Forward Secure Identity-Based Signature Scheme with RSA

. A forward secure identity based signature scheme (FSIBS) provides forward secrecy of secret keys. In order to mitigate the damage when keys are leaked, it is desirable to evolve all the secret keys, i.e., both the user keys and the master key. In this paper, we propose a new RSA-based FSIBS scheme which requires constant size keys and generates constant size signatures. The experimental results show that it takes 3ms to generate a signature in the proposed scheme while it takes 75ms in the existing pairing based approach. The proposed scheme is provably secure under the factoring assumption in the random oracle model.


Introduction
The identity based signatures, so called IBS, are digital signatures where an identifier, such as e-mail address etc., is used as a public key.In the IBS system, a private key generator(PKG) publishes a public parameter and issues a secret signing key to an identified user using its master secret key.Because the IBS system utilizes publicly known information such as an identifier as its verification key, it allows any party to verify signatures without the explicit authenticated procedure of the verification key.On the other hand, the forward secure signature is a way to mitigate the damage caused by key exposure.A forward secure signature scheme divides the lifetime into several time periods, and uses a different key at each time period.With this idea, even if a signature key is exposed at a specific point of time, all signatures which are generated before the exposure time can be kept valid.In order to have advantages of both the IBS system and the forward secure signature system, several researches [6,12,[17][18][19][20] have been conducted to add forward security to the signing key issued by a private key generator(PKG).However, forward secrecy in such forward secure ID based signature schemes is limited and incomplete because only the user private keys evolve each time period; Once the master secret key is compromised, all signatures made by any user under this system cannot be considered valid even if the signing keys evolve properly.Mainly, these attacks can be done by the powers, buying off the system managers.In order to minimize the risk from the leakage of the master secret key, the PKG master key as well as the user's signing key also needs to satisfy forward security.This paper simply notates FSIBS with forward-secure PKG as FSIBS hereafter.
The notion of FSIBS was considered first in [15] and the scheme was based on an elliptic curve pairing function.The proposed scheme in [15] satisfies the forward security of both the master secret key and the users' signing keys.That is, even if a master secret key of time period t is exposed, all signatures generated before t are not invalidated.Although the scheme in [15] efficiently generates a signature, its application is limited due to the non-constant size signing keys.Considering the forward secrecy is widely applied including the IoT environment [9], providing more options for FSIBS is desirable.Given the only pairing-based scheme, it may be difficult to cover the resource-constrained IoT devices due to its complex pairing operation.
In this paper, we propose a new forward secure identity based signature scheme (FSIBS) in the RSA setting.Our scheme is constructed by extending the forward secure RSA based signature scheme in [1] into an identity-based scheme.The proposed scheme also allows the master key update for the forward secrecy of the master key.To update the keys, the scheme does not require any interaction between the user and the PKG, once an initial signing key is delivered.The proposed scheme is secure under the factoring assumption in the random oracle model.
Table 1 summarizes the comparison between the proposed scheme and [15].In Table 1, T is the maximum number of periods, l is the bit length of the hash output, k is the bit length in RSA, a is multiplication time in bilinear group, p is pairing time, and e is exponentiation time in bilinear group.As shown in Table 1, in the proposed scheme, the sizes of all keys such as a master secret key, a user signing key and a verification key, and a signature are constant while they are not in [15].The costs of KeyIssue, Update, and Sign algorithms in the optimized proposal are independent of the maximum number of period T .According to our experiment, overall, our (optimized) scheme is faster than [15], except in the Verify algorithm.In particular, for T = 2 15 , generating a signature requests only 3ms with 2048-bit k of RSA, while the scheme in [15] requires 75ms with the 224-bit ECC key.This paper is organized as follows.We begin by discussing the related works in Section 2. In Section 3, we define the notion of forward-secure ID based signature scheme with forward-secure key generation, the background assumption that our scheme is based on, and the formal security model.We construct our signature scheme in Section 4. After that, we describe the security proof in Section 5.In Section 6, we extend our proposed scheme to improve the signing performance.Moreover, experimental results are shown in Section 7. Finally, we conclude in Section 8.

Related Work
The concept of forward security was first proposed by Anderson [2], and Bellare and Miner [3] made the formal definition of forward secure digital signatures(FSS).[3] proposed two forward secure signature constructions.One of them is a generic construction which can be derived by any signature scheme, of which complexity is at least O(log T )-factor times of the original scheme, where T is the number of total time periods.The other is a variation on the Fiat-Shamir signature scheme [7] for a forward secure version that has constant-size signatures and takes O(T )-time for signing and verification.Next, Abdalla and Reyzin proposed a FSS scheme with a short public key [1].However, its key generation, signing and verification are slow.Itkis and Reyzin suggested a FSS scheme with efficient signing and verification based on Guillous-Quisquater signatures [8], however, it costs more update time.On the other hands, Kozlov and Reyzin suggested a FSS scheme with fast update, but its signing and verification takes longer.So far, time complexity of some algorithm components for any suggested FSS constructions is depends on the total number of period T .
Krawczyk proposed a generic FSS construction with a constant-size private key, but with O(T )-size storage (possibly non-private) [11].An efficient generic construction with unlimited time periods [13] is suggested by Malkin, Micciancio, and Miner using Merkletrees [14].
Boyen et al. [4] proposed the concept of forward secure signatures with untrusted updates for additional protection of the private key.Its private key is encrypted by the second factor(i.e., user password), and the key update proceeds with encryption.They construct an efficient scheme with constant-size signatures and provide the security reduction based on the Bilinear Diffie-Hellman Inversion assumption (BDHI) without random oracles.
Liu et al. proposed the forward-secure ID-based signature scheme without providing specific security definition and proof [12].Yu et al [18] formalized the security definition and proposed a scheme with a formal security proof.Meanwhile, Ebri et al. [6] proposed an efficient generic construction of forward-secure ID-based signature.When it is instantiated with Schnorr signatures [16], their construction provides an efficient scheme in the random oracle model.Yu et al. [19] made an extension of forward-secure ID-based signature with untrusted updates.Zhang et al. [20] proposed the two forms of lattice-based constructions under lattice assumption, in the random oracle model and in the standard model.Presently, Wei et al. [17] proposed an efficient revocation forwardsecure ID-based signature to provide forward security and backward security upon key exposure.However, user key update requires interaction with PKG for each period to support revocation.The update algorithm run by the PKG generates an updated private key for each unrevoked user at each period.However, the master secret key of PKG is not updated.
All of the above [6,12,[17][18][19][20] consider only the security of the user's private keys.Oh et al. [15] proposed first and only FSIBS system with forward secure PKG in a bilinear group setting.The scheme is constructed as a three-dimensional hierarchical ID based signature scheme; the first dimension is related with periods, the second dimension with identifiers, and the third dimension with messages.The hierarchical ID based signatures are taken in a double manner; first for issuing users' signing keys, and second for signing.To implement [15], no extra interaction between PKG and users is required, if the signing key is issued properly.

Preliminaries
We define the model for a FSIBS scheme with forward secure private key generator as in [15] in this section.And we define the security model of our scheme and describe its underlying assumption.

FSIBS scheme
A FSIBS scheme with forward secure private key generator consists of six algorithms Σ F SIBS =(PKGKeyGen, MSKUpdate, KeyIssue, UKUpdate, Sign, Verify) as following: -PKGKeyGen(k, T ): This algorithm takes security parameter k and the maximum number of time periods T , and outputs the public verification key V K and the PKG master key M SK t .The PGK master key M SK t includes the current time period t which is initialized to 1.
-MSKUpdate(M SK t ): This algorithm takes the PKG master key at current time period t as an input, and outputs a new PKG master key M SK t+1 .Once a new PKG master key is computed, the previous PKG master key is removed.If t + 1 ≥ T , then the old key is removed and no new keys are created.
-KeyIssue(M SK t , ID): This algorithm takes the PKG master key at current time period t and an identifier ID.It outputs a secret signing key SK t,ID for the specific identifier ID.The signing key also includes the time period t.
-UKUpdate(SK t,ID ): This algorithm takes in the signing key of an identifier ID at current time period t and outputs a new signing key SK t+1,ID .Once a new signing key is created, the previous signing key is removed.If t + 1 ≥ T , then the old key is removed and no new keys are created.
-Sign(SK t,ID , M ): This algorithm takes in the signing key of an identifier ID at current time period t, and a message M .It outputs a signature σ for time period t.
-Verify(ID, σ, M , V K, t): This algorithm takes an identifier ID, a signature σ, a message M , a verification key V K, and a time period t.It outputs either valid or invalid.
Definition 1.A FSIBS scheme is perfectly correct if

Security model
We use a game between an adversary A and a challenger C to define the security.The game captures the notion of PKG master key forward security, users' signing key forward security and the traditional unforgeability with security parameter k, maximum time period T , and negligible function .The game proceeds as following : The time period t is set to 1. Challenger C generates verification key V K and master key M SK 1 through PKGKeyGen, and give V K to adversary A.
[Interactive query phase] In this phase the adversary A is allowed to adaptively query the following oracles.KeyIssue : The adversary A can choose a specific ID and ask the challenger C for the signing key for ID of current time period t.The challenger C returns the signing key SK t,ID for ID of current time period t to adversary A.
Update : The adversary A can request the challenger C to execute the MSKUpdate algorithm and UKUpdate algorithm.
Sign : The adversary A can choose a random message M and a user identifier ID and ask the challenger to sign a message M for ID on the current time period t.Then, it receives a signature σ from the challenger.
Hash: The adversary A can make queries to the random oracle and get the corresponding random values.
[PKG corrupt phase] The adversary A requests the PKG master key of the current time period t from the challenger C. The challenger C returns the master key M SK t .Note that the signing key of any identifier at the current time period and after can be generated using M SK t .
[Final forgery phase] The adversary A produces a fake signature which consists of a time period, user's ID, message and signature tuple (t * , ID * , M * , σ * ).The adversary is successful if t * < t , the signature is valid for time t * , and the adversary had not queried for a signature on M * and ID * at the time period t * .
We define the advantage of an algorithm A attacking scheme Σ by the probability that A is successful in the game, and denote the advantage by Adv FSIBS A,Σ .We say that a PKG forward secure scheme Σ is (τ, q key , q sign , q hash , )-secure if for all adversaries A running in time τ , making q key key issue query, q sign sign query and q hash hash query, if:

Factoring assumption
Let A be an adversary for the problem of factoring Blum integers; an integer n = pq, where p, q are distinct odd primes and p ≡ q ≡ 3 (mod 4), is called a Blum integer.We define the following experiment.
Experiment FactoringA(k) Randomly choose two k/2 bit primes p and q, s.t.: p ≡ q ≡ 3 ( mod 4) N ← pq (p , q ) ← A(N ) If p q = N and p = 1 and q = 1 then return 1 else return 0 Let Adv F AC A (k) denote the probability that experiment Factoring A (k) returns 1.We say that the factoring assumption holds if for all PPT algorithm A with negligible function ,

Multiple forking
Multiple forking (MF) is an extension of general forking to accommodate nested oracle replay attacks [5].The modularity of the MF Lemma allows one to abstract out the probabilistic analysis of the rewinding process from the actual simulation in the security argument.The MF algorithm M Y,n (x) associated to Y and n is defined in [5].
Lemma 1.Let G be a randomized algorithm that takes no input and returns a string.Let Y be a randomized algorithm that on input a string x and elements s 1 , ..., s q ∈ S returns a triple (I, J, σ) consisting of two integers 0 ≤ J < I ≤ q and a string σ.Let where q is the sum of the upper bound on the queries to the random oracles involved and n is, loosely speaking, the number of forking.

The Proposed Scheme
In this section, we construct a forward-secure ID based digital signature scheme with forward-secure key generation, based on the factoring assumption.Our construction is based on a forward secure signature scheme in [1] and extends it into the identity based schemes.The proposed scheme can be considered as a recursive signature scheme; The first signature is generated with the master key to issue the user's signing key and the second signature is performed with the signing key to sign messages.This doubly recursive design should be carefully handled so that the update of the master key is correctly and independently synchronized with the update of the user's signing key.Finally, verifying the final signature must validate the authenticity of identifier, message, and the period.Given a maximum time period T , a security parameter k, and a maximum hash length l, The detailed construction of our FSIBS scheme is described in Algorithm 1.

Algorithm 1 Factoring based FSIBS
PKGKeyGen(k, T, l): Generated random primes p,q s.t: For the following correctness description, we assume that the user signing key is generated as SK j,ID = (N, T, Y, sk j,ID = R•(msk j ) h1 ) for some time period j where j < T .Then, notice that the user signing key at time period i for i > j evolves into SK i,ID = (N, T, Y, sk i,ID = (R • (msk j ) H1(Y ID) ) 2 3l(i−j) mod N ) by the UKUpdate algorithm.Correctness : We show that our scheme is correct by computing the equation below: where

Security Proof
Let k and l be two security parameters.Let p and q be primes and N = pq be a k-bit integer (Since p ≡ q ≡ 3 (mod 4), N is a Blum integer).Let Q denote the set of nonzero quadratic residues modulo N .Note that for x ∈ Q, exactly one of its four square roots is also in Q.
Note that it is allowed to take roots of degree 2 γ since both sides are in Q Theorem 1.Let A be an adversary attacking Σ F SIBS with running in time τ , making q key number of key issue queries, q sign number of sign queries and q hash number of hash queries.If the advantage Adv FSIBS A,Σ is , then there exists an algorithm B that succeeds in solving the factoring problem in expected time at most τ with probability at least , where with q = q hash + q sign + q key .Proof.Given A, we show how to construct an algorithm B of solving the factoring problem with success probability 2T approximately in time 4τ + O(k 2 lT + k 3 ).To factor its input N , B will select a random x ∈ Z * N , compute v ≡ x 2 mod N , and attempt to use the adversary A to find a square root y of v.Because v has four square roots and x is random, with probability 1/2 we have that x ≡ ±y (mod N ) and, then B will be able to find a factor of N by computing the gcd of x − y and N .To do so, we utilize the forking lemma technique in the following.Before start of the game, B guesses the time period b , 1 < b ≤ T that A will make a forgery.
b mod N and gives V K = (N, U, T ) to A. B maintains two hash tables to respond to the hash queries to H 1 and H 2 .
[Interactive query phase] In this phase, A is allowed to query four types of oracles KeyIssue, Update, Sign, and Hash as follows.

KeyIssue query :
The adversary A chooses a specific ID and a time period i, and sends them to B. If i < b then B selects a random Z ∈ Q and chooses random string Sign query : A chooses a random message M and a user identifier ID, and asks B to sign a message M for ID on the current time period i.If i ≥ b , B can generate any signing key as above.Otherwise, B first checks whether the ID and i entry exist in the KeyIssue table.If so, B generates a signature using the private key.If the ID and i entry does not exist in the table, B generates the key in a manner similar to the KeyIssue query phase.B selects random σ i ∈ Z * N and h 2 ∈ {0, 1} l .B selects a random Z and h 1 again, computes Y = Z 2 3l(T +1−i) • U h1 , and adds them into H 1 and uses them.Then, Y is computed as σ 2 j 3l(T +1−t) • U h1•h2 /Y h2 .B, finally, returns (σ , Y, Y ) to A.

Hash query :
The adversary A can make queries to the random oracle and get the corresponding random values.and return it to A.
[Final forgery phase] In order to compute the factors of blum integer N , we utilize double forking here.As usual, B runs A twice with the same random tape, then H 1 (Y ID * ) would be h 1 at the first case, and h 1 for the second case.In each case, B runs A twice, so that each of them outputs different h 2 's this time.
In this phase, A gives a forgery signature (σ j , Y * , Y * ) of identifier ID * and message M * to B, where j < b .As we described before, H 1 (Y * ID * ) returns different h 1 and h 1 for each case.First of all, when h 1 was returned, H 2 (Y * Y * j M * ) is h 2 , and B is given the forgery signature (σ j , Y * , Y * ) from A. So, the equation ( 1) is

Optimization of Performance Improvement
The key issuing and singing in our scheme require computing Y and Y such that Y ← R 2 3l(T +1−j) mod N and Y ← (R ) 2 3l(T +1−i) mod N for randomly chosen numbers R, and R , of which time complexity is proportional to the maximum period T .Fast-AR scheme [10] accelerates the signing algorithm without sacrificing the other factors.
In the scheme, instead of squaring R to compute Y , it chooses an exponent r randomly and then computes R ← g r and Y ← X r where X is precomputed and X = g 2 l(T +1) (mod N ).
We can apply the Fast-AR scheme to the proposed FSIBS.In the KeyIssue algorithm, we choose a random exponent r to compute R and Y such that R ← g r and Y ← X r .In the Sign algorithm, similarly we choose an exponent r randomly and compute R and Y such that R ← g r and Y ← X r .Note that X is precomputed in advance.The verification algorithm is revised similar to the Fast-AR [10].Then the time complexities of the KeyIssue and the Sign algorithms are independent of the maximum period T .In the experiment we compare the optimized FSIBS with the original FSIBS.

Experiment
In this section, we implement the proposed FSIBS and the optimized FSIBS(opt-FSIBS) in section 6 to validate the practicality.The FSIBS and opt-FSIBS are implemented using openssl library in C. For comparison, we also implement the pairing based scheme [15] using PBC library in C. The experiment is performed on Intel i7-8700K 3.7GHz machine with 24GB RAM using Ubuntu 18.04.Table 2 shows the execution time and the key sizes when the security parameter k is 2048 for FSIBS and opt-FSIBS and k = 224 for [15].The maximum time period T is 2 15 and the hash length l is 160.The execution times of FSIBS and opt-FSIBS are almost equivalent except for the KeyIssue and Sign time.KeyIssue and Sign times decrease to 3 ms from 24s in opt-FSIBS which is much faster than the pairing based approach in [15].Note that the verification time is quite large in the proposed scheme.However, the proposed scheme is practically applicable when the verification is not frequently occurred while the sign is performed periodically such as a streaming application [9].The proposed schemes require less memory space to store keys than the pairing based approach.UKUpdate algorithms in each scheme.They show that the execution times of our schemes are shorter than those of [15] always.Figure 1(b) and 1(c) illustrate the execution time of the KeyIssue and Sign algorithm in each scheme.According to these graphs, the KeyIssue time and Sign time of opt-FSIBS and [15] are both short enough.Lastly, Figure 1(d) shows that the Verify algorithm in both FSIBS and opt-FSIBS takes much longer than [15].Note that although Verify is much slower in our scheme than [15], it is relatively insignificant in a streaming application.

Conclusion
This paper proposes a forward-secure ID-based digital signature scheme with forward secure private key generator based on RSA assumption.We define its notion and provide practical constructions and its security proof under the factoring assumption in the random oracle model.The signing algorithm in the proposed scheme is fast enough to be applied in a streaming real-time application with constant size keys and constant size signatures while the verification time is quite long.The proposed scheme is implemented in a real system and the experimental results validate the practicality of the proposed scheme.

[
PKG corrupt phase] Upon the request of the PKG master secret key, B marks the current time period as b.If b < b , B aborts.Otherwise, since B has msk b , B can compute msk b ← v 2 3l(b−b )

Fig. 1 :
Fig. 1: The execution time by varying the maximum time periods

Table 1 :
[15]arison of our scheme and[15] O((a + e) • log2 ID) is defined in the H 1 table then fails and aborts ; otherwise, sets H 1 (Y, ID) as h 1 and adds the entry (Y, ID, h 1 ) into the H 1 table.Set SK i,ID = Z.After that, B returns the signing key SK i,ID = (N, T, Y, sk i,ID ) for ID of current time period i to adversary A. Consider i ≥ b .Since B has msk b = v, it can obtain msk i by executing MSKUpdate algorithm.B returns the singing key SK i,ID simply by applying the KeyIssue algorithm.B maintains a KeyIssue table and updates the entry (SK i,ID , i, ID) into the table.Update query : The adversary A requests the challenger C to execute the MSKUpdate algorithm and UKUpdate algorithm.If i ≤ b then nothing is performed.Otherwise MSKUpdate and UKUpdate is called.