Klaus Stranacher et al.
5.2.1 Assessment of sanitizable signatures by Ateniese et al.( 2005)
Ateniese et al.( 2005) states“[…] as a secure digital signature scheme that allows a semi‐trusted censor to modify certain designated portions of the message […]” 7. That means the requirement for designated redactor and designated parts is fulfilled. In addition the privacy is also fulfilled as“[…] the indistinguishhability requirement provides for privacy”. The author also state that“ accountability follows from the unforgeability requirement”, but this has been proven by Brzuska et al.( 2009) as not true. So the Ateniese sanitizable signature scheme does not provide accountability.
5.2.2 Assessment of extended sanitizable signatures by Klonowski and Lauks( 2006)
The extended sanitizable signature scheme of Klonowski and Lauks( 2006) provides a designated redactor and designated parts as stated by the authors:“[…] in this scheme the designated censor can change the content of designated( so called mutable) parts of a signed message […]”. They also state that privacy is fulfilled due to the basement of their extended scheme on Ateniese et al.( 2005). Concerning accountability we have to distinguish between the two characteristics of this scheme. The accumulator technique provides accountability whereas bloom filter does not. Nevertheless, the authors miss a concrete security model and proofs for their proposed schema.
5.2.3 Assessment of extended sanitizable signature schemes by Canard and Jambert( 2010)
As this scheme strongly bases on Ateniese et al.( 2005), it provides designated redactors as needed by our defined requirements. In addition, Canard and Jambert( 2010) state that“[…] to force some admissible blocks of a signed message to be modified only into a predefined set of sub‐messages.” 8 and“[…] privacy is also included by transparency in the extended model.”. Thus, the scheme fulfils the requirements for designated parts and privacy. In addition, the authors prove that“ Unforgeability( and thus accountability) is reached thanks to the computation of a new tag per message.”. This is one of the major extensions of Ateniese et al.( 2005).
5.2.4 Assessment of blank digital signatures by Slamanig and Hanser( 2013)
Slamanig and Hanser( 2013) state that“ Immutability guarantees that no malicious proxy can compute message templates or templates instantiations not intended by the signer.” and“[…] is called private, if for any polynomial‐time algorithm A the probability of winning Game 2 is negligible as a function of security parameter k.” It follows that the proposed scheme provides a designated redactor and privacy. The requirement, that designated parts must definable, is fulfilled because of the proposed template mechanism, where the signatory defines a message template. Additionally accountability is also fulfilled as the proxy signs the template instantiations with a conventional signature, which provides accountability.
5.2.5 Technical assessment summary
The requirements for applicability to structured data and compatibility with existing signature standards can be assessed together for all examined schemes. Pöhls et al.( 2011) have shown several implementations of sanitizable signatures based upon XML and the W3C Recommendation( 2008) on XML‐Signature Syntax and Processing( XMLDSIG). The authors have proven that sanitizable signatures are applicable to structured data and fit into XMLDSIG without invalidating the recommendation. In addition, the findings of Pöhls et al.( 2011) may be applied to the examined schemes with slight changes.
Table 1 summarizes the results of the assessment. It shows that Ateniese et al.( 2005) lacks on the requirement on accountability. Furthermore Klonowski and Lauks( 2006) miss a security model and proofs for the proposed scheme. Therefore these two schemes are assessed to be not suitable for the public sector data use cases.
In contrast, the sanitizable signature schemes of Canard and Jambert( 2010) and Slamanig and Hanser( 2013) meet all technical requirements. Hence these schemes are appropriate to the use cases of redacted public sector data as defined in Stranacher et al.( 2013).
7 They used the name censor for the redactor.
8 Message parts which can be modified by a redactor are often called admissible blocks.
514