30 research outputs found
Sanitizable signatures with strong transparency in the standard model
Sanitizable signatures provide several security features which
are useful in many scenarios including military and medical applications. Sanitizable signatures allow a semi-trusted party to update some part of the digitally signed document without interacting with the original signer. Such schemes, where the verifer cannot identify whether the message has been sanitized, are said to possess strong transparency. In this paper, we have described the first efficient and provably secure sanitizable signature scheme having strong transparency under the standard
model
Stronger Security for Sanitizable Signatures
Sanitizable signature schemes (SSS) enable a designated party (called the sanitizer ) to alter admissible
blocks of a signed message. This primitive can be used to remove or alter sensitive data from already signed
messages without involvement of the original signer.
Current state-of-the-art security definitions of SSSs only dene a \weak form of security. Namely, the unforgeability,
accountability and transparency definitions are not strong enough to be meaningful in certain use-cases. We
identify some of these use-cases, close this gap by introducing stronger definitions, and show how to alter an
existing construction to meet our desired security level. Moreover, we clarify a small yet important detail in the
state-of-the-art privacy definition. Our work allows to deploy this primitive in more and different scenarios
Rethinking Privacy for Extended Sanitizable Signatures and a Black-Box Construction of Strongly Private Schemes
Sanitizable signatures, introduced by Ateniese et al. at ESORICS\u2705, allow to issue a signature on a message where certain predefined message blocks may later be changed (sanitized) by some dedicated party (the sanitizer) without invalidating the original signature. With sanitizable signatures, replacements for modifiable (admissible) message blocks can be chosen arbitrarily by the sanitizer. However, in various scenarios this makes sanitizers too powerful. To reduce the sanitizers power, Klonowski and Lauks at ICISC\u2706 proposed (among others) an extension that enables the signer to limit the allowed modifications per admissible block to a well defined set each. At CT-RSA\u2710 Canard and Jambert then extended the formal model of Brzuska et al. from PKC\u2709 to additionally include the aforementioned and other extensions. We, however, observe that the privacy guarantees of their model do not capture privacy in the sense of the original definition of sanitizable signatures. That is, if a scheme is private in this model it is not guaranteed that the sets of allowed modifications remain concealed. To this end, we review a stronger notion of privacy, i.e., (strong) unlinkability (defined by Brzuska et al. at EuroPKI\u2713), in this context. While unlinkability fixes this problem, no efficient unlinkable scheme supporting the aforementioned extensions exists and it seems to be hard to construct such schemes. As a remedy, in this paper, we propose a notion stronger than privacy, but weaker than unlinkability, which captures privacy in the original sense. Moreover, it allows to easily construct efficient schemes satisfying our notion from secure existing schemes in a black-box fashion
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys
In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties which were formalized by Brzuska et al.~(PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations.
Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient -protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes
Practical Strongly Invisible and Strongly Accountable Sanitizable Signatures
Sanitizable signatures are a variant of digital signatures where a designated party (the sanitizer) can
update admissible parts of a signed message. At PKC’17, Camenisch et al. introduced the notion of invisible
sanitizable signatures that hides from an outsider which parts of a message are admissible. Their security definition of
invisibility, however, does not consider dishonest signers. Along the same lines, their signer-accountability definition
does not prevent the signer from falsely accusing the sanitizer of having issued a signature on a sanitized message
by exploiting the malleability of the signature itself. Both issues may limit the usefulness of their scheme in certain
applications.
We revise their definitional framework, and present a new construction eliminating these shortcomings. In contrast
to Camenisch et al.’s construction, ours requires only standard building blocks instead of chameleon hashes with
ephemeral trapdoors. This makes this, now even stronger, primitive more attractive for practical use. We underpin
the practical efficiency of our scheme by concrete benchmarks of a prototype implementation
Protean Signature Schemes
We introduce the notion of Protean Signature schemes. This novel type of signature scheme allows to
remove and edit signer-chosen parts of signed messages by a semi-trusted third party simultaneously. In existing
work, one is either allowed to remove or edit parts of signed messages, but not both at the same time. Which and
how parts of the signed messages can be modified is chosen by the signer. Thus, our new primitive generalizes both
redactable (Steinfeld et al., ICISC \u2701, Johnson et al., CT-RSA \u2702 & Brzuska et al., ACNS\u2710) and sanitizable
signatures schemes (Ateniese et al., ESORICS \u2705 & Brzuska et al., PKC\u2709). We showcase a scenario where either
primitive alone is not sufficient. Our provably secure construction (offering both strong notions of transparency and
invisibility) makes only black-box access to sanitizable and redactable signature schemes, which can be considered
standard tools nowadays. Finally, we have implemented our scheme; Our evaluation shows that the performance is
reasonable
Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications
A chameleon-hash behaves likes a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; Rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice
Chameleon-Hashes with Ephemeral Trapdoors And Applications to Invisible Sanitizable Signatures
A chameleon-hash function is a hash function that involves a trapdoor the knowledge of which allows one to find arbitrary collisions in the domain of the function. In this paper, we introduce the notion of chameleon-hash functions with ephemeral trapdoors. Such hash functions feature additional, i.e., ephemeral, trapdoors which are chosen by the party computing a hash value. The holder of the main trapdoor is then unable to find a second pre-image of a hash value unless also provided with the ephemeral trapdoor used to compute the hash value. We present a formal security model for this new primitive as well as provably secure instantiations. The first instantiation is a generic black-box construction from any secure chameleon-hash function. We further provide three direct constructions based on standard assumptions. Our new primitive has some appealing use-cases, including a solution to the long-standing open problem of invisible sanitizable signatures, which we also present
On Structural Signatures for Tree Data Structures
Abstract. In this paper, we present new attacks on the redactable signature scheme introduced by Kundu and Bertino at VLDB '08. This extends the work done by Brzuska et al. at ACNS '10 and Samelin et al. at ISPEC '12. The attacks address unforgeability, transparency and privacy. Based on the ideas of Kundu and Bertino, we introduce a new provably secure construction. The corresponding security model is more flexible than the one introduced by Brzuska et al. Moreover, we have implemented schemes introduced by Brzuska et al. and Kundu and Bertino. The evaluation shows that schemes with a quadratic complexity become unuseable very fast
Fully Invisible Protean Signatures Schemes
Protean Signatures (PS), recently introduced by Krenn et al. (CANS \u2718), allow a semi-trusted third party, named the sanitizer, to modify a signed message in a controlled way.
The sanitizer can
edit signer-chosen parts to arbitrary bitstrings, while the sanitizer can also redact
admissible parts, which are also chosen by the signer. Thus, PSs generalize both redactable signature (RSS) and sanitizable signature (SSS)
into a single notion.
However, the current definition of invisibility does not prohibit that an outsider can decide which
parts of a message are redactable - only which parts can be edited are hidden. This negatively
impacts on the privacy guarantees provided by the state-of-the-art definition.
We extend PSs to be fully invisible.
This strengthened notion guarantees that an outsider can neither decide which parts of a message can be edited nor which
parts can be redacted. To achieve our goal, we introduce the new notions of Invisible RSSs and Invisible Non-Accountable SSSs (SSS\u27), along with a consolidated framework for aggregate signatures.
Using those building blocks, our resulting construction is significantly
more efficient than the original scheme by Krenn et al., which we demonstrate in a prototypical implementation