JP5799635B2 - ENCRYPTED DATA SEARCH SYSTEM, DEVICE, METHOD, AND PROGRAM - Google Patents

Description

  The present invention relates to an encrypted data search system, an encrypted data search device, an encrypted data search method, and an encrypted data search program.

  In recent years, the importance of security in cloud services has been widely recognized. For example, there is a service for storing encrypted data in a database on a cloud network and retrieving the data from the database when necessary. At this time, it is necessary to confirm which encryption data the user needs. For example, it is conceivable to extract all the encrypted data stored in the database and decrypt it to find the necessary data. However, with this method, every time data is to be extracted from the database, all the encrypted data must be downloaded to the user side, which is undesirable from the viewpoint of convenience and communication cost. Therefore, a service using a searchable encryption method that searches encrypted data while being encrypted has been proposed. As a related technique, for example, Non-Patent Document 1 describes a searchable encryption method.

D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public Key Encryption with Keyword Search", EUROCRYPT2004, LNCS3027, pp.506--522, 2004.

  Many of the common searchable encryption methods generate encrypted data by encrypting the data using a public key of a certain user, and encrypt it by generating a search query using the secret key of the user. Search is possible as it is. Therefore, the user who can search for one encryption data is limited to only a user having a secret key.

  However, in consideration of document management in a company, there are cases where it is desired that a plurality of persons have the authority to access one data, and that only a plurality of persons having the authority can search. When using the above general searchable encryption method, a method such as sharing a secret key between authorized persons is used in order to allow retrieval by authorized persons with respect to one data. Need to be realized. However, this method is generally undesirable because it increases the risk of secret key leakage.

  It is also possible to set up a server holding a secret key and manage the access right to the server to permit a plurality of people to search for encrypted data. However, in this method, since the server holds the secret key, all encrypted data can be retrieved by taking over the server. For this reason, the server is likely to be the target of the attack, and security measures are important, leading to an increase in cost. Further, in this method, the server administrator can arbitrarily access the server, and therefore, when the administrator accesses the server maliciously, safety cannot be ensured.

  Non-Patent Document 1 describes a searchable cryptographic system that allows a plurality of people to search for one data using a proxy key composed of a service provider and a user's private key. However, with the method described in Non-Patent Document 1, all users who can access the database can perform a search. Therefore, when the data stored in the database is leaked, anyone who can obtain the data can perform a search, which may cause enormous damage.

  Therefore, the present invention provides an encrypted data search system, an encrypted data search apparatus, an encryption data search system, which can answer a search result to a search request from a plurality of users having different public / private keys and can reduce damage caused by data leakage. An object of the present invention is to provide a data search method and an encrypted data search program.

  An encrypted data search system according to the present invention includes a service providing device, a data registration device, a database device, a user device, and a proxy device. The service providing device includes a service public key and a service for encrypting data. Generate a service secret key corresponding to the public key, generate a proxy key for each user device, using the user secret key and service secret key generated by the user device requesting data search as inputs, and send to the proxy device The data registration device receives the service public key and data as input, and generates searchable encryption data. The database device stores searchable encryption data. The user device stores the searchable encryption data stored in the database device. On the other hand, a user query for requesting a data search is generated and transmitted to the proxy device. The proxy device receives a user query received from the user device and a proxy key for each user device received from the service providing device, and inputs a search query for requesting a search for searchable encrypted data stored in the database device. The user device is further characterized by generating a user query using the user secret key.

An encrypted data search apparatus according to the present invention is an encrypted data search apparatus for searching for data from searchable encrypted data generated using a service public key for encrypting data, wherein the user secret key generated by the user apparatus And the proxy key generated using the service secret key corresponding to the service public key and the user query requesting the search of the data generated by the user device using the user secret key are stored in the database device. characterized by comprising means for generating a search query order to retrieve data from the searchable encrypted data are.

Encrypted data search method according to the present invention, the service providing apparatus, generates a service public key and service secret key corresponding to the service's public key to encrypt the data, and user private key User chromatography The device has generated as input and service secret key to generate a proxy key for each user device, the data registration apparatus, as an input the service's public key and data to generate a searchable encrypted data, the generated searchable encrypted data in the database system It was stored, the user equipment, for the search cryptographic data stored in the database system to generate a user query for requesting retrieval of data using the user private key, the proxy device, the user query and the user equipment as inputs and proxy key generated every from searchable encrypted data stored in the database unit And generating a search query order to find the chromatography data.

Encrypted data retrieval program according to the present invention is a cryptographic data retrieval program for retrieving data from a searchable encrypted data generated by using the service's public key to encrypt the data, to a computer, the user equipment As an input, a proxy key generated using the generated user secret key and a service secret key corresponding to the service public key, and a user query requesting a search for data generated by the user device using the user secret key , characterized in that to execute a process of generating a search query order to retrieve data from the searchable encrypted data stored in the database system.

  According to the present invention, a search result can be answered in response to a search request from a plurality of users having different public keys / private keys, and damage caused by data leakage can be reduced.

It is a block diagram which shows the structural example of the encryption data search system by this invention. It is a block diagram which shows the structural example of a service provider apparatus. It is a block diagram which shows the structural example of a proxy server apparatus. It is a block diagram which shows the structural example of a user apparatus. It is a block diagram which shows the structural example of a data registration apparatus. It is a flowchart which shows an example of a service provider key generation process. It is a flowchart which shows an example of a user registration process. It is a flowchart which shows an example of a data registration process. It is a flowchart which shows an example of a search process. It is a flowchart which shows the specific example of a service provider key generation process. It is a flowchart which shows the specific example of a user registration process. It is a flowchart which shows the specific example of a data registration process. It is a flowchart which shows the specific example of a search process. It is a block diagram which shows the structural example of the data registration apparatus of 2nd Embodiment. It is a block diagram which shows the minimum structural example of an encryption data search system.

Embodiment 1. FIG.
Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of an encrypted data retrieval system according to the present invention. As shown in FIG. 1, the encrypted data retrieval system of the present embodiment includes a data registration device 10 for registering encrypted data, a database device 50 for storing encrypted data, a service provider device 20, and one or more user devices. 40-1, 40-2,..., 40-N and the proxy server device 30 are included. Each device is connected to each other via a communication network such as a LAN or the Internet.

  The service provider device 20 generates a public key pk_s used for generating encrypted data and a secret key sk_s corresponding thereto. Specifically, the service provider device 20 is realized by an information processing device such as a personal computer that operates according to a program.

  FIG. 2 is a block diagram illustrating a configuration example of the service provider device. As shown in FIG. 2, the service provider device 20 includes a key generation unit 201, a proxy key generation unit 202, and a data registration unit 203.

  Specifically, the key generation unit 201 is realized by a CPU of an information processing apparatus that operates according to a program. The key generation unit 201 has a function of generating a public key pk_s of a service provider used for encrypting data and a secret key sk_s corresponding thereto.

  Specifically, the proxy key generation unit 202 is realized by a CPU of an information processing apparatus that operates according to a program. The proxy key generation unit 202 has a function of generating a proxy key rk_i that allows a search for encrypted data while being encrypted, using the secret key sk_s and the secret key sk_i of the user i as inputs.

  Specifically, the data registration unit 203 is realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program. The data registration unit 203 has a function of registering the proxy key rk_i in the proxy server device 30.

  The proxy server device 30 responds to a search request received from the user device 40-i (a comprehensive representation of the user devices 40-1 to 40-3, i = 1 to 3). Using a proxy key corresponding to user i generated from the provider's private key and user i's private key, a search query that enables a search while being encrypted is generated. In addition, the proxy server device 30 searches the database device 50 for encrypted data corresponding to the search query. Specifically, the proxy server device 30 is realized by an information processing device such as a personal computer that operates according to a program.

  FIG. 3 is a block diagram illustrating a configuration example of the proxy server apparatus. As illustrated in FIG. 3, the proxy server device 30 includes a query conversion unit 301, a search request unit 302, and a search result transmission unit 303.

  Specifically, the query conversion unit 301 is realized by a CPU of an information processing apparatus that operates according to a program. The query conversion unit 301 receives the user query Q_i received from the user device 40-i and the stored proxy key rk_i as input, and performs a search while encrypting the encrypted data stored in the database device 50 It has a function to generate search query Q_s.

  Specifically, the search request unit 302 is realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program. The search request unit 302 has a function of making a search request to the database device 50 using the search query Q_s.

  Specifically, the search result transmission unit 303 is realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program. The search result transmission unit 303 has a function of transmitting a search result extracted from the database device 50 in response to a search request to the user device 40-i.

  The user device 40-i issues a search request for performing a search while encrypting the encrypted data. Specifically, the user device 40-i is realized by an information processing device such as a personal computer that operates according to a program.

  FIG. 4 is a block diagram illustrating a configuration example of the user apparatus. As shown in FIG. 4, the user device 40-i includes a registration request unit 401-i, a key generation unit 402-i, a proxy key generation unit 403-i, and a query generation unit 404-i.

  Specifically, the registration request unit 401-i is realized by a CPU and a network interface unit of an information processing apparatus that operates according to a program. The registration request unit 401-i has a function of requesting registration for a service.

  Specifically, the key generation unit 402-i is realized by a CPU of an information processing apparatus that operates according to a program. The key generation unit 402-i has a function of generating the public key pk_i of user i and the corresponding private key sk_i.

  Specifically, the proxy key generation unit 403-i is realized by a CPU of an information processing device that operates according to a program. The proxy key generation unit 403-i has a function of generating a proxy key rk_i that allows the search of encrypted data while being encrypted, with the service provider secret key sk_s and the user i secret key sk_i as inputs. Yes.

  Specifically, the query generation unit 404-i is realized by a CPU of an information processing apparatus that operates according to a program. The query generation unit 404-i has a function of generating a user query Q_i for searching for data.

  FIG. 5 is a block diagram illustrating a configuration example of the data registration device 10. Specifically, the data registration device 10 is realized by an information processing device such as a personal computer that operates according to a program.

  As shown in FIG. 5, the data registration device 10 receives the service provider's public key pk_s and data M (hereinafter also referred to as a message M), and generates encrypted data (hereinafter also referred to as searchable encrypted data). A possible encryption data generation unit 101 is included. Specifically, the searchable encryption data generation unit 101 is realized by a CPU of an information processing apparatus that operates according to a program. In this embodiment, searchable encrypted data is encrypted data that can be searched under a predetermined condition. However, the searchable encryption data can be searched under a predetermined condition and is not searchable unconditionally.

  The database device 50 includes a storage device such as an optical disk device or a magnetic disk device. The storage device of the database device 50 stores a database including searchable encrypted data. The database device 50 is a database server, for example, and is realized by an information processing device such as a personal computer. The database device 50 has a function of receiving and processing a request for data search and registration, and returning a result.

  Next, the operation of the encrypted data search system will be described. The encrypted data search system according to the present embodiment executes service provider key generation processing, user registration processing, data registration processing, and search processing. Hereinafter, each process will be described.

(Service provider key generation process)
The service provider key generation process will be described. FIG. 6 is a flowchart illustrating an example of the service provider key generation process.

  When the service administrator performs an input operation, the service provider device 20 generates a service provider public key pk_s and a secret key sk_s according to the input operation of the service administrator, and generates a public key pk_s and a secret key sk_s of the service provider (KEYGEN1 in FIG. 6).

  Next, the service provider device 20 publishes the public key pk_s (that is, enables distribution according to access via the network), and manages the secret key sk_s secretly (that is, without publishing) (FIG. 6 KEYGEN2).

(User registration process)
Next, user registration processing will be described. FIG. 7 is a flowchart showing an example of the user registration process.

  When the user i performs an input operation, the user device 40-i inputs the security parameter according to the input operation of the user i, and generates the public key pk_i and the secret key sk_i of the user i. In the example illustrated in FIG. 7, the user device 40-A inputs the security parameters according to the input operation of the user A, and generates the public key pk_A and the secret key sk_A of the user A (UREG1 in FIG. 7).

  Next, the user device 40-i transmits a user registration request to the service provider device 20. In the example shown in FIG. 7, the user device 40-A transmits a user registration request to the service provider device 20 (UREG2 in FIG. 7).

  The service provider device 20 that has received the user registration request and the user device 40-i generate a proxy key rk_i while interacting (specifically, communicating with each other). At this time, the service provider device 20 can independently generate the proxy key rk_i by transmitting the user registration request including the secret key sk_i of the user i. In that case, the service provider device 20 and the user device 40-i do not particularly interact. In the example shown in FIG. 7, the service provider device 20 and the user device 40-A generate the proxy key rk_A while interacting (UREG3 in FIG. 7).

  Next, the service provider device 20 transmits to the proxy server device 30 data (user i, rk_i) that associates the data for identifying the user with the generated proxy key rk_i and stores the data. In the example shown in FIG. 7, the service provider device 20 transmits to the proxy server device 30 data (user A, rk_A) in which the data for identifying the user and the generated proxy key rk_A are associated with each other (FIG. 7). 7 UEG4).

(Data registration process)
Next, the data registration process will be described. FIG. 8 is a flowchart showing an example of the data registration process.

  When the data registrant performs a registration operation, the data registration device 10 receives the service provider's public key pk_s and the message M to be registered in accordance with the data registrant's registration operation, and uses the searchable ciphertext E (pk_s, M ) Is generated (DREG1 in FIG. 8).

  Next, the data registration device 10 transmits the searchable ciphertext E (pk_s, M) to the database device 50 and stores it (DREG2 in FIG. 8).

(Search process)
Next, the search process will be described. FIG. 9 is a flowchart illustrating an example of the search process.

  When the user i performs an input operation, the user device 40-i inputs the secret key sk_i of the user i and the search target keyword KW according to the input operation of the user i, and generates a user query TR (sk_i, KW) To do. Then, the user device 40-i transmits the generated user query TR (sk_i, KW) to the proxy server device 30.

  In the example shown in FIG. 9, when the user A performs an input operation, the user device 40-A inputs the user A's secret key sk_A and the search target keyword KW according to the user A's input operation, and the user query TR (sk_A, KW) is generated (SRC1 in FIG. 9). Then, the user device 40-A transmits the generated user query TR (sk_A, KW) to the proxy server device 30.

  Next, the proxy server device 30 receives the received user query TR (sk_i, KW) and the stored proxy key rk_i as input, generates a search query TR (sk_s, KW), and transmits it to the database device 50. . For example, the proxy server device 30 is based on the received user query TR (sk_i, KW) and data (user i, rk_i) that associates the stored user identification data with the generated proxy key rk_i. Specify the proxy key. Then, the proxy server device 30 receives the received user query TR (sk_i, KW) and the specified proxy key rk_i as input, and generates a search query TR (sk_s, KW).

  In the example shown in FIG. 9, the proxy server device 30 receives the received user query TR (sk_A, KW) and the stored proxy key rk_A as input, generates a search query TR (sk_s, KW), and creates a database. The data is transmitted to the device 50 (SRC2 in FIG. 9).

  Next, the database device 50 receives the set of ciphertexts stored therein and the search query TR (sk_s, KW) as input, generates a search result Result, and transmits the search result Result to the proxy server device 30 (FIG. 9). SRC3). Specifically, the database 50 device searches and extracts data based on the received search query TR (sk_s, KW) from the stored searchable encrypted data, and transmits it to the proxy server device 30 as a search result. To do.

  Next, the proxy server device 30 transmits the search result Result to the user device 40-i. In the example illustrated in FIG. 9, the proxy server device 30 transmits the search result Result to the user device 40-A (SRC4 in FIG. 9).

  Next, the operation of the encrypted data search system will be described using a specific example. In the following, a ^ b represents the bth power of a.

First, the pairing function will be described. When G and G_T are cyclic groups with order q and g_1 and g_2 are G generators, respectively, the pairing function e: G × G → G_T is the following for any Z_q elements a and b: Is a 2-input 1-output function that satisfies the properties of
・ E (g_1 ^ a, g_2 ^ b) = e (g_1, g_2) ^ {ab}
・ E (g_1, g_2) ≠ 1

  Next, the searchable encryption method described in Non-Patent Document 1 will be described. The method described in Non-Patent Document 1 is a searchable encryption method that can be searched only by a user having a secret key. For each entity, q, G, G_T, G generator g, pairing function e: G × G → G_T, arbitrary bit string to G hash function H_1, k_bit bit string from G_T element for each entity A hash function H_2 to is given.

(Key generation process described in Non-Patent Document 1)
The user randomly selects x from Z_q. The user then calculates g ^ x. Then, the user makes the secret key x, the public key g ^ x, and makes the public key public. Specifically, the information processing apparatus executes these processes in accordance with user operations.

(Searchable encryption data generation process described in Non-Patent Document 1)
The data registrant inputs the public key g ^ x and the data M to be registered, selects r at random from Z_q, and the searchable encrypted data (C_1, C_2) = (H_2 (e (H_1 (M), (g ^ x) ^ r)), g ^ r) is generated and sent to the database for storage. Specifically, the information processing apparatus executes these processes according to the operation of the data registrant.

(Search process described in Non-Patent Document 1)
The user receives the search keyword KW and the secret key x, generates Q = H_1 (KW) ^ s, and transmits it to the database as a search query. Specifically, the information processing apparatus executes these processes in accordance with user operations. The database confirms whether or not C_1 = H_2 (e (Q, C_2)) holds for each element of the set of searchable encrypted data {(C_1, C_2)} stored in itself. Then, the database outputs searchable encryption data (C_1, C_2) for which the equal sign is established as a search result. Specifically, an information processing apparatus including a storage device that stores a database receives a search query and executes these processes.

  Next, service provider key generation, user registration, data registration, and search processes executed by the encrypted data search system of this embodiment will be described. For each entity, q, G, G_T, G generator g, pairing function e: G × G → G_T, hash function H_1 from arbitrary bit string to G, k bits from G_T element as system parameters The hash function H_2 for the bit string of is given.

(Service provider key generation process)
A specific example of service provider key generation processing will be described. FIG. 10 is a flowchart showing a specific example of service provider key generation processing.

  As shown in FIG. 10, the service provider device 20 executes a process similar to the key generation process described in Non-Patent Document 1 (KEYGEN1 in FIG. 10).

  Next, the service provider device 20 publishes the generated public key of the service provider as pk_s = g ^ s and stores the secret key as sk_s = s (KEYGEN2 in FIG. 10).

(User registration process)
Next, a specific example of user registration processing will be described. FIG. 11 is a flowchart showing a specific example of the user registration process.

  The user device 40-i executes a process similar to the key generation process of Non-Patent Document 1 according to the operation of the user i, and generates a public key pk_i = g ^ {x_i} and a secret key (x_i) ( UEG1 in FIG. 11).

  Next, the user device 40-i transmits a user registration request to the service provider device 20 (UREG2 in FIG. 11).

  Further, the user device 40-i transmits the secret key x_i to the service provider device 20. Then, the service provider device 20 generates a proxy key rk_i = s / x_i, and transmits data (user i, rk_i) in which the data for identifying the user and the generated proxy key are associated with each other to the proxy server device 30 ( UREG3 in FIG. 11).

  Next, the proxy server device 30 stores data (user i, rk_i) in which the data for identifying the user and the proxy key are associated with each other in the storage unit (UREG4 in FIG. 11).

(Data registration process)
Next, a specific example of the data registration process will be described. FIG. 12 is a flowchart showing a specific example of the data registration process.

  The data registration device 10 executes the searchable encryption data generation process of Non-Patent Document 1 with the service provider's public key pk_s and the data M to be registered as input in accordance with the registration operation of the data registrant (DREG1 in FIG. 12). Specifically, the data registration device 10 generates (C_1, C_2) = (H_2 (e (H_1 (M), pk_s ^ r)), g ^ r) as searchable encryption data.

  Next, the data registration device 10 transmits the searchable encrypted data (C_1, C_2) to the database device 50 and stores it (DREG2 in FIG. 12).

(Search process)
Next, a specific example of search processing will be described. FIG. 13 is a flowchart showing a specific example of the search process. Here, it is assumed that the database device 50 stores N pieces of searchable encrypted data {(C_1, C_2) _i} by data registration processing.

  The user device 40-i generates a user query TR (sk_i, KW) = H_1 (KW) ^ {x_i} by inputting the secret key sk_i and the search target keyword KW according to the input operation of the user i, and generates a proxy The data is transmitted to the server device 30 (SRC1 in FIG. 13).

  Next, the proxy server device 30 receives the received user query TR (sk_i, KW) and the proxy key rk_i as input, and uses the search query TR (sk_s, KW) = TR (sk_i, KW) ^ {rk_i} = H_1 ( KW) ^ {s} is generated and transmitted to the database device 50 (SRC2 in FIG. 13).

  Next, the database device 50 stores C_1 = H_2 (e (TR (sk_i, KW), C_2)) for each element of the set {(C_1, C_2)} of searchable encryption data stored in itself. Check if it is true. Then, the database device 50 transmits the searchable encryption data (C_1, C_2) for which the equal sign is established to the proxy server device 30 as a search result (SRC3 in FIG. 13).

  Next, the proxy server device 30 transmits the received search result to the user device 40-i (SRC4 in FIG. 13).

  Note that it is desirable for the proxy server device 30 to perform user authentication before performing a search for safety. As a user authentication method, for example, a method using an existing ID / Password or a method using an electronic signature can be used.

  Regarding proxy key generation processing, it is known that s / x_i can be calculated by performing multi-party calculation while keeping the secret key s of the service provider and the secret key x_i of the user i secret. Also in this system, s / x_i may be calculated using multi-party calculation.

  Furthermore, in the present embodiment, the hash function H_2 is used to reduce the data size of the searchable encrypted data, but H_2 may be omitted.

  In the present embodiment, the searchable encryption data is (C_1, C_2) = (H_2 (e (H_1 (M), pk_s ^ r)), g ^ r). It is difficult to perform the search process using only the public key of the service provider and (C_1, C_2) without using the secret key sk_s or the secret key sk_i of the user i and the proxy key rk_i. Further, the proxy server device holds s / a, but it is also impossible to generate a search query unless s or a (that is, the service provider private key or the user private key) is known. Therefore, even when the administrator of the proxy server device acts maliciously, it is not possible to perform a search for an arbitrary keyword with respect to a set of searchable encrypted data stored in the database.

  As described above, the first effect of the present embodiment is that a search result can be answered in response to a search request from a plurality of users having different public / private keys. As a result, it becomes possible for a plurality of users to perform a search with respect to one piece of data.

  In addition, the second effect of the present embodiment is that even if searchable encrypted data stored in the database is leaked, any information regarding the contents of the data is leaked if the secret key of the service provider is not leaked. There is to not. As a result, even if the data in the database is leaked, the damage of information leakage can be reduced.

  Therefore, the encrypted data search system of this embodiment can answer search results to search requests from a plurality of users having different public keys and secret keys, and can reduce damage caused by data leakage.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described. The encrypted data search system of this embodiment has the same configuration as that of the first embodiment. In the present embodiment, as shown in FIG. 14, the user apparatus includes a signature / verification key generation unit 405-i and a signature data generation unit 406-i in addition to the configuration of the first embodiment. . Specifically, the signature / verification key generation unit 405-i and the signature data generation unit 406-i are realized by a CPU of an information processing apparatus that operates according to a program.

  In this embodiment, an electronic signature is used. First, the electronic signature will be described. There are three algorithms for electronic signature: key generation, signature generation, and signature verification.

  The key generation algorithm receives a security parameter and generates a signature key sk that is a key for generating a signature and a verification key vk that is a key for verifying the signature. For example, in this embodiment, the signature / verification key generation unit 405-i receives a security parameter and generates a signature key sk and a verification key vk.

  The signature generation algorithm receives the signature target message M and the signer's signature key sk, and outputs signature data (M, σ). For example, in the present embodiment, the signature data generation unit 406-i receives the signature target message M and the signature key sk of the signer, and generates and outputs signature data (M, σ).

  The signature verification algorithm receives signature data (M, σ) and the signer's verification key vk, and outputs a verification result indicating acceptance or non-acceptance. For example, in this embodiment, the database device 50 receives the signature data (M, σ) and the signer's verification key vk, and outputs a verification result indicating acceptance or non-acceptance.

  Next, each process of service provider key generation, user registration, data registration, and search of the encrypted data search system of this embodiment will be described. Here, as a system parameter for each entity, q, G, G_T, G generator g, pairing function e: G × G → G_T, from any bit string to G hash function H_1, G_T A hash function H_2 for a bit string of k bits is given.

(Service provider key generation process)
The service provider key generation process of this embodiment will be described. The service provider device 20 executes a process similar to the key generation process described in Non-Patent Document 1. Next, the service provider device 20 discloses the generated public key of the service provider as pk_s = g ^ s, and stores the secret key as sk_s = s.

(User registration process)
Next, user registration processing will be described. The user device 40-i generates a signature generation key according to the operation of the user i, and generates a verification key vk_i and a secret key sk_i.

  Next, the user device 40-i transmits a user registration request to the service provider device 20. Further, the user device 40-i transmits the verification key vk_i to the service provider device 20.

  Next, the service provider device 20 transmits the service provider secret key sk_s and the user verification key vk_i to the proxy server device 30.

  Next, the proxy server device 30 stores data (user i, vk_i) in which the information for identifying the user and the verification key are associated with each other and the secret key sk_s of the service provider in the storage unit.

(Data registration process)
Next, the data registration process will be described. The data registration process of this embodiment is the same as the data registration process of the first embodiment.

  The data registration device 10 executes the searchable encrypted data generation process of Non-Patent Document 1 with the public key pk_s of the service provider and the data M to be registered as input according to the registration operation of the data registrant. Specifically, the data registration device 10 generates (C_1, C_2) = (H_2 (e (H_1 (M), pk_s ^ r)), g ^ r) as searchable encryption data.

  Next, the data registration device 10 transmits the searchable encrypted data (C_1, C_2) to the database device 50 and stores it.

(Search process)
Next, the search process will be described. Here, it is assumed that the database device 50 stores N pieces of searchable encrypted data {(C_1, C_2) _i} by data registration processing.

  The user device 40-i generates a user query H_1 (KW) using the search target keyword KW as an input in accordance with the input operation of the user i, and transmits it to the proxy server device 30.

  Next, the proxy server device 30 receives the received user query H_1 (KW) and the service provider's private key sk_s as input, and generates a search query TR (sk_s, KW) = H_1 (KW) ^ {s} Transmit to user device 40-i.

  Next, the user device 40-i receives the received search query TR (sk_s, KW) and the signature key sk_i as input, and the signature data (TR (sk_s, KW), σ) is generated and transmitted to the database device 50.

  Next, the database device 50 performs signature verification using the signature data (TR (sk_s, KW), σ) received from the user device 40-i and the verification key vk_i of the user i as inputs.

  When the signature verification result is rejected, the database device 50 notifies the user i that the signature is rejected and stops the operation. On the other hand, if the signature verification result is accepted, the database device 50 performs C_1 = H_2 (e (TR ()) for each element of the set of searchable encrypted data {(C_1, C_2)} stored in itself. Check whether (sk_i, KW), C_2)) holds. Then, the database device 50 transmits the searchable encryption data (C_1, C_2) for which the equal sign is established to the user device 40-i as a search result.

  The proxy server device 30 desirably performs user authentication before performing a search for safety. As a user authentication method, for example, a method using an existing ID / Password or a method using an electronic signature can be used.

  In the present embodiment, when the database performs a search, the electronic signature given to the search query is verified. Further, since the proxy server device holds s (that is, the service provider's private key), it can generate a search query for an arbitrary keyword, but cannot generate a user's electronic signature. Therefore, even if the administrator of the proxy server device acts maliciously, it is not possible to perform a search for an arbitrary keyword with respect to a set of searchable encrypted data stored in the database.

  Therefore, the encrypted data search system of this embodiment can answer search results to search requests from a plurality of users having different public keys and secret keys, and can reduce damage caused by data leakage.

  The present invention is not limited to the embodiment described above, and can be implemented by appropriately changing the examples within the scope of the technical idea of the present invention.

  Next, the minimum configuration of the encrypted data retrieval system according to the present invention will be described. FIG. 15 is a block diagram illustrating a minimum configuration example of the encrypted data search system. As shown in FIG. 15, the encrypted data search system includes a service providing device 2, a data registration device 1, a database device 5, a user device 4, and a proxy device 3 as minimum components.

  In the encryption data search system with the minimum configuration shown in FIG. 15, the service providing apparatus 2 generates a service public key for encrypting data and a service secret key corresponding to the service public key. Further, the service providing device 2 receives the user secret key and the service secret key generated by the user device 4 requesting the data search, generates a proxy key for each user device 4, and transmits the proxy key to the proxy device 3. Further, the database device 5 stores searchable encryption data generated by the data registration device 1 using the service public key and data as inputs.

  The user device 4 generates a user query for requesting data search for the searchable encrypted data stored in the database device 5 using the user secret key, and transmits the user query to the proxy device 3. Then, the proxy device 3 receives the user query received from the user device 4 and the proxy key for each user device 4 received from the service providing device 2 and searches for searchable encrypted data stored in the database device 5. Generate a search query to request.

  Therefore, according to the encryption data search system having the minimum configuration, the search result can be answered in response to a search request from a plurality of users having different public keys and secret keys, and damage caused by data leakage can be reduced.

  In this embodiment, the characteristic configuration of the encrypted data retrieval system as shown in the following (1) to (5) is shown.

  (1) The encrypted data search system includes a service providing device (for example, realized by the service provider device 20), a data registration device (for example, realized by the data registration device 10), and a database device (for example, a database device). 50), a user device (for example, realized by the user device 40-i), and a proxy device (for example, realized by the proxy server device 30). A service public key (for example, pk_s) for encryption and a service secret key (for example, sk_s) corresponding to the service public key are generated (for example, realized by the key generation unit 201), and a data search is requested. The user secret key (for example, pk_i) generated by the user device and the service secret key are input to A data key (for example, rk_i) is generated and transmitted to the proxy device (for example, realized by the proxy key generation unit 202), and the data registration device receives the service public key and data (for example, data M) as inputs, Searchable encryption data is generated (for example, realized by the searchable encryption data generation unit 101), the database device stores the searchable encryption data, and the user device stores the searchable encryption data stored in the database device. On the other hand, a user query (for example, Q_i) for requesting data search is generated and transmitted to the proxy device (for example, realized by the query generation unit 404-i), and the proxy device receives from the user device. The user query and the proxy key for each user device received from the service providing device are input, and the data stored in the database device is detected. A search query (for example, Q_s) for requesting a search for possible encryption data is generated (for example, realized by the query conversion unit 301), and the user device further generates a user query using the user secret key It is characterized by that.

  (2) In the cryptographic data search system, the service providing device generates a proxy key for each user device by inputting the service secret key and the user secret key, and the proxy device performs a search by inputting the user query and the proxy key. The query may be generated, and the database device may be configured to generate a search result with the search query and searchable encrypted data stored in the database device as inputs.

(3) In the cryptographic data retrieval system, the data registration apparatus includes a pairing function g that is a mapping of groups G, G_T, e () having a prime number q to G_T groups with two elements G as inputs. Is the generator of the group G, H_1 is a hash function from any bit string to G, H_2 is a hash function from G_T to a k-bit bit string, M is a message, Z_q random numbers r and s are service secret keys, g ^{When s} is a service public key, searchable encrypted data including H_2 (e (H_1 (M), g ^s ) ^r ), g ^r is generated, and the user device generates a as a user private key and g as ^a user. When the public key is used and the search keyword is KW, a user query including H_1 (KW) ^a may be generated.

(4) In the encrypted data search system, the proxy device is configured to generate a search query including H_1 (KW) ^s when the proxy key of the user device includes s / a and the search keyword is KW. May be.

  (5) In the encrypted data search system, the user device generates a verification key and a signature key (for example, realized by the verification / signature key generation 405-i), and the search query and signature key generated by the proxy device The signature data is generated (for example, realized by the signature data generation 406-i), and the database device may be configured to perform signature verification using the signature data and the verification key as inputs. .

  The present invention can be suitably applied to anonymous authentication in which authentication is performed while concealing a user ID via a communication network.

DESCRIPTION OF SYMBOLS 1 Data registration apparatus 2 Service provision apparatus 3 Proxy apparatus 4 User apparatus 5 Database apparatus

Claims (8)

A service providing device, a data registration device, a database device, a user device, and a proxy device;
The service providing apparatus includes:
Generating a service public key for encrypting data and a service secret key corresponding to the service public key;
Using the user secret key generated by the user device that requests data search and the service secret key as input, a proxy key for each user device is generated, and transmitted to the proxy device.
The data registration device receives the service public key and data, generates searchable encrypted data,
The database device stores the searchable encryption data,
The user device generates a user query for requesting data search for the searchable encrypted data stored in the database device, and transmits the user query to the proxy device.
The proxy device inputs the user query received from the user device and the proxy key for each user device received from the service providing device, and searches for the searchable encrypted data stored in the database device. Generate a search query to request,
The user device further generates the user query using the user secret key. An encrypted data search system, wherein: The service providing device receives the service secret key and the user secret key, generates a proxy key for each user device,
The proxy device receives the user query and the proxy key as input, generates a search query,
The encrypted data search system according to claim 1, wherein the database device receives the search query and searchable encrypted data stored in the database device as input, and generates a search result. The data registration device
Groups G, G_T with prime order q,
A pairing function that is a mapping to a group of G_T with e () as the input of the two G elements,
g is the generator of group G,
H_1 is a hash function from G to G
A hash function of H_2 from G_T onto a bit string of k bits,
Message M,
Z_q random number r,
When s is a service secret key and g ^s is a service public key, searchable encrypted data including H_2 (e (H_1 (M), g ^s ) ^r ), g ^r is generated,
User equipment
The encrypted data search system according to claim 1, wherein a user query including H_1 (KW) ^a is generated when a is a user secret key, g ^a is a user public key, and a search keyword is KW. The encrypted data search system according to claim 3, wherein the proxy device generates a search query including H_1 (KW) ^s when the proxy key of the user device includes s / a and the search keyword is KW. User equipment
Generate a verification key and a signing key,
Using the search query generated by the proxy device and the signature key as input, generate signature data,
The encryption data search system according to any one of claims 1 to 4, wherein the database device performs signature verification using the signature data and the verification key as inputs. An encrypted data search device for searching for data from searchable encrypted data generated using a service public key for encrypting data,
A proxy key generated using a user secret key generated by a user device and a service secret key corresponding to the service public key, and a user requesting a search for data generated by the user device using the user secret key as input and query, encrypted data retrieval apparatus characterized by comprising means for generating a search query order to retrieve data from the searchable encrypted data stored in the database system. Service providing device
Generating a service public key for encrypting data and a service secret key corresponding to the service public key;
As input user private key Yoo over The device has generated and with said service private key to generate the proxy key for each said user device,
Data registration apparatus, as an input the service public key and data, searchable encrypted data to generate, stores generated the searchable encrypted data in a database system,
The user device generates a user query for requesting data search using the user secret key for the searchable encrypted data stored in the database device ,
The proxy device, as input and proxy key generated for each of the user device and the user query, generating a search query order to retrieve data from the searchable encrypted data stored in said database device A method for retrieving encrypted data. An encryption data search program for searching data from searchable encryption data generated using a service public key for encrypting data,
On the computer,
A proxy key generated using a user secret key generated by a user device and a service secret key corresponding to the service public key, and a user requesting a search for data generated by the user device using the user secret key as input and query, encrypted data retrieval program for executing a process of generating a search query order to retrieve data from the searchable encrypted data stored in the database system.

Images