## Strong Key-Insulated Signature Schemes (2002)

Citations: 49 - 13 self

### BibTeX

@MISC{Dodis02strongkey-insulated,
    author = {Yevgeniy Dodis and Jonathan Katz and Shouhuai Xu and Moti Yung},
    title = {Strong Key-Insulated Signature Schemes},
    year = {2002}
}

### Abstract

Digital signing is at the heart of Internet-based transactions and e-commerce. In this global communication environment, signature computation will be frequently performed on a relatively insecure device (e.g., a mobile phone) that cannot be trusted to completely (and at all times) maintain the secrecy of the private key.

### Citations

880 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context ...u-Quisquater scheme [13] provides a trapdoor signature scheme based on the RSA assumption (in the random oracle model). However, a number of additional schemes satisfy this requirement as well (e.g., [8, 20, 23, 29, 27]). Thus our technique is quite flexible and allows for adaptation of a number of standard (and previously analyzed) schemes. We also note that the loss of a factor $q(k) = q_{\mathrm{hash}}$ (where this represents...

862 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988

791 | Identity-based cryptosystems and signature schemes
- Shamir
- 1985
Citation Context ...me, where again we additionally ensure strong security of our construction. The notion of random access to keys is unique to our treatment. Finally, we mention that an identity-based signature scheme [28] immediately gives an $(N-1, N)$-key-insulated signature scheme (ensuring strong security requires some additional work). However, we are not aware of any previous formal definitions or proofs o...

618 | Efficient Signature Generation for Smart Cards
- Schnorr
Citation Context ...hile practical for small values of t, it does not completely solve the problem for t N . We defer such a solution to the following section. Our scheme builds on the Okamoto-Schnorr signature scheme [22, 26] which we review here. Let $p, q$ be primes such that $p = 2q + 1$ and let $G$ be the subgroup of $\mathbb{Z}_p^*$ of order $q$. Fix generators $g, h \in G$. A public key is generated by choosing $x, y \in_R \mathbb{Z}_q$ and setting v =...

204 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing both Transmission and
- Guillou, Quisquater
- 1988
Citation Context ... our scheme is strong key-insulated. Our discrete logarithm scheme has no counterpart in [1]. Our scheme based on trapdoor signatures and specialized for RSA may be viewed as the "Guillou-Quisquater" [13] analogue to their "Ong-Schnorr" [23] factoring-based scheme, where again we additionally ensure strong security of our construction. The notion of random access to keys is unique to our treatment. Fi...

192 | Cryptosystems based on pairing
- Sakai, Ohgishi, et al.
- 2000
Citation Context ...). This results in very efficient solutions based on, e.g., the RSA assumption in the random oracle model. Our last approach also generalizes several recent (and independent from this work) proposals [6, 15, 27, 28] for identity-based signature schemes based on the so called “Gap Diffie-Hellman Groups” (see [25]). We believe that this demonstrated variety of schemes for the specialized protection of digital signa...

185 | A forward-secure digital signature scheme
- Bellare, Miner
- 1999
Citation Context ...gnature delegation. Besides the key-insulated model, many alternate approaches have been proposed to address the risks associated with key exposure. The first such example is that of forward security [2, 3]. In this model no external device is present, and the entire secret key is stored on --- and updated by --- the insecure device itself. Clearly, any exposure now compromises all future time periods; ...

155 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes
- Okamoto
- 1992
Citation Context ...hile practical for small values of t, it does not completely solve the problem for t N . We defer such a solution to the following section. Our scheme builds on the Okamoto-Schnorr signature scheme [22, 26] which we review here. Let $p, q$ be primes such that $p = 2q + 1$ and let $G$ be the subgroup of $\mathbb{Z}_p^*$ of order $q$. Fix generators $g, h \in G$. A public key is generated by choosing $x, y \in_R \mathbb{Z}_q$ and setting v =...

130 | The Gap Problems: A New Class of Problems for the Security
- Okamoto, Pointcheval
- 1992
Citation Context ...r last approach also generalizes several recent (and independent from this work) proposals [6, 15, 27, 28] for identity-based signature schemes based on the so called “Gap Diffie-Hellman Groups” (see [25]). We believe that this demonstrated variety of schemes for the specialized protection of digital signatures is an important step toward full deployment of a Public Key Infrastructure in realistic envi...

99 | Id-based signatures from pairings on elliptic curves. Cryptology ePrint Archive, Report
- Paterson
Citation Context ...uce here); this results in very efficient solutions based on, e.g., the RSA assumption in the random oracle model. Our construction (which may be viewed as a generalization of recent independent work [4, 14, 24, 25]) may also be used as an identity-based signature scheme; we believe this is of independent interest since no rigorous proofs of security for ID-based signature schemes were previously known. RELATED ...

83 | Robust and Efficient Sharing of RSA Functions
- Gennaro, Krawczyk, et al.
Citation Context ...he RSA-based scheme in which $f_{N,e}(x) \stackrel{\text{def}}{=} x^e \bmod N$ and $f^{-1}_{N,d}(y) \stackrel{\text{def}}{=} y^d \bmod N$ (for $ed = 1 \bmod \varphi(N)$), the user and the device can share $d$ additively using standard threshold techniques (e.g., [9]). Here, the user stores (at all times) $d_1$ and the physically-secure device stores $d_2$ such that $d_1 + d_2 = d \bmod \varphi(N)$. To compute the key $SK_i$ for period $i$, the device sends $x_{i,2} = H(i)^{d_2}$ to the u...

80 | A new forward-secure digital signature scheme
- Abdalla, Reyzin
- 2000
Citation Context ... formalized, and schemes with rigorous proofs of security given, in the recent work of Dodis, et al. [8]. The notion of key insulation is related to, yet distinct from, the notion of forward security [4, 5, 3, 19, 16, 21]. In the forward-secure model (introduced by [4, 5]), the secret key is updated without any interaction with an outside device; thus, an adversary compromising the system obtains all the secret inform...

69 | Forward-Secure Signatures with Optimal Signing and Verifying
- Itkis, Reyzin
- 2001
Citation Context ... formalized, and schemes with rigorous proofs of security given, in the recent work of Dodis, et al. [8]. The notion of key insulation is related to, yet distinct from, the notion of forward security [4, 5, 3, 19, 16, 21]. In the forward-secure model (introduced by [4, 5]), the secret key is updated without any interaction with an outside device; thus, an adversary compromising the system obtains all the secret inform...

68 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
- Joux, Nguyen
- 2001
Citation Context ...an be viewed as applying our methodology above to various trapdoor signature schemes using the same function $f^{-1}$. Roughly, the corresponding function (considered in a "gap Diffie-Hellman" group; see [17]) has the form $f^{-1}_{g, g^a}(g^b) = g^{ab}$. This (inverse) function can be efficiently computed given the trapdoor $a$. Even though $f$ itself is not efficiently computable given only $g, g^a$, one can easily ...

58 | Simple forward-secure signatures from any signature scheme
- Krawczyk
- 2000
Citation Context ... formalized, and schemes with rigorous proofs of security given, in the recent work of Dodis, et al. [8]. The notion of key insulation is related to, yet distinct from, the notion of forward security [4, 5, 3, 19, 16, 21]. In the forward-secure model (introduced by [4, 5]), the secret key is updated without any interaction with an outside device; thus, an adversary compromising the system obtains all the secret inform...

41 | On concrete security treatment of signatures derived from identification
- Ohta, Okamoto
Citation Context ...rpreted as an element of $\mathbb{Z}_q$. The signature is: $(w, r_1 - tx, r_2 - ty)$. A signature $(w, a, b)$ on message $M$ is verified by computing $t = H(M, w)$ and then checking that $w \stackrel{?}{=} g^a h^b v^t$. It can be shown [22, 21] that signature forgery is equivalent to computing $\log_g h$. Gen($1^k, N$): $x_0, y_0, \ldots, x_t, y_t \leftarrow \mathbb{Z}_q$; $v_i = g^{x_i} h^{y_i}$, for $i = 0, \ldots, t$; SK = ($x_1, y_1, \ldots$, x...

41 | Fast signature generation with a Fiat Shamir-like scheme, EUROCRYPT ’90
- Ong, Schnorr
- 1990
Citation Context ...Our discrete logarithm scheme has no counterpart in [1]. Our scheme based on trapdoor signatures and specialized for RSA may be viewed as the "Guillou-Quisquater" [13] analogue to their "Ong-Schnorr" [23] factoring-based scheme, where again we additionally ensure strong security of our construction. The notion of random access to keys is unique to our treatment. Finally, we mention that an identity-ba...

35 | SiBIR: Signer-Base Intrusion-Resilient Signatures
- Itkis, Reyzin
- 2002
Citation Context ...appropriate secret key has been erased. More recently --- and subsequent to the present work --- the key-insulated model has been extended and strengthened to yield the notion of intrusion-resilience [16]. This model adds to our notion a proactive refresh capability which may be performed more frequently than key updates; hence, intrusion-resilient schemes can tolerate multiple corruptions of both the...

34 | From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security
- Abdalla, An, et al.

23 | On the Power of Claw-Free Permutations
- Dodis, Reyzin
- 2003
Citation Context ...) in the concrete security reduction above can be improved for schemes based on specific trapdoor permutations. In particular, when the trapdoor permutation is induced by a claw-free permutation (see [7] for a definition) and is constructed via the Fiat-Shamir transform [8] (i.e., the signature corresponds to a proof of knowledge of $f^{-1}(y)$), we can obtain a security bound losing only a factor O(q ...

21 | Exponent group signature schemes and efficient identity based signature schemes based on pairing
- Hess
- 2002
Citation Context ...uce here); this results in very efficient solutions based on, e.g., the RSA assumption in the random oracle model. Our construction (which may be viewed as a generalization of recent independent work [4, 14, 24, 25]) may also be used as an identity-based signature scheme; we believe this is of independent interest since no rigorous proofs of security for ID-based signature schemes were previously known. RELATED ...

21 | On the Security of a Practical Identification Scheme
- Shoup
- 1996
Citation Context ...u-Quisquater scheme [13] provides a trapdoor signature scheme based on the RSA assumption (in the random oracle model). However, a number of additional schemes satisfy this requirement as well (e.g., [8, 20, 23, 29, 27]). Thus our technique is quite flexible and allows for adaptation of a number of standard (and previously analyzed) schemes. We also note that the loss of a factor $q(k) = q_{\mathrm{hash}}$ (where this represents...

17 | Self-delegation with controlled propagation - or - what if you lose your laptop
- Goldreich, Pfitzmann, et al.
- 1998
Citation Context ...ulated public-key encryption was first formally defined in [6], and schemes with rigorous proofs of security are given there. Somewhat related to key insulation is the problem of signature delegation [11]. In this model, a user wants to delegate use of a signing key in a particular way. For example (to place it in our setting), a user may delegate the right to sign messages for a single day. Here, one...

11 | Intrusion-resilient signature: Generic constructions, or Defeating a strong adversary with minimal assumption, In
- Itkis
- 2002
Citation Context ... thereby allowing, e.g., the signing of documents for prior time periods when needed. This is impossible in the forward-secure or intrusion-resilient settings. Also, known intrusion-resilient schemes [16, 15] are (thus far) less efficient than the key-insulated schemes presented here, suggesting that one use the latter when physical security of the "home base" can be guaranteed. Independent of the present...

11 | Robust key-evolving public key encryption schemes. Record 2001/009, Cryptology ePrint Archive, 2001. Secure Key-Evolving Protocols for Discrete Logarithm Schemes 309
- Tzeng, Tzeng
Citation Context ...signatures in the context of smart-card research. However, this preliminary work contained no formal model or proofs of security. Key-insulated public-key encryption was considered by Tzeng and Tzeng [30] and also by Lu and Shieh [19], but these works only consider security against a weak, non-adaptive adversary. Key-insulated public-key encryption was first formally defined in [6], and schemes with r...

9 | Security of $2^t$-root identification and signatures
- Schnorr
- 1996
Citation Context ...u-Quisquater scheme [13] provides a trapdoor signature scheme based on the RSA assumption (in the random oracle model). However, a number of additional schemes satisfy this requirement as well (e.g., [8, 20, 23, 29, 27]). Thus our technique is quite flexible and allows for adaptation of a number of standard (and previously analyzed) schemes. We also note that the loss of a factor $q(k) = q_{\mathrm{hash}}$ (where this represents...

7 | Secure Key-Evolving Protocols for Discrete Logarithm Schemes
- Lu, Shieh
- 2002
Citation Context ...mart-card research. However, this preliminary work contained no formal model or proofs of security. Key-insulated public-key encryption was considered by Tzeng and Tzeng [30] and also by Lu and Shieh [19], but these works only consider security against a weak, non-adaptive adversary. Key-insulated public-key encryption was first formally defined in [6], and schemes with rigorous proofs of security are...

6 | Key-Insulated Public-Key Cryptosystems. Eurocrypt 2002
- Dodis, Katz, et al.
Citation Context ...ng in an environment where the private (signing) key is likely to be exposed. Strong key-insulated signature schemes are one way to mitigate the damage done when this occurs. In the key-insulated model [6], the secret key stored on an insecure device is refreshed at discrete time periods via interaction with a physically-secure device which stores a "master key". All signing is still done by the insecu...

6 | A secure and efficient digital signature algorithm
- Micali
- 1994

5 | Efficient Signature Generation for Smart Cards. Crypto '89
- Schnorr
- 1989

4 | Relaxing Tamper-Resistance Requirements for Smart Cards Using (Auto)-Proxy Signatures. CARDIS '98
- Girault
Citation Context ...used as an identity-based signature scheme; we believe this is of independent interest since no rigorous proofs of security for ID-based signature schemes were previously known. RELATED WORK. Girault [10] investigates a notion similar to key-insulated digital signatures in the context of smart-card research. However, this preliminary work contained no formal model or proofs of security. Key-insulated ...

4 | Robust and Efficient Sharing of RSA Functions. J. Crypto 13(2): 273--300 (2000). [11] M. Girault. Relaxing Tamper-Resistance Requirements for Smart Cards Using (Auto)-Proxy Signatures
- Gennaro, Jarecki, et al.
- 1996

2 | Rekeyed Digital Signature Schemes: Damage-Containment in the Face of Key Exposure. Manuscript
- Abdalla, Bellare
- 2001
Citation Context ...itial work on key-insulated cryptosystems [6] focused primarily on the case of public-key encryption; here, we focus on the complementary case of digital signatures. Adapting a "folklore" result (see [1]), we first show a generic construction of a strong $(N-1, N)$-key-insulated signature scheme from any standard signature scheme. We then give a more efficient strong $(t, N)$-key-insulated signature sche...

2 | An Identity-based Signature Scheme from Gap Diffie-Hellman Groups. Available from IACR E-print archive, report 2002/18
- Cha, Cheon
Citation Context ...uce here); this results in very efficient solutions based on, e.g., the RSA assumption in the random oracle model. Our construction (which may be viewed as a generalization of recent independent work [4, 14, 24, 25]) may also be used as an identity-based signature scheme; we believe this is of independent interest since no rigorous proofs of security for ID-based signature schemes were previously known. RELATED ...

2 | A Universal Forgery of Hess's Second ID-based Signature against the Known-message Attack. Available at http://eprint.iacr.org/2002/028
- Cheon
Citation Context ...ork) several proposals [25, 24, 4, 14] for ID-based signatures have been given. (Among these, only [4] provides formal definitions and analysis; indeed, one of the schemes of [14] was recently broken [5].) Interestingly, they all can be viewed as applying our methodology above to various trapdoor signature schemes using the same function $f^{-1}$. Roughly, the corresponding function (considered in a "gap...

1 | Threshold Cryptosystems Based on Factoring. Asiacrypt 2002
- Katz, Yung
Citation Context ... device sends $x_{i,2} = H(i)^{d_2}$ to the user who then computes $SK_i = x_{i,2} \cdot H(i)^{d_1} = H(i)^d$. We note that similar threshold techniques are available for computing $f^{-1}$ in $2^t$-root signature schemes [18], showing that the scheme based on Ong-Schnorr signatures can be efficiently made strong as well. 6 Relation to Identity-Based Signature Schemes An ID-based signature scheme [28] allows a trusted cent...

1 | Available from IACR E-print archive, report 2002/28, http://eprint.iacr.org/2002/028/. [8
- Dodis, Katz, et al.

1 | Composition and Efficiency Tradeoffs for Forward-Secure Digital Signatures. Eurocrypt 2002
- Malkin, Micciancio, et al.

1 | Security of $2^t$-root Identification and Signatures. Crypto '96
- Schnorr

1 | Security of -root Identification and Signatures. Crypto ’96
- Schnorr
Citation Context ...] provides an example of such a scheme whose security is equivalent to the RSA assumption (in the random oracle model). However, a number of additional schemes satisfy this requirement as well (i.e., [9, 22, 26, 32, 30]). Thus our technique is quite flexible and allows for adaptation of a number of standard (and previously analyzed) schemes. As an example, the second scheme of [2] may be viewed as an instance of our...

1 |
state the following lemma without proof, and refer the reader to [24] for details: ���������, Lemma 3 Assume there exists an adversary�with non-negligible probability of impersonating the prover in time period�. Then there exists an algorithm which runs i
- We
Citation Context ...Thus, while practical for small values of , it does not completely solve the problem for�. We defer such a solution to the following section. Our scheme builds on the Okamoto-Schnorr signature scheme [24, 29] which we review here. Let�be primes such that� and let�be the subgroup of�of order . Fix generators��� �. A public key is generated by choosing� �and setting���.To sign message , a user chooses rando...