Cryptography Reference
In-Depth Information
6.6.5 Fail-Stop Signatures
The idea behind this type of signature is related to probabilistic cryptography
(Section 5.8), where encryption is ambiguous, while decryption is unambigu-
ous. With fail-stop signatures, decryption is ambiguous, while encryption is
unambiguous. More specifically, many private keys should exist for each pub-
lic key. In the first case, nobody can blame Alice for having created a certain
session key. In the second case, Alice can prove that her signature was forged.
The reason is that, even if Mallory cracked the asymmetric method and recon-
structed
one
private key, the probability that he has not found the one Alice used
(these keys are actually equally probable; there is no cryptological assumption
behind it) is extremely high (e.g., 2
100
:1).
This means that Mallory's signature will virtually always be different from
Alice's. Alice can demonstrate in court that she created a different signature,
using officially certified documents signed by her earlier as evidence.
The first fail-stop signatures were introduced by Birgit Pfitzmann and Michael
Waidner in 1990. In her topic [PfitzFSS], the author explains also how the
name came about: in the event of a cracked public key ('fail'), Alice can prove
the fraud and revoke ('stop') all her signatures, for which that key was used.
Fail-stop signatures are based on cryptological assumptions, similar to regular
digital signatures, such as: the factoring of extremely large numbers is hard,
one-way hash functions are cryptologically not reversible, and so on. Fail-stop
signatures are not more 'durable' than regular ones. But they remove the largest
part of uncertainty: has somebody forged signatures or not? If Mallory decides
to apply his secret super crack algorithm after all, then at least he'll most likely
get caught.
In case of damage, Alice has to first notice the fraud, of course (this is the
biggest problem in my opinion). She'd revoke all her current signatures, which
even increases the damage. She'd then reduce the damage again by checking
every single one of her old signatures that are still important (and accessi-
ble at all), and replacing them by a new one that's more secure. Not bloody
likely! What's more, Mallory's forgery may by then have caused damage
beyond repair.
There might be a way to avoid this crazy repair effort after all, since digital
signatures are actually as secure as we hope them to be. Fail-stop signatures will
at least offer more certainty. This new technology may help solve the 'durability
problem' satisfactorily. For the time being, this protocol is rather costly. There
are no usable implementations, but let's hope there will be in the near future.
