Basel Alomair, Krishna Sampigethaya, and Radha Poovendran
{alomair,rkrishna,rp3}@u.washington.edu
University of Washington
The signer has a pair of keys: a private (signing) key x and a public (verifying) key y.
The private key is used to sign messages while the public key is used to verify the signature.
Unauthorized users with access to the private key can generate signatures that are indistinguishable from those of the authenticated user.
Furthermore, all signatures generated with the exposed key become repudiable, even if they were generated long before key exposure.
Forward security, in the context of digital signatures, was first introduced by Ross Anderson in ACM CCS 1997.
In forward-secure signatures, the validity of signatures generated before the exposure of the private key remains intact.
Time is divided into disjoint intervals.
Secret key is updated at each interval.
Trivial to design if size of registered keys is linear in T.
Size of registered keys must not grow proportionally with number of intervals.
To achieve forward security with one pair of registered keys.
Challenge: how can a user, with a single pair of keys, update the signing key for each period such that the signature is still verifiable using the same public key?
Forward-secure signatures can be divided into two main categories:
Number theoretic schemes.
Based on specific number theoretic assumptions.
Generic approach schemes.
Use standard signature scheme as a building block.
In ACM CCS 2000, Hugo Krawczyk proposed the first practical generic scheme.
Signer possesses a single pair of registered keys.
Generate T certificates, one per period.
Certificates need not be secret.
Certificate must be available to generate valid signatures.
In EUROCRYPT 2002, Malkin et al. proposed another generic scheme.
Signer possesses a single pair of registered keys.
Use of subtrees.
Generate secret keys for every tree leaf.
Secret keys must be kept secret.
Secret keys must be available to generate valid signatures.
How about using more than one key?
Can we improve the performance without violating the required independence of T?
YES
Signer possesses two pairs of registered keys $(x_1, y_1)$ and $(x_2, y_2)$.
Generate a public forward-security chain R of length T.
The forward-security chain R is the collection of the r’s.
R is signed with $x_1$.
$x_1$ is deleted from the system.
The chain need not be secret.
The chain is not needed for signature generation.
l: a security parameter such that performing an exhaustive search over l-bit sequences is infeasible. We assume the output of the hash function and the size of secret keys are l bits.
k: a security parameter such that the discrete logarithm problem modulo a k-bit prime is believed to be hard. We assume that the size of public key is k bits.
Typical values k=1024 bits and l=160 bits.
Pre-computation of r’s and k’s.
Given r, one cannot compute k (by the DLP assumption).
Given $k^{(i)}$, one cannot compute $k^{(i-j)}$ (by the use of one-way functions).
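The pre-computation above, as an added example (not code from the slides or from the authors' scheme). It assumes each secret is the hash of the previous one and each public value is r = g^k mod p, which is what the two one-wayness statements suggest; the toy group, the truncated SHA-256 step, the constructed seed and all function names are assumptions for illustration.

```python
import hashlib

# Assumed toy parameters: the slides suggest a 1024-bit prime (k) and
# 160-bit secrets (l); 2**255 - 19 only keeps the example short.
P, G, L_BYTES = 2**255 - 19, 2, 20

def h(secret: bytes) -> bytes:
    """One-way step k(i) -> k(i+1): SHA-256 truncated to l bits (assumed)."""
    return hashlib.sha256(b"fs-chain" + secret).digest()[:L_BYTES]

def commit(secret: bytes) -> int:
    """Public value r = G^k mod P; getting k back from r is a discrete log."""
    return pow(G, int.from_bytes(secret, "big"), P)

def precompute_chain(seed: bytes, periods: int) -> list:
    """Public chain R = [r(1), ..., r(T)], derived from the first secret."""
    chain, k = [], seed
    for _ in range(periods):
        chain.append(commit(k))
        k = h(k)
    return chain

class Signer:
    """Keeps only the current period's secret; the previous one is dropped
    (a real implementation must also erase it from memory)."""
    def __init__(self, seed: bytes):
        self.period, self.k = 1, seed

    def evolve(self) -> None:
        self.k, self.period = h(self.k), self.period + 1

def exposure_scope(chain: list, leaked: bytes) -> list:
    """Periods whose r(i) can be opened by hashing a leaked secret forward."""
    opened, k = set(), leaked
    for _ in range(len(chain)):
        r = commit(k)
        opened.update(i + 1 for i, ri in enumerate(chain) if ri == r)
        k = h(k)
    return sorted(opened)

def demo(seed: bytes = b"\x01" * L_BYTES, periods: int = 8):
    # Constructed seed; in the slides' scheme R would be signed with x_1.
    chain = precompute_chain(seed, periods)
    signer = Signer(seed)
    for _ in range(4):
        signer.evolve()  # signer is now in period 5
    return signer.period, exposure_scope(chain, signer.k)

if __name__ == "__main__":
    print(demo())
```

A secret leaked in period 5 opens the chain entries for periods 5 through 8 only; the entries for periods 1 through 4 stay closed to whoever holds it.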
In proxy signature schemes, Alice wants to delegate her signing capability to Bob.
Must satisfy:
Verifiability: from a proxy signature, a verifier can be convinced of the original signer’s agreement on the signed message.
Strong unforgeability: the original signer and third parties who are not designated as proxy signers cannot create a valid proxy signature.
Strong identifiability: anyone can determine the identity of the corresponding proxy signer from a proxy signature.
Strong undeniability: a proxy signer cannot repudiate a proxy signature it created.
Prevention of misuse: a proxy signing key cannot be used for purposes other than generating valid proxy signatures. In case of misuse, the responsibility of the proxy signer should be determined explicitly.
The use of two pairs of registered keys allows the design of a simple and computationally efficient forward-secure signature scheme.
Extension to proxy signatures is straightforward.