JP2006060722A - Certification method for authenticity of electronic document and publication system thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technology to be able to confirm authenticity of an original document after editing the electronic document without changing its electronic signature, keep a length of black painting part secret, and make a condition for simultaneously painting several parts with black ink. <P>SOLUTION: The electronic document is divided into components, and signatures corresponding to individual components and a signature which put these signatures together are given. The signatures corresponding to individual components and the putting-together signature are under a finite group. The putting-together signature is a summation of the signatures corresponding to the individual components under the finite group. When deleting a component A from an electronic document with a signature, an inversed original signature to the component A is put on the put-together signature, the signature to the component A is deleted, and the component A is disclosed, as well as the signature to the component A is deleted in order to make it possible to delete later. When simultaneously deleting the component A and a component B, the signatures to the component A and B are deleted, and signatures gained by putting these signatures are used instead. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a technique for assuring the authenticity of electronic data.

  Conventionally, there is a digital signature (also referred to as digital signature) technique as a technique for guaranteeing the authenticity of electronic data such as an electronic document. (For example, refer nonpatent literature 1).

  In addition, as an issue in the electronic signature technology, it is designed to be able to detect even a 1-bit modification of an electronic document, so it is very useful in terms of protecting the electronic document from tampering by an unauthorized person. From the standpoint of effective use of electronic documents, it has been pointed out that since any processing is not allowed, it can be an obstacle, and as a technology to solve this, it is called Digital Document Sanitizing Scheme Technology is known. (For example, refer nonpatent literature 2).

As a technique for electronic signatures, a technique called Aggregate signature is known, which can combine signatures applied to respective electronic documents by a plurality of signers. (For example, see Non-Patent Document 3)
"Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition" by Bruce Schneier, John Wiley & Sons, (October 18, 1995) Kunihiko Miyazaki, Mitsuru Iwamura, Tsutomu Matsumoto, Ryoichi Sasaki, Hiroshi Yoshiura, Satoru Tezuka, Hideki Imai “Electronic document sanitization technology with controllable disclosure conditions” Proceedings of 2004 Symposium on Cryptography and Information Security, (January 27, 2004 Day) "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps" Advances in Cryptology EUROCRYPT 2003, LNCS2656, Springer Verlag (May 4, 2003) by Don Boneh, Craig Gentry, Ben Lynn, Hovav Shacham

  The current electronic signature technology, which is an important technology that supports the security of electronic documents, is designed so that even a one-bit modification to an electronic document can be detected. This property is very useful in terms of protecting an electronic document from tampering by an unauthorized person, but from the viewpoint of effective use of the electronic document, since no processing is allowed, it can be an obstacle.

  An example of a usage scene that directly illustrates this problem is information disclosure in administrative institutions. For example, the following usage forms of electronic signatures are assumed.

  That is, a document (administrative document) created by a staff member in an administrative organization is stored with an electronic signature attached in order to identify the creator and prevent tampering. When this document is disclosed under the Information Disclosure Law, it will be disclosed after the personal information and national security information described therein are deleted.

  In the conventional digital signature technique listed in Non-Patent Document 1, the authenticity of a document disclosed according to the above-described series of procedures, that is, who is the document creator, and the disclosed document is a document originally created Cannot be confirmed. This is because part of the document is deleted during the information disclosure process. Regardless of whether it is falsified by malicious means or deleted personal information for the protection of privacy information, there is no difference in that some kind of modification has been made to the document to be signed. As a result, the use of conventional digital signature technology cannot satisfy both of the two important security requirements of “guaranteeing the authenticity of published documents” and “protecting privacy information”, and must give up one of them. . Aggregate Signature listed in Non-Patent Document 3 has the feature that multiple signatures can be combined into one signature for each electronic document, but when part of the document is deleted The point that the signature cannot be correctly verified is the same as the conventional digital signature technique described in Non-Patent Document 1.

  Considering that the information disclosure system is a system for fulfilling the accountability (accountability) of administrative agencies, the identity of the original administrative documents, even from the disclosure documents after the deletion of personal information, etc. It is desirable to be able to verify

In the technique described in Non-Patent Document 2, an electronic document sanitization technique is disclosed as a technique for confirming the authenticity of a document after a part has been deleted (sanitized). However, in the technique described in Non-Patent Document 2,
1. The length of the sanitized area can be estimated from the document after sanitization, and it is difficult to hide it.
2. Each component included in the document can be independently sanitized, and it is difficult to condition multiple components to be sanitized at the same time.
There is a problem. The above point 1 is that, for example, when the personal name is sanitized from the viewpoint of privacy protection, the conventional technique described in Non-Patent Document 2 may estimate the number of characters in the name of the sanitized person. This suggests that improvement is desired. In addition, the above two points are, for example, in the case where the name of the same person to be sanitized appears in a plurality of places in one document, and only a certain part is sanitized intentionally or unintentionally, Other parts suggest the possibility of causing a state of not being inked, and an improvement is desired.

  Therefore, it is possible to verify the authenticity of an electronic document that allows appropriate modifications to the document subject to authenticity assurance, in other words, a technology that can verify the authenticity of an original document without changing the original electronic signature after editing the electronic document. Thus, a technique capable of concealing the length of the sanitized area and a technique capable of conditioning so that a plurality of areas are inked simultaneously are desired.

  The present invention provides an electronic document authenticity assurance technique and a document management system that allow appropriate modification of an authenticity assurance target document.

  In one aspect, the present invention provides an electronic signature method that divides an electronic document into constituent elements and assigns an electronic signature to an arbitrary subset of a set including the entire constituent elements.

  According to one aspect of the electronic document authenticity guarantee method of the present invention, an electronic document is divided into constituent elements, and a signature for each of the constituent elements and a signature in which the signatures for the respective constituent elements are collectively provided. It is characterized by doing.

  Further, in the above aspect, the signature for each of the constituent elements and the combined signature are elements of a finite group, and the combined signature is a total product as an element of the finite group of signatures for each of the constituent elements. It is characterized by being.

  In the above aspect, when the generated electronic document with signature is edited, when the component A of the electronic document is deleted, the component A is deleted from the electronic document, and the component is added to the collective signature. When the signature for A is deleted, the signature for the component A is deleted, the component A of the electronic document is disclosed, and a condition is set so that it can be deleted later, the signature for the component A is It is characterized by deleting.

  In the above aspect, when only one of the component A and the component B is deleted from the component A and the component B of the electronic document, the authenticity is set to be lost. The product of the signature for the component A and the signature for the component B is used as a signature for the component C newly generated by combining the component A and the component B. The component B, the signature for the component A, and the signature for the component B are deleted.

According to another aspect of the electronic document authenticity guarantee method of the present invention, the electronic document is divided into components, a binary tree having leaf nodes equal to or more than the number of the components is generated, and the binary Assign a hash value of the component to the leaf node of the tree, and assign dummy data that is a node random number to which the hash value of the component is not assigned among the leaf nodes of the binary tree,
Assign the data that combines the hash value of the lower left leaf node and the hash value of the lower right leaf node to the node one level above the leaf node (on the side closer to the root node), and recursively to the root node Repeatedly, an electronic signature is assigned to the value assigned to the root node.

  In the above aspect, when editing a generated electronic document with a signature, when deleting a component of the electronic document, one or more parts including only the component to be deleted or dummy data as a leaf node Search the tree, and for each of the above sub-trees, add the hash value of the lower left leaf node and the hash value of the lower right leaf node to the node above the leaf node (on the side closer to the root node) Assign, recursively repeat until the root node of each subtree, remove each subtree contained in the binary tree, replace with a new leaf node, and replace the value of the root node of each subtree with a new leaf node It is characterized by assigning to.

  ADVANTAGE OF THE INVENTION According to this invention, even after partial information is deleted, the authenticity guarantee technique of the electronic document which can verify the authenticity of an electronic document and can conceal the length of a deletion part is provided. In addition, an information disclosure system capable of guaranteeing confidentiality of important information such as personal information and authenticity of a disclosed document is provided.

  Embodiments of the present invention will be described below.

  FIG. 1 is a schematic configuration diagram of a system in a plurality of embodiments in which the present invention is applied to an information disclosure system. In the following, an information disclosure system of an administrative organization is taken as an example, but the present invention can be similarly applied to an information disclosure system in an organization or an individual other than an administrative organization.

  As shown in the figure, this system includes the original document creator device 102, the document management device 103, and the disclosed document creator device 104, which are used by the staff of the administrative agency on the information disclosure side via the network 101. The receiver device 105 used by the general public on the information disclosure requesting side and the verification side is connected.

  In the following embodiments, the original document creator device 102, the document management device 103, the disclosed document creator device 104, and the recipient device 105 used by the general public are used by the staff of the administrative organization. Although an example of being connected to the same network 101 has been described, a different connection form may be used. For example, the original document creator device 102, the document management device 103, and the disclosed document creator device 104, which are used by the staff of the administrative organization, are connected to the local government's local area network (LAN), and The LAN may be connected to the network 101 to which the receiver device 105 used by the general public is connected via a gateway server. When such a connection form is adopted, the LAN of the administrative institution can be protected from attacks such as unauthorized access from the external network 101 by the gateway server, which is preferable from the viewpoint of information security.

  The original document creator device 102 creates an administrative document (document created for the job) as electronic data by an original document creator who is an employee of an administrative organization, and gives an electronic signature to the created administrative document. This is used to request a signed administrative document from the document management apparatus 103. In the following description of each form, the administrative document to which the original document creator applies a signature is hereinafter referred to as the original document 106. In each of the following forms, an example in which an original document is created and a signature is attached to the original document 106 is shown in the original document creator device. However, unlike this, the original document is created and the original document is created. The original document 106 may be transferred between these apparatuses using the network 101 or a portable storage medium.

  In response to a request from the original document creator apparatus 102, the document management apparatus 103 stores the signed original document 107 created by the original document creator apparatus 102. In response to a request from the disclosed document creator device 104, the signed original document 107 to be disclosed, which has been stored in advance, is transmitted to the disclosed document creator device 102. In addition, when receiving a storage request from the original document creator device 102 and when receiving a disclosure target document transmission request from the disclosure document creator device 104, it is possible to perform access control by performing appropriate user authentication processing, etc. It is preferable from the viewpoint of information security.

  The disclosure document creator device 104 receives an information disclosure request by an operation of a general citizen who is a user of the recipient device 105, searches for a disclosure target document according to the information disclosure request, and is the disclosure target document. The document management apparatus 103 is requested to transmit the signed original document 107. Next, from the viewpoint of protecting personal information and information related to national secrets among information included in the original document 107 with a signature received from the document management apparatus 103 by the operation of the operator of the disclosed document creator apparatus 104. Then, a disclosure document 108 from which information inappropriate for disclosure is removed (ie, painted in black) is created, and the created disclosure document is disclosed to the recipient apparatus 105.

  At this time, if the signature attached to the original document 106 is a signature generated by a conventional digital signature technique, even if “deletion of information inappropriate for publication” is performed, the original document 106 is illegally altered. As in the case where there is, the result of verification failure is the result of signature verification. Also, with the conventional electronic document sanitization technique, signature verification succeeds, but no consideration is given to concealing the length of the sanitized part. In each embodiment, a new electronic signature technique that can be verified even after inappropriate information deletion and that can keep the length of the sanitized portion concealed is applied.

  The method of publishing may be arbitrarily designed, for example, by sending it by e-mail or uploading it to a Web server operated by an administrative organization or other organization. In the case of the method of uploading to the Web server, there is an advantage that even the general public other than the user of the recipient device 105 who has requested information disclosure can view the published information.

  In each embodiment, information disclosure request reception from the general public, disclosure target document search, disclosure target document request to the document management apparatus 103, disclosure document 108 creation, disclosure document 108 disclosure are the same disclosure. Although an example performed in the document creator device 105 is shown, it may be different. For example, an information disclosure request from the general public, a search for a disclosure target document, and a request to the document management apparatus 103 for a disclosure target document are performed on a different device from the disclosure document creator device 105, and the disclosure document 108 Creation and disclosure of the disclosed document 108 may be performed by the disclosed document creator device 105.

  The recipient device 105 is used by a general citizen, who is a user, to request information disclosure from an administrative institution and verify the authenticity of the disclosed document 108 released as a result. The recipient device 105 transmits information necessary for specifying the disclosure target document to the disclosure document creation device 104 and requests information disclosure. Further, it is verified whether or not the contents of the disclosed disclosure document 108 and the original document 106 are the same except for the part removed from the viewpoint of information protection.

  In addition, the recipient device 105 displays or prints the disclosed disclosure document 108 in an inked state so that the user can browse.

  In each embodiment, an example in which the information disclosure request and the authenticity verification of the disclosed document 108 are performed by the same recipient device 105 is shown, but this may be different. For example, the information disclosure request may be performed by a device different from the recipient device 105, and the authenticity verification of the disclosed document 108 disclosed as a result may be performed by the recipient device 105.

  FIG. 2 is a diagram showing a schematic configuration of the original document creator apparatus 102 in each of the following forms.

  The original document creator device 102 reads data from the CPU 201, the RAM 202 functioning as a work area of the CPU 201, the external storage device 203 such as a hard disk device, and the portable storage medium 205 such as a CD-ROM or FD. A device 204, an input device 206 such as a keyboard and a mouse, a display device 207 such as a display, a communication device 208 for communicating with other devices via a network, and data transmission / reception between the above-described components. It can be constructed by an electronic computer 210 having a general configuration, which includes an interface 209 that governs it.

  Stored in the external storage device 203 of the original document creator device 102 are an original document creation PG (program) 221, a signature generation PG (program) 222, and a document storage request PG (program) 223. These programs are loaded on the RAM 202 and are embodied by the CPU 201 as processes of an original document creation processing unit 241, a signature generation processing unit 242, and a document storage request processing unit 243, respectively. In addition, data (original document 106, signature-added original document 107, signature private key 211) and the like which are input / output of each processing unit are stored. The signature private key 211 is required to be particularly strictly managed from the viewpoint of security. Therefore, the data may be stored in a tamper-resistant device different from the external storage device storing other data.

  The document management device 103, the disclosed document creator device 104, and the recipient device 105 also have the same configuration as the original document creator device 102. However, a document storage PG (program) 224 and a disclosure target document transmission PG (program) 225 are stored in the external storage device of the document management apparatus 103, and an original document with a signature requested to be stored is stored. In addition, the external storage device of the disclosure document creator device 104 includes an information disclosure request reception PG (program) 226, a disclosure target document search PG (program) 227, a disclosure target document request PG (program) 228, a disclosure location determination PG ( (Program) 229, disclosure document creation PG (program) 230, and disclosure document release PG (program) 231 are stored. The external storage device of the recipient device 105 stores an information disclosure request PG (program) 232 and a disclosed document verification PG (program) 233.

  In the following description of each embodiment, each program is stored in the external storage device 203 in advance. However, when necessary, the Internet is another storage medium such as an FD or CDROM or a communication medium. The network may be introduced into the external storage device 203 or the RAM 202 via the external interface via a network or a digital signal propagating through the network or a carrier wave.

  FIG. 3 is a flowchart showing an outline when an administrative document that is an original document is created and stored in the document management apparatus in each of the following embodiments. In the stage of creating and storing an original document, when a request for disclosure of information is received in the future, which part of the document stored in the document management apparatus is information to be disclosed and which part is stored. It is not always possible to determine whether the information should not be disclosed. In general, it is considered that there are many cases that cannot be determined. Note that the name of the program that performs the processing of the step is shown in parentheses in each step.

Original document creation / storage flow:
(Processing of original document creator apparatus 102)
301: Beginning 302: Creating an original document (original document creation PG 221)
303: Generate signature for created original document (signature generation PG222)
304: Send original document with signature to document management apparatus 103 and request registration (document storage request PG223)
(Processing of the document management apparatus 103)
305: Register received original document with signature (document storage PG 224)
306: End FIG. 4 is a flowchart showing an outline when information is disclosed in response to a request for information disclosure from the general public in each of the following forms. Note that the name of the program that performs the processing of the step is shown in parentheses in each step.

Information disclosure flow:
(Processing of Recipient Device 105)
401: First.
402: In order to request information disclosure to the disclosure document creator device 104, information that can specify the range of information desired to be disclosed is transmitted (information disclosure request PG232).
(Processing of Disclosure Document Creator Device 104)
403: Receive information specifying the range of information desired to be disclosed (information disclosure request reception PG 226), search for a document to be disclosed based on the information specifying the range (disclosure target document search PG 227), and document management device The document is requested to 103 (disclosure target document request PG228).
(Processing of the document management apparatus 103)
404: Send the requested signed original document to be disclosed to the disclosed document creation apparatus 104 (disclosed target document transmission PG 225).
(Processing of Disclosure Document Creator Device 104)
405: Confirm the contents of the received original document with a signature in accordance with a predetermined information disclosure policy, determine an appropriate location for disclosure (disclosure location decision PG229), and disclose personal information and information related to national secrets, etc. A disclosure document subjected to a non-disclosure process for preventing inappropriate information from leaking is created (disclosure document creation PG 230), and the disclosure document is transmitted to the receiver device 105 (disclosure document disclosure PG 231).
(Processing of Recipient Device 105)
406: The authenticity of the received disclosure document is verified (disclosure document verification PG233).
407: End.

  In the information disclosure system outlined above, special attention should be paid to both ensuring the authenticity of the disclosed document and deleting information inappropriate for disclosure.

  If the disclosed document is always in the same operation form as the original document, the original document creator applies a well-known digital signature technology and pre-signs the original document. The authenticity of the document (in this case, the same data as the original document) can be confirmed by applying a known electronic signature verification technique.

  However, in the information disclosure system described in this embodiment, the original document and the disclosed document are not always the same. This is because the original document may contain information that is inappropriate to disclose at the time of information disclosure (eg, information related to personal privacy, information that should not be disclosed due to national security). Therefore, these pieces of information need to be removed (ie, painted) from the disclosed document. From the point of view of information disclosure such as sanitization in this case, even if it is a change to the original document that is considered appropriate or essential, the publicly known digital signature technology is subject to alteration by a malicious third party As with, only the result of “cannot be verified” is obtained.

  Accordingly, there is a need for a new electronic document authenticity assurance technique that can both ensure the authenticity of a disclosed document and delete information inappropriate for disclosure.

The properties desired for the electronic document authenticity assurance technique in this embodiment are summarized in the following two.
(Characteristic 1) The information originally contained in the sanitized portion of the sanitized document is not leaked. (Property 2) An electronically signed document that has been subjected to an unauthorized modification other than sanitization. Inability to forge a document Note that property 1 is not only easy to estimate the information of the sanitized part, but also that the estimation result is correct even if the information of the sanitized part is estimated. It shall also include that it cannot be used as a judgment material. Also, note that property 2 does not mean that all modifications such as sanitization are allowed. As will be described later, in the electronic document authenticity assurance technique according to the present embodiment, permitted sanitization and disallowed sanitization can be set.

  In this embodiment, a plurality of methods that can be applied as techniques for assuring the authenticity of an electronic document that satisfies the above properties are disclosed.

  First, the first embodiment will be described. In order to explain how it is implemented, a signature generation PG 222 that operates on the original document creator device 102, a disclosed document creation PG 230 that operates on the disclosed document creator device 104, and a disclosed document that operates on the recipient device 105 Details of the verification PG 233 will be described.

  In the first embodiment, an electronic document authenticity guarantee technique is configured using a signature technique called an aggregate signature. Therefore, in order to explain the first embodiment, first, Aggregate Signature will be explained.

  Aggregate signature is an electronic signature technique characterized by being able to combine signatures applied to respective electronic documents by a plurality of signers. The outline of each process of key generation, signature generation, aggregation, and signature verification in aggregate signature is as follows. Hereinafter, G_1, G_2, and G_T are assumed to be a cyclic group having a prime order p. The generators of G_1 and G_2 are g_1 and g_2. Let phi be an isomorphism that can be computed from G_1 to G_2, and phi (g_1) = g_2. Let e be a computable, non-degenerate bilinear map from G_1 × G_2 to G_T. Examples of groups and bilinear maps that are considered to satisfy such properties include groups generated by rational points on elliptic curves, and maps called Weil pairing and Tate pairing defined there. ing.

  (Key generation) Each signer U_i generates a random number x_i from 0 to p-1 and calculates v_i = g_1 ^ x_i. x_i becomes U_i's private key and v_i becomes the public key. Where a ^ b represents a to the power of b.

  (Signature generation) When each signer U_i generates a signature for the message M_i, it first calculates h_i = h (M_i), and then calculates Sig_i = h_i ^ x_i. Sig_i is a signature for the message M_i of the signer U_i. Here, h is a hash function that receives a message of arbitrary length and outputs the element of G_2.

  (Aggregation) When the messages Sig_ {j_1},... Sig_ {j_k} are aggregated, Sig = Sig_ {j_1} ×... × Sig_ {j_k} is calculated. Sig is an aggregated signature of Sig_ {j_1} ,,, Sig_ {j_k}.

  (Signature verification) When verifying (aggregated) signature Sig for message M_ {j_1} ,,, M_ {j_k}, e (g_1, Sig) = e (v_ {j_1}, h_ {j_1}) ×・ ・ Confirm that xe (v_ {j_k}, h_ {j_k}). Here, h_i = h (M_i).

FIG. 5 is a diagram showing a processing flow of the signature generation PG 222 according to the first embodiment.
501: First.
502: The original document is divided into constituent elements (hereinafter referred to as blocks). As for how to define the components, for example, it may be determined as one component for each byte from the beginning of the original document, or like a document described using XML (eXtensible Markup Language) If it is a pre-structured document, its minimum components may be used. Hereinafter, the original document is regarded as a column of N blocks, and this is represented as M_1,.
503: For each N block that is an original document, a signature is generated using the secret key x of the original document creator in accordance with the signature generation method of the aggregate signature (N signatures Sig_1, Sig_N are generated) become).
504: Aggregate N signatures generated by the original document creator. This is expressed as Sig. Data including the original documents M_1,,, M_N, the signatures Sig_1,,, Sig_N, and the aggregated signature Sig is defined as a signed original document.
505: End.

FIG. 6 is a diagram showing a processing flow of the disclosed document creation PG 230 according to the first embodiment.
601: First.
602: A block including information inappropriate for disclosure is searched from the signed original document to be disclosed. Let this be M_ {j_1} ,, M_ {j_k}.
603: Sig = Sig / (Sig_ {j_1} ×... × Sig_ {j_k}). (Note that the updated Sig is an aggregate of signatures for blocks of the original document other than M_ {j_1} ,,, M_ {j_k})
604: An original document block other than M_ {j_1},... M_ {j_k} and data composed of Sig, which is an aggregated signature corresponding to the partial sequence, are used as a disclosure document.
605: End FIG. 7 is a diagram showing a processing flow of the disclosed document verification PG 233 according to the first embodiment.
701: Beginning.
702: Disclosure document (data consisting of block of original document other than M_ {j_1} ,,, M_ {j_k} and Sig which is an aggregated signature corresponding to the partial sequence), and public key of original document creator Using v, verify according to the verification procedure of the aggregate signature, and output the verification result. Note that the public key of the original document creator used for verification may be sent from the disclosed document creator apparatus 104 together with the disclosed document, for example, or from the original document creator apparatus 102 as necessary. It may be made available. It is desirable that the public key can be used with a public key certificate issued by applying a publicly known PKI (Public-key infrastructure) technology and confirming that it is an original document creator.
703: End The following describes that the electronic document authenticity guarantee technique (first embodiment) satisfies the above (Property 1) (Property 2).

  In the first embodiment, the disclosed document is composed of a partial sequence of the original document and the signature of the original document creator with respect to the partial sequence, and includes data of a non-disclosed (ie, sanitized) portion. Absent. Therefore, (Property 1) is satisfied. It also satisfies (Property 2) from the safety of the aggregate signature (difficulty of tampering).

  Furthermore, according to the first embodiment, it is difficult to estimate the length of the sanitized portion from the document after sanitization. This is because the disclosed document does not include the non-disclosure (i.e. sanitized) data in the original document. Therefore, since it is impossible to deny the possibility that the original document has been painted in blocks from the disclosed document, it is not known how many blocks have been painted.

  By the way, the disclosed document configured according to the first embodiment described above cannot be additionally sanitized. A second embodiment will be described in which this is improved so that additional sanitization permission / non-permission can be set.

  In the second embodiment, it is possible to set permission / non-permission of additional sanitization by changing the disclosed document creation processing as follows.

  Such a technique capable of controlling the permission / non-permission of sanitization is effective, for example, when there are a plurality of disclosure document creators and the responsibilities are different. For example, the creator of the first disclosure document may make additional disclosure disapproval after making a judgment on disclosure of his / her responsibility, and allow disclosure and additional sanitization outside the scope of his / her responsibility. If set, the second and subsequent disclosure document creators can similarly make a disclosure determination for each area of responsibility.

FIG. 8 is a diagram showing a processing flow of the signature generation PG 222 according to the second embodiment.
801: First.
802: A random number DID is generated as a document ID for identifying a signature target document, and a document information block M_0 including the DID is generated. M_0 may further include meta information for the document such as a document name, a creator name, and usage conditions. However, information that will not be disclosed in the future should not be included.
803: The original document is divided into constituent elements (hereinafter referred to as blocks). As for how to define the components, for example, it may be determined as one component for each byte from the beginning of the original document, or like a document described using XML (eXtensible Markup Language) If it is a pre-structured document, its minimum components may be used. Hereinafter, the original document is regarded as a column of N blocks, and data obtained by concatenating each block and the document ID DID is represented as M_1,.
804: For each of the document information block and the original document N block, a signature is generated by using the secret key x of the original document creator according to the signature generation method of the aggregate signature (N + 1 signatures Sig_0, Sig_1,. Sig_N will be generated).
805: Aggregate N + 1 signatures generated by the original document creator. This is expressed as Sig. Data including the document information block M_0, the original documents M_1,..., M_N, the signatures Sig_1,, and Sig_N, and the aggregated signature Sig is defined as a signed original document.
806: End.

FIG. 9 is a diagram showing a processing flow of the disclosed document creation PG 230 according to the second embodiment. In the second embodiment, there may be a plurality of disclosure document creators. In that case, each disclosure document creator may execute the disclosure document creation PG sequentially. At this time, the disclosed document creator executed later can be sanitized within the range of the conditions set by the previous disclosed document creator.
901: The beginning.
902: A block including information inappropriate for disclosure from the signed original document to be disclosed (or a block permitted to be additionally sanitized in a disclosure document created by another disclosure document creator). Search. Let this be M_ {j_1} ,, M_ {j_k}.
903: Search for blocks that allow additional sanitization from among the disclosed blocks. Let this be M_ {i_1} ,, M_ {i_n}. However, the set {j_1 ,,, j_k} and the set {i_1 ,,, i_k} do not have a common part.
904: Sig = Sig / (Sig_ {j_1} ×... × Sig_ {j_k}). (Note that the updated Sig is an aggregate of signatures for blocks of the original document other than M_ {j_1} ,,, M_ {j_k})
905: An original document block other than M_ {j_1},, M_ {j_k}, an Sig that is an aggregated signature corresponding to the partial sequence, and a Sig_ that is a signature for a block that permits additional sanitization Data consisting of {i_1} ,,, Sig_ {i_n} is a disclosure document.
906: End Before the disclosure document creation PG 230 shown in FIG. 9 is processed, the disclosure document creator device performs the following disclosure document verification PG 233 so that the disclosure document creator can perform another disclosure. It is desirable to verify the disclosed document created by the document creator, and to perform the disclosed document creation PG 230 when the verification is successful.

FIG. 10 is a diagram showing a processing flow of the disclosed document verification PG 233 according to the second embodiment.
1001: Beginning.
1002: Confirm that the document information block M_0 is included in the disclosed document. If not included, a verification failure is output and the process ends.
1003: Confirm that DID included in document information block M_0 is also included in all original document blocks (blocks of original documents other than M_ {j_1} ,,, M_ {j_k}) included in the disclosed document To do. If not included, a verification failure is output and the process ends.
1004: When the disclosed document includes a signature Sig_i for each original document block, the public document v of the original document creator is used to verify that Sig_i is a valid signature for M_i. If even one of the verifications fails, a verification failure is output and the process ends.
1005: The aggregate signature Sig for the disclosed document is verified according to the verification procedure of the aggregate signature using the original document creator's public key v, and the verification result is output. Note that the public key of the original document creator used for verification may be sent from the disclosed document creator apparatus 104 together with the disclosed document, for example, or from the original document creator apparatus 102 as necessary. It may be made available. It is desirable that it is possible to confirm that the public key belongs to the original document creator. For example, it is desirable that a public key certificate issued by applying a publicly known PKI (Public-key infrastructure) technique can be used with a public key certificate that can be confirmed to be an original document creator.
1006: End.

  According to the second embodiment described above, the disclosure document creator (sanitizer) (1) sanitizes each block, (2) discloses and permits additional sanitization. (3) Three disclosure conditions can be set: disclosure and disallowing additional sanitization. In addition, other disclosure document creators (sanitizers) who have received this disclosure-conditional disclosure document, “(2) Disclose and allow additional sanitization among the blocks included in the disclosure document. The above three disclosure conditions can be further set for the block for which the condition “is set”. This is repeated recursively, and the final disclosure document creator will either “(1) Sanitize” or “(3) Disclose and disallow additional sanitization” for each block. The final disclosure document obtained by this series of operations can be confirmed for authenticity while the inappropriate disclosure is made undisclosed (sanitized), and the final It is possible to detect alterations (including sanitization) made after creating a publicly disclosed document. This is desirable for information disclosure of administrative documents.

  In the second embodiment, three disclosure conditions can be set for each block, but the condition setting is independent for each block. On the other hand, there are cases where it is desired to associate a plurality of blocks with a condition. For example, if the same character string (person name, etc.) is included in different blocks in the same document, it is desirable that the disclosure / non-disclosure judgments for these blocks be the same. However, when the condition is set independently, for example, it is possible to make only one block undisclosed and the other to be disclosed. Therefore, a description will be given of a third embodiment improved so that a plurality of blocks can be associated with each other for conditioning.

  In the third embodiment, by changing the disclosed document creation process as follows, a plurality of blocks can be associated with each other and can be conditioned.

FIG. 11 is a diagram showing a processing flow of the disclosed document creation PG 230 according to the third embodiment. In the third embodiment, there may be a plurality of disclosed document creators as in the second embodiment. In that case, each disclosure document creator may execute the disclosure document creation PG sequentially. At this time, the disclosed document creator executed later can be sanitized within the range of the conditions set by the previous disclosed document creator.
1101: Beginning.
1102: A block including information inappropriately disclosed from the original document with a signature to be disclosed (or a block permitted to be additionally sanitized in a disclosure document created by another disclosure document creator). Search. Let this be M_ {j_1} ,, M_ {j_k}.
1103: Search for blocks that allow additional sanitization among the disclosed blocks. Let this be M_ {i_1} ,, M_ {i_n}. However, the set {j_1 ,,, j_k} and the set {i_1 ,,, i_k} do not have a common part.
1104: Sig = Sig / (Sig_ {j_1} ×... × Sig_ {j_k}). (Note that the updated Sig is an aggregate of signatures for blocks of the original document other than M_ {j_1} ,,, M_ {j_k})
1105: A set {M_ {s_1} ,,, M_ {s_t}} of blocks to be associated with each other is retrieved from M_ {i_1},, M_ {i_n}. Sig_ {s_1 ,,, s_t} = Sig_ {s_1} × ... × Sig_ {j_k}, and then a new set of blocks {M_ {s_1} ,,, M_ {s_t}} Considering the block M_ {s_1 ,,, s_t}, Sig_ {s_1 ,,, s_t} is used as a signature for the block M_ {s_1 ,,, s_t}. If there are a plurality of sets of blocks to be associated with each other, the same processing is repeated for each set.
1106: The entire disclosed block, Sig which is an aggregated signature corresponding to the entire disclosed block, and Sig_ {i_1},, which is a signature for a block which allows additional sanitization of the disclosed blocks Data consisting of Sig_ {i_n} is a disclosure document.
1107: The end.

  FIG. 12 is a diagram schematically showing the state of the disclosed document obtained by executing the disclosed document creation PG shown in FIG. The original document created by the original document creator 1201 includes blocks M_0 to M_6 (1210 to 1216), signatures Sig_1 to Sig_6 (1221 to 1226) for each block, and a signature Sig (1230) obtained by aggregating the signatures. ing. Based on this, the disclosed document created according to the third embodiment includes signatures Sig_1 (1221) and Sig_4 (1224) for each of the associated blocks, that is, M_1 (1211) and M_4 (1214). The signature Sig_ {1,4} (1240) for the set of associated blocks is included. Therefore, other disclosure document creators who have received this disclosure document can sanitize the entire set of associated blocks, but individually inspect each block included in the associated block set. Cannot be painted (ie if individually painted, it will not be possible to construct a properly verified (aggregated) signature).

  According to the third embodiment described above, after a part of a signed electronic document is sanitized, the original document can be verified without changing the original electronic signature. There is provided a technique that can conceal the length of the part and can condition the plurality of places to be inked simultaneously.

  In each of the above-described embodiments, the case where there is only one original document creator (signer) has been described as an example. However, the present invention is not limited to this, and the present invention is also applicable to cases where there are a plurality of signers. .

  FIG. 13 shows a technique for verifying the authenticity of an original document without changing the original electronic signature after sanitizing a part of the signed electronic document shown in the third embodiment. Schematic representation of the original document and the disclosed document when applying the technology that can conceal the length of the painted area and condition the multiple areas to be sanitized at the same time. FIG.

  In each of the above embodiments, the administrative document has been described, but here, medical information is shown as an example. Specifically, a plurality of original document creators (signers) are a doctor 1301 and a nurse 1302, respectively, and are included in each of the electronic medical record 1310 created by the doctor 1301 and the temperature measurement table 1311 created by the nurse. Based on the first disclosure document creator associated with the “patient name” and the first disclosure document created by the first disclosure document creator 1303, the disclosure document in which the “disease name” is sanitized for the patient 1305 In this example, there is a second disclosure document creator 1304 that creates and discloses a disclosure document in which “patient name” is painted out for the pharmaceutical company 1306. According to the method shown in the third embodiment, since a plurality of blocks can be associated, for example, the second disclosure document creator 1304 is written in the electronic medical record 1310 created by the doctor 1301 with respect to the pharmaceutical company 1306. However, it is possible to prevent an undesirable disclosure in which the patient name is blacked out, but the patient name recorded in the temperature measurement table 1311 created by the nurse 1302 is not blacked out.

  In each of the embodiments described above, the authenticity assurance method for an electronic document configured using an aggregate signature has been described. However, other methods can be used without changing the original electronic signature after sanitizing the electronic document. It is possible to configure a technique that can confirm the authenticity of the original document and that can conceal the length of the sanitized portion.

FIG. 14 is a diagram illustrating a processing flow of the signature generation PG 222 according to the fourth embodiment.
1401: Beginning.
1402: Same as step 502.
1403: A binary tree having N or more leaf nodes is randomly generated.
1404: For each of the N blocks, data that combines the block data and the random number generated for the block (this is called a block with random numbers) is generated.
1405: A hash value of a block with a random number is randomly assigned to each leaf node of the binary tree. Dummy data (random numbers) is assigned to leaf nodes to which a block with random numbers has not been assigned.
1406: Data obtained by combining the hash value of the lower left leaf node and the hash value of the lower right leaf node is assigned to a node immediately above the leaf node (side closer to the root node). This is recursively repeated until reaching the root node.
1407: A signature is generated for the value assigned to the root node (the signature may use a known electronic signature technique).
1408: The data defining the binary tree structure, the value of each leaf node (random number block or dummy data), and the signature value generated in step 1407 are output as an original document with a signature.
1409: End.

FIG. 15 is a diagram illustrating a processing flow of the disclosed document creation PG 230 according to the fourth embodiment.
1501: Beginning.
1502: A block including information inappropriate for disclosure is searched from the original document with signature to be disclosed.
1503: A subtree (a plurality of subtrees) including only these inappropriately disclosed blocks or dummy blocks as leaf nodes is searched, and the value of the root node of each subtree is calculated in the same manner as in step 1406.
1504: From the data defining the structure of the binary tree included in the original document, the part of the partial tree searched in step 1503 is removed, and data defining the structure of the new binary tree is created. Further, the calculated value of the root node of the subtree is set as the value of the leaf node of the binary tree from which the subtree has been removed (considered as new dummy data).
1505: Output data defining the structure of a newly created binary tree, the value of each leaf node (random number block or dummy data), and the signature value included in the signed original document as a disclosure document.
1506: End.

FIG. 16 is a diagram showing a processing flow of the disclosed document verification PG 233 according to the fourth embodiment.
1601: First.
1602: The value of the root node is calculated in the same manner as in step 1406.
1603: It is verified whether or not the given signature value is correct as the signature for the value of the root node (a known signature verification technique corresponding to the signature generation method used in step 1407 may be used).
1604: End.

  According to the present embodiment, since the dummy data prepared in advance (step 1405) and the dummy data calculated in the process of the disclosure document creation PG 230 (step 1504) cannot be distinguished, how many blocks are painted. , The effect that can be lost.

  In each of the above-described embodiments, the non-disclosure portion is disclosed as being blacked out, that is, blacked out. However, the non-disclosure process may be performed by other methods.

  In addition, although each said embodiment demonstrated mainly the administrative document, it is not limited to this, It is applicable to various electronic documents for which the appropriate modification of a signature object part may be desired after a signature is given. .

  Further, the present invention is not limited to electronic documents, and more generally can be applied to digital data such as image data, moving image data, and music data. In this case, the block may be set appropriately according to the structure of each digital data.

It is a schematic block diagram of the network system which implement | achieves 1st Embodiment. It is a schematic block diagram of the computer which implement | achieves the original document creator apparatus 102 in 1st Embodiment. It is a figure explaining the flow at the time of the original document preparation and storage in 1st Embodiment. It is a figure explaining the flow at the time of information disclosure in a 1st embodiment. It is a figure showing a processing flow of signature generation PG222 according to the 1st embodiment. It is the figure which showed the processing flow of the disclosure document preparation PG230 according to 1st 1st Embodiment. It is the figure which showed the processing flow of the disclosure document verification PG233 according to 1st 1st Embodiment. It is the figure which showed the processing flow of signature generation PG222 according to 2nd Embodiment. It is the figure which showed the processing flow of the disclosure document preparation PG230 according to 2nd Embodiment. It is the figure which showed the processing flow of the disclosure document verification PG233 according to 2nd Embodiment. It is the figure which showed the processing flow of the disclosure document preparation PG222 according to 3rd Embodiment. It is the figure which demonstrated typically the mode of the disclosure document produced according to 3rd Embodiment. It is the figure which demonstrated typically the mode of the disclosed document produced according to 3rd Embodiment when there exist several signers. It is the figure which showed the processing flow of signature generation PG222 according to 4th Embodiment. It is the figure which showed the processing flow of the disclosure document preparation PG230 according to 4th Embodiment. It is the figure which showed the processing flow of the disclosure document verification PG233 according to 4th Embodiment.

Explanation of symbols

101: Network, 102: Original document creator device, 103: Document management device, 104: Disclosure document creator device, 105: Recipient device, 106: Original document, 107: Original document with signature, 108: Disclosure document

Claims (6)

A method for guaranteeing the authenticity of an electronic document,
Divide electronic documents into components,
A method for guaranteeing the authenticity of an electronic document, comprising: providing a signature for each component and a signature obtained by combining the signatures for each component. A method for guaranteeing authenticity of an electronic document according to claim 1,
Further, the signature for each of the constituent elements and the combined signature are elements of a finite group, and the combined signature is a total product as an element of a finite group of signatures for each of the constituent elements. A method for guaranteeing the authenticity of electronic documents. An electronic document authenticity guarantee method according to claim 2,
In addition, when editing the generated signed electronic document,
When deleting the component A of the electronic document, delete the component A from the electronic document, multiply the combined signature by the inverse element of the signature for the component A, delete the signature for the component A,
An electronic document authenticity guarantee method, comprising: disclosing the component A of the electronic document and setting a condition so that the component A can be deleted later. An electronic document authenticity guarantee method according to claim 3,
Furthermore, when only one of the component A and the component B is deleted with respect to the component A and the component B of the electronic document, the authenticity of the component A is set to be lost. The product of the signature and the signature for the component B is a signature for the component C newly generated by combining the component A and the component B, and the component A and the component B Deleting the signature for the component A and the signature for the component B;
A method for guaranteeing the authenticity of an electronic document. A method for guaranteeing the authenticity of an electronic document,
Divide electronic documents into components,
Generating a binary tree having leaf nodes equal to or greater than the number of components;
Assign a hash value of the component to a leaf node of the binary tree,
Of the leaf nodes of the binary tree, assign dummy data that is a node random number to which the hash value of the component is not assigned,
Assign the data that combines the hash value of the lower left leaf node and the hash value of the lower right leaf node to the node one level above the leaf node (on the side closer to the root node), and recursively to the root node repetition,
An electronic signature is given to the value assigned to the root node.
A method for guaranteeing the authenticity of an electronic document. An electronic document authenticity guarantee method according to claim 5,
In addition, when editing the generated signed electronic document,
When deleting a component of the electronic document, search for one or more subtrees including only the component to be deleted or dummy data as a leaf node,
For each of the subtrees, a data obtained by combining the hash value of the lower left leaf node and the hash value of the lower right leaf node is assigned to a node immediately above the leaf node (side closer to the root node). Recursively iterates to the root node of each subtree,
A method for assuring the authenticity of an electronic document, comprising: removing each subtree included in a binary tree and replacing it with a new leaf node, and assigning a value of a root node of each subtree to the new leaf node.

Images