Generalized key-evolving signature schemes or how to foil an armed adversary

Abstract

Key exposures, known or inconspicuous, are a real security threat. Recovery mechanisms from such exposures are required. For digital signatures such a recovery should ideally -and when possible-include invalidation of the signatures issued with the compromised keys. We present new signature schemes with such recovery capabilities. We consider two models for key exposures: full and partial reveal. In the first, a key exposure reveals all the secrets currently existing in the system. This model is suitable for the pessimistic inconspicuous exposures scenario. The partial reveal model permits the signer to conceal some information under exposure: e.g., under coercive exposures the signer is able to reveal a "fake" secret key. We propose a definition of generalized key-evolving signature scheme, which unifies forward-security and security against the coercive and inconspicuous key exposures (previously considered separately [5,18,11]). The new models help us address repudiation problems inherent in the monotone signatures [18], and achieve performance improvements. © Springer-Verlag Berlin Heidelberg 2003.