1

Digitally Signed Document Sanitizing Scheme Based on Bilinear Maps

Kunihiko Miyazaki , Goichiro Hanaoka , Hideki ImaiASIACCS’06, March 21–24, 2006, Taipei, Taiwan

Adviser: 鄭錦楸 , 郭文中 教授 Reporter: 林彥宏

2

Outline

IntroductionPreliminariesDigitally signed Document Sanitizing Scheme Based on Bilinear MapsModifications and ExtensionsConclusions

3

Introduction

protect documents from alteration by malicious attackersdigital document sanitizing problemcurrent digital signature schemes cannot assure both the confidentiality and integrity of a document

4

Introduction

Content extraction signatureR. Steinfeld, L. Bull, and Y. Zheng. ; ICISC 2001, volume 2288 of LNCSextracted signature on selected portions extracted from the original documents

Sanitizable signatureG. Ateniese, D. H. Chou, B. de Medeiros, and G. Tsudik ;ESORICS 2005, volume 3679 of LNCSuses the chameleon hash function instead of an usual hash function

5

Introduction

Digitally Signed Document Sanitizing Scheme with Disclosure Condition Control

K. Miyazaki, M. Iwamura, T. Matsumoto, R. Sasaki, H. Yoshiura, S. Tezuka, and H. Imai ; IEICE Fundamentals, Vol. E88-A, No.1, 2005SUMI-5, that protects documents from additional sanitizingthree disclosure conditions:

1. Sanitized2. disclosed and additional sanitizing is allowed3. disclosed and additional sanitizing is prohibited

6

Motivation of Work

sanitizing should be invisibleno one should be able to determine whether or not the disclosed document has been sanitized

7

Our Contribution

propose a digitally signed document invisible sanitizing scheme with disclosure condition controlSUMI-5, disclosure condition:

Sanitized: sanitized document that consists of only the legitimate mask datadisclosed and additional sanitizing is allowed: both the original document and the legitimate mask datadisclosed and additional sanitizing is prohibited: only the original document

8

Our Contribution

legitimate mask data can be used to count up how many masks appear in a sanitized documentAggregate and Verifiably Encrypted Signatures from Bilinear Maps

D. Boneh, C. Gentry, B. Lynn, and H. Shacham ; In Eurocrypt 2003, volume 2656 of LNCSallow to aggregate all of the individual signatures into one aggregate signaturehelpful to hide the number of sanitized portion of the document

9

Preliminaries

Security Definition: proposed scheme has the following three properties

Privacy: verifier is difficult to retrieve sanitized information about subdocuments of the documentUnforgeability: It is difficult for everyone to generate a signed and sanitized document that has not been signed beforeInvisibility: verifier is difficult to know how many and whether the document has been sanitized

niiM 1 ][ tssubdocumen ofset unorder of consists

, Mdocument original

10

Aggregate Signature

scheme based on bilinear maps

T

T

GGGee

ggG G

GG , gg

p , G , GG

21

1221

2121

21

: map atenondegenerbilinear computable a is

)( with tofrom misomorphis computable a is

and of generatorsly respective are

order prime of groups cyclic tivemultiplica are

abba , gge , gge

Za , b

)()( 2121

11

Aggregate Signature

Key Generation:

Signing:

Verification:

PPR

x

ZZx

Gvgv

x, iskey secret

, iskey public suser' 22

1

*

is signature the

; )(

1 , 0 message a

Gσ

hσMHh

Mx

validityis signature the)()( if ; )(

) ( receiveverifier

2 h , veσ , geMHh

v , M , σ

12

Aggregate Signature

Aggregation:

Aggregate Verification:1

1

1

, signature aggregatecomputer

signature a provides user each

to1 from ranging index user

Gσσ

GσUu

Uki

k

ii

ii

k

iiiii

i

ii

, vheσ , geUkiMHh

M

, vσ , M

12 )()( ifaccept and ,1for )(computer 2.

otherwisereject and distinct, all are message that theensure 1.

)(

),(...),(),(),(...),(),(

),(...),(),(),...(),...(

221122221

22221221221

21

2121

kkx

kxx

xk

xxxk

xxk

vhevhevheghegheghe

gheghegheghhhegek

kk

13

Digitally signed Document Sanitizing Scheme Based on Bilinear Maps

(SANI)

(DASP)

(DASA)

14

Detailed Description of Scheme

Key Generation:

Signing:

xgvx 2 iskey public and iskey private ssigner'

][||:][~

, :]0[~

)(IDDocument :number random

)1( ][t subdocumen

iMDIDiMDIDM

DID

niiM

n

ii

xiii

σ

hσiMhh

0

: signature aggregatecomputer

then , ])[~

(

) , , , ][~

(Output

)1( setscondition disclosure

ii

i

CiM

niDASAC

15

Detailed Description of Scheme

Sanitizing:

documentinput from remove :""condition if-

doucmentinput from and , ][~

remove

then, :""condition if-

DASA

, ][t subdoucmeneach toconditions disclosure assignssanitizer

)][~

( receivessanitizer

i

DASP

C σiM

SANI

C

iM

, C , σ, σ iM

ii

i

i

ii

)1( , ,

where)0(][~

document signed sanitizedoutput

niCσ

n nni iM

ii

16

Detailed Description of Scheme

Verification:

DASAC where v), h e()g , (

)()( , ])[~

(

0][~

in toequal are s all

ii2

02

i

n

iii

e

, vheσ , geiMHh

MDIDDID

17

Security Analysis

Indistinguishable: no information about sanitized portions of the document remains in the sanitized documentUnforgeable: attacker cannot forge a signature for a document M that has not been signed beforePerfectly Invisible: attacker cannot distinguish the input document is signed and sanitized

18

Modifications and Extensions

Binding Subdocuments:ensure a subsequent sanitizer cannot sanitize two individually but can both be sanitized togetherassign another condition “bound” to any two subdocument

Multiple Signers:sanitizer can merge documents signed by different signers into a document

jijiji DASACCjMiM , , such that ][ ],[

19

Modifications and Extensions

20

Conclusions

Sanitizer can hide the number of sanitized portions.

Assign a different disclosure condition for each portion of the document.

Their scheme is suitable for application for log files archiving.