Efficient Unlinkable Sanitizable Signatures from Signatures with Re-randomizable Keys

In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. ESORICS 2005 introduced this primitive and proposed five security properties which were formalized by Brzuska et al.i¾?PKC 2009. Subsequently, Brzuska et al. PKC 2010 suggested an additional security notion, called unlinkability which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations. Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient $$\varSigma $$Σ-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al.i¾?with the most efficient group signature schemes.

[1]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[2]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[3]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[4]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[5]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[6]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[7]  Ron Steinfeld,et al.  Content Extraction Signatures , 2001, ICISC.

[8]  M. Kasahara,et al.  A New Traitor Tracing , 2002, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[9]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[10]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[11]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[12]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[13]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[14]  Jun Furukawa,et al.  Group Signatures with Separate and Distributed Authorities , 2004, SCN.

[15]  Gene Tsudik,et al.  Sanitizable Signatures , 2005, ESORICS.

[16]  Marek Klonowski,et al.  Extended Sanitizable Signatures , 2006, ICISC.

[17]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[18]  Dan Boneh,et al.  Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups , 2008, Journal of Cryptology.

[19]  Eike Kiltz,et al.  Programmable Hash Functions and Their Applications , 2008, CRYPTO.

[20]  Florian Volk,et al.  Security of Sanitizable Signatures Revisited , 2009, Public Key Cryptography.

[21]  Jia Xu,et al.  Short Redactable Signatures Using Random Trees , 2009, CT-RSA.

[22]  Sébastien Canard,et al.  On Extended Sanitizable Signature Schemes , 2010, CT-RSA.

[23]  Stefan Katzenbeisser,et al.  Redactable Signatures for Tree-Structured Data: Definitions and Constructions , 2010, ACNS.

[24]  Marc Fischlin,et al.  Unlinkability of Sanitizable Signatures , 2010, Public Key Cryptography.

[25]  Bogdan Warinschi,et al.  Secure Proxy Signature Schemes for Delegation of Signing Rights , 2010, Journal of Cryptology.

[26]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[27]  Rob Johnson,et al.  Homomorphic Signatures for Digital Photographs , 2011, Financial Cryptography.

[28]  David Mandell Freeman,et al.  Improved Security for Linearly Homomorphic Signatures: A Generic Framework , 2012, Public Key Cryptography.

[29]  Henrich Christopher Pöhls,et al.  Non-interactive Public Accountability for Sanitizable Signatures , 2012, EuroPKI.

[30]  Sébastien Canard,et al.  Sanitizable Signatures with Several Signers and Sanitizers , 2012, AFRICACRYPT.

[31]  Georg Fuchsbauer,et al.  Policy-Based Signatures , 2013, IACR Cryptol. ePrint Arch..

[32]  Henrich Christopher Pöhls,et al.  Efficient and Perfectly Unlinkable Sanitizable Signatures without Group Signatures , 2013, EuroPKI.

[33]  Marc Fischlin,et al.  Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures , 2013, IACR Cryptol. ePrint Arch..

[34]  Thomas Peters,et al.  Efficient Completely Context-Hiding Quotable and Linearly Homomorphic Signatures , 2013, Public Key Cryptography.

[35]  Pedro Franco,et al.  Understanding Bitcoin: Cryptography, Engineering and Economics , 2014 .

[36]  Henrich Christopher Pöhls,et al.  On Updatable Redactable Signatures , 2014, ACNS.

[37]  Dario Catalano,et al.  Homomorphic Signatures and Message Authentication Codes , 2014, SCN.

[38]  Shafi Goldwasser,et al.  Functional Signatures and Pseudorandom Functions , 2014, Public Key Cryptography.

[39]  Daniel Slamanig,et al.  Rethinking Privacy for Extended Sanitizable Signatures and a Black-Box Construction of Strongly Private Schemes , 2015, IACR Cryptol. ePrint Arch..

[40]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.