Forward-Secure Signatures with Untrusted Update

Xavier Boyen (Voltage)

Hovav Shacham (Weizmann)

Emily Shen (MIT)

Brent Waters (SRI International)


Worm List Distribution

[Diagram labels: Detection Center, Signing Key, Users, Time, Verification Key]


Compromise Ruins Everything

All prior updates are suspect

[Diagram labels: Detection Center, Signing Key, Users, Time, Verification Key]


Forward Secure Signatures [A97]

  • Sign message and Timestamp

  • Evolve Key Forward in Time

    • Can’t “backdate” signatures

  • Verifier checks time

[Diagram labels: Signing Key; time periods 1, 2, 3, 4]


Past Messages not Revoked

Okay, revoked at period 4

[Diagram labels: Detection Center, Signing Key, Users, Time, Verification Key; time periods 1, 2, 3, 4]


Anderson’s Solution

  • T: Time periods

  • Create T SK key pairs w/ certificates from master key

  • Update: Erase old keys

3 years * hourly = 25,000 periods

3MB

[Diagram labels: time periods 1, 2, 3, …, T; Verification Key]


Bellare-Miner Tree method

  • Leaves with Time Periods

  • Sign with current leaf

  • lg(T) storage & signature size

[Tree diagram: node keys K1, K2, K3, K5, K6, K7; Time = 1, 2, 3, 4]


FS Signature Schemes

  • Evaluate on Sig Size, Key Size, and Time

  • Bellare and Miner ’99

  • Itkis and Reyzin ’01

  • MMM ’03…

Let’s bring into practice…


In practice…

  • Private keys are encrypted by passwords

  • FS Signature update needs unencrypted keys!


Our Choices

  • No Forward Secure Signatures

  • No Password Encryption (=No Adoption)

  • Bug User per update

  • Invent something new


Forward Secure Signatures w/ Untrusted Update

Decryption PW needed for signing, not update!

  • KeyGen(T, PW): Outputs FSS keypair (EncSK, VK)

  • Update(EncSK): Evolves key forward (PW not needed)

  • Sign(EncSK, PW, M): Signs M under current key

  • Verify(VK, M, S): Verifies signature S


Security – 2 Games

  • Forward Security

    • Corrupt at time t (PW and storage)

    • Attacker tries to forge at time t’< t

  • Update Security

    • Corrupts storage, but not PW


Our Scheme (Outline)

  • Tree-based with Bilinear Groups

  • PW is “Blinding Factor” B

  • Update operation is “homomorphic” to factor

  • Sketch key update


Bilinear Maps

  • $G$, $G_T$: finite cyclic groups of prime order $p$.

  • Def: An admissible bilinear map $e: G \times G \to G_T$ is:

    • Bilinear: $e(g^a, g^b) = e(g,g)^{ab} \quad \forall a,b \in \mathbb{Z},\ g \in G$

    • Efficiently computable.


Basic tree method (simplified)

  • PK = $e(g,g)^a, h_1, h_2, \ldots, h_{\lg(T)}$

  • Multiply in when derive to right

[Tree diagram: node keys K1, K2, K3, K5, K6, K7, annotated with $g^a (h_1)^{r'}$, $g^a (h_2)^{r}$, $g^a (h_3)^{r}$, $g^a (h_2)^{r} (h_3)^{r''}$]

Can sign using leaf keys


Adding untrusted update

User Decryption key = $B \in G$

Divide out B from leaf key to sign

[Tree diagram: node keys K1, K2, K3, K5, K6, K7, annotated with $B g^a (h_1)^{r'}$, $B g^a (h_2)^{r}$, $B g^a (h_3)^{r}$, $B g^a (h_2)^{r} (h_3)^{r''}$]

Can sign using leaf keys


Results Summary

  • Untrusted Update

  • Constant size sigs

  • $\lg(T)^2$ storage (can trade off with sig size)

  • Fast setup, update, and verification

  • No Random Oracles


Untrusted Update elsewhere?

E.g. Bellare-Miner (2)

Update = $x^2 \bmod N$

Untrusted Update = $(Bx)^2 \bmod N$

After t time periods must compute $B^{2^t} \bmod N$

Hurts performance!

(True elsewhere e.g. IR’01)
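
The cost noted on this slide, shown as an added example that is not part of the original presentation: a toy squaring-based key update in which the stored key is blinded by B, so that signing after t periods must first compute B^(2^t) mod N. The modulus, key values and function names are constructed for illustration and are not the Bellare-Miner parameters.

```python
# Added illustration; all values below are constructed toy parameters.
P, Q = 2**31 - 1, 2**61 - 1      # two Mersenne primes, far too small for real use
N = P * Q                        # public modulus
X = 123456789                    # constructed period-0 secret key value
B = 65537                        # constructed blinding factor derived from the PW

def update(key, n=N):
    """One key-evolution step as on the slide: key -> key^2 mod N."""
    return pow(key, 2, n)

def evolve(key, t, n=N):
    """Apply update t times. Uses no secret, so it runs on a blinded key too."""
    for _ in range(t):
        key = update(key, n)
    return key

def unblind(blinded_key, b, t, n=N):
    """Recover x^(2^t) from (Bx)^(2^t) by dividing out B^(2^t) mod N.

    Assumption: the factorisation of N is not kept by the signer, so the
    exponent 2^t cannot be reduced and this costs t modular squarings.
    """
    b_t = evolve(b, t, n)                      # B^(2^t) mod N
    return blinded_key * pow(b_t, -1, n) % n   # modular inverse needs Python 3.8+

def demo(t=1000):
    stored = B * X % N                 # what sits on disk: Bx
    stored_t = evolve(stored, t)       # untrusted update, password never used
    return unblind(stored_t, B, t), evolve(X, t)

if __name__ == "__main__":
    recovered, expected = demo()
    print(recovered == expected)
```

The update itself stays cheap (one squaring per period); the extra work lands in `unblind`, which grows linearly with the number of elapsed periods.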


Conclusion

  • Introduced Untrusted Update

  • Created scheme

  • Implementation

  • Open: Add untrusted Update to other FSSS


THE END