JP6115573B2 - Cryptographic system, data storage system, and apparatus and method used therefor - Google Patents

Description

  The present invention relates to an encryption system capable of designating a plurality of users who can decrypt, a data storage system using the encryption system, and a key derivation device, a decryption device, a proxy key generation device, and a data processing method used therefor.

  One of the encryption methods that can specify a plurality of users that can be decrypted is a functional encryption method. In functional cryptography, whether or not a recipient can decrypt the ciphertext is determined by a function value that uses an attribute owned by the recipient as input, and is encrypted by specifying this function. is there. In addition, it can be said that the functional encryption method is an encryption method in which whether or not a receiver can decrypt a ciphertext is determined by an attribute specified at the time of generating the ciphertext and a predicate possessed by the receiver. it can. Non-Patent Document 1 describes an example of a functional encryption scheme.

  FIG. 13 is an explanatory diagram showing an outline of the functional encryption method described in Non-Patent Document 1. As shown in FIG. 13, the functional encryption method described in Non-Patent Document 1 includes a setting function 901, a key derivation function 902, an encryption function 903, and a decryption function 904.

  The setting function 901 generates a public key 911 and a master key 912. The key derivation function 902 generates a secret key 914 corresponding to the attribute from the public key 911, the master key 912, and the predicate vector 913 corresponding to the attribute vector 916 designating the authority (attribute) that can be decrypted. The encryption function 903 generates a ciphertext 917 from the public key 911, the document to be encrypted (plaintext) 915, and an attribute vector 916 that specifies the authority to decrypt the document. The decryption function 904 generates a plaintext 918 that is a decrypted text of the ciphertext 917 from the public key 911, a private key 914 (for example, the private key 914-1) possessed by the decryptor, and the received ciphertext 917. .

  For example, it is assumed that the setting function 901 outputs the public key pk and the master key mk. Assume that the key derivation function 902 inputs the public key pk, the master key mk, and the predicate vector v, and outputs the secret key sk of the attribute set. The encryption function 903 inputs the public key pk generated by the setting function 901, the document m to be encrypted, and the attribute vector x that designates the authority to decrypt the document m, and uses the ciphertext of the document m. A certain C is output. The decryption function 904 performs a decryption process by inputting the public key pk generated by the setting function 901, the received ciphertext C, and the private key sk of the attribute set possessed by the decryptor. At this time, if v · x = 0, the decryption is successful, and thus a document m which is a decrypted text is generated and output.

  In this way, if a functional encryption scheme is used, a receiver having a secret key sk generated by specifying a predicate vector v corresponding to an attribute vector x specified when generating a ciphertext. For example, since the ciphertext can be decrypted, a plurality of recipients can decrypt one ciphertext. By using such a functional encryption method, for example, it is possible to easily realize access control that permits browsing only to a specific set of users with respect to a file that can be accessed by a plurality of persons. Accordingly, it is possible to contribute to enhancing the safety of a data storage service using a cloud or the like. For example, consider a case where an organization such as a company stores data in a storage device on a network. In this case, data that should be read only by a member with a certain qualification of this organization may be encrypted using a functional encryption method and stored in a storage device on the network. At this time, the qualification to read data is represented by a predicate vector v, and the ciphertext that can be decrypted by the member having this qualification is encrypted by specifying the attribute x where v · x = 0. When members of the organization need data, they access the storage device holding the data via the network and obtain necessary data. This data is encrypted by the functional encryption method as described above, but if it is a member of the organization having the predicate vector v corresponding to the attribute x, it should be decrypted according to the decryption method in the functional encryption method and used. Can do.

  In general, in order to obtain data via a network such as a cloud, it is possible to secure the request by authenticating the request and limiting the access permission to the members of the corresponding organization, but there is a mistake in the authentication process. There is a possibility. In addition, if the management of the cloud side (network side) holding the data is insufficient, or if the administrator acts illegally, the data may be passed on to those who do not have access authority. In particular, when using the cloud, the user is an external person in terms of network management, so the external user can check whether the network management is sufficient, There was a problem that it was difficult to obtain confirmation that it did not work, and there was a greater concern about information leakage. However, even in such a case, if the data is encrypted using a functional encryption method, even if a member other than the member having the secret key of the correct predicate vector set obtains the data, the data is decrypted. It is not possible to prevent the contents from being unfairly revealed.

  Another example of an encryption method that can designate a plurality of users that can be decrypted is a broadcast encryption method. The broadcast encryption method is an encryption method in which a set of recipients that can be decrypted is specified for encryption, and the same ciphertext is received by a plurality of recipients each having a different secret key. This is an encryption method in which the decrypted result is the same plaintext. Non-Patent Document 2 describes an example of a broadcast encryption scheme.

  FIG. 14 is an explanatory diagram showing an outline of the broadcast encryption method described in Non-Patent Document 2. As shown in FIG. 14, the broadcast encryption method described in Non-Patent Document 2 includes a setting function 801, a key derivation function 802, an encryption function 803, and a decryption function 804.

  The setting function 801 generates a public key 811 and a master key 812. The key derivation function 802 generates a secret key 814 corresponding to the decryption person (hereinafter referred to as a decryption person private key 814) from the master key 812, the public key 811, and the decryption person identifier 813. The encryption function 803 generates a ciphertext 817 from the public key 811, a decryptable person set 816 that designates a set of decryptable persons, and a document (plain text) 815 to be encrypted. The decryption function 804 includes a public key 811, the received ciphertext 817, a decryptable person set 816 (for example, a decryptable person set 816-1) that designates a set of decryptable persons recognized by the decryptor, A plaintext 818 that is a decrypted text of the ciphertext 817 is generated from the decryptor private key 814 (for example, the decryptor private key 814-1) possessed by the decryptor.

  The decryptable person set 816 input to the encryption function 803 and the decryptable person set 816 input to the decryption function 804 are the same, and the ciphertext 817 output by the encryption function 803 and the decryption function 804 are input. If the ciphertext 817 is the same, and the decryptor private key 814 input to the decryption function 804 is the private key of the decryptor belonging to the decryptable person set 816 input to the decryption function 804, the encryption function 803 The plaintext 815 input to the plaintext 818 and the plaintext 818 output from the decryption function 804 have the same contents.

  As described above, the broadcast encryption method can contribute to improving the safety of the data storage service using the cloud or the like, similarly to the functional encryption method. For example, consider a case where an organization such as a company stores data in a storage device on a network. In this case, data that should be readable only by members of this organization is encrypted using a broadcast encryption method after designating data indicating a set of decryptable persons to which each member of the organization belongs. What is necessary is just to preserve | save in a memory | storage device. Each member of the organization is given a corresponding private key along with data indicating the set of decryptable persons. When members of the organization need data, they access the storage device holding the data via the network and obtain necessary data. This data is encrypted by the broadcast encryption method as described above, but if it is a member of an organization, it can be decrypted and used according to the decryption method of this broadcast encryption.

  The broadcast encryption method is different from the functional encryption method in that it is possible to control whether or not decryption is possible for each recipient. That is, if the decryptable person set 816 is appropriately changed when the member is changed, the decryptable person can be changed according to the changed decryptable person set. For example, when a new member joins the organization, the key derivation function 802 generates a decryptor private key 814 for the new member, and the encryption function 803 adds this member in the subsequent encryption processing. Data may be encrypted using the new decryptable person set 816. Further, for example, when a member leaves the organization, the data may be encrypted by using the new decryptable person set 816 from which the member is deleted in the subsequent encryption processing in the encryption function 803. With these processes, only the latest member belonging to the new decryptable person set 816 can be decrypted with respect to the data encrypted using the new decryptable person set 816.

Tatsuaki Okamoto, Katsuyuki Takashima, "Adaptively Attribute-Hiding (Hierarchical) Inner Product Encryption.", EUROCRYPT 2012, 2012, p.591-608. Dan Boneh, Craig Gentry, Brent Waters, "Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys", Advances in Cryptology-CRYPTO 2005, 25th Annual International Cryptology Conference, 2005, p.258-275.

  Functional encryption can control whether or not decryption can be performed on an attribute-by-attribute basis by specifying the attribute when encrypting, so even if a new member is added, only the secret key is distributed to the added member. While each member has the advantage of being able to decrypt all target data including already encrypted data, if a member is missing, the missing member can also be decrypted if the target data is available Have the problem of

  On the other hand, in the broadcast encryption method, a decryptable user set is specified when encrypting, but by changing the user in the set, whether or not the decryption can be performed can be controlled for each user. While it has the advantage of being able to handle it safely, it is decided when encryption can be done and when it is encrypted, it will be fixed afterwards, so if you try to allow new members to see already encrypted data, There is a problem that the existing encrypted data must be decrypted and encrypted again every time it is changed.

  Further, even if a functional encryption method and a broadcast encryption method are used in combination, it is not simply possible to obtain the advantages of both. For example, a set of recipients that can decrypt the document M is encrypted using a broadcast encryption method, and a set of recipient attributes that can be decrypted is further encrypted using a functional encryption method. Suppose that Then, it seems that only a receiver having the specified attribute and included in the specified receiver set can decrypt. However, if a recipient who has the specified attribute but is not included in the specified recipient set cooperates with a recipient who does not have the specified attribute but is included in the specified recipient set, the decryption is not possible. It is possible and need not be a recipient with both conditions simultaneously. That is, the collusion resistance is not sufficient. The same applies even if the order of encryption is reversed.

  Furthermore, in such a combination by multi-stage encryption, it is not possible to utilize the access restriction that the functional encryption method can restore if the attribute matches the already stored data. This is because if the broadcast encryption method is used, the restorer who can restore it is determined when it is encrypted and cannot be changed thereafter.

  Here, for example, when the members constituting the organization are changed, all the currently stored encrypted data is extracted and decrypted using the old decryptable person set, and then the new decryptable person set is used. Consider re-encrypting and saving again. However, in many organizations that exist in the world, especially large organizations, changing their members is a common occurrence and includes decryption and re-encryption of all existing encrypted data at each member change. Performing a series of processing is extremely burdensome.

  In other words, using existing encryption methods or simply combining them, when considering a data storage service using the cloud, etc., when access members are changed, the security is not sufficient, and If all the target data including already encrypted data is to be secured, there is a problem that a burdensome work has to be done.

  In view of the above, an object of the present invention is to enable safe and efficient response to changes in members while enabling decryption control in attribute units. More specifically, whether or not decryption is possible can be specified in attribute units, and even when the member is changed, it takes time and effort to decrypt and re-encrypt the already encrypted data. And providing an encryption system, a data storage system, a key derivation device, a decryption device, a proxy key generation device, and a data processing method that can ensure safety for all target data including already encrypted data. With the goal.

  The cryptographic system according to the present invention is a part that is changed in accordance with a change of a user set, which is a set of users that can be decrypted, in addition to a main body generated by a method that complies with a functional cryptosystem, and is randomly When a setting unit that generates a public key and a master key including an update unit that is a part in which a value based on a selected public key update factor is set, and a public key, a master key, a predicate vector, and a user identifier are input A user identification factor that is unique to the user and unknown to the user, a predicate part that is generated based on the master key, the predicate vector, and the user identification factor, and the user identification factor and the master key A key derivation unit that generates a secret key including a user-dependent value cancellation unit that is generated based on the above, and an encryption unit that generates a ciphertext by specifying an attribute vector by a method that complies with a functional encryption scheme When a public key, a secret key, and a ciphertext are input, based on the ciphertext and the predicate part of the secret key, a user-dependent value that depends on the user identification factor used to generate the secret key And a user-dependent value cancellation value for canceling the user-dependent value based on the ciphertext and the user-dependent value cancellation unit of the secret key, and the generated user-dependent value When the decryption means for decrypting the ciphertext using the user-dependent value cancellation value, the public key, the master key, and the changed user set are input, a new public key update factor is generated and generated. Based on the public key update factor that has been generated, the public key update unit, the update key that is the update part of the private key, and the master key update unit are generated, and the generated public key update factor and the pre-change key are generated. Based on the public key update factor obtained from the public key and the master key before the change Updating the proxy key and master key to convert the ciphertext that can be decrypted with the private key of the user belonging to the user set before the change into the ciphertext that can be decrypted with the private key of the user belonging to the user set after the change A decryption of the ciphertext from a ciphertext that can be decrypted with the private key of the user belonging to the user set before the change using the proxy key generated by the proxy key generation means And re-encrypting means for generating a new ciphertext that can be decrypted with the secret key of the user belonging to the user set after the change.

  A data storage system according to the present invention includes a management device used by a data administrator, a data storage device used by a data storage user who stores encrypted data, a decryption device, and an encryption device. Is a part of the public key that is selected at random, in addition to the main part generated by a method that complies with the functional encryption method, as well as the part that is changed in accordance with the change of the set of users that can be decrypted Setting means for generating a public key and a master key including an update unit, which is a part for which a value based on an update factor is set, and a public key, a master key, a predicate vector, and a user identifier A user identification factor that is unknown to the user and is generated based on the master key, the predicate vector, and the user identification factor, and the user identification factor and the master key. When a key derivation means for generating a secret key including a generated user-dependent value cancellation unit, a public key, a master key, and a changed user set are input, a public key update factor is newly generated. Based on the generated public key update factor, a public key update unit, an update key that is an update part of the secret key, and a master key update unit are generated, and the generated public key update factor is Based on the public key update factor obtained from the public key before change and the master key before change, the ciphertext that can be decrypted with the private key of the user belonging to the user set before change is changed to the user set after change. Including a proxy key for converting into a ciphertext that can be decrypted with the private key of the user to which it belongs, and a proxy key generation unit that generates a master key update unit, and the data storage device is generated by the proxy key generation unit Uses proxy key and belongs to user set before change Re-encryption means for generating new ciphertext that can be decrypted with the secret key of the user belonging to the changed user set without decrypting the ciphertext from the ciphertext that can be decrypted with the user's private key; Storage means for storing data encrypted by the re-encryption means, and the encryption device includes encryption means for specifying the attribute vector and generating ciphertext by a method compliant with the functional encryption method When the public key, the secret key, and the ciphertext are input, the decryption device depends on the user identification factor used in generating the secret key based on the ciphertext and the predicate part of the secret key. Generates a user-dependent value, generates a user-dependent value cancellation value for canceling the user-dependent value based on the ciphertext and the user-dependent value cancellation unit of the secret key, and uses the generated usage The ciphertext using the user-dependent value and the user-dependent value cancellation value Decoding means for decoding is included.

  The key derivation device according to the present invention is a part that is changed in accordance with a change of a user set, which is a set of users that can be decrypted, in addition to a main body generated by a method that complies with a functional cryptosystem, and is randomly When a public key and master key including an update unit, a predicate vector, and a user identifier are input, a value that is set based on the public key update factor selected by the user is input. A user identification factor that is unknown to the user, a predicate part that is generated based on the master key, predicate vector, and user identification factor, and a usage that is generated based on the user identification factor and the master key And a key derivation unit for generating a secret key including a person-dependent value canceling unit.

  The decryption device according to the present invention is a part that is changed in accordance with a change of a user set, which is a set of users that can be decrypted, in addition to a main body generated by a method that complies with a functional cryptosystem, and is randomly A public key that includes at least an update part, which is a part for which a value based on the selected public key update factor is set, and a secret key with a predicate vector specified, which is unique to the user and known to the user When a secret key including a predicate part based on a non-user identification factor, a master key, and a predicate vector, a user-dependent value cancellation part based on the user identification factor and the master key, and a ciphertext are input, Based on the ciphertext and the predicate part of the secret key, a user-dependent value depending on the user identification factor used when generating the secret key is generated, and a user-dependent value of the ciphertext and the secret key is generated. On the basis of the cancellation part A decryption unit that generates a user-dependent value cancellation value for canceling the dependency value and decrypts the ciphertext using the generated user-dependent value and the user-dependent value cancellation value is provided. .

  The proxy key generation device according to the present invention is a part that is changed in accordance with a change of a user set that is a set of users that can be decrypted, in addition to a main body generated by a method that complies with a functional cryptosystem. In addition to a public key that includes at least an updater, which is a part for which a value based on a randomly selected public key update factor is set, and a main part generated by a method that complies with a functional encryption method, a user who can decrypt A master key including at least an update part that is a part that is changed in accordance with a change in the user set that is a set of the key and a value that is set based on a public key update factor that is randomly selected, and a post-change key When the user set is input, a public key update factor is newly generated, and based on the generated public key update factor, an update part of the public key, an update key that is an update part of the secret key, Master key update part And the private key of the user belonging to the user set before change based on the generated public key update factor, the public key update factor obtained from the public key before change, and the master key before change A proxy key generation means for generating a proxy key for converting a ciphertext that can be decrypted with the secret key of a user belonging to the changed user set and a master key update unit It is characterized by.

  The data processing method according to the present invention is a data processing method for transferring confidential data via a network, and can be decrypted in addition to a main body generated by a method compliant with a functional encryption method. A public key and a master key including an update unit that is a part that is changed in accordance with a change of a user set that is a set of users and that is a part in which a value based on a public key update factor selected at random is set. Generate and generate a user identification factor that is unique to the user and that the user does not know for each user who is permitted to decrypt data, and based on the master key, predicate vector, and user identification factor A secret key including a generated predicate part, a user-dependent value cancellation part generated based on a user identification factor and a master key is generated, and used when decrypting data or a ciphertext of the data When a message key is encrypted by specifying an attribute vector and a data ciphertext or message key ciphertext is received, it is based on the received ciphertext and the predicate part of the private key possessed by the user. Generating a user-dependent value that depends on the user identification factor used when generating the secret key, and based on the ciphertext and the user-dependent value cancellation unit for the secret key, A user-dependent value canceling value for canceling is generated, and the ciphertext is decrypted using the generated user-dependent value and the user-dependent value canceling value.

  According to the present invention, it is possible to safely and efficiently cope with the change of the member while making it possible to control whether or not decryption is possible in attribute units.

It is a whole block diagram of the encryption system of 1st Embodiment. 3 is a block diagram illustrating a configuration example of a setting unit 11. FIG. 3 is a block diagram illustrating a configuration example of a key derivation unit 12. FIG. 3 is a block diagram illustrating a configuration example of an encryption unit 13. FIG. It is a block diagram which shows the other structural example of the encryption part. 3 is a block diagram illustrating a configuration example of a decoding unit 14. FIG. 3 is a block diagram illustrating a configuration example of a proxy key generation unit 15. FIG. 3 is a block diagram illustrating a configuration example of a re-encryption unit 16. FIG. 3 is a block diagram illustrating a configuration example of a key update unit 17. FIG. It is a block diagram which shows an example of the whole structure of the data storage system of 2nd Embodiment. It is a block diagram which shows the other structural example of the data storage system of 2nd Embodiment. It is a block diagram which shows the outline | summary of this invention. It is explanatory drawing which shows the outline of a functional encryption system. It is explanatory drawing which shows the outline of a broadcast type encryption system.

  First, the encryption method used by the present invention (hereinafter referred to as the encryption method of the present invention) will be described. The encryption method of the present invention is an improvement of the functional encryption method, and solves the above-described problems by adding the following functions to the functional encryption method.

(1) Proxy key generation function More specifically, a ciphertext that can be decrypted with a secret key of a user belonging to a certain “user set U” is converted to a secret key of the user belonging to a new “user set U ′”. A function that generates a proxy key for conversion into ciphertext that can be decrypted based on the master key.

(2) Re-encryption function More specifically, a decryption key is obtained from a ciphertext that can be decrypted with a private key of a user belonging to a certain “user set U” using the proxy key generated by the proxy key generation function. A function for generating a ciphertext that can be decrypted with the secret key of the user belonging to the new “user set U ′” without undergoing a decryption process using.

  By adding these two functions, when access to data stored in the cloud or the like is controlled by an encryption method, the set of users permitted to access can be dynamically changed as follows: To do. Here, “access to data is controlled by an encryption method” specifically means that data subject to access restriction is encrypted using a predetermined encryption method and stored as encrypted data. The person who can view the contents of the data is limited to those who can decrypt the encrypted data. That is, in the present invention, when the expression “access control” is used, it means that the person who can decrypt the encrypted data is controlled.

  That is, the encryption method of the present invention adds these two functions, and the user set that permits decryption of the data encrypted and stored by this method is as follows. It can be changed dynamically.

  First, it is assumed that the target data is encrypted by specifying the authority to decrypt it. At this time, a user set U that is a set of users having the authority is specified, and each user is assigned a secret key corresponding to the authority specified at the time of encryption and specifying the user. It is done. As a result, the ciphertext can be decrypted only by users who belong to the user set U and hold the authority specified at the time of ciphertext generation. This is because access to each ciphertext is restricted by the authority requested, and the distribution of the secret key is also restricted by the set of users.

  Here, the one having all access rights to data has the master key. In addition, the secret key of each user belonging to the user set can be generated using the master key. In the present invention, a person having this master key is called an administrator. It is assumed that this administrator entrusts another person without saving the encrypted data. A person who saves encrypted data is called a data saver. The data storage person will be described as an example of a person who performs data storage work in the cloud or the like. However, the data storage person may simply be a receiver who has received the ciphertext.

  Now, suppose you want to add or delete users who are allowed to access data due to organizational changes. This is nothing but to change the user set U that can decrypt the encrypted data as long as the authority matches. Here, the user set to be changed is U ′.

  Using the above-described proxy key generation function, the administrator generates the proxy key rk and other various data required for changing the user set from the user set U, user set U ′, and master key To do. Then, the generated proxy key rk is sent to the data saver. Various data required in accordance with the change of the user set includes, for example, the secret key of each user belonging to the new user set U ′.

  The data storage person uses the above-described re-encryption function to re-encrypt each cipher text stored by himself / herself based on the cipher text and the proxy key, thereby generating a new cipher text. Then, the original ciphertext is replaced with this new ciphertext. The new ciphertext can be decrypted by the users belonging to the new user set U 'who have the same authority. Accordingly, it can be considered that access to these data is restricted to users belonging to the user set U '. That is, as long as the authority matches, it can be considered that the user set that can be decrypted has been successfully changed.

Embodiment 1. FIG.
Next, an encryption system using the encryption method of the present invention will be described with reference to the drawings.

[Definitions]
First, definitions of various terms in the encryption method used in the encryption system of the present embodiment will be described. G, G _T is a respective cyclic group and of order prime q, and e: shall have the G × G → G _T becomes bilinear map. g is a generator of group G. Fq is a prime field of order q. V represents a vector space ^{G N} on Fq. Further, A is a standard base of V, and A: = (a [i]) ^T _{i = 1,.} Here, all elements of a [i] are 0 on V except for the i-th element, and the i-th element is g. In addition, when x: = (g [i]) ^T _{i = 1,..., N} ∈V, y: = (h [i]) ^T _{i = 1} ,. (x, y): = Πe (g [i], [i]) and _{i =} ^{1 N} ∈G _T. However, g [i] is treated as a different symbol from g which is a generator of the group G.

Group G is described as an additive cyclic group. Multiplication is defined for the element of Fq and the element of group G. If the element of Fq is α and the element of group G is g, those multiplications are described as αg. Further, the group G _T is described as multiplicative cyclic group. The Fq original with original group G _T are defined a power multiplication, the original group G _T in Fq former is alpha is if g _T, their multiplication is described as g _T ^alpha. As method for realizing the group G and the group G _T, methods and the like are known using elliptic curve.

Further, DOBG (·, ·), once an integer λ and N are _{input, paramsV = (q, V,} G T, A, e (·, ·), g T, B, B *) dual outputs a This is an orthonormal basis generation function. The superscript * attached to the symbol is used as a mere identification symbol for distinguishing B from B ^* . In DOBG (), paramsV is generated as follows. First, generators of q, G _T , V, A, e (•, •), g: G of size λ are selected. Further, ψ of Fq is selected at random to generate g _T : = e (g, g) ^ψ . Next, X is randomly selected from an N × N reversible matrix GL (N, Fq) having elements of Fq as elements, and Θ: = ψ · (X ^T ) ⁻¹ is generated. Further, B: = XA, B ^* : = ΘA. Note that (b [0],..., B [N−1]): = B, (b ^* [0],..., B ^* [N−1]): = B ^* . Then, paramsV (q, V, G _T , A, e (•, •), g _T , B, B ^* ) is output.

[Constitution]
FIG. 1 is an overall configuration diagram of the cryptographic system according to the first embodiment. 1 includes a setting unit 11, a key derivation unit 12, an encryption unit 13, a decryption unit 14, a proxy key generation unit 15, a re-encryption unit 16, and a key update unit 17. Prepare.

[Setting function]
The setting unit 11 generates a public key 201 and a master key 202.

  FIG. 2 is a block diagram illustrating a configuration example of the setting unit 11. As shown in FIG. 2, the setting unit 11 may include a setting unit 111.

  The generation method of the public key and the master key may be basically the same as the generation method in a general functional encryption scheme. However, as shown below, at least an update unit that is updated in accordance with the generation of the proxy key 213 is added to the public key 201, and the update that is updated in accordance with the generation of the proxy key 213 in the master key 202 At least a part is added. Both the update unit of the public key 201 and the update unit of the master key 202 include an area for setting a value based on a public key update factor generated by the proxy key generation unit 15 described later. Since the public key update factor is generated when the user set is changed, the temporary public key update factor randomly selected by the setting unit 11 at the time of public key generation and master key generation A value based on is set in the area. Hereinafter, a part other than the “update part” and generated by a method based on the functional encryption method may be referred to as a “main part”.

For example, the setting unit 11 generates the public key 201 and the master key 202 as follows. First, integers λ and n are input. Then, setting means 111, DOBG (λ, 4n + 3 ) output _{(paramsV: = (q, V} , G T, A, e (·, ·), g T, B, B *), B: = (b [1],..., B [4n + 3]), B ^* : = (b ^* [1],..., B ^* [4n + 3])). The setting means 111 then selects B ′: = (b [1],..., B [n], b [4n + 1], b [4n + 2], b [4n + 3]), B ′ ^* : = (b ^* [1], ..., b ^* [n], b ^* [3n + 1], ..., b ^* [4n], b ^* [4n + 1], b ^* [4n + 2], b ^* [4n + 3]) To do. Next, γ is randomly selected from Fq, and f = γgεV and h = (ψ / γ) g. Then, output means or the like (not shown) outputs (λ, paramsV, B ′, f): = pk as the public key 201 and (B ′ ^* , h): = mk as the master key 202. In the case of this example, f = γg of pk corresponds to the “update unit” of the public key 201, and the other corresponds to the “main body unit”. Of mk, h corresponds to the “update part” of the master key, and the other corresponds to the “main part”. Here, the following formula (1) is established for a certain two 4n + 3 component vectors z and z ^* . In addition, the right-hand side of equation (1) is a z and ^{z *} of the inner product ^z · z ^*.

^{z * B (B *) z} T = z * z T ··· formula (1)

[Key derivation function]
The key derivation unit 12 is included in the public key 201, the master key 202, the predicate vector 203 corresponding to the authority granted to the secret key 206 generated by the key derivation unit 12, and the user set U having the authority. Based on the user identifier 204 of the user, a secret key 206 corresponding to the user is generated.

  FIG. 3 is a block diagram illustrating a configuration example of the key derivation unit 12. As shown in FIG. 3, the key derivation unit 12 may include a predicate part generation unit 121, a cancellation unit generation unit 122, and a user identification factor generation unit 123.

  The method for generating the secret key 206 by the key derivation unit 12 may be the same as the method for generating the secret key in the functional encryption method for the basic part. However, in this example, a user-specific element is added using a user identification factor 205 that is specific to the user and that the user does not know.

The key derivation unit 12 generates the secret key 206 as follows, for example. First, the latest public key 201: = pk, the latest master key 202: = mk, the predicate vector 203: = v, and the user identifier 204 (for example, the user identifier 204-1): = I are input. Is done. Here, pk: = (λ, paramsV, B ′, f), mk: = (B ′ ^* , h). Then, the user identification factor generation means 123 randomly selects the user identification factor 205 of the user (for example, the user identification factor 205-1): = α _I and σ from Fq. Further, the user identification factor generation means 123 randomly selects a vector u from Fq ⁿ . Note that the user identification factor 205: = α _I may be deterministically derived from the combination of the user identifier 204 and, in some cases, the master key 202.

  Since the user identification factor 205 selected at this time is shared with a proxy key generation unit 15 described later, the user identification factor 205 is managed in association with the input user identifier 204. For example, a correspondence table between the user identifier 204 and the user identification factor 205 may be generated and held. For example, when the hash value of the user identifier 204 and the master key 202 is used as the user identification factor 205, that fact may be determined in advance.

Next, the predicate part generation unit 121 generates k ^* : = (σv, 0 ²ⁿ , u, 1, 0, α _I ) B ^* as the predicate part 2061 of the secret key 206. Further, the cancellation unit generation unit 122 generates d _I = α _I h as the user-dependent value cancellation unit 2062 of the secret key 206. Then, the output means or the like (not shown) outputs sk _{v, I} : = (k ^* , d _I ) as the secret key 206 (for example, the secret key 206-1) corresponding to the input user identifier 204. To do. Note that “0 ²ⁿ ” included in the predicate part 2061 represents a vector having 2n elements where all elements are 0. In the following, similarly, when a superscript numerical value or symbol is added to 0, the number of elements in which all the elements are 0 represents the vector of the number represented by the superscript numeric value or symbol. And

Here, the user identification factor α _I is not known to the user and is regarded as a value unique to the user. Further, in the encryption method of the present invention, when the ciphertext in which the attribute vector x is designated using the predicate part 2061 of the secret key generated here, that is, k ^* is decrypted, this user identification factor α _I is set in the intermediate stage. A “user-dependent value” that is dependent data is generated. Further, the user identification factor α _I has the following relationship with this user-dependent value. That is, when x · v = 0 is obtained as a result of using the designated secret key, this is performed using g _I and d _I included in the user-dependent value canceling unit 2062 of the secret key in the subsequent step. The user-dependent value can be erased, and a final decoding result can be obtained. On the other hand, when x · v = 0 is not satisfied, a random value is added to the user-dependent value, which cannot be erased in a later step of the decoding process, and decoding fails.

In this way, in this encryption method, by using the user identification factor α _I when generating the secret key, a different value is passed for every user in the decryption process, and the encryption is made for each user. It is possible to control whether or not to allow sentence decoding.

  In the example shown in FIG. 3, when one user identifier 204-1 is input, one secret key 206-1 corresponding to the user is generated and output. The deriving unit 12 may input a user set U including a set of user identifiers 204, and generate and output a secret key corresponding to each user identifier included in the user set U.

[Encryption function]
The encryption unit 13 generates the ciphertext 209 based on the public key 201 and the attribute vector 207 that specifies the authority to decrypt the ciphertext 209 generated by the encryption unit 13.

  FIG. 4 is a block diagram illustrating a configuration example of the encryption unit 13. As shown in FIG. 4, the encryption unit 13 may include an encryption unit 131.

  The encryption method may be basically the same as the encryption method in a general functional encryption method. However, as shown below, at least the second element generated based on the public key update unit is added to the ciphertext.

  In the present embodiment, it is assumed that a document is transmitted using the hybrid encryption method. For this reason, FIG. 1 shows an example in which the encryption unit 13 does not encrypt the document to be protected but generates a message key to be used when encrypting the document and encrypts it. ing. Here, the hybrid encryption method refers to an encryption method that uses a combination of a common key encryption method and a public key encryption method. More specifically, the sender can arbitrarily generate a message key, encrypt the document using the generated message key using a common key encryption method, and publish the message key using the public key. Encryption is performed using a key encryption method, and the encrypted document and the encrypted message key are transmitted to the receiver side. The receiver side first decrypts the message key encrypted with the public key cryptosystem using the public key to obtain the message key, and encrypts it with the common key cryptosystem using the obtained message key. The obtained document is decrypted to obtain a plain text (document). Since the encryption method of the present invention, which is an extension of the functional encryption method, is one of the public key encryption methods, the encryption method of the present invention can be used in a system that transmits a document using such a hybrid encryption method. .

  In general, the public key cryptosystem has an advantage that it is easy to distribute and manage keys, but it takes time to process and is not suitable for encryption of a large capacity file. However, if the hybrid encryption method is used, it is possible to use both the advantage of the common key encryption method that “processing is fast” and the advantage of the public key encryption method that key distribution and management are easy.

The encryption unit 13 generates the message key 208 and its ciphertext 209 as follows, for example. First, the latest public key 201: = pk and the attribute vector 207: = xεFq ⁿ (0,..., 0) are input. Here, pk: = (λ, paramsV, B ′, f). Then, the encryption unit 131 randomly selects w, φ, ζ, and ξ from Fq. The encryption means 131 then generates K: = g _T ^ζ as the message key 208, and c [1]: = (wx, 0 ²ⁿ , 0 ⁿ , ζ, φ, ξ) B, c [2] : = Ζf is generated. Then, output means or the like (not shown) outputs K as the message key 208 and outputs Cx: = (c [1], c [2]) as the ciphertext 209.

  Although not shown in FIG. 1, as a hybrid encryption system, a second encryption unit that encrypts a document by a common key encryption method using a message key generated by the encryption unit 13; A second decryption unit that decrypts the encrypted document using a message key associated with the document may be provided.

  In such a case, the second encryption unit uses the message key 208 output from the encryption unit 13 to encrypt the document to be protected using the common key encryption method. Then, the encrypted message key 209 together with the encrypted document is transmitted to the receiver side (more specifically, the data storage person).

  If the size of the document to be protected is small and the processing time is in a range that does not affect performance, the document can be directly encrypted using the encryption method of the present invention without using hybrid encryption. It is also possible to transmit. In such a case, as illustrated in FIG. 5, the encryption unit 13 receives the public key 201, the attribute vector 207, and the document 208 to be encrypted, and inputs the ciphertext 209 of the document 208. The structure which outputs may be sufficient. FIG. 5 is a block diagram illustrating another configuration example of the encryption unit 13. In this case, the method for encrypting the document 208 may be the same as that for the message key. In the configuration shown in FIG. 5, a random number (corresponding to ζ described above) serving as the message key 208 may be input instead of the document 208 to be encrypted. In that case, the above-described hybrid cryptosystem can be supported as it is. However, in the encryption method of the present invention, it is assumed that the message key is generated by combining the input random number and the public key, not the random number = message key.

[Decryption function]
Based on the public key 201, the secret key 206, and the ciphertext 209, the decryption unit 14 generates a plaintext 210 that is a decrypted text of the ciphertext 209.

  FIG. 6 is a block diagram illustrating a configuration example of the decoding unit 14. As shown in FIG. 6, the decoding unit 14 may include a dependency value generation unit 141, a cancellation value generation unit 142, and a cancellation unit 143.

  The decryption method may be basically the same as the decryption method in a general functional encryption scheme. However, as will be described below, at least new processing is added with the addition of the user-dependent value. More specifically, a user-dependent value 214 is generated from the ciphertext based on the predicate part 2061 of the secret key 206 in the intermediate stage of the decryption process, and the user-dependent value 214 is then used as the user-dependent value of the secret key 206. At least processing for canceling based on the value canceling unit 2062 is added.

For example, the decryption unit 14 generates the plaintext 210 as follows. First, the latest public key 201: = pk, the private key 206 (for example, private key 206-1) held by the decryptor: = sk _{v, I,} and the ciphertext 209: = Cx are input. . Here, pk: = (λ, paramsV, B ′, f), sk _{v, I} : = (k ^* , d _I ), Cx: = (c [1], c [2]), c [1] : = (Ζ, wx, 0 ²ⁿ , 0 ⁿ , φ) B, c [2]: = ζf. Then, the dependency value generation unit 141 generates the user dependency value 214 as r _I : = e (c [1], k ^* ) using k ^* which is the predicate part 2061 of the input secret key 206. . Further, the cancellation value generation unit 142 uses the d _I which is the user-dependent value cancellation unit 2062 of the input private key 206 to set the user-dependent value cancellation value 215 as R _I : = e (c [2]. , D _I ). Next, the canceling unit 143 generates K ′ = r _I / R _I = {e (c [1], k ^* ) / e (c [2], d _I )} as a decrypted text. Then, output means or the like (not shown) outputs the message key K ′ as the plaintext 210 that is a decrypted text.

  Thereafter, if the ciphertext of the document encrypted by the common key cryptosystem transmitted together with the ciphertext 209 of the message key is decrypted using the message key K ′, the plaintext of the document is obtained as a decryption result. be able to. In addition, when the 2nd decoding part which performs the decoding process by a common key encryption system is provided, the plaintext of this document may be obtained using the 2nd decoding part.

  Further, the decryption unit 14 may perform the decryption process similar to the decryption process of the message key even when the encrypted text is directly input as the ciphertext 209.

[Proxy key generation function]
Based on the public key 201, the master key 202, and the changed user set 211 that is the changed user set U ′, the proxy key generating unit 15 includes the proxy key 213, the new public key 201, A new master key 202 and an update key 212 for each user are generated. Here, the new public key 201 refers to the one obtained by changing the update part of the public key 201 before changing the user set based on the public key update factor shown below. The new master key 202 refers to a master key 202 update unit that has been changed based on the same public key update factor before the user set is changed. The update key 212 is a part of the new secret key 206. Further, as described above, the proxy key 213 decrypts a ciphertext that can be decrypted with the secret key of the user belonging to a certain “user set U” with the secret key of the user belonging to the new “user set U ′”. It is a key that contains information necessary for conversion to ciphertext that can be made.

  FIG. 7 is a block diagram illustrating a configuration example of the proxy key generation unit 15. As shown in FIG. 7, the proxy key generation unit 15 includes an update factor selection unit 151, a public key update unit 152, a proxy key generation unit 153, a master key update unit 154, and an identification factor acquisition / generation unit 155. The update key generation means 156 may be included.

The proxy key generation unit 15 generates, for example, as follows, various data necessary for changing the proxy key and other user sets. First, the latest public key 201: = pk, master key 202: = mk, and new user set 211: = U ′ are input. Here, pk: = (λ, paramsV, B ′, f), mk: = (B ′ ^* , h). Also, U∋I. Then, the update factor selection unit 151 first randomly selects the public key update factor 216: = γ ′ related to the update of the current user set from Fq. Next, the public key update unit 152 generates the public key update unit 217 as f ′ = γ′g. Further, the proxy key generation unit 153 generates the proxy key 213 as ρ = γ ′ / γ. Also, the master key update unit 154 generates a master key update unit 218 as h ′ = (1 / ρ) h from the master key 202 and the public key update factor γ ′.

Next, the identification factor acquisition / generation means 155, based on each user identifier 204 included in the changed user set U ′, the user identification factor 205 associated with each user identifier 204: = (α _I ) _{Obtain I∈U} . It is assumed that the user identification factor 205 obtained here is the same value as the user identification factor 205 used for generating the user's private key for the users included in the user set before the change. To do. For example, the identification factor acquisition / generation unit 155 may obtain the corresponding user identification factor 205 by referring to the correspondence table managed by the key derivation unit 12. Further, for example, when the key derivation unit 12 has derived the user identification factor 205 deterministically from the combination of the user identifier 204 and possibly the master key 202, the identification factor acquisition / generation unit 155. The user identification factor 205 having the same value can be obtained by deriving the user identification factor 205 deterministically using the same method. Note that the proxy key generation unit 15 may newly generate a user newly included in the changed user set using the same method as the key derivation unit 12. In addition, after requesting the key deriving unit 12 to generate a secret key of a newly joined user, the user identification factor 205 of the user may be obtained by the same method as described above.

Then, the update key generation unit 156, based on the public key update factor 216, the update key 212 is changed portions of the private key 206 of each _{user, (uk I) I∈U = (} d 'I) I∈ _U : = (α _I h ′) _I∈U is generated. Then, output means or the like (not shown) outputs pk ′: = (λ, paramsV, B ′, f ′) as a new public key 201 and mk ′: = (B ^* ′, h as a new master key 202. '), _Rk : = ρ is output as the proxy key 213, and (uk _I ) _I∈U = (d ′ _I ) _I∈U : = (α _I h ′) _I∈U as the update key 212 Output.

[Re-encryption function]
With the change of the user set, the re-encryption unit 16 uses the public key 201 and the proxy key 213 to decrypt the ciphertext 209 that can be decrypted with the private key 206 before the change with the private key 206 after the change. A new ciphertext 209 that can be decrypted is generated.

  FIG. 8 is a block diagram illustrating a configuration example of the re-encryption unit 16. As shown in FIG. 8, the re-encryption unit 16 may include re-encryption means 161.

For example, the re-encryption unit 16 generates a new (re-encrypted) ciphertext 209 from the existing ciphertext 209 as follows. First, the latest public key 201: = pk, proxy key 213: = rk, and ciphertext 209: = Cx before change are input. Here, pk: = (λ, paramsV, B ′, f), rk: = ρ, Cx: = (c [1], c [2]), c [1]: = (wx, 0 ²ⁿ , 0 ⁿ , ζ, φ, ξ) B, c [2]: = ζf. Then, the re-encryption unit 161 generates c ′ [2]: = ρ · c [2] and sets Cx ′ = (c [1], c ′ [2]). Then, output means or the like (not shown) outputs Cx ′ as the re-encrypted ciphertext 209.

[Key update function]
The key update unit 17 includes a public key 201, a private key 206 (for example, a private key 206-1) before the change, and an update key 212 (for example, an update key 212-1) that is a changed part of the private key 206. Based on the above, a new secret key 206 (for example, secret key 206-1) is generated.

  FIG. 9 is a block diagram illustrating a configuration example of the key update unit 17. As shown in FIG. 9, the key update unit 17 may include a key update unit 171.

The key update unit 17 generates a new secret key 206 as follows, for example. First, the latest public key 201: = pk, a certain user's private key 206: = sk _{v, I} , and the user's update key 212: uk _I : = are input. Here, pk: = (λ, paramsV, B ′, f), uk _I = d ′ _I = (α _I h ′), sk _{v, I} : = (k ^* , d _I ). Then, the key update unit 171 generates sk ′ _{v, I} : = (k ^* , d ′ _I ). That is, d _I that is a part of the user-dependent value cancellation unit 2062 included in the existing secret key 206 is updated to d ′ _I input as an update key. Then, sk′v _{, I} is output as a new secret key 206.

[Cryptographic verification]
It can be seen from the following that the above-described encryption scheme operates correctly. First, when re-encryption is not performed, the message key K (plaintext 208) that has been encrypted by the encryption unit 13 described above and the message key K ′ obtained by the decryption process by the decryption unit 14 described above. It can be seen that (plaintext 210) is equal as follows. However, A ^ B represents the ^{A B.}

K ′ = (e (c [1], k ^* ) / e (c [2], d _I ))
_{= (G T ^ (ζ +} ζα I + wσvx)) / (g T ^ (ζα I))
= G _T ^ ζ

If this is v · x = 0,
K ′ = g _T ^ ζ = ek
It can be seen that the data is correctly decoded.

By imposing the condition of v · x = 0, the condition that the attribute v of the user should satisfy can be used using the predicate x. That is, access control according to the attribute can be performed. Here, e (c [1], k ^* ) is a user-dependent value.

Further, it can be understood that if the decryption is performed using the updated secret key sk′v _{, I} , the decryption result does not change even if the re-encryption is performed.

The updated secret key sk ′ _{v, I} is (k ^* , d ′ _I ), and the updated part of the re-encrypted ciphertext is c ′ [2]: = ρc [2]. . Here, d ′ _I = (α _I h ′), f ′ = γ′g, and ρ = γ ′ / γ. Then, the element c [2] = ζf = ζγg of the ciphertext before being re-encrypted, but when updated, c ′ [2] = ρc [2] = (γ ′ / γ) ζγg = ( γ ′) ζg = ζf ′, which is the same value as when encrypted with the updated public key pk ′. The secret key sk ′ _{v, I} has the same value as when d _I is replaced by d ′ _I = (α _I h ′), which is also created using the new public key pk ′. Therefore, when the re-encrypted ciphertext is decrypted using the updated secret key by the same calculation as before the update, g _T ^ ζ = ek, and the same value as before the re-encryption is decrypted. The

On the other hand, when the updated secret key sk ′ _{v, I} is not available, that is, when only the old secret key sk _{v, I} is obtained, the re-encrypted ciphertext cannot be decrypted. This is a secret key before and after the update has been changed _{(γ'-γ) α I g} , for user identification factor α _I have been chosen at random, is updated as long as that does not solve the Diffie-Hellman problem This is because the key cannot be obtained.

  From the above properties, it can be seen that people who can decrypt a ciphertext can be dynamically controlled using a simple re-encryption process. Note that the predicate vector specified at the time of encryption is not disclosed to those that cannot decrypt this ciphertext for the same reason as in Non-Patent Document 1. In addition, unlike the case of once decrypting and re-encrypting, according to the encryption method of the present invention, it is not necessary to know this predicate vector at the time of re-encryption. Safety can be maintained.

  Note that the above-described method is merely an example, and other methods used in general functional encryption may be used, except for the portion related to the function added by the encryption method of the present invention.

  Further, the portion related to the function added by the encryption method of the present invention is not limited to the above example. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention. For example, the user identification factor may be anything unique to the user and not known to the user. Further, in relation to the decryption process, the function for generating the user identification factor may calculate a bilinear map with a part of the ciphertext and the predicate part of the secret key as inputs. In such a case, the function for generating the user-dependent value may calculate a bilinear map with a part of the ciphertext and the user-dependent value cancellation unit of the secret key as inputs.

  Moreover, the predicate part of a secret key should just be produced | generated using a master key, a predicate vector, and a user identification factor. Further, in the relationship between the user cancellation unit and the public key, the secret key predicate unit may be a product of a vector including a user identification factor in its component and a component of the public key as a matrix. In such a case, the private key user revocation unit may consist of two or more components, two of which may contain a term consisting of the product of one element of the public key and the user identifier. Good.

  Moreover, the public key update factor should just be selected at random. The public key update unit may be generated using the public key update factor and the public key selected as described above. The master key update unit may be generated based on a public key update factor. The proxy key may be a value obtained by dividing the public key update factor by a part of the master key. In addition, the update key is preferably not part of the predicate vector and is part of the secret part generated from the new master key.

  As described above, according to the present embodiment, whether or not decryption is possible can be controlled in attribute units (for example, organizational units), and changes in the members can be handled safely and efficiently.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described. This embodiment is an example in which the encryption method of the present invention is applied to a data storage system. FIG. 10 is a block diagram illustrating an example of the overall configuration of the data storage system according to the second embodiment. Note that the same functional parts as those of the cryptographic system of the first embodiment are denoted by the same reference numerals and description thereof is omitted. As shown in FIG. 10, the data storage system according to the present embodiment is used by the management device 31 used by the “manager”, the encryption device 32 used by the “data registrant”, and the “data store”. A data holding / re-encrypting device 33 and a decrypting device 34 used by a “data user” are provided. In the present embodiment, it is assumed that there are two or more decryption devices 34 and each user (each “data user”) included in the set of users permitted to decrypt. Also, two or more encryption devices 32 may be provided so that a plurality of users can use them. Further, the “data user” may be a “data registrant” at the same time. In this case, the encryption device 32 and the decryption device 34 are realized by the same device. For example, the encryption device 32 and the decryption device 34 may be mounted in one user terminal.

  The management device 31 includes a setting unit 11, a key derivation unit 12, and a proxy key generation unit 15. The encryption device 32 includes a hybrid encryption unit 321. The hybrid encryption unit 321 includes an encryption unit 13 and a second encryption unit 322. The data holding / re-encrypting device 33 includes a re-encrypting unit 16 and a data holding unit 331. Further, the decryption device 34 includes a key update unit 17 and a hybrid decryption unit 341. The hybrid decoding unit 341 includes a decoding unit 14 and a second decoding unit 342. Note that FIG. 10 shows device classification based on user classification, but examples of realizing each device shown here (for example, a management device, an encryption device, a decryption device, and a data holding / re-encryption device). As such, they may be realized by two or more devices. For example, the setting unit 11, the key derivation unit 12, and the proxy key generation unit 15 are mounted on different devices, and operate as one management device 31 by being connected by a secure communication path. May be.

  In this embodiment, when the hybrid encryption unit 321 receives the document 219 to be encrypted and the attribute vector 207, the hybrid encryption unit 321 encrypts the document 219 using the common key encryption method, The ciphertext 209 obtained by encrypting the message key 208 used for encrypting the ciphertext 220 by using a public key cryptosystem (more specifically, the cipher scheme of the present invention) is output as an encrypted data set. To do. The second encryption unit 322 receives the document 219 to be encrypted in the hybrid encryption unit 321 and the message key 208 generated by the encryption unit 13 as input, and uses the document 219 as a message key. The ciphertext 220 of the document 219 is generated by encrypting with the common key cryptosystem using 208.

  When the ciphertext 220 of the document and the ciphertext 209 of the message key used when encrypting the ciphertext 220 are input, the hybrid decryption unit 341 tries to decrypt the ciphertext 220 of the document, If successful, a document 221 that is a decrypted text of the ciphertext 220 is output. In addition, the second decryption unit 342 receives the ciphertext 220 of the document and the message key 210 decrypted by the decryption unit 14 in the hybrid decryption unit 341, and uses the ciphertext 220 as the message key 210. The document 221 which is a decrypted text of the ciphertext 220 is generated by decrypting.

  The data storage unit 331 is a storage unit that stores the ciphertext 220 of the document and the ciphertext 209 of the message key used when encrypting the ciphertext 220 in association with each other as a single encrypted data set. .

  In this embodiment, it is assumed that the management device 31, the encryption device 32, the data holding / re-encryption device 33, and the decryption device 34 are connected via a network. Note that the encryption device 32 and the decryption device 34 may not be connected so as to be able to communicate directly as long as the encrypted data set can be transmitted and received via the data holding / re-encryption device 33.

  The setting unit 11, the key derivation unit 12, and the proxy key generation unit 15 are realized by an information processing device that operates according to a program such as a CPU provided in the management device 31, for example. The encryption unit 13 and the second encryption unit 322 are realized by an information processing device that operates according to a program such as a CPU provided in the encryption device 32, for example. The re-encryption unit 16 is realized by an information processing device that operates according to a program such as a CPU provided in the data holding / re-encryption device 33, for example. The data holding unit 331 is realized by a database system, a storage device, or the like provided in the data holding / re-encrypting device 33, for example. The key update unit 17, the decryption unit 14, and the second decryption unit 342 are realized by an information processing device that operates according to a program such as a CPU provided in the decryption device 34, for example.

  Next, the operation of this embodiment will be described. The operation of this embodiment is largely divided into a preparation phase, an encryption phase, a re-encryption phase, and a decryption phase. First, the preparation phase will be described. The preparation phase is performed as follows as a process in the stage before operating this system. First, the administrator issues an instruction to the management apparatus 31 to cause the setting unit 11 to generate the public key 201 and the master key 202. The master key 202 is stored in the management device 31 and is not disclosed to other devices. The public key 201 is continuously updated as will be described later. Although the public key 201 that continues to be updated is omitted in FIG. 10, the latest contents include at least the key update unit 17 and the encryption unit 13 in addition to the key derivation unit 12 and the proxy key generation unit 15. The re-encryption unit 16 and the decryption unit 14 are open to the public so that they can be used. Note that this is not the case during a series of processing at the time of key update (for example, during the distribution of a private key or during re-encryption), and it is also conceivable that the disclosure is stopped until re-encryption is completed.

  Next, the administrator determines users (data users) who are allowed to read data, and sets a set of these identifiers (user identifiers 204) as a user set. Then, a predicate vector 203 corresponding to each authority is defined for each user identifier 204 included in the user set, and the key derivation unit 12 is caused to generate a secret key 206 corresponding to each user. Then, the generated secret key 206 is distributed to the decryption device 34 used by the corresponding user. As a distribution method, for example, it may be sent directly through a secure communication path. Further, for example, the encrypted data may be sent to the data holding / re-encrypting device 33 as an encrypted text that can be decrypted only by each user. When the distribution of each user to the decryption device 34 is completed, the preparation phase ends.

  Next, the encryption phase will be described. The encryption phase is performed as follows when the data registrant wants to entrust data storage to the data storage person. First, the data registrant obtains the latest public key 201. The public key 201 may be obtained not only from the management device 31 but also from the data holding / re-encrypting device 33. Next, the data registrant specifies the document 219 that is the plaintext of the data that the data saver wants to hold, and the attribute vector 207 that specifies the authority to decrypt the document 219, and then sends it to the hybrid encryption unit 321. An instruction is issued, and the ciphertext 220 of the document 219 and the ciphertext 209 of the message key 208 used when the ciphertext 220 is generated are generated. In the hybrid encryption unit 321, in response to the instruction, the encryption unit 13 first generates the message key 208 and the ciphertext 209 of the message key 208, and then the second encryption unit 322 is generated. Processing for generating a ciphertext 220 of the document 219 using the message key 208 is performed. The designation by the attribute vector 207 here is access control to the document.

  The data registrant stores and re-encrypts an encrypted data set including the ciphertext 220 of the document obtained in this way and the ciphertext 209 of the message key used when encrypting the ciphertext 220. Transmit to device 33. The data holding / re-encrypting device 33 that has received the encrypted data set causes the data holding unit 331 to store the received encrypted data set.

  Next, the re-encryption phase will be described. The re-encryption phase is performed as follows when the administrator wants to change the users included in the user set having the authority to decrypt data. The change of the user set is nothing but an individual change of the users who can decrypt the encrypted text if it is generated by designating the authority that matches the authority of the user. Such a change in the user set occurs when a new person is added to the organization or when the person leaves the organization. First, the administrator designates a new user set 211 and a master key 202 and issues an instruction to the proxy key generation unit 15 to create a new public key 201, proxy key 213, new master key 202, and new An update key 212 corresponding to each user included in the user set is generated. Then, the generated proxy key 213 is sent to the data holding / re-encrypting device 33. At this time, the generated update key 212 of each user is also distributed to the decryption device 34 used by each user. The distribution method may be the same as in the case of the private key 206. At this time, the conventional public key and master key are rewritten with the generated new public key 201 and master key 202. Thus, the public key 201 and the master key 202 are continuously updated. As will be described later, the secret key 206 of each user is continuously updated along with the update of the public key 201 and the master key 202.

  When the data holding / re-encrypting device 33 receives the proxy key 213, the data holding / re-encrypting device 33 issues an instruction to the re-encrypting unit 16, and the ciphertext 209 (that is, the message) of each encrypted data set held in the data holding unit 331. Re-encryption processing is sequentially performed on the ciphertext of the key. The re-encryption unit 16 sequentially rewrites the designated ciphertext 209 with a new ciphertext 209 by the re-encryption process described above. By this rewriting process, the user who can decrypt the ciphertext 209 held is changed to each user included in the new user set.

  In the decryption device 34, when the update key 212 is received, the key update unit 17 updates the own secret key 206. This update is performed every time the update key 212 is received, and the secret key 206 is continuously updated. If the ciphertext of the update key is entrusted to the data holding / re-encrypting device 33, the decryptor accesses the data holding / re-encrypting device 33 and updates the data holding unit 331 from its own. It is only necessary to receive the key 212 in the form of ciphertext and decrypt it using the private key before the change or the like to obtain an updated key. Note that the access to the data holding / re-encrypting device 33 for obtaining the update key may be performed, for example, when an update key 212 update notification is received, or the data holding / re-encrypting device. It is also possible to check the presence / absence of registration of the update key when obtaining the ciphertext from 33.

  Next, the decoding phase will be described. The decryption phase is performed as follows when the data user obtains a desired document (more specifically, an encrypted data set including the ciphertext 220 of the document) from the data holding / re-encrypting device 33. . It is assumed that a certain data user obtains an encrypted data set including a ciphertext 220 of a desired document from the data holding / re-encrypting device 33. The data user designates his / her private key 206 and then instructs the hybrid decryption unit 341 to perform decryption processing on the obtained encrypted data set. In the hybrid decryption unit 341, in response to the instruction, the decryption unit 14 first attempts to decrypt the ciphertext 209 of the message key included in the encrypted data set. If the decryption is successful, the second decryption unit 341 uses the message key 210 obtained to The decryption unit 342 decrypts the ciphertext 220 of the document.

  At this time, if the data user holds the authority specified at the time of encrypting the ciphertext 209 of the message key, the message key is decrypted by the decrypting unit 14 by using its own private key 206. 210 can be obtained. A desired document 221 can be obtained by decrypting the ciphertext 220 of the document by the second decryption unit 342 using the message key 210.

  As described above, according to the present embodiment, even when using a data storage service provided by an external organization such as a cloud, while reducing the risk of data leakage to the outside including the data storage person, Access control to data can be performed safely and efficiently in attribute units (for example, organizational units).

  In particular, it is possible to flexibly control access to data by designating the authority of users who can decrypt data and changing the set of users who can decrypt data. Access control in many data storage services is required to be able to be revoked in addition to control of access authority by authority and user subscription. Such a request can be accommodated also in access control by encryption. Access control by encryption is a powerful method in the sense that the data custodian does not have to worry about the possibility of stealing data. In contrast to this powerful method, it is possible to set access rights for multiple users at once, and to provide a method that allows users to be added and revoked at any time. This broadens the usage target of.

  FIG. 10 shows an example of a configuration in which the data holding system encrypts and holds data using the hybrid cipher, but the data is directly transferred to the encryption method of the present invention without using the hybrid cipher. It is also possible to encrypt and hold using. In such a case, for example, a configuration as shown in FIG. 11 may be used.

  FIG. 11 is a block diagram showing another configuration example of the data holding system of this embodiment. The data holding system shown in FIG. 11 is different in that the encryption device 32 simply includes the encryption unit 13 instead of the hybrid encryption unit 321. Further, the decoding device 34 is different from the hybrid decoding unit 341 in that it simply includes the decoding unit 14. Thereby, the encryption target in the encryption unit 13 is not the message key 208 but the plaintext (document) 219, and the decryption target in the decryption unit 14 is not the message key ciphertext 209 but the ciphertext of the document. 220, and the data storage unit 331 retains the ciphertext 220 of the document, not the cipher data set, but the basic operation is the same as in FIG.

  FIG. 12 is a block diagram showing an outline of the invention. As shown in FIG. 12, the encryption system of the present invention includes setting means 101, key derivation means 102, encryption means 103, decryption means 104, proxy key generation means 105, and re-encryption means 106. Prepare.

  The setting unit 101 (for example, the setting unit 11) is a part that is changed in accordance with a change of a user set that is a set of users that can be decrypted, in addition to a main body generated by a method that complies with a functional encryption method. A public key and a master key including an update unit, which is a part in which a value based on a public key update factor selected at random is set, are generated.

  When the public key, the master key, the predicate vector, and the user identifier are input, the key derivation unit 102 (for example, the key derivation unit 12) determines a user identification factor that is unique to the user and that the user does not know. And generating a secret key including a predicate part generated based on the master key, the predicate vector, and the user identification factor, and a user-dependent value cancellation part generated based on the user identification factor and the master key. Generate.

  The encryption unit 103 (for example, the encryption unit 13) generates an encrypted text by designating an attribute vector by a method compliant with the functional encryption method.

  The decryption means 104 (for example, the decryption unit 14) is used when generating the secret key based on the ciphertext and the predicate part of the secret key when the public key, the secret key, and the ciphertext are input. Generates a user-dependent value that depends on the user identification factor, and generates a user-dependent value cancellation value for canceling the user-dependent value based on the ciphertext and the user-dependent value cancellation unit of the secret key Then, the ciphertext is decrypted using the generated user-dependent value and user-dependent value cancellation value.

  When the public key, the master key, and the changed user set are input, the proxy key generation unit 105 (for example, the proxy key generation unit 15) newly generates a public key update factor and generates the generated public key. Based on the key update factor, a public key update unit, an update key that is a secret key update unit, and a master key update unit are generated, and the generated public key update factor and the public key before change are generated. The ciphertext that can be decrypted with the private key of the user belonging to the user set before the change based on the public key update factor obtained from the master key before the change and the secret key of the user belonging to the user set after the change A proxy key for conversion into a ciphertext that can be decrypted by the user and a master key update unit are generated.

  The key derivation unit 102 includes a predicate part that is a product of a vector including a user identification factor in its component and one component of the public key that is a matrix, and two or more components, two of which are public key A secret key including a user-dependent value canceling unit including a term composed of a product of one element and a user identification factor may be generated.

  Further, the decryption means 104 generates a user-dependent value by calculating a bilinear mapping using a part of the input ciphertext and the predicate part of the secret key, and also generates a user-dependent value. A user-dependent value cancellation value may be generated by calculating a bilinear map using a part and a user-dependent value cancellation unit of the secret key.

  In addition, the proxy key generation unit 105 includes a public key update factor in the master key update unit, and a proxy key including a value obtained by dividing the newly generated public key update factor by a part of the master key before the change. The update key may be generated as part of a secret key generated from a new master key without requiring a predicate vector.

  By providing such a configuration, it is possible to safely and efficiently respond to changes in the member while making it possible to control whether or not decryption is possible on an attribute basis.

  This application claims the priority on the basis of the JP Patent application 2012-262555 for which it applied on November 30, 2012, and takes in those the indications of all here.

  Although the present invention has been described with reference to the embodiments, the present invention is not limited to the above-described embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

Industrial applicability

  The present invention can be suitably applied to a case in which confidential data is transferred via a network and access control to the data is desired to be specified in attribute units such as an organization.

DESCRIPTION OF SYMBOLS 11 Setting part 12 Key derivation part 13 Encryption part 14 Decryption part 15 Proxy key generation part 16 Re-encryption part 101 Setting means 102 Key derivation means 103 Encryption means 104 Decryption means 105 Proxy key generation means 106 Re-encryption means 201 Disclosure Key 202 Master key 203 Predicate vector 204 User identifier 205 User identification factor 206 Private key 2061 Predicate part 2061 User dependent value cancellation part 207 Attribute vector 208,210 Plain text (message key or document)
209 Ciphertext (message key or document)
211 User set after change 212 Update key 213 Proxy key 214 User dependent value 215 User dependent value cancellation value 216 Public key update factor 217 Public key update unit 218 Master key update unit 219, 221 Document 220 Document encryption Sentence 31 Management device 32 Encryption device 321 Hybrid encryption unit 322 Second encryption unit 33 Data holding / re-encryption device 331 Data holding unit 34 Decryption device 341 Hybrid decryption unit 342 Second decryption unit

Claims (10)

In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. A setting means for generating a public key and a master key including an update unit, which is a part in which a value based on is set;
When a public key, a master key, a predicate vector, and a user identifier are input, a user identification factor that is unique to the user and that the user does not know is generated, and the master key, the predescription vector, and the usage are generated. A key derivation unit that generates a secret key including a predicate part generated based on a user identification factor, and a user-dependent value cancellation part generated based on the user identification factor and the master key;
An encryption means for generating ciphertext by specifying an attribute vector by a method compliant with a functional cryptosystem;
When a public key, a secret key, and a ciphertext are input, based on the ciphertext and the predicate part of the secret key, a user dependency that depends on a user identification factor used to generate the secret key A user-dependent value cancellation value for canceling the user-dependent value based on the ciphertext and a user-dependent value cancellation unit for the secret key, and a generated user Decryption means for decrypting the ciphertext using a dependence value and a user dependence value cancellation value;
When the public key, the master key, and the changed user set are input, a public key update factor is newly generated, and based on the generated public key update factor, the public key update unit and the private key An update key that is an update part of the key and an update part of the master key, and based on the generated public key update factor, the public key update factor obtained from the public key before change, and the master key before change A proxy key for converting a ciphertext that can be decrypted with the private key of the user belonging to the user set before the change into a ciphertext that can be decrypted with the private key of the user belonging to the user set after the change, and a master key Proxy key generation means for generating the update part of
The user after the change without decrypting the ciphertext from the ciphertext that can be decrypted with the secret key of the user belonging to the user set before the change using the proxy key generated by the proxy key generation means An encryption system comprising: re-encryption means for generating new ciphertext that can be decrypted with a private key of a user belonging to the set. The key derivation means comprises a predicate part that is a product of a vector including a user identification factor in its component and one component of the public key that is a matrix, and two or more components, two of which are one element of the public key The encryption system according to claim 1, wherein a secret key including a user-dependent value canceling unit including a term composed of a product of the user identification factor and the user identification factor is generated. The decryption means generates a user-dependent value by calculating a bilinear map using a part of the input ciphertext and the predicate part of the secret key,
The decryption unit generates a user-dependent value cancellation value by calculating a bilinear map using a part of the input ciphertext and a user-dependent value cancellation unit of a secret key. Cryptosystem. The proxy key generation means includes a public key update factor in the master key update unit, and generates a proxy key including a value obtained by dividing the newly generated public key update factor by a part of the master key before the change, The encryption system according to any one of claims 1 to 3, wherein the update key is generated as a part of a secret key generated from a new master key without requiring a predicate vector. A management device used by a data administrator, a data storage device used by a data storage user for storing encrypted data, a decryption device, and an encryption device,
The management device
In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. A setting means for generating a public key and a master key including an update unit, which is a part in which a value based on is set;
When a public key, a master key, a predicate vector, and a user identifier are input, a user identification factor that is unique to the user and that the user does not know is generated, and the master key, the predescription vector, and the usage are generated. A key derivation unit that generates a secret key including a predicate part generated based on a user identification factor, and a user-dependent value cancellation part generated based on the user identification factor and the master key;
When the public key, the master key, and the changed user set are input, a public key update factor is newly generated, and based on the generated public key update factor, the public key update unit and the private key An update key that is an update part of the key and an update part of the master key, and based on the generated public key update factor, the public key update factor obtained from the public key before change, and the master key before change A proxy key for converting a ciphertext that can be decrypted with the private key of the user belonging to the user set before the change into a ciphertext that can be decrypted with the private key of the user belonging to the user set after the change, and a master key Proxy key generation means for generating
The data storage device includes:
Using the proxy key generated by the proxy key generation means, from the ciphertext that can be decrypted with the private key of the user belonging to the user set before the change, the user set after the change without decrypting the ciphertext Re-encryption means for generating new ciphertext that can be decrypted with the private key of the user belonging to
Storage means for storing the data encrypted by the re-encryption means,
The encryption device is:
Including encryption means for generating ciphertext by specifying an attribute vector by a method compliant with the functional cryptosystem;
The decoding device
When a public key, a secret key, and a ciphertext are input, based on the ciphertext and the predicate part of the secret key, a user dependency that depends on a user identification factor used to generate the secret key A user-dependent value cancellation value for canceling the user-dependent value based on the ciphertext and a user-dependent value cancellation unit for the secret key, and a generated user A data storage system comprising decryption means for decrypting the ciphertext using a dependence value and a user dependence value cancellation value. In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. When a public key and master key including an update unit, a predicate vector, and a user identifier are input, a value that is set based on, a user that is unique to the user and is unknown to the user Generating an identification factor, a predicate portion generated based on the master key, a predescription vector, and the user identification factor; and a user dependency generated based on the user identification factor and the master key A key derivation device comprising key derivation means for generating a secret key including a value cancellation unit. In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. A public key including at least an update unit, which is a part to which a value based on the above is set, a secret key to which a predicate vector is designated, a user identification factor that is unique to the user and that the user does not know, and When a secret key including a predicate part based on a master key and a predicate vector, a user-dependent value cancellation part based on the user identification factor and the master key, and ciphertext are input, the ciphertext Based on the predicate part of the secret key, a user-dependent value depending on a user identification factor used when generating the secret key is generated, and a user-dependent value of the ciphertext and the secret key On the basis of the cancellation part A decryption unit that generates a user-dependent value cancellation value for canceling the user-dependent value and decrypts the ciphertext using the generated user-dependent value and the user-dependent value cancellation value. A characteristic decoding apparatus. In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. In addition to the public key that includes at least the update part, which is the part for which values are set based on the URL, and the main part that is generated by a method that complies with the functional encryption method, the user set that is the set of users that can be decrypted is changed. When a master key including at least an updating unit that is a part to be changed along with a value set based on a public key update factor selected at random and a user set after the change are input , A new public key update factor is generated, and based on the generated public key update factor, a public key update unit, an update key that is a secret key update unit, and a master key update unit are generated Is generated with After changing the ciphertext that can be decrypted with the private key of the user belonging to the user set before the change based on the public key update factor, the public key update factor obtained from the public key before the change, and the master key before the change A proxy key generating device comprising: a proxy key for converting a ciphertext that can be decrypted with a secret key of a user belonging to a set of users and a master key update unit . A data processing method for transferring confidential data via a network,
In addition to the main part generated by a method that complies with the functional encryption method, a public key update factor that is randomly selected and is a part that is changed when the user set that can be decrypted is changed. Generate a public key and a master key including an update part that is a part to which a value based on is set,
For each user who is permitted to decrypt data, a user identification factor that is unique to the user and that the user does not know is generated and generated based on the master key, the predicate vector, and the user identification factor. A secret key including a predicate part to be generated, and a user-dependent value cancellation part generated based on the user identification factor and the master key,
Data or a message key used when decrypting the ciphertext of the data is encrypted by specifying an attribute vector,
When the ciphertext of data or the ciphertext of the message key is received, it was used to generate the secret key based on the received ciphertext and the predicate part of the secret key possessed by the user A user-dependent value cancellation value for generating a user-dependent value depending on a user identification factor and canceling the user-dependent value based on the ciphertext and a user-dependent value cancellation unit of the secret key And decrypting the ciphertext using the generated user-dependent value and user-dependent value cancellation value. When the set of users that can be decrypted is changed, a public key update factor is newly generated, and based on the generated public key update factor, the public key update unit and the private key update And generating an update key that is a part and an update part of the master key, and based on the generated public key update factor, the public key update factor obtained from the public key before the change, and the master key before the change The proxy key for converting the ciphertext that can be decrypted with the private key of the user belonging to the user set before the change into the ciphertext that can be decrypted with the private key of the user belonging to the user set after the change, and the master key An update part and
Using the generated proxy key, from the ciphertext that can be decrypted with the secret key of the user belonging to the user set before the change, the secret of the user belonging to the user set after the change without decrypting the ciphertext The data processing method according to claim 9, wherein a new ciphertext that can be decrypted with a key is generated.

Images