IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005
239
PAPER
Special Section on Cryptography and Information Security
Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control

Kunihiko MIYAZAKI†,††, Member, Mitsuru IWAMURA†††, Nonmember, Tsutomu MATSUMOTO††††, Ryoichi SASAKI†††††, Hiroshi YOSHIURA††††††, Members, Satoru TEZUKA†, Nonmember, and Hideki IMAI††, Fellow
SUMMARY A digital signature does not allow any alteration of the document to which it is attached. Appropriate alteration of some signed documents, however, should be allowed, because there are security requirements other than the integrity of the document. In the disclosure of official information, for example, sensitive information such as personal information or national secrets is masked when an official document is sanitized so that its nonsensitive information can be disclosed when a citizen demands it. If this disclosure is done digitally using the current digital signature schemes, the citizen cannot verify the disclosed information correctly, because the information has been altered to prevent the leakage of sensitive information. That is, with current digital signature schemes, the confidentiality of official information is incompatible with its integrity. This is called the digital document sanitizing problem, and some solutions, such as digital document sanitizing schemes and content extraction signatures, have been proposed. In this paper, we point out that the conventional schemes are vulnerable to an additional sanitizing attack and show how this vulnerability can be eliminated by a new digitally signed document sanitizing scheme with disclosure condition control.
key words: digital signature, disclosure of official information, privacy issue
1. Introduction
The digital signature has been an essential tool in the e-society, and the current digital signature schemes, such as DSA, ECDSA [7] and RSA-FDH [2], are designed to prevent alteration of a signed digital document. While this protects the document from alteration by a malicious attacker, it also means that a signed document is not processable and thus hinders more flexible and efficient use of digital documents. Moreover, in some situations it is incompatible with the confidentiality of the document. One such situation is the disclosure of official information. Consider, for example, what happens when a citizen demands the public release of information in an official document that someone on the staff of an administrative agency has drawn up and archived with his/her signature. The administrative office then deletes sensitive data such as personal information or national secrets and discloses a sanitized version of the document. The citizen cannot use the current digital signature schemes to verify the authenticity of the disclosed official document, that is, to determine who the author of the document is and whether or not the disclosed document is the same as the original one, because parts of the official document are altered in the disclosure procedure. Even if the alterations are legitimate ones that remove sensitive data, the verification will fail just as it does when the document has been altered maliciously. Current digital signature schemes thus cannot assure both the integrity and the confidentiality of a document. This is called the digital document sanitizing problem, and one proposed solution is to use digital document sanitizing schemes [5] that verify the authenticity of a sanitized document, except for the masked portions sanitized after signature generation. Another solution uses a content extraction signature (CES) [6], which allows the owner of a formal document, such as a birth certificate or marriage certificate signed by some trusted authority, to produce an extracted signature on selected extracted portions of the original document, which any third party can verify as originating from the original signer. These conventional schemes can be classified into two types: those that allow additional sanitizing and those that do not.

Manuscript received March 22, 2004. Manuscript revised June 28, 2004. Final manuscript received August 31, 2004.
† The authors are with Systems Development Laboratory, Hitachi Ltd., Kawasaki-shi, 212–8567 Japan.
†† The authors are with University of Tokyo, Tokyo, 153–8505 Japan.
††† The author is with Waseda University, Tokyo, 169–0051 Japan.
†††† The author is with Yokohama National University, Yokohama-shi, 240–8501 Japan.
††††† The author is with Tokyo Denki University, Tokyo, 101–8456 Japan.
†††††† The author is with University of Electro-Communications, Chofu-shi, 182–8585 Japan.
In this paper, we point out the problems of each type in public information disclosure systems. For example, we show how the conventional schemes that allow additional sanitizing leave documents vulnerable to an additional sanitizing attack. We also propose a new digitally signed document sanitizing scheme with disclosure condition control. It protects documents from additional sanitizing attacks by enabling a sanitizer to select one of three disclosure conditions for each portion of the signed document: (1) sanitized, (2) disclosed and additional sanitizing is allowed, or (3) disclosed and additional sanitizing is prohibited.

This paper is organized as follows. In Section 2 we review previous work and classify the conventional schemes according to whether or not they allow additional sanitizing. In Section 3 we explain the problems of using the conventional schemes in public information disclosure. In Section 4 we describe our new digitally signed document sanitizing scheme with disclosure condition control and discuss its security. In Section 5 we conclude with a brief summary.

Copyright © 2005 The Institute of Electronics, Information and Communication Engineers

2. Previous Work
In this section we review previous and related work on the digital document sanitizing problem. Hereinafter we refer to the solutions to this problem as digitally signed document sanitizing schemes. We explain a model for digitally signed document sanitizing schemes, present a brief overview of the conventional schemes, and then classify these schemes according to whether or not they allow additional sanitizing.

2.1 Model

A digitally signed document sanitizing scheme enables the authenticity of a disclosed document to be verified in the following three-party model consisting of a signer, a sanitizer, and a verifier [5].

Signer: The signer generates a digital signature assuring the authenticity of the original document without knowing which portions of the document will be sanitized after the signature is generated.

Sanitizer: A sanitizer decides which portions of the signed document should (or should not) be disclosed and modifies the signed document accordingly before it is disclosed. A sanitizer does not know which portions of the document will be disclosed before the signer generates a digital signature for the document. A sanitizer may know the original document but cannot generate it.

Verifier: A verifier accepts a disclosed document only if he/she verifies that the disclosed document is authentic, i.e., originates from the signer.

2.2 Conventional Schemes

In this subsection we briefly overview the conventional schemes. We assume that every original document consists of subdocuments, which are the minimum components that can be sanitized by a sanitizer. Hereinafter we identify the original document with a set of n subdocuments.

2.2.1 Digital Document Sanitizing Schemes

Miyazaki et al. [5] proposed the following four digital document sanitizing schemes (in [5] these are called Suminuri schemes, in Japanese):
Scheme 1 (SUMI-1): The signer generates a signature for every set of subdocuments in the original document (i.e., the signer generates $2^n$ signatures for the original document). A sanitizer selects and discloses one set of subdocuments and the signature for it.

Scheme 2 (SUMI-2): The signer generates a signature for every subdocument (i.e., the signer generates $n$ signatures for the original document). A sanitizer selects some signed subdocuments and discloses them and the signatures for them.

Scheme 3 (SUMI-3): The signer calculates hash values for all subdocuments and generates a signature for the concatenation of them (i.e., the signer generates one signature for the original document). A sanitizer selects subdocuments for disclosure and discloses those subdocuments and, instead of the other subdocuments themselves, their hash values, along with the original signature.

Scheme 4 (SUMI-4): A variant of SUMI-3. For greater security, the signer generates a random number for each subdocument, calculates the hash value of each subdocument together with its random number, and generates a signature for the concatenation of those hash values.

2.2.2 Content Extraction Signatures

Steinfeld et al. [6] proposed four content extraction signature schemes:

Scheme CommitVector (CES-CV): Similar to SUMI-4. The signer calculates a commitment for each subdocument by using a message commitment scheme and generates a signature for the concatenation of the commitments.

Scheme HashTree (CES-HT): A variant of CES-CV. The signer constructs a hash tree of the message commitments and generates a signature for the root node of the hash tree.

Scheme RSAProd (CES-RSAP): This scheme is specific to RSA-type signatures. As in SUMI-2, the signer generates $n$ signatures for the $n$ subdocuments. A sanitizer multiplies together the signatures for the disclosed parts of the original document, using the batch verification technique for RSA signatures [1].

Scheme MERSAProd (CES-MERP): A variant of CES-RSAP. The size of the signature is reduced by using multi-exponent RSA signatures [3].

Note: In the CES schemes, the signer of the original document also signs a Content Extraction Access Structure (CEAS) that specifies which parts of the document can be altered by a sanitizer (in [6] the sanitizer is called the owner). In the scheme we propose, a sanitizer can specify which parts of the document can be sanitized by subsequent sanitizers. As a special case, the signer can specify them by playing the first sanitizer's role.
Table 1  Possibility of additional sanitizing.

Scheme     Additional sanitizing
SUMI-1     no
SUMI-2     yes
SUMI-3     yes
SUMI-4     yes
CES-CV     yes
CES-HT     yes
CES-RSAP   no
CES-MERP   yes
Fig. 1  Basic procedure of public information disclosure.
2.3 Additional Sanitizing

These conventional schemes are classified into two types according to whether they allow additional sanitizing. That is, some schemes allow anyone to further sanitize a disclosed document that has already been sanitized. Whether or not the conventional schemes outlined in subsection 2.2 allow additional sanitizing is summarized in Table 1.

3. Problems of Conventional Schemes in Public Information Disclosure
As explained in subsection 2.3, conventional schemes are classified into two types according to whether they do or do not allow additional sanitizing. Subsections 3.2 and 3.3 show that each type of scheme has its own problems.

3.1 Document Flow in Public Information Disclosure

According to the information disclosure law in Japan [8], the basic procedure of public information disclosure is as follows (many countries have laws or regulations requiring similar procedures).

• An administrative office staff member draws up an official document and archives it.
• A disclosure requester (e.g., a citizen) submits to the chief of that administrative office (or to a staff member designated by the chief) a demand for the public release of information.
• The chief of the administrative office (or the designated staff member) discloses the official document. Before the document is disclosed, he/she has to delete from it the sensitive information, such as personal data and national secrets, whose disclosure is proscribed by the law.

We call the staff member who draws up an official document the signer, the chief of the administrative office the sanitizer, and the disclosure requester the verifier (Figure 1).

Fig. 2  Problem with the schemes that allow additional sanitizing.

3.2 Problem with the Schemes Allowing Additional Sanitizing

In this subsection we show that the schemes that allow additional sanitizing are vulnerable to what we call an additional
sanitizing attack.

Additional sanitizing attack: An attacker intercepts the disclosed document that has been sanitized by the chief of the administrative office, deletes the portions he/she deems undesirable, and forwards the additionally sanitized document to the requester. This attack succeeds because the requester cannot distinguish whether the received document is the same as the one disclosed by the chief of the administrative office or is a version that has been additionally and maliciously sanitized by an attacker (Figure 2).

3.3 Problem with the Schemes Not Allowing Additional Sanitizing

Although the schemes that do not allow additional sanitizing are not vulnerable to an additional sanitizing attack, they cannot be used as widely as the schemes that allow it. Consider, for example, the case in which several staff members have responsibility for disclosure on behalf of the chief of the administrative office. Each staff member is in charge of his/her own part of the original official document and must decide which information in that part can or cannot be disclosed. A copy of the minutes of a meeting, including some supporting documents, is a concrete example of this kind of document. Disclosure of the main part of the minutes should be decided by one staff member from the aspect of the participants' privacy, but disclosure of each supporting document should be decided by a different staff member from a different aspect (e.g., a supporting document might contain the estimated price of a land acquisition if the meeting was held to discuss urban renewal). Once one of the staff members sanitizes the part of the document for which he/she is responsible, the other staff members can no longer sanitize the parts they are responsible for, because the scheme does not allow additional sanitizing.

4. Proposed Scheme
In this section we describe a new digitally signed document sanitizing scheme that prevents additional sanitizing attacks and allows multiple individuals to sanitize a digitally signed document.

4.1 Goal

Our goal was to develop a digitally signed document sanitizing scheme that lets the sanitizer control the disclosure condition of each portion of the document by assigning to each portion of the signed original document one of the following three conditions:

1. Sanitized (i.e., masked)
2. Disclosed and additional sanitizing is allowed
3. Disclosed and additional sanitizing is prohibited

Note that the sanitizer in conventional schemes allowing additional sanitizing can assign only condition 1 or 2, and the sanitizer in conventional schemes not allowing additional sanitizing can assign only condition 1 or 3.

Our proposed scheme solves the problems of the conventional schemes as follows. Additional sanitizing attacks are prevented by assigning condition 1 (sanitized) or condition 3 (disclosed and additional sanitizing is prohibited). When there are multiple sanitizers, each assigns either condition 1 or condition 3 to the parts of the document he/she is responsible for and assigns condition 2 (disclosed and additional sanitizing is allowed) to the other parts of the document. The other sanitizers can then still sanitize the parts they are responsible for, because condition 2 has been assigned to those parts by the previous sanitizers. In addition, they can neither sanitize the parts to which condition 3 has been assigned nor recover the parts to which condition 1 has been assigned, so excessive sanitizing is prevented. In the case of public information disclosure, after the last sanitizer has assigned the disclosure conditions there is no portion of the disclosed document with condition 2, so additional sanitizing attacks on the disclosed document by a malicious person are prevented.
4.2 Model

In this subsection we extend the conventional model described in subsection 2.1 to deal with our proposed scheme. The major difference between that model and the extended one is the existence of multiple sanitizers. In our model each sanitizer can assign a disclosure condition to each portion of the document, and a subsequent sanitizer can modify that condition only within the condition assigned by the previous sanitizer.

Signer: The signer generates a digital signature assuring the authenticity of the original document without knowing which portions of the document will be sanitized.

Sanitizer: A sanitizer assigns to each portion that currently has the condition “disclosed and additional sanitizing is allowed” one of the conditions “sanitized,” “disclosed and additional sanitizing is allowed,” or “disclosed and additional sanitizing is prohibited,” and sends the document to other sanitizers or to the verifier. A sanitizer does not know which portions of the document will be disclosed before the signer generates a digital signature for the document. A sanitizer may know the content of the portions of the original document to which the condition “disclosed and additional sanitizing is allowed” or “disclosed and additional sanitizing is prohibited” has been assigned, but he/she cannot generate the original document.

Verifier: A verifier accepts a disclosed document only if he/she verifies the authenticity of the signature on it.

4.3 Security Requirements

In this subsection we describe the security requirements for digitally signed document sanitizing schemes in our model. Similar requirements are given in [6]. It is, however, unclear in those requirements whether additional sanitizing is forbidden or not, because multiple sanitizers are not taken into account explicitly. In our model, on the other hand, there are multiple sanitizers and each sanitizer can assign disclosure conditions. We extend the requirements to the multiple-sanitizer setting as follows.

Requirement 1 (Privacy): It is infeasible for an attacker to obtain information about the sanitized portions of the original document.

Requirement 2 (Unforgeability): It is infeasible for an attacker to produce a signed document whose authenticity can be verified and whose subdocuments are either subdocuments of a document that has not been signed by the authorized signer, or subdocuments of some document that has been signed by an authorized signer but that a sanitizer has not allowed to be additionally sanitized.

Formal definitions for these two requirements are as follows:
Definition 1 (Privacy): Let DSDSS be a digitally signed document sanitizing scheme and $A$ be a probabilistic polynomial-time Turing machine. $A$ chooses a pair of documents $M_0$ and $M_1$ that are identical except that they differ in the subdocument at some position $i$, where each document consists of at most $n$ subdocuments each of length at most $l$ bits. Then $A$ receives a signed document for $M_b$ sanitized at position $i$, where $b$ is chosen at random. DSDSS is indistinguishable if for any $A$ the advantage of $A$'s guess for $b$ is negligible.

Definition 2 (Unforgeability): Let DSDSS be a digitally signed document sanitizing scheme. DSDSS is unforgeable if, for any probabilistic polynomial-time Turing machine $A$ that makes at most $q_s$ queries to the signing oracle, each with a document and the closure configuration sets for the conditions “Sanitized (masked),” “Disclosed and additional sanitizing is allowed,” and “Disclosed and additional sanitizing is prohibited,” where each queried document consists of at most $n$ subdocuments each of length at most $l$ bits, the probability that $A$ produces a signed document whose authenticity can be verified and whose subdocuments are either subdocuments of a document that has not been queried to the signing oracle, or subdocuments of some document that has been queried to the signing oracle with the condition “Disclosed and additional sanitizing is prohibited,” is negligible.

4.4 Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control

4.4.1 Idea

In a conventional scheme allowing additional sanitizing, the data corresponding to a “mask” for sanitizing a portion of the document is either nothing (SUMI-2, CES-MERP) or data calculated from the original document, such as a hash value (SUMI-3, SUMI-4, CES-CV, CES-HT). Consequently, anyone who knows the original document can generate a “mask” and thus can additionally sanitize the document.
In our scheme, the signer generates a “legitimate mask” for each portion of the original document randomly and independently of the original document when he/she generates the signature. A sanitizer produces a sanitized document that consists, for each portion of the original document, of the kind of data listed in the right-hand column of Table 2 for the disclosure condition of that portion. No sanitizer can sanitize a portion of the document whose “legitimate mask” data has not been given to him/her (Figure 3).
Table 2  Disclosure condition and type of disclosed data.

Disclosure Condition                                 Disclosed Data
Sanitized                                            Mask data only
Disclosed and additional sanitizing is allowed       Original message and mask data
Disclosed and additional sanitizing is prohibited    Original message only

Fig. 3  Basic idea of our scheme.
4.4.2 Building Blocks

In our proposed scheme we use a digital signature scheme and a message commitment scheme as building blocks. We assume that these cryptographic primitives are secure, that is, we use a signature scheme that is existentially unforgeable against chosen message attack and a message commitment scheme that has the hiding and relaxed-binding properties (e.g., [4]). The definitions of these properties of a message commitment scheme are as follows.

A message commitment scheme $CM = (\mathrm{Ini}, \mathrm{Com})$ consists of two algorithms. On input a security parameter $k$, the initialization algorithm $\mathrm{Ini}$ outputs a scheme parameter $sp$. On input a scheme parameter string $sp$, a message string $m$, and a random string $r$, the commitment algorithm $\mathrm{Com}$ outputs a commitment string $c$ for the message $m$. The commitment scheme is also used to verify that a given string $c$ is a valid commitment to a message $m$ under the random string $r$, by recomputing $c' = \mathrm{Com}(sp, m; r)$ and checking that $c' = c$. In the following we use the simpler notation $\mathrm{Com}(m; r)$ for $\mathrm{Com}(sp, m; r)$ where $sp$ is understood from the context.

Definition 3 (Hiding): Let $CM$ be a message commitment scheme. $CM$ is hiding if the commitment $c (= \mathrm{Com}(m; r))$ does not leak any information about the message $m$ when $r$ is not given, i.e., the message $m$ is semantically secure.

Definition 4 (Relaxed-binding): Let $CM$ be a message commitment scheme and $A = (A_1, A_2)$ be a probabilistic polynomial-time Turing machine. After a commitment $c$ to a message $m_1$ chosen by $A_1$ has been produced under a truly random string $r_1$, $A_2$ tries to find a new message $m_2 (\ne m_1)$ and a matching random string $r_2$ such that $c = \mathrm{Com}(m_2; r_2)$. $CM$ is relaxed-binding if for any $A$ the probability that $A$ succeeds in finding such a pair is negligible.

4.4.3 Scheme

We describe our proposed scheme based on the idea above. The digitally signed document sanitizing scheme consists of four algorithms: key pair generation, signature generation, document sanitizing, and signature verification.
(1) Key Pair Generation

1. The signer generates a private/public key pair $(sk, pk)$ in the manner of the signature scheme used as a building block.

(2) Signature Generation

1. The signer divides an original document $M$ into $n$ subdocuments $\{M_1, M_2, \ldots, M_n\}$.
2. The signer generates a $k$-bit random number $r_i$ for each subdocument $M_i$ ($1 \le i \le n$), where $k$ is a security parameter. We refer to the concatenation of the subdocument $M_i$ and the random number $r_i$ as the randomized subdocument $R_i (= M_i \| r_i)$.
3. The signer generates $n$ other $2k$-bit random numbers $S_i$ ($1 \le i \le n$). We refer to the random number $S_i$ as the mask data for the subdocument $M_i$. We denote the leftmost and rightmost $k$ bits of $S_i$ by $S_i^L$ and $S_i^R$, respectively.
4. The signer calculates two values $Q_i$ and $P_i$ for each subdocument $M_i$ such that the two points $(0, Q_i)$ and $(3, P_i)$ lie on the line $l_i$ through the two points $(1, c(R_i))$ and $(2, c(S_i))$, where $c(R_i) := \mathrm{Com}(M_i; r_i)$ and $c(S_i) := \mathrm{Com}(S_i^L; S_i^R)$, i.e., $c(R_i)$ is the message commitment to $M_i$ under the random number $r_i$ and $c(S_i)$ is the message commitment to $S_i^L$ under the random number $S_i^R$. Explicitly, $Q_i = 2c(R_i) - c(S_i)$ and $P_i = 2c(S_i) - c(R_i)$. Note: the arithmetic domain in which $l_i$ is taken must be fixed by the implementation; because step 1 of the signature verification divides by 2 when it recomputes $Q_i$ from $R_i$ (as $Q_i = (3c(R_i) - P_i)/2$), the values must be taken over the integers, where $3c(R_i) - P_i = 4c(R_i) - 2c(S_i)$ is always even, or over a field in which 2 is invertible.
5. The signer generates a signature $SIGN$ on the concatenation $Q_1 \| Q_2 \| \cdots \| Q_n \| P_1 \| P_2 \| \cdots \| P_n$ with the signer's private key $sk$.
6. The signed original document for the original document $M$ is the set of the signature $SIGN$, the randomized subdocuments $\{R_i\}_{i=1}^n$ (each $R_i$ contains the subdocument $M_i$), the masks $\{S_i\}_{i=1}^n$, and the auxiliary points $\{P_i\}_{i=1}^n$. The closure configuration sets for the conditions “Sanitized (masked),” “Disclosed and additional sanitizing is allowed,” and “Disclosed and additional sanitizing is prohibited” are respectively $C = \emptyset$, $DA = \{i \mid 1 \le i \le n\}$, and $DB = \emptyset$.

(3) Document Sanitizing

1. A sanitizer assigns one of the following three disclosure conditions to each subdocument $M_i$ ($i \in DA$) of the signed original document (or of a document sanitized by another sanitizer).
   a. Sanitized (masked)
   b. Disclosed and additional sanitizing is allowed
   c. Disclosed and additional sanitizing is prohibited
   The disclosure condition configuration sets are updated as follows, according to the condition assigned to $M_i$ ($i \in DA$):
   $C := C \cup \{i \mid \text{(a) is selected for } M_i\}$
   $DA := DA \setminus \{i \mid \text{(a) or (c) is selected for } M_i\}$
   $DB := DB \cup \{i \mid \text{(c) is selected for } M_i\}$
2. The sanitized signed document is the set of the signature $SIGN$, the randomized subdocuments $\{R_i\}_{i=1}^n \setminus \{R_i\}_{i \in C}$, the masks $\{S_i\}_{i=1}^n \setminus \{S_i\}_{i \in DB}$, and the auxiliary points $\{P_i\}_{i=1}^n$.

(4) Signature Verification

1. If $R_i$ is in the signed sanitized document, the verifier calculates the value $Q_i$ such that the point $(0, Q_i)$ is on the line $l_i$ through the two points $(1, c(R_i))$ and $(3, P_i)$. If $S_i$ is in the signed sanitized document, the verifier calculates the value $Q_i$ such that the point $(0, Q_i)$ is on the line $l_i$ through the two points $(2, c(S_i))$ and $(3, P_i)$. (When both $R_i$ and $S_i$ are present, as for a portion in $DA$, the two calculations must yield the same $Q_i$; a verifier should reject the document otherwise, since an inconsistent mask would leave a subsequent sanitizer unable to produce a verifiable document.)
2. The verifier verifies the signature $SIGN$ on the concatenation $Q_1 \| Q_2 \| \cdots \| Q_n \| P_1 \| P_2 \| \cdots \| P_n$ with the signer's public key $pk$.

4.5 Security Evaluation

4.5.1 Privacy

Proposition 1: The proposed scheme is indistinguishable.

Proof. The information about a sanitized subdocument $M_i$ consists of the mask $S_i$, the auxiliary point $P_i$, and the signature $SIGN$. This is equivalent to information about $S_i$, the commitment $c(R_i)$ of $R_i$, and $SIGN$, because the pair of points $(2, c(S_i))$, $(3, P_i)$ and the pair of points $(1, c(R_i))$, $(3, P_i)$ define the same line $l_i$. Since the mask $S_i$ is generated independently of the corresponding subdocument $M_i$, it suffices to show that it is infeasible for an attacker to obtain information about the subdocument $M_i$ from the commitment $c(R_i)$ and $SIGN$. This has been proven as Theorem 1 (2) in [6].

4.5.2 Unforgeability

Proposition 2: The proposed scheme is unforgeable.

Proof. We show that if an attacker $A_{DSDSS}$ against the proposed scheme succeeds in forging a signed document with non-negligible probability, then there exists either an attacker $A_{DS}$ against the standard signature scheme or an attacker $A_{COM}$ against the message commitment scheme that succeeds with non-negligible probability.

We construct an attacker $A_{DS}$ against the standard signature scheme by using an attacker $A_{DSDSS}$ against the proposed scheme as follows. $A_{DS}$ runs the key pair generation algorithm of the standard signature scheme, which is the same as that of the proposed scheme, and then runs $A_{DSDSS}$ with the public key $pk$. If $A_{DSDSS}$ queries the signing oracle of the proposed scheme with a document $M^{(j)}$ and closure configuration sets, $A_{DS}$ answers by simulating the signature generation and document sanitizing algorithms of the proposed scheme by itself, except for step 5 of the signature generation algorithm. That step is simulated by querying the signing oracle of the standard signature scheme with the message $Q_1^{(j)} \| \cdots \| Q_n^{(j)} \| P_1^{(j)} \| \cdots \| P_n^{(j)}$ calculated from $M^{(j)}$. Finally,
$A_{DSDSS}$ outputs a forged signed document, i.e., the set of the signature $SIGN^*$, the randomized subdocuments $\{R_i^*\}_{i=1}^n \setminus \{R_i^*\}_{i \in C}$, the masks $\{S_i^*\}_{i=1}^n \setminus \{S_i^*\}_{i \in DB}$, and the auxiliary points $\{P_i^*\}_{i=1}^n$. $A_{DS}$ calculates $T^* = Q_1^* \| Q_2^* \| \cdots \| Q_n^* \| P_1^* \| P_2^* \| \cdots \| P_n^*$ from the forged document in the same way as the verification algorithm of the proposed scheme. If $T^*$ has not been queried to the signing oracle of the standard signature scheme, the pair $(T^*, SIGN^*)$ is a valid forged signature for the standard signature scheme. Thus,

$$\Pr[\mathrm{Succ}(A_{DS})] \ge \Pr[\mathrm{Succ}(A_{DSDSS}) \wedge \mathrm{NewT}] = \Pr[\mathrm{Succ}(A_{DSDSS})] - \Pr[\mathrm{Succ}(A_{DSDSS}) \wedge \neg\mathrm{NewT}] \qquad (1)$$

where $\mathrm{Succ}(A_{DS})$ and $\mathrm{Succ}(A_{DSDSS})$ denote the events that the attacker $A_{DS}$ succeeds in producing a forged signature $(T^*, SIGN^*)$ and that the attacker $A_{DSDSS}$ succeeds in producing a forged signed document, respectively, and $\mathrm{NewT}$ denotes the event that $T^*$ has not been queried to the signing oracle of the standard signature scheme. Since information about $Q_i^*$ and $P_i^*$ is equivalent to information about $c(R_i^*)$ and $c(S_i^*)$, the event $\mathrm{Succ}(A_{DSDSS}) \wedge \neg\mathrm{NewT}$ means that there exists $(i, j)$ ($1 \le i \le n$, $1 \le j \le q_s$) such that either $R_i^{(j)} \ne R_i^*$ and $c(R_i^{(j)}) = c(R_i^*)$, or $S_i^{(j)} \ne S_i^*$ and $c(S_i^{(j)}) = c(S_i^*)$.

Now we construct an attacker $A_{COM} = (A_1, A_2)$ against the message commitment scheme by using $A_{DSDSS}$ as follows. $A_1$ runs the key pair generation algorithm in the same way as the proposed scheme, chooses $(\beta, \alpha, \gamma) \in \{1, \ldots, q_s\} \times \{1, \ldots, n\} \times \{0, 1\}$ uniformly at random, and then runs $A_{DSDSS}$ with the public key $pk$. When $A_{DSDSS}$ makes its $j$-th query to the signing oracle of the proposed scheme, $A_1$ answers by simulating the signature generation and document sanitizing algorithms of the proposed scheme by itself. When $j = \beta$, $A_1$ outputs $M_\alpha^{(\beta)}$ (if $\gamma = 0$) or $S_\alpha^{L(\beta)}$ (if $\gamma = 1$). The attack experiment chooses the random number $r_\alpha^{(\beta)}$ (or $S_\alpha^{R(\beta)}$) and computes the commitment $c(R_\alpha^{(\beta)})$ (or $c(S_\alpha^{(\beta)})$). Then $A_1$ runs $A_2$ on input $c(R_\alpha^{(\beta)}), r_\alpha^{(\beta)}$ (or $c(S_\alpha^{(\beta)}), S_\alpha^{R(\beta)}$). $A_2$ completes the answer to $A_{DSDSS}$'s $\beta$-th query with these values and answers all subsequent queries by simulation in the same way as $A_1$. Finally, $A_{DSDSS}$ outputs a forged signed document, i.e., the set of the signature $SIGN^*$, the randomized subdocuments $\{R_i^*\}_{i=1}^n \setminus \{R_i^*\}_{i \in C}$, the masks $\{S_i^*\}_{i=1}^n \setminus \{S_i^*\}_{i \in DB}$, and the auxiliary points $\{P_i^*\}_{i=1}^n$. $A_2$ outputs $R_\alpha^*$ (if $\gamma = 0$) or $S_\alpha^*$ (if $\gamma = 1$) as the collision corresponding to $R_\alpha^{(\beta)}$ or $S_\alpha^{(\beta)}$, respectively. We thus obtain the following inequality:

$$\Pr[\mathrm{Succ}(A_{COM})] \ge \frac{1}{2 \cdot q_s \cdot n} \cdot \Pr[\mathrm{Succ}(A_{DSDSS}) \wedge \neg\mathrm{NewT}] \qquad (2)$$

where $\mathrm{Succ}(A_{COM})$ denotes the event that the attacker $A_{COM}$ succeeds in producing a collision for the message commitment scheme. From (1) and (2), the following inequality holds:

$$\Pr[\mathrm{Succ}(A_{DS})] + 2 \cdot q_s \cdot n \cdot \Pr[\mathrm{Succ}(A_{COM})] \ge \Pr[\mathrm{Succ}(A_{DSDSS})] \qquad (3)$$

This shows that if an attacker $A_{DSDSS}$ against the proposed scheme succeeds in forging a signed document with non-negligible probability, then either an attacker $A_{DS}$ against the standard signature scheme or an attacker $A_{COM}$ against the message commitment scheme that succeeds with non-negligible probability exists.
5. Conclusion
In this paper we focused on the digital document sanitizing problem that arises in the public release of digital information. We classified the conventional schemes proposed as solutions to this problem according to whether or not they allow additional sanitizing, and pointed out the problem with each type: schemes that allow additional sanitizing are vulnerable to the additional sanitizing attack, and schemes that do not have limited utility. We then described a new digitally signed document sanitizing scheme that solves the problems limiting the use of the conventional schemes. By introducing “legitimate mask data,” a sanitizer using our scheme can assign one of the following three disclosure conditions to each subdocument of a document being sanitized: sanitized; disclosed, with additional sanitizing allowed; or disclosed, with additional sanitizing prohibited.

Acknowledgement

The authors would like to thank Prof. Yuliang Zheng of the University of North Carolina at Charlotte, USA, for his helpful comments. The authors also would like to thank the anonymous reviewers for their helpful comments.
Kunihiko Miyazaki was born in Kanagawa, Japan on November 16, 1973. He received B.S. and M.S. (Mathematical Sciences) degrees from the University of Tokyo in 1996 and 1998, respectively. He has been engaged in research on information security and cryptography at Systems Development Lab., Hitachi Ltd. since 1998. He has also been a Ph.D. student at the University of Tokyo since April 2003. He is a member of IPSJ.
Mitsuru Iwamura received a B.A. in Economics from the University of Tokyo in 1974 and a Doctor of Science in Information Studies from Waseda University in 2002. He worked at the Bank of Japan from 1974 to 1997. Since January 1998, he has been engaged in the study of the Information Society and Electronic Commerce, and also of Financial Systems, as a Professor of the Graduate School of Asia-Pacific Studies, Waseda University.
Tsutomu Matsumoto was born in Maebashi, Japan, on October 20, 1958. He received the Dr. Eng. degree from the University of Tokyo in 1986, and since then his base has been Yokohama National University, where he is enjoying research and teaching in the field of cryptography and information security as a Professor in the Graduate School of Environment and Information Sciences. He is a member of the Cryptography Research and Evaluation Committee of Japan and chairs the CRYPTREC Cryptographic Module SubCommittee. He is on the board of the International Association for Cryptologic Research. He served as the general chair of ASIACRYPT 2000. He is a member of the IEICE Technical Group on Information Security and of the IPSJ Special Interest Group on Computer Security. He received the Achievement Award from the IEICE in 1996.
Ryoichi Sasaki received his B.S. degree in health science and Ph.D. degree in system engineering from the University of Tokyo in 1971 and 1981, respectively. From April 1971 to March 2001, he was engaged in research and research management on systems safety, network management and information security at the Systems Development Laboratory of Hitachi Ltd. Since April 2001, he has been a Professor in the School of Engineering, Tokyo Denki University, engaged in research and education on information security. He received the Best Paper Award and Best Author Award of the Institute of Electrical Engineering Society of Japan in 1983 and 1998, respectively. He also received the Best Paper Award from the Information Processing Society of Japan in 2002. He is a member of IEEE, the Institute of Electrical Engineering Society of Japan, and the Information Processing Society in Japan, among others. He is a Director and Fellow of the Information Processing Society in Japan. In addition, he is the representative of IFIP TC11. His authored books include “Information Science” (NihonRikoshuppankai, 1995, in Japanese), “Internet Security” (Ohmusha, 1996, in Japanese), and “Introduction to Internet Security” (Iwanamishinsho, 1999, in Japanese). He is a member of the CRYPTREC committee held by METI and MGAM, and a member of the Security Related Technology Promotion Committee of IPA (Information-technology Promotion Agency, Japan).
Hiroshi Yoshiura received B.S. and D.Sc. degrees from the University of Tokyo, Japan, in 1981 and 1997. He joined Hitachi, Ltd. in 1998 and until March 2003 was a Senior Research Engineer in the company’s Systems Development Laboratory. He is currently an Associate Professor in the Department of Human Communications, the Faculty of Electro-Communications, the University of Electro-Communications. He has been engaged in research on information security and copyright protection technologies. He is a member of the IPSJ and JSAI.
Satoru Tezuka received B.S. and Ph.D. degrees from Keio University, Japan, in 1984 and 2000. In 1984 he joined Hitachi, Ltd. and has been engaged in research on information security, public key infrastructure, and copyright protection. He is now a Senior Research Manager in the Systems Development Laboratory, Kawasaki, Japan.
Hideki Imai was born in Shimane, Japan on May 31, 1943. He received the B.E., M.E., and Ph.D. degrees in electrical engineering from the University of Tokyo in 1966, 1968 and 1971, respectively. From 1971 to 1992 he was on the faculty of Yokohama National University. In 1992 he joined the faculty of the University of Tokyo, where he is currently a Full Professor in the Institute of Industrial Science. His current research interests include information theory, coding theory, cryptography, spread spectrum systems and their applications. From IEICE (the Institute of Electronics, Information and Communication Engineers) he received Best Book Awards in 1976 and 1991, Best Paper Awards in 1992, 2003 and 2004, the Yonezawa Memorial Paper Award in 1992, the Achievement Award in 1995, the Inose Award in 2003, and the Distinguished Achievement and Contributions Award in 2004. He also received the Golden Jubilee Paper Award from the IEEE Information Theory Society in 1998, and official Commendations from the Minister of Public Management, Home Affairs, Posts and Telecommunications in June 2002 and from the Minister of Economy, Trade and Industry in October 2002. He was awarded an honorary doctoral degree by Soonchunhyang University, Korea in 1999 and Docteur Honoris Causa by the University of Toulon Var, France in 2002. He was elected an IEEE Fellow in 1992 and an IEICE Fellow in 2001. He chaired several committees of scientific societies and organized many international conferences such as IEEE-ITW, IEEE-ISIT, AAECC, PKC, FSE, and WPMC. He served as the leader of research projects supported by JSPS (Japan Society for the Promotion of Science), IPA (Information-technology Promotion Agency, Japan) etc. and as the editor for scientific journals of IEICE, IEEE etc. Dr. Imai was on the board of IEICE (1992–1994, 1996–1999), the IEEE Information Theory Society (IT-SOC, 1993–1998), the Japan Society of Security Management (1988–present) and the Society of Information Theory and Its Applications (SITA, 1981–1997). He served as the president of SITA (1997), the IEICE Engineering Sciences Society (1998–1999) and the IEEE Information Theory Society (2004–present), and as the chairman of CRYPTREC (Cryptography Techniques Research and Evaluation Committee of Japan) (2000–present).