Next: Server-verified writes Up: Key rotation Previous: Rotating file-lockbox keys

Rotating file-sign and file-verify keys

By using the file-lockbox key generated above as a seed, we can bootstrap the seed into file-sign and file-verify keys as follows. Let the version $v$ file-sign key be $(d_v, N_v)$ and the corresponding file-verify key be $(e_v, N_v)$. In Plutus $N_v$ is stored in the file's header in the clear, signed by the owner to protect its integrity. Note that all files in the filegroup with the same version have the same value for $N_v$.

When a user is revoked, the owner picks a new RSA modulus $N_v$ and rotates the file-lockbox key forward to $K_v$. Using the latest seed $K_v$, owners and readers generate the file-verify key as follows. Given the seed $K_v$, $e_v$ is calculated by using $K_v$ as the seed of a pseudorandom number generator. The numbers output are added to $\sqrt{N_v}$ and tested for primality; the first such number that is prime is chosen as $e_v$. The conditions that $e_v \geq \sqrt{N_v}$ and that $e_v$ is prime guarantee that $\gcd(e_v,\phi(N_v)) = 1$ [28], making it a valid RSA public key. (Notice that the latter test cannot be performed by readers, because they do not know $\phi(N_v)$.) The pair $(e_v, N_v)$ is the file-verify key.

Owners generate the corresponding RSA private key $d_v$ and use it as the file-sign key. Since writers never have to sign any data with old file-sign keys, they directly get the latest file-sign key $(d_v, N_v)$ from the owner. If the writers have no read access, then they never get the seed, and so it is hard for them to determine the file-verify key from the file-sign key.

Given the current version seed $K_v$, readers can generate previous version file-verify keys $(e_u, N_u)$, for $u < v$, as follows. They first rotate the seed $K_v$ backwards to get the seed $K_u$, as described in the previous section. They read (and verify) the modulus $N_u$ from the file header. They then use the procedure described above to determine $e_u$ from $N_u$ and $K_u$.
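The derivation in the three paragraphs above, as an added Python example (not code from the Plutus paper): a SHA-256 counter-mode PRNG stands in for the unspecified pseudorandom generator, and the toy modulus is built from two Mersenne primes so the script runs offline; both are assumptions of this example, not Plutus design choices. The same `derive_verify_exponent` call with an older seed and the older modulus read from the file header is the reader-side step for previous versions.

```python
import hashlib
import math
import random

# Constructed toy modulus from two Mersenne primes (2^127-1, 2^107-1) so the script
# runs offline; a real owner draws fresh random primes of deployment size per version.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N_TOY, PHI_TOY = P * Q, (P - 1) * (Q - 1)

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin; witnesses are drawn deterministically so runs are repeatable."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = 2^r * d with d odd
    d, rng = (n - 1) >> r, random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_verify_exponent(K_v: bytes, N_v: int) -> int:
    """Owner and readers: first prime of the form ceil(sqrt(N_v)) + PRNG(K_v, i),
    using SHA-256 in counter mode as the PRNG (an assumption; the paper fixes none)."""
    root = math.isqrt(N_v) + 1  # >= sqrt(N_v), so every candidate is too
    for i in range(1 << 20):
        out = hashlib.sha256(K_v + i.to_bytes(4, "big")).digest()[:8]
        cand = root + int.from_bytes(out, "big")
        if is_probable_prime(cand):
            return cand
    raise RuntimeError("no prime candidate found")

def owner_sign_exponent(K_v: bytes, N_v: int, phi: int) -> int:
    """Owner only: needs phi(N_v) to check gcd(e_v, phi) = 1 and to invert e_v."""
    e_v = derive_verify_exponent(K_v, N_v)
    if math.gcd(e_v, phi) != 1:  # readers cannot perform this test
        raise ValueError("e_v not invertible; owner must pick a new modulus")
    return pow(e_v, -1, phi)  # d_v, the file-sign key handed to writers

def rsa_sign(d_v: int, N_v: int, data: bytes) -> int:  # writer: textbook RSA, no padding
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % N_v, d_v, N_v)

def rsa_verify(e_v: int, N_v: int, data: bytes, sig: int) -> bool:  # reader
    return pow(sig, e_v, N_v) == int.from_bytes(hashlib.sha256(data).digest(), "big") % N_v
```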

The reason for changing the modulus after every revocation is to thwart a subtle collusion attack involving a reader and a revoked writer: if the modulus were fixed to, say, $N'$, a revoked writer could collude with a reader to become a valid writer (knowing $e_v$, $d_v$, and $N'$ allows them to factor $N'$, and hence compute the new file-sign key).


2003-01-06