Fail-stop

Schemes with special security properties such as fail-stop, dual, and information-theoretic security will be treated in detail later (starting in Chapter 3 and with an overview in Chapter 6) and are therefore not treated here.

Ever since the invention of digital signature schemes, it had been accepted that signers can only be secure in the computational sense and on cryptologic assumptions (see [DiHe76] and Section 2.3). One purpose of this work is to show that this need not be so, and to present several alternatives, in particular fail-stop signature schemes. 

It is clear from the description of the fail-stop property that fail-stop signature schemes contain at least two new components, in addition to those from Figure 2.2 ... 

The need for such a framework arose as follows in the context of a work whose original purpose was only to present fail-stop signature schemes and related schemes ... 

Secondly, so far, any new type of signature scheme that had a formal definition at all needed a completely new one, as explained with fail-stop signature schemes at the end of Section 3.2. This is unsatisfactory First, if they are all called signature schemes, they should have something in common, and secondly, new definitions in cryptology have turned out to be just as error-prone as new constructions. 

Hence the goal was one common definition that should at least cover the GMR definition, the schemes invented as ordinary digital signature schemes but not exactly fitting the GMR definition, and all the existing variants of fail-stop and invisible signature schemes, where existing means that a concrete construction has been proposed in the literature. Such a definition is sketched here. 

Multiple speciHcations, i.e., different specifications intended for different degrees of security, which would be redundant otherwise. For instance, with fail-stop signature schemes one first requires that no forgeries occur, but secondly, if a forgery occurs nevertheless, it should be provable. This makes sense because the second requirement is to hold on weaker assumptions than the first... 

The, fail-stop property is the only example of multiple specifications actually considered. 

So-called tranrfers of proofs of forgery are considered in the subsection on the fail-stop property. 

First, in the service of fail-stop signature schemes, the fact that a proof of forgery has occurred in the system is represented at the interface by acc= broken . 

A beautiful, but unrealistic variant would be that the court finds out exactly who has produced a forgery. Realistically, with implementations of fail-stop signature schemes where different parts rely on different assumptions, there can be an output parameter which assumption that distinguishes which assumption was broken. 

This combination occurs in some versions of fail-stop and dual signature schemes, see below. 

Moreover, the fail-stop property will only be used with two specific degrees of security low is on a cryptologic assumption and high information-theoretically . In principle, other combinations are also possible, for instance that low needs an upper bound on the number of attackers and high means that more attackers are tolerated. 

Figure 5.12. Requirements on the court s output in schemes with a fail-stop property.

The fail-stop property is stronger than both these types One can simulate ordinary security by identifying broken with TRUE and dual security by identifying broken with FALSE. 

At the top, the optimal situation is shown, where the court always decides correctly. Fail-stop security would therefore be placed in the middle of this diagram. 

In this subsection, a weaker version of the fail-stop property is explained. In the notation of Section 5.2.3, it yields a signature-like scheme with accountable centres. Such schemes are called fail-stop signature schemes with special risk hearers. Where a distinction is necessary, the real signature schemes with a fail-stop property as described above are called full fail-stop signature schemes, and their property a full fail-stop property. 

Thus the full fail-stop property is one where everybody is regarded as a risk bearer (except that they do not have special access points for their role as risk bearers then). The full fail-stop property is useful, for instance, if one wants unforgeability in the original sense, or if the system is completely stopped once the output broken occurs and everybody considers this a nuisance. 

The following requirements are stronger than the minimal ones for signature-like schemes with accountable centres. In particular, effectiveness of authentication is required even if all risk bearers are dishonest this is needed when schemes with one risk bearer are used as building blocks for full fail-stop signature schemes. 

Particularly efficient implementations of fail-stop and dual signature schemes (see Figure 5.12) and of the ordinary digital signature scheme GMR (see [FoPf91]) exist in this case. 

If a scheme has 2-party disputes, they are often non-interactive. However, no non-interactive 3-party dispute is known, i.e., none where the entities of the signer and the recipient each send a message to the court s entity in the first round and the court s entity immediately decides. Instead, as with fail-stop signature schemes, the... 

An example of this distinction in fail-stop signature schemes is given in Section 10.4. The related distinction between authentic and untrusted storage was made for incremental signature schemes [BeGG95]. One can also regard server-aided computation as related if the server is a larger untrusted device of the same user. 

Primarily, the two requirements on disputes are considered (and related additional requirements, such as fail-stop properties), and only information-theoretic and computational security are distinguished. Unforgeability, as mentioned, is a consequence of these two requirements. The other requirements are usually ftilfilled information-theoretically. 

---