JP2010049214A - Encryption device, decryption device, cryptography verifying device, encryption method, decryption method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption technique which can reduce the size of data while restraining increase in processing time in a public key cryptosystem, which has basis of safety on discrete logarithm problem on a sub-group of a multiplication group. <P>SOLUTION: An encryption device compresses some cryptography components of the respective cryptography components of a cryptography (c1, c2) and generates the other cryptography components at the same time. Meanwhile, a decryption device expands the compressed cryptography components of the respective cryptography components of the cryptography (c1, c2) and performs various operations such as exponentiation and multiplication using the non-compressed cryptography components or already expanded cryptography components and a private key at the same time to thereby obtain a plaintext. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an encryption device, a decryption device, a ciphertext verification device, an encryption method, a decryption method, and a program according to an encryption method that bases security on the discrete logarithm problem of a multiplicative group on a finite field.

  There is a method using encryption in order to protect the information flowing through the communication path. Some methods using encryption require a key to be shared in advance with a communication partner. Such a method requires a great deal of time for key sharing and management. On the other hand, in the method using public key cryptography, secure communication can be realized without sharing a key in advance. For this reason, it is widely used as a basic technology for network security. In addition, with the diversification of information terminals, various schemes and protocols using public keys have been used in small devices by devising methods and implementations.

  Some public-key cryptosystems, such as ElGamal cipher and Cramer-Shoop cipher, use the difficulty of the discrete logarithm problem as the basis of security. The discrete logarithm problem is a problem of finding x satisfying ‘y = g ^ x’ when ‘yεG’ is given in the cyclic group ‘G = <g>’. Note that '^' represents a power. As the cyclic group G, a multiplicative group of a finite field or an additive group (Jacobi group) formed by rational points of an elliptic curve is used. Algorithms that solve discrete logarithm problems can be applied to discrete logarithm problems defined on any cyclic group, such as Shank's algorithm or Pollard's rho method, and finite numbers like order calculation methods. Some are applicable only to discrete logarithm problems defined on field multiplicative groups.

  Since the order calculation method is efficient, public key cryptography using the discrete logarithm problem on the multiplicative group of finite fields is easily deciphered. Therefore, in order to ensure the same security, public key cryptography using the discrete logarithm problem on the multiplicative group of finite fields is more key length and ciphertext length than public key cryptography using the discrete logarithm problem on the elliptic curve. Need to be larger.

  Currently, typical security parameters in public key cryptography are 1024 bits to 2048 bits. The security parameter is a parameter that determines the public key size and the ciphertext size, and is a parameter that affects the security of the encryption method. As this security parameter increases, the public key size and ciphertext size also increase. Security parameters that are difficult to decipher are increasing year by year. This is because the attacker's ability improves with the progress of computers. In public key cryptography, the public key size and ciphertext size differ depending on the encryption method, but are several times the security parameters.

  Therefore, a method for compressing the public key size and ciphertext size in public key cryptography has been proposed (see, for example, Non-Patent Document 1). This method is based on the fact that using a subset called an algebraic torus out of a set of numbers used in public key cryptography, the components of the set can be expressed with a small number of bits. When the degree n of the extension field to which the algebraic torus belongs is the product of l of at most two prime numbers p and q 'l = (p ^ m) · (q ^ n)', the compression rate (= the number of bits before compression) / (Number of bits after compression) is known to be 'l / φ (l)'. Here, φ (·) is an Euler function. p ^ m is the mth power of p. The conversion to a representation with a small number of bits is performed by a mapping ρ that converts the extended field representation into a projective representation and a mapping τ that converts the projection representation into an affine representation. A specific example in the case of compressing a ciphertext is shown. Calculation is performed using the ciphertext c of the expanded field representation as an input to obtain a compressed ciphertext γ (see Equation 1).

ρ (c) = γ (Formula 1)

  To return to the original representation of the number of bits, inverse mappings of ρ and τ may be calculated, respectively. The inverse mapping of ρ is written as ψ, and the inverse mapping of τ is written as τ−1. When γ is given as the compressed ciphertext, calculation is performed to obtain c (see Equation 2).

ψτ−1 (γ) = c (Formula 2)

  Further, in Non-Patent Documents 1 and 2, the configuration methods of the compressed maps 1 and 2 and the extended maps 1 and 2 and the mapping ρ6 and the affine representation for compressing the following expanded field representation into the affine representation using them. A method of constructing a map 'ρ6 ^ (-1)' that expands to an expanded field representation is shown. The compression map ρ6 is calculated using an arbitrary element t of the torus T of the extension field representation on the sixth-order extension field F {(p ^ m) ^ 6} as an input, and the affine expression F {p ^ m} × F {p A set with the elements of ^ m} ^ * is obtained (see Equation 3).

ρ6 (t) = (a, b) ∈F {p ^ m} × F {p ^ m} ^ * (Equation 3)

Here, “×” represents a direct product. When A is a set, A ^ m is a direct product set of m A's. For example, “A ^ 3 = A × A × A”. Specifically, for example, '{0, 1, 2} ^ 2 = {(0, 0), (0, 1), (0, 2), (1, 0), (1, 1), (1 , 2), (2, 0), (2, 1), (2, 2)} ′. Here, F {p ^ m} is an m-th order extension field of the prime field F {p}, and the elements of F {p ^ m} are {0,. } ^ M can be expressed as an element. F {p ^ m} ^ * is a multiplicative group of F {p ^ m}, and the elements of F {p ^ m} ^ m are {0,. It is represented by an element of \ {0} ^ m. '\' Represents a set subtraction.
6 ^ (− 1) ′ is calculated using (a, b) εF {p ^ m} × F {p ^ m} ^ * as an input, and a sixth-order extension field F {(p ^ m) ^ 6} The element t of the torus T in the above expanded field representation is obtained (see equation 4).

ρ-1 (a, b) = tεT (Expression 4)

  Further, in Non-Patent Document 2, an extension field expression {0,..., P−1} ^ {6 ^ m} of a torus element on a sixth extension field of F {p ^ m} and a projection expression {0 ,..., P−1} ^ {6 * m} and the affine expression F {p ^ m} × F {p ^ m} ^ *, the configuration of ρ, ψ, τ, and τ−1. Based on this, the mapping of (Equation 3) and (Equation 4) is constructed. At this time, the operations for the expanded field expression and the projective expression are both F {p ^ (6 * m)}. In Non-Patent Documents 1 and 2, the calculation of F {p ^ (6 * m)} is F. It is realized as an operation of {((p ^ m) ^ 3) ^ 2}. An affine element can be expressed with a bit length shorter than that of an extended field expression or projective expression, but cannot be calculated.

  Compression and decompression using an algebraic torus can be applied not only to public keys and ciphertexts in public key cryptography, but also to signatures in digital signatures and exchange messages in key exchange schemes.

  In recent years, various public key cryptosystems based on the difficulty of the discrete logarithm problem have been proposed. For example, the Cramer-Shoup cipher (see Non-Patent Document 3) is a method that has been proven to be secure with a standard model, but has a feature that there are many public key and ciphertext components. Specifically, the ciphertext of the Cramer-Shoup cipher consists of four components (c1, c2, c3, c4), and the public key also includes five components (g, g˜, e, f, h). Moreover, there is a problem in that each component is represented by a larger expression than the group actually used for encryption. In other words, the Cramer-Shoup cipher is defined on the prime order subgroup G of the finite group G˜, but the public key and the components of the ciphertext are represented by the representation of the finite group G˜. Specifically, the Cramer-Shoup cipher is defined by the prime order subgroup of the multiplication group of the prime field, but the public key and the components of the ciphertext are represented by the representation of the prime field.

  In the Cramer-Shoop cipher and other public key ciphers, the public key and the ciphertext are limited by making the group G that is a subgroup of the finite group G ~ and actually used for the cipher to be a subgroup of the algebraic torus T. It is possible to express not by the size of the group G˜ but by the size of the algebraic torus T, that is, by the number of bits smaller than the group G˜. For example, ElGamal encryption and a DH key exchange (see Non-Patent Documents 1 and 4) using an algebraic torus on a prime field use this concept and reduce the size of a public key or ciphertext.

  Here, an outline of the processing of Cramer-Shop encryption will be described. The public key (q, g, g˜, e, f, h) generated by the key generation device is input to the encryption device that encrypts the plaintext m. Note that q is a prime number and the order of the subgroup G of the finite group G˜, g is a generation source of the subgroup G in which the cipher is defined, and g˜, e, f, and h are also elements of the subgroup G. The plaintext m must also be an element of G. The encryption device performs random number generation, power calculation, multiplication, and hash calculation, and calculates ciphertexts (c1, c2, c3, c4) corresponding to the plaintext m. The ciphertext (c1, c2, c3, c4) is input to the decryption device. In addition, a secret key (x1, x2, y1, y2, z1, z2) corresponding to the public key is input to the decryption device. This secret key is an integer from '1' to 'q-1' (or an integer from '0' to 'q-1'). The decryption device uses the secret key (x1, x2, y1, y2, z1, z2) and the ciphertext (c1, c2, c3, c4) to check whether it is a valid ciphertext, and the plaintext m Calculate

K. Rubin and A. Silverberg, “Torus-Based Cryptography”, CRYPTO 2003, LNCS 2729, 349-365, 2003. Robert Granger, Dan Page, Martijn Stam: A Comparison of CEILIDH and XTR. ANTS 2004: 235-249 R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertextattack”, CRYPTO'98, LNCS 1462, pp.13-25, 1998. M. van Dijkand D. Woodruff, “Asymptotically Optimal Communication for Torus-Based Cryptography”, CRYPTO 2004, LNCS 3152, 157-178, 2004.

  However, for example, encryption, decryption, compression, and decompression were considered in a public key cryptosystem based on a discrete logarithm problem on a subgroup of a multiplicative group such as Cramer-Shoup cipher. In this case, the processing is usually performed in a procedure in which data is transmitted after being encrypted and compressed by the encryption device, and the data received by the decryption device is decompressed and decrypted. When such compression is performed by the encryption device, the size of data to be transmitted can be reduced compared to a case where this is not performed, and thus the communication time is reduced, but the processing time is increased. When decompression is performed by the decoding device, the processing time increases as compared with the case where this is not performed.

  The present invention has been made in view of the above, and reduces the size of data while suppressing an increase in processing time in an encryption method based on the safety of a discrete logarithm problem on a subgroup of a multiplicative group. It is an object to provide a possible encryption device, decryption device, encryption method, decryption method, and program.

  In order to solve the above-described problem, the present invention encrypts plaintext by an encryption method based on the safety of the discrete logarithm problem of a multiplicative group on a finite field, and outputs ciphertext including a plurality of ciphertext components. A plaintext receiving unit that receives plaintext, a public key receiving unit that receives a public key including one or more public key components, and a ciphertext using the received plaintext and the public key component A first ciphertext component generating unit that generates at least one first ciphertext component that is a component, and compressing at least one of the first ciphertext components to obtain a first compressed ciphertext component The ciphertext component compression unit to obtain, the received plaintext, the public key component, the first ciphertext component, and the first compressed ciphertext component using at least one or more. A second ciphertext component generation unit for generating two ciphertext components; and at least Characterized in that it comprises a ciphertext output unit for outputting the ciphertext that includes serial first compressed encrypted component and a second cipher text component.

  The present invention also provides a decryption device for decrypting a ciphertext including a plurality of ciphertext components that has been encrypted by an encryption method based on the safety of the discrete logarithm problem of a multiplicative group over a finite field, and obtaining a plaintext. A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed, and one or more secrets corresponding to a public key used for encrypting the ciphertext An intermediate for generating intermediate data used for decryption of the ciphertext using at least one of the received ciphertext component and the secret key component, and a secret key receiving unit that receives a secret key including a key component A data generation unit; a ciphertext component decompression unit that decompresses the compressed ciphertext component into a decompressed compressed ciphertext component expressed in an operable expression; a part of the intermediate data; and the decompressed compressed ciphertext component; , With the ciphertext component Characterized in that it comprises the decoded plaintext generation unit for generating at least using plaintext decoded by or displaced, the decoded plaintext output unit for outputting the decoded plaintext.

  The present invention also provides a decryption device for decrypting a ciphertext including a plurality of ciphertext components that has been encrypted by an encryption method based on the safety of the discrete logarithm problem of a multiplicative group over a finite field, and obtaining a plaintext. A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed, and one or more secrets corresponding to a public key used for encrypting the ciphertext A secret key receiving unit that receives a secret key including a key component, a plaintext calculation unit that calculates a plaintext using at least one of the received ciphertext component and the secret key component, and the received A verification data generation unit that generates verification data for verifying the validity of the ciphertext using at least one of the ciphertext component and the secret key component, the compressed ciphertext component, and the verification For data and at least A validity verification unit that verifies the validity of the ciphertext, and outputs the plaintext when the ciphertext is verified to be valid, and verifies that the ciphertext is invalid. And a decrypted plaintext output unit that outputs that the sentence is not valid.

  The present invention also relates to a ciphertext validity verification device that verifies the validity of a ciphertext that is encrypted by a cryptosystem that has a basis of security for the discrete logarithm problem of a multiplicative group over a finite field and includes a plurality of ciphertext components. A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed, and one corresponding to a public key used for encrypting the ciphertext Using at least one of the secret key receiving unit that receives a secret key including the secret key component and the received ciphertext component and the secret key component, intermediate data used for decrypting the ciphertext is obtained. An intermediate data generation unit to generate, a ciphertext component decompression unit that decompresses the compressed ciphertext component expression into an expanded compressed ciphertext component that is an expression that can be computed, a part of the intermediate data, and the decompressed compression The ciphertext component and the dark A validity verification unit using at least one of the sentences component to verify the validity of the ciphertext, characterized in that it comprises a verification result output unit for outputting a verification result of the validity verifying unit.

  The present invention is also a ciphertext verification apparatus that verifies the validity of a ciphertext that is encrypted by an encryption method that lays the grounds of safety on the discrete logarithm problem of a multiplicative group over a finite field and includes a plurality of ciphertext components. A ciphertext receiving unit that receives a ciphertext containing a compressed ciphertext component in which at least one of the ciphertext components is compressed, and one or more public keys used for encrypting the ciphertext A secret key receiving unit that receives a secret key including a secret key component, a plaintext calculation unit that calculates a plaintext using at least one of the received ciphertext component and the secret key component, and received Using at least one of the ciphertext component and the secret key component, a verification data generation unit that generates verification data for verifying the validity of the ciphertext, the compressed ciphertext component, and the Less data for verification Be used, characterized in that it comprises a validity verifying part for verifying the validity of the ciphertext, the verification result output unit for outputting a verification result of the validity verifying unit.

  Further, the present invention is executed by an encryption apparatus that encrypts plaintext by an encryption method that lays the grounds for safety on the discrete logarithm problem of the multiplicative group over a finite field, and outputs a ciphertext including a plurality of ciphertext components. A plaintext receiving step for receiving a plaintext, a public key receiving step for receiving a public key including one or more public key components, and the received plaintext and public key component. A first ciphertext component generating step for generating at least one first ciphertext component that is a ciphertext component; and compressing at least one of the first ciphertext components to obtain a first compressed ciphertext A first ciphertext component compression step for obtaining a component; at least one of the received plaintext, the public key component, the first ciphertext component, and the first compressed ciphertext component; Is used to generate the second ciphertext component 2 ciphertext component generating step, characterized in that it comprises a ciphertext output step of outputting the ciphertext including at least said first compressed encrypted component and the second ciphertext components.

  Further, the present invention is executed by a decryption device that decrypts a ciphertext including a plurality of ciphertext components that is encrypted by an encryption method based on the safety of the discrete logarithm problem of the multiplicative group over a finite field, and obtains a plaintext. A ciphertext receiving step for receiving a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed, and a public key used for encrypting the ciphertext A secret key receiving step for receiving a secret key including one or more secret key components, and at least one of the received ciphertext component and the secret key component is used for decrypting the ciphertext An intermediate data generation step for generating intermediate data; a ciphertext component decompression step for decompressing the compressed ciphertext component into a decompressed compressed ciphertext component expressed in an expressible expression; a part of the intermediate data; A decrypted plaintext generation step for generating a decrypted plaintext using at least one of the stretched compressed ciphertext component and the ciphertext component; and a decrypted plaintext output step for outputting the decrypted plaintext It is characterized by that.

  In addition, the present invention is a program that causes a computer to execute the above method.

  According to the present invention, it is possible to reduce the size of data while suppressing an increase in processing time in an encryption method that bases security on the discrete logarithm problem on a subgroup of a multiplicative group.

  Exemplary embodiments of an encryption device, a decryption device, a ciphertext verification device, an encryption method, a decryption method, and a program according to the present invention will be described below in detail with reference to the accompanying drawings.

[First embodiment]
(1) Configuration <General Cryptographic Configuration>
A basic configuration for verifying the validity of a ciphertext including a plurality of ciphertext components using a cryptosystem based on the discrete logarithm problem of the multiplicative group over a finite field will be described with reference to FIG. First, the public key component pk included in the public key and the secret key component sk included in the secret key corresponding to the public key component are generated by a key generation device (not shown). The public key component pk is received by the encryption device, and the secret key component sk corresponding to the public key component pk is received by the ciphertext verification device. The encryption device calculates the ciphertext (c1, c2) corresponding to the plaintext m using the public key component pk and outputs it. On the other hand, when the ciphertext verification apparatus 20 receives the ciphertext (c1, c2), it verifies whether the ciphertext (c1, c2) is valid using this and the secret key component sk. Note that if the public key component pk and the plaintext m are compressed expressions, that is, affine expressions (pk *, m *), they are expanded into an expanded field expression and a projected expression before input to the encryption device 10 ( Conversion).

  Next, configurations of the encryption device and the ciphertext verification device according to the present embodiment will be described. Each of the encryption device and the ciphertext verification device includes a control device such as a CPU (Central Processing Unit) that controls the entire device, a ROM (Read Only Memory) that stores various data and various programs, a RAM (Random Access Memory), and the like A storage device, an external storage device such as an HDD (Hard Disk Drive) or a CD (Compact Disk) drive device for storing various data and various programs, and a communication I / F (interface) for controlling communication of the external device, And a bus that connects them, and has a hardware configuration using a normal computer.

<Configuration of encryption device>
Next, various functions peculiar to the present embodiment that are realized when the CPU of the encryption apparatus according to the present embodiment executes various programs stored in the storage device or the external storage device will be described. FIG. 2 is a diagram illustrating a functional configuration of the encryption device according to this embodiment. The encryption device 10 includes a plaintext receiving unit 11, a public key receiving unit 12, a first ciphertext generation unit 13, a ciphertext component compression unit 14, a second ciphertext generation unit 15, and a ciphertext output unit 16. And have. The entities of these units are generated on a storage device such as a RAM when the CPU of the encryption device 10 executes a program.

  The plaintext receiving unit 11 receives plaintext m. The public key receiving unit 12 receives the public key component pk. The first ciphertext generating unit 13 generates a ciphertext component c1 using the plaintext m received by the plaintext receiving unit 11 and the public key component pk received by the public key receiving unit 12. The ciphertext component compression unit 14 converts the ciphertext component c1 generated by the first ciphertext generation unit 13 into an affine expression, and generates a compressed ciphertext component c1 *. That is, in the present embodiment, the encryption device 10 compresses the ciphertext component c1 among the plurality of ciphertext components. At the same time, the second ciphertext generation unit 15 generates a ciphertext component c2 using the ciphertext component c1 generated by the first ciphertext generation unit 13 and the public key component pk received by the public key reception unit 12. The ciphertext output unit 16 outputs the compressed ciphertext component c1 * generated by the ciphertext component compression unit 14 and the ciphertext component c2 generated by the second ciphertext generation unit 15.

<Configuration of ciphertext verification device>
Next, various functions realized when the CPU included in the ciphertext verification apparatus according to the present embodiment executes various programs stored in the storage device or the external storage device will be specifically described. FIG. 3 is a diagram illustrating a functional configuration of the ciphertext verification apparatus according to the present embodiment. The ciphertext verification apparatus 20 includes a ciphertext reception unit 21, a secret key reception unit 22, an intermediate data generation unit 23, a ciphertext component decompression unit 24, a validity verification unit 25, and a verification result output unit 26. Have. Each of these units is generated on a storage device such as a RAM when the program of the CPU of the ciphertext verification apparatus 20 is executed.

  The ciphertext receiving unit 21 receives the ciphertext (c1 *, c2). The secret key receiving unit 22 receives the secret key component sk. The intermediate data generation unit 23 uses the ciphertext component c2 received by the ciphertext reception unit 21 and the secret key component sk received by the secret key reception unit 22 to generate intermediate data k used for decryption of the ciphertext. At the same time as the intermediate data generation unit 23 generates the intermediate data k, the ciphertext component decompression unit 24 decompresses the compressed ciphertext component c1 * received by the ciphertext reception unit 21 into a ciphertext component c1 that is an expanded field representation ( Convert. The validity verification unit 25 verifies the validity of the ciphertext using the intermediate data k generated by the intermediate data generation unit 23 and the ciphertext component c1 expanded by the ciphertext component expansion unit 24. The verification result output unit 26 outputs the verification result of the validity verification unit 25.

(2) Operation <Encryption processing>
Next, the procedure of the encryption process performed by the encryption device 10 according to the present embodiment will be described with reference to FIG. The encryption device 10 receives the public key component pk and the plaintext m, which are public keys, performs calculation using the public key component pk and the plaintext m, and generates a ciphertext component c1 (step ST1). Next, the encryption device 10 compresses (converts) the expression of c1 into an affine expression (step ST2). Subsequently, calculation is performed using the ciphertext component c1 and the public key component pk obtained in step ST1, and a ciphertext component c2 is generated (step ST3).

<Ciphertext verification processing>
Next, the procedure of the ciphertext verification process performed by the ciphertext verification apparatus 20 according to the present embodiment will be described with reference to FIG. The ciphertext verification apparatus 20 receives the ciphertext (c1 *, c2) and the secret key component sk included in the secret key, and generates intermediate data k using the ciphertext component c2 and the secret key component sk ( Step ST11). Next, the ciphertext verification apparatus 20 expands (converts) the compressed ciphertext component c1 * in the affine representation into the ciphertext component c1 in the expanded field representation (step ST12). Next, the ciphertext verification apparatus 20 compares the ciphertext component c1 and the intermediate data k to verify the validity of the ciphertext (step ST13).

  When the ciphertext component c2 is generated using the ciphertext component c1 due to the dependency on the generation of the ciphertext component, if the ciphertext component c2 is compressed into an affine expression, the process of compressing the ciphertext component c2 Compared to the case where only the ciphertext component c2 is not compressed, processing time is required. If the ciphertext component compression unit 14 and the second ciphertext generation unit 15 can operate in parallel, the second ciphertext generation unit 15 generates c2 after the first ciphertext generation unit 13 generates the ciphertext component c1. If the ciphertext component compression unit 14 compresses the ciphertext component c1 into an affine expression and generates (c1 *, c2) as a ciphertext, the encryption processing time is concealed, A part of a sentence can be compressed.

  On the other hand, when the ciphertext verification apparatus 20 generates the intermediate data k using the ciphertext component c2 and compares it with the ciphertext component c1, the intermediate data immediately after receiving the ciphertext if the ciphertext component c2 is not an affine expression. A process of generating k can be performed. If the ciphertext component c2 is an affine expression, the affine expression cannot perform an operation, so conversion to an expanded field expression or a projected expression is necessary (in this embodiment, conversion to an expanded field expression). This requires extra processing time. However, according to the present embodiment, since it is not necessary to expand the component used for generating the intermediate data k, it is possible to conceal the processing time required to expand the compressed component.

  In addition, although the structure concerning the above-mentioned embodiment was applied to the ciphertext verification apparatus 20, you may apply to the decryption apparatus which decrypts a ciphertext. In this case, in addition to the ciphertext receiving unit 21, the secret key receiving unit 22, the intermediate data generating unit 23, and the ciphertext component decompressing unit 24 described above, the decrypting device includes a decrypted plaintext generating unit and a decrypted plaintext. What is necessary is just to comprise so that it may have an output part. The decrypted plaintext generation unit generates a decrypted plaintext using the intermediate data generated by the intermediate data generation unit 23 and the ciphertext component c1 expanded by the ciphertext component expansion unit 24. The decrypted plaintext output unit outputs the decrypted plaintext generated by the decrypted plaintext generation unit. According to such a decryption device and the above-described ciphertext verification device, ciphertext can be compressed and decompressed while suppressing an increase in processing time, and thus it is suitable for use when it is desired to shorten the processing time.

  In this example, ciphertext components are compressed without changing both the processing time required for encryption and the processing time required for verifying the validity of the ciphertext. However, the processing time required for encryption and the validity of the ciphertext are shown. It is also possible to configure so that only one of the processing time required for verification and the processing time required for decoding has the effect of reducing the processing time. Further, in the present embodiment, the expanded body expression is adopted as the expression that can be calculated, but the above-described effects are not changed even if the calculation is performed using the projective expression.

[Second Embodiment]
Next, a second embodiment of the encryption device, the decryption device, the ciphertext verification device, the encryption method, the decryption method, and the program will be described. In addition, about the part which is common in the above-mentioned 1st Embodiment, it demonstrates using the same code | symbol or abbreviate | omits description.

(1) Configuration <ElGamal encryption>
An ElGamal cipher will be taken up as a specific example of speeding up the decryption process. FIG. 6 is a diagram illustrating an encryption device that encrypts plaintext m and generates a ciphertext and a decryption device that decrypts the ciphertext in the ElGamal cipher. A key generation device (not shown) selects a generation source g, randomly selects x, calculates 'h = g ^ x', uses (q, g, h) as a public key, and secrets x Use as a key. Note that q is a prime number and the order of the subgroup G of the group G˜, and g and h are generation sources of the subgroup G (order is q) in which encryption is defined. The plaintext m must also be an element of the subgroup G. The encryption device receives the public key (q, g, h) generated by the key generation device and the plaintext m. The encryption device generates a random number r, performs exponentiation and multiplication, and outputs ciphertext (c1, c2) corresponding to the plaintext m. The ciphertext (c1, c2) is input to the decryption device. Further, the secret key component x corresponding to the public key is input to the decryption device as the secret key. The secret key component x is an integer from '1' to 'q' (or an integer from '0' to 'q-1'). The decryption device obtains the decrypted plaintext m using the secret key component x and the ciphertext (c1, c2).

  Next, the configuration of the encryption device and the decryption device according to the present embodiment will be described. Each of the encryption device and the decryption device is a control device such as a CPU (Central Processing Unit) that controls the entire device, and a storage such as a ROM (Read Only Memory) or a RAM (Random Access Memory) that stores various data and various programs. Devices, external storage devices such as HDD (Hard Disk Drive) and CD (Compact Disk) drive devices that store various data and various programs, communication I / F (interface) that controls communication between external devices, and these And a hardware configuration using a normal computer.

<Configuration of encryption device>
Next, various functions unique to the present embodiment that are realized when the CPU of the encryption apparatus according to the present embodiment executes various programs stored in the storage device or the external storage device will be described. FIG. 7 is a diagram illustrating a functional configuration of the encryption device according to this embodiment. As in the first embodiment, the encryption device 10 ′ includes a plaintext receiving unit 11, a public key receiving unit 12, a first ciphertext generation unit 13, a ciphertext component compression unit 14, and a second ciphertext. A text generation unit 15 and a ciphertext output unit 16 are included. The entities of these units are generated on a storage device such as a RAM when the CPU of the encryption device 10 ′ executes a program.

  The plaintext receiving unit 11 receives plaintext m. The public key receiving unit 12 receives a public key (q, g, h). The first ciphertext generating unit 13 generates a random number r satisfying “0 ≦ r <q”, and the public key component h included in the plaintext m received by the plaintext receiving unit 11 and the public key received by the public key receiving unit 12. Then, 'c2 = m · h ^ r' is calculated to generate a ciphertext component c2. The ciphertext component compression unit 14 converts the ciphertext component c2 generated by the first ciphertext generation unit 13 into an affine representation, and generates a compressed ciphertext component c2 *. That is, in this embodiment, the encryption device 10 compresses the ciphertext component c2 among the plurality of encryption components. At the same time, the second ciphertext generation unit 15 calculates 'c1 = g ^ r' using the random number r generated by the first ciphertext generation unit 13 and the public key component g received by the public key reception unit 12, A ciphertext component c1 is generated. The ciphertext output unit 16 outputs the compressed ciphertext component c2 * generated by the ciphertext component compression unit 14 and the ciphertext component c1 generated by the second ciphertext generation unit 15.

<Configuration of decoding device>
Next, specific description will be given of various functions realized by the CPU included in the decoding device according to the present embodiment executing various programs stored in the storage device or the external storage device. FIG. 8 is a diagram illustrating a functional configuration of the decoding device according to the present embodiment. The decryption device 30 includes a ciphertext receiving unit 31, a secret key receiving unit 32, an intermediate data generating unit 33, a ciphertext component decompressing unit 34, a decrypted plaintext generating unit 35, and a decrypted plaintext output unit 36. Have. Each of these units is generated on a storage device such as a RAM when the CPU of the decoding device 30 executes the program.

  The ciphertext receiving unit 31 receives the ciphertext (c1, c2 *). The secret key receiving unit 32 receives the secret key component x. The intermediate data generating unit 33 uses the ciphertext component c1 received by the ciphertext receiving unit 31 and the secret key component x received by the secret key receiving unit 32 to generate 'k = (c1 ^ x) ^ (-1)'. To generate intermediate data k. At the same time as the intermediate data generation unit 33 generates the intermediate data k, the ciphertext component decompression unit 24 decompresses the compressed ciphertext component c2 * received by the ciphertext reception unit 31 into a ciphertext component c2 that is an expanded field representation ( Convert. The decrypted plaintext generation unit 35 calculates 'm = c2 · k' using the intermediate data k generated by the intermediate data generation unit 33 and the ciphertext component c2 expanded by the ciphertext component expansion unit 34, Generate decrypted plaintext. The decrypted plaintext output unit 36 outputs the decrypted plaintext generated by the decrypted plaintext generation unit 35.

(2) Operation <Encryption processing>
Next, the procedure of the encryption process performed by the encryption device 10 ′ according to the present embodiment will be described with reference to FIG. The encryption device 10 ′ receives the public key (q, g, h) and the plaintext m, and generates a random number r (step ST21). Next, the encryption device 10 ′ generates a ciphertext component c2 using the random number r, the public key component h, and the plaintext m (step ST22). Next, the encryption device 10 ′ compresses the ciphertext component c2 by converting the expression of the ciphertext component c2 into an affine expression (step ST23). Subsequently, the encryption device 10 ′ generates a ciphertext component c1 using the random number r and the public key component g (step ST24).

<Decryption process>
Next, the procedure of the encryption process performed by the decryption device 30 according to the present embodiment will be described with reference to FIG. Decryption apparatus 30 receives ciphertext (c1, c2 *) and secret key component x included in the secret key, and generates intermediate data k using ciphertext component c1 and secret key component x (step ST31). ). Next, the decryption apparatus 30 expands the compressed ciphertext component c2 * that is an affine representation into the ciphertext component c2 that is an expanded representation (step ST32). Next, the decryption device 30 multiplies the ciphertext component c2 expanded in step ST32 and the intermediate data k generated in step ST31 to generate a decrypted plaintext m (step ST33).

  According to the above configuration, the compressed ciphertext component c2 * can be expanded to the ciphertext component c2 in step ST32 while the intermediate data k is generated in step ST31. Therefore, the compressed ciphertext component c2 * is expanded. It is possible to expand the compressed ciphertext component while concealing the processing time required for.

[Third embodiment]
Next, a third embodiment of an encryption device, a decryption device, a ciphertext verification device, an encryption method, a decryption method, and a program will be described. In addition, about the part which is common in the above-mentioned 1st Embodiment or 2nd Embodiment, it demonstrates using the same code | symbol or abbreviate | omits description.

(1) Configuration <Cramer-Shoup encryption scheme>
Next, as another specific embodiment, a basic configuration of the Cramer-Shoup encryption scheme described in the above-mentioned prior art section will be described with reference to FIG. First, a public key and a secret key corresponding to the public key are generated by the key generation device. The public key is input to the encryption device, and the secret key corresponding to the public key is input to the decryption device. The public key is (q, g, g ~, e, f, h) described above. The secret key is (x1, x2, y1, y2, z1, z2) described above. The encryption device calculates the ciphertext (c1, c2, c3, c4) corresponding to the plaintext m using the public key. Specifically, the encryption device generates a random number r satisfying “0 ≦ r <q−1” using the public key component q. Then, the encryption apparatus obtains “g ^ r” as the ciphertext component c1 using the random number r and the public key component g. Further, the encryption apparatus obtains “g˜ ^ r” as the ciphertext component c2 using the random number r and the public key component g˜. Further, the encryption apparatus obtains “h ^ r” as the coefficient b using the random number r and the public key component h. Then, the encryption apparatus obtains “b × m” as the ciphertext component c3 using the coefficient b and the plaintext m. Next, the encryption apparatus obtains a hash value 'v = H (c1, c2, c3)' by calculation using a hash function for each ciphertext component c1, c2, c3. Then, the encryption apparatus uses the random number r, the public key components e and f, and the hash value v to obtain “e ^ r × f ^ (rv)” as the ciphertext component c4. As a result, ciphertexts (c1, c2, c3, c4) are obtained. The encryption device outputs this ciphertext (c1, c2, c3, c4).

  On the other hand, when the decryption device receives the ciphertext (c1, c2, c3, c4), whether or not the ciphertext is valid from this and the secret key (x1, x2, y1, y2, z1, z2). If a determination is made and the determination result is affirmative, plaintext m is calculated. Specifically, the decryption apparatus determines whether each ciphertext component c1, c2, c3, c4 is an element of the group G˜ and whether each ciphertext component c1, c2, c3 is an element of the group G. Determine whether. If the determination result is affirmative, the decryption device uses the ciphertext components c1 and c2 and the secret key components z1 and z2 to obtain ‘c1 ^ z1 × c2′z2’ as the coefficient b. Further, the decryption apparatus performs calculation by a hash function using the ciphertext components c1, c2, and c3, and performs exponentiation and multiplication using the ciphertext components c1 and c2 and the secret key components x1, x2, y1, and y2. Thus, 'c1 ^ (x1 + y1 * v) * c2 ^ (x2 + y2 * v)' is obtained as the verification data k used in the check equation. The verification data is for verifying the validity of the ciphertext. Then, the decryption apparatus 200 determines whether or not the check expression “c4 = k” using the verification data k and the ciphertext component c4 is established. Also, the decryption device 200 performs power calculation using the ciphertext components c1 and c2 and the secret key components z1 and z2, derives the inverse element of the calculation result as intermediate data, and then uses the ciphertext component c3. By performing multiplication, a decrypted plaintext m is obtained.

  The ciphertext component c3 is a plaintext generating ciphertext component used for generating plaintext during decryption, and the ciphertext components c1 and c2 are comprehensive ciphers used for generating plaintext and verifying the validity of the ciphertext during decryption. The ciphertext component c4 is a verification ciphertext component used for verifying the validity of the ciphertext at the time of decryption.

<Public key and secret key generation>
Next, an overview of key generation processing in which the key generation device generates a public key and a secret key will be described with reference to FIG. The key generation device selects the public key component g from the expanded field expression or the projection expression so as to be the basis of the group G˜, and generates a random number w other than 0 (GS1). Next, the key generation device generates a random number as each secret key component x1, x2, y1, y2, z1, z2 (GS2). Then, the key generation device obtains “g ^ w” as the public key component g˜, obtains “g ^ x1 × g˜ ^ 2” as the public key component e, and obtains “g ^ y1 × g” as the public key component f. ~ ^ y2 'is obtained, and' g ^ z1 × g ~ ^ z2 'is obtained as the public key component h (GS3). Then, the key generation device outputs the secret key (x1, x2, y1, y2, z1, z2) and the public key (q, g, g˜, e, f, h).

  In this example, the expressions of the public key components g, g˜, e, f, h are not converted into affine expressions, but the key length may be shortened by converting into affine expressions, that is, by compressing. it can. In this case, it is necessary to convert the expression of the public key component into an expanded field expression or a projected expression before the encryption process or the decryption process. An affine expression can also be used for plain text.

  In the Cramer-Shoop cipher as described above, in the present embodiment, the encryption device compresses some of the components of the ciphertext (c1, c2, c3, c4) and All or part of it is used when obtaining a hash value. On the other hand, the decryption device expands the compressed component of each component of the ciphertext (c1, c2, c3, c4) and performs multiplication or multiplication using the uncompressed component and the secret key component. A decrypted plaintext is obtained by performing various operations.

  Each of the encryption device and the decryption device according to the present embodiment includes a control device such as a CPU (Central Processing Unit) that controls the entire device, a ROM (Read Only Memory) and a RAM that store various data and various programs. (Random Access Memory) and other storage devices such as HDD (Hard Disk Drive) and CD (Compact Disk) drive devices that store various data and various programs, and communication I / that controls communication between the external devices An F (interface) and a bus for connecting them are provided, and a hardware configuration using a normal computer is employed.

<Configuration of encryption device>
Next, various functions unique to the present embodiment that are realized when the CPU of the encryption apparatus according to the present embodiment executes various programs stored in the storage device or the external storage device will be described. FIG. 13 is a diagram illustrating a functional configuration of the encryption device according to the present embodiment. The encryption apparatus 100 includes a random number generation unit 101, a first power calculation unit 102, a multiplication unit 103, a ciphertext component compression unit 104, a hash value calculation unit 105, a second power calculation unit 106, and a second power calculation unit 106. The ciphertext component compression unit 107 and an output unit (not shown) are included. The entities of these units are generated on a storage device such as a RAM when the CPU of the encryption device 100 executes a program.

  The random number generation unit 101 generates a random number u. The first power calculation unit 102 uses the random number u generated by the random number generation unit 101 and the public key components g, g˜, h to obtain “g ^ u” as the ciphertext component c1, and the ciphertext component c2 'G ~ ^ u' is obtained, and 'h ^ u' is obtained as the coefficient b. The multiplication unit 103 obtains ‘m × b’ as the ciphertext component c <b> 3 using b obtained by the first power calculation unit 102 and the plaintext m. The ciphertext component compression unit 104 compresses the ciphertext component c3 obtained by the multiplication unit 103 and is the original ciphertext component c3 on the torus, thereby converting it into a compressed ciphertext component c3 * that is an affine expression. . That is, torus compression is performed on the ciphertext component c3. The hash value calculation unit 105 performs a calculation by a hash function using the ciphertext components c1 and c2 obtained by the first power calculation unit 102 and c3 * converted by the ciphertext component compression unit 104 to obtain the hash value v. Ask. Note that the conventional encryption apparatus uses c3 together with the ciphertext components c1 and c2 when performing hash calculation here. However, the encryption apparatus 100 according to the present embodiment uses the compressed ciphertext component c3 * obtained by converting c3 into an affine expression for hash calculation.

  The second power calculation unit 106 uses the public key components e and f, the random number u generated by the random number generation unit 101, and the hash value v obtained by the hash value calculation unit 105 as the ciphertext component c4. e ^ u * f ^ (uv) 'is obtained. The second ciphertext component compression unit 107 converts the ciphertext component c4 obtained by the second power calculation unit 106 and the original ciphertext component c4 on the torus into a compressed ciphertext component c4 * that is an affine expression. To do. The output unit outputs the ciphertext (c1, c2, c3 *, c4 *). Here, the random number generation unit 101, the first power calculation unit 102, and the multiplication unit 103 function as a first ciphertext generation unit, and the hash value calculation unit 105 and the second power calculation unit 106 function as a second ciphertext generation unit. is doing.

  As described above, when torus compression is performed in the Cramer-Shoup cipher, the encryption apparatus 100 according to the present embodiment uses two ciphertexts that do not need to be first calculated at the time of decryption among the four components of the ciphertext. If only the components c3 and c4 are compressed, the processing time required for decompression at the time of decoding can be concealed.

<Configuration of decoding device>
Next, specific description will be given of various functions realized by the CPU included in the decoding device according to the present embodiment executing various programs stored in the storage device or the external storage device. FIG. 14 is a diagram illustrating a functional configuration of the decoding apparatus according to the present embodiment. The decryption apparatus 200 includes a receiving unit (not shown), a hash calculation unit 201, a ciphertext component decompression unit 202, a first power calculation unit 203, a second power calculation unit 204, and an inverse element calculation unit 205. The first multiplication unit 206, the second multiplication unit 207, the third multiplication unit 208, the torus element verification unit 209, the validity verification unit 210, and the decrypted plaintext output unit 211. Each of these units is generated on a storage device such as a RAM when the CPU of the decoding device 200 executes a program.

  The decryption device 200 receives the secret key (x1, x2, y1, y2, z1, z2) corresponding to the public key (q, g, g˜, e, f, h). The receiving unit receives the ciphertext (c1, c2, c3 *, c4 *) from the encryption device 100. The hash calculation unit 201 performs a calculation by a hash function using the ciphertext components c1 and c2 and the compressed ciphertext component c3 * to obtain a hash value v. The conventional decryption apparatus uses the ciphertext component c3 together with the ciphertext components c1 and c2 when performing the hash calculation here. However, the decryption apparatus 200 according to the present embodiment uses the compressed ciphertext component c3 * obtained by converting the ciphertext component c3 into the affine representation for the hash calculation.

  The second power calculation unit 204 uses the hash value v obtained by the hash calculation unit 201 and the secret key components x1, x2, y1, y2 to obtain “c1 ^ (x1 + y1 × v)” as the coefficient k1, 'C2 ^ (x2 + y2 × v)' is obtained as the coefficient k2. The second multiplication unit 207 uses the coefficients k1 and k2 obtained by the second power calculation unit 204 to obtain “k1 × k2” as the verification data k used in the check equation. The ciphertext component decompression unit 202 decompresses the compressed ciphertext components c3 * and c4 * that are affine expressions, respectively, thereby converting them into ciphertext components c3 and c4 that are expanded representations. The first power calculator 203 uses the ciphertext components c1 and c2 and the secret key components z1 and z2 to obtain ‘c1 ^ z1’ as the coefficient b1 and ‘c2 ^ z2’ as the coefficient b2. The first multiplication unit 206 obtains ‘b1 × b2’ as the coefficient b using the coefficients b1 and b2 obtained by the first power calculation unit 203. The inverse element calculation unit 205 obtains the inverse element ‘b ^ (− 1)’ of the coefficient b obtained by the first multiplication unit 206 as intermediate data. The third multiplication unit 208 uses the intermediate data 'b ^ (-1)' obtained by the inverse element calculation unit 205 and the ciphertext component c3 converted by the ciphertext component decompression unit 202 to decrypt the plaintext m 'C3 × b ^ (-1)' is obtained.

  The torus element verification unit 209 verifies the validity of the ciphertext by checking whether each component of the ciphertext (c1, c2, c3 *, c4 *) is a correct group element. Specifically, the torus element verification unit 209 determines whether each component c1, c2, c3 *, c4 * is an element of the group G˜ and whether each component c1, c2 is an element of the group G. Determine. The determination of whether or not it is an element of the group G can be confirmed, for example, by confirming whether c1 and c2 are each ‘1’ (unit element). Conventionally, it is determined whether or not each component c1, c2, c3 is an element of the group G, but here, the compressed ciphertext component c3 * obtained by converting the ciphertext component c3 is subjected to compression to the group. Since it is clear that it is the origin of G, the determination regarding c3 * is not performed. The torus source verification unit 209 outputs a verification result that the ciphertext is valid if the determination result is affirmative, and verifies that the ciphertext is not correct if the determination result is negative. Output the result.

  The validity verification unit 210 compares the verification data k obtained by the second multiplication unit 207 with the compressed ciphertext component c4 converted by the ciphertext component decompression unit 202. Here, the validity verification unit 210 determines whether or not they are equivalent by this comparison. That is, the validity verification unit 210 verifies whether or not the ciphertext is valid by determining whether or not the check expression “k = c4” is satisfied. Then, the validity verification unit 210 outputs the verification result. The decrypted plaintext output unit 211 outputs the plaintext m when the verification result output by the torus source verification unit 209 and the verification result output by the validity verification unit 210 indicate that the ciphertext is valid. If any one of the verification results indicates that the ciphertext is invalid, an error is output. In the present embodiment, the first power calculation unit 203, the inverse element calculation unit 205, and the first multiplication unit 206 function as an intermediate data generation unit, and the hash value calculation unit 201, the second power calculation unit 204, and the first multiplication unit 206 The 2 multiplication unit 207 functions as a verification data generation unit, and the third multiplication unit 208 functions as a decrypted plaintext generation unit.

  As described above, when torus compression is performed in the Cramer-Shoop cipher, the decryption apparatus 200 in the present embodiment decompresses only the compressed components c3 and c4 out of the four components of the ciphertext, Decrypt.

(2) Operation <Encryption processing>
Next, the procedure of the encryption process performed by the encryption device 100 according to the present embodiment will be described with reference to FIG. It is assumed that the encryption device 100 has previously acquired the public key (q, g, g˜, e, f, h) and the plaintext m. The encryption device 100 generates a random number u (step S1). Next, using the public key components g, g˜, h, the encryption device 100 obtains “g ^ u” as the ciphertext component c1, obtains “g˜ ^ u” as the ciphertext component c2, and uses the coefficients “h ^ u” is obtained as b (step S2). Next, the encryption apparatus 100 performs plaintext masking by obtaining 'm × b' as the ciphertext component c3 using b obtained in step S2 and plaintext m (step S3). Then, the encryption apparatus 100 converts the ciphertext component c3 that is the ciphertext component c3 obtained in step S3 and is the original on the torus into a compressed ciphertext component c3 * that is an affine expression (step S4). Next, the encryption apparatus 100 calculates a hash value v by performing a calculation using a hash function using the ciphertext components c1 and c2 obtained in step S2 and the compressed ciphertext component c3 * obtained in step S4 ( Step S5). Subsequently, the encryption device 100 uses the public key components e and f, the random number u generated in step S1, and the hash value v obtained in step S5 as' e ^ u × as the ciphertext component c4. f ^ (uv) 'is obtained (step S6). Then, the encryption apparatus 100 converts the ciphertext component c4, which is the ciphertext component c4 obtained in step S4, and is the original on the torus, into a compressed ciphertext component c4 * that is an affine expression (step S7). Then, the encryption device 100 transmits the ciphertext (c1, c2, c3 *, c4 *) to the decryption device 200.

<Decryption process>
Next, the procedure of the decoding process performed by the decoding device 200 according to the present embodiment will be described with reference to FIG. It is assumed that the decryption apparatus 200 has previously obtained a secret key (x1, x2, y1, y2, z1, z2) corresponding to the public key (q, g, g˜, e, f, h). . When the decryption device 200 receives the ciphertext (c1, c2, c3 *, c4 *) transmitted from the encryption device 100, each component of the ciphertext is correct as specifically described in the configuration section above. The validity of the ciphertext is verified by checking whether it is a group member or not. If the decryption apparatus 200 determines that the ciphertext is valid (step S20: YES), the decryption apparatus 200 then performs a calculation using a hash function using the ciphertext components c1 and c2 and the compressed ciphertext component c3 *. Thus, the hash value v is obtained (step S21).

  Then, using the hash value v obtained in step S21 and the secret key components x1, x2, y1, and y2, the decryption apparatus 200 obtains “c1 ^ (x1 + y1 × v)” as the coefficient k1 and sets it as the coefficient k2. 'c2 ^ (x2 + y2 × v)' is obtained (step S22). Next, the decoding apparatus 200 obtains “k1 × k2” as the verification data k used in the check equation (step S23).

  Also, the decryption apparatus 200 expands the compressed ciphertext component c4 * to obtain a ciphertext component c4 that is an expanded field representation (step S24). In addition, the decryption apparatus 200 determines whether or not the check expression “k = c4” is satisfied by using the verification data k obtained in step S23 and the ciphertext component c4 expanded in step S24, and the ciphertext component c4 is encrypted. The validity of the sentence is verified (step S25). Then, when the decryption apparatus 200 determines that the check expression in step S25 is established, that is, the ciphertext is valid (step S25: YES), the ciphertext components c1 and c2 and the secret key components z1 and z2 Is used to determine 'c1 ^ z1' as the coefficient b1 and 'c2 ^ z2' as the coefficient b2 (step S26). Next, the decoding apparatus 200 uses the coefficients b1 and b2 obtained in step S26 to obtain ‘b1 × b2’ as the coefficient b (step S27). Thereafter, the decoding apparatus 200 obtains the inverse element ‘b ^ (− 1)’ of the coefficient b obtained in step S27 as intermediate data (step S28). Also, the decryption device 200 decompresses the compressed ciphertext component c3 * to obtain c3 (step S29). Then, the decryption apparatus 200 uses the intermediate data “b ^ (− 1)” obtained in step S28 and c3 expanded in step S29 as “c3 × b ^ (− 1) as the decrypted plaintext m. 'Is obtained (step S30). If the determination results in step S20 and step S25 are affirmative, the decryption apparatus 200 outputs the decrypted plaintext obtained in step S30. If the determination result in step S20 or step S25 is negative, the decryption apparatus 200 outputs an error and does not output the decrypted plaintext.

  In addition, the process of step S20, the process of steps S21-S23, the process of step S24, the process of steps S26-S28, and the process of step S29 can be performed in parallel. That is, in FIG. 6, when each component c1, c2, c3 *, c4 * is given, each part surrounded by a broken line can be immediately executed in parallel. In addition, since the first group, the second group, and the third group can perform processing independently, the processing of each of these groups can be performed in parallel. For this reason, the processing time required for expansion can be concealed.

  That is, as described above, in the case of Cramer-Shoop cipher, the ciphertext is a set of four components, and it is very easy to handle these components independently, and parallel processing is possible. In the environment, the ciphertext component is selectively compressed. Thereby, a part of increase of processing time can be concealed. Therefore, it is possible to realize an encryption method in which the Torus compression is combined with the Cramer-Shop cipher while concealing the processing time required for compression and expansion.

  However, in the case where the processes are executed in parallel, a mechanism for removing an illegal ciphertext in which the determination result in step S20 or the determination result in step S25 is negative is necessary. For this reason, in the present embodiment, as shown in FIG. 14, the decryption apparatus 200 is configured to have the decrypted plaintext output unit 211, and the determination in step S <b> 20 that is the determination result of the torus source verification unit 209. Using the result and the determination result of step S25, which is the determination result of the validity verification unit 210, finally determines whether or not the ciphertext is valid. The decryption apparatus 200 can remove illegal ciphertext as a result by not outputting the decrypted plaintext m obtained in step S30.

  In the present invention, if the output of the hash function is the same between the encryption device 100 and the decryption device 200, encryption and decryption are possible. For this reason, the ciphertext component to be compressed is not limited as long as the component and the expression used in obtaining the hash value in step S5 and step S21 described above are the same without performing the conversion of the expression.

  Further, in the present embodiment, each calculation is performed using an expanded field expression, but may be performed using a projective expression. However, since the projection expression can take a plurality of values for the same data, it is necessary to be careful when deriving the input to the hash function or the decrypted plaintext or when determining the equivalence by the validity verification unit 210. is there.

[Fourth embodiment]
Next, a fourth embodiment of the encryption device, the decryption device, the ciphertext verification device, the encryption method, the decryption method, and the program will be described. In addition, about the part which is common in the above-mentioned 1st Embodiment thru | or 3rd Embodiment, it demonstrates using the same code | symbol or abbreviate | omits description.

(1) Configuration US Pat. No. 7,221,758 B2 describes a variation of the encryption method in the Cramer-Shoop cipher, and the number of secret key components can be reduced by using this method. A configuration in which a part of the ciphertext component is compressed can also be applied to this variation. In the present embodiment, encryption or decryption is performed with one z instead of the secret key components z1 and z2.

  Here, an outline of a key generation process in which the key generation apparatus according to the present embodiment generates a public key and a secret key will be described with reference to FIG. The key generation device selects the public key g (gεG) from the extended field representation, and generates a random number w other than 0 (GS11). Next, the key generation device generates random numbers as secret key components x1, x2, y1, y2, and z (GS12). Then, the key generation device obtains “g ^ w” as the public key component g˜, obtains “g ^ x1 × g˜ ^ 2” as the public key component e, and obtains “g ^ y1 × g” as the public key component f. ~ ^ y2 'is obtained, and "g ^ z" is obtained as the public key component h (GS13). Then, the key generation device outputs the secret key (x1, x2, y1, y2, z) and the public key (q, g, g˜, e, f, h).

Since the configuration of the encryption device 100 is the same as that of the third embodiment described above, description thereof is omitted. FIG. 18 is a diagram illustrating a functional configuration of the decoding device 200 ′ according to the present embodiment.
The functional configuration of the decoding device 200 ′ according to the present embodiment is different from the functional configuration of the decoding device 200 according to the third embodiment described below. The secret key (x1, x2, y1, y2, z) is input to the decryption device 200 ′. The decoding device 200 ′ does not have the first multiplication unit 206. The first power calculation unit 203 uses the ciphertext component c1 and the secret key component z to obtain “c1 ^ z” as the coefficient b. The inverse element calculation unit 205 calculates the inverse element 'b ^ (-1)' of the coefficient b obtained by the first power calculation unit 203 as intermediate data. In the present embodiment, the first power calculation unit 203 and the inverse element calculation unit 205 function as an intermediate data generation unit.

(2) Operation <Decoding process>
Next, the procedure of the decoding process performed by the decoding device 200 ′ according to the present embodiment will be described with reference to FIG. Note that the procedure of the encryption process performed by the encryption device 100 is the same as that in the third embodiment described above, and thus the description thereof is omitted. It is assumed that the decryption device 200 ′ has previously obtained a secret key (x1, x2, y1, y2, z) corresponding to the public key (q, g, g˜, e, f, h). Steps S20 to S25 are the same as those in the first embodiment. In step S40, the decryption apparatus 200 ′ obtains “c1 ^ z” as the coefficient b by using the ciphertext component c1 and the secret key component z. Next, in step S28, the decoding apparatus 200 ′ obtains the inverse element “b ^ (− 1)” of the coefficient b obtained in step S40 as intermediate data. The processes in S29 to S30 are the same as those in the third embodiment.

  In the present embodiment, the process of step S20, the processes of steps S21 to S23, the process of step S24, the processes of steps S40 and S28, and the process of step S29 can be performed in parallel. That is, in FIG. 19, when each component c1, c2, c3 *, c4 * is given, each part surrounded by a broken line can be immediately executed in parallel. In addition, since the first group, the second group, and the third group can perform processing independently, the processing of each of these groups can be performed in parallel. For this reason, even when the number of secret key components is reduced as in the present embodiment in the Cramer-Shoop cipher, the processing time required for expansion can be concealed.

  In this embodiment, c3 is compressed among a plurality of ciphertext components, but if c1 and c2 are compressed and c3 is generated while c1c2 is being compressed, the processing time required for compression also in the encryption processing Can be concealed. Depending on which ciphertext component is compressed, it is determined whether the processing time required for encryption and decryption, or both, and the processing time required for expansion can be concealed.

[Fifth embodiment]
Next, a fifth embodiment of an encryption device, a decryption device, a ciphertext verification device, an encryption method, a decryption method, and a program will be described. In addition, about the part which is common in the above-mentioned 1st Embodiment thru | or 4th Embodiment, it demonstrates using the same code | symbol or abbreviate | omits description.

(1) Configuration In the fourth embodiment described above, the number of secret key components is reduced by using z instead of the secret key components z1 and z2. Here, the number of secret key components is further reduced, and x is used instead of the secret key components x1 and x2, and y is used instead of the secret key components y1 and y2. However, the random number w used to generate the public key is added as a secret key component. Here, a case where the ciphertext component to be compressed includes not only c3 and c4 but also c2.

  Here, an outline of a key generation process in which the key generation apparatus according to the present embodiment generates a public key and a secret key will be described with reference to FIG. The key generation device selects the public key component g (gεG) from the extended field representation, and generates a random number w other than “0” (GS21). Next, the key generation device generates random numbers as the secret key components x, y, and z (GS22). Then, the key generation device obtains “g ^ w” as the public key component g˜, obtains “g ^ x” as the public key component e, obtains “g ^ y” as the public key component f, and public key component “g ^ z” is obtained as h (GS23). Then, the key generation device outputs a secret key (x, y, z, w) and a public key (q, g, g˜, e, f, h).

  Next, the functional configuration of the encryption device 100 ′ according to the present embodiment will be described with reference to FIG. The functional configuration of the encryption device 100 ′ is different from the functional configuration of the encryption device 100 according to the third embodiment described above. The ciphertext component compression unit 104 compresses the ciphertext component c2 obtained by the first power calculation unit 102 and the ciphertext component c3 obtained by the multiplication unit 103, thereby compressing the ciphertext component c2 *, which is an affine expression. Convert each to c3 *. The hash value calculation unit 105 performs a calculation by a hash function using the ciphertext component c1 obtained by the first power calculation unit 102 and the compressed ciphertext components c2 * and c3 * converted by the ciphertext component compression unit 104. To obtain the hash value v. The output unit transmits the ciphertext (c1, c2 *, c3 *, c4 *) to the decryption device 200 ″.

  Next, the functional configuration of the decoding apparatus 200 ″ according to the present embodiment will be described with reference to FIG. 22. The functional configuration of the decoding apparatus 200 ″ according to the present embodiment is the same as that of the above-described third embodiment. Differences from the functional configuration of the decoding device 200 are as follows. The decryption device 200 ″ does not include the first multiplication unit 206 and the second multiplication unit 207, but further includes a third power calculation unit 212. The decryption device 200 ″ includes a secret key (x, y, z, w). ) Is entered. The receiving unit receives the ciphertext (c1, c2 *, c3 *, c4 *) from the encryption device 100 ′. The ciphertext component decompression unit 202 decompresses the compressed ciphertext components c2 *, c3 *, and c4 * that are affine expressions, respectively, thereby converting them into ciphertext components c2, c3, and c4 that are expanded field expressions. The first power calculation unit 203 obtains ‘c1 ^ z’ as the coefficient b using the ciphertext component c1 and the secret key component z in the same manner as in the second embodiment. The inverse element calculation unit 205 calculates an inverse element ‘b ^ (− 1)’ of the coefficient b obtained by the first power calculation unit 203. The hash calculation unit 201 performs a calculation by a hash function using the ciphertext component c1 and the compressed ciphertext components c2 * and c3 * to obtain a hash value v. The second power calculation unit 204 uses the hash value v obtained by the hash calculation unit 201 and the secret key components x and y to obtain “c1 ^ (x + y × v)” as verification data k2. The third power calculation unit 212 calculates ‘c1 ^ w’ as the verification data k1 using the random number w and the ciphertext component c1.

  The torus element verification unit 209 verifies the validity of the ciphertext by checking whether each component of the ciphertext (c1, c2 *, c3 *, c4 *) is a correct group element. That is, the torus element verification unit 209 determines whether or not the ciphertext component c1 and the compressed ciphertext components c2 *, c3 *, and c4 * are elements of the group G˜, and each component c1 is an element of the group G. Or not, and outputs the determination result. Note that the compressed ciphertext components c2 * and c3 * are clearly determined to be the basis of the group G due to compression, and are not determined here. The validity verification unit 210 uses the verification data k1 obtained by the third power calculation unit 212 and the ciphertext component c2 to determine whether or not the check formula 1′k1 = c2 ′ is satisfied, and the second It is determined whether or not the check expression 2′k2 = c4 ′ is satisfied using the verification data k2 and the component c4 obtained by the power calculation unit 204. In the present embodiment, the hash value calculation unit 201, the second power calculation unit 204, and the third power calculation unit 212 function as a verification data generation unit.

(2) Operation <Encryption processing>
The procedure of the encryption process performed by the encryption device 100 ′ according to the present embodiment will be described with reference to FIG. The processing in steps S1 to S3 is the same as that in the third embodiment described above. In step S50, the encryption device 100 ′ converts the ciphertext component c2 obtained in step S2 and the ciphertext component c3 obtained in step S3 into compressed ciphertext components c2 * and c3 * which are affine expressions, respectively. . Next, the encryption device 100 ′ calculates a hash value v by performing a calculation using a hash function using c1 obtained in step S2 and the compressed ciphertext components c2 * and c3 * converted in step S50 (step S51). ). The processing in steps S6 to S7 is the same as that in the first embodiment. Then, the encryption device 100 ′ transmits the ciphertext (c1, c2 *, c3 *, c4 *) to the decryption device 200 ″.

<Decryption process>
Next, the procedure of the decryption process performed by the decryption apparatus 200 ″ according to the present embodiment will be described with reference to FIG. 24. The decryption apparatus 200 ″ has a public key (q, g, g˜, e, f, h). It is assumed that the secret key (x, y, z, w) corresponding to is previously acquired. When receiving the ciphertext (c1, c2 *, c3 *, c4 *) transmitted from the encryption device 100 ′, the decryption device 200 ″ receives each ciphertext as specifically described in the configuration section above. It is checked whether or not the component is an element of a correct group, and the validity of the ciphertext is verified. When the decryption device 200 ″ determines that the ciphertext is valid (step S60: YES). Then, 'c1 ^ w' is obtained as the verification data k1 using the random number w and the ciphertext component c1 (step S61). Next, the decryption device 200 ″ performs a calculation by a hash function using the ciphertext component c1 and the compressed ciphertext components c2 * and c3 * to obtain a hash value v (step S62). Uses the hash value v obtained in step S62, the secret key component x, y, and the ciphertext component c1 to obtain “c1 ^ (x + y × v)” as verification data k2 (step S63). Also, the decrypting device 200 ″ converts the compressed ciphertext components c2 * and c4 * into decompressed ciphertext components c2 and c4, respectively (step S64). Then, it is determined whether or not the check expression 1′k1 = c2 ′ and the check expression 2′k2 = c4 ′ are satisfied (step S65). If both inspection formulas are satisfied (step S65: YES), the process of step S40 is performed in the same manner as in the fourth embodiment described above. The processes in steps S28 to S30 are the same as those in the third embodiment described above. If the determination results in step S60 and step S65 are affirmative, the decryption apparatus 200 "outputs the decrypted plaintext obtained in step S30. The determination result in step S60 or step S65 is negative. The decryption device 200 ″ outputs an error and does not output the decrypted plaintext.

  In the present embodiment, the processing in step S60, the processing in step S61, the processing in steps S62 to S63, the processing in step S64, the processing in steps S40 and S28, and the processing in step S29 are performed in parallel. Can be done. That is, in FIG. 14, when the ciphertext components c1 and c4 and the compressed ciphertexts c2 * and c3 * are given, the portions surrounded by the broken lines can be immediately executed in parallel. In addition, since the first group, the second group, and the third group can perform processing independently, the processing of each of these groups can be performed in parallel. For this reason, even when the number of secret key components is reduced as in the present embodiment in the Cramer-Shoop cipher, the processing time required for expansion can be concealed.

[Sixth Embodiment]
Next, a sixth embodiment of the encryption device, the decryption device, the ciphertext verification device, the encryption method, the decryption method, and the program will be described. In addition, about the part which is common in the above-mentioned 1st Embodiment thru | or 5th Embodiment, it demonstrates using the same code | symbol or abbreviate | omits description.

  In the validity verification unit 25 of the ciphertext verification device 20 described in the first embodiment and the validity verification unit 210 of the decryption device described in the third to fifth embodiments, The validity of the ciphertext is verified using the ciphertext component after the compressed ciphertext component has been expanded to an expanded representation, but if the ciphertext component identity between different representations can be determined, the compressed ciphertext In some cases, it is not necessary to stretch sentence components. In the present embodiment, an example will be described. Note that the encryption method according to the present embodiment is the same as that of the fifth embodiment, and the ciphertext components to be compressed are c2 and c4.

  Since the key generation processing for generating the public key and the secret key by the key generation device according to the present embodiment is the same as that of the fifth embodiment, a description thereof will be omitted. However, the key generation device does not include the secret key (x, y, z, w) and public key (q, g, g ~, e, f, h) are output.

  Next, the functional configuration of the encryption device 100 ″ according to the present embodiment will be described with reference to FIG. 25. The functional configuration of the encryption device 100 ″ is the encryption device 100 according to the fifth embodiment described above. Differences from the functional configuration of ′ are as follows. The ciphertext component compression unit 104 converts the ciphertext component c2 obtained by the first power calculation unit 102 into a ciphertext component c2 * that is an affine expression. The hash value calculation unit 105 includes a ciphertext component c1 obtained by the first power calculation unit 102, a compressed ciphertext component c2 * compressed by the first ciphertext component compression unit 104, and a ciphertext obtained by the multiplication unit 103. A hash value v is obtained by performing a calculation by a hash function using the component c3. The output unit transmits the ciphertext (c1, c2 *, c3, c4 *) to the decryption device 200 ′ ″.

  Next, a functional configuration of the decoding device 200 ″ ″ according to the present embodiment will be described with reference to FIG. The functional configuration of the decoding device 200 ′ ″ according to the present embodiment is different from the functional configuration of the decoding device 200 ″ according to the fifth embodiment described above. The decoding device 200 ′ ″ is as follows. Does not have the ciphertext component decompression unit 202. The decryption device 200 ′ ″ receives the secret key (x, y, z, w). The receiving unit receives the compressed ciphertext (c1, c2 *, c3, c4 *) are received from the encryption device 100 ″. The first power calculation unit 203 obtains ‘c1 ^ z’ as the coefficient b using the ciphertext component c1 and the secret key component z in the same manner as in the fifth embodiment described above. The inverse element calculation unit 205 obtains the inverse element ‘b ^ (− 1)’ of the coefficient b obtained by the first power calculation unit 203 as intermediate data. The hash calculation unit 201 performs a calculation by a hash function using the ciphertext components c1 and c3 and the compressed ciphertext component c2 * to obtain a hash value v. The second power calculation unit 204 uses the hash value v obtained by the hash calculation unit 201 and the secret key components x and y to obtain “c1 ^ (x + y × v)” as verification data k2. The third power calculation unit 212 calculates ‘c1 ^ w’ as the verification data k1 using the random number w and the ciphertext component c1.

  The torus element verification unit 209 verifies the validity of the ciphertext by checking whether each component of the ciphertext (c1, c2 *, c3, c4 *) is a correct group element. That is, the torus element verification unit 209 determines whether each component c1, c2 *, c3, c4 * is an element of the group G and whether each component c1, c3 is an element of the group G, The determination result is output. Since it is clear that the compressed ciphertext component c2 * is an element of the group G by compression, the determination is not performed here. The validity verification unit 210 uses the verification data k1 obtained by the third power calculation unit 212 and the compressed ciphertext component c2 * to determine whether k1 and c2 * are equivalent, and the second The validity of the ciphertext is verified by determining whether k2 and c4 * are equivalent using the verification data k2 obtained by the power calculation unit 204 and the compressed ciphertext component c4 *. That is, in the present embodiment, the validity verification unit 210 does not use the ciphertext components c2 and c4 that are the expanded field representations obtained by expanding the compressed ciphertext components c2 * and c4 *, but instead uses the compressed ciphertext components. The validity of the ciphertext is verified using c2 * and c4 * itself. In the present embodiment, the first power calculation unit 203, the inverse element calculation unit 205, and the third multiplication unit 208 function as a decrypted plaintext generation unit.

(2) Operation <Encryption processing>
The procedure of the encryption process performed by the encryption apparatus 100 ″ according to the present embodiment will be described with reference to FIG. 27. The processes in steps S1 to S3 are the same as those in the fifth embodiment. In step S70. The encryption device 100 ″ converts the ciphertext component c2 obtained in step S2 into a compressed ciphertext component c2 * that is an affine expression. Next, the encryption device 100 ″ uses the ciphertext component c1 obtained in step S2, the compressed ciphertext component c2 * converted in step S70, and the ciphertext component c3 generated in step S3 to calculate by the hash function. To obtain the hash value v (step S71) The processing of steps S6 to S7 is the same as that of the fifth embodiment described above, and the encryption device 100 ″ uses the ciphertext (c1, c2 *, c3, c4 *) are transmitted to the decoding device 200.

<Decryption process>
Next, the procedure of the decoding process performed by the decoding device 200 ′ ″ according to the present embodiment will be described with reference to FIG. It is assumed that the decryption device 200 ′ ″ has previously acquired a secret key (x, y, z, w) corresponding to the public key (q, g, g˜, e, f, h). When receiving the compressed ciphertext (c1, c2 *, c3, c4 *) transmitted from the encryption device 100 ″, the decryption device 200 ′ ″ receives the compressed cipher as described in the configuration section above. It is checked whether or not each component of the sentence is a correct group element to verify the validity of the ciphertext (step S80), and the decryption apparatus 200 ′ ″ determines that the ciphertext is valid. If it is determined (step S80: YES), then “c1 ^ w” is obtained as the verification data k1 using the random number w and the ciphertext component c1 as in the fifth embodiment (step S61). Next, the decryption device 200 ′ ″ performs a calculation by a hash function using the ciphertext components c1 and c3 and the compressed ciphertext c2 * to obtain a hash value v (step S81). “” Indicates the value obtained in step S81. 'C1 ^ (x + y × v)' is obtained as verification data k2 using the cache value v, the secret key components x, y, and the ciphertext component c1 (step S63). 'Determines whether the verification data k1 and the c-compressed ciphertext component c2 * are equivalent, and whether the verification data k2 and the compressed ciphertext component c4 * are equivalent (step S82). If both values are the same (step S82: YES), the decoding device 200 ′ ″ performs the processing of step S40 and step 28 in the same manner as in the fifth embodiment described above. Using the obtained intermediate data and the ciphertext component c3, 'm = b ^ (-1) · c3' is calculated (step S30) to obtain the decrypted plaintext m, which is determined in step S80 and step S82. If the result is positive, The device 200 ′ ″ outputs the decrypted plaintext obtained in step S30. If the determination result in step S80 or step S82 is negative, the decryption device 200 ′ ″ outputs an error, Do not output decrypted plaintext.

  As described above, when the identity of the ciphertext component can be determined between different expressions, the processing time for decompression can be reduced by not decompressing the compressed ciphertext component.

[Modification]
Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent components without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent components over different embodiments may be appropriately combined. Further, various modifications as exemplified below are possible.

<Modification 1>
In each of the above-described embodiments, various programs executed by the encryption apparatus 10 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network. good. The various programs are recorded in a computer-readable recording medium such as a CD-ROM, a flexible disk (FD), a CD-R, and a DVD (Digital Versatile Disk) in a file in an installable or executable format. May be configured to be provided. The same applies to various programs executed by the encryption devices 10 ′, 100, 100 ′, 100 ″, the decryption devices 30, 200, 200 ′, 200 ″, 200 ′ ″ and the ciphertext verification device 20, respectively.

  Further, in the above-described embodiment, each unit of the encryption device 10 is generated on a storage device such as a RAM when the CPU program is executed, but all or a part thereof is configured by hardware. You may do it. The same applies to the units included in the encryption devices 10 ′, 100, 100 ′, 100 ″, the decryption devices 30, 200, 200 ′, 200 ″, 200 ″ ″ and the ciphertext verification device 20.

  In the encryption device and the decryption device of each of the above embodiments, the power calculation unit and the multiplication unit are configured to perform the power calculation and multiplication, respectively. However, the power calculation unit and the multiplication unit are used as one calculation unit. The handling and calculation unit may be configured to perform power calculation and multiplication.

<Modification 2>
In the above-described fourth embodiment, the encryption device 100 is configured to compress not only c3 and c4 but also c2 out of the ciphertext components, but in the same manner as in the third embodiment, Only the sentence components c3 and c4 may be compressed.

  In each embodiment, the number of ciphertext components to be compressed is not limited to two or three, but may be one or four. Further, which ciphertext component is compressed is not limited to the above example.

  In the third to sixth embodiments, the ciphertext is configured to include four ciphertext components (c1, c2, c3, c4), but the number of ciphertext components is as follows. Not limited to this.

  Further, in the encryption processing of the third to sixth embodiments, power calculation is performed as a method for obtaining the ciphertext component c4 using the hash value v and the public key component. However, the method is not limited to power calculation.

It is a figure which illustrates the basic composition which verifies the legitimacy of the ciphertext containing a some ciphertext component by the encryption system which makes the grounds of security the discrete logarithm problem of the multiplicative group on a finite field. It is a figure which illustrates the functional structure of the encryption apparatus concerning 1st Embodiment. It is a figure which illustrates the functional structure of the ciphertext verification apparatus concerning the embodiment. It is a flowchart which shows the procedure of the encryption process which the encryption apparatus 10 concerning the embodiment performs. It is a flowchart which shows the procedure of the ciphertext verification process which the ciphertext verification apparatus 20 concerning the embodiment performs. It is a figure which illustrates the encryption apparatus which encrypts plaintext m in ElGamal encryption, and produces | generates a ciphertext, and the decryption apparatus which decrypts a ciphertext. It is a figure which illustrates the functional structure of the encryption apparatus concerning 2nd Embodiment. It is a figure which illustrates the functional structure of the decoding apparatus concerning the embodiment. It is a flowchart which shows the procedure of the encryption process which encryption apparatus 10 'concerning the embodiment performs. It is a flowchart which shows the procedure of the encryption process which the decoding apparatus 30 concerning the embodiment performs. It is a figure which illustrates the basic composition of a Cramer-Shoup encryption scheme. It is a figure which illustrates the outline | summary of the key production | generation process in which the key production | generation apparatus concerning 3rd Embodiment produces | generates a public key and a secret key. It is a figure which illustrates the functional structure of the encryption apparatus 100 concerning the embodiment. It is a figure which illustrates the functional structure of the decoding apparatus 200 concerning the embodiment. It is a flowchart which shows the procedure of the encryption process which the encryption apparatus 100 concerning the embodiment performs. It is a flowchart which shows the procedure of the decoding process which the decoding apparatus 200 concerning the embodiment performs. It is a figure which illustrates the outline | summary of the key production | generation process in which the key production | generation apparatus concerning 4th Embodiment produces | generates a public key and a secret key. It is a figure which illustrates the functional structure of decoding apparatus 200 'concerning the embodiment. It is a flowchart which shows the procedure of the decoding process which decoding apparatus 200 'concerning the embodiment performs. It is a figure which illustrates the outline | summary of the key production | generation process in which the key production | generation apparatus concerning 5th Embodiment produces | generates a public key and a secret key. It is a figure which illustrates the functional structure of the encryption apparatus 100 concerning the embodiment. It is a figure which illustrates the functional structure of the decoding apparatus 200 '' concerning the embodiment. It is a flowchart which shows the procedure of the encryption process which the encryption apparatus 100 concerning the embodiment performs. It is a flowchart which shows the procedure of the decoding process which the decoding apparatus 200 '' concerning the embodiment performs. It is a figure which illustrates the functional structure of encryption apparatus 100 '' concerning 6th Embodiment. It is a figure which illustrates the functional structure of the decoding apparatus 200 '' '' concerning the embodiment. It is a flowchart which shows the procedure of the encryption process which encryption apparatus 100 '' concerning the embodiment performs. It is a flowchart which shows the procedure of the decoding process which the decoding apparatus 200 '' '' concerning the embodiment performs.

Explanation of symbols

10, 10 ', 100, 100', 100 "encryption device 11 plaintext receiving unit 12 public key receiving unit 13 first ciphertext generation unit 14 ciphertext component compression unit 15 first ciphertext generation unit 16 ciphertext output unit 20 Ciphertext verification device 21 Ciphertext reception unit 22 Secret key reception unit 23 Intermediate data generation unit 24 Ciphertext component decompression unit 25 Validity verification unit 26 Verification result output unit 30 Decryption device 31 Ciphertext reception unit 32 Private key reception unit 33 Intermediate Data generation unit 34 Ciphertext component decompression unit 35 Decrypted plaintext generation unit 36 Decrypted plaintext output unit 101 Random number generation unit 102 First power calculation unit 103 Multiplication unit 104 Ciphertext component compression unit 105 Hash value calculation unit 106 Second power calculation Unit 107 second ciphertext component compression unit 200, 200 ′, 200 ″, 200 ′ ″ decryption device 201 hash calculation unit 202 compression ciphertext component decompression unit 203 first Power calculation unit 204 Second power calculation unit 205 Inverse element calculation unit 206 First multiplication unit 207 Second multiplication unit 208 Third multiplication unit 209 Torus element verification unit 210 Validity verification unit 211 Decoded plaintext output unit 212 Third power calculation Part

Claims (24)

An encryption device that encrypts plaintext by an encryption method based on the safety of a discrete logarithm problem of a multiplicative group on a finite field and outputs a ciphertext including a plurality of ciphertext components,
A plaintext receiver for receiving plaintext;
A public key receiving unit that receives a public key including one or more public key components;
A ciphertext component generation unit that generates at least one first ciphertext component that is a ciphertext component using the received plaintext and the public key component;
A first ciphertext component compression section that compresses at least one first ciphertext component to obtain a first compressed ciphertext component;
A second ciphertext component is generated using at least one of the received plaintext, the public key component, the first ciphertext component, and the first compressed ciphertext component. A second ciphertext component generation unit;
An encryption apparatus comprising: a ciphertext output unit that outputs a ciphertext including at least the first compressed ciphertext component and the second ciphertext component. An encryption device that encrypts plaintext by an encryption method based on the safety of a discrete logarithm problem of a multiplicative group on a finite field and outputs a ciphertext including a plurality of ciphertext components,
A plaintext receiver for receiving plaintext;
A public key receiving unit that receives a public key including one or more public key components;
A first ciphertext component generation unit that generates at least one first ciphertext component that is a ciphertext component using the received plaintext and the public key component;
A first ciphertext component compression section that compresses at least one first ciphertext component to obtain a first compressed ciphertext component;
A second ciphertext component is generated using at least one of the received plaintext, the public key component, the first ciphertext component, and the first compressed ciphertext component. A second ciphertext component generation unit;
A second ciphertext component compression unit that compresses at least one of the second ciphertext components to obtain a second compressed ciphertext component;
An encryption apparatus comprising: a ciphertext output unit that outputs a ciphertext including at least the first compressed ciphertext component and the second compressed ciphertext component. The second ciphertext generation unit
A hash calculation unit that calculates a hash value using at least one of the first compressed ciphertext components;
The encryption apparatus according to claim 1, further comprising: a generation unit that generates the second ciphertext component using the hash value. The ciphertext is a compressed plaintext obtained by compressing a plaintext generating ciphertext component used for generating a plaintext at the time of decryption or the plaintext generating ciphertext by the first ciphertext component compressing unit or the second ciphertext component compressing unit. The ciphertext component for generation and the general ciphertext component or the general ciphertext component used for generating the plaintext and verifying the validity of the ciphertext at the time of decryption are used as the first ciphertext component compression unit or the second ciphertext. The compressed overall ciphertext component compressed by the component compression unit, the verification ciphertext component used for verifying the validity of the ciphertext at the time of decryption, or the verification ciphertext component are used as the first ciphertext component compression unit or the second ciphertext component compression unit. A ciphertext component for compression verification compressed by the ciphertext component compression section of
The first ciphertext component includes at least the plaintext generating ciphertext component and the general ciphertext component,
The first ciphertext generation unit calculates a first encryption coefficient by performing multiplication using the public key, and performs multiplication of the first encryption coefficient and the plaintext to perform the plaintext. Calculate a ciphertext component for generation, calculate the overall ciphertext component by performing multiplication using the public key,
The hash value calculation unit calculates a hash value using at least the plaintext generation ciphertext component or the compressed plaintext generation ciphertext component, and the general ciphertext component or the compression general ciphertext component,
The generating unit generates the second ciphertext component including the verification ciphertext component by performing multiplication and exponentiation using the hash value and the public key. The encryption device according to claim 3. The first ciphertext generation unit
A random number generator for generating random numbers;
A first encryption coefficient is calculated by performing multiplication by which an exponent should be the random number using the first public key component included in the public key, and the first encryption coefficient and the plaintext are calculated. The plaintext generation ciphertext component is calculated by performing multiplication, and the overall ciphertext component is calculated by performing multiplication in which the exponent should be the random number using the second public key component included in the public key. A calculation unit for calculating,
The generation unit calculates a second encryption coefficient by performing multiplication by which an exponent should be the random number using a third public key component included in the public key, and includes a second encryption coefficient included in the public key. A third encryption coefficient is calculated by multiplying the exponent that should be the product of the random number and the hash value using the public key component of 4, and the second encryption coefficient and the third encryption coefficient The encryption apparatus according to claim 4, wherein the second ciphertext component including the verification ciphertext component is generated by multiplying an encryption coefficient. The calculation unit calculates a first encryption coefficient by performing a multiplication in which an exponent should be the random number using a first public key component included in the public key, and the first encryption coefficient The plaintext generation ciphertext component is calculated by multiplying the plaintext by multiplying the plaintext by using the at least two second public key components included in the public key. 6. The encryption apparatus according to claim 5, wherein at least two of the total ciphertext components are calculated by performing. The first ciphertext component compression unit compresses at least one of the first ciphertext components to obtain a first compressed ciphertext component expressed in an affine expression. The encryption apparatus as described in any one of thru | or 6. The second ciphertext component compression unit compresses at least one of the second ciphertext components to obtain a second compressed ciphertext component expressed in an affine expression. The encryption device according to any one of 2 to 7. The encryption apparatus according to any one of claims 2 to 8, wherein the first ciphertext component compression unit and the second ciphertext generation unit are operable in parallel. A decryption device that obtains a plaintext by decrypting a ciphertext including a plurality of ciphertext components that is encrypted by a cryptosystem based on the safety of the discrete logarithm problem of a multiplicative group on a finite field,
A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed;
A secret key receiving unit that receives a secret key including one or more secret key components corresponding to the public key used for encrypting the ciphertext;
An intermediate data generation unit that generates intermediate data used for decryption of the ciphertext using at least one of the received ciphertext component and the secret key component;
A ciphertext component decompression unit that decompresses the compressed ciphertext component into a decompressed compressed ciphertext component that is expressed in an operable expression;
A decrypted plaintext generation unit that generates a decrypted plaintext using at least one of the intermediate data, the decompressed compressed ciphertext component, and the ciphertext component;
And a decrypted plaintext output unit that outputs the decrypted plaintext. Verification data for generating verification data for verifying the validity of the ciphertext using at least one of the part of the intermediate data, the decompressed compressed ciphertext component, and the ciphertext component A generator,
A validity verification unit that verifies the validity of the ciphertext using at least a part of the verification data and the ciphertext component for verification,
The decrypted plaintext output unit outputs the plaintext when the ciphertext is verified as valid, and outputs that the ciphertext is not valid when the ciphertext is verified as invalid. The decoding device according to claim 10. The ciphertext includes a plaintext generating ciphertext component which is a ciphertext component used for generating the plaintext, or a compressed plaintext generating ciphertext component obtained by compressing the plaintext generating ciphertext component, and the generation of the plaintext and the ciphertext. A ciphertext component that is a ciphertext component used for verifying the validity of the ciphertext, or a compressed general ciphertext component that is a compression of the total ciphertext component, and a ciphertext component that is used for verifying the validity of the ciphertext Including four ciphertext components including a ciphertext component or a compressed verification ciphertext component obtained by compressing the verification ciphertext component,
The intermediate data generation unit
A hash value calculation unit that calculates a hash value using at least the plaintext generation ciphertext component or the compressed plaintext generation ciphertext component, and the total ciphertext component or the compression total ciphertext component;
The generation unit that generates the intermediate data using at least one of the hash value and the received ciphertext component and the secret key component. Decoding device. 13. The ciphertext component decompression unit decompresses the compressed ciphertext component into an expanded compressed ciphertext component expressed by an expanded field expression or a projective expression that is an expression that can be calculated. The decoding device according to claim 1. The validity verification unit verifies the validity of the ciphertext by verifying the equivalence between the verification data and the verification ciphertext component or the compressed verification ciphertext component. The decoding device according to claim 12. 15. The hash value calculation unit, the ciphertext component decompression unit, the verification data generation unit, and the decrypted plaintext generation unit can operate in parallel. Decoding device. 15. The hash value calculation unit, the ciphertext component decompression unit, the verification data generation unit, the decrypted plaintext generation unit, and the generation unit can operate in parallel. The decoding device according to one item. A decryption device that obtains a plaintext by decrypting a ciphertext including a plurality of ciphertext components that is encrypted by a cryptosystem based on the safety of the discrete logarithm problem of a multiplicative group on a finite field,
A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed;
A secret key receiving unit that receives a secret key including one or more secret key components corresponding to the public key used for encrypting the ciphertext;
A plaintext calculation unit for calculating a plaintext using at least one of the received ciphertext component and the secret key component;
A verification data generation unit that generates verification data for verifying the validity of the ciphertext using at least one of the received ciphertext component and the secret key component;
A validity verification unit that verifies the validity of the ciphertext using at least the compressed ciphertext component and the verification data;
A decrypted plaintext output unit that outputs the plaintext when the ciphertext is verified as valid and outputs that the ciphertext is invalid when the ciphertext is verified as invalid A decoding device characterized by the above. The ciphertext is used for plaintext generation ciphertext components used for generation of the plaintext, a general ciphertext component used for generation of the plaintext and verification of the validity of the ciphertext, and verification of the validity of the ciphertext. Including four ciphertext components including a verification ciphertext component or a compressed verification ciphertext component obtained by compressing the verification ciphertext component,
The verification data generation unit includes:
A hash value calculation unit that calculates a hash value using at least the plaintext generation ciphertext component and the general ciphertext component;
The decryption according to claim 17, further comprising: a generation unit that generates the verification data using at least one of the hash value, the received ciphertext component, and the secret key component. apparatus. The decryption apparatus according to any one of claims 10 to 18, further comprising a torus element verification unit that verifies whether each ciphertext component is a correct torus element. A ciphertext validity verification device that verifies the validity of a ciphertext that is encrypted by a cryptosystem that is based on the safety of the discrete logarithm problem of a multiplicative group on a finite field and includes a plurality of ciphertext components,
A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed;
A secret key receiving unit that receives a secret key including one or more secret key components corresponding to the public key used for encrypting the ciphertext;
An intermediate data generation unit that generates intermediate data used for decryption of the ciphertext using at least one of the received ciphertext component and the secret key component;
A ciphertext component decompression unit that decompresses the compressed ciphertext component expression into an expanded compressed ciphertext component that is an operable expression;
A validity verification unit that verifies the validity of the ciphertext using at least one of the intermediate data, the decompressed compressed ciphertext component, and the ciphertext component;
A ciphertext verification apparatus comprising: a verification result output unit that outputs a verification result of the validity verification unit. A ciphertext verification apparatus that verifies the validity of a ciphertext that is encrypted by a cryptosystem that is based on the safety of the discrete logarithm problem of a multiplicative group on a finite field and includes a plurality of ciphertext components,
A ciphertext receiving unit that receives a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed;
A secret key receiving unit that receives a secret key including one or more secret key components corresponding to the public key used for encrypting the ciphertext;
A plaintext calculation unit for calculating a plaintext using at least one of the received ciphertext component and the secret key component;
A verification data generation unit that generates verification data for verifying the validity of the ciphertext using at least one of the received ciphertext component and the secret key component;
A validity verification unit that verifies the validity of the ciphertext using at least the compressed ciphertext component and the verification data;
A ciphertext verification apparatus comprising: a verification result output unit that outputs a verification result of the validity verification unit. An encryption method that is executed by an encryption device that encrypts plaintext by an encryption method that lays the grounds for safety in a discrete logarithm problem of a multiplicative group over a finite field and outputs a ciphertext containing a plurality of ciphertext components ,
A plaintext receiving step for receiving plaintext;
A public key receiving step of receiving a public key including one or more public key components;
A first ciphertext component generation step of generating at least one first ciphertext component that is a ciphertext component using the received plaintext and the public key component;
A first ciphertext component compression step of compressing at least one of the first ciphertext components to obtain a first compressed ciphertext component;
A second ciphertext component is generated using at least one of the received plaintext, the public key component, the first ciphertext component, and the first compressed ciphertext component. 2 ciphertext component generation step;
A ciphertext output step of outputting a ciphertext including at least the first compressed ciphertext component and the second ciphertext component. A decryption method executed by a decryption device that decrypts a ciphertext containing a plurality of ciphertext components encrypted by a cryptosystem based on the safety of the discrete logarithm problem of a multiplicative group over a finite field, and obtains plaintext ,
A ciphertext receiving step of receiving a ciphertext including a compressed ciphertext component in which at least one of the ciphertext components is compressed;
A secret key receiving step of receiving a secret key including one or more secret key components corresponding to the public key used for encrypting the ciphertext;
An intermediate data generation step of generating intermediate data necessary for decryption using at least one of the received ciphertext component and the secret key component;
A ciphertext component decompression step for decompressing the compressed ciphertext component into a decompressed compressed ciphertext component expressed in an operable expression;
A decrypted plaintext generation step for generating a decrypted plaintext using at least one of the intermediate data, the decompressed compressed ciphertext component, and the ciphertext component;
A decrypted plaintext output step for outputting the decrypted plaintext.   24. A program for causing a computer to execute the method according to claim 22 or 23.

Images