Strong key-insulated signature schemes

Yevgeniy Dodis, Jonathan Katz, Shouhuai Xu, Moti Yung

Research output: Contribution to journalArticle

Abstract

Signature computation is frequently performed on insecure devices - e.g., mobile phones - operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1, N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

Original languageEnglish (US)
Pages (from-to)130-144
Number of pages15
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2567
StatePublished - 2003

Fingerprint

Signature Scheme
Equipment and Supplies
Signature
Random Oracle Model
Cell Phones
Mobile phones
Identity-based Signature
Network protocols
Discrete Logarithm
Public key
Mobile Phone
Efficient Solution
Lifetime
Discrete-time
Damage
Update
Likely

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

Strong key-insulated signature schemes. / Dodis, Yevgeniy; Katz, Jonathan; Xu, Shouhuai; Yung, Moti.

In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 2567, 2003, p. 130-144.

Research output: Contribution to journalArticle

@article{ab7a05dafd304a3d8756a339448141f2,
title = "Strong key-insulated signature schemes",
abstract = "Signature computation is frequently performed on insecure devices - e.g., mobile phones - operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a {"}master key{"}. All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1, N)-key-insulated schemes based on any {"}trapdoor signature scheme{"} (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.",
author = "Yevgeniy Dodis and Jonathan Katz and Shouhuai Xu and Moti Yung",
year = "2003",
language = "English (US)",
volume = "2567",
pages = "130--144",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Strong key-insulated signature schemes

AU - Dodis, Yevgeniy

AU - Katz, Jonathan

AU - Xu, Shouhuai

AU - Yung, Moti

PY - 2003

Y1 - 2003

N2 - Signature computation is frequently performed on insecure devices - e.g., mobile phones - operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1, N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

AB - Signature computation is frequently performed on insecure devices - e.g., mobile phones - operating in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecure device, and the public key remains fixed throughout the lifetime of the protocol. In a strong (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods is unable to forge signatures for any of the remaining N-t periods. Furthermore, the physically-secure device (or an adversary who compromises only this device) is unable to forge signatures for any time period. We present here constructions of strong key-insulated signature schemes based on a variety of assumptions. First, we demonstrate a generic construction of a strong (N - 1, N)-key-insulated signature scheme using any standard signature scheme. We then give a construction of a strong (t, N)-signature scheme whose security may be based on the discrete logarithm assumption in the random oracle model. This construction offers faster signing and verification than the generic construction, at the expense of O(t) key update time and key length. Finally, we construct strong (N - 1, N)-key-insulated schemes based on any "trapdoor signature scheme" (a notion we introduce here); our resulting construction in fact serves as an identity-based signature scheme as well. This leads to very efficient solutions based on, e.g., the RSA assumption in the random oracle model.

UR - http://www.scopus.com/inward/record.url?scp=35248813300&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248813300&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35248813300

VL - 2567

SP - 130

EP - 144

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -