ISO/IEC 23264-1:2021

INTERNATIONAL ISO/IEC
STANDARD 23264-1
First edition
Information security — Redaction of
authentic data —
Part 1:
General
Sécurité de l'information — Rédaction de données authentifées —
Partie 1: Généralités
PROOF/ÉPREUVE
Reference number
ISO/IEC 23264-1:2021(E)
©
ISO/IEC 2021

---------------------- Page: 1 ----------------------
ISO/IEC 23264-1:2021(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 23264-1:2021(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and conventions . 5
4.1 Symbols . 5
4.2 Conventions . 5
5 General model and processes . 5
5.1 General . 5
5.2 Parties and processes . 5
5.3 General model . 6
5.4 Specification of processes. 7
5.4.1 Key generation process . 7
5.4.2 Redactable attestation process. 7
5.4.3 Redaction process . 8
5.4.4 Verification process . 8
6 Cryptographic properties of redactable attestation schemes . 9
6.1 Required cryptographic properties . 9
6.1.1 Correctness . 9
6.1.2 Unforgeability . 9
6.1.3 Privacy . 9
6.2 Optional cryptographic properties .10
6.2.1 Undetectability of redactions .10
6.2.2 Detectability of redactions .10
6.2.3 Unlinkability of redactions .10
6.2.4 Disclosure control .10
6.2.5 Consecutive redaction control .10
6.2.6 Mergeability .10
Bibliography .11
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE iii

---------------------- Page: 3 ----------------------
ISO/IEC 23264-1:2021(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see http:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 23264 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
iv PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 23264-1:2021(E)

Introduction
Digital attestation schemes, in particular digital signature schemes or message authentication codes,
can be used to provide data integrity and data origin authentication. A redactable attestation scheme
enables the attestation of a message in such a way that, if certain parts of the attested message (known
as fields) are redacted (erased, blanked out or permanently removed), the attestation of the redacted
message can still be verified. More precisely, upon attesting a message, the attestor knowing the
private attestation key can define which parts of the message can later be redacted (in the sense of
ISO/IEC 27038) by any entity only knowing the message, the attestation, and the attestor’s redaction
key. Any other modification of the attested message (e.g. redaction of other message parts or insertion/
modification of any parts) invalidates the attestation.
Redactable attestation schemes are a basic building block in many privacy-preserving applications,
such as privacy-preserving data sharing or authentication, where a entity can decide to only reveal the
information that is absolutely necessary to forward to a receiver, while the latter is still assured that
the received information was previously attested, e.g. by a public authority.
The goal of the ISO/IEC 23264 series is to remedy existing incompatibilities or inconsistently defined
properties in existing specifications of such schemes, and to ease the real-world adoption of this
technology. Specifically, the goal of this document is to lay the foundations for subsequent parts (e.g.
focusing on concrete algorithms for the authenticity-preserving redaction of specific document formats
like text, pictures, video, etc.) by specifying and defining common terminology and properties for such
schemes.
The ISO/IEC 23264 series complements ISO/IEC 27038, which specifies the redaction of digital
documents without addressing the authenticity of the data.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 23264-1:2021(E)
Information security — Redaction of authentic data —
Part 1:
General
1 Scope
This document specifies properties of cryptographic mechanisms to redact authentic data. In particular,
it defines the processes involved in those mechanisms, the participating parties, and the cryptographic
properties.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
admissible changes
description of all possible modifications of a message (3.12) attested with a redactable attestation
scheme (3.16) that can be applied within the redaction process (3.23) without invalidating the resulting
redacted attestation (3.18)
Note 1 to entry: The set of admissible changes is called non-trivial, if the admissible changes allow for at least one
modification of the original message yielding a redacted message different from the original message.
Note 2 to entry: In the context of this document, the possible modifications of a message are limited to removal of
some fields of a message.
3.2
attestation key
private attestation key
secret data item specific to an attestor (3.4) and usable only by this entity in the redactable attestation
process (3.15)
Note 1 to entry: Except for the term “redactable attestation process” instead of “signature process”, this definition
is consistent with “signature key” as defined in ISO/IEC 14888-1:2008, 3.13.
3.3
attested message
set of data items consisting of the redactable attestation (3.14), the admissible changes (3.1) and the
fields (3.10) of the message (3.12) which are attested
Note 1 to entry: Depending on the instantiation, if not all admissible changes are part of the attested message,
then at least those admissible changes that are relevant for the verification process can be reconstructed from the
redactable attestation in combination with the fields of the message which are attested and the verification key.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 1

---------------------- Page: 6 ----------------------
ISO/IEC 23264-1:2021(E)

3.4
attestor
entity using its private attestation key (3.2) to perform the redactable attestation process (3.15),
producing an attested message (3.3)
3.5
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or
processes
[SOURCE: ISO/IEC 7498-2:1989, 3.3.16, modified — The article has been removed.]
3.6
data integrity
property that data has not been altered or destroyed in an unauthorized manner
[SOURCE: ISO/IEC 7498-2:1989, 3.3.21, modified — The article has been removed.]
3.7
digital attestation
data appended to, or a cryptographic transformation of, a message (3.12) that allows a recipient of the
data to verify the source and data integrity (3.6) of the message (3.12)
3.8
domain
set of entities operating under a single security policy
Note 1 to entry: In the context of this document, a domain contains all participating attestors, redactors and
verifiers.
[SOURCE: ISO/IEC 14888-1:2008, 3.4, modified — Note 1 to entry has been added.]
3.9
domain parameter
data item which is common to and known by or accessible to all entities within the domain (3.8)
[SOURCE: ISO/IEC 14888-1:2008, 3.5, modified — The article has been removed.]
3.10
field
sub-string of any length of the message (3.12)
3.11
key generation process
process for generating cryptographic keys
3.12
message
string of bits of any length
Note 1 to entry: In the context of this document, the message is always composed of one or several field(s). The
exact composition and a decomposition is always obtainable from the message.
[SOURCE: ISO/IEC 14888-1:2008, 3.10, modified — Note 1 to entry has been added.]
3.13
modification instruction
instruction that describes the message redaction, i.e. how a message (3.12) is to be redacted by the
redactor (3.24) within a redaction process (3.23)
Note 1 to entry: Modification instructions are called non-trivial if the message input to, and the message obtained
by, the redaction process are not identical.
2 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 23264-1:2021(E)

3.14
redactable attestation
redactable digital attestation
data resulting from the redactable attestation process that is appended to a message (3.12) that allows
a recipient of this data to verify the source and integrity of the message (3.12)
Note 1 to entry: This string of bits may have an internal structure that is specific to the attestation mechanism.
3.15
redactable attestation process
process which takes as inputs the message (3.12), the private attestation key (3.2), the admissible changes
(3.1) and the domain parameters (3.9), and which outputs a redactable attestation (3.14)
3.16
redactable attestation scheme
set of processes that achieves digital attestation (3.7) and supports the creation and verification of
redactable attestations (3.14) together with a redaction process (3.23)
3.17
redacted admissible changes
admissible changes (3.1) that are the output of the redaction process (3.23)
Note 1 to entry: The redacted admissible changes are derived during the redaction process from the given
admissible changes by applying modification instructions.
3.18
redacted attestation
redacted digital attestation
attestation resulting from applying the redaction process (3.23) at least once with some modification
instructions (3.13)
Note 1 to entry: This string of bits may have an internal structure that is specific to the attestation mechanism.
3.19
redacted attested message
set of data items resulting from the redaction process (3.23) which consists of the redacted attestation
(3.18), the redacted admissible changes (3.17) and the redacted message (3.20) composed from those
fields (3.10) that have not been subject to any redaction
Note 1 to entry: Depending on the instantiation, if not all redacted admissible changes are part of the redacted
attested message, then at least those redacted admissible changes that are relevant for the verification process
can be reconstructed from the redacted attestation in combination with the redacted message and the
verification key.
3.20
redacted message
message (3.12) that is the output from the redaction process (3.23)
3.21
redaction
removal of a field (3.10) such that it results in the irreversible and permanent removal of information
contained within that field from the message (3.12)
Note 1 to entry: The removal of a field only removes the information contained within that field. Information that
can be derived from other fields of the message or from other sources is not removed.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 3

---------------------- Page: 8 ----------------------
ISO/IEC 23264-1:2021(E)

3.22
redaction key
set of public data elements which is related to an attestor’s (3.4) private attestation key (3.2) and which
is used by the redactor (3.24) in the redaction process (3.23)
Note 1 to entry: Depending on the instantiation, the redaction key may be private or public. In any case,
knowledge of the redaction key does not result in information about the attestor’s private attestation key.
3.23
redaction process
process w
...