modification tolerant signature schemes location and
play

Modification tolerant signature schemes: location and correction - PowerPoint PPT Presentation

Jun 17, 2023 •279 likes •637 views

Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31 Introduction MTSS Digital Signatures

  1. Modification tolerant signature schemes: location and correction Thais Bardini Idalino, Lucia Moura, Carlisle Adams tbardini@sfu.ca, lmoura@uottawa.ca, cadams@uottawa.ca Indocrypt, December 17th 2019 1/31

  2. Introduction MTSS Digital Signatures Conclusion Introduction Digital signatures: integrity, authenticity, non-repudiation. ✔ ✗ Traditional signature schemes: detect modifications. Modification-tolerant signature scheme (MTSS): locates modifications; corrects modifications. 2/31

  3. Introduction MTSS Digital Signatures Conclusion Introduction When do we want location? Data forensics; Partial integrity; Hide private information; Collaborative work. When do we want correction? Errors during transmission/storage; Malicious modifications. 3/31

  4. Introduction MTSS Digital Signatures Conclusion Contributions We propose a general framework for MTSS. Definition of new algorithms MTSS-KeyGeneration ( ℓ ), MTSS-Sign ( m , SK ), MTSS-Verify ( m , σ, PK ), MTSS-Verify&Correct ( m , σ, PK ). New definitions of valid signatures and security. Scheme 1: Instantiate a d -MTSS using a known combinatorial approach. Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . Security and correctness proofs. 4/31

  5. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. 5/31

  6. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme General Idea Split a document into blocks; Create a more expressive signature using the blocks; During verification, we can locate or locate & correct modified blocks. verify( ) 6/31

  7. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 7/31

  8. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m 8/31

  9. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Modification-Tolerant Signature Scheme Instantiation How can we instantiate this sheme? Easy: one signature per block m Total of n signatures. 8/31

  10. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme A better approach: Use a “tolerance level” d . Use combinatorial techniques to create the signature scheme. We can locate up to d modified blocks. The size of the signature depends on d . One signature + O ( d 2 log n ) hash values. Much better than n signatures. 9/31

  11. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families The combinatorial approach: Cover-free families . Used in the context of combinatorial group testing. Identify d defective elements from a set of n elements pooled into t groups, where t < n . The groups are tested, instead of all elements individually. 1 2 3 4 5 6 1-CFF(4,6) Matrix 1 2 3 4 5 6 test 1 1 1 1 0 0 0 Test 1 Test 2 Test 3 Test 4 1 0 0 1 1 0 test 2 0 1 0 1 0 1 test 3 0 0 1 0 1 1 test 4 pass pass fail fail 10/31

  12. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Combinatorial group testing Cover-free families A d -cover free family d -CFF( t , n ): A t × n binary matrix; Every set of d + 1 columns contains a permutation submatrix of order d + 1. B 1 B 2 B 3 B 4 B 5 B 6 1 1 1 0 0 0 1 1 0 0 1 1 0 2 log n 0 1 0 1 0 1 3 0 0 1 0 1 1 4 11/31

  13. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 d -Modification-Tolerant Signature Scheme Schemes Three instantiations of d -MTSS using d -cover-free families. Scheme 1: A known 1 d -CFF approach to provide location . Scheme 2: Extend Scheme 1 to further provide correction . Scheme 3: Variation of d -MTSS for redactable signatures . 1 T. B. Idalino, L. Moura, R. F. Cust´ odio, and D. Panario. Locating modifications in signed data for partial data integrity. Information Processing Letters, 2015. 12/31

  14. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 T[1] m[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] test 2 1 0 0 1 1 0 h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] 13/31

  15. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 m[1] T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification 3) h(h 1 ||h 2 ||h 3 ) T’[1] 1) σ’ OK? T’[2] h(h 1 ||h 4 ||h 5 ) h(h 2 ||h 4 ||h 6 ) 2) h* ≟ h(m') no T’[3] h(h 3 ||h 5 ||h 6 ) T’[4] ≟ 14/31

  16. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location Document 1-CFF(4,6) Matrix Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 1 1 1 0 0 0 T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) test 2 1 0 0 1 1 0 m[3] T[4] test 3 h(h 3 ||h 5 ||h 6 ) 0 1 0 1 0 1 m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] sign(sk, T) σ’ m[6] Verification T 1 h(h 1 ||h 2 ||h 3 ) T' 1 h(h 1 ||h 2 ||h 3 ) T' 2 T 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T 3 h(h 2 ||h 4 ||h 6 ) T' 3 h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 Locate modifications with t ∼ log n extra hash values. Existentially unforgeable. 15/31

  17. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 1 - location 1-CFF(4,6) Matrix Document Signature 1 2 3 4 5 6 X T[1] h(h 1 ||h 2 ||h 3 ) test 1 T[2] 1 1 1 0 0 0 m[2] h(h 1 ||h 4 ||h 5 ) test 2 1 0 0 1 1 0 T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] test 3 0 1 0 1 0 1 h(h 3 ||h 5 ||h 6 ) m[4] test 4 0 0 1 0 1 1 h* h(m) m[5] σ’ sign(sk, T) m[6] Verification T 1 T' 1 h(h 1 ||h 2 ||h 3 ) h(h 1 ||h 2 ||h 3 ) T 2 T' 2 h(h 1 ||h 4 ||h 5 ) h(h 1 ||h 4 ||h 5 ) T' 3 T 3 h(h 2 ||h 4 ||h 6 ) h(h 2 ||h 4 ||h 6 ) T 4 h(h 3 ||h 5 ||h 6 ) h(h 3 ||h 5 ||h 6 ) T' 4 How can I correct the modified block? 16/31

  18. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  19. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  20. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  21. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction Pick row T [1] = h ( h 1 || h 2 || h 3 ) of the signature; Compute h 2 = h ( m [2]) and h 3 = h ( m [3]); Try all possible values for m [1] and corresponding hash h ( m [1]); Stop when h ( h ( m [1]) || h 2 || h 3 ) = T [1]. Document Signature X T[1] h(h 1 ||h 2 ||h 3 ) T[2] h(h 1 ||h 4 ||h 5 ) m[2] T[3] h(h 2 ||h 4 ||h 6 ) m[3] T[4] h(h 3 ||h 5 ||h 6 ) m[4] h* h(m) m[5] sign(sk, T) σ’ m[6] 17/31

  22. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Scheme 2 - correction “Brute force” search on the original block; Efficient for blocks of small enough size s ; If there there are two or more possible values, return fail. We can always choose a hash function h where no two inputs of size up to s have the same hash value. Since s is small, we can compute all of them and check. We can always correct modifications. 18/31

  23. Definitions Introduction Scheme 1 MTSS Scheme 2 Conclusion Scheme 3 Security notions Valid signature A pair ( m , σ ) of message and signature is valid if there exists m ′ such that: σ was generated from m ′ ; m and m ′ differ in at most d positions. m’ m 19/31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford

Signature Schemes from La2ces Ananth Raghunathan Stanford University ISI Kolkata, Jan 2012 Short Integer Solu5ons (SIS) A: Z m --&gt; (Z q ) n m

279 views • 15 slides
Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure

Designated Verifier Signature Schemes - An Overview Liina Kamm October 10, 2005 Structure The Jakobsson-Sako-Impagliazzo Scheme Security notions for DVS schemes DVS Scheme with tight reduction to DDH in NPRO Universal Designated

620 views • 42 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th

LMS vs XMSS: Comparison of Stateful Hash-Based Signature Schemes on ARM Cortex-M4 12th International Conference on Cryptology, Africacrypt 2020 Fabio Campos 1 Tim Kohlstadt 1 Steffen Reith 1 ottinger 2 Marc St July 19, 2020 1 RheinMain

399 views • 29 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt

Group-Signature Schemes on Constrained Devices Raphael Spreitzer and J orn-Marc Schmidt Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

335 views • 14 slides
Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram

Enforcing honesty of certification authorities: Tagged one-time signature schemes Bertram Poettering and Douglas Stebila Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013

454 views • 41 slides
Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin

Formally Certifying the Security of Digital Signature Schemes Santiago Zanella 1 , 2 Benjamin Grgoire 1 , 2 Gilles Barthe 3 Federico Olmedo 3 1 Microsoft Research - INRIA Joint Centre, France 2 INRIA Sophia Antipolis - Mditerrane, France 3

837 views • 51 slides
Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval

Flaws in Applying Proof Methodologies to Signature Schemes Jacques Stern - David Pointcheval Ecole normale suprieure - France John Malone-Lee - Nigel Smart University of Bristol - UK Summary Summary The methodology of provable

479 views • 12 slides
Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline

Harnessing Biased Faults in Attacks on ECC-based Signature Schemes Kimmo Jrvinen 1 , Cline Blondeau 1 , Dan Page 2 , Michael Tunstall 2 1 Aalto University, Department of Information and Computer Science, Finland 2 University of Bristol,

590 views • 39 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of

Cryptography V: Digital Signatures Computer Security Lecture 6 David Aspinall School of Informatics University of Edinburgh 31st January 2013 Outline Basics Constructing signature schemes Security of signature schemes ElGamal DSA

1.15k views • 91 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work

Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work

Approximation of mean curvature motion with nonlinear Neumann conditions Yves Achdou joint work with M. Falcone Laboratoire J-L Lions, Universit e Paris Diderot Padova 2012 Y. Achdou HYP2012 Padova The boundary value problem The PDE

843 views • 34 slides
Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh

Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh

Sobriety and congruence biframes Graham Manuell graham@manuell.me University of Edinburgh Workshop on Algebra, Logic and Topology September 2018 1 Overview Sober spaces are the only topological spaces that can be faithfully represented

570 views • 36 slides
TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti,

TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti,

Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy TE Mode Ridg TE idged Waveguid ide Ca Cavit itie ies for r ADMX Rese search Al l Moretti, FN FNAL nd Workshop on 2 nd on Mic icrowave Cavitie ies an and De

616 views • 17 slides
fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures

fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures

E LEMENTS OF A RCHITECTURAL S TRUCTURES : F ORM, B EHAVIOR, AND D ESIGN ARCH 614 D R. A NNE N ICHOLS S PRING 2019 lecture fourteen wood construction: column design Wood Columns 1 Elements of Architectural Structures S2019abn Lecture 14

517 views • 18 slides
Analysis of Simple CS Amplifier Conditions for using Miller Two poles approximation? Assume

Analysis of Simple CS Amplifier Conditions for using Miller Two poles approximation? Assume

4 Analysis of Simple CS Amplifier Conditions for using Miller Two poles approximation? Assume there is one dominant pole, called P D in the circuit and that pole is mainly determined by the input section of the circuit. [ ] 1 ( )

410 views • 8 slides
BECOLA facility; recent CLS studies on neutron-deficient K &amp; Fe isotopes Kei Minamisono

BECOLA facility; recent CLS studies on neutron-deficient K &amp; Fe isotopes Kei Minamisono

BECOLA facility; recent CLS studies on neutron-deficient K &amp; Fe isotopes Kei Minamisono NUSTAR annual meeting 2016, GSI, Germany, March 1-4, 2016 Laser spectroscopy measurements - I , m , Q , &lt; r 2 &gt; - : stable nuclei : known :

390 views • 24 slides
Compiling Uncertainty Away: Solving Conformant Planning Problems Using a Classical Planner

Compiling Uncertainty Away: Solving Conformant Planning Problems Using a Classical Planner

WS on Planning with Uncertainty and Execution - ICAPS - 2006 Palacios &amp; Geffner Compiling Uncertainty Away: Solving Conformant Planning Problems Using a Classical Planner (Sometimes) H ector Palacios H ector Geffner UPF ICREA/UPF

688 views • 54 slides
EDMs, CP-odd Nucleon Correlators &amp; QCD Sum Rules Adam Ritz University of Victoria Based on

EDMs, CP-odd Nucleon Correlators &amp; QCD Sum Rules Adam Ritz University of Victoria Based on

Hadronic Matrix Elements for Probes of CP Violation - ACFI, UMass Amherst - Jan 2015 EDMs, CP-odd Nucleon Correlators &amp; QCD Sum Rules Adam Ritz University of Victoria Based on (older) work with M. Pospelov, see e.g. the review M. Pospelov

664 views • 38 slides

More recommend