Jump to content

Server-based signatures: Difference between revisions

Add links
From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
No edit summary
m top: task, replaced: Advances in Cryptology — → Advances in Cryptology – (2)
 
(49 intermediate revisions by 22 users not shown)
Line 1: Line 1:
In [[cryptography]], '''server-based signatures '''are [[digital signature]]s in which a publicly available server participates in the signature creation process. This is in contrast to conventional digital signatures that are based on [[public-key cryptography]] and [[public-key infrastructure]]. With that, they assume that signers use their personal [[trusted computing base]]s for generating signatures without any communication with servers.
{{AFC submission|d|essay|declinets=20130131082617|decliner=Bonkers The Clown|ts=20130130173849|u=Iryanb|ns=5}}
== Server-based Signatures ==


Four different classes of server based signatures have been proposed:


1. '''Lamport One-Time Signatures.''' Proposed in 1979 by [[Leslie Lamport]].<ref>Lamport, L.: Constructing digital signatures from a one way function. Comp. Sci. Laboratory. SRI International (1979) http://research.microsoft.com/en-us/um/people/lamport/pubs/dig-sig.pdf</ref> [[Lamport signature|Lamport one-time signatures]] are based on [[cryptographic hash functions]]. For signing a message, the signer just sends a list of hash values (outputs of a hash function) to a publishing server and therefore the signature process is very fast, though the size of the signature is many times larger, compared to ordinary public-key signature schemes.
Server-based signatures are [[electronic signature|electronic signature]] solutions in which a publicly available server participates in the signature creation process.
The conventional solutions based on [[public-key cryptography|public-key cryptography]] and [[public-key infrastructure|public-key infrastructure]] assume that signers use their personal
[[trusted computing base|trusted computing bases]] for signing documents and signatures can be created off-line without any communication with servers. There are several motives why server-based signatures are preferable compared to off-line solutions, such as:


2. '''On-line/off-line Digital Signatures.''' First proposed in 1989 by [[Shimon Even|Even]], [[Oded Goldreich|Goldreich]] and [[Silvio Micali|Micali]]<ref>{{Cite journal | last1 = Even | first1 = S. | last2 = Goldreich | first2 = O. | last3 = Micali | first3 = S. | title = On-line/off-line digital signatures | doi = 10.1007/BF02254791 | journal = Journal of Cryptology | volume = 9 | pages = 35–67 | year = 1996 | s2cid = 9503598 }}</ref><ref>{{Cite book | last1 = Even | first1 = S. | last2 = Goldreich | first2 = O. | last3 = Micali | first3 = S. | doi = 10.1007/0-387-34805-0_24 | chapter = On-Line/Off-Line Digital Signatures | title = Advances in Cryptology – CRYPTO' 89 Proceedings | series = Lecture Notes in Computer Science | volume = 435 | pages = 263 | year = 1990 | isbn = 978-0-387-97317-3 }}</ref><ref>US Patent #5,016,274. Micali et al. On-line/off-line digital signing. May, 1991.</ref> in order to speed up the signature creation procedure, which is usually much more time-consuming than verification. In case of [[RSA cryptosystem|RSA]], it may be one thousand times slower than verification. On-line/off-line digital signatures are created in two phases. The first phase is performed [[online and offline|off-line]], possibly even before the message to be signed is known. The second (message-dependent) phase is performed on-line and involves communication with a server. In the first (off-line) phase, the signer uses a conventional public-key digital signature scheme to sign a public key of the Lamport one-time signature scheme. In the second phase, a message is signed by using the Lamport signature scheme. Some later works
* to reduce the computational cost of creating [[digital signature|digital signatures]] of ordinary users;
<ref>{{Cite book | last1 = Shamir | first1 = A. | last2 = Tauman | first2 = Y. | chapter = Improved Online/Offline Signature Schemes | doi = 10.1007/3-540-44647-8_21 | title = Advances in Cryptology — CRYPTO 2001 | series = Lecture Notes in Computer Science | volume = 2139 | pages = 355 | year = 2001 | isbn = 978-3-540-42456-7 }}</ref><ref>{{Cite book | last1 = Yu | first1 = P. | last2 = Tate | first2 = S. R. | doi = 10.1109/AINAW.2007.89 | chapter = An Online/Offline Signature Scheme Based on the Strong RSA Assumption | title = 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07) | pages = 601 | year = 2007 | isbn = 978-0-7695-2847-2 | s2cid = 12773954 }}</ref><ref>{{Cite book | last1 = Yu | first1 = P. | last2 = Tate | first2 = S. R. | chapter = Online/Offline Signature Schemes for Devices with Limited Computing Capabilities | doi = 10.1007/978-3-540-79263-5_19 | title = Topics in Cryptology – CT-RSA 2008 | series = Lecture Notes in Computer Science | volume = 4964 | pages = 301 | year = 2008 | isbn = 978-3-540-79262-8 }}</ref><ref>{{Cite book | last1 = Catalano | first1 = D. | last2 = Raimondo | first2 = M. | last3 = Fiore | first3 = D. | last4 = Gennaro | first4 = R. | chapter = Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results | doi = 10.1007/978-3-540-78440-1_7 | title = Public Key Cryptography – PKC 2008 | series = Lecture Notes in Computer Science | volume = 4939 | pages = 101 | year = 2008 | isbn = 978-3-540-78439-5 }}</ref><ref>{{Cite journal | last1 = Girault | first1 = M. | last2 = Poupard | first2 = G. | last3 = Stern | first3 = J. | doi = 10.1007/s00145-006-0224-0 | title = On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order | journal = Journal of Cryptology | volume = 19 | issue = 4 | pages = 463 | year = 2006 | s2cid = 7157130 | doi-access = free }}</ref><ref>{{Cite book | last1 = Girault | first1 = M. | chapter = Self-certified public keys | doi = 10.1007/3-540-46416-6_42 | title = Advances in Cryptology – EUROCRYPT '91 | series = Lecture Notes in Computer Science | volume = 547 | pages = 490–497 | year = 1991 | isbn = 978-3-540-54620-7 }}</ref><ref>{{Cite book | last1 = Joye | first1 = M. | chapter = An Efficient On-Line/Off-Line Signature Scheme without Random Oracles | doi = 10.1007/978-3-540-89641-8_7 | title = Cryptology and Network Security | series = Lecture Notes in Computer Science | volume = 5339 | pages = 98–10 | year = 2008 | isbn = 978-3-540-89640-1 }}</ref> have improved the efficiency of the original solution by Even et al.


3. '''Server-Supported Signatures (SSS).''' Proposed in 1996 by [[N. Asokan|Asokan]], [[Gene Tsudik|Tsudik]] and [[Michael Waidner|Waidner]]<ref>{{Cite book | last1 = Asokan | first1 = N. | last2 = Tsudik | first2 = G. | last3 = Waidner | first3 = M. | doi = 10.1007/3-540-61770-1_32 | chapter = Server-Supported Signatures | title = Computer Security — ESORICS 96 | series = Lecture Notes in Computer Science | volume = 1146 | pages = 131 | year = 1996 | isbn = 978-3-540-61770-9 | citeseerx = 10.1.1.44.8412 }}</ref><ref>Asokan, N., Tsudik, G., Waidner, M.: Server-supported signatures. J. Computer Security (1996) 5: 131--143.</ref> in order to delegate the use of time-consuming operations of [[asymmetric cryptography]] from clients (ordinary users) to a server. For ordinary users, the use of asymmetric cryptography is limited to signature verification, i.e. there is no pre-computation phase like in the case of on-line/off-line signatures. The main motivation was the use of low-performance mobile devices for creating digital signatures, considering that such devices could be too slow for creating ordinary public-key digital signatures, such as [[RSA Cryptosystem|RSA]]. Clients use [[hash chain]] based [[authentication]]<ref>{{Cite journal | last1 = Lamport | first1 = L. | title = Password authentication with insecure communication | doi = 10.1145/358790.358797 | journal = Communications of the ACM | volume = 24 | issue = 11 | pages = 770–772 | year = 1981 | citeseerx = 10.1.1.64.3756 | s2cid = 12399441 }}</ref> to send their messages to a signature server in an [[authentication|authenticated]] way and the server then creates a digital signature by using an ordinary public-key [[digital signature]] scheme. In SSS, signature servers are not assumed to be [[Trusted third party|Trusted Third Parties]] (TTPs) because the transcript of the hash chain authentication phase can be used for [[Non-repudiation|non repudiation]] purposes. In SSS, servers cannot create signatures in the name of their clients.
* to reduce possible misuses of [[cryptographic key|cryptographic keys]] by ordinary users;


4. '''Delegate Servers (DS).''' Proposed in 2002 by Perrin, Bruns, Moreh and Olkin<ref>Perrin, T., Bruns, L., Moreh, J., Olkin, T.: Delegated cryptography, online trusted parties, and [[Public-key infrastructure|PKI]]. In 1st Annual PKI Research Workshop---Proceedings, pp. 97--116 (2002) http://www.cs.dartmouth.edu/~pki02/Perrin/paper.pdf</ref> in order to reduce the problems and costs related to individual [[private key]]s. In their solution, clients (ordinary users) delegate their private cryptographic operations to a Delegation Server (DS). Users authenticate to DS and request to sign messages on their behalf by using the server's own private key. The main motivation behind DS was that private keys are difficult for ordinary users to use and easy for attackers to abuse. Private keys are not memorable like [[password]]s or derivable from persons like [[biometrics]], and cannot be entered from [[Keyboard (computing)|keyboards]] like passwords. Private keys are mostly stored as [[Computer file|file]]s in [[computer]]s or on [[smart-card]]s, that may be stolen by attackers and abuse off-line. In 2003, Buldas and Saarepera<ref>Buldas, A., Saarepera, M.: Electronic signature system with small number of private keys. In 2nd Annual PKI Research Workshop---Proceedings, pp. 96--108 (2003) {{cite web |url=http://middleware.internet2.edu/pki03/presentations/08.pdf |title=Archived copy |access-date=2013-01-30 |url-status=dead |archive-url=https://web.archive.org/web/20100610050028/http://middleware.internet2.edu/pki03/presentations/08.pdf |archive-date=2010-06-10 }}</ref> proposed a two-level architecture of delegation servers that addresses the trust issue by replacing trust with threshold trust via the use of [[threshold cryptosystem]]s.
* to have better control over the number of [[forgery|forged]] signatures in case of malicious abuses of signature keys.


== References ==

Therefore, many different forms of server-based signatures exist:


1. Lamport One-Time Signatures. Proposed in in 1979 by Leslie Lamport
<ref>Lamport, L.: Constructing digital signatures from a one way function. Comp. Sci. Laboratory. SRI International (1979) http://research.microsoft.com/en-us/um/people/lamport/pubs/dig-sig.pdf</ref>.
[[Lamport signature|Lamport one-time signatures]] are based on [[cryptographic hash functions|cryptographic hash functions]]. For signing a message, the signer just sends a list of hash values (outputs of a hash function) to a publishing server and therefore the signature process is very fast, though the size of the signature is many times larger compared to ordinary [[digital signature|public-key signature schemes]].


2. On-line/off-line Digital Signatures. First proposed in 1989 by Even, Goldreich and Micali <ref> {{Cite doi|10.1007/BF02254791}}</ref> <ref>{{Cite doi|10.1007/0-387-34805-0_24}} </ref> in order to speed up the signature creation procedure, which is usually much more time consuming than verification. In case of RSA it may be one thousand times slower than verification. On-line/off-line digital signatures are created in two phases. The first phase is performed off-line, possibly even before the message to be signed is known. The second (message-dependent) phase is performed on-line and involves communication with a server. In the first (off-line) phase, the signer uses a conventional public-key digital signature scheme to sign a public key of the Lamport one-time signature scheme. In the second phase, a message is signed by using the [[Lamport signature|Lamport signature]] scheme. Some later works
<ref>{{Cite doi|10.1007/3-540-44647-8_21}}</ref>
<ref>{{Cite doi|10.1109/AINAW.2007.89}}</ref>
<ref>{{Cite doi|10.1007/978-3-540-79263-5_19}}</ref>
<ref> {{Cite doi|10.1007/978-3-540-78440-1_7}}</ref>
<ref>{{Cite doi|10.1007/s00145-006-0224-0}}</ref>
<ref>{{Cite doi|10.1007/3-540-46416-6_42}}</ref>
<ref>{{Cite doi|10.1007/978-3-540-89641-8_7}}</ref>
have improved the efficiency of the original solution by Even et al.

3. Server-Supported Signatures (SSS). Proposed in 1996 by Asokan, Tsudik and Waidner <ref> {{Cite doi|10.1007/3-540-61770-1_32}}</ref>
<ref>Asokan, N., Tsudik, G., Waidner, M.: Server-supported signatures. J. Computer Security (1996) 5: 131--143.</ref>
in order to delegate the use of time-consuming operations of [[asymmetric cryptography|asymmetric cryptography]] from clients (ordinary users) to a server. For ordinary users the use of asymmetric cryptography is limited to signature verification, i.e. there is no pre-computation phase like in the case of on-line/off-line signatures. The main motivation was the use of mobile phones for creating digital signatures, considering that mobile phones are too slow for creating ordinary public-key digital signatures, such as [[RSA Cryptosystem|RSA]]. Clients use [[hash chain|hash chain]] based [[authentication|authentication]] <ref> {{Cite doi|10.1145/358790.358797}}</ref> to send their messages to a signature server in an [[authentication|authenticated]] way and the server then creates a digital signature by using an ordinary public-key [[digital signature|digital signature]] scheme. In SSS, signature servers are not assumed to be [[Trusted third party|Trusted Third PartyTrusted Third Parties]] (TTPs) because the transcript of the hash chain authentication phase can be used for [[Non-repudiation|non repudiation]] purposes. In SSS, servers cannot create signatures in the name of their clients.


4. Delegate Servers (DS). Proposed in 2002 by Perrin, Burns, Moreh and Olkin
<ref>Perrin, T., Burns, L., Moreh, J., Olkin, T.: Delegated cryptography, online trusted parties, and [[Public-key infrastructure|PKI]]. In 1st Annual PKI Research Workshop---Proceedings, pp. 97--116 (2002) http://www.cs.dartmouth.edu/~pki02/Perrin/paper.pdf</ref> in order to reduce the problems and costs related to individual [[private key|private keys]]. In their solution, clients (ordinary users) delegate their private cryptographic operations to a Delegation Server (DS). Users authenticate to DS and request to sign messages on their behalf by using the server's own private key. The main motivation behind DS was that private keys are difficult for ordinary users to use and easy for attackers to abuse. Private keys are not memorable like [[password|passwords]] or derivable from persons like [[biometrics|biometrics]], and cannot be entered from [[keyboard|keyboards]] like passwords. Private keys are mostly stored as [[file|files]] in [[computer|computers]] or on [[smart-card|smart-cards]], that may be stolen by attackers and abuse off-line. In 2003 Buldas and Saarepera
<ref>Buldas, A., Saarepera, M.: Electronic signature system with small number of private keys. In 2nd Annual PKI Research Workshop---Proceedings, pp. 96--108 (2003) http://middleware.internet2.edu/pki03/presentations/08.pdf</ref>
proposed a two-level architecture of delegation servers that addresses the trust issue by replacing trust with threshold trust via the use of [[threshold cryptosystem|threshold cryptosystems]].

= References =
{{Reflist}}
{{Reflist}}


[[Category:Cryptography]]


= Patents =
* [US5016274] US Patent #5,016,274. Micali et al. On-line/off-line digital signing. May, 1991.
<references />

Latest revision as of 04:24, 5 July 2023

In cryptography, server-based signatures are digital signatures in which a publicly available server participates in the signature creation process. This is in contrast to conventional digital signatures that are based on public-key cryptography and public-key infrastructure. With that, they assume that signers use their personal trusted computing bases for generating signatures without any communication with servers.

Four different classes of server based signatures have been proposed:

1. Lamport One-Time Signatures. Proposed in 1979 by Leslie Lamport.[1] Lamport one-time signatures are based on cryptographic hash functions. For signing a message, the signer just sends a list of hash values (outputs of a hash function) to a publishing server and therefore the signature process is very fast, though the size of the signature is many times larger, compared to ordinary public-key signature schemes.

2. On-line/off-line Digital Signatures. First proposed in 1989 by Even, Goldreich and Micali[2][3][4] in order to speed up the signature creation procedure, which is usually much more time-consuming than verification. In case of RSA, it may be one thousand times slower than verification. On-line/off-line digital signatures are created in two phases. The first phase is performed off-line, possibly even before the message to be signed is known. The second (message-dependent) phase is performed on-line and involves communication with a server. In the first (off-line) phase, the signer uses a conventional public-key digital signature scheme to sign a public key of the Lamport one-time signature scheme. In the second phase, a message is signed by using the Lamport signature scheme. Some later works [5][6][7][8][9][10][11] have improved the efficiency of the original solution by Even et al.

3. Server-Supported Signatures (SSS). Proposed in 1996 by Asokan, Tsudik and Waidner[12][13] in order to delegate the use of time-consuming operations of asymmetric cryptography from clients (ordinary users) to a server. For ordinary users, the use of asymmetric cryptography is limited to signature verification, i.e. there is no pre-computation phase like in the case of on-line/off-line signatures. The main motivation was the use of low-performance mobile devices for creating digital signatures, considering that such devices could be too slow for creating ordinary public-key digital signatures, such as RSA. Clients use hash chain based authentication[14] to send their messages to a signature server in an authenticated way and the server then creates a digital signature by using an ordinary public-key digital signature scheme. In SSS, signature servers are not assumed to be Trusted Third Parties (TTPs) because the transcript of the hash chain authentication phase can be used for non repudiation purposes. In SSS, servers cannot create signatures in the name of their clients.

4. Delegate Servers (DS). Proposed in 2002 by Perrin, Bruns, Moreh and Olkin[15] in order to reduce the problems and costs related to individual private keys. In their solution, clients (ordinary users) delegate their private cryptographic operations to a Delegation Server (DS). Users authenticate to DS and request to sign messages on their behalf by using the server's own private key. The main motivation behind DS was that private keys are difficult for ordinary users to use and easy for attackers to abuse. Private keys are not memorable like passwords or derivable from persons like biometrics, and cannot be entered from keyboards like passwords. Private keys are mostly stored as files in computers or on smart-cards, that may be stolen by attackers and abuse off-line. In 2003, Buldas and Saarepera[16] proposed a two-level architecture of delegation servers that addresses the trust issue by replacing trust with threshold trust via the use of threshold cryptosystems.

References

[edit]
  1. ^ Lamport, L.: Constructing digital signatures from a one way function. Comp. Sci. Laboratory. SRI International (1979) http://research.microsoft.com/en-us/um/people/lamport/pubs/dig-sig.pdf
  2. ^ Even, S.; Goldreich, O.; Micali, S. (1996). "On-line/off-line digital signatures". Journal of Cryptology. 9: 35–67. doi:10.1007/BF02254791. S2CID 9503598.
  3. ^ Even, S.; Goldreich, O.; Micali, S. (1990). "On-Line/Off-Line Digital Signatures". Advances in Cryptology – CRYPTO' 89 Proceedings. Lecture Notes in Computer Science. Vol. 435. p. 263. doi:10.1007/0-387-34805-0_24. ISBN 978-0-387-97317-3.
  4. ^ US Patent #5,016,274. Micali et al. On-line/off-line digital signing. May, 1991.
  5. ^ Shamir, A.; Tauman, Y. (2001). "Improved Online/Offline Signature Schemes". Advances in Cryptology — CRYPTO 2001. Lecture Notes in Computer Science. Vol. 2139. p. 355. doi:10.1007/3-540-44647-8_21. ISBN 978-3-540-42456-7.
  6. ^ Yu, P.; Tate, S. R. (2007). "An Online/Offline Signature Scheme Based on the Strong RSA Assumption". 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07). p. 601. doi:10.1109/AINAW.2007.89. ISBN 978-0-7695-2847-2. S2CID 12773954.
  7. ^ Yu, P.; Tate, S. R. (2008). "Online/Offline Signature Schemes for Devices with Limited Computing Capabilities". Topics in Cryptology – CT-RSA 2008. Lecture Notes in Computer Science. Vol. 4964. p. 301. doi:10.1007/978-3-540-79263-5_19. ISBN 978-3-540-79262-8.
  8. ^ Catalano, D.; Raimondo, M.; Fiore, D.; Gennaro, R. (2008). "Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results". Public Key Cryptography – PKC 2008. Lecture Notes in Computer Science. Vol. 4939. p. 101. doi:10.1007/978-3-540-78440-1_7. ISBN 978-3-540-78439-5.
  9. ^ Girault, M.; Poupard, G.; Stern, J. (2006). "On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order". Journal of Cryptology. 19 (4): 463. doi:10.1007/s00145-006-0224-0. S2CID 7157130.
  10. ^ Girault, M. (1991). "Self-certified public keys". Advances in Cryptology – EUROCRYPT '91. Lecture Notes in Computer Science. Vol. 547. pp. 490–497. doi:10.1007/3-540-46416-6_42. ISBN 978-3-540-54620-7.
  11. ^ Joye, M. (2008). "An Efficient On-Line/Off-Line Signature Scheme without Random Oracles". Cryptology and Network Security. Lecture Notes in Computer Science. Vol. 5339. pp. 98–10. doi:10.1007/978-3-540-89641-8_7. ISBN 978-3-540-89640-1.
  12. ^ Asokan, N.; Tsudik, G.; Waidner, M. (1996). "Server-Supported Signatures". Computer Security — ESORICS 96. Lecture Notes in Computer Science. Vol. 1146. p. 131. CiteSeerX 10.1.1.44.8412. doi:10.1007/3-540-61770-1_32. ISBN 978-3-540-61770-9.
  13. ^ Asokan, N., Tsudik, G., Waidner, M.: Server-supported signatures. J. Computer Security (1996) 5: 131--143.
  14. ^ Lamport, L. (1981). "Password authentication with insecure communication". Communications of the ACM. 24 (11): 770–772. CiteSeerX 10.1.1.64.3756. doi:10.1145/358790.358797. S2CID 12399441.
  15. ^ Perrin, T., Bruns, L., Moreh, J., Olkin, T.: Delegated cryptography, online trusted parties, and PKI. In 1st Annual PKI Research Workshop---Proceedings, pp. 97--116 (2002) http://www.cs.dartmouth.edu/~pki02/Perrin/paper.pdf
  16. ^ Buldas, A., Saarepera, M.: Electronic signature system with small number of private keys. In 2nd Annual PKI Research Workshop---Proceedings, pp. 96--108 (2003) "Archived copy" (PDF). Archived from the original (PDF) on 2010-06-10. Retrieved 2013-01-30.{{cite web}}: CS1 maint: archived copy as title (link)
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Server-based_signatures&oldid=1163482020"