JP5863683B2 - Commitment system, common reference information generation device, commit generation device, commit reception device, commitment method, and program - Google Patents

Description

  The present invention relates to information security technology, and more particularly, to commitment technology that maintains high security even in an environment in which a plurality of cryptographic protocols are incorporated and operate simultaneously.

  A cryptographic commitment is an electronic “sealing hand”. The commitment method is a protocol performed between a committing sender (committer) and a commitment receiving receiver. The sender deposits (commits) information with the receiver in the commit phase. At this time, the receiver cannot know the contents of the deposited information (confidentiality). Next, the sender discloses the information concealed in the disclosure phase in a form that is convincing to the receiver, but cannot disclose the information different from the information deposited in the commit phase to satisfy the receiver (binding). . Commitment must basically satisfy such confidentiality and binding. Applications that come to mind immediately are electronic janken and coin-throwing (of course, you can use sealers for shogi and samurai), but the range of practical applications is far wider.

  Since commitment is the most basic cryptographic protocol, it is frequently used in higher-level cryptographic protocols. In recent years, commitments have been increasingly used in more complex combinations to bring cryptographic protocols closer to the real environment. In such a complex combination, the commitment made with the classic cryptographic security model cannot satisfy both confidentiality and constraint at the same time. A general-purpose combinable commitment is a commitment designed to satisfy confidentiality and restraint even when commitments are used in such a complex combination. , 2).

  It is known that a common reference string (hereinafter also referred to as CRS) created by a third party that can be accessed by both the sender and the receiver is necessary in order to be able to construct a universal combinable commitment. (Refer nonpatent literature 3). Due to technical problems, this CRS is divided into a case where it must be disposable for each commit (that is, a new CRS is required for the number of commits) and a case where the same CRS can be reused without being disposable. Of course, the “CRS reuse type” commitment method that can use CRS all the time is more practical. Conventional CRS reusable general-purpose combinable commitments include techniques described in Non-Patent Documents 1, 3, 4, 5, and 6.

  In the universal combinable commitment, there are a method in which the sender and receiver cannot guarantee the security without discarding the data during or after the protocol, and a method in which the safety can be ensured without discarding. . Of course, the latter “information disposal-free” general-purpose combinable commitment is more secure and desirable.

  Furthermore, the amount of calculation, the amount of communication, the number of communication, etc. are also indicators for judging whether the general-purpose combined commitment is good or bad. Naturally, the smaller the amount of calculation, the amount of communication, and the number of communications, the higher the practicality. In particular, a scheme in which a commitment is completed simply by sending from a sender to a receiver is called “non-interactive” general-purpose combinable commitment.

R. Canetti, “Universally composable security: A new paradigm for cryptographic protocols”, 42nd Annual IEEE Symposium on Foundations of Computer Science (FOCS 2001), pp. 136-145, IEEE Computer Society, 2001. Ran Canetti, “Universally composable security: A new paradigm for cryptograpic protocols”, Technical report, Cryptology ePrint Archive, Report 2000/067, 2005. Preliminary version appeared in FOCS’01. R. Canetti and M. Fischlin, “Universally composable commitments”, CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pp. 19-40, 2001. R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai, “Universally composable two-party and multiparty secure computation”, STOC 2002, pp. 494-503, 2002. Ivan Damgard and Jesper Buus Nielsen, “Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor”, CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pp. 581-596, 2002. Ivan Damgard and Jens Groth, “Non-interactive and reusable non-malleable commitment schemes”, STOC 2003, pp. 426-437, 2003. Ryo Nishimaki, Eiichiro Fujisaki, and Keisuke Tanaka, “Efficient non-interactive universally composable string-commitment schemes”, ProvSec 2009, volume 5848 of Lecture Notes in Computer Science, pp. 3-18, 2009. Yehuda Lindell, “Highly-efficient universally-composable commitments based on the DDH assumption”, EUROCRYPT 2011, volume 6632 of Lecture Notes in Computer Science, pp. 446-466, 2011. Marc Fischlin, Beno ^ it Libert, and Mark Manulis, “Non-interactive and re-usable universally composable string commitments with adaptive security”, ASIACRYPT 2011, volume 7073 of Lecture Notes in Computer Science, pp. 468-485, 2011. Eiichiro Fujisaki, “A framework for efficient fully-equipped UC commitments”, IACR Cryptology ePrint Archive, 2012: 379, 2012.

  Conventional schemes other than Non-Patent Documents 5 and 6 are selective ciphertext attacks that have a plaintext space of O (к) bits (where к is a security parameter and к = 2048,160) to commit 1-bit secret information. However, at least two public key ciphers that are secure are necessary. That is, in order to commit 1-bit secret information, an information amount of O (к) bits is required, which is inefficient.

  In the methods of Non-Patent Documents 5 and 6, the efficiency is improved because only O (к) bits are required to commit the secret information of к bits. However, these protocols require three communications between the sender and receiver. In the method of Non-Patent Document 5, the size of CRS increases in proportion to the number of participants. This means that as the number of participants in the higher-level protocol that uses the commitment method as a sub-protocol increases, the size of the CRS increases accordingly. On the other hand, in the method of Non-Patent Document 6, the size of the CRS is fixed, but there is a possibility that safety is not ensured unless data on the way is discarded at an appropriate time. In any case, each of the non-patent documents 5 and 6 has a drawback that three communications are required between the sender and the receiver.

  In recent years, efficient methods such as Non-Patent Documents 7, 8, and 9 have been proposed, but the method of Non-Patent Document 7 is non-interactive but not CRS reuse type. The method of Non-Patent Document 8 has a small amount of communication, but is a five-communication interactive type, and it must be able to discard the data appropriately. The method of Non-Patent Document 9 is non-interactive, but it must be able to discard data on the way.

  Thus, in the prior art, CRS reuse type, non-interactive, no information discard type efficient (ideally, O (к) bits are required to commit к bits of secrets). There was no possible commitment.

Recently, the method of Non-Patent Document 10 invented an efficient general-purpose combinable commitment of CRS reuse type, non-interactive type, and no information discard type. However, the method of Non-Patent Document 10 requires a CRS having a size of O (к ² ) for the size к of the security parameter.

  An object of the present invention is to shorten common reference information in a CRS reusable, non-interactive, and information discard-free efficient universal combinable commitment.

  In order to solve the above problems, a commitment system of the present invention includes a common reference information generation device, a commit generation device, and a commit reception device. In this invention, к is a positive integer security parameter, COIN is a random space uniquely determined by the plaintext m and the public key pk, U is a predetermined set, and MSP is uniquely determined by the public key pk. It is a plain text space.

  The common reference information generation device includes a key generation unit that generates a public key pk and a secret key sk based on a security parameter к, a key discard unit that discards the secret key sk, and a public unit that discloses the public key pk. Have.

  The commit generation device selects a random number r from the random number space COIN, selects a sample value u from the set U, a plaintext m on the plaintext space MSP, a public key pk, a random number r, and a к-bit tag t An encryption unit that encrypts using the sample value u to generate a ciphertext c, a commit unit that transmits the ciphertext c, the tag t, and the sample value u to the commit receiver, a plaintext m, and a random number r And a disclosure unit that transmits the data to the commit receiving device.

  The commit receiver confirms that the tag t is a bit string of к bits, the random number r is an element of the random space COIN, the sample value u is an element of the set U, and the plaintext m is an element of the plaintext space MSP And a ciphertext c ′ obtained by encrypting the plaintext m using the public key pk, the random number r, the tag t, and the sample value u, and confirming that the ciphertext c ′ and the ciphertext c are equal. And an opening portion.

  The present invention can shorten common reference information in a CRS reuse type, non-interactive type, and information discard-free efficient general-purpose combinable commitment.

The figure which illustrates the functional composition of a commitment system. The figure which illustrates the function structure of a common reference information generation apparatus. The figure which illustrates the function structure of a commit production | generation apparatus. The figure which illustrates the function structure of a commit receiver. The figure which illustrates the processing flow of common reference information generation. The figure which illustrates the processing flow of a commit and a decommitment.

  Prior to the description of the embodiments, notation methods and terms used in this specification are defined.

[Notation]
・ The superscript represents the power. For example, x ^y is x to the power of y.
・ ^ Represents power. For example, x ^ y is x to the power of y.
・ ∃ is an existence symbol. For example, ∃x represents “at least one x exists”.
・ The following symbols represent floor functions. That is, it represents the largest integer less than or equal to x.

[All-But-Many encryption]
In the present invention, All-but-many encryption (hereinafter referred to as ABM encryption) is used. The ABM cipher can be configured by combining a (weak) extractable Sigma protocol and a stochastic pseudo-random function whose output value is unpredictable. For more details on the (weak) extractable Sigma protocol, see Eiichiro Fujisaki, “New constructions of efficient simulation-sound commitments using encryption and their applications”, CT-RSA, volume 7178 of Lecture Notes in Computer Science, pp. 136-155, 2012. (Reference 1) ”. Refer to Non-Patent Document 10 for details of the configuration method of the ABM encryption.

  Hereinafter, an outline of the ABM encryption will be described. The ABM cipher has five algorithms: key generation algorithm (ABM.gen), sampling algorithm (ABM.spl), encryption algorithm (ABM.enc), decryption algorithm (ABM.dec), and collision algorithm (ABM.col). It is a public key cryptosystem consisting of

The key generation algorithm (ABM.gen) is a stochastic algorithm. The security parameter 1 ^к is input, and the public key pk and secret key sk key pair (pk, sk) is output. The public key pk includes a description of the set pair (S, L). ^{However, S = {0,1} к ×} U, L = {0,1} к × L u, is L _u subset of U, U is a set of predetermined. For simplification of description, it is assumed that the secret key sk includes the public key pk.

The sampling algorithm (ABM.spl) is a stochastic algorithm. The secret key sk and the tag t∈ {0,1} ^к are input, and the sample value u (= ABM.spl _L (sk, t; r)) is output. However, (t, u) ∈L (that is, u∈L _u ). An area for sampling a random number r used when outputting the sample value u is defined as COIN _spl . The area COIN _spl is uniquely determined by the public key pk.

The encryption algorithm (ABM.enc) is a stochastic algorithm. The public key pk, the tag t∈ {0,1} ^к and the sample value u (t, u) ∈S and plaintext x∈MSP are input and the ciphertext c (= ABM.enc ^{(t, u)} ( pk, x; r)) is output. However, r is a random number, MSP is a plaintext space, and COIN is a random space. The plaintext space MSP is uniquely determined from the public key pk. The random space COIN is uniquely determined by the public key pk and the plaintext x∈MSP.

The decryption algorithm (ABM.dec) is a deterministic algorithm. The private key sk, the tag t∈ {0,1} ^к and the sample value u (t, u) ∈S, and the ciphertext c are input, and plaintext x (= ABM.dec ^{(t, u)} (sk, c)) is output.

The collision algorithm (ABM.col) is a set of two probabilistic algorithms (ABM.col ¹ and ABM.col ² ). The first collision algorithm (ABM.col ¹ ) receives a secret key sk, a random number ^ r∈COIN _spl , a tag t∈ {0,1} ^к , and a pair (c, ξ) of a ciphertext c and a value ξ. (← ABM.col ¹ (sk, ^ r; t)) is output. The second collision algorithm (ABM.col ² ) takes the value ξ and plaintext x∈MSP as input, u = ABM.spl (sk, t; ^ r) and c = ABM.enc ^{(t, u)} (pk , x; r), a random number r∈COIN is output.

ABM cryptography is a public key cryptosystem with all-but-many characteristics and dual mode characteristics. The all-but-many characteristic means that the key generation algorithm (ABM.gen) and the sampling algorithm (ABM.spl) have the property of a probabilistic pseudo random function (PPRF). The stochastic pseudo-random function (PPRF) is a function that satisfies various safety requirements such as easy sampling, pseudo randomness, and unforgeability. The dual mode characteristic refers to having both a decryption mode and a trap-door mode. In Decryption mode, ABM.dec ^{(t, u)} (sk, ABM.enc ^{(t, u)} (pk, x) for all (t, u) ∈S \ L _pk , x∈MSP ) = x. In trap-door mode, all (t, u) ∈L _pk , v∈COIN _spl , (c, ξ) ← ABM.col ¹ (sk, v, t), x∈MSP c = ABM.enc ^{(t, u)} (pk, x; ABM.col ² (ξ, x)) holds. Refer to Non-Patent Document 10 for details and proof of various safety conditions.

  Using ABM cryptography, a CRS reusable, non-interactive, information discard-free general-purpose combinable commitment can be constructed. Specifically, the public key pk is used as common reference information, and the ciphertext c = ABM.enc (pk, x; r) is used as a commitment. In order to disclose the commitment, a random number r may be given as evidence.

  In the universal combinable commitment of the present invention, only the ABM encryption key generation algorithm (ABM.gen) and the encryption algorithm (ABM.enc) are used. The sampling algorithm (ABM.spl), the decryption algorithm (ABM.dec), and the collision algorithm (ABM.col) are not used in commitments, but are necessary for proving the security of the ABM cipher.

[Damgard-Jurik cipher]
The Damgard-Jurik cipher (hereinafter also referred to as DJ cipher) is an encryption method that cannot be identified against a selected plaintext attack with homomorphism. Damgard-Jurik cipher security is based on DCR (Decision Composite Residuosity) assumptions.

  The Damgard-Jurik cipher is a public key cryptosystem composed of three algorithms: a key generation algorithm (K), an encryption algorithm (E), and a decryption algorithm (D).

The key generation algorithm (K) performs the following processing. The security parameter k is input, k-bit prime numbers p and q are selected, and n = pq is calculated. g = (1 + n) ^j x mod n ^{s + 1} is calculated, where ^s is an integer greater than or equal to 1 and j is an integer relatively prime to n. The least common multiple λ of p−1 and q−1 is calculated, and a value d satisfying d mod n ∈Z _n and d = 0 mod λ is selected. Let (n, g) be the public key and d be the secret key.

The encryption algorithm (E) performs the following processing. a n ^{s + 1} to select the residue ring Z _{n ^ s + 1} from the random number r modulo. The plaintext i∈Z _{n ^ s} is input and the ciphertext c = g ⁱ r ^{n ^ s} mod n ^{s + 1} is calculated.

The decryption algorithm (D) performs the following processing. c ^d mod n ^{s + 1} and g ^d mod n ^{s + 1} are calculated. Since c ^d = (1 + n) ^{jid mod n ^ s} , g ^d = (1 + n) ^{jid mod n ^ s} , calculate jid mod n ^s , jd mod n ^s , and plaintext i = (jid ) · (Jd) ⁻¹ mod n ^d is calculated.

  For details on each algorithm of Damgard-Jurik cipher, see “I. Damgard and M. Jurik,“ A generalization, a simplification and some applications of Paillier's probabilistic public-key system ”, PKC 2001, volume 1992 of Lecture Notes in Computer Science, pp. 125-140, 2001 (reference 2). For details on the DCR assumption, see “P. Pallier,“ Public-Key Cryptosystems based on Composite Degree Residue Classes ”, Proceedings of EuroCrypt 99, pp.223-238.

[Embodiment]
Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the component which has the same function in drawing, and duplication description is abbreviate | omitted.

  The first embodiment of the present invention is a universal combinable commitment composed of arbitrary ABM ciphers. The second embodiment is a universal combinable commitment configured based on the Non-Mult assumption using Damgard-Jurik encryption. Details of the Non-Mult assumption are described in Non-Patent Document 10.

[First embodiment]
As described above, the first embodiment is a universally joinable commitment composed of an arbitrary ABM cipher. Any encryption method having the above-mentioned ABM encryption property can be applied.

<Configuration>
With reference to FIG. 1, the example of a structure of the commitment system 1 of this embodiment is demonstrated. The commitment system 1 includes a common reference information generating device 2, a commit generating device 3, and a commit receiving device 4. The common reference information generation device 2, the commit generation device 3, and the commit reception device 4 are connected to the network 5, respectively. The network 5 only needs to be configured so that the connected devices can communicate with each other. For example, the network 5 can be configured with the Internet, a LAN (Local Area Network), a WAN (Wide Area Network), or the like. Each device does not necessarily need to be able to communicate online via a network. For example, information output from the commit generation device 3 may be stored in a portable recording medium such as a magnetic tape or a USB memory, and may be input to the commit reception device 4 from the portable recording medium offline. The same applies to information propagation between other devices, and a detailed description thereof will be omitted.

  A configuration example of the common reference information generation device 2 included in the commitment system 1 will be described with reference to FIG. The common reference information generation apparatus 2 includes a control unit 201, a memory 202, an input unit 21, a key generation unit 22, a key discard unit 23, and a disclosure unit 24. The common reference information generation device 2 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The common reference information generation device 2 executes each process under the control of the control unit 201. Data input to the common reference information generating apparatus 2 and data obtained in each process are stored in the memory 202, and the data stored in the memory 202 is read out as necessary and used for other processes.

  A configuration example of the commit generation device 3 included in the commitment system 1 will be described with reference to FIG. The commit generation device 3 includes a control unit 301, a memory 302, a storage unit 303, an input unit 31, a random number generation unit 32, an encryption unit 33, a commit unit 34, a disclosure unit 35, and an output unit 36. The commit generation device 3 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The commit generation device 3 executes each process under the control of the control unit 301. Data input to the commit generation device 3 and data obtained in each process are stored in the memory 302, and the data stored in the memory 302 is read out as necessary and used for other processes. The storage unit 303 includes, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, middleware such as a relational database or a key value store, and the like. Can be configured.

  With reference to FIG. 4, a configuration example of the commit reception device 4 included in the commitment system 1 will be described. The commit receiver 4 includes a control unit 401, a memory 402, a storage unit 403, an input unit 41, a confirmation unit 42, an opening unit 43, and an output unit 44. The commit receiver 4 is a special device configured by reading a special program into a known or dedicated computer having a CPU (Central Processing Unit), a RAM (Random Access Memory), and the like. The commit reception device 4 executes each process under the control of the control unit 401. Data input to the commit receiver 4 and data obtained in each process are stored in the memory 402, and the data stored in the memory 402 is read out as needed and used for other processes. The storage unit 403 includes, for example, a main storage device such as a RAM (Random Access Memory), an auxiliary storage device configured by a semiconductor memory element such as a hard disk, an optical disk, or a flash memory, middleware such as a relational database or a key value store, and the like. Can be configured.

<Common reference information generation processing>
With reference to FIG. 5, the operation example of the common reference information generation process which the common reference information generation apparatus 2 performs is demonstrated.

The security parameter 1 ^к is input to the key generation unit 22 via the input unit 21 of the common reference information generation device 2 (step S21). The key generation unit 22 receives the security parameter 1 ^к , executes an arbitrary ABM cipher key generation algorithm (ABM.gen) as (pk, sk) ← ABM.gen (1 ^к ), and generates a public key pk and a secret A key pair (pk, sk) for the key sk is generated (step S22).

  The key pair (pk, sk) is input to the key discarding unit 23. The key discarding unit 23 discards the secret key sk included in the key pair (pk, sk) (step S23).

  The public key pk is input to the public unit 24. The public unit 24 publishes the public key pk as common reference information (step S24). The public method may be any method as long as the commit generation device 3 and the commit reception device 4 can refer to the public key pk. The public key pk may be transmitted from the common reference information generating device 2 to the commit generating device 3 and the commit receiving device 4 through individual communication paths, or using an arbitrary public key infrastructure (Public Key Infrastructure; PKI) or the like. The public key pk may be disclosed so that the commit generation device 3 and the commit reception device 4 can refer to the public key pk at an arbitrary timing. The commit generation device 3 stores the public key pk disclosed as common reference information in the storage unit 303. Similarly, the commit receiver 4 stores the public key pk disclosed as common reference information in the storage unit 403.

<Commit (sealing) phase>
With reference to FIG. 6, an example of the operation of the commit (sealing) phase executed between the commit generation device 3 and the commit reception device 4 will be described in detail according to the order of procedures.

A tag tε {0,1} ^к and plaintext mεMSP are input to the input unit 31 of the commit generation device 3 (step S31). However, MSP is a plaintext space uniquely determined by the public key pk.

  The random number generation unit 32 generates a random number rεCOIN and a sample value uεU (step S32). Here, COIN is a random space uniquely determined by the public key pk and plaintext m, and U is a predetermined set. The random number generation unit 32 may select the random number r and the sample value u at random one by one, or select the random number r and the sample value u according to a predetermined rule from a plurality of values generated in advance and stored in the memory 302 May be.

The plaintext m, the random number r, the tag t, and the sample value u are input to the encryption unit 33. The encryption unit 33 acquires the public key pk from the storage unit 303. Next, the encryption unit 33 receives the plaintext m, and uses the public key pk, the random number r, the tag t, and the sample value u to convert an arbitrary ABM encryption algorithm (ABM.enc) to c ← ABM. This is executed as enc ^{(t, u)} (pk, m; r) to generate a ciphertext c (step S33).

  The plaintext m, the random number r, the tag t, the sample value u, and the ciphertext c are input to the commit unit 34. The commit unit 34 outputs the tag t, the sample value u, and the ciphertext c to the commit receiving device 4 via the output unit 36 (step S34). The commit receiving device 4 stores the received tag t, sample value u, and ciphertext c in the storage unit 403 (step S403). At the same time, the commit unit 34 stores the plaintext m and the random number r in the storage unit 303 (step S303).

<Decommitting (disclosure) phase>
With reference to FIG. 6, an operation example of a decommit (disclosure) phase executed between the commit generation device 3 and the commit reception device 4 will be described in detail according to the order of procedures.

  The disclosure unit 35 included in the commit generation device 3 acquires the plaintext m and the random number r from the storage unit 303 and outputs the plaintext m and the random number r to the commit reception device 4 via the output unit 36 (step S35).

The plaintext m and the random number r are input to the confirmation unit 42 via the input unit 41 of the commit reception device 4 (step S41). The confirmation unit 42 reads the tag t and the sample value u from the storage unit 403, and verifies the following conditions (step S42). If it is confirmed that any of the following conditions is not satisfied, the process is interrupted.
1. The tag t acquired from the storage unit 403 is a bit string of к bits (tε {0,1} ^к ).
2. The sample value u acquired from the storage unit 403 is an element of the set U (uεU).
3. The input plaintext m is an element of the plaintext space MSP (m∈MSP).
4). The input random number r is an element of the random space COIN (r∈COIN).

When the confirmation unit 42 confirms that all of the above conditions are satisfied, the tag t and the sample value u acquired from the storage unit 403 and the input plaintext m and random number r are input to the opening unit 43. The unsealing unit 43 receives the plaintext m, and uses the public key pk, the random number r, the tag t, and the sample value u to convert an arbitrary ABM encryption algorithm (ABM.enc) to c ′ ← ABM.enc ^{(t , u)} (pk, m; r), and generates a ciphertext c ′ (step S43).

  Next, the unsealing unit 43 acquires the ciphertext c from the storage unit 403, and confirms that the generated ciphertext c 'is equal to the acquired ciphertext c. When the ciphertext c ′ and the ciphertext c are equal, the opening is approved. If the ciphertext c 'and the ciphertext c are not equal, the opening is refused.

  An unsealing result indicating whether the unsealing is approved or unsealed is output via the output unit 44 (step S44).

[Second Embodiment]
As described above, the second embodiment is a universal combinable commitment configured based on the Non-Mult assumption using Damgard-Jurik encryption. In the second embodiment, the amount of information for committing к bits of information is efficient because only O (к) bits are required, and the size of the common reference information is O (к) bits for the security parameter к. It is shorter than before.

  In this embodiment, an example in which the commitment system is configured using the Damgard-Jurik cipher will be described. However, if it is an encryption method that cannot be identified against a selected plaintext attack having homomorphism, it can be easily replaced. Is possible.

<Definition>
In this embodiment, symbols are defined as follows.
P and q are prime numbers, and n = pq.
D is a positive integer greater than or equal to 1 (d ≧ 1).
Π = (K, E, D) is each algorithm of Damgard-Jurik encryption. K is a key generation algorithm. E is an encryption algorithm. D is a decoding algorithm. Refer to Reference 2 for details of each algorithm of Damgard-Jurik encryption.
• Z _{n ^ d} is a remainder ring modulo n ^d .
Z _{n ^ d + 1} is a remainder ring modulo n ^{d + 1} .
・ Z _{n ^ d + 1} ^× is a singular group of remainder ring Z _{n ^ d + 1} . That is, it is a set of elements that are relatively prime to n ^{d + 1} in the remainder ring Z _{n ^ d + 1} .
H is a hash function such that (Z _{n ^ d + 1} ) ³ → Z _{n ^ d} .
S is a set of S = {0,1} ^к × (Z _{n ^ d + 1} ) ⁴
L is a set of L = {0,1} ^к × L _u . Here, L _u = {(u ₁ , u ₂ , e, π) | ∃ (r, k ₁ , k ₂ )}. Where the values u ₁ , u ₂ , e, π, r, k ₁ , k ₂ are r = D (u ₁ ) = D (u ₂ ), D (e) = k ₁ k ₂ + rD (h) , D (π) = rD (h ₁ h ₂ ^t ).

<ABM cipher configured using Damgard-Jurik cipher>
In the first embodiment, the commitment system is configured using an arbitrary ABM cipher, but in the second embodiment, an ABM cipher configured using a Damgard-Jurik cipher is used.

The key generation algorithm (ABM.gen) of the second embodiment receives a security parameter к and outputs a key pair (pk, sk) of a public key pk and a secret key sk. Specifically, the following processing is executed. Select prime numbers p and q having a length of к bits and calculate n = pq. Random numbers k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ are selected from the remainder ring Z _{n ^ d} modulo n ^d . n ^{d + 1} to select a random number R _g from residue ring Z _{n ^ d + 1} modulo. The value g = (1 + n) R _g ^{n ^ d} mod n ^{d + 1} is calculated. Generate the value g ₁ = E (ζ ₁ ). Generate the value g ₂ = E (ζ ₂ ). The value h = E (ζ ₁ z ₁ + ζ ₂ z ₂ ) is generated. The value h ₁ = E (ζ ₁ x ₁ + ζ ₂ x ₂ ) is generated. The value h ₂ = E (ζ ₁ y ₁ + ζ ₂ y ₂ ) is generated. Generate the sets S and L defined above. Public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L)) and private key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ) are generated.

The sampling algorithm (ABM.spl) of the second embodiment has a secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ) And the tag t∈ {0,1} ^к are input and the sample value u is output. Specifically, the following processing is executed. to select a random number w a n ^d from the residue ring Z _{n ^ d} modulo. n ^{d +} remainder rings ¹ and the modulo Z _{n ^} random number _{d + 1 R u1, R u2} , selects a R _e, R _π. Random numbers γ: = (w, R _u1 , R _u2 , R _e , R _π ) are generated. Generate the value u ₁ = E (w; R _u1 ). Generate the value u ₂ = E (w; R _u2 ). The value e = E (k ₁ k ₂ ; R _e ) · h ^w is generated. The value π = E (0; R _π ) · (h ₁ h ₂ ^t ) ^w is generated. A sample value u: = (u ₁ , u ₂ , e, π) is generated.

The encryption algorithm (ABM.enc) of the second embodiment has a public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L)), tag t∈ The ciphertext c is output with the input (t, u) ∈S and plaintext m∈Z _{n ^ d} of {0,1} ^к and sample values u: = (u ₁ , u ₂ , e, π). Specifically, the following processing is executed. n ^d the residue ring modulo Z _{n ^ d} from the random number s, v to select. n ^{d + 1} remainder a modulo ring Z _{n ^ d + 1} singular group Z _{n ^ d + 1} random number ^× R _A, selects the _{R a, R b1, R b2} , R b3. Generating a; (R _A 0) value ^{_{A = K 1 s h v e}} m · E. The value a = g ^s K ₂ ^m · E (0; R _a ) is generated. The value b ₁ = g ₁ ^v u ₁ ^m · E (0; R _b1 ) is generated. The value b ₂ = g ₂ ^v u ₂ ^m · E (0; R _b2 ) is generated. The value b ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) is generated. Ciphertext c: = (A, a, b ₁ , b ₂ , b ₃ ) is generated.

The decryption algorithm (ABM.dec) of the second embodiment has a secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ), Pair of tag t and sample value u (t, u) ∈S, ciphertext c: = (A, a, b ₁ , b ₂ , b ₃ ) as input and output plaintext m∈Z _{n ^ d} . Specifically, the following processing is executed. First, it is confirmed whether the following formula (1) is satisfied.

  If equation (1) does not hold, plaintext m is generated according to equation (2) below.

  When the formula (1) holds, the plaintext m is generated by the following formula (3).

The first collision algorithm (ABM.col ¹ ) of the second embodiment has a secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ), random number γ: = (w, R _u1 , R _u2 , R _e , R _π ), tag t∈ {0,1} ^к as input and a pair of ciphertext c and value ξ (c, ξ ) Is output. Specifically, the following processing is executed. random number from residue ring Z _{n ^ d} to a n ^d modulo ω, to select the η. residue ring to the n ^{d + 1} modulo Z _{n ^ d + 1} singular group Z _{n ^ d + 1} random number _{^{× R 'A, R' a}} , selects the _{R 'b1, R' b2,} R 'b3 . The value A = K ₁ ^ω h ^η · E (0; R ′ _A ) is generated. The value a = g ^ω · E (0; R ′ _a ) is generated. The value b ₁ = g ₁ ^η · E (0; R ′ _b1 ) is generated. The value b ₂ = g ₂ ^η · E (0; R ′ _b2 ) is generated. The value b ₃ = (h ₁ h ₂ ^t ) ^η π ^m · E (0; R ′ _b3 ) is generated. Ciphertext c: = (A, a, b ₁ , b ₂ , b ₃ ) and value ξ: = (sk, γ, ω, η, R ' _A , R' _a , R ' _b1 , R' _b2 , R ' _b3 ) is generated.

The second collision algorithm (ABM.col ² ) of the second embodiment has the value ξ: = (sk, γ, ω, η, R ′ _A , R ′ _a , R ′ _b1 , R ′ _b2 , R ′ _b3 ) The plaintext x∈MSP is input and (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ) is output. Specifically, the following processing is executed. Generate the value s = ω-mk ₂ mod n ^d . Generate the value v = η-mr mod n ^d . The value α is generated by the following equation (4). The value β is generated by the following equation (5).

Also, the value R _A = R ′ _A K ₁ ^−α h ^−β R _e ^−m is generated. Generate the value R _a = R ′ _a g ^−α R _k1 ^−m . Generate the value R _b1 = R ′ _b1 g ₁ ^-β R _u1 ^-m . Generate the value R _b2 = R ' _b2 g ₂ ^-β R _u2 ^-m . The value R _b3 = R ′ _b3 (h ₁ h ₂ ^t ) ^−β R _u3 ^−m is generated. Then, (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ) are generated. At this time, A = g ₁ ^s h ^v e ^m・ E (0; R _A ), a = g ^s K ₂ ^m・ E (0; R _a ), b ₁ = g ₁ ^v u ₁ ^m・ E (0 ; R _b1 ), b ₂ = g ₂ ^v u ₂ ^m · E (0; R _b2 ), b ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) always holds.

<Common reference information generation processing>
An operation example of the common reference information generation process of the second embodiment will be described in detail according to the order of procedures. However, the description of the same steps as in the first embodiment is omitted.

The key generation unit 22 included in the common reference information generation apparatus 2 receives the security parameter 1 ^к and generates a key pair (pk, sk) of the public key pk and the secret key sk (step S22). Specifically, the following processing is executed.

First, the random number k ₁ from residue ring Z _{n ^ d} modulo ^{_{n d, k 2, ζ 1}} , ζ 2, z 1, z 2, x 1, x 2, selects the y _1, y _2. n ^{d + 1} to select a random number R _g from residue ring Z _{n ^ d + 1} modulo. The value g = (1 + n) R _g ^{n ^ d} mod n ^{d + 1} is calculated. Generate the value g ₁ = E (ζ ₁ ). Generate the value g ₂ = E (ζ ₂ ). The value h = E (ζ ₁ z ₁ + ζ ₂ z ₂ ) is generated. The value h ₁ = E (ζ ₁ x ₁ + ζ ₂ x ₂ ) is generated. The value h ₂ = E (ζ ₁ y ₁ + ζ ₂ y ₂ ) is generated.

Also selects a random number w from residue ring Z _{n ^ d} modulo n ^d. n ^{d +} remainder rings ¹ and the modulo Z _{n ^} random number _{d + 1 R u1, R u2} , selects a R _e, R _π. Generate the value u ₁ = E (w; R _u1 ). Generate the value u ₂ = E (w; R _u2 ). The value e = E (k ₁ k ₂ ; R _e ) · h ^w is generated. The value π = E (0; R _π ) · (h ₁ h ₂ ^t ) ^w is generated. The set L _u : = {(u ₁ , u ₂ , e, π) | ∃w, k ₁ , k ₂ } is generated. A set S = {0,1} ^к × (Z _{n ^ d + 1} ) ⁴ is generated. A set L = {0,1} ^к × L _u is generated.

Then, the public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L)) is generated. A secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ) is generated.

<Commit (sealing) phase>
An example of the operation of the commit (sealing hand) phase of the second embodiment will be described in detail according to the order of procedures. However, the description of the same steps as in the first embodiment is omitted.

The random number generation unit 32 included in the commit generation device 3 generates a random number r and a sample value u (step S32). Specifically, the following processing is executed. n ^d the residue ring modulo Z _{n ^ d} from the random number s, v to select. n ^{d + 1} remainder a modulo ring Z _{n ^ d + 1} singular group Z _{n ^ d + 1} random number ^× R _A, selects the _{R a, R b1, R b2} , R b3. Random numbers r: = (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ) are generated. A sample value u: = (u ₁ , u ₂ , e, π) is generated.

The encryption unit 33 included in the commit generation device 3 converts the plaintext mεZ _{n ^ d} into the public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L )) And random number r: = (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ), tag t∈ {0,1} ^к and sample value u: = (u ₁ , u ₂ , e, π) and encrypted using the Damgard-Jurik encryption algorithm E to generate a ciphertext c (step S33). Specifically, the following processing is executed. Generate the value K ₁ = E (k ₁ ). Generate the value K ₂ = E (k ₂ ). Generating a; (R _A 0) value ^{_{A = K 1 s h v e}} m · E. The value a = g ^s K ₂ ^m · E (0; R _a ) is generated. The value b ₁ = g ₁ ^v u ₁ ^m · E (0; R _b1 ) is generated. The value b ₂ = g ₂ ^v u ₂ ^m · E (0; R _b2 ) is generated. The value b ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) is generated. Ciphertext c: = (A, a, b ₁ , b ₂ , b ₃ ) is generated.

<Decommitting (disclosure) phase>
An operation example of the decommitment (disclosure) phase of the second embodiment will be described in detail according to the order of procedures. However, the description of the same steps as in the first embodiment is omitted.

The unsealing unit 43 of the commit receiver 4 uses the plaintext mεZ _{n ^ d} as the public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L) ) And random number r: = (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ), tag t∈ {0,1} ^к and sample value u: = (u ₁ , u ₂ , e , π) to generate a ciphertext c ′ by encrypting with the encryption algorithm E of Damgard-Jurik encryption (step S43). Specifically, the following processing is executed. Generate the value K ₁ = E (k ₁ ). Generate the value K ₂ = E (k ₂ ). The value A ′ = K ₁ ^{sh v} e ^m · E (0; R _A ) is generated. Generate the value a ′ = g ^s K ₂ ^m · E (0; R _a ). The value b ′ ₁ = g ₁ ^v u ₁ ^m · E (0; R _b1 ) is generated. The value b ′ ₂ = g ₂ ^v u ₂ ^m · E (0; R _b2 ) is generated. The value b ′ ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) is generated. Ciphertext c ′: = (A ′, a ′, b ′ ₁ , b ′ ₂ , b ′ ₃ ) is generated.

Next, the unsealing unit 43 confirms that the ciphertext c and the ciphertext c ′ are equal. It is assumed that ciphertext c and ciphertext c ′ are equal when each element of ciphertext c is equal to each element of ciphertext c ′. That is, if A = A ', a = a', b ₁ = b ' ₁ , b ₂ = b' ₂ , b ₃ = b ' ₃ are all satisfied, ciphertext c and ciphertext c' are equal And If any of the conditions is not satisfied, it is assumed that the ciphertext c and the ciphertext c ′ are not equal.

[Program, recording medium]
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above-described embodiments are not only executed in time series according to the order described, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When various processing functions in each device described in the above embodiment are realized by a computer, the processing contents of the functions that each device should have are described by a program. Then, by executing this program on a computer, various processing functions in each of the above devices are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

DESCRIPTION OF SYMBOLS 1 Commitment system 2 Common reference information generation apparatus 3 Commit generation apparatus 4 Commit reception apparatus 5 Network 21 Input part 22 Key generation part 23 Key discard part 24 Disclosure part 31 Input part 32 Random number generation part 33 Encryption part 34 Commit part 35 Disclosure part 36 output unit 41 input unit 42 confirmation unit 43 unsealing unit 44 output unit 201 control unit 202 memory 203 storage unit 301 control unit 302 memory 303 storage unit 401 control unit 402 memory 403 storage unit

Claims (6)

A commitment system including a common reference information generating device, a commit generating device, and a commit receiving device ,
к is a positive integer security parameter, COIN is a random space determined uniquely by plaintext m and public key pk, U is a predetermined set, and MSP is a plaintext space uniquely determined by public key pk. Yes, t is a к-bit tag, ^ represents a power, p and q are prime numbers, n = pq, d is an integer greater than 1, Z _{n ^ d} modulo n ^d Z _{n ^ d + 1} is a modulo ring modulo n ^{d + 1} , Z _{n ^ d + 1} ^× is a singular group of the remainder ring Z _{n ^ d + 1} , and Π It is an encryption method that is indistinguishable against a selected plaintext attack with homomorphism, E is an encryption algorithm of the encryption method 、, and S is {0,1} ^к × (Z _{n ^ d + 1} ) Is a set of ⁴ , L _u is a true subset of the set U, L is a set of {0,1} ^к × L _u ,
The common reference information generation device includes:
Choose Back Symbol residue ring Z _{n ^} random number k ₁ from _{d, k 2, ζ 1,} ζ 2, z 1, z 2, x 1, x 2, y 1, y 2, w, the residue ring Z _{n ^ d + 1} from the random number R _g, select _{R u1, R u2, R e} , R π, compute the value g = (1 + n) R g n ^ d mod n d + 1, the values g ₁ = E (ζ ₁ ), value g ₂ = E (ζ ₂ ), value h = E (ζ ₁ z ₁ + ζ ₂ z ₂ ), value h ₁ = E (ζ ₁ x ₁ + ζ ₂ x ₂ ), value h ₂ = E (ζ ₁ y ₁ + ζ ₂ y ₂ ), value u ₁ = E (w; R _u1 ), value u ₂ = E (w; R _u2 ), value e = E (k ₁ k ₂ ; R _e ) ・ h ^w , value π = E (0; R _π ) ・ (h ₁ h ₂ ^t ) ^w Generating the set S, generating the set L including the values u ₁ , u ₂ , e, π, w, k ₁ , k ₂ in the set L _u , and public key pk: = ( n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L)) and generates a secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ) ,
A key discarding unit for discarding the secret key sk;
A public part for publishing the public key pk;
Have
The commit generation device includes:
Choose Back Symbol residue ring Z _{n ^ d} from the random number s, v, the singular group Z _{n ^ d + 1} random number ^× R _A, R _a, select _{R b1, R b2, R b3} , the random number r : = (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ) and a random number generator for generating the sample value u: = (u ₁ , u ₂ , e, π) ,
The before and SL plaintext m the public key pk and the random number r and the tag t and the sample value u as input, and generates the value _{K 1 = E (k 1)} , the value K ₂ = E a (k ₂₎ And generate the value A = K ₁ ^s h ^v e ^m · E (0; R _A ), generate the value a = g ^s K ₂ ^m · E (0; R _a ), and the value b ₁ = g ₁ ^v u ₁ ^m・ E (0; R _b1 ), value b ₂ = g ₂ ^v u ₂ ^m・ E (0; R _b2 ), value b ₃ = (h ₁ h ₂ ^t ) ^{v π m} · E; generates (0 R _b3), the ciphertext c: = a _{(a, a, b 1,} b 2, b 3) encryption unit for generating,
A commit unit that transmits the ciphertext c, the tag t, and the sample value u to the commit receiver;
A disclosure unit that transmits the plaintext m and the random number r to the commit receiver;
Have
The commit receiver
The tag t is a bit string of к bits, the random number r is an element of the random space COIN, the sample value u is an element of the set U, and the plaintext m is an element of the plaintext space MSP A confirmation unit to confirm
As input the previous SL plaintext m and the public key pk and the random number r and the tag t and the sample value u and the ciphertext c, and generates the value _{K 1 = E (k 1)} , the value K ₂ = E (k ₂ ), value A '= K ₁ ^s h ^v e ^m · E (0; R _A ), value a' = g ^s K ₂ ^m · E (0; R _a ) Generates the value b ' ₁ = g ₁ ^v u ₁ ^m・ E (0; R _b1 ), generates the value b' ₂ = g ₂ ^v u ₂ ^m・ E (0; R _b2 ), and the value b ' ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) is generated, and the ciphertext c': = (A ', a', b ' ₁ , b' ₂ , b ' ₃ ) And confirming whether or not the ciphertext c ′ and the ciphertext c are equal ,
Having a commitment system. The said common reference information generation apparatus used in the commitment system of Claim 1 . The commit generation device used in the commitment system according to claim 1 . The commit receiver used in the commitment system according to claim 1 . к is a positive integer security parameter, COIN is a random space determined uniquely by plaintext m and public key pk, U is a predetermined set, and MSP is a plaintext space uniquely determined by public key pk. Yes , t is a к-bit tag, ^ represents a power, p and q are prime numbers, n = pq, d is an integer greater than 1, Z _{n ^ d} modulo n ^d Z _{n ^ d + 1} is a modulo ring modulo n ^{d + 1} , Z _{n ^ d + 1} ^× is a singular group of the remainder ring Z _{n ^ d + 1} , and Π It is an encryption method that is indistinguishable against a selected plaintext attack with homomorphism, E is an encryption algorithm of the encryption method 、, and S is {0,1} ^к × (Z _{n ^ d + 1} ) Is a set of ⁴ , L _u is a true subset of the set U, L is a set of {0,1} ^к × L _u ,
The key generation unit selects random numbers k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ , w from the remainder ring Z _{n ^ d} , Select a random number R _g , R _u1 , R _u2 , R _e , R _π from the remainder ring Z _{n ^} ^{d + 1} , calculate the value g = (1 + n) R _g ^{n ^ d} mod n ^{d + 1} , Generate value g ₁ = E (ζ ₁ ), value g ₂ = E (ζ ₂ ), value h = E (ζ ₁ z ₁ + ζ ₂ z ₂ ), value h ₁ = E (ζ ₁ x ₁ + ζ ₂ x ₂ ), the value h ₂ = E (ζ ₁ y ₁ + ζ ₂ y ₂ ), the value u ₁ = E (w; R _u1 ), Generate the value u ₂ = E (w; R _u2 ), generate the value e = E (k ₁ k ₂ ; R _e ) ・ h ^w, and generate the value π = E (0; R _π ) ・ (h ₁ h ₂ ^t ) ^w is generated, the set S is generated, the set L is generated by including the values u ₁ , u ₂ , e, π, w, k ₁ , k ₂ into the set L _u , and the public key pk: = (n, d, g, g ₁ , g ₂ , h, h ₁ , h ₂ , (S, L)) and generates a secret key sk: = (pk, k ₁ , k ₂ , ζ ₁ , ζ ₂ , z ₁ , z ₂ , x ₁ , x ₂ , y ₁ , y ₂ ) ,
A key discarding step in which a key discarding unit discards the secret key sk;
A publishing step for publishing the public key pk,
Random number generation section, the residue ring Z _{n ^ d} from the random number s, v and select, the singular group Z _{n ^ d + 1} random number ^× R _A, select _{R a, R b1, R b2} , R b3 The random number r: = (s, v, R _A , R _a , R _b1 , R _b2 , R _b3 ) is generated, and the sample value u: = (u ₁ , u ₂ , e, π) is generated A random number generation step;
An encryption unit receives the plaintext m, the public key pk, the random number r, the tag t, and the sample value u , generates a value K ₁ = E (k ₁ ), and a value K ₂ = E ( k ₂ ), value A = K ₁ ^s h ^v e ^m · E (0; R _A ), value a = g ^s K ₂ ^m · E (0; R _a ), value b ₁ = g ₁ ^v u ₁ ^m ・ E (0; R _b1 ), value b ₂ = g ₂ ^v u ₂ ^m ・ E (0; R _b2 ), value b ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ) to generate the ciphertext c: = (A, a, b ₁ , b ₂ , b ₃ ) ,
A commit unit that transmits the ciphertext c, the tag t, and the sample value u to a commit receiver;
A disclosure step in which the disclosure unit transmits the plaintext m and the random number r to the commit receiver;
The confirmation unit is configured such that the tag t is a bit string of к bits, the random number r is an element of the random number space COIN, the sample value u is an element of the set U, and the plaintext m is the plaintext space MSP. A confirmation step to confirm that it is original,
The unsealing unit receives the plaintext m, the public key pk, the random number r, the tag t, the sample value u, and the ciphertext c, and generates a value K ₁ = E (k ₁ ), and a value K ₂ = E (k ₂ ), value A '= K ₁ ^s h ^v e ^m ・ E (0; R _A ), value a' = g ^s K ₂ ^m ・ E (0; R _a ), The value b ' ₁ = g ₁ ^v u ₁ ^m ・ E (0; R _b1 ), and the value b' ₂ = g ₂ ^v u ₂ ^m ・ E (0; R _b2 ) B ′ ₃ = (h ₁ h ₂ ^t ) ^v π ^m · E (0; R _b3 ), and the ciphertext c ′: = (A ′, a ′, b ′ ₁ , b ′ ₂ , b ′ ₃ ) and confirming that the ciphertext c ′ and the ciphertext c are equal; and
Including commitment methods. A program for causing a computer to function as the common reference information generation device according to claim 2 , the commit generation device according to claim 3 , or the commit reception device according to claim 4 .

Images