WO2022071889A1

WO2022071889A1 - Methods and apparatus for message authentication

Info

Publication number: WO2022071889A1
Application number: PCT/SG2021/050594
Authority: WO
Inventors: Zheng Yang; Jianying Zhou
Original assignee: Singapore University Of Technology And Design
Priority date: 2020-10-01
Filing date: 2021-10-01
Publication date: 2022-04-07

Abstract

Disclosed is a method for digitally signing a message. The method includes an initialization process that comprises generating a secret key and a public key using a key generator of a chameleon hash function, and generating a plurality of single-use verify points using the chameleon hash function. Each verify point is a chameleon hash of a random message and one of a sequence of random values. The process further includes storing signing data comprising the secret key, the random message, and a first random value of the sequence, and storing verification data that comprises the verify points and the public key.

Description

METHODS AND APPARATUS FOR MESSAGE AUTHENTICATION

TECHNICAL FIELD

The present disclosure relates to methods and apparatus for digitally signing and authenticating messages.

BACKGROUND

Cyber-Physical Systems (CPS) integrate various cyber computation, physical devices, and networking technology to control physical processes through data exchange in real-time. CPS are expected to become highly pervasive in society. CPS devices are already widely used in navigation systems, smart grids, and smart city application domains. However, due to the limitation in both computation and storage, many modern cryptographic schemes cannot run on CPS devices, which results in serious security and privacy issues. It is thus critically important to ensure that the data that comes from CPS devices has not been changed by attackers.

One common way to protect the authenticity and integrity of a message is to use a message authentication code (MAC). A MAC allows the verifier (who possess a shared key with the message sender) to detect any change to the message content. However, a MAC has a potential security risk: when the key stored by the verifier gets leaked, all the future message authentication codes may be compromised. It should be noted that, in more physically isolated CPS, like nuclear plants and manufacturing systems, the verifiers (servers) are actually more vulnerable to cyber-attacks than CPS devices. This is because they are connected to enterprise networks or even to the Internet. For example, the famous Stuxnet worm compromised the engineering workstations first in Iranian nuclear plants before it got a footprint in the controller systems.

Another known way is to use cryptographic digital signatures, which allow receivers to verify the origin of a message using a 'public' key so that it can be secure in a verifier breach. Although there are many online efficient (computationally secure) digital signature schemes, such as the EIGamal signature and Schnorr signature, they require expensive cryptographic operations like modular exponentiation which are too complex for resource- constrained CPS devices.

To make a digital signature scheme deployable on constrained devices, an online/offline signature paradigm has previously been proposed. In this paradigm, a trusted and powerful server is used to pre-compute some expensive operations in an offline phase, so that the signer does not need to perform complex operations. However, the signer needs to securely store a large number of private intermediate values D generated by the server, and the size of D has a linear relation with the number of signatures to be signed.

It has been suggested that the offline phase for computing D can be carried out either during the device manufacturing process or by the device itself as a background computation. However, neither of these two ways of generating D is suitable for CPS. The first solution requires a large amount of storage overhead on the device (e.g., 97MB for seven-day usage with a message rate at 1 second per message). This is generally infeasible on CPS devices. Although some sorts of replenishment of D might be possible, it may interrupt the normal operation and communication of the CPS devices, which need to keep sending data measured in real-time. The second solution demands a lot of computational power and idle time on the device side. However, CPS devices keep generating data at a fast pace, so there is no enough idle time for them to compute these operations in the background. For example, in an automatic identification system used on ships, each time slot for sending a message is just 26.66 milliseconds, which is too short for an exponentiation operation on an embedded device.

SUMMARY

Disclosed is a method for digitally signing a message, comprising: an initialization process that comprises: generating a secret key and a public key using a key generator of a chameleon hash function; generating a plurality of single-use verify points using the chameleon hash function, wherein each verify point is a chameleon hash of a random message and one of a sequence of random values; storing signing data comprising the secret key, the random message, and a first random value of the sequence; and storing verification data that comprises the verify points and the public key.

The method may further comprise a signing process that comprises: retrieving the stored signing data; generating a digital signature by computing a collision of the chameleon hash function based on the secret key, a current random value of the sequence, the random message, and message data comprising the message; wherein if no message has previously been signed, the current random value is the first random value; determining a next random value of the sequence based on the current random value; and setting the current random value to the next random value.

The sequence may be obtained by recursive application of a universal hash function beginning with the first random value, and wherein the signing data comprises a hash key of the universal hash function.

The digital signature may be computed as: x; = M • sk_CH + r' - m • sk_CH (mod q), where M is the random message, sk_CH is the private key, r' is the next random value, m is the message data, and q is a large prime number.

The method may further comprise storing the single-use verify points in a Bloom filter; whereby the verification data comprises the Bloom filter.

The method may comprise transmitting the verification data to a verifier. The initialization process may comprise re-initializing the Bloom filter by transmitting a re-initialization request to a trusted server to cause the trusted server to compute a new set of single-use verify points using the chameleon hash function. The trusted server may be the verifier.

The message data may comprise a hash of a concatenation of the message and a random value, and wherein the hash is generated by an additional hash function.

Also disclosed herein is an apparatus for digitally signing a message, comprising : storage; and at least one processor in communication with the storage; wherein the storage has stored thereon instructions for causing the at least one processor to carry out an initialization process that comprises: generating a secret key and a public key using a key generator of a chameleon hash function; generating a plurality of single-use verify points using the chameleon hash function, wherein each verify point is a chameleon hash of a random message and one of a sequence of random values; storing signing data comprising the secret key, the random message, and a first random value of the sequence; and storing verification data that comprises the public key The instructions may further comprise instructions for causing the at least one processor to carry out a signing process that comprises: retrieving the stored signing data; generating a digital signature by computing a collision of the chameleon hash function based on the secret key, a current random value of the sequence, the random message, and message data comprising the message; wherein if no message has previously been signed, the current random value is the first random value; determining a next random value of the sequence based on the current random value; and setting the current random value to the next random value.

The initialization process may comprise generating the sequence by recursive application of a universal hash function beginning with the first random value, and wherein the signing data further comprises a hash key of the universal hash function.

The signing process may comprise computing the digital signature as: x-. - M • sk_CH + r' - m - sk_CH (mod q); where M is the random message, sk_CH is the private key, r' is the next random value, m is the message data, and q is a large prime number.

The initialization process may further comprise storing the single-use verify points in a Bloom filter, whereby the verification data further comprises the Bloom filter.

The initialization process may comprise transmitting the verification data to a verifier device.

The initialization process may comprise re-initializing the Bloom filter by transmitting a reinitialization request to a trusted server to cause the trusted server to compute a new set of single-use verify points using the chameleon hash function.

The trusted server may be the verifier device.

Also disclosed is a non-transitory computer-readable storage having stored thereon instructions for causing at least one processor to carry out a method as described above. BRIEF DESCRIPTION OF THE DRAWINGS

Some embodiments of a method and a system for in accordance with present teachings will now be described, by way of non-limiting example only, with reference to the accompanying drawings in which:

Figure 1 is a schematic diagram of data flows in an example method of digitally signing messages;

Figure 2 is a flow diagram of an example initialization process of the method of Figure 1; Figure 3 is a flow diagram of an example signing process of the method of Figure 1;

Figure 4 is a flow diagram of an example verification process of the method of Figure 1;

Figure 5 shows pseudocode of a first example set of algorithms for initializing a digital signature scheme, digitally signing messages, and verifying the digital signatures;

Figure 6 is a flow diagram of another example initialization process of the method of Figure 1;

Figure 7 is a flow diagram of another example signing process of the method of Figure 1; Figure 8 is a flow diagram of another example verification process of the method of Figure 1;

Figure 9 shows pseudocode of a second example set of algorithms for initializing a digital signature scheme, digitally signing messages, and verifying the digital signatures;

Figure 10 is a schematic diagram of an example system for server-aided replenishment of verification keys;

Figure 11 is a schematic diagram of an example system for verifier self-replenishment of verification keys; and

Figure 12 shows pseudocode of alternative verification algorithms with verifier selfreplenishment of verification keys.

DETAILED DESCRIPTION

The present disclosure relates to lightweight digital signature methods that can be implemented in resource-constrained devices, such as sensors and other components of cyber-physical systems. Embodiments may find application in a wide variety of contexts, such as authentication of GPS/GNSS signals and messages in satellite systems, automatic identification systems (AIS) used in the maritime field, and integration into firmware of programmable logic controllers (PLCs) and sensors of critical infrastructure systems such as smart grids, water plants, and transportation systems. Embodiments make use of chameleon hash functions (CHF), in particular the computation of collisions thereof, to generate digital signatures. Although it is known for chameleon hashes to be used in cryptographic protocols, existing applications require the (message) sender to compute the hash value of the CHF, which involves two expensive exponentiation operations. In contrast, the present disclosure uses the chameleon hash function in a different way, by leveraging the collision generation function to generate the signatures. This makes the signing procedure much more efficient.

Embodiments of the present disclosure provide digital signature methods that are optimized for the signer, in terms of both computation overhead and storage overhead. The signer only needs to store a constant-sized signing key which does not need to be replenished, for continuous and uninterrupted message authentication.

The following discussion of notation and cryptographic primitives will be useful for understanding of the present disclosure.

The security parameter is denoted by K, the empty string by Φ, and the set of integers

$ between 1 and n by [n] = {l,...,n} e ra. If x is a set, then x <- x denotes the action of

$ sampling a uniformly random element from X. If x is a probabilistic algorithm, then x <- x denotes that x is run with fresh random coins and returns x. Let II be an operation to concatenate two strings, | • | be an operation to get the bit-length of a variable, and # be an operation to get the number of elements in a set.

A universal hash function (UH) family: , refers to a family of hash

functions which guarantees a low number of collisions in expectation even, where and R_UH, are the key, message and output space of UH, respectively. These

spaces are determined by the security parameter K.

A set of hash functions UH is a universal hash function family if: i) we uniformly choose a hash function UHF ∈ UH by sampling a random hash key

ii) v(x,y) e M_UH we have the probability

An important cryptographic primitive that will be used herein is a chameleon hash function. A chameleon hash function CH(pfc,-,-): is associated with

a pair of keys consisting of public key and private key , where

are public and private key spaces, respectively. is the message space,

5?CH is the randomness space and I/CH is the output space. These public/secret key pairs $ are generated by a PPT algorithm (pfc.sfc) «- CHKGen(l^K). If the key is clear from the context, we will write CH(m,r) for CH(pfc, m,r).

A hash value generated by CH(m,r) on input of a message m and a random string r satisfies the following properties:

• Collision resistance. There is no efficient algorithm that on input of the public key pk can output two pairs (m_1; rj and (m₂, r₂) such that mj + m₂ and CHCmprj) = CH(m₂,r₂), except with negligible probability in the security parameter K.

• Trapdoor collisions. There exists an efficient deterministic algorithm CHColl that on input of the secret key sfc, and (r,m,m') outputs a value r'

SUCh that CH(pfc, m,r) — C

• Uniformity. For an arbitrary public key pk output by CHKGen, all messages m e M_CH generate equally distributed hash values CH(m,r) when drawing uniformly

at random. This property ensures that a third party is unable to examine the value hash from deducing any information about the hashed message.

A digital signature scheme SIG may be identified with three probabilistic polynomial time (PPT) algorithms (KGen, Sign, Verify). It is assumed herein that a signature scheme is associated with public and secret key spaces message space and

signature space S_SIG in the security parameter K. The bit length of the space J 'i_s is denoted by which is determined by K. The algorithms of SIG may be defined as follows:

• This algorithm takes as input the security parameter 1^K , the

maximum number € of signatures that SIG can generate, and an auxiliary input aux, and generates the secret key sk and the verification key vk.

• Sign(sfc,m): This is the signing algorithm that generates a

• signature for a message with the signing key sk.

• Verify(vfc,m,o): This is the verification algorithm that takes as input a verification key vk, a message m and a signature σ, outputs 1 if a is a valid signature for m under vk, and 0 otherwise.

A Bloom filter (BF) is a probabilistic data structure that provides space-efficient storage of a set and that can efficiently test whether an element is a member of the set. The probabilistic property of BF may lead to false positive matches, but not false negatives. The more elements that are in the BF, the higher the chance to get a false positive match insertion. To reduce the false positive rate, the approach set out in A. Pagh et al. ("An optimal Bloom filter replacement", in SODA '05: Proceedings of the sixteenth annual ACM- SIAM symposium on discrete algorithms, January 2005, pages 823-829) can be followed, i.e., a BF with i.44dv bits for a set with size N has a false positive rate (FPR) of 2 - e.

In some embodiments, a Bloom filter has the following algorithms:

• /nit(A/,e): On input of a set of size N, the initialization algorithm initiates the Bloom filter of bit length 1.44dV.

• lnsert(m): Element insertion algorithm takes an element m as input, and inserts m into BF.

• Check(m) : Element check algorithm returns 1 if an element m is in BF, and 0 otherwise.

• Pos(m) : Position update algorithm computes positions to be changed for element m in BF.

Figure 1 shows a schematic depiction of entities carrying out processes in a digital signature scheme, and the data flows between them. Messages are digitally signed by a signer device 102 using a chameleon hash function (as will be described in more detail below) and are transmitted with the corresponding generated signature to a verifier device 104. The verifier receives messages and their signatures, and validates the signatures using previously generated verification data, e.g. stored in a Bloom filter, and the chameleon hash function.

The signer device 102 and the verifier device 104 may each be any device having at least one processor in communication with storage that is capable of storing instructions (in the form of program code) and data for carrying out the functions described herein. For example, the signer device 102 may be a sensor, actuator, or other component of a cyber- physical system. Likewise, the verifier device 104 may be a sensor, actuator, or other component of a cyber-physical system. In addition to validating messages received from signers 102, verifier devices 104 may themselves act as signers. In this way, in a cyber- physical or other networked system that has multiple components in communication with each other, the various components have the ability to securely send and receive messages from each other.

Before signing any messages, the signer 102 conducts an initialization process to generate data that are required for signature generation. In some embodiments this process is conducted by or in conjunction with a key generation center (KGC) 106. The KGC 106 may be synonymous with the signer 102, or may be in communication with the signer 102 over a secure channel 108. The KGC 106 may also be in communication with the verifier 104, or with another networked device such as a public server that is accessible by the verifier 104.

Referring now to Figures 2 to 5, a first example of a digital signature scheme will be described. This first example is referred to herein as LiSi (Lightweight Signature 1).

Figure 2 shows steps of an example initialization process 200. Pseudocode for implementing at least some of these steps is also shown in the left panel of Figure 5. The process 200 may accept as input a security parameter 1^K, a maximum number

of signatures to generate, and an auxiliary parameter aux. For example, aux may contain the "false positive parameter" e of the Bloom filter (see above).

In the following discussion it will be assumed that the initialization process 200 is performed by the signer 102. However, it will be appreciated that process 200 may instead be performed by KGC 106, or jointly by signer 102 and KGC 106.

The process 200 starts at 202 with a key generation step 202. The key generation step 202 comprises the signer running a key generation algorithm of a chameleon hash function, to generate a secret key/public key pair.

Next, at step 204, the signer 102 generates random data. The random data comprises a random key

for a universal hash function UHF, a random message M and

an initial random value . The secret key sk_CH generated at step 202, and the random data may then be sent as data over secure channel 108 to signer

102, which stores these values. This transmission step is of course not needed if signer 102 performs steps 202 and 204.

At step 206, the signer 102 may initialize a Bloom filter BF of size and false positive

parameter e (as obtained from aux),

At step 208, the signer 102generates a chain of random values of size

using the initial random value

and the universal hash function UHF. This is done by recursive application of UHF using the random key generated at step 204, i.e.

Next, at step 210, signer 102 checks whether there are any duplicated values in the chain

If so, the process 200 returns to 202 to re-generate the key pair for the chameleon hash function. If not, the process 200 continues to 212. At 212, the signer 102 generates a set of verify points

= and these

are stored for future use. The verify points t, may then be inserted into the Bloom filter BF, at step 214.

Next, at step 216, the first random value of the chain is obtained to use for signing

messages, and is stored by signer 102 as a current random value r' .

At step 218, the Bloom filter BF, and the public key

is published for use by potential verifiers 104. For example, the signer 102 may push the Bloom filter BF and public key to all verifiers 104 individually, or may publish them to a public server that is accessible by verifiers 104. The verifiers 104 may then pull the data from the public server, for example on a periodic basis.

The initialization process 200 is typically performed on a single-time basis for each signer 102. Once completed, the signer 102 is then able to sign messages m. High-level steps of an example signing process 300 are shown in Figure 3, and corresponding pseudocode corresponding to at least some of these steps is shown in the middle panel of Figure 5.

At step 302, the signer 102 first retrieves the stored signing data .

At step 304, the current random value in the chain of random values is obtained. Typically this will be by retrieving the value r' previously stored by the signer 102. If the signer 102 has not signed any messages since initialization 200, this will be the first random value

At step 306, signer 102 generates the signature for the message m by computing a collision for the chameleon hash function. The collision is computed as

The value x can be used as the digital signature for m due to the

trapdoor collisions property of chameleon hash functions.

At step 308, the next random value in the chain is computed by applying the universal hash function to the current random value, The current random value is

then set as the computer next random value, i.e. the value r' is stored as the current random value. It will be appreciated that this step may be performed at any time before the next message authentication is to be carried out, i.e. it does not need to be performed after computation of the digital signature.

The message m and its signature x are then sent to verifier 104, at step 310. High-level steps of an example verification process 400 conducted by verifier 104 are shown in Figure 4, and corresponding pseudocode in the right-hand panel of Figure 5.

At step 402, the verifier 104 receives the message m and signature x from signer 102.

At step 404, the verifier 104 computes a chameleon hash of the message m over the signature x, t = CHF(m, x).

At step 406, the verifier 104 checks whether the chameleon hash t is in the Bloom filter BF, BF. Check (t). Bloom filter BF may be locally stored at the verifier 104 for this purpose, for example.

In some embodiments, to obtain better online efficiency, the signer 102 could compute the universal hash operations offline (or during its idle time). Of course, the signer 102 can also pre-compute and cache many such universal hash values as online/offline signature schemes. Then the signer 102 only needs to run CHColl in the online signing phase, and therefore the signing algorithm could be approximately 2x faster.

Referring now to Figures 6 to 9, a second example of a digital signature scheme will be described. This second example is referred to herein as LiS₂. LiS₂ can resist adaptively chosen message attacks. LiS₂ can be considered to be derived from LiSi by using an additional cryptographic hash function h1 {0,1}* -> which will be modeled as a random

oracle. Hence LiS₂ can be used to authenticate a message with an arbitrary size, unlike LiS₁, which is constrained by the size of

Let be the randomness used in

this construction. Additionally, the universal hash function is replaced with another hash function

In some embodiments, h₁ and h₂ may both be an algorithm such as SHA2.

Figure 6 shows steps of an example initialization process 500 of the second example digital signature scheme. Pseudocode for implementing at least some of these steps is also shown in the left panel of Figure 9. The process 500 may accept as input a security parameter 1^K, a maximum number

of signatures to generate, and an auxiliary parameter aux. For example, aux may contain the "false positive parameter" of the Bloom filter (see above).

In the same way as for process 200, the initialization process 500 may performed by the KGC 106, by signer 102, or jointly by signer 102 and KGC 106. The below discussion assumes that the signer 102 performs all of the steps. The process 500 starts at 502 with a key generation step 502. The key generation step 502 comprises running a key generation algorithm of a chameleon hash function,

to generate a secret key/public key pair.

Next, at step 504, the signer 102 generates random data. The random data comprises a random key and a random message

KGC 106 also initializes two

cryptographic hash functions

At step 506, the signer 102 may initialize a Bloom filter BF of size and false positive parameter (as obtained from aux), BF.Init

At step 508, for the signer 102 generates a sequence of dummy random values

using hash function h₂ such that

At step 512, the signer 102 generates a set of verify points

and these are stored for future use. The verify points t, may then be inserted into the Bloom filter BF, at step 514.

Next, at step 516, the signer 102 initializes a counter ent = o to count the number of generated signatures. As a final outcome of process 500, the (secret) signing data to be used by signer 102 are

and the (public) verification data to be used by verifier 104 are

. The verification data are published at step 518, and again this may be directly from KGC 106 or signer 102 to verifiers 104, or via an intermediate (public) server.

High-level steps of an example signing process 600 are shown in Figure 7, and corresponding pseudocode corresponding to at least some of these steps is shown in the middle panel of Figure 9.

At step 602, the signer 102 first retrieves the stored signing data

At step 604, the signer 102 samples a random value

that will be used in later computation of the chameleon hash. At step 606, a current random value in the sequence of random values is obtained. This is done by computing a hash The counter is also updated, i.e. ent = ent +

1.

At step 608 the signer 102 computes a message hash

At step 610, signer 102 generates the signature for the message m by computing a collision for the chameleon hash function. The collision is computed as

The value x can be used as the digital signature for m due to the trapdoor collisions property of chameleon hash functions.

The message m and its signature x, and the sampled value N, are then sent to verifier 104, at step 614.

High-level steps of an example verification process 700 conducted by verifier 104 are shown in Figure 8, and corresponding pseudocode in the right-hand panel of Figure 9.

At step 702, the verifier 104 receives the message m and signature x and the sampled value N from signer 102.

At step 704, the verifier 104 computes a message hash

and then computes a chameleon hash of the message hash over the signature

At step 706, the verifier 104 checks whether the chameleon hash t is in the Bloom filter BF, BF. Check (t). Bloom filter BF may be locally stored at the verifier 104 for this purpose, for example.

Some specific instantiations of hash functions will now be described in further detail. In the following, let p and q be two large prime numbers, such that p = u • q + 1 where u is a small integer.

In some embodiments, the universal hash function used in the above processes may be instantiated by a Multiply-modular scheme such as that disclosed in L. Carter and M. Wegman (1979), "Universal Classes of Hash Functions", J.Comp.Sys.Sci 18(2), pages 143- 154, the entire contents of which are incorporated by reference. In such embodiments, the key

consists of two group elements

Given a message m, the hash function evaluates the hash value

The original chameleon hash function was based on a discrete logarithm approach and was as follows:

• The key generation algorithm samples random group generator

and a secret key

and computes the public key

•

The evaluation algorithm takes as input a public key p a

message

and a randomness and outputs a hash value y. -

• an efficient deterministic collision algorithm CHColl takes as

input the secret key

To improve the performance of this original algorithm, embodiments of the present disclosure make use of a modified algorithm as follows:

•

The key generation algorithm samples random group generator g of order q in and a secret key , and computes the public key

•

The evaluation algorithm takes as input a public key

a message

and a randomness , and outputs a hash value

Accordingly, the places of m and r are switched relative to the original algorithm.

•

an efficient deterministic collision algorithm CHColl takes as input the secret key

and outputs a value

It will be apparent that the signer 102 can pre-compute

and store it instead of M. Accordingly, this value only needs to be retrieved from memory, and not computed, during signature generation.

Due to the above modification to the original chameleon hash algorithm, the following major performance optimization is obtained: one big-number division is reduced. This provides significant performance improvement for a resource-constrained device since the cost of a big-number modular division is close to a hash operation.

One limitation of a pre-computation strategy for providing verify points is that the precomputed verification keys will be used up eventually. To overcome this limitation and support unlimited message authentication, some embodiments of the present disclosure provide a mechanism to re-initialize the verification key. It is possible to refresh only the verification key without modifying the secret/public key pair, so that services running on the signer 102 will not be interrupted at all.

One possibility is to let the signer 102 initialize a new Bloom filter instance BF' with

chameleon hash values which are generated based on the initial seed

and M as in LiS₁.KGen (Figure 5). To this end, signer 102 has to send BF' to the verifiers 104 together with a signature that can be verified by the current verification key. However, this solution requires the signer 102 to run the expensive key generation algorithm, and thus, may not be favorable in practice.

To free the signer 102 from updating the verification key, the present disclosure contemplates two possibilities.

Server-aided Replenishment (SAR): The signer 102 can outsource the re-initialization job for the new Bloom filter instance BF' to a trusted server (which is not the verifier 104). For example, the trusted server can be KGC 106 as shown in Figure 11. Then, the outsourcing server 106 that knows the dummy randomness/message pair

and the key fc of the universal hash function can compute those chameleon hash values for the signer 102 without any interaction. The signer 102 does not need to get involved in the verification key update, and it can keep using its signing key to sign future messages continuously.

The outsourcing server (e.g. the key generation center 106) only needs to periodically publish a new BF' together with the server's signature to a public bulletin 112, which can be downloaded by the public. Nothing needs to be changed on the signer 102 side. Hence, the signer 102 and the verifier 104 can run in parallel as long as the replenishment of the verification key is in time before the old verification key becomes invalid.

Verifier Self-replenishment (VSR): If the verifier 104 is trustworthy (not controlled or compromised by an adversary), then we can allow the verifier to possess for

signature verification. In this way, the verifier 104 can replenish its own verification keys regularly.

In particular, in a cyber-physical system, it is common that the messages are sent on a regular basis with a fixed time period. Thus, this can be exploited to develop a simplified verification algorithm. In the model, all messages can be considered to be associated with a monotonically increasing time-stamp, and the verification algorithm can be simplified (to reduce the storage cost) to enable the verifier 104 to have a small and constant storage cost. Let T_m denote a time-stamp that is in the message m, and let

be the time when the last valid signature is received. stands for the fixed time slot between two consecutive messages sent from the signer 102. An overview is shown in Figure 12 and pseudocode for the modified verification processes for LiS₁ and LiS₂ are shown in Figure 10. Note that the Bloom filter is not needed in both Setup and Verify algorithms anymore, and thus the size of the verification key does not depend on and becomes a constant.

Furthermore, to modify LiS₂, the signer 102 needs to include the counter ent as part of the message, and it computes

in the Sign algorithm. Since r' or fc needs to be kept secret, the modified algorithms will not be able to provide public verifiability, and it can only be verified by a group of trusted verifiers.

The modified algorithm may be well suited to a cyber-physical system scenario (e.g., smart grid and manufacturing systems) where the verifier 104 needs to continuously monitor the status (and data) of the signer 102 (e.g., a sensor), and the verifiers 104 are only a few pre-known and trusted machines. In this scenario,

can be considered as the maximum number of signature failures (including signature loss and signature verification fails) that the verifier can tolerate between the last valid time T_l and the current time T_c. For a real-time monitoring system in a CPS,

should be small. Note that the KGen algorithm can be modified to let the KGC 106 and the verifier 104 store instead of

for both security and efficiency reasons. This change can hide the value of M from the adversary, and therefore, an adversary who compromised the KGC 106 or the verifier 104 cannot extract the secret key sk_CH with knowing M.

The first replenishment solution SAR is more appealing and practical than the naive solution since it does not need to interact with the signer 102 for replenishment. For example, a maritime transport company can periodically replenish the verification keys for ships in the sea every day. The second replenishment solution VSR can be used when the signature schemes are deployed within a factory or enterprise, which has trustworthy verifiers and does not need public verifiability.

Based on the above replenishment scenarios, the message authentication power of the signer 102 in the presently disclosed signature schemes can be unlimited. Besides, due to this replenishment property, a smaller can be used, to reduce the size of the verification

key.

Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention. Throughout this specification, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps.

The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Claims

1. A method for digitally signing a message, comprising: an initialization process that comprises: generating a secret key and a public key using a key generator of a chameleon hash function; generating a plurality of single-use verify points using the chameleon hash function, wherein each verify point is a chameleon hash of a random message and one of a sequence of random values; storing signing data comprising the secret key, the random message, and a first random value of the sequence; and storing verification data that comprises the verify points and the public key.

2. A method according to claim 1, further comprising a signing process that comprises: retrieving the stored signing data; generating a digital signature by computing a collision of the chameleon hash function based on the secret key, a current random value of the sequence, the random message, and message data comprising the message; wherein if no message has previously been signed, the current random value is the first random value; determining a next random value of the sequence based on the current random value; and setting the current random value to the next random value.

3. A method according to claim 1 or claim 2, wherein the sequence is obtained by recursive application of a universal hash function beginning with the first random value, and wherein the signing data comprises a hash key of the universal hash function.

4. A method according to any one of claims 1 to 3, wherein the digital signature is computed as: x; = M • sk_CH + r' - m • sk_CH (mod q), where M is the random message, sk_CH is the private key, r' is the next random value, m is the message data, and q is a large prime number.

5. A method according to any one of claims 1 to 4, further comprising storing the single-use verify points in a Bloom filter; whereby the verification data comprises the Bloom filter.

6. A method according to any one of claims 1 to 5, comprising transmitting the verification data to a verifier.

7. A method according to claim 5 or claim 6, wherein the initialization process comprises re-initializing the Bloom filter by transmitting a re-initialization request to a trusted server to cause the trusted server to compute a new set of single-use verify points using the chameleon hash function.

8. A method according to claim 7, wherein the trusted server is the verifier.

9. A method according to any one of claims 1 to 8, wherein the message data comprises a hash of a concatenation of the message and a random value, and wherein the hash is generated by an additional hash function.

10. Apparatus for digitally signing a message, comprising : storage; and at least one processor in communication with the storage; wherein the storage has stored thereon instructions for causing the at least one processor to carry out an initialization process that comprises: generating a secret key and a public key using a key generator of a chameleon hash function; generating a plurality of single-use verify points using the chameleon hash function, wherein each verify point is a chameleon hash of a random message and one of a sequence of random values; storing signing data comprising the secret key, the random message, and a first random value of the sequence; and storing verification data that comprises the public key

11. Apparatus according to claim 10, wherein the instructions further comprise instructions for causing the at least one processor to carry out a signing process that comprises: retrieving the stored signing data; generating a digital signature by computing a collision of the chameleon hash function based on the secret key, a current random value of the sequence, the random message, and message data comprising the message; wherein if no message has previously been signed, the current random value is the first random value; determining a next random value of the sequence based on the current random value; and setting the current random value to the next random value.

12. Apparatus according to claim 10 or claim 11, wherein said initialization process comprises generating the sequence by recursive application of a universal hash function beginning with the first random value, and wherein the signing data further comprises a hash key of the universal hash function.

13. Apparatus according to any one of claims 10 to 12, wherein said signing process comprises computing the digital signature as:

where M is the random message, sk_CH is the private key, r' is the next random value, m is the message data, and q is a large prime number.

14. Apparatus according to any one of claims 10 to 13, wherein said initialization process further comprises storing the single-use verify points in a Bloom filter; whereby the verification data further comprises the Bloom filter.

15. Apparatus according to any one of claims 10 to 14, wherein said initialization process comprises transmitting the verification data to a verifier device.

16. Apparatus according to claim 14 or claim 15, wherein the initialization process comprises re-initializing the Bloom filter by transmitting a re-initialization request to a trusted server to cause the trusted server to compute a new set of single-use verify points using the chameleon hash function.

17. Apparatus according to claim 16, wherein the trusted server is the verifier device.

18. Apparatus according to any one of claims 10 to 17, wherein the message data comprises a hash of a concatenation of the message and a random value, and wherein the hash is generated by an additional hash function. 21 Non-transitory computer-readable storage having stored thereon instructions for causing at least one processor to carry out a method according to any one of claims 1 to 9.