CryptoRevocate: A cryptographic accumulator based distributed certificate revocation list

Abstract

Verification of the certificate revocation status is a crucial process for Public Key Infrastructure (PKI) system reliability. Failing to detect a revoked certificate may lead to catastrophic system compromises. Existing verification systems use slow and centralized approaches like Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). These systems are known to cause verification failures (soft fails) because of system and network delays. Additionally, the availability of these systems are a major concern. Recent developments in distributed ledger (blockchain) technologies enable this information to be reliably published on the Internet, in a distributed manner. However in a distributed system, synchronizing large amounts of data among the nodes is an expensive task. One way to combat this issue is to use cryptographic accumulators, a tool that can be used to reduce data size; when only membership test statuses are necessary from a set of data. In this study, we focus on the reliable and effective distribution of certificate revocation information. We present a design of an asymmetric cryptographic accumulator based effective certificate revocation system. To the best of our knowledge, this is the first study using asymmetric cryptographic accumulators to distribute certificate revocation data via blockchain.