Bryan Kumara,Mark Hooper,Carsten Maple,Timothy Hobson,Jon Crowcroft

DOI: https://doi.org/10.48550/arXiv.2310.17297

2023-10-26

Abstract:Redactable signature schemes and sanitizable signature schemes are methods that permit modification of a given digital message and retain a valid signature. This can be applied to decentralized identity systems for delegating identity issuance and redacting sensitive information for privacy-preserving verification of identity. We propose implementing these protocols on a digital credential and compare them against other privacy-enhancing techniques to assess their suitability

Cryptography and Security,Computers and Society

Junke Duan,Wei Wang,Licheng Wang,Lize Gu

DOI: https://doi.org/10.1109/tifs.2024.3436925

IF: 7.231

2024-08-20

IEEE Transactions on Information Forensics and Security

Abstract:Immutability is widely recognized as one of the blockchain's key security attributes. However, in recent years, incidents involving the use of blockchain for disseminating illegal or malicious information have raised concerns over its strict immutability. To address these issues, redactable blockchains are proposed as a novel solution, permitting authorized content redactions without compromising the structural integrity of the blockchain. Unfortunately, current solutions are unable to restrict the abuse of redaction privilege, except for relying on a trusted authority or committee, which contradicts the trustlessness principle of blockchain. In this paper, we propose a controlled redactable blockchain protocol that allows for a limited number of redactions and supports a transparent setup. The cryptographic tools enabling this functionality are our proposed t-times chameleon hash (t-CH) and signature (t-CS) schemes, where generating more than t collisions will expose the trapdoor. We present security models, discrete logarithm-based instantiations, and formal security proofs for both t-CH and t-CS. Subsequently, we present the construction of our redaction protocol in both permissioned and permissionless settings. Finally, we experimentally demonstrate the effectiveness of the proposed protocol in practice.

computer science, theory & methods,engineering, electrical & electronic

Thais Bardini Idalino,Lucia Moura,Carlisle Adams

DOI: https://doi.org/10.1007/978-3-030-35423-7_2

2022-07-31

Abstract:This paper considers malleable digital signatures, for situations where data is modified after it is signed. They can be used in applications where either the data can be modified (collaborative work), or the data must be modified (redactable and content extraction signatures) or we need to know which parts of the data have been modified (data forensics). A \new{classical} digital signature is valid for a message only if the signature is authentic and not even one bit of the message has been modified. We propose a general framework of modification tolerant signature schemes (MTSS), which can provide either location only or both location and correction, for modifications in a signed message divided into $n$ blocks. This general scheme uses a set of allowed modifications that must be specified. We present an instantiation of MTSS with a tolerance level of $d$, indicating modifications can appear in any set of up to $d$ message blocks. This tolerance level $d$ is needed in practice for parametrizing and controlling the growth of the signature size with respect to the number $n$ of blocks; using combinatorial group testing (CGT) the signature has size $O(d^2 \log n)$ which is close to the \new{best known} lower bound \new{of $\Omega(\frac{d^2}{\log d} (\log n))$}. There has been work in this very same direction using CGT by Goodrich et al. (ACNS 2005) and Idalino et al. (IPL 2015). Our work differs from theirs in that in one scheme we extend these ideas to include corrections of modification with provable security, and in another variation of the scheme we go in the opposite direction and guarantee privacy for redactable signatures, in this case preventing any leakage of redacted information.

Cryptography and Security

Jinhua Ma,Shengmin Xu,Jianting Ning,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/TIFS.2022.3156808

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Immutability has been widely accepted as a fundamental property protecting the security of blockchain technology. However, this property impedes the development of blockchain because of the abuse of blockchain storage and legal obligations. To mitigate this issue, a novel construction of blockchain, called redactable blockchain, was introduced. It enables a central authority to issue the rewriting privilege to a particular party who can rewrite a registered object, e.g., a block or a transaction, in a controlled way. Unfortunately, the central authority must be fully trusted and is an obvious target suffering from various attacks. In this paper, we introduce a redactable blockchain controlled at a fine-grained level in a decentralized setting. In our solution, the rewriting privilege is issued by multiple authorities for reducing the vulnerability of the centralized setting. To formalize our solution, we introduce a novel cryptographic notion, called decentralized policy-based chameleon hash (DPCH), with the formal definition and security model. By applying several simple cryptographic tools, such as chameleon hash, digital signature, and multi-authority attribute-based encryption, we present the generic construction of DPCH along with rigorous security proofs. By applying RSA-based chameleon hash and BLS short signature, we give a practical instantiation of DPCH with performance evaluation. The comprehensive evaluation shows that our solution has superior performance than the state-of-the-art solution.

Meng Jia,Jing Chen,Kun He,Ruiying Du,Li Zheng,Mingxi Lai,Donghui Wang,Fei Liu

DOI: https://doi.org/10.1109/tifs.2022.3192716

IF: 7.231

2022-08-09

IEEE Transactions on Information Forensics and Security

Abstract:Blockchain is a technology with decentralization and immutability features and has been employed for auditing by many applications. However, immutability sometimes limits the application of blockchain technology. For example, vulnerable smart contracts on blockchain cannot be redacted due to immutability. The existing redactable blockchain solutions either have a low efficiency or violate the decentralization feature. Moreover, those solutions lack mechanisms for tracing redaction history and checking block consistency. In this paper, we present an efficient redactable blockchain with traceability in the decentralized setting. Specifically, we propose a decentralized chameleon hash function for redactable blockchain that every redaction must be approved by multiple blockchain nodes. We also design a redactable blockchain structure that maintains all redactions of a block and encodes the redacted blocks into an RSA accumulator. Then, we propose an efficient block consistency check protocol based on the RSA accumulator. Finally, we conduct experiments and compare our scheme with another decentralized redactable blockchain to demonstrate that our solution is efficient in practice.

computer science, theory & methods,engineering, electrical & electronic

Da Teng,Yanqing Yao

DOI: https://doi.org/10.1016/j.csi.2024.103960

IF: 3.721

2024-12-09

Computer Standards & Interfaces

Abstract:t -out-of- n threshold ring signature (TRS) is a type of anonymous signature designed for t signers to jointly sign a message while hiding their identities among n parties that include themselves. However, can TRS address those needs if one of the signers wants to revoke his signature? Can non-signers be clipped without compromising anonymity? Current research has only addressed the functionally opposite property, namely, extendability. In this paper, we introduce the revocability of TRS, addressing the need for improved flexibility and privacy security. Specifically, we innovatively define two properties: revocability, allowing signers to revoke their identities non-interactively and update the signature from t -out-of- n to t−1 -out-of- n ; and clippability, enabling removal of non-signers from the ring. The synergy of these two properties enables dynamic revocation while keeping the signature size minimal. We analyze and define the boundaries of these operations, provide the DL-based constructions, and prove the security of the schemes. The asymptotic complexity of our approach reaches the same level as that of existing solutions, and especially when using larger ring sizes, experimental results demonstrate that it can effectively reduce the signature size.

computer science, software engineering, hardware & architecture

Kwangsu Lee,Dong Hoon Lee,Moti Yung

DOI: https://doi.org/10.1016/j.tcs.2015.02.019

2015-02-24

Abstract:The notion of aggregate signature has been motivated by applications and it enables any user to compress different signatures signed by different signers on different messages into a short signature. Sequential aggregate signature, in turn, is a special kind of aggregate signature that only allows a signer to add his signature into an aggregate signature in sequential order. This latter scheme has applications in diversified settings such as in reducing bandwidth of certificate chains and in secure routing protocols. Lu, Ostrovsky, Sahai, Shacham, and Waters (EUROCRYPT 2006) presented the first sequential aggregate signature scheme in the standard model. The size of their public key, however, is quite large (i.e., the number of group elements is proportional to the security parameter), and therefore, they suggested as an open problem the construction of such a scheme with short keys. In this paper, we propose the first sequential aggregate signature schemes with short public keys (i.e., a constant number of group elements) in prime order (asymmetric) bilinear groups that are secure under static assumptions in the standard model. Furthermore, our schemes employ a constant number of pairing operations per message signing and message verification operation. Technically, we start with a public-key signature scheme based on the recent dual system encryption technique of Lewko and Waters (TCC 2010). This technique cannot directly provide an aggregate signature scheme since, as we observed, additional elements should be published in a public key to support aggregation. Thus, our constructions are careful augmentation techniques for the dual system technique to allow it to support sequential aggregate signature schemes. We also propose a multi-signature scheme with short public parameters in the standard model.

Cryptography and Security

Fagen Li,Masaaki Shirase,Tsuyoshi Takagi

DOI: https://doi.org/10.1007/978-3-642-01440-6_6

2009-01-01

Abstract:Recently, Tan proposed an insider secure signcryption key encapsulation mechanism (KEM) and an insider secure signcryption tag-KEM. His schemes are secure without random oracles (in the standard model). In this paper, we proposed a more efficient construction for signcryption KEM and tag-KEM. We prove their semantic security and existential unforgeability in the standard model. Compared to Tan's schemes, our corresponding schemes have 20% faster speed in the key encapsulation, 33% faster speed in the key decapsulation, 33% shorter public key, 60% shorter private key, and |p | bits shorter ciphertext.

李保红,牛慧芳,赵银亮

DOI: https://doi.org/10.3321/j.issn:0253-987x.2009.12.010

2009-01-01

Abstract:Aiming at the problem of fair exchange of digital signatures,a scheme of revocable concurrent signatures is proposed.In the step of signing,the signer chooses a piece of special information named keystone.The one-way function is then used to compute the keystone footprint,and then the encryption of the signer's public key is obtained by raising the keystone footprint to the power of his secret key.The keystone footprints are computed once more from the released keystones after the exchange of signatures,and each signer's public key is raised to the power of the keystone footprint.Then the identities of signers are recognized by comparing the results with the encryptions of the public keys produced in the step of signing,and the ambiguity of signatures can be revoked.Compared with traditional concurrent signatures schemes,the proposed scheme can avoid various attacks.Moreover,when a pair of revocable concurrent signatures is produced,only one keystone is required so that exchange protocols are simplified.It has been verified in a concrete construction that the proposed scheme is secure in the random oracle model under the decisional Diffie-Hellman assumption and the discrete logarithms assumption.

Fei Li,Wei Gao,Yilei Wang,Xueli Wang

DOI: https://doi.org/10.4304/jsw.8.12.2983-2990

2013-01-01

Abstract:Undeniable signatures, introduced by Chaumand van Antwerpen, require a verifier to interact with thesigner to verify a signature, and hence allow the signerto control the verifiability of his signatures. Convertibleundeniable signatures allow the signer to convert undeniablesignatures into ordinary signatures. In this paperwe propose some extended variants of the famous Diffie-Hellman assumption on bilinear group system, then designa new convertible undeniable signature scheme and provideproofs for all relevant security properties based on the newassumption in the random oracle model. The advantages ofour scheme are the short length of the signatures, the lowcomputational cost of the signature, the receipt generationand the provable security.

Tomoyuki Morimae,Alexander Poremba,Takashi Yamakawa

2023-12-21

Abstract:We study digital signatures with revocation capabilities and show two results. First, we define and construct digital signatures with revocable signing keys from the LWE assumption. In this primitive, the signing key is a quantum state which enables a user to sign many messages and yet, the quantum key is also revocable, i.e., it can be collapsed into a classical certificate which can later be verified. Once the key is successfully revoked, we require that the initial recipient of the key loses the ability to sign. We construct digital signatures with revocable signing keys from a newly introduced primitive which we call two-tier one-shot signatures, which may be of independent interest. This is a variant of one-shot signatures, where the verification of a signature for the message ``0'' is done publicly, whereas the verification for the message ``1'' is done in private. We give a construction of two-tier one-shot signatures from the LWE assumption. As a complementary result, we also construct digital signatures with quantum revocation from group actions, where the quantum signing key is simply ``returned'' and then verified as part of revocation. Second, we define and construct digital signatures with revocable signatures from OWFs. In this primitive, the signer can produce quantum signatures which can later be revoked. Here, the security property requires that, once revocation is successful, the initial recipient of the signature loses the ability to find accepting inputs to the signature verification algorithm. We construct this primitive using a newly introduced two-tier variant of tokenized signatures. For the construction, we show a new lemma which we call the adaptive hardcore bit property for OWFs, which may enable further applications.

Quantum Physics,Cryptography and Security

Jiang Zhang,Yu Yu,Dengguo Feng,Shuqin Fan,Zhenfeng Zhang

DOI: https://doi.org/10.1007/s11432-022-3893-3

2024-09-29

Science China Information Sciences

Abstract:In this work, we introduce a class of black-box (BB) reductions called committed-programming reduction (CPRed) in the random oracle model (ROM) and obtain the following interesting results: (1) we demonstrate that some well-known schemes, including the full-domain hash (FDH) signature (Eurocrypt 1996) and the Boneh-Franklin identity-based encryption (IBE) scheme (Crypto 2001), are provably secure under CPReds; (2) we prove that a CPRed associated with an instance-extraction algorithm implies a reduction in the quantum ROM (QROM). This unifies several recent results, including the security of the Gentry-Peikert-Vaikuntanathan IBE scheme by Zhandry (Crypto 2012) and the key encapsulation mechanism (KEM) variants using the Fujisaki-Okamoto transform by Jiang et al. (Crypto 2018) in the QROM. Finally, we show that CPReds are incomparable to non-programming reductions (NPReds) and randomly-programming reductions (RPReds) formalized by Fischlin et al. (Asiacrypt 2010).

computer science, information systems,engineering, electrical & electronic

Shengmin Xu,Jianting Ning,Jinhua Ma,Xinyi Huang,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2021.3107146

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:As an immutable append-only distributed ledger, blockchain allows a group of participants to reach a consensus in an untrustworthy ecosystem. Immutability is a blockchain feature that persists data forever, but it is no longer legal in reality. Blockchain has unchangeable improper contents that violate laws. Moreover, data regulation toward “the right to be forgotten” requires blockchain must be modifiable. To address this problem, redactable blockchain has been introduced to relax immutability in a controlled way. However, once a participant is authorized, she/he can rewrite any content and no penalty for the malicious behavior that hinders the wide deployment of redactable blockchain in practice. In this paper, we introduce a new notion, dubbed k-time modifiable and epoch-based redactable blockchain (KERB) with a monetary penalty to control rewriting privileges and penalize malicious behaviors. Our solution is built up from simple building blocks: digital signatures and chameleon hashes. We give a formal definition and security models of KERB, and present a generic construction along with formal proofs. The extensive comparison and experimental analysis illustrate that our solution enjoys superior functionalities and performances than the state-of-the-art solutions.

Zhuo Xu,Xinyi Luo,Kaiping Xue,David Wei,Ruidong Li

DOI: https://doi.org/10.1109/icdcs57875.2023.00090

2023-01-01

Abstract:The immutability of blockchains is an important security feature, but applications and studies have shown that it poses some problems. For instance, harmful information and vulnerable programs can be permanently stored on public blockchains such as Bitcoin and Ethereum, causing continuous damage. Therefore, researchers proposed the redactable blockchain to delete or modify those harmful data. Existing schemes usually adopt the Chameleon hash function (CHF) to keep the block hash unchanged so that other blocks remain unaffected. However, these schemes suffer from two security problems: (i) (unknown-version) users cannot determine whether a received block is the up-to-date version because different versions have the same hash; and (ii) (lazy-redaction) miners have no motivations to update historical blocks, causing continuous spreading of data which should have been discarded. To solve the problems, we propose SEREDACT, a secure and efficient redactable blockchain protocol with verifiable modification. Specifically, we design a Merkle tree-based verification mechanism with efficient dynamic updating that supports quick version checks and forcible modification updates, and further integrate it with restricted redaction policies to guarantee security. Our security and performance analyses show that SEREDACT has adequate security as a redactable blockchain protocol and retains close efficiency compared with the immutable blockchain.

Xiao Zhang,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-60055-0_24

2017-01-01

Abstract:In this paper, we construct the first tightly secure signature scheme against adaptive chosen message attacks (CMA) from the Decisional Composite Residuosity (DCR) Assumption. Moreover, the verification key in our scheme is of constant size. Based on the DCR assumption, we design a one-time secure signature scheme first, then we employ a flat tree structure to obtain a signature scheme that is secure against non-adaptive chosen message attacks (NCMA). By combining the one-time scheme and NCMA-secure scheme, we obtain the final CMA-secure signature scheme with a tight security reduction to the DCR assumption.

Hu Xiong,Songyang Wu,Fagen Li,Zhiguang Qin

DOI: https://doi.org/10.1007/s11277-014-2106-3

IF: 2.017

2015-01-01

Wireless Personal Communications

Abstract:As an important approach to resist the threat of key leakage, key insulated security allows secret keys to be periodically updated by using a physically-secure but computation-limited device. Recently, key insulated mechanism has been introduced into identity based (ID-based) signature to solve the key-leakage problem in ID-based signature scenarios. In this paper, we present two compact ID-based key-insulated signature schemes that try to minimize the total amount of message and signature. Compared with the up-to-date ID-based key-insulated signatures, our schemes enjoy the minimum net bandwidth and computation overhead. We also provide formal security proofs of our schemes under the Computational Diffie–Hellman assumption in the random oracle model. We focus on potential applications of our schemes to secret handshakes, but we believe they will find many other applications as well.

Ke Huang,Xiaosong Zhang,Yi Mu,Fatemeh Rezaeibagha,Xiaojiang Du

DOI: https://doi.org/10.1016/j.ins.2020.07.016

IF: 8.1

2021-02-01

Information Sciences

Abstract:Internet-of-Things (IoT) envisions communications between heterogeneous devices and utilization of the associated data for smart decision making. Blockchain bridges the gap between widely-distributed IoT devices and the need for a universal trust-layer. When applying blockchain for IoT, some concerns can arise. Among them, scalability is a crucial factor because it decides whether blockchain can keep empowering IoT in the long term . According to a recent survey by Ali et al., some newly launched blockchains are suffering from powerful attacks (e.g. 51% attack) when the computing pool is small, and the number of participated nodes is inadequate (USENIX 2016). To ensure the scalability of initially-deployed blockchains, a proper countermeasure is important to be devised. Ateniese et al. proposed the notion of the redactable blockchain (EuroS&P 2017) which allows block history to be rewritten by using chameleon hash. However, the distribution and management of trapdoor key is crucial for the scalability of chameleon hash as well as redactable blockchain. To deal with the above problems, we propose two cryptographic schemes as the new theoretic tools for blockchain redaction: time updatable chameleon hash (TUCH) and linkable-and-redactable ring signature (LRRS). The use of TUCH and LRRS schemes enables redaction to take place scalably and anonymously where the spontaneous ring is generated for redaction, which costs little expenditures to rewrite a block content. Specifically, the redaction will be processed without assigning and splitting trapdoor key among multiple users in a complex way, and achieve transaction anonymity for users . What is more, we briefly instantiate how to build a redactable blockchain with update and anonymity (SRB) with our proposed TUCH and LRRS. While security analysis confirms that our proposals are theoretically secure, the experimental results show that our proposals are efficient for implementation purposes.

computer science, information systems

Xuan Hong,Ke-fei Chen,Yu Long

DOI: https://doi.org/10.1007/s12204-008-0659-6

2008-01-01

Abstract:Recently some efforts were made towards capturing the security requirements within the composable security framework. This modeling has some significant advantages in designing and analyzing complex systems. The threshold signature was discussed and a definition was given based on the universal composability framework, which is proved to be equivalent to the standard security definition. Furthermore, a simple, efficient and proactive threshold RSA signature protocol was presented. It is proved to be correct, consistent and unforgeable relative to the environment that at most t − 1 parties are corrupted in each proactive stage. It is also secure under the universal composability framework. It is a UC based security and is proved to be equivalent to the standard security.

Da Gaofeng,Xu Maochao,Chan Ping Shing

DOI: https://doi.org/10.1080/24725854.2018.1429694

2018-01-01

IISE Transactions

Abstract:Computing the system signature is an attractive but challenging problem in system reliability. In this article, we propose a novel algorithm to compute the signature of a system with exchangeable components. This new algorithm relies only on the information of minimal cut sets or minimal path sets, which is very intuitive and efficient. The new results in this article are used to address the problem of the aging property of the system signature in the literature. We further discuss the bounds for the system signature when only partial information is available. The application of these new results to cyberattacks is also highlighted.

Yanli Ren,Dawu Gu

DOI: https://doi.org/10.1109/isdpe.2007.76

2007-01-01

Abstract:Identity based crypto system is a public key cryptosystem where the public key can be represented as an arbitrary string. However, an identity based signature scheme that is fully secure in the standard model with a tight reduction has not been proposed until now. In this paper, we propose an identity based signature scheme that is fully secure in the standard model and has several advantages-computational efficiency, short public parameters, and a tight security reduction. In many situations we want to enjoy confidentiality and authenticity simultaneously. A traditional approach to achieve this objective is to "sign-then-encrypt" this message, or we can employ special cryptographic scheme like signcryption. To the best of our knowledge, reference [15] proposes the only identity based signcryption scheme in the standard model. But its security proof is based on a weaker model-"sample-ID" model and the reduction is not tight. Combining an identity based encryption scheme, we also propose the first identity based signcryption scheme that is fully secure in the standard model with a tight reduction. Moreover, our signcryption scheme has public verifiability.