JP2018112612A - Encryption system, set up device, key generation device, encryption device, decryption device, obfuscation device, execution device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To configure a functional type encryption having a collusion simplicity.SOLUTION: A master public-key generation program Σ is generated by acquiring a key k0 of a pseudo-random function F ' and a random bit sequence ρ, and an unidentifiable and obfuscated obfuscation program sxi0(Σ) is defined as mpk 2, and (KO, ρ0) is defined as msk 2. Both mpk1and msk1randomized by F '(Ko,(ρ0,i) ) are obtained, and skf=(sk,i) are obtained with respect to msk1i and a function f2. In the encryption, a cipher text generation program η'is generated and the obfuscation program ct=sxi0(η') making it unidentifiable and obfuscated is obtained. In the decryption, ctis obtained with respect to i taken from a secrete key sk, thereby decoding ctby sk.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a functional encryption technique, and more particularly to an indistinguishability obfuscation technique.

  “Obfuscation” refers to converting an input program into a different program. In particular, when two different programs with the same function are converted, “obfuscation” that cannot determine which program is obtained by converting which program is converted to “Indistinguishability (Indistinguishability) Obfuscation) "(see, for example, Non-Patent Document 1). A configuration method using a general encryption function is known as one of the configuration methods of an indistinguishability obfuscation device that performs such obfuscation (see, for example, Non-Patent Documents 2 to 5). For example, in the configuration methods described in Non-Patent Documents 2 and 3, an indistinguishability obfuscator is configured using 1-keyweakly-succinct public key function type encryption. Further, in the configuration method described in Non-Patent Document 5, an indistinguishability obfuscator is configured by using unbounded-key non-succinct secret key function encryption and (standard) public key encryption. (Definition of terms will be described later).

Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters, “Candidate indistinguishability obfuscation and functional encryption for all circuits,” In 54th FOCS, pages 40-49. IEEE Computer Society Press, October 2013. Prabhanjan Ananth and Abhishek Jain, “Indistinguishability obfuscation from compact functional encryption,” In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 308-326. Springer, Heidelberg, August 2015. Nir Bitansky and Vinod Vaikuntanathan, “Indistinguishability obfuscation from functional encryption,” In Guruswami [Gur15], pages 171-190. Prabhanjan Ananth, Abhishek Jain, and Amit Sahai, “Indistinguishability obfuscation from functional encryption for simple functions,” Cryptology ePrint Archive, Report 2015/730, 2015. Nir Bitansky, Ryo Nishimaki, Alain Passel`egue, and Daniel Wichs, “From cryptomania to obfustopia through secret-key functional encryption,” IACR Cryptology ePrint Archive, 2016: 558, 2016.

In the conventional configuration method, the function type encryption whose size of the encryption circuit depends on the size of the function f corresponding to the secret key (1-key weakly-succinct public key function type encryption or unbounded-key non-succinct secret key function type Cryptography) was used to construct an indistinguishability obfuscation device. However, if it is possible to use a functional encryption with a collusion simplicity that is less dependent on the size of the function f of the size of the encryption circuit, the calculation cost and storage capacity required for obfuscation of indistinguishability are further reduced. it can.
The present invention has been made in view of these points, and an object thereof is to provide a functional encryption having collusion simplicity.

Second function type encryption setup algorithm PKFE2. setup, key generation algorithm FE2. keygen, encryption algorithm PKFE2. enc and the decoding algorithm FE2. Dec is executed. However, q is an integer greater than or equal to 1, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is a first function encryption key generation algorithm that receives a master secret key msk1 and a predetermined function f1, and generates a secret key sk _f1 for the function f1, and PKFE1. enc is a first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and includes FE1. Dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 and generates the function value f1 (m) of the message m.

Setup algorithm PKFE2. In the setup, (1) a key K ₀ and a random bit string ρ ₀ of the pseudo random function F ′ are obtained, and (2) a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ ) for the input i∈ [q]. , I)) and PKFE1. A master public that executes a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with a pseudo-random number r _i ′, and outputs a master public key mpk1 _i A key generation program Σ is generated, and (3) an obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ is obtained as a master public key mpk2, and (K ₀ , ρ ₀ ) is a master secret Obtained as key msk2.

FE2. In keygen, one of i∈ [q], master secret key msk2, and a predetermined function f2 is input, and PKFE1. Execute setup to obtain a master public key mpk1 _i and a master secret key msk1 _i randomized with pseudorandom numbers F ′ (K ₀ , (ρ ₀ , i)), and FE1. Keygen is executed to generate a master secret key msk1 _i and a secret key sk _f2 ⁽ⁱ⁾ for the function f2, and obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i).

Encryption algorithm PKFE2. In enc, (1) obtaining a key K of a puncturable pseudorandom function F, and (2) executing an obfuscated program sxiO (Σ) on the input i∈ [q] to obtain a master public key mpk1 _i And a step of generating a pseudo random number r _i = F (K, i) for the input i∈ [q], and the master public key mpk1 _i , the message m, and the pseudo random number r _i as inputs. executing enc to obtain a ciphertext ct _i randomized with a pseudo-random number r _i , obtaining a ciphertext generation program η ′ for executing, and (3) reading the ciphertext generation program η ′ indistinguishable The obfuscated program ct = sxiO (η ′) is obtained.

Decoding algorithm FE2. In dec, as input the secret key _{sk f2} and obfuscated program ct, resulting ciphertext ct _i for i∈ was removed from the secret key _{sk f2} [q], enter the secret key _sk ^{f2 (i)} and the ciphertext ct _i As FE1. Dec is executed to obtain a restoration value.

  This makes it possible to configure a functional encryption with collusion simplicity.

FIG. 1 is a block diagram exemplifying a functional cryptosystem having q-key collusion simplicity. FIG. 2 is a block diagram illustrating a functional cryptographic system having q-key collusion simplicity. FIG. 3 is a block diagram illustrating an example of a functional cryptosystem having 1-key complete simplicity. FIG. 4 is a block diagram illustrating an indistinguishability obfuscation device using 1-key complete simplicity public key function type encryption.

Embodiments of the present invention will be described below.
[Assumption]
First, the premise of the embodiment will be described.
“Obfuscation” refers to converting an input program into a different program (see, for example, Non-Patent Document 1). The function of the program after conversion is completely the same as the function of the program before conversion. The converted program does not leak information about the program before conversion. In particular, “Indistinguishability Obfuscation” means that when two different programs with the same function are converted, it is impossible to determine which program is obtained by converting the converted program. It means “obfuscated”. “Obfuscator” means an obfuscation device, and “Indistinguishability Obfuscator (iO)” means an indistinguishability obfuscation device. The “indistinguishability obfuscator” for the circuit family {C _λ } _λ∈N to which the circuit described by the program belongs is described as “functionality” and “identification”. Satisfying “impossibility”.
“Functionality” means that any security parameter λ∈N, any program C∈ {C _λ } _λ∈N , and any input x satisfy the following. Where N represents a natural number, Pr [α] represents the probability of event α, iO (C) represents obfuscation of C by iO, and α ← β represents that the result of β is α .
Pr [C '(x) = C (x): C' ← iO (C)] = 1
That is, iO satisfies the functionality means that when an arbitrary program C is converted into a program C ′ by a stochastic polynomial time machine iO, the output C ′ (x) of the program C ′ with respect to the input x and the output C of the program C (X) means equal.
“Indistinguishability” means that for any polynomial size discriminator D, there is a negligible function δ (•), an arbitrary security parameter λ∈N, an arbitrary program pair (circuit pair) having the same size. ) For C ₀ , C ₁ ∈ C _λ and C ₀ (x) = C ₁ (x) for any input x, this means that:
Pr [D (iO (C ₀ )) = 1] -Pr [D (iO (C ₁ )) = 1] ≦ δ (λ)
That is, the iO satisfies the impossibility identification, iO determination result _D (iO (C 0)) of the _{(C 0) (iO (C} 0) or that such one obtained by obfuscating _{C 0 C 1} And the probability that iO (C ₀ ) is obtained by obfuscating C ₁ ) and iO (C ₁ the determination result D of) (iO _(C 1)) is 1 (e.g., iO _{(C 1)} that is negligible difference between the discrimination to) the probability that the one obtained by obfuscating _{C 1} Means.

“Public-Key Functional Encryption (PKFE)” means functional encryption that performs encryption using a master public key. The public key function type encryption algorithm (PKFE.setup, FE.keygen, PKFE.enc, FE.dec) is shown below (for example, Non-Patent Document 5, Reference Document 1 (Dan Boneh, Amit Sahai, Brent Waters, " Functional Encryption: Definitions and Challenges, "Proceedings of Theory of Cryptography Conference (TCC) 2011)).
Setup algorithm (PKFE.setup): An arbitrary security parameter λεN representing a key length (bit length) is input, and a master public key mpk (system parameter) and a master secret key msk are generated.
(mpk, msk) ← PKFE.setup (1 ^λ )
Key generation algorithm (FE.keygen): A master secret key msk and a function f are input, and a secret key sk _f for the function _f is generated. The function f may be an arbitrary function, for example, a function satisfying f (m) = m or f (m) = ⊥. However, ⊥ represents an error.
sk _f ← FE.keygen (msk, f)
Encryption algorithm (PKFE.enc): A master public key mpk and a message m are input and a ciphertext c is generated.
c ← PKFE.enc (mpk, m)
Decryption algorithm (FE.dec): The function key f (m) of the message m is generated by inputting the secret key sk _f and the ciphertext c for the function f.
f (m) ← FE.dec (sk _f , c)

“Secret-key functional encryption (SKFE)” means functional encryption that performs encryption using a master secret key. The secret key function type encryption algorithm (SKFE.setup, FE.keygen, SKFE.enc, FE.dec) is shown below (see, for example, Non-Patent Document 5).
Setup algorithm (SKFE.setup): An arbitrary security parameter λεN representing a key length (bit length) is input and a master secret key msk is generated.
msk ← SKFE.setup (1 ^λ )
Key generation algorithm (FE.keygen): A master secret key msk and a function f are input, and a secret key sk _f for the function _f is generated. The function f may be an arbitrary function, for example, a function satisfying f (m) = m or f (m) = ⊥. However, ⊥ represents an error.
sk _f ← FE.keygen (msk, f)
Encryption algorithm (SKFE.enc): A master secret key msk and a message m are input and a ciphertext c is generated.
c ← SKFE.enc (msk, m)
Decryption algorithm (FE.dec): The function key f (m) of the message m is generated by inputting the secret key sk _f and the ciphertext c for the function f.
f (m) ← FE.dec (sk _f , c)

The “1-key (single-key) method” means that the security is maintained when the number of times the key is issued by the key generation algorithm (that is, the number of times the attacker obtains the key) is one, This is an encryption method in which the security is not always maintained when the number of times of issuance is two or more.
The “bounded-key method” means that the security is maintained when the number of keys issued by the key generation algorithm is less than the number (multiple times) set in advance (when the setup algorithm is executed). An encryption method in which the security is not always maintained when the number of times of issuance exceeds a predetermined number. In particular, safety is maintained when the number of key issuances by the key generation algorithm is equal to or less than a predetermined q (where q ≧ 2), but safety is maintained when the number of key issuances exceeds q. An encryption method that is not always maintained is called a “q-Key method”.
The “unbounded-key scheme” refers to an encryption scheme that maintains security regardless of the number of times a key is issued by a key generation algorithm.

The “non-succinct method” refers to an encryption method in which the encryption circuit size | E | described by the encryption algorithm satisfies the following relationship. However, poly (α) represents a polynomial of α, n represents the length (bit length) of the message m, and | f | represents the size of the function f described above.
| E | = poly (λ, n, | f |)
The “weakly-succinct method” refers to an encryption method in which the size | E | of the encryption circuit described by the encryption algorithm satisfies the following relationship. However, ε satisfies 0 <ε <1.
| E | = poly (λ, n) ・ | f | ^1-ε
The “succinct (complete simplicity) method” refers to an encryption method in which the size | E | of the encryption circuit described by the encryption algorithm satisfies the following relationship.
| E | = poly (λ, n)
The “q-key collusion-succinctness (q-key collusion simplicity) method” means an encryption method in which the size | E | of the encryption circuit described by the encryption algorithm satisfies the following relationship. However, q represents the number of key issuance times by the key generation algorithm, and ε satisfies 0 <ε <1.
| E | = poly (λ, n, | f |) ・ q ^1-ε

  The “α method” function-type encryption defined above is called “α function type encryption”, the “α method” public key function type encryption is called “α public key function type encryption”, and the secret of “α method” The key function type encryption is called “α secret key function type encryption”. For example, a 1-key functional encryption is called a “1-key functional encryption”, a 1-key public key functional encryption is called a “1-key public key functional encryption”, and a 1-key method. Is called “1-key secret key function type encryption”. Also, by combining the terms of the plurality of methods defined above, an encryption method that combines the properties of those methods will be expressed. For example, a public key function cipher that has the properties of both the 1-key method and the weakly-succinct method is called `` 1-key weakly-succinct public key function cipher '', and both the bounded-key method and the non-succinct method The secret key function type cipher with the properties of `` slave key function cipher '' is called `` bounded-key non-succinct secret key function type cipher '' and the secret key function type cipher with the properties of both 1-key and succinct methods This is called “secret key function type encryption”.

“Strong Exponentially-Efficient Indistinguishability Obfuscator (SXIO)” refers to an indistinguishability obfuscation device iO in which the circuit size | iO | for realizing the obfuscation algorithm satisfies the following (for example, see Non-Patent Document 5). Where λ represents a security parameter, | C | represents the size of the circuit described by the program C to be obfuscated, n represents the magnitude (number of bits) of the input value to the circuit, and ε represents 0 <ε <1 is satisfied. 2 ⁿ is the total number of input values to the encryption algorithm.
| iO | = poly (λ, | C |) ・ 2 ^{n (1-ε)}

“Γ-compressing Strong Exponentially-Efficient Indistinguishability Obfuscator (γ-SXIO)” is the execution time of SXIO for input (1 ^λ , C) for any security parameter λ∈N and program C∈ {C _λ } _λ∈N. Is at most 2 ^nγ · poly (λ, | C |) (Non-trivial time efficiency) an indistinguishability obfuscation device iO (see, for example, Non-Patent Document 5). However, γ satisfies 0 <γ <1.

[principle]
Next, the principle will be described.
<Q-key collusion-succinctness PKFE (I)>
Using the first function type cipher that is a 1-key public key function type cipher and γ-SXIO, the second function type cipher (PKFE2.setup, FE2.keygen, PKFE2.enc, FE2.dec).
However, q is an integer greater than or equal to 1 (for example, q is an integer greater than or equal to 2), and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is a first function encryption key generation algorithm that receives a master secret key msk1 and a predetermined function f1, and generates a secret key sk _f1 for the function f1, and PKFE1. enc is a first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and includes FE1. Dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 and generates the function value f1 (m) of the message m.
Reference 2 (Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee, “Functional encryption with bounded collusions via multi-party computation,” In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 162-179 Springer, Heidelberg, August 2012) discloses a method for constructing an r-key public key functional cipher from public key cryptography (where r is an integer of 1 or more, for example, r is 2 or more). Is an integer). Since the r-key public key function encryption is also a 1-key public key function encryption, the r-key public key function encryption obtained in Reference 2 can be used as the first function encryption. Non-Patent Document 5 discloses a method of constructing γ-SXIO satisfying 1/2 ≦ γ ≦ 1 from a known 1-key complete simplicity secret key function type encryption.

Setup algorithm (PKFE2.setup (1 ^λ)):
PKFE2. setup (1 ^λ ) takes PKFE1... for each i∈ [q] with λ as input. Execute setup to generate a set of master public key mpk1 _i and master secret key msk1 _i . That is, PKFE2. setup generates q pairs of (mpk1 _i , msk1 _i ) (where i∈ [q], [q] means {1, 2,..., q}).
(mpk1 _i , msk1 _i ) ← PKFE1.setup (1 ^λ ) for i∈ [q]
Where λ is a positive integer security parameter and PKFE1. setup gets randomized (mpk1 _i , msk1 _i ) for each iε [q]. PKFE2. The setup is obtained from (mpk1 _i , msk1 _i ) obtained for each i∈ [q], and the master public key (system parameter) mpk2 = (mpk1 ₁ ,..., mpk1 _q ) and the master secret key msk2 = (msk1 ₁ , ..., and outputs it to obtain a msk1 _q).

Key generation algorithm (FE2.keygen (msk2, f2, i)):
FE2. keygen (msk2, f2, i) is input to FE1... FE1... with any iε [q], master secret key msk2, and a predetermined function f2. The keygen is executed to generate the secret key sk _f2 ⁽ⁱ⁾ for the function f2, and the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2 is obtained and output.
sk _f2 ⁽ⁱ⁾ ← FE1.keygen (msk1 _i , f2)

Encryption algorithm (PKFE2.enc (mpk2, m)):
PKFE2. enc (mpk2, m) generates a key K of the puncturable pseudorandom function F, generates a ciphertext generation program η, and obfuscation program ct = Obtain sxiO (η). However, PKFE2. PKFE1 enc ciphertext generator η of the steps of generating a pseudo-random number _{r i} for the inputted i ∈ [q], the master public key MPK1 _i, message m, and a pseudo-random number _{r i} as input. executing enc to obtain a ciphertext ct _i randomized with a pseudo-random number r _i (where ct _i is a ciphertext of the message m). The punchable pseudo random function F receives the key K and the index i and outputs a pseudo random number F (K, i) corresponding to them. The concept of a puncturable pseudorandom function is described in, for example, Reference 3 (Amit Sahai, Brent Waters, “How to Use Indistinguishability Obfuscation: Deniable Encryption, and More,” Proceeding STOC '14 Proceedings of the 46th Annual ACM Symposium on Theory of Computing, Pages 475-484). The specific structure of the puncturable pseudorandom function is described in Reference 4 (Dan Boneh, Brent Waters, “Constrained Pseudorandom Functions and Their Applications,” Advances in Cryptology-ASIACRYPT 2013, Volume 8270 of the series Lecture Notes in Computer Science pp. 280-300). Note that a puncturable pseudorandom function F may be used as the above-described pseudorandom function F ′.

≪PKFE2. enc's ciphertext generation program η >>
Hardwired: K, m, mpk1 ₁ ,…, mpk1 _q
Input: A certain index i∈ [q]
1. Calculate r _i = F (K, i).
2. Ciphertext ct _i <-PKFE1.enc (mpk1 _i , m; r _i ) is generated.
3. Output ciphertext ct _i .
The obfuscated program ct = sxiO (η) is the ciphertext generation program η obfuscated by γ-SXIO.

Decoding algorithm (FE2.dec (sk _f2 , ct)):
FE2. dec (sk _f2 , ct) receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscated program ct = sxiO (η) as input, and i∈ [q] extracted from the secret key sk _f2 The ciphertext ct _i is obtained by inputting ct = sxiO (η) and executing ct = sxiO (η). By inputting i into the obfuscated program ct due to the “functionality” of obfuscation, the ciphertext ct _i that is the output of the ciphertext generation program η with respect to _i is obtained. Furthermore, FE2. dec _(sk f2, ct) is, FE1 as input a secret key _sk ^{f2 (i)} and the resulting ciphertext ct _i taken out from the secret key _{sk f2.} Dec is executed to obtain and output a restoration value m ′.
m '← FE1.dec (sk _f2 ⁽ⁱ⁾ , ct _i )
When decoding is performed correctly, m ′ = f2 (m).

<Q-key collusion simplicity public key function type encryption (II)>
The other structure of q-key collusion simplicity public key functional encryption is shown. Using the first function type cipher that is a 1-key public key function type cipher and γ-SXIO, the second function type cipher (PKFE2.setup, FE2.keygen, PKFE2.enc, FE2.dec).

Setup algorithm (PKFE2.setup (1 ^λ)):
PKFE2. The setup (1 ^λ ) first obtains a key K ₀ and a random bit string ρ ₀ ε {0, 1} ^λ of the pseudo-random function F ′ by using λ as an input. The key K ₀ and the random bit string ρ ₀ are selected at random, for example. Next, PKFE2. setup (1 ^λ ) generates a master public key generation program Σ. However, PKFE2. The setup master public key generation program Σ obtains a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i)) for the input i∈ [q], and PKFE1. a program for executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with a pseudorandom number r _i ′, and outputting a master public key mpk1 _i is there. The pseudo-random function F ′ receives the key K ₀ and the index (ρ ₀ , i) and outputs a pseudo-random number F ′ (K ₀ , (ρ ₀ , i)) corresponding to them. The index (ρ ₀ , i) is uniquely determined from (ρ ₀ , i), and is, for example, a bit combination value of ρ ₀ and i. Furthermore, PKFE2. The setup (1 ^λ ) obtains and outputs the obfuscated program sxiO (Σ) obtained by obfuscating the master public key generation program Σ as the master public key mpk2, and outputs (K ₀ , ρ ₀ ) as the master secret key. Obtained as msk2 and output.
mpk2: = sxiO (Σ)
msk2: = (K ₀ , ρ ₀ )

≪PKFE2. setup master public key generation program Σ >>
Hardwired: K ₀ , ρ ₀
Input: A certain index i∈ [q]
1. Calculate r _i '= F' (K ₀ , (ρ ₀ , i)).
2. A key pair (mpk1 _i , msk1 _i ) ← PKFE1.setup (1 ^λ ; r _i ′) is generated.
3. Outputs master public key mpk1 _i .

Key generation algorithm (FE2.keygen (msk2, f2, i)):
FE2. keygen (msk2, f2, i) is input with λ, one of i∈ [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and a predetermined function f2, and PKFE1. The setup is executed to obtain the master public key mpk1 _i and the master secret key msk1 _i randomized by the pseudorandom number F ′ (K ₀ , (ρ ₀ , i)).
(mpk1 _i , msk1 _i ) ← PKFE1.setup (1 ^λ ; F '(K ₀ , (ρ ₀ , i)))
Also, FE2. keygen (msk2, f2, i) is FE1. Execute keygen to generate a master secret key msk1 _i and a secret key sk _f2 ⁽ⁱ⁾ for function f2.
sk _f2 ⁽ⁱ⁾ ← FE1.keygen (msk1 _i , f2)
Furthermore, FE2. The keygen (msk2, f2, i) obtains and outputs the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2.
sk _f2 : = (sk _f2 ⁽ⁱ⁾ , i)

Encryption algorithm (PKFE2.enc (mpk2, m)):
PKFE2. enc (mpk2, m) obtains the key K of the puncturable pseudorandom function F. For example, the key K is randomly generated. Also, PKFE2. enc (mpk2, m) generates a ciphertext generation program η ′. However, PKFE2. The enc ciphertext generation program η ′ executes the obfuscation program sxiO (Σ) for the input i∈ [q] to obtain the master public key mpk1 _i , and the pseudo for the input i∈ [q]. A step of generating a random number r _i = F (K, i), a master public key mpk1 _i , a message m, and a pseudo-random number r _i as inputs, executing enc to obtain a ciphertext ct _i randomized with a pseudo-random number r _i (where ct _i is a ciphertext of the message m). From the “functionality” of obfuscation, the value sxiO (Σ) (i) obtained by executing the obfuscation program sxiO (Σ) for a certain i∈ [q] is the master public key for this i∈ [q]. It is equal to the value Σ (i) obtained by executing the generation program Σ. Furthermore, PKFE2. enc (mpk2, m) obtains and outputs an obfuscated program ct = sxiO (η ′) obtained by obfuscating the ciphertext generation program η ′.

≪PKFE2. enc's ciphertext generation program η '>>
Hardwired: K, m, mpk2 = sxiO (Σ)
Input: An index i∈ [q]
1. mpk1 _i ← sxiO (Σ) (i)
2. Calculate r _i = F (K, i).
3. Ciphertext ct _i <-PKFE1.enc (mpk1 _i , m; r _i ) is generated.
4). Output ciphertext ct _i .

Decoding algorithm (FE2.dec (sk _f2 , ct)):
FE2. dec (sk _f2 , ct) receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscation program ct, and inputs the ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2. obtain. By inputting i to the obfuscated program ct by the “functionality” of obfuscation, the ciphertext ct _i that is the output of the ciphertext generation program η ′ for _i is obtained.
ct _i ← ct (i)
Also, FE2. dec _(sk f2, ct) is, FE1 as input the secret key _sk ^{f2 (i)} and the resulting ciphertext ct _i extracted from the secret key _{sk f2.} Dec is executed to obtain and output a restoration value m ′.
m '← FE1.dec (sk _f2 ⁽ⁱ⁾ , ct _i )

<Q-key collusion-succinctness SKFE (I)>
Using the first function type cipher that is a 1-key secret key function type cipher and γ-SXIO, the second function type cipher (SKFE2.setup, FE2.keygen, SKFE2.enc, FE2.dec).
However, q is an integer greater than or equal to 1 (for example, q is an integer greater than or equal to 2), and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of a first functional encryption that receives a master secret key msk1 and a predetermined function f1 as input and generates a secret key sk _f1 for the function f1, SKFE1. enc is a first functional encryption algorithm that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and includes FE1. Dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 and generates the function value f1 (m) of the message m. Reference 2 discloses a method of constructing an r-key secret key function type encryption from a one-way function. Since the r-key secret key function type cipher is also a 1-key secret key function type cipher, the r-key secret key function type cipher obtained in Reference 2 can be used as the first secret type cipher.

Setup algorithm (SKFE2.setup (1 ^λ)):
SKFE2. setup (1 ^λ ) takes λ as an input, and for each i∈ [q], SKFE1. Execute setup to generate a set of master secret keys msk1 _i . That is, SKFE2. setup generates q msk1 _i (where i∈ [q], [q] means {1, 2,..., q}).
msk1 _i ← SKFE1.setup (1 ^λ ) for i∈ [q]
Where λ is a positive integer security parameter and SKFE1. setup obtains a random msk1 _i for each iε [q]. SKFE2. The setup obtains and outputs the master secret key msk2 = (msk1 ₁ ,..., msk1 _q ) from msk1 _i obtained for each i∈ [q].

Key generation algorithm (FE2.keygen (msk2, f2, i)):
FE2. keygen (msk2, f2, i) is input to FE1... FE1... with any iε [q], master secret key msk2, and a predetermined function f2. The keygen is executed to generate the secret key sk _f2 ⁽ⁱ⁾ for the function f2, and the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2 is obtained and output.
sk _f2 ⁽ⁱ⁾ ← FE1.keygen (msk1 _i , f2)

Encryption algorithm (SKFE2.enc (msk2, m)):
SKFE2. enc (msk2, m) generates a key K of the puncturable pseudorandom function F, generates a ciphertext generation program μ, and obfuscates the program ct = Obtain sxiO (μ). However, SKFE2. SKFE1 enc ciphertext generator μ of the steps of generating a pseudo-random number _{r i} for the inputted i ∈ [q], the master secret key MSK1 _i, message m, and a pseudo-random number _{r i} as input. executing enc to obtain a ciphertext ct _i randomized with a pseudo-random number r _i . The punchable pseudo random function F receives the key K and the index i and outputs a pseudo random number F (K, i) corresponding to them.
≪SKFE2. enc's ciphertext generation program μ >>
Hardwired: K, m, msk1 ₁ ,…, msk1 _q
Input: A certain index i∈ [q]
1. Calculate r _i = F (K, i).
2. Cipher text ct _i ← SKFE1.enc (msk1 _i , m; r _i ) is generated.
3. Output ciphertext ct _i .
The obfuscated program ct = sxiO (μ) is obtained by obfuscating the ciphertext generation program μ with γ-SXIO.

Decoding algorithm (FE2.dec (sk _f2 , ct)):
FE2. dec (sk _f2 , ct) receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscated program ct = sxiO (μ) as input, and i∈ [q] extracted from the secret key sk _f2 The ciphertext ct _i is obtained by inputting ct = sxiO (μ) and executing ct = sxiO (μ). Furthermore, FE2. dec _(sk f2, ct) is, FE1 as input the secret key _sk ^{f2 (i)} and the resulting ciphertext ct _i extracted from the secret key _{sk f2.} Dec is executed to obtain and output a restoration value m ′.
m '← FE1.dec (sk _f2 ⁽ⁱ⁾ , ct _i )
When decoding is performed correctly, m ′ = f2 (m).

<Q-key collusion simplicity secret key function type encryption (II)>
The other structure of q-key collusion simplicity secret key function type | mold encryption is shown. Using the first function type cipher that is a 1-key secret key function type cipher and γ-SXIO, the second function type cipher (SKFE2.setup, FE2.keygen, SKFE2.enc, FE2.dec).

Setup algorithm (SKFE2.setup (1 ^λ)):
SKFE2. The setup (1 ^λ ) first receives ^λ, and obtains a key K ₀ and a random bit string ρ ₀ ε {0, 1} ^λ of the pseudo-random function F ′. The key K ₀ and the random bit string ρ ₀ are selected at random, for example. SKFE2. The setup (1 ^λ ) obtains and outputs the master secret key msk2 = (K ₀ , ρ ₀ ).

Key generation algorithm (FE2.keygen (msk2, f2, i)):
FE2. The keygen (msk2, f2, i) receives λ, one of i∈ [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and a predetermined function f2, and executes the following processing.
FE2. keygen (msk2, f2, i) receives a key K ₀ and an index (ρ ₀ , i) as input and obtains a pseudo random number F ′ (K ₀ , (ρ ₀ , i)), and SKFE1. The setup is executed to obtain the master secret key msk1 _i randomized with the pseudo random number F ′ (K ₀ , (ρ ₀ , i)).
msk1 _i ← SKFE1.setup (1 ^λ ; F '(K ₀ , (ρ ₀ , i)))
Next, FE2. keygen (msk2, f2, i) is FE1. Execute keygen to generate a master secret key msk1 _i and a secret key sk _f2 ⁽ⁱ⁾ for function f2.
sk _f2 ⁽ⁱ⁾ ← FE1.keygen (msk1 _i , f2)
FE2. The keygen (msk2, f2, i) obtains and outputs the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2.
sk _f2 : = (sk _f2 ⁽ⁱ⁾ , i)

Encryption algorithm (SKFE2.enc (msk2, m)):
SKFE2. enc (msk2, m) obtains the key K of the puncturable pseudorandom function F. For example, the key K is randomly generated. Also, SKFE2. enc (msk2, m) obtains the ciphertext generation program μ ′. However, SKFE2. enc's ciphertext generation program μ ′ receives the master secret key msk2 = (K ₀ , ρ ₀ ) and i∈ [q] and inputs SKFE1. executing setup and obtaining a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i)), and generating a pseudorandom number r _i = F (K, i) And the master secret key msk1 _i , the message m, and the pseudorandom number r _i as inputs. executing enc to obtain a ciphertext ct _i randomized with a pseudo-random number r _i (where ct _i is a ciphertext of the message m).

≪SKFE2. enc's ciphertext generation program μ '>>
Hardwired: K, m, K ₀ , ρ ₀
Input: A certain index i∈ [q]
1. msk1 _i ← SKFE1.setup (1 ^λ ; F '(K ₀ , (ρ ₀ , i)))
2. Calculate r _i = F (K, i).
3. Cipher text ct _i ← SKFE1.enc (msk1 _i , m; r _i ) is generated.
4). Output ciphertext ct _i .

Furthermore, SKFE2. enc (msk2, m) obtains and outputs an obfuscated program ct = sxiO (μ ′) obtained by obfuscating the ciphertext generation program μ ′.
ct: = sxiO (μ ')

Decoding algorithm (FE2.dec (sk _f2 , ct)):
FE2. Dec (sk _f2 , ct) receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscation program ct, and executes the following processing.
First, FE2. dec (sk _f2 , ct) obtains ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2 . By inputting i to the obfuscated program ct due to the obfuscation “functionality”, the ciphertext ct _i that is the output of the ciphertext generation program μ ′ for _i is obtained.
ct _i ← ct (i)
Also, FE2. dec _(sk f2, ct) is, FE1 as input the secret key _sk ^{f2 (i)} and the resulting ciphertext ct _i extracted from the secret key _{sk f2.} Dec is executed to obtain and output a restoration value m ′.
m '← FE1.dec (sk _f2 ⁽ⁱ⁾ , ct _i )

<Q-key collusion simplicity>
The encryption algorithms (PKFE2.enc and SKFE2.enc) described above do not generate a ciphertext for each i∈ [q], but instead generate a ciphertext generation program η or μ that generates a ciphertext for i γ-SXIO. The obfuscated program ct = sxiO (η) or ct = sxiO (μ) obfuscated in (1) is generated. Due to the above-described property of SXIO, the size of the encryption circuit described by the encryption algorithm is poly (λ, | μ |) · ^2nγ . Here, since the total number of iε [q] that are input values to the obfuscated program ct is q = ²ⁿ , the size can be described as poly (λ, | μ |) · q ^γ . Also, since γ satisfies 0 <γ <1 and ε satisfies 0 <ε <1, it can be set as γ = 1−ε, and | μ | in the encryption algorithm is | f | Since it depends on the length L, it satisfies the requirement of q-key collusion simplicity. Therefore, the encryption schemes configured as described above are q-key collusion simplicity public key function type encryption and q-key collusion simplicity secret key function type encryption. By using such a functional encryption of the q-key collusion simplicity method for indistinguishability obfuscation, the calculation cost and storage capacity required for indistinguishability obfuscation can be reduced.

<1-key succinct PKFE (1-key succinct PKFE)>
By using the q-key collusion simple public key function type encryption described above, the 1-key complete simplicity public key function type encryption can be configured as follows.
PK-1. As described above, Reference 2 discloses a method of constructing r-key public key function type encryption from public key encryption.
PK-2. As described above, the q-key collusion simplicity public key function type is obtained by using the r-key public key function type cipher as the 1-key public key function type cipher (first function type cipher) and further using γ-SXIO. A cipher (second functional cipher) can be configured.
PK-3. Non-Patent Documents 3 and 4 disclose a method of configuring a 1-key complete simplicity public key function encryption (third function encryption) using q-key collusion simplicity public key function encryption. .

As a result, the r-key public key function type cipher configured using the public key cipher is referred to as “first function type cipher”, and the following 1-key complete simplicity public key function type cipher (1-key complete cipher) 3rd functional encryption with simplicity) can be constructed.
Setup algorithm (PKFE3.setup):
PKFE3. setup is PKFE2. Using setup, a master public key mpk3 and a master secret key msk3 of 1-key complete simplicity public key function type encryption are generated and output.
Key generation algorithm (FE3.keygen):
FE3. The keygen receives the master secret key msk3 and a predetermined function f3, and inputs FE2. Using keygen, a secret key sk _f3 (secret key sk _{f3 for} function _f3 ) of 1-key complete simplicity public key function type encryption is generated and output.
Encryption algorithm (PKFE3.enc):
PKFE3. enc receives the master public key mpk3 and the message m and inputs PKFE2. Using enc, the ciphertext c3 of the message m is generated and output in accordance with the 1-key complete simplicity public key function type encryption.
Decoding algorithm (FE3.dec):
FE3. dec receives the private key sk _f3 and the ciphertext c3, and inputs FE2. Dec is used to generate and output a function value f3 (m) of the message m in accordance with the 1-key complete simplicity public key function type encryption.

<Indistinguishability obfuscator>
As described above, γ-SXIO can be configured using a known 1-key complete simplicity secret key function type encryption (see Non-Patent Document 5). Non-Patent Documents 2 and 3 describe that an indistinguishability obfuscator can be configured using 1-key complete simplicity public key function type encryption. Therefore, the indistinguishability obfuscator can be configured by using the 1-key complete simplicity public key function type encryption (third function type encryption having 1-key complete simplicity) configured as described above. Furthermore, an indistinguishability obfuscator can be constructed from the public key cryptography and γ-SXIO from the above PK-1 to PK-3. That is, in total, an indistinguishability obfuscator can be constructed from 1-key complete simplicity secret key function type cipher and public key cipher (public key cipher obviously implies a one-way function).

  Public key function type ciphers must satisfy stronger security assumptions than secret key function type ciphers (public key function type ciphers can be converted to secret key function type ciphers), and private key function type ciphers are more public key functions. The requirements are lower and easier to handle than type encryption. For this reason, it is desirable to configure an indistinguishability obfuscation device using secret key function type encryption rather than public key function type encryption. In addition, the 1-key method, which maintains security when the number of key issuance times is 1, has more requirements than the unbounded-key encryption method, which maintains security regardless of the number of key issuances. Low and easy to handle. Therefore, it is preferable to use the 1-key method. Furthermore, since the size of the encryption circuit does not depend on the size of the function f, the complete simplicity method can reduce the calculation cost and the storage capacity. Therefore, it is preferable to use the complete simplicity method. Standard public key cryptography is one of the most standard cryptographic functions whose configuration methods are widely known, and is sufficiently low as a requirement. In this embodiment, an indistinguishability obfuscator can be constructed from 1-key complete simplicity secret key function cipher and public key cipher, so an indistinguishability obfusator can be constructed from weaker cryptographic assumptions than in the past. It can be said.

<1-key succinct SKFE (1-key succinct SKFE)>
In addition, by using the q-key collusion simple secret key function type encryption described above, a 1-key complete simplicity secret key function type encryption can be configured as follows.
SK-1. As described above, Reference 2 discloses a method of constructing an r-key secret key function type encryption from a one-way function.
SK-2. As described above, the r-key secret key function type cipher is used as the 1-key secret key function type cipher (first function type cipher), and the γ-SXIO is used to make the q-key collusion simple secret key function type. A cipher (second functional cipher) can be configured.
SK-3. Non-Patent Documents 3 and 4 disclose a method of configuring a 1-key complete simplicity secret key function type encryption (third function type encryption) using q-key collusion simple secret key function type encryption. .

As a result, the r-key secret key function cipher configured using the one-way function is referred to as “first function cipher”, and the following 1-key complete simplicity secret key function cipher (1-key) A third functional encryption with complete simplicity) can be constructed.
Setup algorithm (SKFE3.setup):
SKFE3. setup is SKFE2. Using setup, a master secret key msk3 of 1-key complete simplicity secret key function type encryption is generated and output.
Key generation algorithm (FE3.keygen):
FE3. The keygen receives the master secret key msk3 and a predetermined function f3, and inputs FE2. Using keygen, a secret key sk _f3 (secret key sk _{f3 for} function _f3 ) of 1-key complete simplicity secret key function type encryption is generated and output.
Encryption algorithm (SKFE3.enc):
SKFE3. enc receives the master secret key msk3 and the message m, and inputs SKFE2. Using enc, the ciphertext c3 of the message m is generated and output in accordance with the 1-key complete simplicity secret key function type encryption.
Decoding algorithm (FE3.dec):
FE3. dec receives the private key sk _f3 and the ciphertext c3, and inputs FE2. Dec is used to generate and output a function value f3 (m) of the message m in accordance with the 1-key complete simplicity secret key function type encryption.

[First Embodiment]
A first embodiment of the present invention will be described with reference to the drawings.
This embodiment is a specific example of <q-key collusion simplicity public key function encryption (I)> described above.
<Configuration>
As illustrated in FIG. 1, the encryption system 1 of this embodiment includes a setup device 11, a key generation device 12, an encryption device 13, and a decryption device 14. The setup device 11 includes, for example, a memory 111, a master key generation unit 112, and a communication unit 113. The key generation device 12 includes, for example, a memory 121, a pseudo random number generation unit 122, a secret key generation unit 123, and a communication unit 124. The encryption device 13 includes, for example, a memory 131, a pseudo random number generation unit 132, a pseudo random number key generation unit 133, a program generation unit 134, an obfuscation unit 135, and a communication unit 136. The decryption device 14 includes, for example, a memory 141, a ciphertext generation unit 142, a decryption unit 143, and a communication unit 144.

  The setup device 11, the key generation device 12, the encryption device 13, and the decryption device 14 store input information, information that needs to be saved in the calculation process, and calculation result information in the memories 111, 121, 131, and 141, respectively. Read out and use as necessary. In addition, the setup device 11, the key generation device 12, the encryption device 13, and the decryption device 14 transmit and receive information through the communication units 113, 124, 136, and 144, respectively. Information transmitted from each device is transmitted to other devices through a network, for example.

  Each of the setup device 11, the key generation device 12, the encryption device 13, and the decryption device 14 includes, for example, a communication device, a processor (hardware processor) such as a CPU (central processing unit), and a RAM (random-access memory). ) A device configured by a general-purpose or dedicated computer having a memory such as a ROM (read-only memory) executing a predetermined program. The computer may include a single processor and memory, or may include a plurality of processors and memory. This program may be installed in a computer, or may be recorded in a ROM or the like in advance. In addition, some or all of the processing units are configured using an electronic circuit that realizes a processing function without using a program, instead of an electronic circuit (circuitry) that realizes a functional configuration by reading a program like a CPU. May be. In addition, an electronic circuit constituting one device may include a plurality of CPUs.

  1 illustrates one setup device 11, one key generation device 12, one encryption device 13, and one decryption device 14, but a plurality of at least some of these devices may exist.

<Processing>
Next, the processing of this embodiment will be described.
«Execution process of the setup algorithm (PKFE2.setup (1 ^λ))»
The master key generation unit 112 of the setup device 11 performs PKFE1. Execute setup to generate a set of master public key mpk1 _i and master secret key msk1 _i , and store the generated q pair (mpk1 _i , msk1 _i ) (where i∈ [q]) in memory 111 . However, (mpk1 _i , msk1 _i ) is randomized by a pseudorandom number generated for each i∈ [q]. The master key generation unit 112 obtains the master public key mpk2 = (mpk1 ₁ ,..., Mpk1 _q ) and the master secret key msk2 = (msk1 ₁ , mk1 _i ) from (mpk1 _i , msk1 _i ) obtained for each i∈ [q]. .., Msk1 _q ) are generated and stored in the memory 111. The communication unit 113 transmits the master public key mpk2 to the encryption device 13 and transmits the master secret key msk2 to the key generation device 12.

<< Execution Process of Key Generation Algorithm (FE2.keygen (msk2, f2, i)) >>
Any iε [q], a predetermined function f2, and a master secret key msk2 transmitted from the decryption device 14 are input to the communication unit 124 of the key generation device 12. These are stored in the memory 121. The pseudo random number generator 122 generates and outputs a pseudo random number. The secret key generation unit 123 receives iε [q], the function f2, the master secret key msk2 input to the communication unit 124, and the pseudorandom number generated by the pseudorandom number generation unit 122, and inputs FE1. The keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2, and a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2 is obtained and stored in the memory 121. Note that the secret key sk _f2 ⁽ⁱ⁾ is randomized by the pseudo random number. The communication unit 124 transmits the secret key sk _f2 to the decryption device 14.

≪Encryption algorithm (PKFE2.enc (mpk2, m)) execution process≫
The master public key mpk2 is input to the communication unit 136 of the encryption device 13, and the master public key mpk2 is stored in the memory 131. The pseudo random number generation unit 132 generates a pseudo random number and sends it to the pseudo random number key generation unit 133. The pseudo random number key generation unit 133 generates a key K of the puncturable pseudo random function F using the transmitted pseudo random number and stores the key K in the memory 131. The key K is randomized by this pseudo random number. The program generation unit 134 receives the message m, the master public key mpk2, and the key K and inputs the above-described PKFE2. The enc ciphertext generation program η is generated and stored in the memory 121. The obfuscation unit 135 generates an obfuscated program ct = sxiO (η) obtained by obfuscating the ciphertext generation program η with γ-SXIO and stores the generated obfuscation program in the memory 121. The communication unit 136 transmits the obfuscation program ct to the decryption device 14.

<< Execution Process of Decoding Algorithm (FE2.dec (sk _f2 , ct)) >>
A secret key sk _f2 and an obfuscation program ct are input to the communication unit 144 of the decryption device 14, and these are stored in the memory 141. The ciphertext generation unit 142 receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscated program ct = sxiO (η) as input, and i∈ [q] (key generation) extracted from the secret key sk _f2 The i) transmitted to the apparatus 12 is input to ct = sxiO (η), and the ciphertext ct _i is generated by executing sxiO (η), and the ciphertext ct _i is stored in the memory 141. Decoding unit 143, FE1 as input the secret key _sk ^{f2 (i)} and the ciphertext ct _i extracted from the secret key _{sk f2.} Dec is executed, and the ciphertext ct _i is decrypted with the secret key sk _f2 ⁽ⁱ⁾ to obtain and output a restoration value m ′.

[Second Embodiment]
A second embodiment of the present invention will be described with reference to the drawings.
The present embodiment is a specific example of <q-key collusion simplicity secret key function type encryption (I)> described above. In the following, the same reference numerals are used for the matters already described, and the description is omitted.
<Configuration>
As illustrated in FIG. 1, the encryption system 2 of the present embodiment includes a setup device 21, a key generation device 12, an encryption device 23, and a decryption device 14. The setup device 21 includes, for example, a memory 111, a master key generation unit 212, and a communication unit 113. The encryption device 23 includes, for example, a memory 131, a pseudo random number generation unit 132, a pseudo random number key generation unit 133, a program generation unit 234, an obfuscation unit 135, and a communication unit 136. The setup device 21 and the encryption device 23 store the input information, information that needs to be saved in the calculation process, and calculation result information in the memories 111 and 131, respectively, and read and use them as necessary. The setup device 21 and the encryption device 23 transmit and receive information through the communication units 113 and 136, respectively. The setup device 21 and the encryption device 23 are devices configured by the above-described computer executing a predetermined program, for example. In FIG. 1, one setup device 21 and encryption device 23 are illustrated, but at least one of the setup device 21 and the encryption device 23 may exist.

<Processing>
«Execution of the setup algorithm (SKFE2.setup (1 ^λ))» described below a process of the present embodiment
The master key generation unit 212 of the setup device 21 performs SKFE1. Execute setup to generate a master secret key msk1 _i and store the generated q msk1 _i (where i∈ [q]) in the memory 111. However, msk1 _i is randomized by a pseudo-random number generated for each i∈ [q]. The master key generation unit 212 generates a master secret key msk2 = (msk1 ₁ ,..., Msk1 _q ) from msk1 _i obtained for each i∈ [q] and stores it in the memory 111. The communication unit 113 transmits the master secret key msk2 to the key generation device 12 and the encryption device 23.

<< Execution Process of Key Generation Algorithm (FE2.keygen (msk2, f2, i)) >>
The execution process of the key generation algorithm of this embodiment is the same as that of the first embodiment.

≪Encryption algorithm (SKFE2.enc (msk2, m)) execution process≫
The master secret key msk2 transmitted from the setup device 21 is input to the communication unit 136 of the encryption device 23, and the master secret key msk2 is stored in the memory 131. The pseudo random number generation unit 132 generates a pseudo random number and sends it to the pseudo random number key generation unit 133. The pseudo random number key generation unit 133 generates a key K of the puncturable pseudo random function F using the transmitted pseudo random number and stores the key K in the memory 131. The key K is randomized by this pseudo random number. The program generation unit 234 receives the message m, the master secret key msk2, and the key K, and inputs the SKFE2. The enc ciphertext generation program μ is generated and stored in the memory 121. The obfuscation unit 135 generates an obfuscation program ct = sxiO (μ) obtained by obfuscating the ciphertext generation program μ with γ-SXIO and stores the generated obfuscation program in the memory 121. The communication unit 136 transmits the obfuscation program ct to the decryption device 14.

<< Execution Process of Decoding Algorithm (FE2.dec (sk _f2 , ct)) >>
The decryption algorithm (FE2.dec (sk _f2 , ct)) according to the present embodiment is executed by the encryption device 23 instead of the obfuscation program ct transmitted from the encryption device 13 being input to the communication unit 144. Except that the obfuscation program ct transmitted from is input to the communication unit 144 and the obfuscation program ct is sxiO (μ) instead of the obfuscation program ct being sxiO (η). This is the same as that of the first embodiment.

[Third Embodiment]
A first embodiment of the present invention will be described with reference to the drawings. The present embodiment is a specific example of <q-key collusion simplicity public key function type encryption (II)> described above. In the following, the same reference numerals are used for the matters already described, and the description is omitted.
<Configuration>
As illustrated in FIG. 2, the encryption system 6 of this embodiment includes a setup device 61, a key generation device 62, an encryption device 63, and a decryption device 64. The setup device 61 includes, for example, a memory 111, a setting unit 612, a program generation unit 613, a master key generation unit 614, and a communication unit 113. The key generation device 62 includes, for example, a memory 121, a master key generation unit 622, a secret key generation unit 623, and a communication unit 124. The encryption device 63 includes, for example, a memory 131, a setting unit 632, a program generation unit 634, an obfuscation unit 635, and a communication unit 136. The decoding device 64 includes, for example, a memory 141, an execution unit 642, a decoding unit 643, and a communication unit 144.

  The setup device 61, the key generation device 62, the encryption device 63, and the decryption device 64 store the input information, information that needs to be saved in the calculation process, and calculation result information in the memories 111, 121, 131, and 141, respectively. Read out and use as necessary. Further, the setup device 61, the key generation device 62, the encryption device 63, and the decryption device 64 perform transmission / reception of information by the communication units 113, 124, 136, and 144, respectively. Information transmitted from each device is transmitted to other devices through a network, for example. Each of the setup device 61, the key generation device 62, the encryption device 63, and the decryption device 64 is, for example, a device configured by the above-described computer executing a predetermined program. Although FIG. 2 illustrates one setup device 61, one key generation device 62, one encryption device 63, and one decryption device 64, a plurality of at least some of these devices may exist.

<Processing>
Next, the processing of this embodiment will be described.
«Execution process of the setup algorithm (PKFE2.setup (1 ^λ))»
The setting unit 612 of the setup device 61 receives λ as an input, obtains a key K ₀ and a random bit string ρ ₀ ε {0, 1} ^λ of the pseudorandom function F ′, and stores them in the memory 111. The key K ₀ and the random bit string ρ ₀ are selected at random, for example. Next, the program generation unit 613 receives the key K ₀ and the random bit string ρ ₀ as input, and the PKFE2. A setup public public key generation program Σ is generated and stored in the memory 111. The master key generation unit 614 receives the master public key generation program Σ as an input, obtains and outputs the obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ as the master public key mpk2, Obtain (K ₀ , ρ ₀ ) as the master secret key msk2 and output it. The master public key mpk2 and the master secret key msk2 are stored in the memory 111. The communication unit 113 transmits the master public key mpk2 to the encryption device 63 and transmits the master secret key msk2 to the key generation device 62.

<< Execution Process of Key Generation Algorithm (FE2.keygen (msk2, f2, i)) >>
Any iε [q], a predetermined function f2, and a master secret key msk2 transmitted from the decryption device 64 are input to the communication unit 124 of the key generation device 62. These are stored in the memory 121. The master key generation unit 622 receives λ, one of i∈ [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and the function f2, and inputs PKFE1. The setup is executed to obtain the master public key mpk1 _i and the master secret key msk1 _i randomized by the pseudo random number F ′ (K ₀ , (ρ ₀ , i)) and store them in the memory 121. The secret key generation unit 623 receives the master secret key msk1 _i and the function f2, and inputs FE1. The keygen is executed to generate a master secret key msk1 _i and a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and store them in the memory 121. Further, the secret key generation unit 623 receives any iε [q] transmitted from the decryption device 64 and the predetermined function f2, and uses the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2. Obtained and stored in the memory 121. The communication unit 124 transmits the secret key sk _f2 to the decryption device 64.

≪Encryption algorithm (PKFE2.enc (mpk2, m)) execution process≫
The master public key mpk2 = sxiO (Σ) is input to the communication unit 136 of the encryption device 63, and the master public key mpk2 is stored in the memory 131. The setting unit 632 generates a key K of the puncturable pseudorandom function F and stores it in the memory 131. For example, the key K is randomly generated. The program generation unit 634 receives the master public key mpk2 = sxiO (Σ), the message m, and the key K, and inputs the above-described PKFE2. An enc ciphertext generation program η ′ is generated. The obfuscation unit 635 receives the ciphertext generation program η ′ as an input, obtains an obfuscation program ct = sxiO (η ′) obtained by obfuscating the ciphertext generation program η ′ and stores it in the memory 131. The communication unit 136 transmits the obfuscation program ct to the decryption device 64.

<< Execution Process of Decoding Algorithm (FE2.dec (sk _f2 , ct)) >>
The communication unit 144 of the decryption device 64 receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscation program ct, which are stored in the memory 141. The execution unit 642 receives the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) and the obfuscated program ct, obtains a ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2, and stores the memory 141. To store. The ciphertext ct _i is obtained by inputting i into the obfuscation program ct. Decoding unit 643, FE1 as input the secret key ^{_{sk f2 = (sk f2 (i}} ), i) the private key was removed from _sk ^{f2 (i)} and the resulting ciphertext ct _i. Dec is executed, the ciphertext ct _i is decrypted with the secret key sk _f2 ⁽ⁱ⁾ , and a restored value m ′ is obtained and output.

[Fourth Embodiment]
A fourth embodiment of the present invention will be described with reference to the drawings. The present embodiment is a specific example of <q-key collusion simplicity secret key function type encryption (II)> described above. In the following, the same reference numerals are used for the matters already described, and the description is omitted.
<Configuration>
As illustrated in FIG. 2, the encryption system 7 of this embodiment includes a setup device 71, a key generation device 72, an encryption device 73, and a decryption device 64. The setup device 71 includes, for example, a memory 111, a setting unit 612, a master key generation unit 714, and a communication unit 113. The key generation device 72 includes, for example, a memory 121, a master key generation unit 622, a secret key generation unit 623, and a communication unit 124. The encryption device 73 includes, for example, a memory 131, a setting unit 632, a program generation unit 734, an obfuscation unit 735, and a communication unit 136. The decoding device 64 includes, for example, a memory 141, an execution unit 642, a decoding unit 643, and a communication unit 144.

  The setup device 71, the key generation device 72, the encryption device 73, and the decryption device 64 store the input information, information that needs to be saved in the calculation process, and calculation result information in the memories 111, 121, 131, and 141, respectively. Read out and use as necessary. In addition, the setup device 71, the key generation device 72, the encryption device 73, and the decryption device 64 transmit and receive information through the communication units 113, 124, 136, and 144, respectively. Information transmitted from each device is transmitted to other devices through a network, for example. Each of the setup device 71, the key generation device 72, the encryption device 73, and the decryption device 64 is an apparatus configured by, for example, the above-described computer executing a predetermined program. Although FIG. 2 illustrates one setup device 71, one key generation device 72, one encryption device 73, and one decryption device 64, a plurality of at least some of these devices may exist.

<Processing>
Next, the processing of this embodiment will be described.
«Execution process of the setup algorithm (SKFE2.setup (1 ^λ))»
The setting unit 612 of the setup device 71 receives λ as an input, obtains the key K ₀ and the random bit string ρ ₀ ε {0, 1} ^λ of the pseudorandom function F ′, and stores them in the memory 111. The key K ₀ and the random bit string ρ ₀ are selected at random, for example. The master key generation unit 714 receives the key K ₀ and the random bit string ρ ₀ , obtains a master secret key msk 2 = (K ₀ , ρ ₀ ), and stores it in the memory 111. The communication unit 113 transmits the master secret key msk2 to the key generation device 72 and the encryption device 73.

<< Execution Process of Key Generation Algorithm (FE2.keygen (msk2, f2, i)) >>
Any iε [q] and a predetermined function f2 transmitted from the decryption device 64 and the master secret key msk2 = (K ₀ , ρ ₀ ) are input to the communication unit 124 of the key generation device 72. These are stored in the memory 121. The master key generation unit 722 receives the key K ₀ and the index (ρ ₀ , i) as input, obtains a pseudo random number F ′ (K ₀ , (ρ ₀ , i)), and stores it in the memory 121. Further, the master key generation unit 722 receives λ and a pseudo random number F ′ (K ₀ , (ρ ₀ , i)) as inputs, and SKFE 1. A setup is executed to obtain a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i)) and store it in the memory 121. The secret key generation unit 623 receives the master secret key msk1 _i and the function f2 as inputs, and E1. The keygen is executed to generate a master secret key msk1 _i and a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and store them in the memory 121. Further, the secret key generation unit 623 receives sk _f2 ⁽ⁱ⁾ and i as inputs, obtains a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) for the function f2, and stores it in the memory 121. The communication unit 124 transmits the secret key sk _f2 to the decryption device 64.

≪Encryption algorithm (SKFE2.enc (msk2, m)) execution process≫
The master secret key msk2 = (K ₀ , ρ ₀ ) is input to the communication unit 136 of the encryption device 73, and this master public key mpk 2 is stored in the memory 131. The setting unit 632 obtains the key K of the puncturable pseudorandom function F and stores it in the memory 131. For example, the key K is randomly generated. The program generation unit 734 receives the key K ₀ , the random bit string ρ ₀ , the key K, and the message m, and inputs the above-described SKFE2. The enc ciphertext generation program μ ′ is obtained and stored in the memory 131. The obfuscation unit 735 receives the ciphertext generation program μ ′, obtains an obfuscation program ct = sxiO (μ ′) obtained by obfuscating the ciphertext generation program μ ′, and stores it in the memory 131. The communication unit 136 transmits the obfuscation program ct to the decryption device 64.

<< Execution Process of Decoding Algorithm (FE2.dec (sk _f2 , ct)) >>
The execution process of the decryption algorithm (FE2.dec (sk _f2 , ct)) of this embodiment is performed by the encryption device 73 instead of the obfuscation program ct transmitted from the encryption device 63 being input to the communication unit 144. The obfuscated program ct transmitted from the computer is input to the communication unit 144, and the obfuscated program ct is sxiO (μ ') instead of the obfuscated program ct being sxiO (η'). Is the same as that of the third embodiment.

[Fifth Embodiment]
A fifth embodiment of the present invention will be described with reference to the drawings.
This embodiment is a specific example of <1-key complete simplicity public key function type encryption> described above.
<Configuration>
As illustrated in FIG. 3, the encryption system 3 of the present embodiment includes a setup device 31, a key generation device 32, an encryption device 33, and a decryption device 34. The setup device 31 includes, for example, a memory 311, a master key generation unit 312, and a communication unit 313. The key generation device 32 includes, for example, a memory 321, a secret key generation unit 322, and a communication unit 323. The encryption device 33 includes, for example, a memory 331, an encryption unit 332, and a communication unit 333. The decoding device 34 includes, for example, a memory 341, a decoding unit 342, and a communication unit 343.

  The setup device 31, the key generation device 32, the encryption device 33, and the decryption device 34 store the input information, information that needs to be saved in the calculation process, and calculation result information in the memories 311, 321, 331, and 341, respectively. Read out and use as necessary. In addition, the setup device 31, the key generation device 32, the encryption device 33, and the decryption device 34 transmit and receive information through the communication units 313, 323, 333, and 344, respectively. Information transmitted from each device is transmitted to other devices through a network, for example. Each of the setup device 31, the key generation device 32, the encryption device 33, and the decryption device 34 is, for example, a device configured by the above-described computer executing a predetermined program. Although FIG. 3 illustrates one setup device 31, one key generation device 32, one encryption device 33, and one decryption device 34, a plurality of at least some of these devices may exist.

<Processing>
Next, the processing of this embodiment will be described. In this embodiment, the q-key collusion simplicity public key function type encryption (second function type encryption) of either the first embodiment or the third embodiment is used, and according to the method described in Non-Patent Document 4. Each algorithm of the 1-key complete simplicity public key function type encryption (third function type encryption) shown below is executed.
≪Setup algorithm (PKFE3.setup) execution process≫
The master key generation unit 312 of the setup device 31 uses the setup algorithm (PKFE2.setup) of the first embodiment or the third embodiment, and uses the 1-key complete simplicity public key function type encryption described in Non-Patent Document 4. A setup algorithm (PKFE3.setup) of (third function type encryption) is executed, and a master public key mpk3 and a master secret key msk3 are generated and stored in the memory 311. The communication unit 313 transmits the master public key mpk3 to the encryption device 33 and transmits the master secret key msk3 to the key generation device 32.

≪Key generation algorithm (FE3.keygen) execution process≫
A master secret key msk3, i transmitted from the decryption device 34, and a predetermined function f3 are input to the communication unit 323 of the key generation device 32, and these are stored in the memory 321. The secret key generation unit 322 receives the master secret key msk3 and a predetermined function f3 as inputs, and uses the key generation algorithm (FE2.keygen) of the first embodiment or the third embodiment. The key generation algorithm (FE3.keygen) of the key complete simplicity public key function type encryption is executed, and the secret key sk _f3 for the function _f3 is generated and stored in the memory 321. The communication unit 323 transmits the secret key sk _f3 to the decryption device 34.

≪Encryption algorithm (PKFE3.enc) execution process≫
The master public key mpk3 is input to the communication unit 333 of the encryption device 33 and is stored in the memory 331. The encryption unit 332 receives the master public key mpk3 and the message m, uses the encryption algorithm (PKFE2.enc) of the first embodiment or the third embodiment, and uses the 1-key completeness described in Non-Patent Document 4. The encryption algorithm (PKFE3.enc) of the simple public key function type encryption is executed, and the ciphertext c3 of the message m is generated and stored in the memory 331. The communication unit 333 transmits the ciphertext c3 to the decryption device 34.

<< Execution process of decryption algorithm (FE3.dec) >>
The secret key sk _f3 and the ciphertext c3 are input to the communication unit 343 of the decryption device 34, and these are stored in the memory 341. The decryption unit 342 receives the secret key sk _f3 and the ciphertext c3, and uses the decryption algorithm FE2. Dec is used to execute the encryption algorithm (FE3.dec) of the 1-key complete simplicity public key function type encryption described in Non-Patent Document 4 to generate and output the function value f3 (m) of the message m To do.

[Sixth Embodiment]
A sixth embodiment of the present invention will be described with reference to the drawings.
This embodiment is a specific example of the above-described <1-key complete simplicity secret key function type encryption>.
<Configuration>
As illustrated in FIG. 3, the encryption system 4 of this embodiment includes a setup device 41, a key generation device 32, an encryption device 43, and a decryption device 34. The setup device 41 includes, for example, a memory 311, a master key generation unit 412, and a communication unit 313. The encryption device 43 includes, for example, a memory 331, an encryption unit 332, and a communication unit 333.

  The setup device 41 and the encryption device 43 store input information, information that needs to be saved in the calculation process, and calculation result information in the memories 311 and 331, respectively, and read and use them as necessary. In addition, the setup device 41 and the encryption device 43 perform transmission / reception of information through the communication units 313 and 333, respectively. Information transmitted from each device is transmitted to other devices through a network, for example. The setup device 41 and the encryption device 43 are devices configured by the above-described computer executing a predetermined program. In FIG. 3, one setup device 41 and encryption device 43 are illustrated, but at least one of the setup device 41 and the encryption device 43 may exist.

<Processing>
Next, the processing of this embodiment will be described. In this embodiment, the q-key collusion simplicity secret key function type encryption (second function type encryption) of either the second embodiment or the fourth embodiment is used, and according to the method described in Non-Patent Document 4. Each algorithm of the 1-key complete simplicity secret key function type encryption (third function type encryption) shown below is executed.

≪Setup algorithm (SKFE3.setup) execution process≫
The master key generation unit 412 of the setup device 41 uses the setup algorithm (SKFE2.setup) of the second embodiment or the fourth embodiment, and uses the 1-key complete simplicity secret key function type encryption described in Non-Patent Document 4. A setup algorithm (SKFE3.setup) of (third function type encryption) is executed to generate a master secret key msk3 and store it in the memory 311. The communication unit 313 transmits the master secret key msk3 to the key generation device 32 and the encryption device 43.

≪Key generation algorithm (FE3.keygen) execution process≫
The execution process of the key generation algorithm (FE3.keygen) of the present embodiment is the same as that of the fifth embodiment.

<< Encryption algorithm (SKFE3.enc) execution process >>
The master secret key msk3 is input to the communication unit 333 of the encryption device 43 and stored in the memory 331. The encryption unit 332 receives the master secret key msk3 and the message m, uses the encryption algorithm (SKFE2.enc) of the second embodiment or the fourth embodiment, and uses the 1-key completeness described in Non-Patent Document 4. The encryption algorithm (SKFE3.enc) of the simple secret key function type encryption is executed, and the ciphertext c3 of the message m is generated and stored in the memory 331. The communication unit 333 transmits the ciphertext c3 to the decryption device 34.

<< Execution process of decryption algorithm (FE3.dec) >>
In the decryption algorithm execution processing of this embodiment, instead of the ciphertext c3 transmitted from the encryption device 33 being input to the communication unit 344, the ciphertext c3 transmitted from the encryption device 43 is transmitted to the communication unit 343. Input, the decoding algorithm FE2. In place of dec, the decoding algorithm FE2. Except that dec is used, it is the same as that of the fifth embodiment.

[Seventh Embodiment]
A seventh embodiment of the present invention will be described with reference to the drawings.
In this embodiment, the 1-key complete simplicity public key function encryption of the fifth embodiment is used, and the indistinguishability obfuscation described in Non-Patent Documents 2 and 3 is performed.

<Configuration>
As illustrated in FIG. 4, the cryptographic system 5 of this embodiment includes a setup device 31, a key generation device 32, an obfuscation device 53, and an execution device 54. The obfuscation device 53 includes a memory 431, an encryption device 33, an obfuscation unit 532, and a communication unit 533. The execution device 54 includes a memory 541, a decryption device 34, an execution unit 542, and a communication unit 543.

  The obfuscation device 53 and the execution device 54 store the input information, information that needs to be saved in the calculation process, and calculation result information in the memories 531 and 541, respectively, and read and use them as necessary. In addition, the obfuscation device 53 and the execution device 54 transmit and receive information through the communication units 533 and 543, respectively. Information transmitted from each device is transmitted to other devices through a network, for example. The obfuscation device 53 and the execution device 54 are devices each configured by the above-described computer executing a predetermined program. In FIG. 4, one obfuscation device 53 and execution device 54 are illustrated, but at least one of these may exist.

<Processing>
Next, the processing of this embodiment will be described.
≪Setup algorithm (PKFE3.setup) execution process≫
The execution process of the setup algorithm (PKFE3.setup) of the present embodiment is the same as that of the fifth embodiment.

≪Key generation algorithm (FE3.keygen) execution process≫
The key generation algorithm (FE3.keygen) of this embodiment is the same as that of the fifth embodiment.

≪Program obfuscation execution process≫
The obfuscation unit 532 of the obfuscation apparatus 53 uses the encryption apparatus 33 that receives the program pro to be obfuscated as input and executes the encryption algorithm (PKFE3.enc), and the identification described in Non-Patent Document 2 or 3 Program pro is obfuscated by impossibility obfuscation (that is, program pro is obfuscated using PKFE3.enc as an encryption algorithm executed in the process of indistinguishability obfuscation described in Patent Document 2 or 3) ), Obfuscation program iO (pro) is obtained and stored in memory 531. The communication unit 533 transmits the obfuscation program iO (pro) to the execution device 54.

≪Obfuscated program execution process≫
The obfuscation program iO (pro) is input to the communication unit 543 of the execution device 54 and stored in the memory 541. The execution unit 542 receives the obfuscation program iO (pro) as an input and uses the decryption device 34 that executes the decryption algorithm (FE3.dec), and executes the obfuscation program iO (pro) described in Non-Patent Document 2 or 3. Perform the execution process (that is, execute the obfuscation program iO (pro) using FE3.dec as a decoding algorithm executed in the process of the obfuscation program execution process described in Patent Document 2 or 3) Get the execution result and output it.

[Modifications, etc.]
The present invention is not limited to the embodiment described above. For example, instead of each device exchanging information via a network, at least some of the devices may exchange information via a portable recording medium. Alternatively, at least some of the devices may exchange information via a non-portable recording medium. The combination which consists of a part of these apparatuses may be the same apparatus. For example, the obfuscation apparatus 53 may execute a setup algorithm (PKFE3.setup) and a key generation algorithm (FE3.keygen). In this case, the obfuscated program iO (pro) sent from the obfuscation device 53 to the execution device 54 includes the secret key sk _f2 . Further, the execution unit 542 may receive the obfuscation program iO (pro) and the input value x as input, and execute the obfuscation program iO (pro) on the input value x.

  The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  When the above configuration is realized by a computer, the processing contents of the functions that each device should have are described by a program. By executing this program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.

  This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads a program stored in its own recording device and executes a process according to the read program. As another execution form of the program, the computer may read the program directly from the portable recording medium and execute processing according to the program, and each time the program is transferred from the server computer to the computer. The processing according to the received program may be executed sequentially. The above-described processing may be executed by a so-called ASP (Application Service Provider) type service that realizes a processing function only by an execution instruction and result acquisition without transferring a program from the server computer to the computer. Good.

  In the above embodiment, the processing functions of the apparatus are realized by executing a predetermined program on a computer. However, at least a part of these processing functions may be realized by hardware.

1-5 Cryptographic system

Claims (22)

q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is the key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, PKFE1. enc is the first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
(1) A key K ₀ and a random bit string ρ ₀ of a pseudo random function F ′ are obtained, and (2) a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i) for input i∈ [q]. ) And the PKFE1. executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with the pseudo-random number r _i ′, and outputting the master public key mpk1 _i A master public key generation program Σ is generated, and (3) an obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ is obtained as a master public key mpk2, and (K ₀ , ρ ₀ ) Is set up as a master secret key msk2, a second functional encryption setup algorithm PKFE2. a setup device for executing the setup;
Any of i∈ [q], the master secret key msk2, and a predetermined function f2 are input, and the PKFE1. Execute setup and obtain a master public key mpk1 _i and a master secret key msk1 _i randomized with a pseudo-random number F ′ (K ₀ , (ρ ₀ , i)). keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the master secret key msk1 _i and the function f2 to obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) Key generation algorithm FE2. a key generation device that executes keygen;
(1) obtaining a key K of a puncturable pseudorandom function F, (2) executing the obfuscation program sxiO (Σ) for the input i∈ [q] to obtain the master public key mpk1 _i ; Generating a pseudo-random number r _i = F (K, i) for the input i∈ [q], and receiving the master public key mpk1 _i , the message m, and the pseudo-random number r _i as input, the PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , and obtaining a ciphertext generation program η ′ for executing (3) the ciphertext generation program η ′ cannot be identified Encryption algorithm PKFE2 of the second functional encryption to obtain the obfuscated obfuscation program ct = sxiO (η ′). an encryption device for executing enc;
Using the secret key sk _f2 and the obfuscated program ct as inputs, the ciphertext ct _i is obtained for i∈ [q] extracted from the secret key sk _f2 , and the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct are obtained. _i as an input, the FE1. The second functional encryption decryption algorithm FE2. a decoding device for executing dec;
A cryptographic system. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is the key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, PKFE1. enc is the first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
For each i∈ [q], the PKFE1. Execute setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i , and a master public key mpk2 = (mpk1 ₁ ,..., mpk1 _q ) and a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ) To obtain the second functional encryption setup algorithm PKFE2. a setup device for executing the setup;
Any one of iε [q], the master secret key msk2, and a predetermined function f2 are input to the FE1. Keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i). a key generation device that executes keygen;
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master public key MPK1 _i, said message m, and the pseudo random number _{r i} as input PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program η that executes the obfuscation that obfuscates the ciphertext generation program η Encryption algorithm PKFE2 of the second functional encryption to obtain the encryption program ct = sxiO (η). an encryption device for executing enc;
Using the secret key sk _f2 and the obfuscated program ct as inputs, the ciphertext ct _i is obtained for i∈ [q] extracted from the secret key sk _f2 , and the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct are obtained. _i as an input, the FE1. The second functional encryption decryption algorithm FE2. a decoding device for executing dec;
A cryptographic system. q is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
A second functional encryption setup algorithm SKFE2. That obtains a key K ₀ and a random bit string ρ ₀ of a pseudo-random function F ′ and obtains a master secret key msk 2 = (K ₀ , ρ ₀ ). a setup device for executing the setup;
Any one of iε [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and a predetermined function f2 are input, and the SKFE1. Execute setup and obtain a master secret key msk1 _i randomized with a pseudo-random number F ′ (K ₀ , (ρ ₀ , i)), and the FE1. keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the master secret key msk1 _i and the function f2 to obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) Key generation algorithm FE2. a key generation device that executes keygen;
(1) A key K of a puncturable pseudorandom function F is obtained. (2) The master secret key msk2 = (K ₀ , ρ ₀ ) and i∈ [q] are input, and the input i∈ [q] is input. SKFE1. executing setup and obtaining a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i)), and generating a pseudorandom number r _i = F (K, i) And the master secret key msk1 _i , the message m, and the pseudorandom number r _i as inputs. obtaining a ciphertext ct _i randomized with the pseudo-random number r _i by executing enc, and obtaining a ciphertext generation program μ ′ for executing (3) the ciphertext generation program μ ′ cannot be identified Encryption algorithm SKFE of the second functional encryption to obtain the obfuscated obfuscation program ct = sxiO (μ ′). an encryption device for executing enc;
Using the secret key sk _f2 and the obfuscated program ct as inputs, the ciphertext ct _i is obtained for i∈ [q] extracted from the secret key sk _f2 , and the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct are obtained. _i as an input, the FE1. The second functional encryption decryption algorithm FE2. a decoding device for executing dec;
A cryptographic system. q is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
For each i∈ [q], the SKFE1. A second functional encryption setup algorithm SKFE2. which generates a master secret key msk1 _i by executing setup and obtains a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ). a setup device for executing the setup;
Any one of iε [q], the master secret key msk2, and a predetermined function f2 are input to the FE1. Keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i). a key generation device that executes keygen;
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master secret key MSK1 _i, said message m, and the pseudo random number _{r i} as input SKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program μ for executing the obfuscation, wherein the ciphertext generation program μ is obfuscated Encryption algorithm SKFE2 .. of the second functional encryption for obtaining the encryption program ct = sxiO (μ). an encryption device for executing enc;
Using the secret key sk _f2 and the obfuscated program ct as inputs, the ciphertext ct _i is obtained for i∈ [q] extracted from the secret key sk _f2 , and the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct are obtained. _i as an input, the FE1. The second functional encryption decryption algorithm FE2. a decoding device for executing dec;
A cryptographic system. The cryptographic system according to any one of claims 1 to 4,
The cryptographic system, wherein the first functional encryption is a 1-key functional encryption. The encryption system according to any one of claims 1 to 5,
The obfuscation program ct is an encryption system in which the ciphertext generation program η is obfuscated by γ-SXIO. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, a setting unit for obtaining a key K ₀ and a random bit string ρ ₀ of a pseudo-random function F ′;
Obtaining a pseudo-random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i)) for the input i∈ [q], and the PKFE1. executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with the pseudo-random number r _i ′, and outputting the master public key mpk1 _i A program generation unit for generating a master public key generation program Σ;
A master key generator that obtains an obfuscated program sxiO (Σ) obtained by obfuscating the master public key generation program Σ as a master public key mpk2, and obtains (K ₀ , ρ ₀ ) as a master secret key msk2.
Having a setup device. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1,
(1) A key K ₀ and a random bit string ρ ₀ of a pseudo random function F ′ are obtained, and (2) a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i) for input i∈ [q]. ) And the PKFE1. executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with the pseudo-random number r _i ′, and outputting the master public key mpk1 _i A master public key generation program Σ is generated, and (3) an obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ is obtained as a master public key mpk2, and (K ₀ , ρ ₀ ) Is set up as a master secret key msk2, a second functional encryption setup algorithm PKFE2. setup is running,
Any of i∈ [q], the master secret key msk2, and a predetermined function f2 are input, and the PKFE1. a master key generation unit that executes setup and obtains a master public key mpk1 _i and a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i));
The FE1. a secret key generation unit that executes keygen to generate the master secret key msk1 _i and the secret key sk _f2 ⁽ⁱ⁾ for the function f2, and obtains the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i);
A key generation device. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and PKFE1. enc is an encryption algorithm of the first functional encryption that receives the master public key mpk1 and the message m as input and generates a ciphertext c1 of the message m,
(1) A key K ₀ and a random bit string ρ ₀ of a pseudo random function F ′ are obtained, and (2) a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i) for input i∈ [q]. ) And the PKFE1. executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with the pseudo-random number r _i ′, and outputting the master public key mpk1 _i A master public key generation program Σ is generated, and (3) an obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ is obtained as a master public key mpk2, and (K ₀ , ρ ₀ ) Is set up as a master secret key msk2, a second functional encryption setup algorithm PKFE2. setup is running,
A setting unit for obtaining a key K of the puncturable pseudorandom function F;
The obfuscation program sxiO (Σ) is executed for the input i∈ [q] to obtain the master public key mpk1 _i , and the pseudorandom number r _i = F (K, i for the input i∈ [q]. ) And the master public key mpk1 _i , the message m, and the pseudorandom number r _i as inputs. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , and a program generation unit for obtaining a ciphertext generation program η ′ for executing
An obfuscation unit that obtains an obfuscation program ct = sxiO (η ′) obtained by obfuscating the ciphertext generation program η ′;
An encryption device. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is the key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, PKFE1. enc is the first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
(1) A key K ₀ and a random bit string ρ ₀ of a pseudo random function F ′ are obtained, and (2) a pseudo random number r _i ′ = F ′ (K ₀ , (ρ ₀ , i) for input i∈ [q]. ) And the PKFE1. executing a setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i randomized with the pseudo-random number r _i ′, and outputting the master public key mpk1 _i A master public key generation program Σ is generated, and (3) an obfuscation program sxiO (Σ) obtained by obfuscating the master public key generation program Σ is obtained as a master public key mpk2, and (K ₀ , ρ ₀ ) Is set up as a master secret key msk2, a second functional encryption setup algorithm PKFE2. setup is running,
Any of i∈ [q], the master secret key msk2, and a predetermined function f2 are input, and the PKFE1. Execute setup and obtain a master public key mpk1 _i and a master secret key msk1 _i randomized with a pseudo-random number F ′ (K ₀ , (ρ ₀ , i)). keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the master secret key msk1 _i and the function f2 to obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) Key generation algorithm FE2. keygen is running,
(1) obtaining a key K of a puncturable pseudorandom function F, (2) executing the obfuscation program sxiO (Σ) for the input i∈ [q] to obtain the master public key mpk1 _i ; Generating a pseudo-random number r _i = F (K, i) for the input i∈ [q], and receiving the master public key mpk1 _i , the message m, and the pseudo-random number r _i as input, the PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , and obtaining a ciphertext generation program η ′ for executing (3) the ciphertext generation program η ′ cannot be identified Encryption algorithm PKFE2 of the second functional encryption to obtain the obfuscated obfuscation program ct = sxiO (η ′). enc is running,
An execution unit that receives the secret key sk _f2 and the obfuscation program ct and obtains the ciphertext ct _i for iε [q] extracted from the secret key sk _f2 ,
Using the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct _i as inputs, the FE1. a decoding unit that executes dec to obtain a restored value;
A decoding device. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and PKFE1. enc is an encryption algorithm of the first functional encryption that receives the master public key mpk1 and the message m as input and generates a ciphertext c1 of the message m,
For each i∈ [q], the PKFE1. Execute setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i , and a master public key mpk2 = (mpk1 ₁ ,..., mpk1 _q ) and a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ) To obtain the second functional encryption setup algorithm PKFE2. setup is running,
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master public key MPK1 _i, said message m, and the pseudo random number _{r i} as input PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i ; and a program generation unit for obtaining a ciphertext generation program η for executing
An encryption algorithm PKFE2 of the second functional encryption that obtains an obfuscation program ct = sxiO (η) obtained by obfuscating the ciphertext generation program η. an obfuscation unit that executes enc;
An encryption device. q is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is the key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, PKFE1. enc is the first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
For each i∈ [q], the PKFE1. Execute setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i , and a master public key mpk2 = (mpk1 ₁ ,..., mpk1 _q ) and a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ) To obtain the second functional encryption setup algorithm PKFE2. setup,
Any one of iε [q], the master secret key msk2, and a predetermined function f2 are input to the FE1. Keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i). keygen,
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master public key MPK1 _i, said message m, and the pseudo random number _{r i} as input PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program η that executes the obfuscation that obfuscates the ciphertext generation program η Encryption algorithm PKFE2 of the second functional encryption to obtain the encryption program ct = sxiO (η). enc is executed,
A ciphertext generation unit that receives the secret key sk _f2 and the obfuscation program ct and obtains the ciphertext ct _i for any i∈ [q];
Using the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct _i as inputs, the FE1. The second functional encryption decryption algorithm FE2. a decoding unit for executing dec;
A decoding device. q is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1,
A second functional encryption setup algorithm SKFE2. That obtains a key K ₀ and a random bit string ρ ₀ of a pseudo-random function F ′ and obtains a master secret key msk 2 = (K ₀ , ρ ₀ ). setup is running,
Any one of iε [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and a predetermined function f2 are input, and the SKFE1. a master key generation unit that performs setup and obtains a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i));
The FE1. a secret key generation unit that executes keygen to generate the master secret key msk1 _i and the secret key sk _f2 ⁽ⁱ⁾ for the function f2, and obtains the secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i);
A key generation device. q is an integer of 1 or more, and SKFE1. setup is a first functional encryption setup algorithm for generating the master secret key msk1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and the key K ₀ and the random bit string of the pseudo-random function F ′ A second functional encryption setup algorithm SKFE2... obtaining ρ ₀ and obtaining a master secret key msk2 = (K ₀ , ρ ₀ ). setup is running,
A setting unit for obtaining a key K of the puncturable pseudorandom function F;
The master secret key msk2 = (K ₀ , ρ ₀ ) and i∈ [q] are input, and the input SKFE1. executing setup and obtaining a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i)), and generating a pseudorandom number r _i = F (K, i) And the master secret key msk1 _i , the message m, and the pseudorandom number r _i as inputs. a program generating section for obtaining the ciphertext generator mu 'to perform the steps of obtaining a random ciphertext ct _i running enc in the pseudo-random number r _i, a,
An obfuscation unit that obtains an obfuscation program ct = sxiO (μ ′) obtained by obfuscating the ciphertext generation program μ ′;
An encryption device. q is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
A second functional encryption setup algorithm SKFE2. That obtains a key K ₀ and a random bit string ρ ₀ of a pseudo-random function F ′ and obtains a master secret key msk 2 = (K ₀ , ρ ₀ ). setup,
Any one of iε [q], the master secret key msk2 = (K ₀ , ρ ₀ ), and a predetermined function f2 are input, and the SKFE1. Execute setup and obtain a master secret key msk1 _i randomized with a pseudo-random number F ′ (K ₀ , (ρ ₀ , i)), and the FE1. keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the master secret key msk1 _i and the function f2 to obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) Key generation algorithm FE2. keygen,
(1) A key K of a puncturable pseudorandom function F is obtained. (2) The master secret key msk2 = (K ₀ , ρ ₀ ) and i∈ [q] are input, and the input i∈ [q] is input. SKFE1. executing setup and obtaining a master secret key msk1 _i randomized with a pseudorandom number F ′ (K ₀ , (ρ ₀ , i)), and generating a pseudorandom number r _i = F (K, i) And the master secret key msk1 _i , the message m, and the pseudorandom number r _i as inputs. obtaining a ciphertext ct _i randomized with the pseudo-random number r _i by executing enc, and obtaining a ciphertext generation program μ ′ for executing (3) the ciphertext generation program μ ′ cannot be identified Encryption algorithm SKFE of the second functional encryption to obtain the obfuscated obfuscation program ct = sxiO (μ ′). enc is executed,
An execution unit that receives the secret key sk _f2 and the obfuscation program ct and obtains the ciphertext ct _i for iε [q] extracted from the secret key sk _f2 ,
Using the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct _i as inputs, the FE1. a decoding unit that executes dec to obtain a restored value;
A decoding device. q is an integer of 1 or more, and SKFE1. setup is a first functional encryption setup algorithm for generating the master secret key msk1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m as input and generates the ciphertext c1 of the message m,
For each i∈ [q], the SKFE1. A second functional encryption setup algorithm SKFE2. which generates a master secret key msk1 _i by executing setup and obtains a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ). setup is running,
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master secret key MSK1 _i, said message m, and the pseudo random number _{r i} as input SKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i ; and a program generation unit for obtaining a ciphertext generation program μ for executing
An encryption algorithm SKFE for the second functional encryption that obtains an obfuscated program ct = sxiO (μ) obtained by obfuscating the ciphertext generation program μ. an obfuscation unit that executes enc;
An encryption device. q is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is a decryption algorithm of the first functional encryption that receives the secret key sk _f1 and the ciphertext c1 as input and generates a function value f1 (m) of the message m;
For each i∈ [q], the SKFE1. A second functional encryption setup algorithm SKFE2. which generates a master secret key msk1 _i by executing setup and obtains a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ). setup,
Any one of iε [q], the master secret key msk2, and a predetermined function f2 are input to the FE1. Keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i). keygen,
Wherein the inputted i ∈ [q] and generating a pseudo-random number _{r i,} the master secret key MSK1 _i, said message m, and the pseudo random number _{r i} as input SKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program μ for executing the obfuscation, wherein the ciphertext generation program μ is obfuscated Encryption algorithm SKFE2 .. of the second functional encryption for obtaining the encryption program ct = sxiO (μ). enc is executed,
A ciphertext generating unit that receives the secret key sk _f2 and the obfuscation program ct and obtains the ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2 ,
Using the secret key sk _f2 ⁽ⁱ⁾ and the ciphertext ct _i as inputs, the FE1. The second functional encryption decryption algorithm FE2. a decoding unit for executing dec;
A decoding device. q is an integer of 1 or more, r is an integer of 1 or more, and PKFE1. setup is a first functional encryption setup algorithm for generating a master public key mpk1 and a master secret key msk1, and FE1. keygen is the key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, PKFE1. enc is the first functional encryption algorithm that receives the master public key mpk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is the decryption algorithm of the first functional cipher that receives the secret key sk _f1 and the ciphertext c1 and generates the function value f1 (m) of the message m, and the first functional cipher is public R-key public key function type encryption configured using key encryption,
PKFE2. setup is said PKFE1. Execute setup to generate a set of a master public key mpk1 _i and a master secret key msk1 _i , and a master public key mpk2 = (mpk1 ₁ ,..., mpk1 _q ) and a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ) To obtain a second functional encryption setup algorithm. The keygen receives any iε [q], the master secret key msk2, and the predetermined function f2 as inputs. a key generation algorithm of the second functional encryption, wherein keygen is executed to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 to obtain a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i), PKFE2 . enc is the generating a pseudo-random number _{r i} for i ∈ [q] entered, the master public key MPK1 _i, said message m, and the pseudo random number _{r i} as input PKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program η that executes the obfuscation that obfuscates the ciphertext generation program η The encryption algorithm of the second functional encryption that obtains the encryption program ct = sxiO (η), FE2. Dec receives the secret key sk _f2 and the obfuscated program ct as input, obtains the ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2 , and obtains the secret key sk _f2 ⁽ⁱ⁾ and the secret key sk _f2 ⁽ⁱ⁾ and Using the ciphertext ct _i as an input, the FE1. a decryption algorithm of the second functional encryption that executes dec to obtain a restored value;
The PKFE2. A setup algorithm PKFE3. of a third functional encryption having 1-key complete simplicity using setup. a setup device that executes setup and generates a master public key mpk3 and a master secret key msk3;
The master secret key msk3 and a predetermined function f3 are input, and the FE2. the key generation algorithm FE3.3 of the third functional encryption using keygen. a key generation device that executes keygen and generates a secret key sk _f3 for the function f3;
The master public key mpk3 and the message m are input, and the PKFE2. enc is used to encrypt the third functional encryption algorithm PKFE3. an encryption device that executes enc and generates ciphertext c3 of the message m;
The secret key sk _f3 and the ciphertext c3 are input, and the FE2. dec, the decryption algorithm FE3. a decoding device that executes dec and generates a function value f3 (m) of the message m;
A cryptographic system. q is an integer of 1 or more, r is an integer of 1 or more, and SKFE1. setup is the first functional encryption setup algorithm for generating the master secret key msk1, FE1. keygen is a key generation algorithm of the first functional encryption that receives the master secret key msk1 and a predetermined function _f1 and generates a secret key sk _f1 for the function f1, and SKFE1. enc is the encryption algorithm of the first functional encryption that receives the master secret key msk1 and the message m and generates the ciphertext c1 of the message m, and FE1. dec is the decryption algorithm of the first functional cipher that receives the secret key sk _f1 and the ciphertext c1 and generates the function value f1 (m) of the message m, and the first functional cipher is a secret R-key secret key function type encryption configured using key encryption,
SKFE2. setup is the SKFE1. This is a second functional encryption setup algorithm that executes setup and generates a master secret key msk1 _i to obtain a master secret key msk2 = (msk1 ₁ ,..., msk1 _q ), and FE2. The keygen receives any iε [q], the master secret key msk2, and the predetermined function f2 as inputs. SKFE2 is a key generation algorithm of the second function type encryption that executes keygen to generate a secret key sk _f2 ⁽ⁱ⁾ for the function f2 and obtains a secret key sk _f2 = (sk _f2 ⁽ⁱ⁾ , i) . enc is the generating a pseudo-random number _{r i} for i ∈ [q] entered, the master secret key SPK1 _i, said message m, and the pseudo random number _{r i} as input SKFE1. executing enc to obtain a ciphertext ct _i randomized with the pseudo-random number r _i , obtaining a ciphertext generation program μ for executing the obfuscation, wherein the ciphertext generation program μ is obfuscated The encryption algorithm of the second function type encryption to obtain the encryption program ct = sxiO (μ), FE2. Dec receives the secret key sk _f2 and the obfuscated program ct as input, obtains the ciphertext ct _i for i∈ [q] extracted from the secret key sk _f2 , and obtains the secret key sk _f2 ⁽ⁱ⁾ and the secret key sk _f2 ⁽ⁱ⁾ and Using the ciphertext ct _i as an input, the FE1. a decryption algorithm of the second functional encryption that executes dec to obtain a restored value;
The SKFE2. A setup algorithm SKFE3. of a third functional encryption having 1-key complete simplicity using setup. a setup device for executing setup and generating a master secret key msk3;
The master secret key msk3 and a predetermined function f3 are input, and the FE2. the key generation algorithm FE3.3 of the third functional encryption using keygen. a key generation device that executes keygen and generates a secret key sk _f3 for the function f3;
The master secret key msk3 and the message m are input, and the SKFE2. enc is used to encrypt the third functional encryption algorithm PKFE3. an encryption device that executes enc and generates ciphertext c3 of the message m;
The secret key sk _f3 and the ciphertext c3 are input, and the FE2. dec, the decryption algorithm FE3. a decoding device that executes dec and generates a function value f3 (m) of the message m;
A cryptographic system.   An obfuscation apparatus that generates an obfuscated program by obfuscating an input program using the encryption apparatus included in the encryption system according to claim 18.   An execution device that executes the obfuscation program generated by the obfuscation device of claim 20, using the decryption device included in the encryption system of claim 18.   A setup device according to claim 7, a key generation device according to claim 8 or 13, an encryption device according to claim 9, 11, 14 or 16, a decryption device according to claim 10, 12, 15 or 17, and an obfuscation according to claim 20. 23. A program for causing a computer to execute the function of the computer or the execution device of claim 21.

Images