[PPT] - Modification tolerant signature schemes: location and correction PowerPoint Presentation

SLIDE 1

Modification tolerant signature schemes: location and correction

Thais Bardini Idalino, Lucia Moura, Carlisle Adams

tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca

Indocrypt, December 17th 2019

1/31

SLIDE 2

Introduction MTSS Conclusion Digital Signatures

Introduction

Digital signatures: integrity, authenticity, non-repudiation.

✗ ✔

Traditional signature schemes: detect modifications. Modification-tolerant signature scheme (MTSS):

locates modifications; corrects modifications.

2/31

SLIDE 3

Introduction MTSS Conclusion Digital Signatures

Introduction

When do we want location?

Data forensics; Partial integrity; Hide private information; Collaborative work.

When do we want correction?

Errors during transmission/storage; Malicious modifications.

3/31

SLIDE 4

Introduction MTSS Conclusion Digital Signatures

Contributions

We propose a general framework for MTSS.

Definition of new algorithms MTSS-KeyGeneration(ℓ), MTSS-Sign(m, SK), MTSS-Verify(m, σ, PK), MTSS-Verify&Correct(m, σ, PK). New definitions of valid signatures and security.

Scheme 1: Instantiate a d-MTSS using a known combinatorial approach. Scheme 2: Extend Scheme 1 to further provide correction. Scheme 3: Variation of d-MTSS for redactable signatures. Security and correctness proofs.

4/31

SLIDE 5

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Modification-Tolerant Signature Scheme

General Idea

Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks.

5/31

SLIDE 6

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Modification-Tolerant Signature Scheme

General Idea

Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks.

verify( )

6/31

SLIDE 7

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Modification-Tolerant Signature Scheme

Instantiation

How can we instantiate this sheme? Easy: one signature per block

m

7/31

SLIDE 8

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Modification-Tolerant Signature Scheme

Instantiation

How can we instantiate this sheme? Easy: one signature per block

m

8/31

SLIDE 9

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Modification-Tolerant Signature Scheme

Instantiation

How can we instantiate this sheme? Easy: one signature per block

m

Total of n signatures.

8/31

SLIDE 10

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

d-Modification-Tolerant Signature Scheme

A better approach: Use a “tolerance level” d. Use combinatorial techniques to create the signature scheme. We can locate up to d modified blocks. The size of the signature depends on d.

One signature + O(d2 log n) hash values. Much better than n signatures.

9/31

SLIDE 11

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Combinatorial group testing

Cover-free families

The combinatorial approach: Cover-free families. Used in the context of combinatorial group testing. Identify d defective elements from a set of n elements pooled into t groups, where t < n. The groups are tested, instead of all elements individually.

1 2 3 4 5 6 Test 1 Test 2 Test 3 Test 4

fail fail pass pass

test1 test2 test3 test4

1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1-CFF(4,6) Matrix

1 2 3 4 5 6 10/31

SLIDE 12

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Combinatorial group testing

Cover-free families

A d-cover free family d-CFF(t, n):

A t × n binary matrix; Every set of d + 1 columns contains a permutation submatrix

f order d + 1.

1 2 3 4

1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1

log n

B1 B2 B3 B4 B5 B6

11/31

SLIDE 13

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

d-Modification-Tolerant Signature Scheme

Schemes

Three instantiations of d-MTSS using d-cover-free families. Scheme 1: A known1 d-CFF approach to provide location. Scheme 2: Extend Scheme 1 to further provide correction. Scheme 3: Variation of d-MTSS for redactable signatures.

1T. B. Idalino, L. Moura, R. F. Cust´
dio, and D. Panario. Locating

modifications in signed data for partial data integrity. Information Processing Letters, 2015.

12/31

SLIDE 14

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 1 - location

Document

test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1 2 3 4 5 6

test4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Signature

T[1] T[2] T[3] T[4]

m[1] m[2] m[3] m[4] m[5] m[6]

h(m)

h*

sign(sk, T)

σ’ 13/31

SLIDE 15

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 1 - location

Document

test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1 2 3 4 5 6

test4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Verification

T’[1] T’[2] T’[3] T’[4]

≟

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Signature

T[1] T[2] T[3] T[4]

m[1] m[2] m[3] m[4] m[5] m[6]

h(m)

h*

sign(sk, T)

σ’

2) h* ≟ h(m') no 1) σ’ OK?

3)

14/31

SLIDE 16

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 1 - location

Document

test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1 2 3 4 5 6

test4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Signature

T[1] T[2] T[3] T[4]

X m[2] m[3] m[4] m[5] m[6]

h(m)

h*

sign(sk, T)

σ’ T'1 T'2 T'3 T'4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

T1 T2 T3 T4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Verification

Locate modifications with t ∼ log n extra hash values. Existentially unforgeable.

15/31

SLIDE 17

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 1 - location

Document

test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1 1 2 3 4 5 6

test4

h(h1||h2||h3) h(h1||h4||h5) h(h2||h4||h6) h(h3||h5||h6)

Signature

T[1] T[2] T[3] T[4]

X m[2] m[3] m[4] m[5] m[6]

f size up to s have the same hash value.

Since s is small, we can compute all of them and check. We can always correct modifications.

18/31

SLIDE 23

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Security notions

Valid signature

A pair (m, σ) of message and signature is valid if there exists m′ such that: σ was generated from m′; m and m′ differ in at most d positions.

m’ m

19/31

SLIDE 24

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Security notions

Unforgeability

Unforgeable under the adaptive chosen message attack. Attacker A chooses messages m1, m2, . . . , mq. A requests the respective signatures σ1, σ2, . . . , σq from an

racle O.

A produces an existential forgery if he can create a valid σ for a new message m.

diff(m, mi) > d, 1 ≤ i ≤ q.

There is no such A that can, in probabilistic polynomial time, create an existential forgery with non-negligible probability.

20/31

SLIDE 25

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Security

Sketch of proof

Our schemes use: a collision resistant hash function h to create T; a traditional signature scheme Σ to generate and verify σ′, which is existentially unforgeable. What we want to prove: That d-MTSS as described in Scheme 1, based on h and Σ, is existentially unforgeable. How we do that: show that the security of the hash function h and the unforgeability of the underlying signature scheme Σ ensure unforgeability of d-MTSS.

21/31

SLIDE 26

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Security

Sketch of proof

Assume our scheme is not existentially unforgeable.

A chooses m1, . . . , mq and obtains σ1, . . . , σq. A outputs a valid pair (m, σ) with non-negligible probability. m differs from m1, . . . , mq in more than d positions.

If A exists, we can build an algorithm A′ that outputs:

an existential forgery of the underlying signature scheme Σ; or a collision pair for hash function h

This contradicts either the unforgeability of Σ or the collision resistance of h.

22/31

SLIDE 27

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Redactable signature

Redact (hide) content without invalidating signature; We should not be able to correct redacted blocks; Nor leak any information about it.

CONTRACT

Name: Alice Role: Professor Date of birth: 1/1/85 Salary: $70000

CONTRACT

Name: Alice Role: Professor Date of birth: 1/1/85 Salary: 704000 23/31

SLIDE 28

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Redactable signature

Redact (hide) content without invalidating signature; We should not be able to correct redacted blocks; Nor leak any information about it.

Schemes 1 and 2.

We leak information on original hash value of modified blocks. We can correct the modified block.

Schemes 1 and 2 are not suitable for redactable signatures.

24/31

SLIDE 29

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Document

m[1] m[2] m[3] m[4] m[5] m[6] test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1

1 2 3 4 5 6 test4 σ = (σ’, r)

Signature

σ’[1] σ’[2] σ’[3] σ’[4] Sign(T[1], SK) Sign(T[2], SK) Sign(T[3], SK) Sign(T[4], SK) h(h1||h2||h3)||r||id(1,5) h(h1||h4||h5)||r||id(2,5) h(h2||h4||h6)||r||id(3,5) h(h3||h5||h6)||r||id(4,5) T[1] h(m)||r||id(5,5) T[2] T[3] T[4] T[5] σ’[5] Sign(T[5], SK)

25/31

SLIDE 30

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Document

m[1] m[2] m[3] m[4] m[5] m[6] test1 test2 test3

1-CFF(4,6) Matrix 1 1 1 0 0 0 1 0 0 1 1 0 0 1 0 1 0 1 0 0 1 0 1 1

1 2 3 4 5 6 test4 σ = (σ’, r)

Signature

σ’[1] σ’[2] σ’[3] σ’[4] Sign(T[1], SK) Sign(T[2], SK) Sign(T[3], SK) Sign(T[4], SK) h(h1||h2||h3)||r||id(1,5) h(h1||h4||h5)||r||id(2,5) h(h2||h4||h6)||r||id(3,5) h(h3||h5||h6)||r||id(4,5) T[1] h(m)||r||id(5,5) T[2] T[3] T[4] T[5] σ’[5] Sign(T[5], SK)

Verification

no

1) Verify(h(m)||r||id(5,5), σ’[5], PK) ≟ 1 2)

h(h1||h2||h3)||r||id(1,5) h(h1||h4||h5)||r||id(2,5) h(h2||h4||h6)||r||id(3,5) h(h3||h5||h6)||r||id(4,5) T’[1] T’[2] T’[3] T’[4] Verify(T’[1], σ’[1], PK) ≟ 1 Verify(T’[2], σ’[2], PK) ≟ 1 Verify(T’[3], σ’[3], PK) ≟ 1 Verify(T’[4], σ’[4], PK) ≟ 1

Redaction

m[1] m[2] m[3] m[4] m[5] m[6] σ’[1] σ’[2] σ’[3] σ’[4] Sign(T[1], SK) Sign(T[2], SK) Sign(T[3], SK) Sign(T[4], SK) σ’[5] Sign(T[5], SK)

Redactable signatures with privacy of the redacted blocks.

26/31

SLIDE 31

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Security notions

Message m1

A B C

2-CFF(3,3) Matrix 1 0 0 0 1 0 0 0 1

1 2 3 Sign(h(A), SK) Sign(h(B), SK) Sign(h(C), SK) Sign(h(m1), SK)

Signature

σ’[1]

Message m2

D E F σ’[2] σ’[3] σ’[4] Sign(h(D), SK) Sign(h(E), SK) Sign(h(F), SK) Sign(h(m2), SK)

Signature Forgery m3

A anything F Sign(h(A), SK) anything Sign(h(F), SK) anything σ’[1] σ’[2] σ’[3] σ’[4] σ’[1] σ’[2] σ’[3] σ’[4]

Mix two messages and signatures to create a forgery.

Looks like a legit modification on message m3 = A?F.

Solution: use different r = Rand() for each signed message.

27/31

SLIDE 32

Introduction MTSS Conclusion Definitions Scheme 1 Scheme 2 Scheme 3

Scheme 3 - redactable signatures

Security notions

Message m1

A B C

2-CFF(3,3) Matrix 1 0 0 0 1 0 0 0 1

1 2 3

Signature

σ’[1] σ’[2] σ’[3] σ’[4]

Forgery m2

C anything A anything anything σ’[1] σ’[2] σ’[3] σ’[4] Sign(h(A)||123, SK) Sign(h(B)||123, SK) Sign(h(C)||123, SK) Sign(h(m1)||123, SK) Sign(h(C)||123, SK) Sign(h(A)||123, SK)

Signature

Mix the order of the blocks.

Looks like a legit modification on message m = CA?.

Solution: use counter id(i, t + 1) for each one of the rows.

28/31

SLIDE 33

Introduction MTSS Conclusion

Conclusion

Give a general framework for modification-tolerant signature schemes (MTSS). We provide three instantiations MTSS using d-CFFs:

Scheme 1: A known d-CFF approach to provide location.2 Scheme 2: Extend Scheme 1 to further provide correction. Scheme 3: Variation of d-MTSS for redactable signatures.

Security and correctness proofs.

2T. B. Idalino, L. Moura, R. F. Cust´
dio, and D. Panario. Locating

modifications in signed data for partial data integrity. IPL, 2015.

29/31

SLIDE 34

Introduction MTSS Conclusion

Future work

New instantiations beyond the d-CFF approaches; Increase granularity of modification location by using blocks and sub-blocks; Implementations in specific applications and parameter selection analysis.

30/31

SLIDE 35

Introduction MTSS Conclusion

Thank you! tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca

31/31