Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures.

Published byPosy McKinney Modified over 9 years ago

Similar presentations

Presentation on theme: "Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures."— Presentation transcript:

1 Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA maria-cristina.onete@irisa.fr Controlled malleability. Sanitizable Signatures

2  Cristina Onete || 07/11/2014 || 2 What is malleability? “Capacité d’un métal à se laisser réduire en feuilles, par forgeage ou par laminage.” Larousse, www.larousse.fr “(Of a metal or other material) able to be hammered or pres- sed into shape without breaking or cracking” Oxford dict., www.oxforddictionaries.com

3  Reminder: Signatures Medical record Name: Julie Martin Address: 101 Rue de Fougères, Rennes Diagnosis: Lung cancer ……………… Treatment:.................................... Signed: Signer (Hospital) Ensures authenticity Cristina Onete || 07/11/2014 || 3

4  Reminder: Signatures Signer (Hospital) Verifier (CPAM) m sk Sign(sk, m) pk Verify(pk,m, σ) Adversary m* Verify(pk,m, σ*) Correctness Unforgeability m1m1 m2m2 … mqmq Cristina Onete || 07/11/2014 || 4

5  Signatures vs. Malleability  Regular Signatures:  (Probabilistic) signatures: m   (σ 1, σ 2, … σ n )  Unforgeability: If Verify(m,σ)=1, then Verify(m*,σ)=0 with overwhelming probability (for m ≠ m*) m m*  Strong Unforgeability: even given (m, σ), hard to get σ* such that Verify(m, σ*) = 1 mI agree m* I disagree m m* I agree. Julie I disagree. Julie Cristina Onete || 07/11/2014 || 5

6  Signatures vs. Malleability  Malleability  Message mauling:  Signature mauling I agree. Julie m I disagree. Julie m* I agree. Julie m m (m,σ) (m*,σ) Else, (m*, σ) is a forgery (m,σ) (m,σ*) (m, σ*) is strong forgery Cristina Onete || 07/11/2014 || 6

7  Signatures vs. Malleability  Third-party access to data  Proof: CPAM has Julie’s signed medical record CPAM shows Employer Julie’s record Employer learns what Julie’s disease is CPAM asks Signer (hospital) to sign another record, without sensitive data Breach of Privacy! High Complexity Ideally: CPAM “cleans” up record so signature still verifies Sanitizable signatures chronic disease special needs Employer (Inria) Can I work from home? Yes, if you can prove you need it Cristina Onete || 07/11/2014 || 7

8  Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

9  Sanitizable Signatures  Architecture Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Diagnosis: Lung cancer Signed: Verifier (CPAM) Signer (Hospital) Employer (Inria) Work from home Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Cristina Onete || 07/11/2014 || 9

10  Sanitizable Signatures  Sanitizable Signatures – idea: Message m ……………. m[1]m[2]m[3]m[4]m[5]m[k] blocks Fixed message blockAdmissible message block  can sign any message  can decide which are the admissible blocks  can decide who changes which blocks Cristina Onete || 07/11/2014 || 10

11  Sanitizable Signatures  Sanitizable Signatures – idea: Message m ……………. m[1]m[2]m[3]m[4]m[5]m[k] blocks Fixed message blockAdmissible message block  can change admissible blocks (sanitizes m)  uses secret key to maul signature  cannot change fixed message blocks or blocks it is not allowed to change Cristina Onete || 07/11/2014 || 11

12  Sanitizable Signatures  Sanitizable Signatures – idea: ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]m’[2]m[3]m’[4]m’[5]m[k] m’[1] Cristina Onete || 07/11/2014 || 12

13  Sanitizable Signatures  Properties: Unforgeability: Nobody can output valid (m*, σ*) without or Signer (Hospital) Adversary Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Diagnosis: Influenza Cristina Onete || 07/11/2014 || 13

14  Sanitizable Signatures  Properties: Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Sanitizer (CPAM) Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Cristina Onete || 07/11/2014 || 14

15  Sanitizable Signatures  Properties: Privacy: Given sanitized m*, nothing leaks about original m Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Medical record Name: Jean Dupont Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois ? ? ? Cristina Onete || 07/11/2014 || 15

16  Sanitizable Signatures  Properties: Transparency: Can’t tell whether σ* is only signed or sanitized Medical record Name: Jean Dupont Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Name: Julie Dubois ? ? ? Cristina Onete || 07/11/2014 || 16

17  Sanitizable Signatures  Properties: Accountability: A signer can prove to a judge that a sanitizer signed a message Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Medical record Name: Julie Martin Address: 21 Rue de Fougères………… Signed: Work from home Diagnosis: Lung cancer Diagnosis: Influenza Cristina Onete || 07/11/2014 || 17

18  Sanitizable Signatures  Properties: Unforgeability: Nobody can output valid (m*, σ*) without or Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Privacy: Given sanitized m*, nothing leaks about original m Transparency: Can’t tell whether σ* is only signed or sanitized An authorized Judge can tell the difference Accountability Cristina Onete || 07/11/2014 || 18

19  Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

20  Chameleon Hash Functions  What are hash functions? ……… m[1]m[2]m[N] ………h[1]h[2]h[k] Hash m[1]m[2] Hash ………h[1]h[2]h[k] Turns messages of arbitrary length to hashed mes- sages of constant length Cristina Onete || 07/11/2014 || 20

21  Chameleon Hash Functions  What are chameleon hash functions? ……… m[1]m[2]m[N] ………h[1]h[2]h[k] Hash ……… m’[1]m’[2]m’[N] Chameleon hashes: still collision resistant Unless you have a trapdoor… Cristina Onete || 07/11/2014 || 21

22  Chameleon Hash Functions  Two types of users Users w/out trapdoor Users with trapdoor ………h[1]h[2]h[k] …… m[1]m[N] …… m’[1]m’[N] …… m[1]m[N] …… m’[1]m’[N] Cristina Onete || 07/11/2014 || 22

23  Chameleon Hash Functions  How do you construct a Chameleon Hash? CHash = (Gen, Hash, Adapt) Secret-Keys: generate key K and trapdoor TD Evaluation: Chameleon property: finding collision: Cristina Onete || 07/11/2014 || 23

24  Chameleon Hash Functions  How do you construct a Chameleon Hash? Key generation: Hashing: Chameleon property: finding collision: Cristina Onete || 07/11/2014 || 24

25  Sanitizable Signatures  Sanitizable Signatures – idea: ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]m’[2]m[3]m’[4]m’[5]m[k] Cristina Onete || 07/11/2014 || 25

26  Sanitizable Signatures  Using Chameleon Hashes to get malleability ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]H[2]m[3]H[4]H[5]m[k] Cristina Onete || 07/11/2014 || 26

27  Sanitizable Signatures  Using Chameleon Hashes to get malleability ……………. m[1]m[2]m[3]m[4]m[5]m[k] ……………. m[1]H[2]m[3]H[4]H[5]m[k] Cristina Onete || 07/11/2014 || 27

28  Sanitizable Signatures  Using Chameleon Hashes to get malleability Fixed blocks: included in the signature Admissible blocks: Hashed with chameleon hash m[i] m[j]m[j], r[j], H(m[j, r[j]]) Signature generation: Verification: check H for fixed blocks, check signature Cristina Onete || 07/11/2014 || 28

29  Sanitizable Signatures  Using Chameleon Hashes to get malleability Fixed blocks: included in the signature Admissible blocks: Hashed with chameleon hash m[i] m[j]m[j], r[j], H(m[j, r[j]]) Sanitization: m[j]m’[j]r’[j] m’[j], r’[j], H(m’[j, r’[j]]) Cristina Onete || 07/11/2014 || 29

30  Sanitizable Signatures  Properties Unforgeability: Nobody can output valid (m*, σ*) without or Fixed blocks: Unforgeability of signatures w/out Admissible blocks: Collision-resistance of H w/out Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Fixed blocks: Unforgeability of signatures w/out Cristina Onete || 07/11/2014 || 30

31  Sanitizable Signatures  Properties Privacy: Given sanitized m*, nothing leaks about original m m[j], r[j], H(m[j], r[j]]) m’[j], r’[j], H(m’[j], r’[j]]) ? ? ? Transparency: Can’t tell whether σ* is only signed or sanitized m’[j], r’[j], H(m’[j], r’[j]])m’[j], r’’[j], H(m’[j], r’’[j]]) m[j], r[j], H(m[j], r[j]])m*[j], r*[j], H(m*[j], r*[j]]) Cristina Onete || 07/11/2014 || 31

32  Sanitizable Signatures  Properties Accountability A judge can tell the difference between a signed and a sanitized signature Adds complexity: see original paper for details: “Security of Sanitizable Signatures Revisited” Brzuska, Fischlin, Freudenreich, Lehmann, Page, Schelbert, Schröder, Volk Cristina Onete || 07/11/2014 || 32

33  Contents  What are sanitizable signatures?  Architecture  Properties  Constructing sanitizable signatures  Chameleon Hash Functions  Sanitizable signatures  Extended sanitizable signatures  Unlinkability  Further malleability  Controlled malleability in proofs of knowledge

34  Extended Sanitizable Signatures  Properties Unlinkability Replace Chameleon Hash by Group Signatures (see next lectures) “Unlinkability of Sanitizable Signatures” Brzuska, Fischlin, Lehmann, Schröder Cristina Onete || 07/11/2014 || 34

35  Further Malleability  Multiple Sanitizers Construction with 1 signer and m sanitizers  Nobody should know which party sanitized  Except a judge, who should always be able to trace it Construction with n signers and m sanitizers  Nobody should know who signed OR sanitized  Except a judge, who should always be able to trace it Uses group signatures and non-interactive Zero- knowledge Cristina Onete || 07/11/2014 || 35

36  Proofs of Knowledge  General proofs of knowledge Malleability: “Malleable Proof Systems and Applications” Chase, Lysyanskaya, Kohlweiss, Meiklejohn Cristina Onete || 07/11/2014 || 36

37 CIDRE Thanks!

38  Cristina Onete || 23/05/2014 || 38 Signatures vs. Malleability  Regular Signatures:  Unforgeability:  Strong unforgeability: I agree. Julie m I disagree. Julie m* I agree. Julie m m

Download ppt "Rennes, 07/11/2014 Cristina Onete CIDRE/ INRIA Controlled malleability. Sanitizable Signatures."

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.

Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.

 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.

Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google