Computing on authenticated data
In Theory of Cryptography — TCC 2012, Springer LNCS 7194, 2012
Cited by 19 (1 self)
Abstract
In tandem with recent progress on computing on encrypted data via fully homomorphic encryption, we present a framework for computing on authenticated data via the notion of slightly homomorphic signatures, or P-homomorphic signatures. With such signatures, it is possible for a third party to derive a signature on the object m′ from a signature of m as long as P(m, m′) = 1 for some predicate P which captures the “authenticatable relationship” between m′ and m. Moreover, a derived signature on m′ reveals no extra information about the parent m. Our definition is carefully formulated to provide one unified framework for a variety of distinct concepts in this area, including arithmetic, homomorphic, quotable, redactable, transitive signatures and more. It includes being unable to distinguish a derived signature from a fresh one even when given the original signature. The inability to link derived signatures to their original sources prevents some practical privacy and linking attacks, which is a challenge not satisfied by most prior works. Under this strong definition, we then provide generic constructions for all univariate and closed predicates, and specific efficient constructions for a broad class of natural predicates such as quoting, subsets, weighted sums, averages, and Fourier transforms. To our knowledge, these are the first efficient constructions for these predicates (excluding subsets) that provably satisfy this strong security notion. Supported by NSF, DARPA, and AFOSR. Applying to all authors, the views and conclusions contained in this
Malleable Signatures: New Definitions and Delegatable Anonymous Credentials
Cited by 2 (1 self)
Abstract
A signature scheme is malleable if, on input a message and a signature, it is possible to efficiently compute a signature on a related message, for a transformation that is allowed with respect to this signature scheme. In this paper, we first provide new definitions for malleable signatures that allow us to capture a broader range of transformations than was previously possible. We then give a generic construction based on malleable zero-knowledge proofs that allows us to construct malleable signatures for a wide range of transformation classes, with security properties that are stronger than those that have been achieved previously. Finally, we construct delegatable anonymous credentials from signatures that are malleable with respect to an appropriate class of transformations (that we show our malleable signature supports). The resulting instantiation satisfies a stronger security notion than previous schemes while also scaling linearly with the number of delegations.
Index Terms: signatures; malleability; anonymous credentials; delegation; definitions
Delegatable Functional Signatures
2013
Cited by 1 (0 self)
Abstract
We introduce delegatable functional signatures (DFS) which support the delegation of signing capabilities to another party, called the evaluator, with respect to a functionality F. In a DFS, the signer of a message can choose an evaluator, specify how the evaluator can modify the signature without voiding its validity, allow additional input and decide how the evaluator can further delegate its capabilities. The main contribution of this paper is twofold. First, we propose DFS, a novel cryptographic primitive that unifies several seemingly different signature primitives, including functional signatures as defined by Boyle, Goldwasser, and Ivan (eprint 2013/401), sanitizable signatures, identity-based signatures, and blind signatures. To achieve this unification, we present several definitions of unforgeability and privacy. Finding appropriate and meaningful definitions in this context is challenging due to the natural malleability of DFS and due to the multiparty setting that may involve malicious keys. Second, we present a complete characterization of the instantiability of DFS under common assumptions, like the existence of one-way functions. Here, we present both positive and negative
Rethinking Privacy for Extended Sanitizable Signatures and a Black-Box Construction of Strongly Private Schemes
Cited by 1 (1 self)
Abstract
Sanitizable signatures, introduced by Ateniese et al. at ESORICS’05, allow to issue a signature on a message where certain predefined message blocks may later be changed (sanitized) by some dedicated party (the sanitizer) without invalidating the original signature. With sanitizable signatures, replacements for modifiable (admissible) message blocks can be chosen arbitrarily by the sanitizer. However, in various scenarios this makes sanitizers too powerful. To reduce the sanitizer’s power, Klonowski and Lauks at ICISC’06 proposed (among others) an extension that enables the signer to limit the allowed modifications per admissible block to a well defined set each. At CT-RSA’10 Canard and Jambert then extended the formal model of Brzuska et al. from PKC’09 to additionally include the aforementioned and other extensions. We, however, observe that the privacy guarantees of their model do not capture privacy in the sense of the original definition of sanitizable signatures. That is, if a scheme is private in this model it is not guaranteed that the sets of allowed modifications remain concealed. To this end, we review a stronger notion of privacy, i.e., (strong) unlinkability (defined by Brzuska et al. at EuroPKI’13), in this context. While unlinkability fixes this problem, no efficient unlinkable scheme supporting the aforementioned extensions exists and it seems to be hard to construct such schemes. As a remedy, in this paper, we propose a notion stronger than privacy, but weaker than unlinkability, which captures privacy in the original sense. Moreover, it allows to easily construct efficient schemes satisfying our notion from secure existing schemes in a black-box fashion.
An Identity-Based Group Signature with Membership Revocation in the Standard Model
Abstract
Group signatures allow group members to sign an arbitrary number of messages on behalf of the group without revealing their identity. Under certain circumstances the group manager holding a tracing key can reveal the identity of the signer from the signature. Practical group signature schemes should support membership revocation where the revoked member loses the capability to sign a message on behalf of the group without influencing the other non-revoked members. A model known as verifier-local revocation supports membership revocation. In this model the trusted revocation authority sends revocation messages to the verifiers and there is no need for the trusted revocation authority to contact non-revoked members to update their secret keys. Previous constructions of verifier-local revocation group signature schemes either have a security proof in the random oracle model or are non-identity-based. A security proof in the random oracle model is only a heuristic proof and non-identity-based group signatures suffer from standard Public Key Infrastructure (PKI) problems, i.e. the group public key is not derived from the group identity and therefore has to be certified. In this work we construct the first verifier-local revocation group signature scheme which is identity-based and which has a security proof in the standard model. In particular, we give a formal security model for the proposed scheme and prove that the scheme has the property of selfless-anonymity under the decision Linear (DLIN) assumption and it is fully-traceable under the Computational Diffie-Hellman (CDH) assumption. The proposed scheme is based on prime order bilinear groups.
Sanitizable Signcryption: Sanitization over Encrypted Data (Full Version)
Abstract
We initiate the study of sanitizable signatures over encrypted data. While previous solutions for sanitizable signatures require the sanitizer to know, in clear, the original message-signature pair in order to generate the new signature, we investigate the case where these data should be hidden from the sanitizer and how this can be achieved with encryption. We call this primitive sanitizable signcryption, and argue that there are two options concerning what the sanitizer learns about the sanitized output: in semi-oblivious sanitizable signcryption schemes the sanitizer may get to know the sanitized message-signature pair, while fully oblivious sanitizable signcryption schemes even protect the output data. Depending on the application, either notion may be preferable. We continue to show that semi-oblivious sanitizable signcryption schemes can be constructed in principle, using the power of multi-input functional encryption. To this end, we wrap a regular sanitizable signature scheme into a multi-input functional encryption scheme, such that functional decryption corresponds to the sanitization process. Remarkably, the multi-input functional encryption scheme cannot easily be transferred to a fully oblivious sanitizable signcryption version, so we give a restricted solution based on fully homomorphic encryption for this case.
Highly Controlled, Fine-grained Delegation of Signing Capabilities
2013
Abstract
Delegation of signing rights is a central problem in security. Whereas delegating by giving power of attorney is well studied and digitally realized via delegatable anonymous credentials, directly delegating signing possibilities without the need for an external logic can be done via malleable signature schemes. However, the existing schemes do not allow for privacy-preserving, fine-grained malleability and they do not allow for a controlled way of further delegating the malleability. We bridge this gap by introducing delegatable functional signatures (DFS). We present the first construction of a DFS scheme. This construction is based on standard cryptographic primitives and shows that our strong unforgeability and privacy notions are achievable for arbitrary efficiently computable forms of malleability and delegatability.
Provably Security Identity-based Sanitizable Signature Scheme without Random Oracles
Abstract
A sanitizable signature scheme is a signature which allows a semi-trusted party called sanitizer to hide parts of the original message after the message is signed, without interacting with the signer. A verifier can confirm the integrity of disclosed parts of the sanitized document from the signature. Sanitizable signatures are quite useful in governmental or military offices, where there is a dilemma between disclosure requirements of documents and private secret. In this paper, we give a formal definition and secure model of identity-based sanitizable signature by combining identity-based cryptography and sanitizable signature. Motivated by Waters’ signature scheme, we present an identity-based sanitizable signature scheme without random oracles (in the standard model) using bilinear pairing. Finally, security analysis shows that our proposed scheme satisfies all the security requirements.
Index Terms: identity-based signature, sanitizable signature, random oracle, bilinear pairing, security
Efficient Unlinkable Sanitizable Signatures from Signatures with
Abstract
Sanitizable signature schemes are a type of malleable signatures where the signer grants a designated third party, called the sanitizer, signing rights in the sense that the sanitizer can modify designated parts and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties, which were formalized by Brzuska et al. (PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability, which says one cannot link sanitized message-signature pairs of the same document and gave a generic construction based on group signatures that have a certain structure. Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key independently but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient Σ-protocols which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than the fastest known construction.
A General Framework for Redactable Signatures and New Constructions
Abstract
A redactable signature scheme (RSS) allows removing parts of a signed message by any party without invalidating the respective signature. State-of-the-art constructions thereby focus on messages represented by one specific data structure, e.g., lists, sets or trees, and adjust the security model accordingly. To overcome the necessity for this myriad of models, we present a general framework covering arbitrary data structures and even more sophisticated possibilities. For example, we cover fixed elements which must not be redactable and dependencies between elements. Moreover, we introduce the notion of designated redactors, i.e., the signer can give some extra information to selected entities which become redactors. In practice, this often allows to obtain more efficient schemes. We then present two RSSs; one for sets and one for lists, both constructed from any EUF-CMA secure signature scheme and indistinguishable cryptographic accumulators in a black-box way and show how the concept of designated redactors can be used to increase the efficiency of these schemes. Finally, we present a black-box construction of a designated redactor RSS by combining an RSS for sets with non-interactive zero-knowledge proof systems. All the three constructions presented in this paper provide transparency, which is an important property, but quite hard to achieve, as we also conceal the length of the original message and the positions of the redactions.