One-Time Data Signature System and Method with Untrusted Server Assistance

Abstract

To digitally sign a message, a signing entity generates a set of secret keys is generated and, for each secret key, a signing key is derived. An authenticator value is submitted to a signature server and is formed as a cryptographic binding of both the message and a respective one of the signing keys. The signature server then generates and returns to the signing entity a first signature of the authenticator value. If the signing entity determine that the first signature is valid, it replaces the signing key within the first signature with the secret key from which it was derived to form an augmented signature, and only thereafter reveals the respective secret key. This allows the signing entity to offload computational burden onto even an untrusted signature server.

Claims

1. A method for digitally signing a message comprising: generating a set of secret keys; deriving signing keys as a function of respective ones of the secret keys; submitting to a signature server an authenticator value formed as a cryptographic binding of both the message and a respective one of the signing keys, said signature server thereupon generating and returning to the signing entity a first signature of the authenticator value; receiving the first signature from the signature server; determining the validity of the first signature; and if the first signature is determined to be valid, replacing within the first signature the signing key with the secret key from which the signing key was derived to form an augmented signature, and revealing the respective secret key.

2. The method of claim 1, further comprising: generating the set of secret keys as a function of time, each secret key and its corresponding signing key being associated with a time; and revealing the respective secret key only after its associated time has passed.

3. The method of claim 1, further comprising generating the set of secret keys and the signing keys as a function of a series index.

4. The method of claim 1, in which each signing key is derived as a cryptographic hash function with the respective secret key as an input parameter.

5. The method of claim 1, in which the cryptographic binding includes timestamping.

6. The method of claim 1, in which the first and augmented signatures comprise at least one hash chain leading to a respective hash tree root value.

7. The method of claim 1, further comprising computing a public key by inputting and aggregating the signing keys into a hash tree that has a root that forms a public key.

8. The method of claim 7, further comprising including respective time-associated values along with each respective signing key in the hash tree aggregation of the signing keys.

9. The method of claim 8, further comprising submitting the public key to the signing server along with the corresponding signing keys.

10. The method of claim 6, in which in which the first signature includes recomputation parameters and a calendar value corresponding to a calendar period during which the first signature was originally computed, such that an arbitrary subsequent test value is considered authenticated relative to the original inputted value if, using the recomputation parameters to logically recompute a hash tree path to the calendar value, which corresponds to the public key, the same calendar value is attained as when it was originally computed.

11. The method of claim 6, further comprising: verifying that the secret key associated with the message was committed at a corresponding correct time by recomputing the corresponding hash chain to the root value associated with the secret key and that correct time; and verifying that the message was authenticated at a corresponding correct time by recomputing the corresponding hash chain to the root value associated with the message and that correct time.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] FIG. 1 illustrates the main entities and components of a BLT signature method and system.

[0021] FIG. 2 illustrates the main components and information exchange between components in some embodiments.

[0022] FIG. 3 illustrates a hash tree with indexed leaves.

[0023] FIG. 4 illustrates a t-th round of a server tree.

[0024] FIG. 5 shows the steps involved in the operation of an oracle that may be used in embodiments.

[0025] FIG. 6 illustrates a hash tree in which hashes of secret keys form some of the leaves.

DESCRIPTION

[0026] Embodiments of this invention provide new methods, and corresponding system implementations, that are practical, provide forward security, non-repudiation of the origin, are resistant to known attacks even by quantum computers, and may even provide built in cryptographic time-stamping. The sizes of the signatures and keys, and their efficiency, are comparable with the state of the art of hash-based signature schemes. The new signature solutions are stateful, and the maximum number of signatures they create using a set of keys may be determined at the key-generation time.

BLT Signature Scheme

[0027] Some of the present inventors (Buldas, Laanoja, Truu) have themselves previously presented a hash-based solutionreferred to as the BLT signature schemewhich depends on interaction with a time-stamping service. FIG. 1 illustrates the main entities and components of the BLT method and system: A Signer, who uses trusted functionality in a secure Device (D), at least one server (S), a Repository (R), and a Verifier (V). The principal idea of the BLT signature scheme is to have the signer commit to a sequence of secret keys. Each key is assigned a time epoch during which it can be used to sign messages and will transition from signing key to verification key once the epoch has passed. In order to prove timely usage of the keys, a cryptographic time-stamping service is used. It is possible to provide a suitable time-stamping service (see A. Buldas, A. Kroonmaa, and R. Laanoja, Keyless signatures' infrastructure: How to build global distributed hash-trees, NordSec 2013, Proceedings, volume 8208 of LNCS, pages 313-320. Springer, 2013) with no trust in the service provider (see . Buldas, R. Laanoja, P. Laud, and A. Truu, Bounded pre-image awareness and the security of hash-tree keyless signatures, ProvSec 2014, Proceedings, volume 8782 of LNCS, pages 130-145. Springer, 2014), using hash-linking and hash-then-publish schemes. Signing itself comprises time-stamping the message-key commitment in order to prove that the signing operation was performed at the correct time.

[0028] In more detail, in order to be able to sign messages at time epochs (1; . . . ; T), the Signer: [0029] 1) Generates T signing keys (.sub.1; . . . ; .sub.T), which may, for example, be unpredictable values drawn from {0; 1}.sup.k; [0030] 2) Binds each key to a respective epoch number: x.sub.ih(i; ) for i{1; . . . ; T}, where h is a hash function; and [0031] 3) Computes the public key p by aggregating the key-epoch bindings into a hash tree: pT.sup.h(x.sub.1; . . . ; x.sub.T). [0032] 4) Let Xc>Y denote that Y is the result of computation over a hash chain c with an input X. In the figures, c>Y is shown as a curvy arrow with the corresponding c over it. Where the chain is not specifically labeled, no c is indicated in the text or figures.

[0033] The resulting data structure is shown in FIG. 3 and its purpose is to be able to extract hash chains c.sub.i linking the key-epoch bindings h(i; .sub.i) to the public key p, that is, h(i; .sub.i)c.sub.i>p.

[0034] To sign a message m during epoch t, the signer: [0035] 1) Uses the appropriate key to authenticate the message: yh(m; .sub.t). [0036] 2) Obtains a time-stamp on the authenticator y. It is preferred to use a hash-then-publish time-stamping service, in which case the time-stamp takes the form of a hash chain a.sub.t linking the authenticator y to r.sub.t, the root of the aggregation tree built by the server during the epoch t. [0037] 3) Outputs the tuple (t; .sub.t; c.sub.t; a.sub.t) as the signature.

[0038] Note that the signature is composed and emitted only after the verification of r.sub.t, which makes it safe for the signer to release the key .sub.t as part of the signaturethe time-stamping service will already have closed the aggregation epoch t so that it's no longer possible to link new message authenticators to r.sub.t.

[0039] To verify that the message m and the signature s=(t; ; c; a) match the public key p, the verifier: [0040] 1) Checks that .sub.t was committed as a signing key for time t: h(t; )c>p. [0041] 2) Checks that m was authenticated with key at time t: h(m; )a>r.sub.t.

[0042] The BLT signature scheme thus uses one-time, time-bound keys, together with a cryptographic time-stamping service. It is post-quantum secure against known attacks and the integrity of a BLT signature does not depend on the secrecy of keys. The fact that keys have to be pre-generated for every possible signing epoch, for every signature, however, creates some implementation challenges, making, for example, on-smartcard key generation prohibitively slow in the case of real-world parameters.

Guardtime KSI Blockchain

[0043] Embodiments of this invention do not require any specific form of time-stamping service, but a particularly advantageous form (based on the Guardtime infrastructure) is described below. In a preferred embodiment, the time-stamping is implemented using the data signature infrastructure developed and marketed under the name KSI by Guardtime AS of Tallinn, Estonia. This system is described in general in U.S. Pat No. 8,719,576 (also Buldas, et al., Document verification with distributed calendar infrastructure). In summary, for each of a sequence of calendar periods (typically related one-to-one with physical time units, such as one second), the Guardtime infrastructure takes digital input records as inputs, that is, lowest-level tree leaves. These are then cryptographically hashed together in an iterative, preferably binary hash tree, ultimately yielding an uppermost hash value (a calendar value) that encodes information in all the input records. This uppermost hash value is then entered into a calendar, which is structured as a form of blockchain which, in some implementations, may involve aggregating calendar values into a progressive hash tree. The KSI system then may return a signature in the form of a vector, including, among other data, the values of sibling nodes in the hash tree that enable recomputation of the respective calendar value if a purported copy of the corresponding original input record is in fact identical to the original input record.

[0044] As long as it is formatted according to specification, almost any set of data, including concatenations or other combinations of multiple input parameters, may be submitted as the digital input records, which do not even have to comprise the same parameters. One advantage of the KSI system is that each calendar block, and thus each signature generated in the respective calendar time period, has an irrefutable relationship to the time when the block was created. In other words, a KSI signature also acts as an irrefutable timestamp, since the signature itself encodes time to within the precision of the calendar period.

[0045] One other advantage of using a Guardtime infrastructure is that there is no need to store and maintain public/private (such as PKI) key pairsthe Guardtime system may be configured to be totally keyless except possibly for the purposes of identifying users or as temporary measures in some implementations in which calendar values are themselves combined in a hash tree structure for irrefutable publication. Another advantage is less apparent: Given the signature vector for a current, user-presented data record and knowledge of the hash function used in the hash tree, an entity will be able to verify (through hash computations as indicated by the signature vector) that a candidate record is correct even without having to access the signature/timestamping system at all.

[0046] Yet another advantage of the Guardtime infrastructure is that the digital input records that are submitted to the infrastructure for signature/timestamping do not need to be the raw data; rather, in most implementations, the raw data is optionally combined with any other desired input information (such as user ID, system information, various metadata, etc.) and then hashed. Given the nature of cryptographic hash functions, what gets input into the KSI system, and thus ultimately into the calendar blockchain, cannot be reconstructed from the hash, or from what is entered into the calendar blockchain.

Blockchain-Backed BLT

[0047] In order to avoid the inherent inefficiency of pre-assigning individual keys to every time epoch, it would be advantageous if keys may be spent sequentially, one-by-one, as needed. This approach is particularly useful for real-world use cases where signing is performed in infrequent batches, for example, when paying monthly bills. Sequential key use needs more elaborate support from the server; in particular, it is necessary to keep track of spent keys by both the signer and the server, and to avoid successful re-use of the spent keys. Embodiments of the invention described herein manage these keys sequentially without placing too much trust in the server.

[0048] Embodiments of this invention, which improve on the basic BLT signature scheme, should preferably have as many of the following properties as possible: [0049] The number of trusted components should be kept to a minimum, including minimization of trusted storage and computation, which may be offloaded to secure hardware or to a distributed cluster; [0050] Forgery should be avoided as soon as possible, that is, it is better to avoid forgery at signing time so that a signature cannot be created at all, rather than creating a signature and requiring a verifier to detect the forgery. The least desirable option is not to be able to detect forgery until some later audit; [0051] The amount of globally shared data should be minimal; [0052] There should be a well-defined security model, assumptions, and root of trust; [0053] Efficiency: many signers, few servers, single, shared root of trust; [0054] Privacy by design. Even the fact that a signer has created a signature should preferably be known to the designated verifier(s) only; and [0055] Easy to provide higher-level properties like non-repudiation, revocation, signing time.

[0056] Embodiments guarantee that reused one-time keys do not produce valid signatures. The previous BLT signature method employs time-bound keys, where every key can be used for signing at a specific point of time and no later. This incurs quite large overhead, however: Keys must be pre-generated even for time periods when no signatures are created. In contrast, the embodiments discussed below use keys sequentially, with server-side supportevery signer has a designated server, which keeps track of spent keys, together with the signer, and does not allow creation of valid signatures using already spent keys.

[0057] One solution is to trust the server to behave honestly. In this case, the server maintains a spent key counter that is synchronized with the signer. The server then refuses to create signatures if key indexes do not match. One drawback of this solution is lack of non-repudiationthe server can collect spent keys and create valid signatures on behalf of the signer. This situation can be improved upon with trusted logging and auditing. Below, an embodiment is presented that addresses this problem of an untrusted signing server.

[0058] The signer may publish all signing events, including a key counter, in a public repository, such that the server cannot reuse keys and does not have to be treated as a trusted component. This approach will often be inefficient because of the amount of public, replicated data, which must be distributed and processed during verification; moreover, it leaks information about the signer's behavior. In this case, the public repository is like a component often called the ledger in literature relating to blockchains.

[0059] Embodiments described below avoid publishing all signing transactions, while not trusting the server. As a common feature, embodiments use spent key counters both at the signer side and server side; and the server periodically creates hash trees on top of its counters (i) and input hashes (y); and publishes root hashes to a public repository.

[0060] Assuming no collaboration between server and verifiers, the server cannot learn keys .sub.i, and thus cannot produce valid signatures that depend on those keys. This may be difficult to enforce in practical implementations, howeverone may normally assume that signatures can be published, and that the server has access to spent keys. With this restriction, a better method should eliminate the attack where the server decrements the spent key counter to i, signs a message using captured .sub.i, and then increments the counter to its previous value.

[0061] Assuming the server and (other) signers do not cooperate maliciously, one solution is neighborhood watch: Signers observe changes in returned hash-chains and published roots and request proofs from the server that all changes were legitimate, by checking that key counters of signers assigned to neighboring leaves were incremented only. This approach detects forgeries but does not block them. A weakness of this approach is that it fails to deal with the possibility (or ever-present suspicion) of malicious cooperation between server and some of its clients.

[0062] The concept of authenticated data structures (see above) can be used for verifying the correct operation of the server. If the proof of correct operation is a part of signatures, then verifiers can reject signatures without valid proof and thus the server cannot forge signatures by tampering with the counters. This approach has quite large overhead: All potential verifiers must be able to validate all counters throughout their operational time. Other parties who can perform such validation are the Repository, the Signer, or an independent Auditor. Both Signer and Auditor could discover a forgery after the fact, but this will typically not be early enough to avoid creation of forged signatures.

[0063] In an embodiment, pre-validation is done by the Repository R, which may be implemented in a manner analogous to double-spending prevention performed by blockchains backing cryptographic currencies. In this case, Servers S should provide proofs of correct operation to the trusted Repository. The Repository may then publish a root hash only after validating the correct operation of the Servers. Published hashes may be made immutable using known cryptographic techniques and be widely distributed. Because signatures can be verified based only on the corresponding published root hash in the Repository, servers' forging of signatures by temporarily decrementing key usage counters can be eliminated. This solution is efficient since the blockchain (the amount of public data) grows only in linear relation to time; there is a relatively low number of trusted components; the blockchain, including its input validation is forward secure; the server's forgery attempts will be prevented at the signing time; and it is not necessary to have a long-term log of private data. The Repository may be implemented as a Byzantine fault tolerant distributed state machine, which eliminates the need to trust a single party. This embodiment will be described in more detail below.

[0064] See now FIG. 2, which illustrates the main components and information exchange between the components in some embodiments:

[0065] Signer/Device D generates keys and then signs data.

[0066] Server S assists signers in generating signatures and keeps counters i of spent keys and publishes aggregate hashes to the Repository R. The correctness of operation of S may be verified by R before publishing.

[0067] S operates in rounds. It maintains a hash tree; there is one pre-assigned leaf for every signer client, indexed by j. A leaf l.sub.t=(i.sub.t; y.sub.t) for round t contains the tuple of the counter value and the last input query from the Signer. FIG. 4 illustrates, for example, a server tree for round t, depicting the key counter and input of the second client only.

[0068] S is allowed only to increment i; for every changed leaf it presents a proof P of correct operation to R. A proof consists of the value of the leaf in the previous round and hash chain leading to the root of previous round, previously published by R, the leaf value at current round, and the newly computed root of current round.

[0069] The Repository R performs two tasks. First (depicted as layer R.sub.v), it verifies the operation of S and after successful verification it commits the new root value r to a public append-only ledger or other irrefutable data structure.

[0070] The Verifier V is any relying party who wishes or needs to verify the signatures in any known manner. Described above is how Guardtime KSI signatures may be verified.

[0071] Keys may be generated in the same manner as in the basic BLT, although the number of keys required will typically be much smaller, and thus the generation process may be more efficient. In order to be able to sign N messages the Signer: [0072] 1) Generates N signing keys (.sub.1; . . . ; .sub.N), which may, for example, be unpredictable values drawn from {0; 1}.sup.k; [0073] 2) Binds each key to a respective sequence number: x.sub.ih(i; .sub.i) for i{1; . . . ; N}, where h is a hash function; and [0074] 3) Computes the public key p by aggregating the key-index bindings into a hash tree: pT.sup.h(x.sub.1; . . . ; x.sub.N).

[0075] The resulting data structure (shown in FIG. 3) is the same as in case of basic BLT and its purpose is also the same: extracting the hash chains h(i; .sub.i)c.sub.i>p.

[0076] For signing, each Signer should keep its state, the sequence number i of next key. To sign a message in, the Signer: [0077] 1) Uses the next key to authenticate the message: yh(m,.sub.i). [0078] 2) Sends y to Server and receives membership proof a.sub.t that links the authenticator to the updated published root of the Server's hash tree: h(i; y)a.sub.t>r.sub.t. [0079] 3) Signer validates the Server's response using the authentic r.sub.t. [0080] 4) If validation succeeds, the Signer outputs the tuple (i; .sub.i; c.sub.i; t; a.sub.t), where i is the key sequence number, .sub.i is the i-th signing key, c.sub.i is the hash chain linking the binding of .sub.i, and its sequence number i to the Signer's public key p, and a.sub.t is the hash chain returned by the Server linking the pair (i; y) to r.sub.t.

[0081] Finally, the Signer increments its spent key counter: ii+1.

[0082] The Server S, upon receiving a request y, performs the following steps: [0083] 1) Collects requests from other clients until the end of the current aggregation round. [0084] 2) For each received request y, updates the leaf j for the client who made the query: i.sub.ji.sub.j+1; l.sub.j(i.sub.j; y). [0085] 3) Computes the updated hast tree root r.sub.t. [0086] 4) Submits the new r.sub.t to Repository R together with validity proof of every changed leaf: l.sub.t1; l.sub.t>r.sub.t. [0087] 5) Upon receiving confirmation that r.sub.t is registered in the blockchain, returns hash chains a.sub.t to all clients with pending queries: p.sub.ja.sub.t>r.sub.t.

[0088] Note that, as before, the signatures are composed and emitted only after the verification of r.sub.t, which makes it safe for the Signer to release the key .sub.i as part of the signaturethe server has already incremented its counter i so that only .sub.i+1 could be used to produce the next valid signature.

[0089] The blockchain, which may be implemented in any entity, performs following operations: [0090] 1) Verifies the validity of every change in the Server's hash tree. For each update to the root must be a proof showing that this change was caused by a valid change of a leaf, where the key index was incremented; [0091] 2) Maintains cryptographic links between roots; and [0092] 3) Makes the roots publicly available.

[0093] To verify that the message in and the signature s=(i; ; c; t; a) match the public key p, the Verifier: [0094] 1) Checks that was committed as a signing key number i: h(i; )c>p. [0095] 2) Checks that in was authenticated with key at time t: h(i; h(m; ))a>r.sub.t. [0096] 3) Checks that the value r.sub.t obtained in the previous step matches the one in the Repository.

[0097] The proofs of correct operation that the Server presents to the Repository can be constructed either iteratively, by generating hash chains before and after each leaf change, or in batches, taking hash chains before a round, applying all changes to leaves, generating a final Merkle tree, and then generating after-hash chains for each changed leaf. An iterative approach has the advantage that it is not necessary to perform explicit consistency and completeness checks between each leaf's chain.

[0098] Denote the sequence of indexes of leaf positions of clients who have provided a request during a round as a. Proof of correct operation of the round t may be defined as the sequence

.sub.t=((i.sup.j.sub.t1;y.sup.j.sub.t1)a.sup.j.sub.t;(i.sup.j.sub.ty.sup.j.sub.t):j=.sub.v,v=(1; . . . ;||),

where (i.sup.j.sub.t; y.sup.j.sub.t) is the j-th leaf of the server hash tree in round t and a.sup.j.sub.t is the hash-chain from the leaf to the root. For the computation of the proof, the server tree is updated every time a leaf is changed (denoted by incrementing the in-round change counter v). Note that the content of the hash chain a.sup.j does not change when the j-th leaf changes, because the rest of the leaves are still the same; this fact allows verification of the completeness of and consistency of its elements by just verifying hash chains in the provided sequence, and checking that each after-root is the same as the before-root of the following change, checking the correctness and matching root of hash chains when computed in the same order.

[0099] A verification routine for is illustrated as the Oracle R.sub.a in FIG. 5, where function R computes the hash tree root based on a leaf and a hash chain, so that r=R(l, a) if and only if la>r.

Delegated BLT

[0100] In this section of the disclosure, an embodiment is described that enables delegation of signing to an untrusted server. This extension to the basic BLT signature scheme described above allows a client to delegate the signing process to an untrusted server in such a way that the user will be able to verify what the server is signing before a valid signature is formed. This may be particularly relevant for the situations when the client has to produce signatures in an environment that is constrained, for example, by low computational power. To achieve that, the key generation, signing, and verification procedures are changed as follows.

[0101] To prepare to sign messages at time epochs (1; . . . ; T), the Signer: [0102] 1) Generates T secret keys (S.sub.1; . . . ; s.sub.T), which may, for example, be unpredictable values drawn from {0; 1}.sup.k. [0103] 2) Derives T signing keys (.sub.1; . . . ; .sub.T): .sub.if(i; s.sub.i) for i{1; . . . ; T}, where f is a one-way function such as a hash function. [0104] 3) Binds each signing key to a respective sequence number: x.sub.ih(i; .sub.i) for i{1; . . . ; T}, where h is, for example, a hash function. [0105] 4) Computes the public key p by aggregating the key-epoch bindings into a hash tree: pT.sup.h(x.sub.1; . . . ; x.sub.T). [0106] 5) Hands the signing keys .sub.i and the public key p over to the Server but keeps the secret keys s.sub.i strictly private.

[0107] The resulting data structure (shown in FIG. 6) now has two purposes: First, for each signing key the hash chain h(i; .sub.i)c.sub.i>p can be extracted; and second, for each signing key .sub.i, the corresponding secret key s.sub.i, when disclosed, can be verified via the relationship .sub.i=f(i; s.sub.i).

[0108] To have the Server sign a message m on its behalf, the Signer: [0109] 1) Uses the appropriate secret key to authenticate the message: yh(m; s.sub.t). [0110] 2) Asks the Server to sign the authenticator y with the signing key .sub.t. [0111] 3) The Server returns a standard BLT signature sig' =(t, .sub.t, a.sub.t, c.sub.t). [0112] 4) The Signer verifies that sig' is a valid BLT signature on y. [0113] 5) If sig' is valid, the Signer replaces .sub.t with s.sub.t to obtain a complete augmented signature sig=(t, s.sub.t, a.sub.t, c.sub.t).

[0114] Note that, to authenticate the message m, this embodiment uses a secret key and not a signing key.

[0115] To verify that the message m and the augmented signature sig=(t; s; c; a) match the public key p, the verifier: [0116] 1) Checks that s.sub.t was committed as a secret key for time t: h(t; f(s))c>p. [0117] 2) Checks that m was authenticated with key s at time t: h(m; s) a>r.sub.t.

[0118] This embodiment provides an extension to the basic BLT scheme that allows even a computationally weak user to delegate the signature-forming process to an untrusted server. The security of the described extension is based on the fact that the untrusted server produces only a partial signature sig=(t, , a, c), which can be checked by the signer before completing the signing process. To complete the process, , which acts as a token, is replaced with its pre-image s. Under standard cryptographic assumptions, this should be possible only by the signer who knows the original secret key s.

[0119] The solution provided by this embodiment may be compared with signature production methods that rely on zero-knowledge techniques. ZQL, for example, is a language for writing computations over hidden inputs. The disadvantage of the zero-knowledge approach is increased cryptographic and computational complexity, which results in performance penalties. In contrast, this extended BLT embodiment relies on well-known secure, yet easily computed hash functions.