JP2019121999A - Data sharing method, data sharing system, communication terminal, data sharing server, and program - Google Patents

Abstract

To provide a highly secure data sharing technique that makes the possibility to extremely low that the contents of encrypted data gets known even if a re-encryption key and a key before update are leaked.SOLUTION: A data sharing method includes: a re-encryption key generation step of generating, by a communication terminal U, a re-encryption key rk from a public key pk, a secret key sk, and a public key pk' and transmitting the re-encryption key rk to a data sharing server; and an encryption data update step of re-encrypting, by the data sharing server, encrypted data C, ..., Cusing the re-encryption key rk received from the communication terminal Uand thereby generating encrypted data C', ..., C'.SELECTED DRAWING: Figure 8

Description

  The present invention relates to application of information security technology, and more particularly to data sharing technology in which a plurality of communication terminals forming a group share data.

  With the spread of smartphones and tablets, services that store data in a server and share data with many people are increasing. Examples of such data sharing services include services called online storage, group chat, and group mail.

  In a system that provides this data sharing service (data sharing system), the communication path is encrypted to prevent eavesdropping on the communication path, or by not leaving data in the communication terminal, the communication terminal is lost or illegal. May prevent information leakage caused by taking out. Thus, while the conventional data sharing system copes with threats to "communication path" and "communication terminal", it is not always sufficient to cope with threats to servers (data sharing servers) that store data to be shared. It could not be said that it was a thing.

  The threats to the server mentioned here include "external attack on server" and "internal fraud by server administrator etc.". To cope with these threats, it is conceivable to encrypt the data to be shared and store it in a server. However, if the data can be decrypted on the server side, there is still the possibility of data leakage from the server against the aforementioned threats. In order to prevent data leakage from the server, it is important that the data to be shared is concealed from the server (that is, not intercepted on the server side).

  One possible method for dealing with eavesdropping on the server side is to conceal data from the server and to realize end-to-end encrypted communication that can be decrypted only by the communication terminal. In this case, the problem is how to share the key used by the communication terminal for data encryption between the communication terminals. A solution to this problem is disclosed, for example, in Non-Patent Document 1. Non-Patent Document 1 proposes a protocol in which keys are shared between communication terminals in a star network having an authentication server at the center without sharing any information with the authentication server. As a result, data can be exchanged between communication terminals while the data is kept secret from the server.

  In addition, in a group sharing data, an event such as a new communication terminal being added or an existing communication terminal leaving the group occurs. In such a case, since the communication terminals currently participating in the group need to be able to view the data, the encrypted data stored in the server at the same time as the key is updated by an event such as addition or withdrawal Need to re-encrypt. Non-Patent Document 2 discloses such a technique.

K. Yoneyama, R. Yoshida, Y. Kawahara, T. Kobayashi, H. Fuji, and T. Yamamoto, "Multi-Cast Key Distribution: Scalable, Dynamic and Provably Secure Construction", Cryptology ePrint Archive, Report 2016/833, http://eprint.iacr.org/2016/833, 2016. Hiroki Okano, Reio Yoshida, Tetsutaro Kobayashi, Hironobu Okuyama, "Retrievable Encryption with Agent Re-encryption in Secure Business Chat", SCIS 2017, Jan. 2017.

  However, in the technique described in this non-patent document 2, since the re-encryption key is generated from the key before and after the update, the re-encryption key and the key before the update are lost due to eavesdropping on the communication path or loss of the communication terminal. If leaked, there is a problem that the current key is known and the contents of the encrypted data are easily known.

  Therefore, it is an object of the present invention to provide a highly secure data sharing technology in which the possibility of knowing the contents of encrypted data is extremely low even if the re-encryption key and the key before update leak. .

One aspect of the present invention is data including a data sharing server that manages encrypted data obtained by encrypting data shared between two or more communication terminals belonging to a group sharing data and communication terminals belonging to the group In the sharing system, the data sharing server is a data sharing method for managing encrypted data C generated from data m to be shared by any of the communication terminals U _{i_0} belonging to the group, the communication terminal U _{i_0.} The recording unit records a key pair of a public key pk and a secret key sk generated from the public parameter params generated by the data sharing server and the session key SK shared between communication terminals belonging to the group, the communication terminal U _{i_0,} the using the public key pk to generate the encrypted data C by encrypting the data m, the data sharing the encrypted data C And the encrypted data generating step of transmitting to the over server, the data sharing server, the encrypted data management step of managing to be able to share the encrypted data C received from the communication terminal U _{i_0} between communication terminals belonging to the group And.

One aspect of the present invention is data including a data sharing server that manages encrypted data obtained by encrypting data shared between two or more communication terminals belonging to a group sharing data and communication terminals belonging to the group In the sharing system, data sharing in which any communication terminal U _{i_1} belonging to the group generates data m which is original data before generating the encrypted data C from the encrypted data C managed by the data sharing server In the method, the recording unit of the communication terminal U _{i_1} is a public key pk generated from the public parameter params generated by the data sharing server and a session key SK shared between communication terminals belonging to the group, and a secret key keeps track of the sk key pair, the communication terminal U _{i_1} generates encrypted data acquisition request for specifying the encrypted data C, collected by the encrypted data And the encrypted data acquisition request generation step of transmitting a request to said data sharing server, the data sharing server obtains the encrypted data C using the encrypted data acquisition request received from the communication terminal U _{i_1,} An encrypted data acquisition step of transmitting the encrypted data C to the communication terminal U _{i_1;} and the communication terminal U _{i_1} decrypting the encrypted data C received from the data sharing server using the secret key sk. And d) generating the data m.

One aspect of the present invention is data including a data sharing server that manages encrypted data obtained by encrypting data shared between two or more communication terminals belonging to a group sharing data and communication terminals belonging to the group In the sharing system, when the session key shared between the communication terminals belonging to the group is updated from SK to SK ′, the data sharing server shares data m ₁ , ..., m _k (k is an integer of 1 or more) encrypted data C ₁ obtained by encrypting, ..., encrypted data C from the C _{k '1,} ..., C' a data sharing method for generating _k, communication wherein the terminal U _{i_2} data sharing server the encrypted data C _'1, ..., C' and one of the communication terminals belonging to said group to generate a re-encryption key rk used to generate the _k, the communication terminal recording portion of the U _{i_2,} the data sharing service Key pair generated from the session key SK and a public key pk generated from the session key SK and a public key pk 'generated from the public parameter params and the session key SK' and the secret key sk The communication terminal U _{i_2} generates the re-encryption key rk from the public key pk, the secret key sk, and the public key pk ′, and the re-encryption key rk is a re-encryption key generation step of transmitting to said data sharing server, the data sharing server, the encrypted data C ₁ using the re-encryption key rk received from the communication terminal U _{i_2,} ..., a C _k And an encrypted data update step of generating the encrypted data C ′ ₁ ,..., C ′ _k by re-encryption.

  According to the present invention, even if the re-encryption key and the pre-update key are leaked, highly secure data sharing can be realized with an extremely low possibility of knowing the contents of the encrypted data.

FIG. 1 is a diagram showing an example of the configuration of a data sharing system 10; FIG. 2 is a block diagram showing an example of the configuration of a data sharing server 100. FIG. 2 is a block diagram showing an example of the configuration of a communication terminal 200. The figure which shows an example of a setup process. The figure which shows an example of the production | generation process of an encryption key and a decoding key. The figure which shows an example of the encryption process of data. The figure which shows an example of the decoding process of encryption data. The figure which shows an example of the re-encryption process of encryption data.

  Hereinafter, embodiments of the present invention will be described in detail. Note that components having the same function will be assigned the same reference numerals and redundant description will be omitted.

^ (Caret) represents a superscript. For example, x ^{^ z} indicates that ^yz is a superscript for x, and x _{^ z} indicates that ^yz is a subscript for x. Also, _ (underscore) represents a subscript. For example, ^xy_z represents that _yz is a superscript for x, and _{xy_z} represents that _yz is a subscript for x.
<Definition>
Let N be the set of all positive integers.

  Unidirectional multi-hop proxy re-encryption scheme PRE is comprised of the following six algorithms: Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec. That is, PRE = (Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec).

Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec are algorithms with the following inputs and outputs. Here, λ∈N is a security parameter.
[Setup (1 ^λ )]
The setup algorithm Setup is an algorithm which receives the security parameter λ and outputs the public parameter params. That is, Setup (1 ^λ ) → params.
[KeyGen (params; r)]
Key Generation Algorithm KeyGen is an algorithm that receives a public parameter params and a random number r, and outputs a key pair of a public key pk and a secret key sk. That is, KeyGen (params; r) → (pk, sk). The secret key sk is determined only from the public parameter params and the random number r.
[ReKeyGen (pk, sk, pk ')]
Re-Encryption Key Generation Algorithm ReKeyGen is an algorithm that receives one key pair (pk, sk) and another public key pk ′ and outputs a re-encryption key rk. That is, ReKeyGen (pk, sk, pk ′) → rk.
[Enc (pk, m)]
The encryption algorithm Enc is an algorithm that receives the public key pk and the plaintext m and outputs the ciphertext C. That is, Enc (pk, m) → C.
[ReEnc (rk, C)]
The re-encryption algorithm ReEnc is an algorithm that receives the re-encryption key rk and the ciphertext C and outputs a re-encryption ciphertext C ′. That is, ReEnc (rk, C) → C ′.
[Dec (sk, C)]
The decryption algorithm Dec is an algorithm that receives the secret key sk and the ciphertext C as an input, and outputs a plaintext m '. That is, Dec (sk, C) → m '. If decryption is unsuccessful, ⊥ (error) is output instead of plaintext.

The above encryption scheme PRE satisfies the following conditions.
(Condition 1) Arbitrary public parameter params Setup Setup (1 ^λ ), arbitrary random number r, key pair of arbitrary public key and private key (pk, sk) Key KeyGen (params; r), arbitrary plain text m Thus, Dec (sk, Enc (pk, m)) = m holds.
(Condition 2) KeyGen any positive integer n, any public parameters params ← Setup (1 ^λ), any random number sequence _{{r i} 1 ≦ i ≦} n, for each i (1 ≦ i ≦ n) Arbitrary key pair sequence {(pk _i , sk _i )} _{1 ≦ i ≦ n} outputted by (params; r _i ), ReKeyGen (pk _i , sk for each i (1 ≦ i ≦ n−1) _i, pk _{i + 1)} any re-encryption key sequence rk _{1 → 2} output _{by, ..., rk n-1 →} n, for any plaintext _{m, Dec (sk n, ReEnc} (rk n- _{1 → n} ,..., ReEnc (rk _{1 → 2} , Enc (pk ₁ , m))...)) = M.

The above encryption scheme PRE further satisfies the following condition.
(Condition 3) For the ciphertext C that can be decrypted with the secret key sk _i , the secret key sk _j (j ≦ i−1) before that may be leaked or the re-encryption key rk _{j → j + 1} Even though rk _{i-1 → i} is known, the probability that the content of the ciphertext C is known is negligible with respect to the security parameter λ.

Examples of the encryption method PRE satisfying (condition 1), (condition 2), and (condition 3) are described in Reference Non-Patent Document 1 and Reference Non-Patent Document 2.
(Reference Non-Patent Document 1: N. Chandran, M. Chase, F.-H. Liu, R. Nishikaki, and K. Xagawa, “Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices ”, in Proc. PKC 2014, pp. 95-112, 2014.)
(Reference Non-Patent Document 2: Y. Aono, X. Boyen, LT Phong, and L. Wang, “Key-private proxy re-encryption under LWE”, in Proc. INDOCRYPT 2013, pp. 1-18, 2013.)
In addition, about the definition regarding the disregardability of (condition 3), it describes in the reference nonpatent literature 3. FIG.
(Reference Non-Patent Document 3: Daisuke Moriyama, Nishimaki Ling, Takuaki Okamoto, "Mathematics of Public-Key Cryptography (Series Applied Mathematics 2), Kyoritsu Publishing, 2011.)
The processing of the key generation algorithm KeyGen (params; r) will be described below using a specific example. The key generation algorithm in Reference Non-Patent Document 1 is taken as an example. The q and prime, finite field target number q of Z _q, m-dimensional vector space over the Z _q ^m Z _q, M-dimensional vector space over the Z _q ^M Z _q, the Z _q ^{M × m} each component Let a set of M × m matrices be Z _q . Also, let τ be the smallest integer greater than or equal to log ₂ q. The function G is a pseudorandom number generator which receives a random number r and outputs a τ × m bit string. Such a pseudo random number generator can be configured using a hash function such as SHA256. Details are described in, for example, Reference Non-Patent Document 4. Furthermore, the setup algorithm Setup (1 ^λ ) uniformly and randomly generates a matrix AεZ _q ^{M × m,} and sets params = A.
(Reference Non-Patent Document 4: Hiroshi Yuki, “Introduction to Cryptography 3rd Edition”, SB Creative, pp 317-331, 2015.)
In the key generation algorithm KeyGen (params; r), first, G (r) is calculated to obtain a τ × m bit string. After converting this into an integer value, q-ary expansion is performed, and an element s of Z _q ^m is obtained with each obtained coefficient as a component of a vector. An M-dimensional vector b: = As + e is calculated by taking an M-dimensional vector e in which each component is a real value randomly selected according to a Gaussian normal distribution rounded to an integer value. As is a product of matrices. Let sk = s and pk = (A, b). This pair (pk, sk) is the output of KeyGen (params; r).

The above is an example of calculation of KeyGen (params; r), and the calculation method changes according to the encryption method to be used.
First Embodiment
[System configuration]
The data sharing system 10 will be described below with reference to FIG. FIG. 1 is a diagram showing an example of the configuration of a data sharing system 10. The data sharing system 10 includes a data sharing server 100, communication terminals 200 ₁ ,..., Communication terminals 200 _n (n ≧ 2).

The data sharing server 100, the communication terminals 200 ₁ ,..., The communication terminals 200 _n are connected to a network 900 such as the Internet. The data sharing server 100 can communicate with each of the communication terminals 200 _{1 to} 200 _n . The communication terminals 200 ₁ ,..., And the communication terminals 200 _n may not be able to communicate with each other.

The data sharing system 10 is a system for n communication terminals 200 ₁ ,..., Communication terminals 200 _n to share data. When the communication terminal 200 _i (1 ≦ i ≦ n) shares data with another communication terminal 200 _j (1 ≦ j ≦ n), encrypted data is generated by encrypting the data to be shared. And share via the data sharing server 100.

The data sharing server 100 records the encrypted data transmitted from the communication terminal _200i, and transmits the encrypted data to the other communication terminal _200j .

A person sharing data using the communication terminal 200 is referred to as a user. The communication terminals form a group for sharing data. Each group is given a group identifier. For example, it is assumed that the communication terminals 200 _{1 to} 200 _n belong to a group having a group identifier groupID. Communication terminal 200 may be any terminal as long as it has a communication function that can be used by the user, such as a personal computer or a smartphone.

The communication terminal 200 _i share the other communication terminal 200 _j and the session key. The session key is generated on a group basis and is a key shared only between the communication terminals 200 belonging to the group. It is assumed that the session key is shared between the communication terminals 200 in such a manner that any information related to the session key is not leaked to the data sharing server 100. As such a sharing method, for example, the protocol described in Non-Patent Document 1 can be mentioned. However, the session key sharing method is not limited to the protocol described in Non-Patent Document 1, and any method may be used to share the session key.

  In order to ensure the security of the session key, for example, when a predetermined event such as addition of a new communication terminal to a group, withdrawal of a communication terminal from a group (deletion) occurs or a predetermined time has elapsed New session keys will be generated and updated.

  Next, each device of the data sharing server 100 and the communication terminal 200 will be described with reference to FIGS. 2 to 3. FIG. 2 is a block diagram showing an example of the configuration of the data sharing server 100. As shown in FIG. The data sharing server 100 includes a setup unit 110, an encrypted data management unit 120, an encrypted data acquisition unit 130, an encrypted data update unit 140, and a recording unit 190. The recording unit 190 is a component that appropriately records information necessary for the process of the data sharing server 100. For example, encrypted data is recorded. Also, record the security parameters.

  FIG. 3 is a block diagram showing an example of the configuration of communication terminal 200. As shown in FIG. The communication terminal 200 includes a key pair generation unit 210, an encrypted data generation unit 220, an encrypted data acquisition request generation unit 230, an encrypted data decryption unit 240, a re-encryption key generation unit 250, and a recording unit 290. The recording unit 290 is a configuration unit that records information necessary for processing of the communication terminal 200 as appropriate. For example, the session key is recorded.

In the following description, symbols are defined as follows. S indicates the data sharing server _{100, U i (i∈ {1} , ..., n}) is a communication device 200 ₁ of n units, ..., denote the 200 _n.

[Setup process]
The setup process will be described with reference to FIG.

In S110, the setup unit 110 of the data sharing server S generates the public parameter params from the security parameter λ and records the public parameter params in the recording unit 190. Setup of PRE is used to generate the public parameter params. Specifically, params ← Setup (1 ^λ ). Further, the data sharing server S publishes the public parameter params to the communication terminal U _i (iε {1,..., N}). For example, the public parameter params may be uploaded to an area where the communication device U _i can access, and the communication terminal U _i may be appropriately downloaded. The process regarding the public parameter params is not limited to the above, and the public parameters params will be recorded in each recording unit of the data sharing server S and the communication terminal U _i ( _i ({1,..., N}). If it is, it may be anything.

  The generation of the public parameter is a process performed for each group sharing data.

[Generation process of encryption key / decryption key]
The generation process of the encryption key / decryption key will be described with reference to FIG. Here, the encryption key generated in the communication terminal U _i is used to encrypt data to be shared and generate encrypted data. The decryption key is used to decrypt the generated encrypted data to generate the original data.

It is assumed that a session key shared among communication terminals U ₁ ,..., Communication terminals U _n belonging to a group having a group identifier groupID is newly generated. Let this session key be SK. The communication terminal U _i (iε {1,..., N}) acquires the session key SK and records it in the recording unit 290.

In S210, the key pair generation unit 210 of the communication terminal U _i (iε {1,..., N}) uses the public parameter params and the session key SK recorded in the recording unit 290 to generate a public key that is an encryption key. A key pair (pk, sk) of pk and a secret key sk which is a decryption key is generated. To generate a key pair (pk, sk), use KeyGen of PRE. Specifically, (pk, sk) ← KeyGen (params; SK). The generated key pair (pk, sk) is recorded in the recording unit 290. Note that even if the session keys SK are identical, the public key pk is not always the same. On the other hand, the same secret key sk is always generated from the definition of PRE.

[Data encryption process]
Data encryption processing will be described with reference to FIG. It is assumed that the session key SK is shared among the communication terminals U ₁ ,..., The communication terminals U _n belonging to the group having the group identifier groupID, and is recorded in the recording unit 290. Further, in the communication terminal U _{i_0} (1 ≦ i ₀ ≦ n), a key pair (pk, sk) of a public key and a secret key generated from the public parameter params and the session key SK is recorded in the recording unit 290 I assume.

In S220, the encrypted data generation unit 220 of the communication terminal U _{i_0} (1 ≦ i ₀ ≦ n) generates the encrypted data C from the data m to be shared, using the public key pk which is the encryption key Do. For generation of the encrypted data C, Enc of PRE is used. Specifically, CCEnc (pk, m). The encrypted data generation unit 220 transmits the generated encrypted data C to the data sharing server S.

In S120, the encrypted data management unit 120 of the data sharing server S receives the encrypted data C transmitted by the communication terminal U _{i_0} and allows the recording unit 190 to share the encrypted data C among the communication terminals belonging to the group. Record and manage. For example, when recording the encrypted data, so that the group can share the encrypted data can be identified, by recording the encrypted data together with the group identifier groupID of group communication terminals U _{i_0} that has transmitted the encrypted data belongs Just do it.

[Decryption processing of encrypted data]
Decryption processing of encrypted data will be described with reference to FIG. Similarly to the above, it is assumed that the session key SK is shared among the communication terminals U ₁ ,..., And the communication terminals U _n belonging to the group having the group identifier groupID, and is recorded in the recording unit 290. In addition, in the communication terminal U _{i_1} (1 ≦ i ₁ ≦ n), a key pair (pk, sk) of a public key and a secret key generated from the public parameter params and the session key SK is recorded in the recording unit 290 I assume.

In S230, the encrypted data acquisition request generation unit 230 of the communication terminal U _{i_1} (1 ≦ i ₁ ≦ n) generates an encrypted data acquisition request for specifying the encrypted data C, and the data acquisition request is shared Send to server S. The method of specifying encrypted data C to be acquired may be any method. For example, it may be selected from a list of data shared by the group.

In S130, the encrypted data acquisition unit 130 of the data sharing server S receives the encrypted data acquisition request transmitted by the communication terminal U _{i_1} , and uses the encrypted data acquisition request to acquire encrypted data C to be acquired. get. The data sharing server S transmits the acquired encrypted data C to the communication terminal U _{i_1} .

In S240, the encrypted data decryption unit 230 of the communication terminal U _{i_1} receives the encrypted data C transmitted by the data sharing server S, decrypts the encrypted data C using the secret key sk, and transmits the encrypted data C. To generate data m which is the original data before generating. For decryption of the encrypted data C, Dec of PRE is used. Specifically, mmDec (sk, C).

[Re-encryption processing of encrypted data]
The re-encryption processing of the encrypted data will be described with reference to FIG. It is assumed that the session key SK is shared among the communication terminals U ₁ ,..., And the communication terminals U _n belonging to the group having the group identifier group ID, but it is updated and a session key SK ′ is newly shared. As a result, it is assumed that the session key SK and the session key SK ′ are recorded in the recording unit 290 of the communication terminal U _i (1 ≦ i ≦ n).

Hereinafter, in the data sharing server S, encrypted data C ₁ ,..., C _{k in} which the sharing object data m ₁ ,..., M _k (k is an integer of 1 or more) of the group is encrypted It shall be recorded. Also, the recording unit 290 of the communication terminal U _{i_2} (1 ≦ i ₂ ≦ n) is generated from the public key params and the key pair (pk, sk) generated from the session key SK, and the public parameter params and the session key SK ′ It is assumed that the key pair (pk ', sk') is also recorded.

In S250, the re-encryption key generation unit 250 of the communication terminal U _{i_2} generates a re-encryption key rk from the key pair (pk, sk) recorded in the storage unit 290 and the public key pk ′. The ReKeyGen of PRE is used to generate the re-encryption key rk. Specifically, rk rk ReKeyGen (pk, sk, pk '). The re-encryption key generation unit 250 transmits the generated re-encryption key rk to the data sharing server S.

In S140, the encrypted data update unit 140 of the data sharing server S receives the re-encryption key rk transmitted by the communication terminal U _{i_2, and} is recorded in the recording unit 190 using the re-encryption key rk, The encrypted data C ₁ ,..., C _k of the data to be shared in the group to which the communication terminal U _{i — 2} belongs is re-encrypted to generate encrypted data C ′ _{1 ,.} The ReEnc of PRE is used for re-encryption of the encrypted data C ₁ ,..., C _k . Specifically, C ' _i Re Re En c (rk, C _i ) (i = 1,..., K). The generated encrypted data C ′ ₁ ,..., C ′ _k are recorded in the recording unit 190. Preferably, the encrypted data C ₁ ,..., C _k before re-encryption is deleted.

  According to the present embodiment, in the process of re-encrypting the encrypted data so that the data sharing server can decrypt the encrypted data with the secret key generated from the updated session key at the timing when the session key is updated, the updated session key And the data sharing server can not know the contents of the encrypted data. In addition, since it is difficult to know the current session key from the re-encryption key or the past session key, the encrypted data currently shared is not illegally decrypted, and data to the data sharing server is not The data can be shared safely between the communication terminals while keeping the

<Supplementary Note>
The apparatus according to the present invention is, for example, an input unit to which a keyboard or the like can be connected, an output unit to which a liquid crystal display or the like can be connected as a single hardware entity, or a communication device (for example, communication cable) capable of communicating outside the hardware entity. Communication unit that can be connected, CPU (central processing unit, cache memory, registers, etc. may be provided), RAM or ROM that is memory, external storage device that is hard disk, input unit for these, output unit, communication unit , CPU, RAM, ROM, and a bus connected so as to enable exchange of data between external storage devices. If necessary, the hardware entity may be provided with a device (drive) capable of reading and writing a recording medium such as a CD-ROM. Examples of physical entities provided with such hardware resources include general purpose computers.

  The external storage device of the hardware entity stores a program necessary for realizing the above-mentioned function, data required for processing the program, and the like (not limited to the external storage device, for example, the program is read) It may be stored in the ROM which is a dedicated storage device). In addition, data and the like obtained by processing of these programs are appropriately stored in a RAM, an external storage device, and the like.

  In the hardware entity, each program stored in the external storage device (or ROM etc.) and data necessary for processing of each program are read into the memory as necessary, and interpreted and processed appropriately by the CPU . As a result, the CPU realizes predetermined functions (each component requirement expressed as the above-mentioned,...

  The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention. Further, the processing described in the above embodiment may be performed not only in chronological order according to the order of description but also may be performed in parallel or individually depending on the processing capability of the device that executes the processing or the necessity. .

  As described above, when the processing function in the hardware entity (the apparatus of the present invention) described in the above embodiment is implemented by a computer, the processing content of the function that the hardware entity should have is described by a program. Then, by executing this program on a computer, the processing function of the hardware entity is realized on the computer.

  The program describing the processing content can be recorded in a computer readable recording medium. As the computer readable recording medium, any medium such as a magnetic recording device, an optical disc, a magneto-optical recording medium, a semiconductor memory, etc. may be used. Specifically, for example, as a magnetic recording device, a hard disk drive, a flexible disk, a magnetic tape or the like as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only) Memory), CD-R (Recordable) / RW (Rewritable), etc. as magneto-optical recording medium, MO (Magneto-Optical disc) etc., as semiconductor memory EEP-ROM (Electronically Erasable and Programmable Only Read Memory) etc. Can be used.

  Further, this program is distributed, for example, by selling, transferring, lending, etc. a portable recording medium such as a DVD, a CD-ROM or the like in which the program is recorded. Furthermore, this program may be stored in a storage device of a server computer, and the program may be distributed by transferring the program from the server computer to another computer via a network.

  For example, a computer that executes such a program first temporarily stores a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. Then, at the time of execution of the process, the computer reads the program stored in its own recording medium and executes the process according to the read program. Further, as another execution form of this program, the computer may read the program directly from the portable recording medium and execute processing according to the program, and further, the program is transferred from the server computer to this computer Each time, processing according to the received program may be executed sequentially. In addition, a configuration in which the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes processing functions only by executing instructions and acquiring results from the server computer without transferring the program to the computer It may be Note that the program in the present embodiment includes information provided for processing by a computer that conforms to the program (such as data that is not a direct command to the computer but has a property that defines the processing of the computer).

  Further, in this embodiment, the hardware entity is configured by executing a predetermined program on a computer, but at least a part of the processing content may be realized as hardware.

Claims (7)

A data sharing system comprising: a data sharing server that manages encrypted data obtained by encrypting data shared between two or more communication terminals belonging to a group sharing data and communication terminals belonging to the group; A data sharing method in which a server manages encrypted data C generated from data m to be shared by any communication terminal U _{i_0} belonging to the group,
The recording unit of the communication terminal U _{i_0} is a key pair of a public key pk generated from the public parameter params generated by the data sharing server and a secret key sk generated from a session key SK shared between communication terminals belonging to the group. I have recorded,
The communication terminal U _{i_0} generates encrypted data C by encrypting the data m using the public key pk, and transmits the encrypted data C to the data sharing server. When,
A data sharing method, comprising: the data sharing server managing the encrypted data C received from the communication terminal U _{i_0 so} that the encrypted data C received from the communication terminal U _{i_0} can be shared among the communication terminals belonging to the group. A data sharing system comprising: two or more communication terminals belonging to a group sharing data; and a data sharing server managing encrypted data obtained by encrypting data shared between the communication terminals belonging to the group, A data sharing method according to any one of the communication terminals U _{i — 1} that generates data m, which is original data before generating the encrypted data C from the encrypted data C managed by the data sharing server,
The recording unit of the communication terminal U _{i_1} is a key pair of a public key pk generated from the public parameter params generated by the data sharing server and a secret key sk generated from a session key SK shared between communication terminals belonging to the group. I have recorded,
The communication terminal U _{i — 1} generates an encrypted data acquisition request for specifying the encrypted data C, and transmits an encrypted data acquisition request to the data sharing server, the encrypted data acquisition request generating step;
Said data sharing server, the using the encrypted data acquisition request received from the communication terminal U _{i_1} obtains the encrypted data C, the encrypted data acquisition for transmitting the encrypted data C to the communication terminal U _{i_1} Step and
The communication terminal U _{i_1,} using the secret key sk, the by decrypting the encrypted data C received from the data sharing server, data sharing method comprising a decoding step of generating the data m. A data sharing system comprising: two or more communication terminals belonging to a group sharing data; and a data sharing server managing encrypted data obtained by encrypting data shared between the communication terminals belonging to the group, Data m ₁ , ..., m _k (k is shared by the data sharing server among the communication terminals belonging to the group when the session key shared among the communication terminals belonging to the group is updated from SK to SK ' encrypted data C ₁ 1 or more integer) the encrypted, ..., encrypted data C from the C _{k '1,} ..., C' a data sharing method for generating _k,
Wherein the communication terminal U _{i_2} data sharing server the encrypted data C _'1, ..., C' and one of the communication terminals belonging to said group to generate a re-encryption key rk used to generate the _k,
The recording unit of the communication terminal U _{i_2} is a key pair of the public parameter params generated by the data sharing server, the public key pk generated from the session key SK, and a secret key sk, the public parameter params, and the session key SK A key pair of 'public key pk' generated from 'and private key sk' is recorded,
The communication terminal U _{i_2} generates the re-encryption key rk from the public key pk, the secret key sk, and the public key pk ′, and transmits the re-encryption key rk to the data sharing server. A key generation step,
The data sharing server, the encrypted data C ₁ using the re-encryption key rk received from the communication terminal U _{i_2,} ..., by re-encrypting the C _k, the encrypted data C _'1, , C ′ _k generating encrypted data update step and the data sharing method.   A data sharing system for executing the data sharing method according to any one of claims 1 to 3.   The communication terminal contained in the data sharing system which performs the data sharing method of any one of Claims 1 thru | or 3.   A data sharing server included in a data sharing system that executes the data sharing method according to any one of claims 1 to 3.   A program for causing a computer to function as a communication terminal or data sharing server included in a data sharing system that executes the data sharing method according to any one of claims 1 to 3.

Images