Cryptology ePrint Archive: Report 2009/025
Short Redactable Signatures Using Random Trees
Ee-Chien Chang and Chee Liang Lim and Jia Xu
Abstract: A redactable signature scheme for a string of objects supports
verification even if multiple substrings are removed from the
original string. It is important that the redacted string and
its signature do not reveal anything about the content of the
removed substrings. Existing schemes completely or partially
leak a piece of information: the lengths of the removed substrings.
Such length information could be crucial for many applications,
especially when the removed substring has low entropy. We
propose a scheme that can hide the length. Our scheme consists
of two components. The first component $\mathcal{H}$, which is a
``collision resistant'' hash, maps a string to an unordered set,
whereby existing schemes on unordered sets can then be applied.
However, a sequence of random numbers has to be explicitly stored
and thus it produces a large signature of size at least $(m
k)$-bits where $m$ is the number of objects and $k$ is the size of a
key sufficiently large for cryptographic operations. The second
component uses RGGM tree, a variant of GGM tree, to
generate the pseudo random numbers from a short seed, expected to be
of size $O(k+ tk\log m)$ where $t$ is the number of removed
substrings. Unlike GGM tree, the structure of the proposed RGGM tree
is random. By an intriguing statistical property of the random tree,
the redacted tree does not reveal the lengths of the substrings
removed. The hash function $\mathcal{H}$ and the RGGM tree can be of
independent interests.
Category / Keywords: public-key cryptography / Redactable Signature, Privacy, Random tree
Publication Info: CT-RSA 2009
Date: received 9 Jan 2009, last revised 26 May 2009
Contact author: xujia at comp nus edu sg
Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Version: 20090526:132607 (All versions of this report)
Short URL: ia.cr/2009/025
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]