JP2008124988A - Public key encryption method, encrypting device, decoding device, public key encryption system, program, and recording medium - Google Patents


Info

Publication number
JP2008124988A
Authority
JP
Japan
Prior art keywords
key
unit
ciphertext
plaintext
encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
JP2006309155A
Other languages
Japanese (ja)
Other versions
JP4861134B2 (en
Inventor
Tatsuaki Okamoto
龍明 岡本
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Priority to JP2006309155A priority Critical patent/JP4861134B2/en
Publication of JP2008124988A publication Critical patent/JP2008124988A/en
Application granted granted Critical
Publication of JP4861134B2 publication Critical patent/JP4861134B2/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

PROBLEM TO BE SOLVED: To provide an encryption method which can verify validity of a ciphertext only by public information with comparatively less computational complexity.

SOLUTION: The public key encryption method can verify validity of a ciphertext only by public information, using a secret key of a one-time signature as a random number of a public key encryption, and attain an efficient encryption scheme. In an encryption step, a public key PK of a decoding device is obtained and a random number R is selected. The random number R is used for a secret key of the one-time signature and a public key encryption. A signature verification key U is calculated, w is obtained by encrypting a plain text m, a signature Σ is created using the random number R, and a ciphertext (U, w, Σ) is obtained. In a decoding step, the ciphertext (U, w, Σ) is received, and it is verified that Σ is a valid signature for (U, w) using the signature verification key U. When the verification is successful, a plain text m is obtained from (U, w) using a secret key SK.

COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to a public key encryption method, an encryption device, a decryption device, a public key encryption system, a program, and a recording medium.

Conventionally, many public key cryptosystems with high security (secure even against active attacks) have been proposed. Most of these cryptosystems verify the validity of a ciphertext (whether the ciphertext was created from a plaintext by a legitimate procedure) using the recipient's secret key (Non-Patent Document 1, Non-Patent Document 2). For example, when such a cryptosystem is used in a system in which the recipient's secret key is held in distributed form and decryption is performed by distributed processing, the ciphertext must be decrypted in order to verify its validity. In other words, the validity of the ciphertext cannot be determined without performing the enormous computation required for decryption, and if the ciphertext is judged to be invalid, that computation is wasted. Therefore, in systems such as those that hold the recipient's secret key in distributed form, it is important that the validity of a ciphertext can be verified using only public information.

As a method of verifying the validity of a ciphertext using only public information, there is a method that performs pairing operations (Non-Patent Document 3). However, decryption that performs pairing operations requires a large amount of computation compared with decryption in a cryptosystem that uses ordinary elliptic curves.

Non-Patent Document 1: M. Bellare and P. Rogaway, “Optimal asymmetric encryption”, In Advances in Cryptology-Eurocrypt'94, LNCS, Springer-Verlag, pp.92-111, 1994.
Non-Patent Document 2: R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack”, In Advances in Cryptology-Crypto'98, LNCS, Springer-Verlag, pp.13-25, 1998.
Non-Patent Document 3: X. Boyen, Q. Mei, and B. Waters, “Direct Chosen Ciphertext Security from Identity-Based Techniques”, the proceedings of 12th ACM Conference on Computer and Communications Security-CCS 2005, 2005.

An object of the present invention is to provide an encryption scheme (one that does not use pairing) that can verify the validity of a ciphertext using only public information and that is efficient (requires comparatively little computation).

In the public key encryption method of the present invention, the secret key of a one-time signature is also used as the random number of the public key encryption. This realizes an efficient encryption scheme in which the validity of a ciphertext can be verified using only public information.

The basic concept is explained below. First, let f and h be one-way functions and let m be a plaintext. The public key encryption method of the present invention has a publishing step, an encryption step, and a decryption step. In the publishing step, the decryption device generates a secret key SK and a public key PK in advance and publishes the public key PK. In the encryption step, the encryption device acquires the public key PK of the decryption device and selects a random number R. The random number R is both the secret key of a one-time signature and the random number used for the public key encryption. The encryption device computes the signature verification key $U = f(R)$, computes $w = h(PK, R, m)$, creates the signature Σ using the random number R, and sends the ciphertext (U, w, Σ) to the decryption device. In the decryption step, the decryption device receives the ciphertext (U, w, Σ), verifies with the signature verification key U that Σ is a correct signature for (U, w), and, if the verification succeeds, obtains the plaintext m from (U, w) using the secret key SK.

As a first specific example, let G be a finite group of order p in which the discrete logarithm problem is hard, let $g_1$ and $g_2$ be generators of G, let $x \in \{0, 1, \ldots, p-1\}$, and let H be a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$. The encryption device uses r1, r2, t1, t2, selected at random from $\{0, 1, \ldots, p-1\}$, as the random number R. It uses $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ as the signature verification key U, and uses $y_1^{r1} y_2^{r2}$ as the key (PK, R) for encrypting the plaintext. As the signature Σ it uses $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$. The decryption device verifies the validity of the ciphertext by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds. If it holds, the ciphertext is decrypted into the plaintext using $u^x$ as the key.

As a second specific example, let G be a finite group of order p in which the discrete logarithm problem is hard, let $g_1$ and $g_2$ be generators of G, let $x, s \in \{0, 1, \ldots, p-1\}$, and let H be a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$. The encryption device uses r1, r2, t1, t2, selected at random from $\{0, 1, \ldots, p-1\}$, as the random number R. It uses $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ as the signature verification key U, and uses $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$ as the key (PK, R) for encrypting the plaintext. As the signature Σ it uses $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$. The decryption device verifies the validity of the ciphertext by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds. If it holds, the ciphertext is decrypted into the plaintext using $u^x v^s$ as the key.

As a third specific example, let G be a finite group of order p in which the discrete logarithm problem is hard, let $g_1$ and $g_2$ be generators of G, let $x, s \in \{0, 1, \ldots, p-1\}$, let H be a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, and let G be a predetermined mapping from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$. The encryption device uses r1, r2, t1, t2, selected at random from $\{0, 1, \ldots, p-1\}$, as the random number R. It uses $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ as the signature verification key U, and uses $y_1^{r1+G(u,v)\,t1}\, y_2^{r2+G(u,v)\,t2}$ as the key (PK, R) for encrypting the plaintext. As the signature Σ it uses $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$. The decryption device verifies the validity of the ciphertext by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds. If it holds, the ciphertext is decrypted into the plaintext using $u^x v^{G(u,v)\,x}$ as the key.

According to the public key encryption method of the present invention, the secret key of a one-time signature is also used as the random number of the public key encryption, so if appropriate functions are selected, the validity of a ciphertext can be verified using only public information. In addition, since pairing need not be used, an efficient encryption scheme can be realized.

Embodiments of the present invention will be described below with reference to the drawings.
[First Embodiment]
FIG. 1 shows a functional configuration example of the encryption device according to the first embodiment of the present invention, and FIG. 2 shows the flow of encryption processing. FIG. 3 shows a functional configuration example of the decryption device according to the first embodiment of the present invention, and FIG. 4 shows the flow of decryption processing. The encryption device 100 includes a public key acquisition unit 110, a signature verification key calculation unit 120, a plaintext encryption unit 130, a signature calculation unit 140, a ciphertext transmission unit 150, and a recording unit 190. The decryption device 200 includes a ciphertext receiving unit 210, a signature verification unit 220, a plaintext decryption unit 230, a secret key / public key generation unit 270, a public key disclosure unit 280, and a recording unit 290. Also, let f and h be one-way functions and let m be a plaintext.

In the decryption device 200, the secret key / public key generation unit 270 generates the secret key SK and the public key PK in advance and records them in the recording unit 290. The public key disclosure unit 280 then publishes the public key PK. The plaintext m is recorded in advance in the recording unit 190 of the encryption device 100.

In the encryption device 100, the public key acquisition unit 110 acquires the public key PK of the decryption device 200 (S110). The public key PK is recorded in the recording unit 190 as necessary. The signature verification key calculation unit 120 randomly selects a signature generation key R (a random number) and computes the signature verification key $U = f(R)$ (S120). The signature generation key R is both the secret key of a one-time signature and the random number used for the public key encryption. The plaintext encryption unit 130 uses the public key PK and the signature generation key R (using the signature generation key R as the random number of the public key encryption) to obtain $w = h(PK, R, m)$ (S130). The signature calculation unit 140 generates a signature Σ on (information including) U and w using the signature generation key R (S140). The ciphertext transmission unit 150 transmits (U, w, Σ) to the decryption device 200 as the ciphertext (S150).

In the decryption device 200, the ciphertext receiving unit 210 receives the ciphertext (U, w, Σ) from the encryption device 100 (S210). The signature verification unit 220 verifies, using the signature verification key U, that the signature Σ is a correct signature for (U, w) (S220). If the verification succeeds, the plaintext decryption unit 230 obtains the plaintext m from (U, w) using the secret key SK (S230). If the verification fails, the decryption processing ends.

Note that if the encryption device 100 and the decryption device 200 record a part of U, only the remaining part of U needs to be generated in each individual encryption process, so a speed-up of the encryption processing can be expected.
Because the secret key of a one-time signature is also used as the random number of the public key encryption in this way, the validity of a ciphertext can be verified using only public information. In addition, since pairing need not be used, an efficient encryption scheme can be realized.

[Second Embodiment]
First, some symbols used in the second embodiment are explained. The second embodiment uses a finite group G in which the discrete logarithm problem is hard. Let p be the order of the finite group G. Specific examples of the finite group G include elliptic curve cryptography (Tatsuaki Okamoto, Hiroshi Yamamoto, “Contemporary Cryptography”, Industrial Books, pp.119-123.). Let $g_1$ and $g_2$ be generators of G, and let the secret key be $x \in \{0, 1, \ldots, p-1\}$. Also, let H be a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$. For H, a one-way function such as a hash function may be used, for example. Let m be a plaintext, let SymEnc(K, m) be a common key encryption function that encrypts the plaintext m using the key K, and let SymDec(K, c) be a common key decryption function that decrypts the ciphertext c using the key K.

FIG. 5 shows a functional configuration example of the encryption device according to the second embodiment, and FIG. 6 shows the flow of encryption processing. FIG. 7 shows a functional configuration example of the decryption device according to the second embodiment, and FIG. 8 shows the flow of decryption processing. The encryption device 300 includes a public key acquisition unit 310, a power operation unit 320, a plaintext encryption unit 330, a signature calculation unit 340, a ciphertext transmission unit 350, and a recording unit 390. The signature calculation unit 340 includes an H calculation means 341 and a remainder addition means 342. The decryption device 400 includes a ciphertext receiving unit 410, a signature verification unit 420, a plaintext decryption unit 430, a secret key / public key generation unit 470, a public key disclosure unit 480, and a recording unit 490. The plaintext decryption unit 430 includes a power operation means 431 and a decryption means 432.

In the decryption device 400, the secret key / public key generation unit 470 generates the secret key x in advance and records it in the recording unit 490. The secret key / public key generation unit 470 also selects $g_1$ and $g_2$, computes $y_1 = g_1^{x}$ and $y_2 = g_2^{x}$, and records $(g_1, g_2, y_1, y_2)$ in the recording unit 490 as the public key. The public key disclosure unit 480 publishes the public key $(g_1, g_2, y_1, y_2)$. The plaintext m is recorded in advance in the recording unit 390 of the encryption device 300.

In the encryption device 300, the public key acquisition unit 310 acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device 400 (S310). The public key $(g_1, g_2, y_1, y_2)$ is recorded in the recording unit 390. The power operation unit 320 randomly selects signature generation keys r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and computes $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ (S320). The power operation unit 320 also computes $y_1^{r1} y_2^{r2}$. Here (u, v) is the signature verification key and $y_1^{r1} y_2^{r2}$ is the key of the common key encryption function SymEnc. The signature generation key (r1, r2, t1, t2) is both the secret key of a one-time signature and the random number used for the public key encryption. The plaintext encryption unit 330 obtains w by computing $w = SymEnc(y_1^{r1} y_2^{r2}, m)$ (S330). In the signature calculation unit 340, the H calculation means 341 computes $H(u,v,w)$ (S341). The remainder addition means 342 computes $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and generates the signature (σ1, σ2) (S342). In this process, the signature generation key (r1, r2, t1, t2) is used as the secret key of the one-time signature. The ciphertext transmission unit 350 transmits (u, v, w, σ1, σ2) to the decryption device 400 as the ciphertext (S350).

In the decryption device 400, the ciphertext receiving unit 410 receives the ciphertext (u, v, w, σ1, σ2) from the encryption device 300 (S410). The signature verification unit 420 verifies that the signature (σ1, σ2) is a correct signature for (u, v, w) (that is, the validity of the ciphertext) by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds (S420). If it holds, the power operation means of the plaintext decryption unit 430 computes $u^x$ (S431). The decryption means 432 then computes $m = SymDec(u^x, w)$ and obtains the plaintext m (S432). If the equation of step S420 does not hold, the decryption processing ends.

The following shows that encryption and decryption are performed correctly by the above processing. If u, v, σ1, and σ2 have been created correctly, the equation of step S420 (the equation that verifies the validity of the ciphertext) holds as follows.

$$
\begin{aligned}
u\,v^{H(u,v,w)} &= g_1^{r1} g_2^{r2}\,\bigl(g_1^{t1} g_2^{t2}\bigr)^{H(u,v,w)} \\
&= g_1^{r1+H(u,v,w)\,t1}\; g_2^{r2+H(u,v,w)\,t2} \\
&= g_1^{\sigma1} g_2^{\sigma2}
\end{aligned}
$$

If this equation holds, the key $y_1^{r1} y_2^{r2}$ of the common key encryption function $SymEnc(y_1^{r1} y_2^{r2}, m)$ used in step S330 can be rewritten as follows.

$$
\begin{aligned}
y_1^{r1} y_2^{r2} &= g_1^{x\,r1} g_2^{x\,r2} \\
&= \bigl(g_1^{r1} g_2^{r2}\bigr)^{x} \\
&= u^{x}
\end{aligned}
$$

That is, the key $u^x$ of the common key decryption function $SymDec(u^x, c)$ used in step S432 is the same as the key of the common key encryption function $SymEnc(y_1^{r1} y_2^{r2}, m)$. Therefore, encryption and decryption are performed correctly by the above processing.

Note that if the encryption device 300 and the decryption device 400 record one of u and v, and only the other of u and v is generated in each individual encryption process, a speed-up of the encryption processing can be expected.
Because the secret key of a one-time signature is also used as the random number of the public key encryption in this way, the validity of a ciphertext can be verified using only public information. In addition, since pairing need not be used, an efficient encryption scheme can be realized.

[Modification 1]
In Modification 1 of the second embodiment, $s \in \{0, 1, \ldots, p-1\}$ is additionally used as a secret key of the decryption device. The meanings of the other symbols are the same as in the second embodiment.

FIG. 9 shows a functional configuration example of the encryption device according to Modification 1, and FIG. 10 shows the flow of encryption processing. FIG. 11 shows a functional configuration example of the decryption device according to Modification 1, and FIG. 12 shows the flow of decryption processing. The encryption device 500 includes a public key acquisition unit 510, a power operation unit 520, a plaintext encryption unit 530, a signature calculation unit 540, a ciphertext transmission unit 550, and a recording unit 590. The signature calculation unit 540 includes an H calculation means 541 and a remainder addition means 542. The decryption device 600 includes a ciphertext receiving unit 610, a signature verification unit 620, a plaintext decryption unit 630, a secret key / public key generation unit 670, a public key disclosure unit 680, and a recording unit 690. The plaintext decryption unit 630 includes a power operation means 631 and a decryption means 632.

In the decryption device 600, the secret key / public key generation unit 670 generates the secret keys x and s in advance and records them in the recording unit 690. The secret key / public key generation unit 670 also selects $g_1$ and $g_2$, computes $y_1 = g_1^{x}$, $y_2 = g_2^{x}$, $z_1 = g_1^{s}$, and $z_2 = g_2^{s}$, and records $(g_1, g_2, y_1, y_2, z_1, z_2)$ in the recording unit 690 as the public key. The public key disclosure unit 680 publishes the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$. The plaintext m is recorded in advance in the recording unit 590 of the encryption device 500.

In the encryption device 500, the public key acquisition unit 510 acquires the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$ of the decryption device 600 (S510). The public key $(g_1, g_2, y_1, y_2, z_1, z_2)$ is recorded in the recording unit 590. The power operation unit 520 randomly selects signature generation keys r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and computes $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ (S520). The power operation unit 520 also computes $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$. Here (u, v) is the signature verification key and $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$ is the key of the common key encryption function SymEnc. The signature generation key (r1, r2, t1, t2) is both the secret key of a one-time signature and the random number used for the public key encryption. The plaintext encryption unit 530 computes $w = SymEnc(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$ and obtains w (S530). In the signature calculation unit 540, the H calculation means 541 computes $H(u,v,w)$ (S541). The remainder addition means 542 computes $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and generates the signature (σ1, σ2) (S542). In this process, the signature generation key (r1, r2, t1, t2) is used as the secret key of the one-time signature. The ciphertext transmission unit 550 transmits (u, v, w, σ1, σ2) to the decryption device 600 as the ciphertext (S550).

In the decryption device 600, the ciphertext receiving unit 610 receives the ciphertext (u, v, w, σ1, σ2) from the encryption device 500 (S610). The signature verification unit 620 verifies that the signature (σ1, σ2) is a correct signature for (u, v, w) (that is, the validity of the ciphertext) by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds (S620). If it holds, the power operation means of the plaintext decryption unit 630 computes $u^x v^s$ (S631). The decryption means 632 then computes $m = SymDec(u^x v^s, w)$ and obtains the plaintext m (S632). If the equation of step S620 does not hold, the decryption processing ends.

The following shows that encryption and decryption are performed correctly by the above processing. If u, v, σ1, and σ2 have been created correctly, the equation of step S620 (the equation that verifies the validity of the ciphertext) holds as follows.

$$
\begin{aligned}
u\,v^{H(u,v,w)} &= g_1^{r1} g_2^{r2}\,\bigl(g_1^{t1} g_2^{t2}\bigr)^{H(u,v,w)} \\
&= g_1^{r1+H(u,v,w)\,t1}\; g_2^{r2+H(u,v,w)\,t2} \\
&= g_1^{\sigma1} g_2^{\sigma2}
\end{aligned}
$$

If this equation holds, the key $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$ of the common key encryption function $SymEnc(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$ used in step S530 can be rewritten as follows.

$$
\begin{aligned}
y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2} &= g_1^{x\,r1} g_2^{x\,r2}\, g_1^{s\,t1} g_2^{s\,t2} \\
&= \bigl(g_1^{r1} g_2^{r2}\bigr)^{x} \bigl(g_1^{t1} g_2^{t2}\bigr)^{s} \\
&= u^{x} v^{s}
\end{aligned}
$$

That is, the key $u^x v^s$ of the common key decryption function $SymDec(u^x v^s, c)$ used in step S632 is the same as the key of the common key encryption function $SymEnc(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$. Therefore, encryption and decryption are performed correctly by the above processing.

Note that if the encryption device 500 and the decryption device 600 record one of u and v, and only the other of u and v is generated in each individual encryption process, a speed-up of the encryption processing can be expected.
In this modification as well, the secret key of a one-time signature is also used as the random number of the public key encryption, so the validity of a ciphertext can be verified using only public information. In addition, since pairing need not be used, an efficient encryption scheme can be realized.
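
The second embodiment and Modification 1, run end to end as an added Python example (not code from the patent): `public_verify` is the check of S420/S620 and uses only the public key, and `modification1=True` adds s, z_1 and z_2. The toy 61-bit Schnorr group, SHA-256 as H, and the XOR keystream standing in for SymEnc/SymDec are assumptions of this example.

```python
import hashlib
import secrets
from collections import namedtuple

P = 2**61 - 1  # group order p (a Mersenne prime); toy size chosen for this example

def is_prime(n):
    """Miller-Rabin; these 13 bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """Smallest prime Q = k*P + 1 and two elements of order P in Z_Q^*."""
    k = 2
    while not is_prime(k * P + 1):
        k += 2
    q = k * P + 1
    # h^k has order dividing the prime P, so any value other than 1 has order P.
    gens = [g for g in (pow(h, k, q) for h in range(2, 50)) if g != 1]
    return q, gens[0], gens[1]

Q, G1, G2 = make_group()

# z1 = z2 = 1 (s = 0) gives the plain second embodiment.
PublicKey = namedtuple("PublicKey", "g1 g2 y1 y2 z1 z2")
Ciphertext = namedtuple("Ciphertext", "u v w s1 s2")  # s1, s2 = sigma1, sigma2

def H(u, v, w):
    """H(u, v, w) -> {0..p-1}; SHA-256 is this example's choice of H."""
    d = hashlib.sha256(f"{u}|{v}|{w.hex()}".encode()).digest()
    return int.from_bytes(d, "big") % P

def sym(key, data):
    """Stand-in for SymEnc/SymDec: XOR with a SHA-256 keystream (demo only)."""
    ks = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def keygen(modification1=False):
    x = 1 + secrets.randbelow(P - 1)
    s = 1 + secrets.randbelow(P - 1) if modification1 else 0
    pk = PublicKey(G1, G2, pow(G1, x, Q), pow(G2, x, Q),
                   pow(G1, s, Q), pow(G2, s, Q))
    return (x, s), pk

def encrypt(pk, m):
    # R = (r1, r2, t1, t2): one-time signing key AND encryption randomness.
    r1, r2, t1, t2 = (secrets.randbelow(P) for _ in range(4))
    u = pow(pk.g1, r1, Q) * pow(pk.g2, r2, Q) % Q
    v = pow(pk.g1, t1, Q) * pow(pk.g2, t2, Q) % Q
    key = (pow(pk.y1, r1, Q) * pow(pk.y2, r2, Q)
           * pow(pk.z1, t1, Q) * pow(pk.z2, t2, Q)) % Q
    w = sym(key, m)
    h = H(u, v, w)
    return Ciphertext(u, v, w, (r1 + h * t1) % P, (r2 + h * t2) % P)

def public_verify(pk, ct):
    """S420/S620: u * v^H(u,v,w) == g1^sigma1 * g2^sigma2; no secret key used."""
    lhs = ct.u * pow(ct.v, H(ct.u, ct.v, ct.w), Q) % Q
    return lhs == pow(pk.g1, ct.s1, Q) * pow(pk.g2, ct.s2, Q) % Q

def decrypt(sk, pk, ct):
    if not public_verify(pk, ct):  # reject before any secret-key exponentiation
        return None
    x, s = sk
    return sym(pow(ct.u, x, Q) * pow(ct.v, s, Q) % Q, ct.w)  # key = u^x v^s

def demo():
    """Constructed sample: an honest ciphertext and one with a flipped bit in w."""
    sk, pk = keygen(modification1=True)
    ct = encrypt(pk, b"constructed sample plaintext")
    forged = ct._replace(w=bytes([ct.w[0] ^ 1]) + ct.w[1:])
    return public_verify(pk, ct), public_verify(pk, forged), decrypt(sk, pk, ct)
```

Any party holding only the public key can call `public_verify`, which is what lets a distributed decryption service discard invalid ciphertexts before its key-share holders do any work.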

[Modification 2]
In Modification 2 of the second embodiment, G is additionally a predetermined mapping from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$. For G as well, a one-way function such as a hash function may be used. The meanings of the other symbols are the same as in the second embodiment.

FIG. 13 shows a functional configuration example of the encryption device of Modification 2, and FIG. 14 shows the flow of its encryption processing. FIG. 15 shows a functional configuration example of the decryption device of Modification 2, and FIG. 16 shows the flow of its decryption processing. The encryption device 700 consists of a public key acquisition unit 710, a power operation unit 720, a plaintext encryption unit 730, a signature calculation unit 740, a ciphertext transmission unit 750, and a recording unit 790. The power operation unit 720 also has G calculation means. The signature calculation unit 740 has H calculation means 741 and remainder addition means 742. The decryption device 800 consists of a ciphertext receiving unit 810, a signature verification unit 820, a plaintext decryption unit 830, a secret key / public key generation unit 870, a public key disclosure unit 880, and a recording unit 890. The plaintext decryption unit 830 has G calculation means 831, power operation means 832, and decryption means 833.

In the decryption device 800, the secret key / public key generation unit 870 generates the secret keys x and s in advance and records them in the recording unit 890. The secret key / public key generation unit 870 also selects $g_1$ and $g_2$, calculates $y_1 = g_1^x$ and $y_2 = g_2^x$, and records $(g_1, g_2, y_1, y_2)$ in the recording unit 890 as the public key. The public key disclosure unit 880 publishes the public key $(g_1, g_2, y_1, y_2)$. The plaintext m is recorded in advance in the recording unit 790 of the encryption device 700.

In the encryption device 700, the public key acquisition unit 710 acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device 800 (S710). The public key $(g_1, g_2, y_1, y_2)$ is recorded in the recording unit 790. The power operation unit 720 randomly selects the signature generation keys r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$ and $v = g_1^{t1} g_2^{t2}$ (S720). The G calculation means 721 of the power operation unit 720 calculates $G(u,v)$. The power operation unit 720 then also calculates $y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}$. Here $(u, v)$ is the signature verification key, and $y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}$ is the key of the common key encryption function SymEnc. The signature generation key (r1, r2, t1, t2) is both the secret key of the one-time signature and the random number used for the public key encryption. The plaintext encryption unit 730 obtains w by calculating $w = \mathrm{SymEnc}(y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}, m)$ (S730). In the signature calculation unit 740, the H calculation means 741 calculates $H(u,v,w)$ (S741). The remainder addition means 742 calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and generates the signature (σ1, σ2) (S742). In this processing, the signature generation key (r1, r2, t1, t2) is used as the secret key of the one-time signature. The ciphertext transmission unit 750 transmits (u, v, w, σ1, σ2) to the decryption device 800 as the ciphertext (S750).

In the decryption device 800, the ciphertext receiving unit 810 receives the ciphertext (u, v, w, σ1, σ2) from the encryption device 700 (S810). The signature verification unit 820 verifies that the signature (σ1, σ2) is a correct signature for (u, v, w) (the validity of the ciphertext) by checking whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds (S820). If it holds, the G calculation means 831 of the plaintext decryption unit 830 calculates $G(u,v)$ (S831), and the power operation means 832 calculates $u^x v^{G(u,v)x}$ (S832). The decryption means 833 then calculates $m = \mathrm{SymDec}(u^x v^{G(u,v)x}, w)$ and obtains the plaintext m (S833). If the expression in step S820 does not hold, the decryption processing ends.

The following shows that encryption and decryption are performed correctly by the processing described above. If u, v, σ1, and σ2 have been created correctly, the expression of step S820 (the expression that verifies the validity of the ciphertext) holds as follows.
$$\begin{aligned}
u\,v^{H(u,v,w)} &= g_1^{r1} g_2^{r2} \left(g_1^{t1} g_2^{t2}\right)^{H(u,v,w)} \\
&= g_1^{r1+H(u,v,w)t1}\, g_2^{r2+H(u,v,w)t2} \\
&= g_1^{\sigma1} g_2^{\sigma2}
\end{aligned}$$
If this expression holds, the key $y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}$ of the common key encryption function $\mathrm{SymEnc}(y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}, m)$ used in step S730 can be transformed as follows.
$$\begin{aligned}
y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2} &= g_1^{x(r1+G(u,v)t1)}\, g_2^{x(r2+G(u,v)t2)} \\
&= \left(g_1^{r1} g_2^{r2}\right)^{x} \left(g_1^{t1} g_2^{t2}\right)^{G(u,v)x} \\
&= u^{x} v^{G(u,v)x}
\end{aligned}$$
That is, the key $u^x v^{G(u,v)x}$ of the common key decryption function $\mathrm{SymDec}(u^x v^{G(u,v)x}, c)$ used in step S832 is the same as the key of the common key encryption function $\mathrm{SymEnc}(y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}, m)$. Therefore, encryption and decryption are performed correctly by the processing described above.
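The Modification 2 procedure (steps S710 to S750 and S810 to S833) and the correctness argument above, as an added Python example that is not code from the patent. The concrete group (squares modulo a toy-sized safe prime Q = 2p + 1), the generators 4 and 9, SHA-256 as the maps H and G, and the XOR keystream standing in for SymEnc/SymDec are all assumptions chosen for illustration.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these twelve bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(start=2**60):
    """Assumed group: find prime p >= start with Q = 2p + 1 prime (toy size)."""
    p = start | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    return p, 2 * p + 1

# P is the group order p of the text; the group is the order-P subgroup of
# squares modulo Q. G1 and G2 are squares other than 1, so both generate it.
P, Q = toy_group()
G1, G2 = 4, 9

def hash_to_zp(tag, *parts):
    """SHA-256 stand-in for the maps H and G: labelled inputs -> {0..P-1}."""
    h = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % P

def H(u, v, w):
    return hash_to_zp(b"H", u, v, w)

def G(u, v):
    return hash_to_zp(b"G", u, v)

def sym_xor(key, data):
    """Toy SymEnc/SymDec (same operation): XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(str(key).encode() + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def keygen():
    x = secrets.randbelow(P - 1) + 1          # secret key x (nonzero here)
    return x, (G1, G2, pow(G1, x, Q), pow(G2, x, Q))

def encrypt(pk, m):
    g1, g2, y1, y2 = pk
    # One-time signing key, reused as the encryption randomness (S720).
    r1, r2, t1, t2 = (secrets.randbelow(P) for _ in range(4))
    u = pow(g1, r1, Q) * pow(g2, r2, Q) % Q
    v = pow(g1, t1, Q) * pow(g2, t2, Q) % Q
    e = G(u, v)
    key = pow(y1, (r1 + e * t1) % P, Q) * pow(y2, (r2 + e * t2) % P, Q) % Q
    w = sym_xor(key, m)                        # S730
    h = H(u, v, w)                             # S741
    return u, v, w, (r1 + h * t1) % P, (r2 + h * t2) % P   # S742, S750

def verify(pk, ct):
    """S820: needs only the public g1, g2, never the secret key."""
    g1, g2 = pk[0], pk[1]
    u, v, w, s1, s2 = ct
    lhs = u * pow(v, H(u, v, w), Q) % Q
    return lhs == pow(g1, s1, Q) * pow(g2, s2, Q) % Q

def decrypt(x, pk, ct):
    if not verify(pk, ct):
        return None                            # reject before touching x
    u, v, w, _, _ = ct
    key = pow(u, x, Q) * pow(v, G(u, v) * x % P, Q) % Q    # S831, S832
    return sym_xor(key, w)                     # S833

if __name__ == "__main__":
    sk, pk = keygen()
    ct = encrypt(pk, b"constructed sample plaintext")
    print("publicly valid:", verify(pk, ct))
    print("decrypted:", decrypt(sk, pk, ct))
    forged = ct[:2] + (bytes([ct[2][0] ^ 1]) + ct[2][1:],) + ct[3:]
    print("tampered w accepted:", verify(pk, forged))
```

Because `verify` takes only the public key, a relay that holds no secret key can drop altered ciphertexts before they reach the decryption device.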

Note that if the encryption device 700 and the decryption device 800 record one of u and v in advance, so that only the other of u and v is generated in each individual encryption process, the encryption processing can be expected to run faster.

Also in this modification, the secret key of the one-time signature is also used as the random number of the public key encryption, so the validity of the ciphertext can be verified using only public information. In addition, since pairing need not be used, an efficient encryption scheme can be realized.

The above embodiments can be implemented by loading a program that executes each step of the above methods into the recording unit 2020 of the computer shown in FIG. 17 and having the control unit 2010, the input unit 2030, the output unit 2040, and so on operate accordingly. Ways of loading the program into the computer include recording the program on a computer-readable recording medium and having the computer read it from that medium, and having the computer read a program stored on a server or the like through a telecommunication line or the like.

A diagram showing a functional configuration example of the encryption device of the first embodiment.
A diagram showing the processing flow of the encryption device of the first embodiment.
A diagram showing a functional configuration example of the decryption device of the first embodiment.
A diagram showing the processing flow of the decryption device of the first embodiment.
A diagram showing a functional configuration example of the encryption device of the second embodiment.
A diagram showing the processing flow of the encryption device of the second embodiment.
A diagram showing a functional configuration example of the decryption device of the second embodiment.
A diagram showing the processing flow of the decryption device of the second embodiment.
A diagram showing a functional configuration example of the encryption device of Modification 1.
A diagram showing the processing flow of the encryption device of Modification 1.
A diagram showing a functional configuration example of the decryption device of Modification 1.
A diagram showing the processing flow of the decryption device of Modification 1.
A diagram showing a functional configuration example of the encryption device of Modification 2.
A diagram showing the processing flow of the encryption device of Modification 2.
A diagram showing a functional configuration example of the decryption device of Modification 2.
A diagram showing the processing flow of the decryption device of Modification 2.
A diagram showing a functional configuration example of a computer.

Claims (18)

Where f and h are one-way functions and m is plaintext, a public key encryption method comprising:
a publication step in which a decryption device generates a secret key SK and a public key PK in advance and publishes the public key PK;
an encryption step in which an encryption device selects a random number R, calculates a signature verification key U = f(R), calculates w = h(PK, R, m), creates a signature Σ using the random number R, and transmits a ciphertext (U, w, Σ); and
a decryption step in which the decryption device receives the ciphertext (U, w, Σ), verifies using the signature verification key U that Σ is a correct signature for (U, w), and, if the verification succeeds, obtains the plaintext m from (U, w) using the secret key SK.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x \in \{0, 1, \ldots, p-1\}$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a public key encryption method comprising:
a publication step in which a decryption device generates a secret key x in advance and records it in a recording unit, selects $g_1$ and $g_2$, calculates $y_1 = g_1^x$ and $y_2 = g_2^x$, records $(g_1, g_2, y_1, y_2)$ in the recording unit, and publishes it as a public key;
an encryption step in which an encryption device randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$, calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2}, m)$, $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$, and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and transmits a ciphertext (u, v, w, σ1, σ2); and
a decryption step in which the decryption device receives the ciphertext (u, v, w, σ1, σ2), verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds, and, if it holds, calculates $m = \mathrm{SymDec}(u^x, w)$ to obtain the plaintext m.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a public key encryption method comprising:
a publication step in which a decryption device generates secret keys x and s in advance and records them in a recording unit, selects $g_1$ and $g_2$, calculates $y_1 = g_1^x$, $y_2 = g_2^x$, $z_1 = g_1^s$, and $z_2 = g_2^s$, records $(g_1, g_2, y_1, y_2, z_1, z_2)$ in the recording unit, and publishes it as a public key;
an encryption step in which an encryption device randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$, calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$, $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$, and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and transmits a ciphertext (u, v, w, σ1, σ2); and
a decryption step in which the decryption device receives the ciphertext (u, v, w, σ1, σ2), verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds, and, if it holds, calculates $m = \mathrm{SymDec}(u^x v^s, w)$ to obtain the plaintext m.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, G is a predetermined mapping from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a public key encryption method comprising:
a publication step in which a decryption device generates secret keys x and s in advance and records them in a recording unit, selects $g_1$ and $g_2$, calculates $y_1 = g_1^x$ and $y_2 = g_2^x$, records $(g_1, g_2, y_1, y_2)$ in the recording unit, and publishes it as a public key;
an encryption step in which an encryption device randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$, calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, $w = \mathrm{SymEnc}(y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}, m)$, $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$, and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$, and transmits a ciphertext (u, v, w, σ1, σ2); and
a decryption step in which the decryption device receives the ciphertext (u, v, w, σ1, σ2), verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds, and, if it holds, calculates $m = \mathrm{SymDec}(u^x v^{G(u,v)x}, w)$ to obtain the plaintext m.
Where f and h are one-way functions and m is plaintext, an encryption device comprising:
a recording unit that records information;
a public key acquisition unit that acquires the public key PK of a decryption device and records it in the recording unit;
a signature verification key calculation unit that selects a random number R and calculates a signature verification key U = f(R);
a plaintext encryption unit that calculates w = h(PK, R, m);
a signature calculation unit that creates a signature Σ using the random number R; and
a ciphertext transmission unit that transmits a ciphertext (U, w, Σ).
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$ and $y_2 = g_2^x$, $(g_1, g_2, y_1, y_2)$ is the public key of a decryption device, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, an encryption device comprising:
a recording unit that records information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device and records it in the recording unit;
a power operation unit that randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, and $y_1^{r1} y_2^{r2}$;
a plaintext encryption unit that calculates $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2}, m)$;
a signature calculation unit that calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$; and
a ciphertext transmission unit that transmits a ciphertext (u, v, w, σ1, σ2).
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, $z_1 = g_1^s$, $z_2 = g_2^s$, $(g_1, g_2, y_1, y_2, z_1, z_2)$ is the public key of a decryption device, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, an encryption device comprising:
a recording unit that records information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$ of the decryption device and records it in the recording unit;
a power operation unit that randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, and $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$;
a plaintext encryption unit that calculates $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$;
a signature calculation unit that calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$; and
a ciphertext transmission unit that transmits a ciphertext (u, v, w, σ1, σ2).
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, $(g_1, g_2, y_1, y_2)$ is the public key of a decryption device, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, G is a predetermined mapping from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, an encryption device comprising:
a recording unit that records information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device and records it in the recording unit;
a power operation unit that randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, and $y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}$;
a plaintext encryption unit that calculates $w = \mathrm{SymEnc}(y_1^{r1+G(u,v)t1}\, y_2^{r2+G(u,v)t2}, m)$;
a signature calculation unit that calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$; and
a ciphertext transmission unit that transmits a ciphertext (u, v, w, σ1, σ2).
Where SK is a secret key, PK is a public key, f and h are one-way functions, R is a random number, U = f(R) is a signature verification key, w = h(PK, R, m) is information obtained by encrypting plaintext m, and Σ is a signature, a decryption device comprising:
a recording unit that records information such as the secret key SK and the public key PK;
a ciphertext receiving unit that receives a ciphertext (U, w, Σ);
a signature verification unit that verifies, using the signature verification key U, that Σ is a correct signature for (U, w); and
a plaintext decryption unit that obtains the plaintext m from (U, w) using the secret key SK.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$ and $y_2 = g_2^x$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a decryption device comprising:
a recording unit that records information such as the secret key x and the public key $(g_1, g_2, y_1, y_2)$;
a ciphertext receiving unit that receives a ciphertext (u, v, w, σ1, σ2);
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds; and
a plaintext decryption unit that calculates $m = \mathrm{SymDec}(u^x, w)$.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, $z_1 = g_1^s$, $z_2 = g_2^s$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a decryption device comprising:
a recording unit that records information such as the secret keys x and s and the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$;
a ciphertext receiving unit that receives a ciphertext (u, v, w, σ1, σ2);
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds; and
a plaintext decryption unit that calculates $m = \mathrm{SymDec}(u^x v^s, w)$.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, G is a predetermined mapping from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a decryption device comprising:
a recording unit that records information such as the secret keys x and s and the public key $(g_1, g_2, y_1, y_2)$;
a ciphertext receiving unit that receives a ciphertext (u, v, w, σ1, σ2);
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds; and
a plaintext decryption unit that calculates $m = \mathrm{SymDec}(u^x v^{G(u,v)x}, w)$.
Where f and h are one-way functions and m is plaintext, a public key encryption system consisting of an encryption device and a decryption device, characterized in that
the encryption device comprises:
an encryption device recording unit that records information;
a public key acquisition unit that acquires the public key PK of the decryption device and records it in the encryption device recording unit;
a signature verification key calculation unit that selects a random number R and calculates a signature verification key U = f(R);
a plaintext encryption unit that calculates w = h(PK, R, m);
a signature calculation unit that creates a signature Σ using the random number R; and
a ciphertext transmission unit that transmits a ciphertext (U, w, Σ),
and the decryption device comprises:
a decryption device recording unit that records information such as the secret key SK and the public key PK;
a ciphertext receiving unit that receives the ciphertext (U, w, Σ);
a signature verification unit that verifies, using the signature verification key U, that Σ is a correct signature for (U, w); and
a plaintext decryption unit that obtains the plaintext m from (U, w) using the secret key SK.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$ and $y_2 = g_2^x$, $(g_1, g_2, y_1, y_2)$ is the public key of the decryption device, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a public key encryption system consisting of an encryption device and a decryption device, characterized in that
the encryption device comprises:
an encryption device recording unit that records information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device and records it in the encryption device recording unit;
a power operation unit that randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, and $y_1^{r1} y_2^{r2}$;
a plaintext encryption unit that calculates $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2}, m)$;
a signature calculation unit that calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$; and
a ciphertext transmission unit that transmits a ciphertext (u, v, w, σ1, σ2),
and the decryption device comprises:
a decryption device recording unit that records information such as the secret key x and the public key $(g_1, g_2, y_1, y_2)$;
a ciphertext receiving unit that receives the ciphertext (u, v, w, σ1, σ2);
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds; and
a plaintext decryption unit that calculates $m = \mathrm{SymDec}(u^x, w)$.
Where G is a finite group of order p in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of G, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, $z_1 = g_1^s$, $z_2 = g_2^s$, $(g_1, g_2, y_1, y_2, z_1, z_2)$ is the public key of the decryption device, H is a predetermined mapping from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, m is plaintext, SymEnc(K, m) is a common key encryption function that encrypts plaintext m using key K, and SymDec(K, c) is a common key decryption function that decrypts ciphertext c using key K, a public key encryption system consisting of an encryption device and a decryption device, characterized in that
the encryption device comprises:
an encryption device recording unit that records information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$ of the decryption device and records it in the encryption device recording unit;
a power operation unit that randomly selects r1, r2, t1, t2 from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r1} g_2^{r2}$, $v = g_1^{t1} g_2^{t2}$, and $y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}$;
a plaintext encryption unit that calculates $w = \mathrm{SymEnc}(y_1^{r1} y_2^{r2} z_1^{t1} z_2^{t2}, m)$;
a signature calculation unit that calculates $\sigma1 = r1 + H(u,v,w)\,t1 \bmod p$ and $\sigma2 = r2 + H(u,v,w)\,t2 \bmod p$; and
a ciphertext transmission unit that transmits a ciphertext (u, v, w, σ1, σ2),
and the decryption device comprises:
a decryption device recording unit that records information such as the secret keys x and s and the public key $(g_1, g_2, y_1, y_2, z_1, z_2)$;
a ciphertext receiving unit that receives the ciphertext (u, v, w, σ1, σ2);
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma1} g_2^{\sigma2}$ holds; and
a plaintext decryption unit that calculates $m = \mathrm{SymDec}(u^x v^s, w)$.
A public key encryption system in which $G$ is a finite group of order $p$ in which the discrete logarithm problem is hard, $g_1$ and $g_2$ are generators of $G$, $x, s \in \{0, 1, \ldots, p-1\}$, $y_1 = g_1^x$, $y_2 = g_2^x$, $(g_1, g_2, y_1, y_2)$ is the public key of the decryption device, $H$ is a predetermined map from $\{0, 1, \ldots, p-1\}^3$ to $\{0, 1, \ldots, p-1\}$, $G$ is a predetermined map from $\{0, 1, \ldots, p-1\}^2$ to $\{0, 1, \ldots, p-1\}$, $m$ is a plaintext, SymEnc(K, m) is a common key encryption function that encrypts the plaintext m using the key K, and SymDec(K, c) is a common key decryption function that decrypts the ciphertext c using the key K,
the system comprising an encryption device and a decryption device, wherein
the encryption device comprises:
an encryption device recording unit for recording information;
a public key acquisition unit that acquires the public key $(g_1, g_2, y_1, y_2)$ of the decryption device and records it in the encryption device recording unit;
a power calculation unit that randomly selects $r_1, r_2, t_1, t_2$ from $\{0, 1, \ldots, p-1\}$ and calculates $u = g_1^{r_1} g_2^{r_2}$, $v = g_1^{t_1} g_2^{t_2}$, and $y_1^{r_1 + G(u,v)\,t_1}\, y_2^{r_2 + G(u,v)\,t_2}$;
a plaintext encryption unit for calculating $w = \mathrm{SymEnc}(y_1^{r_1 + G(u,v)\,t_1}\, y_2^{r_2 + G(u,v)\,t_2}, m)$;
a signature calculation unit that calculates $\sigma_1 = r_1 + H(u,v,w)\,t_1 \bmod p$ and $\sigma_2 = r_2 + H(u,v,w)\,t_2 \bmod p$; and
a ciphertext transmitting unit for transmitting the ciphertext $(u, v, w, \sigma_1, \sigma_2)$;
and the decryption device comprises:
a decryption device recording unit for recording information such as the secret keys $x$ and $s$ and the public key $(g_1, g_2, y_1, y_2)$;
a ciphertext receiving unit for receiving the ciphertext $(u, v, w, \sigma_1, \sigma_2)$;
a signature verification unit that verifies whether $u\,v^{H(u,v,w)} = g_1^{\sigma_1} g_2^{\sigma_2}$ holds; and
a plaintext decryption unit for calculating $m = \mathrm{SymDec}(u^x v^{G(u,v)\,x}, w)$.
A program that causes a computer to implement each component of the device according to any one of claims 5 to 16.
A computer-readable recording medium on which the program according to claim 17 is recorded.
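The last system claim above (session key $y_1^{r_1+G(u,v)t_1} y_2^{r_2+G(u,v)t_2}$, public check $u\,v^{H(u,v,w)} = g_1^{\sigma_1} g_2^{\sigma_2}$), worked through as an added Python example that is not part of the patent text. Assumptions: the toy group parameters, SHA-256 standing in for the maps H and G, an XOR stream standing in for SymEnc/SymDec, the subgroup check, and all function names.

```python
import hashlib, secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime, the squares mod P form the subgroup of prime
# order Q (the claims call this order p), and G1, G2 are two such squares.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H(*parts):
    """Hash to {0,...,Q-1}; stands in for both maps H and G of the claims."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def sym(key, data):
    """Assumed stand-in for SymEnc/SymDec: XOR with a SHA-256 stream (<= 32 bytes)."""
    stream = hashlib.sha256(str(key).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():
    x = secrets.randbelow(Q - 1) + 1                  # secret key x
    return x, (pow(G1, x, P), pow(G2, x, P))          # y1 = g1^x, y2 = g2^x

def encrypt(pk, m, rnd=None):
    y1, y2 = pk
    # rnd lets a test pin r1, r2, t1, t2; normal use draws them fresh.
    r1, r2, t1, t2 = rnd or [secrets.randbelow(Q) for _ in range(4)]
    u = pow(G1, r1, P) * pow(G2, r2, P) % P
    v = pow(G1, t1, P) * pow(G2, t2, P) % P
    g = H(u, v)
    key = pow(y1, (r1 + g * t1) % Q, P) * pow(y2, (r2 + g * t2) % Q, P) % P
    w = sym(key, m)
    h = H(u, v, w)
    return u, v, w, (r1 + h * t1) % Q, (r2 + h * t2) % Q

def verify(ct):
    """Public check, no secret key needed: u * v^H(u,v,w) == g1^s1 * g2^s2."""
    u, v, w, s1, s2 = ct
    # Subgroup membership test is an added hygiene step, not in the claims.
    if not all(0 < e < P and pow(e, Q, P) == 1 for e in (u, v)):
        return False
    return u * pow(v, H(u, v, w), P) % P == pow(G1, s1, P) * pow(G2, s2, P) % P

def decrypt(x, ct):
    if not verify(ct):
        return None                                   # reject before touching x
    u, v, w, _, _ = ct
    return sym(pow(u, x, P) * pow(v, H(u, v) * x % Q, P) % P, w)
```

Because `verify` uses only the public generators and the ciphertext, any intermediary can discard malformed ciphertexts before they reach the holder of `x`.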
JP2006309155A 2006-11-15 2006-11-15 Public key encryption method, encryption device, decryption device, public key encryption system, program, and recording medium Expired - Fee Related JP4861134B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2006309155A JP4861134B2 (en) 2006-11-15 2006-11-15 Public key encryption method, encryption device, decryption device, public key encryption system, program, and recording medium

Publications (2)

Publication Number Publication Date
JP2008124988A JP2008124988A (en) 2008-05-29
JP4861134B2 JP4861134B2 (en) 2012-01-25

Family

ID=39509256

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2006309155A Expired - Fee Related JP4861134B2 (en) 2006-11-15 2006-11-15 Public key encryption method, encryption device, decryption device, public key encryption system, program, and recording medium

Country Status (1)

Country Link
JP (1) JP4861134B2 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0659626A (en) * 1992-08-13 1994-03-04 Nippon Telegr & Teleph Corp <Ntt> Digital signature system
JP2003173139A (en) * 2001-12-05 2003-06-20 Nippon Telegr & Teleph Corp <Ntt> Publicly verifiable encryption apparatus, its decoder, encryption program, and decoding program

Also Published As

Publication number Publication date
JP4861134B2 (en) 2012-01-25

Similar Documents

Publication Publication Date Title
US8429408B2 (en) Masking the output of random number generators in key generation protocols
US7657037B2 (en) Apparatus and method for identity-based encryption within a conventional public-key infrastructure
Rao et al. Efficient attribute-based signature and signcryption realizing expressive access structures
US20100098253A1 (en) Broadcast Identity-Based Encryption
JP2006163164A (en) Id base signature, encryption system, and encryption method
US20150043735A1 (en) Re-encrypted data verification program, re-encryption apparatus and re-encryption system
JP2004208262A (en) Apparatus and method of ring signature based on id employing bilinear pairing
JPWO2006085430A1 (en) Member certificate acquisition device, member certificate issuing device, group signature device, group signature verification device
JP2006109107A (en) Signature formation method, signature verification method, public key distribution method, and information processing apparatus
KR101516114B1 (en) Certificate-based proxy re-encryption method and its system
CN110784314A (en) Certificateless encrypted information processing method
CN113162773A (en) Heterogeneous blind signcryption method capable of proving safety
CN110519226B (en) Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate
Kim et al. An efficient identity-based broadcast signcryption scheme for wireless sensor networks
KR100396740B1 (en) Provably secure public key encryption scheme based on computational diffie-hellman assumption
JP6294882B2 (en) Key storage device, key storage method, and program thereof
CA2742530C (en) Masking the output of random number generators in key generation protocols
Dutta et al. An efficient signcryption scheme based on ECC with forward secrecy and encrypted message authentication
Yang et al. Efficient certificateless encryption withstanding attacks from malicious KGC without using random oracles
JP4563037B2 (en) ENCRYPTION APPARATUS, DECRYPTION APPARATUS, ENCRYPTION SYSTEM HAVING THEM, ENCRYPTION METHOD, AND DECRYPTION METHOD
CN112733176B (en) Identification password encryption method based on global hash
JP4861134B2 (en) Public key encryption method, encryption device, decryption device, public key encryption system, program, and recording medium
JP2002023626A (en) Method for ciphering public key and communication system using public key cryptograph
Yang et al. On the authentication of certificateless RSA public key
Raveendranath et al. Efficient multi-receiver heterogenous signcryption

Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20090105

RD03 Notification of appointment of power of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7423

Effective date: 20110818

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20110823

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20111006

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20111025

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20111104

R150 Certificate of patent or registration of utility model

Ref document number: 4861134

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20141111

Year of fee payment: 3

S531 Written request for registration of change of domicile

Free format text: JAPANESE INTERMEDIATE CODE: R313531

R350 Written notification of registration of transfer

Free format text: JAPANESE INTERMEDIATE CODE: R350

LAPS Cancellation because of no payment of annual fees