
HONG Jingxin

Communication Engineering Department of Xiamen University, Xiamen, Fujian, P. R. China, 361005

Email: hjx@xmu.edu.cn

ABSTRACT In this paper the widely used ECC digital signature scheme, ECDSA, is extended, and a new forward-secure digital signature scheme is proposed in order to overcome a limitation of ECDSA. In the new scheme the signature private key is controlled by a one-way function and changes continually from one period to the next as time goes by, while its public key remains the same. An attacker cannot forge older signatures even if the private key is leaked in some period of time. In this way the scheme guarantees the security of signatures from earlier phases. The validity of the new scheme is proved and its security is analyzed in the paper.

KEYWORDS ECC (elliptic curve cryptosystem), forward-secure, digital signature, provable security

1. INTRODUCTION

The widely used public key digital signature schemes are built on hard (NP) problems in mathematics [1]. The ECC digital signature constructs a discrete logarithm problem from the abelian additive group formed by the points on an elliptic curve [2], [3]. With the development of computer science and the communication business, the digital signature has become one of the most important means of guaranteeing the security of communication [1]. In practice, however, the signing private key may be leaked through flaws in the system or through human factors, so signatures may be forged, which has become a difficult security problem. This article, based on non-supersingular elliptic curves over the finite field $GF(2^n)$ of characteristic 2 [4], [5], puts forward a forward-secure digital signature scheme.

2. NON-SUPERSINGULAR ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM (ECDSA) [4]

For a non-supersingular elliptic curve, the digital signature algorithm ECDSA is described as follows.

Select a rational point $G$ on $E(GF(2^n))$, called the base point, and find a prime number $n$ satisfying $nG = O$; select a one-way secure hash function $h(m)$ [1] (such as SHA-1). Each system user has a private key $a$ and calculates the public key $P_a = aG$. If user A wants to sign the message $m$, the scheme is:

(1) User A selects an integer $k$ at random, $0 < k < n$, and calculates $kG = (x, y)$ and $r = x \bmod n$; if $r = 0$, return to (1).

(2) Calculate $e = h(m)$ and $s = k^{-1}(e + ra) \bmod n$; if $s = 0$, return to (1).

(3) Take $(r, s)$ as the digital signature of message $m$ by A.

Verification of the digital signature:

(1) Calculate $e_1 = h(m_1)$, $u = s^{-1}e_1 \bmod n$, $v = s^{-1}r \bmod n$.

(2) Calculate $X = uG + vP_a = s^{-1}(e_1G + raG) = s^{-1}(e_1 + ra)G = k'G = (x_1, y_1)$.

(3) If $X = O$, the signature is rejected; otherwise calculate $r_1 = x_1 \bmod n$, and if $r = r_1$ the verifier accepts the signature.

3. BACKGROUND ON FORWARD-SECURE DIGITAL SIGNATURES [5]

1-4244-1035-5/07/$25.00 ©2007 IEEE. 254

The forward-secure scheme aims at eliminating a limitation of ordinary digital signatures. With an ordinary digital signature, if a signatory's private key is leaked, all signatures from him may be compromised, including those made in the past and those made in the future. This limitation undermines the non-repudiation that a signature should provide: in fact, the simplest way for a signatory to deny his signature is to publish his secret key anonymously and then declare that his computer was broken into. The goal of the forward-secure scheme is to ensure that an attacker still cannot forge signatures from past periods even if the signing private key is leaked in some period of time. In this way the scheme guarantees the security of signatures from earlier phases, and clearly reduces and contains the cost caused by a private key leak. Unlike ordinary signature schemes, the forward-secure digital signature's private key changes continually from one period to the next as time goes by, while its public key remains the same. Normally, when a system is set up, a user first registers a certificate and obtains a public key $PK$ and the corresponding private key $K_0$, which he keeps secret. He then divides the validity period of the secret key into $T$ phases, numbered $1, 2, \dots, T$. During the validity period the public key $PK$ is invariant, while the private key is updated from one phase to the next. Let $K_i$ denote the private key of phase $i$. When phase $i$ begins, the private key is first transformed from $K_{i-1}$ to $K_i$ with the formula $K_i = f(K_{i-1})$, where $f()$ is a one-way function, and $K_{i-1}$ must be deleted as soon as $K_i$ is obtained. Even if an attacker breaks into the computer and obtains $K_i$, he cannot obtain $K_{i-1}, K_{i-2}, \dots, K_0$, because doing so would require solving a hard discrete logarithm problem. In this way the security of past signatures is ensured. Fig. 1 shows the private key's updating process:

$K_0 \xrightarrow{f} K_1 \xrightarrow{f} K_2 \xrightarrow{f} \cdots \xrightarrow{f} K_T$ (phase 1, phase 2, …, phase $T$)

Fig. 1 The private key's updating process

4. THE NEW FORWARD-SECURE DIGITAL SIGNATURE SCHEME

We select a rational point $G = (x, y)$ on $E(GF(2^n))$ as the base point and compute $n$, the order of $G$; here $n$ is a prime number satisfying $nG = O$. We also select a one-way secure hash function $h(m)$ (such as SHA-1).

4.1 Generation of the signatory's first key pair

(1) Divide the validity period of the signature private key into $T$ phases (for example, one day per phase), and select three random numbers $(q, k_0, K_0)$ with $0 < q, k_0, K_0 < n$, where $q$ has the same order as $n$;

(2) Calculate $P_0 = k_0K_0G$;

(3) Publish the system public key $\{T, q, P_0\}$; the primary private key $\{K_0, k_0\}$ must be kept secret.

4.2 Signatory's private key updating algorithm

The signatory's private key update algorithm is defined as

$K_i = K_{i-1}^{\,q} \bmod n$

with the following definitions:

$s_1 = k_1k_0^{-1}K_0^{\,q-1} \bmod n$

$s_2 = k_2k_1^{-1}K_1^{\,q-1} \bmod n = k_2k_1^{-1}K_0^{\,q(q-1)} \bmod n = k_2k_1^{-1}\left(k_0k_1^{-1}s_1\right)^{q} \bmod n$

$s_3 = k_3k_2^{-1}K_2^{\,q-1} \bmod n = k_3k_2^{-1}K_1^{\,q(q-1)} \bmod n = k_3k_2^{-1}\left(k_1k_2^{-1}s_2\right)^{q} \bmod n$


…

We get the public key update algorithm as the private key is updated:

$P_1 = k_1K_1G = k_1k_0^{-1}k_0K_0^{\,q}G = k_1k_0^{-1}K_0^{\,q-1}k_0K_0G = k_1k_0^{-1}K_0^{\,q-1}P_0 = s_1P_0$

$P_2 = k_2K_2G = k_2k_1^{-1}k_1K_1^{\,q}G = k_2k_1^{-1}K_1^{\,q-1}k_1K_1G = k_2k_1^{-1}K_1^{\,q-1}P_1 = s_2P_1 = s_2s_1P_0$

$P_3 = k_3K_3G = k_3k_2^{-1}k_2K_2^{\,q}G = k_3k_2^{-1}K_2^{\,q-1}k_2K_2G = k_3k_2^{-1}K_2^{\,q-1}P_2 = s_3P_2 = s_3s_2s_1P_0$

…

Based on the above discussion, the private key update algorithm is defined as follows.

When phase 1 begins, the signatory selects a random number $k_1$, where $1 < k_1 < n$, and:

(1) Calculates $s_1 = k_1k_0^{-1}K_0^{\,q-1} \bmod n$ and $S_1 = s_1$;

(2) Calculates the private key $K_1 = K_0^{\,q} \bmod n$;

(3) Deletes $K_0$, publishes $S_1$ and keeps $\{K_1, k_0, k_1, s_1\}$ as the new private key for phase 1.

When phase $i$ begins, $2 \le i \le T$, the signatory selects a random number $k_i$, where $1 < k_i < n$, and:

(1) Uses $K_{i-1}$, the private key of phase $i-1$, to calculate $K_i = K_{i-1}^{\,q} \bmod n$;

(2) Uses $s_{i-1}$ to calculate $s_i = k_ik_{i-1}^{-1}\left(k_{i-2}k_{i-1}^{-1}s_{i-1}\right)^{q} \bmod n$ and $S_i = s_iS_{i-1} \bmod n$;

(3) Deletes $K_{i-1}$, $k_{i-2}$ and $s_{i-1}$, publishes $S_i$ and keeps $\{K_i, k_{i-1}, k_i, s_i\}$ as the new private key for phase $i$.

4.3 Signature procedure

(1) Select a random number $k$, $0 < k < n$, and calculate $kG = (x, y)$ and $r = x \bmod n$; if $r = 0$, return to (1).

(2) Calculate $e = h(m)$ and $s = k^{-1}(e + rk_iK_i) \bmod n$; if $s = 0$, return to (1).

(3) Take $(r, S_i, s)$ as the digital signature of message $m$ by the signatory.

4.4 Verification procedure

(1) Calculate $e_1 = h(m_1)$, $u = s^{-1}e_1 \bmod n$, $v = s^{-1}r \bmod n$.

(2) Calculate $X = uG + vS_iP_0 = (x_1, y_1)$.

(3) If $X = O$, the signature is rejected; otherwise calculate $r_1 = x_1 \bmod n$, and if $r = r_1$ the verifier accepts the signature.

4.5 Proof of the scheme's validity

Since $S_iP_0 = P_i = k_iK_iG$, we have $X = uG + vS_iP_0 = s^{-1}(e_1G + rS_iP_0) = s^{-1}(e_1G + rk_iK_iG) = s^{-1}(e_1 + rk_iK_i)G = k'G = (x_1, y_1)$.

If $e = e_1$ then $X = kG$.


The validation of the scheme is proved.

5. THE NEW SCHEME’S PROVABLE SECURITY ANALYSIS

Using the complexity-theoretic method (provable security theory [6]), the new scheme's security can be divided into the security complexity of the signature and verification procedure and the security complexity of the private key update. The new scheme's signature and verification procedure is the same as in ECDSA; the only difference is that in ECDSA the public key $P_0$ stays the same, whereas in the new scheme the equivalent public key changes to $P_i = S_iP_0$ when phase $i$ begins. Since the security of ECDSA has been proved [4], the only thing left to prove is that if the private key $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, the private keys $K_{i-2}, \dots, K_0$ cannot be obtained.

The private key update algorithm $K_i = K_{i-1}^{\,q} \bmod n$ can be treated as a one-way function, since calculating $K_{i-1}$ from $K_i$ is as hard as the discrete logarithm problem. The other ways to obtain the private keys $K_{i-1}, K_{i-2}, \dots, K_0$ are:

(1) Calculate $K_{i-1}$ directly from $K_i = K_{i-1}^{\,q} \bmod n$.

(2) From the equation $S_i = s_iS_{i-1} \bmod n$, $s_{i-1}$ can be obtained from $S_{i-1}$ and $S_{i-2}$; if all $S_i$ are collected, all $s_i$ can be obtained too. If $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, the way to obtain $k_{i-2}$ is from the equation $s_i = k_ik_{i-1}^{-1}\left(k_{i-2}k_{i-1}^{-1}s_{i-1}\right)^{q} \bmod n$, and another way to obtain $K_{i-1}$ is from the equation $s_i = k_ik_{i-1}^{-1}K_{i-1}^{\,q-1} \bmod n$.

(3) From the equations $s_i = k_ik_{i-1}^{-1}K_{i-1}^{\,q-1} \bmod n$ and $K_i = K_{i-1}^{\,q} \bmod n$ we get $K_{i-1} = k_ik_{i-1}^{-1}s_i^{-1}K_i \bmod n$. If $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, $K_{i-1}$ can be calculated from $K_{i-1} = k_ik_{i-1}^{-1}s_i^{-1}K_i \bmod n$, but $K_{i-2}$ cannot be calculated from $K_{i-2} = k_{i-1}k_{i-2}^{-1}s_{i-1}^{-1}K_{i-1} \bmod n$ because $k_{i-2}$ is unknown.

Based on the above analysis, we conclude that in the new scheme, obtaining the private keys $K_{i-2}, \dots, K_0$ from the leaked key $\{K_i, k_{i-1}, k_i, s_i\}$ has the same complexity as the discrete logarithm problem $K_i = K_{i-1}^{\,q} \bmod n$.
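The following worked example is added here and is not code from the paper: it implements the ECDSA of section 2, the key-pair generation, phase update, signing and verification of section 4, and the one-step recovery of $K_{i-1}$ from a leaked phase key discussed in section 5. It assumes the well-known secp256k1 curve over a prime field in place of the paper's curve over $GF(2^n)$, since the scheme only needs scalar multiplication of a base point $G$ of prime order $n$, and it uses SHA-256 as $h(m)$; the class and function names (ForwardSecureSigner, fs_verify, recover_prev_K, demo) are our own.

```python
import hashlib
import secrets

# Curve group: secp256k1 (well-known constants), used as a stand-in for the paper's
# curve over GF(2^n); the scheme only needs a base point G of prime order n.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # the point at infinity O

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P), covering O and doubling."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(m):
    """h(m) reduced mod n; SHA-256 is our choice, the paper names SHA-1 as an example."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def ecdsa_sign(d, m):
    """Section 2 signing with private scalar d: s = k^-1 (e + r d) mod n."""
    while True:
        k = secrets.randbelow(N - 1) + 1                   # 0 < k < n
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (h(m) + r * d) % N
        if r and s: return r, s                            # retry when r == 0 or s == 0

def ecdsa_verify(pub, m, r, s):
    """Section 2 verification: X = uG + v*pub, accept iff X != O and x1 mod n == r."""
    if not (0 < r < N and 0 < s < N): return False
    sinv = pow(s, -1, N)
    X = ec_add(ec_mul(sinv * h(m) % N, G), ec_mul(sinv * r % N, pub))
    return X is not INF and X[0] % N == r

class ForwardSecureSigner:
    """Section 4: P0 = k0 K0 G is fixed; the phase-i private key is {K_i, k_{i-1}, k_i, s_i}
    and the published S_i yields the equivalent public key P_i = S_i P0 = k_i K_i G."""

    def __init__(self, q, k0, K0):
        self.q, self.K, self.k_cur = q, K0, k0             # phase 0 holds K_0 and k_0
        self.k_prev = self.s = None
        self.S, self.phase = 1, 0                          # S_0 = 1 so that P_0 = S_0 P0
        self.P0 = ec_mul(k0 * K0 % N, G)

    def next_phase(self, k_new):
        """Update 4.2: K_i = K_{i-1}^q, s_i = k_i k_{i-1}^-1 K_{i-1}^(q-1), S_i = s_i S_{i-1} (mod n)."""
        k_inv = pow(self.k_cur, -1, N)
        if self.phase == 0:                                # phase 1: direct formula
            s_new = k_new * k_inv * pow(self.K, self.q - 1, N) % N
        else:                                              # phase i >= 2: recurrence on s_{i-1}
            s_new = k_new * k_inv * pow(self.k_prev * k_inv * self.s % N, self.q, N) % N
        self.K = pow(self.K, self.q, N)                    # overwriting K_{i-1} deletes it
        self.k_prev, self.k_cur, self.s = self.k_cur, k_new, s_new  # k_{i-2}, s_{i-1} dropped
        self.S, self.phase = self.S * s_new % N, self.phase + 1
        return self.S                                      # S_i is published

    def sign(self, m):
        """Section 4.3: ECDSA with private scalar k_i K_i; the signature is (r, S_i, s)."""
        r, s = ecdsa_sign(self.k_cur * self.K % N, m)
        return r, self.S, s

def fs_verify(P0, m, sig):
    """Section 4.4: verify (r, S_i, s) against the equivalent public key S_i P0."""
    r, S_i, s = sig
    return ecdsa_verify(ec_mul(S_i, P0), m, r, s)

def recover_prev_K(K_i, k_prev, k_cur, s_i):
    """Section 5: from a leaked {K_i, k_{i-1}, k_i, s_i}, K_{i-1} = k_i k_{i-1}^-1 s_i^-1 K_i mod n
    follows algebraically; repeating the step for K_{i-2} would need the deleted k_{i-2}."""
    return k_cur * pow(k_prev, -1, N) * pow(s_i, -1, N) * K_i % N

def demo():
    """Constructed run: two updates, a phase-2 signature, verification, and the recovery step."""
    rnd = lambda: secrets.randbelow(N - 2) + 2
    signer = ForwardSecureSigner(q=rnd(), k0=rnd(), K0=rnd())
    signer.next_phase(rnd())
    K1 = signer.K                                          # retained only to check the analysis
    signer.next_phase(rnd())
    sig = signer.sign(b"phase-2 message")
    ok = fs_verify(signer.P0, b"phase-2 message", sig) and not fs_verify(signer.P0, b"other", sig)
    same_pub = ec_mul(signer.S, signer.P0) == ec_mul(signer.k_cur * signer.K % N, G)
    leaked = (signer.K, signer.k_prev, signer.k_cur, signer.s)
    return ok and same_pub and recover_prev_K(*leaked) == K1
```

Calling demo() returns True when the phase-2 signature verifies against $S_2P_0$ and a different message does not, when $S_2P_0$ equals $k_2K_2G$ (which holds only if the recurrence form of $s_2$ from 4.2 agrees with the direct form used for $s_1$), and when the section-5 step recovers $K_1$ from the phase-2 key $\{K_2, k_1, k_2, s_2\}$. The same step cannot be repeated for $K_0$ inside next_phase's state, because $k_0$ was dropped when phase 2 began.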

6. CONCLUSIONS

Under the assumption that factoring and the discrete logarithm problem are intractable, this paper puts forward a forward-secure digital signature scheme based on the elliptic curve digital signature scheme ECDSA, proves the new scheme's validity and analyzes its security. Because the new scheme is designed so that an attacker still cannot forge signatures from past periods even if the signing private key is leaked in some period of time, it ensures the forward security of signatures, and the damage caused by a leaked key can be limited and controlled. Therefore the new scheme can be widely used in electronic commerce and similar applications.

REFERENCES

[1] Lu Kai-Cheng. Computer Cryptology: Data Secrecy and Security in Computer Networks [M]. Beijing: Tsinghua University Press, 2003.

[2] Johnson D, Menezes A. The elliptic curve digital signature algorithm. Technical Report CORR 99-31, Department of Combinatorics and Optimization, University of Waterloo, Canada, 1999.

[3] William Stallings. Cryptography and Network Security: Principles and Practice, Second Edition [M]. Yang Ming, Xu Guang-Hui, Qi Wang-Dong et al. (translators). Beijing: Publishing House of Electronics Industry, 2001.

[4] S. Vanstone. Responses to NIST's proposal. Communications of the ACM, 35:50-52, July 1992.

[5] M. Bellare, S. K. Miner. A forward-secure digital signature scheme. In: Proc. of CRYPTO '99. Berlin: Springer-Verlag, 1999. 431-448.

[6] M. Bellare. Practice-oriented provable-security. In: Damgard I, ed. Advances in Cryptology, Eurocrypt '99. LNCS 1561, Berlin: Springer-Verlag, 1999. 221-231.
