Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forward-Secure Signatures (basic + generic schemes)

Published byKelley Anthony Modified over 9 years ago

Similar presentations

Presentation on theme: "Forward-Secure Signatures (basic + generic schemes)"— Presentation transcript:

1 Forward-Secure Signatures (basic + generic schemes)

2 digital signatures Alice has a secret key
Everyone else has the corresponding public key Alice can sign message with her secret key: Given a signature and a message, everyone can verify correctness using Alice’s public key: Desirable property: non-repudiation. If Alice signed a contract, she can’t deny it later.

3 digital signature schemes
This is known as “existential unforgeability under adaptive chosen-message attack” Three algorithms Key-Gen, Sign, Verify: Key-Gen inputs: security parameter (“key size”) k output: keys (PK, SK) Sign inputs: message M, secret key SK output: signature S Verify inputs: M, signature S, public key PK output: valid/invalid Strong security notion [GMR84]: even given signatures on messages of its choice, adversary cannot forge signatures on new messages Multiple implementations exist

4 problem with signatures
Can’t tell when a signature was really generated Not even if you include current time into the document!

5 problem with signatures
Can’t tell when a signature was really generated Not even if you include current time into the document! Therefore, signing key disclosed Þ all signatures worthless (even if produced before disclosure) Inconvenience: your notarized document is no longer valid Repudiation: Alice gets out of past contracts by anonymously leaking her SK Key revocation doesn’t help: it merely informs of the leak

6 fixing the problem Attempt 1: re-sign all the past messages with a new key Expensive What if the signer doesn’t cooperate? Attempt 2: change keys frequently, erasing past SK Disclosure of current SK doesn’t affect past SK However, changing PK is expensive, requires certification Attempt 3: Employ time stamping authority (third party)

7 forward security Idea: change SK but not PK [And97]
Divide the lifetime of PK into T time periods Each SKj is for a particular time period, erased thereafter If current SKj is compromised, signatures with previous SKj-t remain secure Similar to “forward secrecy” for key agreement [Gün89] Note: can’t be done without assuming secure erasure

8 definitions: key-evolving scheme [BM99]
The usual three algorithms Key-Gen, Sign, Verify: Key-Gen inputs: security parameter (“key size”) k total number T of time periods output: (PK, SK1) Sign inputs: message M, current secret key SKj output: signature S (time period j included) Verify inputs: M, time period j, signature S, public key PK output: valid/invalid

9 definitions: key-evolving scheme [BM99]
The usual three algorithms Key-Gen, Sign, Verify: Key-Gen inputs: security parameter (“key size”) k total number T of time periods output: (PK, SK1) Sign inputs: message M, current secret key SKj output: signature S (time period j included) Verify inputs: M, time period j, signature S, public key PK output: valid/invalid A new algorithm Update: Update input: current secret key SKj output: new secret key SKj+1

10 definitions: forward-security [BM99]
Given: Signatures on messages and time periods of its choice The ability to “break-in” in any time period b and get SKb adversary can’t forge a new signature for a time period j<b

11 Simple schemes: efficiency
Our cost is only in the components that are specific to forward security: in the update Long Public and Long Private Keys T pairs (p1, s1), (p2,s2),……. (pt, st) PK= (p1,p2,….,pt) SK= (s1,s2,…..,st) Update= erase si for period I Drawback: public and private key linear in t= number of periods

12 Anderson: long secret key only
T pairs as above and an additonal pair (p,s) Sig(j)=SIG( j || pj) with key s, j =1,…,t [A “certificate”] Public key now = p (only) Secret key = (sj, SIG(j)) j=1,..,t [Still linear] The public key p is like a CA key and a signature will include the period, the certificate, the message, signature on the message with period’s secret key

13 Long signatures only Have (p,s) In period j get (pj,sj) and
Let Cert(j)= sig_s[j-1] (j || pj) A signature is the entire certificate chain + signature, it is of the form: (j, sig_sj(m), p1, Cert(1),…pj, Cert(j)) Think about it as a tree of degree one and length t for t periods (signer memory still linear in t)

14 Replace keys pseudorandomness
Have future keys derived from a forward secure pseudorandom generator [Kra] Pseudorandom generators which are forward secure are easy: replace the seed with an iteration of the function.

15 Binary Certification tree [BM]
Now (s0,p0) Each element certifies two children left and right We have a virtual tree of length log t (for t periods) At each point only a log branch of certificate is used in the signature Only leaves are used to sign Keys that all there children are not going to be used in future periods are erased. We get O(log t) key sizes, signature size

16 Concrete scheme Use a scheme based on Fiat-Shamir variant
Have the public key be a point x raised to 2^t Have the initial private key at period zero be x Sign based on FS paradigm Update by squaring the current key The verifier is aware of the period so it knows that currently the private key is raised to the power 2^{t-I} (and the identification proofs are adjusted accordingly).

17 Later schemes Any t unknown a-priori
More efficient non-generic schemes. Forward-secure enc. Was open for a while

Download ppt "Forward-Secure Signatures (basic + generic schemes)"

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to Practical Cryptography Forward Key Security Zero Knowledge Oblivious Transfer Multi-Party Computation.

Introduction to Practical Cryptography Forward Key Security Zero Knowledge Oblivious Transfer Multi-Party Computation.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

Similar presentations

Ads by Google