I. Introduction

The increasingly developed technologies of telecommunication, computer networking, data processing and storage have brought us into the era of information society. However, neither the communication network nor the third party is secure or trustworthy. It is clear that with the widespread implementation and deployment of these systems, senders and receivers of sensitive or valuable information require secure means to validate and authenticate the message they exchange. The validation and authentication of information refer to the methods for certifying its integrity and source. Digital signatures, an indispensable primitive in modern cryptography, provide integrity and source authentication of a digital document [1]. It is widely applied in management protocols, financial transactions, distributing software updates, blockchain, and many other important fields. The standard security definition of conventional digital signature schemes (DSSs) is “existentially unforgeable under adaptive chosen-message attacks (EUF-CMA)” [2], which means that without the signing secret key, no one can generate a valid signature for any message in probabilistic polynomial-time (PPT). Under the conventional digital signature framework, the entire message is signed, forcing message holder to disclose the entire message to a third party for signature verification. This indicates that general DSSs do not allow any alteration on the signed digital document without invalidating the signature. While conventional digital signatures can protect signed documents from being tampered, they also hamper signed documents to be processed for some flexible and efficient applications. There are everyday situations where, for reasons of security or privacy preservation, message holders only want to public certain parts of a signed message. This practical requirement can be specifically interpreted by electronic health records (EHRs) system.