Abstract
In trapdoor sanitizable signatures (TSS) (ACNS’08), a signer can partially delegate its signing ability to someone. When signing a message, the signer chooses its sanitizable parts. Each signature is associated with a trapdoor, enabling any entity to arbitrarily modify the sanitizable parts while retaining validity of the signature. In previous TSS, the sanitizable parts are permanently sanitizable. We formalize sanitization-controllable TSS, where the sanitizable parts can be partially (and irreversibly) changed into fixed. We formally define its security notions, including unlinkability (any sanitized signature and its trapdoor cannot be linked to their original ones), invisibility (each signature leaks no information about its sanitizable parts) and strong context-hiding (SCH) (any sanitized signature and its trapdoor distribute like fresh ones). We propose a generic transformation from a downgrade-controllable downgradable affine MAC (DAMAC), which is a generalization of DAMAC (CT-RSA’19). Our TSS scheme is the first TSS scheme satisfying unlinkability or invisibility. In redactable signatures (ICISC’01), we can partially black out a signed message. We formalize disclosure-controllable trapdoor redactable signatures (TRS). We propose a generic transformation from a sanitization-controllable TSS. Our TRS scheme is the first unlinkable and disclosure-controllable (T)RS scheme.
Notes
1. In transparent SS, it is unknown whether the signer or the sanitizer generated the signature. In some applications, accountability is required. Specifically, any signer can prove the fact that she has (or has not) generated the signature. As related security requirements, signer-accountability and sanitizer-accountability have been defined [17].
2. Verifying whether invisibility and unlinkability of the underlying TSS are inherited by the NASS is an open problem.
3. \(\xleftarrow {\$}\) means that we select an element uniformly at random from a space.
4. In the previous model [21], there is a trapdoor-generation algorithm, enabling the signer to generate a trapdoor from a signature using her signing-key.
5. In this paper, \(\mathbb {I}_b(a)\) denotes a set of indices for all bits with value b in a.
6. The name of (consecutive) downgrade-controllability comes from (consecutive) disclosure-controllability for redactable signatures [33].
7. To make the inner-randomnesses explicit, we sometimes use notations like \(\tau \leftarrow \texttt{Tag}(sk_{{\textrm{MAC}}},{m},\mathbb {J}; \textbf{s},S)\) and \(\overline{\tau }\leftarrow \texttt{Down}({m},\tau ,\overline{{m}},\overline{\mathbb {J}};\overline{\textbf{s}},\overline{S})\).
8. If the original tag has been honestly generated by \(\texttt{Tag}\) or \(\texttt{Down}\), it holds that \(\overline{\textbf{e}}_i = h_i(\overline{{m}})\textbf{x}_i^\textsf{T}\overline{T}\), \(\overline{d}_i = h_i(\overline{{m}})\textbf{x}_i^\textsf{T}\overline{\textbf{t}}\), \(\overline{\textbf{w}}= \sum _{i=0}^l f_i(\overline{{m}}) \textbf{x}_i^\textsf{T}\overline{T}\) and \(\overline{u}= \sum _{i=0}^l f_i(\overline{{m}}) \textbf{x}_i^\textsf{T}\overline{\textbf{t}}+ x\).
9. When we say that a DAMAC system is \(\texttt {SCH}\)-secure, we mean the statistical one.
10. Let \(({\left[ \textbf{t}^*\right] }_{2},{\left[ u^*\right] }_{2},\cdots )\) denote the tag on \({m}^*\). She can correctly guess that by verifying whether \(e({\left[ h\right] }_{1},{\left[ u^*\right] }_{2}) = e({\left[ \textbf{h}_0\right] }_{1},{\left[ \textbf{t}^*\right] }_{2}) \cdot e({\left[ h_1\right] }_{1},{\left[ 1\right] }_{2})\) holds.
11. The name \(\texttt {PR-CMA1}\) comes from \(\texttt {IND}\)-\(\texttt {CCA1}\) for public-key encryption.
12. Precisely, they are deterministic and semi-probabilistic, respectively.
13. Let \(\texttt {Z}\in \{\texttt {TRN},\texttt {PRV},\texttt {UNL},\texttt {INV},\texttt {SCH},\texttt {INV}',\texttt {INV}^\dagger \}\). When we say for short that a scheme is \(\texttt {Z}\)-secure, we mean that it is statistically \(\texttt {Z}\)-secure.
14. Precisely, we should probably say that TSS is a sub-class of P-trapdoor HS.
15. From a secret-key for a set, we can derive a secret-key for any of its subsets.
16. The derived secret-key is re-randomized and distributes like a fresh secret-key.
17. This is because invisibility is a notion meaningful only for disclosure-controllable TRS (or sanitization-controllable TSS) schemes.
References
Abdalla, M., et al.: Wildcarded identity-based encryption. J. Cryptol. 24(1), 42–82 (2011)
Abdalla, M., Catalano, D., Dent, A.W., Malone-Lee, J., Neven, G., Smart, N.P.: Identity-based encryption gone wild. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 300–311. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_26
Abdalla, M., Kiltz, E., Neven, G.: Generalized key delegation for hierarchical identity-based encryption. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 139–154. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_10
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12
Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., shelat, A., Waters, B.: Computing on authenticated data. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 1–20. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_1
Ateniese, G., Chou, D.H., de Medeiros, B., Tsudik, G.: Sanitizable signatures. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 159–177. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_10
Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_23
Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_24
Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_19
Bethencourt, J., Boneh, D., Waters, B.: Cryptographic methods for storing ballots on a voting machine. In: NDSS 2007, pp. 209–222 (2007)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE SP 2007, pp. 321–334. IEEE (2007)
Birkett, J., Dent, A.W., Neven, G., Schuldt, J.C.N.: Efficient chosen-ciphertext secure identity-based encryption with wildcards. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 274–292. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73458-1_21
Blazy, O., Germouty, P., Phan, D.H.: Downgradable identity-based encryption and applications. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 44–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_3
Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_23
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26
Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_17
Brzuska, C., et al.: Security of sanitizable signatures revisited. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 317–336. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_18
Brzuska, C., Fischlin, M., Lehmann, A., Schröder, D.: Unlinkability of sanitizable signatures. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 444–461. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_26
Bultel, X., Lafourcade, P., Lai, R.W.F., Malavolta, G., Schröder, D., Thyagarajan, S.A.K.: Efficient invisible and unlinkable sanitizable signatures. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 159–189. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_6
Camenisch, J., Derler, D., Krenn, S., Pöhls, H.C., Samelin, K., Slamanig, D.: Chameleon-hashes with ephemeral trapdoors. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 152–182. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_6
Canard, S., Laguillaumie, F., Milhau, M.: Trapdoor sanitizable signatures and their application to content protection. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 258–276. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68914-0_16
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
Haber, S., et al.: Efficient signature schemes supporting redaction, pseudonymization, and data deidentification. In: AsiaCCS 2008, pp. 353–362. ACM (2008)
Kiltz, E., Mityagin, A., Panjwani, S., Raghavan, B.: Append-only signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 434–445. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_36
Kiltz, E., Neven, G.: Identity-based signatures. Identity-Based Cryptogr. 2(31), 75 (2009)
Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. In: NDSS 2000, pp. 143–154 (2000)
Langrehr, R., Pan, J.: Tightly secure hierarchical identity-based encryption. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 436–465. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_15
Langrehr, R., Pan, J.: Hierarchical identity-based encryption with tight multi-challenge security. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 153–183. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_6
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Libert, B., Joye, M., Yung, M., Peters, T.: Secure efficient history-hiding append-only signatures in the standard model. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 450–473. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_20
Miyazaki, K., Hanaoka, G., Imai, H.: Digitally signed document sanitizing scheme based on bilinear maps. In: AsiaCCS 2006, pp. 343–354. ACM (2006)
Miyazaki, K., et al.: Digitally signed document sanitizing scheme with disclosure condition control. IEICE Trans. 88-A(1), 239–246 (2005)
Samelin, K., Pöhls, H.C., Bilzhause, A., Posegga, J., de Meer, H.: Redactable signatures for independent removal of structure and content. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 17–33. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29101-2_2
Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_22
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4
Yum, D.H., Seo, J.W., Lee, P.J.: Trapdoor sanitizable signatures made easy. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 53–68. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_4
A Proof of Theorem 5 (on Six Implications among the Security Notions of TSS)
Each implication holds in either of the statistical and perfect formalizations. For instance, if a TSS scheme is statistically (resp. perfectly) \(\texttt {TRN}\), then it is statistically (resp. perfectly) \(\texttt {PRV}\). In this subsection, we prove only the statistical implications. The perfect ones can be proven analogously.
(1) \(\texttt {wEUF-CMA}' \wedge \texttt {SCH}\implies \texttt {wEUF-CMA}\). Let \(\boldsymbol{Expt}_0\) denote the standard \(\texttt {wEUF-CMA}\) experiment, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS},\mathcal {A},l}^\texttt {wEUF-CMA}\). Let \(q_{\textsf{z}}\in \mathbb {N}\) denote the number of queries that \(\mathcal {A}\) makes to the sanitizing oracle \(\mathfrak {Sanit}\). We introduce some experiments. For \(i\in [1,q_{\textsf{z}}]\), \(\boldsymbol{Expt}_{i}\) is identical to \(\boldsymbol{Expt}_{i-1}\) except that on the i-th query to \(\mathfrak {Sanit}\) the signature \(\overline{\sigma }\) is generated directly by the signing algorithm \(\texttt{Sig}\) rather than by the sanitizing algorithm \(\texttt{Sanit}\). Let \(W_i\) denote the event where \(\boldsymbol{Expt}_{i}\) outputs 1. We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {wEUF-CMA}}(\lambda ) = \Pr [W_0] \le \sum _{i=1}^{q_{\textsf{z}}} \left| \Pr [W_{i-1}]-\Pr [W_i]\right| + \Pr [W_{q_{\textsf{z}}}] \le q_{\textsf{z}}\cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_1,l}^{\texttt {SCH}}(\lambda ) + \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_2,l}^{\texttt {wEUF-CMA}'}(\lambda )\). The last inequality follows from the two statements below. We omit their proofs because they are straightforward.
- For any \(i\in [1,q_{\textsf{z}}]\), there exists a PPTA \(\mathcal {B}_1\) such that \(|\Pr [W_{i-1}]-\Pr [W_i]| \le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_1,l}^{\texttt {SCH}}(\lambda )\).
- There exists a PPTA \(\mathcal {B}_2\) such that \(\Pr [W_{q_{\textsf{z}}}] \le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_2,l}^{\texttt {wEUF-CMA}'}(\lambda )\).
\(\square \)
(2) \(\texttt {INV}' \wedge \texttt {SCH}\implies \texttt {INV}\). This proof is basically the same as the proof of the first implication (1), which is omitted because of the page restriction. \(\square \)
(3) \(\texttt {TRN}\) \(\implies \) \(\texttt {PRV}\). We temporarily introduce an experiment \(\boldsymbol{Expt}_{temp}\). The experiment is the same as the standard \(\texttt {PRV}\) experiment w.r.t. \(\varSigma _\textrm{TSS}\) parameterized by \(b\in \{0,1\}\), i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS},\mathcal {A},b}^{\texttt {PRV}}\), except that the signature \(\overline{\sigma }\) and its trapdoor \(\overline{td}\) on \(\mathfrak {SigSanitLR}\) are directly generated by the signing algorithm \(\texttt{Sig}\). The experiment is formally described as follows.
Let \(W_{0}\) (resp. \(W_{1}, W_{temp}\)) denote the event where \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}},\mathcal {A},0}^{\texttt {PRV}}\) (resp. \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}},\mathcal {A},1}^{\texttt {PRV}}\), \(\boldsymbol{Expt}_{temp}\)) outputs 1. By the triangle inequality, we obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS}, \mathcal {A}, l}^\texttt {PRV}(\lambda ) = | \Pr [W_0] - \Pr [W_1] | \le | \Pr [W_0] - \Pr [W_{temp}] | + | \Pr [W_{temp}] - \Pr [W_{1}] |\). Obviously, if we can prove that \(\forall b\in \{0,1\}\), \(\exists \) a PPT simulator \(\mathcal {B}_{b}\) s.t. \(|\Pr [W_b] - \Pr [W_{temp}] | = \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B}_{b},l}^\texttt {TRN}(\lambda )\), then the proof of the theorem is done. The simulator \(\mathcal {B}_b\) uses \(\mathcal {A}\), which tries to distinguish \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {A}, b}^\texttt {PRV}\) from \(\boldsymbol{Expt}_{temp}\), as a sub-routine to distinguish the \(\texttt {TRN}\) experiments. \(\mathcal {B}_{b}\) behaves as follows.
Firstly, let us consider the case where the \(\texttt {TRN}\) experiment is the first one parameterized by 0, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {B}_{b}, 0}^\texttt {TRN}\). In this case, \(\mathcal {B}_{b}\) unconsciously perfectly simulates the \(\texttt {PRV}\) experiment, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {A}, b}^\texttt {PRV}\), to \(\mathcal {A}\). Since \(\mathcal {B}_b\) directly outputs what \(\mathcal {A}\) outputs, it holds that \(\Pr [W_b] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}_b, 0}^{\texttt {TRN}}(1^\lambda , l)]\). Secondly, let us consider the case where the \(\texttt {TRN}\) experiment is the second one parameterized by 1, i.e., \(\boldsymbol{Expt}_{\varSigma _\textrm{TSS}, \mathcal {B}_{b}, 1}^\texttt {TRN}\). In this case, \(\mathcal {B}_{b}\) perfectly simulates \(\boldsymbol{Expt}_{temp}\) to \(\mathcal {A}\). It holds that \(\Pr [W_{temp}] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}_b, 1}^{\texttt {TRN}}(1^\lambda , l)]\). \(\square \)
(4) \(\texttt {UNL}\implies \texttt {PRV}\). The standard \(\texttt {PRV}\) experiment parameterized by \(b\in \{0,1\}\) is denoted by \(\boldsymbol{Expt}_{b}\). Let \(W_{b}\) denote the event where \(\boldsymbol{Expt}_{b}\) outputs 1. We prove that there exists a PPT simulator \(\mathcal {B}\) such that \( \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {PRV}}(\lambda ) = |\Pr [W_0] - \Pr [W_1] | = \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {UNL}(\lambda )\). The simulator \(\mathcal {B}\) uses \(\mathcal {A}\) which tries to distinguish the \(\texttt {PRV}\) experiments as a sub-routine to distinguish the \(\texttt {UNL}\) experiments.
If the \(\texttt {UNL}\) experiment is \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 0}^{\texttt {UNL}}\), then \(\mathcal {B}\) perfectly simulates \(\boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {A}, 0}^{\texttt {PRV}}\) to \(\mathcal {A}\). Since \(\mathcal {B}\) directly outputs what \(\mathcal {A}\) outputs, \(\Pr [W_0] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 0}^{\texttt {UNL}}(1^\lambda , l)]\). Analogously, we obtain \(\Pr [W_1] = \Pr [1\leftarrow \boldsymbol{Expt}_{\varSigma _{\textrm{TSS}}, \mathcal {B}, 1}^{\texttt {UNL}}(1^\lambda , l)]\). \(\square \)
(5) \(\texttt {SCH}\implies \texttt {TRN}\). In this proof, \(q_{\textsf{z}\textsf{s}}\in \mathbb {N}\) denotes the total number of queries that \(\mathcal {A}\) makes to the oracle \(\mathfrak {Sanit/Sig}\). For each \(i\in [0,q_{\textsf{z}\textsf{s}}]\), we define an experiment \(\boldsymbol{Expt}_{i}\). \(\boldsymbol{Expt}_0\) is identical to the standard \(\texttt {TRN}\) experiment parameterized by \(b=0\). For \(i\in [1,q_{\textsf{z}\textsf{s}}]\), \(\boldsymbol{Expt}_i\) is identical to \(\boldsymbol{Expt}_{i-1}\) except that on the i-th query to \(\mathfrak {Sanit/Sig}\) a pair \((\overline{\sigma },\overline{td})\) of signature and trapdoor is directly generated by the algorithm \(\texttt{Sig}\), i.e., \((\overline{\sigma },\overline{td})\leftarrow \texttt{Sig}({sk},\overline{{m}},\overline{\mathbb {T}})\). Obviously, \(\boldsymbol{Expt}_{q_{\textsf{z}\textsf{s}}}\) is identical to the standard \(\texttt {TRN}\) experiment parameterized by \(b=1\). We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {TRN}}(\lambda ) = |\Pr [1\leftarrow \boldsymbol{Expt}_0(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{q_{\textsf{z}\textsf{s}}}(1^\lambda , l)] | \le \sum _{i=1}^{q_{\textsf{z}\textsf{s}}} |\Pr [1\leftarrow \boldsymbol{Expt}_{i-1}(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{i}(1^\lambda , l)] | \le q_{\textsf{z}\textsf{s}}\cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). The last inequality holds because for every i there exists a probabilistic algorithm \(\mathcal {B}\) s.t. \(|\Pr [1\leftarrow \boldsymbol{Expt}_{i-1}(1^\lambda , l)] - \Pr [1\leftarrow \boldsymbol{Expt}_{i}(1^\lambda , l)] |\le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). We omit its proof because it is straightforward. \(\square \)
(6) \(\texttt {SCH}\implies \texttt {UNL}\). In this proof, the standard \(\texttt {UNL}\) experiment parameterized by \(b\in \{0,1\}\) is denoted for short by \(\boldsymbol{Expt}_{b,0}\). Let \(q_{\textsf{z}},q_{\textsf{z}}'\in \mathbb {N}\) denote the total numbers of queries that \(\mathcal {A}\) makes to the oracles \(\mathfrak {Sanit}\) and \(\mathfrak {SanitLR}\), respectively. For \(i\in [1,q_{\textsf{z}}+q_{\textsf{z}}']\), \(\boldsymbol{Expt}_{b,i}\) denotes an experiment which is the same as \(\boldsymbol{Expt}_{b,i-1}\) except that on the i-th query to \(\mathfrak {Sanit}\) or \(\mathfrak {SanitLR}\) a sanitized signature \(\overline{\sigma }\) and its trapdoor \(\overline{td}\) are directly generated by \(\texttt{Sig}\). For \(b\in \{0,1\},i\in [0,q_{\textsf{z}}+q_{\textsf{z}}']\), \(W_{b,i}\) denotes the event where \(\boldsymbol{Expt}_{b,i}\) outputs 1. We obtain \(\texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {A},l}^{\texttt {UNL}}(\lambda ) = |\Pr [W_{0,0}] - \Pr [W_{1,0}] | \le \sum _{b=0}^{1} \sum _{i=1}^{q_{\textsf{z}}+q_{\textsf{z}}'} |\Pr [W_{b,i-1}] - \Pr [W_{b,i}] | \le 2(q_{\textsf{z}}+q_{\textsf{z}}') \cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\). We used the following statement, which can be proven straightforwardly.
- For each \(b \in \{0,1\}\) and each \(i\in [1,q_{\textsf{z}}+q_{\textsf{z}}']\), there exists a probabilistic algorithm \(\mathcal {B}\) s.t. \(|\Pr [W_{b,i-1}] - \Pr [W_{b,i}] |\le \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\).
\(\square \)
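The hybrid step of proof (6), written out term by term as an added derivation that is not part of the original proof. The shorthand \(Q := q_{\textsf{z}}+q_{\textsf{z}}'\) is introduced here, and the equality \(\Pr [W_{0,Q}] = \Pr [W_{1,Q}]\) rests on an assumption about the \(\texttt {UNL}\) experiment, whose definition is not reproduced on this page.

Inserting the experiments \(\boldsymbol{Expt}_{0,1},\ldots ,\boldsymbol{Expt}_{0,Q}\) and \(\boldsymbol{Expt}_{1,Q},\ldots ,\boldsymbol{Expt}_{1,1}\) between \(\boldsymbol{Expt}_{0,0}\) and \(\boldsymbol{Expt}_{1,0}\) and applying the triangle inequality gives

\(|\Pr [W_{0,0}] - \Pr [W_{1,0}]| \le \sum _{i=1}^{Q} |\Pr [W_{0,i-1}] - \Pr [W_{0,i}]| + |\Pr [W_{0,Q}] - \Pr [W_{1,Q}]| + \sum _{i=1}^{Q} |\Pr [W_{1,i-1}] - \Pr [W_{1,i}]|\).

The bound stated in the proof has no middle term, so it uses \(\Pr [W_{0,Q}] = \Pr [W_{1,Q}]\). Assumption: in \(\boldsymbol{Expt}_{b,Q}\) every answer of \(\mathfrak {Sanit}\) and \(\mathfrak {SanitLR}\) is produced by \(\texttt{Sig}\) on the sanitized message alone, so the view of \(\mathcal {A}\) does not depend on \(b\). Under that assumption the middle term is 0 and

\(|\Pr [W_{0,0}] - \Pr [W_{1,0}]| \le \sum _{b=0}^{1} \sum _{i=1}^{Q} |\Pr [W_{b,i-1}] - \Pr [W_{b,i}]| \le 2Q \cdot \texttt {Adv}_{\varSigma _\textrm{TSS},\mathcal {B},l}^\texttt {SCH}(\lambda )\),

where the last step applies the per-hybrid statement above to each of the \(2Q\) summands. The security loss is therefore linear in the number of sanitizing queries, as in proofs (1) and (5), but with a factor 2 because both \(b=0\) and \(b=1\) are walked to the common endpoint.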
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Ishizaka, M., Fukushima, K., Kiyomoto, S. (2023). Trapdoor Sanitizable and Redactable Signatures with Unlinkability, Invisibility and Strong Context-Hiding. In: Seo, SH., Seo, H. (eds) Information Security and Cryptology – ICISC 2022. ICISC 2022. Lecture Notes in Computer Science, vol 13849. Springer, Cham. https://doi.org/10.1007/978-3-031-29371-9_17
DOI: https://doi.org/10.1007/978-3-031-29371-9_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29370-2
Online ISBN: 978-3-031-29371-9
eBook Packages: Computer Science (R0)