Subclass 46	Subclass 47	Subclass 28
Plural generators

Distributed split-key cryptosystem and applications

6026163

Abstract

A distributed split-key cryptosystem and application in a public-key setting wherein each of a plurality of trustees independently selects his own secret-public key pair. The trustees combine their public encryption keys into a single public encryption key. Using this combined public key for an electronic auction and other secure transactions.

Claims

What is claimed is:

1. A method for an electronic auction with encrypted bids, comprising:

having each of a plurality of trustees generate an individual public key with a corresponding individual secret key;

combining the individual public keys of the plurality of trustees into a combined public key;

encrypting a bid of a user with the combined public key;

reconstructing a combined secret key corresponding to the combined public key from the individual secret keys of the plurality of trustees; and

using the combined secret key to decrypt the user's bid.

2. A method according to claim 1, wherein the bid of a user is encrypted together with an indication of an identity of the user.

3. A method according to claim 1, wherein the bid of the user includes an indication of an identity of the user.

4. A method as in claim 1, wherein the bid of the user in encrypted so as to avoid that the bid of the user is copied by another user.

Description

TECHNICAL FIELD

The present invention relates to secure communications.

BACKGROUND OF THE INVENTION

Recently, systems have been developed by which a secret decryption key is in the hands of several trustees, so that each trustee holds a guaranteed piece of the key, while he cannot predict the full key. Examples of such systems include Micali's Fair Cryptosystems and the Clipper Chip.

We want to develop such a system in a public key setting so that the secret key that is guaranteed to be shared among some trustees is the secret decryption key corresponding to a given public encryption key. The inventive system does not work by having an initial entity who (1) computes a public-secret key pair, and (2) divides the secret key among various trustees in a proper way. Indeed, whether or not such entity blows itself up after doing so (e.g., as suggested by Desmet), the doubt exists that leakage of the secret decryption key may have occurred, either maliciously or by accident.

SUMMARY OF THE INVENTION

Accordingly, the present invention works by having each trustee independently select his own secret-public key pair, and then having the trustees combine their public encryption keys into a single public encryption key. To this combined public key corresponds a combined secret key, such that the individual secret keys selected by the trustees are guaranteed to be pieces of this combined secret key. Thus, while no one knows said combined secret key (and indeed while, possibly, this secret key has never been computed, if so wanted), the trustees are guaranteed that they can reconstruct this key, or, alternatively, that they can decrypt any message encrypted with the combined public key without revealing its corresponding secret key.

BRIEF DESCRIPTION OF DRAWINGS

The sole FIGURE illustrates a bid and auction process according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Let us exemplify one way to achieve our goals with the Diffie-Hellman public-key cryptosystem. The skilled in the art will have no difficulty in obtaining similar results for other public-key cryptosystems.

In the Diffie-Hellman system, there is a prime p and a generator g common to all users. A user X chooses his own secret key x at random between 1 and p-1, and sets his public key to be g.sup.x mod p. Let now y and g.sup.y mod p be, respectively, the secret and public keys of user Y. Then X and Y essentially share the secret key g.sup.xy mod p. Indeed, each of X and Y can compute this "common secret key" by raising the other's public key to his own secret key mod p. On the other hand, without knowledge of x or y, no other user can, given the public keys g.sup.x mod p and g.sup.y mod p, based on any known method, feasibly compute the secret key g.sup.xy mod p. Thus X or Y can use this key to secure communications between each other (e.g., by using it as the key of a symmetric cipher).

Let now T.sub.1, . . . , T.sub.n be our trustees. Then, each T.sub.i chooses a secret key x.sub.i and a matching public key g.sup.xi mod p. Then the combined public key is set to be the product of these public keys mod p, g.sup.z mod p (i.e., g.sup.z =g.sup.xl+. . . +xn mod p). This key can be made public or otherwise known to a group of users. Alternatively, the individual trustees' public keys can be made known, so that anyone can compute the combined public key from the individual trustees' public keys, just as the trustees themselves did.

Notice that each trustee has a share of the corresponding secret key, z, of the combined secret key so computed. Indeed, this combined secret key would be z=x.sub.1 +.sup.. . . x.sub.n mod p-1. Thus each trustee is guaranteed to have a piece of this combined key. Indeed, if the trustees want, they could reveal their secret keys and thus easily compute z. Notice that a trustee cannot reveal a false piece of z without being caught. For instance, if trustee T.sub.1 reveals a piece p.sub.1 other than x.sub.1, anyone can detect that g.sup.p1 .noteq.g.sup.x1 T.sub.1 's public key.

Assume now that user Alice wishes to encrypt a message m with the combined public key. Then she selects a (preferably) temporary secret key a and its corresponding public key g.sup.a mod p; computes the secret key g.sup.az mod p; encrypts m conventionally with said key g.sup.az. ; and sends this ciphertext to a proper recipient together with the temporary public-key g.sup.a mod p.

At this point, the encryption of Alice's message is known, while the message can be revealed by either Alice herself (e.g., by releasing a), or by the collection of Trustees; for instance, by having them release their individual secret keys x.sub.i, and thus the combined secret key z.

This method can be used for applications other than law-enforcement ones. For instance, it can be used for simultaneous (sealed-bid) electronic auctions, which is illustrated in the sole Figure, which shows bidders B.sub.1 . . . B.sub.m submitting sealed bids b.sub.1 . . . b.sub.m in a system having n trustees, T.sub.1 . . . T.sub.n. Indeed, users, like Alice, may encrypt their bids with a proper combined key (preferably indicating within the secret bid their own identities in order, among other things, to avoid that their bids can be "copied" by others). At the appropriate time, all bids will be revealed; for instance, by having the trustees release their individual x.sub.i, values so that the combined secret key z can be reconstructed, and thus all secret keys g.sup.az mod p are also reconstructed and used for decrypting all bids.

Notice that no one can leak an individual bid, before the proper time, without the consent of the user who made it. In fact, for decrypting a bid the cooperation of all trustees would be needed, and it is extremely unlikely that such an improper collusion will ever occur if the Trustees are chosen to be trustworthy (or properly functioning machines). Thus, each individual bidder is protected, and so are the trustees (e.g., from some frivolous accusation of bid leakage).

It should be appreciated that such an auction mechanism is just one application of the inventive technology. The system can also be implemented so that certain prescribed sets of trustees (e.g., any majority of trustees rather than all trustees) suffice for reconstructing the combined secret key. Also, decryption of user messages may occur without revealing the combined secret key, if so wanted.

While the invention has been disclosed in connection with the preferred embodiments shown and described in detail, various modifications and improvements thereon will become readily apparent to those skilled in the art. Accordingly, the spirit and scope of the present invention is to be limited only by the following claims.

Inventors
Micali, Silvio;
Published
Feb-15-2000
Current US Classes:
380/286
380/30
380/47
705/64
705/71
705/74
705/75
705/77
705/78
705/80
Application #
766448
International Classes
H04K 001/00
Field of Search
380/4 380/21 380/25 380/28 380/29 380/30 380/43 380/44 380/45 380/46 380/49 380/59 705/1 705/37 705/74 705/77 705/78 705/80 713/168 713/171
Examiner
Swann; Tod R.
Agent
Foley, Hoag & Eliot LLP
US Patent References:
4200770
4218582
4326098
4375579
4405829
4438824
4458109
4879747
4885777
4908861
4924514
4933970
4944009
4953209
4995081
5005200
5018196
5081676
5124117
5136643
5150411
5177791
5199070
5202977
5208853
5214698
5214700
5220501
5224162
5276737
5315658
5373558
5440634
5453601
5455407
5497421
5509071
5511121
5521980
5553145
5557346
5610982
5615269
5633928
5664017
5666414
5666420
5675649
5761306
5794207
5796830
5799086
5809144
5812670
5815573
5841865
5850442
5850451
5857022
5872849

Same subclass

Key generating system	3934078
Data encryption key failure monitor	4926475
Code lengthening system	4809295
Device for implementing a block-ciphering process	6760439
Conditional access system, downloading of cryptographic information	6108422
Method of implementing connection security in a wireless network	6081601
Cascaded stream cipher	6961426
Encoding and decoding information using randomization with an alphabet of high dimensionality	6301361
Method and apparatus for generating random permutations	6934388
Method and apparatus for ciphering and deciphering messages	4145568
Apparatus for privacy transmission in system having bandwidth constraint	4398062
Data communication system and method with data scrambling	5261003

Same class

Information recording device and information reproducing device	6941283
Set top terminal for cable television delivery systems	5734853
Control system for satellite delivered pay-per-view television system	5151782
Method for updating encryption key information in communication units	5325432
Vehicle security device with electronic use authorization coding	5774550
Method for point-to-point communications within secure communication systems	5357571
Electronic indicia in bit-mapped form	4949381
High throughput system for encryption and other data operations	6870929
Image pattern detection method and apparatus	6766056
Apparatus for data copyright management system	6789197
Process for the transmission and reception of conditional access programs controlled by the same operator	5615265
Authentication failure trigger method and apparatus	6236852

Consider this

Method and system for debugging parallel and distributed applications	5781778
Method and system for debugging parallel and distributed applications	5794046
Code generator for applications in distributed object systems	5860004
Visual application partitioning for creating distributed object oriented applications	5915113
Constructing applications in distributed control systems using components having built-in behaviors	6205362
Using a distributed object system to find and download java-based applications	6260078
Fractal process scheduler for testing applications in a distributed processing system	6460068
Method and apparatus for installing applications in a distributed data processing system	6487718
System and method for providing interpreter applications access to server resources in a distributed network	6496865
System and method for adding transport protocols in distributed middleware applications	7010609