Skip to main content

New Methods and Abstractions for RSA-Based Forward Secure Signatures

  • 488 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12146)


We put forward a new abstraction for achieving forward-secure signatures that are (1) short, (2) have fast update and signing and (3) have small private key size. Prior work that achieved these parameters was pioneered by the pebbling techniques of Itkis and Reyzin (CRYPTO 2001) which showed a process for generating a sequence of roots \(h^{1/e_1}, h^{1/e_2}, \ldots , h^{1/e_T}\) for a group element h in \(\mathbb {Z}_N^*\). However, the current state of the art has limitations.

First, while many works claim that Itkis-Reyzin pebbling can be applied, it is seldom shown how this non-trivial step is concretely done. Second, setting up the pebbling data structure takes T time which makes key generation using this approach expensive (i.e., T time). Third, many past works require either random oracles and/or the Strong RSA assumption; we will work in the standard model under the RSA assumption.

We introduce a new abstraction that we call an RSA sequencer. Informally, the job of an RSA sequencer is to store roots of a public key U, so that at time period t, it can provide \(U^{1/e_t}\), where the value \(e_t\) is an RSA exponent computed from a certain function. This separation allows us to focus on building a sequencer that efficiently stores such values, in a forward-secure manner and with better setup times than other comparable solutions. In addition, our sequencer abstraction has certain re-randomization properties that allow for constructing forward-secure signature schemes with a single trusted setup that takes T time and afterward individual key generation takes \(\lg (T)\) time.

We demonstrate the utility of our abstraction by using it to provide concrete forward-secure signature schemes. We first give a random-oracle construction that closely matches the performance and structure of the Itkis-Reyzin scheme with the important exception that key generation can be realized much faster (after the one-time setup). We then move on to designing a standard model scheme. We believe this abstraction and illustration of how to use it will be useful for other future works.

We include a detailed performance evaluation of our constructions, with an emphasis on the time and space costs for large caps on the maximum number of time periods T supported. Our philosophy is that frequently updating forward secure keys should be part of “best practices” in key maintenance. To make this practical, even for bounds as high as \(T=2^{32}\), we show that after an initial global setup, it takes only seconds to generate a key pair, and only milliseconds to update keys, sign messages and verify signatures. The space requirements for the public parameters and private keys are also a modest number of kilobytes, with signatures being a single element in \(\mathbb {Z}_N\) and one smaller value.

S. Hohenberger—Supported by NFS CNS-1414023, NSF CNS-1908181, the Office of Naval Research N00014-19-1-2294, and a Packard Foundation Subaward via UT Austin.

B. Waters—Supported by NSF CNS-1414082, NSF CNS-1908611, Simons Investigator Award and Packard Foundation Fellowship.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-57808-4_15
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   69.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-57808-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   89.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.


  1. 1.

    Key updates could correspond to actual time intervals or be done in some other arbitrary manner.

  2. 2.

    For the purposes of this overview, we will implicitly assume that all \(e_i\) values are relatively prime to \(\phi (N)\) and thus \(V_j^{1/e_i}\) is uniquely defined. However, this is not required in our formal specification.

  3. 3.

    Any adversary \(\mathcal {A}\) that runs in time polynomial in \(\lambda \) will be restricted (by its own running time) to responding with a T value that is polynomial in \(\lambda \).

  4. 4.

    Technically, it is non-limiting to allow the adversary only one break-in period, because from this secret key she can run the update algorithm to produce valid signing keys for all future periods. Her forgery must, in any event, come from a period prior to her earliest break-in.

  5. 5.

    In a particular \(S_i\) there might be zero, one or two tuples. If there are two, the one with the larger \(\mathtt {open}\) value is ignored. Ties will not occur, as our analysis will show.

  6. 6.

    The \(e_{\mathrm {default}}\) value is included to guarantee that \(H_K()\) returns some value for each input, but we have chosen the search space so that \(e_{\mathrm {default}}\) is only returned with negligible probability.

  7. 7.

    For convenience, we pass the key K to \(\mathsf {SeqSetup}\) with the assumption that it implicitly describes \(H_K\).

  8. 8.

    Technically, \(\mathsf {SeqCurrent}\) returns a tuple of length \(\mathtt {len}\), since \(\mathtt {len}=1\) in this case, we allow \(\mathsf {SeqCurrent}\) to return s instead of (s).

  9. 9.

    The parameters given for this and the standard model scheme evaluation do not have a total correspondence to the scheme description, e.g., using 81-bit e values technically requires a variant of the RSA assumption with smaller exponents. We also do not attempt to set the modulus size to match the security loss of our reductions. It is unknown if this loss can be utilized by an attacker and we leave it as future work to deduce an optimally tight reduction. Our focus here is to give the reader a sense of the relative performance of the schemes for reasonable parameters.

  10. 10.

    Technically, \(T = 2^{\mathtt {levels}+1}-2\) (see Sect. 5), we ignore the small constants.

  11. 11.

    This could be further reduced by using a faster computer and/or parallelizing.


  1. Abdalla, M., Benhamouda, F., Pointcheval, D.: On the tightness of forward-secure signature reductions. J. Cryptol. 32(1), 84–150 (2019)

    MathSciNet  CrossRef  Google Scholar 

  2. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000).

    CrossRef  Google Scholar 

  3. Anderson, R.: Invited lecture. In: Fourth Annual Conference on Computer and Communications Security. ACM (1997)

    Google Scholar 

  4. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999).

    CrossRef  Google Scholar 

  5. Bellare, M., Ristov, T.: Hash functions from sigma protocols and improvements to VSH. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 125–142. Springer, Heidelberg (2008).

    CrossRef  Google Scholar 

  6. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994).

    CrossRef  Google Scholar 

  7. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004).

    CrossRef  Google Scholar 

  8. Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)

    MathSciNet  CrossRef  Google Scholar 

  9. Camenisch, J., Koprowski, M.: Fine-grained forward-secure signature schemes without random oracles. Discrete Appl. Math. 154(2), 175–188 (2006)

    MathSciNet  CrossRef  Google Scholar 

  10. Fisher, D.: Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Threatpost, 31 October 2012.

  11. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

    MathSciNet  CrossRef  Google Scholar 

  12. Hoffman, S.: RSA SecureID Breach Costs EMC \$66 Million. CRN Magazine, 28 July 2011.

  13. Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009).

    CrossRef  Google Scholar 

  14. Hohenberger, S., Waters, B.: Synchronized aggregate signatures from the RSA assumption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 197–229. Springer, Cham (2018).

    CrossRef  Google Scholar 

  15. Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001).

    CrossRef  Google Scholar 

  16. Kozlov, A., Reyzin, L.: Forward-secure signatures with fast key update. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 241–256. Springer, Heidelberg (2003).

    CrossRef  Google Scholar 

  17. Krawczyk, H.: Simple forward-secure signatures from any signature scheme. In: ACM Conference on Computer and Communications Security, pp. 108–115 (2000)

    Google Scholar 

  18. Malkin, T., Micciancio, D., Miner, S.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002).

    CrossRef  Google Scholar 

  19. Mohassel, P.: One-time signatures and chameleon hash functions. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 302–319. Springer, Heidelberg (2011).

    CrossRef  Google Scholar 

  20. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    MathSciNet  CrossRef  Google Scholar 

  21. Shoup, V.: NTL: A Library for doing Number Theory, v10.5.0 (2017).

  22. Song, D.X.: Practical forward secure group signature schemes. In: ACM Conference on Computer and Communications Security, pp. 225–234 (2001)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Susan Hohenberger or Brent Waters .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hohenberger, S., Waters, B. (2020). New Methods and Abstractions for RSA-Based Forward Secure Signatures. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds) Applied Cryptography and Network Security. ACNS 2020. Lecture Notes in Computer Science(), vol 12146. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57807-7

  • Online ISBN: 978-3-030-57808-4

  • eBook Packages: Computer ScienceComputer Science (R0)