JP4758110B2 - Communication system, encryption apparatus, key generation apparatus, key generation method, restoration apparatus, communication method, encryption method, encryption restoration method - Google Patents

Description

  The present invention relates to a communication system, an encryption device, a key generation device, a key generation method, a restoration device, a communication method, an encryption method, and an encryption restoration method, and more particularly, a communication system adopting a public key encryption method and a threshold encryption method, The present invention relates to an encryption device, a key generation device, a key generation method, a restoration device, a communication method, an encryption method, and an encryption restoration method.

  Conventionally, public key cryptosystems are used to perform secure communication. In the public key cryptosystem, storing a decryption key for a public key safely is one of the major issues. As one of solutions to this problem, various threshold encryption methods have been developed. The threshold encryption method is a method in which a decryption key in a public key encryption method is distributed to a plurality of distributed keys, and plain text cannot be restored unless a plurality of devices having the distributed keys cooperate.

  How to securely store a decryption key when using public key cryptography is one of the major issues, and various threshold cryptosystems have been developed as one of the solutions. Here, threshold encryption is a method in which a decryption key for decryption in public key cryptography is distributed into several so-called distributed keys, and decryption is not possible unless a plurality of centers having the distributed keys cooperate. . As such a threshold encryption method, for example, a method using a prime factorization type encryption method (for example, Non-Patent Document 1, Non-Patent Document 2, Non-Patent Document 3) or a discrete logarithmic encryption method is used. A method (for example, Non-Patent Document 4) is known.

Pierre-Alain Fouque and David Pointcheval, Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks. ASIACRYPT 2001, pp.351-368 (2001) Takeshi Ishihara, Hiroshi Aono, Nobuyuki Hongo, Junji Shikata, Improvement of Threshold Type Paillier Cipher, IEICE Technical Report ISEC2004-12 (2004-05), IEICE V.Shoup and R. Gennaro, Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology, vol.15, no.2, pp.75-96 (2002) J. Katz and M. Yung, “Threshold Cryptosystems Based on Factoring”, ASIACRYPT2002, Lecture Notes in Computer Science, 2501, pp.192-205, Springer-Verlag, 2002

However, although the technique described in Non-Patent Document 1 shows safety against a selected ciphertext attack, it is necessary to perform many exponentiation operations at the time of encryption, and there are exponentiation operations that cannot be pre-computed before encryption. It existed (Problem 1).
Further, although the technique described in Non-Patent Document 2 has a small amount of calculation for encryption, security is shown only under a selected plaintext attack, and security under a selected ciphertext attack is not shown. (Problem 2). In addition, the safety was demonstrated based on the strong assumption of the e-root determination problem as the basis of safety (Problem 2 ′).

Further, the technique described in Non-Patent Document 3 needs to prepare a large prime number as compared with a method based on prime factorization. Since prime numbers larger than the prime number theorem have few numbers, preparing a large prime number has a problem that it is difficult to find the target prime number and there are few prime numbers that can be used (Problem 3).
Further, in the prime factorization type threshold encryption method shown in Non-Patent Document 4, although encryption and decryption can be performed by calculation under the modulus N to ensure safety against a selected plaintext attack, only 1 bit is available. Could not encrypt. For this reason, the efficiency of encryption and decryption is very poor and not practical (Problem 4).

In particular, with regard to Problem 1 and Problem 4, since the mobile communication terminal that places importance on portability is difficult to mount a high-speed CPU, the above-described threshold encryption method of the above-described prior art is calculated at the time of encryption. Is inefficient because of inefficiency.
The first object of the present invention is to solve the above-mentioned problems 1, 2 ', 3, and 4, and to encrypt a plaintext of a plurality of bits, to make a decision problem, and to be a prime factorization type and advance Communication system, encryption device, key generation device, key generation method, restoration device, communication adopting threshold encryption method or public key encryption method, which can be practically used in mobile communication terminals with low calculation capability by calculation It is to provide a method, an encryption method, and an encryption restoration method.

  The second object of the present invention is to solve the above-mentioned problems 1, 2, 3 and 4, and can encrypt a multi-bit plaintext, is a prime factorization type, and has a low computing power by pre-computation. A communication system, encryption device, key generation device, key generation method, restoration device, communication method, encryption method, encryption restoration that employs a threshold encryption method or a public key encryption method that can also be used in terminals and the like. Is to provide a method.

Communication system according to claim 1 of the present invention, a composite number as a modulo generates g ^r from disjoint g and the random number r from each other with the composite number is held dispersed in the g ^r and a plurality of devices, by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the ciphertext using the distributed key that can decrypt the plaintext m by them a plurality of devices cooperate, it is at least a portion of the random number r the rmodN calculated, Ru can decrypt the plaintext m using the rmodN at least a portion of the calculated the random number r, the ciphertext said plaintext m by encryption scheme using equation (9) C = (c , U, w, e, f) (in Expression (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), and M is a composite number (M = p ₂ q _2, p ₂ and q ₂ is a prime number , E, f, w and w 'is ^{w × u e = g f,} w' × u 'e = g 2 verification data to verify the validity of the ciphertext ^{by f} to confirm that established , s is a value selected during the encryption, * the exclusive logical sum), by Moto modulo said number of synthetic, u = g ^r modN ² of formula (9) for encryption, w, u ′ = g ₂ ^r mod M ² (g ₂ is ∈ Z ^* M 2 ( a set of values that are relatively prime to M ² among elements of Z _M ² , M ² is M ² ) ), w ′, H 1 (rmodN) An encryption device that pre-calculates the part of
Wherein said rmodN is at least a part of the random number r from the calculated the g ^r a is the u composite numbers modulo calculated, the rmodN at least a portion of the calculated the random number r used for encryption a key generating unit for generating the distributed key to restore the plaintext m by substituting the equation (9),
The ciphertext the encrypted device by encrypting the plaintext m C = (c, u, w, e, f) for, performs partial decoding process to obtain a partial decoding information by decoding using the distributed key A partial decoding device (for example, corresponding to the decoding servers 50 ₁ to 50 _n in FIGS. 1 to 3) that generates partial decoding information that is information obtained by
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r, when encrypting the plaintext m by substituting the equation (9) used, the ciphertext C = said encryption device has generated (c, u, w, e, f) and restoring device for restoring said plaintext m from
The distributed key is transmitted from the key generation device to the partial decryption device,
The ciphertext C = (c, u, w, e, f) generated in the encryption device is transmitted to the partial decryption device,
The partial decoding information generated in the partial decoding device is transmitted to the restoration device;
By restoring the plaintext m using the random number r calculated by calculating the rmodN that is at least a part of the random number r using the partial decryption information in the restoration device,
The encrypted communication of the plaintext m is performed between the encryption device and the restoration device . If comprised in this way, the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

Encryption device according to claim 2 of the present invention is an encryption device for use in a threshold encryption scheme that can restore the plaintext m using partial decoding information sigma, the combined number of composite numbers with modulo When generating the g ^r from disjoint g and the random number r from each other, the ciphertext using the g ^r and said distributed key C = (c, u, w , e, f) the partial decoding information by decoding the by row Ukoto the partial decryption process to obtain the random number to calculate the rmodN is at least a part of the r, Ru can decrypt the plaintext m using the rmodN at least a portion of the calculated the random number r, the encryption said plaintext m using equation (9) the ciphertext C = (c, u, w , e, f) in the case of encryption, by Moto modulo said number of synthesized by scheme, encryption u = g ^r modN ² of the formula (9) _{for, w, u '= g 2} r mo M ^2, w ', H1 and ciphertext generating means for performing a pre-calculated for the portion of (rmodN), the ciphertext C = generated by the ciphertext generating means (c, u, w, e , f) the ciphertext A ciphertext transmitting means for transmitting to the management server, storing the ciphertext in the ciphertext management server, and communicating the encrypted plaintext m between the own device and the restoration device that restores the plaintext m It is characterized by being used for If comprised in this way, the encryption apparatus in the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

The key generation apparatus according to claim 3 of the present invention is from the u defined by the g ^r can be calculated by the combined number of the disjoint g and the random number r a composite number as a modulo on at least a portion of the random number r the rmodN a key for calculating a, a key the rmodN at least a portion of the calculated random number r can the plaintext m is restored by substituting the equation (9) used for encrypting a plurality of keys a distributed key generation means for generating a dispersed the distributed key, and a distributed key transmission means for transmitting the distributed key generated by said distributed key generation means to the partial decoding device, the distributed key in the partial decoding device It is characterized in that partial decryption information that is information obtained by partially decrypting ciphertext C = (c, u, w, e, f) is generated. If comprised in this way, the key generation apparatus in the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

The key generation apparatus according to claim 4 of the present invention, in claim 3, wherein g the ciphertext said defined by ^r u to the encryption device encrypts the plain text m C = (c, u, w , E, f) public information (composite numbers N, M, g, g ₂ , hash functions H1, H2, θ (θ = θ) ALbetamodN, L? is secret information), origin [nu, [nu ₂₎ further comprises public information creating means for creating, modulo ^N 2, ^{M 2} square excess and ^N 2, ^{M 2} and relatively prime integers A verification key is generated using generation sources ν and ν ₂ of a set subgroup. If comprised in this way, the key generation apparatus in the communication system which employ | adopted the threshold-value encryption method which raised safety | security more is realizable.
A key generation method according to claim 5 of the present invention is a key generation device including distributed key generation means for generating a distributed key , and is realized in the key generation device of the communication system according to claim 1. a is a key for calculating said rmodN is at least a part of the random number r from the u defined by the g ^r which can calculate the composite number as a modulo, at least a portion of the calculated the random number r distributed key generation step of the said distributed key to the plaintext m by substituting the equation (9) is dispersed a key can be restored to a plurality of keys used for encrypting RmodN, wherein the distributed key generation means for generating is It is characterized by including. If comprised in this way, the key generation method which employ | adopted the safe and efficient threshold value encryption system is realizable.

A key generation method according to a sixth aspect of the present invention includes a key generation method including a distributed key generation unit that generates a distributed key, and a public information generation unit that generates public information necessary for generating ciphertext verification data. an apparatus, and a key generation method implemented in the key generation apparatus of a communication system according to claim 1, wherein said from u random number r defined by the g ^r can be calculated the number of the synthesis modulo at least a portion the rmodN can calculate a, the rmodN at least a portion of the calculated the random number r can the plaintext m is restored by substituting the equation (9) using the encryption key the said distributed key distributed to a plurality of keys, said the distributed key generation step of distributed key generation means generates ciphertext wherein said defined by g ^r u to the encryption device encrypts the plain text m C = (c, Public information (composite numbers N, M, g, g ₂ , hash functions H 1, H 2, θ) necessary for creating ciphertext verification data for verifying the relationship with u, w, e, f) (Θ = aLβmodN, where Lβ is secret information), a generation source ν, ν ₂ ) including a public information creation step created by the public information creation means, and a square surplus under the moduli N ² and M ² and N ^The verification key is generated using the generation sources ν and ν ₂ of the subgroups of sets of integers that are relatively prime to ² and M ² . If comprised in this way, the key generation method which employ | adopted the threshold-value encryption method which raised safety | security more is realizable.

Restoring apparatus according to claim 7 of the present invention, the to decrypt the encrypted using the distributed key generated by the key generation device that generates a distributed key sentence C = (c, u, w , e, f) by partial decryption information generated in the partial decoding device, a recovery device comprising a restoring means for restoring said plaintext m using the restoring means, said using said partial decoding information for decoding by the rmodN is at least part of the random number r is calculated and the rmodN at least a portion of the calculated the random number r, into equation (9) used in encrypting the plaintext m, the ciphertext C = said encryption device has generated (c, u, w, e , f) characterized in that to restore the plaintext m from. If comprised in this way, the decompression | restoration apparatus in the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

The communication method according to claim 8 of the present invention generates an encrypted device that encrypts plaintext m and a distributed key that is distributed and held in a plurality of devices and that can decrypt the plaintext by the cooperation of the plurality of devices. Partial decryption, which is information obtained by decrypting the ciphertext C = (c, u, w, e, f) obtained by encrypting the plaintext m by the key generation device and the encryption device using the distributed key a partial decoding unit for generating information, is implemented in a communication system including a restoration device which restores the plaintext m from the encryption device is the cipher text C is generated = (c, u, w, e, f) A communication method,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said using g ^r and said distributed key ciphertext C = (c, u, w , e, by the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, the plaintext using the rmodN at least a portion of the calculated the random number r m Ru can decrypt the encryption method the cryptogram C = plaintext m using equation (9) by (c, u, w, e, f) in the case of encryption, also a composite number modulo For the encryption, the encryption apparatus performs pre-calculation on the parts of u = g ^r modN ² , w, u ′ = g ₂ ^r modM ² , w ′, H1 (rmodN) of the equation (9). Steps to do,
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r the distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys by substituting the equation (9) used for the encryption, the steps of the key generating apparatus generates,
The ciphertext C = said encryption device encrypting said plaintext m (c, u, w, e, f) for the partial decryption information is information obtained by decoding using the distributed key, Generating by the partial decoding device;
The rmodN is at least part of the random number r by using the partial decryption information calculated during the decoding, the rmodN at least a portion of the calculated the random number r, use in encrypting the plaintext m by substituting have the formula (9), a step wherein the ciphertext C = said encryption device has generated the (c, u, w, e, f) the plaintext m from the restoration device to restore,
The distributed key is transmitted from the key generation device to the partial decryption device,
The ciphertext C = (c, u, w, e, f) generated in the encryption device is transmitted to the partial decryption device,
The partial decoding information generated in the partial decoding device is transmitted to the restoration device;
By calculating the rmodN that is at least a part of the random number r using the partial decryption information in the restoration device, and restoring the plaintext m using the calculated rmodN,
The encrypted communication of the plaintext m is performed between the encryption device and the restoration device . If comprised in this way, the communication method which employ | adopted the safe and efficient threshold value encryption system is realizable.

Communication system according to claim 9 of the present invention is a communication system using a threshold encryption scheme that can restore the plaintext m using partial decoding information sigma, it is defined by g ^r which can calculate the composite number as a modulo the rmodN information is at least part of the random number r from u, said by substituting the plaintext m in the formula (9) used when encrypting the ciphertext encrypted device-generated C = (c, u, w, e, and private key generating device for generating a secret information Lβ from f) a secret key which is required for restoring the plaintext m,
The composite numbers with modulo generate the g ^r from disjoint g and the random number r from each other with the composite number, the g ^r and said using the distributed key ciphertext C = (c, u, w , e, wherein the row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, which is at least a part of the calculated the random number r Ru can decrypt the plaintext m using RmodN, the said plaintext m by encryption scheme using equation (9) the ciphertext C = (c, u, w , e, f) in the case of encryption, in Moto modulo said number of ^{synthetic, u = g r modN 2,} w of the formula (9) for ^{_{encryption, u '= g 2 r modM}} 2, w', pre for the portion of the H1 (RmodN) An encryption device that performs the calculation;
The rmodN is at least a part of said random number r in the decoding, at the using the secret key generated by the secret key generating unit restores by calculating the equation (3) (the formula (3), L? Is secret information, λ is an interpolation coefficient, S is a plurality of parts that generate partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) using a distributed key of decoder, set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), at least a portion of the restored the random number r A restoration device for obtaining the plaintext m from the ciphertext C = (c, u, w, e, f) using the rmodN ,
And the encrypted communication is performed for the plaintext m. If comprised in this way, the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

According to a tenth aspect of the present invention, there is provided a distributed key generation means for generating a distributed key that is distributed and held in a plurality of devices and that can decrypt the plaintext m through cooperation of the plurality of devices, and for encryption. A key generation method realized in a key generation device including: a ciphertext generation unit that performs pre-calculation on the data; and a restoration unit that restores plaintext from the ciphertext generated by the ciphertext generation unit,
The rmodN is at least part of the random number r from u defined by g ^r which can calculate the composite number as a modulo, by substituting the equation (9) used in encrypting the plaintext m, the plaintext m A key generation step by which the distributed key generation means generates a secret key necessary for restoring
The composite numbers with modulo generate the g ^r from disjoint g and the random number r from each other with the composite number, the ciphertext by using the g ^r a distributed key C = (c, u, w , e , by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the rmodN is at least a part of said random number r is calculated and the calculated at least a portion of the random number r the rmodN Ru can decrypt the plaintext m using the using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) in the case of encryption, the the composite number is Moto ^{modulo, u = g r modN 2,} w of the formula (9) for ^{_{encryption, u '= g 2 r modM}} 2, w', pre-calculated for portions of H1 (RmodN) The ciphertext generation means performs,
The rmodN is at least a part of said random number r to the decoding, the key generated using the secret key generated in step restores by calculating the equation (3), the restored the random number r at least a the ciphertext C = the parts in which the rmodN the encryption device using the generated (c, u, w, e , f) the plaintext m from the recovery step of the restoring means obtains,
And the encrypted communication is performed for the plaintext m. If comprised in this way, the communication method which employ | adopted the safe and efficient threshold value encryption system is realizable.

Encryption device according to claim 11 of the present invention is an encryption device for use in a communication system using a threshold encryption scheme that can restore the plaintext m using partial decoding information sigma, the composite number modulo generates a g ^r from disjoint g and the random number r from each other with the composite number Te, the ciphertext using the g ^r and said distributed key C = (c, u, w , e, f) by decrypting the the partial decryption process rows Ukoto obtaining partial decoded information, at least is part said rmodN calculates, decodes the plaintext m using the rmodN at least a portion of the calculated the random number r of the random number r Ru can be said using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) to encrypt only once, in the plaintext m encrypted, further wherein g wherein u is defined by ^r ciphertext C = (c, u w, e, and adds the encrypted verification data for verifying that the ciphertext when an element of f) is valid, the number of the synthesis by Moto modulo, for encryption A ciphertext generating means for performing pre-calculation on the parts of u = g ^r modN ² , w, u ′ = g ₂ ^r modM ² , w ′, H1 (rmodN) in the formula (9), and the ciphertext generating means generated the ciphertext C = (c, u, w , e, f) a and a ciphertext transmitting unit that transmits the encrypted message management server, the ciphertext in the ciphertext management server C = (c, u, w, e, f) storing, characterized in that the plaintext m encrypted as adapted to use for communication between the restoration device which restores the plaintext m and the own apparatus. If comprised in this way, the encryption apparatus in the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

A communication system according to claim 12 of the present invention comprises:
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, encrypted using the distributed key and ^{g r C = (c, u} , w, e, f) for by row Ukoto the partial decryption process to obtain a partial decoding information by decoding, at least is part rmodN calculated, the plaintext m using the rmodN at least a portion of the calculated random number r of the random number r Ru can decode, the using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) to encrypt only once, in the plaintext m encrypted, further, the g ^r the u defined by said ciphertext C = (c, u, w , e, f) for the ciphertext verification for verifying the ciphertext to be valid when an element of Add the data and modulo the composite number, then u in Equation (9) for encryption ^{g r modN 2, w, u} '= g 2 r modM 2, w', and ciphertext generating means for performing a pre-calculated for portions of H1 (rmodN),
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r a key generating unit for generating a distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys by substituting the equation (9) used for encryption,
Partial encryption device to about said ciphertext plaintext m is encrypted C = (c, u, w , e, f), generates the partial decryption information is information obtained by decoding using the distributed key Decryption means (for example, corresponding to the decryption servers 50 ₁ to 50 _n in FIGS. 1 to 3);
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r verifies that the g ^r the u defined by said ciphertext C = (c, u, w , e, f) is the ciphertext when an element of a legitimate by verifying whether Verification means;
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r, when encrypting the plaintext m by substituting the equation (9) using a restore means the ciphertext C = said encryption device has generated (c, u, w, e, f) from you recover the plaintext m,
And the encrypted communication of the plaintext m is performed between the encryption device and the restoration device having the restoration means . If comprised in this way, the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

Communication method according to claim 13 of the present invention is held distributed across multiple devices, and distributed key generation means for generating a distributed key that can decrypt the plaintext by the plurality of devices to cooperate, for encryption Information obtained by decrypting ciphertext generating means for performing pre-calculation and ciphertext C = (c, u, w, e, f) obtained by encrypting plaintext m using the distributed key a partial decoding unit for generating a partial decryption information is, the ciphertext C = with verification data (c, u, w, e , f) and verification means for verifying the, said ciphertext generating unit generates the ciphertext C = who (c, u, w, e , f) a key generation method implemented in the key generation apparatus and a restoring means for restoring the plaintext m from,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said using g ^r and said distributed key ciphertext C = (c, u, w , e, by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, the rmodN at least a portion of the calculated the random number r wherein Ru be decrypted plaintext m, the encrypted only once the ciphertext C = (c, u, w , e, f) using equation (9) the plaintext m by encryption method, and encrypted using the plaintext m, further the g ^r the u defined by said ciphertext C = (c, u, w , e, f) to verify that the ciphertext when an element of it is justifiable adds the encrypted verification data, the number of the synthesis by Moto modulo encryption ^{U = g r modN 2, w} , u '= g 2 r modM 2, w', H1 ciphertext generation step of pre-calculated for part, performed by the ciphertext generating means (RmodN) of formula (9) in order When,
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r the distributed key dispersed a key can be restored the plaintext m is a plurality of keys by substituting the equation (9) used for the encryption, and key generating step of generating said distributed key generation means,
The ciphertext C = the encryption device encrypts the plaintext m (c, u, w, e, f) for the partial decryption information is information obtained by decoding using the distributed key, the A partial decoding step generated by the partial decoding means;
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r wherein g wherein ^r is defined by u is the cipher text C = by checking whether (c, u, w, e , f) the ciphertext when a component of the verification that is valid, A verification step performed by the verification means;
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r, when encrypting the plaintext m by substituting the equation (9) used, the ciphertext C = said encryption device has generated (c, u, w, e, f) the plaintext m from the recovery step of the restoring means restores ,
And encrypting the plaintext m between the encryption device and a restoration device that restores the plaintext m from the ciphertext C = (c, u, w, e, f) generated by the encryption device. It is characterized by making it possible to perform communication. If comprised in this way, the communication method which employ | adopted the safe and efficient threshold value encryption system is realizable.

A communication system according to claim 14 of the present invention comprises:
A communication system using a threshold cryptosystem can restore the plaintext m using partial decoding information sigma, generates a g ^r a composite number modulo the composite number as a from disjoint g and the random number r from each other and the g ^r is a holding distributed across multiple devices, the plurality of devices ciphertext C = using the distributed key that can decrypt the plaintext by cooperation (c, u, w, e , f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the said random number to calculate the rmodN is at least a part of r, using the rmodN at least a portion of the calculated the random number r wherein Ru be decrypted plaintext m, it encrypts only once the ciphertext C = (c, u, w , e, f) using equation (9) the plaintext m by encryption scheme, the plaintext encrypted in m, as defined in further wherein g ^r Wherein u is the ciphertext C = (c, u, w , e, f) by adding the ciphertext verification data for verifying that the ciphertext when an element of is valid, the synthetic in Moto modulo ^{number, u = g r modN 2,} w of the formula (9) for ^{_{encryption, u '= g 2 r modM}} 2, w', the partial pre-calculated for the H1 (RmodN) Encryption means to perform;
Assignment information of the rmodN is at least a part of said from u random number r defined by the g ^r can be calculated the number of the synthesis modulo, the formula (9) used in encrypting the plaintext m by a secret key generation means for generating a secret key that is required when the cipher text C = said encryption device has generated the (c, u, w, e , f) from restoring the plaintext m,
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r verifies that the g ^r the u defined by said ciphertext C = (c, u, w , e, f) is the ciphertext when an element of a legitimate by verifying whether Verification means;
The rmodN is at least a part of said random number r to the decoding, using said secret key generated by the secret key generating means restores by calculating the equation (3), at least the restored the random number r and restoration means for obtaining the plaintext m using a part the RmodN,
And the encrypted communication is performed for the plaintext m. If comprised in this way, the communication system which employ | adopted the safe and efficient threshold value encryption system is realizable.

A communication method according to claim 15 of the present invention comprises:
Generated by the ciphertext generating means, the ciphertext generating means for performing pre-computation for encryption, the secret key generating means for generating the secret key, the verification means for verifying the ciphertext using the verification data, and the ciphertext generating means A communication method realized in a communication system including a restoring means for restoring plaintext from ciphertext,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said the g ^r and dispersed held in a plurality of devices, the plurality of devices plaintext by cooperation ciphertext C = with a distributed key to decode it (c, u, w, e , f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the at least a portion of the random number r some rmodN calculated, using the rmodN at least a portion of the calculated the random number r Ru can decrypt the plaintext m, the said plaintext m by encryption scheme using equation (9) ciphertext C = (c, u, w, e , f) to encrypt only once, in the plaintext m encrypted, further wherein g ^r the u defined by said ciphertext C = (c, u, w , e, test the cipher text to be justified at the time is an element of f) By adding the ciphertext verification data for, by Moto modulo said number of ^{synthetic, u = g r modN 2,} w of the formula (9) for encryption, u '= _{g 2} ^r modM ² , w ′, H1 (rmodN) for the pre-calculation, the ciphertext generating means performs an encryption step;
Substituting the rmodN is at least a part of the random number r from the u defined by the g ^r can be calculated the number of the synthesis modulo, the formula (9) used in encrypting the plaintext m Accordingly, the secret key generating step of a secret key which is required for restoring the plaintext m, the secret key generating unit for generating,
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r wherein g wherein ^r is defined by u is the cipher text C = by checking whether (c, u, w, e , f) the ciphertext when a component of the verification that is valid, A verification step performed by the verification means;
The rmodN is at least a part of said random number r to the decoding, using said secret key generated by the secret key generating means restores by calculating the equation (3), at least the restored the random number r using a part the RmodN, the restoration step said ciphertext encryption device has generated C = the (c, u, w, e , f) the plaintext m from the restoring means obtains,
And the encrypted communication is performed for the plaintext m. If comprised in this way, the communication method which employ | adopted the safe and efficient threshold value encryption system is realizable.

Encryption method according to claim 16 of the present invention, a communication system according to claim 14 comprising an encryption device which performs encryption using a threshold cryptosystem can restore the plaintext m using partial decoding information σ a cryptographic method used for the synthesis number as a modulo generates g ^r from disjoint g and the random number r from each other with the composite number, the ciphertext C by using said distributed key and the g ^r = (c, u, w, e , f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the, said rmodN is at least part of the random number r is calculated and calculated for the random number r Ru can decrypt the plaintext m using the rmodN is at least partially, the plaintext m by the encryption method, the encryption device encrypts the plaintext with the plaintext m encrypted with the encryption device restore device to restore m Characterized in that as used in the communication between. With this configuration, a random number r determined independently of the plaintext m can be determined in advance and g ^r can be calculated in advance, and an encryption method in a communication system employing an efficient threshold encryption method Encryption in a communication system that employs a secure threshold encryption method because the basis of security can be placed in a decision problem from the necessity of accurately obtaining rmodN information that is at least part of the random number r. The method can be realized.

An encryption method according to claim 17 of the present invention includes partial decryption means for generating partial decryption information that is information obtained by decrypting a ciphertext using a distributed key, and plaintext m using partial decryption information σ. the possible a encryption method used in a communication system according to claim 14 with a threshold cryptosystem restore, g composite numbers modulo said composite number as a from disjoint g and the random number r from each other ^r generates the ciphertext using the g ^r and said distributed key C = (c, u, w , e, f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the said the rmodN is at least part of the random number r is calculated and the calculated using the rmodN is at least a part of said random number r Ru can decrypt the plaintext m, the plaintext m by the encryption method, the partial decoding It means before Encrypted only once ciphertext C = (c, u, w , e, f), the plaintext m encrypted, further wherein g ^r the u defined by said ciphertext C = (c, u, added w, e, the ciphertext verification data for verifying that the ciphertext is valid when an element of f), the plaintext m encrypted, encrypting the plaintext m It is used for communication between an encryption device and a restoration device for restoring the plaintext m. By configuring in this way, it becomes possible to predetermine a random number r determined independently of the plaintext m and calculate g ^r in advance, and to further efficiently calculate most of the verification data in advance. Encryption in a communication system that employs a secure threshold cryptosystem, and that is resistant to selected ciphertext attacks by ciphertext verification data, and is encrypted in a communication system that employs a secure threshold cryptosystem The method can be realized.

An encryption restoration method according to claim 18 of the present invention includes restoration means for restoring said plaintext m from ciphertext C = (c, u, w, e, f) generated by an encryption device , and claim 14. The encryption restoration method realized in the restoration device used in the communication system according to claim 1, wherein the encryption device generates g ^r from g and a random number r that are relatively prime to the composite number, using the composite number as a modulus . The plaintext m is encrypted by an encryption method that performs partial decryption processing using the g ^r and the distributed key, calculates the random number r, and decrypts the plain text m using the calculated random number r. ,
Said portion for use in the threshold encryption scheme can restore the plaintext m using the decoded information sigma, the encryption device is the cipher text C = (c obtained by encrypting the plaintext m, u, w, e, for f), the calculated the rmodN is at least a part of said random number r by using the partial decryption information is information obtained by decoding using the distributed key, in at least some of the calculated the random number r some said RmodN, by substituting the equation (9) used in encrypting the plaintext m, the ciphertext C = said encryption device has generated (c, u, w, e , f) from The plaintext m is restored by the restoration means. With this configuration, the basis of security can be placed in the decision problem from the necessity of accurately obtaining information on rmodN that is at least part of the random number r, and in a communication system employing a secure threshold encryption method An encryption restoration method can be realized.

Encryption restoring method according to claim 19 of the present invention comprises a restoration device to restore the plaintext m from ciphertext encryption device has generated, the partial decryption information threshold cryptosystem that can restore the plaintext m using σ 15. The encryption restoration method used in the communication system according to claim 14 , wherein the encryption apparatus generates g ^r from g and the random number r that are relatively prime to the composite number using the composite number as a modulus. And performing partial decryption using the g ^r and the distributed key, calculating the random number r, and decrypting the plain text m using the calculated random number r. The ciphertext C = (c, u, w, e, f) is encrypted,
The restoration device verifies the ciphertext to be justified when u defined by the g ^r before decoding is an element of the ciphertext C = (c, u, w , e, f) based on the ciphertext verification data for the portion performed for u the encryption device is a part of said ciphertext plaintext m is encrypted C = (c, u, w , e, f) decoding, the restoration apparatus performs similarly for u ', the g ^r the u defined by said ciphertext C = (c by checking whether the reconstruction result are both the random number r, u, w, e, was confirmed to be the element of f), the rmodN at least a portion of then the random number r to the decoding if the verification is established, using a secret key used in public key cryptography Te, the restoration device restores by calculating the equation (3), restored the random number r And obtaining the plain data m from the said ciphertext encryption device has generated C = (c, u, w , e, f) using the rmodN at least partially. According to this configuration, the ciphertext verification data is added with resistance against a selected ciphertext attack, and a cipher restoration method in a communication system employing a safe threshold cryptosystem can be realized.

Restoration apparatus according to claim 20 of the present invention is held distributed across multiple devices, the distributed key generated by the key generation device that generates a distributed key that can decrypt the plaintext m by the plurality of devices to cooperate 15. A restoration means for restoring the plaintext m using the partial decryption information generated in the partial decryption device by decrypting the ciphertext using the data, and used in the communication system according to claim 14 The ciphertext generates g ^r from g and a random number r that are relatively prime to the composite number using the composite number as a modulus, and performs partial decryption processing using the g ^r and the distributed key, The plaintext m is encrypted by an encryption method that can calculate the random number r and decrypt the plaintext m using the calculated random number r.
The distributed key s is generated by calculating s _i = f (i) mod LN (i = 1, 2,... N) using equation (6).
The restoring means, said rmodN is at least a part of said random number r to the decoding, by using a secret key used in public key cryptography restored by calculating equation (3), restored the using the rmodN is at least part of the random number r, and wherein the restoring the plaintext m from ciphertext encryption device was produced. With this configuration, it is possible to place the basis of security in the decision problem from the necessity of accurately obtaining the information of rmodN that is at least a part of the random number r, and in a communication system employing a secure public key cryptosystem A restoration device can be realized.

According to the present invention, even a terminal with low calculation capability can be encrypted by performing pre-calculation, so that it is possible to realize a communication system employing an efficient threshold encryption method or public key encryption method.
In addition, according to the present invention, a communication system adopting a safe threshold encryption method or a public key encryption method because it is based on a reasonable assumption that resistance against a selected ciphertext attack is added or a decision problem is difficult. There is an effect that can be realized.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the drawings referred to in the following description, the same parts as those in the other drawings are denoted by the same reference numerals. In addition, English letters and Greek letters used in the following description have the same significance in each embodiment.
In the present invention, the composite number N is defined as N = pq, p and q are different odd prime numbers, and both are Λ / 2 bits. Z _N ² is a set of integers greater than or equal to 0 and less than N ² , Z ^* _N ² is a set of integers that are relatively prime to N ² among the elements of Z _N ² , and Q _N ² is a source of modulus N ² A set of values that are integers that are square surplus and disjoint from N ² .

Furthermore, the present invention assumes the following assumption 1 and assumption 2.
(Assumption 1)
(Partial Discrete Logarithm Assumption)
N (= pq), gεZ ^* _N2 , g ^r (g to the power of r) (rεZ _N2 ) (N2 means N ² )
When r is given, it is almost impossible to find congruent r ′ (which may of course be completely equal to r) with r and modulus N. Note that “almost impossible” means that the accuracy rate is close to zero as long as several questions are given.
Here, the order of g is a non-zero multiple of N.

(Assumption 2)
(Decisional Small Diffie-Hellman Assumption)
N (= pq), M ( = p 2 q 2), g∈Z * N2, g 2 ∈Z * M2, g r (g of r-th power) (r∈Z _{N2) (N2} means the N ² , M2 means M ² )
When Z ₀ or Z ₁ defined below is further given, the probability that the prediction is true is almost the same as 1/2 (the difference from 1/2 is almost as close to 0 as possible) ).
Z ₀ = g ₂ ^r mod M ² , Z ₁ = R (∈Z ^* _{M 2} ) (M ² means M ² )
Here, the order of g is a multiple of N that is not 0, and the order of g ₂ is a multiple of N ₂ that is not 0. However, it is assumed that N> N ₂ but the difference is negligible.

(First embodiment)
〔Communications system〕
As illustrated in FIG. 1, the communication system 100 includes an encryption terminal 10, a restoration terminal 20, a key generation server 30, a ciphertext management server 40, a plurality of decryption servers 50 ₁ to 50 _n, and a network 60. Is provided. The encryption terminal 10, the restoration terminal 20, the key generation server 30, the ciphertext management server 40, and the plurality of decryption servers 50 ₁ to 50 _n transmit and receive information via the network 60.

The key generation server 30 is a key generation device that generates public information (g, N, θ, H1) used for encryption of μ-bit plaintext m, secret information Lβ used for decryption of the ciphertext C, and its distributed key. is there. The key generation server 30 includes a key generation unit 31, a key database 32, and a transmission unit 33. The key generation unit 31 generates public information (g, N, θ, H1), secret information Lβ corresponding thereto, and a distributed key in which the secret information Lβ is distributed in a plurality. The key generation unit 31 generates n distributed keys . Furthermore, n verification keys vk for verifying that the partial decryption information is correct and its generation source v are generated. When distinguishing each verification key, the i-th verification key is represented as “vki”. Therefore, when distinguishing each distributed key, the i-th distributed key is represented as “s _i ”. Thus, numbers 1 to n are assigned to the verification key vk and the distributed key s _i . Note that “n”, which is the number of decryption servers, and “t”, which represents the number of partial decryption information necessary for decryption in the (t, n) threshold encryption method, are publicly available information. These “n” and “t” are transmitted to the restoration terminal 20.

The key database 32 stores public information (g, N, θ, H1). The transmission unit 33 transmits the public information (g, N, θ, H1) generated by the key generation unit 31 to the encryption terminal 10, the restoration terminal 20, and the ciphertext management server 40. Further, the verification keys vk1 to vkn are transmitted to at least the restoration terminal 20. Also, transmitter 33, a distributed key s ₁ ~s _n, and transmits the decryption server 50 ₁ to 50 _n. Such a key generation server 30 can be realized by executing a program for causing a computer to function as the key generation unit 31, the key database 32, and the transmission unit 33.

The encryption terminal 10 is an encryption device that encrypts plaintext m and generates ciphertext C. The encryption terminal 10 includes a reception unit 11, a ciphertext generation unit 12, a transmission unit 13, an input unit 14, and a storage unit 15.
The receiving unit 11 receives public information (g, N, θ, H1) from the key generation server 30. The storage unit 15 stores H1 (rmodN) and u = g ^r modN ² calculated in advance by the ciphertext generation unit 12. The receiving unit 11 may receive the plaintext m and input it to the ciphertext generation unit 12.

The input unit 14 acquires the plaintext m input from the outside and inputs it to the ciphertext generation unit 12. The ciphertext generation unit 12 encrypts the plaintext m using H1 (rmodN) and u = g ^r modN ² that are pre-calculated and stored in the storage unit 15. When generating the ciphertext C, the ciphertext generating unit 12 hides the random number r as g ^{r from} g that is not a composite number based on the composite number, and at least part of the random number r is hidden. Use to encrypt plaintext m. The ciphertext generation unit 12 acquires the plaintext m from the input unit 14 and the reception unit 11. Note that it is r∈ _U Z _{N2 (N2} means N ^2). Here, “Xε _U G” represents that the element X is selected from the set G with a uniform probability.

The ciphertext generation unit 12 preferably generates the ciphertext C (c, u) by encrypting the plaintext m by calculating the following equations (1) and (2).
c = H1 (rmodN) * m (1)
u = g ^r modN ² (2)
The hash function H1 is Z _N → {0, 1} μ. The above “*” indicates an exclusive OR. The same applies to the following description.

  The transmission unit 13 transmits the ciphertext C generated by the ciphertext generation unit 12 to the ciphertext management server 40. As will be described later, the storage unit 15 temporarily stores a result of partial precalculation when encrypting. In such an encryption terminal 10, the computer executes a program for causing the computer to function as the reception unit 11, the ciphertext generation unit 12, the transmission unit 13, the input unit 14, and the storage unit 15. Can be realized.

The ciphertext management server 40 is a ciphertext management apparatus that receives the ciphertext C from the encryption terminal 10 and provides the ciphertext C to each device. The ciphertext management server 40 includes a reception unit 41, a ciphertext management unit 42, a ciphertext database 43, and a transmission unit 44. The receiving unit 41 receives the ciphertext C from the encryption terminal 10. The receiving unit 41 receives a request for the ciphertext C from the restoration terminal 20 and the decryption servers 50 ₁ to 50 _n . Further, the receiving unit 41 receives public information (g, N, θ, H1) from the key generation server 30.

The ciphertext database 43 stores the ciphertext C. The transmission unit 44 transmits the ciphertext C to the restoration terminal 20 and the decryption servers 50 ₁ to 50 _n . Such a ciphertext management server 40 can be realized by the computer executing a program for causing the computer to function as the reception unit 41, the ciphertext management unit 42, the ciphertext database 43, and the transmission unit 44. .

The decryption servers 50 ₁ to 50 _n generate partial decryption information σ. The partial decryption information σ is information used when the plaintext m is restored from the ciphertext C, and is information necessary for the restoration terminal 20 to restore the plaintext m. The partial decryption information σ is information obtained by performing a calculation using the ciphertext C and the distributed key s _i , that is, by partially decrypting the ciphertext C using the distributed key s _i . The plurality of decryption servers 50 ₁ to 50 _n generate partial decryption information σ by using different shared keys s _i , thereby generating a plurality of partial decryption information σ. The partial decryption information generated using the distributed key s _i is expressed as “σ _i ”. Therefore, partial decryption information σ _{1 to} σ _n is generated as a plurality of partial decryption information σ using the distributed keys s _{1 to} s _n . In this way, the numbers from 1 to n are assigned to the partial decoding information σ. The decryption servers 50 ₁ to 50 _n are also given numbers ₁ to _n . Note that Δ = n! = N · (n-1) · (n-2) ... 2 · 1.

Each of the decryption servers 50 ₁ to 50 _n includes reception units 51 _{1 to} 51 _n , partial decryption information generation units 52 _{1 to} 52 _n , and transmission units 53 _{1 to} 53 _n . The receiving units 51 _{1 to} 51 _n receive the public information (g, N, θ, H1) and the distributed key s _i from the key generation server 30. The receiving units 51 _{1 to} 51 _n receive a request for partial decoding information σ (hereinafter referred to as “decoding request”) from the restoration terminal 20. Furthermore, the receiving units 51 _{1 to} 51 _n receive the ciphertext C from the ciphertext management server 40.

Among the partial decoding information generation unit 52 ₁ to 52 _n, partial decryption information generation unit who agree to decrypt the ciphertext C sends σ _i ≡u ² Δ ^Si modN ² to restore the terminal 20. σ _i ≡u ² Δ ^Si modN ² restore terminal 20 which has received the information sent from the partial decoding information generation unit which agree to the above is whether to verify correct. In this confirmation, it is confirmed whether σ _i ² and vk _i have the same logarithm with u ⁴ Δ and vΔ as the bases, respectively. If the restoration terminal 20 cannot confirm that σ _i is the correct share, the restoration terminal 20 issues an invalid symbol and terminates the process. If it can be confirmed, the restoration terminal 20 performs the following calculation.

ただし、

However,

である。そして、ｒｍｏｄＮ並びに式（１）及び式（２）により、平文ｍが得られる。式（３）、式（４）において、「Ｓ」は、復元端末２０からの復号要求を受け入れた復号サーバ５０₁〜５０_nの番号の集合を表す。

It is. Then, plaintext m is obtained by rmodN and equations (1) and (2). In Expressions (3) and (4), “S” represents a set of numbers of the decryption servers 50 ₁ to 50 _n that have accepted the decryption request from the restoration terminal 20.

The decoding servers 50 ₁ to 50 _n as described above are programs for causing a computer to function as the receiving units 51 _{1 to} 51 _n , the partial decoded information generating units 52 _{1 to} 52 _n, and the transmitting units 53 _{1 to} 53 _n. Can be realized by a computer executing.
The restoration terminal 20 is a restoration device that restores the plaintext m from the ciphertext C. The restoration terminal 20 includes a reception unit 21, a plaintext restoration unit 22, a transmission unit 23, and an output unit 24.
The receiving unit 21 receives a plurality of partial decoding information σ from a plurality of decoding servers 50 ₁ to 50 _n . The receiving unit 21 receives the ciphertext C from the ciphertext management server 40. Furthermore, the receiving unit 21, the public information from the key generation server 30 (g, N, θ, H1) and receives the verification key vk ₁ ~vk _n.

  The plaintext restoration unit 22 restores the plaintext m from the ciphertext C using a plurality of partial decryption information σ. The plaintext restoration unit 22 outputs the restored plaintext m to the output unit 24. The transmission unit 23 transmits a ciphertext C request and a decryption request. Such a restoration terminal 20 can be realized by the computer executing a program for causing the computer to function as the reception unit 21, the plaintext restoration unit 22, the transmission unit 23, and the output unit 24.

Next, the processing performed by the communication system 100 in the decryption from the plaintext m encryption will be described in detail with reference to FIGS. 1 and 2. In the communication system 100, decryption is performed by the (t, n) threshold encryption method. The (t, n) threshold cryptosystem is t partial decryption information among _n partial decryption information σ _{1 to} σ n generated using _n distributed keys s _{1 to} sn. If used, this is a threshold encryption method that can restore plaintext m. Therefore, “t” represents the number of pieces of partial decryption information σ required in the (t, n) threshold encryption method.

An encryption method in which the communication system 100 conceals a random number r as g ^r with respect to g that is not a composite number based on the composite number, and encrypts the plaintext m using at least a part of the random number r. The case where it is used will be described. The key generation unit 31 of the key generation server 30 first selects two large Λ / 2-bit strong prime numbers p and q, calculates a product thereof, and generates a composite number N = pq. The strong prime numbers p and q mean that p ′ is a prime number at p = 2p ′ + 1 and q ′ is a prime number at q = 2q ′ + 1.

Here, L = p′q ′ is calculated and kept secret. Also, g = (1 + aN) b ^N modN ² is determined based on a∈Z _N and b∈Z ^* _N , and g is disclosed. Further, the value β∈Z ^* _N is selected at random, and θ = aLβmodN is calculated. θ is disclosed, and the hash function H1: Z _N → {0, 1} μ used for encryption is also disclosed.
Next, the key generation unit 31 generates secret information Lβ corresponding to the public information (g, N, θ, H1). The secret information Lβ is

を満たす。更に、鍵生成部３１は、秘密情報Ｌβを複数に分散して複数の分散鍵ｓ _i 、即ち、ｎ個の分散鍵ｓ₁〜ｓ_nを生成する。分散鍵ｓ₁〜ｓ_nは、相互に異なる秘密情報である。

Meet. Further, the key generation unit 31, a plurality of distributed key s _i distributed across multiple secret information L?, I.e., generating n distributed key s ₁ ~s _n. Distributed key s ₁ ~s _n are different from each other secret information.

In the present embodiment, the number n of distributed keys s _{1 to} sn is _{equal to} the number of decryption servers 50 ₁ to 50 _n . However, one decryption server may use a plurality of distributed keys. Therefore, the number of distributed keys s _{i and} the number of decryption servers do not necessarily match. In this embodiment the number of decoding server 50 ₁ to 50 _n and the number of distributed key s ₁ ~s _n match, decryption server 50i is used distributed key s _i. For example, the key generation unit 31 can distribute the secret information Lβ into a plurality using the method proposed by Shamir.

Specifically, the key generation unit 31 selects a _i ∈ _U {0, 1,..., LN−1}, (i = 1, 2,..., T−1) as random numbers, Further, a distributed key s _i is generated by defining as a ₀ = Lβ. “Z _X ” represents a set of integers of 0 or more and less than X (Z _X = Z / XZ). In this case, the key generation unit 31, by calculating equation (6) below, to produce a plurality of distributed key s ₁ ~s _n. The key generation unit 31 generates a distributed key s _i by calculating s _i = f (i) mod LN using equation (6).

Key generating unit 31, a plurality of the distributed key s ₁ ~s _n that generated and input to the transmitter 33.
Furthermore, the key generation unit 31 generates a plurality of verification keys vk used when determining whether or not the partial decryption information σ is correctly obtained by partially decrypting the ciphertext C. Key generating unit 31 generates the distributed key s ₁ ~s _n same number of n verification key vk ₁ ~vk _n. Key generating unit 31 generates a verification key vk ₁ ~vk _n by calculating equation (7) shown below.

In Expression (7), ν is a generator of a subgroup of Q _N2 (N2 means N ² ). “Q _X ” represents a set of integers that are square surplus under the modulus X and relatively prime to X. Therefore, “Q _X ” is a set of values obtained by obtaining one element from Z ^* _X and squaring it. Key generating unit 31 inputs a plurality of verification keys vk ₁ ~vk _n that generated, Q _N2 (N2 means N ²⁾ the sum of n + 1 values of the origin ν subgroup of, the transmitter 33 To do.

  As shown in FIG. 2, the transmission unit 33 transmits only the public information (g, N, θ, H1) corresponding to the restoration terminal 20 while keeping the prime numbers p and q secret, the encryption terminal 10, and the ciphertext management server. 40, transmitted to the restoration terminal 20. The receiving unit 11 of the encryption terminal 10 receives the public information (g, N, θ, H1) from the key generation server 30 and inputs it to the ciphertext generation unit 12. The receiving unit 41 of the ciphertext management server 40 receives the public information (g, N, θ, H1) from the key generation server 30 and inputs it to the ciphertext management unit 42.

Furthermore, transmitter 33, public information (g, N, θ, H1 ) and in association with a plurality of distributed key s ₁ ~s _n, and transmits to the plurality of decoded servers 50 ₁ to 50 _n. In this case, transmitter 33, a plurality of distributed key _{s 1, ···, s i,} ···, respectively s _n, decoding server _{50 1, ···, 50 i,} ···, a 50 _n Send. Reception unit 51 ₁ to 51 _n of the decoding server 50 ₁ to 50 _n from the key generation server 30, receives the public information (g, N, θ, H1 ) and the distributed key s ₁ ~s _n, partial decryption information generation Input to the sections 52 _{1 to} 52 _n . In this way, the transmission unit 33 functions as a key transmission unit that transmits a plurality of distributed keys s _i to the decryption device.

Thus, the transmission unit 33, the distributed key s ₁ ~s _n dispersed secret information Lβ needed when taking out at least part of r from u, distributed across multiple decoding servers 50 ₁ to 50 _n provide. Further, the key generation server 30 itself does not store the secret information Lβ in the key database 32. As a result, the secret information Lβ is not managed in one place, but is distributed and managed by the plurality of decryption servers 50 ₁ to 50 _n .

Also, transmitter 33, public information (g, N, θ, H1 ) and associates the verification key vk ₁ ~vk _n, and Q _N2 (N2 means N ²⁾ generator of a subgroup of ν To the restoration terminal 20. Receiving unit 21 of the recovery device 20, from the key generation server 30, public information (g, N, θ, H1 ), verification key _{vk 1 ~vk n, Q N2 (} N2 means N ²⁾ of the subgroup of The generation source ν is received and input to the plaintext restoration unit 22.

The ciphertext generation unit 12 of the encryption terminal 10 encrypts using the public information (g, N, θ, H1) received from the key generation server 30. Specifically, the ciphertext generation unit 12 conceals the random number r as g ^r modN ² from the value g, and generates the ciphertext C based on the plaintext m using at least part of the information of r. For example, the ciphertext generation unit 12 encrypts the plaintext m and generates the ciphertext C by calculating the above formula (1) and the above formula (2). The plain text m is information that the encryption terminal 10 wants to encrypt and keep secret. Plaintext m in the present embodiment, unless a plurality of distributed key s ₁ ~s _n, by not be decrypted plaintext m from the ciphertext C, the encryption device 10 is information to be distributed management.

The ciphertext generation unit 12 selects the random number r from Z _N2 . The ciphertext generation unit 12 inputs the generated ciphertext C to the transmission unit 13. As shown in FIG. 2, the transmission unit 13 transmits the ciphertext C and the public key used for encryption to the ciphertext management server 40.
The receiving unit 41 of the ciphertext management server 40 receives the ciphertext C from the encryption terminal 10 as shown in FIG. The receiving unit 41 inputs the received ciphertext C to the ciphertext management unit 42. The ciphertext management unit 42 stores the ciphertext C in the ciphertext database 43 in association with the public information (g, N, θ, H1) received from the key generation server 30.

  After that, the plaintext restoration unit 22 of the restoration terminal 20 requests the ciphertext C created based on the public information (g, N, θ, H1), the public information (g, N, θ, H1), and the secret information. A decoding request for requesting the partial decoding information σ created based on the above is generated and input to the transmission unit 23. The transmission unit 23 transmits a request for the ciphertext C to the ciphertext management server 40. The reception unit 41 of the ciphertext management server 40 receives the request for the ciphertext C from the restoration terminal 20 and inputs the request to the ciphertext management unit 42. The ciphertext management unit 42 acquires the ciphertext C corresponding to the public information (g, N, θ, H1) specified in the request for the ciphertext C from the ciphertext database 43, and public information (g, N , Θ, H1) are input to the transmitter 44 in association with each other. The transmission unit 44 transmits the ciphertext C associated with the public information (g, N, θ, H1) to the restoration terminal 20 as shown in FIG. Thus, the public information (g, N, θ, H1) can be used as identification data for identifying the ciphertext C.

The transmission unit 23 transmits the decryption request to the plurality of decryption servers 50 ₁ to 50 _n . At this time, the transmitting unit 23 may transmit the decryption request to all the decryption servers 50 ₁ to 50 _n by broadcast, and decrypts only the number t of partial decryption information necessary in the (t, n) threshold encryption method. A server may be selected and transmitted.
The receiving units 51 _{1 to} 51 _n of the decoding servers 50 ₁ to 50 _n receive the decoding request and input them to the partial decoding information generating units 52 _{1 to} 52 _n . When the partial decryption information generation units 52 _{1 to} 52 _n accept the decryption request, the partial decryption information generation units 52 _{1 to} 52 _n generate and transmit a request for the ciphertext C specifying the public information (g, N, θ, H1) specified in the decryption request. Input to the sections 53 _{1 to} 53 _n . The transmission units 53 _{1 to} 53 _n transmit the ciphertext C request to the ciphertext management server 40. The partial decryption information generation units 52 _{1 to} 52 _n may reject the decryption request.

The reception unit 41 of the ciphertext management server 40 receives requests for the ciphertext C from the decryption servers 50 ₁ to 50 _n and inputs them to the ciphertext management unit 42. The ciphertext management unit 42 acquires the ciphertext C corresponding to the specified public information (g, N, θ, H1) from the ciphertext database 43 and associates it with the public information (g, N, θ, H1). To the transmitter 44. The transmission unit 44 transmits the ciphertext C associated with the public information (g, N, θ, H1) to the decryption servers 50 ₁ to 50 _{n as shown} in FIG.

The receiving units 51 _{1 to} 51 _n of the decryption servers 50 ₁ to 50 _n receive the ciphertext C and input it to the partial decryption information generation units 52 _{1 to} 52 _n . Partial decoding information generation unit 52 ₁ to 52 _n, respectively, using the distributed key s ₁ ~s _n ciphertext C received by calculating the ^{_{σ i ≡u 2 Δ Si modN 2}} , part a ciphertext C The partial decoding information [sigma] _1- [sigma] _n is generated. Partial decoding information generation unit 52 ₁ to 52 _n, the public information that is specified in the decryption request (g, N, θ, H1 ) using the distributed key s ₁ ~s _n corresponding to.

For example, in the case of the decryption server 50i, using the ciphertext C and the distributed key s _i ,
σ _i = u ² Δ ^Si mod N ²
To generate partial decoding information σ _i .
The partial decoding information generation unit 52 inputs the generated partial decoding information σ _{1 to} σ _n to the transmission units 53 _{1 to} 53 _n . Each of the transmission units 53 _{1 to} 53 _n transmits partial decoding information σ _{1 to} σ _n to the restoration terminal 20 as illustrated in FIG. Note that it is not necessary for all the decryption servers 50 ₁ to 50 _n to generate and transmit the partial decryption information σ _{1 to} σ _n , and at least t partial decryptions necessary in the (t, n) threshold encryption method. Information σ may be generated and transmitted to the restoration terminal 20.

Receiving unit 21 of the recovery device 20 receives a plurality of partial decoding information σ ₁ ~σ _n from a plurality of decryption servers 50 ₁ to 50 _n. The receiving unit 21 inputs the received pieces of partial decryption information σ _{1 to} σ _n to the plaintext restoration unit 22. In this way, the receiving unit 21 functions as a decoding information receiving unit that receives a plurality of pieces of partial decoding information σ from a plurality of decoding devices. Incidentally, the receiving unit 21 does not need to receive all the partial decryption information σ ₁ ~σ _n from all of the decoding server 50 ₁ to 50 _n, t pieces required in the least (t, n) threshold cryptosystem Of the partial decoding information σ.

The plaintext restoration unit 22 restores the plaintext m from u, which is a part of the ciphertext C, using the plurality of pieces of partial decryption information σ _{1 to} σ _n . The plaintext restoration unit 22 first determines whether or not the partial decryption information σ has been correctly decrypted. The plaintext restoration unit 22 calculates the logarithm of the square “σ ² ” of the partial decryption information with u as a part of the ciphertext C to the ^4th power “u ⁴ Δ” and Q _N2 (N2 means N ²⁾ . It is determined whether the logarithms of the verification keys vk with the Δ power “νΔ” of the generation source of the subgroups of Eq. The plaintext restoration unit 22 determines that the partial decryption information σ is correctly decrypted when the logarithm is equal, and determines that the partial decryption information σ is not correctly decrypted when the logarithm is different.

Plaintext restoring unit 22, a plurality of partial decryption information σ ₁ ~σ _n, determination is performed using each verification key vk ₁ ~vk _n. In order to determine whether the logarithms are equal, a general method, for example, the document “FPS00: P.-A. Fouque, G. Poupard and J. Stern,“ Sharing Decryption in the Context of Voting or Lotteries ”, Financial Cryptography 2000 Lecture Notes in Computer Science, pp. 90-104, 2000 ”can be used.

The plaintext restoration unit 22 first calculates part of the information on the random number r used for encrypting the plaintext m, using the partial decryption information σ _{1 to} σ _n determined to be correctly decrypted. Incidentally, the plaintext restoring unit 22 does not need to use all of the partial decryption information σ ₁ ~σ _n from all of the decoding server 50 ₁ to 50 _n, t pieces required in the (t, n) threshold cryptosystem Are selected and used.
The plaintext restoration unit 22 first calculates the above-described equation (3). The plaintext restoration unit 22 is similar to the document “Sho00: victor Shoup,“ Practical Threshold Signatures ”, EUROCRYPT, Lecture Notes in Computer Science, pp.207-220, 2000” under the condition shown in the equation (4) (3 ).

In Expressions (3) and (4), “S” represents a set of numbers of the decryption servers 50 ₁ to 50 _n that have accepted the decryption request from the restoration terminal 20. That is, for example, when the decryption server assigned the numbers 1, 2, and 5 accepts the decryption request, S = {1, 2, 5} is described. However, the number of numbers included in the set S is limited to the number t that requires the partial decryption information σ in the (t, n) threshold encryption method. Further, “λ” in the equations (3) and (4) is an interpolation coefficient. “Λ” is used to calculate f (0) = a ₀ in equation (4), and has the relationship shown in equation (8).

“Π _j ∈ _{S / [i]} (i−j)” represents the product of all the numbers included in the set S except for i and subtracted from i. Similarly, “Π _j ∈ _{S / [i]} (−j)” indicates a product of values obtained by reversing the sign of all the numbers excluding i among the numbers included in the set S.
Next, the plaintext restoration unit 22 restores the plaintext m from the ciphertext C using at least a part of the calculated random number r. Specifically, the plaintext restoration unit 22 conceals the random number r as g ^r with respect to g that is not a composite number based on the composite number, and uses the at least part of the random number r to convert the plain text m into a plain text m. The rmod is calculated based on an equation used for encryption, for example, the above equation (3), and the calculated rmod and the received ciphertext C are substituted into the equation (1) to restore the plaintext m. As described above, restore the terminal 20, based on the plurality of partial decryption information σ ₁ ~σ _n received from the decoding server 50 ₁ to 50 _n, can restore the plaintext m is a secret information.

  If the plaintext restoration unit 22 determines that the partial decryption information σ is not correctly decrypted, the plaintext restoration unit 22 generates a partial decryption information rejection notification to the decryption server that transmitted the partial decryption information σ, and sends it to the transmission unit 23. input. The transmission unit 23 transmits a rejection notice to the decryption server, and ends the process. Alternatively, the plaintext restoration unit 22 restores the secret information based on other valid partial decryption information.

[Modifications to enhance safety]
By the way, in the communication system described above, the following processing, which is different from the above, is performed in the key generation by the key generation unit 31, the encryption by the encryption terminal 10, and the decryption by the restoration terminal 20. Can have sex.
(1) In key generation by the key generation unit 31, the following matters are different.
The key generation unit 31 generates public information (g, g ₂ , N, M, θ, H1, H2). First, four large Λ / 2-bit strong prime numbers p, p ₂ , q, q ₂ are used to create a composite number N = pq, M = p ₂ q ₂ , and p, p ₂ , q, q ₂ are N and M are disclosed as public information while keeping them secret. Here, L = p′q ′ and L ₂ = p ₂ 'q ₂ ′ are also calculated and kept secret. Note that N> M. The same can be done when N <M.

Also, g = (1 + aN) b ^N modM based on a∈Z _N and b∈Z ^* _N , and g ₂ = (1 + a ₂ M) based on a ₂ ∈Z _M and b ₂ ∈Z ^* _M. b ₂ ^M mod ^{M 2} is determined, and g and g ₂ are disclosed. Further, the value beta, the beta ₂ ∈ Z ^* _N randomly selected, θ = aLβmodN, advance to calculate the _{θ 2 = a 2 L 2 β} 2 modM. Also, hash functions H1: Z _N → {0,1} μ and H2: {0,1} μ × Z _N ² × Z _N ² × Z _M ² × Z _M ² → {0, 1} ^{B is} also released. Here, in addition to a single distributed key to be passed to the decryption servers 50 ₁ to 50 _n , a method of passing two each is also conceivable. In this case, the key generation unit 31 also distributes the secret information L ₂ β _{2 into a} plurality using the method proposed by Shamir.

Specifically, the key generation unit 31 selects b _i ∈ _U {0, 1,..., L ₂ M−1}, (i = 1, 2,..., T−1) as a random number. Furthermore, a distributed key t _i is generated by defining as b ₀ = L ₂ β ₂ . In this case, the key generation unit 31 generates a plurality of distributed keys t _{1 to} t _n by calculating Expression (6) ′ shown below. The key generation unit 31 generates a distributed key t _i by calculating t _i = f ₂ (i) mod L ₂ M using equation (6) ′.

The key generation unit 31 also inputs the generated plurality of distributed keys t _{1 to} t _n to the transmission unit 33.
Further, the key generation unit 31 generates a plurality of verification keys wk used for determining whether or not the partial decryption information σ'≡u ^'2 Δ ^ti modM ² was decoded correctly the ciphertext C partially . Key generating unit 31 generates the distributed key t ₁ ~t _n same number of n verification key wk ₁ ~wk _n. Key generating unit 31 generates a verification key wk ₁ ~wk _n by calculating equation (7) 'shown below.

In Expression (7) ′, ν ₂ is a generator of a subgroup of Q _M2 (M2 means M ² ).
(2) The following matters are different in the encryption by the encryption terminal 10.
Instead of the formula (1) and the formula (2), the following formula (9) is used. However, sεZ _N4 (N4 means N ⁴ ).

(3) The following matters are different in decoding.
Before decrypting the ciphertext, the ciphertext is verified in at least one of the restoration terminal 20, the ciphertext management server 40, and the decryption servers 50 ₁ to 50 _n . In this case, it is desirable to verify the ciphertext at least at the restoration terminal 20.
Here, in the case of the method of passing two distributed keys to be passed to the decryption servers 50 ₁ to 50 _n , partial decryption and combination performed on u are also performed on u ′ in the same manner, and it is confirmed whether the restoration results are both r. . If it is not the same, it is recognized as an illegal ciphertext.
However, as long as each decryption server communicates and is convinced, either u or u ′ may be decrypted to obtain r.
As described above, before the decryption is performed, at least the restoration terminal 20 verifies the ciphertext, thereby providing security against the selected ciphertext attack.

〔Communication method〕
Next, with reference to FIG. 3, the procedure of the communication method performed using the communication system 100 is demonstrated. First, the key generation server 30, public information (g, N, θ, H1 ), a plurality of distributed key s ₁ ~s _n, generates a plurality of verification keys vk ₁ ~vk _n (S101). The key generation server 30 transmits the public information (g, N, θ, H1) to the restoration terminal 20, the decryption servers 50 ₁ to 50 _n , the ciphertext management server 40, and the encryption terminal 10 (S102 to S105). Key generating server 30 transmits a plurality of distributed key s ₁ ~s _n to the decoding server 50 ₁ ~50 _n (S106). Key generating server 30 transmits at least restore the terminal 2,0 vk ₁ ~vk _n, v a (S107).

The encryption terminal 10 uses, for example, Equation (2), conceals the random number r as g ^{r from} g that is not a composite number based on the composite number, and uses Equation (1) to generate a random number. The plaintext m is encrypted using at least a part of r to generate a ciphertext C (S108). The encryption terminal 10 transmits the generated ciphertext C to the ciphertext management server 40 (S109). The ciphertext management server 40 stores the received ciphertext C in the ciphertext database 43 (S110).

The restoration terminal 20 requests the ciphertext C from the ciphertext management server 40 (S111). In response to the request from the restoration terminal 20, the ciphertext management server 40 transmits the ciphertext C stored in the ciphertext database 43 to the restoration terminal 20 (S112).
The restoration terminal 20 transmits a decryption request to the decryption servers 50 ₁ to 50 _n (S113). The decryption servers 50 ₁ to 50 _n request the ciphertext C from the ciphertext management server 40 (S114).

The ciphertext management server 40 transmits the ciphertext C stored in the ciphertext database 43 to the decryption servers 50 ₁ to 50 _n in response to requests from the decryption servers 50 ₁ to 50 _n (S115).
Decoding server 50 ₁ to 50 _n, respectively, using the ciphertext C and the distributed key s ₁ ~s _n, by calculating the ^{_{σ i ≡u 2 Δ Si modN 2}} , the partial decoding information σ ₁ ~σ _n Generate (S116). Each of the decryption servers 50 ₁ to 50 _n transmits the generated partial decryption information σ _{1 to} σ _n to the restoration terminal 20 (S117).

Restoring terminal 20, whether or not the received partial decryption information σ ₁ ~σ _n is decoded correctly, it determines by using the verification key vk ₁ ~vk _n (S118). When it is determined that the partial decoding information σ _{1 to} σ _n has been correctly decoded, the restoration terminal 20 calculates at least part of the random number r using the partial decoding information σ _{1 to} σ _n . Then, restore terminal 20, a ciphertext C which has received at least a portion of the information of the calculated random number r, the random number r with respect to disjoint g the composite number in Moto to composite numbers modulo g ^r The plaintext m is restored by substituting it into the equation used when encrypting the plaintext m using at least a part of the random number r (S119). In this way, the plaintext m that is secret information can be managed between the encryption terminal 10 and the plurality of decryption servers 50 ₁ to 50 _n . Instead of steps (S103) and (S115), public information (g, N, θ, H1) and ciphertext C may be transmitted from the restoration terminal 20 to the decryption servers 50 ₁ to 50 _n .

In the case of the above-described modified example for enhancing security, the ciphertext is verified in at least one of the steps S110, S116, and S118. In this case, it is desirable to verify the ciphertext at least in step S116 performed by the decryption servers 50 ₁ to 50 _n . As described above, it is possible to provide security against the selected ciphertext attack by performing ciphertext verification at least at the restoration terminal before performing decryption.

〔effect〕
According to the communication system 100, the encryption terminal 10, the restoration terminal 20, the key generation server 30, the ciphertext management server 40, the plurality of decryption servers 50 ₁ to 50 _n and the communication method according to the present embodiment, the composite number is modulo. based a hidden random number r with respect to disjoint g the composite number as g ^r, a method for encrypting a plaintext m can be applied to the threshold cryptosystem using at least a portion of the random number r. For this reason, in order to ensure safety, the amount of calculation is increased, or in contrast to the conventional threshold encryption method in which only one bit can be encrypted, the communication system 100 uses a plurality of bits of plaintext m as g ^r Can be calculated and encrypted with H1 (rmodN) to ensure safety.

In the above encryption process, u = g ^r modN ² and H1 (rmodN) are calculated in advance, and only c = H1 (rmodN) * m needs to be calculated when encrypting. It can be seen that the amount of calculation can be reduced. In other words, according to the communication system 100, the pre-calculation is partially performed, so that a threshold encryption method with high processing efficiency can be realized.

  In particular, even when the encryption terminal 10 and the restoration terminal 20 are devices that are difficult to mount a high-speed CPU, such as a mobile communication terminal that places importance on portability, the threshold encryption of the present invention with a small amount of calculation Any method can be used. Furthermore, in the modified example for enhancing security, it is not necessary to have two distributed keys in one decryption server, as is often the case with prime factorization type threshold encryption. Even if the storage capacity is small because the number is reduced, the threshold encryption method of the present invention is applicable. As described above, the threshold encryption method according to the present invention is an encryption device, a decryption device, a restoration device having a low calculation capability, or an encryption device or a decryption device having a low storage capacity even when safety is improved. The restoration apparatus can also be used, and encryption and decryption can be performed efficiently.

In addition, when the above-described modified example for enhancing security is adopted, data for performing ciphertext verification can be almost pre-calculated. An encryption method can be realized.
Further, for example, in order to obtain m from the property of the hash function by encrypting m as H1 (rmodN) * m, it is necessary to uniquely determine rmodN. For this reason, if this embodiment is adopted, it is possible to secure a security against a decision problem or to protect against a selected ciphertext attack, and it is possible to realize a threshold encryption method with added security.

By the way, the communication system 100 of this embodiment can be variously changed. For example, the encryption terminal 10, a part of the decryption servers 50 ₁ to 50 _n , or the restoration terminal 20 may include a part or all of the functions of the key generation server 30 and function as a key generation apparatus. In addition, an apparatus having at least two functions among all or a part of the functions of the encryption terminal 10, the restoration terminal 20, the key generation server 30, the ciphertext management server 40, and the decryption servers 50 ₁ to 50 _n. The communication system 100 may be provided. Note that the communication system 100 may include a plurality of ciphertext management servers 40 and encryption terminals 10.

  In the above embodiment, public information (g, N, θ, H1) is used as identification data for identifying the ciphertext C. However, data other than public information can be used as identification data. The key generation server 30 may omit the transmission of the public information (g, N, θ, H1) to the ciphertext management server 40. In this case, the ciphertext management server 40 uses the ciphertext C other than public information (g, N, θ, H1) as identification data for associating the ciphertext C request with the ciphertext C. The identification data is given to the restoration terminal 20 and the ciphertext C is stored in the ciphertext database 43 in association with the identification data.

Alternatively, the key generation server 30 does not transmit the public information (g, N, θ, H1) to the encryption terminal 10, the restoration terminal 20, the ciphertext management server 40, and the decryption servers 50 ₁ to 50 _n. These devices may be freely browsed and acquired. Also, the encryption device 10, restoring the terminal 20, the ciphertext management server 40, the decoding server 50 ₁ to 50 _n and the like, previously published information (g, N, θ, H1 ) and distributed key s ₁ ~s _n, verification key by keeping vk ₁ ~vk _n like, it may be omitted key generation server 30.
Further, when the decryption servers 50 ₁ to 50 _n can be completely trusted, the verification key may not be used. In this case, the restoration terminal 20 does not determine whether or not the partial decoding information σ is correct, so that the processing can be performed at higher speed and the efficiency can be improved.

(Second Embodiment)
〔Communications system〕
As shown in FIG. 4, the public key communication system 200 includes an encryption terminal 10, a restoration terminal 20, a key generation server 30, a ciphertext management server 40, and a network 60. The encryption terminal 10, the restoration terminal 20, the key generation server 30, and the ciphertext management server 40 transmit and receive information via the network 60.
The key generation server 30 is a key generation device that generates public information (g, N, H1) used for encryption of μ-bit plaintext m and a secret key used for decryption of the ciphertext C. The key generation server 30 includes a key generation unit 31, a key database 32, and a transmission unit 33. The key generation unit 31 generates public information (g, N, H1) and a secret key for it.

  The key database 32 stores public information (g, N, H1). The transmission unit 33 transmits the public information (g, N, H1) generated by the key generation unit 31 to the encryption terminal 10, the restoration terminal 20, and the ciphertext management server 40. In addition, the transmission unit 33 transmits the secret key 2L to the restoration terminal 20. Such a key generation server 30 can be realized by executing a program for causing a computer to function as the key generation unit 31, the key database 32, and the transmission unit 33.

The encryption terminal 10 is an encryption device that encrypts plaintext m and generates ciphertext C. The encryption terminal 10 includes a reception unit 11, a ciphertext generation unit 12, a transmission unit 13, an input unit 14, and a storage unit 15.
The receiving unit 11 receives public information (g, N, H1) from the key generation server 30. The storage unit 15 stores H1 (rmodN) and u = g ^r modN ² calculated in advance by the ciphertext generation unit 12. The receiving unit 11 may receive the plaintext m and input it to the ciphertext generation unit 12.

The input unit 14 acquires the plaintext m input from the outside and inputs it to the ciphertext generation unit 12. The ciphertext generation unit 12 encrypts the plaintext m using H1 (rmodN) and u = g ^r modN ² that are pre-calculated and stored in the storage unit 15. When generating the ciphertext C, the ciphertext generating unit 12 hides the random number r as g ^{r from} g that is not a composite number based on the composite number, and at least part of the random number r is hidden. Use to encrypt plaintext m. The ciphertext generation unit 12 acquires the plaintext m from the input unit 14 and the reception unit 11. The ciphertext generation unit 12 preferably generates the ciphertext C (c, u) by encrypting the plaintext m by calculating the above-described equations (1) and (2).
c = H1 (rmodN) * m (1)
u = g ^r modN ² (2)
The hash function H1 is Z _N → {0, 1} μ. The above “*” indicates an exclusive OR.

  The transmission unit 13 transmits the ciphertext C generated by the ciphertext generation unit 12 to the ciphertext management server 40. As will be described later, the storage unit 15 temporarily stores a result of partial precalculation when encrypting. In such an encryption terminal 10, the computer executes a program for causing the computer to function as the reception unit 11, the ciphertext generation unit 12, the transmission unit 13, the input unit 14, and the storage unit 15. Can be realized.

  The ciphertext management server 40 is a ciphertext management apparatus that receives the ciphertext C from the encryption terminal 10 and provides the ciphertext C to each device. The ciphertext management server 40 includes a reception unit 41, a ciphertext management unit 42, a ciphertext database 43, and a transmission unit 44. The receiving unit 41 receives the ciphertext C from the encryption terminal 10. The receiving unit 41 receives a request for the ciphertext C from the restoration terminal 20. Further, the receiving unit 41 receives public information (g, N, H1) from the key generation server 30.

The ciphertext database 43 stores the ciphertext C. The transmission unit 44 transmits the ciphertext C to the restoration terminal 20. Such a ciphertext management server 40 can be realized by the computer executing a program for causing the computer to function as the reception unit 41, the ciphertext management unit 42, the ciphertext database 43, and the transmission unit 44. .
The restoration terminal 20 performs a decoding process using the following equation.
u ^2L modN ² = (1 + 2raLN)
It is. Then, plaintext m is obtained by rmodN and equations (1) and (2).

The restoration terminal 20 is a restoration device that restores the plaintext m from the ciphertext C. The restoration terminal 20 includes a reception unit 21, a plaintext restoration unit 22, a transmission unit 23, and an output unit 24.
The receiving unit 21 receives the secret key 2L from the key generation server 30. The receiving unit 21 receives the ciphertext C from the ciphertext management server 40. Further, the receiving unit 21 receives public information (g, N, H1) from the key generation server 30.

  The plaintext restoration unit 22 restores the plaintext m from the ciphertext C using the secret key 2L. The plaintext restoration unit 22 outputs the restored plaintext m to the output unit 24. The transmission unit 23 transmits a ciphertext C request and a decryption request. Such a restoration terminal 20 can be realized by the computer executing a program for causing the computer to function as the reception unit 21, the plaintext restoration unit 22, the transmission unit 23, and the output unit 24.

Next, a process performed by the public key communication system 200 in encryption and restoration of plaintext m will be described in detail with reference to FIGS. 4 and 5. In the public key communication system 200, decryption is performed by a public key cryptosystem.
A cipher in which the public key communication system 200 conceals a random number r as g ^r with respect to g that is not a composite number based on the composite number, and encrypts plaintext m using at least a part of the random number r. The case where the method is used will be described. In this example, the key generation unit 31 of the key generation server 30 first selects two large Λ / 2-bit strong primes p and q, and creates public information (g, N, H1). Further, the prime number p and the prime number q are stored, and the secret key 2L is generated. Further, the key generation unit 31 of the key generation server 30 generates the composite number N = pq. The strong prime numbers p and q mean that p ′ is a prime number at p = 2p ′ + 1 and q ′ is a prime number at q = 2q ′ + 1.

The key generation unit 31 configures L = p′q ′ from the prime numbers p ′ and q ′, and generates a secret key 2L corresponding to the public information (g, N, H1).
The key generation unit 31 inputs the generated plurality of secret keys 2L to the transmission unit 33.
As illustrated in FIG. 5, the transmission unit 33 transmits only the public information (g, N, H1) corresponding to the restoration terminal 20 while keeping the prime numbers p and q secret, the encryption terminal 10, the ciphertext management server 40, It transmits to the restoration terminal 20. The reception unit 11 of the encryption terminal 10 receives the public information (g, N, H1) from the key generation server 30 and inputs it to the ciphertext generation unit 12. The receiving unit 41 of the ciphertext management server 40 receives the public information (g, N, H1) from the key generation server 30 and inputs it to the ciphertext management unit 42.

Further, the transmission unit 33 transmits the secret key 2L to the restoration terminal 20.
The ciphertext generation unit 12 of the encryption terminal 10 performs encryption using the public information (g, N, H1) received from the key generation server 30. Specifically, the ciphertext generation unit 12 conceals the random number r as g ^r modN ² from the value g, and generates the ciphertext C based on the plaintext m using at least part of the information of r. For example, the ciphertext generation unit 12 encrypts the plaintext m and generates the ciphertext C by calculating the above formula (1) and the above formula (2). The plain text m is information that the encryption terminal 10 wants to encrypt and keep secret. The plaintext m in the present embodiment is information that the encryption terminal 10 wants to encrypt by preventing the plaintext m from being decrypted from the ciphertext C unless the secret key 2L is used.

The ciphertext generation unit 12 selects the random number r from Z _N2 . The ciphertext generation unit 12 inputs the generated ciphertext C to the transmission unit 13. The transmission unit 13 transmits the ciphertext C to the ciphertext management server 40 as illustrated in FIG.
The receiving unit 41 of the ciphertext management server 40 receives the ciphertext C from the encryption terminal 10 as shown in FIG. The receiving unit 41 inputs the received ciphertext C to the ciphertext management unit 42. The ciphertext management unit 42 stores the ciphertext C in the ciphertext database 43 in association with the public information (g, N, H1) received from the key generation server 30.

Thereafter, the plaintext restoration unit 22 of the restoration terminal 20 generates a request for the ciphertext C created based on the public information (g, N, H1), and inputs the request to the transmission unit 23. The transmission unit 23 transmits a request for the ciphertext C to the ciphertext management server 40. The receiving unit 41 of the ciphertext management server 40 receives the ciphertext C request from the restoration terminal 20 at the receiving unit 41, and the ciphertext management unit 42 receives the public information (g, N) specified in the ciphertext C request. , H1) is obtained from the ciphertext database 43 and input to the transmission unit 44 in association with the public information (g, N, H1). The transmission unit 44 transmits the ciphertext C associated with the public information (g, N, H1) to the restoration terminal 20 as illustrated in FIG . Thus, the public information (g, N, H1) can be used as identification data for identifying the ciphertext C.

The transmission unit 33 transmits the secret key 2L. The private key 2L transmitted from the transmission unit 33 of the key generation server 30 is received by the reception unit 21 of the restoration terminal 20.
The receiving unit 21 of the restoration terminal 20 inputs the received secret key 2L to the plaintext restoration unit 22. In this way, the receiving unit 21 functions as a decryption information receiving unit that receives the secret key 2L from the key generation server 30.
The plaintext restoration unit 22 restores the plaintext m from u, which is a part of the ciphertext C, using the secret key 2L. In this case, the plaintext restoration unit 22
u ^2L = (1 + 2raLN) modN ²
RmodN is calculated from
c = H1 (rmodN) * m
Thus, plaintext m is obtained.

[Modifications to enhance safety]
By the way, in the communication system described above, the following processing, which is different from the above, is performed in the key generation by the key generation unit 31, the encryption by the encryption terminal 10, and the decryption by the restoration terminal 20. Can have sex.
(1) In key generation by the key generation unit 31, the following matters are different.
The key generation unit 31 generates public information (g, g ₂ , N, M, H1, H2). First, four large Λ / 2-bit strong prime numbers p, p ₂ , q, q ₂ are used to create a composite number N = pq, M = p ₂ q ₂ , and p, p ₂ , q, q ₂ are N and M are disclosed as public information while keeping them secret. Here, L = p′q ′ and L ₂ = p ₂ 'q ₂ ′ are also calculated and kept secret. Note that N> M.

Also, g = (1 + aN) b ^N modM based on a∈Z _N and b∈Z ^* _N , and g ₂ = (1 + a ₂ M) based on a ₂ ∈Z _M and b ₂ ∈Z ^* _M. b ₂ ^M mod ^{M 2} is determined, and g and g ₂ are disclosed. Also, hash functions H1: Z _N → {0,1} μ and H2: {0,1} μ × Z _N ² × Z _N ² × Z _M ² × Z _M ² → {0, 1} ^{B is} also released. Here, in addition to using one secret key for the restoration terminal 20, a method of using two is also conceivable. In this case, the restoration terminal 20 performs a decoding process using the following equation.
^{u '2L2 modM 2 = (1} + 2ra 2 L 2 M)
(2) The following matters are different in the encryption by the encryption terminal 10.
Instead of the formulas (1) and (2), the above formula (9) is used.

(3) The following matters are different in decoding.
Before decrypting the ciphertext, the ciphertext is verified at at least one location of the restoration terminal 20 and the ciphertext management server 40. In this case, it is desirable to verify the ciphertext at least at the restoration terminal 20.
Here, in the case of the method having two secret keys possessed by the restoration terminal 20, partial decryption performed on u is similarly performed on u ', and it is confirmed whether both restoration results are r. If it is not the same, it is recognized as an illegal ciphertext. Even when there are two keys, it is possible to restore only one of u and u ′ in order to shorten the calculation time.
As described above, before the decryption is performed, at least the restoration terminal 20 verifies the ciphertext, thereby providing security against the selected ciphertext attack.

〔Communication method〕
Next, referring to FIG. 6, the procedure of the communication method using the public key communication system 200. First, the key generation server 30 generates public information (g, N, H1) and a secret key 2L (S201). The key generation server 30 transmits the public information (g, N, H1) to the restoration terminal 20, the ciphertext management server 40, and the encryption terminal 10 (S202, S204, S205). The key generation server 30 transmits the secret key to the restoration terminal 20 (S207).

The encryption terminal 10 uses, for example, Equation (1) and Equation (2), and conceals the random number r as g ^{r from} g that is not the composite number based on the composite number, and the random number r The plaintext m is encrypted using at least a part to generate a ciphertext C (S208). The encryption terminal 10 transmits the generated ciphertext C to the ciphertext management server 40 (S209). The ciphertext management server 40 stores the received ciphertext C in the ciphertext database 43 (S210).

The restoration terminal 20 requests the ciphertext C from the ciphertext management server 40 (S211). In response to the request from the restoration terminal 20, the ciphertext management server 40 transmits the ciphertext C stored in the ciphertext database 43 to the restoration terminal 20 (S212).
The restoration terminal 20 calculates a random number r mod N using the secret key 2L. Then, restore terminal 20, a ciphertext C which has received, hiding the calculated random number RMOD N, the random number r with respect to disjoint g the composite number in Moto to composite numbers modulo a g ^r, the random number r The plaintext m is restored by substituting it into the expression used when encrypting the plaintext m using at least a part of the plaintext m (S219).

  In the case of the above-described modified example for enhancing security, the ciphertext is verified in step S210 described above or before the processing in step S219. In this case, it is desirable to verify the ciphertext at least before the process of step S219 performed by the restoration terminal 20. As described above, it is possible to provide security against the selected ciphertext attack by performing ciphertext verification at least at the restoration terminal before performing decryption.

〔effect〕
According to the public key communication system 200, the encryption terminal 10, the restoration terminal 20, the key generation server 30, the ciphertext management server 40, and the communication method of this embodiment, the composite number is a prime number based on the composite number. hide random number r as a g ^r with respect to a g, a method of encrypting a plaintext m using at least a part of the random number r can be applied to the threshold cryptosystem. For this reason, the public key communication system 200 uses a composite number as a modulo in contrast to the conventional threshold encryption method in which only one bit is encrypted in order to ensure safety. a random number r with respect to disjoint g the composite number hidden as g ^r, at least a portion of the random number r plaintext m multibit can ensure safety since the encryption used with.

In the above encryption process, u = g ^r modN ² and H1 (rmodN) are calculated in advance, and only c = H1 (rmodN) * m needs to be calculated when encrypting. It can be seen that the amount of calculation can be reduced. In other words, according to the public key communication system 200, pre-computation is partially performed, so that a public key cryptosystem with high processing efficiency can be realized. In addition, when the above-described modified example for enhancing security is adopted, data for performing ciphertext verification can be almost pre-computed. A scheme can be realized.

Further, for example, in order to obtain m from the property of the hash function by encrypting m as H1 (rmodN) * m, it is necessary to uniquely determine rmodN. For this reason, if this embodiment is adopted, security can be secured against a decision problem or against a selected ciphertext attack, and a public key value encryption scheme with security can be realized.
In particular, even in the case where the encryption terminal 10 is a device that is difficult to mount a high-speed CPU, such as a mobile communication terminal that places importance on portability, the encryption terminal 10 is of the threshold encryption method of the present invention with a small amount of calculation. Is available. As described above, the public key cryptosystem of the present invention can be used even in an encryption apparatus having a low calculation capability, and can be efficiently encrypted.

  By the way, the public key communication system 200 of the present embodiment can be variously changed. For example, the restoration terminal 20 or the ciphertext management server 40 may include a part or all of the functions of the key generation server 30 and function as a key generation device. In this case, it is desirable that the restoration terminal 20 has all the functions of the key generation server 30. In addition, the public key communication system 200 includes a device having at least two functions among all or some of the functions of the encryption terminal 10, the restoration terminal 20, the key generation server 30, and the ciphertext management server 40. Also good. The public key communication system 200 may include a plurality of encryption terminals 10 and ciphertext management servers 40.

In the above embodiment, public information (g, N, H1) is used as identification data for identifying the ciphertext C, but data other than public information can be used as identification data. The key generation server 30 may omit the transmission of the public information (g, N, H1) to the ciphertext management server 40. In this case, the ciphertext management server 40 gives the ciphertext C something other than the public information (g, N, H1) as identification data for associating the ciphertext C request with the ciphertext C. Then, the identification data is given to the restoration terminal 20, and the ciphertext C is stored in the ciphertext database 43 in association with the identification data.
Alternatively, the key generation server 30 can freely browse and acquire the public information (g, N, H1) without transmitting the public information (g, N, H1) to the encryption terminal 10, the restoration terminal 20, and the ciphertext management server 40. You may do it.

(Summary)
The first embodiment and the second embodiment described above both have a feature that encryption can be performed at high speed by performing pre-calculation, and there are few problems when generating prime numbers because of the prime factorization type.
Further, in the first embodiment, the safety is shown only under the selected plaintext attack, but there is an advantage that the safety can be shown under a relatively weak assumption that is a decision problem. The second embodiment has an advantage that security under a selected ciphertext attack is shown.

  The present invention can be used to construct a communication system that employs a safe and efficient threshold encryption method and public key encryption method.

It is a figure which shows the structure of the communication system which concerns on 1st Embodiment of this invention. It is a figure which shows the flow of the information which concerns on 1st Embodiment of this invention. It is a flowchart which shows the procedure of the communication method which concerns on 1st Embodiment of this invention. It is a figure which shows the structure of the communication system which concerns on 2nd Embodiment of this invention. It is a figure which shows the flow of the information which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the communication method which concerns on 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Encryption terminal 11 Reception part 12 Ciphertext generation part 13 Transmission part 14 Input part 15 Storage part 20 Restoration terminal 21 Reception part 22 Plaintext restoration part 23 Transmission part 24 Output part 30 Key generation server 31 Key generation part 32 Key database 33 Transmission Unit 40 ciphertext management server 41 reception unit 42 ciphertext management unit 43 ciphertext database 44 transmission unit 50 _i decryption server 60 network 100 communication system 200 public key communication system 51 _i reception unit 52 _i partial decryption information generation unit 53 _i transmission unit

Claims (20)

The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, the g ^r and dispersed and held in a plurality of apparatuses, plain text m by the plurality of devices to cooperate by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the ciphertext using the distributed key that can decrypt the said at least part of the random number r RmodN is calculated and calculated for the random number r Ru can decrypt the plaintext m using the rmodN is at least partially, the ciphertext C = the plaintext m by encryption scheme using equation (9) (c, u, w, e, f) the cryptographic in case of reduction (equation (9), H1, H2 is a hash function, N is the composite number (N = pq, p and q are prime numbers), M is a composite number _{(M = p 2 q 2,} p 2 and q ₂ prime), e, f, w and w 'is w × ^u e = g , Verification data for verifying the validity of the ciphertext by confirming that ^{w '× u' e = g} 2 f is satisfied, s is a value selected during the encryption, * exclusive logical OR), the number of the synthesis by Moto ^{modulo, u = g r modN 2,} w, u '= g 2 r modM 2 (g 2 of the formula (9) for the encryption ∈ Z ^* M2 ( A set of values that are relatively prime to M ² among the elements of Z _M ² , _M ² is M ² ) ), an encryption device that performs pre-calculation on the parts w ′ and H1 (rmodN),
Wherein said rmodN is at least a part of the random number r from the calculated the g ^r a is the u composite numbers modulo calculated, the rmodN at least a portion of the calculated the random number r used for encryption a key generating unit for generating the distributed key to restore the plaintext m by substituting the equation (9),
The ciphertext the encrypted device by encrypting the plaintext m C = (c, u, w, e, f) for, performs partial decoding process to obtain a partial decoding information by decoding using the distributed key A partial decoding device that generates partial decoding information that is information obtained by
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r, when encrypting the plaintext m by substituting the equation (9) used, the ciphertext C = said encryption device has generated (c, u, w, e, f) and restoring device for restoring said plaintext m from
The distributed key is transmitted from the key generation device to the partial decryption device,
The ciphertext C = (c, u, w, e, f) generated in the encryption device is transmitted to the partial decryption device,
The partial decoding information generated in the partial decoding device is transmitted to the restoration device;
By restoring the plaintext m using the random number r calculated by calculating the rmodN that is at least a part of the random number r using the partial decryption information in the restoration device,
A communication system , wherein encrypted communication of the plaintext m is performed between the encryption device and the restoration device .

A partial decryption information σ encryption device used for threshold encryption scheme that can restore the plaintext m using the g ^r a composite number modulo to with the composite number of disjoint g and the random number r from each other generated, wherein g ciphertext using ^r and with said distributed key C = (c, u, w , e, f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the said random number the rmodN calculates at least part of the r, Ru can decrypt the plaintext m using the rmodN at least a portion of the calculated the random number r, the formula (9) with the plaintext m by ciphers To encrypt the ciphertext C = (c, u, w, e, f) (in equation (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q) the prime), M is a composite number _{(M = p 2 q 2,} p 2 and q ₂ are Number), e, f, w and w 'is ^{w × u e = g f,} w' verification to confirm the validity of the ciphertext by confirming that the × u ^'e = _g ^{2 f} is satisfied use data, s is a value selected during the encryption, * exclusive OR), in Moto modulo said number of synthetic, u = g ^r modN ² of formula (9) for encryption , W, u ′ = g ₂ ^r mod M ² (g ₂ is ∈Z ^* M 2 ( set of values that are relatively prime to M ² among elements of Z _M ² , M ² is M ² )) , w ′, H 1 (rmodN a ciphertext generating means for performing a pre-calculated for portions of), the ciphertext C = (c generated by the ciphertext generating unit, u, w, e, f) ciphertext transmitting unit that transmits the encrypted message management server wherein the door, and storing the ciphertext in the ciphertext management server, the restoring instrumentation for the encrypted plaintext m to restore the plaintext m and the own device Encrypting device of the communication system according to claim 1, characterized in that the the like used for the communications between the.

A key for calculating said rmodN is at least a part of the random number r from the u defined by the g ^r can be calculated a composite number modulo by the composite number and disjoint g and the random number r, calculated distributed key generation to generate the distributed key dispersed keys the rmodN is at least a part can the plaintext m is restored by substituting the equation (9) used to encrypt the random number r into a plurality of keys and includes a means, a distributed key transmission means for transmitting the distributed key generated by said distributed key generation means to the partial decoding device, the ciphertext using the distributed key at said partial decoding device C = (c, u, 2. The key generation apparatus for a communication system according to claim 1, wherein partial decryption information that is information obtained by partially decrypting w, e, f) is generated.

Wherein g wherein ^r is defined by u and the encryption device encrypts the plaintext m ciphertext C = (c, u, w , e, f) for the ciphertext verification for verifying the relationship between Create public information (composite numbers N, M, g, g ₂ , hash functions H1, H2, θ (θ = aLβmodN, Lβ is secret information), generation sources ν, ν ₂ ) necessary for creating data further comprising a public information creation unit, modulo N ^2, square under M ² excess and N ^2, the subgroup disjoint integers of the set and M ² generation source [nu, the verification key with [nu ₂ The key generation apparatus according to claim 3, wherein the key generation apparatus generates the key. A key generation apparatus including a distributed key generation means for generating a distributed key , and a key generation method realized in the key generation apparatus of the communication system according to claim 1, wherein the composite number can be calculated as a modulus. g is the key to the said u defined by ^r to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r used for encryption formula ( key generation method which comprises the distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys by assigning to 9), the distributed key generation step of the distributed key generation means generates.

The key generation device according to claim 1, comprising: a distributed key generation unit that generates a distributed key; and a public information generation unit that generates public information necessary for generating ciphertext verification data . a key generation method implemented in the key generation apparatus of the communication system, to calculate the rmodN is at least a part of the random number r from the u defined by the g ^r can be calculated the number of the synthesis modulo can be, the distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys of said rmodN is at least part by substituting the equation (9) used for encrypting the calculated the random number r, a distributed key generation step of generating said distributed key generation means, the g cryptographic said u and defined by ^r encryption device encrypting said plaintext m statement C = (c, u, w , e, f ) To verify the relationship Public information (combined numbers N, M, g, g ₂ , hash functions H 1, H 2, θ (θ = aLβmodN, Lβ is secret information) necessary to create the ciphertext verification data for the generation source ν , [nu _2), wherein and a public information creating step public information creating means creates, law N ^2, square excess and N ² under the M ^2, M ² and relatively prime subgroup of integers of the set A key generation method characterized in that a verification key is generated using generation sources ν and ν ₂ of.

The portion generated in the partial decryption device by decrypting the ciphertext C = (c, u, w, e, f) using the distributed key generated by the key generation device that generates the distributed key decoding information, a restoration apparatus comprising restoring means for restoring said plaintext m using the restoration means, the rmodN is at least a part of said random number r by using the partial decoding information for decoding calculated, the rmodN at least a portion of the calculated the random number r, said by substituting the plaintext m in the formula (9) used when encrypting the cipher text C the encryption device has generated The restoration apparatus for a communication system according to claim 1, wherein the plaintext m is restored from = (c, u, w, e, f) . An encryption device that encrypts plaintext m, a key generation device that generates a distributed key that is distributed and held in a plurality of devices and can decrypt plaintext by cooperation of the devices, and the encryption device a partial decryption device that generates partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) obtained by encrypting m using the distributed key; a communication method of device that is implemented in a communication system wherein the ciphertext C = generated that (c, u, w, e , f) from including restoring device and to restore the plaintext m,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said using g ^r and said distributed key ciphertext C = (c, u, w , e, by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, using the rmodN at least a portion of the calculated the random number r wherein Ru be decrypted plaintext m, the using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) to encrypt the Te (equation (9 ), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p ₂ and q ₂ are prime numbers ), e, f , w and w 'is ^{w × u e = g f,} w' to verify that × u ^'e = _g ^{2 f} is satisfied Verification data to verify the validity of the ciphertext by, s is a value selected during the encryption, * exclusive OR), in Moto modulo said composite number, encryption set of ^{u = g r modN 2, w} , u '= g 2 r modM 2 (g 2 are disjoint value and ^{M 2} the elements of ∈ Z ^* M2 (Z _M ² of the formula (9) in order, M2 is M ² )) , w ′, H1 (rmodN) for the pre-calculation by the encryption device;
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r the distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys by substituting the equation (9) used for the encryption, the steps of the key generating apparatus generates,
The ciphertext C = said encryption device encrypting said plaintext m (c, u, w, e, f) for the partial decryption information is information obtained by decoding using the distributed key, Generating by the partial decoding device;
The rmodN is at least part of the random number r by using the partial decryption information calculated during the decoding, the rmodN at least a portion of the calculated the random number r, use in encrypting the plaintext m by substituting have the formula (9), a step wherein the ciphertext C = said encryption device has generated the (c, u, w, e, f) the plaintext m from the restoration device to restore,
The distributed key is transmitted from the key generation device to the partial decryption device,
The ciphertext C = (c, u, w, e, f) generated in the encryption device is transmitted to the partial decryption device,
The partial decoding information generated in the partial decoding device is transmitted to the restoration device;
By calculating the rmodN that is at least a part of the random number r using the partial decryption information in the restoration device, and restoring the plaintext m using the calculated rmodN,
A communication method , wherein encrypted communication of the plaintext m is performed between the encryption device and the restoration device .

A communication system using a threshold encryption scheme that can restore the plaintext m using partial decoding information sigma, at least a portion of the random number r from u defined by g ^r which can calculate the composite number as a modulo rmodN the information, by substituting the equation (9) used in encrypting the plaintext m, the plaintext from the ciphertext encrypted device-generated C = (c, u, w , e, f) a secret key generation device that generates secret information Lβ, which is a secret key necessary for restoring m,
The composite numbers with modulo generate the g ^r from disjoint g and the random number r from each other with the composite number, the g ^r and said using the distributed key ciphertext C = (c, u, w , e, wherein the row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, which is at least a part of the calculated the random number r Ru can decrypt the plaintext m using RmodN, the using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) in the case of encryption ( In Expression (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p ₂ and q ₂ are prime numbers ), e, f, w and w 'is ^{w × u e = g f,} w' × u 'e = g 2 f is satisfied Preparative verification data to verify the validity of the ciphertext by checking, s is a value selected during the encryption, * exclusive OR), the number of the synthesis by Moto modulo , I relatively prime to ^{M 2} of ^{u = g r modN 2, w} , u '= g 2 r modM 2 (g 2 is ∈ Z ^* M2 (Z _M ² element in the formula (9) for encryption A set of values, M2 is M ² )) , w ′, an encryption device that performs pre-calculation on H1 (rmodN),
The rmodN is at least a part of said random number r in the decoding, at the using the secret key generated by the secret key generating unit restores by calculating the equation (3) (the formula (3), L? Is secret information, λ is an interpolation coefficient, S is a plurality of parts that generate partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) using a distributed key of decoder, set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), at least a portion of the restored the random number r a restoration device for determining the plaintext m from the ciphertext C = (c, u, w , e, f) using the rmodN is,
A communication system encrypted with respect to the plaintext m.

A distributed key generation unit that generates a distributed key that is distributed and held in a plurality of devices and that can decrypt the plaintext m through cooperation of the plurality of devices ; a ciphertext generation unit that performs pre-computation for encryption; A key generation method realized in a key generation device including a restoration unit that restores a plaintext from a ciphertext generated by the ciphertext generation unit,
The rmodN is at least part of the random number r from u defined by g ^r which can calculate the composite number as a modulo, by substituting the equation (9) used in encrypting the plaintext m, the plaintext m A key generation step by which the distributed key generation means generates a secret key necessary for restoring
The composite numbers with modulo generate the g ^r from disjoint g and the random number r from each other with the composite number, the ciphertext by using the g ^r a distributed key C = (c, u, w , e , by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the rmodN is at least a part of said random number r is calculated and the calculated at least a portion of the random number r the rmodN Ru can decrypt the plaintext m using a case (equation encrypting the ciphertext C = (c, u, w , e, f) using equation (9) the plaintext m by ciphers In (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p ₂ and q ₂ are prime numbers ), e , f, w and w 'is ^{w × u e = g f,} w' be × u ^'e = _g ^{2 f} is satisfied Verification data to verify the validity of the ciphertext by checking, s is a value selected during the encryption, * exclusive OR), in Moto modulo said number of synthetic, encryption u = g ^r modN ² of formula (9) for the _{reduction, w, u '= g 2} r modM 2 (g 2 are disjoint values and ^{M 2} of ∈ Z ^* M2 (Z _M ² elements A set, where M2 is M ² )) , w ′, H1 (rmodN), the ciphertext generating means performing pre-calculation
In the rmodN is at least a part of said random number r to the decoding, by using the secret key generated in the key generating step restore by calculating the equation (3) (the formula (3), L? Is Secret information, λ is an interpolation coefficient, S is a plurality of partial decryptions that generate partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) using a distributed key of the devices, a set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), at least some of the restored the random number r a restoration step is said ciphertext rmodN said encryption device using the generated C = the (c, u, w, e , f) the plaintext m from the restoring means obtains,
And performing encrypted communication on the plaintext m.

A cryptographic apparatus for use in a communication system using a threshold encryption scheme that can restore the plaintext m using partial decoding information sigma, disjoint from each other with the composite number composite numbers with modulo g and the random number r generating a g ^r from then, the g ^r and the distributed key ciphertext using C = (c, u, w , e, f) rows partial decoding process to obtain a partial decoding information by decoding the Ukoto by the calculated said rmodN is at least part of the random number r, calculated using the rmodN is at least a part of said random number r Ru can decrypt the plaintext m, the plaintext m by encryption scheme formula (9) is used to encrypt the ciphertext C = (c, u, w, e, f) only once (in Expression (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p _2, and q ₂ are prime numbers ), e, f, w, and w ′ are encrypted by confirming that w × u ^e = g ^f and w ′ × u ′ ^e = g ₂ ^f . verification data to verify the validity, s is a value selected during the encryption, * exclusive OR), the plaintext m encrypted, said u is as defined further above g ^r ciphertext C = (c, u, w , e, f) by adding the ciphertext verification data for verifying that the ciphertext when an element of is valid, and modulo the number of the synthesis Moto is ^{to, u = g r modN 2,} w, u '= g 2 r modM 2 (g 2 is ∈ Z ^* M2 (of Z _M ² element ^{M 2} of the formula (9) for encryption And a set of disjoint values, M2 is M ² )) , w ′, H1 (rmodN), a ciphertext generation means for performing a pre-computation, and a ciphertext generation means Said ciphertext C = (c, u, w , e, f) a and a ciphertext transmitting unit that transmits the encrypted message management server, the ciphertext in the ciphertext management server C = (c, u, w , e, stores f), communication according to claim 1, characterized in that the plaintext m encrypted as adapted to use for communication between the restoration device which restores the plaintext m and the own device System encryption device.

The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, encrypted using the distributed key and ^{g r C = (c, u} , w, e, f) for by row Ukoto the partial decryption process to obtain a partial decoding information by decoding, at least is part rmodN calculated, the plaintext m using the rmodN at least a portion of the calculated random number r of the random number r in Ru can decrypt and encrypt only once the said plaintext m by encryption scheme using equation (9) the ciphertext C = (c, u, w , e, f) ( equation (9), H1, H2 is a hash function, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p ₂ and q ₂ are prime numbers ), e, f, w and w ′ dark by confirming that the ^{w × u e = g f,} w '× u' e = g 2 f is satisfied Verification data to verify the validity of the statement, s is a value selected during the encryption, * exclusive OR), the plaintext m encrypted, u defined in further wherein g ^r When ciphertext C = (c, u, w, e, f) is an element, ciphertext verification data for verifying that the ciphertext is valid is added to calculate the composite number in Moto to, M of ^{u = g r modN 2, w} , u '= g 2 r modM 2 (g 2 is ∈Z ^* M2 (Z _M ² element in the formula (9) for encryption ² is a set of values that are relatively prime to each other, M2 is M ² )) , w ′, H1 (rmodN),
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r a key generating unit for generating a distributed key to the plaintext m is dispersed a key can be restored to a plurality of keys by substituting the equation (9) used for encryption,
Partial encryption device to about said ciphertext plaintext m is encrypted C = (c, u, w , e, f), generates the partial decryption information is information obtained by decoding using the distributed key Decryption means;
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r verifies that the g ^r the u defined by said ciphertext C = (c, u, w , e, f) is the ciphertext when an element of a legitimate by verifying whether Verification means;
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated random number r, use in encrypting the plaintext m by substituting have the formula (9), the ciphertext C = said encryption device has generated and restoring means for restoring (c, u, w, e, f) the plaintext m from
A communication system encrypted with respect to the plaintext m between the encryption device and the restoration device having the restoration means .

Distributed key generation means for generating a distributed key that is distributed and held in a plurality of devices and can decrypt plaintext by cooperation of the plurality of devices, ciphertext generation means for performing pre-computation for encryption, and encryption Partial decryption means for generating partial decryption information which is information obtained by decrypting the ciphertext C = (c, u, w, e, f) obtained by encrypting the plaintext m using the distribution key When, using said verification data ciphertext C = (c, u, w , e, f) the ciphertext verification unit for verifying the, said ciphertext generating unit to generate C = (c, u, a key generation method realized in a key generation device including a restoration means for restoring plaintext m from w, e, f) ,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said using g ^r and said distributed key ciphertext C = (c, u, w , e, by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the f), the calculated the rmodN is at least part of the random number r, the rmodN at least a portion of the calculated the random number r Ru can decrypt the plaintext m using encrypts only once the said plaintext m by encryption scheme using equation (9) the ciphertext C = (c, u, w , e, f) ( equation (9) H1, H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), M is a composite number (M = p ₂ q ₂ , p ₂ and q ₂ are prime numbers ), e, f, w and w 'is ^{w × u e = g f,} w' to make sure that × u ^'e = _g ^{2 f} is satisfied Defined in the verification data, s is a value selected during the encryption to verify the validity of the ciphertext, * exclusive OR), the plaintext m encrypted, further wherein g ^r by wherein said u is the ciphertext C = (c, u, w , e, f) by adding the ciphertext verification data for verifying that the ciphertext when an element of is valid, in Moto modulo said number of ^{synthetic, u = g r modN 2,} w, u '= g 2 r modM 2 (g 2 of the formula (9) for the encryption ∈Z ^* M2 (Z _M ² set of disjoint values and ^{M 2} the elements of, M2 is ^M 2)), w ', and the ciphertext generation step of precalculated, performed by the ciphertext generating means for the portion of the H1 (rmodN),
Wherein rmodN is at least a part from the u defined by the g ^r can be calculated the random number r can be calculated a composite number modulo the rmodN at least a portion of the calculated the random number r the distributed key dispersed a key can be restored the plaintext m is a plurality of keys by substituting the equation (9) used for the encryption, and key generating step of generating said distributed key generation means,
The ciphertext C = the encryption device encrypts the plaintext m (c, u, w, e, f) for the partial decryption information is information obtained by decoding using the distributed key, the A partial decoding step generated by the partial decoding means;
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r wherein g wherein ^r is defined by u is the cipher text C = by checking whether (c, u, w, e , f) the ciphertext when a component of the verification that is valid, A verification step performed by the verification means;
Using the partial decoding information for decoding to calculate the rmodN is at least a part of said random number r, the rmodN at least a portion of the calculated the random number r, when encrypting the plaintext m by substituting the equation (9) used, the ciphertext C = said encryption device has generated (c, u, w, e, f) the plaintext m from the recovery step of the restoring means restores ,
And encrypting the plaintext m between the encryption device and a restoration device that restores the plaintext m from the ciphertext C = (c, u, w, e, f) generated by the encryption device. A communication method, characterized in that a structured communication is performed.

A communication system using a threshold cryptosystem can restore the plaintext m using partial decoding information sigma, generates a g r a composite number modulo the composite number as a from disjoint g and the random number r from each other and the g r is a holding distributed across multiple devices, the plurality of devices ciphertext C = using the distributed key that can decrypt the plaintext by cooperation (c, u, w, e , f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the said computes the rmodN is at least part of the random number r, said using said rmodN at least a portion of the calculated the random number r Ru can decrypt the plaintext m, the using equation (9) the plaintext m by encryption method ciphertext C = (c, u, w , e, f) in encrypted only once (equation (9), H1 and H2 are hash functions, N is a combined function The number (N = pq, p and q are prime numbers), M is a composite number (M = p 2 q 2, p 2 and q 2 are prime numbers), e, f, w and w 'is w × u e = g f , W ′ × u ′ e = g 2 f by confirming that the validity of the ciphertext is confirmed, s is a value selected at the time of encryption, and * is exclusive logical OR), the plaintext m encrypted, justified further the g r the u defined by said ciphertext C = (c, u, w , e, is the ciphertext when an element of f) by adding the ciphertext verification data for verifying that is, the number of the synthesis by Moto modulo, u = g r modN 2, w of the formula (9) for encryption, u ' = g 2 r modM 2 (a set of disjoint value and M 2 of the g 2 ∈Z * M2 (Z M 2 of the element, M2 is M 2)), w ', things for the portion of the H1 (rmodN) And encryption means for performing the calculation,
Substituting the rmodN is at least a part of the random number r from the u defined by the g r can be calculated the number of the synthesis modulo, the formula (9) used in encrypting the plaintext m Accordingly, a private key generating means for generating a secret key that is required when the dark the ciphertext Goka device has generated C = the (c, u, w, e , f) from restoring the plaintext m,
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r verifies that the g r the u defined by said ciphertext C = (c, u, w , e, f) is the ciphertext when an element of a legitimate by verifying whether Verification means;
The rmodN is at least a part of said random number r in the decoding, at the using the secret key generated by the secret key generating means restores by calculating the equation (3) (the formula (3), L? Is secret information, λ is an interpolation coefficient, S is a plurality of parts that generate partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) using a distributed key of decoder, set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), at least a portion of the restored the random number r and restoration means for obtaining the plaintext m using the rmodN is,
A communication system encrypted with respect to the plaintext m.

Generated by the ciphertext generating means, the ciphertext generating means for performing pre-computation for encryption, the secret key generating means for generating the secret key, the verification means for verifying the ciphertext using the verification data, and the ciphertext generating means A communication method realized in a communication system including a restoring means for restoring plaintext from ciphertext,
The composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, said the g ^r and dispersed held in a plurality of devices, the plurality of devices plaintext by cooperation ciphertext C = with a distributed key to decode it (c, u, w, e , f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the at least a portion of the random number r some rmodN calculated, using the rmodN at least a portion of the calculated the random number r Ru can decrypt the plaintext m, the said plaintext m by encryption scheme using equation (9) ciphertext C = (C, u, w, e, f) is encrypted only once (in Equation (9), H1 and H2 are hash functions, N is a composite number (N = pq , p and q are prime numbers ), and M is a composite number. _{(M = p 2 q 2,} p 2 and q ₂ are prime numbers), e, , W and w 'is ^{w × u e = g f,} w' × u 'e = g 2 f verification data to verify the validity of the ciphertext by confirming that the established, s cryptographic value selected upon reduction, * exclusive OR), the plaintext m encrypted, further wherein g ^r the u defined by said ciphertext C = (c, u, w , e, by adding the ciphertext verification data for verifying that the ciphertext when an element of f) is valid, by Moto modulo said number of synthetic formula for encryption (9 ) U = g ^r mod N ² , w, u ′ = g ₂ ^r mod M ² (g ₂ is ∈Z ^* M 2 ( a set of values relatively disjoint from M ² among elements of Z _M ² , M ² is M ² )) ), W ′, and H1 (rmodN), an encryption step in which the ciphertext generation unit performs pre-calculation,
Substituting the rmodN is at least a part of the random number r from the u defined by the g ^r can be calculated the number of the synthesis modulo, the formula (9) used in encrypting the plaintext m Accordingly, the secret key generating step of a secret key which is required for restoring the plaintext m, the secret key generating unit for generating,
The ciphertext C = using the verification data (c, u, w, e , f) performs partial decoding performed with respect to the u, which is part of the same for u ', the reconstruction result are both random number r wherein g wherein ^r is defined by u is the cipher text C = by checking whether (c, u, w, e , f) the ciphertext when a component of the verification that is valid, A verification step performed by the verification means;
The rmodN is at least a part of said random number r in the decoding, at the using the secret key generated by the secret key generating means restores by calculating the equation (3) (the formula (3), L? Is secret information, λ is an interpolation coefficient, S is a plurality of parts that generate partial decryption information that is information obtained by decrypting ciphertext C = (c, u, w, e, f) using a distributed key of decoder, set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), at least a portion of the restored the random number r and restoration step using the RmodN, the encryption device is the cipher text C = generated that (c, u, w, e , f) the plaintext m from the restoring means finding is,
And performing encrypted communication on the plaintext m.

15. The encryption method used in the communication system according to claim 14, further comprising: an encryption device that performs encryption using a threshold encryption method capable of restoring the plaintext m using partial decryption information σ. the by modulo generates g ^r from disjoint g and the random number r from each other with the composite number, the ciphertext using the g ^r and said distributed key C = (c, u, w , e, f) for by row Ukoto the partial decryption process to obtain a partial decoding information by decoding, the calculate the rmodN is at least part of the random number r, the plaintext using the rmodN at least a portion of the calculated the random number r m Ru can decode, the plaintext m by the encryption scheme, the communication between the recovery device the encryption apparatus encrypts and said plaintext m encrypted restore the plaintext m and the encrypted device Specially used Encryption method to be. It includes partial decoding means for generating a partial decryption information is information obtained by decoding the ciphertext using the distributed key, use a threshold encryption scheme that can restore the plaintext m using partial decoding information σ a cryptographic method for use in a communication system according to claim 14, had, composite numbers with modulo generates g ^r from disjoint g and the random number r from each other with the composite number, the dispersion and the g ^r ciphertext by using the key C = (c, u, w , e, f) by row Ukoto the partial decryption process to obtain a partial decoding information by decoding the said at least part of the random number r RmodN the calculated, computed using the rmodN is at least a part of said random number r Ru can decrypt the plaintext m, the plaintext m by the encryption method, the partial decoding means the ciphertext C = (c, u, w, e, f) Encrypted once, the plaintext m encrypted, further wherein g ^r the u defined by said ciphertext C = (c, u, w , e, f) is the ciphertext when an element of adding the encrypted verification data for verifying that it is correct, the plaintext m encrypted, the plaintext m between the restoration device which restores the plaintext m to the encryptor for encrypting An encryption method characterized by being used for communication. It implement | achieves in the decompression | restoration apparatus used for the communication system of Claim 14 including the decompression | restoration means to decompress | restore the said plaintext m from the ciphertext C = (c, u, w, e, f) which the encryption apparatus produced | generated Wherein the encryption device generates g ^r from g and a random number r that are relatively prime to the composite number using the composite number as a modulus , and uses the g ^r and the distributed key to generate a partial Performing a decryption process, calculating the random number r, encrypting the plaintext m by an encryption method capable of decrypting the plaintext m using the calculated random number r,
Said portion for use in the threshold encryption scheme can restore the plaintext m using the decoded information sigma, the encryption device is the cipher text C = (c obtained by encrypting the plaintext m, u, w, e, for f), the calculated the rmodN is at least a part of said random number r by using the partial decryption information is information obtained by decoding using the distributed key, in at least some of the calculated the random number r some said RmodN, by substituting the equation (9) used in encrypting the plaintext m, the ciphertext C = said encryption device has generated (c, u, w, e , f) from An encryption restoration method, wherein the plaintext m is restored by the restoration means.

It includes a restoration device which restores the plaintext m from ciphertext encryption device has generated, communication according to claim 14 with a threshold encryption scheme that can restore the plaintext m using the partial decoding information σ An encryption restoration method used in the system , wherein the encryption device generates g ^r from g and the random number r that are relatively prime to the composite number using the composite number as a modulo , and obtains the g ^r and the distributed key. The plaintext m can be decrypted using an encryption scheme, and the ciphertext C = (c, u) can be decrypted using the calculated random number r. , W, e, f),
The restoration device verifies the ciphertext to be justified when u defined by the g ^r before decoding is an element of the ciphertext C = (c, u, w , e, f) based on the ciphertext verification data for the portion performed for u the encryption device is a part of said ciphertext plaintext m is encrypted C = (c, u, w , e, f) decoding, the restoration apparatus performs similarly for u ', the g ^r the u defined by said ciphertext C = (c by checking whether the reconstruction result are both the random number r, u, w, e, was confirmed to be the element of f), the rmodN at least a portion of then the random number r to the decoding if the verification is established, using a secret key used in public key cryptography Then, the restoration device restores by calculating equation (3) (in equation (3), β is secret information, lambda is the interpolation coefficient, S is a plurality of generating partial decryption information is information obtained by decoding using the distributed key ciphertext C = (c, u, w , e, f) among the partial decoding device, set of partial decoding device accepts the decryption request from the restoring device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), the restored the random number r at least a encryption restoring method characterized by obtaining the plain data m from the encryption device is the cipher text C is generated = (c, u, w, e, f) a is using the rmodN parts.

Held distributed across multiple devices, by decoding the ciphertext using the distributed key generated by the key generation device that generates a distributed key that can decrypt the plaintext m by the plurality of devices to cooperate, 15. A restoration device for use in the communication system according to claim 14, further comprising: a restoration unit that restores the plaintext m using partial decryption information generated in the partial decryption device, wherein the ciphertext is synthesized G ^r is generated from g and a random number r that are relatively prime with the composite number using a number as a modulus, and partial decryption processing is performed using the g ^r and the distributed key, and the random number r is calculated. the plaintext m can be decrypted using r, and the plaintext m is encrypted by an encryption method;
The distributed key s is generated by calculating s _i = f (i) mod LN (i = 1, 2,... N) using equation (6).
The restoring means, said rmodN is at least a part of said random number r to the decoding, by using a secret key used in public key cryptography restored by calculating equation (3) (the formula (3 ), Lβ is secret information, λ is an interpolation coefficient, S is information obtained by decrypting a ciphertext using the distributed key, and among the partial decryption devices that generate partial decryption information, set of the decryption request receiving portion decoding device, sigma partial decoding information, θ = aLβmodN, Δ = n !, a∈Z n), using the rmodN is at least part of the restored the random number r, 2. The restoration apparatus for a communication system according to claim 1, wherein the plaintext m is restored from a ciphertext generated by an encryption apparatus.

Images