modification tolerant signature schemes location and
play

Modification tolerant signature schemes: location and correction - PowerPoint PPT Presentation

Jun 17, 2023 •279 likes •637 views

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31 Introduction MTSS Digital Signatures

  1. Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31

  2. Introduction MTSS Digital Signatures Conclusion Introduction Digital signatures: integrity, authenticity, non-repudiation. ✔ ✗ Traditional signature schemes: detect modifications. Modification-tolerant signature scheme (MTSS): locates modifications; corrects modifications. 2/31

  3. Introduction MTSS Digital Signatures Conclusion Introduction When do we want location? Data forensics; Partial integrity; Hide private information; Collaborative work. When do we want correction? Errors during transmission/storage; Malicious modifications. 3/31

  4. Introduction MTSS Digital Signatures Conclusion Contributions We propose a general framework for MTSS. Definition of new algorithms MTSS-KeyGeneration ( ℓ ), MTSS-Sign ( m , SK ), MTSS-Verify ( m , σ, PK ), MTSS-Verify&Correct ( m , σ, PK ). New definitions of valid signatures and security. Scheme 1: Instantiate a d -MTSS using a known combinatorial approach. Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . Security and correctness proofs. 4/31

  5. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. 5/31

  6. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. verify( ) 6/31

  7. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 7/31

  8. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 8/31

  9. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m Total of n signatures. 8/31

  10. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme A better approach: Use a “tolerance level” d . Use combinatorial techniques to create the signature scheme. We can locate up to d modified blocks. The size of the signature depends on d . One signature + O ( d 2 log n ) hash values. Much better than n signatures. 9/31

  11. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families The combinatorial approach: Cover-free families . Used in the context of combinatorial group testing. Identify d defective elements from a set of n elements pooled into t groups, where t < n . The groups are tested, instead of all elements individually. 1 2 3 4 5 6 1-CFF(4,6) Matrix 1 2 3 4 5 6 test 1 1 1 1 0 0 0 Test 1 Test 2 Test 3 Test 4 1 0 0 1 1 0 test 2 0 1 0 1 0 1 test 3 0 0 1 0 1 1 test 4 pass pass fail fail 10/31

  12. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families A d -cover free family d -CFF( t , n ): A t × n binary matrix; Every set of d + 1 columns contains a permutation submatrix of order d + 1. B 1 B 2 B 3 B 4 B 5 B 6 1 1 1 0 0 0 1 1 0 0 1 1 0 2 log n 0 1 0 1 0 1 3 0 0 1 0 1 1 4 11/31

  13. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme Schemes Three instantiations of d -MTSS using d -cover-free families. Scheme 1: A known 1 d -CFF approach to provide location . Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . 1 T. B. Idalino, L. Moura, R. F. Cust´ odio, and D. Panario. Locating modifications in signed data for partial data integrity. Information Processing Letters, 2015. 12/31

  14. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 T[1] m[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] test 2 1 0 0 1 1 0 h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] 13/31

  15. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 m[1] T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification 3) h(h 1 ||h 2 ||h 3 ) T’[1] 1) σ’ OK? T’[2] h(h 1 ||h 4 ||h 5 ) h(h 2 ||h 4 ||h 6 ) 2) h* ≟ h(m') no T’[3] h(h 3 ||h 5 ||h 6 ) T’[4] ≟ 14/31

  16. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location Document 1-CFF(4,6) Matrix Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) test 2 1 0 0 1 1 0 m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] Verification T 1 h(h 1 ||h 2 ||h 3 ) T' 1 h(h 1 ||h 2 ||h 3 ) T' 2 T 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T 3 h(h 2 ||h 4 ||h 6 ) T' 3 h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 Locate modifications with t ∼ log n extra hash values. Existentially unforgeable. 15/31

  17. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification T 1 T' 1 h(h 1 ||h 2 ||h 3 ) h(h 1 ||h 2 ||h 3 ) T 2 T' 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T' 3 T 3 h(h 2 ||h 4 ||h 6 ) h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 How can I correct the modified block? 16/31

  18. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  19. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  20. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  21. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Stop when h ( h ( m [1]) || h 2 || h 3 ) = T [1]. Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  22. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction “Brute force” search on the original block; Efficient for blocks of small enough size s ; If there there are two or more possible values, return fail. We can always choose a hash function h where no two inputs of size up to s have the same hash value. Since s is small, we can compute all of them and check. We can always correct modifications. 18/31

  23. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Security notions Valid signature A pair ( m , σ ) of message and signature is valid if there exists m ′ such that: σ was generated from m ′ ; m and m ′ differ in at most d positions. m’ m 19/31

Recommend

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --&gt; (Z q ) n m

279 views • 15 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

399 views • 29 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

335 views • 14 slides
Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram Poettering and Douglas Stebila Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

454 views • 41 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval Ecole normale suprieure - France John Malone-Lee - Nigel Smart University of Bristol - UK Summary Summary The methodology of provable

479 views • 12 slides
Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

590 views • 39 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of Informatics University of Edinburgh 31st January 2013 Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA

1.15k views • 91 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of

Overview Background Galindo-Garcia IBS GG-IBS, Improved Transformation Conclusion Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Background

1.76k views • 77 slides
Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp;

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp;

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp; Universiteit Leiden IPAM Retreat: Securing Cyberspace 9 June 2009 Network coding [ACLY00] recipient router router router sender router

330 views • 18 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K

Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K

Signature Schemes Chester Rebeiro IIT Madras CR CR STINSON : chapter 7 Recall : MACs y = h K (x) Alice Bob h K = K A=ack at Dawn!! Message Digest h K K unsecure channel Message A=ack at Dawn!! MACs allow Bob to be certain

701 views • 37 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background

Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background

Analysis of a Proposed Hash- Based Signature Standard Jonathan Katz Motivation and background Recent interest in standardization of post- quantum public-key primitives For signature schemes, several proposals based on

383 views • 24 slides
Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x)

Signature Schemes Chester Rebeiro IIT Madras CR STINSON : chapter 7 Recall : MACs y = h K (x) Alice Bob h K = K Attack at Dawn!! Message Digest h K K unsecure channel Message Message Attack at Dawn!! MACs allow Bob to be

696 views • 35 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides

More recommend