Forward Secure Updates Using Encrypted Keys:
An Analysis of Efficacency and Efficiency
Christopher Harrison
TSYS Computer Science Department
Columbus State University
Columbus, GA, USA
November 9, 2009
Abstract— Forward-secure signatures (FSS)
are a necessary construct of public key
cryptography to ensure repudiation that can occur
with forgeries. However, the standardization of
FSS has not occurred because of the difficulty of
integrating it with current cryptosystems. The use
of untrusted updates on encrypted keys resolves
much of the integration issues. This paper
proposes a hybrid system that encapsulates the
best part of three separate forward-secure
signature schemes. The proposed construction
results from a critique of the three systems based
on emphasizing the positives while mitigating the
negatives
whilst
attempting
to
stay
computationally efficient and minimizing the use
of unnecessary storage space for the utilization of
small devices.
Keywords- forward secure signatures,
untrusted updates, encrypted keys
I.
INTRODUCTION
A principle weakness of public key
cryptography is that an attacker that discovers the
secret key gains access to the entirety of
information protected by that key. In fact, so
significant was this problem, that many attackers
now ignore attempts at breaking the public key
cryptography altogether and instead attack the
users' private storage as it's both easier and the key
discovery has a larger impact.[2] Worse still, this
threat meant that once a private key is discovered,
signatures can be forged; thus, all authorized
signatures become repudiable, violating a key
component of the public key system.[3] To
mitigate this weakness, Ross Anderson proposed a
scheme [4] that established a time interval wherein
the current private key is deleted and a new one is
used so that exposure of the private key only
reveals information from that particular period of
time and no other (the public key remains
unchanged). The primary drawback of Anderson's
proposal was the private key grew in size linearly
with the number of intervals utilized.[1] This
proved inadequate for small storage devices (smart
cards, PDA, mobile phones). Further, it was
infeasible for users to personally register such a
large number of keys in existing systems (such as
a Certificate Authority).[3]
When Bellare and Miner [5] codified and
named the idea put forth by Anderson - forwardsecure signatures (FSS) - they began the process of
resolving these impracticalities. However, neither
of the two methodologies they suggested could be
easily integrated into current cryptosystems and
thus, remained regulated to the world of academia.
The primary difficulty in integration is how to
automate the process of updating the private key
(thus removing the user from the equation) whilst
attaining a small storage space and remaining
computational efficiency. The three systems this
paper studies all resolve the issue of integration
into current cryptosystems and attempt to resolve
the other two drawbacks as well. The purpose of
this paper is to critique each methodology and then
suggest a solution that improves upon them.
II.
RELATED WORK
The first attempt to resolve the integration and
update issue came in 2006. [1] The idea being that
many cryptosystems use an encryption system for
the private key itself known as the "second factor"
which allows for added security for when the
storage system is comprised. Pretty Good Privacy
(PGP) is an example of one such system that
utilizes this. Up to this point, update algorithms
that didn't rely on the user, could only update
unencrypted keys and thus, to utilize the algorithm
in systems that used a second factor, relied on the
user to decrypt the private key, update, then
encrypt, revoking the entire purpose of automation
to begin with. Further, it makes many update
schemes infeasible (such as updating the key every
hour) and since it relies on the user, it's possible it
will not be updated on schedule.[1] Thus was born
the idea of the "untrusted update". An untrusted
update would allow the update to the key to be
performed on the encrypted private key without
the need for decryption. If this could be
accomplished, all three issues would be resolved.
The methodology is a modified Bellare-Miner
scheme using a tree hierarchy. In this system, the
generic signature scheme builds a binary tree from
chains of certificates where each leaf corresponds
directly to a specific time period. The private key
storage, time and verification time are all
multiplicative factors of O(log(T)) where T is the
# of time periods. This is consistent with other
previous attempts; however, where others use a
Merkle tree, which is not computational or storage
efficient, this model uses a Hierarchical IdentityBased Encryption system instead, which has been
shown to have a constant size (independent of the
depth) when three group elements are used. [6] In
this system, the private key size is O(t) and the
ciphertext size is O(√𝑇). In fact, in the Boneh,
Goh and Boyen compression system utilized,
private keys shrink as depth increases, a unique
factor that allows for frequent updates.[6] The
signature is then derived from this key and the
message using the Waters Hash.
To generate the untrusted update feature, at the
original key creation time, the initial private keys
generated are multiplied by the second factor.
Thus the attacker without knowing either the
initial number or the second factor cannot decipher
the scheme and updates can be easily achieved
automatically by having the decryption scheme
produce private keys using a divisor that's a single
factor away from the "real key", thus allowing for
the untrusted update.[1] The primary limitation of
this system relies in its current utilization. The
ideal setup relies on a cron job that operates on the
user behalf's. However, because cron jobs are
beyond the typical means of the average users and
because it's likely that the server will retain old
keys (which in the case of compromise, still leaves
all past information at risk), it still has
modifications necessary. Another issue with this
methodology was it was computationally
expensive, being roughly 2-4 times slower than
RSA. [2]
To resolve these flaws and add two more
significantly used environments (GNU-PG and
S/MIME), a second iteration was developed. [2]
In this system, a message was signed twice. Once
using the regular FSS scheme and the second time
signing with a key derived from the second factor.
This method is made efficient through the use of
MMM construction and sum-product composition
to utilize untrusted updates that like the first
method, are unbounded by the number of time
intervals. However, unlike the first method, this
instance has the same efficiency as RSA and
because the signing method is derived entirely
from the secondary factor, it works with virtually
any FSS scheme. Another advantage of the MMM
scheme is the number of time intervals does not
have to be predefined.[3] A critical flaw exists
within this protocol though. While the proposed
scheme itself does not rely on random oracles, all
instantiations of the "unbounded" systems utilizing
this model do rely upon the random oracle model.
Thus, as the truly random oracle does not exist, the
system is not provably secure as was the first
system.
The final methodology occurred in 2008 [3]
and is remarkably different from the other two.
Instead of relying on time intervals, as virtually all
FSS schemes do (starting from the original by
Anderson), this FSS system ties each iteration of
the private key to a single signature. In this
manner, it represents a one-time pad and resolves
a major flaw in the original FSS scheme. No
matter how short the interval, as long as more than
one communication can exist, a window of
repudiability exists.
To achieve this scheme, the FSS is based on the
discrete logarithm problem (DLP). As the keys
are tied to a single signature, the moment the key
is used, it's immediately updated. This resolves
another weakness of the time based scheme.
While the computer housing the time intervals was
not on, that particular interval was extended even
if it normally was very short. Because the
computer has to be on for the communication to be
sent, there is never a moment where additional
messages could be forged.[3] The final advantage
of the system is it's extremely efficient both in
terms of the key update - performed in O(l) time,
where l is the security input parameter - and
signature generation is performed in O(l𝑘 2+2𝑙 2 ),
where k is the half the public key size. The
downside of this method is the increased need for
storage space; however, between 2006 and 2008,
storage space has grown significantly cheaper and
thus the negative impact of this drawback may be
negligible. Another disadvantage is the
computational period of waiting for a new key to
generate after the message is sent.
III.
SOLUTION
My solution to these issues then is to
amalgamate the greatest advantages of all three
approaches into a single flexible form. From the
initial method, the HIBE methodology is the most
efficient mechanism for both the private key size
and the resultant ciphertext size. Further, because
this method does not increase in size with the
number of key iterations, it largely bypasses the
advantage of the MMM approach of being
unbounded, since a single user is unlikely to send
more than a million messages in their lifetime.
The MMM scheme cannot be adopted from the
second methodology because it is not provably
secure (though it may actually be secure).
However, the multiple signing method can be
adopted and should be because of the increased
level of integration acquired from deriving the
encryption from the secondary factor. Finally, the
single key per signature feature is adopted from
the third model for two reasons. It allows for true
non-repudiation and second, it most resembles the
one-time pad.
Combined, it achieves the following goals.
First, it can be applied to GNU-PG, S/MIME,
PGP, and virtually any other FSS scheme that uses
a second factor. Second, it's extremely storage
efficient due to its constant-size key. Third, it's
non-repudiable. Fourth, it's provably secure.
Finally and perhaps most importantly, this
system can be integrated as a shell script that fires
upon the sending of the communication. Unlike a
cron job, it is not subject to failures during power
off and most importantly, the shell script is generic
and only the application trigger needs to be added,
making it far more accessible to the average user
(though still requiring some level of computer
literacy).
IV.
CONCLUSION
The proposed solution mitigates almost all of
the original drawbacks of the FSS methodology
proposed by Anderson.
However, a few
limitations still exist within the cryptosystem.
First, it's more computationally expensive than
RSA. In exchange for it's extremely small storage
size, it's between 2 and 4 times more
computationally expensive than RSA. This is not a
considerable flaw because like storage space,
processor speeds have continually improved in
small devices and RSA dates to the 80s and was
fairly efficient when it was originated. Second,
none of these solutions (including the proposed
solution) resolve the issue of scrubbing the private
key from storage and memory entirely. Future
proposals should particularly look at this as it
threatens to undo all the advantages these schemes
employ for as long as previous private keys exist in
the memory in some form, they remain available to
attackers who gain control over the system.
ACKNOWLEDGMENT
The author would like to thank James Kelly for
his work as editor.
REFERENCES
[1]
[2]
[3]
[4]
Boyen, X., Shacham, H., Shen, E., Waters, B.:
"Forward-Secure Signatures with Untrusted
Update", Proceedings of the 13th ACM
conference on Computer and communications
security, ACM Press. pp. 191–200 (2006)
Libert, B., Quisquater, J., Yung, M.:
"Forward-secure signatures in untrusted
update environments: efficient and generic
constructions", Proceedings of the 14th ACM
conference on Computer and communications
security, ACM Press. pp. 266–275 (2007)
Alomair, B., Sampigethaya, K., and
Poovendran, R.: "Efficient Generic ForwardSecure Signatures and Proxy Signatures",
Lecture Notes in Computer Science, Vol. 5057
pp. 166-181 (2008)
Anderson, R.: Two remarks on public key
cryptology. In: Invited Lecture, ACM-CCS
1997 (1997)
[5]
Bellare, M., Miner, S.: A forward-secure
digital signature scheme. In: Wiener, M.J.
(ed.) CRYPTO 1999. LNCS, vol. 1666, pp.
431–448. Springer, Heidelberg (1999)
[6]
Boneh, D., Boyen, X., and Goh, E.:
Hierarchical identity based encryption with
constant size ciphertext. In: Advances in
Cryptology—EUROCRYPT 2005, vol. 3494
LNCS, pp. 440–456. Springer (2005)