[Resource Topic] 2022/1753: DSKE: Digital Signature with Key Extraction

Welcome to the resource topic for 2022/1753

DSKE: Digital Signature with Key Extraction

Authors: Orestis Alpos, Zhipeng Wang, Alireza Kavousi, Sze Yiu Chau, Duc Le, Christian Cachin


In general, digital signatures can be used to prove authenticity for as long as the signature scheme is not broken and the signing key is kept secret. While this “long-lived” authenticity might be useful in some scenarios, it is inherently undesirable for certain types of sensitive communication, for instance, whistleblowing. A particular concern in this case is that the communication could be leaked in the future, which might lead to potential retaliation and extortion. Therefore, a natural question to ask is whether it is possible to design a signature scheme that allows the signers to prove authenticity for a limited period of time, and then afterwards be able to deny having signed any messages in the first place. We argue that this could offer a desirable degree of protection to the signers through deniability against future leaks. This also reduces the incentives for criminals to obtain leaked communications for the sole purpose of blackmailing.

This paper introduces the concept of digital signature with key extraction (DSKE). In such schemes, signers can have plausible deniability by demonstrating that a group of recipients can collectively extract the signing key, while, within a certain threshold, the signature deterministically proves message authenticity. We give a formal definition of DSKE, as well as two provably secure constructions, one based on hash-based digital signatures and the other based on polynomial commitments. Later, we propose a forward-forgeable signature construction, GroupForge, by combining DSKE constructions with Merkle trees and timestamps to have a “short-lived” signature with extractable sets that can act as deniable groups under a fixed public key. Finally, we demonstrate that GroupForge can replace Keyforge in the non-attributable email protocol of Specter, Park, and Green (USENIX Sec '21), hence eliminating the need to continuously disclose outdated private keys.

ePrint: https://eprint.iacr.org/2022/1753


Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.