Forward secure signatures basic generic schemes
Download
1 / 17

Forward-Secure Signatures (basic + generic schemes) - PowerPoint PPT Presentation


  • 85 Views
  • Uploaded on

Forward-Secure Signatures (basic + generic schemes). digital signatures. Alice has a secret key Everyone else has the corresponding public key Alice can sign message with her secret key: Given a signature and a message, everyone can verify correctness using Alice’s public key:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Forward-Secure Signatures (basic + generic schemes)' - jaime-avery


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Forward secure signatures basic generic schemes

Forward-Secure Signatures(basic + generic schemes)


Digital signatures
digital signatures

  • Alice has a secret key

  • Everyone else has the corresponding public key

  • Alice can sign message with her secret key:

  • Given a signature and a message, everyone can verify correctness using Alice’s public key:

  • Desirable property: non-repudiation. If Alice signed a contract, she can’t deny it later.


Digital signature schemes
digital signature schemes

  • Three algorithms Key-Gen, Sign, Verify:

    Key-Gen inputs: security parameter (“key size”) k output: keys (PK, SK)

    Sign inputs: message M, secret key SK output: signature S

    Verify inputs: M, signature S,public key PK output: valid/invalid

  • Strong security notion [GMR84]: even given signatures on messages of its choice,adversary cannot forge signatures on new messages

  • Multiple implementations exist


Problem with signatures
problem with signatures

  • Can’t tell when a signature was really generated

    • Not even if you include current time into the document!


Problem with signatures1
problem with signatures

  • Can’t tell when a signature was really generated

    • Not even if you include current time into the document!

  • Therefore,

    signing key disclosed Þall signatures worthless

    (even if produced before disclosure)

  • Inconvenience: your notarized document is no longer valid

  • Repudiation: Alice gets out of past contracts by anonymously leaking her SK

  • Key revocation doesn’t help: it merely informs of the leak


Fixing the problem
fixing the problem

  • Attempt 1: re-sign all the past messages with a new key

    • Expensive

    • What if the signer doesn’t cooperate?

  • Attempt 2: change keys frequently, erasing past SK

    • Disclosure of current SK doesn’t affect past SK

    • However, changing PK is expensive, requires certification

  • Attempt 3: Employ time stamping authority (third party)


Forward security
forward security

  • Idea: change SK but not PK [And97]

  • Divide the lifetime of PK into Ttime periods

  • Each SKj is for a particular time period, erased thereafter

  • If current SKj is compromised, signatures with previous SKj-t remain secure

  • Similar to “forward secrecy” for key agreement [Gün89]

  • Note: can’t be done without assuming secure erasure


Definitions key evolving scheme bm99
definitions: key-evolving scheme [BM99]

  • The usual three algorithms Key-Gen, Sign, Verify:

    Key-Gen inputs: security parameter (“key size”) ktotal number T of time periods output: (PK, SK1)

    Sign inputs: message M, current secret key SKj output: signature S(time period j included)

    Verify inputs: M, time period j,signature S,public key PK output: valid/invalid


Definitions key evolving scheme bm991
definitions: key-evolving scheme [BM99]

  • The usual three algorithms Key-Gen, Sign, Verify:

    Key-Gen inputs: security parameter (“key size”) ktotal number T of time periods output: (PK, SK1)

    Sign inputs: message M, current secret key SKj output: signature S(time period j included)

    Verify inputs: M, time period j,signature S,public key PK output: valid/invalid

  • A new algorithm Update:

    Update input: current secret key SKj output: new secret key SKj+1


Definitions forward security bm99
definitions: forward-security [BM99]

Given:

  • Signatures on messages and time periods of its choice

  • The ability to “break-in” in any time period b and get SKb

    adversary can’t forge a new signature for a time period j<b


Simple schemes efficiency
Simple schemes: efficiency

  • Long Public and Long Private Keys

    • T pairs (p1, s1), (p2,s2),……. (pt, st)

    • PK= (p1,p2,….,pt)

    • SK= (s1,s2,…..,st)

    • Update= erase si for period I

    • Drawback: public and private key linear in t= number of periods


Anderson long secret key only
Anderson: long secret key only

  • T pairs as above and an additonal pair (p,s)

  • Sig(j)=SIG( j || pj) with key s, j =1,…,t [A “certificate”]

  • Public key now = p (only)

  • Secret key = (sj, SIG(j)) j=1,..,t [Still linear]

  • The public key p is like a CA key and a signature will include the period, the certificate, the message, signature on the message with period’s secret key


Long signatures only
Long signatures only

  • Have (p,s)

  • In period j get (pj,sj) and

  • Let Cert(j)= sig_s[j-1] (j || pj)

  • A signature is the entire certificate chain + signature, it is of the form: (j, sig_sj(m), p1, Cert(1),…pj, Cert(j))

  • Think about it as a tree of degree one and length t for t periods

  • (signer memory still linear in t)


Replace keys pseudorandomness
Replace keys pseudorandomness

Have future keys derived from a forward secure pseudorandom generator [Kra]

  • Pseudorandom generators which are forward secure are easy: replace the seed with an iteration of the function.


Binary certification tree bm
Binary Certification tree [BM]

  • Now (s0,p0)

  • Each element certifies two children left and right

  • We have a virtual tree of length log t (for t periods)

  • At each point only a log branch of certificate is used in the signature

  • Only leaves are used to sign

  • Keys that all there children are not going to be used in future periods are erased.

  • We get O(log t) key sizes, signature size


Concrete scheme
Concrete scheme

  • Use a scheme based on Fiat-Shamir variant

  • Have the public key be a point x raised to 2^t

  • Have the initial private key at period zero be x

  • Sign based on FS paradigm

  • Update by squaring the current key

  • The verifier is aware of the period so it knows that currently the private key is raised to the power 2^{t-I} (and the identification proofs are adjusted accordingly).


Later schemes
Later schemes

  • Any t unknown a-priori

  • More efficient non-generic schemes.

  • Forward-secure enc. Was open for a while


ad