efficient unlinkable sanitizable signatures from
play

Efficient Unlinkable Sanitizable Signatures from Signatures with - PowerPoint PPT Presentation

Oct 11, 2022 •101 likes •577 views

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

  1. Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr¨ oder Mark Simkin March 7, 2016

  2. ✦ ✪ Sanitizable Signatures [ACdMT05] Bob E.D. $ 800

  3. ✪ Sanitizable Signatures [ACdMT05] Bob $ 800 ✦ E.D.

  4. ✦ Sanitizable Signatures [ACdMT05] Bob censored E.D. ✪ $ 800

  5. ✦ Sanitizable Signatures [ACdMT05] Bob censored E.D. ✪ $ 800 Nurse

  6. ✪ Sanitizable Signatures [ACdMT05] Bob censored E.D. ✦ $ 800 Nurse

  7. ✪ Sanitizable Signatures [ACdMT05] Bob Bob $ 800 ✦ Influenza E.D. $ 800 Nurse

  8. Security of Sanitizable Signatures ◮ Formalized by Brzuska et al. [BFFLPSSV09] ◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy ◮ Missing property identified by Brzuska et al. [BFLS10] ◮ Unlinkability

  9. Security of Sanitizable Signatures ◮ Formalized by Brzuska et al. [BFFLPSSV09] ◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy ◮ Missing property identified by Brzuska et al. [BFLS10] ◮ Unlinkability

  10. Security of Sanitizable Signatures ◮ Formalized by Brzuska et al. [BFFLPSSV09] ◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy ◮ Missing property identified by Brzuska et al. [BFLS10] ◮ Unlinkability

  11. Immutability [ACdMT05][BFFLPSSV09] Bob Charlie E.D. E.D. $ 800 ✪ $ 800 Nurse

  12. Sanitizer-Accountability [ACdMT05][BFFLPSSV09] Bob Influenza $ 800 Nurse Π

  13. Sanitizer-Accountability [ACdMT05][BFFLPSSV09] Bob Influenza $ 800 Nurse Π Yes! This message was sanitized.

  14. Signer-Accountability [ACdMT05][BFFLPSSV09] Bob Stupid $ 800 Π

  15. Signer-Accountability [ACdMT05][BFFLPSSV09] Bob Stupid $ 800 Π Nope! This message was not sanitized.

  16. Transparency [ACdMT05][BFFLPSSV09] Bob Bob ? Influenza Influenza $ 800 $ 800 ???

  17. Unlinkability [BFLS10] Bob Acne $ 800 ? Bob E.D. Nurse $ 800 ??? Bob Influenza $ 800

  18. The General Idea sk sig σ Fix Sign m 1 m 2 m 3 m 4 m 5 sk san

  19. The General Idea sk sig σ Fix Sign m 1 m 2 m 3 m 4 m 5 sk san ? Sign σ ′ σ

  20. The General Idea sk sig σ Fix Sign m 1 m 2 m 3 m 4 m 5 sk san Sign σ ′ σ

  21. Signatures with Re-Randomizable Keys sk κ Gen pk

  22. Signatures with Re-Randomizable Keys Sign sk κ m σ Gen pk

  23. Signatures with Re-Randomizable Keys Sign sk κ m σ Gen pk Verify b

  24. Signatures with Re-Randomizable Keys RandSK Sign sk ρ κ m σ Gen pk Verify RandPK b

  25. Unforgeability under Re-Randomized Keys pk ( sk , pk ) ← Gen (1 κ ) ( m ∗ , σ ∗ )

  26. Unforgeability under Re-Randomized Keys pk ( sk , pk ) ← Gen (1 κ ) m σ ← Sign ( sk , m ) σ ( m ∗ , σ ∗ ) The attacker wins if Verify ( pk , m ∗ , σ ∗ ) = 1 and m � = m ∗

  27. Unforgeability under Re-Randomized Keys pk ( sk , pk ) ← Gen (1 κ ) m σ ← Sign ( sk , m ) σ m, ρ sk ′ ← RandSK ( sk , ρ ) σ ← Sign ( sk ′ , m ) σ ( m ∗ , σ ∗ , ρ ∗ ) The attacker wins if Verify ( pk , m ∗ , σ ∗ ) = 1 and m � = m ∗ or Verify ( pk ′ , m ∗ , σ ∗ ) = 1 and m � = m ∗ with pk ′ ← RandPK ( pk , ρ ∗ )

  28. Unforgeability under Re-Randomized Keys ◮ Nontrivial Property ◮ Does not follow from standard unforgeability. ◮ Many schemes with re-randomizable keys not unforgeable under re-randomized keys ◮ e.g. Boneh-Boyen, Camenisch-Lysyanskaya ◮ Instantiations in ROM and Standard Model ◮ Schnorr ◮ Hofheinz-Kiltz

  29. Unforgeability under Re-Randomized Keys ◮ Nontrivial Property ◮ Does not follow from standard unforgeability. ◮ Many schemes with re-randomizable keys not unforgeable under re-randomized keys ◮ e.g. Boneh-Boyen, Camenisch-Lysyanskaya ◮ Instantiations in ROM and Standard Model ◮ Schnorr ◮ Hofheinz-Kiltz

  30. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 pk sig pk san

  31. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 RandSK sk ′ pk ′ RandPK pk sig pk san

  32. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig pk san

  33. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig pk san P PoK τ

  34. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ

  35. Our Construction σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  36. Our Construction Immutability σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  37. Our Construction Sanitizer-Accountability σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  38. Our Construction Signer-Accountability σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  39. Our Construction Transparency σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  40. Our Construction Unlinkability σ Fix sk sig Sign m 1 m 2 m 3 m 4 m 5 Sign RandSK sk ′ σ ′ pk ′ RandPK pk sig c Enc pk san P PoK τ σ

  41. Comparison Computation BFLS10 using This Paper 1 Groth07 FY04 KGen sig 7 E 1 E 1 E KGen san 1 E 1 E 4 E Sign 15 E 194 E+ 2 P 2831 E Sanit 14 E 186 E+ 1 P 2814 E Verify 17 E 207 E + 62 P 2011 E Proof 23 E 14 E+ 1 P 18 E Judge 6 E 1 E+ 2 P 2 E E=modular exponentiation,P= pairing evaluation 1 Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ -protocols.

  42. Comparison Computation BFLS10 using This Paper 1 Groth07 FY04 KGen sig 7 E 1 E 1 E KGen san 1 E 1 E 4 E Sign 15 E 194 E+ 2 P 2831 E Sanit 14 E 186 E+ 1 P 2814 E Verify 17 E 207 E + 62 P 2011 E Proof 23 E 14 E+ 1 P 18 E Judge 6 E 1 E+ 2 P 2 E E=modular exponentiation,P= pairing evaluation 1 Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ -protocols.

  43. Comparison Storage BFLS10 using This Paper 2 Groth07 FY04 pk sig 7 1 1 sk sig 14 1 1 pk san 1 1 5 sk san 1 1 1 14 69 1620 σ π 4 1 3 measured in group elements 2 Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ -protocols.

  44. Comparison Storage BFLS10 using This Paper 2 Groth07 FY04 pk sig 7 1 1 sk sig 14 1 1 pk san 1 1 5 sk san 1 1 1 14 69 1620 σ π 4 1 3 measured in group elements 2 Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ -protocols.

  45. Conclusion We construct an unlinkable sanitizable signature scheme that can be instantiated at least one order of magnitude more efficiently than previously known schemes.

  46. Thank You! Nils Fleischhacker fleischhacker@cs.uni-saarland.de Full Version: ia.cr/2015/395

Recommend

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Geometry meets IoT: Efficient low-memory key exchange and signatures Benjamin Smith Team GRACE

Geometry meets IoT: Efficient low-memory key exchange and signatures Benjamin Smith Team GRACE

Geometry meets IoT: Efficient low-memory key exchange and signatures Benjamin Smith Team GRACE INRIA + Laboratoire dInformatique de l Ecole polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik, Croatia, June 8

424 views • 41 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides
Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of Technology / Guardtime AS May 17, 2014 Estonian CS Theory days at Narva-J oesuu TL; DR Built a practical signature scheme without modular

585 views • 25 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University

Efficient Implementation of Hash-Sequence Signatures Ahto Truu, Guardtime AS / Tallinn University of Technology This is joint work with Ahto Buldas and Risto Laanoja The presenter has received the Skype and IT Academy PhD Students Scholarship

318 views • 15 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Outline Efficient Receipt-Freeness for e-Voting David Pointcheval 1 Introduction Joint work

Outline Efficient Receipt-Freeness for e-Voting David Pointcheval 1 Introduction Joint work

Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Outline Efficient Receipt-Freeness for e-Voting David Pointcheval 1 Introduction

444 views • 11 slides
The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob

The Petition 11 614 signatures so far, on-line and hard copy Raised in Parliament by Jacob Rees-Mogg Submitted to 10 Downing Street 21 March www.change.org Geographical spread of signatures Distribution of Signatures Bath East of

483 views • 13 slides
Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital

M. Kutyowski Mediated Signatures - Towards Advanced Undeniability of Digital Data in Technical Digital Signatures Qualified Signatures and Legal Framework Validity of the Signature Standard Implementation Risk Issues Reasons of

436 views • 42 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF?

Signatures and grammars Signatures and grammars Why manual disambiguation in SDF? Associativity of binary operators y g y y Fully declarative definition of syntax Priorities between binary operators Implicit disambiguation

281 views • 6 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA Coin flipping over the phone RSA Signatures allow you to recover the message from the signature; ElGamal signatures dont ElGamal Sig

410 views • 14 slides
Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger

Synchronized Aggregate Signatures from the RSA Assumption Brent Waters Susan Hohenberger Aggregate Signatures [Boneh-Gentry-Lynn-Shacham03] Idea: Compress several signatures into one PK 3 PK 1 PK 2 PK n M 3 M 1 M 2 M n Sig 1 Sig 2 Sig

646 views • 23 slides

More recommend