JP2013105065A - Security system, encryption device, decryption device, re-encryption device, obfuscation device, method thereof, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a re-encryption method having an inner product predicate encryption function.SOLUTION: A method includes the steps of: generating W'=W(0,1)*(h(1)), Θ'=Θ(0,1)*(h(1)), Y'=Y(0,1)*h(1), U'=U(0,1)+(REV), Λ'=Λ(0,1)*h(1), Ψ=e(W',Z), Ψ=e(Θ',Z), Ψ=e(Y',Z), Ω=e(U',k) and Ω=e(Λ',k), from an encrypted text ct (0,1) including W(0,1)=(h(1)), Θ(0,1)=(h(1)), Y(0,1)=h(1)*m, U(0,1)=(CV)and Λ(0,1)=h(1); and generating a re-encrypted text ct (1,2) including E(1,2)=Ψ, F(1,2)=Ψ, G(1,2)=Ψ*Ω, Z(1,2)=Zand H(1,2)=Ω.

Description

  The present invention relates to an encryption technique, and more particularly, to a re-encryptable encryption technique.

  In the conventional re-encryption method, if the re-encryption key possessed by the proxy device is used, the proxy device can unconditionally decrypt the ciphertext that can be decrypted by the first decryption device by the second decryption device. It can be converted into ciphertext (for example, see Non-Patent Documents 1 and 2).

  Examples of predicate encryption and function encryption that do not have a proxy re-encryption function include inner product predicate encryption described in Non-Patent Documents 3 and 4 and function encryption described in Non-Patent Document 5.

S. Hohenberger, G. N. Rothblum, A. Shelat, and V. Vaikuntanathan, “Securely Obfuscating Re-encryption,” In TCC, volume 4392 of Lecture Notes in Computer Science, pages 233-252, Springer, 2007. N. Chandran, M. Chase, and V. Vaikuntanathan, “Collusion Resistant Obfuscation and Functional Re-encryption,” [online], 22 Jun 2011, [October 27, 2011 search], Internet <http: // eprint .iacr.org / 2011/337.> J. Katz, A. Sahai, and B. Waters, “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products,” In EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 146-162, Springer, 2008. AB Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption,” In EUROCRYPT, volume 6110 of Lecture Notes in Computer Science , pages 62-91, Springer, 2010. T. Okamoto and K. Takashima, “Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption,” In CRYPTO, volume 6223 of Lecture Notes in Computer Science, pages 191-208, Springer, 2010.

  However, there is no re-encryption method having the inner product predicate encryption function. The present invention has been made in view of these points, and provides a re-encryption method having a function of inner product predicate encryption.

In the present invention, G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order q, and F _q ^× = F _q \ {0}, n is an integer greater than or equal to 1, μ is an integer greater than or equal to 2, and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) is n + μ of the cyclic group G N + μ-dimensional basis vectors whose elements are elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of cyclic group G B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) from n + μ basis vectors b _i ^* (i = 1, ..., n + μ) is comprised basis, ^* the base B and the basis B are dual orthogonal basis, n + mu dimensional vector _{^{d → = (d 1, ...}} , d n + μ) ∈F q n + for ^mu (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i and (f ^→ ) for n + μ dimensional vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} _{B *} is Σ _{i = 1} ^{n + μ} f _i・ b _i ^* , and Γ is n + 1 ≦ Γ <N + μ is an integer, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1),.} .., b _{ι (Γ)} ) and the first decryption device has a secret key a (1), b (1), c (1), τ (1) ∈F _q ^× The public keys of (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c ( 1) ・ τ (1) ・ B ^), and the secret key of the second decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× The public key of the decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ , B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* , and the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , where RV ^→ is an n + μ-dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ} and (RV _{ι (1),.} .., RV _{ι (n)} ) is an n-dimensional vector σ · v ^→ = (σ · v _{ι (1)} , ..., σ · v _{ι (n)} ), and any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, ξ is an integer _{equal to} or greater than 1, and e _ξ is a cyclic group for an element of the Cartesian product group G ^ξ × G ^ξ is a bilinear map to obtain the original G _T.

The encryption device selects r, s, ζ, ωεF _q, and the public keys (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1)) and n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ The first ciphertext ct (0,1) is generated. However, the first ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ and CV ^→ is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and any one of CV _κ ∈ {CV _{ι ( n + 1)} , ..., CV _{ι (Γ)} } is ζ, and a vector composed of elements obtained by removing CV _κ from CV _{ι (n + 1)} , ..., CV _{ι (Γ)} and RV _{ι (n + 1)} ,..., RV _{ι (Γ)} has an inner product of 0 with a vector composed of elements obtained by removing RV _κ .

The re-encryption device selects r ′, s ′, ζ′∈F _q , and W ′ = W (0,1) · (h (1) ^{a (1)} ) ^{r ′} , Θ ′ = Θ (0 , 1) ・ (h (1) ^{b (1)} ) ^s' , Y '= Y (0,1) ・ h (1) ^{r' + s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ '= Λ (0,1) ・ h (1) ^ζ' , Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ', Z ₂ ) , Ψ ₃ = e ₁ (Y ', Z ₃ ), Ω ₁ = e _{n + μ} (U', k ^* ), Ω ₂ = e ₁ (Λ ', k ₀ ), y, y'∈F E for ^{_{q × (1,2) = Ψ 1}} y, F (1,2) = Ψ 2 y, G (1,2) = Ψ 3 y · Ω 1 y ', Z (1,2) = Z 3 A re-ciphertext ct (1,2) including ^y , H (1,2) = Ω ₂ ^{y ′} is generated. REV ^→ is an n + μ-dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ {REV _{ι (1)} , ..., REV _{ι (n + μ)} } is ζ ', and REV _{ι (1)} , ..., REV _{ι (n + μ)} excluding REV _κ is 0∈F _q .

The second decoding device is e ₁ (m ′, Z (1,2)) = G (1,2) / {H (1,2) ^{c (2)} · E (1,2) ^{1 / a (2 )} · F (1,2) ^{1 / b (2)} } is obtained as a decoded value.

  In the present invention, a re-encryption scheme having a function of inner product predicate encryption can be realized.

FIG. 1 is a diagram for explaining the overall configuration of the security system of the embodiment. FIG. 2 is a diagram for explaining the configuration of the encryption apparatus according to the embodiment. FIG. 3 is a diagram for explaining the configuration of the decoding apparatus according to the embodiment. FIG. 4 is a diagram for explaining the configuration of the decoding apparatus according to the embodiment. FIG. 5 is a diagram for explaining the configuration of the obfuscation apparatus according to the embodiment. FIG. 6 is a diagram for explaining the configuration of the re-encryption apparatus according to the embodiment. 7A and 7B are flowcharts for explaining a method for generating a secret key and a public key of the decryption apparatus, and FIG. 7C is a flowchart for explaining a method for generating a re-encryption key. FIG. 8 is a flowchart for explaining the encryption method of the embodiment. FIG. 9 is a flowchart for explaining the re-encryption method of the embodiment. 10A and 10B are flowcharts for explaining the decoding method of the embodiment.

An embodiment will be described.
[Definition]
Define basic terms and notations.
sec is an integer of 1 or more representing a security parameter. q is a prime number of sec bits, G and G _T are cyclic groups (cyclic multiplicative group) of order q, g∈G is a generator of cyclic group G, and g _T ∈G _T is cyclic group G. It is a generator of _T. F _q is a finite field of order q, and F _q ^× = F _q \ {0} is a set obtained by removing zero element (additive unit element) 0 from finite field F _q .

In the embodiment, in principle, operations in the cyclic groups G and G _T are multiplicatively expressed as multiplicative groups. However, as an exception to the notation convenience, only vector unit operations (results) with elements of cyclic group G as elements and matrix unit operations (results) with elements of cyclic group G as elements are expressed additively. (Hereinafter referred to as “convenient additive expression”). Note that each element of such a vector or matrix is an element of a cyclic group G (an element of a cyclic multiplicative group) even if it is expressed additively.

n is an integer greater than or equal to 1, and x ^→ = (x ₁ , ..., x _n ) ∈F _q ⁿ is an n-dimensional vector whose elements are elements x _i ∈F _q of n finite fields F _q ( For example, an attribute vector), and v ^→ = (v ₁ , ..., v _n ) ∈F _q ⁿ is an n-dimensional vector (eg, predicate) whose elements are elements v _i ∈F _q of n finite fields F _q Vector). Two vectors x ^→, v x ^→ · for ^→ v ^→ represents the inner product _{^{x → · v → = Σ i}} = 1 n x i · v i ∈F q. 1 ^→ represents the unit vector 1 ^→ = (1, ..., 1). I _N represents an N-by-N unit matrix having elements of the finite field F _q as elements.

e _ξ (ξ is an integer of 1 or more) is a bilinear map for obtaining an element of the cyclic group G _T with respect to an element of an arbitrary product group G ^ξ × G ^ξ .
e _ξ : G ^ξ × G ^ξ → G _T … (1)
The bilinear map _eξ satisfies the following properties.
[Bilinearity] The bilinear map e _ξ satisfies the following relationship for arbitrary λ ₁ , λ ₂ εG ^ξ and ν1, ν2εF _q .
e (λ ₁ ^ν1 , λ ₂ ^ν2 ) = e (λ ₁ , λ ₂ ) ^{ν1 ・ ν2} … (2)
[Non-degenerate] There exist λ ₁ and λ ₂ ∈G ^ξ satisfying e _ξ (λ ₁ , λ ₂ ) ≠ 1∈G _T. For all ^{_{λ 1 ∈G ξ e ξ (λ}} 1, λ 2) is a = If a ^{_{1∈G T λ 2 = 0 ξ ∈G}} ξ. e _ξ (g, g) = g _T ∈G _T is satisfied.
[Computability] E (λ ₁ , λ ₂ ) can be calculated efficiently (ie, in polynomial time) for any λ ₁ , λ ₂ ∈G ^ξ .

The bilinear map e _ξ of this form is an arbitrary ξ, γ = (γ ₁ , ..., γ _ξ ) ∈G ^ξ , γ ^* = (γ ₁ ^* , ..., γ _ξ ^* ) ∈G ^ξ , Γ _ι ∈ G and γ _ι ^* ∈ G (ι = 1,..., Ξ) are constructed as follows.
e _ξ (γ, γ ^* ) = Π _{ι = 1} ^ξ e ₁ (γ _ι , γ _ι ^* )… (3)
A specific example of the bilinear map e ₁ is pairing such as Weil pairing or Tate pairing defined for two points on an elliptic curve defined on the finite field F _q . Therefore, for example, a bilinear map e _ξ with respect to an arbitrary ξ can be defined by using a known pairing. For details on bilinear mapping such as pairing, see Reference 1 “D. Boneh and MK Franklin,“ Identity-Based Encryption from the Weil Pairing, ”In CRYPTO'01, volume 2139 of Lecture Notes in Computer Science, pages 213-229, Springer, 2001. ”and Reference 2“ Akira Kurosawa, “Invitation to Contemporary Cryptography”, Science, September 10, 2010, ISBN 978-4-7819-1262-2, No. 2 Please refer to Chapter 13 etc.

a _i ∈ G ^N (i = 1,..., N) represents an N-dimensional basis vector having N elements of the cyclic group G as elements. However, μ is an integer of 2 or more, and N = n + μ. An example of a basis vector a _i is an N-1 dimensional element with g∈G as the i-th element and the remaining N-1 elements as unit elements of the cyclic group G (multiplicatively expressed as “1”) It is a basis vector. Each element of the N-dimensional basis vector a _i (i = 1,..., N) is listed and expressed as follows.
a ₁ = (g, 1,1, ..., 1)
a ₂ = (1, g, 1, ..., 1)… (4)
...
a _N = (1,1,1, ..., g)

a _i ^* ∈G ^N (i = 1,..., N) represents an N-dimensional basis vector having N elements of the cyclic group G as elements. An example of a basis vector a _i ^* is an N-1 dimension where g∈G is an i-th element and the remaining N-1 elements are unit elements of the cyclic group G (multiplicatively expressed as “1”) Basis vectors. Each element of the N-dimensional basis vector a _i ^* (i = 1,..., N) is listed and expressed as follows.
a ₁ ^* = (g, 1,1, ..., 1)
a ₂ ^* = (1, g, 1, ..., 1)… (5)
...
a _N ^* = (1,1,1, ..., g)

A basis A composed of N basis vectors a _i (i = 1,..., N) is an orthogonal basis and spans an N-dimensional vector space V = G × ... × G on a cyclic group G (V _{= span <a 1 ,...,a N>)} . An arbitrary element γ = (γ ₁ , ..., γ _N ) ∈V on the N-dimensional vector space V is expressed by the basis vectors a _i (i = 1, ..., N) and d _i ∈F _q (i = 1, ..., N) and can be expressed additively as follows for convenience (convenient additive expression).
γ = Σ _{i = 1} ^N d _i・ a _i (6)
Expression (6) is expressed in a multiplicative manner as follows.
γ = (g ^d1 , ..., g ^dN )… (7)
However, the superscripts “d1”,..., “ _DN ” represent “d ₁ ”,.
A vector d ^→ = (d ₁ from a basis A consisting of N basis vectors a _i (i = 1, ..., N) and N d _i ∈F _q (i = 1, ..., N) , ..., d _N ) and an arbitrary element γ on the N-dimensional vector space V is expressed as follows.
γ = (d ^→ ) _A = (d ₁ , ..., d _N ) _A … (8)

A basis A ^* consisting of N basis vectors a _i ^* (i = 1, ..., N) is an orthogonal basis, and an N-dimensional vector space V ^* = G × ... × G on a cyclic group G put _{^{(V * = span <a 1 *}} ,...,a N *>). Any original upper N-dimensional vector space _{^{V * γ * = (γ 1}} *, ..., γ N *) ∈V * is basis vector ^{_{a i * (i = 1,}} ..., N) and f _{Using i} ∈ F _q (i = 1, ..., N), it can be expressed additively as follows for convenience (convenient additive expression).
γ ^* = Σ _{i = 1} ^N f _i・ a _i ^* (9)
Expression (9) is expressed in a multiplicative manner as follows.
γ ^* = (g ^f1 , ..., g ^fN )… (10)
However, "f1" of the superscript, ..., "fN" is "f _1", ..., represents a "f _N".
From the basis A ^* consisting of N basis vectors a _i ^* (i = 1, ..., N) and N f _i ∈F _q (i = 1, ..., N), the vector f ^→ = ( An arbitrary element γ ^* on the N-dimensional vector space V ^* is expressed as follows using f ₁ , ..., f _N ).
γ ^* = (f ^→ ) _{A *} = (f ₁ , ..., f _N ) _{A *} … (11)
However, the subscript “A *” represents A ^* .

From equations (2) (3) (7) (10), γ = (d ^→ ) _A = (d ₁ , ..., d _N ) _A ∈V, γ ^* = (f ^→ ) _{A *} = (f ₁ , ..., f _N ) For _{A *} ∈ V ^* , the following relation holds:
e _N (γ, γ ^* ) = Π _{i = 1} ^N e ₁ (γ _i , γ _i ^* )
= Π _{i = 1} ^N e ₁ (g ^di , g ^fi )
= e ₁ (g, g) ^{d1 ・ f1 + ... + dN ・ fN}
= e ₁ (g, g) ^{d → ・ f →}
= g _T ^{d → ・ f →} … (12)
However, the superscripts “d ^→ ” and “f ^→ ” represent “d ^→ ” and “f ^→ ”, respectively.

Further, from the equations (2) and (3), the basis vectors a _i (i = 1,..., N) and the basis vectors a _j ^* (j = 1,..., N) satisfy the following relationship. That is, the base A and the base A ^* are mutually orthogonal orthogonal bases (dual orthogonal bases).
e _N (a _i , a _j ^* ) = g _T ^{δ (i, j)} … (13)
Here, δ (i, j) represents the Kronecker delta function. That, i = in the case of j δ (i, j) = meets 1∈F _q, in the case of i ≠ j δ (i, j ) = satisfy 0∈F _q.

When the bilinear map e _N is constructed by pairing, the set of the order q, the N-dimensional vector space V, V ^* , the cyclic group G, G _T , the generator g, and the bilinear map e _N as described above It is called “Dual Paring Vector Space (DPVS) with Symmetric Pairing Group”.

A basis A consisting of N basis vectors a _i (i = 1, ..., N) is a uniform random N-by-N regular matrix X = (χ _{i, j} ) ← ^U GL (N, F _q ) can be used to convert to the basis B = (b ₁ ,..., b _N ) of the N-dimensional vector space V. GL (N, F _q ) represents an N-dimensional general linear group on the finite field F _q , and (χ _{i, j} ) represents a matrix having χ _{i, j} as elements of i rows and j columns. “MENBER ← ^U SET” means that the element “MENBER” of the set “SET” is uniformly selected at random. Each element b _i ∈G ^N (i = 1, ..., N) of basis B is an N-dimensional basis vector whose elements are N elements of cyclic group G. Can be expressed additively (for convenience).
b _i = Σ _{j = 1} ^N χ _{i, j}・ a _j (i = 1, ..., N)… (14)
Expression (14) is expressed in a multiplicative manner as follows.
b _i = (g ^{χi, 1} , ..., g ^{χi, N} ) (i = 1, ..., N)… (15)
However, of the superscript "χi, j" represents "χ _{i, j".}
That is, the basis B = (b ₁ ,..., B _N ) can be regarded as an N × N matrix having elements of the cyclic group G as elements, and can be expressed as follows in a multiplicative manner.
B = ((g ^{χi, j} ) _{i, j} )… (16)

A basis A ^* consisting of N basis vectors a _i ^* (i = 1, ..., N) uses a regular matrix (θ _{i, j} ) = (X ^T ) ⁻¹ and uses an N-dimensional vector space V ^*. Can be converted to an orthogonal basis B ^* = (b ₁ ^* ,..., B _N ^* ). Where Ξ ^T is the transpose of Ξ, Ξ ^-1 is the inverse of Ξ, and (θ _{i, j} ) is θ _{i, j} (i = 1, ..., N, j = 1, ... ., N) represents a matrix having i rows and j columns. Each of the elements b _i ^* ∈ G ^N (i = 1, ..., N) of the orthogonal basis B ^* is an N-dimensional basis vector whose elements are the N elements of the cyclic group G. (Additive expression for convenience).
b _i ^* = Σ _{j = 1} ^N θ _{i, j}・ a _j ^* (i = 1, ..., N)… (17)
Expression (17) is expressed in a multiplicative manner as follows.
b _i ^* = (g ^{θi, 1} , ..., g ^{θi, N} ) (i = 1, ..., N)… (18)
However, "θi, j" in the superscript represents a "θ _{i, j".}
That is, the basis B ^* = (b ₁ , ..., b _N ) can be viewed as an N × N matrix with elements of the cyclic group G as elements, and can be expressed in the following multiplicative manner .
B ^* = ((g ^{θi, j} ) _{i, j} )… (19)

_{(θ i, j) = (} X T) from _{^{-1 (θ i, j) ·}} (X i, j) from the fact ^{that T} = I _{N ^{holds, χ i → = (χ i}} , 1, ..., χ _{i, N} ), θ _j ^→ = (θ _{j, 1} , ..., θ _{j, N} ), the following holds.
χ _i ^→・ θ _j ^→ = (χ _{i, 1} , ..., χ _{i, N} ) ・ (θ _{j, 1} , ..., θ _{j, N} )
= δ (i, j) ∈F _q ^× … (20)

From the equations (3), (15), (18), and (20), the following holds.
e _N (b _i , b _j ^* ) = Π _{ι = 1} ^N e ₁ (g ^{χi, ι} , g ^{θj, ι} )
= e ₁ (g, g) ^{χi → ・ θj →}
= e ₁ (g, g) ^{δ (i, j)}
= g _T ^{δ (i, j)} … (21)
That is, the base B and the base B ^* are mutually orthogonal orthogonal bases (dual orthogonal bases). The base B stretches the N-dimensional vector space V = G × ... × G on the cyclic group G (V = span <b ₁ , ..., b _N >), and the base B ^* is N on the cyclic group G A dimensional vector space V ^* = G × ... × G is stretched (V ^* = span <b ₁ ^* , ..., b _N ^* >).

基底Bとベクトルd^→=(d₁,...,d_N)とを用い、N次元ベクトル空間V^*上の任意の元γを以下のように表記する。
γ=(d^→)_B=(d₁,...,d_N)_B …(24) An arbitrary element γ = (γ ₁ , ..., γ _N ) ∈V on the N-dimensional vector space V is expressed by the basis vectors b _i (i = 1, ..., N) and d _i ∈F _q (i = 1, ..., N) and can be expressed additively as follows for convenience (convenient additive expression).
γ = Σ _{i = 1} ^N d _i・ b _i (22)
From equation (16), equation (22) is expressed in a multiplicative manner as follows.

An arbitrary element γ on the N-dimensional vector space V ^* is expressed as follows using a base B and a vector d ^→ = (d ₁ ,..., D _N ).
γ = (d ^→ ) _B = (d ₁ , ..., d _N ) _B … (24)

基底B^*とベクトルf^→=(f₁,...,f_N)とを用い、N次元ベクトル空間V^*上の任意の元γ^*を以下のように表記する。
γ^*=(f^→)_B*=(f₁,...,f_N)_B* …(27) Any original upper N-dimensional vector space _{^{V * γ * = (γ 1}} *, ..., γ N *) ∈V * is basis vector ^{_{b i * (i = 1,}} ..., N) and f _{Using i} ∈ F _q (i = 1, ..., N), it can be expressed additively as follows for convenience (convenient additive expression).
γ ^* = Σ _{i = 1} ^N f _i・ b _i ^* (25)
From equation (19), equation (25) is expressed in a multiplicative manner as follows.

An arbitrary element γ ^* on the N-dimensional vector space V ^* is expressed as follows using a base B ^* and a vector f ^→ = (f ₁ ,..., F _N ).
γ ^* = (f ^→ ) _{B *} = (f ₁ , ..., f _N ) _{B *} … (27)

From equations (2) (3) (20), γ = (d ^→ ) _B = (γ ₁ , ..., γ _N ) = (d ₁ , ..., d _N ) _B ∈V, γ ^* = (f ^→ ) _{B *} = (γ ₁ ^* , ..., γ _N ^* ) = (f ₁ , ..., f _N ) _{B *} ∈V ^*
e _N (γ, γ ^* ) = e _N (b ₁ , b ₁ ^* ) ^{d1 ・ f1}・ ... ・ e _N (b _N , b _N ^* ) ^{dN ・ fN}
= g _T ^{(d1 ・ f1 + ... + dN ・ fN)}
= g _T ^{d → ・ f →} … (28)

〔Overview〕
Next, an outline of the embodiment will be described.
The security system of the embodiment includes a parameter generation device, a first decryption device, a second decryption device, an obfuscation device, an encryption device, and a re-encryption device.

The parameter generation device has a function of generating system parameters common to the entire security system and a function of outputting the generated system parameters.
The parameter generator receives 1 ^sec (sec 1) as an input, bilinear mapping parameter param _V = (q, g, G, G _T , e _N ) corresponding to security parameter sec, regular matrix X = (χ _{i, j} ), basis B = (b ₁ , ..., b _N ), B ^* = (b ₁ ^* , ..., b _N ^* ) (N = n + μ). The parameter generation device stores the bilinear mapping parameter param _V in the storage unit.
The parameter generator uses Γ basis vectors b _{ι (1)} ,... That are part of n + μ basis vectors b _i ∈G ^{n + μ} (i = 1, ..., n + μ). Generate B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) consisting of., b _{ι (Γ)} . However, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, n + 1 ≦ Γ <n + μ. For example, μ = 2 · n + 2, Γ = n + 2, {ι (n + 3), ..., ι (3 · n + 2)} ⊂ {1, ..., 3 N + 2} and B ^ = (b _{ι (1)} , ..., b _{ι (n + 2)} ). To give a more specific example, B ^ = (b ₁ ,..., B _n , b _{2 · n + 1} , b _{3 · n + 2} ).
The parameter generation device outputs the following system parameters crs as public parameters.
crs = (param _V , B ^)… (29)

The first decryption device has a function of generating a public key and a secret key, a function of storing the public key and the secret key in a storage unit, and a function of outputting the public key. The first decryption device receives the system parameter crs as input, selects a (1), b (1), c (1), τ (1) ∈F _q ^× and selects the secret key sk (1) = (a ( 1), b (1), c (1), τ (1)) and public key pk (1) = (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1 ) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) · τ (1) · B ^) are generated. The secret key sk (1) and the public key pk (1) are stored in the storage unit of the first decryption device, and the public key pk (1) can be transmitted to any device.
B (1) = c (1) ・ τ (1) ・ B ^ represents the operation result in vector units with elements of the cyclic group G as elements, and is expressed additively for convenience (convenient additive expression) ).
From equation (16), B (1) = c (1) · τ (1) · B ^ is expressed in a multiplicative manner as follows. This can be calculated from B ^, c (1), and τ (1).
B (1) = ((g ^{c (1) ・ τ (1) ・ χi, j} ) _{i, j} )… (30)
However, i∈ {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, j∈ {1, ..., n + μ}.

The second decryption device has a function of generating a public key and a secret key, a function of storing the public key and the secret key in a storage unit, and a function of outputting the public key. The second decryption apparatus receives the system parameter crs as input, selects a (2), b (2), c (2), τ (2) ∈F _q ^× and selects the secret key sk (2) = (a ( 2), b (2), c (2), τ (2)) and public key pk (2) = (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2 ) ^{b (1)} , h (2) ^{c (1)} , B (2) = c (2) ・ τ (2) ・ B ^) are generated. The secret key sk (2) and the public key pk (2) are stored in the storage unit of the second decryption device, and the public key pk (2) can be transmitted to any device.
B (2) = c (2) ・ τ (2) ・ B ^ represents the result of vector unit operation with elements of cyclic group G as elements, and is expressed additively for convenience (convenient additive expression) ).
From equation (16), B (2) = c (2) · τ (2) · B ^ is multiplicatively expressed as follows. This can be calculated from B ^, c (2), and τ (2).
B (2) = ((g ^{c (2) ・ τ (2) ・ χi, j} ) _{i, j} )… (31)
However, i∈ {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, j∈ {1, ..., n + μ}.

The obfuscation device has a secret key sk (1) of the first decryption device, a public key pk (2) of the second decryption device, an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n )} ) ∈F _q ⁿ and a regular matrix X generated at the time of system parameter generation, and a function of generating a re-encryption key Obf (rk _{1 → 2} ). Since the regular matrix X is confidential information, the parameter generation device and the obfuscation device are the same, or the obfuscation device uses some safe means (information transmission via a dedicated line or recording medium, etc.) It is necessary to obtain the regular matrix X from the generator. Similarly, since the secret key sk (1) is secret information, it is necessary for the obfuscation device to acquire the secret key sk (1) from the first decryption device using some secure means.

The obfuscation device is sk (1) = (a (1), b (1), c (1), τ (1)), pk (2) = (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (1)} , h (2) ^{c (1)} , B (2) = c (2) ・ τ (2) ・ B ^), v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ and regular matrix X as inputs, Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} A re-encryption key Obf (rk _{1 → 2} ) including is generated.
RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , z, ρ, σ∈F _q ^× are random numbers And B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* and ι (i) ∈ {1, ..., n + μ } (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ} and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ · v ^→ = (σ · v _{ι (1)} , ..., σ · v _{ι (n)} ), any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1∈F _q . For example, RV ^→ is a 3 · n + 2 dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (3 · n + 2)} ), and one RV _κ ∈ {RV _{ι (n +1)} , RV _{ι (n + 2)} } is 1∈F _q , and one RV _φ ∈ {RV _{ι (n + 1)} , RV _{ι (n + 2)} } other than RV _κ is 0∈ F _q and n RV _{ε (1)} , ..., RV _{ε (n)} ∈ {RV _{ι (n + 3)} , ..., RV _{ι (3 ・ n + 2)} } are random numbers η _{ε (1)} , ..., η _{ε (n)} ∈F _q , and n RV _{υ (1)} , ..., other than RV _{ε (1)} , ..., RV _{ε (n)} Each of RV _{υ (n)} ∈ {RV _{ι (n + 3)} ,..., RV _{ι (3 · n + 2)} } is 0∈F _q . Thereby, higher safety can be secured. To give a more specific example, v ^→ = (v ₁ , ..., v _n ), (RV ₁ , ..., RV _n ) = (σ · v ₁ , ..., σ · v _n ) = σ ・ v ^→ , (RV _{n + 1} , ..., RV _{2 ・ n} ) = (0, ..., 0) = 0 ⁿ , RV _{2 ・ n + 1} = 1, (RV _{2 ・ n +2} , ..., RV _{3 ・ n + 1} ) = (η _{2 ・ n + 2} , ..., η _{3 ・ n + 1} ) = η ^→ ∈F _q ⁿ , RV _{3 ・ n + 2} = 0 An example of RV ^→ is as follows.
RV ^→ = (σ ・ v ^→ , 0 ⁿ , 1, η ^→ , 0) ∈F _q ^{3 ・ n + 2} (32)

B (1, 2) ^* = (ρ / c (1)), c (2), τ (2), B ^* represents the operation result in vector units with elements of the cyclic group G as elements, It is expressed additively (convenient additive expression). From equation (19), B (1,2) ^* = (ρ / c (1)) · c (2) · τ (2) · B ^* is expressed in a multiplicative manner and transformed as follows.
B (1,2) ^* = ((g ^{θi, j ・ (ρ / c (1)) ・ c (2) ・ τ (2)} ) _{i, j} )
= ((g ^{χi, j ・ c (2) ・ τ (2) ・ (ρ ・ θi, j / c (1) ・ χi, j)} ) _{i, j} )… (33)

The obfuscation device is B (2) = ((g ^{c (2) · τ (2) · χ i, j} ) _{i, j} ) (i∈ {ι (1), ..., ι (Γ)}, j∈ {1, ..., n + μ}) and regular matrix X, g ^{c (2) ・ τ (2) ・ χi ', j'} = (g ^{c (2) ・ τ (2 ) · Χi, j} ) ^{χi ′, j ′ / χi, j} (i ≠ i ′, j ≠ j ′) can be calculated, and the following B (2) ′ can be generated.
B (2) '= ((g ^{χi, j ・ c (2) ・ τ (2)} ) _{i, j} ) (i, j∈ {1, ..., n + μ})… (34)
From equations (33) and (34), it can be seen that the obfuscation device can calculate B (1,2) ^* using B (2) ′.

The encryption device has system parameters crs, the public key of the first decryption device (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1)) or the public key of the second decryption device (h (2), h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2)) , Mode selection parameter β, n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ and message m∈G and ciphertext of message m∈G And a function of outputting ciphertext.

  When the encryption device generates a ciphertext that can be decrypted by the first decryption device, the encryption device uses the ciphertext ct (0,1) (first ciphertext) and the ciphertext ct (1,1) (second One of the ciphertexts). The ciphertext ct (0,1) is a ciphertext in a re-encryptable mode (hereinafter referred to as “first mode”), and the ciphertext ct (1,1) is a non-re-encryptable mode (hereinafter “first”). 2 mode "). The re-encryption scheme of this embodiment is a “unidirectional single-hop type”, and when the ciphertext in the first mode is re-encrypted, it becomes a ciphertext in the second mode. The mode selection parameter β represents whether the mode is the first mode or the second mode. In the first mode, the mode selection parameter β is set to the first value, and in the second mode, the mode selection parameter β is set to the second value (≠ first value). In the example of this embodiment, the first value is “0”, and the second value is “1” (β∈ {0,1}).

The ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y ( 0,1) = h (1) ^{r + s} · m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ . In the present embodiment, an example is shown in which the ciphertext ct (0,1) further includes the first value mode selection parameter β = 0. However, the ciphertext ct (0, 1) does not have to include the mode selection parameter as long as it is possible to identify which mode has been used without using the mode selection parameter.
CV ^→ is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and r, s, ω∈F _q are random numbers Any one of CV _κ ∈ {CV _{ι (n + 1)} ,..., CV _{ι (Γ)} } is a random number ζεF _q . CV _{ι (n + 1)} , ..., CV _{ι (Γ)} minus CV _κ vector and RV _{ι (n + 1)} , ..., RV _{ι (Γ)} to RV _κ The dot product with a vector consisting of elements excluding is 0. For example, CV ^→ is a 3 ・ n + 2 dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (3 ・ n + 2)} ), and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and one CV _κ ∈ {CV _{ι (n +1)} , CV _{ι (n + 2)} } is a random number ζ, and one CV _φ ∈ {CV _{ι (n + 1)} , CV _{ι (n + 2)} } other than CV _κ is obtained by the encryption device. The selected random number ψ∈F _q , and each of 2 · n CV _{ι (n + 3)} ,..., CV _{ι (3 · n + 2)} is 0. Thereby, higher safety can be secured. To give a more specific example, x ^→ = (x ₁ , ..., x _n ), (CV ₁ , ..., CV _n ) = (ω ・ x ₁ , ..., ω ・ x _n ) = ω ・ x ^→ , (CV _{n + 1} , ..., CV _{2 ・ n} ) = (0, ..., 0) = 0 ⁿ , CV _{2 ・ n + 1} = ζ, (CV _{2 ・ n +2} ,..., CV _{3 · n + 1} ) = (0,..., 0) = 0 ⁿ , CV _{3 · n + 2} = ψ, and an example of CV ^→ is as follows.
CV ^→ = (ω ・ x ^→ , 0 ⁿ , ζ, 0 ⁿ , ψ) ∈F _q ^{3 ・ n + 2} (35)

The ciphertext ct (1,1) is E (1,1) = e ₁ ((h (1) ^{a (1)} ) ^r , t), F (1,1) = e ₁ ((h (1) ^{b (1)} ) ^s , t), G (1,1) = e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^zeta), including Z (1,1) = t, H (1,1) = e 1 (t ~, h a (1) ^ζ). t and t ^~ ∈G are random numbers. In the present embodiment, an example is shown in which the ciphertext ct (1,1) further includes a second value mode selection parameter β = 1. However, the ciphertext ct (1,1) does not have to include the mode selection parameter as long as other devices can identify which mode is used without using the mode selection parameter.

When the encryption device generates a ciphertext that can be decrypted by the second decryption device, the encryption device uses the first mode ciphertext ct (0,2) and the second mode ciphertext ct (1,2) ′. One of the above is generated.
The ciphertext ct (0,2) is W (0,2) = (h (2) ^{a (2)} ) ^r , Θ (0,2) = (h (2) ^{b (2)} ) ^s , Y ( 0,2) = h (2) ^{r + s} · m, U (0,2) = (CV ^→ ) _{B (1)} , Λ (0,2) = h (2) ^ζ . In the present embodiment, an example is shown in which the ciphertext ct (0,2) further includes the first value mode selection parameter β = 0. However, the ciphertext ct (0, 2) does not have to include the mode selection parameter as long as it is possible to identify which mode has been used without using the mode selection parameter.
The ciphertext ct (1,2) 'is E (1,2)' = e ₁ ((h (2) ^{a (2)} ) ^r , t), F (1,2) '= e ₁ ((h (2) ^{b (2)} ) ^s , t), G (1,2) '= e ₁ ((h (2) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (2) ^{c (2)) ζ),} Z (1,2) '= t, H (1,2)' = e 1 (t ~, including h (2) ^ζ). In the present embodiment, an example is shown in which the ciphertext ct (1,2) ′ further includes the second value mode selection parameter β = 1. However, the ciphertext ct (1,2) ′ does not have to include the mode selection parameter as long as other devices can identify which mode is used without using the mode selection parameter.

The re-encryption device has the public key pk (1) = (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1) of} the first decryption device , B (1)), ciphertext ct (0,1), and re-encryption key Obf (rk _{1 → 2} ) as input, ciphertext ct (1,2) (re-encoded by the second decryption device) A ciphertext) and a ciphertext ct (1,2) output function.
The re-encryption device uses random numbers r ′, s ′, ζ′∈F _q , and W ′ = W (0,1) · (h (1) ^{a (1)} ) ^{r ′} , Θ ′ = Θ (0 , 1) ・ (h (1) ^{b (1)} ) ^s' , Y '= Y (0,1) ・ h (1) ^{r' + s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ '= Λ (0,1) ・ h (1) ^ζ' , Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ', Z ₂ ) , Ψ ₃ = e ₁ (Y ', Z ₃ ), Ω ₁ = e _{n + μ} (U', k ^* ), Ω ₂ = e ₁ (Λ ', k ₀ ), random numbers y, y'∈ E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y・ Ω ₁ ^{y '} , Z (1,2) = Z for F _q ^× ₃ Generates ciphertext ct (1,2) including ^y , H (1,2) = Ω ₂ ^{y ′} . REV ^→ is an n + μ-dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ {REV _{ι (1)} , ..., REV _{ι (n + μ)} } is a random number ζ ', and REV _{ι (1)} , ..., REV _{ι (n + μ)} excluding REV _κ is 0∈F _q is there. For example, REV ^→ is a 3 · n + 2 dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (3 · n + 2)} ) ∈F _q ^{n + μ} , one of which REV _kappa ∈ a _{{REV ι (1), ...} , REV ι (3 · n + 2)} is a random number _ζ ', REV ι ₍₁₎ excluding the _{REV κ, ..., REV ι (} 3 · _{n + 2)} is 0∈F _q . To give a more specific example, (REV ₁ , ..., REV _{2 · n} ) = (0, ..., 0) = 0 ^{2 · n} , REV _{2 · n + 1} = ζ ′, (REV _{2 · n + 2} , ..., REV _{3 · n + 2} ) = (0, ..., 0) = 0 ^{n + 1} , and an example of REV ^→ is as follows.
REV ^→ = (0 ⁿ , 0 ⁿ , ζ ′, 0 ⁿ , 0) ∈F _q ^{3 · n + 2} (36)
As described above, the ciphertext ct (1,2) is the ciphertext in the second mode. In this embodiment, an example is shown in which the ciphertext ct (1,2) further includes a second value mode selection parameter β = 1. However, the ciphertext ct (1, 2) does not have to include the mode selection parameter as long as it is possible to identify which mode was used without using the mode selection parameter.

The first decryption device further has a function of decrypting the input ciphertext to obtain a decrypted value m ′ and a function of outputting the decrypted value m ′. When the ciphertext ct (0,1) (the input ciphertext including the mode selection parameter β = 0 representing the first value) is obtained as the input ciphertext, the first decryption device m ′ = Y (0,1 ) / (W (0,1) ^{1 / a (1)} · Θ (0,1) ^{1 / b (1)} ) is obtained as a decoded value. When the ciphertext ct (1,1) (the input ciphertext including the mode selection parameter β = 1 representing the second value) is obtained as the input ciphertext, the first decryption device e ₁ (m ′, Z ( 1,1)) = G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1,1) ^{1 / b (1)} } Is obtained as a decrypted value. e ₁ (m ', Z (1,1)) = G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1, 1) The search for m′∈G that satisfies ^{1 / b (1)} } is performed by, for example, searching all elements of the finite field G.

The second decryption device also has a function of decrypting the input ciphertext to obtain a decrypted value m ′ and a function of outputting the decrypted value m ′. When the ciphertext ct (0,2) (the input ciphertext including the mode selection parameter β = 0 representing the first value) is obtained as the input ciphertext, the second decryption device m ′ = Y (0,2 ) / (W (0,2) ^{1 / a (2)} · Θ (0,2) ^{1 / b (2)} ) is obtained as a decoded value. When the ciphertext ct (1,2) (the input ciphertext including the mode selection parameter β = 1 representing the second value) is obtained as the input ciphertext, the second decryption device e ₁ (m ′, Z ( 1,2)) = G (1,2) / {H (1,2) ^{c (2)}・ E (1,2) ^{1 / a (2)}・ F (1,2) ^{1 / b (2)} } Is obtained as a decrypted value. e ₁ (m ', Z (1,2)) = G (1,2) / (H (1,2) ^{c (2)}・ E (1,2) ^{1 / a (2)}・ F (1, 2) The search for m′∈G that satisfies ^{1 / b (2)} } is performed by, for example, searching all elements of the finite field G. Similarly, when the ciphertext ct (1,2) ′ is obtained, the second decryption device e ₁ (m ′, Z (1,2) ′) = G (1,2) ′ / {H ( 1, 2) ′ ^{c (2)} · E (1,2) ′ ^{1 / a (2)} · F (1,2) ′ ^{1 / b (2)} } m′∈G satisfying the condition is obtained as a decoded value.

<Derivation of decryption result>
Decoding results are derived below.
[For ciphertext ct (0,1) before re-encryption]
From the following, it can be seen that a correct decoded value can be obtained.
m '= Y (0,1) / (W (0,1) ^{1 / a (1)}・ Θ (0,1) ^{1 / b (1)} )
= h (1) ^{r + s}・ m / h (1) ^{(r + s)}
= m
[For ciphertext ct (1,1) before re-encryption]
From equation (3), the following relationship holds for the equation for search at the time of decoding.
e ₁ (m ', Z (1,1)) = e ₁ (m', t)
G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1,1) ^{1 / b (1)} }
= e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^ζ ) / (e ₁ (t ^~ , h (1) ^ζ ) ^{c (1)}・ e ₁ ((h (1) ^{a (1)} ) ^r , t) ^{1 / a (1)}・ e ₁ ((h (1) ^{b (1)} ) ^s , t) ^{1 / b (1)} }
= e ₁ ((m, t)) ・ e ₁ (h (1), t) ^{(r + s)}・ e ₁ (t ^~ , h (1)) ^{c (1) ・ ζ} / {e ₁ (t ^~ , h (1)) ^{c (1) ・ ζ}・ e ₁ (h (1), t) ^{(r + s)} }
= e ₁ ((m, t))
Therefore, it can be seen that a correct decoded value can be obtained.
Similarly, it can be seen that decrypted values can be obtained correctly for the ciphertexts ct (0,2) and ct (1,2) ′ before re-encryption.

[For ciphertext ct (1,2) obtained by re-encryption]
From equation (2), E (1,2) included in the ciphertext ct (1,2) can be modified as follows.
E (1,2) = e ₁ ((g ^{τ (1) ・ a (1)} ) ^r・ (g ^{τ (1) ・ a (1)} ) ^{r '} , (g ^{τ (2) ・ a (2)} ) ^{z / a (1)} ) ^y
= e ₁ (g ^{τ (1) ・ (r + r ')} , g ^{τ (2) ・ a (2) ・ z} ) ^y
= e ₁ (g ^{(τ (1) / τ (2)) ・ τ (2) ・ a (2) ・ (r + r ')} , g ^{τ (2) ・ y ・ z} )
= e ₁ (h (2) ^{(τ (1) / τ (2)) ・ a (2) ・ (r + r ')} , h (2) ^{y ・ z} )… (37)
If L = τ (2) / τ (1), r ⁻ = (r + r ′) / L and t ⁻ = h (2) ^{y · z} , then expression (37) can be expressed as follows.
_{E (1,2) = e 1 (} h (2) a (2) · r-, t -) ... (38)
However, "r-" in the superscript represents ^- "r".

From Equation (2), F (1,2) included in the ciphertext ct (1,2) can be modified as follows.
F (1,2) = e ₁ ((g ^{τ (1) ・ b (1)} ) ^s・ (g ^{τ (1) ・ b (1)} ) ^s' , (g ^{τ (2) ・ b (2)} ) ^{z / b (1)} ) ^y
= e ₁ (g ^{τ (1) ・ (s + s')} , g ^{τ (2) ・ b (2) ・ z} ) ^y
= e ₁ (g ^{τ (1) ・ b (2) ・ (s + s')} , g ^{τ (2) ・ y ・ z} )
= e ₁ (g ^{(τ (1) / τ (2)) ・ τ (2) ・ b (2) ・ (s + s')} , g ^{τ (2) ・ y ・ z} )
= e ₁ (h (2) ^{b (2) ・ (τ (1) / τ (2)) ・ (s + s')} , h (2) ^{y ・ z} )… (39)
If L = τ (2) / τ (1), s ⁻ = (s + s ′) / L and t ⁻ = h (2) ^{y · z} , then equation (39) can be expressed as follows.
_{F (1,2) = e 1 (} h (2) b (2) · s-, t -) ... (40)
However, "s-" in the superscript represents ^- the "s".

From equations (2), (21), (28), (30), and (33), G (1,2) included in the ciphertext ct (1,2) can be modified as follows.
G (1,2)
= e ₁ (g ^{τ (1) ・ (r + s)}・ m ・ g ^{τ (1) ・ (r '+ s')} , g ^{τ (2) ・ z} ) ^y・ e _{n + μ} ((CV ^→ + REV ^→ ) _{B (1)} , (RV ^→ ) _{B (1,2) *} ) ^{y '}
= e ₁ (g ^{τ (1) ・ (r + s + r '+ s')}・ m, g ^{τ (2) ・ z} ) ^y・ e _{n + μ} ((c (1) ・ τ (1) ・CV ' ^→ ) _B , ((ρ / c (1)) ・ c (2) ・ τ (2) ・ RV ^→ ) _{B *} ) ^y'
= e ₁ (h (2) ^{(τ (1) / τ (2)) ・ (r + s + r '+ s')}・ m, h (2) ^{y ・ z} ) ・ e ₁ (g, g) ^{c (2) ・ τ (1) ・ τ (2) ・ ρ ・ y '・ (CV' → ・ RV →)} … (41)
However, of the superscript "CV '→" is "CV' represents a ^→", "RV →" represents "RV ^→". CV ′ ^→ is an n + μ-dimensional vector that satisfies CV ′ ^→ = CV ^→ + REV ^→ . CV ′ ^→ is obtained by replacing one element CV _κ = ζ included in the n + μ-dimensional vector CV ^→ with ζ + ζ ′.
Where RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ )} ) is an n-dimensional vector σ (RV _{ι (1)} , ..., RV _{ι (n)} ) V ^→ = (σ · v _{ι (1)} , ..., σ · v _{ι (n)} ), and one RV _κ is 1. CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω · x _{ι (1)} , ..., ω · x _{ι (n)} ), and one CV _κ is ζ. A vector consisting of the elements of (CV _{ι (n + 1)} , ..., CV _{ι (Γ)} ) minus CV _κ and RV ^→ = (RV _{ι (n + 1)} , ..., RV _{ι (Γ )} ) The inner product with the vector consisting of the elements excluding RV _κ is 0. Therefore, CV ′ ^→ · RV ^→ = ζ + ζ ′ + ω · σ · x ^→ · v ^→ . It is as follows when it derives using the specific example of Formula (32) (35) (36).
CV ' ^→ = (ω ・ x ^→ , 0 ⁿ , ζ + ζ', 0 ⁿ , ψ)
CV ' ^→・ RV ^→ = (ω ・ x ^→ , 0 ⁿ , ζ + ζ ′, 0 ⁿ , ψ) ・ (σ ・ v ^→ , 0 ⁿ , 1, η ^→ , 0)
= ζ + ζ '+ ω ・ σ ・ x ^→・ v ^→
Therefore, equation (41) can be modified as follows.
G (1,2)
= e ₁ (h (2) ^{(τ (1) / τ (2)) ・ (r + s + r '+ s')}・ m, h (2) ^{y ・ z} ) ・ e ₁ (g, g) ^{c (2) ・ τ (1) ・ τ (2) ・ ρ ・ y '・ (ζ + ζ' + ω ・ σ ・ x → ・ v →)}
= e ₁ (h (2) ^{(τ (1) / τ (2)) ・ (r + s + r '+ s')}・ m, h (2) ^{y ・ z} ) ・ e ₁ (h (1) ^{L ・ ρ ・ y '} , h (2) ^{c (2) ・ (ζ + ζ' + ω ・ σ ・ x → ・ v →) / L} )… (42)
Here, L = τ (2) / τ (1), ζ - = (ζ + ζ ') / L, ν = (ω · σ · x → · v →) / L, r - = (r + r ^{') / L, s - =} (s + s') / L, t - = h (2) y · z and t ^- putting a ^{'= h (1) L ·} ρ · y', formula (42) Can be written as:
_{G (1,2) = e 1 (} h (2) ((r -) + (s-)) · m, t -) · e 1 (t - ', h (2) c (2) · (( ^{ζ-) + ν)} )… (43)
However, the superscript “r-” represents “r ⁻ ”, “s-” represents “s ⁻ ”, and “ζ-” represents “ζ ⁻ ”.

If t ⁻ = h (2) ^{y · z} , Z (1,2) included in the ciphertext ct (1,2) can be expressed as follows.
^{_{Z (1,2) = Z 3 y}} = h (2) y · z = t - ... (44)
From equation (2), H (1,2) included in the ciphertext ct (1,2) can be modified as follows.
H (1,2) = e ₁ (h (1) ^{(ζ + ζ ')} , h (2) ^ρ ) ^y'
= e ₁ (h (1) ^{ρ ・ y '} , h (2) ^{L ・ (ζ + ζ') / L} )… (45)
Here, if ζ ⁻ = (ζ + ζ ′) / L and t ⁻ ′ = h (1) ^{L · ρ · y ′} , the equation (45) can be expressed as follows.
_{H (1,2) = e 1 (} t - ', h (2) ζ-) ... (46)

From the expressions (38), (40), (43), (44), and (46), the following expression is established for the expression for searching at the time of decoding.
_{e 1 (m ', Z (} 1,2)) = e 1 (m', t -)
G (1,2) / {H (1,2) ^{c (2)}・ E (1,2) ^{1 / a (2)}・ F (1,2) ^{1 / b (2)} }
_{= e 1 (h (2)} ((r -) + (s-)) · m, t -) · e 1 (t - ', h (2) c (2) · ((ζ -) + ν) ^{_{) / {e 1 (t -}} ', h (2) ζ-) c (2) · e 1 (h (2) a (2) · r-, t -) 1 / a (2) · e 1 ( ^{h (2) b (2)} · s-, t -) 1 / b (2)}
^{_{= e 1 (m, t -}} ) · e 1 (h (2), t -) ((r -) + (s-)) · e 1 (t - ', h (2)) c (2) · ^{((ζ -) + ν)} / {e 1 (t - ', h (2)) c (2) · ζ- · e 1 (h (2), t -) ((r -) + (s- ⁾⁾ }
^{_{= e 1 (m, t -}} ) · e 1 (t - ', h (2)) c (2) · ((ζ -) + ν) / e 1 (t -', h (2)) c ( ^{2) ・ ζ-} … (47)
In the equation (47), when ν = 0, that is, when the inner product x ^→ · v ^→ = 0, it becomes e ₁ (m, t ⁻ ), and m ′ = m, so that decoding is performed correctly. On the other hand, when the inner product x ^→ · v ^→ ≠ 0, equation (47) does not become e ₁ (m, t ⁻ ) and cannot be correctly decoded. From the above, it can be seen that the re-encryption scheme is realized in the inner product predicate encryption that can be decrypted when the inner product of the n-dimensional vector x ^→ and the n-dimensional vector v ^→ is zero. As described above, in this embodiment, the n-dimensional vector x ^→ is embedded in the ciphertext and the n-dimensional vector v ^→ is embedded in the re-encryption key, and re-encryption is correctly performed depending on whether x ^→ · v ^→ = 0 holds Can be controlled.

<Predicate confidentiality>
The security system of the embodiment has predicate confidentiality. The predicate confidentiality means the confidentiality of the n-dimensional vector v ^→ corresponding to the key in the predicate encryption method. The name “predicate confidentiality” is based on the premise that a predicate vector corresponds to a key and an attribute vector corresponds to a ciphertext. However, an attribute vector may correspond to the key, and a predicate vector may correspond to the ciphertext. When the n-dimensional vector v ^→ corresponding to the key is an attribute vector, “predicate secrecy” means secrecy of the attribute. There is no predicate secrecy in the predicate encryption methods so far. This is because in the conventional predicate encryption method, an attacker generates a key using an arbitrary n-dimensional vector v ′ ^→ and decrypts the ciphertext with the key to search whether a correct message can be obtained. This is because information about the n-dimensional vector v ^→ can be obtained. In contrast, in this embodiment, the n-dimensional vector x ^→ is embedded in the ciphertext, and the n-dimensional vector v ^→ is embedded in the re-encryption key. Therefore, even if an attacker generates a re-encryption key using an arbitrary n-dimensional vector v ′ ^→ and re-encrypts the ciphertext with the re-encryption key, the ciphertext is obtained by that, The attacker cannot determine whether the ciphertext has been correctly re-encrypted. Therefore, predicate confidentiality can be realized in this embodiment.

<Obfuscation of re-encryption key>
It will be described that the re-encryption code including the re-encryption key Obf (rk _{1 → 2} ) becomes obfuscated information.
[Definition of obfuscation]
Code CODE that outputs OUT = CODE (IN) for input value IN, information Obf (CODE) corresponding to code CODE, Oracle that outputs output value OUT = CODE (IN) for any input value IN, Assume a virtual attacker ADV, a simulator SIM, and a classifier DIS. The attacker ADV is given the information Obf (CODE), but the simulator SIM is not given the information Obf (CODE). The attacker ADV, the simulator SIM, and the discriminator DIS are not given a code CODE from the Oracle ORA, but can give an arbitrary input value IN to the Oracle ORA and obtain an output value OUT = CODE (IN) corresponding thereto. The attacker ADV gives information obtained by using the information Obf (CODE) and Oracle ORA to the discriminator DIS. The simulator SIM gives the information obtained using the Oracle ORA to the discriminator DIS. The discriminator DIS identifies whether the information given by the Oracle ORA and the given information is an attacker ADV or a simulator SIM. The discriminator DIS outputs 1 when it is identified that the given information is the attacker ADV, and outputs 0 when it is identified as the simulator SIM. Obf (CODE) is information in which CODE is obfuscated when the following conditions (I) to (III) are satisfied.
(I) for any input value ^∀ IN, satisfy CODE (IN) = Obf (CODE (IN)).
(II) Obf (CODE (IN)) can be calculated in polynomial time for the size of an arbitrary input value ^∀IN .
(III) Arbitrary attackers ^∀ There are simulators ^∃ SIM that satisfy the following conditions for ADV and discriminator ^∀ DIS.
Pr [DIS ^ORA (ADV ^ORA (Obf (CODE))) → 1] -Pr [DIS ^ORA (SIM ^ORA ) → 1] <NEGL (sec)… (48)
However, Pr [DIS ^ORA (ADV ^ORA (Obf (CODE))) → 1] identifies that the discriminator DIS to which information is given from the attacker ADV identifies that the attacker is ADV. Represents the probability of outputting 1. Pr [DIS ^ORA (SIM ^ORA ) → 1] represents a probability that the discriminator DIS to which information is given from the simulator SIM recognizes that the information given by the simulator is an attacker ADV and outputs 1. NEGL (sec) is a function that outputs a value that can be ignored. The output value of NEGL (sec) is smaller as the security parameter sec is larger.

[Obfuscation of re-encryption code including re-encryption key Obf (rk _{1 → 2} )]
The re-encryption key Obf (rk _{1 → 2} ) is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b ( 1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} . From equations (38), (40), (43), (44), and (46), even if z and ρ are constants (for example, z = 1, ρ = 1), the re-encrypted ciphertext ct (1, 2) can be generated. However, by using z and ρ as random numbers, the re-encryption code including the re-encryption key Obf (rk _{1 → 2} ) is obfuscated. For comparison, assume that z = 1.
When z = 1, the re-encryption key Obf (rk _{1 → 2} ) is Z ₁ = h (2) ^{a (2) / a (1)} , Z ₂ = h (2) ^{b (2) / b (1 )} , Z ₃ = h (2), k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} . The attacker ADV can calculate the following using the re-encryption key Obf (rk _{1 → 2} ) and the public key of the first decryption device.
e ₁ (h (2) ^{a (2) / a (1)} , h (1) ^{a (1)} ) = e ₁ (h (2) ^{a (2)} , h (1)) = Υ… (49)
Therefore, the attacker ADV can obtain information on the secret key a (2) by searching for a KEY satisfying Υ = e ₁ (h (2) ^KEY , h (1)). On the other hand, a simulator SIM that does not have the re-encryption key Obf (rk _{1 → 2} ) cannot find Υ by the calculation of Equation (49), and searches for the KEY to obtain information on the secret key a (2). I can't. Therefore, Equation (48) is not satisfied, and it cannot be said that the re-encryption code including the re-encryption key Obf (rk _{1 → 2} ) has been obfuscated.

Now assume that z is a random number. Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^For a re-encryption key Obf (rk _{1 → 2} ) containing ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , the attacker ADV Using Obf (rk _{1 → 2} ) and the public key of the first decryption device, the following can be calculated:
e ₁ (h (2) ^{a (2) ・ z / a (1)} , h (1) ^{a (1)} ) = e ₁ (h (2) ^{a (2) ・ z} , h (1)) = Υ '… (50)
The attacker ADV can search for KEY · z that satisfies Υ '= e ₁ (h (2) ^{KEY · z} , h (1)), but z is a random number, so the Computational Diffie-Hellman assumption If true, it is not possible to obtain information about the private key a (2). Similarly, the attacker ADV, if z and ρ are random numbers, has a secret key b (2) or n-dimensional vector v ^→ for other elements of the re-encryption key Obf (rk _{1 → 2} ). I can't get information. Therefore, when z and ρ are random numbers, the equation (48) is satisfied and the condition (III) is satisfied. It can be said that the re-encryption code including the re-encryption key Obf (rk _{1 → 2} ) is obfuscated because it satisfies other conditions (I) and (II).

<Safety>
In this embodiment, a re-encryption method having high security can be realized. In particular, RV ^→ = (RV _{ι (1)} , ..., RV _{ι (3 ・ n + 2)} ), and one RV _κ ∈ {RV _{ι (n + 1)} , RV _{ι (n + 2 )} } Is 1∈F _q , and one RV _φ ∈ {RV _{ι (n + 1)} , RV _{ι (n + 2)} } other than RV _κ is 0∈F _q and RV _{ε (1)} , ..., RV _{ε (n)} ∈ {RV _{ι (n + 3)} , ..., RV _{ι (3 ・ n + 2)} } is a random number η _{ε (1)} , ..., η _{ε (n )} ∈F _q and n RV _{υ (1)} , ..., RV _{υ (n)} ∈ {RV _{ι (n + 3 )} other than RV _{ε (1)} , ..., RV _{ε (n) )} , ..., RV _{ι (3 ・ n + 2)} } is 0∈F _q and CV ^→ = (CV _{ι (1)} , ..., CV _{ι (3 ・ n + 2)} ) (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ) And one CV _κ ∈ {CV _{ι (n + 1)} , CV _{ι (n + 2)} } is a random number ζ, and one CV _φ ∈ {CV _{ι (n + 1)} other than CV _κ , CV _{ι (n + 2)} } is the random number ψ∈F _q selected by the encryption device, and 2 · n CV _{ι (n + 3)} , ..., CV _{ι (3 · n + 2 )} Is 0, REV ^→ = (REV _{ι (1)} , ..., REV _{ι (3 ・ n + 2)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ { _{REV ι (1), ...,} REV ι (3 · n + 2)} A random number zeta ', REV except _{REV κ ι (1), ...} , when _{REV ι (3 · n + 2} ) is 0∈F _q (e.g. formula (32) (35) (36) If satisfied), if the decision linear assumption (DLIN assumption) and strong Diffe-Hellman identification assumption (SDHI assumption) are true, then it can be said to be IND-CPA safe.

Embodiment
Next, embodiments will be described with reference to the drawings.
<Configuration>
As illustrated in FIG. 1, the security system 1 of this embodiment includes, for example, a parameter generation device 11, an encryption device 12, decryption devices 13 and 14 (first and second decryption devices), an obfuscation device 15, and re-encryption. The apparatus 16 is comprised so that these can communicate through a network. In this embodiment, for convenience of explanation, a security system having one parameter generation device, encryption device, obfuscation device, re-encryption device, and two decryption devices is illustrated, but the security system has more parameters. You may have a production | generation apparatus, an encryption apparatus, an obfuscation apparatus, a re-encryption apparatus, and a decryption apparatus. Alternatively, the parameter generation device and the obfuscation device may be the same device, or the obfuscation device and any of the decoding devices may be the same device. Each of the parameter generation device 11, the encryption device 12, the decryption devices 13 and 14 (first and second decryption devices), the obfuscation device 15 and the re-encryption device 16 includes, for example, a CPU (central processing unit), a RAM (random -access memory), ROM (read-only memory), etc., a special device configured by reading a special program into a known or dedicated computer.

[Encryption device 12]
As illustrated in FIG. 2, the encryption device 12 according to the present embodiment includes an input unit 12a, an interface unit 12b, a temporary memory 12c, a storage unit 12d, a control unit 12e, a mode switching unit 21f, selection units 12g and 12h, and It has encryption parts 12i and 12j. The encryption device 12 executes each process under the control of the control unit 12e. The data obtained in each process is stored in the temporary memory 12c, and the data stored in the temporary memory 12c is read out as necessary and used in other processes.

[Decoding device 13]
As illustrated in FIG. 3, the decryption device 13 of this embodiment includes an output unit 13 a, an interface unit 13 b, a temporary memory 13 c, a storage unit 13 d, a control unit 13 e, a selection unit 13 f, public key generation units 13 g to 13 k, and mode switching. 13m and decoding units 13n and 13p. The decryption device 13 executes each process under the control of the control unit 13e. The data obtained in each process is stored in the temporary memory 13c, and the data stored in the temporary memory 13c is read as necessary and used in other processes.

[Decoding device 14]
As illustrated in FIG. 4, the decryption device 14 of this embodiment includes an output unit 14 a, an interface unit 14 b, a temporary memory 14 c, a storage unit 14 d, a control unit 14 e, a selection unit 14 f, public key generation units 14 g to 14 k, and mode switching. 14m and decoding units 14n and 14p. The decryption device 14 executes each process under the control of the control unit 14e. Data obtained in each process is stored in the temporary memory 14c, and the data stored in the temporary memory 14c is read out as necessary and used in other processes.

[Obfuscation device 15]
As illustrated in FIG. 5, the obfuscation apparatus 15 of this embodiment includes an input unit 15a, an interface unit 15b, a temporary memory 15c, a storage unit 15d, a control unit 15e, selection units 15f and 15g, and re-encryption key generation. Parts 15h, 15i, and 15j. The obfuscation apparatus 15 executes each process under the control of the control unit 15e. The data obtained in each process is stored in the temporary memory 15c, and the data stored in the temporary memory 15c is read out as necessary and used in other processes.

[Re-encryption device 16]
As illustrated in FIG. 6, the re-encryption device 16 of the present embodiment includes an interface unit 16a, 16b, a temporary memory 16c, a storage unit 16d, a control unit 16e, a selection unit 16f, 16i, a group calculation unit 16ga-16ge, The linear mapping operation units 16ha to 16he and the re-encryption units 16ja to 16je are included. The re-encryption device 16 executes each process under the control of the control unit 16e. The data obtained in each process is stored in the temporary memory 16c, and the data stored in the temporary memory 16c is read as necessary and used in other processes.

<Processing>
The processing of this embodiment will be described. In this embodiment, an example will be described in which a ciphertext that can be decrypted by the decryption device 13 is created by the encryption device 12. The ciphertext created by the encryption device 12 is decrypted as it is by the decryption device 13 or re-encrypted by the re-encryption device 16 into a ciphertext that can be decrypted by the decryption device 14 and then decrypted by the decryption device 14. Is done.
[Parameter generation]
The parameter generation device 11 according to the present embodiment generates the system parameter crs as described above and transmits it through the network. The system parameter crs is received by the interface units 12b, 13b, 14b, 15b, and 16b of the encryption device 12, the decryption devices 13 and 14, the obfuscation device 15, and the re-encryption device 16, respectively, and the storage units 12d and 13d. , 14d, 15d, and 16d. Each of the encryption device 12, the decryption devices 13, 14, the obfuscation device 15, and the re-encryption device 16 reads the system parameters crs stored in the storage units 12d, 13d, 14d, 15d, and 16d as necessary. Use. The storage unit 15d of the obfuscation apparatus 15 further stores a regular matrix X generated at the time of system parameter generation.

[Generate private and public keys]
As illustrated in FIG. 7A, the selection unit 13f of the decoding device 13 (FIG. 3) uniformly randomizes a (1), b (1), c (1), τ (1) ← ^U F _q ^×. These are stored in the storage unit 13d as the secret key sk (1) = (a (1), b (1), c (1), τ (1)) of the decryption device 13 (step S101).
The public key generation units 13g to 13k use the secret key sk (1) and the system parameter crs stored in the storage unit 13d, respectively, and h (1) = g ^{τ (1)} εG, h (1) ^{a (1 )} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) · τ (1) · B ^ and calculate them as the public key pk of the decryption device 13 (1) = (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1)) is stored in the storage unit 13d ( Steps S102 to S106). The public key pk (1) is transmitted from the interface unit 13b to other devices as necessary. Although the secret key sk (1) is not publicly disclosed, the secret key sk (1) is given only to the obfuscation device 15 and the secret key sk (1) is stored in the storage unit 15d of the obfuscation device 15.

As illustrated in FIG. 7B, the selection unit 14f of the decoding device 14 (FIG. 4) uniformly randomizes the random numbers a (2), b (2), c (2), τ (2) ← ^U F _q ^×. These are stored in the storage unit 14d as the secret key sk (2) = (a (2), b (2), c (2), τ (2)) of the decryption device 14 (step S111).
The public key generation units 14g to 14k use the secret key sk (2) and the system parameter crs stored in the storage unit 14d, respectively, and h (2) = g ^{τ (2)} ∈ G and h (2) ^{a (2 )} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) · τ (2) · B ^ and calculate them as the public key pk of the decryption device 14 (2) = (h (2), h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2)) is stored in the storage unit 14d ( Steps S112 to S116). The public key pk (2) is transmitted from the interface unit 14b to other devices as necessary.

[Generate re-encryption key]
The obfuscation apparatus 15 (FIG. 5) acquires the public key pk (2) via the network and interface unit 13b and stores it in the storage unit 15d. Further, an n-dimensional vector v ^→ = (v _{ι (1)} ,..., V _{ι (n)} ) εF _q ⁿ is input to the input unit 15a. As illustrated in FIG. 7C, the selection unit 15f of the obfuscation apparatus 15 selects random numbers z, ρ, σ ← ^U F _q ^× uniformly and randomly (Step S121), and the selection unit 15g selects the random number η _{ε ( 1)} , ..., η _{ε (n)} ∈ ← ^U F _q is chosen uniformly at random. As mentioned above, an example of random numbers η ^→ = (η _{ε (1)} , ..., η _{ε (n)} ) is η ^→ = (η _{2 ・ n + 2} , ..., η _{3 ・ n + 1} (Step S122). The re-encryption key generation unit 15h uses the system parameter crs, the regular matrix X, and the public key pk (2) stored in the storage unit 15d, and uses the aforementioned B (2) ′ = c (2) · τ (2 ) · B (represented in a multiplicative manner in the above equation (34)) is generated (step S123). B (2) ′ is input to the re-encryption key generation unit 15i. The re-encryption key generation unit 15i uses B (2) ′, the system parameter crs stored in the storage unit 15d, the regular matrix X, and the secret key sk (1) as described above (Formula (33) ( 34)) B (1,2) ^* = (ρ / c (1)) · c (2) · τ (2) B ^* is calculated (step S124). The re-encryption key generation unit 15j uses the input n-dimensional vector v ^→ , random numbers z, ρ, σ, random number η ^→ , the system parameter crs stored in the storage unit 15d, and the public key pk (2). , Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) A re-encryption key Obf (rk _{1 → 2} ) composed of ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} is generated. As described above, an example of the RV ^→ the ^{RV → = (σ · v →} , 0 n, 1, η →, 0) is (step S125).
The generated re-encryption key Obf (rk _{1 → 2} ) is sent to the interface unit 15b and sent to the re-encryption device 16 via the network. The re-encryption key Obf (rk _{1 → 2} ) is received by the interface unit 16b of the re-encryption device 16 (FIG. 6) and stored in the storage unit 16d.

[Encryption processing]
The encryption device 12 (FIG. 2) acquires the public key pk (1) via the network and interface unit 12b and stores it in the storage unit 12d. As illustrated in FIG. 8, a mode selection parameter βε {0,1}, an n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n )} ) ΕF _q ⁿ and message mεG are input (step S131). The selection unit 12g uniformly selects random numbers r, s, ζ, ω, ψ ← ^U F _q (step S132). The mode switching unit 12f selects an encryption method according to the input mode selection parameter β (step S133). When β = 0, the mode switching unit 12f selects the first mode encryption method. In this case, the encryption unit 12i includes the system parameter crs and the public key pk (1) stored in the storage unit 12d, and the input n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ), message m and random numbers r, s, ζ, ω, ψ, and ciphertext ct (0,1) = [0, W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ ] is generated. An example of a CV ^→ As described above, CV ^→ = a ^{(ω · x →, 0 n} , ζ, 0 n, ψ) ( step S134). If β = 1, the mode switching unit 12f selects the second mode encryption method. In this case, first, the selection unit 12h is a random number t, t ^~ ← ^U G to select uniformly random (step S135). Next, the encryption unit 12j receives the system parameter crs and the public key pk (1) stored in the storage unit 12d and the input n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ), message m and random numbers r, s, ζ, t, t ^~, and ciphertext ct (1,1) = [1, E (1,1) = e ₁ ((h (1) ^{a (1)} ) ^r , t), F (1,1) = e ₁ ((h (1) ^{b (1)} ) ^s , t), G (1,1) = e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^ζ ), Z (1,1) = t, H (1,1) = e ₁ (t ^~ , h (1) ^ζ )] is generated (step S136). The generated ciphertext ct (β, 1) (β∈ {0,1}) is sent to the interface unit 13 and transmitted (output) therefrom. The ciphertext ct (0,1) generated when β = 0 is transmitted to the decryption device 13 or the re-encryption device 16 via the network, or after being transmitted to the decryption device 13, the re-encryption device 16 is transferred. The ciphertext ct (1,1) generated when β = 1 is transmitted to the decryption device 13 via the network (step S137).

[Re-encryption process]
When the ciphertext ct (0,1) is transmitted or transferred to the re-encryption device 16 (FIG. 6), the ciphertext ct (0,1) is received by the interface unit 12b as shown in FIG. The ciphertext ct (0,1) is stored in the storage unit 16d. Further, the re-encryption device 16 acquires the public key pk (1) via the network and interface unit 12b, and stores it in the storage unit 16d (step S141). The selection unit 16f selects random numbers r ′, s ′, ζ ′ ← ^U F _q uniformly and randomly (step S142). The group calculation units 16ga to 16ge receive the input random numbers r ′, s ′, ζ ′, the system parameter crs stored in the storage unit 16, the ciphertext ct (0,1), and the public key pk (1). W '= W (0,1) ・ (h (1) ^{a (1)} ) ^r' , Θ '= Θ (0,1) ・ (h (1) ^{b (1)} ) ^s' , Y' = Y (0,1) ・ h (1) ^{r '+ s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ' = Λ (0,1) ・ h (1 ) ^{ζ ′} is calculated (steps S143 to 147). The bilinear mapping arithmetic units 16ha to 16he receive the input W ′, Θ ′, Y ′, U ′, Λ ′, the system parameter crs stored in the storage unit 16d, and the re-encryption key Obf (rk _{1 → 2} ) And Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ', Z ₂ ), Ψ ₃ = e ₁ (Y ', Z ₃ ), Ω ₁ = e _{n + μ} (U ′, k ^* ) and Ω ₂ = e ₁ (Λ ′, k ₀ ) are respectively calculated (steps S148 to S152). The selection unit 16i selects random numbers y, y ′ ← ^U F _q ^× uniformly and randomly (step S153). The re-encryption units 16ja to 16je use the inputted Ψ ₁ =, Ψ ₂ , Ψ ₃ , Ω ₁ , Ω ₂ and random numbers y, y ′, and E (1,2) = Ψ ₁ ^y , F ( 1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y・ Ω ₁ ^{y '} , Z (1,2) = Z ₃ ^y , H (1,2) = Ω ₂ ^y' (Steps S153 to S159). The interface unit 16a uses the ciphertext ct (1,2) = [1, E (1,2), F (1,2), G (1,2), Z (1,2), H (1,2 )] Is sent (output). The ciphertext ct (1,2) is transmitted to the decryption device 14 via the network (step S160).

[Decryption process]
When the ciphertext ct (β, 1) (β∈ {0,1}) is transmitted to the decryption device 13 (FIG. 3), the ciphertext ct (β, 1) is decrypted as illustrated in FIG. 10A. Are received (input) to the 13 interface units 13b (step S161). The mode switching unit 13m determines whether “β” located at the head of the ciphertext ct (β, 1) = [β,...] Is 0 (step S162). If β = 0, the decryption unit 13n uses the input ciphertext ct (0,1) and the secret key sk (1) stored in the storage unit 13d, and m ′ = Y (0,1) / (W (0,1) ^{1 / a (1)} · Θ (0,1) ^{1 / b (1)} ) is calculated as a decoded value (step S163), and the output unit 13a outputs the decoded value m ′. (Step S165). If β = 1, the decryption unit 13p uses the input ciphertext ct (1,1) and the secret key sk (1) stored in the storage unit 13d, and uses e ₁ (m ′, Z (1 , 1)) = G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1,1) ^{1 / b (1)} } M′∈G that satisfies the condition is calculated as a decoded value (step S164), and the output unit 13a outputs the decoded value m ′ (step S165).

[Decryption process]
When the ciphertext ct (β, 2) (β∈ {0,1}) is transmitted to the decryption device 14 (FIG. 4), the ciphertext ct (β, 2) is decrypted as illustrated in FIG. 10B. 14 interface units 14b (step S171). The mode switching unit 14m determines whether “β” located at the head of the ciphertext ct (β, 2) = [β,...] Is 0 (step S172). If β = 0, the decryption unit 14n receives the input ciphertext ct (0,2) = [0, W (0,2) = (h (2) ^{a (2)} ) ^r , Θ (0, 2) = (h (2) ^{b (2)} ) ^s , Y (0,2) = h (2) ^{r + s}・ m, U (0,2) = (CV ^→ ) _{B (1)} , Λ ( 0,2) = h (2) ^ζ ] and the secret key sk (2) stored in the storage unit 14d, m ′ = Y (0,2) / (W (0,2) ^{1 / a (2)} · Θ (0,2) ^{1 / b (2)} ) is calculated as a decoded value (step S173), and the output unit 14a outputs the decoded value m ′ (step S175). If β = 1, the decryption unit 14p uses the input ciphertext ct (1,2) and the secret key sk (2) stored in the storage unit 14d, and uses e ₁ (m ′, Z (1 , 2)) = G (1,2) / {H (1,2) ^{c (2)}・ E (1,2) ^{1 / a (2)}・ F (1,2) ^{1 / b (2)} } M′∈G that satisfies the condition is calculated as a decoded value (step S174), and the output unit 14a outputs the decoded value m ′ (step S175).

[Modifications, etc.]
The present invention is not limited to the above-described embodiment. For example, in the above-described embodiment, a uniform random value is used as a random number from the viewpoint of safety. However, a random number that is not uniform random may be used depending on the application and usage environment. The random number is a concept including both a true random number and a pseudo random number, and a true random number may be used as the random number, or a pseudo random number may be used. Further random number covered in the above embodiments ^{(e.g., t, t ~, ρ,} σ, r, s, ζ, ω, r ', s', ζ ', y, y', z, η ε (1) ,..., .eta..epsilon. _(n) ) may be a value selected from predetermined candidates or a constant. Cyclic group G as described above, can ensure high safety when order of the G _T is the same as the order q of the finite field F _q, the cyclic group G in some applications, the order of the G _T Co. The order of the field F _q may be different. In the above-described embodiment, an example in which q is a prime number and the finite field F _q is a prime field is shown, but the finite field F _q may be an extension field. In the above embodiment, an example is shown in which each device communicates information via a network. However, at least part of information communication between devices may be replaced with exchange of information via a portable recording medium. Good. The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  When the above configuration is realized by a computer, the processing contents of the functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.

  This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads the program stored in its own recording device and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

DESCRIPTION OF SYMBOLS 1 Security system 11 Parameter production | generation apparatus 12 Encryption apparatus 13,14 Decryption apparatus 15 Obfuscation apparatus 16 Reencryption apparatus

Claims (25)

A security system having an encryption device, a first decryption device, a second decryption device, and a re-encryption device,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈ F _q ^× and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) · τ (1) · B ^), and the secret key of the second decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ , B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2)・ B ^* and the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) and {ι (1) ,. .., ι (n)} ⊂ {1, ..., n + μ}, and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ · v ^→ = ( σ ・ v _{ι (1)} , ..., σ ・ v _{ι (n)} ), and any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } There is 1, xi] is an integer of 1 or more, a bilinear mapping e _xi] to obtain the original said cyclic group G _T with respect to the original direct product group G ^ξ × G ^ξ,
The encryption device is:
a first selector for selecting r, s, ζ, ω∈F _q ;
Public key (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1)) and n-dimensional vector of the first decryption device x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ and the first ciphertext ct (0,1) of message m∈G is generated. And
The first ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ , CV ^→ Is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and any one CV _κ ∈ {CV _{ι (n +1)} , ..., CV _{ι (Γ)} } is ζ, and a vector composed of elements obtained by removing CV _κ from CV _{ι (n + 1)} , ..., CV _{ι (Γ)} and RV _{ι (n + 1)} , ..., RV _{ι (Γ)} and the inner product with a vector consisting of elements obtained by removing RV _κ is 0,
The re-encryption device is
a second selector for selecting r ′, s ′, ζ′∈F _q ;
W '= W (0,1) ・ (h (1) ^{a (1)} ) ^r' , Θ '= Θ (0,1) ・ (h (1) ^{b (1)} ) ^s' , Y' = Y (0,1) ・ h (1) ^{r '+ s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ' = Λ (0,1) ・ h (1) ^{ζ A} group operation unit to obtain ^'
Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ', Z ₂ ), Ψ ₃ = e ₁ (Y ', Z ₃ ), Ω ₁ = e _{n + μ} (U', k ^* ), Ω ₂ = e ₁ (Λ ', k ₀ )
E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y・ Ω ₁ ^{y '} , Z (1 for y, y'∈F _q ^× , 2) = Z ₃ ^y , H (1,2) = Ω ₂ ^{y ′} to generate a re-ciphertext ct (1,2), and a re-encryption unit,
REV ^→ is an n + μ-dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ {REV _{ι (1)} , ..., REV _{ι (n + μ)} } is ζ ′, and REV _{ι (1)} , ..., REV _{ι (n + μ)} excluding REV _κ is 0∈F _q Yes,
The second decoding device
e ₁ (m ', Z (1,2)) = G (1,2) / (H (1,2) ^{c (2)}・ E (1,2) ^{1 / a (2)}・ F (1, 2) ^{1 / b (2)} }
A security system including a second decryption unit that obtains m′∈G that satisfies The security system of claim 1,
A security system, wherein z and ρ are random numbers. The security system according to claim 1 or 2,
The encryption device further includes:
a third selector for selecting t, t ^~ ∈G;
E (1,1) = e ₁ ((h (1) ^{a (1)} ) ^r , t), F (1,1) = e ₁ ((h (1) ^{b (1)} ) ^s , t), G (1,1) = e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^ζ ), Z (1,1) = including t, H (1,1) = e 1 (t ~, h (1) ζ) and a second encryption unit for generating a second encrypted text ct (1, 1) including, a security system. The security system according to claim 3,
When the first ciphertext ct (0,1) is obtained as the input ciphertext, the first decryption device m ′ = Y (0,1) / (W (0,1) ^{1 / a (1 )} · Θ (0,1) ^{1 / b (1)} ) as a decrypted value, and e ₂ (m ′, Z () when the second ciphertext ct (1,1) is obtained as an input ciphertext. 1,1)) = G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1,1) ^{1 / b (1)} }, A security system including a first decryption unit that obtains m′∈G that satisfies} as a decrypted value. The security system according to claim 3 or 4,
Security system where t and t ^~ ∈G are random numbers. The security system according to any one of claims 1 to 5,
A security system, wherein the ρ, σ, r, s, ζ, ω, r ′, s ′, ζ ′, y, y ′ are random numbers. The security system according to any one of claims 1 to 6,
The cyclic group G, the order of the G _T is q, the security system. The security system according to any one of claims 1 to 7,
μ = 2 ・ n + 2, Γ = n + 2, B ^ = (b _{ι (1)} , ..., b _{ι (n + 2)} ), {ι (n + 3) , ..., ι (3 ・ n + 2)} ⊂ {1, ..., 3 ・ n + 2}, RV ^→ is a 3 ・ n + 2 dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (3 ・ n + 2)} ), and one RV _κ ∈ {RV _{ι (n + 1)} , RV _{ι (n + 2)} } is 1, and other than RV _κ One RV _φ ∈ {RV _{ι (n + 1)} , RV _{ι (n + 2)} } is 0, and n RV _{ε (1)} , ..., RV _{ε (n)} ∈ {RV _{ι (n + 3)} , ..., RV _{ι (3 ・ n + 2)} } is a random number η _{ε (1)} , ..., η _{ε (n)} εF _q , and RV _{ε (1)} ,. .., RV ε _(n) other than the n-number of _{RV υ (1), ...,} RV υ (n) ∈ {RV ι (n + 3), ..., RV ι (3 · n + 2 ₎ } Is 0, and CV ^→ is a 3 · n + 2 dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (3 · n + 2)} ), and one CV _κ ∈ {CV _{ι (n + 1)} , CV _{ι (n + 2)} } is the ζ, and one CV _φ ∈ {CV _{ι (n + 1)} , CV _{ι (n + 2 )} other than CV _{κ )} } Is a random number ψ∈F _q , and each of 2 · n CV _{ι (n + 3)} , ..., CV _{ι (3 · n + 2)} is 0. An encryption device having a selection unit and an encryption unit,
G is a cyclic group, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is an integer of 1 or more , Μ is an integer of 2 or more, and each of b _i ∈G ^{n + μ} (i = 1,..., N + μ) has n + μ elements of the cyclic group G as elements. n + μ dimensional basis vectors, and B = (b ₁ , ..., b _{n + μ} ) is obtained from n + μ basis vectors b _i (i = 1, ..., n + μ). (D ^→ ) _B for n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ⁿ is Σ _{i = 1} ^{n + μ} d _i・ b _i Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) ・ τ (1) ・ B ^)
The selection unit selects r, s, ζ, ω∈F _q ,
The encryption unit includes public keys (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1 )) And the n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ and the first ciphertext ct (0,1) of message m∈G And the first ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ included , CV ^→ is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ... , CV _{ι (n)} ) is an n-dimensional vector ω · x ^→ = (ω · x _{ι (1)} , ..., ω · x _{ι (n)} ), and any one CV _κ ∈ {CV _{ι (n + 1)} , ..., CV _{ι (Γ)} } is the ζ. A decoding device having an interface unit and a decoding unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^X and the public key of the decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) ・ τ (1) ・ B ^) and the secret key of the other decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× and the public key of the other decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c ( 2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1 )} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* , The re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1),.} .., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) Yes, {ι (1), ..., ι (n)} ⊂ {1, .. ., n + μ} and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1)} , ..., σ ・v _{ι (n)} ), any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, ξ is an integer greater than or _{equal to 1} , e _ξ is a bilinear map for obtaining the element of the cyclic group G _{T with} respect to the element of the direct product group G ^ξ × G ^ξ ,
The interface unit is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s} · m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) First ciphertext ct (0,1) containing ^ζ Or E (1,1) = e ₁ ((h (1) ^{a (1)} ) ^r , t), F (1,1) = e ₁ ((h (1) ^{b (1)} ) ^s , t), G (1,1) = e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^ζ ), Z (1 , 1) = t, H (1,1) = e ₁ (t ^~ , h (1) ^ζ ), the second ciphertext ct (1,1) is received, and CV ^→ n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ..., CV _{ι ( n)} ) is an n-dimensional vector ω · x ^→ = (ω · x _{ι (1)} , ..., ω · x _{ι (n)} ), and any one of CV _κ ∈ {CV _{ι (n + 1)} , ..., CV _{ι (Γ)} } is the ζ, and a vector composed of elements obtained by removing CV _κ from CV _{ι (n + 1)} , ..., CV _{ι (Γ)} and RV _{ι ( n + 1)} , ..., RV _{ι (Γ)} and the inner product with the vector consisting of the elements excluding RV _κ is 0,
When the decryption unit inputs the first ciphertext ct (0,1) as an input ciphertext to the interface unit, m ′ = Y (0,1) / (W (0,1) ^{1 / a (1)} · Θ (0,1) ^{1 / b (1)} ) is obtained as a decrypted value, and e ₁ when the second ciphertext ct (1,1) is input to the interface unit as an input ciphertext. (m ', Z (1,1)) = G (1,1) / {H (1,1) ^{c (1)}・ E (1,1) ^{1 / a (1)}・ F (1,1) ^A decoding device that obtains m′∈G satisfying ^{1 / b (1)} } as a decoded value. A decoding device having an interface unit and a decoding unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× , and the public key of the decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^) and the secret key of the other decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public keys of the other decryption devices are (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) ・ τ (1) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1 )} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* , The re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , where RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1),.} .., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) Yes, {ι (1), ..., ι (n)} ⊂ {1, ... , n + μ} and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1)} , ..., σ ・ v _{ι (n)} ), any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, ξ is an integer greater than or _{equal to 1} , e _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the direct product group G ^ξ × G ^ξ , and W ′ = W (0,1) · (h (1) ^{a (1)} ) ^{r '} , Θ' = Θ (0,1) ・ (h (1) ^{b (1)} ) ^s' , Y '= Y (0,1) ・ h (1) ^{r' + s'} , U '= U ( 0,1) + (REV ^→ ) _{B (1)} , Λ '= Λ (0,1) ・ h (1) ^ζ' , Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ ', Z ₂ ), Ψ ₃ = e ₁ (Y', Z ₃ ), Ω ₁ = e _{n + μ} (U ', k ^* ), Ω ₂ = e ₁ (Λ', k ₀ ) REV ^→ is an n + μ-dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ { REV _{ι (1)} , ..., REV _{ι (n + μ)} } is ζ ', and REV _{ι (1)} , ..., REV _{ι (n + μ)} excluding REV _κ is 0∈F _q ,
Wherein the interface unit _{is, E (1,2) = Ψ 1} y, F (1,2) = Ψ 2 y, G (1,2) = Ψ 3 y · Ω 1 y ', Z (1,2) = Accept re-ciphertext ct (1,2) input including Z ₃ ^y , H (1,2) = Ω ₂ ^{y '}
The decoding unit is e ₁ (m ′, Z (1,2)) = G (1,2) / {H (1,2) ^{c (2)} · E (1,2) ^{1 / a (2)}・ F (1,2) ^{1 / b (2)} }
A decoding apparatus that obtains m′∈G satisfying the condition as a decoded value. A re-encryption device having a selection unit, a group operation unit, a bilinear mapping operation unit, and a re-encryption unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) · τ (1) · B ^) and the secret key of the second decryption device is a (2), b (2), c (2), τ (2 ) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2 ) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^{* And} the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , where RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1 )} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ}, and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1),.} .., σ ・ v _{ι (n)} ), and any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, and ξ is 1 or more E _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the Cartesian product group G ^ξ × G ^ξ ,
The selection unit selects r ′, s ′, ζ′∈F _q ,
The group operation unit includes a first ciphertext ct (0,1) including W (0,1), Θ (0,1), Y (0,1), U (0,1), Λ (0,1). 1), W '= W (0,1) ・ (h (1) ^{a (1)} ) ^r' , Θ '= Θ (0,1) ・ (h (1) ^{b (1)} ) ^{s '} , Y' = Y (0,1) ・ h (1) ^{r '+ s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ' = Λ (0,1)・ H (1) ^{ζ '} is obtained, REV ^→ is an n + μ dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} Or REV _κ ∈ {REV _{ι (1)} , ..., REV _{ι (n + μ)} } is the ζ ′, and REV _{ι (1)} , ..., REV _{ι (} excluding REV _{κ n + μ)} is 0∈F _q ,
The bilinear map calculation unit includes Ψ ₁ = e ₁ (W ′, Z ₁ ), Ψ ₂ = e ₁ (Θ ′, Z ₂ ), Ψ ₃ = e ₁ (Y ′, Z ₃ ), Ω ₁ = e _{n + μ} (U ', k ^* ), Ω ₂ = e ₁ (Λ', k ₀ )
The re-encryption unit is configured such that E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y · Ω for y, y′∈F _q ^× ₁ ^{y ′} , Z (1,2) = Z ₃ ^y , H (1,2) = Ω ₂ Re-encryption device that generates re-ciphertext ct (1,2) including ^{y ′} . An obfuscation device having a selection unit and a re-encryption key generation unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) · τ (1) · B ^) and the secret key of the second decryption device is a (2), b (2), c (2), τ (2 ) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2 ) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^)
The selection unit generates z, ρ, σ∈F _q ^× ,
The re-encryption key generation unit performs Z ₁ = (h (2) ^{a (} ) for an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ . ²⁾ ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^{* _{= (RV →) B (1,2}} ) * generate re-encryption key ^{containing, B (1,2) * = (} ρ / c (1)) · c (2) · τ (2) · B ^{* And} RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} and ι (i) ∈ {1 , ..., n + μ} (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ}, and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1)} , ..., σ ・ v _{ι (n )} ), And any one RV _κ ∈ {RV _{ι (n + 1)} ,..., RV _{ι (Γ)} } is 1. The obfuscation device of claim 13,
An obfuscation device, wherein z and ρ are random numbers. Selecting r, s, ζ, ω∈F _q in the encryption device;
In the encryption device, the public key (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) of the first decryption device ) And n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ to generate the first ciphertext ct (0,1) of message m∈G And steps to
Selecting r ′, s ′, ζ′∈F _q in the re-encryption device;
In the re-encryption device, W ′ = W (0,1) · (h (1) ^{a (1)} ) ^{r ′} , Θ ′ = Θ (0,1) · (h (1) ^{b (1)} ) ^{s '} , Y' = Y (0,1) ・ h (1) ^{r '+ s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ' = Λ (0,1 ) ・ H (1) ^{ζ '}
In the re-encryption device, Ψ ₁ = e ₁ (W ′, Z ₁ ), Ψ ₂ = e ₁ (Θ ′, Z ₂ ), Ψ ₃ = e ₁ (Y ′, Z ₃ ), Ω ₁ = e obtaining _{n + μ} (U ', k ^* ), Ω ₂ = e ₁ (Λ', k ₀ ),
In the re-encryption device, E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y · Ω for y, y′∈F _q ^× Generating a re-ciphertext ct (1,2) including ₁ ^{y ′} , Z (1,2) = Z ₃ ^y , H (1,2) = Ω ₂ ^{y ′} ;
In the second decoding device, e ₁ (m ′, Z (1,2)) = G (1,2) / {H (1,2) ^{c (2)} · E (1,2) ^{1 / a (2 )} · F (1,2) ^{1 / b (2)} } satisfying m′∈G as a decoded value,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈ F _q ^× and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) · τ (1) · B ^), and the secret key of the second decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ , B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2)・ B ^* and the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) and {ι (1) ,. .., ι (n)} ⊂ {1, ..., n + μ}, and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ · v ^→ = ( σ ・ v _{ι (1)} , ..., σ ・ v _{ι (n)} ), and any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } Is 1 and ξ is an integer equal to or greater than 1, e _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the direct product group G ^ξ × G ^ξ , and the first ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ , CV ^→ is n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and (CV _{ι (1)} , ..., CV _{ι (n)} ) is n Dimension vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and any one of CV _κ ∈ {CV _{ι (n + 1)} , ... ., CV _{ι (Γ)} } is the ζ, and CV _{ι (n + 1)} , ..., CV _{ι (Γ) is} a vector composed of elements excluding CV _κ and RV _{ι (n + 1)} , ..., RV _iota inner product of the _(gamma) and vector of element except RV _kappa is 0, REV ^→ the n + mu dimensional vector REV _{= (REV ι (1),} ..., REV ι (n + μ)) ∈F q n + a ^mu, any one _{REV κ ∈ {REV ι (1} ), ..., REV ι _{(n + μ)} } is the ζ ′, and REV _{ι (1)} ,..., REV _{ι (n + μ)} excluding REV _κ is 0∈F _q . An encryption method executed by an encryption device having a selection unit and an encryption unit,
G is a cyclic group, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is an integer of 1 or more , Μ is an integer of 2 or more, and each of b _i ∈G ^{n + μ} (i = 1,..., N + μ) has n + μ elements of the cyclic group G as elements. n + μ dimensional basis vectors, and B = (b ₁ , ..., b _{n + μ} ) is obtained from n + μ basis vectors b _i (i = 1, ..., n + μ). (D ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b for n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} _i , Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈ F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) ・ τ (1) ・ B ^)
Selecting r, s, ζ, ω∈F _q in the selection unit;
In the encryption unit, the public key (h (1), h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1 )) And the n-dimensional vector x ^→ = (x _{ι (1)} , ..., x _{ι (n)} ) ∈F _q ⁿ and the first ciphertext ct (0,1) of message m∈G Generating, and
The first ciphertext ct (0,1) is W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s}・ m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) ^ζ , CV ^→ Is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω ・ x ^→ = (ω ・ x _{ι (1)} , ..., ω ・ x _{ι (n)} ), and any one CV _κ ∈ {CV _{ι (n +1)} , ..., CV _{ι (Γ)} } is the encryption method. A decoding method executed by a decoding device having an interface unit and a decoding unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^X and the public key of the decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) ・ τ (1) ・ B ^) and the secret key of the other decryption device is a (2), b (2), c (2), τ (2) ∈F _q ^× and the public key of the other decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c ( 2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1 )} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* , The re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , where RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1),.} .., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) Yes, {ι (1), ..., ι (n)} ⊂ {1, ... , n + μ} and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1)} , ..., σ ・ v _{ι (n)} ), any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, ξ is an integer greater than or _{equal to 1} , e _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the direct product group G ^ξ × G ^ξ ,
In the interface unit, W (0,1) = (h (1) ^{a (1)} ) ^r , Θ (0,1) = (h (1) ^{b (1)} ) ^s , Y (0,1) = h (1) ^{r + s} · m, U (0,1) = (CV ^→ ) _{B (1)} , Λ (0,1) = h (1) First ciphertext ct (0,1) containing ^ζ Or E (1,1) = e ₁ ((h (1) ^{a (1)} ) ^r , t), F (1,1) = e ₁ ((h (1) ^{b (1)} ) ^s , t), G (1,1) = e ₁ ((h (1) ^{r + s}・ m, t)) ・ e ₁ (t ^~ , (h (1) ^{c (1)} ) ^ζ ), Z (1 , 1) = t, H (1,1) = e ₁ (t ^~ , h (1) ^ζ ), and receiving an input ciphertext that is the second ciphertext ct (1,1);
When the first ciphertext ct (0,1) is input to the interface unit as an input ciphertext, m ′ = Y (0,1) / (W (0,1) ^{1 / a (1)} · Θ (0,1) ^{1 / b (1)} ) as a decrypted value, and when the second ciphertext ct (1,1) is input to the interface unit as an input ciphertext, In the decoding unit, e ₁ (m ′, Z (1,1)) = G (1,1) / {H (1,1) ^{c (1)} · E (1,1) ^{1 / a (1)} Obtaining m′∈G satisfying F (1,1) ^{1 / b (1)} } as a decoded value,
CV ^→ is an n + μ dimensional vector CV ^→ = (CV _{ι (1)} , ..., CV _{ι (n + μ)} ) ∈F _q ^{n + μ} and (CV _{ι (1)} , ..., CV _{ι (n)} ) is an n-dimensional vector ω · x ^→ = (ω · x _{ι (1)} , ..., ω · x _{ι (n)} ), and any one of CV _κ ∈ {CV _{ι (n + 1)} , ..., CV _{ι (Γ)} } is ζ, and a vector composed of elements obtained by removing CV _κ from CV _{ι (n + 1)} , ..., CV _{ι (Γ)} A decoding method in which an inner product with a vector composed of elements obtained by removing RV _κ from RV _{ι (n + 1) ,.} A decoding method executed by a decoding device having an interface unit and a decoding unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, n is an integer of 1 or more, μ is an integer of 2 or more, and b _i ∈G ^{n + μ} (i = 1, ..., n + μ) are n + μ-dimensional basis vectors whose elements are n + μ elements of the cyclic group G, and B = (b ₁ , ..., b _{n + μ} ) is a basis composed of n + μ basis vectors b _i (i = 1, ..., n + μ), and b _i ^* ∈G ^{n + μ} (i = 1, ..., n + μ) are n + μ-dimensional basis vectors whose elements are n + μ elements of the cyclic group G, and B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) Is a basis composed of n + μ basis vectors b _i ^* (i = 1,..., N + μ), the base B and the base B ^* are dual orthogonal bases, and n + μ Dimension vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} , (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , n + μ dimension (F ^→ ) _{B *} for the vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} is Σ _{i = 1} ^{n + μ} f _i・ b _i ^* and Γ is n + 1 ≦ Γ <n + μ and {ι (1), ..., ι ( )} ⊂ {1, ..., a n + μ}, B ^ = (b ι (1), ..., a _b ι _(Γ)), the secret key of the decryption apparatus has a (2 ), b (2), c (2), τ (2) ∈F _q ^× , and the public key of the decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), and the secret key of the other decryption device is a ( 1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the other decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c (1)} , B (1) = c (1) ・ τ (1) ・ B ^), z, ρ, σ∈F _q ^× and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* and the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , ι (i) ∈ {1, ... , n + μ} (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ} _{, (RV ι (1),} ..., RV ι (n)) is an n-dimensional vector ^{· V → = (σ · v} ι (1), ..., σ · v ι (n)) is, any one of the _{RV κ ∈ {RV ι (n} + 1), ..., RV _{ι (Γ)} } is 1, ξ is an integer equal to or greater than 1, e _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the direct product group G ^ξ × G ^ξ , and W '= W (0,1) ・ (h (1) ^{a (1)} ) ^r' , Θ '= Θ (0,1) ・ (h (1) ^{b (1)} ) ^s' , Y' = Y ( 0,1) ・ h (1) ^{r '+ s'} , U' = U (0,1) + (REV ^→ ) _{B (1)} , Λ '= Λ (0,1) ・ h (1) ^ζ' REV ^→ is an n + μ-dimensional vector REV ^→ = (REV _{ι (1)} , ..., REV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and any one REV _κ ∈ {REV _{ι (1)} , ..., REV _{ι (n + μ)} } is the ζ ′, and REV _{ι (1)} , ..., REV _{ι (n + μ)} excluding REV _κ is 0∈ F _q , Ψ ₁ = e ₁ (W ', Z ₁ ), Ψ ₂ = e ₁ (Θ', Z ₂ ), Ψ ₃ = e ₁ (Y ', Z ₃ ), Ω ₁ = e _{n + μ} (U ', k ^* ), Ω ₂ = e ₁ (Λ', k ₀ )
In the interface section, E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y · Ω ₁ ^{y ′} , Z (1,2) = Receiving a re-ciphertext ct (1,2) containing Z ₃ ^y , H (1,2) = Ω ₂ ^{y ′} ;
In the decoding unit, e ₁ (m ′, Z (1,2)) = G (1,2) / {H (1,2) ^{c (2)} · E (1,2) ^{1 / a (2)}・ F (1,2) ^{1 / b (2)} }
Obtaining m′∈G satisfying the above as a decoded value. A re-encryption method executed by a re-encryption device having a selection unit, a group operation unit, a bilinear mapping operation unit, and a re-encryption unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) · τ (1) · B ^) and the secret key of the second decryption device is a (2), b (2), c (2), τ (2 ) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2 ) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^), z, ρ, σ∈F _q ^× , and v ^→ is an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ and B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^{* And} the re-encryption key is Z ₁ = (h (2) ^{a (2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* = (RV ^→ ) _{B (1,2) *} , where RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1 )} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} , and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) and {ι (1), ..., ι (n)} ⊂ {1, ..., n + μ}, and (RV _{ι (1)} , ..., RV _{ι (n)} ) is an n-dimensional vector σ ・ v ^→ = (σ ・ v _{ι (1),.} .., σ ・ v _{ι (n)} ), and any one RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, and ξ is 1 or more E _ξ is a bilinear map for obtaining an element of the cyclic group G _{T with} respect to an element of the Cartesian product group G ^ξ × G ^ξ ,
Selecting r ′, s ′, ζ′∈F _q in the selection unit;
In the group operation unit, the first ciphertext ct (0,1) including W (0,1), Θ (0,1), Y (0,1), U (0,1), Λ (0,1) 1), W '= W (0,1) ・ (h (1) ^{a (1)} ) ^r' , Θ '= Θ (0,1) ・ (h (1) ^{b (1)} ) ^{s '} , Y' = Y (0,1) ・ h (1) ^{r '+ s'} , U '= U (0,1) + (REV ^→ ) _{B (1)} , Λ' = Λ (0,1) Obtaining h (1) ^{ζ '} ;
In the bilinear mapping operation unit, Ψ ₁ = e ₁ (W ′, Z ₁ ), Ψ ₂ = e ₁ (Θ ′, Z ₂ ), Ψ ₃ = e ₁ (Y ′, Z ₃ ), Ω ₁ = obtaining e _{n + μ} (U ', k ^* ), Ω ₂ = e ₁ (Λ', k ₀ ),
In the re-encryption unit, E (1,2) = Ψ ₁ ^y , F (1,2) = Ψ ₂ ^y , G (1,2) = Ψ ₃ ^y · Ω for y, y′∈F _q ^× Generating a re-ciphertext ct (1,2) including ₁ ^{y ′} , Z (1,2) = Z ₃ ^y , H (1,2) = Ω ₂ ^{y ′} ;
A re-encryption method. A key obfuscation method executed by an obfuscation apparatus having a selection unit and a re-encryption key generation unit,
G and G _T are cyclic groups, g is a generator of the cyclic group G, F _q is a finite field of order _q , F _q ^× = F _q \ {0}, and n is 1 ^N is an integer greater than or ^{equal to 2} , and each of b _i ∈G ^{n + μ} (i = 1, ..., n + μ) represents ^{n + μ} elements of the cyclic group G. N + μ dimensional basis vectors as elements, and B = (b ₁ , ..., b _{n + μ} ) is n + μ basis vectors b _i (i = 1, ..., n + μ), and each of b _i ^* ∈ G ^{n + μ} (i = 1, ..., n + μ) is an element of n + μ elements of the cyclic group G Dimensional basis vectors, B ^* = (b ₁ ^* , ..., b _{n + μ} ^* ) is n + μ basis vectors b _i ^* (i = 1, ..., n + μ) The basis B and the basis B ^* are dual orthogonal basis, and the n + μ dimensional vector d ^→ = (d ₁ , ..., d _{n + μ} ) ∈F _q ^{n + μ} (d ^→ ) _B is Σ _{i = 1} ^{n + μ} d _i・ b _i , and n + μ dimension vector f ^→ = (f ₁ , ..., f _{n + μ} ) ∈F _q ^{n + μ} f ^→) _{B *} is ^{_{Σ i = 1 n + μ f}} i · b i * Γ is an integer n + 1 ≦ Γ <n + μ, {ι (1), ..., ι (Γ)} ⊂ {1, ..., n + μ}, and B ^ = (b _{ι (1)} , ..., b _{ι (Γ)} ) and the secret key of the first decryption device is a (1), b (1), c (1), τ (1) ∈F _q ^× , and the public key of the first decryption device is (h (1) = g ^{τ (1)} , h (1) ^{a (1)} , h (1) ^{b (1)} , h (1) ^{c ( 1)} , B (1) = c (1) · τ (1) · B ^) and the secret key of the second decryption device is a (2), b (2), c (2), τ (2 ) ∈F _q ^× and the public key of the second decryption device is (h (2) = g ^{τ (2)} , h (2) ^{a (2)} , h (2) ^{b (2)} , h (2 ) ^{c (2)} , B (2) = c (2) ・ τ (2) ・ B ^)
Generating z, ρ, σ∈F _q ^× in the selection unit;
In the re-encryption key generation unit, for an n-dimensional vector v ^→ = (v _{ι (1)} , ..., v _{ι (n)} ) ∈F _q ⁿ , Z ₁ = (h (2) ^{a ( 2)} ) ^{z / a (1)} , Z ₂ = (h (2) ^{b (2)} ) ^{z / b (1)} , Z ₃ = h (2) ^z , k ₀ = h (2) ^ρ , k ^* Generating a re-encryption key including = (RV ^→ ) _{B (1,2) *} ,
B (1,2) ^* = (ρ / c (1)) ・ c (2) ・ τ (2) ・ B ^* , where RV ^→ is an n + μ dimensional vector RV ^→ = (RV _{ι (1)} , ..., RV _{ι (n + μ)} ) ∈F _q ^{n + μ} and ι (i) ∈ {1, ..., n + μ} (i = 1, ..., n + μ) {Ι (1), ..., ι (n)} ⊂ {1, ..., n + μ} and (RV _{ι (1)} , ..., RV _{ι (n)} ) Is an n-dimensional vector σ · v ^→ = (σ · v _{ι (1)} , ..., σ · v _{ι (n)} ), and any one of RV _κ ∈ {RV _{ι (n + 1)} , ..., RV _{ι (Γ)} } is 1, obfuscation method. The obfuscation method of claim 20,
An obfuscation method wherein z and ρ are random numbers.   A program for causing a computer to function as the encryption apparatus according to claim 9.   The program for functioning a computer as a decoding apparatus of Claim 10 or 11.   A program for causing a computer to function as the re-encryption device according to claim 12.   A program for causing a computer to function as the obfuscation device according to claim 13 or 14.

Images