Conventionally, as a technology to verify the authenticity of a digital document, techniques employing a digital signature have been provided. These digital signature techniques append digital signatures to electronic documents to enable the author of an electronic document to be authenticated and the validity of the electronic document to be determined, thereby guaranteeing the authenticity of the electronic document.
On the other hand, though such digital signature techniques are very useful in terms of preventing tampering by an unauthorized user, a problem exists in terms of practical use of the electronic document. For example, if an electronic document is edited, the authenticity of the electronic document is not guaranteed after editing.
Therefore, even when information that should not be disclosed or unnecessary information is included in an electronic document, the electronic document cannot be edited, e.g., the information cannot be deleted, a factor significantly reducing usability. Accordingly, a technique that enables the editing of an electronic document and verification of the authenticity of the edited electronic document is desired.
For example, a technique has been provided in which an electronic document is divided into partial documents, the partial documents respectively are designated for disclosure or nondisclosure, where the partial documents designated for nondisclosure are blacked out (see, for example, Miyazaki, Kunihiko; Iwamura, Mitsuru; Matsumoto, Tsutomu; Sasaki, Ryoichi; Yoshiura, Hiroshi; Satoru, Tezuka; and Imai, Hideki; “A Digital Document Sanitizing Scheme with Disclosure Condition Control”, Proceedings of the 2004 Symposium on Cryptography and Information Security). Use of this blacking-out signature technique guarantees the integrity of the portions to be disclosed and the confidentiality of the portions that are not to be disclosed (blacked out portions) in the electronic document.
Moreover, a technique has been provided in which an electronic document is divided into partial documents, a digital signature is appended each of the partial documents, the partial documents respectively are designated for disclosure or nondisclosure, where the partial documents designated for nondisclosure are deleted (see, for example, Japanese Laid-Open Patent Publication No. 2006-60722 and Miyazaki, Kunihiko; Hanaoka, Goichiro; and Imai, Hideki; “Digitally Signed Document Sanitizing Scheme from Bilinear Map”, Proceedings of the 2005 Symposium on Cryptography and Information Security). Use of this extraction signature technique guarantees the integrity of the portions to be disclosed and the confidentiality of the portions that are not to be disclosed (deleted portions) in the electronic document.
FIG. 19 is a diagram of exemplary conventional digital signature techniques. As depicted in FIG. 19, an original document 1900 is divided into partial documents 1901, 1902, and 1903 (for example, into pages) and a digital signature 1904 is appended with respect to the entire original document 1900.
A blacked out document 1910 is that obtained by blacking out sensitive portions of the original document 1900, e.g., the partial documents 1901 and 1903, according to the technique described by Miyazaki, et al in “A Digital Document Sanitizing Scheme with Disclosure Condition Control” cited above herein. The authenticity of the partial document 1902, the portion to be disclosed, is verifiable according to the digital signature 1904.
Further, an extracted document 1920 is that obtained by extracting the partial document 1902 from the original document 1900 according to the technique recited in Japanese Laid-Open Patent Publication No. 2006-60722 or the technique described by Miyazaki, et al in “Digitally Signed Document Sanitizing Scheme from Bilinear Map” cited above. The authenticity of the partial document 1902, the portion to be disclosed, is verifiable according to the digital signature 1904.
However, with the conventional digital signature techniques above, an electronic document can be subject to only one of the processes, the blacking out process or the deleting process (extracting process). Therefore, a mixture of partial documents to be blacked out and partial documents to be deleted cannot be designated in the same electronic document, thereby resulting in a problem of reduced usability.
For example, assuming that the original document 1900 depicted in FIG. 19 is minutes of a governmental agency, the partial document 1901 (the first page) includes a list of meeting attendees, the partial document 1902 (the second page) includes the main contents of the meeting, and the partial document 1903 (the third page) includes a list of delinquent taxpayers.
If the blacked out document 1910 is disclosed, although a viewer is unable to identify the specific contents of the first page and the third page, the viewer can conjecture that some information is included in the portions before and after the main contents of the meeting described on the second page in the original document 1900.
Therefore, even if the partial documents 1901 and 1903 including sensitive information are blacked out, the viewer can infer the presence of some information based on the portions blacked out. Thus, a problem has arisen in that the confidentiality of the blacked out document 1910 as a whole cannot be completely ensured.
Meanwhile if the extracted document 1920 is disclosed, the viewer is unable to know the existence of the first page and the third page and, therefore, the viewer is unable to identify the specific contents of the partial documents 1901 and 1903.
However, for example, it may be desirable to indicate the existence of the delinquent taxpayers by leaving the third page, in which case personal information, such as names, on the third page should be concealed. Nonetheless, according to this technique, the entire third page is deleted from the extracted document 1920. That is, in the extracted document 1920, the partial documents 1901 and 1903 can be sanitized only by deletion and, therefore, a problem has arisen in that information to be disclosed is also deleted.