JP5841955B2 - Functional cryptographic system and method - Google Patents

Description

  The present invention relates to a technique in which a plurality of servers simultaneously and securely authenticate users in authentication on a network.

  Hereinafter, functional encryption will be described. For this purpose, ID-based encryption will be described first.

  ID-based cryptography (in a narrow sense) is a public key cryptosystem that can be encrypted using a receiver identifier (ID) as a public key without requiring preliminary communication such as public key inquiry. The ID-based encryption is generally composed of the following four algorithms.

Setup (1 ^k ) → (pk, sk): Setup—A stochastic polynomial time algorithm that takes the security parameter 1 ^k as input and outputs the public parameter pk and master key sk.

KeyGen (sk, i) → sk _i : Key generation—A probabilistic polynomial time algorithm that receives a master key sk and a key identifier i and outputs a secret key sk _i corresponding to the key identifier i.

Enc (pk, j, m) → c _j : Encryption—A stochastic polynomial time algorithm that takes the public parameter pk, the recipient identifier j, and plaintext m as input and outputs ciphertext c _j .

Dec (sk _i , c _j ) → m ′: Decryption—A stochastic polynomial time algorithm that receives the secret key sk _i and the ciphertext c _j and outputs plaintext m ′.

  Functional encryption is an extension of ID-based encryption, and there is no syntactic difference between the two. That is, functional encryption is also composed of the above four algorithms.

m '= Dec (pk, KeyGen (sk, i), Enc (pk, j, m))
Then, in the ID-based encryption, when the key identifier i and the recipient identifier j match, that is, when i = j, it can be decrypted with an overwhelming probability of m ′ = m. In ID-based encryption, the public key (recipient identifier) and secret key (key identifier) always correspond to 1: 1.

  The generalized cryptosystem does not have this 1: 1 relationship, and is extended so that it can be decrypted when the key identifier i and the recipient identifier j satisfy some special relationship. For example, suppose that it is desired to use ambiguous data such as a face photograph instead of a general identifier. In such a case, it is desirable that decoding is possible when the relation i≈j (identifier is close in some sense) is satisfied instead of the equation i = j. At this time, the recipient identifier j corresponding to the key identifier i is not necessarily unique.

  In the extended encryption, one private key corresponds to various public keys (recipient identifiers), and one public key (recipient identifier) corresponds to various private keys to configure an encryption system. If such generalization proceeds, an encryption that can be decrypted only when a special relationship R is satisfied between the key identifier i and the receiver identifier j, that is, when R (i, j) = True. Concept is born. A relationship is a function that takes two strings as input and outputs a truth value. The relation R is a function that differs for each application, and it is not realistic to redesign the cipher every time the application is designed, so the cipher that realizes the universal R applicable to various purposes, that is, the functional cipher Reach the concept. In functional cryptography, one of the above i and j is regarded as a program (predicate) and the other is regarded as input data for the program (value of a predicate variable), and R is determined whether the input data is accepted by the program. Is realized. A functional cipher that uses the key identifier i as a predicate variable and the recipient identifier j as a predicate is called a ciphertext policy functional encryption (CP-FE).

  Hereinafter, the decentralized multi-station function type encryption will be described.

  In the above functional cipher (ID-based cipher) model, a single key generator defines a variable that is common to all users, and all recipients query the key generator to determine the value of the variable. do that for me. If we try to build an encryption system that can be used by users all over the world, there is the only key generation authority in the world that holds all the keys of the world. Someone will have super powers that can freely access all sorts of secrets such as personal bank accounts and history of Hirose. Cryptographic applications designed based on such a view of the world cannot easily be said to be an abstraction of the real world, and the application area of cryptographic protocols is naturally narrowed to avoid the establishment of super power.

  In the real world, government authorities, foreign governments, military authorities, currency authorities, legal authorities, foreign authorities, local governments, public security, post offices, telephone offices, banks, universities, credit sales companies, network operators, SNS operators, etc. A number of power organizations have been established, each managing their secrets independently. If a cryptographic protocol can be designed based on this view of the world, the application area can be expanded without worrying about the establishment of super power.

  In other words, it is necessary to consider decentralized multi-station functional encryption. The decentralized multi-station function type encryption is an extended concept of the ciphertext policy function type encryption. In the decentralized multi-station function type encryption, the key generation station issues a secret key to the user based on the value of the predicate variable managed by the key generation station. A plurality of key generation stations exist independently, and at the time of encryption, a predicate is defined using a combination of predicate variables independently defined by a plurality of key generation stations, and is encrypted as a receiver identifier.

  For example, suppose that the Musashino City Hall, Mitaka City Hall, and the Tokyo Metropolitan Public Safety Commission operate key generation stations. Assume that Alice, who lives in Musashino City, is given a secret key with the Musashino City residence attribute by Musashino City Hall. Bob living in Mitaka City is given a secret key with the Mitaka City residence attribute from Mitaka City Office. In addition, Alice is given a secret key with a driver's license ownership attribute from the Tokyo Public Safety Commission.

  If you want to create a ciphertext that can only be decrypted by a driver who is resident in Mitaka City and a driver's license, the ciphertext creator uses the public parameters of the Mitaka City Office and the public parameters of the Tokyo Public Safety Commission to encrypt Create a statement. Since Alice and Bob do not have a private key that satisfies this predicate, they cannot decrypt the ciphertext.

  In general, when each key generation station is an independent organization that does not make any preliminary contact, when Alice and Bob collaborate and bring each key together, it actually does not have such attributes but Mitaka You can make a private key pair that lives in the city and has a driver's license office.

  In a secure decentralized multi-station function type cipher, in order to prevent such collusion attacks, the key generation station issues a secret key using a user-specific identifier called a globally veriable identifier (GID). . Then, when the secret key has a different GID, a method is designed so that it cannot be used in combination (for example, see Non-Patent Document 1).

  The decentralized multi-station function type cipher consists of the following five algorithms (GSetup; ASetup; AttrGen; Enc; Dec).

GSetup (1 ^λ ) → ^$ gparam: Global setup-Stochastic polynomial time algorithm that takes security parameter 1 ^k as input and outputs common reference string gparam. “→ ^$ ” and “← ^$ ” represent selection at random.

ASetup (gparam, aparam) → ^$ (ask, apk): Station setup—A stochastic polynomial time algorithm that receives the common reference character string gparam and the station parameter aparam and outputs the station public parameter apk and the station master key ask.

AttrGen (ask, gid, i) → ^$ sk _i : Attribute generation-Common reference character string gparam, station master key ask and GID gid, and key identifier (value of predicate variable) i are input, and secret corresponding to gid, i A stochastic polynomial time algorithm that outputs the key sk _i .

Enc ({apk ₁ , ..., apk _n }, j, m) → ^$ c _j : Encryption-Public parameter apk ₁ , ..., apk _n, receiver identifier j and plaintext m are input, and ciphertext c _j A stochastic polynomial time algorithm that outputs

Dec ({sk _i1 , ..., sk _{in '} }, c _j ) → ^$ m': Decryption-Probabilistic output of plaintext m 'with secret key sk _i1 , ..., sk _in' and ciphertext c _j as input Polynomial time algorithm. In the decentralized multi-station function type cipher, the recipient of the ciphertext has a set of secret keys {sk _i1 ,…, sk _{in '} } with key identifiers (values of predicate variables) i ₁ ,…, i _{n ′} If the predicate variable values i ₁ ,..., I _{n ′} satisfy the predicate j, then m = m ′ with an overwhelming probability.

Tatsuaki Okamoto and Katsuyuki Takashima, “Decentralized Attribute-Based Signatures”, 2011,

  By the way, in general, a certain key generation station may manage two or more attributes. For example, let us assume that the Tokyo Metropolitan Public Safety Committee manages the accident-free attribute in addition to the driver's license ownership attribute.

  Furthermore, a certain key generation station may issue a secret key to a single user more than once. For example, a key generator operated by the Tokyo Metropolitan Public Safety Commission will update the private key when the license is updated. At this time, assuming that Alice issues a secret key with the same GID as the original GID, Alice has two secret keys by himself, so it actually combines two secret keys like a collusion attack. Has the problem that it can construct keys with incorrect attributes.

  If a key is issued to Alice using a GID that is different from the original GID in order to prevent such a key reissue attack, the new secret key is the secret of the Musashino city residence attribute that Alice already has It can no longer be used in combination with a key.

  The present invention provides a functional encryption system and method for preventing a key reissue attack, which is an attack in which a user constructs a key having no legitimacy, by combining two secret keys issued by a certain key generation station at different timings The purpose is to do.

  A functional cryptographic system according to an aspect of the present invention is a functional cryptographic system using linear secret sharing by a monotone circuit configuration method, wherein each of a plurality of leaves constituting a tree expressing a predicate S used in the linear secret sharing is described. Is associated with a key generation station apparatus corresponding to a literal predicate corresponding to each leaf, and a degenerate tree corresponding to a certain key generation station apparatus is converted to the key generation station apparatus among the plurality of leaves. Is calculated by the predicate of each degenerate tree in the upper descriptive word S using a random number corresponding to the leaf of each degenerate tree corresponding to each key generation station device. An encryption device that generates random numbers corresponding to the plurality of leaves so that the root value of each of the degenerate trees is 0, and encrypts the plaintext using the generated random numbers.

  By introducing an identifier that is locally determined for each key generation station, that is, a local identifier (LID: Local IDentier), encryption can be configured so that different LIDs cannot be combined, and key reissue attacks are prevented. be able to.

The block diagram for demonstrating the example of a functional encryption system apparatus. The flowchart for demonstrating the example of a functional cryptographic system method. The figure for demonstrating the example of realization of GID. The figure for demonstrating the example of realization of LID. The figure for demonstrating the example of realization of LID. The figure for demonstrating the example of realization of LID. The figure for demonstrating the example of a data structure.

  Hereinafter, an embodiment of a functional encryption system will be described with reference to the drawings.

  First, the predicate description mechanism of functional encryption will be described.

In the background section, functional cryptography functions as a kind of program evaluation machine that takes a program (predicate) and data (value of a predicate variable) as input, and has a 1-bit output. Explained that decryption is possible. This section describes the data structure of programs (predicates) and data (values of predicate variables) in the implementation of functional encryption.
The predicate description mechanism of functional encryption is
(1) Primitive predicate (literal predicate) description mechanism based on inner product vector space
(2) It is composed of two types of mechanisms, a formula description mechanism based on linear secret sharing. (1) is located in a lower layer than (2), and a plurality of predicates described in (1) are synthesized in (2) to form one large predicate. FIG. 7 illustrates a data structure.

  Hereinafter, (1) a primitive predicate description mechanism based on the inner product vector space will be described.

Let X ₁ and X ₂ each be a set of variables. Predicates Q (X ₁ ), R (X ₂ ) and polynomials g (X ₁ ), h (X ₂ ) are respectively
{Q (X ₁ ) = True} ⇔ {g (X ₁ ) = 0}, {R (X ₂ ) = True} ⇔ {h (X ₂ ) = 0}
When r is a sufficiently large random number, under reasonable assumptions regarding the range and domain of the polynomial,
{Q (X ₁ ) ∨R (X ₂ ) = True} ⇔ {g (X ₁ ) h (X ₂ ) = 0}, {Q (X ₁ ) ∧R (X ₂ ) = True} ⇔ {g ( _{X 1) + rh (X 2} ) = 0}
Holds. Therefore, monotonic synthesis of predicates Q (X ₁ ) and R (X ₂ ) (composition consisting only of ∨ and ∧) is based on the product and linear sum of g (X ₁ ) and h (X ₂ ) under reasonable assumptions. It can be equated with a composite polynomial. Furthermore, if we can assume x∈ {I ₀ , I ₁ } for the predicate variable x, we can say that it is stronger.

P (x) = (x = I ₁ ), N (x) = (x = I ₀ )
Consider the predicates P (x) and N (x). Since P (I _b ) = b for any b∈ {0,1}, x can be regarded as a 1-bit logical variable if the variable x and the predicate P (x) are identified. At this time, since it is _{N (I b) = ¬P (} I b) for any B∈ {0, 1}, can be equated formulas ¬x and predicate N (x). by the way,
p (x) = (xI ₁ ), n (x) = (xI ₀ )
Given the polynomials p (x) and n (x)
{P (x) = True} ⇔ {p (x) = 0}, {N (x) = True} ⇔ {n (x) = 0}
Therefore _, the monotonic synthesis of the logical expression {x _i , ¬x _i } _{i = 1, ..., n} is under the assumption that {p (x _i ), n (x _i )} _{i = 1, ..., n} It can be equated with the composite polynomial by the product and linear sum. {x _i } _{i = 1, ..., n} arbitrary dendritic logic circuit is expressed by monotonic synthesis of {x _i , ¬x _i } _{i = 1, ..., n} using de Morgan's law recursively it can. _{Therefore, {x i} i = 1} , ..., under any logical expression reasonable assumptions of _{n {p (x i),} n (x i)} i = 1, ..., the product of _n and linear sum Can be equated with the composite polynomial by.

However if the K and body, polynomial ring _{K [x 1, ..., x} n] is generally x _1, ..., because a K a vector space to base the monomials x _n, the set of predicates variables {x ₁ ,..., X _n } and the vector space, the predicate expressed by the polynomial of x ₁ ,..., X _n can be regarded as an element of the vector space. A vector space based on a monomial is generally infinite dimension and is not suitable for computers. However, if a range of predicates that can be described is limited, a predicate can be an element on a finite-dimensional subspace. For example, it is assumed that the one-variable predicate F (x) can be identified with the n-th order polynomial f (x). f (x) is a monomial basis x ^→ = (x ⁰ , x ¹ ,…, x ⁿ ) and coefficient vector f ^→ = (f ₀ , f ₁ ,…, f _n ), and f (x) = f ^→・ x ^→ can be described. At this time, a predicate that can be identified as a polynomial of order n + 1 or higher cannot be described. When (x ₁ = I ₁ ) ∨ ... ∨ (x _n = I _n ) type predicates are expressed in this form, the vector dimension grows exponentially with the number of variables. In this case, (2) a predicate description mechanism based on linear secret sharing is used. Even in the functional encryption of Non-Patent Document 1, a large predicate is constructed using this method.

In the predicate description mechanism based on the inner product vector space, a predicate variable (x ₁ ,..., X _n ) is designated by designating a vector space (a monomial basis). The specific value (x ₁ ,..., X _n ) = (I ₁ ,..., I _n ) of the predicate variable is specified by a vector in which the value of the variable is substituted into the monomial base specified above. For example, in the above example of one variable, an instance where x = 2 is (x ⁰ , x ¹ ,..., X ⁿ ) = (2 ⁰ , 2 ¹ ,..., 2 ⁿ ). The predicate is specified by a vector of coefficients. A predicate whose polynomial expression does not fit in the specified subspace cannot be described.

  The following describes (2) the formula description mechanism based on linear secret sharing.

  Here, the predicate (vector) described by the predicate description mechanism based on the inner product vector space is called “primitive predicate”, and the primitive predicate and its negation are called “literal predicate”. I will decide. In functional encryption, a single predicate is constructed by monotonically synthesizing a plurality of literal predicates using a predicate description mechanism based on linear secret sharing. Arbitrary logical expressions of primitive predicates can be expressed in a tree-like monotonic composition of literal predicates using recursive de Morgan's law.

In the predicate description mechanism based on linear secret sharing, predicate synthesis is performed based on the concept of linear secret sharing. For example, when the secret f ₁ is 2-out-of-2 secret distributed to the distributed values f ₂ and f _3, that is, when s ₁ + f ₂ + f ₃ = 0, both f ₂ and f ₃ the value of the variable is not aligned Failure to restore the values of f _1. When f ₂ and f ₃ are encrypted in some way. To restore the secret f ₁ is required to decode both of the cipher. This is equivalent to realizing the predicate trap. Or, when the secret f ₁ is 1-out-of-2 secret distributed to the distributed values f ₂ and f ₃ , that is, when f ₁ = f ₂ = f ₃ , if either one of the variables is aligned f ₁ can be restored. When f ₂ and f ₃ are respectively encrypted, in order to restore the secret f ₁ , either one of the ciphers may be decrypted. This is equivalent to realizing the predicate trap. Such a method can be constructed for any monotonic predicate as well as simple ∧ and ∨. For example, as shown in FIGS. 4 to 6, when a predicate is described in a tree expression having a node such as AND or OR as a node, the independent variable necessary for linear secret sharing every time it falls from the root toward the leaf and hits the gate. Can be described as a linear sum of independent variables. If some of the leaf variables are available and the rest are unavailable, the monotonic circuit will output accept if the root variable can be described as a linear sum of the available leaf variables, and reject if it cannot. In other words, a matrix that describes this leaf variable as an independent variable can be equated with an AND or OR tree structure. Using this method, an arbitrary predicate can be described by a matrix representing several literal predicates and linear secret sharing. A functional encryption predicate is a set of this linear secret sharing matrix and a literal predicate.

  Hereinafter, implementation of LID using linear secret sharing will be described.

  Reference 1 uses the matrix obtained by the above monotonic circuit configuration method to implement GID with functional encryption, and if the GIDs of all keys used in the predicate match, the circuit is The ciphertext is composed of random numbers that can be erased successfully when evaluated. See, for example, FIG. 3 for this.

  [Reference 2] David Freeman, Michael Scott and Edlyn Teske, “taxonomy of pairing-friendly elliptic curves”, 2006,

In FIG. 3, s ′ ₁ ,..., S ′ ₇ are random numbers corresponding to GID. Based on these random numbers s ′ ₁ ,..., S ′ ₇ , random numbers s ′ ₁ ,..., S ′ ₇ are determined so as to be 0 when the root value of the tree corresponding to the predicate S is obtained. For example, f ′ ₁ = 0 and f ′ ₂ , f ′ ₃ , f ′ ₄ , f ′ ₅ , and f ′ ₆ are determined at random. Then, by multiplying (f ' ₁ , f' ₂ , f ' ₃ , f' ₄ , f ' ₅ , f' ₆ ) ^T by a matrix M representing the predicate S, (s' ₁ , ..., s ' ₇ ) ^{Find T.} In other _{words, (f '1, f'} 2, f '3, f' 4, f '5, f' 6) from _{^{T (s '1, ...,}} s' 7) T to be able to seek, The matrix M is defined.

In a functional encryption system using linear secret sharing with a simple circuit configuration, a value corresponding to f ′ ₁ is calculated based on a secret key (value of a predicate variable) possessed by a decryption apparatus at the time of decryption, and this calculated f ' ₁ is a plaintext m' noise. If the GIDs match, in other words, if the plaintext m ′ can be decrypted based on s ′ ₁ ,..., S ′ ₇ set so that f ′ ₁ = 0, Since f ′ ₁ = 0 and noise becomes 0, plaintext m ′ can be correctly decrypted. If the GIDs do not match, in other words, if the plaintext m ′ cannot be decrypted based on s ′ ₁ ,..., S ′ ₇ set so that f ′ ₁ = 0, f ′ ₁ Since ≠ 0 and noise does not become 0, plaintext m ′ cannot be correctly decrypted.

  LID is realized using a mechanism similar to that of GID. In order to realize LID, as illustrated in FIGS. 4 to 6, a cipher is constructed using random numbers that can be erased well during circuit evaluation. 4 to 6, the leaves to which the literal predicates defined by the predicate variables created by the same key generation station apparatus are joined are grouped.

Each of a plurality of leaves constituting the tree expressing the predicate S used in the linear secret sharing is associated with a key generation station apparatus corresponding to the literal predicate corresponding to each leaf. 4 to 6, the key generation station apparatus 2-1 is associated with the literal predicate corresponding to the leaf associated with (s " ₁ , s" ₂ , s " ₄ , s" ₇ ). The key generation station apparatus 2-2 is associated with the literal predicates corresponding to the leaves associated with (s " ₃ , s" ₅ , s " ₆ ).

Here, the tree representing the predicate S is at least one degenerated tree composed of leaves corresponding to the key generation station apparatus 2-1, and at least one composed of leaves corresponding to the key generation station apparatus 2-2. Can be divided into two degenerate trees. As shown in Fig. 5, (1) leaves that use variables of the key generation station device of interest are valid, and (2) leaves that use variables of other key generation station devices are invalid.
(3) An AND node with one valid child node is valid, (4) An OR node with one invalid child node is invalid, (5) An AND node with all invalid child nodes is invalid, (6 The degenerate tree can be determined by the steps (1) to (6) in which OR nodes whose child nodes are all valid are valid.

FIG. 5 shows a degenerate tree corresponding to the key generation station apparatus 2-1. The degenerate tree corresponding to the key generation station apparatus 2-1 is associated with a degenerate tree composed of leaves associated with the random numbers s " ₁ , s" ₂ , and s " ₄ , and with a random number s" _7. It is a degenerate tree that is constructed. Similarly, FIG. 6 shows a degenerate tree corresponding to the key generation station apparatus 2-2. In FIG. 6, the degenerate tree corresponding to the key generation station apparatus 2-2 is associated with a degenerate tree composed of leaves associated with the random numbers s ″ ₃ and s ″ ₅ , respectively, and a random number s ″ _6. It is a degenerate tree that is composed.

  In this way, a degenerate tree corresponding to a certain key generation station apparatus is set to at least one tree composed of leaves corresponding to the key generation station apparatus among a plurality of leaves constituting the tree representing the predicate S.

And pay attention to the roots of those degenerate trees. In order to determine the leaf random number so that the value of the portion corresponding to the root of the degenerate tree is 0, the above-described monotone circuit configuration method is executed for each degenerate tree, as shown in FIGS. A random number s ” ₁ ,..., S” ₇ is determined using the obtained matrix.

  That is, the root value of each degenerate tree calculated by the predicate of each degenerate tree in the predicate S using a random number corresponding to the leaf of each degenerate tree corresponding to each key generation station is 0. Generate random numbers corresponding to multiple leaves.

In the example of FIG. 5, the degenerate tree composed of leaves associated with the random numbers s ″ ₁ , s ″ ₂ , and s ″ ₄ corresponding to the key generation station device 2-1 is f ″ ₁ , f If “ ₂ ” is a random number and s ” ₁ = f” ₂ , s ” ₂ = f” ₁ -f ” ₂ , s” ₁ = -f ” ₂ , the root value of the degenerate tree can be set to zero. . In addition, the degenerate tree that is associated with the random number s ″ ₇ and corresponds to the key generation station apparatus 2-1 may have the degenerate tree root value set to 0 by setting s ″ ₇ = 0. it can.

In the example of FIG. 6, the degenerate tree composed of leaves corresponding to the key generation station apparatus 2-2 and associated with the random numbers s ″ ₃ , s ″ ₅ is s ″ with f ″ ₃ as a random number. By setting ₃ = f ″ ₃ , s ″ ₅ = −f ″ ₃ , the root value of the degenerate tree can be set to 0. Also, the random number s ″ ₆ corresponding to the key generation station apparatus 2-2 is The root value of the degenerated tree can be set to 0 by setting s ” ₆ = 0 for the configured degenerated tree that is associated.

As in the case of GID, in a functional cryptographic system using linear secret sharing with a simple circuit configuration, the root value corresponding to each degenerate tree based on the secret key (predicate variable value) that the decryption device has at the time of decryption Is calculated, and the calculated root value becomes the noise of plaintext m ′. If the LIDs match, in other words, the plaintext m ′ is decrypted based on a random number (for example, s ” ₁ ,..., S” ₇ ) set so that the root value of each degenerate tree = 0. Is possible, the root value of each degenerate tree is 0 and the noise is 0, so that plaintext m ′ can be correctly decrypted. If the LIDs do not match, in other words, if the plaintext m ′ cannot be decrypted based on a random number (for example, s ” ₁ ,..., S”) set so that the root value of each degenerate tree is 0 Since the root value of each degenerate tree ≠ 0 and the noise does not become 0, the plaintext m ′ cannot be correctly decrypted.

  In this way, if the LID does not match in the degenerate tree, even if the circuit is evaluated to the end, the random number is not erased and the cipher cannot be decrypted. On the other hand, even with different LIDs in different groups, the random numbers are erased and the encryption can be decrypted.

  As shown in FIG. 1, the functional cryptographic system includes, for example, a standardization institution apparatus 1, a key generation station apparatus 2, an encryption apparatus 3, and a decryption apparatus 4. There may be a plurality of key generation station apparatuses 2 and decryption apparatuses 4.

The standardization engine apparatus 1 generates a common reference character string gparam from the security parameter 1 ^λ (step S1). The standardization engine apparatus 1 generates the common reference character string gparam by, for example, the GSetup algorithm exemplified below. The generated common reference character string gparam is disclosed in a form that anyone can refer to. In order to avoid any traps being placed on the common reference character string gparam, it is desirable that the generation process of the common reference character string gparam can be publicly verified.

GSetup is a stochastic polynomial time algorithm that receives the security parameter 1 ^λ and outputs the common reference character string gparam1. In the GSetup algorithm, λ is a predetermined positive integer, 1 ^λ is a security parameter, q is a predetermined prime number, G ₁ and G _T are cyclic groups of order q, and e is a pairing function G is a function for generating q, G ₁ , G _T , G, e from the security parameter 1 ^λ , g _bpg (1 ^λ ).
GSetup (1 ^λ ) {
param _G : = (q, G ₁ , G _T , G, e) ← ^$ g _bpg (1 ^λ );
H ← ^$ {RandomOracle: {0,1} ^* → G ₁ };
g ₀ ← H (0 ^λ );
g ₁ ← H (0 ^λ-1 1);
g _T ← e (g ₀ , g ₁ );
gparam ← (param _G , H, g ₀ , g ₁ , g _t );
return gparam;
}

  The key generation station apparatus 2 generates a station public parameter apk and a master key ask using the common reference character string gparam (step S2). The generated master key ask is secretly held in the key generation station apparatus 2, and the generated station public parameter apk is disclosed in a form that anyone can refer to. When there are a plurality of key generation station apparatuses 2, each of the plurality of key generation station apparatuses 2 performs a process of generating a station public parameter apk and a master key ask.

The key generation station device 2 generates a station public parameter apk and a master key ask by, for example, the ASetup algorithm exemplified below. ASetup is a probabilistic polynomial time algorithm that receives a common reference character string gparam and outputs a publicly disclosed parameter apk and a master key ask. In the ASetup algorithm, d is the number of predicate variables managed by the key generation station apparatus 2, and n _i is the dimension of the i-th predicate variable.
ASetup (gparam) {
for i∈ {1,…, d} do {
(vsk _i , var _i ) ← GenerateVar (gparam, n _i );
}
ask ← (vsk ₁ ,…, vsk _d );
apk ← (var ₁ ,…, var _d );
return (ask, apk)
}

For example, GenerateVar, which is a subroutine of the ASetup algorithm, is shown as follows. n means n _i in the above ASetup algorithm. Thus, it should be noted that indexes such as i and j may be omitted in the subroutine. The same applies to subroutines of other algorithms.

n is a predetermined positive integer. GL is an N × N regular matrix in which each element is F _q and has an inverse matrix. As i = 1,..., N, B _i is the i-th column vector constituting the matrix B.
GenerateVar (gparam, n) {
(param _G , H, g ₀ , g ₁ , g _t ) ← gparam;
N ← 7n + 1;
X ← ^$ GL (N, F _q );
B ← X ・ g ₀ ;
B ^ ← (B ₁ ,…, B _3n , B _N );
Y ← (X ^-1 ) ^T ;
var ← (B ^, n, gparam);
vsk ← (Y, var);
}

The key generation station apparatus 2 generates a corresponding secret key sk _x based on the master key ask, GID gid, and key identifier (assignment of values to predicate variables) x (step S3). The generated secret key sk _x is transmitted to the decryption device 4 which is a computer possessed by the user corresponding to gid. When there are a plurality of key generation station apparatuses 2 and users, each key generation station apparatus 2 performs a process of generating a secret key sk _x for each user.

The key generation station apparatus 2 generates the secret key sk _x by, for example, the AttrGen algorithm exemplified below. AttrGen is a stochastic polynomial time algorithm that generates a corresponding secret key sk _x based on a master key ask, GID gid, and key identifier (assignment of value to predicate variable) x. x: = ((t ₁ , x ^→ ₁ ),..., (t _a , x ^→ _a )) is a list of values assigned to predicate variables. As i = 1,..., a, t _i is an index of the list (subscript of the predicate variable to be assigned), and x _i is a value or vector assigned to the predicate variable represented by the index. In this way, the key generation station device 2 issues a different local identifier G _lid each time a secret key is generated, and generates a secret key including information on the issued local identifier G _lid . The key generation station apparatus 2 further issues a global verifiable identifier G _gid of the user who transmits the generated secret key, and generates a secret key further including information on the issued global verifiable identifier G _gid. .
AttrGen (ask, gid, x) {
(vsk ₁ ,…, vsk _d ) ← ask;
((t ₁ , x ^→ ₁ ),…, (t _a , x ^→ _a )) ← x;
G _gid ← H (gid);
G _lid ← ^$ G ₁ ;
for i∈ {1,…, a} do {
j ← t _i ;
k _i ← ^$ AssignVar (vsk _j , G _gid , G _lid , x ^→ _i );
}
sk _x ← (k ₁ ,…, k _a )
return sk _x
}

AssignVar, which is a subroutine of the AttrGen algorithm, is shown as follows, for example. 0 is the point at infinity.
AssignVar (vsk, G _gid , G _lid , x ^→ ) {
(Y, var) ← vsk;
(B ^, n, gparam) ← var;
(param _G , H, g ₀ , g ₁ , g _t ) ← gparam;
φ ^→ → ^$ F _q ⁿ ;
k ^* ← Y ・ (x ^→・ g ₁ , x ^→・ G _gid , x ^→・ G _lid , O ³ⁿ , φ ^→・ g ₁ , 0);
k ← (k ^* , x ^→ , var);
return k;
}

The encryption device 3 generates a ciphertext c _S based on the receiver identifier (also referred to as a predicate) S and the plaintext m described using the station public parameter apk of each key generation station device 2 (step S4). . The generated ciphertext c _S is transmitted to the decryption device 4 held by the user having the recipient identifier S. The encryption device 3 generates the ciphertext c _S using, for example, the Enc algorithm exemplified below.

The Enc algorithm is a probabilistic polynomial time algorithm that generates a ciphertext c _S with a predicate S and a plaintext m as inputs. The predicate S is composed of M, M ″, ρ. M is a secret sharing generator matrix representing the predicate S, and M ″ is a tuned secret sharing generator matrix representing the predicate of the degenerate tree of the predicate S. ρ is a list of literal predicates. ρ _i is the i-th literal predicate and is composed of Neg, var, v ^→ . Neg is information indicating whether the literal predicate is positive (Neg = 0) or negative (Neg = 1), var is a predicate variable, v ^→ is a conditional expression indicating the value of the predicate variable, var and v ^→ is a primitive predicate. e ₁ ^→ is (1,0, ..., 0).
Enc (S, m) {
(M, M ”, ρ) ← S;
f ← ^$ F _q ^r ; f '← ^$ {0} × F _q ^r-1 ; f ”← ^$ F _q ^r” ;
s ← M ・ f; s '← M ・ f'; s ”← M” ・ f ”;
s ₀ ← f ₁ ;
for i∈ {1,…, l} do {
(Neg, var, v ^→ ) = ρ _i ;
(B ^, n, gparam) ← var;
N ← 7n + 1;
η ← ^$ F _q ;
if Neg = 0 then {
(θ, θ ', θ'') ← ^$ F _q ³ ;
_{c i ← (s i e 1} → + θv →, s i 'e 1 → + θ'v →, s i "e 1 → + θ" v →, η) B ^;
} else {
c _i ← (s _i v ^→ , s _i 'v ^→ , s _i ″ v ^→ , η) _{B ^} ;
}
};
c _{l + 1} ← mg _T ^s0 ;
c _s ← (S, c ₁ ,…, c _l , c _{l + 1} );
return c _s ;
}

The decryption device 4 generates plaintext m ′ using the secret keys sk _x1 ,..., Sk _{xn ′} and the ciphertext c _S. n ′ is the number of secret keys used (step S5). The decryption device 4 generates plaintext m ′ using, for example, the Dec algorithm exemplified below. For example, the decryption device 4 decrypts the plaintext so that a correct plaintext is generated only when the local identifiers included in the secret key for decrypting the plaintext are the same.

The Dec algorithm is a probabilistic polynomial time algorithm that receives the secret keys sk _x1 ,..., Sk _{xn ′} and the ciphertext c _S and outputs the plaintext m ′. acc is a variable that indicates whether plaintext m 'can be correctly decrypted. When acc = True, plaintext m' can be decrypted correctly, and when acc ≠ True, plaintext is correctly represented. This represents that m ′ cannot be decrypted. When acc ≠ True, NG that is information indicating that plaintext m ′ cannot be correctly decrypted is output. β is a correction factor, and J is a mapping from a literal index to a key index.
Dec algorithm
Dec ({sk _x1 ,…, sk _{xn '} }, c _s ) {
{k ₁ ,…, k _a } ← U _i sk _xi ;
(S, c ₁ ,…, c _l , c _{l + 1} ) ← c _s ;
(acc, β, J) ← Accept (S, {k ₁ ,…, k _a });
if acc = True then {
K = 1;
for i∈ {1,…, l} do {
if β _i ≠ 0 then {
j ← J _i ;
(k ^* , x ^→ , var) ← k _j ;
K ← ^× e (c _i , k ^* ) ^βi ;
}
}
m '← c _{l + 1} / K;
return m ';
} else {
return NG;
}
}

The Accept algorithm, which is a subroutine of the Dec algorithm, is expressed as follows, for example.
Accept (S, k) {
(M, M ”, ρ) ← S;
for i∈ {1,…, l} do {
(Neg, var, v ^→ ) ← ρ _i ;
if (∃j st k _j = (k ^* , var, x ^→ ) st (
((Neg = 0) ∧ (x ^→・ v ^→ = 0)) ∨
((Neg ≠ 0) ∧ (x ^→・ v ^→ ≠ 0))) then {
J _i ← j;
γ _i ← x ^→・ v ^→ ;
} else {
J _i ← NG;
M _i ← 0 ^→ ;
}
}
(M ', V, w, l') ← GaussianElimination (M);
σ ← (1,0,…, 0)
α ← 0 ^→ ; // (α ₁ ,…, α _l ) ← (0,…, 0) Initialization
for i∈ {1,…, l '} do {
t ← w _i ;
α ← ⁺ σ _t・ V _i ; σ ← ⁺ σ _t・ M _i ';
}
acc ← (σ = ^? 0 ^→ );
// True if the σ a linear combination of M _i can be zero
β ← α;
for i∈ {1,…, l} do {
(Neg, var, v ^→ ) → ρ _i ;
if (β _i ≠ 0) ∧ (Neg ≠ 0) ∧ (γ _i ≠ 0) then β _i → ^÷ γ _i ;
}
return (acc, β, J);
}

For example, GaussianElimination (M), which is a subroutine of the Accept algorithm, is expressed as follows. I _l is an l × l identity matrix. GaussianElimination (M) is an algorithm that converts M into M ′, which is a step matrix of M. V is an l × l matrix for making M a step matrix. That is, M ′ = V · M. w is the index of the first non-zero component element whose w _i is M _i ′. l 'is the number of non-zero rows of M'.
GaussianElimination (M) {
V ← I _l ;
t ← 0;
l '← 0;
for i∈ {1,…, l} do {
// Start partial pivot selection
t ++; if t> r then goto last;
j ← i;
while M _{j, t} = 0 do {
j ++;
if j> l then {
t ++; if t> r then goto last;
j ← i;
}
}
swap (M _i , M _j ); swap (V _i , V _j ); // swap rows
// end partial pivot selection
l '← I;
w '← t;
V _i ← ^÷ M _{i, t} ; M _i ← ^÷ M _{i, t} ;
for j∈ {i + 1,…, l} do {
if M _{j, t} ≠ 0 then {
^{_{V j ← - M j, t}} · V i; M j ← M j, t · M i;
}
}
}
last: return (M, V, w, l ');
}

  Hereinafter, the Accept algorithm will be described.

When the cipher can be decrypted with the correct procedure, ie in the Dec algorithm
(acc, β, J) ← Accept (S, {k ₁ ,…, k _a });
If acc returns True at, the key (specific variable assignment) {k ₁ ,..., K _a } satisfies the predicate S.

This means that only the part satisfied by {k ₁ ,…, k _a } in the list ρ of literal predicates (the leaf part of the tree) contained in the predicate S is used for the root part of the tree. It means that the corresponding information can be restored.

To determine whether the key (specific variable assignment) {k ₁ ,…, k _a } satisfies the predicate S, only the leaf portion of the tree that can be used is used. It is only necessary to determine whether or not the root information can be restored.

Now, information s ₁ of the leaves of the tree by a linear secret sharing, ..., s _l is the independent variable f _1, ..., and is described as follows by f _r.

In general, since only a part of {ρ ₁ , ..., ρ _l } is a literal predicate that satisfies the key {k ₁ , ..., k _a }, the leaf information that can actually be used for decryption is s ₁ , …, Sl only some information in _l . define l × l matrix Z, keys _{{k 1, ..., k a} } Z i when satisfies the i-th literal predicate [rho _{i, i} = 1 otherwise Z _i, and _j = 1 Naru diagonal matrix Then, the relational expression between the leaf variable s _i and the independent variable f _i that can actually be used for decoding can be described as follows.

In the first half of the Accept algorithm, overwriting some rows of the matrix M with 0 ^→ is calculating M ← Z · M. Then, s _1, ..., partial information Z · of _{s l (s 1, ...,} s l) from ^T, information of the root of the _{tree s 0 = f 1 = (} 1,0, ..., 0) · (f 1 ,..., F _r ) ^T can be calculated, and the fact that a row vector of (1,0,..., 0) can be generated by linear combination of the rows of the matrices Z and M is equivalent.

Therefore, in order to determine whether the key (specific variable assignment) {k ₁ ,..., K _a } satisfies the predicate S, the linear combination of the rows of the matrix Z · M (1, It may be determined whether or not a row vector (0,..., 0) can be generated.

  For this purpose, first, a staircase type matrix M ′ is generated by Z · M row basic deformation using Gaussian elimination. The Gaussian Elimination algorithm, which is a subroutine of the Accept algorithm, creates the staircase type matrix M ′. At this time, M ′ = V · Z · M can be described by the regular matrix V.

  Since V is a regular matrix, a row vector of (1,0, ..., 0) can be generated by linear combination of the rows of the matrix Z and M, and the linearity of the rows of M '= V, Z and M It is equivalent to the fact that a row vector (1,0,..., 0) can be generated by combining.

Since M 'is a step matrix, whether or not a row vector of (1,0, ..., 0) can be generated by linear combination of the rows of M' depends on the step of M 'as in the for loop in the middle of the Accept algorithm. While paying attention to the elements of the matrix, each row of M ′ is successively subtracted from (1,0,..., 0) to determine whether or not it can be transformed into (0,..., 0). If M ′'s linear combination (ζ ₁ ,…, ζ _l ) · M ′ is
(ζ ₁ ,…, ζ _l ) ・ M '= (1,0,…, 0)
If you meet
(ζ ₁ ,…, ζ _l ) ・ V ・ Z ・ M = (1,0,…, 0)
Because
(α ₁ ,…, α _l ) = (ζ ₁ ,…, ζ _l ) ・ V ・ Z
(Α ₁ ,…, α _l ) · M = (1,0,…, 0)

It becomes. That is, if the key {k ₁ ,…, k _a } satisfies the predicate S,

It becomes. This α _i is calculated in the for loop in the middle of the Accept algorithm. Similarly,

It becomes. Further, when there are n degenerate trees and j _i ∈ {1,..., N} and the i-th leaf and the i′-th leaf are included in the same degenerated tree, j _i = j _{i ′} is defined. Let χ _j be an indefinite element, and consider the sum of Σ _{i = 1} ^l α _i s _i ”χ _ji ,

It becomes. Through the same restoration process as the original secret sharing within the degenerate tree, the definition of the tuned secret sharing is 0.

So that the identity of the indefinite element χ _j

It becomes.

Last for loop Accept algorithm when computing the information about the s _i from negative literal predicate calculations are seeking beta _i is a value obtained by correcting the alpha _i so as to be simple. See below for details.

K calculated in the first for statement in the Dec algorithm is δ ^gid and δ _j ^lid

Defined as

Therefore, Correctness is satisfied. In the above explanation, δ _ji ^lid is substituted for χ _ji . B ^* is a dual basis of the so-called ^{B, B * = Y · g} 0 = (X -1) is ^T · g _0.

  Finally, the reason why the noise does not disappear due to the attacker's attack will be explained. Now, from an attacker's standpoint, let's consider applying a combination of several keys with different lids to a certain degenerate tree, and somehow decrypting the ciphertext that should not be decrypted.

At this time, even if the i-th leaf and the i'-th leaf are included in the same degenerate tree, i, i 'exists such that j _i ≠ j _i', and the identity (1) is used. Can not do it. Therefore, the attacker

For each ciphertext, it is necessary to find a convenient combination of χ _ji to establish However, the specific value of χ _ji is determined by the discrete logarithm of G _lid in the AttrGen algorithm, and as long as the target key generation station device correctly performs AttrGen, χ _ji is randomly selected, and the attacker Chi- _ji , which is convenient, can be derived only with an overwhelmingly low probability.

[Modification]
The processes described in the above apparatus and method are not only executed in time series according to the description order, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the process.

  Further, when each process in the functional cryptographic system method is realized by a computer, processing contents of functions that the functional cryptographic system method should have are described by a program. Then, by executing this program on the computer, the processing means in the functional cryptographic system method is realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Each processing means may be configured by executing a predetermined program on a computer, or at least a part of these processing contents may be realized by hardware.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Standardization organization apparatus 2 Key generation station apparatus 3 Encryption apparatus 4 Decryption apparatus

Claims (3)

In a functional cryptosystem using linear secret sharing by a monotone circuit construction method,
Each of a plurality of leaves constituting the tree expressing the predicate S used in the linear secret sharing is associated with a key generation station device corresponding to a literal predicate corresponding to each leaf,
A degenerate tree corresponding to a certain key generation station device is at least one tree composed of leaves corresponding to the key generation station device among the plurality of leaves,
The root value of each degenerate tree calculated by a predicate of each degenerate tree in the above descriptive word S using a random number corresponding to the leaf of each degenerate tree corresponding to each key generation station apparatus is 0. An encryption device that generates random numbers corresponding to a plurality of leaves and encrypts plaintext using the generated random numbers;
Functional cryptographic system including The functional cryptographic system according to claim 1,
The encryption device further generates random numbers corresponding to the plurality of leaves such that the root value of the tree calculated by the upper descriptive word S is 0 using the random numbers corresponding to the plurality of leaves, Encrypt the plaintext by further using the generated random number,
Functional cryptographic system. In a functional encryption method using linear secret sharing by a monotone circuit construction method,
Each of a plurality of leaves constituting the tree expressing the predicate S used in the linear secret sharing is associated with a key generation station device corresponding to a literal predicate corresponding to each leaf,
A degenerate tree corresponding to a certain key generation station device is at least one tree composed of leaves corresponding to the key generation station device among the plurality of leaves,
The value of the root of each degenerate tree calculated by the predicate of the portion of each degenerate tree in the upper descriptive word S using the random number corresponding to the leaf of each degenerate tree corresponding to each key generation station apparatus is 0. An encryption step for generating random numbers corresponding to the plurality of leaves and encrypting the plaintext using these generated random numbers,
Functional encryption method including

Images