Public-Key Cryptography – PKC 2016, pp 301–330
Efficient Unlinkable Sanitizable Signatures from Signatures with Rerandomizable Keys
Abstract
In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties, which were formalized by Brzuska et al. (PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability, which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations.
Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature scheme with rerandomizable keys. Intuitively, this property allows one to rerandomize both the signing and the verification key separately but consistently. This allows us to sign the message with a rerandomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient \(\varSigma\)-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes.
Keywords: Sanitizable Signatures, Signature Scheme, Brzuska, Fiat-Shamir Transformation, Message-signature Pair
1 Introduction
Sanitizable signature schemes were introduced by Ateniese et al. [1], and similar primitives were concurrently proposed by Steinfeld et al. [42], by Miyazaki et al. [36], and by Johnson et al. [34]. The basic idea of this primitive is that the signer specifies parts of a (signed) message such that a dedicated third party, called the sanitizer, can change those parts of the message and adapt the signature accordingly. Sanitizable signatures have numerous applications, such as the anonymization of medical data, replacing commercials in authenticated media streams, or updates of reliable routing information [1]. After the first introduction of sanitizable signatures in [1], the desired security properties were formalized by Brzuska et al. [11]. At PKC 2010, Brzuska et al. [12] identified an important missing property called unlinkability. Loosely speaking, this notion ensures that one cannot link sanitized message-signature pairs of the same document. This property is essential in applications like the sanitization of medical records because it prevents the attacker from combining information from several sanitized versions of a document in order to reconstruct (parts of) the original document. The authors also showed that unlinkable sanitizable signatures can be constructed from group signatures [4] having the property that the keys of the signers can be computed independently of, and in particular before, the keys of the group manager. However, to this date, no efficient group signature scheme with the required properties is known, which also means that no efficient unlinkable sanitizable signature scheme is known. This leaves us in an unsatisfactory situation: either we use efficient sanitizable signature schemes that only achieve a subset of the security properties [1, 11], or we have to rely on an inefficient black-box construction of unlinkable sanitizable signatures.
In this work, we close this gap by presenting the first efficient unlinkable sanitizable signature scheme that achieves all security properties. The instantiation of our scheme only requires 15 exponentiations for signing, 17 for verification, and 14 for sanitizing a message-signature pair. This is at least one order of magnitude faster than the fastest previously known construction. For a detailed performance comparison, refer to Sect. 1.2.
1.1 Overview of Our Construction
In this section, we describe the main idea of our construction and the underlying techniques. Our solution is based on a novel type of digital signature scheme called signatures with perfectly rerandomizable keys. This type of signature scheme allows one to rerandomize both the signing and the verification key separately. It is required that the rerandomization is perfect, meaning that rerandomized keys must have the same distribution as the original key. The new unforgeability notion for this type of signature scheme requires that it is infeasible for an attacker to output a forgery under either the original or a rerandomized key, even if the randomness is controlled by the attacker.
We show that this notion does not trivially follow from the regular notion of unforgeability. In fact, only a few signature schemes having rerandomizable keys achieve our notion of unforgeability under rerandomizable keys. We demonstrate this fact by showing concrete attacks against some well-known unforgeable signature schemes that have rerandomizable keys. In particular, we show that the signature scheme of Boneh and Boyen [6] and the one of Camenisch and Lysyanskaya [15] have rerandomizable keys, but are insecure with respect to our stronger security notion. We stress that these attacks have no implications for the original security proofs; they only show that these schemes cannot be used as an instantiation. On the positive side, we prove that Schnorr’s signature scheme [40, 41] has rerandomizable keys and fulfills our security notion. It is well known that Schnorr’s signature scheme [40, 41] is one of the most efficient signature schemes based on the discrete logarithm assumption. Moreover, we also propose an instantiation of signature schemes with rerandomizable keys in the standard model by slightly modifying the signature scheme of Hofheinz and Kiltz [31, 32].
Apart from their usefulness in constructing highly efficient sanitizable signatures, this primitive may also be of independent interest. A second possible application of signature schemes with rerandomizable keys are stealth addresses [27] in Bitcoin or other cryptocurrencies. On a very high level, Bitcoin replaces bank accounts with keys of a signature scheme. Money transactions in Bitcoin transfer money from one public key to another and are only valid if they are signed with the secret key of the payer. All transactions are logged in a public log data structure, the block chain, which can be used to verify the validity of new transactions as well as to track money flow in Bitcoin. Our signatures with rerandomizable keys provide a conceptually very simple solution for so-called stealth addresses. Consider a Bitcoin donation address on a website to support the host of the website or to donate money to the website for a good cause. A donor may be unwilling to donate money if he can be linked to the website or to other donors by the block chain. Using signatures with rerandomizable keys, a donor can take the donation address, rerandomize it, pay the money to the rerandomized address, and transmit the rerandomization factor to the recipient through a non-public channel, such as e-mail. The recipient can use the given rerandomization factor to rerandomize his corresponding secret key and thereby further transfer the received money. Such addresses that are related in some invisible way to the recipient are called stealth addresses. For a more detailed treatment of Bitcoin and the existing stealth address mechanism see [27].
Construction of Unlinkable Sanitizable Signature Schemes. Our construction is based on signature schemes that have perfectly rerandomizable keys. To sign a message m, the signer first splits the message into the parts that cannot be modified by the sanitizer and those that may be changed. Subsequently, the signer authenticates the entire message using a signature scheme with rerandomizable keys. However, the signer cannot sign the message directly with its own key, as this would reveal the identity of the signer. Instead, the signer chooses a randomness \(\rho\), rerandomizes their key pair, and then proves, in zero-knowledge, that the derived public key is a rerandomization of either the signer’s or the sanitizer’s key.
Sanitizing a message follows the same idea: the sanitizer modifies the message, signs it with a rerandomized version of their key pair, and appends a zero-knowledge proof for the same language.
To turn this idea into an efficient scheme, we propose an efficient sigma protocol tailored to our problem, which we then convert via the Fiat-Shamir transformation [24] into an efficient non-interactive zero-knowledge proof. The main observation is that our zero-knowledge proofs prove only simple statements about the keys, and not statements about encrypted signatures that verify under either the signer’s or the sanitizer’s public key. Since the corresponding language is much simpler than in this standard “encrypt-and-prove” approach, it has much shorter statements, and thus the resulting zero-knowledge proofs are significantly more efficient.
1.2 Evaluation and Comparison
Comparison of the dominant operations in our construction, instantiated as described in Sect. 5, with the construction of Brzuska et al. [12] instantiated with Schnorr signatures and the group signature schemes of Groth [30] and Furukawa and Yonezawa [29], respectively. E and P stand for group exponentiations and pairing evaluations, respectively.

| | \(\mathsf{KGen}_{sig}\) | \(\mathsf{KGen}_{san}\) | \(\mathsf{Sign}\) | \(\mathsf{Sanit}\) | \(\mathsf{Verify}\) | \(\mathsf{Proof}\) | \(\mathsf{Judge}\) |
|---|---|---|---|---|---|---|---|
| This paper | 7E | 1E | 15E | 14E | 17E | 23E | 6E |
| [12] with [30] | 1E | 1E | 194E + 2P | 186E + 1P | 207E + 62P | 14E + 1P | 1E + 2P |
| [12] with [29] | 1E | 4E | 2831E | 2814E | 2011E | 18E | 2E |

Comparison of the key, signature, and proof sizes in our construction, instantiated as described in Sect. 5, with the construction of Brzuska et al. [12] instantiated with Schnorr signatures and the group signature schemes of Groth [30] and Furukawa and Yonezawa [29], respectively. Here \(\mathsf{pk}_{sig}\), \(\mathsf{sk}_{sig}\), \(\mathsf{pk}_{san}\), and \(\mathsf{sk}_{san}\) refer to the signer’s and sanitizer’s public and secret keys, while \(\sigma\) refers to the signature, and \(\pi\) refers to the proof that is used to determine accountability. The sizes are measured in group elements. For the sake of simplicity we do not distinguish between elements of different groups such as \(\mathbb{Z}_q\) and \(\mathbb{G}\). This simplification slightly favors [12] using [30], since group signatures in this scheme consist exclusively of \(\mathbb{G}\)-elements.
Thus, it is easy to see that our solution is the first scheme that is efficient enough to be used in practice today.
1.3 Related Work
Ateniese et al. [1] first introduced sanitizable signatures and gave an informal description of the following properties: Unforgeability ensures that only the honest signer and sanitizer can create valid signatures. Immutability says that the (malicious) sanitizer can only modify designated parts of the message. Transparency guarantees that signatures computed by the signer and the sanitizer are indistinguishable. Accountability demands that, with the help of the signer, a proof of authorship can be generated, such that neither the malicious signer nor the malicious sanitizer can deny authorship of the message. These properties were later formalized by Brzuska et al. [11], and the unlinkability property was introduced by Brzuska et al. in [12]. Later, in [13], Brzuska et al. introduced the notion of non-interactive public accountability, which allows a third party, without help from the signer, to determine whether a message originates from the signer or the sanitizer. In [14], the same authors provide a slightly stronger unlinkability notion and an instantiation that has non-interactive public accountability and achieves their new unlinkability notion. However, non-interactive accountability and transparency are mutually exclusive. That is, no scheme can fulfill both properties at the same time. In this work we focus on schemes that have (interactive) accountability and transparency. Another line of research, initiated by Klonowski and Lauks [35] and continued by Canard and Jambert [16], considers different methods for limiting the allowed operations of the sanitizer. That is, they show how to limit the set of possible modifications on one single block and how to enforce the same modifications on different message blocks. In [17], Canard et al. extend sanitizable signatures to the setting with multiple signers and sanitizers. Recently, Derler and Slamanig suggested a security notion that is stronger than privacy but weaker than unlinkability [23].
Other types of malleable signature schemes, such as homomorphic signatures [2, 8, 18, 28, 33, 34] or redactable signatures [10, 19, 34, 37, 42], where parts of the signed message can be removed, are closely related to sanitizable signatures, but they aim at related yet different problems, have different security notions, and are not directly applicable to the problem of efficient unlinkable sanitizable signatures. In [5], Boldyreva et al. deal with proxy signature schemes for delegating signing rights. In such schemes a designator can delegate signing rights to a proxy signer, who can then sign messages on behalf of the designator. However, in such a scheme the proxy signatures are publicly distinguishable from signatures created by the designator, which would break the transparency property of sanitizable signature schemes. Policy-based signatures [3] allow a signer to delegate signing rights in connection with a policy that specifies which messages can be signed with the delegated signing key. In addition, they require that the delegation policy remains hidden. In a similar vein to [3], the authors of [9] explore the possibilities of delegating signing keys for arbitrary functions. That is, using the delegated signing key one can sign functions of the message that correspond to the key. These works give theoretical solutions to the discussed problems, but are too slow for practical use due to the cryptographic tools they rely on.
2 Sanitizable Signatures
Sanitizable signature schemes allow the delegation of signing capabilities to a designated third party, called the sanitizer. These delegation capabilities are realized by letting the signer “attach” a description of the admissible modifications \(\textsc{Adm}\) for this particular message and sanitizer. The sanitizer may then change the message according to some modification \(\textsc{Mod}\) and update the signature using their private key. More formally, the signer holds a key pair \((\mathsf{sk}_{sig},\mathsf{pk}_{sig})\) and signs a message m and the description of the admissible modifications \(\textsc{Adm}\) for some sanitizer \(\mathsf{pk}_{san}\) with its private key \(\mathsf{sk}_{sig}\). The sanitizer, having a matching private key \(\mathsf{sk}_{san}\), can update the message according to some modification \(\textsc{Mod}\) and compute a signature using his secret key \(\mathsf{sk}_{san}\). In case of a dispute about the origin of a message-signature pair, the signer can compute a proof \(\pi\) (using an algorithm \(\mathsf{Proof}\)) from previously signed messages that proves that a signature has been created by the sanitizer. The verification of this proof is done by an algorithm \(\mathsf{Judge}\) (that only decides the origin of a valid message-signature pair in question; for invalid pairs such decisions are in general impossible).
Admissible Modifications. Following [11, 12] closely, we assume that \(\textsc{Adm}\) and \(\textsc{Mod}\) are (descriptions of) efficient deterministic algorithms such that \(\textsc{Mod}\) maps any message m to the modified message \(m' = \textsc{Mod}(m)\), and \(\textsc{Adm}(\textsc{Mod}) \in \{0,1\}\) indicates whether the modification is admissible and matches \(\textsc{Adm}\), in which case \(\textsc{Adm}(\textsc{Mod}) = 1\). By \(\textsc{Fix}_\textsc{Adm}\) we denote an efficient deterministic algorithm that is uniquely determined by \(\textsc{Adm}\) and which maps m to the immutable message part \(\textsc{Fix}_\textsc{Adm}(m)\), e.g., for block-divided messages \(\textsc{Fix}_\textsc{Adm}(m)\) is the concatenation of all blocks not appearing in \(\textsc{Adm}\). We require that admissible modifications leave the fixed part of a message unchanged, i.e., \(\textsc{Fix}_\textsc{Adm}(m) = \textsc{Fix}_\textsc{Adm}(\textsc{Mod}(m))\) for all \(m \in \{0,1\}^{*}\) and all \(\textsc{Mod}\) with \(\textsc{Adm}(\textsc{Mod}) = 1\). Analogously, to avoid choices like \(\textsc{Fix}_\textsc{Adm}\) having empty output, we also require that the fixed part must be “maximal” given \(\textsc{Adm}\), i.e., \(\textsc{Fix}_\textsc{Adm}(m') \ne \textsc{Fix}_\textsc{Adm}(m)\) for \(m' \notin \{ \textsc{Mod}(m) \mid \textsc{Mod} \text{ with } \textsc{Adm}(\textsc{Mod}) = 1 \}\).
2.1 Definition of Sanitizable Signatures
The following definition of sanitizable signature schemes is taken verbatim from [11, 12].
Definition 1
(Sanitizable Signature Scheme). A sanitizable signature scheme \(\mathrm {SanS} =(\mathsf {KGen}_{sig}, \mathsf {KGen}_{san}, \mathsf {Sign}, \mathsf {Sanit}, \mathsf {Verify}, \mathsf {Proof}, \mathsf {Judge})\) consists of seven algorithms:
For a sanitizable signature scheme the usual correctness properties should hold, saying that genuinely signed or sanitized messages are accepted and that a genuinely created proof by the signer leads the judge to decide in favor of the signer. For a formal approach to correctness see [11].
2.2 Security of Sanitizable Signatures
In this section we recall the security notions of sanitizable signatures given by Brzuska et al. [11, 12], following their description closely. The authors defined unforgeability, privacy, immutability, accountability, transparency, and unlinkability, and showed that signer and sanitizer accountability together imply unforgeability and that unlinkability implies privacy. Therefore, we only focus on the necessary definitions and omit unforgeability and privacy.
Immutability. Informally, this property says that a malicious sanitizer cannot change inadmissible blocks. This is formalized in a model where the malicious sanitizer \(\mathcal{A}\) interacts with the signer to obtain signatures \(\sigma_i\) for messages \(m_i\), descriptions \(\textsc{Adm}_i\), and keys \(\mathsf{pk}_{san,i}\) of its choice. Eventually, the attacker stops, outputting a valid pair \((\mathsf{pk}_{san}^*, m^*, \sigma^*)\) such that message \(m^*\) is not a “legitimate” transformation of one of the \(m_i\)’s under the same key \(\mathsf{pk}_{san}^* = \mathsf{pk}_{san,i}\). The latter is formalized by requiring that for each query \(\mathsf{pk}_{san}^* \ne \mathsf{pk}_{san,i}\) or \(m^* \notin \{ \textsc{Mod}(m_i) \mid \textsc{Mod} \text{ with } \textsc{Adm}_i(\textsc{Mod}) = 1 \}\) for the value \(\textsc{Adm}_i\) in \(\sigma_i\). This requirement enforces that for block-divided messages \(m^*\) and \(m_i\) differ in at least one inadmissible block. Observe that this definition also covers the case where the adversary interacts with several sanitizers simultaneously, because it can query the signer for several sanitizer keys \(\mathsf{pk}_{san,i}\).
Definition 2
Accountability. This property demands that the origin of a (possibly sanitized) signature should be undeniable. We distinguish between sanitizer-accountability and signer-accountability and formalize each security property in the following. Signer-accountability says that, if a message and its signature have not been sanitized, then even a malicious signer should not be able to make the judge accuse the sanitizer.
In the sanitizer-accountability game let \(\mathcal{A}_{\mathsf{Sanit}}\) be an efficient adversary playing the role of the malicious sanitizer. Adversary \(\mathcal{A}_{\mathsf{Sanit}}\) has access to a \(\mathsf{Sign}\) and a \(\mathsf{Proof}\) oracle, and it succeeds if it outputs a valid message-signature pair \((m^*, \sigma^*)\) together with a key \(\mathsf{pk}_{san}^*\) such that \((\mathsf{pk}_{san}^*, m^*)\) is different from all pairs \((\mathsf{pk}_{san,i}, m_i)\) previously queried to the \(\mathsf{Sign}\) oracle. Moreover, it is required that the proof produced by the signer via \(\mathsf{Proof}\) still leads the judge to decide “\(\mathtt{Sign}\)”, i.e., that the signature has been created by the signer.
Definition 3
In the signer-accountability game a malicious signer \(\mathcal{A}_{\mathsf{Sign}}\) gets a public sanitizing key \(\mathsf{pk}_{san}\) as input and has access to a sanitizing oracle, which takes as input tuples \((m_i, \textsc{Mod}_i, \sigma_i, \mathsf{pk}_{sig,i})\) and returns \((m_i', \sigma_i')\). Eventually, the adversary \(\mathcal{A}_{\mathsf{Sign}}\) outputs a tuple \((\mathsf{pk}_{sig}^*, m^*, \sigma^*, \pi^*)\) and is considered successful if \(\mathsf{Judge}\) accuses the sanitizer for the new key-message pair \(\mathsf{pk}_{sig}^*, m^*\) with a valid signature \(\sigma^*\).
Definition 4

for \(b=0\) runs the signer algorithm to create \(\sigma \leftarrow \mathsf {Sign} (m,\mathsf {sk}_{sig},\mathsf {pk}_{sig},\textsc {Adm})\), then runs the sanitizer algorithm and returns the sanitized message \(m'\) with the new signature \(\sigma '\), and

for \(b=1\) acts as in the case \(b=0\) but also signs \(m'\) from scratch with the signing algorithm to create a signature \(\sigma '\) and returns the pair \((m',\sigma ')\).
Adversary \(\mathcal{A}\) eventually produces an output a, the guess for b. A sanitizable signature is now transparent if for all efficient algorithms \(\mathcal{A}\) the probability for a right guess \(a = b\) in the above game is negligibly close to \(\tfrac{1}{2}\). Below we also define a relaxed version called proof-restricted transparency.
Definition 5
Unlinkability. This security notion demands that it is not feasible to use the signatures to identify sanitized message-signature pairs originating from the same source. This should even hold if the adversary itself provides the two source message-signature pairs and the modifications, of which one is sanitized. It is required that the two modifications yield the same sanitized message, because otherwise predicting the source is easy, of course. This, however, is beyond the scope of signature schemes: the scheme should only prevent that signatures can be used to link data. In the formalization of [12], the adversary is given access to a signing oracle and a sanitizer oracle (and a proof oracle, since this step depends on the signer’s secret key and may leak valuable information). The adversary is also allowed to query a left-or-right oracle \(\mathsf{LoRSanit}\), which is initialized with a secret random bit b and keys \(\mathsf{pk}_{sig}, \mathsf{sk}_{san}\). The adversary may query this oracle on tuples \(((m_0, \textsc{Mod}_0, \sigma_0), (m_1, \textsc{Mod}_1, \sigma_1))\), and the oracle returns \(\mathsf{Sanit}(m_b, \textsc{Mod}_b, \sigma_b, \mathsf{pk}_{sig}, \mathsf{sk}_{san})\) if \(\mathsf{Verify}(m_i, \sigma_i, \mathsf{pk}_{sig}, \mathsf{pk}_{san}) = 1\) for \(i = 0, 1\), \(\textsc{Adm}_0 = \textsc{Adm}_1\), and the modifications map to the same message, i.e., \(\textsc{Adm}_0(\textsc{Mod}_0) = 1\), \(\textsc{Adm}_1(\textsc{Mod}_1) = 1\), and \(\textsc{Mod}_0(m_0) = \textsc{Mod}_1(m_1)\). Otherwise, the oracle returns \(\bot\). The adversary’s goal is to eventually predict the bit b significantly better than with the guessing probability of \(\tfrac{1}{2}\).
Definition 6
3 Signature Schemes with Rerandomizable Keys
In this section, we introduce signature schemes that have rerandomizable keys and which serve as the main building block for our construction. Signature schemes with this property have the advantage that one can rerandomize the key pair \((\mathsf{sk}, \mathsf{pk})\) to a key pair \((\mathsf{sk}', \mathsf{pk}')\) and sign a message m with a seemingly unrelated key. Jumping ahead, this property allows us to sign messages with a fresh key and prove, in zero-knowledge, the origin of the key. For one of the signature schemes we require bilinear maps, which are defined as follows. Let \(e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_t\) be an efficient, non-degenerate bilinear map for system-wide available groups, where \(g_1\) and \(g_2\) are generators of \(\mathbb{G}_1\) and \(\mathbb{G}_2\), respectively.
3.1 Defining Signature Schemes with Rerandomizable Keys
To define this property and the corresponding security notion formally, we denote by \(\varSigma = (\mathsf {SSetup}, \mathsf {SGen}, \mathsf {SSign},\mathsf {SVerify})\) a standard digital signature scheme, where \(\mathsf {pp} \leftarrow \mathsf {SSetup} (1^{\kappa }), (\mathsf {sk}, \mathsf {pk})\leftarrow \mathsf {SGen} (1^{\kappa }), \sigma \leftarrow \mathsf {SSign} (\mathsf {sk},m), b \leftarrow \mathsf {SVerify} (\mathsf {pk},m,\sigma )\) are the standard algorithms of a digital signature scheme.
Definition 7

\(\mathsf {RandSK} (\mathsf {sk},\rho )\): The secret key rerandomization algorithm takes as input a secret key \(\mathsf {sk}\) and a randomness \(\rho \in \chi \) and outputs a new secret key \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): The public key rerandomization algorithm takes as input a public key \(\mathsf {pk}\) and a randomness \(\rho \in \chi \) and outputs a new public key \(\mathsf {pk}'\).
1. For all \(\kappa \in \mathbb{N}\), all key pairs \((\mathsf{sk}, \mathsf{pk}) \leftarrow \mathsf{SGen}(1^\kappa)\), all messages \(m \in \{0,1\}^{*}\), and all signatures \(\sigma \leftarrow \mathsf{SSign}(\mathsf{sk}, m)\), it holds that \(\mathsf{SVerify}(\mathsf{pk}, m, \sigma) = 1\).
2. For all \(\kappa \in \mathbb{N}\), all key pairs \((\mathsf{sk}, \mathsf{pk}) \leftarrow \mathsf{SGen}(1^\kappa)\), all randomness \(\rho \in \chi\), all messages \(m \in \{0,1\}^{*}\), and \(\sigma \leftarrow \mathsf{SSign}(\mathsf{RandSK}(\mathsf{sk}, \rho), m)\), it holds that \(\mathsf{SVerify}(\mathsf{RandPK}(\mathsf{pk}, \rho), m, \sigma) = 1\).
3. For all key pairs \((\mathsf{sk}, \mathsf{pk})\) and a uniformly chosen randomness \(\rho \in \chi\), the distributions of \((\mathsf{sk}', \mathsf{pk}')\) and \((\mathsf{sk}'', \mathsf{pk}'')\) are identical, where \(\mathsf{pk}' \leftarrow \mathsf{RandPK}(\mathsf{pk}, \rho)\), \(\mathsf{sk}' \leftarrow \mathsf{RandSK}(\mathsf{sk}, \rho)\), and \((\mathsf{sk}'', \mathsf{pk}'') \leftarrow \mathsf{SGen}(1^\kappa)\).
3.2 Security of Signature Schemes with Rerandomizable Keys
The security of a signature scheme with rerandomizable keys is defined analogously to the unforgeability of regular signature schemes, but allows the adversary to learn message/signature pairs under rerandomized keys. This should even hold if the randomness used to rerandomize the keys is chosen by the attacker. In this definition, the adversary has access to two oracles. The first one, denoted by \(\mathcal{O}_1\), is a regular signing oracle. The second one, denoted by \(\mathcal{O}_2\), is an oracle that takes as input a message m and some randomness \(\rho\). It then rerandomizes the private key according to \(\rho\) and signs the message using this key.
Definition 8
Given this definition of unforgeability, one can easily obtain the “standard” notion of existential unforgeability by giving the adversary only access to \(\mathcal {O}_1\) and only checking the first condition.
Definition 9
(Existential Unforgeability). A signature scheme with perfectly rerandomizable keys \(\varSigma =(\mathsf {SGen},\mathsf {SSign}, \mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is said to be existentially unforgeable under chosen message attacks (\(\mathsf {EUF}\)) if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where \(\mathsf {EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) is defined as \(\mathsf {UFRK}^{\varSigma }_{\mathcal {A}}(\kappa )\), but the adversary only gets access to \(\mathcal {O}_1\) and wins if the first condition is fulfilled.
For our construction, we also need signature schemes that are strongly unforgeable, meaning that it is computationally hard to compute a new signature \(\sigma ^*\) on a message m, i.e., the adversary is allowed to submit m to the oracle and learn a signature \(\sigma \) and wins the game if \(\sigma ^*\) is valid but different from \(\sigma \).
Definition 10
(Strong Existential Unforgeability). A signature scheme with perfectly rerandomizable keys \(\varSigma = (\mathsf{SGen}, \mathsf{SSign}, \mathsf{SVerify}, \mathsf{RandSK}, \mathsf{RandPK})\) is strongly existentially unforgeable under chosen message attacks (\(\mathsf{s}\text{-}\mathsf{EUF}\)) if for all PPT adversaries \(\mathcal{A}\) the probability that the experiment \(\mathsf{s}\text{-}\mathsf{EUF}^{\varSigma}_{\mathcal{A}}(\kappa)\) evaluates to 1 is negligible (in \(\kappa\)), where \(\mathsf{s}\text{-}\mathsf{EUF}^{\varSigma}_{\mathcal{A}}(\kappa)\) is defined as \(\mathsf{UFRK}^{\varSigma}_{\mathcal{A}}(\kappa)\), but the adversary only gets access to \(\mathcal{O}_1\), and \(\mathcal{O}_1\) maintains \(Q := Q \cup \{(m, \sigma)\}\). The adversary wins only if the following condition is fulfilled: \(\mathsf{SVerify}(\mathsf{pk}, m^{*}, \sigma^{*}) = 1 \text{ and } (m^{*}, \sigma^{*}) \notin Q\).
3.3 Counter Examples
In this section, we show that unforgeability under rerandomizable keys (Definition 8) does not trivially follow from regular unforgeability (Definition 9). In fact, very few standard-model signature schemes that have rerandomizable keys are unforgeable under rerandomizable keys. We demonstrate this by giving concrete attacks against some well-known schemes, such as the Boneh and Boyen [7] and Camenisch and Lysyanskaya [15] signature schemes. We remark that these attacks have no implications for the original security proofs, since our attacks are outside of the regular unforgeability model.
Boneh-Boyen Signature Scheme. The scheme of Boneh and Boyen [7] works in a bilinear group setting and is existentially unforgeable under the q-SDH assumption. The scheme works as follows: The secret key consists of \(x, y \in \mathbb{Z}_q^*\) and the public key consists of the corresponding \(\mathbb{G}_2\) elements \(u := g_2^x\) and \(v := g_2^y\). To sign a message \(m \in \mathbb{Z}_q^*\), the signer chooses a random \(r \leftarrow \mathbb{Z}_q^*\), computes \(s := g_1^{1/(x+m+yr)}\), and outputs the signature \(\sigma = (r, s)\). To verify that a signature is valid, the verifier checks that \(e(s, u \cdot g_2^m \cdot v^r) = e(g_1, g_2)\) holds. The keys of the scheme can be rerandomized additively, i.e., given randomness \((\rho_1, \rho_2) \in \mathbb{Z}_q^2\), secret keys are randomized as \((x', y') := (x + \rho_1, y + \rho_2)\) and public keys are randomized as \((u', v') := (u \cdot g_2^{\rho_1}, v \cdot g_2^{\rho_2})\).
Camenisch-Lysyanskaya Signature Scheme. The signature scheme of Camenisch and Lysyanskaya [15] works in a symmetric bilinear group setting and is existentially unforgeable under the LRSW assumption. The scheme works as follows: The secret key consists of \(x, y \in \mathbb{Z}_q\) and the public key consists of the corresponding group elements \(X := g^x\) and \(Y := g^y\). To sign a message \(m \in \mathbb{Z}_q\), the signer chooses a random \(a \leftarrow \mathbb{G}\), computes \(b := a^y\) and \(c := a^{x+mxy}\), and outputs the signature \(\sigma = (a, b, c)\). To verify that a signature is valid, the verifier checks that \(e(a, Y) = e(g, b)\) and \(e(X, a) \cdot e(X, b)^m = e(g, c)\) hold. The keys of the scheme can be rerandomized multiplicatively, i.e., given randomness \((\rho_1, \rho_2) \in \mathbb{Z}_q^2\), secret keys are randomized as \((x', y') := (x \cdot \rho_1, y \cdot \rho_2)\) and public keys are randomized as \((X', Y') := (X^{\rho_1}, Y^{\rho_2})\).
3.4 Instantiations
In this section, we show that our security notion is achievable in the random oracle and the standard model. In the random oracle model, we prove that Schnorr’s signature scheme [40, 41] is unforgeable under rerandomized keys and in the standard model we show that a slightly modified version of the signature scheme due to Hofheinz and Kiltz [31, 32] satisfies our notion.
Random Oracle Model. We show that Schnorr’s signature scheme [40, 41] is unforgeable under rerandomized keys. Our proof technique relies on an idea previously observed by Fischlin and Fleischhacker [25] in the context of an impossibility result. The core of this technique, which we call the randomness switching technique, allows moving a signature from one public key to another one knowing only the difference between the two corresponding secret keys.
Definition 11

\(\mathsf {SGen} (1^{\kappa })\): Pick \(\mathsf {sk}\leftarrow \mathbb {Z} _q\) at random, compute \(\mathsf {pk}:= g^{\mathsf {sk}}\), and output \((\mathsf {sk},\mathsf {pk})\).

\(\mathsf {SSign} (\mathsf {sk},m)\): Pick \(r \leftarrow \mathbb {Z} _q\) at random and compute \(R := g^{r}\), compute \(c:= \mathcal {H}(R, m)\) and \(y:= r + \mathsf {sk}\cdot c \mod q\). Output \(\sigma := (c,y)\).

\(\mathsf {SVerify} (\mathsf {pk},m,\sigma )\): Parse \(\sigma \) as (c, y). If \(c = \mathcal {H}(\mathsf {pk}^{-c}g^{y}, m)\), then output 1, otherwise output 0.

\(\mathsf {RandSK} (\mathsf {sk},\rho )\): Compute \(\mathsf {sk}' := \mathsf {sk}+ \rho \mod q\) and output \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): Compute \(\mathsf {pk}' := \mathsf {pk}\cdot g^{\rho }\) and output \(\mathsf {pk}'\).
Obviously all three correctness conditions hold. It remains to show that \(\mathsf {SSS} \) is unforgeable under rerandomized keys.
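As an added illustration (not code from the paper), the following Python implements Definition 11 over a constructed toy group and exercises the randomness switching step used for Theorem 1: a signature (c, y) under pk becomes a signature under pk·g^ρ by setting y' := y + ρ·c, knowing only ρ. The group (p = 1019, q = 509, g = 4), the use of SHA-256 reduced mod q as the random oracle, and all function names are assumptions of the example.

```python
"""Schnorr signatures with additively rerandomizable keys (Definition 11)
and the randomness-switching step behind Theorem 1.

Added example, not code from the paper.  Constructed toy parameters: the
order-q subgroup of Z_p^* with p = 1019 = 2*509 + 1 (far too small for real
use) plays the role of G, and SHA-256 reduced mod q plays the role of the
random oracle H."""
import hashlib
import secrets
from typing import Dict, Tuple

P = 1019  # safe prime (constructed toy parameter)
Q = 509   # prime group order q = (p - 1) / 2
G = 4     # 4 = 2^2 is a quadratic residue mod p, hence has order q

Signature = Tuple[int, int]  # (c, y)


def hash_to_zq(*parts: int) -> int:
    """Random-oracle stand-in H(R, m) -> Z_q.  As in Definition 11, the public
    key is deliberately not part of the hash input (see switch_signature)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sgen() -> Tuple[int, int]:
    """SGen: sk <- Z_q, pk := g^sk."""
    sk = secrets.randbelow(Q)
    return sk, pow(G, sk, P)


def ssign(sk: int, m: int) -> Signature:
    """SSign: R := g^r, c := H(R, m), y := r + sk*c mod q."""
    r = secrets.randbelow(Q)
    big_r = pow(G, r, P)
    c = hash_to_zq(big_r, m)
    return c, (r + sk * c) % Q


def sverify(pk: int, m: int, sig: Signature) -> bool:
    """SVerify: accept iff c == H(pk^{-c} * g^y, m)."""
    c, y = sig
    big_r = pow(pow(pk, c, P), -1, P) * pow(G, y, P) % P
    return c == hash_to_zq(big_r, m)


def rand_sk(sk: int, rho: int) -> int:
    """RandSK: sk' := sk + rho mod q."""
    return (sk + rho) % Q


def rand_pk(pk: int, rho: int) -> int:
    """RandPK: pk' := pk * g^rho, i.e. g^{sk + rho}, consistent with rand_sk."""
    return pk * pow(G, rho, P) % P


def switch_signature(sig: Signature, rho: int) -> Signature:
    """Randomness switching: turn (c, y) under pk into a signature under
    pk' = pk * g^rho knowing only rho, the difference of the secret keys.
    Since c = H(R, m) does not involve the key, y' := y + rho*c equals
    r + (sk + rho)*c, a signature with the same nonce R under sk + rho."""
    c, y = sig
    return c, (y + rho * c) % Q


def demo(m: int = 42, rho: int = 123) -> Dict[str, bool]:
    """Run one key pair through the scheme and return each check's outcome."""
    sk, pk = sgen()
    sig = ssign(sk, m)
    pk2 = rand_pk(pk, rho)
    return {
        "original_verifies": sverify(pk, m, sig),
        # the switched signature verifies under the rerandomized key
        "switched_verifies": sverify(pk2, m, switch_signature(sig, rho)),
        # the public rerandomization matches the secret one
        "keys_consistent": pow(G, rand_sk(sk, rho), P) == pk2,
        # the unswitched signature is rejected by pk2 (except with prob. ~1/q)
        "unswitched_rejected": not sverify(pk2, m, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because H hashes R and m but not the public key, the challenge c is unchanged by the move to the rerandomized key, which is what makes the switch possible; the reduction in the proof uses exactly this to answer queries under rerandomized keys with signatures obtained under the original key.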
Theorem 1
(Unforgeability of Schnorr Signatures Under Rerandomized Keys). The signature scheme \(\mathsf {SSS} \) (Definition 11) is unforgeable under rerandomized keys (Definition 8) in the random oracle model if the discrete logarithm problem in \(\mathbb {G} \) is hard.
Proof
Standard Model. In the following we show that a modified version of the signature scheme due to Hofheinz and Kiltz [31, 32] is unforgeable under rerandomized keys. The original construction of Hofheinz and Kiltz works on type 1 and type 2 pairings, and the element s in their scheme is a random bit string. In our case, however, we choose s as a random element of \(\mathbb {Z} _q\). This modification slightly increases the signature size, but does not affect the original functionality or security proof. To prove security formally, we adapt the randomness switching technique to this setting, which allows us to reduce unforgeability under rerandomized keys to standard existential unforgeability. The scheme of Hofheinz and Kiltz requires a programmable hash function [31, 32]; since the security properties of programmable hash functions are not relevant to our proofs, we omit them here and refer the interested reader to [31, 32].
Definition 12

\(k \leftarrow \mathsf {Gen} (1^{\kappa })\): The key generation algorithm takes as input the security parameter \(1^{\kappa }\) and generates a public key k.

\(y \leftarrow \mathsf {Eval} (k,m)\): The deterministic evaluation algorithm takes as input a key k and a message \(m \in \{0,1\}^{\ell }\) and outputs a hash value y.
Given the definition of programmable hash functions, we define the slightly modified signature scheme due to Hofheinz and Kiltz and define the rerandomization algorithms.
Definition 13

\(\mathsf {SSetup} (1^{\kappa })\): Generate a key for \(\mathsf {PHF} \) as \(k \leftarrow \mathsf {Gen} (1^\kappa )\) and output \(\mathsf {pp} =k\).

\(\mathsf {SGen} (1^{\kappa })\): Pick \(\mathsf {sk}\leftarrow \mathbb {Z} _q\) at random, compute \(\mathsf {pk}:= g_2^{\mathsf {sk}}\), and output \((\mathsf {sk},\mathsf {pk})\).

\(\mathsf {SSign} (\mathsf {sk},m)\): Parse k from \(\mathsf {pp}\). Pick \(s \leftarrow \mathbb {Z} _q\) uniformly at random and compute \(y := \mathsf {Eval} (k,m)^{\frac{1}{\mathsf {sk}+s}}\). Output \(\sigma := (s,y)\).

\(\mathsf {SVerify} (\mathsf {pk},m,\sigma )\): Parse \(\sigma \) as (s, y). If \(e(y,\mathsf {pk}\cdot g_2^s) = e(\mathsf {Eval} (k,m),g_2)\) then output 1, otherwise output 0.

\(\mathsf {RandSK} (\mathsf {sk},\rho )\): Compute \(\mathsf {sk}' := \mathsf {sk}+ \rho \mod q\) and output \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): Compute \(\mathsf {pk}' := \mathsf {pk}\cdot g_2^{\rho }\) and output \(\mathsf {pk}'\).
Obviously all three correctness conditions hold. It remains to show that \(\mathsf {HKSS} \) is unforgeable under rerandomized keys.
Theorem 2
(Unforgeability of \(\mathsf {HKSS} \) Under Rerandomized Keys). The signature scheme \(\mathsf {HKSS} \) as defined in Definition 13 is unforgeable under rerandomized keys (Definition 8) in the standard model, if \(\mathsf {HKSS} \) is unforgeable under chosen message attacks (Definition 9).
Proof
For the analysis, let us assume that \(\mathcal {A} \)’s success probability in the experiment \(\mathsf {UFRK}^{\mathsf {HKSS}}_{\mathcal {A}}(\kappa )\) is bigger than \(1/\mathsf {poly}(\kappa )\). It is easy to see that \(\mathcal {B} \) is efficient and that the simulation of \(\mathcal {A} \)’s signing oracle \(\mathcal {O}_1\) is perfect. Now, we show that \(\mathcal {B} \) also provides a perfect simulation of the oracle \(\mathcal {O}_2\). Whenever \(\mathcal {A} \) sends \((\rho , m)\) to \(\mathcal {O}_2\), then \(\mathcal {B} \) returns a signature \((s',y)\) with \(s' = s - \rho\) for which it holds that \(e(y, \mathsf {pk}\cdot g_2^\rho \cdot g_2^{s'}) = e(\mathsf {Eval} (k,m)^{\frac{1}{\mathsf {sk}+s}}, g_2^{\mathsf {sk}+ \rho + (s - \rho )}) = e(\mathsf {Eval} (k,m),g_2)\), which obviously has the correct distribution.
Finally, we argue that \(\mathcal {B}\) outputs a valid signature whenever \(\mathcal {A} \) outputs a valid forgery. To see this, note that \((s' = s+\rho ^*, y)\) is a valid signature for \(m^*\) under \(\mathsf {pk}\) whenever \(\mathcal {A}\) returns a valid signature (s, y) for \(m^*\) under the rerandomized key \(\mathsf {pk}\cdot g_2^{\rho ^*}\), since \(e(y, (\mathsf {pk}\cdot g_2^{\rho ^*})\cdot g_2^{s}) = e(y, \mathsf {pk}\cdot g_2^{\rho ^* + s}) = e(y, \mathsf {pk}\cdot g_2^{s'})\). Combining this with the proof of existential unforgeability of the modified Hofheinz-Kiltz signature scheme from [31, 32] rules out the existence of \(\mathcal {A}\).
4 Efficient Sanitizable Signatures
In this section we show how to build efficient unlinkable sanitizable signatures from signatures with perfectly rerandomizable keys.
4.1 Preliminaries
We recall the definitions and security notions of the other building blocks required for our construction of sanitizable signatures. Namely, we recall the definitions of CCA-secure public-key encryption and non-interactive zero-knowledge proof systems.
CCA-Secure Public-Key Encryption. A public-key encryption scheme \(\mathcal {E}=(\mathsf {EGen},\mathsf {Enc}, \mathsf {Dec})\) consists of a key generation algorithm \((\mathsf {dk}, \mathsf {ek})\leftarrow \mathsf {EGen} (1^{\kappa })\), an encryption algorithm \(c\leftarrow \mathsf {Enc} (\mathsf {ek},m)\), and a decryption algorithm \(m\leftarrow \mathsf {Dec} (\mathsf {dk},c)\). We omit the standard correctness condition and recall the standard notion of CCA security.
Definition 14
Non-interactive Zero-Knowledge Proof System. We recall the definitions of non-interactive zero-knowledge proof systems. A non-interactive zero-knowledge proof system \((\mathsf {Setup_{ZK}}, \mathsf {P_{ZK}}, \mathsf {V_{ZK}})\) for a language \(\mathcal {L} \) with the corresponding relation \(\mathcal {R} \) consists of a setup algorithm \(\mathsf {crs} \leftarrow \mathsf {Setup_{ZK}} (1^{\kappa })\) that generates a common reference string, a prover algorithm \(\pi \leftarrow \mathsf {P_{ZK}} (\mathsf {crs}, x, w)\) that takes as input the common reference string \(\mathsf {crs} \), a statement x, and a witness w and outputs a zero-knowledge proof \(\pi \); and a verification algorithm \(b\leftarrow \mathsf {V_{ZK}} (\mathsf {crs}, x, \pi )\) that outputs 1 iff \(x\in \mathcal {L} \) and 0 otherwise. We omit the standard definition of correctness and recall the definitions of (perfect) soundness, zero-knowledge, and proof of knowledge.
Definition 15
Definition 16
Definition 17
(Proof of Knowledge). A NIZK scheme is a proof of knowledge if there exists an efficient extractor \(\mathsf {Ext} = (\mathsf {Ext} _0,\mathsf {Ext} _1)\) such that the following conditions hold:
4.2 Our Construction
In the following, we describe our construction of a sanitizable signature scheme based on signatures with rerandomizable keys. Similar to previous constructions [11, 12], we sign the parts of the message that cannot be changed by the sanitizer and a description of valid modifications \(\textsc {Adm} \) with a separate signature scheme. The main part of our construction, which differs substantially from all previous schemes, is the computation of the signature on the parts that can be modified by the sanitizer. The basic idea here is that we compute this signature using a signature scheme with rerandomizable keys. That is, we compute this signature using a rerandomized private and public key pair \((\mathsf {sk}',\mathsf {pk}')\), which was rerandomized by either the signer or the sanitizer. To allow for simple \(\mathsf {Proof} \) and \(\mathsf {Judge} \) algorithms and to avoid rewinding in the security proof, we have to provide a way to check that \(\mathsf {pk}'\) is in fact a rerandomization of the signer’s or the sanitizer’s public key. Therefore, we also include an encryption of the actual public key. In the \(\mathsf {Proof} \) algorithm the signer can then decrypt and return this public key along with a proof of correct decryption.
In the following, for the sake of brevity all algorithms are assumed to implicitly take the public parameters as input.
Construction 1
4.3 Security Proof
We are now ready to state the main theorem about the security of the construction described above.
Theorem 3
If \(\varSigma = (\mathsf {SSetup}, \mathsf {SGen}, \mathsf {SSign},\mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is a signature scheme that is unforgeable under rerandomized keys, \(\varSigma _\textsc {Fix} = (\mathsf {SSetup_\textsc {Fix}}, \mathsf {SGen_\textsc {Fix}}, \mathsf {SSign_\textsc {Fix}},\mathsf {SVerify_\textsc {Fix}})\) is a signature scheme that is strongly existentially unforgeable, \(\varPi _{PoK} = (\mathsf {Setup_{PoK}},\mathsf {P_{PoK}},\mathsf {V_{PoK}})\) is a computationally zero-knowledge perfectly sound proof of knowledge system, \(\varPi _{ZK} = (\mathsf {Setup_{ZK}}, \mathsf {P_{ZK}}, \mathsf {V_{ZK}})\) is a computationally zero-knowledge perfectly sound proof system, and \(\mathcal {E}= (\mathsf {EGen},\mathsf {Enc},\mathsf {Dec})\) is a CCA-secure public-key encryption scheme, then Construction 1 is sanitizer-accountable, signer-accountable, immutable, (proof-restrictedly) transparent, and unlinkable.
We sketch the basic ideas of the proofs here. The full proofs for each security property are deferred to the full version [26].
(Proof-Restricted) Transparency. The proof of transparency is the most involved one and proceeds in several game hops. We start with the transparency game with the bit \(b=0\). First, we use the simulatability of the zero-knowledge proofs to switch to a game where all proofs are simulated. We can then change the \(\mathsf {Sanit/Sign}\) oracle to no longer encrypt the rerandomized public key, but an independently chosen public key instead; the answers to \(\mathsf {Proof} \) queries are changed accordingly. The difference between the two games can be bounded by a reduction to the CCA security of the encryption scheme. Next, the bit b is flipped to 1. Due to the simulated proofs, the outputs of \(\mathsf {Sanit/Sign}\) are distributed identically before and after the switch. The outputs of the \(\mathsf {Proof} \) oracle, however, may differ if the attacker manages to ask a valid query such that the signature reuses one of the ciphertexts computed by \(\mathsf {Sanit/Sign}\). This leads to two cases. If the attacker uses a new \(\mathsf {pk}_{san}'\) in its query, then it must also compute a new proof of knowledge, which means that it has to know the content of the ciphertext, leading to a trivial reduction to the CCA security (or even one-wayness) of the encryption scheme. In the other case, the fact that the signature must verify leads to a forgery under a rerandomized key, which would contradict the unforgeability under rerandomized keys of \(\varSigma \). Finally, we switch back to real ciphertexts instead of random ones and undo the simulation of the zero-knowledge proofs, thus arriving at the transparency game with the bit \(b=1\).
Since the distances between all hops can be bounded by negligible functions, the difference between the two cases of the game is also negligible.
5 Instantiating the Construction
We instantiate our generic construction with compatible and efficient instantiations in the random oracle model. For the two signature schemes, we choose standard Schnorr signatures as defined in Definition 11 for \(\varSigma \), as well as a derandomized version of Schnorr signatures for \(\varSigma _\textsc {Fix} \). The encryption scheme and proof systems are instantiated with the Cramer-Shoup encryption scheme [22], and \(\varSigma \)-protocols that we convert into a non-interactive zero-knowledge proof via the Fiat-Shamir transform [24]. The Cramer-Shoup encryption scheme is defined as follows:
Definition 18

\(\mathsf {EGen} (1^{\kappa })\): The key generation algorithm proceeds as follows: Pick \(x,y,a,b,a', b' \leftarrow \mathbb {Z} _q\) uniformly at random, compute \(h:= g_1^xg_2^y\), \(c:= g_1^ag_2^b\), \(d:= g_1^{a'}g_2^{b'}\), set \(\mathsf {dk}:=(x,y,a,b,a',b')\) and \(\mathsf {ek}:=(h,c,d)\) and output \((\mathsf {dk},\mathsf {ek})\).

\(\mathsf {Enc} (\mathsf {ek},m)\): The encryption algorithm proceeds as follows: Parse \(\mathsf {ek} \) as (h, c, d) and choose \(r \leftarrow \mathbb {Z} _q\) uniformly at random. Compute \(\alpha := \mathcal {H}(g_1^r,g_2^r,h^r\cdot m)\) and \(C:=(g_1^r,g_2^r,h^r\cdot m,(cd^\alpha )^r)\). Output C.

\(\mathsf {Dec} (\mathsf {dk},C)\): The decryption algorithm proceeds as follows: Parse \(\mathsf {dk} \) as \((x,y,a,b, a', b')\) and C as (u, v, w, e). Compute \(\alpha := \mathcal {H}(u,v,w)\) and check if \(u^{a+\alpha a'}\cdot v^{b+\alpha b'} = e\) holds. If it holds output \(w/(u^x\cdot v^y)\). Otherwise output \(\bot \).
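The following Python is an added example, not code from the paper, implementing Definition 18 over a constructed toy group (p = 1019, q = 509, generators g1 = 4 and g2 = 9, SHA-256 reduced mod q in place of the hash H). It shows the consistency check in Dec rejecting a ciphertext whose last component was altered, which is the mechanism behind the scheme's CCA security; all function names are the example's own.

```python
"""Cramer-Shoup encryption as in Definition 18.

Added example, not code from the paper.  Constructed toy parameters: the
order-q subgroup of Z_p^* with p = 1019 = 2*509 + 1 (far too small for real
use), generators g1 = 4 and g2 = 9 (two quadratic residues, hence of order
q), and SHA-256 reduced mod q in place of the collision-resistant hash H."""
import hashlib
import secrets
from typing import Optional, Tuple

P, Q = 1019, 509  # safe prime and group order (constructed toy parameters)
G1, G2 = 4, 9     # two generators of the order-q subgroup (9 = 3^2 is a QR)

DecKey = Tuple[int, int, int, int, int, int]   # (x, y, a, b, a', b')
EncKey = Tuple[int, int, int]                  # (h, c, d)
Ciphertext = Tuple[int, int, int, int]         # (u, v, w, e)


def hash_to_zq(*parts: int) -> int:
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def egen() -> Tuple[DecKey, EncKey]:
    """EGen: h := g1^x g2^y, c := g1^a g2^b, d := g1^{a'} g2^{b'}."""
    x, y, a, b, a2, b2 = (secrets.randbelow(Q) for _ in range(6))
    h = pow(G1, x, P) * pow(G2, y, P) % P
    c = pow(G1, a, P) * pow(G2, b, P) % P
    d = pow(G1, a2, P) * pow(G2, b2, P) % P
    return (x, y, a, b, a2, b2), (h, c, d)


def enc(ek: EncKey, m: int) -> Ciphertext:
    """Enc: (u, v, w, e) := (g1^r, g2^r, h^r m, (c d^alpha)^r), alpha := H(u, v, w)."""
    h, c, d = ek
    r = secrets.randbelow(Q)
    u, v = pow(G1, r, P), pow(G2, r, P)
    w = pow(h, r, P) * m % P
    alpha = hash_to_zq(u, v, w)
    e = pow(c * pow(d, alpha, P) % P, r, P)
    return u, v, w, e


def dec(dk: DecKey, ct: Ciphertext) -> Optional[int]:
    """Dec: recompute alpha, reject unless u^{a+alpha a'} v^{b+alpha b'} == e,
    then output w / (u^x v^y).  The check is what gives CCA security: a
    ciphertext whose components were altered fails it and yields None."""
    x, y, a, b, a2, b2 = dk
    u, v, w, e = ct
    alpha = hash_to_zq(u, v, w)
    tag = pow(u, (a + alpha * a2) % Q, P) * pow(v, (b + alpha * b2) % Q, P) % P
    if tag != e:
        return None
    mask = pow(u, x, P) * pow(v, y, P) % P  # equals h^r
    return w * pow(mask, -1, P) % P


def tamper_demo(m: int = 16) -> Tuple[bool, bool]:
    """Honest decryption recovers m; a ciphertext whose last component was
    altered in transit is rejected (m = 16 = 4^2 is a constructed group element)."""
    dk, ek = egen()
    u, v, w, e = enc(ek, m)
    honest = dec(dk, (u, v, w, e)) == m
    rejected = dec(dk, (u, v, w, e * G1 % P)) is None
    return honest, rejected


if __name__ == "__main__":
    print(tamper_demo())
```

Note that the rejection in tamper_demo is deterministic: u, v, w and hence alpha are unchanged, so the recomputed tag still equals the original e and can never equal the altered component.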
Note that the statement we are proving can be expressed as a logical combination of discrete logarithm proofs of knowledge. For the design of each single discrete logarithm proof we deploy Schnorr’s \(\varSigma \)-protocols from [40]. We then formulate the complete proof using standard parallel composition techniques, first introduced in [20, 21]. The complete protocol is depicted in Fig. 1. It is worth mentioning that, in order to express the logical disjunction of our statement, the prover must run the simulator \(\mathsf {S} \) provided by the zero-knowledge property (Definition 16). For the specific case of \(\varSigma \)-protocols, \(\mathsf {S} _{\varSigma }\) works by randomly sampling \(z_i, s_i\) from \(\mathbb {Z} _q\) and computing \(T_i\) as \(g_1^{s_i}/(\frac{\mathsf {pk}'}{\mathsf {pk}})^{z_i}\) (or \(g_1^{s_i}/(\frac{\mathsf {pk}'}{\mathsf {pk}_{san}})^{z_i}\), respectively). Finally, as mentioned above, the protocol can be made non-interactive by using the Fiat-Shamir transformation. Note that this allows us to drop the first tuple of elements \((T_0, \dots , T_5)\), since they can simply be recomputed from the public parameters and the further messages of the protocol, and their integrity can be checked by recomputing the hash function.
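As an added example (not the paper's Fig. 1 and not the authors' code), the following Python builds the disjunctive part of the proof: a Fiat-Shamir OR-proof of knowledge of ρ with pk' = pk·g^ρ or pk' = pk_san·g^ρ, composed from two Schnorr Σ-protocols using the simulator S_Σ described above, with the commitments T_i dropped from the proof and recomputed by the verifier. The toy group (p = 1019, q = 509, g = 4), SHA-256 mod q as the random oracle, and the function names are assumptions of the example; the full protocol in Fig. 1 proves a larger statement that is not reproduced here.

```python
"""Fiat-Shamir OR-proof: knowledge of rho such that pk' = pk * g^rho OR
pk' = pk_san * g^rho, i.e. that pk' rerandomizes the signer's or the
sanitizer's key.

Added example, not the paper's Fig. 1: two Schnorr Sigma-protocols composed
with the OR technique of [21], the simulated branch built with S_Sigma as in
the text, made non-interactive with Fiat-Shamir, and the commitments T_i
omitted from the proof and recomputed by the verifier.  Constructed toy
parameters: the order-q subgroup of Z_p^* with p = 1019 = 2*509 + 1 (far
too small for real use) and SHA-256 mod q as the random oracle."""
import hashlib
import secrets
from typing import List, Tuple

P, Q, G = 1019, 509, 4  # constructed toy group; 4 = 2^2 is a QR of order q

Proof = Tuple[int, int, int, int]  # (z_0, z_1, s_0, s_1); T_0, T_1 are implicit


def hash_to_zq(*parts: int) -> int:
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def inv(x: int) -> int:
    return pow(x, -1, P)


def statements(pk_new: int, pk_sig: int, pk_san: int) -> Tuple[int, int]:
    """X_0 := pk'/pk_sig and X_1 := pk'/pk_san; the prover knows log_g of one."""
    return pk_new * inv(pk_sig) % P, pk_new * inv(pk_san) % P


def simulate_branch(x_stmt: int) -> Tuple[int, int, int]:
    """S_Sigma from the text: pick z_i, s_i at random and set
    T_i := g^{s_i} / X_i^{z_i}; the triple verifies without any witness."""
    z, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * inv(pow(x_stmt, z, P)) % P, z, s


def prove(pk_new: int, pk_sig: int, pk_san: int, rho: int, known: int) -> Proof:
    """known = 0 if pk' = pk_sig * g^rho, known = 1 if pk' = pk_san * g^rho."""
    xs = statements(pk_new, pk_sig, pk_san)
    other = 1 - known
    # Simulated transcript for the branch whose witness we do not hold.
    t_sim, z_sim, s_sim = simulate_branch(xs[other])
    # Honest commitment T = g^t for the branch we can actually prove.
    t_real = secrets.randbelow(Q)
    commits: List[int] = [0, 0]
    commits[known], commits[other] = pow(G, t_real, P), t_sim
    # Fiat-Shamir: the overall challenge binds the statement and both commitments.
    z_all = hash_to_zq(pk_new, pk_sig, pk_san, commits[0], commits[1])
    z_real = (z_all - z_sim) % Q  # the two sub-challenges must sum to z_all
    s_real = (t_real + rho * z_real) % Q
    z: List[int] = [0, 0]
    s: List[int] = [0, 0]
    z[known], z[other] = z_real, z_sim
    s[known], s[other] = s_real, s_sim
    return z[0], z[1], s[0], s[1]


def verify(pk_new: int, pk_sig: int, pk_san: int, proof: Proof) -> bool:
    z0, z1, s0, s1 = proof
    x0, x1 = statements(pk_new, pk_sig, pk_san)
    # Recompute the dropped commitments T_i = g^{s_i} / X_i^{z_i} ...
    t0 = pow(G, s0, P) * inv(pow(x0, z0, P)) % P
    t1 = pow(G, s1, P) * inv(pow(x1, z1, P)) % P
    # ... and check that the sub-challenges add up to the hash over them.
    return (z0 + z1) % Q == hash_to_zq(pk_new, pk_sig, pk_san, t0, t1)


def demo() -> Tuple[bool, bool]:
    """Both a signer-side and a sanitizer-side rerandomization prove (constructed keys)."""
    pk_sig, pk_san = pow(G, 17, P), pow(G, 200, P)
    rho = 77
    by_signer = pk_sig * pow(G, rho, P) % P
    by_sanitizer = pk_san * pow(G, rho, P) % P
    return (
        verify(by_signer, pk_sig, pk_san, prove(by_signer, pk_sig, pk_san, rho, 0)),
        verify(by_sanitizer, pk_sig, pk_san, prove(by_sanitizer, pk_sig, pk_san, rho, 1)),
    )


if __name__ == "__main__":
    print(demo())
```

A proof consists of the same four scalars whichever branch was real, and the verifier's computation is identical for both, which is what hides whether the signer or the sanitizer produced pk'.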
6 Conclusion
In this paper, we formalized the novel notion of signature schemes that are unforgeable under rerandomized keys. Furthermore, we showed that Schnorr’s signature scheme [40, 41] is unforgeable under rerandomized keys in the random oracle model and that the Hofheinz-Kiltz signature scheme [31, 32] is unforgeable under rerandomized keys in the standard model.
Based on signature schemes with rerandomizable keys we then gave a construction of unlinkable sanitizable signatures and an instantiation, which is at least one order of magnitude faster than all previously known schemes.
Acknowledgments
This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA – www.cispasecurity.org) and the project PROMISE. Moreover, it was supported by the Initiative for Excellence of the German federal and state governments through funding for the Saarbrücken Graduate School of Computer Science and the DFG MMCI Cluster of Excellence. Part of this work was also supported by the German research foundation (DFG) through funding for the collaborative research center 1223. Dominique Schröder was also supported by an Intel Early Career Faculty Honor Program Award.
References
1. Ateniese, G., Chou, D.H., de Medeiros, B., Tsudik, G.: Sanitizable signatures. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 159–177. Springer, Heidelberg (2005)
2. Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013)
3. Bellare, M., Fuchsbauer, G.: Policy-based signatures. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 520–537. Springer, Heidelberg (2014)
4. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)
5. Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. Cryptology ePrint Archive, Report 2003/096 (2003). http://eprint.iacr.org/2003/096
6. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
7. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Crypt. 21(2), 149–177 (2008)
8. Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011)
9. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
10. Brzuska, C., Busch, H., Dagdelen, O., Fischlin, M., Franz, M., Katzenbeisser, S., Manulis, M., Onete, C., Peter, A., Poettering, B., Schröder, D.: Redactable signatures for tree-structured data: definitions and constructions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 87–104. Springer, Heidelberg (2010)
11. Brzuska, C., Fischlin, M., Freudenreich, T., Lehmann, A., Page, M., Schelbert, J., Schröder, D., Volk, F.: Security of sanitizable signatures revisited. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 317–336. Springer, Heidelberg (2009)
12. Brzuska, C., Fischlin, M., Lehmann, A., Schröder, D.: Unlinkability of sanitizable signatures. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 444–461. Springer, Heidelberg (2010)
13. Brzuska, C., Pöhls, H.C., Samelin, K.: Non-interactive public accountability for sanitizable signatures. In: De Capitani di Vimercati, S., Mitchell, C. (eds.) EuroPKI 2012. LNCS, vol. 7868, pp. 178–193. Springer, Heidelberg (2013)
14. Brzuska, C., Pöhls, H.C., Samelin, K.: Efficient and perfectly unlinkable sanitizable signatures without group signatures. In: Katsikas, S., Agudo, I. (eds.) EuroMPI 2013. LNCS, vol. 8341, pp. 12–30. Springer, Heidelberg (2014)
15. Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)
16. Canard, S., Jambert, A.: On extended sanitizable signature schemes. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 179–194. Springer, Heidelberg (2010)
17. Canard, S., Jambert, A., Lescuyer, R.: Sanitizable signatures with several signers and sanitizers. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 35–52. Springer, Heidelberg (2012)
18. Catalano, D.: Homomorphic signatures and message authentication codes. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 514–519. Springer, Heidelberg (2014)
19. Chang, E.C., Lim, C.L., Xu, J.: Short redactable signatures using random trees. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 133–147. Springer, Heidelberg (2009)
20. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
21. Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
22. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
23. Derler, D., Slamanig, D.: Rethinking privacy for extended sanitizable signatures and a black-box construction of strongly private schemes. In: Au, M.H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 455–474. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-26059-4_25
24. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
25. Fischlin, M., Fleischhacker, N.: Limitations of the meta-reduction technique: the case of Schnorr signatures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 444–460. Springer, Heidelberg (2013)
26. Fleischhacker, N., Krupp, J., Malavolta, G., Schneider, J., Schröder, D., Simkin, M.: Efficient unlinkable sanitizable signatures from signatures with rerandomizable keys. Cryptology ePrint Archive, Report 2015/395 (2015). http://eprint.iacr.org/2015/395
27. Franco, P.: Understanding Bitcoin: Cryptography, Engineering and Economics. Wiley, Chichester (2015)
28. Freeman, D.M.: Improved security for linearly homomorphic signatures: a generic framework. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 697–714. Springer, Heidelberg (2012)
29. Furukawa, J., Yonezawa, S.: Group signatures with separate and distributed authorities. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 77–90. Springer, Heidelberg (2005)
30. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)
31. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008)
32. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. J. Crypt. 25(3), 484–527 (2012)
33. Johnson, R., Walsh, L., Lamb, M.: Homomorphic signatures for digital photographs. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 141–157. Springer, Heidelberg (2012)
34. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002)
35. Klonowski, M., Lauks, A.: Extended sanitizable signatures. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 343–355. Springer, Heidelberg (2006)
36. Mitsunari, S., Saka, R., Kasahara, M.: A new traitor tracing. IEICE Trans. E85–A(2), 481–484 (2002)
37. Pöhls, H.C., Samelin, K.: On updatable redactable signatures. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 457–475. Springer, Heidelberg (2014)
38. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
39. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Crypt. 13(3), 361–396 (2000)
40. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
41. Schnorr, C.P.: Efficient signature generation by smart cards. J. Crypt. 4(3), 161–174 (1991)
42. Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002)