Paper 2019/390

KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures

Michael Specter, Sunoo Park, and Matthew Green


Email breaches are commonplace, and they expose a wealth of personal, business, and political data whose release may have devastating consequences. Such damage is compounded by email’s strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic, a property arising from a necessary anti-spam/anti-spoofing protocol called DKIM. This greatly increases attackers’ capacity to do harm by selling the stolen information to third parties, blackmail, or publicly releasing intimate or sensitive messages — all with built-in cryptographic proof of authenticity. This paper introduces non-attributable email, which guarantees that a wide class of adversaries are unable to convince discerning third parties of the authenticity of stolen emails. We formally define non-attributability, and present two system proposals — KeyForge and TimeForge — that provably achieve non-attributability while maintaining the important spam/spoofing protections currently provided by DKIM. Finally, we implement both and evaluate their speed and bandwidth performance overhead. We demonstrate the practicality of KeyForge, which achieves reasonable verification overhead while signing faster and requiring 42% less bandwidth per message than DKIM’s RSA-2048.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
deniabilitykey managementpublic-key cryptographydigital signaturesapplications
Contact author(s)
specter @ mit edu
2020-08-31: revised
2019-04-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Specter and Sunoo Park and Matthew Green},
      title = {KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2019/390},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.