ForwardSecure Signatures with Untrusted Update PowerPoint PPT Presentation

presentation player overlay
About This Presentation
Transcript and Presenter's Notes

Title: ForwardSecure Signatures with Untrusted Update


1
Forward-Secure Signatures with Untrusted Update
Xavier Boyen Voltage
Hovav Shacham Weizmann
Emily Shen MIT
Brent Waters SRI International
2
Worm List Distribution
Users
Time
Verification Key
3
Compromise Ruins Everything
Users
All prior updates are suspect
Time
Verification Key
4
Forward Secure Signatures A97
  • Sign message and Timestamp
  • Evolve Key Forward in Time
  • Cant backdate signatures
  • Verifier checks time

1
2
3
4
5
Past Messages not Revoked
1
2
3
4
Users
Time
Verification Key
6
Andersons Solution
  • T -Time periods
  • Create T SK key pairs w/certifcates from master
    key
  • Update Erase old Keys

3 years hourly 25,000 periods 3MB
Verification Key

7
Bellare-Miner Tree method
  • Leaves with Time Peroids
  • Sign with current leaf
  • lg(T) storage signature size

Time
1
2
3
4
8
FS Signature Schemes
  • Evaluate on Sig Size, Key Size, and Time
  • Bellare and Miner 99
  • Itkis and Reyzin 01
  • MMM 03

Lets bring into practice
9
In practice
  • Private keys are encrypted by passwords
  • FS Signature update needs unencrypted keys!

10
Our Choices
  • No Forward Secure Signatures
  • No Password Encryption (No Adoption)
  • Bug User per update
  • Invent something new

11
Forward Secure Signatures w/ Untrusted Update
  • KeyGen(T,PW) Outputs FSS keypair (EncSK, VK)
  • Update(EncSK) Evovles key forward (PW not
    needed)
  • Sign(EncSK, PW, M ) Signs M under current key
  • Update( VK,M,S ) Verifies signature S

12
Security 2 Games
  • Forward Security
  • Corrupt at time t (PW and storage)
  • Attacker tries to forge at time tlt t
  • Update Security
  • Corrupts storage, but not PW

13
Our Scheme (Outline)
  • Tree-based with Bilinear Groups
  • PW is Blinding Factor B
  • Update operation is homomorphic to factor
  • Sketch key update

14
Bilinear Maps
  • G , GT finite cyclic groups of prime order p.
  • Def An admissible bilinear map e G?G ? GT
    is
  • Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
    g?G
  • Efficiently computable.

15
Basic tree method (simplified)
  • PK e(g,g)a, h1, h2, hlg(T)
  • Multiply in when derive to right

ga(h1)r
ga(h2)r
ga(h2)r (h3)r
Can sign using leaf keys
16
Adding untrusted update
User Decryption key B 2 G Divide out B from
leaf key to sign
Bga(h1)r
Bga(h2)r
Bga(h2)r (h3)r
Can sign using leaf keys
17
Results Summary
  • Untrusted Update
  • Constant size sigs
  • Lg(T)2 storage (can tradeoff with sig size)
  • Fast setup, update, and verification
  • No Random Oracles

18
Untrusted Update elsewhere?
E.g. Bellare-Miner (2)
Update x2 mod N
Untrusted Update (Bx)2 mod N
After t time periods must compute B2t mod N Hurts
performance! (True elsewhere e.g. IR01)
19
Conclusion
  • IntroducedUntrusted Update
  • Created scheme
  • Implementation
  • Open Add untrusted Update to other FSSS

20
THE END
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "ForwardSecure Signatures with Untrusted Update" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!