Certificate Revocation Using Fine Grained Certificate Space Partitioning

  • Vipul Goyal
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4886)


A new certificate revocation system is presented. The basic idea is to divide the certificate space into several partitions, the number of partitions being dependent on the PKI environment. Each partition contains the status of a set of certificates. A partition may either expire or be renewed at the end of a time slot. This is done efficiently using hash chains.

We evaluate the performance of our scheme following the framework and numbers used in previous papers. We show that for many practical values of the system parameters, our scheme is more efficient than the three well known certificate revocation techniques: CRL, CRS and CRT. Our scheme strikes the right balance between CA to directory communication costs and query costs by carefully selecting the number of partitions.


Time Slot Serial Number Fine Grained Internet Engineer Task Force Revocation Status 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [ALO98]
    Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation (extended abstract). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 137–152. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. [BF01]
    Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. [BLL00]
    Buldas, A., Laud, P., Lipmaa, H.: Accountable certificate management using undeniable attestations. In: ACM Conference on Computer and Communications Security, pp. 9–17 (2000)Google Scholar
  4. [CJ02]
    Coppersmith, D., Jakobsson, M.: Almost optimal hash sequence traversal. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 102–119. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. [DBW01]
    Dan Boneh, G.T., Ding, X., Wong, C.M.: A method for fast revocation of public key certificates and security capabilities. In: The 10th USENIX Security Symposium, pp. 297–308 (2001)Google Scholar
  6. [Gen03]
    Gentry, C.: Certificate-based encryption and the certificate revocation problem. In: Biham, E. (ed.) EUROCRPYT 2003. LNCS, vol. 2656, pp. 272–293. Springer, Heidelberg (2003)Google Scholar
  7. [GGM00]
    Gassko, I., Gemmell, P., MacKenzie, P.D.: Efficient and fresh certification. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 342–353. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. [Goy04]
    Goyal, V.: Certificate revocation lists or online mechanisms. In: Fernández-Medina, E., César Hernández Castro, J., Javier García-Villalba, L.(eds.) WOSIS, pp. 261–268, INSTICC Press (2004)Google Scholar
  9. [Jak02]
    Jakobsson, M.: Fractal hash sequence representation and traversal. In: ISIT 2002, and
  10. [Koc98]
    Kocher, P.C.: On certificate revocation and validation. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 172–177. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  11. [Mer89]
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
  12. [Mic96]
    Micali, S.: Efficient certificate revocation. Technical Report MIT/LCS/TM-542b (1996)Google Scholar
  13. [Mic97]
    Micali, S.: Efficient certificate revocation. In: Proceedings 1997 RSA Data Security Conference (1997)Google Scholar
  14. [Mic02]
    Micali, S.: Novomodo: Scalable certificate validation and simplified pki management. In: 1st Annual PKI Research Workshop - Proceeding (2002)Google Scholar
  15. [MJ00]
    McDaniel, P.D., Jamin, S.: Windowed certificate revocation. In: INFOCOM, pp. 1406–1414 (2000)Google Scholar
  16. [NN98]
    Naor, M., Nissim, K.:Certificate revocation and certificate update. In: Proceedings 7th USENIX Security Symposium (San Antonio, Texas) (January 1998)Google Scholar
  17. [OCSrg]
    Online certificate status protocol: version 2. In: Working document of the Internet Engineering Task Force (IETF), RFC 2560,
  18. [Riv98]
    Rivest, R.L.: Can we eliminate certificate revocations lists? In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 178–183. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  19. [Sel03]
    Sella, Y.: On the computation-storage trade-offs of hash chain traversal. In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 270–285. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. [Stu95]
    Stubblebine, S.: Recent-secure authentication: Enforcing revocation in distributed systems. In: Proceedings 1995 IEEE Symposium on Research in Security and Privacy, pp. 224–234 (May 1995)Google Scholar
  21. [Zhe03]
    Zheng, P.: Tradeoffs in certificate revocation schemes. Computer Communication Review 33(2), 103–112 (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Vipul Goyal
    • 1
  1. 1.Department of Computer ScienceUniversity of CaliforniaLos Angeles

Personalised recommendations