Deterring Certificate Subversion: Efficient Double-Authentication-Preventing Signatures
We present highly efficient double-authentication-preventing signatures (DAPS). In a DAPS scheme, signing two messages that share the same first part but differ in their second parts reveals the signing key. In the context of PKIs, we suggest that CAs who use DAPS to create certificates have a court-convincing argument for denying big-brother requests to create rogue certificates, thus deterring certificate subversion. We give two general methods for obtaining DAPS, both starting from trapdoor identification schemes. We instantiate our transforms to obtain numerous specific DAPS that, in addition to being efficient, are proven secure with tight reductions to standard assumptions. We implement our DAPS schemes to show that they are not only several orders of magnitude more efficient than prior DAPS but also competitive with in-use signature schemes that lack the double-authentication-preventing property.
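The double-authentication-preventing property as an added toy illustration, not code from the paper: a GQ-style identification scheme whose RSA trapdoor lets the signer open a commitment that the verifier recomputes from the first message part (the address), so two signatures on one address with different second parts (payloads) share that commitment and reveal the secret x via a Bézout combination of the two challenges. The primes, seed, hash truncation and name choices are constructed for readability and are not secure parameters.

```python
import hashlib

# Constructed toy parameters (far too small for real use). The RSA modulus supplies the trapdoor
# of the GQ identification scheme: the signer can open any commitment Y that the verifier derives
# from the address alone, which is what ties both signatures on an address to the same y.
P, Q = 104729, 1299709        # constructed toy primes
E = 65537                     # prime GQ exponent; exceeds the challenge space so gcd(c1 - c2, E) == 1
CHALLENGE_BITS = 16           # challenges satisfy 0 <= c < 2**16 < E

def h_int(tag: bytes, *parts: bytes, bits: int) -> int:
    """Domain-separated SHA-256 truncated to `bits` bits (stands in for the random oracles)."""
    data = tag + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def bezout(u: int, v: int):
    """Extended Euclid: returns (a, b) with a*u + b*v == gcd(u, v); u may be negative."""
    a0, a1, b0, b1, r0, r1 = 1, 0, 0, 1, u, v
    while r1:
        q = r0 // r1
        a0, a1, b0, b1, r0, r1 = a1, a0 - q * a1, b1, b0 - q * b1, r1, r0 - q * r1
    return a0, b0

def keygen(seed: bytes):
    n, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(E, -1, phi)                     # trapdoor: E-th roots mod n
    x = h_int(b"sk", seed, bits=64) % n     # GQ secret, derived from a seed for reproducibility
    return (n, pow(x, E, n)), (x, d)        # pk = (n, X = x^E mod n), sk = (x, d)

def commitment(pk, address: bytes) -> int:
    """Y depends on the address only, so every signature on one address shares it."""
    return h_int(b"addr", address, bits=256) % pk[0]

def challenge(Y: int, address: bytes, payload: bytes) -> int:
    return h_int(b"chal", Y.to_bytes(8, "big"), address, payload, bits=CHALLENGE_BITS)

def sign(pk, sk, address: bytes, payload: bytes):
    n, (x, d) = pk[0], sk
    Y = commitment(pk, address)
    y = pow(Y, d, n)                        # open Y with the trapdoor: y^E == Y mod n
    c = challenge(Y, address, payload)
    return c, (y * pow(x, c, n)) % n        # GQ response z = y * x^c mod n

def verify(pk, address: bytes, payload: bytes, sig) -> bool:
    (n, X), (c, z) = pk, sig
    Y = commitment(pk, address)
    return c == challenge(Y, address, payload) and pow(z, E, n) == (Y * pow(X, c, n)) % n

def extract(pk, sig1, sig2) -> int:
    """Two valid signatures on one address with different challenges reveal x."""
    (n, X), ((c1, z1), (c2, z2)) = pk, (sig1, sig2)
    if c1 == c2:
        raise ValueError("same challenge: nothing leaks (same payload signed twice)")
    a, b = bezout(c1 - c2, E)               # a*(c1 - c2) + b*E == 1
    # z1/z2 == x^(c1 - c2) because the shared y cancels, so (z1/z2)^a * X^b == x
    return (pow(z1 * pow(z2, -1, n), a, n) * pow(X, b, n)) % n
```

Signing the same address and payload twice is deterministic and leaks nothing; only a second, different payload under the same address triggers extraction.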
Keywords: Identification scheme, Signature scheme, Random oracle, Certificate authority, Passive attack
We thank the authors of  for helpful comments about their scheme. MB was supported by NSF grants CNS-1228890 and CNS-1526801, a gift from Microsoft corporation and ERC Project ERCC (FP7/615074). BP was supported by ERC Project ERCC (FP7/615074). DS was supported in part by Australian Research Council (ARC) Discovery Project grant DP130104304 and Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146 and an NSERC Discovery Accelerator Supplement.