This library includes 3 verifiable redaction schemes:
- A naive scheme
- A Merkle tree-based scheme by Johnson et al.
- An RSA-based scheme by Johnson et al.
Currently, all schemes use SHA256 for hashing, and the Merkle and Naive scheme use ECDSA for signing.
For examples, look at the tests.
To keep the signatures small and the sign/verify/redact operations efficient, the input data is stored in partitions of data.
We provide a helper struct PartitionedData with many helper functions to handle this.
- Make hash function modular
- Make used base signature scheme modular for naive and merkle
- Probably replace
PartitionedDatawith something more sensible? - Merkle tree-based scheme
- Bitstrings very weird way to save nodes position
- Implement support for redacting redacted signatures
- RSA:
- Make used prime bits configurable
- Is this way to generate the coprimes even sane and safe?
NaiveSignature simply uses the underlying ECDSA key to sign each partition individually.
To prohibit the reuse of each partition (reordering attack), we append an ID on each hash, as well as its position. We hard coded the hash of the data as ID. For a message m of length n, the signature is:
Sig(H(n || ID)) || Sig(H(ID || 0 || m_0)) || ... || Sig(H(ID || n || m_n))
JohnsonMerkleSignature is based on Johnson et al. and uses a Merkle tree-based structure to sign the data.
The signature benefits from consecutive redactions, as neighboring redacted nodes in the Merkle tree will be merged. Thus the signature is largest, if the redaction is sparse.
JohnsonRSASignature is based on Johnson et al. and uses the RSA accumulator technique to achieve a constant sized signature.
This currently use a hash function which maps to the primes, I don't know if this is safe or even sane...
Due to the repeated exponentiations, this scheme can get really slow!