JP5047638B2 - Ciphertext decryption right delegation system - Google Patents

Description

  The present invention relates to a ciphertext decryption right delegation system that enables a ciphertext generated using a public key to be decrypted using a secret key different from a secret key corresponding to the public key.

  Conventionally, in encryption using public key cryptography, a ciphertext encrypted with a certain public key can be decrypted only by a person having a secret key corresponding to the public key. In recent years, due to its usefulness, research on a ciphertext decryption right delegation system that enables decryption of ciphertext encrypted with a public key using a secret key that is different from the secret key corresponding to the public key Has been done.

  The ciphertext decryption right delegation system is composed of three parties: a delegator, a delegate, and a ciphertext converter, or four parties including a conversion key generator (trusted third party). The transfer of the decryption right in the configuration is performed by the transferor or the conversion key generator generating a conversion key for ciphertext conversion and transferring it to the ciphertext converter. When the plaintext held by the delegate is shared with the delegate, the delegate first transmits the ciphertext obtained by encrypting the plaintext with his public key to the ciphertext converter. The plaintext is data before encryption that is not subjected to processing such as concealment and concealment, and the plaintext is not limited to a character string but may be image data or audio data.

  Then, the ciphertext converter holding the conversion key converts the ciphertext received from the delegate so that it can be decrypted with the secret key held by the delegate, and transmits it to the delegate. The delegatee decrypts the received converted ciphertext using his / her private key to reproduce the plaintext. Such a ciphertext decryption right delegation system is required to satisfy the following requirements from a cryptographic point of view. That is, (1) the delegator does not need to transfer his / her decryption secret key to anyone other than himself / herself, and (2) the delegator can reproduce the plaintext unless the ciphertext converter performs the conversion. There are three requirements: (3) the ciphertext converter cannot reproduce the plaintext from the delegate's ciphertext alone.

  As a device for realizing delegation, a device used by a delegator and a delegee (hereinafter referred to as a decryption right delegation device and a decryption right delegation device, respectively) is a computer such as a personal computer, a mobile phone terminal, a PDA (Personal Digital Assistant) terminal is applied. Further, as an apparatus used by the ciphertext converter (hereinafter referred to as a ciphertext conversion apparatus), an apparatus configured by a server called a proxy is applied. Each of the computers that realize the decryption right transfer device and the decryption right transfer device is equipped with a function for executing a public key encryption algorithm, and stores a public key necessary for encryption and a secret key required for decryption. In addition, the proxy that implements the ciphertext conversion apparatus is equipped with a function for executing a conversion algorithm for converting the ciphertext transmitted from the delegator's apparatus, and stores a conversion key.

  Such a ciphertext decryption right delegation system can be applied to a content supply technology via a storage device used by an unspecified number of users as follows. That is, it is assumed that the delegator stores the content encrypted using his / her public key in a storage device used by an unspecified number of users. Here, when sharing content with a third party, the delegator designates the third party as the delegee, generates a delegation key for the delegee, and sends it to the ciphertext conversion apparatus that is the access controller of the storage device. Send.

  The ciphertext conversion device that has received the content request from the delegator's decryption right delegation device re-encrypts the content's ciphertext using the conversion key, and transmits the converted ciphertext to the decryption right transfer device. . The decryption right delegation device decrypts the content using the delegate key stored internally. The encrypted conversion text device alone cannot decrypt the content, and since the content is stored in an encrypted state in the storage device of the encrypted conversion text device, the delegate and the delegee safely share the content be able to. In addition, when the content is shared, the delegate does not need to perform additional calculations, so that the content can be shared efficiently.

  The public encryption scheme used to realize the ciphertext decryption right delegation system includes a standard public key encryption scheme (hereinafter referred to as PKE: Public Key Encryption) that uses a value (for example, a random number) that does not make sense for itself as a public key. ) And an ID-based encryption method (hereinafter referred to as IBE: Identity Based Encryption). The IBE method is a public key encryption method that uses an arbitrary character string such as a telephone number or an e-mail address as a public key, and is a technique that greatly reduces the complexity of key management in standard public key encryption (PKE). It is attracting attention (for example, Non-Patent Document 1). According to the IBE method, since the public key is a meaningful character string such as the above-described telephone number or mail address, it is easy to associate the public key with its owner, and the expiration date is a character that is a public key. If it is included in the column, there is an advantage that it is easy to check the expiration date.

Further, the IBE method requires a third party called a secret key generator that generates a secret key. The secret key generator generates a secret key for each user using the main secret key and distributes it to each user. Since the secret key generator can decrypt all the ciphertext encrypted with the public key of each user, it must be a reliable third party.
Conventionally, a technique for realizing the ciphertext decryption right delegation system using only one of the PKE method and the IBE method has been proposed. The PKE method and the IBE method have different advantages and disadvantages, and are generally used properly according to required requirements.
[BF01] D. Boneh, M. Franklin, “Identity based encryption from the Weil paring“, Aug. 2001, extended abstract in Advances in Cryptology − Crypto 2001, Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag, p .213-229

In recent years, both the PKE method and the IBE method as described above have been widely used, and the use situations thereof are mixed. However, as described above, since the ciphertext decryption right delegation can be performed only between users who use the public key cryptosystem of only one of the PKE scheme and the IBE scheme, users who use different public key cryptosystems Ciphertext decryption right delegation cannot be realized between them.
Further, in order to delegate the decryption right between users using the IBE method, it is necessary to generate a new secret key for the delegate.

  In order to solve the above-described problem, the present invention provides a ciphertext encrypted with a public key by a decryption right delegation device, a secret key different from a secret key corresponding to the public key and an ID based on the main secret key A ciphertext decryption right delegation system for decryption by a decryption right delegation device using a base encryption method secret key, wherein the ID-based encryption method secret key used by the decryption right delegation device based on the main secret key An IBE private key generating means for generating an electronic signature, an electronic signature means for generating an electronic signature based on a part of the private key of the ID-based encryption method, an electronic signature verifying means for determining the validity of the electronic signature, and the electronic signature When it is determined by the signature verification means that the electronic signature is valid, the encryption encrypted with the public key based on the private key corresponding to the public key and a part of the private key of the ID-based encryption method Sentence A conversion key generating means for generating a conversion key for converting into a ciphertext decrypted with a secret key of the ID-based encryption method, and the ciphertext encrypted with the public key using the conversion key A ciphertext decryption right delegation system comprising: ciphertext conversion means for converting into ciphertext that can be decrypted with a secret key of a base encryption method.

  The present invention provides a ciphertext encrypted with a public key by a decryption right delegation device, a secret key different from a secret key corresponding to the public key, and a secret key of an ID-based cryptosystem based on a main secret key. A ciphertext decryption right delegation system that uses the decryption right delegation apparatus to decrypt the secret key generation apparatus, wherein the secret key generation apparatus uses the ID-based encryption secret key used by the decryption right delegation apparatus based on the main secret key An IBE secret key generating means for generating, and an electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method, wherein the decryption right delegation device is a PKE public key based on the PKE encryption method A PKE encryption unit that encrypts a plaintext by using a key to generate a PKE ciphertext, an electronic signature verification unit that determines the validity of the electronic signature generated by the secret key generation device, and the electronic signature verification unit When it is determined that the electronic signature is valid, encryption is performed with the PKE public key based on a PKE private key that is a private key corresponding to the PKE public key and a part of the private key of the ID-based encryption method. Conversion key generation means for generating a conversion key for converting the converted PKE ciphertext into a converted ciphertext that is decrypted with a secret key of the ID-based encryption method, and the ciphertext conversion apparatus A ciphertext converting unit that converts the PKE ciphertext into a converted ciphertext of the ID-based encryption method using the conversion key generated by the right transfer device, and the decryption right transfer device includes the ID-based encryption A ciphertext decryption right delegation system comprising IBE decryption means for decrypting the converted ciphertext based on a system secret key.

  The present invention provides a ciphertext encrypted with a public key by a decryption right delegation device, a secret key different from a secret key corresponding to the public key, and a secret key of an ID-based cryptosystem based on a main secret key. A ciphertext decryption right delegation system that is decrypted by the decryption right delegation apparatus, wherein the secret key generation apparatus generates a secret key of an ID-based encryption scheme used by the decryption right delegation apparatus based on the main secret key And a digital signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method, and the decryption right delegation device encrypts the plaintext by the ID-based encryption method. An IBE encryption unit that generates an encrypted IBE ciphertext, and the conversion key generation device includes: an electronic signature verification unit that determines validity of the electronic signature generated by the secret key generation device; and the electronic signature verification unit By If it is determined that the electronic signature is valid, the IBE ciphertext generated by the decryption right delegation device based on a part of the main secret key and a part of the secret key based on the ID-based encryption method is applied to the subject. Conversion key generation means for generating a conversion key for conversion to a converted ciphertext that is decrypted with a secret key of an ID-based encryption method used by the decryption right transfer device, and the ciphertext conversion device includes the conversion key Using the conversion key generated by the generation device, the IBE ciphertext encrypted by the ID-based encryption method is converted into a converted ciphertext that is decrypted by the secret key of the ID-based encryption method used by the decryption right transfer device A ciphertext decryption right, wherein the decryption right delegation device has IBE decryption means for decrypting the ciphertext to be converted based on a secret key of the ID-based encryption method. transfer It is a stem.

  The present invention provides a ciphertext encrypted with a public key by a decryption right delegation device, a secret key different from a secret key corresponding to the public key, and a secret key of an ID-based cryptosystem based on a main secret key. The ID-based encryption method used by the decryption right delegation device based on the main secret key as a secret key generation device in a computer included in the ciphertext decryption right delegation system that is decrypted by the decryption right delegation device An IBE secret key generation step for generating a secret key; an electronic signature step for generating an electronic signature based on a part of the secret key of the ID-based encryption method as a secret key generation device; and a PKE cipher as the decryption right delegation device A PKE encryption step for generating a PKE ciphertext by encrypting a plaintext using a PKE public key according to a scheme, and the secret key generation device as the decryption right delegation device An electronic signature verification step for determining the validity of the electronic signature; and when the decryption right delegation device determines that the electronic signature is valid, a PKE private key that is a private key corresponding to the PKE public key and the Conversion for converting a PKE ciphertext encrypted with the PKE public key into a converted ciphertext decrypted with the ID-based cryptographic key based on a part of the secret key of the ID-based cryptographic method A conversion key generation step for generating a key, and a ciphertext for converting the PKE ciphertext to a converted ciphertext of the ID-based encryption method using the conversion key generated by the decryption right transfer device as a ciphertext conversion device A cipher for executing a conversion step and an IBE decryption step of decrypting the ciphertext to be converted based on a secret key of the ID-based encryption method as the decryption right transfer device A decryption rights delegation program.

  The present invention provides a ciphertext encrypted with a public key by a decryption right delegation device, a secret key different from a secret key corresponding to the public key, and a secret key of an ID-based cryptosystem based on a main secret key. The ID-based encryption scheme secret used by the decryption right delegation device based on the main secret key as a secret key generation device in a computer included in the ciphertext decryption right delegation system used by the decryption right delegation device An IBE private key generation step for generating a key; an electronic signature step for generating an electronic signature based on a part of the private key of the ID-based encryption method as a private key generation device; and an ID-based encryption as the decryption right delegation device An IBE encryption step for generating an IBE ciphertext obtained by encrypting a plaintext by a method, and a validity of the electronic signature generated by the secret key generation device as a conversion key generation device. The electronic signature verification step to be determined, and as the conversion key generation device, when it is determined that the electronic signature is valid, based on a part of the main secret key and a part of the secret key by the ID-based encryption method, A conversion key generating step for generating a conversion key for converting the IBE ciphertext generated by the decryption right delegating device into a converted ciphertext that is decrypted with a secret key of an ID-based encryption scheme used by the decryption right delegation device; The ID-based encryption private key used by the decryption right delegation device as the ciphertext conversion device uses the IBE ciphertext encrypted by the ID-based encryption method using the conversion key generated by the conversion key generation device. A ciphertext conversion step for converting into a converted ciphertext decrypted in step (b) and a decryption right delegation device that decrypts the converted ciphertext based on a secret key of the ID-based encryption method A ciphertext decryption right transfer program for executing the IBE decryption step.

As described above, according to the present invention, in the ciphertext decryption right delegation system, an IBE secret key generation unit that generates a secret key of an ID-based encryption method used by the decryption right transfer apparatus based on the main secret key; An electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method, an electronic signature verification means for determining the validity of the electronic signature, and the electronic signature verification means determined that the electronic signature is valid In this case, the ciphertext encrypted with the public key is converted into a ciphertext decrypted with the secret key of the ID-based cryptosystem based on the secret key corresponding to the public key and a part of the secret key of the ID-based cryptosystem. Conversion key generation means for generating a conversion key for performing the conversion, and ciphertext conversion means for converting the ciphertext encrypted with the public key into a ciphertext that can be decrypted with the secret key of the ID-based encryption method using the conversion key And a configuration comprising It was.
According to this, as long as it is determined that an electronic signature based on a part of the secret key of the ID-based encryption method is valid, the decryption right transfer device uses the same ID-based encryption method private key. Delegation can be performed.

  In other words, as long as the IBE secret key generation means proves the validity of the secret key of the ID-based encryption method generated for the decryption right delegation device, the decryption right delegation device decrypts from a plurality of different decryption right delegation devices. Even when there is a request for delegation of rights, a conversion key can be generated by causing the conversion key generation means to use a part of a secret key and an electronic signature of the same ID-based encryption method. In other words, only one secret key is required to be stored and managed by the decryption right delegation device for the transfer of the decryption right, greatly increasing the secret key generation cost of the IBE secret key generation means and the secret key management cost of the decryption right delegation device. The plaintext can be exchanged with a mathematical safety.

According to the present invention, the secret key generation device in the ciphertext decryption right delegation system includes an IBE secret key generation unit that generates a secret key of an ID-based encryption scheme used by the decryption right transfer device based on the main secret key. And an electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method, and the decryption right delegation device encrypts the plaintext using the PKE public key in the PKE encryption method, PKE encryption means for generating a sentence, electronic signature verification means for determining the validity of the electronic signature generated by the secret key generation apparatus, and when the electronic signature verification means determines that the electronic signature is valid, the PKE public key The PKE ciphertext encrypted with the PKE public key is decrypted with the ID-based encryption key based on the PKE secret key that is the secret key corresponding to the ID and the part of the ID-based encryption key A conversion key generating means for generating a conversion key for converting into a converted ciphertext to be converted, and the ciphertext conversion apparatus converts the PKE ciphertext into an ID-based cipher using the conversion key generated by the decryption right delegation apparatus. The ciphertext converting means for converting to a system-converted ciphertext is provided, and the decryption right delegating device has an IBE decrypting means for decrypting the ciphertext to be converted based on the secret key of the ID-based encryption scheme.
According to this, a ciphertext decryption right delegation system in which a device that performs encryption / decryption using the PKE encryption method is a decryption right delegation device, and a device that performs encryption / decryption using an ID-based encryption method is a decryption right delegation device. Can be provided.

According to the present invention, the secret key generation device in the ciphertext decryption right delegation system includes an IBE secret key generation unit that generates a secret key of an ID-based encryption scheme used by the decryption right transfer device based on the main secret key. And an electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method, and the decryption right delegation device generates an IBE ciphertext obtained by encrypting plaintext by the ID-based encryption method When the conversion key generation device has an encryption means, the electronic signature verification means for determining the validity of the electronic signature generated by the secret key generation device, and the electronic signature verification means determines that the electronic signature is valid, Based on a part of the main secret key and a part of the secret key based on the ID-based encryption method, the IBE ciphertext generated by the decryption right transfer device is decrypted with the ID-based encryption key used by the decryption right transfer device. A conversion key generating means for generating a conversion key for conversion into a converted ciphertext to be converted, and the ciphertext conversion device encrypts it by an ID-based encryption method using the conversion key generated by the conversion key generation device. The encrypted IBE ciphertext is converted into a converted ciphertext that is decrypted with a secret key of an ID-based encryption scheme used by the decryption right delegation device. The IBE decrypting means for decrypting the converted ciphertext based on the secret key of
According to this, as long as it is determined that an electronic signature based on a part of the secret key of the ID-based encryption method is valid, the decryption right transfer device uses the same ID-based encryption method private key. Delegation can be performed.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
In the description of this embodiment, a public key based on the PKE method is referred to as a PKE public key. Also, a secret key based on the PKE method is called a PKE secret key, encryption based on the PKE method is called PKE encryption, decryption based on the PKE method is called PKE decryption, and a ciphertext encrypted by the PKE encryption is called a PKE ciphertext.

  In the description of the present embodiment, a public key based on the IBE method is referred to as an IBE public key or ID (IDentifier). In the following description, the ID is identification information stored in advance in each terminal. Further, a secret key based on the IBE method is referred to as an IBE secret key, encryption based on the IBE method is referred to as IBE encryption, decryption based on the IBE method is referred to as IBE decryption, and a ciphertext encrypted according to the IBE encryption is referred to as an IBE ciphertext.

Each device constituting the ciphertext decryption right delegation system described below has a random number generation function. For example, in the description of this embodiment, when “random element AεB is selected”, a random number is used. This means that an arbitrary element A corresponding to the generated random number is selected from an arbitrary range B using the generation function. In the description of the present embodiment, when an arbitrary public key is disclosed, it means that an arbitrary public key generated by each device is set in a state where it can be received from another device through a connected network.
Next, the symbols used in the description of the present embodiment are defined in equation (1).

<First Embodiment>
FIG. 1 shows that, according to the first embodiment, a decryption right delegation device 10 that performs encryption / decryption of the PKE encryption method is transferred to a decryption right transfer device 20 that performs encryption / decryption of the IBE encryption method. It is a block diagram of the ciphertext decryption right delegation system which performs.
The ciphertext decryption right transfer system according to the present invention includes a PKG (Private Key Generator) device 40, a decryption right transfer device 10, a decryption right transfer device 20, and a ciphertext conversion device 30. These devices are managed and used by different users.

The PKG device 40 is a device in which a trusted third party manages various keys, and includes a setup processing unit 41, an IBE private key generation unit 42, a signature key generation unit 43, a signature processing unit 44, and a PKG information storage. Unit 45 and transmission / reception unit 46.
The setup processing unit 41 generates a main secret key mk and a public parameter parms for performing decryption right delegation according to the present invention. Here, in the setup algorithm performed by the setup processing unit 41, first, the security parameter is k, the generator gεG on the group G is randomly selected, and the random elements g ₂ and hεG on the group G are selected. Select. _Then, select the _Z ^{p *} random element of the above α∈Z _p ^*, to calculate the main secret key ^{_{mk (mk = g 2 α)}} . In addition, g ₁ (g ₁ = g ^α ) is calculated, and public parameters parms (parms = (g, g ₁ , g ₂ , h)) are calculated. In this embodiment, the PKG device 40 includes the setup processing unit 41. However, a device managed by a reliable third party independent of the PKG device 40 may include the setup processing unit 41.

The IBE secret key generation unit 42 generates an IBE secret key used by each device in the network. Here, in the IBE secret key generation algorithm performed by the IBE secret key generation unit 42, first, a main secret key mk (mk = g ₂ ^α ), an ID, and a public parameter parms are input, and Z _p ^* Select a random element uεZ _p ^* . Then, the IBE secret key sk _ID is calculated by the following equation (2).

The signature key generation unit 43 generates a signature key / verification key pair.
The signature processing unit 44 calculates a signature σ _e based on the plain text and the signature key generated by the signature key generation unit 43. As a signature algorithm, a commonly used electronic signature can be applied.
The PKG information storage unit 45 includes, for example, a main secret key mk generated by the setup processing unit 41, a public parameter palms, an IBE secret key generated by the IBE secret key generation unit 42, and a signature generated by the signature key generation unit 43. A key and a verification key are stored. The transmission / reception unit 46 transmits / receives information, for example, transmits a part of the IBE private key and a signature.

The decryption right transfer device 10 is a device that encrypts and decrypts data by the PKE method, and includes a PKE key generation unit 11, a PKE encryption processing unit 12, a PKE decryption unit 13, a conversion key generation unit 14, A signature verification unit 15, a decryption right delegation information storage unit 16, and a transmission / reception unit 17 are provided.
The PKE key generation unit 11 generates a PKE public key and a PKE private key. Here, in the PKE key generation algorithm that is performed by the PKE key generation unit 11 and generates the PKE public key and the PKE private key, first, public parameters params are input, and random elements β, θ, δ on Z _p ^* are input. Select ∈ Z _p ^* . Then, g ₃ = g ^θ , g ₄ = g ₁ ^β, h ₁ = h ^δ are calculated, and the PKE public key pk (pk = (g ₃ , g _4, h ₁ )) and the PKE private key sk (sk = (Β, θ, δ)).

The PKE encryption processing unit 12 generates a PKE ciphertext CPK by encrypting the plaintext M using the PKE public key. Here, the PKE encryption algorithm performed by the PKE encryption processing unit 12 is first a PKE public key pk (pk = (g ₃ , g _4, h ₁ )), plaintext M (M∈G1), and public. parameters parms and are inputted _to select a _Z ^{p *} random element above r ∈ Z _p ^*, the PKE ciphertext CPK, is calculated by the following equation (3).

The PKE decrypting unit 13 decrypts the plaintext M from the PKE ciphertext C _PK using the PKE private key. The PKE decoding algorithm will be described below.
The PKE ciphertext C _PK (C _PK = (C ₁ , C ₂ , C ₃ , C ₄ )), the public parameter parms, and the secret key sk (sk = (β, θ, δ)) are input, and plain text M is calculated by the following equation (4).

The conversion key generation unit 14 generates a conversion key for converting a PKE ciphertext into an IBE ciphertext. The conversion key generation algorithm will be described below.
A PKE private key sk (sk = (β, θ, δ)) stored in a decryption right delegation information storage unit 16 to be described later, and a part d ₁ of the IBE private key sk _ID corresponding to the ID of the decryption right transfer device 20 = and ^{g u,} and inputs the public parameters parms, conversion key ^{_{rk ID (rk ID = (g}} u / β, g u, θ, δ)) is calculated.

The signature verification unit 15 is a function corresponding to the signature key generation unit 43 and the signature processing unit 44, and includes an arbitrary plaintext, an arbitrary plaintext signature σ _e generated by the signature processing unit 44, and a signature key generation unit 43. The generated verification key is input, and it is determined whether the signature σe is a valid signature or an illegal signature.
The decryption right delegation information storage unit 16 includes the public parameters palms of the PKG device 40, the PKE public key pk generated by the PKE key generation unit 11, the PKE private key sk, and the conversion key rk _ID generated by the conversion key generation unit 14. And remember.
The transmission / reception unit 17 transmits / receives information and receives, for example, a part of an IBE private key and a signature.

The decryption right transfer device 20 is a device that encrypts and decrypts data by the IBE method, and includes an IBE encryption processing unit 21, an IBE decryption unit 22, an IBE information storage unit 23, and a transmission / reception unit 24. .
The IBE encryption processing unit 21 generates an IBE ciphertext C _ID of plaintext M using the IBE public key. Here, the IBE encryption algorithm performed by the IBE encryption processing unit 21 first receives an ID (IDεZ _p ^* ), a plaintext M (MεG1), and a public parameter palms. _Also, to select the _Z ^{p *} random element of the above r∈Z _p ^*. Then, the ciphertext C _ID is calculated by the following equation (5).

The IBE decrypting unit 22 decrypts the plaintext M from the IBE ciphertext CID using the IBE private key. Here, the IBE decryption algorithm performed by the IBE decryption unit 22 is as follows. First, the secret key sk _ID (sk _ID = (d ₀ , d ₁ )) corresponding to the _ID , the public parameter parms, and the IBE ciphertext C _ID ( C _ID = (C ′ ₁ , C ′ ₂ , C ′ ₃ )) is input, and plaintext M (M∈G ₁ ) is calculated by the following equation (6).

The IBE information storage unit 23 stores the IBE private key sk _ID and the signature σ _e .
The transmission / reception unit 24 transmits / receives information and receives, for example, an IBE private key and a signature.
The ciphertext conversion device 30 is a device that receives and stores the conversion key transmitted from the decryption right transfer device 10, and includes a ciphertext conversion unit 31, a conversion key storage unit 32, and a transmission / reception unit 33.
The ciphertext conversion unit 31 converts the PKE ciphertext into a converted ciphertext that is an IBE ciphertext using the conversion key. The conversion key storage unit 32 stores a conversion key and a public parameter. The transmission / reception unit 33 receives the conversion key from the decryption right transfer device 10, receives the PKE ciphertext from the decryption right transfer device 10, and transmits the IBE ciphertext to the decryption right transfer device 20. The ciphertext conversion algorithm will be described below.
A conversion key rk _ID (rk _ID = (g ^{u / β} , g ^u , θ, δ)) represented by an ID, a public parameter palms, and C _PK (C _PK = (C ₁ , C ₂ , C ₃ , C ₄ )) and the converted ciphertext C _ID is calculated by the following equation (7).

Hereinafter, an operation example of the first embodiment according to the present invention will be described with reference to FIGS.
The PKG device 40 operates the setup processing unit 41 to generate the main secret key mk and the public parameter palms, and stores them in the PKG information storage unit 45 (step S101). Note that the setup processing unit 41 has a device managed by a trusted third party that is not the PKG device 40, and the trusted third party device generates the main secret key mk and the public parameter palms, and the PKG device 40 It may be sent.

In addition, the PKG device 40 publishes public parameters params. The PKG device 40 operates the signature key generation unit 43 (step S102), generates a signature key / verification key pair, and stores the pair in the PKG information storage unit 45. Then, the PKG device 40 discloses the verification key. The signature key generation unit 43 performs the process of generating the signature key and the verification key before the signature processing unit 44 performs the process of generating the signature of the IBE private key. There is no need to do it.
On the other hand, the decryption right delegation device 10 operates the PKE key generation unit 11 to generate a pair of the PKE private key sk and the PKE public key pk, and stores the pair in the decryption right delegation information storage unit 16. In addition, the decryption right delegation device 10 discloses the PKE public key pk (step S103).

Further, the PKG device 40 operates the IBE secret key generation unit 42 to generate the IBE secret key sk _ID (sk _ID = (d ₀ , d ₁ )). The PKG device 40 operates the signature processing unit 44 by inputting the combined data of the signature key generated by the signature key generation unit 43, d1 which is a part of the IBE private key, and the ID of the decryption right transfer device 20 The signature σ _e is generated (step S104). Then, the PKG device 40 transmits the IBE secret key sk _ID (sk _ID = (d ₀ , d ₁ )) and the signature σ _e to the decryption right transfer device 20 (step S105). The decryption right transfer device 20 receives the IBE secret key sk _ID and the signature σ _e and stores them in the IBE information storage unit 23 (step S106). Then, the decryption right transfer device 20 transmits the ID, d ₁ that is a part of the IBE private key, and the signature σ _e to the decryption right transfer device 10 (step S201).

At this time, the PKG device 40 has already generated the IBE secret key sk _ID and the signature σ _e and transmitted them to the decryption right delegation device 20, and the IBE information storage unit 23 of the decryption right delegation device 20 stores the IBE secret key sk. _{When the ID} and signature σ _e are stored, the PKG device 40 does not need to newly generate the IBE private key sk _ID and signature σ _e . That is, the processing of step S104, step S105, and step S106 may not be performed. In this case, the decryption right transfer device 20 reads the IBE secret key sk _ID and the signature σ _e from the IBE information storage unit 23, and the decryption right transfer device 10 receives the ID and d ₁ that is a part of the IBE secret key. The signature σ _e is transmitted.

The decryption right delegation device 10 operates the signature verification unit 15 by inputting the _ID , d ₁ that is a part of the IBE private key sk _ID , the signature σ _e, and the verification key of the PKG device 40. That is, the signature verification unit 15 receives the verification key published by the PKG device 40, and determines the validity of the signature σ _e using the received verification key (step S202).
If the signature σ _e is valid, the decryption right delegation device 10 operates the conversion key generation unit 14 to generate a conversion key rk _ID (step S203) and transmits it to the ciphertext conversion device 30 (step S204). The ciphertext conversion apparatus 30 receives the conversion key rk _ID and stores it in the conversion key storage unit 32 (step S205). On the other hand, if the signature σ _e is invalid, the decryption right transfer device 10 does not operate the conversion key generation unit 14 and does not generate the conversion key rk _ID .

Next, an operation example in which the ciphertext conversion apparatus 30 converts the ciphertext will be described.
The decryption right transfer device 10 inputs the plaintext to be encrypted, the PKE public key, and the public parameter to the PKE encryption processing unit 12, and the PKE encryption processing unit 12 generates a PKE ciphertext C _PK (step) S206). Then, the decryption right transfer device 10 transmits the PKE ciphertext C _PK to the ciphertext conversion device 30 (step S207).

When the ciphertext conversion apparatus 30 receives the PKE ciphertext C _PK , the ciphertext conversion unit 31 inputs the PKE ciphertext C _PK , the conversion key rk _ID, and the public parameter parms to the ciphertext conversion unit 31 to operate the PKE ciphertext C _PK . Conversion into converted ciphertext C _ID (step S208). Then, the ciphertext conversion apparatus 30 transmits the converted ciphertext C _ID to the decryption right transfer apparatus 20 (step S209).
When the decryption right transfer device 20 operates the IBE decryption unit 22 by inputting the converted ciphertext C _ID , the IBE private key sk _ID stored in the IBE information storage unit 23, and the public parameter parms, the IBE decryption unit 22 outputs plaintext M (step S210).

As described above, according to the first embodiment, the decryption right delegation apparatus is an apparatus that performs encryption by the PKE method, and even in a network environment in which the decryption right delegation apparatus performs decryption by the IBE method, it can be safely performed. Ciphertext decryption rights can be delegated. Further, information necessary for generating the conversion key (part of the IBE private key d ₁ ) is generated in advance by the PKG device 40, and is generated based on the combined data of the part of the IBE private key and the IBE public key. It is transmitted to the decryption right delegation apparatus 20 together with the signature, and the decryption right delegation apparatus 20 stores a part of the IBE private key and the electronic signature, and transmits them to the decryption right delegation apparatus 10 at the time of delegation of the decryption right. I made it. As a result, the number of secret keys stored in the decryption right transfer device 20 need only be one regardless of the number of decryption right transfers. Further, once the PKG device 40 generates the IBE private key and the electronic signature based on the combined data of the IBE private key and a part of the IBE private key, it is necessary to generate the key every time the decryption right is transferred. Absent.

  That is, as long as it is determined that the electronic signature based on the combined data of a part of the IBE private key and the IBE public key is valid, the decryption right transfer device 20 uses the same ID-based encryption private key. Decryption rights can be delegated. In other words, as long as the PKG device 40 proves the validity of the secret key of the ID-based encryption method generated for the decryption right delegation device 20, the decryption right delegation device 20 decrypts from a plurality of different decryption right delegation devices. Even when there is a request for delegation of rights, a conversion key can be generated by causing the decryption right delegation device 10 to use a part of the secret key and the electronic signature of the same ID-based encryption method. Therefore, only one secret key is required to be stored and managed by the decryption right transfer device 20 for the transfer of the decryption right, and the secret key generation cost of the PKG device 40 and the secret key management cost of the decryption right transfer device 20 are sufficient. Can be greatly reduced and simplified, and exchange of plain text with mathematical safety is possible.

<Second Embodiment>
FIG. 2 is a conceptual diagram of an IBE ciphertext decryption right delegation system according to the second embodiment.
Hereinafter, when a plurality of IDs are mixed in the description, they are indicated as IDi, IDj and the like.
The ciphertext decryption right delegation system according to the present invention includes a PKG device 80, a decryption right delegation device 50, a decryption right delegation device 60, a ciphertext conversion device 70, and an RKG (Re-encryption Key Generator) device 90. Composed. These apparatuses are managed and used by different users. However, the PKG device 80 and the RKG device 90 may be managed by the same user. Therefore, for example, one server machine has a function of each processing unit that the PKG device 80 and the RKG device 90 have. Also good.
The ciphertext decryption right delegation system according to the second embodiment has some configurations similar to those of the first embodiment, and the same configuration is clearly indicated and description thereof is omitted.

The PKG device 80 is an IBE private key generation device, and includes a setup processing unit 81, an IBE private key generation unit 82, a signature key generation unit 83, a signature processing unit 84, a PKG information storage unit 85, and a transmission / reception unit 86. Is provided.
The PKG device 80 and each processing unit provided therein have the same configuration and function as the PKG device 40 and each processing unit provided in the first embodiment.

  The decryption right transfer device 50 and the decryption right transfer device 60 have the same configuration, and include an IBE encryption processing unit 51, an IBE decryption unit 52, an IBE information storage unit 53, and a transmission / reception unit 54. The IBE encryption processing unit 51 is the IBE encryption processing unit 21 in the first embodiment, the IBE decryption unit 52 is the IBE decryption unit 22 in the first embodiment, and the IBE information storage unit 53 is the first embodiment. The IBE information storage unit 23 and the transmission / reception unit 54 have the same configuration and function as the transmission / reception unit 24 in the first embodiment.

The ciphertext conversion device 70 is a device that receives and stores the conversion key transmitted from the RKG device 90. The ciphertext verification unit 71, the ciphertext conversion unit 72, the conversion key storage unit 73, and the transmission / reception unit 74. Is provided.
The ciphertext verification unit 71 determines whether or not the ciphertext format is appropriate. ID _i which is identification information of the decryption right transfer device 50, public parameters palms (parms = (g, g ₁ , g ₂ , h)), ciphertext C _IDi corresponding to ID _i (C _IDi = (C ₁ , C ₂ , C ₃ )) are input, and the values x and y are calculated by the following equation (8).

The ciphertext verification unit 71 compares the values of x and y calculated above, and outputs 1 when x = y, and outputs 0 in other cases.
Ciphertext conversion unit 72 converts the IBE ciphertext _{C IDi} decryption right transfer device 50 to the IBE ciphertext _{C IDj} of the decoder right transfer device 60. The ciphertext conversion algorithm will be described below.
IBE public key ID _i of the decryption right transfer device 50, IBE public key ID _j of the decryption right transfer device 60, and a conversion key rk _IDj (rk _{IDj ==)} corresponding to the IBE public key ID _j of the decryption right transfer device 60 g ^ujα ), public parameter parms, and IBE ciphertext C _IDi (C _IDi = (C ₁ , C ₂ , C ₃ )) encrypted with the IBE public key of the decryption right transfer device 60 The IBE ciphertext C _IDi is converted into the IBE ciphertext C _IDj by the equation (9).

The conversion key storage unit 73 stores a combination of an arbitrary ID and another arbitrary _ID in association with the conversion key rk _ID . In the following description, a combination of an arbitrary ID _i and another arbitrary ID _j is expressed as IDi → IDj, and when expressed as (ID _i → ID _j , rk _IDj ), the IBE ciphertext C _{IDi Indicates} that the key to be converted from IBE ciphertext C _IDj is the conversion key rk _IDj .
The transmission / reception unit 74 receives the conversion key from the RKG device 90, receives the IBE ciphertext from the decryption right transfer device 50, and transmits the converted IBE ciphertext to the decryption right transfer device 60.

The RKG device 90 is a device that generates a conversion key, and includes a conversion key generation unit 91, an RKG storage unit 92, a signature verification unit 93, and a transmission / reception unit 94.
The conversion key generation unit 91 decodes a part of the main secret key α of the PKG device 80, the IBE public key ID _j of the decryption right transfer device 60, and the decryption target corresponding to the IBE public key IDj of the decryption right transfer device 60. The conversion key rk _IDj is calculated by the following equation (10) with the part of the IBE private key d ₁ (d ₁ = g ^uj ) of the right transfer device 60 and the public parameter parms as input.

The RKG storage unit 92 stores the conversion key, a part α of the main secret key of the PKG device 80, and the public parameter parms. The signature verification unit 93 has the same configuration as the signature verification unit 15, and the transmission / reception unit 94 has the same configuration as the transmission / reception unit 17.
Hereinafter, an operation example of the second embodiment according to the present invention will be described with reference to FIGS.
The PKG device 80 operates the setup processing unit 81 to generate a main secret key mk (mk = (g ₂ ^α , α)) and a public parameter parms, and stores them in the PKG information storage unit 85 (step S301). The PKG device 80 transmits a part α of the generated main secret key mk to the RKG device 90 (step S302).

The PKG device 80 operates the signature key generation unit 83 (step S303), generates a signature key / verification key pair, and stores the pair in the PKG information storage unit 85. The signature key generation unit 83 may perform the process of generating the signature key and the verification key before the signature processing unit 84 performs the process of generating the signature of the IBE private key later.
When the PKG device 80 operates by inputting ID _j to the IBE secret key generation unit 82, the IBE secret key generation unit 82 generates an IBE secret key sk _IDj (sk _IDj = (d ₀ , d ₁ )). (Step S304). The IBE secret key generation unit 82 may perform the process of generating the IBE secret key before the corresponding decryption right transfer device 60 performs the transfer of the decryption right, and is not necessarily performed continuously with the setup process. Absent.

The PKG device 80 inputs the signature key generated by the signature key generation unit 83 and data obtained by combining d ₁ and ID _j to the signature processing unit 84 to generate a signature σ _e . Then, the PKG device 80 _transmits the IBE private key sk _IDj and the signature σ _e to the decryption right transfer device 60 (step S305). Moreover, there is no restriction | limiting in the order which produces | generates an IBE private key, What is necessary is just to produce | generate by the time of ciphertext decryption right transfer.

An operation example in which the decryption right transfer device 50 transfers the decryption right to the decryption right transfer device 60 will be described below.
The decryption right transfer device 60 transmits IDj, d ₁ (d ₁ = g ^uj ), which is a part of the IBE private key sk _IDj , and the signature σ _e to the RKG device 90 (step S401). Upon receiving d ₁ , signature σ _e, and IDj, the RKG device 90 inputs and operates the signature verification unit 93 together with the verification key of the PKG device 80 to verify the validity of the signature σ _e (step S402).

If the signature σ _e is valid, the RKG device 90 sends the IBE public key ID _j of the decryption right transfer device 60 to the conversion key generation unit 91 and the part α of the main secret key stored in the RKG storage unit 92. The public parameter palms is input to generate a conversion key rk _IDj (rk _IDj = ^gujα ) (step S403). The RKG device 90 transmits the index ID _i → ID _j and the conversion key rk _IDj to the ciphertext conversion device 70 (step S404). The ciphertext conversion apparatus 70 stores the index ID _i → ID _j and the conversion key rk _IDj in the conversion key storage unit 73.

Next, an operation example in which the ciphertext conversion apparatus 70 converts the ciphertext will be described.
The decryption right transfer device 50 _transmits the user ID _i of the decryption right transfer device 50, the IBE ciphertext C _IDi, and the ID _j that is the ID of the conversion destination of the converted ciphertext to the ciphertext conversion device 70 (step) S405).
When the ciphertext conversion apparatus 70 receives the user ID _i of the decryption right transfer apparatus 50, the IBE ciphertext C _IDi, and ID _j that is the ID of the conversion destination of the ciphertext to be converted, the ciphertext conversion apparatus 70 _reads the corresponding index from the conversion key table. It is determined whether there is a combination of (ID _i → ID _j ) and a conversion key (rk _IDj ) (step S406). When there is no combination of the corresponding index (ID _i → ID _j ) and conversion key (rk _IDj ), ciphertext conversion is not performed.

On the other hand, when there is a combination of the corresponding index (ID _i → ID _j ) and conversion key (rk _IDj ), the ciphertext conversion apparatus 70 receives the ciphertext using C _IDi , parms, and ID _i as input. The verification unit 71 is operated (step S407). The ciphertext verification unit 71 outputs a result of either 0 or 1. If the output result of the ciphertext verification unit 71 is 0, the ciphertext conversion apparatus 70 stops the conversion process. On the other hand, if the output result of the ciphertext verification unit 71 is 1, C _IDi , conversion key rk _IDj , public parameter parms, ID _i , and ID _j are input to the ciphertext conversion unit 72 to be converted. The ciphertext C _IDj is converted (step S408). If the conversion key is generated based on a part of the secret key of the delegator, the ciphertext verification unit 71 does not have to determine whether the ciphertext format is appropriate. . The ciphertext conversion apparatus 70 transmits the converted ciphertext C _IDj to the decryption right transfer apparatus 60 (step S409).
The decryption right transfer device 60 receives the converted ciphertext C _IDj , the IBE private key sk _IDj stored in the IBE information storage unit, and the public parameter parms as input, and detects the corresponding plaintext ( Step S410).

  As described above, according to the second embodiment, at the time of delegation right delegation, the decryption right delegation apparatus transmits the decryption right delegation apparatus from the plurality of decryption right delegation apparatuses using the IBE private key already used. The ciphertext converted by the text conversion device can be decrypted. In addition, an environment can be efficiently constructed by installing an RKG device in an environment for decryption right delegation by the IBE method that is commonly used in general.

  Information necessary for generating the conversion key is generated in advance by the PKG device 80 and transmitted to the decryption right delegation device 60 together with the electronic signature, and the decryption right delegation device 60 receives a part of the IBE private key and the electronic signature. And is transmitted to the RKG device 90 at the time of delegation of the decryption right, so that the number of secret keys held by the decryption right delegation device 60 is only one regardless of the number of times of decryption right delegation. . Further, once the PKG device 80 generates the IBE private key and the electronic signature based on the combined data of the IBE private key and a part of the IBE private key, it is necessary to generate the key every time the decryption right is transferred. Absent.

That is, as long as the PKG device 80 proves the validity of the secret key of the ID-based encryption method generated for the decryption right delegation device 60, the decryption right delegation device 60 decrypts from a plurality of different decryption right delegation devices. Even when there is a request for delegation of rights, a conversion key can be generated by causing the RKG device 90 to use a part of the same IBE private key, the IBE public key, and the electronic signature. That is, only one secret key is required to be stored and managed by the decryption right delegation device 60 for the transfer of the decryption right, and the secret key generation cost of the PKG device 80 and the management cost of the secret key of the decryption right delegation device 60 are greatly increased. The plaintext can be exchanged with a mathematical safety.
Further, a ciphertext decryption right provided with a decryption right delegation device 50, a decryption right delegation device 60, a PKG device 80, and a ciphertext conversion device 70, which are widely used in general and perform encryption / decryption by an ID-based encryption method. By adding the RKG device 90 to the delegation system, an environment can be constructed utilizing the existing system.

  The program for realizing the function of the processing unit in the present invention is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to execute a ciphertext decryption right. Delegation may be performed. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

1 is a block diagram showing a system according to a first embodiment of the present invention. It is a sequence diagram which shows operation | movement of the system by the 1st Embodiment of this invention. It is a sequence diagram which shows operation | movement of the system by the 1st Embodiment of this invention. It is a block diagram which shows the system by the 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the system by the 2nd Embodiment of this invention. It is a sequence diagram which shows operation | movement of the system by the 2nd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Decryption right transfer apparatus 11 PKE key generation part 12 PKE encryption process part (PKE encryption means)
13 PKE decryption unit 14 Conversion key generation unit (conversion key generation means)
15 Signature verification unit (electronic signature verification means)
16 Decryption Right Delegation Information Storage Unit 17 Transmission / Reception Unit 20 Decrypted Right Delegation Device 21 IBE Encryption Processing Unit 22 IBE Decryption Unit (IBE Decryption Unit)
23 IBE Information Storage Unit 24 Transmission / Reception Unit 30 Ciphertext Conversion Device 31 Ciphertext Conversion Unit (Ciphertext Conversion Unit)
32 Conversion key storage unit 33 Transmission / reception unit 40 PKG device (secret key generation device)
41 Setup processing unit 42 IBE private key generation unit (IBE private key generation means)
43 Signature key generation unit 44 Signature processing unit (electronic signature means)
45 PKG information storage unit 46 Transmission / reception unit 50 Decryption right delegation device 51 IBE encryption processing unit (IBE encryption means)
52 IBE Decryption Unit 53 IBE Secret Key Storage Unit 54 Transmission / Reception Unit 60 Decrypted Right Delegation Device 70 Ciphertext Conversion Device 71 Ciphertext Verification Unit (ciphertext verification means)
72 Ciphertext conversion unit (ciphertext conversion means)
73 Conversion key storage unit 74 Transmission / reception unit 80 PKG device (secret key generation device)
81 Setup processing unit 82 IBE private key generation unit (IBE private key generation means)
83 Signature Key Generation Unit 84 Signature Processing Unit (Electronic Signature Means)
85 PKG information storage unit 86 Transmission / reception unit 90 RKG device (conversion key generation device)
91 Conversion key generation unit (conversion key generation means)
92 RKG storage unit 93 Signature verification unit (electronic signature verification means)
94 Transceiver

Claims (5)

The ciphertext encrypted with the public key by the decryption right delegation device is decrypted by using a secret key that is different from the secret key corresponding to the public key and is based on the ID-based encryption method based on the main secret key. A ciphertext decryption right delegation system for decryption by a right delegation device,
IBE secret key generation means for generating a secret key of the ID-based encryption scheme used by the decryption right transfer device based on the main secret key;
An electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method;
An electronic signature verification means for determining the validity of the electronic signature;
When the electronic signature verification means determines that the electronic signature is valid, the electronic signature is encrypted with the public key based on a private key corresponding to the public key and a part of the private key of the ID-based encryption method. A conversion key generating means for generating a conversion key for converting the ciphertext into a ciphertext decrypted with the secret key of the ID-based encryption method;
Ciphertext converting means for converting ciphertext encrypted with the public key into ciphertext that can be decrypted with the secret key of the ID-based encryption method using the conversion key;
A ciphertext decryption right delegation system comprising: The ciphertext encrypted with the public key by the decryption right delegation device is decrypted by using a secret key that is different from the secret key corresponding to the public key and is based on the ID-based encryption method based on the main secret key. A ciphertext decryption right delegation system for decryption by a right delegation device,
The secret key generation device
IBE secret key generation means for generating a secret key of the ID-based encryption scheme used by the decryption right transfer device based on the main secret key;
Electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method,
The decryption right transfer device
PKE encryption means for generating a PKE ciphertext by encrypting a plaintext using a PKE public key in a PKE encryption method;
Electronic signature verification means for determining the validity of the electronic signature generated by the secret key generation device;
When the electronic signature verification means determines that the electronic signature is valid, based on a PKE private key that is a private key corresponding to the PKE public key and a part of the private key of the ID-based encryption method, Conversion key generation means for generating a conversion key for converting a PKE ciphertext encrypted with a PKE public key into a converted ciphertext decrypted with a secret key of the ID-based encryption method,
The ciphertext conversion device
Ciphertext conversion means for converting the PKE ciphertext into a converted ciphertext of the ID-based encryption method using the conversion key generated by the decryption right transfer device;
The decryption right transfer device
A ciphertext decryption right delegation system comprising IBE decryption means for decrypting the converted ciphertext based on a secret key of the ID-based encryption method. The ciphertext encrypted with the public key by the decryption right delegation device is decrypted by using a secret key that is different from the secret key corresponding to the public key and is based on the ID-based encryption method based on the main secret key. A ciphertext decryption right delegation system for decryption by a right delegation device,
The secret key generation device
IBE secret key generation means for generating a secret key of an ID-based encryption method used by the decryption right transfer device based on the main secret key;
Electronic signature means for generating an electronic signature based on a part of the secret key of the ID-based encryption method,
The decryption right transfer device
Having an IBE encryption means for generating an IBE ciphertext obtained by encrypting a plaintext by an ID-based encryption method;
The conversion key generation device
Electronic signature verification means for determining the validity of the electronic signature generated by the secret key generation device;
When it is determined by the electronic signature verification means that the electronic signature is valid, the decryption right transfer device generates the decryption right delegation device based on a part of the main secret key and a part of the secret key by the ID-based encryption method Conversion key generation means for generating a conversion key for converting an IBE ciphertext into a converted ciphertext decrypted with a secret key of an ID-based encryption scheme used by the decryption right delegation device;
The ciphertext conversion device
Using the conversion key generated by the conversion key generation device, the IBE ciphertext encrypted by the ID-based encryption method is decrypted by the secret key of the ID-based encryption method used by the decryption right transfer device Having ciphertext conversion means for converting into a sentence,
The decryption right transfer device
A ciphertext decryption right delegation system comprising IBE decryption means for decrypting the converted ciphertext based on a secret key of the ID-based encryption method. The ciphertext encrypted with the public key by the decryption right delegation device is decrypted by using a secret key that is different from the secret key corresponding to the public key and is based on the ID-based encryption method based on the main secret key. In the computer provided in the ciphertext decryption right delegation system that the right delegation device decrypts,
An IBE secret key generation step for generating a secret key of the ID-based encryption scheme used by the decryption right transfer device based on the main secret key as a secret key generation device;
An electronic signature step for generating an electronic signature based on a part of the secret key of the ID-based encryption method as a secret key generation device;
A PKE encryption step for generating a PKE ciphertext by encrypting a plaintext using a PKE public key by a PKE encryption method as the decryption right delegation device;
An electronic signature verification step for determining the validity of the electronic signature generated by the secret key generation device as the decryption right transfer device;
When it is determined that the electronic signature is valid as the decryption right transfer device, based on a PKE private key that is a private key corresponding to the PKE public key and a part of the private key of the ID-based encryption method, A conversion key generating step for generating a conversion key for converting the PKE ciphertext encrypted with the PKE public key into a converted ciphertext decrypted with the secret key of the ID-based encryption method;
A ciphertext conversion step for converting the PKE ciphertext into a converted ciphertext of the ID-based cryptosystem using the conversion key generated by the decryption right transfer device as a ciphertext conversion device;
A ciphertext decryption right delegation program for executing, as the decryption right transfer device, an IBE decryption step of decrypting the converted ciphertext based on a secret key of the ID-based encryption method. The ciphertext encrypted with the public key by the decryption right delegation device is decrypted by using a secret key that is different from the secret key corresponding to the public key and is based on the ID-based encryption method based on the main secret key. In the computer provided in the ciphertext decryption right delegation system that the right delegation device decrypts,
An IBE secret key generating step for generating a secret key of an ID-based encryption method used by the decryption right transfer device based on the main secret key as a secret key generating device;
An electronic signature step for generating an electronic signature based on a part of the secret key of the ID-based encryption method as a secret key generation device;
An IBE encryption step for generating an IBE ciphertext obtained by encrypting a plaintext by an ID-based encryption method as the decryption right transfer device;
An electronic signature verification step for determining the validity of the electronic signature generated by the secret key generation device as a conversion key generation device;
When it is determined that the electronic signature is valid as a conversion key generation device, the decryption right delegation device generates the decryption right delegation device based on a part of the main secret key and a part of the secret key by the ID-based encryption method. A conversion key generating step for generating a conversion key for converting an IBE ciphertext into a converted ciphertext decrypted with a secret key of an ID-based encryption scheme used by the decryption right delegation device;
Using the conversion key generated by the conversion key generation device as the ciphertext conversion device, the IBE ciphertext encrypted by the ID-based encryption method is a secret key of the ID-based encryption method used by the decryption right transfer device. A ciphertext conversion step for converting the decrypted ciphertext to be decrypted;
A ciphertext decryption right delegation program for executing, as the decryption right transfer device, an IBE decryption step of decrypting the converted ciphertext based on a secret key of the ID-based encryption method.

Images