JP2010113181A - Key management method, key generation method, encryption processing method, decryption processing method, access control method, communication network system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve the Ateniese file encryption scheme. <P>SOLUTION: An encryption processing system obtained by reconstructing an encryption processing system by combining ID-based cryptography which is highly convenient since the confirmation of the certificate of a public key is not needed and which is Selective-ID CPA Secure and hybrid cryptography of Kurosawa and Desmedt is adopted as an encryption processing system and, in the system, the administrator of a group generates a public key for encryption to be shared in the group. The encryption processing system is adopted wherein an element which is a component of a part of a secret key of the user and set by an integer b of a generator g of a cyclic group is defined to be Q as the public information to be used for transferring the decryption authority of the public key to the secret key distributed to each member of the group with the function of the ID-based cryptography and the value of the integer b is kept secret to the user, and electronic data created for transferring the decryption authority is provided through converting the public information Q. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a method of use such as confidential transmission / reception or sharing of electronic data used on a communication network system, and shares the confidential electronic data with a plurality of users in a specified specific group. Key management method suitable for an information security system in which the electronic data provider of the group encrypts the electronic data and the group user decrypts and uses the electronic data The present invention relates to a decryption authority delegation method, an encryption processing method, an access management method, and a communication network system.

In today's society, public key cryptography for network penetration and communication security and electronic payment has already been put into practical use and supports the information society as an essential fundamental technology.
Electronic data storage devices in which multiple users share electronic data in various organizations and departments are widely used, and it is easy to encrypt and conceal this electronic data using common key encryption, for example, AES. Became available.
In an electronic data storage device using encryption, as shown in Ateniese et.al (2005) Non-Patent Document 1, in consideration of an operation error by the administrator of the electronic data storage device, The electronic data must be handled such that it is not exposed in the electronic data storage device to be used.
Generally, software for managing an electronic data storage device includes NFS (Network File System) in the uinx system and CIFS (Common internet file system) in the windows system. Such management software and storage media such as HDD (hard disk) are combined and used as an electronic data storage device called NAS (Network Access Server).
Since access management for the user to be used is supported only for passwords, security reliability is low. Therefore, in order to avoid a security attack, it is necessary not to have a key management function related to cryptographic processing in the electronic data storage device.
For this reason, in a file encryption system using common key encryption, a common key administrator writes a common key on an electronic medium such as an IC card and distributes it to each user.
In the case of a public key cryptosystem, it is possible to individually distribute different secret keys to users who use it. Even if the secret key is leaked due to an operation error of one user, the leaked electronic data It is possible to avoid the risk of leakage of electronic data of the entire system, which is electronic data related to the user. Further, in the public key cryptosystem, it is possible to specify the creator of the electronic data cryptographically using the electronic signature function. When using this public key cipher as a file cipher, a method of encrypting electronic data with a common key and encrypting and storing this common key with the public key owned by each user is adopted due to the high speed of encryption processing. Is done.
When Bob (the other party user) uses the electronic data encrypted by Alice (sender), Bob decrypts the encrypted electronic data so that it is not exposed in the electronic data storage device as described above. It is necessary to convert to an encryption format that can be provided.

  The method of Patent Document 1 is a method of sending a decryption key to Bob. Since Bob is a method of requesting the common key for decryption from Alice, the common key is stored securely without being encrypted. Then, in accordance with Bob's request, it is necessary to take out this common key or to decrypt and use the common key encrypted by Alice (transmission side). In addition, it is necessary to authenticate whether the request source is Bob. Also, it is safer to encrypt this common key with Bob's key, but this encryption is not mentioned.

The method of Patent Document 2 defines a method of encrypting a common key with Bob's key, which was not described in the method of Patent Document 1. This method is a method of encrypting a common key for encrypting electronic data using a public key owned by Bob.
Cryptographically, if n users Bob-i (1 ≤ i ≤ n) are requested to use the encrypted data, they are authenticated n times as to whether or not the requester is a valid requester. It is necessary to confirm.
Furthermore, when there is a new usage request from another user, it is necessary to encrypt and send a common key for electronic data encryption to this user.
Therefore, even with this method, Alice (the electronic data provider) needs to handle and process the common key for electronic data encryption safely for the user.

In these methods, public key cryptography is used. Regarding the security of public keys, having CCA security is the de facto today. In general, public key cryptography takes time for calculation processing when compared with common key cryptography. Therefore, a method is adopted in which a common key is used for encryption of electronic information, this common key is encrypted with a public key, and the public key is used for key distribution of the common key.
From the viewpoint of preventing information leakage, it is desirable to renew the common key for encrypting this electronic information to some extent frequently. KEM / DEM hybrid ciphers, which are thought to be updating the common key for each encryption process, have been proposed as a method for improving the efficiency of encryption processing using a combination of a common key and public key. Yes. V.Shoup et .al (2004) proposed a reconsideration of Kurosawa and Desmedt's hybrid cipher, and gave a detailed proof by game about the security of the de facto CCA. .
In addition, ID-based cryptography has been proposed as one of the convenient public key cryptosystems. ID-based encryption is an encryption method that uses a user-specific ID, such as a department name, IP address, or telephone number, as a public key, and does not require authentication verification for the public key required by PKI (public key infrastructure). Therefore, it is a method that is very easy for users to use. Practical ID-based ciphers have been studied in various ways since around 2000, when a bilinear operation on elliptic curves called pairing was proposed by Kasahara and D.Boneh et.al. D.Boneh et.al (2004) (Non-Patent Document 3) proposes an ID-based cipher having the security of selective ID CPA, which is slightly weaker than the security of CCA.

G. Ateniese et al (2005) (Non-Patent Document 1) proposed an electronic data storage method using proxy cryptography of a public key with an electronic data storage device as an untrusted device. Proxy cryptograsphy is an encryption technology that converts encrypted data that has been encrypted with the key of a certain user (Alice) into encrypted data so that it can be decrypted with the key of another user (Bob). Several applications are expected for such a function of delegating the decryption authority to another user (Bob).
(1) What to do if Alice loses her private key
(2) Decryption by a legitimate agent other than Alice
The delegation of decryption authority proposed in G. Ateniese's electronic data storage method is a method called a re-encryption scheme based on ElGamal encryption and using bilinear mapping. A method that is the basis of the encrypted data conversion method called proxy cryptography that delegates the decryption authority is the concept of “atomic proxy cryptography” of M. Blaze et.al (1998) (non-patent document 4). M.Blaze et.al examined the function of atomic proxy function in ElGamal cipher that converts ciphertext without converting it back to plaintext.

The G. Ateniese method creates a re-encryption key with conversion information for encrypted electronic data when Alice (electronic data provider) grants Bob (another user) permission to decrypt the electronic data encrypted. And provide. This re-encryption key is created with Bob's (other user) public key and Alice's (electronic data provider's) private key, and is stored and used in the electronic data storage device.
In this method,
(1) Using public key cryptography, between Alice (electronic data provider) and Bob (other users)
This is a method for performing cryptographic operation processing and satisfies the methods described in Patent Documents 1 and 2.
(2) The re-encryption key that converts the ciphertext is created between Alice (electronic data provider) and Bob (other users) and encrypted by Alice (electronic data provider). The common key can be used as encrypted, and the common key for electronic data encryption is not exposed in the electronic data storage device. For this reason, the management of the common key of Alice (electronic data provider) is secure, and it has an effective function not found in Patent Documents 1 and 2.
As described above, the Ateniese method is a method with improved security safety that does not require key management on the electronic data storage device side. However, Ateniese's method is based on ElGamal encryption, which is public key encryption, and requires PKI as in Patent Document 2.
That is, when Alice (electronic data provider) creates a re-encryption key for giving decryption authority to Bob (another user), it is necessary to confirm and obtain Bob's public key through authentication. In addition, the Atenees method leaves room for generating a key other than the re-encryption key created by Alice (electronic data provider) by the collusion attack of the user. For this reason, the re-encryption key is stored in an electronic data storage device that can be trusted with some security, and if there is a usage request from Bob, the re-encryption key is stored in the encrypted data of Alice (electronic data provider). It is necessary to use a method that provides Bob with the data resulting from the proxy operation processing using key, and does not send a re-encryptrion key directly to Bob. Because of this need, Ateniese named the semi-trusted server by assigning semi to the electronic data storage device that stores the re-encryption key and requires some security trust to perform proxy operation processing.

In the re-encryption method of G. Ateniese et al (2005) (Non-Patent Document 1), while considering file encryption, using Tate-paring (a type of bilinear mapping on an elliptic curve), A Collusion-safe function, that is, a function that makes it impossible to derive the secret key of the transmission source user even if the proxy (semi-trusted server) and the communication partner user collide with each other, is provided.
However, even if a user other than the source user collaborates with the non-transferable function, that is, the re-encryption key, it becomes impossible to generate a re-encryption key other than the key registered by the source user. I couldn't provide the function. Therefore, when operating the scheme proposed by Atenisee, the re-encryption key cannot be handled as public data, and access control by a trusted third party and (trusted) proxy processing related to the re-encryption key are required. For example, there are restrictions such as the loss of convenience in system construction.

The ID-base cipher (IBE) proposed by D. Boneh, M. Franklin, etc. in 2001 uses IDs such as name, department, mail-address, and phone-number as public keys for cryptographic processing. (Non-patent Document 3), and the public key infrastructure (PKI) eliminates the need for an authentication function for the required public key, making it very easy for users to use. In public encryption technology, the electronic signature function is also important. For ID-based encryption, a method by which an ID is used to create and verify an electronic signature is also a Short by D.Boneh et.al (Non-Patent Document 5). There is a signature method. As for ID-based encryption, there is a proposal of application by B. Waters. Et.al (Non-Patent Document 6).
When an n-user shares an encrypted file, it is necessary to encrypt and distribute a common key for electronic data encryption to n users. In the case of ID-based encryption, it is considered that the common key can be encrypted and distributed easily n times based on the IDs of n users. However, if the common key is leaked once, all the encrypted files for n users will be leaked. Therefore, it is desirable to update the common key for electronic data encryption appropriately. In particular, when a user creates important data or a new business is started, it is considered that the common key for electronic data encryption should be updated. When each n user updates the common key for encrypting electronic data, it is necessary to encrypt and distribute the common key to other users. Even when ID-based encryption is used, if each n user updates the common key for encrypting electronic data in order to share the encrypted file with n users, each n user frequently uses the common for encrypting electronic data. The key encryption process will be implemented, and there is a concern that operation errors will occur, such as changing the shared user ID. As described above, in order to share an encrypted file among a plurality of n users, a method that facilitates key management and encryption processing is desired for more users.
When secret data is shared by such a group, it is assumed that a plurality of such groups are configured in units of departments and units of work projects. If there are multiple groups, such as group A and group B, the group is a combination of the multiple groups, and the confidential data is shared, or the shared data is shared only by the common members of the multiple groups The situation is also envisaged. There is a demand for a method for key management and encryption processing that can easily cope with such a set-theoretic composition of groups sharing secret data.

Patent application publication number JP-A-2004-234538 Encrypted data sharing system Patent application publication number JP-A-2005-115479 Electronic data sharing apparatus, method and program Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger `` Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage (eprint) '' ACM Transactions on Information and System Security (TISSEC), February 2005 R. Gennaro and V. Shoup. “A note on an encyption scheme of Kurosawa and Desmedt” Technical Report 2004/194, IACR ePrint archive, 2004 D. Boneh and X. Boyen, “Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles”, Adv. In Cryptology-Eurocrypt 2004 LNCS vol. 3027, Springer-Verlag, pp 223-238, 2004. Matt Blaze, G. Bleumer, and M. Strauss. “Divertible protocols and atomic proxy cryptography.” In Proceedinds of Eurocrypt ‘98, volume 1403, pages 127-144, 1998 D. Boneh, B. Lynn, and H. Shacham, `` Short Signiture from the Weil Paring '', J. Cryptology 17 (4): 297-319 (2004) A. Sahai and B. Waters. “Fussy Identity Based Encryption” In Advances in Cryptology -Eurocrypt. Volume 3494 of LNCS, pages 457-473. Springer, 2005

In a group consisting of multiple users, as a method of sharing confidential data, a variety of research has recently been carried out with the proposed method as file encryption of Ateniese using ElGamal encryption and bilinear operation pairing. ID-based cryptography and CCA secure public key cryptosystem were explained.
(a) In Ateniese's data sharing method, the key that delegates decryption authority is subjected to a collusion attack.
Assuming pRK.A_Bi (1 ≤ i ≤ n) as the re-encryption key that delegates the decryption authority to n members Bobi (1 ≤ i ≤ n) sharing data with Alice's public key, Alice N members' re-encryption key without any involvement, and users other than this member
It is possible to generate a re-encryption key.
(b) Therefore, pRK.A_Bi (1 ≤ i ≤ n) cannot be made public to the re-encryption key that delegates the decryption authority, and this key re-encryption key is sent to the trusted server. It is necessary to store the data and further perform arithmetic processing on the server. in this way,
The key re-encryption key cannot be sent directly to the user.
(c) When creating a re-encryption key, the other party to whom the delegation authority is delegated is valid
It is necessary to confirm whether it is n member Bobi (1 ≦ i ≦ n) by authentication.
(d) Further, assume that a plurality of data providers, for example, Alice_a generates a key for delegating the decryption authority to a specific member, and Alice_b generates a key for delegating the decryption authority to a specific member.
By encrypting with the public keys of Alice_a and Alice_b and creating a plurality of ciphertexts, secret data can be shared by members of both groups. On the other hand, an easy encryption processing method for sharing secret data among members belonging to both groups of Alice_a and Alice_b is not defined. In other words, the key management and encryption processing that can easily cope with the set-theoretic composition of the group sharing the secret data is not provided.
As described above, the proposed method for file encryption by Ateniese needs to be improved as the data sharing method by the group is still inefficient and the convenience of use is increased.

Therefore, in the present invention, in the proposed method as the file encryption of this Ateniese,
To make it a secure and convenient secret data sharing method,
(a) The key that delegates the decryption authority shall not be subject to collusion attacks.
(b) To make the key for delegating the decryption authority safe enough to be disclosed.
(c) When a key for delegating the decryption authority is generated, it is possible to generate it safely without requiring a procedure for authenticating the partner member.
(d) The method shall be a key management and encryption process that can easily cope with the set-theoretic composition of groups sharing secret data.
(e) Based on the progress of the current public key cryptography technology, the CCA secure KEM / DEM cryptosystem function that is considered to update the common key for electronic information processing for each cryptographic process To look into.
The purpose is to solve such problems.

  In order to solve the above-mentioned problem, first, a public key encryption method called a hybrid ID-based encryption that resolves the problem (d) was reconfigured by combining the ID-based encryption and the hybrid KEM / DEM method. On this public key cryptosystem, a secret data sharing system that is safe and convenient for the user who has solved the problems (a), (b), and (c) can be constructed.

First, a method for reconstructing a public key encryption system, also called a hybrid ID-based encryption, will be described.
The ID-based encryption of D.Boneh et.al (2004) (Non-Patent Document 3) is composed of a bilinear operation on an elliptic curve called pairing. Therefore, the KEM / DEM hybrid cipher of V.Shoup (2005) (Non-Patent Document 2) incorporates bilinear arithmetic processing called pairing, and the procedure for proof of security by the hybrid cipher CCA game is almost the same. Restructured to be.
Next, the ID-based cipher of D.Boneh et.al (2004) (Non-patent Document 3) has been improved so that a mechanism that exhibits CCA security accompanied by bilinear arithmetic processing called pairing of the reconstructed cipher is applied. did. Detailed configuration contents will be described in the embodiments.

In order to solve the collusion problem of (a) above, a secret data sharing system having a function of delegating the decryption authority was configured on this CCA secure hybrid encryption ID-based encryption system.
B. Watters et.al (2005) (Non-Patent Document 6) Based on the assumption of computational difficulty of MBDH (Modified Bilinear Diffie Hellman) used in fazzy ID-based encryption, the key to delegate the decryption authority is , Can be shown to be safe from collusion attacks.
In addition, by taking a means for constructing a key for delegating safe decryption authority from such a collusion attack, this key can be made publicly available, and the problem relating to the disclosure of (b) above is also solved. be able to.

Next, means for solving the authentication-related problem (c) will be described.
As described above, the secret data sharing system of the present invention is configured using ID-based encryption of a CCA-safe hybrid cryptosystem. In ID-based encryption, a secret key sk (ID) corresponding to an ID is distributed to and owned by each ID user. In the embodiment, details will be described. This secret key is composed of two sets of elements K_ID and Q_ID as follows.
sk (ID) = {K_ID, Q_ID}
K_ID is created based on confidential data other than ID, and is an element accessible only to the owner of the private key. On the other hand, Q_ID is an element created from the ID. Specifically, Q_ID = H (ID) is determined from the hash function H based on the ID.
Thus, Q_ID, which is an element of the secret key sk (ID), is data that can be acquired from other than the owner of the secret key. Therefore, if the key pRK (ID) that delegates the decryption authority is configured based on this Q_ID, the decryption can be performed without requiring the procedure for authenticating the other party member as in the case of the normal ID-based encryption. A key pRK (ID) for delegating authority can be generated. In the present invention, as shown in the embodiment, the user who is given the key pRK (ID) for delegating the decryption authority replaces Q_ID with this pRK (ID), and decrypts the private key {K_ID, pRK (ID } Is set as a decryption secret key for secret data to be shared.
If Q_ID is defined as H (ID) by the hash function, this Q_ID is
It can be used as a key for electronic signature of D.Boneh (Non-Patent Document 5), and it is possible to incorporate an electronic signature function as ID-based encryption.

Next, means for solving the problem (d) related to the group will be described.
A plurality of groups sharing secret data are assumed to be Ga, Gb, Gc,. Administrators Adm.Ga, Adm.Gb, Adm.Gc, who manage keys for data sharing are defined for each group. This administrator can set the secret key sk (ID) corresponding to the ID separately from the PKG responsible for generation and distribution. The administrator of each group sets the confidential data msk.Ga, msk.Gb, msk.Gc, and uses the CCA secure hybrid cryptosystem ID-based encryption framework described above to store the confidential data. In addition, public keys PK.Ga, PK.Gb, and PK.Gc, which are used to share confidential data among each group, are generated and made public. The manager of each group generates and distributes the key for delegating the public key decryption authority based on the IDs of the members of each group and the previously set secret data.
In other words, the group Ga administrator Adm.Ga, for each ID member of the group,
Key that delegates the decryption authority of public key PK.Ga based on Q_ID = H (ID) and secret data msk.Ga
Generate and distribute pRK.Ga (ID). If the decryption private key of the public key PK.Ga is SDK.A (ID),
This decryption secret key is the element Q_ID of the secret key sk (ID) = {K_ID, Q_ID} owned by this member
Is replaced with pRK.A (ID) and SDK.A (ID) = {K_ID, pRK.A (ID)} is reset.
Similarly, if an ID member belongs to the group Gb, this member is distributed a key pRK.Gb (ID) that delegates the decryption authority of the public key PK.Gb, and the decryption secret key SDK.Gb (ID ) Can be reset.
When it is desired to share secret data in a group that merges both groups Ga and Gb, the secret data can be shared by encrypting the electronic information with two sets of public keys PK.Ga and PK.Gb. It is also possible to share secret data with a group composed of common members of the groups Ga and Gb by the encryption processing means shown here. In other words, a key that encrypts electronic information with two sets of public keys PK.Ga and PK.Gb and delegates the authority to decrypt the encrypted data.
Decryption secret key SDK.Ga_Gb (ID) reset based on pRK.Ga (ID), pRK.Gb (ID)
It can be decrypted and acquired with {K_ID, pRK.Ga (ID), pRK.Gb (ID)}. A detailed mathematical configuration will be described in the embodiment.

The present invention has the following effects by using the configuration of the solving means described above. The effects provided by the method of the present invention will be described.
1. Cryptographic processing by the function to delegate the decryption authority
1.1 Features and effects of cryptographic processing that delegates decryption authority
(1) Self-generation
When Adm creates the key proxy-key pRK_A (ID) that delegates the decryption authority of the public key PK_A to the member of the user ID, the msk.A (master secret key of Adoministrator) owned by Adm itself and the member Based on the ID of the PKG, Adm can create it efficiently without the intervention of third parties such as PKG, and it does not generate a burdensome protocol such as information exchange with the PKG. The effect which becomes easy is acquired.
(2) Self-management (original-access)
Members of the group sharing secret data encrypt the data with the public key PK_A and store it, but the decryption secret key reset with their own ID SDK-A (ID) can be decrypted and the stored data The effect that the maintenance management can be implemented is obtained.
(3) Key-distinguishability of decryption secret key
For the member whose user ID is IDa, reset the decryption secret key SDK-A (IDa) = (K_IDa, pRK-A (IDa)) corresponding to the public key PK.A, and change the user ID to the member whose ID is IDb. On the other hand, the decryption secret key SDK-A (IDb) = (K_IDb, pRK-A (IDb)) is reset. The reset decryption secret keys SDK-A (IDa) and SDK-A (IDb) can be identified as data even though the decryption secret key of the same public key PK_A is given. This has the effect that it becomes possible to trace who the decryption secret key has leaked when the decryption secret key is illegally leaked.
(4) public-key, proxy-key size invariance (key-optimal)
Regardless of the number of users who join the system, the sizes of public-key PK_A and proxy-key pRK (ID) are determined only by a system such as an elliptic curve equipped with encryption and are unchanged.

1.2 Security of proxy-key to delegate decryption authority The present invention is configured as a secret data sharing system by incorporating a public key decryption authority delegation function on CCA-safe hybrid ID-based encryption. The key proxy-key pRK_A (ID) that delegates the decryption authority for the public key PK_A has security against the following collusion attack. Therefore, the key proxy-key for delegating the decryption authority can be generated and released only by the group administrator Adm, and an effect of facilitating the operation of the security system can be obtained.

(1) Non-transitionality With the public key PK_A, the ID of any n member Bob-i (1 ≤ i ≤ n) of the group sharing secret data is ID-i, and the corresponding proxy-key is pRK-A ( ID-i). When the ID of a user Carroll different from this member is ID-c, proxy-key pRK-A (ID-c) of this Carroll is replaced with proxy-keypRK-A (ID-i) of this n member (1 ≦ It is difficult to calculate from i ≦ n).
(2) Collision avoidance With the public key PK_A, the ID of any n member Bob-i (1 ≤ i ≤ n) of the group sharing secret data is ID-i, and the corresponding proxy-key is pRK-A ( ID-i). From this n member proxy-keypRK-A (ID-i) (1≤i≤n), the decryption secret key SDK-A (ID-j) of any member Bob-j or the secret data msk of the administrator Adm It is computationally difficult to calculate -A.
(3) Release of decryption authority transfer
The proxy-key pRK_A (ID) corresponding to the ID has the safety shown in the items (1) and (2), and can be operated publicly. That is, even if the proxy-key is disclosed, it is possible to ensure the security of the CCA of the cryptographic processing system.

1.3 Creation of decryption authority delegation key and data management ・ According to the mode of claim 1, since a reliable administrator creates data to give the decryption authority, each user of the group makes a mistake in the group concerned. It is possible to reduce the operation error by providing the ciphertext to another user.
According to the second and fourth aspects, each time the electronic data is encrypted with the public key, the common key is updated, and the security safety can be improved.
According to the second and sixth aspects, once the decryption authority for the group is acquired, it is not necessary to change the key owned by each user of the group, and the electronic data is encrypted with the public key. Each time, the common key is updated, the security safety is improved, and the operation mistake of each user key management can be reduced.
According to the aspect described in claim 7, it is possible to obtain an effect that it is possible to share confidential data without delegating a new decryption authority in a group composed of common members of a plurality of groups.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

FIG. 1 shows an embodiment of an operation system according to the present invention in which a secret data sharing system pBE (proxy-base Encryption) is configured on a communication network such as a LAN.
An embodiment of the present invention will be described with reference to FIG.
Administrator is an administrator of a specific group, Bob-i (1 ≦ i ≦ n) is a user who becomes a member of the group, and is connected to the LAN by a terminal device such as a PC (personal computer). PKG (Public key generator) creates and distributes the private keys of these users. The administrator Administrator generates a public key PK.A for data sharing of this group by msk.A (master secret key of Administrator) and also delegates the decryption authority of this public key PK.A Create and distribute.
The user ID of Bob-i (1 ≦ i ≦ n) is IDb-i, and the corresponding secret key is sk (IDb-i).
File server is connected to this LAN as Data Storage (untrusted server)
The electronic data owned by each user is encrypted with the public key PK.A and stored in this File server.
In the present embodiment, an embodiment in which the Administrator creates a proxy-key for delegating the decryption authority is shown.
Administrator opens the Delegation registration screen for delegation registration of decryption authority of this cryptographic processing system, and with the ID of the group member who gives decryption authority, in this example, the ID of Bob-i, Bob-j, Bob-k A certain IDb-i, IDb-j, IDb-k is input.
After this input, proxy-key creation processing is performed based on msk.A owned by Administrator, and created proxy-key pRK.A (IDb-i), pRK.A (IDb-j), pRK .A (IDb-k), is stored in Proxy-Key DB (database) connected to File-server.
When Bob-i tries to use encrypted electronic data with the public key PK.A, it obtains proxy-key pRK.A (IDb-i), stored in Proxy-Key DB, and owns it. In combination with the secret key sk (IDb-i), the decryption secret key SDK.A (IDb-i) is reset, and the encrypted electronic data with the public key PK.A is decrypted and used.

The secret data sharing system pBE (proxy-base Encryption) of the present invention is an ID-based encryption having the security of selective ID CPA of D.Boneh et.al (2004) (non-patent document 3), and V.Shoup et al. It is constructed on the CCA-safe hybrid ID-based cipher mIBE, which combines both ciphers of Kurosawa and Desmedt's KEM / DEM hybrid ciphers reconsidered by .al (2005) (Non-Patent Document 2). ing.

2. Hybrid cryptography First, the mathematical framework used to construct the Kurosawa and Desmedt hybrid cryptosystem described in Non-Patent Document 2 is described.

By using this mathematical framework, KEM / DEM hybrid encryption Pub is constructed.
The hybrid cipher Pub is composed of the following three algorithms as shown below.
Pub = {KeyGen, Pub.Enc, Pub.Dec}
KeyGen (Key Generation)

Pub.Enc (encryption)

Pub.Dec (decryption)
The above is the encryption scheme proposed by V.Shoup Non-Patent Document 2 by reconsidering the Kurosawa and Desmedt hybrid cipher. This hybrid cipher Pub is given a proof of the security of IND-CCA2 under the assumption of computational complexity of DDH.

A practical proposal for ID-based encryption was made around 2000 by Kasahara and D.Boneh et al. Using a bilinear map on an elliptic curve called pairing. Since then, various studies have been made. Non-Patent Document 3 proposes an ID-based cipher sIBE having the security of selective ID CPA by D.Boneh et al.
ID-based cryptography sIBE places security on the computational difficulty of the BDH problem.
Next, we will explain the pairing and BDH problems, which are mathematical frameworks for constructing ID-based encryption.

(1) Bilinear Groups

(2) Computational difficulty

In this hybrid encryption Pub,

This shows the possibility of a similar encryption scheme by incorporating a pairing into V.Shoup's hybrid cipher Pub. Focusing on this point, the hybrid cipher PKE of V.Shoup is reconstructed as a hybrid cipher PKE by incorporating a pair of bilinear operations (pairing). The hybrid cipher PKE is composed of the following four algorithms as shown below.
PKE = {PKE.Setup, PKE.Gen, PKE.Enc, PKE.Dec}
PKE.Setup
Establish a mathematical framework for constructing hybrid ciphers.

PKE.Gen (Key Generation)


PKE.Enc (Encryption)

PKE.Dec (Decryption)

3. Modification of ID-based encryption
The hybrid cipher PKE, which incorporates pairing operations, is almost the same as the procedure for proof of security by the hybrid cipher game proposed by V.Shoup, and the assumption of the computational difficulty of DDH is the computational complexity of BDH. By replacing with the assumption of difficulty, the safety of CCA can be proved. The ID-based cipher sIBE is composed of a pairing operation, and the sIBE is modified so that the CCA secure mechanism of the hybrid cipher PKE incorporating the pairing operation process can be applied. Let mIBE be a modified ID-based cipher. As shown below, mIBE consists of four sets of algorithms.
mIBE = {mIBE.Setup, mIBE.Gen, mIBE.Enc, mIBE.Dec}

mIBE.Setup
The framework that composes the cipher is the same as the mathematical framework of the hybrid cipher PKE constructed by pairing operations.
That is, mIBE.Setup = PKE.Setup = {group G, W; e (bilinear map), TCR, KDF, SEK}
mIBE.Gen
PKG (public key genrator) generates a key for use with mIBE using the mathematical framework of mIBE.Setup.
msk.mIBE (master secret key) is used as secret data that PKG uses to set the key (secret key), and is used to encrypt the data (plaintxt) m based on the public key ID. Public data to be used is Params (master public key). Params is generated by msk.mIBE.

mIBE.Enc: Encryption of m (encryption of plaintext m)

mIBE.Dec: Decryption of C _M (decoding of ciphertxt C _M)


The CCA secure mechanism of the hybrid cipher PKE is the ID-based cipher mIBE.
The MAC key k and the variable v for deriving the common key K of the common key encryption are incorporated by deriving by a pairing operation.

Next, the data sharing system pBE of the present invention is configured using the ID base mIBE configured here. In this data sharing system, a specific group A is set by members who share data, and an administrator Adm (Adoministrotor) that manages a key for sharing data is set in this group. In mIBE, PKG (public key generator) sets msk.mIBE, Params, generates a secret key sk (ID) corresponding to the ID based on this value, and distributes it to the ID user. The key manager Adm newly defined in (3) is a reliable third party different from PKG.
The data sharing system pBE is composed of the following six algorithms using mIBE elemental technology. pBE = {pBE.Setup, pBE.Gen, pBE.Der, pBE.Ktr, pBE.Dec}

Four. Electronic data sharing system with public key decryption authority delegation function
4.1 Configuration of Electronic Data Sharing System Having Public Key Decryption Authority Delegation Function FIG. 2 shows a configuration of an electronic data sharing system having a public key decryption authority delegation function according to the present invention.
With reference to FIG. 2, an embodiment of a system configuration related to cryptographic processing according to the present invention will be described.
(1) PKG (Public key Generator)
PKG uses the hybrid ID-based encryption mIBE described above to set the encryption processing framework of this data sharing system. At the same time, it has a key management function for users who use this data sharing system.
・ Set secret data msk.mIBE (master secret key of mIBE), and generate and publish Params (master public key) that each user uses for encryption processing.
・ A secret key sk (ID) corresponding to each user's ID is generated and distributed to each user by a secure channel.
FIG. 2 shows that the ID of each user Bob-i (1 ≦ i ≦ n) is IDb-i and the corresponding secret key sk (IDb-i) is distributed.
(2) Adm (Administrator)
An administrator Adm is set for each group that shares confidential data, and key management related to the public key shared by the group is implemented.
-Administrator Adm of a specific group sets secret data msk.A (master secret key of Adm) and generates a public key PK.A (public key generated by Adm) shared by the group.
・ For each member of the group, Adm is the secret data msk.A (master secret key
of Adm) and a key for delegating the authority to decrypt the public key PK.A based on each member's ID
Generate and distribute proxy-key pRK.A (ID).
In FIG. 2, groups Ga and Gb exist as data sharing groups, and an administrator Adm.A and an administrator Adm.B are set in each group. Administrator Adm.A sets secret data msk.A and generates public key PK.A. Similarly, the administrator Adm.B sets the secret data msk.B and generates the public key PK.B.
(3) Data Storage (untrusted server, file server)
・ Each member of a specific group sharing data encrypts the electronic data using a public key, and stores the encrypted electronic data as a file for use.
-Does not have key management functions related to cryptographic processing.
In FIG. 2, each member belonging to the group Ga encrypts and shares the electronic data with the public key PK.A, and similarly each member belonging to the group Gb encrypts and shares the electronic data with the public key PK.B. It shows that.
(Note) The file management software is NFS (Network File
CIFS (Common Internet File System) is known in the Windows system.
Those that support passwords are considered to be less reliable.
(4) proxy-key DB (Decryption authority delegation key database)
Each member Bob-i (1 ≤ i ≤ n) of a specific group sharing the data is given a key proxy-key that delegates the decryption authority of the public key PK.A created by the administrator Adm of the group .
Each member Bob-i (1 ≦ i ≦ n) obtains the authority to decrypt the electronic data encrypted with the public key PK.A by obtaining this proxy-key.
In Fig. 2, Adm.A, manager of group Ga, based on the ID of each member of the group
Create proxy-key pRK.A (ID) and register the created proxy-key in proxy-key DB (proxy-key database).
Giving Bob-i the ID of each member Bob-i (1 ≦ i ≦ n) of group Ga as IDb-i
proxy-key pRK.A (IDb-i) is the secret data msk.A (master
secret key of Adm) and IDb-i that is the ID of each user Bob-i (1 ≦ i ≦ n).
Each member Bob-i (1 ≤ i ≤ n) has a secret key sk (IDb-i) and given
proxy-key Based on pRK.A (IDb-i), regenerate the private key sk (IDb-i) that you own, and set the public key
A decryption secret key SDK.A (IDb-i) corresponding to PK.A can be generated. In this way
Each member of the group Ga can share the encrypted data.
Similarly, each member of the group Gb uses the public key PK.B to share the encrypted data.

4.2 Configuration of Key of Cryptographic Processing System Used in Data Sharing System pBE First, the configuration of the key of the cryptographic processing system used in the data sharing system pBE of the present invention will be described.
(1) Public key PK.A (Public key)
Public key used to keep data secret in Group Ga.
Generated and distributed by administrator Adm set to group Ga.
(2) Params (master Public key)
Public data used to create ciphertext CM with public key PK.A.
Public key PK.A is generated with various values, but Params is a cryptographic processing system.
It is fixed.
(3) ID (user's ID)
For the data encrypted with the public key PK.A, specify the member of the delegation destination group that delegates the decryption authority using the ID. In ID-based encryption mIBE, ID is used as a public key for encryption. However, in the data sharing system pBE of the present invention, the public key is the above-mentioned PK.A, and the ID is used as a public key for data encryption. Not used as.
(4) K (File encryption key)
A common key for encrypting data such as files using SEK.Enc, a common key encryption such as AES (Advanced encryption standard).
plaintxt m, ciphertext with cipher key K e_M
e_M = SEK.Enc (K, m)
(5) k (Message authentication key)
Generates an authenticator tag for the two inputs plaintext e and key k. That is,
tag = MAC (k, e)
(Safety assumption)
If the attacker is given an arbitrarily chosen plaintext e_p and authenticator tag_p = MAC (k, e_p),
It is computationally difficult to obtain two sets of data {e, tag} (tag = MAC (k, e)) with e ≠ e_p within polynomial time.
(6) sk (ID) (user's secret key)
This is a private key for decryption corresponding to the public key ID in the ID-based encryption mIBE, and mIBE.Gen
Create based on ID. In pBE system, pBE.Gen is generated in the same way as mIBE.Gen.
Distribute to users. However, the public key of the pBE system is PK.A, not an ID.
sk (ID) = {K_ID, Q_ID}
One element Q_ID of the secret key sk (ID) can be created with the value of the user ID.
For example, with hash function H, Q_ID = H (ID)
(7) pRK.A (ID) (member's proxy key)
A key that gives the member of the user ID of the group sharing the data the function to delegate the decryption authority for the public key PK.A. Set and distributed by the group's public key administrator Adm.
(8) SDK.A (ID) (reformatted secret decryption key)
The decryption secret key that was reset for members of the user ID of the group as the decryption secret key for the public key PK.A. The secret key sk (ID) owned by the member of the user ID and the distributed proxy key
Reset by yourself with pFK.A (ID).
(9) msk.mIBE (master secret key of mIBE)
mIBE releases public data Params
Secret data required to generate sk (ID) other than public data Params.
(10) msk.Adm (master secret key of Administrator)
Secret data required by the administrator Adm in addition to the public data Params to generate the public key PK.A.
(11) σ (master public proxy key)
Public data required for the administrator Adm to generate proxy-key pRK.A (ID) that delegates the decryption authority for the public key PK.A. pRK.A (ID) is generated based on the secret data msk.Adm and the public data σ. The public data σ is generated based on the confidential data msk..mIBE.

4.3 Functional configuration of the data sharing system pBE based on the ID-based encryption mIBE framework.
mIBE consists of the following four algorithms {mIBE.Setup, mIBE.Gen, mIBE.Enc, mIBE.Dec}.
It is made. The data sharing system pBE of the present invention is configured using the framework of this ID-based encryption mIBE. pBE has the following six algorithms {pBE.Setup, pBE.Gen, pBE.Der,
pBE.Ktr, pBE.Dec}. The function of the data sharing system pBE of the present invention will be described below.
(1) pBE.Setup
With mIBE.Setup, set the group to operate the cryptographic processing system, then msk.mIBE,
Based on this secret data, Params and σ are generated and released.
Also, by using mIBE.Gen, a secret key sk (ID) corresponding to the ID of each user who joins the system is generated, and the secret key sk (ID) is distributed through a reliable and secure channel.
As described above, the framework of the ID-based encryption mIBE is configured.
(2) pBE.Gen (pBE Generator)
Define a specific group to share data in the system, and set an administrator Adm (administrator) different from mIBE.Gen to this group. This administrator Adm is the secret data msk.Adm
Based on this secret data msk.Adm and public data Params, a public key PK.A used to share secret data with the group is generated.
(3) pBE.Enc (Encryption)
Plaintext m ciphertext based on public key PK.A and public data Params
Generate C_M. That is,
pBE.Enc (Params, PK.A, m) = C_M
(4) pBE.Der (Generate key proxy-key to delegate decryption authority)
The group administrator Adm generates a key pRK.A (ID) that gives the members of each user ID of the group the authority to decrypt the public key PK.A based on the ID and the confidential data msk.Adm. To do. That is,
pBE.Der (msk.Adm, ID) = pRK.A (ID)
(5) pBE.Ktr (Reset decryption secret key)
Each member of the user ID of the group uses the public key PK based on the private key sk (ID) that it owns and the proxy-key pRK.A (ID) that delegates the decryption authority generated by the administrator Adm. Reset the decryption private key SDK.A (ID) corresponding to .A. That is,
pBE.Ktr (sk (ID), pRK.A (ID) = SDK.A (ID)
(6) pBE.Dec (Decryption)
Decrypt ciphertext C_M of public key PK.A based on the reset decryption secret key SDK.A (ID) to obtain plaintext m. That is,
pBE.Dec (SDK.A (ID), C_M) = m

5. Decryption authority delegation function by pBE The data sharing system pBE of the present invention is a system that shares secret data among specific groups by a method of delegating public key decryption authority. FIG. 3 is a processing flow diagram of the decryption authority delegation method of the present invention. With reference to FIG. 3, an embodiment of the encryption processing of the secret data sharing method using the delegation authority transfer function according to the present invention will be described based on the function of pBE.

5.1 Reliability of PKG, Adm In the data sharing system pBE of the present invention, the PKG generates a secret key sk (ID) corresponding to the user ID for all users who are subscribed to the system, and is a reliable transmission line. It is distributed to users with each ID. That is, PKG sets secret data msk.mIBE by pBE.Setup, generates public data Paramas and σ, and publishes them. A secret key sk (ID) corresponding to the ID of Administrator (Alice) as an administrator and Carroll-i (1 ≦ i ≦ n) as each user of the group is generated and distributed.
In Fig. 3, the ID of the subscriber user Carroll-i (1≤i≤n) of the pBE system is IDc-i, and the corresponding secret key sk (IDc-i) = (K_IDc-i, Q_IDc-i) is distributed. ing. The component K_IDc-i of this secret key sk (IDc-i) is generated based on the secret data msk.mIBE and IDc-i, but the component Q_IDc-i is generated only from the public data IDc-i It can be generated from an external third party based on the public data IDc-i and can be accessed from the outside.
In the data sharing system pBE of the present invention, a plurality of groups Ga, Gb, Gc, which share secret data can be set. Each group has a different administrator (Adoministrator) from the PKG.
The administrator (Adoministrator) generates a public key shared by the group, and generates and distributes a key that delegates the decryption authority of the shared public key to each member belonging to the group.
Therefore, the PKG and the administrator (Adoministrator) need to be trusted (trusted third party).
In FIG. 3, the manager of group Ga is Adm.A, the manager of group Gb is Adm.B, and the manager of group Gc is Adm.C.

5.2 Cryptographic processing by public key decryption authority delegation function
(1) Generation of group-shared public key Administrator Adm.A of group Ga uses secret data msk.A (smaster secret key
of Adm.A) and based on this secret data msk.A, the public key shared by group Ga
Generate and publish PK.A.
(2) Creating and registering Proxy-key pRK
(i) Each member belonging to group Ga is Boba-i (1≤i≤n), and ID of Boba-i is IDa-i
(1 ≦ i ≦ n). Let sk (IDa-i) = (K_IDa-i, Q-IDa-i) be the secret key generated and distributed by PKG corresponding to this member's IDa-i. As described above, the secret key component Q-IDa-i can be created based on IDa-i.
Therefore, the administrator Adm.A, IDa-i (1 ≦ i ≦ n) of the member to whom the decryption authority is delegated
Based on the above, the constituent element Q-IDa-i (1 ≦ i ≦ n) of the corresponding secret key is acquired.
(ii) Administrator Adm.A has the secret data msk.A (master secret key of
Administrator) and the key that delegates the decryption authority for the public key PK.A based on the acquired Q_IDa-i (1 ≦ i ≦ n) proxy-key pRK.A (IDa-i) = pBE.Der (msk. A, IDa-i) (1≤i≤n) is created and registered in the file server (untrusted).
The file server also stores electronic data that each member of the group Ga has encrypted with the public key PK.A. If electronic data is m and this ciphertext is C_M,
C_M = pBE.Enc (Params, PK.A, m)
(3) Reconfiguration of the public key decryption private key SDK using the proxy-key pRK delegating the decryption authority Group Ga member Boba-i delegates the public key PK.A decryption authority to the file server
Check if proxy-key pRK.A (IDa-i) is registered. If registered, this
proxy-key Obtain pRK.A (IDa-i) and own the private key
Replace element Q-IDa-I and pRK-A (IDa-i) of sk (IDa-i) = (K_IDa-i, Q_IDa-i).
In this way, the decryption secret key for the public key PK.A
SDK.A (IDa-i) = pBE.Ktr (sk (IDa-i), pRK.A (IDa-i)) = (K_IDa-i, pRK.A (IDa-i)) To do.
(4) Encryption of electronic data with public key PK.A
(i) Data U related to the key is created by using the public key PK.A and the public data Params.
(ii) Generate MAC key k and common key FEK based on U.
(iii) Electronic data m (plaintext) is encrypted data using the common key FEK.
e_M = SEK.Enc (FEK, m)
(iv) Create an authenticator tag from the MAC key k for the encrypted data e_M.
tag = MAC (k, e_M)
(v) From above, the ciphertext C_M of electronic data m (plaintext)
C_M = {U, e_M, tag}
Create as.
The authenticator tag is created to ensure the safety of CCA.
(5) Decryption of encrypted data of public key PK.A with decryption private key
(i) Member Boba-i belonging to group Ga corresponds to IDa-i and decryption secret key
SDK.A (IDa-i) is reconfigured and obtained.
Ciphertext C_M = Data U for key of (U, e_M, tag) and decryption secret key
Generate MAC key k and common key FEK based on SDK.A (IDa-i).
(ii) An authenticator MAC (k, e_M) is created from the encrypted data e_M.
Check if this authenticator matches the tag of ciphertext C_M.
(iii) If tag ≠ MAC (k, e_M) does not match, there is some risk of information leakage, so the decoding operation is stopped.
(iv) When tag = MAC (k, e_M) matches, the encrypted data e_M is decrypted with the common key FEK.
m = SEK.Dec (FEK, e_M)
The plaintext m (plaintext) is acquired as described above.
(Note: For the public key PK.A, create an electronic certificate with the administrator's signature key dQ_IDa,
It is necessary to verify the validity of this electronic certificate in advance with the Administrator verification key Q_IDa. )

5.3 Configuration example of data sharing system pBE
The functions of the data sharing system pBE of the present invention shown in section 4.2 can be implemented mathematically. An embodiment in which the data sharing system pBE of the present invention is mathematically constructed will be described. In the present invention, the pBE encryption pBE.Enc and decryption pBE.Dec algorithms are composed of the same algorithms as the hybrid ID-based encryption mIBE encryption mIBE.Enc and decryption mIBE.Dec.
・ PBE.Setup

・ PBE.Gen
A group sharing data is set, and an administrator Adm (adoministrator) different from mIBE.Gen is set in the group. The administrator Adm sets secret data msk.Adm (master secret key of Adoministrator), and generates a public key PK.A for sharing data among the groups based on the secret data.
In the ID-based encryption mIBE, the ID is used as a public key, but the public key PK.A of pBE is not the ID of the administrator Adm.

・ PBE.Enc (Encryption)
pBE.Enc encrypts plaintext m based on public data Params and public key PK.A.
Create ciphertext C_M. This encryption process is the same as the encryption process when the ID is the secret data S (= msk.mIBE) in mIBE.Enc.

・ PBE.Der (proxy-key setting)
The group administrator Adm receives the proxy-key pRK.A (ID) for delegating the authority to decrypt the public key PK.A to each member of the user ID, the user ID, the public data σ, and the secret data msk.Adm. Create and distribute based on.
The function H is a hash function from the residue group Fq to the group G.

(5) pBE.Ktr (Reset decryption secret key)
Each member of the group has a secret key sk (ID) corresponding to the user ID.
Each member uses the public key PK.A based on the proxy-key pRK.A (ID) and secret key sk (ID), which are distributed by the group administrator Adm and delegate the decryption authority for the public key PK.A. A method for resetting the decryption secret key SKD.A (ID) will be described.

(6) pBE.Dec (Decryption)
The ciphertext (ciphertext) C_M created with the public key PK.A is decrypted with the reset decryption secret key SDK.A (ID) to obtain plaintext (plaintext) m.
This decryption process is the same as the decryption calculation process of the ID-based cipher mIBE.Dec.

6. Access Management by Group Next, an embodiment of an access management system using the data sharing system pBE of the present invention will be described. FIG. 4 shows an encryption processing system using the data sharing system pBE of the present invention. PBE.Gen (PKG) is defined in this system, and public data Params used for public key encryption is set and published, and a secret key sk (ID) corresponding to each user ID is set. It is set. In this system, the groups sharing data are Ga and Gb.
Administrators for sharing data, Adm.Ga and Adm.Gb, are set in the groups Ga and Gb. The public key of group Ga is PK.Ga, the secret data of administrator Adm.Ga msk.Ga = Sa
If the group Gb public key is PK.Gb administrator Adm.Gb secret data msk.Gb = Sb,

Data shared with the group Ga is encrypted with the public key PK.Ga, and data shared with the group Gb is encrypted with the public key PK.Gb. If the user with user ID belongs to group Ga and group Gb, this user will delegate the decryption authority for public key PK.Ga.
pRK.Ga (ID) and proxy-key pRK.Gb (ID) for delegating the authority to decrypt the public key PK.Gb are distributed. Corresponding to the public key PK.Ga, the decryption secret key SDK.G (ID) from the secret key sk (ID) and pRK.Ga (ID)
And the decryption private key SDK.G (ID) from the private key sk (ID) and pRK.Gb (ID) according to the public key PK.Gb
Reconfigure and use.
In the data sharing system of the present invention, the public keys PK.Ga and PK.Gb can be used to encrypt so that only members belonging to both the group Ga and the group Gb can be decrypted. is there.
Members belonging to both groups Ga and Gb have a proxy-key that delegates the decryption authority of both public keys PK.Ga and PK.Gb. Encrypting data using public keys PK.Ga and PK.Gb, and using a proxy-key that delegates the authority to decrypt both, the encrypted data is decrypted, Since a proxy-key that delegates both decryption authorities is required for decryption, only members belonging to both groups Ga and Gb can be decrypted.

The user with the user ID belongs to both groups Ga and Gb, the secret key is sk (ID), and the keys to delegate the decryption authority are proxy-key pRK.Ga (ID), pRK.Gb (ID) An encryption processing method using the public keys PK.Ga and PK.Gb of the present invention and a decryption processing method using sk (ID), pRK.Ga (ID), and pRK.Gb (ID) will be described.
・ PBE.Enc (Encryption)

(2) pBE.Ktr (Reset decryption secret key)
Each member of the group has a secret key sk (ID) corresponding to the user ID.
This member is a public-distributed proxy-key pRK.Ga (ID) that delegates the decryption authority of the public key PK.Ga distributed by the administrator Adm.Ga of the group Ga and an administrator Adm.Gb of the group Gb. A public key synthesized based on proxy-key pRK.Gb (ID) and secret key sk (ID) that delegates the decryption authority for key PK.Gb
A method for resetting the decryption private key SDK.Ga_Gb (ID) of PK.Ga_Gb will be described.

・ PBE.Dec (Decryption)

7. Security of key proxy-key that delegates decryption authority of public key
7.1 Modified Bilinear Diffie-Hellman Assumption (Non-Patent Document 6)

7.2 Security against collusion attacks of proxy-key, which delegates the authority to decrypt public keys
(1) Non-transitional safety

(2) Security of collusion avoidance Assume that Bob, who owns the secret key sk (Ib) of the hybrid cipher mIBE, is given the Caroll proxy-key pRK.A (Ic). If the secret key sk (Ib) is reset to another secret key sk (W) by proxy-key,
Therefore, in order to reset W = S, that is, the secret key sk (msk.A) = sk (S) corresponding to the public key PK.A, it is necessary to satisfy Ib = Ic. This is because Bob reconfigures the secret key sk (S)
pRK.A (Ib) is required, which is equivalent to obtaining pRK.A (Ib) from the given pRK.A (Ic). This indicates that it is difficult in terms of calculation because of the non-transitional safety described above.

8. Electronic signature function The public key PK.A needs to indicate by electronic signature that the provider is a valid administrator Administrator. This electronic signature function can be introduced using a system different from the cryptographic processing, but in the proposed method, the electronic signature function can be incorporated using the same cryptographic processing system. is there. The configuration method of this electronic signature function is shown below.

8.1 Built-in electronic signature (signiture) function

8.2 Short Signature function setting
According to D. Boneh et al (Non-Patent Document 5), it is possible to incorporate the function of Short Signature. The configuration using NMT curve is shown. Since this configuration uses two different sets of generators on the equidistant point on the elliptic curve (Non-Patent Document 9), it requires a little modification for encryption and decryption, but with almost the same algorithm. It can be easily confirmed that it is established. The calculation of the electronic signature is the same as (Non-Patent Document 5), and the description is omitted.

The electronic data sharing system pBE of the present invention is operated in combination with the electronic signature function shown here. In the present invention, since the hybrid encryption processing method is adopted, the common key is used without being conscious of it. Keys that are consciously used by users of the system of the present invention are public keys and private keys used for encryption processing and electronic signatures.
In the embodiment of the pBE system of the present invention shown in FIG. 3, referring to FIG. 4, the administrator Adm.Ga (Administrator) of the group Ga who shares PKG, data, and the user Boba-i (1 .Ltoreq.i.ltoreq.n), the encrypted electronic data stored in the File-server, and the encryption process and keys related to the electronic signature will be described.
PKG owns msk.mIBE (master-secret-key) and creates Params (master public key). Then, a secret key sk (ID) corresponding to the ID of each user of the secret data sharing system and a secret key for creating an electronic signature are created and distributed to each user using a secure channel.
The secret keys are sk (ID) = (K_ID, Q_ID) and Q_ID = H (ID).
The public key corresponding to the signature creation user ID is Q_ID = H (ID), and this signature creation public key is a constituent element of each user's private key.
(1) Administrator Adm.Ga
The ID of the administrator Adm.Ga is IDAa. The key owned by the administrator Adm.Ga is
Private key sk (IDAa) = (K_IDAa, Q_IDAa), Q_IDAa = H (IDAa)
Public key corresponding to IDAa for signature verification Q_IDAa = H (IDAa)
Private key for signature creation dQ_IDAa
It is.
Administrator Adm.Ga is distributed a private key sk (IDAa) and a private key dQ_IDAa for signature creation from PKG.
The administrator Adm.Ga sets the secret data msk.Ga, generates a public key PK.Ga shared by the group Ga, and publishes it. In addition, a public key PK.Ga certificate is created with the private key dQ_IDAa for signature creation.
A user of group Ga who uses this public key PK.Ga can verify the certificate of public key PK.Ga using IDAa of administrator Adm.Ga.
(2) Group Ga user Boba-i (1≤i≤n)
The ID of the user Gaba-i (1 ≦ i ≦ n) of the group Ga is assumed to be IDa-i (1 ≦ i ≦ n).
The key owned by user Boba-i is
Secret key sk (IDa-i) = (K_IDa-i, Q_IDa-i), Q_IDa-i = H (IDa-i)
Public key corresponding to IDa-i for signature verification Q_IDa-i = H (IDa-i)
Private key for signature creation dQ_IDa-i
It is.
The user Boba-i receives the secret key sk (IDa-i) and the signature creation secret key dQ_IDa-i from the PKG.
User Boba-i encrypts the electronic data with the public key PK.Ga and shares the confidential data with the group Ga. If it is necessary to prove that the electronic data is created by the user Boba-i, the user Boba-i will use the private key dQ_IDa for creating the signature for the electronic data. -i can be used to create an electronic signature.
A user who uses the electronic data can verify the IDa-i of Boba-i.
In this embodiment, each user of the group Ga encrypts plain text Mi (plaintext) (1 ≦ i ≦ m) and stores it in the File-server. The encrypted electronic data created is
pBE.Enc (Params, PK.Ga, Mi).
Administrator Adm.Ga delegates the decryption authority of public key PK.Ga to Boba-i (1 ≦ i ≦ n)
proxy-key pRK-A (IDa-i) is created and registered.
Based on this proxy-key, the decryption private key of the public key PK.Ga set is SDK.Ga (IDa-i).
In the embodiment of the encrypted data sharing system pBE of the present invention, since the hybrid encryption is used, the proxy-key remains the same, the common key is newly updated for each encryption process, and the key management is efficient. Well improved.
Similarly, an administrator Adm.Gb is set for the group Gb, and a public key PK.Gb shared by the group is set. Each member of the group Gb and the administrator Adm.Gb
PKG distributes a private key for cryptographic processing and a private key for electronic signature corresponding to the ID.

The present invention designates a specific communication partner or a specific plurality of users, particularly in a field related to confidential transmission / reception or sharing of electronic information used on a communication network system. Thus, the security system is a security system that gives the authority to use the electronic information, encrypts the electronic information by the provider, and decrypts and uses the authority delegated.
When data is encrypted and stored in a file server and shared by multiple users, it is used for data storage or data encryption within the file server, taking into account operational mistakes by the administrator. It is necessary to take measures such as not exposing the common key in the file server. In the present invention, the authority to use the electronic information is given by a method of converting a ciphertext encrypted with one secret key into a secret key element so that the ciphertext can be decrypted with another secret key. Therefore, the ciphertext is processed without manipulating the original plaintext, and the use authority of the data by another third party is not given. In addition, the encryption method has the security of CCA, which is the de facto today, and can be expected as a very effective encrypted data sharing method by this file server.
Further, since it is possible to safely give the decryption authority transfer of the encrypted data, it is very effective as an authority management system for the database user.

FIG. 1 is a configuration diagram of an operation system in which an encryption processing system using a public key decryption authority delegation function according to the present invention is implemented on a communication network such as a LAN. FIG. 2 is a block diagram of a secret electronic data sharing system having a public key decryption authority delegation function to which the present invention is applied. FIG. 3 is a flowchart showing the relationship of functions required by PKG (Public Key Generator) and Adm.A (Adoministrator) of a secret electronic data sharing system having a public key decryption authority delegation function to which the present invention is applied. . FIG. 4 is an operation explanatory diagram of an access management system for each group to which the present invention is applied. FIG. 5 shows the security-related electronic data used by PKG, Adm, user, File-Server in the network of FIG. 2 in which the present invention is applied to operate the cryptographic processing function and the electronic signature function. It is explanatory drawing which shows the detail of.

Claims (7)

In a group composed of a specific user of the communication network system system, when concealing and sharing certain electronic information, in order to conceal the electronic information from other than this specific designated user, The electronic data is encrypted with an electronic data concealment public key common to the group, and only this specific designated user generates a decryption private key corresponding to the electronic data concealment public key to generate the electronic information In the form of decrypting and using the public key and the common key, the encryption key is updated every time the electronic data is encrypted, and the public key for concealing the electronic data common to the group can be trusted. In order to conceal electronic information from persons other than a plurality of users of this specific group, it is created and released with electronic data concealed by a third party. The electronic data that is encrypted with a common electronic data concealing public key and stored in the electronic data storage device, and the electronic data for giving the authority to decrypt and use the ciphertext to the users of the group can be trusted. Cryptographic processing method, key configuration method, and decryption authority that convert and give publicly available electronic data that is a part of the private key owned by the user based on the electronic data that the three parties keep confidential How to create data. In the encryption processing method of the communication network system according to claim 1, the key configuration method, and the data creation method for giving a decryption authority, in the encryption processing for creating the secret data with the electronic data secret public key common to the group, An arbitrarily defined value is set as encryption processing data, and based on the encryption processing data and the electronic data concealment public key, the key setting electronic data is once calculated, and the key setting electronic data and A common key and an authentication key are calculated from the electronic data concealment public key. Next, the electronic data is encrypted with the calculated common key to create encrypted data, and an authenticator is created by performing an authentication operation on the encrypted data with the authentication key. An encryption processing method in which the three types of data created here, that is, electronic data for key setting, encrypted data using a common key, and an authenticator using an authentication key are used as encrypted data using the public key of the electronic data, Key configuration method, data creation method to give decryption authority. 3. In the encryption processing method, key configuration method, and data creation method for granting decryption authority of the communication network system according to claim 2, when a provider provides certain electronic information, it indicates that the provider is the electronic information Electronic data to be disclosed is created with a private key for confirmation of provision of electronic data of the provider, and the user can make publicly available electronic data corresponding to the secret key for confirmation of provision of electronic data on a one-to-one basis In the electronic information processing system, when the public key for providing electronic data to be disclosed is one-to-one correspondence with the electronic data for identifying a specific user when the public key for providing is verified and confirmed, the group A key configuration method in which electronic data constituting a private key for decryption corresponding to a common public key for concealing electronic data is configured using data of a public key for electronic data provision confirmation that can be made public, Child data encryption method. 3. The encryption processing method, key configuration method, and data creation method for granting decryption authority of the communication network system according to claim 2, wherein the electronic data for key setting and the encrypted data by the common key are used as encrypted data by the public key of the electronic data. When three kinds of data of an authenticator using an authentication key are given, electronic data for giving authority to decrypt and use the ciphertext is obtained from a trusted third party and owned by itself. One of the elements of the secret key is replaced with the electronic data for giving the authority to decrypt and use, and the decryption secret key is reset.
Next, based on the reset decryption secret key and the public key for concealing electronic data, key setting electronic data is once calculated, and a common key and an authentication key are calculated from the key setting electronic data. . Next, an authenticator is calculated based on the calculated authentication key and the encrypted data using the common key, and whether the authentication matches the authenticator using the public key encrypted data authentication key. judge.
If they do not match, the processing of the electronic data is interrupted so far, and if they match, the encryption processing that decrypts the encrypted data using the common key with the common key calculated from the key setting electronic data and obtains the electronic data Method, key configuration method, and data creation method for granting decryption authority. 3. The encryption method, the key configuration method, and the data creation method for giving decryption authority of the communication network system according to claim 2, wherein a common key and an authentication key are calculated from the key setting electronic data and the electronic data concealment public key. In the encryption processing method of the communication network system according to claim 4, the key configuration method, and the data creation method for granting the decryption authority, based on the reset decryption secret key and the public key for concealing electronic data, Cryptographic processing method for communication network system, key configuration method, and data creation method for giving decryption authority, which are configured by using bilinear calculation on an elliptic curve for arithmetic processing for calculating electronic data for key setting The electronic data encryption processing method and key configuration method according to claim 1, 2, 3, and 4, wherein the electronic data is encrypted with a public key for concealing electronic data of the group, and another electronic data is claimed. The electronic data for authorizing the authority to decrypt and use the ciphertext created with the electronic data concealing public key common to the group described in 1, 2, 3, 4 is not updated, and the same electronic data is used. Cryptographic processing method, data creation method to give decryption authority. In the encryption processing method, the key configuration method, and the data creation method for giving the decryption authority of the communication network system according to claim 2, in a group composed of a specific user, an electronic data concealment public key common to the group is set. Electronic data concealed by a third party who owns and trusts the user who uses the group to give the authority to decrypt and use the ciphertext, and which is different from the group. When the electronic data for giving the authority to decrypt and use the ciphertext is given from another trusted third party who owns the public key for the group to two users of the group, two of the two groups Encrypt electronic data based on the public key for electronic data concealment to create encrypted electronic data. A user belonging to the group re-sets the decryption secret key based on the electronic data to which two decryption authorities are given and the private key owned by the user, and obtains the electronic data by decrypting the encrypted electronic data. Cryptographic processing method and key configuration of communication network system in which user users belonging to both groups of two groups share secret data, and common user users belonging to all of a plurality of groups share secret data Method, data creation method for giving decryption authority, and secret data sharing method.