Cardano protects the immutability of its ledger, among other things, by using the Key-Evolving Signature (KES) scheme. KES provides so-called forward security: if an SPO's current signing key is compromised, it cannot be used to forge signatures for earlier periods and thereby rewrite ledger history. This is because Cardano's protocol rotates the keys used for signing blocks and requires the old keys to be deleted. One of the security assumptions is therefore that stake pool operators (SPOs) really do delete old keys. The One-shot Signatures (OSS) system would strengthen Cardano's security by making a signing key self-destruct after signing each new block. Signing a second block in that position would be impossible, as there would be no key left to do so.
Forward security and KES
Forward security is a property of cryptographic systems which guarantees that the compromise of the current key does not compromise the security of past periods, because past periods used other keys that no longer exist. The encryption-side version of this property is usually called forward secrecy.
In other words, even if an adversary obtains the current decryption key, they cannot use it to decrypt past communications, because each session used a unique key that was deleted or updated after use.
A similar principle is used in Cardano for signing blocks.
If the secret key of an SPO is compromised at some point in time, the signatures generated before that point remain valid and unforgeable.
This is achieved by dividing the lifetime of the signer into periods and using a different secret key for each period. The secret key for each period is derived from the previous one, and then erased after use. The public key remains the same for all periods.
KES limits the scope of each secret key to a specific period and requires the signer to erase the previous key each time it evolves to the next one. On Cardano mainnet a KES period lasts 129,600 slots (36 hours), and a KES key can be evolved at most 62 times, roughly 90 days, after which the operator must issue a fresh KES key with the offline cold key. Because evolution is one-way, an adversary who obtains the secret key for some period can forge signatures for that period and, by evolving the key himself, for later periods until the key expires or is rotated, but never for any previous period.
If an adversary obtains the signing key of a single operator, he can forge only blocks for slots in which that operator was elected slot leader while the key was valid. That is a relatively small number of blocks: slot leaders are drawn at random in proportion to stake, and there are a large number of SPOs in the Cardano network. For a realistic chance of rewriting history, an adversary would need not a single key but the keys of many SPOs covering the same stretch of the chain.
One way to get signing keys is to steal them from SPOs. If SPOs delete old keys, those keys cannot be stolen. However, the protocol cannot enforce or verify deletion. An SPO can, in theory, keep old keys, and an adversary who steals them could forge signatures for the periods they covered.
OSS would close this gap. Each new block would be signed with a key created for that one signature and consumed by it, so there would be no old keys left to steal or misuse.
In the previous article, we explained the basic principles of one-shot signatures. This quantum cryptographic primitive has great potential. Here we look at how it could be used to strengthen Cardano's security.
One-shot signatures can be used to implement ordered signatures, i.e. a specific mechanism in which it is possible to determine the validity of a sequence of messages or blocks.
The OSS system is a type of signature where any secret key can be used to sign only a single message and then self-destruct. This concept is particularly useful in the context of blockchain technology, where maintaining the integrity and order of blocks is critical.
The order of blocks is crucial because it determines the state of the blockchain at any given point in time. If the order of blocks were changed, it would result in a different state of the blockchain.
Digital signatures play a key role in maintaining this order. When a new block is created, it is signed by the creator of the block. This signature serves as a seal that verifies the authenticity of the block and its position in the chain.
Using a unique key for each signature provides an additional layer of security. Since each key can be used only once, it cannot be reused to sign a different block in the same position or to alter the order of existing blocks. With OSS, there would be no retained keys with which the history of the Cardano ledger could be rewritten.
So, in essence, the ordered sequence of one-shot signatures can help users deterministically identify which blocks are valid and which ones are not, thereby ensuring the integrity and order of the blockchain.
You can think of ordered signatures like a series of locked boxes, each containing a unique key. These boxes are arranged in a specific order. The key in each box can only be used once to unlock the next box in the series, and then it self-destructs. This means that each secret key (or unique key in the box) can be used to sign only a single message. The order of the signatures is determined by the sequence of the boxes.
In the context of KES, ordered signatures can be seen as a sequence of keys used in a fixed order for signing. Each key in the sequence can be used only once, after which it self-destructs. Even within a single period, a different key would sign each block, rather than one key per period as today.
This change could potentially enhance the security of the Cardano network by making it more resistant to certain types of attacks. For example, it could help prevent long-range attacks, where an attacker tries to rewrite the history of the blockchain by using old keys.
Let's explain the basic concept of how ordered signatures work.
When a party signs a message, he also specifies a tag t. The signing key allows for signing any message, but the requirement is that messages can only be signed in order of increasing t. That is, once a message is signed at tag t0, it then becomes impossible to sign a message at a past tag (t1 < t0). So, every message is signed with respect to a tag t.
The scheme's public key is simply the public key of a one-shot signature instance.
To sign a message m at tag t, the signer generates a fresh one-shot key pair (pk', sk') and delegates to it: the current one-shot secret key signs the triple (pk', t, m), which consumes that key, and sk' becomes the current key for the next signature.
The signature consists of the entire signature chain from the original public key to the latest public key.
Verification checks every signature in the chain, each one under the public key delegated by the link before it, starting from the original public key, and checks that the tags occur in strictly increasing order.
The idea is that the only way to produce a new signature is to append it to the signature chain.
Therefore, once an adversary has produced a signature at tag t0, he is committed to every signature already in the chain at tags t1 < t0. Signing a different message at such a t1 would require a second signature from a one-shot key that has already been consumed, that is, a fork in the chain, which violates the one-shot security property.
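As an added illustration of the construction above (this is example code, not code from Cardano or from the one-shot signature paper), the following Python simulates the ordered-signature chain classically. A Lamport one-time signature over SHA-256 stands in for the one-shot scheme, the tag is used as a block sequence number, and each link signs the (next public key, tag, message) triple. Classical keys cannot physically self-destruct, so the simulation merely discards the used key, and the last function shows what that gap permits: an operator who retains a used key can fork the chain, producing two valid chains with a common prefix. All names, the block contents and the Lamport stand-in are assumptions of this example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of random 32-byte secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal one secret of each pair, chosen by the corresponding digest bit.
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = _msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))


def link_payload(next_pk, tag: int, msg: bytes) -> bytes:
    # The (public key, tag, message) triple that each one-shot key signs.
    # Fixed-width prefix fields keep the encoding unambiguous.
    pk_digest = H(b"".join(a + b for a, b in next_pk))
    return pk_digest + tag.to_bytes(8, "big") + msg


class OrderedSigner:
    """Signer holding the current (simulated) one-shot key and the chain so far."""

    def __init__(self):
        self._sk, self.root_pk = lamport_keygen()  # root_pk is the long-term public key
        self.chain = []                             # [(next_pk, tag, msg, sig), ...]
        self._last_tag = -1

    def sign(self, tag: int, msg: bytes):
        if tag <= self._last_tag:
            raise ValueError(f"tag {tag} must exceed the last tag {self._last_tag}")
        next_sk, next_pk = lamport_keygen()
        sig = lamport_sign(self._sk, link_payload(next_pk, tag, msg))
        self._sk = next_sk          # the consumed key is dropped: a *simulated* self-destruct
        self._last_tag = tag
        self.chain.append((next_pk, tag, msg, sig))
        return list(self.chain)     # the signature is the whole chain


def verify_chain(root_pk, chain) -> bool:
    cur_pk, prev_tag = root_pk, -1
    for next_pk, tag, msg, sig in chain:
        if tag <= prev_tag:                      # tags must strictly increase
            return False
        if not lamport_verify(cur_pk, link_payload(next_pk, tag, msg), sig):
            return False
        cur_pk, prev_tag = next_pk, tag          # follow the delegation to the next key
    return True


def sign_blocks(blocks):
    """Sign constructed block hashes with the tag as block sequence number."""
    signer = OrderedSigner()
    chain = []
    for tag, block in enumerate(blocks, start=1):
        chain = signer.sign(tag, H(block))
    return signer.root_pk, chain


def fork_with_retained_key():
    """Classical keys do not self-destruct. An operator who secretly keeps the key
    consumed at tag 2 can sign a different block there, yielding a second valid
    chain that shares the prefix: exactly the fork one-shot security rules out."""
    signer = OrderedSigner()
    signer.sign(1, H(b"block-A"))
    retained_sk = signer._sk                     # copy of the key about to sign tag 2
    honest = signer.sign(2, H(b"block-B"))
    _, forged_pk = lamport_keygen()
    forged_sig = lamport_sign(retained_sk, link_payload(forged_pk, 2, H(b"block-B-prime")))
    fork = honest[:1] + [(forged_pk, 2, H(b"block-B-prime"), forged_sig)]
    return verify_chain(signer.root_pk, honest), verify_chain(signer.root_pk, fork)


if __name__ == "__main__":
    root_pk, chain = sign_blocks([b"block-A", b"block-B", b"block-C"])
    print("honest chain verifies:", verify_chain(root_pk, chain))
    print("reordered chain verifies:", verify_chain(root_pk, [chain[1], chain[0], chain[2]]))
    print("honest/fork both verify classically:", fork_with_retained_key())
```

Reordering or tampering with any link breaks verification, and the signer refuses a tag that does not exceed the last one. The fork check is the instructive one: both chains verify, which is precisely what a genuine one-shot key makes impossible, since the key that signed tag 2 would no longer exist to produce the second signature.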
How Would OSS Prevent Attacks On Cardano?
At the moment, no details are known about how the OSS system could be implemented. Nevertheless, it is possible to assume how such a system could work.
As explained in the previous section, the system can work with tags. Tags can define the sequence number of a block. When signing a new block, it will be necessary to increment the tag (sequence number).
When a block is signed at the next tag, the resulting link binds together the block (represented by its hash), the tag and the signature, so each link serves as a unique identifier for that position in the chain.
Let's try to explain it with a simplified example.
Imagine you're playing a game of building blocks with your friends (you are SPOs). Each of you has a unique set of blocks and you're building a tower together. Each block represents a set of transactions or a piece of data, and the tower represents the blockchain.
One-shot signatures are like unique stickers that each of you puts on your block when you add it to the tower. This sticker is so special that it can only be used once and then it disappears (the key self-destructs). It's made using a secret key, which is like a magic wand. But here's the catch - the magic wand can only create one sticker and then it breaks.
Now, let's say you want to make sure that the blocks (or transactions) are added to the tower (or blockchain) in the right order. This is where tags and unique identifiers come in.
Each sticker (or signature) you create with your magic wand (or secret key) has a unique tag or identifier. This tag could be a number or a code that is different for each sticker. When you put your block on the tower, everyone can see the tag on your sticker and know exactly where it fits in the sequence.
So, if someone tries to move the blocks around or add a block in the wrong place, you would know because the tags on the stickers would be out of order. This is how ordered signatures can help ensure the correct sequence of blocks in a blockchain.
And what about the magic wands (or secret keys)? Well, after you use your wand to create a sticker, it breaks (or self-destructs). This means that even if someone finds your broken wand, they can't use it to make a new sticker or mess up the order of blocks in the tower.
You can ask what stops someone from using different magic wands (keys) to build a different tower (blockchain) with the same or similar order of blocks (sequence of tags).
Creating a different blockchain that matches the order of the original one is not as simple as it sounds.
Each wand (key) is delegated by the one before it, all the way back to the operator's registered public key, so a sticker made with some other wand does not belong to this tower. An adversary can't use a different wand to attach a sticker to a block that already has one; verifiers accept only stickers whose chain leads back to that registered key.
In a long-range attack, an adversary tries to create a different blockchain starting from some point in the past. This is like trying to build a different tower starting from the middle. But remember the stickers (signatures) from the past blocks are already there and can’t be changed. So, the adversary can’t just replace them with new ones.
In a blockchain, the order of blocks is determined by a consensus mechanism. This is like a rule in our game that says the order of blocks in the tower is decided by all players together. So, an adversary can’t change the order of blocks on their own.
Once OSS is implemented in Cardano, the security guarantees would be noticeably stronger. A long-range attack based on stolen old keys would no longer be possible, because there would be no keys to steal: each one self-destructs immediately after signing its block. One caveat: one-shot signatures rely on quantum secret keys, so their deployment depends on hardware and constructions that are still at the research stage.