GeneItkis
BostonUniversityComputerScienceDept.
111CummingtonSt.
Boston,MA02215,USA
Abstract. We proposea new notion of cryptographic tamper evidence. A tamper-evident signature
schemeprovides anadditionalprocedureDivwhichdetectstampering:giventwosignatures,Divcan
determinewhetheroneofthemwasgeneratedbytheforger.Surprisingly,thisispossibleevenafterthe
adversaryhasinconspicuouslylearned(exposed 1
)some|orevenall|thesecretsinthesystem.In
thiscase,itmightbeimpossibletotellwhichsignatureisgeneratedbythelegitimatesignerandwhich
bytheforger.Butatleastthefactofthetamperingwillbemadeevident.
Wedene several variantsof tamper-evidence,dieringintheir powerto detecttampering.Inallof
these,weassumeanequallypowerfuladversary:sheadaptivelycontrolsalltheinputstothelegitimate
signer (i.e., all messages to be signed and their timing), and observes all his outputs; she can also
adaptivelyexposeallthesecretsatarbitrarytimes.
Weprovidetamper-evidentschemesforallthevariantsandprovetheiroptimality.
Achieving the strongest tamper evidence turnsout to be provably expensive. However, we dene a
somewhatweaker,butstillpractical,variant:-synchronoustamper-evidence(-te)andprovide-te
schemeswithlogarithmiccost.Our-teschemesuseacombinatorialconstructionof-separatingsets,
whichmightbeofindependent interest.
Westressthatourmechanismsarepurelycryptographic:thetamper-detectionalgorithmDivisstateless
andtakesnoinputsexceptthetwosignatures(inparticular,itkeepsnologs),weusenoinfrastructure
(orotherwaystoconcealadditionalsecrets),andweusenohardwareproperties(exceptthoseimplied
bythestandardcryptographicassumptions,suchasrandomnumbergenerators).
Ourconstructionsarebasedonarbitraryordinarysignatureschemesanddonotrequirerandomoracles.
1 Introduction
Key exposure is a well-known threatfor anycryptographic tool. For signatures,exposed keys are
revoked after the exposure is detected. This detection of the exposure has previously been dealt
with outsidethe scope of cryptography (e.g.,delegated tohardwareand/or heuristic \forensics").
Indeed,ifanadversaryinconspicuouslylearnedallthesecretinformationwithinthesystem,itmay
seemthat thecryptographictools withoutanyremaining secretsarehelplessagainst her.
This paper challenges this perception, by providing a cryptographic mechanism to detect the
adversary's presencewithinthesystemevenaftershehaslearnedallthesecrets.Thus,whileitstill
might notbepossibletodistinguish forger-generatedsignatures from thelegitimateones,ournew
mechanismscanatleastmake thetampering evident.
1.1 Related work
Key exposures: avoidance and damage containment. Some mechanismsto minimizethe
damagefrom break-inshave beenproposed inthepast.A representative sample ofthesemethods
1
andreferencesincludethreshold[DF89,Ped91,BF97],pro-active[OY91,HJJ +
97,CHH00 ],
remotely-keyed[Bla95,Bla96,Luc97,BFN98],key-insulated[DKXY02,DKXY],intrusion-resilient[IR02,Itk02],
all-or-nothingprotection[CDH +
00],etc.Inthesemethods,secretsaretypicallyprotectedbybeing
distributed (sharedamong multiple modules), thusminimizing theeectof partialexposures.
In this paper, however, we focus on the total and inconspicuous exposures of all the secrets
within the system at the time of the exposure. For such exposures, only forward-security has
being dened [And97,BM99] and achieved [And97,BM99,Kra00,AR00,IR01,MMM02,Itk02,KR02]
previously.Noneoftheseapproachesprovidedanyhelpindetectingwhetheranexposureoccurred.
Fail-stop signatures. Tamper-evident signatures should be distinguished from the fail-stop
signatures [PP97]: the fail-stop signatures do not address the issue of dealing with an adversary
wholearnedthesigner'ssecrets. 2
Instead,theyhelponly inthecaseofacomputationallypowerful
adversary.Namely,inthe fail-stopmodel, eachpublic keyhas alargenumberof valid private key
valuescorresponding toit. An adversary maybe powerful enough tocompute all of theseprivate
keys,butstillcannotdeterminewhichofthesekeysisknowntothesigner.Givenasignatureforged
bysuch an adversary,thesigner, however, can repudiate itbyproving that he does notknowthe
specic privatekeythat musthavebeenusedtoforgethesignature.Thus,thatapproachtoo does
notoer anyhelpinthe casewhen thesigner's keys havebeen exposed.
Coerciveexposures. Somepreviousworkaddressestheissueofdealingwiththesituationswhere
thesecretkeysareexposedundersomecoercivemethods.Insuchcases,thecoercedsignermayuse
somekind of subliminal communicationembedded inthe signatureto informthe authorities that
thesignatureand/orsecretkeys wereextractedfromthesignerunderduress(see,e.g.,[HJJY00]).
Anotherapproach proposes monotonesignature schemes[NPT01],which allowtheverication
algorithm to be updated after an attack. Namely, under duress the signer can reveal some (but
notall!) of his secrets tothe adversary.These secretsenable theadversary togenerate signatures
that arevalid accordingtothe current vericationalgorithm. However, this verication algorithm
canthen be updated so that all thesignatures generated bythe legitimate signer(before or after
the update) remain valid, but all the signatures generated by the adversary are not valid under
the updated verication.Again, this approach doesnot work incase oftotal exposures.Also, the
cost of these signatures is linear in the number of updates. This matches our least eÆcient (but
strongest)construction,exceptthatwe donotrequiretheupdatesofthevericationalgorithm.In
fact,ourgenerallower-boundsproof inSec.4 canbemodied toyieldthelinear lower boundsfor
thelength ofthe monotone signatures 3
,thusproving optimalityof theresultsof [NPT01]. To the
best of ourknowledge no lower boundsfor monotone signatures were shown previously. However,
slightly modifying the denition of the monotone signatures | to allow key evolution | allows
exponentialperformanceimprovement (seeSec. 5).
1.2 Our contribution: Tamper Evidence
In contrast to the previous work, we consider the situation where the adversary inconspicuously
learns all secretsof the systemat some(unknown) points of time.Our goal is toprovidesecurity
after such undetectedtotalexposures.
2
Infact,in[PP97],theauthorswrite\Naturally,thispossibilityofdistinguishingforgedsignaturesfromauthentic
signaturesonlyexistsaslong as forgerhasnotstolen thesigner'skey".Weshowthat thisobservationdoesnot
fullyapplytothekey-evolvingsignatures(whichwereintroducedaftertheabovepaper).
3
Indeed,someofourconstructions(namely,thestronglytamper-evidentschemes)bearsimilaritytosomeofthoseof
Intuition. Supposethe adversary learns all the secretsattime t
e
. Then,clearly,she hasall the
keysofthelegitimatesigner,andthuscangeneratevalidsignatures.However,ifboththesignerand
theadversaryremainactive(i.e.,generatesignatures)thenthesystemhaschangedfundamentally:
instead of having a single entity| thelegitimate signer | it nowcontains two active \versions"
running at the same time. Now, if the signer evolves in some randomized fashion, then the two
versions will diverge(see Fig. 1),and this divergencemight bedetectable.
State
S
Time
F
t
1
2
e
t
t
Fig.1.Divergenceofforgerandsigner.Signer'ssecretsareexposedattimet
e
.Itstillmaybepossibletotellwhether
signatures,generatedatt1;t2 >te,originatedfrom thedierent\branches"(onesigner's,theother{forger's).
Approach. Indeed,thisisexactlywhatwecaptureinourdenitions.Weusekey-evolvingschemes
(denedoriginallyforforward-security[BM99])asthebasisforourdenitions. Anydirect
connec-tionbetweentamper-evidentandforward-securesignaturesstopsatthat.Inparticular,itiscrucial
forthetamper-evidentschemestousetruerandomnessfortheevolution.Evenpseudo-randomness
is notsuÆcient,as theseed might beexposedtoo. Butforforward-secure signatures,randomness
| even if used, as in[BM99] | can be replaced with pseudo-randomness (as done in [Kra00]to
achievesomeoptimizations).Usingtruerandomnessinkeyevolutionallowsustoachieveandthen
detectdivergenceofthesigner's andforger'sversions. Detectionofthis divergenceisexactly what
constitutestamper-evidence| thusthenameDiv forthe newprocedure.
Variants, constructions, lower bounds. We deneseveral variants oftamper-evidence. In
all thevariants we allowtheforger F toadaptivelydetermine allthemessages tobe signedbythe
The strongestvariant guaranteestodetectdivergencegiven anytwosignaturesgenerated byS
andF atanytwotimeperiodsaftertheexposure(itisimpossibletodo anythingbeyond
forward-securityfortheperiodsbeforetheexposure 4
).Wepresentatamper-evidentsignatureschemewith
this strong tamper-evidence property. This scheme imposes linear in time performance penalty.
Moreover,we prove thatno better scheme ispossible.
Fortunately,moreeÆcientschemesarepossibleforslightlyweakernotionsoftamper-evidence:
Perfectly-synchronoustamper-evidenceworkswiththesamepowerfuladversary,butguarantees
todetectdivergenceonlywhenthetwogivensignaturesaregeneratedbythesignerSandtheforger
F atthesame timeperiod after thekey exposure.
-synchronoustamper-evidencegeneralizes theabove notions:forsuchschemes,thetampering
is guaranteed tobedetected aslongasthe timeperiods ofthe twosignatures arerelatively closer
to each other than to the exposure time. The exact relative proximity is characterized by the
parameter (=0 yieldingstrongand =1 | perfectly-synchronoustamper-evidence).
We present bothperfectly- and - synchronous tamper-evident schemes.The cost of the rst
oneisonlytwicethatofan ordinarysignaturescheme.Foranyniteconstant >0,weconstruct
an -synchronoustamper-evidentschemewitha logarithmicfactor overhead(with appearingin
thebase ofthelogarithm). We proveasymptoticoptimalityofall theseschemes.
Next, in Section 2 we formally dene tamper-evident signatureschemes and present our
con-structions in Section 3. In Section 4 we prove the optimality of our constructions byproving the
information-theoretic lower-bounds. Finally, in the Section 5 we discuss various aspects of the
tamper-evidentsignatures, including theirpotential applications. We also propose there some
im-provementsfor themonotonesignatures.
2 Denitions
2.1 Functional denitions
KeyEvolvingSignatureSchemes. Asdiscussedabove,tamper-evidentsignaturesmustevolve
thesigner'sstate,similarlytotheforward-securesignatures,butforadierentreason. 5
Wetherefore
use the denition of the key-evolving signature schemes proposed by Bellare and Miner [BM99].
Intuitively, in key-evolving schemes the public key remains unchanged, while the corresponding
secretkeychangesperiodically.Thisdenitionispurelyfunctional:securityisaddressedseparately.
Key-evolving signatureschemeisaquadrupleofalgorithmsKESig=(Gen;Upd;Sign;Vf),where:
KESig:Gen, the probabilistickey generation algorithm.
Input: a securityparameterk2N(giveninunary as1 k
); andthe totalnumberof periodsT;
Output:apair (SK
0
;PK),theinitial secretkey and thepublickey;
KESig:Upd, the probabilisticsecret key update algorithm.
Input: thesecret keySK
t
forthe currentperiod t<T;
Output:thenewsecret keySK
t+1
forthenext period t+1.
KESig:Sign, the (possibly probabilistic)signing algorithm.
Input: thesecretkeySK
t =hS
t
;t;TiforthetimeperiodtT andthemessageM tobesigned;
Output:thesignatureht;sigi of M fortimeperiod t.
4
Wecanlimitthewindowofvulnerabilitytotheperiodoftheexposurebycombiningtamper-evidencewith
forward-security.Thiswindowofvulnerabilityisevenstrongeriftamper-evidenceiscombinedwithintrusion-resilience.
5
KESig:Vf, theverication algorithm.
Input: thepublic keyPK;a messageM;and an allegedsignatureht;sigi;
Output:valid ifht;sigi isa valid signatureofM,orfail otherwise.
We requirethatKESig:Vf
PK
(M;KESig:Sign
SK
t
(M))=validforallM andt.Forsomeschemes,T
isoptional: i.e.,T=1 [Itk02].
Divergence test. As discussed in the introduction, at the core of our tamper-evidence is the
observation thatafter thekeyexposurethere inessenceexist two versions ofthesignerwithin the
system|whileundernormalconditions(withoutcompromises)thereshouldbeonlyone.Thuswe
say thatthe exposure leads todivergence. To accommodate functionallythetest ofthis condition
| which providestamper-evidence| we add onemoreprocedure totheabove:
KESig:Div, the(possibly probabilistic)divergencetest algorithm.
Input: two signatures ht
1 ; 1 i;ht 2 ; 2 i;
Output:foulifdivergenceisdetected;ok otherwise.
2.2 Security denitions
Signature security. For the sake of brevity, we skip the signature security denition | it
is essentially the same as the classic denition of Goldwasser, Micali and Rivest's [GMR88] for
(ordinary) digital signatures secure against adaptive chosen message attacks (but as in the other
key-evolving schemes |such asforward-securesignatures | theauthenticityincludes theperiod
number:weconsider theadversary successfulevenifshegeneratesa signaturedieringonly inthe
period number fromoneof those generatedbythelegitimate signer).
Tamper-evidence. Say that KESig is self-consistent if KESig:Div(ht
1 ; 1 i;ht 2 ; 2
i) = ok for all
signaturepairsht
1 ; 1 i,ht 2 ; 2
i,providedthatbothsignaturesaregeneratedbythesamelegitimate
signer S (legitimate signer does not deviate from the algorithms specied by the scheme). We
consider only self-consistentschemesinthis paper.
Denition 1 (Adversary). Let F be an adversary and S the legitimate signer (for the given
instanceof KESig, generated independently of F).AllowF to adaptivelyobtain fromS both
signa-tures for any time-period/message pairs (t;M), and secret keys SK
i . Let t
e
bethe latest exposure
time period: maximum t such that F obtained SK
t
. Eventually (after polynomially-bounded time),
F must output two signatures fht
1 ; 1 i; ht 2 ; 2
ig, such that t
1 ;t
2 > t
e
, and ht
1 ;
1
i was
gener-ated by S (upon F's request), while ht
2 ;
2
i by F (i.e., the corresponding ht
2
;Mi was not queried
from S). We write F S ! ht e ;f(t 1 ; 1 );(t 2 ; 2
)gi. The probability that the adversary succeeds is
PrSucc KESig (F) def =Prob[KESig:Div(ht 1 ; 1 i;ht 2 ; 2
i)=okand KESig:Vf(ht
i ;
i
i)=valid;i=1;2].
Denition 2 (Tamper-Evidence Safety).
Let KESig be self-consistent, and let k bea security parameter. Let F S !ht e ;f(t 1 ; 1 );(t 2 ; 2 )gi. ft 0 1 ;t 0 2 g aret
0
e
-safe (forKESig) if PrSucc
KESig
(F)<1=2 k whenever t e =t 0 e and ft 1 ;t 2 g=ft
0 1 ;t 0 2 g.
In other words, let S be the set of all triplets ht 0 e ;ft 0 1 ;t 0 2
gi such that if for any F as above
F S !ht e ;f(t 1 ; 1 );(t 2 ; 2
)gi and ht
e ;ft
1 ;t
2
gi2S thenPrSucc
KESig
(F)<1=2 k . ft 0 1 ;t 0 2 g are t
0 e -safe i ht 0 e ;ft 0 1 ;t 0 2
gi2S:
Denition 3 (Strong Tamper-Evidence). KESig is strongly tamper-evident if t 0 1 and t 0 2 are t 0
Belowwe consider two weakerversions of tamper-evidence. Forboth of them, we preserve the
power of the adversary. Unlike the strong tamper-evident schemes,both of these weakerversions
areallowedtomisssomecasesoftampering.Therst|weaker|guaranteestodetecttampering
only forsimultaneous signatures:
Denition 4 (Perfectly Synchronous Tamper-Evidence). KESig is perfectly-synchronous
tamper-evident ifft 0
1 ;t
0
2 g are t
0
e
-safe for any t 0
1 ;t
0
2 ;t
0
e
, such that t 0
1 =t
0
2 >t
0
e .
This notion of synchronicitycanberelaxed signicantly: namely,wecan tolerateanydistance
betweenthetimeperiodst
1 ;t
2
ofthesignatures,aslongastheyareclosertoeachotherthansome
factor (1= )of theirdistancetothe exposure timet
e :
Denition 5 ( -Synchronous Tamper-Evidence). KESig is -synchronoustamper-evident if
ft 0
1 ;t
0
2 g aret
0
e
-safe for any t 0
1 ;t
0
2 ;t
0
e
such thatmin(t 0
1 ;t
0
2 ) t
e > jt
0
1 t
0
2 j.
Note:0-synchronoustamper-evidenceisequivalenttothestrongoneofdenition3,whileperfectly
synchronous tamper-evidenceof denition 4 corresponds to 1-synchronoustamper-evidence. We
abbreviate -synchronous tamper-evident as -te (e.g., KESig in denitions 5, 4, and 3 are -te,
1-te,and 0-te, respectively).
Possible relaxations. One might wish to further relax the above denitions, e.g., to achieve
moreeÆcientconstructions. Suchrelaxationsmayincludelimitingadversarypowersand/or
allow-ing notself-consistent schemes (i.e.,\self-consistent"only withhigh probability), and/orallowing
the probability of missing divergence to be much greater (e.g., less thansome constant, say1%),
etc.Inthis paperwedo notconsider anysuch relaxations.
3 Constructions
Thissectionproposesconstructionsforthestronglyandsynchronoustamper-evidentschemes.The
subsequent Section4 showsthat theseconstructionsareoptimal(atleastuptoaconstant factor),
byproving thematchinglowerbounds.
Our constructions are generic in the sensethat they can be based on any ordinary signature
scheme.Alsotheyeasilygeneralizetoallowadditionoftamper-evidencetoothersignaturemodels,
such asforward-secureorintrusion-resilient.
3.1 Strongly Tamper-Evident Scheme
Construction: Intuitively,this construction extends an ordinary signaturebysimply appending
to it a sequence of hsignature - public keyi pairs, where each signature is to be veried using
the corresponding public key of the pair. The public keys (and corresponding secret keys) are
generated at random, one per time period. So, a tamper-evident signatureat time tincludes t of
theserandomly generated (and uncertied) publickeys. When the signer's secretsare exposedat
time t
e
, the adversary learns all the t
e
secret keys corresponding to these t
e
randomly generated
publickeys.Butaftert
e
,thesignergeneratesnewpublic-secretkeypairs,suchthatthesecretkeys
for theseare not known to the adversary. So, the adversary must either use dierent publickeys
for t > t
e
| which enables detection of divergence, or must forge the signatures for the signer's
publickeys forperiodst>t
e
,without knowingthecorresponding secretkeys.
Formally,let beanyordinary signaturescheme.S
i
denotesa specic instanceof withthe
Dene KESig:Gen tobe:Gen!(KESig:SK
0 =S
0
:SK;KESig:PK =S
0 :PK).
KESig:Upd(SK
t 1
),fortT,runs:Gen!S
t
:hPK;SKi.Thesekeysareappendedtothecurrent
key KESig:SK
t 1
yieldingthenext period'skey KESig:SK
t
=ht;S
0
:SK;hS
i :PK;S
i :SKi
i=1to t i.
KESig:Sign(SK
t
;t;M), fort T,runs S
i
:Sign(SK;ht;Mi)!
i
for all i= 0 tot, generatingthe
signature b t;M =ht; 0 ;hS i :PK; i i
i=1to t i.
KESig:Vf(PK;M;ht;
0
;:::i), returns valid if S
i
:Vf(PK;ht;Mi) for all i : 0 i t (i.e., all the
ordinary signaturesare veried). 6
Finally, totestforfoulplay,
KESig:Div(b t 1 ;M 1 ; b 0 t 2 ;M 2
) rst veries all theS-signatures(except
the very rst; their numbers must match the corresponding time periods) in both b t1;M1 and b 0 t 2 ;M 2 for ht 1 ;M 1
i and ht
2 ;M
2
i respectively, and if any are invalid, it returns foul. 7
If all the S
-signatures are valid, it returns ok if one of the sequences hS
i :PKi
i=1tot
1
and hS 0
j :PKi
j=1tot
2 from b t1;M2 ; b t2;M2
respectively,isa prexoftheother. Otherwise,KESig:Div returnsfoul.
Claim. KESig isassecure as (inthe senseof [GMR88]).
Assumingthat issecure, KESig isstrongly tamper-evident (0-te).
Proof sketch: The proof of signature securityis trivial, becauseour signature simply containsthe
ordinary signature, appended withrandomvalues,whichcanbeeasilysimulated.
It is alsoobvious thatourschemeis self-consistent.
Forthetamper-evidenceproof,reduce forgingasignatureS toF foolingtheDiv test.Suppose
that we aregiven a publickeyS:PK (andno corresponding secret key).Suppose thatwe are also
givenasignatureoracleaccesstotheS-signer.ThegoalistouseforgerF |violating the
tamper-evidence of our scheme | to generate an non-queried signature valid for S:PK. To achieve this,
guess a time period j(= t
2
) for which F will fool the Div test, and set S
j
:PK S:PK. All the
other parametersand keysare generatedbythesimulatoratrandom.Thenthe(adaptive)queries
of F canbesatisedbythesimulatoreither directlyorwith thehelpof theS-signer oracle.
IfF choosest
e
<jandt
1 ;t
2
j,andsucceedsingeneratinght
2 ;
2
iwhichpassesthatKESig:Div
test,then
2
containstheS-signatureforht
2
;MiforsomeM.IfF succeeds,thenht
2
;Miwasnever
queried,and thusis aforgery fortheS. ut
Note: inclusion of t in ht;Mi is needed to prevent the truncation attack. Namely, F obtains
from thesignatureoracle forS thesignature
1 =
ht
1 ;Mi
forthemessageM attimet
1
.Then,ift
is notincluded in all the messagesfor anyt
2 <t 1 , 2 = ht2;Mi
is a prexof
1
,and thus canbe
obtainedfrom itbya simpletruncation.
3.2 Perfectly Synchronous Tamper-Evident Scheme
Simpleconstruction: Supposeweusetheabovescheme,butweareguaranteedthatt
1 =t
2 =t.
ThenwecanactuallydropallthekeysandsignatureshS
i :PK;
i i
i=1to t 1
,leavingonlythe\real"
signatureS
0
andthe lastperiod'sappended signaturehS
t :PK;
t i.
The proof above is essentiallyunaected bythis omission.
ThebenettotheeÆciencyis,ofcourse,dramatic:nowatamper-evidentsignatureisjusttwice
aslong astheordinary one.
6
It is feasible to have the verication of the uncertied keysas part of Div,but it would require changing the
functional denition to pass the message to Div. Also, instead of signing the message with all the keys, it is
possible to form a certication chain. This variant can be more eÆcient in some aspects: the chain does not
needtoregeneratedforeachsignature.Moreover,thechainedconstructionmustbeusedtoachievetheuniversal
indisputabilityofthetamperevidencediscussedinSection5.However,theversioninthemaintextappearsslightly
simplertodiscuss.Inparticular,thesecurityproofofthechainedversionrequiresrandomoracles.
Tree-based construction. Asimilar synchronoustamper-evident scheme canbeobtained using
tree-basedconstructions forforward-secureand intrusion-resilient schemes[BM99,MMM02,Itk02].
Indeed these constructions served as one of the inspirations for this work. While not as eÆcient
asthe previoussynchronoustamper-evident scheme, thetree-based constructionbelowprovides a
somewhat moreexible synchronicityrestriction than theabove scheme aswell assome intuition
foroursubsequent constructionsforthe -synchronousschemes.
Intuitively all of these tree-based schemes construct a \certication hierarchy" tree using S
-signatures. In this tree, each leaf corresponds to a time period and each node has a public-secret
key-pair corresponding to it. The rootpublic key isthe public keyof the tree-based scheme. And
each signature is generated using the corresponding leaf keys and includes the certication path
from theleafpublickeytotheroot.Thuseachtree-basedschemesignatureincludes alogarithmic
numberof ordinary signatures(all,butone, arecomputedatmostonceperperiod,independently
of themessagebeing signed).
The hierarchy isactuallynotconstructed allatonce, butrathergenerated asneeded. 8
Our main observation here is that, as forthe strong tamper-evidence, the S-key-pairs can be
generatedinarandomizedfashion(i.e.,withoutpseudo-randomness,asin,say,[Kra00]).Thisway,
even though a similar (actually even slightly larger) number of keys is generated by S in t time
periods, each signature must include only O(lgt) of these keys, and a signature for each of these
O(lgt) keys. Moreover, all but one (leaf) signatures are computed only once per period (or even
lessfrequently)and aresimplyre-used foreach signature.
t
e
t
1
t
2
t’
2
Fig.2. Tree-basedscheme. Here,itis easy toseethat the common prexof thepaths from rootto t1 and t2 is not
a prexofthe pathfrom theroot tot
e
.On the otherhand, t
1 and t
0
2
do not havethisproperty.Thus, Divtest can
detectdivergencefortimest
1 ;t
2
butnott
1 ;t
0
2 .
8
Theoriginal tree-basedschemes[BM99,MMM02,Itk02]storedthesecretkeysofthe\rightpath"forthe current
Intuitively, this scheme has somewhat looser synchronicity restrictions than theperfectly
syn-chronous tamper-evidence: it can detect divergence as long as the paths from root to t
1 and t
2
divergeafterthey diverge witht
e
(orinotherwords,thecommonprex oft
1 andt
2
isnota prex
of t
e
,see Fig.2). Butitstill falls shortofthe -te.
Next, we generalizethe above tree construction toachieve -synchronoustamper-evidencefor
anyconstant .As forthetree construction,thecost isonly O(lgt).
3.3 Separating Sets and -TE Schemes
C-schemes. LetC beacollection ofcontiguoussets(intervals)ofintegers(time period numbers).
Dene a C-scheme as follows: Let a dierent public/secret key pair (S
I :PK;S
I
:SK) correspond
to each interval I 2 C (the key pair is generated randomly at the beginning of the interval, and
is destroyed at the end of it). Each C-signature for the time period t contains a S
I -signature hS I :PK; I
i generated using S
I
:SK for each interval I 2 C such that t 2 I. 9
Let C contain the
inniteinterval I
0
of all theintegers;S
I
0
:PK isthepublickey ofthe C-scheme.
Say,that C is an -separating collection if for any t
e < t 1 ;t 2 : jt e min(t 1 ;t 2
)j > jt
1 t
2 j,
there existsan intervalI 2C suchthat t
1 ;t
2
2I butt
e 62I.
Lemma 1. Let C bean -separating collection.Then C-scheme is -synchronous tamper-evident.
Indeed, since C is -separating, there exists I, such that t
1 ;t
2
2 I but t
e
62 I. Thus, both
signatures b t 1 ;M 1 and b t 2 ;M 2
mustusethesamepublickeyS
I
:PK.However,S
I
:SK wasnotcreated
{ and thus was not known { at the time of the latest exposure t
e
. Thus F cannot generate the
S
I
-signature forS
I
:PK (i.e.,we could reduce forgingS signatures toF'success). ut
The 0-, - and 1- teschemesof the above sections canbe viewed assuch C-schemes:Forthe
0-te scheme we used C
0
= fft;t+1;:::g for all tg. Our 1-te scheme used C
1
= fftgfor all tg.
The tree-basedschemesuse C
tree
=ffi2 j
;:::;(i+1)2 j
1g for all j0;i>0g. 10
Thus,constructing -teschemesisreducedtoacombinatorialproblemofconstructing -separating
collections; thenumber ofintervals containingt,foreacht,correspondstothescheme'scost.
Constructing -Separating Collections
Fact 1 For any t
1 ;t 2 :jt 1 t 2
j= d, any interval of size d(1+ ) containing t
1 ;t
2
cannot also
containsuch t
e thatjt e min(t 1 ;t 2
)j> jt
1 t 2 j. Indeed, jt e min(t 1 ;t 2
)j> jt
1 t
2
j=d)jt
e
max(t
1 ;t
2
)j>(1+ )d.
Let be any constant such that 0 < < . Intuitively, we dene intervals as in Fig. 3: the
intervals of length d(1+ ) are going to be shifted by multiples of d( ). Then, for any t
1 ;t
2
such that djt
1 t
2
jd(1+) there exists an interval(i) containingboth t
1 and t
2
and (ii)not
containing t
e
satisfyingthe -synchronicity:jt
e
min(t
1 ;t
2
)j> jt
1 t 2 j. For t 1 ;t 2
such that jt
1 t
2
j > d(1+) intervals of size >d(1+)(1+ ) are needed. In other
words theintervallengths canincreasebya factor of 1+.
9
Thus, the signer musthave the same secretkey SI:SK for allt 2 I. But then if the signer has SI:SK during
periodst
1 <t
2
,thenthiskeymustalsobeinthesigner'spossession duringallperiodst:t
1 tt
2
.Therefore,
requiringthatthesetsinC becontiguousreectsthesecurityrequirementsinanaturalway.
10
The version of Sec.3.2actually allowedi= 0;though usingit witha balanced hierarchy also bounds t.If t is
unbounded,thenallowingi=0leadsto eachtbelongingto innitenumberof intervals andthusto aninnite
numberofkeysforeachtimet.TheC
tree
aboveeliminatesallintervalscontaining0:thesecannothelpseparation
(1+α)
d
t
1
t
2
>d
<d(1+β)
d
d
(1+β)
(α−β)
te
Fig.3. Arranging intervalsof sized(1+). Any two pointsat distance d(1+)willbe containedinoneof the
intervals.At the sametime, forany t1;t2,separatedbydistance >d, theintervalcontainingt1;t2 cannotcontain
suchat
e
whichwouldsatisfy-synchronicityrequirement:jt
e min(t
1 ;t
2 )j>jt
1 t
2
j.Thus,theseintervals\take
care"ofthesignaturesseparatedbydistances>dandd(1+)
More formally, for level j, let d
j def
= (1+) j
. Then the corresponding interval length is L
j def
=
d
j
(1+ ),separatingt
1 ;t
2 :d
j jt
1 t
2 jd
j
(1+)from t
e
.Theshift
j def
= d
j
( ).Theintervals
forlevel are shiftedby
j
,guaranteeingthat each pair t
1 ;t
2
as above belongs tosomeinterval of
thelevel.Dene intervalI
;;i;j =[i
j
;:::;i
j +L
j
1].Note:jI
;;i;j j=L
j
.We refertoj asthe
levelof I
;;i;j
,andias itsdisplacement.
Dene C
;
=fftg: t>0g S
fI
;;i;j
: i>0; j 0g. Intuitively,the singletonsetsdeal with
thecasesjt
1 t
2
j=0(i.e.,t
1 =t
2
),whilethelevelj intervalshandle thedistancesjt
1 t
2
jsuchthat
d
j <jt
1 t
2 jd
j+1 .
InC
;
,nomorethanL
j =
j
+1=(1+ )=( )+1intervalsofanyonelevelcontaineachpoint
t.Moreover, tcannot be containedbyany intervals of level j such that t <
j
=(1+) j
( ).
Thus, tcanbe containedbyintervals of atmostlog
1+
(t=( )) levels.
So,thetotalnumberofintervalscontainingtimeperiodtisupper-boundedby1+((1+ )=(
)+1)log
1+
t=( ). Usingan C
;
-scheme to achieve -synchronoustamper-evidenceyields
thesameupper-bound(plusonefortheI
0
)onthenumberofkeysusedforandordinarysignatures
included in an -tesignature attime t. Forconstants > >0, theabove formula simpliesto
O(lgt). We leave out of this version of the paper the question of computing the values of for
thegiven , which would yield thebest constant factorshidden bythebig-O notation. It maybe
helpfultoconsiderthecaseof 2-synchronicity:using =1,thenumber ofkeys storedandusedat
timet isatmost2+4lgt.Thuswehave thefollowinglemma:
Lemma 2. Foranyconstant>0andordinarysignaturescheme,thereexistsan -synchronous
tamper-evident scheme KESig, storing O(lgt) keys and generating O(lgt) -signatures for each
KESig-signatureat time t.
3.4 Lower Bounds For The Subset Separation Schemes
In this section we consider only tamper-evident schemes based on using an ordinary signature
scheme to separate S from F by requiring that forany t
e <t
1 ;t
2
there exists a signaturescheme
instance witha public keyp (using corresponding secret key s)such thatthe signaturesfor times
t
1 ;t
2
mustbothusethisinstance,butattimet
e
thekeyswasnotknowntothesigner(andthusto
theattacker,whoexposedallthesecretsofthesignerattimest
e
case lower bounds proven in the subsequent section subsume those of this section. However, we
leavethemhere due totheirmoreintuitive clarity.
Claim. Any ste scheme requires at least t 2 ordinary keys/signatures to be used for each ste
signatureattimet. 11
Indeed, consider thesignature attime t
2
=t.Let t
1
=t 1, and t
e
=t 2. Then there must
be a key shared byt
1 , and t
2
, butnot t
e
.Now, let t
1
=t 2; t
e
=t 3.Then, there must be a
dierent key shared by t;t 2,but not t 3. Let'smake one morestep before we generalize: let
t
1
=t 3; t
e
=t 4.Then,tandt 3mustshare akeynotsharedbyt
e
.Thiskeymustclearlybe
dierentfromtheprevious.Butitalsomustbedierentfromtheonesharedbytandt 1butnot
t 2:becauseifthekeyis known attimest 3 and t,then itmust beknown alsoatt 2.Thus,
togeneralize: foreach 1<i<t 1,there mustbe a dierent keysharedbyt
1
=t and t
2
=t i
butnott
e
=t i 1. ut
The aboveclaim proves thatourscheme(Sec.3.1) isoptimalwithin this general approach.
That claim generalizesto -synchronicity:
Claim. Foranyconstant , any -synchronousscheme foreachsignatureat timetmustgenerate
(lgt)ordinary signatures (usingasmanydierent keys).
Indeed,let>0besomearbitrarilysmallconstant,sett
2
=t,andinitiallylett
1
=t 1andt
e =
bt (1+ ) c.Theremust bea keythat separatest
1 ;t
2
fromt
e
.And itmustbedierent from
the one that separates t
2
= t and t
1
= bt (1+ ) c from t
e
= bt (1+ ) (1+ ) 2
2c.
Thisstepcanbeiteratedktimesaslongast P
k
i=0 (1+ )
i
=(1+ ) k+1
= .Thus,atleast(lgt)
ordinarysignatures(allusingdierentkeys)mustbegeneratedforeachTEsignatureattimet. ut
The next sectionextends theselowerbounds tothemostgeneraltamper-evident schemes.
4 General Lower Bounds
LetKESigbesomekey-evolvingsignatureschemewithadivergencetest,accordingtothedenitions
inSec. 2.1,andthe adversary asintheDenition1.
Dene support of t, supp
KESig
(t), to be a longest increasing chain t
0 ;t
1 ;:::;t
l
=t, such that
t;t
i+1 are t
i
-safe inthegiven KESig scheme forall i:0il 1 (thus, t
j ;t
j 0
arealso t
i
-safe for
anyj;j 0
>i). Orderof t, ord
KESig
(t),is dened tobe the lengthl of this chain (measured inthe
number of possible valuesfor the exposure time period t
i
). For example, if KESig is ste,then for
anyt,ord
KESig
(t)=t+1,since we canset t
i
=i 1 for all 0it+1;exposure time t
e
= 1
correspondstohaving noexposure.For -te KESig,ord
KESig
(t)=(log
1+ t).
Recall thatk isthesecurityparameter usedinthedenition of safety(Def.2).
We now showthat thelengthofthe signatureattimetmustbeatleastord
KESig (t)k.
Lett 0 ;t 1 ;:::;t l
=tbeasupport oft.LetF 0
beany(forger)algorithm;unlessstatedotherwise,
wedonotassumethatF 0
hasanyaccesstothelegitimatesigner'ssecretsorevensignatures.Inthis
respect,F 0
is signicantlyweaker thanthe adversary F of the Denition1. Generate an instance
of KESig, and let the legitimate signer S generate signatures ht
i ;
i
i for some message m and all
i=1;:::;l(signaturefort
0
isnotneeded,sincet
0
isusedonly asa possibleexposure timeperiod;
oftent
0
= 1).Forasignatureht;iofsomeothermessagem 0
(6=m)attimet,deneeventC
i (ht;i)
tobeKESig:Div(ht
i ;
i
i;ht;i)=ok.Let C
[j]
(ht;i)betheconjunction of allC
i=1;:::;j
(ht;i).
Lemma 3. Prob[F 0
!(t;): s.t. C
[l]
(ht;i)]<1=2 kl
Proof:LetP
j def
= Prob[F 0
!(t;): s.t.C
[j]
(ht;i)],for0<jl,and (vacuously)setP
0
=1.Then
thelemmastatesthat P
l <1=2 kl . LetF 0
!(t;).Then,P
j
=Prob[C
j
(ht;i)jC
[j 1]
(ht;i)] Prob[C
[j 1]
(ht;i)].SubstituteP
j 1 =
Prob[C
[j 1]
(ht;i)] intotheabove toget P
j
=Prob[C
j
(ht;i)jC
[j 1]
(ht;i)]P
j 1 .
Let S(t
i
) be thefull record ofthe legitimate signer'sevolution up toand including time period t
i
(that istherecord ofall thesigner's informationup untilthat time,including thesecretkeys).
Then, Prob[C
j
(ht;i)jC
[j 1]
(ht;i)] Prob[F 0S(t
j 1 )
! (t; 0
) : KESig:Div(ht
j ;
j i;ht;
0
i)=ok]
Prob[F S ! ht 0 e =t j 1 ;f(t 0 1 =t j ; 0 1 = j );(t 0 2 =t; 0 2
)gi :KESig:Div(ht 0 1 ; 0 1 i;ht 0 2 ; 0 2
i)=ok] <1=2 k
,
whereF istheforger from Denitions1, 2.
Putting itall togetherweget P
j <P
j 1 1=2
k
.Thus, P
j <1=2
kj
. ut
Let C
l
(ht;i) be true (e.g., ht;i is generated by the legitimate signer S). If jj < lk then a
random 0
= withprobability>1=2 lk
,whichcontradictsLemma3.Thus,thefollowingtheorem
follows asacorollary from theLemma:
Theorem 1. Let KESig:Sign!ht;i for some message.Then jj>kord
KESig (t).
Since for the stronglytamper evident schemesord
KESig
(t)=t+1,and forthe -synchronous
schemes(for nite >0)ord
KESig
(t)=(lgt), we getthefollowingcorollaries:
Corollary 1 (Strong Tamper-Evident Signature Length).
jj>k(t+1)for any ste KESig:Sign!ht;i.
Corollary 2 ( -Synchronous Tamper-Evident Signature Length).
jj=(klgt) for any -teKESig:Sign!ht;i.
5 Discussion
Universal evidence. We canmodifyourconstructions(e.g.,usingchainingassuggestedinthe
footnote6)sothatanypair ofsignaturesht
1 ; 1 i;ht 2 ; 2
i,which arebothvalidforthesamepublic
key but Div(ht
1 ; 1 i;ht 2 ; 2
i)= foul, represents a universal and indisputable evidence that either
thekey hasbeen exposedor thatthesigner isfakingthekey exposure.
PKI implications. Revocation is a traditional method of dealing with the compromised keys.
Whatever is therevocation mechanism, the key compromisemustbe detected rst, and then the
revocationprocessfollowed appropriately.InallthetraditionalPublicKeyInfrastructures(PKIs),
some party | call it Revocation Authority (RA) | must be convinced that the key is indeed
compromised,before itactuates therevocation:typically,generatinga revocation note 12
.
Whether RA is the signer himself or a CA (or other), convincing RA of the key compromise
using thepreviouslyexisting methodsispotentially cumbersomeboth logisticallyand legally.
Incontrast,ourschemesallowanyonetodetecttamperingandpresentauniversallyconvincing
proof ofthecompromise:two valid butinconsistent signaturesasabove.Infact,such aproof may
serve asa revocationnote.Moreover,the legitimatesigner S canposton somepublicly accessible
site his signature for each day (the signature is veried before being posted to avoid denial of
12
This canbea self-signed\suicidenote"(asinPGPor other approaches e.g.,[Riv98]); inthesecasesRAis the
signerhimself.Alternatively,inthemorecommonPKIs,therevocationnoteisapartofaCerticateRevocation
service attack).This canserve as an automatic revocation check: instead of checking a CRL,the
veriers canusethatsignaturewiththeDiv algorithmtoverifythatS hasnotbeen compromised.
Ofcourse, itispossiblethatimmediatelyfollowingan exposure, F managestopostherversionof
the daily signature. But then S will be able to detect the tampering and resolve the conict by
out-of-band means. Alternatively, the server can allow more than one signature to be posted for
each user | if two of the posted signatures trigger the tamper-detection testDiv,then the other
users of the system will also know that the corresponding secret key has been compromised. A
potential key-recovery mechanism would then be to allow the server to obtain S's signatureover
somesecureconnection,andremovetheprevioussignaturesfromtheserver.Thentheveriers will
again beabletodistinguish S's signaturesfrom theforger's.
The public posting sitecan bereplaced with a more\personal" version:in thecase of regular
transactionsbetweenthesignerand arecipient,therecipient cankeepthelatestsigner'ssignature
asa\cookie".Thenevenaftertheexposureofthesigner'ssecrets,theadversarycannotimpersonate
thesinger totherecipient (again,except immediatelyafterthe exposure).
Symmetric signatures and peer-to-peer setting. Sinceourconstructions aregeneric,itis
possibleto use symmetric signatures, and apply the tamper-evidence tothe peer-to-peer setting.
Theuseofsymmetricsignaturesonly,however,requires thecoordinated randomizedkeyevolution
betweenthepairof connectednodes.This canbeachievedunderthecondition thattheadversary
cannot access some of the information exchanged by the legitimate parties.While this assumes a
weaker adversary than the one tolerated with the asymmetric signatures, this model can still be
practicalinsomesituationsandhastheadvantageofeÆciencyoeredbythesymmetricsignatures.
Combining tamper evidence with other features. The tamper-evidencecanbecombined
with other securityimprovements forsignatures: e.g., our constructions can be easily generalized
totheforward-secure [BM99]orintrusion-resilient models[IR02,Itk02].
Monotone Signatures. The monotone signatures were dened by Naccache, Pointcheval and
Tymenin[NPT01].Thesesignaturesallowupdatingthevericationalgorithm.Then,thelegitimate
signercanrevealsomesecretsunderduress.Thiswouldallowtheextortionisttogeneratesignatures
validunderthecurrentvericationalgorithm.However,when thesignerisreleased,he canupdate
thevericationalgorithm in such a waythat all thesignatures generated bythelegitimate signer
remain valid under the new verication procedure as well; but the signatures generated by the
extortionist areno longervalid.
In contrast totamper-evident or forward-secure signatures, the denitions of [NPT01] do not
include thepossibilityof also updating thesigner keys. We propose tousekey-evolving monotone
signaturesinstead.Thenwecanachievethemainfeaturesofthemonotonesignaturesdirectlyfrom
the tamper-evident signatures: The verication algorithm would include checking for tampering
using Div and a signaturefortime period t 1. The signer would maintain a \correct"version of
the secret key, as well as a version \diverged" in the current period. This divergence cannot be
detectedagainst thesignatureof the\pre-diversion" period t 1,usedinthecurrentverication.
Thus, the signer can release that diverged version under duress. Afterwards, he can update the
vericationbyincludingasignaturefortheperiodt.Theattackercanbepreventedfromgenerating
earliersignatures bycombining the above with theforward-security.This method iscertainly not
anymoreeÆcientthantheoriginalconstructionsof[NPT01];itisgivenheresolelytoillustratethe
connectionofthetwoconcepts.However,theeÆciencyofthemonotonesignaturescanbeimproved
bythekey-evolution:this approachis furtherdeveloped in[Itk03].
thatF cannotobtainanysignaturesfromSaftert
e
.Thenwemayattemptthefollowingapproach.
Denesomemetriconthespaceofpublickeys,andrestrictthedistancebetweenconsecutivepublic
keysS
i :PK;S
i+1
:PK,sothatthere isstill amultiplechoiceforthenextpublickey.Thenevolution
ofthesignercorrespondstoarandomwalk.Wecannowtrytoutilizethepropertythatwithinone
random walk, the distance between the positions at times t
1 ;t
2
is likely to be noticeably smaller
than the positions corresponding to t
1 and t
2
on two dierent random walks (which diverged at
someprevioustimet
e
).Itisunlikely,however,thatthisapproachwillimproveonourresultsabove.
Other possible directions for future research include considering more interactive models of
authentication (e.g., zero-knowledge proofs of identity [FS86,FFS88]), and extending Div to use
more than two signatures to detect tampering (such an extension may impact some of the
PKI-related issuesdiscussed inthissection)
6 Acknowledgments
The author is very grateful to Leonid Levin and Drue Coles for useful discussions. In particular,
discussions with Drue were instrumental in crystallizing the key concepts, while Leonid pointed
out the lower bound for the subset separation strongly tamper-evidence schemes. The author is
also grateful to the anonymous referees for their comments, and in particular, for pointing the
connection with the monotone signatures. Finally, thanks to Drue and Peng Xie for their very
helpfulcommentson thepreliminary draftsofthe paper.
References
[And97] RossAnderson. Invitedlecture. FourthAnnualConferenceonComputerandCommunicationsSecurity,
ACM(seehttp://www.ftp.cl.cam.ac.uk/ftp/users/rja14/forwardsecure.pdf),1997.
[AR00] MichelAbdallaandLeonidReyzin.Anewforward-securedigitalsignaturescheme. InTatsuakiOkamoto,
editor,AdvancesinCryptology|ASIACRYPT2000,volume1976ofLectureNotesinComputer Science,
pages116{129,Kyoto,Japan,3{7December2000.Springer-Verlag. Fullversionavailablefromthe
Cryp-tologyePrintArchive,record2000/002,http://eprint.iacr.or g/ .
[BF97] D.BonehandM.Franklin.EÆcientgenerationofsharedRSAkeys.InProc.17thInternationalAdvances
inCryptologyConference{CRYPTO'97,pages425{439,1997.
[BFN98] M.Blaze,J.Feigenbaum,andM.Naor. A formaltreatmentofremotelykeyedencryption. InAdvances
inCryptology{EUROCRYPT'98,pages251{265,1998.
[Bla95] MattBlaze. High-bandwidthencryptionwithlow-bandwidthsmartcards. Technicalreport,AT&TBell
Laboratories,October1995.ftp://research.att.com/dist/mab/cardcipher.ps.Draft.
[Bla96] MattBlaze.High-bandwidthencryptionwithlow-bandwidthsmartcards.InDieterGrollman,editor,Fast
SoftwareEncryption:ThirdInternationalWorkshop,volume1039ofLectureNotesinComputer Science,
pages33{40,Cambridge,UK,21{23February1996.Springer-Verlag.
[BM99] Mihir Bellare and SaraMiner. A forward-secure digitalsignature scheme. In Michael Wiener, editor,
AdvancesinCryptology|CRYPTO'99,volume1666ofLectureNotesinComputerScience,pages431{448.
Springer-Verlag,15{19August1999.Revisedversionisavailablefromhttp://www.cs.ucsd.edu /~ mi hir /.
[CDH +
00] RanCanetti,YevgeniyDodis,ShaiHalevi,EyalKushilevitz,andAmitSahai.Exposure-resilientfunctions
and all-or-nothing transforms. In Bart Preneel,editor, Advances in Cryptology|EUROCRYPT 2000,
volume1807ofLectureNotesinComputerScience,pages453{469.Springer-Verlag,14{18May2000.
[CHH00] RanCanetti,ShaiHalevi,andAmirHerzberg.Maintainingauthenticatedcommunicationinthepresence
ofbreak-ins. Journalof Cryptology,13(1):61{105,January2000.
[DF89] Yvo Desmedt and Yair Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in
Cryptology|CRYPTO'89, volume435of LectureNotes inComputer Science,pages307{315.
Springer-Verlag,1990,20{24August1989.
[DKXY] YevgeniyDodis,JonathanKatz,ShouhuaiXu,andMotiYung. Strongkey-insulatedsignatureschemes.
UnpublishedManuscript.
[FFS88] Uriel Feige, Amos Fiat, and Adi Shamir. Zero-knowledge proofs of identity. Journal of Cryptology,
1(2):77{94,1988.
[FS86] Amos Fiat and Adi Shamir. How to prove yourself:Practical solutions to identicationand signature
problems.InAndrewM.Odlyzko,editor,AdvancesinCryptology|CRYPTO'86,volume263ofLecture
NotesinComputerScience,pages186{194.Springer-Verlag,1987,11{15August1986.
[GMR88] ShaGoldwasser,SilvioMicali,andRonaldL.Rivest. Adigitalsignatureschemesecureagainstadaptive
chosen-messageattacks.SIAMJournalonComputing,17(2):281{308,April1988.
[HJJ +
97] AmirHerzberg,MarkusJakobsson,Stanis lawJarecki,HugoKrawczyk,andMotiYung. Proactivepublic
keyandsignaturesystems.InFourthACMConferenceonComputerandCommunicationSecurity,pages
100{110.ACM,April1{41997.
[HJJY00] JohanHastad,JakobJonsson,AriJuels,andMotiYung.Funkspielschemes:analternativetoconventional
tamperresistance. InProceedingsofthe7thACMconferenceonComputerandcommunicationssecurity,
pages125{133.ACMPress,2000.
[IR01] GeneItkisandLeonidReyzin.Forward-securesignatureswithoptimalsigningandverifying.InJoeKilian,
editor,AdvancesinCryptology|CRYPTO2001,volume2139ofLectureNotesinComputerScience,pages
332{354.Springer-Verlag,19{23August2001.
[IR02] GeneItkisandLeonidReyzin.Intrusion-resilientsignatures,ortowardsobsoletionofcerticaterevocation.
In Moti Yung, editor, Advances in Cryptology|CRYPTO 2002, Lecture Notes in Computer Science.
Springer-Verlag,18{22August2002. Availablefromhttp://eprint.iacr.org /20 02 /0 54 /.
[Itk02] GeneItkis. Intrusion-resilientsignatures:Genericconstructions,ordefeatingstrongadversarywith
mini-malassumptions. InThirdConference onSecurityinCommunicationNetworks(SCN'02)[SCN02].
[Itk03] GeneItkis. Key-evolvingmonotonesignatures. draft,2003.
[Knu02] LarsKnudsen,editor.AdvancesinCryptology|EUROCRYPT2002,LectureNotesinComputerScience.
Springer-Verlag,28April{2May2002.
[KR02] AntonKozlovandLeonidReyzin. Forward-secure signatureswithfastkeyupdate. InThirdConference
onSecurityinCommunicationNetworks(SCN'02)[SCN02].
[Kra00] HugoKrawczyk.Simpleforward-securesignaturesfromanysignaturescheme.InSeventhACMConference
onComputerandCommunicationSecurity.ACM,November1{42000.
[Luc97] Stefan Lucks. On the security of remotely keyedencryption. In Eli Biham,editor, Fast Software
En-cryption:4thInternationalWorkshop,volume1267ofLectureNotesinComputerScience,pages219{229,
Haifa,Israel,20{22January1997.Springer-Verlag.
[MMM02] Tal Malkin, Daniele Micciancio, and Sara Miner. EÆcient generic forward-secure signatures with an
unboundednumberoftimeperiods. InKnudsen[Knu02].
[NPT01] DavidNaccache,DavidPointcheval,andChristopheTymen.Monotonesignatures.InP.Syverson,editor,
Financial Cryptography, volume 2339 of Lecture Notes in Computer Science, pages 305{318.
Springer-Verlag,2001.
[OY91] RafailOstrovsky andMotiYung. Howtowithstandmobilevirusattacks. In10-thAnnual ACM Symp.
onPrinciplesofDistributedComputing,pages51{59,1991.
[Ped91] TorbenPrydsPedersen. Athresholdcryptosystemwithoutatrustedparty(extendedabstract).InD.W.
Davies, editor, Advances in Cryptology|EUROCRYPT 91, volume 547 of Lecture Notes in Computer
Science,pages522{526.Springer-Verlag,8{11April1991.
[PP97] Torben Pryds Pedersen and Birgit Ptzmann. Fail-stop signatures. SIAM Journal on Computing,
26(2):291{330,1997.
[Riv98] Ronald L.Rivest. Canweeliminate certicate revocation lists? InRafael Hirschfeld,editor, Financial
Cryptography,volume1465ofLectureNotesinComputerScience.Springer-Verlag,1998.
[SCN02] ThirdConferenceonSecurityinCommunicationNetworks(SCN'02),LectureNotesinComputerScience.
