Monotone signatures

Abstract

In many real-life situations, massive quantities of signatures have to be issued on cheap passive supports (e.g. paper-based) such as bank-notes, badges, ID cards, driving licenses or passports (hereafter IDs); while large-scale ID replacements are costly and prohibitive, one may reasonably assume that the updating of verification equipment (e.g. off-line border checkpoints or mobile patrol units) is exceptionally acceptable. In such a context, an attacker using coercive means (e.g. kidnapping) can force the system authorities to reveal the infrastructure’s secret signature keys and start issuing signatures that are indistinguishable from those issued by the authority. The solution presented in this paper withstands such attacks up to a certain point: after the theft, the authority restricts the verification criteria (by an exceptional verification equipment update) in such a way that the genuine signatures issued before the attack become easily distinguishable from the fresher signatures issued by the attacker. Needless to say, we assume that at any point in time the verification algorithm is entirely known to the attacker.