Weak Forward Security in Mediated RSA

  • Gene Tsudik
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2576)


Mediated RSA (mRSA) [1] is a simple and practical method of splitting RSA private keys between the user and the Security Mediator (SEM). Neither the user nor the SEM can cheat the other, since every signature or decryption must involve both parties. mRSA allows fast and fine-grained control (revocation) of users' security privileges. Forward security is an important and desirable feature for signature schemes. Despite some notable recent results, no forward-secure RSA variant has been developed. In this paper (abstract), we show how weak forward security can be efficiently obtained with mediated RSA. We consider several methods, based on both multiplicative and additive mRSA, and discuss their respective merits.
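The key split the abstract describes, as an added example that is not from the paper: the RSA private exponent d is shared between user and SEM either additively (d = d_u + d_sem mod φ(n)) or multiplicatively (d = d_u · d_sem mod φ(n)), so a signature needs one partial exponentiation from each side, and the SEM revokes a user simply by refusing its half. The toy primes, the `SEM` class and the hash-and-reduce message encoding are constructed for this demonstration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: far too small for real use, chosen so the demo runs instantly.
P, Q = 10007, 10009
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # full private exponent; only the CA sees it, at key-setup time

def encode(msg: bytes) -> int:
    """Hash-and-reduce stands in for a real signature encoding such as PKCS#1."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def split_additive(d: int):
    """Additive mRSA: d = d_u + d_sem (mod phi); each half alone is a random exponent."""
    d_u = secrets.randbelow(PHI)
    return d_u, (d - d_u) % PHI

def split_multiplicative(d: int):
    """Multiplicative mRSA: d = d_u * d_sem (mod phi); d_u must be invertible mod phi."""
    d_u = secrets.randbelow(PHI)
    while gcd(d_u, PHI) != 1:
        d_u = secrets.randbelow(PHI)
    return d_u, (d * pow(d_u, -1, PHI)) % PHI

class SEM:
    """Security Mediator: keeps every user's d_sem plus a revocation list."""
    def __init__(self):
        self.shares = {}     # user id -> d_sem
        self.revoked = set()

    def half_sign(self, user: str, m: int) -> int:
        if user in self.revoked:  # revocation = the SEM simply stops cooperating
            raise PermissionError(f"{user} is revoked; SEM withholds its half")
        return pow(m, self.shares[user], N)

def sign_additive(sem: SEM, user: str, d_u: int, msg: bytes) -> int:
    m = encode(msg)
    return (pow(m, d_u, N) * sem.half_sign(user, m)) % N  # m^(d_u+d_sem) = m^d

def sign_multiplicative(sem: SEM, user: str, d_u: int, msg: bytes) -> int:
    m = encode(msg)
    return pow(sem.half_sign(user, m), d_u, N)  # (m^d_sem)^d_u = m^d

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == encode(msg)
```

Both variants produce the same ordinary RSA signature, so verifiers need not know that the key was ever split; the forward-security constructions in the paper build on exactly these two splits.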






References

  1. D. Boneh, X. Ding, G. Tsudik, and B. Wong, "Instantaneous revocation of security capabilities," in Proceedings of the USENIX Security Symposium 2001, Aug. 2001.
  2. R. Anderson, "Invited lecture at the ACM Conference on Computer and Communications Security (CCS'97)," 1997.
  3. H. Krawczyk, "Simple forward-secure signatures from any signature scheme," in ACM Conference on Computer and Communications Security (CCS'00), 2000.
  4. G. Itkis and L. Reyzin, "Forward-secure signatures with optimal signing and verifying," in CRYPTO'01, 2001.
  5. M. Bellare and S. Miner, "A forward-secure digital signature scheme," in CRYPTO'99, 1999.
  6. P. Gemmel, "An introduction to threshold cryptography," RSA CryptoBytes, vol. 2, no. 7, 1997.
  7. R. Ganesan, "Augmenting Kerberos with public-key cryptography," in Symposium on Network and Distributed Systems Security (T. Mayfield, ed.), San Diego, California, Internet Society, Feb. 1995.
  8. P. MacKenzie and M. K. Reiter, "Networked cryptographic devices resilient to capture," in Proceedings of the 2001 IEEE Symposium on Security and Privacy, pp. 12–25, May 2001.
  9. S. Kent and R. Atkinson, "RFC 2401: Security Architecture for the Internet Protocol," Nov. 1998.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Gene Tsudik, Department of Information and Computer Science, University of California, Irvine
