JP2021125810A - Encoding device, decoding device, encoding method, and encoding program - Google Patents

Abstract

To provide an encoding device capable of reducing the length of a cypher text when structuring a TSE by using a WIBE, a decoding device, an encoding method, and an encryption program.SOLUTION: An encoding device 1 comprises: a binarization part 11 assigning a bit stream of a d-bit to 2d numeric values; a wID collection determination part 14 that determines a collection of wild card IDs covering all of the bit streams assigned to each of the numeric values corresponding to a period in a time designation cypher in a range [L, R]; and an encoding part 17 that encodes a plain text by a wild card ID base encoding method on the basis of each of the determined wild card IDs, and outputs all of results obtained by encoding as a cypher text related to the range [L, R]. The binarization part 11 assigns 0 or 1 so that any one bit in the bit strain contained in a block on both sides is only reversed by using a division point as an axis and the other bits become symmetry when the arrangement of the numeric values is recursively divided into two parts.SELECTED DRAWING: Figure 4

Description

The present invention relates to an apparatus, method and program for constructing a time-designated encryption (TSE).

Conventionally, a method for constructing a TSE that can be decrypted only by a private key corresponding to a period (or a numerical value) included in a specified range has been proposed.
For example, Non-Patent Document 1 proposes a method for constructing TSE using ID-based encryption (IBE) (see, for example, Non-Patent Document 2).

However, in the TSE construction method using IBE, the secret key length increases according to the total number of cycles and cannot be a fixed length. Therefore, instead of IBE, a method of constructing TSE using wildcard ID-based encryption (Wibe) (see, for example, Non-Patent Documents 3 to 5) can be considered. That is, by adopting the WIBE method in which the secret key length is a fixed length, the TSE secret key has a fixed length.

K. G. Paterson and E. A. Quaglia. Time-specific encryption. In SCN 2010, volume 6280 of LNCS, pages 1-16. Springer, 2010. A. Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO 1984, volume 196 of LNCS, pages 47-53. Springer, 1984. M. Abdalla, J. Birkett, D. Catalano, AW Dent, J. Malone-Lee, G. Neven, JCN Schuldt, and NP Smart. Wildcarded identity-based encryption. Journal of Cryptology, 24 (1): 42-82 , 2011. M. Abdalla, D. Catalano, A.W. Dent, J. Malone-Lee, G. Neven, and N.P. Smart. Identity-based encryption gone wild. In ICALP 2006, volume 4052 of LNCS, pages 300-311. Springer, 2006. J. Birkett, A.W Dent, G. Neven, and J.C.N. Schuldt. Efficient chosen-ciphertext secure identity-based encryption with wildcards. In ACISP 2007, volume 4586 of LNCS, pages 274-292. Springer, 2007.

However, the trivial TSE construction method using WIBE has a problem that it is not practically convenient because the ciphertext length is long.

An object of the present invention is to provide an encryption device, a decryption device, an encryption method, and an encryption program capable of shortening the ciphertext length when constructing a TSE using WIBE.

The encryption device according to the present invention has a ^{binarization unit that assigns a d-bit bit string to each of 2 d} numerical values, and the numerical values corresponding to the period in the time-designated cipher of the range [L, R]. The plaintext is encrypted by the wildcard ID-based encryption method based on each of the wID set determination unit that determines the set of wildcard IDs that cover all of the bit strings assigned to the and the determined wildcard IDs. It is provided with an encryption unit that outputs all the results of the encryption as a ciphertext relating to the range [L, R], and the binarization unit recursively divides the sequence of numerical values into two. Only one bit of the bit string included in the blocks on both sides with the division point as the axis is inverted, and 0 or 1 is assigned so that the other bits are symmetrical.

The binarization unit may assign the bit string in which only one bit differs between adjacent numerical values in the arrangement of the numerical values.

The encryption unit may associate the numerical value with respect to the period by cyclically shifting the numerical value by a predetermined number.

The encryption device recursively divides the sequence of numerical values into two blocks, and at the start point of the largest block included in the range [L, R], the range [L, R] ] Is provided, and the wID set determination unit may determine the set of wildcard IDs for each partial range divided by the division unit.

The wID set determination unit may determine a set of wildcard IDs that covers the entire set determined for each subrange.

The decryption device according to the present invention decrypts the ciphertext encrypted by the encryption device by the wildcard ID-based encryption method.

The encryption method according to the present invention is a ^{binarization step in which a d-bit bit string is assigned to each of 2 d} numerical values, and the numerical values corresponding to the cycles in the time-designated cipher of the range [L, R]. The plaintext is encrypted by the wildcard ID-based encryption method based on each of the wID set determination step for determining the set of wildcard IDs covering all of the bit strings assigned to the and the determined wildcard IDs. The computer executes an encryption step of outputting all the results of the encryption as a ciphertext relating to the range [L, R], and in the binarization step, the sequence of the numerical values is recursively divided into two. At that time, only one bit of the bit string included in the blocks on both sides is inverted around the division point, and 0 or 1 is assigned so that the other bits are symmetrical.

The encryption program according to the present invention is for operating a computer as the encryption device.

According to the present invention, when constructing a TSE using WIBE, the ciphertext length can be shortened.

It is a figure which shows the definition of the wID condition match determination algorithm. It is a figure which illustrates the complete binary tree which the total number of leaf nodes is T about the construction method of TSE using IBE. It is a figure exemplifying a complete binary tree in which the total number of leaf nodes is T, regarding the method of constructing a trivial TSE using WIBE. It is a figure which shows the functional structure of the encryption apparatus. It is a figure which shows the definition of a binarization algorithm. It is a figure which shows the execution example of the binarization algorithm. It is a figure which shows the definition of the classification algorithm. It is a figure which shows the execution example of the classification algorithm. It is a figure which shows the definition of a division algorithm. It is a figure which shows the execution example of a division algorithm. It is a figure which shows the definition of the latter half wID set determination algorithm. It is a figure which shows the definition of the first half wID set determination algorithm. It is a figure which shows the definition of the wID union union algorithm of the first half and the second half. It is a figure which illustrates the state after execution of each of the latter half wID set determination algorithm, the first half wID set determination algorithm, and the first half wID set merge algorithm. It is a figure which shows the definition of a setup algorithm. It is a figure which shows the definition of a key generation algorithm. It is a figure which shows the definition of the encryption algorithm. It is a figure which shows the definition of a decoding algorithm. It is a figure which shows the definition of the binarization algorithm which introduced the function f and the function h. It is a figure which shows the 1st execution example which modified the binarization algorithm. It is a figure which shows the 2nd execution example which modified the binarization algorithm. It is a figure which shows the 3rd execution example which modified the binarization algorithm. It is a figure which shows the 4th execution example which modified the binarization algorithm. It is a figure which shows the definition of the latter half wID set determination algorithm which introduced the function f. It is a figure which shows the definition of the first half wID set determination algorithm which introduced the function f. It is a figure which shows the definition of the first-half wID union union algorithm which introduced the function f. It is a figure which shows the definition of the key generation algorithm which introduced the integer δ. It is a figure which shows the definition of the encryption algorithm which introduced the integer δ. It is a figure which shows the definition of the decoding algorithm which introduced the integer δ.

Hereinafter, an example of the embodiment of the present invention will be described.
In this embodiment, regarding the method of constructing time-designated cryptography (TSE), first, TSE is explained, and then ID-based cryptography (IBE) and wildcard ID-based cryptography (WIBE) are used, and the conventional self-evident using these is used. A method of constructing a TSE will be described.

[Timed encryption (TSE)]
The TSE is composed of the following four polynomial time algorithms {Setup, KGen, Enc, Dec}. Note that Dec is a deterministic algorithm, and other than that, it is a probabilistic algorithm.

^{As λ} ∈ N (natural number), 1 λ is a security parameter that determines the secret key length and the like. T ∈ N represents the total number of cycles.
The setup algorithm Setup receives (1 ^λ , 1 ^T ) as input and outputs the system public key mpk and the master private key msk. This is expressed as (mpk, msk) ← Setup (1 ^λ , 1 ^T ).
This Setup algorithm is executed by a trusted third party (Trusted Authority, TA). The master private key msk is kept secret by TA. Further, the system public key mpk is input to three algorithms {KGen, Enc, Dec}.

The key generation algorithm KGen receives the master secret key msk and the period (or numerical value) t ∈ [0, T-1] as inputs, and outputs the _{secret key sk t.} This is _expressed as sk t ← KGen (msk, t).
This key generation algorithm KGen is executed by TA using msk. The generated private key sk _t shall be assigned to the key owner by certain secure means.

The encryption algorithm Enc receives the plaintext m ∈ M (plaintext space) and the range [L, R] ⊆ [0, T-1] as inputs, and outputs the _{ciphertext C [L, R].} This is expressed as C _{[L, R]} ← Enc (m, [L, R]).

The decryption algorithm Dec receives the private key sk _t and the ciphertext C _{[L, R]} as inputs, and outputs the plaintext m ∈ M or the special symbol ⊥ meaning that decryption is not possible. This is expressed as m / ⊥ ← Dec (sk _t , C _{[L, R]).}

Here, it is assumed that any TSE method must be correct. TSE method Σ _TSE = {Setup, KGen, Enc, Dec} is valid when a certain plaintext m is correctly encrypted under a certain range [L, R]. This refers to the case where the correct decryption can be performed by using the correctly created private key as the key corresponding to the period t ∈ [L, R] included in. The strict definition of legitimacy is as follows.
∀λ, T ∈ N, ∀ (mpk, msk) ← Setup (1 ^λ , 1 ^T ), ∀t ∈ [0, T-1], ∀sk _t ← KGen (msk, t), ∀m ∈ M, ∀ [L, R] ⊆ [0, T-1] s. t. t ∈ [L, R], ∀C _{[L, R]} ← Enc (m, [L, R]), m ← Dec (sk _t , C _{[L, R]} ).

In addition, the following safety that the TSE method should satisfy is assumed.
-No polynomial time attacker can obtain any information (even 1-bit information) about the plaintext m from the ciphertext _{C [L, R]} under a certain plaintext m range [L, R].
It is assumed that the attacker can freely obtain the private key corresponding to any cycle not included in [L, R].

[ID-based cryptography (IBE)]
The IBE is composed of the following four polynomial time algorithms {Setup, KGen, Enc, Dec}.
Incidentally, N∈N (natural number) represents the ID total, the ID space, denoted as ^{{0, 1} logN.} Further, in the present embodiment, the base of the logarithmic log is 2.

The setup algorithm Setup receives (1 ^λ , 1 ^N ) as input and outputs mpk and msk. This is expressed as (mpk, msk) ← Setup (1 ^λ , 1 ^N ).

The key generation algorithm KGen receives msk and ID ∈ {0,1} ^{log N} as inputs and outputs the private key sk _ID. This is _{expressed as sk ID} ← KGen (msk, ID).

Encryption algorithm Enc receives a plaintext M∈M, and ID∈ ^{{0,1} logN} as input, and outputs the ciphertext _{C ID.} This _{is expressed as C ID} ← Enc (m, ID).

Decryption algorithm Dec receives as input a secret key sk _t ciphertext C _ID, and outputs the special symbols ⊥ meaning plaintext m∈M or decoding impossible. This is expressed as m / ⊥ ← Dec (sk _t , C _ID).

Here, it is assumed that any IBE method must be correct. IBE method Σ _IBE = {Setup, KGen, Enc, Dec} is valid when a certain plaintext m is correctly encrypted under a certain ID, and this ciphertext is used as the key corresponding to the ID. The case where it is correctly decrypted by a properly created private key. The strict definition of legitimacy is as follows.
∀λ, N∈N (natural number), ∀ (mpk, msk) ← Setup (1 λ, 1 N), ∀ID∈ {0,1} logN, ∀sk ID ← KGen (msk, ID), ∀m∈ M, ∀C _ID ← Enc (m, ID), m ← Dec (sk _ID , C _ID ).

[Wildcard ID-based cryptography (WIBE)]
WIBE is composed of the following four polynomial time algorithms {Setup, KGen, Enc, Dec}.
Incidentally, N∈N (natural number) represents the ID total, the ID space, denoted as ^{{0, 1} logN.} Furthermore, wildcards ID (wID) space, denoted as ^{{0,1, *} logN.}

The setup algorithm Setup receives (1 ^λ , 1 ^N ) as input and outputs mpk and msk. This is expressed as (mpk, msk) ← Setup (1 ^λ , 1 ^N ).

The key generation algorithm KGen receives msk and ID ∈ {0,1} ^{log N} as inputs and outputs the private key sk _ID. This is _{expressed as sk ID} ← KGen (msk, ID).

Encryption algorithm Enc receives a plaintext ^m∈M, wID∈ {0,1, ^*} and ^logN as input, and outputs the ciphertext _{C wID.} This is _expressed as C wID ← Enc (m, wID).

The decryption algorithm Dec receives the private key sk _ID and the ciphertext C _{wID as inputs, and outputs the plaintext m ∈ M} or the special symbol ⊥ meaning that decryption is not possible. This is expressed as m / ⊥ ← Dec (sk _ID , C _wID).

Here, regarding the WIBE method, the wID condition match determination algorithm Match is defined as follows.

Figure 1 is a diagram showing the definition of wID condition matching determination algorithm _{Match logN.}
Match _logN receives as input ID∈ ^{{0,1} logN} and wID∈ ^{{0,1, *} logN,} true if the ID matches the condition of wID, and outputs a false if not met. This will be referred to _{true / false ← Match logN (ID} , wID) and.

It is assumed that any WIBE method must be correct. WIBE method Σ _WIBE = {Setup, KGen, Enc, Dec} is valid when a certain plaintext m is correctly encrypted under a certain wID, and this ciphertext is an ID that satisfies the condition of wID. This refers to the case where the private key correctly created as the key corresponding to is decrypted correctly. The strict definition of legitimacy is as follows.
∀λ, N∈N (natural number), ∀ (mpk, msk) ← Setup (1 λ, 1 N), ∀ID∈ {0,1} logN, ∀sk ID ← KGen (msk, ID), ∀m∈ ^{M, ∀wID∈ {0,1, *}} logN s. t. _{true ← Match logN (ID, wID} ), ∀C wID ← Enc (m, wID), m ← Dec (sk ID, C wID).

[Construction method of TSE using IBE]
The method for constructing TSE using IBE as a black box proposed in Non-Patent Document 1 is as follows.
First, let T ∈ N be the total number of cycles.

FIG. 2 is a diagram illustrating a complete binary tree in which the total number of leaf nodes is T, regarding the method of constructing TSE using IBE.
Here, the case of T = 8 is illustrated.
Each leaf node shall correspond to each cycle. Specifically, leaf node _{b t} ∈ ^{{0,1} logT} corresponds to the period ^{_{Σ i = 0 logT-1 2}} i b t [i] ∈ [0, T-1].
In the present embodiment, for the bit string ^{b ∈ {0,1} N} , b [i] represents the i ∈ [0, N-1] bit of b.

Hereinafter, the i∈ [0, logT-1] , b t, i: = b t [logT-1] || ... and _{‖b t [logT-1-i} ]. Further, _{bt, -1} : = φ.
For node b ∈ {0,1} ^{≤ logT} _{, let Anc} logT be a deterministic function that receives b as input and outputs a set of leaf nodes corresponding to the descendants of b. For example, Anc ₃ (0) = {000,001,010,011}, Anc ₃ (11) = {110,111}.
Further, the deterministic function Cover _logT receives a range [L, R] satisfying 0 ≦ L ≦ R ≦ T-1 as an input, and a node set Cover _logT ([L, R]) = {b that satisfies the following conditions. Output ∈ {0,1} ^{≤ logT} }.
{∪ _{b ∈ Cover_logT ([L, R])} Anc (b)} = [L, R], and the number of elements in the set | Cover _logT ([L, R]) | is the minimum.
For example, Cover ₃ ([1,3]) = {001,01}, Cover ₃ ([1,6]) = {001,01,10,110}.

The secret key of the period t ∈ [0, T-1] is sk _t : = {sk _{t, i} : = IBE. It is generated by KGen (msk, bt _{, i} ) | i ∈ [-1, logT-1]}. The ciphertext of the plaintext m on the range [L, R] is C _{m, [L, R]} : = {C _{m, b} : = IBE. It is generated by Enc (m, b) | b ∈ Cover _logT ([L, R])}.

The procedure for decrypting the ciphertexts C _{m and [L, R] using} the private key sk _{t is as follows.}
First, if t ∈ [L, R], then a certain i ∈ [-1, logT-1] exists, and bt _{, i ∈ Cover logT} ([L, R]) holds. Secret key sk _t and ciphertext _{C m,} denoted _{[L, R] b t} in _the partial private key and partial ciphertext corresponding to _{i, sk t, i,} and _{C m, bt, i)} and. Using these, m / ⊥ ← IBE. Dec (sk _t , C _{m, bt, i} ) is used as the decoding result.

[Trivial construction method of TSE using WIBE]
In the above-mentioned method of constructing TSE using IBE, the secret key sk _{t in} each period t is composed of log T + 1 (IBE method Σ _IBE ^{T with} a total number of IDs T) secret key. When the secret key length of the IBE method Σ _IBE ^T _{is expressed as K (Σ IBE} ^T ), the secret key length of the TSE is expressed by (log ^T _{+ 1) and K (Σ IBE} T). That is, the secret key length of TSE is increased linearly for at least log T + 1, even if the K (Σ _IBE ^T) is a fixed-length secret key length of TSE is not be a fixed length.
In order to solve this problem, a trivial method of constructing TSE using WIBE instead of IBE can be considered.

FIG. 3 is a diagram illustrating a complete binary tree in which the total number of leaf nodes is T for a trivial TSE construction method using WIBE.
In this binary tree, a shortage of wildcard bits (*) is added to the end of a node whose bit length is less than logT, as compared with the case of the TSE construction method using IBE (FIG. 2). _{Further, the secret key sk t of} the period t ∈ [0, T-1] is sk _t : = WIBE. It is generated by KGen (msk, t) and consists of only a single WIBE private key as a component.
Therefore, the secret key length according to this construction method is represented by _{K (Σ WIBE} ^T). That is, by adopting the WIBE method in which the secret key length is a fixed length as a component, the secret key length of the TSE can be made a fixed length.

Here, in the trivial TSE construction method using WIBE, the bit lengths of the _{ciphertexts C m and [L, R] in the range [L, R] are Σ b ∈ Cover_logT (L, R)} | C _m, It is written as _{b |.} However, C _{m, b} : = WIBE. Enc (m, b).
This trivial TSE construction method does not fully utilize the properties of WIBE, leaving room for shortening the ciphertext length by devising the construction method. In the present embodiment, a non-trivial construction method is shown in which _{the ciphertext length | Cm, [L, R]} | is shorter for the entire range [L, R] as compared with the trivial construction method.

[First construction method of non-trivial TSE using WIBE]
In the non-trivial TSE construction method using WIBE in the present embodiment, the TSE method {TSE. Setup, TSE. KGen, TSE. Enc, TSE. Dec} is the WIBE method {WIBE. Setup, WIBE. KGen, WIBE. Enc, WIBE. It is constructed using Dec} and six auxiliary algorithms {Binarise _logT , Classify _logT , Divide _logT , Later_WID _logT , Former_WID _logT , Merge _logT}.
Hereinafter, the functional configuration of the encryption device 1 that realizes the non-trivial TSE configuration method will be shown, and subsequently, the auxiliary algorithm and the configured TSE method algorithm will be described.

FIG. 4 is a diagram showing a functional configuration of the encryption device 1.
The encryption device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control unit 10 and a storage unit 20, as well as various data input / output devices and communication devices.

The control unit 10 is a part that controls the entire encryption device 1, and realizes each function in the present embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for various programs (encryption programs) for making the hardware group function as the encryption device 1 and various data, and is a ROM, RAM, flash memory, hard disk drive (HDD), or the like. It may be there.

The control unit 10 includes a binarization unit 11, a classification unit 12, a division unit 13, a wID set determination unit 14, a setup unit 15, a key generation unit 16, an encryption unit 17, and a decryption unit 18. And.
Further, the wID set determination unit 14 includes a second half wID set determination unit 141, a first half wID set determination unit 142, and a first half wID set merge unit 143.

FIG. 5 is a diagram showing a definition of the _{binarization algorithm Binarize logT.}
The binarization unit 11 receives the period t ∈ [0, T-1] (or t ∈ {0, 1} ^logT ) as an input by the binarization algorithm, and is not necessarily a binary bit string corresponding to t. Outputs a special bit string b ∈ {0,1} ^logT that does not match. In the figure, d = logT.

FIG. 6 is a diagram showing an execution example of the binarization algorithm.
Here, T = 32, and the correspondence between the input period t ∈ [0,31] and the output bit string (binary numerical value) b ∈ {0,1} ^{5 is shown.}

The output bit string is different from the binary bit string corresponding to t and has the following characteristics.
-Only one bit is different between adjacent t.
-When the ascending order of t is recursively divided into two, the arrangement of the divided left and right bit strings is symmetrical except for one bit.

FIG. 7 is a diagram showing a definition of the _{classification algorithm Classify logT.}
The class classification unit 12 receives the period t ∈ [0, T-1] as an input and outputs the class number i ∈ [0, logT] by the class classification algorithm. Specifically, when t = 0, logT is output, and when t ∈ [1, T-1], ⁱ ∈ [0, logT-1] satisfying ^{t mod 2 i + 1} = 2 i is output.

FIG. 8 is a diagram showing an execution example of the classification algorithm.
Here, the output in the case of T ∈ {4,8,16,32} is shown.
When the ascending order of t is recursively divided into two, the leftmost class number -1 of the leftmost block is assigned to the leftmost t of the divided right block. As a result, the leftmost class number becomes the maximum in the block of the bit string that is symmetrical except for one bit.

FIG. 9 is a diagram showing a definition of the _{division algorithm Divide logT.}
The division unit 13 uses a division algorithm to satisfy [L, R] (when L> R, [L, T-1] ∪] satisfying L ∈ [0, T-1] and R ∈ [0, T-1]. [0, R]) is received as an input, and the division point D ∈ [L, R] that divides this range into the first half range [L, D-1] and the second half range [D, R] is output.
The division point D is the numerical value having the largest class number among the numerical values in the range [L, R]. That is, it is divided into two by the division of the largest block included in the range [L, R]. If L> R, then D = 0.

FIG. 10 is a diagram showing an execution example of the division algorithm.
Here, T = 32, and the division points in the case of [L, R] ∈ {[0,30], [9,30], [1,30], [2,0]} are indicated by Δ, respectively. ing.
For example, when the range is [0,30], the division point D = 0 with the class number 5, and when the range is [9,30] and [1,31], the division point D = with the class number 4. 16. When the range is [2,0], the division point D = 0 having the class number 5 is output.

が存在し、以下の２つの条件を満たす。 FIG. 11 is a diagram showing a definition of the latter half wID set determination algorithm Later_WID _logT.
The latter half wID set determination unit 141 receives the latter half range [D, R] as an input by the latter half wID set determination algorithm, and sets wID set T _{[D, R]} = {wID _i | i ∈ [1, n ₁ ]}. Output. All T ∈ N s. t. _{When D ← Divide logT} (L, R) is set for all L and R satisfying logT ∈ N and L ∈ [0, T-1] and R ∈ [0, T-1],

Exists and satisfies the following two conditions.

（２）全てのｉ∈［１，ｎ_１］について、あるｗＩＤｉ∈｛０，１，＊｝^ｌｏｇＴが存在し、ｗＩＤ_ｉは以下を満たす。
・｜ｗＩＤ_ｉ｜_＊＝ｋ_ｉ．
・後半範囲［Ｄ，Ｒ］の部分範囲である、

をカバーする。 (1) The latter half range [D, R] can be expressed as follows as a set of the above-mentioned blocks consisting of ^{2 k numerical values.}

(2) For all i ∈ [1, n ₁ ], a certain wIDi ∈ {0,1, *} ^logT exists, and wID _i satisfies the following.
・ ｜ wID _i ｜ _* = k _i .
・ It is a partial range of the latter half range [D, R].

Cover.

である。
また、「ｗＩＤ∈｛０，１，＊｝^ｌｏｇＴが［ｘ，ｙ］⊆［０，Ｔ−１］をカバーする」とは、［０，Ｔ−１］に含まれる全数値のうち、範囲［ｘ，ｙ］に含まれる数値に対応する二進数数値のみが、ｗＩＤの条件を満たす場合をいう。 However, for wID ∈ {0,1, *} ^logT , | wID | _* ∈ [0, logT] represents the total number of wildcard bits. in short,

Is.
Further, "wID ∈ {0,1, *} ^{logT covers} [x, y] ⊆ [0, T-1]" means that the range of all the numerical values included in [0, T-1] is ranged. This refers to the case where only the binary numerical value corresponding to the numerical value included in [x, y] satisfies the wID condition.

が存在し、以下の２つの条件を満たす。 FIG. 12 is a diagram showing a definition of the first half wID set determination algorithm Former_WID _logT.
The first half wID set determination unit 142 receives the first half range [L, D-1] as an input by the first half wID set determination algorithm, and wID set T _{[L, D-1]} = {wID _i | i ∈ [n ₁ + 1]. , N ₂ ]} is output. All T ∈ N s. t. _{When D ← Divide logT} (L, R) is set for all L and R satisfying logT ∈ N and L ∈ [0, T-1] and R ∈ [0, T-1],

Exists and satisfies the following two conditions.

（２）全てのｉ∈［ｎ_１＋１，ｎ_２］について、あるｗＩＤ_ｉ∈｛０，１，＊｝^ｌｏｇＴが存在し、ｗＩＤ_ｉは以下を満たす。
・｜ｗＩＤ_ｉ｜_＊＝ｋ_ｉ．
・ｗＩＤ_ｉは、前半範囲［Ｌ，Ｄ−１］の部分範囲である、

をカバーする。 (1) The first half range [L, D-1] can be expressed as follows as a set of the above-mentioned blocks consisting of ^{2 k numerical values.}

(2) For all _{i ∈ [n 1} + 1, n ₂ ], a certain wID i ∈ {0,1, *} ^logT exists, and wID _i satisfies the following.
・ ｜ wID _i ｜ _* = k _i .
-WID _i is a partial range of the first half range [L, D-1].

Cover.

FIG. 13 is a diagram showing a definition of the first-second union union union algorithm Merge _logT.
The first and second half wID set union unit 143 receives the first and second half wID sets T _{[D, R]} and T _{[L, D-1]} by the first and second half wID set merge algorithm, and outputs the wID set T _{[L, R].} ..

このとき、全てのｉ∈［１，ｎ^＊］について、以下の条件を満たすｗＩＤ′_ｉ∈｛０，１，＊｝^ｌｏｇＴが存在する。
・｜ｗＩＤ′_ｉ｜_＊＝ｋ_ｉ＋１＝ｋ_ｎ１＋ｉ＋１．
・ｗＩＤ′_ｉは、ｗＩＤ_ｉとｗＩＤ_ｎ１＋ｉによりカバーされる各範囲の和集合により定義される範囲、すなわち、

をカバーする。 First, a natural number n ^* that satisfies the following conditions is defined.

At this time, for all _i ^{∈ [1, n *} ], there exists a ^wID'i ∈ {0,1, *} logT that satisfies the following conditions.
_{· | WID 'i | * =} k i + 1 = k n1 + i +1.
· WID _'i, the range defined by the union of the range covered by wID _i and _{wID n1 + i,} i.e.,

Cover.

FIG. 14 is a diagram illustrating the states after execution of the latter half wID set determination algorithm, the first half wID set determination algorithm, and the first half wID set merge algorithm.
Here, the cases of T = 32, [L, R] = [1,30], and D = 16 are illustrated, and Step 1 shows an execution example (FIG. 10) of the division algorithm.

In the latter half wID set determination algorithm, T _{[D, R]} : = {wID _i | i ∈ [1, n ₁ ]} is output.
In the case of the execution example shown in Step 2, the period t to which the same number is assigned in the figure is covered by a ^{single wID ∈ {0,1, *} 5.} Specifically, n ₁ = 4, k ₁ = 3, k ₂ = 2, k ₃ = 1, k ₄ = 0, wID ₁ = 11 ***, wID ₂ = 101 **, wID ₃ = 1001 * , WID ₄ = 10001. As a result, T _[16,30] = {wID ₁ , wID ₂ , wID ₃ , wID ₄ } = {11 ***, 101 **, 1001 *, 10001} is output.

In the first half wID set determination algorithm, T _{[L, D-1]} : = {wID _i | i ∈ [n ₁ + 1, n ₂ ]} is output.
In the case of the execution example shown in Step 3, the period t to which the same number is assigned in the figure is covered by a ^{single wID ∈ {0,1, *} 5.} Specifically, n ₂ = 4, n ₁ + n ₂ = 8, k ₅ = 3, k ₆ = 2, k ₇ = 1, k ₈ = 0, wID ₅ = 01 ***, wID ₆ = 001 * *, WID ₇ = 0001 *, wID ₈ = 000001. As a result, T _[ 1,15] = {wID ₅ , wID ₆ , wID ₇ , wID ₈ } = {01 ***, 001 **, 0001 *, 00000} is output.

が出力される。
Ｓｔｅｐ４に示す実行例の場合、図中で同一の数字が割り当てられた周期ｔは、単一のｗＩＤ∈｛０，１，＊｝^５によりカバーされる。具体的には、ｎ^＊＝４，ｗＩＤ′_１＝＊１＊＊＊，ｗＩＤ′_２＝＊０１＊＊，ｗＩＤ′_３＝＊００１＊，ｗＩＤ′_４＝＊０００１である。結果として、Ｔ_{［１，３０］}＝｛ｗＩＤ′_１，ｗＩＤ′_２，ｗＩＤ′_３，ｗＩＤ′_４｝＝｛＊１＊＊＊，＊０１＊＊，＊００１＊，＊０００１｝である。 In the first and second half wID union union algorithm,

Is output.
In the case of the execution example shown in Step 4, the period t to which the same number is assigned in the figure is covered by a ^{single wID ∈ {0,1, *} 5.} Specifically, n ^* = 4, wID ′ ₁ = * 1 ***, wID ′ ₂ = * 01 **, wID ′ ₃ = * 001 *, wID ′ ₄ = * 0001. As a result, T _[ 1,30] = {wID ′ ₁ , wID ′ ₂ , wID ′ ₃ , wID ′ ₄ } = {* 1 ***, * 01 **, * 001 *, * 0001}.

FIG. 15 shows the setup algorithm TSE. It is a figure which shows the definition of Setup.
The setup unit 15 executes the above-mentioned WIBE method setup algorithm as the setup algorithm.

FIG. 16 shows the key generation algorithm TSE. It is a figure which shows the definition of KGen.
The key generation unit 16 uses the above-mentioned WIBE-type key generation algorithm by the key generation algorithm to generate a secret key corresponding to _{ID: = Binarize logT (t).}

FIG. 17 shows the encryption algorithm TSE. It is a figure which shows the definition of Enc.
_{The encryption unit 17 executes} Divide logT, Later_WID _logT , Former_WID _logT , and Merge _logT in order by the encryption algorithm, and derives the _{wID set T [L, R]} corresponding to the range [L, R]. After that, the encryption unit 17 encrypts the plaintext m by the WIBE encryption algorithm under each wID in the set, and all of these ciphertexts are used as the plaintext m ciphertexts related to the range [L, R]. Output.

FIG. 18 shows the decoding algorithm TSE. It is a figure which shows the definition of Dec.
_{Let t} ∈ [0, T-1] be the period associated with the private key sk _{t, and let [L, R]} be the range associated with the ciphertext C [L, R]. Further, ID: = Binarize _logT (t). If t ∈ [L, R], true ← WIBE. There is _definitely a wID ∈ {0,1, *} ^logT that satisfies the Match logT (ID, wID) in the set T _{[L, R]} .
The decoding unit 18 uses a decoding algorithm to set the _{ciphertext element in C [L, R]} corresponding to this wID as C, and outputs the result of decoding _{C by the WIBE decoding algorithm using sk t.}

According to the non-trivial TSE construction method using WIBE according to the present embodiment, the following effects can be expected as compared with the trivial TSE construction method.

First, in the non-trivial TSE construction method using WIBE, the wID set created in the execution process of the encryption process is T _{[D, R]} , T _{[L, D-1]} , T _{[L, R].} Notated as. On the other hand, the wID set in the trivial TSE construction method using WIBE is expressed as T' _{[L, R]} .
_{At this time, T [D, R]} ∪T _{[L, D-1]} and T' _{[L, R]} are structurally equivalent for any L, R, D. ^{That is, if there is a wID ∈ {0,1, *} logT} that covers a partial range [l, r] ⊆ [L, R] with [L, R] in one set, then the other set also There is a wID'∈ {0,1, *} ^logT that covers the same subrange.

が成り立つ。したがって、Ｔ_{［Ｄ，Ｒ］}∪Ｔ_{［Ｌ，Ｄ−１］}をもとにして作られるＷＩＢＥ暗号文の長さと、Ｔ′_{［Ｌ，Ｒ］}をもとにして作られるＷＩＢＥ暗号文の長さとは等価になる。
さらに、Ｔ_{［Ｌ，Ｒ］}をもとにして作られるＷＩＢＥ暗号文の長さと、Ｔ_{［Ｄ，Ｒ］}∪Ｔ_{［Ｌ，Ｄ−１］}をもとにして作られるＷＩＢＥ暗号文の長さは、前者の方がいかなる［Ｌ，Ｒ］に関しても、より短くなるか、等価になる。 In addition, any T, L, R, D, any plaintext m, and any WIBE method are created based on two structurally equivalent wID sets T _{[L, R]} and T' _{[L, R].} The lengths of the WIBE ciphertexts that are created are equivalent. in short,

Is established. Therefore, _{the length of the WIBE ciphertext created based on T [D, R]} ∪T _{[L, D-1]} and the length of the WIBE ciphertext created based on T' _{[L, R].} Is equivalent to.
Furthermore, _{the length of the WIBE ciphertext created based on T [L, R]} and the length of the WIBE ciphertext created based on T _{[D, R]} ∪T _{[L, D-1].} Is shorter or equivalent for any [L, R] in the former.

Depending on [L, R], both wID sets are equivalent (for example, [9,30], [2,0] in FIG. 10). In such a case, the WIBE ciphertext lengths created based on each wID set are equivalent.
On the other hand, both wID sets may not be equivalent (for example, [0,30], [1,30] in FIG. 10). In such a case, the WIBE ciphertext length created based on each wID set is shorter in the former.

The ciphertext length is relatively short when L and R are symmetrically located with respect to D. This corresponds to, for example, [1,30] in FIG. In addition, for example, when T = 32, there are many examples such as [1,14], [17,22], [15,16]. In these cases, the bit length of the ciphertext is halved or almost halved.

Here, when the existing WIBE method is classified by paying attention to the ciphertext length, a method in which the ciphertext length ^{is fixed for any wID ∈ {0,1, *} N} (for example, Non-Patent Document 3-4). Boneh-Boyen WIBE method and Waters WIBE method) and a method in which the ciphertext length _{increases linearly with respect to | wID | *} ∈ {0,1, *} ^N (for example, Boneh-Boyen in Non-Patent Document 3-4). -Goh WIBE method) and can be roughly divided into two types. According to the present embodiment, in the former case, the bit length of the ciphertext is exactly halved, and in the latter case, it is almost halved.

As described above, the non-trivial TSE construction method using WIBE according to the present embodiment is specifically produced as a result of determining the WIBE method to be used as compared with the trivial TSE construction method using WIBE. The ciphertext length of the TSE method becomes shorter. Specifically, for the entire range [L, R], the length of the ciphertext for that range is shorter or equivalent and never longer.

Further, the encryption device 1 can efficiently determine the wID set in each subrange by dividing the range [L, R] into the first half and the second half.
Further, the encryption device 1 may be able to reduce the wID set by determining the wID set that covers the wID set obtained for each subrange. As a result, the ciphertext can be expected to be shortened.

[Second construction method of non-trivial TSE using WIBE]
This embodiment is effective not only for the bit pattern corresponding to the period t shown in FIG. 6 but also for various bit patterns. For example, it is effective for all patterns obtained by executing any one of the following three operations or an operation in which a plurality of the bit patterns in FIG. 6 are combined.
1. 1. Swap multiple lines.
2. Replace 0 and 1 in each line.
3. 3. All columns are cyclically shifted to the right for a certain number of minutes.

In order to define these operations strictly, we introduce the function f, the function h, and the integer δ.
For example, the bit pattern of FIG. 6 is obtained by executing _{Binarize 5} of FIG. 5 for all t ∈ [0, T-1] when T = 32. Similarly, for any T (where logT is a natural number), the correspondence between the period t ∈ [0, T-1] and the binary number b ∈ {0,1} ^{logT as shown in FIG.} You can ask for a relationship.

In the correspondence between t and b obtained in this way, different (0,1) patterns are assigned to each bit of b. The patterns (0 and 1) have a total of b bit number (logT) types, and the switching interval (frequency) between 0 and 1 is different for each type. Strictly ^speaking, the lowest frequency of the pattern is switched in ^{2 log T-1 interval,} the pattern is switched in ^{2 log T-1} interval after switching by ^{2 log T-2} interval, ..., pattern switched at 4 intervals after switching at two intervals, 1 There is the most frequent pattern that switches at two intervals after switching at intervals.

The bijective function f: {0,1, ..., logT-1} → {0,1, ..., logT-1} defines which (0,1) pattern each bit is assigned to. Specifically, the bit i ∈ {0,1, ..., logT-1} is first changed to a pattern (0,1) in which f (i) ∈ {0,1, ..., logT-1} is switched at intervals. assign.

The function h: {0,1, ..., logT-1} → {0,1} sets the initial value of the pattern (0,1) in each bit i ∈ {0,1, ..., logT-1}. , 0 or 1 is defined.

The integer δ ∈ {0, ..., T-1} is the binary value b = h [logT-1] ‖h [logT-2] ‖… ‖h [1] ‖h [0], which period t∈ Define the shift amount to be associated with {0, ..., T-1}.

FIG. 19 is a diagram showing the definition of the _{binarize logT in which} the function f and the function h are introduced.
The binarization unit 11 receives the period t ∈ [0, T-1] (or t ∈ {0, 1} ^logT ) as an input by the binarization algorithm, and does not necessarily match the binary bit string corresponding to t. Does not output a special bit string b ∈ {0,1} ^logT. In the figure, d = logT.

Although the integer δ is not considered in this definition, t is cyclically shifted to the right by δ by inputting ^{t-δ mod 2 d instead of t when calling the binarization algorithm.} Correspondence can be obtained.

For example, the execution example of FIG. 6 is
T: = 32
f ({0,1,2,3,4}): = {0,1,2,3,4}
h ({0,1,2,3,4}): = {0,0,0,0,0}
δ: = 0
The correspondence between the period t ∈ [0,31] determined by the above and the binary numerical value b ∈ {0,1} ^{5 is shown.}

FIG. 20 is a diagram showing a first execution example in which the binarization algorithm is modified.
This example shows the correspondence between t and b obtained by changing only the function f as follows with respect to the execution example of FIG.
f ({0,1,2,3,4}): = {4,3,2,1,0}

FIG. 21 is a diagram showing a second execution example in which the binarization algorithm is modified.
This example shows the correspondence between t and b obtained by changing only the function h as follows with respect to the execution example of FIG.
h ({0,1,2,3,4}): = {1,1,1,1,1}

FIG. 22 is a diagram showing a third execution example in which the binarization algorithm is modified.
This example shows the correspondence between t and b obtained by changing only the integer δ as follows with respect to the execution example of FIG.
δ: = 3

FIG. 23 is a diagram showing a fourth execution example in which the binarization algorithm is modified.
This example shows the correspondence between t and b obtained by changing the function f, the function h, and the integer δ as follows with respect to the execution example of FIG.
f ({0,1,2,3,4}): = {3,2,0,4,1}
h ({0,1,2,3,4}): = {0,1,1,0,0}
δ: = 15

Regarding the classification algorithm Classify _logT and the division algorithm Divide _logT, there is no change from the first construction method described above, but the input t, L, and R parameters are shifted by δ as in the binarization algorithm. Value.

FIG. 24 is a diagram showing the definition of the latter half wID set determination algorithm Later_WID _{logT in which the function f is introduced.}
Here, the reference destination of the bit position of wID is replaced by the function f.

FIG. 25 is a diagram showing the definition of the first half wID set determination algorithm Former_WID _{logT in which the function f is introduced.}
Here, as in the latter half wID set determination algorithm, the reference destination of the bit position of wID is replaced by the function f.

FIG. 26 is a diagram showing the definition of the first- _{second union union union algorithm Merge logT} in which the function f is introduced.
Here, as in the latter half wID set determination algorithm and the first half wID set determination algorithm, the reference destination of the bit position of wID is replaced by the function f.

Setup algorithm TSE. Regarding Setup, there is no change from the first configuration method described above, that is, the WIBE method setup algorithm.

FIG. 27 shows a key generation algorithm TSE. It is a figure which shows the definition of KGen.
The key generation unit 16 uses the above-mentioned WIBE-type key generation algorithm by the key generation algorithm to generate a secret key corresponding to _{ID: = Binarize logT} (t-δ mod 2 ^d).

FIG. 28 shows an encryption algorithm TSE. It is a figure which shows the definition of Enc.
_{The encryption unit 17 executes} Divide logT, Later_WID _logT , Former_WID _logT , and Merge _logT in order by the encryption algorithm, and derives the _{wID set T [L, R]} corresponding to the range [L, R]. At this time, as described above, the encryption unit 17 passes the values obtained by shifting L and R by δ as parameters, so that the wID set _{[L] based on the correspondence between t and b that have been sequentially shifted. , R]} is obtained.
After that, the encryption unit 17 encrypts the plaintext m under each wID in the set, and outputs all of these ciphertexts as the ciphertext of the plaintext m relating to the range [L, R].

FIG. 29 shows a decoding algorithm TSE. It is a figure which shows the definition of Dec.
The decryption unit 18 sets the ciphertext element in _{CL and R} corresponding to the wID matching the ID as C by the decryption algorithm, and outputs the result of decoding _{C by sk t.}
At this time, the decoding unit 18 inputs a value shifted by δ with respect to the auxiliary algorithm as described above.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. Moreover, the effects described in the above-described embodiments are merely a list of the most preferable effects arising from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

The encryption method by the encryption device 1 is realized by software. When realized by software, the programs that make up this software are installed in the information processing device (computer). Further, these programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Further, these programs may be provided to the user's computer as a Web service via a network without being downloaded.

1 Encryption device (decryption device)
10 Control unit 11 Binarization unit 12 Class classification unit 13 Division unit 14 wID set determination unit 15 Setup unit 16 Key generation unit 17 Encryption unit 18 Decryption unit 20 Storage unit 141 Second half wID set confirmation unit 142 First half wID set confirmation unit 143 First and second half wID collective merger

Claims (8)

A binarizer that assigns a bit string of d bits to each of ^{2 d numbers,}
A wID set determination unit that determines a set of wildcard IDs that covers all of the bit strings assigned to each of the numerical values corresponding to the cycles in the time-designated cipher of the range [L, R].
Based on each of the determined wildcard IDs, a plaintext is encrypted by a wildcard ID-based encryption method, and all the results of the encryption are output as a ciphertext related to the range [L, R]. , Equipped with
When the binarization unit recursively divides the sequence of numerical values into two, only one bit of the bit string included in the blocks on both sides with the division point as the axis is inverted, and the other bits are symmetrical. An encryption device that assigns 0 or 1 so as to be. The encryption device according to claim 1, wherein the binarization unit allocates the bit string in which only one bit differs between adjacent numerical values in the arrangement of the numerical values. The encryption device according to claim 1 or 2, wherein the encryption unit cyclically shifts the numerical value by a predetermined number with respect to the cycle and associates the numerical value with the cycle. A division portion that divides the range [L, R] at the start point of the largest block included in the range [L, R] among the blocks obtained when the sequence of numerical values is recursively divided into two. With
The encryption device according to any one of claims 1 to 3, wherein the wID set determination unit determines a set of wildcard IDs for each partial range divided by the division unit. The encryption device according to claim 4, wherein the wID set determination unit determines a set of wildcard IDs that covers the entire set determined for each subrange. A decryption device that decrypts a ciphertext encrypted by the encryption device according to any one of claims 1 to 5 by the wildcard ID-based encryption method. A binarization step that assigns a bit string of d bits to each of ^{2 d numbers,}
A wID set determination step for determining a set of wildcard IDs covering all of the bit strings assigned to each of the numerical values corresponding to the period in the time-designated cipher of the range [L, R], and a wID set determination step.
An encryption step in which plaintext is encrypted by a wildcard ID-based encryption method based on each of the determined wildcard IDs, and all the results of the encryption are output as ciphertexts related to the range [L, R]. The computer runs,
In the binarization step, when the sequence of numerical values is recursively divided into two, only one bit of the bit string included in the blocks on both sides with the division point as the axis is inverted, and the other bits are symmetric. An encryption method that assigns 0 or 1 so that An encryption program for operating a computer as the encryption device according to any one of claims 1 to 5.

Images