WO2014010202A1 - Encrypted statistical processing system, decrypting system, key generation device, proxy device, encrypted statistical data generation device, encrypted statistical processing method, and encrypted statistical processing program - Google Patents

Abstract

[Problem] To provide a technique for performing statistical processing of encrypted data encrypted using different public keys while the data remains encrypted. [Solution] Provided are: a key-retention means for retaining homomorphically encrypted public keys and private keys; a full-public-key acquisition means for acquiring a full public key for generating encrypted information that can be decrypted in a distributed manner; a proxy-key generation means for generating a proxy key for converting encrypted data encrypted using a public key into reencrypted data that can be decrypted in a distributed manner; a reencryption means for converting encrypted data encrypted using a public key into reencrypted data using the proxy key; and an encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information related to the original data, by performing a calculation using homomorphism on at least one of the reencrypted data items converted using the reencryption means from at least one of the encrypted data items encrypted using at least one of the public keys.

Description

Encryption statistical processing system, decryption system, key generation device, proxy device, encrypted statistical data generation device, encryption statistical processing method, and encryption statistical processing program

The present invention relates to a technique for performing statistical processing on encrypted data.

In recent years, the importance of security in cloud services has been widely recognized. As an example of a cloud service, there is a recommendation service that provides information about recommended products to users. In such a service, for example, information provided by a user is collected in a database on the cloud. Statistical data is obtained from the collected information. Then, services based on statistical data are performed. In such a service, information provided by the user often includes personal information such as purchase information and attributes (age, gender, occupation, residential area, etc.) of the user.

On the other hand, it is often not clear who, where and how the database on the cloud is managed. Therefore, it is said that the user has anxiety about security with respect to the database on the cloud. That is, the user often cannot trust the administrator of the database on the cloud. In such a case, the information leakage countermeasure using the access authority to the data in the database does not make sense.

Therefore, it is conceivable to encrypt the data so that the administrator of the database on the cloud does not know the user information. The data is encrypted so that only the service provider can decrypt the information provided by the user. The encrypted data is stored in a database on the cloud. In this case, for example, data encrypted using a homomorphic encryption method is stored in a database on the cloud. By doing so, statistical processing can be performed on the encrypted data stored in the database while the data is encrypted. The encrypted data obtained as a result of the statistical processing while being encrypted in this way can be decrypted into the statistical data of the original data.

Non-patent document 1 describes an example of technology related to the homomorphic encryption method. In the homomorphic encryption method described in Non-Patent Document 1, for a plurality of encrypted data encrypted using a certain public key, statistics about plaintext are obtained without using a secret key while the data is encrypted. Processing can be performed.

In the homomorphic encryption method described in Non-Patent Document 1, all encrypted data that can be statistically processed must be encrypted with the same public key. Therefore, according to this related technique, when at least a part of encrypted data to be subjected to statistical processing is encrypted with a different public key, the statistical processing cannot be performed with encryption.

If at least part of the encrypted data to be statistically processed is encrypted with a different public key, for example, all encrypted data to be statistically processed is extracted, decrypted, and statistically processed. Possible ways to do this. However, with this method, all encrypted data must be downloaded to the service provider side. Therefore, there are problems in terms of convenience and communication cost. In the cloud environment, it is assumed that there are few calculation resources on the service provider side. For this reason, it is desired that the statistical processing is performed by a device on the cloud side as much as possible. Furthermore, since the encrypted data subject to statistical processing is once decrypted, it is necessary to prevent leakage of data from the device on the service provider side. For this reason, there arises a problem that costs for information leakage countermeasures are high.

The present invention has been made to solve the above-described problem, and mainly provides a technique for performing statistical processing on encrypted data encrypted using different public keys while being encrypted. Objective.

The encryption statistical processing system of the present invention generates encryption information that can be distributed and decrypted by a key holding means for holding a public key and a secret key of a cryptographic method having homomorphism and one or more secret keys for distributed decryption An entire public key acquisition means for acquiring the entire public key, and the encrypted data encrypted using the public key is converted into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys Proxy key generation means for generating a proxy key based on the secret key and the entire public key, and re-encryption of encrypted data encrypted by the public key using the proxy key Re-encryption means for converting to data, and one or more re-encrypted data obtained by converting one or more encrypted data respectively encrypted with one or more public keys by the re-encryption means. An encryption that generates encrypted statistical data that can be decrypted into statistical information about the original data before encryption of one or more of the encrypted data by performing an operation using the homomorphism Statistical data generation means.

The key generation apparatus of the present invention generates key information that holds public keys and secret keys of encryption schemes having homomorphism, and generates encryption information that can be distributed and decrypted by one or more secret keys for distributed decryption. Whole public key acquisition means for acquiring a public key, and a proxy that converts encrypted data encrypted using the public key into re-encrypted data that can be distributed and decrypted with the one or more distributed decryption private keys Proxy key generation means for generating a key based on the secret key and the entire public key.


The encryption statistical processing method of the present invention obtains an entire public key for generating encryption information that can be distributed and decrypted by using one or more secret keys for distributed decryption, and uses the public key of the encryption method having homomorphism. A proxy key for converting encrypted encrypted data into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys, a secret key corresponding to the public key, the entire public key, One of the encrypted data encrypted based on the public key and encrypted with the public key into the re-encrypted data, each encrypted with one or more public keys. Before one or more of the encrypted data is encrypted by performing an operation using the homomorphism on one or more of the re-encrypted data converted from the encrypted data, respectively. On the original data of To generate encrypted statistical data decodable statistics.

The encryption statistical processing program of the present invention includes a general public key acquisition means for acquiring an overall public key for generating encrypted information that can be distributed and decrypted by using one or more distributed decryption secret keys, and homomorphism. A proxy key that converts encrypted data encrypted using a public key of an encryption method having the encryption method into re-encrypted data that can be distributed and decrypted by the one or more secret keys for distributed decryption corresponds to the public key Proxy key generating means for generating based on a private key and the entire public key, and re-encryption for converting encrypted data encrypted with the public key into the re-encrypted data using the proxy key The homomorphism is utilized for the re-encrypted data obtained by converting the encryption means and the one or more encrypted data respectively encrypted by the one or more public keys. By performing an operation, the encrypted statistical data generating unit generates encrypted statistical data that can be decrypted into statistical information on the original data before the encrypted data is encrypted. .

Note that the present invention can also be realized by a computer-readable recording medium storing the above-described encrypted statistical processing program.

The present invention has an effect that it is possible to provide a technique for performing statistical processing while encrypting encrypted data encrypted using different public keys.

FIG. 1 is a block diagram showing the configuration of the encrypted statistical processing system according to the first embodiment of this invention. FIG. 2 is a hardware configuration diagram of the encrypted statistical processing system according to the first embodiment of this invention. FIG. 3 is a functional block diagram of the encrypted statistical processing system according to the first embodiment of this invention. FIG. 4 is a flowchart illustrating the proxy key generation operation of the encrypted statistical processing system according to the first embodiment of this invention. FIG. 5 is a flowchart illustrating an encrypted statistical data generation operation of the encrypted statistical processing system according to the first embodiment of this invention. FIG. 6 is a block diagram illustrating a configuration of a decoding system according to the second embodiment of this invention. FIG. 7 is a hardware configuration diagram of the decoding system according to the second embodiment of this invention. FIG. 8 is a functional block diagram of the decoding system according to the second embodiment of this invention. FIG. 9 is a flowchart illustrating the decoding operation of the decoding system according to the second embodiment of this invention. FIG. 10 is a block diagram illustrating the configuration of the encryption statistical processing system and the decryption system according to the third embodiment of this invention. FIG. 11 is a functional block diagram of an encryption statistical processing system and a decryption system according to the third embodiment of this invention. FIG. 12 is a flowchart for explaining the entire public key generation operation according to the third embodiment of the present invention. FIG. 13 is a flowchart illustrating the proxy key generation operation of the encrypted statistical processing system according to the third embodiment of this invention. FIG. 14 is a flowchart illustrating an encrypted statistical data generation operation of the encrypted statistical processing system according to the third embodiment of this invention. FIG. 15 is a flowchart illustrating the decoding operation of the decoding system according to the third embodiment of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram showing the configuration of the encrypted statistical processing system 1 according to the first embodiment of this invention. In FIG. 1, a figure surrounded by a solid line represents a component of the encrypted statistical processing system 1. A figure surrounded by a broken line represents a device connected to the outside of the encrypted statistical processing system 1. In FIG. 1, the encrypted statistical processing system 1 includes N (N is an integer equal to or greater than 1) key generation devices 100_1 to 100_N, N proxy devices 200_1 to 200_N, and an encrypted statistical data generation device 300. Including. The N key generation devices 100_1 to 100_N are also collectively referred to as the key generation device 100. The N proxy devices 200_1 to 200_N are also collectively referred to as the proxy device 200.

Further, the key generation device 100_i and the proxy device 200_i (i = 1 to N) are connected so that they can communicate with each other. Further, the proxy device 200_i and the encrypted statistical data generation device 300 are connected so that they can communicate with each other.

Also, the key generation device 100 is connected to an external data registration device 700 so that they can communicate with each other. Here, the data registration device 700 encrypts the data to be registered using the public key published by the key generation device 100 to generate encrypted data, and encrypts the generated encrypted data, which will be described later. This is a device registered in the data storage device 800.

Further, the proxy device 200_i (i = 1 to N) is connected to the external encrypted data storage device 800_i so that they can communicate with each other. Here, the encrypted data storage device 800 — i is a device that stores encrypted data encrypted using the public key disclosed by the key generation device 100 — i.

Also, the encrypted statistical data generation device 300 is connected to an external encrypted statistical data storage device 900 so that they can communicate with each other. Here, the encrypted statistical data storage device 900 is a device that stores encrypted statistical data in which statistical information is encrypted.

In FIG. 1, communication between devices that require communication is possible via a network constituted by the Internet, a LAN (Local Area Network), a public line network, a wireless communication network, or a combination thereof. Connected as is. In addition, at least a part of these devices may be connected by a network different from the network connecting the other devices.

FIG. 1 also shows N key generation devices 100, N proxy devices 200, N encrypted data storage devices 800, one encrypted statistical data generation device 300, and one encryption. A statistical data storage device 900 is shown. However, the number of devices included in the encrypted statistical processing system of the present invention and the number of connected devices are not limited to the number shown in FIG.

Next, FIG. 2 is a diagram showing the hardware configuration of each device constituting the encrypted statistical processing system 1. In FIG. 2, a key generation device 100 includes a CPU (Central Processing Unit) 1001, a RAM (Random Access Memory) 1002, a ROM (Read Only Memory) 1003, a storage device 1004 such as a hard disk, and a network interface 1005. It is comprised by the computer apparatus provided.

The ROM 1003 and the storage device 1004 store computer programs and various data that cause the computer device to function as the key generation device 100 of the present embodiment.

The CPU 1001 loads the computer program and various data stored in the ROM 1003 and the storage device 1004 into the RAM 1002, and executes the loaded computer program.

The network interface 1005 is a module that communicates with other devices via a network.

The proxy device 200 is configured by a computer device including a CPU 2001, a RAM 2002, a ROM 2003, a storage device 2004 such as a hard disk, and a network interface 2005.

The ROM 2003 and the storage device 2004 store computer programs and various data that cause the computer device to function as the proxy device 200 of the present embodiment.

The CPU 2001 loads the computer program and various data stored in the ROM 2003 and the storage device 2004 into the RAM 2002, and executes the loaded computer program.

The network interface 2005 is a module that communicates with other devices via a network.

The encrypted statistical data generation device 300 is configured by a computer device including a CPU 3001, a RAM 3002, a ROM 3003, a storage device 3004 such as a hard disk, and a network interface 3005.

The ROM 3003 and the storage device 3004 store a computer program and various data that cause the computer device to function as the encrypted statistical data generation device 300 of the present embodiment.

The CPU 3001 loads the computer program and various data stored in the ROM 3003 and the storage device 3004 into the RAM 3002, and executes the loaded computer program.

The network interface 3005 is a module that communicates with other devices via a network.

Note that the hardware configuration of each device constituting the encrypted statistical processing system 1 is not limited to the above-described configuration.

Next, functional blocks of each device constituting the encrypted statistical processing system 1 will be described with reference to FIG. FIG. 3 is a block diagram showing functional blocks of each device constituting the encrypted statistical processing system 1.

First, functional blocks of the key generation device 100 will be described. In FIG. 3, the key generation device 100 includes a key holding unit 101, an entire public key acquisition unit 102, and a proxy key generation unit 103. Here, the key holding unit 101 is realized by the storage device 1004. The entire public key acquisition unit 102 and the proxy key generation unit 103 are realized by a network interface 1005 and a CPU 1001 that reads a computer program and various data stored in the ROM 1003 and the storage device 1004 into the RAM 1002 and executes them. Note that the hardware configuration of each functional block of the key generation device 100 is not limited to the above-described configuration.

The key holding unit 101 stores a public key and a secret key that is a pair of the public key. The public key and the secret key are keys used in a public key cryptosystem having homomorphism. The public key is held so that it can be acquired from the outside. The private key is held so that it cannot be obtained from the outside. The public key and secret key held in the key holding unit 101 may be generated by the key generation device 100 or may be acquired from another device.

The entire public key acquisition unit 102 acquires the entire public key. The entire public key is a public key for generating encrypted information that can be distributed and decrypted using one or more secret keys for distributed decryption. Distributed decryption generates data (partial decryption results) in the middle of decryption using one or more distributed decryption secret keys for one encrypted information, and based on these partial decryption results, This is a decoding method for obtaining completely decoded data. Such an entire public key can be generated using a generally known technique. For example, such an entire public key can be generated from one or more distributed decryption public keys that are each a pair of the one or more distributed decryption private keys described above. Therefore, the entire public key acquisition unit 102 may generate such an entire public key based on one or more distributed decryption public keys disclosed by other devices. Alternatively, the entire public key acquisition unit 102 may acquire an entire public key generated and released by another device based on one or more distributed decryption public keys.

The proxy key generation unit 103 re-encrypts the encrypted data encrypted using the public key held in the key holding unit 101, using the one or more distributed decryption private keys described above. Generate a proxy key to convert to data. The proxy key converts encrypted data encrypted using a public key pk_A into encrypted data that can be decrypted using a private key sk_B that is a public key pk_B pair different from the public key pk_A. Is the key. It is known that such a proxy key can be generated based on the secret key sk_A and the public key pk_B. That is, in this case, the proxy key generation unit 103 can generate a proxy key using the secret key held in the key holding unit 101 and the entire public key. As a proxy key generation technique, for example, Reference A (G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage", The technology described in ACMTransactions (on) Information (and System Security (TISSEC), 2006) is applicable.

Next, functional blocks of the proxy device 200 will be described. In FIG. 3, the proxy device 200 includes a re-encryption unit 201. Here, the re-encryption unit 201 is realized by the network interface 2005 and the CPU 2001. The CPU 2001 loads the aforementioned computer program and various data stored in the ROM 2003 and the storage device 2004 into the RAM 2002, and executes the loaded computer program. Note that the hardware configuration of the re-encryption unit 201 is not limited to the above-described configuration.

The re-encryption unit 201 uses the proxy key generated by the proxy key generation unit 103 of the key generation device 100 to encrypt using the public key held in the key holding unit 101 of the key generation device 100 that generated the proxy key. The encrypted data is converted into re-encrypted data. For example, as a re-encryption technique using such a proxy key, the technique described in the above-mentioned reference A can be applied.

Next, functional blocks of the encrypted statistical data generation apparatus 300 will be described. In FIG. 3, the encrypted statistical data generation apparatus 300 includes an encrypted statistical data generation unit 301. Here, the encrypted statistical data generation unit 301 is realized by a network interface 3005 and a CPU 3001 that reads a computer program and various data stored in the ROM 3003 and the storage device 3004 into the RAM 3002 and executes them. The CPU 3001 loads the computer program and various data stored in the ROM 3003 and the storage device 3004 into the RAM 3002, and executes the loaded computer program. Note that the hardware configuration of the encrypted statistical data generation unit 301 is not limited to the above-described configuration.

The encrypted statistical data generation unit 301 has homomorphism with respect to the re-encrypted data obtained by converting the encrypted data respectively stored in the N encrypted data storage devices 800 by the N proxy devices 200. Perform operations using. Here, the re-encrypted data is re-encrypted into information that can be decrypted by using one or more distributed decryption private keys corresponding to the same entire public key. It is encrypted data. Therefore, the encrypted statistical data generation unit 301 can perform an operation using homomorphism on these re-encrypted data. Then, the encrypted statistical data generation unit 301 sets the calculation result as encrypted statistical data. That is, such encrypted statistical data corresponds to information obtained by encrypting statistical information regarding the original plaintext of the encrypted data before the re-encrypted data is re-encrypted with the entire public key.

In addition, the encrypted statistical data generation unit 301 stores the generated encrypted statistical data in the encrypted statistical data storage device 900.

The operation of the encrypted statistical processing system 1 configured as described above will be described with reference to FIGS. In the drawings referred to in the following description, the key generation device 100_i (i = 1 to N) is also described as the i-th key generation device. The proxy device 200_i (i = 1 to N) is also described as the i-th proxy device. The public key held in the key holding unit 101 of the key generation device 100_i is described as spk_i. The secret key held in the key holding unit 101 of the key generation device 100_i is described as ssk_i. Also, the encrypted data storage device 800_i has n_i (n_i is an integer of 1 or more) pieces of encrypted data ENC (spk_i, M_ {i, 1}) ˜ ENC () each encrypted using the public key spk_i. spk_i, M_ {i, n_i}) is stored. Here, ENC represents an encryption algorithm having homomorphism. M_ {i, j} represents the jth plaintext encrypted with the public key spk_i. Also, the entire public key gpk for generating information that can be distributed and decrypted using one or more private keys for distributed decryption is disclosed by an external device.

First, FIG. 4 is a flowchart showing the proxy key generation operation of the encrypted statistical processing system 1.

In FIG. 4, first, the entire public key acquisition unit 102 of the key generation device 100_i acquires the entire public key gpk (step S1).

Next, the proxy key generation unit 103 of the key generation device 100_i uses the secret key ssk_i held in the key holding unit 101 of the key generation device 100_i and the entire public key gpk acquired in step S1 to use the proxy key. rk_i is generated (step S2). The proxy key rk_i converts encrypted data encrypted using the public key spk_i into re-encrypted data that can be distributed and decrypted using one or more private keys for distributed decryption related to the entire public key gpk. It is the key to do.

Next, the proxy key generation unit 103 of the key generation device 100_i transmits the generated proxy key rk_i to the proxy device 200_i (step S3).

Thus, the encrypted statistical processing system 1 ends the proxy key generation operation.

FIG. 5 is a flowchart showing the encrypted statistical data generation operation of the encrypted statistical processing system 1.

In FIG. 5, the re-encryption unit 201 of the proxy device 200_i acquires the proxy key rk_i (step S11).

Next, the re-encryption unit 201 of the proxy device 200_i encrypts a set of encrypted data {ENC (spk_i, M_ {i, j})} (j = 1 to n_i) encrypted with the public key spk_i. Obtained from the data storage device 800_i (step S12).

Next, the re-encryption unit 201 of the proxy device 200_i uses the proxy key rk_i to convert the encrypted data set {ENC (spk_i, M_ {i, j}}} into the re-encrypted data set {ENC ( gpk, M_ {i, j})} is converted (step S13).

Next, the re-encryption unit 201 of the proxy device 200_i transmits a set of re-encrypted data {ENC (gpk, M_ {i, j})} to the encrypted statistical data generation device 300 (step S14).

Next, the encrypted statistical data generation unit 301 of the encrypted statistical data generation device 300 receives each set of re-encrypted data from the proxy devices 200_1 to 200_N {ENC (gpk, M_ {1, j})} (j = 1 ～ n_1) ～ {ENC (gpk, M_ {N, j})} (j = 1 ～ n_N) is received (step S15). Thereafter, these N sets of re-encrypted data are collectively expressed as a set of re-encrypted data {ENC (gpk, M_ {1,1}),…, ENC (gpk, M_ {N, n_N}) } Also described as.

Next, the encrypted statistical data generation unit 301 performs encryption based on a set of re-encrypted data {ENC (gpk, M_ {1,1}), ..., ENC (gpk, M_ {N, n_N})}. Generate statistical data ENC (gpk, S) (step S16).

Here, S represents statistical data obtained by performing statistical processing on plaintext M_ {1,1} to M_ {N, n_N}. For example, if S = M_ {1,1} + M_ {1,2} +... + M_ {N, n_N}, S represents the sum of M_ {1,1} to M_ {N, n_N}. Utilizing that ENC is an encryption algorithm having homomorphism, the encrypted statistical data generation unit 301 uses a set of re-encrypted data {ENC (gpk, M_ {1,1}),…, {ENC Without decrypting (ENgpk 統計, M_ {N, n_N})}, it is possible to obtain the encrypted statistical data ENC (gpk, S) in which the sum represented by S is encrypted. For example, S = n (M_ {1,1} ^ 2 +… + M_ {N, n_N}) ^ 2) − (－ (M_ {1,1} +… + M_ {N, n_N})) ^ 2 For example, S represents the variance of M_ {1,1} to M_ {N, n_N}. Here, n represents the number of plaintexts M_ {1,1} to M_ {N, n_N}. A ^ b represents a to the power of b. Also in this case, the encrypted statistical data generation unit 301 decrypts the set of re-encrypted data {ENC (gpk, M_ {1,1}) to ENC (gpk, M_ {N, n_N})}, It is possible to obtain encrypted statistical data ENC (gpk, S) in which the variance represented by S is encrypted.

Next, the encrypted statistical data generation unit 301 stores the generated encrypted statistical data ENC (gpk, S) in the encrypted statistical data storage device 900 (step S17).

Thus, the encrypted statistical processing system 1 ends the encrypted statistical data generation operation.

Next, the effect of the first embodiment of the present invention will be described.

The encrypted statistical processing system according to the first embodiment of the present invention can perform statistical processing on encrypted data encrypted using different public keys while the data is encrypted.

The reason is that the proxy key generation unit 103 generates a proxy key based on the secret key held in the key holding unit 101 and the entire public key. The proxy key is a key for converting encrypted data encrypted using the public key held in the key holding unit 101 into re-encrypted data that can be distributed and decrypted by one or more private keys for distributed decryption. It is. The entire public key acquisition unit 102 acquires an entire public key for generating information that can be distributed and decrypted by using one or more distributed decryption secret keys. This is because the re-encryption unit 201 converts the encrypted data encrypted using the public key held in the key holding unit 101 into re-encrypted data using the proxy key. As a result, encrypted data encrypted using one or more different public keys corresponds to information encrypted using the same entire public key by a proxy key generated based on each public key. Converted to re-encrypted data. Then, the encrypted statistical data generation unit 301 performs an operation using homomorphism on such re-encrypted data. As a result, the encrypted statistical data generation unit 301 generates encrypted statistical data corresponding to information obtained by encrypting statistical information about the original data without decrypting the encrypted data into the original data. is there.

As described above, the encrypted statistical processing system 1 according to the first embodiment of the present invention uses, for example, the entire public key disclosed by the decryption system to convert the encrypted data using a different public key. On the other hand, statistical processing is performed with encryption. Thus, the encrypted statistical processing system 1 according to the first embodiment of the present invention can generate encrypted statistical data that can be distributed and decrypted by such a decryption system. Therefore, this embodiment is also suitable when the service provider side that performs a service using a public key for generating encrypted data is different from the statistical data user who wants to use statistical data.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. In the present embodiment, a decryption system that decrypts encrypted statistical data generated by the encrypted statistical processing system 1 according to the first embodiment of the present invention will be described. Note that, in each drawing referred to in the description of the present embodiment, the same components as those in the first embodiment of the present invention are denoted by the same reference numerals, and detailed description thereof will be omitted.

First, FIG. 6 is a block diagram showing the configuration of the decoding system 2 according to the second embodiment of the present invention. In FIG. 6, a figure surrounded by a solid line represents a component of the decoding system 2. A figure surrounded by a broken line represents a device connected to the outside of the decoding system 2. In FIG. 6, the decoding system 2 includes L (L is an integer equal to or greater than 1) distributed decoding apparatuses 400_1 to 400_L and a statistical information decoding apparatus 500. Hereinafter, the L distributed decoding apparatuses 400_1 to 400_L are also collectively referred to as the distributed decoding apparatus 400.

In FIG. 6, the distributed decoding device 400 and the statistical information decoding device 500 are connected so that they can communicate with each other. Further, the distributed decryption device 400 and the statistical information decryption device 500 are connected so as to be able to communicate with the external encrypted statistical data storage device 900, respectively. Here, the encrypted statistical data storage device 900 is a device that stores the encrypted statistical data generated by the encrypted statistical processing system 1 according to the first embodiment of this invention.

In FIG. 6, the devices that need to communicate with each other are connected so that they can communicate via a network constituted by the Internet, a LAN, a public line network, a wireless communication network, or a combination thereof. The In addition, at least a part of these devices may be connected by a network different from the network connecting the other devices.

FIG. 6 also shows L distributed decryption devices 400, one statistical information decryption device 500, and one encrypted statistical data storage device 900. However, the number of devices included in the decoding system of the present invention and the number of connected devices are not limited to the numbers in FIG.

Next, FIG. 7 is a block diagram showing the hardware configuration of each device constituting the decoding system 2.

7, the distributed decoding device 400 is configured by a computer device including a CPU 4001, a RAM 4002, a ROM 4003, a storage device 4004 such as a hard disk, and a network interface 4005.

The ROM 4003 and the storage device 4004 store computer programs and various data that cause the computer device to function as the distributed decoding device 400 of the present embodiment.

CPU 4001 loads the computer program and various data stored in ROM 4003 and storage device 4004 to RAM 4002 and executes the loaded computer program.

The network interface 4005 is a module that communicates with other devices via a network.

The statistical information decoding device 500 is configured by a computer device including a CPU 5001, a RAM 5002, a ROM 5003, a storage device 5004 such as a hard disk, and a network interface 5005.

The ROM 5003 and the storage device 5004 store a computer program and various data for causing the computer device to function as the statistical information decoding device 500 of the present embodiment.

The CPU 5001 loads the computer program and various data stored in the ROM 5003 and the storage device 5004 to the RAM 5002, and executes the loaded computer program.

The network interface 5005 is a module that communicates with other devices via a network.

Next, functional blocks of each device constituting the decoding system 2 will be described with reference to FIG. FIG. 8 is a block diagram showing functional blocks of each device constituting the decoding system 2.

First, each functional block of the distributed decoding device 400 will be described. In FIG. 8, the distributed decryption apparatus 400 includes a distributed decryption key holding unit 401 and a distributed decryption unit 402. Here, the distributed decryption key holding unit 401 is realized by the storage device 4004. The distributed decoding unit 402 is realized by the network interface 4005 and the CPU 4001. The CPU 4001 loads the above-described computer program and various data stored in the ROM 4003 and the storage device 4004 into the RAM 4002, and executes the loaded computer program. Note that the hardware configuration of each functional block of the distributed decoding apparatus 400 is not limited to the above-described configuration.

The distributed decryption key holding unit 401 stores a distributed decryption public key and a distributed decryption secret key. Here, the distributed decryption public key and the distributed decryption secret key are keys used in a public key cryptosystem capable of distributed decryption. This distributed decryption public key is held so that other devices can obtain it. Also, the distributed decryption secret key is held so that other devices cannot obtain it.

The distributed decryption unit 402 generates a partial decryption result by decrypting the encrypted statistical data stored in the encrypted statistical data storage device 900 using the distributed decryption secret key. Here, the encrypted statistical data storage device 900 stores the encrypted statistical data generated by the encrypted statistical processing system 1 according to the first embodiment of this invention. The encrypted statistical processing system 1 generates encrypted statistical data by using the entire public key for generating information that can be distributed and decrypted by the distributed decryption secret keys held in the L distributed decryption devices 400.

The distributed decryption apparatus 400 uses the encrypted statistical processing system 1 based on the distributed decryption public key disclosed by the distributed decryption apparatus 400 and other distributed decryption public keys disclosed by the other distributed decryption apparatuses 400. The entire public key used above may be generated. Then, the distributed decryption apparatus 400 may disclose the generated entire public key.

Next, functional blocks of the statistical information decoding apparatus 500 will be described. In FIG. 8, the statistical information decoding apparatus 500 includes a statistical information decoding unit 501. Here, the statistical information decoding unit 501 includes a network interface 5005 and a CPU 5001. The CPU 5001 loads the above-described computer program and various data stored in the ROM 5003 and the storage device 5004 into the RAM 5002, and executes the loaded computer program. Note that the hardware configuration of the statistical information decoding unit 501 is not limited to the above-described configuration.

The statistical information decryption unit 501 acquires a complete decryption result of the encrypted statistical data based on the L partial decryption results obtained by the L distributed decryption devices 400. As a result, the statistical information decrypting unit 501 encrypts the encrypted data stored in the encrypted data storage device 800 connected to the encrypted statistical processing system 1 according to the first embodiment of this invention. Get statistical information about the original data of.

The decoding operation of the decoding system 2 configured as described above will be described with reference to FIG.

In the drawings referred to in the following description, the distributed decoding device 400_i (i = 1 to L) is also described as the i-th distributed decoding device. Further, the distributed decryption public key held in the distributed decryption key holding unit 401 of the distributed decryption device 400_i is described as dpk_i. The distributed decryption secret key is described as dsk_i. Also, the entire public key gpk is generated and released based on L distributed decryption public keys dpk_i. Further, the encrypted statistical data storage device 900 stores the encrypted statistical data ENC (gpk, S) related to the entire public key gpk generated by the encrypted statistical processing system 1 according to the first embodiment of the present invention. Is remembered.

In FIG. 9, first, the distributed decryption unit 402 of the distributed decryption device 400_i acquires the encrypted statistical data ENC (gpk, S) from the encrypted statistical data storage device 900 (step S21).

Next, the distributed decryption unit 402 of the distributed decryption device 400_i partially decrypts the encrypted statistical data ENC (gpk, S) using the distributed decryption private key dsk_i held in the distributed decryption key holding unit 401, A partial decoding result RESULT_i is generated (step S22).

Next, the distributed decoding unit 402 of the distributed decoding device 400_i transmits the partial decoding result RESULT_i to the statistical information decoding device 500 (step S23).

Next, the statistical information decoding unit 501 of the statistical information decoding apparatus 500 receives L partial decoding results RESULT_1 to RESULT_L from the distributed decoding apparatuses 400_1 to 400_L (step S24).

Next, the statistical information decoding unit 501 acquires the decoding result S based on the L partial decoding results RESULT_1 to RESULT_L (step S25).

Thus, the decryption system 2 finishes the operation.

Next, effects of the second exemplary embodiment of the present invention will be described.

In the decryption system according to the second embodiment of the present invention, encrypted statistical data obtained by performing statistical processing on encrypted data encrypted using different public keys is converted into statistical information about the original data. Can be decrypted.

The reason is that the distributed decryption key holding unit holds the distributed decryption public key and the distributed decryption private key, and publicizes the distributed decryption public key. As a result, it is possible to generate an entire public key for generating encrypted information that can be distributed and decrypted using one or more of these distributed decryption secret keys. Thereby, the encrypted data encrypted using a different public key is converted into re-encrypted data corresponding to the information encrypted using such an entire public key. The encrypted data is statistically processed as it is without being decrypted, and the encrypted statistical data is generated. Then, the distributed decryption unit generates partial decryption results by performing partial decryption on such encrypted statistical data using the distributed decryption secret key. Then, the statistical information decoding unit obtains a complete decoding result based on one or more partial decoding results. That is, the decryption system according to the present embodiment can obtain statistical information on the original data of encrypted data encrypted using different public keys as a decryption result by performing distributed decryption on the encrypted statistical data. it can.

(Third embodiment)
Next, a third embodiment of the present invention will be described in detail with reference to the drawings. Note that, in each drawing referred to in the description of the present embodiment, the same components as those in the first and second embodiments of the present invention are denoted by the same reference numerals, and detailed description in the present embodiment is omitted. To do.

First, FIG. 10 is a block diagram showing the configurations of the encryption statistical processing system 3 and the decryption system 4 according to the third embodiment of the present invention. In FIG. 10, a figure surrounded by a solid line represents a component of the encrypted statistical processing system 3 or the decryption system 4. A figure surrounded by a broken line represents a device connected to the outside of the encryption statistical processing system 3 and the decryption system 4. In FIG. 10, the encrypted statistical processing system 3 includes N key generation devices 130_1 to 130_N, N proxy devices 230_1 to 230_N, and an encrypted statistical data generation device 330. Hereinafter, the N key generation devices 130_1 to 130_N are also collectively referred to as the key generation device 130. The N proxy devices 230_1 to 230_N are hereinafter also collectively referred to as the proxy device 230. The hardware configuration of each device constituting the encrypted statistical processing system 3 is the same as that of each device constituting the encrypted statistical processing system 1 according to the first embodiment of the present invention described with reference to FIG. Can be configured.

In FIG. 10, the decoding system 4 includes L distributed decoding devices 430_1 to 430_L and a statistical information decoding device 530. The L distributed decoding apparatuses 430_1 to 430_L are hereinafter collectively referred to as the distributed decoding apparatus 430. The hardware configuration of each device constituting the decoding system 4 can be configured in the same manner as each device constituting the decoding system 2 according to the second embodiment of the present invention described with reference to FIG.

In FIG. 10, the key generation device 130, the proxy device 230, and the encrypted statistical data generation device 330 are the key generation device 100, the proxy device 200, and the encrypted statistical data generation device 300 according to the first embodiment of the present invention. Similarly, they are connected so that they can communicate with each other. Furthermore, the key generation device 130, the proxy device 230, and the encrypted statistical data generation device 330 can communicate with the external data registration device 700, the external encrypted data storage device 800, and the external encrypted statistical data storage device 900, respectively. Connected to be.

Also, in FIG. 10, distributed decoding apparatus 430 and statistical information decoding apparatus 530 can communicate with each other in the same manner as distributed decoding apparatus 400 and statistical information decoding apparatus 500 in the second embodiment of the present invention. Connected. Further, the distributed decryption device 430 and the statistical information decryption device 530 are connected to the external encrypted statistical data storage device 900 so as to be able to communicate with each other.

In FIG. 10, the devices that require communication are connected so as to be able to communicate via a network constituted by the Internet, a LAN, a public line network, a wireless communication network, or a combination thereof. The In addition, at least a part of these devices may be connected by a network different from the network connecting the other devices.

FIG. 10 also shows N key generation devices 130, N proxy devices 230, N encrypted data storage devices 800, one encrypted statistical data generation device 330, and one encryption. A statistical data storage device 900 is shown. However, the number of devices included in the encrypted statistical processing system of the present invention and the number of connected devices are not limited to the example of FIG. FIG. 10 shows L distributed decoding apparatuses 430 and one statistical information decoding apparatus 530. However, the number of devices included in the decoding system of the present invention and the number of connected devices are not limited to the example of FIG.

Next, functional blocks of the devices constituting the encrypted statistical processing system 3 and the decryption system 4 will be described with reference to FIG. FIG. 11 is a block diagram showing functional blocks of each device constituting the encrypted statistical processing system 3 and the decryption system 4.

First, each functional block of the key generation device 130 will be described. In FIG. 11, the key generation device 130 is different from the key generation device 100 according to the first embodiment of the present invention in that a proxy key generation unit 133 is provided instead of the proxy key generation unit 103.

The proxy key generation unit 133 is held in the random number generated by the key generation device 130 including the proxy key generation unit 133, another random number generated by another key generation device 130, and the key holding unit 101. An integration conversion key is generated based on the secret key. The key holding unit 101 that holds the secret key used to generate the conversion key for integration by the proxy key generation unit 133 is the key holding unit 101 of the key generation device 130 that includes the proxy key generation unit 133. The integration conversion key is a key for converting encrypted data encrypted by the public key held in the key holding unit 101 into integration re-encrypted data that can be decrypted by the integration secret key. The integration secret key can be generated based on a random number generated by the key generation device 130 including the proxy key generation unit 133 that generates the integration secret key and another random number generated by another key generation device 130. It is a secret key. For this purpose, for example, the proxy key generation unit 133 generates a random number. The proxy key generation unit 133 further acquires information regarding other random numbers generated by the proxy key generation unit 133 of the other key generation device 130.

Further, the proxy key generation unit 133 generates random number encryption information by encrypting the random number generated by the key generation device 130 including the proxy key generation unit 133 with the above-described entire public key. Then, the proxy key generation unit 133 generates information including the integration conversion key and the random number encryption information as a proxy key.

Further, the proxy key generation unit 133 may generate a proxy key including the above-described integration conversion key and random number encryption information using a proxy public key described later disclosed by the proxy device 230. Specifically, the proxy key generation unit 133 publishes the random number generated by the key generation device 130 including the proxy key generation unit 133 by the proxy device 230 associated with the key generation device 130. You may encrypt using a key. Further, the proxy key generation unit 133 may encrypt other random numbers generated by other key generation devices 130 using the same proxy public key. Then, the proxy key generation unit 133 corresponds to the information obtained by encrypting the integration conversion key with the proxy public key based on the information representing the encrypted random number and the private key of the own device. Integration conversion key encryption information may be generated. In this case, the proxy key generation unit 133 generates information including integration conversion key encryption information and random number encryption information as a proxy key. For example, the proxy key generation unit 133 encrypts the random numbers generated by the key generation device 130 including the proxy key generation unit 133 using N proxy public keys disclosed by the N proxy devices 230, respectively. N pieces of encrypted information may be generated. Then, the proxy key generation unit 133 may transmit the generated information to another key generation apparatus 130 related to the proxy public key used for encryption. As a result, the proxy key generation unit 133 can acquire information obtained by encrypting N random numbers using the same proxy public key.

Next, each functional block of the proxy device 230 will be described. In FIG. 11, the proxy device 230 includes a re-encryption unit 231 instead of the re-encryption unit 201 with respect to the proxy device 200 according to the first embodiment of the present invention, and further includes a proxy key holding unit 232. The point to prepare is different. Here, the proxy key holding unit 232 is configured by the storage device 2004.

The proxy key holding unit 232 stores a proxy public key and a proxy secret key. The proxy public key and the proxy secret key are a public key and a secret key used in a public encryption system having homomorphism. This proxy public key is held so that other devices can obtain it. Also, the proxy secret key is held so that other devices cannot obtain it.

The re-encryption unit 231 generates the integration secret key encryption information based on the N random number encryption information included in the N proxy keys generated by the N key generation devices 130. Here, each of the N pieces of random number encryption information is information obtained by encrypting the random number generated by each key generation device 130 with the entire public key. Therefore, for example, the re-encryption unit 231 performs an operation using homomorphism on each of the N pieces of random number encryption information, and based on these random numbers without decrypting each random number encryption information. It is possible to obtain integration secret key encryption information that can be decrypted into an integration secret key that can be generated.

In addition, the re-encryption unit 231 converts the encrypted data into the re-encrypted data for integration using the conversion key for integration. The integration conversion key is an integration conversion key included in the proxy key generated by the key generation device 130 associated with the proxy device 230 in which the re-encryption unit 231 is included. The encrypted data is encrypted data that is encrypted with a public key that is disclosed by the key generation device 130. When the proxy key includes the above-described integration conversion key encryption information, the re-encryption unit 231 uses the proxy secret key held in the proxy key holding unit 232 to decrypt the integration conversion key encryption information. Thus, the conversion key for integration may be acquired. Then, the re-encryption unit 231 outputs information including the integration re-encryption data and the above-described integration secret key encryption information as re-encryption data.

Next, functional blocks of the encrypted statistical data generation apparatus 330 will be described. In FIG. 11, the encrypted statistical data generation device 330 is different from the encrypted statistical data generation device 300 according to the first embodiment of the present invention in place of the encrypted statistical data generation unit 301. The difference is that 331 is provided.

The encrypted statistical data generation unit 331 performs an operation using homomorphism on the re-encrypted data for integration included in the re-encrypted data output from the proxy device 230. Then, the encrypted statistical data generation unit 331 converts the information including the integrated re-encrypted data calculation result, which is the calculation result, and the integrated private key encryption information included in the re-encrypted data, into the encrypted statistical data. Generate as The integration secret key encryption information included in such encrypted statistical data can be decrypted into the integration secret key by being distributed and decrypted using one or more distributed decryption secret keys. In addition, the integration re-encrypted data calculation result included in such encrypted statistical data can be decrypted into statistical information by such an integration secret key. Therefore, it can be said that such encrypted statistical data can be decrypted into statistical information using one or more distributed decryption secret keys.

Next, each functional block of the distributed decoding device 430 will be described. In FIG. 11, the distributed decoding device 430 is different from the distributed decoding device 400 according to the second embodiment of the present invention in that a distributed decoding unit 432 is provided instead of the distributed decoding unit 402.

The distributed decryption unit 432 distributes the private key encryption information for integration included in the encrypted statistical data stored in the encrypted statistical data storage device 900 and held in the distributed decryption key holding unit 401 of the own device. A partial decryption result is generated by performing partial decryption using the decryption secret key.

Next, functional blocks of the statistical information decoding device 530 will be described. In FIG. 11, the statistical information decoding device 530 is different from the statistical information decoding device 500 in the second embodiment of the present invention in that a statistical information decoding unit 531 is provided instead of the statistical information decoding unit 501.

Based on the L partial decryption results output from the L distributed decryption devices 430, the statistical information decryption unit 531 is used for integration as a complete decryption result of the integration secret key encryption information included in the encrypted statistical data. Obtain a secret key. Then, the statistical information decrypting unit 531 decrypts the integration re-encrypted data calculation result included in the encrypted statistical data, using the acquired integration secret key. As a result, the statistical information decryption unit 531 acquires statistical information regarding data before the encrypted data stored in the encrypted data storage device 800 is encrypted.

Operations of the encrypted statistical processing system 3 and the decryption system 4 configured as described above will be described with reference to the drawings. Here, the operation will be described focusing on an example in which the El Gamal encryption method is applied in the present embodiment.

First, the El Gamal encryption method used in this embodiment will be described. The El Gamal cipher is a public key cryptosystem consisting of three processes: key generation, encryption, and decryption. Hereinafter, for the sake of simplicity, the remainder set obtained by dividing the integer by p is referred to as Z_p.

<Key generation> The key generation algorithm of the El Gamal encryption is a stochastic algorithm that outputs a public key (p, g, y) and a secret key (x) with the security parameter k as an input. The key generation is performed as follows.

1: Generate a prime number p of k bits.

2: Generate Z_p 生成 generation source g randomly.

3: Select x randomly from Z_p and calculate y = g ^ x.

4: Output (p, g, y) as public key and x as secret key.

<Encryption> The encryption algorithm of the El Gamal encryption is a probabilistic algorithm that outputs a ciphertext C = (c_1, c_2) with the message MεZ_p and the public key (p, g, y) as inputs. The encryption is performed as follows.

1: Select r at random from Z_p.

2: Calculate c_1 = y ^ r, c_2 = g ^ M · g ^ r. Here, “·” is an operator representing multiplication defined on the group.

3: Output C = (c_1, c_2).

<Decryption> The decryption algorithm of the El Gamal cipher is a definitive algorithm that outputs the plaintext M with the ciphertext C = (c_1, c_2) and the secret key x as inputs. The decoding is performed as follows.

1: Calculate P = c_2 / (c_1) ^ {1 / x} 1 /.

2: Find 見 つ け る M that satisfies g ^ M = P.

3: Outputs M.

Such an El Gamal cipher has a proxy re-encryption function and an additive homomorphism, and therefore is different from the widely known El Gamal cipher. However, it can be mathematically proved that such an Elgamal cipher has the same security as a normal Elgamal cipher. Hereinafter, operations of the encrypted statistical processing system 3 and the decryption system 4 will be described focusing on a specific example in the case where such an El Gamal encryption method is adopted.

In the following description of the operation, different public keys spk_i = (p, g, y_i) and secret key ssk_i = (x_i) are already stored in the key holding unit 101 of each of the N key generation devices 130_i. ing.

However, the generation source g of the prime numbers p and Z_p used to generate each public key spk_i is common. For example, the public key spk_i = (p, g, y_i) and the private key ssk_i = (x_i) are obtained by executing the above-described El Gamal encryption key generation process using the common p and g. May be generated. The key generation device 130_i may hold the generated public key spk_i and secret key ssk_i in the key holding unit 101. The public key spk_i is made public and can be acquired from the outside.

Further, in the following description of the operation, the proxy public key ppk_i = (p, g, y_ {p, i}) and the proxy secret key psk_i = (x_) are stored in the proxy key holding unit 232 of each of the N proxy devices 230_i. {p, i}) is already stored.

However, for generation of each proxy public key ppk_i, the same generation source g of the common prime numbers p and Z_p used for generating each of the public keys spk_i described above is used. For example, the proxy device 230_i uses the common p and g to execute the above-described El Gamal encryption key generation process, whereby the proxy public key ppk_i = (p, g, y_ {p, i}) And the proxy secret key psk_i = (x_ {p, i}) may be generated. The proxy device 230_i may hold the generated proxy public key ppk_i and proxy secret key psk_i in the proxy key holding unit 232. The proxy public key ppk_i is made public and can be acquired from the outside.

In the following description of the operation, the distributed decryption key holding unit 401 of each of the L distributed decryption devices 430_i includes the distributed decryption public key dpk_i = (p, g, y_ {d, i}) and the distributed decryption. Private key dsk_i = (x_ {d, i}) is already stored.

However, for the generation of each distributed public key dpk_i, the same generators g as the common prime numbers p and Z_p used for generating each public key spk_i described above are used. For example, the distributed decryption device 430_i uses the common p and g to execute the above-described El Gamal encryption key generation process, thereby performing the distributed decryption public key dpk_i = (p, g, y_ {d, i}) and the secret key for distributed decryption dsk_i = (x_ {d, i}) may be generated. The distributed decryption device 430_i may hold the generated distributed decryption public key dpk_i and the distributed decryption secret dsk_i key in the distributed decryption key holding unit 401. The distributed decryption public key dpk_i is made public and can be acquired from the outside.

In the following description of the operation, the N encrypted data storage devices 800_i each include a set of encrypted data in which plaintext M_ {i, j} j (j = 1 to n_i) is encrypted with the public key spk_i. {ENC (spk_i, M_ {i, j})} is already stored. However, the number of encrypted data stored in the encrypted data storage device 800_i is n_i. Note that such encrypted data is generated by the data registration apparatus 700 by executing the encryption process of the above-described El Gamal encryption with the public key spk_i and the data M_ {i, j} to be registered as inputs. The

First, the overall public key generation operation will be described. FIG. 12 is a diagram illustrating the generation operation of the entire public key. Here, the description will be made assuming that the distributed decryption device 430_i generates and publishes the entire public key.

In FIG. 12, first, the distributed decryption device 430_i acquires the distributed decryption public keys dpk_1 to dpk_N by communicating with the other distributed decryption devices 430_i (step S101).

Next, the distributed decryption device 430_i generates the entire public key gpk based on the N distributed decryption public keys dpk_1 to dpk_N. Then, the distributed decryption device 430_i publishes the generated entire public key gpk (step S102).

Specifically, the distributed decoding device 430_i calculates y_ {d} = y_ {d, 1} (•)... (•) y_ {d, N}. Here, “(•)” is a binary operator, and the encryption algorithm ENC represents a binary operator having homomorphism with respect to the operation. In general, the operator “(•)” is determined according to the encryption of ENC. Then, the distributed decryption device 430_i publishes (p, g, y_ {d}) as the entire public key gpk.

Thus, the distributed decryption device 430_i ends the operation of generating the entire public key gpk. Note that such an operation of generating the entire public key gpk does not need to be executed by all L distributed decryption devices 430. The generation operation of the entire public key gpk may be executed by at least one distributed decryption device 430. Alternatively, devices such as the key generation device 130, the encrypted statistical data generation device 330, and the statistical information decryption device 530 may perform the generation process of the entire public key gpk.

Next, the proxy key generation operation of the encrypted statistical processing system 3 will be described. FIG. 13 is a diagram illustrating the proxy key generation operation of the encrypted statistical processing system 3.

In FIG. 13, first, the entire public key acquisition unit 102 of the key generation device 130_i acquires the entire public key gpk (step S201). Here, the entire public key acquisition unit 102 may acquire the entire public key gpk published by the device (for example, the distributed decryption device 430_i) that has performed the operation illustrated in FIG.

Next, the proxy key generation unit 133 acquires the secret key ssk_i = (x_i) held in the key holding unit 101 of the key generation device 130_i including the proxy key generation unit 133 (Step S202).

Next, the proxy key generation unit 133 generates a random number h_i (step S203). Specifically, the proxy key generation unit 133 selects h_i randomly from Z_p.

Next, the proxy key generation unit 133 uses the information obtained by encrypting the generated random number h_i with the proxy public key ppk_i and the random number generated by another key generation device 130_j (j = 1 to N, where j ≠ i). Information obtained by encrypting h_j with the same proxy public key ppk_i is acquired (step S204).

Specifically, the proxy key generation unit 133 of the key generation device 130_i may acquire information obtained by encrypting these N random numbers with the proxy public key ppk_i by operating as follows.

The proxy key generation unit 133 of the key generation device 130_i encrypts the random number h_i using the proxy public keys ppk_1 to ppk_N disclosed by the proxy devices 230_1 to 230_N, respectively, and ENC (ppk_1, h_i), ..., ENC ( ppk_N, h_i) is generated.

Next, the proxy key generation unit 133 of the key generation device 130_i transmits the generated ENC (ppk_j, h_i) (j = 1 to N, where j ≠ i) to each of the other key generation devices 130_j.

Next, the proxy key generation unit 133 of the key generation device 130_i receives ENC (ppk_i, h_j) in which the random number h_j is encrypted with the proxy public key ppk_i from each of the other key generation devices 130_j.

In this way, in step S204, the proxy key generation unit 133 of the key generation device 130_i uses the information ENC (ppk_i, h_1),..., ENC () in which the random numbers h_1 to h_N are encrypted with the same proxy public key ppk_i. ppk_i, h_N) is acquired.

Next, the proxy key generation unit 133 of the key generation device 130_i integrates the random numbers h_1 to h_N based on the information encrypted with the same proxy public key ppk_i and the private key ssk_i of the own device acquired in step S202. Conversion key encryption information ENC (ppk_i, rk-1_i) is generated (step S205). Here, rk-1_i represents an integration conversion key.

Here, as described above, the integration conversion key encryption information is information obtained by encrypting the integration conversion key rk-1_i with the proxy public key ppk_i. Further, as described above, the integration conversion key rk-1_i is used to convert encrypted data encrypted using the public key spk_i into integration re-encrypted data that can be decrypted with the integration secret key. Information.

Specifically, the key generation device 130_i generates the conversion key encryption information for integration by operating as follows. Here, the integration conversion key encryption information is described as ENC (ppk_i, h_j) = (c_ {1, j}, c_ {2, j}).

First, the proxy key generation unit 133 of the key generation device 130_i performs C_ {1, i} = c_ {1,1} (•) ... (•) c_ {1, N}, C_ {2, i} = c_ {2,1} (•)… (•) c_ {2, N} is calculated.

Next, the proxy key generation unit 133 of the key generation device 130_i performs C ′ _ {1, i} = C_ {1, i} ^ {1 / ssk_i}, C ′ _ {2, i} = C_ {2 , i} ^ {1 / ssk_i}.

Next, the proxy key generation unit 133 of the key generation device 130_i converts (C ′ _ {1, i}, C ′ _ {2, i}) into the conversion key encryption information ENC (ppk_i, rk-1_i for integration). ).

In this way, in step S205, the proxy key generation unit 133 of the key generation device 130_i generates the conversion key encryption information ENC (ppk_i, rk-1_i) for integration.

Next, the proxy key generation unit 133 of the key generation device 130_i transmits the integration conversion key encryption information ENC (ppk_i, rk-1_i) generated in step S205 to the proxy device 230_i as a part of the proxy key. (Step S206).

Next, the proxy key generation unit 133 of the key generation device 130_i performs an Elgamal encryption encryption process on the random number h_i generated in step S203 using the entire public key gpk, thereby generating the random number encryption information ENC. (gpk, h_i) is calculated (step S207).

Next, the proxy key generation unit 133 of the key generation device 130_i transmits the random number encryption information ENC (gpk, h_i) generated in step S207 to each of the proxy devices 230_1 to 230_N as a part of the proxy key. (Step S208).

Next, the re-encryption unit 231 of the proxy device 230_i uses the proxy secret key psk_i for the conversion key encryption information ENC (ppk_i, rk-1_i) for integration transmitted from the key generation device 130_i in step S206. The Elgamal encryption is decrypted. As a result, the re-encryption unit 231 obtains the integration conversion key rk-1_i (step S209).

Next, the re-encryption unit 231 of the proxy device 230_i transmits the random number encryption information ENC (gpk, h_1),..., ENC (gpk, h_N) transmitted from the key generation device 130_1 to the key generation device 130_N in step S208, respectively. Is subjected to computation using homomorphism. As a result, the re-encryption unit 231 generates integration secret key encryption information (step S210).

Specifically, the re-encryption unit 231 of the proxy device 230_i operates as follows with ENC (gpk, h_i) = (c_ {1, i}, c_ {2, i}).

First, the re-encryption unit 231 of the proxy device 230_i performs C_1 = c_ {1,1} (•) ... (•) c_ {1, N}, C_2 = c_ {2,1} (•). ) Calculate c_ {2, N}.

Next, the re-encryption unit 231 of the proxy device 230_i sets (C_1, C_2) と す る as the integration private key encryption information ENC (gpk, H). Here, H represents an integration secret key.

Thus, the encrypted statistical processing system 3 ends the proxy key generation operation.

Note that the integration conversion key rk-1_i obtained in step S209 of the proxy key generation operation and the integration secret key encryption information ENC (gpk, H) obtained in step S210 are encrypted statistical data described below. Used in the generation operation.

Next, the encrypted statistical data generation operation of the encrypted statistical processing system 3 will be described. FIG. 14 is a diagram illustrating the encrypted statistical data generation operation of the encrypted statistical processing system 3.

In FIG. 14, first, the re-encryption unit 231 of the proxy device 230_i performs the proxy key integration conversion key rk-1_i obtained by the proxy key generation operation of FIG. 13 and the integration secret key encryption information ENC (gpk, H) is acquired (step S301).

Next, the re-encryption unit 231 of the proxy device 230_i encrypts a set of encrypted data {ENC (spk_i, M_ {i, j})} (j = 1 to n_i) encrypted with the public key spk_i. Obtained from the data storage device 800_i (step S302).

Next, the re-encryption unit 231 of the proxy device 230_i re-encrypts the set {ENC (spk_i, _M_ {i, j})} of the encrypted data using the integration conversion key rk-1_i. Convert to a set of data.

Specifically, the re-encryption unit 231 of the proxy device 230_i sets each encrypted data ENC (spk_i, M_ {i, j}) = (c_1, c_2) = ({y_i} ^ r, g ^ {M_ { i, j}} g ^ {r}) is re-encrypted as follows.

First, the re-encryption unit 231 of the proxy device 230_i calculates c_1 ′ = c_1 ^ {rk-1_i}.

Next, the re-encryption unit 231 of the proxy device 230_i sets (c_1 ′, c_2) as integration re-encrypted data ENC (gH, M_ {i, j}). Here, gH represents an integration public key corresponding to the integration secret key H described above. That is, (c_1 ′, c_2) calculated in this way is reintegrated data for integration that can be decrypted into plaintext M_ {i, j} using the integration secret key H.

In this way, in step S303, the re-encryption unit 231 of the proxy device 230_i sets the reencrypted data for integration {ENC (gH, gM_ {i, 1}),..., ENC (gH, M_ {i , n_i})}.

Next, the re-encryption unit 231 of the proxy device 230_i re-encrypts information including the set of integration re-encrypted data generated in step S303 and the integration secret key encryption information ENC (gpk, H). The encrypted data set ENC_i (gpk, M) is transmitted to the encrypted statistical data generation apparatus 330 (step S304).

Specifically, the re-encryption unit 231 of the proxy device 230_i sets ENC_i (gpk, M) = {ENC (gH, M_ {i, 1}),..., ENC (gH, M_ {i, n_i}), ENC (gpk, H)} may be transmitted. That is, through steps S303 to S304, the re-encryption unit 231 of the proxy device 230_i converts the encrypted data set {ENC (spk_i, M_ {i, j})} into the re-encrypted data set ENC_i (gpk, M ).

Next, the encrypted statistical data generation unit 331 of the encrypted statistical data generation apparatus 330 sets N re-encrypted data sets ENC_1 (gpk, M),..., ENC_N (gpk, M) from the proxy devices 230_1 to 230_N. Is received (step S305).

Next, the encrypted statistical data generation unit 331 performs integration re-encryption by performing an operation using homomorphism on the integration re-encrypted data included in the set of N re-encrypted data. A data calculation result is generated (step S306).

Specifically, the encrypted statistical data generation unit 331 may operate as follows. However, ENC (gH, M_ {i, j}) included in ENC_i (gpk, M) is denoted as (c_ {1, j}, c_ {2, j}).

First, the encrypted statistical data generation unit 331 performs C_ {1, i} = c_ {1,1} (•) ... (•) c_ for each set ENC_i (gpk, M) of re-encrypted data. {1, n_i}, C_ {2, i} = c_ {2,1} (•) ... (•) c_ {2, n_i} is calculated. Thus, N pieces of partial encrypted statistical data ENC_i (gH, S_i) = (C_ {1, i}, C_ {2, i}) are obtained. Here, the partial encryption statistical data ENC_i (gH, S_i) is partial encryption statistical information that can decrypt the statistical information about the plaintexts M_ {i, 1} to M_ {i, n_i} with the integration secret key H. (Partially encrypted statistical data).

Next, the encrypted statistical data generation unit 331 further performs C_1 = C_ {1,1} (•) ... (•) C_ {1, N}, C_2 = C_ {2,1} (•) ... (・) Calculate C_ {2, N}.

Next, the encrypted statistical data generation unit 331 sets (C_1, C_2) as the re-encrypted data operation result for integration ENC (gH, S). That is, the integration re-encrypted data operation result ENC (gH, S) is information that can be decrypted into statistical information on plaintext M_ {1,1} to M_ {N, n_N} using the integration secret key H. . In this way, in step S306, the encrypted statistical data generation unit 331 generates a re-encrypted data calculation result for integration.

Next, the encrypted statistical data generation unit 331 converts the information including the integration re-encrypted data calculation result ENC (gH, S) and the integrated secret key encryption information ENC (gpk, H) into the encrypted statistical data. Is stored in the encrypted statistical data storage device 900 (step S307).

For the encrypted statistical data generated in this way, the re-encrypted data calculation for integration that can be decrypted into the statistical information on plaintext M_ {1,1} to M_ {N, n_N} using the integration secret key H The result and the integration secret key encryption information obtained by encrypting the integration secret key H with the entire public key gpk are included. That is, it can be said that such a set of re-encrypted data is data that can be distributed and decrypted with one or more secret keys for distributed decryption corresponding to the entire public key.

Thus, the encrypted statistical processing system 3 ends the encrypted statistical data generation operation.

Next, the decoding operation of the decoding system 4 will be described. FIG. 15 is a diagram illustrating a decoding operation of the decoding system 4.

In FIG. 15, first, the distributed decryption unit 432 of the distributed decryption device 430 — i receives from the encrypted statistical data storage device 900 the integrated secret key encryption information ENC (gpk, H) = (C_1, C_2) is received (step S401).

Next, the distributed decryption unit 432 of the distributed decryption device 430_i partially decrypts the integrated secret key encryption information ENC (gpk, H) using the distributed decryption secret key dsk_i of the own device, and generates a partial decryption result To do.

Specifically, the distributed decoding unit 432 of the distributed decoding device 430_i calculates C ′ _ {i, 1} = C_1 ^ {1 / dsk_i}. Then, the distributed decoding unit 432 of the distributed decoding device 430_i sets (C ′ _ {i, 1}, C_2) as the partial decoding result PRESULT_i.

Next, the distributed decoding unit 432 of the distributed decoding device 430_i transmits the partial decoding result PRESULT_i to the statistical information decoding device 530 (step S403).

Next, the statistical information decoding unit 531 of the statistical information decoding device 530 receives partial decoding results PRESULT_1 to PRESULT_L from the distributed decoding devices 430_1 to 430_L (step S404).

Next, the statistical information decryption unit 531 obtains the integration secret key H as a decryption result based on the L partial decryption results PRESULT_1 to PRESULT_L (step S405).

Specifically, the statistical information decoding unit 531 operates as follows with PRESULT_i = (C ′ _ {i, 1}, C_2).

First, the statistical information decoding unit 531 calculates C′_1 = C ′ _ {1,1} (•)... (•) C ′ _ {N, 1}.

Next, the statistical information decoding unit 531 calculates M ′ = C_2 / C′_1.

Next, the statistical information decoding unit 531 searches for H that satisfies g ^ H = M ′. The obtained H is the integration secret key.

Next, the statistical information decryption unit 531 receives the integration re-encrypted data calculation result ENC (gH, S) included in the encrypted statistical data from the encrypted statistical data storage device 900 (step S406).

Next, the statistical information decryption unit 531 obtains statistical information for the original data by decrypting the integration re-encrypted data operation result using the integration secret key H obtained in step S405 (step S407). ).

Specifically, the statistical information decryption unit 531 executes the Elgamal encryption decryption process on the integration re-encrypted data operation result ENC (gH, S) using the integration secret key H. The obtained plaintext S is output as a decryption result.

Thus, the decoding system 4 finishes the decoding operation.

In this embodiment, the encrypted statistical data generation unit 331 of the encrypted statistical data generation device 330 obtains partial encrypted statistical data for each set of N re-encrypted data. Then, the encrypted statistical data generation unit 331 obtains encrypted statistical data based on the obtained N pieces of partial encrypted statistical data. Such processing for obtaining the partial encrypted statistical data may be performed by the re-encryption unit 231 of the proxy device 230. In this case, the re-encryption unit 231 performs re-encryption processing and partial encryption statistical data generation processing each time new encrypted data is registered in the encrypted data storage device 800 by the data registration device 700. You may make it leave. In this case, for example, the proxy device 230 stores such partially encrypted statistical data in the encrypted data storage device 800. Then, the encrypted statistical data generation unit 331 of the encrypted statistical data generation device 330 may obtain the encrypted statistical data from these N pieces of partial encrypted statistical data. Alternatively, in the present embodiment, the encrypted statistical data generation unit 331 of the encrypted statistical data generation device 330 obtains partial encrypted statistical data from the re-encrypted data included in the N sets of re-encrypted data. Alternatively, the encrypted statistical data may be obtained.

In the present embodiment, the example in which the distributed decryption apparatus 430 performs the generation process of the entire public key has been described. However, the key generation apparatus 130 may generate the entire public key. Alternatively, any device inside or outside the encryption statistical processing system and the decryption system according to the present embodiment may generate and publish the entire public key based on the distributed decryption public key disclosed by the distributed decryption device. .

Further, in the present embodiment, the example in which the proxy device performs the generation process of the integration secret key encryption information has been described. However, the generation process of the integration secret key encryption information is performed by, for example, the encrypted statistical data generation apparatus. May do.

In this embodiment, the example in which the El Gamal encryption is applied has been mainly described, but other encryption methods having homomorphism and a re-encryption function are also applicable.

Next, the effect of the third embodiment of the present invention will be described.

The encrypted statistical processing system according to the third embodiment of the present invention can perform statistical processing as encrypted on encrypted data encrypted using different public keys in more various encryption methods. There is an effect.

The reason is that each part of the encrypted statistical processing system according to the third embodiment operates as follows. The proxy key generation unit generates a random number. The proxy key generation unit converts the encrypted data encrypted with the public key into re-encrypted data for integration that can be decrypted with an integration private key that can be generated based on one or more random numbers including the generated random number. To generate a conversion key for integration. The proxy key generation unit generates, as a proxy key, information including the generated conversion key for integration and random number encryption information obtained by encrypting the above random number with the entire public key. Then, the re-encryption unit re-encrypts the encrypted data using such an integration conversion key to generate integration re-encrypted data. The re-encryption unit generates integration secret key encryption information corresponding to information obtained by encrypting the integration secret key with the entire public key based on one or more random number encryption information. Then, the encrypted statistical data generation unit performs an operation using homomorphism on the re-encrypted data for integration in which the encrypted data encrypted using one or more different public keys is converted. . The encrypted statistical data generation unit generates, as encrypted statistical data, information including the integration re-encrypted data calculation result, which is the calculation result, and the integration secret key encryption information. Thus, the following effects can be obtained even when it is difficult to re-encrypt from the encrypted data of the encryption method adopted by the encryption statistical processing system to the encrypted data of the encryption method adopted by the decryption system. That is, encrypted data encrypted using a different public key can be converted into integrated re-encrypted data that can be decrypted using the same integrated private key. Therefore, it is possible to perform statistical calculation while encrypting the re-encrypted data for integration. The encrypted statistical data including the integration re-encrypted data calculation result and the integration secret key encryption information thus obtained is a decryption system capable of decrypting the information encrypted with the entire public key. Can be decrypted. That is, the decryption system can obtain the integration secret key by distributing and decrypting the integration secret key encryption information using the distributed decryption secret key. As a result, the decryption system can obtain statistical data by decrypting the integration re-encrypted data operation result using the integration secret key.

Also, the decryption system according to the third embodiment of the present invention has an effect that more various encryption methods can be applied as the encryption method used when decrypting the encrypted statistical data. The encrypted data is data generated by performing statistical processing while encrypting encrypted data encrypted using different public keys.

The reason is that each part of the decoding system according to the third embodiment of the present invention operates as follows. The distributed decryption unit generates a partial decryption result by decrypting the integrated secret key encryption information included in the encrypted statistical data using the distributed decryption secret key. The statistical information decryption unit acquires the integration secret key as a decryption result based on one or more partial decryption results. The statistical information decryption unit decrypts the integration re-encrypted data calculation result included in the encrypted statistical data, using the acquired integration secret key. Thus, the statistical information decoding unit acquires statistical information regarding the original data. As a result, the decryption system according to the present embodiment can be used in the case where it is difficult to re-encrypt from the encrypted data of the encryption method adopted by the encryption statistical processing system to the encrypted data of the encryption method adopted by the decryption system The effect is obtained. That is, the integrated private key for decrypting the integrated re-encrypted data operation result obtained by statistically processing encrypted data encrypted using different public keys is obtained by distributed decryption. It becomes possible.

In each of the embodiments of the present invention described above, the key generation device can be applied to a service provider side device that provides a service using a public key. In this case, the data registration device may be a user terminal that encrypts and registers data using a public key published by the device on the service provider side. Further, the proxy device can be applied to an administrator-side device that can be trusted by a service provider. Further, the encrypted statistical data generation device can be applied to a device on the database administrator side that operates a cloud database. In this case, the encrypted statistical data storage device is used to implement a cloud database. Further, the distributed decoding device and the statistical information decoding device can be applied to a device on the statistical data user side who wants to use statistical data. With this configuration, the device on the service provider side can encrypt the user data used in the service using the public key that it discloses and store it in the cloud database. The device on the cloud database administrator side can perform statistical processing on encrypted data encrypted using different public keys of different services and store the encrypted data in the database. Then, if the statistical data user side device discloses the public key for distributed decryption associated with the secret key for distributed decryption for decrypting such encrypted statistical data, the encrypted statistical data Statistical data can be obtained by distributed decoding. Therefore, the apparatus on the service provider side need not perform a process of calculating the statistical data by once decrypting the encrypted data in order to provide the statistical information of the user data. As a result, the load on the device on the service provider side is reduced. Furthermore, since it is not necessary for the device on the service provider side to once decrypt the encrypted data, it is not necessary to take measures to prevent user data leakage. Further, the device on the cloud database side can perform such statistical data calculation processing without decrypting the encrypted data into the original data. As a result, the original data is not leaked to the cloud database administrator.

In the description of each embodiment of the present invention described above, each functional block of the encrypted statistical processing system and the decryption system is different from each other (ie, key generation device, proxy device, encrypted statistical data generation device, distributed decryption). Device and statistical information decoding device). However, these functional blocks may be configured by one computer device. Alternatively, these functional blocks may be distributed to a plurality of apparatuses in a combination different from each embodiment of the present invention.

For example, at least a part or all of the N key generation devices may be realized by the same computer device. Further, at least a part or all of the N proxy devices may be realized by the same computer device. Further, at least part or all of the L distributed decoding devices may be realized by the same computer device. Further, the statistical information decoding apparatus may be realized by the same computer apparatus as any one of the distributed decoding apparatuses. Further, at least part or all of the N encrypted data storage devices may be realized by the same computer device. Further, at least a part or all of the N encrypted data storage devices may be realized by the physically same storage device. Further, at least a part of functional blocks of the encrypted statistical processing system and at least a part of functional blocks of the decryption system may be arranged in the same computer apparatus. Further, the encrypted statistical processing system may be realized by one computer device, and the decryption system may be realized by one computer device.

In each embodiment of the present invention described above, the operation of each device described with reference to each flowchart is stored as a computer program of the present invention in a storage device (storage medium) of the computer device, and the computer The program may be read and executed by the CPU. In such a case, the present invention is realized by a code of the computer program or a storage medium storing the code.

In one embodiment of the present invention, the decryption system of the present invention includes a distributed decryption key holding unit that holds a public key for distributed decryption and a secret key for distributed decryption, and one or more secret keys for distributed decryption. A partial decryption result is obtained by partially decrypting the encrypted statistical data generated by the encrypted statistical processing system using the entire public key that generates encrypted information that can be distributed and decrypted using the secret key for distributed decryption. The statistical information on the original data before the encryption of one or more of the encrypted data is acquired based on the partial decryption results obtained by the distributed decryption means for outputting and the one or more of the distributed decryption means Statistical information decoding means.

In one embodiment of the present invention, the proxy device of the present invention converts encrypted data encrypted by the public key into the re-encrypted data using the proxy key generated by the key generation device. Re-encrypting means for conversion is provided.

In one embodiment of the present invention, the encrypted statistical data generation apparatus of the present invention has one or more encrypted data encrypted by the public key held in one or more of the key generation apparatuses. By performing an operation using the homomorphism on one or more re-encrypted data respectively converted by one or more proxy devices respectively corresponding to the one or more key generation devices Encrypted statistical data generating means for generating encrypted statistical data that can be decrypted into statistical information relating to original data before the one or more encrypted data is encrypted.

In one embodiment of the present invention, the decryption method of the present invention partially decrypts encrypted statistical data generated by executing the encrypted statistical processing method, using the distributed decryption secret key. Thus, a partial decryption result is output, and the statistical information on the original data before the one or more encrypted data is encrypted is acquired based on the one or more partial decryption results.

Also, the above-described embodiments can be implemented in appropriate combination.

Further, the present invention is not limited to the above-described embodiments, and can be implemented in various modes.

As mentioned above, although this invention was demonstrated with reference to embodiment, this invention is not limited to the said embodiment. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

Further, a part or all of the above-described embodiments can be described as in the following supplementary notes, but is not limited to the following.

(Appendix 1)
A key holding means for holding a public key and a secret key of a cryptographic method having homomorphism, and
An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
A proxy key for converting encrypted data encrypted using the public key into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys, the secret key, and the entire public key Proxy key generation means for generating based on
Re-encryption means for converting encrypted data encrypted by the public key into the re-encrypted data using the proxy key;
Utilizing the homomorphism with respect to one or more re-encrypted data obtained by converting one or more encrypted data respectively encrypted with one or more public keys by the re-encryption means Encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information on the original data before the encrypted data is encrypted,
Encryption statistical processing system with

(Appendix 2)
The proxy key generation means generates a random number, whereby the encrypted data encrypted with the public key can be decrypted with an integration secret key that can be generated based on the one or more random numbers. Random number encryption information generated by generating an integration conversion key to be converted into encrypted data based on the one or more random numbers and the private key, and encrypting the generated conversion key and the random number with the entire public key Generating information including the proxy key,
The re-encryption means converts the encrypted data into the re-encrypted data for integration using the integration conversion key, and based on the one or more random number encryption information, the integration secret key Generates the integration secret key encryption information encrypted with the entire public key, and uses the integration re-encrypted data and the information including the integration secret key encryption information as the re-encryption data. Generate and
The encrypted statistical data generating means is a re-encryption for integration which is a result of performing an operation using the homomorphism on the re-encrypted data for integration included in one or more of the re-encrypted data The encrypted statistical processing system according to appendix 1, wherein information including a data calculation result and the integration secret key encryption information is generated as the encrypted statistical data.

(Appendix 3)
The re-encryption means holds a proxy public key and a proxy secret key,
The proxy key generation means uses the proxy secret key to convert the integration conversion key into the integration conversion key based on information obtained by encrypting the one or more random numbers using the proxy public key and the secret key. By generating decryptable integration conversion key encryption information, information including the integration conversion key encryption information and the random number encryption information is generated as the proxy key,
The re-encryption means acquires the integration conversion key by decrypting the integration conversion key encryption information included in the proxy key using the proxy secret key, and acquires the acquired integration conversion key. The encrypted statistical processing system according to appendix 2, wherein the encrypted data is converted into the re-encrypted data for integration.

(Appendix 4)
A distributed decryption key holding means for holding a distributed decryption public key and a distributed decryption secret key;
A cipher generated by the encryption statistical processing system according to any one of appendix 1 to appendix 3, using an entire public key that generates encrypted information that can be distributed and decrypted by one or more private keys for distributed decryption Distributed decryption means for outputting a partial decryption result by partially decrypting the statistical data using the secret key for distributed decryption,
Statistical information decryption means for obtaining the statistical information on the original data before one or more of the encrypted data is encrypted based on the partial decryption results obtained by one or more of the distributed decryption means;
A decryption system.

(Appendix 5)
When the encryption statistical data generated by the encryption statistical processing system includes the integration secret key encryption information,
The distributed decryption means generates the partial decryption result by decrypting the integrated secret key encryption information using the distributed decryption secret key;
The statistical information decryption means acquires the integration secret key as a decryption result based on one or more partial decryption results, and uses the acquired integration secret key to re-integrate the integration re-key included in the encrypted statistical data. The decryption system according to appendix 4, wherein the statistical information about the original data is obtained by decrypting an encrypted data calculation result.

(Appendix 6)
A key holding means for holding a public key and a secret key of a cryptographic method having homomorphism, and
An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
A proxy key for converting encrypted data encrypted using the public key into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys, the secret key, and the entire public key Proxy key generation means for generating based on
A key generation device comprising:

(Appendix 7)
A proxy apparatus comprising re-encryption means for converting encrypted data encrypted with the public key into the re-encrypted data using a proxy key generated by the key generation apparatus according to attachment 6.

(Appendix 8)
One or more encrypted data respectively encrypted with the public key held in one or more key generation devices according to supplementary note 6 are one or more corresponding to the one or more key generation devices, respectively. The one or more encrypted data is encrypted by performing an operation using the homomorphism on the one or more re-encrypted data respectively converted by the proxy device according to appendix 7. An encrypted statistical data generation device comprising encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information relating to the original data prior to processing.

(Appendix 9)
A distributed decryption key holding means for holding a distributed decryption public key and a distributed decryption secret key;
Any one of appendix 1 to appendix 3 using an entire public key that generates encrypted information that can be distributed and decrypted by using one or more distributed decryption secret keys including the distributed decryption secret key held in its own device Distributed decryption means for outputting a partial decryption result by partially decrypting encrypted statistical data generated by the encrypted statistical processing system according to any one of the above using the distributed decryption secret key;
A distributed decoding apparatus comprising:

(Appendix 10)
The statistical information on the original data before the one or more encrypted data is encrypted is acquired based on the partial decryption results respectively obtained by the one or more distributed decryption devices according to Supplementary Note 9. A statistical information decoding device comprising statistical information decoding means.

(Appendix 11)
Obtain an entire public key that generates encrypted information that can be distributed and decrypted with one or more private keys for distributed decryption,
A proxy key for converting encrypted data encrypted using a public key of an encryption method having homomorphism into re-encrypted data that can be distributed and decrypted by the one or more secret keys for distributed decryption. Generated based on the private key corresponding to the key and the entire public key,
Using the proxy key, the encrypted data encrypted with the public key is converted into the re-encrypted data,
By performing an operation using the homomorphism on one or more re-encrypted data converted from one or more encrypted data respectively encrypted by one or more public keys An encryption statistical processing method for generating encrypted statistical data that can be decrypted into statistical information relating to original data before one or more of the encrypted data is encrypted.

(Appendix 12)
A partial decryption result is output by partially decrypting encrypted statistical data generated by executing the encrypted statistical processing method according to appendix 11, using the distributed decryption secret key,
The decryption method, wherein the statistical information on the original data before the one or more encrypted data is encrypted is acquired based on the one or more partial decryption results.

(Appendix 13)
Computer
An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
A proxy key for converting encrypted data encrypted using a public key of an encryption method having homomorphism into re-encrypted data that can be distributed and decrypted by the one or more secret keys for distributed decryption. Proxy key generation means for generating a secret key corresponding to the key and the entire public key;
Re-encryption means for converting encrypted data encrypted by the public key into the re-encrypted data using the proxy key;
By performing an operation using the homomorphism on one or more re-encrypted data converted from one or more encrypted data respectively encrypted by one or more public keys Encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information on the original data before the one or more encrypted data is encrypted;
Encrypted statistical processing program that operates as

(Appendix 14)
Computer
A distributed decryption means for outputting a partial decryption result by partially decrypting encrypted statistical data generated by executing the encrypted statistical processing program according to attachment 13, using the distributed decryption secret key;
Statistical information decryption means for obtaining the statistical information on the original data before the one or more encrypted data are encrypted based on one or more partial decryption results;
Decryption program that operates as

This application claims priority based on Japanese Patent Application No. 2012-156041 filed on July 12, 2012, the entire disclosure of which is incorporated herein.

1, 3 Encryption statistical processing system 2, 4 Decryption system 100, 130 Key generation device 101 Key holding unit 102 Overall public key acquisition unit 103, 133 Proxy key generation unit 200, 230 Proxy device 201, 231 Re-encryption unit 232 Proxy Key holding unit 300, 330 Encrypted statistical data generation device 301, 331 Encrypted statistical data generation unit 400, 430 Distributed decryption device 401 Distributed decryption key holding unit 402, 432 Distributed decryption unit 500, 530 Statistical information decryption device 501, 531 Statistical information decryption unit 700 Data registration device 800 Encrypted data storage device 900 Encrypted statistical data storage device

Claims (10)

1. A key holding means for holding a public key and a secret key of a cryptographic method having homomorphism, and
   An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
   A proxy key for converting encrypted data encrypted using the public key into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys, the secret key, and the entire public key Proxy key generation means for generating based on
   Re-encryption means for converting encrypted data encrypted by the public key into the re-encrypted data using the proxy key;
   Utilizing the homomorphism with respect to one or more re-encrypted data obtained by converting one or more encrypted data respectively encrypted with one or more public keys by the re-encryption means Encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information on the original data before the encrypted data is encrypted,
   Encryption statistical processing system with
2. The proxy key generation means generates a random number, whereby the encrypted data encrypted with the public key can be decrypted with an integration secret key that can be generated based on the one or more random numbers. Random number encryption information generated by generating an integration conversion key to be converted into encrypted data based on the one or more random numbers and the private key, and encrypting the generated conversion key and the random number with the entire public key Generating information including the proxy key,
   The re-encryption means converts the encrypted data into the re-encrypted data for integration using the integration conversion key, and based on the one or more random number encryption information, the integration secret key Generates the integration secret key encryption information encrypted with the entire public key, and uses the integration re-encrypted data and the information including the integration secret key encryption information as the re-encryption data. Generate and
   The encrypted statistical data generating means is a re-encryption for integration which is a result of performing an operation using the homomorphism on the re-encrypted data for integration included in one or more of the re-encrypted data 2. The encrypted statistical processing system according to claim 1, wherein information including a data operation result and the integration secret key encryption information is generated as the encrypted statistical data.
3. A distributed decryption key holding means for holding a distributed decryption public key and a distributed decryption secret key;
   The encrypted statistical data generated by the encrypted statistical processing system according to claim 1 or 2, using an entire public key that generates encrypted information that can be distributed and decrypted by using one or more of the secret keys for distributed decryption. A partial decryption means for outputting a partial decryption result by partial decryption using the distributed decryption secret key;
   Statistical information decryption means for obtaining the statistical information on the original data before one or more of the encrypted data is encrypted based on the partial decryption results obtained by one or more of the distributed decryption means;
   A decryption system.
4. The encrypted statistical data generated by the encrypted statistical processing system includes the integration secret key encryption information,
   The distributed decryption means generates the partial decryption result by decrypting the integrated secret key encryption information using the distributed decryption secret key;
   The statistical information decryption means acquires the integration secret key as a decryption result based on one or more partial decryption results, and uses the acquired integration secret key to re-integrate the integration re-key included in the encrypted statistical data. The decryption system according to claim 3, wherein the statistical information on the original data is obtained by decrypting an encrypted data operation result.
5. A key holding means for holding a public key and a secret key of a cryptographic method having homomorphism, and
   An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
   A proxy key for converting encrypted data encrypted using the public key into re-encrypted data that can be distributed and decrypted by the one or more distributed decryption secret keys, the secret key, and the entire public key Proxy key generation means for generating based on
   A key generation device comprising:
6. A proxy apparatus comprising re-encryption means for converting encrypted data encrypted by the public key into the re-encrypted data, using the proxy key generated by the key generation apparatus according to claim 5.
7. One or more encrypted data respectively encrypted with the public key held in one or more key generation devices according to claim 5, respectively corresponding to the one or more key generation devices The computation using the homomorphism is performed on the one or more re-encrypted data respectively converted by the proxy device according to claim 6 so that the one or more encrypted data are encrypted. An encrypted statistical data generation device comprising encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information relating to original data before being converted into data.
8. Obtain an entire public key that generates encrypted information that can be distributed and decrypted with one or more private keys for distributed decryption,
   A proxy key for converting encrypted data encrypted using a public key of an encryption method having homomorphism into re-encrypted data that can be distributed and decrypted by the one or more secret keys for distributed decryption. Generated based on the private key corresponding to the key and the entire public key,
   Using the proxy key, the encrypted data encrypted with the public key is converted into the re-encrypted data,
   By performing an operation using the homomorphism on one or more re-encrypted data converted from one or more encrypted data respectively encrypted by one or more public keys An encryption statistical processing method for generating encrypted statistical data that can be decrypted into statistical information relating to original data before one or more of the encrypted data is encrypted.
9. A partial decryption result is output by partially decrypting encrypted statistical data generated by executing the encryption statistical processing method according to claim 8 using the secret key for distributed decryption,
   The decryption method, wherein the statistical information on the original data before the one or more encrypted data is encrypted is acquired based on the one or more partial decryption results.
10. Computer
    An overall public key acquisition means for acquiring an entire public key for generating encrypted information that can be distributed and decrypted by one or more distributed decryption secret keys;
    A proxy key for converting encrypted data encrypted using a public key of an encryption method having homomorphism into re-encrypted data that can be distributed and decrypted by the one or more secret keys for distributed decryption. Proxy key generation means for generating a secret key corresponding to the key and the entire public key;
    Re-encryption means for converting encrypted data encrypted by the public key into the re-encrypted data using the proxy key;
    By performing an operation using the homomorphism on one or more re-encrypted data converted from one or more encrypted data respectively encrypted by one or more public keys Encrypted statistical data generation means for generating encrypted statistical data that can be decrypted into statistical information on the original data before the one or more encrypted data is encrypted;
    Encrypted statistical processing program that operates as

Images