
Towards a Smart Contract-Based, Decentralized, Public-Key Infrastructure

Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11261)

Abstract

Public-key infrastructures (PKIs) are an integral part of the security foundations of digital communications. Their widespread deployment has allowed the growth of important applications such as internet banking and e-commerce. Centralized PKIs (CPKIs) rely on a hierarchy of trusted Certification Authorities (CAs) for issuing, distributing and managing the status of digital certificates, i.e., unforgeable data structures that attest to the authenticity of an entity’s public key. Unfortunately, CPKIs have many downsides in terms of security and fault tolerance, and there have been numerous security incidents throughout the years. Decentralized PKIs (DPKIs) were proposed to deal with these issues, as they rely on multiple, independent nodes. Nevertheless, decentralization raises other concerns, such as what the incentives are for the participating nodes to ensure the service’s availability.

In our work, we leverage the scalability, as well as the built-in incentive mechanism, of blockchain systems and propose a smart contract-based DPKI. The main barrier to realizing a smart contract-based DPKI is the size of the contract’s state which, being its most expensive resource to access, should be minimized for a construction to be viable. We resolve this problem by proposing, and using in our DPKI, a public-state cryptographic accumulator with constant size, a cryptographic tool which may be of independent interest in the context of blockchain protocols. We are also the first to formalize the DPKI design problem in the Universal Composability (UC) framework, and we formally prove the security of our construction under the strong RSA assumption in the Random Oracle model, assuming the existence of an ideal smart contract functionality.


Notes

  1. As we explained in Sect. 5, a set \(X_2'\) is derived from \(DBstate'\) in the following way: for any record of the form \((\mathsf {Register}, id, pk, i, W_1, W_2, W_3)\), \((id,i,a)\) is added to \(X_2\), and for any record of the form \((\mathsf {Revoke}, id, pk, i)\), \((id,i,d)\) is added to \(X_2\).



Corresponding author

Correspondence to Christos Patsonakis.


A Proof of Theorem 2

We construct a simulator \(\mathcal {S}\) (Fig. 8) which emulates an execution of the protocol \(\pi \) in the hybrid world, in the presence of an adversary \(\mathcal {A}\). \(\mathcal {S}\) plays the role of T, \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{UDB}\), and acts on behalf of a number of honest clients and on behalf of servers in the emulation of \(\pi \). We show that an environment can distinguish between the executions in the hybrid and the ideal world only by influencing the way the membership or non-membership tests take place in the hybrid world, i.e., distinguishing is reduced to the security of the accumulators utilized in protocol \(\pi \). Note that the relation \(R(pk,\mathsf {aux})\) does not provide an opportunity for distinguishing, since it is the same in both worlds. Furthermore, our proof would also work if the functionalities \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{UDB}\) were global; however, for simplicity, we have the simulator \(\mathcal {S}\) play their role in the simulation. Assuming that all servers have sent a \((sid,\mathsf {Init})\) message, we consider the case where an environment \(\mathcal {Z}\) sends a \((sid,\mathsf {Register},id,pk)\) message to a client C. We examine the output of C in the hybrid and the ideal world in the following cases:

Fig. 8. The simulator \(\mathcal {S}\) that emulates the execution of protocol \(\pi \) in the hybrid world.

  1. \(\mathcal {A}\) has not sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \((sid,\mathsf {Register},id,pk)\) is sent to the client C. We consider two different sub-cases:

    (i) The identity id is not registered: In the hybrid world, an honest client C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, if \(\mathcal {A}\) returns \(\mathsf {allow}\), then C receives DBstate and computes the witnesses \(W_1,W_2\) according to Steps 2a, 2b of Fig. 7. Then, C sends \((sid,(\mathsf {Register},id,pk,i+1,W_1,W_2))\) to \(\mathcal {F}_{TP}\). If \(\mathcal {A}\) returns \(\mathsf {allow}\) to \(\mathcal {F}_{TP}\), \(\mathcal {F}_{TP}\) returns \(((c_1',W_1'),(c_2',W_2'),state)\) and C computes the witness \(W_3'\). Then, C sends \((sid,\mathsf {Post},(\mathsf {Register},id,pk,i+1,W_1',W_2',W_3'))\) to \(\mathcal {F}_{UDB}\) and, if \(\mathcal {A}\) returns \(\mathsf {allow}\), C outputs \(\mathsf {success}\) in the hybrid world. In the ideal world, C also outputs \(\mathsf {success}\) because \(\mathcal {S}\), who acts as C and \(\mathcal {F}_{TP}\), returns \(\mathsf {allow}\) to \(\mathcal {F}_{ns}\) (Step 3, Fig. 8). Finally, \(\mathcal {F}_{ns}\) verifies that id is not registered and sends \(\mathsf {success}\) to C.

    (ii) The identity id is currently registered: In the hybrid world, an honest client C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives DBstate, checks that id is registered and returns \(\mathsf {fail}\). In the ideal world, \(\mathcal {S}\) simulates C and \(\mathcal {F}_{UDB}\) and, since id is registered, \(\mathcal {S}\) returns \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\). Next, \(\mathcal {F}_{ns}\) returns \(\mathsf {fail}\) to C. A malicious client C (on behalf of \(\mathcal {A}\)) in the hybrid world may try to convince \(\mathcal {F}_{TP}\) that id is not registered. Then, C should either provide a non-membership witness \(W_1\) for \((id,j,a)\), for some \(j\ge 2\), such that \(\mathsf {VerifyNonMem}(pk_2,(id,j,a),W_1,c_2)=1\), and a membership witness \(W_2\) for \((id,j-1,d)\), such that \(\mathsf {VerifyMem}(pk_2,(id,j-1,d), W_2, c_2)=1\), or C should provide a valid non-membership witness \(W_1\) for \((id, 1, a)\). We show that, by the security of the accumulator \(c_2\), such an attack succeeds only with negligible probability. Recall that, since id is currently registered, it holds that either: (1) there is \(\ell \ge 2\) such that \((id,\ell ,a)\in X_2\) and \((id,\ell ,d)\notin X_2\), where \(X_2\) is the accumulated set of \(c_2\), or (2) \((id,1,a)\in X_2\). Starting with (1), we consider the cases \(1<j\le \ell \) and \(j>\ell \). If \(1<j\le \ell \), then \((id,j,a)\in X_2\) and \((id,j-1,d)\in X_2\). By the security of the accumulator \(c_2\), C can produce a valid non-membership witness \(W_1\) for \((id,j,a)\) only with negligible probability. If \(j>\ell \), then \((id,j,a)\notin X_2\) and \((id,j-1,d)\notin X_2\). By the security of the accumulator \(c_2\), C cannot produce a valid membership witness \(W_2\) for \((id,j-1,d)\). Regarding (2), similarly, C can produce a valid non-membership witness \(W_1\) for \((id, 1, a)\) only with negligible probability. Therefore, C returns \(\mathsf {fail}\) in the hybrid world. In the ideal world, C also returns \(\mathsf {fail}\), because \(\mathcal {S}\) sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\), which sends \(\mathsf {fail}\) to C.

  2. \(\mathcal {A}\) has sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \(\mathcal {Z}\) sends \((sid,\mathsf {Register},id,pk)\), such that \(DBstate'\ne DBstate\) and the set \(X_2'\) derived from \(DBstate'\) is different from the set \(X_2\) accumulated in \(c_2\) (see Note 1). We consider the following sub-cases:

    (i) The identity id is not registered but the last record including id in \(DBstate'\) is of the form \((\mathsf {Register},id,pk,j,W_1,W_2,W_3)\): In the hybrid world, an honest C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives \(DBstate'\), checks that id is registered and returns \(\mathsf {fail}\). In the ideal world, \(\mathcal {S}\), simulating C and \(\mathcal {F}_{UDB}\), sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\), which returns \(\mathsf {fail}\) to C. If a malicious C sends \((sid,\mathsf {Register},id',pk',j',W'_1,W'_2)\) to \(\mathcal {F}_{TP}\) and \(\mathcal {F}_{TP}\) returns \((\mathsf {fail},state)\), then in the ideal world \(\mathcal {S}\) sends \(\mathsf {fail}\) to \(\mathcal {F}_{ns}\). Even if \(\mathcal {F}_{TP}\) returns \(((c_1',W_1'),(c_2',W_2'),state)\) and \(\mathcal {F}_{UDB}\) returns \(\mathsf {success}\) to C after receiving a message of the form \((sid,\mathsf {Post},\cdot )\), this means that in the ideal world \(\mathcal {S}\) returns \(\mathsf {allow}\) to \(\mathcal {F}_{ns}\). Then, \(\mathcal {F}_{ns}\), verifying that id is not registered, sends \(\mathsf {success}\) to C. In both cases, C returns consistent outputs in the hybrid and the ideal world.

    (ii) The identity id is not registered and the last record including id in \(DBstate'\) is of the form \((\mathsf {Revoke},id,pk,j)\), or there is no record for id: The analysis for this case is the same as for 2(i), except that an honest client interacts with \(\mathcal {F}_{TP}\) after receiving \(DBstate'\) from \(\mathcal {F}_{UDB}\).

    (iii) The identity id is registered and the last record including id in \(DBstate'\) is of the form \((\mathsf {Revoke},id,pk,j)\), or there is no record for id: In the hybrid world, an honest C sends \((sid, \mathsf {RetrieveDB})\) to \(\mathcal {F}_{UDB}\) and, when C receives \(DBstate'\), computes the witnesses \(W_1,W_2\) according to Steps 2a, 2b and sends \((sid,\mathsf {Register},id,pk',j+1,W_1,W_2)\) to \(\mathcal {F}_{TP}\). Following the same reasoning as in case 1(ii), \(\mathcal {F}_{TP}\) returns \((\mathsf {fail},state)\) except with negligible probability. If an honest C, given the accumulated set \(X_2'\), could produce a valid non-membership witness \(W_1\) for \((id,j+1,a)\) and a valid membership witness \(W_2\) for \((id,j,d)\) with non-negligible probability, then the security of \(c_2\) would be broken. As a result, C returns \(\mathsf {fail}\), both in the hybrid and the ideal world. A malicious C in the hybrid world may send \((sid,\mathsf {Register},id,pk^*,\ell , W_1^*,W_2^*)\) to convince \(\mathcal {F}_{TP}\) that id is not registered. The analysis for this case is also the same as for 1(ii).

    (iv) The identity id is registered but the last record including id in \(DBstate'\) is of the form \((\mathsf {Register},id,pk,i+1,W_1,W_2,W_3)\): The analysis for this case is the same as for 2(iii), except that an honest client returns \(\mathsf {fail}\) after receiving \(DBstate'\) from \(\mathcal {F}_{UDB}\).

  3. \(\mathcal {A}\) has sent \((sid,\mathsf {ChangeDBstate},DBstate')\) before \(\mathcal {Z}\) sends \((\mathsf {Register},id,pk)\), such that \(DBstate'\ne DBstate\) but the set \(X_2'\) derived from \(DBstate'\) is the same as the set \(X_2\) accumulated in \(c_2\). In this case, our reasoning is similar to case 1, where the adversary has not sent such a message, since an honest client is able to compute the witnesses \(W_1,W_2\) using a correct accumulated set.

We proved that when an environment \(\mathcal {Z}\) sends a message \((\mathsf {Register},id,pk)\) to a client C, \(\mathcal {Z}\) can distinguish between the executions in the hybrid and ideal world only with negligible probability, relying on the security of the accumulator \(c_2\). We argue that, following similar arguments, the same holds for the cases where \(\mathcal {Z}\) sends \((\mathsf {Revoke},id,pk,\mathsf {aux})\), \((\mathsf {Retrieve},id)\), \((\mathsf {VerifyID},id)\), \((\mathsf {VerifyMapping},id,pk)\). However, due to lack of space, a complete proof, including the above cases, will be provided in the full version of the paper.    \(\square \)
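The registration-state checks that the case analysis above relies on (the \(W_1\)/\(W_2\) tests of cases 1(ii) and 2(iii), and the derivation of \(X_2\) from DBstate described in Note 1), as an added example that is not part of the paper: a textbook RSA accumulator with membership and non-membership witnesses stands in for the paper's accumulator \(c_2\), whose construction is not given on this page. The modulus, base, hash-to-prime map, record encoding and all function names are constructed here, and the honest client's own check of whether id is registered in its DBstate view is omitted.

```python
import hashlib
from math import prod
N = (2**89 - 1) * (2**127 - 1)   # toy modulus from two Mersenne primes: factors public, insecure
G = 65537                        # public accumulator base, coprime to N

def is_prime(n):
    # Miller-Rabin with fixed bases; deterministic for all n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    s = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def h(rec):
    # map a record (id, i, 'a'|'d') to a 64-bit prime, the accumulator's domain
    x = int.from_bytes(hashlib.sha256(repr(rec).encode()).digest()[:8], "big") | 1
    while not is_prime(x):
        x += 2
    return x

def accumulate(X):
    # constant-size accumulator value c = G^(product of h(r) for r in X) mod N
    c = G
    for r in X:
        c = pow(c, h(r), N)
    return c
def verify_mem(c, rec, w):           # membership witness w = accumulate(X - {rec})
    return pow(w, h(rec), N) == c
def nonmem_witness(X, rec):
    # Bezout coefficients s*u + t*x == 1; pow(u, -1, x) raises ValueError iff rec is in X
    u, x = prod(h(r) for r in X), h(rec)
    s = pow(u, -1, x)
    t = (1 - s * u) // x
    return s, pow(G, t, N)           # t <= 0: negative exponent means modular inverse (py3.8+)
def verify_nonmem(c, rec, w):
    s, d = w                         # c^s * d^x == G^(s*u + t*x) == G
    return pow(c, s, N) * pow(d, h(rec), N) % N == G

def derive_X2(dbstate):
    # Note 1: a Register record adds (id, i, a), a Revoke record adds (id, i, d)
    return {(r[1], r[3], "a" if r[0] == "Register" else "d") for r in dbstate}

def client_witnesses(dbstate_view, id_, j):
    # Steps 2a/2b analogue: the client derives X_2 from its (possibly tampered) DBstate view
    X = derive_X2(dbstate_view)
    W1 = nonmem_witness(X, (id_, j, "a"))
    W2 = accumulate(X - {(id_, j - 1, "d")}) if j > 1 else None
    return W1, W2

def tp_check_register(c2, id_, j, W1, W2):
    # F_TP's tests: j == 1 needs (id,1,a) absent; j >= 2 needs (id,j,a) absent and (id,j-1,d) present
    if j == 1:
        return verify_nonmem(c2, (id_, 1, "a"), W1)
    return verify_nonmem(c2, (id_, j, "a"), W1) and verify_mem(c2, (id_, j - 1, "d"), W2)
```

Witnesses computed from a tampered view whose \(X_2'\) differs from \(X_2\) (case 2(iii)) do not verify against the true \(c_2\), and no non-membership witness can be computed for an accumulated record, which is the mechanism the negligible-probability arguments above rest on.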


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Patsonakis, C., Samari, K., Roussopoulos, M., Kiayias, A. (2018). Towards a Smart Contract-Based, Decentralized, Public-Key Infrastructure. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science(), vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_14


  • DOI: https://doi.org/10.1007/978-3-030-02641-7_14


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02640-0

  • Online ISBN: 978-3-030-02641-7

  • eBook Packages: Computer Science (R0)
