Stronger Security for Sanitizable Signatures



1 AIT Austrian Institute of Technology GmbH, Vienna, Austria, [email protected]
2 IBM Research – Zurich, Zurich, Switzerland, {ksa,dso}@zurich.ibm.com
3 Technical University of Darmstadt, Darmstadt, Germany

Abstract. Sanitizable signature schemes (SSS) enable a designated party (called the sanitizer) to alter admissible blocks of a signed message. This primitive can be used to remove or alter sensitive data from already signed messages without involvement of the original signer. Current state-of-the-art security definitions of SSSs only define a “weak” form of security. Namely, the unforgeability, accountability and transparency definitions are not strong enough to be meaningful in certain use-cases. We identify some of these use-cases, close this gap by introducing stronger definitions, and show how to alter an existing construction to meet our desired security level. Moreover, we clarify a small yet important detail in the state-of-the-art privacy definition. Our work allows this primitive to be deployed in more and different scenarios.

1 Introduction

Traditional digital signature schemes such as RSA-PSS require that a signature σ on a message m becomes invalid as soon as a single bit of m is altered [1,2]. In contrast, many use-cases require subsequent changes to the signed data by a semi-trusted third party. As a simple example, consider a driver’s license which is signed by the issuing state. To prove majority, the holder wants to remove all information but the date of birth and its picture to preserve his privacy. Obviously, having the data re-signed by the state every time the holder needs to prove its age induces too much overhead to be practical in this scenario. This constellation is widely known as the “digital document sanitization problem” [3].

Sanitizable signature schemes (SSS) [4] address the aforementioned shortcomings. They allow the sanitizer, which holds its own private key, to alter all signer-chosen admissible blocks m[i] of a given message m = (m[1], …, m[i], …, m[ℓ]) to different bitstrings m′[i] ∈ {0, 1}*. In particular, a sanitization of a message m creates an altered message m′ = (m′[1], …, m′[i], …, m′[ℓ]), where m′[i] = m[i] for every non-admissible block, and a signature σ′, verifying under the given public keys.

This work was supported by the Horizon 2020 project PRISMACLOUD under grant agreement no. 644962, and the FP7 projects FutureID and AU2EU under grant agreement nos. 318424 and 611659. Parts of this work were done while the first author was at IBM Research – Zurich.

© Springer International Publishing Switzerland 2016. J. Garcia-Alfaro et al. (Eds.): DPM and QASA 2015, LNCS 9481, pp. 100–117, 2016. DOI: 10.1007/978-3-319-29883-2_7
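The sanitization behaviour described in the introduction, as an added example that is not code from the paper: a toy scheme in the style of chameleon-hash-based constructions from the literature, with the signer using Schnorr signatures. The group parameters, all function names and the sample license blocks are assumptions made for illustration, and the sketch does not aim at the stronger security definitions this paper introduces.

```python
import hashlib, secrets

# Constructed toy group: P = 2*Q + 1 and G generates the order-Q subgroup.
# These sizes give no security; they only keep the arithmetic readable.
P, Q, G = 2039, 1019, 4

def H(*parts):  # hash arbitrary values to an exponent in Z_Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def chash(pk_san, block, r):
    """Chameleon hash G^H(block) * pk_san^r; sk_san is its trapdoor."""
    return pow(G, H(block), P) * pow(pk_san, r, P) % P

def digest(pk_san, msg, adm, rand):
    """What the signer signs: fixed blocks as-is, admissible ones via chash."""
    cs = [chash(pk_san, b, rand[i]) if i in adm else b for i, b in enumerate(msg)]
    return H(cs, sorted(adm), pk_san)

def sign(sk_sig, pk_san, msg, adm):
    rand = {i: secrets.randbelow(Q) for i in adm}
    k = secrets.randbelow(Q - 1) + 1  # Schnorr nonce
    R = pow(G, k, P)
    e = H(R, digest(pk_san, msg, adm, rand))
    return {"R": R, "s": (k + e * sk_sig) % Q, "adm": set(adm), "rand": rand}

def verify(pk_sig, pk_san, msg, sig):
    e = H(sig["R"], digest(pk_san, msg, sig["adm"], sig["rand"]))
    return pow(G, sig["s"], P) == sig["R"] * pow(pk_sig, e, P) % P

def sanitize(sk_san, msg, sig, changes):
    """Swap admissible blocks; adjusted randomness keeps each chash fixed."""
    if not set(changes) <= sig["adm"]:
        raise ValueError("only admissible blocks may be changed")
    new_msg, rand, inv = list(msg), dict(sig["rand"]), pow(sk_san, -1, Q)
    for i, block in changes.items():
        rand[i] = (rand[i] + (H(msg[i]) - H(block)) * inv) % Q
        new_msg[i] = block
    return new_msg, {**sig, "rand": rand}

def demo():
    (sk_sig, pk_sig), (sk_san, pk_san) = keygen(), keygen()
    msg = ["name: Alice Example", "born: 1990-01-01"]  # constructed sample
    sig = sign(sk_sig, pk_san, msg, {0})               # only block 0 is admissible
    msg2, sig2 = sanitize(sk_san, msg, sig, {0: "name: REDACTED"})
    return verify(pk_sig, pk_san, msg, sig), verify(pk_sig, pk_san, msg2, sig2), msg2
```

The signer's Schnorr signature is never recomputed during sanitization: the sanitizer only replaces the per-block randomness, which is why the original signer need not be involved.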


Application scenarios include secure routing, privacy-preserving handling of patient data, official document disclosure, and blank signatures [4–9].

Organization. This paper is structured as follows. The remainder of this section is devoted to pointing out the problems in curre