JP2013156675A - Ciphertext retrieval system, retrieval information generation device, retrieval execution device, retrieval request device, ciphertext retrieval method, retrieval information generation method, retrieval execution method, retrieval request method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent estimation of a retrieval keyword by dictionary attack and suppress increase of storage capacity which is added in response to increase of a retrieval processing amount.SOLUTION: In a ciphertext retrieval system 20, a retrieval information generation device 101 transmits a ciphertext Cobtained by encrypting a plaintext M to a cipher information storage device 500, and a retrieval index Cwhich is a set composed of information R, information Robtained by encrypting the information Rand information Rfor uniquely identifying the ciphertext Cto a retrieval information storage device 400. A retrieval request device 200 transmits a retrieval query kto a retrieval execution device 300. The retrieval execution device 300 acquires the retrieval index Cfrom the retrieval information storage device 400, determines whether or not a decryption result R obtained by decrypting the information Rmatches the information R, and transmits a matching retrieval index to the retrieval request device 200. The retrieval request device 200 acquires the ciphertext Cidentified by the information Rfrom the cipher information storage device 500.

Description

  The present invention provides, for example, a ciphertext search system, a search information generation device, a search execution device, and a search request device capable of performing a keyword search cryptographically and safely with respect to encrypted information stored in a cloud storage or the like The present invention relates to a ciphertext search method, a search information generation method, a search execution method, a search request method, and a program.

  2. Description of the Related Art In recent years, there has been a use form of a computer called cloud computing (hereinafter referred to as a cloud) that uses computer resources and functions (for example, a network / server / storage / application / service) as a service via a network such as the Internet. It is expanding. In particular, a service providing form that uses storage resources on the cloud as external storage for storing information is called a cloud storage service or an online storage service.

  Cryptographic cloud storage that safely realizes information storage in an online storage service on the cloud by applying cryptography has been proposed (see Non-Patent Document 1). Cryptographic cloud storage described in Non-Patent Document 1 is a technology that prevents information leakage from messages stored on the cloud, a search technology that does not leak except for information on which documents have been searched, and documents Is composed of technology that guarantees that it is stored without being tampered with.

  However, since the cryptographic cloud storage described in Non-Patent Document 1 uses a common-key searchable encryption, a search query must be obtained directly from the document creator in order to perform a search. Accordingly, there is a problem that the search function cannot be used unless communication with the document creator is possible.

  Inner product predicate searchable cipher, which is a public key searchable cipher converted from inner product predicate encryption (see Non-Patent Document 2), as a method for realizing search with equivalent security without directly communicating with the document creator Has been proposed (see Non-Patent Document 3, Non-Patent Document 4, and Non-Patent Document 5). The public key type searchable cipher is a ciphertext search method in the inner product predicate encryption using a ciphertext as a search index, a secret key as a search query, an attribute as a registered keyword, and a predicate as a search keyword. By using public key searchable encryption, it is possible to search for ciphertext without leaking information about what keyword is being searched to a third party without communicating with the document creator. Non-Patent Document 3 is an inner product predicate searchable cipher that enables partial matching search using the hierarchical inner product predicate encryption described in Non-Patent Document 2. Non-Patent Document 4 is an inner product predicate searchable cipher that can be used by a plurality of users by using the hierarchical inner product predicate cipher described in Non-Patent Document 2. Non-Patent Document 5 is an inner product predicate searchable cipher that realizes an efficient search process by enabling batch search in the hierarchical inner product predicate cipher described in Non-Patent Document 2.

S. Kamara and K. Lauter. “Cryptographic cloud storage.” In Financial Cryptography Workshops, pp. 136-149, 2010. T. Okamoto and K. Takashima. “Hierarchical predicate encryption for inner-products.” In ASIACRYPT, pp. 214-231, 2009. R. Yoshida, S. Oda, and T. Kobayashi. “Public-key encryption with partial matching keyword search.” In Symp. On Cryptography and Information Security, 2010. R. Yoshida, A. Nagai, and T. Kobayashi. “Hierarchical predicate encryption with keyword search in multi-user setting.” In Computer Security Symposium, 2010. R. Yoshida, A. Nagai, T. Kobayashi, and H. Fuji. “An algorithm for inner-product batch searchable encryption.” In Symp. On Cryptography and Information Security, 2011.

  However, since a conventional ciphertext search system can generate a search index only from public information, it is known that a search keyword specified in a search query can be estimated by a dictionary attack (for details, see “ JW Byun, HS Rhee, H. Park, and DH Lee. See “Off-line keyword guessing attacks on recent keyword search schemes over encrypted data.” In Secure Data Management, pp. 75-83, 2006.).

  In the conventional ciphertext search system, the device that stores the cipher information including the search index and the ciphertext and the device that executes the search are configured as the same device. For this reason, when adding a search agent device in order to cope with an increase in search processing amount, it is necessary to store all encryption information in each search agent device to be added, and the storage capacity required for the entire system There has been a problem of increasing.

  The present invention has been made in view of these points, and prevents an estimation of a search keyword due to a dictionary attack and suppresses a storage capacity required for an increase in the amount of search processing, a ciphertext search system, a cipher An object is to provide a sentence search method, a search information generation device, a search execution device, a search request device, and a program.

The ciphertext search system of the present invention includes a search information generation device, a search request device, and a search execution device. Ciphertext search system of the invention uses a search index C ₂ stored in the search information storage unit, with respect to the ciphertext C ₁ to the plaintext M is stored in the encryption information storage apparatus encrypts containing the string Perform a keyword search. The search information generation device includes a search index generation unit. Search index generation unit generates information R ₁ comprising an arbitrary bit string. Information R _1, the public key pk that is previously generated by encrypting using the keywords W _T is a keyword associated with the plaintext M, generates information R _2. Information R ₃ for uniquely identifying the ciphertext C ₁ is generated. A search index C ₂ : = (R ₁ , R ₂ , R ₃ ) including information R ₁ , information R _2, and information R ₃ as a set is transmitted to the search information storage device. The search request device includes a search query generation unit and a ciphertext acquisition unit. Search query generation unit includes a search keyword W _Q, using the master secret key sk to be the public key pk paired to generate a search query k ^* is the private key for decrypting the information R _2. A search query k ^* is transmitted to the search execution device. Ciphertext acquisition unit acquires the ciphertext C ₁ identified by information R ₃ included in the search results C ₃ received from the search execution unit from the encryption information storage unit. The search execution device includes a search index acquisition unit, a search result determination unit, and a search result transmission unit. Search index acquiring unit acquires a search index C ₂ from the search information storage device. Search result determination unit generates the decryption result R by decrypting with the search index C ₂ search information R ₂ which are included in the query k ^*. It determines whether information R ₁ contained the decryption result R in the search index C ₂ coincide. The search result transmission unit extracts at least information R ₃ from the search index C ₂ determined to be matched by the search result determination unit, and generates a search result C ₃ . It sends the search results C ₃ to the search request unit.

  According to the ciphertext search system of the present invention, since the search query does not leak to the device that stores the cipher information, it is possible to prevent the search keyword from being estimated by a dictionary attack. Therefore, security can be improved with respect to the conventional ciphertext search system. In addition, since the device that stores the encryption information and the device that executes the search are configured separately, the storage capacity to be added can be suppressed with respect to an increase in the search processing amount.

The block diagram which shows the structural example of the conventional ciphertext search system. The block diagram which shows the structural example of the apparatus which comprises the conventional ciphertext search system. The figure which shows the operation example in which the conventional ciphertext search system produces | generates and preserve | saves a ciphertext. The figure which shows the operation example in which the conventional ciphertext search system searches and decodes a ciphertext. 1 is a block diagram illustrating a configuration example of a ciphertext search system according to a first embodiment. 1 is a block diagram illustrating a configuration example of an apparatus that configures a ciphertext search system according to a first embodiment. FIG. 5 is a diagram illustrating an operation example in which the ciphertext search system according to the first embodiment generates and stores a ciphertext. FIG. 6 is a diagram illustrating an operation example in which the ciphertext search system according to the first embodiment searches and decrypts ciphertext. The block diagram which shows the structural example of the ciphertext search system of Example 1 modification. The block diagram which shows the structural example of the apparatus which comprises the ciphertext search system of Example 1 modification. FIG. 3 is a block diagram illustrating a configuration example of a ciphertext search system according to a second embodiment. FIG. 6 is a block diagram illustrating a configuration example of an apparatus configuring the ciphertext search system according to the second embodiment. The figure which shows the operation example which the ciphertext search system of Example 2 produces | generates and preserve | saves a ciphertext. The figure which shows the operation example in which the ciphertext search system of Example 2 searches and decodes a ciphertext. FIG. 9 is a block diagram illustrating a configuration example of a ciphertext search system according to a third embodiment. FIG. 9 is a block diagram illustrating a configuration example of an apparatus configuring the ciphertext search system according to the third embodiment. FIG. 10 is a diagram illustrating an operation example in which the ciphertext search system according to the third embodiment searches and decrypts a ciphertext. The block diagram which shows the structural example of the ciphertext search system of Example 3 modification. The block diagram which shows the structural example of the apparatus which comprises the ciphertext search system of Example 3 modification. The figure which shows the operation example in which the ciphertext search system of Example 3 modification searches and decrypts a ciphertext.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.

[Description of conventional ciphertext search system]
Prior to the description of the embodiment, the operation of the ciphertext search system 10 using the conventional inner product predicate searchable cipher will be described in detail with reference to FIGS. FIG. 1 is a block diagram showing a configuration of a conventional ciphertext search system 10. FIG. 2 is a block diagram showing the configuration of each device constituting the conventional ciphertext search system 10. FIG. 3 is a flowchart showing an operation in which the conventional ciphertext search system 10 generates and stores ciphertext. FIG. 4 is a flowchart showing an operation in which the conventional ciphertext search system 10 searches and decrypts ciphertext.

  The configuration of a conventional ciphertext search system 10 will be described with reference to FIGS. A conventional ciphertext search system 10 includes the Internet 1, a network 2, a search information generation device 100, a search request device 200, and a search proxy device 800. The search proxy device 800 is connected to the Internet 1. The search information generation device 100 and the search request device 200 are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall, and the search information generating device 100, the search requesting device 200, and the search proxy device 800 are configured to be able to communicate with each other. The search information generation device 100 includes a ciphertext generation unit 110 and a search index generation unit 120. The search request device 200 includes a search query generation unit 210 and a decryption unit 290. The search proxy device 800 includes a search result determination unit 810, a search result transmission unit 820, and a storage unit 890.

  With reference to FIG. 3, the operation | movement in which the conventional ciphertext search system 10 produces | generates and preserve | saves a ciphertext is demonstrated according to the order of the procedure actually performed.

Ciphertext generator 110 of the retrieval information generating apparatus 100 encrypts the plaintext M to generate a ciphertext _{C 1} (S110). Search index generator 120 of the information generating device 100 generates an arbitrary bit string as the information _{R 1} (S1210). Subsequently, the search index generation unit 120 of the retrieval information generating apparatus 100, the information R _1, using the keywords W _T and the public key pk that is previously generated by encrypting the inner product predicate encryption scheme, information R ₂ is generated (S1220). Subsequently, the search index generation unit 120 of the retrieval information generating apparatus 100, the information _{R 1} and information _{R 2} a pair with the search index _C 2: _{= (R} 1, _{R 2)} generates a search index _{C 2} Cryptographic information C ₀ = (C ₂ , C ₁ ) with ciphertext C ₁ as a set is transmitted to search proxy device 800. The proxy search device 800 stores the encrypted information C ₀ received from the search information generation device 100 in the storage unit 890 (S890).

With reference to FIG. 4, the operation of the conventional ciphertext search system 10 for searching and decrypting ciphertext will be described according to the order of procedures actually performed. Search query generation unit 210 of the search request unit 200 uses the search keyword W _Q, the master secret key sk to be the public key pk paired, it is a secret key for decoding information R ₂ by the inner product predicate encryption scheme A search query k ^* is generated (S210). Subsequently, the search query generation unit 210 of the search request device 200 transmits the search query k ^* to the search proxy device 800. The search result determination unit 810 of the search proxy device 800 uses the search query k ^* received from the search request device 200 to determine whether or not the search is successful for each piece of encrypted information C ₀ stored in the storage unit 890. (S810). Whether the search is successful or not is determined by decrypting the information R ₂ included in the search index C ₂ by the inner product predicate encryption method using the search query k ^* for all the encrypted information C _0. It is generated depending on whether or not the information R ₁ included in the search index C ₂ matches the decryption result R. Then, the search result transmitting unit 820 of the search proxy apparatus 800 extracts all the ciphertext _{C 1} included in the encrypted information _{C 0} which is determined per transmitted to the search request unit 200 (S820). Decoding unit 290 of the search request unit 200 acquires plaintext M by decrypting the ciphertext _{C 1} received from the search proxy device 800 (S290).

[Problems of conventional ciphertext search system]
The search agent device 800 and the search request device 200 are connected via the Internet 1. Therefore, the search query k ^* generated by the search request device 200 and transmitted to the search agent device 800 is transmitted / received via the Internet. When the search agent device 800 is configured as an online storage service on the cloud, the search agent device 800 is provided by a service provider that is an external third party. This means that the search query k ^*, which is a secret key of the inner product predicate encryption method, is leaked to an external third party. Information that same search query k ^* or ciphertext C ₁ it is determined that the hit is either by also means that leakage to outside parties. On the other hand, the search index C ₂ is to be generated using the keywords W _T that specifies the public key pk and optionally, it is also possible to search proxy device 800 to generate a search index to specify any keywords . Therefore, the search proxy device 800, the search index generated by any keywords, by decoding a search query k ^*, obtained, it is possible to estimate the search keyword W _Q specified in the search query k ^* is there. Further, the proxy search device 800 can infer the contents of the ciphertext C ₁ determined to be a hit by the search. Thus, the conventional ciphertext search system is vulnerable to dictionary attacks.

In addition, the search proxy device 800 includes a search result determination unit 810 that executes a search and a storage unit 890 that stores encryption information C _{0. The} storage unit 890 includes a combination of a search index C ₂ and a ciphertext C ₁ . All the encryption information _C0 is stored. Therefore, the storage capacity required for the entire system is a capacity obtained by multiplying the combined capacity of all the encryption information C ₀ by the number of search proxy devices 800. For this reason, when the search proxy device 800 is added to cope with the increase in the search processing amount, it is necessary to store all the encryption information C ₀ in each search proxy device 800 to be added, and the required storage capacity There has been a problem of increasing.

  This embodiment is an embodiment in which the present invention is applied to an inner product predicate searchable cipher capable of partial match search. Refer to Non-Patent Document 3 for details of the inner product predicate searchable cipher capable of partial match search.

  With reference to FIGS. 5-8, operation | movement of the ciphertext search system 20 of Example 1 of this invention is demonstrated in detail. FIG. 5 is a block diagram showing the configuration of the ciphertext search system 20 of the present embodiment. FIG. 6 is a block diagram showing the configuration of the apparatus that constitutes the ciphertext search system 20 of the present embodiment. FIG. 7 is a flowchart showing an operation in which the ciphertext search system 20 of this embodiment generates and stores a ciphertext. FIG. 8 is a flowchart showing an operation in which the ciphertext search system 20 of this embodiment searches and decrypts a ciphertext.

  The configuration of the ciphertext search system 20 according to this embodiment will be described with reference to FIGS. The ciphertext search system 20 according to this embodiment includes the Internet 1, the network 2, a search information generation device 101, a search request device 201, a search execution device 300, a search information storage device 400, and a cipher information storage device 500. The search information storage device 400 and the encryption information storage device 500 are connected to the Internet 1. The search information generation device 101, the search request device 201, and the search execution device 300 are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall, and the search information generation device 101, the search request device 201, the search execution device 300, the search information storage device 400, and the encryption information storage device 500 are mutually connected. It is configured to be able to communicate with. The search information generation apparatus 101 includes a ciphertext generation unit 110 and a search index generation unit 121. The search request device 201 includes a search query generation unit 210, a ciphertext acquisition unit 220, and a decryption unit 290. The search execution device 300 includes a search index acquisition unit 310, a search result determination unit 320, and a search result transmission unit 330. The search information storage device 400 includes a search index storage unit 490. The cipher information storage device 500 includes a ciphertext storage unit 590.

  The search information storage device 400 and the encryption information storage device 500 may be configured as a file sharing service using a file server, NAS (Network Attached Storage), SAN (Storage Area Network), or provided as an online storage service on the cloud. May be. In the present embodiment, an example in the case of being configured as an online storage service on the cloud will be described. The search information storage device 400 and the encryption information storage device 500 are connected to the Internet 1 because they are configured as an online storage service on the cloud, and the search information storage device 400 and the encryption information storage device 500 share files. When configured as a service, the search information storage device 400 and the encryption information storage device 500 can be connected to the network 2. The same applies to Examples 2 and 3 described later.

  With reference to FIG. 7, the operation of the ciphertext search system 20 of the present embodiment for generating and storing a ciphertext will be described in the order of procedures actually performed.

First, as an initialization process, the administrator receives the security parameter 1 ^λ as input and executes Setup to generate a public key pk and a master secret key sk. The master secret key sk is transmitted to the search request device 201.

Ciphertext generator 110 of the retrieval information generating apparatus 101 encrypts the plaintext M including a character string to generate a ciphertext _{C 1} (S110). The encryption method here is not limited. For example, a common key cryptosystem or a public key cryptosystem can be used. In the case of the common key cryptosystem, the plaintext M is encrypted with a common key shared between the search information generation device 101 and the search request device 201. In the case of the public key cryptosystem, the plaintext M is encrypted with the public key of the search request device 201 that is made public by, for example, the public key infrastructure (PKI). Subsequently, the ciphertext generation unit 110 of the search information generation apparatus 101 transmits the ciphertext C ₁ to the cipher information storage apparatus 500.

Encryption information storage unit 500, the ciphertext _{C 1} received from retrieval information generating apparatus 101 stores the ciphertext storage unit 590 (S590).

Search index generation unit 121 of the search information generating device 101 generates an arbitrary bit string as the information _{R 1} (S1210). For example, it sets to zero as the number in the information R _1. Subsequently, the search index generation unit 121 of the retrieval information generating apparatus 101, the information R _1, using the keywords W _T and the public key pk that is previously generated by encrypting the inner product predicate encryption scheme, information R ₂ is generated (S1220). Keywords W _T is the keyword to be retrieved, it is arbitrarily set by the user. For example, a character string included in the plaintext M, a word indicating the content of the plaintext M, or the like can be set.

  The inner product predicate encryption method is a predicate encryption using an inner product in which the ciphertext can be correctly decrypted on the condition that the inner product of the attribute vector and the predicate vector is zero. For details on inner product predicate encryption, see “J. Katz, A. Sahai, and B. Waters.“ Predicate encryption supporting disjunctions, polynomial equations, and inner products. ”In EUROCRYPT, pp. 146-162, 2008.” “AB Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters.“ Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. ”In EUROCRYPT, pp. 62-91, 2010 . ”Or Non-Patent Document 2.

The inner product predicate searchable cipher is a cipher text search method using the ciphertext as a search index, a secret key as a search query, an attribute as a registered keyword, and a predicate as a search keyword in the inner product predicate cipher described above. In inner product predicate searchable encryption, using the registration keyword W _T generates the attribute vector x ^→, to generate a predicate vector v ^→ using a search keyword W _Q. The inner product of the attribute vector x ^→ and the predicate vector v ^→ is 0, that is, <x ^→ , v ^→ > = 0 means matching between the registered keyword and the search keyword.

Specifically, the attribute vector x ^→ is generated as follows. r number of attribute value variable X _{1, ...,} in order to handle the logical sum of d times for the X _r, X 1, ..., to provide all of the degree d following the following monomials consisting of X _r. A vector having each component in the order in which this monomial is included in a lexicographic order including 1 is called a d-th order variable vector for the attribute value variables X ₁ ,..., X _r . Here, the variable vector is described as X ^→ _{r, d} .

Let the i-th character of the r-letter registered keyword W _{T be} w _i (1 ≦ i ≦ r). For the attribute variable X _i , X _i = w _i . When x ^→ satisfies the equation (1), the attribute vector x ^→ is also referred to as an attribute vector on the variable vector X ^→ _{r, d} .

  r is set as a system specification to an integer fixed value satisfying 1 ≦ r. d is set as a system specification to an integer fixed value satisfying 1 ≦ d ≦ r. In this embodiment, d = r. That is, a logical sum corresponding to the number of characters of the registered keyword is allowed in the predicate polynomial.

Subsequently, the search index generation unit 121 of the search information generating device 101 generates information _{R 3} for uniquely identifying the ciphertext _{C 1} (S1230). The information R ₃ may be any information as long as it can uniquely identify the ciphertext C ₁ , and can be, for example, an output of a hash function using the ciphertext C ₁ as an input. Then, the search index generation unit 121 of the search information generation apparatus 101 generates a search index C ₂ : = (R ₁ , R ₂ , R ₃ ) that includes the information R ₁ , the information R _2, and the information R ₃ as a set. And transmitted to the search information storage device 400.

Search information storage device 400 stores the search index _{C 2} received from retrieval information generating apparatus 101 to the search index storage unit 490 (S490).

  With reference to FIG. 8, the ciphertext search system 20 according to the present embodiment will be described in accordance with the order of procedures in which ciphertext is retrieved and decrypted.

Search query generation unit 210 of the search request unit 201 generates a predicate vector v ^→ from the search keyword _{W Q.} The master secret key sk becomes the predicate vector v ^→ and the public key pk paired with, generating a search query k ^* is the private key for decrypting the information R ₂ by the inner product predicate encryption scheme (S210). The search keyword W _Q is a keyword specified as a search condition, and is arbitrarily specified by the user. Subsequently, the search query generation unit 210 of the search request device 201 transmits the search query k ^* to the search execution device 300.

Specifically, the predicate vector v ^→ is generated as follows. When r attribute value variables X ₁ ,..., X _r are allowed to be ORed up to d times, a multivariate polynomial p (X _α ,..., X _β ) (1 ≦ α ≦ β ≦ r) is called a predicate polynomial on the variable vector X ^→ _{r, d} . Variable vector X ^→ _r, predicate polynomial p on the _{d (X α, ..., X} β) , and variable vector X ^→ _{r, d} and a predicate vector v ^→ of the inner product _{^{<X → r, d, v}} →> and think The coefficients of the predicate polynomial p (X _α ,..., X _β ) are the components of the predicate vector v ^{→ in} the order corresponding to the components of the variable vector X ^→ _{r, d} . The other components of the predicate vector v ^→ are 0. The predicate vector v ^→ is also called a predicate vector on the variable vector X ^→ _{r, d} .

the search keyword _{W Q} i-th character of the t character and _{s i (1 ≦ i ≦ t} ≦ r). The predicate polynomial p (X _α ,..., X _β ) on the variable vector X ^→ _{r, d} is determined corresponding to the search method specified at the time of search. Search methods that can be specified include complete match search, forward match search, backward match search, and partial match search. Note that rd _{i, j} (1 ≦ i, j ≦ r) is a random number.

The exact match search is a case where w _i = s _i holds for an arbitrary i (1 ≦ i ≦ r). The predicate polynomial p (X _α ,..., X _β ) in the exact match search is given by equation (2).

The forward matching search is a case where w _i = s _i holds for an arbitrary i (1 ≦ i ≦ t). The predicate polynomial p (X _α ,..., X _β ) in the forward matching search is given by equation (3).

The backward matching search is a case where w _i = s _i holds for an arbitrary i (r−t + 1 ≦ i ≦ r). The predicate polynomial p (X _α ,..., X _β ) in the backward matching search is given by equation (4).

The partial match search is a case where w _i = s _i holds for all i satisfying j ≦ i ≦ t + j−1 ≦ r for an arbitrary j. The predicate polynomial p (X _α ,..., X _β ) in the partial match search is given by equation (5).

Search index acquiring unit 310 of the execution unit 300 downloads the search index _{C 2} stored in the search index storage unit 490 of the search information storage unit 400 (S310). Always all of the search index C ₂ may be downloaded, in order to reduce the network bandwidth used, holds the search index C ₂ that was used at the time of the last execution, it may be downloaded only the difference.

Search result judging unit 320 of the execution unit 300 uses the search query ^{k *} received from the search request unit 201 determines whether per search Search index _{C 2,} respectively (S320). Whether or not the search is successful is determined by decrypting the information R ₂ included in the search index C ₂ by the inner product predicate encryption method using the search query k ^* for all the search indexes C _2. generates, is performed by whether the search index C ₂ to the information R ₁ and decoding result included R match.

The search result transmission unit 330 of the search execution device 300 extracts information R ₃ that uniquely identifies the ciphertext C ₁ from the search index C ₂ determined to be a hit by the search result determination unit 320 and generates a search result C ₃ . And it transmits to the search request | requirement apparatus 201 (S330).

Retrieval request device 201 ciphertext acquisition unit 220 of refers to the information R ₃ included in the search results C ₃ received, all the information R _3, the ciphertext C ₁ that is uniquely identified by the information R ₃ Downloaded from the encryption information storage device 500 (S220).

Decoding unit 290 of the search request unit 201 acquires plaintext M by decrypting the ciphertext _{C 1} downloaded from the encryption information storage unit 500 (S290). The information processing for decrypting the plaintext M is a decryption algorithm corresponding to the encryption method used by the ciphertext generation unit 110 of the search information generation device 100 in S110. For example, when encryption is performed using a common key cryptosystem, the plaintext M is decrypted with a common key shared between the search information generation apparatus 101 and the search request apparatus 201. When the encryption is performed by the public key cryptosystem, the plaintext M is decrypted by the secret key of the search requesting device 201.

With this configuration, the present embodiment can prevent the search query k ^* from leaking to the devices constituting the cloud in the inner product predicate searchable cipher capable of partial match search, Estimation can be prevented. Therefore, security can be improved with respect to the conventional ciphertext search system. In addition, since the encryption information storage device that stores the encryption information and the search execution device that executes the search can be configured as different devices, the search execution device is added in response to the increase in the search processing amount of the entire system. In addition, the storage capacity to be added can be suppressed.

[Modification]
With reference to FIGS. 9 and 10, the configuration of a ciphertext search system 20 ′ according to a modification of the first embodiment will be described. FIG. 9 is a block diagram showing the configuration of the ciphertext search system 20 ′ of the present embodiment. FIG. 10 is a block diagram showing the configuration of the apparatus constituting the ciphertext search system 20 ′ of the present embodiment.

  The ciphertext search system 20 ′ of this embodiment includes the Internet 1, the network 2, a search information generation device 101, a search request device 201 ′, a search information storage device 400, and an encryption information storage device 500. The search information storage device 400 and the encryption information storage device 500 are connected to the Internet 1. The search information generation device 101 and the search request device 201 ′ are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall, and the search information generation device 101, the search request device 201 ′, the search information storage device 400, and the encryption information storage device 500 can communicate with each other. Configured as follows. The search request device 201 ′ includes a search query generation unit 210, a ciphertext acquisition unit 220, a decryption unit 290, a search index acquisition unit 310, and a search result determination unit 320.

  Therefore, the ciphertext search system 20 ′ of the present modified example uses the search index acquisition unit 310 and the search result determination unit 320 provided in the search execution device 300 as a search request device, compared to the ciphertext search system 20 of the first embodiment. The difference is that 201 'is provided and the search execution device 300 is omitted.

  When the amount of search processing required for the entire ciphertext search system is not large and the number of search requesting devices is small, the number of devices in the entire system can be reduced by configuring as in this modification. The idea of this modification can also be applied to Examples 2 and 3 described later.

  The present embodiment is an embodiment in which the present invention is applied to an inner product predicate searchable cipher that can be used by a plurality of users. Refer to Non-Patent Document 4 for details of the inner product predicate searchable encryption that can be used by a plurality of users.

  The operation of the ciphertext search system 30 according to the second embodiment of the present invention will be described in detail with reference to FIGS. FIG. 11 is a block diagram illustrating the configuration of the ciphertext search system 30 according to the present embodiment. FIG. 12 is a block diagram illustrating a configuration of an apparatus that constitutes the ciphertext search system 30 according to the present embodiment. FIG. 13 is a flowchart illustrating an operation in which the ciphertext search system 30 according to the present embodiment generates and stores a ciphertext. FIG. 14 is a flowchart showing an operation in which the ciphertext search system 30 of the present embodiment searches and decrypts a ciphertext.

  The configuration of the ciphertext search system 30 according to this embodiment will be described with reference to FIGS. The ciphertext search system 30 of this embodiment includes the Internet 1, the network 2, a search information generation device 102, a search request device 202, a search execution device 301, a search information storage device 400, and a cipher information storage device 500. The search information storage device 400 and the encryption information storage device 500 are connected to the Internet 1. The search information generation device 102, the search request device 202, and the search execution device 301 are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall, and the search information generation device 102, the search request device 202, the search execution device 301, the search information storage device 400, and the encryption information storage device 500 are mutually connected. It is configured to be able to communicate with. The search information generation device 102 includes a ciphertext generation unit 111, a search index generation unit 122, and a hash value calculation unit 130. The search request device 202 includes a search query generation unit 211, a ciphertext acquisition unit 220, and a decryption unit 290. The search execution device 301 includes a search index acquisition unit 310, a search result determination unit 321, a search result transmission unit 330, a user registration unit 340, and a coefficient calculation unit 350.

  Therefore, the search information generation apparatus 102 of the present embodiment and the search information generation apparatus 101 of the first embodiment include the hash value calculation unit 130, and the difference is that the processing of the ciphertext generation unit and the search index generation unit is different. is there. The difference between the search request device 202 of the present embodiment and the search request device 201 of the first embodiment is that the processing of the search query generation unit is different. The difference is that the search execution device 301 of the present embodiment and the search execution device 300 of the first embodiment include a user registration unit 340 and a coefficient calculation unit 350, and the processing of the search result determination unit is different.

In the following description, ^ represents a power, S is a key seed space, W is a keyword space, G ₁ and G ₂ are cyclic groups of order p, g is a generator of the cyclic group G ₁ , and e is G ₁ × G ₁ → G ₂ pairing function, h _σ is S × W → G ₁ keyed hash function, σ is keyed hash function h _σ random seed, x and ζ are original numbers p It is assumed that the integer is randomly selected in advance from the finite field F _p ^* . The pairing function is, for example, Weil pairing or Tate pairing. The keyed hash function is, for example, SHA-1 or MD5.

  With reference to FIG. 13, the operation of the ciphertext search system 30 according to the present embodiment for generating and storing a ciphertext will be described in the order of procedures actually performed.

First, as an initialization process, the administrator executes the setup twice with the security parameter 1 ^λ as an input, and outputs (public key pk, master secret key sk) and (cipher public key pk _e , encryption master). The secret key sk _e ). Subsequently, the administrator randomly selects x and ζ from the finite field F _p ^* . Subsequently, the administrator randomly selects a random seed σ of the keyed hash function h _σ from the key seed space S. Then, the master secret key sk and x are transmitted to the search execution device 301.

The user registration unit 340 of the search execution device 301 generates a predicate vector v ^→ from a user identifier U for uniquely identifying a user to be registered and attribute information AFL _U corresponding to the user identifier U by an inner product predicate encryption method. To do. The search secret key sk _U is generated using the predicate vector v ^→ and the public key pk generated in advance and the master secret key sk paired with the public key pk. Also, the encryption secret keys sk _{e and U} are generated using the predicate vector v ^→ and the previously generated encryption public key pk _e and the master secret key sk _e paired with the encryption public key pk _e . Subsequently, a random number x _U is randomly selected from the finite field F _p ^* to calculate a complementary key ck _U = g ^ x / x _U. Then, the search secret key sk _U , the encryption secret key sk _{e, U,} and the random number x _U are transmitted to the search information generation device 102 and the search request device 202 (S340).

Ciphertext generator 110 of the retrieval information generating apparatus 102 encrypts the plaintext M including a character string to generate a ciphertext _{C 1} (S110). Ciphertext _{C 1} is, to generate the attribute vector x ^→ from the search authority information AC. Encryption is performed by the inner product predicate encryption method using the attribute vector x ^→ and the encryption public key pk _e . Search authority information AC includes a user identifier U of the user which allows decrypting the ciphertext C _1, consisting of the attribute information AFL _U corresponding to the user identifier U. Subsequently, the ciphertext generation unit 110 of the search information generation apparatus 102 transmits the ciphertext C ₁ to the cipher information storage apparatus 500.

Encryption information storage unit 500, the ciphertext _{C 1} received from the search information generating apparatus 102 stores the ciphertext storage unit 590 (S590).

The hash value calculation unit 130 of the search information generation device 102 randomly selects the random number r _w from the finite field F _p ^* , and uses the registered keyword W _T to generate a hash value H = (h _σ (W _T )) ^ r. _A hash value H is generated by calculating _w x _U (S130). Subsequently, the hash value calculation unit 130 of the search information generation device 102 transmits the hash value H to the search execution device 301.

The coefficient calculation unit 350 of the search execution device 301 calculates the coefficient f = e (H, ck _U ) using the hash value H received from the search information generation device 102 (S350). Subsequently, the coefficient calculation unit 350 of the search execution device 301 transmits the coefficient f to the search information generation device 102.

Search index generation unit 122 of the search information generating device 102 randomly selects a random number r from the cyclic group G _2. The coefficient r ′ = rf is calculated using the random number r and the coefficient f received from the search execution device 301. Then, it generates a random number r as the information _{R 1} (S1210). Subsequently, the search index generation unit 122 of the retrieval information generating apparatus 102, the inner product predicate encryption scheme, and keywords W _T, user identifier U and the user identifier of the user to allow search using the keywords W _T The attribute vector x ^→ is generated from the search authority information AC including the attribute information AFL _U corresponding to _U. (T ₁ ,..., T _N ) is generated by encrypting information R ₁ by the inner product predicate encryption method using the attribute vector x ^→ and the public key pk. Subsequently, τ = g ^ζ is calculated using ζ randomly selected in advance from the generator g of the cyclic group G ₁ and the finite field F _p ^* . Then, information R ₂ : = (T ₁ ,..., T _N , τ, H) is generated with (T ₁ ,..., T _N ), τ, and hash value H as a set (S1220).

Subsequently, the search index generation unit 122 of the search information generating device 102 generates information _{R 3} for uniquely identifying the ciphertext _{C 1} (S1230). Then, the search index generation unit 122 of the search information generation apparatus 102 generates a search index C ₂ : = (R ₁ , R ₂ , R ₃ ) that includes the information R ₁ , the information R _2, and the information R ₃ as a set. And transmitted to the search information storage device 400.

Search information storage device 400 stores the search index _{C 2} received from retrieval information generating apparatus 101 to the search index storage unit 490 (S490).

  With reference to FIG. 14, the ciphertext search system 30 of the present embodiment will be described in the order of procedures actually performed for retrieving and decrypting ciphertext.

Search query generation unit 211 of the search request unit 202, the inner product predicate encryption scheme, generates a predicate vector v ^→ from the search keyword W _Q. Search query k ^* : = (Q ₁ ,..., Q, which is a secret key for decrypting information R ₂ by the inner product predicate encryption method using generated predicate vector v ^→ , public key pk, and search secret key sk _{U N} ) is generated (S211). Subsequently, the search query generation unit 211 of the search request device 202 transmits the search query k ^* to the search execution device 301.

Search index acquiring unit 310 of the execution apparatus 301 downloads the search index _{C 2} stored in the search index storage unit 490 of the search information storage unit 400 (S310).

The search result determination unit 321 of the search execution device 301 uses the search query k ^* : = (Q ₁ ,..., Q _N ) received from the search request device 202 to search the search index C ₂ for all search indexes C _2. information R ₂ contained in ₂ determines whether satisfy equation (6). Determines that the case which satisfies the equation (6), the search index _{C 2} is per search (S321).

The search result transmission unit 330 of the search execution device 301 extracts the information R ₃ that uniquely identifies the ciphertext C ₁ from the search index C ₂ determined to be successful, generates the search result C _3, and the generated search result sending a C ₃ to the search request unit 202 (S330).

The ciphertext acquisition unit 220 of the search requesting device 202 refers to the information R ₃ included in the search result C ₃ received from the search execution device 301 and uniquely identifies all the information R ₃ by the information R _3. Download the ciphertext _{C 1} from the encryption information storage unit 500 (S220).

Decoding unit 290 of the search request unit 202 acquires plaintext M by decrypting the ciphertext _{C 1} downloaded from the encryption information storage unit 500 (S290).

With this configuration, this embodiment can prevent the search query k ^* from leaking to the devices constituting the cloud in the inner product predicate searchable cipher that can be used by a plurality of users. Can be prevented. Therefore, security can be improved with respect to the conventional ciphertext search system. In addition, since the encryption information storage device that stores the encryption information and the search execution device that executes the search can be configured as different devices, the search execution device is added in response to the increase in the search processing amount of the entire system. In addition, the storage capacity to be added can be suppressed.

  The present embodiment is an embodiment in which the present invention is applied to an inner product predicate searchable cipher capable of batch search. Refer to Non-Patent Document 5 for details of the inner product predicate searchable cipher capable of batch search.

  With reference to FIGS. 15-17, the operation | movement of the ciphertext search system 40 of Example 3 of this invention is demonstrated in detail. FIG. 15 is a block diagram showing the configuration of the ciphertext search system 40 of this embodiment. FIG. 16 is a block diagram illustrating a configuration of an apparatus that constitutes the ciphertext search system 40 of the present embodiment. FIG. 17 is a flowchart showing an operation in which the ciphertext search system 40 of this embodiment searches and decrypts a ciphertext.

  The configuration of the ciphertext search system 40 of this embodiment will be described with reference to FIGS. The ciphertext search system 40 of this embodiment includes the Internet 1, the network 2, a search information generation device 102, a search request device 203, a search execution device 302, a search information storage device 400, and a cipher information storage device 500. The search information storage device 400 and the encryption information storage device 500 are connected to the Internet 1. The search information generation device 102, the search request device 203, and the search execution device 302 are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall. It is configured to be able to communicate with. The search request device 203 includes a search query generation unit 212, a ciphertext acquisition unit 220, and a decryption unit 290. The search execution device 302 includes a search index acquisition unit 310, a search result determination unit 322, a search result transmission unit 330, a user registration unit 340, a coefficient calculation unit 350, and a batch tag generation unit 360.

  Therefore, the search request device 203 of the present embodiment and the search request device 202 of the second embodiment are different in the processing of the search query generation unit. The difference is that the search execution device 302 according to the present embodiment and the search execution device 301 according to the second embodiment include a batch tag generation unit 360 and the processing of the search result determination unit is different.

In the following description, ^ represents a power, t is the total number of search indexes C ₂ , j is the number of the search index C ₂ , K (= log ₂ t + 1) is the number of hierarchies of the batch tag BTag, and k (0 ≦ k ≦ K -1) is the number of the layer of the batch tag BTag, M (= 2 ^ (log ₂ tk)) is the number of elements in each layer of the batch tag BTag, and m (1 ≦ m ≦ M) is an element in each layer of the batch tag BTag Number.

  The operation of the ciphertext search system 40 according to the present embodiment for generating and storing a ciphertext is the same as the operation of the ciphertext search system 30 according to the second embodiment generating and storing a ciphertext, and thus description thereof is omitted.

  With reference to FIG. 17, the ciphertext search system 40 according to the present embodiment will be described in accordance with the order of procedures in which ciphertext is retrieved and decrypted.

The search query generating unit 212 of the search requesting device 203 generates a predicate vector v ^→ from a negative keyword W _Qあ る that is a set obtained by removing the search keyword W _Q from the keyword space W by the inner product predicate encryption method. Using the generated predicate vector v ^→ , public key pk, and search secret key sk _U , a search query k ^* : = (Q ₁ ￣,..., Which is a secret key for decrypting information R ₂ by the inner product predicate encryption method Q _N ￣) is generated (S212). Subsequently, the search query generation unit 212 of the search request device 202 transmits the search query k ^* to the search execution device 300.

A method of generating the predicate vector v ^→ from the negative keyword W _Q ￣ of the search keyword W _Q can be performed as follows, for example. First, keywords _{X 1} is a search keyword _{Y 1,} or keywords _{X 2} is a search keyword _{Y 2,} ..., or keywords _{X m} is a search keyword _{Y m,} that conditions in the formula (7) Can be expressed as:

The negative expression of Equation (7) is a set W \ {Y ₁ ,..., Y _m }: = {Vi} (1 ≦ i ≦ K, K = | W \ {) obtained by removing the search keyword Y _i from the keyword space W. Y ₁ ,..., Y _m } |) and a random number r _j (1 ≦ j ≦ m) can be used to express the equation (8).

From the above, the registered keyword vector W _T ^→ = (X ₁ ^K , X ₁ ^K−1 ,..., X ₁ , 1,..., X _m ^K , 1) is used as the attribute vector, and the negative keyword vector W _Q ￣ ^→ = ( r ₁ s _K , r ₁ s _K−1 ,..., r ₁ s ₁ , r ₁ s ₀ ,..., r _m s _K , r _m s ₀ ) may be used as predicate vectors.

Search index acquiring unit 310 of the execution apparatus 302 downloads the search index _{C 2} stored in the search index storage unit 490 of the search information storage unit 400 (S310).

The batch tag generation unit 360 of the search execution device 302 searches the search index C _{2 (j)} : = (T _{(j, 1)} ,..., T _{(j, N)} , τ _(j) , H _(j) , r _{(j )} ) From (1 ≦ j ≦ t), a batch tag BTag _{(k, m)} : = (BT _{(k, m, 1)} ,..., BT _{(k, m, N)} Bτ _{(k, m)} , BH _{(k, m)} , Br _{(k, m)} ) are generated (S360). The batch tag BTag _{(0, m)} of the hierarchy 0 is generated by setting the component of each element as shown in Expression (9).

BT _{(0, m, i)} = T _{(j, i)} ,
Bτ _{(0, m)} = τ _(j) ,
BH _{(0, m)} = H _(j) ,
Br _{(0, m)} = r _(j) (9)
(However, 1 ≦ i ≦ N)
Other batch tags BTag _{(k, m)} are generated by setting the components of each element as shown in Expression (10).

BT _{(k, m, i)} = BT _{(k-1,2m-1, i)} + BT _{(k-1,2m, i)} ,
Bτ _{(k, m)} = Bτ _{(k−1,2m−1)} Bτ _(k−1,2m) ,
BH _{(k, m)} = BH _{(k-1, 2m-1)} + BH _{(k-1, 2m)} ,
Br _{(k, m)} = Br _{(k-1, 2m-1)} Br _{(k- 1, 2m)} (10)
(However, 1 ≦ i ≦ N)

The search result determination unit 322 of the search execution device 302 uses the search query k ^* : = (Q ₁ ￣,..., Q _N ￣) received from the search request device 203 to the hierarchy (K−1) to the hierarchy 1. of Batchitagu _{BTag (k, m)} for each, and determines whether the Batchitagu _{BTag (k, m)} satisfies the formula (11). However, when the expression (11) is satisfied for the batch tag BTag _{(k, m)} of the hierarchy k, the batch tag BTag _{(k-1, 2m-1)} and the batch tag BTag _{( k-1 and 2m)} are not judged. Then, it is determined whether or not Expression (11) is satisfied for each of the batch tag BTag _{(0, m) of} the hierarchy 0. If the expression (11) is not satisfied, it is determined that the search index C ₂ corresponding to the batch tag BTag _{(0, m)} of the hierarchy 0 is successful (S322).

The search result transmission unit 330 of the search execution device 302 generates the search result C ₃ by extracting the information R ₃ that uniquely identifies the ciphertext C ₁ from the search index C ₂ determined to be a hit, and the generated search result sending a C ₃ to the search request unit 203 (S330).

Ciphertext acquisition unit 220 of the search request unit 203 refers to the information R ₃ included in the search results C ₃ received from the search execution unit 302, all the information R _3, it is uniquely identified by the information R ₃ Download the ciphertext _{C 1} from the encryption information storage unit 500 (S220).

Decoding unit 290 of the search request unit 203 acquires plaintext M by decrypting the ciphertext _{C 1} downloaded from the encryption information storage unit 500 (S290).

By adopting such a configuration in the present embodiment, in the inner product predicate searchable cipher capable of batch search, it is possible to prevent the search query k ^* from leaking to the devices constituting the cloud, and to estimate the search keyword due to the dictionary attack Can be prevented. Therefore, security can be improved with respect to the conventional ciphertext search system. In addition, since the encryption information storage device that stores the encryption information and the search execution device that executes the search can be configured as different devices, the search execution device is added in response to the increase in the search processing amount of the entire system. In addition, the storage capacity to be added can be suppressed.

[Modification]
In the third embodiment, the search execution device is configured to generate a batch tag. However, the search information storage device may be configured to generate a batch tag.

  With reference to FIGS. 18 to 20, the operation of the ciphertext search system 40 ′ of this modification will be described in detail. FIG. 18 is a block diagram showing a configuration of a ciphertext search system 40 ′ according to this modification. FIG. 19 is a block diagram illustrating a configuration of an apparatus constituting the ciphertext search system 40 ′ according to the present modification. FIG. 20 is a flowchart showing an operation in which the ciphertext search system 40 ′ according to the present modification searches and decrypts a ciphertext.

  The configuration of the ciphertext search system 40 'according to the present modification will be described with reference to FIGS. The ciphertext search system 40 ′ according to the present modification includes the Internet 1, the network 2, the search information generation device 102, the search request device 203, the search execution device 302 ′, the search information storage device 400 ′, and the encryption information storage device 500. The The search information storage device 400 ′ and the encryption information storage device 500 are connected to the Internet 1. The search information generation device 102, the search request device 203, and the search execution device 302 'are connected to the network 2. The Internet 1 and the network 2 are connected by various network devices such as a router and a firewall, and the search information generation device 102, the search request device 203, the search execution device 302 ′, the search information storage device 400 ′, and the encryption information storage device 500. Are configured to communicate with each other. The search execution device 302 ′ includes a search index acquisition unit 310 ′, a search result determination unit 322, a search result transmission unit 330, a user registration unit 340, and a coefficient calculation unit 350. The search information storage device 400 ′ includes a batch tag generation unit 360, a search index storage unit 495, and a search index storage unit 490.

  Therefore, the ciphertext search system 40 ′ according to the present modification and the ciphertext search system 40 according to the third embodiment include the batch tag generation unit 360 in the search information storage device instead of the search execution device. The difference is that the batch tag storage unit 495 is provided and the operation of the search index acquisition unit of the search execution device is different.

Batchitagu generator 360 of the retrieval information storage apparatus 400 ', Batchitagu _{BTag (k, m)} to produce a using the search index _{C 2} stored in the search index storage unit 490 (S360). The generated batch tag BTag _{(k, m)} is stored in the batch tag storage unit 495. Generation of Batchitagu BTag (k, _m) may be executed each time it receives a search index C ₂ from the search information generating device 102, may be executed periodically. Further, if the processing speed of batch tag generation is sufficient, the search execution device 302 ′ may execute it every time it requests download of the batch tag BTag _{(k, m)} . Since the method for generating the batch tag BTag _{(k, m)} is the same as that in the third embodiment, the description thereof is omitted.

The search index acquisition unit 310 ′ of the search execution device 302 ′ downloads the batch tag BTag _{(k, m)} stored in the batch tag storage unit 495 of the search information storage device 400 ′ (S310 ′). Always all Batchitagu BTag (k, _m) may be downloaded, in order to reduce the network bandwidth used, Batchitagu BTag (k, _m), which was used at the time of the previous execution holds the, to download the difference only May be.

[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

  The present invention can be used in a ciphertext search system that performs keyword search for encrypted information stored in a cloud storage in a cryptographically safe manner.

10-40 Ciphertext Search System 1 Internet 2 Network 100-102 Search Information Generation Device 110, 111 Ciphertext Generation Unit 120-122 Search Index Generation Unit 130 Hash Value Calculation Unit 200-203 Search Request Device 210-212 Search Query Generation Unit 220 Ciphertext Acquisition Unit 290 Decryption Unit 300-302 Search Execution Device 310 Search Index Acquisition Unit 320-322 Search Result Determination Unit 330 Search Result Transmission Unit 340 User Registration Unit 350 Coefficient Calculation Unit 360 Batch Tag Generation Unit 400 Search Information Storage Device 490 Search Index storage unit 495 Batch tag storage unit 500 Encryption information storage device 590 Ciphertext storage unit 800 Search proxy device 810 Search result determination unit 820 Search result transmission unit 890 Storage unit

Claims (14)

A cipher that includes a search information generation device, a search request device, and a search execution device, encrypts plaintext M including a character string using a search index C ₂ stored in the search information storage device, and stores it in the encryption information storage device a cipher text search system to perform a keyword search for the statement C _1,
The search information generation device includes:
It generates information R ₁ comprising an arbitrary bit string, the information R _1, the public key pk that is previously generated by encrypting using the keywords W _T is a keyword associated with the plaintext M, information R ₂ is generated, information R ₃ for uniquely identifying the ciphertext C ₁ is generated, and the search index C _{2 including the} information R ₁ , the information R _2, and the information R ₃ as a set: = A search index generation unit that transmits (R ₁ , R ₂ , R ₃ ) to the search information storage device,
The search request device includes:
A search keyword W _Q, using the master secret key sk to be the public key pk paired with the information R ₂ generates a search query k ^* is the private key for decrypting, and sends to the search execution device A search query generator,
A ciphertext acquisition unit that acquires the ciphertext C ₁ identified by the information R ₃ included in the search result C ₃ received from the search execution device from the cipher information storage device;
The search execution device includes:
A search index acquiring unit that acquires the search index C ₂ from said search information storage device,
The information R ₂ included in the search index C ₂ is decoded using the search query k ^* to generate a decoding result R, and the decoding result R and the information R ₁ included in the search index C ₂ are A search result determination unit for determining whether or not they match,
The search from the search index C ₂ that is determined to match the result judging unit, to generate the search results C ₃ to extract at least the information R _3, search results and transmits the search result C ₃ to the retrieval request device A ciphertext search system comprising a transmission unit. The ciphertext search system according to claim 1,
The search information storage device and the encrypted information storage device are online storage services connected to the search information generation device, the search information storage device, the search request device, and the search execution device via the Internet. Ciphertext search system characterized by The ciphertext search system according to claim 1 or 2,
r is the maximum number of characters of the registered keyword W _T , w _i is the i th character of the registered keyword W _T , t is the maximum number of characters of the search keyword W _Q , and s _i is the i th character of the search keyword W _Q , Let rd _{i, j} (1 ≦ i, j ≦ r) be a random number,
The search index generation unit, the inner product predicate encryption scheme to decrypt the ciphertext condition that the attribute vector x ^→ and the predicate vector v ^→ of the inner product is 0, generating the attribute vectors x ^→ from the keywords W _T And generating the information R ₂ by encrypting the information R ₁ using the attribute vector x ^→ and the public key pk,
The search query generation unit generates a previous description word vector v ^→ from the search keyword W _Q by the inner product predicate encryption method, and uses the predicate vector v ^→ and the master secret key sk to search the search query k ^*. Produces
The search result determination unit generates the decryption result R by decrypting the information R ₂ using the search query k ^* by the inner product predicate encryption method,
The attribute vector x ^→ is a variable vector X ^→ _{r, r} having components as components in the order in which all mononomials of the order r order or less composed of _r attribute value variables X ₁ ,..., X _r are arranged in lexicographic order. Each character w _i of the registered keyword is

Is generated by setting
The predescription vector v ^→ is generated by setting the coefficients of the predicate polynomial representing the predicate logic of the inner product predicate cryptosystem in the order corresponding to the components of the variable vector X ^→ _{r, r} ,
The predescriptor polynomial is used when the search method is exact match search.

Represented by
The predescriptor polynomial is used when the search method is a prefix search.

Represented by
When the search method is a backward match search,

Represented by
The predescriptor polynomial is used when the search method is partial match search.

A ciphertext search system characterized by the following: The ciphertext search system according to claim 1 or 2,
^ Represents a power, S is a key seed space, W is a keyword space, G ₁ and G ₂ are cyclic groups of order p, g is a generator of the cyclic group G ₁ , and e is G ₁ × G ₁ → G ₂ A pairing function, h _σ is a keyed hash function of S × W → G ₁ , σ is a random seed of the keyed hash function h _σ , and x, ζ are finite fields F _p ^* whose original number is p As an integer selected in advance from
The search execution device includes:
The inner product predicate encryption scheme attribute vector x ^→ and the predicate vector v ^→ inner product to decrypt the ciphertext the proviso that 0, said predicate vector from attribute information AFL _U corresponding to the user identifier U and the user identifier U v ^→ is generated, a search secret key sk _U is generated using the predicate vector v ^→ , the public key pk and the master secret key sk, and a random number x _U is randomly selected from the finite field F _p ^*. A user registration unit that calculates a complementary key ck _U = g ^ x / x _U and transmits the search secret key sk _U and the random number x _U to the search information generation device and the search request device;
A coefficient calculation unit that calculates a coefficient f = e (H, ck _U ) using the hash value H received from the search information generation apparatus, and transmits the coefficient f to the search information generation apparatus;
Further comprising
The search information generation device includes:
Using the random number r _w randomly selected from the registered keyword W _T and the finite field F _p ^* , the hash value H = (h _σ (W _T )) ^ r _w x _U is calculated, and the hash value H A hash value calculation unit for transmitting to the search execution device;
Further comprising
The search index generation unit, the search execution device coefficient f received from from the cyclic group G ₂ by using the random number r randomly selected to calculate the coefficients r '= rf, the random number r as the information R ₁ set, the by inner product predicate encryption scheme to generate the keywords W _T and the keywords W from said search authority information AC including information of a user to allow search using the _T attribute vector x ^→, the attribute (T ₁ ,..., T _N ) is generated by encrypting the information R ₁ using the vector x ^→ and the public key pk, and τ = g ^ζ is calculated using the g and the ζ. , (T ₁ ,..., T _N ), τ and the hash value H as a set to generate the information R ₂ : = (T ₁ ,..., T _N , τ, H),
The search query generation unit generates a previous description word vector v ^→ from the search keyword W _Q by the inner product predicate encryption method, and uses the predicate vector v ^→ , the public key pk, and the search secret key sk _U. , The search query k ^* : = (Q ₁ ,..., Q _N )
The search result determination unit, the search query _{^{k *: = (Q 1,}} ..., Q N) using, for all the search index _{C 2} respectively, the information _R 2 contained in the search index _{C 2:} = (T ₁ ,..., T _N , τ, H) is

A ciphertext search system characterized by determining whether or not the above is satisfied. The ciphertext search system according to claim 4,
^ Represents a power, t is the total number of search indexes C ₂ , j is the number of the search index C ₂ , K (= log ₂ t + 1) is the number of layers of the batch tag BTag, and k (0 ≦ k ≦ K−1) is the batch tag BTag hierarchy number, M (= 2 ^ (log ₂ tk)) is the number of elements in each layer of the batch tag BTag, and m (1 ≦ m ≦ M) is the element number in each layer of the batch tag BTag. ,
The search execution device includes:
From the search index C _{2 (j)} : = (T _{(j, 1)} ,..., T _{(j, N)} , τ _(j) , H _(j) , r _(j) ), a binary tree of the K hierarchy Batch tag BTag _{(k, m)} : = (BT _{(k, m, 1)} ,..., BT _{(k, m, N)} , Bτ _{(k, m)} , BH _{(k, m)} , Br _{(k , M)} )
If it is a batch tag BTag _{(0, m)} of level 0,
BT _{(0, m, i)} = T _{(j, i)} ,
Bτ _{(0, m)} = τ _(j) ,
BH _{(0, m)} = H _(j) ,
Br _{(0, m)} = r _(j)
(However, 1 ≦ i ≦ N)
Produces as
For other batch tags BTag _{(k, m)}
BT _{(k, m, i)} = BT _{(k-1,2m-1, i)} + BT _{(k-1,2m, i)} ,
Bτ _{(k, m)} = Bτ _{(k−1,2m−1)} Bτ _(k−1,2m) ,
BH _{(k, m)} = BH _{(k-1, 2m-1)} + BH _{(k-1, 2m)} ,
Br _{(k, m)} = Br _{(k-1, 2m-1)} Br _{(k- 1, 2m)}
(However, 1 ≦ i ≦ N)
It further includes a batch tag generator that generates as
The search query generation unit generates a predescription vector v ^→ from a negative keyword W _Qあ る that is a set obtained by removing the search keyword W _Q from the keyword space W by the inner product predicate encryption method, and the predicate vector v ^→ and the public key pk and the search secret key sk _U are used to generate the search query k ^* : = (Q ₁ ￣,..., Q _N ￣)
The search result determination unit uses the search query k ^* : = (Q ₁ ￣,..., Q _N ￣) and uses the batch tag BTag _{(k, m) For} each

A ciphertext search system characterized by determining whether or not the above is satisfied. The ciphertext search system according to claim 4,
^ Represents a power, t is the total number of search indexes C ₂ , j is the number of the search index C ₂ , K (= log ₂ t + 1) is the number of layers of the batch tag BTag, and k (0 ≦ k ≦ K−1) is the batch tag BTag hierarchy number, M (= 2 ^ (log ₂ tk)) is the number of elements in each layer of the batch tag BTag, and m (1 ≦ m ≦ M) is the element number in each layer of the batch tag BTag. ,
The search information storage device includes:
Bisect of the K hierarchy generated from the search index C _{2 (j)} : = (T _{(j, 1)} ,..., T _{(j, N)} , τ _(j) , H _(j) , r _(j) ) Batch tag BTag _{(k, m)} : = (BT _{(k, m, 1)} ,..., BT _{(k, m, N)} , Bτ _{(k, m)} , BH _{(k, m)} , Br _{( k, m)} )
The batch tags BTag _{(k, m)} : = (BT _{(k, m, 1)} ,..., BT _{(k, m, N)} , Bτ _{(k, m)} , BH _{(k, m)} , Br _{(k, m )} )
If it is a batch tag BTag _{(0, m)} of level 0,
BT _{(0, m, i)} = T _{(j, i)} ,
Bτ _{(0, m)} = τ _(j) ,
BH _{(0, m)} = H _(j) ,
Br _{(0, m)} = r _(j)
(However, 1 ≦ i ≦ N)
Is generated as
For other batch tags BTag _{(k, m)}
BT _{(k, m, i)} = BT _{(k-1,2m-1, i)} + BT _{(k-1,2m, i)} ,
Bτ _{(k, m)} = Bτ _{(k−1,2m−1)} Bτ _(k−1,2m) ,
BH _{(k, m)} = BH _{(k-1, 2m-1)} + BH _{(k-1, 2m)} ,
Br _{(k, m)} = Br _{(k-1, 2m-1)} Br _{(k- 1, 2m)}
(However, 1 ≦ i ≦ N)
Is generated as
The search index acquisition unit acquires the batch tag BTag _{(k, m)} from the search information storage device,
The search query generation unit generates a predescription vector v ^→ from a negative keyword W _Qあ る that is a set obtained by removing the search keyword W _Q from the keyword space W by the inner product predicate encryption method, and the predicate vector v ^→ and the public key pk and the search secret key sk _U are used to generate the search query k ^* : = (Q ₁ ￣,..., Q _N ￣)
The search result determination unit uses the search query k ^* : = (Q ₁ ￣,..., Q _N ￣) and uses the batch tag BTag _{(k, m) For} each

A ciphertext search system characterized by determining whether or not the above is satisfied. Search and index C ₂ stores retrieval information storage apparatus, a retrieval information generating apparatus connected via the encryption information storage unit that stores a ciphertext C ₁ encrypted, the network plaintext M containing the string ,
It generates information R ₁ comprising an arbitrary bit string, the information R _1, the public key pk that is previously generated by encrypting using the keywords W _T is a keyword associated with the plaintext M, information R ₂ is generated, information R ₃ for uniquely identifying the ciphertext C ₁ is generated, and the search index C _{2 including the} information R ₁ , the information R _2, and the information R ₃ as a set: A search information generation device comprising: a search index generation unit that transmits = (R ₁ , R ₂ , R ₃ ) to the search information storage device. A retrieval request unit, a retrieval information storage device for storing search index C _2, a connected search execution device via the network,
A search index acquiring unit that acquires the search index C ₂ from said search information storage device,
Or the search information R ₂ included in the index C ₂ search query k ^* was used to generate a decryption result R by decrypting the information R ₁ included in the decryption result R and the search index C ₂ matches A search result determination unit for determining whether or not,
The search result determination unit from the search index C ₂ that is determined to match with, generates a search result C ₃ to extract at least the information R _3, search result transmission for transmitting the search result C ₃ to the retrieval request device And
A search execution device comprising: A retrieval execution unit, a search information storage device for storing search index C _2, and the encryption information storage unit that stores a ciphertext C ₁ obtained by encrypting plaintext M containing the string, search requests that are connected via a network A device,
A search keyword W _Q, using the master secret key sk that is previously generated, the generating the search index C ₂ is a secret key for decoding the information R ₂ included in the search query k ^*, the search execution device A search query generator to send to
A ciphertext acquisition unit that acquires the ciphertext C ₁ identified by the information R ₃ included in the search result C ₃ received from the search execution device, from the cipher information storage device;
A search requesting device comprising: Generates information R ₁ comprising an arbitrary bit string, the information R _1, the public key pk that are generated in advance, be encrypted with the keywords W _T is a keyword associated with the plaintext M containing the string Then, information R ₂ is generated, information R ₃ for uniquely identifying the ciphertext C ₁ obtained by encrypting the plaintext M is generated, and the information R ₁ , the information R _2, and the information R ₃ are combined. A search index generation step of transmitting a set search index C ₂ : = (R ₁ , R ₂ , R ₃ ) to the search information storage device;
A search keyword W _Q, using the master secret key sk to be the public key pk paired with the search query generation step of generating a search query k ^* is the private key for decrypting the information R _2,
A search index acquiring step of acquiring the search index C ₂ from said search information storage device,
The information R ₂ included in the search index C ₂ is decoded using the search query k ^* to generate a decoding result R, and the decoding result R and the information R ₁ included in the search index C ₂ are A search result determination step for determining whether or not they match,
A search result transmission step of extracting at least the information R ₃ from the search index C ₂ determined to match by the search result determination step and generating the search result C ₃ ;
A ciphertext acquisition step of acquiring the ciphertext C ₁ identified by the information R ₃ included in the search result C ₃ from the cipher information storage device;
Ciphertext search method including Generates information R ₁ comprising an arbitrary bit string, the information R _1, the public key pk that are generated in advance, be encrypted with the keywords W _T is a keyword associated with the plaintext M containing the string Then, information R ₂ is generated, information R ₃ for uniquely identifying the ciphertext C ₁ obtained by encrypting the plaintext M is generated, and the information R ₁ , the information R _2, and the information R ₃ are combined. A search information generation method including a search index generation step of transmitting a set search index C ₂ : = (R ₁ , R ₂ , R ₃ ) to a search information storage device. A search index obtaining step of obtaining search index C ₂ from the search information storage device,
Or the search information R ₂ included in the index C ₂ search query k ^* was used to generate a decryption result R by decrypting the information R ₁ included in the decryption result R and the search index C ₂ matches A search result determination step for determining whether or not,
A search result transmission step of extracting at least the information R ₃ from the search index C ₂ determined to match by the search result determination step and generating the search result C ₃ ;
Search execution method including A search query generation step for generating a search query k ^* , which is a secret key for decrypting the information R ₂ included in the search index C ₂ , using the search keyword W _Q and the master secret key sk generated in advance;
A ciphertext acquisition step of acquiring the ciphertext C ₁ identified by the information R ₃ included in the search result C ₃ from the cipher information storage device;
Search request method including   A program for causing a computer to function as the search information generation device according to claim 7, the search execution device according to claim 8, or the search request device according to claim 9.

Images