A General Framework for Redactable Signatures and New Constructions

Transcription

1 S C I E N C E P A S S I O N T E C H N O L O G Y A General Framework for Redactable Signatures and New Constructions David Derler, Henrich C. Pöhls, Kai Samelin, Daniel Slamanig, Graz University of Technology, Austria University of Passau, Germany IBM Research Zurich, Switzerland & TU Darmstadt, Germany

2 Outline 1. Introduction 2. General Framework 3. Generic Construction 4. Conclusions 2

3 Outline 1. Introduction 2. General Framework 3. Generic Construction 4. Conclusions 3

4 Redactable Signature Schemes (RSS) 4

5 Redactable Signature Schemes (RSS) 4

6 Redactable Signature Schemes (RSS) 4

7 Redactable Signature Schemes (RSS) 4

8 Redactable Signature Schemes (RSS) 4

9 Applications Blacking out data from signed documents Document is signed Contains sensitive information Black out sensitive parts Still carries the original signature (timestamp, etc.) Medical research, accounting, government, etc. 5

10 History Introduced Johnson et al. (CT-RSA 02) as a variant of homomorphic signatures and Steinfeld et al. (ICISC 01) as content extraction signatures Initial security requirements Unforgeability and privacy Evolved over time 6

11 Development Over the Years Additional functionality Consecutive redaction control Dependencies between (redactable) parts Different message structures Lists, sets, trees, graphs Additional security properties Transparency Many models and messy terminology unification 7

12 Outline 1. Introduction 2. General Framework 3. Generic Construction 4. Conclusions 8

13 Motivation I/II Many different models used Tailored to message structure, e.g., trees Different interpretation of redactions Arbitrary redactions possible Fine-grained redaction control Different naming of security properties 9

14 Motivation II/II Generalized model Inspired by sanitizable signatures (Brzuska et al. PKC 09) Similar to RSS for trees (Brzuska et al. ACNS 10) Introducing designated redactors Auxilliary information for redaction Allows more efficient constructions Not to be confused with keyed redaction (sanitization) 10

15 Security of Redactable Signatures Correctness, Unforgeability Straight forward 11

16 Security of Redactable Signatures Correctness, Unforgeability Straight forward Privacy Redacted information not recoverable 11

17 Security of Redactable Signatures Correctness, Unforgeability Privacy Straight forward Redacted information not recoverable Transparency Original signature and redacted versions indistinguishable 11

18 Transparency Property Stronger privacy notion Redaction not noticeable Technically hard to achieve Challenging issue 12

19 Outline 1. Introduction 2. General Framework 3. Generic Construction 4. Conclusions 13

20 Overview Generic constructions of transparent RSS RSS for sets RSS for linear documents Designated redactor RSS for linear documents Existing constructions are often instantiations thereof 14

21 Indistinguishable Accumulators Finite set Accumulator 15

22 Indistinguishable Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X, intractable x / X 15

23 Indistinguishable Accumulators Finite set Accumulator Witnesses wit x certifying membership of x in acc X Efficiently computable x X, intractable x / X Indistinguishability (Derler et al. CT-RSA 15) Neither accu nor witnesses leak information about X 15

24 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme 16

25 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme Accumulate set, sign accumulator 16

26 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme Accumulate set, sign accumulator Additionally include witnesses in signature 16

27 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme Accumulate set, sign accumulator Additionally include witnesses in signature Verify: signature & accu membership 16

28 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme Accumulate set, sign accumulator Additionally include witnesses in signature Verify: signature & accu membership Redact: Remove witnesses from signature 16

29 RSS for Sets Simple construction Indistinguishable accumulator EUF-CMA secure digital signature scheme Accumulate set, sign accumulator Additionally include witnesses in signature Verify: signature & accu membership Redact: Remove witnesses from signature 16

30 RSS for Linear Documents Using RSS for sets and encode positions of blocks? Breaks transparency Sample independent randomness r i for each block m i For i th block accumulate randomness (r j ) i j=1 Redaction as before On verification check if for i th block there are i witnesses 17

31 RSS for Linear Documents 18

32 RSS for Linear Documents 18

33 RSS for Linear Documents 18

34 RSS for Linear Documents 18

35 RSS for Linear Documents 18

36 RSS for Linear Documents 18

37 RSS for Linear Documents 18

38 RSS for Linear Documents 18

39 RSS for Linear Documents 18

40 RSS for Linear Documents 18

41 RSS for Linear Documents 18

42 Designated Redactor RSS 19

43 Designated Redactor RSS 19

44 Designated Redactor RSS 19

45 Designated Redactor RSS Non-interactive zero-knowledge proofs (ordering) Designated info: Openings of commitments 19

46 Outline 1. Introduction 2. General Framework 3. Generic Construction 4. Conclusions 20

47 Conclusion Messy terminology and models Generalized framework for RSS Designated redactor RSS Generic constructions Sets Linear documents 21

48 Thank you. Full version: Supported by