초록 ▼

A cryptographic method is disclosed that enables the issuer in a secret-key certificate issuing protocol to issue triples consisting of a secret key, a corresponding public key, and a secret-key certificate of the issuer on the public key, in such a way that receiving parties can blind the public ke

A cryptographic method is disclosed that enables the issuer in a secret-key certificate issuing protocol to issue triples consisting of a secret key, a corresponding public key, and a secret-key certificate of the issuer on the public key, in such a way that receiving parties can blind the public key and the certificate, but cannot blind a predetermined non-trivial predicate of the secret key even when executions of the issuing protocol are performed in parallel.

대표청구항 ▼

[ What is claimed is:] [1.] One or more computer readable media carrying one or more sequences of instructions for constructing a certificate issuing protocol wherein an issuer party issues triples, consisting of a secret key, a matching public key, and a certificate of the issuer party on the publi

[ What is claimed is:] [1.] One or more computer readable media carrying one or more sequences of instructions for constructing a certificate issuing protocol wherein an issuer party issues triples, consisting of a secret key, a matching public key, and a certificate of the issuer party on the public key, such that a receiver party can blind the public key and the corresponding certificate, but not a non-trivial blinding-invariant predicate of the secret key even when executions of the issuing protocol are performed in parallel, wherein execution of one or more of the sequences of instructions by one or more processors causes the one or more processors to perform the steps of:generating by one or more processors of the issuer party a secret key (x.sub.o,g), a public key p,g,h.sub.o,g.sub.l) and a function f(.multidot.), where:q is a prime number;x.sub.o and g are elements of the ring, .sub.q, of integers modulo q;p is a prime number such that q divides p-1 evenly;g is an element of order q in the group, .sub.p, of integers modulo p;h.sub.o is equal to g.sup.x.sbsp.o mod p;g.sub.l is equal to g.sup.g mod p; andfor a,b in .sub.p it is easier to compute f(ab mod p) given f(a) and b than it is to compute f(a.sup..alpha. b.sup..beta. mod p) from f(a) and f(b) for known .alpha. and .beta.;generating for public use a hash-function H(.multidot.) that maps its arguments to .sub.2.spsb.l for a security parameter l;generating in the issuing protocol by the one or more processors of the issuer party a substantially random number w.sub.o in .sub.q, computing a.sub.o .rarw.f(g.sup.w.sbsp.o mod p), and transferring a signal representative of a.sub.o to one or more processors of the receiver party;generating in the issuing protocol by the one or more processors of the receiver party a number x in .sub.q, computing a public key h.rarw.g.sup.x g.sub.l.sup.I mod p, where I mod q represents the blinding-invariant part of the corresponding secret key (x,I);generating in the issuing protocol by the one or more processors of the receiver party two substantially random numbers t and u in .sub.q, computing a.rarw.f(g.sup.w.sbsp.o g.sup.t (h.sub.o g.sub.l.sup.I).sup.u mod p) from a.sub.o and g.sup.t (h.sub.o g.sub.l.sup.I).sup.u mod p, and computing c.rarw.H(h,a); computing in the issuing protocol by the one or more processors of the receiver party the challenge c.sub.o .rarw.c+u mod q, and transferring a signal of c.sub.o to the one or more processors of the issuer party;computing in the issuing protocol by the one or more processors of the issuer party the response r.sub.o .rarw.c.sub.o (x.sub.o +yI)+w.sub.o mod q, and transferring a signal representative of r.sub.o to the one or more processors of the receiver party; andverifying by the one or more processors of the receiver party that f(g.sup.ro (h.sub.o g.sub.l.sup.I).sup.-c.sbsp.o mod p) is equal to a.sub.o, and computing r.rarw.r.sub.o +cx+t mod q in order to complete the certificate (c,r) on the public key h.