Abstract
Public-key infrastructures (PKIs) are an integral part of the security foundations of digital communications. Their widespread deployment has allowed the growth of important applications such as internet banking and e-commerce. Centralized PKIs (CPKIs) rely on a hierarchy of trusted Certification Authorities (CAs) for issuing, distributing and managing the status of digital certificates, i.e., unforgeable data structures that attest to the authenticity of an entity’s public key. Unfortunately, CPKIs have many downsides in terms of security and fault tolerance, and there have been numerous security incidents throughout the years. Decentralized PKIs (DPKIs) were proposed to deal with these issues, as they rely on multiple, independent nodes. Nevertheless, decentralization raises other concerns, such as what incentives the participating nodes have to ensure the service’s availability.
In our work, we leverage the scalability, as well as the built-in incentive mechanism, of blockchain systems and propose a smart contract-based DPKI. The main barrier to realizing a smart contract-based DPKI is the size of the contract’s state which, being its most expensive resource to access, must be minimized for a construction to be viable. We resolve this problem by proposing, and using in our DPKI, a public-state cryptographic accumulator of constant size, a cryptographic tool which may be of independent interest in the context of blockchain protocols. We are also the first to formalize the DPKI design problem in the Universal Composability (UC) framework, and we formally prove the security of our construction under the strong RSA assumption in the Random Oracle model, assuming the existence of an ideal smart contract functionality.
Notes
1. As we explained in Sect. 5, the set \(X_2'\) is derived from \(DBstate'\) in the following way: for any record of the form \((\mathsf {Register}, id, pk, i, W_1, W_2,W_3)\), (id, i, a) is added to \(X_2'\), and for any record of the form \((\mathsf {Revoke}, id, pk, i)\), (id, i, d) is added to \(X_2'\).
A Proof of Theorem 2
We construct a simulator \(\mathcal {S}\) (Fig. 8) which emulates an execution of the protocol \(\pi \) in the hybrid world, in the presence of an adversary \(\mathcal {A}\). \(\mathcal {S}\) plays the role of T, \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{UDB}\), and acts on behalf of a number of honest clients and on behalf of the servers in the emulation of \(\pi \). We show that an environment can distinguish between the executions in the hybrid and the ideal world only by influencing the way the membership or non-membership tests take place in the hybrid world, i.e., distinguishing reduces to breaking the security of the accumulators utilized in protocol \(\pi \). Note that the relation \(R(pk,\mathsf {aux})\) does not provide an opportunity for distinguishing, since it is the same in both worlds. Furthermore, our proof would also work if the functionalities \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{UDB}\) were global; however, for simplicity, we have the simulator \(\mathcal {S}\) play their role in the simulation. Assuming that all servers have sent a \((sid,\mathsf {Init})\) message, we consider the case where an environment \(\mathcal {Z}\) sends a \((sid,\mathsf {Register},id,pk)\) message to a client C. We examine the output of C in the hybrid and the ideal world in the following cases:
1. \(\mathcal {A}\) has not sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \((sid,\mathsf {Register},id,pk)\) is sent to the client C. We consider two sub-cases:
   (i) The identity id is not registered: In the hybrid world, an honest client C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, if \(\mathcal {A}\) returns \(\mathsf {allow}\), then C receives DBstate and computes the witnesses \(W_1,W_2\) according to Steps 2a, 2b of Fig. 7. Then, C sends \((sid,(\mathsf {Register},id,pk,i+1,W_1,W_2))\) to \(\mathcal {F}_{TP}\). If \(\mathcal {A}\) returns \(\mathsf {allow}\) to \(\mathcal {F}_{TP}\), \(\mathcal {F}_{TP}\) returns \(((c_1',W_1'),(c_2',W_2'),state)\) and C computes the witness \(W_3'\). Then, C sends \((sid,\mathsf {Post},(\mathsf {Register},id,pk,i+1,W_1',W_2',W_3'))\) to \(\mathcal {F}_{UDB}\) and, if \(\mathcal {A}\) returns \(\mathsf {allow}\), C outputs \(\mathsf {success}\) in the hybrid world. In the ideal world, C also outputs \(\mathsf {success}\) because \(\mathcal {S}\), who acts as C and \(\mathcal {F}_{TP}\), returns \(\mathsf {allow}\) to \(\mathcal {F}_{ns}\) (Step 3, Fig. 8). Finally, \(\mathcal {F}_{ns}\) verifies that id is not registered and sends \(\mathsf {success}\) to C.
   (ii) The identity id is currently registered: In the hybrid world, an honest client C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives DBstate, checks that id is registered and returns \(\mathsf {fail}\). In the ideal world, \(\mathcal {S}\) simulates C and \(\mathcal {F}_{UDB}\) and, since id is registered, \(\mathcal {S}\) returns \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\). Next, \(\mathcal {F}_{ns}\) returns \(\mathsf {fail}\) to C. A malicious client C (on behalf of \(\mathcal {A}\)) in the hybrid world may try to convince \(\mathcal {F}_{TP}\) that id is not registered. Then, C should either provide a non-membership witness \(W_1\) for (id, j, a), for some \(j\ge 2\), such that \(\mathsf {VerifyNonMem}(pk_2,(id,j,a),W_1,c_2)=1\), and a membership witness \(W_2\) for \((id,j-1,d)\), such that \(\mathsf {VerifyMem}(pk_2,(id,j-1,d), W_2, c_2)=1\), or C should provide a valid non-membership witness \(W_1\) for (id, 1, a). We show that, by the security of the accumulator \(c_2\), such an attack succeeds only with negligible probability. Recall that, since id is currently registered, it holds that either: (1) there is \(\ell \ge 2\) such that \((id,\ell ,a)\in X_2\) and \((id,\ell ,d)\notin X_2\), where \(X_2\) is the accumulated set of \(c_2\), or (2) \((id,1,a)\in X_2\). Starting with (1), we consider the cases \(1<j\le \ell \) and \(j>\ell \). If \(1<j\le \ell \), then \((id,j,a)\in X_2\) and \((id,j-1,d)\in X_2\). By the security of the accumulator \(c_2\), C can produce a valid non-membership witness \(W_1\) for (id, j, a) only with negligible probability. If \(j>\ell \), then \((id,j,a)\notin X_2\) and \((id,j-1,d)\notin X_2\). By the security of the accumulator \(c_2\), C cannot produce a valid membership witness \(W_2\) for \((id,j-1,d)\). Regarding (2), similarly, C can produce a valid non-membership witness \(W_1\) for (id, 1, a) only with negligible probability. Therefore, C returns \(\mathsf {fail}\) in the hybrid world. In the ideal world, C would also return \(\mathsf {fail}\), because \(\mathcal {S}\) sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\), which sends \(\mathsf {fail}\) to C.
2. \(\mathcal {A}\) has sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \(\mathcal {Z}\) sends \((sid,\mathsf {Register},id,pk)\), such that \(DBstate'\ne DBstate\) and the set \(X_2'\) derived from \(DBstate'\) differs from the set \(X_2\) accumulated in \(c_2\) (see Footnote 1). We consider the following sub-cases:
   (i) The identity id is not registered, but the last record including id in \(DBstate'\) is of the form \((\mathsf {Register},id,pk,j,W_1,W_2,W_3)\): In the hybrid world, an honest C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives \(DBstate'\), checks that id is registered and returns \(\mathsf {fail}\). In the ideal world, \(\mathcal {S}\), simulating C and \(\mathcal {F}_{UDB}\), sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\), which returns \(\mathsf {fail}\) to C. If a malicious C sends \((sid,\mathsf {Register},id',pk',j',W'_1,W'_2)\) to \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{TP}\) returns \((\mathsf {fail},state)\), then in the ideal world \(\mathcal {S}\) sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\). Even if \(\mathcal {F}_{TP}\) returns \(((c_1',W_1'),(c_2',W_2'),state)\) and \(\mathcal {F}_{UDB}\) returns \(\mathsf {success}\) to C after receiving a message of the form \((sid,\mathsf {Post},\cdot )\), this means that in the ideal world \(\mathcal {S}\) returns \(\mathsf {allow}\) to \(\mathcal {F}_{ns}\). Then, \(\mathcal {F}_{ns}\), verifying that id is not registered, sends \(\mathsf {success}\) to C. In both cases, C returns consistent outputs in the hybrid and the ideal world.
   (ii) The identity id is not registered and the last record including id in \(DBstate'\) is of the form \((\mathsf {Revoke},id,pk,j)\), or there is no record for id: The analysis for this case is the same as for 2(i), except that an honest client interacts with \(\mathcal {F}_{TP}\) after receiving \(DBstate'\) from \(\mathcal {F}_{UDB}\).
   (iii) The identity id is registered and the last record including id in \(DBstate'\) is of the form \((\mathsf {Revoke},id,pk,j)\), or there is no record for id: In the hybrid world, an honest C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives \(DBstate'\), computes the witnesses \(W_1,W_2\) according to Steps 2a, 2b and sends \((sid,\mathsf {Register},id,pk',j+1,W_1,W_2)\) to \(\mathcal {F}_{TP}\). Following the same reasoning as in case 1(ii), \(\mathcal {F}_{TP}\) returns \((\mathsf {fail},state)\) except with negligible probability. If an honest C, given the accumulated set \(X_2'\), could produce a valid non-membership witness \(W_1\) for \((id,j+1,a)\) and a valid membership witness \(W_2\) for (id, j, d) with non-negligible probability, then the security of \(c_2\) would be broken. As a result, C returns \(\mathsf {fail}\) both in the hybrid and the ideal world. A malicious C in the hybrid world may send \((sid,\mathsf {Register},id,pk^*,\ell , W_1^*,W_2^*)\) to convince \(\mathcal {F}_{TP}\) that id is not registered. The analysis for this case is also the same as for 1(ii).
   (iv) The identity id is registered, but the last record including id in \(DBstate'\) is of the form \((\mathsf {Register},id,pk,i+1,W_1,W_2,W_3)\): The analysis for this case is the same as for 2(iii), except that an honest client returns \(\mathsf {fail}\) after receiving \(DBstate'\) from \(\mathcal {F}_{UDB}\).
3. \(\mathcal {A}\) has sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \(\mathcal {Z}\) sends \((\mathsf {Register},id,pk)\), such that \(DBstate'\ne DBstate\) but the set \(X_2'\) derived from \(DBstate'\) is the same as the set \(X_2\) accumulated in \(c_2\). In this case, our reasoning is similar to case 1, where the adversary has not sent such a message, since an honest client is able to compute the witnesses \(W_1,W_2\) using a correct accumulated set.
We have shown that when an environment \(\mathcal {Z}\) sends a message \((\mathsf {Register},id,pk)\) to a client C, \(\mathcal {Z}\) can distinguish between the executions in the hybrid and the ideal world only with negligible probability, relying on the security of the accumulator \(c_2\). We argue that, by similar reasoning, the same holds for the cases where \(\mathcal {Z}\) sends \((\mathsf {Revoke},id,pk,\mathsf {aux})\), \((\mathsf {Retrieve},id)\), \((\mathsf {VerifyID},id)\) or \((\mathsf {VerifyMapping},id,pk)\). However, due to lack of space, a complete proof, including the above cases, will be provided in the full version of the paper. \(\square \)
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Patsonakis, C., Samari, K., Roussopoulos, M., Kiayias, A. (2018). Towards a Smart Contract-Based, Decentralized, Public-Key Infrastructure. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science, vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_14
DOI: https://doi.org/10.1007/978-3-030-02641-7_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02640-0
Online ISBN: 978-3-030-02641-7