|
1.INTRODUCTIONData sharing is an effective way to activate the huge value contained in different data, but the issue of data leakage accompanied by it has been haunted by experts and scholars. Therefore, the leaking traceability has become an open problem that needs to be resolved. The credibility of data sharing is the primary prerequisite for achieving leak traceability. Blockchain as a distributed storage technology, each block in the chain can be abstractly described as a distributed ledger that introduces time attribute into it to form the time dimension, which improves the verifiability and traceability of transaction. Therefore, the blockchain is widely used to construct trusted data sharing and tracking schemes for Internet of Vehicles1, supply chain2, medical care 3-4, digital copyright protection5 and other fields. Even though the combination of attribute-based encryption6, federated learning7 and other technologies with blockchain can well realize the verifiability and privacy of shared data, it is difficult to obtain the traceability after data leakage8. Digital watermarking is a technology about information hiding that embeds specific identity in the form of a bitstream into digital carrier without affecting the use value of the original works, which is a common method to complete copyright protection and anti-counterfeiting traceability. As an important branch of digital watermarking, database watermarking9 is an effective means to realize the ownership protection of structured data10-12. A robust watermarking can still correctly extract the identity hidden in the digital works to realize the ownership confirmation even if a carrier is attacked to varying degrees13-14. But for watermarking, the ability to trace out the leaker is limited 15-19 in that it directly converts the user identity into bit stream and embeds these bits in the digital carrier. Digital fingerprint is a traitor tracking technology developed based on digital watermarking. The principle of this method is to embed the unique identification code20 representing the buyer’s identity into a digital carrier (such as DVD) to form a digital fingerprint21-22, which achieve the binding of the buyer’s identity and digital products. When illegal copies appear on the market, data owner can identify illegal users by extracting the fingerprinting from digital carriers to achieve the purpose of tracking down the traitor. To ensure anti-collusion, the length of the fingerprint code will expand as the number of users increases23-24. Embedding a long fingerprint code in a multimedia carrier (such as video, audio, image, etc.) with a lot of redundant space will not significantly change the imperceptibility in visual or auditory. However, the imperceptibility and reusability of the structured data (such as CSV) is seriously damaged if a large number of watermark codes are embedded into the digital work with limited embedding space. In addition, the monitor algorithm needs to detect all sharers when the potential leaker is unknown so as to result in extremely low efficiency in leaking detection. Therefore, there is an urgent need for an approach to track traitor through a shorter code length and higher detection efficiency when structured data is leaked. Chameleon signature25 is a one-to-many signature algorithm first proposed by Krawczyk and Rabin in 2000. It is consisted by a chameleon hash function and an ordinary signature scheme, which follows also the paradigm that “hash first and then sign”. The generation of the message digest is completed by a special function, chameleon hash, which is a one-way function with trapdoor: the collision can be easily constructed when the trapdoor information is obtained; conversely, it is the same as the ordinary hash function and is collision resistant when there is no trapdoor. Therefore, the chameleon signature is not only undeniable and unforgeable, but also has characteristics for specific recipients, which is suitable for constructing a credible sharing scheme of one-to-many to achieve leak traceability. There is a defect of key exposure in the chameleon proposed earlier26-27, that is, the signer’s chameleon private key is likely to be leaked when calculating the collision, which weakens the security of the chameleon signature in a certain extent. For this, Feng et al.28 and Chen et al.29 introduced identity parameters to construct an identity-based chameleon-hash function signature. On this basis, Camenisch et al. 30 designed a hash function with ephemeral trapdoors to prevent the trapdoor holder from finding collision in “all-or-nothing” way in that the collision in the previous scheme is completely generated by the trapdoor holder. However, a series of encryption algorithms and zero-knowledge proofs are introduced in his scheme to avoid the leakage of private key and emphemeral key, which seriously reduces the computational efficiency of the Chameleon-hash. Later, Khalili et al.31 analyzed the problem of low efficiency in many schemes32-34 and constructed an enhanced collision-resistant and high-efficiency chameleon function based on bilinear mapping, which greatly shortens the length of the chameleon hash while solving the above problems. Although the above scheme can effectively avoid the key exposure and improve the execution performance to a certain extent, it still lacks a chameleon signature that possess a shorter coding length, a higher performance and the same security to realize trusted data sharing and traitor tracing for structured data. In response, we present a chameleon short signature based on Khalili’s chameleon hash [31] and Boneh’s short signature35 to ensure the non-repudiation of shared data, and construct a traceability chain with a cascading structure based on the characteristics of chameleon short signature to achieve effective traitor tracking in the big data scenario. The contributions in this work are as follows:
2.PRELIMINARIES2.1NotationsThe main parameters involved in the chameleon short signature and the traitor tracking model in this article are shown in Table 1. Table 1.Notations used in the paper.
2.2Chameleon hashChameleon hash function25 CH = (KeyGen, Hash, Check, Adapt) can be consisted by four probability polynomial time algorithms, which are described as follows:
2.3Short signatureA short signature scheme35 BLS = (KeyGen, Sign, Verify) is composed of three probability polynomial time algorithms, which are defined as follows:
2.4Computational Diffie-Hellman assumption (CDH)Let 𝔾 be a multiplicative cyclic group of prime order p related to the security parameters λ, where g is a generator of 𝔾, on given g, ga, gb ∈ 𝔾 for any a, b ∈ Zp to compute the gab ∈ 𝔾. If the probability of successfully outputting gab ∈ 𝔾 by polytime algorithm A is Pr[A(g, ga, gb) = gab] ≥ ε, A has the advantage ε in 𝔾 to solve the CDH problem. Definition 1. We say that the Computational Diffie-Hellman Assumption (CDH) holds if no polytime algorithm has a non-negligible advantage in solving the CDH problem. 3.CHAMELEON SHORT SIGNATUREThis part, we improve the chameleon hash function31 and combine the short signature scheme35 to construct the chameleon short signature algorithm. It consists by seven parts and the framework is shown in Figure 1. 3.1Algorithm descriptionDuring system initialization, Setup construct two groups 𝔾, 𝔾T and bilinear mapping ê from security parameters λ. To get the keys, KeyGen generates the chameleon hash key pair and the short signature key pair (xσ, yσ) according to the public parameters. In the process of hash generation, Hash utilizes the chameleon public key to compute a chameleon hash h and its check parameter R with respect to the plaintext M. We can leverage Check to detect the compatibility of output parameters (h, M, R). When signing, Sign constructs a short signature message σh related to h from the signature private key xσ ← sk. During the check of the signed message, Verify utilizes the signature public key yσ ← pk and the public parameter g to verify the legitimacy of σh with respect to h. To obtain the check parameters that suitable for the new plaintext M ’ and the chameleon hash h, Adapt first detects the compatibility of (h, M, R) by Check, and then calculates the check parameters R ’ of the plaintext M ’ according to the chameleon private key xh ← sk. The specific definition of the above algorithm is as follows:
3.2Security modelThe security model of the chameleon short signature is composed of an enhanced Collision-Resistance game of the chameleon hash function and an Existential-Unforgeability game of the short signature scheme. Each game contains a challenger B and an adversary A. The B simulates the operation of the system and answers the queries from the A. The formal definitions of each game are shown in Figures 2a and 2b, respectively. Collision Resistance. Collision resistance says, even if an adversary has access to an adapt oracle, it cannot find any collisions for messages other than the ones queried to the adapt oracle. Note, this is an even stronger definition than keyexposure, which only requires that one cannot find a collision for some new plaintext, i.e., for some auxiliary value for which the adversary has never seen a collision. Definition 2 (Collision-Resistance). A chameleon-hash is collision-resistant, if for any polytime adversary A there exists a negligible function ω such that . The corresponding experiment is depicted in Figure 2a. Existential-Unforgeability. The existential unforgeability of a digital signature means that an adversary cannot achieve a valid forged signature for at least one message even if the adversary has access to a sign oracle. Definition 3 (EUF-CMA). A chameleon short signature scheme becomes existential unforgeability against adaptive selection message attack, referred to as EUF-CMA security, if for any polytime adversary A there exists a negligible function ω such that . The corresponding experiment is depicted in Figure 2a. 4.TRAITOR TRACING MODELBlockchain relying on its decentralization, proof-tampering, openness and traceability, is extremely suitable for building a data sharing and leakage tracing framework. However, the blockchain usually stores the blocks in a sequential structure, which results in all the blocks on the chain need to be traversed when data querying for tracking, so the efficiency to traitor tracking is low. In response, first, we construct trusted a data sharing framework based on the chameleon short signature algorithm (3.1); Then, design a cascade chain to achieve the efficient tracing on the data leaker according to the constructed framework. Through the above design, we complete finally the trusted sharing to data and the efficient tracking to leaker. 4.1Trusted sharingThe trusted sharing framework embeds the short chameleon signatures of both parties in the transaction as a watermark into the shared data to reduce the amount of signatures held in the entire system and the size of the watermark in the digital carrier, so as to provide conditions for effective tracking while ensuring the availability and robustness of the digital carrier. The trusted data sharing framework is shown in Figure 3. In publishing original data D, first, the data provider A generates a chameleon hash h based on its own identity information Ma={IDa, Ka, Sa}, where IDa is the unique identifier of user A, Ka is the embedding key for watermark, and Sa is the regular signature to (IDa, Ka); Then, the user A signs h with his own signature private key xσ, and embeds the chameleon short signature σh as watermark into D through Ka to obtain the watermarked carrier Dσ containing the chameleon signature message; Finally, the provider publishes the parameter {IDa, Ka, Sa, Ra, h, σh} generated in the above process to the blockchain system to form copyright information about D. To get a trusted copy of data D, user B first submits his identity information Mb ={IDb, Kb, Sb}; Then, the provider A generates the check parameter Rb w.r.t (h, Mb), and embeds σh into the original data D using B’s watermark key Kb to obtain the watermarked carrier Dσ ’ so as to ensure that the transaction behavior of both parties is unforgeable and undeniable; Finally, the above-mentioned parameters{IDb, Kb, Sb, Rb} are all recorded on the blockchain to keep the traitor can be tracked when the data is leaked. 4.2Efficient trackingFor achieve the efficient tracing to the data leaker, the cascade chain consists of three parts: the copyright chain, the transaction chain, and the copyright block index, the structure is shown in Figure 4. During the publishing of data Di, the consensus node generates a new copyright block Bn with relevant parameters {IDa, Ka, Sa, R, h, σh} and appends Bn to the chain to form a copyright chain {Bi}i=1,2,…,n. In the process of each sharing data Di, the consensus node generates a transaction block Bim based on the parameters {IDm, Km, Sm, Rm}, and appends Bim below the corresponding copyright block Bi to form a transaction chain {Bij}j=1,2,…,m, which makes sure that the transaction information of the same copyright data belongs to the same transaction chain. In order to further improve the query efficiency of traceability information, we let σh in the watermarked carrier as the query key key ← Hp (σh) to build an index on the copyright block, where . If someone checks the transaction, he can extract the signature σh in the carrier and quickly locate the copyright block through binary search to effectively obtain the copyright information and all transaction information in the corresponding transaction block. If there is a suspected illegal copy on the market, the data owner can quickly query the corresponding copyright block Bi and all transaction blocks {Bij}j=1,2,…,n in the cascade chain with the keyword key ← Hp(σh) to collect the copyright information {IDi,Ki,Si,Ri,h,σh} and all transaction information {IDij,Kij,Sij,Rij}j=1,2,…,m. To track down a traitor, the owner utilizes the corresponding watermark extraction algorithm to obtain the signature information in the carrier through the watermark key Kij, verifies the correctness of copyright information by Verify, and checks the consistency of the transaction by , where . If the above detects are passed, can be inferred as a potential data leaker. 5.ANALYSIS5.1SecurityThis part mainly analyzes the credibility and traceability about the traitor tracking model based on the security of the proposed chameleon short signature (see the appendix for the security analysis). The credibility considered in this model refers to the trustworthiness of both parties in the transaction, that is, the transaction initiator is the data purchaser himself and the seller is the data provider himself. The Traceability considered in this traitor tracing model refers to the undeniability of both parties in the transaction, that is, the purchaser cannot deny that he is the transaction initiator and the provider cannot deny that he is the transaction executor. Property 1 (credibility): Let the ordinary signature submitted by the data purchaser be unforgeable, if the chameleon signature in the traitor tracing model is existential unforgeability, the data sharing approach is credible. Proof: From Section 4.1, the data purchaser B initiates a transaction to the data provider A with his ordinary signature message Sb. Because of the ordinary signature is unforgeable, the data provider A can confirm whether the initiator is the purchaser himself by verifying the legality of Sb. When the data purchaser B receives the shared copy from provider, he can extract the chameleon signature σb in the carrier by his own watermark key Kb ← Mb = (IDb, Kb, Sb) and verify the legality of (h, σb) to confirm that the shared data really comes from the data provider himself. Therefore, the sharing approach between the data purchaser and the provider is credible. (Property 1 is proved) Property 2 (Traceability) Let the ordinary signature submitted by the data purchaser be unforgeable, if the chameleon hash is collision resistant and the chameleon signature is existential unforgeability, the data sharing approach is traceable. Proof: It is known from Section 4.2 that if there is an illegal shared copy on the market, the data inspector can extract the chameleon signature through the purchaser’s watermark key Kb ← Mb. Since the ordinary signature Sb about (IDb, Kb) is unforgeable, the purchaser cannot deny that the transaction was initiated by him. Because of the chameleon hash h w.r.t. Mb is collision resistant, the inspector can check the compatibility of (h, Mb, Rb) to prevent the purchaser from denying that the illegal copy comes from himself. Since the provider’s chameleon signature related to h is existential unforgeability, the provider cannot deny that the data carrier is authorized by himself. Thus, the data sharing approach between the data purchaser and the provider is traceable (Property 2 is proved). 5.2SimulationThis experiment leverages 1 host (CPU is Intel Core i5 7500, memory is 8 GB, operating system is Windows 10) to simulate the big data platform and watermark center, and 4 hosts (CPU is Intel Core i3 2120, memory is 4 GB), operating system is Windows 7) to simulate the consensus node. We choose C++ as the main programming language to build the chameleon short signature algorithm, the watermarking algorithm and the PBFT consensus. Based on the above experimental environment, we take 20,000 rows and 50 columns of structured data as a carrier, and conduct multiple data sharing and tracing experiments. In order to analyze the performance of the improved chameleon hash, we conduct experiments on the proposed scheme and the Khalili scheme with different sizes of data, and the time consumption is shown in Figure 5. From it, we can observe that the time consumption of the Hash and the Check is reduced by about 15ms, the Adapt is reduced by about 45ms. The reason is that the proposed algorithm reduces the mapping operation of the plaintext hash and the inverse operation of the group 𝔾, so the time comparison of each part is reduced except for the key generation KeyGen. Overall, there is a certain improvement in the performance of the proposed algorithm. We conducted 100 data sharing experiments on 5 published digital works to obtain the time cost of the chameleon short signature, and randomly selected 5 sharing instances of A, B, C, D and E from the 5 works for time analysis, which is shown in Fgure 6. It shows that the time consumption of the hash generation (Hash)and compatibility check (Check)about the proposed chameleon hash is approximately 35ms, the time cost of the adjustment to check parameter (Adapt) is approximately 75ms, and the time consumption of the signature (Sign)and verify (Verify) are maintained at 15ms and 25ms, respectively. On the whole, the execution time of the proposed chameleon short signature can well meet the practical requirements to achieve trusted sharing. The traditional blockchain leverages a sequential chain to link blocks, while we use a cascade chain to connect blocks. In order to further compare and analyze the retrospective time cost of the two chain, we respectively conducted 100 data sharing on 5 digital work to ensure that 500 transaction blocks are recorded on the chain; then, each work randomly selects a leaked copy for tracing. For the same node, the consumption of leak detection in the two traceability chains is shown in Figure 7. What can be seen from the figure is that the detection efficiency of the cascade chain is about 3 times that of the traditional chain. The reason is that the cascaded chain only detects transaction blocks related to the original data, and does not compare all blocks, so the efficiency of leakage tracking is significantly better than that of the traditional chain. In order to fully analyze the time consumption of the traitor tracking system, we embed the chameleon short signature into the digital carrier by the watermarking algorithm GAHSW19, and write the transaction information on the chain by the PBFT algorithm. Based on the above design, we randomly selected five shared instances of A, B, C, D and E for analysis. The overall performance is shown in Figure 8. The time consumption in data sharing includes embedded watermarks and consensus writing blocks, and the consumption in traitor tracing includes block reading and watermark detection. From the figure, we can see that the entire sharing and tracing time consumption is concentrated on the embedding and extraction of the watermark. Therefore, it is the key to improve the efficiency of the watermarking algorithm for improving the efficiency of traitor detection. Malicious users usually attack authorized copies with watermarks to varying degrees to obtain illegal copies that cannot be held accountable. For a single attacker, row deletion and column deletion are the easiest attacks, but for multiple attackers, collusion combinations, maximum, minimum and average attacks are the most common attacks. Among them, the attack of collusion combination refers to each conspirator taking out the same amount of different data to form an illegal copy; the attack of maximum (minimum, average) is to use the maximum (minimum, average) of the element at the corresponding position in all authorized copies as the element of the illegal copy. In order to analyze the traceability of the traitor tracking model under different watermarking algorithms, we respectively embed the chameleon short signature into the digital carrier based on four robust watermarking algorithms such as GAHSW19, GADEW15, RLW11, RRW14 and attack those carries to varying degrees. The detection effect is shown in Tables 2-4. Table 2.Detection effect on single traitor.
Table 2 shows the detection results of digital carriers under different watermarking algorithms and different degrees of deletion attacks in a single attacker scenario. From the table, we can get that for the scheme GAHSW, whether it is row deletion or column deletion, the tracking algorithm can correctly detect the signed message about owners and consumers as long as the attack degree it suffers does not exceed 50%; And for the scheme GADEW, as long as the attack degree does not exceed 40%, it can also correctly detect the signed message. In comparison, the GAHSW algorithm can deal with the deletion attack in a single traitor well. If it is defined that the matching rate between the original signature and the extracted signature is η=(lenσ – dishc) / lens, where lenσ is the length of the original signed message, and dishc is the distance of Hamming code between the original signed signature and the extracted. Under environment of the different colluders, the different attack strategy and the different watermarking algorithms, we let “○” means participating in collusion and “×” indicates not participating, then the matching rate under 2 colluders (A, B) and 3 colluders (A, B, C) is show in Tables 3 and 4, separately. Table 3.The matching rate of two colluders.
Table 4The matching rate of three colluders.
It can be seen from Table 3 that all the watermarking algorithms can well detect out potential traitors in the case of 2 colluders. From Table 4, we can get that if 3 colluders conduct the attack of combined substitution on the digital carrier, all algorithms can also detect out potential traitors well. However, for maximum and minimum attacks, the algorithms GAHSW, GADEW, and RLW have relatively better anti-collusion attacks; for average attacks, the algorithms GAHSW and GADEW are more resistant to collusion; On the whole, the efficiency of identifying colluders is GADEW > GAHSW > RLW > RRW, but the scheme GADEW modifies the original carrier to a greater extent and makes the data availability relatively low, so the GAHSW algorithm is more suitable for detecting data leakers in the traitor tracking model. 6.CONCLUSIONThe traceability of data leaks in the big data environment is an issue that people have been paying attention to. This paper takes structured data as the main research point. A chameleon short signature is designed to complete trusted data sharing, and a cascade chain is established to effectively achieve traitor tracking. The security and efficiency of the scheme are analyzed through provable security model and experimental simulation. We hope to provide valuable reference information for related researchers. ACKNOWLEDGMENTSThis work was supported by National Natural Science Foundation of China under Grant Nos. 61662009 and 61772008; Science and Technology Major Support Program of Guizhou Province under Grant No.20183001; Key Program of the National Natural Science Union Foundation of China under Grant No.U1836205; Science and Technology Program of Guizhou Province under Grant No.[2019]1098; Project of High-level Innovative Talents of Guizhou Province under Grant No. [2020]6008; Science and Technology Program of Guiyang under Grant No.[2021]1-5; Graduate Research Foundation of Guizhou Province No.[2021]. REFERENCES
“A secure and verifiable data sharing scheme based on blockchain in vehicular social networks,”
IEEE Transactions on Vehicular Technology, 69
(6), 5826
–5835
(2020). https://doi.org/10.1109/TVT.25 Google Scholar
“Cpds: Enabling compressed and private data sharing for industrial IoT over blockchain,”
IEEE Transactions on Industrial Informatics, 17
(4), 2376
–2387
(2020). https://doi.org/10.1109/TII.9424 Google Scholar
“Privacy protection and intrusion avoidance for cloudlet-based medical data sharing,”
IEEE Transactions on Cloud Computing, 8
(4), 1274
–1283
(2020). https://doi.org/10.1109/TCC.6245519 Google Scholar
“A blockchain-based medical data sharing and protection scheme,”
IEEE Access, 7 118943
–118953
(2019). https://doi.org/10.1109/Access.6287639 Google Scholar
“Spatial image data traceability and interaction mechanism based on alliance chain,”
in IEEE 10th Inter. Conf. on Software Engineering and Service Science (ICSESS),
586
–591
(2019). Google Scholar
“RPEDS: A recoverable and revocable privacy-preserving edge data sharing scheme,”
IEEE Internet of Things Journal, 7
(9), 8077
–8089
(2020). https://doi.org/10.1109/JIoT.6488907 Google Scholar
“Blockchain empowered asynchronous federated learning for secure data sharing in internet of vehicles,”
IEEE Transactions on Vehicular Technology, 69
(4), 4298
–4311
(2020). https://doi.org/10.1109/TVT.25 Google Scholar
“Blockchain-based P2P multimedia content distribution using collusion-resistant fingerprinting,”
in 2019 Asia-Pacific Signal and Information Processing Association Annual Summ. and Conf. (APSIPA ASC),
1606
–1615
(2019). Google Scholar
“Watermarking relational databases,”
in Proc. of the 28th Inter. Conf. on Very Large Data Bases (VLDB’02),
155
–166
(2002). Google Scholar
“Watermarking relational databases using optimization-based technique,”
IEEE Transactions on Knowledge and Data Engineering, 20
(1), 116
–129
(2008). https://doi.org/10.1109/TKDE.2007.190668 Google Scholar
“Robust lossless watermarking of relational databases based on circular histogram modulation,”
IEEE Transactions on Information Forensics & Security, 9
(3), 397
–410
(2017). https://doi.org/10.1109/TIFS.2013.2294240 Google Scholar
“Semantic-driven watermarking of relational textual databases,”
Expert Systems with Applications, 167
(2), 368
–379
(2020). Google Scholar
“A robust, distortion minimizing technique for watermarking relational databases using once-for-all usability constraints,”
IEEE Transactions on Knowledge and Data Engineering, 25
(12), 2694
–2707
(2013). https://doi.org/10.1109/TKDE.2012.227 Google Scholar
“RRW-a robust and reversible watermarking technique for relational data,”
IEEE Transactions on Knowledge & Data Engineering, 27
(4), 1132
–1145
(2015). https://doi.org/10.1109/TKDE.2014.2349911 Google Scholar
“Reversible and blind database watermarking using difference expansion,”
International Journal of Digital Crime and Forensics, 1
(2), 42
–54
(2008). https://doi.org/10.4018/IJDCF Google Scholar
“Genetic algorithm and difference expansion based reversible watermarking for relational databases,”
Journal of Systems and Software, 11
(86), 2742
–2753
(2013). Google Scholar
“A new reversible database watermarking approach with firefly optimization algorithm,”
Mathematical Problems in Engineering, 1
–14
(2017). https://doi.org/10.1155/2017/1387375 Google Scholar
“Reversible water-marking for relational database authentication,”
Journal of Computers, 17 59
–65
(2006). Google Scholar
“A new robust approach for reversible database watermarking with distortion control,”
IEEE Transactions on Knowledge and Data Engineering, 31 1024
–1037
(2019). https://doi.org/10.1109/TKDE.69 Google Scholar
“Collusion-secure fingerprinting for digital data,”
IEEE Transactions on Information Theory, 44
(5), 1897
–1905
(1998). https://doi.org/10.1109/18.705568 Google Scholar
“Collusion-resistant video fingerprinting for large user group,”
IEEE Transactions on Information Forensics and Security, 2
(4), 697
–709
(2007). https://doi.org/10.1109/TIFS.2007.908179 Google Scholar
“A novel anti-collusion audio fingerprinting scheme based on fourier coefficients reversing,”
IEEE Signal Processing Letters, 27 1794
–1798
(2020). https://doi.org/10.1109/LSP.97 Google Scholar
“Fingerprinting codes under the weak marking assumption,”
IEEE Transactions on Information Forensics & Security, 13
(6), 1495
–1508
(2017). https://doi.org/10.1109/TIFS.2017.2779112 Google Scholar
“Signature codes for weighted binary adder channel and multimedia fingerprinting,”
IEEE Transactions on Information Theory, 67
(1), 200
–216
(2021). https://doi.org/10.1109/TIT.18 Google Scholar
“Chameleon signatures,”
NDSS Symp, 143
–154
(2000). Google Scholar
“Identity-based chameleon hash and applications,”
Lecture Notes in Computer Science, 167 164
–180
(2004). https://doi.org/10.1007/b98935 Google Scholar
“On the key exposure problem in chameleon hashes,”
in Inter. Conf. on Security in Communication Networks,
165
–179
(2005). Google Scholar
“Hierarchical identity-based chameleon hash and its applications,”
in Inter. Conf. on Applied Cryptography & Network Security,
201
–219
(2011). Google Scholar
“Identity-based chameleon hashing and signatures without key exposure,”
Information Sciences, 265 198
–210
(2014). https://doi.org/10.1016/j.ins.2013.12.020 Google Scholar
“Chameleon-hashes with ephemeral trapdoors and applications to invisible sanitizable signatures,”
IACR Inter. Work. on Public Key Cryptography, 152
–182
(2017). Google Scholar
“Efficient chameleon hash functions in the enhanced collision resistant model,”
Information Sciences, 510 155
–164
(2020). https://doi.org/10.1016/j.ins.2019.09.001 Google Scholar
“Quadratic span programs and succinct NIZKs without PCPs,”
in Annual Inter. Conf. on the Theory and Applications of Cryptographic Techniques,
626
–645
(2013). Google Scholar
“Redactable blockchain-or-rewriting history in bitcoin and friends,”
IEEE European Symp. on Security and Privacy, 111
–126
(2017). Google Scholar
“Snarky signatures: Minimal signatures of knowledge from simulation-extractable snarks,”
in Annual International Cryptology Conf,
581
–612
(2017). Google Scholar
“Short group signatures,”
in 24th Annual Inter. Cryptology Conf,
227
–242
(2004). Google Scholar
AppendicesAPPENDIXThis part is to analyze the security of the proposed chameleon short signature based on the and game model (3.2). Theorem 1 Let 𝔾 be the gap group and H𝔾 be the random oracle on 𝔾. If the CDH assumption holds on 𝔾, then the chameleon hash function is collision resistance. Specifically, suppose there is a polynomial adversary A that breaks the chameleon hash scheme with the advantage of ω(κ), then there must be an adversary B to solve the CDH on 𝔾 at least by the advantage of where e is the base of the natural logarithm, qH is the maximum number of queries to H𝔾. Proof: From Section 3.2, the process of the game between A and B is as follows.
Analysis: Knowing R’ = (h/m’)x from equation (3) in Section 3.1, if B can find a certain r*, such that r* = h / m’,then (r*)x = (h / m’)x. If m’ is the hash value of a certain plaintext M ’, then (h / m’)x is the check parameter for (M’, h). Since adversary B knows {g, h, y = gx, m’= H𝔾(M’) } and want to leverage A as a subroutine to attack the chameleon hash algorithm, its goal is to find out R’ = (r*)x =(h / m’)x. In step (3) of the above game (M’*, R’*) is generated by adversary A, but H𝔾(M’*) is generated by B, so B can be set . When B lets r* be the potential hash of a target plaintext, his goal is to call A to calculate (r*)x based on the triple (g, gx, r*),which is to solve the CDH problem. Throughout the game, B doesn’t know which plaintext will be generated by A to forge a check parameter. Therefore, he has to make a guess that the j-th query Hr corresponds to A ’s final forged result. For simplicity without loss of generality, we assume that 1). Adversary A must have asked (h, M, R)before asking Hr(M’); 2). Adversary A will not initiate the same query Hr(M’) twice to M’; 3). Adversary A must have asked Hr(M’) before querying the check parameters of M’; 4). Adversary A he must have asked (h*, M*, R*) and Hr(M’*) before he outputs (M’*, R’*). In the actual process, B implicitly regards u = ga in the known tuple (g, и = ga, r*) as its own public key (in fact, B does not know the specific value of a), then (r*)a is a forgery check parameter of a certain plaintext, namely R’* = (r*)a =(Hr(M’))a = (h/H𝔾(M’))a where (r*)a is forged by A. To hide instance u = ga, B needs to select a randomness t and send и · gt to A as the public key of В. The following proves that the collision resistance game of the chameleon hash can be reduced to the CDH problem.
Theorem 2 Let 𝔾 be a gap group, and the chameleon hash function Hh is collision resistance on 𝔾, if the CDH problem on 𝔾 is difficult, the chameleon short signature is EUF-CMA. Specifically, suppose there is an EUF-CMA adversary A who breaks the short signature scheme with the advantage of ω(κ), then there must be an adversary B to solve the CDH on 𝔾 at least by the advantage of where e is the base of the natural logarithm, qH is the maximum number of queries to Hh. Proof: The game process of is similar to the .
Analysis: Knowing σ = hx from formula (3.4), if B can find a certain chameleon hash triple (h*, M*, R*), such that σ* = (h*)x, then σ* is the signature of the chameleon hash h* related to the plaintext M*. Since adversary B knows {g, у = gx, h = Hash(pk, M)} and want to leverage A as a subroutine to attack the chameleon short signature, its goal is to find out σ* = (h*)x. In step (3) of the game , (h*, σ*) is generated by adversary A, but h* is generated by B, so B can be set h* ← Hh(M*) ← Hash(pk, M*). When B lets h* be the chameleon hash of a target “plaintext-parameter” pair (M*,R*), his goal is to call A to calculate (h*)x based on the triple (g, gx, h*), which is to solve the CDH problem. Throughout the game, B doesn’t know which chameleon hash will be generated by A to forge a short signature, Therefore, he has to make a guess that the j-th query Hh corresponds to A’s final forged result. For simplicity without loss of generality, we assume that 1). Adversary A only initiates a plaintext chameleon hash query Hh, and doesn’t initiate a adapt query; 2). Adversary A will not initiate the same query twice Hh(M)to M; 3). Adversary A must have asked h ← Hh(M) before requesting the signature; 4). Adversary A must have inquired about h* ← Hh(M*) before outputs the signature (h*, σ*). In the actual process, B implicitly regards u = ga in the known tuple (g, и = ga, h*) as its own public key (in fact, B does not know the specific value of a), then (h*)a is a forgery signature of the chameleon hash h* related to (M*,R*), where h* is generated by B Randomly, (h*)a is forged by A. To hide instance u = ga, B needs to select a random number t and send и · gt to A as the public key of B. The following proves the Existential-Unforgeability game of the short signature can be reduced to the CDH problem.
|