
Efficient Redactable Signature and Application to Anonymous Credentials



  1. Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020

  2. Context

  3. Digital Signature. Digital signature can be used to authenticate digital data. [Diagram: messages Name, Birthdate, ..., Address are passed to Sign with $sk$, producing $\sigma$.] Not even one bit can be modified.

  4. Digital Signature. Digital signature can be used to authenticate digital data. [Diagram: messages Name, Birthdate, ..., Address and $\sigma$ are passed to Verif with $pk$, producing 0/1.] Verification requires knowledge of all signed data.

  5. Limits of Digital Signature. Use case: one just needs to verify that age ≥ 18.
     - Efficiency: ✗ ($n$ messages to send)
     - Privacy: ✗ (reveals all signed data to the verifier)

     How to efficiently and privately check that $k$ out of $n$ messages are certified or satisfy some relations?

     Standard alternatives:
     - Alternative 1: 1 signature per message
       - Efficiency: ∼ ($n$ signatures to store)
       - Privacy: ➚

  6. Limits of Digital Signature.
     - Alternative 2: Merkle's tree
       - Efficiency: ➚ ($\log(n)$ elements to send)
       - Privacy: ∼ (prevents zero-knowledge proofs)
     - Alternative 3: proof of knowledge of the $n$ messages
       - Efficiency: ➘
       - Privacy: ✓

     ⇒ no satisfying solution

  7. Accumulators. Solution from [FHS19]¹. [Diagram: messages Name, Birthdate, ..., Address are passed to Acc, producing $C$; $C$ is passed to Sign with $sk$, producing $\sigma$.] Messages are accumulated and then signed.

     ¹ Fuchsbauer, Hanser and Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials, Journal of Cryptology, 2019

  8. Accumulators. Solution from [FHS19]. [Diagram: Open takes the messages Name, Birthdate, ..., Address and outputs $W$, alongside $C$ and $\sigma$.] A witness $W$ that "birthdate" has been accumulated can be computed.

  9. Accumulators. Solution from [FHS19]. [Diagram: Open outputs $W$; AccV takes $C$ and $W$ and outputs 0/1; Verif takes $\sigma$, $C$ and $pk$ and outputs 0/1.] Given $C$, $W$, $\sigma$, one can check that "birthdate" has been signed.

  10. Accumulators. Assessment of FHS solution (compared to basic signature):
     - Efficiency: ✓
       - $O(1)$ certificate size
       - $O(1)$ communication complexity²
       - $O(k)$ verification complexity
     - Privacy: ∼
       - the $k$ messages must be disclosed, no ability to prove that they satisfy some relations (e.g. age ≥ 18)

     ⇒ not fully satisfying

     ² excluding the $k$ disclosed messages

  11. Unlinkable Redactable Signature. Solution from [CDHK15]³. [Diagram: messages Name, Birthdate, ..., Address are passed to Sign with $sk$, producing $\sigma$.] 1 signature $\sigma$ on all messages.

     ³ Camenisch, Dubovitskaya, Haralambiev and Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions, Asiacrypt, 2015

  12. Unlinkable Redactable Signature. Solution from [CDHK15]. [Diagram: Deriv takes $\sigma$, $pk$ and the messages Name, Birthdate, ..., Address and outputs $\sigma'$.] A signature $\sigma'$ can be derived on a subset of messages.

  13. Unlinkable Redactable Signature. Solution from [CDHK15]. [Diagram: Deriv outputs $\sigma'$; Verif takes $\sigma'$ and $pk$ and outputs 0/1.] No need to know the redacted messages to check $\sigma'$.

  14. Unlinkable Redactable Signature. Assessment of CDHK solution (compared to basic signature):
     - Efficiency: ➚
       - $O(1)$ certificate size
       - $O(1)$ communication complexity⁴
         - very large constant
       - $O(k)$ verification complexity
     - Privacy: ∼
       - the $k$ messages must be disclosed, no ability to prove that they satisfy some relations (e.g. age ≥ 18)
       - derived signatures can be unlinkable

     ⇒ not fully satisfying

     ⁴ excluding the $k$ disclosed messages

  15. Our Contribution

  16. Unlinkable Redactable Signature. We want an unlinkable redactable signature scheme with:
     - Efficiency:
       - short, constant-size (derived) signatures
       - verification of $k$ out of $n$ messages in $O(k)$
     - Privacy:
       - unlinkability: to link signatures derived from the same $\sigma$ is hard
       - relations about non-redacted messages can be proved in ZK

  17. Pointcheval-Sanders Signature. Our starting point: PS signature⁵
     - use asymmetric bilinear group $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
     - secret $(x, y_1, \ldots, y_n)$ and public $X = g^x$, $Y_i = g^{y_i}$ in $\mathbb{G}_1$
     - a signature on $(m_1, \ldots, m_n)$ is $\tilde\sigma_1 \xleftarrow{\$} \mathbb{G}_2$ and $\tilde\sigma_2 \leftarrow \tilde\sigma_1^{\,x + \sum_{i=1}^{n} y_i m_i}$
     - verification:

       $$e(g, \tilde\sigma_2) \stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big)$$

     Designed to support proofs of knowledge of $m_i$.

     ⁵ Pointcheval and Sanders, Short Randomizable Signature, CT-RSA 16

  18. Pointcheval-Sanders Signature.
     - Use case: $V$ wants to check that a subset $\{m_i\}_{i\in\mathcal{I}}$ of messages is signed and/or satisfies some relations
       ⇒ messages $\{m_i\}_{i\in\overline{\mathcal{I}}}$ are redacted, with $\overline{\mathcal{I}} = \{1, \ldots, n\} \setminus \mathcal{I}$
     - Standard solution:
       - prove knowledge of redacted messages
       - reveal and/or prove relations about $\{m_i\}_{i\in\mathcal{I}}$

       ⇒ inefficient

  19. A First Attempt. Verification of PS signatures:

     $$e(g, \tilde\sigma_2) \stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big)$$

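  20. A First Attempt. Verification of PS signatures:

     $$\begin{aligned}
     e(g, \tilde\sigma_2) &\stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big)
     \end{aligned}$$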

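  21. A First Attempt. Verification of PS signatures:

     $$\begin{aligned}
     e(g, \tilde\sigma_2) &\stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \sigma_1 \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big), \qquad \sigma_1 = \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i}
     \end{aligned}$$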

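  22. A First Attempt. Verification of PS signatures:

     $$\begin{aligned}
     e(g, \tilde\sigma_2) &\stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \sigma_1 \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big), \qquad \sigma_1 = \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \\
     &\stackrel{?}{=} e\Big(X \sigma_1 Y_{i_0}^{m_{i_0}} \prod_{i\in\mathcal{I}\setminus i_0} Y_i^{m_i},\ \tilde\sigma_1\Big)
     \end{aligned}$$

     $(\sigma_1, \tilde\sigma_1, \tilde\sigma_2)$ is not a secure redactable signature on $\{m_i\}_{i\in\mathcal{I}}$: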

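  23. A First Attempt. Verification of PS signatures:

     $$\begin{aligned}
     e(g, \tilde\sigma_2) &\stackrel{?}{=} e\Big(X \prod_{i=1}^{n} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &\stackrel{?}{=} e\Big(X \sigma_1 \prod_{i\in\mathcal{I}} Y_i^{m_i},\ \tilde\sigma_1\Big), \qquad \sigma_1 = \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i} \\
     &\stackrel{?}{=} e\Big(X \sigma_1 Y_{i_0}^{m_{i_0}} \prod_{i\in\mathcal{I}\setminus i_0} Y_i^{m_i},\ \tilde\sigma_1\Big) \\
     &= e\Big(X \sigma'_1 Y_{i_0}^{t} \prod_{i\in\mathcal{I}\setminus i_0} Y_i^{m_i},\ \tilde\sigma_1\Big), \qquad \sigma'_1 = \sigma_1 Y_{i_0}^{m_{i_0} - t}
     \end{aligned}$$

     $(\sigma_1, \tilde\sigma_1, \tilde\sigma_2)$ is not a secure redactable signature on $\{m_i\}_{i\in\mathcal{I}}$: $(\sigma'_1, \tilde\sigma_1, \tilde\sigma_2)$ is valid on $t$ and $\{m_i\}_{i\in\mathcal{I}\setminus i_0}$.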

  24. A Linkable Solution. Problem: elements $Y_i^{u_i}$, for $i \in \mathcal{I}$, can be aggregated in $\sigma_1$.
     - solution 1: prove that $\sigma_1 = \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i}$
       - inefficient (back to square 1)
       - overkill: proves more than what we need

  25. A Linkable Solution. Problem: elements $Y_i^{u_i}$, for $i \in \mathcal{I}$, can be aggregated in $\sigma_1$.
     - our solution: if $\sigma_1$ is honestly formed,

       $$e\Big(\sigma_1, \prod_{i\in\mathcal{I}} \tilde g^{y_i}\Big) = e(g, \tilde g)^{f(y_1, \ldots, y_n)}$$

       where $f$ only contains monomials $y_i \cdot y_j$, for $i \neq j$

  26. A Linkable Solution. Problem: elements $Y_i^{u_i}$, for $i \in \mathcal{I}$, can be aggregated in $\sigma_1$.
     - our solution: if $\sigma_1$ is forged,

       $$e\Big(\sigma_1, \prod_{i\in\mathcal{I}} \tilde g^{y_i}\Big) = e(g, \tilde g)^{f(y_1, \ldots, y_n)}$$

       where $f$ contains monomials $y_i^2$, $i \in \mathcal{I}$
     - we add $\{g^{y_i y_j}\}_{i \neq j}$ in $pk$
       - sufficient to compute $\sigma_2 = g^{f(y_1, \ldots, y_n)}$ if $\sigma_1$ honestly formed
       - not sufficient to compute $\sigma_2 = g^{f(y_1, \ldots, y_n)}$ if $\sigma_1$ forged
       - "validity" of $\sigma_1$ can be checked:

         $$e\Big(\sigma_1, \prod_{i\in\mathcal{I}} \tilde g^{y_i}\Big) \stackrel{?}{=} e(\sigma_2, \tilde g)$$

  27. Achieving Unlinkability.
     - Our redactable signature $(\sigma_1, \sigma_2, \tilde\sigma_1, \tilde\sigma_2)$ is:
       - ✓ constant size (4 group elements)
       - ✓ $O(|\mathcal{I}|)$ complexity for verification
       - ✗ not unlinkable
     - $(\tilde\sigma_1, \tilde\sigma_2)$ can be re-randomized but not $(\sigma_1, \sigma_2)$
     - We use a different approach:
       - $\sigma_2$ only proves that $\sigma_1$ does not contain illicit elements $\{Y_{i_0}^{u_{i_0}}\}_{i_0\in\mathcal{I}}$
       - we can aggregate anything else in $\sigma_1$

  28. Achieving Unlinkability.
     - Step 1: aggregate $t \xleftarrow{\$} \mathbb{Z}_p$ under dummy public key 1
       - $\tilde\sigma''_2 \leftarrow \tilde\sigma_2 \cdot \tilde\sigma_1^{\,t}$
       - re-randomize $(\tilde\sigma'_1, \tilde\sigma'_2) \leftarrow (\tilde\sigma_1^{\,r}, (\tilde\sigma''_2)^{r})$, with $r \xleftarrow{\$} \mathbb{Z}_p$

       $(\tilde\sigma'_1, \tilde\sigma'_2)$ is valid on $(m_1, \ldots, m_n, t)$

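  29. Achieving Unlinkability.
     - Step 1: aggregate $t \xleftarrow{\$} \mathbb{Z}_p$ under dummy public key 1
       - $\tilde\sigma''_2 \leftarrow \tilde\sigma_2 \cdot \tilde\sigma_1^{\,t}$
       - re-randomize $(\tilde\sigma'_1, \tilde\sigma'_2) \leftarrow (\tilde\sigma_1^{\,r}, (\tilde\sigma''_2)^{r})$, with $r \xleftarrow{\$} \mathbb{Z}_p$

       $(\tilde\sigma'_1, \tilde\sigma'_2)$ is valid on $(m_1, \ldots, m_n, t)$
     - Step 2: redact $\{m_i\}_{i\in\overline{\mathcal{I}}}$ and $t$
       - $\sigma'_1 = g^{t} \cdot \prod_{i\in\overline{\mathcal{I}}} Y_i^{m_i}$
       - $\sigma'_2 \leftarrow \big(\prod_{i\in\mathcal{I}} Y_i\big)^{t} \prod_{i\in\mathcal{I},\, j\in\overline{\mathcal{I}}} (g^{y_i y_j})^{m_j}$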
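
The algebra of items 19 to 29 can be checked in a toy model, added here as an example that is not part of the original slides or the author's code. Assumptions: every group element is represented by its discrete logarithm modulo a constructed prime `P`, so a pairing $e(g^a, \tilde g^b)$ becomes `a*b % P` (this checks the equations and offers no security); verification is taken to be the two pairing checks of items 23 and 26 applied to the derived signature; all function names are hypothetical.

```python
import secrets

P = 2**127 - 1  # constructed toy prime standing in for the group order p

def rand():
    return secrets.randbelow(P - 1) + 1

def keygen(n):
    # x and y_1..y_n; in this model X, Y_i and g^{y_i y_j} are known via these logs
    return rand(), [rand() for _ in range(n)]

def sign(x, y, msgs):
    s = rand()  # log of sigma~_1
    return s, s * (x + sum(a * m for a, m in zip(y, msgs))) % P

def derive(y, sig, msgs, disclosed):
    # Items 28-29: aggregate random t, re-randomize with r, redact the hidden messages
    s1, s2 = sig
    hidden = [j for j in range(len(msgs)) if j not in disclosed]
    t, r = rand(), rand()
    st1 = s1 * r % P                      # sigma~'_1 = sigma~_1^r
    st2 = (s2 + s1 * t) * r % P           # sigma~'_2 = (sigma~_2 * sigma~_1^t)^r
    sg1 = (t + sum(y[j] * msgs[j] for j in hidden)) % P
    # sigma'_2 needs only Y_i and cross terms g^{y_i y_j} (i disclosed, j hidden)
    sg2 = (t * sum(y[i] for i in disclosed)
           + sum(y[i] * y[j] * msgs[j] for i in disclosed for j in hidden)) % P
    return sg1, sg2, st1, st2

def verify(x, y, dsig, shown):
    # shown: {index: disclosed message}; a pairing e(g^a, g~^b) becomes a*b mod P
    sg1, sg2, st1, st2 = dsig
    ps_check = (x + sg1 + sum(y[i] * m for i, m in shown.items())) * st1 % P == st2
    validity = sg1 * sum(y[i] for i in shown) % P == sg2
    return ps_check, validity

def maul(y, dsig, i0, old, new):
    # Item 23: sigma'_1 <- sigma_1 * Y_{i0}^{old-new}; the other elements are reused
    sg1, sg2, st1, st2 = dsig
    return (sg1 + y[i0] * (old - new)) % P, sg2, st1, st2

def demo():
    msgs = [1001, 19900101, 77]           # constructed: name, birthdate, address
    x, y = keygen(len(msgs))
    sig = sign(x, y, msgs)
    d1, d2 = derive(y, sig, msgs, [1]), derive(y, sig, msgs, [1])
    honest = verify(x, y, d1, {1: msgs[1]})
    forged = verify(x, y, maul(y, d1, 1, msgs[1], 20100101), {1: 20100101})
    return honest, forged, d1 != d2

if __name__ == "__main__":
    print(demo())
```

The mauled signature still satisfies the Pointcheval-Sanders equation but fails the $\sigma_2$ validity check, because matching $\sigma_2$ would require the monomial $y_{i_0}^2$ that the public key does not provide.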
