Paper 2022/1753

DSKE: Digital Signature with Key Extraction

Orestis Alpos, University of Bern
Zhipeng Wang, Imperial College London
Alireza Kavousi, University College London
Sze Yiu Chau, The Chinese University of Hong Kong
Duc Le, VISA Research
Christian Cachin, University of Bern

In general, digital signatures can be used to prove authenticity for as long as the signature scheme is not broken and the private key is kept secret. While this ``long-lived" authenticity might be useful in some scenarios, it is inherently undesirable for certain types of sensitive communication, for instance, whistleblowing. A particular concern in this case is that the communication could be leaked in the future, which might lead to potential retaliation and extortion. This calls for a scheme that lets signers prove authenticity for a limited period of time, while allowing them to deny having signed any messages afterwards. We argue that such a scheme could offer a desirable degree of protection to signers through deniability against future leaks, while reducing the incentives for criminals to obtain leaked communications for the sole purpose of blackmailing. This paper introduces the concept of DSKE, digital signatures with key extraction. In a DSKE scheme, the secret key can be extracted if more than a threshold of signatures on arbitrary messages are ever created. Hence, it provides signers with plausible deniability, by demonstrating a group of recipients that can collectively extract the private key, while, within the threshold, each signature still proves authenticity. We give a formal definition of DSKE, as well as two provably secure constructions, one from hash-based digital signatures and one from polynomial commitments. We show that, in applications where a signer is expected to create a number of signatures, DSKE offers deniability for free. Moreover, DSKE can be employed to disincentivize malicious behavior, such as equivocation and double-signing. Additionally, we present a forward-forgeable signature construction, GroupForge. To that end, we combine a DSKE scheme with a Merkle tree and timestamps, thereby obtaining a "short-lived" signature with extractable sets, which provide deniability under a fixed public key. Finally, we demonstrate that GroupForge can replace Keyforge in the non-attributable email protocol of Specter, Park, and Green (USENIX Sec '21), hence eliminating the need to continuously disclose outdated private keys.

Available format(s)
Cryptographic protocols
Publication info
Digital SignaturesPolynomial CommitmentsDeniabilityNon-attributabilityHash-based Signatures
Contact author(s)
orestis alpos @ unibe ch
zhipeng wang20 @ imperial ac uk
alireza kavousi 21 @ ucl ac uk
sychau @ ie cuhk edu hk
2023-03-10: revised
2022-12-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Orestis Alpos and Zhipeng Wang and Alireza Kavousi and Sze Yiu Chau and Duc Le and Christian Cachin},
      title = {DSKE: Digital Signature with Key Extraction},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1753},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.