DSKE: Digital Signature with Key Extraction

Orestis Alpos; Zhipeng Wang; Alireza Kavousi; Sze Yiu Chau; Duc Le; Christian Cachin

Paper 2022/1753

DSKE: Digital Signature with Key Extraction

Orestis Alpos

, University of Bern

Zhipeng Wang, Imperial College London

Alireza Kavousi, University College London

Sze Yiu Chau, The Chinese University of Hong Kong

Duc Le, VISA Research

Christian Cachin

, University of Bern

Abstract

In general, digital signatures can be used to prove authenticity for as long as the signature scheme is not broken and the private key is kept secret. While this ``long-lived" authenticity might be useful in some scenarios, it is inherently undesirable for certain types of sensitive communication, for instance, whistleblowing. A particular concern in this case is that the communication could be leaked in the future, which might lead to potential retaliation and extortion. This calls for a scheme that lets signers prove authenticity for a limited period of time, while allowing them to deny having signed any messages afterwards. We argue that such a scheme could offer a desirable degree of protection to signers through deniability against future leaks, while reducing the incentives for criminals to obtain leaked communications for the sole purpose of blackmailing. This paper introduces the concept of DSKE, digital signatures with key extraction. In a DSKE scheme, the secret key can be extracted if more than a threshold of signatures on arbitrary messages are ever created. Hence, it provides signers with plausible deniability, by demonstrating a group of recipients that can collectively extract the private key, while, within the threshold, each signature still proves authenticity. We give a formal definition of DSKE, as well as two provably secure constructions, one from hash-based digital signatures and one from polynomial commitments. We show that, in applications where a signer is expected to create a number of signatures, DSKE offers deniability for free. Moreover, DSKE can be employed to disincentivize malicious behavior, such as equivocation and double-signing. Additionally, we present a forward-forgeable signature construction, GroupForge. To that end, we combine a DSKE scheme with a Merkle tree and timestamps, thereby obtaining a "short-lived" signature with extractable sets, which provide deniability under a fixed public key. Finally, we demonstrate that GroupForge can replace Keyforge in the non-attributable email protocol of Specter, Park, and Green (USENIX Sec '21), hence eliminating the need to continuously disclose outdated private keys.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: Digital Signatures Polynomial Commitments Deniability Non-attributability Hash-based Signatures
Contact author(s): orestis alpos @ unibe ch
zhipeng wang20 @ imperial ac uk
alireza kavousi 21 @ ucl ac uk
sychau @ ie cuhk edu hk
History: 2023-03-10: revised; 2022-12-21: received; See all versions
Short URL: https://ia.cr/2022/1753
License: CC BY

BibTeX

@misc{cryptoeprint:2022/1753,
      author = {Orestis Alpos and Zhipeng Wang and Alireza Kavousi and Sze Yiu Chau and Duc Le and Christian Cachin},
      title = {DSKE: Digital Signature with Key Extraction},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1753},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1753}},
      url = {https://eprint.iacr.org/2022/1753}
}