Efficient Unlinkable Sanitizable Signatures from Signatures with - - PowerPoint PPT Presentation
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures
Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr¨
Mark Simkin March 7, 2016
Sanitizable Signatures [ACdMT05] Bob E.D. $ 800
Sanitizable Signatures [ACdMT05] Bob E.D. $ 800 ✦
Sanitizable Signatures [ACdMT05] Bob E.D. $ 800 censored
Sanitizable Signatures [ACdMT05]
NurseBob E.D. $ 800 censored
Sanitizable Signatures [ACdMT05]
NurseBob E.D. $ 800 censored
Sanitizable Signatures [ACdMT05]
NurseBob E.D. $ 800 Bob Influenza $ 800 ✦
Security of Sanitizable Signatures
◮ Formalized by Brzuska et al. [BFFLPSSV09]
◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy
◮ Missing property identified by Brzuska et al. [BFLS10]
◮ Unlinkability
Security of Sanitizable Signatures
◮ Formalized by Brzuska et al. [BFFLPSSV09]
◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy
◮ Missing property identified by Brzuska et al. [BFLS10]
◮ Unlinkability
Security of Sanitizable Signatures
◮ Formalized by Brzuska et al. [BFFLPSSV09]
◮ Immutability ◮ Sanitizer Accountability ◮ Signer Accountability ◮ Transparency ◮ Unforgeability ◮ Privacy
◮ Missing property identified by Brzuska et al. [BFLS10]
◮ Unlinkability
Immutability [ACdMT05][BFFLPSSV09]
NurseBob E.D. $ 800 Charlie E.D. $ 800✪
Sanitizer-Accountability [ACdMT05][BFFLPSSV09]
NurseBob Influenza $ 800 Π
Sanitizer-Accountability [ACdMT05][BFFLPSSV09]
NurseBob Influenza $ 800 Π Yes! This message was sanitized.
Signer-Accountability [ACdMT05][BFFLPSSV09] Bob Stupid $ 800 Π
Signer-Accountability [ACdMT05][BFFLPSSV09] Bob Stupid $ 800 Π Nope! This message was not sanitized.
Transparency [ACdMT05][BFFLPSSV09] Bob Influenza $ 800 Bob Influenza $ 800
???
Unlinkability [BFLS10] Bob Influenza $ 800
NurseBob E.D. $ 800 Bob Acne $ 800
???
The General Idea Sign σFix m1 m2 m3 m4 m5 sksig sksan
The General Idea Sign σFix m1 m2 m3 m4 m5 Sign σ′ sksig sksan
σ
The General Idea Sign σFix m1 m2 m3 m4 m5 Sign σ′ sksig sksan σ
Signatures with Re-Randomizable Keys κ Gen sk pk
Signatures with Re-Randomizable Keys κ Gen sk pk Sign m σ
Signatures with Re-Randomizable Keys κ Gen sk pk Sign m σ Verify b
Signatures with Re-Randomizable Keys κ Gen sk pk Sign m σ Verify b RandSK RandPK ρ
Unforgeability under Re-Randomized Keys (sk, pk) ← Gen(1κ) pk (m∗, σ∗)
Unforgeability under Re-Randomized Keys σ ← Sign(sk, m) m σ The attacker wins if Verify(pk, m∗, σ∗) = 1 and m = m∗ (sk, pk) ← Gen(1κ) pk (m∗, σ∗)
Unforgeability under Re-Randomized Keys σ ← Sign(sk, m) m σ The attacker wins if Verify(pk, m∗, σ∗) = 1 and m = m∗ sk′ ←RandSK(sk, ρ) σ ←Sign(sk′, m) m, ρ σ
(sk, pk) ← Gen(1κ) pk (m∗, σ∗, ρ∗)
Unforgeability under Re-Randomized Keys
◮ Nontrivial Property
◮ Does not follow from standard unforgeability. ◮ Many schemes with re-randomizable keys not unforgeable
under re-randomized keys
◮ e.g. Boneh-Boyen, Camenisch-Lysyanskaya
◮ Instantiations in ROM and Standard Model
◮ Schnorr ◮ Hofheinz-Kiltz
Unforgeability under Re-Randomized Keys
◮ Nontrivial Property
◮ Does not follow from standard unforgeability. ◮ Many schemes with re-randomizable keys not unforgeable
under re-randomized keys
◮ e.g. Boneh-Boyen, Camenisch-Lysyanskaya
◮ Instantiations in ROM and Standard Model
◮ Schnorr ◮ Hofheinz-Kiltz
Our Construction Sign σFix m1 m2 m3 m4 m5 sksig pksig pksan
Our Construction Sign σFix m1 m2 m3 m4 m5 sk′ pk′ RandSK RandPK sksig pksig pksan
Our Construction Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan σ′
Our Construction Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ σ′
Our Construction Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′
Our Construction Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Our Construction Immutability Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Our Construction Sanitizer-Accountability Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Our Construction Signer-Accountability Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Our Construction Transparency Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Our Construction Unlinkability Sign σFix m1 m2 m3 m4 m5 Sign sk′ pk′ RandSK RandPK sksig pksig pksan PPoK τ Enc c σ′ σ
Comparison
Computation
This Paper1 BFLS10 using Groth07 FY04 KGensig 7E 1E 1E KGensan 1E 1E 4E Sign 15E 194E+2P 2831E Sanit 14E 186E+1P 2814E Verify 17E 207E + 62P 2011E Proof 23E 14E+1P 18E Judge 6E 1E+2P 2E
E=modular exponentiation,P= pairing evaluation
1Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ-protocols.
Comparison
Computation
This Paper1 BFLS10 using Groth07 FY04 KGensig 7E 1E 1E KGensan 1E 1E 4E Sign 15E 194E+2P 2831E Sanit 14E 186E+1P 2814E Verify 17E 207E + 62P 2011E Proof 23E 14E+1P 18E Judge 6E 1E+2P 2E
E=modular exponentiation,P= pairing evaluation
1Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ-protocols.
Comparison
Storage
This Paper2 BFLS10 using Groth07 FY04 pksig 7 1 1 sksig 14 1 1 pksan 1 1 5 sksan 1 1 1 σ 14 69 1620 π 4 1 3
measured in group elements
2Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ-protocols.
Comparison
Storage
This Paper2 BFLS10 using Groth07 FY04 pksig 7 1 1 sksig 14 1 1 pksan 1 1 5 sksan 1 1 1 σ 14 69 1620 π 4 1 3
measured in group elements
2Instantiated with Schnorr signatures, Cramer-Shoup Encryption, and Fiat-Shamir transformed Σ-protocols.
Conclusion We construct an unlinkable sanitizable signature scheme that can be instantiated at least one order of magnitude more efficiently than previously known schemes.
Nils Fleischhacker fleischhacker@cs.uni-saarland.de Full Version: ia.cr/2015/395