Linkable Message Tagging: Solving the Key Distribution Problem of Signature Schemes

  • Felix Günther
  • Bertram Poettering
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9144)


Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter haven’t been found yet. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys, and hence elegantly sidesteps the key distribution problem of signature schemes.

As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address.

As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles.


Message authentication Key distribution problem Message tagging Digital signatures 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  2. 2.
    Balfanz, D., Smetters, D.K., Stewart, P., Wong, H.C.: Talking to strangers: authentication in ad-hoc wireless networks. In: NDSS 2002. The Internet Society, February 2002Google Scholar
  3. 3.
    Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  4. 4.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  5. 5.
    Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP Message Format. RFC 4880 (Proposed Standard), November 2007. Updated by RFC 5581
  6. 6.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)zbMATHMathSciNetCrossRefGoogle Scholar
  7. 7.
    Fox-IT: Black Tulip – Report of the investigation into the DigiNotar Certificate Authority breach, August 2012.
  8. 8.
    Google Online Security Blog: Maintaining digital certificate security, July 2014.
  9. 9.
    Günther, F., Poettering, B.: Linkable Message Tagging: Solving the key distribution problem of signature schemes. Cryptology ePrint Archive, Report 2014/014 (2014).
  10. 10.
    Kaliski, B.: PKCS #7: Cryptographic Message Syntax Version 1.5. RFC 2315 (Informational), March 1998.
  11. 11.
    Koblitz, N., Menezes, A.: Another look at security definitions. Advances in Mathematics of Communications 7(1), 1–38 (2013)zbMATHMathSciNetCrossRefGoogle Scholar
  12. 12.
    Mashatan, A., Vaudenay, S.: A message recognition protocol based on standard assumptions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 384–401. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  13. 13.
    Menezes, A., Smart, N.P.: Security of signature schemes in a multi-user setting. Designs, Codes and Cryptography 33(3), 261–274 (2004)zbMATHMathSciNetCrossRefGoogle Scholar
  14. 14.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000)zbMATHCrossRefGoogle Scholar
  15. 15.
    Schnorr, C.P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)zbMATHMathSciNetCrossRefGoogle Scholar
  16. 16.
    Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) CrossRefGoogle Scholar
  17. 17.
    TURKTRUST Information Security Services Inc.: Public Announcements, January 2013.
  18. 18.
    Weimerskirch, A., Westhoff, D.: Zero common-knowledge authentication for pervasive networks. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 73–87. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  19. 19.
    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the 8th Conference on USENIX Security Symposium, SSYM 1999, vol. 8, p. 14. USENIX Association, Berkeley (1999).

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Cryptoplexity GroupTechnische Universität DarmstadtDarmstadtGermany
  2. 2.Foundations of CryptographyRuhr-Universität BochumBochumGermany

Personalised recommendations