Trapdoor Sanitizable and Redactable Signatures with Unlinkability, Invisibility and Strong Context-Hiding

Abstract

In trapdoor sanitizable signatures (TSS) (ACNS’08), a signer can partially delegate its signing ability to someone. When signing a message, the signer chooses its sanitizable parts. Each signature is associated with a trapdoor, enabling any entity arbitrarily to modify the sanitizable parts while retaining validity of the signature. In previous TSS, the sanitizable parts are permanently sanitizable. We formalize sanitization-controllable TSS, where the sanitizable parts can be partially (and irreversibly) changed into fixed. We formally define its security notions, including unlinkablity (any sanitized signature and its trapdoor cannot be linked to their original ones), invisibility (each signature leaks no information about its sanitizable parts) and strong context-hiding (SCH) (any sanitized signature and its trapdoor distribute like fresh ones). We propose a generic transformation from a downgrade-controllable downgradable affine MAC (DAMAC), which is a generalization of DAMAC (CT-RSA’19). Our TSS scheme is the first TSS scheme satisfying unlinkability or invisibility. In redactable signatures (ICISC’01), we can partially black out a signed message. We formalize disclosure-controllable trapdoor redactable signatures (TRS). We propose a generic transformation from a sanitization-controllable TSS. Our TRS scheme is the first unlinkable and disclosure-controllable (T)RS scheme.

A Proof of Theorem 5 (on Six Implications among the Security Notions of TSS)

Each implication holds in either of the statistical and perfect formalizations. For instance, if a TSS scheme is statistically (resp. perfectly) \(\texttt {TRN}\), then it is statistically (resp. perfectly) \(\texttt {PRV}\). In this subsection, we prove only the statistical implications. The perfect ones can be proven analogously.

(1) \(\texttt {wEUF-CMA}' \wedge \texttt {SCH}\implies \texttt {wEUF-CMA}\). Let \(\boldsymbol{Expt}_0\) denote the standard \(\texttt {wEUF-CMA}\) experiment, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS},\mathcal {A},l}^\texttt {wEUF-CMA}\). Let \(q_{\textsf{z}}\in \mathbb {N}\) denote number that \(\mathcal {A}\) uses the sanitizing oracle \(\mathfrak {Sanit}\). We introduce some experiments. For \(i\in [1,q_{\textsf{z}}]\), \(\boldsymbol{Expt}_{i}\) is identical to \(\boldsymbol{Expt}_{i-1}\) except that on the i-th query to \(\mathfrak {Sanit}\) the signature \(\overline{\sigma }\) is generated directly by the signing algorithm \(\texttt{Sig}\) but not by the sanitizing algorithm \(\texttt{Sanit}\). Let \(W_i\) denote the event where \(\boldsymbol{Expt}_{i}\) outputs 1. We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {wEUF-CMA}}(\lambda ) = \Pr [W_0] \le \sum _{i=1}^{q_{\textsf{z}}} \left| \Pr [W_{i-1}]-\Pr [W_i]\right| + \Pr [W_{q_{\textsf{z}}}] \le q_{\textsf{z}}\cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_1,l}^{\texttt {SCH}}(\lambda ) + \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_2,l}^{\texttt {wEUF-CMA}'}(\lambda )\). The last inequality is because of the following two statements. We omit their proofs because they are straightforward.

• For any \(i\in [1,q_{\textsf{z}}]\), there exists a PPTA \(\mathcal {B}_1\), \(|\Pr [W_{i-1}]-\Pr [W_i]| \le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_1,l}^{\texttt {SCH}}(\lambda )\).

• There exists a PPTA \(\mathcal {B}_2\), \(\Pr [W_{q_{\textsf{z}}}] \le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_2,l}^{\texttt {wEUF-CMA}'}(\lambda )\).

   \(\square \)

(2) \(\texttt {INV}' \wedge \texttt {SCH}\implies \texttt {INV}\). This proof is basically the same as the proof of the first implication (1), which is omitted because of the page restriction.    \(\square \)

(3) \(\texttt {TRN}\) \(\implies \) \(\texttt {PRV}\). We temporarily introduce an experiment \(\boldsymbol{Expt}_{temp}\). The experiment is the same as the standard \(\texttt {PRV}\) experiment w.r.t. \(\varSigma _\textrm{TSS}\) parameterized by \(b\in \{0,1\}\), i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS},\mathcal {A},b}^{\texttt {PRV}}\), except that the signature \(\overline{\sigma }\) and its trapdoor \(\overline{td}\) on \(\mathfrak {SigSanitLR}\) are directly generated by the signing algorithm \(\texttt{Sig}\). The experiment is formally described as follows.

Let \(W_{0}\) (resp. \(W_{1}, W_{temp}\)) denote the event where \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}},\mathcal {A},0}^{\texttt {PRV}}\) (resp. \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}},\mathcal {A},0}^{\texttt {PRV}}\), \(\boldsymbol{Expt}_{temp}\)) outputs 1. By the triangle inequality, we obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS}, \mathcal {A}, l}^\texttt {PRV}= | \Pr [W_0] - \Pr [W_1] | \le | \Pr [W_0] - \Pr [W_{temp}] | + | \Pr [W_{temp}] - \Pr [W_{1}] |\). Obviously, if we can prove that \(\forall b\in \{0,1\}\), \(\exists \) a PPT simulator \(\mathcal {B}_{b}\) s.t. \(|\Pr [W_b] - \Pr [W_{temp}] | = \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_{b},l}^\texttt {TRN}(\lambda )\), then the proof of the theorem is done. The simulator \(\mathcal {B}_b\) uses \(\mathcal {A}\) which tries to distinguish \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {A}, b}^\texttt {PRV}\) from \(\boldsymbol{Expt}_{temp}\) as a sub-routine to distinguish the \(\texttt {TRN}\) experiments. \(\mathcal {B}_{b}\) behaves as follows.

Firstly, let us consider the case where the \(\texttt {TRN}\) experiment is the first one parameterized by 0, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {B}_{b}, 0}^\texttt {TRN}\). In this case, \(\mathcal {B}_{b}\) unconsciously perfectly simulates the \(\texttt {PRV}\) experiment, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {A}, b}^\texttt {PRV}\), to \(\mathcal {A}\). Since \(\mathcal {B}_b\) directly outputs what \(\mathcal {A}\) outputs, it holds that \(\Pr [W_b] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}_b, 0}^{\texttt {TRN}}(1^\lambda , l)]\). Secondly, let us consider the case where the \(\texttt {TRN}\) experiment is the second one parameterized by 1, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {B}_{b}, 1}^\texttt {TRN}\). In this case, \(\mathcal {B}_{b}\) perfectly simulates \(\boldsymbol{Expt}_{temp}\) to \(\mathcal {A}\). It holds that \(\Pr [W_{temp}] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}_b, 1}^{\texttt {TRN}}(1^\lambda , l)]\).    \(\square \)

(4) \(\texttt {UNL}\implies \texttt {PRV}\). The standard \(\texttt {PRV}\) experiment parameterized by \(b\in \{0,1\}\) is denoted by \(\boldsymbol{Expt}_{b}\). Let \(W_{b}\) denote the event where \(\boldsymbol{Expt}_{b}\) outputs 1. We prove that there exists a PPT simulator \(\mathcal {B}\) such that \( \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {PRV}}(\lambda ) = |\Pr [W_0] - \Pr [W_1] | = \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {UNL}(\lambda )\). The simulator \(\mathcal {B}\) uses \(\mathcal {A}\) which tries to distinguish the \(\texttt {PRV}\) experiments as a sub-routine to distinguish the \(\texttt {UNL}\) experiments.

If the \(\texttt {UNL}\) experiment is \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 0}^{\texttt {UNL}}\), then \(\mathcal {B}\) perfectly simulates \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {A}, 0}^{\texttt {PRV}}\) to \(\mathcal {A}\). Since \(\mathcal {B}\) directly outputs what \(\mathcal {A}\) outputs, \(\Pr [W_0] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 0}^{\texttt {UNL}}(1^\lambda , l)]\). Analogously, we obtain \(\Pr [W_1] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 1}^{\texttt {UNL}}(1^\lambda , l)]\).    \(\square \)

(5) \(\texttt {SCH}\implies \texttt {TRN}\). In this proof, \(q_{\textsf{z}\textsf{s}}\in \mathbb {N}\) denotes total number that \(\mathcal {A}\) uses the oracle of \(\mathfrak {Sanit/Sig}\). For each \(i\in [0,q_{\textsf{z}\textsf{s}}]\), we define an experiment \(\boldsymbol{Expt}_{i}\). \(\boldsymbol{Expt}_0\) is identical to the standard \(\texttt {TRN}\) experiment parameterized by \(b=0\). For \(i\in [1,q_{\textsf{z}\textsf{s}}]\), \(\boldsymbol{Expt}_i\) is identical to \(\boldsymbol{Expt}_{i-1}\) except that on the i-th query to \(\mathfrak {Sanit/Sig}\) a pair \((\overline{\sigma },\overline{td})\) of signature and trapdoor is directly generated by the algorithm of \(\texttt{Sig}\), i.e., \((\overline{\sigma },\overline{td})\leftarrow \texttt{Sig}({sk},\overline{{m}},\overline{\mathbb {T}})\). Obviously, \(\boldsymbol{Expt}_{q_{\textsf{z}\textsf{s}}}\) is identical to the standard \(\texttt {TRN}\) experiment parameterized by \(b=1\). We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {TRN}}(\lambda ) = |\Pr [1\leftarrow \boldsymbol{Expt}_0(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{q_{\textsf{z}\textsf{s}}}(1^\lambda , l)] | \le \sum _{i=1}^{q_{\textsf{z}\textsf{s}}} |\Pr [1\leftarrow \boldsymbol{Expt}_{i-1}(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{i}(1^\lambda , l)] | \le q_{\textsf{z}\textsf{s}}\cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). The last transformation is because of the fact that for every i there exists a probabilistic algorithm \(\mathcal {B}\) s.t. \(|\Pr [1\leftarrow \boldsymbol{Expt}_{i-1}(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{i}(1^\lambda , l)] |\le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). We omit its proof because it is straightforward.    \(\square \)

(6) \(\texttt {SCH}\implies \texttt {UNL}\). In this proof, the standard \(\texttt {UNL}\) experiment parameterized by \(b\in \{0,1\}\) is shortly denoted by \(\boldsymbol{Expt}_{b,0}\). Let \(q_{\textsf{z}},q_{\textsf{z}}'\in \mathbb {N}\) denote total number that \(\mathcal {A}\) uses the oracles of \(\mathfrak {Sanit}\) and \(\mathfrak {SanitLR}\), respectively. For \(i\in [1,q_{\textsf{z}}+q_{\textsf{z}}']\), \(\boldsymbol{Expt}_{b,i}\) denotes an experiment which is the same as \(\boldsymbol{Expt}_{b,i-1}\) except that on the i-th query to \(\mathfrak {Sanit}\) or \(\mathfrak {SanitLR}\) a sanitized signature \(\overline{\sigma }\) and its trapdoor \(\overline{td}\) are directly generated by \(\texttt{Sig}\). For \(b\in \{0,1\},i\in [0,q_{\textsf{z}}+q_{\textsf{z}}']\), \(W_{b,i}\) denotes the event where \(\boldsymbol{Expt}_{b,i}\) outputs 1. We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {UNL}}(\lambda ) = |\Pr [W_{0,0}] - \Pr [W_{1,0}] | \le \sum _{b=0}^{1} \sum _{i=1}^{q_{\textsf{z}}+q_{\textsf{z}}'} |\Pr [W_{b,i-1}] - \Pr [W_{b,i}] | \le 2(q_{\textsf{z}}+q_{\textsf{z}}') \cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). We used the following statement, which can be proven straightforwardly.

• For each \(b \in \{0,1\}\) and each \(i\in [1,q_{\textsf{z}}+q_{\textsf{z}}']\), there exists a probabilistic algorithm \(\mathcal {B}\) s.t. \(|\Pr [W_{b,i-1}] - \Pr [W_{b,i}] |\le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\).

   \(\square \)