JP2013130825A - Partial match search processing system and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To suppress the increase of a data amount due to encryption in a general search processing system by ensuring the security of data entrusted to a server and a search word for use for search in order to prevent unauthorized operations of a server manager.SOLUTION: A registration agent encrypts an index for search including data for exclusion of random number information and registers the encrypted index for search with a management server, and a search agent encrypts a token for search including data for exclusion of random number information and transmits the encrypted token for search to the management server. The management server uses data for exclusion of random number information, which is included in the encrypted index for search and the encrypted token for search, to determine whether the token for search corresponds to the index for search or not and, if it corresponds to the index for search, transmits encrypted data to the search agent as a search result, and the search agent decrypts the encrypted data.

Description

  The present invention relates to a search processing system in a server / client model in which a server searches at high speed a partial match search for entrusted encrypted data without decrypting the encrypted data in accordance with a client request.

  In recent years, with the aim of improving the efficiency of information system development / operations and management costs, cloud computing that uses information systems provided by other organizations in part or in full, rather than maintaining them alone An operation management form called cloud computing (hereinafter abbreviated as “cloud computing”) is in the spotlight. On the other hand, in the cloud, the organization that manages the information system is different from the organization that uses the information system, so it is difficult for the organization itself to establish information leakage prevention measures, cause investigations after accidents, and recurrence prevention measures. . Therefore, it is necessary to ensure the confidentiality of data in advance by using encryption technology as a preventive measure against illegal data leakage.

  In the server / client model, a method using encryption technology is known in which a client can freely withdraw data from a server while depositing the data in the server. For example, Non-Patent Document 1 and Non-Patent Document 2 describe a search processing method for searching without decrypting encrypted data using an encrypted search index according to a client request.

Yoshino Masayuki, Naganuma Ken, Sato Naoyoshi. Study of searchable encryption for DB (2), Inproceedings of The 2011 Symposium on Cryptography and Information Security (2011). Emily Shen, Elaine Shi, Brent Waters. Predicate privacy in encryption systems. In TCC, volume 5444 of Lecture Notes in Computer Science, pages 457-473 (2009). Dan Boneh, Eu-Jin Goh, Kobbi Nissim, Evaluating 2-DNF Formulas on Ciphertexts, In TCC, Volume 3378 of Lecture Notes in Computer Science, pages 325-341 (2005).

  Both the technologies of Non-Patent Document 1 and Non-Patent Document 2 probabilistically encrypt both a data search index deposited in advance with a server and a search token transmitted by a client at the time of search, thereby improving safety. However, in the technique of Non-Patent Document 1, the safety is high, but only the complete match search process of data is the target of the search function, and partial match search is not possible. For example, when searching for data “abc”, even if the partial character string “ab” is used as a search token, “abc” cannot be searched. On the other hand, in the technique of Non-Patent Document 2, the data size of the ciphertext depends on a public parameter N configured by a product of four prime numbers (N = pqrs). Here, p, q, r, and s, which are prime factors of N, must be sufficiently large numbers. Since the data size of a message that can be encrypted depends on the data size of q, which is a prime factor of N, it is known in the technique of Non-Patent Document 2 that the efficiency of a message that can be actually encrypted is low. .

(Encryptable message efficiency) = q / N = 1 / (prs)
Therefore, there is a need for an encryption technique that enables partial match search while realizing high security, and further enables high efficiency of messages that can be encrypted.

  An object of the present invention is to provide a system and a method that enable a partial match search while encrypting a search index.

  To achieve the above object, the present invention provides a management server that stores data, a registration processing program, and a search processing program in a storage unit, a registration agent that registers encrypted data and a registration request program in the management server, and a search request Provided is a search processing system in which a search agent that stores a program in a storage unit cooperates via a network.

The registration agent generates three prime numbers (p, q, r), constructs a public parameter N (= pqr) from these products, and converts these into a rank (the element a which is an element constituting the group a The index and data for search are encrypted by the element on the bilinear group with the smallest integer n) satisfying ⁿ ≡ e (unit element), and the encrypted search index excludes two random numbers information inside. And request to register the encrypted search index in the management server.

  The search agent encrypts a token for search (a token, a character string made up of words and symbols that make up the plain code) based on the bilinear group, and there are two encrypted search tokens inside. Holds data for eliminating random number information, and requests the management server to perform a search process using the encrypted search token.

  The management server stores the encrypted search index and data in the storage unit, and holds the encrypted search index and search token when requested to search. Using the data for eliminating random number information, it is determined whether the search token corresponds to the search index. If so, the encrypted data stored in the storage unit of the management server is used as the search agent. The search result is transmitted, and the search agent decodes it and outputs it.

  The registration agent can encrypt the search index at high speed. Further, the search agent can entrust the partial match search to the management server with the index encrypted.

In a first embodiment, it is a figure which illustrates the outline of a search processing consignment system. In the first embodiment, it is a diagram illustrating an outline of functions of a registration agent. FIG. 3 is a diagram illustrating an outline of a function of a search agent in the first embodiment. In 1st embodiment, it is a figure which illustrates the outline of the function of a management server. It is a figure which illustrates schematic structure of a computer. 6 is a diagram illustrating a processing flow of registration processing of encrypted data 134 and an encrypted index 135 performed by a registration agent and a management server via a network 400 in the first embodiment. FIG. 7 is a diagram illustrating an index table 700 configured with an address value 702 indicating an encrypted index 701 and encrypted data 712 stored in the storage unit 320 of the management server in the first embodiment. FIG. 6 is a diagram illustrating a data table 710 illustrating encrypted data 712 and addresses 711 of the encrypted data 712 stored in the storage unit 320 of the management server in the first embodiment. FIG. 6 is a diagram illustrating a processing flow in which a registration agent creates a secret key 151 and a public parameter in the first embodiment. FIG. 6 is a diagram illustrating a processing flow in which a registration agent creates an encrypted index 135 in the first embodiment. FIG. 6 is a diagram illustrating a processing flow of a search process using an encryption token 236, which is executed by a search agent and a management server via a network 400 in the first embodiment. FIG. 6 is a diagram illustrating a processing flow in which a search agent creates an encryption token 236 in the first embodiment. FIG. It is a figure which illustrates the processing flow of the search process which a management server implements in 1st embodiment. It is a figure which shows the process outline | summary of a partial matching search process. It is a figure which shows the outline | summary of a search result data generation process.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that, in the embodiment, the same members are, in principle, given the same reference numerals, and repeated description is omitted.

(Embodiment 1)
(System configuration)
FIG. 1 is a schematic diagram of a search processing system according to the first embodiment of the present invention. As illustrated, the search processing system includes a registration agent 100, a search agent 200, and a management server 300. The registration agent 100 and the management server 300, and the search agent 200 and the management server 300 are connected to each other via a network 400. It is designed to send and receive information.

  The registration agent 100 according to the present embodiment functions as a transmission / reception device that transmits data and a search index (hereinafter referred to as an index) to the management server 300 and receives a reception result from the management server. It functions as a transmission / reception device that transmits a processing entrustment token to the management server 300 and receives the search result from the management server 300. The management server 300 stores data and searches for data using the received token. It functions as a transmission / reception device.

  FIG. 2 is a functional schematic diagram of the registration agent 100. As illustrated, the registration agent 100 includes a control unit 110, a storage unit 120, an input unit 101, an output unit 102, and a communication unit 103.

  The storage unit 120 includes a data storage unit 130, a key storage unit 150, a program storage unit 160, and a temporary information storage unit 180.

  The data storage unit 130 stores information related to a transmission sentence that is data to be transmitted to the management server 300. In the present embodiment, information related to the plaintext data 131 registered in the management server 300 (after encryption) information related to the received plaintext data 131 and information related to the plaintext index 132 used for the search process via the input unit 101. And information on the parameter 137 is stored. In addition, information related to the encrypted index 135 output from the index encryption unit 113 and information related to the encrypted data 134 output from the data encryption unit 117 are also stored.

  The key storage unit 150 stores information related to the secret key 151 that should be secretly managed by the registration agent 100 from the viewpoint of security.

  The program storage unit 160 stores a program related to the registration process of the encrypted data 134 and the encrypted index 135 including the entire encryption processes such as key generation, encryption, and decryption. The registration process of the encrypted data 134 and the encrypted index 135 will be described in detail later with reference to FIG.

  The temporary information storage unit 180 stores information necessary for processing by the control unit 110 and the like.

  The control unit 110 includes an overall processing unit 111, a key setting unit 112, an index encryption unit 113, an encoding unit 115, a random number generation unit 116, and a data encryption unit 117.

  The overall processing unit 111 loads a program related to the registration processing of the encrypted data 134 and the encrypted index 135 from the program storage unit 160, performs control between the modules in the registration agent 100, and performs simpler arithmetic processing. . For example, the overall processing unit 111 performs processing for storing the information received through the input unit 101 in the data storage unit 130 as the plaintext data 131 and the plaintext index 132.

  In the present embodiment, the overall processing unit 111 performs processing for displaying the plaintext data 131 on the output unit 102.

  In the present embodiment, the overall processing unit 111 reads the plaintext data 131 stored in the data storage unit 130, inputs the plaintext data 131 to the data encryption unit 117, and outputs the output data to the data storage unit 130. The process of storing as 134 is performed.

  In the present embodiment, the overall processing unit 111 reads the plaintext index 132 stored in the data storage unit 130, inputs the plaintext index 132 to the index encryption unit 113, and outputs the output data to the data storage unit 130. As 135, the storing process is performed.

  In this embodiment, the overall processing unit 111 transmits the encrypted index 135 and the encrypted data 134 to the management server 300 via the communication unit 103, and performs a process of receiving the reception result from the management server 300. .

  Furthermore, in the present embodiment, the overall processing unit 111 stores the encrypted data 134 received from the management server 300 via the communication unit 103 in the temporary information storage unit 180 and the process for displaying it on the output unit 102. I do.

  The key setting unit 112 performs processing for generating a secret key 151 and a public parameter. For example, in the present embodiment, the overall processing unit 111 performs a process of inputting a security parameter and the key setting unit 112 outputting a secret key 151. The overall processing unit 111 may load a security parameter stored as a part of the parameter 137 or may input the security parameter to the key setting unit 112 via the input unit 101.

  The method for realizing the private key 151 for the data encryption unit 117 can be realized by implementing a standard key generation algorithm (AES (Advanced Encryption Standard) encryption, DES (Data Encryption Standard) encryption, etc.). Detailed explanation is omitted.

  A method for realizing the secret key 151 and the public parameters used by the index encryption unit 113 (and the token encryption unit 213 of the search agent 200) will be described in detail later with reference to FIG.

  The index encryption unit 113 performs a process of encrypting the plaintext index 132 in cooperation with the encoding unit 115. The plaintext index 132 is data (not only a character string but also a binary data string) indicating characteristics of the plaintext data 131 when the plaintext data 131 is searched. For example, in the case of a character string, from the plaintext data “Tom is cryptographic researcher”, the characteristic character string “Tom” or “researcher” may be used as a plaintext index. Of course, the plaintext index 132 may not be a complete word in the data. In the above case, for example, “res (part of the researcher)” may be used as the plaintext index 132. Further, data not included in the plaintext data 131 may be used as the plaintext index 132. In the above case, for example, the character string “cryptography” may be used as the plaintext index 132.

  In the present embodiment, the overall processing unit 111 inputs the plaintext index 132 and the secret key 151 to the index encryption unit 113, and the index encryption unit 113 performs a process of outputting the encrypted index 135. A method for realizing the encrypted index 135 will be described in detail later with reference to FIG.

The encoding unit 115 performs processing for converting the input plaintext index 132 into fixed-length data. In the present embodiment, the overall processing unit 111 inputs the plaintext index 132 to the encoding unit 115, and the encoding unit 115 converts the input plaintext data 131 into an nlog ₂ <q> -bit index vector and outputs it. Do. However, <> means rounding up the first decimal place. The index vector is divided into n for each log ₂ <q> -bit element data (x1, x2,..., Xn). Each element data is a value corresponding to each character included in the character string constituting the plaintext index 132, and is represented by an integer of 0 or more and less than q. The encoding unit 115 can be realized by, for example, implementation of a standard cryptographic hash function algorithm (SHA-1, SHA-2, etc.) that converts input data of an arbitrary length into fixed length data. Therefore, the detailed description is omitted.

  The random number generator 116 performs a process of outputting a pseudo random number. For example, the random number generation unit 116 outputs a random number from physical phenomena such as temperature, time, and electric energy. In the present embodiment, the random number generation unit 116 receives an output command from the overall processing unit 111 and outputs a random number. The realization method of the random number generation unit 116 can be realized by a standard random number generator, and a detailed description thereof will be omitted.

  In realizing the random number generator 116, a pseudo-random number generator may be used instead of the random number generator. For example, the overall processing unit 111 inputs the secret key 151 to the pseudo-random number generator, and the pseudo-random number generator outputs a pseudo-random number (a number that looks like a random number sequence, but is included in the number sequence obtained by deterministic calculation). You may make it do.

  The data encryption unit 117 performs processing for encrypting the input plaintext data 131. For example, in the present embodiment, the overall processing unit 111 inputs the plaintext data 131 and the secret key 151 to the data encryption unit 117, and the data encryption unit 117 performs a process of outputting the encrypted data 134. Note that the method for realizing the data encryption unit 117 can be realized by mounting a general encryption algorithm (AES encryption, DES encryption, etc.), and thus detailed description thereof is omitted.

  FIG. 3 is a functional schematic diagram of the search agent 200. As illustrated, the search agent 200 includes a control unit 210, a storage unit 220, an input unit 201, an output unit 202, and a communication unit 203.

  The storage unit 220 includes a data storage unit 230, a key storage unit 250, a program storage unit 260, and a temporary information storage unit 280.

  The data storage unit 230 stores information related to a transmission sentence that is data to be transmitted to the management server 300. In the present embodiment, information regarding the plaintext token 233 received via the input unit 201 and information regarding the parameter 237 are stored. Also, information related to the encrypted token 236 output from the token encryption unit 213, encrypted data 712 transmitted from the management server 300 via the network 400, and information related to the plaintext data 231 output from the data decryption unit 218 are also stored. The

  The key storage unit 250 stores information related to the secret key 251 that should be secretly managed by the search agent 200 from the viewpoint of security.

  The program storage unit 260 stores a program related to a search process using the encryption token 236 including all encryption processes such as key generation, encryption, and decryption. The search process using the encryption token 236 will be described in detail later with reference to FIG.

  The temporary information storage unit 280 stores information necessary for processing by the control unit 210 and the like.

  The control unit 210 includes an overall processing unit 211, a token encryption unit 213, an encoding unit 215, a random number generation unit 216, and a data decryption unit 218.

  The overall processing unit 211 loads a program related to the search processing using the encryption token 236 from the program storage unit 260, performs control between modules in the search agent 200, and further performs simple arithmetic processing. For example, the overall processing unit 211 performs processing for storing the information received through the input unit 201 as the plaintext token 233 in the data storage unit 230.

  In the present embodiment, the overall processing unit 211 performs processing for displaying the plaintext token 233 on the output unit 202.

  In the present embodiment, the overall processing unit 211 reads the plaintext token 233 stored in the data storage unit 230, inputs it to the token encryption unit 213, and outputs the output data to the data storage unit 230 as an encryption token. The process stored as 236 is performed.

  In the present embodiment, the overall processing unit 211 performs a process of transmitting the encryption token 236 to the management server 300 via the communication unit 203 and receiving a data search result from the management server 300. A process of storing a part of the data search result in the data storage unit 230 as the encrypted data 234 is performed.

  In the present embodiment, the overall processing unit 211 reads the encrypted data 231 stored in the data storage unit 230, inputs the data to the data decryption unit 218, and outputs the output data to the data storage unit 230 in the plaintext data 231. Are stored in the temporary information storage unit 280 and displayed on the output unit 202.

  The token encryption unit 213 performs a process of encrypting the plaintext token 233 in cooperation with the encoding unit 215. The plaintext token 233 is data (not only a character string but also a binary data string). The plaintext token 233 may be a complete word such as “researcher”, or a partial character string may be the plaintext token 233 such as “res” (part of the researcher). Further, a wild card “*” may be used for the plaintext token 233. For example, “re * earch * r” may be used instead of “researcher”.

  In the present embodiment, the overall processing unit 211 inputs the plaintext token 233 and the secret key 251 to the token encryption unit 213, and the token encryption unit 213 performs processing for outputting the encrypted token 236. A method for realizing the encryption token 236 will be described in detail later with reference to FIG.

The encoding unit 215 performs processing for converting the input plaintext token 233 into fixed-length data. In the present embodiment, the overall processing unit 211 inputs a plaintext token 233 to the encoding unit 215, and the encoding unit 215 converts the input plaintext token 233 into an nlog ₂ <q> -bit token vector and outputs the token vector. Do. However, <> means rounding up the first decimal place.

  For example, the encoding unit 215 can be realized by implementing a standard cryptographic hash function algorithm (SHA-1, SHA-2, etc.) that converts input data having an arbitrary length into fixed length data. Therefore, detailed description thereof is omitted.

  The random number generation unit 216 performs a process of outputting a pseudo random number. For example, the random number generation unit 216 outputs a random number from information regarding physical phenomena such as temperature, time, and electric energy. In the present embodiment, the random number generation unit 216 receives an output command from the overall processing unit 211 and outputs a random number. The realization method of the random number generation unit 216 can be realized by a standard random number generator, and thus detailed description thereof is omitted.

  In realizing the random number generation unit 216, a pseudo random number generator may be used instead of the random number generator. For example, the overall processing unit 211 inputs the secret key 251 to the pseudo-random number generator, and the pseudo-random number generator outputs a pseudo-random number (a number that looks like a random number sequence but is included in the number sequence obtained by deterministic calculation). You may make it do.

  The data decryption unit 218 performs a process of decrypting the input encrypted data 234. For example, in the present embodiment, the overall processing unit 211 inputs the encrypted data 234 and the secret key 251 to the data decrypting unit 218, and the data decrypting unit 218 performs processing for outputting the plaintext data 231. Note that the method for realizing the data decryption unit 218 can be realized by mounting a general encryption algorithm (AES encryption, DES encryption, etc.), and thus detailed description thereof is omitted.

  FIG. 4 is a functional schematic diagram of the management server 300. As illustrated, the management server 300 includes a control unit 310, a storage unit 320, an input unit 301, an output unit 302, and a communication unit 303.

  The storage unit 320 includes a program storage unit 360, a data storage unit 330, and a temporary information storage unit 380.

  The data storage unit 330 stores information related to data received from the registration agent 100 via the communication unit 303. In the present embodiment, information related to the encrypted data 134 and the encrypted index 135 received via the communication unit 303 is stored. Further, information regarding the parameter 337 is stored. In addition, information related to data received from the search agent 200 via the communication unit 303 is stored. In the present embodiment, information regarding the received encryption token 236 is temporarily stored via the communication unit 303.

  The program storage unit 360 stores a program related to encrypted data search processing. The encrypted data search process will be described in detail later with reference to FIG.

  The temporary information storage unit 380 stores information necessary for processing in the control unit 310.

  The control unit 310 includes an overall processing unit 311 and a search unit 312.

  The overall processing unit 311 loads a program related to the encrypted data search processing from the program storage unit 360, performs control between the modules in the management server 300, and performs further simple arithmetic processing. For example, the overall processing unit 311 performs processing for receiving the encrypted data 134 and the encrypted index 135 from the registration agent 100 via the communication unit 303 and storing them in the data storage unit 330. A method for storing the encrypted data 134 and the encrypted index 135 will be described in detail later with reference to FIGS. 7A and 7B.

  In the present embodiment, the overall processing unit 311 receives the encrypted token 236 from the search agent 200 via the communication unit 303, and stores the encrypted token 236 in the data storage unit 330 as the encrypted token 336.

  In the present embodiment, the overall processing unit 311 inputs the encryption token 336 and the encrypted index 701 to the search unit 312, and sends the data output by the search unit 312 to the search agent 200 via the communication unit 303. Process to send.

  Furthermore, the overall processing unit 311 performs processing for storing information related to data received from the search agent 200 or the registration agent 100 via the communication unit 303 in the temporary information storage unit 380 and processing for displaying the information on the output unit 302. .

  The registration agent 100, the search agent 200, and the management server 300 described above include, for example, a CPU 501, a memory 502, an external storage device 503 such as an HDD, a CD, and the like as shown in FIG. 5 (schematic diagram of a computer). A reading device 507 for reading / writing information from / to a portable storage medium 508 such as a DVD, an input device 506 such as a keyboard and a mouse, an output device 505 such as a display, and a NIC for connecting to a communication network This can be realized by a general computer including a communication device 504 and an internal communication line (referred to as a system bus) such as a system bus that connects these devices.

  For example, the storage units 120, 220, and 320 can be realized by the CPU 501 using the memory 502 or the external storage device 503, and each process included in the control units 110, 210, and 310 and the control units 110, 210, and 310 is performed. The unit can be realized by loading a predetermined program stored in the external storage device 503 into the memory 502 and executing it by the CPU 501. The input units 101, 201, and 301 use the input device 506 by the CPU 501. The output units 102, 202, and 302 can be realized by the CPU 501 using the output device 505. The communication units 103, 203, and 303 can be realized by the CPU 501 using the communication device 504. It is feasible.

  This predetermined program is stored (downloaded) in the external storage device 503 from the storage medium 508 via the reading device 507 or from the network 400 via the communication device 504, and then loaded onto the memory 502, It may be executed by the CPU 501. Alternatively, the program may be directly loaded onto the memory 502 from the storage medium 508 via the reading device 507 or from the network 400 via the communication device 504 and executed by the CPU 501.

(Processing procedure)
The outline of the partial match search process of the present embodiment will be described with reference to FIG.

  The registration agent 100 primes the public parameter N (integer) input by a user who registers desired data and an index related to the data into the management server 300 to obtain three prime numbers p, q, and r. Using these prime numbers, the data and index registered in the management server 300 are respectively encrypted, and the encrypted data and index are transmitted to the management server 300. The management server 300 stores the encrypted data and the index in the storage unit 320 in association with each other.

  The search agent 200 receives a search token composed of a partial character string from a data search user, encrypts the token using the three prime numbers generated from the public parameters, and transmits the encrypted token to the management server 300. Note that the plaintext of the search token may include a wild card, and encryption is performed in consideration of the wild card.

  The management server 300 performs a search by executing a matching between the encrypted token received from the search agent 200 and the encrypted index using a bilinear mapping, and if the matching is successful, the management server 300 is encrypted. The encrypted data associated with the index is searched, and the search result is transmitted to the search agent 200.

  The search agent 200 decrypts the encrypted data received from the management server 300 using the three prime numbers generated from the public parameters and outputs a plaintext search result to the data search user. Present.

  FIG. 6 is a sequence diagram illustrating a process in which the management server 300 registers the encrypted index 135 transmitted by the registration agent 100 via the network 400 in the storage unit 320 in the present embodiment.

  The entire processing unit 111 of the registration agent 100 loads the plaintext data 131 and inputs it to the data encryption unit 117, and the entire processing unit 111 loads the plaintext index 132 and inputs it to the index encryption unit 113 ( S601).

  The data encryption unit 117 of the registration agent 100 loads the secret key 151 stored in the storage unit 120 and converts the plaintext data 131 into the encrypted data 134. The conversion method can be realized by implementing a standard encryption algorithm (AES encryption, DES encryption, etc.), and thus detailed description thereof is omitted. Also, the index encryption unit 113 of the registration agent 100 loads the secret key 151 and the parameter 137 stored in the storage unit 120 and converts the plaintext index 132 into the encryption index 135. The conversion method will be described in detail later with reference to FIG. 9 (S602).

  The communication unit of the registration agent 100 transmits the encrypted data 134 output from the data encryption unit 117 and the encrypted index 135 output from the index encryption unit 113 to the management server 300 via the network 400. Processing is performed (S603).

  A process of receiving the encrypted data 134 and the encrypted index 135 transmitted by the registration agent 100 from the communication unit 303 of the management server 300 via the network 400 is performed (S604).

  The overall processing unit 311 of the management server 300 stores the encrypted data 134 and the encrypted index 135 in the storage unit 320. In storing, as shown in FIG. 7B, the encrypted data 134 (701) is stored as a part of the data table (E1, E2, and E3 in FIG. 7B correspond to the encrypted data 134). The transmitted encrypted index 135 is stored as a part of the index table in association with the address (virtual address or physical address) of the storage unit 320 storing the encrypted data 134 transmitted together ( 7A, I1, I2, I3, I4, and I5 correspond to the encrypted index 701 (135), and address 1 is a value indicating the address of the encrypted data E1, and similarly, address 2 is encrypted. A value indicating the address of the data E2, and address 3 is a value indicating the address of the encrypted data E3.) (S605).

  When the management server 300 finishes storing the encrypted data 134 and the encrypted index 135 in the storage unit 320, the management server 300 sets “registration success” and indicates “registration success” from the communication unit 303 via the network 400. A process of transmitting data to the registration agent 100 is performed. In addition, if the storage process of the encrypted data 134 or the encrypted index 135 to the storage unit 320 cannot be completed due to storage capacity limitations or the like, “registration failure” occurs and the communication unit 303 passes through the network 400. Then, a process of transmitting data indicating “registration failure” to the registration agent 100 is performed (S606).

  Processing for receiving data indicating “registration success” or “registration failure” sent from the management server 300 via the network 400 from the communication unit 103 of the registration agent 100 is performed (S607).

  Through the above processing (S601 to S607), the registration agent 100 can instruct the management server 300 to store the encrypted data 134 and the encrypted index 135 in the storage unit 120 via the network 400, and can confirm the processing result. .

  Note that the above processing procedure is not fixed, and the processing procedure may be changed. For example, the registration agent 100 may change S602 and S603 so that the encrypted index 135 is created and transmitted after the encrypted data 134 is created and transmitted. Also, the management server 300 may individually receive and store the encrypted data 134 and the encrypted index 135. Similarly, other processing contents may be changed. For example, the registration agent 100 may collectively create and transmit a plurality of encrypted data 134 and encrypted index 135. Also, the management server 300 may receive and store a plurality of encrypted data 134 and encrypted index 135 in a lump.

  The outline of the search result data generation process of this embodiment will be described with reference to FIG.

  In this embodiment, in order to reinforce the encryption of the index and the encryption of the token, the encrypted data of each other is disturbed by the other factor (for encryption). That is, by disturbing each other's encrypted data by factors used in encryption performed independently of each other, such as index encryption performed by the registration agent 100 and token encryption performed by the search agent 200, The confidentiality of the encryption is enhanced by preventing the encryption process from being closed within itself.

  A detailed description of the various symbols shown in FIG. 14 will be described later.

(1) Generating Factors and Information for Encryption First, as shown on the left side of FIG. 14, in the processes of FIGS. 8, 9 and 11 described later, (a) Factors for encrypting indexes with the group Gp (B) Group Gq is used to generate information that is the source of the encryption index. (C) A vector orthogonal to the token vector obtained by vectorizing the token character string and the group Gq (D) A factor for encrypting the token is generated by the group Gr.

These factors or information can be broadly divided into those related to indexes or tokens, but some of the factors related to the index (a) ({gp ^vk }, (gp ^Σvkpk )) are factors of disturbance to token encryption. In addition, some of the factors ({gr ^uk }, (gr ^Σukrk )) related to the token in (d) are disturbance factors for index encryption.

(2) Generation of Encrypted Index and Token Next, as shown in the center of FIG. 14, in the process of FIG. 9 to be described later, factors or information relating to the index generated in the above (a) and (b), and the above An encrypted index obtained by encrypting the plaintext index is generated using the disturbance factor generated with respect to the token of (d). Similarly, in the process of FIG. 11 described later, the plaintext token is converted using the factor or information related to the token generated in (c) and (d) above and the disturbance factor generated regarding the index in (a) above. Generate an encrypted encryption token. Further, in the same way as the above-described encryption index and encryption token generation process, factors for releasing the encryption of the index and token are also generated in a later process.

  Some of these decryption factors include factors that disturb the other party's encryption, as described above. Therefore, in FIG. 14, with respect to factors that disturb the other party's encryption, a part of the arrow from the index side and a part of the arrow from the token side intersect each other, and each of the encryption index and the encryption token Have joined.

(3) Generation of search result data Finally, as shown on the right side of FIG. 14, in the process of FIG. 12 described later, the encryption index, the encryption token, and the decryption of the encryption index generated in (2) above. The search result data for determining whether or not the verification of the encrypted index and the token is successful is generated using the factor for the above.

  The dashed arrows in FIG. 14 indicate that the process (2) is performed using the inverse element of the factor generated in (1) above, and the thick arrows indicate the data in the data string indicated by {*}. Indicates multiplication (product). In the upper right of FIG. 14, the domain of various random numbers (public parameters N (integer) used for generating factors and information in (1) above are related to three prime numbers p, q, and r by prime factorization. And the correspondence relationship between the random numbers associated with the group Gp and the group Gr. The lower part of FIG. 14 shows details of the intermediate data (encryption index and token, decryption factor, and encryption disturbance factor) generated in (2) above.

  FIG. 8 is a sequence diagram showing a secret key and public parameter generation process of the registration agent 100. In the registration agent 100, the overall processing unit 111 instructs the key setting unit 112 to generate a key.

  The key setting unit 112 reads the parameter 137 stored in the storage unit 120 (S801). The parameter 137 describes a parameter N-length related to the length of the encryption key and a parameter n-kinds related to the type of ciphertext.

  First, the key setting unit 112 generates a prime number p. The method for generating prime numbers can be realized by implementing a standard prime number generation algorithm (such as a key generation method for RSA encryption), and a detailed description thereof will be omitted. Next, a group Gp related to multiplication with the order p is generated. However, the order is the number of data (hereinafter referred to as original) having different values belonging to a certain group. In other words, there are at most p elements having different binary values in the group Gp. For simplicity, in this embodiment, the element on the group Gp is data having an integer value of 0 or more and less than p.

  Similar processing is performed for the prime number q and the prime number r. That is, the key setting unit 112 generates a prime number q and a prime number r, and generates a group Gq related to multiplication with the order q and a group Gr related to multiplication with the order r. In the present embodiment, the element on the group Gq is an integer value of 0 or more and less than q, and the element on the group Gr is an integer value of 0 or more and less than r (S802).

For example, the element gp on the group Gp is an arbitrary gp generated by a congruence formula of gp ^p ≡1 (where p is an order). The element gq on the group Gq and the element gr on the group Gr are similarly generated using the prime numbers q and r, respectively.

  Here, the name and role of each group will be described.

Gp (token vector disturbance group): a group for disturbing plaintext information (token vector) embedded in the group Gq Gq (plaintext information encoding group): plaintext information (as an index vector and a token vector) ) Embedded Group Gr (Index Vector Disturbance Group): Group for Disturbing Plain Text Information (Index Vector) Embedded in Group Gq The names and roles of Gp and Gr described above are mutually encrypted. Is related to the encryption of its own index or token, as described in the description of FIG.

The key setting unit 112 generates an integer N (= pqr) that is a product of prime numbers p, q, and r. At this time, the integer N is a number greater than or equal to the key length parameter N-length. Next, a group GN having a bilinearity map is generated for multiplication, where the order is N. A bilinear map is a map e (e: GN × GN → GN ′) that takes two elements on GN as input and projects to another element on GN ′, and indicates a map that satisfies the following two conditions. .
Condition 1: e (g, h) it is based on the group GN 'Condition 2: satisfying the number 1 of the following formula (Equation ^{1) e (g a, h} b) = e (g, h) ab
However, the element g and the element h are arbitrary values on the group GN. Further, a and b are arbitrary integers, g ^a is a value obtained by raising the element g to the a power on the group GN, and h ^b is a value obtained by raising the element h to the b power on the group GN. Further, a mapping (hereinafter referred to as a corresponding mapping) from elements on the group GN to each element on the group Gp, the group Gq, and the group Gr is generated. For example, an element e (g, h) on the group Gp is generated from elements g and h on the group GN. The details of the generation procedure of the group GN having the composite number N as the order and the relationship between the group Gp, the group Gq, and the group Gr are described in, for example, Non-Patent Document 3, and thus detailed description thereof is omitted (S803). ).

Here, the derivation of the relational expression 1 will be described. In the map e (g, h), if the relationship e (xy, z) = e (x, z) e (y, z) holds, when m is an integer, ^{(x m, z) = e} (x, z) m holds is because similarly holds true with respect to ^{z, e (g a, h} b) = e (g, h b) a = [e (g, h) ^b ] ^a = e (g, h) ^ab, and the relationship of Formula 1 is established.

Incidentally, f (xy) = f ( x) satisfies the relationship of f (y) f (x) is expressed as f ^(x) = x ^k. However, k = f (1) ′. (Y = 1 + Δ / x, f (1) = 1 is used to create a differential equation, Δ → 0 to create a differential equation and solve it.)
The key setting unit 112 randomly creates the element gp on the group Gp. In order to generate the original gp at random, the key setting unit 112 requests the overall processing unit 111 to generate a random number (integer) of 0 or more and less than p, and the overall processing unit 111 sends the random number generation unit 116 of 0 or more and less than p. A random number is generated, and the generated random number is input to the key setting unit 112. The key setting unit 112 may generate an element gp on the group Gp using the input random number. Similarly, the key setting unit 112 randomly creates an element gq on the group Gq and an element gr on the group Gr.

  The key setting unit 112 performs the following processing according to the number of ciphertext type parameters n-kinds (hereinafter referred to as n).

The key setting unit 112 creates a random number p1 that is greater than or equal to 0 and less than p, and creates gp ^p1 that is an element on the group Gp by multiplying the element gp on the group Gp by the power of p1. In order to generate the random number p1, the key setting unit 112 requests the entire processing unit 111 to generate a random number (integer) of 0 or more and less than p, and the entire processing unit 111 sends a random number of 0 or more and less than p to the random number generation unit 116. The generated random number is input to the key setting unit 112 as the random number p1, and the key setting unit 112 may calculate the p1 power of the element gp on the group Gp. Similarly, to create a random number p2 from 0 to less than p, the original gp on the group Gp and p2 power, creating a ^{gp p2} is the original on the group Gp. This process is repeated n times to create gp ^p1 ,..., Gp ^pn .

Furthermore, zero or more random number less than r r1, r2, · · ·, to create a rn, creating original ^gr r1 on the group Gr, · · ·, a ^{gr rn} (S804).

The key processing unit includes mapping e, group GN, group GN ', element gp, element gp ^p1 , ..., element gp ^pn , element gp, element gq ^q1 , ..., element gq ^qn , element gr, The element gr ^r1 ,..., The element gr ^rn are used as public parameters, and the element gq and the corresponding mapping are output as secret keys. The overall processing unit 111 stores the public parameter output from the key processing unit in the storage unit 120 as part of the parameter 137, and the secret key stores the element gq, prime p, prime q, and prime r in the key storage unit 150. Saved as the key 151 (S805).

  Through the above processing (S801 to S805), the registration agent 100 can create the secret key 151 and the public parameters required for creating the encryption index 135 and the encryption token 236, and store them in the storage unit 120.

Note that the above processing procedure is not fixed, and the processing procedure may be changed. For example, the registration agent 100 may change S802 to S805 so as to sequentially perform the processes related to the prime p, prime q, and prime r. For example, after generating the prime number p, the group Gp having the order of p is generated, and the elements gp, gp ^p1 ,..., Gp ^pn on the group Gp are generated and stored in the storage unit 120. The processing related to the prime number q and the processing related to the prime number r may be performed. Similarly, other processing contents may be changed.

  In the above processing, a bilinear map e (e: GN × GN → GN ′) that takes two elements on GN as input and projects to another element on GN ′ is used. A linear map e ′ (e ′: GN1 × GN2 → GN3, where GN1, GN2, and GN3 have different orders) can be similarly realized.

  In the above processing, a group related to multiplication is generated, but other groups such as an additive group on an elliptic curve can be similarly realized.

FIG. 9 is a sequence diagram showing processing for realizing the encrypted index 135 for the exact match search in the registration processing of the encrypted data 134 and the encrypted index 135 of the registration agent 100. In the processing flow of FIG. 9, not only the plaintext index 132 for search is converted, but also the encrypted index 135 including the two types of search data (ID _{n + 1} , ID _{n + 2} ) created for the management server 300 is included. (Unlike the technique of Non-Patent Document 2, in the present invention, since there are two types of data for search, the public parameter N can be a product of three prime numbers). Probabilistic encryption of the plaintext index 132 (when a plaintext index 132 having the same value is input, a different encryption index 135 is created each time), and high security for the encryption index 135 is realized.

First, the overall processing unit 111 performs a process of inputting the plaintext index 132 to the encoding unit 115 and outputting an nlog ₂ <q> -bit index vector output from the encoding unit 115. However, <> means rounding up the first decimal place. The index vector is divided into n pieces of element data (x1, x2,..., Xn) for each log ₂ <q> bit. An integer corresponding to each Ck of the character strings C1C2... Cn constituting the index is xk. Each element data is represented by an integer of 0 or more and less than q. The overall processing unit 111 instructs the index encryption unit 113 to encrypt the index vector.

The index encryption unit 113 reads the parameter 137 stored in the storage unit 120 (S901). The parameter 137 includes a parameter N-length related to the length of the encryption key, a parameter n-kinds related to the type of ciphertext, and public parameters such as mapping e, group GN, group GN ′, element gp, element gp ^p1 ,. .., element gp ^pn , element gr, element gr ^r1 ,..., Element gr ^rn are stored. As the secret key 151, an element gq, a prime number p, a prime number q, and a prime number r are stored.

Index encryption unit 113 creates a random number s from 0 to less than p, the original gp generated at S804, the original ^gp p1, · · ·, the former ^{gp pn} the multiplication s, original gp ^s, original gp ^sp1, · ^-Create the original gp ^spn . In order to generate the random number s, the key setting unit 112 requests the overall processing unit 111 to generate a random number (integer) of 0 or more and less than p, and the overall processing unit 111 asks the random number generation unit 116 to create a random number of 0 or more and less than p. to create a random number, enter the random number created in the key setting unit 112 as a random number s, the original gp on the key setting unit 112 group gp, based gp ^p1, · · ·, by calculating the multiplication s original gp ^pn Good (S902).

Similarly, the index encryption unit 113, random numbers u1 from 0 to less than r, the random number u2, · · ·, to create a random number un, from the original gr, original ^gr u1, · · ·, to create the original ^{gr un} ( S903).

Index encryption unit 113, random numbers u1 created in S903, the random number u2, · · ·, using random numbers un, based ^gr r1 generated in S804, · · ·, respectively based ^{gr rn} u1, u2, · · · The element gr ^u1r1 ,..., and element gr ^unrn are generated by ^raising to un. Further, gr ^{u1r1 +... + Unrn} which is the product of each ^element is calculated. This processing is related to element data in an index vector related to search. That is, if only an exact match search with the index vector is requested, gr ^{u1r1 +... + Unrn} may be created. Also, when partial search with a part of the index vector is possible, for example, when correspondence with the first to (n-1) th element data of the index vector (when the nth is desired to be ignored) is taken. ^Needs to create gr ^{u1r1 +... + U (n-1) r (n-1)} , and corresponds only to the first, third and fifth element data of the index vector (if other are to be ignored) In this case, gr ^{u1r1 + u3r3 + u5r5} may be created. The product calculation can be processed by multiplication as shown in the following equation (2) (S904).
( ^Equation 2) gr ^{u1r1 +... + Unrn} = gr ^u1r1 gr ^u2r2 ... Gr ^unrn
The index encryption unit 113 creates gq ^x1 , gq ^x2 ,..., Gq ^xn from the element gq using the element data (x1, x2,..., Xn) (S905).

The index encryption unit 113 calculates gq ^x1 gp ^sp1 gr ^u1 , gq ^x2 gp ^sp2 gr ^u2 ,..., ^{Gq xn} gp ^spn gr ^un , which is the product of each element, and uses the corresponding mapping to calculate GN. the data transferred onto the original, each _ID 1 ^{(corresponding} to _{^{gq x1 gp sp1 gr u1),}} ( corresponding to ^{gq x2 gp sp2 gr u2) ID} 2, ( corresponding to ^{gq xn gp spn gr un) ···} IDn (S906).

The index encryption unit 113 outputs gp ^s as ID _{n + 1} , gr ^{u1r1 +... + Unrn} as ID _{n + 2,} and ID ₁ , ID ₂ ,..., ID _{n + 2} as a set of data. The overall processing unit 111 stores the output data in the storage unit 120 as the encrypted index 135 (S907). Unlike the technique of Non-Patent Document 2 in which the public parameter N requires a product of four prime numbers (N = pqrs), the public parameter N may be a product of three prime numbers (N = pqr) in the present invention. This is because there are two types of data (ID _{n + 1} , ID _{n + 2} ).

  Here, the names and roles of IDk, TDk, Uk (k = 1 to n, n + 1, n + 2), which are intermediate data, will be described. The relationship between these data is shown in FIG.

(1) Index-related IDk (index / vector expression index):
Part of encrypted index for embedding plaintext information (index / vector) ID _{n + 1} (index for deleting token / vector disturbance group):
Part of the encryption index ID _{n + 2} (index for deleting vector / vector disturbance group) that deletes the token / vector disturbance group Gp element from the encryption token in cooperation with the token / vector disturbance group deletion token ):
Part of the encrypted index that deletes the element of the index / vector disturbance group Gr from the encrypted index in cooperation with the “index / vector disturbance group deletion token” (2) Token related TDk (index vector expression token) :
Part of encryption token for embedding plaintext information (token vector) TD _{n + 1} (token / vector disturbance group deletion token):
Part of encryption token TD _{n + 2} (deletion token for index / vector disturbance group) that deletes the origin of token / vector disturbance group Gp from the encryption token in cooperation with “Index for deleting token / vector disturbance group” :
Part of the encryption token that deletes the source of the index / vector disturbance group Gr from the encryption index in cooperation with the “Index for deleting the index / vector disturbance group” (3) Search result data related Uk (Inter-element verification data):
The product of “index vector expression index” and “index vector expression token”. Matching result of each element of the index vector and token vector. (x_k z_k) is included.

U _{n + 1} (token / vector disturbance group cancellation data):
Disturbance information by the token vector disturbance group Gp is removed from the “inter-element matching data”.
U _{n + 2} (data for releasing the index vector disturbance group):
Disturbance information by the index / vector disturbance group Gr is removed from the “inter-element verification data”.

Through the above processing (S901 to S907), the registration agent 100 can create the encryption index 135 based on the secret key 151 and the public parameter stored in the storage unit 120. In particular, the index vector (x1, x2,..., Xn) is handled as an index of gq which is the secret key 151 and is further sandwiched between Gp and Gq having sufficiently high randomness (for example, ID ₁ is gq ^x1 gp ^sp1 gr ^u1 and is disturbed by gp ^sp1 obtained by raising the public parameter gp ^p1 to the power of the random number s and gr ^{u1 obtained} by ^raising the public parameter gr to the power of the random number u1). Since the random number generated every time is different for the vector, the encryption index 135 having a different value is created. Therefore, the encryption index 135 can be expected to have high security.

  In addition, since the public parameter N configured by the product of three prime numbers is used to create the encryption index 135, the message to be encrypted is also more efficient than the technique of Non-Patent Document 2.

(Encrypted message efficiency) = q / N = 1 / pr (> 1 / (pqr))
Furthermore, by selecting index vector element data to be incorporated into the encrypted index 135 in the processing of S905, it is possible to create an encrypted index 135 for partial match search as well as complete match search. Further, the encryption index 135 does not need to be configured only with ID ₁ ... ID _{n + 2} , and the number of components may be increased particularly for partial match search.

  Note that the above processing procedure is not fixed, and the processing procedure may be changed. For example, S903 and S904 may be performed after S901, and S902 may be performed after S904. Further, S905 may be performed before S902, S903, and S904.

  In the above processing, a group related to multiplication is generated, but other groups such as an additive group on an elliptic curve can be similarly realized.

  FIG. 10 is a sequence diagram illustrating a process in which the management server 300 searches the encrypted data 712 based on the encryption token 236 transmitted by the search agent 200 via the network 400 in the present embodiment.

  The entire processing unit 211 of the search agent 200 loads the plaintext data 231 and inputs it to the token encryption unit 213 (S1001).

  The token encryption unit 213 of the search agent 200 loads the secret key 251 and the parameter 237 stored in the storage unit 220, and converts the plaintext token 233 into the encryption token 236. The conversion method will be described in detail later with reference to FIG. 11 (S1002).

  The communication unit of the search agent 200 performs a process of transmitting the encrypted token 236 output from the token encryption unit 213 to the management server 300 via the network 400 (S1003).

  A process of receiving the encryption token 236 transmitted by the search agent 200 from the communication unit 303 of the management server 300 via the network 400 is performed (S1004).

  The overall processing unit 311 of the management server 300 inputs the received encryption token 236 and the number of the encryption index 701 to be loaded into the search unit 312 (S1005). For example, when searching the encrypted index 701 stored in the storage unit 320 comprehensively, the overall processing unit 311 assigns a number to the encrypted index 701 stored in the index table in advance (for example, 1 to 1000). Etc.), the processing from 1 to 1000 may be sequentially input to the search unit 312.

  The search unit 312 of the management server 300 outputs data related to the search result (S1006). The processing of the search unit 312 will be described in detail later with reference to FIG.

  When the search result is 1 (the encryption token 236 and the encryption index 701 are related), the overall processing unit 311 of the management server 300 relates to the corresponding encryption index 701 from the index table shown in FIG. 7A. The address is loaded (for example, when the encrypted index I1 (701) corresponds to the index table in FIG. 7A, the overall processing unit 311 loads address 1), and the encrypted data 712 stored in the address is stored. (For example, in the data table of FIG. 7B, the overall processing unit 311 loads the encrypted data E1 stored in address 1). The overall processing unit 311 stores the loaded encrypted data 712 in the storage unit 320 as a part of the search result (S1007).

  The search unit 312 of the management server 300 repeats the processing from S1005 to S1007 until the overall processing unit 311 stops (S1008).

  The management server 300 performs processing for transmitting all the loaded encrypted data 712 from the communication unit 303 to the search agent 200 via the network 400 as part of the search result. If the encrypted data 712 is not loaded, “N / A” is set, and data indicating “N / A” is transmitted from the communication unit 303 via the network 400 to the search agent 200 (S1009). .

  A process of receiving encrypted data 712 or data indicating “not applicable” transmitted from the management server 300 via the network 400 from the communication unit 203 of the search agent 200 is performed (S1010).

  When the search agent 200 receives the encrypted data 712, the overall processing unit 211 inputs the encrypted data 712 to the data decrypting unit 218, and the data decrypting unit 218 loads the secret key 251 stored in the storage unit 220. Then, the encrypted data 712 is converted into plaintext data 231. Note that the conversion method can be realized by mounting a standard decryption algorithm (AES encryption, DES encryption, etc.), and thus detailed description thereof is omitted (S1011).

  The overall processing unit 211 of the search agent 200 stores the plaintext data 231 output from the data decryption unit 218 in the storage unit 220 (S1012).

  Through the above processing (S1001 to S1012), the search agent 200 can instruct the management server 300 to search the encrypted data 712 via the network 400 and check the search result.

Note that the above processing procedure is not fixed, and the processing procedure or the processing content may be changed. For example, the management server 300 may perform a search process for a plurality of encrypted indexes 701 at once (S1005 to S1007), and further omit the repeated process (S1008). Also, the management server 300 may create (S1007) and transmit (S1009) search results for each search of the encrypted index 701, or may collect the search results for a plurality of records.

  FIG. 11 is a sequence diagram showing a process for generating the encryption token 236 in the search process using the encryption token 236 of the search agent 200.

  In the processing flow of FIG. 11, not only the plaintext token 233 for search is converted, but also an encryption token 236 is created including two types of search data created for the management server 300 (the technology of Non-Patent Document 2). Unlike in the present invention, since there are two types of search data, the public parameter N is a product of three prime numbers). Probabilistic encryption of the plaintext token 233 (a different encryption token 236 is created every time the same value of the plaintext token 233 is input) realizes high security for the encryption token 236.

  The overall processing unit 211 instructs the token encryption unit 213 to encrypt the token vector.

The token encryption unit 213 reads the parameter 237 and the secret key 251 stored in the storage unit 220 (S1101). The parameter 237 includes a parameter N-length related to the length of the encryption key, a parameter n-kinds related to the type of ciphertext, and public parameters such as mapping e, group GN, group GN ′, element gp, element gp ^p1 ,. .., element gp ^pn , element gr, element gr ^r1 ,..., Element gr ^rn are stored. As the secret key 251, an element gq, a prime number p, a prime number q, and a prime number r are stored.

The overall processing unit 211 inputs the plaintext token 233 to the encoding unit 215 and performs processing for outputting an nlog ₂ <q> -bit token vector output from the encoding unit 215. However, <> means rounding up the first decimal place. The token vector is divided into n pieces of element data (y1, y2,..., Yn) for each log ₂ <q> bit. An integer corresponding to each Ck of the character strings C1C2... Cn constituting the token is yk. Each element data is represented by an integer of 0 or more and less than q. The overall processing unit 211, when taking the inner product with the token vector, creates an orthogonal vector whose value is equal to 0 on the GN. This orthogonal vector is also divided into n pieces of element data (z1, z2,..., Zn) for each log ₂ <q> bit, and each element data is represented by an integer of 0 or more and less than q.

In the generation of the orthogonal vector, an integer of 0 or more and less than q may be set to z1, z2,.
(Expression 3) y1z1 +... + Ynzn = kq (k is an arbitrary integer)
The above equation 3 is equivalent to y1z1 +... + Ynzn≡0 (mod q).
Specifically, the overall processing unit 211 causes the random number generation unit 216 to generate a random number from 0 to less than q, and sets the generated random numbers as z1, z2, and z (n−1), respectively. Further, since the value of zn satisfying Equation 3 is uniquely obtained (by solving simultaneous linear equations), the value is set to zn (S1102).

Orthogonal vectors (z1, z2,..., Zn) satisfying y1z1 +... + Ynzn = 0 expressed by Equation 3 are obtained by the following procedure, for example. When obtaining the components of the orthogonal vector original vector {yk} as a base, an orthogonal vector {zk} ^{is, z1 = y1-yn 2 /} y1, zk = yk- (y (k-1)) 2 / yk (k = 2 to n). In particular, when yk> y (k−1) (k = 2 to n), zk> 0 (k = 2 to n) and z1 <0. Furthermore, the orthogonality condition is satisfied even if the least common multiple M of {yk} is multiplied in order to convert {zk} into an integer.

If z1 ′ = z1 + Δ (> 0) is set to z1 <0, where z1 <0 (+0) (| z1 | <Δ), the orthogonality condition is y1z1 ′ + y2z2 +... + ynzn = y1Δ (= kq It will be). When z1 ′ = w (> 0), Δ = w−z1 = w + | z1 | = w + (yn ² / y1) −y1.

  When the plaintext token 233 includes a wild card “*”, the element data of the corresponding token vector is ignored and created. For example, when “a * b * e” is input to the plaintext token 233 instead of “abced” (and n = 5), the plaintext token 233 is encoded for each character in the token vector element data. In this case, an orthogonal vector (z1, z2, z3, z4, z5) is created based on Equation 4 below.

(Expression 4) y1z1 + y2z2 + y3z3 + y4z4 + y5z5 = kq (k is an arbitrary integer)
On the other hand, when the plaintext token is “a * b * e” including a wild card, since the wild card is input in the second and fourth in which “*” is input, based on Equation 5 below To obtain orthogonal vectors (z1, *, z3, *, z5).

(Expression 5) y1z1 + y3z3 + y5z5 = kq (k is an arbitrary integer)
Expression 5 is obtained by setting element data z2 and z4 corresponding to the wild card to 0 in the expression of Expression 3.

In S1103, the token encryption unit 213 creates a random number t that is greater than or equal to 0 and less than r, and the element gr ^t , element gr ^obtained by powering the element gr, element gr ^r1 ,. ^tr1 ,..., the original gr ^trn is created. In order to generate the random number t, the token encryption unit 213 requests the whole processing unit 211 to generate a random number (integer) of 0 or more and less than r, and the whole processing unit 211 sends the random number generation unit 216 to 0 or more and less than r. And the generated random number is input to the token encryption unit 213 as a random number t, and the token encryption unit 213 calculates the element gr, element gr ^{r1 ,.} What is necessary is just to calculate (S1103).

Similarly, the token encryption unit 213 creates a random number v1, a random number v2,..., A random number vn of 0 or more and less than r, and creates an element gp ^{v1 ,.} S1104).

The token encryption unit 213 uses the random number v1, the random number v2,..., The random number vn created in S1104, and the original gp ^p1 generated in S804 is converted into the original gp ^pn as V1, V2,. Each element gp ^v1p1 ,..., ^Element gp ^vnpn is generated by ^raising to the power of Vn. Further, gp ^{v1p1 +... + Vnpn} which is the original product of each is calculated. This processing is related to element data in the token vector related to the search. That is, when only a complete match search with a token vector is requested, gp ^{v1p1 +... + Vnpn} may be created. In addition, when a partial search with a part of the token vector is enabled, for example, the correspondence with the first to (n-1) th element data of the token vector (the nth element data is a wild card). In order to take this, it is ^sufficient to create gp ^{v1p1 +... + V (n-1) p (n-1)} , corresponding to only the first, third and fifth element data of the token vector (other element data Can be ^used to create gp ^{v1p1 + v3p3 + v5p5} . That is, among the element data in the token vector, the random numbers pk corresponding to the wild card, that is, the values of p2 and p4 are set to zero. The product calculation can be processed by multiplication as shown in the following equation (6) (S1105).
( ^Equation 6) gr ^{v1p1 +... + Vnpn} = gr ^v1p1 gr ^v2p2 ... Gr ^vnpn
The token encryption unit 213 creates gq ^z1 , gq ^z2 ,..., Gq ^zn from the element gq using the orthogonal vector element data (z1, z2,... Zn) (S1106).

The token encryption unit 213 calculates gq ^z1 gp ^v1 gr ^tr1 , gq ^z2 gp ^v2 gr ^tr2 ,..., ^{Gq zn} gp ^vn gr ^trn , which is a product of each element, and uses GN the data transferred onto the original, ^{(corresponding} to _{^{gq z1 gp v1 gr tr1) TD}} 1 respectively, ^{(corresponding} to _{^{gq z2 gp v2 gr tr2) TD}} 2, corresponding to the ^{··· TD n (gq zn gp vn} gr trn (S1107).

  It should be noted that the public parameter N is a product of four prime numbers (N = pqrs), and the disclosed technique of Non-Patent Document 2 in which three groups (Gp, Gr, Gs) can be used to disturb the index and the token In the present invention, since the public parameter N is a product of three prime numbers (N = pqr), only two groups (Gp, Gr) can be used to disturb the index and the token. Therefore, as shown in S1107, a token / vector disturbance group deletion token and an index / vector disturbance group deletion token are created, and the disturbance information can be deleted.

S1107 is also related to element data in the token vector related to the search, similar to S1105. That is, if only a complete match search with a token vector is requested, all TD ₁ , TD ₂ ,..., TD _n may be created. TD ₁ , TD ₂ ,..., TD _n-1 are created when correspondence with the first to (n-1) th element data of the token vector is taken (the nth element data is a wild card). In the above example including a wild card, only the first, third, and fifth element data of the token vector correspond to each other (other element data is a wild card), and TD ₁ , TD ₃ , TD ₅ may be created. Further, TD ₆ and TD ₇ are created as search data.

Token encryption unit ^{213, gp v1p1 + ··· + vnpn} the inverse element ^{gp - (v1p1 + ··· + vnpn} ) was calculated, which was the _{TD n + 1,} the inverse element ^{gr -t} of gr ^t and _{TD n + 2, TD 1} , TD ₂ ,..., TD _{n + 2} are output as a set of data. The overall processing unit 211 stores the output data in the storage unit 220 as an encryption token 236. Further, the created subscript number of TD (from which the wild card number is removed) is also stored in the storage unit 220 as the encryption token 236 (S1108).

Through the above processing (S1101 to S1108), the search agent 200 can create the encryption token 236 based on the secret key 251 and the public parameter stored in the storage unit 220. In particular, the token vector (z1, z2,..., Zn) is handled as an index of gq which is the secret key 251, and is further sandwiched between the group Gp and the group Gq having sufficiently high randomness. (For example, TD ₁ is gq ^z1 gp ^v1 gr ^tr1 , and is disturbed by gp ^{v1 obtained} by raising the public parameter gp to the power of the random number ^v1 and gr ^{tr1 obtained} by ^raising the public parameter gr ^r1 to the power of the random number t). Since the generated random numbers are different for each token vector, encryption tokens 236 having different values are created, so that the encryption token 236 can be expected to have high security. In addition, since the public parameter N configured by the product of three prime numbers is used to create the encryption token 236, the use efficiency of the message to be encrypted is higher than that of the technique of Non-Patent Document 2.

(Encrypted message efficiency) = q / N = 1 / pr (> 1 / (pqr))
Further, by selecting the element data of the token vector to be taken into the encryption token 236 in the processing of S1105, it is possible to create the encryption token 236 for partial match search as well as complete match search. Also, the encryption token 236 need not be composed of TD ₁ ... TD _{n + 2} alone, and the number of components may be increased particularly for partial match search.

  Note that the above processing procedure is not fixed, and the processing procedure may be changed. For example, the registration agent 100 may change the order of S1103, S1104, and S1105 to create the encryption token 236.

FIG. 12 is a sequence diagram illustrating a process for searching the encrypted data of the management server 300. In the management server 300, the overall processing unit 311 inputs the encryption token 336 and the number of the encryption index 701 to the search unit 312, and instructs the search processing of the encrypted data 712. In the search, two types of search data (ID _{n + 1} (= gp ^s ), ID _{n + 2} (= gr ^Σukrk ), TD _{n + 1} (= gp ⁻ ) created for the management server 300 are used. ^Σvkpk ), TD _{n + 2} (= gr ^−t )) is used to eliminate random number information (group Gp element and group Gr element) in the encryption index 701 and the encryption token 336.
(Unlike the technique of Non-Patent Document 2, in the present invention, since there are two types of search data, partial search is possible even if the public parameter N is a product of three prime numbers).

  The search unit 312 reads the parameters stored in the storage unit 320 (S1201). The parameter 337 describes a parameter N-length related to the length of the encryption key, a parameter n-kinds related to the type of ciphertext, a bilinear mapping, and the like.

  The search unit reads the encrypted index 701 from the index table stored in the storage unit 320 based on the input number of the encrypted index 701 (S1202).

  Thereafter, the management server 300 performs verification processing of the encryption index 701 and the encryption token 336.

  First, the search unit 312 extracts the TD subscript number from the encryption token 336 (S1203). In the following, for simplicity, the case where all the subscript numbers of TD exist from 1 to n + 2 will be introduced.

The search unit 312 extracts ID ₁ (corresponding to the original gq ^x1 gp ^sp1 gr ^u1 ) from the encryption index 701 and TD ₁ (corresponding to the original gq ^z1 gp ^v1 gr ^tr1 ) from the encryption token 336. A bilinear map of ID ₁ and TD ₁ is calculated according to the following equation (7), and this is defined as U ₁ .
(Expression 7) U ₁ = e (gq ^x1 gp ^sp1 gr ^u1 , gq ^z1 gp ^v1 gr ^tr1 )
= E (gp, gp) ^sp1v1 e (gq, gq) ^x1z1 e (gr, gr) ^u1tr1
Here, derivation of the relational expression of Expression 7 will be described.

Using the relationship e (xy, z) = e (x, z) e (y, z) associated with Equation 1, if we include two variables x and y,
e (x ^m1 y ⁿ¹ , x ^m2 y ⁿ² ) = e (x ^m1 , x ^m2 y ⁿ² ) e (y ⁿ¹ , x ^m2 y ⁿ² )
= E (x ^m1 , x ^m2 ) e (x ^m1 , y ⁿ² ) e (y ⁿ¹ , x ^m2 ) e (y ⁿ¹ , y ⁿ² )
= E (x, x) ^m1m2 e (x, y) ^m1n2 e (y, x) ^n1m2 e (y, y) ⁿ¹ⁿ² . In particular, when e (x, y) = e (y, x) = 1 when x∈X, y∈Y and X ≠ Y (when x and y belong to different groups), e (x ^m1 y ⁿ¹ , x ^m2 y ⁿ² ) = e (x, x) ^m1m2 e (y, y) ⁿ¹ⁿ² . When the number of variables further increases, when the above relation is repeatedly applied, the relational expression of Expression 7 is obtained. In addition, in the relationship of e (xy, z) = e (x, z) e (y, z), when the above relationship is arranged by a logarithm such as a variable and e (xy, z), the above relationship becomes two. It is shown to be a linear mapping (bilinear mapping) to a variable.

Next, the search unit 312 extracts ID ₂ (corresponding to the original gq ^x2 gp ^sp2 gr ^u2 ) from the encryption index 701 and TD ₂ (corresponding to the original gq ^z2 gp ^v2 gr ^tr2 ) from the encryption token 336, and similarly A bilinear map is calculated and U ₂ is created. This procedure is performed for ID ₁ , ID ₂ ,... D _{n + 2} of the encryption index 701 and Uk = e (IDk, TD _n , TD _{n + 1} , TD _{n + 2} of the encryption token 336 and TD ₁ , TD ₂ ,. TDk) (k = 1 to n, n + 1, n + 2) is performed, and intermediate data U ₁ , U ₂ ,..., U _n , U _{n + 1} , U _{n + 2} are created. (S1204)
Next, the management server 300 calculates a product of the intermediate data U1, U2,... Un, Un + 1, Un + 2, and sets this as search result data v (S1205). Thereafter, Un + 1 and Un + 2 are used to exclude random number information composed of elements of the group Gp and elements of the group Gr in the bilinear maps U1, U2,. Since there are two types of search data (ID _{n + 1} , ID _{n + 2} , TD _{n + 1} , TD _{n + 2} ) in the encryption index 701 and the encryption token 336, the data Un + 1 and Un + 2 for eliminating these random number information can be created.
(Equation 8) v = U ₁ U ₂ ... U _{n + 2}
= E (gp, gp) ^sp1v1 e (gq, gq) ^x1z1 e (gr, gr) ^u1tr1
e (gp, gp) ^sp2v2 e (gq, gq) ^x2z2 e (gr, gr) ^u2tr2
...
...
e (gp, gp) ^spnvn e (gq, gq) ^xnzn e (gr, gr) ^untrn
e (gp, gp) ^−sΣvkpk e (gr, gr) ^−tΣukrk
= E (gp, gp) ^sΣpkkk e (gr, gr) ^tΣukrk
e (gq, gq) ^{(x1z1 + x2z2 + ... + xnzn)}
e (gp, gp) ^−sΣpkkk e (gr, gr) ^−tΣukrk
= E (gq, gq) ^{(x1z1 + x2z2 + ... + xnzn)}
The third equation on the right side of Equation 8 is schematically expressed as (index disturbance factor), (token disturbance factor), (inner product of index vector and token vector orthogonal vector), (index disturbance) (Deletion factor) ・ (token disturbance deletion factor) It is expressed as a product of multiple factors, and each disturbance factor of index and token and its deletion factor are offset (index vector and token vector Only the inner product with the orthogonal vector) remains, and the fourth equation on the right side of Equation 8 is obtained.

Here, x1z1 +... + Xnzn = kq (k is an arbitrary integer)
Is established, the unit element 1 on the group GN is obtained from the following equation (9).
(Equation 9) v = e (gq, gq) ⁰ = 1
Further, when x1z1 +... + Xnzn = kq (k is an arbitrary integer) is not established, Expression 9 cannot be established. Therefore, if the plaintext index 132 and the plaintext token 233 are equal, the encoded index vector is equal to the token vector, and further, the formula 9 is established by the index vector and the orthogonal vector. it can.

  The search unit 312 outputs the search result data v to the overall processing unit 311 (S1206).

  If the value of the search result data v is 1, the overall processing unit 311 loads the address associated with the encrypted index 701 from the storage unit 320 (S1207).

  The overall processing unit 311 loads the corresponding encrypted data 712 from the loaded address, and stores it in the storage unit 320 as a part of the search result (S1208).

  Through the above processing (S1201 to S1208), the management server 300 can find the encryption index 701 associated with the encryption token 336 based on the public parameters stored in the storage unit 320, and can relate to the encryption index 701. A search result including the encrypted data 712 can be created.

Note that the above processing procedure is not fixed, and the processing procedure and processing content may be changed and executed. For example, the management server 300 may collectively perform the process of creating the intermediate data U ₁ ,..., U _{n + 2} (S1204). Further, for each search of a plurality of encrypted indexes 701, search result data v may be created (S1205) and output (S1206). In S1204 and S1205, the case of an exact match search in which all subscript numbers of TD exist from 1 to n + 2 was introduced. Similarly, for example, when 1 to (n−1), n + 1, and n + 2 are stored, U ₁ U ₂ ... U _n−1 U _{n + 1} U _{n + 2} may be used as the search result v. If No. 1, No. 3, No. 5, No. n + 1 and No. n + 2 are stored, a partial match search can be performed if U ₁ U ₃ U ₅ U _{n + 1} U _{n + 2} is used as the search result v.

  In the above processing, a bilinear map e (e: GN × GN → GN ′) that takes two elements on GN as input and projects to another element on GN ′ is used. A linear map e ′ (e ′: GN1 × GN2 → GN3, where GN1, GN2, and GN3 have different orders) can be similarly realized.

  In the above processing, a group related to multiplication is used, but other groups such as an additive group on an elliptic curve can be similarly realized.

(Embodiment 2)
Unlike the first embodiment of the present invention, in the second embodiment, the search processing system includes a registration agent 100 and a management server 300. The registration agent 100 and the management server 300 are designed to be able to send and receive information to and from each other via the network 400.

  The registration agent 100 according to the present embodiment functions as a transmission / reception device that transmits data and a search index (hereinafter referred to as an index) to the management server 300 and receives a reception result from the management server 300. Also, the registration agent 100 functions as a transmission / reception device that transmits a search processing entrustment token to the management server 300 and receives the search result from the management server 300. The management server 300 stores and receives data. It functions as a transmission / reception device that searches for data using a token.

  At this time, the function of the management server 300 is the same as that of the first embodiment. Further, the function of the registration agent 100 includes the function of the search agent 200 in addition to the function of the registration agent 100 shown in the first embodiment. That is, for the registration agent 100 shown in the first embodiment, the token encryption unit 213 is further stored in the control unit 110, the plaintext token 233 and the encryption token 236 are stored in the storage unit 120, and the program storage unit 160 is further stored in the program storage unit 160. A program related to the search process using the encryption token 236 is stored.

  The processing contents of the management server 300 in the second embodiment are the same as those in the first embodiment, and a description thereof will be omitted. The processing contents of the registration agent 100 in the second embodiment also serve as the processing contents of the registration agent 100 and the search agent 200 in the first embodiment, and will not be described in the same manner.

100: registration agent, 200: search agent, 300: management server 400: network, 500: computer, 101, 201, 301: input unit, 102, 202, 302: output unit, 103, 203, 303: communication unit, 110 210, 310: Control unit, 111, 211, 311: Overall processing unit, 112: Key setting unit, 113: Index encryption unit, 115, 215: Encoding unit, 116, 216: Random number generation unit, 117 Data encryption , 213: token encryption unit, 218: data decryption unit, 312: search unit, 120, 220, 320: storage unit,
130, 230, 330: Data storage unit, 131, 231: Plain text data, 132: Plain text index, 134, 234: Encrypted data, 135: Encryption index, 137, 237, 337: Parameter, 233: Plain text token, 236 336: Encryption token, 331: Encryption data table, 332: Encryption index table, 150, 250: Key storage unit, 151, 251: Private key, 160, 260, 360: Program storage unit, 180, 280, 380: Temporary information storage unit, 501: CPU (Central Processing Unit), 502: Memory, 503: External storage device, 508: Storage medium, 507: Reading device, 506: Input device, 505: Output device, 504: Communication device 509: Internal communication line 700: Index table 701: Encryption Index, 702: address value, 710: data table, 711: address, 712: encrypted data

Claims (14)

A search processing system in which a management server that stores a registration processing program and a search processing program in a storage unit, a registration agent that stores a registration request program in the storage unit, and a search agent that stores a search request program in the storage unit cooperate via a network Because
The registration agent generates three prime numbers (p, q, r), constructs a public parameter N (= pqr) from these products, and stores a group element with q as an order as a secret key And a data storage unit for storing, as public parameters, elements of a group whose order is p and q,
The registration agent converts the plaintext index for search into an encrypted index for search using the secret key and the public parameter, and registers the encrypted index in the storage unit of the management server.
The search agent converts the plaintext token for search into an encryption token for search using the secret key and the public parameter, and transmits the encryption token to the storage unit of the management server via the network.
The management server uses search result data obtained by bilinearly mapping the encryption token and the encryption index to determine whether the received encryption token corresponds to the encryption index stored in the storage unit. Judging,
A search processing system characterized by The search processing system according to claim 1,
The encrypted index is composed of encrypted plaintext index information and data for excluding two random number information,
The encryption token is composed of encrypted plaintext token information and data for excluding two random number information,
The management server uses the data for eliminating the random number information held by the encryption index and the encryption token, and determines whether or not the encrypted plaintext index information and the encrypted plaintext token information are collated. Extracting information indicating, and determining whether the encryption token corresponds to the index;
A search processing system characterized by The search processing system according to claim 2,
The conversion from the plaintext index to the encrypted index is performed by embedding information about the plaintext index in the original index of the group Gq, and further, the elements of the group Gp and the elements of the group Gr stored in the storage unit of the search agent as public parameters. Is multiplied by the group Gq,
A search processing system characterized by this. The search processing system according to claim 3,
The conversion from the plaintext token to the encryption token is performed by embedding data information of the plaintext token in the original index of the bilinear group Gq, and further, the element of the bilinear group Gp stored in the storage unit of the search agent as a public parameter. And the elements of the bilinear group Gr are multiplied by the elements of the bilinear group Gq,
A search processing system characterized by this. The search processing system according to claim 4,
The search agent creates an orthogonal vector orthogonal to a token vector corresponding to the plaintext token, and creates an inner product with an index vector corresponding to the plaintext index;
A search processing system characterized by this. The search processing system according to claim 5, wherein
The registration agent includes an index encryption unit that converts a plaintext index into the encrypted index for partial match search,
The search agent converts the plaintext token in which a wild card is input into the encryption token obtained by thinning a part corresponding to the wild card,
The registration server stores the encryption index in a storage unit of a management server, and determines whether the encryption token corresponds to the stored encryption index;
A search processing system characterized by this. The search processing system according to claim 6,
The registration server requests registration of the encrypted data in the storage unit of the management server;
The management server stores the encrypted data in the storage unit of the management server,
The encrypted index is stored in the storage unit in a state associated with the stored address value of the encrypted data;
A search processing system characterized by The search processing system according to claim 7, wherein
The management server determines whether or not the encryption token corresponds to the index, and if it is determined to be applicable, the encrypted data stored in an address value associated with the encryption index From the storage unit, and making the encrypted data a part of the search result,
A search processing system characterized by The search processing system according to claim 8, wherein
The search agent decrypts the search result received from the management server and extracts the encrypted data;
A search processing system characterized by A partial match search method in a search processing system in which a registration agent for registering data, a search agent for searching for data, and a management server for managing data are connected via a network,
The registered agent is:
The integer N which is a public parameter input by a user who registers desired data and an index related to the data in the management server is primed to obtain three prime numbers,
Using the prime number, the data and index to be registered in the management server are encrypted,
Sending the encrypted data and index to the management server;
The management server
Storing the encrypted data and the index in association with each other in a storage unit;
The search agent is
Receives a search token consisting of a substring entered by the user of the data search,
Using the three prime numbers generated from the public parameters, a token is encrypted and sent to the management server,
The management server
A search is performed by performing a match between the encrypted token received from the search agent and the encrypted index using a bilinear map;
If the verification is successful, search the encrypted data associated with the encrypted index, and send the searched encrypted data to the search agent;
The search agent is
The encrypted data received from the management server is decrypted using the three prime numbers generated from the public parameters, and a plaintext search result is output and presented to a user of the data search.
A partial match search method characterized by the above.   11. The partial match search method according to claim 10, wherein when a plain card of the search token includes a wild card, the encryption token is generated by thinning out a part corresponding to the wild card. In the partial match search method,
Factoring the public parameters to obtain first, second and third prime numbers;
Generating a first factor for encrypting the index by a first group generated based on the first prime number;
Generating a first information as a source of the encrypted index by a second group generated based on the second prime number;
Generating a second information as a source of the encryption token by a vector orthogonal to a token vector obtained by vectorizing the token character string and the second group;
Generating a second factor for encrypting the token by a third group generated based on the third prime number;
The partial match search method according to claim 10. The partial match search method further includes:
Generating the encrypted index by encrypting the plaintext index using the first factor, the first information, and the first disturbance factor generated in relation to the second factor;
Using the second information, the second factor, and a second perturbation factor generated in relation to the first factor to generate the encrypted token that is the encrypted plaintext token;
For the index and the token, generate a decryption factor for decrypting each encryption,
The partial match search method according to claim 12, wherein: The partial match search method further includes:
Search result data for determining whether or not the verification of the encryption index and the encryption token is successful using the generated encryption index, the encryption token, and the respective decryption factors. Generate
The partial match search method according to claim 13.

Images