Redactable Signature Scheme for Tree-structured Data

based on Merkle Tree

Shoichi Hirose

and Hidenori Kuwakado

Graduate School of Engineering, University of Fukui, Fukui, Japan

Faculty of Informatics, Kansai University, Osaka, Japan

Keywords:

Redactable Signature Scheme, Tree-structured Data, Hash Function, Merkle Tree.

Abstract:

In 2008, Kundu and Bertino proposed a structural signature scheme for tree-structured data. A signature

generated by the scheme is redactable: for given tree-structured data and its signature, it is possible to compute

signatures of subtrees of the given tree without the secret signing key. Brzuska et al. formalized security

requirements of such kind of redactable signature schemes. They also proposed a provably secure redactable

signature scheme for tree-structured data using an ordinary signature scheme. This paper presents a new

redactable signature scheme for tree-structured data using an ordinary signature scheme and a Merkle tree

constructed by a keyed hash function such as HMAC. The proposed scheme assumes that the out-degree of

each node in a tree is at most constant. It is also shown that the proposed scheme is provably secure under

standard security assumptions of the underlying primitives. The proposed scheme ﬁrst generates a digest of

given tree-structured data based on the Merkle tree using the keyed hash function, and computes a single

signature for the digest using the ordinary signature scheme. On the other hand, the total number of signatures

required by previous provably secure schemes is at least as large as that of the nodes of the tree.

1 INTRODUCTION

Background. It is expected that database outsourc-

ing using cloud service will be popular. An out-

sourced database is required to provide proofs of the

correctness of answers to queries. A digital signature

scheme is a cryptographic technique useful for this

kind of purposes. A signature makes it possible to

verify whether the corresponding data are corrupted

or not. On the other hand, even if queries are made on

the same data, answers vary according to contents of

queries or users’ access rights. It is obviously unrea-

sonable, however,to prepare signatures of all possible

answers in advance.

In 2008, Kundu and Bertino proposed a struc-

tural signature scheme for tree-structureddata (Kundu

and Bertino, 2008). A signature generated by their

scheme is redactable: for given tree-structured data

and its signature, it is possible to compute signa-

tures of subtrees of the given tree without the se-

cret signing key. Their security analysis of their

scheme was informal, and some attacks against it

were presented (Brzuska et al., 2010; Samelin et al.,

2012a; Samelin et al., 2012b). Brzuska et al. formal-

ized unforgeability, privacy and transparency as se-

curity requirements of such kind of redactable signa-

ture schemes and showed that privacy is implied by

transparency (Brzuska et al., 2010). They also pro-

posed a provably secure redactable signature scheme

for tree-structured data using an ordinary signature

scheme. Their scheme satisﬁes unforgeability and

transparency if the underlying signature scheme sat-

isﬁes unforgeability.

Our Contribution. This paper presents a new

redactable signature scheme for tree-structured data

using an ordinary signature scheme and the Merkle

tree (Merkle, 1989a). The proposed scheme only al-

lows redaction of cutting leaf nodes. Iteration of cut-

ting leaf nodes enables cutting any subtree. In the pro-

posed scheme, to achieve secure redaction, a keyed

hash function such as HMAC (Bellare et al., 1996a)

is used to construct Merkle trees. It is also shown

that the proposed scheme satisﬁes unforgeability and

transparency if the underlying signature scheme sat-

isﬁes unforgeability and the underlying keyed hash

function is a pseudorandom function and collision-

resistant. HMAC satisﬁes both of the properties under

reasonable standard assumptions.

Unlike the previous schemes, the proposed

313

Hirose S. and Kuwakado H..

Redactable Signature Scheme for Tree-structured Data based on Merkle Tree.

DOI: 10.5220/0004507003130320

In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 313-320

ISBN: 978-989-8565-73-0

 2013 SCITEPRESS (Science and Technology Publications, Lda.)

scheme uses the Merkle tree based on a crypto-

graphic hash function such as SHA-2 (FIPS PUB

180-4, 2012). An advantage of this approach is that

the proposed scheme is more efﬁcient than the pre-

vious schemes. In our scheme, an ordinary signature

scheme is used only once for each signature gener-

ation to sign the digest corresponding to the root of

a Merkle tree. The previous schemes need at least as

many calls for the underlying signing procedure as the

number of the nodes of the tree-structured data. Gen-

erally, the amount of computation required for hash-

ing is much smaller than the amount of computation

required for signing. On the other hand, a disadvan-

tage of the proposed scheme is that the out-degree of

each node in tree-structured data should be at most

constant.

Related Work. The scheme of Kundu and

Bertino (Kundu and Bertino, 2008) is based on the

fact that a tree is uniquely identiﬁed by the pre-order

and post-order of its nodes.

The scheme of Brzuska et al. (Brzuska et al.,

2010) simply signs the nodes and the edges of tree-

structured data separately using an ordinary signature

scheme. When their scheme is applied to an ordered

tree, the orders of children of nodes are also authen-

ticated by ordinary signatures, which costs O(αβ

)

calls for the underlying signing procedure in the worst

case, where α is the number of the nodes and β is

the maximum of out-degrees of the nodes. They only

considered redaction of cutting leaf nodes.

The scheme of Samelin et al. (Samelin et al.,

2012a) signs the lists of the nodes of a tree in their

pre-order and post-order using a redactable signature

scheme for lists. Their scheme allows more ﬂexible

redaction than the scheme of (Brzuska et al., 2010)

and ours: Non-leaf nodes as well as leaf nodes can

be redactable. Their scheme needs O(α) calls for the

underlying signing procedure.

The scheme of P¨ohls et al. (P¨ohls et al., 2012) also

allows redaction of non-leaf nodes. Their scheme is

based on the Merkle tree and the out-degrees of nodes

are not limited. Thus, their scheme is more ﬂexible

than ours. However, their construction uses a collision

resistant one-way accumulator (Benaloh and de Mare,

1993; Bari´c and Pﬁtzmann, 1997) for the Merkle tree,

which makes the scheme less efﬁcient.

Redactable signature schemes for general

graph-structured data have also been proposed

recently (Kundu and Bertino, 2010; Kundu et al.,

2012). Other types of redactable signature schemes

can be found in (Steinfeld et al., 2001; Johnson et al.,

2002; Miyazaki et al., 2003; Nojima et al., 2009;

Chang et al., 2009; Samelin et al., 2012b), which are

not explicitly intended for tree or graph-structured

data.

Sanitizable signature schemes (Ateniese et al.,

2005; Brzuska et al., 2009) originated from motiva-

tions similar to those of redactable signatures. Saniti-

zable signature schemes allow redaction only by priv-

ileged entities called censors or sanitizers.

Ahn et al. (Ahn et al., 2012) provided a general

framework for computing on signed data including

redactable signature schemes and sanitizable signa-

ture schemes. Their privacy notion called context hid-

ing is stronger than transparency in that the former re-

quires the unlinkability between an original signature

and the derived signatures.

Organization. The rest of the paper is organized

as follows. Section 2 gives some notations and def-

initions of signature schemes, collision-resistant hash

functions and pseudorandom functions. Section 3 de-

ﬁnes redactable signature schemes and their security

requirements. The proposed scheme is presented in

Sec. 4. Its security is discussed in Sec. 5. Section 6

concludes the paper.

2 PRELIMINARIES

Let N be the set of natural integers. Let F

F(X ,Y ) be

the set of the functions from X to Y .

Let F = hF

ℓ

ℓ∈N

be a sequence of keyed functions

ℓ

: K

ℓ

× X

ℓ

→ Y

ℓ

, where K

ℓ

is the key space. F

ℓ

can

also be regarded as a set of functions from X

ℓ

to Y

ℓ

(K,·)|K ∈ K

ℓ

}. It is assumed to be easy to sample

an element uniformly at random from X

ℓ

and K

ℓ

For a set S, the notation s ← S represents an as-

signment of an element chosen uniformly at random

from S to a variable s. For an algorithm M , the nota-

tion y ← M (x) represents an assignment of an output

of M with an input x to a variable y.

2.1 Collision-resistant Hash Function

Collision resistance is a property of many-to-one

functions. It informally means that it is difﬁcult to

ﬁnd a pair of distinct inputs transformed to a same

output.

Deﬁnition 1. Let F = hF

ℓ

ℓ∈N

, where F

ℓ

is a keyed

hash function. If

Pr[A(1

ℓ

,K) = (x,x

′

) ∧ F

ℓ

(K,x) = F

ℓ

(K,x

′

) ∧ x 6= x

′

]

is negligibly small as a function of ℓ for any efﬁcient

collision-ﬁnder A, then F is called a sequence of

collision-resistant hash functions. K is uniformly dis-

tributed over K

ℓ

SECRYPT2013-InternationalConferenceonSecurityandCryptography

314

2.2 Pseudorandom Function

Deﬁnition 2. For a sequence of keyed functions F =

ℓ

ℓ∈N

, let

Adv

prf

(A) =



Pr[A

ℓ

(K,·)

ℓ

) = 1] − Pr[A

ℓ

) = 1]



be the advantage of a distinguisher A against F . K

is uniformly distributed over K

ℓ

, and ρ is uniformly

distributed over F

F(X

ℓ

). If Adv

prf

(A) is negligibly

small as a function of ℓ for any efﬁcient A, then F is

called a sequence of pseudorandom functions.

During security analysis of the proposed scheme,

we will deal with distinguishers with independent

multiple oracles. Let

Adv

m-prf

(A) =



Pr[A

ℓ

,·),...,F

ℓ

,·)

ℓ

) = 1]−

Pr[A

,...,ρ

ℓ

) = 1]



where (K

,..., K

) are uniformly distributed over

ℓ

and (ρ

,ρ

,..., ρ

) are uniformly distributed

over F

F(X

ℓ

)

. The following lemma is a para-

phrase of Lemma 3.3 in (Bellare et al., 1996b):

Lemma 1. Let A be a distinguisher for F with access

to m oracles. Then, a distinguisher B for F can be

constructed with A as a subroutine such that

Adv

m-prf

(A) = m· Adv

prf

(B) .

The running time of B is approximately total of the

running time of A and the time required to compute

ℓ

to answer to the queries made by A. B makes at

most max{q

|1 ≤ i ≤ m} queries to its oracle, where

is the number of the queries made by A to its i-th

oracle.

2.3 Iterated Hash Function and HMAC

The proposed redactable signature scheme uses a hash

function with arbitrary input length satisfying that it is

collision-resistant and its keyed mode is a pseudoran-

dom function.

Widely deployed hash functions such as SHA-

1/2 are called iterated hash functions. An iterated

hash function H consists of iteration of a compres-

sion function f with ﬁxed length input and output as

follows: H(M) = f( f(··· f( f(IV, M

),M

),...),M

where M = M

k···kM

is an input message and

IV is a ﬁxed initial value. A compression func-

tion is a kind of hash function with inputs of ﬁxed

length. This iteration is called Merkle-Damg˚ard con-

struction (Damg˚ard, 1989; Merkle, 1989b). An it-

erated hash function with appropriate input prepro-

cessing (padding with the Merkle-Damg˚ard strength-

ening (Menezes et al., 1996)) is collision-resistant

if the underlying compression function is collision-

resistant (Damg˚ard, 1989; Merkle, 1989b).

HMAC (Bellare et al., 1996a) is a keyed function

for generating message authentication codes, which

is constructed with an iterated hash function in the

following way:

HMAC(K,M) = H((K⊕

opad

)kH((K⊕

ipad

)kM)) ,

where H is a hash function, K is a secret key and

opad

and

ipad

are distinct constants. It was shown

that HMAC is a pseudorandom function if the under-

lying compression function is a pseudorandom func-

tion (Bellare, 2006). Additionally, it is easy to see

that HMAC is collision-resistant in the sense that it

is difﬁcult to ﬁnd a pair of distinct inputs (K,M) and

′

) such that HMAC(K,M) = HMAC(K

′

) if

H is collision-resistant.

2.4 Signature Scheme

A signature scheme Sig consists of three algorithms

(K,S,V) deﬁned as follows.

Key Generation (sk,pk) ← K(1

ℓ

For a given security parameter ℓ, the key genera-

tion algorithm K generates a pair of a secret (sign-

ing) key sk and a corresponding public (veriﬁca-

tion) key pk.

Signing (M,σ) ← S(sk,M).

Given a secret key sk and a message M, the sign-

ing algorithm S outputs M and its signature σ.

Veriﬁcation d ← V(pk, M,σ), where d ∈ {0,1}.

Given a public key pk, a message M and a sig-

nature σ, the veriﬁcation algorithm V decides

whether σ is a valid signature for M with respect

to pk. If valid, V outputs 1. Otherwise, it outputs

Existential unforgeability against adaptive chosen

message attacks is deﬁned as follows.

Deﬁnition 3. A signature scheme Sig = (K,S,V)

is existentially unforgeable against adaptive chosen

message attacks if the probability that the experiment

Sig

given in Algorithm 1 outputs 1 is negligibly

small as a function of ℓ for any efﬁcient forger A.

3 REDACTABLE SIGNATURE

SCHEME FOR

TREE-STRUCTURED DATA

3.1 Tree-structured Data

The proposed redactable signature scheme is used to

sign directed-tree-structured data. A directed tree has

RedactableSignatureSchemeforTree-structuredDatabasedonMerkleTree

315

Algorithm 1: Experiment EU

Sig

(ℓ).

(sk, pk) ← K(1

ℓ

)

(M,σ) ← A

S(sk,·)

(pk)

⊲ Let M

,..., M

be A’s queries to S.

if V(pk,M,σ) = 1∧ M 6= M

for 1 ≤ i ≤ q then

return 1

else

return 0

a unique node with in-degree 0, which is called the

root. In the remaining part, a directed tree is simply

called a tree. For tree-structureddata T and T

′

, T

′

 T

means that T

′

is a subtree of T and T

′

and T share the

root.

3.2 Redactable Signature Scheme for

Tree Structured Data

A redactable signature scheme tSig for tree-structured

data consists of four algorithms (tK, tS, tV,tC) de-

ﬁned below.

Key Generation (sk,pk) ← tK(1

ℓ

Given a security parameter ℓ, the key generation

algorithm tK generates a secret (signing) key sk

and a corresponding public (veriﬁcation) key pk.

Signing (T,σ) ← tS(sk, T).

Given a secret key sk and tree-structured data T,

the signing algorithm tS outputs T and its signa-

ture σ.

Veriﬁcation d ← tV(pk, T,σ), where d ∈ {0,1}.

Given a public key pk, tree-structured data T and a

signature σ, the veriﬁcation algorithm tV decides

whether σ is a valid signature for T with respect

to pk. If valid, then tV outputs 1. Otherwise, it

outputs 0.

Cutting (T

′

,σ

′

) ← tC(pk,T,σ,L).

Given a public key pk, tree-structured data T, a

signature σ and a leaf L of T, the cutting algorithm

tC outputs T

′

= T\L and its signature σ

′

Notice that the secret key sk is not given to the

cutting algorithm.

3.3 Security

Brzuska et al. formalized unforgeability, privacy and

transparency as security requirements of redactable

signature schemes for tree-structured data (Brzuska

et al., 2010). They also showed that transparency

implies privacy. Namely, if a redactable signature

scheme satisﬁes transparency, then it also satisﬁes pri-

vacy.

Deﬁnition 4 (Unforgeability (Brzuska et al., 2010)).

A redactable signature scheme for tree-structured

data tSig = (tK,tS,tV, tC) is existentially unforge-

able against adaptive chosen message attacks if the

probability that the experiment EU

tSig

given in Algo-

rithm 2 outputs 1 is negligibly small as a function of ℓ

for any efﬁcient forger A.

Algorithm 2: Experiment EU

tSig

(ℓ).

(sk, pk) ← tK(1

ℓ

)

(T,σ) ← A

tS(sk,·)

(pk)

⊲ Let T

,..., T

be A’s queries to tS.

if tV(pk,T,σ) = 1 ∧ T 6 T

for 1 ≤ i ≤ q then

return 1

else

return 0

Transparency informally states that no one should

be able to tell whether a signature of a tree is created

only with a signing algorithm or with both a signing

algorithm and a cutting algorithm.

Deﬁnition 5 (Transparency (Brzuska et al., 2010)). A

redactable signature scheme for tree-structured data

tSig = (tK,tS,tV,tC) is transparent if

Adv

tSig

(A) =



Pr[Tr

tSig

(ℓ) = 1] − 1/2



is negligibly small as a function of ℓ for any efﬁcient

distinguisher A. The experiment Tr

tSig

is given in Al-

gorithm 3.

Algorithm 3: Experiment Tr

tSig

(ℓ).

(sk, pk) ← tK(1

ℓ

)

b ← {0,1}

d ← A

tS(sk,·),SorC(·,·,sk,b)

(pk)

if d = b then

return 1

else

return 0

function SorC(T,L,sk, b)

if b = 0 then

(T,σ) ← tS(sk,T)

′

,σ

′

) ← tC(pk,T,σ, L)

else

′

← T\L

′

,σ

′

) ← tS(sk,T

′

)

return (T

′

,σ

′

)

4 PROPOSED SCHEME

The proposed scheme requires that the out-degree of

SECRYPT2013-InternationalConferenceonSecurityandCryptography

316

each node of given tree-structured data is at most d.

The proposed scheme is suitable for positional trees.

A positional tree is an ordered tree such that chil-

dren of a node are assigned distinct integers (e.g., in

{0,1, . . . , d − 1} in the current case) compatible with

their order. Nevertheless, the proposed scheme is also

applicable to unordered trees, which will be men-

tioned later.

The algorithms for key generation, signing, veri-

ﬁcation and cutting of the proposed scheme are pre-

sented below. In the descriptions, a node of the tree

T = (V

) is denoted by v

and the subscript i is

used as an ID of the node. In tree-structured data,

nodes and edges are assigned some data items in gen-

eral. It is assumed that data items assigned to a node

include the data items assigned to its incoming edge.

Key Generation (H,K;sk, pk) ← tK(1

ℓ

H is an iterated hash function composed of a com-

pression function chosen uniformly at random from a

set of functions corresponding to a given security pa-

rameter ℓ. K is a secret key used for HMAC using H.

We will slightly abuse the notation and denote HMAC

using H with key K by H

. sk and pk are a secret key

and a corresponding public key of a signature scheme

Sig, respectively. Sig is an ordinary signature scheme.

H is public, and K is secret for a signer.

Signing (T,σ) ← tS(H,K,sk,T).

The signing process proceeds as follows:

1. For each node of the tree-structured data T, if it

has less than d children, then add dummy child

nodes and the corresponding dummy edges so that

it has exactly d children. This process is also ap-

plied to the leaves of T. Let V

′

and E

′

represent

the set of dummy nodes and the set of dummy

edges, respectively.

2. Select a nonce r ∈ {0,1}

uniformly at random,

where n = ℓ

O(1)

, and for each node v

∈ V

∪V

′

compute the key r

= H

(rki). n should be large

enough to preventcollision of nonces. It is usually

sufﬁcient if n = |K|.

3. Construct a Merkle tree using HMAC in the fol-

lowing way:

(a) For each dummy node v

∈ V

′

, compute the di-

gest a

= H

(λ), where λ is an empty string. No

data items are assigned to dummy nodes and

their incoming edges.

(b) For each node v

∈ V

, compute the digest

= H

i,0

k···ka

i,d−1

) ,

where D

is data assigned to v

, and

i,0

,..., a

i,d−1

are digests corresponding to the

children of v

4. Compute a signature σ

of the digest a

corre-

sponding to the root v

of T using the signature

scheme Sig.

The signature σ of T consists of

• σ

• digests corresponding to the dummy nodes, and

• keys corresponding to the nodes of T.

Namely, σ = (σ

,{a

∈ V

′

},{r

∈ V

}). No-

tice that the secret keys corresponding to the dummy

nodes are never disclosed.

Figure 1 shows an example of binary-tree-

structured data augmented with dummy nodes and

edges by the proposed signing algorithm. Dummy

nodes and edges are represented by dotted lines. a

’s

and r

’s are digests and keys, respectively, included in

the signature.

000

001

010

011

110

111

0100

0101

Figure 1: An example of binary-tree-structured data aug-

mented with dummy nodes and edges by the proposed sign-

ing algorithm. Dummy nodes and edges are represented by

dotted lines.

Veriﬁcation d ← tV(H, pk,T,σ).

The veriﬁcation process proceeds as follows:

1. For the signature σ = (σ

,{a

∈ V

′

},{r

∈

}), compute the digest a

′

corresponding to the

root from the digensts in {a

∈ V

′

} and the

keys in {r

∈ V

2. Output 1 if σ

is a valid signature of a

′

with re-

spect to pk by Sig. Otherwise, output 0.

Cutting (T

′

,σ

′

) ← tC(H, pk,T,σ, L).

Since L is a leaf of T and T

′

= T\L, the signature

′

of T

′

consists of

• σ

• the digests corresponding to L and the dummy

nodes except for the dummy children of L, and

RedactableSignatureSchemeforTree-structuredDatabasedonMerkleTree

317

• the keys corresponding to the nodes in V

\{L}.

Namely, σ

′

= (σ

,{a

∈ (V

′

\Child(L)) ∪

L},{r

∈ V

\{L}}), where Child(L) is the

set of children of L. It is easy to see that σ

′

can

easily be obtained from σ. The cutting is simply a

process to regard the leaf cut off as a dummy node.

Figure 2 gives an example of binary-tree-structured

data obtained from the tree in Figure 1 by cutting a

leaf labeled by 010.

000

001

010

011

110

111

Figure 2: An example of binary-tree-structured data ob-

tained from the tree given in Figure 1 by cutting a leaf la-

beled by 010. a

’s and r

’s are digests and keys, respectively,

included in the signature.

Remark 1. The proposed scheme presented above

can also be applied to unordered trees with slight

modiﬁcation of HMAC. When constructing a Merkle

tree in Step 3(b) of Signing, compute the digest as fol-

lows:

= H

i, j

k···ka

i, j

d−1

) ,

where a

i, j

k···ka

i, j

d−1

is concatenation of sorted

i,0

,..., a

i,d−1

in the lexicographical order. This mod-

iﬁcation is based on the commutative hash func-

tion introduced by Goodrich and Tamassia (Anagnos-

topoulos et al., 2001). HMAC with this modiﬁca-

tion remains pseudorandom as a keyed function and

collision-resistant since the modiﬁcation only makes

the domain smaller.

5 SECURITY ANALYSIS OF

PROPOSED SCHEME

In this section, the security of the proposed redactable

signature scheme is proved under standard assump-

tions on the security of the building blocks. Adver-

saries are assumed to be computationally bounded.

5.1 Unforgeability

The following theorem shows that unforgeability of

the proposed scheme is reducible to unforgeability of

the underlying ordinary signature scheme and colli-

sion resistance of the underlying hash function.

Theorem 1. If Sig is existentially unforgeable against

adaptive chosen message attacks and H is collision-

resistant, then tSig is existentially unforgeable.

Proof. Let A be any forger of tSig. For EU

tSig

(ℓ), let

(H,K;sk, pk) ← tK(1

ℓ

) ,

(

σ) ← A

tS(H,K,sk,·)

(H, pk) .

Let T

,...,T

be queries to the oracle tS made by

A. Let a

ε,i

be the digest corresponding to the root of

and ˆa

be the digest corresponding to the root of

Let A(q) = {a

ε,i

|1 ≤ i ≤ q}.

Suppose that

T 6 T

for 1 ≤ i ≤ q. Then, for the

success probability of A,

Pr[tV(H, pk,

σ) = 1]

= Pr[ ˆa

6∈ A(q) ∧ tV(H, pk,

σ) = 1] +

Pr[ ˆa

∈ A(q) ∧ tV(H, pk,

σ) = 1]

≤ Pr[tV(H, pk,

σ) = 1| ˆa

6∈ A(q)] + Pr[ ˆa

∈ A(q)] .

The ﬁrst term Pr[tV(H, pk,

σ) = 1| ˆa

6∈ A(q)] is

equal to the success probability of a forger B for Sig.

B can be constructed with A as a subroutine. The

running time of B is total of the running time of A

and the time required to execute the signing algorithm

tS of tSig using the signing oracle S of Sig to answer

to the queries made by A. The number of the queries

to S made by B equals that of the queries to tS made

by A.

The second term Pr[ ˆa

∈ A(q)] is equal to the suc-

cess probability of a collision-ﬁnder C of H. C can

also be constructed with A as a subroutine. The run-

ning time of C is total of the running time of A and

the time required to execute the signing algorithm tS

of tSig.

If the random oracle model is required for the exis-

tential unforgeability of the underlying signature Sig,

then Theorem 1 is valid only in the random oracle

model.

5.2 Transparency

The following theorem implies that the trans-

parency of the proposed scheme is reducible to the

pseudorandom-function property of the underlying

HMAC.

Theorem 2. If HMAC is a pseudorandom function,

then tSig is transparent.

Proof. Let A be any distinguisher for tSig. In the ex-

periment Tr

tSig

(ℓ), suppose that A makes q

queries

to tS and q

queries to SorC. Suppose that the total

SECRYPT2013-InternationalConferenceonSecurityandCryptography

318

number of the nodes of tree-structured data in queries

made by A is N.

Let

tSig be same astSig except for using a random

function ρ instead of HMAC H

when generating the

secret keys r

for the nodes in the trees. The domain

and range of ρ equal those of H

, respectively. ρ be-

haves as a random oracle: it selects the output uni-

formly at random for a new input. Then,

Adv

tSig

(A) ≤



Pr[Tr

tSig

(ℓ) = 1] − 1/2



Pr[Tr

tSig

(ℓ) = 1] − Pr[Tr

tSig

(ℓ) = 1]



For the second term, there exists a distinguisher D for

HMAC using H such that



Pr[Tr

tSig

(ℓ) = 1] − Pr[Tr

tSig

(ℓ) = 1]



= Adv

prf

(D) .

D can be constructed with A as a subroutine. The

running time of D is total of the running time of A

and the time required to execute the signing algorithm

tS of tSig and the sign-or-cut algorithm SorC using

its oracle to answer to the queries made by A in the

experiment. The oracle of D is H

for tSig and it is

ρ for

tSig. D makes at most N(d + 1) queries to its

oracle.

Let

tSig be same as tSig (

tSig) except for gener-

ating the secret keys r

for the nodes in the trees uni-

formly at random. Then,



Pr[Tr

tSig

(ℓ) = 1] − 1/2



≤



Pr[Tr

tSig

(ℓ) = 1] − 1/2



Pr[Tr

tSig

(ℓ) = 1] − Pr[Tr

tSig

(ℓ) = 1]



Notice that

tSig and

tSig are completely indistin-

guishable as long as there exists no collision in the

nonces r. Thus, the second term of the inequality

above is bounded from above by

Pr[Collision in r] ≤ (q

+ q

)

n+1

where n is the length of the nonce r. Hence,

Adv

tSig

(A) ≤



Pr[Tr

tSig

(ℓ) = 1] − 1/2



Adv

prf

(D) + (q

+ q

)

n+1

For the experiment Tr

tSig

(ℓ), let us consider the

following distinguisher B for H. B has q

oracles.

They are either H

,..., H

or ρ

,ρ

,...,ρ

where s

,..., s

are chosen independently and

uniformly at random, and ρ

,ρ

,..., ρ

are indepen-

dent random oracles. B runs Tr

tSig

(ℓ) except that, for

the j-th query to SorC made by A, B computes the

digest corresponding to the leaf cut off using its j-th

oracle. Then,



Pr[Tr

tSig

(ℓ) = 1] − 1/2



= Adv

-prf

(B)

since

Pr[B

,...,O

= 1]

(

Pr[Tr

tSig

(ℓ) = 1] if O

= H

for 1 ≤ j ≤ q

1/2 if O

= ρ

for 1 ≤ j ≤ q

From Lemma 1, there exists a distinguisher for H

such that Adv

-prf

(B) = q

Adv

prf

(C ). C makes at

most 1 query. The running time of C is approximately

total of the running time of B and the time required to

compute H to answer to the queries made by B.

Thus,

Adv

tSig

(A) ≤ q

Adv

prf

(C ) + Adv

prf

(D) +

+ q

)

n+1

This completes the proof.

6 CONCLUSIONS

A redactable signature scheme for tree-structured data

has been proposed in this paper. It has also been

shown that it satisﬁes both unforgeability and trans-

parency. The proposed scheme is based on the Merkle

tree and expected to be quite efﬁcient compared to

previous provably secure schemes. Future work in-

cludes experimental performance evaluation of the

proposed scheme together with previous schemes. It

does not seem difﬁcult to extend the proposed scheme

to directed acyclic graphs, which is also left as future

work.

ACKNOWLEDGEMENTS

The authors would like to thank the anonymous re-

viewers for their valuable comments. This work

was supported by JSPS KAKENHI Grant Number

20300003 and 25330150.

REFERENCES

Ahn, J. H., Boneh, D., Camenisch, J., Hohenberger, S., She-

lat, A., and Waters, B. (2012). Computing on authen-

ticated data. In Cramer, R., editor, TCC, volume 7194

of Lecture Notes in Computer Science, pages 1–20.

Springer.

Anagnostopoulos, A., Goodrich, M. T., and Tamassia, R.

(2001). Persistent authenticated dictionaries and their

applications. In Davida, G. I. and Frankel, Y., editors,

ISC, volume 2200 of Lecture Notes in Computer Sci-

ence, pages 379–393. Springer.

Ateniese, G., Chou, D. H., de Medeiros, B., and Tsudik,

G. (2005). Sanitizable signatures. In di Vimercati,

RedactableSignatureSchemeforTree-structuredDatabasedonMerkleTree

319

S. D. C., Syverson, P. F., and Gollmann, D., editors,

ESORICS, volume 3679 of Lecture Notes in Computer

Science, pages 159–177. Springer.

Bari´c, N. and Pﬁtzmann, B. (1997). Collision-free accumu-

lators and fail-stop signature schemes without trees.

In Fumy, W., editor, EUROCRYPT, volume 1233 of

Lecture Notes in Computer Science, pages 480–494.

Springer.

Bellare, M. (2006). New proofs for NMAC and HMAC:

Security without collision-resistance. In CRYPTO

2006 Proceedings, Lecture Notes in Computer Sci-

ence 4117, pages 602–619. The full version is

“Cryptology ePrint Archive: Report 2006/043” at

http://eprint.iacr.org/.

Bellare, M., Canetti, R., and Krawczyk, H. (1996a). Keying

hash functions for message authentication. In Koblitz,

N., editor, CRYPTO, volume 1109 of Lecture Notes in

Computer Science, pages 1–15. Springer.

Bellare, M., Canetti, R., and Krawczyk, H. (1996b). Pseu-

dorandom functions revisited: The cascade construc-

tion and its concrete security. In Proceedings of the

37th IEEE Symposium on Foundations of Computer

Science, pages 514–523.

Benaloh, J. C. and de Mare, M. (1993). One-way accumu-

lators: A decentralized alternative to digital sinatures

(extended abstract). In Helleseth, T., editor, EURO-

CRYPT, volume 765 of Lecture Notes in Computer

Science, pages 274–285. Springer.

Brassard, G., editor (1990). Advances in Cryptology -

CRYPTO ’89, 9th Annual International Cryptology

Conference, Santa Barbara, California, USA, August

20-24, 1989, Proceedings, volume 435 of Lecture

Notes in Computer Science. Springer.

Brzuska, C., Busch, H., Dagdelen,

O., Fischlin, M., Franz,

M., Katzenbeisser, S., Manulis, M., Onete, C., Pe-

ter, A., Poettering, B., and Schr¨oder, D. (2010).

Redactable signatures for tree-structured data: Deﬁ-

nitions and constructions. In Zhou, J. and Yung, M.,

editors, ACNS, volume 6123 of Lecture Notes in Com-

puter Science, pages 87–104.

Brzuska, C., Fischlin, M., Freudenreich, T., Lehmann, A.,

Page, M., Schelbert, J., Schr¨oder, D., and Volk, F.

(2009). Security of sanitizable signatures revisited. In

Jarecki, S. and Tsudik, G., editors, Public Key Cryp-

tography, volume 5443 of Lecture Notes in Computer

Science, pages 317–336. Springer.

Chang, E.-C., Lim, C. L., and Xu, J. (2009). Short

redactable signatures using random trees. In Fischlin,

M., editor, CT-RSA, volume 5473 of Lecture Notes in

Computer Science, pages 133–147. Springer.

Damg˚ard, I. (1989). A design principle for hash functions.

In (Brassard, 1990), pages 416–427.

FIPS PUB 180-4 (2012). Secure hash standard (SHS).

Johnson, R., Molnar, D., Song, D. X., and Wagner, D.

(2002). Homomorphic signature schemes. In Preneel,

B., editor, CT-RSA, volume 2271 of Lecture Notes in

Computer Science, pages 244–262. Springer.

Kundu, A., Atallah, M. J., and Bertino, E. (2012). Leakage-

free redactable signatures. In Bertino, E. and Sandhu,

R. S., editors, CODASPY, pages 307–316. ACM.

Kundu, A. and Bertino, E. (2008). Structural signatures for

tree data structures. Proceedings of the Very Large

Data Base Endowment, 1(1):138–150.

Kundu, A. and Bertino, E. (2010). How to authenticate

graphs without leaking. In Manolescu, I., Spaccapi-

etra, S., Teubner, J., Kitsuregawa, M., L´eger, A., Nau-

mann, F., Ailamaki, A., and

Ozcan, F., editors, EDBT,

volume 426 of ACM International Conference Pro-

ceeding Series, pages 609–620. ACM.

Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A.

(1996). Handbook of Applied Cryptography. CRC

Press.

Merkle, R. C. (1989a). A certiﬁed digital signature. In

(Brassard, 1990), pages 218–238.

Merkle, R. C. (1989b). One way hash functions and DES.

In (Brassard, 1990), pages 428–446.

Miyazaki, K., Susaki, S., Iwamura, M., Matsumoto, T.,

Sasaki, R., and Yoshiura, H. (2003). Digital document

sanitizing problem. Technical Report ISEC2003–20,

IEICE.

Nojima, R., Tamura, J., Kadobayashi, Y., and Kikuchi, H.

(2009). A storage efﬁcient redactable signature in the

standard model. In Samarati, P., Yung, M., Martinelli,

F., and Ardagna, C. A., editors, ISC, volume 5735 of

Lecture Notes in Computer Science, pages 326–337.

Springer.

P¨ohls, H. C., Samelin, K., de Meer, H., and Posegga, J.

(2012). Flexible redactable signature schemes for

trees - extended security model and construction. In

Samarati, P., Lou, W., and Zhou, J., editors, SE-

CRYPT, pages 113–125. SciTePress.

Samelin, K., P¨ohls, H. C., Bilzhause, A., Posegga, J., and

de Meer, H. (2012a). On structural signatures for tree

data structures. In Bao, F., Samarati, P., and Zhou,

J., editors, ACNS, volume 7341 of Lecture Notes in

Computer Science, pages 171–187. Springer.

Samelin, K., P¨ohls, H. C., Bilzhause, A., Posegga, J., and

de Meer, H. (2012b). Redactable signatures for inde-

pendent removal of structure and content. In Ryan,

M. D., Smyth, B., and Wang, G., editors, ISPEC,

volume 7232 of Lecture Notes in Computer Science,

pages 17–33. Springer.

Steinfeld, R., Bull, L., and Zheng, Y. (2001). Content ex-

traction signatures. In Kim, K., editor, ICISC, volume

2288 of Lecture Notes in Computer Science, pages

285–304. Springer.

SECRYPT2013-InternationalConferenceonSecurityandCryptography

320