Linkable message tagging: solving the key distribution problem of signature schemes

Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter have not been found yet. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys and hence elegantly sidesteps the key distribution problem of signature schemes. As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address. As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles. This article extends prior work of the same authors that appeared in the proceedings of ACISP 2015 (Günther and Poettering in 2015).

[1]  Sean Turner,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification , 2019, RFC.

[2]  David Shaw,et al.  OpenPGP Message Format , 1998, RFC.

[3]  Diana K. Smetters,et al.  Talking to Strangers: Authentication in Ad-Hoc Wireless Networks , 2002, NDSS.

[4]  Dirk Westhoff,et al.  Zero Common-Knowledge Authentication for Pervasive Networks , 2003, Selected Areas in Cryptography.

[5]  Felix Günther,et al.  Linkable Message Tagging: Solving the Key Distribution Problem of Signature Schemes , 2015, ACISP.

[6]  Adam Langley,et al.  Certificate Transparency , 2014, RFC.

[7]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[8]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[9]  Blake Ramsdell,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification , 2004, RFC.

[10]  Claus-Peter Schnorr,et al.  Fast Signature Generation With a Fiat Shamir-Like Scheme , 1991, EUROCRYPT.

[11]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[12]  Yongge Wang,et al.  Public Key Cryptography Standards: PKCS , 2012, ArXiv.

[13]  Serguei Leontiev,et al.  Using the GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile , 2006, RFC.

[14]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[15]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[16]  Jean-Jacques Quisquater,et al.  A "Paradoxical" Indentity-Based Signature Scheme Resulting from Zero-Knowledge , 1988, CRYPTO.

[17]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[18]  Kenneth G. Paterson,et al.  Certificateless Public Key Cryptography , 2003 .

[19]  Alfred Menezes,et al.  Another look at security definitions , 2013, Adv. Math. Commun..

[20]  Daniel R. L. Brown Generic Groups, Collision Resistance, and ECDSA , 2002, Des. Codes Cryptogr..

[21]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[22]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[23]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[24]  Burton S. Kaliski,et al.  PKCS #7: Cryptographic Message Syntax Version 1.5 , 1998, RFC.

[25]  Tanja Lange,et al.  High-speed high-security signatures , 2011, Journal of Cryptographic Engineering.

[26]  Alfred Menezes,et al.  Security of Signature Schemes in a Multi-User Setting , 2004, Des. Codes Cryptogr..

[27]  Alfred Menezes,et al.  Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol , 1999, Public Key Cryptography.

[28]  Russ Housley,et al.  Cryptographic Message Syntax (CMS) , 2002, RFC.

[29]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[30]  Stefan Santesson,et al.  Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA , 2010, RFC.

[31]  Jakob Jonsson,et al.  Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 , 2003, RFC.

[32]  Serge Vaudenay,et al.  A Message Recognition Protocol Based on Standard Assumptions , 2010, ACNS.

[33]  Russ Housley,et al.  Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2005, RFC.

[34]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[35]  William Stallings,et al.  PGP Message Exchange Formats , 1996, RFC.

[36]  Jonathan Katz,et al.  Digital Signatures , 2010 .

[37]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[38]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[39]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[40]  Silvio Micali,et al.  A "Paradoxical'"Solution to the Signature Problem (Abstract) , 1984, CRYPTO.