The notion of secret-key certificate schemes is introduced and formalized. As with public-key certificates, triples consisting of a secret key, a corresponding public key, and a secret-key certificate on the public key can only be retrieved by engaging in an issuing protocol with the issuer. The difference with public-key certificates is that pairs consisting of a public key and a secret-key certificate on the public key can be generated by anyone, with a distribution that is indistinguishable from the distribution according to which they are generated in the issuing protocol. Secret-key certificates offer the same functionality as do public-key certificates, because there is no point in using a public-key certificate scheme if the cryptographic actions that are to be performed with respect to a certified public key can be performed without knowing a corresponding secret key. The existence of efficient and secure secret-key certificate schemes is demonstrated by a generally applicable technique for deriving such schemes from signature schemes of a well-known type. The new notion is believed to be of interest in its own right, as it demonstrates an alternative to a stale paradigm in cryptography. More important are the practical advantages: secret-key certificates are better suited for the design of privacy-protecting mechanisms for signature transport, and can be used to construct secure public-key directories and conditional access mechanisms that provably do not leak information that can be of help to forge certificates.
Brands, S.A. (1995). Secret-key certificates. Department of Computer Science [CS]. CWI.