JP4762673B2 - Information processing apparatus, information processing system, and program - Google Patents

Description

  The present invention relates to an information processing apparatus, an information processing system, and a program suitable for preventing unauthorized use of encrypted secret information and limiting decryption.

  Images taken by surveillance cameras are treated as important evidence when a crime or accident occurs. Furthermore, in recent years, due to an increase in crimes and accidents, studies such as mounting a car recorder in an automobile and collecting driving records and the like are being advanced.

  By the way, information obtained using a surveillance camera, a car recorder, or the like often includes a lot of privacy information. In many cases, the original owner of the privacy information and the discloser of the privacy information are different. And there is a risk that the privacy information is disclosed and the privacy is infringed unintentionally without the knowledge of the original owner of the privacy information. Therefore, it is indispensable to take measures to conceal the privacy information using various encryption technologies or restrict the disclosure of the information.

For example, as in Patent Document 1 and Patent Document 2, a secret sharing method is used in which secret information is distributed to limit the disclosure of information. According to this secret sharing method, for example, a secret key for decrypting encrypted secret information is divided into m (m is an integer of 1 or more), and a proper decryptor having this secret key is predetermined. Decoding is possible only when n people (n is an integer of 1 to m) gather.
JP 2005-167794 A JP 2005-141436 A

  However, in the secret sharing method described above, as long as n consenters are collected in order to decrypt the secret information, the secret is not known to anyone other than these consenters (for example, the original owner of the privacy information). It is possible to decrypt the information. Also, according to the prior art, the other person cannot know when the secret information has been decrypted or by whom. Therefore, there is a possibility that privacy information is acquired and decrypted where the original owner of the privacy information cannot be grasped, and the confidential information may be misused, and it is not possible to determine whether the information is being used illegally. There is.

  The present invention has been made in view of the above circumstances, and provides an information processing apparatus, an information processing system, and a program suitable for preventing unauthorized use of encrypted secret information and limiting decryption. Objective.

In order to achieve the above object, an information processing system according to the first aspect of the present invention provides:
An information processing system having an evidence presenter terminal, a public server, and a decryptor terminal ,
The evidence presenter terminal
An acquisition unit for acquiring the source of the public information group of the evidence presenter who uses the evidence presenter terminal;
The encrypted secret information is obtained by encrypting the secret information using the first public key of the public server, the second public key of the decryptor terminal, and the acquired source. and the encryption unit that generates,
The generated encrypted secret information, the stored element, the encrypted data generated based on the element, and the hash value of the secret information are output to the decryptor terminal. An output section;
Equipped with a,
The public server is
A request receiving unit which receives the request data for requesting the permission to decrypt the encrypted secret information from the decoding terminal,
Before Ki受 only attached was based on the request data, the determining whether the determination unit permits decrypt the encrypted private information,
If it is determined to permit by the determination unit, and the signature data generation unit that generates signature data used from the received request data to decrypt the encrypted secret information,
A signature data storage unit that stores the received request data and the generated signature data in association with each other;
And signature data output section for outputting the stored signed data to the decoding terminal,
Equipped with a,
The decryptor terminal is
A secret key storage unit for storing a secret key and the second public key corresponding to the secret key;
A receiver that receives the encrypted secret information, the source, the encrypted data, and a hash value of the secret information from the evidence presenter terminal ;
And a private key that is the storage, the encrypted data to the received the hash value to the received, based on a request generating unit for generating a request data for requesting the permission to decrypt the encrypted private information ,
A request output unit for outputting the generated request data to the public server ;
And signature data receiving unit that receives the signature data corresponding to the output request data from the public server,
Obtaining the original of the received and encrypted the received data, and a private key that is the storage, using a signature data received above, by decoding the secret information the encrypted, the secret information A decoding unit to
Equipped with a,
And wherein a call.

  According to the present invention, it is possible to provide an information processing apparatus, an information processing system, and a program suitable for restricting decryption of encrypted secret information and preventing unauthorized use.

  FIG. 1 is a diagram illustrating a configuration of an information processing system 10 according to the present embodiment. As shown in the figure, the information processing system 10 includes a key center server 11, an evidence presenter terminal 12, a decryptor terminal 13, a public server 14, and a network 15.

  In the following description, the evidence presenter is the original owner of the secret information msg, and is the person who encrypts the secret information msg and transmits the encrypted secret information Enc (msg). It is.

  The key center server 11 generates and stores common parameters used by the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14, and stores these common parameters as required by the evidence presenter terminal 12 and the decryptor terminal 13. And provided to the public server 14. Details will be described later.

  The evidence presenter terminal 12 encrypts the secret information msg and transmits the encrypted secret information Enc (msg) to the decryptor terminal 13. This encryption is performed using the public key PKs owned by the public server 14 and the public key PKi owned by the decryptor terminal 13. Details will be described later.

  The decryptor terminal 13 receives the encrypted secret information Enc (msg) from the evidence presenter terminal 12. The decryption person terminal 13 generates the decryption related information EVi before performing decryption, and transmits the decryption related information EVi to the public server 14 as a declaration for performing decryption. Then, when the public server 14 discloses that the decryption is performed and the decryption is permitted, the encrypted secret information Enc (msg) is decrypted. That is, the original secret information msg can be acquired. Details will be described later.

  When the public server 14 receives the decryption-related information EVi from the decryption person terminal 13, the public server 14 publishes a declaration that the decryption person terminal 13 performs decryption. Then, it is determined whether or not the decryption is permitted. When the decryption is permitted, the decryptor terminal 13 generates signature data SNs necessary for decryption. Details will be described later.

  The network 15 includes a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, and the like, and transmits and receives information to and from the key center server 11, the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14. Used to do The network 15 is not limited to these. For example, the key center server 11, the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14 may be a telephone line or a dedicated line that can communicate with each other. Good.

  Next, the configuration of the key center server 11 will be described with reference to FIG. As shown in this figure, the key center server 11 includes a control unit 110, a RAM (Random Access Memory) 111, a ROM (Read Only Memory) 112, a storage unit 113, an output unit 114, an I / F (Interface). ) 115, input unit 116, and system bus 117.

  The control unit 110 includes an arithmetic processing device such as a CPU (Central Processing Unit) and controls the entire key center server 11. In addition, the control unit 110 reads a program or the like stored in the ROM 112 or the storage unit 113, and executes predetermined processing based on the read program or the like.

  For example, the control unit 110 performs a process of generating common parameters to be described later and storing them in the storage unit 113. In addition, for example, when the control unit 110 receives a request for acquiring a common parameter stored in the storage unit 113 from the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14, a process of transmitting the requested common parameter I do.

  The RAM 111 is a volatile memory that stores a program read by the control unit 110 to execute a predetermined process and data necessary for the control unit 110 to execute the program.

  The ROM 112 is a non-volatile memory that stores an operating system (hereinafter referred to as “OS”), a program, and the like necessary for overall control of the key center server 11. The control unit 110 reads an OS, a program, and the like from the ROM 112 as necessary, and executes predetermined processing based on the OS, the program, and the like. Note that the OS, the program, and the like may be stored in the storage unit 113, and the control unit 110 may be configured to read out the OS, the program, and the like from the storage unit 113 as necessary and execute predetermined processing.

The storage unit 113 includes a storage device such as a hard disk drive. For example, the storage unit 113 stores a bilinear map e: (G1 × G1 → G2) used in each process described later. Here, G1 and G2 represent cyclic groups having order q (q is an integer of 1 or more). Note that q is desirably a sufficiently large prime number. Further, the storage unit 113 generates a hash function H1 that generates an arbitrary bit string of data of the size of the group G1 (for example, pseudorandom numbers) and an arbitrary bit string of data of the size of the secret information msg (for example, pseudorandom numbers). And a hash function H2 for generating, and an arbitrary element P of the cyclic group G1 are stored. For example, the traveling group G1 is public information of the evidence presenter.
These pieces of information stored in the storage unit 113 are common parameters used in common by the key center server 11, the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14, and are provided as necessary. Public information.

  The output unit 114 includes a display device such as a monitor and an output device such as a speaker. The output unit 114 outputs result data of processing executed by the control unit 110 according to a program stored in the ROM 112 or the like according to an instruction from the control unit 110. .

  The I / F 115 is an interface connected to a drive device such as a CD-ROM drive for reading and writing to a removable disk such as a CD (Compact Disc), a NIC (Network Interface Card) connected to the external network 15, and the like. .

  The input unit 116 includes input devices such as a keyboard and a mouse, receives data input by the user using these input devices, and inputs the input data to the control unit 110.

  The system bus 117 is a transmission path for transferring commands and data among the control unit 110, RAM 111, ROM 112, storage unit 113, output unit 114, I / F 115, and input unit 116.

  Next, the configuration of the evidence presenter terminal 12 will be described. The evidence presenter terminal 12 includes a control unit 120, a random access memory (RAM) 121, a read only memory (ROM) 122, a storage unit 123, an output unit 124, an interface (I / F) 125, and an input. Part 126 and system bus 127.

  The block diagram showing the configuration of the evidence presenter terminal 12 is substantially the same as that in FIG. 2, and in this figure, the control unit 110 is stored in the control unit 120, the RAM 111 is stored in the RAM 121, and the ROM 112 is stored in the ROM 122. Unit 113 as storage unit 123, output unit 114 as output unit 124, I / F 115 as I / F 125, input unit 116 as input unit 126, system bus 117 as system bus 127, and key center server 11 as evidence It shall be read as the presenter terminal 12, and the drawing is omitted.

  The control unit 120 includes an arithmetic processing device such as a CPU (Central Processing Unit), and controls the entire evidence presenter terminal 12. In addition, the control unit 120 reads a program or the like stored in the ROM 122 or the storage unit 123, and executes a predetermined process based on the read program or the like.

  For example, the control unit 120 encrypts arbitrary secret information msg using the common parameters stored in the key center server 11, the public key PKi owned by the decryptor terminal 13, the public key PKs owned by the public server 14, and the like. Perform processing. Details of this encryption processing will be described later.

  The RAM 121 is a volatile memory that stores a program read by the control unit 120 to execute a predetermined process and data necessary for the control unit 120 to execute the program.

  The ROM 122 is a non-volatile memory that stores an OS, a program, and the like necessary for overall control of the evidence presenter terminal 12. The control unit 120 reads an OS, a program, and the like from the ROM 122 as necessary, and executes predetermined processing based on the OS, the program, and the like. Note that the OS, the program, and the like may be stored in the storage unit 123, and the control unit 120 may be configured to read the OS, the program, and the like from the storage unit 123 as necessary and execute predetermined processing.

  The storage unit 123 includes a storage device such as a hard disk drive.

  The output unit 124 includes a display device such as a monitor and an output device such as a speaker. The output unit 124 outputs, as an instruction from the control unit 120, result data of processing executed by the control unit 120 according to a program stored in the ROM 122 or the like. .

  The I / F 125 is an interface that connects to a drive device such as a CD-ROM drive for reading and writing to a removable disk such as a CD (Compact Disc), a NIC (Network Interface Card) connected to the external network 15, and the like. .

  The input unit 126 includes input devices such as a keyboard and a mouse, receives data input by the user using these input devices, and inputs the input data to the control unit 120.

  The system bus 127 is a transmission path for transferring commands and data among the control unit 120, RAM 121, ROM 122, storage unit 123, output unit 124, I / F 125, and input unit 126.

  Next, the configuration of the decryption person terminal 13 will be described. The decryptor terminal 13 includes a control unit 130, a RAM (Random Access Memory) 131, a ROM (Read Only Memory) 132, a storage unit 133, an output unit 134, an I / F (Interface) 135, and an input unit. 136 and a system bus 137.

  The block diagram showing the configuration of the decryption person terminal 13 is substantially the same as that in FIG. 2, and therefore, in this figure, the control unit 110 is the control unit 130, the RAM 111 is the RAM 131, the ROM 112 is the ROM 132, and the storage unit. 113 is the storage unit 133, the output unit 114 is the output unit 134, the I / F 115 is the I / F 135, the input unit 116 is the input unit 136, the system bus 117 is the system bus 137, and the key center server 11 is the decrypter. It shall be read as terminal 13 and the drawing is omitted.

  The control unit 130 includes an arithmetic processing device such as a CPU (Central Processing Unit) and controls the entire decryption person terminal 13. In addition, the control unit 130 reads a program or the like stored in the ROM 132 or the storage unit 133, and executes predetermined processing based on the read program or the like.

  For example, the control unit 130 uses the common parameters stored in the key center server 11, the secret key SKi owned by the decryptor terminal 13, and the like, the decryption related information EVi serving as a declaration to decrypt the secret information msg. Is generated (hereinafter referred to as “decoding related information generation processing”). Further, for example, when the public server 14 permits the decryption of the encrypted secret information Enc (msg), the control unit 130 has the common parameter stored in the key center server 11 and the decryptor terminal 13. For decrypting the encrypted secret information Enc (msg) received from the evidence presenter terminal 12 using the secret key SKi to be received, the signature data SNs indicating that the decryption received from the public server 14 is permitted, etc. I do. Details of the decryption related information generation process and the decryption process will be described later.

  The RAM 131 is a volatile memory that stores a program read for the control unit 130 to execute a predetermined process and data necessary for the control unit 130 to execute the program.

  The ROM 132 is a nonvolatile memory that stores an OS, a program, and the like necessary for overall control of the decryption person terminal 13. The control unit 130 reads an OS, a program, and the like from the ROM 132 as necessary, and executes predetermined processing based on the OS, the program, and the like. Note that the OS, the program, and the like may be stored in the storage unit 133, and the control unit 130 may be configured to read the OS, the program, etc. from the storage unit 133 as necessary and execute a predetermined process.

  The storage unit 133 includes a storage device such as a hard disk drive.

  The output unit 134 includes a display device such as a monitor and an output device such as a speaker. The output unit 134 outputs result data of processing executed by the control unit 130 according to a program stored in the ROM 132 or the like according to an instruction from the control unit 130. .

  The I / F 135 is an interface that is connected to a drive device such as a CD-ROM drive for reading and writing to a removable disk such as a CD (Compact Disc), a NIC (Network Interface Card) connected to the external network 15, and the like. .

  The input unit 136 includes input devices such as a keyboard and a mouse, receives data input by the user using these input devices, and inputs the input data to the control unit 130.

  The system bus 137 is a transmission path for transferring commands and data among the control unit 130, RAM 131, ROM 132, storage unit 133, output unit 134, I / F 135, and input unit 136.

  Next, the configuration of the public server 14 will be described. The public server 14 includes a control unit 140, a RAM (Random Access Memory) 141, a ROM (Read Only Memory) 142, a storage unit 143, an output unit 144, an I / F (Interface) 145, and an input unit 146. And a system bus 147.

  The block diagram showing the configuration of the public server 14 is substantially the same as that in FIG. 2, and in this figure, the control unit 110 is the control unit 140, the RAM 111 is the RAM 141, the ROM 112 is the ROM 142, and the storage unit 113. In the storage unit 143, the output unit 114 in the output unit 144, the I / F 115 in the I / F 145, the input unit 116 in the input unit 146, the system bus 117 in the system bus 147, and the key center server 11 in the public server 14 The drawing shall be omitted.

  The control unit 140 includes an arithmetic processing device such as a CPU (Central Processing Unit) and controls the entire public server 14. In addition, the control unit 140 reads a program or the like stored in the ROM 142 or the storage unit 143, and executes predetermined processing based on the read program or the like.

  For example, the control unit 140 receives the decryption-related information EVi from the decryption person terminal 13, and declares that the decryption person terminal 13 decrypts the encrypted secret information Enc (msg), as will be described later. The process posted in 610 (hereinafter referred to as “decryption declaration disclosure process”) is performed. Further, for example, when permitting the decryptor terminal 13 to decrypt, the control unit 140 permits the decryption using the received decryption-related information EVi, the private key SKs owned by the public server 14, and the like. Is generated (hereinafter referred to as “signature data generation process”). Details of the decryption declaration disclosure process and the signature data generation process will be described later.

  The RAM 141 is a volatile memory that stores a program read by the control unit 140 to execute a predetermined process and data necessary for the control unit 140 to execute the program.

  The ROM 142 is a non-volatile memory that stores an OS, a program, and the like necessary for overall control of the public server 14. The control unit 140 reads an OS, a program, and the like from the ROM 142 as necessary, and executes predetermined processing based on the OS, the program, and the like. Note that the OS, the program, and the like may be stored in the storage unit 143, and the control unit 140 may be configured to read the OS, the program, etc. from the storage unit 143 as necessary and execute a predetermined process.

  The storage unit 143 includes a storage device such as a hard disk drive. For example, the storage unit 143 stores the decryption-related information database 600 that stores the decryption-related information EVi that is received from the decryption person terminal 13 and indicates the declaration of decryption in association with the signature data SNs, or the decryption-related information database 600. A public bulletin board 610 for posting public information based on the information is stored. Details of the decryption related information database 600 and the public bulletin board 610 will be described later.

  The output unit 144 includes a display device such as a monitor and an output device such as a speaker. The output unit 144 outputs result data of a process executed by the control unit 140 according to a program stored in the ROM 142 or the like according to an instruction from the control unit 140. .

  The I / F 145 is an interface connected to a drive device such as a CD-ROM drive for reading and writing to a removable disk such as a CD (Compact Disc), a NIC (Network Interface Card) connected to the external network 15, and the like. .

  The input unit 146 includes input devices such as a keyboard and a mouse, receives data input by the user using these input devices, and inputs the input data to the control unit 140.

  The system bus 147 is a transmission path for transferring commands and data among the control unit 140, RAM 141, ROM 142, storage unit 143, output unit 144, I / F 145, and input unit 146.

(Encryption processing)
Next, the encryption process which the control part 120 of the evidence presenter terminal 12 performs is demonstrated using the flowchart of FIG.

  For example, the secret information msg is the privacy information of the evidence presenter himself / herself or a message that he / she wants to send to the other party while keeping the secret state so as not to be known to a third party.

In the encryption process, the control unit 120 generates the following four data as data to be transmitted to the decrypter terminal 13.
(1) Hash value of secret information msg: H1 (msg)
(2) One element on the public information group G1 of the evidence presenter: X
(3) Encrypted data unique to the presenter other than the secret information msg: R
(4) Encrypted secret information: Enc (msg)
Details will be described below.

  The control unit 120 acquires the hash function H1 from the key center server 11 and obtains the hash value H1 (msg) of the secret information msg (step S301). That is, the hash value H1 (msg) of the secret information msg is obtained using a hash function H1 that generates data of a predetermined length from the given secret information msg. The hash function H1 is one of the common parameters stored in the key center server 11, and is public information in the information processing system 10 of the present embodiment.

  Generally, a hash function is an irreversible one-way function, and original data cannot be generated from the obtained hash value. Therefore, it is widely used in fields such as communication encryption and digital signature. Note that the present invention does not define a specific mathematical expression (or logical expression or the like) of the hash function H1. Further, it is desirable that the hash function H1 is defined so that a close hash value cannot be obtained from similar secret information msg, there is no bias in the range, and the same hash value is not easily generated from different secret information msg.

  The control unit 120 acquires one element X on the evidence presenter's public information group G1 from the key center server 11 (step S302). One element X on the evidence presenter's public information group G1 is data associated with the evidence presenter, such as the user name of the evidence presenter, and is public information in the information processing system 10 of the present embodiment. .

  The control unit 120 acquires the random number r and an arbitrary element P on the public information G1 of the evidence presenter stored in the key center server 11, and generates the encrypted data R using the number 1 (step S303). ). That is, the encrypted data R is obtained by adding P times r times using an arbitrary source P on the evidence presenter's public information G1 and a random number r generated by the evidence presenter terminal 12. Here, the random number r is a secret value that is not disclosed.

  In the following description, a black circle symbol as in Equation 1 indicates an addition operation on an elliptic curve.

  The encrypted data R is a value that is not substantially the same even when the same secret information msg is encrypted again. In order for the decryption person to decrypt, the encrypted data R correctly associated with the encrypted secret information Enc (msg) is required.

  The control unit 120 obtains the obtained H1 (msg), X, and r, the hash functions H1 and H2 that are public information stored in the key center server 11 and the bilinear map e, and the public key owned by the public server 14 Secret information Enc (msg) encrypted using Equation 2 is generated from the PKs and the public key PKi possessed by the decryptor terminal 13 (step S304).

  In the following description, a symbol with + in a circle as in Equation 2 represents an exclusive OR.

  The decryptor terminal 13 has a set of secret key SKi and public key PKi, and only the public key PKi is a key that can be acquired by the evidence presenter terminal 12. For example, the public key PKi is stored in the storage unit 123 in advance.

  The four data obtained as described above, that is, H1 (msg), X, R, and Enc (msg) are transmitted to the decryptor terminal 13 via the network 15 together with the evidence presenter information. Here, the evidence presenter information is identification information of the evidence presenter (or the evidence presenter terminal 12).

  It should be noted that the above-described formulas and the like for generating the encrypted data R and the encrypted secret information Enc (msg) are just an example, and the present invention is not limited to this, and various modifications are possible.

(Decryption related information generation process)
Next, decryption related information generation processing executed by the control unit 130 of the decryption person terminal 13 will be described with reference to the flowchart of FIG.

  In the decryption related information generation process, the control unit 130 generates decryption related information EVi that is a declaration to decrypt the encrypted secret information Enc (msg). Details will be described below.

  The control unit 130 receives the hash value H1 (msg) and the encrypted data R from the evidence presenter terminal 12 (step S401).

  Further, the control unit 130 acquires the secret key SKi owned by the decryption person terminal 13 (step S402). For example, the secret key SKi is stored in advance in the storage unit 133.

  Furthermore, the control unit 130 acquires the hash function H1 and the bilinear map e that are public information stored in the key center server 11 (step S403).

  The control unit 130 generates the decryption related information EVi from the hash value H1 (msg), the encrypted data R, the secret key SKi, the hash function H1, and the bilinear map e using Equation (3) (step S404).

  That is, the decryption related information EVi is a hash value obtained by using the hash function H1 with the length of the public information group G1 of the evidence presenter.

  The decryption related information EVi generated in this way is transmitted to the public server 14 together with the hash value H1 (msg) and the evidence presenter information, and a declaration that the encrypted secret information Enc (msg) is decrypted. Become. Then, the public server 14 posts on the public bulletin board 610 that the decryptor terminal 13 performs decryption. In other words, a person other than the decryption person terminal 13 can know that the decryption person terminal 13 has decrypted certain encrypted information by browsing the public bulletin board 610.

  The above-described mathematical formula for generating the decryption related information EVi is one example, and is not limited to this, and various modifications are possible.

  As will be described later, the decryption person terminal 13 cannot perform decryption only by transmitting the decryption related information EVi to the public server 14, but is generated when decryption is permitted by the public server 14. If the signature data SNs is not received, it cannot be decrypted. Further, since the decryption related information EVi is generated using the secret key SKi owned by the decryptor terminal 13, it is impossible to declare that the decryption is performed illegally by impersonation or alteration by another person.

(Decryption declaration disclosure process)
Next, the decryption declaration disclosure process executed by the control unit 140 of the disclosure server 14 will be described with reference to the flowchart of FIG.

  In the decryption declaration disclosure process, the control unit 140 indicates that the decryptor terminal 13 performs decryption based on the decryption related information EVi, the hash value H1 (msg) and the evidence presenter information received from the decryptor terminal 13. Posted on public bulletin board 610. Details will be described below.

  When receiving the decryption related information EVi, the hash value H1 (msg), and the evidence presenter information from the decryptor terminal 13 (step S501), the control unit 140 stores each received data in the storage unit 143 of the public server 14. (Step S502). For example, the public server 14 stores the decryption related information database 600 as illustrated in FIG. In the case of this figure, the decryption related information database 600 stores the reception date and time, the decryptor, and the contents in association with the decryption related information EVi, the hash value H1 (msg), and the evidence presenter information.

  The information stored in the decryption related information database 600 is not limited to the information described above. Moreover, you may memorize | store using other methods, such as the table which matched decryption relevant information EVi, hash value H1 (msg), and evidence presenter information. Furthermore, the location where the decryption related information database 600 or data corresponding thereto is stored is not limited to the storage unit 143.

  Furthermore, the control unit 140 posts a notice to the public bulletin board 610 that the decrypter terminal 13 decrypts the encrypted secret information Enc (msg) based on the data stored in the decryption related information database 600. (Step S503). The public bulletin board 610 is a bulletin board that can be browsed from other evidence presenter terminals 12 and decryptor terminals 13 connected to the network 15 and can be displayed on a monitor or the like provided in the output units 124 and 134. For example, the user can browse the public bulletin board 610 using commonly used browsing application software (hereinafter referred to as “browser”).

  For example, FIG. 6B is a configuration example of a public bulletin board 610 displayed using a browser. In the case of this figure, the public bulletin board 610 posts the public information number, the decryptor (or the identifier of the decryptor terminal 13), the content of the public information, the status indicating the status of the public information, and the posting date and time. Here, the status includes, for example, “decryption complete” indicating that the decryption of the encrypted secret information Enc (msg) is completed, and decryption is permitted by a signature data generation process described later. However, it is desirable that “authenticated” indicating that decryption has not been performed yet, “authenticating” indicating that decryption is not yet permitted, and the like.

  In this way, the public server 14 posts on the public bulletin board 610 a declaration that the decryptor terminal 13 will decrypt the encrypted secret information Enc (msg) based on the data received from the decryptor terminal 13. To do. As a result, a person other than the person who actually performs decryption can know when (or when) the decryption is going to be performed, and can prevent unauthorized or secret decryption. . For example, the original owner of the secret information msg can monitor when and by whom the privacy information is decrypted (or decrypted).

  The information posted on the public bulletin board 610 is not limited to the information described above. Further, the method of displaying the public bulletin board 610 is not limited to the above-described content, and may be realized using dedicated application software, for example.

  Further, the original owner of the secret information msg can browse the public bulletin board 610 with a browser or the like, and can explicitly refuse (or permit) the decryption.

  In this case, the public server 14 assigns a user name and a password to a legitimate user in advance and stores the contents in order to determine whether or not the legitimate user can set “permit” or “reject”. It is desirable to store the authentication database in the storage unit 143 or the like. The public bulletin board 610 may be provided with an operation button or the like that can be set to refuse (or permit) decryption by a legitimate user. When “permitted” is set by a legitimate user, the control unit 140 allows the corresponding secret information Enc (msg) to be decrypted and notifies the decryptor terminal 13 of the decryption. Alternatively, when “permitted” is not set by a legitimate user or “rejected” is set by a legitimate user, the control unit 140 does not permit the decryption of the corresponding secret information Enc (msg).

  Specifically, for example, FIG. 7A is a configuration example of a public bulletin board 610 displayed on a browser having a button that can set whether to refuse or permit decryption. In the case of this figure, the public bulletin board 610 includes a “permit button” for explicitly permitting decryption and a “reject button” for explicitly denying decryption for each number of information to be disclosed. Is provided.

  When the permission button or the rejection button of the public bulletin board 610 displayed on the evidence presenter terminal 12 by a browser or the like is pressed, the control unit 120 displays an authentication screen as shown in FIG. The user is requested to input a user name and password assigned in advance to a legitimate user who can set (permission) (for example, the original owner of the secret information msg). Then, when the user name and password are input by the user using the keyboard of the input unit 126, the control unit 120 sends the input user name, password, and reject (or permission) request information to the I / F 125. The data is transmitted to the public server 14 via the network 15 by the connected NIC.

  The control unit 140 of the public server 14 determines whether or not the user name and password received by the NIC connected to the I / F 145 are a valid user name and password. For example, this determination is performed based on the contents of the authentication database stored in the storage unit 143. When it is determined that the user is a valid user, the control unit 140 notifies the decryption person terminal 13 that the authentication is successful by the NIC connected to the I / F 145. Alternatively, when it is determined that the user is not a valid user, the control unit 140 notifies the decryptor terminal 13 of the authentication failure by the NIC connected to the I / F 145.

  The control unit 120 of the evidence presenter terminal 12 receives a notification indicating that the user has been successfully authenticated (or failed) through the NIC connected to the I / F 125. In the case of successful authentication, the control unit 120 displays a confirmation screen as shown in FIG. This figure is an example of a confirmation screen when “reject” is set. Then, when an instruction for refusal (or permission) is given by a legitimate user, the control unit 120 transmits request information of “rejection” (or “permission”) to the public server 14 by the NIC connected to the I / F 125. . In the case of authentication failure, it is only necessary to request input of a user name and a password assigned in advance to a legitimate user.

  Upon receiving request information “rejected” (or “permitted”) by the NIC connected to the I / F 145 from the evidence presenter terminal 12 that has been successfully authenticated, the control unit 140 of the public server 14 receives the original information of the secret information msg. Information indicating that decryption is rejected (or permitted) by the owner is stored in the decryption related information database 600. That is, the public bulletin board 610 posts that the decryption is rejected (or permitted) by the original owner of the secret information msg.

  Note that the public bulletin board 610, the authentication screen, and the confirmation screen described above are merely examples, and the present invention is not limited thereto, and various modifications can be made.

  As described above, the public server 14 can also explicitly reject or permit the decryption request requested from the decryption person terminal 13 based on the data received from the evidence presenter terminal 12. For example, the original owner of the secret information msg can know in advance when and by whom the secret information msg is decrypted, and can refuse if the decryption is not desired. Thereby, the confidentiality of secret information msg can be strengthened.

(Signature data generation process)
Next, the signature data generation process executed by the control unit 140 of the public server 14 will be described with reference to the flowchart of FIG.

  The signature data generation process is performed when decryption is permitted in the above-described decryption declaration disclosure process. Based on the decryption related information EVi received from the decryption person terminal 13, the public server 14 generates signature data SNs indicating that the decryption by the requested decryption person terminal 13 is permitted. Details will be described below.

The control unit 140 acquires the secret key SKs owned by the public server 14 (Step 801). For example, the secret key SKs is stored in the storage unit 143.
The control unit 140 acquires the decryption related information EVi from the decryption person terminal 13 (step S802). Note that the decryption related information EVi may be the information acquired in step S501 of the decryption declaration disclosure process described above.

  The control unit 140 generates the signature data SNs using Equation 4 from the secret key SKs and the decryption related information EVi (step S803).

  Note that the above-described mathematical formula for generating the signature data SNs is an example, and the present invention is not limited to this, and various modifications can be made.

  The signature data SNs generated in this way is transmitted to the decryptor terminal 13 that requested it. Upon receiving the signature data SNs, the decryption person terminal 13 can decrypt the encrypted secret information Enc (msg). That is, the decryption person terminal 13 cannot perform decryption only by transmitting the decryption related information EVi to the public server 14, and cannot decrypt it unless the corresponding signature data SNs is received from the public server 14. . Further, since the signature data SNs is generated using the secret key SKs owned by the public server 14, it cannot be decrypted by impersonating or tampering with others.

  Alternatively, the public server 14 may post the signature data SNs on the public bulletin board 610, and the decryptor terminal 13 may sequentially obtain the desired signature data SNs from the public bulletin board 610.

  Specifically, when the control unit 140 of the public server 14 generates the signature data SNs in step S803, for example, as illustrated in FIG. 9A, the control unit 140 associates the signature data SNs with the decryption related information EVi in the storage unit 143. Remember. The signature data SNs may be stored in the decryption related information database 600. FIG. 9B shows a configuration example of the public bulletin board 610 that can acquire the signature data SNs. In the case of this figure, the public bulletin board 610 includes an “acquisition button” for acquiring signature data SNs corresponding to each publicly disclosed information.

  When the acquisition button of the public bulletin board 610 displayed on the decryptor terminal 13 by a browser or the like is pressed, the control unit 130 displays an authentication screen as shown in FIG. Requesting the input of a user name and a password assigned in advance to the decryptor who generated the corresponding decryption-related information EVi). When a user name and password are input by the user using the keyboard of the input unit 136 or the like, the control unit 130 displays the input user name, password, and acquisition request information on the NIC connected to the I / F 135. To the public server 14 via the network 15.

  The control unit 140 of the public server 14 determines whether or not the user name and password received by the NIC connected to the I / F 145 are a valid user name and password. For example, this determination is performed based on the contents of the authentication database stored in the storage unit 143. When it is determined that the user is a valid user, the control unit 140 notifies the decryption person terminal 13 that the authentication is successful by the NIC connected to the I / F 145. Alternatively, when it is determined that the user is not a valid user, the control unit 140 notifies the decryptor terminal 13 of the authentication failure by the NIC connected to the I / F 145.

  The control unit 130 of the decryption person terminal 13 receives a notification that the user authentication has succeeded (or failed) by the NIC connected to the I / F 135. In the case of successful authentication, the control unit 130 displays a confirmation screen as shown in FIG. 9C, for example. This figure shows an example of a confirmation screen when authentication is successful. When an acquisition instruction is issued by a legitimate user, the control unit 130 transmits the acquisition request information to the public server 14 via the NIC connected to the I / F 135. In the case of authentication failure, it is only necessary to request input of a user name and a password assigned in advance to a legitimate user.

  When receiving the acquisition request information by the NIC connected to the I / F 145, the control unit 140 of the public server 14 transmits the signature data SNs to the decryptor terminal 13 and the signature for decrypting the secret information Enc (msg). Information indicating that the data SNs has been acquired is stored in the decryption related information database 600. That is, the public bulletin board 610 posts that the signature data SNs has been acquired by the decryptor terminal 13.

  As described above, the public server 14 can also transmit the signature data SNs necessary for decrypting the encrypted secret information Enc (msg) in response to a request from the decryptor terminal 13. For example, a person who wants to decrypt the secret information Enc (msg) does not acquire the signature data SNs until just before the secret information Enc (msg) needs to be decrypted. In addition, the risk of losing the signature data SNs is reduced. Thereby, the confidentiality of secret information msg can be strengthened.

(Decryption process)
Next, decryption processing executed by the control unit 130 of the decryption person terminal 13 will be described with reference to the flowchart of FIG.

  The decryptor terminal 13 receives the encrypted secret information Enc (msg), the hash value H1 (msg), the encrypted data R, and one element X on the evidence presenter's public information group G1 from the evidence presenter terminal 12. When the corresponding signature data SNs is received from the public server 14, decryption becomes possible and the original secret information msg can be obtained. Details will be described below.

  The control unit 130 acquires the encrypted secret information Enc (msg), the hash value H1 (msg), the encrypted data R, and one element X on the evidence presenter's public information group G1 from the evidence presenter terminal 12. (Step S1001). In addition, what is necessary is just to use what was acquired by the decoding relevant-information production | generation process mentioned above as these data.

  The control unit 130 acquires the corresponding signature data SNs from the public server 14 (step S1002). This data is obtained by receiving the data generated by the public server 14 in the signature data generation process described above. Alternatively, it can be obtained by selecting and obtaining the signature data SNs published on the public bulletin board 610 as described above.

  The control unit 130 acquires the bilinear map e from the key center server 11 (step S1003).

  The control unit 130 acquires the secret key SKi owned by the decryptor terminal 13 (step S1004). For example, the secret key SKi is stored in advance in the storage unit 133.

  The control unit 130 decrypts the data acquired in steps S1001 to S1004 using Equation 5 to obtain secret information msg. (Step S1005).

  The above-described mathematical expression for performing decoding is an example, and the present invention is not limited to this, and various modifications are possible.

For example, after performing decryption in step S1005, the control unit 130 transmits a notification that the decryption has been performed to the public server 14, and the public server 14 that has received this notification is decrypted by the decryptor terminal 13. You may make it announce on the public bulletin board 610 to the effect that it was made.
As a result, a person other than the decryption person terminal 13 (for example, the original owner of the secret information msg) can know when and who has performed the decryption, and the effect of suppressing unauthorized use of the secret information msg can be obtained.

  The secret information msg thus obtained is displayed on, for example, the monitor of the output unit 134, and as a result, the decryptor can receive the secret information msg while maintaining confidentiality.

(Overall operation of the information processing system)
Next, the overall operation of the information processing system 10 realized by cooperation of the above-described processes will be described with reference to FIG.

  First, as a setup of the information processing system 10, the key center server 11 discloses common parameters (that is, hash functions H1, H2, bilinear mapping e and element P) (step S1).

  The evidence presenter terminal 12 encrypts the secret information msg and generates a ciphertext (step S2). This is performed by the encryption process described above. For example, the original owner of the secret information msg encrypts privacy information and the like that he wants to send to the other party in a secret state. This ciphertext includes encrypted secret information Enc (msg), hash value H1 (msg), encrypted data R, and one element X of the public information group G1.

  The evidence presenter terminal 12 transmits the generated ciphertext to the decryptor terminal 13 (step S3). For example, the original owner of the secret information msg transmits it via the network 15 using a commonly used e-mail service, messenger service, file exchange service, or the like.

  The decryption person terminal 13 receives the ciphertext and generates decryption related information EVi (step S4). This is performed by the decoding related information generation process described above.

  The decryption person terminal 13 transmits the generated decryption related information EVi to the public server 14 (step S5). This transmission is preferably performed using a protocol or the like that can encrypt and transmit information.

  The public server 14 receives the decryption related information EVi and posts the decryptor on the public bulletin board 610 as shown in FIG. 7A for example (step S6). This is performed by the decryption declaration disclosure process described above. As a result, it is known that the decryptor terminal 13 is trying to decrypt the encrypted secret information Enc (msg).

  The public server 14 generates signature data SNs from the received decryption related information EVi, and signs the decryption related information EVi (step S7). This is performed by the signature data generation process described above.

  The public server 14 posts the generated signature data SNs on the public bulletin board 610 as shown in FIG. 9B, for example (step S8). This is performed by the decryption declaration disclosure process described above. The signature data SNs may be directly transmitted to the decryption person terminal 13.

  The decryption person terminal 13 acquires the signature data SNs posted on the public bulletin board 610 (step S9).

  The decryptor terminal 13 decrypts the encrypted secret information Enc (msg) to obtain the original secret information msg (step S10). This is performed by the decoding process described above.

  As described above, according to the information processing system 10 of the present embodiment, it is possible to obtain the effect of preventing the unauthorized use of the encrypted secret information and restricting the decryption.

  That is, since the decryption related information EVi is generated using the secret key SKi owned by the decryptor terminal 13, it is not possible to generate the decryption related information EVi or use the signature data SNs by impersonating another person. It is possible to send and receive secret information while maintaining the characteristics. Since the signature data SNs is indispensable for decryption, the decryptor cannot perform decryption unless decryption is permitted by the public server 14, and there is an effect of preventing illegal decryption.

  Further, when a request for decryption is made, it is posted on the public bulletin board 610, so that the other person can know when the decryption is being performed by whom. Also, the other person can know whether the secret information msg has been decrypted or by whom. For this reason, there is an effect that it is possible to suppress an illegal act in which decryption is performed against the intention of the original owner of the secret information msg.

  Furthermore, the original owner of the secret information msg can also refuse if the decryption is not desired, and the confidentiality of the secret information msg can be strengthened whenever necessary.

  The present invention is not limited to the above embodiment, and various modifications and applications are possible.

For example, an expiration date may be set for the signature data SNs generated in the signature data generation process, and decryption using the signature data SNs can be performed only within the expiration date.
In this case, for example, the control unit 140 of the public server 14 generates the signature data SNs including the expiration date in a part of the signature data SNs, and the control unit 130 of the decryptor terminal 13 starts the decryption process. Decryption should not be permitted if the expiration date has passed. Alternatively, for example, the control unit 140 stores the signature data SNs in the storage unit 143 in association with the decryption related information EVi and the expiration date, and the control unit 130 of the decryption person terminal 13 starts the decryption. The public server 14 may be inquired of the expiration date so that it can be decrypted only within the expiration date.
As a result, even if the signature data SNs leaks against the intention of a decryptor, for example, it can be prevented from being decrypted if the expiration date has passed, and the confidentiality of the secret information msg can be enhanced. it can.

For example, an expiration date may be set for the encrypted secret information Enc (msg) generated by the encryption process, and decryption can be performed only within the expiration date.
In this case, for example, the control unit 120 of the evidence presenter terminal 12 generates Enc (msg) including the expiration date in a part of the encrypted secret information Enc (msg), and the control unit of the decryptor terminal 13 If the expiration date has passed when starting the decryption process 130, the decryption may be prohibited. Alternatively, for example, when the encrypted secret information Enc (msg) is generated, the control unit 120 transmits the encrypted secret information Enc (msg) to the public server 14, and the control unit 140 of the public server 14 Stores the received encrypted secret information Enc (msg) in the decryption-related information database 600 in association with the expiration date, and when the decryption request is made after the expiration date, You do not need to give permission.
As a result, even if the encrypted secret information Enc (msg) leaks against the intention of the original owner of the secret information msg, it can be prevented from being decrypted if the expiration date has passed, The confidentiality of the secret information msg can be enhanced.

For example, the common parameters stored in the key center server 11 can be changed periodically.
In this case, the control unit 110 of the key center server 11 is a part or all of the hash functions H1, H2, the bilinear map e, and the public information G1 of the evidence presenter at a predetermined timing (for example, one week). May be set again and stored in the storage unit 113. In addition, the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14 may re-import and use these sets of common parameters sequentially when starting the above-described processes. Alternatively, the control unit 110 notifies the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14 that the common parameter has been reset at the timing when the common parameter is reset, and resets the common parameter. What is necessary is just to urge acquisition (or to acquire automatically).
Thereby, the confidentiality of the confidential information msg in the information processing system 10 can be strengthened.

  In the above embodiment, the case where there is one decryption person terminal 13 has been described. However, there may be two or more decryption person terminals 13.

  Moreover, you may implement | achieve using the decoding terminal which has both the function of both the evidence presenter terminal 12 and the decryption person terminal 13. FIG.

  In the above embodiment, the program has been described as being stored in advance in the ROM 112, the ROM 122, the ROM 132, the ROM 142, and the like. However, a program for operating the key center server 11, the evidence presenter terminal 12, the decryptor terminal 13, and the public server 14 as all or a part of each of them, or for executing the above-described processing is stored in a memory card, CD -Stored in a computer-readable recording medium such as ROM (Compact Disc Read-Only Memory), DVD (Digital Versatile Disk), MO (Magneto Optical disk), etc., installed on another computer, and You may make it operate | move as a means or may perform the above-mentioned process.

  Furthermore, the program may be stored in a disk device or the like included in a server device on the Internet, and may be downloaded onto a computer by being superimposed on a carrier wave, for example.

  As described above, according to the present invention, it is possible to provide an information processing apparatus, an information processing system, and a program suitable for preventing unauthorized use of encrypted secret information and limiting decryption.

It is a figure for demonstrating the structure of the information processing system which concerns on this embodiment. It is a block diagram for demonstrating the structure of a key center server. It is a flowchart for demonstrating an encryption process. It is a flowchart for demonstrating a decoding relevant information generation process. It is a flowchart for demonstrating a decoding declaration disclosure process. (A) It is a figure which shows the example of the information memorize | stored in a decoding relevant information database. (B) It is a figure which shows the example of a display of a public bulletin board. (A) It is a figure which shows the example of a display of a public bulletin board. (B) It is a figure which shows the example of a display of an authentication screen. (C) It is a figure which shows the example of a display of a confirmation screen. It is a flowchart for demonstrating a signature data generation process. (A) It is a figure which shows the example of the decryption relevant information memorize | stored in a memory | storage part, and signature data. (B) It is a figure which shows the example of a display of a public bulletin board. (C) It is a figure which shows the example of a display of a confirmation screen. It is a flowchart for demonstrating a decoding process. It is a figure for demonstrating the operation | movement of the whole information processing system which concerns on this embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Information processing system 11 Key center server 12 Evidence presenter terminal 13 Decryptor terminal 14 Public server 15 Network 110 Control part 111 RAM
112 ROM
113 Storage unit 114 Output unit 115 I / F
116 Input unit 117 System bus 120 Control unit 121 RAM
122 ROM
123 Storage unit 124 Output unit 125 I / F
126 Input unit 127 System bus 130 Control unit 131 RAM
132 ROM
133 Storage unit 134 Output unit 135 I / F
136 Input unit 137 System bus 140 Control unit 141 RAM
142 ROM
143 Storage unit 144 Output unit 145 I / F
146 Input unit 147 System bus 600 Decoding related information database 610 Public bulletin board

Claims (1)

An information processing system having an evidence presenter terminal, a public server, and a decryptor terminal ,
The evidence presenter terminal
An acquisition unit for acquiring the source of the public information group of the evidence presenter who uses the evidence presenter terminal;
The encrypted secret information is obtained by encrypting the secret information using the first public key of the public server, the second public key of the decryptor terminal, and the acquired source. and the encryption unit that generates,
The generated encrypted secret information, the stored element, the encrypted data generated based on the element, and the hash value of the secret information are output to the decryptor terminal. An output section;
Equipped with a,
The public server is
A request receiving unit which receives the request data for requesting the permission to decrypt the encrypted secret information from the decoding terminal,
Before Ki受 only attached was based on the request data, the determining whether the determination unit permits decrypt the encrypted private information,
If it is determined to permit by the determination unit, and the signature data generation unit that generates signature data used from the received request data to decrypt the encrypted secret information,
A signature data storage unit that stores the received request data and the generated signature data in association with each other;
And signature data output section for outputting the stored signed data to the decoding terminal,
Equipped with a,
The decryptor terminal is
A secret key storage unit for storing a secret key and the second public key corresponding to the secret key;
A receiver that receives the encrypted secret information, the source, the encrypted data, and a hash value of the secret information from the evidence presenter terminal ;
And a private key that is the storage, the encrypted data to the received the hash value to the received, based on a request generating unit for generating a request data for requesting the permission to decrypt the encrypted private information ,
A request output unit for outputting the generated request data to the public server ;
And signature data receiving unit that receives the signature data corresponding to the output request data from the public server,
Obtaining the original of the received and encrypted the received data, and a private key that is the storage, using a signature data received above, by decoding the secret information the encrypted, the secret information A decoding unit to
Equipped with a,
Information processing system comprising a call.

Images