1 / 20

Forward Secure Signatures with Untrusted Update: A Novel Approach to Security

This paper presents an innovative scheme for forward secure signatures that accommodates untrusted updates. The proposal includes a bilinear group-based method where the signing keys evolve over time, ensuring that past signatures remain verifiable even if current keys are compromised. By implementing a tree structure and using a password as a blinding factor, the method provides efficient updates and signatures while mitigating risks associated with key compromise. The study evaluates security, performance, and practicality in real-world applications, pushing forward the boundaries of cryptographic signature schemes.

jase
Télécharger la présentation

Forward Secure Signatures with Untrusted Update: A Novel Approach to Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forward-Secure Signatures with Untrusted Update Xavier Boyen Voltage Hovav Shacham Weizmann Emily Shen MIT Brent Waters SRI International

  2. Detection Center Signing Key Worm List Distribution Users Time Verification Key

  3. Detection Center Signing Key Compromise Ruins Everything Users All prior updates are suspect Time Verification Key

  4. Signing Key Forward Secure Signatures [A97] • Sign message and Timestamp • Evolve Key Forward in Time • Can’t “backdate” signatures • Verifier checks time 1 2 3 4

  5. Detection Center Signing Key Okay, revoked at period 4 1 2 3 4 Past Messages not Revoked 1 2 3 4 Users Time Verification Key

  6. 1 2 3 T Anderson’s Solution • T -Time periods • Create T SK key pairs w/certifcates from master key • Update: Erase old Keys 3 years * hourly =25,000 periods 3MB Verification Key …

  7. K1 K2 K3 K5 K6 K7 K2 4 5 7 7 1 2 3 8 Bellare-Miner Tree method • Leaves with Time Peroids • Sign with current leaf • lg(T) storage & signature size Time= 1 2 3 4

  8. FS Signature Schemes • Evaluate on Sig Size, Key Size, and Time • Bellare and Miner ’99 • Itkis and Reyzin ’01 • MMM ’03… Let’s bring into practice…

  9. In practice… • Private keys are encrypted by passwords • FS Signature update needs unencrypted keys!

  10. Our Choices • No Forward Secure Signatures • No Password Encryption (=No Adoption) • Bug User per update • Invent something new

  11. Decryption PW needed for signing, not update! Forward Secure Signatures w/ Untrusted Update • KeyGen(T,PW): Outputs FSS keypair (EncSK, VK) • Update(EncSK): Evovles key forward (PW not needed) • Sign(EncSK, PW, M ) Signs M under current key • Update( VK,M,S ): Verifies signature S

  12. Security – 2 Games • Forward Security • Corrupt at time t (PW and storage) • Attacker tries to forge at time t’< t • Update Security • Corrupts storage, but not PW

  13. Our Scheme (Outline) • Tree-based with Bilinear Groups • PW is “Blinding Factor” B • Update operation is “homomorphic” to factor • Sketch key update

  14. Bilinear Maps • G , GT : finite cyclic groups of prime order p. • Def: An admissible bilinear mape: GG GTis: • Bilinear:e(ga, gb) = e(g,g)ab a,bZ, gG • Efficiently computable.

  15. K1 K2 K3 K5 K6 K7 K2 4 5 7 7 1 2 3 8 ga(h3)r Basic tree method (simplified) • PK= e(g,g)a, h1, h2, … hlg(T) • Multiply in when derive to right ga(h1)r’ ga(h2)r ga(h2)r(h3)r’’ Can sign using leaf keys

  16. K1 K2 K3 K5 K6 K7 K2 4 5 7 7 1 2 3 8 Bga(h3)r Adding untrusted update User Decryption key = B 2 G Divide out B from leaf key to sign Bga(h1)r’ Bga(h2)r Bga(h2)r(h3)r’’ Can sign using leaf keys

  17. Results Summary • Untrusted Update • Constant size sigs • Lg(T)2 storage (can tradeoff with sig size) • Fast setup, update, and verification • No Random Oracles

  18. Untrusted Update elsewhere? E.g. Bellare-Miner (2) Update = x2 mod N Untrusted Update = (Bx)2 mod N After t time periods must compute B2t mod N Hurts performance! (True elsewhere e.g. IR’01)

  19. Conclusion • IntroducedUntrusted Update • Created scheme • Implementation • Open: Add untrusted Update to other FSSS

  20. THE END

More Related