DocumentCode
3058452
Title
An Optimized Double Cache Technique for Efficient Use of Forward-secure Signature Schemes
Author
Berbecaru, Diana ; Albertalli, Luca
Author_Institution
Politecnico di Torino, Turin
fYear
2008
fDate
13-15 Feb. 2008
Firstpage
581
Lastpage
589
Abstract
The greatest threat against the security of a digital signature scheme is the exposure of the secret (signing) key, due to the compromise of the security of the underlying system or machine storing the key. This attack is known as a key exposure attack, and hypothetically any security service that is provided via an online server digitally signing data in real time (e.g. a timestamping server) is exposed to such an attack. In this paper we take one step forward towards optimizing the usage of Forward Secure Signature (FSS) schemes on a large scale to mitigate key exposure attacks. First of all, we have performed extended tests with the already implemented OpenSSL-based libfss library, which supports several generic FSS schemes, such as the ISum, BMTree or MMM schemes. We observed that one critical phase is the key update phase, which typically requires a large amount of time and resources. Thus, we propose an optimization technique for the ISum scheme's implementation (named double cache updating technique), which makes use of two dedicated caches: one for the keys and one for the intermediate (hash) nodes. The results obtained are encouraging since the proposed double cache technique provides a constant key update time and a low memory footprint.
Keywords
cache storage; digital signatures; ISum scheme; OpenSSL-based libfss library; digital signature; double cache updating technique; forward secure signature; forward-secure signature scheme; key exposure attack; optimization technique; optimized double cache; secret signing key; security service; Authentication; Communication system security; Data security; Digital signatures; Frequency selective surfaces; Large-scale systems; Libraries; Performance evaluation; Real time systems; Testing; backward secrecy; double cache technique; generic FSS schemes;
fLanguage
English
Publisher
ieee
Conference_Titel
Parallel, Distributed and Network-Based Processing, 2008. PDP 2008. 16th Euromicro Conference on
Conference_Location
Toulouse
ISSN
1066-6192
Print_ISBN
978-0-7695-3089-5
Type
conf
DOI
10.1109/PDP.2008.64
Filename
4457173