We propose a new notion of cryptographic tamper evidence. A tamper-evident signature scheme provides an additional procedure Div which detects tampering: given two signatures, Div can determine whether one of them was generated by the forger. Surprisingly, this is possible even after the adversary has inconspicuously learned (exposed) some, or even all, of the secrets in the system. (We say that a secret is exposed when it becomes known to the adversary. Exposure does not imply that the secret becomes publicly known; moreover, nobody except the adversary is aware that the exposure has taken place.) In this case it might be impossible to tell which signature was generated by the legitimate signer and which by the forger, but at least the fact of the tampering is made evident.

We define several variants of tamper evidence, differing in their power to detect tampering. In all of them we assume an equally powerful adversary: she adaptively controls all the inputs to the legitimate signer (i.e., all messages to be signed and their timing) and observes all of his outputs; she can also adaptively expose all the secrets at arbitrary times.

We provide tamper-evident schemes for all the variants. Some of our schemes use a combinatorial construction of α-separating sets, which might be of independent interest.

The schemes are optimal: we prove tight lower bounds. These lower bounds are perhaps the most surprising result of this paper. The lower-bound proofs are information-theoretic, and thus cannot be circumvented by introducing number-theoretic or algebraic complexity assumptions.

Our mechanisms are purely cryptographic: the tamper-detection algorithm Div is stateless and takes no inputs except the two signatures; it uses no infrastructure (or other means of concealing additional secrets) and relies on no hardware properties beyond those implied by standard cryptographic assumptions, such as random number generators. All constructions in this paper are based on arbitrary ordinary signature schemes and do not require random oracles.
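To make the shape of a stateless Div concrete, here is an added toy sketch written for this page; it is not the construction from the paper and does not achieve the paper's formal guarantees or bounds. Its assumptions: the "arbitrary ordinary signature scheme" is instantiated with a Lamport one-time signature built from SHA-256 so that the example runs on a stock Python install; the signer evolves its state by drawing a fresh one-time key at signing time and committing to its digest inside the current signature; and Div is a simple fork detector (two signatures at the same index with different content, a one-time key reused at two indices, or two adjacent indices whose commitment chain does not link). The scenario clones the signer's entire state to model an adversary who silently exposes all secrets, then shows that a forgery is indistinguishable on its own while a pair of signatures that straddle the fork reveals the tampering. Names such as `Signer`, `div`, `verify_chain` and `run_scenario` are illustrative choices, not identifiers from the paper.

```python
"""Added toy illustration of tamper evidence (not the paper's scheme):
a sequence of Lamport one-time signatures chained by commitments to the next key."""
import copy
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# --- Lamport one-time signatures, standing in for any ordinary signature scheme ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def lamport_sign(sk, digest: bytes):
    bits = int.from_bytes(digest, "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, digest: bytes, sig) -> bool:
    bits = int.from_bytes(digest, "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def pk_digest(pk) -> bytes:
    return H(*[h0 + h1 for h0, h1 in pk])


def body(index: int, msg: bytes, cur_pk: bytes, next_pk: bytes) -> bytes:
    # What gets signed: position in the chain, message, current key, commitment to next key.
    return H(index.to_bytes(8, "big"), msg, cur_pk, next_pk)


class Signer:
    """Evolving signer state (hypothetical design for this example)."""

    def __init__(self):
        self.index = 0
        self.sk, self.pk = lamport_keygen()
        self.root = pk_digest(self.pk)  # long-term public key = digest of key 0

    def sign(self, msg: bytes) -> dict:
        next_sk, next_pk = lamport_keygen()  # fresh randomness drawn only now, at signing time
        nxt = pk_digest(next_pk)
        ots = lamport_sign(self.sk, body(self.index, msg, pk_digest(self.pk), nxt))
        sig = {"index": self.index, "msg": msg, "pk": self.pk, "next": nxt, "ots": ots}
        self.index += 1
        self.sk, self.pk = next_sk, next_pk
        return sig


def well_formed(sig) -> bool:
    d = body(sig["index"], sig["msg"], pk_digest(sig["pk"]), sig["next"])
    return lamport_verify(sig["pk"], d, sig["ots"])


def verify_chain(root: bytes, sigs) -> bool:
    """Ordinary verification: the whole chain must link back to the root key."""
    expected = root
    for i, s in enumerate(sorted(sigs, key=lambda s: s["index"])):
        if s["index"] != i or pk_digest(s["pk"]) != expected or not well_formed(s):
            return False
        expected = s["next"]
    return True


def div(s1, s2) -> bool:
    """Stateless fork detector: takes only two signatures, no keys and no state.
    True means the two cannot both come from a single honestly evolving signer."""
    if not (well_formed(s1) and well_formed(s2)):
        raise ValueError("Div expects two well-formed signatures")
    a, b = sorted((s1, s2), key=lambda s: s["index"])
    if a["index"] == b["index"]:
        return (a["msg"], a["next"], pk_digest(a["pk"])) != (b["msg"], b["next"], pk_digest(b["pk"]))
    if pk_digest(a["pk"]) == pk_digest(b["pk"]):
        return True  # a one-time key reused at two different indices
    if b["index"] == a["index"] + 1:
        return a["next"] != pk_digest(b["pk"])  # commitment chain must link adjacent signatures
    return False  # non-adjacent pair: no evidence obtainable from these two alone


def run_scenario() -> dict:
    """Constructed scenario: full exposure of the signer's secrets after the first signature."""
    signer = Signer()
    s0 = signer.sign(b"transfer 10")
    exposed = copy.deepcopy(signer)       # adversary silently learns *all* current secrets
    s1 = signer.sign(b"transfer 20")      # legitimate signer continues, unaware
    f1 = exposed.sign(b"transfer 2000")   # forgery at the same index as s1
    f2 = exposed.sign(b"transfer 3000")   # forgery one step along the forger's own chain
    return {
        "honest_chain_verifies": verify_chain(signer.root, [s0, s1]),
        "forged_chain_verifies": verify_chain(signer.root, [s0, f1]),  # forgery alone is undetectable
        "div_honest_pair": div(s0, s1),
        "div_prefix_vs_forgery": div(s0, f1),  # still no evidence: the clone knew key 1
        "div_same_index_fork": div(s1, f1),    # tampering evident
        "div_adjacent_fork": div(s1, f2),      # tampering evident
        "mixed_chain_verifies": verify_chain(signer.root, [s0, s1, f2]),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The point the scenario makes is the one in the abstract: after total exposure, `s1` and `f1` are each individually valid and neither can be identified as the forgery, yet `div(s1, f1)` is True from the two signatures alone. The toy also shows what a naive design pays for this: a verifier here needs the whole chain to link a signature to the root key, whereas the paper's schemes work over any ordinary signature scheme and prove tight bounds on what any such Div can detect.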