Protecting electronic signatures in case of key leakage

Abstract

We present a protection mechanism against forgery of electronic signatures with the original signing keys. It works for standard signatures based on discrete logarithm problem such as DSA. It requires only a slight modification of the signing device – an implementation of an additional hidden evidence functionality. We assume that neither verification mechanism can be altered nor extra fields can be added to the signature (both as signed and unsigned fields). Therefore, the old software for signature verification can be used without any change. On the other hand, if a forged signature emerges, the signatory may prove its inconsistency with a probability close to 1. Unlike fail-stop signatures, our method works not only against cryptanalytic attacks, but it is primarily designed for the case when the adversary gets the original signing key stored by the signing device of the user. Unlike cliptographic constructions designed to defend against malicious implementations, we consider catastrophic situation when the key has been already compromised. The technical idea we propose is an application of kleptography for good purposes. It is simple enough, efficient and almost self-evident to be ready for implementation of cryptographic smart cards of moderate storage and computational capabilities. Unfortunately, we have also to bring into attention that our scheme has a dark side and it can be used for leaking the keys via the recent subversion-resistant signatures by A. Russell, Q. Tang, M. Yung and H.-Sh.Zhou.