JP2013217970A - Hierarchical type inner product cipher system based on lattice problem, hierarchical type inner product cipher method, device based on lattice problem - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a hierarchical inner product cipher technology based on a lattice problem, whose key size and cipher text size are small.SOLUTION: Key size and cipher text size are suppressed by making a parameter R of inner product cipher into GF(q). As a result, the key size becomes Ω(μnlgq), and the cipher text size becomes Ω(μn lgq). Even when it is required that 1/|R| can be ignored, it becomes that 1/|R|=1/q, it can be ignored. Even in such a case, it can be put that q=poly(n), and thereby, the key size Ω(μnlgn), the cipher text size Ω(μn lgn) can be achieved.

Description

  The present invention relates to a hierarchical inner product encryption technique based on a lattice problem.

In the public key cryptosystem, a ciphertext encrypted with a certain public key can be decrypted only by a person having a corresponding secret key. For example, when the plaintext m is transmitted from the user device h to the user device i, the user device h generates the ciphertext c _i using the encryption key ek _i of the user device i, and the ciphertext c _i is transmitted to the user device _i. Send. Only a user equipment with a decryption key dk _i corresponding to the encryption key ek _i can decrypt this ciphertext c _i.

In ID-based encryption, the key generation station and the user device are separated. During setup, the key generation station generates (mpk, msk). Each user apparatus has a unique id, and the key generation station issues a secret key dk _id to each user. With ID-based encryption, the ciphertext encrypted with a certain id can be decrypted only by a user device having the secret key dk _id (note that the key generation station can also have the secret key dk _id. ).

Inner product cryptography has been proposed to increase the variety of combinations of users (devices) and ciphers. During setup, the key generation station generates (mpk, msk). Each user device has a key attribute vector v ^ ∈R ^μ . The key generation authority issues dk _{v ^} to each user apparatus. At the time of encryption, encryption is performed using the encryption attribute vector w ^ ∈R ^μ . In the inner product cipher, a ciphertext encrypted with a certain w ^ can be decrypted only by a user device having dk _{v ^} where the inner product w ^ ^T v ^ = 0.

  Inner product encryption was first proposed in Non-Patent Document 1. Since then, various inner product ciphers and variants have been proposed based on the elliptic discrete logarithm problem. There is Non-Patent Document 2 as an inner product encryption based on the lattice problem.

A hierarchical inner product cipher is a layered inner product cipher. This was first proposed in Non-Patent Document 3. Let the depth of the hierarchy be d at the maximum (when d = 1, it matches the inner product cipher). Key generating stations at the time of setup to generate a _{(mpk, msk = dk ┬)} . Each user device has a key attribute vector (v ^ ₁ , ..., v ^ _j ) ∈ (R ^μ ) ^{≦ d} = R ^μ ∪ (R ^μ ) ² ∪ (R ^μ ) ³ ∪… ∪ (R ^μ ) ^d ( 1 ≦ j ≦ d). The key generation station issues dk _{(v ^ 1, ..., v ^ j)} to each user equipment. In hierarchical inner product cryptography, the key generation function can be delegated. That is the key _{dk (v ^ 1, ...,} v ^ j) the user device with is, any of _{v ^ j + 1, ...,} v ^ s for key _{dk (v ^ 1, ...,} v ^ j, v ^ j _{+1, ..., v ^ s)} can be generated. At the time of encryption, encryption is performed using the encryption attribute vector (w ^ ₁ , ..., w ^ _h ) ∈ ( ^Rμ ) ^{≤ d} . In hierarchical inner product cryptography, when the key attribute vector is (v ^ ₁ ,…, v ^ _j ) and the cryptographic attribute vector (w ^ ₁ ,…, w ^ _h ), the cipher encrypted with this cryptographic attribute vector Only user devices with dk _{(v ^ 1, ..., v ^ j)} for which w ^ _i ^T v ^ _i = 0 for j≤h and 1≤i≤j can decrypt the sentence.

JP 2011-141472 JP 2011-128609 JP 2010-273317 A

Jonathan Katz, Amit Sahai, and Brent Waters.Predicate encryption supporting disjunctions, polynomial equations, and inner products.In Nigel P. Smart, editor, EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pages 146-162.Springer-Verlag The full version is available at http://eprint.iacr.org/2007/404. Shweta Agrawal, David Mandell Freeman, and Vinod Vaikuntanathan.Function encryption for inner product predicates from learning with errors.In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, pages 21-40. -Verlag, 2011. The full version is available at http://eprint.iacr.org/2011/410. Tatsuaki Okamoto and Katsuyuki Takashima. Hierarchical predicate encryption for inner-products. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science, pages 214-231. Springer-Verlag, 2009.

Let n be a security parameter. The vector base of the inner product encryption based on the lattice problem of Non-Patent Document 1 is R = Z _q . At this time, the key size is Ω (μn ² lg ³ q), and the ciphertext size is Ω (μn lg ³ q). μ represents the length of the attribute vector, and lg represents the logarithm with base 2. Some applications require q = 2 ^{O (n)} because 1 / | R | must be negligible. In this case, the key size is Ω (μn ⁵ ) and the ciphertext size is Ω (μn ⁴ ), which is very large. In addition, there is no existing method that proposes a hierarchical inner product cipher based on the lattice problem.

  An object of the present invention is to provide a hierarchical inner product encryption technique based on a lattice problem with a small key size and ciphertext size.

と定義し，
ηを，η：GF(qⁿ)→Z_q ⁿ，aa=a₀+a₁X+…+a_n-1X^n-1 → (a₀，…，a_n-1)^Tと定義し，
Hを，H:GF(qⁿ)→Z_q ^n×n，aa=a₀+a₁X+…+a_n-1X^n-1 → [η(aa)η(aX)…η(aX^n-1)]と定義している。 The hierarchical inner product encryption technology of the present invention suppresses the key size and ciphertext size by setting the parameter R of the inner product encryption to GF (q ⁿ ). In particular,
Security parameters kappa, d a hierarchy of maximum depth, the length of the attribute vectors mu, the bit length of plaintext L, n, q, parameters for each grating m, sigma _1, ..., key a sigma _d Issuing parameters, D _Χ distribution on Z _q , b, k = ┌log _b q┐, m '= nk are size parameters, g = (1, b, ..., b ^k-1 ) ∈ Z _q ^k, gg = gg the (x) ∈Z _q [x] and _{^{GF (q n) = Z q}} [x] / monic irreducible polynomial that defines the <gg>, {1 for a natural number n, ..., n } the expressed as [n], the lattice lambda _q ^⊥ for the matrix ^{_{A∈Z q n × m (a)}} = {z∈Z m: there is s∈Z _q ⁿ to be z≡A ^T s (mod q) Do}
age,
Setup algorithm Setup (1 ^κ , d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg):
_{1. (A, T ┬) ←} GenTrap (1 κ, q, n, m),
2. For δ∈ [d] and i∈ [μ], choose A _{δ, i} ← Z _q ^{n × m '} at random,
3. By selecting U ← Z _q ^{n × L} at random, the common parameters pp = ((κ, d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg), A, {A _{δ, i} }, U) and master secret key msk = (T _，, pp)
The key issuing device
Key generation algorithm Gen (pp, msk, (v ^ ₁ , ..., v ^ _j )): (v ^ ₁ , ..., v ^ _j ) is a key attribute vector, 1≤j≤d, and δ∈ [j] V ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ , C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} , F _{(v ^ 1,…, v ^ j)} = [A | C _{v ^ 1} |… | C _{v ^ j} ] ∈Z _q ^{n × (m + jm')} _{(v ^ 1, ..., v} ^ j) ← DelgBasis (T ┬, F (v ^ 1, ..., v ^ j), σ j), the execution, the secret key _{dk (v ^ 1, ...,} v ^ _j) includes a key generator that outputs = T _{(v ^ 1, ..., v ^ j)} ,
The encryption device
Encryption algorithm _{Enc (pp, (w ^ 1} , ..., w ^ h), m∈ {0,1} L) :( w ^ 1, ..., w ^ h) the encryption attribute vector, the I _n n rows An identity matrix of n columns, (×) is a Kronecker product, and for δ∈ [h], w ^ _δ = (ww _{δ, 1} , ..., ww _{δ, μ} ) ∈GF (q ⁿ ) ^μ , G ← I _n (×) (1, b, ..., b ^k-1 )
a selection unit that randomly selects s ← Z _q ⁿ , and selects e ← D _Χ ^m and f ← D _Χ ^L at random;
a first cryptographic element calculation unit for calculating c ₀ ← A ^T s + e;
For δ∈ [h] and i∈ [μ], R _{δ, i} ← {-1, + 1} ^{m × m '} is chosen at random, and c _{δ, i} ← (A _{δ, i} + H (ww _{δ, i} ) · G) ^T s + R _{δ, i} ^T e∈Z _q ^{m ′}
a third cryptographic element calculation unit for calculating c ′ ← U ^T s + f + └q / 2┘m;
A ciphertext generator that outputs ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ′) as ciphertext,
Including
The decryption device
Decoding algorithm Dec (pp, dk _{(v ^ 1, ..., v ^ j)} , ct):
Secret key dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and ciphertext ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ')
δ∈ for _{[j] c v ^ δ ←} Σ i = 1 μ H g (vv δ, i) · c δ, a first calculation unit for calculating a _i,
c ← [c ₀ | c _{v ^ 1} |… | c _{v ^ j} ], s ← Invert (F _{(v ^ 1,…, v ^ j)} , T _{(v ^ 1,…, v ^ j)} , a second calculation unit for calculating c);
a third calculation unit for calculating d ← c'-U ^T s;
Rounded each element of (2 / q) d to the nearest integer, and made each even and odd correspond to 0/1, and the resulting vector is the decrypted plaintext m∈ {0,1} ^L A hierarchical inner product cryptosystem including an output decryption unit is configured.
However,
GenTrap (1 ^κ , q, n, m):
An algorithm that outputs a set of bases T (A, T) ∈Z _q ^{n × m} × Z ^{m × m} of matrix A∈Z _q ^{n × m} , Λ _q ^⊥ (A),
Invert (A, T, c):
An algorithm that outputs s∈Z _q ^{n such} that c = A ^T s + e when ^T is the basis of Λ _q ^⊥ (A),
H _g is defined as H _g : GF (q ⁿ ) → Z _q ^{nk × nk} , H _g (aa) = D _g (H (aa)) ∈B ^{nk × nk} ⊆Z _q ^{nk × nk}
For positive integer b ≧ 2, B = {0,1, ..., b-1} ⊆Z _q , g = (1, b, ..., b ^k-1 ) ∈Z _q ^k , q ≦ b ^k For a∈Z _q , d _g (a) = (a ₁ , ..., a _k ) ^T ∈B ^k is a function such that a = Σ _{i = 1} ^k a _i · b ^i-1 Defined as
D _g is ^{defined as} D _g : Z _q → B ^{k × k} , a → [d _g (a) d _g (ba)… d _g (b ^k−1 a)] ∈B ^{k × k}
An extension of the domain of D _{g for} the matrix A = {a _{i, j} } ∈Z _q ^{n × m}

Defined as
η is defined as η: GF (q ⁿ ) → Z _q ⁿ , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → (a ₀ ,…, a _n-1 ) ^T
H, GF (q ⁿ ) → Z _q ^{n × n} , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → [η (aa) η (aX)… η (aX ^{n -1} )]].

The decryption device
Key generation algorithm Delg (pp, dk _{(v ^ 1, ..., v ^ j)} , (v ^ _{j + 1} , ..., v ^ _s )):
For dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and δ∈ [s], v ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ
For δ∈ [s], let C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} and F _{(v ^ 1,…, v ^ j, v ^ j + 1,…, v ^ s)} = [A | C _{v ^ 1} |… | C _{v ^ s} ] ∈Z _q ^{n × (m + sm ')} , T _{(v ^ 1,…, v ^ j, v ^ j + 1,…, v ^ s)} ← DelgBasis (T _{(v ^ 1,…, v ^ j)} , F _{(v ^ 1,…, v ^ j)} , σ _s ) , Dk _{(v ^ 1, ..., v ^ s)} = T _{(v ^ 1, ..., v ^ s)} may be further included.
However,
ExtBasis (T, A ^ = [A | C]):
When T is a base of the Λ _q ^⊥ (A), an algorithm that outputs the base T 'of Λ _q ^⊥ (A ^),
RandBasis (S, s):
When S is a basis of a lattice Λ _q ^⊥ (A), an algorithm that outputs a random basis S 'of the lattice Λ _q ^⊥ (A),
DelgBasis (T, A ^ = [A | C], s):
An algorithm that outputs a matrix T 'corresponding to A ^ when T is the basis of Λ _q ^⊥ (A), given by S ← ExtBasis (T, A ^), T' ← RandBasis (S, s) It is done.

According to the present invention, details will be given to the embodiment described later. Specifically, the key size is Ω (μn ² lg ² q), and the ciphertext size is Ω (μn lg ² q). Even applications that require 1 / | R | to be negligible, this is negligible because 1 / | R | = 1 / q ⁿ . Even in such an application, q = poly (n) can be set, and the key size Ω (μn ² lg ² n) and the ciphertext size Ω (μn lg ² n) can be achieved.

The figure which shows the function structure of the key issuing apparatus, encryption apparatus, and decryption apparatus which are the system configuration | structure of the hierarchical inner product encryption system in connection with embodiment, and its component.

<Preparation>
For natural number n, {1, ..., n} is represented by [n]. For a matrix A∈Z _q ^{n × m} , Λ _q ^⊥ (A) = {There exists s∈Z _q ^{n such} that z∈Z ^m : z≡A ^T s (mod q)}
Define in. The symbol T on the right shoulder of a matrix or vector represents transposition.

The following algorithm is used.
(1) GenTrap (1 ^κ , q, n, m):
This is an algorithm that outputs (A, T) ∈Z _q ^{n × m} × Z ^{m × m} . T is the basis of Λ _q ^⊥ (A). Specific examples are described in Reference 1, Reference 2, and Reference 3.
(Reference 1) Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, STOC 2008, pages 197-206. ACM, 2008.
(Reference 2) Joel Alwen and Chris Peikert. Generating shorter bases for hard random lattices. In Susanne Albers and Jean-Yves Marion, editors, STACS 2009, volume 3 of LIPIcs, pages 75-86, Germany, 2009.
Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Germany
(Reference 3) Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. Cryptology ePrint Archive, Report 2011/501, 2011. To appear in EUROCRYPT 2012. Available at http: //eprint.iacr. org / 2011/501.
(2) ExtBasis (T, A ^ = [A | C]):
When T is a base of the Λ _q ^⊥ (A), it is an algorithm that outputs the base T 'of Λ _q ^⊥ (A ^). Specific examples are described in Reference 4.
(Reference 4) David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. In Gilbert [6], pages 523-552.
(3) RandBasis (S, s):
When S is a basis of a lattice Λ _q ^⊥ (A), it is an algorithm that outputs a random basis S 'of the lattice Λ _q ^⊥ (A). Specific examples are described in Reference 4.
(4) Invert (A, T, c):
T is an algorithm that outputs s∈Z _q ⁿ to be c = A ^T s + e when a base of the Λ _q ^⊥ (A).

Furthermore, the following algorithm that abstracts the algorithm disclosed in Reference 4 is defined.
(5) DelgBasis (T, A ^ = [A | C], s):
This algorithm outputs the matrix T 'corresponding to A ^ when T is the basis of Λ _q ^⊥ (A). In particular,
1. Set S ← ExtBasis (T, A ^).
2. Output T '← RandBasis (S, s).

Reference 5 (Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H) IBE in the standard model. In Gilbert [6], pages 553-572.) ⁿ ) → Z _q ^{n × n} is defined below. <gg> represents a unary ideal generated by the polynomial gg∈Z _q [X]. GF (q ⁿ⁾ is assumed to be defined as _{^{GF (q n) = Z q}} [X] / <gg> using n order irreducible polynomial gg∈Z _q [X].
First, the mapping η is ^{expressed as} η: GF (q ⁿ ) → Z _q ⁿ , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → (a ₀ ,…, a _n-1 ) ^T Define.
Next, map H is ^{expressed as} H: GF (q ⁿ ) → Z _q ^{n × n} , aa = a ₀ + a ₁ X +… + a _n−1 X ⁿ⁻¹ → [η (aa) η (aaX)… η (aaX ^n-1 )].

For a positive integer b ≧ 2, let B = {0, 1, ..., b-1} ⊆Z _q . Assume that g = (1, b,..., b ^k−1 ) ∈Z _q ^k, and q ≦ b ^k holds. For a∈Z _q, we define d _g (a) = (a ₁ ,..., a _k ) ^T ∈B ^k as a function such that a = Σ _{i = 1} ^k a _i · b ⁱ⁻¹ . The mapping D _g is defined as D _g : Z _q → B ^{k × k} , a → [d _g (a) d _g (ba)... D _g (b ^k−1 a)] ∈B ^{k × k} .

と定義する。 In addition, the domain of D _g is expanded for an appropriate matrix A = {a _{i, j} } ∈Z _q ^{n × m.}

It is defined as

Using the above, mapping ^{_{H g: GF (q n)}} → Z q nk × nk the _{H g (aa) = D g} (H (aa)) ∈B nk × nk ⊆Z q nk × nk to define.

[Example]
Based on the above preparation, the hierarchical inner product cipher Π = (Setup; Gen; Enc; Dec; Delg) is constructed.
The hierarchical inner product encryption system 1 based on the hierarchical inner product cipher Π = (Setup; Gen; Enc; Dec; Delg) includes a key issuing device 100, an encryption device 200, and a decryption device 300.
= Explanation of parameters =
κ: Security parameter
d: Parameter that sets the maximum depth of the hierarchy μ: Length of attribute vector
L: Bit length of plaintext
n, q, m: Parameters for the grid. However, q is a prime number.
σ ₁ , ..., σ _d : Parameters for key issuance
D _Χ : Distribution on the body Z _q
b, k = ┌log _b q┐, m '= nk: Size parameters (symbols ┌ and ┐ represent ceiling functions)
(1, b, ..., b ^k-1 ) ∈Z _q ^k
gg = gg (x) ∈Z _q [x]: Monic irreducible polynomial defining GF (q ⁿ ) = Z _q [x] / <gg>

Setup (1 ^κ , d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg):
_{1. (A, T ┬) ←} GenTrap (1 κ, q, n, m)
2. For δ∈ [d] and i∈ [μ], choose A _{δ, i} ← Z _q ^{n × m ′} at random.
3. Select U ← Z _q ^{n × L} at random.
And pp = ((κ, d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg), A, {A _{δ, i} }, U ) And msk = (T _，, pp).

Gen (pp, msk, (v ^ ₁ , ..., v ^ _j )): (v ^ ₁ , ..., v ^ _j ) is a key attribute vector. However, 1 ≦ j ≦ d.
1. For δ∈ [j], we call v ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ and C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i Let} H _g (vv _{δ, i} ) ∈Z _q ^{n × m ′} .
2. ^Let F _{(v ^ 1, ..., v ^ j)} = [A | C _{v ^ 1} | ... | C _{v ^ j} ] ∈Z _q ^{n × (m + jm ')} .
3. The key generation unit 101 of the key issuing apparatus _{100, T (v ^ 1, ...} , v ^ j) ← DelgBasis (T ┬, F (v ^ 1, ..., v ^ j), σ j) and.
Then, dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} is output.

Enc (pp, (w ^ ₁ , ..., w ^ _h ), m∈ {0,1} ^L ): (w ^ ₁ , ..., w ^ _h ) is a cryptographic attribute vector.
For δ∈ [h], let w ^ _δ = (ww _{δ, 1} , ..., ww _{δ, μ} ) ∈GF (q ⁿ ) ^μ .
1. _Let G ← I _n (×) (1, b, ..., b ^k-1 ). I _n is a unit matrix of n rows and n columns. (×) represents the Kronecker product.
2. The selection unit 201 of the encryption device 200 randomly selects s ← Z _q ⁿ .
3. selection unit 201 of the encryption device 200 selects the e ← D _chi ^m and f ← D _chi ^L randomly.
4. The first cryptographic element calculation unit 202a of the encryption device 200 calculates c ₀ ← A ^T s + e.
5. The second cryptographic element calculation unit 202b of the encryption device 200 randomly selects R _{δ, i} ← {-1, + 1} ^{m × m ′} for δ∈ [h] and i∈ [μ], c _{δ, i} ← (A _{δ, i} + H (ww _{δ, i} ) · G) Calculate ^T s + R _{δ, i} ^T e∈Z _q ^{m ′} .
6. The third cryptographic element calculation unit 202c of the encryption device 200 calculates c ′ ← U ^T s + f + └q / 2┘m (the symbols └ and ┘ represent floor functions).
Then, the ciphertext generation unit 202 outputs ct = (c ₀ , {c _{δ, i} } _{δε [h], iε [μ]} , c ′).

Dec (pp, dk _{(v ^ 1, ..., v ^ j)} , ct):
dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and ciphertext ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ ]} , C '),
1. The first calculating unit 301a of the decoding device 300, Deruta∈ for _{[j] c v ^ δ ←} Σ i = 1 μ H g (vv δ, i) · c δ, computes the _i.
2. Set c ← [c ₀ | c _{v ^ 1} |… | c _{v ^ j} ].
3. The second calculation unit 301b of the decoding device 300 calculates s ← Invert (F _{(v ^ 1, ..., v ^ j)} , T _{(v ^ 1, ..., v ^ j)} , c).
4. The third calculation unit 301c of the decoding device 300 calculates d ← c′−U ^T s.
5. The decoding unit 301 of the decoding device 300 rounds each element of (2 / q) d to the nearest integer and associates even / odd with 0/1. As a result, the obtained vector is output as m∈ {0, 1} ^L.

Delg (pp, dk _{(v ^ 1, ..., v ^ j)} , (v ^ _{j + 1} , ..., v ^ _s )):
dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} . For δ∈ [s], let v ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ .
1. For δ∈ [s], let C _{v ^ δ} = Σ _{i = 1} ^μA _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m ′} .
2. F _{(v ^ 1,…, v ^ j, v ^ j + 1,…, v ^ s)} = [A | C _{v ^ 1} |… | C _{v ^ s} ] ∈Z _q ^{n × (m + sm ')} .
3. The key generation unit 302 of the decryption apparatus 300 uses T _{(v ^ 1, ..., v ^ j, v ^ j + 1, ..., v ^ s)} ← DelgBasis (T _{(v ^ 1, ..., v ^ j )} , F _{(v ^ 1,…, v ^ j)} , σ _s ).
Then, dk _{(v ^ 1, ..., v ^ s)} = T _{(v ^ 1, ..., v ^ s)} is output.

<Supplementary note>
Hardware entities (key issuing device, encryption device, decryption device) that can be included in a hierarchical inner product encryption system are an input unit that can be connected to a keyboard, an output unit that can be connected to a liquid crystal display, etc. A communication unit that can be connected to a communication device (for example, a communication cable), a CPU (Central Processing Unit) [a cache memory, a register, or the like may be provided. ], A RAM or ROM that is a memory, an external storage device that is a hard disk, and a bus that connects the input unit, output unit, communication unit, CPU, RAM, ROM, and external storage device so that data can be exchanged between them. have. If necessary, a hardware entity may be provided with a device (drive) that can read and write a recording medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device of the hardware entity stores a program necessary for realizing the above functions and data necessary for processing the program (not limited to the external storage device, for example, reading a program) It may be stored in a ROM that is a dedicated storage device). Data obtained by the processing of these programs is appropriately stored in a RAM or an external storage device.

  In the hardware entity, each program stored in an external storage device (or ROM, etc.) and data necessary for processing each program are read into the memory as necessary, and are interpreted and executed by the CPU as appropriate. . As a result, the CPU implements predetermined functions (for example, a key generation unit, a selection unit, a ciphertext generation unit, a decryption unit, etc.).

In the details of the hardware entity described in each embodiment, numerical calculation processing in number theory may be required, but numerical calculation processing in number theory itself is achieved in the same manner as well-known techniques. A detailed description of the arithmetic processing method and the like has been omitted (software that can perform numerical calculation processing in number theory indicating the technical level of this point includes, for example, PARI / GP, KANT / KASH, etc. About PARI / GP For example, see the Internet <URL: http://pari.math.u-bordeaux.fr/> [searched on March 21, 2012] For KANT / KASH, for example, the Internet <URL: http: / /page.math.tu-berlin.de/~kant/kash.html> [Search on March 21, 2012].
Reference literature A can be cited as a literature relating to this point.
(Reference A) H. Cohen, “A Course in Computational Algebraic Number Theory”, GTM 138, Springer-Verlag, 1993.

  The present invention is not limited to the above-described embodiment, and can be modified as appropriate without departing from the spirit of the present invention. In addition, the processing described in the above embodiment may be executed not only in time series according to the order of description but also in parallel or individually as required by the processing capability of the device that executes the processing. . In the above-described embodiment, the description related to transmission / reception of information such as data used for information processing between devices is omitted. However, as a matter of course, information Y used for certain information processing in a certain device X is: Note that if the device X does not have the information Y, it is acquired by the device X from the device that has the information Y before the information processing is executed. In addition, transmission / reception of information such as data between devices is performed using a known technique.

  When the processing functions in the hardware entity described in the above embodiment are realized by a computer, the processing contents of the functions that the hardware entity should have are described by a program. Then, by executing this program on a computer, the processing functions in the hardware entity are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As a computer-readable recording medium, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only). Memory), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magneto-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Further, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  For example, a computer that executes such a program first stores a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads the program stored in the recording medium of the computer and executes the process according to the read program. As another execution form of the program, the computer may directly read the program from the portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, a configuration in which the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes a processing function only by an execution instruction and result acquisition without transferring a program from the server computer to the computer. It is good. Note that the program in this embodiment includes information provided for processing by an electronic computer and equivalent to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, a hardware entity is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized in hardware.

Claims (7)

A hierarchical inner product cryptosystem based on a lattice problem, including a key issuing device, an encryption device, and a decryption device,
Security parameters kappa, d a hierarchy of maximum depth, the length of the attribute vectors mu, the bit length of plaintext L, n, q, parameters for each grating m, sigma _1, ..., key a sigma _d Issuing parameters, D _Χ distribution on Z _q , b, k = ┌log _b q┐, m '= nk are size parameters, g = (1, b, ..., b ^k-1 ) ∈ Z _q ^k, gg = gg the (x) ∈Z _q [x] and _{^{GF (q n) = Z q}} [x] / monic irreducible polynomial that defines the <gg>, {1 for a natural number n, ..., n } the expressed as [n], the lattice lambda _q ^⊥ for the matrix ^{_{A∈Z q n × m (a)}} = {z∈Z m: there is s∈Z _q ⁿ to be z≡A ^T s (mod q) Do}
age,
Setup algorithm Setup (1 ^κ , d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg):
_{1. (A, T ┬) ←} GenTrap (1 κ, q, n, m),
2. For δ∈ [d] and i∈ [μ], choose A _{δ, i} ← Z _q ^{n × m '} at random,
3. By selecting U ← Z _q ^{n × L} at random, the common parameters pp = ((κ, d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg), A, {A _{δ, i} }, U) and master secret key msk = (T _，, pp)
The key issuing device
Key generation algorithm Gen (pp, msk, (v ^ ₁ , ..., v ^ _j )): (v ^ ₁ , ..., v ^ _j ) is a key attribute vector, 1≤j≤d, and δ∈ [j] V ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ , C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} , F _{(v ^ 1,…, v ^ j)} = [A | C _{v ^ 1} |… | C _{v ^ j} ] ∈Z _q ^{n × (m + jm')} _{(v ^ 1, ..., v} ^ j) ← DelgBasis (T ┬, F (v ^ 1, ..., v ^ j), σ j), the execution, the secret key _{dk (v ^ 1, ...,} v ^ _j) includes a key generator that outputs = T _{(v ^ 1, ..., v ^ j)} ,
The encryption device
Encryption algorithm _{Enc (pp, (w ^ 1} , ..., w ^ h), m∈ {0,1} L) :( w ^ 1, ..., w ^ h) the encryption attribute vector, the I _n n rows An identity matrix of n columns, (×) is a Kronecker product, and for δ∈ [h], w ^ _δ = (ww _{δ, 1} , ..., ww _{δ, μ} ) ∈GF (q ⁿ ) ^μ , G ← I _n (×) (1, b, ..., b ^k-1 )
a selection unit that randomly selects s ← Z _q ⁿ , and selects e ← D _Χ ^m and f ← D _Χ ^L at random;
a first cryptographic element calculation unit for calculating c ₀ ← A ^T s + e;
For δ∈ [h] and i∈ [μ], R _{δ, i} ← {-1, + 1} ^{m × m '} is chosen at random, and c _{δ, i} ← (A _{δ, i} + H (ww _{δ, i} ) · G) ^T s + R _{δ, i} ^T e∈Z _q ^{m ′}
a third cryptographic element calculation unit for calculating c ′ ← U ^T s + f + └q / 2┘m;
A ciphertext generator that outputs ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ′) as ciphertext,
Including
The decryption device
Decoding algorithm Dec (pp, dk _{(v ^ 1, ..., v ^ j)} , ct):
Secret key dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and ciphertext ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ')
δ∈ for _{[j] c v ^ δ ←} Σ i = 1 μ H g (vv δ, i) · c δ, a first calculation unit for calculating a _i,
c ← [c ₀ | c _{v ^ 1} |… | c _{v ^ j} ], s ← Invert (F _{(v ^ 1,…, v ^ j)} , T _{(v ^ 1,…, v ^ j)} , a second calculation unit for calculating c);
a third calculation unit for calculating d ← c'-U ^T s;
Rounded each element of (2 / q) d to the nearest integer, and made each even and odd correspond to 0/1, and the resulting vector is the decrypted plaintext m∈ {0,1} ^L A hierarchical inner product cryptosystem including an output decryption unit.
However,
GenTrap (1 ^κ , q, n, m):
An algorithm that outputs a set of bases T (A, T) ∈Z _q ^{n × m} × Z ^{m × m} of matrix A∈Z _q ^{n × m} , Λ _q ^⊥ (A),
Invert (A, T, c):
An algorithm that outputs s∈Z _q ^{n such} that c = A ^T s + e when ^T is the basis of Λ _q ^⊥ (A),
H _g is defined as H _g : GF (q ⁿ ) → Z _q ^{nk × nk} , H _g (aa) = D _g (H (aa)) ∈B ^{nk × nk} ⊆Z _q ^{nk × nk}
For positive integer b ≧ 2, B = {0,1, ..., b-1} ⊆Z _q , g = (1, b, ..., b ^k-1 ) ∈Z _q ^k , q ≦ b ^k For a∈Z _q , d _g (a) = (a ₁ , ..., a _k ) ^T ∈B ^k is a function such that a = Σ _{i = 1} ^k a _i · b ^i-1 Defined as
D _g is ^{defined as} D _g : Z _q → B ^{k × k} , a → [d _g (a) d _g (ba)… d _g (b ^k−1 a)] ∈B ^{k × k}
An extension of the domain of D _{g for} the matrix A = {a _{i, j} } ∈Z _q ^{n × m}

Defined as
η is defined as η: GF (q ⁿ ) → Z _q ⁿ , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → (a ₀ ,…, a _n-1 ) ^T
H, GF (q ⁿ ) → Z _q ^{n × n} , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → [η (aa) η (aX)… η (aX ^{n -1} )]]. In the hierarchical inner product cryptosystem according to claim 1,
The decryption device
Key generation algorithm Delg (pp, dk _{(v ^ 1, ..., v ^ j)} , (v ^ _{j + 1} , ..., v ^ _s )):
For dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and δ∈ [s], v ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ
For δ∈ [s], let C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} and F _{(v ^ 1,…, v ^ j, v ^ j + 1,…, v ^ s)} = [A | C _{v ^ 1} |… | C _{v ^ s} ] ∈Z _q ^{n × (m + sm ')} , T _{(v ^ 1,…, v ^ j, v ^ j + 1,…, v ^ s)} ← DelgBasis (T _{(v ^ 1,…, v ^ j)} , F _{(v ^ 1,…, v ^ j)} , σ _s ) , Dk _{(v ^ 1,..., V ^ s)} = T _{(v ^ 1,..., V ^ s)} is further included.
However,
ExtBasis (T, A ^ = [A | C]):
When T is a base of the Λ _q ^⊥ (A), an algorithm that outputs the base T 'of Λ _q ^⊥ (A ^),
RandBasis (S, s):
When S is a basis of a lattice Λ _q ^⊥ (A), an algorithm that outputs a random basis S 'of the lattice Λ _q ^⊥ (A),
DelgBasis (T, A ^ = [A | C], s):
An algorithm that outputs a matrix T 'corresponding to A ^ when T is the basis of Λ _q ^⊥ (A), given by S ← ExtBasis (T, A ^), T' ← RandBasis (S, s) It is done. A hierarchical inner product encryption method in a hierarchical inner product encryption system based on a lattice problem, comprising a key issuing device, an encryption device, and a decryption device,
Security parameters kappa, d a hierarchy of maximum depth, the length of the attribute vectors mu, the bit length of plaintext L, n, q, parameters for each grating m, sigma _1, ..., key a sigma _d Issuing parameters, D _Χ distribution on Z _q , b, k = ┌log _b q┐, m '= nk are size parameters, g = (1, b, ..., b ^k-1 ) ∈ Z _q ^k, gg = gg the (x) ∈Z _q [x] and _{^{GF (q n) = Z q}} [x] / monic irreducible polynomial that defines the <gg>, {1 for a natural number n, ..., n } the expressed as [n], the lattice lambda _q ^⊥ for the matrix ^{_{A∈Z q n × m (a)}} = {z∈Z m: there is s∈Z _q ⁿ to be z≡A ^T s (mod q) Do}
age,
Setup algorithm Setup (1 ^κ , d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg):
_{1. (A, T ┬) ←} GenTrap (1 κ, q, n, m),
2. For δ∈ [d] and i∈ [μ], choose A _{δ, i} ← Z _q ^{n × m '} at random,
3. By selecting U ← Z _q ^{n × L} at random, the common parameters pp = ((κ, d, μ, L, n, q, m, m ′, {σ _i } _{i∈ [d]} , b, k, gg), A, {A _{δ, i} }, U) and master secret key msk = (T _，, pp)
The key generation unit of the key issuing device
Key generation algorithm Gen (pp, msk, (v ^ ₁ , ..., v ^ _j )): (v ^ ₁ , ..., v ^ _j ) is a key attribute vector, 1≤j≤d, and δ∈ [j] V ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ , C _{v ^ δ} = Σ _{i = 1} ^μ A _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} , F _{(v ^ 1,…, v ^ j)} = [A | C _{v ^ 1} |… | C _{v ^ j} ] ∈Z _q ^{n × (m + jm')} _{(v ^ 1, ..., v} ^ j) ← DelgBasis (T ┬, F (v ^ 1, ..., v ^ j), σ j), the execution, the secret key _{dk (v ^ 1, ...,} v ^ _j) a key generation step for outputting = T _{(v ^ 1, ..., v ^ j)} ;
In the encryption device,
Encryption algorithm _{Enc (pp, (w ^ 1} , ..., w ^ h), m∈ {0,1} L) :( w ^ 1, ..., w ^ h) the encryption attribute vector, the I _n n rows An identity matrix of n columns, (×) is a Kronecker product, and for δ∈ [h], w ^ _δ = (ww _{δ, 1} , ..., ww _{δ, μ} ) ∈GF (q ⁿ ) ^μ , G ← I _n (×) (1, b, ..., b ^k-1 )
A selection step in which the selection unit randomly selects s ← Z _q ^n, and randomly selects e ← D _Χ ^m and f ← D _Χ ^L ;
A first cryptographic element calculation unit for calculating c ₀ ← A ^T s + e;
The second cryptographic element calculation unit randomly selects R _{δ, i} ← {-1, + 1} ^{m × m ′} for δ∈ [h] and i∈ [μ], and c _{δ, i} ← (A _{δ , I} + H (ww _{δ, i} ) · G) ^T s + R _{δ, i} ^T e∈Z _q ^{m ′} ;
A third cryptographic element calculation unit for calculating c ′ ← U ^T s + f + └q / 2┘m;
A ciphertext generation unit that outputs ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ′) as ciphertext, and
In the decoding device,
Decoding algorithm Dec (pp, dk _{(v ^ 1, ..., v ^ j)} , ct):
Secret key dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and ciphertext ct = (c ₀ , {c _{δ, i} } _{δ∈ [h], i∈ [μ]} , c ')
The first calculation unit, Deruta∈ for _{[j] c v ^ δ ←} Σ i = 1 μ H g (vv δ, i) · c δ, a first calculation step of calculating a _i,
The second calculation unit sets c ← [c ₀ | c _{v ^ 1} | ... | c _{v ^ j} ] and s ← Invert (F _{(v ^ 1, ..., v ^ j)} , T _{(v ^ 1, ... , V ^ j)} , c), a second calculation step,
A third calculation unit for calculating d ← c′−U ^T s;
And the decryption unit rounds each element of (2 / q) d to the nearest integer and associates even / odd with 0/1, resulting in the decrypted plaintext m∈ {0 , 1} A hierarchical inner product encryption method having a decryption step of outputting as ^L.
However,
GenTrap (1 ^κ , q, n, m):
An algorithm that outputs a set of bases T (A, T) ∈Z _q ^{n × m} × Z ^{m × m} of matrix A∈Z _q ^{n × m} , Λ _q ^⊥ (A),
Invert (A, T, c):
An algorithm that outputs s∈Z _q ^{n such} that c = A ^T s + e when ^T is the basis of Λ _q ^⊥ (A),
H _g is defined as H _g : GF (q ⁿ ) → Z _q ^{nk × nk} , H _g (aa) = D _g (H (aa)) ∈B ^{nk × nk} ⊆Z _q ^{nk × nk}
For positive integer b ≧ 2, B = {0,1, ..., b-1} ⊆Z _q , g = (1, b, ..., b ^k-1 ) ∈Z _q ^k , q ≦ b ^k For a∈Z _q , d _g (a) = (a ₁ , ..., a _k ) ^T ∈B ^k is a function such that a = Σ _{i = 1} ^k a _i · b ^i-1 Defined as
D _g is ^{defined as} D _g : Z _q → B ^{k × k} , a → [d _g (a) d _g (ba)… d _g (b ^k−1 a)] ∈B ^{k × k}
An extension of the domain of D _{g for} the matrix A = {a _{i, j} } ∈Z _q ^{n × m}

Defined as
η is defined as η: GF (q ⁿ ) → Z _q ⁿ , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → (a ₀ ,…, a _n-1 ) ^T
H, GF (q ⁿ ) → Z _q ^{n × n} , aa = a ₀ + a ₁ X +… + a _n-1 X ^n-1 → [η (aa) η (aX)… η (aX ^{n -1} )]]. The hierarchical inner product encryption method according to claim 3,
In the decoding device,
Key generation algorithm Delg (pp, dk _{(v ^ 1, ..., v ^ j)} , (v ^ _{j + 1} , ..., v ^ _s )):
For dk _{(v ^ 1, ..., v ^ j)} = T _{(v ^ 1, ..., v ^ j)} and δ∈ [s], v ^ _δ = (vv _{δ, 1} , ..., vv _{δ, μ} ) ∈GF (q ⁿ ) ^μ
The key generator sets C _{v ^ δ} = Σ _{i = 1} ^μA _{δ, i} · H _g (vv _{δ, i} ) ∈Z _q ^{n × m '} for δ∈ [s], and F _{(v ^ 1, ... , V ^ j, v ^ j + 1,…, v ^ s)} = [A | C _{v ^ 1} |… | C _{v ^ s} ] ∈Z _q ^{n × (m + sm ')} , T _{(v ^ 1, ..., v ^ j, v ^ j + 1, ..., v ^ s)} ← DelgBasis (T _{(v ^ 1, ..., v ^ j)} , F _{(v ^ 1, ..., v ^ j)} , σ _s ), and a key generation step of outputting dk _{(v ^ 1, ..., v ^ s)} = T _{(v ^ 1, ..., v ^ s)} .
However,
ExtBasis (T, A ^ = [A | C]):
When T is a base of the Λ _q ^⊥ (A), an algorithm that outputs the base T 'of Λ _q ^⊥ (A ^),
RandBasis (S, s):
When S is a basis of a lattice Λ _q ^⊥ (A), an algorithm that outputs a random basis S 'of the lattice Λ _q ^⊥ (A),
DelgBasis (T, A ^ = [A | C], s):
An algorithm that outputs a matrix T 'corresponding to A ^ when T is the basis of Λ _q ^⊥ (A), given by S ← ExtBasis (T, A ^), T' ← RandBasis (S, s) It is done.       An encryption device included in the hierarchical inner product encryption system according to claim 1 or 2.       A decryption device included in the hierarchical inner product cryptosystem according to claim 1 or 2.       A key issuing device included in the hierarchical inner product encryption system according to claim 1 or 2.

Images