HONG Jingxin
Email: hjx@xmu.edu.cn
ABSTRACT In this paper the widely used ECC digital signature scheme, ECDSA, is extended, and a new forward-secure digital signature scheme is proposed to overcome the limitations of ECDSA. In the new scheme the signature private key is controlled by a one-way function and changes continually from one time period to the next, while the public key remains the same. Even if the private key of some period is leaked, an attacker cannot forge signatures of earlier periods, so the scheme preserves the security of signatures from former phases. The validity of the new scheme is proved and its security is analyzed.
KEYWORDS ECC (elliptic curve cryptosystem), forward-secure, digital signature, provable security
1. INTRODUCTION
The widely used public key digital signature schemes are designed on NP problems in mathematics [1]. The ECC digital signature builds a discrete logarithm problem on the Abelian additive group formed by the points of an elliptic curve [2], [3]. With the development of computer science and the communication business, the digital signature has become one of the most important means of guaranteeing the security of communication [1]. But in practice the signature private key may be leaked through system flaws or human factors, so that signatures may be forged, which has become a hard part of the security problem. This article, based on a non-supersingular elliptic curve over the finite field $GF(2^n)$ of characteristic 2 [4], [5], advances a forward-secure digital signature scheme.
Over a non-supersingular elliptic curve, the digital signature algorithm ECDSA is described as follows:
Select a rational point $G$ on $E(GF(2^n))$ and call it the base point; find the prime $n$ satisfying $nG = O$, and select a one-way secure hash function $h(m)$ [1] (such as SHA-1). Each system user has a private key $a$ and calculates the public key $P_a = aG$. If user A wants to sign the message $m$, the scheme is described as:
(1) User A selects an integer $k$ randomly, $0 < k < n$, and calculates $kG = (x, y)$, $r = x \bmod n$; if $r = 0$, return to (1).
(3) If $X = 0$, the signature is refused; else calculate $r_1 = x_1 \bmod n$; if $r = r_1$, the verifier accepts the signature.
Figure: key evolution chain $K_0 \to K_1 \to K_2 \to \cdots \to K_T$
We select a rational point $G(x, y)$ on $E(GF(2^n))$ as the base point, then calculate $n$, the order of $G$. Here $n$ is a prime satisfying $nG = O$; we also select a one-way secure hash function $h(m)$ (such as SHA-1).
(1) Divide the period of validity of the signature private key into $T$ phases (for example, one day per phase), and select three random numbers $(q, k_0, K_0)$, where $0 < q, k_0, K_0 < n$ and $q$ has the same order as $n$;
(2) Calculate $P_0 = k_0 K_0 G$;
(3) Publish the system public key $\{T, q, P_0\}$; the primary private key $\{K_0, k_0\}$ is kept secret.
$K_i = K_{i-1}^{\,q} \bmod n$
$s_1 = k_1 k_0^{-1} K_0^{\,q-1} \bmod n$
$s_2 = k_2 k_1^{-1} K_1^{\,q-1} \bmod n = k_2 k_1^{-1} K_0^{\,q(q-1)} \bmod n = k_2 k_1^{-1} \left(k_0 k_1^{-1} s_1\right)^q \bmod n$
$s_3 = k_3 k_2^{-1} K_2^{\,q-1} \bmod n = k_3 k_2^{-1} K_1^{\,q(q-1)} \bmod n = k_3 k_2^{-1} \left(k_1 k_2^{-1} s_2\right)^q \bmod n$
We obtain the public key update algorithm as the private key is updated:
Based on the above discussion, the private key update algorithm is defined as follows:
When phase 1 arrives, the signatory selects a random number $k_1$, where $1 < k_1 < n$, and:
(3) Deletes $K_0$, publishes $S_1$ and keeps $\{K_1, k_0, k_1, s_1\}$ as the new private key for phase 1.
When phase $i$ arrives, $2 \le i \le T$, the signatory selects a random number $k_i$, where $1 < k_i < n$, and:
(3) Deletes $K_{i-1}$, $k_{i-2}$ and $s_{i-1}$, publishes $S_i$ and keeps $\{K_i, k_{i-1}, k_i, s_i\}$ as the new private key for phase $i$.
4.3 Signature procedure
(1) Select a random number $k$, $0 < k < n$, and calculate $kG = (x, y)$, $r = x \bmod n$; if $r = 0$, return to (1).
(3) If $X = 0$, the signature is refused; else calculate $r_1 = x_1 \bmod n$; if $r = r_1$, the verifier accepts the signature.
If $e = e_1$ then $X = kG$.
With the complexity-theoretic method (provable security theory [6]), the security of the new scheme can be divided into the security complexity of the signature and verification procedure and the security complexity of the private key update. The signature and verification procedure of the new scheme is the same as that of ECDSA; the only difference is that in ECDSA the public key $P_0$ stays the same, whereas in the new scheme, when phase $i$ arrives, the equivalent public key changes to $P_i = S_i P_0$. Since the security of ECDSA has been proved [4], the only thing left to prove is that if the private key $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, the private keys $K_{i-2}, \ldots, K_0$ cannot be obtained.
The private key update algorithm $K_i = K_{i-1}^{\,q} \bmod n$ can be treated as a one-way function, since calculating $K_{i-1}$ from $K_i$ has the difficulty of the discrete logarithm problem. The other ways to get the private keys $K_{i-1}, K_{i-2}, \ldots, K_0$ are:
(2) From the equation $S_i = s_i S_{i-1} \bmod n$, $s_{i-1}$ can be obtained from $S_{i-1}$ and $S_{i-2}$. If all $S_i$ are collected, all $s_i$ can be obtained too. If $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, the way to get $k_{i-2}$ is from the equation $s_i = k_i k_{i-1}^{-1} \left(k_{i-2} k_{i-1}^{-1} s_{i-1}\right)^q \bmod n$.
(3) From the equations $s_i = k_i k_{i-1}^{-1} K_{i-1}^{\,q-1} \bmod n$ and $K_i = K_{i-1}^{\,q} \bmod n$, we get $K_{i-1} = k_{i-1} k_i^{-1} s_i^{-1} K_i \bmod n$. If $\{K_i, k_{i-1}, k_i, s_i\}$ is leaked, $K_{i-1}$ can be calculated from $K_{i-1} = k_{i-1} k_i^{-1} s_i^{-1} K_i \bmod n$, but $K_{i-2}$ cannot be calculated from $K_{i-2} = k_{i-2} k_{i-1}^{-1} s_{i-1}^{-1} K_{i-1} \bmod n$ because $k_{i-2}$ is unknown.
Based on the above analysis, we conclude that in the new scheme, obtaining the private keys $K_{i-2}, \ldots, K_0$ from the leaked key $\{K_i, k_{i-1}, k_i, s_i\}$ has the same complexity as the discrete logarithm problem $K_i = K_{i-1}^{\,q} \bmod n$.
6. CONCLUSIONS
Under the assumption of the intractability of factoring and of the discrete logarithm problem, this paper brings forward a forward-secure digital signature scheme based on the elliptic curve digital signature scheme ECDSA, and proves the security and validity of the new scheme. Because the new scheme is designed to ensure that an attacker still cannot forge signatures of past periods even if the private key of some period is leaked, it ensures the forward security of signatures, and the damage caused by a leaked key is limited and controlled. Therefore the new scheme can be widely used in electronic commerce and similar applications.
REFERENCES
[1] Lu Kai-Cheng. Computer Cryptology: Data Secrecy and Security in Computer Networks [M]. Beijing: Tsinghua University Press, 2003.
[2] Johnson D, Menezes A. The elliptic curve digital signature algorithm. Technical Report CORR 99-31, Department of Combinatorics and Optimization, University of Waterloo, Canada, 1999.
[3] William Stallings. Cryptography and Network Security: Principles and Practice, Second Edition [M]. Yang Ming, Xu Guang-Hui, Qi Wang-Dong et al. (translators). Beijing: Publishing House of Electronics Industry, 2001.
[4] S. Vanstone. Responses to NIST's proposal. Communications of the ACM, 35:50-52, July 1992.
[5] M. Bellare, S. K. Miner. A forward-secure digital signature scheme. In: Proc. of CRYPTO'99. Berlin: Springer-Verlag, 1999. 431-448.
[6] M. Bellare. Practice-oriented provable-security. In: Damgard I, ed. Advances in Cryptology, Eurocrypt'99. LNCS 1561, Berlin: Springer-Verlag, 1999. 221-231.