Strong Key-Insulated Signature Schemes

Signature computation is frequently performed on insecure devices -- e.g., mobile phones -- operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t,N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period.We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1,N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t,N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1,N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

[1]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[2]  Hugo Krawczyk,et al.  Robust and Efficient Sharing of RSA Functions , 2000, Journal of Cryptology.

[3]  Tal Malkin,et al.  Composition and Efficiency Tradeoffs for Forward-Secure Digital Signatures , 2001, IACR Cryptol. ePrint Arch..

[4]  Shouhuai Xu,et al.  Key-Insulated Public Key Cryptosystems , 2002, EUROCRYPT.

[5]  Jonathan Katz,et al.  Threshold Cryptosystems Based on Factoring , 2002, ASIACRYPT.

[6]  Mihir Bellare,et al.  Rekeyed Digital Signature Schemes: Damage-containment in the face of key exposure , 2001 .

[7]  Claus-Peter Schnorr,et al.  Security of 2^t-Root Identification and Signatures , 1996, CRYPTO.

[8]  Yevgeniy Dodis,et al.  On the Power of Claw-Free Permutations , 2002, SCN.

[9]  Jung Hee Cheon A Universal Forgery of Hess's Second ID-based Signature against the Known-message Attack , 2002, IACR Cryptol. ePrint Arch..

[10]  Shiuh-Pyng Shieh,et al.  Secure Key-Evolving Protocols for Discrete Logarithm Schemes , 2002, CT-RSA.

[11]  Victor Shoup On the Security of a Practical Identification Scheme , 1996, EUROCRYPT.

[12]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[13]  Wen-Guey Tzeng,et al.  Robust Key-Evolving Public Key Encryption Schemes , 2002, ICICS.

[14]  Gene Itkis,et al.  Forward-Secure Signatures with Optimal Signing and Verifying , 2001, CRYPTO.

[15]  Chanathip Namprempre,et al.  From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security , 2002, EUROCRYPT.

[16]  Leonid Reyzin,et al.  A New Forward-Secure Digital Signature Scheme , 2000, ASIACRYPT.

[17]  Claus-Peter Schnorr,et al.  Fast Signature Generation With a Fiat Shamir-Like Scheme , 1991, EUROCRYPT.

[18]  Gene Itkis,et al.  SiBIR: Signer-Base Intrusion-Resilient Signatures , 2002, CRYPTO.

[19]  Florian Hess,et al.  Efficient Identity Based Signature Schemes Based on Pairings , 2002, Selected Areas in Cryptography.

[20]  A. Shamm Identity-based cryptosystems and signature schemes , 1985 .

[21]  Birgit Pfitzmann,et al.  Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop , 1998, CRYPTO.

[22]  Kenneth G. Paterson,et al.  ID-based Signatures from Pairings on Elliptic Curves , 2002, IACR Cryptol. ePrint Arch..

[23]  Hugo Krawczyk,et al.  Simple forward-secure signatures from any signature scheme , 2000, IACR Cryptol. ePrint Arch..

[24]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[25]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[26]  Marc Girault,et al.  Relaxing Tamper-Resistance Requirements for Smart Cards by Using (Auto-)Proxy Signatures , 1998, CARDIS.

[27]  Gene Itkis,et al.  Intrusion-Resilient Signatures: Generic Constructions, or Defeating Strong Adversary with Minimal Assumptions , 2002, SCN.

[28]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[29]  Tatsuaki Okamoto,et al.  Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes , 1992, CRYPTO.

[30]  Mihir Bellare,et al.  A Forward-Secure Digital Signature Scheme , 1999, CRYPTO.

[31]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[32]  Jung Hee Cheon,et al.  An Identity-Based Signature from Gap Diffie-Hellman Groups , 2003, Public Key Cryptography.

[33]  Kazuo Ohta,et al.  On Concrete Security Treatment of Signatures Derived from Identification , 1998, CRYPTO.

[34]  Antoine Joux,et al.  Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups , 2001, IACR Cryptology ePrint Archive.