An Identity-Based Group Signature with Membership Revocation in the Standard Model

Group signatures allow group members to sign an arbitrary number\ud of messages on behalf of the group without revealing their\ud identity. Under certain circumstances the group manager holding a\ud tracing key can reveal the identity of the signer from the\ud signature. Practical group signature schemes should support\ud membership revocation where the revoked member loses the\ud capability to sign a message on behalf of the group without\ud influencing the other non-revoked members. A model known as\ud \emph{verifier-local revocation} supports membership revocation.\ud In this model the trusted revocation authority sends revocation\ud messages to the verifiers and there is no need for the trusted\ud revocation authority to contact non-revoked members to update\ud their secret keys. Previous constructions of verifier-local\ud revocation group signature schemes either have a security proof in the\ud random oracle model or are non-identity based. A security proof\ud in the random oracle model is only a heuristic proof and\ud non-identity-based group signature suffer from standard Public Key\ud Infrastructure (PKI) problems, i.e. the group public key is not\ud derived from the group identity and therefore has to be certified.\ud \ud \ud In this work we construct the first verifier-local revocation group\ud signature scheme which is identity-based and which has a security proof in the standard model. In\ud particular, we give a formal security model for the proposed\ud scheme and prove that the scheme has the\ud property of selfless-anonymity under the decision Linear (DLIN)\ud assumption and it is fully-traceable under the\ud Computation Diffie-Hellman (CDH) assumption. The proposed scheme is based on prime order bilinear\ud groups

Rethinking Privacy for Extended Sanitizable Signatures and a Black-Box Construction of Strongly Private Schemes

Sanitizable signatures, introduced by Ateniese et al. at ESORICS\u2705, allow to issue a signature on a message where certain predefined message blocks may later be changed (sanitized) by some dedicated party (the sanitizer) without invalidating the original signature. With sanitizable signatures, replacements for modifiable (admissible) message blocks can be chosen arbitrarily by the sanitizer. However, in various scenarios this makes sanitizers too powerful. To reduce the sanitizers power, Klonowski and Lauks at ICISC\u2706 proposed (among others) an extension that enables the signer to limit the allowed modifications per admissible block to a well defined set each. At CT-RSA\u2710 Canard and Jambert then extended the formal model of Brzuska et al. from PKC\u2709 to additionally include the aforementioned and other extensions. We, however, observe that the privacy guarantees of their model do not capture privacy in the sense of the original definition of sanitizable signatures. That is, if a scheme is private in this model it is not guaranteed that the sets of allowed modifications remain concealed. To this end, we review a stronger notion of privacy, i.e., (strong) unlinkability (defined by Brzuska et al. at EuroPKI\u2713), in this context. While unlinkability fixes this problem, no efficient unlinkable scheme supporting the aforementioned extensions exists and it seems to be hard to construct such schemes. As a remedy, in this paper, we propose a notion stronger than privacy, but weaker than unlinkability, which captures privacy in the original sense. Moreover, it allows to easily construct efficient schemes satisfying our notion from secure existing schemes in a black-box fashion

Stronger Security for Sanitizable Signatures

Sanitizable signature schemes (SSS) enable a designated party (called the sanitizer ) to alter admissible blocks of a signed message. This primitive can be used to remove or alter sensitive data from already signed messages without involvement of the original signer. Current state-of-the-art security definitions of SSSs only dene a \weak form of security. Namely, the unforgeability, accountability and transparency definitions are not strong enough to be meaningful in certain use-cases. We identify some of these use-cases, close this gap by introducing stronger definitions, and show how to alter an existing construction to meet our desired security level. Moreover, we clarify a small yet important detail in the state-of-the-art privacy definition. Our work allows to deploy this primitive in more and different scenarios

Unlinkable Policy-based Sanitizable Signatures

In CT-RSA 2020, P3S was proposed as the first policy-based sanitizable signature scheme which allows the signer to designate future message sanitizers by defining an access policy relative to their attributes rather than their keys. However, since P3S utilizes a policy-based chameleon hash (PCH), it does not achieve unlinkability which is a required notion in privacy-preserving applications. Moreover, P3S requires running a procedure to share the secret trapdoor information for PCH with each new sanitizer before sanitizing a new message. We further observe that in order to maintain the transparency in P3S’s multiple-sanitizers setting, the signature size should grow linearly with the number of sanitizers. In this work, we propose an unlinkable policy-based sanitizable signature scheme (UP3S) where we employ a rerandomizable digital signature scheme and a traceable attribute-based signature scheme as its building blocks. Compared to P3S, UP3S achieves unlinkability, does not require new secrets to be shared with future sanitizers prior to sanitizing each message, and has a fixed signature size for a given sanitization policy. We define and formally prove the security notions of the generic scheme, propose an instantiation of UP3S utilizing the Pointcheval-Sanders rerandomizable signature scheme and DTABS traceable attribute-based signature scheme, and analyze its efficiency. Finally, we compare UP3S with P3S in terms of the features of the procedures, scalability, and security models

Towards secure end-to-end data aggregation in AMI through delayed-integrity-verification

The integrity and authenticity of the energy usage data in Advanced Metering Infrastructure (AMI) is crucial to ensure the correct energy load to facilitate generation, distribution and customer billing. Any malicious tampering to the data must be detected immediately. This paper introduces secure end-to-end data aggregation for AMI, a security protocol that allows the concentrators to securely aggregate the data collected from the smart meters, while enabling the utility back-end that receives the aggregated data to verify the integrity and data originality. Compromise of concentrators can be detected. The aggregated data is protected using Chameleon Signatures and then forwarded to the utility back-end for verification, accounting, and analysis. Using the Trapdoor Chameleon Hash Function, the smart meters can periodically send an evidence to the utility back-end, by computing an alternative message and a random value (m', r) such that m' consists of all previous energy usage measurements of the smart meter in a specified period of time. By verifying that the Chameleon Hash Value of (m', r) and that the energy usage matches those aggregated by the concentrators, the utility back-end is convinced of the integrity and authenticity of the data from the smart meters. Any data anomaly between smart meters and concentrators can be detected, thus indicating potential compromise of concentrators

Sanitizable signatures with strong transparency in the standard model

Sanitizable signatures provide several security features which are useful in many scenarios including military and medical applications. Sanitizable signatures allow a semi-trusted party to update some part of the digitally signed document without interacting with the original signer. Such schemes, where the verifer cannot identify whether the message has been sanitized, are said to possess strong transparency. In this paper, we have described the first efficient and provably secure sanitizable signature scheme having strong transparency under the standard model

Editing-enabled signatures: A new tool for editing authenticated data

tru

Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications

A chameleon-hash behaves likes a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; Rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice

Practical Strongly Invisible and Strongly Accountable Sanitizable Signatures

Sanitizable signatures are a variant of digital signatures where a designated party (the sanitizer) can update admissible parts of a signed message. At PKC’17, Camenisch et al. introduced the notion of invisible sanitizable signatures that hides from an outsider which parts of a message are admissible. Their security definition of invisibility, however, does not consider dishonest signers. Along the same lines, their signer-accountability definition does not prevent the signer from falsely accusing the sanitizer of having issued a signature on a sanitized message by exploiting the malleability of the signature itself. Both issues may limit the usefulness of their scheme in certain applications. We revise their definitional framework, and present a new construction eliminating these shortcomings. In contrast to Camenisch et al.’s construction, ours requires only standard building blocks instead of chameleon hashes with ephemeral trapdoors. This makes this, now even stronger, primitive more attractive for practical use. We underpin the practical efficiency of our scheme by concrete benchmarks of a prototype implementation

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys

In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties which were formalized by Brzuska et al.~(PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations. Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient $\Sigma$-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes