efficient redactable signature and application to
play

Efficient Redactable Signature and Application to Anonymous - PowerPoint PPT Presentation

Sep 01, 2023 •93 likes •437 views

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020 Context PKC 2020 p 2 Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address

  1. Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020

  2. Context PKC 2020 – p 2

  3. Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address σ Sign sk not even one bit can be modified PKC 2020 – p 3

  4. Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address σ 0 / 1 Verif pk verification requires knowledge of all signed data PKC 2020 – p 3

  5. Limits of Digital Signature Use Case: One just needs to verify that age ≥ 18 � Efficiency: ✗ ( n messages to send) � Privacy: ✗ (reveals all signed data to the verifier) How to efficiently and privately check that k out of n messages are certified or satisfy some relations? Standard Alternatives: � Alternative 1: 1 signature per message − Efficiency: ∼ ( n signatures to store) − Privacy: ➚ PKC 2020 – p 4

  6. Limits of Digital Signature � Alternative 2: Merkle’s tree − Efficiency: ➚ ( log ( n ) elements to send) − Privacy: ∼ (prevents zero-knowledge proofs) � Alternative 3: proof of knowledge of the n messages − Efficiency: ➘ − Privacy: � ⇒ no satisfying solution PKC 2020 – p 5

  7. Accumulators Solution from [FHS19] 1 ... Name Birthdate Address Sign σ Acc C sk messages are accumulated and then signed 1 Fuchsbauer, Hanser and Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials , Journal of Cryptology, 2019 PKC 2020 – p 6

  8. Accumulators Solution from [FHS19] 1 ... Name Birthdate Address Open σ W C a witness W that “birthdate” has been accumulated can be computed 1 Fuchsbauer, Hanser and Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials , Journal of Cryptology, 2019 PKC 2020 – p 6

  9. Accumulators Solution from [FHS19] 1 ... 0/1 Name Birthdate Address Open σ Verif W C pk 0/1 AccV Given C , W , σ , one can check that “birthdate” has been signed 1 Fuchsbauer, Hanser and Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials , Journal of Cryptology, 2019 PKC 2020 – p 6

  10. Accumulators Assessment of FHS solution (compared to basic signature): � Efficiency: � − O (1) certificate size − O (1) communication complexity 2 − O ( k ) verification complexity � Privacy: ∼ − the k messages must be disclosed, no ability to prove that they satisfy some relations ( e.g. age ≥ 18) ⇒ not fully satisfying 2 excluding the k disclosed messages PKC 2020 – p 7

  11. Unlinkable Redactable Signature Solution from [CDHK15] 3 ... Name Birthdate Address σ Sign sk 1 signature σ on all messages 3 Camenisch, Dubovitskaya, Haralambiev and Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions , Asiacrypt, 2015 PKC 2020 – p 8

  12. Unlinkable Redactable Signature Solution from [CDHK15] 3 ... Name Birthdate Address σ σ ′ Deriv pk a signature σ ′ can be derived on a subset of messages 3 Camenisch, Dubovitskaya, Haralambiev and Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions , Asiacrypt, 2015 PKC 2020 – p 8

  13. Unlinkable Redactable Signature Solution from [CDHK15] 3 ... Name Birthdate Address σ ′ Deriv pk 0/1 Verif no need to know the redacted messages to check σ ′ 3 Camenisch, Dubovitskaya, Haralambiev and Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions , Asiacrypt, 2015 PKC 2020 – p 8

  14. Unlinkable Redactable Signature Assessment of CDHK solution (compared to basic signature): � Efficiency: ➚ − O (1) certificate size − O (1) communication complexity 4 − very large constant − O ( k ) verification complexity � Privacy: ∼ − the k messages must be disclosed, no ability to prove that they satisfy some relations ( e.g. age ≥ 18) − derived signatures can be unlinkable ⇒ not fully satisfying PKC 2020 – p 9 4 excluding the k disclosed messages

  15. Our Contribution PKC 2020 – p 10

  16. Unlinkable Redactable Signature We want an unlinkable redactable signature scheme with: � Efficiency: − short, constant-size (derived) signatures − verification of k out of n messages in O ( k ) � Privacy: − unlinkability: to link signatures derived from the same σ is hard − relations about non-redacted messages can be proved in ZK PKC 2020 – p 11

  17. Pointcheval-Sanders Signature Our starting point: PS signature 5 � use asymmetric bilinear group e : G 1 × G 2 → G T � secret ( x , y 1 , . . . , y n ) and public X = g x , Y i = g y i in G 1 x + � n $ i =1 y i m i � a signature on ( m 1 , . . . , m n ) is � σ 1 ← G 2 and � σ 2 ← � σ 1 � verification: n � Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 designed to support proofs of knowledge of m i 5 Pointcheval and Sanders, Short Randomizable Signature , CT-RSA 16 PKC 2020 – p 12

  18. Pointcheval-Sanders Signature � Use Case: V wants to check that a subset { m i } i ∈I of messages is signed and/or satisfies some relations ⇒ messages { m i } i ∈I are redacted, with I = { 1 , . . . , n } \ I � Standard solution: − prove knowledge of redacted messages − reveal and/or prove relations about { m i } i ∈I ⇒ inefficient PKC 2020 – p 13

  19. A First Attempt � Verification of PS signatures: � n Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 PKC 2020 – p 14

  20. A First Attempt � Verification of PS signatures: � n Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 � � Y m i Y m i ? = e ( X , � σ 1 ) i i i ∈I i ∈I PKC 2020 – p 14

  21. A First Attempt � Verification of PS signatures: � n Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 � � Y m i Y m i ? = e ( X , � σ 1 ) i i i ∈I i ∈I � � ? Y m i Y m i = e ( X σ 1 , � σ 1 ) σ 1 = i i i ∈I i ∈I PKC 2020 – p 14

  22. A First Attempt � Verification of PS signatures: � n Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 � � Y m i Y m i ? = e ( X , � σ 1 ) i i i ∈I i ∈I � � ? Y m i Y m i = e ( X σ 1 , � σ 1 ) σ 1 = i i i ∈I i ∈I � m i 0 Y m i ? = e ( X σ 1 Y , � σ 1 ) i 0 i i ∈I\ i 0 � ( σ 1 , � σ 1 , � σ 2 ) is not a secure redactable signature on { m i } i ∈I : PKC 2020 – p 14

  23. A First Attempt � Verification of PS signatures: � n Y m i ? e ( g , � σ 2 ) = e ( X , � σ 1 ) i i =1 � � Y m i Y m i ? = e ( X , � σ 1 ) i i i ∈I i ∈I � � ? Y m i Y m i = e ( X σ 1 , � σ 1 ) σ 1 = i i i ∈I i ∈I � m i 0 Y m i ? = e ( X σ 1 Y , � σ 1 ) i 0 i i ∈I\ i 0 � m i 0 − t = e ( X σ ′ 1 Y t Y m i σ ′ ? , � σ 1 ) 1 = σ 1 Y i 0 i i 0 i ∈I\ i 0 � ( σ 1 , � σ 1 , � σ 2 ) is not a secure redactable signature on { m i } i ∈I : ( σ ′ 1 , � σ 1 , � σ 2 ) is valid on t and { m i } i ∈I\ i 0 PKC 2020 – p 14

  24. A Linkable Solution Problem: elements Y u i i , for i ∈ I , can be aggregated in σ 1 � solution 1: prove that σ 1 = � i ∈I Y m i i − inefficient (back to square 1) − overkill: prove more that what we need PKC 2020 – p 15

  25. A Linkable Solution Problem: elements Y u i i , for i ∈ I , can be aggregated in σ 1 � our solution: if σ 1 is honestly formed � g y i ) = e ( g , � g ) f ( y 1 ,..., y n ) e ( σ 1 , � i ∈I f only contains monomials y i · y j , for i � = j PKC 2020 – p 15

  26. A Linkable Solution Problem: elements Y u i i , for i ∈ I , can be aggregated in σ 1 � our solution: if σ 1 is forged � g ) f ( y 1 ,..., y n ) g y i ) = e ( g , � e ( σ 1 , � i ∈I f contains monomials y 2 i , i ∈ I � we add { g y i y j } i � = j in pk − sufficient to compute σ 2 = g f ( y 1 ,..., y n ) if σ 1 honestly formed − not sufficient to compute σ 2 = g f ( y 1 ,..., y n ) if σ 1 forged − “validity” of σ 1 can be checked: e ( σ 1 , � g y i ) ? i ∈I � = e ( σ 2 , � g ) PKC 2020 – p 15

  27. Achieving Unlinkability � Our redactable signature ( σ 1 , σ 2 , � σ 1 , � σ 2 ) is: − � constant size (4 group elements) − � O ( |I| ) complexity for verification − ✗ not unlinkable � ( � σ 1 , � σ 2 ) can be re-randomized but not ( σ 1 , σ 2 ) � We use a different approach: u i 0 − σ 2 only proves that σ 1 does not contain illicit elements { Y i 0 } i 0 ∈I − we can aggregate anything else in σ 1 PKC 2020 – p 16

  28. Achieving Unlinkability $ � Step 1: aggregate t ← Z p under dummy public key 1 σ ′′ σ t − � 2 ← � σ 2 · � 1 $ − re-randomize ( � σ ′ σ ′ σ r σ ′′ 2 ) r ), with r 2 ) ← ( � 1 , ( � ← Z p 1 , � σ ′ σ ′ ( � 1 , � 2 ) is valid on ( m 1 , . . . , m n , t ) PKC 2020 – p 17

  29. Achieving Unlinkability $ � Step 1: aggregate t ← Z p under dummy public key 1 σ ′′ σ t − � 2 ← � σ 2 · � 1 $ − re-randomize ( � σ ′ σ ′ σ r σ ′′ 2 ) r ), with r 2 ) ← ( � 1 , ( � ← Z p 1 , � σ ′ σ ′ ( � 1 , � 2 ) is valid on ( m 1 , . . . , m n , t ) � Step 2: redact { m i } i ∈I and t 1 = g t · � i ∈I Y m i − σ ′ i 2 ← ( � i ∈I Y i ) t � i ∈I , j ∈I ( g y i y j ) m j − σ ′ PKC 2020 – p 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Automated Application Signature Generation Using LASER and Cosine Similarity Byungchul Park, Jae

Automated Application Signature Generation Using LASER and Cosine Similarity Byungchul Park, Jae

Automated Application Signature Generation Using LASER and Cosine Similarity Byungchul Park, Jae Yoon Jung, John Strassner * , and James Won-ki Hong * {fates, dejavu94, johns, jwkhong}@postech.ac.kr Dept. of Computer Science and Engineering,

302 views • 17 slides
Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai

HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai

HMFEv - An Efficient Multivariate Signature Scheme Albrecht Petzoldt, Ming-Shing Chen, Jintai Ding, Bo-Yin Yang PQCrypto 2017 Utrecht, Netherlands A. Petzoldt HMFEv PQCrypto 2017 1 / 23 Outline Multivariate Cryptography 1 The HMFEv

575 views • 23 slides
Lithium isotopic signature of high temperature geothermal fluids in volcanic arc islands

Lithium isotopic signature of high temperature geothermal fluids in volcanic arc islands

Lithium isotopic signature of high temperature geothermal fluids in volcanic arc islands (Guadeloupe and Martinique, French West Indies): an efficient tool to constrain the rock nature of the reservoirs and their depth Bernard Sanjuan, Romain

88 views • 5 slides
Efficient ion blocking in gaseous detectors Efficient ion blocking in gaseous detectors and its

Efficient ion blocking in gaseous detectors Efficient ion blocking in gaseous detectors and its

Efficient ion blocking in gaseous detectors Efficient ion blocking in gaseous detectors and its application to and its application to and its application to and its application to visible visible- -sensitive gaseous photomultipliers

549 views • 20 slides
Efficient Local Search Application Examples Graph Coloring Traveling Salesman Problem Single

Efficient Local Search Application Examples Graph Coloring Traveling Salesman Problem Single

Outline DM811 HEURISTICS AND LOCAL SEARCH ALGORITHMS FOR COMBINATORIAL OPTIMZATION Lecture 8 1. Efficient Local Search Efficiency vs Effectiveness Efficient Local Search Application Examples Graph Coloring Traveling Salesman Problem

555 views • 7 slides
Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Presentation & Handwriting Policy Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson Date 24 th January 2018 Review date Jan 2020 1 Presentation 1 Book covers should indicate:

52 views • 4 slides
Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application

Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application

Saint-Malo, September 13th, 2015 Cryptographic Hardware and Embedded Systems Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design Rei Ueno 1 , Naofumi Homma 1 , Yukihiro Sugawara 1 ,

445 views • 26 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 ,

On the Security of Two-Round Multi-Signatures Manu Drijvers 1 , Kasra Edalatnejad 2 , Bryan Ford 2 , Eike Kiltz 3 , Julian Loss 3 , Gregory Neven 1 , Igors Stepanovs 4 1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD To appear at S&P 2019,

393 views • 27 slides
Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM

Digital Signatures for Flows and Multicasts by Chung Kei Wong and Simon S. Lam in IEEE/ACM Transactions on Networking , August 1999 Digital Signatures (Simon S. Lam) 1 3/8/2017 1 Digital Signature Examples: RSA, DSA Provide

1.17k views • 43 slides
G , G , T are finite cyclic groups of prime order p , where G = G and G = G

G , G , T are finite cyclic groups of prime order p , where G = G and G = G

S HORT S TRUCTURE -P RESERVING S IGNATURES Essam Ghadafi e.ghadafi@ucl.ac.uk Department of Computer Science, University College London CT-RSA 2016 S HORT S TRUCTURE -P RESERVING S IGNATURES O UTLINE B ACKGROUND 1 O UR S CHEME 2 E FFICIENCY C

529 views • 28 slides
Signing by hand ALICE Pay Bob $100 DIGITAL SIGNATURES COSMO ALICE Cosmo

Signing by hand ALICE Pay Bob $100 DIGITAL SIGNATURES COSMO ALICE Cosmo

Signing by hand ALICE Pay Bob $100 DIGITAL SIGNATURES COSMO ALICE Cosmo Alice Alice Bank =? no yes pay Bob Dont Mihir Bellare UCSD 1 Mihir Bellare UCSD 2 Signing electronically Signing electronically

629 views • 9 slides
Packet-Level Signatures for Smart Home Devices Rahmadi Trimananda, Janus Varmarken, Athina

Packet-Level Signatures for Smart Home Devices Rahmadi Trimananda, Janus Varmarken, Athina

Packet-Level Signatures for Smart Home Devices Rahmadi Trimananda, Janus Varmarken, Athina Markopoulou, and Brian Demsky Smart Home 2 Smart Home Smart Plugs 2 Smart Home Smart Plugs Light Bulbs 2 Smart Home Smart Plugs Light Bulbs

1.92k views • 146 slides
Sublinear Algorithms Lecture 26 Sofya Raskhodnikova Penn State University Thanks to Madhav Jha

Sublinear Algorithms Lecture 26 Sofya Raskhodnikova Penn State University Thanks to Madhav Jha

Sublinear Algorithms Lecture 26 Sofya Raskhodnikova Penn State University Thanks to Madhav Jha (Penn State) for help with creating these slides. 1 Testing Linearity Linear Functions Over Finite Field 2 A Boolean function : 0,1

489 views • 23 slides
Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm

Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm

Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm exam Next Thursday , in class (2-3:20pm) 1 Lecture 8 Public Key Cryptography II: Signatures (contd) + Identification [lecture slides are

405 views • 28 slides
THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave

THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave

1 THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave Benson, Caterina Campagnolo and Carmen Rovi http://www.maths.ed.ac.uk/aar/ University of Edinburgh Dedicated to the memory of Fritz Hirzebruch on

835 views • 19 slides

More recommend