with Optimal Signing and Verifying
Gene Itkis
Leonid Reyzin y
April9, 2001
Abstract
Ordinarydigitalsignatureshaveaninherentweakness: ifthesecretkeyisleaked,thenallsignatures,
eventheonesgeneratedbeforetheleak,arenolongertrustworthy. Forward-securedigitalsignatureswere
recently proposed to addressthis weakness: theyensure that pastsignatures remain secure even ifthe
currentsecretkeyisleaked.
We propose the rst forward-secure signature scheme for which both signing and verifying are as
eÆcientas foroneof themosteÆcientordinarysignatureschemes (Guillou-Quisquater): each requiring
justtwomodularexponentiationswithashortexponent. Allpreviouslyproposedforward-securesignature
schemestooksignicantlylongerto signandverifythanordinarysignatureschemes.
Ourscheme requires only fractionalincreases to the sizes of keysand signatures, and no additional
public storage. Like the underlying Guillou-Quisquater scheme, our scheme is provably secure in the
randomoraclemodel.
BostonUniversityComputerScienceDept.,111CummingtonSt.,Boston,MA02215,USA.E-Mail:[email protected]
y
MITLaboratory for ComputerScience, 545Technology Square, Cambridge, MA02139, USA. E-Mail:[email protected].
URL:http://theory.lcs.mit.edu/~re yzin .
1 Introduction 3
2 Forward-secure digital signature schemes 4
2.1 Denitions. . . 4
2.2 Underlyinghardproblem . . . 5
3 Our tools 6 4 Our scheme 7 4.1 Main ideasforforwardsecurity . . . 7
4.2 The scheme . . . 9
4.3 EÆciency . . . 9
4.4 Security . . . 11
5 Further Improving EÆciency 12 5.1 Findingthee i 's faster . . . 12
5.2 Optimizingkey update . . . 12
A Details of the Proof of Theorem 4.1 17
The Purpose of Forward Security. Ordinarydigitalsignatureshaveafundamentallimitation: ifthe
secret key of asigner is compromised, allthe signatures(past andfuture) ofthat signer becomeworthless.
This limitation undermines, in particular, the non-repudiation property that digital signatures are often
intendedtoprovide. Indeed,oneoftheeasiestwaysforAlicetorepudiatehersignaturesistoposthersecret
keyanonymouslysomewhere on theInternetand claim tobe avictimof acomputer break-in. In principle,
various revocation techniques can be used to prevent users from accepting signatures with compromised
keys. However, even withthese techniquesinplace,theuserswho hadaccepted signaturesbefore thekeys
were compromised are now left at the mercy of the signer, who could (and, if honest, would) re-issue the
signatures withnew keys.
Forward-securesignatureschemes,rstproposedbyAndersonin[And97 ]and formalizedbyBellareand
Miner in [BM99], are intended to address this limitation. Namely, the goal of a forward-secure signature
scheme is to preserve the validity of past signatures even if the current secret key has been compromised.
ThisisaccomplishedbydividingthetotaltimevalidityperiodofagivenpublickeyintoT time periods, and
usingadierentsecretkeyineach timeperiod(whilethepublickeyremainsxed). Eachsubsequentsecret
key is computed from the current secret key via a key update algorithm. The time period duringwhich a
message is signedbecomes partof thesignature. Forward securitypropertymeansthat even ifthe current
secret keyis compromised, aforger cannot forgesignatures forpasttime periods.
Prior Schemes. Prior forward-secure signature schemes can be divided into two categories: those that
use (ina black-boxmanner)arbitrary signatureschemes, and those thatmodifyspecic signaturescheme.
Intherstcategory,theschemesusesomemethodinwhichamasterpublickeyisusedtocertify(perhaps
via achainofcerticates)thecurrentpublickeyforaparticulartimeperiod. Usually,theseschemesrequire
increases in storage space by noticeable factors in order to maintain the current (public) certicates and
the (secret) keys for issuing future certicates. They also require longer verication times than ordinary
signatures do, because the verier needs to verify the entire certicate chain in addition to verifying the
actual signatureon the message. There is,in fact, a trade-o between storage space and verication time.
The two best such schemes are the tree-based scheme of Bellare and Miner [BM99]
1
(requiring storage of
about lgT secret keys and non-secret certicates, and verication of about lgT ordinary signatures) and
the scheme of Krawczyk [Kra00 ] (requiring storage of T non-secret certicates, and verication of only 2
ordinarysignatures).
In the second category, there have been onlytwo schemes proposed so far (bothin the random oracle
model): thescheme of Bellareand Miner [BM99]based onthe Fiat-Shamirscheme [FS86 ], and thescheme
of Abdallaand Reyzin[AR00 ]based the2 t
-th root scheme [OO88 ,OS90,Mic94 ]. While needinglessspace
than theschemes inthe rst category, both[BM99] and [AR00]require signingand vericationtimes that
are linearinT.
Our Results. We propose a scheme in thesecond category, based on one of the most eÆcient ordinary
signature schemes,dueto Guillou-Quisquater[GQ88 ]. It usesjust two modularexponentiationswith short
exponentsforbothsigning andverifying.
Oursistherstforward-secureschemewhereboth signingandverifyingareas eÆcientasthe underlying
ordinary signature scheme. Moreover, in our scheme the space requirements for keys and signatures are
nearly the same to those in the underlying signature scheme (for realistic parametervalues, lessthan 50%
more).
Thepriceofourschemeisintherunningtimesofitskeygenerationandupdateroutines: botharelinear
inT (however, soiskeygenerationin[Kra00 ],[BM99]and[AR00]). We considerthisa worthwhilepriceto
payforsuch eÆcient signingand verifying,because keygenerationandupdateare(presumably)performed
1
Someimprovementstotree-basedschemeof[BM99](notaectingthisdiscussion)havebeenproposedin[AR00 ]and[MI].
storage of 1+log
2
T values,we canreduce the runningtimeof thekeyupdatealgorithm to belogarithmic
in T without aecting the other components(this, rather unexpectedly,involves a very nice application of
pebbling). Forrealisticparametervalues,thetotal storagerequirements,evenwiththeseadditionalsecrets,
are still less than inall priorschemes; the only exception is the [AR00 ]scheme, which has very ineÆcient
signing and verifying.
Our scheme is provably secure in the random oracle model based on a variant of the strong RSA as-
sumption.
2 Forward-secure digital signature schemes
2.1 Denitions
Thissectioncloselyfollowstheirrstformaldenitionof forwardsecuresignaturesproposedbyBellareand
Miner[BM99]. Theirdenition,inturn,isbasedontheGoldwasser,MicaliandRivest's[GMR88]denition
of (ordinary) digitalsignaturessecureagainst adaptive chosen message attacks.
Key Evolution. Theapproach taken byforward-secure schemesis to changethe secretkey periodically
(and require the owner to properlydestroy theold secret key 2
). Thuswe considerthe time to be divided
intotimeperiods;at theendofeach timeperiod,a newsecretkeyisproducedandtheoldone isdestroyed.
The numberof thetime period when a signaturewasproducedis partof the signatureand isinputto the
vericationalgorithm;signatures withincorrecttime periodsshouldnotverify.
Ofcourse,whilemodifyingthesecretkey,onewouldliketokeepthepublickeyxed. Thiscanbeachieved
byuseof a\master" public key,whichissomehowusedto certifythetemporarypublickey forthecurrent
time period (note however, than one needs to be careful not to keep around the corresponding \master"
secret key|itspresencewoulddefeatthepurposeofforwardsecurity). The rstsimpleincarnationof this
approach was proposed by [And97]; a very elegant tree-based solution was proposed by [BM99]; another
approach, based on generating all of thecerticates in advance, was putforward by[Kra00 ]. However, in
general, one can conceive of schemeswhere thepublickey stays xedbutno suchcerticates of per-period
publickeys arepresent (and,indeed,such schemesareproposedin[BM99,AR00 ],aswellasinthispaper).
The notion of a key-evolving signaturescheme captures, in full generality, the idea of a scheme with a
xed publickeyand avaryingsecret key. It is,essentially,a regularsignaturescheme withtheadditionsof
timeperiodsandthekeyupdatealgorithm. Notethatthisnotionispurelyfunctional: securityisaddressed
separately, in the denition of forward security (which is the appropriate security notion for key-evolving
signature schemes).
Thus,akey-evolvingdigitalsignatureschemeisaquadrupleofalgorithms,FSIG=(FSIG:key;FSIG:update;
FSIG:sign;FSIG:vf),where:
FSIG:key, the key generation algorithm, is a probabilistic algorithm which takes as input a security
parameterk2N(giveninunaryas1 k
)andthetotalnumberofperiodsT andreturnsapair(SK
1
;PK),
theinitialsecret keyand thepublickey;
FSIG:sign , the(possibly probabilistic) signing algorithm, takes as inputthe secret key SK
j
=hS
j
;j;Ti
forthetimeperiodj T and themessageM to besignedand returnsthesignaturehj;sign iof M for
timeperiodj;
FSIG:update,the(possiblyprobabilistic)secret keyupdate algorithm,takesasinputthesecretkeySK
j
forthecurrent periodj<T andreturns thenew secretkey SK
j+1
forthe nextperiodj+1.
2
Obviously,ifthe keyowner doesnotproperlydestroy heroldkeys,anattackercanobtain themandthusforge the\old"
signatures. Indeed,properdeletionofthe oldkeysmaybeanon-trivialtask. However,insistingthatachievingsuchaproper
deletion of the old keys is the responsibility of the key owner is a reasonable requirement|certainly more reasonable than
insistingthatsheguaranteethesecrecyofheractivekeys.
acandidate signaturehj;sign i, andreturns 1ifhj;signi isa valid signatureof M or0,otherwise. Itis
requiredthatFSIG:vf
PK
(M;FSIG:sign
SK
j
(M))=1 forevery message M and timeperiodj.
We adopttheconvention thatSK
T+1
is theemptystringand FSIG:update
SK
T
returns SK
T+1 .
Whenweworkintherandomoraclemodel,alltheabove-mentionedalgorithmswouldhaveanadditional
security parameter, 1 l
, and oracleaccess to a publichash functionH :f0;1g
! f0;1g l
,which is assumed
to be randominthesecurityanalysis.
Forward Security. Forward securitycaptures the notion that it should be computationally infeasible
foranyadversaryto forge asignatureforanypast timeperiodeven intheevent of exposure of thecurrent
secretkey. Ofcourse,sincetheupdatealgorithmispublic,nothingcanbedonewithrespecttofuturesecret
keys,exceptforrevokingthepublickey(thusinvalidatingallsignatures forthetimeperiodofthe break-in
and thereafter). To dene forwardsecurityformally,the notionof a securedigitalsignatureof [GMR88]is
extendedin[BM99]totakeintoaccount theabilityoftheadversaryto obtainakeybymeansofabreak-in.
Intuitively, in this new model, the forger rst conducts an adaptive chosen message attack (cma), re-
questing signatureson messagesof its choice forasmanytimeperiodsashe desires. Wheneverhe chooses,
he \breaksin": requests thesecret key SK
b
forthe current timeperiod band thenoutputs a signatureon
a message M ofhischoice foratimeperiodj<b. The forgeris consideredto be successfulifthesignature
is validand thepair (M;j) wasnot queriedduringcma.
Formally, let the forger F = hF:cma ;F:forgei. For (PK;SK
0 )
R
FSIG:key(k;:::;T), F:cma , given PK
and T,outputs(CM;b),wherebisthebreak-intimeperiodand CM isa setofadaptivelychosenmessage-
periodpairs(theset ofsignaturessign(CM)of thecurrentset CM is availabletoF at all times,including
during the construction of CM) 3
. Finally, F:forge outputs hM;j;sigi F:forge(CM;sign(CM);SK
b ).
We say that F is successful if hM;ji 62 CM;j < b; and FSIG:vf
PK
(M;hj;sigi) = 1. (Note: formally, the
componentsof F can communicateall thenecessary information,includingT andb,via CM be considered
independent,because they communicate state informationvia T;b,as well asforger state information can
be communicatedto F:forge via CM.)
DeneSucc fwsig
(FSIG[k;T];F)tobetheprobability(overcointossesofF andFSIG)thatF issuccessful.
Dene theinsecurityfunctionInSec fwsig
(FSIG[k;T];t;q
sig
) ofFSIG to be themaximum, over all algorithms
F thatarerestrictedto runningtime tand q
sig
signaturequeries, of Succ fwsig
(FSIG[k;T];F).
The insecurityfunction above follows the \concrete security" paradigm and gives us a measure of how
secure orinsecurethescheme reallyis. Therefore, we want its valueto beas smallaspossible. Our goal in
a securityproof willbe to ndanupperboundforit.
The above denition can be translated to the random oracle model in a standard way [BR93 ]: by
introducing an additional security parameter 1 l
, allowing all algorithms the access to the random oracle
H : f0;1g
! f0;1g, and considering q
hash
, the number of queries to the random oracle, as one more
parameter fortheforger.
2.2 Underlying hard problem
We use a variant of the strong RSA assumption, with the restriction that the modulus is a product of
so-called\safe"primes. Thatis,letnbeaproductoftworandomlygenerateddk=2e-bit\safe"primesp
1
;p
2
3
Notethatthe[BM99]denition,whichcaptureswhatF candoinpractice, allowsthemessages-periodpairs tobeadded
to CM onlyinthe orderof increasingtimeperiods andwithout knowledgeof any secretkeys. However, allowing theforger
to construct CM inarbitrary order, and evento obtain SK
b
inthe middleofthe CM construction (sothat somemessages
beconstructedbytheforgerwiththeknowledgeofSKb)would notaectour(andtheir)results. Similarly,theforgercanbe
allowedtoobtainmorethanonesecretkey|weonlycare abouttheearliestperiodbforwhichthesecretkeyisgiventothe
forger. So, the forger mayadaptively selectsome messageswhich are signedfor him, thenrequestsomeperiod's secretkey;
thenadaptivelyselectmoremessagesandagainrequestakey,etc.
(that is, p
i
=2q
i
+1 where q
i
itselfis a prime),and let Z
n
. Let lbe an integer. We assume that itis
hard to take a root modulon ofany degree r,1<r 2 l +1
.
Moreformally,let Abethe adversary forthisproblem. Considerthefollowingexperiment.
ExperimentBreak-Strong-RSA (k;l;A)
Randomlychoose two primesq
1 and q
2
of lengthdk=2e 1each
suchthat 2q
1
+1 and 2q
2
+1 arebothprime.
p
1 2q
1 +1; p
2 2q
2
+1;n p
1 p
2
Randomlychoose 2Z
n .
(;r) A(n;)
If 1<r2 l +1
and r
(mod n) then return1 else return0
DenoteSucc(A;k;l)denotetheprobabilitythatAtheaboveexperimentreturns1,andletInSec SRSA
(k;l;t)
be themaximumof Succ(A;k;l) overall theadversariesA whorunin timeat mostt.
Ourresultswillbe meaningfulonlyifInSec SRSA
(k;l;t) is small.
We notethatourassumption canbe reducedto subexponentialhardnessof RSA.Namely,iftheproba-
bilityofinvertingtheRSA functionintimetforarandomlychosenexponentisat least2 k
forsome ,and
k
l 1is suÆcientlylarge, thenInSec SRSA
(k;l;t) is small.
3 Our tools
A BitofMathematicalBackground. Itwillbehelpfultorstintroducethefollowingtwostatements.
TheywererstpointedoutbyShamir[Sha83 ]inthecontextofgenerationofpseudorandomsequencesbased
on theRSA function.
Proposition 3.1 LetGbeanygroup. Supposee
1
;e
2
2Z aresuchthatgcd(e
1
;e
2
)=1. Givena;b2Gsuch
that anda e1
=b e2
,one cancompute csuch thatc e2
=ainO(lg(e
1 +e
2
))group andarithmeticoperations.
Proof: UsingEuclid'sextended gcd algorithm,withinO(lg (e
1 +e
2
))arithmeticoperationscomputef
1
;f
2 ,
suchthate
1 f
1 +e
2 f
2
=1. Computec=a f2
b f1
,withO(lg (f
1 +f
2
))=O(lg (e
1 +e
2
))groupoperations. Then
c e
2
=a e
2 f
2
b e
2 f
1
=a e
2 f
2
a e
1 f
1
=a.
Lemma 3.2 Let Gbea nitegroup. Supposee
1
;e
2
2Z are such thatgcd (e
1
;e
2
)=g and gcd(g;jGj)=1.
Given a;b 2 G; such that a e
1
= b e
2
, one can compute c such that c e
2
=g
= a in O(lg e
1 +e
2
g
) group and
arithmetic operations.
Proof: Since gcd(g;jGj) = 1, (z g
= 1) ) (z = 1) for any z 2 G. Let e 0
1
= e
1
=g; e 0
2
= e
2
=g. Then
(a e
0
1
=b e
0
2
) g
=1,soa e
0
1
=b e
0
2
,sowecan applyand Proposition3.1 to getc suchthat c e
0
2
=a.
The GQ Scheme. In [GQ88], Guillou and Quisquater propose the following three-round identication
scheme. Let k and l be two security parameters. The prover's secret key consists of a k-bit modulus
n (a product of two random primes p
1
;p
2
), an (l+1)-bit exponent e that is relatively prime to (n) =
(p
1 1)(p
2
1), and arandoms2Z
n
. Thepublickey consistsof n;eand v wherev1=s e
(mod n).
In therst round, theprovergenerates a randomr 2 Z
n
, computes the commitment y =r e
(mod n)
and sends y to the the verier. In the second round, the verier sends a random l-bit challenge to the
prover. In the third round, the prover computes and sends to the verier z = rs
. To check, the verier
computes y 0
=z e
v
and checks ify=y 0
(andy 60 (mod n)).
Thescheme'ssecurityisbasedontheassumptionthatcomputingrootsmodulocompositenisinfeasible
withoutknowledgeof its factors, and can beproven usingLemma 3.2. Informally,iftheprovercan answer
Generate randomdk=2e-bit
primesp
1
;p
2
n p
1 p
2
s R
Z
n
e R
[2 l
;2 l +1
), s.t. gcd (e;(n))=1
v 1=s e
modn
SK (n;s;e)
PK (n;v;e)
return(SK;PK)
r R
Z
n
y r
e
modn
H(y;M)
z rs
modn
return (z;)
algorithm GQ:vf(M;(n;v;e);(z;))
if z0 (mod n)thenreturn 0
y 0
z e
v
modn
if =H(y;M) thenreturn 1 elsereturn 0
Figure 1: The GQSignature Scheme
two dierent challenges, and , for the same y, then it can provide z
and z
such that z e
v
= z e
v
.
Hence, v
= (z
=z
)
e
. Note that e is l+1-bits long, hence e > j j, hence g = gcd ( ;e) < e,
so r =e=g > 1. By Lemma 3.2, knowing v; ;z
=z
and e allows one to eÆciently compute the r-th
root ofv (toapplythe lemma,we needto have g relativelyprime withtheorder (n) ofthemultiplicative
group Z
n
, which is the case byconstruction, because e is picked to be relatively prime with (n)). Thus,
theprovermustknowat leastsome root ofv (infact,ifeispicked to beprime,thentheprovermustknow
preciselythee-th root ofv,because g=1 and r=e). Note thatit iscrucialto theproof thate>2 l
and e
is relativelyprime with(n).
Thestandardtransformation of[FS86 ] can be appliedto thisidenticationschemeto come upwith the
GQ signature scheme, presented inFigure 1. Essentially, the interactive verier's l-bit challenge is now
computed using a randomoracle (hash function) H :f0;1g
! f0;1g L
applied to the message M and the
commitmenty.
4 Our scheme
4.1 Main ideas for forward security
The main idea for our forward-secure scheme is to combine the GQ scheme with Shamir's observation
(Lemma 3.2). Namely,lete
1
;e
2
;:::;e
T
be distinctintegers,all greaterthan2 l
,all pairwiserelativelyprime
and relativelyprime with (n). Let s
1
;s
2
;:::;s
T
be such that s e
i
i
1=v (mod n)for 1iT. Intime
period i, the signer will simply use the GQ scheme with the secret key (n;s
i
;e
i
) and the verier will use
the GQscheme withthepublickey (n;v;e
i
). Intuitively,thiswillbe forward-securebecause oftherelative
primalityof the e
i
's: if the forger breaks-in during time period b and learns the e
b -th, e
b+1
-th, :::;e
T -th
roots of v, thiswill not help it compute e
j
-th root of v forj <b (nor, more generally, the r-th root of v,
where rje
j ).
This idea is quite simple. However, we still need to address the following two issues: how the signer
computes thes
i
's andhowboththesigner and theveriercompute thee
i 's.
Computing s
i
's. Notice that if the signer were required to store all the s
i
's, this scheme would require
secretstoragethatislinearinT. However, thisproblemcanbeeasilyresolved. Letf
i
=e
i e
i+1 :::e
T . Let
t
i
be such that t f
i
i
1=v (modn). Duringthe j-th time period,the signer stores s
j and t
j+1
. At update
time, the signer computes s
j+1
= t f
j+2
j+1
modn and t
j+2
= t e
j+1
j+1
modn. This allows secret storage that is
linear inT at each update, because of thehighcost of computings
j+1
fromt
j+1 .
We can reduce the computation at each update to be only logarithmic in T by properly utilizingpre-
computed powers of t
j+1
. This will require us, however, to store (2lgT 1) secrets instead of just two.
Because thisoptimization concernsonlytheeÆciency oftheupdatealgorithmandaects neithertheother
components oftheschemenor theproofof security,wepresentit separately inSection5.2.
Computing e
i
's. In order for the scheme to be secure, the e
i
's need to be relatively prime with each
other 4
and with (n), and greater than 2 l
. The signer can therefore generate the e
i
's simply as distinct
(l+1)-bitprimes. Ofcourse, tostoreallthee
i
'swouldrequirelinearinT (albeitpublic)storage. However,
thesignerneedonlystoree
j
forthecurrenttimeperiodj,andgenerateanewtheother e
i
'sfori>j during
key update. This works as long as thesigner uses a deterministic algorithm for generating primes: either
pseudorandom search orsequentialsearch from xed starting points. The fact thate
i
's are notstored but
rather recomputed each time slows down the update algorithm only (and, as we show in Section 4.3, not
bymuch). Note thatthewaywecurrentlydescribed theupdatealgorithm,fortheupdateattime periodj
the signer willneed to compute e
j+1
;:::;e
T
. With theoptimization of Section 5.2, however, onlyat most
(2lgT 2) of thee
i
'swillneedto be computedat each update.
We havenotyetaddressedtheissueofhowtheveriergetsthee
i
's. Ofcourse, itcouldsimplygenerate
them thesame waythat thesignerdoesduringeach keyupdate. However, thiswillslowdown verication,
which is undesirable. The solution is perhaps surprising: the verier need not know the e
i
's at all! The
value of e
j
can be simply included bythe signer in every signature for time period j. Of course, a forger
is under no obligation to includethe true e
j
. Therefore, to avoid ambiguity,we willdenote bye thevalue
included ina signature. It mayormay notactuallyequale
j .
After some consideration, itbecomes clearthat e shouldsatisfythe followingrequirementsfor security
of thescheme:
1. e should be included as an argument to the hash function H, so that the forger cannot decide on e
after seeingthechallenge ;
2. eshouldbe greaterthan2 l
,forthesame reasons asintheGQscheme;
3. eshouldbe relativelyprimewith (n),forthesame reasons asintheGQscheme; and
4. e should be relatively prime with the e
b
;:::;e
T
(where b is the break-in time period), so that the
knowledge of theroot of v of degree e
b e
b+1
:::e
T
doesnothelp the forger computeany root of v
of degree rje.
Thersttwoconditionscanbeeasilyenforcedbytheverier. Thethirdconditioncanbeenforcedbyhaving
n be a productof two primes p
1
;p
2
that are of the form p
i
=2q
i
+1, where q is prime. Then the verier
simply needs to check that e is odd (then it must be relatively prime with (n)|otherwise, it would be
divisible by q
1 , q
2 or q
1 q
2
, which would imply that the forger could factor n) . But how can the verier
checkthelastconditionwithoutknowingbandtheactualvaluesofe
b
;:::;e
T
? Theideaistosplittheentire
intervalbetween2 l
and2 l +1
intoT consecutivebucketsofsize2 l
=T each,andhaveeache
i
beaprimecoming
from thei-thbucket. Thentheverierknowsthattheactualvaluese
j+1
;:::;e
T
areallat least2 l
(1+j=T)
and prime. Thus, aslong aseinthesignaturefortimeperiodj islessthan2 l
(1+j=T),it isguaranteed to
be relativelyprimewithe
j+1
;:::;e
T
,and hence withe
b
;:::;e
T
(because b>j). So all theverierneeds to
check isthateis odd,isbetween2 l
and 2 l
(1+j=T) and is includedinthehash computation.
4
Infact, thisrequirementcanberelaxed. Wecanallowthee
i
'snotto bepairwiserelatively prime,aslongas weredene
fi as fi =lcm(fi;fi+1;:::;fT), andrequirethat ei be relatively primewith (n)andei=gcd(ei;fi+1)>2 l
. However, wesee
no advantages inallowing this more general case; the disadvantage is that the e
i
's will have to be longerto satisfy the last
requirement,andthustheschemewillbelesseÆcient.
Ourscheme(calledIR)basedontheseideasispresentedinFigure2. AsintheGQscheme,letH:f0;1g
!
f0;1g l
be ahash function.
4.3 EÆciency
Signing and Verifying. The strength of our scheme is in its signing and verifying performance. Both
are thesame asthealready eÆcient ordinaryGQscheme (signinghas theadditional,negligiblecomponent
of testing whether eis in theright range and odd). Namely, they each take two modularexponentiations,
one modular multiplication and an application of H, for a total time of O(k 2
l) plus the time required to
evaluate H. (Note that, just like theGQ scheme, one of the two modularexponentiations for signing can
be doneo-line, beforethemessage is known;also,one of thetwo modularexponentiations forverifyingis
of a xedbase v,and can benetfrom precomputation.)
Key Generation and Update. We need to make strong assumptionson thedistributionsof primes in
order to estimate eÆciency of key generation and update algorithms. First, we assume that at least one
in O(k) dk=2 e-bit numbers is a prime,and that at least one in O(k) of those is of the form 2q+1, where
q is prime. Then, generatingn takes O(k 2
) primality tests. Each primalitytest can be done inO(k 3
) bit
operations [BS96 ], for a total of O(k 5
) bit operations. Similarly, we will assume that at least one in O(l)
integers in each bucket [2 l
(1+(i 1)=T);2 l
(1 +i=T)) is a prime, so generating each e
i
takes O(l 4
) bit
operations.
In addition to generating n and the e
i
's, key generation needs to compute the product of the e
i 's
modulo (n), which takes O(Tkl) bit operations, and three modular exponentiations, each taking O(k 2
l)
bit operations. Therefore, keygenerationtakesO(k 5
+l 4
T+k 2
l+klT))bit operations.
Keyupdatecannotmultiplyalltherelevante
i
'smodulo(n),because(n)isnotavailable(otherwise,the
schemewouldnotbeforward-secure). Therefore,ithastoperformO(T)modularmultiplicationsseparately,
inaddition to regenerating all thee
i
's. Thus,it takesO(k 2
lT +l 4
T) bitoperations.
Note that the l 4
T component is present in the running time for the update algorithm because of the
needto regenerate thee
i
'seach time. However, forpracticalvaluesofl (ontheorder of100)and k (onthe
orderof1000), l 4
T isroughlythesame ask 2
lT,sothisonlyslowsdownthekeyupdatealgorithmbyasmall
constant factor. Moreover,inSection5.1we showhowtoreduce thel 4
T componentinbothkey generation
and updateto (l 2
+lg 4
T)T (ata very slightexpenseto signing and verifying).
Finally, as shown in Section 5.2, if we are willing to increase secret storage to roughly 2klgT, then
we can replace the factor of T in the cost of update by the factor of lgT, to get update at the cost of
O((l 4
+k 2
l)lgT) (or, ifoptimization ofSection5.1 isadditionally applied,O((k 2
l+l 2
+lg 4
T)lgT)).
Sizes. Allthekeyand signaturesizes arecomparableto those inthe ordinaryGQ scheme.
The public key has l+1 fewer bits than the GQ public key, and the signatures have l+1 more bits,
becauseeisincludedinthesignatureratherthaninthepublickey. Inaddition,boththepublickeyand the
signature have lgT more bitsin order to accommodate T inthe publickey and the current timeperiod in
thesignature(thisisnecessaryinanyforward-securescheme). Thus,thetotal publickeylengthis2k+lgT
bits, and signature length is k +2l+1+lgT bits. Optimization of Section 5.1 shortens the signatures
slightly,replacingl+1 of thesignaturebitswithroughlylgT bits.
Thesecretkeyisk+2lgT+jseedjbitslongerthantheGQschemeinorderto accommodatethecurrent
time period j, the total time periods T, the value t
j+1
necessary to compute future keys and the seed
necessary toregenerate thee
i
'sfori>j. Thus,thetotal secretkeylengthis3k+l+1+jseedj+2lgT bits
(note that only2kof these bitsneedto be keptsecret). If theoptimizationof Section5.2 isused,then the
secret keylengthincreases by roughly2klgT bits, allof which needto bekept secret.
Generate randomdk=2 e 1-bitprimesq
1
;q
2
such thatp
i
=2q
i
+1 arebothprime
n p
1 p
2
t
1 R
Z
n
Generate primese
i
such that2 l
(1+(i 1)=T)e
i
<2 l
(1+i=T) fori=1;2;:::;T.
(Thisgenerationisdoneeitherdeterministically orusingasmallseed seed and
H asa pseudorandomfunction.)
f
2 e
2
:::e
T
mod((n)) (where (n)=4q
1 q
2 )
s
1 t
f2
1
modn
v 1=s e
1
1
modn
t
2 t
e1
1
modn
SK
1
(1;T;n;s
1
;t
2
;e
1
;seed)
PK (n;v;T)
return(SK
1
;PK)
algorithm IR:update(SK
j )
Let SK
j
=(j;T;n;s
j
;t
j+1
;e
j
;seed)
if j =T then return
Regenerate e
j+1
;:::;e
T
usingseed
s
j+1 t
e
j+2 :::e
T
j+1
modn; t
j+2 t
e
j+1
j+1
modn
return SK
j+1
(j+1;T;n;s
j+1
;t
j+2
;e
j+1
;seed)
algorithm IR:sign(M;SK
j )
Let SK
j
=(j;T;n;s
j
;t
j+1
;e
j
;seed)
r R
Z
n
y r
e
j
modn
H(j;e
j
;y;M)
z rs
modn
return (z;;j;e
j )
algorithm IR:vf(M;PK;(z;;j;e))
Let PK =(n;v)
if e2 l
(1+j=T) or e<2 l
or eis even then return 0
if z0 (modn) thenreturn 0
y 0
z e
v
modn
if =H(j;e;y;M) thenreturn 1 elsereturn 0
Figure 2: Our forward-securesignaturescheme (withouteÆciency improvements)
The security of our scheme (in the random oracle model) is comparable to the security of the schemes of
[BM99,AR00 ]. The proofclosely followsthe one in[AR00 ], combiningideasfrom [PS96 ,BM99,MR99].
First,we statethefollowingtheoremthat willallowustoupper-boundtheinsecurityfunction. Thefull
proofof thetheorem isvery similarto theone in[AR00 ]and is containedinAppendixA.
Theorem 4.1 Given aforgerF forIR[k;l;T]thatrunsintimeat mostt,askingat mostq
hash
hashqueries
and q
sig
signing queries, such that Succ fwsig
(IR[k;l;T];F) ", we can construct an algorithm A that, on
inputn(aproductoftwosafeprimes),2Z
n
andl,runsintimet 0
andoutputs(;r)suchthat1<r2 l +1
and r
(modn) withprobability"
0
, where
t 0
= 2t+O(lT(l 2
T 2
+k 2
))
"
0
=
" 2 2 k
q
sig (q
hash +1)
2
T 2
(q
hash +1)
" 2 2 k
q
sig (q
hash +1)
2 l
T
:
ProofIdea. AwilluseF asasubroutine. (NotethatAgetstoprovidethepublickeyforF andtoanswer
its signing andhashingqueries.) A basesthepublickey v on asfollows: itrandomlyguesses j between1
andT,hopingthatF'seventualforgerywillbeforthej-thtimeperiod. Itthengeneratese
1
;:::;e
T
justlike
the real signer,sets t
j+1
= and computes vas v=1=t fj+1
j+1
modn, where, asabove,f
j+1
=e
j+1
:::e
T .
ThenA runsF. AnsweringF'shash andsignaturequeriesis easy,becauseA fullycontrols therandom
oracle H. If A's guess for j was correct, and F indeed will output a forgery for the j-th time period,
then F's break-in query will for the secret of a time period b > j. A can compute the answer as follows:
t
b+1
=t f
j+1
=f
b
j+1
= e
j
1 :::e
b
ands
b
=t f
b+1
b
= e
j
1 :::e
b 1 e
b+1 :::e
T
(the othercomponentsofSK
b
arenotsecret,
anyway). Suppose A'sguess wascorrect, andin theendF outputsa signature(z;;j;e) on some message
M. We will assume that F asked a hash query on (y;M;j;e) where y = z e
v
modn (if not, A can make
that queryforF).
Then,A runs F thesecond timewith thesame random tape,giving the same answers to all theoracle
queries before thequery (y;M;j;e). For(y;M;j;e), A givesa new answer. IfF again forges a signature
(z 0
;;j;e) using the same hash query, we willhave that y z e
v
z 0
e
v
(modn), so (z=z 0
) e
v
f
j+1 ( )
(modn). Note that because e is guaranteed to be relatively prime with f
j+1
, and has
at least one fewer bit than e, gcd(f
j+1
( );e) = gcd( ;e) < e (as long as 6= ). Thus, r =
e=gcd (f
j+1
( );e)>1 and,byLemma 3.2,A willbeable to eÆciently computether-throot of .
Pleaserefer to AppendixA forfurtherdetails.
Thisallows usto state thefollowingtheorem abouttheinsecurityfunctionofourscheme.
Theorem 4.2 Foranyt, q
sig ,and q
hash ,
InSec fwsig
(IR [k;l;T];t;q
sig
;q
hash )
T q
(q
hash
+1)InSec SRSA
(k;l;t 0
)+2 l +1
T(q
hash
+1)+2 2 k
q
sig (q
hash +1);
where t 0
=2t+O(lT(l 2
T 2
+k 2
)).
Proof: The insecurityfunctioniscomputed simplybysolvingfor (" 2 2 k
q
sig (q
hash
+1))=T thequadratic
equation inTheorem4.1 thatexpresses "
0
interms of "to get
(" 2 2 k
q
sig (q
hash
+1))=T = 2 l
(q
hash
+1)+ q
2 2l
(q
hash +1)
2
+"
0
(q
hash +1)
2
l
(q
hash
+1)+ q
2 2l
(q
hash +1)
2
+ p
"
0
(q
hash +1)
= 2 l +1
(q
hash
+1)+ p
"
0
(q
hash +1) ;
5 Further Improving EÆciency
5.1 Finding the e
i
's faster
Findinge
i
'stakestimebecausetheyneedtobel+1-bitprimes. Ifwewereableto usesmallprimesinstead,
wecouldsearchsignicantlyfaster,bothbecausesmallprimesaremorefrequentandbecauseprimalitytests
are fasterforshorter lengths.
5
We cannot use smallprimes directly because, as already pointedout, the e
i
's must have at least l+1
bits. However, we can use powersof small primesthatare at least l+1 bits. That is, we let
i
be a small
prime, (
i
) be such that (
i )
i
>2 l
and e
i
= (
i )
i
. As long as is a deterministicfunction of its input
(for example, ()=l=blog
2
c), we can replace einthe signatureby ,and have theverication algorithm
compute e= ()
.
Of course, the verication algorithm still needs to ensure that e is relatively prime to (n) and to
e
b
;:::;e
T
. Thisisaccomplishedessentiallythesame wayasbefore: we divideaspace ofsmallintegersinto
T consecutive buckets ofsome sizeS each,and have each
i
come from thei-th bucket:
i
2[(i 1)S;iS).
Then, when verifyinga signature fortime period j, it willsuÆce to check that is odd and comes from a
bucketnogreaterthanthej-th: <jS. Itwillbethenrelativelyprimeto
b
;:::;
T
,andthereforee= ()
willbe relativelyprimeto e
b
;:::;
T .
Whenweusedlargeprimes, wesimplypartitioned thespaceof (l+1)-bitintegersinto largebuckets, of
size2 l
=T each. We could have usedsmaller buckets, butthisoeredno advantages. However, nowthatwe
are usingsmall primes,it is advantageous to make thebucket sizeS assmall aspossible, sothat even the
largest prime (aboutTS)is stillsmall.
Thus, to see how much this optimization speeds up the search for the e
i
's, we need to upper-bound
S. S needs to be picked so that there is at least one prime in each interval [(i 1)S;iS) for 1 i T.
It is reasonable to conjecture that the distance between two consecutive primes P
n
and P
n+1
is at most
(ln 2
P
n
) [BS96 ]. Therefore, because the largest prime we are looking for is smaller than TS, S shouldbe
such that S > ln 2
TS. It is easy to see that S = 4ln 2
T will work for T 75. (As a practical matter,
computation shows thatS =282 will work forT up to about 3.5million, because thelargest gap between
consecutive primesup to 1 billion is 282.) Thus, the
i
's are all less than 4Tln 2
T, and therefore the size
of each
i
isO(logT) bits. Thus, ndingand testing theprimalityof the
i
's and thencomputing thee
i 's
takesO(T(log 4
T+l 2
))time, asopposedto O(Tl 4
) withoutthisoptimization.
Theresultingschemewillslightlyincreasevericationtime: theverierneedstocomputeefrom. This
takes time O(l 2
) (exponentiating any quantity to obtain a roughly (l+1)-bit quantity takes time O(l 2
)),
which is lower order than O(k 2
l) verication time. Moreover, it will be impossibleto get e
i
to be exactly
l+1bits(itwillbe,on average,aboutl+(logT)=2 bits). Thiswillslowdownbothvericationandsigning,
albeit by small amounts. Therefore, whether to use the optimization in practice depends on the relative
importanceof thespeeds ofsigning and verifyingvs. thespeeds ofkey generationand update.
5.2 Optimizing key update
The key updatein our scheme requires computing s
i
such that s e
i
i
1=vmodn. Knowledge of s
i 1 , such
thats e
i 1
i 1
1=v modn, doesnothelp,becausee
i ande
i 1
arerelativelyprime. Theeasiest waytocompute
s
i
requires knowledge of (n): s
i
1=v 1=e
i
mod(n)
modn. However, thesigner cannot storethefactors of
n|otherwisetheforger wouldobtainthese factorsduringa break-in,and thusbeable to producethepast
5
Infact, whena tableof smallprimesisreadilyavailable (asit oftenis forreasonably smallT), nosearchingor primality
testsarerequiredatall.
after whichthey shouldbe securelydeleted.
To enable generation of current and future s
i
's without compromising the past ones, we had dened
(in Section 4) a secret t
i
for time period i, from which it was possibleto derive all future periods' secrets
s
ji
. Theupdateoft
i to t
i+1
canbe implementedeÆciently(1 exponentiation). However, inthisapproach
the computation of each s
i
from t
i
requires (T i) exponentiations. This computation can be reduced
dramaticallyifthe storageis increasedslightly.
Specically, in this section we demonstrate how replacing the single secret t
i
with log
2
T secrets can
reduce the complexityoftheupdatealgorithm to onlylog
2
T exponentiations.
Abstracting the Problem. Consider all subsets of Z
T
=f1;2;:::;Tg. Let each such subset S corre-
spondtothesecretvaluet
S
=t Q
i2S= e
i
1
. Forexample,t
1
correspondstoZ
T ,t
i
correspondstofi;i+1;:::;Tg,
v 1
corresponds to the empty set, and each s
i
corresponds to the singleton set fig. Raising some secret
value t
S
to powere
i
correspondsto droppingifrom S.
Thus, instead of secrets and the exponentiation operation, we can consider sets and the operation of
removing an element. Our problem,then, can be reformulated asfollows: design an algorithm that, given
Z
T
, outputs (one-by-one, in order) the singletonsets fig for 1 i T. The only way to create new sets
is to remove elements from known sets. The algorithm should minimize the number of element-removal
operations(because they correspond to theexpensiveexponentiationoperations).
FairlyelementaryanalysisquicklydemonstratesthatthemosteÆcientsolutionforthisproblem(atleast
forT thatis apowerof 2) isthefollowingdivide-and-conqueralgorithm:
Input: An orderednon-emptyset A.
Output: Singletonsets fxg,forx2A,inorder.
Steps: IfA hasone element,output Aand return.
Remove thesecond half ofA's elements to getB.
Recurseon B.
Remove therst halfof A's elementsto getC.
Recurseon C.
ThisalgorithmtakesexactlyTlog
2
T element-removaloperationstooutputallthesingletons. Moreover,
the recursion depth is 1+log
2
T,so only 1+log
2
T sets need to be stored at any time (each set is just a
consecutive interval, sothebookkeepingaboutwhat eachset actuallycontainsis simple).
Thisrecursivealgorithmcanessentiallybetheupdatealgorithmforourscheme: atevery calltoupdate,
weruntherecursivealgorithmalittlefurther,untilitproducesthenextoutput. Wethenstoptherecursive
algorithm, save its stack (we need to save only log
2
T secrets, because the remaining one is the output of
the algorithm), and runit againat thenext callto update. A littlemore care needs to be taken to ensure
forward-security: none of the sets stored at time period i should contain elements less than i. This can
be done bysimply removingi from all sets that stillcontain in(and that are stillneeded) duringthe i-th
update. Thetotal amount of work stilldoes notchange.
Because there are T calls to update (ifwe include theinitial key generation), theamortized amount of
work per update is exactly log
2
T exponentiations. However, some updates will be more expensive than
others, and update will still cost (T) exponentiations in the worst case. We thus want to improve the
worst-case runningtime of our solutionwithout increasing the(already optimal) total runningtime. This
can be donethroughpebblingtechniques,described below.
Pebbling. Leteach subset ofZ
T
correspond to a node in agraph. Connecttwo sets by a directededge
if the destination can be obtained from the source by dropping a single element. The resulting graph is
theT-dimensionalhypercube,withdirections ontheedges(going fromhigher-weight nodesto lower-weight
nodes). We can traverse thegraphinthe directiongiven bytheedges. We startat thenodecorresponding
to Z
T
, andneed to getto all thenodes corresponding to thesingletonsets fig.
numberofsteps. However,wewouldliketominimizenotonlythetotalnumberofsteps,butalsothenumber
of steps taken between any two \consecutive" nodes fig and fi+1g, whilekeepingthe memory usage low.
We willdo thisbyproperlyarranging dierent branches oftherecursive algorithmto runinparallel.
To helpvisualizethealgorithm,we willrepresenteach setstored asa pebbleat thecorrespondingnode
inagraph. Thenremovinganelementfromasetcorrespondstomovingthecorrespondingpebbledownthe
correspondingdirectededge. Theoriginalsetmaybepreserved,inwhichcasea\clone"ofapebbleisleftat
theoriginal node, oritmaybe discarded,inwhich caseno such clone isleft. Our goalcan bereformulated
asfollowsintermsofpebbles: ndapebblingstrategythat, startingatthenodeZ
T
,reacheseverynodefig
in order, while minimizingthe number of pebbles used at any given time (this corresponds to total secret
storage needed), the total number of pebble moves (this corresponds to total number of exponentiations
needed), andthenumberof pebblemovesbetweenanytwo consecutive hitsofasingleton(thiscorresponds
to the worst-casecost of theupdatealgorithm).
The Pebbling Algorithm. We shallassume that T >1is apowerof 2. The followingstrategy uses at
most 1+log
2
T pebbles, takes Tlog
2
T total moves(which isthe minimumpossible),and requiresat most
log
2
T movesperupdate.
Eachpebble hasthefollowinginformationassociatedwithit:
1. its current position, represented by a set P Z
T
(P will always be a set of consecutive integers
fP
min
;:::;P
max g);
2. its \responsibility," represented by a set R P (R willalso always be a set of consecutive integers
fR
min
;:::;R
max
g; moreoverjR jwillalwaysbe apowerof 2).
Eachpebble'sgoalistoensurethatit(togetherwithitsclones,theirclones, etc.) reacheseverysingleton
in its set P. If R ( P, then the pebble can move towards this goal by removing an element from P. If,
however, R = P, then the pebble has to clone (unless jPj = jR j = 1, in which case it has reached its
singleton, and can be removed from the graph). Namely, it creates a new pebble with the same P, and
responsibilitysetR 0
containingonlythesecondhalfofR . ItthenchangesitsownRtoR R 0
(thusdividing
its responsibilityevenlybetweenitself andits clone). Nowboththepebbleand theclonecan move towards
theirdisjoint sets ofsingletons.
We start witha single pebble with P =R = Z
T
. The above rules formoving and cloningensure that
thecombinedmovesof allthepebbleswillbe thesame asintherecursivealgorithm. Thus,thestepsof the
pebbles are already determined. We now have to specify the timingrules: namely, when the pebblestake
theirsteps. A carefulspecicationisimportant: ifapebblemovestoofast, thenitcanproducemoreclones
than necessary, thusincreasing the total memory; ifa pebblemovestoo slowly,then it maytake longer to
reach itsdestination singletons,thusincreasing theworst-case cost ofupdate.
Inordertospecifythetimingrules,wewillimaginehavingaclock. Theclock\ticks"consecutiveinteger
values, starting with T=2+1. After each clocktick, each pebble willdecide whether to move and, if so,
forhow manymoves, as follows:
1. The original pebble always makes two moves per clock tick, untilit reaches the singleton f1g. After
reachingthe singletonitstops, andthen removesitself from thegraphon thenext clocktick.
2. After a new pebble is cloned with responsibility set R , it stays still for djR j=2e clock ticks. After
djR j=2e-th clock-tick following its birth, it starts moving at one move per clock tick. After jR j such
moves,itstartsmovingatwomovesperclocktick,untilitreachesitsleftmostsingleton. Afterreaching
the singletonitstops, andthen removesitself fromthe graphon thenext clocktick.
We remarkthat the above rulesmayseem a bit complex. Indeed, simpler rules can be envisioned: for
example, allowing each pebble at most one move per clock tick, and specifying that each pebbles moves
However, thisset ofrules willrequireroughly 2log
2
T pebbles(even though at mostlog
2
T ofthem willbe
moving at any given time). Having pebbles move at variable speeds allows us to delay their cloning, and
thusreduces thetotal numberofpebbles, asshownbythefollowingtheorem.
Theorem 5.1 SupposeT >1isapoweroftwo. Ifiisthevaluemostrecentlyticked bytheclock,thenthe
totalnumberofpebblesundertheaboverulesneverexceeds1+blog
2
(T i) c(ifi0)or(log
2
T) blog
2 ic
(if T <i<0). The numberof movesoccurringimmediately followingthe clockticki also never exceeds
thisquantity. Foreach i,1iT,apebblereachesthe singletoni+1 immediatelybeforetheclockticks
the value i+1,and isremoved beforetheclockticks i+2.
Proof: Theproofis byinductionon log
2 T.
ForT =2, we start with a single pebble with P =R = f1;2g. After the clock ticks 0, thispebble clones
the pebble withR 0
=2,and itselfmovesto P =f1g. The clone waitsforone clocktickand then, after the
clockticks 1,theclone movesto P =f2g.
Suppose the statement is true for some T that is a power of two. We will now prove it for T 0
= 2T.
After clock tick T +1, we have two pebbles: one responsibleforf1;:::;Tg,and theother responsiblefor
fT +1;:::;2Tg. Forthenext T=2 1 clock ticks, therst pebblewillmove at two stepspertick,and the
second one will stay put (thus, the number of moves does not exceed the number of pebbles). After the
clockticks T=2, therst pebble willarrive at positionP =f1;:::;Tg. Thus, startingat t= T +1, the
inductive hypothesisappliesto theall thepebblesthat willcover therst halfof the singletons: there is a
single pebbleuntilt= T=2+1 and itisinpositionP =f1;:::;Tg afterclock tick T=2+1.
The second pebble will reach the position P 0
= f2;:::;Tg after the clock ticks T=2. Thus, again, after
the clock ticks 1, the inductive hypothesis applies to all the pebbles that will cover the second half of the
singletons, except that time is shifted forwardbyT. That is, if1 i<T, thenthe numberof pebbles in
the second half does notexceed (log
2
T) blog
2
(T i) c, and ift T, then the number of pebbles in the
second half doesnotexceed 1+blog
2
(2T i) c.
The key tonishingtheproof isto realizethat therst halfwilllosea pebblejustas thesecondhalf gains
one. To beprecise, wecan considerthe followingfourcases.
For T <i <0,we have (log
2
T) blog
2
ic pebbles inthe rst half (by the inductive hypothesis),
and one pebbleinthe secondhalf,sowehave a total of (log
2
2T) blog
2
ic pebbles, asrequired.
Fori=0,wehave1+log
2
T =log
2
2T pebblesinthersthalf(bytheinductivehypothesis),and one
pebble inthesecond half,fora total of 1+log
2
2T pebbles, asrequired.
For 0<iT,we have1+blog
2
(T i) cpebblesintherst halfand (log
2
T) blog
2
(T i) c pebbles
in the second half (both by the inductive hypothesis), for a total of 1+log
2
T = 1+blog
2
(2T i) c
pebbles, asrequired.
For i>T,we have no pebblesin the rst halfand blog
2
(2T i) c pebbles inthe second half (by the
inductivehypothesis), asrequired.
It is easy to see that ineach of theabove four cases, the numberof moves does notexceed the numberof
pebbles(because forevery pebblemovingat twostepsperclocktick, thereexists apebblethat isstanding
still|namely,its mostrecent clone).
Security. It is, of course, crucial to ensure that the above changes to the update algorithm do not
compromise thesecurityofour scheme. It suÆcesto prove thatevery secret storedfollowingthe clocktick
i+1
tick i, no pebble'spositionP satisesi2P. This can be easilydone by induction,as long aseach pebble
moves towards its goal by removing the smallest possible element from its positionP (the inductive step
is proved as follows: if 2T is the total number of time periods, then the single pebble responsiblefor the
second halfofthesingletonswillhaveremoved f1;:::;T=2g fromitspositionfollowingtheclocktick1,and
willhave removed f1;:::;Tgfollowingthe clocktickT=2+1).
Acknowledgements
We thank Anna Lysyanskaya and Silvio Micali for helpful discussions about our complexity assumptions.
We alsothank Ron Rivestforsharing hisinsightson pebblingalgorithms.
References
[And97] Ross Anderson. Invited lecture. Fourth Annual Conference on Computer and Communications
Security,ACM,1997.
[AR00] Michel Abdallaand LeonidReyzin. A new forward-secure digitalsignaturescheme. InTatsuaki
Okamoto, editor, Advances in Cryptology|ASIACRYPT 2000, volume 1976 of Lecture Notes in
ComputerScience,pages116{129,Kyoto,Japan,3{7December2000.Springer-Verlag.Fullversion
availablefrom theCryptology ePrintArchive,record2000/002, http://eprint.iacr.org/.
[BM99] Mihir Bellare and Sara Miner. A forward-secure digital signature scheme. In Michael Wiener,
editor, Advances in Cryptology|CRYPTO '99, volume 1666 of Lecture Notes in Computer Sci-
ence, pages 431{448. Springer-Verlag, 15{19 August 1999. Revised version is available from
http://www.cs.ucsd.edu/ mihir/.
[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for
designing eÆcient protocols. In Proceedings of the 1st ACM Conference on Computer
and Communication Security, pages 62{73, November 1993. Revised version appears in
http://www-cse.ucsd.edu/users/mihir/papers/crypto-papers.html.
[BS96] EricBach and JereyShallit. Algorithmic Number Theory. MITPress, Cambridge, MA,1996.
[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identication and
signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology|CRYPTO '86,
volume 263 of Lecture Notes in Computer Science, pages 186{194. Springer-Verlag, 1987, 11{
15 August 1986.
[GMR88] ShaGoldwasser, SilvioMicali,and Ronald L.Rivest. A digitalsignaturescheme secureagainst
adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281{308, April1988.
[Gol88] ShaGoldwasser, editor. Advances inCryptology|CRYPTO '88,volume403 ofLectureNotes in
Computer Science. Springer-Verlag,1990, 21{25 August 1988.
[GQ88] Louis Claude Guillou and Jean-Jacques Quisquater. A \paradoxical" indentity-based signature
scheme resultingfrom zero-knowledge. InGoldwasser[Gol88 ], pages216{231.
[Kra00] HugoKrawczyk. Simpleforward-secure signatures from anysignature scheme. In Seventh ACM
Conference on Computer and Communication Security.ACM, November1{4 2000.
[MI] SilvioMicali andGene Itkis. PrivateCommunication.
501,Massachusetts InstituteofTechnology,Cambridge, MA,March1994.
[MR99] SilvioMicaliand LeonidReyzin. Improvingtheexact securityofFiat-Shamir signatureschemes.
InR.Baumgart, editor, SecureNetworking |CQRE [Secure]'99, volume1740 of LectureNotes
in Computer Science, pages 167{182. Springer-Verlag,1999.
[OO88] Kazuo Ohta and Tatsuaki Okamoto. A modicationof the Fiat-Shamir scheme. In Goldwasser
[Gol88], pages 232{243.
[OS90] H.Ongand ClausP.Schnorr. Fastsignaturegenerationwitha FiatShamir-likescheme. InI. B.
Damgard, editor, Advances in Cryptology|EUROCRYPT 90, volume 473 of Lecture Notes in
Computer Science, pages 432{440. Springer-Verlag, 1991, 21{24 May1990.
[PS96] David Pointcheval and Jacques Stern. Security proofs for signature schemes. In Ueli Maurer,
editor, Advances in Cryptology|EUROCRYPT 96, volume 1070 of Lecture Notes in Computer
Science, pages387{398. Springer-Verlag, 12{16 May1996.
[Sha83] Adi Shamir. On the generation of cryptographically strong pseudorandom sequences. ACM
Transactions on Computer Systems, 1(1):38{44, February1983.
A Details of the Proof of Theorem 4.1
First, we assume that if F outputs (z;;j;e) as a forgery, then the hashing oracle has been queried on
(j;e;y;M), where y = z e
v
modn (any adversary can be modied to do that; this may raise the number
of hashqueriesto q
hash
+1.) We willalso assumethatF performs thenecessarybookkeepingand doesnot
ask thesame hashquerytwice.
6
Note thatF mayaskthesame signaturequerytwice, because theanswers
willmostlikelybe dierent.
Recall that A's job, given and n, is to nd (with F's help) and r > 1 such that beta r
(mod n). First,A has to guess thetime period forwhich F willoutput the forgery: it randomlyselects j,
1 <j T (sometimes A mayalso succeedif theforgery is for a time periodi<j, butthis notnecessary
for our argument). A then generates e
1
;:::;e
T
just like thereal signer, sets t
j+1
= and computes v as
v =1=t f
j+1
j+1
modn, where, asabove, f
j+1
=e
j+1
:::e
T .
AthencomesupwitharandomtapeforF,remembersit,and runsF onthattapeandtheinputpublic
key (n;v;T). If F breaks in at time period b, then A can provideF with the secret key as long as b >j:
knowing t
j+1
will allow A to compute s
b and t
b+1
. If b j, then A aborts (because, in particular, F's
forgery cannot be fortimeperiodj inthat case).
To answer F'ssignature and hash queries, A maintainstwo tables: a signaturequery table and a hash
query table.
Signature queries can be answered almost at random, because A controls the hash oracle. In order to
answerasignaturequerynumbersonamessageM
s
duringtimeperiodj
s
,A selectsarandomz
s 2Z
n and
s
2f0;1g l
, computes y
s
=z
s e
js
v s
,and checks its signaturequery table to seeifa signaturequery on M
s
during timeperiod j
s
hasalready been asked and ify
s
used in answeringit. If so, A changes z
s and
s to
the z and that were usedin answeringthat query. Then A addsthe entry (s;j
s
;e
j
s
;y
s
;
s
;z
s
;M
s
) to its
signature querytable and outputs(z
s
;
s
;j
s
;e
j
s ).
Hash queriesarealso answered at random. To answerthet-th hash query(y 0
t
;M 0
t
;j 0
t
;e 0
t
),A rst checks
its signature query table to see if there is an entry (s;j
s
;e
j
s
;y
s
;
s
;z
s
;M
s
) such that (y
s
;M
s
;j
s
;e
j
s ) =
6
ThismayslightlyincreasetherunningtimeofF,butwewill ignorecostsofsimpletablelook-up forthepurposesofthis
analysis.
(y
t
;M
t
;j
t
;e
t
). Ifso, itjust outputs
s
. Otherwise,it picks a random
t
2f0;1g ,records inits hashquery
table the tuple(t;y 0
t
;M 0
t
;j 0
t
;e 0
t
; 0
t
) and outputs 0
t .
Assumenowthebreak-inqueryoccursduringtimeperiodb>j,andthevalidforgery(z;;i;e)isoutput
fora timeperiodij (ifnot, orifno validforgery is output,A fails). Lety=z e
v
. Because we modied
F to rstask a hashquery on(y;M;i;e), we have that, forsome h, (h;y;M;i;e;)=(h;y 0
h
;M 0
h
;j 0
h
;e 0
h
; 0
h )
in the hashquery table (it can't come from thesignature query table, because F is not allowed to forge a
signatureon amessage forwhich itaskeda signaturequery). A ndssuchan h initstable and remembers
it.
A now resets F withthe same randomtape as the rst time, and runs itagain, giving the exact same
answersto all F's queriesbefore theh-th hash query (it can do sobecause it has all theanswers recorded
inthe tables). Note thatthismeansthat F willbeasking thesame h-th hashquery (y;M;i;e) astherst
time. AssoonasF askstheh-thhashquery,however,Astopsgivingtheanswersfromthetablesandcomes
up with new answers at random, in the same manner as the rst time. Let be the new answergiven to
the h-thhash query,and assume 6=.
Assume again the break-inquery occursduringtime periodb >j, and the valid forgery(z 0
; 0
;i 0
;e 0
) is
output fora timeperiodi 0
j. A again computes y 0
=z 0e
0
v sigma
0
;bythesame reasoningas before, F had
to aska hashquery on (y 0
;M 0
;i 0
;e 0
). Leth 0
be thenumberof thatquery. A ndsh 0
and failsifh 0
6=h. If,
however,h 0
=h,then(y;M;i;e)=(y 0
;M 0
;i 0
;e 0
),simplybecausetheh-thhashqueryhad tobethesame in
bothrunsof F. Also then 0
=. Therefore,
z e
v
z
0 e
v
) (z=z 0
) e
v
f
j+1 ( )
(mod N):
Note that because e is guaranteed to be relatively prime with f
j+1
(as long as i j), and
has at least one fewer bit than e, gcd(f
j+1
( );e) = gcd( ;e) < e (as long as 6= ). Thus,
r =e=gcd (f
j+1
( );e)>1 and,byLemma3.2, A willbe able to eÆcientlycompute ther-throot of .
Running Time Analysis. A runs F twice. Preparing thepublic key and answeringhashing and signing
queries takes A no longer than it would take the real oracles (ignoring the costs of table look-ups). To
ndwhichhashingquery thesignaturecorrespondsto and to applyLemma3.2 takes O(lT(l 2
T 2
+k 2
))bit
operations.
Probability Analysis. We willneedthefollowinglemma inouranalysis.
Lemma A.1 Leta
1
;a
2
;:::;a
bereal numbers. Let a= P
=1 a
. Lets= P
=1 a
2
. Then s a
2
.
Proof: Letb=a= and b
=b a
. Notethat P
=1 b
=b P
=1 a
=a a=0. Then
X
=1 a
2
=
X
=1 (b b
)
2
=b 2
2b
X
=1 b
+
X
=1 b
2
b
2
= a
2
:
First,considertheprobabilitythatA'sanswers toF'soraclequeriesaredistributedasthose ofthetrue
oracles that F expects. This is the case unless, for some signature query, the hash value that A needs to
denehasalreadybeendenedthroughapreviousanswertoahashquery(callthis\A'sfailuretopretend").
BecausezispickedatrandomfromZ
n ,z
e
v
isarandomelementofZ
n
. Theprobabilityofitscollisionwith
avaluefromahashqueryinthesameexecutionofF isatmost(q
hash
+1)=jZ
n
jthus,theprobability(taken
overonlytherandomchoicesofA)ofA'sfailuretopretendisatmostq
sig (q
hash
+1)=jZ
n jq
sig (q
hash +1)2
2 k
(because jZ
n j=4q
1 q
2
>2 k 2
). This is exactly the amount by which F's probabilityof success is reduced
because of interactionwithA ratherthanthe realsigner. LetÆ =" q
sig (q
hash +1)2
2 k
.
b
period b. Clearly, Æ = P
T+1
b=2
"
b
(if b = 1, then F cannot forge for any time period). Assume now that A
picked j=b 1 forsome xed b. The probabilityofthat is1=T.
WewillnowcalculatetheprobabilityoftheeventthatF outputsavalidforgerybasedonthesamehash
query bothtimes and that thehash query was answered dierentlythe second time and that the break-in
query was bboth times. Let p
h;b
be the probabilitythat, in one run, F produces a valid forgery based on
hash querynumberh afterbreak-inquery intimeperiodb. Clearly,
"
b
= q
hash +1
X
h=1 p
h;b
Letp
h;b;S
(forasuÆcientlylongbinarystringS oflengthm)betheprobabilitythat,inone run,F produces
a validforgerybased onhashquerynumberhafter break-inqueryintimeperiodb,given thatthestringS
wasusedto determinetherandomtapeof F and theresponses to allthe oraclequeriesofF until(andnot
including) theh-th hashquery. We have that
2 m
p
h;b
= X
S2f0;1g m
p
h;b;S :
GivensuchaxedstringS,theprobabilitythatF producesavalidforgerybasedonthehashquerynumber
h after break-inquery in time period b inbothruns is p 2
h;b;S
(because therst forgery isnow independent
of thesecond forgery). The additionalrequirementthat theanswerto thehash queryinthesecond runbe
dierent reducesthis probabilityto p
h;b;S (p
h;b;S 2
l
). Thus, theprobability q
h;b
that F produces a valid
forgery based on thehash query number h inbothruns and thatthe answerto thehash queryis dierent
inthe secondrun andthat thebreak-inquery wasbin bothruns is
q
h;b
=
X
S2f0;1g m
2 m
p
h;b;S (p
h;b;S 2
l
)=2 m
0
@ X
S2f0;1g m
p 2
h;b;S 2
l X
S2f0;1g m
p
h;b;S 1
A
2
m
(p
h;b 2
m
) 2
2 m
2 l
p
h;b
=p 2
h;b 2
l
p
h;b
(by LemmaA.1 ).
The probabilitythat F outputsa validforgery based on the same hash query bothtimes and that the
hash querywasanswereddierentlyinthesecond runand thatthebreak-inquery occurred intime period
i isnow
q
hash +1
X
h=1 q
h;b
q
hash +1
X
h=1 p
2
h;b q
hash +1
X
h=1 2
l
p
h;b
"
2
b
q
hash +1
2 l
"
b
(by LemmaA.1 ).
Notethat ifthishappens,then theforgeryoccursintimeperiodi<b=j+1 (because theforgeryhas
to occurbefore thebreak-inquery),soA willbeable to take a root of .
Finally,we remove the assumption thatA picked j =b 1 asthetime period to get theprobabilityof
A's success:
"
0
1
T T+1
X
i=2
"
2
b
q
hash +1
2 l
"
b
Æ 2
T 2
(q
hash +1)
Æ
2 l
T
(by LemmaA.1 ).
