A New Construction of Time Capsule Signature

(1)

A New Construction of Time Capsule Signature

Miaomiao Zhang∗ Gongliang Chen‡ Jianhua Li∗ ‡ Licheng Wang† Haifeng Qian†

Abstract

In this paper we introduce a new approach of constructing time capsule signature. Our new con-struction captures the basic requirements defined by dodiset al., and it is also very straightforward and flexible. The time capsule signature provides an elegant way to produce a “future signature” that be-comes valid from a specific future timet, when a trusted third party (calledTime Server) publishes some trapdoor information associated with the timet. It also has many other advantages. Our work includes a developed security model of time capsule signature, a novel way of construction based on the bipar-tite ring signature, which is proven secure in the random oracle model and a concrete realization of the scheme.

Keywords: time capsule, digital signature, ring signature, provable security.

∗

Dept. of Electronic Engineering, Shanghai Jiao Tong University, Shanghai, 200240, P.R.China. Email address: mmzhang [email protected]

†

Dept. of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, 200240, P.R.China

‡

(2)

List of Tables

(3)

1 Introduction

1.1 Motivation

The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography. A signature scheme provides a way for each user to sign messages so that the signa-tures can later be verified by anyone else. More specifically, each user can create a matched pair of private and public keys so that only he can create a signature for a message (using his private key), but anyone can verify the signature for the message (using the signer’s public key). The verifier can convince himself that the message contents have not been altered since the message was signed. Also, the signer can not later repudiate having signed the message, since no one but the signer possesses his private key.

In an ordinary signature scheme, the validity of a signature value is determined at the point of signature generation and never changes unless the signer’s public key is revoked. Users cannot generate the so-called “future signature” which is not currently valid but becomes valid from a future time t. A possible way to achieve this is signing with a statement like “the signature of messagem becomes valid from time t”. However, this has several drawbacks. The verifier has to be aware of the current time. And more seriously, in this solution the signer herself loses control over the validity of the “future signature”. Even the real signer cannot make her signature valid until time t, which could be undesirable in certain situations. In another solution, the signer can issue a new but also independent signature ofmbefore timet. However, this may also cause some problem in certain situations. For instance, the verifier can distinguish whether the message

mwas signed in the “future” or “regular” way, which seems to be unnecessary in most situations. And in case the messagemcarries some monetary value, the signer needs to make sure that no “double spending” occurs, that is the signer can revoke the original signature, so that it will not become valid at timet.

Therefore, we need a solution where the signer can issue a future signature which should satisfy the following properties:

• After the signature creation, the recipient can make sure that the signature will become valid by time

t, even if the signer refuses to cooperate after she produces the future signature.

• The signer can make his future signature valid at any time after the initial creation.

• The resulting signatures are indistinguishable. In other words, the verifier cannot tell whether the signature is validated by the signer earlier, or it became “automatically valid” at timet.

1.2 Related Work

It is crucial to specify the mechanism under which the signature can be “automatically” completed at timet

(which we call “hatching” as opposed to “pre-hatching” which can be done by the signer at any time). There are two main lines of work related to cryptographic time capsule, depending on whether or not involve a trusted third party.

(4)

signer, or by the recipient-the latter if the recipient solves a moderately hard problem. Then [GJ02,GP03] made some advances in this work.

The second approach is based on the trusted third party(TTP). It has two main flavors: optimistic fair exchange of digital signatures, and identity-based future encryption. In the former case, the server needs to resolve all individual signatures where the signer refused to validate the signature. Representative examples include [ASW98,ASW00,BGLS03,DR03]. In the case of future encryption [BC04,BF01,OKC04], the main problem addressed was that the sender wants to ensure that the message would remain hidden before theTime Serverwould publish the corresponding trapdoor.

Dodiset al.introduced the notion of time capsule signatures[DY05], which is is a “future signature” that becomes valid from a specific future timet, when a trusted third party (the arbitrator which called theTime Server) publishes some trapdoor information associated with the timet. In addition, time capsule signature should satisfy the following properties:

• If the signer wants, she can make her time capsule signature effective before the pre-defined timet.

• The recipient of ”future signature” can verify right away that the signature will become valid no later than at timet.

• Time Serverneed not contact any user at any time, and in fact does not need to know anything about the PKI employed by the users.

• Signatures completed by the signer before timetare indistinguishable from the ones completed using theTime Serverat timet.

More specifically, in a time capsule signature scheme, when Alice gives Bob her time capsule signature

σt for a future timet, Bob can verify that Alice’s time capsule signature will become valid from the time

t. In addition, if Alice wishes, she can make her time capsule signature effective before the predefined time

t. The assumption onTime Server is minimal, for theTime Serveronly publishes some information at the beginning of each time period and need not contact any user at any time. They also mentioned that the concept of time capsule signature can be generalized to event capsule signature, whereEvent Serverissues the notification information of specific events. The event capsule signature becomes valid if a specific event happens or the signer makes valid before the event occurs.

They also provide a generic construction based on a primitive called identity-based trapdoor hard-to-invert relation (ID-THIR). In brief, ID-THIR is given by a familyRof relationsRid, where (1) it is easy to sample a random pair(c, d) ∈ Rid and verify if the pair(c, d)belongs toRid; (2) for each identityid, there exists a trapdoor tdid, which allows one to compute a randomdcorresponding to any given c(The trapdoortdidcan be efficiently computed from a single “master trapdoor”mtdR); (3) without the trapdoor, it is hard to find a matchingdcorresponding to a randomly sampledc, even if one knows many trapdoors corresponding to identitiesid0(=id).

Theorem 1 in [DY05] says that the existence of one-way function (OWF) is sufficient condition for the existence of ID-THIR in the random oracle model. According to our understanding, the technique clues for construction time capsule signatures can be depicted as follows:

Signature ⇒ Σsig m

OW F ⇒ Σf







⇒ΣOR⇒OR signature⇒ID−T HIR⇒T CS

1.3 Our Contribution

(5)

time capsule signature is very nature, plain and flexible and it is proven secure in the random oracle model if the underlying building blocks(the ordinary signature scheme and the ring signature scheme) are secure. Concrete time capsule signature scheme can be easily realized from our generic construction.

The technique clues for our construction is depicted as follows:

Signature ⇒ T Sign

Bipartite ring signature ⇒ T Release, P reHatch

⇒T CS

The rest of this paper is organized as follows: In Section 2, we recall the components of digital signa-ture scheme and ring signasigna-ture scheme, and their security definitions. InSection 3, we first introduce the definitions of time capsule signature and develop the underlying security model. Then we give our new construction based on a bipartite ring signature and its security proof. Then inSection 4, we present a con-crete and full time capsule signature scheme from our generic construction and analyze its security. Finally, concluding remarks are made inSection 5.

2 Preliminaries

2.1 Security Notions of Digital Signature

We first review the formal definition of a generic digital signature scheme[GB99], which we denote byDS.

Definition 2.1. [Digital Signature Scheme]A digital signature schemeDS = (G,S,V)is defined by the following algorithms:

• on input1k, wherekis the security parameter, the algorithmGproduces a pair(pk, sk)of matching public and secret keys. AlgorithmGis probabilistic.

• Giving a messagemand a pair of matching public and secret keys(pk, sk),Scan produce a signature

σ. The signing algorithm might be probabilistic.

• Given a signatureσ, a messagem and a public keypk,V tests whetherσ is a valid signature ofm

with respect topk. In general, the verification algorithm need not be probabilistic.

Formally, LetO_ALGbe an oracle simulating the algorithmALG. Let the attackerFon input the public parameterparamhave access toOALG, denoted asFOALG(param).Query(F,O_ALG)is the set of queries

Fasked to the algorithmALGsimulated by oracleO.

Definition 2.2. [UF-CMA]Let DS = (G,S,V) be a digital signature scheme, and let Abe an attacker assumed to be a probabilistic Turing machine taking a security parameterkas input. Consider the following experiment of runningAin an attack on digital signature schemeDSas the following. Notice that the public key is provided as an input toA.

ExperimentExpUF-CMA_DS_,_A

Let(pk, sk)←R− G(1k)

Let(m, σ)←AOS₍_pk₎

IfV(m, σ) = 1andm /∈Query(A,OS)

(6)

We defineSuccUF-CMA_DS_,_A be the probability that experimentExpUF-CMA_DS_,_A returns 1.

SuccUF-CMA_DS_,_A (k) =P r[V(m, σ) = 1]

Then for anyt,qlet

SuccUF-CMADS (t, q) =max

A {Succ

UF-CMA

DS,A }

where the maximum is over allAsuch that the execution time of experimentExpUF-CMA_DS_,_A is at mosttand the number of oracle queries made byAis at mostq. Note that the running time and the number of queries are all polynomial in the security parameterk.

In practice, the queries correspond to messages signed by the legitimate sender, and it would make sense that getting these examples is more expensive than just computing on one’s own. That is, we would expect

qto be smaller thant.

The schemeDSis said to be UF-CMA secure ifSuccUF-CMA_DS (t, q)is negligible ink.

2.2 Security Notions of Ring Signature

The concept of ring signature was formalized by Rivestet al. in [RST01]. According to [LW04,BKM06], we give a concise formalized definition of ring signature scheme as follows.

Definition 2.3. [Ring Signature Scheme]A ring signature scheme, which we denote byRS, is a triple of algorithms(G,S,V)

• (Si, Pi) ← G(1k)is a probabilistic polynomial time algorithm which takes security parameterkand outputs private keySiand corresponding public keyPiof a useri.

• σ ← S(m,hPri, Ss) is a probabilistic polynomial time algorithm which takes as inputs a message

m, secret key Ss of signers, and r possible signers’ public key set hPri which includes the one corresponding toSs, produces a signatureσ.

• 1/0 ← V(hPri, m, σ) is a deterministic polynomial time algorithm which takes a message m, a signatureσand a set ofrpublic keyshPrias inputs, returns 1 or 0 for accept or reject, respectively.

It is required that for any messagem, any(Ss, Ps)generated byG(1k) and anyhPrithat includesPs, the equationV(hPri, m,S(1k, Ss)) = 1satisfies.

The security of ring signature schemes has two aspects: unforgeabilityandanonymity.

Definition 2.4. [Unforgeability of Ring Signature]LetRS = (G,S,V)be a ring signature scheme, and letAbe a PPT (probabilistic polynomial-time) adversary taking a security parameterkas input. Consider an experiment of runningAin an attack on ring signature schemeRS as the following.

ExperimentExpUF_RS_,_A

Let(Pi, Si) R ←− G(1k)

Let(m, σ)←AOS(hPri)

IfV(m, σ,hPri) = 1andm /∈Query(A,OS)

(7)

DefineSuccUF_RS_,_Abe the probability that experimentExpUF_RS_,_Areturns 1.

SuccUF_RS_,_A(k) =P r[V(m, σ) = 1]

Then for anyt,qlet

SuccUF_RS(t, q) =max

A {Succ

UF

RS,A}

where the maximum is over all Asuch that the execution time of experiment ExpUF_RS_,_A is at mostt, the number of oracle queries made byAis at mostq.

A ring signature scheme is unforgeable if for any PPT adversary A, SuccUF_RS(t, q) is negligible. A functionis negligible if for all polynomialsπ,(k)<1/π(k)holds for all sufficiently largek.

Definition 2.5. [Anonymity of Ring Signature]LetRS = (G,S,V)be a ring signature scheme, and letA

be a PPT adversary taking a security parameterkas input. Consider the following experiment of runningA

in an attack onRS.

ExperimentExpANON_RS_,_A

Let(hPri, m)←AG(1k)

Let(i0, i1)←A, wherei0, i1 are indices thatPi0, Pi1 ∈ hPri b←R− {0,1}

Letσ← S(Sib,hPri, m) ˜_b_←_AOS

(hPri, i0, i1) If˜b=b

Then return 1 else return 0

We defineSuccANON_RS_,_Abe the probability as follows

SuccANON_RS_,_A(k) =|P r[˜b=b]−1/2|

Then for anyt,qlet

SuccANONRS (t, q) =max

A {Succ

ANON

RS,A}

where the maximum is over all Asuch that the execution time of experiment ExpANON_RS_,_A is at mostt, the number of oracle queries made byAis at mostq.

A ring signature scheme is anonymous if for any PPT adversaryA,SuccANON_RS (t, q)is negligible.

3 Time Capsule Signature

3.1 Defination

Definition 3.1. [time capsule signature scheme]A time capsule signature scheme is specified by an 8-tuple of PPT algorithms (SetupT S_,_SetupU ser_,_{T Sign}_,_{T V erif y}_,_{T Release}_,_Hatch_,_{P reHatch}_,_{V erif y}_{) such} that:

• SetupT S_{: This setup algorithm is run by Time Server. It takes a security parameter as input and} returns a public/private time release key pair(T P K, T SK).

(8)

• T Sign: The time capsule signature generation algorithmT Signtakes as input(m, SK, T P K, t), wheretis the specific time from which the signature becomes valid. It outputs a time capsule signature

σ_t0.

• T V erif y: The time capsule signature verification algorithmT V erif ytakes as input(m, σ_t0, P K, T P K, t)and outputs 1 (accept) or 0 (reject).

• T Release: The time release algorithmTReleaseis run by Time Server and takes as input(t, T SK). At the beginning of each time periodt, Time Server publishesZt=T Release(t, T SK). Note that Time Server dose not contact any user at any time and need not know anything about the users.

• Hatch: This algorithm is run by any party and is used to open a valid time capsule signature which became mature. It takes as input(m, σ_t0, P K, T P K, Zt)and returns the hatched signatureσt. • P reHatch: This algorithm is run by the signer and used to open a valid time capsule signature which

is not mature yet. It takes as input(m, σ_t0, SK, T P K, t)and returns the pre-hatched signatureσˆt. • V erif y: This algorithm is used to verify a hatched (or pre-hatched) signature.V erif ytakes as input

(m, σt/σˆt, P K, T P K, t)and returns 1 (accept) or 0 (reject).

Correctnessproperty states that

–T V erif y(m, T sig(m, SK, T P K, t), P K, T P K, t)

–V erif y(m, σt/σˆt, P K, T P K, t), whereσt=Hatch(m, σ0t, P K, T P K, Zt)or

ˆ

σt=P reHatch(m, σt0, SK, T P K, t).

3.2 Security of Time Capsule Signature

In the time capsule signature scheme, theTime Serveris assumed to be a trusted third party, which implies that it’s unnecessary to consider any dishonest behavior of theTime Server. We define the security of time capsule signature as follows.

Definition 3.2. [Security of Time Capsule Signature]The security of time capsule signatures consists of four aspects:

• Unforgeability of the immature signature. We require that any PPT adversaryAsucceeds with at most negligible probability in the following experiment.

ExperimentExpUF-imTCS_{T CS}_,_A

Let(T P K, T SK)←SetupT S(1k)

Let(P K, SK)←SetupU ser(1k) (m, t, σ_t0)←AOT Sign(P K, T P K)

IfT V erif y(m, σ0_t, P K, T P K, t) = 1

and(m,˜t)∈/ Query(A,O_{T Sign})for all˜t

whereQuery(A,OT sign)is the set of queriesAasked to the time capsule signature generation oracle O_{T Sign}. DefineSuccUF-imTCS_{T CS}_,_A be the probability that experimentExpUF-imTCS_{T CS}_,_A returns 1.

(9)

• Un-Prehatchable by dishonest users. We require that any PPT adversary Bsucceeds with at most negligible probability in the following experiment.

ExperimentExpUPH-TCS_{T CS}_,_B

Let(P K, SK)←SetupU ser(1k) (m, t, σ_t0)←T sign(m, SK, T P K, t)

Let(m, t, σt)←BOT R,OP reH(P K, T P K) IfV erif y(m, σt, P K, T P K, t) = 1and

t /∈Query(B,OT R)and(m, t,σ˜t0)∈/ Query(B,OP reH) for∀σ˜0_tsuch thatT V erif y(m, σ0_t, P K, T P K, t) = 1

whereQuery(B,O_{T R})is the set of queries ofBasked to the time release oracleO_{T R}, andQuery(B,

O_{P reH})is the set of valid queriesBasked to the oracleO_{P reH}. In other words, no one should be able to open a pre-mature time capsule signature without help of the signer or Time Server. Notice that adversaryBcan make any time release query toO_{T R}except the target timet. Therefore, the above experiment requires strong security guaranteeing both forward and backward secrecy.

DefineSuccUPH-TCS_{T CS}_,_B be the probability that experimentExpUPH-TCS_{T CS}_,_B returns 1.

• Non-cheating of the signer. We require that any PPT adversaryCsucceeds with at most negligible probability in the following experiment.

ExperimentExpNCH-TCS_{T CS}_,_C

Let(T P K, T SK)←SetupT S(1k) (m, t, σ_t0, P K)←COT R(T P K)

LetZt←T Release(t, T SK)

Letσt←Hatch(m, σt0, P K, T P K, Zt) IfT V erif y(m, σ0_t, P K, T P K, t) = 1and

V erif y(m, σt, P K, T P K, t) = 0 Then return 1 else return 0

DefineSuccNCH-TCS_{T CS}_,_C be the probability that experimentExpNCH-TCS_{T CS}_,_C returns 1.

In other words, adversaryAshould not be able to produce a time capsule signatureσ_t0, whereσ0_tlooks good to the verifier but cannot be hatched intoA’s full signature by the Time Server.

• Indistinguishability. It is required that the hatched signature and the prehatched signature are compu-tationally indistinguishable. LetDbe any PPT distinguisher. We require that the success probabilisty ofDin the following experiment is negligibly close to 1/2.

ExperimentExpIND-TCS_{T CS}_,_D

Let(P K, SK)←SetupU ser(1k)

Let(m, t, σ_t0)←T sign(m, SK, T P K, t)

Letd←R− {0,1}

(10)

Letd˜←DOT R,OHatch,OP reH₍_{P K, T P K, σ}0

t) Ifd˜=d

Then Return 1 else reture 0

Define the success probability ofDas

SuccIND-TCS_{T CS}_,_D =|P r[ExpIND-TCS_{T CS}_,_D = 1]−1/2|

For anyt,qwe define the success probability of distinguishingT CSsignature via

SuccIND-TCS_{T CS} (t, q) =max

D

{SuccIND-TCS_{T CS}_,_D}

Definition 3.3. [UF-TCS-CMA]AT CSscheme is sad to be UF-TCS-CMA secure if theUnforgeability of the immature signatureproperty and theUn-Prehatchable by dishonest usersproperty achieved.

It is obvious

SuccUF-TCS-CMA_{T CS} ≤SuccUF-imTCS_{T CS} +SuccUPH-TCS_{T CS} (1)

Note: The definition above is just an unforgeability notion for theT CS. We give this definition in order to generalize the unforgery aspect of the time capsule signature, whereas the full description of security is proposed inDefinition 3.2.

3.3 Generic Construction Based on Ring Signature

In this part we give a generic construction of time capsule signature scheme based on bipartite ring signature. LetDS=(Set,Sig,V er) be an ordinary signature scheme.

• SetupT S: ThisTime Servertakes a security parameterkas input and sets a public/private time release key pair(T P K, T SK) = (SKT S, P KT S).

• SetupU ser: Each userisets his public/private key pair (PK, SK)=(SKi,P Ki) by runningSet(1k).

• T Sign: To generate a probabilistic time capsule signature on a messagemfor timet, the signersfirst gets the hash valueh=H0(m||P KT S||t)and computesσt0 =SigSKs(h)as a time capsule signature.

• T V erif y: For a given signature σ0_t, the verifier checks whether σ_t0 is a valid signature on h = H0(m||P KT S||t)by runningV erP Ks(h, σ

0

t).

• T Release: For a given time valuet,Time Servercomputes a ring signature relate to users

– Determine the symmetric key: The Time Server first computes the hash of his public key, the Signer’s ID and timetas the symmetric keyk:k=H1(P KT S, IDs, t)

– Pick a random glue value: TheTime Server picks an initialization(glue) valuev uniformly at random from(0,1)b.

– Pick random value for signer: TheTime Serverpicks a random valuexsuniformly from(0,1)b and computesys =gs(xs), wheregsis an extended trapdoor permutation[RST01] correspond-ing tos.

– Solve foryT S: TheTime Serversolves the following ring equation foryT S:Ck,v(ys, yT S) =v

(11)

– publish the ring signature: The ring signature part is defined to be the 5-tuple:Zt= (P Ks, P KT S;

v;xs, xT S)and theTime ServerpublishesZt.

• Hatch: To open an mature time capsule signatureσ0_t, a party combine σ_t0 with Zt and returns the hatched signatureσt= (σt0, P Ks, P KT S;v;xs, xT S).

• P reHatch: To open a valid pre-mature time capsule signatureσ_t0, the signer should computes a valid ring signature himself:

– computes the symmetric key: The Signer computes the symmetric keyk:k=H1(P KT S, IDs, t)

– Pick a random glue value: The Signer picks an initialization(glue) valueˆvuniformly at random from(0,1)b_.

– Pick random value for theTime Server: The Signer picks a random valuexˆT S uniformly from

(0,1)b and computesyT Sˆ =gT S( ˆxT S)

– Solve foryˆs: The Signer solves the following ring equation foryˆs:Ck,v( ˆys,yT Sˆ ) = ˆv

– Invert the trapdoor permutation: The Signer uses his trapdoor information in order to invertgs onyˆsto obtainxˆs:xˆs=gs−1( ˆys)

– reture a pre-mature signature: The ring signature part generated by the Signer is defined to be the 5-tuple:(P Ks, P KT S; ˆv; ˆxs,xˆT S)and the pre-mature signature isσˆt= (σ0t, P Ks, P KT S; ˆv; ˆxs,

ˆ xT S)

• V erif y: For a given hatched signatureσt (or pre-hatched signatureσˆt). The verifier first check the ring signature part:

– Apply the trapdoor permutation: the verifier computesyT S =gT S(xT S)andys=gs(xs).

– Obtain: the verifier hashes the public key of theTime Serverand the Signer’s ID to compute the symmetric encryption keyk:k=H1(P KT S, IDs)

– Verify the ring equation: the verifier checks whether the following equation is satisfied:

Ck,v(ys, yT S) =v.

If the ring equation is satisfied, then he verifies thatσ0_tis a valid time capsule signature onhby running

V erP Ks(h, σ 0

t).

The correctness property of the scheme are obvious from the properties of the basis digital signature scheme and the ring signature scheme. We now analyze its security.

Lemma 3.4. The time capsule signature scheme presented above is unforgery if the underlying ordinary signature scheme is UF-CMA secure and ring signature scheme is unforgery. Concretely, we obtain the following bound:

SuccUF-TCS-CMA_{T CS} (tTCS, qTCS)≤SuccUF-CMADS (tDS, qDS) +SuccUFRS(tRS, qRS) (2)

wheretDS+tRS=tTCS+TOS

DS+TOSRS, andqDS+qRS =qTCS. Here,TOSDS andTOSRS denote the running time of the signature generation algorithm simulated by oracleOS in the attack games ofDS scheme and

(12)

Proof. LetBdenote an attacker that defeats theunforgeability of the immature signaturein theT CSscheme. LetAdenote an attacker that defeats the UF-CMA security of theDS scheme.

We show how the view ofBin the real attack game of UF-imTCS (Definition 3.2), which we denote by

G0, can be simulated to obtain a new gameG1which is related to the ability of the attackerAto defeat the

UF-CMA security of theDS scheme.

GameG0: As mentioned, this game is identical to the real attack gameExpUF-imTCST CS,B described in

Defi-nition 3.2. We denote byE0the event thatBoutputs a valid message and immature time capsule signature

pair as a forgery. We use a similar notationE1for GameG1. Since GameG0is the same as the real attack

game, we have

P r[E0] =SuccUF-imTCST CS,B

GameG1: First, we replaceB’s common parameter byA’s common parameter, denoted ascp1. Then we

do the following. WheneverBissues a time capsule signature(an immature signature) generation querym, we intercept it and forward(m,·)asA’s signature generation query toA’s Challenger to get a corresponding signatureσ. We then send thisσ toB. IfBoutputs(m,˜t,σ˜t), we intercept it and return it asA’s forgery. Note from the simulation thatB’s view in the real attack game is identical to it’s view in GameG1. Hence

we have

P r[E1]≥P r[E0]

By definition of Pr[E1] and Pr[E0], we obtain

SuccUF-CMA_DS_,_A (k)≥SuccUF-imTCS_{T CS}_,_B (k)

Considering the running time and the number of queries, we obtain the following bound

SuccUF-imTCS_{T CS}_,_B (timTCS, qimTCS)≤SuccUF-CMADS,A (tDS, qDS) (3) wheretDS = timTCS+TOS

DS, and qDS = qimTCS. Here,TOSDS denotes the running time of the signature

generation algorithm simulating by oracleOSin the attack game ofDS scheme.

Then letDdenote an attacker that defeats theUn-Prehatchable by dishonest usersin theT CSscheme. AndCdenote an attacker that defeats theunforgeabilityof theRSscheme.

We show how the view ofDin the real attack game of UPH-TCS (Definition 3.2), which we denote by

G2, can be simulated to obtain another new gameG3 related to the ability of the attackerCto defeat the

unforgeabilityof theRSscheme.

GameG2: As mentioned, this game is identical to the real attack gameExpUPH-TCS_{T CS}_,_D described in

Defin-ition 3.2. We denote byE2the event thatDoutputs a valid(m, t, σt)triple as a forgery from the given time capsule signature triple(m, t, σ_t0). We use a similar notationE3for GameG3. Since GameG2is the same

as the real attack game and we have

P r[E2] =SuccUPH-TCST CS,D

GameG3: We first replaceD’s common parameter byC’s common parameter, denoted ascp2. Then

we do the following. WheneverDissues a time release querytor a PreHatch query(m, t, σ0_t), we intercept it and forward(t, σ0_t)asC’s ring signature generation query toC’s Challenger to get a corresponding ring signature. Combine this ring signature withσ_t0and get a signatureσt. We then send thisσttoD. IfDoutputs

(m, t,σ˜t), we intercept it and parse it to get the ring signature partσRS˜ . Then return it asC’s forgery. Note from the simulation thatD’s view in the real attack game is identical to it’s view in GameG3. Hence we

have

P r[E3]≥P r[E2]

By definition of Pr[E3] and Pr[E2], we obtain

(13)

Considering the running time and the number of queries, we obtain the following bound

SuccUPH-TCS_{T CS}_,_D (tUPH, qUPH)≤SuccUFRS,C(tRS, qRS) (4) wheretRS = tUPH+TOS_RS, andqRS = qUPH. Here,TOS_RS denotes the running time of the ring signature generation algorithm simulating by oracleOSin the ring signature attack game.

LetFbe an attacker, which possesses the attack capability of bothBandD, defeats the UF-TCS-CMA security of theT CSscheme.

As we see Equation (1) inDefinition 3.3,SuccUF-TCS-CMA_{T CS} ≤ SuccUF-imTCS_{T CS} +SuccUPH-TCS_{T CS} . Combine with Equation (3) and (4), we obtain

SuccUF-TCS-CMA_{T CS}_,_F (k)≤SuccUF-CMA_DS_,_A (k) +SuccUF_RS_,_C(k)

Considering the running time and the number of queries, we can obtain the bound. So Equation (2) in the theorem statement holds.

Lemma 3.5. The time capsule signature scheme presented above is indistinguishable(ambiguous) if the underlying bipartite ring signature schemeRSbiholds the anonymity. Concretely, we obtain the following

equation:

SuccANON_RS

bi,A(k)≥Succ IND-TCS

T CS,D(k) (5)

Proof. LetDdenote an attacker that defeats theindistinguishabilityin theT CSscheme and letAdenote an attacker that defeats theanonymityof the bipartiteRS_bischeme.

We will show how the view ofDin the real attack game of IND-TCS (Definition 3.2), which we denote byG0, can be simulated to obtain a new gameG1which is related to the ability of the attackerAto defeat

theanonymityof the bipartiteRS_bischeme.

Game G0: this game is identical to the real attack gameExpIND-TCST CS,D described inDefinition 3.2. We

denote by E0 the event thatD’s output d˜equals tod.We use a similar notationE1 for GameG1. Since

GameG0is the same as the real attack game, we have

|P r[E0]−1/2|=SuccIND-TCST CS,D

GameG1: As we know, in this game, adversaryAwill be provided an oracle for a biparitie ring signature

algorithm and the goal of adversaryAis to successfully guessb. To do so,Afirst output a pair of indices

(i0, i1)whereP Ki0 andP Ki1 are the public keys of the two parties in the bipartite ring, respectively. Then

Awill run distinguisherDas a subroutine. We replaceD’s common parameters byA’s common parameter, denoted ascp. Then we do the following. WheneverDissues aHatchqueryσ0_ttoO_Hatch(notice that here the oracleO_Hatchwill run oracleO_{T R}first interiorly), we intercept it and forward(σ0_t, t)asA’s signature generation query toA’s challenger and get a ring signatureσRS0 corresponding toi0. We then concatenate σ_t0 andσRS0 asσtand sendσttoD. When Dissue aP reHatch query ofσ

0

t toOP reHatch, we intercept it and forward (σ_t0, t) asA’s signature generation query to A’s challenger and get a ring signature σRS1

corresponding toi1. We then concatenateσ_t0 andσRS1 asσtand sendσttoD. IfDoutputd˜, we intercept it

and let˜b= ˜dasA’s guess result.

From the simulation thatD’s view in the real attack game is identical to it’s view in GameG1. Hence

we have

|P r[E1]−1/2| ≥ |P r[E0]−1/2|

By definition of Pr[E1] and Pr[E0], we obtain Equation (5)

SuccANON_RS

bi,A(k)≥Succ

IND-TCS

T CS,D(k)

(14)

Lemma 3.6. The cheating behavior of dishonest signer do not exist in our construction.

Proof. Let’s recall the experimentExpNCH-TCS_{T CS}_,_C given inDefinition 3.2. The adversaryC(dishonest signer) wins the game means that he successfully produced a time capsule signatureσ0_twhich looks good to the verifier but can not be hatched into a full signature ofCby any recipient using the information released by

Time Sever.

However, in our construction of T CS scheme, the security aspectnon-cheating of the signer follows unconditionally. If a time capsule signatureσ0_t satisfies thatT V erif y(m, σ0_t, P K, T P K, t) = 1. When

Time ServerreleasesZt, any party can obtain a signatureσtrelated toσ0t. By thecorrectnessproperty of ring signature, the ring signature part ofσtalways holds the ring equation. Therefore, the hatched signature

σtcan passes the verification algorithmV erif y.

Theorem 3.7. Our generic construction of time capsule signature from bipartite ring signature is secure.

Proof. According to the above three Lemmas and analysis, it is obvious that those four security aspects mentioned inDefinition 3.2can be achieved. Therefore our construction of time capsule signature is secure.

4 A Concrete Time Capsule Signature Scheme

4.1 Description of Our Proposed Scheme

We use the digital signature scheme PSS[BR96] and the ring signature given in [RST01] as basic building blocks of our construction. LetGen(1k)be the system parameter generation algorithm andSet(1k)be the usual RSA key generation algorithm. In our scheme, each partyAi has an RSA public keyPi = (Ni, ei) which specifies the trapdoor one-way permutationfiofZNi:

fi(x) =xei (mod Ni)

Assume that only Ai knows how to compute the inverse permutation fi−1 efficiently, using trapdoor information di = e−1_i (mod φ(Ni)). This is the original Diffie Hellman model[DH76] for public-key cryptography.

For the trap door permutationf overZN, we define a extended trapdoor permutationgover{0,1}j in the following way. For anyj-bit inputmdefine nonegative integersqandrso thatm=qN+r,0< r < N. Then

g(m) =

(

qN +f(r), if(q+ 1)N ≤2j

m, o.w.

The functiong is clearly a permutation over{0,1}j_{, and it is a one-way trapdoor permutation since only} someone who know how to invertfcan invertgefficiently on more than a negligible fraction of the possible inputs.

Let E be a publicly defined symmetric encryption algorithm such that for any key k of length l, the functionEkis a permutation overj-bit strings.

Define a family of keyed combine functions:

Ck,v(y0, y1) =Ek(y1⊕Ek(y0⊕v)) =v

It takes as input a keyk, an initialization valuev, and arbitrary valuesy0, y1 in{0,1}j. Each such combine

(15)

1. For any fixed value ofyb,b∈ {0,1}, the functionCk,vis a one-to-one mapping fromy¯bto the output

z.

2. Givenj-bit valueszandyb, it is possible to efficiently find aj-bit value fory¯bsuch thatCk,v(yb, y¯b) =

z.

3. Givek,v,z, it is infeasible for an adversary to solve the equation

Ck,v(g0(x0), g1(x1)) =z

forx0,x1if the adversary can’t invert any of the trapdoor functionsg0,g1.

We now describe the full time capsule signature scheme by specifying an 8-tuple of PPT algorithms (SetupTS,SetupUser,TSign, TVerify,TRelease,Hatch,PreHatch,Verify), corresponding to eight phases re-spectively. To make clear, we list these eight algorithms in Table 1.

• Setup Phase of Time Server: In algorithmSetupTS(1k₎_,_k ₌ _k

0 +k1 = |NT S|with2−k0 and2−k1 being negligible quantities;H,H0,H3are hash functions satisfying

H0:{0,1}∗ 7→ {0,1}k1_{, H} _:_{₀_,₁_}k1 _{7→ {}₀_,₁_}k−k1−1_{, H3} _:_{₀_,₁_}∗_{7→ {}₀_,₁_}l

The output bit string fromHis split into two sub-bit-strings, one is denoted byH1 and hash the first k0 bits, the other is denoted byH2 and hash the remainingk−k1−k0−1bits.lis the key length of

symmetric encryption algorithmEk.

• Setup Phase of User: Each userUiwith identityIDi in the system runs the algorithmSetupUser(1k) during this phase.

• Time capsule signature generation:To make a future signature, the signersruns algorithmTSign(m, ds, Ns).

• Time capsule signature verification:To check the time capsule signature, the algorithmTVerify(m, σ_t0, es, Ns)is run by verifier.

• The time release phase: At the beginning of each time period t, the Time Server runs algorithm

TRelease(t, IDs, IDT S, P Ks, P KT S) computes and publishes the knowledge for hatching a valid time capsule signature of signers.

• Open a mature and valid time capsule signature:The recipient runs algorithmHatch(σ_t0, Zt). • Open an immature but valid time capsule signature: Before time t, the signer can run algorithm

PreHatch(t, IDs, IDT S, P Ks, P KT S) to open a valid time capsule signature which is not mature yet.

• Verify a hatched or prehatched signature:The verifier checks a mature signature by running algorithm

(16)

Table 1: The diagram of proposed time capsule signature scheme

Algorithm SetupTS(1k) Algorithm SetupUser(1k) (NT S,eT S,dT S,H,H0,H3,k0,k1)←Gen(1k) (Ni, ei, di)←Set(1k)

P KT S ←(NT S, eT S) P Ki ←(Ni, ei)

SKT S←dT S SKi ←di

Output (P KT S, H, H0, H3, k0, k1) Return P Ki

Algorithm TSign(m, ds, Ns) Algorithm TVerify(m, σt0, es, Ns)

r←R− {0,1}k0 _y_←₍_σ0

t)es (mod Ns)

w←H0(mkIDsktkr) Parseyas bkwkr∗kH2(w) r∗←H1(w)⊕r r ←r∗⊕H1(w)

y←0kwkr∗kH2(w) If(H0(mkIDsktkr)=w∧H2(w)=r∧b=0) σ_t0 ←yds ₍_{mod N}

s) Return 1

Return σ0_t else Return 0

Algorithm TRelease(t,IDs,IDT S,P Ks,P KT S) Algorithm PreHatch(t,IDs,IDT S,P Ks,P KT S) k←H3(IDT S, IDs, t) k←H3(IDT S, IDs, t)

v←R− {0,1}j _v_←R_{− {}₀_,₁_}j

xs R

←− {0,1}j _x

T S R

←− {0,1}j

ys←gs(xs) yT S ←gT S(xT S)

solve equationCk,v(ys, yT S) =vforyT S solve equationCk,v(ys, yT S) =vforys

xT S ←g−1_{T S}(yT S) xs←g−1s (ys)

Zt←(P Ks, P KT S, v, xs, xT S) σt←(σt0, P Ks, P KT S, v, xs, xT S)

Return Zt Return σt

Algorithm Hatch(σ_t0, Zt) Algorithm Verify(m,σt,IDs,IDT S,P Ks,P KT S,t) σt←(σ0t, P Ks, P KT S, v, xs, xT S) yT S ←gT S(xT S)

= (σ_t0;Zt) ys ←gs(xs)

Return σt k←H3(IDT S, IDs, t)

IfCk,v(ys, yT S) =v Run TVerify(m, σ_t0, P Ks) else Return 0

4.2 Security Analysis

Theorem 4.1. This concrete time capsule signature scheme given above is a secure time capsule signature scheme.

Proof. As the underlying original digital signature scheme used in the construction are UF-CMA secure and the bipartite ring signature scheme we utilize is unforgeable and anonymous. According to the security analysis andTheorem 3.7given inSection 3, our concrete construction of time capsule signature scheme is secure.

5 Conclusion

(17)

(18)

References

[ASW00] Asokan, Shoup, and Waidner. Optimistic fair exchange of digital signatures. IEEEJSAC: IEEE Journal on Selected Areas in Communications, 18, 2000.

[ASW98] N. Asokan, Victor Shoup, and Michael Waidner. Optimistic fair exchange of digital signatures (extended abstract). InEUROCRYPT, pages 591–606, 1998.

[BG96] Mihir Bellare and Shafi Goldwasser. Encapsulated key escrow. Technical Report 688, 1996.

[BG97] Mihir Bellare and Shafi Goldwasser. Verifiable partial key escrow. In ACM Conference on Computer and Communications Security, pages 78–91, 1997.

[BR96] Mihir Bellare and Phillip Rogaway. The exact security of digital signatures - HOw to sign with RSA and rabin. InEUROCRYPT, pages 399–416, 1996.

[BKM06] Adam Bender, Jonathan Katz, and Ruggero Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. InTCC, pages 60–79, 2006.

[BC04] Ian F. Blake and Aldar C-F. Chan. Scalable, server-passive, user-anonymous timed release public key encryption from bilinear pairing, 2004.

[BF01] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the weil pairing. In

CRYPTO, pages 213–229, 2001.

[BGLS03] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. InEUROCRYPT, pages 416–432, 2003.

[BN00] Dan Boneh and Moni Naor. Timed commitments. InCRYPTO, pages 236–254, 2000.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography.IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.

[DR03] Yevgeniy Dodis and Leonid Reyzin. Breaking and repairing optimistic fair exchange from PODC 2003. InDigital Rights Management Workshop, pages 47–54, 2003.

[DY05] Yevgeniy Dodis and Dae Hyun Yum. Time capsule signature. InFinancial Cryptography, pages 57–71, 2005.

[DN92] Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. InCRYPTO, pages 139–147, 1992.

[GJ02] Juan A. Garay and Markus Jakobsson. Timed release of standard digital signatures. InFinancial Cryptography, pages 168–182, 2002.

[GP03] Juan A. Garay and Carl Pomerance. Timed fair exchange of standard signatures: [extended abstract]. InFinancial Cryptography, pages 190–207, 2003.

[GB99] Shafi Goldwasser and Mihir Bellare. Lecture notes on cryptography. Summer Course “Cryp-tography and Computer Security” at MIT, 1996–1999, 1999.

(19)

[OKC04] Ivan Osipkov, Yongdae Kim, and Jung Hee Cheon. A scheme for timed-release public key based authenticated encryption, 2004.

[RSW96] R. L. Rivest, A. Shamir, and D. A. Wagner. Time-lock puzzles and timed-release crypto. Tech-nical Report MIT/LCS/TR-684, 1996.

A New Construction of Time Capsule Signature