Protecting Electronic Signatures in Case of Key Leakage

Miroslaw Kutylowski, Jacek Cichon, Lucjan Hanzlik, Kamil Kluczniak (Wroclaw University of Science and Technology)
Xiaofeng Chen, Jianfeng Wang (Xidian University)

We present a protection mechanism against forgery of electronic signatures with the original signing keys. It works for standard signatures based on the discrete logarithm problem, such as DSA. It requires only a slight modification of the signing device: an implementation of an additional hidden evidence functionality. We assume that the verification mechanism cannot be altered and that no extra fields can be added to the signature (neither as signed nor as unsigned fields). Therefore, the old software for signature verification can be used without any change. On the other hand, if a forged signature emerges, the signatory may prove its inconsistency with a probability close to 1.

Unlike fail-stop signatures, our method works not only against cryptanalytic attacks; it is primarily designed for the case when the adversary gets the original signing key stored by the signing device of the user. Unlike cliptographic constructions designed to defend against malicious implementations, we consider the catastrophic situation in which the key has already been compromised.

The technical idea we propose is an application of kleptography for good purposes. It is simple, efficient and almost self-evident, and thus ready for implementation on cryptographic smart cards of moderate storage and computational capabilities. Unfortunately, we must also point out that our scheme has a dark side: it can be used for leaking the keys via the recent subversion-resistant signatures by A. Russell, Q. Tang, M. Yung and H.Sh. Zhou.

Accepted for MYCRYPT'2016