Weak Forward Security in Mediated RSA
Mediated RSA (mRSA) is a simple and practical method of splitting RSA private keys between the user and the Security Mediator (SEM). Neither the user nor the SEM can cheat the other, since every signature or decryption must involve both parties. mRSA allows fast and fine-grained control (revocation) of users' security privileges. Forward security is an important and desirable feature for signature schemes. Despite some notable recent results, no forward-secure RSA variant has been developed. In this paper (abstract), we show how weak forward security can be efficiently obtained with mediated RSA. We consider several methods, based on both multiplicative and additive mRSA, and discuss their respective merits.
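The abstract names two ways of splitting the RSA private exponent but does not spell them out. The following Python is an added illustration, not code from the paper: in additive mRSA the private exponent is split as d = d_u + d_SEM (mod phi(n)) and the two partial signatures are multiplied together; in multiplicative mRSA it is split as d = d_u * d_SEM (mod phi(n)) and the SEM exponentiates the user's partial result. Both yield the ordinary RSA signature, neither half verifies on its own, and revocation is simply the SEM refusing to contribute its half. The forward-security mechanism the paper proposes is not shown, since the abstract does not specify it. The class and function names, the toy 512-bit key size, the seeded key generation and the SHA-256-as-integer message encoding (no real signature padding) are all assumptions made for this example.

```python
"""Additive and multiplicative mRSA key splitting (illustrative, not the paper's code)."""
import hashlib
import math
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; enough for an illustration, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits: int, rng: random.Random):
    """Plain RSA key: returns (n, e, d, phi). phi is kept only to split d."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi), phi


def split_additive(d: int, phi: int, rng: random.Random):
    """d = d_u + d_sem (mod phi): each party exponentiates the hash independently."""
    d_u = rng.randrange(1, phi)
    return d_u, (d - d_u) % phi


def split_multiplicative(d: int, phi: int, rng: random.Random):
    """d = d_u * d_sem (mod phi): the SEM exponentiates the user's partial result."""
    while True:
        d_u = rng.randrange(2, phi)
        if math.gcd(d_u, phi) == 1:
            return d_u, (d * pow(d_u, -1, phi)) % phi


def _hash_to_int(msg: bytes, n: int) -> int:
    # Simplified encoding (assumption): SHA-256 digest as an integer below n.
    # Real deployments use a standard signature encoding such as PSS.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class SecurityMediator:
    """Holds the SEM half of each user's key; revocation = stop answering that user."""

    def __init__(self):
        self._shares = {}
        self._revoked = set()

    def enroll(self, uid: str, n: int, d_sem: int) -> None:
        self._shares[uid] = (n, d_sem)

    def revoke(self, uid: str) -> None:
        self._revoked.add(uid)

    def partial(self, uid: str, value: int):
        """Raise value to the SEM exponent, or refuse (None) if the user is revoked."""
        if uid in self._revoked or uid not in self._shares:
            return None
        n, d_sem = self._shares[uid]
        return pow(value, d_sem, n)


def sign_additive(uid, n, d_u, sem, msg):
    h = _hash_to_int(msg, n)
    ps_sem = sem.partial(uid, h)      # independent of the user's half; can run in parallel
    if ps_sem is None:
        return None
    ps_u = pow(h, d_u, n)
    return (ps_u * ps_sem) % n        # h^(d_u + d_sem) = h^d (mod n)


def sign_multiplicative(uid, n, d_u, sem, msg):
    h = _hash_to_int(msg, n)
    ps_u = pow(h, d_u, n)             # user goes first; SEM finishes the exponentiation
    return sem.partial(uid, ps_u)     # (h^d_u)^d_sem = h^d (mod n), or None if revoked


def verify(n, e, msg, sig) -> bool:
    return sig is not None and pow(sig, e, n) == _hash_to_int(msg, n)


def demo(seed: int = 7, bits: int = 512) -> dict:
    rng = random.Random(seed)        # seeded only so the example is reproducible
    n, e, d, phi = rsa_keygen(bits, rng)
    sem = SecurityMediator()
    msg = b"constructed sample message"   # constructed input
    add_u, add_sem = split_additive(d, phi, rng)
    mul_u, mul_sem = split_multiplicative(d, phi, rng)
    sem.enroll("alice-add", n, add_sem)
    sem.enroll("alice-mul", n, mul_sem)
    sig_add = sign_additive("alice-add", n, add_u, sem, msg)
    sig_mul = sign_multiplicative("alice-mul", n, mul_u, sem, msg)
    h = _hash_to_int(msg, n)
    out = {
        "additive_ok": verify(n, e, msg, sig_add),
        "multiplicative_ok": verify(n, e, msg, sig_mul),
        "both_equal_plain_rsa": sig_add == sig_mul == pow(h, d, n),
        "user_half_alone_ok": verify(n, e, msg, pow(h, add_u, n)),
    }
    sem.revoke("alice-add")
    sem.revoke("alice-mul")
    out["additive_after_revoke"] = sign_additive("alice-add", n, add_u, sem, msg)
    out["multiplicative_after_revoke"] = sign_multiplicative("alice-mul", n, mul_u, sem, msg)
    return out


if __name__ == "__main__":
    print(demo())
```

The additive form lets the user and the SEM compute their halves in parallel, while the multiplicative form forces a sequential round trip; both reconstruct exactly the signature a single holder of d would produce, which is why a verifier needs no knowledge that mediation took place.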
Keywords: Signature Scheme, Signature Request, Forward Security, Extra Exponentiation, Suitable Hash Function