Basel Alomair, Krishna Sampigethaya, and Radha Poovendran

{alomair,rkrishna,rp3}@u.washington.eduUniversity of Washington

The signer has a pair of keys; a private (signing) key x and a public (verifying) key y.

The private key is used to sign messages while the public key is used to verify the signature.

Unauthorized users with access to the private key can generate signatures that are indistinguishable from those of the authenticated user.

Furthermore, all signature generated with the exposed key become repudiable, even if they have been generated long time before key exposure.

Forward security, in the context of digital signatures, was first introduced by Ross Anderson in ACM-CCS 1997.

In forward-secure signatures, the validity of signatures generated before the exposure of the private key remains intact.

Time is divided into disjoint intervals. Secret key is updated at each interval. Trivial to design if size of registered

keys is linear in T. Size of registered keys must not grow

proportionally with number of intervals.

To achieve forward-security with one pair of registered key.

Challenge: how can a user, with a single pair of keys, update the signing key for each period such that the signature is still verifiable using the same public key.

Forward-secure signatures can be divided into two main categories:Number theoretic schemes.

Based on specific number theoretic assumptions.Generic approach schemes.

Use standard signature scheme as a building block.

In ACM-CCS 2000, Hugo Krawczyk proposed the first practical generic scheme.Signer possesses a single pair of registered

keys.Generate T certificates, one per period.Certificates need not be secret.Certificate must be available to generate

valid signatures.

In EUROCRYPT 2002, Malkin et al. proposed another generic scheme.Signer possesses a single pair of registered

keys.Use of subtrees.Generate secret keys for every tree leaf.Secret keys must be kept secret.Secret keys must be available to generate

valid signatures.

How about using more than one key?

Can we improve the performance without violating the required independence of T?

YES

Signer possesses two pairs of registered keys (x1,y1) and (x2,y2).

Generate a public forward-security chain R of length T.

The forward-security chain R is collection of the r’s.

R is signed with x1. x1 is deleted from the system. The chain need not be secret. The chain is not needed for signature

generation.

l: a security parameter such that performing an exhaustive search over l-bit sequences is infeasible. We assume the output of the hash function and the size of secret keys are l bits.

k: a security parameter such that the discrete logarithm problem modulo a k-bit prime is believed to be hard. We assume that the size of public key is k bits.

Typical values k=1024 bits and l=160 bits.

Pre-computation of r’s and k’s. Given r, one cannot compute k (by the

DLP assumption). Given k(i), one cannot compute k(i-j) (by

the use of one-way functions).

In proxy signature schemes, Alice wants to delegate her signing capability to Bob.

Must satisfy: Verifiability: from a proxy signature, a verifier can be

convinced of the original signer’s agreement on the signed message.

Strong unforgeability: the original signer and third parties who are not designated as proxy signers cannot create a valid proxy signature.

Strong identifiability: anyone can determine the identity of the corresponding proxy signer from a proxy signature.

Strong undeniability: a proxy signer cannot repudiate a proxy signature it created.

Prevention of misuse: a proxy signing key cannot be used for purposes other than generating valid proxy signatures. In case of misuse, the responsibility of the proxy signer should be determined explicitly.

The use of two pairs of registered keys allow the design of a simple and computationally efficient forward-secure signature scheme.

Extension to proxy signatures is straightforward.