Certificate Transparency with Enhancements and Short Proofs
This work addresses security issues in detecting malicious websites due to certificate misissuance or compromised authorities, offering an incremental improvement in proof efficiency for domain-specific applications.
The paper tackles the problem of certificate transparency by introducing a new scheme that provides constant-size proofs, improving upon existing logarithmic proof sizes, and demonstrates efficient revocation and low verification costs.
Browsers can detect malicious websites that are provisioned with forged or fake TLS/SSL certificates. However, they are not so good at detecting malicious websites if they are provisioned with mistakenly issued certificates or certificates that have been issued by a compromised certificate authority. Google proposed certificate transparency which is an open framework to monitor and audit certificates in real time. Thereafter, a few other certificate transparency schemes have been proposed which can even handle revocation. All currently known constructions use Merkle hash trees and have proof size logarithmic in the number of certificates/domain owners. We present a new certificate transparency scheme with short (constant size) proofs. Our construction makes use of dynamic bilinear-map accumulators. The scheme has many desirable properties like efficient revocation, low verification cost and update costs comparable to the existing schemes. We provide proofs of security and evaluate the performance of our scheme.