Efficient hybrid public key signature scheme
First Claim
1. A method for generating a signature for a message, the method comprising:
- employing a public/private key pair in which the private key includes at least one enhancing key and the public key includes a TCR commitment to said at least one enhancing key;
obtaining an opening string, opening the TCR-commitment to said enhancing key with the opening string, forming a function of the message and the private key, and forming a signature comprising the function and the opening string.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods, apparatus and computer products provide solutions to the problem caused by the slow speed of public key signature algorithms. The solutions also solve problems of packet authentication for multicast and other scenarios requiring fast, compact digital signatures. Security guarantees required for packet authentication are provided in a way that can handle multiple independent flows, produces authentication fields of fixed size, works in the fully unreliable setting, does not require any packet delays and has the additional property of being able to withstand and smooth over irregular processor loading and bursty packet output rate. One aspect of the present invention uses a hybrid approach consisting of the signer creating a certificate for the public key of an efficient k-time signature scheme using a regular signature key. The signer then signing up to k messages with the private key corresponding to k-time public key. The time consumed to compute a public key signature is amortized over k signatures. These and other aspects are provided in a signature scheme wherein a commitment is employed.
151 Citations
71 Claims
-
1. A method for generating a signature for a message, the method comprising:
-
employing a public/private key pair in which the private key includes at least one enhancing key and the public key includes a TCR commitment to said at least one enhancing key;
obtaining an opening string, opening the TCR-commitment to said enhancing key with the opening string, forming a function of the message and the private key, and forming a signature comprising the function and the opening string. - View Dependent Claims (2, 3, 4, 5, 11, 12, 13, 14, 15, 16, 19, 20, 70)
-
-
6. A method comprising:
-
receiving a signed message having an internal message, a signature, and a commitment opening string, and authenticating the internal message employing a public key from a public/private key pair in which the public key includes a TCR-commitment to an enhancing key and the private key includes at least one enhancing key. - View Dependent Claims (7, 8, 9, 10)
-
-
17. A method for generating a signature for an internal message, the method comprising:
-
employing a private key which includes at least one enhancing key and which is paired with a public key which includes a commitment to said enhancing key;
opening the commitment to said enhancing key and obtaining an opening string, forming a function of the internal message and the private key, and forming the signature comprising the function and the opening string. - View Dependent Claims (18)
-
-
21. A method for a signer to generate key pairs for a signature scheme, the method comprising:
-
generating k 1-time key pairs;
constructing an authentication tree based on a collision resistant hash function using the k, 1-time public keys of the key pairs thus generated to form a k-time public key; and
signing a root of the tree with a long-term signature key to form a certificate for the k-time key pair, wherein it least one of the k 1-time key pairs includes an embedded commitment. - View Dependent Claims (22, 23, 24, 25)
-
-
26. A method to generate k-time key pairs for a signature scheme, the method comprising:
-
generating k 1-time key pairs;
constructing an TCR authentication tree based on a target collision resistant hash function using k 1-time public keys of the key pairs thus generated to form a k-time public key; and
signing a root of the tree combined with TCR-keys used to build the TCR tree, with a long-term signature key of a signer to form a certificate for at least one of the k-time key pairs. - View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
choosing a unique key pair taken from said 1-time key pairs;
computing a TCR hash function of said at least one arbitrary message using the enhancing key corresponding to the unique 1-time key;
computing a 1-time signature on an output of said TCR hash function;
a commitment opening string to the commitment included within a public key of the unique 1-time key; and
forming a signature comprised of the 1-time signature, the commitment opening string.
-
-
35. A method as recited in claim 34, further comprising the step of creating ancillary information for identifying and authenticating the unique 1-time public key within the certificate for the k-time public key;
- and
including said ancillary information in the signature.
- and
-
36. A method for verifying a signature on an arbitrary message, wherein the signature is formed according to method recited in claim 34, the method of verifying comprising:
-
obtaining a authentic copy of the 1-time public key associated with said signature;
extracting the commitment opening string from said signature;
deriving the enhancing key using the commitment opening string;
computing a TCR hash function for the arbitrary message using said enhancing key;
verifying the commitment opening string with respect to the commitment embedded in the 1-time public key; and
verifying the 1-time signature which signed an output of said TCR hash function with respect to the 1-time public key.
-
-
37. A method as recited in claim 36, wherein the step of deriving the enhancing key from the commitment opening string includes applying an identity transformation to the commitment opening string.
-
38. A method as recited in claim 35, wherein the step of verifying the commitment opening string includes computing a function on the 1-time public key and the commitment opening string.
-
39. A method as recited in claim 35, wherein the step of verifying the 1-time signature includes applying a function on the 1-time signature on said output of the TCR hash function and on said 1-time public key.
-
40. A method for verifying a signature on an arbitrary message, wherein the signature is formed according to the method recited in claim 35, the method for verifying comprising:
-
obtaining a certificate for the k-time public key associated with said signature;
verifying the certificate using a long term public key of the signer to authenticate the k-time public key;
extracting the commitment opening string from said signature and using the opening string to derive the enhancing key;
computing a TCR hash function on said message using said enhancing key;
verifying the commitment opening string with respect to a commitment embedded in one of the 1-time public keys within the k-time public key;
verifying the 1-time signature on a output of said TCR hash function with respect to one of the 1-time public keys embedded within the k-time public key; and
validating the ancillary information with respect to the authenticated k-time public key to authenticate the 1-time public key associated with said signature.
-
-
41. A method as recited in claim 40, wherein the step of verifying the certificate is performed only once for k uses of the k-time key.
-
42. A method as recited in claim 39, wherein the step of validating the ancillary information includes the step of partially reconstructing the TCR-tree used to create the k-time public key.
-
43. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing generation of a signature for a message, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect:
-
employing a public/private key pair in which the private key includes at least one enhancing key and the public key includes a TCR commitment to said at least one enhancing key;
obtaining an opening string, opening the TCR-commitment to said enhancing key with the opening string, forming a function of the message and the private key, and forming a signature comprising the function and the opening string. - View Dependent Claims (44, 45, 46, 47)
-
-
48. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect:
-
receiving a signed message having an internal message, a signature, and a commitment opening string, and authenticating the internal message employing a public key from a public/private key pair in which the public key includes a TCR-commitment to an enhancing key and the private key includes at least one enhancing key. - View Dependent Claims (49, 50, 51, 52, 53, 54, 55)
-
-
56. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a generation of a signature for an internal message, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect:
-
generating a signature for an internal message employing a private key which includes at least one enhancing key and which is paired with a public key which includes a commitment to said enhancing key;
opening the commitment to said enhancing key and obtaining an opening string;
forming a function of the internal message and the private key; and
forming the signature comprising the function and the opening string. - View Dependent Claims (57, 58)
-
-
59. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for a signer to generate key pairs for a signature scheme, said method steps comprising:
-
generating k 1-time key pairs;
constructing an authentication tree based on a collision resistant hash function using the k, 1-time public keys of the key pairs thus generated to form a k-time public key; and
signing a root of the tree with a long-term signature key to form a certificate for the k-time key pair;
wherein at least one of the k 1-time key pairs includes an embedded commitment. - View Dependent Claims (60, 61, 71)
-
-
62. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for generating k-time key pairs for a signature scheme, said method steps comprising:
-
generating k 1-time key pairs;
constructing an TCR authentication tree based on a target collision resistant hash function using k 1-time public keys of the key pairs thus generated to form a k-time public key; and
signing a root of the tree combined with TCR-keys used to build the TCR tree, with a long-term signature key of a signer to form a certificate for at least one of the k-time key pairs. - View Dependent Claims (63, 64, 65, 66, 67, 68, 69)
employing a k-time key pair generated as recited in claim 63, said method steps for signing comprising: choosing a unique key pair taken from said 1-time key pairs;
computing a TCR hash function of said at least one arbitrary message using the enhancing key corresponding to the unique 1-time key;
computing a 1-time signature on an output of said TCR hash function;
computing a commitment opening string to the commitment included within a public key of the unique 1-time key; and
forming a signature comprised of the 1-time signature, the commitment opening string.
-
-
67. A program storage device readable by machine as recited in claim 66, said method steps further comprising the steps of creating ancillary information for identifying and authenticating the unique 1-time public key within the certificate for the k-time public key;
- and
including the ancillary information in the signature.
- and
-
68. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for verifying a signature on an arbitrary message, wherein the signature is formed according to method recited in claim 66, said method steps for verifying comprising:
-
obtaining a authentic copy of the 1-time public key associated with said signature;
extracting the commitment opening string from said signature;
deriving the enhancing key using the commitment opening string;
computing a TCR hash function for the arbitrary message using said enhancing key;
verifying the commitment opening string with respect to the commitment embedded in the 1-time public key; and
verifying the 1-time signature which signed an output of said TCR hash function with respect to the 1-time public key.
-
-
69. A program storage device readable by machine as recited in claim 62, wherein the signature scheme is a 36-time signature scheme.
Specification