Shared generation of random number with timestamp: How to cope with the leakage of the CA’s secret

Abstract

Public-key certificates play an important role in a public-key cryptosystem. In a public-key infrastructure, it is a presupposition that only the issuer of a signature knows the signing key. Since the security of all clients of the CA depends on the secrecy of the CA’s signing-key, CA’s will pose an attractive target for break-ins[1][2]. Once there is a leakage of information on the signing key, the whole system has to be reconstructed as quickly as possible in order to prevent the spread of damage. However, it requires a long time to reconstruct all certificates, because it involves large computation and communication. In this paper, we present a practical solution to cope with the leakage of the CA’s signing-key. In our protocol, two random number generators (RNG) generate distinct random numbers, and combine them to a random number utilized in the signature algorithm and the timestamp which cannot be forged without revealing the secret of both RNG. A verifier can check the timestamp and verify validity and time when the random number has been generated. That is, it is impossible for adversaries to forge arbitrary certificates without revealing the secret of both RNGs. We show a concrete protocol suitable for a digital signature scheme based on the discrete logarithm.