FORM 2 THE PATENTS ACT, 1970 (39 of 1970) & THE PATENS RULES, 2003 COMPLETE SPECIFICATION [See section 10, Rule 13] DIGITAL CERTIFICATES; NDS LIMITED, A CORPORATION ORGANIZED AND EXISTING UNDER THE LAWS OF UNITED KINGDOM, WHOSE ADDRESS IS ONE LONDON ROAD, STAINES, MIDDLESEX TW18 4EX , UNITED KINGDOM. THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED. FIELD OF THE INVENTION The present invention relates to digitally signed certificates. BACKGROUND OF THE INVENTION The use of digitally signed certificate; is well known in the art. Consider the following example: Two entities A and B each have asymmetric key pairs, each key pair comprising a public key and a private key, as is well known in the art. Entity A is to sign a certificate for entity B, the certificate comprising the public key of entity B and other data regarding entity B. The widespread and well known X.509 format is typically used in the prior art for the purpose of producing certificates of the type described above. The X.509 format is defined in ITU-T Recommendation for X.509, published March 2000, available from ITU-T (the International Telecommunication Union Standardization Sector). The disclosures of all references mentioned above and throughout the present specification are hereby incorporated herein by reference. SUMMARY OF THE INVENTION The present invention seeks to provide improved digitally signed certificates and improved methods for producing digitally signed certificates. Known solutions, as described above, do not provide optimal solutions for some applications. For example, the inventors of the present invention believe that the known solutions described above are not optimal for applications in which certificate verification is implemented in random logic, non-CPU type hardware (also termed herein "hardware"); in such applications, the inventors of the present invention believe that it is desirable for the certificate to be short and to have a form that is easy to parse in hardware. The well-known •-X.509- format, described-above,-is-not- good-for this-purpose, -at-least because certificates produced in accordance with the X.509 format have a variable length structure. that is difficult to parse in hardware; also, X.509 format certificates are generally long, with certificates of 2 KB (kilobytes) in length being common. The present invention, in preferred embodiments thereof, seeks to provide solutions to the problems of prior art certificates. There is thus provided in accordance with a preferred embodiment of the present invention a method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a ke}' pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Further in accordance with a preferred embodiment of the present invention the including s and t in the certificate includes including s concatenated with t in the certificate. Still further in accordance with a preferred embodiment of the present invention the function H includes a hash function. Additionally in accordance with a preferred embodiment of the present invention the function H includes a checksum function. Moreover in accordance with a preferred embodiment of the present invention the function H includes adding redundancy to the data. 3 there is also provided in accordance with another preferred embodiment of the present invention a certificate produced by the method. There is also provided in accordance with yet another preferred embodiment of the present invention a method for producing a certificate, the certificare including data, the method including generating a modulus N, the modulus N being generated by a scattering method L, a function R, and a seed s, N being generated, in part, by scattering the bits of R(s) throughout N using the scattering method L, all bits of N other than those scattered by the scattering method L being denoted t, and including s and t in the certificate. Further in accordance with a preferred embodiment of the present invention the R(s) includes-data associated-with an owner of the certificate. Still further in accordance with a preferred embodiment of the present invention the data includes an owner identifier. Additionally in accordance with a preferred embodiment of the present invention N includes an RSA modulus. Moreover in accordance with a preferred embodiment of the present invention L includes applying a Lenstra, Lenstra and Lovasz (LLL) method to a lattice. Further in accordance with a preferred embodiment of the present invention the lattice is defined, in part, by a generalized pattern G. Still further in accordance with a preferred embodiment of the present invention the lattice includes wherein n, x, z are integers, and SI,..., Sk are position numbers of contiguous groups of symbols "*" in a generalized 2n-bit pattern G, where positions are numbered from the least significant (0) to the most significant (2n-l), and SI > S2 > ... > Sk, and L1, ..., Lk are lengths of the contiguous groups, numbered correspondingly to the contiguous groups, and p is a (n-x)-bit prime, and s is a seed, and R is a function that expands s to R(s) = rl || r2 || ... || rk, || denoting concatenation, such that, for each i, ri has a length equal to Li. There is also provided in accordance with another preferred embodiment of the present invention a certificate produced by the method. There is also provided in accordance with yet another preferred embodiment -of-the-present invention-a-method- for-producing- a-plurality- of certificates, each certificate including data, the method including providing a plurality of generalized patterns, and for each generalized pattern G of the plurality of generalized patterns, performing the following steps: generating a modulus N, the modulus N being generated by a scattering method L, a function R, and a seed s, N being generated, in part, by scattering the bits of R(s) throughout N using the scattering method L, all bits of N other than those scattered by the scattering method L being denoted t, and including s and t in a certificate associated with G, wherein N includes an RSA modulus, and L includes applying a Lenstra, Lenstra and Lovasz (LLL) method to a lattice, and the lattice is defined, in part- by G; thereby producing a plurality of certificates. There is also provided in accordance with still another preferred embodiment of the present invention a method for producing a plurality of certificates, each certificate including data, the method including providing a plurality of generalized patterns, and for each generalized pattern G of the plurality of generalized patterns, performing the following steps: generating a plurality of moduli Ni, each modulus Nj being generated by a scattering method L, a function R, and a seed Sj, each Ni being generated, in part, by scattering the bits of R(Sj) throughout Nj using the scattering method L, all bits of Nj other than those scattered by the scattering method L being denoted ti, and for each Ni, including Si and ti in a certificate associated with G, wherein Ni includes an RSA modulus, 5 and L includes applying a Lenstra, Lenstra and Lovasz (LLL) method to a lattice, and the lattice is defined, in part, by G, thereby producing a plurality of certificates. Further in accordance with a preferred embodiment of the present invention the lattice includes wherein n, x, z are integers, and S1, ..., Sk are position numbers of contiguous groups of symbols "*" in a generalized 2n-bit pattern G, where positions are numbered from the least significant (0) to the most significant (2n-l), and SI > S2 > ... > Sk, and L1, ..., Lk are lengths of the contiguous groups, numbered correspondingly to the contiguous groups, and p is a (n-x)-bit prime, and s is a seed, and R is a function that expands s to F(s) = rl jj r2 || ... || rk, || denoting concatenation, such that, for each i, ri has a length equal to Li. There is also provided in accordance with another preferred embodiment of the present invention a plurality of certificates, produced by the methods. 6 BRIEF DESCRIPTION OF THE DRAWINGS The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which: Fig. 1 is an illustration of base vectors for a lattice in (k+2)-dimensional space, useful in understanding a preferred embodiment of the present invention; Fig. 2 is a simplified flowchart illustration of a preferred method for producing a certificate in accordance with a preferred embodiment of the present invention; -Fig-3 is a-simplified flowchart- illustration-of-a preferred method for producing a certificate in accordance with an alternative preferred embodiment of the present invention; and . Fig. 4 a simplified flowchart illustration of a preferred method for producing a plurality of certificates in accordance with a further alternative preferred embodiment of the present invention. 7 DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT In accordance with a preferred embodiment of the present invention, a signer produces a certificate signed with recovery. Signatures not signed with recovery, as are well known in the art, are also termed herein "regular signatures" or "regular as>'mmetric signatures". To produce a regular asymmetric signature of a certificate C, the signer computes a signature S as follows: S =f[h(C),D) where: f is a publicly known function; h is a publicly known hash function; and D is the private key of the signer. The signed certificate is C // S, where "//" denotes concatenation. The verifier verifies that: g(S,E) = h(C) where: g is a publicly known function; and E is the public key of the signer. Preferably,/ g, D, E are chosen as follows: 1. A set M of permitted cleartexts is defined; function/defined on the set M. 2. g(y,E) is the inverse off(x,D), i.e. for any xeM g(f(x,D),E) = x. 3. g,f,E are public. 4. It is difficult to find D based only on E. 5. h is chosen such that it is difficult to find different x, y such that h(x) = h(y). A non4imiting example of an appropriate choice for h is SHA-1, which is described in FIPS PUB 180-1, published 17 April 1995 and entitled "Secure Hash Standard", available on the Internet at: www.itljaist.gov/fipspubs/fipl80-l.htm. The following is a non-limiting specific example of appropriate choices for/ g,D,E: 8 Let N=pq - an RSA number, that is, a product of two primes; let M be the set of all integers from 0 to N-l; let e, d be arbitrary integers such that ed = 1 modulo (p(N), (p(N) being Euler's totient function; let E be an ordered pair ; let D be an ordered pair ; let: g(y,E) = ye modulo N-, and let: f(x,D)- =-x-modulo K- For signature with recovery the signer ensures that C has some redundancy in it, or adds such a redundancy. The term "redundancy", as used throughout the present specification and claims, refers to a condition P(C) that holds for a random C with a very small probability. For example and without limiting the generality of the foregoing, the payload may be padded with a sufficiently long constant bit string, or preferably with any appropriate type of pa3'load checksum, such types of checksum being well known in the art. The signer then computes: S=f(C,D) where £ is the certificate signed with recovery. The verifier first recovers C from S: C = g(S,E) and then verifies that Chas the pre-defined redundancy. Persons skilled in the art will appreciate that, when using signature with recovery, signed certificates are shorter than certificates produced with regular signature. On the other hand, unlike regular signature, signature with recovery imposes a limitation on the length of C, because the set M is limited. For example, in the particular example of RSA described above, only numbers less than the modulus N may be signed with recovery. Therefore, in a certificate for B signed by A there may not be enough space in C for the public key of B and for 9 other data; in particular, there will not be enough space in a common case where the keys of A and of B are of the same length. In order to save space and make signature with recovery more efficient and in order to overcome the limitations mentioned above, the public key (and optionally other data) may be compressed. While data may be compressed using standard compression algorithms well known in the art, in many asymmetric algorithms the public keys generated in standard ways have high entropy. As is well known in the art, information having high entropy can not be compressed, and therefore public keys generated in standard ways can not be compressed. The following method may be used for generation of compressible public-keys; 1. Choose an arbitrary seed s. 2. Generate a key pair (E,D) in such a way that: E=F(s,t) where F is a publicly known function and t is some data. For example, t may be some portion of the bits of E (such as, for example, the least significant half of E, the most significant half of E, or bits in positions scattered over E). Any appropriate value s may be used. Function F is preferably chosen to be a function that. 1. expands s pseudo-randomly to a pre-defined number of bits, similarly to the function of the function R described below; and 2. combines the expanded 5 with t in a pre-defined way (such as, for example, using the expanded s as the least significant part of the result of the combining, while using t as the most significant part, or vice versa; or in some interleaving fashion). Instead of E, the certificate preferably includes s // t, which is shorter than E. A particular choice of the function F, the method of generation of a suitable key pair, and the amount of space which is saved depend on the asymmetric algorithm which is used. 10 Persons skilled in the art will appreciate that a certificate typically includes: credentials; characteristics; and a public key, signed all together. All the certificate fields, besides the public key, are referred to herein as "data". When one uses signature with recovery, the recovery process performs only recovery, but does not verify that the person who created the certificate knew the private key. In order to verify that the person who created the certificate knew the private key, it is necessary to have some redundancy in the clear text; that is, some pre-defined condition regarding the recovered message must be met, which condition has a sufficiently low probability for a random bit string. One option is to use a sufficiently long field (say, 16 bytes) with a fixed value. Another option is to use a checksum,-or a-hash, -of-the data. –Unfortunately,-both-options require-an-additional field, so that less bytes are left for a useful payload. To save more space, the seed s may be used as redundancy, if we set: s = H(data) where H is a publicly known function. Thus, space is saved by double use of s, both as the checksum / hash of the data, and as a seed as described above. Alternatively, the data itself, with some redundancy added, may be used as a seed s. The following discussion describes a certain particularly detailed preferred implementation of the present invention, useful if the well-known prior art RSA signature scheme is used. The RSA signature scheme is described, for example, in R L. Rivest, A. Shamir, and L.M.Adelman, "A method for obtaining digital signatures and public-key cryptosystems", Communications of the ACM, 21 (1978), 120-126. RSA is used by way of example only and is not meant to be limiting. If RSA is used for signature, the public key comprises a modulus and a public exponent The limitations on the public exponent are quite loose. In particular, the public exponent may be chosen to be a fixed publicly known number that does not to have to be explicitly included into the certificate, so there is no problem with compression of the public exponent RSA modulus compression is believed to save about half of the length of the RSA modulus. II Several compression techniques for the RSA modulus are now described. For purposes of the following description, by way of example only and without hmiting the generality of the present invention, suppose that 2«-bit RSA moduli of the form N=pqare used, where;p and q are primes having n -x and n + x bits, respectively; the seed s has y bits; and R is a publicly known function that expands the seed stem + x - z bits, where z is a parameter described below. The function R may, for example, comprise a suitable pseudo-random number generator that receives a seed s and expands it to a pseudo-random sequence. For example, the function R may set: s1=h(s), si+1=h(Si), R(s) = s1 || s2 Sn where h comprises an appropriate hash function (for example SHA1, which is described in FIPS PUB 180-1, published 17 April 1995 and entitled "Secure Hash Standard", available on the Internet at: www.itl.nist.gov/fipspubs/fipl80-l.htm; and in RFC 3174, published September 2001 and entitled "US Secure Hash Algorithm 1 (SHA1), available on the Internet at: www.ietf.org/rfc/rfc3174.txt?number=3174), or E(x) XOR x, where E is encryption with a block cipher (for example AES - FIPS Publication 197, November 26, 2001, Announcing the Advanced Encryption Standard (AES) available on the Internet at csrc.nist.gov/publications/fips/fipsl97/fips-197.paf). First, consider "expansion of the most significant half. The following method generates a compressible RSA key: 1. Generate an arbitrary (n - x) -bit prime p and a v-bit seed s. Methods for generating such a prime are well known in the art. In general, such methods (which are described, for example, in Handbook of Applied Cryptography by Alfred J.Menezes, Paul C. van Oorschot, Scott A.Vanstone, section 4.2 "Probabilistic Primality Tests") involve generating an arbitrary number having the required number of bits; testing for primality using a suitable primality test (such as Fermat's test, the Solovay-Strassen test, or the Miller-Rabin test, described in section 4.2 of Handbook of Applied Cryptography, referred to above); and, if the number is not prime, repeating the generating and testing until a prime number is found. 2. Set 12 No=R(s)*2n-x+z,q=No/p rounded up to an odd integer. The most significant bit of R(s) must be forced to 1, by setting the most significant bit of R(s) to 1 even if the function R produces a 0 for the most significant bit. 3. Check q for primality, using a suitable primality test, as discussed in step 1 above. If failure (q is not prime), set q = q+2 and repeat the present step. If success {q is prime), continue to the next step. 4. Check if the n+x-z most significant bits of N = pq are R(s). If not, repeat the method from the beginning (from step 1). If yes, N is the modulus. In compressed form, the n+x-z most significant bits are replaced with the seed 5, so the length of the compressed modulus is n-x+z+y bits. To make the probability of success on step 4 reasonably close to 1, z must be a little more than log2(n), since it is known from number theory that the density of primes around N is proportional to 1/ln N, which means that a search for a prime number will succeed after c In N steps in average, where c is some constant. For example, for a reasonable setting of n=1024 (2048-bit modulus), with .T = z = 16y = 96, the length of the compressed modulus is n-x+z+y = 1120 bits. Now, consider "expansion of the least significant half. The following method generates a compressible RSA key: 1. Generate an arbitrary (n-x)-hit prime p and a ,v-bit seed J. Compute: q = 2"™ +(R(s)/p modulo 2™-z) The least significant bit of R(s) must be forced to 1, which means Xha.tR(s) is odd. Since p is odd, it is invertible modulo exists and is odd. 3. Check q for primality. If failure, set and repeat the present step. If success, continue to the next step. 4. Check if N has exactly 2n bits. If not, repeat from the beginning of the present method, at step 1. If yes, AT is the modulus. In compressed form, the 13 n+x-z least significant bits are replaced with the seed s, so the length of the compressed modulus is n=x+z+y bits. The same settings mentioned above in the case of expansion of the most significant half may preferably be used. Instead of R{s) being the n+x-z most significant or least significant bits of N as described above, it is possible to scatter the bits of R(s) over N. In accordance with a preferred embodiment of the present invention, a preferred method for generation of such N may be based on the LLL (Lenstra, Lenstra, and Lovasz) algorithm (described, for example, in Handbook of Applied Cryptography, referred to above, at section 3.10.1). The LLL algorithm is also termed herein-the-"LLL-method'- A method in accordance with a preferred embodiment of the present invention, for scattering the bits of R(s) over N, using a particular application of the LLL dgorithm, is now described. Consider the following definitions: - A pattern P is a string of 2n symbols from the alphabet {0,1, ?}. We'll say that a 2n-bit number N matches pattern P if and only if for every 0 in P there is 0 in the corresponding position of N, and for every / in P there is / in the corresponding position of N. - A generalized pattern G is a string of 2n symbols from the alphabet;{*,} - A pattern P is an instantiation of a generalized pattern G if and only if for every symbol "? " in G there is "? " in the corresponding position of P. Let G be a generalized pattern. Suppose that all the symbols "*" in G form k contiguous sequences. For any i, 1 S2 >... > Sk, and 19 L1, ..., Lk are lengths of the contiguous groups, numbered correspondingly to the contiguous groups, and p is a (n-x)-bit prime, and s is a seed, and R is a function that expands s to R(s) = rl || r2 || ... || rk, || denoting concatenation, such that, for each i, ri has a length equal to Li. 13. A plurality of certificates for being parsed in hardware, each of the certificates comprising data, the certificates being formed by a process comprising: providing a plurality of generalized patterns; and for each generalized pattern G of the plurality of generalized patterns, performing the following steps: generating a modulus N, the modulus N being generated by: a scattering method L; a function R; and a seed s, N being generated, in part, by scattering the bits of R(s) throughout N using the scattering method L, all bits of N other than those scattered by the scattering method L being denoted t; and including s and t in one of the certificates associated with G, in which N comprises an RSA modulus, and L comprises applying a Lenstra, Lenstra and Lovasz (LLL) method to a lattice, and the lattice is defined, in part, by G, thereby producing the certificates. 14. A plurality of certificates for being parsed in hardware, each of the certificates comprising data, the certificates being formed by a process comprising: providing a plurality of generalized patterns; and for each generalized pattern G of the plurality of generalized patterns, performing the following steps: generating a plurality of moduli N;, each modulus Nj being generated by: a scattering method L; a function R; and a seed Sj, 2o each Nj being generated, in part, by scattering the bits of R(Sj) throughout N; using the scattering method L, all bits of Ni other than those scattered by the scattering method L being denoted t\; and for each Nj, including S\ and t, in one of the certificates associated with G, in which Nj comprises an RSA modulus, and L comprises applying a Lenstra, Lenstra and Lovasz (LLL) method to a lattice, and the lattice is defined, in part, by G, thereby producing the certificates. 15. The certificates according to claim 13 or claim 14 and in which thlattice comprises: n, x, z are integers, and S1, ..., Sk are position numbers of contiguous groups of symbols "*" in a generalized 2n-bit pattern G, where positions are numbered from the least significant (0) to the most significant (2n-l), and SI > S2 > ... > Sk, and L1, ..., Lk are lengths of the contiguous groups, numbered correspondingly to the contiguous groups, and p is a (n-x)-bit prime, and 21 s is a seed, and R is a function that expands s to R(s) = rl || r2 || ... || rk, denoting concatenation, such that, for each i, ri has a length equal to Li. Dated this 14th day of October, 2005. 22 ABSTRACT A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F beirg a publicly known function, and including s and t in the certificato. Related methods, and certificates produced by the various methods, are also described. 23