WO2000049768A1 - Method for signature splitting to protect private keys - Google Patents


Info

Publication number
WO2000049768A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
subkeys
private
partial
group
Prior art date
Application number
PCT/IB1999/000281
Other languages
French (fr)
Inventor
Thomas Mittelholzer
Original Assignee
Thomas Mittelholzer


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127Trusted platform modules [TPM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/68Special signature format, e.g. XML format

Definitions

  • the signature mapping ⁇ m is given by
  • step (a) which does not depend on the private key x, is performed as in the ElGamal scheme and the signature splitting is applied to step (b) .
  • X S
  • a possible splitting rule for the message dependent value b is given by the splitting rule for the private subkeys as specified in the Subkey Generation Phase .
  • the DSA of the DSS as described in FIPS 186 ("Digital Signature Standard", Federal Information Processing Standards Publication 186, U.S. Department of Commerce/N.I.S.T.
  • the signature splitting can be carried out in a similar way as in the ElGamal scheme.
  • the Schnorr signature scheme (US 4 995 082) is a variant of the ElGamal scheme.
  • β is now a generator of a large subgroup of the multiplicative group of GF(q).
  • β generates a group isomorphic to Z_u, where u divides q-1.
  • the signature for m consisting of the pair (e,s), is obtained by carrying out the following steps.
  • (a') Compute in GF(q), where k is a randomly chosen element of Z_u.
  • step (b) one needs only the values r_i and the message m as input.
  • the random elements k_i can be generated and kept on the same separate storage and computing devices as the private subkeys x_i and these elements never need to leave these separate devices.
  • the Nyberg-Rueppel signature scheme (cf. K.Nyberg, R.Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Designs, Codes and Cryptography, 7, 1996, pp. 61 - 81) is another variant of the ElGamal scheme, where GF(q) is a prime field, i.e., q is a prime.
  • the key group X consists of a large subgroup Z_u, where u divides q-1.
  • the key pair (x,y) is defined as in the Schnorr scheme.
  • a redundancy function p is used, which is applied to a set of allowed messages. A message m from this set is signed by carrying out the following steps.
  • the signature consists of the pair (e,s).
  • step (a'') is performed as is.
  • the splitting method is applied to both step (b'') and (d'').
  • step (b''), one uses the splitting method for the random element k as described in the Schnorr based SSS (cf. equation (7)) and generates the pairs (k_i, r_i), where r- j ⁇ -- ⁇ ! .
  • ElGamal based digital signatures schemes can also be de- fined over elliptic curves.
  • a large cyclic subgroup U of an elliptic curve C which itself forms a group with additive group operation • .
  • the sub- group U is generated by some generator ⁇ , which is a point of the elliptic curve C.
  • u denote the order of the subgroup U.
  • the Subkey Generation Phase consists of two steps.
  • the 4 shares are stored on separate devices.
  • the signature splitting is characterized by the pairs of partial signature values
  • a t-out-of-w Secret Sharing Scheme where the secret x is split into w shares x_i lying in a subkey group X' with group operation +', can be characterized by requiring that there exist reconstruction functions f_{i1 i2 ... it} from the t-fold direct product X'×X'×...×X' into the key group X for any t-element subset i_1, i_2, ..., i_t such that x = f_{i1 i2 ... it}(x_{i1}, x_{i2}, ..., x_{it}).
  • the Secret Sharing Scheme is compatible with the signature scheme if, for almost all messages m, there exists a homomorphism ψ'_m from the subkey group X' to the monoid S' that is compatible with ψ_m, i.e., for every t-tuple (v_1, v_2, ..., v_t) in X'×X'×...×X' the following equation in S must hold

Abstract

A method for splitting digital signature algorithms is described that can increase the protection of the private key x of the user of an asymmetric key pair (x, y). In an initialization phase, the private key is split into private subkeys. The actual signature splitting method consists of two steps. In a first step (204), partial signature values are computed from the message m to be signed and the subkeys without using the initial private key x. In a second step (206), these partial signature values are combined to form the complete digital signature. To increase the security of the private key x, the private subkeys and the algorithms to compute the partial signature values can be stored and implemented on separate tamper-resistant devices. When a proper subset of the private subkeys becomes compromised, new private subkeys can be generated without having to change the original key pair (x, y).

Description

Method for Signature Splitting to Protect Private Keys
Technical Field
The present invention relates to a method and apparatus for generating a digital signature according to the preamble of the independent claims.
Background Art
In a Public-Key Crypto System (PKCS) each user has one or more key pairs (x,y) consisting of a private key x and a corresponding public key y (cf. Handbook of Applied Cryptography by A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, CRC Press, 1997, ISBN 0-8493-8523-7). The public key is made available to all users of the PKCS in such a way that the authenticity of the link between a user - which is characterized by a distinguished name - and his public key is guaranteed. The private key x, however, is kept secret and only the authorized user has access to x.
Signature schemes that rely on a PKCS are e.g. RSA (cf. US 4 405 829), or ElGamal based signature schemes, such as the schemes of Schnorr (US 4 995 082) and Nyberg-Rueppel (cf. K.Nyberg, R.Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Designs, Codes and Cryptography, 7, 1996, pp. 61 - 81) or the DSA, see FIPS 186 ("Digital Signature Standard", Federal Information Processing Standards Publication 186, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, 1994). These digital signature schemes provide methods for signing a digital message and verifying a digital signature. But they do not provide means for protecting the private key.
If an unauthorized party obtains a copy of the private key x, this party can form digital signatures and act as if it were the authorized user. Thus, it is crucial to securely protect the private key x and to avoid that x becomes compromised, e.g., by falling into the hands of an unauthorized party.
The private key is usually protected by an access control system. In a simple access control system, the private key x is stored in encrypted format on a storage device and the private key is only made available if the correct password is provided. The security of an access control system depends on different factors such as the particular access control mechanism, the encryption algorithm used, the device that performs encryption and decryption, and the storage device on which the private key is stored. Possible storage devices could be a diskette, a dedicated protected computer system or a tamper-resistant device such as a chip card or an electronic wallet but also a PC at home.
There are different ways how the private key of a user can become compromised. The following threats may arise.
(I) The access control is compromised. E.g., an unauthorized party has obtained the password or succeeds in reading the private key from the storage device.
(II) An authorized party is able to extract (parts of) the private key during the digital signature process from the device that performs the signature.
(III) Information about the private key leaks out to an unauthorized party during the initialization and key distribution phase.
(IV) The underlying PKCS and the corresponding digital signature scheme are broken.
Disclosure of the Invention
The problem to be solved by the present invention is to increase the protection of the private key against at least one of the threats (I)-(III). This problem is solved by the method and apparatus according to the independent claims.
The invention can in particular be used to increase protection against threats (I) and (II). It can also partly increase the protection against threat (III) depending on the key generation and key distribution model.
The present invention makes use of a particular idea from Secret Sharing (cf. Chapter 12.7 in the textbook cited above), viz., the private key is split into two or more private subkeys. In contrast to Secret Sharing, the private subkeys need not be distributed to different entities; in the present invention, the private subkeys can also be managed and used by the same entity. Thus, this invention is based on a different trust model than the one in Secret Sharing. Another important difference to Secret Sharing consists in the way that the subkeys are used. In the present invention, the subkeys need not be communicated to a dedicated entity to form the original private key x; instead, the subkeys are used to create partial signatures and these partial signatures are combined to form the full signature. Thus, when producing a digital signature, the private key x is never generated from the private subkeys. Moreover, the private subkeys cannot be effectively determined from the partial signatures and, hence, even if an unauthorized party knows all partial signatures, the private key is not compromised.
Brief Description of the Drawings
The invention will be better understood and objects other than those set forth above will become apparent when consideration is given to the following detailed description thereof. Such description makes reference to the annexed drawings, wherein:
Fig. 1 shows the steps of the subkey generation phase for generating t private subkeys
Fig. 2 shows the steps of the Signature Splitting Method using t=2 private subkeys
Fig. 3 shows a possible hardware implementation for a signature splitting scheme with t=2 private subkeys.
Modes for Carrying Out the Invention
The present invention provides a method to split digital signatures into partial signatures and to combine these to generate the full original signature. The resulting scheme will be called a Signature Splitting Scheme (SSS).
As a prerequisite, it is assumed that the private key x can be viewed as an element of a group X with group operation +, where 0 denotes the neutral element, and that the signature or a characteristic value s of the signature lies in a monoid S with composition law *. Fixing a message m to be signed, the signature algorithm Σ defines a mapping σ_m from the key group X to the signature monoid S, namely, s = σ_m(x), where s is the signature value that results from applying the signature algorithm Σ to m using the private key x. It is further assumed that, for almost all allowed messages m, the mapping ψ_m defined by
ψ_m(x) = σ_m(x) * (σ_m(0))^{-1},   (1)
where (σ_m(0))^{-1} denotes the inverse of σ_m(0), is a homomorphism from X to S.
In an initialization phase, which will be called Subkey Generation Phase, the private key x is split into two or more private subkeys x_1, x_2, ... using a Shared Control Scheme as described in Chapter 12.7.1 in the textbook cited above. A splitting into t private subkeys is obtained by choosing t-1 uniformly random subkeys x_1, x_2, ..., x_{t-1} in the group X and by requiring that the last private subkey x_t satisfies the equation
x = x_1 + x_2 + ... + x_t.   (2)
The private subkeys are separately stored and protected by separate access control systems. This concludes the initialization phase of the subkey generation.
The signature splitting method makes use of the homomorphism property
ψ_m(x) = ψ_m(x_1) * ψ_m(x_2) * ... * ψ_m(x_t).   (3)
The following steps are carried out:
(i) For a message m to be signed, the value b = σ_m(0), which is independent of x, is split into t subvalues b_1, b_2, ..., b_t using a pre-defined splitting rule such that in the monoid S the following equation holds
Figure imgf000007_0002 (equation (4))
(ii) Using the private subkeys, the message m and the previously computed subvalues b_i, the partial signature values
s_i = ψ_m(x_i) * b_i   (5)
are computed for i = 1, 2, ..., t.
(iii) Eventually, the partial signature values are combined to form the signature value s, given by
s = s_1 * s_2 * ... * s_t.   (6)
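The three steps (i)-(iii) above, carried through on a concrete signature scheme as an added worked example; this code is written for this page and is not part of the patent text. It instantiates the framework with textbook ElGamal signatures over a prime field, which the page takes up in a later section but whose formulas are not reproduced on this page: the standard ElGamal formulas r = β^k and s = k^{-1}(h(m) - x·r) mod (q-1) are therefore assumed here, as is the form b = b_1 + ... + b_t for the splitting rule (4), whose image is missing from the extracted text. With these choices the key group X is Z_{q-1} under addition, the signature monoid S is also Z_{q-1} under addition (so the composition law * is +), b = σ_m(0) = k^{-1}·h(m) does not depend on x, and ψ_m(x) = -k^{-1}·r·x is a homomorphism. The field parameters, the hash reduction and the message are constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (assumption: far too small for real use; they only
# keep the arithmetic visible). GF(q) with q prime, BETA a primitive element.
Q = 1019
BETA = 2


def is_primitive(beta: int, q: int) -> bool:
    """True if beta generates GF(q)^*: beta^((q-1)/p) != 1 for every prime p dividing q-1."""
    order, n, f, factors = q - 1, q - 1, 2, set()
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return all(pow(beta, order // p, q) != 1 for p in factors)


def h(message: bytes) -> int:
    """Hash value h(m) with 0 <= h(m) <= q-1 (SHA-256 reduced mod q-1; an assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1)


def keygen():
    """Private key x in the additive group X = Z_{q-1}, public key y = beta^x in GF(q)."""
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(BETA, x, Q)


def random_k() -> int:
    """Per-message random k in Z_{q-1}, invertible mod q-1 so that k^-1 exists."""
    while True:
        k = secrets.randbelow(Q - 2) + 1
        if math.gcd(k, Q - 1) == 1:
            return k


def split_additive(value: int, t: int, modulus: int) -> list:
    """Shared Control Scheme (eq. 2): t-1 uniformly random shares, the last one
    chosen so that all t shares sum to `value` modulo `modulus`."""
    shares = [secrets.randbelow(modulus) for _ in range(t - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares


def elgamal_sign(x: int, message: bytes, k: int):
    """Reference (unsplit) textbook ElGamal: r = beta^k, s = k^-1 (h(m) - x r) mod q-1."""
    r = pow(BETA, k, Q)
    s = (pow(k, -1, Q - 1) * (h(message) - x * r)) % (Q - 1)
    return r, s


def elgamal_verify(y: int, message: bytes, r: int, s: int) -> bool:
    """Standard check beta^h(m) == y^r * r^s in GF(q)."""
    return 0 < r < Q and pow(BETA, h(message), Q) == (pow(y, r, Q) * pow(r, s, Q)) % Q


def split_sign(subkeys: list, message: bytes, k: int):
    """Signature splitting applied to step (b). Here S = Z_{q-1} under addition,
    sigma_m(x) = k^-1 (h(m) - x r), so b = sigma_m(0) = k^-1 h(m) and
    psi_m(x) = sigma_m(x) - b = -k^-1 r x, which is additive in x."""
    t = len(subkeys)
    r = pow(BETA, k, Q)                        # step (a): independent of x
    k_inv = pow(k, -1, Q - 1)
    b = (k_inv * h(message)) % (Q - 1)         # b = sigma_m(0)
    b_parts = split_additive(b, t, Q - 1)      # step (i): b = b_1 + ... + b_t (assumed form of eq. 4)
    partials = [(-k_inv * r * xi + bi) % (Q - 1)       # step (ii): s_i = psi_m(x_i) * b_i (eq. 5, * is +)
                for xi, bi in zip(subkeys, b_parts)]
    s = sum(partials) % (Q - 1)                # step (iii): s = s_1 * ... * s_t (eq. 6, * is +)
    return r, partials, s


if __name__ == "__main__":
    assert is_primitive(BETA, Q)
    x, y = keygen()
    subkeys = split_additive(x, 3, Q - 1)      # three devices; x itself is discarded
    k = random_k()
    msg = b"constructed sample message"
    r, partials, s = split_sign(subkeys, msg, k)
    print("matches unsplit signature:", (r, s) == elgamal_sign(x, msg, k))
    print("verifies under public key:", elgamal_verify(y, msg, r, s))
```

Each device holds one x_i and one b_i and outputs only its s_i; the combiner adds the partials and never sees x or any x_i. In this plain ElGamal instantiation the per-message value k (and so k^{-1}) has to be available to every device, which is the point the Schnorr-based variant in the page's definitions addresses by keeping a separate k_i on each device.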
Detailed Description for the Implementation of Signature Splitting Schemes
The goal of a SSS is to increase the protection of the private key x. To increase the protection against threats (I) and (II), the private subkeys x_i and the algorithms for the computation of the partial signature values s_i can be stored and implemented on separate tamper-resistant devices, which are under the control of the authorized user of the key pair (x,y). The combining operation (6), in the last step, can be performed on a dedicated device that reads in the partial signature values and generates the output s. This dedicated device need not necessarily be under the control of the authorized user; the combining operation can e.g. take place on the device of the receiver of the digital signature.
A possible hardware implementation of a SSS is shown in Fig. 3 where t=2 private subkeys are used. In the key generation phase, the key pair (x, y) can be generated on a computer (shown as device 300 in Fig. 3). This computer can also contain a program that executes the steps of the Subkey Generation Phase as described above and illustrated in Fig. 1. E.g., the storing operation at step 106 in Fig. 1 will put the private subkeys x_1 and x_2 on the two separate chip cards 304 and 308 shown in Fig. 3.
Suppose a message m obtained via the input interface 310 (e.g. a keyboard) or via the network is to be signed by the user with key pair (x,y) using the computer 300 and the two chip cards 304 and 308, which carry the two private subkeys x_1 and x_2. The digital signature is performed by applying the steps of the signature splitting method described above and illustrated in Fig. 2. The mentioned computer sends the message m to the processors on the two chip cards 304, 308. In order to activate the partial signature computation (step 204 in Fig. 2) on the chip cards 304, 308, the user must enter the two passwords for the two subkeys, which can be done via the keyboard of the computer 300 or via two separate mini-keyboards that are installed on the chip cards or on the two chip card readers. After performing the computation of the subvalues (step 202) and the computation of the partial signatures (step 204), the two chip cards transfer the resulting partial signature values s_1 and s_2 to the mentioned computer. On this computer, the partial signature values are combined to the signature value s and completed to the full signature in an appropriate format. It can then be transferred over a network 312 to a computer 314 of another user of the PKCS.
Key Protection and Subkey Re-Generation
Once the subkey generation is completed and all subkeys are stored on dedicated devices, the initial private key x need not be kept and stored in a SSS. Without private key x, direct attacks against the private key are no longer possible. Thus, in a SSS the private key can only be attacked via attacks against the subkeys. The Shared Control Scheme described above has the following security feature: If the private key x is split into t private subkeys as specified in the initial Subkey Generation Phase, then x will not be compromised unless all t private subkeys are compromised because fewer than t subkeys give no information about the private key x. Thus, if the t subkeys are all stored on separate devices, it is about t times more difficult to obtain all subkeys than it would be to obtain the original private key, when no SSS is used. Therefore, a SSS can increase the protection against threat (I) by about a factor of t. A similar increase of the security of the private key x against threat (II) by a factor of t is obtained if all partial signature values s_1, s_2, ..., s_t are computed on t separate devices.
If in a digital signature scheme the private key gets compromised, there is no way to recover without replacing the old key pair (x,y) by a new key pair (x',y'). This may have far-reaching implications if the user of this key pair represents a particular trustworthy authority such as a certification authority of a public key infrastructure. When an SSS is used, such a mandatory replacement of the private key x can be circumvented provided that not all subkeys have been compromised. The following method for recovering from a partially compromised SSS by re-generation of new subkeys can be applied.
Suppose that the private subkeys x_{i1}, x_{i2}, ..., x_{iu}, where u < t, are compromised and that there exists a non-compromised private subkey x_k. The SSS is fully recovered by re-generating u+1 new subkeys x'_{i1}, x'_{i2}, ..., x'_{iu}, x'_k, where u of these new subkeys are chosen uniformly at random in the group X and the last new subkey is determined by the equation
x'_{i1} + x'_{i2} + ... + x'_{iu} + x'_k = x_{i1} + x_{i2} + ... + x_{iu} + x_k.   (5)
This re-generation method can also be used to exchange a subset of the private subkeys if such a subkey replacement is required by a key management policy.
Signature Splitting for the RSA Signature
The Rivest-Shamir-Adleman (RSA) PKCS is based on the difficulty of factoring a product n = p·q of two large prime numbers p and q (cf. US 4 405 829). Let Z_{φ(n)} denote the ring of integers modulo φ(n), where φ(n) = (p-1)(q-1). The private key x is a randomly chosen invertible element of Z_{φ(n)} and the public key is given by n and the inverse y of x, i.e., y satisfies x·y = 1 mod φ(n). The key group X consists of the additive group of Z_{φ(n)}, the signature monoid S consists of the multiplicative structure of the ring Z_n and for a given message m in Z_n, the mapping σ_m is defined by
σ_m(x) = m^x mod n .
In particular, σ_m(0) = 1 and, therefore, the mapping ψ_m defined in (1) coincides with σ_m. This allows to simplify the signature splitting method by skipping the splitting step of the value b = σ_m(0) as given in (4). Note that ψ_m = σ_m is a homomorphism if and only if m is relatively prime to n, which is true for almost all m. If m is not relatively prime to n, then m can be used to break this RSA PKCS, i.e., an attacker can factor n efficiently. But even in the case that m is not relatively prime to n, the splitting scheme still functions properly, i.e., (3) always holds for every splitting of x as given in (2) because x is relatively prime to φ(n).
Signature Splitting for the ElGamal Signature and the DSA
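The RSA instance of the Shared Control Scheme (t-of-t additive splitting of x in Z_{φ(n)}, partial signatures m^{x_i} mod n multiplied together) together with the subkey re-generation of equation (5), as an added worked example. This is illustration code written for this page, not code from the patent; it assumes toy primes far too small for real use, a fixed message coprime to n, and Python 3.8+ for `pow(a, -1, mod)`.

```python
from secrets import randbelow
from math import gcd

# Toy RSA parameters, constructed for this example; 1000003 and 1000033 are
# both prime.  Real keys use primes of 1024 bits and more.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)          # phi(n); the key group X is (Z_phi(n), +)


def generate_keypair():
    """Private key x: random invertible element of Z_phi(n); public key y = x^-1 mod phi(n)."""
    while True:
        x = randbelow(PHI)
        if x > 1 and gcd(x, PHI) == 1:
            return x, pow(x, -1, PHI)      # pow(.., -1, mod) needs Python 3.8+


def sign_plain(m, x):
    """The unsplit RSA signature sigma_m(x) = m^x mod n, kept only as the reference value."""
    return pow(m, x, N)


def verify(m, s, y):
    """Standard RSA check: s^y = m^(x*y) = m mod n."""
    return pow(s, y, N) == m % N


def split_key(x, t):
    """Subkey Generation Phase: t-1 subkeys uniform in Z_phi(n), the last one fixed so
    that x_1 + ... + x_t = x mod phi(n).  Any t-1 subkeys are uniform and independent of x."""
    subkeys = [randbelow(PHI) for _ in range(t - 1)]
    subkeys.append((x - sum(subkeys)) % PHI)
    return subkeys


def partial_sign(m, x_i):
    """Run on device i: s_i = sigma_m(x_i) = m^(x_i) mod n.  Because sigma_m(0) = 1 for RSA,
    no separate splitting of b = sigma_m(0) is needed."""
    return pow(m, x_i, N)


def combine(partials):
    """Combining phase (may run in a non-secure environment): s = s_1 * ... * s_t mod n,
    which equals m^(x_1+...+x_t) = m^x mod n (m^phi(n) = 1 mod n for m coprime to n)."""
    s = 1
    for s_i in partials:
        s = s * s_i % N
    return s


def split_sign(m, subkeys):
    return combine([partial_sign(m, x_i) for x_i in subkeys])


def refresh_subkeys(subkeys, compromised, k):
    """Recovery after a partial compromise, equation (5): the compromised subkeys
    (indices in `compromised`, fewer than t of them) get fresh uniform values and the
    non-compromised subkey k absorbs the difference, so the sum is unchanged.
    The private key x itself is never reconstructed on any device."""
    assert k not in compromised and len(compromised) < len(subkeys)
    new = list(subkeys)
    for i in compromised:
        new[i] = randbelow(PHI)
    old_part = sum(subkeys[i] for i in compromised) + subkeys[k]
    new_part = sum(new[i] for i in compromised)
    new[k] = (old_part - new_part) % PHI
    return new


if __name__ == "__main__":
    x, y = generate_keypair()
    subkeys = split_key(x, 3)
    m = 424242                          # constructed message, coprime to n
    s = split_sign(m, subkeys)
    print(s == sign_plain(m, x), verify(m, s, y))
    print(split_sign(m, refresh_subkeys(subkeys, [0, 1], 2)) == s)
```

The refreshed subkey set signs exactly as the old one did, so the public key y and any certificates built on it stay valid; only the devices holding the replaced subkeys need to be re-provisioned.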
ElGamal based signature schemes rely on the difficulty of the discrete logarithm problem (cf. Chapter 11.5 in the textbook cited above). In the original ElGamal signature scheme, a large finite field GF(q) and a primitive element β of GF(q) are given. Each user randomly chooses his private key x in the additive group of X = Z_{q-1} and forms his public key y = β^x in GF(q). Let h denote a suitable hash function and let h(m), 0 < h(m) < q-1, denote the hash value of a message to be signed. The signature for m, consisting of the pair (r,s), is obtained by carrying out the following steps.
(a) Compute r = β^k in GF(q), where k is a randomly chosen element of Z_{q-1} which is relatively prime to q-1.
(b) Solve for s in the congruence
h(m) = x·h(r) + k·s mod (q-1).
The signature value s lies in the signature monoid S = Z_{q-1}, which is actually a group. The signature mapping σ_m is given by
s = σ_m(x) = k^{-1}·(h(m) - x·h(r))
and the message dependent value b equals σ_m(0) = k^{-1}·h(m). In an ElGamal based SSS, step (a), which does not depend on the private key x, is performed as in the ElGamal scheme and the signature splitting is applied to step (b). In this setting, where X = S, a possible splitting rule for the message dependent value b is given by the splitting rule for the private subkeys as specified in the Subkey Generation Phase. The DSA of the DSS as described in FIPS 186 ("Digital Signature Standard", Federal Information Processing Standards Publication 186, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, 1994) is based on the ElGamal scheme. For the DSA it is assumed that q is a large prime and that there is a prime u in the range 2^159 < u < 2^160 which is a divisor of q-1. Moreover, β ∈ GF(q) is assumed to be a generator of the unique cyclic subgroup of order u in the multiplicative group of GF(q). Similarly as in the ElGamal scheme, the signature of a message m consists of the pair (r, s), where
r = (β^k mod q) mod u and s = k^{-1}·(h(m) + x·r) mod u.
Hence, the signature splitting can be carried out in a similar way as in the ElGamal scheme.
Signature Splitting for the Schnorr Signature
The Schnorr signature scheme (US 4 995 082) is a variant of the ElGamal scheme. As a new idea, instead of being a primitive element in GF(q), β is now a generator of a large subgroup of the multiplicative group of GF(q). Thus, β generates a group isomorphic to Z_u, where u divides q-1. The key pair (x,y) is defined as above, i.e., y = β^x where x is an element of the key group X = Z_u.
Moreover, to reduce the message length a hash function h is used.
The signature for m, consisting of the pair (e,s), is obtained by carrying out the following steps.
(a') Compute r = β^k in GF(q), where k is a randomly chosen element of Z_u.
(b') Form the concatenation m||r of m and r and compute the hash value e = h(m||r).
(c') Compute the signature value
s = σ_m(x) = x·e + k mod u .
The signature value s lies in the signature monoid S = Z_u, which is actually a group. The value b equals σ_m(0) = k and, thus, does not depend on m. This value can be split into subvalues k_1, k_2, ..., k_t using the method of the Subkey Generation Phase for the group S = Z_u. Since k is random, one can generate this random value by randomly selecting the subvalues k_i and by setting
k = k_1 + k_2 + ... + k_t mod u . (7)
In a Schnorr based SSS, the splitting method can be applied to step (a'), i.e., one computes the pairs (k_i, r_i) separately, where r_i = β^{k_i} for i = 1, 2, ..., t. To carry out step (b'), one needs only the values r_i and the message m as input. The hash value e is computed as above using the product r = r_1·r_2·...·r_t (in GF(q)). In step (c'), the partial signature values s_i = x_i·e + k_i mod u are computed separately before they are combined to form the signature value s.
Note that in this Schnorr based SSS, the random elements k_i can be generated and kept on the same separate storage and computing devices as the private subkeys x_i, and these elements never need to leave these separate devices.
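The Schnorr based SSS of steps (a')-(c'), with both x and k split additively in Z_u so that only the r_i and s_i leave the devices, as an added worked example written for this page (not code from the patent). It assumes constructed toy group parameters (a prime u and a prime q with u | q-1, searched for at import time), SHA-256 reduced into Z_u as the "suitable hash function" h, the standard Schnorr verification equation β^s = y^e·r for this sign convention (the page gives only the signing side), and Python 3.8+ for `pow(a, -e, mod)`.

```python
import hashlib
from secrets import randbelow


def _is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Toy parameters, constructed for this example: prime u, prime q = 2*u*k + 1, and
# beta = h^((q-1)/u) != 1, which generates the unique subgroup of order u in GF(q)*.
U = 1000003
assert _is_prime(U)
Q = next(c for c in (2 * U * k + 1 for k in range(1, 10_000)) if _is_prime(c))
BETA = next(b for b in (pow(h, (Q - 1) // U, Q) for h in range(2, 100)) if b != 1)


def hash_to_zu(m: bytes, r: int) -> int:
    """e = h(m||r) with SHA-256, reduced into Z_u (assumed hash; any suitable h works)."""
    digest = hashlib.sha256(m + b"||" + str(r).encode()).digest()
    return int.from_bytes(digest, "big") % U


def keygen():
    x = 1 + randbelow(U - 1)            # private key x in Z_u (non-zero)
    return x, pow(BETA, x, Q)           # public key y = beta^x in GF(q)


def sign_plain(m, x):
    """Steps (a')-(c') on a single device holding the whole key (reference only)."""
    k = randbelow(U)
    r = pow(BETA, k, Q)
    e = hash_to_zu(m, r)
    return e, (x * e + k) % U


def verify(m, sig, y):
    """beta^s = beta^(x*e + k) = y^e * r, so r = beta^s * y^(-e) and e must equal h(m||r)."""
    e, s = sig
    r = pow(BETA, s, Q) * pow(y, -e, Q) % Q
    return hash_to_zu(m, r) == e


def split_key(x, t):
    """Subkey Generation Phase in the key group X = Z_u: x = x_1 + ... + x_t mod u."""
    subkeys = [randbelow(U) for _ in range(t - 1)]
    subkeys.append((x - sum(subkeys)) % U)
    return subkeys


def split_sign(m, subkeys):
    """Schnorr based SSS: device i holds x_i and its own k_i; neither ever leaves it."""
    # step (a'), per device: k_i random, r_i = beta^(k_i); only r_i is published
    ks = [randbelow(U) for _ in subkeys]
    rs = [pow(BETA, k_i, Q) for k_i in ks]
    # step (b'), public: r = r_1 * ... * r_t = beta^(k_1 + ... + k_t), then e = h(m||r)
    r = 1
    for r_i in rs:
        r = r * r_i % Q
    e = hash_to_zu(m, r)
    # step (c'), per device: s_i = x_i*e + k_i mod u
    partials = [(x_i * e + k_i) % U for x_i, k_i in zip(subkeys, ks)]
    # combining: s = sum s_i = (sum x_i)*e + sum k_i = x*e + k mod u, i.e. equation (7)
    return e, sum(partials) % U


if __name__ == "__main__":
    x, y = keygen()
    m = b"constructed test message"
    print(verify(m, sign_plain(m, x), y))
    print(verify(m, split_sign(m, split_key(x, 4)), y))
```

The combined signature is indistinguishable from one produced by a single device, so the verifier needs no knowledge of t or of the splitting. Since each device keeps its k_i, a fresh k_i must be drawn for every message exactly as in the unsplit scheme; reusing one would expose that device's x_i through two partial signatures.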
Signature Splitting for the Nyberg-Rueppel Signature
The Nyberg-Rueppel signature scheme (cf. K. Nyberg, R. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Designs, Codes and Cryptography, 7, 1996, pp. 61-81) is another variant of the ElGamal scheme, where GF(q) is a prime field, i.e., q is a prime. As in the Schnorr scheme, the key group X consists of a large subgroup Z_u, where u divides q-1. The key pair (x,y) is defined as in the Schnorr scheme. Instead of a hash function, a redundancy function p is used, which is applied to a set of allowed messages. A message m from this set is signed by carrying out the following steps.
(a'') Compute the redundancy value m' = p(m).
(b'') Compute r = β^{-k} in GF(q), where k is a randomly chosen element of Z_u.
(c'') Compute e = m'·r in GF(q).
(d'') Compute the signature value
s = σ_m(x) = x·e + k mod u .
The signature consists of the pair (e,s). In a Nyberg-Rueppel based SSS, step (a'') is performed as is. The splitting method is applied to both step (b'') and step (d''). In step (b''), one uses the splitting method for the random element k as described in the Schnorr based SSS (cf. equation (7)) and generates the pairs (k_i, r_i), where r_i = β^{-k_i}. In step (c''), the value e is computed from m and the values r_i using the product r = r_1·r_2·...·r_t (in GF(q)). In step (d''), the partial signature values s_i = x_i·e + k_i mod u are computed separately before they are combined to form the signature value s.
Signature Splitting for Elliptic Curve Based Signatures
ElGamal based digital signature schemes can also be defined over elliptic curves. Instead of considering the multiplicative group of GF(q), one considers a large cyclic subgroup U of an elliptic curve C, which itself forms a group with additive group operation •. The subgroup U is generated by some generator β, which is a point of the elliptic curve C. Let u denote the order of the subgroup U. The mapping of the integers Z onto U given by assigning to an integer i the i-fold 'sum' i·β = (β • β • ... • β) induces an isomorphism from Z_u onto U. For ElGamal based digital signature schemes over elliptic curves, one can apply the signature splitting method in a similar way as for the ElGamal based schemes above. E.g., the key group is X = Z_u and the signature monoid S also equals Z_u.
Secret Sharing and Signature Splitting
Instead of using a simple Shared Control Scheme as described above, more general Secret Sharing Schemes can be applied, where a secret x is shared by e.g. 4 persons and whenever 2 of these 4 persons put together their shares x_i, they can reconstruct the secret x. This more general type of Secret Sharing Scheme can be combined with signature splitting if the group operations that are used are compatible with those of the underlying signature scheme.
Consider e.g. an RSA PKCS with n = p·q and a key pair (x,y). The secret sharing scheme given in the first example in the paper "On Secret Sharing" by E.D. Karnin, J.W. Greene and M.E. Hellman (IEEE Trans. on Information Theory, Vol. 29, No. 1, Jan 1983, pp. 35-41) can be adapted to work for signature splitting. To this end, the condition C3) of the mentioned paper is dropped.
The Subkey Generation Phase consists of two steps. In a first step, the private key x is split into x = u_1 + u_2 mod φ(n). In a second step, the secret (u_1, u_2) is divided into 4 shares
x_1 = (u_3, u_4), x_2 = (u_1+u_2+u_3, u_2+u_4), x_3 = (u_2+u_3, u_1+u_4), x_4 = (u_1+u_3, u_2+u_3+u_4),
where + denotes addition modulo φ(n) and where u_3 and u_4 are randomly chosen. Eventually, the 4 shares are stored on separate devices.
For a message m, the signature splitting is characterized by the pairs of partial signature values
s_i = (m^{x_{i1}}, m^{x_{i2}}) mod n
where x_{i1} denotes the first and x_{i2} the second component of x_i. From any 2 of the 4 partial signature pairs s_i, when combining their components suitably, one can compute
s = (m^{u_1}, m^{u_2}) mod n .
The final signature value is obtained by multiplying the two components of s, i.e., s = m^{u_1}·m^{u_2} mod n.
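The 2-out-of-4 RSA scheme just described, as an added worked example written for this page (not code from the patent or from the Karnin-Greene-Hellman paper). The coefficient table RECON was derived by hand from the four share definitions: each entry gives u_1 and u_2 as integer combinations of the four components of two shares, and the same table serves as the additive reconstruction f_ij on the shares and, with + replaced by * and negative coefficients by modular inverses, as the combining map g_ij on the partial signature pairs. It assumes toy primes, a message coprime to n, and Python 3.8+ for negative exponents in `pow`.

```python
from secrets import randbelow
from math import gcd

# Toy RSA modulus, constructed for this example (1000003 and 1000033 are prime).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)

# For each 2-element subset {i, j}, i < j: coefficients applied to the component
# vector (a_i, b_i, a_j, b_j) of the shares x_i = (a_i, b_i), x_j = (a_j, b_j),
# giving u_1 (first tuple) and u_2 (second tuple).  Hand-derived for this example.
RECON = {
    (1, 2): ((-1, 1, 1, -1), (0, -1, 0, 1)),
    (1, 3): ((0, -1, 0, 1), (-1, 0, 1, 0)),
    (1, 4): ((-1, 0, 1, 0), (-1, -1, 0, 1)),
    (2, 3): ((1, 0, -1, 0), (1, 1, -1, -1)),
    (2, 4): ((0, 1, 1, -1), (1, 0, -1, 0)),
    (3, 4): ((1, 1, 0, -1), (2, 1, -1, -1)),
}


def generate_keypair():
    while True:
        x = randbelow(PHI)
        if x > 1 and gcd(x, PHI) == 1:
            return x, pow(x, -1, PHI)


def make_shares(x):
    """Subkey Generation Phase: x = u_1 + u_2 mod phi(n), then the 4 two-component shares."""
    u1 = randbelow(PHI)
    u2 = (x - u1) % PHI
    u3, u4 = randbelow(PHI), randbelow(PHI)
    return {
        1: (u3, u4),
        2: ((u1 + u2 + u3) % PHI, (u2 + u4) % PHI),
        3: ((u2 + u3) % PHI, (u1 + u4) % PHI),
        4: ((u1 + u3) % PHI, (u2 + u3 + u4) % PHI),
    }


def reconstruct_key(shares, i, j):
    """f_ij: additive reconstruction of (u_1, u_2), hence x, from shares i and j.
    Only here to check the table; the signing path below never rebuilds x."""
    comps = (*shares[i], *shares[j])
    c1, c2 = RECON[(i, j)]
    u1 = sum(c * v for c, v in zip(c1, comps)) % PHI
    u2 = sum(c * v for c, v in zip(c2, comps)) % PHI
    return (u1 + u2) % PHI


def partial_sign(m, share):
    """Device i computes s_i = (m^(x_i1), m^(x_i2)) mod n from its own share only."""
    a, b = share
    return pow(m, a, N), pow(m, b, N)


def combine(partials, i, j):
    """g_ij: the coefficients of f_ij with + replaced by *, so the result is
    (m^u_1, m^u_2); then s = m^u_1 * m^u_2 = m^x mod n.  Negative coefficients need
    modular inverses, which exist for gcd(m, n) = 1 (true for almost all m)."""
    comps = (*partials[i], *partials[j])
    c1, c2 = RECON[(i, j)]
    m_u1 = m_u2 = 1
    for c, v in zip(c1, comps):
        m_u1 = m_u1 * pow(v, c, N) % N      # pow with negative c: Python 3.8+
    for c, v in zip(c2, comps):
        m_u2 = m_u2 * pow(v, c, N) % N
    return m_u1 * m_u2 % N


if __name__ == "__main__":
    x, y = generate_keypair()
    shares = make_shares(x)
    m = 424242                                       # constructed message, coprime to n
    partials = {i: partial_sign(m, sh) for i, sh in shares.items()}
    for i, j in RECON:
        print(i, j, combine(partials, i, j) == pow(m, x, N))
```

Any single share is two uniformly random elements of Z_{φ(n)} and carries no information about x, while every one of the six pairs yields the same signature m^x mod n; the verifier only sees a standard RSA signature.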
The above can be generalized as follows. A t-out-of-w Secret Sharing Scheme, where the secret x is split into w shares x_i lying in a subkey group X' with group operation +', can be characterized by requiring that there exist reconstruction functions f_{i1 i2 ... it} from the t-fold direct product X'×X'×...×X' into the key group X for any t-element subset i_1, i_2, ..., i_t such that x = f_{i1 i2 ... it}(x_{i1}, x_{i2}, ..., x_{it}). Suppose that f_{i1 i2 ... it} is a homomorphism and that the partial signature values s_i are contained in a monoid S' with composition law *'. Define a homomorphism g_{i1 i2 ... it} from the t-fold direct product S'×S'×...×S' into the signature monoid S, which is derived from f_{i1 i2 ... it} by replacing the group operations +' and + by the composition laws *' and *, respectively. The Secret Sharing Scheme is compatible with the signature scheme if, for almost all messages m, there exists a homomorphism ψ'_m from the subkey group X' to the monoid S' that is compatible with ψ_m, i.e., for every t-tuple v_1, v_2, ..., v_t in X'×X'×...×X' the following equation in S must hold
ψ_m(f_{i1 i2 ... it}(v_1, ..., v_t)) = g_{i1 i2 ... it}(ψ'_m(v_1), ..., ψ'_m(v_t)).
For such a compatible Secret Sharing Scheme, one can generate the partial signature values s_i = ψ'_m(x_i) *' b_i in the partial signature monoid S', where the b_i, i = 1, 2, ..., w, are elements of the partial signature monoid S' such that
g_{i1 i2 ... it}(b_{i1}, b_{i2}, ..., b_{it}) = σ_m(0).
The combining operation, which generates the signature value s out of any t partial signatures, is given by
s = g_{i1 i2 ... it}(s_{i1}, s_{i2}, ..., s_{it}).
While there are shown and described presently preferred embodiments of the invention, it is to be distinctly understood that the invention is not limited thereto but may be otherwise variously embodied and practiced within the scope of the following claims.

Claims
1. A method for generating a digital signature comprising a signature value s = σ_m(x) using a signature algorithm Σ and a private and public key pair x, y for a message m, wherein x is an element of a group X with group operation +, where 0 denotes the neutral element, and the signature value s is an element of a monoid S with composition law * and wherein the map ψ_m defined by ψ_m(x) = σ_m(x) * (σ_m(0))^{-1} is a homomorphism from X to S for almost all messages m, said method comprising the steps of providing w > 2 private subkeys x_1, x_2, ..., x_w in a subkey group X' with group operation +' such that said private key x can be reconstructed from any subset of at least t, 2 ≤ t ≤ w, subkeys x_{i1}, x_{i2}, ..., x_{it} using x = f_{i1 i2 ... it}(x_{i1}, x_{i2}, ..., x_{it}), using said subkeys for generating partial signature values s_i = ψ'_m(x_i) *' b_i in a partial signature monoid S' and generating said signature value s from any t partial signatures using s = g_{i1 i2 ... it}(s_{i1}, s_{i2}, ..., s_{it}), wherein f_{i1 i2 ... it} is a homomorphism from the t-fold direct product X'×X'×...×X' into the key group X and g_{i1 i2 ... it} is a homomorphism from the t-fold direct product S'×S'×...×S' into the signature monoid S, which is derived from f_{i1 i2 ... it} by replacing the group operations +' and + by the composition laws *' and *, respectively, where the b_i, i = 1, 2, ..., w, are elements of the partial signature monoid S' such that
g_{i1 i2 ... it}(b_{i1}, b_{i2}, ..., b_{it}) = σ_m(0), and where, for almost all messages m, ψ'_m is a homomorphism from the subkey group X' to the partial signature monoid S' compatible with ψ_m, i.e., for every t-tuple v_1, v_2, ..., v_t in X'×X'×...×X' the following equation in S must hold ψ_m(f_{i1 i2 ... it}(v_1, ..., v_t)) = g_{i1 i2 ... it}(ψ'_m(v_1), ..., ψ'_m(v_t)).
2. The method of claim 1 wherein said signature scheme is the RSA signing algorithm.
3. The method of claim 1 wherein said signature algorithm Σ is the ElGamal, the DSA of the DSS, the Schnorr or the Nyberg-Rueppel signature algorithm over the originally specified groups or over subgroups of an elliptic curve.
4. The method of one of the preceding claims wherein said step of generating said partial signature values s_1, s_2, ..., s_w is carried out in a secure environment and said step of generating said signature value from said partial signature values is carried out in a non-secure environment.
5. The method of one of the preceding claims wherein X' = X, S' = S, ψ'_m = ψ_m and t = w and where f_{12...t}(x_1, ..., x_t) = x_1 + x_2 + ... + x_t and g_{12...t}(s_1, ..., s_t) = s_1 * s_2 * ... * s_t.
6. The method of claim 5 comprising the step of generating a new set of subkeys {x'_{i1}, x'_{i2}, ..., x'_{iu}, x'_k} from said subset and at least one non-compromised subkey x_k in case that a proper subset {x_{i1}, x_{i2}, ..., x_{iu}} of said subkeys is compromised or to be replaced.
7. The method of claim 6 wherein said new set of subkeys is generated such that x'_{i1} + x'_{i2} + ... + x'_{iu} + x'_k = x_{i1} + x_{i2} + ... + x_{iu} + x_k.
8. The method of one of the preceding claims comprising the step of storing at least one of said subkeys x_i separately on a tamper-resistant device.
9. The method of claim 8 wherein said tamper-resistant device is a chip card.
10. The method of one of the claims 8 or 9 wherein said step for generating the partial signature values s_i = ψ'_m(x_i) *' b_i is carried out in said tamper-resistant device.
11. An apparatus for generating a digital signature comprising means for carrying out the method of one of the preceding claims.
PCT/IB1999/000281, filed 1999-02-17, published 2000-08-24 as WO2000049768A1.