## A forward-secure digital signature scheme (1999)


### Citation count

176 citing articles (13 self-citations).

### BibTeX

```bibtex
@INPROCEEDINGS{Bellare99aforward-secure,
  author    = {Mihir Bellare and Sara K. Miner},
  title     = {A forward-secure digital signature scheme},
  booktitle = {},
  year      = {1999},
  pages     = {431--448},
  publisher = {Springer-Verlag}
}
```

### Abstract

We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.
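The scheme the abstract describes, as an added worked example (this is not code from the paper or its authors): a toy Python implementation of the Bellare-Miner key evolution, signing and verification, together with the two forgeries a key-compromise adversary would try first. Assumptions: the modulus is a tiny Blum-Williams integer N = 1019 · 991, chosen only so the example runs instantly (it factors trivially and offers no security; real parameters are primes of roughly 1024 bits each); the hash is SHA-256 truncated to l = 32 challenge bits; the signature carries the commitment Y rather than the hash value, a simplification of the paper's signature format; and every function, class and variable name is mine. Periods run 0..T-1, the period-j secret key is S_{i,j} = S_{i,0}^{2^j} mod N and the public key is U_i = S_{i,0}^{2^{T+1}} mod N, so advancing a period is one squaring per component while going back is a modular square root, which for a Blum-Williams modulus is as hard as factoring N (the property the Williams citation in the list below is invoked for).

```python
import hashlib
import math
import random
from dataclasses import dataclass

# Toy parameters (assumption: chosen only so the example runs instantly).
# p = 3 (mod 8) and q = 7 (mod 8) make N a Blum-Williams integer, so squaring
# is a permutation on the quadratic residues mod N and the key update below is
# one-way as long as N is hard to factor.  At this size N factors in
# microseconds, so the example shows the mechanics, not the security.
P, Q = 1019, 991
N = P * Q
L = 32   # challenge bits per signature (the Fiat-Shamir "l" parameter)
T = 8    # number of time periods, numbered 0 .. T-1

def _rand_unit(rng):
    """Random element of Z_N^* (rejection sampling; cheap at this size)."""
    while True:
        x = rng.randrange(2, N - 1)
        if math.gcd(x, N) == 1:
            return x

def _sq(x, k):
    """x^(2^k) mod N, i.e. k repeated squarings."""
    return pow(x, 1 << k, N)

@dataclass(frozen=True)
class PublicKey:
    u: tuple      # U_i = S_{i,0}^(2^(T+1)) mod N; fixed for all periods

@dataclass(frozen=True)
class SecretKey:
    period: int   # j, the period this key signs for
    s: tuple      # S_{i,j} = S_{i,0}^(2^j) mod N

def keygen(rng):
    s0 = tuple(_rand_unit(rng) for _ in range(L))
    return PublicKey(tuple(_sq(s, T + 1) for s in s0)), SecretKey(0, s0)

def update(sk):
    """Advance from period j to j+1 by squaring every component.  The caller
    must discard the old key; recovering it from the new one means taking
    square roots mod N, which is as hard as factoring N."""
    if sk.period + 1 >= T:
        raise ValueError("key has expired; no further periods")
    return SecretKey(sk.period + 1, tuple(s * s % N for s in sk.s))

def _challenge(j, y, msg):
    """Fiat-Shamir challenge: L bits of H(j, Y, M).  Hashing j in is what stops
    a period-j signature from being presented as one for a period b < j."""
    h = int.from_bytes(hashlib.sha256(f"{j}|{y}|".encode() + msg).digest(), "big")
    return [(h >> i) & 1 for i in range(L)]

def sign(sk, msg, rng):
    j = sk.period
    r = _rand_unit(rng)
    y = _sq(r, T + 1 - j)                     # commitment Y = R^(2^(T+1-j))
    z = r
    for ci, si in zip(_challenge(j, y, msg), sk.s):
        if ci:                                # Z = R * prod_i S_{i,j}^{c_i}
            z = z * si % N
    return (j, y, z)

def verify(pk, msg, sig):
    j, y, z = sig
    if not 0 <= j < T:
        return False
    rhs = y
    for ci, ui in zip(_challenge(j, y, msg), pk.u):
        if ci:                                # Y * prod_i U_i^{c_i}
            rhs = rhs * ui % N
    return _sq(z, T + 1 - j) == rhs           # must equal Z^(2^(T+1-j))

def forge_past_period(leaked_sk, b, msg, rng):
    """The natural attempt by an adversary who stole the period-j key: run the
    signer with the leaked components as if they were the period-b key (b < j).
    It fails because S_{i,j}^(2^(T+1-b)) = U_i^(2^(j-b)), not U_i."""
    return sign(SecretKey(b, leaked_sk.s), msg, rng)

def demo(seed=1):
    """Run the honest protocol and both forgery attempts; every value is
    expected to be True.  Messages are constructed sample inputs."""
    rng = random.Random(seed)
    pk, sk0 = keygen(rng)
    m0, m1 = b"invoice 1 (period 0)", b"invoice 2 (period 1)"
    sig0 = sign(sk0, m0, rng)
    sk1 = update(sk0)                          # sk0 is erased in a real signer
    sig1 = sign(sk1, m1, rng)
    forged = forge_past_period(sk1, 0, b"backdated refund", rng)
    relabelled = (0, sig1[1], sig1[2])         # period-1 signature claimed for period 0
    return {
        "period0_valid": verify(pk, m0, sig0),
        "period1_valid": verify(pk, m1, sig1),
        "edited_msg_rejected": not verify(pk, m0 + b" (edited)", sig0),
        "forgery_rejected": not verify(pk, b"backdated refund", forged),
        "relabel_rejected": not verify(pk, m1, relabelled),
    }
```

Calling `demo()` returns five checks that should all be True: both honest signatures verify, an edited message is rejected, the attacker's attempt to sign for period 0 with the period-1 key is rejected, and a period-1 signature relabelled as period 0 is rejected (the period is bound into the challenge hash and changes the verification exponent). Two caveats a practitioner should keep in mind: forward security only holds if the signer really erases the old key at each update, which is why `update` returns a fresh object and the caller is expected to drop the previous one; and the scheme is parameterised by the total number of periods T up front, since the public key exponent 2^{T+1} fixes it, so a key that runs past period T-1 cannot simply be extended.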

### Citations

- **How to share a secret** (Shamir). CiteSeer citations: 1766.
  Context: "...stick to well-known schemes and use large security parameters. The most widely considered solution to the problem of key exposure is distribution of the key across multiple servers via secret sharing [20, 5]. There are numerous instantiations of this idea including threshold signatures [7] and proactive signatures [15]. Distribution however is quite costly. While a large corporation or a certification aut..."

- **Random oracles are practical: A paradigm for designing efficient protocols** (Bellare, Rogaway, 1993). CiteSeer citations: 1334.
  Context: "...ible. Forward security of our scheme. We then show that our scheme meets this notion of forward security assuming it is hard to factor Blum-Williams integers. This proof is in the random oracle model [3], meaning it assumes that a certain hash function used in the scheme has random behavior. Our security analysis proceeds in two steps. We first define a notion of a "forward secure identification (ID)..."

- **A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks** (Goldwasser, Micali, et al., 1988). CiteSeer citations: 833.
  Context: "...at our scheme has the forward security property, we first provide a formal definition of forward security for digital signatures, extending the notion of security for standard digital signatures from [11] to allow for key exposure attacks. Our model allows the adversary to mount a chosen-message attack, then expose the signing key at some current period j of its choice. It is successful if it can forg..."

- **How to prove yourself: Practical solutions to identification and signature problems** (Fiat, Shamir, 1986). CiteSeer citations: 831.
  Context: "...ind, we turn to a different paradigm: construction of signature schemes based on identification schemes. We present a forward secure digital signature scheme based on ideas underlying the Fiat-Shamir [10] and Ong-Schnorr [16] identification and signature schemes. The feature of these schemes that is crucial to enable secure key evolution is that even the signer does not need to know the factorization ..."

- **Safeguarding cryptographic keys** (Blakley, 1979). CiteSeer citations: 395.
  Context: "...stick to well-known schemes and use large security parameters. The most widely considered solution to the problem of key exposure is distribution of the key across multiple servers via secret sharing [18, 5]. There are numerous instantiations of this idea including threshold signatures [7] and proactive signatures [14]. Distribution however is quite costly. While a large corporation or a certification au..."

- **The exact security of digital signatures: how to sign with RSA and Rabin** (Bellare, Rogaway, 1996). CiteSeer citations: 329.
  Context: "...y default.) It will now try to forge signatures under SK_b for some b < j and is declared successful if the signature is valid and the message is new. Following the concrete security paradigm used in [4], we associate to the scheme an insecurity function whose value is the maximum probability of being able to break the scheme, the maximum being over all adversary strategies restricted to resource bou..."

- **Zero-knowledge Proofs of Identity** (Feige, Fiat, et al., 1988). CiteSeer citations: 310.

- **Authentication and authenticated key exchanges** (Diffie, van Oorschot, et al., 1992). CiteSeer citations: 264.
  Context: "...ge" time-stamps if it wanted by simply not deleting previous keys.) History. The term (perfect) "forward secrecy" was first used in [12] in the context of session key exchange protocols, and later in [8]. The basic idea, as described in [8], is that compromise of long-term keys does not compromise past session keys, meaning that past actions are protected in some way against loss of the current key, ..."

- **Threshold cryptosystems** (Desmedt, Frankel, 1989). CiteSeer citations: 255.
  Context: "...ed solution to the problem of key exposure is distribution of the key across multiple servers via secret sharing [18, 5]. There are numerous instantiations of this idea including threshold signatures [7] and proactive signatures [14]. Distribution however is quite costly. While a large corporation or a certification authority might be able to distribute their keys, the average user, with just one mac..."

- **A simple unpredictable pseudo-random number generator** (Blum, Blum, et al., 1986). CiteSeer citations: 226.

- **Security proofs for signature schemes** (Pointcheval, Stern, 1996). CiteSeer citations: 209.
  Context: "...nge is specified as a hash of the message and the commitment). We then show that this transformation preserves forward security. (The transformation is known to preserve security in the standard sense [18, 16], but here we are considering a new security feature.) We stress one issue with regard to forward secure ID schemes: they are artificial constructs, in the sense that the security notion we put forth t..."

- **How to time-stamp a digital document** (Haber, Stornetta). CiteSeer citations: 204.
  Context: "... her choice, but not one of the form ⟨32, i⟩. So she cannot claim to have paid up on February 1st. Relation to time-stamping. Time-stamping signed documents via a trusted time stamping authority (cf. [13]) can also provide a similar kind of security, but this requires that one make use of such an authority, which is costly in various ways. Forward security may be viewed as providing a certain kind of ..."

- **An Identity-Based Key-Exchange Protocol** (Günther, 1990). CiteSeer citations: 50.
  Context: "... it assumes the signer is honest since the signer could of course "forge" time-stamps if it wanted by simply not deleting previous keys.) History. The term (perfect) "forward secrecy" was first used in [13] in the context of session key exchange protocols, and later in [8]. The basic idea, as described in [8], is that compromise of long-term keys does not compromise past session keys, meaning that past ..."

- **On concrete security treatment of signatures derived from identification** (Ohta, Okamoto, 1998). CiteSeer citations: 40.
  Context: "...ge is specified as a hash of the message and the commitment). We then show that this transformation preserves forward security. (The transformation is known to preserve security in the standard sense [17, 15], but here we are considering a new security feature.) We stress one issue with regard to forward secure ID schemes: they are artificial constructs, in the sense that the security notion we put forth ..."

- **Fast Signature Generation with a Fiat-Shamir-Like Scheme** (Ong, Schnorr, Eurocrypt '90). CiteSeer citations: 40.
  Context: "...cheme based on ideas underlying the Fiat-Shamir [10] identification scheme (in turn based on the zero-knowledge proof of quadratic residuosity of Goldwasser, Micali and Rackoff [11]) and the Ong-Schnorr [17] identification scheme. The feature of these schemes that is crucial to enable secure key evolution is that even the signer does not need to know the factorization of the modulus on which the scheme is..."

- **One-way functions are necessary and sufficient for secure signatures** (Rompel, STOC 1990). CiteSeer citations: 35.
  Context: "...on. (By non-trivial we mean that the size of keys and signatures can be at most polylog(T).) Indeed, the tree scheme uses only standard digital signatures, and these exist given any one-way function [19]. 4 Our forward-secure signature scheme. This is our main scheme. We first specify the scheme and its basic properties. Then we analyze its security. 4.1 Description of our scheme. Keys and key generation..."

- **The knowledge complexity of interactive proofs** (Goldwasser, Micali, et al., 1989). CiteSeer citations: 24.
  Context: "...secure digital signature scheme based on ideas underlying the Fiat-Shamir [10] identification scheme (in turn based on the zero-knowledge proof of quadratic residuosity of Goldwasser, Micali and Rackoff [11]) and the Ong-Schnorr [17] identification scheme. The feature of these schemes that is crucial to enable secure key evolution is that even the signer does not need to know the factorization of the modu..."

- **Proactive public-key and signature schemes** (Herzberg, Jakobsson, et al., 1997). CiteSeer citations: 16.
  Context: "... key exposure is distribution of the key across multiple servers via secret sharing [18, 5]. There are numerous instantiations of this idea including threshold signatures [7] and proactive signatures [14]. Distribution however is quite costly. While a large corporation or a certification authority might be able to distribute their keys, the average user, with just one machine, does not have this optio..."

- **A modification of the RSA public key encryption procedure** (Williams, 1980). CiteSeer citations: 3.
  Context: "... (3) Proof: Let S be the set of squares in Z_N and f: S → S the map f(x) = x^2 mod N. We know that f is a permutation on S because N is a Blum-Williams integer [6, 22]. Let f^{-1}: S → S be the inverse map of f. Each number u = x^2 ∈ S has exactly four square roots, precisely one of which, namely x, is in S. We know that f^{-1} is the inverse of a permutation, so f^{-1}(u..."

- **An identity-based key-exchange protocol** (Günther, 1989). CiteSeer citations: 1.
  Context: "...t assumes the signer is honest since the signer could of course "forge" time-stamps if it wanted by simply not deleting previous keys.) History. The term (perfect) "forward secrecy" was first used in [12] in the context of session key exchange protocols, and later in [8]. The basic idea, as described in [8], is that compromise of long-term keys does not compromise past session keys, meaning that past ..."

- **On the security of a practical identification scheme** (Shoup, 1996). CiteSeer citations: 1.
  Context: "...cheme only in the Ong-Schnorr style (rather than a combination of that with Fiat-Shamir as we do). This will reduce key sizes, but increase computation time, and the analysis (one could try to extend [21]) seems more involved. A note on synchronization. One might imagine that a scheme using time periods in the way we do will impose a requirement for clock synchronization, arising from disagreements ne..."