Forward-Secure Signatures with Untrusted Update - PowerPoint PPT Presentation

Slides: 21
Provided by: danb180
1
Forward-Secure Signatures with Untrusted Update
Xavier Boyen (Voltage)
Hovav Shacham (Weizmann)
Emily Shen (MIT)
Brent Waters (SRI International)
2
Worm List Distribution
[Figure labels: Users, Time, Verification Key]
3
Compromise Ruins Everything
All prior updates are suspect
[Figure labels: Users, Time, Verification Key]
4
Forward Secure Signatures [A97]
  • Sign message and timestamp
  • Evolve key forward in time
  • Can't backdate signatures
  • Verifier checks time

[Figure labels: time periods 1, 2, 3, 4]
5
Past Messages not Revoked
[Figure labels: time periods 1, 2, 3, 4; Users, Time, Verification Key]
6
Anderson's Solution
  • T time periods
  • Create T SK key pairs w/ certificates from master key
  • Update: erase old keys

3 years, hourly: 25,000 periods, 3MB
[Figure label: Verification Key]

7
Bellare-Miner Tree method
  • Leaves with Time Periods
  • Sign with current leaf
  • lg(T) storage and signature size

[Figure labels: Time; periods 1, 2, 3, 4]
8
FS Signature Schemes
  • Evaluate on Sig Size, Key Size, and Time
  • Bellare and Miner 99
  • Itkis and Reyzin 01
  • MMM 03

Let's bring into practice
9
In practice
  • Private keys are encrypted by passwords
  • FS Signature update needs unencrypted keys!

10
Our Choices
  • No Forward Secure Signatures
  • No Password Encryption (No Adoption)
  • Bug User per update
  • Invent something new

11
Forward Secure Signatures w/ Untrusted Update
  • KeyGen(T, PW): Outputs FSS keypair (EncSK, VK)
  • Update(EncSK): Evolves key forward (PW not needed)
  • Sign(EncSK, PW, M): Signs M under current key
  • Verify(VK, M, S): Verifies signature S

12
Security: 2 Games
  • Forward Security
    • Corrupt at time t (PW and storage)
    • Attacker tries to forge at time t' < t
  • Update Security
    • Corrupts storage, but not PW

13
Our Scheme (Outline)
  • Tree-based with Bilinear Groups
  • PW is Blinding Factor B
  • Update operation is homomorphic to factor
  • Sketch key update

14
Bilinear Maps
  • $G$, $G_T$: finite cyclic groups of prime order $p$.
  • Def: An admissible bilinear map $e : G \times G \to G_T$ is
    • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
    • Efficiently computable.

15
Basic tree method (simplified)
  • PK: $e(g,g)^a, h_1, h_2, \ldots, h_{\lg(T)}$
  • Multiply in when deriving to the right

[Figure: tree node keys]
$g^a (h_1)^r$
$g^a (h_2)^r$
$g^a (h_2)^r (h_3)^r$
Can sign using leaf keys
16
Adding untrusted update
User decryption key $B \in G$. Divide out $B$ from leaf key to sign.
[Figure: tree node keys]
$B g^a (h_1)^r$
$B g^a (h_2)^r$
$B g^a (h_2)^r (h_3)^r$
Can sign using leaf keys
17
Results Summary
  • Untrusted Update
  • Constant size sigs
  • $\lg(T)^2$ storage (can trade off with sig size)
  • Fast setup, update, and verification
  • No Random Oracles

18
Untrusted Update elsewhere?
E.g. Bellare-Miner (2)
Update: $x^2 \bmod N$
Untrusted Update: $(Bx)^2 \bmod N$
After $t$ time periods must compute $B^{2^t} \bmod N$. Hurts performance! (True elsewhere, e.g. IR01)
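The blinding algebra from this slide, as an added example (not code from the presentation or the authors' implementation). It shows only the key-update homomorphism, not a signature scheme; the toy modulus, the PBKDF2 derivation of B, and all function names are assumptions made for illustration.

```python
import hashlib
from math import gcd

# Constructed toy modulus from two Mersenne primes (both 3 mod 4).
# A real modulus is far larger and its factorization is erased after KeyGen.
N = (2**31 - 1) * (2**61 - 1)

def blinding_factor(password: str, salt: bytes) -> int:
    """Derive B in Z_N^* from the password (PBKDF2 is this example's choice)."""
    counter = 0
    while True:
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt + bytes([counter]), 10_000)
        b = int.from_bytes(digest, "big") % N
        if b > 1 and gcd(b, N) == 1:
            return b
        counter += 1

def keygen(x: int, password: str, salt: bytes) -> int:
    """Only the blinded secret Bx mod N is written to storage."""
    return (blinding_factor(password, salt) * x) % N

def update(enc_sk: int) -> int:
    """Untrusted update: (Bx)^2 mod N, computed without the password."""
    return pow(enc_sk, 2, N)

def unblind(enc_sk: int, t: int, password: str, salt: bytes):
    """Divide out B^(2^t) to get the period-t secret; returns (key, squarings)."""
    b_t = blinding_factor(password, salt)
    for _ in range(t):  # phi(N) is unknown, so the exponent 2^t cannot be reduced
        b_t = pow(b_t, 2, N)
    return (enc_sk * pow(b_t, -1, N)) % N, t

def demo(t: int = 1000):
    salt, x = b"constructed-salt", 123456789  # constructed sample values
    enc_sk = keygen(x, "correct horse", salt)
    for _ in range(t):
        enc_sk = update(enc_sk)
    expected = pow(x, 2**t, N)  # unblinded key x^(2^t) after t plain updates
    good, cost = unblind(enc_sk, t, "correct horse", salt)
    bad, _ = unblind(enc_sk, t, "wrong password", salt)
    return good == expected, bad == expected, cost

if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo` is the number of squarings of B needed before signing, which grows linearly with the period t.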
19
Conclusion
  • Introduced Untrusted Update
  • Created scheme
  • Implementation
  • Open: Add untrusted update to other FSSs

20
THE END