JP2010141618A - Information processing apparatus, information processing method, and program - Google Patents

Abstract

An information processing apparatus, an information processing method, and a program capable of suppressing an encryption processing amount and a ciphertext size are provided.
A group selection unit for generating a cyclic group used in encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices in an information processing device according to the present invention; Parameter selection that is used for processing executed by the key processing device and that does not include secret information unique to each of the plurality of key processing devices and includes a plurality of parameters that are commonly used by each of the plurality of key processing devices And a function selection unit that selects a function that is used for processing related to ciphertext generation or decryption and that realizes a predetermined mapping.
[Selection] Figure 14

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program.

  There are two types of encryption methods: a common key encryption method and a public key encryption method. The common key cryptosystem requires a secret sharing in advance for communication, but has a property that processing is fast. On the other hand, the public key cryptosystem does not require prior secret sharing for communication, but has a property of slow processing. Due to the difference in properties, each encryption method is desired to be used in accordance with each situation.

  For example, it is possible to embed secret information in the company's devices in advance, and in a situation where communication is performed only between the devices of the company, the use of the common key cryptosystem is preferred. In addition, for example, when secret information is exchanged with others on the Internet on the Internet, it is assumed that secret sharing is not possible in advance, so use of a public key cryptosystem is preferred.

  In recent years, with the development of Internet web applications, communication between individual users via the Internet, such as SNS, online shopping, and net auction, has increased. In the service as described above, there may be a situation where the user transmits private information or valuable content. In such a situation, there may be a situation in which one-to-one or one-to-many encrypted communication is desired depending on the user's situation. As an encryption method suitable for both one-to-one and one-to-many communication in a small market via the Internet as described above, there is a multiple recipient public key encryption method. This technique is a method for improving efficiency by collectively performing processes that can be shared, instead of simply performing public key encryption processing for each user when transmitting ciphertexts to a plurality of users.

  Here, usually, in an encryption method using a public key encryption method, communication is performed using only the public key encryption method, and a hybrid encryption method combining the public key encryption method with a common key encryption method is often used. . In the hybrid cryptosystem, the plaintext portion is encrypted using a secret key in a common key cryptosystem with high processing speed, and the secret key used in the common key cryptosystem is encrypted using an encrypted public key cryptosystem. By doing so, it is possible to speed up the processing compared to using only the public key cryptosystem. In this case, the part processed using the public key encryption technology is called a multiple recipient key encapsulation mechanism (KEM). Further, the part processed using the common key encryption technology is called a multi-recipient data encapsulation mechanism (DEM).

  In the multi-recipient KEM, not only security but also public key size, secret key size, encryption processing, decryption processing, ciphertext size, etc. are important. From such a point of view, one of the methods that can be noticed as a multi-recipient KEM is a method in which the method described in Non-Patent Document 1 is changed to a multi-recipient KEM using an existing method. This method is an excellent method in terms of the balance between safety and efficiency.

E. Kiltz, “Chosen-ciphertext secure key-encapsulation based on gap hashed diffie-hellman” Public Key Cryptography, volume 4450 of Letter 28, 4450 of Letter. G. Hanaoka and K.H. Kurosawa, “Efficient chosen ciphertext public key encryption under the computational diffraction-hellman assumption, Cryptology ePrint2200 / CryptologiePrint8 http: // eprint. iacr. org /. D. Cash, E.M. Kiltz, V.M. Shop, “The Twin Diffie-Hellman Problem and Applications” EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 127-145, Spring. M.M. Barbosa and P.A. Farshim, “Randomness reuse: Extensions and improvements” IMA Int. Conf. , Volume 4887 of Lecture Notes in Computer Science, pages 257-276, Springer, 2007. A. J. et al. Menezes, P.M. C. Oorschot, S .; A. Vanstone, “Handbook of Applied Cryptography” CRC Press, 2007.

  However, in the method as described above, there is a problem that the efficiency of the encryption processing amount and the ciphertext size increases in proportion to the number of recipients.

  Therefore, the present invention has been made in view of such problems, and it is an object of the present invention to provide an information processing apparatus, an information processing method, and a program capable of suppressing an encryption processing amount and a ciphertext size.

  In order to solve the above-described problem, according to an aspect of the present invention, a group for generating a cyclic group used in encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices. The selection unit is used for processing executed by the key processing device during the encrypted communication, and does not include secret information unique to each of the plurality of key processing devices, and is common to each of the plurality of key processing devices. A parameter selection unit that selects a plurality of parameters including parameters to be used; a function selection unit that is used for processing related to generation or decryption of ciphertext in the encrypted communication and that selects a function that realizes a predetermined mapping; and the group Using the cyclic group selected by the selection unit, the plurality of parameters selected by the parameter selection unit, and the function selected by the function selection unit, the plurality of recipients are disclosed. The information processing apparatus and a system parameter generation unit for generating a system parameter that is used in cryptography is provided.

  According to such a configuration, the group selection unit generates a cyclic group that is used in encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices. The parameter selection unit is used for processing executed by the key processing device at the time of encrypted communication, and does not include secret information unique to each of the plurality of key processing devices, and is common to the plurality of key processing devices. Select a plurality of parameters, including the parameters to be used. The function selection unit is used for processing related to generation or decryption of ciphertext in encrypted communication, and selects a function that realizes a predetermined mapping. Further, the system parameter generation unit uses a cyclic group selected by the group selection unit, a plurality of parameters selected by the parameter selection unit, and a function selected by the function selection unit, and uses a plurality of recipient public keys. Generate system parameters used for cryptographic techniques.

  The parameters used in the process executed by the key processing device during the encrypted communication and not including secret information unique to each of the plurality of key processing devices are commonly used for each of the plurality of key processing devices. The key processing device may be a parameter used when generating a verification parameter used in ciphertext verification processing.

  The parameters used in the process executed by the key processing device during the encrypted communication and not including secret information unique to each of the plurality of key processing devices are commonly used for each of the plurality of key processing devices. A parameter used when generating a session key used when generating a ciphertext in the key processing device may be used.

  The parameter selection unit further selects a first parameter belonging to the cyclic group selected by the group selection unit, and performs only a predetermined group operation on the first parameter to thereby change the first parameter belonging to the cyclic group. Two parameters may be generated.

  The parameter selection unit further selects a first parameter belonging to the cyclic group selected by the group selection unit, and assigns a value obtained by substituting the first parameter to a predetermined function, the cyclic group. It is good also as the 2nd parameter which belongs to.

  The function selection unit selects at least one conversion function that converts the input value to a value that is difficult to generate an output value even if only a predetermined group operation is performed on the input values belonging to the predetermined group. The parameter selection unit may further select a parameter using the first parameter selected from the cyclic group and the conversion function.

The group selection unit selects two groups G ₁ and G ₂ that are different from each other, and the selected group G ₁ and group G ₂ have an isomorphism mapping that realizes mapping from the group G ₁ to the group G ₂ . May be present.

  It is preferable that the function selection unit selects a function having target collision difficulty.

  The function selection unit preferably selects a function whose output is uniformly distributed in the value range when the input value is selected from the definition range to be uniformly distributed.

  In order to solve the above-mentioned problem, according to another aspect of the present invention, a session key used for encrypted communication based on a multi-recipient public key encryption technology performed with another information processing apparatus is generated. A multi-recipient key encapsulation mechanism unit, and a data encapsulation mechanism unit that generates a ciphertext to be transmitted in the encrypted communication using the session key. , A key generation unit that generates a public key and a secret key unique to the device used in the encrypted communication based on the acquired system parameters, and verification used for the verification process of the session key and the ciphertext An encryption unit for generating a parameter for the system based on the system parameter; And the system parameter is used for processing executed by the own device at the time of the encrypted communication, and the secret information unique to each of the own device and the other information processing device. Provided by the information processing apparatus that includes the parameters commonly used by the own apparatus and other information processing apparatuses, and that generates the session key or the verification parameter common to the plurality of recipients. Is done.

  Used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and other information processing devices, and is used in common by the own device and other information processing devices. The parameter to be used may be a parameter used when generating the verification parameter.

  Used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and other information processing devices, and is used in common by the own device and other information processing devices. The parameter to be used may be a parameter used when generating the session key.

  In order to solve the above-described problem, according to still another aspect of the present invention, a cyclic group used in encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices is generated. And a step executed by the key processing device during the encrypted communication, and does not include secret information unique to each of the plurality of key processing devices, and is common to each of the plurality of key processing devices. A step of selecting a plurality of parameters including a parameter to be used; a step of selecting a function used to generate or decrypt a ciphertext in the encrypted communication and realizing a predetermined mapping; and a selection by the group selection unit The plurality of recipient public key encryptions using the selected cyclic group, the plurality of parameters selected by the parameter selection unit, and the function selected by the function selection unit Generating a system parameters used in surgery, an information processing method comprising is provided.

  In order to solve the above-described problem, according to still another aspect of the present invention, there is provided a self-device used in encrypted communication based on a multi-recipient public key encryption technology performed with another information processing device. A key generation step for generating a unique public key and a secret key based on the acquired system parameters, and a verification key used for verification processing of a session key and ciphertext used in the encrypted communication, An encryption step that is generated based on the parameter, and a decryption step that obtains a ciphertext relating to the session key and decrypts it based on the system parameter. Used for processing executed in the system, and does not include secret information unique to each of its own device and other information processing devices. It includes a parameter used in common in each location, the encryption unit, an information processing method for generating the session key or the verification parameter common to the plurality recipient is provided.

  In order to solve the above-described problem, according to still another aspect of the present invention, a computer is used for cyclic communication that is performed during encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices. A group selection function for generating a group, and a process executed by the key processing device at the time of the encrypted communication. The plurality of key processing devices do not include secret information unique to each of the plurality of key processing devices. Parameter selection function for selecting a plurality of parameters including parameters used in common with each other, and function selection for selecting a function that realizes a predetermined mapping, which is used for processing related to ciphertext generation or decryption in the encrypted communication A function, a cyclic group selected by the group selection unit, a plurality of parameters selected by the parameter selection unit, and a function selected by the function selection unit. There are a program for implementing the, and the system parameter generation function of generating a system parameter that is used in the plurality recipients public key cryptography is provided.

  In order to solve the above-described problem, according to still another aspect of the present invention, a computer capable of performing encrypted communication with another information processing apparatus based on a multi-recipient public key encryption technique, Parameters that are used for processing executed by the own device during encrypted communication, do not include secret information unique to the own device and other information processing devices, and are used in common by the own device and other information processing devices A function for generating a public key and a private key unique to the device used in the encrypted communication based on a system parameter including the session key and ciphertext verification process used in the encrypted communication A function for generating verification parameters used in the system based on the system parameters, and obtaining ciphertext relating to the session key and based on the system parameters Program for realizing a function of decoding, is provided.

  According to the present invention, it is possible to suppress the encryption processing amount and the ciphertext size.

  Exemplary embodiments of the present invention will be described below in detail with reference to the accompanying drawings. In addition, in this specification and drawing, about the component which has the substantially same function structure, duplication description is abbreviate | omitted by attaching | subjecting the same code | symbol.

The description will be made in the following order.
(1) Purpose (2) Technology underlying the present invention (3) First embodiment (3-1) Configuration of information processing apparatus (3-2) Information processing method according to the present embodiment (3-3) Information processing method (3-4) Calculation amount and ciphertext size during encryption (3-5) First modification (4) Second embodiment 4-1) Configuration of information processing apparatus (4-2) Encryption processing method that is the basis of the information processing method according to the present embodiment (4-3) Information processing method (4-4) Calculation at the time of encryption About the amount and the size of the ciphertext (4-5) About the first modification (4-6) About the calculation amount and the size of the ciphertext at the time of encryption (5) Third embodiment (5-1) Information processing device (5-2) Information processing method according to this embodiment (5-3) Information processing method (5-4) Computation amount and ciphertext size during encryption (6) Fourth embodiment (6-1) Information processing device (6-2) Cryptographic processing method that is the basis of the information processing method according to the present embodiment (6-3) Information processing method (6-4) First modification (7) Each of the present invention Hardware configuration of information processing apparatus according to embodiment (8) Summary

<Purpose>
An information processing apparatus and an information processing method according to each embodiment of the present invention described below relate to the above-described multiple recipients KEM. Prior to describing the information processing apparatus and the information processing method according to each embodiment of the present invention, the present invention will be described in detail while explaining the current situation where a multi-recipient public key cryptosystem is placed. explain.

  The multi-recipient public key cryptosystem focused on in the present invention is not to simply perform public key cryptography processing for each user, but to perform processing that can be shared when sending ciphertext to a plurality of users. This is an efficient system. Here, in order to increase the efficiency of the processing to be executed, a hybrid type technology combining public key encryption technology and common key encryption technology is used.

  As a technique similar to the multi-recipient public key encryption technique, there is a technique called public-key broadcast encryption scheme. These technologies differ in their assumed usage. That is, the public-key broadcast encryption scheme assumes a large-scale large-scale system that places a heavy burden on the system administrator. On the other hand, the multi-recipient public key encryption technology assumes a simple small-scale system that does not require an administrator after the system configuration.

  In the public-key broadcast encryption scheme, an administrator must basically generate a key each time a user joins the system and pass the generated key to the user. Therefore, the system administrator needs to manage the system during the system configuration. On the other hand, in the multi-recipient public key cryptosystem, once the system is constructed, the user can generate the key by himself and can freely join the system. For this reason, the system administrator need not manage the system once the system is constructed. However, the multi-recipient public key cryptosystem is not suitable for a situation in which ciphertext is transmitted to the majority because the system efficiency decreases as the number of recipients increases.

  Therefore, in the information processing apparatus and the information processing method according to each embodiment of the present invention, the information processing apparatus and information capable of suppressing the encryption processing amount to about half and suppressing the ciphertext size to about half. It is an object to provide a processing method and a program.

<Technology that is the basis of the present invention>
First, prior to detailed description of each embodiment according to the present invention, technical matters forming the basis for realizing each embodiment of the present invention will be described with reference to FIGS. In addition, each embodiment of this invention is comprised so that a more remarkable effect can be acquired by adding improvement on the fundamental technique described below. Therefore, the technology relating to the improvement is the only part that characterizes each embodiment of the present invention. That is, each embodiment of the present invention follows the basic concept of the technical matters described here, but the essence is rather concentrated in the improved portion, the configuration is clearly different, and the effect is the basic technology. Note that is a clear line.

[About public key cryptosystem]
First, a public key cryptosystem will be described with reference to FIGS. 1 to 3 are explanatory diagrams for explaining a public key cryptosystem.

  As shown in FIG. 1, for example, each user who uses a public key encryption system sets various parameters called system parameters, and generates a private key and a public key used by each user after setting the system parameters. The system parameters are parameters that do not include user secret information, such as hash functions used in public key cryptosystems, groups used in various operations, and bilinear mapping. Subsequently, each user participating in the public key cryptosystem discloses the system parameters determined by the user and the public key.

For example, in the example shown in FIG. 1, the user 1 is to set the system parameters _{I 1,} and the public key pk _1, generates a secret key sk _1. The secret key sk ₁ is concealed by the user 1 as a key that only the user 1 knows, and the system parameter I ₁ and the public key pk ₁ are disclosed to other users.

Similarly, the user 2 sets the system parameter I ₂ , the public key pk ₂ , and the secret key sk ₂ , and discloses the system parameter I ₂ and the public key pk ₂ . Further, the user 3 sets the system parameter I ₃ , the public key pk ₃ , and the secret key sk ₃ , and discloses the system parameter I ₃ and the public key pk ₃ .

Further, when a message is transmitted using the public key cryptosystem, the message sender encrypts the message to be transmitted using the public key and system parameters disclosed by the receiver. For example, as shown in FIG. 1, consider a case where user 1 sends a message to user 2 and user 3. The user 1 encrypts the message m ₂ using the public key pk ₂ and the system parameter I ₂ disclosed by the user 2 and transmits the message m ₂ to the user 2. Similarly, the user 1 encrypts the message m ₃ using the public key pk ₃ disclosed by the user 3 and the system parameter I ₃ and transmits the message m ₃ to the user 3. In FIG. 1, the notation Enc (pk ₂ , m ₂ , I ₂ ) represents the message m ₂ encrypted using the public key pk ₂ and the system parameter I ₂ .

Moreover, since each user can generate the public key pk and the private key sk, the user who wishes to newly join the system can participate in the public key cryptosystem at an arbitrary timing. For example, as shown in FIG. 2, when the user 4 wishes to participate in the public key encryption system, the user 4 itself set the system parameters I _4, and generates a public key pk ₄ and the secret key sk ₄ The system parameter I ₄ and the public key pk ₄ are disclosed above. When the user 3 transmits the message m ₄ to the user 4, the user 3 encrypts the message m ₄ using the public key pk ₄ and the system parameter I ₄ disclosed by the user 4, and the user 3 4 to send.

  In addition, since the system parameters used in the public key cryptosystem are parameters that do not include user secret information, they can be shared among users. Therefore, as shown in FIG. 3, a third party that generates system parameters that are commonly used in the public key cryptosystem can be set as a system parameter generator. Further, the system parameter generator can participate in the public key cryptosystem as a user.

[About multi-recipient public key cryptosystem]
Next, the multiple recipient public key cryptosystem will be described with reference to FIGS. 4 to 7 are explanatory diagrams for explaining the multi-recipient public key cryptosystem.

  A multi-recipient public-key encryption system is a cryptographic system that shares and uses a system parameter I generated by a system parameter generator, for example, as shown in FIG.

  Each user who uses the multi-recipient public key encryption system generates a secret key and a public key to be used by each user by using a publicly available system parameter I as shown in FIG. Subsequently, each user participating in the multi-recipient public key cryptosystem discloses the public key determined by the user.

  In a multi-recipient public key cryptosystem, a message to be transmitted is encrypted using a public key of a plurality of recipients and common system parameters. By using common system parameters, it is possible to perform encryption processing for several people all at once.

For example, as shown in FIG. 5, consider a case where user 1 transmits a message to each of user 2 and user 3. In this case, the user 1 encrypts all the messages to be transmitted to the user 2 and the user 3 using the public keys pk ₂ and pk ₃ of the user 2 and the user 3 and the common system parameter I. In FIG. 5, the notation MEnc ((pk ₂ , pk ₃ ), (m ₂ , m ₃ ), I) indicates that the message m ₂ and the message m ₃ are the public keys pk ₂ , pk _3, and the system parameter I. It is encrypted using, and sent to multiple recipients at once.

Also, in the multi-recipient public key cryptosystem, when the same message is transmitted to a plurality of recipients, such as m ₂ = m ₃ , more efficient encryption specialized for such usage It is possible to use a method.

In addition, since the user can generate the public key pk and the secret key sk by using the common system parameter I, a user who wishes to newly join the system can enter the multi-recipient public key cryptosystem at an arbitrary timing. Can participate. For example, as shown in FIG. 6, when the user 4 wishes to participate in the multi-recipient public key cryptosystem, the user 4 himself / herself generates the public key pk ₄ and the private key sk ₄ and then uses the public key. pk ₄ is released. When the user 3 transmits the message m ₄ to the user 4, the user 3 encrypts the message m ₄ using the public key pk ₄ disclosed by the user ₄ and the common system parameter I, Send to user 4.

  As an example of the multiple recipient public key cryptosystem, there is a method of performing one-to-many communication. Examples of this one-to-many communication method include a method of encrypting different messages for a plurality of recipients and a method of encrypting the same message for a plurality of recipients.

The example shown in FIG. 7 is a multi-recipient public key encryption system based on ElGamal encryption. In this method, the message m is encrypted using the public key pk _i = (g _i , y _i ) set by each user. However, since this encrypted message includes all messages addressed to each recipient, sending a message to n people requires n times more processing than sending the message to one person. There is a problem.

[About hybrid encryption]
Subsequently, the hybrid encryption will be described in detail with reference to FIGS. 8-13 is explanatory drawing for demonstrating a hybrid encryption.

  First, the advantages and disadvantages of the public key cryptosystem will be described with reference to FIG. The public key cryptosystem has the advantage that no prior secret sharing is required between communicating users. In the public key cryptosystem, as shown in FIG. 8, the plaintext desired to be transmitted is converted into ciphertext using the public key pk and transmitted to the receiver. The recipient who has received the ciphertext decrypts the ciphertext using his / her private key sk.

  However, when transmitting a large amount of data, there is a disadvantage that more processing time is required because the data to be processed is large.

  On the other hand, the common key encryption system has an advantage that the encryption process is fast although there is a disadvantage that a secret sharing is necessary between users performing communication.

  Therefore, it is possible to improve the efficiency of processing by using a hybrid cipher that performs processing by the common key cryptosystem inside the processing by the public key cryptosystem. In other words, large-capacity data is converted into ciphertext using common key encryption processing, and a key used for common key encryption processing is encrypted using public key encryption processing. Here, a processing unit that performs cryptographic processing using public key cryptographic processing is referred to as a key encapsulation mechanism unit (hereinafter also referred to as KEM), and a processing unit that performs cryptographic processing using common key cryptographic processing is referred to as data It will be referred to as an encapsulation mechanism (hereinafter also referred to as DEM).

The hybrid cryptosystem is illustrated in FIG.
The sender uses the session key dk to encrypt a large amount of data to be transmitted by the DEM encryption processing unit (DEM.enc). Further, the sender encrypts the session key dk using the public key pk by the KEM encryption processing unit (KEM.enc). The sender transmits φ that has encrypted the session key dk and χ that has encrypted the data as ciphertext.

  The recipient of the ciphertext processes φ included in the ciphertext by the KEM decryption processing unit (KEM.dec) using the secret key sk, and generates a session key dk. Further, χ included in the ciphertext is processed by the decryption processing unit (DEM.dec) of the DEM using the generated session key dk to decrypt the data.

  Thus, in order to hybridize the public key encryption system, as shown in FIG. 10, a KEM and a DEM are provided in the apparatus. The public key pk is input to the KEM, and the session key dk is generated together with the ciphertext using a random number generated inside the KEM algorithm. Also, plaintext m is input to the DEM and encrypted using the session key dk generated by the KEM.

  Note that KEM is a technology specialized for use in encrypting a session key, which is a random number, with a public key encryption technology when configuring a hybrid encryption. Moreover, although all public key ciphers can be used as KEM, it cannot be said that all public key ciphers can be used as KEM.

  The hybrid method as described above can be applied to a multi-recipient public key encryption system. When hybridizing a multi-recipient public key system, there are mainly three types of methods as shown in FIGS.

  In the first method, as shown in FIG. 11, for example, a multi-recipient public key cipher that encrypts and transmits different messages to a plurality of recipients is hybridized.

  The first method is a method of providing a mm-KEM (multi-recipient multi-KEM) described below instead of the KEM introduced when the normal public key cryptosystem is hybridized.

As shown in FIG. 11, the MmKEM, is input the public key _pk 1 _{~pk n} of each recipient, and the session key _dk 1 to Dk _n for each recipient, the session key _dk 1 to Dk _n Φ ₁ to φ _n are output. Further, DEM is a message _m 1 ~m _n which is transmitted to the respective recipients, then encrypted with the corresponding session key _dk 1 to Dk _n, and outputs the χ ₁ ~χ _n. Sender, a ciphertext, and phi ₁ to [phi] _n, and χ ₁ ~χ _n, and transmits to a plurality of recipients at one time.

  In the second and third methods, as shown in FIGS. 12 and 13, for example, a multi-recipient public key cipher that encrypts and transmits a common message to a plurality of recipients is hybridized. is there.

As shown in FIG. 12, for example, the second method uses a pseudo random number generator (PRNG), mmKEM, and DEM, and uses session keys dk ₁ to dk ₁ for each receiver. to encrypt the dk _n.

More specifically, one of the session key dk outputted from PRNG, common key encryption by DEM using the session key _dk 1 to Dk _n for each recipient that is output from mmKEM, χ ₁ ~ χ _n is generated. Further, the message m transmitted in common to each recipient is subjected to common key encryption using one session key dk output from PRNG, and an encrypted message χ is generated. Sender, and phi ₁ to [phi] _n by encrypting each of the session key dk ₁ to Dk _n, and χ ₁ ~χ _n that encrypted the session key dk using the common key encryption process, encrypted The message χ is transmitted as ciphertext to a plurality of recipients at a time.

  The third method is a method of providing ms-KEM (multi-recipient single-KEM), which will be described below, instead of the KEM introduced when a normal public key cryptosystem is hybridized.

As shown in FIG. 13, the public keys pk _{1 to} pk _n of the respective recipients are input to the msKEM, and the common session key dk and session key dk are assigned to each recipient. The encrypted φ ₁ to φ _n are output. In addition, the DEM encrypts the common message m transmitted to each receiver using the session key dk, and outputs an encrypted message χ. The sender transmits φ _{1 to} φ _n and χ as ciphertexts to a plurality of recipients at a time.

  As described above, the multiple recipient public keys can be selected by appropriately selecting the first to third methods described above depending on whether a different message or a common message is sent to each recipient. It is possible to hybridize the cryptographic system.

[Lagrange interpolation formula]
Next, Lagrange's interpolation formula will be briefly described. In each embodiment of the present invention described below, a Lagrangian interpolation formula for a quadratic function is used.

In general, when arbitrary three points are given, a quadratic function passing through these three points is uniquely determined. More specifically, given three points (x ₁ , f (x ₁ )), (x ₂ , f (x ₂ )), (x ₃ , f (x ₃ )), the quadratic function f (X) can be expressed as Equation 1 below. Here, λ used in the following formula 1 is as shown in the following formulas 2 to 4.

  That is, given any three points, f (x) can be calculated for any x.

This Lagrangian interpolation formula is applied as follows in each embodiment of the present invention. In other words, the generation content of the group having the prime p in the order is g, and the following contents hold for the quadratic function f (x) = a ₀ + a ₁ x + a ₂ x ² .

Generated when a generation source g and arbitrary three points (x ₁ , g ^f (x ₁ ⁾ ), (x ₂ , g ^{f (x 2)} ), (x ₃ , g ^{f (} x ₃ ⁾ ) are given It is possible to calculate the value shown in the following Expression 5 in which the coefficients a ₀ , a ₁ , and a _{2 of the} quadratic function are on the power of the element g.

[About bilinear mapping in bilinear groups]
Next, a bilinear map on the bilinear group will be described. The _{G 1, G 2, G e} , and each cyclic group to position number prime p. The bilinear map e means that the bilinearity shown in the following equation 6 and the non-linearity shown in the following equation 7 for any generators g ₁ ∈G ₁ , g ₂ ∈G ₂ and a, b∈Zp. A map that satisfies the two properties of degeneracy. In the following formula 7, 1 _e is a unit element of G _e .

Incidentally, bilinear mapping from the relationship between G ₁ and G _2, can be classified roughly into the following three types.

Bilinear mapping when G ₁ and G ₂ are the same group Bilinear when G ₁ and G ₂ are different groups but there is an efficient isomorphic mapping ψ: G ₁ → G ₂ Mapping • G ₁ and G ₂ are different groups, and bilinear mapping when there is no efficient isomorphism of ψ: G ₁ → G ₂

  In the following, the information processing apparatus and the information processing method according to each embodiment of the present invention will be described in detail, based on the basic technology described above.

(First embodiment)
<Configuration of information processing device>
Hereinafter, the configuration of the information processing apparatus according to the first embodiment of the present invention will be described in detail with reference to FIGS. 14 to 16. FIG. 14 is a block diagram for explaining the configuration of the information processing apparatus according to the present embodiment that functions as a system parameter generation apparatus. 15 and 16 are block diagrams for explaining the configuration of the information processing apparatus according to the present embodiment that functions as a key processing apparatus.

[Configuration of system parameter generator]
First, the configuration of the information processing apparatus 10 according to the present embodiment that functions as a system parameter generation apparatus used by a system parameter generator will be described in detail with reference to FIG.

  The information processing apparatus 10 according to the present embodiment includes, for example, a group selection unit 101, a function selection unit 103, a parameter selection unit 105, a system parameter generation unit 107, a system parameter disclosure unit 109, and a communication control unit 111. The storage unit 114 is mainly provided.

The group selection unit 101 includes, for example, a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The group selection unit 101 randomly selects a k-bit prime number p using a random number or the like based on the input security parameter 1 ^k . Next, the group selection unit 101 selects a group _{G 1, G 2, G e} to position number prime p selected. The group selection unit 101 also selects a bilinear map e that satisfies G ₁ × G ₂ → G _e . Here, the number of bits of the prime number p can be set to an arbitrary value according to the required security level, but for example, k = 160 can be set.

  Here, the group selected by the group selection unit 101 may be an arbitrary group as long as it can realize a bilinear mapping.

The group selection unit 101 transmits the selected prime number p, groups G ₁ , G ₂ , G _e , and bilinear mapping e to the system parameter generation unit 107 described later. Further, the group selection unit 101 may record the selected bilinear group G ₁ , G ₂ , G _e and the determined bilinear mapping e in the storage unit 113 described later.

The function selection unit 103 includes, for example, a CPU, a ROM, a RAM, and the like. The function selection unit 103 uses the group selected by the group selection unit 101 to select various functions to be used when the key processing device described later performs processing. More specifically, the function selection unit 103 is configured such that, for example, the function selection unit 103 realizes a function H ₁ that realizes a mapping G ₁ → Z _p and a function H ₁ that realizes a mapping G ₁ → {0, 1} ^l. ₂ is selected. Here, l is the bit length of the results generated value using a function H _2, but can be set to any value depending on the security level required, for example, l = 128 (i.e., 128 Bit).

As the two types of functions selected by the function selection unit 103, any function can be selected as long as it realizes the above mapping. Further, if the function H ₁ and the function H ₂ satisfy the following properties, it is possible to prove safety.

The function H ₁ is a function TCR that satisfies the property of target collision resistance.
The function H ₂ is a function H whose output is uniformly distributed in the range when the input value is selected from the domain to the uniform distribution.

  The function selection unit 103 transmits the selected various functions to the system parameter generation unit 107 described later. The function selection unit 103 may record the selected various functions in the storage unit 113 described later.

  The parameter selection unit 105 includes, for example, a CPU, a ROM, a RAM, and the like. The parameter selection unit 105 selects various parameters used by the information processing apparatus 10 according to the present embodiment to generate system parameters based on a predetermined method. The parameter selection unit 105 randomly determines a value using, for example, a random number or the like when selecting various parameters. The parameter selection unit 105 transmits the selected parameters to the system parameter generation unit 107 described later. The parameter selection unit 105 may record the selected various parameters in the storage unit 113 described later.

  The system parameter generation unit 107 includes, for example, a CPU, a ROM, a RAM, and the like. The system parameter generation unit 107 uses the various data transmitted from the group selection unit 101, the parameter selection unit 103, and the function selection unit 105 to generate system parameters in the multi-receiver public key cryptosystem. The generated system parameters are recorded in the storage unit 113 including an HDD, a memory having a secure module, and the like. In addition, the system parameter generation unit 107 transmits the generated system parameter to a system parameter disclosure unit 109 described later.

  The system parameter disclosure unit 109 includes, for example, a CPU, a ROM, a RAM, and the like. The system parameter disclosure unit 109 distributes the system parameters generated by the system parameter generation unit 107 to the information processing device 20 that functions as a key processing device via the communication network 3.

  The communication control unit 111 includes, for example, a CPU, a ROM, a RAM, a communication device, and the like. The communication control unit 111 controls communication performed between the information processing apparatus 10 that functions as a system parameter generation apparatus and the information processing apparatus 20 that functions as a key processing apparatus.

  The storage unit 113 records the prime p selected by the group selection unit 101, the group and the bilinear mapping, the various functions selected by the function selection unit 103, and the various parameters selected by the parameter selection unit 105. In addition to these various types of data, the storage unit 113 also stores various parameters that the information processing apparatus 10 needs to store when performing some processing, the progress of processing, or various databases. Can be stored as appropriate. The storage unit 113 can be freely read and written by the group selection unit 101, the function selection unit 103, the parameter selection unit 105, the system parameter generation unit 107, the system parameter disclosure unit 109, the communication control unit 111, and the like. .

  Note that the communication network 3 to which the information processing device 10 can be connected enables bidirectional communication or one-way communication between the information processing device 10 that functions as a system parameter generation device and the information processing device 20 that functions as a key processing device. It is a communication network to be connected. This communication network is, for example, a public network such as the Internet, a telephone network, a satellite communication network, a broadcast communication channel, a WAN (Wide Area Network), a LAN (Local Area Network), an IP-VPN (Internet Protocol-Virtual). Private network), a dedicated line network such as a wireless LAN, etc., whether wired or wireless.

  Heretofore, an example of the function of the information processing apparatus 10 according to the present embodiment has been shown. Each component described above may be configured using a general-purpose member or circuit, or may be configured by hardware specialized for the function of each component. In addition, the CPU or the like may perform all functions of each component. Therefore, it is possible to appropriately change the configuration to be used according to the technical level at the time of carrying out the present embodiment.

  It should be noted that a computer program for realizing each function of the information processing apparatus according to the present embodiment as described above can be produced and installed in a personal computer or the like. In addition, a computer-readable recording medium storing such a computer program can be provided. The recording medium is, for example, a magnetic disk, an optical disk, a magneto-optical disk, a flash memory, or the like. Further, the above computer program may be distributed via a network, for example, without using a recording medium.

[Configuration of key processing device]
Next, the configuration of the information processing apparatus 20 according to the present embodiment that functions as a key processing apparatus used by each user who uses the multi-recipient public key cryptosystem will be described in detail with reference to FIGS. 15 and 16. To do.

  The information processing apparatus 20 according to the present embodiment includes, for example, a multi-recipient key encapsulation mechanism unit (mKEM) 201, a data encapsulation mechanism unit (DEM) 203, a communication control unit 205, and a storage unit 207. Prepare mainly.

  The mKEM 201 is composed of, for example, a CPU, a ROM, a RAM, and the like. The mKEM 201 performs an operation based on public key encryption processing using the public key of the recipient who is the message transmission target, and generates a session key for encrypting the message to be transmitted. Further, the mKEM 201 encrypts the generated session key and transmits the encrypted session key to the information processing apparatus 20 used by the sender via the communication control unit 205 described later. The mKEM 201 transmits the generated session key to the DEM 203 described later. The mKEM 201 will be described in detail later.

  The DEM 203 includes, for example, a CPU, a ROM, a RAM, and the like. The DEM 203 uses the session key transmitted from the mKEM 201 to encrypt a message to be transmitted to the recipient based on the common key encryption process. Further, the DEM 203 transmits the encrypted message to another information processing apparatus (key processing apparatus) 20 via the communication control unit 205 described later. As the common key encryption process performed by the DEM 203, for example, any method can be selected according to the characteristics of the message to be transmitted and various conditions.

  The communication control unit 205 includes, for example, a CPU, a ROM, a RAM, a communication device, and the like. The communication control unit 205 controls communication performed with the information processing apparatus 10 that functions as a system parameter generation apparatus. Further, the communication control unit 205 controls communication performed with another information processing apparatus 20 used by the receiver.

  The storage unit 207 records system parameters generated by the information processing apparatus 10 that functions as a system parameter generation apparatus. In addition to the system parameters, the storage unit 207 appropriately stores various parameters that need to be saved when the information processing apparatus 20 performs some processing, the progress of processing, or various databases. It is possible to memorize. The storage unit 207 can be freely read and written by the mKEM 201, the DEM 203, the communication control unit 205, and the like.

  Next, the mKEM 201 included in the information processing apparatus 20 according to the present embodiment will be described in detail with reference to FIG.

  For example, as illustrated in FIG. 16, the information processing apparatus 20 according to the present embodiment mainly includes a key generation unit 211, an encryption unit 221, and a decryption unit 231.

  The key generation unit 211 includes, for example, a CPU, a ROM, a RAM, and the like. The key generation unit 211 generates a public key pk and a secret key sk that are used by a user who possesses the information processing apparatus 20 by using the system parameters acquired from the information processing apparatus 10 that functions as a system parameter generation apparatus. The key generation unit 211 further includes a parameter generation unit 213, a secret key generation unit 215, a public key generation unit 217, and a public key disclosure unit 219.

  The parameter generation unit 213 includes, for example, a CPU, a ROM, a RAM, and the like. The parameter generation unit 213 generates various parameters required for the key generation process in accordance with the key generation method defined in the multi-recipient public key encryption process executed by the mKEM 201. When generating various parameters, the parameter generation unit 213 refers to the system parameters stored in the storage unit 207 or the like. The parameter generation unit 213 transmits the generated various parameters to a secret key generation unit 215 and a public key generation unit 217 described later.

  The secret key generation unit 215 is constituted by, for example, a CPU, a ROM, a RAM, and the like. The secret key generation unit 215 uses the parameters transmitted from the parameter generation unit 213 and the system parameters stored in the storage unit 207 and the like, and is defined in the multi-recipient public key encryption process executed by the mKEM 201 A secret key sk is generated according to the generation method. The secret key generation unit 215 stores the generated secret key sk in the storage unit 207 or the like to conceal it.

  The public key generation unit 217 includes, for example, a CPU, a ROM, a RAM, and the like. The public key generation unit 217 uses the parameters transmitted from the parameter generation unit 213 and the system parameters stored in the storage unit 207 and the like, and is defined in the multi-recipient public key encryption process executed by the mKEM 201 A public key pk is generated according to the generation method. The public key generation unit 217 stores the generated public key pk in the storage unit 207 and the like, and transmits the public key pk to the public key disclosure unit 219 described later.

  The public key public unit 219 is composed of, for example, a CPU, a ROM, a RAM, and the like. The public key disclosure unit 219 discloses the public key pk transmitted from the public key generation unit 217 to the other information processing apparatus 20 via the communication control unit 205.

  The encryption unit 221 includes, for example, a CPU, a ROM, a RAM, and the like. The encryption unit 221 uses the system parameters acquired from the information processing apparatus 10 functioning as a system parameter generation apparatus, and the public key pk publicized by the information processing apparatus 20 possessed by the message recipient, Generate and encrypt session keys. The encryption unit 221 further includes a parameter selection unit 223, a verification parameter generation unit 225, and a session key generation unit 227.

  The parameter selection unit 223 includes, for example, a CPU, a ROM, a RAM, and the like. The parameter selection unit 223 selects and generates various parameters necessary for the encryption process in accordance with the encryption method defined in the multi-recipient public key encryption process executed by the mKEM 201. When selecting and generating various parameters, the parameter selection unit 223 refers to the system parameters stored in the storage unit 207 or the like. The parameter selection unit 223 transmits the generated various parameters to a verification parameter generation unit 225 and a session key generation unit 227 described later.

  The verification parameter generation unit 225 includes, for example, a CPU, a ROM, a RAM, and the like. The verification parameter generation unit 225 performs verification parameters required for the verification process executed in the decryption process by the message receiver in accordance with the encryption method defined in the multi-receiver public key encryption process executed by the mKEM 201. Is generated. When generating the verification parameter, the verification parameter generation unit 225 uses the system parameter and the parameter transmitted from the parameter selection unit 223 and does not use the public key pk disclosed by the message recipient.

  The session key generation unit 227 is constituted by, for example, a CPU, a ROM, a RAM, and the like. The session key generation unit 227 generates a session key used for the common key encryption process executed by the DEM 203 in accordance with the encryption method defined in the multi-recipient public key encryption process executed by the mKEM 201. In addition, the session key generation unit 227 transmits the generated session key to the DEM 203.

  The encryption unit 221 associates the generated verification parameter and the session key with each other and transmits the encrypted message generated by the DEM 203 to the other information processing apparatus 20 via the communication control unit 205. . In other words, the encryption unit 221 is a processing unit that is used when the owner of the information processing apparatus 20 is a message sender.

  For example, the decoding unit 231 includes a CPU, a ROM, a RAM, and the like. The decryption unit 231 includes the system parameters acquired from the information processing apparatus 10 functioning as a system parameter generation apparatus, the ciphertext transmitted from the information processing apparatus 20 possessed by the sender of the message, and its own secret key sk. Is used to decrypt the session key. The decryption unit 231 further includes a parameter calculation unit 233, a verification unit 235, and a session key calculation unit 237.

  The parameter calculation unit 233 includes, for example, a CPU, a ROM, a RAM, and the like. The parameter calculation unit 233 calculates various parameters necessary for the decryption process in accordance with the decryption method defined in the multi-receiver public key encryption process executed by the mKEM 201. When calculating various parameters, the parameter calculation unit 233 refers to the system parameters stored in the storage unit 207 and the information transmitted from the message sender. The parameter calculation unit 233 can also use its own secret key sk when calculating the parameters. The parameter calculation unit 233 transmits the various parameters calculated to the verification unit 235 and the session key calculation unit 237 described later.

  The verification unit 235 includes, for example, a CPU, a ROM, a RAM, and the like. The verification unit 235 performs verification processing (so-called validity check) of the ciphertext transmitted from the message sender in accordance with a decryption method defined in the multi-receiver public key encryption processing executed by the mKEM 201. If the verification unit 235 determines that the ciphertext transmitted from the sender of the message is valid as a result of the verification, the verification unit 235 transmits the fact to the session key calculation unit 237 described later. If the verification unit 235 determines that the ciphertext transmitted from the sender of the message is not valid as a result of verification, the verification unit 235 outputs an error message and ends the decryption process.

  The session key calculation unit 237 is constituted by, for example, a CPU, a ROM, a RAM, and the like. When the information indicating that the verification is successful is transmitted from the verification unit 235, the session key calculation unit 237 performs the decryption by the DEM 203 in accordance with the decryption method stipulated in the multi-recipient public key encryption process executed by the mKEM 201. A session key required for processing is calculated. When calculating the session key, the session key calculation unit 237 uses its own secret key sk, system parameters stored in the storage unit 207 and the like, and information transmitted from the message sender. The session key calculation unit 237 transmits the calculated session key to the DEM 203.

  Heretofore, an example of the function of the information processing apparatus 20 according to the present embodiment has been shown. Each component described above may be configured using a general-purpose member or circuit, or may be configured by hardware specialized for the function of each component. In addition, the CPU or the like may perform all functions of each component. Therefore, it is possible to appropriately change the configuration to be used according to the technical level at the time of carrying out the present embodiment.

  It should be noted that a computer program for realizing each function of the information processing apparatus according to the present embodiment as described above can be produced and installed in a personal computer or the like. In addition, a computer-readable recording medium storing such a computer program can be provided. The recording medium is, for example, a magnetic disk, an optical disk, a magneto-optical disk, a flash memory, or the like. Further, the above computer program may be distributed via a network, for example, without using a recording medium.

<Encryption Processing Method that is the Base of the Information Processing Method According to the Present Embodiment>
Subsequently, prior to describing the information processing method according to the present embodiment, an encryption processing method that is the basis of the information processing method according to the present embodiment will be described in detail with reference to FIGS. 17 to 20 are flowcharts for explaining an encryption processing method that is a basis of the information processing method according to the present embodiment. The cryptographic processing method that is the basis of the information processing method according to the present embodiment is a method in which the cryptographic processing method described in Non-Patent Document 1 is applied to a plurality of recipients KEM.

[About system parameter generation]
First, a system parameter generation method that is a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This system parameter generation method is executed in a system parameter generation apparatus which is an information processing apparatus possessed by the system parameter generator.

First, the system parameter generation unit, based on the security parameter input, select the prime number p of k bits, group and position number p G, selects the G _e. Also, selecting a bilinear mapping e to realize _G × G → G _e (step S1001).

Next, the system parameter generation unit selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S1002).

Subsequently, the system parameter generation unit selects the parameter g∈ _R G (step S1003).

Next, the system parameter generation device configures the system parameter I as I = (p, G, G _e , g, e, TCR, H), and discloses it to each key processing device (step S1004).

  By passing through such a procedure, the system parameter generation device can generate system parameters required when the multiple recipients KEM of the key processing device execute the cryptographic processing.

[Key generation method]
Next, a key generation method serving as a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key encryption. This key generation method is executed when a user who owns the key processing device generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the key processing apparatus has acquired the system parameters generated by the system parameter generation apparatus.

First, the key processing device selects the parameter xε _R Z _p as secret information unique to the key processing device (step S1011).

Next, the key processing device calculates a parameter c = g ^x using the selected parameter x and g disclosed as a system parameter (step S1012).

Then, the key processing unit selects the parameter d∈ _R G (step S1013).

  Thereafter, the key processing device generates a secret key sk = (x, c, d) unique to the user who owns the key processing device (step S1014). Further, the key processing device generates a public key pk = (c, d) unique to the user who possesses the key processing device (step S1015).

  Thereafter, the key processing device outputs the generated public key pk and secret key sk to the user (step S1016). Also, the generated public key pk is disclosed to other key processing devices.

  Through such a procedure, the key processing device can generate a secret key sk and a public key pk that are unique to the user who owns the key processing device.

[Encryption method]
Next, an encryption method that is a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key encryption. This encryption method is executed when a user who has a key processing device and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the key processing unit selects the parameter r∈ _R Z _p randomly (step S1021).

Next, the key processing device calculates a parameter u = g ^r εG using the selected parameter r and the parameter g disclosed as a system parameter (step S1022).

Subsequently, the key processing device calculates the parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S1023).

Next, the key processing device uses the public key pk _i (i = 1,... N) of the destination key processing device for all the key processing devices that transmit the message, for the following verification. The parameter v _i is calculated (step S1024).

Subsequently, the key processing device uses the public key pk _i (i = 1,... N) of the destination key processing device to all the key processing devices that transmit the message, and uses the following session key: to calculate the dk _i (step S1025).

Next, the key processing unit, phi ₌ and _{(u, v 1, v 2} , ···, v n) _{and, (φ, dk 1, dk} 2, ···, dk n) outputs a (step S1026 ). In FIG. 19, the vector v means that v _i for all recipients is collectively represented. Further, in FIG. 19, the vector dk is meant those denoted collectively dk _i for all recipients.

  Through such a procedure, the key processing device can generate a session key dk used for common key encryption processing executed in the DEM of the key processing device.

[About decryption method]
Next, with reference to FIG. 20, a decoding method that is the basis of the information processing method according to the present embodiment will be described in detail. This decryption method is executed in a key processing device that is an information processing device that has received the ciphertext.

Prior to the decryption process, the key processing device determines a part (u, v _i ) related to itself from φ = (u, v ₁ , v ₂ ,..., V _n ) included in the ciphertext. To extract. This extraction process is realized by using a label that associates the order of v _i described with the corresponding relationship with the user, or by setting the sender so that only necessary information reaches each receiver. Is possible.

First, the key processing device calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S1031).

Next, the key processing apparatus performs a secret key sk _i itself, and system parameters, and the parameter α that calculated, u contained in the ciphertext, by using the v _i, verifies the ciphertext. More specifically, the key processing device performs ciphertext verification processing based on whether or not an equal sign in Expression 1003 below holds (step S1032).

  If the equal sign of the above expression 1003 is not established, the key processing apparatus determines that the received ciphertext is invalid, outputs an error message (step S1033), and ends the decryption process.

If the equal sign of the above expression 1003 is established, the key processing device determines that the received ciphertext is valid, and its own secret key ski _i and the parameter u included in the ciphertext. Then, using the system parameters, the session key dk _i = H (u ^x ) ε {0, 1} ^l corresponding to itself is calculated (step S1034). Then, the key processing unit, the calculated session key dk _i, and outputs it to the DEM of the apparatus (step S1035).

  Through such a procedure, the key processing device can calculate the session key dk used for the decryption process in the DEM of the key processing device.

[Problems of cryptographic processing method, which is a basic technology]
The cryptographic processing method that is the basic technology of the information processing method according to the present embodiment as described above has the following problems. That is, in the fundamental technology, the encryption method, verifying the parameter v ₁ using the public key of each _recipient, v _2, · · ·, a v _n calculated, are inserted into ciphertext phi. The receiver of the ciphertext can eliminate the illegal ciphertext by verifying whether or not the equal sign in Expression 1003 holds in the decryption method. However, in order to realize this verification method, n multi-scalar multiplexing processes are required for encryption when the number of recipients is n. Furthermore, n + 1 elements are required also in the generated ciphertext. The fact that these values are large is a problem in basic technology.

<About information processing method>
In the information processing method according to this embodiment, in order to solve the above-described problem, the efficiency of the entire information processing method is realized by adding elements necessary for performing the verification process to the system parameters. As a result, in the basic technology encryption method, a parameter generation process using a public key for each recipient is required, and verification that is common to all users can be performed only once using a common element for all users. Parameters can be generated.

  Hereinafter, the information processing method according to the present embodiment will be described in detail with reference to FIGS. 21 to 24 are flowcharts for explaining the information processing method according to the present embodiment.

[About system parameter generation]
First, the system parameter generation method according to the present embodiment will be described in detail with reference to FIG. This system parameter generation method is executed in the information processing apparatus 10 according to the present embodiment that functions as a system parameter generation apparatus.

First, the group selection unit 101 of the information processing unit 10, based on the security parameter input, select the prime number p of k bits, to select the group G _1, G _2, G _e to position number to p. Also, selecting a bilinear mapping e to realize _{G 1 × G 2 → G e} ( step S101).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR that realizes a mapping G ₁ → Z _p and a function H that realizes a mapping G ₁ → {0, 1} ^l ( Step S102).

  Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects parameters shown in the following formula 101 and formula 102 (step S103).

  Next, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as shown in the following expression 103 and discloses it to each key processing apparatus (step S104).

  Through such a procedure, the information processing apparatus 10 that functions as a system parameter generation apparatus generates system parameters that are necessary when the mKEM 201 of the information processing apparatus 20 that functions as a key processing apparatus executes cryptographic processing. be able to.

Regarding groups G ₁ and G ₂ described above, G ₁ and G ₂ may be the same group or different groups. When G ₁ and G ₂ are the same group, the processing described below is executed with g ₁ = g ₂ .

[Key generation method]
Next, the key generation method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in the key generation unit 211 of the information processing apparatus 20 possessed by a user who performs communication by multi-recipient public key encryption and functions as a key processing apparatus. This key generation method is executed when a user who possesses the information processing apparatus 20 generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the information processing apparatus 20 has acquired the system parameters.

First, the parameter generation unit 213 selects the parameter xε _R Z _p as secret information unique to the information processing apparatus 20 (step S111).

Next, the parameter generation unit 213 calculates a parameter c = g ₁ ^x ∈ _R G ₁ using the selected parameter x and g ₁ disclosed as a system parameter (step S112).

  Subsequently, the secret key generation unit 215 sets the selected parameter x as a secret key sk unique to the user who possesses the information processing apparatus 20 (step S113). Further, the public key generation unit 217 sets the calculated parameter c as a public key pk unique to the user who possesses the information processing apparatus 20 (step S114).

  Thereafter, the key generation unit 211 outputs the generated public key pk and secret key sk to the user (step S115). In addition, the public key disclosure unit 219 discloses the generated public key pk to other information processing apparatuses 20.

  Through such a procedure, the key generation unit 211 of the information processing device 20 can generate a secret key sk and a public key pk that are unique to the user who possesses the information processing device.

[Encryption method]
Next, the encryption method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed by the encryption unit 221 of the information processing apparatus 20 possessed by a user who performs communication using the multi-recipient public key encryption and functions as a key processing apparatus. This encryption method is executed when a user who has the information processing apparatus 20 and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the parameter selection unit 223 randomly selects a parameter rε _R Z _p (step S121).

Next, the parameter selection unit 223 calculates the parameter u = g ₁ ^r εG ₁ using the selected parameter r and the parameter g ₁ disclosed as a system parameter (step S122).

Subsequently, the parameter selection unit 223 calculates a parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S123).

  Next, the verification parameter generation unit 225 generates a verification parameter that is common to all the information processing apparatuses 20 that transmit the message, based on the following formula 111 (step S124). As is apparent from the following formula 111, this verification parameter can be generated using the system parameter and the parameter selected by the parameter selection unit 223.

Subsequently, the session key generation unit 227 uses the public key pk _i (i = 1,... N) of the information processing apparatus 20 that is the transmission destination for all the information processing apparatuses 20 that transmit messages. calculates the following session key dk _i (step S125).

  Next, the encryption unit 221 outputs a session key represented by the following expression 113 (step S126).

  Through such a procedure, the information processing apparatus 20 can generate a session key dk used for the common key encryption process executed in the DEM 203.

As described above, in the encryption method in the basic technology, the verification parameter v _i is calculated for each receiver using the public key pk _i of the receiver, but in the encryption method according to the present embodiment, Then, a verification parameter is generated using a value disclosed as a system parameter. Thereby, in the encryption method according to the present embodiment, the number of calculations can be reduced.

[About decryption method]
Next, the decoding method according to the present embodiment will be described in detail with reference to FIG. This decryption method is executed in the decryption unit 231 of the information processing apparatus 20 that has received the ciphertext.

First, the parameter calculation unit 233 calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S131).

  Next, the verification unit 235 performs ciphertext verification processing using the system parameter, the calculated parameter α, and the parameters included in the ciphertext. More specifically, the verification unit 235 performs ciphertext verification processing based on whether or not an equal sign in the following expression 121 holds (step S132).

  If the equal sign of Expression 121 is not satisfied, the verification unit 235 determines that the received ciphertext is invalid, outputs an error message (step S133), and ends the decryption process.

When the equal sign of the above formula 121 is established, the verification unit 235 determines that the received ciphertext is valid, and stores information indicating that the ciphertext is valid as the session key. The data is transmitted to the calculation unit 237. The session key calculation unit 237 uses its own secret key sk _i , the parameter u included in the ciphertext, and the system parameter, and the session key dk _i = H (u ^x ) ∈ {0, 1 corresponding to itself. } ^L is calculated (step S134). Subsequently, the session key calculating unit 237, the calculated session key dk _i, and outputs it to DEM203 of its own device (step S135).

  Through such a procedure, the decryption unit 231 of the information processing apparatus 20 can calculate the session key dk used for the decryption process in the DEM 203.

As described above, in the decryption method in the basic technology, the verification process using the verification parameter is performed using the public key pk _i of the recipient, but in the decryption method according to the present embodiment, it is disclosed as a system parameter. The verification process is carried out using the values.

<Computation amount and ciphertext size during encryption>
In the following, the calculation amount and the ciphertext size at the time of encryption of the information processing method according to the present embodiment will be described in comparison with the encryption processing method in the basic technology.

[Computation amount for encryption]
First, when the number of recipients is n, the amount of computation in the encryption method in the basic technology is compared with the amount of computation in the encryption method according to the present embodiment. In both methods, since the amount of calculation of single-scalar multiplication and multi-scalar multiplication is dominant, the number of operations was compared. Table 1 below shows the result of comparing the amount of calculation at the time of encryption.

Note that the single-scalar multiplication, as ^{g r,} which means that the scalar multiplication for one group element. Also, multi-scalar multiplication means that scalar multiplication of different values is performed on two group elements, such as g ₁ ^r1 · g ₂ ^r2 .

  From Table 1, it can be seen that (n + 1) single-scalar multiplication and n multi-scalar multiplication are necessary in the encryption method in the basic technology. It can also be seen that the encryption method according to the present embodiment requires (n + 1) single-scalar multiplication and one multi-scalar multiplication. That is, it can be seen that the encryption method according to the present embodiment can reduce (n−1) multi-scalar multiplication.

  As described in Non-Patent Document 5, it is generally considered that multi-scalar multiplication requires 1.5 times the processing of single-scalar multiplication. In consideration of this, the encryption method in the basic technology requires (2.5n + 1) times of single-scalar multiplexing calculation amount. On the other hand, in the encryption method according to the present embodiment, it can be seen that the processing is completed with a calculation amount of (n + 2.5) times of single-scalar multiplication.

[Ciphertext size]
Next, the ciphertext size in the basic technology when the number of recipients is n is compared with the ciphertext size in the information processing method according to the present embodiment. Both methods were considered to use the same group and were compared using the number of elements included in the ciphertext. The obtained results are shown in Table 2 below.

From Table 2, in the basic technology, there are n + 1 elements including the elements of G ₁ and G ₂ , whereas in this embodiment, the number of elements is two without depending on the number of recipients. . As is clear from this result, in the information processing method according to the present embodiment, the size of the ciphertext can be made constant without depending on the number of recipients.

<About the first modification>
In the system parameter generation method according to the present embodiment, the group selection unit 101 of the information processing apparatus 10 selects the groups G ₁ and G ₂ so that an efficient isomorphism that satisfies ψ: G ₁ → G ₂ exists. Think about the case. In this case, it is possible to perform all operations on the group G ₁ except for calculating the value of the bilinear mapping executed by the decoding unit 231 (more specifically, the verification unit 235) of the information processing apparatus 20, ciphertext, it becomes possible to represent only element on G _1. Furthermore, as a method for selecting the groups G ₁ and G ₂ , the calculation on G ₁ is lighter than the calculation on G ₂ , and the expression size of the element is expressed with G ₁ smaller than G _2. It may be possible.

  In such a case, the amount of calculation and the ciphertext size according to the present embodiment can be reduced. In order to realize the above-described modification, the system parameter generation method, the encryption method, and the decryption method according to the first embodiment of the present invention are modified as follows.

[About system parameter generation]
First, the system parameter generation method according to this modification will be described in detail with reference to FIG. FIG. 25 is a flowchart for explaining a system parameter generation method according to this modification.

First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameter so that an efficient isomorphism of ψ: G ₁ → G ₂ exists. , P, the groups G ₁ , G ₂ , G _e are selected. Also, selecting a bilinear mapping e to realize _{G 1 × G 2 → G e} ( step S141).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR that realizes a mapping G ₁ → Z _p and a function H that realizes a mapping G ₁ → {0, 1} ^l ( Step S102).

  Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects a parameter represented by the following expression 131 (step S142).

  Next, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as shown in the following expression 132 and discloses it to each key processing apparatus (step S143).

[Encryption method]
Next, an encryption method according to this modification will be described in detail with reference to FIG. FIG. 26 is a flowchart for explaining the encryption method according to the present modification.

First, the parameter selection unit 223 randomly selects a parameter rε _R Z _p (step S121).

Next, the parameter selection unit 223 calculates the parameter u = g ₁ ^r εG ₁ using the selected parameter r and the parameter g ₁ disclosed as a system parameter (step S122).

Subsequently, the parameter selection unit 223 calculates a parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S123).

Next, the verification parameter generation unit 225 generates a verification parameter that is common to all the information processing apparatuses 20 that transmit the message based on the following equation 133 (step S144). As is clear from the following equation 133, this verification parameter can be generated using an operation on the group G ₁ using the system parameter and the parameter selected by the parameter selection unit 223. is there.

Subsequently, the session key generation unit 227 uses the public key pk _i (i = 1,... N) of the information processing apparatus 20 that is the transmission destination for all the information processing apparatuses 20 that transmit messages. calculates the following session key dk _i (step S125).

  Next, the encryption unit 221 outputs a session key represented by the following expression 113 (step S126).

[Decoding method]
Next, the decoding method according to this modification will be described in detail with reference to FIG. FIG. 27 is a flowchart for explaining the decoding method according to the present modification.

First, the parameter calculation unit 233 calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S131).

  Next, the verification unit 235 performs ciphertext verification processing using the system parameter, the calculated parameter α, and the parameters included in the ciphertext. More specifically, the verification unit 235 performs ciphertext verification processing based on whether or not an equal sign in Expression 134 below is satisfied (step S145).

As is clear from the above equation 134, the bilinear mapping e can be calculated by mapping the elements on the group G ₁ onto the group G ₂ using the isomorphic mapping ψ.

  If the equal sign of Expression 134 is not satisfied, the verification unit 235 determines that the received ciphertext is invalid, outputs an error message (step S133), and ends the decryption process.

When the equal sign of the above expression 134 is established, the verification unit 235 determines that the received ciphertext is valid, and stores information indicating that the ciphertext is valid as the session key. The data is transmitted to the calculation unit 237. The session key calculation unit 237 uses its own secret key sk _i , the parameter u included in the ciphertext, and the system parameter, and the session key dk _i = H (u ^x ) ∈ {0, 1 corresponding to itself. } ^L is calculated (step S134). Subsequently, the session key calculating unit 237, the calculated session key dk _i, and outputs it to DEM203 of its own device (step S135).

  As described above, in the information processing apparatus and the information processing method according to the first embodiment of the present invention, the mmKEM shown in FIG. 11 is introduced as the mKEM 201 in the information processing apparatus 20 that functions as the key processing apparatus. A multi-recipient public key cryptosystem is realized.

(Second Embodiment)
Subsequently, an information processing apparatus and an information processing method according to the second embodiment of the present invention will be described in detail with reference to FIGS. 28 to 37.

<Configuration of information processing device>
First, the configuration of the information processing apparatus according to the present embodiment will be described. The information processing apparatus according to the present embodiment includes an information processing apparatus 10 that functions as a system parameter generation apparatus and an information processing apparatus 20 that functions as a key processing apparatus.

  Here, the information processing apparatus 10 that functions as the system parameter generation apparatus in the present embodiment has the configuration of the information processing apparatus 10 according to the first embodiment of the present invention illustrated in FIG. 14 and is executed by each processing unit. Only the processing contents to be processed are different. Therefore, the function of each processing unit included in the information processing apparatus 10 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

  Similarly, the information processing apparatus 20 that functions as the key processing apparatus in the present embodiment has the configuration of the information processing apparatus 20 according to the first embodiment of the present invention illustrated in FIGS. 15 and 16, and each processing unit. Only the processing content executed in is different. Therefore, the function of each processing unit included in the information processing apparatus 20 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

<Encryption Processing Method that is the Base of the Information Processing Method According to the Present Embodiment>
Next, prior to describing the information processing method according to the present embodiment, an encryption processing method that is the basis of the information processing method according to the present embodiment will be described in detail with reference to FIGS. FIG. 28 to FIG. 31 are flowcharts for explaining the cryptographic processing method that is the basis of the information processing method according to the present embodiment. The cryptographic processing method that is the basis of the information processing method according to the present embodiment is the cryptographic processing method described in Non-Patent Document 2.

[About system parameter generation]
First, with reference to FIG. 28, a system parameter generation method that is the basis of the information processing method according to the present embodiment will be described in detail. This system parameter generation method is executed in a system parameter generation apparatus which is an information processing apparatus possessed by the system parameter generator.

  First, the system parameter generation device selects a k-bit prime number p based on the input security parameters, and selects a group G having p as a rank (step S2001).

Next, the system parameter generation unit selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S2002).

Subsequently, the system parameter generation unit selects the parameter g∈ _R G (step S2003).

  Next, the system parameter generation device configures the system parameter I as I = (p, G, g, TCR, H), and discloses it to each key processing device (step S2004).

  By passing through such a procedure, the system parameter generation device can generate system parameters required when the multiple recipients KEM of the key processing device execute the cryptographic processing.

[Key generation method]
Next, a key generation method serving as a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key cryptography. This key generation method is executed when a user who owns the key processing device generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the key processing apparatus has acquired the system parameters generated by the system parameter generation apparatus.

First, the key processing device selects parameters a ₀ , a ₁ , a ₂ ∈ _R Z _p as secret information unique to the key processing device (step S2011). In this embodiment, selecting such three types of parameters has the same meaning as defining a quadratic function f (x) = a ₀ + a ₁ x + a ₂ x ² having the selected parameters as coefficients. Have

Next, the key processing device uses the selected parameters a ₀ , a ₁ , a ₂ and the system parameter g, and uses the Lagrangian interpolation formula described above, and uses the following equations 2001 to 2003: The parameters y ₀ , y ₁ , y ₂ shown in ( ₂₎ are calculated (step S2012).

Thereafter, the key processing device generates a secret key sk = (a ₀ , a ₁ , a ₂ ) unique to the user possessing the key processing device (step S2013). Further, the key processing device generates a public key pk = (y ₀ , y ₁ , y ₂ ) unique to the user who owns the key processing device (step S2014).

  Thereafter, the key processing device outputs the generated public key pk and secret key sk to the user (step S2015). Also, the generated public key pk is disclosed to other key processing devices.

  Through such a procedure, the key processing device can generate a secret key sk and a public key pk that are unique to the user who owns the key processing device.

[Encryption method]
Next, an encryption method serving as a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key encryption. This encryption method is executed when a user who has a key processing device and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the key processing unit selects the parameter r∈ _R Z _p randomly (step S2021).

Next, the key processing device calculates the parameter u = g ^r εG using the selected parameter r and the parameter g disclosed as a system parameter (step S2022).

Subsequently, the key processing device calculates the parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S2023).

Next, the key processing device uses the public key pk _i (i = 1,... N) of the destination key processing device for all the key processing devices that transmit the message, and uses the Lagrange interpolation formula. using, it calculates the following verification parameter _{v i} (step S2024).

Then, the key processing unit, to the key processing unit all that transmits message, the public key _{pk i (i = 1, ···} n) of the destination key processing apparatus using a following session key to calculate the dk _i (step S2025).

Next, the key processing unit, phi ₌ and _{(u, v 1, v 2} , ···, v n) _{and, (φ, dk 1, dk} 2, ···, dk n) outputs a (step S2026 ).

  Through such a procedure, the key processing device can generate a session key dk used for common key encryption processing executed in the DEM of the key processing device.

[Decoding method]
Next, with reference to FIG. 31, a decoding method that is the basis of the information processing method according to the present embodiment will be described in detail. This decryption method is executed in a key processing device that is an information processing device that has received the ciphertext.

Prior to the decryption process, the key processing device determines a part (u, v _i ) related to itself from φ = (u, v ₁ , v ₂ ,..., V _n ) included in the ciphertext. To extract. This extraction process is realized by using a label that associates the order of v _i described with the corresponding relationship with the user, or by setting the sender so that only necessary information reaches each receiver. Is possible.

First, the key processing device calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S2031).

Next, the key processing device uses its own secret key sk _i (that is, the quadratic function f (x)), the system parameter, the calculated parameter α, and u and v _i included in the ciphertext. Perform ciphertext verification processing. More specifically, the key processing device performs ciphertext verification processing based on whether or not an equal sign in the following expression 2006 holds (step S2032).

  If the equal sign of Expression 2006 is not satisfied, the key processing apparatus determines that the received ciphertext is invalid, outputs an error message (step S2033), and ends the decryption process.

If the equal sign of the above expression 2006 is established, the key processing device determines that the received ciphertext is valid, and the private key ski _{i of} itself and the parameter u included in the ciphertext and Then, using the system parameters, a session key dk _i corresponding to itself is calculated using the following formula 2007 (step S2034). Then, the key processing unit, the calculated session key dk _i, and outputs it to the DEM of the apparatus (step S2035).

  Through such a procedure, the key processing device can calculate the session key dk used for the decryption process in the DEM of the key processing device.

[Problems of cryptographic processing method, which is a basic technology]
The cryptographic processing method that is the basic technology of the information processing method according to the present embodiment as described above has the following problems. That is, in the fundamental technology, the encryption method, verifying the parameter v ₁ using the public key of each _recipient, v _2, · · ·, a v _n calculated, are inserted into ciphertext phi. The recipient of the ciphertext can eliminate the illegal ciphertext by verifying whether or not the equal sign in Expression 2006 holds in the decryption method. However, in order to realize this verification method, n multi-scalar multiplexing processes are required for encryption when the number of recipients is n. Furthermore, n + 1 elements are required also in the generated ciphertext. The fact that these values are large is a problem in basic technology.

<About information processing method>
In the information processing method according to the present embodiment, the following points are focused on in order to solve the above problems. That is, in the encryption processing in the basic technology, parameters are calculated for each receiver using a quadratic function f _i (x) unique to the receiver. Therefore, the inventors have come up with the point that the encryption method can be efficiently executed by making some shared information exist in the quadratic function unique to the receiver. In the information processing method according to the present embodiment shown below, the efficiency corresponding to the entire information processing method is improved by adding a parameter corresponding to the y-intercept of the quadratic function among the quadratic functions unique to the receiver to the system parameters. Is realized.

  Hereinafter, the information processing method according to the present embodiment will be described in detail with reference to FIGS. 32 to 35 are flowcharts for explaining the information processing method according to the present embodiment.

[About system parameter generation]
First, the system parameter generation method according to the present embodiment will be described in detail with reference to FIG. This system parameter generation method is executed in the information processing apparatus 10 according to the present embodiment that functions as a system parameter generation apparatus.

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameters, and selects a group G in which p is an order (step S201).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S202 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter g, _{y 0} ∈ _R G (step S203).

Next, the system parameter generation unit 107 of the information processing device 10 configures the system parameter I as I = (p, G, g, y ₀ , TCR, H), and discloses it to each key processing device (step) S204).

  Through such a procedure, the information processing apparatus 10 that functions as a system parameter generation apparatus generates system parameters that are necessary when the mKEM 201 of the information processing apparatus 20 that functions as a key processing apparatus executes cryptographic processing. be able to.

[Key generation method]
Next, the key generation method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in the key generation unit 211 of the information processing apparatus 20 possessed by a user who performs communication by multi-recipient public key encryption and functions as a key processing apparatus. This key generation method is executed when a user who possesses the information processing apparatus 20 generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the information processing apparatus 20 has acquired the system parameters.

First, the parameter generation unit 213 selects parameters s, t, F _s , and F _t ∈ _R Z _p as secret information unique to the information processing apparatus 20, and (f (0), f (s), f ( t)) = (log _g y ₀ , F _s , F _t ) (step S211). In the present embodiment, selecting such four types of parameters and defining f (0), f (s), and f (t) means that f (x) = a ₀ + a ₁ x + a ₂ x ² It has the same meaning as defining the quadratic function.

Next, the parameter generation unit 213 uses the selected parameters f (0), f (s), f (t) and the system parameter g, and uses Lagrange's interpolation formula to obtain the following expression 201. The parameters y ₁ and y ₂ shown in Equation 202 are calculated (step S212).

Thereafter, the secret key generation unit 215 generates a secret key sk = (s, t, F _s , F _t ) unique to the user who possesses the information processing apparatus 20 (step S213). In addition, the public key generation unit 217 generates a public key pk = (y ₁ , y ₂ ) unique to the user who possesses the information processing apparatus 20 (step S214).

  Thereafter, the key generation unit 211 outputs the generated public key pk and secret key sk to the user (step S215). In addition, the public key disclosure unit 219 discloses the generated public key pk to other information processing apparatuses 20.

  Through such a procedure, the key generation unit 211 of the information processing device 20 can generate a secret key sk and a public key pk that are unique to the user who possesses the information processing device.

[Encryption method]
Next, the encryption method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed by the encryption unit 221 of the information processing apparatus 20 possessed by a user who performs communication using the multi-recipient public key encryption and functions as a key processing apparatus. This encryption method is executed when a user who has the information processing apparatus 20 and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the parameter selection unit 223 randomly selects a parameter rε _R Z _p (step S221).

Next, the parameter selection unit 223, by using the parameter r selected, a parameter g which is published as a system parameter, to calculate the parameters u = ^{g r} ∈G (step S222).

Subsequently, the parameter selection unit 223 calculates a parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S223).

Next, the verification parameter generation unit 225 calculates a verification parameter v _i based on the following equation 203 for all the information processing apparatuses 20 that transmit the message, using Lagrange's interpolation formula. (Step S224). As is clear from the following equation 203, the verification parameter vi is selected by the public key pk _i (i = 1,... N) of the transmission destination information processing apparatus 20, the system parameter, and the parameter selection unit 223. And the calculated parameters can be calculated.

  Subsequently, the session key calculation unit 237 calculates the following session key dk using the system parameters for all the information processing apparatuses 20 that transmit messages (step S225).

Next, the encryption unit 221, phi ₌ and _{(u, v 1, v 2} , ···, v n) , and outputs the (phi, dk) (step S226).

  Through such a procedure, the information processing apparatus 20 can generate a session key dk used for the common key encryption process executed in the DEM 203.

As described above, in, I had calculated the session key dk _i for each recipient using the public key pk _i recipients in encryption method according to the present embodiment encryption method in the fundamental technology, A session key dk is generated using a value disclosed as a system parameter. Thereby, in the encryption method according to the present embodiment, the number of calculations can be reduced.

[Decoding method]
Next, the decoding method according to the present embodiment will be described in detail with reference to FIG. This decryption method is executed in the decryption unit 231 of the information processing apparatus 20 that has received the ciphertext.

Prior to the decryption process, the decryption unit 231 selects (u, v _i ) related to itself from φ = (u, v ₁ , v ₂ ,..., V _n ) included in the ciphertext. To extract. This extraction process is realized by using a label that associates the order of v _i described with the corresponding relationship with the user, or by setting the sender so that only necessary information reaches each receiver. Is possible.

First, the parameter calculation unit 233 calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S231).

Next, the session key calculation unit 237 uses its own secret key sk _i , the calculated parameter α, and u and v _i included in the ciphertext, based on the following formula 205, the parameter f ′ ( α), f ′ (s), and f ′ (t) are defined (step S232).

Defining the parameters as shown in the above expression 205 indicates that the quadratic function f ′ (x) is defined. Here, F _s and F _t are secret keys set by themselves. Here, if the calculated verification parameter v _i to duly in the encryption method, the quadratic function f '(x) defined by equation 205 defined in the key generation method quadratic function f ( x).

  Subsequently, the session key calculation unit 237 calculates the value of the parameter f ′ (0) using Expression 205 and the Lagrange interpolation formula, and calculates the session key dk based on Expression 206 below ( Step S233). Subsequently, the session key calculation unit 237 outputs the calculated session key dk to the DEM 203 of its own device (step S234).

  Through such a procedure, the decryption unit 231 of the information processing apparatus 20 can calculate the session key dk used for the decryption process in the DEM 203.

<Computation amount and ciphertext size during encryption>
In the following, the calculation amount and the ciphertext size at the time of encryption of the information processing method according to the present embodiment will be described in comparison with the encryption processing method in the basic technology.

[Computation amount for encryption]
First, when the number of recipients is n, the amount of computation in the encryption method in the basic technology is compared with the amount of computation in the encryption method according to the present embodiment. In both methods, since the amount of calculation of single-scalar multiplication and multi-scalar multiplication is dominant, the number of operations was compared. Table 3 below shows the result of comparing the amount of calculation at the time of encryption.

  From Table 3, it can be seen that (n + 1) single-scalar multiplication and n multi-scalar multiplication are necessary in the encryption method in the basic technology. It can also be seen that the encryption method according to the present embodiment requires two single-scalar multiplications and n multi-scalar multiplications.

  As described in Non-Patent Document 5, it is generally considered that multi-scalar multiplication requires 1.5 times the processing of single-scalar multiplication. In consideration of this, the encryption method in the basic technology requires (2.5n + 1) times of single-scalar multiplexing calculation amount. On the other hand, in the encryption method according to the present embodiment, it can be seen that the processing is completed with the amount of single-scalar multiplication of (1.5n + 2) times.

[Ciphertext size]
Next, the ciphertext size in the basic technology when the number of recipients is n is compared with the ciphertext size in the information processing method according to the present embodiment. In both methods, the number of elements included in the ciphertext and the number of ciphertexts generated by the DEM included in the mKEM were compared. The results obtained are shown in Table 4 below.

  From Table 4, although the number of elements in the group remains the same as n + 1 in the basic technology and the present embodiment, the number of ciphertexts generated by the DEM included in the mKEM can be eliminated. As is apparent from this result, in the information processing method according to the present embodiment, the size of the ciphertext can be reduced.

  As described above, in the information processing apparatus and the information processing method according to the present embodiment, by introducing the msKEM shown in FIG. 13 as the mKEM 201 in the information processing apparatus 20 that functions as a key processing apparatus, multiple recipients are disclosed. A key encryption system is realized.

<About the first modification>
The information processing apparatus and information processing method according to a second embodiment of the present invention, using the parameters y _0, which is set as a system parameter, it has been described a case of calculating the common session key dk to the recipient. Here, using the parameter y ₀ , it is also possible to calculate a verification parameter common to the recipients, instead of the session key dk common to the recipients. That is, in the information processing apparatus 20 according to the second embodiment of the present invention, the case where msKEM is introduced as the mKEM 201 has been described, but it is also possible to introduce mmKEM as the mKEM 201. Below, the case where mmKEM is introduce | transduced into the information processing apparatus 20 which concerns on 2nd Embodiment as a 1st modification is demonstrated in detail.

  In order to realize the above modification, the encryption method and the decryption method according to the second embodiment of the present invention are modified as follows.

[Encryption method]
First, an encryption method according to this modification will be described in detail with reference to FIG. FIG. 36 is a flowchart for explaining the encryption method according to the present modification.

First, the parameter selection unit 223 randomly selects a parameter rε _R Z _p (step S221).

Next, the parameter selection unit 223 calculates a parameter u = g ^r εG using the selected parameter r and the parameter g disclosed as a system parameter (step S222).

Subsequently, the parameter selection unit 223 calculates a parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S223).

The verification parameter generation unit 225, for all of the information processing apparatus 20 that transmits messages using the system parameter, is calculated on the basis of the verification parameter v _i in Equation 211 below (step S241 ).

Then, the key processing unit, for all of the information processing apparatus 20 that transmits messages, by using the Lagrange interpolation formula to calculate the session key dk _i represented by the following formula 212 (step S242 ).

Next, the encryption unit 221, phi = a (u, v), (φ , dk 1, dk 2, ···, dk n) outputs a (step S243).

[Decoding method]
Next, the decoding method according to this modification will be described in detail with reference to FIG. FIG. 37 is a flowchart for explaining the decoding method according to the present modification.

First, the parameter calculation unit 233 calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S231).

Next, the session key calculation unit 237 uses its own secret key sk _i , u and v included in the ciphertext, and system parameters, based on the following equation 213, and sets the parameter f ′ (0), f ′ (s) and f ′ (t) are defined (step S244).

  Defining the parameters as shown in the above equation 213 indicates that the quadratic function f ′ (x) is defined. Here, the quadratic function f ′ (x) defined by Expression 213 is equal to the quadratic function f (x) defined in the key generation method.

  Subsequently, the session key calculation unit 237 calculates the value of the parameter f ′ (α) using Expression 213 and the Lagrange interpolation formula, and calculates the session key dk based on Expression 214 below ( Step S233). Subsequently, the session key calculation unit 237 outputs the calculated session key dk to the DEM 203 of its own device (step S234).

<Computation amount and ciphertext size during encryption>
Hereinafter, the amount of calculation and the size of the ciphertext when encrypting the information processing method according to this modification will be described in comparison with the encryption processing method in the basic technology.

[Computation amount for encryption]
First, when the number of recipients is n, the amount of computation in the encryption method in the basic technology is compared with the amount of computation in the encryption method according to this modification. In both methods, since the amount of calculation of single-scalar multiplication and multi-scalar multiplication is dominant, the number of operations was compared. Table 5 below shows the result of comparing the amount of calculation at the time of encryption.

  From Table 5, it can be seen that (n + 1) single-scalar multiplication and n multi-scalar multiplication are necessary in the encryption method in the basic technology. It can also be seen that the encryption method according to the present modification requires two single-scalar multiplications and n multi-scalar multiplications.

  As described in Non-Patent Document 5, it is generally considered that multi-scalar multiplication requires 1.5 times the processing of single-scalar multiplication. In consideration of this, the encryption method in the basic technology requires (2.5n + 1) times of single-scalar multiplexing calculation amount. On the other hand, in the encryption method according to the present modification, it can be seen that the processing is completed with the amount of single-scalar multiplication of (1.5n + 2) times.

[Ciphertext size]
Next, the ciphertext size in the basic technology when the number of recipients is n is compared with the ciphertext size in the information processing method according to this modification. In both methods, the number of elements included in the ciphertext was compared. The results obtained are shown in Table 6 below.

  According to Table 6, in the basic technology, the number of elements in the group is n + 1, whereas in the present modification, the number of elements in the group is 2 regardless of the number of recipients n. As is clear from this result, in the information processing method according to the present embodiment, the size of the ciphertext can be reduced so as not to depend on the number of recipients n.

(Third embodiment)
Subsequently, an information processing apparatus and an information processing method according to the third embodiment of the present invention will be described in detail with reference to FIGS. 38 to 45.

<Configuration of information processing device>
First, the configuration of the information processing apparatus according to the present embodiment will be described. The information processing apparatus according to the present embodiment includes an information processing apparatus 10 that functions as a system parameter generation apparatus and an information processing apparatus 20 that functions as a key processing apparatus.

  Here, the information processing apparatus 10 that functions as the system parameter generation apparatus in the present embodiment has the configuration of the information processing apparatus 10 according to the first embodiment of the present invention illustrated in FIG. 14 and is executed by each processing unit. Only the processing contents to be processed are different. Therefore, the function of each processing unit included in the information processing apparatus 10 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

  Similarly, the information processing apparatus 20 that functions as the key processing apparatus in the present embodiment has the configuration of the information processing apparatus 20 according to the first embodiment of the present invention illustrated in FIGS. 15 and 16, and each processing unit. Only the processing content executed in is different. Therefore, the function of each processing unit included in the information processing apparatus 20 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

<Encryption Processing Method that is the Base of the Information Processing Method According to the Present Embodiment>
Next, prior to describing the information processing method according to the present embodiment, an encryption processing method serving as the basis of the information processing method according to the present embodiment will be described in detail with reference to FIGS. 38 to 41 are flowcharts for explaining the cryptographic processing method that is the basis of the information processing method according to the present embodiment. The cryptographic processing method that is the basis of the information processing method according to the present embodiment is the cryptographic processing method described in Non-Patent Document 3.

[About system parameter generation]
First, with reference to FIG. 38, a system parameter generation method that is the basis of the information processing method according to the present embodiment will be described in detail. This system parameter generation method is executed in a system parameter generation apparatus which is an information processing apparatus possessed by the system parameter generator.

  First, the system parameter generation device selects a k-bit prime number p based on the input security parameters, and selects a group G in which p is an order (step S3001).

Next, the system parameter generation unit selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S3002).

Subsequently, the system parameter generation unit selects the parameter g∈ _R G (step S3003).

  Next, the system parameter generation device configures the system parameter I as I = (p, G, g, TCR, H) and discloses it to each key processing device (step S3004).

  By passing through such a procedure, the system parameter generation device can generate system parameters required when the multiple recipients KEM of the key processing device execute the cryptographic processing.

[Key generation method]
Next, a key generation method serving as a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key cryptography. This key generation method is executed when a user who owns the key processing device generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the key processing apparatus has acquired the system parameters generated by the system parameter generation apparatus.

First, the key processing device selects parameters x ₁ , x ₂ , y ₁ , y ₂ ∈ _R Z _p as secret information unique to the key processing device (step S3011).

Next, the key processing device uses the selected parameters x ₁ , x ₂ , y ₁ , y ₂ and the system parameter g, and parameters c ₁ , c ₂ , d shown in the following equations 3001 to 3004. _1, it calculates the _{d 2} (step S3012).

Thereafter, the key processing device generates a secret key sk = (x ₁ , x ₂ , y ₁ , y ₂ ) unique to the user who owns the key processing device (step S3013). Further, the key processing device generates a public key pk = (c ₁ , c ₂ , d ₁ , d ₂ ) unique to the user who owns the key processing device (step S3014).

  Thereafter, the key processing device outputs the generated public key pk and secret key sk to the user (step S3015). Also, the generated public key pk is disclosed to other key processing devices.

  Through such a procedure, the key processing device can generate a secret key sk and a public key pk that are unique to the user who owns the key processing device.

[Encryption method]
Next, an encryption method that is a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key encryption. This encryption method is executed when a user who has a key processing device and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the key processing unit selects the parameter r∈ _R Z _p randomly (step S3021).

Next, the key processing device calculates the parameter u = g ^r εG using the selected parameter r and the parameter g disclosed as a system parameter (step S3022).

Subsequently, the key processing device calculates the parameter α = TCR (u) εZ _p by using the calculated parameter u and the function TCR disclosed as a system parameter (step S3023).

Next, the key processing device uses the public key pk _i (i = 1,... N) of the destination key processing device for all the key processing devices that transmit the message, and uses Equation 3005 and Equation 3006. The two types of verification parameters v _{1, i,} v _{2, i shown} in (2) are calculated (step S3024).

Then, the key processing unit, to the key processing unit all that transmits message, the public key _{pk i (i = 1, ···} n) of the destination key processing apparatus using a following session key to calculate the dk _i (step S3025).

Next, the key processing _{unit, φ = (u, v 1,1} , v 1,2, ···, v 1, n, v 2,1, v 2,2, ···, v 2, n ) _{and, (φ, dk 1, dk} 2, ···, and outputs a dk _n) (step S3026).

  Through such a procedure, the key processing device can generate a session key dk used for common key encryption processing executed in the DEM of the key processing device.

[Decoding method]
Next, with reference to FIG. 41, a decoding method that is the basis of the information processing method according to the present embodiment will be described in detail. This decryption method is executed in a key processing device that is an information processing device that has received the ciphertext.

Prior to the decryption process, the key processing device includes φ = (u, v _1,1 , v _1,2 ,..., V _{1, n,} v _2,1 , v _2,2 included in the ciphertext. ,..., V _{2, n} ), a portion (u, v _{1, i} , v _{2, i} ) related to itself is extracted. In this extraction process, a label that associates the order of v _{1, i} , v _{2, i} and the corresponding relationship with the user is used, or only information necessary for the sender to reach each recipient is received. It can be realized by setting.

First, the key processing apparatus includes a parameter u included in the ciphertext, by using the function TCR published as a system parameter, and calculates the parameter _{α = TCR (u) ∈Z p} ( step S3031).

Next, the key processing device uses its own secret key sk _i , system parameter, calculated parameter α, and u, v _{1, i} , v _{2, i} included in the ciphertext, Perform verification processing. More specifically, the key processing device performs ciphertext verification processing based on whether or not both equal signs in the following Expression 3008 and Expression 3009 hold (Step S3032).

  The key processing device determines that the received ciphertext is invalid when both of the equal signs of the above formula 3008 and formula 3009 are not satisfied, outputs an error message (step S3033), and performs the decryption process. finish.

In addition, when both of the above equations 3008 and 3009 are equal, the key processing device determines that the received ciphertext is valid, and includes the private key ski _i and the ciphertext. a parameter u included, by using the system parameter, the session key dk _i corresponding to itself, is calculated using the formula 3010 follows (step S3034). Then, the key processing unit, the calculated session key dk _i, and outputs it to the DEM of the apparatus (step S3035).

Through such procedure, the key processing unit can calculate the session key dk _i used in the decoding process in the DEM the key processing unit.

[Problems of cryptographic processing method, which is a basic technology]
The cryptographic processing method that is the basic technology of the information processing method according to the present embodiment as described above has the following problems. That is, in the basic technology, the verification parameters v _1,1 , v _1,2 ,..., V _{1, n,} v _2,1 , v ₂ using the public keys of the respective recipients in the encryption method. _{, 2} ,..., V _{2, n} are calculated and inserted into the ciphertext φ. The recipient of the ciphertext can eliminate the illegal ciphertext by verifying whether or not the equal sign in Expression 2006 holds in the decryption method. However, in order to realize this verification method, when the number of recipients is n, 2n multi-scalar multiplexing processes are required for encryption. Furthermore, 2n + 1 elements are required in the generated ciphertext. The fact that these values are large is a problem in basic technology.

<About information processing method>
In the information processing method according to the present embodiment, in order to solve the above problem, one of the parameters used for calculating the session key is made common and added to the system parameter, thereby improving the efficiency of the entire information processing method. ing.

  Hereinafter, the information processing method according to the present embodiment will be described in detail with reference to FIGS. 42 to 45. 42 to 45 are flowcharts for explaining the information processing method according to the present embodiment.

[About system parameter generation]
First, the system parameter generation method according to the present embodiment will be described in detail with reference to FIG. This system parameter generation method is executed in the information processing apparatus 10 according to the present embodiment that functions as a system parameter generation apparatus.

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameters, and selects a group G having p as a rank (step S301).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S302 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter g, _{c 1} ∈ _R G (step S303).

Next, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as I = (p, G, g, c ₁ , TCR, H) and discloses it to each key processing apparatus (steps) S304).

  Through such a procedure, the information processing apparatus 10 that functions as a system parameter generation apparatus generates system parameters that are necessary when the mKEM 201 of the information processing apparatus 20 that functions as a key processing apparatus executes cryptographic processing. be able to.

[Key generation method]
Next, the key generation method according to the present embodiment will be described in detail with reference to FIG. This key generation method is executed in the key generation unit 211 of the information processing apparatus 20 possessed by a user who performs communication by multi-recipient public key encryption and functions as a key processing apparatus. This key generation method is executed when a user who possesses the information processing apparatus 20 generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the information processing apparatus 20 has acquired the system parameters.

First, the parameter generator 213, the information processing apparatus 20 as a unique secret information, the parameters s, selects t∈ _R Z _p (step S311).

Next, the parameter generator 213, the selected parameter s, using a t, g is a system parameter, and _{c 1,} calculates a parameter _{c 2} shown in Equation 301 below (step S312).

  Subsequently, the parameter generation unit 213 selects three types of parameters shown in the following expression 302 as confidential information unique to the information processing apparatus 20 (step S313).

Next, the parameter generation unit 213 generates parameters d ₁ and d ₂ shown in the following equations 303 and 304 using the generated parameters and system parameters (step S314).

  Thereafter, the secret key generation unit 215 generates a secret key sk unique to the user who possesses the information processing apparatus 20 based on the following expression 305 (step S315).

Further, the public key generation unit 217 generates a public key pk = (c ₂ , d ₁ , d ₂ ) unique to the user who possesses the information processing apparatus 20 (step S316).

  Thereafter, the key generation unit 211 outputs the generated public key pk and secret key sk to the user (step S317). In addition, the public key disclosure unit 219 discloses the generated public key pk to other information processing apparatuses 20.

  Through such a procedure, the key generation unit 211 of the information processing device 20 can generate a secret key sk and a public key pk that are unique to the user who possesses the information processing device.

[Encryption method]
Next, the encryption method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed by the encryption unit 221 of the information processing apparatus 20 possessed by a user who performs communication using the multi-recipient public key encryption and functions as a key processing apparatus. This encryption method is executed when a user who has the information processing apparatus 20 and transmits a message generates a ciphertext using a plurality of recipients KEM.

First, the parameter selection unit 223 selects a parameter r∈ _R Z _p randomly (step S321).

Next, the parameter selection unit 223 calculates the parameter u = g ^r εG using the selected parameter r and the parameter g disclosed as a system parameter (step S322).

Subsequently, the parameter selection unit 223 calculates the parameter α = TCR (u) εZ _p using the calculated parameter u and the function TCR disclosed as a system parameter (step S323).

The verification parameter generation unit 225 calculates for all information processing device 20 transmits a message, two types of the verification parameter _{v 1} shown in Formula 306 and Formula 307, _i, the _{v 2, i} (Step S324). As is clear from the following equations 306 and 307, the verification parameters v _{1, i,} v _{2, i} are the public key pk _i (i = 1,... N) of the information processing apparatus 20 that is the transmission destination. And can be calculated using the system parameters and the selected parameters.

  Subsequently, the session key calculation unit 237 calculates the following session key dk using the system parameter and the selected parameter r for all the information processing apparatuses 20 that transmit the message (step S325).

Next, the encryption unit 221 uses φ = (u, v _1,1 , v _1,2 ,..., V _{1, n,} v _2,1 , v _2,2 ,..., V _2, and _n), and outputs a (φ, dk) (step S326).

  Through such a procedure, the information processing apparatus 20 can generate a session key dk used for the common key encryption process executed in the DEM 203.

As described above, in, I had calculated the session key dk _i for each recipient using the public key pk _i recipients in encryption method according to the present embodiment encryption method in the fundamental technology, A session key dk is generated using a value disclosed as a system parameter. Thereby, in the encryption method according to the present embodiment, the number of calculations can be reduced.

[Decoding method]
Next, the decoding method according to the present embodiment will be described in detail with reference to FIG. This decryption method is executed in the decryption unit 231 of the information processing apparatus 20 that has received the ciphertext.

Prior to the decryption processing, the decryption unit 231 includes φ = (u, v _1,1 , v _1,2 ,..., V _{1, n,} v _2,1 , v _2,2 included in the ciphertext. extracts _..., from the _{v 2, n),} the portion relating to itself _{(u, v} 1, _i, the _{v 2, i).} In this extraction process, a label that associates the order of v _{1, i} , v _{2, i} and the corresponding relationship with the user is used, or only information necessary for the sender to reach each recipient is received. It can be realized by setting.

First, the parameter calculation unit 233 calculates the parameter α = TCR (u) εZ _p using the parameter u included in the ciphertext and the function TCR disclosed as a system parameter (step S331).

Next, the parameter calculation unit 233 uses the private key sk _i , the system parameter, the calculated parameter α, and u, v _{1, i} , v _{2, i} included in the ciphertext as follows: Two types of parameters shown in Expression 309 and Expression 310 are calculated (step S332).

Then, the verification unit 235 performs a secret key sk _i itself, and two parameters calculated, by using the u included in the ciphertext, the verification process of the ciphertext. More specifically, the verification unit 235 performs ciphertext verification processing based on whether or not an equal sign in the following expression 311 holds (step S333).

  If the equal sign of Equation 311 is not satisfied, the verification unit 235 determines that the received ciphertext is invalid, outputs an error message (step S334), and ends the decryption process.

  When the equal sign of the above expression 311 is established, the verification unit 235 determines that the received ciphertext is valid, and stores information indicating that the ciphertext is valid as the session key. The data is transmitted to the calculation unit 237. The session key calculation unit 237 calculates the session key dk using the system parameter and the parameter calculated based on the equation 309 using the following equation 312 (step S335). Subsequently, the session key calculation unit 237 outputs the calculated session key dk to the DEM 203 of its own device (step S336).

  Through such a procedure, the decryption unit 231 of the information processing apparatus 20 can calculate the session key dk used for the decryption process in the DEM 203.

<Computation amount and ciphertext size during encryption>
In the following, the calculation amount and the ciphertext size at the time of encryption of the information processing method according to the present embodiment will be described in comparison with the encryption processing method in the basic technology.

[Computation amount for encryption]
First, when the number of recipients is n, the amount of computation in the encryption method in the basic technology is compared with the amount of computation in the encryption method according to the present embodiment. In both methods, since the amount of calculation of single-scalar multiplication and multi-scalar multiplication is dominant, the number of operations was compared. Table 7 below shows the result of comparing the amount of calculation at the time of encryption.

  From Table 7, it can be seen that (n + 1) single-scalar multiplication and 2n multi-scalar multiplication are necessary in the encryption method in the basic technology. It can also be seen that the encryption method according to the present embodiment requires n + 3 single-scalar multiplication and n multi-scalar multiplication.

  As described in Non-Patent Document 5, it is generally considered that multi-scalar multiplication requires 1.5 times the processing of single-scalar multiplication. Considering this, the encryption method in the basic technology requires a calculation amount of (4n + 1) times of single-scalar multiplexing. On the other hand, in the encryption method according to the present embodiment, it can be seen that the processing is completed with a calculation amount of (1.5n + 3) times of single-scalar multiplication.

[Ciphertext size]
Next, the ciphertext size in the basic technology when the number of recipients is n is compared with the ciphertext size in the information processing method according to the present embodiment. In both methods, the number of elements included in the ciphertext and the number of ciphertexts generated by the DEM included in the mKEM were compared. The results obtained are shown in Table 8 below.

  From Table 8, it is possible to eliminate the number of ciphertexts generated by the DEM included in the mKEM, although the number of elements in the group remains the same as 2n + 1 in the basic technology and this embodiment. As is apparent from this result, in the information processing method according to the present embodiment, the size of the ciphertext can be reduced.

  As described above, in the information processing apparatus and the information processing method according to the present embodiment, by introducing the msKEM shown in FIG. 13 as the mKEM 201 in the information processing apparatus 20 that functions as a key processing apparatus, multiple recipients are disclosed. A key encryption system is realized.

(Fourth embodiment)
Subsequently, an information processing apparatus and an information processing method according to the fourth embodiment of the present invention will be described in detail with reference to FIGS. 46 to 56.

  First, the points focused on by the information processing apparatus and the information processing method according to the present embodiment will be briefly described with reference to FIG.

  In the multi-recipient public key cryptosystem focused on each embodiment of the present invention, each user generates a secret key and a public key based on common system parameters generated by the system parameters. In addition, the ciphertext transmitted between the users is generated based on the common system parameters and the public key of the recipient of the ciphertext.

  Here, as shown in FIG. 46, in order for a malicious system parameter generator to steal the contents of ciphertext transmitted between users, secret information that only the generator knows is embedded in the system parameters. Consider the case where system parameters are disclosed to each user.

  Each user participating in the system generates his / her private key and public key using system parameters in which secret information is embedded, and ciphertext is transmitted based on the public key. In this case, the malicious system parameter generator may be able to acquire the contents of the ciphertext based on the secret information embedded in the system parameters.

  For example, in a system that requires two or more groups of elements as system parameters, each element of the group that should be originally selected independently is not selected independently, but some association is made between these elements. There may be cases where other elements are generated from one element.

  Therefore, in the information processing apparatus and information processing method according to the present embodiment described below, the system has been improved so that the secret information cannot be embedded in such system parameters.

<Configuration of information processing device>
First, the configuration of the information processing apparatus according to the present embodiment will be described. The information processing apparatus according to the present embodiment includes an information processing apparatus 10 that functions as a system parameter generation apparatus and an information processing apparatus 20 that functions as a key processing apparatus.

  Here, the information processing apparatus 10 that functions as the system parameter generation apparatus in the present embodiment has the configuration of the information processing apparatus 10 according to the first embodiment of the present invention illustrated in FIG. 14 and is executed by each processing unit. Only the processing contents to be processed are different. Therefore, the function of each processing unit included in the information processing apparatus 10 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

  Similarly, the information processing apparatus 20 that functions as the key processing apparatus in the present embodiment has the configuration of the information processing apparatus 20 according to the first embodiment of the present invention illustrated in FIGS. 15 and 16, and each processing unit. Only the processing content executed in is different. Therefore, the function of each processing unit included in the information processing apparatus 20 according to the present embodiment will be described below while describing the information processing method according to the present embodiment.

<Encryption Processing Method that is the Base of the Information Processing Method According to the Present Embodiment>
Next, prior to describing the information processing method according to the present embodiment, an encryption processing method that is the basis of the information processing method according to the present embodiment will be described in detail with reference to FIGS. 47 to 50 are flowcharts for explaining the cryptographic processing method that is the basis of the information processing method according to the present embodiment. The cryptographic processing method that is the basis of the information processing method according to the present embodiment is the cryptographic processing method described in Non-Patent Document 4.

[About system parameter generation]
First, with reference to FIG. 47, a system parameter generation method that is the basis of the information processing method according to the present embodiment will be described in detail. This system parameter generation method is executed in a system parameter generation apparatus which is an information processing apparatus possessed by the system parameter generator.

  First, the system parameter generation device selects a k-bit prime number p based on the input security parameters, and selects a group G in which p is an order (step S4001).

Next, the system parameter generation unit selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S4002).

Subsequently, the system parameter generation unit selects the parameter _{g 1, g 2 ∈ R G} ( step S4003).

Next, the system parameter generation device configures the system parameter I as I = (p, G, g ₁ , g ₂ , TCR, H) and discloses it to each key processing device (step S4004).

  By passing through such a procedure, the system parameter generation device can generate system parameters that are necessary when the key processing device executes cryptographic processing.

[Key generation method]
Next, with reference to FIG. 48, a key generation method that is the basis of the information processing method according to the present embodiment will be described in detail. This key generation method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key cryptography. This key generation method is executed when a user who owns the key processing device generates his / her public key and secret key. This key generation method can be performed at an arbitrary timing as long as the key processing apparatus has acquired the system parameters generated by the system parameter generation apparatus.

First, the key processing device selects parameters x ₁ , x ₂ , y ₁ , y ₂ , zε _R Z _p as secret information unique to the key processing device (step S4011).

Next, the key processing apparatus uses the selected parameters x ₁ , x ₂ , y ₁ , y ₂ , z and the system parameters g ₁ , g ₂ , and uses the parameters c 1 to 400 3 shown below as parameters c. , D, h are calculated (step S4012).

Thereafter, the key processing device generates a secret key sk = (x ₁ , x ₂ , y ₁ , y ₂ , z) unique to the user who owns the key processing device (step S4013). Further, the key processing device generates a public key pk = (c, d, h) unique to the user who possesses the key processing device (step S4014).

  Thereafter, the key processing device outputs the generated public key pk and secret key sk to the user (step S4015). Also, the generated public key pk is disclosed to other key processing devices.

  Through such a procedure, the key processing device can generate a secret key sk and a public key pk that are unique to the user who owns the key processing device.

[Encryption method]
Next, an encryption method that is a basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This encryption method is executed in a key processing device which is an information processing device possessed by a user who performs communication by multi-recipient public key encryption. This encryption method is executed when a user who has a key processing device and transmits a message generates a ciphertext.

First, the key processing unit selects the parameter r∈ _R Z _p randomly (step S4021).

Next, the key processing device calculates a parameter u ₁ = g ₂ ^r εG using the selected parameter r and the parameter g ₂ disclosed as a system parameter (step S4022).

Subsequently, the key processing device generates ciphertext χ = mg ₁ ^r using the data m corresponding to the message to be transmitted, the parameter g ₁ disclosed as a system parameter, and the selected parameter r ( Step S4023).

Next, the key processing device uses the public key pk _i (i = 1,... N) of the destination key processing device and the selected parameter r for all the key processing devices that transmit the message. Then, the parameter u _{2, i} = h _i ^r is calculated (step S4024).

Subsequently, the key processing device uses the calculated parameters u ₁ , u _{2, i} , the ciphertext χ, and the public function TCR for all the key processing devices that transmit messages. α = TCR (u ₁ , u _{2, i} , χ) is calculated (step S4025).

Next, the key processing device uses the public key pk _i (i = 1,... N) of the transmission destination key processing device for all the key processing devices that transmit the message, and is expressed by Expression 4004. to calculate the verification parameters _{v i} (step S4026).

Subsequently, the key processing device transmits (u ₁ , u ₂ , ₁ , u ₂ , ₂ ,..., U _{2, n,} v ₁ , v ₂ ,. .., V _n , χ) are output (step S4027).

  Through such a procedure, the key processing device can encrypt the message m to be transmitted to the other key processing device.

[Decoding method]
Next, the decoding method that is the basis of the information processing method according to the present embodiment will be described in detail with reference to FIG. This decryption method is executed in a key processing device that is an information processing device that has received the ciphertext.

Prior to the decryption process, the key processing device is included in the ciphertext (u _2,1 , u _2,2 ,..., U _{2, n,} v ₁ , v ₂ ,..., V _n ). The part (u _{2, i} , v _i ) related to itself is extracted from the list. The extraction process, or with a label that associates the relationship between u _{2, i,} v _i of order and the user that is described, the sender sets so that only the information required for each recipient arrives It can be realized by doing.

First, the key processing device uses the parameters u ₁ , u _{2, i} , χ included in the ciphertext and the function TCR disclosed as a system parameter to set the parameter α = TCR (u ₁ , u _{2, i} , Χ) is calculated (step S4031).

Next, the key processing device calculates a parameter u ′ represented by Expression 4005 using its own secret key sk _i and u _{2, i} included in the ciphertext (step S4032).

Subsequently, the key processing device performs ciphertext verification processing using its own secret key sk _i , u ₁ and v _i included in the ciphertext, and the calculated parameters α and u ′. More specifically, the key processing device performs ciphertext verification processing based on whether or not an equal sign in the following expression 4006 holds (step S4033).

  If the equal sign of the above expression 4006 does not hold, the key processing apparatus determines that the received ciphertext is invalid, outputs an error message (step S4034), and ends the decryption process.

  If the equal sign of the above expression 4006 is established, the key processing apparatus determines that the received ciphertext is valid and newly calculates u ′ using the expression 4007 (step S4035). . Subsequently, the key processing device decrypts the ciphertext and outputs plaintext m (step S4036).

  By going through such a procedure, the key processing device can decrypt the ciphertext and output the plaintext m.

[Problems of cryptographic processing method, which is a basic technology]
Here, in the fundamental technology described above, a malicious system parameters creator, the system parameters g ₂ without selecting independently of the g _1, g 2 ₌ g only be known system parameters creator of ₁ ^w using the relationship, consider the case of calculating the g ₂ from g _1. Here, the parameter w used in calculating g ₂ corresponds to secret information that only the system parameter generator can know.

When the parameter g ₂ and the parameter g ₁ are secretly associated using the parameter w, the expression 4007 in the decryption process can be transformed into the following expression 4008. Therefore, the malicious system parameter generator can use the parameters included in the ciphertext and the secret information w to see the contents of messages that can only be known by users who are originally communicating. End up.

<Regarding System Parameter Generation Method According to Second Embodiment>
Further, even in a system parameter generation method according to a second embodiment of the present invention, in selecting the parameters y _0, and the parameter g of the previously selected, and the secret information w not be known only system parameters creator using Thus, y ₀ = g ^w can be set. When the parameter g and the parameter y ₀ have the relationship as described above, the equation 206 of the decoding method can be transformed as the following equation 4009. Therefore, the malicious system parameter generator can use the parameters included in the ciphertext and the secret information w to see the contents of messages that can only be known by users who are originally communicating. End up.

<About information processing method>
Therefore, in the information processing method according to the present embodiment, in order to solve the above problem, the elements to be selected from the group are set to be selected in order, and the selected elements are input to the function T described below. Thus, the output of the function T is adopted as a candidate for the next element. This makes it difficult to grasp the output parameters and the group structure related to the input parameters. In addition, by disclosing such functions as system parameters, each user who participates in the system can verify whether parameters are properly selected.

[About a method capable of solving the problems of the basic technology according to this embodiment]
First, an information processing method (more specifically, a system parameter generation method) according to this embodiment capable of solving the problems in the method described in Non-Patent Document 4 will be described in detail with reference to FIG. To do.

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameter, and selects a group G having p as a rank (step S401).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S402 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameters _{g 1} ∈ _{R G} (step S403).

Next, the function selection unit 103 of the information processing apparatus 10 selects the function T, and the parameter selection unit 105 sets the parameter g ₂ = T (g ₁ ) (step S404).

Subsequently, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as I = (p, G, g ₁ , g ₂ , TCR, H, T) and discloses it to each key processing apparatus. (Step S405).

Here, as a function T used for calculating the parameters g _2, for example it is possible to use a function such as the following.

  For example, even if the function T to be used obtains an element input to the function and an element output from the function, the function T is configured from the input element using only the group operation. Has a property that makes it difficult.

Here, p and q are prime numbers that satisfy p = 2q + 1. At this time, a subgroup G _q having an order _q exists in Z _p . This partial group is defined as a group G selected by the group selection unit 101. Here, it is assumed that the prime number p is, for example, 1024-bit.

At this time, as shown in FIG. 52, for example, after the _first system parameter g ₁ is selected, the higher order bit of the parameter g ₁ is input to the pseudo random number generator (PRNG) and output 1024- bit is referred to as another element _{g 2} candidates. Parameter g ₂ candidate is not beyond the p, and, when the value obtained by multiplication q at Z _p is 1, as it is a parameter g ₂ candidate parameter g _2. When it is not satisfied the above conditions, and be redone from the selection of the parameter g _1.

By using the function T that performs the processing as described above, it is difficult to estimate the relationship of the group structure between the parameter g ₁ and the parameter g ₂ .

  The function T as described above can also be set for a group of prime orders configured as a subset of rational points on an elliptic curve. For such a group of prime orders, a function called map to point that maps from an arbitrary prime field to the group is known. By using this function, it is possible to obscure the relationship of the group structure between the elements of the system parameter.

For example, consider an elliptic curve: y ² = x ³ +1 over Fp for prime numbers p, q (| p | = 160, p = 2 mod 3, p = sq + 1). When the _first element of the system parameter is g ₁ , the function T can be set as a processing unit that realizes the processing shown in FIG. 53, for example. That is, input as seed upper bits of the parameters _{g 1} to the pseudo-random number generator, the outputted example 160-bit and elements _{y 0} of _{Z p.} Next, let x ₀ = (y ₀ ² −1) ^1/3 ∈Z _p . Next, Q ₀ = (x ₀ , y ₀ ) is set as a point on the elliptic curve, and a point multiplied by s scalar is set as g ₂ and is output as a second system parameter.

Using only one type of such a function T, the input for calculating the next parameter of the function output is as follows: g ₂ = T (g ₁ ), g ₃ = T (g ₂ ). As a result, it is possible to select a plurality of parameters. Further, when a plurality of types of such functions T are used and the parameter g ₂ is calculated using a certain function T ₁ , the parameter g ₃ is calculated using a certain function T _2. The parameters may be selected.

  In addition, an existing hash function can be used instead of the function T as described above.

[About a method capable of solving the problems of the basic technology according to this embodiment]
Subsequently, an information processing method (more specifically, a system parameter generation method) obtained by improving the method described in the second embodiment of the present invention will be described in detail with reference to FIG.

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameters, and selects a group G having p as a rank (step S411).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S412 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter g∈ _R G (step S413).

Next, the function selection unit 103 of the information processing apparatus 10 selects the function T, and the parameter selection unit 105 sets the parameter y ₀ = T (g) (step S414).

Subsequently, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as I = (p, G, g, y ₀ , TCR, H, T) and discloses it to each key processing apparatus. (Step S415).

  As described above, by using the function T as described above when determining the elements of the system parameters, it is possible to prevent malicious system parameter generators from eavesdropping on the contents of ciphertext transmitted between users. It becomes possible to do.

<About the first modification>
In the above description, the case where a malicious system parameter generator steals the contents of ciphertext transmitted between users has been described. Here, for example, it is convenient to set the system parameters so that only the person who has a certain special authority, such as the designer of the encryption system or the superior of the company, can decrypt the contents of all ciphertext transmitted between users. In many cases. Therefore, in the first modification of the present embodiment, a method (so-called key escrow method) in which the system parameter generator can decrypt the contents of all ciphertexts will be described in detail with reference to FIGS. 55 and 56. To do.

[Information processing method improved from the basic technology according to this embodiment]
First, an information processing method obtained by improving the basic technology according to the present embodiment will be described in detail with reference to FIG. The method, by providing a special relationship between the parameters g ₁ and parameter g _2, which is selected as a system parameter, the system parameter generation who, in manner to allow decoding all ciphertext is there.

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameters, and selects a group G having p as a rank (step S421).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S422 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameters _{g 1} ∈ _{R G} (step S403).

Next, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter ^w and sets the parameter g ₂ = g ₁ ^w (step S424).

Subsequently, the system parameter generation unit 107 of the information processing apparatus 10 configures the system parameter I as I = (p, G, g ₁ , g ₂ , TCR, H) and discloses it to each key processing apparatus ( Step S425).

Since the parameter g ₂ and the parameter g ₁ are associated using the parameter w, the expression 4007 in the decoding process can be transformed into the expression 4008 as described above. Therefore, a system parameter generator having special authority can decrypt all ciphertexts using the parameters included in the ciphertext and the parameter w.

[Information processing method improved from the method according to the second embodiment of the present invention]
Next, an information processing method obtained by improving the method according to the second embodiment of the present invention will be described in detail with reference to FIG. The method, by providing a special relationship between the parameters g and the parameter y ₀ is selected as a system parameter, the system parameter generation who is the manner to allow decoding all ciphertext .

  First, the group selection unit 101 of the information processing apparatus 10 selects a k-bit prime number p based on the input security parameters, and selects a group G having p as a rank (step S431).

Next, the function selection unit 103 of the information processing apparatus 10 selects a function TCR realizing mapping that G → _{Z p,} and function H to achieve a mapping of G → ^{{0,1} l,} the (step S432 ).

Subsequently, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter g∈ _R G (step S433).

Next, the parameter selection unit 105 of the information processing apparatus 10 selects the parameter ^w and sets the parameter y ₀ = g ^w (step S434).

Subsequently, the system parameter generation unit 107 of the information processing device 10 configures the system parameter I as I = (p, G, g, y ₀ , TCR, H), and discloses it to each key processing device (step) S435).

Since the parameter g and the parameter y ₀ are related using the parameter w, the expression 206 in the decoding method can be transformed into an expression 4009 as described above. Therefore, a system parameter generator having special authority can decrypt all ciphertexts using the parameters included in the ciphertext and the parameter w.

  It is also possible to disclose both system parameters in which a predetermined relationship is introduced so that all ciphertexts can be decrypted and system parameters in which a predetermined function T is introduced so that all ciphertexts cannot be decrypted. It is. Thus, by exposing the two types of system parameters, the sender of the message can select whether or not to use the key escape method.

<About hardware configuration>
Next, the hardware configuration of the information processing apparatus 10 according to each embodiment of the present invention will be described in detail with reference to FIG. FIG. 57 is a block diagram for explaining a hardware configuration of the information processing apparatus 10 according to each embodiment of the present invention.

  The information processing apparatus 10 mainly includes a CPU 901, a ROM 903, and a RAM 905. The information processing apparatus 10 further includes a host bus 907, a bridge 909, an external bus 911, an interface 913, an input device 915, an output device 917, a storage device 919, a drive 921, and a connection port 923. And a communication device 925.

  The CPU 901 functions as an arithmetic processing unit and a control unit, and controls all or a part of the operation in the information processing apparatus 10 according to various programs recorded in the ROM 903, the RAM 905, the storage device 919, or the removable recording medium 927. The ROM 903 stores programs used by the CPU 901, calculation parameters, and the like. The RAM 905 primarily stores programs used in the execution of the CPU 901, parameters that change as appropriate during the execution, and the like. These are connected to each other by a host bus 907 constituted by an internal bus such as a CPU bus.

  The host bus 907 is connected to an external bus 911 such as a PCI (Peripheral Component Interconnect / Interface) bus via a bridge 909.

  The input device 915 is an operation unit operated by the user, such as a mouse, a keyboard, a touch panel, a button, a switch, and a lever. Further, the input device 915 may be, for example, remote control means (so-called remote controller) using infrared rays or other radio waves, or an external connection device such as a mobile phone or a PDA corresponding to the operation of the information processing device 10. 929 may be used. Furthermore, the input device 915 includes an input control circuit that generates an input signal based on information input by a user using the above-described operation means and outputs the input signal to the CPU 901, for example. The user of the information processing apparatus 10 can input various data and instruct a processing operation to the information processing apparatus 10 by operating the input device 915.

  The output device 917 is configured by a device capable of visually or audibly notifying acquired information to the user. Examples of such devices include CRT display devices, liquid crystal display devices, plasma display devices, EL display devices and display devices such as lamps, audio output devices such as speakers and headphones, printer devices, mobile phones, and facsimiles. For example, the output device 917 outputs results obtained by various processes performed by the information processing apparatus 10. Specifically, the display device displays results obtained by various processes performed by the information processing device 10 as text or images. On the other hand, the audio output device converts an audio signal composed of reproduced audio data, acoustic data, and the like into an analog signal and outputs the analog signal.

  The storage device 919 is a data storage device configured as an example of a storage unit of the information processing device 10. The storage device 919 includes, for example, a magnetic storage device such as an HDD (Hard Disk Drive), a semiconductor storage device, an optical storage device, or a magneto-optical storage device. The storage device 919 stores programs executed by the CPU 901, various data, various data acquired from the outside, and the like.

  The drive 921 is a recording medium reader / writer, and is built in or externally attached to the information processing apparatus 10. The drive 921 reads information recorded on a removable recording medium 927 such as a mounted magnetic disk, optical disk, magneto-optical disk, or semiconductor memory, and outputs the information to the RAM 905. In addition, the drive 921 can write a record on a removable recording medium 927 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory. The removable recording medium 927 is, for example, a DVD medium, an HD-DVD medium, a Blu-ray medium, or the like. Further, the removable recording medium 927 may be a compact flash (registered trademark) (CompactFlash: CF), a memory stick, an SD memory card (Secure Digital memory card), or the like. Further, the removable recording medium 927 may be, for example, an IC card (Integrated Circuit card) on which a non-contact IC chip is mounted, an electronic device, or the like.

  The connection port 923 is a port for directly connecting a device to the information processing apparatus 10. An example of the connection port 923 is a USB (Universal Serial Bus) port, i. There are IEEE 1394 ports such as Link, SCSI (Small Computer System Interface) ports, and the like. As another example of the connection port 923, there are an RS-232C port, an optical audio terminal, a high-definition multimedia interface (HDMI) port, and the like. By connecting the external connection device 929 to the connection port 923, the information processing apparatus 10 acquires various data directly from the external connection device 929 or provides various data to the external connection device 929.

  The communication device 925 is a communication interface including a communication device for connecting to the communication network 931, for example. The communication device 925 is, for example, a communication card for wired or wireless LAN (Local Area Network), Bluetooth, or WUSB (Wireless USB). The communication device 925 may be a router for optical communication, a router for ADSL (Asymmetric Digital Subscriber Line), or a modem for various communication. The communication device 925 can transmit and receive signals and the like according to a predetermined protocol such as TCP / IP, for example, with the Internet or other communication devices. The communication network 931 connected to the communication device 925 is configured by a wired or wireless network, and may be, for example, the Internet, a home LAN, infrared communication, radio wave communication, satellite communication, or the like. .

  Heretofore, an example of the hardware configuration capable of realizing the function of the information processing apparatus 10 according to each embodiment of the present invention has been shown. Each component described above may be configured using a general-purpose member, or may be configured by hardware specialized for the function of each component. Therefore, the hardware configuration to be used can be changed as appropriate according to the technical level at the time of carrying out the present embodiment.

  Further, the hardware configuration of the information processing apparatus 20 according to each embodiment of the present invention has the same configuration as the hardware configuration of the information processing apparatus 10 according to each embodiment of the present invention, and thus detailed description will be made. Is omitted.

<Summary>
As described above, in the information processing apparatus and the information processing method according to each embodiment of the present invention, among the system parameters commonly used by each user, it is used in the encryption process and the decryption process, and is unique to the user. Add a parameter that does not contain confidential information. As a result, the amount of calculation required for the encryption process can be reduced, and further, the ciphertext size can be reduced.

  As mentioned above, although preferred embodiment of this invention was described referring an accompanying drawing, it cannot be overemphasized that this invention is not limited to this example. It will be apparent to those skilled in the art that various changes and modifications can be made within the scope of the claims, and these are naturally within the technical scope of the present invention. Understood.

It is explanatory drawing for demonstrating a public key encryption system. It is explanatory drawing for demonstrating a public key encryption system. It is explanatory drawing for demonstrating a public key encryption system. It is explanatory drawing for demonstrating a multiple recipient public key encryption system. It is explanatory drawing for demonstrating a multiple recipient public key encryption system. It is explanatory drawing for demonstrating a multiple recipient public key encryption system. It is explanatory drawing for demonstrating a multiple recipient public key encryption system. It is explanatory drawing for demonstrating a hybrid encryption. It is explanatory drawing for demonstrating a hybrid encryption. It is explanatory drawing for demonstrating a hybrid encryption. It is explanatory drawing for demonstrating a hybrid encryption. It is explanatory drawing for demonstrating a hybrid encryption. It is explanatory drawing for demonstrating a hybrid encryption. It is a block diagram for demonstrating the structure of the information processing apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram for demonstrating the structure of the information processing apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram for demonstrating the structure of the information processing apparatus which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the 2nd Embodiment of this invention. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the 3rd Embodiment of this invention. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is explanatory drawing for demonstrating the point which the information processing method which concerns on the 4th Embodiment of this invention pays attention. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the encryption processing method used as the foundation of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the information processing method which concerns on the embodiment. It is explanatory drawing for demonstrating the information processing method which concerns on the embodiment. It is explanatory drawing for demonstrating the information processing method which concerns on the embodiment. It is explanatory drawing for demonstrating the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a flowchart for demonstrating the 1st modification of the information processing method which concerns on the embodiment. It is a block diagram for demonstrating the hardware constitutions of the information processing apparatus which concerns on each embodiment of this invention.

Explanation of symbols

3 Communication network 10 Information processing device (system parameter generation device)
20 Information processing device (key processing device)
101 group selection unit 103 function selection unit 105 parameter selection unit 107 system parameter generation unit 109 system parameter disclosure unit 111 communication control unit 113 storage unit 201 mKEM
203 DEM
205 communication control unit 207 storage unit 211 key generation unit 213 parameter generation unit 215 secret key generation unit 217 public key generation unit 219 public key disclosure unit 221 encryption unit 223 parameter selection unit 225 verification parameter generation unit 227 session key generation unit 231 Decryption unit 233 Parameter calculation unit 235 Verification unit 237 Session key calculation unit

Claims (16)

A group selection unit for generating a cyclic group used in encrypted communication based on a multi-recipient public key encryption technique performed between a plurality of key processing devices;
A parameter that is used for processing executed by the key processing device during the encrypted communication, does not include secret information unique to each of the plurality of key processing devices, and is commonly used by each of the plurality of key processing devices. A parameter selection unit for selecting a plurality of parameters including,
A function selection unit that is used for processing related to generation or decryption of ciphertext in the encrypted communication, and that selects a function that realizes a predetermined mapping;
Using the cyclic group selected by the group selection unit, the plurality of parameters selected by the parameter selection unit, and the function selected by the function selection unit, used for the multiple recipient public key encryption technology A system parameter generation unit for generating a system parameter to be executed;
An information processing apparatus comprising:   A parameter used for processing executed by the key processing device during the encrypted communication and not including secret information unique to each of the plurality of key processing devices and commonly used by each of the plurality of key processing devices is The information processing apparatus according to claim 1, wherein the information processing apparatus is a parameter used when generating a verification parameter used in a ciphertext verification process in the key processing apparatus.   A parameter used for processing executed by the key processing device during the encrypted communication and not including secret information unique to each of the plurality of key processing devices and commonly used by each of the plurality of key processing devices is The information processing apparatus according to claim 1, wherein the information processing apparatus is a parameter used when generating a session key used when generating a ciphertext in the key processing apparatus. The parameter selection unit
Further selecting a first parameter belonging to the cyclic group selected by the group selection unit;
The information processing apparatus according to claim 1, wherein a second parameter belonging to the cyclic group is generated by performing only a predetermined group operation on the first parameter. The parameter selection unit
Further selecting a first parameter belonging to the cyclic group selected by the group selection unit;
The information processing apparatus according to claim 1, wherein a value obtained by substituting the first parameter into a predetermined function is set as a second parameter belonging to the cyclic group. The function selection unit selects at least one conversion function that converts the input value to a value that is difficult to generate an output value even if only a predetermined group operation is performed on the input values belonging to the predetermined group. And
The information processing apparatus according to claim 5, wherein the parameter selection unit further selects a parameter using the first parameter selected from the cyclic group and the conversion function. The group selection unit selects two different groups G ₁ and G ₂ from each other,
_2. The information processing apparatus according to claim 1, wherein the selected group G ₁ and group G ₂ have an isomorphism mapping that realizes a mapping from the group G ₁ to the group G ₂ .   The information processing apparatus according to claim 1, wherein the function selection unit selects a function having target collision difficulty.   The information processing apparatus according to claim 8, wherein the function selection unit selects a function whose output is uniformly distributed in a value range when an input value is selected from the definition range to a uniform distribution. A multi-recipient key encapsulation mechanism that generates a session key used in encrypted communication based on a multi-recipient public key encryption technology performed with another information processing apparatus;
A data encapsulation mechanism that generates a ciphertext to be transmitted in the encrypted communication using the session key;
With
The multi-recipient key encapsulation mechanism is
A key generation unit that generates a public key and a secret key unique to the device used in the encrypted communication based on the acquired system parameters;
An encryption unit that generates a verification parameter used in the verification process of the session key and the ciphertext based on the system parameter;
A decryption unit that obtains ciphertext related to the session key and decrypts it based on the system parameters;
Have
The system parameter is used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and the other information processing device. Including commonly used parameters,
The information processing apparatus, wherein the encryption unit generates the session key or the verification parameter common to the plurality of recipients.   Used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and other information processing devices, and is used in common by the own device and other information processing devices. The information processing apparatus according to claim 10, wherein the parameter to be used is a parameter used when generating the verification parameter.   Used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and other information processing devices, and is used in common by the own device and other information processing devices. The information processing apparatus according to claim 10, wherein the parameter to be used is a parameter used when generating the session key. Generating a cyclic group used in encrypted communication based on a multi-recipient public key encryption technology performed between a plurality of key processing devices;
A parameter that is used for processing executed by the key processing device during the encrypted communication, does not include secret information unique to each of the plurality of key processing devices, and is commonly used by each of the plurality of key processing devices. Selecting a plurality of parameters to include;
A step of selecting a function used for processing related to generation or decryption of ciphertext in the encrypted communication and realizing a predetermined mapping;
Using the cyclic group selected by the group selection unit, the plurality of parameters selected by the parameter selection unit, and the function selected by the function selection unit, used for the multiple recipient public key encryption technology Generating generated system parameters;
Including an information processing method. A key that generates a public key and a private key specific to its own device that are used for encrypted communication based on the multi-recipient public key encryption technology performed with other information processing devices based on the acquired system parameters Generation step;
An encryption step for generating a verification parameter used for verification processing of a session key and ciphertext used in the encrypted communication based on the system parameters;
A decrypting step of obtaining ciphertext relating to the session key and decrypting based on the system parameters;
Including
The system parameter is used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and the other information processing device. Including commonly used parameters,
The information processing method, wherein the encryption unit generates the session key or the verification parameter common to the plurality of recipients. On the computer,
A group selection function for generating a cyclic group used in encrypted communication based on a multi-recipient public key encryption technology performed between a plurality of key processing devices;
A parameter that is used for processing executed by the key processing device during the encrypted communication, does not include secret information unique to each of the plurality of key processing devices, and is commonly used by each of the plurality of key processing devices. A parameter selection function for selecting a plurality of parameters including,
A function selection function that is used for processing related to generation or decryption of ciphertext in the encrypted communication and selects a function that realizes a predetermined mapping;
Using the cyclic group selected by the group selection unit, the plurality of parameters selected by the parameter selection unit, and the function selected by the function selection unit, used for the multiple recipient public key encryption technology A system parameter generation function for generating a system parameter to be processed;
A program to realize To a computer capable of performing encrypted communication based on a multi-recipient public key encryption technology with another information processing apparatus,
Used for processing executed by the own device during the encrypted communication, and does not include secret information unique to the own device and other information processing devices, and is used in common by the own device and other information processing devices. A function for generating a public key and a secret key specific to the device used in the encrypted communication based on system parameters including parameters;
A function for generating a verification parameter used for verification processing of a session key and ciphertext used in the encrypted communication based on the system parameters;
A function of acquiring ciphertext relating to the session key and decrypting it based on the system parameters;
A program to realize

Images