New patents are issued by the USPTO on Tuesdays. Today's Spotlight Patents continue the theme of blockchain (distributed ledger, smart contracts) and digital rights management broadly construed. Both of today's patents are assigned to Amazon. The first patent addresses techniques for key distribution in a distributed computing environment. The second patent addresses techniques for key revocation.
10,243,939, "Key distribution in a distributed computing environment," assigned to Amazon.
A key distribution service operated by a signature authority distributes one-time-use cryptographic keys to one or more delegates that generate digital signatures on behalf of the signature authority. The key distribution service uses a root seed value to generate subordinate seeds. The subordinate seeds are used to generate a set of cryptographic keys. Hashes are generated for each key, and the hashes are arranged into a Merkle tree with a root hash controlled by the signature authority. In response to a request from a delegate, the signature authority provides a subordinate seed to the delegate. The delegate uses the subordinate seed to generate one or more cryptographic keys. The cryptographic keys are used to generate digital signatures which are verifiable up to the root hash of the Merkle tree. Additional subordinate seeds may be distributed to entities by the signature authority when appropriate.
10,237,249, "Key revocation," assigned to Amazon.
A signature authority generates revocable one-time-use keys that are able to generate digital signatures. The signature authority generates a set of one-time-use keys, where each one-time-use key has a secret key and a public key derived from a hash of the secret key. The signature authority generates one or more revocation values that, when published, proves that the signature authority has the authority to revoke corresponding cryptographic keys. The signature authority hashes the public keys and the revocation values and arranges the hashes in a hash tree where the root of the hash tree acts as a public key of the signature authority. In some implementations, the one-time-use cryptographic keys are generated from a tree of seed values, and a particular revocation value is linked to a particular seed value, allowing for the revocation of a block of one-time-use cryptographic keys associated with the particular seed.