Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys
Nils Fleischhacker, Johannes Krupp, Giulio Malavolta, Jonas Schneider, Dominique Schröder, Mark Simkin
March 7, 2016
Security of Sanitizable Signatures
- Formalized by Brzuska et al. [BFFLPSSV09]
  - Immutability
  - Sanitizer Accountability
  - Signer Accountability
  - Transparency
  - Unforgeability
  - Privacy
- Missing property identified by Brzuska et al. [BFLS10]
  - Unlinkability
Sanitizer-Accountability [ACdMT05][BFFLPSSV09]
[Figure: message with the fields "Nurse", "Bob", "Influenza", "$ 800" and a proof Π. Verdict shown: "Yes! This message was sanitized."]
Signer-Accountability [ACdMT05][BFFLPSSV09]
[Figure: message with the fields "Nurse", "Bob", "Stupid", "$ 800" and a proof Π. Verdict shown: "Nope! This message was not sanitized."]
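Unforgeability under Re-Randomized Keys
1. The challenger computes (sk, pk) ← Gen(1^κ) and sends pk to the attacker.
2. Signing oracle: on query m, the attacker receives σ ← Sign(sk, m).
3. Re-randomized signing oracle: on query (m, ρ), the challenger computes sk′ ← RandSK(sk, ρ) and returns σ ← Sign(sk′, m).
4. The attacker outputs (m∗, σ∗, ρ∗).
The attacker wins if Verify(pk, m∗, σ∗) = 1 and m ≠ m∗, or Verify(pk′, m∗, σ∗) = 1 and m ≠ m∗ with pk′ ← RandPK(pk, ρ∗).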
Unforgeability under Re-Randomized Keys
I Nontrivial PropertyI Does not follow from standard unforgeability.I Many schemes with re-randomizable keys not unforgeable
under re-randomized keysI e.g. Boneh-Boyen, Camenisch-Lysyanskaya
I Instantiations in ROM and Standard ModelI SchnorrI Hofheinz-Kiltz
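The unforgeability game under re-randomized keys, run against textbook Schnorr signatures (one of the instantiations named above). This is an added example, not code from the talk or the paper. The additive re-randomization (sk′ = sk + ρ, pk′ = pk·g^ρ), the hash layout, the toy group and the `Challenger` class are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small to be secure:
# P = 2Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def H(R, m):
    data = R.to_bytes(2, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def gen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, m):
    r = secrets.randbelow(Q - 1) + 1
    c = H(pow(G, r, P), m)
    return c, (r + c * sk) % Q

def verify(pk, m, sig):
    c, s = sig
    R = pow(G, s, P) * pow(pk, -c, P) % P  # equals g^r for an honest signature
    return c == H(R, m)

def rand_sk(sk, rho):  # RandSK (assumed additive): sk' = sk + rho mod Q
    return (sk + rho) % Q

def rand_pk(pk, rho):  # RandPK: pk' = pk * g^rho, computed without sk
    return pk * pow(G, rho, P) % P

class Challenger:
    """Hands out pk, answers both signing oracles, judges the final output."""
    def __init__(self):
        self.sk, self.pk = gen()
        self.queried = set()

    def sign_oracle(self, m):
        self.queried.add(m)
        return sign(self.sk, m)

    def rand_sign_oracle(self, m, rho):
        self.queried.add(m)
        return sign(rand_sk(self.sk, rho), m)

    def attacker_wins(self, m_star, sig_star, rho_star):
        if m_star in self.queried:  # m* must differ from every queried m
            return False
        pk_prime = rand_pk(self.pk, rho_star)
        return verify(self.pk, m_star, sig_star) or verify(pk_prime, m_star, sig_star)
```

Anyone holding pk and ρ can derive pk′ and check a signature made under sk′, which is why the win condition has to cover every pk′ the attacker can name through ρ∗.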
Our Construction
[Figure: construction diagram over message blocks m1 … m5. Labels: Sign, σFix, RandSK, RandPK, sksig, pksig, pksan, sk′, pk′, PPoK τ, Enc c, σ′, σ. Later frames of the same diagram are titled Immutability, Sanitizer-Accountability, Signer-Accountability, Transparency, and Unlinkability.]
Comparison: Computation

            This Paper¹   BFLS10 using Groth07   BFLS10 using FY04
KGensig     7E            1E                     1E
KGensan     1E            1E                     4E
Sign        15E           194E + 2P              2831E
Sanit       14E           186E + 1P              2814E
Verify      17E           207E + 62P             2011E
Proof       23E           14E + 1P               18E
Judge       6E            1E + 2P                2E

E = modular exponentiation, P = pairing evaluation
¹ Instantiated with Schnorr signatures, Cramer-Shoup encryption, and Fiat-Shamir transformed Σ-protocols.
Comparison: Storage

            This Paper²   BFLS10 using Groth07   BFLS10 using FY04
pksig       7             1                      1
sksig       14            1                      1
pksan       1             1                      5
sksan       1             1                      1
σ           14            69                     1620
π           4             1                      3

Measured in group elements.
² Instantiated with Schnorr signatures, Cramer-Shoup encryption, and Fiat-Shamir transformed Σ-protocols.
Conclusion
We construct an unlinkable sanitizable signature scheme that can be instantiated at least one order of magnitude more efficiently than previously known schemes.