Public-Key Cryptography – PKC 2016 pp 301-330

# Efficient Unlinkable Sanitizable Signatures from Signatures with Re-randomizable Keys

- First Online:

## Abstract

In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties which were formalized by Brzuska et al. (PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations.

Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient \(\varSigma \)-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes.

## 1 Introduction

Sanitizable signature schemes were introduced by Ateniese et al. [1] and similar primitives were concurrently proposed by Steinfeld et al. [42], by Miyazaki et al. [36], and by Johnson et al. [34]. The basic idea of this primitive is that the signer specifies parts of a (signed) message such that a dedicated third party, called the sanitizer, can change the message and adapt the signature accordingly. Sanitizable signatures have numerous applications, such as the anonymization of medical data, replacing commercials in authenticated media streams, or updates of reliable routing information [1]. After the first introduction of sanitizable signatures in [1], the desired security properties were later formalized by Brzuska et al. [11]. At PKC 2010, Brzuska et al. [12] identified an important missing property called unlinkability. Loosely speaking, this notion ensures that one cannot link sanitized message-signature pairs of the same document. This property is essential in applications like the sanitization of medical records because it prevents the attacker from combining information of several sanitized versions of a document in order to reconstruct (parts of) the original document. The authors also showed that unlinkable sanitizable signatures can be constructed from group signatures [4] having the property that the keys of the signers can be computed independently, and in particular before the keys of the group manager. However, to this date, no efficient group signature scheme *that has the required properties* is known, which also means that no efficient unlinkable sanitizable signature scheme is known. This leaves us in an unsatisfactory situation. Either we use efficient sanitizable signature schemes that only achieve a subset of the security properties [1, 11] or we have to rely on an inefficient black-box construction of unlinkable sanitizable signatures.

In this work, we close this gap by presenting the first efficient unlinkable sanitizable signature scheme that achieves all security properties. The instantiation of our scheme only requires 15 exponentiations for signing, 17 for the verification, and 14 for sanitizing a message-signature pair. This is at least one order of magnitude faster than the fastest previously known construction. For a detailed performance comparison, refer to Sect. 1.2.

### 1.1 Overview of Our Construction

In this section, we describe the main idea of our construction and the underlying techniques. Our solution is based on a novel type of digital signature schemes called *signatures with perfectly re-randomizable keys*. This type of signature schemes allows to re-randomize both the signing and the verification key separately. It is required that the re-randomization is perfect, meaning that re-randomized keys must have the same distribution as the original key. The new unforgeability notion for this type of signature scheme requires that it is infeasible for an attacker to output a forgery under either the original or a re-randomized key, even if the randomness is controlled by the attacker.

We show that this notion does not trivially follow from the regular notion of unforgeability. In fact, only a few signature schemes having this property achieve our notion of unforgeability under re-randomizable keys. We demonstrate this fact by showing concrete attacks against some well known unforgeable signature schemes that have re-randomizable keys. In particular, we show that the signature scheme of Boneh and Boyen [6] and the one of Camenisch and Lysyanskaya [15] have re-randomizable keys, but are insecure with respect to our stronger security notion. We stress that these attacks have no implications on the original security proof, but that they cannot be used as an instantiation. On the positive side, we prove that Schnorr’s signature scheme [40, 41] has re-randomizable keys and fulfills our security notion. It is well known that Schnorr’s signature scheme [40, 41] is one of the most efficient signature schemes based on the discrete logarithm assumption. Moreover, we also propose an instantiation of signature schemes with re-randomizable keys in the standard model by slightly modifying the signature scheme of Hofheinz and Kiltz [31, 32].

Apart from their usefulness in constructing highly efficient sanitizable signatures, this primitive may also be of independent interest. A second possible application of signature schemes with re-randomizable keys are stealth addresses [27] in Bitcoin or other cryptocurrencies. On a very high level, Bitcoin replaces bank accounts with keys of a signature scheme. Money transactions in Bitcoin transfer money from one public key to another and are only valid if they are signed with the secret key of the payer. All transactions are logged in a public log data structure, the block chain, which can be used to verify the validity of new transactions as well as to track money flow in Bitcoin. Our signatures with re-randomizable keys provide a conceptually very simple solution for so called stealth addresses. Consider a Bitcoin donation address on a website to support the host of the website or donate money to the website for a good cause. A donor may be unwilling to donate money if he can be linked to the website or other donors by the block chain. Using signatures with re-randomizable keys a donor can take the donation address, re-randomize it, and pay the money to the re-randomized address and transmit the re-randomization factor to the recipient through a non-public channel, such as email. The recipient can use the given re-randomization factor to re-randomize his corresponding secret key to further transfer the received money. Such addresses that are related in some invisible way to the recipient are called stealth addresses. For a more detailed treatment of Bitcoin and the existing stealth address mechanism see [27].

*Construction of Unlinkable Sanitizable Signature Schemes.* Our construction is based on signature schemes that have perfectly re-randomizable keys. To sign a message *m*, the signer first splits the message into the parts that cannot be modified by the sanitizer and those that may be changed. Subsequently, the signer authenticates the entire messages using a signature scheme with re-randomized keys. However, the signer cannot sign this part directly as this would reveal the identity of the signer. Instead, the signer chooses a randomness \(\rho \), re-randomizes their key-pair, and then proves, in zero-knowledge, that the derived public key is a re-randomization of either the signer’s or the sanitizer’s key.

Sanitizing a message follows the same idea: the sanitizer modifies the message and signs it with a re-randomized version of their key pair and appends a zero-knowledge proof for the same language.

To turn this idea into an efficient scheme, we propose an efficient sigma protocol tailored to our problem that we then convert via the Fiat-Shamir transformation [24] into an efficient non-interactive zero-knowledge proof. The main observation is that our zero-knowledge proofs prove only simple statements about the keys and *not* about encrypted signatures that verify under either the signer or the sanitizers public-key. Since the corresponding language is much simpler than this standard “encrypt-and-proof” approach, it has much shorter statements and thus the resulting zero-knowledge proofs are significantly more efficient.

### 1.2 Evaluation and Comparison

Comparison of the dominant operations in our construction instantiated as described in Sect. 5 with the construction of Brzuska et al. [12] instantiated with Schnorr signatures and the group signature schemes of Groth [30] and Furukawa and Yonezawa [29] respectively. E and P stand for group exponentiations and pairing evaluations respectively.

Comparison of the key, signature, and proof sizes in our construction instantiated as described in Sect. 5 with the construction of Brzuska et al. [12] instantiated with Schnorr signatures and the group signature schemes of Groth [30] and Furukawa and Yonezawa [29] respectively. Here \(\mathsf {pk}_{sig}\), \(\mathsf {sk}_{sig}\), \(\mathsf {pk}_{san}\), and \(\mathsf {sk}_{san}\) refer to the signer’s and sanitizer’s public and secret keys, while \(\sigma \) refers to the signature, and \(\pi \) refers to the proof that is used to determine accountability. The sizes are measured in group elements. For the sake of simplicity we do not distinguish between elements of different groups such as \(\mathbb {Z} _q\) and \(\mathbb {G} \). This simplification slightly favors [12] using [30], since group signatures in this scheme consist exclusively of \(\mathbb {G} \)-elements.

Thus, it is easy to see that our solutions is the first scheme that is efficient enough to be used in practice today.

### 1.3 Related Work

Ateniese et al. [1] first introduced sanitizable signatures and gave an informal description of the following properties: *Unforgeability* ensures that only the honest signer and sanitizer can create valid signatures. *Immutability* says that the (malicious) sanitizer can only modify designated parts of the message. *Transparency* guarantees that signatures computed by the signer and the sanitizer are indistinguishable. *Accountability* demands that, with the help of the signer, a proof of authorship can be generated, such that neither the malicious signer nor the malicious sanitizer can deny authorship of the message. These properties were later formalized by Brzuska et al. [11] and the *Unlinkability* property was introduced by Brzuska et al. in [12]. Later, in [13], Brzuska et al. introduce the notion of non-interactive public accountability, which allows a third party, without help from the signer, to determine, whether a message originates from the signer or the sanitizer. In [14], the same authors provide a slightly stronger unlinkability notion and an instantiation that has non-interactive public accountability and achieves their new unlinkability notion. However, non-interactive accountability and transparency are mutually exclusive. That is, no scheme can fulfill both properties at the same time. In this work we focus on schemes that have (interactive) accountability and transparency. Another line of research initiated by Klonowski and Lauks [35] and continued by Canard and Jambert [16] considers different methods for limiting the allowed operations of the sanitizer. That is, they show how to limit the set of possible modifications on one single block and how to enforce the same modifications on different message blocks. In [17], Canard et al. extend sanitizable signatures to the setting with multiple signers and sanitizers. Recently, Derler and Slamanig suggested a security notion that is stronger than privacy but weaker than unlinkability [23].

Other closely related types of malleable signature schemes, such as homomorphic signatures [2, 8, 18, 28, 33, 34] or redactable signatures [10, 19, 34, 37, 42], where parts of the signed message can be removed, are closely related to sanitizable signatures, but aim to solve related but different problems, have different security notions, and are not directly applicable to solve the problem of efficient unlinkable sanitizable signatures. In [5] Boldyreva et al. deal with proxy signature schemes for delegating signing rights. In such signature schemes a designator can delegate signing rights to a proxy signer, who can then sign messages on behalf of the designator. However, in such a scheme the proxy signatures are publicly distinguishable from signatures created by the designator. This would break the transparency property of sanitizable signature schemes. Policy-based signatures [3] allows a signer to delegate signing rights in connection with a policy that specifies, which messages can be signed with the delegated signing key. In addition, they require that they delegation policy shall remain hidden. In a similar vein to [3] in [9] the authors explore the possibilities of delegating signing keys for arbitrary functions. That is, using the delegated signing key one can sign functions of the message that correspond to the key. These works show theoretical solutions to the discussed problems, but are too slow for practical use due to the cryptographic tools they use.

## 2 Sanitizable Signatures

Sanitizable signature schemes allow the delegation of signing capabilities to a designated third party, called the sanitizer. These delegation capabilities are realized by letting the signer “attach” a description of the admissible modifications \(\textsc {Adm} \) for this particular message and sanitizer. The sanitizer may then change the message according to some modification \(\textsc {Mod} \) and update the signature using their private key. More formally, the signer holds a key pair \((\mathsf {sk}_{sig},\mathsf {pk}_{sig})\) and signs a message *m* and the description of the admissible modifications \(\textsc {Adm} \) for some sanitizer \(\mathsf {pk}_{san}\) with its private key \(\mathsf {sk}_{sig}\). The sanitizer, having a matching private key \(\mathsf {sk}_{san}\), can update the message according to some modification \(\textsc {Mod} \) and compute a signature using his secret key \(\mathsf {sk}_{san}\). In case of a dispute about the origin of a message-signature pair, the signer can compute a proof \(\pi \) (using an algorithm \(\mathsf {Proof} \)) from previously signed messages that proves that a signature has been created by the sanitizer. The verification of this proof is done by an algorithm \(\mathsf {Judge}\) (that only decides the origin of a valid message-signature pair in question; for invalid pairs such decisions are in general impossible).

*Admissible Modifications.* Following [11, 12] closely, we assume that \(\textsc {Adm}\) and \(\textsc {Mod}\) are (descriptions of) efficient deterministic algorithms such that \(\textsc {Mod} \) maps any message *m* to the modified message \(m' = \textsc {Mod} (m)\), and \(\textsc {Adm} (\textsc {Mod})\in \{0,1\}^{}\) indicates if the modification is admissible and matches \(\textsc {Adm} \), in which case \(\textsc {Adm} (\textsc {Mod}) = 1\). By \(\textsc {Fix} _\textsc {Adm} \) we denote an efficient deterministic algorithm that is uniquely determined by \(\textsc {Adm} \) and which maps *m* to the immutable message part \(\textsc {Fix} _\textsc {Adm} (m)\), e.g., for block-divided messages \(\textsc {Fix} _\textsc {Adm} (m)\) is the concatenation of all blocks not appearing in \(\textsc {Adm} \). We require that admissible modifications leave the fixed part of a message unchanged, i.e., \(\textsc {Fix} _\textsc {Adm} (m)=\textsc {Fix} _\textsc {Adm} (\textsc {Mod} (m))\) for all \(m\in \{0,1\}^{*}\) and all \(\textsc {Mod} \) with \(\textsc {Adm} (\textsc {Mod})=1\). Analogously, to avoid choices like \(\textsc {Fix} _\textsc {Adm} \) having empty output, we also require that the fixed part must be “maximal” given \(\textsc {Adm} \), i.e., \(\textsc {Fix} _\textsc {Adm} (m')\ne \textsc {Fix} _\textsc {Adm} (m)\) for \(m'\notin \left\{ \textsc {Mod} (m) \, \left| \, \textsc {Mod} \text { with }\textsc {Adm} (\textsc {Mod})=1 {\textsc {Mod} (m)}\right. \right\} \).

### 2.1 Definition of Sanitizable Signatures

The following definition of sanitizable signature schemes is taken in verbatim from [11, 12].

**Definition 1**

**(Sanitizable Signature Scheme).** A sanitizable signature scheme \(\mathrm {SanS} =(\mathsf {KGen}_{sig}, \mathsf {KGen}_{san}, \mathsf {Sign}, \mathsf {Sanit}, \mathsf {Verify}, \mathsf {Proof}, \mathsf {Judge})\) consists of seven algorithms:

*m*by the sanitizer and outputs a signature \(\sigma \). We assume that \(\textsc {Adm} \) can be recovered from any signature:

*m*, a signature \(\sigma \), the signer’s public key \(\mathsf {pk}_{sig}\), and a sanitizer secret key \(\mathsf {sk}_{san}\). It modifies the message

*m*according to the modification instruction \(\textsc {Mod} \) and outputs a new signature \(\sigma '\) for the modified message \(m'=\textsc {Mod} (m)\) or possibly \(\bot \) in case of an error:

*m*, a candidate signature \(\sigma \), a signer public key \(\mathsf {pk}_{sig}\), as well as a sanitizer public key \(\mathsf {pk}_{san}\) and outputs a bit

*b*:

*m*, a signature \(\sigma \), and a sanitizer public key \(\mathsf {pk}_{san}\) and outputs a proof \(\pi \):

*m*, a signature \(\sigma \), signer and sanitizer public keys \(\mathsf {pk}_{sig},\mathsf {pk}_{san}\), and proof \(\pi \). It outputs a decision \(d\in \{\mathtt {Sign},\mathtt {San} \}\) indicating whether the message-signature pair was created by the signer or the sanitizer:

For a sanitizable signature scheme the usual correctness properties should hold, saying that genuinely signed or sanitized messages are accepted and that a genuinely created proof by the signer leads the judge to decide in favor of the signer. For a formal approach to correctness see [11].

### 2.2 Security of Sanitizable Signatures

In this section we recall the security notions of sanitizable signatures given by Brzuska et al. [11, 12] and we follow their description closely. The authors defined unforgeability, privacy, immutability, accountability, transparency, and unlinkability and showed that signer and sanitizer accountability together implies unforgeability and that unlinkability implies privacy. Therefore, we only focus on the necessary definitions and omit unforgeability and privacy.

*Immutability.* Informally, this property says that a malicious sanitizer cannot change inadmissible blocks. This is formalized in a model where the malicious sanitizer \(\mathcal {A} \) interacts with the signer to obtain signatures \(\sigma _i\) for messages \(m_i\), descriptions \(\textsc {Adm} _i\) and keys \({\mathsf {pk}_{san}}_{,i}\) of its choice. Eventually, the attacker stops, outputting a valid pair \( (\mathsf {pk}_{san}^*,m^*,\sigma ^*)\) such that message \(m^*\) is not a “legitimate” transformation of one of the \(m_i\)’s under the same key \(\mathsf {pk}_{san}^*={\mathsf {pk}_{san}}_{,i}\). The latter is formalized by requiring that for each query \(\mathsf {pk}_{san}^*\ne {\mathsf {pk}_{san}}_{,i}\) or \(m^*\notin \left\{ \textsc {Mod} (m_i) \, \left| \, \textsc {Mod} \text { with }\textsc {Adm} _i(\textsc {Mod})=1 {\textsc {Mod} (m_i)}\right. \right\} \) for the value \(\textsc {Adm} _i\) in \(\sigma _i\). This requirement enforces that for block-divided messages \(m^*\) and \(m_i\) differ in at least one inadmissible block. Observe that this definition covers also the case where the adversary interact with several sanitizers simultaneously, because it can query the signer for several sanitizer keys \(\mathsf {pk}_{san,i}\).

**Definition 2**

**(Immutability).**A sanitizable signature scheme \(\mathrm {SanS} \) is said to be

*immutable*if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {Immut^{\mathrm {SanS}}_{\mathcal {A}}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where

*Accountability.* This property demands that the origin of a (possibly sanitized) signature should be undeniable. We distinguish between *sanitizer-accountability* and *signer-accountability* and formalize each security property in the following. *Signer-accountability* says that, if a message and its signature have not been sanitized, then even a malicious signer should not be able to make the judge accuse the sanitizer.

In the sanitizer-accountability game let \(\mathcal {A}_{\mathsf {Sanit}}\) be an efficient adversary playing the role of the malicious sanitizer. Adversary \(\mathcal {A} _\mathsf {Sanit} \) has access to a \(\mathsf {Sign} \) and \(\mathsf {Proof} \) oracle and it succeeds if it outputs a valid message signature pair such that \(m^*,\sigma ^*\), together with a key \(\mathsf {pk}_{san}^*\) (with \((\mathsf {pk}_{san}^*,m^*)\) such that the output is different from pairs \((\mathsf {pk}_{san,i}, m_i)\) previously queried to the \(\mathsf {Sign} \) oracle). Moreover, it is required that the proof produced by the signer via \(\mathsf {Proof}\) still leads the judge to decide “\(\mathtt {Sign}\) ”, i.e., that the signature has been created by the signer.

**Definition 3**

**(Sanitizer-Accountability).**A sanitizable signature scheme \(\mathrm {SanS} \) is

*sanitizer-accountable*if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {San\textsf {-}Acc^{\mathrm {SanS}}_{\mathcal {A}}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where

In the signer-accountability game a malicious signer \(\mathcal {A} _\mathsf {Sign} \) gets a public sanitizing key \(\mathsf {pk}_{san}\) as input and has access to a sanitizing oracle, which takes as input tuples \((m_i,\textsc {Mod} _i,\sigma _i,{\mathsf {pk}_{sig}}_{,i})\) and returns \((m_i',\sigma _i')\). Eventually, the adversary \(\mathcal {A}_{\mathsf {Sign}}\) outputs a tuple \((\mathsf {pk}_{sig}^*, m^*, \sigma ^*,\pi ^*)\) and is considered successful if \(\mathsf {Judge}\) accuses the sanitizer for the new key-message pair \(\mathsf {pk}_{sig}^*,m^*\) with a valid signature \(\sigma ^*\).

**Definition 4**

**(Signer-Accountability).**A sanitizable signature scheme \(\mathrm {SanS} \) is said to be

*signer-accountable*if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {Sig\textsf {-}Acc^{\mathrm {SanS}}_{\mathcal {A}}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where

*Transparency.*Informally, this property says that one cannot decide whether a signature has been sanitized or not. Formally, this is defined in a game where an adversary \(\mathcal {A}\) has access to \(\mathsf {Sign} \), \(\mathsf {Sanit} \), and \(\mathsf {Proof} \) oracles with which the adversary can create signatures for (sanitized) messages and learn proofs. In addition, \(\mathcal {A} \) gets access to a \(\mathsf {Sanit}/\mathsf {Sign} \) box which contains a secret random bit \(b\in \{0,1\}\) and which, on input a message

*m*, a modification information \(\textsc {Mod} \) and a description \(\textsc {Adm} \) behaves as follows:

for \(b=0\) runs the signer algorithm to create \(\sigma \leftarrow \mathsf {Sign} (m,\mathsf {sk}_{sig},\mathsf {pk}_{sig},\textsc {Adm})\), then runs the sanitizer algorithm and returns the sanitized message \(m'\) with the new signature \(\sigma '\), and

for \(b=1\) acts as in the case \(b=0\) but also signs \(m'\) from scratch with the signing algorithm to create a signature \(\sigma '\) and returns the pair \((m',\sigma ')\).

Adversary \(\mathcal {A}\) eventually produces an output *a*, the guess for *b*. A sanitizable signature is now *transparent* if for all efficient algorithms \(\mathcal {A}\) the probability for a right guess \(a=b\) in the above game is negligibly close to \(\tfrac{1}{2}\). Below we also define a relaxed version called *proof-restricted transparency*.

**Definition 5**

**((Proof-Restricted) Transparency).**A sanitizable signature scheme \(\mathrm {SanS} \) is said to be

*proof-restrictedly transparent*if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {Trans^{\mathrm {SanS}}_{\mathcal {A}}}(\kappa )\) evaluates to 1 is negligibly bigger than \(1{\slash }2\) (in \(\kappa \)), where

*Unlinkability.* This security notion demands that it is not feasible to use the signatures to identify sanitized message-signature pairs originating from the same source. This should even hold if the adversary itself provides the two source message-signature pairs and modifications of which one is sanitized. It is required that the two modifications yield the same sanitized message, because otherwise predicting the source is easy, of course. This, however, is beyond the scope of signature schemes: the scheme should only prevent that *signatures* can be used to link data. In the formalization of [12], the adversary is given access to a signing oracle and a sanitizer oracle (and a proof oracle since this step depends on the signer’s secret key and may leak valuable information). The adversary is also allowed to query a left-or-right oracle \(\mathsf {LoRSanit}\) which is initialized with a secret random bit *b* and keys \(\mathsf {pk}_{sig},\mathsf {sk}_{san}\). The adversary may query this oracle on tuples \(((m_0,\textsc {Mod} _0,\sigma _0),(m_1,\textsc {Mod} _1,\sigma _1))\) and returns \(\mathsf {Sanit} (m_b,\textsc {Mod} _b,\sigma _b,\mathsf {pk}_{sig},\mathsf {sk}_{san})\) if \(\mathsf {Verify} (m_i,\sigma _i,\mathsf {pk}_{sig},\mathsf {pk}_{san})=1\) for \(i=0,1\), \(\textsc {Adm} _0 = \textsc {Adm} _1\) and if the modifications map to the same message, i.e., \(\textsc {Adm} _0(\textsc {Mod} _0) = 1 , \textsc {Adm} _1(\textsc {Mod} _1) = 1\) and \(\textsc {Mod} _0(m_0) = \textsc {Mod} _1(m_1)\). Otherwise, the oracle returns \(\bot \). The adversary should eventually predict the bit *b* significantly better than with the guessing probability of \(\tfrac{1}{2}\).

**Definition 6**

**(Unlinkability).**A sanitizable signature scheme \(\mathrm {SanS} \) is

*unlinkable*if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {Link^{\mathrm {SanS}}_{\mathcal {A}}}(\kappa )\) evaluates to 1 is negligibly bigger than \(1{\slash }2\) (in \(\kappa \)), where

## 3 Signatures Schemes with Re-randomizable Keys

In this section, we introduce signature schemes that have re-randomizable keys and which serve as the main building block for our construction. Signature schemes with this property have the advantage that one can re-randomize the key-pair \((\mathsf {sk},\mathsf {pk})\) to a key-pair \((\mathsf {sk}',\mathsf {pk}')\) and sign a message *m* with a seemingly unrelated key. Jumping ahead, this property allows us to sign messages with a fresh key and prove, in zero-knowledge, the origin of the key. For one of the signature schemes we require bilinear maps, which are defined as follows. Let \(e : \mathbb {G} _1 \times \mathbb {G} _2 \rightarrow \mathbb {G} _t\) be an efficient, non-degenerate bilinear map, for system-wide available groups, where \(g_1\) and \(g_2\) are generators of \(\mathbb {G} _1\) and \(\mathbb {G} _2\), respectively.

### 3.1 Defining Signature Schemes with Re-randomizable Keys

To define this property and the corresponding security notion formally, we denote by \(\varSigma = (\mathsf {SSetup}, \mathsf {SGen}, \mathsf {SSign},\mathsf {SVerify})\) a standard digital signature scheme, where \(\mathsf {pp} \leftarrow \mathsf {SSetup} (1^{\kappa }), (\mathsf {sk}, \mathsf {pk})\leftarrow \mathsf {SGen} (1^{\kappa }), \sigma \leftarrow \mathsf {SSign} (\mathsf {sk},m), b \leftarrow \mathsf {SVerify} (\mathsf {pk},m,\sigma )\) are the standard algorithms of a digital signature scheme.

**Definition 7**

**(Signatures with Perfectly Re-randomizable Keys).**A signature scheme \(\varSigma = (\mathsf {SSetup}, \mathsf {SGen},\mathsf {SSign},\mathsf {SVerify})\) has perfectly re-randomizable keys if there exist two PPT algorithms \((\mathsf {RandSK}, \mathsf {RandPK})\) and a randomness space \(\chi \) such that:

\(\mathsf {RandSK} (\mathsf {sk},\rho )\): The secret key re-randomization algorithm takes as input a secret key \(\mathsf {sk}\) and a randomness \(\rho \in \chi \) and outputs a new secret key \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): The public key re-randomization algorithm takes as input a public key \(\mathsf {pk}\) and a randomness \(\rho \in \chi \) and outputs a new public key \(\mathsf {pk}'\).

*correct*if and only if all of the following holds:

- 1.
For all \(\kappa \in \mathbb {N} \), all key-pairs \((\mathsf {sk}, \mathsf {pk}) \leftarrow \mathsf {SGen} (1^\kappa )\), all messages \(m \in \{0,1\}^{*}\), and all signatures \(\sigma \leftarrow \mathsf {SSign} (\mathsf {sk}, m)\), it holds that \(\mathsf {SVerify} (\mathsf {pk}, m, \sigma ) = 1\).

- 2.
For all \(\kappa \in \mathbb {N} \), all key-pairs \((\mathsf {sk}, \mathsf {pk}) \leftarrow \mathsf {SGen} (1^\kappa )\), all randomness \(\rho \in \chi \), all messages \(m \in \{0,1\}^{*}\), and \(\sigma \leftarrow \mathsf {SSign} (\mathsf {RandSK} (\mathsf {sk},\rho ), m)\), it holds that \(\mathsf {SVerify} (\mathsf {RandPK} (\mathsf {pk},\rho ), m, \sigma ) = 1\).

- 3.
For all key pairs \((\mathsf {sk},\mathsf {pk})\), and a uniformly chosen randomness \(\rho \in \chi \), the distribution of \((\mathsf {sk}',\mathsf {pk}')\) and \((\mathsf {sk}'',\mathsf {pk}'')\) is identical, where \(\mathsf {pk}' \leftarrow \mathsf {RandPK} (\mathsf {pk},\rho )\), \(\mathsf {sk}' \leftarrow \mathsf {RandSK} (\mathsf {sk},\rho )\), and \((\mathsf {sk}'',\mathsf {pk}'') \leftarrow \mathsf {SGen} (1^\kappa )\)

### 3.2 Security of Signature Schemes with Re-randomizable Keys

The security of signature scheme with re-randomizable keys is defined analogously to the unforgeability of regular signature schemes, but allows the adversary to learn message/signature pairs under re-randomized keys. This should even hold if the randomness to re-randomize the keys is chosen by the attacker. In this definition, the adversary has access to two oracles. The first one, denoted by \(\mathcal {O}_1\) is a regular signing oracle. The second one, denoted by \(\mathcal {O}_2\) is an oracle that takes as input a message *m* and some randomness \(\rho \). It then re-randomizes the private key according to \(\rho \) and signs the message using this key.

**Definition 8**

**(Unforgeability under Re-randomized Keys).**A signature scheme with perfectly re-randomizable keys \(\varSigma =(\mathsf {SGen},\mathsf {SSign},\mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is

*unforgeable under re-randomized keys*(\(\mathsf {UFRK}\)) if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {UFRK}^{\varSigma }_{\mathcal {A}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where

Given this definition of unforgeability, one can easily obtain the “standard” notion of existential unforgeability by giving the adversary only access to \(\mathcal {O}_1\) and only checking the first condition.

**Definition 9**

**(Existential Unforgeability).** A signature scheme with perfectly re-randomizable keys \(\varSigma =(\mathsf {SGen},\mathsf {SSign}, \mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is said to be *existentially unforgeable under chosen message attacks *(\(\mathsf {EUF}\)) if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where \(\mathsf {EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) is defined as \(\mathsf {UFRK}^{\varSigma }_{\mathcal {A}}(\kappa )\), but the adversary only gets access to \(\mathcal {O}_1\) and wins if the first condition is fulfilled.

For our construction, we also need signature schemes that are strongly unforgeable, meaning that it is computationally hard to compute a *new* signature \(\sigma ^*\) on a message *m*, i.e., the adversary is allowed to submit *m* to the oracle and learn a signature \(\sigma \) and wins the game if \(\sigma ^*\) is valid but different from \(\sigma \).

**Definition 10**

**(Strong Existential Unforgeability).** A signature scheme with perfectly re-randomizable keys \(\varSigma =(\mathsf {SGen},\mathsf {SSign},\mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is *strongly existentially unforgeable under chosen message attacks *(\(\mathsf {s\textsf {-}EUF}\)) if for all PPT adversaries \(\mathcal {A} \) the probability that the experiment \(\mathsf {s\textsf {-}EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) evaluates to 1 is negligible (in \(\kappa \)), where \(\mathsf {s\textsf {-}EUF}^{\varSigma }_{\mathcal {A}}(\kappa )\) is defined as \(\mathsf {UFRK}^{\varSigma }_{\mathcal {A}}(\kappa )\), but the adversary only gets access to \(\mathcal {O}_1\) and \(\mathcal {O}_1\) maintains \(Q:= Q\cup \{m, \sigma \}\). The adversary wins only if the following condition is fulfilled: \(\mathsf {SVerify} (\mathsf {pk},m^{*},\sigma ^{*})= 1 \text { and } (m^{*}, \sigma ^*) \not \in Q\).

### 3.3 Counter Examples

In this section, we show that unforgeability under re-randomizable keys (Definition 8) does not trivially follow from regular unforgeability (Definition 9). In fact, very few standard model signatures, that have re-randomizable keys, are unforgeable under re-randomizable keys. We demonstrate this by giving concrete attacks against some well known schemes, such as the Boneh and Boyen [7] and Camenisch and Lysyanskaya [15] signature schemes. We remark that these attacks have no implications on the original security proof and that our attacks are outside of the regular unforgeability model.

**Boneh-Boyen Signature Scheme.** The scheme of Boneh and Boyen [7] works in a bilinear groups setting and is existentially unforgeable under the *q*-SDH assumption. The scheme works as follows: The secret key consists of \(x,y \in \mathbb {Z} _q^*\) and the public key consists of the corresponding \(\mathbb {G} _2\) elements \(u := g_2^x\) and \(v := g_2^y\). To sign a message \(m \in \mathbb {Z} _q^*\), the signer chooses a random \(r \leftarrow \mathbb {Z} _q^*\), computes \(s:=g_1^{1/(x+m+yr)}\), and outputs the signature \(\sigma =(r,s)\). To verify that a signature is valid, the verifier checks that \(e(s,u\cdot g_2^m\cdot v^r) = e(g_1,g_2)\) holds. The keys of the scheme can be re-randomized additively, i.e., given randomness \((\rho _1,\rho _2) \in \mathbb {Z} _q^2\), secret keys are randomized as \((x',y') := (x+\rho _1,y+\rho _2)\) and public keys are randomized as \((u',v') := (u\cdot g_2^{\rho _1},v\cdot g_2^{\rho _2})\).

*q*-SDH assumption and has perfectly re-randomizable keys, it is forgeable under re-randomized keys. The attack is as follows: The adversary \(\mathcal {A} \) on input the public key (

*u*,

*v*) chooses a random message \(m\in \mathbb {Z} _q^*\) as well as a random value \(\rho _1\in \mathbb {Z} _q^*\). It then queries \((m,(\rho _1,0))\) to its signing oracle receiving back a signature \(\sigma = (r,s)\). Then, it computes \(m' := m + \rho _1\) and outputs \(\sigma ,m',(0,0)\) as a forgery. It is easy to verify, that the verification equation actually holds for the output of \(\mathcal {A} \):Furthermore, the adversary is efficient and the only message queried to the signing oracle is

*m*, and \(m' \ne m\). Therefore, it follows that \(\mathcal {A} \) breaks the unforgeability under re-randomizable keys with probability 1.

**Camenisch-Lysyanskaya Signature Scheme.** The signature scheme of Camenisch and Lysyanskaya [15] works in a symmetric bilinear groups setting and is existentially unforgeable under the LRSW assumption. The scheme works as follows: The secret key consists of \(x,y \in \mathbb {Z} _q\) and the public key consists of the corresponding group elements \(X := g^x\) and \(Y := g^y\). To sign a message \(m \in \mathbb {Z} _q\), the signer chooses a random \(a \leftarrow \mathbb {G} \), computes \(b:=a^y\) and \(c:=a^{x+mxy}\), and outputs the signature \(\sigma =(a,b,c)\). To verify that a signature is valid, the verifier checks that \(e(a,Y) = e(g,b)\) and \(e(X,a)\cdot e(X,b)^m=e(g,c)\) hold. The keys of the scheme can be re-randomized multiplicatively^{1}. I.e., given randomness \((\rho _1,\rho _2) \in \mathbb {Z} _q^2\), secret keys are randomized as \((x',y') := (x\cdot \rho _1,y\cdot \rho _2)\) and public keys are randomized as \((X',Y') := (X^{\rho _1},Y^{\rho _2})\).

*X*,

*Y*) chooses a random message \(m\in \mathbb {Z} _q^*\) as well as a random value \(\rho _2\in \mathbb {Z} _q^*{\setminus }\{1\}\). It then queries \((m,(1,\rho _2))\) to its signing oracle receiving back a signature \(\sigma = (a,b,c)\). It it finally computes \(m' := m\cdot \rho _2\) and \(b' := b^{(\rho _2^{-1})}\) and outputs \((a,b',c),m',(1,1)\) as a forgery. It is easy to verify, that the verification equation actually holds for the output of \(\mathcal {A} \). For the first check equation we have:For the second verification equation we have:Furthermore, the adversary is efficient and the only message queried to the signing oracle is

*m*, and \(m' \ne m\), since \(\rho _2\ne 1\). Therefore, it follows that \(\mathcal {A} \) wins the unforgeability game with re-randomizable keys with probability 1.

### 3.4 Instantiations

In this section, we show that our security notion is achievable in the random oracle and the standard model. In the random oracle model, we prove that Schnorr’s signature scheme [40, 41] is unforgeable under re-randomized keys and in the standard model we show that a slightly modified version of the signature scheme due to Hofheinz and Kiltz [31, 32] satisfies our notion.

**Random Oracle Model.** We show that Schnorr’s signature scheme [40, 41] is unforgeable under re-randomized keys. Our proof technique relies on an idea that was previously observed by Fischlin and Fleischhacker [25] in the context of an impossibility result. The core of this technique, that we call randomness switching technique, allows moving a signature from one public key to another one knowing only the difference between the two corresponding secret keys.

**Definition 11**

**(Schnorr Signature Scheme).**Let \(\mathbb {G} \) be a cyclic group of prime order

*q*with generator

*g*and let \(\mathcal {H}: \{0,1\}^{*} \rightarrow \mathbb {Z} _q\) be a hash function. The Schnorr signature scheme \(\mathsf {SSS} \), working over \(\mathbb {G} \), is defined as follows:

\(\mathsf {SGen} (1^{\kappa })\): Pick \(\mathsf {sk}\leftarrow \mathbb {Z} _q\) at random, compute \(\mathsf {pk}:= g^{\mathsf {sk}}\), and output \((\mathsf {sk},\mathsf {pk})\).

\(\mathsf {SSign} (\mathsf {sk},m)\): Pick \(r \leftarrow \mathbb {Z} _q\) at random and compute \(R := g^{r}\), compute \(c:= \mathcal {H}(R, m)\) and \(y:= r + \mathsf {sk}\cdot c \mod q\). Output \(\sigma := (c,y)\).

\(\mathsf {SVerify} (\mathsf {pk},m,\sigma )\): Parse \(\sigma \) as (

*c*,*y*). If \(c = \mathcal {H}(\mathsf {pk}^{-c}g^{y}, m)\), then output 1, otherwise output 0.\(\mathsf {RandSK} (\mathsf {sk},\rho )\): Compute \(\mathsf {sk}' := \mathsf {sk}+ \rho \mod q\) and output \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): Compute \(\mathsf {pk}' := \mathsf {pk}\cdot g^{\rho }\) and output \(\mathsf {pk}'\).

Obviously all three correctness conditions hold. It remains to show that \(\mathsf {SSS} \) is unforgeable under re-randomized keys.

**Theorem 1**

**(Unforgeability of Schnorr Signatures Under Re-randomized Keys).** The signature scheme \(\mathsf {SSS} \) (Definition 11) is unforgeable under re-randomized keys (Definition 8) in the random oracle model if the discrete logarithm problem in \(\mathbb {G} \) is hard.

*Proof*

*m*, obtaining a signature (

*c*,

*y*), and then adapting the signatures by adding the value \(\rho \cdot c\) to

*y*. Eventually, the adversary \(\mathcal {A} \) outputs a forgery \((\sigma ^*,m^*,\rho ^*)\) with \(\sigma ^*=(c,y)\). The reduction \(\mathcal {B} \) adapts the signature in order to serve as a forgery under the key \(\mathsf {pk}\) by subtracting \(\rho ^*\cdot c\) from

*y*. A formal description of the adversary and the simulation of the oracle \(\mathcal {O}_2(\mathsf {sk},\rho ,m)\) is given in the following:

*c*and

*y*. The

*c*value is independent of the signing key, therefore only the

*y*value needs to be adapted. The adapted value is computed as

*m*under \(\mathsf {pk}\cdot g^\rho \) with the same randomness as (

*c*,

*y*). It follows that the answers to signing queries are distributed exactly as in the \(\mathsf {UFRK}^{\mathsf {SSS}}_{\mathcal {A}}(\kappa )\) experiment.

*m*under \(\mathsf {pk}\). Further, in answering signing queries for \(\mathcal {A} \), the adversary \(\mathcal {B} \) queries the exact same messages as \(\mathcal {A} \) and therefore whenever \(\mathcal {A} \) wins in the \(\mathsf {UFRK}^{\mathsf {SSS}}_{\mathcal {A}}(\kappa )\) experiment, \(\mathcal {B} \) wins in the \(\mathsf {EUF}^{\mathsf {SSS}}_{\mathcal {A}}(\kappa )\) experiment. Combining this with the well known proof of existential unforgeability of Schnorr signatures by Pointcheval and Stern [38, 39] rules out the existence of \(\mathcal {A} \) under the discrete logarithm assumption in the random oracle model.

**Standard Model.** In the following we show that a modified version of the signature schemes due to Hofheinz and Kiltz [31, 32] is unforgeable under re-randomized keys. The original construction of Hofheinz and Kiltz works on type 1 and type 2 pairings and the element *s* in their scheme is a random bit string. However, in our case we choose *s* as a random element from \(\mathbb {Z} _q\). This modification slightly increases the signature’s size, but does not influence the original functionality or security proof. To prove the security formally, we adapt the randomness switching technique to this setting, which allows us to reduce the unforgeability under re-randomized keys to standard existential unforgeability. The scheme of Hofheinz and Kiltz requires a programmable hash function [31, 32], but since security properties of programmable hash functions are not relevant to our proofs, we omit them here and refer the interested reader to [31, 32].

**Definition 12**

**(Programmable Hash Function**[31, 32]

**).**A programmable hash function \((\mathsf {Gen}, \mathsf {Eval})\) consists of two algorithms:

\(k \leftarrow \mathsf {Gen} (1^{\kappa })\): The key generation algorithm takes as input the security parameter \(1^{\kappa }\) and generates a public key

*k*.\(y \leftarrow \mathsf {Eval} (k,m)\): The deterministic evaluation algorithm takes as input a key

*k*and a message \(m \in \{0,1\}^{\ell }\) and outputs a hash value*y*.

Given the definition of programmable hash functions, we define the slightly modified signature scheme due to Hofheinz Kiltz and define the re-randomization algorithms.

**Definition 13**

**(Hofheinz Kiltz Signature Scheme**[31, 32]

**).**Let \(\mathsf {PHF} = (\mathsf {Gen},\mathsf {Eval})\) be a programmable hash function with domain \(\{0,1\}^{*}\) and range \(\mathbb {G} _1\). The signature scheme \(\mathsf {HKSS} \) is defined as follows:

\(\mathsf {SSetup} (1^{\kappa })\): Generate a key for \(\mathsf {PHF} \) as \(k \leftarrow \mathsf {Gen} (1^\kappa )\) and output \(\mathsf {pp} =k\).

\(\mathsf {SGen} (1^{\kappa })\): Pick \(\mathsf {sk}\leftarrow \mathbb {Z} _q\) at random, compute \(\mathsf {pk}:= g_2^{\mathsf {sk}}\), and output \((\mathsf {sk},\mathsf {pk})\).

\(\mathsf {SSign} (\mathsf {sk},m)\): Parse

*k*from \(\mathsf {pp}\). Pick \(s \leftarrow \mathbb {Z} _q\) uniformly at random and compute \(y := \mathsf {Eval} (k,m)^{\frac{1}{\mathsf {sk}+s}}\). Output \(\sigma := (s,y)\).\(\mathsf {SVerify} (\mathsf {pk},m,\sigma )\): Parse \(\sigma \) as (

*s*,*y*). If \(e(y,\mathsf {pk}\cdot g_2^s) = e(\mathsf {Eval} (k,m),g_2)\) then output 1, otherwise output 0.\(\mathsf {RandSK} (\mathsf {sk},\rho )\): Compute \(\mathsf {sk}' := \mathsf {sk}+ \rho \mod q\) and output \(\mathsf {sk}'\).

\(\mathsf {RandPK} (\mathsf {pk},\rho )\): Compute \(\mathsf {pk}' := \mathsf {pk}\cdot g_2^{\rho }\) and output \(\mathsf {pk}'\).

Obviously all three correctness conditions hold. It remains to show that \(\mathsf {HKSS} \) is unforgeable under re-randomized keys.

**Theorem 2**

**(Unforgeability of **\(\mathsf {HKSS} \)**Under Re-randomized Keys).** The signature scheme \(\mathsf {HKSS} \) as defined in Definition 13 is unforgeable under re-randomized keys (Definition 8) in the standard model, if \(\mathsf {HKSS} \) is unforgeable under chosen message attacks (Definition 9).

*Proof*

*m*and adjusts the key by subtracting \(\rho \) from

*s*. The formal description of \(\mathcal {B} \) and the oracle \(\mathcal {O}_2\) is given in the following:

For the analysis, let us assume that \(\mathcal {A} \)’s success probability in the experiment \(\mathsf {UFRK}^{\mathsf {HKSS}}_{\mathcal {A}}(\kappa )\) is bigger than \(1/\mathsf {poly}(\kappa )\). It is easy to see that \(\mathcal {B} \) is efficient and that the simulation of \(\mathcal {A} \)’s signing oracle \(\mathcal {O}_1\) is perfect. Now, we show that \(\mathcal {B} \) also provides a perfect simulation of the oracle \(\mathcal {O}_2\). Whenever \(\mathcal {A} \) sends \((\rho , m)\) to \(\mathcal {O}_2\), then \(\mathcal {B} \) returns a signature \((s',y)\) for which it holds that \(e(y, \mathsf {pk}\cdot g_2^\rho \cdot g_2^{s'}) = e(\mathsf {Eval} (k,m)^{\frac{1}{\mathsf {sk}+s}}, g_2^{\mathsf {sk}+ \rho + (s - \rho )}) = e(\mathsf {Eval} (k,m),g_2)\), which has obviously the correct distribution.

Finally, we argue that \(\mathcal {B}\) outputs a valid signature whenever \(\mathcal {A} \) outputs a valid forgery. To see this, note that \((s' = s+\rho ^*, y)\) for \(m^*\) under \(\mathsf {pk}\), whenever \(\mathcal {A}\) returns a valid signature (*s*, *y*) for \(m^*\) under the re-randomized key \(\mathsf {pk}\cdot g_2^\rho \), since \(e(y, (\mathsf {pk}\cdot g_2^{\rho })\cdot g_2^{s}) = e(y, \mathsf {pk}\cdot g_2^{\rho + s}) = e(y, \mathsf {pk}\cdot g_2^{s'})\). Combining this with the proof of existential unforgeability of the modified version of the Hofheinz Kiltz signature schemes from [31, 32] rules out the existence of \(\mathcal {A}\).

## 4 Efficient Sanitizable Signatures

In this section we show how to build efficient unlinkable sanitizable signatures from signatures with perfectly re-randomizable keys.

### 4.1 Preliminaries

We recall the definitions and security notions of the other building blocks required for our construction of sanitizable signatures. Namely we recall the definitions of CCA secure public key-encryption and non-interactive zero-knowledge proof systems.

**CCA Secure Public-Key Encryption.** A public key encryption scheme \(\mathcal {E}=(\mathsf {EGen},\mathsf {Enc}, \mathsf {Dec})\) consists of a key generation algorithm \((\mathsf {dk}, \mathsf {ek})\leftarrow \mathsf {EGen} (1^{\kappa })\), an encryption algorithm \(c\leftarrow \mathsf {Enc} (\mathsf {ek},m)\), and a decryption algorithm \(m\leftarrow \mathsf {Dec} (\mathsf {dk},c)\). We omit the standard correctness condition and recall the standard notion of CCA security.

**Definition 14**

**(Indistinguishability under Chosen Ciphertext Attacks).**A public key encryption scheme \(\mathcal {E}= (\mathsf {EGen}, \mathsf {Enc},\mathsf {Dec})\) has

*indistinguishable encryptions under chosen ciphertext attacks*(\(\mathsf {IND\textsf {-}CCA}\)) if for all (possibly stateful) PPT adversaries \(\mathcal {A} =(\mathcal {A} _0,\mathcal {A} _1)\) the probability that the experiment \(\mathsf {IND\textsf {-}CCA}^{\mathcal {E}}_{\mathcal {A}}(\kappa )\) evaluates to 1 is negligibly bigger than \(1{\slash }2\) (in \(\kappa )\), where

**Non-interactive Zero-Knowledge Proof System.** We recall the definitions of non-interactive zero-knowledge proof systems. A non-interactive zero-knowledge proof system \((\mathsf {Setup_{ZK}}, \mathsf {P_{ZK}}, \mathsf {V_{ZK}})\) for a language \(\mathcal {L} \) with the corresponding relation \(\mathcal {R} \) consists of a setup algorithm \(\mathsf {crs} \leftarrow \mathsf {Setup_{ZK}} (1^{\kappa })\) that generates a common reference string, a prover algorithm \(\pi \leftarrow \mathsf {P_{ZK}} (\mathsf {crs}, x, w)\) that takes as input the common reference string \(\mathsf {crs} \), a statement *x*, and a witness *w* and outputs a zero-knowledge proof \(\pi \); and a verification algorithm \(b\leftarrow \mathsf {V_{ZK}} (\mathsf {crs}, x, \pi )\) that outputs 1 iff \(x\in \mathcal {L} \) and 0 otherwise. We omit the standard definition of correctness and recall the definitions of (perfect) soundness, zero-knowledge, and proof of knowledge.

**Definition 15**

**(Perfect Soundness).**A NIZK scheme has

*perfect soundness*if and only if for all \(\kappa \in \mathbb {N} \) and all adversaries \(\mathcal {A} \) it holds that

**Definition 16**

**(Zero-knowledge).**A NIZK scheme has

*computational zero-knowledge*if for all \(\kappa \in \mathbb {N} \) there exists an efficient simulator \(\mathsf {S} = (\mathsf {S} _0, \mathsf {S} _1)\) such that for all adversaries \(\mathcal {A} \) it holds that

**Definition 17**

**(Proof of Knowledge).** A NIZK scheme is a *proof of knowledge* if there exists an efficient extractor \(\mathsf {Ext} = (\mathsf {Ext} _0,\mathsf {Ext} _1)\) such that the following conditions hold:

### 4.2 Our Construction

In the following, we describe our construction of a sanitizable signature scheme based on signatures with re-randomizable keys. Similar to previous constructions [11, 12], we sign the parts of the message that cannot be changed by the sanitizer and a description of valid modifications \(\textsc {Adm} \) with a separate signature scheme. The main part of our construction, and which is very different from all previous schemes, is the computation of the signature on the parts that can be modified by the sanitizer. The basic idea here is that we compute this signature using a signature scheme with re-randomizable keys. That is, we compute this signature using a re-randomized private and public key-pair \((\mathsf {sk}',\mathsf {pk}')\), which was either re-randomized by the signer or the sanitizer. To allow for an easy \(\mathsf {Proof} \) and \(\mathsf {Judge} \) algorithm and avoid rewinding in the proof, we have to provide a way to check that \(\mathsf {pk}'\) is in fact the re-randomization of the signer’s or the sanitizer’s public key. Therefore, we also include an encryption of the actual public key. In the \(\mathsf {Proof} \) algorithm the signer can then decrypt and return this public key along with a proof of correct decryption.

In the following, for the sake of brevity all algorithms are assumed to implicitly take the public parameters as input.

**Construction 1**

*c*, thus revealing who computed the signature. Moreover, it computes a zero-knowledge proof asserting that the decryption was performed correctly. The \(\mathsf {Judge} \) checks whether the proof of decryption is correct. If the proof \(\pi \) contains \(\mathsf {pk}_{san}\), then the \(\mathsf {Judge} \) algorithm outputs \(\mathtt {San} \). In all other cases, \(\mathsf {Judge} \) returns \(\mathtt {Sign} \).

### 4.3 Security Proof

We are now ready to state the main theorem about the security of the construction described above.

**Theorem 3**

If \(\varSigma = (\mathsf {SSetup}, \mathsf {SGen}, \mathsf {SSign},\mathsf {SVerify}, \mathsf {RandSK}, \mathsf {RandPK})\) is a signature scheme that is unforgeable under re-randomized keys, \(\varSigma _\textsc {Fix} = (\mathsf {SSetup_\textsc {Fix}}, \mathsf {SGen_\textsc {Fix}}, \mathsf {SSign_\textsc {Fix}},\mathsf {SVerify_\textsc {Fix}})\) is a signature scheme that is strongly existentially unforgeable, \(\varPi _{PoK} = (\mathsf {Setup_{PoK}},\mathsf {P_{PoK}},\mathsf {V_{PoK}})\) is a computationally zero-knowledge perfectly sound proof of knowledge system, \(\varPi _{ZK} = (\mathsf {Setup_{ZK}}, \mathsf {P_{ZK}}, \mathsf {V_{ZK}})\) is a computationally zero-knowledge perfectly sound proof system, \(\mathcal {E}= (\mathsf {EGen},\mathsf {Enc},\mathsf {Dec})\) is a CCA-secure public key encryption scheme, then Construction 1 is sanitizer-accountable, signer-accountable, immutable, (proof-restrictedly) transparent, and unlinkable.

We sketch the basic ideas of the proofs here. The full proofs for each security property are deferred to the [26].

*Sanitizer Accountability.*Consider an efficient adversary \(\mathcal {A} \) against the sanitizer accountability of \(\mathrm {SanS} \), whose final output is a tuple \((\mathsf {pk}_{san}^*, m^*, \sigma ^*)\). The signature \(\sigma ^*\) can be parsed as \((\sigma _\textsc {Fix} ,\sigma ', \textsc {Adm},\mathsf {pk}',c,\tau )\) and the public-key as \(\mathsf {pk}_{sig}= (\mathsf {pk_\textsc {Fix}}, \mathsf {pk}, \mathsf {ek})\). Whenever \(\mathcal {A} \) wins, then \(\mathcal {A} \) never queried \((\mathsf {pk}_{san}^*,m^*)\) to its sign oracle \(\mathsf {Sign} \), the signature verifies, and \(\mathsf {Judge} \) outputs \(\mathtt {Sign} \). This implies that

*Signer Accountability.*Let \(\mathcal {A} \) be an efficient adversary against the signer accountability of \(\mathrm {SanS} \), whose final output is a tuple \((\mathsf {pk}_{sig}^*, m^*, \sigma ^*, \pi ^*)\), where \(\mathsf {pk}_{sig}^*\) can be parsed as \((\mathsf {pk_\textsc {Fix}} ^*, \mathsf {pk}^*, \mathsf {ek} ^*)\), the signature \(\sigma ^*\) as \((\sigma _\textsc {Fix} ,\sigma ',\textsc {Adm}, \mathsf {pk}',c,\tau )\), and \(\pi ^*\) as \((\widehat{\mathsf {pk}}, \phi )\). Whenever \(\mathcal {A} \) wins, then \(\mathcal {A} \) never queried \((\mathsf {pk}_{sig}^*,m^*)\) to its sanitizer oracle \(\mathsf {Sanit} \), the signature is valid, and \(\mathsf {Judge} \) outputs \(\mathtt {San} \). This implies that

*Immutability.*Let \(\mathcal {A} \) be an efficient adversary against the immutability of \(\mathrm {SanS} \), whose final output is tuple \((\mathsf {pk}_{san}^*,m^*,\sigma ^*)\). The signature \(\sigma ^*\) can be parsed as \((\sigma _\textsc {Fix} ,\sigma ',\textsc {Adm},\mathsf {pk}',c,\tau )\). From the winning conditions of \(\mathcal {A} \) we can conclude, that the tuple \((\textsc {Fix} _\textsc {Adm} (m^*),\textsc {Adm},\mathsf {pk}_{san}^*)\) is different from any such tuple corresponding to one of the \(\mathsf {Sanit} \) queries and that

*(Proof Restricted) Transparency.* The proof of transparency is the most involved one and proceeds in several game-hops. We start with the transparency game with the bit \(b=0\). Then, first, we use the simulatability of the zero knowledge proofs, to switch to a game, where all proofs are simulated. We can then change the \(\mathsf {Sanit/Sign}\) oracle to no longer encrypt the re-randomized public key, but an independently chosen public key instead. The answers of \(\mathsf {Proof} \) queries can be changed accordingly. The difference between the two games can be bounded by reducing it to the CCA security of the encryption scheme. Next, the bit *b* is flipped to 1. Due to the simulated proofs, the outputs of \(\mathsf {Sanit/Sign}\) are distributed identically before and after the switch. The outputs of the \(\mathsf {Proof} \) oracle, however, may differ, if the attacker manages to ask a valid query, such that the signature reuses one of the ciphertexts computed by \(\mathsf {Sanit/Sign}\). This leads to two different cases. If the attacker uses a new \(\mathsf {pk}_{san}'\) in its query, then it must also compute a new proof of knowledge, which means that it has to know the content of the ciphertext, leading to a trivial reduction to CCA security (or even one-wayness) of the encryption scheme. In the other case, the fact that the signature must verify, leads to a forgery under a re-randomized key, which would contradict the unforgeability under re-randomized keys of \(\varSigma \). Finally, we can switch back to real ciphertexts instead of random ones and undo the simulation of the zero knowledge proofs, thus arriving at the transparency game with the bit \(b=1\).

Since the distances between all hops can be bounded by negligible functions, the difference between the two cases of the game is also negligible.

*Unlinkability.*Let \(\mathcal {A} \) be an efficient adversary against the signer unlinkability of \(\mathrm {SanS} \) and consider a query

*b*in the experiment. The signature \(\sigma ^*_b\) can be parsed as \((\sigma _{\textsc {Fix},b}, \sigma '_b, \textsc {Adm} _b, \mathsf {pk}'_b, c_b,\tau _b)\). The conditions required for the \(\mathsf {LoRSanit}\) oracle to provide such an answer implies that the distribution of \((\sigma '_0,\textsc {Adm} _0,\mathsf {pk}'_0,c_0,\tau _0)\) and \((\sigma '_1,\textsc {Adm} _1,\mathsf {pk}'_1,c_1,\tau _1)\) are identical. Therefore, the only way to distinguish between the two cases is if it holds that \(\sigma _{\textsc {Fix},i} ^0 \ne \sigma _{\textsc {Fix},i} ^1\). However, since \(\varSigma _\textsc {Fix} \) is deterministic, such a query would imply that one of \((m_\textsc {Fix} ^0,\sigma _\textsc {Fix} ^0)\) and \((m_\textsc {Fix} ^1,\sigma _\textsc {Fix} ^1)\) must necessarily be a valid forgery under \(\mathsf {pk_\textsc {Fix}} \), which contradicts the strong existential unforgeability of \(\varSigma _\textsc {Fix} \).

## 5 Instantiating the Construction

We instantiate our generic construction with compatible and efficient instantiations in the random oracle model. For the two signature schemes, we choose standard Schnorr signatures as defined in Definition 11 for \(\varSigma \), as well as a derandomized^{2} version of Schnorr signatures for \(\varSigma _\textsc {Fix} \)^{3}. The encryption scheme and proof systems are instantiated with the Cramer Shoup encryption scheme [22], and \(\varSigma \)-protocols that we convert into a non-interactive zero-knowledge proof via the Fiat-Shamir transform [24]. The Cramer Shoup encryption scheme is defined as follows:

**Definition 18**

**(Cramer Shoup Encryption Scheme).**Let \(\mathbb {G} \) be a cyclic group of prime order

*q*with two random generators \(g_1,g_2\) and let \(\mathcal {H}: \{0,1\}^{*} \rightarrow \mathbb {Z} _q\) be a hash function. The Cramer Shoup encryption scheme, working over \(\mathbb {G} \), is defined as follows:

\(\mathsf {EGen} (1^{\kappa })\): The key generation algorithm proceeds as follows: Pick \(x,y,a,b,a', b' \leftarrow \mathbb {Z} _q\) uniformly at random, compute \(h:= g_1^xg_2^y\), \(h:= g_1^ag_2^b\), \(h:= g_1^{a'}g_2^{b'}\), set \(\mathsf {dk}:=(x,y,a,b,a',b')\) and \(\mathsf {ek}:=(h,c,d)\) and output \((\mathsf {dk},\mathsf {ek})\).

\(\mathsf {Enc} (\mathsf {ek},m)\): The encryption algorithm proceeds as follows: Parse \(\mathsf {ek} \) as (

*h*,*c*,*d*) and choose \(r \leftarrow \mathbb {Z} _q\) uniformly at random. Compute \(\alpha := \mathcal {H}(g_1^r,g_2^r,h^r\cdot m)\) and \(C:=(g_1^r,g_2^r,h^r\cdot m,(cd^\alpha )^r)\). Output*C*.\(\mathsf {Dec} (\mathsf {dk},C)\): The decryption algorithm proceeds as follows: Parse \(\mathsf {dk} \) as \((x,y,a,b, a', b')\) and

*C*as (*u*,*v*,*w*,*e*). Compute \(\alpha := \mathcal {H}(u,v,w)\) and check if \(u^{a+\alpha a'}\cdot v^{b+ab'} = e\) holds. If it holds output \(w/(u^x\cdot v^y)\). Otherwise output \(\bot \).

Note that the statement that we are proving can be expressed as a logical combination of discrete logarithm proofs of knowledge. For the design of each single discrete logarithm proofs we deploy Schnorr’s \(\varSigma \)-protocols from [40]. We then formulate the complete proof using standard parallel composition techniques, first introduced in [20, 21]. The complete protocol is depicted in Fig. 1. It is worth mentioning that, in order to express the logical disjunction of our statement, the prover must run the simulator \(\mathsf {S} \) provided by the zero-knowledge property (Definition 16). For the specific case of \(\varSigma \)-protocols \(\mathsf {S} _{\varSigma }\) works by randomly sampling \(z_i, s_i\) from \(\mathbb {Z} _q\) and computing \(T_i\) as \(g_1^{s_i}/(\frac{\mathsf {pk}'}{\mathsf {pk}})^{z_i}\) (or \(g_1^{s_i}/(\frac{\mathsf {pk}'}{\mathsf {pk}_{san}})^{z_i}\), respectively). Finally, as mentioned above, the protocol can be made non-interactive by using the Fiat-Shamir transformation. Note that this allow us to drop the first tuple of elements \((T_0, \dots , T_5)\) since they can be simply recomputed from the public parameters and the further messages of the protocol and their integrity can be checked by recomputing the hash function.

## 6 Conclusion

In this paper, we formalized the novel notion of signature schemes that are unforgeable under re-randomized keys. Furthermore, we showed that Schnorr’s signature scheme [40, 41] is unforgeable under re-randomized keys in the random oracle model and that Hofheinz’ and Kiltz’ signature scheme [31, 32] is unforgeable under re-randomized keys in the standard model.

Based on signature schemes with re-randomizable keys we then gave a construction of unlinkable sanitizable signatures and an instantiation, which is at least one order of magnitude faster than all previously known schemes.

The keys can also be re-randomized additively, however in that case neither a proof of security nor an attack are apparent.

## Acknowledgments

This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA – www.cispa-security.org) and the project PROMISE. Moreover, it was supported by the Initiative for Excellence of the German federal and state governments through funding for the Saarbrücken Graduate School of Computer Science and the DFG MMCI Cluster of Excellence. Part of this work was also supported by the German research foundation (DFG) through funding for the collaborative research center 1223. Dominique Schröder was also supported by an Intel Early Career Faculty Honor Program Award.