JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 27, 1435-1448 (2011)

New Forward-Secure Signature Scheme with Untrusted Update*

JIA YU1, FAN-YU KONG2,3, XIANG-GUO CHENG1, RONG HAO1 AND JIAN-XI FAN4

1 College of Information Engineering, Qingdao University, Qingdao, 266071 P.R. China
2 Institute of Network Security, Shandong University, Jinan, 250100 P.R. China
3 Key Lab of Cryptographic Technology and Information Security, Ministry of Education, Jinan, 250100 P.R. China
4 School of Computer Science and Technology, Soochow University, Suzhou, 215006 P.R. China

Forward-secure signatures can be used to limit the damage of secret key exposure for digital signatures. In a forward-secure signature scheme, the exposure of the current secret key does not affect the security of signatures generated in previous periods. In order to integrate this primitive into standard security architectures, Boyen et al. presented a forward-secure signature scheme with untrusted update in the standard model. In this study, we propose another forward-secure signature scheme with untrusted update in the random oracle model. Compared with Boyen's scheme, this scheme has a shorter public key and secret key, and more efficient key generation, update, encrypted key verifying and signing algorithms. Finally, we prove that the scheme is update secure and forward secure under the CDH assumption in the random oracle model.

Keywords: digital signature, forward security, bilinear pairings, random oracles, provable security

1. INTRODUCTION

Exposure of secret keys seriously threatens the security of digital signatures. The problem of limiting the damage of secret key exposure for digital signatures has attracted much attention from researchers. Forward-secure signatures were proposed to reduce the damage of secret key exposure. In this primitive, the whole lifetime of the signature scheme is divided into multiple regular intervals called time periods. In each interval, a new secret key is derived from the old one by a one-way function, and then the old secret key is destroyed. Each signature is associated with one time period, and verification also checks whether the time period is valid. In this manner, when a user's secret key is compromised, the adversary cannot forge signatures for past time periods.

In an invited talk, Anderson [1] first proposed applying forward security to digital signatures. Bellare and Miner [2] proposed practical schemes and formalized forward-secure signatures and their security. Abdalla and Reyzin [3] further improved the work of [2] to shorten the public key and the secret key. The scheme of Itkis and Reyzin [4], which is based on Guillou-Quisquater signatures [5], achieves optimal signing and verifying at the expense of slower key updates. Other concrete forward-secure signature schemes [6, 7] have been proposed, and generic methods for constructing forward-secure signatures were proposed in [8, 9]. Meanwhile, forward security has also been considered for many kinds of signature schemes [10-12]. Key-insulated signature schemes [13, 14] and intrusion-resilient signature schemes [15, 16] can achieve a higher level of security. However, one weakness of these schemes is that they require an additional device to communicate with the signer, which makes them inapplicable in many scenarios.

Boyen et al. introduced the concept of forward-secure signatures with untrusted update and proposed the first concrete scheme in [17]. In their scheme, the signing key is additionally protected by a second factor. In practice the second factor is a password provided by the user, which is used to encrypt the signing key. The key update procedure can be completed on the encrypted version of the signing key; therefore, the password only comes into play when signing messages. They left open the problem of adding untrusted update to other existing forward-secure signature schemes. Subsequently, Libert et al. [18] gave generic constructions of forward-secure signatures in untrusted update environments by extending the MMM construction [9]. However, their method is not aimed at designing a concrete scheme and has significant limitations, because it needs two signatures and incurs a lot of additional expense during setup and key generation. Therefore, how to construct more efficient concrete forward-secure signature schemes with untrusted update is worth researching.

Received July 31, 2009; revised July 29 & November 3, 2010; accepted January 6, 2011.
Communicated by Wen-Guey Tzeng.
* This paper was supported by National Natural Science Foundation of China (60703089, 60873047), the Science and Technology Project of Provincial Education Department of Shandong (J08LJ02), the Shandong Province Natural Science Foundation of China (ZR2010FQ019, ZR2009GQ008, ZR2010FQ015), and sponsored by Qing Lan Project.
Our contribution. In this paper, we construct another forward-secure signature scheme with untrusted update. This scheme is based on a binary tree structure to evolve and store secret keys for different time periods. As a result, all the performance complexities are at most O(logT) in terms of the total number of time periods T. Compared with Boyen's scheme [17], our scheme achieves faster key generation, key update and key check algorithms and a similarly efficient verifying algorithm in terms of T. Concretely, our scheme has only O(1) cost in the key generation algorithm and the key update algorithm, whereas Boyen's scheme has O(log²T) cost in both algorithms. Our encrypted key verifying algorithm can be completed in O(logT) time, beating the O(log²T) of Boyen's scheme. In addition, the public key and the secret key are much shorter than in Boyen's scheme. The only drawback of our scheme is that its signature is longer than that of Boyen's scheme. However, the signature size in our scheme is nearly the same as in Boyen's scheme once the verifier has received a signature from the same signer in one time period. Our scheme is proven update secure and forward secure under the CDH assumption. This assumption seems more natural and appealing than the hardness assumption in Boyen's scheme. However, our scheme is secure in the random oracle model, while Boyen's scheme is secure without random oracles. Generally speaking, schemes secure in the random oracle model are more efficient than schemes secure in the standard model. Therefore, our scheme may be preferred for applications where efficiency is the primary concern.


We design our scheme in a way similar to Kang's scheme [6]. However, our scheme and Kang's scheme focus on different goals. Kang's scheme is only a regular forward-secure signature scheme, whereas ours focuses on the untrusted update property. The main difference between the two schemes is whether the signing key is additionally protected by a second factor derived from a password, and whether the key update procedure can be completed on the encrypted version of the signing key. In our scheme, the signing key is additionally protected by a second factor named DecK. An adversary with access to the private storage cannot forge a valid signature. The user can unblind the keys to recover the real secret keys when she signs a message. Unlike Kang's scheme, our scheme makes an adversary unable to use the encrypted key to forge signatures for past, current and future periods.

2. PRELIMINARIES

2.1 Cryptographic Definitions

Definition 1 (Bilinear Pairing) Let $G_1$ and $G_2$ be two multiplicative groups with the same prime order $q$. We say a map $\hat{e}: G_1 \times G_1 \to G_2$ is a bilinear pairing if the following properties are satisfied:
1. Bilinear: For all $g_1, g_2 \in G_1$ and $a, b \in \mathbb{Z}$, $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for any $g_1, g_2 \in G_1$.

Definition 2 (CDH problem) Given $g^a$ and $g^b$, where $g \in G_1$ and $a, b$ are randomly chosen from $\mathbb{Z}_q^*$, compute $g^{ab}$.

Definition 3 (CDH assumption) A probabilistic algorithm $A$ is said to $(t, \varepsilon)$-break the CDH problem in $G_1$ if $A$ runs in time at most $t$ and solves the CDH problem with advantage at least $\varepsilon$. We say that $G_1$ is a $(t, \varepsilon)$-secure CDH group if no probabilistic algorithm $A$ $(t, \varepsilon)$-breaks the CDH problem in $G_1$.

2.2 Forward-Secure Signature Scheme with Untrusted Update

Definition 4 (Forward-secure signature scheme with untrusted update) A forward-secure signature scheme with untrusted update is composed of five algorithms FSIG = (FSIG.key, FSIG.checkKey, FSIG.update, FSIG.sign, FSIG.verify), where:

1. FSIG.key: the key generation algorithm takes as input a security parameter $k \in \mathbb{N}$ and the total number of time periods $T$, and generates a public key PK, an encrypted signing key $\mathrm{EncSK}_0$, and a second factor decryption key DecK.
2. FSIG.checkKey: the encrypted key verifying algorithm takes as input an encrypted key $\mathrm{EncSK}_j$ of period $j$, and outputs "valid" if it is well formed or "invalid" otherwise.
3. FSIG.update: the key update algorithm takes as input an encrypted secret key $\mathrm{EncSK}_j$ of period $j$, and generates a new encrypted secret key $\mathrm{EncSK}_{j+1}$ for the next period. This algorithm does not require the decryption key DecK.


4. FSIG.sign: the signing algorithm takes as input an encrypted secret key $\mathrm{EncSK}_j$ of period $j$, a second factor decryption key DecK, and a message $M$, and generates a signature of $M$ for period $j$.
5. FSIG.verify: the verifying algorithm takes as input the public key PK, a message $M$ and a candidate signature, and outputs 1 if the signature is valid or 0 otherwise.

2.3 Security Model

(1) Update Security
This game describes the notion of security against an adversary who gets the encrypted signing key but not the second factor decryption key. The game is played between an adversary and a challenger, and proceeds in the following phases:
(i) Key generation phase: The challenger executes the key generation algorithm to produce the public key PK and an initial encrypted signing key EncSK, and provides these to the adversary.
(ii) Signature query phase: The adversary can query the signature of any message she selects for the current time period, provided she supplies a well-formed EncSK; the challenger may return the error symbol ⊥ when she supplies a badly formed EncSK. The adversary can repeatedly make signature queries in the current time period and can also choose to move to the next time period for further signature queries. Once the adversary moves to a new time period, she cannot return to previous time periods.
(iii) Forgery phase: At some point, the adversary chooses to move to the forgery phase, in which she outputs a forgery for a message $M^*$ at time period $i^*$. If the forgery is valid and the adversary has not queried a signature on $M^*$ at time period $i^*$, the adversary is successful.

(2) Forward Security
This security game follows the security model of regular forward-secure signatures. The adversary knows the total number of time periods and the current time period.
(i) Key generation phase: The challenger executes the key generation algorithm to produce the public key PK and a second factor decryption key DecK, and provides these to the adversary.
(ii) Chosen message attack (CMA) phase: In this phase, the adversary has access to a signature oracle to query the signature of any message she selects with respect to the current secret key. At the end of each time period, the adversary can choose to stay in this phase or go to the next phase.
(iii) Break-in phase: In this phase, the adversary is given the encrypted secret key $\mathrm{EncSK}_{i^*}$ for a specific time period $i^*$ at which she decides to break in.
(iv) Forgery phase: In this phase, the adversary needs to output a forgery. The adversary is considered successful if she forges a signature on some new message (that is, one not queried previously) for some time period prior to $i^*$.

3. THE PROPOSED SCHEME

In this scheme, we use a binary tree structure similar to CHK [19], which is a variant of the tree structure used in the HIBE scheme in [20]. To obtain the untrusted update property, we blind the secret keys by a second factor and directly update the blinded secret keys with the update algorithm. Since the secret keys are blinded by a second factor, an adversary with access to the private storage cannot forge a valid signature. The user can unblind the keys to recover the real secret keys using her password when she signs a message.

3.1 Notations

We use a full binary tree of depth $l$, so the total number of time periods is $T = 2^{l+1} - 1$. Each node is associated with one time period by a pre-order traversal of the binary tree in chronological order. Let $w_0 = \varepsilon$, where $\varepsilon$ denotes the empty string, and let $w_j$ denote the node associated with period $j$. Let $w_j0$ ($w_j1$) be the left (right) child node of $w_j$, and $w_j|k$ the $k$-bit prefix of $w_j$. The encrypted secret key $\mathrm{EncSK}_j$ of period $j$ is a set composed of the encrypted node secret $\mathrm{EncS}_{w_j}$, which is used to sign messages, and the encrypted secrets of the right siblings of the nodes on the path from the root to $w_j$, which are used to derive the following encrypted node secrets. That is, whenever $w'0$ is a prefix of $w_j$, $\mathrm{EncSK}_j$ contains the encrypted node secret $\mathrm{EncS}_{w'1}$ of node $w'1$. $\mathrm{EncSK}_j$ is organized as a stack of encrypted node secrets with $\mathrm{EncS}_{w_j}$ on top. To update the secret key, pop the current encrypted node secret $\mathrm{EncS}_{w_j}$ off the stack, then proceed as follows:
1. If $w_j$ is an internal node, generate $\mathrm{EncS}_{w_j0}$ and $\mathrm{EncS}_{w_j1}$, then push $\mathrm{EncS}_{w_j1}$ and $\mathrm{EncS}_{w_j0}$ onto the stack in that order. The new top is $\mathrm{EncS}_{w_j0}$, and indeed $w_{j+1} = w_j0$. Finally, erase $\mathrm{EncS}_{w_j}$.
2. If $w_j$ is a leaf, erase $\mathrm{EncS}_{w_j}$. The next element on top of the stack is $\mathrm{EncS}_{w_{j+1}}$.
The following figure shows how the secret keys are updated (in time periods 0, 1, 2, 3, 4, 5 for $l = 3$) in our scheme.

Fig. 1. How to update keys in our scheme (l = 3).


3.2 Description of Our Scheme

(1) FSIG.key: Input a security parameter $k$ and the total number of time periods $T$. Then
(i) Run a CDH parameter generator $IG(1^k)$ to generate groups $G_1$, $G_2$ and $\hat{e}: G_1 \times G_1 \to G_2$. Select a generator $g \in G_1$ and a secret $\rho_\varepsilon \in \mathbb{Z}_q^*$ at random, and set $R = g^{\rho_\varepsilon}$. Select $\mu \in \mathbb{Z}_q^*$ at random, and set $V = g^\mu$. Choose cryptographic hash functions $H_1: \{0,1\}^* \times G_1 \to G_1$, $H_2: \{0,1\}^* \times \{0,1\}^* \times G_1 \to G_1$, and $H_3: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$.
(ii) The public key is $PK = (G_1, G_2, \hat{e}, g, R, V, T, H_1, H_2, H_3)$. Compute $SN_\varepsilon = H_1(\varepsilon, R)^{\rho_\varepsilon + \mu}$. The second factor decryption key is $DecK = H_1(\varepsilon, R)^{-\mu}$. The encrypted root node secret key is $\mathrm{EncS}_\varepsilon = (SN_\varepsilon)$. Set the initial encrypted secret key $\mathrm{EncSK}_0 = (\mathrm{EncS}_\varepsilon)$.

(2) FSIG.checkKey: To verify whether the encrypted key $\mathrm{EncSK}_j$ is valid, proceed as follows:
(i) Parse the elements in the stack $\mathrm{EncSK}_j$ as $\{\mathrm{EncS}_{w_j},\ \{\mathrm{EncS}_{w_j|1\, w_j|2 \cdots w_j|k-1\, 1}\}_{w_j|k = 0,\ k \le n}\}$, where $n$ is the depth of the node corresponding to period $j$.
(ii) For convenience, denote the elements in $\mathrm{EncSK}_j$ in the uniform form $\mathrm{EncS}_w = (R_{w|1}, R_{w|2}, \dots, R_{w|n'-1}, R_w, SN_w)$. Let $h_{w|m} = H_3(w|m, R_{w|m})$, where $1 \le m \le n'$ and $n'$ is the bit length of $w$. Verify
$$\hat{e}(g, SN_w) = \hat{e}\Big(R \cdot V \cdot \prod_{m=1}^{n'} R_{w|m}^{h_{w|m}},\ H_1(\varepsilon, R)\Big).$$
If the equations hold for all elements in the stack $\mathrm{EncSK}_j$, output "valid"; otherwise output "invalid".

(3) FSIG.update: Input the public key PK, the current time period $j$ and an encrypted secret key $\mathrm{EncSK}_j$. As mentioned above, $\mathrm{EncSK}_j$ consists of $\mathrm{EncS}_{w_j}$ and the secret keys corresponding to the right siblings of the nodes on the path from the root to $w_j$. Organize $\mathrm{EncSK}_j$ as a stack with $\mathrm{EncS}_{w_j}$ on top. First, pop the node secret key $\mathrm{EncS}_{w_j}$ off the stack. Then proceed as follows:
(i) If $w_j$ is an internal node, then select $\rho_{w_j0}, \rho_{w_j1} \in \mathbb{Z}_q^*$ at random, and compute $R_{w_j0} = g^{\rho_{w_j0}}$, $R_{w_j1} = g^{\rho_{w_j1}}$, $SN_{w_j0} = SN_{w_j} \cdot H_1(\varepsilon, R)^{\rho_{w_j0} h_{w_j0}}$, and $SN_{w_j1} = SN_{w_j} \cdot H_1(\varepsilon, R)^{\rho_{w_j1} h_{w_j1}}$, where $h_{w_j0} = H_3(w_j0, R_{w_j0})$ and $h_{w_j1} = H_3(w_j1, R_{w_j1})$. Push $\mathrm{EncS}_{w_j1} = (R_{w_j|1}, R_{w_j|2}, \dots, R_{w_j|n-1}, R_{w_j}, R_{w_j1}, SN_{w_j1})$ and $\mathrm{EncS}_{w_j0} = (R_{w_j|1}, R_{w_j|2}, \dots, R_{w_j|n-1}, R_{w_j}, R_{w_j0}, SN_{w_j0})$ onto the stack in that order, and erase $\mathrm{EncS}_{w_j}$ (the new top is $\mathrm{EncS}_{w_j0}$ and $w_{j+1} = w_j0$ here).
(ii) If $w_j$ is a leaf, then erase $\mathrm{EncS}_{w_j}$ directly (the new top is $\mathrm{EncS}_{w_{j+1}}$ here).

(4) FSIG.sign: Input a message $M$, the current time period $j$, an encrypted secret key $\mathrm{EncSK}_j$ and a second factor decryption key DecK.
(i) The signer reads the top element $\mathrm{EncS}_w = (R_{w|1}, R_{w|2}, \dots, R_{w|n-1}, R_w, SN_w)$. She selects $r \in \mathbb{Z}_q^*$ at random, and computes $U = g^r$ and $FS = SN_w \cdot H_2(M, j, U)^r \cdot DecK$.
(ii) The signer outputs the signature $(U, FS)$ together with $R_{w|m}$, $1 \le m \le n$.

(5) FSIG.verify: Input a signature $(U, FS)$ and $R_{w|m}$, $1 \le m \le n$, in period $j$ for a message $M$. The verifier confirms that
$$\hat{e}(g, FS) = \hat{e}\Big(R \cdot \prod_{m=1}^{n} R_{w|m}^{h_{w|m}},\ H_1(\varepsilon, R)\Big) \cdot \hat{e}(U, H_2(M, j, U)).$$
If the equation holds, return 1; otherwise return 0.
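To make the stack bookkeeping of Section 3.1 and the five algorithms of Section 3.2 concrete, the following Python model was written for this edit; it is not code from the paper or its authors. It replaces the bilinear pairing by a deliberately insecure toy setting (a constructed assumption): $G_1$ and $G_2$ are both the additive group $\mathbb{Z}_Q$ for a fixed prime $Q$, a group element $g^x$ is stored as its exponent $x$, and $\hat{e}(g^x, g^y) = xy \bmod Q$, which is bilinear and non-degenerate but makes CDH trivial. $H_1$, $H_2$, $H_3$ are SHA-256 reduced into the required ranges. The stack layout, the pre-order numbering of periods, FSIG.key/checkKey/update/sign/verify, and the fact that update and checkKey never touch DecK follow the paper; `node_of_period`, `demo` and the dictionary field names are this example's own.

```python
import hashlib
import secrets

# Toy bilinear setting, constructed for this example and NOT secure: G1 and G2 are
# both the additive group Z_Q, g^x is stored as its exponent x, the group operation
# is addition, exponentiation is multiplication, and e(g^x, g^y) = x*y is bilinear
# and non-degenerate. CDH is trivial here; the model only exercises the algebra.
Q = 2**61 - 1                                           # prime group order q

def rand(): return secrets.randbelow(Q - 1) + 1         # element of Z_q^*
def mul(a, b): return (a + b) % Q                       # g^a * g^b (and G2 product)
def pw(a, k): return (a * k) % Q                        # (g^a)^k
def pair(a, b): return (a * b) % Q                      # e(g^a, g^b)

def H(tag, *parts):                                     # SHA-256 with a domain tag
    data = "|".join([tag] + [str(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(w, R): return H("H1", w, R) % Q                  # {0,1}* x G1 -> G1
def H2(M, j, U): return H("H2", M, j, U) % Q            # {0,1}* x {0,1}* x G1 -> G1
def H3(w, Rw): return H("H3", w, Rw) % (Q - 1) + 1      # {0,1}* x G1 -> Z_q^*

def node_of_period(j, depth):
    """Label w_j of the node visited j-th in pre-order (root = period 0)."""
    w, d = "", depth
    while j > 0:
        j, left = j - 1, 2**d - 1                       # enter subtree; left subtree size
        if j < left: w += "0"
        else: w, j = w + "1", j - left
        d -= 1
    return w

def keygen(depth):
    """FSIG.key: returns PK, the initial blinded stack EncSK0 and DecK."""
    rho_eps, mu = rand(), rand()
    R, V = rho_eps % Q, mu % Q                          # R = g^rho_eps, V = g^mu
    I_eps = H1("", R)                                   # H1(epsilon, R)
    PK = {"R": R, "V": V, "depth": depth, "T": 2**(depth + 1) - 1}
    EncSK0 = [{"w": "", "R": [], "SN": pw(I_eps, rho_eps + mu)}]  # stack, top = last
    return PK, EncSK0, pw(I_eps, -mu)                   # DecK = H1(epsilon, R)^(-mu)

def update(PK, EncSK):
    """FSIG.update: evolve the blinded stack in place; DecK is never needed."""
    top = EncSK.pop()
    if len(top["w"]) < PK["depth"]:                     # internal node: derive children
        I_eps, kids = H1("", PK["R"]), []
        for bit in "01":
            rho = rand()                                # R_child = g^rho is just rho here
            h = H3(top["w"] + bit, rho)
            kids.append({"w": top["w"] + bit, "R": top["R"] + [rho],
                         "SN": mul(top["SN"], pw(I_eps, rho * h))})
        EncSK += [kids[1], kids[0]]                     # push w1 then w0: w0 on top
    return EncSK

def check_key(PK, EncSK):
    """FSIG.checkKey: pairing test on every stack element, no DecK needed."""
    I_eps = H1("", PK["R"])
    for node in EncSK:
        acc = mul(PK["R"], PK["V"])                     # R * V * prod R_{w|m}^{h_{w|m}}
        for m, R_m in enumerate(node["R"], 1):
            acc = mul(acc, pw(R_m, H3(node["w"][:m], R_m)))
        if pair(1, node["SN"]) != pair(acc, I_eps):    # e(g, SN_w) = e(acc, H1(eps, R))?
            return "invalid"
    return "valid"

def sign(PK, EncSK, DecK, M, j):
    node, r = EncSK[-1], rand()                         # top of the stack is EncS_{w_j}
    U = r % Q                                           # U = g^r
    FS = mul(mul(node["SN"], pw(H2(M, j, U), r)), DecK) # DecK strips the blinding mu
    return {"j": j, "U": U, "FS": FS, "R": list(node["R"])}  # R_{w|m} sent alongside

def verify(PK, M, sig):
    """FSIG.verify: 1 if e(g, FS) = e(R prod R^h, H1) * e(U, H2(M, j, U)), else 0."""
    w = node_of_period(sig["j"], PK["depth"])
    if len(sig["R"]) != len(w): return 0
    acc = PK["R"]
    for m, R_m in enumerate(sig["R"], 1):
        acc = mul(acc, pw(R_m, H3(w[:m], R_m)))
    rhs = mul(pair(acc, H1("", PK["R"])), pair(sig["U"], H2(M, sig["j"], sig["U"])))
    return 1 if pair(1, sig["FS"]) == rhs else 0

def demo(depth=3):
    """Walk all T periods and report the properties the paper claims."""
    PK, EncSK, DecK = keygen(depth)
    bad = [dict(EncSK[0], SN=mul(EncSK[0]["SN"], 1))]  # tampered root secret
    out = {"tamper": check_key(PK, bad), "order": True, "valid": True, "ok": True,
           "wrong_msg": 0, "no_deck": 0}
    for j in range(PK["T"]):
        M = "msg %d" % j
        out["order"] &= EncSK[-1]["w"] == node_of_period(j, depth)
        out["valid"] &= check_key(PK, EncSK) == "valid"
        sig = sign(PK, EncSK, DecK, M, j)
        out["ok"] &= verify(PK, M, sig) == 1
        out["wrong_msg"] |= verify(PK, "other", sig)
        out["no_deck"] |= verify(PK, M, sign(PK, EncSK, 0, M, j))  # signer lacks DecK
        update(PK, EncSK)
    out["empty"] = len(EncSK) == 0
    return out
```

`demo(3)` walks all $T = 15$ periods of the depth-3 tree and returns the checks a practitioner would want: the top of the stack is $w_j$ at every period and the stack is empty after the last leaf, checkKey accepts every honest stack and rejects a tampered root secret without needing DecK, honest signatures verify, a signature replayed on another message fails, and a signature produced from the blinded key with the identity in place of DecK fails because the factor $H_1(\varepsilon, R)^{\mu}$ is never removed.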


4. PERFORMANCE COMPARISONS

The complexity analysis is given in terms of the total number of time periods T. We compare the full performance with Boyen's scheme [17] in Table 1. Our scheme achieves better efficiency in the key generation algorithm, key update algorithm, encrypted key verifying algorithm and signing algorithm, and a shorter public key and secret key, than Boyen's scheme without precomputation. The only drawback is that our scheme has a relatively larger signature than Boyen's scheme. The signature in our scheme contains the verifying values $R_{w|m}$ ($1 \le m \le n$), which increases our signature size to O(logT) bits. However, in our scheme the signer can omit $R_{w|m}$ ($1 \le m \le n$) and send only the rest of the signature when the verifier has already received other signatures from this signer in the same time period. In that case, our signature size is nearly the same as in Boyen's scheme. In addition, considering all time periods, the key update algorithm of Boyen's scheme has amortized O(logT) time. If precomputation is used, the complexity of the signing algorithm and the verifying algorithm can be reduced to O(1) in Boyen's scheme. Therefore, Boyen's scheme has lower verifying complexity than ours if precomputation is used. However, a verifier does not need to recompute $\hat{e}(R \cdot \prod_{m=1}^{n} R_{w|m}^{h_{w|m}}, H_1(\varepsilon, R))$ once she has verified a valid signature from the same signer in the same time period. In that case, our scheme also achieves O(1) verifying time.

Table 1. Efficiency comparisons (in terms of the total number of time periods T).

Scheme                                  Key Gen time  Key Upd time  Key Verifying time  Signing time  Verifying time  PK size (bits)  SK size (bits)  Signature size (bits)
Our scheme                              O(1)          O(1)          O(logT)             O(1)          O(logT)         O(1)            O(logT)         O(logT)
Boyen's scheme without precomputation   O(log²T)      O(logT)       O(log²T)            O(logT)       O(logT)         O(logT)         O(log²T)        O(1)
Boyen's scheme with precomputation      O(log²T)      O(logT)       O(log²T)            O(1)          O(1)            O(logT)         O(log²T)        O(1)

5. SECURITY ANALYSIS

Theorem 1 Let $PK = (G_1, G_2, \hat{e}, g, R, V, T, H_1, H_2, H_3)$ be the public key, $\mathrm{EncSK}_0 = (\mathrm{EncS}_\varepsilon)$ the initial encrypted secret key, and $DecK = H_1(\varepsilon, R)^{-\mu}$ the second factor decryption key generated by FSIG.key; let the secret key be updated by FSIG.update; and let $(U, FS)$ together with $R_{w|m}$ ($m = 1, \dots, n$) be a signature generated by FSIG.sign on input a message $M$ for period $j$. Then FSIG.verify outputs 1 on this signature.

Proof:
$$\begin{aligned}
\hat{e}(g, FS) &= \hat{e}\big(g,\ SN_w \cdot H_2(M, j, U)^r \cdot DecK\big)\\
&= \hat{e}\Big(g,\ SN_\varepsilon \cdot \prod_{m=1}^{n} H_1(\varepsilon, R)^{h_{w|m}\rho_{w|m}} \cdot DecK\Big) \cdot \hat{e}\big(g,\ H_2(M, j, U)^r\big)\\
&= \hat{e}\Big(g,\ H_1(\varepsilon, R)^{\rho_\varepsilon + \mu} \cdot \prod_{m=1}^{n} H_1(\varepsilon, R)^{h_{w|m}\rho_{w|m}} \cdot H_1(\varepsilon, R)^{-\mu}\Big) \cdot \hat{e}\big(g,\ H_2(M, j, U)^r\big)\\
&= \hat{e}\Big(g,\ H_1(\varepsilon, R)^{\rho_\varepsilon} \cdot \prod_{m=1}^{n} H_1(\varepsilon, R)^{h_{w|m}\rho_{w|m}}\Big) \cdot \hat{e}\big(U,\ H_2(M, j, U)\big)\\
&= \hat{e}\Big(g^{\rho_\varepsilon + \sum_{m=1}^{n} h_{w|m}\rho_{w|m}},\ H_1(\varepsilon, R)\Big) \cdot \hat{e}\big(U,\ H_2(M, j, U)\big)\\
&= \hat{e}\Big(R \cdot \prod_{m=1}^{n} R_{w|m}^{h_{w|m}},\ H_1(\varepsilon, R)\Big) \cdot \hat{e}\big(U,\ H_2(M, j, U)\big).
\end{aligned}$$
□

Theorem 2 Let $F$ be an adversary that produces an existential forgery against our scheme in the update security attack model. Assume that $F$ makes at most $q_S$ signing queries and $q_{H_2}$ $H_2$ hash queries. Then there exists an algorithm $I$ that solves the CDH problem in $G_1$ in time $t = t' + O(T\log T)\,t_{G_1}$ with success probability
$$\varepsilon = \frac{2(q-1) - q_S(2q_{H_2} - q_S - 1)}{2(q-1)}\,\varepsilon'$$
($t_{G_1}$ denotes the maximum running time of an operation in $G_1$).

Proof: We view $H_2$ and $H_3$ as random oracles in the proof. First, the algorithm $I$ is given parameters $(G_1, G_2, \hat{e})$ generated by $IG(1^k)$ and a challenge $(g,\ g^\alpha = R,\ H_1(\varepsilon, R) = g^\beta = I_\varepsilon)$, and the goal of $I$ is to compute $g^{\alpha\beta}$, where $\alpha = \rho_\varepsilon$ and $\beta \in_R \mathbb{Z}_q^*$ are unknown to $I$. $I$ randomly selects $\delta \in \mathbb{Z}_q^*$ and computes $SN_\varepsilon = H_1(\varepsilon, R)^\delta$ and $V = g^\delta \cdot R^{-1}$ (so that $\rho_\varepsilon + \mu = \delta$). $I$ selects the total number of time periods $T$. $I$ provides $PK = (G_1, G_2, \hat{e}, g, R, V, T)$ and the initial encrypted signing key $\mathrm{EncSK}_0 = (SN_\varepsilon)$ to $F$, and runs $F$ as a subroutine.

The simulation of $H_2$ queries: When $F$ queries the oracle $H_2$ at a point $(M, j, U)$, $I$ does as follows:
1. If $(M, j, U)$ already appears in a tuple of the $H_2$ table, then $I$ responds $H_2(M, j, U) = h \in G_1$ to $F$.
2. Otherwise, $I$ selects $\gamma \in_R \mathbb{Z}_q^*$, sets $h = g^\gamma$, and adds $(M, j, U, h, \gamma)$ to the $H_2$ table. $I$ responds $H_2(M, j, U) = h \in G_1$ to $F$.

The simulation of $H_3$ queries: When $F$ queries the oracle $H_3$ at a point $(w, R_w)$, $I$ does as follows:
1. If $(w, R_w)$ already appears in a tuple of the $H_3$ table, then $I$ responds $H_3(w, R_w) = h_w$ to $F$.
2. Otherwise, $I$ selects $h_w \in_R \mathbb{Z}_q^*$ and adds $(w, R_w, h_w)$ to the $H_3$ table. $I$ responds $H_3(w, R_w) = h_w$ to $F$.

$F$ may query the signature of a message $M$ she selects in period $j$. Let $w_j = w_1 \cdots w_t$ denote the node corresponding to period $j$. $F$ first needs to provide the encrypted signing key $\mathrm{EncSK}_j$. $I$ parses each element $\mathrm{EncS}_w$ in $\mathrm{EncSK}_j$ as $\mathrm{EncS}_w = (R_{w|1}, R_{w|2}, \dots, R_{w|n'-1}, R_w, SN_w)$. As specified in the actual scheme, for each element $\mathrm{EncS}_w$, $I$ verifies
$$\hat{e}(g, SN_w) = \hat{e}\Big(R \cdot V \cdot \prod_{m=1}^{n'} R_{w|m}^{h_{w|m}},\ H_1(\varepsilon, R)\Big).$$
If the test fails, $I$ responds with ⊥. If the test passes, then $\mathrm{EncSK}_j$ is valid and $I$ needs to provide a signature. Because $\mathrm{EncSK}_j$ cannot be decrypted, $I$ needs to produce the signature from scratch. We notice that the signature is independent of $\mathrm{EncSK}_j$. Thus $I$ does as follows.

The simulation of signature oracle queries: When $F$ queries the signature oracle at a point $(M, j)$, $I$ does as follows:
1. $I$ selects $\gamma, \varphi \in_R \mathbb{Z}_q^*$, and sets $h = g^\gamma \cdot I_\varepsilon^{-1/\varphi}$ and $U = R^\varphi$ (so that $r = \varphi\alpha$). If $H_2(M, j, U)$ already appears in the $H_2$ table, then $I$ aborts.
2. $I$ adds $(M, j, U, h, \gamma, \varphi)$ to the $H_2$ table.
3. $I$ randomly selects $\rho_{w_j|m} \in \mathbb{Z}_q^*$ ($m = 1, \dots, t$) if $\rho_{w_j|m}$ has not yet been defined, sets $R_{w_j|m} = g^{\rho_{w_j|m}}$, and queries the $H_3$ oracle on $(w_j|m, R_{w_j|m})$ to obtain $h_{w_j|m}$. Finally, she computes
$$FS = \prod_{m=1}^{t} I_\varepsilon^{\rho_{w_j|m} h_{w_j|m}} \cdot R^{\varphi\gamma}.$$
4. $I$ responds $(U, FS)$ to $F$.

Forgery and Reduction: After making signature queries, $F$ outputs an existential forgery for $M$ in period $j$. $F$ first needs to query the $H_2$ oracle to get $H_2(M, j, U = g^r)$. If $F$ can forge a valid signature $(U, FS)$, then
$$FS = I_\varepsilon^{\alpha} \cdot \prod_{m=1}^{n} I_\varepsilon^{\rho_{w_j|m} h_{w_j|m}} \cdot H_2(M, j, U)^r.$$
$I$ can easily get all $\rho_{w_j|m}, h_{w_j|m}$ ($m = 1, \dots, n$) in the above equation by the same simulation. Since $F$ has queried $H_2(M, j, U)$, $I$ can find $(M, j, U, h, \gamma)$ in the $H_2$ table. Therefore, $I$ can compute
$$g^{\alpha\beta} = I_\varepsilon^{\alpha} = FS \cdot \prod_{m=1}^{n} I_\varepsilon^{-\rho_{w_j|m} h_{w_j|m}} \cdot g^{-r\gamma} = FS \cdot \prod_{m=1}^{n} I_\varepsilon^{-\rho_{w_j|m} h_{w_j|m}} \cdot U^{-\gamma},$$
where $\gamma$ can be found in the tuple $(M, j, U, h, \gamma)$. The construction of algorithm $I$ is now complete. Next, we analyze the following events and compute the probability that $I$ succeeds.

Event $E_1$: When $F$ queries the signature oracle, $I$ aborts. We have $\Pr[E_1] \le q_S(2q_{H_2} - q_S - 1)/2(q-1)$. In the $H_2$ table that $I$ maintains, the number of entries not generated by the signing simulation is $q_{H_2} - q_S$. Therefore, when the $k$-th signature query happens, in the worst case at most $q_{H_2} - q_S + k - 1$ $H_2$ queries have been defined. The probability that $I$ aborts on the $k$-th ($k \in \{1, 2, \dots, q_S\}$) signature query is at most $(q_{H_2} - q_S + k - 1)/(q-1)$, where $q - 1$ is the size of the domain from which $U$ (actually $\varphi$) is selected (that is, the number of elements of $\mathbb{Z}_q^*$). Let $\epsilon_k$ denote the event that $I$ aborts on the $k$-th signature query. Then
$$\Pr[E_1] = \Pr[\epsilon_1 \cup \cdots \cup \epsilon_{q_S}] \le \sum_{k=1}^{q_S} \Pr[\epsilon_k] = \sum_{k=1}^{q_S} \frac{q_{H_2} - q_S + k - 1}{q-1} = \frac{q_S(2q_{H_2} - q_S - 1)}{2(q-1)}.$$

Event $E_2$: When $I$ does not abort, $F$ succeeds in forging a valid signature for a new message in period $j$, where $1 \le j < b$. Obviously, $\Pr[E_2] \ge \varepsilon'$. Thus the probability of computing $g^{\alpha\beta}$ is at least
$$\Pr[E_2] \cdot (1 - \Pr[E_1]) \ge \varepsilon' - \varepsilon'\Pr[E_1] \ge \varepsilon' \left(\frac{2(q-1) - q_S(2q_{H_2} - q_S - 1)}{2(q-1)}\right) = \varepsilon.$$

To analyze the total running time of $I$, we only consider the time in terms of $T$. The total time is bounded by the signature queries, so it is $O(T\log T)\,t_{G_1}$. The total running time of $I$ is at most $t' + O(T\log T)\,t_{G_1} = t$. This contradicts the assumption that $G_1$ is a $(t', \varepsilon')$-secure CDH group. □

Theorem 3 Let $F$ be an adversary that produces an existential forgery against our scheme in the forward security attack model. Assume that $F$ makes $q_S$ signing queries and $q_{H_2}$ $H_2$


hash queries at most. Then there exists an algorithm $I$ that solves the CDH problem in $G_1$ in time $t$ with success probability $\varepsilon$, where $t = t' + O(T\log T)\,t_{G_1}$ and
$$\varepsilon = T\varepsilon' + \frac{q_S(2q_{H_2} - q_S - 1)}{2(q-1)}$$
($t_{G_1}$ denotes the maximum running time of an operation in $G_1$).

Proof: We replace the hash functions $H_1$ and $H_3$ with 1-wise and $(l+1)$-wise independent hash functions drawn from function families, and view $H_2$ as a random oracle in the proof. If $F$ is an adversary that $(t, q_S, q_{H_2}, \varepsilon)$-attacks FSIG, we construct a PPT adversary $I$ that $(t', \varepsilon')$-breaks the CDH problem in group $G_1$. First, the algorithm $I$ is given parameters $(G_1, G_2, \hat{e})$ generated by $IG(1^k)$ and a challenge $(g, g^\alpha, g^\beta)$, and the goal of $I$ is to compute $g^{\alpha\beta}$, where $\alpha$ and $\beta \in_R \mathbb{Z}_q^*$ are unknown to $I$. $I$ randomly selects $\mu \in \mathbb{Z}_q^*$ and computes $V = g^\mu$. Thus $\rho_\varepsilon = \alpha - \mu$ is unknown to $I$ and $R = g^\alpha / V$. $I$ runs $F$ as a subroutine. $I$ selects the total number of time periods $T$ and guesses at random the time period $b$ at which $F$ makes the break-in query, where $0 < b \le T$. Let $w_b = w_1^* \cdots w_s^*$ denote the node corresponding to period $b$. $I$ chooses $r_{w_b}, h_{w_b} \in_R \mathbb{Z}_q^*$, and chooses $r_{w_b|i}, h_{w_b|i} \in_R \mathbb{Z}_q^*$ for all $1 \le i \le s$ with $w_i^* = 0$. $I$ randomly selects hash functions $H_1$ and $H_3$ from 1-wise and $(l+1)$-wise independent hash families, respectively, subject to the following constraints:
$$H_1(\varepsilon, R) = g^\beta = I_\varepsilon,\qquad R_{w_b} = \left(g^{r_{w_b}} \cdot R^{-1} \cdot V^{-1}\right)^{1/h_{w_b}},\qquad H_3(w_b, R_{w_b}) = h_{w_b},$$
and for all $1 \le i \le s$ with $w_i^* = 0$:
$$R_{w_b|i} = \left(g^{r_{w_b|i}} \cdot R^{-1} \cdot V^{-1}\right)^{1/h_{w_b|i}},\qquad H_3(w_b|i, R_{w_b|i}) = h_{w_b|i}.$$

$I$ provides $PK = (G_1, G_2, \hat{e}, g, R, V, T, H_1, H_2, H_3)$ to $F$. $I$ maintains two tables, an $H_2$ oracle table and a signature query table, to answer the queries from $F$. $I$ first simulates the update procedure in order to provide the parameters necessary for replying to $F$'s signature queries and break-in query. Let $w_j = w_1 \cdots w_t$ denote the node corresponding to period $j$. For all $j = 0, \dots, b-1$, $I$ simulates the update procedure in order as follows:
1. If $w_j$ is a leaf, then $I$ does nothing.
2. If $w_j0 = w_b$, then according to $r_{w_j0}, r_{w_j1}, h_{w_j0}, h_{w_j1} \in \mathbb{Z}_q^*$, which were defined when selecting $H_3$, $I$ sets $R_{w_j0} = (g^{r_{w_j0}} \cdot R^{-1} \cdot V^{-1})^{1/h_{w_j0}}$, $H_3(w_j0, R_{w_j0}) = h_{w_j0}$, $R_{w_j1} = (g^{r_{w_j1}} \cdot R^{-1} \cdot V^{-1})^{1/h_{w_j1}}$, and $H_3(w_j1, R_{w_j1}) = h_{w_j1}$.
3. If $w_j0 \ne w_b$ is a prefix of $w_b$, then $I$ selects $\rho_{w_j0}, h_{w_j0} \in_R \mathbb{Z}_q^*$, and sets $R_{w_j0} = g^{\rho_{w_j0}}$ and $H_3(w_j0, R_{w_j0}) = h_{w_j0}$. According to $r_{w_j1}, h_{w_j1} \in \mathbb{Z}_q^*$, which were defined when selecting $H_3$, $I$ sets $R_{w_j1} = (g^{r_{w_j1}} \cdot R^{-1} \cdot V^{-1})^{1/h_{w_j1}}$ and $H_3(w_j1, R_{w_j1}) = h_{w_j1}$.
4. Otherwise, $I$ selects $\rho_{w_j0}, h_{w_j0}, \rho_{w_j1}, h_{w_j1} \in_R \mathbb{Z}_q^*$, and computes $R_{w_j0} = g^{\rho_{w_j0}}$, $H_3(w_j0, R_{w_j0}) = h_{w_j0}$, $R_{w_j1} = g^{\rho_{w_j1}}$, and $H_3(w_j1, R_{w_j1}) = h_{w_j1}$.

At that point, $F$ begins to run in the CMA phase. $F$ may query the $H_2$ oracle and the signature oracle, so $I$ needs to simulate these oracles to answer the queries.

The simulation of $H_2$ queries: When $F$ queries the oracle $H_2$ at a point $(M, j, U)$, $I$ does as follows:
1. If $(M, j, U)$ already appears in a tuple of the $H_2$ table, then $I$ responds $H_2(M, j, U) = h \in G_1$ to $F$.
2. Otherwise, $I$ selects $\gamma \in_R \mathbb{Z}_q^*$, sets $h = g^\gamma$, and adds $(M, j, U, h, \gamma)$ to the $H_2$ table. $I$ responds $H_2(M, j, U) = h \in G_1$ to $F$.

The simulation of signature oracle queries: When $F$ queries the signature oracle at a point $(M, j)$, $I$ does as follows:
1. $I$ selects $\gamma, \varphi \in_R \mathbb{Z}_q^*$, and sets $h = g^\gamma \cdot I_\varepsilon^{-1/\varphi}$ and $U = (R \cdot V)^\varphi$ (so that $r = \varphi\alpha$). If $H_2(M, j, U)$ already appears in the $H_2$ table, then $I$ aborts.
2. $I$ adds $(M, j, U, h, \gamma, \varphi)$ to the $H_2$ table.
3. $I$ uses $\rho_{w_j|m}, h_{w_j|m}$ ($1 \le m \le t$) generated during the simulation of the update procedure to compute
$$FS = \prod_{m=1}^{t} I_\varepsilon^{\rho_{w_j|m} h_{w_j|m}} \cdot R^{\varphi\gamma} \cdot V^{\varphi\gamma} \cdot I_\varepsilon^{-\mu}.$$
4. $I$ responds $(U, FS)$ to $F$.
Obviously, $I$ can provide the signature to $F$ even though she cannot compute $I_\varepsilon^\alpha = g^{\alpha\beta}$.

When $F$ finishes the CMA phase and comes to the break-in phase, $I$ does as follows in order to provide $\mathrm{EncSK}_b$ to $F$. According to the parameters generated during the simulation of the update procedure, $I$ computes
$$\mathrm{EncS}_{w_b} = I_\varepsilon^{r_{w_b}} \cdot \prod_{m=1}^{s-1} I_\varepsilon^{\rho_{w_b|m} h_{w_b|m}}.$$
For all the nodes $w_b|i$ ($1 \le i \le s$) satisfying $w_i^* = 0$ on the path from the root to $w_b$, $I$ computes the node secret keys
$$SN_{w_b|i} = I_\varepsilon^{r_{w_b|i}} \cdot \prod_{m=1}^{i-1} I_\varepsilon^{\rho_{w_b|m} h_{w_b|m}}$$
for their right siblings. $I$ responds $\mathrm{EncSK}_b = (SN_{w_b|1}, \dots, SN_{w_b|s}, SN_{w_b})$ to $F$, where $w_b = w_1^* \cdots w_s^*$ and $SN_{w_b|k} = \mathrm{NULL}$ if the last bit of $w_b|k$ is 1.

When $F$ finishes the break-in phase, she comes to the forgery phase. $F$ wants to forge a signature for $M$ in period $j$, where $1 \le j \le b-1$. Let $w_j = w_1 \cdots w_n$ denote the node corresponding to period $j$. $F$ first needs to query the $H_2$ oracle to get $H_2(M, j, U = g^r)$. If $F$ can forge a valid signature $(U, FS)$, then
$$FS = I_\varepsilon^{\alpha} \cdot \prod_{m=1}^{n} I_\varepsilon^{\rho_{w_j|m} h_{w_j|m}} \cdot H_2(M, j, U)^r \cdot I_\varepsilon^{-\mu}.$$
Since $F$ has queried $H_2(M, j, U)$, $I$ can find $(M, j, U, h, \gamma)$ in the $H_2$ table. Therefore, $I$ can compute
$$g^{\alpha\beta} = I_\varepsilon^{\alpha} = FS \cdot \prod_{m=1}^{n} I_\varepsilon^{-\rho_{w_j|m} h_{w_j|m}} \cdot g^{-r\gamma} \cdot I_\varepsilon^{\mu} = FS \cdot \prod_{m=1}^{n} I_\varepsilon^{-\rho_{w_j|m} h_{w_j|m}} \cdot U^{-\gamma} \cdot I_\varepsilon^{\mu},$$
where $\rho_{w_j|m}, h_{w_j|m}$ were generated during the simulation of the update procedure and $\gamma$ can be found in the tuple $(M, j, U, h, \gamma)$. The construction of algorithm $I$ is now complete. Next, we analyze the following events and compute the probability that $I$ succeeds.

Event $E_1$: When $F$ queries the signature oracle, $I$ aborts. From Theorem 2, $\Pr[E_1] \le \dfrac{q_S(2q_{H_2} - q_S - 1)}{2(q-1)}$.

Event $E_2$: $F$ outputs $d = \mathrm{break}$ and the break-in phase is period $b$. We have $\Pr[E_2] = 1/T$.

Event $E_3$: When $I$ does not abort, $F$ succeeds in forging a valid signature for a new message in period $j$, where $1 \le j < b$. Obviously, $\Pr[E_3] \ge \varepsilon$.

Therefore, the probability that $I$ solves the CDH problem is at least
$$\Pr[E_2] \cdot (1 - \Pr[E_1]) \cdot \Pr[E_3] \ge \frac{1}{T}\big(\varepsilon - \varepsilon\Pr[E_1]\big) \ge \frac{1}{T}\big(\varepsilon - \Pr[E_1]\big) \ge \frac{1}{T}\left(\varepsilon - \frac{q_S(2q_{H_2} - q_S - 1)}{2(q-1)}\right) = \varepsilon'.$$

The total running time of $I$ is at most $t + O(T\log T)\,t_{G_1} = t'$. This contradicts the assumption that $G_1$ is a $(t', \varepsilon')$-secure CDH group. □

6. CONCLUSION

Forward-secure signatures with untrusted update may facilitate the integration of forward-secure primitives into existing software environments in which the secret key is additionally protected by an extra secret. A new forward-secure signature scheme with untrusted update is proposed in this paper. We also give a full performance comparison with Boyen's scheme and analyze the security of the proposed scheme.

Jia Yu (于佳) received the M.S. and B.S.
degrees from the School of Computer Science and Technology, Shandong University, China, in 2003 and 2000, respectively. He received the Ph.D. degree from the Institute of Network Security, Shandong University, China, in 2006. He is currently an associate professor in the College of Information Engineering at Qingdao University, China. His research interests include key-evolving cryptography, digital signatures, cryptographic protocols, and network security.

Fan-Yu Kong (孔凡玉) received the M.S. and B.S. degrees from the School of Computer Science and Technology, Shandong University, China, in 2003 and 2000, respectively. He received the Ph.D. degree from the Institute of Network Security, Shandong University, China, in 2006. He is currently an Associate Professor in the Institute of Network Security at Shandong University, China. His research interests include cryptanalysis, digital signatures, and network security.

Xiang-Guo Cheng (程相国) received the B.S. degree in Mathematics Science from Jilin University in 1992, the M.S. degree in Applied Mathematics Science from Tongji University in 1998, and the Ph.D. degree from the State Key Laboratory of Integrated Services Network, Xidian University, in 2006. He is currently an associate professor in the College of Information Engineering at Qingdao University. His research interests include computer security, public key cryptosystems, and their applications.

Rong Hao (郝蓉) received the M.S. degree from the Institute of Network Security, Shandong University, China, in 2006. She is currently a lecturer in the College of Information Engineering at Qingdao University, China. Her research interests include digital signatures and secret sharing.

Jian-Xi Fan (樊建席) received the B.S. degree in Computer Science from Shandong Normal University in 1988, the M.S. degree in Computer Science from Shandong University in 1991, and the Ph.D. degree in Computer Science from City University of Hong Kong, China, in 2006. He is currently a Professor of Computer Science in the School of Computer Science and Technology at Soochow University, China. He visited the Department of Computer Science, City University of Hong Kong, as a research fellow (October 2006 to March 2007 and June 2009 to August 2009). His research interests include parallel and distributed systems, interconnection architectures, design and analysis of algorithms, and graph theory.