JP2013161154A - Retrieval system, retrieval method and retrieval program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect not only deletion, addition and alteration for files but also replacement of the files as illegality in a server.SOLUTION: In a user terminal of a retrieval system which stores a plurality of files in a server and acquires a set of desired files from the server by keyword retrieval, a verification information generation unit generates verification information according to a prescribed generation algorithm for a pair for generation composed of a keyword and all files including the keyword, and stores the generated verification information in the server. The user terminal transmits a retrieval keyword to the server and acquires a set of files including the retrieval keyword and the verification information corresponding to the retrieval keyword from the server. A verification unit checks whether or not the acquired verification information is verification information for a pair for verification composed of the retrieval keyword and the acquired set of files, using a prescribed verification algorithm, approves if the check result is correct, and refuses if not.

Description

  The present invention relates to a search system, a search method, and a search program, and more particularly, to a search system, a search method, and a search program that can detect server fraud in keyword search.

  As is well known in this technical field, in data storage (data storage) services such as Yahoo! Data Box, user terminals store and store many files such as photos on a server (such as Yahoo! Data Box). can do. The user terminal can also perform a keyword search for the file name and acquire a desired set of files from the server. The user terminal is also called a client.

  On the other hand, Non-Patent Document 1 discloses an encrypted search method that conceals content from a server when searching for files and keywords. This encrypted search method is a method for encrypting files and keywords.

  On the other hand, a malicious server or a virus-contaminated server does not return all the corresponding files correctly when searching for keywords, but deletes, adds, alters, or replaces some of the files. It is possible to cheat.

  In response to this problem, Non-Patent Document 1 discloses a search system in which a user terminal can detect file deletion, addition, and alteration. Hereinafter, the search system disclosed in Non-Patent Document 1 will be referred to as a “preceding search system”.

  In general, the operation of the search system is divided into a “storage phase” in which the user terminal stores a file in the server and a “search phase” in which the user terminal searches for a desired file from the server.

  The general operation of the advance search system will be described below.

  In the storage phase, the user terminal sets a set (E (Dn), sign (E (Dn))) of the ciphertext E (Dn) of each file Dn and the digital signature sign (E (Dn)) of the ciphertext. Is stored in the server. Here, n is an integer of 1 to N (1 ≦ n ≦ N), and N is the total number of files. The user terminal also stores the digital signature Yi of the number of files including each keyword i in the server. Here, i is an integer between 1 and I (1 ≦ i ≦ I), and I is the total number of keywords.

  In the search phase, the user terminal sends the ciphertext E (keyword i) of the keyword i to the server. At that time, the server returns each set (E (Dn), sign (E (Dn))) including the keyword i and the corresponding digital signature Yi to the user terminal. The user terminal can detect falsification of the file Dn by checking each returned digital signature sign (E (Dn)). Further, the user terminal can detect a change in the number of files including the keyword i by checking the returned digital signature Yi.

Y.Chang and M. Mitzenmacher, “Privacy Preserving Keyword Searches on Remote Encrypted Data”, ACNS 2005: pp. 442-455 (2005)

  However, the prior search system disclosed in Non-Patent Document 1 cannot detect file replacement as a server fraud. The reason is as follows.

  For example, it is assumed that the file Dn is replaced with another file Dm (n ≠ m). In this case, in response to the ciphertext E (keyword i) of the keyword i, the server sends one of each pair (E (Dn), sign (E (Dn))) to the user terminal to another pair. It will be returned to (E (Dm), sign (E (Dm))). Since the user terminal only checks the digital signature sign (E (Dn)) or sign (E (Dm)) as described above, it cannot be determined that the file Dn has been replaced with another file Dm. . In addition, the digital signature Yi is returned to the user terminal, but in the case of replacement, the number of files does not change, so it is determined to be correct. Therefore, file replacement cannot be automatically detected.

  In Non-Patent Document 1, it is described (asserted) that the user himself / herself can check file replacement by checking whether the file Dm includes the keyword i by hand. However, when the files Dn and Dm are photographs or the like, it is impossible to perform such a check.

  Accordingly, an object of the present invention is to provide a search system, a search method, and a search program capable of detecting not only file deletion, addition, and alteration but also file replacement as a server fraud.

  A search system according to a first aspect of the present invention is a search system in which a user terminal stores a plurality of files in a server, and the user terminal acquires a set of desired files from the server by keyword search. Generating verification information according to a predetermined generation algorithm for a file storage means for storing a plurality of files in a server and a generation set of a keyword and a set of all files including the keyword, and generating the verification information A verification information generation unit to be stored in the server, a file acquisition means for transmitting a search keyword to the server, and acquiring a set of files including the search keyword and verification information corresponding to the search keyword from the server, and the acquired verification information , Whether or not the verification information of the verification pair between the search keyword and the set of acquired files is predetermined Checked by verification algorithm, to obtain a set of files acquired approved is correct a check result as a set of desired file, and a reject verification unit otherwise.

  A search system according to a second aspect of the present invention is a search system in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a set of desired files from the server by keyword search. A cryptographic file storage means for encrypting a plurality of files using an encryption private key and storing the plurality of encrypted files on a server, and a generation set of a keyword and a set of all encrypted files including the keyword On the other hand, a verification information generation unit that generates verification information according to a predetermined generation algorithm, stores the generated verification information in the server, and an encrypted search keyword obtained by encrypting the search keyword using the encryption secret key To the set of encrypted files containing the encrypted search keyword and the search corresponding to the searched keyword. The encryption file acquisition means for acquiring information, and whether the acquired verification information is verification information of a verification pair between the search keyword and the acquired set of encrypted files is checked by a predetermined verification algorithm. A verification unit that decrypts a set of encrypted files that are approved and acquired if the result is correct, obtains a desired set of files, and rejects otherwise.

  In the present invention, verification information is generated according to a predetermined algorithm for a generation set of a keyword and a set of all files (encrypted files) including the keyword, and the generated verification information is stored in the server. It is possible to detect not only file deletion, addition, and alteration as well as file replacement as a server fraud.

It is a schematic block diagram for demonstrating operation | movement of the storage phase of the search system which concerns on the 1st Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the search phase of the search system which concerns on the 1st Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the storage phase of the search system which concerns on the 2nd Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the search phase of the search system which concerns on the 2nd Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the storage phase of the search system which concerns on the 3rd Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the search phase of the search system which concerns on the 3rd Embodiment of this invention. It is a schematic block diagram for demonstrating the operation | movement of the storage phase of the search system which concerns on the 4th Embodiment of this invention. It is a schematic block diagram for demonstrating operation | movement of the search phase of the search system which concerns on the 4th Embodiment of this invention. It is a block diagram which shows the structure of the search system which concerns on 1st Example of this invention. It is a figure which shows one specific example of the index used for the search system shown in FIG. It is a flowchart for demonstrating operation | movement of the verification information generation part of a client used for the search system shown in FIG. It is a figure which shows an example of an operation | movement of the verification information generation part shown in FIG. It is a flowchart for demonstrating operation | movement of the verification part of a client used for the search system shown in FIG. It is a figure which shows an example of operation | movement of the verification part shown in FIG. It is a block diagram which shows the structure of the search system which concerns on 2nd Example of this invention. FIG. 16 is a diagram illustrating a specific example of an index used in the search system illustrated in FIG. 15. It is a flowchart for demonstrating operation | movement of the verification information production | generation part of a client used for the search system shown in FIG. It is a figure which shows an example of an operation | movement of the verification information generation part shown in FIG. It is a flowchart for demonstrating operation | movement of the verification part of a client used for the search system shown in FIG. It is a figure which shows an example of an operation | movement of the verification part shown in FIG.

[Overview]
Hereinafter, an outline of an embodiment of the present invention will be described.

  The search system according to the embodiment of the present invention is a system that detects server fraud in keyword search. However, as server fraud, not only “deletion”, “addition”, and “tampering” of files but also “replacement” of files. It is a search system that can detect "

  The search system according to the present embodiment can be applied to both a case where a file is encrypted and a case where a file is not encrypted. As is well known in this technical field, the message authentication function includes a case where a digital signature is used and a case where an authenticator is generated using a message authentication code (Message Authentication Code, MAC). The digital signature and the authenticator are collectively referred to as verification information. Therefore, the search system according to this embodiment is divided into the following first to fourth embodiments.

  In general, the verification information is generated by a predetermined generation algorithm and verified (checked) by the predetermined verification algorithm. When the verification information is a digital signature, the predetermined generation algorithm is a signature generation algorithm, and the predetermined verification algorithm is a signature verification algorithm. On the other hand, when the verification information is an authenticator, the predetermined generation algorithm is a MAC generation algorithm, and the predetermined verification algorithm is a MAC verification algorithm.

  The search system according to the first embodiment of the present invention is a search system that uses a digital signature as a message authentication function (verification information) when a user terminal stores a file in a server without encryption. is there.

  When such a user terminal stores a file in the server without encrypting it, conventionally, a method for detecting fraud of the server is not known. In such a case, the search system according to the first embodiment can detect server fraud as described later.

  The search system according to the second embodiment of the present invention is a case where a user terminal stores a file in a server without encrypting the file, and uses a MAC (authenticator) as a message authentication function (verification information). Search system.

  As is well known in the art, unlike digital signatures, MACs are not capable of trial evidence. Instead, MAC has the advantage of being faster than digital signatures.

  The search system according to the third embodiment of the present invention is a search system in which a user terminal encrypts a file and a keyword and stores them in a server, and uses a digital signature as a message authentication function (verification information). is there.

  As described above, in the preceding search system, the user terminal can detect only the deletion, addition, and alteration of the file as the server fraud. In contrast, in the search system according to the third embodiment, in addition to them, file replacement can also be detected. Further, the search system according to the third embodiment has a smaller communication volume than the preceding search system.

  The search system according to the fourth embodiment of the present invention is a case where a user terminal encrypts a file and a keyword and stores them in a server, and uses a MAC (authenticator) as a message authentication function (verification information). Search system.

  As described above, the search system operates in a “storage phase” in which the user terminal stores a file (encrypted file) in the server and a “search phase” in which the user terminal searches for a desired file from the server. Divided.

  Hereinafter, a search system according to first to fourth embodiments of the present invention will be described with reference to the drawings.

[First Embodiment]
A search system 100 according to the first embodiment of the present invention will be described with reference to FIGS. 1 and 2. The search system 100 according to the illustrated first embodiment includes a user terminal 200 and a server 300.

  The search system 100 is a system in which the user terminal 200 stores a plurality of files in the server 300 and the user terminal 200 acquires a desired set of files from the server 300 by keyword search.

  First, the storage phase in the search system 100 according to the first embodiment of the present invention will be described with reference to FIG.

  In the storage phase, the user terminal 200 performs the following operation.

  First, the user terminal 200 stores files 1,..., File N, which are N (N is an integer equal to or greater than 1) files, in the server 300. Further, as necessary, the user terminal 200 generates an index and stores the generated index in the server 300. Here, the index refers to a correspondence table between keywords and files.

  The user terminal 200 generates a digital signature public key vk and a secret key sk according to a key generation algorithm. Here, the user terminal 200 publishes the public key vk and holds the secret key sk secretly. The public key vk is also called a verification key or a check key, and the secret key sk is also called a signature key or a generation key.

Next, the user terminal 200 performs the following operation for each keyword. Here, it is assumed that the total number of keywords is I (I is an integer equal to or greater than 1), and that the keywords 1,. A set P _i of files including the keyword i (1 ≦ i ≦ I) is set as follows.
P _i = {file j | file j contains keyword i}

The user terminal 200 uses the secret key sk to set the digital signature σ _i for the generation set (keyword i, P _i ) of the keyword i and the set P _i of all files including the keyword i according to the signature generation algorithm: Generate as in the formula.
σ _i = sign {keyword i, P _i }

Then, the user terminal 200 stores the generated digital signature σ _i in the server 300.

  Next, a search phase in the search system 100 according to the first embodiment of the present invention will be described with reference to FIG.

  Assume that the user of the user terminal 200 wants to search for the keyword i in the search phase. Therefore, the keyword i is the search keyword i.

In this case, the user terminal 200 sends the search keyword i to the server 300. FIG. 2 shows an example in which the keyword 1 is sent to the server 300 as a search keyword. In this example, a set P _{1 of} files including the keyword 1 is assumed to be the following mathematical formula.
P ₁ = {file 2, file 5}

Therefore, the digital signature σ ₁ is expressed by the following mathematical formula.
σ ₁ = sign (keyword 1, file 2, file 5)

The server 300 returns a set P _{i of} files including the search keyword i and a digital signature σ _i corresponding to the search keyword i to the user terminal 200. Therefore, the user terminal 200 acquires a set of files P _i and a digital signature σ _i .

Next, the user terminal 200 uses the public key vk, and whether the acquired digital signature σ _i is a digital signature of a verification set (keyword i, P _i ) between the search keyword i and the acquired set of files P _i . Whether or not is checked according to the signature generation algorithm. The user terminal 200, is correct a check result obtained by approved (the accept), the set P _i of the acquired file as a set of desired file, refuse otherwise (reject).

As described above, in the first embodiment of the present invention, the user terminal 200 sets each keyword i and the set P _i of all files including the keyword i as one set (generation set), and the digital signature σ corresponding thereto. _{Since i} is generated and the generated digital signature σ _i is stored in the server 300, it is possible to detect not only the deletion, addition, and alteration of the file but also the replacement of the file as a fraud of the server 300 during the search. .

[Second Embodiment]
With reference to FIG. 3 and FIG. 4, a search system 100A according to a second embodiment of the present invention will be described. A search system 100A according to the illustrated second embodiment includes a user terminal 200A and a server 300A.

  The search system 100A is a system in which the user terminal 200A stores a plurality of files in the server 300A, and the user terminal 200A acquires a desired set of files from the server 300A by keyword search.

  First, the storage phase in the search system 100A according to the second embodiment of the present invention will be described with reference to FIG.

  In the storage phase, the user terminal 200A performs the following operation.

  First, the user terminal 200A stores files 1,..., File N, which are N (N is an integer of 1 or more) files, in the server 300A. Further, as necessary, the user terminal 200A generates an index and stores the generated index in the server 300A. Here, the index refers to a correspondence table between keywords and files.

  The user terminal 200A generates a MAC secret key K and keeps the secret key K secret.

Next, the user terminal 200A performs the following operation for each keyword. Here, it is assumed that the total number of keywords is I (I is an integer equal to or greater than 1), and that the keywords 1,. A set P _i of files including the keyword i (1 ≦ i ≦ I) is set as follows.
P _i = {file j | file j contains keyword i}

The user terminal 200A uses the MAC secret key K to generate an authenticator Tag _i for the generation set (keywords i, P _i ) of the keyword i and a set P _i of all files including the keyword i, using the MAC generation algorithm According to the following formula.
Tag _i = sign {keyword i, P _i }

Then, the user terminal 200A stores the generated authenticator Tag _i in the server 300A.

  Next, with reference to FIG. 4, the search phase in the search system 100A according to the second embodiment of the present invention will be described.

  Assume that the user of the user terminal 200A wants to search for the keyword i in the search phase. Therefore, the keyword i is the search keyword i.

In this case, the user terminal 200A sends the search keyword i to the server 300. FIG. 4 shows an example in which the user terminal 200A sends the keyword 1 as a search keyword to the server 300A. In this example, it is assumed that a set P _{1 of} files including the keyword 1 is the following mathematical formula.
P ₁ = {file 2, file 5}

Therefore, the authenticator Tag ₁ is expressed by the following mathematical formula.
Tag ₁ = sign (keyword 1, file 2, file 5)

The server 300A returns a set P _{i of} files including the search keyword i and an authenticator Tag _i corresponding to the search keyword i to the user terminal 200A. Therefore, the user terminal 200A obtains a set of files P _i and an authenticator Tag _i .

Whether the user terminal 200A uses the MAC secret key K and the acquired authenticator Tag _i is an authenticator of a verification pair (keywords i and P _i ) between the search keyword i and the acquired set of files P _i Whether or not is checked according to the MAC verification algorithm. If the check result is correct, the user terminal 200A accepts (accept), obtains the acquired file set _Pi as a desired file set, and otherwise rejects (reject).

Thus, in the second embodiment of the present invention, the user terminal 200A sets each keyword i and a set P _i of all files including the keyword i as one set (generation set), and an authenticator Tag for the set. _{Since i} is generated and the generated authenticator Tag _i is stored in the server 300A, not only the deletion, addition, and alteration of the file but also the replacement of the file can be detected as a fraud of the server 300A. it can.

[Third Embodiment]
With reference to FIGS. 5 and 6, a search system 100B according to a third embodiment of the present invention will be described. A search system 100B according to the illustrated third embodiment includes a user terminal 200B and a server 300B.

  The search system 100B is a system in which the user terminal 200B stores a plurality of encrypted files in the server 300B, and the user terminal 200B acquires a desired set of files from the server 300B by keyword search.

  First, the storage phase in the search system 100B according to the third embodiment of the present invention will be described with reference to FIG.

  In the storage phase, the user terminal 200B performs the following operation.

  First, the user terminal 200B generates an encryption secret key K, and keeps the secret key K secret.

  Next, the user terminal 200B uses the encryption secret key K, and N (N is an integer of 1 or more) files, file 1,..., Ciphertext E of file N (file 1), ..., E (file N) is calculated, and the ciphertext (encrypted file) is stored in the server 300B. Further, as necessary, the user terminal 200B generates an index, encrypts the generated index, and stores it in the server 300B. Here, the index refers to a correspondence table between keywords and files.

  Also, the user terminal 200B generates a digital signature public key (verification key) vk and a secret key (signature key) sk according to a key generation algorithm. Here, the user terminal 200B publishes the public key (verification key) vk and holds the secret key (signature key) sk secretly.

Next, the user terminal 200B performs the following operation for each keyword. Here, it is assumed that the total number of keywords is I (I is an integer equal to or greater than 2), and that the keywords 1,. A set Q _i of ciphertexts (encrypted files) of files including the keyword i (1 ≦ i ≦ I) is set as in the following equation.
Q _i = {E (file j) | file j contains keyword i}

The user terminal 200B uses the digital signature private key sk to sign the digital signature σ _i for the generation set (keyword i, Q _i ) of the keyword i and the set Q _i of all encrypted files including the keyword i. According to the generation algorithm, it is generated as in the following formula.
σ _i = sign {keyword i, Q _i }

Then, the user terminal 200B stores the generated digital signature σ _i in the server 300B.

Instead, the user terminal 200B uses the secret key sk of the digital signature and encrypts the keyword i using the encryption secret key K, and the encryption keyword E ′ (keyword i) and the encryption keyword E ′ ( A digital signature σ _i for a generation set (E ′ (keyword i), Q _i ) with a set Q _i of all encrypted files including the keyword i) is generated according to the signature generation algorithm as follows:
σ _i = sign {E ′ (keyword i), Q _i }
The generated digital signature σ _i may be stored in the server 300B.

  Next, with reference to FIG. 6, the search phase in the search system 100B according to the third embodiment of the present invention will be described.

  Assume that the user of the user terminal 200B wants to search for the keyword i in the search phase. Therefore, the keyword i is the search keyword i.

In this case, the user terminal 200B sends an encrypted search keyword E ′ (keyword i) obtained by encrypting the search keyword i using the encryption secret key K to the server 300B. FIG. 6 shows an example in which an encrypted search keyword E ′ (keyword 1), which is a ciphertext of keyword 1, is sent to the server 300B as a search keyword. In this example, it is assumed that a set Q ₁ of ciphertexts (encrypted files) of files including the keyword 1 is the following mathematical formula.
Q ₁ = {E (file 2), E (file 5)}

Therefore, the digital signature σ ₁ is expressed by the following mathematical formula.
σ ₁ = sign (keyword 1, E (file 2), E (file 5))

Alternatively, the digital signature σ ₁ is expressed by the following mathematical formula.
σ ₁ = sign (E ′ (keyword 1), E (file 2), E (file 5))

The server 300B returns a ciphertext (encrypted file) set Q _{i of} files including the keyword i and its digital signature σ _i to the user terminal 200B. Therefore, the user terminal 200B acquires the set Q _{i of} encrypted files and the digital signature σ _i thereof.

The user terminal 200B uses the public key vk of the digital signature, and the acquired digital signature σ _i is a digital signature of a verification pair (keyword i, Q _i ) between the search keyword i and the acquired set of encrypted files Q _i. Check if it exists, according to the signature verification algorithm.

Alternatively, the user terminal 200B uses the public key vk of the digital signature, and the acquired digital signature σ _i is a verification pair (E for the encryption search keyword (E ′ (keyword i)) and the acquired set of encrypted files Q _i (E It is checked according to the signature verification algorithm whether or not it is a digital signature of '(keyword i), Q _i ).

If the check result is correct, the user terminal 200B accepts (accept), decrypts the acquired set Q _{i of} encrypted files to obtain a desired set of files P _i , otherwise rejects (reject) .

Thus, in the third embodiment of the present invention, the user terminal 200B sets each keyword i (or encryption keyword) and a set Q of ciphertexts (encryption files) of all files including the keyword i (or encryption keyword). _i is set as a set (generation set), and a digital signature σ _i is generated for the set and the generated digital signature σ _i is stored in the server 300B. It can detect not only additions and alterations, but also file replacements.

[Fourth Embodiment]
With reference to FIG. 7 and FIG. 8, a search system 100C according to a fourth embodiment of the present invention will be described. The search system 100C according to the fourth embodiment shown in the figure is configured by a user terminal 200C and a server 300C.

  The search system 100C is a system in which the user terminal 200C stores a plurality of encrypted files in the server 300C, and the user terminal 200C acquires a desired set of files from the server 300C by keyword search.

  First, the storage phase in the search system 100C according to the fourth embodiment of the present invention will be described with reference to FIG.

  In the storage phase, the user terminal 200C performs the following operation.

  First, the user terminal 200C generates an encryption secret key K0 and a MAC secret key K1, and keeps both secret.

  Next, the user terminal 200C uses the encryption key K0 for encryption, and the encrypted text (encrypted file) E (file 1) of the files 1,... Files 1),..., E (file N) are stored in the server 300C. Further, as necessary, the user terminal 200C generates an index, encrypts the generated index, and stores it in the server 300C. Here, the index refers to a correspondence table between keywords and files.

Next, the user terminal 200C performs the following operation for each keyword. Here, it is assumed that the total number of keywords is I (I is an integer equal to or greater than 1), and that the keywords 1,. A set Q _i of ciphertexts (encrypted files) of a file including the keyword i (1 ≦ i ≦ I) is set as in the following equation.
Q _i = {E (file j) | file j contains keyword i}

The user terminal 200C uses the MAC secret key K1 to generate an authenticator Tag _i for the generation set (keyword i, Q _i ) of the keyword i and a set Q _i of all the encrypted files including the keyword i by MAC generation. According to the algorithm, the following formula is generated.
Tag _i = sign {keyword i, Q _i }

Then, the user terminal 200C stores the generated authenticator Tag _i in the server 300C.

Instead, the user terminal 200C uses the MAC secret key K1 and the encryption keyword E ′ (keyword i) obtained by encrypting the keyword i using the encryption key K0 and the encryption keyword E ′ (keyword). i) An authenticator Tag _i for a generation set (E ′ (keyword i), Q _i ) with a set Q _i of all encrypted files including i) is generated according to the MAC generation algorithm as shown in the following equation:
Tag _i = sign {E ′ (keyword i), Q _i }
The generated authenticator Tag _i may be stored in the server 300C.

  Next, a search phase in the search system 100C according to the fourth embodiment of the present invention will be described with reference to FIG.

  Assume that the user of the user terminal 200C wants to search for the keyword i in the search phase. Therefore, the keyword i is the search keyword i.

In this case, the user terminal 200C sends an encrypted search keyword E ′ (keyword i) obtained by encrypting the search keyword i using the encryption secret key K0 to the server 300C. FIG. 8 shows an example in which an encryption search keyword E ′ (keyword 1), which is a ciphertext of keyword 1, is sent to the server 300A as a search keyword. In this example, it is assumed that a set Q ₁ of ciphertexts (encrypted files) of files including the keyword 1 is the following mathematical formula.
Q ₁ = {E (file 2), E (file 5)}

Therefore, the authenticator Tag ₁ is expressed by the following mathematical formula.
Tag ₁ =
sign (keyword 1, E (file 2), E (file 5))

Alternatively, the authenticator Tag ₁ is represented by the following mathematical formula.
Tag ₁ =
sign (E '(keyword 1), E (file 2), E (file 5))

The server 300C returns a ciphertext (encrypted file) set Q _{i of} files including the search keyword i and its authenticator Tag _i to the user terminal 200C. Therefore, the user terminal 200C acquires the set Q _{i of} encrypted files and the authenticator Tag _i .

The user terminal 200C uses the MAC secret key K1, and the acquired authenticator Tag _i is an authenticator of a verification set (keyword i, Q _i ) between the search keyword i and the acquired set of encrypted files Q _i. Is checked according to the MAC verification algorithm.

Alternatively, the user terminal 200C uses the MAC secret key K1, and the acquired authenticator Tag _i is a verification set (E ′ () between the encrypted search keyword E ′ (keyword i) and the acquired set Q _{i of} encrypted files. It is checked according to the MAC verification algorithm whether it is an authenticator of the keywords i) and Q _i ).

If the check result is correct, the user terminal 200C accepts (accept), decrypts the acquired encrypted file set Q _i to obtain a desired file set P _i , otherwise rejects (reject). .

As described above, in the fourth embodiment of the present invention, the user terminal 200C has a set Q of ciphertexts (encrypted files) of all files including each keyword i (or encrypted keyword) and the keyword i (or encrypted keyword). _{Since i} is set as a set (generation set), an authenticator Tag _i is generated for the set, and the generated authenticator Tag _i is stored in the server 300C. It can detect not only additions and alterations, but also file replacements.

  With reference to FIG. 9, a search system 100D according to the first embodiment of the present invention will be described. The illustrated search system 100D is a verification system corresponding to the above-described search system according to the second embodiment (or the first embodiment) of the present invention. The search system 100D includes a client 200D and a server 300D. The client 200D is also called a user terminal.

  The illustrated search system 100D is a system in which a client (user terminal) 200D stores a plurality of files in a server 300D, and the client (user terminal) 200D acquires a desired set of files from the server 300D by keyword search.

  The client 200D includes a secret key generation unit 210, a secret key holding unit 220, a verification information generation unit 230, a verification unit 240, and first to third signal lines (transmission lines) 260, 270, and 280. It is configured. On the other hand, the server 300D includes a storage area 310 and a search unit 320.

  The secret key generation unit 210 generates a MAC secret key K. The secret key holding unit 220 holds the generated MAC secret key K.

  The client 200D transmits N files to the server 300D via the first signal line (transmission line) 260. The server 300D stores the sent N files in the storage area 310. Accordingly, the first signal line (transmission line) 260 functions as a file storage unit that stores N files in the server 300D.

  In addition, the client 200D generates an index, and transmits the generated index to the server 300D via the second signal line (transmission line) 270. The server 300D stores the sent index in the storage area 310. Therefore, the second signal line (transmission line) 270 functions as an index storage unit that stores the generated index in the server 300D.

  FIG. 10 shows a specific example of the index. As described above, the index is a correspondence table of keywords and file numbers (file numbers) corresponding to the keywords.

  In the illustrated example, “information engineering” is stored as a keyword in index number 1 and “1”, “6”, “8”, and “11” are stored as file numbers corresponding to the keyword. Yes. In index number 2, “Ibaraki University” is stored as a keyword, and “3”, “6”, and “10” are stored as file numbers corresponding to the keyword.

  The operation of the search information generation unit 230 of the client 200D will be described with reference to FIG.

The verification information generation unit 230 reads the MAC secret key K, the index, and the set of files {D1, D2,...} (Step S110). Then, verification information generating section 230 executes the following process for each keyword _{W i} (step S120). In this case, the file number that corresponds to the keyword _{W i (i1, i2, ...} ) to be. In this case, the search information generation unit 230 uses the MAC secret key K to calculate the authenticator Tag _i corresponding to the generation set (W _i , D _i1 , D _i2 ,...) According to the following equation.
Tag _i = f _K (W _i , D _i1 , D _i2 ,...)
Here, f is a MAC generation algorithm.

When the digital signature σ _i is used instead of the authenticator Tag _i as verification information, f is a signature generation algorithm, and the search information generation unit 230 uses the secret of the digital signature instead of the MAC secret key K. Using the key sk, the digital signature σ _i corresponding to the generation set (W _i , D _i1 , D _i2 ,...) _Is calculated by the following formula.
σ _i = f _sk (W _i , D _i1 , D _i2 ,...)

The search information generation unit 230 outputs verification information (Tag ₁ , Tag ₂ ,...) Obtained by calculation (step S130). The verification information (authentication code) is sent to the server 300D, and the server 300D stores the verification information (authentication code) in the storage area 310.

  Next, the operation of the verification information generation unit 230 will be described with a specific example with reference to FIG. Here, a case where the keyword is “Ibaraki University” with index number 2 will be described as an example.

In this case, the verification information generation unit 230 refers to the index and selects a set of corresponding files including the keyword “Ibaraki University”. In this case, the file number of the index number 2, "3", "6", since "10" is stored, the search information generating unit 230, as a set P ₂ of the file, the file D3, D6, And D10.

Then, the verification information generation unit 230 uses the MAC secret key K to indicate the verification information (authenticator) Tag ₂ for the generation set (Ibaraki University, D3, D6, D10) according to the MAC generation algorithm using the following formula. To be generated.
Tag ₂ = f _K (Ibaraki University, D3, D6, D10)

In this way, the verification information generating unit 230 generates verification information (authenticator) Tag _i for each keyword i. The generated verification information (authenticator) Tag _i is sent to the server 300D, and the server 300D stores the sent verification information (authenticator) Tag _i in the storage area 310.

When the verification information is the digital signature σ _i , the server 300D stores the digital signature σ _i in the storage area 310.

During the search, the client 200D sends the search keyword W to the server 300D via the third signal line (transmission line) 280. In the server 300D, in response to the search keyword W, the search unit 320 _obtains a set P _i = (D _i1 , D _i2 ,...) Including the search keyword W and verification information (authenticator) Tag. Return to client 200D. Therefore, the client 200D acquires a set of files P _i = (D _i1 , D _i2 ,...) And verification information (authenticator) Tag. That is, the second signal line (transmission line) 280 sends the search keyword W to the server 300D, and from the server 300D, a set of files P _i = (D _i1 , D _i2 ,...) Including the search keyword W and its It functions as a file acquisition means for acquiring verification information (authenticator) Tag.

  Next, the operation of the verification unit 240 of the client 200D will be described with reference to FIG.

The verification unit 240 reads the MAC secret key K held in the secret key holding unit 220 and the search keyword W (step S210). Next, the verification unit 240 reads the set of files P _i = (D _i1 , D _i2 ,...) And the verification information (authenticator) Tag sent from the server 300D (step S220).

The verification unit 240 uses the MAC secret key K to determine whether the verification information (authenticator) Tag is an authenticator of the verification pair (W, D _i1 , D _i2 ,...) According to the MAC verification algorithm. Calculation is performed as shown in the following equation (step S230).
Verify _K (W, D _i1 , D _i2 ,..., Tag) = accept or reject

The verification unit 240 outputs the acquired set of files P _i = (D _i1 , D _i2 ,...) As a desired set of files if accept (Yes in step S240) (step S250), and if reject (step S240). No) and reject are output (step S260).

If the verification information is a digital signature σ, the verification unit 240 uses the public key (verification key) vk of the digital signature, and the digital signature σ is a verification pair (W, D _i1 , D _i2 ,...). Whether or not it is an authenticator is calculated according to the signature verification algorithm as shown in the following equation.
Verify _vk (W, D _i1 , D _i2 ,..., Σ) = accept or reject

  Next, the operation of the verification unit 240 will be described with a specific example with reference to FIG. Here, a case where the search keyword W is “Ibaraki University” with index number 2 will be described as an example.

In this case, the verification unit 240 reads the MAC secret key K from the secret key holding unit 220, reads “Ibaraki University” as a search keyword, and sends a set of files P ₂ = (D3, D6) sent from the server 300D. D10) and verification information (authenticator) Tag ₂ are read.

Then, the verification unit 240 uses the MAC secret key K to determine whether the verification information (authenticator) Tag ₂ is an authenticator of the verification group (Ibaraki University, D3, D6, D10). According to the following formula.
Verify _K (Ibaraki University, D3, D6, D10, Tag ₂ ) = accept or reject

The verification unit 240 outputs the acquired file set P ₂ = (D3, D6, D10) as a set of desired files if accept, and outputs reject if reject.

  Next, effects of the first embodiment will be described.

The search system 100D of the first embodiment can detect not only file deletion, addition, and alteration but also file replacement as fraudulent server 300D. The reason is that the client (user terminal) 200D sets each keyword W _i and a set P _i = (D _i1 , D _i2 ,...) Including all the keywords W _i as one set (generation set). This is because the verification information Tag _i (or σ _i ) corresponding thereto is generated, and the generated verification information Tag _i (or σ _i ) is stored in the server 300D.

  A search system 100E according to a second example of the present invention will be described with reference to FIG. The illustrated search system 100E is a verification system corresponding to the above-described search system according to the fourth embodiment (or the third embodiment) of the present invention. The search system 100E includes a client 200E and a server 300E. The client 200E is also called a user terminal.

  The search system 100E is a system in which a client (user terminal) 200E stores a plurality of encrypted files in the server 300E, and the client (user terminal) 200E acquires a desired set of files from the server 300E by keyword search.

  The client 200E includes a secret key generation unit 210A, a secret key holding unit 220A, a verification information generation unit 230A, a verification unit 240A, and first to third encryption units 260A, 270A, and 280A. ing. On the other hand, the server 300E includes a storage area 310 and a search unit 320.

  The secret key generation unit 210A generates an encryption secret key K0 and a MAC secret key K1. The secret key holding unit 220 holds the generated encryption secret key K0 and MAC secret key K1.

  When the verification information is a digital signature, the secret key generation unit 210A generates an encryption secret key K, a digital signature public key vk, and a secret key sk.

  The first encryption unit 260A calculates an encrypted file {E (D1), E (D2),...} That is a ciphertext of N files using the encryption secret key K0. These encrypted files {E (D1), E (D2),...} Are sent to the server 300E, and the server 300E stores the sent encrypted files {E (D1), E (D2),. Store in area 310. Accordingly, the first encryption unit 260A functions as an encrypted file storage unit that encrypts a plurality of files using the encryption secret key K0 and stores the plurality of encrypted files in the server 300E.

  When the verification information is a digital signature, the first encryption unit 260A calculates ciphertexts (encrypted files) of N files using the encryption secret key K.

  In addition, the client 200E generates an index.

  FIG. 16 shows a specific example of the index. As described above, the index is a correspondence table of keywords and file numbers (file numbers) corresponding to the keywords.

  In the illustrated example, “information engineering” is stored as a keyword in index number 1 and “1”, “6”, “8”, and “11” are stored as file numbers corresponding to the keyword. Yes. In index number 2, “Ibaraki University” is stored as a keyword, and “3”, “6”, and “10” are stored as file numbers corresponding to the keyword.

  The second encryption unit 270A encrypts the generated index using the encryption secret key K0, and transmits the encryption index to the server 300E. The server 300E stores the sent cryptographic index in the storage area 310. Therefore, the second encryption unit 270A functions as an encryption index storage unit that encrypts the generated index and stores the encryption index in the server 300E.

  The operation of the verification information generation unit 230A of the client 200E will be described with reference to FIG.

The verification information generation unit 230A reads the MAC secret key K1, the index, and the set of encrypted files {E (D1), E (D2),...}} (Step S110A). Then, verification information generating section 230A performs the following process for each keyword _{W i} (step S120A). In this case, the file number that corresponds to the keyword _{W i (i1, i2, ...} ) to be. In this case, the search information generation unit 230 uses the MAC secret key K1 and uses the verification information (authenticator) Tag _i corresponding to the generation set (W _i , E (D _i1 ), E (D _i2 ),...). Is calculated as in the following formula.
Tag _i = f _K1 (W _i , E (D _i1 ), E (D _i2 ),...)
Here, f is a MAC generation algorithm.

When the digital signature σ _i is used instead of the authenticator Tag _i as the verification information, f is a signature generation algorithm, and the verification information generation unit 230A uses the secret of the digital signature instead of the MAC encryption key K1. Using the key sk, the digital signature σ _i corresponding to the generation set (W _i , E (D _i1 ), E (D _i2 ),...) _Is calculated as in the following equation.
σ _i = f _sk (W _i , E (D _i1 ), E (D _i2 ),...)

The search information generation unit 230A outputs verification information (Tag ₁ , Tag ₂ ,...) Obtained by calculation (step S130A). The verification information (authentication code) is sent to the server 300E, and the server 300E stores the verification information (authentication code) in the storage area 310.

  Next, the operation of the verification information generation unit 230A will be described with a specific example with reference to FIG. Here, a case where the keyword is “Ibaraki University” with index number 2 will be described as an example.

In this case, the verification information generation unit 230A refers to the index, including the keyword "Ibaraki", selects a set Q ₂ of the corresponding encrypted file (encryption file). In this case, the file number of the index number 2, "3", "6", since "10" is stored, the search information generating unit 230A as a set Q ₂ of the corresponding ciphertext file, encrypted file E ( D3), E (D6), and E (D10) are selected.

Then, the verification information generation unit 230A uses the MAC secret key K1, and generates verification information (authenticator) Tag ₂ for the generation set (Ibaraki University, E (D3), E (D6), E (D10)), According to the MAC generation algorithm, it is generated as shown in the following formula.
Tag ₂ = f _K1 (Ibaraki University, E (D3), E (D6), E (D10))

In this way, the verification information generation unit 230A generates verification information (authenticator) Tag _i for each keyword i. The generated verification information (authenticator) Tag _i is sent to the server 300E, and the server 300E stores the sent verification information (authenticator) Tag _i in the storage area 310.

When the verification information is the digital signature σ _i , the server 300E stores the digital signature σ _i in the storage area 310.

At the time of the search, in the client 200E, the third encryption unit 280A encrypts the search keyword W using the encryption secret key K0 and sends the encrypted search keyword E ′ (W) to the server 300E. In the server 300E, in response to the encryption search keyword E ′ (W), the search unit 320 sets a set of encryption files Q _i = (E (D _i1 ), E (D _i2 ) _,. ) And its verification information (authenticator) Tag are returned to the client 200E. Therefore, the client 200E acquires the set of encrypted files Q _i = (E (D _i1 ), E (D _i2 ),...) And the verification information (authenticator) Tag. That is, the third encryption unit 280A sends the encrypted search keyword E ′ (W) obtained by encrypting the search keyword W using the encryption secret key K0 to the server 300E, and the server 300E sends the encrypted file of the set _{Q i = (E (D i1} ), E (D i2), ...) to work as a search corresponding to the keyword W verification information (authenticator) encrypted file acquisition means for acquiring and Tag.

  Next, the operation of the verification unit 240A of the client 200E will be described with reference to FIG.

The verification unit 240A reads the MAC secret key K1 held in the secret key holding unit 220A and the search keyword W (step S210A). Next, the verification unit 240A includes an encryption file (E (D _i1 ), E (D _i2 ),...) That is a set Q _i of encryption files sent from the server 300E, and its verification information (authenticator) Tag. Is read (step S220A).

The verification unit 240A uses the MAC secret key K1 and determines whether the verification information (authenticator) Tag is an authenticator of the verification pair (W, E (D _i1 ), E (D _i2 ),...). According to the MAC verification algorithm, calculation is performed as shown in the following equation (S230A).
Verify _K1 (W, E (D _i1 ), E (D _i2 ),..., Tag) = accept or reject

If the calculation result is accept (Yes in step S240A), the verification unit 240A decrypts the acquired encrypted file set Q _i = (E (D _i1 ), E (D _i2 ),...) The set P _i = (D _i1 , D _i2 ,...) Is output (step S250A). If reject (No in step S240A), reject is output (step S260A).

If the verification information is a digital signature σ, the verification unit 240A uses the public key vk of the digital signature, and the digital signature σ is a verification pair (W, E (D _i1 ), E (D _i2 ),...) Is calculated as shown in the following equation according to the signature verification algorithm.
Verify _vk (W, E (D _i1 ), E (D _i2 ),..., Σ) = accept or reject

  Next, the operation of the verification unit 240A will be described with a specific example with reference to FIG. Here, a case where the search keyword W is “Ibaraki University” with index number 2 will be described as an example.

In this case, the verification unit 240A, from the secret key storage unit 220A reads the secret key K1 of the MAC, read the "Ibaraki" as a search keyword, sent from the server 300E, encrypted file is a set _{Q 2} of the encrypted file (E (D3), E (D6), E (D10)) and verification information (authenticator) Tag ₂ are read.

Then, the verification unit 240A uses the MAC secret key K1, and the verification information (authenticator) Tag ₂ is an authenticator of the verification group (Ibaraki University, E (D3), E (D6), E (D10)). Whether or not there is is calculated according to the MAC verification algorithm as shown in the following equation.
Verify _K1 (Ibaraki University, E (D3), E (D6), E (D10), Tag ₂ )
= Accept or reject

If the calculation result is accept, the verification unit 240A decrypts the encrypted file set Q ₂ = (E (D3), E (D6), E (D10)), and the desired file set P ₂ = (D3, D6 and D10) are output. If reject, reject is output.

  Next, the effect of the second embodiment will be described.

The search system 100E according to the second embodiment can detect not only file deletion, addition, and alteration but also file replacement as a server fraud. The reason is that the client (user terminal) 200E encrypts all the files including each keyword W _i and the keyword W _i Q _i = {E (D _i1 , E (D _i2 ), This is because the verification information Tag _i (or σ _i ) is generated as a set (generation set), and the generated verification information Tag _i (or σ _i ) is stored in the server 300E. .

  As mentioned above, although this invention was demonstrated with reference to embodiment (Example), this invention is not limited to the said embodiment (Example). Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

  Part or all of the above-described embodiments (examples) can be described as in the following supplementary notes, but are not limited thereto.

(Supplementary note 1) A search system in which a user terminal stores a plurality of files in a server, and the user terminal acquires a set of desired files from the server by keyword search, wherein the user terminal includes:
File storage means for storing the plurality of files in the server;
A verification information generating unit that generates verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword, and stores the generated verification information in the server;
A file acquisition means for sending a search keyword to the server and acquiring a set of files including the search keyword and verification information corresponding to the search keyword from the server;
Whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files is checked by a predetermined verification algorithm, and if the check result is correct, it is approved and acquired. A verification unit that obtains the set of files obtained as the set of desired files, and rejects otherwise.
Search system having

(Supplementary note 2) The predetermined generation algorithm comprises a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The verification information generation unit generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The verification unit checks whether the acquired digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature.
The search system according to attachment 1.

(Supplementary Note 3) The predetermined generation algorithm includes a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The verification information generation unit generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The verification unit uses the MAC secret key to check whether the acquired authenticator is an authenticator of the verification set according to the MAC verification algorithm.
The search system according to attachment 1.

(Supplementary Note 4) A search method in which a user terminal stores a plurality of files in a server, and the user terminal acquires a desired set of files from the server by keyword search,
The user terminal storing the plurality of files in the server;
The user terminal generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword;
The user terminal storing the generated verification information in the server;
The user terminal sends a search keyword to the server, and acquires a set of files including the search keyword and verification information corresponding to the search keyword from the server;
The user terminal checking whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files by a predetermined verification algorithm;
The user terminal approves if the check result is correct, obtains the acquired set of files as the desired set of files, and rejects otherwise;
Search method including

(Supplementary Note 5) The predetermined generation algorithm includes a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The generating step generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The checking step checks whether the obtained digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature;
The search method according to attachment 4.

(Supplementary Note 6) The predetermined generation algorithm includes a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The generating step generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The checking step checks whether the acquired authenticator is the authenticator of the verification set according to the MAC verification algorithm using the secret key of the MAC.
The search method according to attachment 4.

(Supplementary note 7) A search program for storing a plurality of files in a server and causing a user terminal, which is a computer, to execute a process of acquiring a desired set of files from the server by keyword search.
Storing the plurality of files on the server;
A procedure for generating verification information in accordance with a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword;
A procedure for storing the generated verification information in the server;
Sending a search keyword to the server, and obtaining a set of files containing the search keyword and verification information corresponding to the search keyword from the server;
A procedure for checking whether or not the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files by a predetermined verification algorithm;
If the check result is correct, approve and obtain the acquired set of files as the desired set of files, otherwise reject,
Search program to execute.

(Supplementary Note 8) The predetermined generation algorithm includes a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The generating step causes the computer to generate a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The checking step causes the computer to check whether the obtained digital signature is a digital signature of the verification set according to the signature verification algorithm using a digital signature public key.
The search program according to appendix 7.

(Supplementary Note 9) The predetermined generation algorithm includes a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The generating step causes the computer to generate an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The checking step causes the computer to check whether the acquired authenticator is the authenticator of the verification set according to the MAC verification algorithm using the MAC secret key.
The search program according to appendix 7.

(Supplementary Note 10) A search system in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a set of desired files from the server by keyword search, wherein the user terminal includes:
Encrypted file storage means for encrypting each of a plurality of files using an encryption private key and storing the plurality of encrypted files in the server;
A verification information generating unit for generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword, and storing the generated verification information in the server;
Sending an encrypted search keyword obtained by encrypting a search keyword using the encryption private key to the server, a set of encrypted files including the encrypted search keyword from the server, and verification information corresponding to the search keyword; Encrypted file acquisition means for acquiring
Whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files is checked by a predetermined verification algorithm, and if the check result is correct, it is approved and A verification unit that decrypts the obtained set of encrypted files to obtain the desired set of files, and rejects otherwise;
Search system having

(Supplementary Note 11) A search system in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a set of desired files from the server by keyword search, wherein the user terminal includes:
Encrypted file storage means for encrypting each of a plurality of files using an encryption private key and storing the plurality of encrypted files in the server;
Generating verification information according to a predetermined generation algorithm for a generation set of an encryption keyword obtained by encrypting a keyword using the encryption private key and a set of all encryption files including the encryption keyword, A verification information generation unit for storing the generated verification information in the server;
A cryptographic search keyword obtained by encrypting a search keyword using the encryption private key is sent to the server, and a set of cryptographic files including the cryptographic search keyword from the server and verification information corresponding to the cryptographic search keyword Encrypted file acquisition means for acquiring
Whether the acquired verification information is verification information of a verification set of the cryptographic search keyword and the acquired set of encrypted files is checked by a predetermined verification algorithm, and if the check result is correct, it is approved. A verification unit that decrypts the obtained set of encrypted files to obtain the desired set of files, and rejects otherwise;
Search system having

(Supplementary Note 12) The predetermined generation algorithm includes a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The verification information generation unit generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The verification unit checks whether the acquired digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature.
The search system according to appendix 10 or 11.

(Supplementary note 13) The predetermined generation algorithm comprises a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The verification information generation unit generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The verification unit uses the MAC secret key to check whether the acquired authenticator is an authenticator of the verification set according to the MAC verification algorithm.
The search system according to appendix 10 or 11.

(Supplementary note 14) A search method in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a desired set of files from the server by keyword search,
The user terminal encrypts each of a plurality of files using an encryption private key, and stores the plurality of encrypted files in the server;
The user terminal generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword;
The user terminal storing the generated verification information in the server;
The user terminal sends an encrypted search keyword obtained by encrypting a search keyword using the encrypted secret key to the server, and a set of encrypted files including the encrypted search keyword and the search keyword are sent from the server. Obtaining corresponding verification information;
The user terminal checks whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
The user terminal approves if the check result is correct and decrypts the acquired set of encrypted files to obtain the desired set of files, otherwise rejects;
Search method including

(Supplementary note 15) A search method in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a set of desired files from the server by keyword search,
The user terminal encrypts each of a plurality of files using an encryption private key, and stores the plurality of encrypted files in the server;
The user terminal generates verification information according to a predetermined generation algorithm for a generation set of an encryption keyword obtained by encryption using the encryption private key and a set of all encryption files including the encryption keyword And steps to
The user terminal storing the generated verification information in the server;
The user terminal sends an encryption search keyword obtained by encrypting a search keyword using the encryption private key to the server, and a set of encrypted files including the encryption search keyword from the server and the encryption search keyword Obtaining verification information corresponding to
The user terminal checks whether or not the acquired verification information is verification information of a verification set of the cryptographic search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
The user terminal approves if the check result is correct and decrypts the acquired set of encrypted files to obtain the desired set of files, otherwise rejects;
Search method including

(Supplementary Note 16) The predetermined generation algorithm includes a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The generating step generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The checking step checks whether the obtained digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature;
The search method according to appendix 14 or 15.

(Supplementary Note 17) The predetermined generation algorithm includes a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The generating step generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The checking step checks whether the acquired authenticator is the authenticator of the verification set according to the MAC verification algorithm using the secret key of the MAC.
The search method according to appendix 14 or 15.

(Supplementary Note 18) A search program for storing a plurality of encrypted files in a server and causing a user terminal, which is a computer, to execute a process of acquiring a desired set of files from the server by keyword search,
Encrypting each of a plurality of files using an encryption private key, and storing the plurality of encrypted files in the server;
Generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword;
A procedure for storing the generated verification information in the server;
Sending an encrypted search keyword obtained by encrypting a search keyword using the encryption private key to the server, a set of encrypted files including the encrypted search keyword from the server, and verification information corresponding to the search keyword; With the steps to get
A procedure for checking whether or not the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
Approve if the check result is correct, decrypt the acquired set of encrypted files to obtain the desired set of files, otherwise reject,
Search program to execute.

(Supplementary Note 19) A search program for storing a plurality of encrypted files in a server and causing a user terminal, which is a computer, to execute a process of acquiring a desired set of files from the server by keyword search,
Encrypting each of a plurality of files using an encryption private key, and storing the plurality of encrypted files in the server;
A procedure for generating verification information according to a predetermined generation algorithm for a generation set of an encryption keyword obtained by encrypting a keyword using the encryption secret key and a set of all encryption files including the encryption keyword; ,
A procedure for storing the generated verification information in the server;
A cryptographic search keyword obtained by encrypting a search keyword using the encryption private key is sent to the server, and a set of cryptographic files including the cryptographic search keyword from the server and verification information corresponding to the cryptographic search keyword And steps to get and
A procedure for checking whether or not the acquired verification information is verification information of a verification set of the cryptographic search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
Approve if the check result is correct, decrypt the acquired set of encrypted files to obtain the desired set of files, otherwise reject,
Search program to execute.

(Supplementary note 20) The predetermined generation algorithm includes a signature generation algorithm,
The predetermined verification algorithm comprises a signature verification algorithm;
The generating step causes the computer to generate a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The checking step causes the computer to check whether the acquired digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature.
The search program according to appendix 18 or 19.

(Supplementary note 21) The predetermined generation algorithm includes a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The generating step causes the computer to generate an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The checking step causes the computer to check whether the acquired authenticator is the authenticator of the verification set according to the MAC verification algorithm using the MAC secret key.
The search program according to appendix 18 or 19.

  The present invention can be used for a method for detecting fraud of a server in keyword search.

100, 100A, 100B, 100C, 100D, 100E Search system 200, 200A, 200B, 200C User terminal 200D, 200E Client 210, 210A Private key generation unit 220, 220A Private key holding unit 230, 230A Verification information generation unit 240, 240A Verification unit 260 First signal line (file storage means)
260A First encryption unit (encrypted file storage means)
270 Second signal line (index storage means)
270A Second encryption unit (cryptographic index storage means)
280 Third signal line (file acquisition means)
280A Third encryption unit (encrypted file acquisition means)
300, 300A, 300B, 300C, 300D, 300E Server 310 Storage area 320 Search unit

Claims (10)

A user terminal stores a plurality of files in a server, and the user terminal acquires a desired set of files from the server by keyword search, wherein the user terminal includes:
File storage means for storing the plurality of files in the server;
A verification information generating unit that generates verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword, and stores the generated verification information in the server;
A file acquisition means for sending a search keyword to the server and acquiring a set of files including the search keyword and verification information corresponding to the search keyword from the server;
Whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files is checked by a predetermined verification algorithm, and if the check result is correct, it is approved and acquired. A verification unit that obtains the set of files obtained as the set of desired files, and rejects otherwise.
Search system having The predetermined generation algorithm comprises a signature generation algorithm;
The predetermined verification algorithm comprises a signature verification algorithm;
The verification information generation unit generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The verification unit checks whether the acquired digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature.
The search system according to claim 1. The predetermined generation algorithm comprises a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The verification information generation unit generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The verification unit uses the MAC secret key to check whether the acquired authenticator is an authenticator of the verification set according to the MAC verification algorithm.
The search system according to claim 1. A search method in which a user terminal stores a plurality of files in a server, and the user terminal acquires a set of desired files from the server by keyword search,
The user terminal storing the plurality of files in the server;
The user terminal generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword;
The user terminal storing the generated verification information in the server;
The user terminal sends a search keyword to the server, and acquires a set of files including the search keyword and verification information corresponding to the search keyword from the server;
The user terminal checking whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files by a predetermined verification algorithm;
The user terminal approves if the check result is correct, obtains the acquired set of files as the desired set of files, and rejects otherwise;
Search method including A search program for storing a plurality of files in a server and causing a user terminal, which is a computer, to execute processing for acquiring a set of desired files from the server by keyword search,
Storing the plurality of files on the server;
A procedure for generating verification information in accordance with a predetermined generation algorithm for a generation set of a keyword and a set of all files including the keyword;
A procedure for storing the generated verification information in the server;
Sending a search keyword to the server, and obtaining a set of files containing the search keyword and verification information corresponding to the search keyword from the server;
A procedure for checking whether or not the acquired verification information is verification information of a verification set of the search keyword and the acquired set of files by a predetermined verification algorithm;
If the check result is correct, approve and obtain the acquired set of files as the desired set of files, otherwise reject,
Search program to execute. A user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a desired set of files from the server by keyword search, wherein the user terminal includes:
Encrypted file storage means for encrypting each of a plurality of files using an encryption private key and storing the plurality of encrypted files in the server;
A verification information generating unit for generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword, and storing the generated verification information in the server;
Sending an encrypted search keyword obtained by encrypting a search keyword using the encryption private key to the server, a set of encrypted files including the encrypted search keyword from the server, and verification information corresponding to the search keyword; Encrypted file acquisition means for acquiring
Whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files is checked by a predetermined verification algorithm, and if the check result is correct, it is approved and A verification unit that decrypts the obtained set of encrypted files to obtain the desired set of files, and rejects otherwise;
Search system having The predetermined generation algorithm comprises a signature generation algorithm;
The predetermined verification algorithm comprises a signature verification algorithm;
The verification information generation unit generates a digital signature for the generation set as the verification information according to the signature generation algorithm using a digital signature private key,
The verification unit checks whether the acquired digital signature is a digital signature of the verification set according to the signature verification algorithm using a public key of the digital signature.
The search system according to claim 6. The predetermined generation algorithm comprises a MAC (Message Authentication Code) generation algorithm,
The predetermined verification algorithm comprises a MAC verification algorithm;
The verification information generation unit generates an authenticator for the generation set as the verification information according to the MAC generation algorithm using a MAC secret key,
The verification unit uses the MAC secret key to check whether the acquired authenticator is an authenticator of the verification set according to the MAC verification algorithm.
The search system according to claim 6. A search method in which a user terminal stores a plurality of encrypted files in a server, and the user terminal acquires a set of desired files from the server by keyword search,
The user terminal encrypts each of a plurality of files using an encryption private key, and stores the plurality of encrypted files in the server;
The user terminal generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword;
The user terminal storing the generated verification information in the server;
The user terminal sends an encrypted search keyword obtained by encrypting a search keyword using the encrypted secret key to the server, and a set of encrypted files including the encrypted search keyword and the search keyword are sent from the server. Obtaining corresponding verification information;
The user terminal checks whether the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
The user terminal approves if the check result is correct and decrypts the acquired set of encrypted files to obtain the desired set of files, otherwise rejects;
Search method including A search program for storing a plurality of encrypted files in a server and causing a user terminal, which is a computer, to execute a process of acquiring a desired set of files from the server by keyword search.
Encrypting each of a plurality of files using an encryption private key, and storing the plurality of encrypted files in the server;
Generating verification information according to a predetermined generation algorithm for a generation set of a keyword and a set of all encrypted files including the keyword;
A procedure for storing the generated verification information in the server;
Sending an encrypted search keyword obtained by encrypting a search keyword using the encryption private key to the server, a set of encrypted files including the encrypted search keyword from the server, and verification information corresponding to the search keyword; With the steps to get
A procedure for checking whether or not the acquired verification information is verification information of a verification set of the search keyword and the acquired set of encrypted files by a predetermined verification algorithm;
Approve if the check result is correct, decrypt the acquired set of encrypted files to obtain the desired set of files, otherwise reject,
Search program to execute.

Images