1. Sanitizable Signatures ESORICS 2005, LNCS 3679, pp. 159–177, 2005. Springer-Verlag Berlin Heidelberg 2005 Author: Giuseppe Ateniese, Daniel H. Chou, Breno de Medeiros, and Gene Tsudi Adviser: 鄭錦楸, 郭文中 教授 Reporter: 林彥宏

2. 2 Outline Introduction and Motivation Related Work Sanitizable Signatures Construction Based on Chameleon Hashes Extensions and Other Constructions Implementation Conclusions

3. 3 Introduction and Motivation Security Clearance : determination by the United States government that a person or company is eligible for access to classified information Freedom of Information Act (FOIA) Homomorphic Signature Schemes: R. Johnson, D. Molnar, D. Song, and D.Wagner. Topics in Cryptology–CT- RSA 2002 Redactable Signatures: anyone with the knowledge of the public key to generate a valid signature

4. 4 Introduction and Motivation semi-trusted censor to modify designated portions of the document illustrate the utility of sanitizable signatures Multicast and Database Applications Medical Applications Secure Routing subscriber DB adminer sponsor

5. 5 Related Work Incremental cryptography: Incremental cryptography: the case of hashing and signing. Springer- Verlag, 1994. update the function value based on the old value rather than re- computing it Homomorphic signatures: Redactable Signatures Sanitized Signatures: only the censor would be able to generate a valid signature on a modified (sanitized) document Transitive signatures: signer pick a pair i, j of nodes and create a signature of { i, j }; another signature of an edge { j, k } anyone in possession of the public key can create a signature of the edge { i, k } M P1 P2 P3

6. 6 Sanitizable Signatures Sanitizable Signature scheme must have the following properties: Immutability: censor not be able to modify the part of message Privacy: sanitized information is unrecoverable Accountability: the signer can prove to a trusted third party (e.g., court) that a certain message was sanitized by the censor Transparency: no party be able to correctly guess whether the message has been sanitized

7. 7 Sanitizable Signatures Transparency: Weak Transparency: verifier knows exactly which parts of the message are potentially sanitizable Strong Transparency: verifier does not know which parts of the message are immutable strong transparency is not always better: the Freedom of Information Act (FOIA)

8. 8 Model four efficient algorithms: Key generation: Sign: Verify:

9. 9 Model Sanitize: Security Requirements of Sanitizable Signatures: Correctness: Unforgeability: without the knowledge of the private signing key it is difficult to produce a valid signature

10. 10 Model Indistinguishability: and are computationally indistinguishability Identical Distribution:

11. 11 Construction Based on Chameleon Hashes Setup:

12. 12 Sanitizable Signing Mutable block: Immutable block: Construction Based on Chameleon Hashes signer censor

13. 13 Chameleon Hash

14. 14 Chameleon Hash

15. 15 Security Requirements Correctness Indistinguishability: Identical distribution of sanitized and original signatures Unforgeability

16. 16 Extensions and Other Constructions multiple censors, each able to modify different portions of document Strong transparency: assign public keys of non-existing (dummy) censors to the blocks the signer wish to remain unmodified

17. 17 Extensions and Other Constructions Hybrid Scheme: combine the redactable and sanitizable signatures Redacted block can redact by anyone Unredacted block can be sanitized by a censor

18. 18 Attribute Tags the new parts satisfy prescribed semantics or policies immutable attribute tag m1m3 (Address:) m2

19. 19 Implementation operation 1000 times SHA-1 as the generic hash algorithm RSA as the generic signature algorithm Nyberg-Rueppel-based chameleon hash

20. 20 Conclusions Sanitizable signatures allow a semi-trusted censor to modify designated portions of a document. Verifier cannot determine whether a received signature has been sanitized by the censor. The performance results obtained demonstrate that the scheme is practical and efficient.