Cryptography Reference
In-Depth Information
Forward-secure signatures
The private key of the signer is updated at regular
time intervals, with the security property that if the key is compromised,
an adversary can forge only signatures dated within the time period per-
taining to the compromised key. Only one public key is required to validate
signatures from all private keys, thus mitigating the inconvenience of
key exposure.
47
Variants include
group
,
threshold
,
and proxy forward-secure
signatures
.
Undeniable signatures
The signature can be verified only with the coopera-
tion of the signer.
48
Variants include
convertible undeniable signatures
, an
undeniable signature with the additional property that the signer can
eventually release a secret that can convert all his undeniable signatures
into ordinary signatures; and
designated confirmer signatures
, whereby a
third party designated by the confirmer can cooperate in (and only in) the
verification step, should the signer be unable to do so.
49
Designated verifier signatures
Bob can convince himself that a message
indeed originates from Alice, but cannot transfer that conviction to a third
party; that is, the scheme does not provide for non-repudiation.
50
Fail
-
stop signatures
Such schemes provide an additional layer of security.
In conventional schemes, if the underlying computational assumption of
the scheme is broken, the adversary can produce forged signatures at will.
In fail-stop signatures, the supposed signer can nevertheless prove that the
signatures are forgeries.
51
These signature schemes represent fascinating new configurations of
responsibility, liability, trust, and power within the signing process. In
most cases, there are no obvious “real-world” equivalents to these math-
ematical constructs, and in most cases, it is difficult to imagine the specific
context in which they might be applied. Nevertheless, it is standard prac-
tice for cryptographic papers to justify such schemes with a “motivation”
narrative, a “real-world” scenario that aims to suggest a plausible practical
application of the signature scheme. These justificatory narratives form
a unique genre in the mathematical literature, worth quoting at length.
The
Handbook
for example describes a potential application of
convertible
undeniable signatures
:
As an application of this type of signature, consider the following scenario: Entity
A
signs all documents during her lifetime with convertible undeniable signatures.
The secret piece of information needed to convert these signatures to self-authenti-
