1. Sanitizable and Deletable Signature
Tetsuya Izu, Noboru Kunihiro, Kazuo Ohta, Makoto Sano, and Masahiko Takenaka
WISA 2008, LNCS 5379, pp. 130–144, 2009.
Adviser: 鄭錦楸 ,郭文中 教授
Reporter: 林彥宏

2. Outline Introduction 1 Preliminaries 2 Proposed Schemes 3 Comparison 4
Concluding Remarks 3 5

3. Introduction sanitizable signature was introduced in 2001
Steinfeld, R., Bull, L., Zheng, Y.: Content Extraction Signatures. In: Kim, K.-c. (ed.) ICISC LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002)
deletable signature was introduced in 2006
Miyazaki, K., Hanaoka, G., Imai, H.: Digitally Signed Document Sanitizing Scheme Based on Bilinear Maps. In: 1st ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS 2006), pp. 343–354. ACM Press, New York (2006)
Contribution of this Paper
introduce the sanitizable and deletable signature
revisers, are allowed to sanitize or delete subdocuments for hiding partial information
SDS1 and SDS2

4. Preliminaries
G1, G2, GT are multiplicative cyclic groups with order p (prime)
g1, g2 are generators of G1, G2
Computational Diffie-Hellman (CDH) problem in these groups are hard
e be a bilinear map from G1 × G2 to GT : e(ua, vb)=e(u, v)ab, u G1, v G2
(Non-degeneracy) , e(g1, g2) ≠1
H0:{0, 1}*→ {0, 1}l H : {0, 1}*→ G2

5. Preliminaries BGLS’s aggregate signature
Boneh, D., Gentry, G., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
KeyGen: ski←Z/pZ , pki←g2ski ,(ski , pki) G1
Sign: σi ←H(Mi) ski G1
Agg: σ’ ← σ × σi G1
AggVerify:
Diffie–Hellman problem (DH problem): given g and the values of gx and gy, what is the value of gxy
co-CDH problem: given g1, g1a G1 and h G2, compute ha

6. Preliminaries
co-DDH: decision problem to determine whether a = b or not from given g1, g1a G1 and h, hb G2
Sanitizable Signature
replaces Mi by H0(Mi)
it was hard to delete the subdocument Mi
Deletable Signature
deleters: allowed to delete subdocuments for hiding partial information
Miyazaki, K., Hanaoka, G., Imai, H.: Digitally Signed Document Sanitizing Scheme Based on Bilinear Maps. In: 1st ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS 2006), pp. 343–354. ACM Press, New York (2006)

7. Preliminaries σ1 σ2 σ3 σ1 Signer Deleter Verifier M[1] M[2] M[3] M[1]
SANI ：
update σ ← σ/ σ2
remove M[2] & σ2
DASP ：
remove σ3
DASA ：
M[3] nothing to do
M[1]
→h1x
→σ1
M[2]
→h2x
→σ2
M[3]
→h3x
→σ3
e(h1, v) ×e(h3, v) =
e(h1, g2x) ×e(h3, g2x) =
e(h1x, g2) ×e(h3x, g2) =
e(σ1, g2) ×e(σ3, g2) =
e(σ1 × σ3 , g2) =
e(σ , g2)

8. Proposed Schemes consider order of subdocument Mi ← ID||IDi||Mi
σ i ← H(ID||IDi||H0(Mi))sk, sanitizing subdocument was replaced by (ID||IDi||H0(Mi))

9. Proposed Schemes
Subdocument Status: SDS1, SDS2

10. Proposed Schemes SDS1 σ { Mi, σ, σi } σ ← σ/ σ3 Delete M3 & σ3× =
{ Mi, σ, σi }
σ ← σ/ σ3
Delete M3 & σ3
Delete σ0

11. Proposed Schemes
the sanitized subdocument is updated by its hash value, it is infeasible to recover the subdocument
for deleted subdocuments, it entirely hard to recover the subdocument

12. SDS2 uses two aggregate signatures σ and τ
Proposed Schemes
SDS2 uses two aggregate signatures σ and τ
SDS2 supports six status SPDP, SADP, SDP, SADA, SDA and D
H(ID||IDi||H0(Mi)||0)sk
H(ID||IDi||H0(Mi)||1)sk

13. Proposed Schemes

14. Proposed Schemes

15. SADA SPDP SDP SADP SDA 刪除σi與 τi SPDP 刪除σi 刪除τi SDP Mi ←H(Mi) SDP
Mi ←H(Mi), 更新σ ← σ/ σi ,移除σi與 τi
SDA
SDP
Mi ←H(Mi)刪除σi
Mi ←H(Mi)
SDP
更新σ ← σ/ σi ,移除σi與 τi

16. Comparison
the efficiency is not better than previous schemes. Especially,SDS2 requires much signatures than other schemes.

17. Concluding Remarks
This paper proposes a concept of the sanitizable and deletable signature as a combination of the sanitizable signature and the deletable signature.
Constructing a scheme in which all subdocument status (including SPDA) will be a next task.
Another task is to reduce the number of signatures in the proposed schemes.

18. Thank You !