A t-out-of-n Redactable Signature Scheme

TL;DR

This paper introduces a new t-out-of-n redactable signature scheme enabling multiple redactors to collaboratively remove sensitive information from signed messages, with formal security definitions and a pairing-based construction for one-time redactions.

Contribution

The paper formalizes the t-out-of-n redactable signature scheme, introduces the one-time redaction model, and provides a pairing-based construction with security proofs.

Findings

Formal definition of t-out-of-n redactable signatures

Construction based on pairing-based aggregate signatures

Security proven in the random oracle model

Abstract

A redactable signature scheme allows removing parts of a signed message without invalidating the signature. Currently, the need to prove the validity of digital documents issued by governments and enterprises is increasing. However, when disclosing documents, governments and enterprises must remove privacy information concerning individuals. A redactable signature scheme is useful for such a situation. In this paper, we introduce the new notion of the t-out-of-n redactable signature scheme. This scheme has a signer, n redactors, a combiner, and a verifier. The signer designates n redactors and a combiner in advance and generates a signature of a message M. Each redactor decides parts that he or she wants to remove from the message and generates a piece of redaction information. The combiner collects pieces of redaction information from all redactors, extracts parts of the message that more than t redactors want to remove, and generate a redacted message. We consider the one-time redaction model which allows redacting signatures generated by the signer only once. We formalize the one-time redaction t-out-of-n redactable signature scheme, define security, and give a construction using the pairing based aggregate signature scheme in the random oracle model.