IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005


PAPER

Special Section on Cryptography and Information Security

A Scheme for Partial Disclosure of Transaction Log

Yasuhiro OHTAKI†a), Masaru KAMADA†, and Kaoru KUROSAWA†, Members

SUMMARY To investigate cyber-criminals, Police sometimes asks Administrator of a computer system to disclose the whole transaction log. Administrator, however, wants to protect the privacy of innocent users. This paper presents a solution for the disclosure/privacy problem of transaction log. In this scheme, Police can search over the encrypted records of the transaction log by keywords. The administrator discloses only the records which include the keyword, but nothing more. Police can verify that the administrator faithfully disclosed all the records which include the keyword.

key words: computer forensics, transaction log, privacy

1. Introduction

Transaction logs are one of the basic sources of information in computer forensics for tracing cyber-criminals. The law-enforcement agency (referred to as Police hereafter) usually confiscates the whole log, sometimes even the physical media containing the log, from the server administrator (Admin in short). Today, Admin usually complies with the request from Police. However, since the whole log obviously includes records of clients who have no relation with the crime, their individual privacy may be violated. Admin who thinks that protecting clients’ privacy is much more important than being cooperative to the investigation may refuse the request.

If we had a scheme in which only and every record related to the crime is disclosed to Police, Admin could be much more cooperative to the investigation. The present paper provides such a scheme under the restriction that “a record related to a crime” is a record which includes a word that exactly matches a particular keyword specified by Police. In this scheme, Admin gives Police an encrypted version of the whole log. Then,
(1) Police can search over the encrypted records of the transaction log by keywords;
(2) Admin discloses only the records which include the keyword, but nothing more;
(3) Police can verify that Admin faithfully disclosed all the records which include the keyword.

Related works include a scheme for searches on encrypted data [1]. In this scheme, a user can ask a proxy to search on his own encrypted data without disclosing to the proxy what he is searching for. This scheme does not work for the present case of Police versus Admin because it is not Admin but Police who wants to search on the log generated by Admin. Another work provided the scheme of symmetrically private information retrieval [2], [3] which lets a user privately retrieve only a specific datum from an encrypted database. It is not applicable to the present case since the user must specify the datum by its location. Police, being a user, does not know where an interesting datum is. There is an extension for private information retrieval which allows retrieval by indexed keywords [4]. But this extended scheme allows retrieval of any data from the indexed database. In the private equality test protocol [5], Police can privately detect if a record at Admin’s hand contains some keyword. Admin, however, can hide any record in the first place since Police does not have a firm copy of the transaction log.

Manuscript received March 22, 2004. Manuscript revised June 18, 2004. Final manuscript received August 12, 2004.
† The authors are with the Department of Computer and Information Sciences, Ibaraki University, Hitachi-shi, 316-8511 Japan.
a) E-mail: [email protected]

2. Problem Formulation

In this section, we review the conventional way of investigation to formulate the problem. The current practice of logging is characterized by the following three points:
(a) Admin decides what to record in the log at his disposal.
(b) Admin can rewrite the existing logs at any time as long as they are at his hand.
(c) The logs are written in plain text.

Point (a) implies that the log may or may not contain information useful for criminal investigation. But the log is the only possible clue that Police can obtain from Admin. Police wants to seize the whole log as early as possible because of (b). Seizure of the whole log ensures that Police holds the firm copy of the log at that moment, which will never be tampered with afterwards. By (c), however, the seizure is equivalent to disclosure of the whole log in the plain text format, which endangers individual privacy.

The whole log may be in an encrypted format as long as it is firmly fixed and decryptable afterwards. Assume that, every time a record is generated, Admin sends its encrypted version to Police. This ensures that Police holds an encrypted firm copy of the transaction log as it is recorded. However, this requires a huge amount of storage at Police side. Alternatively, Police may just digitally sign the record and send it back to Admin. Then at the beginning of investigation, Police seizes the encrypted log and its signature. By verifying the signature, Police can be sure that the seized log has not been tampered with since he signed.

On the above assumption, the problem is formulated as constructing a partial disclosure scheme having the following properties:

Copyright © 2005 The Institute of Electronics, Information and Communication Engineers


Property 0 The records not to be disclosed are kept secret from Police.
Property 1 Police can detect all the records which have a word that exactly matches a particular keyword, with no false hits.
Property 2 Police can verify that the disclosed records are identical with the contents of the log when it was recorded, not when it was seized.

Property 0 will persuade Admin to be more cooperative to the investigation. Properties 1 and 2 are indispensable for Police to accept the scheme.

Let the plain log $M$ be a set of records $R^1, R^2, \ldots, R^n$, i.e.,

$$M = \{(I^1, R^1), (I^2, R^2), \ldots, (I^n, R^n)\},$$

where $I^i$ is an identifier of each record. Usually $I^i$ may be the sequential record number. Let $w^i_j$ denote the $j$-th word of the record $R^i$. Each record $R^i$ is a sequence of $m$ words, i.e., $R^i = \langle w^i_1, w^i_2, \ldots, w^i_m \rangle$. Search by Police for a keyword $W$ means to determine the record identifier $I^L$ of the record $R^L$ containing $w^L_j$ such that $w^L_j = W$.

The contribution of this paper is a solution for the disclosure/privacy problem of transaction log under the assumption that the log is properly recorded. Police can search over the encrypted records of the log by keywords, and Admin discloses only the records which include the keyword, but nothing more. The proposed scheme does not assure that the transaction log is properly recorded just as the conventional investigation does not.

The rest of this paper is organized as follows: In Section 3, a basic scheme which satisfies Properties 1 and 2 is shown. Its weaknesses with respect to Property 0 are fixed in Sections 4 and 5. The scheme presented in Section 5 is the final proposal. The schemes in Sections 3 and 4 are intermediate steps to discuss the basic structure of the proposed scheme and are not our proposal. The feasibility of the proposed scheme is discussed in Section 6. An example scenario is shown in Section 7.

3. Basic Idea

Assume that we have a one-way function shared by Admin and Police. Let Admin convert each word in the log into its one-way function value and submit it to Police. Then Police can search for a keyword over the converted log by checking if any of the submitted values match the one-way function value of the keyword. So Police can locate all the keywords in the converted log. Admin discloses the records in the plain log which the located keywords concern. Admin keeps the rest of the plain log undisclosed. Police verifies that the one-way function value of the disclosed record is consistent with the submitted values.

If the one-way function is unique (one-to-one mapping), then false hits never occur, so this scheme satisfies Property 1. Property 2 is automatically satisfied in this case. Such a unique one-way function is implementable by a sort of a public key cipher system.

Fig. 1 Overview of the basic scheme.

The scheme employing the public key system is illustrated in Fig. 1 and its algorithm is compiled as follows:

Step 0. Preparation: Admin generates his public key $P_1$ and secret key $S_1$, and publishes $P_1$.

Step 1. Logging: Every time a record $R^i = \langle w^i_1, w^i_2, \ldots, w^i_m \rangle$ is generated, Admin encrypts each word with his public key $P_1$, i.e.,

$$u^i_j = E_{P_1}(w^i_j), \quad j = 1, 2, \ldots, m$$

to make an encrypted record $C^i = \langle u^i_1, u^i_2, \ldots, u^i_m \rangle$. Admin sends $(I^i, C^i)$ to Police and Police sends back his digital signature $G^i$ of $I^i | C^i$. Here, “|” denotes concatenation. Let $C$ denote the encrypted log which is a set of encrypted records with the identifier and their signature, i.e.,

$$C = \{(I^1, C^1, G^1), (I^2, C^2, G^2), \ldots, (I^n, C^n, G^n)\}.$$

Step 2. Seizure: At the beginning of investigation, Police seizes the encrypted log $C$. For every record $i$, Police calculates his digital signature of $I^i | C^i$ and checks whether it matches $G^i$.

Step 3. Keyword-to-template conversion: Let $W$ denote the keyword of interest. Police encrypts $W$ with the public key $P_1$ and generates a matching template $E_{P_1}(W)$.

Step 4. Search: Police searches through the encrypted log $C$ and finds records of which entry $u^i_j$ ($= E_{P_1}(w^i_j)$) matches the template $E_{P_1}(W)$. Let $I^L$ denote the identifier of such a record $C^L$.


Step 5. Disclosure: Police tells Admin the identifier $I^L$ and asks to disclose the plain record $R^L$. Police receives from Admin what is claimed to be $R^L$, denoted by $\hat{R}^L = \langle \hat{w}^L_1, \hat{w}^L_2, \ldots, \hat{w}^L_m \rangle$. Here, $\hat{\bullet}$ means that $\bullet$ is not yet verified.

Step 6. Verification: Police checks whether it holds good that

$$E_{P_1}(\hat{w}^L_j) = u^L_j, \quad j = 1, 2, \ldots, m$$

in order to verify that the disclosed records are identical with what was recorded, i.e.,

$$\hat{w}^L_j = w^L_j, \quad j = 1, 2, \ldots, m.$$
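Steps 1 to 6 of the basic scheme, as an added example that is not code from the paper. It assumes toy unpadded RSA (two Mersenne primes, constructed and insecure) as the deterministic one-to-one function $E_{P_1}$, omits Police's signature $G^i$, and uses hypothetical function names and a constructed sample log; the last two functions show what the holder of the encrypted log and the published $P_1$ can compute without Admin.

```python
from collections import Counter

# Toy textbook-RSA public key P1, constructed for illustration only.
# Unpadded RSA is a deterministic one-to-one mapping, which is the property
# the basic scheme needs for exact matching. The secret key S1 is never used.
E = 65537
N = (2**107 - 1) * (2**127 - 1)

def encrypt_word(word):
    """u = E_P1(w). Anyone who holds the published P1 can compute this."""
    x = int.from_bytes(word.encode(), "big")
    if not 0 < x < N:
        raise ValueError(f"word does not fit the toy modulus: {word!r}")
    return pow(x, E, N)

def admin_log(plain_log):
    """Step 1: Admin encrypts every word of every record; Police gets the result."""
    return {ident: [encrypt_word(w) for w in rec] for ident, rec in plain_log.items()}

def police_search(enc_log, keyword):
    """Steps 3-4: build the template E_P1(W) and return matching identifiers."""
    template = encrypt_word(keyword)
    return [ident for ident, c in enc_log.items() if template in c]

def police_verify(enc_log, ident, claimed_record):
    """Step 6: re-encrypt the claimed plain record and compare with the seized C^L."""
    return [encrypt_word(w) for w in claimed_record] == enc_log[ident]

def ciphertext_histogram(enc_log):
    """Equal words give equal ciphertexts in every record, so counts are visible."""
    return Counter(u for c in enc_log.values() for u in c)

def dictionary_recover(enc_log, guesses):
    """Map ciphertexts back to guessed words; None where no guess matched."""
    table = {encrypt_word(g): g for g in guesses}
    return {ident: [table.get(u) for u in c] for ident, c in enc_log.items()}

# Constructed sample log: date, time, client-IP, process-ID, action, filename, size.
PLAIN_LOG = {
    1: ["2004-03-22", "10:15:02", "192.0.2.10", "4711", "upload", "pirate.zip", "7340032"],
    2: ["2004-03-22", "10:20:41", "192.0.2.77", "4712", "download", "readme.txt", "1024"],
    3: ["2004-03-22", "11:02:13", "192.0.2.99", "4720", "download", "pirate.zip", "7340032"],
}

if __name__ == "__main__":
    enc = admin_log(PLAIN_LOG)
    print("records matching 'pirate.zip':", police_search(enc, "pirate.zip"))
    print("record 1 verifies:", police_verify(enc, 1, PLAIN_LOG[1]))
    print("most repeated ciphertext count:", ciphertext_histogram(enc).most_common(1)[0][1])
    print("record 2 after guessing:", dictionary_recover(enc, ["upload", "download", "readme.txt"])[2])
```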

This scheme has three weak points with respect to Property 0.

One is that Police can search over the encrypted log for arbitrarily many different keywords. If we can believe that Police is searching only for a keyword related to a crime, there is no problem. However, Admin who wants to protect innocent clients’ privacy may want to ensure that the search is limited to what is written in the search warrant.

Another weak point is that, because a plain word is converted into a unique encrypted word throughout the entire log, full statistical distribution of words is revealed to Police, even though the log is concealed by encryption. Combining this weak point with the one mentioned above, Police can incrementally uncover the plain log by trying a vast number of keywords that commonly occur.

The other weak point concerns the disclosure. After the disclosure, Police learns the following correspondence:

$$u^L_1 \leftrightarrow w^L_1, \quad u^L_2 \leftrightarrow w^L_2, \quad \ldots, \quad u^L_m \leftrightarrow w^L_m.$$

Then Police knows some part of other undisclosed records $R^i$ ($i \neq L$) that includes $w^L_j$.

4. How to Improve

Fig. 2 Overview of the improved scheme.

To fix the first weak point, we have to limit the search keyword to what is written in the search warrant. We shall let Admin check whether the keyword is relevant to the warrant. Admin’s digital signature [6], [7] can be used to implement Admin’s agreement. Verification of the signed keyword convinces Police that there is no cheating. In this way, all words and keywords are converted into their signature by Admin in advance of encryption.

To overcome the second weak point, the same word in different records should be converted into different encrypted words. This can be implemented by letting some record-related information, such as $I^i$, be involved in the encryption. This may also overcome the third weak point.

We shall replace the encrypted word $E_{P_1}(w^i)$ in the basic scheme by $E_{P_1}(I^i | E_{S_0}(w^i))$. Here, $E_{S_0}(w^i)$ is $w^i$ digitally signed using another of Admin’s private keys, $S_0$. With this change, the disclosure in the form of plain words becomes irrelevant since Police can no longer verify the consistency of the disclosed plain record with the seized encrypted record. A plain record signed by Admin, instead of the plain record itself, works for both verification and disclosure.

By the above replacement, we have an improved scheme as is illustrated in Fig. 2 and follows:

Step 0. Preparation: Admin generates two pairs of keys $P_0, S_0$ and $P_1, S_1$ in a public key system and publishes public keys $P_0$, $P_1$.

Step 1. Logging: Every time a record $R^i = \langle w^i_1, w^i_2, \ldots, w^i_m \rangle$ is generated, Admin first signs each word with his secret key $S_0$, concatenates the record identifier $I^i$, and then encrypts it together with the public key $P_1$, i.e.,

$$u^i_j = E_{P_1}(I^i | E_{S_0}(w^i_j)), \quad j = 1, 2, \ldots, m.$$

Let $C^i$ denote the encrypted record, i.e., $C^i = \langle u^i_1, \ldots, u^i_m \rangle$. Admin sends $(I^i, C^i)$ to Police and Police sends back his digital signature $G^i$ of $I^i | C^i$. Let $C$ denote the encrypted log which is a set of encrypted records with identifier and their signature, i.e.,

$$C = \{(I^1, C^1, G^1), (I^2, C^2, G^2), \ldots, (I^n, C^n, G^n)\}.$$


Step 2. Seizure: At the beginning of investigation, Police seizes and verifies the encrypted log $C$.

Step 3.1 Presenting a keyword: Police shows the keyword $W$ of interest to Admin.

Step 3.2 Keyword-to-signed-keyword conversion: Admin encrypts $W$ with his secret key $S_0$ and makes a signed keyword $\tilde{W} = E_{S_0}(W)$ and passes $\tilde{W}$ to Police.

Step 3.3 Verification of the signed keyword: Police verifies the signed keyword $\tilde{W}$ by decrypting the received value $\hat{\tilde{W}}$ with the public key $P_0$. If $D_{P_0}(\hat{\tilde{W}}) = W$, Police can be sure that $\tilde{W} = E_{S_0}(W)$.

Step 4.1 Signed-keyword-to-template conversion: Police makes matching template $\omega^i$ for each record by concatenating the signed word $\tilde{W}$ to the record identifier $I^i$ and encrypting it with the public key $P_1$, i.e.,

$$\omega^i = E_{P_1}(I^i | \tilde{W}), \quad i = 1, \ldots, n.$$

Step 4.2 Search: Police searches the encrypted log $C$ by checking whether record $C^i$ has an entry which matches $\omega^i$. Denote by $I^L$ the identifier of such a record $C^L$.

Step 5.1 Presenting the requested identifier: Police tells the identifier $I^L$ to Admin.

Step 5.2 Passing disclosure information: Admin passes disclosure information to Police in a signed form, i.e.,

$$\tilde{R}^L = \langle \tilde{w}^L_1, \tilde{w}^L_2, \ldots, \tilde{w}^L_m \rangle = \langle E_{S_0}(w^L_1), E_{S_0}(w^L_2), \ldots, E_{S_0}(w^L_m) \rangle.$$

Step 5.3 Verification: Police verifies $\tilde{R}^L$ by encrypting the concatenation of $I^L$ and $\tilde{w}^L_j$ with the public key $P_1$. If

$$E_{P_1}(I^L | \tilde{w}^L_j) = u^L_j, \quad j = 1, 2, \ldots, m,$$

holds good, then Police can be sure that

$$\tilde{w}^L_j = E_{S_0}(w^L_j), \quad j = 1, 2, \ldots, m,$$

which means the disclosure $\tilde{R}^L$ is consistent with the seized log.

Step 5.4 Disclosure: Police decrypts $\tilde{R}^L$ with $P_0$ and obtains plain record $R^L$.

In the improved scheme, the matching template $\omega = E_{P_1}(E_{S_0}(W))$ cannot be made without Admin’s secret key $S_0$. Therefore Police’s search needs Admin’s cooperation in the process of signing the keyword. Admin’s faithfulness in this cooperation is verifiable by Police.

There is still a weak point with respect to Property 0. After the disclosure of $R^L = \langle w^L_1, w^L_2, \ldots, w^L_m \rangle$ in the form of $\tilde{R}^L = \langle E_{S_0}(w^L_1), E_{S_0}(w^L_2), \ldots, E_{S_0}(w^L_m) \rangle$, Police learns the correspondence $u^L_j \to E_{S_0}(w^L_j) \leftrightarrow w^L_j$. Then Police can search for $w^L_j$ in any other record $R^i$ ($i \neq L$) by the matching template $E_{P_1}(I^i | E_{S_0}(w^L_j))$ that Police can make from $E_{S_0}(w^L_j)$ for any $I^i$. Thus Police can locate all the records having a word included in a disclosed record even though they should be concealed.

Disclosure information $V^L$ for record $R^L$ should satisfy the following three conditions:
• Police must be able to obtain the plain record $R^L$ using the disclosure $V^L$.
• Police must be able to verify that the records disclosed from $V^L$ are identical with $R^L$.
• Police must not be able to produce a template for searching on any other records than the disclosed one, using the disclosure, plain text, or whatever Police knows.

A signed plain record $\tilde{R}^L = \langle E_{S_0}(w^L_1), E_{S_0}(w^L_2), \ldots, E_{S_0}(w^L_m) \rangle$ satisfies the first two conditions. Police can obtain the plain text $R^L$ by decrypting $\tilde{R}^L$ with public key $P_0$. Police also can verify that the record disclosed from $\tilde{R}^L$ is identical with what was recorded by checking if

$$E_{P_1}(I^L | E_{S_0}(w^L_j)) = u^L_j, \quad j = 1, 2, \ldots, m.$$

However, as we have already seen, disclosing in the form of $\tilde{R}^L$ cannot satisfy the third condition. It seems that any disclosure information $V^L$ which needs $C$ and $M$ for its verification results in giving Police clues to search for non-permitted keywords. We have to devise a different disclosure method.

5. Proposed Scheme

Let Admin generate not only the encrypted record $C^i$ for search, but also another encrypted record $V^i$ which is dedicated to the record-wise disclosure. The detailed procedure to generate $V^i$ is described later. Admin sends both $C^i$ and $V^i$ to Police, and receives Police’s signature $G^i$ for them. At the beginning of investigation, Police seizes the encrypted log and verifies $G^i$. Since $V^i$ is generated during daily operation, Police can be sure that he has a firm copy of $V^i$ as well as $C^i$, and that $V^i$ surely corresponds to $C^i$.

The disclosure information $V^i$ would be generated by simply encrypting $R^i$ with a symmetric cipher system. For record-wise disclosure, the key to encrypt each record should be different. Let $K^i$ denote the key to encrypt $R^i$. Receiving $K^L$ from Admin, Police obtains $R^L$ by decrypting $V^L$. Encryption key $K^i$ should satisfy the following three conditions:
• Police must be able to verify the correctness of $K^L$ to ensure he can decrypt $V^L$.
• Generation of $K^i$ should require Admin’s operation.
• The operation at Admin’s side should be done automatically. This condition is required to generate $V^L$ in daily logging operation.

To satisfy these conditions, $K^i$ is chosen as the record identifier $I^i$ signed by Admin’s secret key $S_0$, i.e., $K^i = E_{S_0}(I^i)$. By decrypting with $P_0$, Police can verify the signature and ensure it is for record $V^i$. Additionally, after generating $V^i$ with $K^i$, Admin does not have to keep $K^i$.

Fig. 3 Overview of the proposed scheme.

By adding steps for this new encrypted record $V^i$ to the improved scheme, we have a final scheme as illustrated in Fig. 3 and follows. The steps for searching are not changed from those in the improved scheme.

Step 0. Preparation: Admin generates two pairs of keys $P_0, S_0$ and $P_1, S_1$ in a public key system and publishes public keys $P_0$, $P_1$.

Step 1.1 Generating a record for search: Every time a record $R^i = \langle w^i_1, w^i_2, \ldots, w^i_m \rangle$ is generated, Admin first signs each word with his secret key $S_0$, concatenates the record identifier $I^i$, and then encrypts it together with the public key $P_1$, i.e.,

$$u^i_j = E_{P_1}(I^i | E_{S_0}(w^i_j)), \quad j = 1, 2, \ldots, m.$$

Let $C^i$ denote the encrypted record, i.e., $C^i = \langle u^i_1, \ldots, u^i_m \rangle$.

Step 1.2 Generating a record for disclosure: Every time a record $R^i$ is generated, Admin also makes another encrypted record $V^i$ by encrypting the whole record $R^i$ with a symmetric cipher system $F$. The encryption key $K^i$ of $F$ is generated by encrypting the identifier $I^i$ with Admin’s secret key $S_0$, i.e.,

$$K^i = E_{S_0}(I^i), \quad V^i = F_{K^i}(R^i).$$

Step 1.3 Logging: Admin sends $(I^i, C^i, V^i)$ to Police and receives Police’s digital signature $G^i$ for $I^i | C^i | V^i$. Let $C$ denote the encrypted log which is a set of encrypted records with identifier and their signature, i.e.,

$$C = \{(I^1, C^1, V^1, G^1), (I^2, C^2, V^2, G^2), \ldots, (I^n, C^n, V^n, G^n)\}.$$

Step 2. Seizure: At the beginning of investigation, Police seizes and verifies the encrypted log $C$.

Step 3.1 Presenting a keyword: Police shows the keyword $W$ of interest to Admin.

Step 3.2 Keyword-to-signed-keyword conversion: Admin encrypts $W$ with his secret key $S_0$ and makes a signed keyword $\tilde{W} = E_{S_0}(W)$ and passes $\tilde{W}$ to Police.

Step 3.3 Verification of the signed keyword: Police verifies the signed keyword $\tilde{W}$ by decrypting the received value $\hat{\tilde{W}}$ with the public key $P_0$. If $D_{P_0}(\hat{\tilde{W}}) = W$, Police can be sure that $\tilde{W} = E_{S_0}(W)$.

Step 4.1 Signed-keyword-to-template conversion: Police makes matching templates for each record by concatenating the signed word $\tilde{W}$ to the record identifier $I^i$ and encrypting it with the public key $P_1$, i.e.,

$$\omega^i = E_{P_1}(I^i | \tilde{W}), \quad i = 1, \ldots, n.$$

Step 4.2 Search: Police searches over the encrypted log $C$ for a record $C^i$ having an entry which matches $\omega^i$. Denote by $I^L$ the identifier of such a record $C^L$.

Step 5.1 Presenting the identifier: Police tells the identifier $I^L$ to Admin.

Step 5.2 Generating decryption key for disclosure: Admin signs the presented identifier $I^L$ with his secret key $S_0$ and generates the decryption key $K^L$ for the record $V^L$, i.e., $K^L = E_{S_0}(I^L)$. Admin passes $K^L$ to Police.

Step 5.3 Verification of decryption key: Police verifies the decryption key $K^L$ by decrypting $\hat{K}^L$ with the corresponding public key $P_0$. If $D_{P_0}(\hat{K}^L) = I^L$, Police can be sure that $K^L = E_{S_0}(I^L)$.

Step 5.4 Disclosure: Police decrypts the encrypted record $V^L$ with the verified key $K^L$ and obtains plain record $R^L$, i.e.,

$$F^{-1}_{K^L}(V^L) = F^{-1}_{K^L}(F_{K^L}(R^L)) = R^L.$$

6. Feasibility

Table 1 Computational cost in daily operation. Cost to encrypt one record $R^i$ having $m$ words.
  Admin:  2m public key encryption (to generate $C^i$).
          1 public key encryption + 1 symmetric key encryption (to generate $V^i$).
  Police: 2 public key encryption (to sign $C^i$ and $V^i$).

Table 2 Required storage space in daily operation. Required storage space.
  $C^i$:  m × the bit length of the longest public key.
  $V^i$:  the same as the plain record $R^i$.
  (See Section 5 for $C^i$ and $V^i$.)

Table 3 Computational cost for searching. Cost to search one keyword over $n$ encrypted records $\{C^i\}$ ($i = 1, \ldots, n$) having $m$ words.
  Admin:  1 public key encryption (to generate a signed keyword).
  Police: 1 public key decryption (to verify the signed keyword).
          n public key encryption (to generate a matching template for each record).

Table 4 Computational cost for disclosure. Cost to disclose one record $V^i$ having $m$ words.
  Admin:  1 public key encryption (to generate $K^i$).
  Police: 1 public key decryption (to verify $K^i$).
          1 symmetric key decryption (to decrypt $V^i$).

In comparison with the conventional transaction log, the proposed scheme obviously requires much more computation and storage space. The computational cost is evaluated by the number of cryptographic operations as shown in Tables 1, 3 and 4.

To generate $V^i$, one public key encryption for $K^i$ and one symmetric cipher encryption are required. To generate $C^i$, public key encryption is required twice for every word. A record containing $m$ words requires $2m$ public key encryptions. Signing by Police requires a public key encryption for each $C^i$ and $V^i$.

Search by Police requires one public key encryption on Admin’s side to make a signed keyword. On Police’s side, one public key decryption is required for verification. During the search, one public key encryption is required for every record.

To disclose one record, Admin needs one public key encryption to generate $K^i$. On Police’s side, one public key decryption for verification and one symmetric decryption to obtain the plain record are necessary.

The size of encrypted log is summarized in Table 2. The actual size varies for the adopted cipher systems. Using a block-wise symmetric cipher system, the size of $V^i$ is roughly about the size of $R^i$. Since $C^i$ is encrypted word by word, the size of $C^i$ is the product of the size of cipher text for one word and the number of words in the record. If the traditional RSA scheme is used for public key encryption, the size of cipher text becomes roughly the size of $N$, where $N$ is the product of two large primes. Assume that the size of $N$ for $P_0$ and $S_0$ is 1024 bits and that for $P_1$ and $S_1$ is 2048 bits. Then the cipher text for one word becomes 2048 bits, the bit length of the longest public key. One record of transaction log for a typical FTP server has 7 fields. They are date, time, client-IP, process-ID, action, filename and data size. If we encrypt this record field-wise, the total size of one encrypted record becomes 14336 bits.

Thus the computational cost and storage space required for the proposed scheme are very large. It is still feasible, but far from efficient. There is much left for future improvement.

The communication cost for the Police to sign during the daily operation is rather unrealistic. Signing the generated record by Police makes Admin able to prove his faithfulness during the period between the sign and the seizure. This is an advantage of the proposed scheme over the conventional investigation, which could not eliminate the possibility of forgery before seizure. However, for the period from the generation of record to the sign by Police, neither Admin nor Police could prove the faithfulness of Admin. To make this unprovable period as short as possible, signing by Police right after the record generation is necessary. But the frequency of the communications becomes unrealistically high. If Admin and Police could allow for the existence of a longer unprovable period, the frequency of the sign by Police could be reduced, e.g. weekly or monthly.


7. Example Scenario

Admin of a free web-space site generates two pairs of keys $P_0, S_0$ and $P_1, S_1$, and publishes $P_0$, $P_1$. As a daily operation, all transactions of file uploads and downloads are recorded in the form of

$$R^i = \langle \mathrm{date}^i, \mathrm{time}^i, \mathrm{client\text{-}IP}^i, \mathrm{process\text{-}ID}^i, \mathrm{action}^i, \mathrm{filename}^i, \mathrm{size}^i \rangle.$$

Every time a record $R^i$ is generated, Admin generates two encrypted records $C^i$, $V^i$, where

$$C^i = E_{P_1}(I^i | E_{S_0}(\{R^i\})), \quad V^i = F_{K^i}(R^i), \quad K^i = E_{S_0}(I^i).$$

Admin sends $(I^i, C^i, V^i)$ to Police and receives Police’s signature for them. Admin archives $\{(I^i, C^i, V^i, G^i)\}$ as an encrypted log $C$.

Suppose that a software maker found out that a CD-ROM image file of his own expensive software product and its license key had been uploaded with a filename ‘pirate.zip’ and had been illegally distributed. The software maker reports the case to Police without knowing the suspect. Police wishes to obtain all the records about uploads and downloads of the file ‘pirate.zip.’

Police seizes $C$ from Admin of the site with the search warrant from the court for investigation. Police asks Admin to disclose all the records which include the keyword ‘pirate.zip.’ Admin checks whether this search does not constitute an invasion of privacy. If he agrees to the search, he calculates a keyword template $\tilde{W} = E_{S_0}(\text{‘pirate.zip’})$ and passes it to Police.

Police generates a matching template for each encrypted record $C^i$, and searches for matching entries. As a result, he obtains the identifier $I^L$ of the records $R^L$ which include something like ‘upload pirate.zip’ or ‘download pirate.zip.’ Police does not recognize ‘upload’ or ‘download’ at this stage.

Police shows the record identifier $I^L$ to Admin and asks for disclosure. Admin signs $I^L$ with his secret key $S_0$ and returns the signature $K^L = E_{S_0}(I^L)$ to Police. This $K^L$ becomes the decryption key for the corresponding record $V^L$. Police decrypts the corresponding record $V^L$ and obtains the plain record $R^L$.
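The scenario above run through the proposed scheme of Section 5, as an added example that is not code from the paper. It assumes toy unpadded RSA key pairs (constructed, insecure) for $(P_0, S_0)$ and $(P_1, S_1)$, a SHA-256 keystream as a stand-in for the symmetric cipher $F$, no Police signature $G^i$, and hypothetical function names and sample records.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy textbook-RSA pair from two primes (constructed; unpadded, not secure)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

P0, S0 = keypair(2**61 - 1, 2**89 - 1)      # Admin's signing pair (shorter modulus)
P1, S1 = keypair(2**107 - 1, 2**127 - 1)    # Admin's encryption pair (longer modulus)
SIG_BITS = P0[0].bit_length()

def rsa(key, x):
    n, exp = key
    if not 0 < x < n:
        raise ValueError("value does not fit the toy modulus")
    return pow(x, exp, n)

def to_int(word):
    return int.from_bytes(word.encode(), "big")

def bind(ident, signed):
    """I | E_S0(w): identifier in the high bits, signature in the low bits."""
    return (ident << SIG_BITS) | signed

def F(key, data):
    """Stand-in for F: XOR with a SHA-256 counter keystream (its own inverse)."""
    seed = key.to_bytes((key.bit_length() + 7) // 8, "big")
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# ---- Admin (holds S0) ----
def admin_log(ident, record):
    """Steps 1.1-1.3: C^i for search, V^i for disclosure under K^i = E_S0(I^i)."""
    c = [rsa(P1, bind(ident, rsa(S0, to_int(w)))) for w in record]
    v = F(rsa(S0, ident), " ".join(record).encode())
    return {"I": ident, "C": c, "V": v}

def admin_sign_keyword(keyword):
    """Step 3.2, after Admin has checked the keyword against the warrant."""
    return rsa(S0, to_int(keyword))

def admin_disclosure_key(ident):
    """Step 5.2: K^L is recomputed on demand, so Admin need not store it."""
    return rsa(S0, ident)

# ---- Police (holds only P0, P1 and the seized log) ----
def police_search(log, keyword, signed_keyword):
    """Steps 3.3-4.2: verify the signed keyword, then test one template per record."""
    if rsa(P0, signed_keyword) != to_int(keyword):
        raise ValueError("signed keyword does not verify under P0")
    return [e["I"] for e in log if rsa(P1, bind(e["I"], signed_keyword)) in e["C"]]

def police_open(entry, key):
    """Steps 5.3-5.4: accept the key only if D_P0(K) equals this record's identifier."""
    if rsa(P0, key) != entry["I"]:
        raise ValueError("disclosure key was not signed for this record")
    return F(key, entry["V"]).decode().split(" ")

# Constructed sample records: date, time, client-IP, process-ID, action, filename, size.
# Identifiers start at 1001 because textbook RSA maps the value 1 to itself.
SCENARIO = {
    1001: ["2004-03-22", "10:15:02", "192.0.2.10", "4711", "upload", "pirate.zip", "7340032"],
    1002: ["2004-03-22", "10:20:41", "192.0.2.77", "4712", "download", "readme.txt", "1024"],
    1003: ["2004-03-22", "11:02:13", "192.0.2.99", "4720", "download", "pirate.zip", "7340032"],
}

def run_scenario():
    log = [admin_log(i, r) for i, r in SCENARIO.items()]
    hits = police_search(log, "pirate.zip", admin_sign_keyword("pirate.zip"))
    opened = {e["I"]: police_open(e, admin_disclosure_key(e["I"]))
              for e in log if e["I"] in hits}
    return hits, opened

if __name__ == "__main__":
    hits, opened = run_scenario()
    print("matching identifiers:", hits)
    for ident, record in opened.items():
        print(ident, record)
```

Record 1002 stays sealed: the key issued for 1001 fails the check in `police_open` for any other identifier, and a template built from an unsigned word matches no entry.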
Police now learns the time when pirate.zip was uploaded and the client-IP which committed it. The times and the client-IPs of downloading pirate.zip are also disclosed. If all the sites with the client-IPs were recording the transaction log in the same manner, Police can now search the log by the connection time as a search keyword and trace the connection. Then, Police will reach and identify the suspect, eventually.

8. Conclusions

A scheme is proposed in which Police can detect every record which includes a specified keyword in an encrypted log file. Admin has only to disclose the detected records to Police. This scheme needs a vast number of public key operations, and each of them must be a one-to-one mapping. Although that is still feasible, the size of the encrypted log and the computational cost are very large as discussed in Section 6. More efficient implementation with security analysis is yet to be done.

In this scheme, Police needs Admin’s cooperation. Admin is informed what Police is looking for, and in the case that the search for a specified keyword seems to violate the privacy of other clients, he can disagree to the search. If Police has to keep secret what he is looking for from Admin, they can ask the court to stand in the middle. Police sends a keyword to Court. Court checks its relevancy with the search warrant and orders Admin to sign the keyword in the blind signature scheme.

The authors recognize that the exact match condition is too tight for real investigation and are now working on extending the scheme to allow more flexible search conditions.

References

[1] D.X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” Proc. IEEE Security and Privacy Symposium, May 2000.
[2] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private information retrieval,” Proc. 36th FOCS, pp.41–50, 1995.
[3] S.K. Mishra and P. Sarkar, “Symmetrically private information retrieval,” Proc. INDOCRYPT, pp.225–236, 2000.
[4] B. Chor, N. Gilboa, and M. Naor, “Private information retrieval by keywords,” TR CS0917, Department of Computer Science, Technion, 1997.
[5] H. Lipmaa, “Verifiable homomorphic oblivious transfer and private equality test,” Proc. ASIACRYPT2003, pp.416–433, 2003.
[6] R.L. Rivest, A. Shamir, and L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol.21, no.2, pp.120–126, 1978.
[7] A. Lysyanskaya, “Signature schemes and applications to cryptographic protocol design,” Computer Security—ESORICS ’96, vol.1146 of Lecture Notes in Computer Science, pp.33–43, Springer-Verlag, 1996.

Yasuhiro Ohtaki was born in Yamagata, Japan in 1966. He received his bachelor’s degree from the University of Tsukuba in 1989, and his Ph.D. (in Engineering) from the same university in 1994. From 1994 to 2001, he was a research associate at the Department of Computer and Information Sciences at Ibaraki University. Since 2001 he has been a Lecturer. His current research interests include superdistribution and computer forensics. Dr. Ohtaki is a member of IPSJ.


Masaru Kamada was born in Ibaraki, Japan in 1962. He received his bachelor’s (1984), master’s (1986) and doctoral (1988) degrees in engineering from the University of Tsukuba and worked for the same university for 1988–1992. Since 1992, he has been an associate professor with the Department of Computer and Information Sciences, Ibaraki University, Hitachi. He was an academic guest at ETH Zürich on the JSPS post doctoral fellowship for 1993–1995. He served the engineering science society of IEICE as an associate editor of its Japanese transactions (1997–2000), publications secretary (1998–1999) and webmaster (1999). His current research interests include signal and image processing, web applications, and applied cryptography. Dr. Kamada is a member of IEEE and EURASIP.

Kaoru Kurosawa was born in Ibaraki, Japan, on September 23, 1954. He received the B.E. and Dr. Eng. degrees in electrical engineering in 1976 and 1981, respectively, from Tokyo Institute of Technology. From 1997 to 2001, he was a Professor in Tokyo Institute of Technology. He is currently a Professor in the Department of Computer and Information Sciences at Ibaraki University. His current research interest is cryptography. Dr. Kurosawa is a member of IEEE, IACR, and SITA. He received the excellent paper award of IEICE in 1981 and the young engineer award of IEICE in 1986.
