|
Abstract : |
Digital signatures are necessary wherever legal certainty is to be achieved for digital message exchange. However, the unforgeability of conventional digital signatures is necessarily based on complexity theoretic assumptions. That is, even the most secure schemes can be broken by an adversary with unexpected computing abilities, e.g., one who can factor unexpectedly large numbers. Fail-stop signatures improve upon this: They are as unforgeable as the best conventional signatures; but if someone nevertheless succeeds in forging a signature, this can be proved by the supposed signer. Thus one can relieve him from the responsibility for this signature. Additionally, one should stop the scheme or increase the security parameters. As applications, mainly digital payment systems are discussed. The social and legal advantages of such a scheme are discussed, and a sketch of the construction of practical failstop signatures for this case is given (roughly three times the expenditure of a conventional signature scheme). 1. Overview To avoid misunderstanding, Section 2 contains a short explanation of important terms in their most common usage. Section 3 explains digital signatures in general. In Section 4, the problem with conventional digital signatures (i.e., those which are not fail-stop) is shown. Fail-stop signatures are introduced, and their general advantages discussed, in Section 5. Important applications are treated in Section 6, and general remarks on practicability are made in Section 7. Section 8 is an optional section with an overview over the construction of concrete fail-stop signatures. The paper ends with a recommendation for the near future (Section 9)., |
