WO2000064088A1 - Optimistic authenticator systems - Google Patents
- Publication number: WO2000064088A1 (PCT/US2000/010398)
- Authority: WO (WIPO (PCT))
- Prior art keywords
- authenticating party
- authenticator
- party
- coin
- authenticating
Classifications
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/04—Payment circuits
- G06Q20/06—Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/34—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
- G06Q20/341—Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/403—Solvency checks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/409—Device specific authentication in transaction processing
- G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
- G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1016—Devices or methods for securing the PIN and other transaction-data, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3257—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using blind signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- the present invention relates to authentication and transaction systems, and more specifically to secure and/or privacy-protecting techniques suitable for electronic commerce, including credential mechanisms.
- Public-key digital signatures, being well known in the art, have the property that anyone can verify them. In particular, when such a signature is received, it is almost always verified, often in the process of "recovering" the message content signed.
- the self-authenticating property of such signatures, which allows anyone to verify a signature, has the known disadvantage for many applications of preventing the signer from exercising control over the verification of signatures. This problem has been addressed by so-called “undeniable” and “private” signature schemes, which allow the party "providing" the message signed to be convinced upon receiving the signature that it is valid and cannot later successfully be refuted.
- one object of the present invention is to allow an "authenticating party" to issue authenticators without interaction with a "provider party”, apart from any request that may be used, and for the provider party obtaining the authenticator to simply verify an ordinary digital signature on one or, preferably, a collection of messages.
- Another object of the invention is protocols that make it difficult for authenticators to be verified without the cooperation of the authenticating party. Yet another object of the present invention is to offer the possibility of functionality related to that of blinding in blind signature schemes, where the supplier party can hide the correspondence between values supplied initially for authentication and the subsequent verification of their authenticity.
- Still another object of the invention is to allow the showing protocol of an electronic cash system to be secure and robust without the need for public keys and signatures per coin.
- Yet a further object of the invention is to provide for so-called “credential” mechanisms, allowing the otherwise untraceable exchange of authenticators between digital pseudonyms and without the need for the cumbersome so-called “cut-and-choose” protocols used in prior art systems.
- a further object of the invention is to allow users in a credential system to have multiple pseudonyms of the same type. Still further objects of the invention include practical, efficient, and secure methods and means for achieving the other objects of the invention. Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.
- FIG. 1 shows a combination flow-chart, block diagram, functional diagram, cryptographic and communication protocol diagram, and transaction processing schema for an exemplary embodiment in accordance with the teachings of the present invention.
- FIG. 2 shows a flowchart related to the embodiment of Fig. 1 and in accordance with the teachings of the present invention.
- FIG. 3 shows a protocol notation for an exemplary credential system establishment protocol in accordance with the teachings of the present invention.
- FIG. 4 shows a flowchart for an audit mass proof of authenticator validity in accordance with the teachings of the present invention.
- FIG. 5 shows a set of flowcharts, 5a, 5b, and 5c for the overall function of an embodiment of a system in accordance with the teachings of the present invention.
- authenticating parties "issue” items of information called “authenticators” to parties called “providers”. Later, these authenticators, or values derived from them, are returned to the authenticating party and each is either “agreed” by the authenticating party to be a valid authenticator or not agreed.
- the authenticators are elements in a group where the so-called “discrete-log” problem is believed to be hard, such groups being well known in the cryptographic art. Also in these embodiments,
- authenticators are formed by raising provided elements to a power secret to the authenticating party.
- digital signatures are preferably used to commit the authenticating party to the authenticators issued and also to those that are agreed or not agreed.
- techniques allowing the authenticating party to convince others that digitally-signed sets of pairs are in fact properly formed are also shown. Also shown are techniques for "blinding" authenticators, such techniques being
- novel blinding is applied.
- the process for accepting a blinded authenticator, such as a coin in an electronic cash system, is also detailed in a way that could be adapted to blind signatures and overcomes problems with existing blind signature accepting protocols.
- Another exemplary embodiment shows how the values to be authenticated need not contain apparent redundancy, as is typical with signature schemes, but rather can be made known to the authenticating party in advance through a mix system to preserve privacy and unlinkability. (Improvements over known prior art functionality and efficiency are detailed later.)
- a blind signature-like system, called a “blind authenticator” system, comprises an authenticating party that can compute a secret function: exponentiation by a secret power s in a group where the discrete log problem is believed hard.
- a "payer” can obtain such an s power on any group member by providing the number to be exponentiated to the authenticating party and compensating the authenticating party for making the authenticator (such as by allowing a corresponding withdrawal from a checking account).
- a redundancy scheme is fixed for the system, such as the familiar one where valid numbers are the result of applying a fixed agreed function "h” to a "pre-image” number "p", where such h(p) is a member of the group.
- the payer may wish to protect itself against the authenticating party claiming that the authenticator had already been received.
- One known way to do this is to first provide a "commitment" to the values of p and/or the authenticator to the authenticating party; then the authenticating party is to provide a "conditional acceptance” or acknowledgement that this particular value has not been previously spent.
- Such a commitment might include other transaction data, such as the payee.
- this conditional acceptance would carry a time “window” associated with it, being a range of times during which the payment will be accepted if sufficient additional information is supplied and it is verified.
- the window is used to prevent the authenticating party from permanently blocking a valid payment by claiming that it has already been committed.
- if the bits are chosen carefully, such as by being a prefix of a hash function applied to the usual encoding of the group element, then twenty to fifty bits might suffice, giving a correspondingly low probability of successful cheating per attempt, depending on the penalty, up-front cost, or probability of penalty for attempted cheating.
- the values of p, the p_i, used could be generated cryptographically from a seed by the payer, and so would require almost no storage. Transmission costs could also be reduced — and storage size as well if regeneration is not used — simply by taking p from a set that is of sufficient size to reduce collision probabilities to an acceptable level.
- the secret exponent s can immediately be applied by the authenticating party to h of the first component, and the result compared for equality with the second component. If they are equal, the authenticating party can be confident that the "coin" is validly signed.
- the authenticating party in known fashion, can simply keep a list of those coins already accepted, referred to as "marking" the coin, and mark new coins atomically as they are accepted.
- the value p would be associated with the marked coin, which itself would be indexed (i.e. searchable by) the information readily deduced from the form shown in phase one.
- the payer may be concerned, in some settings, that the authenticating party will falsely claim that an authenticator is not valid or that it has been previously spent. If the claim is that the authenticator is not valid, then it will be possible in principle to prove that it is not valid without revealing the true authenticator, such as by using techniques developed in the context of undeniable signatures. An alternative would be simply to show the authenticator. This authenticator can then be verified, by known "zero-knowledge” or "minimum disclosure” proof techniques for instance. Of course this procedure assumes that the coin is marked as spent before the authenticator is revealed, so that the authenticator revealed cannot simply be spent. Effective countermeasures to the threat that the authenticating party would falsely claim that a coin had already been spent are known.
- instead of revealing p initially, the payer reveals k(p), a public one-way function applied to p; the authenticating party commits to the fact that such a k(p) has not been previously accepted, and gives a time window during which no other such value will be accepted but during which the payer must provide the value of p and the authenticator.
- k(p) a public one-way function applied to p
- a prefix of the bit representation of p is provided first, and this is what is used as the key in the search for double spent coins where the whole value of p is stored.
- the authenticating party commits, such as with a digital signature, to accepting the coin; then the full value of p can be revealed, and the transaction completed.
- if the authenticating party is presented with a prefix of p for an already spent coin, then all it has to do is make the full value of p known at that point.
- Another potentially improved approach would be for the one-way function to be applied to both p and the signature, f(p, h(p)^s). This way, if the authenticator is later revealed by the authenticating party in showing that the one presented is invalid, the commitment signature by the authenticating party contains in effect a commitment, in the form of f(p, h(p)^s), to the purported authenticator.
- a single one-way function need not be used, but this may be more convenient and efficient and prevent certain attacks.
- arrows in Fig. 1 show messages between the payer on the left and the authenticating party on the right.
- the notations in the margins show actions by the party on that side, those on the right for the payer and those on the left for the authenticating party.
- Square brackets enclose the message numbers, to be described in more detail.
- the payer produces two values potentially at random, which may be physical, algorithmic, or a combination of random sources, involving one or more parties and/or keys.
- the first is p, the pre-image and payment number, which is a group element as already mentioned.
- the second, b is actually used as an exponent, and should ideally be chosen uniformly from the set of such exponents, related to the order of the group.
- This preparation, shown in the left margin of Fig. 1, is not shown as a step in Fig. 2 for clarity.
- the first message [1] in Fig. 1 is formed by the payer in two operations. First, the public, fixed one-way function h is applied to the pre-image p. Second, the result of the first operation is raised to the b power, of course within the group as is implicit and already mentioned. This message is sent to and received by the authenticating party (as with all such right-pointing arrows). Again, as this is a computation by the provider, it is not shown in Fig. 2.
- the authenticating party may expect to receive something additional not shown for clarity as compensation for making the authenticator, as already mentioned.
- the authenticating party proceeds in two parts. First, the message [1] is raised to the authenticating party's secret power s, as already mentioned. Second, the resulting number is signed, denoted by the "sig" function application, by the authenticating party using a public key or undeniable signature scheme, as are well known in the art, and not shown in Fig. 2 for clarity.
- the authenticating party typically knows the private key used to make the authenticator; the corresponding public key is typically made public in an authenticated way.
- the resulting authenticator is provided by the authenticating party to and received by the payer, as with all such left-facing large arrows of Fig. 1.
- the payer may wait an arbitrary amount of time before proceeding.
- multiple p's could be signed in parallel as a batch, and the single signature could apply to all of them.
- hash or compressing functions can be applied to the message content before signing, as is well known.
- the payer may also wish to verify the signature received.
- it would be possible for the authenticating party to prove, in the zero-knowledge or minimum disclosure sense, that the s power was really applied.
- the protocols here create other kinds of protection for the authenticating party, to encourage the authenticating party not to require such proofs in ordinary operation.
- the payment could also simply be made instead to the payer's own account, and then new authenticators obtained later if the wait is too long.
- the payer may show the signature [2] and a pre-image under a one-way function (not shown or mentioned before for clarity) of b; this would substantiate the bad authenticator by the authenticating party.
- the payer must compute the inverse of b, which will be called c, such that applying c as an exponent to something that has had b applied results in the cancellation of the two exponents. It is believed that this is reasonably accomplished in the exemplary setting of a discrete log system of known prime order by computing c as the multiplicative inverse of b modulo the group order.
- the next computation made by the payer shown is that the one-way and/or hash function f is applied to a pair of arguments.
- the first argument is simply p.
- the second is the "unsig" of message [2], the quantity raised to the c power.
- the "unsig” notation refers to the widely known property of message recovery from signatures, where, for certain signature schemes, in checking the signature or otherwise, the value signed can be readily obtained.
- the payer can, at its option or even based on probabilities it assigns, verify and retain the signature by the authenticating party. This signature, if valid and retained, can be used later in case the authenticating party shows that the authenticator issued in message [2] was invalid, as mentioned above.
- Message [3.1] is the result of the last margin computation by the payer. It is the public one-way function f applied to the pair p and what should be the s power of h(p). Of course, if the authenticating party has returned an improper authenticator as message [2], the form may differ, but this may be detected earlier or later, as has been mentioned.
- Message [3.2] is simply f applied to the pair p, "payee", where payee could, for instance, be the account identifier of the party to be paid. The intention is
- the first is simply the value of p associated with the marked message and the second is the actual s power on the h of the associated p, which the authenticating party could store, but could also simply regenerate at this point (assuming authenticators are unique).
- the payer receiving this message pair basically gives up: either the payer is honest, and then the payer becomes convinced that someone else has already chosen the same p; or the payer is trying to cheat and has sent the number in previously, hoping that the authenticating party would forget, which it has not.
- the payer has essentially no recourse because no [4a] is held, as will be described.
- the flowchart of Fig. 2 ends at this point.
- the main branch is that message [3.1] has not been marked and the authenticating party enters the next phase towards accepting the payment.
- Such a temp mark is completely separate from a mark.
- the temp mark is, as the name implies, temporary. It prevents any temp marked message
- Fig. 9 returned by the authenticating party to the payer.
- This message is shown in Fig. 1 as a signature on two items. The first is the message [3.1] submitted. The second is the corresponding [3.2]. At this point, following the main path, the payer is to provide, as shown in Fig.
- the second path is where [5.1] and [5.2] are seen by the authenticating party to be inconsistent, because the authenticating party can take [5.1], apply h and the secret power s, and see that the result is not [5.2].
- a proper value for [5.2] is generated (by the authenticating party from p, by again applying h and then raising to the s power) and this value is used to create a proper [3.1], by pre-pending p and applying f; this value is marked and p is associated with it. This procedure prevents p from ever being accepted in payment again.
- Another type of blinding is preferably also included, but has not been shown in the figures or described in detail yet for this embodiment in the interest of clarity in exposition.
- This second type of blinding enters multiplicatively in the base, as opposed to in the exponent as with the first type already shown.
- a pair of values g and g^s are typically and preferably made public by the authenticating party initially, to serve as a kind of public key.
- the second type of blinding comprises multiplying the value supplied for authenticating by g^c and then dividing the result returned by the authenticating party by (g^s)^c.
- the preferred blinding, being the combination of the two types, would give an initial message of the form g^c h(p)^b, and the value returned by the authenticating party would then be of the form (g^c h(p)^b)^s.
- the unblinding operation would include dividing out the (g^s)^c factor, by multiplying by its multiplicative inverse, and raising the result to the power that is the inverse of b.
- the group structure preferably is known to be cyclic. If the authenticating party knows that the blinding is only of the first type, then it can "mark" a value provided for authentication simply by using an exponent different from s, and then it can recognize
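The Fig. 1 flow with both kinds of blinding, written out as an added worked example (not code from the patent): the payer blinds h(p) in the exponent by b and in the base by g^u (the page uses c both for the base-blinding exponent and for the inverse of b; here they are kept apart as u and c), the authenticating party applies its secret power s, the payer unblinds to h(p)^s, and acceptance runs through the [3.1] commit, the [5.1]/[5.2] reveal, and the marking rules for an already spent or inconsistent coin. The 64-bit safe-prime group, the hash-based h and f, the omitted "sig" on messages [2] and [4a], and all class and function names are assumptions of this demo.

```python
import hashlib
import secrets

# Toy group: quadratic residues modulo a 64-bit safe prime P = 2Q + 1 (demo size, not a production parameter).
def _probable_prime(n):
    return n > 7 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))

def safe_prime_group(start=1 << 62):
    q = start | 1                          # deterministic search from a fixed start
    while not (_probable_prime(q) and _probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_group()
G = 4                                      # 2^2 is a quadratic residue, so it has order Q

def h(pre_image: bytes) -> int:
    """Public one-way function into the group: hash p, then square to land in the order-Q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(pre_image).digest(), "big") % P, 2, P)

def f(*parts) -> bytes:
    """Public one-way function on a pair, used for [3.1] = f(p, h(p)^s) and [3.2] = f(p, payee)."""
    hs = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        hs.update(len(data).to_bytes(2, "big") + data)
    return hs.digest()

class AuthenticatingParty:
    def __init__(self):
        self.s = secrets.randbelow(Q - 2) + 2   # secret power s
        self.g_s = pow(G, self.s, P)            # g^s, published together with g as the public key
        self.marked = {}                        # mark: f(p, h(p)^s) -> p
        self.temp = {}                          # temp marks held during the acceptance window

    def issue(self, message1: int) -> int:
        """Message [2]: the supplied value raised to s (the 'sig' over it is omitted in this demo)."""
        return pow(message1, self.s, P)

    def commit(self, message31: bytes, message32: bytes):
        """Message [4a]/[4b]: temp-mark a fresh [3.1], or reveal the p already marked under it."""
        if message31 in self.marked:
            prior = self.marked[message31]
            return ("already spent", prior, pow(h(prior), self.s, P))
        self.temp[message31] = message32         # [4a] would be a signature over [3.1] and [3.2]
        return ("temp marked", None, None)

    def complete(self, message31: bytes, p: bytes, authenticator: int) -> str:
        """Messages [5.1] = p and [5.2] = authenticator: recompute h(p)^s and compare."""
        self.temp.pop(message31, None)
        proper = pow(h(p), self.s, P)
        if proper == authenticator and f(p, proper) == message31:
            self.marked[message31] = p
            return "accepted"
        self.marked[f(p, proper)] = p            # inconsistent pair: p can never be paid again
        return "invalid"

def blind(p: bytes, b: int, u: int) -> int:
    """Message [1]: g^u * h(p)^b, i.e. exponent blinding by b plus base blinding by g^u."""
    return pow(G, u, P) * pow(h(p), b, P) % P

def unblind(message2: int, b: int, u: int, g_s: int) -> int:
    """Divide out (g^s)^u, then raise to c = b^-1 mod Q; what remains is h(p)^s."""
    stripped = message2 * pow(pow(g_s, u, P), -1, P) % P
    return pow(stripped, pow(b, -1, Q), P)

def run_payment(ap: AuthenticatingParty, p: bytes, payee: bytes = b"payee-account-01", tamper: bool = False):
    """One withdrawal then one payment attempt. Returns (authenticator, commit status, outcome),
    where the outcome is the acceptance result or, for a re-used p, the p the party reveals."""
    b, u = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    authenticator = unblind(ap.issue(blind(p, b, u)), b, u, ap.g_s)
    message31, message32 = f(p, authenticator), f(p, payee)
    status, prior_p, _ = ap.commit(message31, message32)
    if status != "temp marked":
        return authenticator, status, prior_p
    shown = authenticator * G % P if tamper else authenticator   # tamper: a forged [5.2]
    return authenticator, status, ap.complete(message31, p, shown)

if __name__ == "__main__":
    ap, coin = AuthenticatingParty(), secrets.token_bytes(16)
    print(run_payment(ap, coin)[1:])   # ('temp marked', 'accepted')
    print(run_payment(ap, coin)[1:])   # ('already spent', <the same p>)
```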
- FIG. 3 will be considered as a formalism, like a formula, and for clarity will not be labeled with callouts.
- uppercase letters denote public keys
- the corresponding lower-case letters denote the corresponding private keys.
- B is the public key related to private key b.
- Lowercase letters additionally denote temporary variables, such as random padding doubling as blinding keys like "r”.
- the downward arrows denote the direction of flow of the message shown immediately to their right.
- a message is shown mainly as a set of nested rectangles, each corresponding to a layer of encryption.
- the key used to form the encryption is shown in the circle on the right side of the message; the content of the message is
- variables appearing outside of the rectangles and circles denote those that would, or at least could, be known to the entities that send and/or receive the messages.
- the values on the left of the boxes are carried along with the boxes and serve as the input, at the top, and output, at the bottom, of the whole cascade.
- On the right are the public keys of the mixing parties.
- each person obtains k pseudonyms, but all the pseudonyms are mixed up and indistinguishable as to owner, in a single huge batch (this may be referred to as an "indistinguishable multiplicity"). More generally, then, for each class of organization, each individual would obtain the same number of indistinguishable pseudonyms. For instance, each person might be able to have three pseudonyms with banks, but only one with the driver license organization.
- the first message shown, at the top of Fig. 3, as per the notation, indicates three nested layers of encryption, one to be stripped off by each of three organizations A, B, and Y, using their respective private keys a, b, and y, as the message travels through them, all as well known and described in the referenced article on Mixes. As each layer is stripped off, a blinding value is revealed. A pair of values is passed between the successive stages of the mix, with the left-hand value being a single residue class or group element in the discrete log system. The initial value of this first component is simply the root value that would be present for all the pairs corresponding to the same individual. The letter p is used, as in the payment system already described, simply for notational convenience.
- the first mix A uses its private key a to remove the outer layer and recover the blinding key r. Since this is the first mix, by convention, it applies the one-way function to p (although this could have been done in advance, and would have made the operations by each mix the same). Then A applies the blinding key in the exponent and also a related key as the exponent on the public generator g, used in establishing the public key of the system, as already described.
- the related key, shown as r', could be, and preferably is, an independent key sent concatenated with r, or the two could be algorithmically related, such as r' being a one-way function of r. Passed on to the second mix B are both this residue and the remainder of the nested encryption once the layer and the value r have been removed.
- B removes the outermost layer of encryption using private key b (unrelated to the blinding key used in Fig. 1 and Fig. 2, but denoted by the same letter for clarity) and recovers the blinding key s.
- the output of this second mix is then the nested block stripped back one more layer than received by B, and the residue modified using the blinding key s.
- First the residue received is raised to the s power, and then this value is multiplied by g, as already described, raised to the other blinding key s' (which is related to s as r' is to r). Again, in a similar way to B, Y transforms the input pair.
- the person who has presumably chosen r, s, and t, and formed the layered mix message from them, can construct the output digital pseudonym as a power of g and a power of h(p), as would be obvious to those of skill in the art, just as described for the mixes.
- when the user receives a secret power authenticator on one such pseudonym, used with one organization Y, the user can transform it into the same secret power on a second pseudonym, possibly used with a different organization Y'.
- the exponent used to transform the h(p) power is calculated modulo the order of the group as the inverse of the blinding exponent on the h(p) in the first pseudonym times the exponent on the h(p) in the second pseudonym.
- the factor formed as a power of g, including the secret exponent of the authenticating party, can be transformed by multiplying by the public key raised to the multiplicative inverse of the blinding
- the pairs can be from the issuing side or the showing side.
- Issuing-side pairs comprise the raw value supplied by the provider as a first component and the authenticator issued by the authenticating party as the second component.
- showing-side pairs
- a hash value H is computed as a cryptographic function of all the elements of all the pairs. This way, the authenticating party cannot manipulate any element without causing an unpredictable and large change in the hash H.
- the value H is then used to determine an exponent for each component, as indicated in step 4.2. This, as will be appreciated, would be done in a way that resembles each exponent being an independent random value, except that they are all chosen as disjoint parts of a suitable cryptographic sequence that is an expansion of H.
- each first component is raised to its exponent and the product of these is determined; similarly, each second component is raised to its exponent and their product is formed.
- a conventional proof can be given that the exponent relating the two products is the same as the exponent relating the generator g and the public key. Such proofs are well known in the art.
- Fig. 5a shows, for completeness, an overview of the authenticator issuing process already described in detail.
- the provider party is shown supplying the raw value to be authenticated to the authenticating party.
- a potential step during which the provider blinds the raw value responsive to blinding key information is not shown for clarity.
- the authenticating party is shown using its private key information to produce the corresponding authenticator. This is then returned to and received by the provider in box 5.3a and, preferably at the same time, some way to hold the authenticating party accountable for having issued the particular authenticator responsive to the particular raw value is used.
- the first box 5.1b indicates that, if blinding has been applied in box 5.1a (as already mentioned but not shown), unblinding would be performed by the provider after the authenticating operation by the authenticating party.
- when an authenticator is shown to the authenticating party, it is provided along with the raw value by the provider or an intermediary party and received by the authenticating party or an agent having the needed keys. Then, and not shown for clarity, the authenticating party determines whether the authenticator is in fact a valid authenticator corresponding to the raw value.
- the authenticating party makes its decision known regarding the purported authentic pair.
- the authenticating party commits somehow, such as by signature or by whatever notary technique, to the fact of agreement or lack of agreement with the purported authentic pair.
- in Fig. 5c, various showings of validity and invalidity by the authenticating party are shown.
- one embodiment would have all three types of proofs applied periodically: that the issued pairs are valid, 5.1c, that the agreed pairs are valid, 5.2c, and that the disagreed pairs are invalid, 5.3c.
- the first two could be combined and the last could be only on demand.
- some embodiments might not require proofs unless a party wishes them, or only a partial or random audit might be used.
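The mix cascade and the pseudonym-to-pseudonym transfer described in the bullets above (the r, r' / s, s' / t, t' transforms, the user's reconstruction of the pseudonym as g^alpha * h(p)^beta, and re-targeting a secret-power authenticator with the inverse blinding exponent and the public key), worked through as an added Python example. This is not code from the patent: it models only the algebra of each mix (residue^k * g^k') and of the transfer, not the nested encryption that carries the keys to the mixes. The toy safe-prime group P = 10007, Q = 5003, G = 4, the hash-to-subgroup function h(), the key values, and the secret exponent x are all assumptions chosen for illustration.

```python
import hashlib

# Toy safe-prime group (assumed parameters, chosen only so the block runs):
# P = 2*Q + 1 with both prime; G = 4 is a square mod P, so it has order Q.
# A deployment would use a 2048-bit+ safe prime (e.g. RFC 3526) or an EC group.
P, Q, G = 10007, 5003, 4


def h(label: str) -> int:
    """Hash-to-subgroup for the h(p) term of a pseudonym: squaring sends any
    residue other than 0 and +-1 into the order-Q subgroup; retry on bad output."""
    ctr = 0
    while True:
        d = hashlib.sha256(f"{label}|{ctr}".encode()).digest()
        v = pow(int.from_bytes(d, "big") % P, 2, P)
        if v not in (0, 1):
            return v
        ctr += 1


def mix_step(residue: int, k: int, k_prime: int) -> int:
    """One mix's transform of the residue: raise it to the blinding key k and
    multiply by G raised to the related key k' (r,r' for mix A; s,s' for B; ...)."""
    return pow(residue, k, P) * pow(G, k_prime, P) % P


def run_mixes(base: int, keys) -> int:
    """Pass h(p) through the cascade; keys = [(r, r'), (s, s'), (t, t')]."""
    residue = base
    for k, k_prime in keys:
        residue = mix_step(residue, k, k_prime)
    return residue


def pseudonym_exponents(keys):
    """What the user who chose all the keys can compute without the mixes:
    the output pseudonym equals G**alpha * h(p)**beta (mod P)."""
    alpha, beta = 0, 1
    for k, k_prime in keys:
        alpha = (alpha * k + k_prime) % Q   # earlier g-terms get raised by later keys
        beta = (beta * k) % Q               # h(p) exponent is the product of blinding keys
    return alpha, beta


def issue_authenticator(pseudonym: int, x: int) -> int:
    """Secret-power authenticator: the authenticating party raises the
    pseudonym to its secret x (public key y = G**x)."""
    return pow(pseudonym, x, P)


def transfer_authenticator(auth1: int, exps1, exps2, y: int) -> int:
    """Re-target auth1 = G**(a1*x) * h(p)**(b1*x) to the second pseudonym
    using only public data: exponent e = b2 * b1^-1 (mod Q) fixes the h(p)
    part, then y**(a2 - a1*e) corrects the G part."""
    a1, b1 = exps1
    a2, b2 = exps2
    e = b2 * pow(b1, -1, Q) % Q
    return pow(auth1, e, P) * pow(y, (a2 - a1 * e) % Q, P) % P


def demo() -> bool:
    base = h("user-secret-p")                           # h(p) for the user's secret p
    keys_y = [(123, 456), (789, 1011), (1213, 1415)]    # keys chosen for use with org Y
    keys_y2 = [(222, 333), (444, 555), (666, 777)]      # fresh keys for org Y'
    nym1, nym2 = run_mixes(base, keys_y), run_mixes(base, keys_y2)
    x = 2718                                            # authenticating party's secret
    y = pow(G, x, P)
    auth1 = issue_authenticator(nym1, x)
    auth2 = transfer_authenticator(auth1, pseudonym_exponents(keys_y),
                                   pseudonym_exponents(keys_y2), y)
    return auth2 == issue_authenticator(nym2, x)


if __name__ == "__main__":
    print("transferred authenticator valid on second pseudonym:", demo())
```

The transfer never needs the authenticating party's secret x: the h(p) exponent is corrected by exponentiation, and the leftover g-term is corrected by multiplying with the public key y, which is exactly why an organization Y' cannot tell that the authenticator it sees was originally issued on a pseudonym used with Y.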
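The batch validity proof of Fig. 4 described above (hash H over all elements of all pairs, H-derived exponents, the two products, and a proof that the exponent relating the products equals the one relating g to the public key), as an added Python example rather than the patent's own procedure. The equality-of-exponent proof is instantiated with the Chaum-Pedersen protocol made non-interactive by Fiat-Shamir, which is one of the "well known" proofs the text refers to; the group parameters, the counter-mode expansion of H into exponents, and the sample pairs are assumptions for illustration. It covers the Fig. 5c checks that issued or agreed pairs are valid; the proof that disagreed pairs are invalid is a different (inequality) proof and is not shown.

```python
import hashlib
import secrets

# Toy safe-prime group (assumed parameters so the block runs; a deployment
# would use a 2048-bit+ safe prime or an elliptic-curve group):
# P = 2*Q + 1 with both prime; G = 4 is a square mod P, so it has order Q.
P, Q, G = 10007, 5003, 4


def to_subgroup(v: int) -> int:
    """Map an integer to the order-Q subgroup by squaring (v must not be 0 or +-1 mod P)."""
    return pow(v % P, 2, P)


def challenge(*vals) -> int:
    """Fiat-Shamir challenge in [1, Q-1] over the whole statement and commitments."""
    d = hashlib.sha256(",".join(str(v) for v in vals).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)


def derive_exponents(pairs):
    """H binds every element of every pair; exponent i is the i-th disjoint block
    of a counter-mode expansion of H, reduced into [1, Q-1] (never zero)."""
    H = hashlib.sha256(",".join(f"{m}:{a}" for m, a in pairs).encode()).digest()
    exps = []
    for i in range(len(pairs)):
        block = hashlib.sha256(H + i.to_bytes(4, "big")).digest()
        exps.append(1 + int.from_bytes(block, "big") % (Q - 1))
    return exps


def batch_products(pairs):
    """Product of the first components and product of the second components,
    each raised to its H-derived exponent. If every a_i == m_i**x then B == A**x."""
    A = B = 1
    for (m, a), e in zip(pairs, derive_exponents(pairs)):
        A = A * pow(m, e, P) % P
        B = B * pow(a, e, P) % P
    return A, B


def prove_same_exponent(x: int, A: int, B: int):
    """Chaum-Pedersen proof that log_G(y) == log_A(B) for y = G**x.
    The prover only knows x: if B != A**x the proof it produces will not verify."""
    y = pow(G, x, P)
    w = secrets.randbelow(Q)
    t1, t2 = pow(G, w, P), pow(A, w, P)
    c = challenge(G, y, A, B, t1, t2)
    return t1, t2, (w + c * x) % Q


def verify_same_exponent(y: int, A: int, B: int, proof) -> bool:
    t1, t2, z = proof
    c = challenge(G, y, A, B, t1, t2)
    return (pow(G, z, P) == t1 * pow(y, c, P) % P
            and pow(A, z, P) == t2 * pow(B, c, P) % P)


def audit(pairs, x: int) -> bool:
    """The whole check as an auditor sees it: the authenticating party publishes
    (A, B, proof); anyone holding the public key y recomputes A, B and verifies."""
    y = pow(G, x, P)
    A, B = batch_products(pairs)
    return verify_same_exponent(y, A, B, prove_same_exponent(x, A, B))


# Constructed sample data: three issuing-side pairs (raw value, authenticator).
X_SECRET = 4242                                       # authenticating party's x
RAW_VALUES = [to_subgroup(v) for v in (1234, 2345, 3456)]
GOOD_PAIRS = [(m, pow(m, X_SECRET, P)) for m in RAW_VALUES]
# Same list, except the second authenticator was not produced with x.
BAD_PAIRS = list(GOOD_PAIRS)
BAD_PAIRS[1] = (RAW_VALUES[1], pow(RAW_VALUES[1], X_SECRET + 1, P))

if __name__ == "__main__":
    print("valid batch accepted:   ", audit(GOOD_PAIRS, X_SECRET))
    print("tampered batch accepted:", audit(BAD_PAIRS, X_SECRET))
```

Substituting one authenticator changes H, and with it every exponent, so the authenticating party cannot pick the tampered pair's exponent to cancel out; the relation B = A^x then fails and the honest prover's proof is rejected. Challenges and exponents are kept in [1, Q-1] so that a zero value can never make a bad batch pass.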
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- Accounting & Taxation (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Finance (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Storage Device Security (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU44672/00A AU4467200A (en) | 1999-04-15 | 2000-04-17 | Optimistic authenticator systems |
EP00926087A EP1163752A1 (en) | 1999-04-15 | 2000-04-17 | Optimistic authenticator systems |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12938099P | 1999-04-15 | 1999-04-15 | |
US60/129,380 | 1999-04-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000064088A1 (en) | 2000-10-26 |
Family
ID=22439680
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/010398 WO2000064088A1 (en) | 1999-04-15 | 2000-04-17 | Optimistic authenticator systems |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1163752A1 (en) |
AU (1) | AU4467200A (en) |
WO (1) | WO2000064088A1 (en) |
2000
- 2000-04-17 WO PCT/US2000/010398 patent/WO2000064088A1/en active Application Filing
- 2000-04-17 EP EP00926087A patent/EP1163752A1/en not_active Withdrawn
- 2000-04-17 AU AU44672/00A patent/AU4467200A/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4969189A (en) * | 1988-06-25 | 1990-11-06 | Nippon Telegraph & Telephone Corporation | Authentication system and apparatus therefor |
US5560008A (en) * | 1989-05-15 | 1996-09-24 | International Business Machines Corporation | Remote authentication and authorization in a distributed data processing system |
US5497421A (en) * | 1992-04-28 | 1996-03-05 | Digital Equipment Corporation | Method and apparatus for protecting the confidentiality of passwords in a distributed data processing system |
Non-Patent Citations (10)
Title |
---|
BROWN, LAWRIE: "Message Authentication", Feb 1999, http://www.cs.adfa.oz.au/teaching/studinfo/csc/lectures/authent.html, XP002930002 * |
CHAUM, DAVID: "Achieving Electronic Privacy", SCIENTIFIC AMERICAN, August 1992 (1992-08-01), pages 96 - 101, XP002929195 * |
HORSTER, PATRICK ET AL.: "Discrete Logarithm Based Protocols", EUROCRYPT 91, 1991, pages 399 - 408, XP002929199 * |
JAKOBSSON, MARKUS: "Ripping Coins for a Fair Exchange", EUROCRYPT 95, May 1995 (1995-05-01), pages 220 - 230, XP002930003 * |
OHTA, KAZUO ET AL.: "Membership Authentication for Hierarchical Multigroups Using the Extended Fiat-Shamir Scheme", EUROCRYPT 90, pages 446 - 457, XP002929197 * |
REAGLE, JOSEPH: "Trust in Cryptographic Economy and Digital Security Deposits: Protocols and Policies", MIT THESIS, May 1996 (1996-05-01), pages 1 - 133, XP002930004 * |
SIMMONS, G. J.: "Survey of Information Authentication, Chapter 7", CONTEMPORARY CRYPTOLOGY ED, SIMMONS, G., 1992, XP002929196 * |
SIMMONS, G. J. ET AL.: "The Role of Trust in Information Integrity Protocols", IEEE COMPUTER SECURITY FOUNDATIONS WORKSHOP VI, FRANCONIA, NH, June 1993 (1993-06-01), XP002929194 * |
SIMMONS, G.: "The Practice of Authentication", EUROCRYPT 85, 1985, pages 261 - 272, XP002929200 * |
SIMMONS, GUSTAVUS: "Message Authentication with Arbitration of Transmitter/Receiver Disputes", EUROCRYPT 90, 1990, pages 151 - 165, XP002929198 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002052784A1 (en) * | 2000-12-27 | 2002-07-04 | Nokia Corporation | Authentication in data communication |
US7472273B2 (en) | 2000-12-27 | 2008-12-30 | Nokia Corporation | Authentication in data communication |
US8122250B2 (en) | 2000-12-27 | 2012-02-21 | Nokia Corporation | Authentication in data communication |
US9563881B2 (en) | 2008-06-27 | 2017-02-07 | Microsoft Technology Licensing, Llc | Fair payment protocol with semi-trusted third party |
Also Published As
Publication number | Publication date |
---|---|
EP1163752A1 (en) | 2001-12-19 |
AU4467200A (en) | 2000-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Gennaro et al. | RSA-based undeniable signatures | |
US9967239B2 (en) | Method and apparatus for verifiable generation of public keys | |
Boyd et al. | Off-line fair payment protocols using convertible signatures | |
AU705406B2 (en) | Secret-key certificates | |
US5131039A (en) | Optionally moderated transaction systems | |
US5373558A (en) | Desinated-confirmer signature systems | |
US4881264A (en) | Digital signature system and method based on a conventional encryption function | |
US20100100724A1 (en) | System and method for increasing the security of encrypted secrets and authentication | |
JP2002534701A (en) | Auto-recoverable, auto-encryptable cryptosystem using escrowed signature-only keys | |
Wang et al. | Untraceable off-line electronic cash flow in e-commerce | |
WO2014068427A1 (en) | Reissue of cryptographic credentials | |
Michels et al. | Breaking and repairing a convertible undeniable signature scheme | |
Brown et al. | Security of ECQV-certified ECDSA against passive adversaries | |
Gaud et al. | On the anonymity of fair offline e-cash systems | |
EP1163752A1 (en) | Optimistic authenticator systems | |
JPH11234263A (en) | Method and device for mutual authentication | |
Monnerat et al. | Efficient Deniable Authentication for Signatures: Application to Machine-Readable Travel Document | |
Zhang et al. | Efficient and optimistic fair exchanges based on standard RSA with provable security | |
Han et al. | Practical fair anonymous undeniable signatures | |
Le Trieu Phong et al. | New dlog-based convertible undeniable signature schemes in the standard model | |
López-García et al. | An e-voting protocol based on pairing blind signatures | |
Juang et al. | Fair blind threshold signatures based on discrete logarithm | |
Smith | Public Key Cryptosystems, Certificates, and Certification Authorities. | |
Waidner | Optimistic Fair Exchange of Digital Signatures |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | |
WWW | WIPO information: withdrawn in national office | Ref document number: 2000926087; Country of ref document: EP |
REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
WWE | WIPO information: entry into national phase | Ref document number: 2000926087; Country of ref document: EP |
WWP | WIPO information: published in national office | Ref document number: 2000926087; Country of ref document: EP |
NENP | Non-entry into the national phase | Ref country code: JP |