Technical Field
This invention generally relates to production of cryptographic signatures in data processing systems. Methods, systems and computer programs are provided for producing a cryptographic signature on a message at a user computer under a key x which is shared between the user computer and an authentication computer.
Description of the Related Art
Cryptographic signatures are widely used in data processing systems for protecting messages communicated over the system against unauthorized access by parties other than the legitimate sender and recipient. A cryptographic signature is produced by encoding the message using a cryptographic key in accordance with an algorithm defined by the signature scheme. The signature can only be decoded to reveal the message by a recipient in possession of the correct key. Signature schemes commonly use a pair of cryptographic keys, namely a secret key known only to one party to the scheme, and a public key which is available to all users of the scheme. A message signed under a sender's secret key can be decoded by a recipient using the sender's public key. Since the secret signing key is known only to the sender, correct decoding using the sender's public key confirms the authenticity of the message.
Cryptographic keys are increasingly stored and used on personal computer devices such as smart phones and laptop computers. Unfortunately, such devices are vulnerable to viruses and other malware, so users run the risk that their cryptographic keys will be compromised by such malware. One approach to counter this is to store keys on a secure hardware device such as a smart card. As the secure device does not typically have a screen, keyboard or other user interface, the secure device still has to be used in conjunction with a personal computer device in order to perform operations with the keys. So while this approach prevents theft of the keys by malware, the malware may still make use of the keys without the user noticing. Furthermore, if the hardware device is lost or stolen, the keys are also lost and can be misused by unauthorised parties. Additional protection of the keys is therefore required. Methods here include use of some form of password which the user must provide each time the key is used. However, passwords are inherently vulnerable to offline guessing attacks, as they must be short enough for users to remember.
Key-sharing schemes are known whereby a cryptographic key is shared between a plurality of entities, e.g., servers in a data processing system, each of which holds a respective share of the key. The cryptographic key is, thus, some function of all the individual key-shares. A signature under the cryptographic key can be jointly produced by the entities, each of which sees the message and uses its key-share to perform part of the signature scheme, such that a full signature under the shared key is obtained at the end of the process.
Blind signature schemes are known whereby a user can obtain a signature on a message from a signing entity without the signing entity seeing the message. An example of a blind signature scheme using Boneh Lynn Shacham (“BLS”) signatures is discussed in “Efficient threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme”, Boldyreva, Public Key Cryptography 2003, Lecture Notes in Computer Science Vol. 2567, Springer-Verlag, 2003. With these schemes the signer has full control of the signing key and the signature process.
Password-based signatures are also known and are discussed in “Password-based Signatures”, Gjøsteen and Thuen, EuroPKI 2011, LNCS 7163, pp. 17-33, 2012; and “Partially blind password-based signatures using elliptic curves”, Kristian Gjøsteen, http://eprint.iacr.org/2013/472.pdf. These schemes allow a user with a password to obtain a signature with the help of a server without revealing the message to the server. In “Password-based Signatures”, for example, the server does not hold the entire signing key, but only a share of it. The user's password is the second share of the signing key and is used to complete the final signature. However, various security problems are associated with prior password-based signature schemes. For example, though the signing process may fail if the user password is incorrect, the signature scheme can be readily subverted if the user password is weak. The systems are vulnerable to online attacks, e.g., where an adversary makes repeated requests while guessing the password. An adversary may also make one request with a bad password and then use the information obtained in an offline guessing attack. Moreover, these schemes require the server to be fully-trusted, and there is no protection against offline attacks if information from the server leaks.