JP5513444B2 - Vector configuration system, method, apparatus, program, and encryption system - Google Patents

Description

  The present invention relates to information security technology. In particular, the present invention relates to a technique for sharing the same information between two parties.

Non-patent document 1 proposes predicate encryption with attribute concealment, and by using inner product predicates, various logical sums can be embedded in ciphertexts and keys using encryption functions and key generation functions. In the inner product predicate, for example, there are t logical products of n attributes, and predicate logic in which these t logical products are combined with logical sum, that is, a predicate on the logical sum of t logical products of n attributes. Can handle logic. An example of predicate logic when n = 2, t = 2 is as follows: the attribute “position” is the general manager and the attribute “department” is the personnel department, or the attribute “position” is the general manager and the attribute “ “Department” is the Human Resources Department.
(Title = General Manager and Department = Human Resources Department)
Or (Title = Manager and Department = General Affairs Department)

In general, the predicate logic for a logical product t of logical sums of n attributes is n attribute values x _i (i = 1,2, ..., n) ∈F _q , t × n predicate values v _{j, i} (j = 1,2,…, t, i = 1,2,…, n) ∈F _q , t × n random numbers r _{j, i} (j = 1,2,…, t, i = 1,2, ..., n) ∈F _q can be described as follows. F _q is a finite field of order q. Here, V _j = −Σ _{i = 1} ⁿ r _{j, i} v _{j, i} .

(r _1,1 (x ₁ -v _1,1 ) + r _1,2 (x ₂ -v _1,2 ) + r _1,3 (x ₃ -v _1,3 ) +… + r _{1, n} ( x _n -v _{1, n} )]
× [r _2,1 (x ₁ -v _2,1 ) + r _2,2 (x ₂ -v _2,2 ) + r _2,3 (x ₃ -v _2,3 ) +… + r _{2, n} (x _n -v _{1, n} )]
× ...
× [r _{t, 1} (x ₁ -v _{t, 1} ) + r _{t, 2} (x ₂ -v _{t, 2} ) + r _{t, 3} (x ₃ -v _{t, 3} ) +… + r _{t, n} (x _n -v _{t, n} )]
= Π _{j = 1} ^t Σ _{i = 1} ⁿ r _{j, i} (x _i -v _{j, i} )
= Π _{j = 1} ^t (Σ _{i = 1} ⁿ r _{j, i} x _i -Σ _{i = 1} ⁿ r _{j, i} v _{j, i} )
= Π _{j = 1} ^t (Σ _{i = 1} ⁿ r _{j, i} x _i + V _j )
If the value of this expression becomes 0, it can be determined that the predicate logic satisfies a predetermined condition.

Σ _{i = 1} ⁿ r _{j, i} x _i + V _j is composed of n + 1 terms when viewed as a polynomial for x _i . Therefore, Π _{j = 1} ^t (Σ _{i = 1} ⁿ r _{j, i} x _i + V _j ) is _{n + 1} H _t = _{n + 1 + t-1} C _{t when} viewed as a polynomial for x _i = (n + t)! / n! t! Therefore, Π _{j = 1} ^t (Σ _{i = 1} ⁿ r _{j, i} x _i + V _j ) is expressed as (n + t)! / N! T! Dimension attribute vector and (n + t)! It can be regarded as an inner product with a / n! t! -dimensional predicate vector. An attribute vector is a vector composed of attribute values x _i , and a predicate vector is a vector composed of predicate values v _{j, i} .

Jonathan Katz, Amit Sahai, Brent Waters, “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products”, EUROCRYPTO 2008, LNCS 4965, pp.146-162, 2008

  In the technique described in the background art, each of the attribute vector and the predicate vector has (n + t)! / N! T! Dimensions.

  An object of the present invention is to provide a vector configuration system, a method, an apparatus, a program, and an encryption system that make each dimension number of an attribute vector and a predicate vector equal to or less than the dimension number of the technique described in the background art.

The vector configuration system according to one aspect of the present invention generates common parameters r ₁ , r ₂ ,..., R _n that are elements or integers of F _q , where n is a positive integer and F _q is a finite field. and a device, a t a positive integer, x _1, x _2, ..., and x _n ∈F _q, as ^{_{X = Σ i = 1 n r}} i x i, X t, X t-1, ..., X 1 , X ⁰ and an attribute vector generation device for generating an attribute vector, and v _{j, 1} , v _{j, 2} ,..., V _{j, n} ∈F _q, and V _j = −Σ _{i = 1} ⁿ r _i v _j, and _i, and s ₀ = 1, a s _k as k-th symmetric polynomials of _{V j, s 0, s 1} , ..., and a predicate vector generation apparatus for generating a predicate vector with a s _t elements, including.

  The number of dimensions of the attribute vector and the predicate vector related to the predicate logic for the logical product t of the n attributes can be set to t + 1.

The block diagram for demonstrating the structure of the vector structure system of embodiment. The block diagram for demonstrating the structure of the modification of the vector structure system of embodiment. The block diagram for demonstrating the structure of the modification of the vector structure system of embodiment. The block diagram for demonstrating the structure of the modification of the vector structure system of embodiment. The block diagram for demonstrating the structure of an example of an encryption system. The flowchart for demonstrating the vector structure system of embodiment.

  An embodiment of the present invention will be described below with reference to the drawings.

[Technical background]
First, the technical background will be described.

In the background art, there are t logical products of n attributes, and predicate logic in which these t logical products are combined with logical sum, that is, predicate logic for t logical sums of n attributes. N attribute values x _i (i = 1,2, ..., n) ∈F _q , t × n predicate values v _{j, i} (j = 1,2, ..., t, i = 1, 2, ..., n) ∈F _q and t × n random numbers r _{j, i} (j = 1,2, ..., t, i = 1,2, ..., n) ∈F _q . Each of n and t is a positive integer, and F _q is a finite field of order q.

On the other hand, in this embodiment, instead of t × n random numbers r _{j, i} (j = 1, 2,..., T, i = 1, 2,..., N) ∈F _q , F _q The predicate logic is described using n common parameters r _i (i = 1, 2,..., N) that are elements or integers. Attribute value x _i (i = 1,2, ..., n) ∈F _q and predicate value v _{j, i} (j = 1,2, ..., t, i = 1,2, ..., n) ∈F _q The same as the background art. Specifically, the predicate logic for the logical product t of the logical product of n attributes is expressed as follows. If the value of this expression becomes 0, it can be determined that the predicate logic satisfies a predetermined condition.

(r ₁ (x ₁ -v _1,1 ) + r ₂ (x ₂ -v _1,2 ) + r ₃ (x ₃ -v _1,3 ) +… + r _n (x _n -v _{1, n} ) ]
× [r ₁ (x ₁ -v _2,1 ) + r ₂ (x ₂ -v _2,2 ) + r ₃ (x ₃ -v _2,3 ) +… + r _n (x _n -v _{1, n} )]
× ...
× [r ₁ (x ₁ -v _{t, 1} ) + r ₂ (x ₂ -v _{t, 2} ) + r ₃ (x ₃ -v _{t, 3} ) +… + r _n (x _n -v _{t, n} )]
= Π _{j = 1} ^t Σ _{i = 1} ⁿ r _i (x _i -v _{j, i} )
= Π _{j = 1} ^t (Σ _{i = 1} ⁿ r _i x _i -Σ _{i = 1} ⁿ r _i v _{j, i} )
= Π _{j = 1} ^t (X + V _j )
= X ^t + (V ₁ + V ₂ +… + V _t ) X ^t-1 + (V ₁ V ₂ + V ₁ V ₃ … + V _t-1 V _t ) X ^t-2 +… + (V ₁ V ₂ … V _t-1 V _t ) X ⁰
= Σ _{k = 1} ^t s _k X ^tk
= (X ^t , X ^t-1 , X ^t-2 ,…, X, 1) (s ₀ , s ₁ ,…, s _t ) ^T
Where X = Σ _{i = 1} ⁿ r _i x _i , V _j = −Σ _{i = 1} ⁿ r _i v _{j, i} , s ₀ = 1, s _k is the k-th order basic symmetry formula of V _j , ( ) ^T is the transpose of For example, a first order symmetric polynomials _{s 1 = V 1 + V 2} + ... + V n, is a quadratic symmetric polynomials _{s 2 = V 1 V 2 +} V 1 V 3 ... + V n-1 V n . The k-th order basic symmetric expression s _k can be written as follows, _{where k} is a positive integer less than or equal to t.

Where X ^t , X ^t-1 , X ^t-2 , ..., X, 1 elements, ie, (X ^t , X ^t-1 , X ^t-2 , ..., X, 1) are attributes Let it be a vector. Further, it s _0, s _1, ..., vector with a s _t elements, i.e. _{(s 0, s 1, ...} , s t) and ^T is the predicate vector.

Thus, by using n common parameters r _i (i = 1, 2,..., N), the number of dimensions of the attribute vector and the predicate vector becomes t + 1, and the number of dimensions of the background technology (n + t)! / n! t! Thereby, the calculation amount of the cryptographic technique using this attribute vector and predicate vector can be reduced. In this way, by sharing a common parameter r _i, even with a reduced number of these common parameters r _i, there is no problem in safety.

[Embodiment]
One embodiment of a vector configuration system and method is shown below.

  As shown in FIG. 1, the vector configuration system includes, for example, a common parameter generation device 1, an attribute vector generation device 2, a predicate vector generation device 3, and a determination device 4. The vector construction system performs processing of each step of the vector construction method illustrated in FIG.

The common parameter generation device 1 generates n common parameters r _i (i = 1, 2,..., N), which are elements or integers of F _q (step S1). For example, let r _i be a random number. That is, let r _i be an element selected at random from F _q . The generated common parameter r _i is transmitted to the attribute vector generation device 2 and the predicate vector generation device 3.

Attribute vector generating apparatus 2, by using the attribute value x _i and the common parameters ^{_{r i, X t, X t}} -1, ..., X 1, attribute vector to the X ⁰ element ^{(X t, X t-1} , X ^t-2 ,..., X, 1) are generated (step S2). As explained in the technical background section, X = Σ _{i = 1} ⁿ r _i x _i . The generated attribute vector is transmitted to the determination device 4 in this example.

Here, X = Σ _{i = 1} ⁿ r _i x _i . The calculation of the power of X may be performed by repeating the operation of multiplying the already calculated power of X by X. For example, an efficient calculation method described in Reference 1 may be used. It may be used.

  [Reference 1] WIEB BOSMA, “Signed bits and fast exponentiation”, Journal de Theorie des Nombres de Bordeaux, tome 13, n0 1, pp.27-41, 2001

The attribute vector generation device 2 itself may generate the attribute value x _i , or a device other than the attribute vector generation device 2, for example, the setup device 5 of FIG. 4 may generate the attribute value x _i .

Predicate vector generation device 3, with the predicate value v _{j, i} and the common parameter _{r i, s 0, s 1} , ..., a predicate vector with a s _t element _{(s 0, s 1, ...} , s t) ^T is generated (step S3). As described in the technical background section, let v _{j, 1} , v _{j, 2} , ..., v _{j, n} ∈F _q , V _j = -Σ _{i = 1} ⁿ r _i v _{j, i} , s _k is the k-th order basic symmetry formula of V _j . However, s ₀ = 1. The generated predicate vector is transmitted to the determination device 4 in this example.

The predicate vector generation device 3 itself may generate the predicate value v _{j, i} , or a device other than the predicate vector generation device 3, for example, the setup device 5 in FIG. 4 may generate the predicate value v _{j, i.} .

Determination unit 4, the attribute vector ^{(X t, X t-1} , X t-2, ..., X, 1) and the predicate vector _{(s 0, s 1, ...} , s t) the inner product of the ^T becomes 0 (Step S4). If the inner product is 0, it can be determined that the predetermined condition is satisfied, and if the inner product is not 0, it can be determined that the predetermined condition is not satisfied.

[Example of application to cryptographic system]
The attribute vector and the predicate vector generated by the vector construction system and method can be used for a cryptographic system using function encryption or inner product predicate encryption. That is, a cryptographic system for function encryption or inner product predicate encryption using an attribute vector and a predicate vector may have the above-described vector configuration system. For the encryption system of inner product predicate encryption using attribute vectors and predicate vectors, see, for example, References 2 to 4. Further, the inner product predicate encryption using the attribute vector and the predicate vector can hierarchically use the search for the encryption information of the file server as in Reference 5, for example. For a cryptographic system for function encryption using attribute vectors and predicate vectors, see Reference Document 6, for example.

[Reference 2] ABLewko, T. Okamoto, A. Sahai, K. Takashima, B. Waters, “Fully
secure functional encryption: Attribute-based encryption and (hierarchical)
inner product encryption ”, In EUROCRYPT, pp.62-91, 2010
[Reference 3] N.Matsuda, M.Hattori, T.Ito, T.Yoneda, “Secure datacenter systems with hierarchical predicate encryption”, In Symp. On Cryptography and Information Security, 2010
[Reference 4] T.Okamoto, K. Takashima, “Hierarchical predicate encryption for innerproducts”, In ASIACRYPT, pp.214-231, 2009
[Reference 5] R. Yoshida, A. Nagai, T. Kobayashi, “Hierarchical predicate encryption with keyword search in multi-user setting”, In Computer Security Symposium, 2010
[Reference 6] T. Okamoto, K. Takashima, “Fully secure functional encryption with general relations from the decisional linear assumption”, In CRYPTO, pp.191-208, 2010.

  Hereinafter, an example of an encryption system including the vector configuration system will be described with reference to FIG. The encryption system of this example includes a common parameter generation device 1, an attribute vector generation device 2, a predicate vector generation device 3, an encryption device 6, a key generation device 7, and a decryption device 8. In this example, the attribute vector generation device 2 is included in the encryption device 6, and the predicate vector generation device 3 is included in the key generation device 7.

  A public parameter prm and a master secret key msk are generated by a setup device (not shown), the public parameter prm is distributed to each device, and the master secret key msk is distributed to the key generation device 7.

Since the processes of the common parameter generation device 1, the attribute vector generation device 2, and the predicate vector generation device 3 are the same as those described above, a duplicate description is omitted. Hereinafter, the attribute vector (X ^t , X ^t−1 , X ^t−2 ,..., X, 1) generated by the attribute vector generation device 2 is expressed as x ^→, and the predicate generated by the predicate vector generation device 3. The vector (s ₀ , s ₁ ,..., St _t ) ^T is expressed as u ^→ .

The encryption device 6 encrypts the plaintext m by the predetermined encryption algorithm Enc using the public parameter prm and the attribute vector x ^→ to generate a ciphertext c. The ciphertext c is transmitted to the decryption device 8.
c = Enc (prm, x ^→ , m)

The key generation device 7 generates a key k from a predetermined key generation algorithm KeyGen using the master secret key msk, the predicate vector u ^→, and the public parameter prm. The key k is transmitted to the decryption device 8.
k = KeyGen (msk, u ^→ , prm)

The decryption device 8 decrypts the ciphertext c using a predetermined decryption algorithm Dec using the key k, and generates plaintext m.
m = Dec (k, c)

[Modifications, etc.]
The common parameter generation device 1 may be included in the attribute vector generation device 2 as shown in FIG. Similarly, the common parameter generation device 1 may be included in the predicate vector generation device 3 as shown in FIG.

  Further, as shown in FIG. 4, the common parameter generation device 1 may be included in the setup device 5.

In this case, the setup device 5 first generates an attribute value x _i . Then, the setup device 5 calculates a new attribute value r _i x _i that is the product of the common parameter r _i generated by the common parameter generation device 1 and the attribute value x _i , and calculates the calculated new attribute value r _i x _i. Is transmitted to the attribute vector generation device 2. The attribute vector generation device 2 generates an attribute vector using the new attribute value r _i x _i . The setup device 5 first generates a predicate value v _{j, i} . Then, the setup device 5 calculates a new predicate value r _i v _{j, i} that is the product of the common parameter r _i generated by the common parameter generation device 1 and the predicate value v _{j, i} , and the calculated new predicate value r _i v _{j, i} is transmitted to the predicate vector generation device 3. The predicate vector generation device 3 generates a predicate vector using the new predicate value r _i v _{j, i} .

  Data exchange between the devices may be performed directly or via a storage unit (not shown). Similarly, data exchange within each device may be performed directly or via a storage unit (not shown).

  In addition, the present invention is not limited to the above-described embodiment. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  Further, when the above-described configuration is realized by a computer, the processing content of each unit that each device should have is described by a program. Each part is realized on the computer by executing this program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Common parameter generation apparatus 2 Attribute vector generation apparatus 3 Predicate vector generation apparatus

Claims (6)

a common parameter generator for generating common parameters r ₁ , r ₂ ,..., r _n which are elements or integers of F _q , where n is a positive integer, F _q is a finite field,
a t a positive _{integer, x 1, x 2, ...} , and x _n ∈F _q, as ^{_{X = Σ i = 1 n r}} i x i, X t, X t-1, ..., X 1, X 0 An attribute vector generation device for generating an attribute vector having an element as an element,
v _{j, 1} , v _{j, 2} , ..., v _{j, n} ∈F _q , V _j = -Σ _{i = 1} ⁿ r _i v _{j, i} , s ₀ = 1, s _k is V _j as k order symmetric polynomials, s _0, s _1, ..., and a predicate vector generation apparatus for generating a predicate vector with a s _t elements,
Vector composition system including   A cryptosystem of function cryptography or inner product predicate cryptography comprising the vector configuration system of claim 1. Common parameter generating device, and n is a positive integer, the F _q as finite field, a common parameter generating step of generating a common parameter _{r 1, r 2, ... r} n is the original or an integer of F _q,
The attribute vector generation device sets t to a positive integer, x ₁ , x ₂ ,..., X _n ∈ F _q , X = Σ _{i = 1} ⁿ r _i x _i , X ^t , X ^t−1 ,. , X ¹ , Attribute vector generation step for generating an attribute vector having X ⁰ as elements,
The predicate vector generation device has v _{j, 1} , v _{j, 2} ,..., V _{j, n} ∈F _q , V _j = −Σ _{i = 1} ⁿ r _i v _{j, i} , s ₀ = 1, the s _k as k-th symmetric polynomials of _{V j, s 0, s 1} , ..., and a predicate vector generation step of generating a predicate vector with a s _t elements,
A vector construction method including: n is a positive integer, F _q is a finite field, F _q is a common parameter r ₁ , r ₂ ,..., r _n , t is a positive integer, x ₁ , x ₂ ,. x _n ∈ F _q , X = Σ _{i = 1} ⁿ r _i x _i , X ^t , X ^t−1 ,..., X ¹ , X ⁰ , X ¹ , X ⁰ , X ⁰ n is a positive integer, F _q is a finite field, F _q is a common parameter r ₁ , r ₂ ,..., r _n , v _{j, 1} , v _{j, 2 ,. n} ∈ F _q , V _j = -Σ _{i = 1} ⁿ r _i v _{j, i} , s ₀ = 1, s _k is the k-th basic symmetric expression of V _j , s ₀ , s ₁ ,. A vector constructing device that generates a predicate vector having s _t as an element.   The program for functioning a computer as each part of the vector structure apparatus of Claim 4 or 5.

Images