Protean Signature Schemes

Similar documents
Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications

Cryptographic Solutions for Data Integrity in the Cloud

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Practical Strongly Invisible and Strongly Accountable Sanitizable Signatures

Chameleon-Hashes with Ephemeral Trapdoors

Digital signature schemes

Digital Signatures. Adam O Neill based on

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Indistinguishability of One-Way Accumulators

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Anonymous Signatures Made Easy

Ring Group Signatures

Schnorr Signature. Schnorr Signature. October 31, 2012

Short Redactable Signatures Using Random Trees

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Enforcing honesty of certification authorities: Tagged one-time signature schemes

Constructing Provably-Secure Identity-Based Signature Schemes

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Transitive Signatures Based on Non-adaptive Standard Signatures

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Smooth Projective Hash Function and Its Applications

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Group Undeniable Signatures

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Authentication. Chapter Message Authentication

Short Randomizable Signatures

March 19: Zero-Knowledge (cont.) and Signatures

Group Undeniable Signatures

Convertible Group Undeniable Signatures

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Hash-based signatures & Hash-and-sign without collision-resistance

Cryptographic Protocols Notes 2

George Danezis Microsoft Research, Cambridge, UK

II. Digital signatures

Gentry IBE Paper Reading

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption

RSA and Rabin Signatures Signcryption

A Constant-Size Signature Scheme with a Tighter Reduction from the CDH Assumption

An update on Hash-based Signatures. Andreas Hülsing

Digital Signatures. p1.

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Katz, Lindell Introduction to Modern Cryptrography

A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

On the (In)security of the Fiat-Shamir Paradigm

Lattice-based DAPS and Generalizations

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Accumulators with Applications to Anonymity-Preserving Revocation

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

ECS 189A Final Cryptography Spring 2011

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

BEYOND POST QUANTUM CRYPTOGRAPHY

Comparing With RSA. 1 ucl Crypto Group

Short Signatures Without Random Oracles

CPSC 467: Cryptography and Computer Security

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Chapter 8 Public-key Cryptography and Digital Signatures

Ring Signatures without Random Oracles

On the Selective-Opening Security of DHIES

Computing on Authenticated Data for Adjustable Predicates

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Attribute-Based Signatures

A survey on quantum-secure cryptographic systems

Dr George Danezis University College London, UK

1 Number Theory Basics

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

Improved Security for Linearly Homomorphic Signatures: A Generic Framework

Lecture 9 - Symmetric Encryption

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Short Signatures From Diffie-Hellman: Realizing Short Public Key

A Composition Theorem for Universal One-Way Hash Functions

A New Paradigm of Hybrid Encryption Scheme

The Cramer-Shoup Cryptosystem

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials

Non-interactive Designated Verifier Proofs and Undeniable Signatures

Provable security. Michel Abdalla

Transitive Signatures based on Factoring and RSA

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives

Sub-linear Blind Ring Signatures without Random Oracles

John Hancock enters the 21th century Digital signature schemes. Table of contents

Practical Round-Optimal Blind Signatures in the Standard Model

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

VI. The Fiat-Shamir Heuristic

Hash-based Signatures. Andreas Hülsing

SPHINCS: practical stateless hash-based signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems

Lecture 1. Crypto Background

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Transcription:

Protean Signature Schemes Stephan Krenn, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig October 2, 2018 Cryptology And Network Security (CANS 2018), Naples, Italy 1

Digital Signatures 2

Digital Signatures Establish the origin of a message (bind signer s identity to message) A valid signature guarantees Message integrity (no modifications happened) Identity of the signer 3

Digital Signatures Establish the origin of a message (bind signer s identity to message) A valid signature guarantees Message integrity (no modifications happened) Identity of the signer Security (EUF-CMA) Obtain signatures on arbitrary messages Not able to produce valid signature for non-queried message 3

Controlled Modification of Signed Messages Modifications? That s what we try to prevent? 4

Controlled Modification of Signed Messages Modifications? That s what we try to prevent? Controlled modifications Signer determines how signed message can be altered Think of implicitly signing all possible messages 4

Controlled Modification of Signed Messages Modifications? That s what we try to prevent? Controlled modifications Signer determines how signed message can be altered Think of implicitly signing all possible messages Example: Medical documents Anonymization for research/accounting (still want authenticity guarantees) Removing exact diagnosis for sick leave Re-signing after the fact might not be possible (availability, etc.) 4

Controlled Modification of Signed Messages Will look at two common schemes: redactable and sanitizable signatures 4

Redactable Signatures (RSS) 5

Redactable Signatures (RSS) 6

Redactable Signatures (RSS) Blacking out/removal of designated parts by everyone 6

Redactable Signatures (RSS) Security properties Unforgeability Privacy In EUF-CMA sense: cannot come up with valid signature for a message not derivable from signed ones Redacted signatures leaks no information about redacted parts Transparancy (optional) Not visible if redaction happened or not Unlinkability 7

Redactable Signatures (RSS) Originally proposed in [SBZ, ICISC 01] and [JMSW, CT-RSA 02] Various ad-hoc constructions for different message representations (linear, sets, trees) Generic construction from EUF-CMA secure signatures and indistinguishable accumulators [DPSS, ICISC 15] 8

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } Compute acc m and use Σ to sign acc m 9

Redactable Signatures (RSS) Sketch of RSS for sets (accumulator + EUF-CMA signatures Σ): Accumulator: X = {x 1,..., x n } succinctly represented by acc X Witnesses wit xi certifying membership of x i in acc X Efficiently computable x X, intractable y / X Indistinguishability [DS, CT-RSA 15] Neither acc nor wit leak information about X RSS: To sign m = {m 1,..., m n } Compute acc m and use Σ to sign acc m As redactable signature provide signature of Σ and {wit mi } 9

Sanitizable Signatures (SSS) 10

Sanitizable Signatures (SSS) 11

Sanitizable Signatures (SSS) 12

Sanitizable Signatures (SSS) Replacement of designated parts by designated entity 12

Sanitizable Signatures (SSS) Security properties Unforgeability Immutability Privacy In EUF-CMA sense: Sanitizer cannot come up with valid signature for a message not derivable from signed ones Signer/Sanitizer accountability Signer/sanitizer cannot blame the other party for having produced a signature Transparancy (optional) Invisibility (optional) Signature does not leak which parts are sanitizable Unlinkability 13

Sanitizable Signatures (SSS) Originally proposed in [ACMT, ESORICS 05] and rigorous security model [BFFLP+, PKC 09] Various constructions with different properties and sanitizing restrictions, e.g., limit sanitizing to defined set Generic construction from EUF-CMA secure signatures and chameleon hash functions [BFFLP+, PKC 09] 14

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) Use Σ to sign h = (h 1,..., h n ) where CHash(pk, m i ; r i ), h i = m i, else if sanitizable 15

Sanitizable Signatures (SSS) Sketch of SSS (chameleon hashes + EUF-CMA signatures Σ): Chameleon Hash: Collision resistant hash keyed with (sk, pk) Hashing: h CHash(pk, m; r) Collision: sk allows for any h, ˆm to compute ˆr s.t. CHash(pk, m; r) = CHash(pk, ˆm;ˆr) SSS: To sign m = (m 1,..., m n ) Use Σ to sign h = (h 1,..., h n ) where CHash(pk, m i ; r i ), h i = m i, else if sanitizable As sanitizable signature provide signature of Σ and r 15

Merging the Functionalities Provide a primitive that supports removal and editing at the same time Generalize RSS and SSS into a single primitive having all desired properties of RSS and SSS Motivating example (k-anonymization): Removal of attributes Generalization of attributes 16

Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction 17

Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction Destroys transparency! 17

Using Existing Approaches? We could use SSS to mimic the functionality of RSS Use limited set replacement with a special symbol denoting redaction Destroys transparency! Ideally have efficient construction providing all properties 17

Protean Signature Schemes (PSS) 18

Protean Signature Schemes (PSS) 19

Protean Signature Schemes (PSS) Replacement and removal of designated parts by designated entity 19

Protean Signature Schemes (PSS) Security properties Unforgeability Immutability Privacy Signer/Sanitizer accountability Transparancy (optional) Invisibility (optional) 20

Sketch of Construction (Ingredients) We provide a black-box construction of a protean signature scheme Ingredients A secure sanitizable signature scheme (SSS) A secure redactable signature scheme (RSS) A CCA2 secure labeled public key encryption scheme Only required if RSS provides auxiliary redaction information RED RED typically makes redactions more efficient 21

Sketch of Construction (Keys) Signer keys (keys from SSS and RSS) sk sig (sk SSS sig, skrss ) pk sig (pk SSS sig, pkrss ) Sanitizer keys (keys from SSS) sk san sk SSS san pk san pk SSS san 22

Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) 23

Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 23

Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 RSS (τ 1, τ 2, τ 3, τ, pk sig, pk san ) }{{} σ RSS (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 23

Sketch of Construction (Signing) Let us consider a message m = (m 1, m 2, m 3) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 RSS (τ 1, τ 2, τ 3, τ, pk sig, pk san ) }{{} σ RSS Outer SSS (m 2, τ, τ 2, pk sig, pk san ) }{{} σ SSS 2 (m 3, τ, τ 3, pk sig, pk san ) }{{} σ SSS 3 ((m 1, m 2, m 3), σ RSS, (τ 1, τ 2, τ 3, σ1 SSS, σ2 SSS, σ3 SSS ), τ, pk sig, pk san ) }{{} σ0 SSS 23

Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) 24

Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS 24

Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS 24

Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, pk }{{} σ2 SSS sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS Outer SSS ((m 1, m 2, m 3), σ RSS, (τ 1, τ 2, τ 3, σ1 SSS, σ2 SSS, σ3 SSS ), τ, pk sig, pk san ) }{{} σ0 SSS 24

Sketch of Construction (Editing) Edit the message m = (m 1, m 2, m 3) to ˆm = (m 1, ˆm 2) Inner SSS (m 1, τ, τ 1, pk sig, pk san ) }{{} σ SSS 1 (m 2, τ, τ 2, pk sig, pk san ) (m 3, τ, τ 3, }{{} σ2 SSS pk sig, pk san ) }{{} σ3 SSS RSS (τ 1, τ 2, τ3, τ, pk sig, pk san ) }{{} ˆσ RSS ((m 1, ˆm 2), ˆσ RSS, (τ 1, τ 2, σ1 SSS, σ2 SSS ), τ, pk sig, pk san ) }{{} ˆσ 0 SSS 24

Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values 25

Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level 25

Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level Dependencies: Enforce restrictions such as if block i is redacted, also block j needs to be redacted 25

Open Issues and Potential Directions Limiting sets: Integrate features to limit sanitizing to signer-chosen sets of values Block-level: Accountability notions on a block instead of message level Dependencies: Enforce restrictions such as if block i is redacted, also block j needs to be redacted Unlinkability: Seems hard to achieve with our construction paradigm 25

Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages 26

Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) 26

Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) 26

Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) PSS provide all features and strong privacy guarantees 26

Conclusions and Take-Home RSS and SSS allow controlled modifications of signed messages RSS and SSS provide different features (e.g., remove vs. replace) We generalize RSS and SSS into protean signatures (PSS) PSS provide all features and strong privacy guarantees We provide a generic construction based on RSS and SSS (and labeled PKE) 26

Thank you! Questions? @drl3c7er Supported by EU H2020 and ECSEL

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback