Fully Forward-Secure Group Signatures
- Benoît LibertAffiliated withICTEAM Institute, Université catholique de Louvain
- , Moti YungAffiliated withGoogle Inc. and Columbia University
When embedding cryptographic tools in actual computing systems, it is important to ensure physical layer protection to cryptographic keys. A simple risk analysis shows that taking advantage of system (i.e., hardware, software, network) vulnerabilities is usually much easier than cryptanalyzing the cryptographic primitives themselves. For-ward-secure cryptosystems, in turn, are one of the suggested protective measures, where private keys periodically evolve in such a way that, if a break-in occurs, past uses of those keys in earlier periods are protected.
Group signatures are primary privacy-preserving credentials that enable both, non-repudiation and abuser-tracing. In 2001, Song argued why key exposures may cause even greater concerns in the context of group signatures (namely, under the mask of anonymity within a group of other key holders). She then gave two examples of forward-secure group signatures, and argued their ad hoc properties based on the state of understanding of group signature security properties at that time (proper security models had not been formalized yet). These implementations are fruitful initial efforts, but still suffer from certain imperfections. In the first scheme for instance, forward security is only guaranteed to signers as long as the group manager’s private key is safe. Another scheme recently described by Nakanishi et al. for static groups also fails to maintain security when the group manager is compromised.
In this paper, we reconsider the subject and first formalize the notion of “fully forward-secure group signature” (FS-GS) in dynamic groups. We carefully define the correctness and security properties that such a scheme ought to have. We then give a realization of the primitive with quite attractive features: constant-size signatures, constant cost of signing/verifying, and at most polylog complexity of other metrics. The scheme is further proven secure in the standard model (no random oracle idealization is assumed).
KeywordsKey Exposure Security Modeling Key Protection Forward Security Anonymity Group Signature
- Fully Forward-Secure Group Signatures
- Book Title
- Cryptography and Security: From Theory to Applications
- Book Subtitle
- Essays Dedicated to Jean-Jacques Quisquater on the Occasion of His 65th Birthday
- pp 156-184
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Key Exposure
- Security Modeling
- Key Protection
- Forward Security
- Group Signature
- Industry Sectors
- eBook Packages
To view the rest of this content please follow the download PDF link above.