Keywords

1 Introduction

The identity based signatures, so called IBS, are digital signatures where an identifier, such as e-mail address etc., is used as a public key. In the IBS system, a private key generator (PKG) publishes a public parameter and issues a secret signing key to an identified user using its master secret key. Because the IBS system utilizes publicly known information such as an identifier as its verification key, it allows any party to verify signatures without the explicit authenticated procedure of the verification key. On the other hand, the forward secure signature is a way to mitigate the damage caused by key exposure. A forward secure signature scheme divides the lifetime into several time periods, and uses a different key at each time period. With this idea, even if a signature key is exposed at a specific point of time, all signatures which are generated before the exposure time can be kept valid. In order to have advantages of both the IBS system and the forward secure signature system, several researches [6, 12, 17,18,19,20] have been conducted to add forward security to the signing key issued by a private key generator (PKG). However, forward secrecy in such forward secure ID based signature schemes is limited and incomplete because only the user private keys evolve each time period; Once the master secret key is compromised, all signatures made by any user under this system cannot be considered valid even if the signing keys evolve properly. Mainly, these attacks can be done by the powers, buying off the system managers. In order to minimize the risk from the leakage of the master secret key, the PKG master key as well as the user’s signing key also needs to satisfy forward security. This paper simply notates FSIBS with forward-secure PKG as FSIBS hereafter.

The notion of FSIBS was considered first in [15] and the scheme was based on an elliptic curve pairing function. The proposed scheme in [15] satisfies the forward security of both the master secret key and the users’ signing keys. That is, even if a master secret key of time period t is exposed, all signatures generated before t are not invalidated. Although the scheme in [15] efficiently generates a signature, its application is limited due to the non-constant size signing keys. Considering the forward secrecy is widely applied including the IoT environment [9], providing more options for FSIBS is desirable. Given the only pairing-based scheme, it may be difficult to cover the resource-constrained IoT devices due to its complex pairing operation.

In this paper, we propose a new forward secure identity based signature scheme (FSIBS) in the RSA setting. Our scheme is constructed by extending the forward secure RSA based signature scheme in [1] into an identity-based scheme. The proposed scheme also allows the master key update for the forward secrecy of the master key. To update the keys, the scheme does not require any interaction between the user and the PKG, once an initial signing key is delivered. The proposed scheme is secure under the factoring assumption in the random oracle model.

Table 1. Comparison of our scheme and [15]
Full size table

Table 1 summarizes the comparison between the proposed scheme and [15]. In Table 1, T is the maximum number of periods, l is the bit length of the hash output, k is the bit length in RSA, a is multiplication time in bilinear group, p is pairing time, and e is exponentiation time in bilinear group. As shown in Table 1, in the proposed scheme, the sizes of all keys such as a master secret key, a user signing key and a verification key, and a signature are constant while they are not in [15]. The costs of KeyIssue, Update, and Sign algorithms in the optimized proposal are independent of the maximum number of period T. According to our experiment, overall, our (optimized) scheme is faster than [15], except in the Verify algorithm. In particular, for \(T=2^{15}\), generating a signature requests only 3 ms with 2048-bit k of RSA, while the scheme in [15] requires 75 ms with the 224-bit ECC key.

This paper is organized as follows. We begin by discussing the related works in Sect. 2. In Sect. 3, we define the notion of forward-secure ID based signature scheme with forward-secure key generation, the background assumption that our scheme is based on, and the formal security model. We construct our signature scheme in Sect. 4. After that, we describe the security proof in Sect. 5. In Sect. 6, we extend our proposed scheme to improve the signing performance. Moreover, experimental results are shown in Sect. 7. Finally, we conclude in Sect. 8.

2 Related Work

The concept of forward security was first proposed by Anderson [2], and Bellare and Miner [3] made the formal definition of forward secure digital signatures (FSS). [3] proposed two forward secure signature constructions. One of them is a generic construction which can be derived by any signature scheme, of which complexity is at least \(O(\log T)\)-factor times of the original scheme, where T is the number of total time periods. The other is a variation on the Fiat-Shamir signature scheme [7] for a forward secure version that has constant-size signatures and takes O(T)-time for signing and verification. Next, Abdalla and Reyzin proposed a FSS scheme with a short public key [1]. However, its key generation, signing and verification are slow. Itkis and Reyzin suggested a FSS scheme with efficient signing and verification based on Guillous-Quisquater signatures [8], however, it costs more update time. On the other hands, Kozlov and Reyzin suggested a FSS scheme with fast update, but its signing and verification takes longer. So far, time complexity of some algorithm components for any suggested FSS constructions is depends on the total number of period T.

Krawczyk proposed a generic FSS construction with a constant-size private key, but with O(T)-size storage (possibly non-private) [11]. An efficient generic construction with unlimited time periods [13] is suggested by Malkin, Micciancio, and Miner using Merkletrees [14].

Boyen et al. [4] proposed the concept of forward secure signatures with untrusted updates for additional protection of the private key. Its private key is encrypted by the second factor (i.e., user password), and the key update proceeds with encryption. They construct an efficient scheme with constant-size signatures and provide the security reduction based on the Bilinear Diffie-Hellman Inversion assumption (BDHI) without random oracles.

Liu et al. proposed the forward-secure ID-based signature scheme without providing specific security definition and proof [12]. Yu et al. [18] formalized the security definition and proposed a scheme with a formal security proof. Meanwhile, Ebri et al. [6] proposed an efficient generic construction of forward-secure ID-based signature. When it is instantiated with Schnorr signatures [16], their construction provides an efficient scheme in the random oracle model. Yu et al. [19] made an extension of forward-secure ID-based signature with untrusted updates. Zhang et al. [20] proposed the two forms of lattice-based constructions under lattice assumption, in the random oracle model and in the standard model. Presently, Wei et al. [17] proposed an efficient revocation forward-secure ID-based signature to provide forward security and backward security upon key exposure. However, user key update requires interaction with PKG for each period to support revocation. The update algorithm run by the PKG generates an updated private key for each unrevoked user at each period. However, the master secret key of PKG is not updated.

All of the above [6, 12, 17,18,19,20] consider only the security of the user’s private keys. Oh et al. [15] proposed first and only FSIBS system with forward secure PKG in a bilinear group setting. The scheme is constructed as a three-dimensional hierarchical ID based signature scheme; the first dimension is related with periods, the second dimension with identifiers, and the third dimension with messages. The hierarchical ID based signatures are taken in a double manner; first for issuing users’ signing keys, and second for signing. To implement [15], no extra interaction between PKG and users is required, if the signing key is issued properly.

3 Preliminaries

We define the model for a FSIBS scheme with forward secure private key generator as in [15] in this section. And we define the security model of our scheme and describe its underlying assumption.

3.1 FSIBS Scheme

A FSIBS scheme with forward secure private key generator consists of six algorithms \(\varSigma _{FSIBS}\) = (PKGKeyGen, MSKUpdate, KeyIssue, UKUpdate, Sign, Verify) as following:

  • PKGKeyGen(kT): This algorithm takes security parameter k and the maximum number of time periods T, and outputs the public verification key VK and the PKG master key \(MSK_t\). The PGK master key \(MSK_t\) includes the current time period t which is initialized to 1.

  • MSKUpdate(\(MSK_t\)): This algorithm takes the PKG master key at current time period t as an input, and outputs a new PKG master key \(MSK_{t+1}\). Once a new PKG master key is computed, the previous PKG master key is removed. If \(t+1 \ge T\), then the old key is removed and no new keys are created.

  • KeyIssue(\(MSK_t\), ID): This algorithm takes the PKG master key at current time period t and an identifier ID. It outputs a secret signing key \(SK_{t, ID}\) for the specific identifier ID. The signing key also includes the time period t.

  • UKUpdate(\(SK_{t, ID}\)): This algorithm takes in the signing key of an identifier ID at current time period t and outputs a new signing key \(SK_{t+1, ID}\). Once a new signing key is created, the previous signing key is removed. If \(t+1 \ge T\), then the old key is removed and no new keys are created.

  • Sign(\(SK_{t, ID}\), M): This algorithm takes in the signing key of an identifier ID at current time period t, and a message M. It outputs a signature \(\sigma \) for time period t.

  • Verify(ID, \(\sigma \), M, VK, t): This algorithm takes an identifier ID, a signature \(\sigma \), a message M, a verification key VK, and a time period t. It outputs either valid or invalid.

Definition 1

A FSIBS scheme is perfectly correct if

$$\begin{aligned} \begin{aligned} \Pr \left[ \begin{aligned}&{\mathsf {Verify}}(ID, \mathsf {Sign}(SK_{t, ID},M) ,M, VK, t) = 1 |\\&SK_{i, ID} \leftarrow \mathsf {KeyIssue}(MSK_i ,ID) \vee \mathsf {UKUpdate}(SK_{i-1, ID})\\&\wedge \,(MSK_1, VK) \leftarrow \mathsf {PKGKeyGen}(k, T) \\&\wedge \, MSK_j \leftarrow \mathsf {MSKUpdate}^j(MSK_1) \end{aligned} \right] =1 \end{aligned} \end{aligned}$$

3.2 Security Model

We use a game between an adversary \({\mathcal {A}}\) and a challenger \(\mathcal{{C}}\) to define the security. The game captures the notion of PKG master key forward security, users’ signing key forward security and the traditional unforgeability with security parameter k, maximum time period T, and negligible function \(\epsilon \). The game proceeds as following:

[Setup phase] The time period t is set to 1. Challenger \(\mathcal{{C}}\) generates verification key VK and master key \(MSK_1\) through \(\textsf {PKGKeyGen}\), and give VK to adversary \({\mathcal {A}}\).

[Interactive query phase] In this phase the adversary \({\mathcal {A}}\) is allowed to adaptively query the following oracles.

KeyIssue: The adversary \({\mathcal {A}}\) can choose a specific ID and ask the challenger \(\mathcal{{C}}\) for the signing key for ID of current time period t. The challenger \(\mathcal{{C}}\) returns the signing key \(SK_{t, ID}\) for ID of current time period t to adversary \({\mathcal {A}}\).

Update: The adversary \({\mathcal {A}}\) can request the challenger \(\mathcal{{C}}\) to execute the \(\textsf {MSKUpdate}\) algorithm and \(\textsf {UKUpdate}\) algorithm.

Sign: The adversary \({\mathcal {A}}\) can choose a random message M and a user identifier ID and ask the challenger to sign a message M for ID on the current time period t. Then, it receives a signature \(\sigma \) from the challenger.

Hash: The adversary \({\mathcal {A}}\) can make queries to the random oracle and get the corresponding random values.

[PKG corrupt phase] The adversary \({\mathcal {A}}\) requests the PKG master key of the current time period \(t'\) from the challenger \(\mathcal{{C}}\). The challenger \(\mathcal{{C}}\) returns the master key \(MSK_{t'}\). Note that the signing key of any identifier at the current time period and after can be generated using \(MSK_{t'}\).

[Final forgery phase] The adversary \({\mathcal {A}}\) produces a fake signature which consists of a time period, user’s ID, message and signature tuple (\(t^*\), \(ID^*\), \(M^*\), \(\sigma ^*\)). The adversary is successful if \(t^*<t'\), the signature is valid for time \(t^*\), and the adversary had not queried for a signature on \(M^*\) and \(ID^*\) at the time period \(t^*\).

We define the advantage of an algorithm \({\mathcal {A}}\) attacking scheme \(\varSigma \) by the probability that \({\mathcal {A}}\) is successful in the game, and denote the advantage by \(Adv_{{\mathcal {A}}, \varSigma }^\textsf {FSIBS}\). We say that a PKG forward secure scheme \(\varSigma \) is (\(\tau , q_{key}, q_{sign}, q_{hash}, \epsilon \))-secure if for all adversaries \({\mathcal {A}}\) running in time \(\tau \), making \(q_{key}\) key issue query, \(q_{sign}\) sign query and \(q_{hash}\) hash query, if:

$$\begin{aligned} \begin{aligned} Adv_{{\mathcal {A}},\varSigma }^{\textsf {FSIBS}} (k, T) \le \epsilon (k) \end{aligned}. \end{aligned}$$

3.3 Factoring Assumption

Let \({\mathcal {A}}\) be an adversary for the problem of factoring Blum integers; an integer \(n = pq\), where pq are distinct odd primes and \(p \equiv q \equiv 3\) (mod 4), is called a Blum integer. We define the following experiment.

figure a

Let \(Adv_{{\mathcal {A}}}^{FAC}(k)\) denote the probability that experiment Factoring\(_{\mathcal {A}}\)(k) returns 1. We say that the factoring assumption holds if for all PPT algorithm \({\mathcal {A}}\) with negligible function \(\epsilon \),

$$\begin{aligned} Adv_{{\mathcal {A}}}^{FAC}(k) \le \epsilon (k). \end{aligned}$$

3.4 Multiple Forking

Multiple forking (MF) is an extension of general forking to accommodate nested oracle replay attacks [5]. The modularity of the MF Lemma allows one to abstract out the probabilistic analysis of the rewinding process from the actual simulation in the security argument. The MF algorithm \(\mathcal {M}_{\mathcal {Y},n}(x)\) associated to \(\mathcal {Y}\) and n is defined in [5].

Lemma 1

Let \(\mathcal {G}\) be a randomized algorithm that takes no input and returns a string. Let \(\mathcal {Y}\) be a randomized algorithm that on input a string x and elements \(s_1,...,s_q \in \mathbb {S}\) returns a triple \((I,J,\sigma )\) consisting of two integers \(0 \le J < I \le q\) and a string \(\sigma \). Let

$$\begin{aligned} \begin{aligned} mfrk := Pr[&(b=1)\ |\ x {\mathop {\leftarrow }\limits ^{\$}}\mathcal {G}; (b,\{\sigma _0,...,\sigma _n\}){\mathop {\leftarrow }\limits ^{\$}}\mathcal {M}_{\mathcal {Y},n}(x)] \ and\\ acc := Pr[&(I\ge 1)\wedge (J\ge 1)]\ |\ x{\mathop {\leftarrow }\limits ^{\$}}\mathcal {G}; \{s_1,..., s_q\}{\mathop {\leftarrow }\limits ^{U}}\mathbb {S}; (I,J,\sigma ){\mathop {\leftarrow }\limits ^{\$}}\mathcal {Y}(x, s_1,...,s_q)]\\ \end{aligned} \end{aligned}$$

then

$$\begin{aligned} \begin{aligned} mfrk \ge acc \cdot \left( \frac{acc^n}{q^{2n}}-\frac{(n+1)(n+3)}{8|\mathbb {S}|}\right) , \end{aligned} \end{aligned}$$

where q is the sum of the upper bound on the queries to the random oracles involved and n is, loosely speaking, the number of forking.

4 The Proposed Scheme

In this section, we construct a forward-secure ID based digital signature scheme with forward-secure key generation, based on the factoring assumption. Our construction is based on a forward secure signature scheme in [1] and extends it into the identity based schemes. The proposed scheme can be considered as a recursive signature scheme; The first signature is generated with the master key to issue the user’s signing key and the second signature is performed with the signing key to sign messages. This doubly recursive design should be carefully handled so that the update of the master key is correctly and independently synchronized with the update of the user’s signing key. Finally, verifying the final signature must validate the authenticity of identifier, message, and the period. Given a maximum time period T, a security parameter k, and a maximum hash length l, The detailed construction of our FSIBS scheme is described in Algorithm 1.

figure b

For the following correctness description, we assume that the user signing key is generated as \(SK_{j,ID}=(N, T, Y, sk_{j, ID}=R \cdot (msk_j)^{h_1})\) for some time period j where \(j<T\). Then, notice that the user signing key at time period i for \(i>j\) evolves into \(SK_{i, ID}=(N, T, Y, sk_{i, ID}=(R \cdot (msk_j)^{H_1(Y \parallel ID)})^{2^{3l (i-j)}} \bmod N)\) by the UKUpdate algorithm.

Correctness: We show that our scheme is correct by computing the equation below:

$$\begin{aligned} \begin{aligned} \sigma _i^{2^{3l(T+1-i)}}&= (R' \cdot (sk_{i,ID})^{h_2})^{2^{3l(T+1-i)}} \\&= R'^{2^{3l(T+1-i)}}(R^{2^{3l(i-j)}}(msk_j^{2^{3l(i-j)}})^{h_1})^{h_22^{3l(T+1-i)}} \\&= R'^{2^{3l(T+1-i)}}(R^{2^{3l(T+1-j)}}(msk_j^{2^{3l(T+1-j)}})^{h_1})^{h_2} \\&= R'^{2^{3l(T+1-i)}}(R^{2^{3l(T+1-j)}}(S^{2^{3lj}})^{h_12^{3l(T+1-j)}})^{h_2} \\&= R'^{2^{3l(T+1-i)}}(R^{2^{3l(T+1-j)}})^{h_2}(S^{2^{3l(T+1)}})^{h_1h_2} \\&= Y'(Y)^{h_2}(1/U)^{h_1h_2} \\ \end{aligned} \end{aligned}$$

where \(h_1 = H_1(Y \parallel ID)\), \(h_2 = H_2(Y \parallel Y' \parallel i \parallel M)\).

5 Security Proof

Let k and l be two security parameters. Let p and q be primes and \(N = pq\) be a k-bit integer (Since \(p \equiv q \equiv 3 \pmod 4\), N is a Blum integer). Let Q denote the set of non-zero quadratic residues modulo N. Note that for \(x \in Q\), exactly one of its four square roots is also in Q.

Lemma 2

Given \(\alpha \ne 0, \lambda > 0, v \in Q\) and \(X \in \mathbb {Z}_N^*\) such that \(v^{\alpha } \equiv X^{2^{\lambda }} \pmod N\) and \(\alpha < 2^{\lambda }\), one can easily compute y such that \(v \equiv y^2 \pmod N\).

Proof

Let \(\alpha = 2^\gamma \beta \) where \(\beta \) is odd. Note that \(\lambda > \gamma \). Let \(\beta = 2\delta + 1\). Then \((v^{2\delta + 1})^{2^\gamma } \equiv v^\alpha \equiv X^{2^\lambda } \pmod N\), so \(v^{2\delta + 1} \equiv X^{2^{\lambda - \gamma }} \pmod N\). Note that it is allowed to take roots of degree \(2^\gamma \) since both sides are in Q. Let \(y = X^{2^{\lambda - \gamma - 1}}/v^\delta \bmod N\). Then \(y^2 \equiv X^{2^{\lambda - \gamma }} / v^{2\delta } \equiv v \pmod N\). Note that since \(\alpha < 2^\lambda , \lambda - \gamma - 1 \ge 0\).

Theorem 1

Let \({\mathcal {A}}\) be an adversary attacking \(\varSigma _{FSIBS}\) with running in time \(\tau \), making \(q_{key}\) number of key issue queries, \(q_{sign}\) number of sign queries and \(q_{hash}\) number of hash queries. If the advantage \(Adv_{{\mathcal {A}}, \varSigma }^{\textsf {FSIBS}}\) is \(\epsilon \), then there exists an algorithm \({\mathcal {B}}\) that succeeds in solving the factoring problem in expected time at most \(\tau '\) with probability at least \(\epsilon '\), where \(\tau ' = 4\tau + O(k^2lT + k^3)\) and \(\epsilon ' = \frac{\epsilon }{2T}\cdot \left( \frac{\epsilon ^3}{T^3\cdot q^6}-\frac{28}{2^{k+3}}\right) \) with \(q = q_{hash}+q_{sign}+q_{key}\).

Proof

Given \({\mathcal {A}}\), we show how to construct an algorithm \({\mathcal {B}}\) of solving the factoring problem with success probability \(\frac{\epsilon }{2T}\cdot \left( \frac{\epsilon ^3}{T^3\cdot q^6}-\frac{28}{2^{k+3}}\right) \) approximately in time \(4\tau + O(k^2lT + k^3)\). To factor its input N, \({\mathcal {B}}\) will select a random \(x \in \mathbb {Z}^*_N\), compute \(v \equiv x^2\) mod N, and attempt to use the adversary \({\mathcal {A}}\) to find a square root y of v. Because v has four square roots and x is random, with probability 1/2 we have that \(x \not \equiv \pm y \pmod N\) and, then \({\mathcal {B}}\) will be able to find a factor of N by computing the gcd of \(x - y\) and N. To do so, we utilize the forking lemma technique in the following. Before start of the game, \({\mathcal {B}}\) guesses the time period \(b'\), \(1 < b' \le T\) that \({\mathcal {A}}\) will make a forgery.

[Setup phase] \({\mathcal {B}}\) selects a random value \(x \in \mathbb {Z}^*_N\), compute \(v \equiv x^2 \bmod N\) and sets \(msk_{b'} = v\). Then, \({\mathcal {B}}\) sets \(U \equiv 1/msk_{b'}^{2^{3l(T+1-b')}} \bmod N\) and gives \(VK = (N, U, T)\) to \({\mathcal {A}}\). \({\mathcal {B}}\) maintains two hash tables to respond to the hash queries to \(H_1\) and \(H_2\).

[Interactive query phase] In this phase, \({\mathcal {A}}\) is allowed to query four types of oracles KeyIssue, Update, Sign, and Hash as follows.

KeyIssue query: The adversary \({\mathcal {A}}\) chooses a specific ID and a time period i, and sends them to \({\mathcal {B}}\). If \(i < b'\) then \({\mathcal {B}}\) selects a random \(Z \in Q\) and chooses random string \(h_1 \in \{0,1\}^l\). Y is computed as \(U^{h_1}Z^{2^{3l(T+1-i)}}\). If \(H_1(Y,ID)\) is defined in the \(H_1\) table then fails and aborts; otherwise, sets \(H_1(Y,ID)\) as \(h_1\) and adds the entry \((Y,ID,h_1)\) into the \(H_1\) table. Set \(SK_{i,ID} = Z\). After that, \({\mathcal {B}}\) returns the signing key \(SK_{i, ID} = (N,T,Y,sk_{i,ID})\) for ID of current time period i to adversary \({\mathcal {A}}\). Consider \(i \ge b'\). Since \({\mathcal {B}}\) has \(msk_{b'} = v\), it can obtain \(msk_i\) by executing \(\textsf {MSKUpdate}\) algorithm. \({\mathcal {B}}\) returns the singing key \(SK_{i, ID}\) simply by applying the \(\textsf {KeyIssue}\) algorithm. \({\mathcal {B}}\) maintains a \(\textsf {KeyIssue}\) table and updates the entry (\(SK_{i, ID}, i, ID\)) into the table.

Update query: The adversary \({\mathcal {A}}\) requests the challenger \(\mathcal{{C}}\) to execute the \(\textsf {MSKUpdate}\) algorithm and \(\textsf {UKUpdate}\) algorithm. If \(i \le b'\) then nothing is performed. Otherwise \(\textsf {MSKUpdate}\) and \(\textsf {UKUpdate}\) is called.

Sign query: \({\mathcal {A}}\) chooses a random message M and a user identifier ID, and asks \({\mathcal {B}}\) to sign a message M for ID on the current time period i. If \(i \ge b'\), \({\mathcal {B}}\) can generate any signing key as above. Otherwise, \({\mathcal {B}}\) first checks whether the ID and i entry exist in the \(\textsf {KeyIssue}\) table. If so, \({\mathcal {B}}\) generates a signature using the private key. If the ID and i entry does not exist in the table, \({\mathcal {B}}\) generates the key in a manner similar to the KeyIssue query phase. \({\mathcal {B}}\) selects random \(\sigma _i \in \mathbb {Z}_N^*\) and \(h_2 \in \{0,1\}^l\). \({\mathcal {B}}\) selects a random Z and \(h_1\) again, computes \(Y = {Z^2}^{3l(T+1-i)}\cdot U^{h_1}\), and adds them into \(H_1\) and uses them. Then, \(Y'\) is computed as \({\sigma _j^2}^{3l(T+1-t)}\cdot U^{h_1\cdot h_2} / Y^{h_2}\). \({\mathcal {B}}\), finally, returns \((\sigma ', Y, Y')\) to \({\mathcal {A}}\).

Hash query: The adversary \({\mathcal {A}}\) can make queries to the random oracle and get the corresponding random values.

[PKG corrupt phase] Upon the request of the PKG master secret key, \({\mathcal {B}}\) marks the current time period as b. If \(b < b'\), \({\mathcal {B}}\) aborts. Otherwise, since \({\mathcal {B}}\) has \(msk_{b'}\), \({\mathcal {B}}\) can compute \(msk_{b} \leftarrow v^{2^{3l(b-b')}}\) and return it to \({\mathcal {A}}\).

[Final forgery phase] In order to compute the factors of blum integer N, we utilize double forking here. As usual, \({\mathcal {B}}\) runs \({\mathcal {A}}\) twice with the same random tape, then \(H_1(Y\parallel ID^*)\) would be \(h_1\) at the first case, and \(\overline{h_1}\) for the second case. In each case, \({\mathcal {B}}\) runs \({\mathcal {A}}\) twice, so that each of them outputs different \(h_2\)’s this time.

In this phase, \({\mathcal {A}}\) gives a forgery signature \((\sigma _j, Y'^*, Y^*)\) of identifier \(ID^*\) and message \(M^*\) to \({\mathcal {B}}\), where \(j < b'\). As we described before, \(H_1(Y^* \parallel ID^*)\) returns different \(h_1\) and \(\overline{h_1}\) for each case. First of all, when \(h_1\) was returned, \(H_2(Y^* \parallel Y'^* \parallel j\parallel M^*)\) is \(h_2\), and \({\mathcal {B}}\) is given the forgery signature \((\sigma _j, Y'^*, Y^*)\) from \({\mathcal {A}}\). So, the Eq. (1) is valid.

$$\begin{aligned} \begin{aligned} {(\sigma _{j})^2}^{3l(T+i-j)}\cdot U^{h_1\cdot h_2} = Y'^*\cdot {Y^*}^{h_2} \end{aligned} \end{aligned}$$
(1)

\({\mathcal {B}}\), then, rewinds with the same random tape, \(H_2(Y^* \parallel Y'^* \parallel j\parallel M^*)\) is \(h_2^*\) and get the different forgery signature \((\sigma _j^*, Y'^*, Y^*)\) from \({\mathcal {A}}\). We obtain the Eq. (2) at this time.

$$\begin{aligned} \begin{aligned} {(\sigma _{j}^*)^2}^{3l(T+i-j)}\cdot U^{h_1\cdot h_2^*} = Y'^*\cdot {Y^*}^{h_2^*} \end{aligned} \end{aligned}$$
(2)

With dividing (1) by (2), Eq. (3) comes out.

$$\begin{aligned} \begin{aligned} {(\sigma _j/\sigma _j^*)^2}^{3l(T+1-j)} = (Y^*/U^{h_1})^{h_2-h_2^*} \end{aligned} \end{aligned}$$
(3)

\({\mathcal {B}}\) resets the nesting fork, \(H_1(Y^* \parallel ID^*)\) is \(\overline{h_1}\) in this time. In this round, we can get two Eqs. (4) and (5), and Eq. (6) is computed by (4)/(5).

$$\begin{aligned}&{\overline{(\sigma _{j'})}^2}^{3l(T+1-j')}\cdot U^{\overline{h_1}\cdot \overline{h_2}} = \overline{Y'^*}\cdot {Y^*}^{\overline{h_2}}\end{aligned}$$
(4)
$$\begin{aligned}&{\overline{(\sigma _{j'}^*)}^2}^{3l(T+1-j')}\cdot U^{\overline{h_1}\cdot \overline{h_2^*}} = \overline{Y'^*}\cdot {Y^*}^{\overline{h_2^*}} \end{aligned}$$
(5)
$$\begin{aligned}&{(\overline{\sigma _{j'}}/\overline{\sigma _{j'}^*})^2}^{3l(T+1-j')} = (Y^*/U^{\overline{h_1}})^{\overline{h_2}-\overline{h_2^*}} \end{aligned}$$
(6)

By calculating (3)\(^{(\overline{h_2}-\overline{h_2^*})}/\)(6)\(^{(h_2-h_2^*)}\) and replacing U with \(1/v^{2^{3l(T+1-b')}}\), the following Eq. (7) can be derived. We assume without loss of generality that \(j \ge j'\).

$$\begin{aligned} \begin{aligned} \frac{(\sigma _j / \sigma _j^*)^{(\overline{h_2} - \overline{h_2^*})\cdot {2^{3l(b'-j)}}}}{(\overline{\sigma _j} / \overline{\sigma _j^*})^{(h_2 - h_2^*)\cdot {2^{3l(b'-j')}}}} = v^{(h_1 - \overline{h_1})(h_2 - h_2^*)(\overline{h_2} - \overline{h_2^*})} \end{aligned} \end{aligned}$$
(7)

By Lemma 2 in, if we set \(\alpha = (h_1-\overline{h_1})(h_2-h_2^*)(\overline{h_2}-\overline{h_2^*}), X = \frac{Z}{\overline{Z}^{2^{3l(j - j')}}}, \lambda = 3l(b'-j)\), we can easily get the square root of v, where \(Z=(\sigma _j/\sigma _j^*)^{(\overline{h_2}-\overline{h_2^*})}\) and \(\overline{Z}=(\overline{\sigma _j}/\overline{\sigma _j^*})^{(h_2-h_2^*)}\).

Because v has four square roots and x is random, with probability 1/2 we have that \(x\not \equiv \pm y\) (mod N) and, hence \({\mathcal {B}}\) will be able to find a factor of N by computing the gcd of \(x-y\) and N.

To succeed the forgery, i should be \(j < i \le t'\). So, the probability loss is at most \(\frac{1}{T}\), and this is used as acc in Lemma 1. According to Lemma 1, the final probability that \({\mathcal {B}}\) succeeds becomes at least \(\frac{\epsilon }{2T}\cdot \left( \frac{\epsilon ^3}{T^3\cdot q^6}-\frac{28}{2^{k+3}}\right) \) where \(n = 3\), and \(q = q_{hash}+q_{sign}+q_{key}\).

6 Optimization of Performance Improvement

The key issuing and singing in our scheme require computing Y and \(Y'\) such that \(Y \leftarrow R^{2^{3l(T+1-j)}} \bmod N\) and \(Y' \leftarrow (R')^{2^{3l(T+1-i)}} \bmod N\) for randomly chosen numbers R, and \(R'\), of which time complexity is proportional to the maximum period T. Fast-AR scheme [10] accelerates the signing algorithm without sacrificing the other factors. In the scheme, instead of squaring R to compute Y, it chooses an exponent r randomly and then computes \(R \leftarrow g^r\) and \(Y \leftarrow X^r\) where X is precomputed and \(X = g^{2^{l(T+1)}} \pmod N\).

We can apply the Fast-AR scheme to the proposed FSIBS. In the KeyIssue algorithm, we choose a random exponent r to compute R and Y such that \(R \leftarrow g^r\) and \(Y \leftarrow X^r\). In the Sign algorithm, similarly we choose an exponent \(r'\) randomly and compute \(R'\) and \(Y'\) such that \(R' \leftarrow g^{r'}\) and \(Y' \leftarrow X^{r'}\). Note that X is precomputed in advance. The verification algorithm is revised similar to the Fast-AR [10]. Then the time complexities of the KeyIssue and the Sign algorithms are independent of the maximum period T. In the experiment we compare the optimized FSIBS with the original FSIBS.

7 Experiment

In this section, we implement the proposed FSIBS and the optimized FSIBS(opt-FSIBS) in Sect. 6 to validate the practicality. The FSIBS and opt-FSIBS are implemented using openssl library in C. For comparison, we also implement the pairing based scheme [15] using PBC library in C. The experiment is performed on Intel i7-8700K 3.7 GHz machine with 24 GB RAM using Ubuntu 18.04.

Table 2. Comparison of FSIBS, opt-FSIBS, and [15]
Full size table
Fig. 1.
figure 1

The execution time by varying the maximum time periods

Full size image

Table 2 shows the execution time and the key sizes when the security parameter k is 2048 for FSIBS and opt-FSIBS and \(k=224\) for [15]. The maximum time period T is \(2^{15}\) and the hash length l is 160. The execution times of FSIBS and opt-FSIBS are almost equivalent except for the KeyIssue and Sign time. KeyIssue and Sign times decrease to 3 ms from 24 s in opt-FSIBS which is much faster than the pairing based approach in [15]. Note that the verification time is quite large in the proposed scheme. However, the proposed scheme is practically applicable when the verification is not frequently occurred while the sign is performed periodically such as a streaming application [9]. The proposed schemes require less memory space to store keys than the pairing based approach.

Figure 1 illustrates the execution time by varying the maximum time periods. Figure 1(a), (e), and (f) show the execution times of PKGKeyGen, MSKUpdate, and UKUpdate algorithms in each scheme. They show that the execution times of our schemes are shorter than those of [15] always. Figure 1(b) and (c) illustrate the execution time of the KeyIssue and Sign algorithm in each scheme. According to these graphs, the KeyIssue time and Sign time of opt-FSIBS and [15] are both short enough. Lastly, Fig. 1(d) shows that the Verify algorithm in both FSIBS and opt-FSIBS takes much longer than [15]. Note that although Verify is much slower in our scheme than [15], it is relatively insignificant in a streaming application.

8 Conclusion

This paper proposes a forward-secure ID-based digital signature scheme with forward secure private key generator based on RSA assumption. We define its notion and provide practical constructions and its security proof under the factoring assumption in the random oracle model. The signing algorithm in the proposed scheme is fast enough to be applied in a streaming real-time application with constant size keys and constant size signatures while the verification time is quite long. The proposed scheme is implemented in a real system and the experimental results validate the practicality of the proposed scheme.