Linkable message tagging: solving the key distribution problem of signature schemes

  • Felix Günther
  • Bertram Poettering
Regular Contribution


Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter have not been found yet. This paper introduces a novel approach to cryptographic message authentication in which this problem does not arise: a linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys and hence elegantly sidesteps the key distribution problem of signature schemes. As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with an identical sender address. As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, based on different hardness assumptions, with and without requiring random oracles. This article extends prior work of the same authors that appeared in the proceedings of ACISP 2015 (Günther and Poettering 2015).
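To make the interface concrete, here is an added illustration that is not a construction from the paper: a classifiable message tagging (CMT) scheme obtained generically from a Schnorr-style signature by placing the public key inside the tag, so that two (message, tag) pairs are linked exactly when their embedded keys agree and both signatures verify, without any key being distributed beforehand. The `MailClient` class sketches the abstract's email use case; the group parameters `P`, `Q`, `G` are toy values and every name is an assumption.

```python
# Added illustration, not the paper's construction: a CMT built generically from
# a Schnorr-style signature by shipping the public key inside the tag. Classes
# are compared across messages; no key is distributed or trusted in advance.
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # toy safe prime P = 2Q + 1; G generates the order-Q subgroup

def H(*parts):
    """Fiat-Shamir hash to a challenge in Z_Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def tag(sk, msg):
    """Tag = (pk, c, s): the signer's public key plus a Schnorr signature on msg."""
    pk = pow(G, sk, P)
    k = secrets.randbelow(Q - 1) + 1
    c = H(pk, pow(G, k, P), msg)
    return pk, c, (k - c * sk) % Q

def classify(msg, t):
    """Return the class (embedded key) of a valid (msg, tag) pair, else None."""
    pk, c, s = t
    r = pow(G, s, P) * pow(pk, c, P) % P   # equals G^k exactly when the signature is valid
    return pk if H(pk, r, msg) == c else None

def link(m1, t1, m2, t2):
    """Linked iff both tags verify and were produced under the same secret key."""
    c1, c2 = classify(m1, t1), classify(m2, t2)
    return c1 is not None and c1 == c2

class MailClient:
    """Per sender address, remember the classes seen so far; flag a new one."""
    def __init__(self):
        self.seen = {}
    def receive(self, sender, msg, t):
        c = classify(msg, t)
        if c is None:
            return "invalid tag"
        known = self.seen.setdefault(sender, set())
        known.add(c)
        return "consistent" if len(known) == 1 else "sender key changed"
```

Because the class is the embedded key, an attacker who cannot forge signatures cannot make a message appear linked to an earlier one from a different key; the client only detects a change of key, it does not learn who the sender is.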


Keywords

Message authentication · Key distribution problem · Message tagging · Digital signatures

Mathematics Subject Classification

94A60 · 68P25



Both authors were supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE, and B. Poettering additionally by EPSRC Leadership Fellowship EP/H005455/1 and a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation. This work has been co-funded by the German Research Foundation (DFG) as part of project S4 within the CRC 1119 CROSSING.


  1. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.S. (Ed.) ASIACRYPT 2003, LNCS, vol. 2894, pp. 452–473. Springer, Berlin (2003)
  2. American National Standard for Financial Services: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (ANS X9.62-2005) (2005)
  3. Atkins, D., Stallings, W., Zimmermann, P.: PGP Message Exchange Formats. RFC 1991 (Informational) (1996). Obsoleted by RFC 4880
  4. Balfanz, D., Smetters, D.K., Stewart, P., Wong, H.C.: Talking to strangers: Authentication in ad-hoc wireless networks. In: NDSS 2002. The Internet Society (2002)
  5. Bassham, L., Polk, W., Housley, R.: Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3279 (Proposed Standard) (2002). Updated by RFCs 4055, 4491, 5480, 5758
  6. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (Eds.) CHES 2011, LNCS, vol. 6917, pp. 124–142. Springer, Berlin (2011)
  7. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (Eds.) PKC’99, LNCS, vol. 1560, pp. 154–170. Springer, Berlin (1999)
  8. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (Eds.) EUROCRYPT 2004, LNCS, vol. 3027, pp. 56–73. Springer, Berlin (2004)
  9. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (Ed.) ASIACRYPT 2001, LNCS, vol. 2248, pp. 514–532. Springer, Berlin (2001)
  10. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)
  11. Brown, D.: Certicom Research, Standards for Efficient Cryptography Group (SECG), SEC 1: Elliptic Curve Cryptography, version 2.0 (2009)
  12. Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Cryptogr. 35(1), 119–152 (2005)
  13. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format. RFC 4880 (Proposed Standard) (2007). Updated by RFC 5581
  14. Callas, J., Donnerhacke, L., Finney, H., Thayer, R.: OpenPGP Message Format. RFC 2440 (Proposed Standard) (1998). Obsoleted by RFC 4880
  15. Dang, Q., Santesson, S., Moriarty, K., Brown, D., Polk, T.: Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA. RFC 5758 (Proposed Standard) (2010)
  16. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  17. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (Ed.) CRYPTO’86, LNCS, vol. 263, pp. 186–194. Springer, Berlin (1987)
  18. Fox-IT: Black Tulip: Report of the Investigation into the DigiNotar Certificate Authority Breach (2012)
  19. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
  20. Goldwasser, S., Micali, S., Rivest, R.L.: A “paradoxical” solution to the signature problem (abstract) (impromptu talk). In: Blakley, G.R., Chaum, D. (Eds.) CRYPTO’84, LNCS, vol. 196, p. 467. Springer, Berlin (1985)
  21. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
  22. Google Online Security Blog: Maintaining Digital Certificate Security (2014)
  23. Guillou, L.C., Quisquater, J.J.: A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (Ed.) CRYPTO’88, LNCS, vol. 403, pp. 216–231. Springer, Berlin (1990)
  24. Günther, F., Poettering, B.: Linkable Message Tagging: Solving the Key Distribution Problem of Signature Schemes. In: Foo, E., Stebila, D. (Eds.) Information Security and Privacy, 20th Australasian Conference (ACISP 2015), LNCS, vol. 9144, pp. 195–212. Springer, Berlin (2015)
  25. Housley, R.: Cryptographic Message Syntax (CMS). RFC 3369 (Proposed Standard) (2002). Obsoleted by RFC 3852
  26. Housley, R.: Cryptographic Message Syntax (CMS). RFC 3852 (Proposed Standard) (2004). Obsoleted by RFC 5652, updated by RFCs 4853, 5083
  27. Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652 (Internet Standard) (2009)
  28. Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447 (Informational) (2003)
  29. Kaliski, B.: PKCS #7: Cryptographic Message Syntax Version 1.5. RFC 2315 (Informational) (1998)
  30. Katz, J.: Digital Signatures. Springer, Berlin (2010). ISBN 978-0387277110
  31. Koblitz, N., Menezes, A.: Another look at security definitions. Adv. Math. Commun. 7(1), 1–38 (2013)
  32. Laurie, B., Langley, A., Kasper, E.: Certificate Transparency. RFC 6962 (Experimental) (2013)
  33. Leontiev, S., Shefanovski, D.: Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC 4491 (Proposed Standard) (2006)
  34. Mashatan, A., Vaudenay, S.: A message recognition protocol based on standard assumptions. In: Zhou, J., Yung, M. (Eds.) ACNS 10, LNCS, vol. 6123, pp. 384–401. Springer, Berlin (2010)
  35. Menezes, A., Smart, N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. 33(3), 261–274 (2004)
  36. Micali, S.: A Secure and Efficient Digital Signature Algorithm. Technical Memo MIT/LCS/TM-501b, Massachusetts Institute of Technology, Laboratory for Computer Science (1994)
  37. National Institute of Standards and Technology: Digital Signature Standard (DSS) (FIPS PUB 186-4) (2013)
  38. Ong, H., Schnorr, C.P.: Fast signature generation with a Fiat–Shamir-like scheme. In: Damgård, I. (Ed.) EUROCRYPT’90, LNCS, vol. 473, pp. 432–440. Springer, Berlin (1990)
  39. OpenSSL Project: Open Source Secure Sockets Layer and Transport Layer Security Implementation
  40. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (Ed.) EUROCRYPT’96, LNCS, vol. 1070, pp. 387–398. Springer, Berlin (1996)
  41. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
  42. Ramsdell, B.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification. RFC 3851 (Proposed Standard) (2004). Obsoleted by RFC 5751
  43. Ramsdell, B., Turner, S.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751 (Proposed Standard) (2010)
  44. Schaad, J., Kaliski, B., Housley, R.: Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 4055 (Proposed Standard) (2005). Updated by RFC 5756
  45. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (Ed.) CRYPTO’89, LNCS, vol. 435, pp. 239–252. Springer, Berlin (1990)
  46. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  47. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (Eds.) CRYPTO’84, LNCS, vol. 196, pp. 47–53. Springer, Berlin (1985)
  48. TURKTRUST Information Security Services Inc.: Public Announcements (2013)
  49. Waters, B.R.: Efficient identity-based encryption without random oracles. In: Cramer, R. (Ed.) EUROCRYPT 2005, LNCS, vol. 3494, pp. 114–127. Springer, Berlin (2005)
  50. Weimerskirch, A., Westhoff, D.: Zero common-knowledge authentication for pervasive networks. In: Matsui, M., Zuccherato, R.J. (Eds.) SAC 2003, LNCS, vol. 3006, pp. 73–87. Springer, Berlin (2004)
  51. Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th Conference on USENIX Security Symposium, Volume 8 (SSYM’99), p. 14. USENIX Association, Berkeley, CA, USA (1999)

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. Cryptoplexity Group, Technische Universität Darmstadt, Darmstadt, Germany
  2. Foundations of Cryptography, Ruhr-Universität Bochum, Bochum, Germany
