GB2434950A - Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings - Google Patents

Info

Publication number: GB2434950A
Authority: GB (United Kingdom)
Legal status: Withdrawn
Application number: GB0708876A
Other versions: GB0708876D0 (en)
Inventor: Wenbo Mao
Assignee: Hewlett Packard Development Co LP
Priority claimed from: GB0423889A (GB2419787B)

Classifications

    • H04L9/3073 Public key cryptography involving algebraic varieties (e.g. elliptic or hyper-elliptic curves) and involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

A computing entity, 11, has an associated static public/private key pair formed by a static private key comprising a secret (SA), and a static public key (P,R) comprising both a first element (P) and that element combined with the secret (SA). The secret (SA) is stored in higher-security storage provided, for example, by a smartcard, 20. A short-term private key (St) is provided for use by the computing entity 11 in effecting cryptographic operations during an operational period. This short-term private key (St) is generated, independently of any pending cryptographic operations, by mapping a string (str) to a second element (P') and multiplying that element by said secret (SA), the first and second elements (P,P') being such that a computable bilinear map exists for these elements. The short-term private key (St) is stored in lower-security storage, 15, in the computing entity, 11, for a limited period that encompasses the operational period in respect of which the key (St) was generated. A second embodiment relates to a cryptographic system comprising: a first entity arranged to use the private key of an associated static public/private key pair to form a plurality of different short-term private keys each for use during a corresponding limited operational period; a public key infrastructure for providing a certificate associating the first entity with the public key of its static public/private key pair; and a second entity arranged to use a known formula and known data to migrate the static public key of the first entity, whilst retaining the assurance provided by said certificate, to form short-term public keys each for use, during a corresponding said limited operational period, in carrying out cryptographic operations for which there exist complementary operations requiring use of the corresponding short-term private key.

Description

<p>Providing Short-Term Private Keys in Public-Key Cryptographic Systems</p>
<p>Field of the invention</p>
<p>The present invention relates to apparatus for providing short-term private keys in public-key cryptographic systems.</p>
<p>Background of the Invention</p>
<p>Public-key cryptographic systems are well known and involve the use of a public/private key-pair associated with a particular party. More particularly, assuming that the public/private key-pair is associated with a first party, Alice, and that Alice holds the private key and keeps it secret, a second party, Bob, can use the public key both to send a message in confidence to Alice, and to verify a digital signature applied by Alice to a message using her private key. Such a system relies on Bob trusting the association between the public key and Alice and this is often achieved by the use of a digital certificate issued and signed by a certification authority using their own public key. Of course, for Bob to trust the certificate, Bob must trust the association of the public key used to sign the certificate with the certification authority; this association may therefore itself be the subject of a further certificate issued by a higher certification authority and so on up a hierarchy of certification authorities until a root authority is reached. The infrastructure established by the hierarchy of certification authorities is referred to as a public key infrastructure, often abbreviated to "PKI". In fact, a PKI will generally also take care of key management issues such as generating and distributing new keys, and revoking out-of-date keys. Due to the overhead involved in issuing and revoking keys, it is generally impractical with a large-scale PKI for keys to be updated frequently. Accordingly, private keys must be stored securely to ensure that they can have a long operational lifetime.</p>
<p>As will become apparent hereinafter, embodiments of the present invention make use of cryptographic techniques using bilinear mappings. Accordingly, a brief description will now be given of certain such prior art techniques.</p>
<p>In the present specification, G1 and G2 denote two algebraic groups of large prime order l in which the discrete logarithm problem is believed to be hard and for which there exists a non-degenerate computable bilinear map p, for example, a Tate pairing or Weil pairing.</p>
<p>Note that G1 is an [l]-torsion subgroup of a larger algebraic group G0 and satisfies [l]P = 0 for all P ∈ G1 where 0 is the identity element, l is a large prime, and l * cofactor = number of elements in G0. The group G2 is a subgroup of a multiplicative group of a finite field.</p>
<p>For the Weil pairing, the bilinear map p is expressed as p: G1 × G1 → G2.</p>
<p>The Tate pairing can be similarly expressed, though it is possible for it to be of asymmetric form: p: G1 × G0 → G2. Generally, the elements of the groups G0 and G1 are points on an elliptic curve (typically, though not necessarily, a supersingular elliptic curve); however, this is not necessarily the case.</p>
<p>As is well known to persons skilled in the art, for cryptographic purposes, modified forms of the Weil and Tate pairings are used that ensure p(P, P) != 1 where P ∈ G1; however, for convenience, the pairings are referred to below simply by their usual names without labeling them as modified. Further background regarding Weil and Tate pairings and their cryptographic uses can be found in the following references: - G. Frey, M. Müller, and H. Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 45(5):1717-1719, 1999.</p>
<p>- D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229. Springer-Verlag, 2001.</p>
<p>For convenience, the examples given below assume the use of a symmetric bilinear map (p: G1 × G1 → G2) with the elements of G1 being points on an elliptic curve of general form y^2 = x^3 + ax + b where x and y are variables and a and b are constants; however, these particularities are not to be taken as limitations on the scope of the present invention.</p>
<p>As the mapping between G1 and G2 is bilinear, then for P, Q, R ∈ G1, both: p(P+Q, R) = p(P, R) * p(Q, R) and p(P, Q+R) = p(P, Q) * p(P, R). Furthermore, exponents/multipliers can be moved around. Thus, where aP represents the scalar multiplication of P by an integer a (that is, P added to itself a times), then for integers a, b, c ∈ Z_l: p(aP, bQ)^c = p(aP, cQ)^b = p(bP, cQ)^a = p(bP, aQ)^c = p(cP, aQ)^b = p(cP, bQ)^a = p(abP, Q)^c = p(abP, cQ) = p(P, abQ)^c = p(cP, abQ) = p(abcP, Q) = p(P, abcQ) = p(P, Q)^(abc). Additionally, the following cryptographic hash functions are defined: H1: {0,1}* → G1; H2: {0,1}* → Z*_l; H3: G2 → {0,1}*. The function H1() is often referred to as the map-to-point function as it serves to convert a string input to a point on the elliptic curve being used.</p>
<p>A normal public/private key-pair can be defined for a trusted authority: the private key is s where s ∈ Z_l and the public key is (P, R) where P and R are respectively master and derived public elements with P ∈ G1 and R ∈ G1, P and R being related by R = sP. Additionally, an identifier-based public key / private key-pair can be defined for a party with the cooperation of the trusted authority. As is well known to persons skilled in the art, in "identifier-based" cryptographic methods a public, cryptographically unconstrained, string is used in conjunction with public data of a trusted authority to carry out tasks such as data encryption or signing. The complementary tasks, such as decryption and signature verification, require the involvement of the trusted authority to carry out computation based on the public string and its own private data. In message-signing applications and frequently also in message encryption applications, the string serves to "identify" a party (the sender in signing applications, the intended recipient in encryption applications); this has given rise to the use of the label "identifier-based" or "identity-based" generally for these cryptographic methods. However, at least in certain encryption applications, the string may serve a different purpose to that of identifying the intended recipient and, indeed, may be an arbitrary string having no other purpose than to form the basis of the cryptographic processes. Accordingly, the use of the term "identifier-based" herein in relation to cryptographic methods and systems is to be understood simply as implying that the methods and systems are based on the use of a cryptographically unconstrained string whether or not the string serves to identify the intended recipient. Furthermore, as used herein the term "string" is simply intended to imply an ordered series of bits whether derived from a character string, a serialized image bit map, a digitized sound signal, or any other data source.</p>
<p>In the present case, the identifier-based public / private key-pair defined for the party has a public key Q_ID and private key S_ID where Q_ID, S_ID ∈ G1. The trusted authority's normal public/private key-pair (P, R / s) is linked with the identifier-based public/private key by S_ID = sQ_ID and Q_ID = H1(ID) where ID is the identifier string for the party.</p>
<p>Some typical uses for the above described key-pairs will now be given with reference to Figure 1 of the accompanying drawings that depicts a trusted authority 1 with a public key (P, sP) and a private key s. A party A serves as a general third party whilst for the identifier-based cryptographic tasks (IBC) described, a party B has an IBC public key Q_ID and an IBC private key S_ID, this latter key being generated by private-key generation functionality of the trusted authority 1 from the identifier ID of party B. The trusted authority will generally only provide the party B with its private key after having checked that party B is entitled to the identifier ID (for example, by having verified that party B meets certain conditions specified in the identifier, such as an identity condition).</p>
<p>Short Signatures (see dashed box 2): The holder of the private key s (that is, the trusted authority 1 or anyone to whom the latter has disclosed s) can use s to sign a bit string; more particularly, where m denotes a message to be signed, the holder of s computes a signature element Sig as follows: Sig = sH1(m).</p>
<p>Verification by party A involves this party checking that the following equation is satisfied: p(P, Sig) = p(R, H1(m)). This is based upon the mapping between G1 and G2 being bilinear in exponents/multipliers, as described above. That is to say, p(P, Sig) = p(P, sH1(m)) = p(P, H1(m))^s = p(sP, H1(m)) = p(R, H1(m)). Further description of short signatures of this form can be found in "Short signatures from the Weil pairing", Boneh, D., B. Lynn, and H. Shacham, in Advances in Cryptology - ASIACRYPT 2001, LNCS 2248, pages 514-532, Springer-Verlag, 2001.</p>
<p>Identifier-Based Encryption (see dashed box 3): Identifier based encryption allows the holder of the private key S_ID of an identifier based key-pair (in this case, party B) to decrypt a message sent to them encrypted (by party A) using B's public key Q_ID.</p>
<p>More particularly, party A, in order to encrypt a message m, first computes: U = rP where r is a random element of Z*_l. Next, party A computes: V = m ⊕ H3(p(R, rQ_ID)). Party A now has the ciphertext elements U and V which it sends to party B. Decryption of the message by party B is performed by computing: V ⊕ H3(p(U, S_ID)) = V ⊕ H3(p(rP, sQ_ID)) = V ⊕ H3(p(P, Q_ID)^(rs)) = V ⊕ H3(p(sP, rQ_ID)) = V ⊕ H3(p(R, rQ_ID)) = m. The foregoing example encryption scheme is the "BasicIdent" scheme described in the above-referenced paper by D. Boneh and M. Franklin. As noted in that paper, this basic scheme is not secure against a chosen ciphertext attack (the scheme only being described to facilitate an understanding of the principles involved; a fully secure scheme is described later on in the paper and the reader should refer to the paper for details).</p>
<p>Identifier-Based Signatures (see dashed box 4): Identifier based signatures using pairings can be implemented. For example: Party B first computes: g = p(P, S_ID)^r where r is a random element of Z*_l.</p>
<p>Party B then applies the hash function H2 to m||g (concatenation of m and g, with g having been first converted to string form) to obtain: h = H2(m || g). Thereafter party B computes W = (r - h)S_ID thus generating the output W and h as the signature on the message m.</p>
<p>Verification of the signature by party A can be established by computing: g' = p(P, W) * p(R, Q_ID)^h where the signature can only be accepted if h = H2(m || g').</p>
<p>Summary of the Invention</p>
<p>According to one aspect of the present invention, there is provided a cryptographic system comprising: a first entity arranged to use the private key of an associated static public/private key pair to form a plurality of different short-term private keys each for use during a corresponding limited operational period; a public key infrastructure for providing a certificate associating the first entity with the public key of its static public/private key-pair; and a second entity arranged to use a known formula and known data to migrate the static public key of the first entity, whilst retaining the assurance provided by said certificate, to form short-term public keys each for use, during a corresponding said limited operational period, in carrying out cryptographic operations for which there exist complementary operations requiring use of the corresponding short-term private key.</p>
<p>Each of the first and second entities can be a person or organisational entity acting through a computing agent, or a computing entity itself. According to a further aspect of the present invention, there is provided a certificate authority of a public key infrastructure, the certificate authority being arranged to provide certificates each certifying an association between an identified entity and the public key of a static public/private key-pair the private key of which is held by the identified entity, at least one certificate also including a formula by which the corresponding public key is to be migrated to form short-term public keys each for use during a corresponding limited operational period in carrying out cryptographic operations pertaining to the identified entity concerned.</p>
<p>Brief Description of the Drawings</p>
<p>Embodiments of the invention will now be described, by way of non-limiting example, with reference to the accompanying diagrammatic drawings, in which: Figure 1 is a diagram showing prior art cryptographic processes based on elliptic curve cryptography; and Figure 2 is a diagram illustrating an embodiment of the invention.</p>
<p>Best Mode of Carrying Out the Invention</p>
<p>Figure 2 illustrates an arrangement in which a first party A ("Alice") with smartcard 20 has use of a first computing entity 11, and a second party B ("Bob") has use of a second computing entity 12; by way of example, both computing entities are desktop computers or portable computers. The computing entity 11 comprises a conventional file system 15 for managing data and programs held on a mass storage device, a processing unit 16, a network interface 41, and a smartcard interface 17 with which the smartcard 20 can be detachably engaged for the exchange of data with the computing entity 11. The computing entity 12 comprises a conventional file system 18, a processing unit 19, and a network interface 42.</p>
<p>The computing entities 11 and 12 inter-communicate, for example, via the internet or other computer network 40, though it is also possible that the entities actually reside on the same computing platform or that communication between entities is effected by the physical transfer of a data storage medium.</p>
<p>A long-term or "static" public/private key-pair is associated with Alice. The static private key s_A of this key-pair is stored in Alice's smartcard 20 whilst the static public key of the key-pair is stored in the file system 15 of Alice's computer 11 (that is, the public key is stored on the mass storage device of the computer and is accessible under the same limited access control restrictions as the normal files of the computer).</p>
<p>Alice's static public key comprises a first component P constituted by a first point on a predetermined elliptic curve, and a second component R constituted by the scalar product of the point P with the secret s_A, this second component R (= s_A P) also being a point on the predetermined elliptic curve. As is well known in the field of elliptic curve cryptography, because the discrete logarithm problem is hard, a third party given P and s_A P cannot discover s_A from s_A P.</p>
<p>Alice's static public key (P, R) is, for example, initially generated using the smartcard 20 with its installed secret s_A. Alternatively, both Alice's static private key s_A and static public key (P, R) can be created by a trusted third party and then installed respectively in the smartcard 20 and computing entity 11. However Alice's static public/private key-pair is created, a certification authority 14 of a public key infrastructure 13 is arranged to issue a certificate CertA (for example, an X.500 certificate) that vouches for the association of the static public key (P, R) with Alice after having checked this association. Conveniently, the certification authority 14 itself generates Alice's static key-pair and issues the key-pair in a secure way to Alice along with a copy of the certificate CertA.</p>
<p>Alice's computer 11 also holds in its file system 15 the current version of a short-term private key S_t and, optionally, a corresponding short-term public key element P_t. These short-term public and private key elements are used by the computer 11 to carry out cryptographic operations during a short operational period, for example, one calendar day or one hour, before being superseded; holding the current versions of the short-term public and private key elements in the file system 15 has the advantage that they are readily accessible to the processing unit 16. Each version of the short-term private key is only held in the relatively insecure file system 15 of the computer 11 for a limited period that encompasses the operational period to which it applies; thereafter, that version of the short-term private key is either destroyed or removed to a more secure storage. By only using any one version of the short-term public and private key elements for a limited operational period, and by only keeping that version of the short-term private key in the low security file system for a limited period, the overall security risk of holding an operational private key in the low security file system is minimised. How the short-term keys are created and used will be described hereinafter.</p>
<p>Bob's computer 12 also stores Alice's static public key (P, R) in its file system 18 along with the certificate CertA, these data having been obtained either from Alice's computer 11 or from another source such as the certification authority 14. In standard manner, Bob can use the certificate CertA to verify the association of the static public key (P, R) with Alice by referring to the certification authority 14 and, if needed, to other, higher-level, certification authorities of the PKI 13.</p>
<p>The file system 18 of Bob's computer may also hold Alice's current short-term public key element P_t, Bob's computer 12 having either fetched this key element from Alice's computer 11 or independently created it. Whilst Bob's computer 12 can be arranged to fetch or create Alice's current short-term public key element as and when required without referring to the file system 18, it will generally be more efficient to hold the short-term public key element P_t, once obtained, in the file system 18 since even though the operational period of the key element P_t is only short term, multiple usages of the key element P_t during the period are still likely following a first usage.</p>
<p>Before describing the creation and usage of the short-term key elements P_t and S_t, a description will be given of Alice's smartcard 20. As used herein, the term "smartcard" is intended to include any small-sized device (such as a credit-card sized object) incorporating memory and processing functionality, usually on a single chip, that is externally accessible by any suitable interface whether using physical contacts or non-contact means. Preferably, at least the memory will be tamper resistant/tamper proof. The smartcard 20 comprises an input/output interface functional block 21 and a cryptographic functional block 24 (shown in dashed outline).</p>
<p>The interface block 21 comprises a data input channel 30, a data output channel 31, and an access security entity 22. The interface block 21 is adapted to permit the smartcard to be coupled with the smartcard interface 17 provided on the computer 11. The access security entity 22 is, for example, implemented to require the input of a PIN code before allowing use of the smartcard, this code being input by a user (in this case, Alice) via apparatus with which the smartcard is operatively coupled.</p>
<p>The input channel 30 is arranged to receive a cryptographically unconstrained input string (generically, string str) whilst the output channel 31 is arranged to output an element P''.</p>
<p>The form in which the element P'' is output can be set by entity 29 of interface block 21 to be, for example, of string form.</p>
<p>The cryptographic block 24 of smartcard 20 comprises the following functional entities: - a non-volatile memory 26 for holding the secret s_A (for example, installed in the card during manufacture, generated at initialization of the card by suitable random number generation circuitry provided on the card, or loaded into the card at initialization via a suitable interface); - a Map-To-Point entity 27 for receiving the string str from the input channel 30 and mapping this string to an element P' of an algebraic group according to a known one-way mapping function; - a product entity 28 for multiplying the element P' by the stored secret s_A to form a further element P'' of the same algebraic group as the element P', the element P'' being output on output channel 31 (as indicated in dashed lines, the element P' can also be arranged to be output on channel 31).</p>
<p>Preferably, the elements P' and P'' are points on the same elliptic curve of general form y^2 = x^3 + ax + b where x and y are variables and a and b are constants. The various hash functions already described above with reference to the Figure 1 examples will be used for the examples given below; in particular, the map-to-point function implemented by entity 27 is the hash function H1().</p>
<p>Various usages of a smartcard of the above-described form are set out in our co-pending UK patent application No. 0326100.5 filed November 8, 2003.</p>
<p>By its very nature, the smartcard 20 provides a more secure storage environment for Alice's static private key s_A than the file system 15 of the computer 11. Features that contribute to this greater security include: - the personal nature and portability of the smartcard 20 enabling Alice to keep it with her at all times (whilst the computer 11 may be portable it may not be personal and is far less convenient to be kept by Alice at all times); - the limited external computer access possibilities to the smartcard consequent on the fact that the smartcard is only vulnerable to such access when interfaced with a computer and that the card will generally only need to interface with a computer for short periods; - the inherently tamper-resistant nature of the memory used to store the secret s_A (in contrast, it is a relatively simple matter to read data from the mass storage device of computer 11 if physical access to that device is possible); - the more reliable access control features (PIN etc.) provided on the smartcard (whilst most computers do provide access control features, these are often not activated whereas those provided on a smartcard cannot generally be de-activated by the user).</p>
<p>Any one or more of these features results in the smartcard 20 being more secure for storage of the secret s_A than the file system 15 of the computer 11. It will also be noted that because the smartcard 20 includes the required functionality for effecting point multiplication, the secret s_A does not need to be copied into the computer 11 at any stage.</p>
<p>Consideration will now be given as to how Alice's short-term key elements are generated and used.</p>
<p>In order to generate a short-term private key S, for an operational period such as the current day, Alice inserts her smartcard 20 into the interface 17 of the computer 11 and activates a key generation program 50 for execution by the processing unit 16. Key generation then proceeds as follows: -the computer I I generates a string (sir), which in a prelrred enibodinient is a concatenation of the x coordinate P, of the point P (a component ofAlice's static public key) and the current date: (str), = P, current date -the string (str), is passed to the smartcard 20 which maps the string (sir), to a point P, on the same elliptic curve asP using the map-to-point hash function H10, and nîultiplies the point P, by the secret s i, the result being output on channel 3 1 as the short-terni private key S,: P, = H( (sir), ) SI = S -the short-term private key S, is stored in the file system 15 of the computer 11 -the point P, can also be output by the smartcard 20 and stored in the file system IS as the short-term public key element corresponding to S,; alternatively, the program 50 can be arranged to compute P, itself fbr storage in the file system 15 or as and when required.</p>
<p>The program 50 is also arranged to set the operational period over which the current short-term key elements are to he used by the computer I I for cryptographic operations. Thus, the program 50 provides a user interface for enabling the Alice to specify the operational period (or defaults to a suitably short period); the program 50 is also responsible for automatically removing at least the short-term private key S, from the lile system 15 at the end of the associated operational period.</p>
<p>It will be appreciated that generally (though not necessarily) there will be multiple successive operational periods during which the computer 11 is to carry out cryptographic operations using short-term keys based on the same static public/private key-pair. 11 will be further appreciated that the short-term keys for different operational periods should differ from each other; in this respect, it may be noted that where there is only one operational period per calendar day, then the foregoing formula for the string (str)1 ensures that the string, and thus the short-term private key S,. will be unique for each operational period.</p>
<p>Bob's computer 12 is arranged to run a program 55 to generate Alice's short-term public key element P, lbr the current operational period of Alice's computer I I either for storage in the lile system 18 and subsequent use as and when required, or simply as and when required. This, oI'course, requires Bob's computer 12 to know the lormulaic basis and data upon which Alice's computer creates the string (str), and this information is preferably obtained in advance or is predictable (for exaniple, in the present case the formula for generating (str), could be included in the certificate certA or obtained from the computer II, whilst the component P, will already be available as part of Alice's static public key and the date component will be known). Bob's computer 12 preferably also knows the extent of the operational period for which the short-term public key element is valid, this information being obtained in the same way as that required for constructing the string (str),.</p>
<p>As will become apparent hereinafter, in order for Bob's computer to carry out cryptographic operations during an operational period that complement operations executed or to be executed by Alice's computer using the short-term private key $S_t$ for the period concerned, Bob's computer must utilise Alice's static public key $(P, R)$ as well as the short-term public key element $P_t$ determined for the period concerned. It is therefore convenient to consider the short-term public key for an operational period to be made up not only of the element $P_t$ but also of the elements $P$ and $R$ from Alice's static public key; in other words, the short-term public key comprises $(P, R, P_t)$.</p>
<p>Two example cryptographic processes will now be described that make use of Alice's current short-term private key $S_t$ and short-term public key $(P, R, P_t)$. Each process comprises a cryptographic operation carried out by one of Alice's and Bob's computers 11, 12 and a subsequent complementary cryptographic operation carried out by the other of Alice's and Bob's computers 11, 12.</p>
<p>Encryption/Decryption</p>
<p>This encryption/decryption process is similar to that described above with reference to dashed box 3 of Figure 1. Suppose that Bob wishes to send confidential subject data (message $m$) to Alice. To do this, Bob initiates the running of an encryption program 56 by the processing unit 19 of computer 12, this program being supplied with the message $m$ as input and having access to Alice's short-term public key $(P, R, P_t)$ in a manner already described above. Under the control of program 56, Bob's computer 12:</p>
<ul>
<li>generates a random secret $r$ with $r \in \mathbb{Z}_q$;</li>
<li>computes $U = rP$;</li>
<li>computes a key $k_t$ applicable to the current operational period: $k_t = H_3(p(R, rP_t))$, where $p(\cdot,\cdot)$ is a bilinear mapping function (for example, the Weil or Tate pairing) and $H_3(\cdot)$ is the hash function previously defined;</li>
<li>uses the key $k_t$ to encrypt the message $m$ using an encryption function $E(\cdot)$: $V = E(k_t, m)$, where an example encryption function is the exclusive-OR, $V = m \oplus k_t$, though other functions are, of course, possible;</li>
<li>sends $U$ and $V$ to Alice's computer 11.</li>
</ul>
<p>Bob can trust that only Alice (that is, only a computing entity associated with Alice, such as computer 11) can decrypt the encrypted message $V$, because the message has been encrypted using the element $R$ ($= s_A P$) of Alice's public key and decrypting it requires the secret $s_A$, in the form of the short-term private key $S_t = s_A P_t$.</p>
<p>To decrypt the encrypted message $V$, Alice's computer 11 initiates the running of a decryption program 51 by the processing unit 16 of computer 11, this program being supplied with the encrypted message $V$ and the element $U$ as input and having access to Alice's current short-term private key $S_t$ in file system 15. Under the control of program 51, Alice's computer 11:</p>
<ul>
<li>uses the short-term private key $S_t$ to compute the key $k_t$: $k_t = H_3(p(U, S_t))$, it being straightforward to show from the bilinearity of $p(\cdot,\cdot)$ that this equals the key computed by Bob's computer 12:
$$H_3(p(U, S_t)) = H_3(p(rP, s_A P_t)) = H_3\big(p(P, P_t)^{r s_A}\big) = H_3(p(s_A P, rP_t)) = H_3(p(R, rP_t));$$</li>
<li>decrypts the encrypted message $V$ using the decryption function $D(\cdot)$: $m = D(k_t, V)$, which in the case of the example exclusive-OR encryption function becomes $m = V \oplus k_t$.</li>
</ul>
<p>Since the decryption process does not involve Alice's static private key $s_A$ by itself but only as combined with $P_t$ in the short-term private key $S_t$, decryption does not require the presence of the smartcard in the interface 17; thus, decryption can be carried out without Alice being present (which would not be the case if direct use of the secret $s_A$ were required, as Alice will generally take the smartcard 20 with her when leaving the computer 11).</p>
<p>Signature/Verification</p>
<p>This signature/verification process is similar to that described above with reference to dashed box 4 of Figure 1. Alice can sign subject data (again, taken to be a message $m$) such that Bob can verify that the signed message originated from Alice. To do this, Alice initiates the running of a signature program 52 by the processing unit 16 of computer 11, this program being supplied with the message $m$ as input and having access to Alice's current short-term private key $S_t$ and Alice's static public key $(P, R)$ in file system 15. Under the control of program 52, Alice's computer 11:</p>
<ul>
<li>generates a random secret $r$ with $r \in \mathbb{Z}_q$;</li>
<li>computes $g = p(S_t, P)^r$, where $p(\cdot,\cdot)$ is a bilinear mapping function (for example, the Weil or Tate pairing), it being appreciated that a number of equivalent arrangements of the same components are possible;</li>
<li>converts $g$ to a string and computes $h = H_2(m \,\|\, g)$, where $H_2(\cdot)$ is the hash function previously defined;</li>
<li>computes $W = (r - h)\, S_t$;</li>
<li>sends the message $m$ and the signature components $W$ and $h$ to Bob's computer 12.</li>
</ul>
<p>Again, since the signature process does not involve Alice's static private key $s_A$ by itself but only as combined with $P_t$ in the short-term private key $S_t$, signing does not require the presence of the smartcard in the interface 17; thus, signing can be carried out without Alice being present.</p>
<p>To verify that the received form $m'$ of the message is an uncorrupted message sent by Alice, Bob initiates the running of a verification program 57 by the processing unit 19 of computer 12, this program being supplied with the received message $m'$ and the received signature components $W'$ and $h'$ as input and having access to Alice's short-term public key $(P, R, P_t)$ in a manner already described above. Under the control of program 57, Bob's computer 12:</p>
<ul>
<li>computes $g' = p(P, W') \cdot p(R, P_t)^{h'}$;</li>
<li>converts $g'$ to a string and checks whether $h' = H_2(m' \,\|\, g')$; if so, the received message is taken to be the message $m$ sent by Alice, otherwise the message is discarded.</li>
</ul>
<p>The check succeeds for a genuine signature because, by bilinearity and the symmetry of the pairing, $p(P, (r-h)S_t) \cdot p(R, P_t)^{h} = p(P, P_t)^{s_A(r-h)} \cdot p(P, P_t)^{s_A h} = p(P, P_t)^{s_A r} = p(S_t, P)^r = g$, so that $g' = g$ whenever $m' = m$, $W' = W$ and $h' = h$. Bob can trust that the verification check will only be passed if Alice signed the message, because only Alice (that is, only a computing entity associated with Alice, such as computer 11) has access to the secret $s_A$, and use of this secret during the signing process is necessary for the verification check to be passed, as this check involves the element $R$ ($= s_A P$).</p>
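<p>The encryption/decryption and signature/verification procedures above, run end to end in Python as an added example; this is not code from the patent or from Hewlett Packard. Everything the page leaves to earlier sections or to the implementer is an assumption here: the bilinear map is the modified Tate pairing on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$ (embedding degree 2, so the pairing is symmetric in its arguments), $q$ is the prime order of the group generated by $P$; $H_1$ (the map from $(str)_t$ to the point $P_t$), $H_2$ and $H_3$ are SHA-256 constructions; $(str)_t$ is encoded as the decimal x coordinate of $P$, a separator and the date; and the exclusive-OR encryption is extended to messages longer than $k_t$ with a SHA-256 counter keystream. The parameters are deliberately tiny (a prime $q$ near $10^7$) so that the run takes well under a second; they give no security. What the run shows is what the derivations above claim: Alice's $k_t = H_3(p(U, S_t))$ equals Bob's $H_3(p(R, rP_t))$, a signature produced from $S_t$ alone verifies against $(P, R, P_t)$, and a short-term key for a different operational period neither decrypts nor verifies.</p>

```python
"""Toy end-to-end run of the short-term-key scheme (added example, not the
patent's code).  Bilinear map: modified Tate pairing on the supersingular curve
y^2 = x^3 + x over F_p, p = 3 (mod 4), embedding degree 2.  H1/H2/H3 are SHA-256
constructions and q is tiny: this exhibits the algebra, not a secure system."""
import hashlib, secrets
def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))
# q prime with p = 4q - 1 also prime, so #E(F_p) = p + 1 = 4q and G1 = E(F_p)[q]
q = next(c for c in range(10 ** 7 + 1, 10 ** 8, 2) if is_prime(c) and is_prime(4 * c - 1))
p = 4 * q - 1

def ec_add(A, B):                       # affine addition; None = point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % p == 0: return None
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):                       # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R
def fp2_mul(u, v):                      # F_{p^2} = F_p[i]/(i^2 + 1); (a, b) = a + b*i
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)
def fp2_pow(u, e):
    r = (1, 0)
    while e:
        if e & 1: r = fp2_mul(r, u)
        u, e = fp2_mul(u, u), e >> 1
    return r

def pairing(A, B):
    """p(A, B) = reduced Tate pairing e_q(A, phi(B)), phi(x, y) = (-x, i*y).
    Vertical-line factors lie in F_p and die in the final exponentiation."""
    xq, yq = (-B[0]) % p, B[1]          # phi(B) = (xq, yq*i)
    f, T = (1, 0), A
    for bit in bin(q)[3:]:              # Miller loop over the bits of q
        x1, y1 = T
        lam = (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p          # tangent at T
        f = fp2_mul(fp2_mul(f, f), ((-y1 - lam * (xq - x1)) % p, yq))
        T = ec_add(T, T)
        if bit == "1":
            x1, y1 = T
            if x1 != A[0]:              # chord through T and A (vertical if T = -A)
                lam = (A[1] - y1) * pow(A[0] - x1, -1, p) % p
                f = fp2_mul(f, ((-y1 - lam * (xq - x1)) % p, yq))
            T = ec_add(T, A)
    assert T is None                    # q*A = O
    return fp2_pow(f, (p * p - 1) // q)

def hash_to_point(data):                # H1: try-and-increment, then clear cofactor 4
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(data + bytes([ctr])).digest(), "big") % p
        rhs = (x ** 3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)   # square root when p = 3 mod 4
        Pt = ec_mul(4, (x, y)) if y * y % p == rhs else None
        if Pt is not None: return Pt
    raise ValueError("no point found")

P = hash_to_point(b"base point")        # public generator of G1 (assumed)
def gt_bytes(g): return g[0].to_bytes(8, "big") + g[1].to_bytes(8, "big")
def H2(m, g): return int.from_bytes(hashlib.sha256(b"H2" + m + gt_bytes(g)).digest(), "big") % q
def H3(g): return hashlib.sha256(b"H3" + gt_bytes(g)).digest()
def xor_stream(k, data):                # E(k, m) = m XOR keystream(k); D is the same
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def static_keygen():                    # Alice (smartcard): s_A and (P, R = s_A P)
    s = secrets.randbelow(q - 1) + 1
    return s, (P, ec_mul(s, P))

def derive_Pt(pub, day):                # P_t from (str)_t = x(P) || date (encoding assumed)
    return hash_to_point(f"{pub[0][0]}|{day}".encode())
def short_term_private(s, pub, day):    # Alice, once per period: S_t = s_A P_t
    return ec_mul(s, derive_Pt(pub, day))
def short_term_public(pub, day):        # Bob, independently: (P, R, P_t)
    return pub + (derive_Pt(pub, day),)

def encrypt(st_pub, m):                 # Bob: U = rP, k_t = H3(p(R, rP_t)), V = E(k_t, m)
    P_, R, Pt = st_pub
    r = secrets.randbelow(q - 1) + 1
    return ec_mul(r, P_), xor_stream(H3(pairing(R, ec_mul(r, Pt))), m)
def decrypt(St, U, V):                  # Alice: k_t = H3(p(U, S_t)); smartcard not needed
    return xor_stream(H3(pairing(U, St)), V)

def sign(St, pub, m):                   # Alice: g = p(S_t, P)^r, h = H2(m||g), W = (r - h) S_t
    while True:
        r = secrets.randbelow(q - 1) + 1
        h = H2(m, fp2_pow(pairing(St, pub[0]), r))
        if (r - h) % q: return ec_mul((r - h) % q, St), h
def verify(st_pub, m, W, h):            # Bob: g' = p(P, W) * p(R, P_t)^h, check h == H2(m||g')
    P_, R, Pt = st_pub
    return H2(m, fp2_mul(pairing(P_, W), fp2_pow(pairing(R, Pt), h))) == h
```

<p>The function names (static_keygen, derive_Pt, short_term_private, short_term_public, xor_stream and the rest) are this example's own. static_keygen() stands in for the smartcard; short_term_private(s, pub, day) is the only routine that touches $s_A$, while encrypt, decrypt, sign and verify operate on $S_t$ and $(P, R, P_t)$ alone, which is the whole point of migrating the key. Bob never receives $P_t$ from Alice: short_term_public(pub, day) recomputes it from the public key and the date, exactly as program 55 does above.</p>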
<p>It should also be noted that other reasons may exist for using migrating short-term keys besides that of wishing to use the more accessible but less secure file system of Alice's computer for private-key storage. For example, Alice may wish to delegate her work to subordinates by giving each a short-term private key for the respective period for which they are responsible; each subordinate may store the short-term private key in storage of equal security to that used by Alice for her static private key. In such a situation, key migration still provides advantages even though the short-term private keys may not be any more accessible, or any more insecure, than the static private key.</p>
<p>Variants</p>
<p>Many variants are possible to the above-described embodiment of the invention and some of these variants will now be described.</p>
<p>With respect to how the string $(str)_t$ is formed for the or each operational period, there are three main considerations. Firstly, Alice (that is, Alice's agent computer 11) must be able to derive the string $(str)_t$ independently of any pending cryptographic operation, since no such operation may be pending when Alice is present with her smartcard 20. Thus, the string $(str)_t$ should not be derived, for example, on the basis of Bob sending an encrypted message along with a string to be used to form the key for decrypting that message.</p>
<p>Secondly, Bob as well as Alice must be able to derive or obtain the string $(str)_t$. This can be achieved by Alice and Bob agreeing in advance a formula for deriving the string, the formula using data that is either available to or obtainable by both Alice and Bob. Alternatively, Alice and Bob can simply agree in advance a set of one-time strings that they will use, each party then storing the set and taking a string for use from the set as and when needed. A further possibility is that Alice is in sole control of determining the string and Bob must obtain the string from Alice as and when needed.</p>
<p>Thirdly, where there are multiple operational periods, there should be a high probability that the string used for any one period is different from that used for any other period (and preferably it is unique). Uniqueness can be guaranteed by incorporating into the string $(str)_t$ a date or time of the period concerned, as measured from a reference that is the same for all operational periods. However, this is not the only way of ensuring uniqueness; for example, an incrementing count of the operational periods will also provide uniqueness. It would also be possible, at least in theory, to store all previously used strings and then randomly choose a candidate string for the next operational period, but only use it if found to be unique as compared with the previously used strings. In fact, provided that the probability of repeated occurrence of a particular string is low, a random technique can be used to generate the string $(str)_t$ without the need to effect a comparison with previously used strings; this is because the concern is to achieve a particular degree of security, so that if other factors permit, some relaxation of the uniqueness criterion is possible.</p>
<p>Thus, whilst the previously given formula for $(str)_t$, involving the x coordinate of the point $P$ and the current date, is a preferred formulation for the string, neither of these components is in itself essential. As with the given formula for the string $(str)_t$, the string can be composed of multiple components, though it is also possible to use a single component.</p>
<p>With regard to the duration of the or each operational period, this can be set by specific times or by a specific duration; alternatively, the beginning and/or end of an operation period can be triggered by a non-time-related event.</p>
<p>It is to be noted that the short-term private key associated with a given operational period can be held in the low-security storage represented by the file system 15 of computer 11 for a limited period that is greater than the operational period itself; this is because the degree of security required may allow for such longer retention. Thus, it may be convenient to allow for a short-term private key to be created and stored in the file system 15 in advance of the operational period to which it applies, so that where Alice knows in advance that she will not be present (and thus her smartcard will not be available) at the time of the next operational period, Alice can cause the short-term private key for that period to be generated in advance and stored ready for the commencement of the operational period.</p>
<p>It will be appreciated that whilst in the described embodiment Alice's static private key $s_A$ has been stored in a smartcard, other relatively secure storage environments can be used to store the static private key. Other suitable secure storage environments include a memory card or other removable memory device, and encrypted storage in the computer 11 with decrypted access requiring the presence of Alice (as tested, for example, biometrically or in some other manner).</p>
<p>The short-term private key $S_t$ need not be stored in the file system of a computer and can be held in any suitable storage providing an acceptable degree of security. It will be appreciated that the required level of security of the storage used for the short-term private key $S_t$ is less than that required for the storage used for the static private key $s_A$.</p>

Claims (2)

<p>CLAIMS</p>
    <p>1. A cryptographic system comprising: a first entity arranged to use the private key of an associated static public/private key pair to form a plurality of different short-term private keys, each for use during a corresponding limited operational period; a public key infrastructure for providing a certificate associating the first entity with the public key of its static public/private key-pair; and a second entity arranged to use a known formula and known data to migrate the static public key of the first entity, whilst retaining the assurance provided by said certificate, to form short-term public keys each for use, during a corresponding said limited operational period, in carrying out cryptographic operations for which there exist complementary operations requiring use of the corresponding short-term private key.</p>
    <p>2. A system according to claim 1, in which the public key infrastructure comprises a certificate authority arranged to provide said certificate associating the first entity with the public key of its static public/private key-pair, the certificate also including said formula by which the corresponding public key is to be migrated to form said short-term public keys.</p>
    <p>3. A certificate authority of a public key infrastructure, the certificate authority being arranged to provide certificates each certifying an association between an identified entity and the public key of a static public/private key-pair, the private key of which is held by the identified entity, at least one certificate also including a formula by which the corresponding public key is to be migrated to form short-term public keys each for use during a corresponding limited operational period in carrying out cryptographic operations pertaining to the identified entity concerned.</p>
GB0708876A 2004-10-28 2007-05-09 Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings Withdrawn GB2434950A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0708876A GB2434950A (en) 2004-10-28 2007-05-09 Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0423889A GB2419787B (en) 2004-10-28 2004-10-28 Method and apparatus for providing short-term private keys in public-key cryptographic systems
GB0708876A GB2434950A (en) 2004-10-28 2007-05-09 Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings

Publications (2)

Publication Number Publication Date
GB0708876D0 GB0708876D0 (en) 2007-06-20
GB2434950A true GB2434950A (en) 2007-08-08

Family

ID=38219077

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0708876A Withdrawn GB2434950A (en) 2004-10-28 2007-05-09 Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings

Country Status (1)

Country Link
GB (1) GB2434950A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009095143A1 (en) * 2008-01-28 2009-08-06 Siemens Aktiengesellschaft Asymmetrical cryptosystem
US8240558B2 (en) 2008-01-15 2012-08-14 Aristocrat Technologies Australia Pty Limited Method of processing a user data card, an interface module and a gaming system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001095068A2 (en) * 2000-06-09 2001-12-13 Certicom Corp. A method for the application of implicit signature schemes

Also Published As

Publication number Publication date
GB0708876D0 (en) 2007-06-20

Similar Documents

Publication Publication Date Title
US20060098824A1 (en) Method and apparatus for providing short-term private keys in public key-cryptographic systems
US7516321B2 (en) Method, system and device for enabling delegation of authority and access control methods based on delegated authority
US6058188A (en) Method and apparatus for interoperable validation of key recovery information in a cryptographic system
US7499551B1 (en) Public key infrastructure utilizing master key encryption
US8589679B2 (en) Identifier-based signcryption with two trusted authorities
US9705683B2 (en) Verifiable implicit certificates
US7986778B2 (en) Cryptographic method and apparatus
US20040165728A1 (en) Limiting service provision to group members
US7000110B1 (en) One-way function generation method, one-way function value generation device, proving device, authentication method, and authentication device
US20060215837A1 (en) Method and apparatus for generating an identifier-based public/private key pair
CN104821880A (en) Certificate-free generalized proxy signcryption method
WO2007076659A1 (en) Id based cyptographical method and system
CN112119609A (en) Method and system for communicating secrets
Khan et al. Analysis of asymmetric cryptography in information security based on computational study to ensure confidentiality during information exchange
US20210099290A1 (en) Ciphertext based quorum cryptosystem
CN116830523A (en) threshold key exchange
GB2421408A (en) Generating an Identifier-Based Public / Private Key Pair from a Multi-Component Signature
US7248692B2 (en) Method of and apparatus for determining a key pair and for generating RSA keys
US20050089173A1 (en) Trusted authority for identifier-based cryptography
US20050102523A1 (en) Smartcard with cryptographic functionality and method and system for using such cards
US20050135610A1 (en) Identifier-based signcryption
JP3513324B2 (en) Digital signature processing method
JP2023505629A (en) Method and system for verifiable identity-based encryption (VIBE) using certificateless authentication encryption (CLAE)
GB2434950A (en) Providing temporary public/private keys from permanent public/private keys using a formulae involving bilinear mappings
CN113141249B (en) Threshold decryption method, system and readable storage medium

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)