Accountable Trapdoor Sanitizable Signatures - A*Star

**Accountable** **Trapdoor** **Sanitizable** **Signatures**No Author GivenNo Institute GivenAbstract. **Sanitizable** signature (SS) allows a signer to partly delegate signing rights to a predeterminedparty, called sanitizer, who can later modify certain designated parts of a message originallysigned by the signer and generate a new signature on the sanitized message without interacting withthe signer. One of the important security requirements of sanitizable signatures is accountability, whichallows the signer to prove, in case of dispute, to a third party that a message was modified by thesanitizer. **Trapdoor** sanitizable signature (TSS) enables a signer of a message to delegate the power ofsanitization to any parties at anytime but at the expense of losing the accountability property. In thispaper, we introduce the notion of accountable trapdoor sanitizable signature (ATSS) which lies betweenSS and TSS. As a building block for constructing ATSS, we also introduce the notion of accountablechameleon hash (ACH), which is an extension of chameleon hash (CH) and might be of independentinterest. We propose a concrete construction of ACH and show how to use it to construct an ATSSscheme.Key words: **Trapdoor** **Sanitizable** Signature, Accountability, Chameleon Hash1 IntroductionAteniese et al. [1] introduced the notion of sanitizable signature (SS) and presented a generic constructionbased on chameleon hash (CH) [18]. **Sanitizable** signatures allow a signer to partly delegate signing rightsto a predetermined party, called a sanitizer. During signature generation on a message, the signer chooses aspecific sanitizer who, with the knowledge of the putative signature, can later modify certain designated partsof the message and generate a new signature on the sanitized message without interacting with the signer. Thecapability of modification renders sanitizable signatures useful in many applications, such as authenticatedmulticast, authenticated database outsourcing and authenticated multimedia content distribution.**Sanitizable** signatures are required to possess the following five security properties [1]:Unforgeability. An outsider (i.e., neither the signer nor the sanitizer) should not be able to forge thesigner’s or the sanitizer’s signature.Immutability. The sanitizer should not be able to produce valid signatures for messages where it hasmodified other than the designated parts.Privacy. Sanitized messages and their signatures should not reveal the original data.Transparency. An outsider should not be able to decide whether a message has been sanitized or not.Accountability. In case of a dispute, the signer can prove to a trusted third party that a certain messagewas modified by the sanitizer.Subsequently Canard et al. [8] introduced the notion of trapdoor sanitizable signature (TSS), which isan extension of SS. TSS enables a signer to delegate the power of sanitization for a signed message to anyparty. They also proposed a generic construction of TSS based on identity-based chameleon hash (IBCH)[2]. However, TSS does not satisfy the security requirement of accountability.In this paper, we introduce the notion of accountable TSS (ATSS) which lies between TSS and SS.Like SS, our ATSS scheme satisfies the accountability property; it allows a signer to generate an ATSSsignature on a message for a predetermined candidate sanitizer. The ATSS signature alone does not providethe candidate sanitizer the power to modify the underlying message and generate a valid signature on themodified message. In order to generate a valid signature on a modified message, similar to TSS, the candidatesanitizer needs to obtain a trapdoor from the signer, in addition to the signer’s signature.

1.3 OrganizationThe rest of the paper is organized as follows. Some preliminaries are given in Section 2. The notion andsecurity requirements of ATSS are introduced in Section 3. In Section 4, we present the notion and securityrequirements of ACH, and propose a concrete construction. In Section 5, we propose a generic constructionof ATSS from ACH and present a specific ATSS scheme based on our ACH scheme. Finally, we state ourconclusion in Section 6.2 PreliminariesIf L is a positive integer, then [1, L] = {1, 2, . . . , L}. If A, B are two sets, A\B = {x ∈ A|x /∈ B}. If x 1 , x 2 , . . .are strings, then x 1 ∥x 2 ∥ . . . denotes their concatenation. We denote by R the range of random number. Wesay that a function f(λ) is negligible if for every c > 0 there exists an λ c such that f(λ) < 1/λ c for all λ > λ c .2.1 Bilinear PairingsLet G be a cyclic multiplicative group of prime order p and G T be a cyclic multiplicative group of the sameorder p. A bilinear pairing is a map e : G × G → G T with the following properties:– Bilinearity: ∀g 1 , g 2 ∈ G, ∀a, b ∈ Z ∗ p, we have e(g a 1, g b 2) = e(g 1 , g 2 ) ab ;– Non-degeneracy: There exist g 1 , g 2 ∈ G such that e(g 1 , g 2 ) ≠ 1;– Computability: There exists an efficient algorithm to compute e(g 1 , g 2 ) for ∀g 1 , g 2 ∈ G.2.2 Computational Diffie-Hellman (CDH) AssumptionThe security of our ACH scheme will be reduced to the hardness of the computational Diffie-Hellman (CDH)problem in the bilinear map group system ⟨p, G, G T , e⟩ in which the ACH scheme is constructed.Definition 1 Given a bilinear map group system ⟨p, G, G T , e⟩, a generator g of G and elements g a , g b ∈ Gwhere a, b are selected uniformly at random from Z ∗ p, the CDH problem in the bilinear map group system isto compute g ab . We say that the CDH assumption holds in a bilinear map group system ⟨p, G, G T , e⟩ if noprobabilistic polynomial-time algorithm can solve the CDH problem in the bilinear map group system withnon-negligible probability.3 **Accountable** **Trapdoor** **Sanitizable** Signature and Its Security RequirementsATSS lies between sanitizable signature and trapdoor sanitizable signature. Like a TSS scheme, an ATSSscheme includes the algorithms: GlobalSetup, KeyGen, Sign, **Trapdoor**, Sanitize and Verify. However, in ATSS,besides the private key of the signer, the inputs of the Sign algorithm include the public key of a candidatesanitizer and a transaction identifer TID. In order to generate a new signature on a sanitized message, inATSS, the inputs of the Sanitize algorithm include the private key of the candidate sanitizer and a trapdoorassociated with the transaction identifier TID generated by the signer using **Trapdoor** algorithm, not just atrapdoor associated with the transaction identifier as in TSS or just the private key of the sanitizer as in SS.In addition, to settle disputes about the origin of a message-signature pair, an algorithm Proof enablesthe signer to produce a proof π. The proof π is generated from a set of previously signed messages. A Judgealgorithm then uses the proof π to decide if a valid message-signature pair was created by the signer or thesanitizer (the lack of such a proof is interpreted as a signer origin).Concretely, an ATSS scheme is a tuple of algorithms described as follows:GlobalSetup takes as input a security parameter λ. It produces a common public parameter param to beused by all parties in the system.param ← GlobalSetup(λ).3

KeyGen takes as input a security parameter λ and the common public parameter param. It generates apublic/private key pair (pk, sk). Every party in the system uses this randomized algorithm to generatea private/public key pair himself or herself.(pk, sk) ← KeyGen(λ, param).For presentation simplicity, we assume there exist a single singer and multiple sanitizers in the system.We denote by (pk sig , sk sig ) the key pair of the signer, and by (pk san , sk san ) the key pair of a sanitizer.Sign takes as input a sanitizer’s public key pk san , a message m = m 1 ∥ · · · ∥m L , a set of indices I ⊆ [1, L]that are sanitizable, a transaction identifier TID and the signer’s private key sk sig . It outputs a signatureσ on m.σ ← Sign(pk san , m, I, TID, sk sig ).We assume that each message signed has a unique transaction identifier.**Trapdoor** takes as input a message m, a set of indices I that are sanitizable, a transaction identifier TID,a valid signature σ on (pk sig , pk san , m, I, TID) and the signer’s private key sk sig . It outputs a trapdoortd TID .td TID ← **Trapdoor**(m, I, TID, σ, sk sig ).Sanitize takes as input the signer’s public key pk sig , a message m, a set of the indices I that are sanitizable,a transaction identifier TID, a valid signature σ on (pk sig , pk san , m, I, TID), a trapdoor td TID associatedwith TID, the sanitizer’s private key sk san and a new message m ′ . It outputs a new signature σ ′ on(pk sig , pk san , m ′ , I, TID).σ ′ ← Sanitize(pk sig , m, I, TID, σ, m ′ , td TID , sk san ).Verify takes as input param, the signer’s public key pk sig , a sanitizer’s public key pk san , a message m, a setof the indices I that are sanitizable, a transaction identifier TID and a putative signature σ. It outputs1 if the signature σ on m is valid and 0 otherwise.0/1 ← Verify(param, pk sig , pk san , m, I, TID, σ).Proof takes as input param, the signer’s private key sk sig , a valid signature σ on (pk sig , pk san , m, I, TID), anda set of (polynomially many) additional message-signature pairs ((pk sig , pk san, (i) m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q .It outputs a proof π ∈ {0, 1} ∗ .π ← Proof(param, sk sig , ((pk sig , pk san , m, I, TID), σ), ((pk sig , pk (i)san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q ).Judge takes as input param, the signer’s public key pk sig , the sanitizer’s public key pk san , a valid signatureσ on (pk sig , pk san , m, I, TID) and a proof π. It outputs a decision d ∈ {Sig/San} indicating whether themessage-signature pair ((pk sig , pk san , m, I, TID), σ) was created by the signer or the sanitizer.d ← Judge(param, ((pk sig , pk san , m, I, TID), σ), π).The usual correctness properties should hold for an ATSS scheme, saying that genuinely signed orsanitized messages are accepted. Formally, for any security parameter λ, any message m = m 1 ∥ · · · ∥m L ,any set of indices I ⊆ [1, L], any transaction identifier TID, param ← GlobalSetup(λ), (pk sig , sk sig ) ←KeyGen(λ, param), (pk san , sk san ) ← KeyGen(λ, param), σ ← Sign(pk san , m, I, TID, sk sig ), td TID ← **Trapdoor**(m,I, TID, σ, sk sig ), and σ ′ ← Sanitize(pk sig , m, I, TID, σ, m ′ , td TID , sk san ), we must haveVerify(param, pk sig , pk san , m, I, TID, σ) = 1 and Verify(param, pk sig , pk san , m ′ , I, TID, σ ′ ) = 1.4

The security requirements of an ATSS scheme include unforgeability, indistinguishability and accountability.The unforgeability and indistinguishability requirements of ATSS are extended from the securityrequirements of TSS [8]. Informally, unforgeability requires that an outsider be not able to forge a signatureon the original or the sanitized message, and indistinguishability requires that an outsider be not able todecide whether a message has been sanitized or not.Accountability requires that the origin of a (sanitized) signature be undeniable. We distinguish betweensanitizer- and signer-accountability, as did in [7]. Informally, sanitizer-accountability implies that if a messagehas not been signed by the signer, then even a malicious sanitizer should not be able to make a judge accusethe signer, and signer-accountability implies that if a signed message has not been sanitized, then even amalicious signer should not be able to make the judge accuse the sanitizer.Unforgeability: An ATSS scheme is existentially unforgeable under adaptive chosen message attacks, iffor any probabilistic polynomial-time adversary A, the probability that A succeeds in the following gamebetween A and a challenger is negligible in the security parameter λ:Setup The challenger runsparam ← GlobalSetup(λ), (pk sig , sk sig ) ← KeyGen(λ, param), (pk san , sk san ) ← KeyGen(λ, param),and sends the common public parameter param, the signer’s public key pk sig and the sanitizer’s publickey pk san to the adversary A.Query phase The adversary A adaptively issues queries:1. O SignAT SSquery on (m, I, TID), where I ⊆ [1, L] is a set of indices and TID is a transaction identifier:The challenger forwards the valid signature σ on (pk sig , pk san , m, I, TID) to the adversary.2. O **Trapdoor**AT SSquery on (m, I, TID, σ), where σ is a valid signature on (pk sig , pk san , m, I, TID): The challengerforwards the corresponding trapdoor td TID to the adversary.3. OAT SanitizeSS query on (m, I, TID, σ, m′ ), where m i = m ′ i for all i /∈ I: The challenger forwards the newvalid signature σ ′ on (pk sig , pk san , m ′ , I, TID) to the adversary.Output A outputs (m ∗ , I ∗ , TID ∗ , σ ∗ ) and succeeds if the following conditions hold.1. Verify(param, pk sig , pk san , m ∗ , I ∗ , TID ∗ , σ ∗ ) = 1.2. A never queries O SignAT SS oracle on (m∗ , I ∗ , TID ∗ ).3. (m ∗ , σ ∗ ) does not come from OAT SanitizeSS oracle, i.e., A never queries OSanitize AT SS oracle on (m, I∗ , TID ∗ , σ, m ∗ ),where σ is a valid signature on (pk sig , pk san , m, I ∗ , TID ∗ ) and m i = m ∗ i for all i /∈ I∗ .4. A never queries O **Trapdoor**AT SS oracle on (m, I∗ , TID ∗ , σ), where σ is a valid signature on (pk sig , pk san , m, I ∗ , TID ∗ )and m i = m ∗ i for all i /∈ I∗ .Indistinguishability: The indistinguishability of an ATSS scheme requires that the output distributions ofSign algorithm and Sanitize algorithm be computational indistinguishable. In other words, for all sufficientlylarge λ, any param ← GlobalSetup(λ), (pk sig , sk sig ) ← KeyGen(λ, param), (pk san , sk san ) ← KeyGen(λ, param),any set of indices I ⊆ [1, L], any message pairs m, m ′ such that m i = m ′ i for all i /∈ I, any transaction identifierTID, the following distribution ensembles D Sanitize and D Sign are computational indistinguishable:D Sanitize = {(m ′ , ˆσ)|σ ← Sign(pk san , m, I, TID, sk sig ), td TID ← **Trapdoor**(m, I, TID, σ, sk sig ),D Signˆσ ← Sanitize(pk sig , m, I, TID, σ, m ′ , td TID , sk san )} λ,param,pksig,pk san,I,TID,= {(m ′ , σ ′ )|σ ′ ← Sign(pk san , m ′ , I, TID, sk sig )} λ,param,pksig ,pk san ,I,TID.Sanitizer-accountability: An ATSS scheme is sanitizer-accountable, if for any probabilistic polynomialtimeadversary A, the probability that A succeeds in the following game between A and a challenger isnegligible in the security parameter λ:Setup The challenger runsparam ← GlobalSetup(λ), (pk sig , sk sig ) ← KeyGen(λ, param),and sends the common public parameter param and the signer’s public key pk sig to the adversary A.5

Query phase The adversary A adaptively issues queries:1. O SignAT SS query on (pk san, m, I, TID), where pk san is a sanitizer’s public key chosen by A, I ⊆ [1, L] isa set of indices and TID is a transaction identifier: The challenger forwards the valid signature σ on(pk sig , pk san , m, I, TID) to the adversary.2. O **Trapdoor**AT SSquery on (pk san , m, I, TID, σ), where σ is a valid signature on (pk sig , pk san , m, I, TID): Thechallenger forwards the corresponding trapdoor td TID to the adversary.Output A outputs (pk sig , pksan, ∗ m ∗ , I ∗ , TID ∗ , σ ∗ ) and succeeds if the following conditions hold.1. Verify(param, pk sig , pksan, ∗ m ∗ , I ∗ , TID ∗ , σ ∗ ) = 1.2. ((pk sig , pksan, ∗ m ∗ , I ∗ , TID ∗ ), σ ∗ ) ≠ ((pk sig , pk san, (i) m (i) , I (i) , TID (i) ), σ (i) ) for all i = 1, 2, . . . , q, where(pk san, (i) m (i) , I (i) , TID (i) ) and σ (i) for i = 1, 2, . . . , q denote the queries and answers to and from oracleO SignAT SS .3. Sig ← Judge(param, ((pk sig , pksan, ∗ m ∗ , I ∗ , TID ∗ ), σ ∗ ), π ∗ ), whereπ ∗ ← Proof(param, sk sig , ((pk sig , pk ∗ san, m ∗ , I ∗ , TID ∗ ), σ ∗ ), ((pk sig , pk (i)san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q ).Signer-accountability: An ATSS scheme is signer-accountable, if for any probabilistic polynomial-timeadversary A, the probability that A succeeds in the following game between A and a challenger is negligiblein the security parameter λ:Setup The challenger runsparam ← GlobalSetup(λ), (pk san , sk san ) ← KeyGen(λ, param),and sends the common public parameters param and the sanitizer’s public key pk san to the adversaryA.Query phase The adversary A adaptively issues OAT SanitizeSS query on (pk sig, m, I, TID, σ, td TID , m ′ ), wherepk sig is a singer’s public key chosen by A, σ is a valid signature on (pk sig , pk san , m, I, TID), td TID is thetrapdoor associated with TID and m i = m ′ i for all i /∈ I: The challenger forwards the new valid signatureσ ′ on (pk sig , pk san , m ′ , I, TID) to the adversary.Output A outputs (pksig ∗ , pk san, m ∗ , I ∗ , TID ∗ , σ ∗ , π ∗ ) and succeeds if the following conditions hold.1. Verify(param, pksig ∗ , pk san, m ∗ , I ∗ , TID ∗ , σ ∗ ) = 1.2. San ← Judge(param, ((pksig ∗ , pk san, m ∗ , I ∗ , TID ∗ ), σ ∗ ), π ∗ ).3. ((pksig ∗ , pk san, m ∗ , I ∗ , TID ∗ ), σ ∗ ) ≠ ((pk (i)sig , pk san, m (i) , I (i) , TID (i) ), σ (i) ) for all i = 1, 2, . . . , q, where((pk (i)sig , pk san, m (i) , I (i) , TID (i) ), σ (i) ) for i = 1, 2, . . . , q denote the answers from oracle OAT SanitizeSS .4 **Accountable** Chameleon Hash and Its ConstructionIn this section, we first introduce and formulate accountable chameleon hash (ACH). Then, we present aconstruction of ACH and analyze its security in the random oracle model.4.1 **Accountable** Chameleon HashACH is a new paradigm which lies between chameleon hash (CH) and identity-based chameleon hash (IBCH).The inputs of the Hash algorithm of an ACH include two users’ public keys and a transaction identifier TID,not just the public key of a single user as in a CH scheme or just an identity as in an IBCH scheme. In orderto find a collision, the inputs of the Forge algorithm of an ACH scheme include one user’s private key and atrapdoor information associated with the transaction identifer TID generated by the other user, not just asingle user’s private key as in a CH scheme or just a trapdoor information associated with an identity as inan IBCH scheme.Concretely, an ACH scheme consists of the following algorithms:6

GlobalSetup takes as input a security parameter λ. It produces a common public parameter param to beused by all parties in the system.param ← GlobalSetup(λ).KeyGen takes as input a security parameter λ and the common public parameter param. It generates apublic/private key pair (pk, sk). All parties in the system use this randomized algorithm to generate aprivate/public key pair himself or herself.(pk, sk) ← KeyGen(λ, param).Hash takes as input param, user i’s public key pk i , user j’s public key pk j , a message m and a uniquetransaction identifier TID. It chooses a random r and outputs a hash value h.h ← Hash(param, pk i , pk j , TID, m, r).**Trapdoor** takes as input user i’s private key sk i and a transaction identifier TID. It outputs the trapdoorinformation td i,TID associated with user i and the transaction identifier TID.td i,TID ← **Trapdoor**(sk i , TID).Forge takes as input user j’s private key sk j , the trapdoor information td i,TID associated with user i and atransaction identifier TID, the hash value h on a message m with user i’s public key pk i , user j’s publickey pk j , the transaction identifier TID, random r, and a message m ′ . It outputs a random r ′ .For correctness, we require thatwherer ′ ← Forge(sk j , td i,TID , pk i , pk j , TID, m, r, h, m ′ ).Hash(param, pk i , pk j , TID, m, r) = h = Hash(param, pk i , pk j , TID, m ′ , r ′ ) and m ′ ≠ m,r ′ ← Forge(sk j , td i,TID , pk i , pk j , TID, m, r, h, m ′ ), td i,TID ← **Trapdoor**(sk i , TID).The security of an ACH scheme consists of two requirements: resistance to collision forgery under activeattacks and forgery indistinguishability.Resistance to collision forgery under active attacks: The accountable chameleon hash scheme issecure against (existential) collision forgery under active attacks if, for any probabilistic polynomial-timealgorithm A, the probability that A succeeds in the following game between A and a challenger is negligiblein the security parameter λ:Setup The challenger runsparam ← GlobalSetup(λ), (pk i , sk i ) ← KeyGen(λ, param), (pk j , sk j ) ← KeyGen(λ, param),and sends the common public parameter param, user i’s public key pk i and user j’s public/private keypair (pk j , sk j ) to the adversary A.Query phase The adversary A adaptively issues queries O **Trapdoor**ACHon a transaction identifier TID. Thechallenger forwards the trapdoor information td i,TID associated with user i and the transaction identifierTID to the adversary.Output A outputs (TID ∗ , m, r, m ′ , r ′ ) and succeeds if the following conditions hold.1. Hash(param, pk i , pk j , TID ∗ , m, r) = Hash(param, pk i , pk j , TID ∗ , m ′ , r ′ ) and m ′ ≠ m.2. A never queries O **Trapdoor**ACHon TID ∗ .7

Forgery indistinguishability: An ACH scheme is said to be forgery indistinguishable if, for all sufficientlylarge λ, any param ← GlobalSetup, (pk i , sk i ) ← KeyGen(λ, param), (pk j , sk j ) ← KeyGen(λ, param), alltransaction identifier TID, and all pairs of messages m and m ′ , the following distribution ensembles arecomputational indistinguishable:D Forge= {(m ′ , ˆr, h)|r $ ← R, h ← Hash(param, pk i , pk j , TID, m, r), td i,TID ← **Trapdoor**(sk i , TID),ˆr ← Forge(sk j , td i,TID , pk i , pk j , TID, m, r, h, m ′ )} λ,param,pki ,pk j ,TID,D Hash = {(m ′ , r ′ , h ′ )|r ′ $← R, h ′ ← Hash(param, pk i , pk j , TID, m ′ , r ′ )} λ,param,pki,pk j,TID.4.2 ConstructionOur specific construction of an ACH scheme consists of the following algorithms:GlobalSetup Given a security parameter λ, it first generates a bilinear map group system ⟨p, G, G T , e⟩. Then,it picks a generator g of G and chooses a cryptographic hash function H : {0, 1} ∗ → G. The commonpublic parameter isparam = (p, G, G T , e, g, H).KeyGen Given a security parameter λ and the common public parameter param, user i first chooses x i ∈ Z ∗ prandomly. Then, set his public key aspk i = g x i,and the private key as sk i = x i .Hash Given param, user i’s public key pk i , user j’s public key pk j , a message m ∈ Z ∗ p and a uniquetransaction identifier TID, it chooses R ∈ G uniformly at random and computesh = e(R, g) · e(H(TID) m , pk i · pk j ),Finally, it outputs the hash value h.**Trapdoor** Given user i’s private key sk i = x i and a transaction identifier TID, it computestd i,TID = H(TID) ski = H(TID) xi ,and outputs the trapdoor information td i,TID associated with user i and transaction identifier TID.Forge Given user j’s private key sk j , the trapdoor information td i,TID associated with user i and transactionidentifier TID, the hash value h on a message m with user i’s public key pk i , user j’s public key pk j ,transaction identifier TID, random R, and a message m ′ , it computes and outputsNote that, for a forgery, we haveR ′ = R · (H(TID) skj · td i,TID ) m−m′ .Hash(param, pk i , pk j , TID, m ′ , R ′ ) = e(R ′ , g) · e(H(TID) m′ , pk i · pk j )= e(R · (H(TID) skj · td i,TID ) m−m′ , g) · e(H(TID) m′ , pk i · pk j )= e(R, g) · e((H(TID) skj · td i,TID ) m−m′ , g) · e(H(TID) m′ , pk i · pk j )= e(R, g) · e((H(TID) xj · H(TID) xi ) m−m′ , g) · e(H(TID) m′ , g xi+xj )= e(R, g) · e((H(TID) x i+x j) m−m′ , g) · e((H(TID) x i+x j) m′ , g)= e(R, g) · e((H(TID) xi+xj ) m , g),= e(R, g) · e(H(TID) m , g x i+x j)= e(R, g) · e(H(TID) m , pk i · pk j )= Hash(param, pk i , pk j , TID, m, R).So, the above scheme satisfies correctness. We now turn to security.8

Theorem 1 In the random oracle model, the above construction of accountable CH is secure against (existential)collision forgery under active attacks, assuming that the CDH assumption holds in the bilinear mapgroup system ⟨p, G, G T , e⟩.Proof. Suppose there exists an adversary A against the collision resistance of above accountable CH scheme.We are going to construct another PPT B that makes use of A to solve the CDH problem in a bilinear mapgroup system ⟨p, G, G T , e⟩ with non-negligible probability.B is given as input a random 3-tuple (g, g a , g b ), and B’s goal is to compute g ab . B runs A executing thefollowing steps.Setup B first chooses x j ∈ Z ∗ p randomly. Then, set the common public parameters as param = (p, G, G T , e, g, H),user i’s public key as pk i = g a , and user j’s public/private key pair as (pk j , sk j ) = (g xj , x j ). The user i’sprivate key sk i = a, which is unknown to B. Here H is a random oracle controlled by B. B also maintainsa list L which is initially empty. Finally, B sends (param, pk i , (pk j , sk j )) to the adversary A.Query phase The adversary A adaptively issues queries:1. H query on a transaction identifier TID: B responds as follows:– If a tuple (TID, Q, t, coin) appears in the list L, B forwards Q to A.– Otherwise, B picks coin ∈ {0, 1} at random such that Pr[coin = 0] = ρ. (ρ will be determinedlater.) Then B chooses t ∈ Zp ∗ randomly and computes Q = (g b ) coin · g t . Finally, the tuple(TID, Q, t, coin) is added to the list L and Q is sent to A.2. O **Trapdoor**ACHon a transaction identifier TID: Let (TID, Q, t, coin) be the corresponding tuple in the listL. B responds as follows:– If coin = 0, B computes td i,TID = (g a ) t and sends td i,TID to A. Observe that td i,TID = H(TID) sk i,which is the trapdoor information associated with user i and the transaction identifier TID.– Otherwise, B aborts and terminates.Output A outputs (TID ∗ , m, R, m ′ , R ′ ) such thatHash(param, pk i , pk j , TID ∗ , m, R) = Hash(param, pk i , pk j , TID ∗ , m ′ , R ′ ) and m ′ ≠ m.Let (TID ∗ , Q ∗ , t ∗ , coin ∗ ) be the corresponding tuple in the list L. B proceeds as follows:– If coin ∗ = 0, B aborts and terminates.– Otherwise, B computes and outputs(R/R ′ ) 1/(m′ −m)(g b g t∗ ) x j · (ga ) t∗ .Observe that,Hash(param, pk i , pk j , TID ∗ , m, R) = e(R, g) · e(H(TID ∗ ) m , pk i · pk j ) = e(R · (H(TID ∗ ) xi+xj ) m , g),andHash(param, pk i , pk j , TID ∗ , m ′ , R ′ ) = e(R ′ , g) · e(H(TID ∗ ) m′ , pk i · pk j ) = e(R ′ · (H(TID ∗ ) xi+xj ) m′ , g).If Hash(param, pk i , pk j , TID ∗ , m, R) = Hash(param, pk i , pk j , TID ∗ , m ′ , R ′ ), we haveIf coin ∗ = 1, H(TID ∗ ) = g b g t∗ ; henceR · (H(TID ∗ ) x i+x j) m = R ′ · (H(TID ∗ ) x i+x j) m′ ,(R/R ′ ) 1/(m′ −m) = H(TID ∗ ) x i+x j.(R/R ′ ) 1/(m′ −m) = (g b g t∗ ) a+x j,(R/R ′ ) 1/(m′ −m)(g b g t∗ ) x j · (ga ) t∗ = g ab .9

Then, it picks a key κ sig ∈ {0, 1} λ for the hash function H 1 , sets the public key pk = (pk Σ , pk Π )and the private key sk = (sk Σ , sk Π , κ sig ). Finally, it publishes pk and keeps sk secret. We denote bypk sig = (pk sig,Σ , pk sig,Π ) and sk sig = (sk sig,Σ , sk sig,Π , κ sig ) the public key and private key of the signer,and by pk san = (pk san,Σ , pk san,Π ) and sk san = (sk san,Σ , sk san,Π , κ san ) the public key and private keyof a sanitizer.Sign Given a sanitizer’s public key pk san = (pk san,Σ , pk san,Π ), a message m = m 1 ∥ · · · ∥m L , a set ofindices I ⊆ [1, L] that are sanitizable, a transaction identifier TID and the signer’s private key sk sig =(sk sig,Σ , sk sig,Π , κ sig ), it proceeds as follows.1. Compute z = H 1 (κ sig , TID).2. For all i ∈ [1, L]\I, set ˜m i = m i .3. For all i ∈ I, compute r i = H 2 (z, i) andh i = Π.Hash(param, pk sig,Π , pk san,Π , TID, m i , r i )and set ˜m i = h i . Let r be the concatenation of all r i , i ∈ I.4. Set ˜m = ˜m 1 ∥ · · · ∥ ˜m L and run˜σ ← Σ.Sign( ˜m, sk sig,Σ ).5. Finally, set σ = ˜σ∥r and output the signature σ on m.**Trapdoor** Given a message m, a set of the indices I that are sanitizable, a transaction identifier TID, a validsignature σ on (pk sig , pk san , m, I, TID) and the signer’s private key sk sig = (sk sig,Σ , sk sig,Π , κ sig ), it runstd TID ← Π.**Trapdoor**(sk sig,Π , TID),and outputs the trapdoor td TID associated with TID.Sanitize Given the signer’s public key pk sig = (pk sig,Σ , pk sig,Π ), a message m = m 1 ∥ · · · ∥m L , a set ofindices I ⊆ [1, L] that are sanitizable, the transaction identifier TID, a valid signature σ = ˜σ∥r on(pk sig , pk san = (pk san,Σ , pk san,Π ), m, I, TID), a trapdoor td TID associated with TID, the sanitizer’s privatekey sk san = (sk san,Σ , sk san,Π , κ san ) and a new message m ′ = m ′ 1∥ · · · ∥m ′ L , it proceeds as follows.1. Let I ′ = {i ∈ [1, L]|m i ≠ m ′ i }. Check whether I′ ⊆ I. If not, output ⊥, denoted an error.2. Retrieve {r i , i ∈ I} from the signature σ = ˜σ∥r.3. For all i ∈ I ′ , compute h i ← Π.Hash(param, pk sig,Π , pk san,Π , TID, m i , r i ) andr ′ i ← Π.Forge(sk san,Π , td TID , pk sig,Π , pk san,Π , TID, m i , r i , h i , m ′ i).4. For all i ∈ I\I ′ , set r ′ i = r i. Let r ′ be the concatenation of all r ′ i , i ∈ I.5. Set σ ′ = ˜σ∥r ′ and output the new signature σ ′ on (pk sig , pk san , m ′ , I, TID).Verify Given param, the signer’s public key pk sig = (pk sig,Σ , pk sig,Π ), a sanitizer’s public key pk san =(pk san,Σ , pk san,Π ), a message m = m 1 ∥ · · · ∥m L , a set of indices I ⊆ [1, L] that are sanitizable, a transactionidentifier TID and a putative signature σ = ˜σ∥r, it proceeds as follows.1. Retrieve {r i , i ∈ I} from the signature σ = ˜σ∥r.2. For all i ∈ [1, L]\I, set ˜m i = m i .3. For all i ∈ I, computeh i = Π.Hash(param, pk sig,Π , pk san,Π , TID, m i , r i )and set ˜m i = h i .4. Set ˜m = ˜m 1 ∥ · · · ∥ ˜m L and output Σ.Verify(pk sig,Σ , ˜m, ˜σ).Proof Given param, the signer’s private key sk sig = (sk sig,Σ , sk sig,Π , κ sig ), a valid message-signature pair((pk sig = (pk sig,Σ , pk sig,Π ), pk san = (pk san,Σ , pk san,Π ), m, I, TID), σ), and a set of (polynomially many)additional message-signature pairs MesSigS = ((pk sig , pk (i)san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,qgeneratedoriginally by the signer, it first searches the set MesSigS to find a tuple ((pk sig , pk san, (i) m (i) , I (i) , TID (i) ), σ (i) )such that1. pk san = pk (i)san, I = I (i) and TID = TID (i) .11

2. I ′ ⊆ I, where I ′ = {j ∈ [1, L]|m j ≠ m (i)j }. Note that, m = m 1∥ · · · ∥m L and m (i) = m (i)1 ∥ · · · ∥m(i)3. Π.Hash(param, pk sig,Π , pk san,Π , TID, m j , r j ) = Π.Hash(param, pk sig,Π , pk (i)san,Πall j ∈ I ′ , where σ = ˜σ∥r, r = {r j , j ∈ I}, σ (i) = ˜σ∥r (i) and r (i) = {r (i)j , j ∈ I}., TID, m(i) jThen, it computes z i = H 1 (TID (i) , κ sig ). Finally, it outputs the proof π = (pk sig , pk san, (i) m (i) , I (i) , TID (i) , σ (i) , z i ).Judge Given param, the signer’s public key pk sig = (pk sig,Σ , pk sig,Π ), the sanitizer’s public key pk san =(pk san,Σ , pk san,Π ), a valid message-signature pair ((pk sig , pk san , m, I, TID), σ) and a proof π = (pk sig , pk san,(i)m (i) , I (i) , TID (i) , σ (i) , z i ). Let σ = ˜σ∥r where r = {r j , j ∈ I}, and σ (i) = ˜σ∥r (i) where r (i) = {r (i)j , j ∈ I},it first checks whether the following conditions hold:1. pk san = pk san, (i) I = I (i) and TID = TID (i) ;2. (m, σ) ≠ (m (i) , σ (i) );3. I ′ ⊆ I, where I ′ = {j ∈ [1, L]|m j ≠ m (i)j }. Note that, m = m 1∥ · · · ∥m L and m (i) = m (i)1 ∥ · · · ∥m(i) L ;4. Π.Hash(param, pk sig,Π , pk san,Π , TID, m j , r j ) = Π.Hash(param, pk sig,Π , pk san,Π , TID, m (i)j , r(i) j ) forall j ∈ I ′ ;5. r (i)j = H 2 (z i , j) for all j ∈ I.If so, it outputs San indicating the message-signature pair ((pk sig , pk san , m, I, TID), σ) was created bythe sanitizer; else it outputs Sig indicating the message-signature pair ((pk sig , pk san , m, I, TID), σ) wascreated by the signer.It is obvious that the above ATSS scheme satisfies correctness. We now state the security theorems of thescheme, including unforgeability, indistinguishability and accountability.Theorem 3 (Unforgeability) If the signature scheme Σ is existential unforgeable under adaptive chosenmessage attacks and the ACH scheme Π is resistant to collision forgery under active attacks, the aboveconstruction of ATSS is existential unforgeable under adaptive chosen message attacks.Proof. As usual [8], for presentation simplicity, we assume that a message consists of a single block (extensionto the general case is straightforward). Let A be a forger against the above ATSS scheme and let (m ∗ , I ∗ ={1}, TID ∗ , σ ∗ ) be the forgery produced by A. We distinguish between two cases of forgery:Case 1: m ∗ is a non-sanitized message and A never queries O SignAT SS oracle on (m∗ , I ∗ , TID ∗ ).Case 2: m ∗ is a sanitized message. A never queries OAT SanitizeSS on (m, I∗ , TID ∗ , σ, m ∗ ) or O **Trapdoor**AT SSon (m, I∗ , TID ∗ , σ),where σ is a valid signature on (pk sig , pk san , m, I ∗ , TID ∗ ) and m ≠ m ∗ .To prove this theorem, we will show that in the first case, we can use A as a sub-routine to construct anotheralgorithm B, which is a forgery against the signature scheme Σ, and in the second case, we can use A asa sub-routine to construct another algorithm B, which is a forgery against the ACH scheme Π. Initially, Bwill choose a random bit b ∈ {1, 2} that indicates its guess for the case of forgery that A will produce. Bproceeds differently for each case.Case 1. Given a public key pk ∗ and a signing oracle O SignΣof the signature scheme Σ, using A as a subroutine,B simulates a forger against the signature scheme Σ. B proceeds as follows.Setup B first runs Π.Setup algorithm to generate a pair of keys (pk Π , sk Π ) and picks a key κ sig ∈ {0, 1} λfor the hash function H 1 . Then, B sets the signer’s public key pk sig of the above ATSS scheme aspk sig = (pk ∗ , pk Π ). The signer’s private key sk sig = (sk ∗ , sk Π , κ sig ) and sk ∗ is unknown to B. Next,B runs KeyGen algorithm of the above ATSS to generate a pair of key(pk san = (pk san,Σ , pk san,Π ), sk san = (sk san,Σ , sk san,Π , κ san ))for the sanitizer. Finally, B gives the signer’s public key pk sig and the sanitizer’s public key pk san toA.Query phase A adaptively issues queries:, r(i) jL .) for12

1. O SignAT SS queries: B runs Sign algorithm of the above ATSS scheme with the knowledge of κ sig andthe help of its O SignΣoracle, and sends the results to A.2. O **Trapdoor**AT SSqueries: B runs **Trapdoor** algorithm of the above ATSS scheme with the knowledge ofsk Π , and sends the results to A.3. OAT SanitizeSS queries: B runs Sanitize algorithm of the above ATSS scheme with the knowledge of sk Πand sk san , and sends the results to A.Output A outputs a forgery (m ∗ , I ∗ = {1}, TID ∗ , σ ∗ = ˜σ ∗ ∥r ∗ ) against the above ATSS scheme. Bproceeds as follows.1. Computes h ∗ = Π.Hash(param, pk Π , pk san,Π , TID ∗ , m ∗ , r ∗ ) and set ˜m ∗ = h ∗ .2. Output ( ˜m ∗ , ˜σ ∗ ).It is obvious that if (m ∗ , I ∗ , TID ∗ , σ ∗ = ˜σ ∗ ∥r ∗ ) is a successful forgery against the above ATSS scheme,( ˜m ∗ , ˜σ ∗ ) is a successful forgery against the signature scheme Σ.Case 2. Given user i’s public key pk i , user j’s public/private key pair (pk j , sk j ) and a trapdoor generationoracle O **Trapdoor**Πof the ACH scheme Π, using A as a sub-routine, B simulates a forger against the ACHscheme Π. B proceeds as follows.Setup B first runs Σ.KeyGen algorithm to generate a pair of keys (pk Σ , sk Σ ) and picks a key κ sig ∈{0, 1} λ for the hash function H 1 . Then, B sets the signer’s public key pk sig of the above ATSS schemeas pk sig = (pk Σ , pk i ). The signer’s private key sk sig = (sk Σ , sk i , κ sig ) and sk i are unknown to B.Next, B runs Σ.KeyGen algorithm to obtain another pair of key (pk Σ ′ , sk′ Σ ) and picks another keyκ san ∈ {0, 1} λ for the hash function H 1 , and sets the sanitizer’s public/private key pair aspk san = (pk ′ Σ, pk j ), sk san = (sk ′ Σ, sk j , κ san ).Finally, B gives the signer’s public key pk sig and the sanitizer’s public key pk san to A.Query phase A adaptively issues the following queries:1. O SignAT SS queries: B runs Sign algorithm of the above ATSS scheme with the knowledge of sk Σ andκ sig , and sends the results to A.2. O **Trapdoor**AT SSqueries: B runs **Trapdoor** algorithm of the above ATSS scheme with the help of itsO **Trapdoor**Πoracle, and sends the results to A.3. OAT SanitizeSS queries: B runs Sanitize algorithm of the above ATSS scheme with the help of its O**Trapdoor**Πoracle and the knowledge of sk san , and sends the results to A.Output A outputs a forgery (m ∗ , I ∗ , TID ∗ , σ ∗ = ˜σ ∗ ∥r ∗ ) against the above ATSS scheme. Note that,in this case, m ∗ is a sanitized message. So, there exists a message m, corresponding to a signatureσ = ˜σ ∗ ∥r, which has been asked to O SignAT SSoracle, such thatHash(param, pk i , pk j , TID ∗ , m ∗ , r ∗ ) = Hash(param, pk i , pk j , TID ∗ , m, r).B outputs (TID ∗ , m ∗ , r ∗ , m, r).It is obvious that if (m ∗ , I ∗ , TID ∗ , σ ∗ = ˜σ ∗ ∥r ∗ ) is a successful forgery against the above ATSS scheme,(TID ∗ , m ∗ , r ∗ , m, r) is a collision against the ACH scheme Π.This completes the proof.Theorem 4 (Indistinguishability) If the ACH scheme Π is forgery indistinguishable, in the random oraclemodel, the following distributions D Sanitize and D Sign are computational indistinguishable for all sufficientlylarge λ, any param ← GlobalSetup, (pk sig , sk sig ) ← KeyGen(λ, param), (pk san , sk san ) ← KeyGen(λ, param),any set of indices I ⊆ [1, L], any message pairs m, m ′ such that m i = m ′ i for all i /∈ I, and any transactionidentifier TID:D Sanitize = {(m ′ , ˆσ)|σ ← Sign(pk san , m, I, TID, sk sig ), td TID ← **Trapdoor**(m, I, TID, σ, sk sig ),D Signˆσ ← Sanitize(pk sig , m, I, TID, σ, m ′ , td TID , sk san )} λ,param,pksig ,pk san ,I,TID,= {(m ′ , σ ′ )|σ ′ ← Sign(pk san , m ′ , I, TID, sk sig )} λ,param,pksig,pk san,I,TID.13

Proof. To keep the presentation compact and without loss of generality, we assume that messages m and m ′consists of a single block. In the above ATSS scheme, D Sanitize = {(m ′ , ˆσ = ˜σ∥ˆr)} λ,param,pksig ,pk san ,I,TID andD Sign = {(m ′ , σ ′ = ˜σ ′ ∥r ′ )} λ,param,pksig,pk san,I,TID, whereandr $ ← R, h ← Π.Hash(param, pk sig,Π , pk san,Π , TID, m, r), ˜σ ← Σ.Sign(h, sk sig,Σ ),Π.Hash(param, pk sig,Π , pk san,Π , TID, m, r) = Π.Hash(param, pk sig,Π , pk san,Π , TID, m ′ , ˆr),r ′ $← R, h ′ ← Π.Hash(param, pk sig,Π , pk san,Π , TID, m, r), ˜σ ′ ← Σ.Sign(h ′ , sk sig,Σ ).Note that, r ← $ R and r ′ $← R are derived from the assumption that H2 is a random oracle. Because Πis forgery indistinguishable, it is obvious that D Sanitize and D Sign are indistinguishable. This completes theproof.Theorem 5 (Sanitizer-accountability) If the signature scheme Σ is existential unforgeable under adaptivechosen message attacks, the above construction of ATSS is sanitizer-accountable.Proof. Assume that the scheme is not sanitizer-accountable and there is a successful adversary A. We willshow that we can use A as a sub-routine to construct another algorithm B, which is a forgery against thesignature scheme Σ. Again, without loss of generality, we assume that a message consists of a single block.Given a public key pk ∗ and a signing oracle O SignΣof the signature scheme Σ, using A as a sub-routine,B simulates a forger against the signature scheme Σ. B proceeds as follows.Setup B first runs Π.Setup algorithm to generate a pair of keys (pk Π , sk Π ) and picks a key κ sig ∈ {0, 1} λfor the hash function H 1 . Then, B sets the signer’s public key pk sig of the above ATSS scheme aspk sig = (pk ∗ , pk Π ). The signer’s private key sk sig = (sk ∗ , sk Π , κ sig ) and sk ∗ is unknown to B. Finally, Bgives the signer’s public key pk sig to A.Query phase A adaptively issues queries:1. O SignT SSqueries on (pk san, m, I, TID): B runs Sign algorithm of the above ATSS scheme with theknowledge of κ sig and the help of its O SignΣoracle, and sends the results to A.2. O **Trapdoor**T SSqueries on (pk san , m, I, TID, σ): B runs **Trapdoor** algorithm of the above ATSS scheme withthe knowledge of sk Π , and sends the results to A.Output A outputs (pk sig , pksan ∗ = (pksan,Σ ∗ , pk∗ san,Π ), m∗ , I ∗ = {1}, TID ∗ , σ ∗ = ˜σ ∗ ∥r ∗ ) against the sanitizeraccountabilityof above ATSS scheme. B does as follows.1. Compute h ∗ = Π.Hash(param, pk Π , pk san,Π , TID ∗ , m ∗ , r ∗ ) and set ˜m ∗ = h ∗ .2. Output ( ˜m ∗ , ˜σ ∗ ).Let (pk san, (i) m (i) , I (i) , TID (i) ) and σ (i) for i = 1, 2, . . . , q denote the queries and answers to and from oracleO SignAT SS . If A is a successful adversary, then the message-signature pair ((pk sig, pksan, ∗ m ∗ , I ∗ , TID ∗ ), σ ∗ ) is notsanitized from ((pk sig , pk san, (i) m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q . Hence, ( ˜m ∗ , ˜σ ∗ ) is a successful forgery againstthe signature scheme Σ. This completes the proof.Theorem 6 (Signer-accountability) If the ACH scheme Π is resistant to collision forgery under activeattacks, in the random oracle model, the above construction of ATSS is signer-accountable.Proof. Assume that the scheme is not signer-accountable and there is a successful adversary A. We will showthat we can use A as a sub-routine to construct another algorithm B, which is a forgery against the ACHscheme Π. As before, we assume that a message consists of a single block. B proceeds as follows.Setup B first runs KeyGen algorithm of the above ATSS to generate a pair of keys(pk san = (pk san,Σ , pk san,Π ), sk san = (sk san,Σ , sk san,Π , κ san ))for the sanitizer. Then, B gives the sanitizer’s public key pk san to A.14

Query phase A adaptively issues queries OAT SanitizeSS query (pk sig, m, I, TID, σ, td TID , m ′ ): B runs Sanitize algorithmof the above ATSS scheme with the knowledge of the private key sk san and the trapdoor td TID ,and sends the results to A.Output A outputs (pksig ∗ , pk san, m ∗ , I ∗ = {1}, TID ∗ , σ ∗ , π ∗ ) against the signer-accountability of aboveATSS scheme. Let σ ∗ = ˜σ ∗ ∥r ∗ and π ∗ = (pksig ∗ , pk san, m ′ , I ∗ = {1}, TID ∗ , σ ′ = ˜σ ′ ∥r ′ , z ′ ), B outputs(TID ∗ , m ∗ , r ∗ , m ′ , r ′ ).Now, we show that (TID ∗ , m ∗ , r ∗ , m ′ , r ′ ) is a collision against the accountable CH scheme Π. Let ((pk (i)sig , pk san,m (i) , I (i) , TID (i) ), σ (i) ) for i = 1, 2, . . . , q denote the answers from oracle OAT SanitizeSS . If A is a successful adversary,then1. ((pk ∗ sig , pk san, m ∗ , I ∗ , TID ∗ ), σ ∗ ) ≠ ((pk (i)sig , pk san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q ;2. ˜σ ∗ = ˜σ ′ and H 2 (z ′ , 1) = r ′ ;3. Hash(param, pk sig,Π , pk san,Π , TID ∗ , m ∗ , r ∗ ) = Hash(param, pk sig,Π , pk san,Π , TID ∗ , m ′ , r ′ ).Note that, B does not know the trapdoor td TID ∗ associated with TID ∗ since ((pk ∗ sig , pk san, m ∗ , I ∗ , TID ∗ ), σ ∗ ) ≠((pk (i)sig , pk san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q . Assuming that H 2 is a random oracle, then((pk ∗ sig, pk san , m ′ , I ∗ , TID ∗ ), σ ′ ) ≠ ((pk (i)sig , pk san, m (i) , I (i) , TID (i) ), σ (i) ) i=1,2,...,q ,with overwhelming probability, because A cannot find z ′ such that H 2 (z ′ , 1) = r ′ . Therefore, (TID ∗ , m ∗ , r ∗ , m ′ , r ′ )is a collision against the accountable CH scheme Π. This completes the proof.6 Conclusion and Future WorkIn this paper, we motivated and introduced the notion of accountable trapdoor sanitizable signature (ATSS).As a building block of ATSS and that might be of independent interest, we also introduced the notion ofaccountable chameleon hash (ACH), which is an extension of chameleon hash. We defined the securityrequirements for ACH, and proposed a concrete construction that satisfies the requirements based on theCDH assumption in the random oracle model. Finally, Based on ACH, we proposed a generic construction ofATSS. Instantiating the generic construction with our ACH scheme, we constructed the first ATSS scheme.An important future research problem is to construct ACH schemes (and thus accordingly, ATSS schemes)in the standard model.References1. Giuseppe Ateniese, Daniel H. Chou, Breno de Medeiros, and Gene Tsudik. **Sanitizable** signatures. In ESORICS,pages 159–177, 2005.2. Giuseppe Ateniese and Breno de Medeiros. Identity-based chameleon hash and applications. In Financial Cryptography,pages 164–180, 2004.3. Giuseppe Ateniese and Breno de Medeiros. On the key exposure problem in chameleon hashes. In SCN, pages165–179, 2004.4. Feng Bao, Robert H. Deng, Xuhua Ding, Junzuo Lai, and Yunlei Zhao. Hierarchical identity-based chameleonhash and its applications. In ACNS, pages 201–219, 2011.5. Mihir Bellare, Oded Goldreich, and Shafi Goldwasser. Incremental cryptography: The case of hashing and signing.In CRYPTO, pages 216–233, 1994.6. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols.In ACM Conference on Computer and Communications Security, pages 62–73, 1993.7. Christina Brzuska, Marc Fischlin, Tobias Freudenreich, Anja Lehmann, Marcus Page, Jakob Schelbert, DominiqueSchröder, and Florian Volk. Security of sanitizable signatures revisited. In Public Key Cryptography, pages 317–336, 2009.8. Sébastien Canard, Fabien Laguillaumie, and Michel Milhau. **Trapdoor** sanitizable signatures and their applicationto content protection. In ACNS, pages 258–276, 2008.15

9. Xiaofeng Chen, Fangguo Zhang, and Kwangjo Kim. Chameleon hashing without key exposure. In ISC, pages87–98, 2004.10. Xiaofeng Chen, Fangguo Zhang, Willy Susilo, Haibo Tian, Jin Li, and Kwangjo Kim. Identity-based chameleonhash scheme without key exposure. In ACISP, pages 200–215, 2010.11. Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim. Key-exposure free chameleonhashing and signatures based on discrete logarithm systems. Cryptology ePrint Archive, Report 2009/035, 2009.http://eprint.iacr.org/.12. Robert H. Deng and Yanjiang Yang. A study of data authentication in proxy-enabled multimedia deliverysystems: Model, schemes and application. ACM T. on Multimedia Computing, Communications and Applications,5(4):28.1–28.20, 2009.13. Wei Gao, Fei Li, and Xueli Wang. Chameleon hash without key exposure based on schnorr signature. ComputerStandards & Interfaces, 31(2):282–285, 2009.14. Wei Gao, Xueli Wang, and Dongqing Xie. Chameleon hashes without key exposure based on factoring. J.Comput. Sci. Technol., 22(1):109–113, 2007.15. Tetsuya Izu, Nobuyuki Kanaya, Masahiko Takenaka, and Takashi Yoshioka. Piats: A partially sanitizable signaturescheme. In ICICS, pages 72–83, 2005.16. Robert Johnson, David Molnar, Dawn Xiaodong Song, and David Wagner. Homomorphic signature schemes. InCT-RSA, pages 244–262, 2002.17. Marek Klonowski and Anna Lauks. Extended sanitizable signatures. In ICISC, pages 343–355, 2006.18. Hugo Krawczyk and Tal Rabin. Chameleon signatures. In NDSS, 2000.19. Silvio Micali and Ronald L. Rivest. Transitive signature schemes. In CT-RSA, pages 236–243, 2002.20. Kunihiko Miyazaki, Goichiro Hanaoka, and Hideki Imai. Invisibly sanitizable digital signature scheme. IEICETransactions, 91-A(1):392–402, 2008.21. Kunihiko Miyazaki, Mitsuru Iwamura, Tsutomu Matsumoto, Ryôichi Sasaki, Hiroshi Yoshiura, Satoru Tezuka,and Hideki Imai. Digitally signed document sanitizing scheme with disclosure condition control. IEICE Transactions,88-A(1):239–246, 2005.22. Henrich Christopher Pöhls, Kai Samelin, and Joachim Posegga. **Sanitizable** signatures in xml signature - performance,mixing properties, and revisiting the property of transparency. In ACNS, pages 166–182, 2011.23. Adi Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO, pages 47–53, 1984.24. Ron Steinfeld, Laurence Bull, and Yuliang Zheng. Content extraction signatures. In ICISC, pages 285–304, 2001.25. Dae Hyun Yum, Jae Woo Seo, and Pil Joong Lee. **Trapdoor** sanitizable signatures made easy. In ACNS, pages53–68, 2010.26. Fangguo Zhang, Reihaneh Safavi-Naini, and Willy Susilo. Id-based chameleon hashes from bilinear pairings.Cryptology ePrint Archive, Report 2003/208, 2003. http://eprint.iacr.org/.16