Sanitizable Signatures ESORICS 2005, LNCS 3679, pp. 159–177, Springer-Verlag Berlin Heidelberg 2005 Author: Giuseppe Ateniese, Daniel H. Chou, Breno de Medeiros, and Gene Tsudi Adviser: 鄭錦楸, 郭文中 教授 Reporter: 林彥宏
2 Outline Introduction and Motivation Related Work Sanitizable Signatures Construction Based on Chameleon Hashes Extensions and Other Constructions Implementation Conclusions
3 Introduction and Motivation Security Clearance : determination by the United States government that a person or company is eligible for access to classified information Freedom of Information Act (FOIA) Homomorphic Signature Schemes: R. Johnson, D. Molnar, D. Song, and D.Wagner. Topics in Cryptology–CT- RSA 2002 Redactable Signatures: anyone with the knowledge of the public key to generate a valid signature
4 Introduction and Motivation semi-trusted censor to modify designated portions of the document illustrate the utility of sanitizable signatures Multicast and Database Applications Medical Applications Secure Routing subscriber DB adminer sponsor
5 Related Work Incremental cryptography: Incremental cryptography: the case of hashing and signing. Springer- Verlag, update the function value based on the old value rather than re- computing it Homomorphic signatures: Redactable Signatures Sanitized Signatures: only the censor would be able to generate a valid signature on a modified (sanitized) document Transitive signatures: signer pick a pair i, j of nodes and create a signature of { i, j }; another signature of an edge { j, k } anyone in possession of the public key can create a signature of the edge { i, k } M P1 P2 P3
6 Sanitizable Signatures Sanitizable Signature scheme must have the following properties: Immutability: censor not be able to modify the part of message Privacy: sanitized information is unrecoverable Accountability: the signer can prove to a trusted third party (e.g., court) that a certain message was sanitized by the censor Transparency: no party be able to correctly guess whether the message has been sanitized
7 Sanitizable Signatures Transparency: Weak Transparency: verifier knows exactly which parts of the message are potentially sanitizable Strong Transparency: verifier does not know which parts of the message are immutable strong transparency is not always better: the Freedom of Information Act (FOIA)
8 Model four efficient algorithms: Key generation: Sign: Verify:
9 Model Sanitize: Security Requirements of Sanitizable Signatures: Correctness: Unforgeability: without the knowledge of the private signing key it is difficult to produce a valid signature
10 Model Indistinguishability: and are computationally indistinguishability Identical Distribution:
11 Construction Based on Chameleon Hashes Setup:
12 Sanitizable Signing Mutable block: Immutable block: Construction Based on Chameleon Hashes signer censor
13 Chameleon Hash
14 Chameleon Hash
15 Security Requirements Correctness Indistinguishability: Identical distribution of sanitized and original signatures Unforgeability
16 Extensions and Other Constructions multiple censors, each able to modify different portions of document Strong transparency: assign public keys of non-existing (dummy) censors to the blocks the signer wish to remain unmodified
17 Extensions and Other Constructions Hybrid Scheme: combine the redactable and sanitizable signatures Redacted block can redact by anyone Unredacted block can be sanitized by a censor
18 Attribute Tags the new parts satisfy prescribed semantics or policies immutable attribute tag m1m3 (Address:) m2
19 Implementation operation 1000 times SHA-1 as the generic hash algorithm RSA as the generic signature algorithm Nyberg-Rueppel-based chameleon hash
20 Conclusions Sanitizable signatures allow a semi-trusted censor to modify designated portions of a document. Verifier cannot determine whether a received signature has been sanitized by the censor. The performance results obtained demonstrate that the scheme is practical and efficient.