Patents by Inventor Silvio Micali

Silvio Micali has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 6134326
    Abstract: A communication method between a first and second party, in the presence of a trusted party, that enables a transaction in which the second party receives a first value produced by the first party and unpredictable to the second party if and only if the first party receives a second value produced by the second party and unpredictable to the first party. The method includes two basic steps: exchanging a first set of communications between the first and second parties without participation of the trusted party to attempt completion of the transaction, and if the transaction is not completed using the first set of communications between the first and second parties, having the trusted party take action to complete the transaction.
    Type: Grant
    Filed: April 2, 1997
    Date of Patent: October 17, 2000
    Assignee: Bankers Trust Corporation
    Inventor: Silvio Micali
  • Patent number: 6097811
    Abstract: A method and system for overcoming the problems associated with certificate revocation lists (CRL's), for example, in a public key infrastructure. The invention uses a tree-based scheme to replace the CRL.
    Type: Grant
    Filed: October 11, 1996
    Date of Patent: August 1, 2000
    Inventor: Silvio Micali
  • Patent number: 6026163
    Abstract: A distributed split-key cryptosystem and application in a public-key setting wherein each of a plurality of trustees independently selects his own secret-public key pair. The trustees combine their public encryption keys into a single public encryption key. This combined public key is used for an electronic auction and other secure transactions.
    Type: Grant
    Filed: December 12, 1996
    Date of Patent: February 15, 2000
    Inventor: Silvio Micali
  • Patent number: 5960083
    Abstract: A method of managing certificates in a communication system having a certifying authority and a directory. Preferably, the method begins by having the certifying authority generate certificates by digitally signing a given piece of data. At a later point in time, the certifying authority may produce a string that proves whether a particular certificate is currently valid without also proving the validity of at least some other certificates. The technique obviates use of certification revocation lists communicated between the certifying authority and the directory.
    Type: Grant
    Filed: March 24, 1997
    Date of Patent: September 28, 1999
    Inventor: Silvio Micali
  • Patent number: 5812670
    Abstract: Encryption is a common tool to achieve privacy of communication in networks whose lines are not physically protected. In most communication networks, however, having a sender S send an encrypted message to a recipient R does not hide the very fact that S has sent a message to R, and this may in itself constitute valuable information that the parties would rather keep confidential. A transmission method is described that (1) keeps the identities of senders and receivers confidential, but (2) can trace senders and receivers under certain given circumstances.
    Type: Grant
    Filed: February 28, 1996
    Date of Patent: September 22, 1998
    Inventor: Silvio Micali
  • Patent number: 5793868
    Abstract: Authenticating information about revoked certificates includes generating data identifying the revoked certificates, generating information about the revoked certificates including the data without including the revocation date of every one of the revoked certificates, and having the authority authenticate the information. The data may be generated by performing a hash of at least a portion of each of the certificates. Generating information about the revoked certificates may include adding a date indicating when the information was authenticated and may exclude the revocation date of any one of the revoked certificates in the list.
    Type: Grant
    Filed: November 5, 1996
    Date of Patent: August 11, 1998
    Inventor: Silvio Micali
  • Patent number: 5790665
    Abstract: An information retrieval system in which data is retrieved anonymously by a user with the assistance of one or more trusted agents.
    Type: Grant
    Filed: January 17, 1997
    Date of Patent: August 4, 1998
    Inventor: Silvio Micali
  • Patent number: 5717757
    Abstract: An authority provides authenticated information about a plurality of certificate identifiers by generating a data string identifying all the plurality of certificate identifiers and by having the authority authenticate one or more of the data string alone, the data string together with date information, or the data string together with additional information. The date information may include the date of authentication. The additional information may include a date of issuance of at least one of the certificates. The additional information may include certificate information about at least some of the issued certificates. The certificate information may include one or more of: revocation information or validity information of at least some of the issued certificates.
    Type: Grant
    Filed: November 19, 1996
    Date of Patent: February 10, 1998
    Inventor: Silvio Micali
  • Patent number: 5717759
    Abstract: A method for certifying public keys of a digital signature scheme in a communications system is provided. The secure communications system is one in which there are at least two levels of authorities. A user presents a piece of data to an intermediate level authority who, upon verifying the data, causes an issuing authority to issue a certificate that the piece of data possesses a given property. Although the certificate is compacted by not having it contain a public key of the intermediate authority, nonetheless, information is stored in order to keep the intermediate authority accountable.
    Type: Grant
    Filed: January 31, 1997
    Date of Patent: February 10, 1998
    Inventor: Silvio Micali
  • Patent number: 5666420
    Abstract: A communication method between a first and second party, in the presence of a trusted party, that enables a transaction in which the second party receives a first value produced by the first party and unpredictable to the second party if and only if the first party receives a second value produced by the second party and unpredictable to the first party. The method includes two basic steps: exchanging a first set of communications between the first and second parties without participation of the trusted party to attempt completion of the transaction, and if the transaction is not completed using the first set of communications between the first and second parties, having the trusted party take action to complete the transaction.
    Type: Grant
    Filed: November 18, 1996
    Date of Patent: September 9, 1997
    Inventor: Silvio Micali
  • Patent number: 5666414
    Abstract: A given decryption key is decomposed into at least two parts, for example, a first subkey and a second subkey. The first subkey may be verifiably secret-shared among a set of one or more trustees, whereas the trustees preferably receive no information at all about the second subkey. Reconstruction of the first subkey by the trustees does not yield a decryption key useful by itself in decrypting ciphertexts. The trustees, however, also receive a guarantee that once they reveal their shares to a given entity, the entity has the capability of determining the second subkey. Generally, the generation of the second subkey will be carried out by the entity using a brute force technique, although the calculation may be performed by still another party (or even the trustees themselves in cooperation with the entity). Once the second subkey is determined, the guarantee ensures that combination of the first and second subkeys yields a given decryption key that may then be used to decrypt ciphertexts.
    Type: Grant
    Filed: March 21, 1996
    Date of Patent: September 9, 1997
    Inventor: Silvio Micali
  • Patent number: 5666416
    Abstract: A method of managing certificates in a communication system having a certifying authority and a directory. Preferably, the method begins by having the certifying authority generate certificates by digitally signing a given piece of data. At a later point in time, the certifying authority may produce a string that proves whether a particular certificate is currently valid without also proving the validity of at least some other certificates. The technique obviates use of certification revocation lists communicated between the certifying authority and the directory.
    Type: Grant
    Filed: November 16, 1995
    Date of Patent: September 9, 1997
    Inventor: Silvio Micali
  • Patent number: 5638447
    Abstract: Digitally signing data includes collecting a group of signers, each having a public key and a corresponding secret key, a subgroup of signers each producing a partial digital signature of the data, and obtaining a combined signature of the data by combining the partial digital signatures of the data, where the combined digital signature keeps the subgroup of signers accountable for the data for which the subgroup of signers each produce a partial digital signature. Verifying a digital signature of data includes ascertaining members of a subgroup of signers that contributed to provide the digital signature of the data, determining a combined public key corresponding to individual secret keys of the subgroup of signers, and using the combined public key to verify that the subgroup of signers have each contributed to provide the digital signature of the data.
    Type: Grant
    Filed: May 15, 1996
    Date of Patent: June 10, 1997
    Inventor: Silvio Micali
  • Patent number: 5629982
    Abstract: A number of electronic communications methods are described involving a first and a second party (i.e., sender and recipient), with assistance from at least a trusted party, enabling electronic transactions in which the first party has a message for the second party. The first party, the second party and the trusted party undertake an exchange of transmissions, such that if all transmissions reach their destinations the second party only receives the message if the first party receives at least one receipt. Preferably, the identity of the first party is temporarily withheld from the second party during the transaction. At least one receipt received by the first party enables the first party to prove the content of the message received by the second party.
    Type: Grant
    Filed: August 20, 1996
    Date of Patent: May 13, 1997
    Inventor: Silvio Micali
  • Patent number: 5615269
    Abstract: There is described an electronic communications method between a first party and a second party, with assistance from at least a plurality of trustees, enabling an electronic transaction in which the first party having a selling reservation price (SRP) and the second party having a buying reservation price (BRP) may be committed to a transaction if a predetermined relationship between SRP and BRP is established, but not otherwise. The method begins by having each of the parties transmit shares of their respective reserve prices to the trustees. These shares are such that less than a given number of them does not provide enough useful information for reconstructing the reserve prices while a sufficiently high number of them allows such reconstruction. The trustees then take some action to determine whether the predetermined relationship exists without reconstructing SRP and BRP.
    Type: Grant
    Filed: February 22, 1996
    Date of Patent: March 25, 1997
    Inventor: Silvio Micali
  • Patent number: 5610982
    Abstract: Certifying data includes having a subgroup of authorities each contribute a partial digital signature of the data to enable computation of a combined signature where the subgroup includes some, but not all, of the total number of authorities capable of applying a partial signature to the data, issuing a certificate for the data, and storing information in order to keep the subgroup of authorities accountable for the data that the subgroup of authorities contribute to certify. In another scheme, certifying data can include having one or more lower-level authorities cause top-level authorities to receive an indication that the data is to be certified. A first subgroup of top-level authorities each applies a partial digital signature to the data. A certificate is issued containing a combined digital signature of a second subgroup of top-level authorities.
    Type: Grant
    Filed: May 15, 1996
    Date of Patent: March 11, 1997
    Inventor: Silvio Micali
  • Patent number: 5604804
    Abstract: A method for certifying public keys of a digital signature scheme in a communications system is provided. The secure communications system is one in which there are at least two levels of authorities. A user presents a piece of data to an intermediate level authority who, upon verifying the data, causes an issuing authority to issue a certificate that the piece of data possesses a given property. Although the certificate is compacted by not having it contain a public key of the intermediate authority, nonetheless, information is stored in order to keep the intermediate authority accountable.
    Type: Grant
    Filed: April 23, 1996
    Date of Patent: February 18, 1997
    Inventor: Silvio Micali
  • Patent number: 5537475
    Abstract: A digital signature scheme wherein the signature of a message M relative to a public key is computed by means of a secret key. The scheme begins by having the user select a number x independent of M. This step may occur off-line and before there is any knowledge of the particular message M to be signed. To sign the message, the routine computes a description of a function G which is dependent on the message M, and then applies the function G to x to produce a string z. The routine outputs z and a description of a second function F as the desired signature of the message M. Thus according to the invention a signature of the message is obtained by applying to an independent argument x a function dependent on M. This operation provides enhanced efficiency and security over the prior art and facilitates use of the scheme to allow multiple users of a secure communications system to share the same public key; alternatively, the scheme is useful for generating short certificates of public keys used in such systems.
    Type: Grant
    Filed: February 1, 1994
    Date of Patent: July 16, 1996
    Inventor: Silvio Micali
  • Patent number: 5519778
    Abstract: The present invention describes a method for enabling users of a cryptosystem to agree on secret keys. In one embodiment, a trusted agent chooses at least one individual key for each user, with at least a portion of such individual key being secret. At least some of the individual keys are then stored in physically secure devices, and the pair of users i and j use their individual keys to compute a common secret key. In another embodiment, each trustee of a group of trustees chooses at least one individual key for each user, with at least some portion of such individual key being secret. The keys chosen by a sufficiently small number of such trustees, however, are insufficient for computing the common secret key of the users. Other hardware and software key exchange protocols based on these two techniques are also disclosed.
    Type: Grant
    Filed: September 26, 1994
    Date of Patent: May 21, 1996
    Assignee: Silvio Micali
    Inventors: Frank T. Leighton, Silvio Micali
  • Patent number: RE35808
    Abstract: A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users [suspected of unlawful activities while protecting the privacy of law-abiding users], wherein each user is assigned a pair of matching secret and public keys. According to the method, each user's secret key is broken into shares. Then, each user provides a plurality of "trustees" pieces of information. The pieces of information provided to each trustee enable that trustee to verify that such information includes a "share" of a secret key of some given public key. Each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee or by sending messages to the user. Upon a predetermined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user [suspected of unlawful activity], the trustees reveal to the entity the shares of the secret key of such user.
    Type: Grant
    Filed: September 12, 1995
    Date of Patent: May 26, 1998
    Assignee: Bankers Trust Company
    Inventor: Silvio Micali