Deterring Certificate Subversion: Efficient Double-Authentication-Preventing Signatures

  • Mihir Bellare
  • Bertram Poettering
  • Douglas Stebila
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10175)


We present highly efficient double authentication preventing signatures (DAPS). In a DAPS, signing two messages with the same first part and differing second parts reveals the signing key. In the context of PKIs we suggest that CAs who use DAPS to create certificates have a court-convincing argument to deny big-brother requests to create rogue certificates, thus deterring certificate subversion. We give two general methods for obtaining DAPS. Both start from trapdoor identification schemes. We instantiate our transforms to obtain numerous specific DAPS that, in addition to being efficient, are proven with tight security reductions to standard assumptions. We implement our DAPS schemes to show that they are not only several orders of magnitude more efficient than prior DAPS but competitive with in-use signature schemes that lack the double authentication preventing property.
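The following is an added toy illustration of the DAPS property described above; it is not the paper's construction or code. It builds a DAPS from Guillou-Quisquater identification with an RSA trapdoor, in the spirit of the trapdoor-identification approach the abstract mentions: the address (first part of the message) fixes the commitment, so two signatures on the same address with different payloads share the commitment and differ only in the challenge, which lets anyone recover the secret key. All parameters, function names and sample inputs are constructed for the example.

```python
"""Toy DAPS from GQ identification + RSA trapdoor (constructed example, not the paper's code)."""
import hashlib

# Constructed toy parameters, far too small for real use. E is prime, so any two
# distinct challenges c1 != c2 in [0, E) satisfy gcd(c1 - c2, E) = 1.
P, Q, E = 1000003, 1000033, 65537
N = P * Q

def _h(tag: bytes, *parts: bytes) -> int:
    data = tag + b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _challenge(address: bytes, payload: bytes, Y: int) -> int:
    return _h(b"chal", address, payload, Y.to_bytes(16, "big")) % E

def keygen(seed: bytes):
    """sk = (x, d): GQ secret x plus the RSA trapdoor d; pk = X = x^E mod N."""
    x = _h(b"key", seed) % N
    d = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor for E-th roots mod N
    return (x, d), pow(x, E, N)

def sign(sk, address: bytes, payload: bytes) -> int:
    x, d = sk
    Y = _h(b"commit", address) % N          # commitment is a function of the address only
    y = pow(Y, d, N)                        # trapdoor gives y with y^E = Y mod N
    c = _challenge(address, payload, Y)
    return y * pow(x, c, N) % N             # GQ response z = y * x^c

def verify(X: int, address: bytes, payload: bytes, z: int) -> bool:
    Y = _h(b"commit", address) % N
    c = _challenge(address, payload, Y)
    return pow(z, E, N) == Y * pow(X, c, N) % N

def extract(X: int, address: bytes, p1: bytes, z1: int, p2: bytes, z2: int) -> int:
    """Anyone holding two valid signatures on the same address recovers x."""
    Y = _h(b"commit", address) % N
    delta = _challenge(address, p1, Y) - _challenge(address, p2, Y)
    if delta % E == 0:
        raise ValueError("challenges coincide; payloads must differ")
    a = pow(delta, -1, E)                   # a*delta = 1 (mod E)
    b = (1 - a * delta) // E                # hence a*delta + b*E = 1 exactly
    ratio = z1 * pow(z2, -1, N) % N         # ratio^E = X^delta mod N
    return pow(ratio, a, N) * pow(X, b, N) % N   # the unique E-th root of X, i.e. x
```

A CA that signed one certificate per subject never triggers `extract`; issuing a second, rogue certificate for the same subject hands its key to whoever sees both.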





We thank the authors of [17] for helpful comments about their scheme. MB was supported by NSF grants CNS-1228890 and CNS-1526801, a gift from Microsoft corporation and ERC Project ERCC (FP7/615074). BP was supported by ERC Project ERCC (FP7/615074). DS was supported in part by Australian Research Council (ARC) Discovery Project grant DP130104304 and Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146 and an NSERC Discovery Accelerator Supplement.


  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). doi: 10.1007/3-540-46035-7_28
  2. Bellare, M., Poettering, B., Stebila, D.: Deterring certificate subversion: efficient double-authentication-preventing signatures. Cryptology ePrint Archive, Report 2016/1016 (2016)
  3. Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53890-6_15
  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993. doi: 10.1145/168588.168596
  5. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). doi: 10.1007/11761679_25
  6. Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). doi: 10.1007/3-540-45760-7_9
  7. Cramer, R.: Modular design of secure, yet practical protocols. Ph.D. thesis, University of Amsterdam (1996)
  8. Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_4
  9. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi: 10.1007/3-540-47721-7_12
  10. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988). doi: 10.1137/0217017
  11. Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990). doi: 10.1007/0-387-34799-2_16
  12. Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptol. 15(1), 1–18 (2002). doi: 10.1007/s00145-001-0005-8
  13. Miracle, S., Yilek, S.: Reverse cycle walking and its applications. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 679–700. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53887-6_25
  14. Ohta, K., Okamoto, T.: On concrete security treatment of signatures derived from identification. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 354–369. Springer, Heidelberg (1998). doi: 10.1007/BFb0055741
  15. Poettering, B., Stebila, D.: Double-authentication-preventing signatures. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 436–453. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11203-9_25
  16. Poettering, B., Stebila, D.: Double-authentication-preventing signatures. Int. J. Inf. Secur. (2015). doi: 10.1007/s10207-015-0307-8
  17. Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire!: penalizing equivocation by loss of bitcoins. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 219–230. ACM Press, October 2015. doi: 10.1145/2810103.2813686

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Mihir Bellare, Department of Computer Science and Engineering, University of California, San Diego, La Jolla, USA
  • Bertram Poettering, Department of Mathematics, Ruhr University Bochum, Bochum, Germany
  • Douglas Stebila, Department of Computing and Software, McMaster University, Hamilton, Canada
