[PPT] - Delegatable Functional Signatures Michael Backes, Sebastian Meiser , PowerPoint Presentation

SLIDE 1

Michael Backes, Sebastian Meiser, Dominique Schröder

Delegatable Functional Signatures

Public Key Cryptography, March 7, 2016, Taipei

SLIDE 2 We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

What is a malleable Signature?

1 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer)

Alice signs a message with her secret key.
Public verifiability means:

a) Alice signed the message, or b) Alice signed the message and the message has been modified, s.t. …

… the resulting message still is in some relation to the signed message.
… all operations performed on the message were “valid”.

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Alice signed this message!

SLIDE 3

What is a malleable Signature?

2 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer)

Alice signs a message with her secret key.
Public verifiability means:

a) Alice signed the message, or b) Alice signed the message and the message has been modified, s.t. …

… the resulting message still is in some relation to the signed message.
… all operations performed on the message were “valid”.

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Alice signed… some related message..?!

SLIDE 4

(Malleable) Signature Primitives

3 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Proxy Signatures Functional Digital Signatures Policy-based Signatures Homomorphic Signatures Redactable Signatures Sanitizable Signatures PKC’15 Goal: Generalization and simplification of primitives and notions Classical Signatures Rerandomizable Signatures Identity-based Signatures Blind Signatures [BGI] [BF]

SLIDE 5

Alice signs a message and chooses how the message can be modified by which

evaluator (Bob) and decides what Bob can further delegate, if at all.

Bob modifies the message/signature pair, chooses how it can be further

modified and by whom (Charlie).

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technically, DFS unify several seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

Delegatable Functional Signatures

4 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer) Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technically, DFS unify several seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝑞𝑙

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technically, DFS unify several seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝑞𝑙 Alice signed this message

r allowed it!

𝒈

𝑛, 𝜏 𝒈′

SLIDE 6

Alice signs a message and chooses how the message can be modified by which

evaluator (Bob) and decides what Bob can further delegate, if at all.

Bob modifies the message/signature pair, chooses how it can be further

modified and by whom (Charlie).

Delegatable Functional Signatures

5 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer) Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technically, DFS unify several seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations. We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations. We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝜷

𝒈

SLIDE 7

Alice signs a message and chooses how the message can be modified by which

evaluator (Bob) and decides what Bob can further delegate, if at all.

Bob modifies the message/signature pair, chooses how it can be further

modified and by whom (Charlie).

Delegatable Functional Signatures

6 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer) Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technically, DFS unify several seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations. We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝑞𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝑞𝑙′

𝒈′ 𝑛′, 𝜏′ 𝑛′′, 𝜏′′

SLIDE 8

Alice signs a message and chooses how the message can be modified by which

evaluator (Bob) and decides what Bob can further delegate, if at all.

Bob modifies the message/signature pair, chooses how it can be further

modified and by whom (Charlie).

Delegatable Functional Signatures

7 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer) Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from one-way permutations.

𝜷

SLIDE 9

Alice signs a message and chooses how the message can be modified by which

evaluator (Bob) and decides what Bob can further delegate, if at all.

Bob modifies the message/signature pair, chooses how it can be further

modified and by whom (Charlie).

Delegatable Functional Signatures

8 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Alice (original signer) Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its

capabilities. Technically, DFS unify several

seemingly different signature primitives, including functional signatures and policy-based signatures (PKC'14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiability of DFS with respect to the corresponding security notions of unforgeability and privacy. On the positive side we show that privacy-free DFS can be constructed from

ne-way

functions. Furthermore, we show that unforgeable and private DFS can be constructed from doubly- enhanced trapdoor permutations. On the negative side we show that the previous result is

ptimal regarding its underlying assumptions

presenting an impossibility result for unforgeable private DFS from

ne-way

permutations.

Alice signed this message

r allowed it!

𝑛′′, 𝜏′′

SLIDE 10

Overview

Functionality and capabilities
Security notions:
Types of adversaries
Unforgeability
Privacy
Instantiability:
Privacy-free from one-way functions
Impossibility from one-way functions
Possibility from trapdoor permutations

9 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

SLIDE 11

Functionalities and their Transitive Closure

A functionality 𝐺 is a function: 𝐺 𝒈, 𝜷, 𝑞𝑙𝑓𝑤𝑏𝑚, 𝑛 → (𝒈′, 𝑛′)
Transitive Closure 𝐺∗ for 𝑛 and 𝒈 with respect to the functionality 𝐺:
For 𝑜 = 0: 𝐺0 𝒈, 𝑛 ≔

𝒈, 𝑛

For 𝑜 > 0: 𝐺𝑜 𝒈, 𝑛 ≔

𝒈, 𝑛 𝐺𝑜−1 𝐺 𝒈, 𝜷, 𝑞𝑙𝑓𝑤𝑏𝑚, 𝑛

𝜷,𝑞𝑙𝑓𝑤𝑏𝑚

𝐺∗ 𝒈, 𝑛 ≔ 𝐺𝑗 𝒈, 𝑛

∞ 𝑗=0

10 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Evaluator capabilities Evaluator input Key of next evaluator Message Modified Message Delegated capabilities

𝑞𝑙

SLIDE 12

Overview

Functionality and capabilities
Security notions:
Types of adversaries
Unforgeability
Privacy
Instantiability:
Privacy-free from one-way functions
Impossibility from one-way functions
Possibility from trapdoor permutations

11 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

SLIDE 13

Security Notions – Adversaries

Three different types of adversaries:
Outsider:
Access to an oracle for public evaluator keys.
No access to secret evaluator keys.
Insider:
Access to an oracle for public evaluator keys.
Access to an oracle for secret evaluator keys.
Strong Insider:
Access to an oracle for public evaluator keys.
Access to an oracle for secret evaluator keys.
Can register its own secret evaluator keys.

12 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Secret Evaluator Key(s):

SLIDE 14

Unforgeability – Intuition

The adversary can request message/signature

pairs; fresh ones as well as modified ones.

The adversary should not be able to generate

valid (verifying) message/signature pairs that are not allowed by the signer.

All “forgeries” that were allowed by the signer,

modified by legitimate evaluators or by the adversary (if delegated to it) are discarded.

13 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

𝑛∗, 𝜏∗ 𝑛, 𝜏 → 𝑛′, 𝜏′ ∀ 𝑛, 𝒈 𝑝𝑔 , ∀𝒈. 𝑛∗, 𝒈 ∉ 𝐺∗ 𝒈, 𝑛

SLIDE 15

Unforgeability – Oracles

14 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Sign Oracle

𝑛, 𝒈, 𝑞𝑙 𝜏 = 𝑇𝑗𝑕 𝑡𝑙 , 𝑞𝑙 , 𝑛, 𝒈

Eval Oracle

𝑞𝑙 , 𝜷, 𝑛, 𝑞𝑙 , 𝜏 𝜏′ = 𝑇𝑗𝑕 𝑡𝑙 , 𝑞𝑙 , 𝛽, 𝑛, 𝑞𝑙 , 𝜏

KGenP Oracle

𝑞𝑙

Outsider KGenS Oracle

𝑡𝑙 , 𝑞𝑙

(weak) Insider RegKey

𝑡𝑙 , 𝑞𝑙

(strong) Insider

SLIDE 16

Privacy (under Chosen Function Attacks) – Intuition

The adversary should be unable

to distinguish a signature that has been modified from a fresh signature for the same message.

Conditions and Exceptions:
The message (𝑛’’) has to be

the same.

The capabilities (𝒈’’) have to

be the same.

Each evaluator may learn

something about the previous party in the line (for verifying the previous step).

15 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

≈

𝑛, 𝜏

𝒈

𝑛′′, 𝜏′′

𝒈′′ 𝒈′′

→ 𝑛′′, 𝜏′′

𝒈′

→ 𝑛′, 𝜏′

SLIDE 17

Privacy – Reminder of the Oracles

16 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Sign Oracle

𝑛, 𝒈, 𝑞𝑙 𝜏 = 𝑇𝑗𝑕 𝑡𝑙 , 𝑞𝑙 , 𝑛, 𝒈

Eval Oracle

𝑞𝑙 , 𝜷, 𝑛, 𝑞𝑙 , 𝜏 𝜏′ = 𝑇𝑗𝑕 𝑡𝑙 , 𝑞𝑙 , 𝛽, 𝑛, 𝑞𝑙 , 𝜏

KGenP Oracle

𝑞𝑙

Outsider KGenS Oracle

𝑡𝑙 , 𝑞𝑙

(weak) Insider RegKey

𝑡𝑙 , 𝑞𝑙

(strong) Insider

SLIDE 18

Privacy –Privacy Oracle

17 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Privacy Oracle

if Vf 𝑞𝑙 , 𝑞𝑙𝑓𝑤 0 , 𝑛0, 𝜏0 ≠ 1:

utput ⊥

extract 𝒈𝟏 from 𝜏0 using 𝑡𝑙𝑓𝑤

∗

for 𝑗 ∈ 1, … , 𝑢 :

𝒈𝒋, 𝑛𝑗 ≔ 𝐺 𝒈𝒋−𝟐, 𝜷 𝒋 , 𝑞𝑙𝑓𝑤 𝑗 , 𝑛𝑗−1
𝜏𝑗 ← 𝐹𝑤𝑏𝑚𝐺 …

if 𝒄 = 𝟏: 𝜏 ← 𝑇𝑗𝑕(𝑡𝑙 , 𝑛 𝑞𝑙𝑓𝑤 𝑢 , 𝒈𝒖, 𝑛𝑢) if 𝒄 = 𝟐: 𝜏 ≔ 𝜏𝑢

𝒄 𝑞𝑙𝑓𝑤, 𝜷 𝑢 0, 𝑢, 𝑛0, 𝜏0

𝑛0, 𝜏0

If for any key 𝑞𝑙𝑓𝑤 𝑗 no pair 𝑡𝑙𝑓𝑤 𝑗 , 𝑞𝑙𝑓𝑤 𝑗 is known:

utput ⊥

Add 𝑞𝑙𝑓𝑤 𝑢 to a set of tainted keys.

KGenP Oracle

𝑞𝑙

RegKey

𝑡𝑙 , 𝑞𝑙

KGenS Oracle

𝑡𝑙 , 𝑞𝑙

honest

Handle key s Check 𝜏 Modify 𝜏 Output 𝜏

SLIDE 19

Privacy –Privacy Oracle

18 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Privacy Oracle

if Vf 𝑞𝑙 , 𝑞𝑙𝑓𝑤 0 , 𝑛0, 𝜏0 ≠ 1:

utput ⊥

extract 𝒈𝟏 from 𝜏0 using 𝑡𝑙𝑓𝑤

∗

for 𝑗 ∈ 1, … , 𝑢 :

𝒈𝒋, 𝑛𝑗 ≔ 𝐺 𝒈𝒋−𝟐, 𝜷 𝒋 , 𝑞𝑙𝑓𝑤 𝑗 , 𝑛𝑗−1
𝜏𝑗 ← 𝐹𝑤𝑏𝑚𝐺 …

if 𝒄 = 𝟏: 𝜏 ← 𝑇𝑗𝑕(𝑡𝑙 , 𝑛 𝑞𝑙𝑓𝑤 𝑢 , 𝒈𝒖, 𝑛𝑢) if 𝒄 = 𝟐: 𝜏 ≔ 𝜏𝑢

𝒄 𝑞𝑙𝑓𝑤, 𝜷 𝑢 0, 𝑢, 𝑛0, 𝜏0

𝑛0, 𝜏0

If for any key 𝑞𝑙𝑓𝑤 𝑗 no pair 𝑡𝑙𝑓𝑤 𝑗 , 𝑞𝑙𝑓𝑤 𝑗 is known:

utput ⊥

Add 𝑞𝑙𝑓𝑤 𝑢 to a set of tainted keys. Handle key s Check 𝜏 Modify 𝜏 Output 𝜏

SLIDE 20

Privacy –Privacy Oracle

19 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Privacy Oracle

if Vf 𝑞𝑙 , 𝑞𝑙𝑓𝑤 0 , 𝑛0, 𝜏0 ≠ 1:

utput ⊥

extract 𝒈𝟏 from 𝜏0 using 𝑡𝑙𝑓𝑤

∗

for 𝑗 ∈ 1, … , 𝑢 :

𝒈𝒋, 𝑛𝑗 ≔ 𝐺 𝒈𝒋−𝟐, 𝜷 𝒋 , 𝑞𝑙𝑓𝑤 𝑗 , 𝑛𝑗−1
𝜏𝑗 ← 𝐹𝑤𝑏𝑚𝐺 …

if 𝒄 = 𝟏: 𝜏 ← 𝑇𝑗𝑕(𝑡𝑙 , 𝑛 𝑞𝑙𝑓𝑤 𝑢 , 𝒈𝒖, 𝑛𝑢) if 𝒄 = 𝟐: 𝜏 ≔ 𝜏𝑢

𝒄 𝑞𝑙𝑓𝑤, 𝜷 𝑢 0, 𝑢, 𝑛0, 𝜏0

𝑛0, 𝜏0 𝑛0, 𝜏0 → 𝑛1, 𝜏1 → … → 𝑛𝑢, 𝜏𝑢 𝒈𝟏 𝜷𝟐 𝒈𝟐 𝜷𝟑 𝒈𝒖−𝟐 𝜷𝒖

If for any key 𝑞𝑙𝑓𝑤 𝑗 no pair 𝑡𝑙𝑓𝑤 𝑗 , 𝑞𝑙𝑓𝑤 𝑗 is known:

utput ⊥

Add 𝑞𝑙𝑓𝑤 𝑢 to a set of tainted keys. Handle key s Check 𝜏 Modify 𝜏 Output 𝜏

SLIDE 21

Privacy –Privacy Oracle

20 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Privacy Oracle

if Vf 𝑞𝑙 , 𝑞𝑙𝑓𝑤 0 , 𝑛0, 𝜏0 ≠ 1:

utput ⊥

extract 𝒈𝟏 from 𝜏0 using 𝑡𝑙𝑓𝑤

∗

for 𝑗 ∈ 1, … , 𝑢 :

𝒈𝒋, 𝑛𝑗 ≔ 𝐺 𝒈𝒋−𝟐, 𝜷 𝒋 , 𝑞𝑙𝑓𝑤 𝑗 , 𝑛𝑗−1
𝜏𝑗 ← 𝐹𝑤𝑏𝑚𝐺 …

if 𝒄 = 𝟏: 𝜏 ← 𝑇𝑗𝑕(𝑡𝑙 , 𝑛 𝑞𝑙𝑓𝑤 𝑢 , 𝒈𝒖, 𝑛𝑢) if 𝒄 = 𝟐: 𝜏 ≔ 𝜏𝑢

𝒄 𝑞𝑙𝑓𝑤, 𝜷 𝑢 0, 𝑢, 𝑛0, 𝜏0 𝜏

𝑛0, 𝜏0 𝑛0, 𝜏0 → 𝑛1, 𝜏1 → … → 𝑛𝑢, 𝜏𝑢 𝒈𝟏 𝜷𝟐 𝒈𝟐 𝜷𝟑 𝒈𝒖−𝟐 𝜷𝒖

If for any key 𝑞𝑙𝑓𝑤 𝑗 no pair 𝑡𝑙𝑓𝑤 𝑗 , 𝑞𝑙𝑓𝑤 𝑗 is known:

utput ⊥

Add 𝑞𝑙𝑓𝑤 𝑢 to a set of tainted keys. Handle key s Check 𝜏 Modify 𝜏 Output 𝜏

SLIDE 22

Overview

Functionality and capabilities
Security notions:
Types of adversaries
Unforgeability
Privacy
Instantiability:
Privacy-free from one-way functions
Impossibility from one-way functions
Possibility from trapdoor permutations

21 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

SLIDE 23

Instantiation from OWF (without Privacy)

22 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations. We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

Alice (original signer)

Idea: authentication chain

Alice signs a message and a functionality with her secret key.
Bob appends his changes and signs them (and the message/signature upon

which they are based) with his secret key.

Charlie appends his changes and signs them (and the message/signature

upon which they are based) with his secret key.

Requires:

ne-way functions

SLIDE 24

Instantiation from OWF (without Privacy)

23 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

Alice (original signer)

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Idea: authentication chain

Alice signs a message and a functionality with her secret key.
Bob appends his changes and signs them (and the message/signature upon

which they are based) with his secret key.

Charlie appends his changes and signs them (and the message/signature

upon which they are based) with his secret key.

Requires:

ne-way functions

SLIDE 25

Instantiation from OWF (without Privacy)

24 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with respect to the cor responding security noti ons of unforgeability and pri vacy. On the positi ve side we show that pri vacy-fr ee D FS can be constructed from

ne- way

functions. Further more, we show that unforgeable and pri vate DFS can be constructed from doubl y- enhanced tr apdoor per mutations. On the negative si de we show that the previ ous result is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations.

Bob Inc. (evaluator)

𝑡𝑙

Charlie Ltd. (evaluator)

𝑡𝑙′

Alice (original signer)

We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. Technicall y, DFS unify several seemingl y different signature pri miti ves, i ncluding functional signatures and poli cy-based signatures (PKC '14), sanitizable signatures, identity based signatures, and blind signatures. We characterize the instantiabil ity of DFS with is opti mal regarding its underl ying assumptions presenting an i mpossibility result for unforgeable pri vate DFS from

ne- way

permutations. We introduce del egatable functi onal signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionali ty F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input, and decide how the evaluator can further delegate its capabilities. permutations.

Idea: authentication chain

Alice signs a message and a functionality with her secret key.
Bob appends his changes and signs them (and the message/signature upon

which they are based) with his secret key.

Charlie appends his changes and signs them (and the message/signature

upon which they are based) with his secret key.

Requires:

ne-way functions

SLIDE 26

Impossibility with Privacy

Idea: We construct blind signatures from DFS using black-box techniques.
Blind signatures cannot be constructed from one-way permutations using

black-box techniques [KSY – TCC’11].

Functionality:

𝐺𝐷 𝟐, 𝜷, 𝑞𝑙𝑣𝑡𝑓𝑠, 𝑛 ≔ (𝟏, 𝑃𝑞𝑓𝑜 𝜷, 𝑛 )

25 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Construction from

ne-way permutations

is impossible. 𝑑, 𝑦 ≔ 𝐷𝑝𝑛𝑛𝑗𝑢(𝑛)

Signer

𝑡𝑙

User

𝑡𝑙

𝑑 𝜏 ← 𝑇𝑗𝑕(𝑡𝑙 , 𝑞𝑙 , 1, 𝑑) 𝜏 𝜏′ ← 𝐹𝑤𝑏𝑚𝐺𝐷 (𝑡𝑙 , 𝑞𝑙 , 𝑦, 𝜏)

commitment

n m

signature on m signature on c

𝐷𝑝𝑛𝑛𝑗𝑢(𝑛), 𝜏0 → 𝑛, 𝜏1

SLIDE 27

Instantiation from trapdoor permutations

Idea: Encrypt and prove.
Each evaluator verifies the signature of the previous party.
Encrypt the transcript of all signatures (pre-allocate enough space).
Zero Knowledge proofs that the signature chain is valid.

26 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

𝒈𝟏, 𝝉𝟏

(max) allowed delegations

ZK

Construction from trapdoor permutations.

SLIDE 28

Instantiation from trapdoor permutations

Idea: Encrypt and prove.
Each evaluator verifies the signature of the previous party.
Encrypt the transcript of all signatures (pre-allocate enough space).
Zero Knowledge proofs that the signature chain is valid.

27 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

𝒈𝟏, 𝝉𝟏 𝒈𝟐, 𝝉𝟐

(max) allowed delegations

ZK

Construction from trapdoor permutations.

SLIDE 29

Instantiation from trapdoor permutations

Idea: Encrypt and prove.
Each evaluator verifies the signature of the previous party.
Encrypt the transcript of all signatures (pre-allocate enough space).
Zero Knowledge proofs that the signature chain is valid.

28 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

𝒈𝟏, 𝝉𝟏 𝒈𝟐, 𝝉𝟐 𝒈𝟑, 𝝉𝟑 𝒈𝟒, 𝝉𝟒

ZK

Construction from trapdoor permutations.

SLIDE 30

Open Problems

Construction for unbounded number of delegations
Efficient Construction
Signatures with constant size

29 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

SLIDE 31

Open Problems

30 Delegatable Functional Signatures – PKC 2016 – Sebastian Meiser

Delegatable Functional Signatures Michael Backes, Sebastian Meiser , - - PowerPoint PPT Presentation

Delegatable Functional Signatures

𝑛, 𝜏 𝒈′

𝜷

𝒈′ 𝑛′, 𝜏′ 𝑛′′, 𝜏′′

𝜷

𝑛′′, 𝜏′′

𝑛∗, 𝜏∗ 𝑛, 𝜏 → 𝑛′, 𝜏′ ∀ 𝑛, 𝒈 𝑝𝑔 , ∀𝒈. 𝑛∗, 𝒈 ∉ 𝐺∗ 𝒈, 𝑛

≈

𝑛, 𝜏

𝑛′′, 𝜏′′

𝒈′′ 𝒈′′

→ 𝑛′′, 𝜏′′

𝒈′

→ 𝑛′, 𝜏′

Thank you for your attention!

Questions?