Redactable signature scheme for tree-structured data based on Merkle tree

In 2008, Kundu and Bertino proposed a structural signature scheme for tree-structured data. A signature generated by the scheme is redactable: for given tree-structured data and its signature, it is possible to compute signatures of subtrees of the given tree without the secret signing key. Brzuska et al. formalized security requirements of such kind of redactable signature schemes. They also proposed a provably secure redactable signature scheme for tree-structured data using an ordinary signature scheme. This paper presents a new redactable signature scheme for tree-structured data using an ordinary signature scheme and a Merkle tree constructed by a keyed hash function such as HMAC. The proposed scheme assumes that the out-degree of each node in a tree is at most constant. It is also shown that the proposed scheme is provably secure under standard security assumptions of the underlying primitives. The proposed scheme first generates a digest of given tree-structured data based on the Merkle tree using the keyed hash function, and computes a single signature for the digest using the ordinary signature scheme. On the other hand, the total number of signatures required by previous provably secure schemes is at least as large as that of the nodes of the tree.