Abstract
We put forward a new abstraction for achieving forward-secure signatures that are (1) short, (2) have fast update and signing, and (3) have small private key size. Prior work that achieved these parameters was pioneered by the pebbling techniques of Itkis and Reyzin (CRYPTO 2001), which showed a process for generating a sequence of roots \(h^{1/e_1}, h^{1/e_2}, \ldots , h^{1/e_T}\) for a group element h in \(\mathbb {Z}_N^*\). However, the current state of the art has limitations.
First, while many works claim that Itkis-Reyzin pebbling can be applied, it is seldom shown how this non-trivial step is concretely done. Second, setting up the pebbling data structure takes time linear in T, so key generation under this approach costs T time as well. Third, many past works require random oracles, the Strong RSA assumption, or both; we work in the standard model under the RSA assumption.
We introduce a new abstraction that we call an RSA sequencer. Informally, the job of an RSA sequencer is to store roots of a public key U, so that at time period t, it can provide \(U^{1/e_t}\), where the value \(e_t\) is an RSA exponent computed from a certain function. This separation allows us to focus on building a sequencer that efficiently stores such values, in a forward-secure manner and with better setup times than other comparable solutions. In addition, our sequencer abstraction has certain re-randomization properties that allow for constructing forward-secure signature schemes with a single trusted setup that takes T time and afterward individual key generation takes \(\lg (T)\) time.
We demonstrate the utility of our abstraction by using it to provide concrete forward-secure signature schemes. We first give a random-oracle construction that closely matches the performance and structure of the Itkis-Reyzin scheme with the important exception that key generation can be realized much faster (after the one-time setup). We then move on to designing a standard model scheme. We believe this abstraction and illustration of how to use it will be useful for other future works.
We include a detailed performance evaluation of our constructions, with an emphasis on the time and space costs for large caps on the maximum number of time periods T supported. Our philosophy is that frequently updating forward-secure keys should be part of “best practices” in key maintenance. To make this practical, even for bounds as high as \(T=2^{32}\), we show that after an initial global setup it takes only seconds to generate a key pair, and only milliseconds to update keys, sign messages and verify signatures. The space requirements for the public parameters and private keys are also a modest number of kilobytes, with signatures being a single element in \(\mathbb {Z}_N\) and one smaller value.
S. Hohenberger—Supported by NSF CNS-1414023, NSF CNS-1908181, the Office of Naval Research N00014-19-1-2294, and a Packard Foundation Subaward via UT Austin.
B. Waters—Supported by NSF CNS-1414082, NSF CNS-1908611, Simons Investigator Award and Packard Foundation Fellowship.
Notes
1. Key updates could correspond to actual time intervals or be done in some other arbitrary manner.
2. For the purposes of this overview, we will implicitly assume that all \(e_i\) values are relatively prime to \(\phi (N)\) and thus \(V_j^{1/e_i}\) is uniquely defined. However, this is not required in our formal specification.
3. Any adversary \(\mathcal {A}\) that runs in time polynomial in \(\lambda \) will be restricted (by its own running time) to responding with a T value that is polynomial in \(\lambda \).
4. Technically, it is no loss of generality to allow the adversary only one break-in period, because from this secret key she can run the update algorithm to produce valid signing keys for all future periods. Her forgery must, in any event, come from a period prior to her earliest break-in.
5. In a particular \(S_i\) there might be zero, one or two tuples. If there are two, the one with the larger \(\mathtt {open}\) value is ignored. Ties will not occur, as our analysis will show.
6. The \(e_{\mathrm {default}}\) value is included to guarantee that \(H_K()\) returns some value for each input, but we have chosen the search space so that \(e_{\mathrm {default}}\) is only returned with negligible probability.
7. For convenience, we pass the key K to \(\mathsf {SeqSetup}\) with the assumption that it implicitly describes \(H_K\).
8. Technically, \(\mathsf {SeqCurrent}\) returns a tuple of length \(\mathtt {len}\); since \(\mathtt {len}=1\) in this case, we allow \(\mathsf {SeqCurrent}\) to return s instead of (s).
9. The parameters given for this and the standard model scheme evaluation do not correspond exactly to the scheme description, e.g., using 81-bit e values technically requires a variant of the RSA assumption with smaller exponents. We also do not attempt to set the modulus size to match the security loss of our reductions. It is unknown if this loss can be utilized by an attacker and we leave it as future work to deduce an optimally tight reduction. Our focus here is to give the reader a sense of the relative performance of the schemes for reasonable parameters.
10. Technically, \(T = 2^{\mathtt {levels}+1}-2\) (see Sect. 5); we ignore the small constants.
11. This could be further reduced by using a faster computer and/or parallelizing.
References
Abdalla, M., Benhamouda, F., Pointcheval, D.: On the tightness of forward-secure signature reductions. J. Cryptol. 32(1), 84–150 (2019)
Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10
Anderson, R.: Invited lecture. In: Fourth Annual Conference on Computer and Communications Security. ACM (1997)
Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28
Bellare, M., Ristov, T.: Hash functions from sigma protocols and improvements to VSH. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 125–142. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_9
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)
Camenisch, J., Koprowski, M.: Fine-grained forward-secure signature schemes without random oracles. Discrete Appl. Math. 154(2), 175–188 (2006)
Fisher, D.: Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Threatpost, 31 October 2012. https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Hoffman, S.: RSA SecureID Breach Costs EMC $66 Million. CRN Magazine, 28 July 2011. http://www.crn.com/news/security/231002862/rsa-secureid-breach-costs-emc-66-million.htm
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_38
Hohenberger, S., Waters, B.: Synchronized aggregate signatures from the RSA assumption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 197–229. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_7
Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_20
Kozlov, A., Reyzin, L.: Forward-secure signatures with fast key update. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 241–256. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_18
Krawczyk, H.: Simple forward-secure signatures from any signature scheme. In: ACM Conference on Computer and Communications Security, pp. 108–115 (2000)
Malkin, T., Micciancio, D., Miner, S.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_27
Mohassel, P.: One-time signatures and chameleon hash functions. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 302–319. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_21
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Shoup, V.: NTL: A Library for doing Number Theory, v10.5.0 (2017). http://www.shoup.net/ntl/
Song, D.X.: Practical forward secure group signature schemes. In: ACM Conference on Computer and Communications Security, pp. 225–234 (2001)
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Hohenberger, S., Waters, B. (2020). New Methods and Abstractions for RSA-Based Forward Secure Signatures. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science, vol. 12146. Springer, Cham. https://doi.org/10.1007/978-3-030-57808-4_15
DOI: https://doi.org/10.1007/978-3-030-57808-4_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57807-7
Online ISBN: 978-3-030-57808-4
eBook Packages: Computer Science (R0)