Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31
Introduction MTSS Digital Signatures Conclusion Introduction Digital signatures: integrity, authenticity, non-repudiation. ✔ ✗ Traditional signature schemes: detect modifications. Modification-tolerant signature scheme (MTSS): locates modifications; corrects modifications. 2/31
Introduction MTSS Digital Signatures Conclusion Introduction When do we want location? Data forensics; Partial integrity; Hide private information; Collaborative work. When do we want correction? Errors during transmission/storage; Malicious modifications. 3/31
Introduction MTSS Digital Signatures Conclusion Contributions We propose a general framework for MTSS. Definition of new algorithms MTSS-KeyGeneration ( ℓ ), MTSS-Sign ( m , SK ), MTSS-Verify ( m , σ, PK ), MTSS-Verify&Correct ( m , σ, PK ). New definitions of valid signatures and security. Scheme 1: Instantiate a d -MTSS using a known combinatorial approach. Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . Security and correctness proofs. 4/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. 5/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. verify( ) 6/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 7/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 8/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m Total of n signatures. 8/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme A better approach: Use a “tolerance level” d . Use combinatorial techniques to create the signature scheme. We can locate up to d modified blocks. The size of the signature depends on d . One signature + O ( d 2 log n ) hash values. Much better than n signatures. 9/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families The combinatorial approach: Cover-free families . Used in the context of combinatorial group testing. Identify d defective elements from a set of n elements pooled into t groups, where t < n . The groups are tested, instead of all elements individually. 1 2 3 4 5 6 1-CFF(4,6) Matrix 1 2 3 4 5 6 test 1 1 1 1 0 0 0 Test 1 Test 2 Test 3 Test 4 1 0 0 1 1 0 test 2 0 1 0 1 0 1 test 3 0 0 1 0 1 1 test 4 pass pass fail fail 10/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families A d -cover free family d -CFF( t , n ): A t × n binary matrix; Every set of d + 1 columns contains a permutation submatrix of order d + 1. B 1 B 2 B 3 B 4 B 5 B 6 1 1 1 0 0 0 1 1 0 0 1 1 0 2 log n 0 1 0 1 0 1 3 0 0 1 0 1 1 4 11/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme Schemes Three instantiations of d -MTSS using d -cover-free families. Scheme 1: A known 1 d -CFF approach to provide location . Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . 1 T. B. Idalino, L. Moura, R. F. Cust´ odio, and D. Panario. Locating modifications in signed data for partial data integrity. Information Processing Letters, 2015. 12/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 T[1] m[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] test 2 1 0 0 1 1 0 h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] 13/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 m[1] T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification 3) h(h 1 ||h 2 ||h 3 ) T’[1] 1) σ’ OK? T’[2] h(h 1 ||h 4 ||h 5 ) h(h 2 ||h 4 ||h 6 ) 2) h* ≟ h(m') no T’[3] h(h 3 ||h 5 ||h 6 ) T’[4] ≟ 14/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location Document 1-CFF(4,6) Matrix Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) test 2 1 0 0 1 1 0 m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] Verification T 1 h(h 1 ||h 2 ||h 3 ) T' 1 h(h 1 ||h 2 ||h 3 ) T' 2 T 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T 3 h(h 2 ||h 4 ||h 6 ) T' 3 h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 Locate modifications with t ∼ log n extra hash values. Existentially unforgeable. 15/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification T 1 T' 1 h(h 1 ||h 2 ||h 3 ) h(h 1 ||h 2 ||h 3 ) T 2 T' 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T' 3 T 3 h(h 2 ||h 4 ||h 6 ) h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 How can I correct the modified block? 16/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Stop when h ( h ( m [1]) || h 2 || h 3 ) = T [1]. Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction “Brute force” search on the original block; Efficient for blocks of small enough size s ; If there there are two or more possible values, return fail. We can always choose a hash function h where no two inputs of size up to s have the same hash value. Since s is small, we can compute all of them and check. We can always correct modifications. 18/31
Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Security notions Valid signature A pair ( m , σ ) of message and signature is valid if there exists m ′ such that: σ was generated from m ′ ; m and m ′ differ in at most d positions. m’ m 19/31
Recommend
More recommend