This document proposes a one-time redaction model for redactable signature schemes. It introduces the notion of multi-redactor redactable signature schemes that allow a document to be redacted by multiple redactors. It defines security properties of unforgeability, privacy, and transparency for this model. The document also presents a construction of a multi-redactor redactable signature scheme based on computational co-Diffie-Hellman assumptions in the random oracle model.

1. 1
A !– #$!– #%– & redactable signature scheme
Masayuki Tezuka, Xiangyu Su, Keisuke Tanaka
Tokyo Institute of Technology
Version: 2020/12/23
CANS 2019 Full presentation slide

2. Digital signature scheme
2
Goverment
・Secret Info
・Public Info 1
・Public Info 2
σ
Citizen
Disclosure request
Disclose Document !′
Document !

3. Digital signature scheme
3
Goverment
・Secret Info
・Public Info 1
・Public Info 2
σ
Citizen
Disclosure request
Disclose Document !′
Document !
・ Public Info 1
・ Public Info 2
Remove
Invalid
Document !′

4. What is redactable signature scheme ?
4
Goverment Citizen
Disclosure request
Disclose Document !′
・Secret Info
・Public Info 1
・Public Info 2
σ
Document !
・ Public Info 1
・ Public Info 2
Remove
Document !′
σ

5. Pioneerings of redactable signatature scheme
5
□ Steinfeld, Bull, Zheng (ICISC’01)
➡ Content extraction signature
□ Johnson, Molnar, Song, Wagner (CT-RSA’02)
➡ Redactable signature
□ Miyazaki，Susaki，Iwamura，Matsumoto，
Sasaki，Yoshiura (IEICE’03)
➡ Digital document sanitizing problem，
SUMI-4

6. Types of redactable signature
6
Remove Hide (Black out)
Redactable Signature
(with transparency)
・ Public Info 1
σ
・ Public Info 1
σ
・ Secret Info2
・ Public Info 1
σ
Redactable Signature
(no transparency)

7. Redactable signature scheme
7
Verifier
Signer Redactor 1 Redactor !
⋯
($%, '%) ($), ')) ($*+), '*+))
($*, '*)
,-
($%, ADM)
v-
・ anyone can be redactor
・ anonimity of redactors

8. Syntax of redactable signature scheme
8
KeyGen
1"
($%, '%)
Sign
('%, ), ADM) (), -)
Redact
(), -, MOD) ()/
, -/
)
Verify
($%, )/
, -/
) 0 or 1
Derler, Pöhls, Samelin, Slamanig (ICISC’15)
ADM can be extracted from ), - .

9. Security of redactable signature scheme
9
Barzska, Busch, Dagdelen, Fischkin, Franz,
Katzenbeisser, Manulis, Onete, Peter,
Poettering, Schröder (ACNS’10)
□ Unforgeability
□ Privacy
□ Transparency

10. Unforgeability
10
Redactor
・ Male
・ Tezuka
σ
・ Age 25
・ Age 25
・ Tezuka
σ
・ Tokyo
・ Tezuka
・ Japan
Redactor
・ Tokyo
・ Tezuka
・ Japan
σ

11. Privacy
11
・ Age 30
・ Tezuka
σ
・ Tokyo
・ Age 20
・ Tezuka
・ Tokyo
σ
・ Tokyo
・ Tezuka
σ
②
①
① or ② ?

12. Transparency
12
Signer
Redactor
・ Tokyo
・ Tezuka
σ
・ Age 22
①
② ②
① or ② ?
Barzska et al. (ACNS’10)
Transparency ⟹ Privacy

13. Constructions of redactable signature schemes
13
□ Merkle hash tree based
□ Accumulator based
□ Aggregate signature based

14. Constructions of redactable signature schemes
14
□ Merkle hash tree based
□ Accumulator based
□ Aggregate signature based
Miyazaki, Hanaoka, Imai （ASIACCS’06）
(Based on BLS-signature scheme)

15. Redactable signature scheme
based on aggregate signature （KeyGen）
15
!! = ($, &', &(, &), *, +', +() ← .(10
)
・ 12 ←
$
45,
・ v2 ← +(
67
Output (82, 12)

16. Redactable signature scheme
based on aggregate signature （Sign）
16
![0] ![1] ![2] ![3]
()*+ (, (- (.
ℎ(![1])34
(56, ! = {:,, :-, :.}, ADM = :, )
・ DID ←
$
{0, 1}B
,
・ ! 0 ← (DID ∥ ord(ADM)), ! G ← (DID ∥ :H)

17. Redactable signature scheme
based on aggregate signature （Sign）
17
![0] ![1] ![2] ![3]
()*+ (, (- (.
ℎ(![1])34
Σ
Aggregate
signature
(67, ! = {;,, ;-, ;.}, ADM = ;, )
・ DID ←
$
{0, 1}C
,
・ ! 0 ← (DID ∥ ord(ADM)), ! H ← (DID ∥ ;I)

18. Redactable signature scheme
based on aggregate signature （Sign）
18
![0] ![1] ![2] ![3]
()*, ! = {./, .0, .1}, ADM = ./ )
・ DID ←
$
{0, 1}:
,
・ ! 0 ← (DID ∥ ord(ADM)), ! ? ← (DID ∥ .@)
ℎ(![B])CD
Σ
F/ F0 F1
= ( )
F
Output (!, F)
Aggregate
signature

19. Redactable signature scheme
based on aggregate signature (Redact)
19
![0] ![1] ![2] ![3]
() (* (+
( Σ
(! = {0), 0*, 0+}, (, MOD = {0*})
= ( )

20. Redactable signature scheme
based on aggregate signature (Redact)
20
!’
($ = {'(, '*, '+}, !, MOD = {'*})
・ $1
← $/{'*}
= ( )
Σ 5 (!*)6(
Σ′
$[0] $[1] $[3]
!( !+
Output ($’, !’)

21. Redactable signature scheme
based on aggregate signature (Redact)
21
!’
($%, ' = {*+, *,}, !)
・ '/
← '/{*2}
= ( )
Σ 4 (!2)5+
Σ′
'[0] '[1] '[3]
The final redactor can prohibit further redac6on
by discarding all but the aggregate signature.

22. Redactable signature scheme
based on aggregate signature (Verify)
22
("#, %′ = {)*
+, )*
,}, .′)
・ Parse .’ as (ADM = )′+ , DID, .4 45+
6
, Σ)
・ Check ADM ⊆ %′
・ Check
e Σ, :, = ;(ℎ DID ∥ ord ADM , "#)
A ∏45+
,
;(ℎ DID ∥ )′4 , "#)
Output ``1 (Accept)” or ``0 (Reject)”

23. ! – #$!– #%– & redactable signature scheme
23
Redactor 1
Redactor &
Combiner
Signer
'(
・
・
・
)([1]
)([&]
'(
&, !

24. ! – #$!– #%– & redactable signature scheme
24
Redactor 1
Redactor &
Combiner
Signer
'(
・
・
・
)([1]
)([&]
(., ADM, DID, 4)
(., ADM, DID, 4)
(., ADM, DID, 4)
'(
&, !

25. ! – #$!– #%– & redactable signature scheme
25
Redactor 1
Redactor &
Combiner
Signer
'(
・
・
・
)([1]
)([&]
(., ADM, DID, 4)
(., ADM, DID, 4)
(., ADM, DID, 4)
RI7
RI8
&, !

26. ! – #$!– #%– & redactable signature scheme
26
Redactor 1
Redactor &
Combiner
Signer
・
・
・
'([1]
'([&]
(-, ADM, DID, 3)
(-, ADM, DID, 3)
(-, ADM, DID, 3)
RI6
RI7
(-′, ADM, DID, 3′)
9(
&, !

27. ! – #$!– #%– & redactable signature
scheme construction for set （KeyGen）
27
KeyGen (1)
, !, &)
,, = (., /0, /1, /2, 3, 40, 41) ← 6(1)
)
・ Choose polynomial % 7 = ∑9:;
<=0
>9?9
・ @A B ← (B, ?9 = %(B)) for B ∈ [&]
・ FA ← %(0) , ,A ← 41
HI
・ vA ← (41
HI
, !, &)
Output (JA, FA, @A 1 , ⋯ @A & )
Shamir’s secret sharing

28. ! – #$!– #%– & redactable signature
scheme construction （Sign）
28
Sign ((), + = {./, .0, .1}, ADM = ./ )
・ DID ←
$
{0, 1}<
,
・ + 0 ← (DID ∥ ord(ADM)), + A ← (DID ∥ .B)
C = Σ
Aggregate
Signature
Output (+, ADM, DID, C)
+[0] +[1] +[2] +[3]
CIJK C/ C0 C1
ℎ(+[M])NO
Not including C

29. ! – #$!– #%– & redactable signature
scheme construction （Redactor '）
29
([1] ([2] ([3]
∅ RI1,34 ∅
RedInf (67, ( = {:;, :4, :<}, ADM,
DID, A, MOD = {:4})
・ ( D ← (DID||:G)
ℎ(([D])IJ[1]
RI1 = ( )
Output RI1

30. = ( )
= ( )
= ( )
# – %&#– %'– ( redactable signature
scheme construction （Combiner）
30
)[1] )[2] )[3]
∅ RI2,45 ∅
RI5,42 ∅ ∅
∅ RI6,45 RI6,46
RI2
RI5
RI6
75
・ )8
← )/{<5}, 7′ ← Σ8
= Σ A (75)B2
Output ()′, ADM, DID, 7′)
ThrRed (JK, ) = {<2, <5, <6}, ADM, DID, 7, {LMN}NO2
P
)
The case o f
( = 3, # = 2

31. ! – #$!– #%– & redactable signature
scheme construction (Verify)
31
Verify ((), +′ = {/′0, /′1}, ADM = /′0 , DID, 7)
・ Check ADM ⊆ +′
・ Check
e 7, ;1 = <(ℎ(DID ∥ ord ADM ), ())
B ∏DE0
1
<(ℎ DID ∥ /′D , ())
Output ``1 (Accept)” or ``0 (Reject)”

32. Conclusion
32
□ Introduce the notion of !– #$!– #%– &
redactable signature schemes
（One-time redaction model）
□ Define security notions of unforgeability, privacy,
and transparency for !– #$!– #%– &
redactable signature schemes
□ Give a construction based on computational
co-Diffie-Hellman (co-CDH) assumption in ROM.