Content Extraction Signatures
RonSteinfeld
Schoolof Network Computing,Monash University,
Frankston3199 Australia
[email protected] onas h.ed u.a u
Laurence Bull
School of Computer Science and Software Engineering, Monash University,
Cauleld East 3145 Australia
[email protected] onas h.ed u.a u
Yuliang Zheng
Dept. Software and Info. Systems,
University of North Carolinaat Charlotte,Charlotte, NC 28223
February 8, 2002
Abstract
Motivatedbyemergingneedsinonlineinteractions,wedeneanewtypeofdigitalsignature
called a`ContentExtraction Signature'(CES).A CES allowstheowner, Bob,of adocument
signedbyAlice,toproducean`extractedsignature'onselectedextractedportionsoftheoriginal
document,whichcanbeveriedtooriginatefromAlicebyanythirdpartyCathy,whilehiding
theunextracted(removed)documentportions. Thenewsignaturethereforeachievesveriable
content extraction with minimal multi-partyinteraction. We specify desirablefunctional and
securityrequirementsforaCES(includinganeÆciencyrequirement: aCESshouldbemore
eÆ-cientin eithercomputationorcommunicationthanthesimplemultiplesignaturesolution). We
propose andanalyzefour CESconstructionswhich areprovably securewithrespectto known
cryptographicassumptionsandcomparetheirperformancecharacteristics.
Key Words. Content-extraction, privacy, fragment-extraction, content blinding, fact
veri-cation,contentverication,digitalsignatures,provablesecurity.
1 Introduction
Duringthecourseofa person'slifetimeone hastheneedto use`formaldocuments'such as: Birth
Certicates;MarriageCerticates;PropertyDeeds;andAcademicTranscriptsetc. Suchdocuments
areissuedbysomerecognizedandtrustedauthorityandarethereafterusedbytheownerindealings
withother peopleororganizations, to prove thetruth ofcertain statements(based on thetrustof
theverier intheissuingauthority).
Inan electronicworld,digitalsignatures,together witha PublicKeyInfrastructure(PKI), can
beused to ensure authenticity and integrity of electronic versionsof formal documents. However,
as digital signatures become more widely used, situations can arise where their use signicantly
increases the cost of desirable document processing operations, which do not constitute a
secu-rity breach. In other words, the standard use of digital signatures sometimes places additional
constraints on legitimate users beyond what is reallyrequired to prevent forgeries by illegitimate
users.
In thispaper we considerone particular document processing operation which is made costly
bytheuse of signatures,namely the extraction ofcertain selected portions of a signeddocument.
That is,weconsiderthecasewhen Bob,theownerofa document whichwassignedbyAlice,does
notwishtopass onthewholedocumentto athird(verifying)partyCathyorDavid. Instead,Bob
extractsaportionof thedocumentand sendsonlythatportiontoCathyorDavidasillustratedin
Fig. 1. Weare assuminghere(andwillgive motivatingexamples later)that Aliceis agreeablefor
Bob to perform such an extraction. Still, Cathy and Davidwould like to verify that Alice is the
originator ofthedocument portiontheyreceived from Bob.
Ignoringfornowourotherrequirements,weexplainthediÆcultywithstandardusesofdigital
signaturesinthiscontext. ItisclearthatifAlicesimplysignsthewholedocumentusingastandard
digital signature, then Cathy and David will not be able to verify it unless Bob sends the whole
document. The simplest solution is for Alice to divide the message into (say n) fragments and
sign each fragment, giving a set of signatures to Bob, who can then forward a subset of them,
corresponding to the extracted document fragments, to Cathy and David. Some problems with
thissimplisticapproachinclude bothhigh computation(n signatures) forAlice,Cathy and David
as wellas high communicationoverhead from Alice to Bob, Bobto Cathyand Bob to David (up
to n times the lengthof one signature). We want to do better than this simple scheme in
either:
i communicationoverhead savings;OR
ii computationsavings;
as well as:
iii givingthe signerabilityto specifyallowedextraction of documentcontent; and
iv achievingprovablesecurity.
We call schemes that perform better at document fragment extraction than the simple scheme
Detailed denitions and some proofsare omitted in this version of the paper | they will be
in-cludedin thefullversion of this paper, underpreparation. This paperis organized as follows. In
Section 2 we explain the real-life background motivating the introduction of Content Extraction
Signatures,andreviewrelatedwork. InSection3,wedescribeourdesirablefunctionalandsecurity
requirements from aCES (whichdier from those of a standarddigitalsignature| there iseven
a new privacy requirement which has no counterpart in standarddigital signatures),leading to a
denitionof aCES asa new primitivesatisfyingthese requirements. Section4 presents fourCES
schemesmeetingourdenitionwhichareprovablysecureunderwell-knowncryptographic
assump-tions. Our CES schemes do not employ new cryptographic techniques. However, we believe this
applicationfortheseknowncryptographictechniquesis novel, and inthecaseof theRSA schemes
exploits additional properties which are useful in thisapplication (namely to reduce
communica-tionbandwidth) butarenotused toadvantagein mostof theoriginalusesof these techniques. In
Section5 we closewith someconcludingcomments.
2 Background
2.1 The Emerging Need
Tomotivatetherestofthepaper,considerthecommonplacealthoughpertinentexampleillustrated
inFig.2below. Inthisexample,a university(A)issuesastudent (B)withaformaldocument: an
AcademicTranscript(Originaldocument). Thestudentisrequiredtoincludetheformaldocument
with a job application document sent to a prospective employer (C). Note that the Academic
Transcript document is likelyto include the student's personal details, inparticular the student's
dateof birth(DOB).Toavoidage-based discrimination,thestudent Bmaynotwish to reveal his
DOBto theemployerC(indeed,insomecountriesit isillegalfortheprospective employertoseek
the applicant's DOB). The university (A) understands this and is willing to allow employers to
verify academictranscripts withtheDOB removed (andpossiblywithother eldsagreed to byA
removed as well, butnotothers whichA may requireto be included inanyextracted document).
YetifAsignstheAcademicTranscriptusingastandarddigitalsignaturethestudentBmustsend
thewhole document to Cto allowC to verifyit.
Instead, we proposein thissituation the use of a Content Extraction Signature (CES), as
de-scribed in this paper. The university (A) uses the Sign algorithm of a CES scheme to sign the
original document, dividedinto portions (submessages m
0 , m
1
,...) and produce a content
extrac-tion signature, given to student B along with the full document. The student then extracts a
subdocument A' ofthe originaldocument consistingof a selected subset of thedocument
submes-sages(e.g. notincludingm
1
,theDOBofB,butincludingallothersubmessages). Hethenrunsan
Extractalgorithmof theCES schemeto produceanextracted signature bytheuniversityAforthe
extractedsubdocumentA'. StudentBthenforwardsthesubdocumentA'andtheextracted
signa-tureforA'.TheemployerusestheVerify algorithmoftheCESto verifytheextractedsignatureon
A'. Thisprocesscan also berepeatedforother prospective employers asillustrated inFig.2.
2.2 Virtues of Content Extraction Signatures
If one views a document as a collection of facts orstatements, the use of a CES withdocuments
enablesausertohandleandprocessthesestatementsinamoreselectivemannerratherthanhaving
to use the entiredocument. Apart from theeÆciency of only sending the pertinent information,
more importantly,it enables theuser, Bob, to embrace a minimal information model whereby all
oftheextradetailsthatarenotrequiredcan beomittedfromthetransaction. Oncethedocument
Original
Document
m
1 The quick brown fox ju over the
m
2 The q brown fox jumped over the
m
3 The quick brfox jumped over the
.
.
m
n The quickn fox jumped over the
+
CES
ORIG
Subdocument B
m
1 The quick browumped over the
m
4 The quick brown fox jumped the
m
10 The quick brown mped over the
+
CES
B
Subdocument A
m
2 The quick browumped over the
m
4 The quick brown fox jumped the
m
7 The quick brown mped over the
m
10 The quick brown mped over the
+
CES
A
A
(University)
B
(Student)
C
(Prospective Employer)
D
(Prospective Employer)
Figure 2: A real-lifeapplication forContent ExtractionSignatures.
theeasewithwhichitcan beelectronicallyrelayedand stored. Thisisespeciallytrue withrespect
to theInternet.
Our approach views a document as not just a collection of facts or statements. It also
recog-nises that the document, through its name or title, also provides a contextual framework for the
collection of facts or statements. Inthe simplisticapproach of signing each fragment sothat Bob
can selectivelyforwardthem to Cathy,Alicehas no protectionfrom contextual orsemantic abuse
dueto reorderingof thefragments sent to CathybyBob.
Inordertoaordthedocumentsignersomecontroloverwhatsub-documentsmaybegenerated,
we have included the notion of an Extraction Policy as a fundamental element of the CES. The
Extraction Policy enablesthe signerto have some controlovertheuse ofthe content even though
the document has beenforwarded to the user and no furthercontact will occur. A CES doesnot
requireanyfurtherinteractionwith theauthor(after theinitialsigning),meaningthat theauthor
is obliviousto all furtheruses of (andextraction from) thedocument by theuser. It also permits
thelifespanofthe document to beindependentto thelifespanof theauthor.
While there may be others, we currently envisage two types of situations that may create a
needinpractice to extract portionsof a signeddocument beforeforwardingto theverier:
i Privacy Protection: The full document contains some sensitive/secret portions, which the
documentownermay notwishto revealto some veriers.
ii Bandwidth Saving: Thefulldocumentmaybevery long,whiletheverier isonlyinterested
ina smallportionof it.
2.3 Subdocument Presentation
The extraction of a subdocument along with its extracted signature (CES) raises the question:
Shouldweenforce therequirement thatpositionsoftheblindedcontent beagged withsome sort
of `blinded fragment indicator' for the verier? The simplistic multiple-signature approach does
not enforce this requirement. In our security model for CES (see section 3), we dene a
`CES-Unforgeability' notion which does enforce it (it preserves the total number of fragments in the
originaldocumentaswellasthepositionsof blinded/unblindedfragments). Thisfeature mightbe
usedto simplifythesigner'sExtractionPolicydiscussedabove,byalertingtheverierto positions
of deleted fragments (e.g. fragments deleted by an attacker in order to change meaning of the
very largeinthecase of largedocuments).
In some applications, itmay be preferableto notdisplaythepositionsofblinded fragmentsto
theverifyingperson to achievea betterpresentation,asthedocument isnotclutteredthroughout
with blinded fragment indicators. This might be achieved by letting the signer add an optional
statementto theExtractionPolicyallowingsuchadisplayto bespeciedbytheuserwhoextracts
a subdocument, although the blinded fragment positions are still communicated to and veried
bythe verication algorithm. In some other cases, the verier, Cathy, might have some negative
attitudestowards Aliceifshe receivesa subdocument thathas indicators ofblinded content in it,
eventhoughitcontainedalloftheinformationCathywasseeking. Soonecanalsorequireaspecial
privacyrequirement,namelythatacuriousCathycannot,bylookingattheextractedsubdocument
and signature, tell whether she received all the submessagesin the originaldocument ornot. We
do notdealwith thisrequirement inthecurrent model.
2.4 Related Work
Bellare, Goldreichand Goldwasser[14]introduced`incremental'signatures whichallow asigner to
eÆcientlyupdateasignatureafter makinganincrementaloperationonthesigneddocument. Our
`ContentExtractionSignatures'canbeviewedasaddressingthe`deletion'operationeÆciently,but
allowingthisoperationtobeperformedwithout thesigner'ssecretkey. While[14 ]usethestandard
signaturemodelwherethisoperationwouldconstituteforgery,itisnotnecessarilyaforgeryinour
`Content Extraction Access Structure'-based CES-unforgeabilitydenition (see section 3), which
allows thesignerto specifywhichdeletions areto beregarded asforgeries.
The `dualsignature' dened forthe Secure Electronic Transaction(SET) protocol [6], can be
considereda special caseof one of our schemes, althoughinthat application itis again thesigner
whoperformsthe`extraction',andthereareonlytwosubmessages(paymentinformationandorder
information). It is thereforea dierent settingto ours.
The `XML-Signature'[7 ] proposed recommendation of the WWW Consortium (W3C) denes
a scheme whichallows the signingof documentsconsisting of multipleonline `data objects', some
of which may become unavailable after signing. However, the content extraction application and
its requirementsarenotaddressed intherecommendation. Indeed, theproposedrecommendation
cannot be used without modication to achieve our privacy requirement for content extraction
signatures. Furthermore,ourapproach dealswithself-containeddocuments.
Three of our CES schemes are modications of batch signature generation and verication
schemes[16 ][8][11]. However, ourschemesareanewapplicationforthesetechniques. Inparticular,
we use in a novel way the homomorphic propertyof the RSA schemes which is not used to save
bandwidthin standard batch signing and verifying where theoutput (in thecase of signing)is n
signatures and the input(inthe case of verifying) is n signatures. We are able to take advantage
of this feature because in our setting all the n signatures are intended for the same user (from
thepoint ofview of batch signing)oraretransmittedfrom asingle user(but notthesigner) from
thepoint ofview ofbatchverication. Fiat[11]mentions anotherapplication ofthelength-saving
featureof hisbatching scheme forthepurposeofsaving bandwidthindistributeddecryption.
3 Requirements and Denition of Content Extraction Digital
Sig-natures
In thissectionwe explaininformallythe requirementswhicha CES scheme shouldsatisfyleading
to an (informal) denitionfor a CES scheme and its desirable security notions. Refer to the full
Firstweintroducesometerminology. Wewillassumethatadocumentisdividedintoanumbernof
smallersubmessages,andthatsuchdocumentsarerepresentedinaformwhichencodesanordering
of the n submessages, their number, and allows some of them to be `blank'. We use length(M)
to denote the numberof submessages in M. We use [n] to denote the set of submessage indices
f1;:::;ng. We use bold letters (e.g. M = (m
1 ;m
2
;:::;m
n
)) to denote such a representation of
documents. ThisrepresentationofadocumentMallowsextraction of asubdocument M 0
specied
byanextractionsubset X consistingoftheindicesofthesubmessagestobeextractedandincluded
in the subdocument. The subdocument M 0
then stillhas n submessages, where thesubmessages
withindicesnotin X are setto `blank', whilethesubmessages withindicesinX are equalto the
correspondingsubmessageswiththesame indicesintheoriginaldocumentM. We denotebyM[i]
the i'th submessage in document M. We use Cl(M) to denote the set of indices of `clear' (i.e.
non-blank)submessagesina documentM.
For example, if the original document is M = (m
1 ;m
2 ;m
3 ;m
4
) and the extraction subset is
X = f1;3g, then the extracted subdocument is M 0
= (m
1 ;?;m
3
;?), where ? denotes a blank
submessage. Also, we have Cl(M 0
) =f1;3g. Note that by our denitionsM 0
is distinct from the
documents(m
1 ;m
3
;?;?),(m
3 ;?;m
1
;?),or(m
1 ;?;m
3
;?;?)whicharenot subdocumentsof M.
3.2 Functional Requirements from a CES
Herewediscussthefunctional requirementsfromaCES,i.e. thosewhichareconcernedwithhonest
usersof thescheme. The basicrequirement from aCES scheme can be statedasfollows.
Extraction Requirement: A Content Extraction Signature should allow anyone, given a
signed document, to extract a publicly veriable extracted signature for a specied subdocument of
a signed document, without interaction with the signer of the original document.
As explained inthe introduction, the extraction requirement can be met by a simplesolution
of signing each submessage seperately using a standard digital signature. In order to make this
problemmore interestingwehave asked foraneÆciency requirement asfollows.
EÆciency Requirement: A Content Extraction Signatureshould be more eÆcient,either in
communication overhead (length of original or extracted signatures), or in computational r
equire-ments (signing or verifying), than the simple `multiplesignature' solution.
An additional requirement which may be useful in some applications is the following one. It
allows theextraction to continue `downstream' asthedocument ispassed fromverier to verier,
allowingeach one to continue the extractionprocess. Itmaybeconsideredoptional.
Iterative Extraction Requirement: A ContentExtraction Signature
should allow the extraction of a signature for a subdocument of a source subdocument, given the
source subdocument andthe extracted signature for it.
3.3 Security Requirements from a CES
Now we discuss the security requirements from a CES,i.e. those which prevent undesirable
dis-honest operations.
Themostbasicsecurityrequirementis,asforstandarddigitalsignatures,toensureauthenticity
viatheunforgeability requirement. TheunforgeabilityrequirementforaCESmustdier,however,
from the standard`existential unforgeability' one, because inthe latter, any propersubdocument
(i.e. a subdocument which is not equal to the original document) of the signed document is
considered a `new message' and therefore the extraction (using publicknowledge only) of a valid
signatureforitconstitutesexistentialforgery. Aswehavepointedout,however,weareconsidering
situations where it is desirable to relax thismodel,and allow extraction of signatures for certain
subdocuments. However, itisclearthatinthismodelthesignermusthavefullcontrol todetermine
against changes inmeaning ofextracted portions dueto certaindeletions.
WewilladdresstheaboveconsiderationthroughanExtractionPolicyasanadditionalinputto
the signing algorithm of the CES scheme, called the Content Extraction Access Structure (CEAS
for short). The signer uses this to specify which subdocuments the signer is allowing signatures
to be extracted for (the CEAS is therefore an encoding of the allowed extraction subsets, using
the terminology introduced above). This leads to the following unforgeability requirement for a
CES, assuming the strong `chosen message' attack, where the attacker can query a CES signing
oracle on documents of the attacker's choice. Note that anydocument D queried by theattacker
to thesigning oracle is accompanied by a corresponding CEAS (also under the attacker's choice)
specifyingallowed extractedsubdocuments.
CES-Unforgeability Requirement: It is infeasible for an attacker, having access to a CES
signingoracle,toproducea document/signaturepair(M;), suchthat: (i) passes theverication
testforMand(ii) Miseither(A)Nota subdocumentof anydocumentqueried totheCESsigning
oracle, or (B) Is a subdocument of a queried document D, but not allowed to be extracted by the
CEAS attached to the sign query D.
We remark that the denition of CES-unforgeability above is as strong as one may hope for
in oursetting, i.e. it prevents forgeriesfor anydocuments which are not subdocumentsof signed
documents. Thisimplies,inparticular,securityagainst`submessagereorderingattacks'(wherethe
submessagesintheforgeddocumentarethesameasthoseinsubdocumentofasigneddocumentbut
indierentpositionsororder)aswellas`mixedsubdocumentattacks'(wheretheforgeddocument
containssubmessageswhichhaveallappearedinsigneddocumentsbuthaveneverappearedtogether
in a signed document). Note that the simple multiple signature scheme is not secure against
bothof the latterattacks and hencedoesnot even have theCES-unforgeabilityproperty without
modication.
Unlike standardsignatures,where unforgeabilityisthe onlysecurityrequirement,many
appli-cations of content extraction signatures by nature may also have a privacy security requirement.
Indeed,asmentionedintheintroduction,thereasonfortheusertodeletesomesubmessagesinthe
signeddocumentpriortohandingitovertotheveriermaybeinordertohidethesensitivecontent
of these submessagesfrom theverier. But noneof theabove requirementson a CESexclude the
possibilitythattheextractedsignaturemayingeneralleaksomeinformationonthecontentofthe
unextracted (deleted) submessages. Indeed, this considerationhas important implications on the
design and eÆciency of our rst two proposed CES schemes (see section 4). Hence, the privacy
requirementforaCESmustbedenedinordertoallowanassessmentofwhetheraschemesatises
therequirement ornot. Wegive thisdenitionhere. We notethat asimilarrequirement hasbeen
denedinthe context of `incremental cryptography' [15 ].
CES-Privacy Requirement: It is infeasible for an attacker to distinguish between two
ex-tracted signatures
0 and
1
, where
0
isextracted for a subdocument D
0
of the document
(m
0 ;:::;m
i 1 ;M
0 ;m
i+1 ;:::;m
n
) specied by extraction subset X such that i 2= X (i.e. D
0 has a
blank submessagein position i), and
1
is extracted for subdocument D
1
of the document
(m
0 ;:::;m
i 1 ;M
1 ;m
i+1 ;:::;m
n
) specied by the same extraction subset X(i.e. D
1 = D
0
). This
holds evenif the attackercan choose(M
0 ;M
1
), X, i,and the remaining submessages m
i .
The abovedenitionissimilartothe`indistinguishability'baseddenitionofsemanticsecurity
for encryption schemes. It ensures the attacker cannot obtain information about submessages
which have beenblanked (i.e. those not extractedinto thesubdocument). Itsprecise formulation
(included in the fullpaper) follows the standard two-stage `nd/guess ' attack experiment [17 , 1].
Inthisformulationtheattacker'sndalgorithmchooses(M
0 ;M
1
),X,i, andthem
i
's. Auniformly
random bit b is chosen and the attacker's guess algorithm is given
b
and tries to guess b. The
requirement isthatitisinfeasible forguess to guessb correctlywithnon-negligibleadvantageover
Consistent with the requirementsdiscussed above, a Content Extraction Digital Signature (CES)
scheme D can be denedto consist of 4algorithms:
1 KeyGen| Takesa securityparameterk and generates a secret/publickey pair(SK ;PK).
2 Sign| Takes asecret key SK,a document M=(m
1 ;m
2 ;:::;m
n
),and a content extraction
accessstructureCEAS,andoutputs acontent extraction signature
Ful l .
3 Extract | Takes a document M, a content extraction signature
Ful l
, an extraction subset
X[n]and apublic keyPK,and outputsan extractedsignature
Ext .
4 Verify | Takesanextracted subdocumentM 0
,an extractedsignature
Ext
anda publickey
PK,and outputsaverication decisiond2fAccept;R ejectg.
Intheabovedenition,themaindierencesfromastandarddigitalsignaturearethefollowing.
TheExtractalgorithmallowstheusertoextract(froma`full'contentextractionsignature
Ful l )
a signatureforthe subdocumentconsisting of thesubmessageswhose indexesarespeciedbythe
extractionsubsetX. Theextractedsignature
Ext
canthenbeforwardedtotheverieralongwith
theextractedsubdocumentM 0
.
The`ContentExtractionAccessStructure'(CEAS)isanencodingofthesubsetsofsubmessage
indexesintheoriginaldocumentwhichthesignercanusetospecifywhichextractedsubdocuments
the user is \allowed" to extract valid signatures for. Therefore the CEAS is an encoding of a
collectionsofsubsetsof[n], wheren=length(M)andMisthesigneddocument. Weassumethese
subsetsareencodedasbitstringsinf0;1g n
sothatifCl(M 0
)2CEAS forsome documentM 0
then
length(M 0
)=n=length(M).
4 Proposed Content Extraction Signature Schemes
4.1 Schemes based on General Cryptographic Primitives
4.1.1 SchemeCommitVector.
We buildthisCESscheme outof two standardcryptographic primitives:
(i) Astandarddigitalsignaturescheme S withsignatureandverication algorithms(S;V ) and
key generationalgorithm K. We requirethat S satisesthe standardunforgeabilitynotion,i.e. it
isexistentiallyunforgeable underadaptive chosen message attacks [19 ].
(ii) A message commitment scheme C with committing algorithm Com(:;:) and common
pa-rametersgenerationalgorithmGenPar. Givenamessagem,Com(m;r;cp)denotesthecommitment
to message m under random value r and common parameters cp. We require that C satisfy the
followingstandardproperties|
1 Hiding: Given Com (m;r;cp), themessage m is semanticallysecure [17]
2 Binding: Itishardto ndanytwo distinctmessagesm6=m 0
andcorrespondingrandomness
valuesr2Rand(m;cp)and r 0
2Rand(m 0
;cp)suchthat Com (m;r;cp)=Com (m 0
;r 0
;cp)
3 EÆcient Verication: Given m and r it is easy to compute c = Com (m;r;cp), or output
`Reject' ifr2=Rand(m;cp).
In (2) and (3) above, we denote byRand(m;cp)the set of validrandomness values fora
com-mitted message m.
The scheme is simple. To sign a document, one commits to the submessages and signs the
appended. Extraction of a subset of submessages requires one to recompute thecommitmentsto
theremoved(unextracted)submessagesandappendthem. Therandomnessvaluesfortheremoved
submessagesareremoved. Theresult isthe extractedsignature. Toverify theextractedsignature
onanextractedsubdocument,onerecomputesthecommitmentsfortheextractedsubmessagesand
veries thesignatureon allof thecommitments.
Computation. The main advantage of this scheme over the multiple signature one is that n
signatures are replaced by 1 signature (on a message of length proportional to n), but at a cost
of n commitments. This can give a saving in computation if the commitments can be computed
faster than signatures. In most practical cases the signature would probably be number-theory
based and signaturecomputationwouldinvolve amodularexponentiation. Thisrules outtheuse
of number-theory based commitments, which would result in little or no savings. Fortunately,
an eÆcient provablysecure statistically hiding commitment scheme can be constructed from any
collision-resistant hash function [20 ], and there exist fast candidates for such functions, such as
thewellknownSecure HashAlgorithm (SHA)[4 ]. Usingthiscommitmentscheme witha
number-theory based signature, one can achieve a computational saving by a factor close to n over the
multiplesignaturescheme, forsuÆcientlyshortsubmessages.
Signature Length. The signature lengthsavingof this scheme over the simpleone is smallor
non-existent. This is because one must appendthe commitment randomnessvalues forextracted
submessagesand thecommitmentsforthe unextracted(removed)submessages.
Security. TheschememeetsoursecurityrequirementsforCES(asdenedinSection3),andwe
can state thefollowingresults.
Theorem 1 (1)Ifthe standard signaturescheme S isexistentially unforgeableunderchosen
mes-sage attack and the commitment scheme C is binding, then scheme CommitVector has the
CES-Unforgeability property. (2)If the commitment schemeC is hiding, then schemeCommitVector has
the CES-Privacy property.
Proof. (Sketch) (1) We use an eÆcient CES-Unforgeability attacker A
CES
for scheme
CommitVector to construct two eÆcient attackers: A
sig
to break the unforgeability of scheme S
andA
com
to breakthebindingofschemeC. WewillproveourclaimbyshowingthatoneofA
sig or
A
com
succeeds inits attack withnon-negligibleprobability. Attacker A
sig
worksasfollows. It runs
A
CES
,and answersthelatter'ssign queriesusingthesigningoracle S(:)forscheme S. While doing
so, A
sig
stores ina table both D
j
,the jth document queriedby A
CES
to Sign(for j 2f1;:::;q
S g,
where q
S
is the number of sign queries made by A
CES
), and also (c
j [i];r
j
[i]), where c
j
[i] denotes
the commitment to theith submessage of D
j
underrandomness r
j
[i], used by A
sig
to answerthe
jth query to Sign. We let CEAS
j
denote the CEAS attached to the jth Sign query of A
CES .
Since A
CES
sees a perfect simulation of the real attack, it byassumption succeeds to break
CES-unforgeabilityofCommitVector withnon-negligibleprobabilitybyoutputtingaCESforgery pair
(D ; Ext ),where Ext =CEAS k kConc i2Cl (M ) r [i]kConc i2[n
] Cl (M ) c [i], n def = length(M ).
For each i2Cl(D
), denote by c
[i] the commitment to thei'th submessage of D
reconstructed
from randomness value r
[i] in
Ext
. By denition of CES-unforgeability, we have that for each
j2f1;:::;q
S
g,at leastone of thefollowingthree events occurs:
(i) Thereexistsi2Cl(M
) suchthat D
[i]6=D
j
[i]and c
[i]=c
j [i].
(ii) Thereexistsi2Cl(M
) suchthat D
[i]6=D
j
[i]and c
[i]6=c
(1) KeyGen(k): (1.1) Compute (SK
S ;PK
S
) K(k) (1.2) Compute
cp GenPar(k) (1.3) OutputPK=PK
S
kcp and SK =SK
S .
(2) Sign(M;CEAS;SK): (2.1) Parse PK = PK
S
kcp (2.2) Compute
commitments c[i] Com (M[i];r[i];cp) for i 2 [n]. (2.3) Dene
c Conc
n
i=1
c[i] (2.4) Compute
c
S(CEASkc;SK). (2.5)
Output
Ful l
CEASk c kConc n i=1 r[i]. (3) Extract(M;
Ful l
;X;PK): (3.1) Parse PK = PK
S
kcp (3.2) Parse
Ful l
CEASk
c kConc
n
i=1
r[i] (3.3) Compute missing
commit-ments c[i] Com (M[i];r[i];cp) for i 2 [n] X (3.4) Output
Ext CEASk c kConc i2X r[i]kConc i2[n] X c[i].
(4) Verify (M 0
;
Ext
;PK): (4.1)ParsePK =PK
S
kcp(4.2)Parse
Ext = CEASk c kConc i2Cl (M 0 ) r[i]kConc
i2[n] Cl (M 0
)
c[i](4.3) Recompute
commitments c[i] Com (M 0
[i];r[i];cp) for i 2 Cl(M 0
) or
out-put \Reject" if r[i] 2= Rand(M 0
[i]) for some i. (4.4) Compute
c Conc n
i=1
c[i](4.5) Verifysignatured V (CEASkc;
c ;PK
S ).
(4.6) Output\Accept"i d=\Accept" and Cl(M 0
)2CEAS.
(iii) Cl(M
)2= CEAS
j .
Attacker A
sig
outputs the forgery pair (m
;
), where m def = CEAS kc
[1]k:::kc [n ]. The attackerA com
worksasA
sig
,exceptthatitusesaself-generatedsignaturesecretkeyto answerSign
queries. Itthensearches forsome j2f1;:::;q
S
gand i2Cl(M
) such thatevent (i)holds, andif
foundoutputsa bindingcollision[(D [i];r [i]);(D j [i];r j [i])].
Now note that if event (i) occurs for some j 2 f1;:::;q
S
g then attacker A
com
succeeds in
breakingthe bindingof commitment scheme C. If event (i) does notoccur forall j 2f1;:::;q
S g,
thenA
sig
succeedsinbreakingtheunforgeabilityofsignatureschemeSbecausethemessagem
was
neverqueriedto S(:)byA
sig and
isavalidsignatureform
. Thisisbecause foreachj,ifevent
(ii) occursfor some i then m
diersfrom the jth queried message m
j def = CEAS j kc j
[1]:::c
j [n
j ]
to S(:) in the ith commitment, that is c
[i] 6= c
j
[i]. And for each j for which event (iii) occurs,
we again have m
6= m
j
because Cl(M
) 2 CEAS
and consequently CEAS
j
6= CEAS
. So in
any outcome where A
CES
succeeds, one of A
com or A
sig
also succeed. This proves that one of the
attackers A
sig and A
com
succeeds withprobabilityat least=2.
(2)WeuseaCES-PrivacyattackerA
CES
toconstructanattackerA
c
tobreakthehidingproperty
ofcommitmentschemeC. AttackerA
c
simplyrunsthendstageofA
CES
togetapairofsubmessages
(M
0 ;M
1
),and then completes thecommitment to M
b
given to it (for a randombitb unknownto
A
c
) to form a CES signaturewith M
b
unextracted. It then gives the CES signature to theguess
stage ofA
CES
anduses itsoutput to predictb. SinceA
CES
sees aperfectsimulation,itfollowsthat
A
c
succeeds inpredicting b withA
CES
's success probability,hence breakingthe hidingpropertyof
commitment scheme C. ut
4.1.2 A Variant: Scheme HashTree.
This scheme is a modication of the previous scheme in order to improve its main shortcoming,
namely its large signature length. This length consists of two components (besides the single
S signature): the rst is due to the randomness values for extracted submessages (this one is
proportional to m) and the second is due to the commitments for the unextracted submessages
resistant hashfunctionH(:)to constructa hashtreebymodifyingthesigningalgorithm toregard
thesetofcommitmentsastheleavesofabinary\hashtree". Thehashtreeisabinarytreehaving
n =2 k
leaf nodes, which are associated with the commitments (h
1 ;:::;h
n
) of the n submessages.
Then,startingatthehighestlevelofthetreebelowtheleaves,weassociatewitheachinternalnode
of the tree (down to theroot node) the hashvalue of the concatenation of its two childrennodes
aboveit. Thetreehask+1levels,thelowestoneconsistingofasinglerootnode,withitsassociated
hash value h
root
. The signersigns theroot hashvalue h
root
withappendedCEAS encoding,asin
schemeCommitVector. Extractionconsistsofappendingtothesignaturethehashvaluesassociated
withintermediatetree nodeswhich arerequiredinorder to computetheroot hashvalue fromthe
commitmentsof theextractedsubmessagesavailableinthesubdocument. The randomnessvalues
for the extracted submessage commitments are also appendedas before. Verication recomputes
theroot hash andveries thesignatureon it.
Hash trees have beenwidely discussed intheliterature forimprovingthe eÆciency of
authen-tication protocols (see [18]). This scheme can be regarded a modicationof the batch signature
of Pavlovski and Boyd [16 ] except that in our application the verier recomputes the root hash
valuefromanynumbermofleaves(extractedsubmessagecommitments)whileintheirapplication
it wasrecomputed from only one leaf. For simplicity we have omitted some details in the above
description. We refer the reader to [16] for a discussion of how to handleany number of leaves
(submessages). We also note also that the privacy aorded by the use of commitments in our
scheme mayalsobeusefulinthebatch signaturesof[16],wherethesignereectivelyperformsthe
extractionintosubdocumentsofone submessageeach,andmaynotwishoneverierfromlearning
anythingaboutthecontent of theother submessagessignedinthebatch.
Computation. ThisschememaintainsthecomputationaleÆciencyofthepreviousscheme,apart
from some additionalhashing (of total lengthproportionalto n) to buildthe hashtree. As
men-tioned before, since fast collision-resistant hash functions are available thisdoes not reduce
com-putationaleÆciency signicantlyexcept forvery largen.
Signature Length. As for the previous scheme the extracted signature still contains the m
randomness value forthe extracted m submessages, sothis component of signature lengthis still
proportional to m. But in this variant, the component of signature length due to unextracted
submessages (which in previous scheme was proportional to the number n m of unextracted
submessages)issignicantlyreducedforsmallm. Forexample,intheextremecasewhenweextract
asinglesubmessage(m=1),thepreviousschemerequiredtheusertosendn 1commitmentsfor
theremoved submessages,whileinthisscheme theuseronlyneeds tosendthelog
2
(n)hashvalues
associatedwiththe`sibling'nodesofthenodesonthepathfromtheclearsubmessagecommitment
leaf node to the tree root. More generally,one can show that theworst-case overhead for a given
m isapproximatelymlog
2
(n=m) siblinghashvaluesform<n=2 andn m form>n=2.
Security. The securitypropertiesof the scheme can be proved asforthe previousscheme. The
maindierenceisthatforthisscheme,theCES-unforgeabilitypropertyalsoreliesonthe
collision-resistance of the hash function H(:) used to build the hash tree. We have the following results,
whose proof is similar to that of Theorem 1, together with the well known collision-resistance
propertyof theHashtree.
Theorem 2 (1)Ifthe standard signaturescheme S isexistentially unforgeableunderchosen
mes-sage attack,the commitment schemeC isbinding, andthe hash functionH(:) iscollision-resistant
then scheme HashTree has the CES-Unforgeability property. (2) If the commitment scheme C is
ment`randomnessvalues'r
i
and usersendstheveriera subsetofm of these. Awell-knowntrick
to reduce the signer-to-user communication is for the signer to generate the r
i
's using a
Pseudo-Random NumberGenerator (PRNG)from a single shortseed (sayr) and send justr to theuser.
The CES-Privacy property we dened can still be proven in this case if the PRNG is secure in
the standard `indistinguishabilityfrom random' sense. This trick does not, however, reduce the
user-to-verier communication. To also reduce the latter,one may ask ifit ispossibleto design a
specialPRNG with a `seedextraction' property,which can beinformally statedas follows: Given
a(short) seedr (generatingPseudorandomnumbersr
1 ;:::;r
n
),andanysubsetX[n],itiseasy
to compute ashort `extracted seed'r
X
which allows one to generate ther
i
fori2X,but noneof
theother r
i
's fori2= X (moreover ther
i
for i2= X shouldbe indistinguishablefrom randomeven
knowing r
X
). An RSA-based candidate for thistype of PRNG, having constant (independent of
jXj) lengthextracted seeds, is suggested in [3]. Briey, in thisPRNG, the original seed consists
of the prime factors of an RSA modulusN = pq and a random element r 2 ZZ
N
. There are also
n xed relatively prime public exponents e
1 ;:::;e
n
. From the seed we generate a sequence of n
pseudorandomnumbersr
i
=H(r Q
k 2[n] i e
k
modN)forsome one-wayhashfunctionH(:). The
ex-tractedseedr
X =r
Q
k 2[n] X e
k
modN caneasilybeusedtogenerater
i
fori2X. Unfortunatelywe
cannot prove thepseudorandomness of thisPRNG withrespectto theRSA one-wayness
assump-tion withoutadditional `non-standard' assumptions(e.g. assuming H(:) to be a random oracle).
ThisPRNG would also increasethecomputationalrequirementsof thescheme. Finally,notethat
essentiallythesame construction was previouslyproposed[2 ] inthecontext of `hierarchicalaccess
control'.
4.2 Schemes Based on RSA
The previous two CES schemes improve upon the computation of the simple multiple signature
solution. Buttheirsignaturelengthislinearinthenumberofsubmessages. Inthissectionweshow
howtoachievethereversetradeo. WeproposeRSA-basedCESschemeswhosesignaturelengthis
signicantlyshorterthanthatofthesimplemultiplesignaturesolution. TheCESsignaturelength
forthese schemes isapproximately equalto that ofa single standardRSA signature, independent
ofn. However,incomputationthese schemesdo notsaveoverthatrequiredforthe(batchversion)
of thesimplemultiple-signaturesolution.
4.2.1 SchemeRSAProd
Thisschemedoesnot reducethe lengthof signaturescommunicated betweenthesigner and user.
However itreduces thelengthofextracted signaturescommunicated to theverier.
TheschemeisamodicationofanRSAbatch\screening"verier,proposedbyBellareetal.[8].
ThisverierisbasedonthehomomorphicpropertyofRSA,i.e. h d
1 h
d
2
modN =(h
1 h
2 )
d
modN.
TheveriermultipliestheRSAsignaturesinabatch andcheckswhethertheresultisthesignature
of theproduct ofthe hashvalues. Thisallows \screening" of m signaturesat the cost ofonly one
RSA vericationplus2(m 1) multiplicationsmoduloN.
The crucial observation whichforms the basisof this scheme is that inthe content extraction
signaturesetting,all thesignatures inthe`batch'(where abatch correspondshereto the
submes-sages containedintheextracted subdocumentand theirsignatures) areavailableto theuser,who
can perform the signature multiplication step above prior to forwarding to the verier. Now all
the user has to send is a single product of signatures modulo N, which is the same length as a
single RSA signature, independent of thenumber ofsubmessages m. Theverierthen onlyneeds
(1) KeyGen(k): Pick 2 randomk=2 bit primesp and q. ComputeN =
pq. Choosea publicexponenterelativelyprime to (p 1)(q 1).
Computed=e 1
mod(p 1)(q 1). SetPK =(N;e) andSK=
(N;d). Output(SK ;PK).
(2) Sign(M;CEAS;SK): Compute T: In version 1 (Non-Stateful),
choose T uniformlyrandom in f0;1g l
tag
. In version 2 (Stateful),
T counter and counter counter+1. Foreach i2[n], dene
h
i def
= H(CEASkTkikM[i]). Compute
i def
= h d
i
modN. Output
Ful l def
= (CEASkTk
1
k:::k
n ).
(3) Extract(M;
Ful l
;X;PK): Parse
Ful l
= CEASkTk
1
k:::k
n .
Compute
f def
= Q
i2X
i
modN. Set
Ext def
= TkCEASk
f .
Out-put
Ext .
(4) Verify (M 0
;
Ext
;PK): Set X = Cl(M 0
). Parse
Ext =
TkCEASk
f
. For each i 2 X compute h
i def
=
H(CEASkTkikM 0
[i]). Test whether e
f =
Q
i2X h
i
modN.
Output\Accept"i thetest ispassed, andX 2CEAS.
Computation. The scheme needs the signer to produce n standard RSA signatures, so signer
computation is identical to that of the trivialsolution. The verier's work is one signature
veri-cation plus(m 1) multiplications modulo N. Our Verify algorithm is faster than the screener
of [8 ], due to two reasons. First, we ooad the signature multiplication step to theExtract
algo-rithm. Second, we do not need to perform the `pruning step' of eliminating duplicate messages,
which is necessary in[8] in order to avoid theattackdescribed in [9 ]. In oursetting the sequence
numbersappendedtothesubmessagesbytheverierguaranteedistinctnessand allowusto prove
CES-unforgeability withoutpruning. This is an additional use for the sequence numbers besides
theneedto avoid submessagereorderingattacks.
Signature Length. Although the full signature length from signer to user is still n times the
length of a single RSA signature, once the user extracts a subdocument the resulting extracted
signaturehasonlythe lengthof one RSA modulus(plusa smalloverhead fortheCEAS encoding
and CES tag). It is therefore much shorter than boththe simple multiplesignature solution and
theprevioustwo commitment-based schemes.
Security. Wehave thefollowingsecurityresultforthescheme. Thisresultholdsinthestandard
model, i.e. without any randomoracle assumption on the hash function H(:). In this model the
hash function H(:) is chosen by the signer at key generation time and the algorithm for H(:) is
publishedwiththesigner's publickey.
Theorem 3 (1) If the Full-Domain-Hash RSA signature m ! H(m) d
modN (FDH RSA) is
existentially unforgeableunder chosen message attack and CES-Tags are never reused by the CES
Signalgorithm thenschemeRSAProd hastheCES-Unforgeabilityproperty(2)SchemeRSAProd has
the CES-Privacy property.
CES-is appended). We usea `weak ordered' CES-Unforgeabilityattacker A
CES
forscheme RSAProd to
construct a chosen message attacker A
FDH
to break the existential unforgeabilityof thesignature
scheme FDH RSA. Attacker A
FDH
works as follows. It runs A
CES
, and answers the latter's
sign queries by simulating the Sign algorithm using the signing oracle S
FDH
: = H(:) d
modN for
scheme FDH RSA. While doing so, A
FDH
stores in a table the documents queried by A
CES to
Sign(we denotebyD
j
thejth querieddocument). SinceA
CES
seesa perfect simulationof thereal
attack, itbyassumptionsucceedstobreakWO-CES-unforgeabilityofRSAProdwithnon-negligible
probability by outputting a forgery pair (D ; Ext ), where Ext =
. By denition of
WO-CES-unforgeability, there is a submessage index i such that D
[i] 6= D
j
[i] for all j. Hence the
message m
def
= ikD
[i]hasneverbeenqueriedbyA
FDH
to its signingoracleS
FDH . So A
FDH
breaks
theexistentialunforgeabilityofFDH RSAbyoutputingtheforgery(m
;
FDH
)ifitcancompute
FDH def = S FDH (m
)=H(m
) d
modN withoutqueryingm
toS
FDH . A
FDH
doessoasfollows. Since
isbyassumptionavalidCESsignaturefordocumentD
,wehave = Q k2X H(kkD [k]) d mod
N, that is
=
FDH
RmodN,where R def = Q k2X fig H(kkD [k]) d
modN and X def = Cl(M ). So A FDH
queries the messages kkD
[k] for all k 2 X fig to S
FDH
and multiplies the answered
signatures modulo N to compute R , which it then uses to compute the desired forged signature
FDH =
=RmodN. TheproofiscompletedbyobservingthatthequeriedmessageskkD
[k]for
k6=iareall distinctintheirsequence prexfrom theforgerymessage m
.
(2) The CES-Privacy istrivialsincethe extractedsignatureis independent of theunextracted
submessages. ut
Ifweusetherandomoraclemodel[13 ]forthehashfunctionH(:),thenTheorem3andLemma2
inappendixgive thefollowingresult.
Corollary 1 If the RSA function is one-way and CES-Tags are never re-used by Sign, then then
RSAProd has the CES-unforgeability property in the random oracle model.
Remark 1: To achieveCES-unforgeabilityitisessentialthatCEStagsareneverre-usedbythe
Sign algorithm. In the stateful version of Sign a tag length of l
T
= 80 bit suÆces for up to 2 80
CES signatures,but forthe unstatefulversion, one needs l
T
=160 bit forapprox. the number of
signatures to avoid birthdaycollisions.
Remark 2: Thisscheme doesnot havetheoptional`IterativeExtraction'propertydescribedin
section 3. Indeed, it isnot hardto showthat iterative extraction is ashard asinvertingthe RSA
one-wayfunction. However, iterative extraction would notberequired inmanyapplications. The
followingvariant does allow iterativeextraction.
Remark 3: It is clearfrom theproof of Theorem3 that the scheme can be generalized to use
anyone-to-onetrapdoorone-waygrouphomomorphisminplaceofRSA,wherethegroupoperation
and inversion areeÆcient.
4.2.2 A Variant: Scheme MERSAProd
The previous scheme achieves very low extracted signaturelength forthe user to verier
commu-nication. However the initial signature produced by the signer and given to the user is still n
RSAsignatureslong. Thefollowingvariantscheme MERSAProdalsoreducesthis`initial'signature
lengthdowntoalmostthelengthofasingleRSAsignature. Itisamodicationofabatchsignature
generationalgorithmdueto Fiat[11 ] andassuchalsogivessavingsinsignercomputationoverthe
previousscheme. However, thescheme loses thefastverication propertyofthe previousscheme.
Fiat[11 ]discoveredthatwhilestandardRSA ishardtobatch(see [12 ]),`Multi-ExponentRSA'
(MERSA) can be batched. In MERSA, thesigner's publickey consistsof a uniqueRSA modulus
N =pq butmany publicexponents e
i
publicexponente
i
thereexistsacorrespondingsecretexponentd
i =e
1
i
mod(p 1)(q 1). Given
asequenceh
1 ;:::;h
n
ofnmessagehashvaluestobesigned,Fiat'sbatchsigningalgorithmcomputes
(more eÆcientlythan performingnexponentiations) then `distinct-exponent' signatures h d
i
i mod
N. Fiat's algorithm is dividedinto 3 stages. Stage 1 outputs the productr def = n i=1 h e=e i i modN, where e def = Q n i=1 e i
. Stage 2 signs the product and outputs r 1=e = Q n i=1 h 1=ei i
modN. Stage 3
`separates' the product into the n indvidual multi-exponent signatures h 1=e
i
i
modN. A crucial
property of Fiat's algorithm for application in our scheme MERSAProd is the following one: the
separation algorithm (Stage3) does not require the signer'ssecret key.
OurschemeMERSAProdisanaturalextensionofschemeRSAProdtotheMERSAcase,modied
to take advantage ofthe above usefulpropertyof Fiat's algorithmto save on signature length. It
isdescribedasfollows. Thekeygenerationalgorithm publishesinthepublickeyan RSA modulus
N and the rst n
B
primes e
i
(i = 1;:::;n) as public exponents, keeping the corresponding d
i as
secretexponents. The Signalgorithmruns onlystages1 and 2of Fiat'salgorithm to computethe
productr= Q i2[n] h d i i
modN,whereh
i
denotesthehashh
i
oftheithsubmessage(withappended
CEAS,CES Tag and submessage sequencenumberi, asinscheme RSAProd). Onlythe productr
(singleRSA signaturelength)issent totheuser(together withCEASand CESTag). TheExtract
algorithmrunsstage 3ofFiat'salgorithmto breakuptheproductr into theindividualsignatures
h d
i
i
and then multiplies the ones corresponding to the extracted submessages in the extraction
subset X as in scheme RSAProd, to compute
f = Q i2X h d i i
modN, to achieve the same single
RSAsignaturelengthofextractedsignatures. TheVerify algorithmveries
f
ondocumentM 0 by checking if e f = Q i2X h e=e i i
modN, where e def = Q i2X e i
, and X =Cl(M 0
). Note that thistest is
equivalent to testing if Q i2X h e=e i i
= 1modN where
h
i = h
i
for all iexcept i =L def = min i2X e i ,
for which we dene h L = h L = eL f
modN. Fiat's stage 1 algorithm is again used to compute the
product Q i2X h e=e i i
modN eÆciently.
Computation. One canshowthatinusingFiat'salgorithm intheabove scheme, the
computa-tion involved (ignoring one-o computations which are dependant onlyon the public exponents)
forthesigner(Stages 1and 2) is boundedinthe orderof nlog 2
2
(n)+log
2
(N) multiplications mod
N. Theextractioncomputationisinthesameorder,althoughwenotethattheuserneedonlyrun
Fiat's Stage 3 algorithm to extract and store the n signatures once, and then is able to combine
any subset of m of them using onlym 1 modular multiplications. This might be useful if the
useris supplyingseveral distinctextractedsubdocumentsto multipleveriers. Finally,theverier
performs theStage 1 of Fiat's algorithmbut usingonlym messages, giving a computationalload
intheorder of mlog
2 (n)log
2
(m)multiplications moduloN.
Signature Length. Bothinitial signaturelength(as output by signer) and extractedsignature
lengthareonlya littlelongerthanthana single RSAsignaturelength(due to appendedCEStag
and CEAS encoding).
Security. We can state thefollowing. Theproof isanalogous to theproof of Theorem3.
Theorem 4 (1)Ifeachofthendistinct-exponentFDHsignatureschemesS
i (m) def = H(ikm) d i mod
N (for i=1;:::;n) is existentially unforgeable even under a chosen messageattack giving acccess
simultaneously to all the n oracles S
i
(:), and if CES-Tags are never reused by the CES Sign
algo-rithm, then scheme MERSAProd has the CES-Unforgeability property (2) Scheme MERSAProd has
i
CES-Tags are never reused by Sign, then MERSAProd has the CES-unforgeability property in the
random oraclemodel.
4.3 Performance Summary
A summaryof theperformanceparameters of theproposed CESschemes isgiven inTables1 and
2. We use the following symbols in the tables: n (no. of submessages in original document),
m (no. submessages in extracted subdocument), T
S
(sig. gen. time), T
V
(sig. ver. time), T
C
(commitment generation time), T
HA
(Hashing time), N (RSA modulus), T RSA
MULT
(mult. time
modulo N), l
S
(signature length), l
H
(hash length), l
C
(commitment length), l
r
(commitment
randomnesslength), l
T
(CEStaglength),l
CEAS
(CEASencodinglength), l
m
(submessage
length-assumeduniform),l
seq
(submessagesequencenumberlength). Wedenel
R def = l m +l CEAS +l T +l seq .
For algorithm running time variables the value inbrackets denotes the input length. We dened
f(n;m) def
= min(mlog
2
(n=m);n m). For Extract time of scheme MERSAProd, we only count the
signaturemultiplicationstep.
Scheme Approx. SignTime Typ. T.S. S-U Length
CommitVector TS(nlC+lCEAS)+nTC(lm) 100 lCEAS+lS+nlr
HashTree T
S
(lH+lCEAS)+nTC(lm)+(n=2)(THA(2lC)+THA(2lH)) 100 lCEAS+l
S +nlr
RSAProd n(THA(lR)+T
RSA
S
) 1 lCEAS+lT +nl
RSA
S
MERSAProd O(nlog 2
2 n+log
2 N)T RSA MULT +nT HA (l R
) 1 l
CEAS +l T +l RSA S Trivial nT S
(lR) 1 lCEAS+lT+nl
S
Table 1: Comparison of signer computation time and signer to user communication overhead.
Column`Typ. T-S'denotestypical SignTimeSavingfactor. Column`S-ULength'denotes
Signer-to-User sig. length.
Scheme Extract Extract Typ. Approx. Verify
Time Length Length Time
CommitVector negligible lCEAS+lS+mlr+ 169kb TV(nlC+lCEAS)+mTC(lm)
(n m)l
C
HashTree negligible lCEAS+lS+mlr+ 169kb TV(lH+lCEAS)+mTC(lm)+
f(n;m)l
C
m(T
HA (2l
C )+log
2 (n)T HA (2l H )) RSAProd mTM ULT
lCEAS+lT +l RSA S 1:28kb T RSA V +m(T RSA MULT +THA(lR)) MERSAProd mTM ULT
lCEAS+lT +l RSA
S
1:28kb O(mlog
2 mlog
2
n)TMULT +mTHA(lm)
Trivial negligible lCEAS+lT +ml
S
32:3kb mT
V (lm)
Table 2: Comparisonofuser and veriercomputation, user to verier communicationoverhead.
The `Typ. Time Saving' (Approximate Sign time saving ratio over simple multiple signature
scheme, orover thebatched one in thecase of scheme MERSAProd) and `Typ. Length' (referring
to extractedsignaturelength)gureswereestimated forthefollowingpracticalexample. Wetook
n = 100, m = 99 (one unextracted submessage), l
CEAS
= 100 bit (a simple CEAS specifying
whether a submessage is optional or mandatory forextraction), and l
m
=64 bit (typ. numerical
elds). For the rst two schemes we assumed a DSS signature [5 ] with l
S
= 320 bit, and the
commitment scheme of [20],usingSHA-1 [4 ] asthecollision-resistanthashfunction (k=160 bit),
and an aÆne universal hash family h
A;b
: f0;1g L
! f0;1g k
with h(r) = Ar+b, A 2 f0;1g Lk
a
Toeplitz matrix, and b 2 f0;1g k
, where arithmetic is performed in the vector space f0;1g k
over
thebinaryeld f0;1g. Thecommitrandomnesslengthisl
r
=2(k+L) 1. To achievea provable
upperboundof 2 Æ
on distinguishingadvantage of aprivacy-breakingattacker, itis shown in[20 ]
r C
assumed jNj=1024 bitand l
T
=160 bit.
Notice thereversed tradeobetween thecommitment-based schemes (eÆcient incomputation
butnotinsignaturelength)andtheRSA schemes(eÆcient insignaturelengthbutnotin
compu-tation), wherein bothcases the savingfactor over the simplemultiple signaturescheme is inthe
order ofn.
5 Conclusion
Motivatedbyemergingneedsinonlineinteractionsandtheneedtoembraceaminimalinformation
model, we introduced a Content Extraction Signature (CES) as a digitalsignature which can be
veried with knowledge of only selected extracted portions of the signed document (while hiding
unextracted portions), at a communication or computation cost which is lower than the simple
multiplesignaturesolution. Wedenedthesecurityandfunctionalrequirementsforsuchsignatures,
and proposed four CES schemes with various performance tradeos. Practical application and
implementationissuesofourCES schemesare thesubjectofa forthcomingpaper.
References
[1] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations Among Notions of Security
forPublic-KeyEncryptionSchemes. InCRYPTO'98, LNCS1462.
[2] G.C.Chickand S.E. Tavares.FlexibleAccess ControlwithMaster Keys.InCRYPTO '89.
[3] R.Steinfeld.A Pseudo-RandomGenerator withSeedExtraction.Manuscript,Sep. 2001.
[4] NIST. Secure Hash Standard (SHS). Federal Information Processing Standards Publication
180-1. April1995.
[5] NIST.DigitalSignature Standard(DSS). Federal InformationProcessing Standards
Publica-tion186. November1994.
[6] MasterCardandVISA.Secure ElectronicTransaction(SET)SpecicationBooks1-3(Version
1.0).May 31,1997.
[7] XML Core Working Group. XML-Signature Syntax and Processing: W3C Proposed
Recom-mendation.August 20,2001. Availablefrom http://www.w3.org/TR/xmldsig-core.
[8] M.BellareandJ.A.GarayandT.Rabin.FastBatch VericationforModularExponentiation
and DigitalSignatures.In EUROCRYPT '98,LNCS1403. Springer-Verlag, Berlin,1998.
[9] J.S. Coron and D. Naccache. On the Security of RSA Screening. In PKC '99, LNCS 1560.
Springer-Verlag, Berlin,1999.
[10] D.Naccache and D. M'Raihiand S.Vaudenay and D.Raphaeli.Can D.S.Abe improved? In
EUROCRYPT '94, LNCS950.Springer-Verlag,Berlin, 1999.
[11] A.Fiat. Batch RSA. InCRYPTO '89, LNCS435. Springer-Verlag,Berlin,1990.
[12] H.ShachamandD.Boneh.ImprovingSSLHandshakePerformanceviaBatching.InCT-RSA
2001,LNCS2020. Springer-Verlag, Berlin,2001.
Hashingand Signing.InCRYPTO '94,LNCS839, Springer-Verlag,Berlin,1994.
[15] M. Bellare and O. Goldreich and S.Goldwasser. Incremental Cryptographyand Application
to VirusProtection. InProc.of 27th STOC ACM, 1995.
[16] C.J. Pavlovski and C. Boyd. EÆcient Batch Signature Generation Using Tree Structures. In
CrypTEC'99. CityUniversityof HongKongPress, 1999.
[17] S.Goldwasser and S. Micali.Probabilistic Encryption.J. of Computer and System Sciences,
pages270-299, vol. 28,no.2, 1984.
[18] A.Menezes and P.van Oorschotand S.Vanstone.Handbookof Applied Cryptography.CRC
Press,1997.
[19] S.GoldwasserandS.Micaliand R.Rivest.A DigitalSignature Scheme Secure against
Adap-tivelyChosen Message Attacks. SIAM Journal on Computing, pages 281-308, vol. 17, no. 2,
1988.
[20] S.Haleviand S.Micali.Practicaland Provably-Secure Commitment Schemesfrom
Collision-FreeHashing. In CRYPTO'96, LNCS1109. Springer-Verlag, Berlin,1996.
A Appendix
Thefollowingdenition andLemmasarerequiredforsecurityresultsstatedin thepaper. Referto thefull
paperfor proofs. Thefollowingdenition isfor aweakernotionofunforgeabilitythanthefull onedened
inthepaper.
Denition1 A CES scheme D is said to have the weak ordered (WO)
CES-unforgeability property if the following holds: It is infeasible for an attacker, having access to a CES
signing oracle, to produce a document/signature pair (M;), such that: (i) passes the verication test
for M and (ii) M contains asubmessage atsome position i which has never appeared inposition i in any
documentqueriedtothe CESsigningoracle.
Lemma1 AnyCESschemewhichhastheweakorderedCES-Unforgeabilitypropertycanbeusedtoconstruct
aCES scheme whichhas the fullCES-unforgeability property.
TheconstructionusedinprovingLemma1involveschoosingaunique`CEStag'foreachsigneddocument
and appending it (and a A CEAS encoding) to each submessage before applying the original CES Sign
algorithm.
ThefollowinglemmaswerealsousedinthesecurityanalysisoftheRSAschemes.
Lemma2 (Bellare-Rogaway[13]) If H(:) is a random oracle onto ZZ
N
andthe RSA function is one-way,
thenthe FDH signatureS(m) def
= H(m) d
modN isexistentially unforgeable underchosen messageattack.
Lemma3 IfH(:)is arandom oracle ontoZZ
N
andthe RSAfunction isone-way foreache
i
(i=1;:::;n),
then the n distinct-exponent FDH signatureschemes S
i (m)
def
= H(ikm) d
i
modN (for i=1;:::;n) are
exis-tentially unforgeable even under achosen messageattack giving acccess simultaneously toall the nsigning
oracles S
