US20060233364A1 - Fine-grained forward-secure signature scheme - Google Patents


Info

Publication number: US20060233364A1
Authority: US (United States)
Application number: US10/522,472
Inventor: Jan Camenisch
Assignors of record: Maciej Koprowski, Jan Camenisch
Original and current assignee: International Business Machines Corp
Legal status: Abandoned (status as listed by Google Patents, not a legal conclusion)
Related application: US12/120,349, claiming priority to this application, published as US8139767B2

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/14: Using a plurality of keys or algorithms
    • H04L 9/32: Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: Involving digital signatures
    • H04L 9/3255: Involving digital signatures using group based signatures, e.g. ring or threshold signatures

Definitions

  • A method for providing a signature value (i, y, a) on a message m in a network of connected computer nodes is executable by a first computer node and comprises the steps of selecting a first signature element a; selecting a signature exponent value e_i from a number I of exponent values e_1, …, e_I; and deriving a second signature element y from a provided secret cryptographic key (g′_i, h′_i, x′_i), the message m, and the number I of exponent values e_1, …, e_I.
  • The signature value (i, y, a) comprises the first signature element a, the second signature element y, and a signature reference i to the signature exponent value e_i; the signature value is sendable within the network to a second computer node for verification.
  • A method for verifying a signature value (i, y, a) on a message m in a network of connected computer nodes is executable by a second computer node and comprises the steps of receiving the signature value from a first computer node; deriving a signature exponent value e_i from the signature value; and verifying whether the signature exponent value e_i and part of the signature value satisfy a known relationship with the message m and a provided public cryptographic key (g, h, x, N), otherwise refusing the signature value, wherein the signature value (i, y, a) was generated from a first signature element a, a number I of exponent values e_1, …, e_I, a provided secret cryptographic key (g′_i, h′_i, x′_i), and the message m.
  • A method for communicating within a network of connected computer nodes the validity of a signature value (i, y, a) in the event of an exposure of a secret cryptographic key sk relating to the signature value comprises the steps of defining an order of exponent values e_1, …, e_I; publishing a description of the exponent values e_1, …, e_I and their order within the network; and publishing a revocation reference j to one of the exponent values e_1, …, e_I, such that the validity of the signature value is determinable from the revocation reference j, the order of the exponent values, and the provided public cryptographic key.
  • The presented methods form the basis of a forward-secure signature scheme that is provably secure, i.e., its security relies on no heuristic such as the random oracle model.
  • They also form the basis of a fine-grained forward-secure signature scheme that is secure and efficient.
  • The latter scheme allows one to react immediately to a break-in, such that signature values from the past remain valid without being re-issued, while future signature values made with the exposed key can be identified accordingly.
  • Each prepared signature value, also referred to as signature, carries an ascending signature reference i, also contemplated as an ascending index i. This index is attached to the signature value (i, y, a) in such a way that once it has been used, no lower index can be used again to sign.
  • When an adversary breaks in, an honest signer can simply announce the current index, e.g., by signing some special message with respect to the current index, as part of the revocation message for the current time period. All signatures made in prior time periods, as well as all signatures made in the revoked period up to the announced index, are then understood to be valid, i.e., non-repudiable.
  • The fine-grained forward-secure signature scheme updates the secret cryptographic key whenever a new message is signed.
  • In the event of a break-in into a signer's system, which can be noticed quickly with the help of intrusion detection systems, one can revoke the public cryptographic key (g, h, x, N) and publish the last used index i. Other computer nodes are thereby informed about the validity of the signatures already issued. This prevents other parties from using the exposed secret cryptographic key (g′_i, h′_i, x′_i) to sign, without requiring past signatures to be re-issued.
  • A description of the exponent values e_1, …, e_I can be provided within the network, which allows every interested party to verify the validity of a signature.
  • Each of the exponent values e_1, …, e_I can be applied to at most one signature value (i, y, a); this one-time use of each exponent is what makes the signature scheme secure.
  • A more efficient signature generation is achieved when the derivation of the signature element y further comprises deriving a signature base value (g_i, h_i, x_i) from the provided public cryptographic key (g, h, x, N), the provided secret cryptographic key (g′_i, h′_i, x′_i), and the exponent values e_1, …, e_I.
  • FIG. 1 shows a typical network of connected computer nodes.
  • FIG. 2 shows a schematic flow diagram for providing a secret cryptographic key and a public cryptographic key applicable in the network of connected computer nodes.
  • FIG. 3 shows a schematic flow diagram for providing a signature value on a message in the network of connected computer nodes.
  • FIG. 4 shows a schematic flow diagram for verifying the signature value.
  • FIG. 5 shows a schematic flow diagram for communicating within the network of connected computer nodes the validity of the signature value in the event of an exposure of a secret cryptographic key relating to the signature value.
  • FIG. 1 shows an example of a common computer system 2. It comprises a first, second, third, and fourth computer node p_1, p_2, p_3, p_4, which are connected via communication lines 5 to a network.
  • Each computer node p_1, p_2, p_3, p_4 may be any type of computer device or network device known in the art, from a computer on a chip or a wearable computer to a large computer system.
  • The communication lines can be any communication means commonly known to transmit data or messages from one computer node to another.
  • The communication lines may be either single bi-directional communication lines 5 between each pair of computer nodes p_1, p_2, p_3, p_4, or one unidirectional line in each direction between each pair of computer nodes.
  • The common computer system 2 is shown to facilitate the description of the following methods, which form and allow a forward-secure signature scheme and a fine-grained forward-secure signature scheme.
  • FIG. 2 shows a schematic flow diagram for providing a secret cryptographic key and a public cryptographic key applicable in the network of connected computer nodes.
  • The steps to be performed are indicated in boxes and labeled with numbers. The same reference numerals or signs are used throughout to denote the same or like parts.
  • The generation of a secret cryptographic key sk, also referred to as secret key, and a public cryptographic key pk, also referred to as public key, is here performed by the first computer node p_1.
  • The secret cryptographic key sk is generated by selecting two random factor values P, Q (boxes 20, 21). These two selected random factor values are multiplied, and a modulus value N is thereby obtained (box 22). Then a secret base value (g′, h′, x′) is selected in dependence on the modulus value N (box 23); the secret base value forms part of the secret cryptographic key sk, here also denoted (g′, h′, x′).
  • The public cryptographic key pk is generated by selecting a number I of exponent values e_1, …, e_I (box 24).
  • A public base value (g, h, x) is derived from the exponent values e_1, …, e_I and the secret base value (g′, h′, x′) (box 25); the public base value and the modulus value N form part of the public cryptographic key pk, also denoted (g, h, x, N) (box 26).
  • The two random factor values P, Q are deleted afterwards for security reasons (box 27): whoever knows the factorization of N can compute roots modulo N and thus sign with any index, so an intruder must not be able to recover the factors from the signer's system.
  • The public cryptographic key (g, h, x, N) is provided within the network (box 28) such that the other computer nodes p_2, p_3, p_4 have access to it. Later on, the public cryptographic key (g, h, x, N) and at least one of the selected exponent values e_1, …, e_I will be usable for verifying a signature value (i, y, a), also referred to as signature, on a message m which is sent within the network to, e.g., the second computer node p_2 for verification purposes.
  • In more detail, a random RSA modulus value N of size k bits is chosen, preferably as the product of two safe primes. QR_N denotes the subgroup of squares in Z*_N, and all group operations are performed in this group. A random seed W is chosen and expanded by some pseudorandom generator into the I distinct random (l+1)-bit prime exponent values e_1, …, e_I.
  • FIG. 3 shows a schematic flow diagram for providing a signature value on a message m in the network of connected computer nodes. If the public cryptographic key pk has not yet been revoked, the signature value (i, y, a) on the message m is here generated by the first computer node p_1.
  • The first computer node p_1 is also referred to as signer or signing party.
  • A first signature element a is selected (box 30).
  • A signature exponent value e_i is selected from the number I of exponent values e_1, …, e_I (box 31).
  • A second signature element y is derived from the provided secret cryptographic key (g′_i, h′_i, x′_i) (box 33), the message m (box 34), and the number I of exponent values e_1, …, e_I, such that the first signature element a, the second signature element y, and the signature exponent value e_i satisfy a known relationship, representable as a verification equation, with the message m and the provided public cryptographic key pk = (g, h, x, N).
  • The signature value (i, y, a) (box 35) finally comprises the first signature element a, the second signature element y, and a signature reference i to the signature exponent value e_i.
  • The signature value (i, y, a) is then sent within the network to, e.g., the second computer node p_2 for verification purposes.
  • The generation of the signature value (i, y, a) is addressed hereafter with regard to some more mathematical aspects. It is assumed that the message m is to be signed. If the public cryptographic key pk has been revoked, e.g., because the secret cryptographic key sk has been leaked, or if i > I, i.e., the maximal number of producible signature values has been reached, then signing is aborted.
  • Otherwise, the signature on the message m is (i, y, a).
  • FIG. 4 shows a schematic flow diagram for verifying the signature value i, y, a.
  • The verification of the signature value (i, y, a) on the message m is here performed by the second computer node p_2.
  • The signature value (i, y, a) is received by the second computer node p_2 from the first computer node p_1 (box 40).
  • The second computer node p_2 derives a signature exponent value e_i from the signature value (i, y, a) (box 41). It is then verified whether or not the signature exponent value e_i is a member of the number I of exponent values e_1, …, e_I (box 42), and whether the signature exponent value e_i and part of the signature value satisfy the verification equation with the message m and the provided public cryptographic key (g, h, x, N) (box 43, verification 44).
  • If either verification fails, the signature value (i, y, a) is refused.
  • The results of the verifications 42, 44 are either “true” or “false”, indicated in the figure with “T” and “F”; “false” or “F” leads to a refusal of the signature value (i, y, a) and “true” or “T” to its acceptance. Acceptance establishes that the signature value was generated from the first signature element a, the number I of exponent values e_1, …, e_I, the provided secret cryptographic key (g′_i, h′_i, x′_i), and the message m.
  • FIG. 5 shows a schematic flow diagram for communicating within the network of connected computer nodes the validity of the signature value (i, y, a) in the event of an exposure of a secret cryptographic key sk (box 54) relating to the signature value.
  • The validity of a signature value (i, y, a) is communicated within the network as follows.
  • An order of exponent values e_1, …, e_I is defined (box 50), and a description of the exponent values together with their order is published within the network (box 51).
  • A revocation reference j to one of the exponent values e_1, …, e_I is published within the network (box 52), such that the validity of the signature value (i, y, a) is determinable (box 53) from the revocation reference j, the order of the exponent values e_1, …, e_I, and the provided public cryptographic key pk (box 55).
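The following is an added worked example of the key generation, signing, verification and index-revocation steps of FIGs. 2 to 5; it was written for this page and is not code from the patent or from IBM. It assumes a concrete verification equation, y^e_i = x · g^m · h^a (mod N), which the page describes only as "a known relationship"; it assumes that the message enters that equation as the integer m = SHA-256(message); it uses SHA-256 as the pseudorandom generator that expands the seed W into the (l+1)-bit prime exponents e_1, …, e_I; and it keeps the secret key at index i as the bases (g′, h′, x′) raised to e_1 · … · e_{i−1}, so that the e_i-th roots g_i, h_i, x_i needed for signing are obtained by one further exponentiation (the "more efficient signature generation" mentioned above). The toy modulus 2039 · 3023 keeps every value readable and offers no security at all.

```python
import hashlib
import random
from math import prod

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin bases; deterministic below ~3e24

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, sufficient for the toy sizes used here (n >= 2 assumed)."""
    if any(n % p == 0 for p in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_exponents(W, I, l):
    """Expand the public seed W into I distinct (l+1)-bit primes e_1..e_I (ASSUMPTION: SHA-256 as the PRG)."""
    es = []
    for i in range(1, I + 1):
        ctr = 0
        while True:
            digest = hashlib.sha256(W + i.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
            cand = (int.from_bytes(digest, "big") % (1 << l)) | (1 << l) | 1   # exactly l+1 bits, odd
            if cand not in es and is_probable_prime(cand):
                es.append(cand)
                break
            ctr += 1
    return es

def msg_int(message):
    """ASSUMPTION: the message enters the verification equation as the integer m = SHA-256(message)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def keygen(P, Q, I, l, rng):
    """FIG. 2: N = P*Q, secret bases g', h', x' in QR_N, public bases = secret bases ^ (e_1 * ... * e_I)."""
    N = P * Q
    W = rng.getrandbits(128).to_bytes(16, "big")
    es = derive_exponents(W, I, l)
    g_s, h_s, x_s = (pow(rng.randrange(2, N), 2, N) for _ in range(3))   # squares, hence in QR_N
    g, h, x = (pow(b, prod(es), N) for b in (g_s, h_s, x_s))
    pk = {"N": N, "g": g, "h": h, "x": x, "W": W, "I": I, "l": l}
    sk = {"N": N, "l": l, "i": 1, "g": g_s, "h": h_s, "x": x_s, "es": es, "revoked": False}   # P, Q not kept (box 27)
    return pk, sk

def sign(sk, message, rng):
    """FIG. 3: signature (i, y, a) with y^e_i = x * g^m * h^a (mod N), then advance the key to index i+1."""
    i, N, es = sk["i"], sk["N"], sk["es"]
    if sk["revoked"] or i > len(es):
        raise RuntimeError("signing aborted: key revoked or all I indices used")
    e_i, rest = es[i - 1], prod(es[i:])             # rest = e_{i+1} * ... * e_I
    g_i, h_i, x_i = (pow(b, rest, N) for b in (sk["g"], sk["h"], sk["x"]))   # e_i-th roots of g, h, x
    a = rng.getrandbits(sk["l"])                     # first signature element (box 30)
    y = (x_i * pow(g_i, msg_int(message), N) * pow(h_i, a, N)) % N
    # Key update: fold e_i into the stored bases.  Undoing it needs an e_i-th root mod N (strong RSA),
    # so an intruder who steals the updated key cannot sign with index i or any lower index.
    sk["g"], sk["h"], sk["x"] = (pow(b, e_i, N) for b in (sk["g"], sk["h"], sk["x"]))
    sk["i"] = i + 1
    return (i, y, a)

def verify(pk, message, sig):
    """FIG. 4: recompute e_i from (W, i) (box 41), check membership (42) and the equation (43/44)."""
    i, y, a = sig
    N = pk["N"]
    if not (1 <= i <= pk["I"] and 0 < y < N and 0 <= a < (1 << pk["l"])):
        return False
    e_i = derive_exponents(pk["W"], pk["I"], pk["l"])[i - 1]
    rhs = (pk["x"] * pow(pk["g"], msg_int(message), N) * pow(pk["h"], a, N)) % N
    return pow(y, e_i, N) == rhs

def revoke(sk):
    """FIG. 5: on a detected break-in, stop signing and publish the first unused index j (box 52)."""
    sk["revoked"] = True
    return sk["i"]

def still_valid(sig, j):
    """Fine-grained validity rule (box 53): a signature with index i stays valid iff i < j."""
    return sig[0] < j

def demo():
    """Key generation, two signatures, a forgery attempt, then a break-in with revocation."""
    rng = random.Random(7)
    pk, sk = keygen(2039, 3023, I=4, l=20, rng=rng)   # toy safe primes 2*1019+1 and 2*1511+1 (NOT secure)
    s1 = sign(sk, b"transfer 10 to alice", rng)
    s2 = sign(sk, b"transfer 20 to bob", rng)
    j = revoke(sk)                                     # intrusion detected after the second signature
    return {"both_ok": verify(pk, b"transfer 10 to alice", s1) and verify(pk, b"transfer 20 to bob", s2),
            "forged_rejected": not verify(pk, b"transfer 20 to eve", s2),
            "indices": (s1[0], s2[0], j), "signing_blocked": sk["revoked"] or sk["i"] > len(sk["es"])}
```

Running demo() performs the whole exchange. The step that gives forward security is the key update inside sign(): once index i is spent, the stored bases carry e_i as an exponent, and removing it again would mean extracting an e_i-th root modulo N without the factors of N, which is exactly what deleting P and Q in box 27 denies to an intruder. The verifier never needs the list of exponents to be transmitted; it rebuilds e_i from the public seed W and the signature reference i.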
  • The following provides some brief embodiments of how to use the presented signature scheme as a forward-secure signature scheme and as a fine-grained forward-secure signature scheme, both provably secure without random oracles.
  • The presented signature scheme can be used as a forward-secure signature scheme with the particular property that one can sign only one message per time period; that is, one assigns each index i to a time period rather than to a message.
  • To sign several messages within a time period, an ordinary signature scheme S_i with its own public and secret key pair is used for that period. The final signature on a message m then comprises the signature s_m made with S_i, the public key pk_i of S_i, plus the signature on that public key made with the presented signature scheme applying index i.
  • The presented signature scheme does not prevent a dishonest signer from invalidating a signature made in the past by claiming that a break-in happened and publishing an index smaller than the one used for that signature. It seems unavoidable that a signer is allowed some time (e.g., an hour) after generating a signature during which she can still recall it by claiming that a break-in happened, because the signer must be given time to notice a break-in and to react to it. The three examples I., II., and III. below show how to handle this problem.
  • In the first example, index i denotes the time period T_i from t_0 + i·t_Δ to t_0 + (i+1)·t_Δ, where t_0 is the starting time and t_Δ is the duration of a time period; this instance of the presented scheme, indexed by time period, is the A-scheme.
  • The public key of this scheme becomes the public key of the user.
  • A parameter j_Δ is published as part of the public key; it controls the time the user can take to notice that the secret key got compromised.
  • Within time period T_i, messages are signed with the B_i-scheme, a further instance of the presented scheme whose index j counts the signatures of that period.
  • The signature on a message comprises this signature, the public key of the B_i-scheme, and the signature on this public key made with the A-scheme.
  • Whenever a signer wants to revoke her key, e.g., in time period T_i′, she sends a trusted third party, hereafter abbreviated TTP, a predetermined message that indicates this, signed with the B-scheme of the current period using the current index, here j′.
  • Such a signature is called a revocation signature.
  • The TTP verifies the signature and checks whether T_i′ is the current time period. If so, the TTP accepts the revocation and publishes the signature appropriately. The signer is not precluded from revoking several times in the same time period.
  • A user's signature with indices i and j is considered valid if no revocation happened or, if a revocation with indices i′ and j′ happened (where i′ and j′ are the smallest indices of any revocation signature published by the TTP), if i < i′, or i = i′ and j < j′ − j_Δ. Until the time period in which a signature was made has passed, one cannot be sure whether the signature will be valid or not; this, however, holds for any forward-secure signature scheme.
  • The second example replaces the A-scheme of the previous example with a public archive. It is assumed that messages cannot be deleted from the archive and that they are published together with the exact time at which the archive received them.
  • A fine-grained forward-secure signature scheme is then achieved as follows, using only one instantiation of the presented signature scheme.
  • A message m is signed with the presented signature scheme using the current index, after which the secret key is updated.
  • In each time period T_i, the user additionally signs a predetermined message, e.g., "last index used in time period T_i", with the presented signature scheme using the current index, here j, then updates the secret key and sends this index signature to the public archive.
  • The public archive posts the message along with the time at which it received the signature.
  • Whenever a signer wants to revoke her key, e.g., in time period T_i′, she sends the TTP a preferably predetermined message that indicates this, signed with the presented signature scheme using the current index j′.
  • The TTP verifies the signature and checks whether T_i′ is the current time period and whether j′ is not smaller than the index j of the index signature the signer provided to the public archive during the previous time period. If so, the TTP accepts the revocation and publishes the signature appropriately. Again, the signer is not precluded from revoking several times in the same time period.
  • A user's signature with index i is considered valid if no revocation happened or, if a revocation happened, if i < j′ − j_Δ or if i < j, where j′ is the smallest index of any revocation signature published by the TTP and j is the index of the index signature the signer provided to the public archive in the time period prior to the one in which the key was revoked.
  • The signer might be allowed some time after a time period has passed to publish an index signature in the archive and to perform a revocation; this handles a break-in at the very end of a time period. As a consequence, the signer should be allowed to put several index signatures into the public archive per time period, the one with the lowest index being the one that counts. A signature with index i is then counted as valid if no revocation happens or, if a revocation happens, if i < j′ − j_Δ, where j′ is the index of the revocation signature.
  • In the third example, the index is bound to the time periods by allowing exactly s signatures per time period.
  • The parameter s, together with t_0 and t_Δ, is published as part of the public key.
  • To revoke, the signer sends the revocation signature produced with the current index j′ to the TTP.
  • The TTP verifies the signature and publishes it if the signature's index matches the current time period.
  • A signature with index j is considered valid if no revocation happened or, in case a revocation signature with index j′ was published, if j belongs to an earlier time period than j′ or if j < j′ − j_Δ.
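An added example (written for this page, not taken from the patent or from IBM) of the index bookkeeping in the third example: mapping an index to its time period from t_0, t_Δ and s, the TTP's check that a revocation index belongs to the current period, and the validity rule applied to every signature once a revocation index j′ has been published. It assumes that indices start at 1, that the grace parameter j_Δ of the first example is the one used in the rule above, and that indices of a period left unused when the period ends are skipped rather than reused (the page does not say how an idle period is handled). The timeline in demo_policy() is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IndexPolicy:
    """Public parameters of the third example: t_0, t_delta, s signatures per period and the grace j_delta."""
    t0: int        # start of time period T_0 (seconds)
    t_delta: int   # duration of one time period (seconds)
    s: int         # exactly s indices belong to each time period
    j_delta: int   # grace: the newest indices the signer may still disown after a break-in

    def period_at(self, now):
        """Time period T_p containing the instant now: t_0 + p*t_delta <= now < t_0 + (p+1)*t_delta."""
        return (now - self.t0) // self.t_delta

    def period_of_index(self, j):
        """Index j (1-based) belongs to period (j-1)//s because each period owns exactly s indices."""
        return (j - 1) // self.s

    def next_index(self, j_next, now):
        """ASSUMPTION: indices of a period that were not used before it ended are skipped, never reused."""
        return max(j_next, self.period_at(now) * self.s + 1)

    def ttp_accepts_revocation(self, j_prime, now):
        """The TTP publishes a revocation signature only if its index lies in the current time period."""
        return self.period_of_index(j_prime) == self.period_at(now)

    def signature_valid(self, j, j_prime):
        """Validity of index j given the published revocation index j_prime (None: no revocation)."""
        if j_prime is None:
            return True
        return self.period_of_index(j) < self.period_of_index(j_prime) or j < j_prime - self.j_delta

def classify(policy, signed_indices, j_prime):
    """Verdict for every signature index after the TTP published revocation index j_prime."""
    return {j: ("valid" if policy.signature_valid(j, j_prime) else "disowned") for j in signed_indices}

def demo_policy():
    """Constructed timeline: 1-hour periods, s = 4 signatures per period, grace j_delta = 2."""
    pol = IndexPolicy(t0=0, t_delta=3600, s=4, j_delta=2)
    # The signer used indices 1..4 in T_0.  The key was copied while its state was at index 5; the
    # signer, unaware, signed 5 and 6, and the intruder signed 7.  100 s into T_1 the break-in is
    # detected and the signer revokes with her current index 7 (the intruder holds that state too).
    now, j_prime = 3600 + 100, 7
    return {
        "ttp_accepts": pol.ttp_accepts_revocation(j_prime, now),
        "stale_revocation_rejected": not pol.ttp_accepts_revocation(3, now),   # index 3 belongs to T_0
        "verdicts": classify(pol, [1, 2, 3, 4, 5, 6, 7], j_prime),
        "index_after_idle_period": pol.next_index(6, 2 * 3600 + 1),   # unused 6..8 of T_1 are skipped
    }
```

classify() applies the rule from the paragraph above: with j_Δ = 2, the two signatures the signer made between the compromise and its detection are disowned together with the intruder's, while everything from the earlier period stays valid however far its index lies below j′. The TTP check is what stops a dishonest signer from back-dating a revocation into a period that has already closed.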
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.

Abstract

The presented methods form the basis of a forward-secure signature scheme that is provably secure. Moreover, the presented methods also form the basis of a fine-grained forward-secure signature scheme that is secure and efficient. The scheme allows one to react immediately to hacker break-ins such that signatures from the past remain valid without re-issuing them, and future signature values based on an exposed key can be identified accordingly. In general, each prepared signature carries an ascending index such that once an index is used, no lower index can be used to sign. Then, whenever an adversary breaks in, an honest signer can just announce the current index, e.g., by signing some special message with respect to the current index, as part of the revocation message for the current time period. It is then understood that all signatures made in prior time periods, as well as all signatures made in the revoked period up to the announced index, are valid, i.e., non-repudiable.

Description

    TECHNICAL FIELD
  • The present invention relates to a method for providing a secret cryptographic key and public cryptographic key applicable in a network of connected computer nodes using a signature scheme. Moreover, the invention relates to methods for providing and verifying a signature value on a message in the network of connected computer nodes. A method for communicating the validity of the generated signature value in the event of a detected intrusion is also disclosed herein.
  • BACKGROUND OF THE INVENTION
  • Electronic or digital signatures are used to authenticate information, that is to securely tie the contents of an electronic document to a signer, more precisely, to the signer's public key. Only the true signer should be able to produce valid signatures, and anyone should be able to verify them in order to convince oneself that the signer indeed signed the document. While many digital signature schemes have been proposed so far, a few are used in practice today.
  • Ordinary digital signature schemes suffer from a fundamental shortcoming: once the secret key is leaked, for example because a hacker managed to break into the signer's computer, and, when this leakage is detected, the public key is revoked then all signatures produced by the signer become reputable, i.e., it is no longer possible to distinguish whether a signature was produced by the signer or the hacker. Therefore ordinary signature schemes can pre se not provide non-repudiation. One possibility to achieve non-repudiation is to use a so-called time-stamping service. Here each signature is sent to a trusted third party who signs a message containing the signature and the current date and time. A signature is considered non-reputable if it was time-stamped before the signer revoked her public key. Hence, assuming that the trusted third party's key is never leaked, non-repudiation is guaranteed. However, this solution requires frequent interaction with a trusted third party, e.g., the time-stamping service, which is not desirable.
  • Another possibility is to change the keys frequently, i.e., to use a different key pair each day and delete all the secret keys of past days. It then is understood that if a day has passed without that the user has revoked that day's key then all the signatures made with respect to the key are non-reputable. This either requires again frequent interaction with the trusted third party, or, the public key becomes large, i.e., a list of many public keys. Forward secure signature schemes as introduced by R. Anderson in “Two remarks on public-key cryptography”, Manuscript, presented by the author at the 4th ACM CCS (1997), September 2000, and formalized by Bellare and Miner in “A forward-secure digital signature scheme”, In Michael Wiener, editor, Advances in Cryptology—CRYPTO '99, volume 1666 of LNCS, pages 431-448, Springer Verlag, 1999, solve this problem by having only one public key but many secret keys—one for each time period. In fact, most forward secure signature schemes allow one to derive the secret key of the current time period from the one of the previous period in a one-way fashion.
  • In principle, a forward secure signature scheme can be obtained from any ordinary signature scheme: the signer chooses new secret and public keys for each time period. The public key of the forward secure signature scheme becomes the set of the ordinary public keys, indexed by the time period for which they are valid. To sign a message the signer uses the secret key of that period. Once a time period has passed, the signer deletes the respective secret key. It is easy to see that this scheme is forward secure. However, the scheme is rather inefficient in terms of (public and secret) storage.
  • However, current forward secure signature schemes suffer from the following problem. In case of a hacker's break-in, all the signatures made in the current time period have to be recalled and the (honest) signer needs to re-issue them. One solution to this is to use small time periods, which only works if the complexity of the key update is comparable to the complexity of signing.
  • From the above it follows that there is a call for an improved forward secure signature scheme that is more secure and efficient. The scheme should furthermore allow one to react to a hacker's break-in immediately, without re-issuing signatures from the past.
  • SUMMARY AND ADVANTAGES OF THE INVENTION
  • In accordance with a first aspect of the present invention, there is given a method for providing a secret cryptographic key sk and a public cryptographic key pk applicable in a network of connected computer nodes using a signature scheme. The method is executable by a first computer node and comprises the steps of generating the secret cryptographic key sk by selecting two random factor values P, Q, multiplying the two selected random factor values P, Q to obtain a modulus value (N), and selecting a secret base value g′, h′, x′ in dependence on the modulus value N, wherein the secret base value g′, h′, x′ forms part of the secret cryptographic key g′, h′, x′. The method further comprises generating the public cryptographic key pk by selecting a number I of exponent values e1, . . . , eI, and deriving a public base value g, h, x from the exponent values e1, . . . , eI and the secret base value g′, h′, x′ wherein the public base value g, h, x and the modulus value N form part of the public cryptographic key g, h, x, N. The method further comprises the steps of deleting the two random factor values P, Q; and providing the public cryptographic key g, h, x, N within the network; such that the public cryptographic key g, h, x, N and at least one of the selected exponent values e1, . . . , eI is usable for verifying a signature value i, y, a on a message m to be sent within the network to a second computer node for verification.
  • In a second aspect of the present invention, there is given a method for providing a signature value i, y, a on a message m in a network of connected computer nodes, the method being executable by a first computer node and comprising the steps of selecting a first signature element a; selecting a signature exponent value ei from a number I of exponent values e1, . . . , eI; and deriving a second signature element y from a provided secret cryptographic key g′i, h′i, x′i, the message m, and the number I of exponent values e1, . . . , eI such that the first signature element a, the second signature element y, and the signature exponent value ei satisfy a known relationship with the message m and a provided public cryptographic key g, h, x, N, wherein the signature value i, y, a comprises the first signature element a, the second signature element y, and a signature reference i to the signature exponent value ei, the signature value i, y, a being sendable within the network to a second computer node for verification.
  • In a third aspect of the present invention, there is given a method for verifying a signature value i, y, a on a message m in a network of connected computer nodes, the method being executable by a second computer node and comprising the steps of receiving the signature value i, y, a from a first computer node; deriving a signature exponent value ei from the signature value i, y, a; and verifying whether the signature exponent value ei and part of the signature value i, y, a satisfy a known relationship with the message m and a provided public cryptographic key g, h, x, N, otherwise refusing the signature value i, y, a, wherein the signature value i, y, a was generated from a first signature element a, a number I of exponent values e1, . . . , eI, a provided secret cryptographic key g′i, h′i, x′i, and the message m.
  • In a fourth aspect of the present invention, there is given a method for communicating within a network of connected computer nodes the validity of a signature value i, y, a in the event of an exposure of a secret cryptographic key sk relating to the signature value i, y, a, the method comprising the steps of defining an order of exponent values e1, . . . , eI; publishing a description of the exponent values e1, . . . , eI and the order of the exponent values e1, . . . , eI within the network; publishing a revocation reference j to one of the exponent values e1, . . . , eI within the network such that the validity of the signature value i, y, a is determinable by using the revocation reference j, the order of exponent values e1, . . . , eI and a provided public cryptographic key pk.
  • The presented methods form the basis of a forward-secure signature scheme that is provably secure, i.e., its security relies on no heuristic such as the random oracle model. Moreover, the presented methods also form the basis of a fine-grained forward-secure signature scheme that is secure and efficient. The latter scheme allows one to react immediately to hacker break-ins such that signature values from the past still remain valid without re-issuing them, and future signature values based on an exposed key can be identified accordingly. In other words, when using the fine-grained forward-secure signature scheme there is no need to re-sign signature values produced in the current time period in the event of a secret-cryptographic-key exposure. Re-signing is tedious, because it would involve contacting the parties again, and possibly some re-negotiating.
  • In general, the presented methods form the basis of a forward-secure signature scheme in which each prepared signature value, also referred to as signature, carries an ascending signature reference i, also contemplated as an ascending index i. This index i is attached to the signature value i, y, a in such a way that once it is used, no lower index can be used again to sign. Then, whenever an adversary breaks in, an honest signer can just announce the current index, e.g., by signing some special message with respect to the current index, as part of the revocation message for the current time period. It is then understood that all signatures made in prior time periods, as well as all signatures made in the revoked period up to the announced index, are valid, i.e., non-repudiable.
  • Instead of using time periods, as in ordinary forward-secure signature schemes, the fine-grained forward-secure signature scheme updates the secret cryptographic key whenever a new message is signed. In the event of a break-in into a signer's system, which can be noticed immediately owing to tools called intrusion detection systems, one can revoke the public cryptographic key g, h, x, N and publish the last used index i. Thereby other computer nodes can be informed about the validity of already issued signatures. This prevents other parties from using the exposed provided secret cryptographic key g′i, h′i, x′i to sign, while not requiring past signatures to be re-issued.
  • A description of the exponent values e1, . . . , eI can be provided within the network. This allows every interested party to verify the validity of the signature.
  • An order of the selected exponent values e1, . . . , eI can be defined to enable communicating the validity of the signature value i, y, a in the event of a detected intrusion. This enables the fine-grained property of the presented scheme.
  • Each of the exponent values e1, . . . , eI can be applied to at most one signature value i, y, a, which yields a secure signature scheme.
  • A more efficient signature generation can be achieved when the derivation of the signature element y further comprises the step of deriving a signature base value gi, hi, xi by using the provided public cryptographic key g, h, x, N, the provided secret cryptographic key g′i, h′i, x′i, and the exponent values e1, . . . , eI.
  • When a new secret cryptographic key g′i+1, h′i+1, x′i+1 is derived from the provided secret cryptographic key g′i, h′i, x′i and the selected signature exponent value ei, forward security is achieved.
  • DESCRIPTION OF THE DRAWINGS
  • Preferred embodiments of the invention are described in detail below, by way of example only, with reference to the following schematic drawings.
  • FIG. 1 shows a typical network of connected computer nodes.
  • FIG. 2 shows a schematic flow diagram for providing a secret cryptographic key and a public cryptographic key applicable in the network of connected computer nodes.
  • FIG. 3 shows a schematic flow diagram for providing a signature value on a message in the network of connected computer nodes.
  • FIG. 4 shows a schematic flow diagram for verifying the signature value.
  • FIG. 5 shows a schematic flow diagram for communicating within the network of connected computer nodes the validity of the signature value in the event of an exposure of a secret cryptographic key relating to the signature value.
  • The drawings are provided for illustrative purpose only and do not necessarily represent practical examples of the present invention to scale.
  • Glossary
  • The following are informal definitions to aid in the understanding of the description. The signs relate to the terms indicated beside and are used within the description.
    • P, Q random factor values, preferably primes
    • N modulus value
    • k number of bits of N
    • e1, . . . , eI exponent values
    • ei signature exponent value
    • W seed, part of description of exponent values
    • QRN subgroup of squares in Z*N
    • l security parameter
    • {0,1}^l bit-strings of length l
    • g′, h′, x′ secret base value being part of a secret cryptographic key (sk)
    • g′i, h′i, x′i provided secret cryptographic key
    • g′i+1, h′i+1, x′i+1 new or updated secret cryptographic key
    • g, h, x forming a public base value
    • g, h, x, N public cryptographic key (pk) or provided public cryptographic key (pk)
    • a first signature element
    • y second signature element
    • i signature reference to a signature exponent value ei
    • j revocation reference
    • j′ signature reference
    • I number of signature values producible
    • i, y, a forming a signature value
    • m message
    • p1, p2, p3, p4 first, second, third, fourth computer node
    • t0 starting time
    • T time period
    • tΔ duration of time period
    • s number of producible signature values per time period
  • DETAILED DESCRIPTION AND EMBODIMENTS
  • With general reference to the figures, the features of a fine-grained forward-secure signature schemes within a network are described in more detail below.
  • FIG. 1 shows an example of a common computer system 2. It comprises here a first, second, third, and fourth computer node p1, p2, p3, p4 which are connected via communication lines 5 to a network. Each computer node p1, p2, p3, p4 may be any type of computer device or network device known in the art, from a computer on a chip or a wearable computer to a large computer system. The communication lines can be any communication means commonly known to transmit data or messages from one computer node to another. For instance, the communication lines may be either single, bi-directional communication lines 5 between each pair of computer nodes p1, p2, p3, p4, or one unidirectional line in each direction between each pair of computer nodes p1, p2, p3, p4. The common computer system 2 is shown to facilitate the description of the following methods forming and allowing a forward-secure signature scheme and a fine-grained forward-secure signature scheme.
  • Key Generation
  • FIG. 2 shows a schematic flow diagram for providing a secret cryptographic key and a public cryptographic key applicable in the network of connected computer nodes. The steps to be performed are indicated in boxes and labeled with numbers, respectively. The same reference numerals or signs are used to denote the same or like parts.
  • The generation of a secret cryptographic key sk, also referred to as secret key, and a public cryptographic key pk, also referred to as public key, is here performed by the first computer node p1.
  • At first, the secret cryptographic key sk is generated by selecting two random factor values P, Q, labeled with 20, 21. These two selected random factor values P, Q are then multiplied and a modulus value N is thereby obtained, as labeled with 22. Then, a secret base value g′, h′, x′ is selected in dependence on the modulus value N, as labeled with box 23, wherein the secret base value g′, h′, x′ forms part of the secret cryptographic key sk, here also denoted as g′, h′, x′.
  • At second, the public cryptographic key pk is generated by selecting a number I of exponent values e1, . . . , eI, as labeled with box 24. A public base value g, h, x is derived from the exponent values e1, . . . , eI and the secret base value g′, h′, x′, as labeled with 25, wherein the public base value g, h, x and the modulus value N form part of the public cryptographic key pk, also denoted as g, h, x, N, and labeled with 26. The two random factor values P, Q should be deleted afterwards for security reasons, as indicated with 27. The public cryptographic key g, h, x, N is provided within the network, as indicated with 28, such that other computer nodes p2, p3, p4 have access to this key. Later on, the public cryptographic key g, h, x N and at least one of the selected exponent values e1, . . . , eI will be usable for verifying a signature value i, y, a, also referred to as signature, on a message m which is to be sent within the network to, e.g., the second computer node p2 for verification purposes.
  • In the following, the generation of the secret cryptographic key sk and the public cryptographic key pk is presented as an embodiment with some more mathematical details. At first, a random RSA modulus value N of size k bits is chosen. The modulus value N is preferably a product of two safe primes. QRN denotes the subgroup of squares in Z*N, and all group operations are performed in this group. A random seed W is chosen and fed to some pseudorandom generator to construct the number I of random, unique (l+1)-bit prime exponent values e1, . . . , eI. Publishing this seed W (as a part of the public cryptographic key pk) allows any computer node p2, p3, p4 to reproduce the exponent values e1, . . . , eI. It is also possible to publish all the exponent values e1, . . . , eI as a part of the public cryptographic key pk. Moreover, since different signers can use the same exponents, they can be published by some trusted organization. Further, the secret base value g′, h′, x′ is selected randomly from QRN. It is computed
    $g := (g')^{\prod_{1 \le i \le I} e_i},\quad h := (h')^{\prod_{1 \le i \le I} e_i},\quad x := (x')^{\prod_{1 \le i \le I} e_i}.$
  • The public cryptographic key pk is here pk:=N, g, h, x, W. The secret cryptographic key sk is here sk:=g′, h′, x′. It is set i:=0.
  • Signing
  • FIG. 3 shows a schematic flow diagram for providing a signature value on a message m in the network of connected computer nodes. If the public cryptographic key pk has not yet been revoked, the signature value i, y, a on the message m is here generated by the first computer node p1. The first computer node p1 is also referred to as signer or signing party. At first, a first signature element a is selected, as labeled with 30. Moreover, a signature exponent value ei is selected from a number I of exponent values e1, . . . , eI, as shown in box 31. As indicated with box 32, a second signature element y is derived from a provided secret cryptographic key g′i, h′i, x′i, labeled with 33, the message m, which is labeled with 34, and the number I of exponent values e1, . . . , eI such that the first signature element a, the second signature element y, and the signature exponent value ei satisfy a known relationship, representable as a verification equation, with the message m and the provided public cryptographic key pk comprising g, h, x, N. The signature value i, y, a, as labeled with 35, finally comprises the first signature element a, the second signature element y, and a signature reference i to the signature exponent value ei. The signature value i, y, a is then sent within the network to, e.g., the second computer node p2 for verification purposes.
  • The generation of the signature value i, y, a is addressed hereafter with regard to some more mathematical aspects. It is assumed that the message m is to be signed. If the public cryptographic key pk has been revoked, e.g., because the secret cryptographic key sk has been leaked, or if i>I, i.e., the maximal number of producible signature values has been reached, then signing is aborted. Given the secret cryptographic key ski=g′i, h′i, x′i one can compute elements gi, hi, and xi such that
    $g_i^{e_i} = g,\quad h_i^{e_i} = h,\quad x_i^{e_i} = x.$
  • Then, one chooses a first signature element a at random, $a \in_R \{0,1\}^l$, and computes
    $y := x_i \cdot g_i^{a} \cdot h_i^{a \oplus H(m)}.$
  • The signature on the message m is here i, y, a.
  • After having signed, the secret cryptographic key sk is updated by computing
    $g'_{i+1} = (g'_i)^{e_i},\quad h'_{i+1} = (h'_i)^{e_i},\quad x'_{i+1} = (x'_i)^{e_i},$
    and setting the secret cryptographic key sk to ski+1:=(g′i+1, h′i+1, x′i+1) and updating i:=i+1.
  • Signature Verification
  • FIG. 4 shows a schematic flow diagram for verifying the signature value i, y, a. The verification of the signature value i, y, a on the message m is here performed by the second computer node p2. The signature value i, y, a is received by the second computer node p2 from the first computer node p1, as indicated by box 40. Then, the second computer node p2 derives a signature exponent value ei from the signature value i, y, a, as indicated with box 41. It can be verified whether or not the signature exponent value ei is a member of the number I of exponent values e1, . . . , eI, as indicated with box 42, wherein a description of the exponent values e1, . . . , eI is accessible within the network, as indicated with box 43. If the signature exponent value ei is not a member of the number I of exponent values e1, . . . , eI, then the signature value i, y, a might be refused. As shown with box 44, it is verified whether or not the signature exponent value ei and part of the signature value i, y, a satisfy a known relationship, i.e., the verification equation, with the message m and a provided public cryptographic key g, h, x, N, as provided in box 43. When this verification fails, the signature value i, y, a is refused. The results of the verifications 42, 44 are either “true” or “false”, as indicated in the figure with “T” and “F”, whereby “false” or “F” leads to a refusal of the signature value i, y, a and “true” or “T” to an acceptance. It can thereby be determined that the signature value i, y, a was generated from the first signature element a, the number I of exponent values e1, . . . , eI, the provided secret cryptographic key g′i, h′i, x′i, and the message m.
  • In another example, the second computer node p2, that is also referred to as verifier, checks whether or not i, y, a, W is the signature, i.e., the signature value, on the message m. Firstly it is checked if 0≦i≦I. Secondly the second computer node p2 generates the signature exponent value ei from the signature reference i and the seed W, that here also is included in the signature value i, y, a, W. Finally the verifier, i.e., the second computer node p2, accepts the signature if the following known relationship, i.e. the verification equation, is fulfilled
    $y^{e_i} = x \cdot g^{a} \cdot h^{a \oplus H(m)} \bmod N.$
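The key generation (boxes 20 to 28), signing with key update (boxes 30 to 35) and verification (boxes 40 to 44) described above, worked through end to end as an added Python example; this is illustrative code written for this page, not the patent's or IBM's implementation. It assumes toy parameters (safe primes near 2^20, l = 12) and uses a SHA-256 hash counter as a stand-in for the unspecified pseudorandom generator that expands the seed W into the (l+1)-bit prime exponent values. Indices are numbered 1 to I here, so the initial secret key is sk1 = (g′, h′, x′); H(m) is truncated to l bits so that a ⊕ H(m) stays in {0,1}^l.

```python
import hashlib
import random
from math import gcd, prod

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_safe_prime(start: int) -> int:
    """Smallest safe prime p >= start, i.e. p and (p-1)/2 both prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p

def exponents_from_seed(W: bytes, I: int, l: int) -> list:
    """Expand seed W into I distinct (l+1)-bit primes e_1..e_I. The hash-counter
    generator stands in for the unspecified pseudorandom generator (assumption)."""
    exps, ctr = [], 0
    while len(exps) < I:
        digest = hashlib.sha256(W + ctr.to_bytes(4, "big")).digest()
        ctr += 1
        cand = int.from_bytes(digest, "big") % (1 << (l + 1)) | (1 << l) | 1
        if is_prime(cand) and cand not in exps:
            exps.append(cand)
    return exps

def H(m: bytes, l: int) -> int:
    """Message hash truncated to l bits so that a XOR H(m) stays in {0,1}^l."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (1 << l)

def keygen(I: int, l: int, W: bytes, rng: random.Random) -> tuple:
    """Boxes 20-28: N from two safe primes, secret bases in QR_N, public bases
    raised to the product of all exponent values. Returns (pk, sk_1)."""
    P = next_safe_prime(rng.randrange(1 << 19, 1 << 20))
    Q = next_safe_prime(rng.randrange(1 << 19, 1 << 20))
    while Q == P:
        Q = next_safe_prime(Q + 2)
    N, order = P * Q, ((P - 1) // 2) * ((Q - 1) // 2)   # |QR_N| = p'q'
    exps = exponents_from_seed(W, I, l)
    if any(gcd(e, order) != 1 for e in exps):         # e_i-th roots must be unique
        raise ValueError("exponent value shares a factor with the group order")
    gp, hp, xp = (pow(rng.randrange(2, N - 1), 2, N) for _ in range(3))  # g', h', x'
    E = prod(exps)                                    # e_1 * ... * e_I
    pk = {"N": N, "g": pow(gp, E, N), "h": pow(hp, E, N), "x": pow(xp, E, N),
          "W": W, "I": I, "l": l}
    sk = {"i": 1, "g": gp, "h": hp, "x": xp}          # sk_1 = (g', h', x')
    del P, Q, order                                   # box 27: factors are not kept
    return pk, sk

def sign(pk: dict, sk: dict, m: bytes, rng: random.Random) -> tuple:
    """Boxes 30-35: produce (i, y, a) under the current index, then update sk in place."""
    N, l, I, i = pk["N"], pk["l"], pk["I"], sk["i"]
    if i > I:
        raise RuntimeError("all I exponent values used; signing aborted")
    exps = exponents_from_seed(pk["W"], I, l)
    e_i, rest = exps[i - 1], prod(exps[i:])           # rest = e_{i+1}...e_I (1 if i == I)
    # sk_i already carries e_1..e_{i-1}; raising it to the remaining exponents
    # gives the signature base value with g_i^{e_i} = g (likewise h_i, x_i).
    g_i, h_i, x_i = (pow(sk[k], rest, N) for k in ("g", "h", "x"))
    a = rng.getrandbits(l)                            # a in_R {0,1}^l
    y = x_i * pow(g_i, a, N) * pow(h_i, a ^ H(m, l), N) % N
    # Update sk_{i+1} = sk_i^{e_i}; the old key is overwritten, so index i and
    # every lower index can never be used to sign again (forward security).
    for k in ("g", "h", "x"):
        sk[k] = pow(sk[k], e_i, N)
    sk["i"] = i + 1
    return i, y, a

def verify(pk: dict, m: bytes, sig: tuple) -> bool:
    """Boxes 40-44: rebuild e_i from (i, W), check y^{e_i} = x g^a h^{a xor H(m)} mod N."""
    i, y, a = sig
    N, l, I = pk["N"], pk["l"], pk["I"]
    if not (1 <= i <= I and 0 <= a < (1 << l)):
        return False
    e_i = exponents_from_seed(pk["W"], I, l)[i - 1]
    rhs = pk["x"] * pow(pk["g"], a, N) * pow(pk["h"], a ^ H(m, l), N) % N
    return pow(y, e_i, N) == rhs

def demo(seed: int = 7) -> dict:
    """Full round trip with a fixed seed; returns the checks a reader would want to see."""
    rng = random.Random(seed)
    pk, sk = keygen(I=3, l=12, W=b"constructed-seed-W", rng=rng)
    s1 = sign(pk, sk, b"pay 10", rng)
    s2 = sign(pk, sk, b"pay 20", rng)
    sign(pk, sk, b"pay 30", rng)                      # uses e_3, the last exponent
    try:
        sign(pk, sk, b"pay 40", rng)
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"indices": (s1[0], s2[0]), "next_index": sk["i"],
            "ok1": verify(pk, b"pay 10", s1), "ok2": verify(pk, b"pay 20", s2),
            "tampered": verify(pk, b"pay 11", s1),
            "wrong_index": verify(pk, b"pay 20", (1, s2[1], s2[2])),
            "exhausted": exhausted}
```

Calling `demo()` signs three messages, verifies them, and shows that a tampered message, a signature replayed under a lower index, and a fourth signature after all I exponents are used are all rejected. The `gcd` check in `keygen` is the practical caveat behind "unique (l+1)-bit primes": an exponent sharing a factor with |QR_N| would break uniqueness of e_i-th roots, which the scheme's security argument relies on.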
  • Revocation
  • FIG. 5 shows a schematic flow diagram for communicating within the network of connected computer nodes the validity of the signature value i, y, a in the event of an exposure of a secret cryptographic key sk, as indicated with 54, relating to the signature value i, y, a. The validity of a signature value i, y, a is communicated within the network as follows. An order of exponent values e1, . . . , eI is defined, as indicated with 50, whose description is provided within the network, as indicated with 51. The order of exponent values e1, . . . , eI is also published within the network, as indicated with 51. Furthermore, a revocation reference j to one of the exponent values e1, . . . , eI is published within the network, as indicated with 52, such that the validity of the signature value i, y, a is determinable, as indicated with 53, by using the revocation reference j, the order of exponent values e1, . . . , eI, and a provided public cryptographic key pk, shown with 55.
  • The following provides some brief embodiments on how to use the presented signature scheme as a forward-secure signature scheme and as a fine-grained forward-secure signature scheme, both of which are provably secure without random oracles.
  • Forward-Secure Signature Scheme
  • The presented signature scheme can be used as forward-secure signature scheme with the particular property that one can sign only one message per time period. That is, one assigns each index i to a time-period rather than to a message.
  • Being able to sign only a single message per time-period is of course not very practical. However, using any ordinary signature scheme S together with the presented signature scheme, one can obtain a forward-secure signature scheme where one can sign many messages per time-period as follows.
  • One generates a new instance, i.e., public and secret key pairs, of S (called Si) for each time period Ti, with 1≦i≦I, and signs its public key pki as the i-th message in the presented signature scheme.
  • To sign a message m in time-period Ti, one can then use the signature scheme Si to sign the message m resulting in a signature sm. Thus the final signature on message m comprises the signature sm, the public key pki, plus the signature on that public key performed with the presented signature scheme applying index i.
  • Fine-Grained Forward-Secure Signature Schemes
  • The presented signature scheme does not prevent a dishonest signer from invalidating a signature made in the past by claiming that a break-in happened and publishing an index that is smaller than the one the signer used with that signature. It seems to be unavoidable that a signer is allowed some time (e.g., an hour) after generating a signature during which she can still recall the signature by claiming a break-in happened. This is because the signer should be allowed some time to figure out that a break-in happened and to react to it. Three examples I., II., and III. that overcome this problem are presented below.
  • I. A Two-Level Scheme
  • One instantiation of the presented signature scheme is used, call it the A-scheme, where each index denotes a time period, i.e., index i denotes here the time period Ti from t0+i·tΔ to t0+(i+1)·tΔ, where t0 is the starting time and tΔ is the duration of the time period. The public key of this scheme becomes the public key of a user. Furthermore, a parameter jΔ is published as part of the public key, whereby the parameter jΔ controls the time the user can take to notice that the secret key got compromised.
  • Then, for each time-period a second instantiation of the presented signature scheme is used, call it Bi-scheme, and sign its public key using the A-scheme with respect to the index i of that time-period. After this, the secret key of the A-scheme is updated and the new current index of this scheme becomes i+1.
  • To sign a j-message of the current time period Ti, the Bi-scheme with index j is used. The signature on the message comprises this signature, the public key of the Bi-scheme, and the signature on this public key made with the A-scheme. Again, after signing the secret key of the Bi-scheme is updated and the new current index is j:=j+1.
  • Whenever a signer wants to revoke her key, e.g., in time period Ti′, she sends a trusted third party, hereafter abbreviated to TTP, a predetermined message that indicates this, signed with the Bi-scheme using the current index, here j′. Such a signature is called a revocation signature. The TTP verifies the signature and checks whether Ti′ is the current time period. If this is the case, the TTP accepts the revocation and publishes the signature appropriately. The signer is not precluded from revoking several times in the same time period.
  • A user's signature with indices i and j is considered valid if no revocation happened, or, if a revocation with indices i′ and j′ happened (where i′ and j′ are the smallest indices of any revocation signature published by the TTP), if i≦i′ and j≦j′−jΔ holds. Until the time period in which a signature was signed has passed, one cannot be sure whether the signature will be valid or not. This, however, holds true for any forward-secure signature scheme.
  • The reason that the signer is allowed to revoke one key several times is that otherwise an adversary who knows the secret key could send a revocation message with index j′ that is higher than the signer's current index. It is easy to see that this gives a fine-grained forward secure signature scheme. Instead of the presented signature scheme, one could use any forward secure signature scheme as A-scheme.
  • II. Using a Public Archive
  • The second example replaces the A-scheme in the previous example with a public archive. It is assumed that it is not possible to delete messages from the archive and that messages are published together with the exact time they were received by the archive.
  • Given such an archive, a fine-grained forward-secure signature scheme is achieved as follows using only one instantiation of the presented signature scheme. The signature on the message m is performed with the presented signature scheme using the current index. After signing, the secret key is updated.
  • At the end of each time period, the user signs a predetermined message, e.g., <<last index used in time period Ti>>, by applying the presented signature scheme and using the current index, here j, and then updates the secret key and sends this index signature to the public archive. The public archive posts the message along with the time it received the signature.
  • Whenever a signer wants to revoke her key, e.g., in time period Ti′, she sends the TTP a preferably predetermined message that indicates this, signed with the presented signature scheme using the current index j′. The TTP verifies the signature and checks whether Ti′ is the current time period and whether j′ is not smaller than the index j of the index signature the signer provided to the public archive during the previous time period. If this is the case, the TTP accepts the revocation and publishes the signature appropriately. Again, the signer is not precluded from revoking several times in the same time period.
  • In this second example, a user's signature with index i is considered valid if no revocation happened, or if revocation happened, if i<j′−jΔ or if i<j, where j′ is the smallest index of any revocation signatures published by the TTP and j is the index j of the index signature the signer provided to the public archive in the time-period prior to the one in which the key was revoked.
  • In this example scheme, one cannot be sure that a signature signed in some time-period is valid until the time period has passed and the signer has published a signature with a higher index in the archive. Compared to the first example solution, the second one has the advantage that signatures are shorter.
  • For practical reasons, the signer might be allowed some time after the passing of a time-period to publish an index signature in the archive and to perform revocation. This allows one to handle break-in at the very end of a time period. As a consequence, the signer should be allowed to put several index signatures in the public archive per time-period, the one with the lowest index being the one that counts. A signature with index i is then counted valid if no revocation happens, or if revocation happens, if i<j′−jΔ, where j′ is the index of the revocation signature.
  • III. Allowing s Signatures Per Time-Period
  • In the third example only one instantiation of the presented signature scheme is used. The index is bound to the time-periods by allowing exactly s signatures per time-period. The parameter s together with t0 and tΔ is published as part of the public key.
  • Thus in time period Ti the indices i·s, . . . , (i+1)·s−1 can be used to sign. To revoke a key, the signer sends the revocation signature, produced with the current index j′, to the TTP. The TTP verifies the signature and publishes it if the signature's index matches the current time period.
  • The signature with index j is considered valid if no revocation happened, or, in case a revocation signature with index j′ was published, if j belongs to an earlier time period than j′ or if j<j′−jΔ.
  • The rationale behind this third example is that the work of signing a message in the presented signature scheme is governed by updating the secret key. Thus one could calculate how many signatures one can possibly issue during a time period given the computational power one has, and then set s to this number. Then, one would constantly perform the secret key update, even if no message was signed. This approach would not change the response behavior of the system very much, but it does not use a public archive and the signatures are smaller than in the first example.
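The index arithmetic of examples II and III above (which time period an index belongs to, the TTP's acceptance check on a revocation signature, and the validity rule a verifier applies once a revocation index j′ has been published), as an added Python example that is not part of the patent. The function names and the constructed values used in the comments (s = 100, jΔ = 5, a one-hour tΔ) are assumptions made for illustration; the rules themselves follow the text of examples II and III.

```python
from typing import Optional

def period_of_time(t: float, t0: float, t_delta: float) -> int:
    """Index i of the time period T_i covering time t, with T_i running from
    t0 + i*t_delta to t0 + (i+1)*t_delta."""
    return int((t - t0) // t_delta)

def period_of_index(j: int, s: int) -> int:
    """Example III: time period T_i owns the indices i*s ... (i+1)*s - 1."""
    return j // s

def ttp_accepts_revocation_iii(j_rev: int, s: int, now: float, t0: float, t_delta: float) -> bool:
    """Example III TTP check: the revocation signature's index must lie in the
    current time period, otherwise it is not published."""
    return period_of_index(j_rev, s) == period_of_time(now, t0, t_delta)

def valid_iii(j: int, s: int, j_delta: int, j_rev: Optional[int]) -> bool:
    """Example III verifier rule for a signature with index j; j_rev is the smallest
    published revocation index, or None if no revocation happened. Signatures from an
    earlier period are always valid; in the revoked period only indices more than
    j_delta below j_rev count, the slack covering the signer's reaction time."""
    if j_rev is None:
        return True
    return period_of_index(j, s) < period_of_index(j_rev, s) or j < j_rev - j_delta

def ttp_accepts_revocation_ii(j_rev: int, j_archive: int, rev_period: int,
                              now: float, t0: float, t_delta: float) -> bool:
    """Example II TTP check: the claimed period must be current and j_rev must not be
    smaller than the index signature posted to the public archive for the previous period."""
    return period_of_time(now, t0, t_delta) == rev_period and j_rev >= j_archive

def valid_ii(i: int, j_delta: int, j_rev: Optional[int], j_archive: Optional[int]) -> bool:
    """Example II verifier rule: a signature with index i stays valid if it lies below
    the archived index of the previous period (i < j) or sufficiently below the
    revocation index (i < j_rev - j_delta)."""
    if j_rev is None:
        return True
    if j_archive is not None and i < j_archive:
        return True
    return i < j_rev - j_delta

def classify_iii(indices: list, s: int, j_delta: int, j_rev: int) -> dict:
    """Map each signature index to its validity after a revocation (example III)."""
    return {j: valid_iii(j, s, j_delta, j_rev) for j in indices}
```

With s = 100, jΔ = 5 and a revocation at index 250 (period 2), `classify_iii([199, 240, 245, 260], 100, 5, 250)` marks 199 (earlier period) and 240 (more than jΔ below 250) valid, and 245 and 260 invalid; the latter covers indices an adversary holding the exposed key could produce after the signer's last honest signature.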
  • Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.

Claims (22)

1. A method comprising providing a secret cryptographic key and a public cryptographic key applicable in a network of connected computer nodes using a signature scheme, the method being executable by a first computer node and the step of providing comprising the steps of:
generating the secret cryptographic key by
selecting two random factor values,
multiplying the two selected random factor values to obtain a modulus value, and
selecting a secret base value in dependence on the modulus value, wherein the secret base value forms part of the secret cryptographic key;
generating the public cryptographic key by
selecting a number of exponent values, and
deriving a public base value from the exponent values and the secret base value, wherein the public base value and the modulus value form part of the public cryptographic key;
deleting the two random factor values; and
providing the public cryptographic key within the network; such that the public cryptographic key and at least one of the selected exponent values is usable for verifying a signature value on a message to be sent within the network to a second computer node for verification.
2. The method according to claim 1, further comprising providing a description of the exponent values within the network.
3. The method according to claim 1, further comprising defining an order of the selected exponent values for enabling the validity of the signature value to be communicated in the event of a detected intrusion.
4. A method comprising providing a signature value on a message in a network of connected computer nodes, the method being executable by a first computer node and the step of providing comprising the steps of:
selecting a first signature element;
selecting a signature exponent value from a number of exponent values; and
deriving a second signature element from a provided secret cryptographic key, the message, and the number of exponent values such that the first signature element, the second signature element, and the signature exponent value satisfy a known relationship with the message and a provided public cryptographic key, wherein the signature value comprises the first signature element, the second signature element, and a signature reference to the signature exponent value,
the signature value being sendable within the network to a second computer node for verification.
5. The method according to claim 4, wherein the step of deriving a second signature element further comprises deriving a signature base value using a provided public cryptographic key, the provided secret cryptographic key, and the exponent values.
6. The method according to claim 4, further comprising deriving a new secret cryptographic key from the provided secret cryptographic key and the selected signature exponent value.
7. A method comprising verifying a signature value on a message in a network of connected computer nodes, the method being executable by a second computer node and the step of verifying comprising the steps of:
receiving the signature value from a first computer node;
deriving a signature exponent value from the signature value; and
verifying whether the signature exponent value and part of the signature value satisfy a known relationship with the message and a provided public cryptographic key, otherwise refusing the signature value,
wherein the signature value was generated from a first signature element, a number of exponent values, a provided secret cryptographic key, and the message.
8. A method comprising communicating within a network of connected computer nodes the validity of a signature value in the event of an exposure of a secret cryptographic key relating to the signature value, the step of communicating comprising the steps of:
defining an order of exponent values;
publishing a description of the exponent values and the order of the exponent values within the network;
publishing a revocation reference to one of the exponent values within the network such that the validity of the signature value is determinable by using the revocation reference, the order of exponent values, and a provided public cryptographic key.
9. The method according to claim 1, further comprising applying each of the exponent values to at most one signature value.
10. A computer program element comprising program code means for performing the method of claim 1 when said program is run on a computer.
11. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform the method according to claim 1.
12. A network device comprising:
a computer program product according to claim 11;
a processor for executing the method;
the processor having access to exchanged messages in the network.
13. The method according to claim 4, further comprising applying each of the exponent values to at most one signature value.
14. The method according to claim 7, further comprising applying each of the exponent values to at most one signature value.
15. The method according to claim 8, further comprising applying each of the exponent values to at most one signature value.
16. A computer program element comprising program code means for performing the method of claim 4, when said program is run on a computer.
17. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to claim 4.
18. A computer program element comprising program code means for performing the method of claim 7, when said program is run on a computer.
19. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to claim 7.
20. A computer program element comprising program code means for performing the method of claim 8, when said program is run on a computer.
21. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to claim 8.
22. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing functions of a network device, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 12.
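The following Python sketch is an example added to this page, not code from the patent or from the inventors. It follows the structure of claims 1, 4, 6, 7 and 8 and of the third example above: two factors form the modulus and are then discarded, the public bases are the secret bases raised to the product of an ordered list of exponents, each exponent e_j signs at most once, the secret key is raised to e_j after use (or when idle, as in the third example), and validity after an exposure is decided from a published index into the exponent order. The concrete relation y^e_j = u * h^H(m) (mod n), the second public base h with its own secret base b for binding the message, SHA-256 as H, and the tiny parameters are assumptions made for this illustration; the page does not state the patent's own signing formula.

```python
"""Toy fine-grained forward-secure signature scheme (strong-RSA style).

Illustrative code added for this page, not the patent's implementation.  It
follows claims 1, 4, 6, 7 and 8 plus the third example above.  ASSUMPTIONS:
the relation y^e_j = u * h^H(m) (mod n) with a second base h (secret base b)
for message binding, SHA-256 as H, and tiny demo-only parameters.
"""
import hashlib
import math
import random
from dataclasses import dataclass

# Constructed toy primes (Mersenne primes, ~150-bit modulus): demo size only.
_P = 2**61 - 1
_Q = 2**89 - 1

def _is_prime(x):
    """Trial division; fine for the ~20-bit toy exponents used here."""
    return x > 1 and all(x % d for d in range(2, math.isqrt(x) + 1))

def _next_prime(x):
    while not _is_prime(x):
        x += 1
    return x

def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

@dataclass(frozen=True)
class PublicKey:
    n: int
    u: int        # a^(e_1*...*e_T) mod n
    h: int        # b^(e_1*...*e_T) mod n, message-binding base (assumption)
    exps: tuple   # ordered exponents e_1..e_T; the order is published

@dataclass
class SecretKey:
    n: int
    j: int        # index of the next unused exponent
    a: int        # current secret base, a^(e_1*...*e_j) mod n
    b: int        # current message-binding secret base

def keygen(t, seed=1):
    """Claim 1: two factors -> n; secret bases; exponents; publish (n,u,h,exps)
    and drop the factors."""
    rng = random.Random(seed)
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    exps, e = [], 1_000_003
    while len(exps) < t:
        e = _next_prime(e)
        if math.gcd(e, phi) == 1:   # only checkable while factors are known
            exps.append(e)
        e += 1
    a = pow(rng.randrange(2, n), 2, n)   # random quadratic residues mod n
    b = pow(rng.randrange(2, n), 2, n)
    big_e = math.prod(exps)
    pk = PublicKey(n, pow(a, big_e, n), pow(b, big_e, n), tuple(exps))
    # p, q and phi are not kept: from here on roots mod n are obtainable
    # only by walking the exponent chain held in the secret key.
    return pk, SecretKey(n, 0, a, b)

def update(sk, pk):
    """Claim 6 / third example: sk <- sk^e_j, also when nothing is signed,
    so an exposed key never yields roots for earlier indices."""
    e = pk.exps[sk.j]
    sk.a, sk.b = pow(sk.a, e, sk.n), pow(sk.b, e, sk.n)
    sk.j += 1

def sign(sk, pk, msg):
    """Claim 4: return (y, j) with y the e_j-th root of u*h^H(m) mod n."""
    if sk.j >= len(pk.exps):
        raise ValueError("all exponents consumed; key exhausted")
    j = sk.j
    rest = math.prod(pk.exps[j + 1:])            # e_{j+1} * ... * e_T
    base = sk.a * pow(sk.b, _hash_to_int(msg), sk.n) % sk.n
    y = pow(base, rest, sk.n)
    update(sk, pk)                                # consume e_j at once
    return y, j

def verify(pk, msg, sig):
    """Claim 7: check y^e_j == u * h^H(m) (mod n) for the referenced e_j."""
    y, j = sig
    if not (0 <= j < len(pk.exps)) or not (0 < y < pk.n):
        return False
    rhs = pk.u * pow(pk.h, _hash_to_int(msg), pk.n) % pk.n
    return pow(y, pk.exps[j], pk.n) == rhs

def verify_with_revocation(pk, msg, sig, revoked_from):
    """Claim 8: signatures referencing the published revocation index or any
    later exponent are rejected; earlier ones stay valid."""
    return sig[1] < revoked_from and verify(pk, msg, sig)

def reuse_attempt(sk, pk, msg, j):
    """Naive forgery by whoever holds the current key (sk.j > j): rerunning
    the signing arithmetic for an earlier index no longer yields the e_j-th
    root, so verify() fails.  (The full argument is strong RSA.)"""
    rest = math.prod(pk.exps[j + 1:])
    base = sk.a * pow(sk.b, _hash_to_int(msg), sk.n) % sk.n
    return pow(base, rest, sk.n), j
```

The two checks a practitioner should carry over from this toy are the ones done in keygen while the factors still exist (each e_j coprime to phi(n), otherwise e_j-th roots are not unique) and the index test in verify_with_revocation (a revocation reference is an index into the published order, so verifiers need the same list in the same order). The modulus size, the prime search and the exponent sizes here are chosen for speed only; a deployment needs a safe-prime modulus of standard size and exponents sized per the scheme's security analysis.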

Application Number Priority Date Filing Date Title Status Publication
US10/522,472 2002-07-29 2003-07-07 Fine-grained forward-secure signature scheme Abandoned US20060233364A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/120,349 US8139767B2 (en) 2002-07-29 2008-05-14 Fine-grained forward-secure signature scheme

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP02405658 2002-07-29
EP02405658.2 2002-07-29
PCT/IB2003/003187 WO2004014020A1 (en) 2002-07-29 2003-07-07 Groups signature scheme

Publications (1)

Publication Number Publication Date
US20060233364A1 true US20060233364A1 (en) 2006-10-19

Family

ID=31198002

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/522,472 Abandoned US20060233364A1 (en) 2002-07-29 2003-07-07 Fine-grained forward-secure signature scheme
US12/120,349 Expired - Fee Related US8139767B2 (en) 2002-07-29 2008-05-14 Fine-grained forward-secure signature scheme

Country Status (9)

Country Link
US (2) US20060233364A1 (en)
EP (1) EP1540882B1 (en)
JP (1) JP4367938B2 (en)
KR (1) KR100745436B1 (en)
CN (1) CN1672358B (en)
AU (1) AU2003247053A1 (en)
CA (1) CA2494078C (en)
DE (1) DE60318073T2 (en)
WO (1) WO2004014020A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8848924B2 (en) * 2008-06-27 2014-09-30 University Of Washington Privacy-preserving location tracking for devices
US9078144B2 (en) * 2012-05-02 2015-07-07 Nokia Solutions And Networks Oy Signature enabler for multi-vendor SON coordination
US10326753B2 (en) 2016-06-23 2019-06-18 International Business Machines Corporation Authentication via revocable signatures
KR102101557B1 (en) * 2018-07-16 2020-04-16 한양대학교 산학협력단 Image authentication method and apparatus based on object detection
CN109743171B (en) * 2018-12-06 2022-04-12 广州博士信息技术研究院有限公司 Key series method for solving multi-party digital signature, timestamp and encryption
KR102283160B1 (en) 2019-06-27 2021-07-28 한양대학교 산학협력단 Forward secure identity-based signature method and apparatus
USD1012808S1 (en) * 2021-10-27 2024-01-30 Citic Dicastal Co., Ltd. Vehicle wheel

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4996711A (en) * 1989-06-21 1991-02-26 Chaum David L Selected-exponent signature systems
US5675649A (en) * 1995-11-30 1997-10-07 Electronic Data Systems Corporation Process for cryptographic key generation and safekeeping
US5850450A (en) * 1995-07-20 1998-12-15 Dallas Semiconductor Corporation Method and apparatus for encryption key creation
US20010010721A1 (en) * 2000-01-25 2001-08-02 Murata Kikai Kabushiki Kaisha And Masao Kasahara Common key generating method, common key generating apparatus, encryption method, cryptographic communication method and cryptographic communication system
US20010014153A1 (en) * 1997-10-14 2001-08-16 Johnson Donald B. Key validation scheme
US6304658B1 (en) * 1998-01-02 2001-10-16 Cryptography Research, Inc. Leak-resistant cryptographic method and apparatus
US20020012898A1 (en) * 2000-01-13 2002-01-31 Motti Shechter Firearm simulation and gaming system and method for operatively interconnecting a firearm peripheral to a computer system
US20030120931A1 (en) * 2001-12-20 2003-06-26 Hopkins Dale W. Group signature generation system using multiple primes
US20040017916A1 (en) * 2002-07-25 2004-01-29 Xerox Corporation Systems and methods for non-interactive session key distribution with revocation

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020013898A1 (en) * 1997-06-04 2002-01-31 Sudia Frank W. Method and apparatus for roaming use of cryptographic values
KR19990053065A (en) * 1997-12-23 1999-07-15 정선종 Digital Multiple Signature Method Based on Discrete Algebra Problem
JP3659791B2 (en) 1998-03-23 2005-06-15 インターナショナル・ビジネス・マシーンズ・コーポレーション Method and system for generating a small time key
KR100453113B1 (en) * 2002-08-12 2004-10-15 학교법인 한국정보통신학원 Method for producing and certificating id-based digital signature from decisional diffie-hellman groups
DE602004006373T2 (en) * 2004-03-02 2008-01-17 France Telecom Methods and apparatus for creating fair blind signatures
JP3936721B2 (en) * 2005-07-29 2007-06-27 株式会社日立コミュニケーションテクノロジー Optical access system, optical subscriber unit and optical concentrator

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170331814A1 (en) * 2004-10-20 2017-11-16 Intel Corporation Data security
US9654464B2 (en) * 2004-10-20 2017-05-16 Intel Corporation Data security
US20160021099A1 (en) * 2004-10-20 2016-01-21 Intel Corporation Data security
US9942219B2 (en) * 2004-10-20 2018-04-10 Intel Corporation Data security
CN102006166A (en) * 2010-11-11 2011-04-06 西安理工大学 Ring signature method for anonymizing information based on multivariate polynomial
CN102006165A (en) * 2010-11-11 2011-04-06 西安理工大学 Ring signature method for anonymizing information based on multivariate public key cryptography
CN102006167A (en) * 2010-11-11 2011-04-06 西安理工大学 Ring signature method for anonymizing information based on algebra
US20120233657A1 (en) * 2011-03-07 2012-09-13 Adtran, Inc., A Delaware Corporation Method And Apparatus For Network Access Control
US8763075B2 (en) * 2011-03-07 2014-06-24 Adtran, Inc. Method and apparatus for network access control
US8699715B1 (en) * 2012-03-27 2014-04-15 Emc Corporation On-demand proactive epoch control for cryptographic devices
US20170374063A1 (en) * 2014-12-16 2017-12-28 Giesecke & Devrient Gmbh Introducing an Identity into a Secure Element
US10637851B2 (en) * 2014-12-16 2020-04-28 Giesecke & Devrient Gmbh Introducing an identity into a secure element
KR101750208B1 (en) 2016-04-28 2017-07-03 한양대학교 산학협력단 Forward-secure digital signature method with optimal signing and Forward-secure digital signature generation apparatus using the same
CN112368974A (en) * 2018-05-08 2021-02-12 尤尼斯康通用身份控制股份有限公司 Method for securing data exchange in a distributed infrastructure

Also Published As

Publication number Publication date
CA2494078A1 (en) 2004-02-12
WO2004014020A8 (en) 2004-04-22
WO2004014020A1 (en) 2004-02-12
US20090316886A1 (en) 2009-12-24
EP1540882B1 (en) 2007-12-12
CN1672358B (en) 2010-07-14
DE60318073D1 (en) 2008-01-24
JP4367938B2 (en) 2009-11-18
EP1540882A1 (en) 2005-06-15
CN1672358A (en) 2005-09-21
AU2003247053A1 (en) 2004-02-23
US8139767B2 (en) 2012-03-20
CA2494078C (en) 2010-11-23
JP2005535206A (en) 2005-11-17
KR100745436B1 (en) 2007-08-02
KR20050032567A (en) 2005-04-07
DE60318073T2 (en) 2008-12-11

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CAMENISCH, JAN;KOPROWSKI, MACIEJ;REEL/FRAME:017256/0729;SIGNING DATES FROM 20051201 TO 20051229

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION