefore, the CA is only required to send s, and i to correspondent A for recertification, which requires essentially half the bandwidth of sending sA and yA as in the previous example. Further, although the CA has to calculate Qi=kiP for the ith certification period, the calculation is amortized over all the correspondents. That is, the CA only has to do one point multiplication for all the correspondents (for the calculation of Qi). The CA
also has to perform one modular multiplication for each correspondent (while calculating SA). This results in a more efficient process than previously described wherein the CA
has to perform one point multiplication and one modular multiplication for each correspondent.
Since the recertification scheme described above is not a costly operation for the CA, the CA could recertify correspondents more frequently than if traditional schemes are implemented. Therefore, one application of this recertification scheme is to replace revocation lists. Instead of providing a list of revoked certificates, the CA
recertifies only those certificates that are still valid and have not been revoked.
In an alternate embodiment, the certificates as described in the previous embodiments are embedded into an RSA modulus itself. For an RSA encryption algorithm, correspondent A is required to provide a public key pair, (n, e), where n is the modulus and e is the public exponent. The modulus is defined as n=pq where p and q are large prime numbers. The public exponent is selected as l< e <0, where 0 =(p-1)(q-1). It has been shown that a portion of the modulus can be set aside to have a predetermined value without increasing the vulnerability of the key. This method is described in detail in U.S. Patent No. 6,134,325 issued on October 17, 2000.
Embedding the certificate into the modulus reduces the bandwidth requirements since the certificate is included as part of the modulus instead of in addition to it.
This implementation is particularly useful for a CA who signs using RSA and certifies using ECC. For example, a 2048-bit RSA modulus can easily contain a 160-bit ECC certificate.
Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

Claims (203)

WHAT IS CLAIMED IS:
1. A method of verifying a transaction over a data communication system between a first and second correspondent through the use of a certifying authority having control of generation of implicit certificate components, at least one of said certificate components being used by at least said first correspondent in performing said transaction, said method comprising the steps of:
one of said first and second correspondents notifying said certifying authority of said transaction;
said certifying authority generating implicit certificate components which include transaction specific authorization information;
making available to said first correspondent at least said one of said implicit certificate components which includes transaction specific authorization information for permitting said first correspondent to generate an ephemeral private key;
making available to said second correspondent at least one of said implicit certificate components for permitting recovery of an ephemeral public key corresponding to said ephemeral private key;
whereby, said first correspondent may sign a message with said ephemeral private key to generate a signature and forward said message to said second correspondent and said second correspondent may verify said signature using said ephemeral public key and proceed with said transaction upon verification.
2. A method as defined in claim 1, wherein said second correspondent notifies said certifying authority of said transaction upon receiving an initial message from said first correspondent.
3. A method as defined in any one of claims 1 or 2, wherein said at least one of said implicit certificate components is forwarded to said second correspondent by said certifying authority.
4. A method as defined in any one of claims 1 to 3, wherein said at least one of said implicit certificate components is forwarded to said first correspondent by said second correspondent.
5, A method as defined in claim 4, wherein said implicit certificate components include:
a) a component y i wherein y i = kP rP, and wherein k is a private key of said first correspondent, r is a random integer generated by said certification authority, and P is a point on a curve; and b) a component s i, wherein s i = r c.cndot.H(A i, y i), and wherein c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, and H indicates a secure hash function.
6. A method as defined in claim 5, wherein said identifier A i and said components, y i, and s i are forwarded to said second correspondent and said component si is forwarded to said first correspondent.
7. A method as defined in any one of claims 5 or 6, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
8. A method as defined in any one of claims 5, 6 or 7, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
9. A method as defined in any one of claims 5 to 8, wherein said ephemeral private key is generated according to a i = k + s i, wherein a i is said ephemeral private key.
10. A method as defined in claim 9, wherein said ephemeral public key is recovered according to a,P= y i-H(A i, y i).cndot.cP wherein a i P is said ephemeral public key and eP is said certifying authority's public key.
11. A method according to any one of claims 5 to 10 wherein a public key kP
corresponding to said private key k is computed by said first correspondent and forwarded to said certifying authority prior to notification of said transaction.
12. A method as defined in any one of claims 1 to 11, wherein, prior to recertification, said certifying authority verifies the validity of said certificate attributed to said first correspondent by checking a list for determining if said certificate has been revoked.
13. A method as defined in any one of claims 1 to 12, wherein said ephemeral private key is a transaction specific private key and said ephemeral public key is a transaction specific public key.
14. A method as defined in claim 1, wherein said first correspondent notifies said certifying authority that said certificate is to be validated.
15. A method as defined in claim 14, wherein said at least one of said implicit certificate components is forwarded to said first correspondent by said certifying authority.
16. A method as claimed in any one of claims 14 and 15, wherein said at least one of said implicit certificate components is forwarded to said second correspondent by said first correspondent.
17. A method as defined in claim 16, wherein said implicit certificate components include:
a) a component .gamma.i, wherein = kP + rP, and wherein k is a private key of said first device, r is a random integer generated by said certifying authority, and P is a point on a curve:. and b) a component s i, wherein s i = r - c.cndot.H(A i, .gamma.i), and wherein c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information. and indicates a secure hash function.
18. A method as defined in claim 17, wherein said identifier A i and said components .gamma.i, and s i are forwarded to said first correspondent, and said identifier A i and component .gamma.i are forwarded to said second correspondent.
19. A method as defined in any one of claims 17 or 18, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
20. A method as defined in any one of claims 17, 18 or 19, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
21. A method as defined in any one of claims 17 to 19. wherein said ephemeral private key is generated according to a i = k+s i, wherein ai is said ephemeral private key.
22. A method as defined in claim 21, wherein said ephemeral public key is recovered according to a i P=.gamma.i-H(A i,.gamma.i)-cP, wherein a i P is said ephemeral public key and cP is said certifying authority's public key.
23. A method according to any one of claims 17 to 22 wherein a public key kP
corresponding to said private key k is computed by said first correspondent and forwarded to said certifying authority prior to notification or said transaction.
24. A method as defined in any one of claims 17 to 23, wherein, prior to recertification, said certifying authority verifies the validity of said certificate attributed to said first correspondent by checking a list for determining if said certificate has been revoked.
25. A method as defined in any one of claims 14 to 24, wherein said generated implicit certificate components include a parameter for indicating a predetermined permission for said first correspondent, said second correspondent granting access to said first correspondent according to said predetermined permission upon verification of said signature.
26. A method as defined in any one of claims 1 to 4 and 14 to 16, wherein said implicit certificate components include:
a) a component .gamma.A, wherein .gamma.A=aP+c A P, and wherein aP is a long term public key of said first correspondent, c A is a random integer generated by said certifying authority, and P is a point on a curve; and h) a component s A, wherein s A=h(.gamma. A ~ A i ~ cP)c+c A (mod n), and wherein said identifier A i includes at least one distinguishing feature of said first correspondent, wherein c is a long term private key of said certifying authority, n is a large prime number, and h indicates a secure hash function,
27. A method as defined in claim 26, wherein said components .gamma. A and s A
are forwarded to said first correspondent, and said identifier A i and component .gamma. A are forwarded to said second correspondent by said first correspondent.
28. A method as defined in any one of claims 26 and 27, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
29. A method as defined in any one of claims 26 to 28, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
30. A method as defined in any one of claims 26 to 29, wherein said ephemeral private key is generated according to d = a +s A, wherein d is said ephemeral private key.
31. A method as defined in claim 30, wherein said ephemeral public key is recovered according to Q A = h(.gamma. A ~ A i ~i Q C)Q C + .gamma. A, wherein Q A is said ephemeral public key and Q C is said certifying authority's long term public key.
32. A method as defined in claim 31, wherein said certifying authority recertities said certificate attributed to said first correspondent by changing said random integer, c A.
33. A method as defined in any one of claims 26 to 32, wherein said ephemeral private key is a transaction specific private key and said ephemeral public key is a transaction specific public key.
34. A method as defined in any one of claims 1 to 4 and 14 to 16, wherein said implicit certificate components include:
a) a value i, indicative of a certification period;
b) a component s A, wherein s A, = r i c + K i + c A (mod n), n is a large prime number, c is a long term private key of said certifying authority, c A and k i are random integers, and r i = h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P ¦¦ i), wherein A i is an identifier and includes at least one distinguishing feature of said correspondent and said transaction specific authorization information, P is a point on a curve, and h indicates a secure hash function;
wherein .gamma.A is a component and .gamma.A = aP + c A P, and where aP is a long term public key of said correspondent.
35. A method as defined in claim 33 wherein said component .gamma.A has previously been determined by said certifying authority and forwarded to said correspondent.
36. A method as defined in any one of claim 34 and 35, wherein said value i and said component s A are forwarded to said first correspondent, and said identifier A
i and said component .gamma.A are forwarded to said second correspondent by said first correspondent.
37. A method as defined in any one of claims 34 and 36, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
38. A method as defined in any one of claims 34 to 37, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
39. A method as defined in any one of claims 34 to 38, wherein said ephemeral private key is generated according to d i = a + s Ai, wherein d i is said ephemeral private key.
40. A method as defined in claim 39, wherein said ephemeral public key is recovered according to Q A = r i Q C .gamma. A + Q i wherein Q A is said ephemeral public key, Q i is said certifying authority's certification period public key, and Q C is said certifying authority's long term public key.
41. A method as defined in claim 40, wherein said certifying authority recertifies said certificate attributed to said first correspondent for each certification period by changing said random integer, k i.
42. A method as defined in any one of claims 34 to 41, wherein said ephemeral private key and said ephemeral public key have a predetermined period of validity.
43. A method as defined in claim 42, wherein said predetermined period of validity is one transaction.
44. A method as defined in claim 42, wherein said predetermined period of validity is a predetermined number of transactions.
45. A method as defined in claim 42, wherein said predetermined period of validity is a predetermined time period.
46. A method for certifying a correspondent through use of a certifying authority having control of generation of implicit certificate components, said method comprising the steps of:
said certifying authority generating a first random number having a value;
generating implicit certificate components based on said first random number;
publishing information including a public key of said certifying authority for use in verifying said correspondent; and forwarding said implicit certificate components from said certifying authority to said correspondent;
wherein said certifying authority recertifies previously generated implicit certificate components associated with said correspondent by changing said value of said first random number.
47. A method as defined in claim 46, wherein c A is said first random number generated by said certifying authority and said implicit certificate components include:
a) a component .gamma.A, where .gamma.A=aP+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve: and b) a component s A, where s A = h(.gamma.A ¦¦ A i ¦¦ cP)c+c A (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, A i is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function;
48. A method as defined in claim 47, wherein said correspondent is recertified by forwarding said implicit certificate components for said first random number having said changed value from said certifying authority to said correspondent.
49. A method as defined in any one of claims 46 to 48, wherein said first random integer has said value for one certification period, said value being changed for others of said certifications periods.
50. A method as defined in claim 49, wherein k i is said first random integer generated by said certifying authority for an ith certification period and said implicit certificate components include:
a) a value i, indicative of a current certification period;
b) a component s A, wherein s A, r i c + k i+c A (mod n), n is a large prime number, c is a long term private key of said certifying authority, c A is a second random integer, and r i=h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P. ¦¦ i), wherein A i is an identifier and includes at least one distinguishing feature of said correspondent, P is a point on a curve.
and h indicates a secure hash function;
wherein .gamma.A is a component and .gamma.A = aP + c A P. and wherein aP is a long term public key of said correspondent.
51. A method according to claim 50 wherein said component .gamma.A has previously been determined by said certifying authority and forwarded to said correspondent.
52. A method as defined in any one of claims 48, 50 and 51, wherein information published further includes an ephemeral public key k i P and said value i.
53. A method as defined in any one of claims 46 to 51, wherein said correspondent is recertified by forwarding said implicit certificate components for said first random number having said changed value from said certifying authority to said correspondent.
54. A method of a certifying authority verifying a transaction over a data communication system between a first and second correspondent, said certifying authority having control of a certificate's validity, said certificate being used by at least said first correspondent in said transaction, said method comprising the steps of:
said certifying authority receiving from one of said first and second correspondents a notification of said transaction;
said certifying authority generating implicit certificate components including transaction specific authorization information particular to said request;
said certifying authority making available to said first correspondent at least one of said implicit certificate components including transaction specific authorization information for permitting said first correspondent to generate an ephemeral private key; and said certifying authority making available to said second correspondent at least one of said implicit certificate components for permitting recovery of an ephemeral public key corresponding to said ephemeral private key. whereby, said first correspondent may sign a message with said ephemeral private key to generate a signature and forward said message to said second correspondent and said second correspondent may verify said signature using said ephemeral public key and proceed with said transaction upon verification.
55. A method as defined in claim 54, wherein said certifying authority receives said notification from said second correspondent.
56. A method as defined in any one of claims 54 or 55, wherein said at least one of said implicit certificate components is forwarded to said second correspondent by said certifying authority for subsequent forwarding to said first correspondent.
57. A method according to any one of claims 54 to 56, wherein said implicit certificate components generated by said certifying authority includes:
a) a component 16 wherein .gamma. i = kP rP, and wherein k is a private key of said first correspondent, r is a random integer generated by said certifying authority, and P
is a point on a curve; and b) a component s i wherein s i = r -c .cndot .H(A i, .gamma.i), and wherein c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, and H indicates a secure hash function;
wherein said public key kP corresponding to said private key k of said first correspondent is received by said certifying authority.
58. A method according to claim 57 wherein said public key kP is received prior to notification of said transaction.
59. A method as defined in any one of claims 57 and 58, wherein said identifier A i and said components .gamma. i, and s i are forwarded to said second correspondent and said component s i is forwarded to said first correspondent.
60. A method according to anyone of claims 57 and 59, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and art address of said first correspondent.
61. A method according to any one of claims 54 to 56, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
62. A method according to anyone of claims 54 to 61, wherein, prior to recertification, said certifying authority verifies the validity of said certificate components attributed to said first correspondent by checking a list for determining if said certificate components have been revoked.
63. A method according to claim 54, wherein said certifying authority receives said notification from said first correspondent.
64. A method according to claims 63, wherein said at least one of said implicit certificate components is forwarded to said first correspondent by said certifying authority.
65. A method according to claim 64, wherein said at least one of said implicit certificate components for recovering said ephemeral public key is forwarded to said first correspondent for subsequent forwarding to said second correspondent.
66. A method as claimed in any one of claims 63 to 65, wherein said communications are implemented over an elliptic curve cryptosystem and said implicit certificate components include:
a component .gamma.i, wherein .gamma.i = kP + rP, and wherein k is a long term private key of said first correspondent, r is a random integer generated by said certifying authority, and P is a point on a curve; and h) a component s i, where s i = r -c.cndot.H(A i, .gamma.i), and where c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, and H indicates a secure hash function;
wherein said public key kP corresponding to said private key k of said first correspondent is received by said certifying authority.
67. A method according to claim 66 wherein said public key kP is received prior to notification of said transaction.
68. A method according to any one of claims 66 and 67, wherein said identifier A i and said components .gamma.i, and s i are forwarded to said first correspondent, and identifier A i and component .gamma.i are forwarded to said second correspondent.
69. A method according to any one of claims 66 or 68, wherein said distinguishing feature is includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
70. A method according to anyone of claims 66 to 69, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
71. A method according to any one of claims 63 to 70, wherein, prior to recertification, said certifying authority verifies the validity of said certificate components attributed to said first correspondent by checking a list for determining if said certificate components have been revoked.
72. A method according to any one of claims 54 to 71, wherein said implicit certificate components generated by said certifying authority include a parameter for indicating a predetermined permission for said first correspondent, said second correspondent granting access to said first correspondent according to said predetermined permission upon verification of said signature.
73. A method according to claim 54, wherein said communications are implemented over an elliptic curve cryptosystem and said generated implicit certificate components include:
a) a component y A, wherein y A=aP+C A P, and wherein aP is a long term public key of said first correspondent, c A is a random integer generated by said certifying authority, and P is a point on a curve; and b) a component s A, wherein s A=h(y A ¦¦ A i ¦¦ cP)c+c A (mod n), and wherein A i is an identifier that includes at least one distinguishing feature of said first correspondent, wherein c is a long term private key of said certifying authority, n is a large prime number, and h indicates a secure hash function.
74. A method according to claim 73, wherein said components y A and s A are forwarded to said first correspondent.
75. A method according to any one of claims 73 and 74, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
76. A method according to any one of claims 73 to 75, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
77. A method according to any one of claims 73 to 76, wherein said certifying authority recertifies previously generated implicit certificate components attributed to said first correspondent by changing said random integer, c A.
78. A method according to claim 54, wherein said communications are implemented over an elliptic curve cryptosystem and said implicit certificate components generated by said certifying authority include:
a) a value i, indicative of a certification period;
b) a component s A, wherein s A,= r i c + k i + c A (mod n), n is a large prime number, c is a long term private key of said certifying authority, c A and k i are random integers, and r i = h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P ¦¦ i), wherein A i is an identifier and includes at least one distinguishing feature of said correspondent and said transaction specific authorization information, P is a point on a curve, and h indicates a secure hash function;
wherein .gamma.A is a component and .gamma.A = aP + c A P, and aP is a long term public key of said correspondent.
79. A method according to claim 78 wherein said component .gamma.A has previously been determined by said certifying authority and forwarded to said correspondent.
80. A method according to any one of claims 78 or 79. wherein said value i and component s A are forwarded to said first correspondent.
81. A method according to any one of claims 78 to 80, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
82. A method according to any one of claims 77 to 81, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
83. A method according to any one of claims 78 to 82, wherein said certifying authority recertifies previously generated implicit certificate components attributed to said first correspondent for each certification period by changing said random integer, k i.
84. A certifying authority for certifying a correspondent, said certifying authority having control of generation of implicit certificate components for use by said correspondent and including a cryptographic unit for:
a) generating a first random number having a value;
b) generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component and a private key of said certifying authority;
c) publishing a public key of said certifying authority;
d) forwarding said implicit certificate components to said correspondent to enable said correspondent to generate a new private key using said second component and a new public key using said first component and said public key of said certifying authority; and e) recertifying a previously generated certificate component attributed to said correspondent by changing said value of said first random number.
85. A certifying authority as defined in claim 84, wherein C A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, wherein .gamma.A=aP+c A P, and wherein aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, wherein s A = h(.gamma.A ¦¦ A i ¦¦ cP)c+c A (mod n), and wherein c is a long term private key of said certifying authority, n is a large prime number, A i is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
86. A certifying authority as claimed in any one of claims 84 or 85, wherein said correspondent is recertified by forwarding new implicit certificate components with said first random number having said changed value from said certifying authority to said correspondent.
87. A certifying authority as claimed in any one of claims 84 to 86, wherein said first random integer has said value for one certification period, said value being changed for others of said certification periods.
88. A certifying authority as claimed in any one of claims 84 to 87, wherein k i is said first random integer generated by said certifying authority for an ith certification period and said implicit certificate components include:
a) a value i, indicative of a current certification period;
b) said second component is s A, wherein s A, r i c + k i + c A (mod n), n is a large prime number, c is along term private key of said certifying authority, c A is a second random integer. and r i=h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P. ¦¦i), wherein A i is an identifier and includes at least one distinguishing feature of said correspondent, P is a point on a curve, and h indicates a secure hash function:
wherein said first component is .gamma.A aP c AP, and where aP is a long tern public key of said correspondent.
89. A certifying authority according to claim 88 wherein said component .gamma.A has previously been determined by said certifying authority and forwarded to said correspondent.
90, A certifying authority as claimed in anyone of claims 84 to 89, wherein said values k i P
and i are also published.
91. A certifying authority for enabling a transaction between a first and second correspondent over a data communication system to be verified, said certifying authority having control over generation of implicit certificate components used by at least said first correspondent in performing said transaction, said certifying authority comprising a cryptographic unit configured for:
receiving from one of said first and second correspondents, a notification of said transaction;
generating implicit certificate components including a first component comprising transaction specific information particular to said transaction, a second component computed using a public key of said first correspondent, and a third component computed from said first and second components and a private key of said certifying authority;
having forwarded to said first correspondent, at least said third component of said implicit certificate components for permitting said first correspondent to generate a transaction specific private key using said third component; and having forwarded to said second correspondent at least said first and second components of said implicit certificate components for permitting recovery of a transaction specific public key corresponding to said transaction specific private key using said first and second components and a public key of said certifying authority;
wherein said first correspondent can sign a message with said transaction specific private key, forward said message to said second correspondent, and said second correspondent can attempt to verify said message using said transaction specific public key to proceed with said transaction upon verification.
92, A certifying authority as defined in claim 91, wherein said at least one of said implicit certificate components is forwarded to said second correspondent by said certifying authority.
93. A. certifying authority as claimed in any one of claims 91 and 92, wherein said second component is wherein .gamma.i=
kP + rP, and where k is a long term private key of said first correspondent, r is a random integer generated by said certifying authority, and P is a point on a curve; and said third component is Si, where S i=r-c.cndot.H(A i, .gamma. i), and where c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific information, and H indicates a secure hash function;
wherein said private key kP corresponding to said private key k of said first correspondent is received by said certifying authority,
94. A certifying authority according to claim 93 wherein said private key kP
is received prior to notification of said transaction.
95. A certifying authority as claimed in any one of claims 91 to 94, wherein said transaction specific information includes at least one of a time of said transaction and a date of said transaction.
96. A certifying authority as claimed in any one of claims 91 to 95, wherein, prior to recertification of previously generated implicit certificate components, attributed to said first correspondent said certifying authority checks a list for determining if said certificate components have been revoked.
97. A certifying authority as claimed in. any one of claims 91 to 96, wherein said certifying authority includes in said implicit certificate components a parameter for indicating a predetermined permission for said first correspondent, wherein said second correspondent can grant access to said first correspondent according to said predetermined permission upon verification of said signature.
98. A certifying authority as claimed in any one of claims 91 to 97, wherein said certifying authority recertifies said implicit certificate components attributed to said first correspondent by changing said random integer, c A.
99. A certifying authority a,s claimed in any one of claims 91 to 98, wherein said generated implicit certificate. components include:
a) a value i. indicative of a certification period;
b) said third component is s A, wherein s Ai = r i CA+ki+C A (mod n), and n is a large prime number, c is a long term private key of said certifying authority, c A
and k i are random integers, and r i=h(.gamma.A ¦¦ A i ¦¦ c P ¦¦ k i P.¦¦ i), wherein A i an identifier and includes at least one distinguishing feature of said correspondent and said specific authorization information, P is a point on a curve, and h indicates a secure hash function; and wherein said second component is y A = aP+C A P, and where aP is a long term public key of said correspondent.
100. A certifying authority as claim in claim 99 wherein said component y A
has previously been determined by said certifying authority and forwarded to said correspondent.
101. A certifying authority as claimed in claim 99, wherein said certifying authority recertifies said implicit certificate components attributed to said first correspondent for each certification period, i, by changing said random integer, k i.
102. A method of a first correspondent verifying a transaction over a data communication system with a second correspondent through use of a certifying authority having control of generation of implicit certificate components, at least one of said components being used by at least said first correspondent in performing said transaction. said method comprising the steps of:
a) said first correspondent initiating notification of said certifying authority of said transaction;
b) said first correspondent receiving at least one of said implicit certificate components generated by said certifying authority and including transaction specific authorization information, for permitting said first correspondent to generate an ephemeral private key;
c) said first correspondent generating said ephemeral private key; and d) said first correspondent signing a message with said ephemeral private key and forwarding said message to said second correspondent, wherein said second correspondent may verify said signature using implicit certificate components generated by said certifying authority to recover an ephemeral public key.
103. A method as defined in claim 102, wherein said first correspondent notifies said certifying authority of said transaction.
104. A method as claimed in any one of claims 102 or 103, wherein said at least one of said implicit certificate components is received by said first correspondent from said second correspondent.
105. A method as claimed in any one of claims 102 to 104, wherein said implicit certificate components includes:
a) a component y i, wherein y i = kP rP, and wherein k is a private key of said first correspondent, r is a random integer generated by said certifying authority, and P
is a point on a curve; and b) a component s i, wherein s i = r -c.cndot.H(A i, y i), and wherein c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, and H indicates a secure hash function;
wherein said public key kP of said first correspondent is generated by said first correspondent and sent to said certifying authority.
106. A method according to claim 105 wherein said public key kP is sent to said certifying authority prior to notification of said transaction.
107. A method as defined in any one of claims 105 and 106, wherein said component % is received by said First correspondent from said second correspondent.
108. A method as defined in claim 107, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
109. A method as defined in claim 107, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
110. A method according to any one of claims 107 to 109, wherein said ephemeral private key is generated according to a i, = k+S i, wherein a i is said ephemeral private key.
111. A method as claimed in any one of claims 102 to 104, wherein said generated implicit certificate components include:
a) a component .gamma. A, wherein .gamma. A=aP+c A P, and wherein aP is a long term public key of said first correspondent, c A is a random integer generated by said certifying authority, and P is a point on a curve; and b) a component s A, wherein s A=h(.gamma. A ¦¦ A i ¦¦ cP)c+c A (mod n), and wherein A i is an identifier and includes at least one distinguishing feature of said first correspondent, wherein c is a long term private key of said certifying authority, n is a large prime number, and h indicates a secure-hash function.
112. A method claimed in claim 111, wherein said components .gamma. A and s A
are received by said first correspondent, and said indicator A i and component .gamma. A are forwarded to said second correspondent by said first correspondent.
113. .A method as claimed in any one of claims 110 and 112, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
114. A method as claimed in any one of claims 111 to 113, Wherein said transaction specific authorization information includes at Ieast one of a time of said transaction and a date of said transaction.
115. A method as claimed in any one of claims 111 to 114, wherein said ephemeral private key is generated according to d = a + s A, Where d is said ephemeral private key.
116, A method as claimed in any one of claims 102 to 104, wherein said generated implicit certificate components include:
a) a value i, indicative of a certification period;
b) a component s A, wherein s A = r i c+ k i+ c A (mod n), n is a large prime number, c is a long term private key of said certifying authority, c A and k i are random integers, and r i = h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P ¦¦ i), wherein A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, P is a point on a curve, and h indicates a secure hash function;
wherein .gamma.A is a component and .gamma.A = aP + c A P, and wherein aP is a long term public key of said correspondent and from said certifying authority .gamma.A is received by said first correspondent from said certifying authority.
117. A method according to claim 116 wherein said component .gamma.A is received from said certifying authority prior to notification of said transaction.
118. A method as claimed in any one of claims 116 and 117, wherein said value i and component s A are received by said first correspondent, and said identifier A
i and component .gamma.A are forwarded to said second correspondent by said first correspondent.
119. A method as claimed in any one of claims 116 and 118, wherein said distinguishing feature includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
120. A method as claimed in any one of claims 116 to 119, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
121. A method as claimed in any one of claims 116 to 120, wherein said ephemeral private key is generated according to d i = a + s Ai, wherein d i is said ephemeral private key.
122. A method of a second correspondent verifying a transaction over a data communication system with a first correspondent through the use of a certifying authority having control of generation of implicit certificate components, at least one of said certificate components being used by at least said first correspondent in performing said transaction, said method comprising the steps of:
a) said second correspondent receiving from said certifying authority implicit certificate components for permitting recovery of an ephemeral public key corresponding to a transaction specific ephemeral private key of said first correspondent, said implicit certificate components being generated by said certifying authority in response to a notification to said certifying authority of said transaction. said implicit certificate components including transaction specific authorization information;
h) said second correspondent constructing said ephemeral public key from at least one of said implicit certificate components;
c) said second correspondent attempting to verify a signature on a message received from said first correspondent by using said ephemeral public key; and d) proceeding with said transaction upon verification.
123. A method as defined in claim 122, wherein said second correspondent notifies said certifying authority of said transaction upon receiving an initial message from said first corespondent.
124. A method as claimed in any one of claims 122 and 123, wherein said second correspondent forwards to said first correspondent implicit certificate components received from said certifying authority to enable said first correspondent to generate said ephemeral private key.
125. A method as claimed in any one of claims 122 to 124, wherein said implicit certificate components include:
a) a component .gamma.i, wherein .gamma.i=kP + rP, and where k is a private key of said first correspondent, r is a random integer generated by said certifying authority, and P
is a point on a curve; and 1") a component s i, wherein s i = r c.cndot.H(A i, .gamma. i), and wherein c is a long term private key of said certifying authority. A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information. and H indicates a secure hash function.
126. A method according to claim 125 wherein said long term public key of said first correspondent is sent to said certifying authority prior to said transaction.
127. A method as claimed in any one of claims 126 and 127, wherein said identifier A i, and components .gamma. i, and s i are received by said second correspondent and said component s i is forwarded by said second correspondent to said first correspondent.
128. A method as claimed in any on of claims 126 and 127, wherein said distinguishing feature is includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
129. A method as claimed in any one of Claims 126 to 128, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
130. A method as claimed in any one of claims 123 to 127, wherein said ephemeral public key is recovered according to a iP=.gamma. i-H(A i, .gamma. i).cP wherein a i P is said ephemeral public key and cP is said certifying authority's public key.
131. A method as claimed in any one of claims 122 and 123, wherein said implicit certificate components are received by said second correspondent from said first correspondent.
132. A method as claimed in any one of claims 122 to 131, wherein said implicit certificate components include:
a) component .gamma. ì, wherein .gamma.i = kP + rP, and wherein k is a private key of said first correspondent r is a random integer generated by said certifying authority, and P
is a point on a curve; and b) a component s i, wherein s i = r - c.H(A i, .gamma.i), and wherein c is a long term private key of said certifying authority, A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, and H indicates a secure hash function;
133. A method as claimed in claim 132 wherein said long term public key of said first correspondent is sent to said certifying authority prior to notification of said verification transaction,
134. A method as claimed in any one of claims 132 and 133, wherein said identifier A i and component .gamma. i are received by said second correspondent from said first correspondent.
135. A method as claimed in any one of claims 132 to 134, wherein said distinguishing feature is includes at least one of a name of said first correspondent, a telephone number of said first correspondent, and an address of said first correspondent.
136. A method as claimed in any one of claims 133 to 135, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
137. A method as claimed in any one of claims 133 to 136, wherein said ephemeral public key is recovered according to a iP=.gamma. i-H(A i,.gamma.i).cP, wherein a i P
is said ephemeral public key and CP is said certifying authority's public key.
138. A method as claimed in claim 133, wherein said implicit certificate components include a parameter for indicating a predetermined permission for said first correspondent, said second correspondent granting access to said first correspondent according to said predetermined permission upon verification pf said signature.
139. A method as claimed in claim 133, wherein said generated implicit certificate components include:
a) a component .gamma.A, wherein .gamma.A=aP+c A P, and wherein aP is a long term public key of said first correspondent,c A is a random integer generated by said certifying authority, and P is a point on a curve: and b) a component s A, wherein s A=h(.gamma.A ¦¦ A i ¦¦ cP)c+c A (mod n), and wherein A i is an identifier and includes at least one distinguishing feature of said first correspondent, wherein c is a long term private key of said certifying authority, n is a large prime number, and h indicates a secure hash function.
140. A method as claimed in claim 139, wherein said identifier A i and said component .gamma.A
are forwarded to said second correspondent by said first correspondent.
141. A method as claimed in any one of claims 139 and 140, wherein said distinguishing feature includes at least one of a name of said first correspondent. a telephone number of said first correspondent, and an address of said first correspondent.
142. A method as claimed in any one of claims 139 to 141, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
143. A method as claimed in any one of claims 139 to 142, wherein said ephemeral public key is recovered according to Q A= h(.gamma.A ¦¦ A i ¦¦ Qc)Qc + y A, where Q A
is said ephemeral.
public key and Q c is said certifying authority's long term public key.
144. A method claimed in claim 131, wherein said generated implicit certificate components include:
a) a value i, indicative of a certification period;
b) a component s A, wherein s A, = r i c + k i + c A (mod n), n is a large prime number, c is a long term private key of said certifying authority, c A and k i are random integers, and r i = h(.gamma.A ¦¦ A i ¦¦ cP ¦¦ k i P ¦¦ i), wherein A i is an identifier and includes at least one distinguishing feature of said first correspondent and said transaction specific authorization information, P is a point on a curve, and h indicates a secure hash function;
wherein .gamma.A = aP + c A P, and where aP is a long term public key of said first correspondent.
145. A method as claimed in claim 144 wherein said component .gamma.A has been determined by said certifying authority and forwarded to said first correspondent.
146. A method as claimed in .any one of claims 144 and 145, wherein said identifier A i and component .gamma.A are received by said second correspondent from said first correspondent.
147. A method as claimed in any one of claims 144 to 146, wherein said distinguishing feature includes at least one of a name of said first correspondent a telephone number of said first correspondent, and an address of said first correspondent.
148. A method as claimed in any one of claims 144 to 147, wherein said transaction specific authorization information includes at least one of a time of said transaction and a date of said transaction.
149. A method as claimed in any one of claims 144 to 148, wherein said ephemeral public key is recovered according to Q A = r i Q c+ .gamma.A Q i, wherein Q A is said ephemeral public key, Q i is said certifying authority's certification period public key. and Q
c is said certifying authority's long term public key.
150. A method as claimed in claim 149, wherein said ephemeral public key has a predetermined period of validity.
151. A method as claimed in claim 150, wherein said predetermined period of validity is one transaction.
152. A method as claimed in claim 150, wherein said predetermined period of validity is a predetermined number of transactions.
153. A method as claimed in 150, wherein said predetermined period of validity is a predetermined time period.
154. A cryptographic system for verifying a transaction over a data communication system, said cryptographic system including a certifying authority, a first correspondent and a second correspondent and said certifying authority having control over a certificate to be used by said first correspondent, said cryptographic system being configured to perform the method of any one of claims 1 to 53.
155. A certifying authority for use in a cryptographic system including a first correspondent and a second correspondent, said certifying authority having control over generation of implicit certificate components to be used by said first correspondent in performing a transaction, said certification authority being configured to perform the method of any one of claims 54 to 83.
156. A first correspondent to communicate through a data communication system with a certifying authority and a second correspondent, said first correspondent utilising implicit certificate components generated under the control of said certifying authority to conduct a transaction with said second correspondent, said first correspondent being configured to perform the method of any one of claims 102 to 121.
157. A second correspondent to communicate through a data communication system with a certifying authority and a first correspondent, said second correspondent utilizing implicit certificate components generated under the control of said certifying authority to conduct a transaction with said first correspondent, said second correspondent being configured to perform the method of any one of claims 122 to 153.
158, A method for recertifying a correspondent through the use of a certifying authority, said method comprising the steps of:
a) said certifying authority generating a first random number having a value;
b) said certifying authority generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component and a private key of said certifying authority;
c) said certifying authority publishing a public key of said certifying authority; and d) said certifying authority making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority;
wherein said certifying authority recertifies said correspondent's certificate by changing said value of said first random number.
159. The method as defined in claim 158. wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, when .gamma.A=.alpha.P+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where s A h(.gamma.A ¦¦ ID A ¦¦ cP) c i c j (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, h indicates a secure hash function, c, is one of said long term private key of said certifying authority and said first random number, and c j is the other of said long term private key of said certifying authority and said first random number.
160. The method as defined in claim 159, wherein said second component s A=
h(.gamma.A ¦¦
ID A ¦¦ cP)c +c A (mod n).
161. The method as defined in claim 159. wherein said second component s A
= h(.gamma. A ¦¦
ID A ¦¦ cP)c A+c (mod n).
162. The method as defined in claim 158, wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, where .gamma.A=.alpha.P4+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where S A = c A ~ c h(ID A¦¦.gamma.A) (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
163. The method as defined in claim 158. wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, where .gamma.A=.alpha.P+c AP, and where aP is a long term public key of said correspondent and P is a point on a curve; and said second component is s A, where s A = c A h(ID A¦¦.gamma.A)~c (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
164. The method as defined in any one of claims 158 to 163, wherein said correspondent is recertified by forwarding new implicit certificate components with said first random number having said changed value from said certifying authority to said correspondent.
165. The method as defined in any one of claims 158 to 164, wherein said first random number has said value for one certification period, said value being changed for others of said certification periods.
166. A certifying authority for recertifying a correspondent, said certifying authority including a cryptographic unit for:
a) generating a first random number having a value;
generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component and a private key of said certifying authority:
c) publishing a public key of said certifying authority;
d) making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority; and e) recertifying said correspondent's certificate by changing said value of said first random number.
167. A certifying authority as declined in claim 166, wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, where .gamma.A=.alpha.P+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where s A = h(.gamma.A ¦¦ ID A ¦¦ cP) c i + c j (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent arid includes at least one distinguishing feature of said correspondent, h indicates a secure hash function, c i is one of said long term private key of said certifying authority and said first random number, and c j is the other of said long term private key of said certifying .cndot. authority and said first random number.
168. The certifying authority as defined in claim 167, wherein said second component S A = h(.gamma. A ~ID~ cP)c+c A (mod n).
169. The certifying authority as defined in claim 167, wherein said second component S A = h(.gamma. A ~ID~ cP)c+c A (mod n).
170. The certifying authority as defined in claim 166, wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma. A, where .gamma.A=a P+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is SA, where SA = c A ~ c h (ID A ~.gamma. A) (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
171. The certifying authority as defined in claim 166, wherein CA is said first random number generated by said certifying authority and:
a) said first component is .gamma. A, where .gamma. A=aP+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where s A = c A h(ID A~ .gamma.A)~ c (mod n), and where c is a long term private key of said certifying authority, n is a large prime number.
ID A is an identifier of said correspondent and indicates at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
172. The certifying authority as defined in any one of claims 166 to 171, wherein said correspondent is recertified by forwarding new implicit certificate components with said first random number having said changed value from said certifying authority to said correspondent.
173. The certifying authority as defined in any one of claims 166 to 172, wherein said first random number has said value for one certification period, said value being changed for others of said certification periods.
174. A computer-readable medium having stored thereon computer-executable instructions for performing a method for recertifying a correspondent through the use of a certifying authority, said computer-executable instructions comprising instructions to perform the steps of a) said certifying authority generating a first random number having a value;
b) said certifying authority generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component and a private key of said certifying authority;
c) said certifying authority publishing a public key of said certifying authority; and d) said certifying authority making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority;
wherein said computer-executable instructions further comprise instructions for recertifying said correspondent's certificate by changing said value of said first random number.
175. A computer-readable medium as defined in claim 174, wherein cA is said first random number generated by said certifying authority and:
a) said first component is .gamma. A, where .gamma. A = a P+c A P, and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where s A = h(.gamma. A ~ ID A ~c P) c i-c j (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, IDA is an identifier of said correspondent and includes at least one distinguishing feature of said corespondent, h indicates a secure hash function, c i is one of said long term private key of said certifying authority and said first random number, and c j is the other of said long term private key of said certifying authority and said first random number.
176. The computer-readable medium as defined in claim 175, wherein said second component s A = h(.gamma. A ¦¦ ID A ¦¦ cP)c +c A (mod n).
177. The non-transitory computer-readable medium as defined in claim 175, wherein said second component A = h(.gamma. A ¦¦ ID A ¦¦ cP)c +c A (mod n).
178. The computer-readable medium as defined in claim 174, wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma.A, where .gamma. A=c A P+c A P , and where aP is a long term public key of said correspondent and P is a point on a curve: and b) said second component is s A, where s A = c A ~ c h(ID A¦¦ .gamma.A) (mod n), and where c is a long term private key of said certifying authority, n is a large prime number.
ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
179. The computer-readable medium as defined in claim 174, wherein c A is said first random number generated by said certifying authority and:
a) said first component is .gamma. A. where .gamma. A=aP+c A P , and where aP is a long term public key of said correspondent and P is a point on a curve; and b) said second component is s A, where S A = c A h(ID A ¦¦ .gamma.A) ~ c (mod n), and where c is a long term private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent, and h indicates a secure hash function.
180. The computer-readable medium as defined in any one of claims 174 to 179, wherein said correspondent is recertified by forwarding new implicit certificate components with said first random number having said changed value from said certifying authority to said correspondent.
181. The computer-readable medium as defined in any one of claims 174 to 180, wherein said first random number has said value for one certification period, said value being changed for others of said certification periods.
182. A method for recertifying a correspondent through the use of a certifying authority, said method comprising the steps of:
a) said certifying authority generating a first random number;
b) said certifying authority generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component, a private key of said certifying authority, and a second random number;
c) said certifying authority publishing a public key of said certifying authority; and d) said certifying authority making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority;
wherein said certifying authority recertifies said correspondent's certificate by changing said second random number.
183. The method as defined in claim 182, wherein k i is said second random number generated by said certifying authority for an ith certification period and said second component is s A i = r i c + k i, c A (mod n) , where n is a large prime number, c is a long term private key of said certifying authority, c A is said first random number, and r i=h(.gamma.A ¦¦
ID A ¦¦ cP ¦¦ k i P¦¦ i), where ID A includes at least one distinguishing feature of said correspondent, P is a point on a curve, and h indicates a secure hash function; and wherein said first component is .gamma.A = aP + c A P, where aP is a long term public key of said correspondent.
184. A method as defined in claim 182 or 183 wherein said correspondent is recertified by forwarding from said certifying authority to said correspondent a new second component with said second random number having said changed value.
185. A certifying authority for recertifying a correspondent, said certifying authority including a cryptographic unit for:
a) generating a first random number;
b) generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component, a private key of said certifying authority, and a second random number;
c) publishing a public key of said certifying authority;
d) making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority; and e) recertifying said correspondents certificate by changing said second random number.
186. A certifying authority as defined in claim 185, wherein k i is said second random number generated by said certifying authority for an ith certification period and said second component is s A i = r i c + k i, c A (mod n) , where rt is a large prime number, c is a long term private key of said certifying authority, c A is said first random number, and r i=h(.gamma.A ¦¦ ID A ¦¦ cP ¦¦ k i P¦¦ i), where ID A includes at least one distinguishing feature of said correspondent, P is a point on a curve, and h indicates a secure hash function; and wherein said first component is .gamma.A= aP c A P, where aP is a long term public key of said correspondent.
187. A certifying authority as defined in claim 185 or 186, wherein said correspondent is recertified by forwarding from said certifying authority to said correspondent a new second component with said second random number having said changed value.
188. A computer-readable medium having stored thereon computer-executable instructions for recertifying a correspondent through the use of a certifying authority, said computer-executable instructions comprising instructions for performing the steps of:

a) said certifying authority generating a first random number;
b) said certifying authority generating implicit certificate components including a first component generated using said first random number, and a second component generated using said first component, a private key of said certifying authority, and a second random number;
c) said certifying authority publishing a public key of said certifying authority; and d) said certifying authority making available said implicit certificate components to enable said correspondent to generate a new private key using said second component and to enable the construction of a new public key using said first component and said public key of said certifying authority;
wherein said computer-executable instructions further comprise instructions for recertifying said correspondent's certificate by changing said second random number.
189. The computer-readable medium as defined in claim 188, wherein k i is said second random number generated by said certifying authority for an ith certification period and said second component is s A i = r i c + k i + c A(mod n), where n is a large prime number, c is a long term private key of said certifying authority, c A is said first random number, and r i=h(.gamma.A ¦¦ ID A ¦¦ cP ¦¦ k i P¦¦ i), where ID A includes at least one distinguishing feature of said correspondent, P is a point on a curve, and h indicates a secure hash function; and wherein said first component is .gamma.A = aP + c A P, where aP is a long term public key of said correspondent.
190. The computer-readable medium as defined in claim 188 or 189, wherein said correspondent is recertified by forwarding from said certifying authority to said correspondent a new second component with said second random number having said changed value.
191. A method of a certifying authority certifying a correspondent in a data communication system, said method comprising:
generating a random integer c A;
generating transaction specific implicit signature components .gamma.A, s A
based on said random integer c A and a value aP received by said certifying authority from said correspondent;
providing said transaction specific implicit signature components .gamma.A, s A for use in said data communication system; and providing a public key Q c of said certifying authority for use in derivation of a public key Q A of said correspondent from one of said transaction specific implicit signature components .gamma.A;
wherein said certifying authority recertifies said correspondent by providing transaction specific implicit signature components ~ , ~ generated using said value aP
and a random value ~ for said random integer c A.
192. The method of claim 191, wherein said transaction specific implicit signature component s A is generated using the transaction specific implicit signature component .gamma.A
and a private key c of said certifying authority.
193. The method of claim 191, wherein said transaction specific implicit signature component .gamma.A = a P + c A P
, wherein aP
is provided to said certifying authority by said correspondent and P is a point on a curve;
and said transaction specific implicit signature component s A = h(.gamma.A ¦¦ ID
A¦¦ cP) c + c A
(mod n), wherein c is a private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent; and h indicates a hash function.
194. The method of claim 191, wherein said transaction specific implicit signature component .gamma.A = .alpha.P + c A P , wherein .alpha.P
is provided to said certifying authority by said correspondent and P is a point on a curve;
and said transaction specific implicit signature component s A = h(.gamma.A ¦¦ ID
A¦¦ cP) c A + c (mod n), wherein c is a private key of said certifying authority, n is a large prime number, ID A is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent; and h indicates a hash function.
195. The method of claim 191, wherein said transaction specific implicit signature component .gamma.A = .alpha.P + c A P , wherein .alpha.P
is provided to said certifying authority by said correspondent and P is a point on a curve;
and said transaction specific implicit signature component s A = c A ~ c h(ID A¦¦
.gamma.A) (mod n), wherein c is a private key of said certifying authority, n is a large prime number, ID A
is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent; and h indicates a hash function.
196. The method of claim 191, wherein said transaction specific implicit signature component .gamma.A = .alpha.P + c A P , wherein .alpha.P
is provided to said certifying authority by said correspondent and P is a point on a curve;
and said transaction specific implicit signature component s A = c A h(ID A¦¦
.gamma.4) ~ c (mod n), wherein c is a private key of said certifying authority, n is a large prime number, ID A
is an identifier of said correspondent and includes at least one distinguishing feature of said correspondent; and h indicates a hash function.
197. The method of any one of claims 191 to 196, the method further comprising recertifying all correspondents whose certificates have not been revoked.
198. The method of claim 197, wherein said recertifying occurs with each certification period.
199. A method of a correspondent obtaining a private key for use in a data communication system, said method comprising:
receiving a transaction specific implicit signature component s A generated by a certifying authority; and utilizing said transaction specific implicit signature component s A and an integer a generated by the correspondent to generate the private key d of the correspondent, wherein said correspondent obtains a new private key by utilizing said integer a and a new value received from said certifying authority for said transaction specific implicit signature component.
200. The method of claim 199, further comprising sending a value .alpha.P
computed from said integer a to said certifying authority for use in generation of said transaction specific implicit signature component s A and said new value for said transaction specific implicit signature component.
201. The method of any one of claims 191 to 200, wherein the arithmetic is replaced by appropriate arithmetic for a multiplicative group of integers modulo a prime.
202. A device configured to perform any of the methods of claims 191 to 201.
203. A computer readable medium having stored thereon computer executable instructions for performing the method of any one of claims 191 to 201.
CA2350118A 2000-06-09 2001-06-11 A method for the application of implicit signature schemes Expired - Lifetime CA2350118C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US58989100A 2000-06-09 2000-06-09
US09/589,891 2000-06-09

Publications (2)

Publication Number Publication Date
CA2350118A1 CA2350118A1 (en) 2001-12-09
CA2350118C true CA2350118C (en) 2013-08-13

Family

ID=24359974

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2350118A Expired - Lifetime CA2350118C (en) 2000-06-09 2001-06-11 A method for the application of implicit signature schemes

Country Status (6)

Country Link
US (3) US7480795B2 (en)
EP (3) EP1292872B2 (en)
AU (1) AU2001267198A1 (en)
CA (1) CA2350118C (en)
DE (1) DE60139621D1 (en)
WO (1) WO2001095068A2 (en)

Families Citing this family (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8261062B2 (en) 2003-03-27 2012-09-04 Microsoft Corporation Non-cryptographic addressing
JP4741503B2 (en) * 2003-10-28 2011-08-03 サーティコム コーポレーション Method and apparatus for generating verifiable public key
US20050177715A1 (en) * 2004-02-09 2005-08-11 Microsoft Corporation Method and system for managing identities in a peer-to-peer networking environment
US7603716B2 (en) * 2004-02-13 2009-10-13 Microsoft Corporation Distributed network security service
US7814543B2 (en) * 2004-02-13 2010-10-12 Microsoft Corporation System and method for securing a computer system connected to a network from attacks
US7716726B2 (en) * 2004-02-13 2010-05-11 Microsoft Corporation System and method for protecting a computing device from computer exploits delivered over a networked environment in a secured communication
US7929689B2 (en) 2004-06-30 2011-04-19 Microsoft Corporation Call signs
EP1766849A1 (en) * 2004-07-08 2007-03-28 Koninklijke Philips Electronics N.V. Method of providing digital certificate functionality
GB2419787B (en) * 2004-10-28 2007-07-04 Hewlett Packard Development Co Method and apparatus for providing short-term private keys in public-key cryptographic systems
GB2434950A (en) * 2004-10-28 2007-08-08 Hewlett Packard Development Co Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings
US7716727B2 (en) * 2004-10-29 2010-05-11 Microsoft Corporation Network security device and method for protecting a computing device in a networked environment
GB2421407A (en) * 2004-12-18 2006-06-21 Hewlett Packard Development Co Generating a shared symmetric key using identifier based cryptography
US7936869B2 (en) 2005-01-07 2011-05-03 First Data Corporation Verifying digital signature based on shared knowledge
US20060153367A1 (en) * 2005-01-07 2006-07-13 Beeson Curtis L Digital signature system based on shared knowledge
US7869593B2 (en) * 2005-01-07 2011-01-11 First Data Corporation Software for providing based on shared knowledge public keys having same private key
US7693277B2 (en) 2005-01-07 2010-04-06 First Data Corporation Generating digital signatures using ephemeral cryptographic key
US8396213B2 (en) 2005-01-21 2013-03-12 Certicom Corp. Elliptic curve random number generation
US8086842B2 (en) 2006-04-21 2011-12-27 Microsoft Corporation Peer-to-peer contact exchange
CA2669145C (en) 2006-11-15 2013-11-05 Certicom Corp. Implicit certificate verification
JP5138775B2 (en) 2007-07-17 2013-02-06 サーティコム コーポレーション Method and system for generating implicit credentials and applications for ID-based encryption (IBE)
CA2698000C (en) * 2007-09-04 2015-10-27 Certicom Corp. Signatures with confidential message recovery
US8429408B2 (en) * 2010-06-11 2013-04-23 Certicom Corp. Masking the output of random number generators in key generation protocols
EP2705629A4 (en) 2011-05-06 2015-07-29 Certicom Corp Validating a batch of implicit certificates
CN103765809B (en) * 2011-06-10 2019-07-30 塞尔蒂卡姆公司 The public key of implicit authentication
US10110386B2 (en) 2011-06-10 2018-10-23 Certicom Corp. Implicitly certified digital signatures
IN2013CH00917A (en) * 2013-03-04 2015-08-07 Infosys Ltd
US10516543B2 (en) 2017-05-08 2019-12-24 Amazon Technologies, Inc. Communication protocol using implicit certificates
US10511591B2 (en) * 2017-05-08 2019-12-17 Amazon Technologies, Inc. Generation of shared secrets using pairwise implicit certificates
US10798086B2 (en) 2017-05-08 2020-10-06 Amazon Technologies, Inc. Implicit certificates using ring learning with errors
US10505978B2 (en) 2017-08-24 2019-12-10 Visa International Service Association Utilizing trust tokens to conduct secure message exchanges
US10536279B2 (en) 2017-10-22 2020-01-14 Lg Electronics, Inc. Cryptographic methods and systems for managing digital certificates
US11449864B2 (en) * 2017-10-31 2022-09-20 R3 Ltd. Reissuing obligations to preserve privacy
US11190363B2 (en) 2018-01-11 2021-11-30 Lg Electronics, Inc. Cryptographic methods and systems using activation codes for digital certificate revocation
EP3750277A4 (en) 2018-02-05 2021-12-08 Lg Electronics Inc. Cryptographic methods and systems using blinded activation codes for digital certificate revocation
US11777720B2 (en) * 2020-06-12 2023-10-03 Nagravision Sàrl Distributed anonymized compliant encryption management system

Family Cites Families (48)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CH678134A5 (en) 1989-01-13 1991-07-31 Ascom Radiocom Ag Authenticated cryptographic key exchange in digital subscriber network - using preliminary phase of multiplication in finite galois field with random number selection for public key
US5136647A (en) 1990-08-02 1992-08-04 Bell Communications Research, Inc. Method for secure time-stamping of digital documents
US5136646A (en) 1991-03-08 1992-08-04 Bell Communications Research, Inc. Digital document time-stamping with catenate certificate
US7028187B1 (en) * 1991-11-15 2006-04-11 Citibank, N.A. Electronic transaction apparatus for electronic commerce
NZ329891A (en) * 1994-01-13 2000-01-28 Certco Llc Method of upgrading firmware of trusted device using embedded key
US5511121A (en) * 1994-02-23 1996-04-23 Bell Communications Research, Inc. Efficient electronic money
US6868408B1 (en) * 1994-04-28 2005-03-15 Citibank, N.A. Security systems and methods applicable to an electronic monetary system
US6091820A (en) * 1994-06-10 2000-07-18 Sun Microsystems, Inc. Method and apparatus for achieving perfect forward secrecy in closed user groups
NZ306846A (en) * 1995-06-05 2000-01-28 Certco Llc Digital signing method using partial signatures
US5850442A (en) * 1996-03-26 1998-12-15 Entegrity Solutions Corporation Secure world wide electronic commerce over an open network
US6226383B1 (en) * 1996-04-17 2001-05-01 Integrity Sciences, Inc. Cryptographic methods for remote authentication
US6085320A (en) 1996-05-15 2000-07-04 Rsa Security Inc. Client/server protocol for proving authenticity
US5884272A (en) * 1996-09-06 1999-03-16 Walker Asset Management Limited Partnership Method and system for establishing and maintaining user-controlled anonymous communications
US5937066A (en) 1996-10-02 1999-08-10 International Business Machines Corporation Two-phase cryptographic key recovery system
GB9621274D0 (en) 1996-10-11 1996-11-27 Certicom Corp Signature protocol for mail delivery
US5953420A (en) * 1996-10-25 1999-09-14 International Business Machines Corporation Method and apparatus for establishing an authenticated shared secret value between a pair of users
CA2228185C (en) * 1997-01-31 2007-11-06 Certicom Corp. Verification protocol
US5982898A (en) * 1997-03-07 1999-11-09 At&T Corp. Certification process
US6335972B1 (en) * 1997-05-23 2002-01-01 International Business Machines Corporation Framework-based cryptographic key recovery system
US6202150B1 (en) * 1997-05-28 2001-03-13 Adam Lucas Young Auto-escrowable and auto-certifiable cryptosystems
WO1999000244A1 (en) 1997-06-30 1999-01-07 Kimberly-Clark Worldwide, Inc. Medical packaging material and process for making same
US6058188A (en) * 1997-07-24 2000-05-02 International Business Machines Corporation Method and apparatus for interoperable validation of key recovery information in a cryptographic system
US6233685B1 (en) * 1997-08-29 2001-05-15 Sean William Smith Establishing and employing the provable untampered state of a device
US6424712B2 (en) 1997-10-17 2002-07-23 Certicom Corp. Accelerated signature verification on an elliptic curve
US6151395A (en) 1997-12-04 2000-11-21 Cisco Technology, Inc. System and method for regenerating secret keys in diffie-hellman communication sessions
US6490680B1 (en) 1997-12-04 2002-12-03 Tecsec Incorporated Access control and authorization system
US6105006A (en) 1997-12-22 2000-08-15 Motorola Inc Transaction authentication for 1-way wireless financial messaging units
US6298153B1 (en) * 1998-01-16 2001-10-02 Canon Kabushiki Kaisha Digital signature method and information communication system and apparatus using such method
US7095852B2 (en) * 1998-02-13 2006-08-22 Tecsec, Inc. Cryptographic key split binder for use with tagged data elements
CA2235359C (en) * 1998-03-23 2012-04-10 Certicom Corp. Implicit certificate scheme with ca chaining
CA2232936C (en) 1998-03-23 2008-10-21 Certicom Corp. Implicit certificate scheme
US6615350B1 (en) * 1998-03-23 2003-09-02 Novell, Inc. Module authentication and binding library extensions
US6295359B1 (en) 1998-05-21 2001-09-25 Pitney Bowes Inc. Method and apparatus for distributing keys to secure devices such as a postage meter
US6564320B1 (en) 1998-06-30 2003-05-13 Verisign, Inc. Local hosting of digital certificate services
US6167518A (en) * 1998-07-28 2000-12-26 Commercial Electronics, Llc Digital signature providing non-repudiation based on biological indicia
KR100484209B1 (en) * 1998-09-24 2005-09-30 삼성전자주식회사 Digital Content Encryption / Decryption Device and Method
US6820063B1 (en) * 1998-10-26 2004-11-16 Microsoft Corporation Controlling access to content based on certificates and access predicates
JP2000165373A (en) * 1998-11-25 2000-06-16 Toshiba Corp Enciphering device, cryptographic communication system, key restoration system and storage medium
US6230266B1 (en) * 1999-02-03 2001-05-08 Sun Microsystems, Inc. Authentication system and process
IL128609A0 (en) * 1999-02-18 2000-01-31 Nds Ltd Identification protocols
US6490352B1 (en) 1999-03-05 2002-12-03 Richard Schroeppel Cryptographic elliptic curve apparatus and method
US6772331B1 (en) * 1999-05-21 2004-08-03 International Business Machines Corporation Method and apparatus for exclusively pairing wireless devices
US6363480B1 (en) 1999-09-14 2002-03-26 Sun Microsystems, Inc. Ephemeral decryptability
US7188258B1 (en) * 1999-09-17 2007-03-06 International Business Machines Corporation Method and apparatus for producing duplication- and imitation-resistant identifying marks on objects, and duplication- and duplication- and imitation-resistant objects
US6907401B1 (en) * 2000-03-13 2005-06-14 Verizon Corporate Services Group Inc. Portal switch for electronic commerce
US6615320B2 (en) * 2001-02-12 2003-09-02 International Business Machines Corporation Store collapsing mechanism for SMP computer system
US7080404B2 (en) * 2002-04-01 2006-07-18 Microsoft Corporation Automatic re-authentication
US8449357B2 (en) 2007-10-05 2013-05-28 Chien-Min Sung Polymeric fiber CMP pad and associated methods

Also Published As

Publication number Publication date
US8522012B2 (en) 2013-08-27
US20120102318A1 (en) 2012-04-26
EP1292872B2 (en) 2018-12-19
EP2276196A1 (en) 2011-01-19
US20050193219A1 (en) 2005-09-01
DE60139621D1 (en) 2009-10-01
EP2148465B9 (en) 2013-04-17
EP1292872A2 (en) 2003-03-19
WO2001095068A2 (en) 2001-12-13
EP2276196B1 (en) 2014-09-03
EP2148465A1 (en) 2010-01-27
CA2350118A1 (en) 2001-12-09
WO2001095068A3 (en) 2002-10-03
EP1292872B1 (en) 2009-08-19
EP2148465B1 (en) 2012-12-05
US20090086968A1 (en) 2009-04-02
US8069347B2 (en) 2011-11-29
US7480795B2 (en) 2009-01-20
EP1292872B9 (en) 2012-03-07
AU2001267198A1 (en) 2001-12-17

Similar Documents

Publication Publication Date Title
CA2350118C (en) A method for the application of implicit signature schemes
AU758044B2 (en) Implicit certificate scheme
US8069346B2 (en) Implicit certificate verification
JP5205398B2 (en) Key authentication method
JP2002534701A (en) Auto-recoverable, auto-encryptable cryptosystem using escrowed signature-only keys
WO2014205571A1 (en) Signature protocol
JP4146252B2 (en) Anonymous communication method capable of identifying unauthorized persons, user device used in the method, and relay server device
CA2232936C (en) Implicit certificate scheme
JP3862397B2 (en) Information communication system
Chen et al. Comment on the Public Key Substitution Attacks.

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20210611

MKEX Expiry

Effective date: 20210611

MKEX Expiry

Effective date: 20210611