Abstract
Protocols for problems like Byzantine agreement, clock synchronization, or contract signing often use digital signatures as the only cryptographic operation. Proofs of such protocols are frequently based on an idealizing “black-box” model of signatures. We show that the standard cryptographic security definition for digital signatures is not sufficient to ensure that such proofs are still valid if the idealized signatures are implemented with real, provably secure signatures.
We propose a definition of signature security suitable for general reactive, asynchronous environments, called reactively secure signature schemes, and prove that, for signature schemes whose only signing state is a counter, the standard security definition implies our definition.
We further propose an idealization of digital signatures that can be used in a reactive and composable fashion, and we show that reactively secure signature schemes constitute a secure implementation of our idealization.
Cite this article
Backes, M., Pfitzmann, B. & Waidner, M. Reactively secure signature schemes. Int J Inf Secur 4, 242–252 (2005). https://doi.org/10.1007/s10207-004-0062-8