1
Forward-Secure Signatures(basic + generic schemes)
2
digital signatures• Alice has a secret key• Everyone else has the corresponding public key• Alice can sign message with her secret key:
• Given a signature and a message, everyone can verify correctness using Alice’s public key:
• Desirable property: non-repudiation. If Alice signed a contract, she can’t deny it later.
3
digital signature schemes• Three algorithms Key-Gen, Sign, Verify:
Key-Gen inputs: security parameter (“key size”) k output: keys (PK, SK)
Sign inputs: message M, secret key SK output: signature
Verify inputs: M, signature , public key PK output: valid/invalid
• Strong security notion [GMR84]: even given signatures on messages of its choice,adversary cannot forge signatures on new messages
• Multiple implementations exist
4
problem with signatures• Can’t tell when a signature was really generated
– Not even if you include current time into the document!
5
problem with signatures• Can’t tell when a signature was really generated
– Not even if you include current time into the document!
• Therefore,
signing key disclosed all signatures worthless
(even if produced before disclosure)
• Inconvenience: your notarized document is no longer valid• Repudiation: Alice gets out of past contracts by
anonymously leaking her SK
• Key revocation doesn’t help: it merely informs of the leak
6
fixing the problem
• Attempt 1: re-sign all the past messages with a new key– Expensive– What if the signer doesn’t cooperate?
• Attempt 2: change keys frequently, erasing past SK– Disclosure of current SK doesn’t affect past SK
– However, changing PK is expensive, requires certification
• Attempt 3: Employ time stamping authority (third party)
7
forward security
• Idea: change SK but not PK [And97]
• Divide the lifetime of PK into T time periods
• Each SKj is for a particular time period, erased thereafter
• If current SKj is compromised, signatures with previous SKj-t
remain secure
• Similar to “forward secrecy” for key agreement [Gün89]
• Note: can’t be done without assuming secure erasure
8
definitions: key-evolving scheme [BM99]
• The usual three algorithms Key-Gen, Sign, Verify:Key-Gen inputs: security parameter (“key size”) k
total number T of time periodsoutput: (PK, SK1)
Sign inputs: message M, current secret key SKj output: signature (time period j included)
Verify inputs: M, time period j, signature , public key PK
output: valid/invalid
9
definitions: key-evolving scheme [BM99]
• The usual three algorithms Key-Gen, Sign, Verify:Key-Gen inputs: security parameter (“key size”) k
total number T of time periodsoutput: (PK, SK1)
Sign inputs: message M, current secret key SKj output: signature (time period j included)
Verify inputs: M, time period j, signature , public key PK output: valid/invalid
• A new algorithm Update:Update input: current secret key SKj
output: new secret key SKj+1
10
definitions: forward-security [BM99]
Given:
• Signatures on messages and time periods of its choice
• The ability to “break-in” in any time period b and get SKb
adversary can’t forge a new signature for a time period j<b
11
Simple schemes: efficiency• Long Public and Long Private Keys
– T pairs (p1, s1), (p2,s2),……. (pt, st)– PK= (p1,p2,….,pt) – SK= (s1,s2,…..,st) – Update= erase si for period I– Drawback: public and private key linear in t= number of periods
12
Anderson: long secret key only• T pairs as above and an additonal pair (p,s)• Sig(j)=SIG( j || pj) with key s, j =1,…,t [A “certificate”]• Public key now = p (only)• Secret key = (sj, SIG(j)) j=1,..,t [Still linear]• The public key p is like a CA key and a signature will
include the period, the certificate, the message, signature on the message with period’s secret key
13
Long signatures only• Have (p,s)• In period j get (pj,sj) and • Let Cert(j)= sig_s[j-1] (j || pj)• A signature is the entire certificate chain + signature, it is of
the form: (j, sig_sj(m), p1, Cert(1),…pj, Cert(j))• Think about it as a tree of degree one and length t for t
periods• (signer memory still linear in t)
14
Replace keys pseudorandomness
Have future keys derived from a forward secure pseudorandom generator [Kra]
• Pseudorandom generators which are forward secure are easy: replace the seed with an iteration of the function.
15
Binary Certification tree [BM]• Now (s0,p0)• Each element certifies two children left and right• We have a virtual tree of length log t (for t periods)• At each point only a log branch of certificate is used in
the signature • Only leaves are used to sign• Keys that all there children are not going to be used in
future periods are erased.• We get O(log t) key sizes, signature size
16
Concrete scheme• Use a scheme based on Fiat-Shamir variant• Have the public key be a point x raised to 2^t• Have the initial private key at period zero be x• Sign based on FS paradigm• Update by squaring the current key• The verifier is aware of the period so it knows that
currently the private key is raised to the power 2^{t-I} (and the identification proofs are adjusted accordingly).
17
Later schemes
• Any t unknown a-priori• More efficient non-generic schemes.
• Forward-secure enc. Was open for a while
Top Related