Reactively secure signature schemes

Protocols for problems like Byzantine agreement, clock synchronization, or contract signing often use digital signatures as the only cryptographic operation. Proofs of such protocols are frequently based on an idealizing "black-box" model of signatures. We show that the standard cryptographic security definition for digital signatures is not sufficient to ensure that such proofs are still valid if the idealized signatures are implemented with real, provably secure signatures. We propose a definition of signature security suitable for general reactive, asynchronous environments, called reactively secure signature schemes, and prove that, for signature schemes where signing just depends on a counter as state, the standard security definition implies our definition. We further propose an idealization of digital signatures that can be used in a reactive and composable fashion, and we show that reactively secure signature schemes constitute a secure implementation of our idealization. © Springer-Verlag 2005.