Cryptology ePrint Archive: Report 2019/807

When PKI (finally) met Provable Security

Hemi Leibowitz and Amir Herzberg and Ewa Syta

Abstract: Public Key Infrastructure (PKI) schemes were first proposed in 1978 and standardized in 1988, yet, unlike most cryptographic schemes, PKI schemes were never rigorously defined. Achieving provable security for PKI is necessary and long overdue, as PKI provides the foundation for important applications of public key cryptography, such as TLS/SSL. In response, we present the first precise specifications of a secure PKI scheme, suitable for a variety of PKI designs.

PKI schemes have significantly evolved since X.509, with more complex goals, e.g., transparency, to ensure security against corrupt issuers. In addition to the basic PKI properties, our definitions encompass these more recent and advanced aspects.

Our results have important implications. First, our specifications allow a better scrutiny and comparison of the multitude of new PKI designs recently proposed, such as Google’s Certificate Transparency (CT) and related PKIs, as well as future designs. Second, the specifications facilitate proper analysis of protocols and systems that use PKI, such as TLS/SSL, code signing, IPsec, DNSSEC, RPKI, BGPsec, permissioned blockchains, voting, recommendations, which is of critical importance as most real-world security schemes inherently rely on PKI. Finally, we use our specifications to formalize and prove X.509 version 2 PKI, showing that provable security is achievable for ‘real’ PKI designs.

Category / Keywords: public-key cryptography / public-key infrastrcture, certificates

Date: received 11 Jul 2019, last revised 29 Sep 2021

Contact author: leibo hemi at gmail com, amir herzberg at gmail com, ewa syta at trincoll edu

Available format(s): PDF | BibTeX Citation

Note: Some of the work that was initially included in previous versions of this work resulted in separate publications. Namely: - MoSS: Modular Security Specifications Framework ( - CTng: Secure Certificate and Revocation Transparency (

Version: 20210929:120623 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]