Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1
Digital Signatures 2
Digital Signatures Establish the origin of a message (bind signer s identity to message) A valid signature guarantees Message integrity (no modifications happened) Identity of the signer 3
Digital Signatures Establish the origin of a message (bind signer s identity to message) A valid signature guarantees Message integrity (no modifications happened) Identity of the signer Security (EUF-CMA) Obtain signatures on arbitrary messages Not able to produce valid signature for non-queried message 3
Controlled Modification of Signed Messages Modifications? That s what we try to prevent? 4
Controlled Modification of Signed Messages Modifications? That s what we try to prevent? Controlled modifications Signer determines how signed message can be altered Think of implicitly signing all possible messages 4
Controlled Modification of Signed Messages Modifications? That s what we try to prevent? Controlled modifications Signer determines how signed message can be altered Think of implicitly signing all possible messages Example: Medical documents Anonymization for research/accounting (still want authenticity guarantees) Removing exact diagnosis for sick leave Re-signing after the fact might not be possible (availability, etc.) 4
Controlled Modification of Signed Messages Will look at two common schemes: redactable and sanitizable signatures 4
Redactable Signatures (RSS) 5
Redactable Signatures (RSS) 6
Redactable Signatures (RSS) Blacking out/removal of designated parts by everyone 6
Redactable Signatures (RSS) Security properties Unforgeability Privacy In EUF-CMA sense: cannot come up with valid signature for a message not derivable from signed ones Redacted signatures leaks no information about redacted parts Transparancy (optional) Not visible if redaction happened or not Unlinkability 7
Redactable Signatures (RSS) Originally proposed in [SBZ, ICISC 01] and [JMSW, CT-RSA 02] Various ad-hoc constructions for different message representations (linear, sets, trees) Generic construction from EUF-CMA secure signatures and indistinguishable accumulators [DPSS, ICISC 15] 8
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } Compute acc m and use Σ to sign acc m 9
Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } Compute acc m and use Σ to sign acc m As redactable signature provide signature of Σ and {wit mi } 9
Sanitizable Signatures (SSS) 10
Sanitizable Signatures (SSS) 11
Sanitizable Signatures (SSS) 12
Sanitizable Signatures (SSS) Replacement of designated parts by designated entity 12
Sanitizable Signatures (SSS) Security properties Unforgeability Immutability Privacy In EUF-CMA sense: Sanitizer cannot come up with valid signature for a message not derivable from signed ones Signer/Sanitizer accountability Signer/sanitizer cannot blame the other party for having produced a signature Transparancy (optional) Invisibility (optional) Signature does not leak which parts are sanitizable Unlinkability 13
Sanitizable Signatures (SSS) Originally proposed in [ACMT, ESORICS 05] and rigorous security model [BFFLP+, PKC 09] Various constructions with different properties and sanitizing restrictions, e.g., limit sanitizing to defined set Generic construction from EUF-CMA secure signatures and chameleon hash functions [BFFLP+, PKC 09] 14
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) Use Σ to sign h = (h 1,..., h n ) where CHash(pk, m i ; r i ), h i = m i, else if sanitizable 15
Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) Use Σ to sign h = (h 1,..., h n ) where CHash(pk, m i ; r i ), h i = m i, else if sanitizable As sanitizable signature provide signature of Σ and r 15
Merging the Functionalities Provide a primitive that supports removal and editing at the same time Generalize RSS and SSS into a single primitive having all desired properties of RSS and SSS Motivating example (k-anonymization): Removal of attributes Generalization of attributes 16
Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction 17
Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction Destroys transparency! 17
Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction Destroys transparency! Ideally have efficient construction providing all properties 17
Protean Signature Schemes (PSS) 18
Protean Signature Schemes (PSS) 19
Protean Signature Schemes (PSS) Replacement and removal of designated parts by designated entity 19
Protean Signature Schemes (PSS) Security properties Unforgeability Immutability Privacy Signer/Sanitizer accountability Transparancy (optional) Invisibility (optional) 20
Sketch of Construction (Ingredients) We provide a black-box construction of a protean signature scheme Ingredients A secure sanitizable signature scheme (SSS) A secure redactable signature scheme (RSS) A CCA2 secure labeled public key encryption scheme Only required if RSS provides auxiliary redaction information RED RED typically makes redactions more efficient 21
Sketch of Construction (Keys) Signer keys (keys from SSS and RSS) sk sig (sk SSS sig, skrss ) pk sig (pk SSS sig, pkrss ) Sanitizer keys (keys from SSS) sk san sk SSS san pk san pk SSS san 22
Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) 23
Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 23
Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 RSS (τ 1, τ 2, τ 3, τ, pk sig, pk san ) }{{} σ RSS (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 23
Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 RSS (τ 1, τ 2, τ 3, τ, pk sig, pk san ) }{{} σ RSS Outer SSS (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 ((m 1, m 2, m 3), σ RSS, (τ 1, τ 2, τ 3, σ1 SSS, σ2 SSS, σ3 SSS ), τ, pk sig, pk san ) }{{} σ0 SSS 23
Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) 24
Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS 24
Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS 24
Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, pk }{{} σ2 SSS sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS Outer SSS ((m 1, m 2, m 3), σ RSS, (τ 1, τ 2, τ 3, σ1 SSS, σ2 SSS, σ3 SSS ), τ, pk sig, pk san ) }{{} σ0 SSS 24
Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS ((m 1, ˆm 2), ˆσ RSS, (τ 1, τ 2, σ1 SSS, σ2 SSS ), τ, pk sig, pk san ) }{{} ˆσ 0 SSS 24
Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values 25
Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level 25
Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level Dependencies: Enforce restrictions such as if block i is redacted, also block j needs to be redacted 25
Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level Dependencies: Enforce restrictions such as if block i is redacted, also block j needs to be redacted Unlinkability: Seems hard to achieve with our construction paradigm 25
Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages 26
Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) 26
Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) 26
Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) PSS provide all features and strong privacy guarantees 26
Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) PSS provide all features and strong privacy guarantees We provide a generic construction based on RSS and SSS (and labeled PKE) 26
Thank you! Questions? @drl3c7er Supported by EU H2020 and ECSEL