Digital signature security is classically defined as an interaction between a signer $S_{sk}$, a verifier $V_{pk}$ and an attacker $A$. $A$ adaptively submits to $S_{sk}$ a sequence of messages $m_1, \cdots, m_q$, to which $S_{sk}$ replies with the signatures $U = \{\sigma_1, \cdots, \sigma_q\}$. Given $U$, $A$ attempts to produce a forgery, i.e. a pair $(m', \sigma')$ such that $V_{pk}(m', \sigma') = \text{true}$ and $\sigma' \notin U$. The traditional approach consists in hardening $S_{sk}$ against a large query bound $q$. Interestingly, this is only one specific way to prevent $A$ from winning the forgery game. This work explores an alternative option. Rather than hardening $S_{sk}$, we weaken $A$ by preventing him from influencing $S_{sk}$'s input: upon receiving $m_i$, $S_{sk}$ generates a fresh ephemeral signature key-pair $(sk_i, pk_i)$, uses $sk_i$ to sign $m_i$, erases $sk_i$, and outputs the signature together with a certificate on $pk_i$ computed using the long-term key $sk$. In other words, $S_{sk}$ only uses his permanent secret to sign inputs which are beyond $A$'s control (namely, freshly generated public keys). As the key-pairs are ephemeral, $q = 1$ by construction. We show that this paradigm, called autotomic signatures, transforms weakly secure signature schemes (secure against generic attacks only) into strongly secure ones (secure against adaptively chosen-message attacks). As a by-product of our analysis, we show that blending public-key information with the signed message can significantly increase security. © 2012 Springer-Verlag Berlin Heidelberg.
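The signing and verification procedure described above, as an added example in Go that is not from the paper: Ed25519 stands in for both the ephemeral and the long-term scheme (an assumption for illustration; the paper's argument concerns weakly secure schemes), the long-term key signs only the freshly generated $pk_i$, and $sk_i$ is zeroed after its single use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AutotomicSignature bundles the ephemeral signature on the message with the
// long-term certificate on the ephemeral public key pk_i.
type AutotomicSignature struct {
	EphemeralPub ed25519.PublicKey // pk_i, freshly generated for this message
	Sig          []byte            // sigma_i = Sign(sk_i, m_i)
	Cert         []byte            // Sign(sk, pk_i): the long-term key only ever signs fresh public keys
}

// AutotomicSign is the signer S_sk of the abstract: generate (sk_i, pk_i), sign m with sk_i,
// certify pk_i with the long-term key, then erase sk_i so it is used exactly once (q = 1).
func AutotomicSign(longTerm ed25519.PrivateKey, m []byte) (AutotomicSignature, error) {
	pkI, skI, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return AutotomicSignature{}, err
	}
	sig := ed25519.Sign(skI, m)
	cert := ed25519.Sign(longTerm, pkI)
	for i := range skI { // erase the ephemeral secret
		skI[i] = 0
	}
	return AutotomicSignature{EphemeralPub: pkI, Sig: sig, Cert: cert}, nil
}

// AutotomicVerify is V_pk: accept only if pk_i is certified by the long-term key
// and the message signature verifies under pk_i.
func AutotomicVerify(longTermPub ed25519.PublicKey, m []byte, as AutotomicSignature) bool {
	if len(as.EphemeralPub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on malformed keys; reject instead
	}
	if !ed25519.Verify(longTermPub, as.EphemeralPub, as.Cert) {
		return false // uncertified ephemeral key
	}
	return ed25519.Verify(as.EphemeralPub, m, as.Sig)
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader) // constructed long-term key-pair
	m := []byte("constructed sample message")
	as, _ := AutotomicSign(sk, m)
	fmt.Println("valid:", AutotomicVerify(pk, m, as), "tampered:", AutotomicVerify(pk, []byte("other"), as))
}
```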
Naccache, D., & Pointcheval, D. (2012). Autotomic signatures. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6805 LNCS, 143–155. https://doi.org/10.1007/978-3-642-28368-0_12