A New Forward-Secure Digital Signature Scheme

HONG Jingxin

Communication Engineering Department of Xiamen University, Xiamen, Fujian, P. R. China, 361005

Email: hjx@xmu.edu.cn

ABSTRUCT In this paper, the widely used ECC digital signature scheme – ECDSA is advanced, and a new
forward-secure digital signature scheme is proposed in order to reform the limitations of ECDSA. In the new scheme,
although the digital signature’s private key is under the control of a one-way function and continually changed in
different durations with time goes by, its public key remains the same. The attacker could not fake the older signature
even if the private key is leaked out in some period of time. In this way this scheme makes sure of the security of
signature of former phases. The validity of the new scheme is proved and the security is analyzed in the paper.

KEYWORDS ECC (elliptic curve cryptosystem), forward-secure, digital signature, provable security

1. INTRODUCTION

The widely used public key digital signature scheme is designed on the NP problem in mathematics. [1] The ECC
Digital Signature constructs discrete logarithm problem by using the Abel additive group composed of the points on
elliptic curve.[2], [3] With the development of the computer sciences and the communication business, digital signature
becomes one of the most important means to guarantee the security of communication. [1] But in reality, the signature
private key may be leaked out through the secret leaks of system or factitious factors, so the signature may be faked,
which become a difficult part of security problem. This article based on non-supersingular elliptic curve over finite field
n [4] [5]
GF (2 n ) with eigenvalue 2 , advances a kind of forward-secure digital signature scheme .

2. NON-SUPERSINGULAR ELLIPTIC CURVES DIGITAL SIGNATURE ALGORITHM (ECDSA) [4]

In non-supersingular elliptic curve field, the digital signature algorithm ECDSA is described as follows:

Select a rational point G on E (GF (2 n )) , called it base point, find n which is a prime number satisfies the
formula nG = O , and select a one-way secure Hash function h(m) [1] (such as SHA-1). For each system user, he has a
private key a , calculate the public key Pa = aG . If user A wants to sign on the message m , the scheme can be
described as:

(1) User A selects an integer k randomly, 0 < k < n , calculate kG = ( x, y ) , r = x mod n , if r = 0 , return to (1).

(2) Calculate e = h(m) ; s = k −1 (e + ra ) mod n , if s = 0 , return to (1).

(3) Take ( r , s ) as the digital signature of message m by A.

The verification of digital signature:

(1) Calculate e1 = h(m1 ) , u = s −1e1 mod n , v = s −1r mod n .

(2) Calculate X = uG + vP0 = s −1 (e1G + raG ) = s −1 (e1 + ra)G = k ;G = ( x1 , y1 ) .

(3) If X = 0 , this signature is refused; else calculates r1 = x1 mod n , if r = r1 , the confirmer accepts this signature.

3. THE KNOWLEDGE OF FORWARD-SECURE DIGITAL SIGNATURE[5]

1-4244-1035-5/07/$25.00 .2007 IEEE. 254

 The forward-secure scheme aims at eliminating the limitation of ordinary digital signature. In ordinary digital
signature, if a signatory’s private key is leaked out all signatures from him may be in public, including the signatures in
the past or the future. This limitation affects the undeniability that the signature should have. In fact, for the signatory,
the simplest way to deny his signature is to publish his secret key anonymously, and then declare that his computer is
invaded. The forward-secure scheme’s target is to ensure that, the attacker still could not fake the signature of the past
time even if the private key in signature is leaked out in some period of time. In this way the scheme makes sure of the
security of signature of former phases, and obviously reduces and controls the expense caused by the private key’s
leaking. With different to ordinary signature schemes, when time goes by, the forward-secure digital signature’s private
key is continually changed in different durations, but its public key remains the same. Normally, when a system builds
up, a user registers a certification first, and he gets a public key PK and the corresponding private key K 0 , keeps the
private key secretly. After that, he divides the period of validity of secret key into T phases, marked with 1,2,…, T
respectively. During the period of validity, PK , the public key, is invariant, while the private key updates in different
durations. Let’s take K i denoting the private key of duration i. When the time of phase i arrives ,to begin with, we
should use the formula K i = f ( K i −1 ) to transform the private key from K i −1 to K i , where f () is an unilateral
function, and should delete K i −1 as soon as we get K i . Regardless of a attacker invades the computer and gets K i , he
could not get K i −1 , K i −2 , …, K 0 , because there will be a considerable problem of discrete logarithm. In this way we
can ensure the security of signature in past time. The Fig. 1 describes the private key’s updating process:

f phase 1 f phase 2 f f phase T

K0 K1 K2 …… KT

Fig. 1 The private key’s updating process

4. THE NEW FORWARD-SECURE DIGITAL SIGNATURE SCHEME

We select a rational point G ( x, y ) on E (GF (2 n )) as the base point, then calculate n , the exponent of G . Here
n is a prime number satisfied nG = O , and select a one-way secure Hash function h( m) (such as SHA-1).

4.1 The process of generating the first key pair signatory

(1) Divide the period of validity of signature private key to T phases (for example, everyday as a phase), select three
random number ( q, k 0 , K 0 ) , where 0 < (q, k 0 , K 0 ) < n , and q has the same order as n ;

(2) Calculates P0 = k 0 K 0 G ,

(3) Publish system public key {T , q, P0 } ; and the primary private key {K 0 , k 0 } should be kept in secret.

4.2 Signatory’s private key updating algorithm

The signatory’s private key update algorithm are defined as:

K i = K iq−1 mod n

With the following definition:

s1 = k1k0−1K 0q −1 mod n

(
s 2 = k 2 k1−1 K1q −1 mod n = k 2 k1−1 K 0q ( q −1) mod n = k 2 k1−1 k 0 k1−1 s1 ) q
mod n

(
s 3 = k 3 k 2−1 K 2q −1 mod n = k 3 k 2−1 K 1q ( q −1) mod n = k 3 k 2−1 k1 k 2−1 s 2 )
q
mod n

1-4244-1035-5/07/$25.00 .2007 IEEE. 255

…

We get the public key update algorithm as the private key is updated:

P1 = k1 K1G = k1k 0−1k 0 K 0q G = k1k 0−1 K 0q −1k 0 K 0 G = k1k0−1 K 0q −1 P0 = s1 P0

P2 = k 2 K 2G = k 2 k1−1k1 K1q G = k 2 k1−1 K1q −1k1 K1G = k 2 k1−1 K1q −1 P1 = s2 P1 = s2 s1 P0

P3 = k 3 K 3G = k3 k 2−1k 2 K 2q G = k 3 k 2−1 K 2q −1k 2 K 2G = k 3 k 2−1 K 2q −1 P2 = s3 P2 = s3 s 2 s1 P0

Based on the above discuss, the private key update algorithm is defined as follows:

When the time of phase 1 arrives, the signatory select a random number k1 , where 1 < k1 < n , and:

(1) Calculates s1 = k1k0−1K 0q −1 mod n , S1 = s1 ,

(2) Calculates the private key K1 = K 0q mod n ,

(3) Deletes K 0 , publishes S1 and keeps {K 1 , k 0 , k1 , s1} as the new private key for phase 1.

When the time of phase i arrive, 2 ≤ i ≤ T , the signatory select a random number ki , where 1 < ki < n , and:

(1) Uses K i −1 , the private key of phase i − 1 , to calculate K i = K iq−1 mod n .

(2) Uses si −1 to calculate si = ki ki−−11 (k i−2 ki−−11si −1 ) mod n , and S i = si S i −1 mod n .

q

(3) Deletes K i −1 , ki −2 and si −1 , publishes S i and keep {K i , ki −1.ki , si } as the new private key for phase i .

4. 3 Signature procedure

(1) Select a random number k , 0 < k < n , calculate kG = ( x, y ) , r = x mod n , if r = 0 , return to (1).

(2) Calculate e = h(m) , s = k −1 (e + rk i K i ) mod n , if s = 0 , return to (1).

(3) Take ( r , S i , s ) as the digital signature of message m by the signatory.

4.4 Verification procedure

(1) Calculate e1 = h(m1 ) , u = s −1e1 mod n , v = s −1r mod n .

(2) Calculate X = uG + vSi P0 = ( x1 . y1 ) .

(3) If X = 0 , the signature is refused; else calculate r1 = x1 mod n , if r = r1 , the confirmer accepts this signature.

4.5 The scheme validity Prove

Actually, X = uG + vS i P0 = s −1 (e1G + rki K i G ) = s −1 (e1G + rki K i G) = s −1 (e1 + rk i K i )G = k 'G = ( x1 . y1 )

If e = e1 then X = kG .

1-4244-1035-5/07/$25.00 .2007 IEEE. 256

The validation of the scheme is proved.

5. THE NEW SCHEME’S PROVABLE SECURITY ANALYSIS

With the complex theory method (the provable security theory[6]), the new scheme’s security can be divided into
the signature and verification procedure security complexity and the private update security complexity. As the new
scheme’s signature and verification procedure is the same as ECDSA , the only different is that in ECDSA, the public
key P0 keeps the same, and in the new scheme, when the time of phase i arrive, the equivalent public key changes to
[4]
Pi = Si P0 . Based on the ECDSA security is proved , the only thing we must prove is if the private key {K i , ki −1.ki , si }
is leaked out, the private key K i −2 , …, K 0 can not be get.

The private key updating algorithm K i = K iq−1 mod n can be treated as one way function, as the calculation of
K i −1 from K i is the difficulty of discrete logarithm problem. Other ways to get private key K i −1 , K i −2 , …, K 0 are:

(1) Calculate K i −1 directly from K i = K iq−1 mod n .

(2) From the equation S i = si S i−1 mod n , the si−1 can be got from Si −1 and S i−2 . If all S i is collected, all s i
can be got too. If {K i , k i −1.k i , si } is leaked out, the way to get k i −2 is from equation si = ki ki−−11 (k i−2 ki−−11si −1 ) mod n
q

and another way to get K i −1 is from equation s i = k i k i−−11 K iq−−11 mod n .

(3) From the equations s i = k i k i−−11 K iq−−11 mod n and K i = K iq−1 mod n , we get K i −1 = k i −1 k i−1 s i−1 K i mod n . If
{K i , k i −1.k i , si } is leaked out, the K i −1 can be calculated from K i −1 = k i −1 k i−1 si−1 K i mod n , but the K i − 2 can not be
calculated from K i − 2 = k i −2 k i−−11 s i−−11 K i −1 mod n because the k i −2 is unknown.

Based on the above analyzes, we can get the conclusion that in the new schemes, the security of the ways to get private
key K i −2 , …, K 0 from leaked out key {K i , k i −1.k i , si } is has the same complexity of the difficulty of discrete
logarithm problem K i = K iq−1 mod n .

6. CONCLUSIONS

Under the assumption of the intractability of factoring and the discrete logarithm problem, this paper brings
forward a kind of forward-secure digital signature scheme which is based on elliptic curve cryptography digital
signature scheme ECDSA. Meanwhile the new scheme’s security and validity is proved. Because the new scheme is
target on to ensure that, the attacker still could not fake the signature of the past time even if the private key in signature
is leaked out in some period of time, it insure the signature’s forward security and damage caused by leaked out key can
be limited and controlled. Therefore the new scheme can be widely used in electronic commerce and so on.

REFERENCES

[1] Lu Kai-Cheng, Computer Cryptology ---- Data Secrecy and Security in Computer Network [M]. BEJING˖
Tsinghua University Pressˈ2003.
[2] Johson D, Menezes A. The elliptic curve digital signature algorithm. Technical Report, CORR 99-31, Canada:
Department of Combinatories and Optimization, University of Waterloo, 1999.
[3] William Stallings (Author). Cryptography and Network Security˖Principles and Practice Second Edition [M].
Yang Ming, Xu Guang-Hui, Qi Wang-Dong etc (Translator). BEJING˖Publishing House of Electronics
Industryˈ2001
[4] S. Vanstone, Reponses to NIST’s proposal. Communications of the ACM, 35:50-52, July 1992.
[5] M Bellare, S K Miner. A forward-secure digital signature scheme. In: Proc of the CRYPTO’99. Berlin:
Springer-Verlagˈ1999.431~448
[6] Bellare M. Practice -Oriented provable-security. In: Damgard I, ed. Advances in Cryptology Eurocrypt’99.
LNCS 1561, Berlin: Springer-Verlag, 1999. 221-231.

1-4244-1035-5/07/$25.00 .2007 IEEE. 257