Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures.

Slides:



Advertisements
Similar presentations
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Advertisements

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Off-the-Record Communication, or, Why Not To Use PGP
Secure Multiparty Computations on Bitcoin
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Anonymity and Security in Public Internet Forums Ho-fung LEUNG Senior Member, IEEE Dept. of Computer Science & Engineering The Chinese University of Hong.
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
WISA An Efficient On-line Electronic Cash with Unlinkable Exact Payments Toru Nakanishi, Mitsuaki Shiota and Yuji Sugiyama Dept. of Communication.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
By Jyh-haw Yeh Boise State University ICIKM 2013.
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
Realizing Hash and Sign Signatures under Standard Assumptions Realizing Hash and Sign Signatures under Standard Assumptions Susan Hohenberger Johns Hopkins.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Bob can sign a message using a digital signature generation algorithm
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.
Cryptology Digital Signatures and Digital Certificates Prof. David Singer Dept. of Mathematics Case Western Reserve University.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.
Rennes, 23/10/2014 Cristina Onete Graded Exercises & Authentication.
Forward-Secure Signatures (basic + generic schemes)
IS 302: Information Security and Trust Week 5: Integrity 2012.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
WISTP’08 ©LAM /05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.
Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.
On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
Impossibility proofs for RSA signatures in the standard model Pascal Paillier Topics in Cryptology – CT-RSA 2007.
Manu Drijvers, Joint work with Jan Camenisch, Anja Lehmann. March 9 th, 2016 Universally Composable Direct Anonymous Attestation.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Sanitizable Signatures ESORICS 2005, LNCS 3679, pp. 159–177, Springer-Verlag Berlin Heidelberg 2005 Author: Giuseppe Ateniese, Daniel H. Chou, Breno.
Key Substitution Attacks on Some Provably Secure Signature Schemes
Digital signatures.
Digital Signature Schemes and the Random Oracle Model
Cryptography Lecture 27.
Digital Signature Schemes and the Random Oracle Model
CS 394B Introduction Marco Canini.
Topic 13: Message Authentication Code
Lecture 4.1: Hash Functions, and Message Authentication Codes
Cryptography Lecture 26.
Presentation transcript:

Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures

 Cristina Onete || 07/11/2014 || 2 What is malleability? “Capacité d’un métal à se laisser réduire en feuilles, par forgeage ou par laminage.” Larousse, “(Of a metal or other material) able to be hammered or pres- sed into shape without breaking or cracking” Oxford dict.,

 Reminder: Signatures Medical record Name: Julie Martin Address: 101 Rue de Fougères, Rennes Diagnosis: Lung cancer ……………… Treatment: Signed: Signer (Hospital) Ensures authenticity Cristina Onete || 07/11/2014 || 3

 Reminder: Signatures Signer (Hospital) Verifier (CPAM) m sk Sign(sk, m) pk Verify(pk,m, σ) Adversary m* Verify(pk,m, σ*) Correctness Unforgeability m1m1 m2m2 … mqmq Cristina Onete || 07/11/2014 || 4

 Signatures vs. Malleability  Regular Signatures:  (Probabilistic) signatures: m   (σ 1, σ 2, … σ n )  Unforgeability: If Verify(m,σ)=1, then Verify(m*,σ)=0 with overwhelming probability (for m ≠ m*) m m*  Strong Unforgeability: even given (m, σ), hard to get σ* such that Verify(m, σ*) = 1 mI agree m* I disagree m m* I agree. Julie I disagree. Julie Cristina Onete || 07/11/2014 || 5

 Signatures vs. Malleability  Malleability  Message mauling:  Signature mauling I agree. Julie m I disagree. Julie m* I agree. Julie m m (m,σ) (m*,σ) Else, (m*, σ) is a forgery (m,σ) (m,σ*) (m, σ*) is strong forgery Cristina Onete || 07/11/2014 || 6

 Signatures vs. Malleability  Third-party access to data  Proof: CPAM has Julie’s signed medical record CPAM shows Employer Julie’s record Employer learns what Julie’s disease is CPAM asks Signer (hospital) to sign another record, without sensitive data Breach of Privacy! High Complexity Ideally: CPAM “cleans” up record so signature still verifies Sanitizable signatures chronic disease special needs Employer (Inria) Can I work from home? Yes, if you can prove you need it Cristina Onete || 07/11/2014 || 7

 Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

 Sanitizable Signatures  Architecture Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Diagnosis: Lung cancer Signed: Verifier (CPAM) Signer (Hospital) Employer (Inria) Work from home Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Cristina Onete || 07/11/2014 || 9

 Sanitizable Signatures  Sanitizable Signatures – idea: Message m ……………. m[1]m[2]m[3]m[4]m[5]m[k] blocks Fixed message blockAdmissible message block  can sign any message  can decide which are the admissible blocks  can decide who changes which blocks Cristina Onete || 07/11/2014 || 10

 Sanitizable Signatures  Sanitizable Signatures – idea: Message m ……………. m[1]m[2]m[3]m[4]m[5]m[k] blocks Fixed message blockAdmissible message block  can change admissible blocks (sanitizes m)  uses secret key to maul signature  cannot change fixed message blocks or blocks it is not allowed to change Cristina Onete || 07/11/2014 || 11

 Sanitizable Signatures  Sanitizable Signatures – idea: ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]m’[2]m[3]m’[4]m’[5]m[k] m’[1] Cristina Onete || 07/11/2014 || 12

 Sanitizable Signatures  Properties: Unforgeability: Nobody can output valid (m*, σ*) without or Signer (Hospital) Adversary Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Diagnosis: Influenza Cristina Onete || 07/11/2014 || 13

 Sanitizable Signatures  Properties: Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Sanitizer (CPAM) Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Cristina Onete || 07/11/2014 || 14

 Sanitizable Signatures  Properties: Privacy: Given sanitized m*, nothing leaks about original m Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Medical record Name: Jean Dupont Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois ? ? ? Cristina Onete || 07/11/2014 || 15

 Sanitizable Signatures  Properties: Transparency: Can’t tell whether σ* is only signed or sanitized Medical record Name: Jean Dupont Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois ? ? ? Cristina Onete || 07/11/2014 || 16

 Sanitizable Signatures  Properties: Accountability: A signer can prove to a judge that a sanitizer signed a message Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Diagnosis: Influenza Cristina Onete || 07/11/2014 || 17

 Sanitizable Signatures  Properties: Unforgeability: Nobody can output valid (m*, σ*) without or Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Privacy: Given sanitized m*, nothing leaks about original m Transparency: Can’t tell whether σ* is only signed or sanitized An authorized Judge can tell the difference Accountability Cristina Onete || 07/11/2014 || 18

 Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

 Chameleon Hash Functions  What are hash functions? ……… m[1]m[2]m[N] ………h[1]h[2]h[k] Hash m[1]m[2] Hash ………h[1]h[2]h[k] Turns messages of arbitrary length to hashed mes- sages of constant length Cristina Onete || 07/11/2014 || 20

 Chameleon Hash Functions  What are chameleon hash functions? ……… m[1]m[2]m[N] ………h[1]h[2]h[k] Hash ……… m’[1]m’[2]m’[N] Chameleon hashes: still collision resistant Unless you have a trapdoor… Cristina Onete || 07/11/2014 || 21

 Chameleon Hash Functions  Two types of users Users w/out trapdoor Users with trapdoor ………h[1]h[2]h[k] …… m[1]m[N] …… m’[1]m’[N] …… m[1]m[N] …… m’[1]m’[N] Cristina Onete || 07/11/2014 || 22

 Chameleon Hash Functions  How do you construct a Chameleon Hash? CHash = (Gen, Hash, Adapt) Secret-Keys: generate key K and trapdoor TD Evaluation: Chameleon property: finding collision: Cristina Onete || 07/11/2014 || 23

 Chameleon Hash Functions  How do you construct a Chameleon Hash? Key generation: Hashing: Chameleon property: finding collision: Cristina Onete || 07/11/2014 || 24

 Sanitizable Signatures  Sanitizable Signatures – idea: ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]m’[2]m[3]m’[4]m’[5]m[k] Cristina Onete || 07/11/2014 || 25

 Sanitizable Signatures  Using Chameleon Hashes to get malleability ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]H[2]m[3]H[4]H[5]m[k] Cristina Onete || 07/11/2014 || 26

 Sanitizable Signatures  Using Chameleon Hashes to get malleability ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]H[2]m[3]H[4]H[5]m[k] Cristina Onete || 07/11/2014 || 27

 Sanitizable Signatures  Using Chameleon Hashes to get malleability Fixed blocks: included in the signature Admissible blocks: Hashed with chameleon hash m[i] m[j]m[j], r[j], H(m[j, r[j]]) Signature generation: Verification: check H for fixed blocks, check signature Cristina Onete || 07/11/2014 || 28

 Sanitizable Signatures  Using Chameleon Hashes to get malleability Fixed blocks: included in the signature Admissible blocks: Hashed with chameleon hash m[i] m[j]m[j], r[j], H(m[j, r[j]]) Sanitization: m[j]m’[j]r’[j] m’[j], r’[j], H(m’[j, r’[j]]) Cristina Onete || 07/11/2014 || 29

 Sanitizable Signatures  Properties Unforgeability: Nobody can output valid (m*, σ*) without or Fixed blocks: Unforgeability of signatures w/out Admissible blocks: Collision-resistance of H w/out Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Fixed blocks: Unforgeability of signatures w/out Cristina Onete || 07/11/2014 || 30

 Sanitizable Signatures  Properties Privacy: Given sanitized m*, nothing leaks about original m m[j], r[j], H(m[j], r[j]]) m’[j], r’[j], H(m’[j], r’[j]]) ? ? ? Transparency: Can’t tell whether σ* is only signed or sanitized m’[j], r’[j], H(m’[j], r’[j]])m’[j], r’’[j], H(m’[j], r’’[j]]) m[j], r[j], H(m[j], r[j]])m*[j], r*[j], H(m*[j], r*[j]]) Cristina Onete || 07/11/2014 || 31

 Sanitizable Signatures  Properties Accountability A judge can tell the difference between a signed and a sanitized signature Adds complexity: see original paper for details: “Security of Sanitizable Signatures Revisited” Brzuska, Fischlin, Freudenreich, Lehmann, Page, Schelbert, Schröder, Volk Cristina Onete || 07/11/2014 || 32

 Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

 Extended Sanitizable Signatures  Properties Unlinkability Replace Chameleon Hash by Group Signatures (see next lectures) “Unlinkability of Sanitizable Signatures” Brzuska, Fischlin, Lehmann, Schröder Cristina Onete || 07/11/2014 || 34

 Further Malleability  Multiple Sanitizers Construction with 1 signer and m sanitizers  Nobody should know which party sanitized  Except a judge, who should always be able to trace it Construction with n signers and m sanitizers  Nobody should know who signed OR sanitized  Except a judge, who should always be able to trace it Uses group signatures and non-interactive Zero- knowledge Cristina Onete || 07/11/2014 || 35

 Proofs of Knowledge  General proofs of knowledge Malleability: “Malleable Proof Systems and Applications” Chase, Lysyanskaya, Kohlweiss, Meiklejohn Cristina Onete || 07/11/2014 || 36

CIDRE Thanks!

 Cristina Onete || 23/05/2014 || 38 Signatures vs. Malleability  Regular Signatures:  Unforgeability:  Strong unforgeability: I agree. Julie m I disagree. Julie m* I agree. Julie m m

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.