Signatures vs. Malleability in Data Security

controlled malleability sanitizable signatures n.w
1 / 38
Embed
Share

Explore the concept of signatures vs. malleability in data security, discussing the implications for authenticity and integrity. Learn about the challenges of maintaining data integrity in the face of potential manipulation and forgery, and how sanitizable signatures can help protect sensitive information from unauthorized access.

  • Signatures
  • Malleability
  • Data Security
  • Sanitizable Signatures
  • Authentication
rayaanacharya
chle715 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Controlled malleability. Sanitizable Signatures Rennes, 07/11/2014 Cristina Onete maria-cristina.onete@irisa.fr CIDRE/ INRIA

  2. What is malleability? (Of a metal or other material) able to be hammered or pres- sed into shape without breaking or cracking Oxford dict., www.oxforddictionaries.com Capacit d un m tal se laisser r duire en feuilles, par forgeage ou par laminage. Larousse, www.larousse.fr Cristina Onete || 07/11/2014 || 2

  3. Reminder: Signatures Medical record Name: Julie Martin Address: 101 Rue de Foug res, Rennes Diagnosis: Lung cancer Treatment: .......... .......................... Signer (Hospital) Signed: Ensures authenticity Cristina Onete || 07/11/2014 || 3

  4. Reminder: Signatures Verify(pk,m, ) Sign(sk, m) sk pk m Correctness Signer (Hospital) Verifier (CPAM) m* Unforgeability Adversary Verify(pk,m, *) m1 m2 mq Cristina Onete || 07/11/2014 || 4

  5. Signatures vs. Malleability Regular Signatures: Unforgeability: If Verify(m, )=1, then Verify(m*, )=0 with overwhelming probability (for m m*) m I agree m I disagree m* m I agree. Julie m* m* I disagree. Julie (Probabilistic) signatures: m ( 1, 2, n) Strong Unforgeability: even given (m, ), hard to get * such that Verify(m, *) = 1 Cristina Onete || 07/11/2014 || 5

  6. Signatures vs. Malleability Malleability Message mauling: (m, ) (m*, ) m* m I disagree. Julie I agree. Julie Else, (m*, ) is a forgery Signature mauling (m, ) (m, *) m m I agree. Julie I agree. Julie (m, *) is strong forgery Cristina Onete || 07/11/2014 || 6

  7. Signatures vs. Malleability Third-party access to data Can I work from home? Yes, if you can prove you need it chronic disease special needs Employer (Inria) Proof: CPAM has Julie s signed medical record CPAM shows Employer Julie s record Employer learns what Julie s disease is Breach of Privacy! CPAM asks Signer (hospital) to sign another record, without sensitive data High Complexity Ideally: CPAM cleans up record so signature still verifies Sanitizable signatures Cristina Onete || 07/11/2014 || 7

  8. Contents What are sanitizable signatures? Architecture Properties Constructing sanitizable signatures Chameleon Hash Functions Sanitizable signatures Extended sanitizable signatures Unlinkability Further malleability Controlled malleability in proofs of knowledge

  9. Sanitizable Signatures Architecture Medical record Medical record Name: Julie Martin Address: 21 Rue de Foug res Name: Julie Martin Address: 21 Rue de Foug res Work from home Diagnosis: Lung cancer Work from home Employer (Inria) Signer (Hospital) Verifier (CPAM) Signed: Signed: Cristina Onete || 07/11/2014 || 9

  10. Sanitizable Signatures Sanitizable Signatures idea: blocks Message m m[1] m[2] m[3] m[4] m[5] m[k] . Fixed message block Admissible message block can sign any message can decide which are the admissible blocks can decide who changes which blocks Cristina Onete || 07/11/2014 || 10

  11. Sanitizable Signatures Sanitizable Signatures idea: blocks Message m m[1] m[2] m[3] m[4] m[5] m[k] . Fixed message block Admissible message block can change admissible blocks (sanitizes m) uses secret key to maul signature cannot change fixed message blocks or blocks it is not allowed to change Cristina Onete || 07/11/2014 || 11

  12. Sanitizable Signatures Sanitizable Signatures idea: m[1] m[2] m[3] m[4] m[5] m[k] . m[1] m [2] m[3] m [4]m [5] m [1] m[k] . Cristina Onete || 07/11/2014 || 12

  13. Sanitizable Signatures Properties: Medical record Name: Julie Martin Address: 21 Rue de Foug res Name: Julie Dubois Signer (Hospital) Adversary Diagnosis: Diagnosis: Lung cancer Influenza Work from home Signed: Unforgeability: Nobody can output valid (m*, *) without or Cristina Onete || 07/11/2014 || 13

  14. Sanitizable Signatures Properties: Medical record Name: Julie Dubois Name: Julie Martin Address: 21 Rue de Foug res Sanitizer (CPAM) Diagnosis: Lung cancer Work from home Signed: Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Cristina Onete || 07/11/2014 || 14

  15. Sanitizable Signatures Properties: Medical record Medical record Name: Julie Dubois Name: Julie Dubois Name: Julie Martin Address: 21 Rue de Foug res Diagnosis: Lung cancer Name: Jean Dupont Address: 21 Rue de Foug res Diagnosis: Lung cancer ??? Work from home Work from home Signed: Signed: Privacy: Given sanitized m*, nothing leaks about original m Cristina Onete || 07/11/2014 || 15

  16. Sanitizable Signatures Properties: Medical record Medical record Name: Julie Dubois Name: Julie Dubois Name: Julie Martin Address: 21 Rue de Foug res Diagnosis: Lung cancer Name: Jean Dupont Address: 21 Rue de Foug res Diagnosis: Lung cancer ??? Work from home Work from home Signed: Signed: Transparency: Can t tell whether * is only signed or sanitized Cristina Onete || 07/11/2014 || 16

  17. Sanitizable Signatures Properties: Medical record Medical record Name: Julie Martin Address: 21 Rue de Foug res Diagnosis: Lung cancer Name: Julie Martin Address: 21 Rue de Foug res Diagnosis: Lung cancer Influenza Diagnosis: Work from home Work from home Signed: Signed: Accountability: A signer can prove to a judge that a sanitizer signed a message Cristina Onete || 07/11/2014 || 17

  18. Sanitizable Signatures Properties: Unforgeability: Nobody can output valid (m*, *) without Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Privacy: Given sanitized m*, nothing leaks about original m Transparency: Can t tell whether * is only signed or sanitized An authorized Judge can tell the difference Accountability or Cristina Onete || 07/11/2014 || 18

  19. Contents What are sanitizable signatures? Architecture Properties Constructing sanitizable signatures Chameleon Hash Functions Sanitizable signatures Extended sanitizable signatures Unlinkability Further malleability Controlled malleability in proofs of knowledge

  20. Chameleon Hash Functions What are hash functions? Hash m[1] m[2] m[N] h[1] h[2] h[k] Hash h[1] h[2] h[k] m[1] m[2] Turns messages of arbitrary length to hashed mes- sages of constant length Collision resistance: hard to find ?,? such that: ? ? = ?(? ) 1st Preimage resistance: hard to find ? given ?(?) 2nd Preimage resistance: given ?, hard to find ? with ? ? = ?(? ) Cristina Onete || 07/11/2014 || 20

  21. Chameleon Hash Functions What are chameleon hash functions? h[1] h[2] h[k] Hash m[1] m[2] m[N] m [1] m [2] m [N] Collision resistance: hard to find ?,? such that: ? ? = ?(? ) Chameleon hashes: still collision resistant Unless you have a trapdoor Cristina Onete || 07/11/2014 || 21

  22. Chameleon Hash Functions Two types of users m[1] m[N] m [1] m [N] Users w/out trapdoor Users with trapdoor h[1] h[2] h[k] m[1] m[N] m [1] m [N] Cristina Onete || 07/11/2014 || 22

  23. Chameleon Hash Functions How do you construct a Chameleon Hash? Two inputs: message ?, randomness ? CHash = (Gen, Hash, Adapt) Secret-Keys: generate key K and trapdoor TD ???() (?,??) Evaluation: ??? (?,?,?) Chameleon property: finding collision: ?????(??,?,?,?,? ) ? such that ??? (?,?,?) =??? (?,? ,? ) Cristina Onete || 07/11/2014 || 23

  24. Chameleon Hash Functions How do you construct a Chameleon Hash? Finite field G?with ? prime: integers mod p Take arbitrary ? G? \ {0,1}. Then ? generates G? \ {0} Key generation: ???() (? = G,?,?,? = ??,?? = ?) Hashing: ??? (?,?,?) ??? ? (??? ?) Chameleon property: finding collision: ?????(?,?,?,? ,?) ? = ? + ?? ? ? 1 (??? ?) ??? (?,?,?) = ??? ? = ?????= ??+?? ??? (?,? ,? ) = ?? +?? = ?? +?+?? ? = ??+?? Cristina Onete || 07/11/2014 || 24

  25. Sanitizable Signatures Sanitizable Signatures idea: m[1] m[2] m[3] m[4] m[5] m[k] . m[1] m [2] m[3] m [4] m [5] m[k] . Cristina Onete || 07/11/2014 || 25

  26. Sanitizable Signatures Using Chameleon Hashes to get malleability m[1] m[2] m[3] m[4] m[5] m[k] . m[1] H[2] m[3] H[4] H[5] m[k] . ?[2],?[2] ?[4],?[4] ?[5],?[5] Cristina Onete || 07/11/2014 || 26

  27. Sanitizable Signatures Using Chameleon Hashes to get malleability m[1] m[2] m[3] m[4] m[5] m[k] . m[1] H[2] m[3] H[4] H[5] m[k] . ? [2],? [2] ? [4],? [4] ? [5],? [5] Cristina Onete || 07/11/2014 || 27

  28. Sanitizable Signatures Using Chameleon Hashes to get malleability Fixed blocks: included in the signature m[i] m[i] Admissible blocks: Hashed with chameleon hash m[j] m[j], r[j], H(m[j, r[j]]) Signature generation: = [????[?????? ?|?(?,?),?????,???? ];?,????] Verification: check H for fixed blocks, check signature Cristina Onete || 07/11/2014 || 28

  29. Sanitizable Signatures Using Chameleon Hashes to get malleability Fixed blocks: included in the signature m[i] m[i] Admissible blocks: Hashed with chameleon hash m[j] m[j], r[j], H(m[j, r[j]]) Sanitization: m[j] m [j] r [j] m [j], r [j], H(m [j, r [j]]) = [????[?????? ?|?(?,?),?????,???? ];? ,????] Cristina Onete || 07/11/2014 || 29

  30. Sanitizable Signatures Properties Unforgeability: Nobody can output valid (m*, *) without or Fixed blocks: Unforgeability of signatures w/out Admissible blocks: Collision-resistance of H w/out Immutability: Not even the sanitizer can change fixed blocks, or blocks it is not allowed to change Fixed blocks: Unforgeability of signatures w/out Cristina Onete || 07/11/2014 || 30

  31. Sanitizable Signatures Properties Privacy: Given sanitized m*, nothing leaks about original m m*[j], r*[j], H(m*[j], r*[j]]) m[j], r[j], H(m[j], r[j]]) m [j], r [j], H(m [j], r [j]]) m [j], r [j], H(m [j], r [j]]) Transparency: Can t tell whether * is only signed or sanitized ?? ? m[j], r[j], H(m[j], r[j]]) m [j], r [j], H(m [j], r [j]]) Cristina Onete || 07/11/2014 || 31

  32. Sanitizable Signatures Properties Accountability A judge can tell the difference between a signed and a sanitized signature Adds complexity: see original paper for details: Security of Sanitizable Signatures Revisited Brzuska, Fischlin, Freudenreich, Lehmann, Page, Schelbert, Schr der, Volk Cristina Onete || 07/11/2014 || 32

  33. Contents What are sanitizable signatures? Architecture Properties Constructing sanitizable signatures Chameleon Hash Functions Sanitizable signatures Extended sanitizable signatures Unlinkability Further malleability Controlled malleability in proofs of knowledge

  34. Extended Sanitizable Signatures Properties Unlinkability A sanitizer first sanitizes a specific message m to m , then alters the signature ? to ? The same sanitizer then sanitizes m to m and alters the signature ? to ? Nobody should be able to link ? to ? Replace Chameleon Hash by Group Signatures (see next lectures) Unlinkability of Sanitizable Signatures Brzuska, Fischlin, Lehmann, Schr der Cristina Onete || 07/11/2014 || 34

  35. Further Malleability Multiple Sanitizers Construction with 1 signer and m sanitizers Nobody should know which party sanitized Except a judge, who should always be able to trace it Construction with n signers and m sanitizers Nobody should know who signed OR sanitized Except a judge, who should always be able to trace it Uses group signatures and non-interactive Zero- knowledge Cristina Onete || 07/11/2014 || 35

  36. Proofs of Knowledge General proofs of knowledge I know a value ? such that some ? ?holds Usually: generate a proof ? that proves this, without revealing the input ? Malleability: ?: ? ? holds ? ?: ? = ? ? ? : ? ? holds ? Malleable Proof Systems and Applications Chase, Lysyanskaya, Kohlweiss, Meiklejohn Cristina Onete || 07/11/2014 || 36

  37. Thanks! CIDRE

  38. Signatures vs. Malleability Regular Signatures: Unforgeability: m m* I agree. Julie I disagree. Julie Strong unforgeability: m m I agree. Julie I agree. Julie Cristina Onete || 23/05/2014 || 38

Related


No related presentations.

More Related Content