JP2020161945A - Cryptographic system, user terminal, storage device, encryption method, authentication method, encryption program, and authentication program - Google Patents

Abstract

To manage writing authority without indicating a user's attribute.SOLUTION: A cryptographic system comprises a first user terminal and a storage device. The first user terminal encrypts data to be encrypted using a first attribute set for reading and a first encryption key for attribute-based encryption to generate encryption data; inputs an input value to a unidirectional function to generate an arithmetic result; and encrypts the input value using a second attribute set for writing and a second encryption key for attribute-based encryption to generate an encryption text. The storage device stores the encryption text, the unidirectional function, and the arithmetic result together with the encryption data; and, when a writing request for the encryption data is received from a second user terminal having a user attribute set, permits the second user terminal to perform writing to the encryption data on the condition that decryption of the encryption text by the second user is successful.SELECTED DRAWING: Figure 7

Description

The present invention relates to a cryptographic system, a user terminal, a storage device, a cryptographic method, an authentication method, a cryptographic program, and an authentication program.

In recent years, cloud storage services have become widespread as the number and size of electronic files have increased. When using cloud storage, electronic files are encrypted in order to protect personal and confidential information. Attribute-based encryption is known as an encryption method. Attribute-based encryption is an encryption technology in which a plurality of attributes are assigned to each user and only a user who satisfies the decryption conditions (policy) set based on the user's attributes can decrypt the ciphertext.

Normally, in a file sharing system, read permission and write permission are set for each file as file access rights. In attribute-based encryption, the decryption conditions (combination of attributes) set when encrypting a file correspond to the read permission of the file. However, since there is no such correspondence regarding the write authority of the file, problems such as falsification due to rewriting the file may occur as it is. On the other hand, authentication using an attribute-based signature may be performed (see, for example, Patent Document 1 and Patent Document 2).

JP-A-2007-295430 Japanese Patent Application Laid-Open No. 2013-527712

In the authentication using the attribute-based signature, the authentication by the attribute at the time of writing the file becomes possible. However, it is necessary to clarify the attributes of the user on the system side. Therefore, for example, if privacy information such as the place of origin is given as an attribute, there is a possibility of privacy infringement. In addition, if attributes for important information such as financial information are given, the possibility of being the target of an attack increases.

In the present technology, it is desired to manage write authority without showing the attribute of the user.

The cryptosystem according to one aspect of the present invention is a system using attribute-based cryptography. This cryptographic system includes a first user terminal and a storage device that stores cryptographic data generated by the first user terminal. The first user terminal generates encrypted data by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read authority, and the first encryption key of the attribute-based encryption. To do. The first user terminal generates an input value and also generates an operation result by inputting the input value to the one-way function. The first user terminal generates a ciphertext by encrypting an input value using a second attribute set which is a combination of attributes having write authority and a second encryption key of attribute-based encryption. The storage device stores the ciphertext, the one-way function, and the calculation result together with the encrypted data. When the storage device receives a write request for encrypted data from a second user terminal having a user attribute set including one or more attributes, the second user terminal is subject to the condition that the second user terminal can decrypt the ciphertext. Allows writing to encrypted data.

In this encryption system, a ciphertext is generated by encrypting an input value using a second attribute set, which is a combination of attributes having write authority, and a second encryption key of attribute-based encryption. Therefore, the ciphertext can be decrypted when the second user terminal has an attribute corresponding to the write authority. Therefore, the second user terminal is allowed to write to the encrypted data on condition that the second user terminal can decrypt the ciphertext. In this way, it is determined whether or not the second user terminal has the write authority without sending the information regarding the attributes of the second user terminal to the storage device. In other words, it is possible to manage the write authority without showing the attribute of the user (second user terminal).

When the storage device receives the write request for the encrypted data from the second user terminal, the storage device may transmit the ciphertext to the second user terminal. The second user terminal may generate a decryption result by decrypting the ciphertext. When the calculation result is obtained by inputting the decryption result generated by the second user terminal into the one-way function, the storage device may determine that the second user terminal has been able to decrypt the ciphertext. .. In this case, if the calculation result is obtained by inputting the ciphertext decrypted by the second user terminal into the one-way function, it can be considered that the second user terminal has decrypted the ciphertext. In this way, it is possible to manage the write authority without indicating the attribute of the user (second user terminal).

When the storage device receives the write request for the encrypted data from the second user terminal, the storage device may further transmit the one-way function and the calculation result to the second user terminal. The second user terminal may verify whether or not the ciphertext is valid data by using the decryption result, the one-way function, and the operation result. For example, if the storage device transmits the encrypted data instead of the ciphertext, the second user terminal decrypts the encrypted data and transmits the decryption result of the encrypted data to the storage device. As a result, the storage device can acquire the decryption result of the encrypted data. On the other hand, since it is verified whether the ciphertext is legitimate data, if the ciphertext is invalid data, it is possible to take measures such as not sending the decryption result to the storage device. Become.

The storage device may generate an input value by inputting data to be encrypted into another one-way function. The storage device may store another one-way function in addition to the encrypted data, the ciphertext, the one-way function, and the operation result. When the storage device receives a write request for the encrypted data from the second user terminal, the storage device may further transmit the encrypted data and another one-way function to the second user terminal in addition to the ciphertext. The second user terminal verifies whether or not the ciphertext is legitimate data by using another decryption result obtained by decrypting the encrypted data, another one-way function, and the decryption result. You may. In this case, since the input value is generated from the data to be encrypted, the second user terminal asks whether the ciphertext corresponds to the data to be encrypted, that is, whether the ciphertext is legitimate data. Whether or not it can be confirmed with certainty.

The storage device may determine whether or not the second user terminal was able to decrypt the ciphertext using the zero-knowledge proof. In this case, it is possible to prove to the storage device that the second user terminal was able to decrypt the ciphertext without the second user terminal transmitting the decryption result of the ciphertext to the storage device. Therefore, it is possible to improve safety.

When the storage device receives the read request for the encrypted data from the second user terminal, the storage device may transmit the encrypted data to the second user terminal. In the above encryption system, encryption data is generated by encrypting data to be encrypted using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption. To. Therefore, the encrypted data can be decrypted when the second user terminal has an attribute corresponding to the read authority. Therefore, the storage device only needs to transmit the encrypted data to the second user terminal. In this way, it is determined whether or not the second user terminal has the read authority without sending the information regarding the attributes of the second user terminal to the storage device. In other words, it is possible to manage the read authority without showing the attribute of the user (second user terminal).

A user terminal according to another aspect of the present invention encrypts data to be encrypted by using a first attribute set, which is a combination of attributes having read authority, and a first encryption key of attribute-based encryption. By doing so, encrypted data is generated, input values are generated, and operation results are generated by inputting input values to the unidirectional function. The second attribute set, which is a combination of attributes that have write permission, and the attribute base. An encrypted text is generated by encrypting the input value using the second encryption key of the cipher, and the encrypted text, the unidirectional function, and the calculation result are transmitted to the storage device together with the encrypted data.

In this user terminal, encrypted data is generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read permission, and the first encryption key of the attribute-based encryption. , A cipher is generated by encrypting an input value using a second attribute set, which is a combination of attributes having write permission, and a second encryption key of attribute-based encryption. Along with the encrypted data, the ciphertext, the one-way function, and the calculation result generated by inputting the input value into the one-way function are transmitted to the storage device. If another user terminal has an attribute corresponding to the write authority, the ciphertext can be decrypted. Therefore, for example, writing to the encrypted data may be permitted to the other user terminal on condition that the ciphertext can be decrypted by the other user terminal. This makes it possible to manage the write authority without showing the attribute of the user (another user terminal).

The storage device according to still another aspect of the present invention encrypts data to be encrypted by using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption. The cryptographic data generated in, the unidirectional function, the calculation result obtained by inputting the input value to the unidirectional function, and the second attribute set and attribute-based cipher which are a combination of attributes having write permission. Acquires the encrypted text generated by encrypting the input value using the second encryption key of the above, stores the encrypted text, the unidirectional function, and the calculation result together with the encrypted data, and stores the user terminal. When a write request for encrypted data is received from, it is determined whether or not the user terminal can decrypt the encrypted text, and when it is determined that the user terminal can decrypt the encrypted text, the user terminal is allowed to write to the encrypted data. ..

The ciphertext acquired and stored by this storage device is generated by encrypting the input value using the second attribute set, which is a combination of attributes having write authority, and the second encryption key of the attribute-based encryption. Will be done. Therefore, the ciphertext can be decrypted when the user terminal has an attribute corresponding to the write authority. Therefore, the user terminal is allowed to write to the encrypted data on condition that the user terminal can decrypt the ciphertext. In this way, it is determined whether or not the user terminal has the write authority without sending the information regarding the attributes of the user terminal to the storage device. In other words, it is possible to manage the write authority without indicating the attribute of the user (user terminal).

The encryption method according to still another aspect of the present invention is an encryption method performed by a user terminal. This encryption method generates encrypted data by encrypting data to be encrypted using a first attribute set, which is a combination of attributes having read authority, and a first encryption key of attribute-based encryption. A step, a step of generating an input value and a step of generating an operation result by inputting an input value to a unidirectional function, a second attribute set which is a combination of attributes having write permission, and a second attribute-based cipher. 2 A step of generating an encrypted text by encrypting an input value using an encryption key, and a step of transmitting the encrypted text, a unidirectional function, and a calculation result to a storage device together with the encrypted data. Be prepared.

In this encryption method, encrypted data is generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read authority, and the first encryption key of the attribute-based encryption. , A cipher is generated by encrypting an input value using a second attribute set, which is a combination of attributes having write permission, and a second encryption key of attribute-based encryption. Along with the encrypted data, the ciphertext, the one-way function, and the calculation result generated by inputting the input value into the one-way function are transmitted to the storage device. If the user terminal has an attribute corresponding to the write authority, the ciphertext can be decrypted. Therefore, for example, the user terminal may be permitted to write to the encrypted data on condition that the user terminal can decrypt the ciphertext. This makes it possible to manage the write authority without indicating the attribute of the user (user terminal).

An authentication method according to still another aspect of the present invention is an authentication method performed by a storage device. This authentication method includes encrypted data generated by encrypting data to be encrypted using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption. The unidirectional function, the calculation result obtained by inputting the input value to the unidirectional function, the second attribute set which is a combination of the attributes having write permission, and the second encryption key of the attribute-based cipher. A step to acquire the encrypted text generated by encrypting the input value using the data, a step to store the encrypted text, the unidirectional function, and the calculation result together with the encrypted data, and a step for the encrypted data from the user terminal. When a write request is received, a step of determining whether or not the user terminal can decrypt the encrypted text, and a step of permitting the user terminal to write to the encrypted data when it is determined that the user terminal can decrypt the encrypted text. And.

In this authentication method, a ciphertext generated by encrypting an input value using a second attribute set, which is a combination of attributes having write authority, and a second encryption key of attribute-based encryption, is acquired. , Stored. Therefore, the ciphertext can be decrypted when the user terminal has an attribute corresponding to the write authority. Therefore, the user terminal is allowed to write to the encrypted data on condition that the user terminal can decrypt the ciphertext. In this way, it is determined whether or not the user terminal has the write authority without sending the information regarding the attributes of the user terminal to the storage device. In other words, it is possible to manage the write authority without indicating the attribute of the user (user terminal).

A cryptographic program according to yet another aspect of the present invention encrypts data to be encrypted by using a first attribute set, which is a combination of attributes having read authority, and a first encryption key of attribute-based encryption. The second attribute, which is a combination of the step of generating encrypted data by doing this, the step of generating the input value by inputting the input value to the unidirectional function, and the step of generating the calculation result, and the attribute having write permission. A step to generate a cipher by encrypting an input value using a set and a second encryption key of an attribute-based cipher, and storage of the cipher, a unidirectional function, and an operation result together with the cipher data. It is a cryptographic program that causes a computer to execute a step to send to a device.

In this encryption program, encrypted data is generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read authority, and the first encryption key of attribute-based encryption. , A cipher is generated by encrypting an input value using a second attribute set, which is a combination of attributes having write permission, and a second encryption key of attribute-based encryption. Along with the encrypted data, the ciphertext, the one-way function, and the calculation result generated by inputting the input value into the one-way function are transmitted to the storage device. If the user terminal has an attribute corresponding to the write authority, the ciphertext can be decrypted. Therefore, for example, the user terminal may be permitted to write to the encrypted data on condition that the user terminal can decrypt the ciphertext. This makes it possible to manage the write authority without indicating the attribute of the user (user terminal).

An authentication program according to yet another aspect of the present invention encrypts data to be encrypted by using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption. The cryptographic data generated in, the unidirectional function, the calculation result obtained by inputting the input value to the unidirectional function, and the second attribute set and attribute-based cipher which are a combination of attributes having write permission. A step of acquiring an encrypted text generated by encrypting an input value using the second encryption key of the above, and a step of storing the encrypted text, a unidirectional function, and an operation result together with the encrypted data. When a write request for encrypted data is received from the user terminal, a step of determining whether or not the user terminal can decrypt the encrypted text, and when it is determined that the user terminal can decrypt the encrypted text, the user terminal is notified. It is an authentication program for causing a computer system including one or more computers to execute a step of permitting writing to encrypted data.

In this authentication program, the ciphertext generated by encrypting the input value using the second attribute set, which is a combination of attributes having write authority, and the second encryption key of the attribute-based encryption, is acquired. , Stored. Therefore, the ciphertext can be decrypted when the user terminal has an attribute corresponding to the write authority. Therefore, the user terminal is allowed to write to the encrypted data on condition that the user terminal can decrypt the ciphertext. In this way, it is determined whether or not the user terminal has the write authority without sending the information regarding the attributes of the user terminal to the storage device. In other words, it is possible to manage the write authority without indicating the attribute of the user (user terminal).

According to the present invention, the write authority can be managed without indicating the attribute of the user.

FIG. 1 is a diagram showing a configuration of a cryptographic system according to an embodiment. FIG. 2 is a diagram showing a hardware configuration of the user terminal shown in FIG. FIG. 3 is a diagram showing an example of an access structure used in attribute-based encryption. FIG. 4 is a sequence diagram showing an initial setting process in the encryption system shown in FIG. FIG. 5 is a sequence diagram showing an encryption key generation process in the encryption system shown in FIG. FIG. 6 is a sequence diagram showing a decryption key generation process in the encryption system shown in FIG. FIG. 7 is a sequence diagram showing a new write process in the encryption system shown in FIG. FIG. 8 is a sequence diagram showing a read process in the encryption system shown in FIG. FIG. 9 is a sequence diagram showing a write process in the encryption system shown in FIG. FIG. 10 is a sequence diagram showing another example of the new write process in the encryption system shown in FIG. FIG. 11 is a sequence diagram showing another example of the write process in the encryption system shown in FIG. FIG. 12 is a sequence diagram showing still another example of the new write process in the encryption system shown in FIG. FIG. 13 is a sequence diagram showing still another example of the write process in the encryption system shown in FIG.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the description of the drawings, the same elements are designated by the same reference numerals, and duplicate description is omitted.

FIG. 1 is a diagram showing a configuration of a cryptographic system according to an embodiment. FIG. 2 is a diagram showing a hardware configuration of the user terminal shown in FIG. As shown in FIG. 1, the encryption system 1 is a system for sharing information among a plurality of users, and is a system that performs encryption and decryption using attribute-based encryption. The encryption system 1 is, for example, a file sharing system. Attribute-based encryption is an encryption technology that allows only users who meet the decryption conditions (policy) set based on the user's attributes to decrypt the encrypted data. The encryption system 1 includes a user system 10, a plurality of key issuing institutions (key issuing institutions 20A to 20C in this embodiment), a public server 30, and a cloud storage 40 (storage device). The user system 10, the key issuing institutions 20A to 20C, the public server 30, and the cloud storage 40 are connected to each other by a network NW so as to be able to communicate with each other. The network NW may be configured by either wired or wireless. Examples of the network NW include a mobile communication network, the Internet, and a WAN (Wide Area Network).

The user system 10 is a user-side system that uses attribute-based encryption. The user system 10 includes a plurality of user terminals (user terminals 11A to 11C in this embodiment). The user terminal is a terminal device used by the user. Examples of user terminals include desktop PCs (Personal Computers), notebook PCs, smartphones, tablet terminals, and the like. Here, the user terminals 11A to 11C belong to the same organization. The user terminals 11A to 11C are communicably connected to each other by a LAN or the like, and are connected to the network NW via a gateway device (not shown). The user terminals 11A to 11C do not have to belong to the same organization.

As shown in FIG. 2, each of the user terminals 11A to 11C physically has one or more processors 101, a main storage device 102, an auxiliary storage device 103, an input device 104, an output device 105, and a communication device. It can be configured as a computer with hardware such as 106. An example of the processor 101 is a CPU (Central Processing Unit). The main storage device 102 is composed of, for example, a RAM (Random Access Memory) and a ROM (Read Only Memory). The auxiliary storage device 103 is composed of, for example, a hard disk device or a flash memory, and generally has a capacity capable of storing a larger amount of data than the main storage device 102. The input device 104 includes, for example, a keyboard, a mouse, a touch panel, and operation buttons. The output device 105 is composed of, for example, a display and a speaker. The communication device 106 is composed of, for example, a network interface card (NIC) or a wireless communication module.

Each of the users UA to UC has a user attribute set that is a combination of attributes including one or more attributes (hereinafter, may be referred to as an "attribute set"). The user UA uses the user terminal 11A, the user UB uses the user terminal 11B, and the user UC uses the user terminal 11C. The users UA to UC encrypt the data by the attribute-based encryption by using the application for the attribute-based encryption in the user terminals 11A to 11C, and the encrypted data (hereinafter, referred to as "encrypted data"). Is stored in the cloud storage 40. Further, the users UA to UC acquire the encrypted data from the cloud storage 40 and decrypt the encrypted data. The users UA to UC use the encryption and decryption of the attribute-based encryption to write the encrypted data (new creation, deletion, update, etc.) and read the encrypted data. Details of the encryption data writing process and reading process will be described later.

Each of the key issuing institutions 20A to 20C generates a public key and a private key of attribute-based cryptography. The public key is a key common to all users (user terminals 11A to 11C). The private key is a key unique to each user (user terminals 11A to 11C) and is generated according to the user attribute set of the user. A detailed description of the generation of the public key and the private key will be described later. The key issuing institutions 20A to 20C are provided outside the user system 10. Each of the key issuing institutions 20A to 20C transmits public information including the public key to the public server 30. Each of the key issuing institutions 20A to 20C is composed of one or more computers having the same hardware configuration as the user terminals 11A to 11C. Each of the key issuing institutions 20A to 20C may not include the input device 104 and the output device 105.

The public server 30 is a server device for disclosing (global) public information. The public server 30 receives public information from each of the key issuing institutions 20A to 20C, and stores the public information in a storage device (not shown). The public server 30 transmits public information to each institution in response to a request from each institution included in the encryption system 1. The public server 30 is composed of one or more computers having the same hardware configuration as the user terminals 11A to 11C. The public server 30 does not have to include the input device 104 and the output device 105.

The cloud storage 40 is also called online storage and is a service for sharing data on a network NW. The cloud storage 40 includes, for example, a single or multiple file servers. The cloud storage 40 receives data (including encrypted data) from the user terminals 11A to 11C and stores the received data. The cloud storage 40 transmits the stored data to the user terminals 11A to 11C in response to a request from the user terminals 11A to 11C. The method of managing the read authority and the write authority for the encrypted data will be described later.

Instead of the cloud storage 40, a storage device (local storage) provided in the user system 10 may be used. The cloud storage 40 is composed of one or more computers having the same hardware configuration as the user terminals 11A to 11C. The cloud storage 40 does not have to include the input device 104 and the output device 105.

Next, the attribute-based cipher will be described with reference to FIG. FIG. 3 is a diagram showing an example of an access structure used in attribute-based encryption. The access structure shown in FIG. 3 is shown in a tree format. The access structure represents a decryption condition (policy) that allows decryption. The policy is represented by the logical sum and the logical product of the attributes. In FIG. 3, a user who satisfies the condition of {attribute AT1∧ (attribute AT2∧attribute AT3)} ∨ attribute AT4 can decrypt the encrypted data. "∨" indicates the logical sum, and "∧" indicates the logical product. Each user specifies an access structure when encrypting data using an application for attribute-based cryptography.

For example, assume that the user UA of the user terminal 11A belongs to the development department, has experience in an overseas branch office, and is in charge of project P. In this case, the attributes of the user UA are, for example, "development department", "experienced person in overseas branch office", and "person in charge of project P". It is assumed that the user UB of the user terminal 11B belongs to the information group and is in charge of IoT (Internet of Things). In this case, the attributes of the user UB are, for example, "information G" and "IoT". It is assumed that the user UC of the user terminal 11C belongs to the general affairs section. In this case, the attribute of the user UC is, for example, "general affairs section".

In the access structure of FIG. 3, the attribute AT1 is the "development department", the attribute AT2 is the "experienced person in the overseas branch office", the attribute AT3 is the "project P person in charge", and the attribute AT4 is the "general affairs department". Suppose. In this case, the user attribute set of the user UA and the user UC satisfies the policy, so that the user UA and the user UC can decrypt the encrypted data. On the other hand, since the user attribute set of the user UB does not satisfy the policy, the user UB cannot decrypt the encrypted data.

Next, an operation example of the encryption system 1 will be described with reference to FIGS. 4 to 9. FIG. 4 is a sequence diagram showing an initial setting process in the encryption system shown in FIG. FIG. 5 is a sequence diagram showing an encryption key generation process in the encryption system shown in FIG. FIG. 6 is a sequence diagram showing a decryption key generation process in the encryption system shown in FIG. FIG. 7 is a sequence diagram showing a new write process in the encryption system shown in FIG. FIG. 8 is a sequence diagram showing a read process in the encryption system shown in FIG. FIG. 9 is a sequence diagram showing a write process in the encryption system shown in FIG.

For convenience of explanation, only the user UA is shown as the user. Here, the key issuing institutions 20A to 20C function as key issuing institutions for the private key and the public key in the cryptosystem 1, and any of the key issuing institutions is the key issuing institution for the private key and the public key in the cryptosystem 1. Is set in advance. Alternatively, the key issuing institution 20A may designate an institution to be the key issuing institution.

As shown in FIG. 4, in the encryption system 1, the initial setting process is first performed. Specifically, each user applies for a usage attribute. Here, only the user UA will be described, but the same applies to other users. The user UA applies the usage attribute to the key issuing institution 20A using the user terminal 11A (step S11). The application for usage attributes includes a combination of attributes including user attributes or attributes that the user wants to use (user attribute set), and identification information for identifying the user (user identification information). As the user identification information, a combination of a login ID (identifier) and a password registered in advance on a web page or the like can be used. The IP (Internet Protocol) address of the user terminal used by the user may be used as the user identification information.

Subsequently, when the key issuing institution 20A receives the application for the usage attribute from each user, the key issuing institution 20A performs the initial setting (step S12). In step S12, the key issuing authority 20A is a cyclic group G1 consisting of a generator _{g 1} of the prime p1 and quantile, a cyclic group G2 consisting of a generator _{g 2} for the prime p2 and of order, the formula (1) The cyclic group GT having the bilinear mapping e represented by is determined. The cyclic group G1 is a cyclic group having a prime number p1 as an order, and is a cyclic group in which multiplication is defined. The cyclic group G2 is a cyclic group having a prime number p2 as an order, and is a cyclic group in which multiplication is defined. The cyclic group GT is a cyclic group in which addition and multiplication are defined. Then, the key issuing institution 20A determines the bilinear map e satisfying the equation (1). The bilinear map e is a map that has two arguments and is represented by e (・, ・).

Subsequently, the key issuing institution 20A randomly determines a random number b (b ∈ Z _p1 ) and calculates the element g ₁ ^b .

In addition, the key issuing institution 20A has random numbers h ₁ , h ₂ , ..., h _N (h ₁ , h ₂ , ..., From the cyclic group G1) for the N attributes applied by each user. h _N ∈ G1) is randomly selected.

Then, the key issuing institution 20A includes a generator g ₁ , a generator g ₂ , a generator g ₁ ^b , a bilinear map e, a random number h ₁ , h ₂ , ..., H _N , and a key issuing institution (here, the key issuing institution 20A). In order to disclose the identification information (issuing institution identification information) for identifying the key issuing institution 20A to 20C) as public information, the public information is transmitted to the public server 30 (step S13). As the issuing institution identification information, for example, the IP address of the key issuing institution is used. Then, the public server 30 stores the public information in a storage device (not shown) (step S14).

The key issuing institution 20A executes step S12 after receiving applications for usage attributes from all users, but the execution timing of step S12 is not limited to this. For example, the key issuing authority 20A may perform the generation option based g ₁ and a generator g _2, calculation of the original g ₁ ^b, as well as determination of the bilinear mapping e before receiving the request usage attribute from the user, The generator g ₁ , the generator g ₂ , the generator g ₁ ^b , the bilinear map e, and the issuing institution identification information may be transmitted to the public server 30 before receiving the application for the usage attribute from the user. When the key issuing institution 20A receives an application for a new attribute from the user, it selects a random number h _n (n is an integer of 1 to N) corresponding to the attribute and transmits the selected random number h _n to the public server 30. You may. Further, each user and the user attribute set of the user may be associated with each other, and the correspondence relationship between each user and the user attribute set of the user may be managed by the key issuing institution 20A. The key issuing institution 20A may transmit the correspondence between each user and the user attribute set of the user to another key issuing institution.

Subsequently, each user (user terminal 11A) and a key issuing institution other than the key issuing institution 20A (here, the key issuing institution 20B, 20C) among the plurality of key issuing institutions acquire public information from the public server 30. (Step S15). Each institution in the encryption system 1 has acquired the IP address of the public server 30 in advance.

Subsequently, as shown in FIG. 5, the encryption system 1 performs an encryption key generation process. In the encryption key generation process, first, each key issuing institution (here, key issuing institution 20A to 20C) generates a public key PK ^j (step S21). A number j (j is an integer of 1 to Nc) is assigned to each key issuing institution. The total number Nc is the total number of key issuing institutions that generate the public key PK ^j and the private key SK _u ^j . In step S21, the j-th key issuing institution generates a random number a _j , performs the calculation shown in the equation (2), and generates the public key PK ^j .

Each key issuing authority sends the public key PK ^j to the public server 30 to publish the public key PK ^j (step S22). Then, the public server 30 stores the public key PK ^j as public information in a storage device (not shown) (step S23).

Subsequently, each institution in the cryptosystem 1 (here, the user terminal 11A and the key issuing institution 20A to 20C) acquires Nc public keys PK ^j from the public server 30 (step S24). Then, each institution generates an encryption key PK for encryption of the attribute-based encryption using Nc public keys PK ^j (step S25). Specifically, each institution adds each public key PK ^j as shown in the equation (3), and calculates the addition result e (g ₁ , g ₂ ) ^a .

Then, as shown in the equation (4), each institution uses the public information and the addition result e (g ₁ , g ₂ ) ^a as the encryption key PK for encrypting the attribute-based encryption.

Thus, the encryption key generating process, each of the key issuing authority 20A-20C, and generates a public key PK ^j, publishes the public key PK ^j. The user terminal 11A acquires the public key PK ^j generated by the key issuing institutions 20A to 20C, and uses these public key PK ^j to generate the encryption key PK for encrypting the attribute-based encryption.

Subsequently, as shown in FIG. 6, the encryption system 1 performs a decryption key generation process. Here, the case where the user terminal 11A generates the decryption key will be described. In the decryption key generation process, the user terminal 11A first requests a private key from each key issuing institution (here, key issuing institution 20A to 20C) (step S31). At this time, the user terminal 11A specifies a combination of attributes of the user UA (user attribute set) and requests a private key corresponding to the user attribute set of the user UA.

Then, when each key issuing institution (here, the key issuing institution 20A to 20C) receives the request for the private key from the user terminal 11A, each key issuing institution generates a private key according to the user attribute set of the user UA (step S32). At this time, each key issuing authority may reject the user attribute set of the designated user UA when the user attribute set of the designated user UA includes attributes unrelated to the user UA.

In step S32, first, each key issuing institution randomly determines a random number _su ^j for the user terminal 11A (user UA), and performs the calculation represented by the equation (5). The random number s _u ^j is a value determined for each user. The total number X of the attributes of the user UA (attributes included in the user attribute set of the user UA) is N or less of the total number of attributes used in the user system 10. The random number h _ux is a random number h _n corresponding to the xth attribute of the X attributes of the user UA.

Subsequently, the key issuing authority, transmitting the secret key _SK ^{u j} represented by the formula (6) to the user terminal 11A for (distributed) (step S33).

Then, the user terminal 11A uses Nc private keys SK _u ^j to generate a decryption key SK _u for decrypting the attribute-based encryption (step S34). Specifically, as shown in the equations (7) and (8), the user terminal 11A adds Nc private keys SK _u ^j for each element, and the addition result is used as the decryption key SK _u . .. Note that the decryption key SK _u, includes X number of attribute keys (attribute key _K u1 _{~K uX)} is.

As described above, in the decryption key generation process, the user terminal 11A requests the key issuing institutions 20A to 20C for the private key SK _u ^j according to the user attribute set of the user UA. Each of the key issuing authority 20A-20C, in response to a request from the user terminal 11A, to distribute the secret key _SK ^{u j} to the user terminal 11A generates the secret key _SK ^{u j.} The user terminal 11A acquires the private key SK _u ^j from the key issuing institutions 20A to 20C, and uses these private keys SK _u ^j to generate the decryption key SK _u for decrypting the attribute-based encryption.

Next, a new writing process of encrypted data will be described. Before the user uses the cloud storage 40, the initial setting process, the encryption key generation process, and the decryption key generation process are completed. Here, a case where the user terminal 11A (first user terminal) performs new writing will be described. The new write process is a process of newly writing to a place or the like where the write authority is not set.

As shown in FIG. 7, a new writing process, first, the user UA to generate an encrypted data _{Msg enc} by encrypting desired data Msg using the user terminal 11A (step S41). For example, a cryptographic application for attribute-based cryptography is pre-installed on the user terminal 11A. The user UA sets the read authority and the write authority of the data in the encryption application. Read permission and write permission are set by the user specifying an attribute set (access structure) which is a combination of attributes.

In the example of FIG. 3, a user who has a combination of attributes of "development department", "experienced person in overseas branch office", and "person in charge of project P", or a user who has a combination of attributes of "general affairs section" has read and write authority. The access structure is specified so as to have. In addition, each user can specify an arbitrary access structure, and for example, an access structure to which the user does not have read / write authority can be specified. The user may specify the same access structure for the read authority and the write authority, or may specify different access structures from each other.

Then, the user terminal 11A expresses the designated read access structure (first attribute set) in the form of a matrix Mr of l rows and m columns by using the linear secret sharing method. The total number of rows l is an attribute included in the access structure, and is equal to the number of attributes when the duplicated attributes are counted separately. For example, in the example of FIG. 3, the matrix Mr represented by the equation (9) is generated as an example of the matrix satisfying the policy.

Then, the user terminal 11A randomly generates a vector v including m elements corresponding to the matrix Mr. As shown in the equation (10), the vector v includes the secret information s and the random numbers z _{2 to} z _m .

Then, the user terminal 11A, as shown in equation (11), the vector v and, i of the matrix Mr (i is an integer of 1 to L) calculates the value lambda _i with a row Mr _i th row To do.

Subsequently, the user terminal 11A randomly determines l random numbers r _i . Then, as shown in the equation (12), the user terminal 11A encrypts the data Msg to be encrypted using the value λ _i , the random number r _i, and the encryption key PK (first encryption key). to generate the encrypted data _{Msg enc.} In other words, the user terminal 11A generates the encrypted data Msg _ench by encrypting the data Msg to be encrypted using the access structure for reading and the encryption key PK. The random number h _{ρ (i)} is a random number h _n corresponding to the attribute of the i-th row.

Subsequently, the user terminal 11A prepares (generates) the one-way function f, generates the input value x, and inputs the input value x to the one-way function f to generate the calculation result f (x). (Step S42). The one-way function f is a function that can be easily calculated, but the calculation of the inverse function is very difficult or impossible. The input value x is an argument of the one-way function f. Examples of the one-way function f include multiplication of two different prime numbers and a hash function.

Here, as the one-way function f, multiplication with a prime number having a large value is used. In this case, the input value x is a prime number having a large value. As described above, the one-way function f of the present embodiment can easily calculate the multiplication result of two prime numbers having different large values, but the original two prime numbers are obtained by factoring the multiplication result into prime factors. It is a function that takes advantage of the property that it is difficult to obtain. Prime numbers are generated, for example, as follows. The user terminal 11A generates a random numerical value and determines whether or not the generated numerical value is a prime number by using a prime number determination method such as the Miller-Rabin primality test method. By repeating the above procedure, the user terminal 11A randomly generates a numerical value until a prime number is obtained.

Subsequently, the user terminal 11A generates the ciphertext x _ench of the input value x by encrypting the input value x (step S43). Similar to step S41, the user terminal 11A first expresses the access structure for writing (second attribute set) in the form of a matrix Mw. Then, the user terminal 11A generates a vector v corresponding to the matrix Mw and calculates the value λ _i . Then, the user terminal 11A randomly determines random numbers r _i for the number of rows in the matrix Mw. Then, as shown in the equation (12), the user terminal 11A encrypts the input value x using the value λ _i , the random number r _i, and the encryption key PK (second encryption key), and the ciphertext x. Generate an _enc . In other words, the user terminal 11A generates the ciphertext x _ench by encrypting the input value x using the access structure for writing and the encryption key PK. The vector v, the value λ _i , and the random number r _i used for encrypting the input value x are given the same codes as the vector v, the value λ _i , and the random number r _i used for encrypting the data Msg. but the vector v to be used to encrypt the input value x, the value lambda _i, and the random number r _i, the vector used to encrypt the data Msg v, the value lambda _i, and the random number r _i, are different from each other.

Subsequently, the user terminal 11A transmits the encrypted data _Msgenc , the ciphertext _xenc , the one-way function f, and the calculation result f (x) to the cloud storage 40 (step S44). When the cloud storage 40 receives the cryptographic data _Msgenc , the ciphertext x _ench , the one-way function f, and the calculation result f (x) from the user terminal 11A, the cloud storage 40 receives the cryptographic data _Msgenc , the ciphertext x _ench , and the one-way function. f and the calculation result f (x) are associated with each other as one set and stored in a storage device (not shown) (step S45). As a result, the new writing process is completed.

Next, the process of reading the encrypted data will be described. Here, a case where the user terminal 11B (second user terminal) performs reading will be described. As shown in FIG. 8, a read process, first the user UB is using the user terminal 11B, and transmits the read request encrypted data _{Msg enc} the cloud storage 40 (step S51). The cloud storage 40 transmits, when receiving a request to read encrypted data _{Msg enc} from the user terminal 11B, the encrypted data _{Msg enc} being requested read from the storage device (not shown), the encrypted data _{Msg enc} to the user terminal 11B (Step S52).

Subsequently, the user terminal 11B receives the encrypted data _{Msg enc} from the cloud storage 40, decodes the encrypted data _{Msg enc} using the decryption key SK _u user UB (step S53). At this time, the user terminal 11B, when satisfying policy user attribute set of the user UB is set to the encrypted data _{Msg enc} can calculate the value _{w i} satisfying Equation (13).

Then, the user terminal 11B, as shown in equation (14), decrypts the encrypted data _{Msg enc} by using the decryption key SK _u values _{w i} and the user UB, obtain the original data Msg. With the above, the reading process is completed. The attribute key K _{ρ (i)} is the attribute key K _ux corresponding to the attribute on the i-th row of the l attributes included in the matrix Mr (access structure for reading).

Thus, each user, only if they meet the policy which the user set of attributes itself is set to the encrypted data Msg _enc, decryption of the encrypted data Msg _enc is possible using a decryption key of the user. The security of attribute-based cryptography is due to the difficulty of the discrete logarithm problem. From one example, a generator g ₁ of the original g ₁ ^a1 Tokyo, is the property that it is difficult to calculate the random number a _1. Due to this property, it can be said that the above attribute-based cipher is secure.

Next, the writing process for the encrypted data will be described. Here, the case where the user terminal 11B writes is described. The writing process includes updating and deleting the encrypted data. As shown in FIG. 9, in the writing process, first the user UB is using the user terminal 11B, and transmits the write request to the cloud storage 40 for encrypted data _{Msg enc} (the update request) (step S61). The cloud storage 40 receives a write request for the encrypted data _{Msg enc} from the user terminal 11B, the ciphertext _{x enc} that is associated with the encrypted data _{Msg enc} being requested, one-way function f, and the operation result f (x) is read from a storage device (not shown), and the ciphertext x _ench , the one-way function f, and the calculation result f (x) are transmitted to the user terminal 11B (step S62).

Subsequently, the user terminal 11B, the ciphertext _{x enc} from the cloud storage 40, one-way function f, and the operation result upon receiving the f (x), the decoding of the ciphertext _{x enc} using the decryption key SK _u user UB (Step S63). In this case, as in step S53, the user terminal 11B, when satisfying policy user attribute set of the user UB is set to the ciphertext x _enc is able to calculate the value w _i satisfying Equation (13) it can. Then, the user terminal 11B, similarly as the equation (14), decrypts the ciphertext _{x enc} by using the decryption key SK _u values _{w i} and the user UB, the original input value x (hereinafter, the ciphertext x _The input value obtained by decoding the _ench is expressed as "input value x _dec ").

Subsequently, the user terminal 11B verifies whether or not the ciphertext x _ench received from the cloud storage 40 is legitimate data (step S64). Specifically, the user terminal 11B inputs the input value x _dec (decoding result) obtained in step S63 into the one-way function f received from the cloud storage 40 as an argument, thereby inputting the calculation result f (x). _dec ) is generated. Then, the user terminal 11B collates the calculation result f (x _dec ) with the calculation result f (x) received from the cloud storage 40. When the two calculation results are the same (match), the user terminal 11B determines that the ciphertext x _ench received from the cloud storage 40 is legitimate data, and sets the input value x _dec to the cloud storage 40. Transmit (step S65). At this time, the user terminal 11B, and transmits the additional information for specifying the encrypted data Msg _enc requesting writing. On the other hand, when the two calculation results are different from each other, the user terminal 11B determines that the ciphertext x _ench received from the cloud storage 40 is invalid data, and does not transmit the input value x _dec to the cloud storage 40.

Subsequently, when the cloud storage 40 receives the input value x _dec from the user terminal 11B, the cloud storage 40 determines whether or not the user UB has the write authority (step S66). Specifically, cloud storage 40 reads out the one-way function f that is associated with encrypted data Msg _enc being requested from the storage device (not shown), the input value x _dec received from the user terminal 11B , The operation result f (x _dec ) is generated by inputting it as an argument to the read one-way function f.

The cloud storage 40 reads the requested Cipher data _{Msg enc} and correlated its dependent computation result f (x) from a storage device (not shown), the operation result f (x) and the operation result _{f (x dec)} And match. When the two calculation results are the same (match), the cloud storage 40 determines that the user UB of the user terminal 11B has the write authority and permits the write (step S67). On the other hand, when the two calculation results are different from each other, the cloud storage 40 determines that the user UB of the user terminal 11B does not have the write authority and does not allow the write.

Then, when the user terminal 11B obtains write permission from the cloud storage 40, the user terminal 11B updates the encrypted data _{Msgenc and} the like. Since the subsequent processing is the same as the new writing processing, the description thereof will be omitted. With the above, the writing process is completed. The user terminal 11B may use the input value x and the one-way function f used for writing the data Msg in updating the encrypted data _Msgenc , etc., and newly adds the input value x and the one-way function f. The input value x and the one-way function f may be changed, respectively.

In this way, when the user terminal 11A newly writes to the cloud storage 40, the user terminal 11A encrypts the data Msg by using the read access structure and the encryption key PK. In addition to generating the data Msg _ench , the ciphertext x _ench is generated by encrypting the input value x using the access structure for writing and the encryption key PK. Then, the user terminal 11A transmits the encrypted data Msg _ench , the ciphertext x _ench , the one-way function f, and the calculation result f (x) to the cloud storage 40, and the cloud storage 40 uses the encrypted data Msg _ench and the ciphertext. The x _ench , the one-way function f, and the operation result f (x) are stored.

If the user terminal 11B that can decrypt the encrypted data _{Msg enc,} be considered to have the permission to read encrypted data _{Msg enc.} Therefore, when the user terminal 11B reads the encrypted data Msg _enc from the cloud storage 40, cloud storage 40 without determining whether the user terminal 11B (user UB) has read permission, the user terminal The encrypted data _Msgenc is transmitted to 11B. On the other hand, when the user terminal 11B writes against encrypted data _{Msg enc} stored in cloud storage 40, cloud storage 40 first ciphertext _{x enc,} one-way function f, and the operation result f (x ) Is sent to the user terminal 11B. Then, the user terminal 11B obtains the input value x _dec by decrypting the ciphertext x _ench . The cloud storage 40, the one-way function f that is associated with the encrypted data _{Msg enc,} by inputting an input value _{x dec} of the user terminal 11B is generated, to obtain the operation result _f the _{(x dec).} The cloud storage 40, a cryptographic data _{Msg enc} and correlated its dependent computation result f (x), if the operation result of the _{f (x dec),} are matched, the user terminal 11B (user UB) write It determines that the user has authority to allow writing to the encrypted data _{Msg enc} to the user terminal 11B.

Step S64 may be omitted. In this case, in step S62, cloud storage 40 receives a write request for the encrypted data _{Msg enc} from the user terminal 11B, stores the ciphertext _{x enc} that is associated with the encrypted data _{Msg enc} being requested not shown It may be read from the device and the ciphertext x _ench may be transmitted to the user terminal 11B.

Next, the functional configurations of the user terminals 11A to 11C and the cloud storage 40 will be described. Each of the user terminals 11A to 11C is step S11, S15 in FIG. 4, steps S24, S25 in FIG. 5, steps S31, S33, S34 in FIG. 6, steps S41 to S44 in FIG. 7, and steps S51 to S53 in FIG. , And a plurality of functional units for executing the encryption method including steps S61 to S65 and S67 of FIG. The plurality of functional parts correspond to each step of the encryption method.

For example, for the new write process shown in FIG. 7, each of the user terminals 11A to 11C encrypts the data Msg using the read access structure and the encryption key PK to obtain the encrypted data _Msgenc . A first encryption unit to be generated, an arithmetic unit that generates an input value x and an arithmetic result f (x) by inputting an input value x to the unidirectional function f, and an access structure for writing. A second encryption unit that generates an encryption sentence x _ench by encrypting an input value x using an encryption key PK, and an encryption data Msg _{ench, as} well as an encryption sentence x _ench , a unidirectional function f, and an operation. It includes a transmission unit that transmits the result f (x) to the cloud storage 40.

Similarly, the cloud storage 40 has a plurality of functional units for executing an authentication method including steps S44 and S45 of FIG. 7, steps S51 and S52 of FIG. 8, and steps S61, S62 and S65 to S67 of FIG. I have. The plurality of functional units correspond to each step of the authentication method. For example, for the new write process shown in FIG. 7, the cloud storage 40 has an acquisition unit for acquiring the encrypted data _Msgenc , the ciphertext _xenc , the one-way function f, and the operation result f (x), and the encryption. Along with the data Msg _ench , a storage unit for storing the ciphertext x _ench , the one-way function f, and the calculation result f (x) is provided. Further, the write processing shown in FIG. 9, cloud storage 40, when receiving a write request for the encrypted data _{Msg enc} from the user terminal 11B, the user terminal 11B is determined whether it can decrypt the ciphertext _{x enc} a determination unit that, when the user terminal 11B is determined by the determination unit can be decrypted ciphertext x _enc, comprises and authorization unit for permitting writing to encrypted data Msg _enc to the user terminal 11B, the.

Each function of the user terminals 11A to 11C is realized by a predetermined computer program (encryption program) for causing the computer to execute the encryption method. Specifically, by having the hardware such as the main storage device 102 of the computer read the encryption program, each hardware is operated under the control of one or more processors 101, and the main storage device 102 and the auxiliary are assisted. This is realized by reading and writing data in the storage device 103. The encryption program may be provided in a state of being fixedly recorded on a tangible recording medium such as a CD-ROM (Compact Disk Read Only Memory), a DVD-ROM (Digital Versatile Disk Read Only Memory), and a semiconductor memory. .. The cryptographic program may be provided via a communication network as a data signal superimposed on a carrier wave. The provided cryptographic program is stored in the auxiliary storage device 103.

Each function of the cloud storage 40 is realized by a predetermined computer program (authentication program) for causing a computer system including one or more computers to execute an authentication method. Specifically, by loading a predetermined authentication program into hardware such as the main storage device 102 of the computer system, each hardware is operated under the control of one or more processors 101, and the main storage device is operated. It is realized by reading and writing data in the 102 and the auxiliary storage device 103. The authentication program may be provided in a state of being fixedly recorded on a tangible recording medium such as a CD-ROM, a DVD-ROM, and a semiconductor memory. The authentication program may be provided via a communication network as a data signal superimposed on a carrier wave.

As described above, in the encryption system 1, the user terminal 11A encrypts the data Msg by using the read access structure, which is a combination of attributes having read authority, and the encryption key PK. The data _Msgenc is generated and stored in the cloud storage 40. Therefore, the cloud storage 40 cannot peep into the data Msg. Further, in the encryption system 1, the ciphertext x _enc is obtained by encrypting the input value x using the access structure for writing, which is a combination of attributes having write authority, and the encryption key PK of the attribute-based encryption. Will be generated. Therefore, when the user terminal 11B (user UB) has an attribute corresponding to the write authority, the ciphertext _xenc can be decrypted. Therefore, on condition that the user terminal 11B could decrypt the ciphertext _{x enc,} writing to the encrypted data _{Msg enc} is permitted to the user terminal 11B. In this way, it is determined whether or not the user terminal 11B (user UB) has the write authority without the user terminal 11B sending the information regarding the attributes of the user terminal 11B (user UB) to the cloud storage 40. .. In other words, it is possible to manage the write authority without showing the attribute of the user terminal 11B (user UB). As a result, it is possible to reduce the possibility of invading privacy and being the target of attacks.

If the user terminal 11B can decrypt the ciphertext x _enc , the calculation result obtained by inputting the input value x _dec obtained by decrypting the ciphertext x _enc into the one-way function f. f _{(x dec)} matches the encrypted data _{Msg enc} and correlated its dependent computation result f (x) in the cloud storage 40. Thus, cloud storage 40, when receiving a write request for the encrypted data _{Msg enc} from the user terminal 11B, and transmits at least the ciphertext _{x enc} to the user terminal 11B. Then, the ciphertext is decrypted by the user terminal 11B _{x enc} (input value _{x dec)} the one-way function calculation result obtained by inputting the _f f _{(x dec)} is associated with the encrypted data _{Msg enc} when matching the in which the operation result f (x), the user terminal 11B is can be regarded as can be decrypted ciphertext _{x enc,} writing to the encrypted data _{Msg enc} is permitted to the user terminal 11B. In this way, it is possible to manage the write authority without showing the attribute of the user UB (user terminal 11B). In the above embodiment, the cloud storage 40 generates the calculation result f (x _dec ), but the user terminal 11B may generate the calculation result f (x _dec ).

For example, if the user terminal 11B does not perform step S64, and the cloud storage 40 transmits the encrypted data Msg _ench instead of the encrypted text x _ench , the user terminal 11B decrypts the encrypted data Msg _ench and the original data. Msg (hereinafter, the data Msg obtained by decrypting the encrypted data Msg _ench is referred to as "data Msg _dec ") is transmitted to the cloud storage 40. As a result, the cloud storage 40 can acquire the data Msg _dec . On the other hand, the user terminal 11B verifies whether or not the ciphertext x _ench received from the cloud storage 40 is legitimate data. Therefore, if the ciphertext x _ench is invalid data, the input value x It is possible to take measures such as not transmitting the _dec to the storage device.

In the encryption system 1, the encrypted data Msg _ench is generated by encrypting the data Msg using the access structure for reading, which is a combination of attributes having read authority, and the encryption key PK. Therefore, when it has the attributes of the user terminal 11B corresponding to the read permission, it is possible to decrypt the encrypted data Msg _enc. Thus, cloud storage 40, when receiving a read request for the encrypted data _{Msg enc} from the user terminal 11B, it is only necessary to transmit the encrypted data _{Msg enc} to the user terminal 11B. In this way, it is determined whether or not the user terminal 11B has the read authority without sending the information regarding the attributes of the user terminal 11B to the cloud storage 40. In other words, it is possible to manage the read authority without showing the attribute of the user UB (user terminal 11B).

User terminals 11A to 11C, cloud storage 40, encryption method performed by user terminals 11A to 11C, authentication method performed by cloud storage 40, encryption program for causing user terminals 11A to 11C to execute encryption method, and authentication to cloud storage 40. The same effect as that of the encryption system 1 is obtained in the authentication program for implementing the method.

The encryption system, user terminal, storage device, encryption method, authentication method, encryption program, and authentication program according to the present invention are not limited to the above embodiments.

In the above embodiment, each user applies for the usage attribute to the key issuing institution 20A, but the usage attribute may be applied to another key issuing institution. For example, when a key issuing institution in which a user of one organization applies for a usage attribute is different from a key issuing institution in which a user of another organization applies for a usage attribute, the usage attribute is applied to two or more key issuing institutions. Application may be made. In such a case, one key issuing institution (for example, the key issuing institution 20A) may compile the attributes applied to the other key issuing institution. The other key issuing institution applies to the key issuing institution 20A for the usage attribute for the usage attribute applied to itself. The key issuing institution 20A performs the initial setting in the same manner as in the above embodiment.

The encryption system 1 does not have to include the public server 30. In this case, the public information is directly distributed to each institution in the encryption system 1 by e-mail or the like.

User attributes may be determined by predetermined rules. For example, when the user is a company employee, attributes such as the department to which the user belongs and the year of joining the company are managed. In this case, these attributes may be collectively applied for in the management department of the company, and each user does not have to apply for the usage attribute.

The user system 10 may include not only user terminals belonging to one organization but also user terminals belonging to different organizations. In this case, attributes with the same name may be used by two or more organizations. Therefore, the attribute name and the like are set so that the attributes of each organization can be uniquely identified. For example, when the user UA belongs to company E, the user UB belongs to company F, and the user UA and the user UB apply for the usage attribute for the attribute of "general affairs section", the attribute name is "general affairs section E". The two attributes are distinguished as "company" and "general affairs section F company", or the attribute of the company name and the attribute of "general affairs section" are logically multiplied.

The user terminal 11A~11C includes encryption key PK for reading, may be generated, and the encryption key PK for writing, a decryption key SK _u for reading, a decryption key SK _u for writing, May be generated. In this case, the key issuing authority 20A is for N attributes request by the user, 2N random numbers _h 1 from a cyclic group _{G1, h 2, ···, h} 2N (h 1, h 2, ..., H _2N ∈ G1) is randomly selected. That is, a read attribute and a write attribute are prepared as user attributes.

Further, the new writing process and the writing process are not limited to the examples shown in FIGS. 7 and 9. For example, zero-knowledge proofs may be used to increase security. FIG. 10 is a sequence diagram showing another example of the new write process in the encryption system shown in FIG. FIG. 11 is a sequence diagram showing another example of the write process in the encryption system shown in FIG. Here, a case where the user terminal 11A performs new writing and the user terminal 11B writes is described.

In the new writing process shown in FIG. 10, as in step S41, the user UA first encrypts the desired data Msg using the user terminal 11A to generate encrypted data Msg _ench (step S71). Subsequently, the user terminal 11A prepares (generates) the one-way function f and the hash function h to generate the input value x, and inputs the input value x to the one-way function f to obtain the calculation result f ( x) is generated (step S72). Further, the user terminal 11A generates a prime number p, a random number g, and a random number q, and calculates an output value y using the equation (15).

Subsequently, similarly to step S43, the user terminal 11A generates the ciphertext x _ench of the input value x by encrypting the input value x (step S73). Then, the user terminal 11A stores the cryptographic data Msg _ench , the ciphertext x _ench , the one-way function f, the calculation result f (x), the output value y, the random number g, the prime number p, the random number q, and the hash function h in the cloud storage. It is transmitted to 40 (step S74). The cloud storage 40 receives the encrypted data _Msgenc , the encrypted text _xenc , the one-way function f, the calculation result f (x), the output value y, the random number g, the prime number p, the random number q, and the hash function h from the user terminal 11A. Upon receipt, the cryptographic data _Msgenc , the cryptographic text _xenc , the one-way function f, the operation result f (x), the output value y, the random number g, the prime number p, the random number q, and the hash function h are associated as one set. Is stored in a storage device (not shown) (step S75). As a result, the new writing process is completed.

In the write processing is shown in FIG. 11, first, the user UB is using the user terminal 11B, and transmits the write request to the cloud storage 40 for encrypted data _{Msg enc} (the update request) (step S81). The cloud storage 40 receives a write request for the encrypted data _{Msg enc} from the user terminal 11B, the ciphertext _{x enc} that is associated with the encrypted data _{Msg enc} being requested, one-way function f, computation result f (X), output value y, random number g, prime number p, random number q, and hash function h are read from a storage device (not shown), and the cipher statement x _ench , one-way function f, calculation result f (x), output. The value y, the random number g, the prime number p, the random number q, and the hash function h are transmitted to the user terminal 11B (step S82).

Subsequently, when the user terminal 11B receives the ciphertext x _ench , the one-way function f, the calculation result f (x), the output value y, the random number g, the prime number p, the random number q, and the hash function h from the cloud storage 40. , as in step S63, it decodes the ciphertext _{x enc} using the decryption key SK _u of the user UB, obtain the input value _{x dec} (step S83).

Subsequently, the user terminal 11B verifies whether or not the ciphertext x _ench received from the cloud storage 40 is legitimate data, as in step S64. (Step S84). When the user terminal 11B determines that the ciphertext x _ench received from the cloud storage 40 is legitimate data, the user terminal 11B generates a random number r and uses the equations (16) to (18) to generate the values α and β. And the value γ are calculated (step S85).

Then, the user terminal 11B transmits the value α and the value γ to the cloud storage 40 (step S86). At this time, the user terminal 11B, and transmits the additional information for specifying the encrypted data Msg _enc requesting writing. On the other hand, when the user terminal 11B determines that the ciphertext x _ench received from the cloud storage 40 is invalid data, the user terminal 11B does not perform the processing after step S85.

Subsequently, when the cloud storage 40 receives the value α and the value γ from the user terminal 11B, the cloud storage 40 determines whether or not the user UB has the write authority (step S87). Specifically, cloud storage 40, the encrypted data Msg _enc and association are output values are y being requested, a random number g, primes p, a random number q, and read a hash function h from the storage device (not shown) , By performing the calculation shown in the equation (17) using the value α received from the user terminal 11B, the value β (hereinafter, the value β calculated by the cloud storage 40 is referred to as “value β _serv ”). To get. Then, the cloud storage 40 determines whether or not the equation (19) is satisfied. The fact that this equation (19) holds means that the user terminal 11B was able to decrypt the ciphertext x _ench .

When the equation (19) is satisfied, the cloud storage 40 determines that the user UB of the user terminal 11B has the write authority and permits the write (step S88). On the other hand, if the equation (19) is not satisfied, the cloud storage 40 determines that the user UB of the user terminal 11B does not have the write authority and does not allow the write. Then, when the user terminal 11B obtains write permission from the cloud storage 40, the user terminal 11B updates the encrypted data _{Msgenc and} the like. Since the subsequent processing is the same as the new writing processing shown in FIG. 10, the description thereof will be omitted. With the above, the writing process is completed.

In the examples shown in FIGS. 10 and 11, a non-interactive zero-knowledge proof is used, but an interactive zero-knowledge proof may be used.

The encryption system 1 according to the modified example also has the same effect as the encryption system 1 according to the above embodiment. In this configuration, it is possible to prove to the cloud storage 40 that the user terminal 11B was able to decrypt the ciphertext x _ench without transmitting the input value x _dec to the cloud storage 40. Therefore, it is possible to improve safety.

For example, in order to improve safety, encrypted data _Msg to the user terminal performing the write request to _enc, that is sending the cloud storage 40 ciphertext _{x enc} like corresponding to the encrypted data _{Msg enc,} the user terminal The cryptosystem 1 may be configured so that it can be reliably verified. FIG. 12 is a sequence diagram showing still another example of the new write process in the encryption system shown in FIG. FIG. 13 is a sequence diagram showing still another example of the write process in the encryption system shown in FIG. Here, a case where the user terminal 11A performs new writing and the user terminal 11B writes is described.

In the new writing process shown in FIG. 12, similarly to step S41, the user UA first encrypts the desired data Msg using the user terminal 11A to generate encrypted data Msg _ench (step S91). Subsequently, the user terminal 11A prepares (generates) a one-way function f ₁ (another one-way function) and a one-way function f ₂ . Then, the user terminal 11A generates the operation result _f 1 (Msg) by entering the data Msg one-way function _{f 1,} an input value x the computation result _f 1 (Msg). Further, the user terminal 11A generates the calculation result f ₂ (x) by inputting the input value x into the one-way function f ₂ (step S92).

Subsequently, similarly to step S43, the user terminal 11A generates the ciphertext x _ench of the input value x by encrypting the input value x (step S93). Then, the user terminal 11A transmits the encrypted data Msg _ench , the ciphertext x _ench , the one-way function f ₁ , the one-way function f ₂ , and the calculation result f ₂ (x) to the cloud storage 40 (step S94). .. Cloud storage 40, the encrypted data _{Msg enc} from the user terminal 11A, the ciphertext _{x enc,} the one-way function _{f 1,} one-way function _{f 2,} and receives the operation result _f 2 (x), the encrypted data _{Msg enc,} The cipher statement x _ench , the one-way function f ₁ , the one-way function f ₂ , and the calculation result f ₂ (x) are associated with each other as one set and stored in a storage device (not shown) (step S95). As a result, the new writing process is completed.

In the write processing is shown in FIG. 13, first, the user UB is using the user terminal 11B, and transmits the write request to the cloud storage 40 for encrypted data _{Msg enc} (the update request) (step S101). The cloud storage 40 receives a write request for the encrypted data _{Msg enc} from the user terminal 11B, the encrypted data _{Msg enc} being requested, the ciphertext _{x enc} being associated with the encrypted data _{Msg enc,} unidirectional The sexual function f ₁ and the unidirectional function f ₂ are read from a storage device (not shown), and the encrypted data _Msgenc , the cipher statement x _ench , the unidirectional function f ₁ and the unidirectional function f ₂ are transferred to the user terminal 11B. Is transmitted to (step S102).

Subsequently, when the user terminal 11B receives the encrypted data _Msgenc , the ciphertext x _ench , the one-way function f ₁ and the one-way function f ₂ from the cloud storage 40, the user terminal 11B decrypts the user UB as in step S63. The encrypted data Msg _ench and the ciphertext x _ench are decrypted using the key SK _u , and the data Msg _dec (another decryption result) and the input value x _dec are obtained (step S103). Note that the policy set in the encrypted data Msg _enc, and the policy that is set to the ciphertext x _enc, may be the same as each other or may be different from each other. Policy, which is set to encrypted data _{Msg enc} is either the same as the policy that is set to the ciphertext _{x enc,} loose than the policy that is set to the ciphertext _{x enc.} In other words, the decodable user the ciphertext _{x enc} (writable user) can decrypt the encrypted data _{Msg enc} (readable).

Subsequently, the user terminal 11B verifies whether or not the ciphertext x _ench received from the cloud storage 40 is legitimate data (step S104). Specifically, the user terminal 11B inputs the data Msg _dec obtained in step S103 as an argument to the one-way function f ₁ received from the cloud storage 40, thereby inputting the calculation result f ₁ (Msg _dec ). Generate. Then, the user terminal 11B collates the calculation result f ₁ (Msg _dec ) with the input value x _dec obtained in step S103. The user terminal 11B, the two values are the same (match) in the case, it is determined that the ciphertext x _enc received from cloud storage 40 is a valid data, the input value x to the one-way function f ₂ By inputting the _dec , the calculation result f ₂ (x _dec ) is generated (step S105).

Then, the user terminal 11B transmits the calculation result f ₂ (x _dec ) to the cloud storage 40 (step S106). At this time, the user terminal 11B, and transmits the additional information for specifying the encrypted data Msg _enc requesting writing. On the other hand, in the user terminal 11B, when the calculation result f ₁ (Msg _dec ) and the input value x _dec obtained in step S103 are different from each other, the ciphertext x _ench received from the cloud storage 40 is invalid data. Is determined, and the processing after step S105 is not performed.

Subsequently, cloud storage 40 receives the operation result _f 2 _{(x dec)} from the user terminal 11B, being requested encrypted data _{Msg enc} and correlated its dependent computation result _f 2 (x) the storage (not shown) It is read from the apparatus, and the calculation result f ₂ (x) and the calculation result f ₂ (x _dec ) are collated (step S107). When the two calculation results are the same (match), the cloud storage 40 determines that the user UB of the user terminal 11B has the write authority and permits the write (step S108). On the other hand, when the two calculation results are different from each other, the cloud storage 40 determines that the user UB of the user terminal 11B does not have the write authority and does not allow the write.

Then, when the user terminal 11B obtains write permission from the cloud storage 40, the user terminal 11B updates the encrypted data _{Msgenc and} the like. Since the subsequent processing is the same as the new writing processing, the description thereof will be omitted. With the above, the writing process is completed.

The encryption system 1 according to the other modification also has the same effect as the encryption system 1 according to the embodiment. Further, in the encryption system 1 according to another modification, since the input value x is generated from the data Msg to be encrypted, in the user terminal 11B, the ciphertext x _ench received from the cloud storage 40 is the data to be encrypted. It is possible to surely confirm whether or not it corresponds to Msg, that is, whether or not the ciphertext x _ench received from the cloud storage 40 is legitimate data.

As described above, the cloud storage 40, when receiving a write request for the encrypted data _{Msg enc} from the user terminal 11B, on condition that the user terminal 11B could decrypt the ciphertext _{x enc,} encrypted data Msg to the user terminal 11B Allow writing to _ench . The method for determining whether or not the user terminal 11B has been able to decrypt the ciphertext x _ench is not limited to the example shown in FIG. 9, the example shown in FIG. 11, and the example shown in FIG.

1 ... Cryptographic system, 11A ... User terminal (first user terminal), 11B ... User terminal (second user terminal), 11C ... User terminal, 40 ... Cloud storage (storage device), UA ... User, UB ... User, UC …User.

Claims (12)

A cryptosystem that uses attribute-based cryptography
With the first user terminal
A storage device that stores the encrypted data generated by the first user terminal, and
With
The first user terminal encrypts the data to be encrypted by using the first attribute set, which is a combination of attributes having read authority, and the first encryption key of the attribute-based encryption, thereby encrypting the encrypted data. To generate
The first user terminal generates an input value and also generates an operation result by inputting the input value into a one-way function.
The first user terminal generates a ciphertext by encrypting the input value using a second attribute set which is a combination of attributes having write authority and a second encryption key of attribute-based encryption. ,
The storage device stores the ciphertext, the one-way function, and the calculation result together with the encrypted data.
When the storage device receives a write request for the encrypted data from a second user terminal having a user attribute set including one or more attributes, the storage device is subject to the condition that the second user terminal can decrypt the ciphertext. An encryption system that allows the second user terminal to write to the encrypted data. When the storage device receives a write request for the encrypted data from the second user terminal, the storage device transmits the ciphertext to the second user terminal.
The second user terminal generates a decryption result by decrypting the ciphertext, and the second user terminal generates a decryption result.
When the calculation result is obtained by inputting the decryption result generated by the second user terminal into the one-way function, the second user terminal decrypts the ciphertext in the storage device. The encryption system according to claim 1, which is determined to be completed. When the storage device receives a write request for the encrypted data from the second user terminal, the storage device further transmits the one-way function and the calculation result to the second user terminal.
The encryption according to claim 2, wherein the second user terminal verifies whether or not the ciphertext is valid data by using the decryption result, the one-way function, and the calculation result. system. The storage device generates the input value by inputting the data to be encrypted into another one-way function.
The storage device stores the other unidirectional function in addition to the encrypted data, the ciphertext, the one-way function, and the calculation result.
When the storage device receives a write request for the encrypted data from the second user terminal, the storage device further transmits the encrypted data and the other one-way function to the second user terminal in addition to the ciphertext. And
In the second user terminal, the ciphertext is legitimate data using another decryption result obtained by decrypting the encrypted data, the other one-way function, and the decryption result. The cryptosystem according to claim 2, which verifies whether or not. The encryption system according to claim 1, wherein the storage device determines whether or not the second user terminal can decrypt the ciphertext by using zero-knowledge proof. The method according to any one of claims 1 to 5, wherein when the storage device receives a read request for the encrypted data from the second user terminal, the storage device transmits the encrypted data to the second user terminal. Cryptographic system. Cryptographic data is generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read permission, and the first encryption key of attribute-based encryption.
Along with generating the input value, the calculation result is generated by inputting the input value into the one-way function.
A ciphertext is generated by encrypting the input value using a second attribute set which is a combination of attributes having write authority and a second encryption key of attribute-based encryption.
A user terminal that transmits the ciphertext, the one-way function, and the calculation result together with the encrypted data to the storage device. Cryptographic data generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read permission, and the first encryption key of the attribute-based encryption, and a unidirectional function. , The input using the calculation result obtained by inputting the input value to the unidirectional function, the second attribute set which is a combination of the attributes having the write permission, and the second encryption key of the attribute-based encryption. Get the cipher statement generated by encrypting the value,
The ciphertext, the one-way function, and the calculation result are stored together with the encrypted data.
When a write request for the encrypted data is received from the user terminal, it is determined whether or not the user terminal can decrypt the ciphertext.
A storage device that allows the user terminal to write to the encrypted data when it is determined that the user terminal has been able to decrypt the ciphertext. It is an encryption method performed by the user terminal.
A step of generating encrypted data by encrypting data to be encrypted using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption.
A step of generating an input value and a step of generating an operation result by inputting the input value into a one-way function, and
A step of generating a ciphertext by encrypting the input value using a second attribute set which is a combination of attributes having write authority and a second encryption key of attribute-based encryption.
A step of transmitting the ciphertext, the one-way function, and the calculation result to the storage device together with the encrypted data.
Cryptographic method. It is an authentication method performed by the storage device.
Cryptographic data generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read permission, and the first encryption key of the attribute-based encryption, and a unidirectional function. , The input using the calculation result obtained by inputting the input value to the unidirectional function, the second attribute set which is a combination of the attributes having the write permission, and the second encryption key of the attribute-based encryption. The cipher statement generated by encrypting the value, the steps to get it, and
A step of storing the ciphertext, the one-way function, and the calculation result together with the encrypted data.
When a write request for the encrypted data is received from the user terminal, a step of determining whether or not the user terminal can decrypt the ciphertext, and
A step of permitting the user terminal to write to the encrypted data when it is determined that the user terminal has been able to decrypt the ciphertext.
An authentication method that includes. On the computer
A step of generating encrypted data by encrypting data to be encrypted using a first attribute set which is a combination of attributes having read authority and a first encryption key of attribute-based encryption.
A step of generating an input value and a step of generating an operation result by inputting the input value into a one-way function, and
A step of generating a ciphertext by encrypting the input value using a second attribute set which is a combination of attributes having write authority and a second encryption key of attribute-based encryption.
A step of transmitting the ciphertext, the one-way function, and the calculation result to the storage device together with the encrypted data.
Cryptographic program to execute. For computer systems that include one or more computers
Cryptographic data generated by encrypting the data to be encrypted using the first attribute set, which is a combination of attributes having read permission, and the first encryption key of the attribute-based encryption, and a unidirectional function. , The input using the calculation result obtained by inputting the input value to the unidirectional function, the second attribute set which is a combination of the attributes having the write permission, and the second encryption key of the attribute-based encryption. The cipher statement generated by encrypting the value, the steps to get it, and
A step of storing the ciphertext, the one-way function, and the calculation result together with the encrypted data.
When a write request for the encrypted data is received from the user terminal, a step of determining whether or not the user terminal can decrypt the ciphertext, and
A step of permitting the user terminal to write to the encrypted data when it is determined that the user terminal has been able to decrypt the ciphertext.
Authentication program to execute.

Images