Paper 2021/818
CTng: Secure Certificate and Revocation Transparency
Abstract
We present CTng, an evolutionary and practical PKI design that efficiently addresses multiple key challenges faced by deployed PKI systems. CTng ensures strong security properties, including guaranteed transparency of certificates and guaranteed, unequivocal revocation, achieved under NTTP-security, i.e., without requiring trust in any single CA, logger, or relying party. These guarantees hold even in the presence of arbitrary corruptions of these entities, assuming only a known bound (f) of corrupt monitors (e.g., f=8), with minimal performance impact. CTng also enables offline certificate validation and preserves relying-party privacy, while providing scalable and efficient distribution of revocation updates. Furthermore, CTng is post-quantum ready, maintaining efficiency even with high-overhead quantum-secure signature schemes. These properties significantly improve upon current PKI designs. In particular, while Certificate Transparency (CT) aims to eliminate single points of trust, the existing specification still assumes benign loggers. Addressing this through log redundancy is possible, but rather inefficient, limiting deployed configurations to f ≤ 2. We present a security analysis and an evaluation of our open-source CTng prototype, showing that it is efficient and scalable under realistic deployment conditions.
Metadata
- Available format(s)
-
PDF
- Category
- Public-key cryptography
- Publication info
- Preprint.
- Keywords
- public key infrastructurecertificate transparency
- Contact author(s)
-
jie kong @ uconn edu
damon james @ uconn edu
leibo hemi @ gmail com
ewa syta @ trincoll edu
amir herzberg @ uconn edu - History
- 2025-05-22: last of 4 revisions
- 2021-06-16: received
- See all versions
- Short URL
- https://ia.cr/2021/818
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2021/818, author = {Jie Kong and Damon James and Hemi Leibowitz and Ewa Syta and Amir Herzberg}, title = {{CTng}: Secure Certificate and Revocation Transparency}, howpublished = {Cryptology {ePrint} Archive, Paper 2021/818}, year = {2021}, url = {https://eprint.iacr.org/2021/818} }