Linkable message tagging: solving the key distribution problem of signature schemes

Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter have not been found yet. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys and hence elegantly sidesteps the key distribution problem of signature schemes. As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address. As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles. This article extends prior work of the same authors that appeared in the proceedings of ACISP 2015 (Günther and Poettering in 2015).