Skip to main content
SpringerLink
Log in
Book cover

International Conference on E-Business and Telecommunications

ICETE 2012: E-Business and Telecommunications pp 155–171Cite as

Redactable Signature Schemes for Trees with Signer-Controlled Non-Leaf-Redactions

  • Conference paper
  • First Online:

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 455))

Abstract

Redactable signature schemes (\(\mathsf{RSS }\)) permit to remove parts from signed documents, while the signature remains valid. Some \(\mathsf{RSS }\)s for trees allow to redact non-leaves. Then, new edges have to be added to the tree to preserve it’s structure. This alters the position of the nodes’ children and may alter the semantic meaning encoded into the tree’s structure. We propose an extended security model, where the signer explicitly controls among which nodes new edges can be added. We present a provably secure construction based on accumulators with the enhanced notions of indistinguishability and strong one-wayness.

This is an extended and heavily revised version of [1]

The research leading to these results has received support from the European Union’s Seventh Framework Programme (FP7/2007–2013) under grant agreement no 609094.

Was supported by “Regionale Wettbewerbsfähigkeit und Beschäftigung”, Bayern, 2007–2013 (EFRE) as part of the SECBIT project (http://www.secbit.de) and the European Community’s Seventh Framework Programme through the EINS Network of Excellence under grant agreement no 288021, while at the University of Passau.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Indeed, the randomization step does not hide anything [26, 34].

References

  1. Pöhls, H.C., Samelin, K., de Meer, H., Posegga, J.: Flexible redactable signature schemes for trees - extended security model and construction. In: SECRYPT, pp. 113–125 (2012)

    Google Scholar 

  2. Miyazaki, K., et al.: Digitally signed document sanitizing scheme with disclosure condition control. IEICE Trans. 88–A, 239–246 (2005)

    Article  Google Scholar 

  3. Kundu, A., Bertino, E.: Privacy-preserving authentication of trees and graphs. Int. J. Inf. Sec. 12, 467–494 (2013)

    Article  Google Scholar 

  4. Pöhls, H.C., Samelin, K., Posegga, J.: Sanitizable signatures in XML signature — performance, mixing properties, and revisiting the property of transparency. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 166–182. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  5. Slamanig, D., Rass, S.: Generalizations and extensions of redactable signatures with applications to electronic healthcare. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 201–213. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  6. Wu, Z.Y., Hsueh, C.W., Tsai, C.Y., Lai, F., Lee, H.C., Chung, Y.: Redactable Signatures for Signed CDA Documents. J. Med. Syst. 36(3), 1795–1808 (2012)

    Article  Google Scholar 

  7. Becker, A., Jensen, M.: Secure combination of xml signature application with message aggregation in multicast settings. In: ICWS, pp. 531–538 (2013)

    Google Scholar 

  8. Hanser, C., Slamanig, D.: Blank digital signatures. In: AsiaCCS, pp. 95–106. ACM (2013)

    Google Scholar 

  9. Rass, S., Slamanig, D.: Cryptography for Security and Privacy in Cloud Computing. Artech House, Boston (2013)

    Google Scholar 

  10. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  11. Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  12. Izu, T., Kanaya, N., Takenaka, M., Yoshioka, T.: PIATS: a partially sanitizable signature scheme. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 72–83. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  13. Izu, T., Takenaka, M., Yajima, J., Yoshioka, T.: Integrity assurance for real-time video recording. In: 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), pp. 651–655. IEEE (2012)

    Google Scholar 

  14. Miyazaki, K., Hanaoka, G.: Invisibly sanitizable digital signature scheme. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 91, 392–402 (2008)

    Article  Google Scholar 

  15. Miyazaki, K., Hanaoka, G., Imai, H.: Digitally signed document sanitizing scheme based on bilinear maps. In: ASIACCS, pp. 343–354. ACM (2006)

    Google Scholar 

  16. Ateniese, G., Chou, D.H., de Medeiros, B., Tsudik, G.: Sanitizable signatures. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 159–177. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  17. Brzuska, C., Fischlin, M., Freudenreich, T., Lehmann, A., Page, M., Schelbert, J., Schröder, D., Volk, F.: Security of sanitizable signatures revisited. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 317–336. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  18. Brzuska, C., Fischlin, M., Lehmann, A., Schröder, D.: Sanitizable signatures: How to partially delegate control for authenticated data. In: Proceedings of BIOSIG. LNI, vol. 155, pp. 117–128. GI (2009)

    Google Scholar 

  19. Brzuska, C., Fischlin, M., Lehmann, A., Schröder, D.: Unlinkability of sanitizable signatures. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 444–461. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  20. Gong, J., Qian, H., Zhou, Y.: Fully-secure and practical sanitizable signatures. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 300–317. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  21. Lai, J., Ding, X., Wu, Y.: Accountable trapdoor sanitizable signatures. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 117–131. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  22. de Meer, H., Pöhls, H.C., Posegga, J., Samelin, K.: On the relation between redactable and sanitizable signature schemes. In: Jürjens, J., Piessens, F., Bielova, N. (eds.) ESSoS 2014. LNCS, vol. 8364, pp. 113–130. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  23. Pöhls, H.C., Peters, S., Samelin, K., Posegga, J., de Meer, H.: Malleable signatures for resource constrained platforms. In: Cavallaro, L., Gollmann, D. (eds.) WISTP 2013. LNCS, vol. 7886, pp. 18–33. Springer, Heidelberg (2013)

    Google Scholar 

  24. Chang, E.-C., Lim, C.L., Xu, J.: Short redactable signatures using random trees. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 133–147. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  25. Samelin, K., Pöhls, H.C., Bilzhause, A., Posegga, J., de Meer, H.: Redactable signatures for independent removal of structure and content. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 17–33. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  26. Brzuska, C., et al.: Redactable signatures for tree-structured data: definitions and constructions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 87–104. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  27. Haber, S., Hatano, Y., Honda, Y., Horne, W.G., Miyazaki, K., Sander, T., Tezoku, S., Yao, D.: Efficient signature schemes supporting redaction, pseudonymization, and data deidentification. In: ASIACCS, pp. 353–362 (2008)

    Google Scholar 

  28. Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., Shelat, A., Waters, B.: Computing on authenticated data. ePrint Report 2011/096 (2011)

    Google Scholar 

  29. Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  30. Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  31. Backes, M., Meiser, S., Schröder, D.: Delegatable functional signatures. IACR Cryptology ePrint Archive 2013, 408 (2013)

    Google Scholar 

  32. Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  33. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. IACR Cryptology ePrint Archive 2013, 401 (2013)

    Google Scholar 

  34. Samelin, K., Pöhls, H.C., Bilzhause, A., Posegga, J., de Meer, H.: On structural signatures for tree data structures. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 171–187. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  35. Gottlob, G., Koch, C., Pichler, R.: The complexity of XPath query evaluation. In: Symposium on Principles of Database Systems, PODS, pp. 179–190. ACM, New York (2003)

    Google Scholar 

  36. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  37. Benaloh, J.C., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures (extended abstract). In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)

    Chapter  Google Scholar 

  38. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM JoC 17, 281–308 (1988)

    MathSciNet  MATH  Google Scholar 

  39. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)

    Article  MathSciNet  MATH  Google Scholar 

  40. Lipmaa, H.: Secure accumulators from euclidean rings without trusted setup. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 224–240. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  41. Sander, T.: Efficient accumulators without trapdoor extended abstract. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 252–262. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  42. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  43. Buldas, A., Laud, P., Lipmaa, H.: Accountable certificate management using undeniable attestations. In: ACM Conference on Computer and Communications Security, pp. 9–17 (2000)

    Google Scholar 

  44. Nyberg, K.: Fast accumulated hashing. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 83–87. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  45. de Meer, H., Liedel, M., Pöhls, H.C., Posegga, J., Samelin, K.: Indistinguishability of one-way accumulators. Technical report MIP-1210, University of Passau (2012)

    Google Scholar 

  46. Hirose, S., Kuwakado, H.: Redactable signature scheme for tree-structured data based on merkle tree. In: SECRYPT, pp. 313–320 (2013)

    Google Scholar 

  47. Brzuska, C., Pöhls, H.C., Samelin, K.: Non-interactive public accountability for sanitizable signatures. In: De Capitani di Vimercati, S., Mitchell, C. (eds.) EuroPKI 2012. LNCS, vol. 7868, pp. 178–193. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  48. Brzuska, C., Pöhls, H.C., Samelin, K.: Efficient and perfectly unlinkable sanitizable signatures without group signatures. In: Katsikas, S., Agudo, I. (eds.) EuroPKI 2013. LNCS, vol. 8341, pp. 12–30. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Chair of Computer Networks and Communications, University of Passau, Passau, Germany

    Hermann de Meer

  2. Chair of IT-Security, University of Passau, Passau, Germany

    Henrich C. Pöhls & Joachim Posegga

  3. Institute of IT-Security and Security Law (ISL), University of Passau, Passau, Germany

    Hermann de Meer, Henrich C. Pöhls, Joachim Posegga & Kai Samelin

Authors
  1. Hermann de Meer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Henrich C. Pöhls
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Joachim Posegga
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kai Samelin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Henrich C. Pöhls .

Editor information

Editors and Affiliations

  1. Monmouth University, West Long Branch, New Jersey, USA

    Mohammad S. Obaidat

  2. Polytechnic Institute of Setúbal, INSTICC, Setubal, Portugal

    Joaquim Filipe

Appendix

Appendix

1.1 Security Proofs of the Construction

We now show that our construction fulfills the given definitions. Namely, these are unforgeability, privacy, and transparency. We prove each property on its own.

Our Scheme is Unforgeable. If \(\mathcal {AH}\) is strongly one-way, while the signature scheme \(\varPi \) is unforgeable, our scheme is unforgeable.

Proof. Let \(\mathcal {A}\) be an algorithm winning the unforgeability game. We can then use \(\mathcal {A}\) in an algorithm \(\mathcal {B}\) to either to forge the underlying signature scheme \(\varPi \) or to break the strong one-wayness of \(\mathcal {AH}\). Given the game in Fig. 5 we can derive that a forgery must fall in at least one of the two following cases, for at least one node \(d\) in the tree:

  • Type 1 Forgery: The value \(d\) protected by \(\sigma _s\) has never been signed by the signing oracle.

  • Type 2 Forgery: The value \(d\) protected by \(\sigma _s\) has been signed, but \(T^* \notin \text {span}_\vdash (T, \sigma , \) \(\mathtt{ADM })\) for any tree \(T\) signed by the signing oracle.

Type 1 Forgery. In the first case, we can use the forgery generated by \(\mathcal {A}\) to create \(\mathcal {B}\) which forges a signature. We construct \(\mathcal {B}\) using \(\mathcal {A}\) as follows:

  1. 1.

    \(\mathcal {B}\) generates the key pair of \(\mathcal {AH}\), i.e., \(\mathtt{pk }\leftarrow \mathsf{KeyGen }(1^\lambda )\). It passes \(\mathtt{pk }\) to \(\mathcal {A}\). This is also true for \(\mathtt{pk }_S\) of the signature scheme to forge.

  2. 2.

    All queries to the signing oracle from \(\mathcal {A}\) are genuinely answered with one exception: instead of signing digests itself, \(\mathcal {B}\) asks it own signing oracle to generate the signature. Afterward, \(\mathcal {B}\) returns the signature generated to \(\mathcal {A}\).

  3. 3.

    Eventually, \(\mathcal {A}\) outputs a pair \((T^*, \sigma ^*)\). \(\mathcal {B}\) looks for the message/signature pair \((m^*,\) \(\sigma _s^*)\) inside the transcript not queried to its own signing oracle, i.e., the accumulator value with the signature \(\sigma _s^*\) of the root of \((T^*, \sigma ^*)\). Hence, there exists a value not signed by \(\mathcal {B}\)’s signing oracle. This pair is then returned as \(\mathcal {B}\)’s own forgery attempt.

As every tree/signature pair was accepted as valid, but not signed by the signing oracle, \(\mathcal {B}\) breaks the unforgeability of the signature algorithm. Here, we have a tight reduction for the first case.

Type 2 Forgery. In the case of a type 2 forgery, we can use \(\mathcal {A}\) to construct \(\mathcal {B}\), which breaks the strong one-wayness of the underlying accumulator. We construct \(\mathcal {B}\) using \(\mathcal {A}\) as follows:

  1. 1.

    \(\mathcal {B}\) generates a key pair of a signature scheme \(\varPi \).

  2. 2.

    It receives \(\mathtt{pk }\) of \(\mathcal {AH}\). Both public keys are forwarded to \(\mathcal {A}\).

  3. 3.

    For every request to the signing oracle, \(\mathcal {B}\) uses its hashing oracle to generate the witnesses and the accumulators. All other steps are genuinely performed. The signature is returned to \(\mathcal {A}\).

  4. 4.

    Eventually, \(\mathcal {A}\) outputs \((T^*, \sigma ^*)\). Given the transcript of the simulation, \(\mathcal {A}\) searches for a pair \((w^*,y^*)\) matching an accumulator \(a\), while \(y^*\) has not been queried to hashing oracle under \(a\). Note, the root accumulator has been returned: otherwise, we have a type 1 forgery. \(\mathcal {B}\) outputs \((a, w^*,y^*)\).

As every new element accepted as being part of the accumulator, while not been hashed by the hashing oracle, breaks the strong one-wayness of the accumulator, we have a tight reduction again.

Our Scheme is Private. If \(\mathcal {AH}\) is indistinguishable our scheme is private. Note: the random numbers do not leak any information, as they are distributed uniformly and are not ordered. Hence, we do not need to take them into account.

Proof. Let \(\mathcal {A}\) be an algorithm winning the privacy game. We can then use \(\mathcal {A}\) in an algorithm \(\mathcal {B}\) to break the indistinguishability of the accumulator \(\mathcal {AH}\). We construct \(\mathcal {B}\) using \(\mathcal {A}\) as follows:

  1. 1.

    \(\mathcal {B}\) generates a key pair of a signature scheme \(\varPi \).

  2. 2.

    It receives \(\mathtt{pk }\) of \(\mathcal {AH}\). Both public keys are forwarded to \(\mathcal {A}\).

  3. 3.

    For every request to the signing oracle, \(\mathcal {B}\) produces the expanded trees given \(\mathtt{ADM }\). Then, it uses its hashing-oracle to generate the accumulators, and then proceeds honestly as the original algorithm would do. Finally, it returns the generated signature \(\sigma \) to \(\mathcal {A}\).

  4. 4.

    For queries to the Left-or-Right oracle, \(\mathcal {B}\) extracts the common elements to be accumulated for both trees — this set is denoted \(\mathcal {S}\). Note, \(\mathcal {S}\) may be empty. The additional elements for the first hash are denoted \(\mathcal {R}_0\), and \(\mathcal {R}_1\) for the second one. \(\mathcal {B}\) now queries its own Left-or-Right oracle with \((\mathcal {S},\mathcal {R}_0,\mathcal {R}_1)\) for each hash. The result is used as the accumulator and the witnesses required: \(\mathcal {B}\) genuinely performs the rest of the signing algorithm and hands over the result to \(\mathcal {A}\).

  5. 5.

    Eventually, \(\mathcal {A}\) outputs its own guess \(d\).

  6. 6.

    \(\mathcal {B}\) outputs \(d\) as its own guess.

As we only pass queries, \(\mathcal {B}\) succeeds, whenever \(\mathcal {A}\) succeeds.

Our Construction is Transparent. We already know that our scheme is private. As neither the underlying signature, nor the witness’ values, nor the accumulator itself change during a redaction, no building block leaks additional information. Transparency follows.

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

de Meer, H., Pöhls, H.C., Posegga, J., Samelin, K. (2014). Redactable Signature Schemes for Trees with Signer-Controlled Non-Leaf-Redactions. In: Obaidat, M., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2012. Communications in Computer and Information Science, vol 455. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44791-8_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-44791-8_10

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44790-1

  • Online ISBN: 978-3-662-44791-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation