JP6057150B2 - Public key encryption system, receiving apparatus, public key encryption method, program, and recording medium - Google Patents

Description

  The present invention relates to a public key encryption system, a transmission device, a reception device, a public key encryption method, a program, and a recording medium, and in particular, a technique for controlling access to main body information using attached information attached to the main body information. About.

  In recent years, encryption systems based on public key cryptography (hereinafter, public key cryptosystems) have become widespread. Public key cryptosystems are widely used to securely distribute software and various contents via the Internet and to securely transmit mail and web data.

  With respect to public key cryptosystems, various techniques for further improving security and functionality have been studied. As an example, in Non-Patent Document 1 and Patent Document 1, in an ID (IDentity) -based encryption system which is a kind of public key encryption system, an inquiry for a key state or a key escrow that causes a decrease in security A public key infrastructure (PKI) is disclosed.

  In the PKI of Patent Document 1, the authenticator provides the receiver with a signature on the receiver's unique information (including the receiver's ID and expiration date) as a decryption key using the authenticator's private key, An encryption key corresponding to the decryption key is provided to the sender. By using the decryption key / encryption key pair provided by the PKI in combination with the conventional recipient private key / recipient public key pair, the message is double encrypted and decrypted. An ID-based encryption system that does not require state inquiry or key escrow is realized.

JP 2005-537711 A

Craig Gentry, "Certificate-Based Encryption and the Certificate Revocation Problem," Biham (Ed.): LNCS2656, Advances in Cryptology-Eurocrypt 2003, Springer-Verlag, pp. 272-293, 2003.

  In addition to the above, there are various demands for improving the security and functionality of public key cryptosystems.

  For example, many software packages have a function that requires the user to agree to a license agreement before use. Such a function is usually realized by a user interface such as displaying a license agreement at the time of software installation and then prompting the user to select an agreement button.

  However, with such a user interface alone, any user who selects the consent button is permitted to use the software, and thus access to the software cannot be controlled for each user. For this reason, if it is assumed that the user agrees to the license agreement, and the access to the software is controlled for each user, for example, after the vendor distributes the software package encrypted and the request is received from the user For the first time, extra communication between the vendor and the user is required, such as the vendor sending a password to the user.

  Therefore, the present invention provides a public key encryption system that controls access to main body information (for example, software package) using attached information (for example, a license agreement attached to the software package) attached to the main body information. Provides a public key encryption system and a public key encryption method in which consent to attached information by a recipient and control of access to main body information are guaranteed without extra communication.

In order to solve the above-described problem, one aspect of a public key cryptosystem in the present disclosure is configured using a transmission device and a reception device, and attached information attached to the main body information is attached to the main body information. A public key cryptosystem controlled by using a transmitter setup unit and a receiver setup unit, which are provided in the transmission device and the reception device and set common parameters and parameters for a decryptor's signature scheme; and the reception A reception unit including a signature key generation unit provided in the apparatus, wherein the signature key generation unit generates a key pair including a signature private key and a signature public key based on parameters for the decryptor's signature scheme; A key pair consisting of the recipient's private key and the recipient's public key, including the signature public key, based on the common parameters and the parameters for the decryptor's signature scheme. And a key generation unit that generates the information, the information arbitrarily selected by a sender is acquired as the attached information, and the main body information is obtained using the public key of the recipient and the attached information. An encryption unit that encrypts the ciphertext; and a signature unit that is provided in the receiving device and generates a signature for the attached information using the signature private key, and based on the signature public key When the signature is valid, the signature is used to decrypt the ciphertext into correct body information, and when the signature is not valid, a signature decryption unit that outputs a value different from the body information, and the attached display information, thereafter, it comprises a user interface unit that receives an operation by the user, and the signature decoding unit, only when a specific operation by the user is accepted, the said encrypted body information body That be decoded in the broadcast.

According to the public key cryptosystem according to the present disclosure, after signifying the attached information with a valid signature private key in the receiving device, the user is warned of the attached information. Only in the case (that is, only when a legitimate recipient agrees to the attached information), the correct main body information is obtained in the receiving device, so that the consent to the attached information by the receiver and the control of access to the main body information are: Guaranteed without extra communication.

FIG. 1 is a functional block diagram showing a configuration example of a public key cryptosystem according to an embodiment of the present invention. FIG. 2 is a flowchart showing an example of the public key encryption method according to the embodiment of the present invention. FIG. 3 is a diagram showing an example of an attached information presentation screen according to the embodiment of the present invention.

In order to solve the above-described problem, one aspect of a public key cryptosystem in the present disclosure is configured using a transmission device and a reception device, and attached information attached to the main body information is attached to the main body information. A public key cryptosystem controlled by using a transmitter setup unit and a receiver setup unit, which are provided in the transmission device and the reception device and set common parameters and parameters for a decryptor's signature scheme; and the reception A reception unit including a signature key generation unit provided in the apparatus, wherein the signature key generation unit generates a key pair including a signature private key and a signature public key based on parameters for the decryptor's signature scheme; A key pair consisting of the recipient's private key and the recipient's public key, including the signature public key, based on the common parameters and the parameters for the decryptor's signature scheme. And a key generation unit that generates the information, the information arbitrarily selected by a sender is acquired as the attached information, and the main body information is obtained using the public key of the recipient and the attached information. An encryption unit that encrypts the ciphertext; and a signature unit that is provided in the receiving device and generates a signature for the attached information using the signature private key, and based on the signature public key When the signature is valid, the signature is used to decrypt the ciphertext into correct body information, and when the signature is not valid, a signature decryption unit that outputs a value different from the body information, and the attached information displays, thereafter, comprises a user interface unit that receives an operation by the user, and the signature decoding unit, only when a specific operation by the user is accepted, the body information of the encrypted body information You decoded.

According to such a configuration, after the user is warned of the attached information, only when the attached information is signed by the receiving device with a valid signature private key (that is, Only when a legitimate recipient agrees to the attached information), the correct main body information can be obtained in the receiving device, so that the consent to the attached information by the receiver and the control of access to the main body information can be used for extra communication. Guaranteed without doing.

  In one aspect of the public key cryptosystem of the present invention, the sender setup unit and the receiver setup unit perform a pairing operation having bilinearity as a part of parameters for the signature scheme of the decryptor. And the encryption unit generates a value obtained by raising the value obtained by performing the pairing operation on the attached information and the signature public key with the random number as a sender common key, and the sender The main body information is encrypted into encrypted main body information using a common key, the encrypted main body information, information for generating a common key corresponding to the random number, and the attached information are transmitted to the receiving device, and the signature The decryption unit receives the encrypted main body information, information for generating a common key corresponding to the random number, and the attached information from the transmitting device, and signs the attached information with the signature private key and A value obtained by performing the pairing operation on the common key generation information corresponding to the random number is generated as the receiver common key, and the encrypted main body information is generated using the receiver common key. Information may be decrypted.

  According to such a configuration, the public key cryptosystem for performing the signature decryption can be specifically configured using the pairing operation.

  Further, in one aspect of the public key cryptosystem of the present invention, the key generation unit generates a key pair including a secret key for encryption of a recipient and a public key, and the public key cryptosystem includes the signature In addition to the key pair composed of the private key for signature and the public key for signature, processing using the key pair composed of the private key for encryption of the recipient and the public key may be performed.

  According to such a configuration, when a signature given to the attached information by a legitimate recipient leaks, the encrypted body information is decrypted by a person other than the legitimate recipient who obtained the signature. I can stop.

  These general or specific aspects may be realized by a system, a transmission device, a reception device, a method, an integrated circuit, a computer program or a recording medium, and the system, transmission device, reception device, method, integrated circuit, computer You may implement | achieve with arbitrary combinations of a program and a recording medium.

  Hereinafter, a public key encryption system according to an aspect of the present invention will be specifically described with reference to the drawings.

  Note that each of the embodiments described below shows a specific example of the present invention. The numerical values, shapes, materials, constituent elements, arrangement positions and connecting forms of the constituent elements, steps, order of steps, and the like shown in the following embodiments are merely examples, and are not intended to limit the present invention. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in the independent claims indicating the highest concept are described as optional constituent elements.

(Embodiment)
In the embodiment, a signature decryption scheme that is a basic idea of the present invention will be described, and then a specific configuration example of the signature decryption scheme will be described.

  First, the basic concept used in this specification will be described.

The groups G ₁ and G ₂ are two cyclic groups whose order is a prime number q. In this specification, the operations in the groups G ₁ and G ₂ are described in a multiplicative manner, but this does not limit the groups G ₁ and G ₂ to the multiplicative group. A suitable additive group may be used for the groups G ₁ and G ₂ .

(Definition 1) Pairing A mapping ^ e: G ₁ × G ₁ → G ₂ that satisfies the following properties is called pairing ^ e. In addition, although pairing is normally represented by the symbol which attached | subjected ^ on e, in this specification, it describes with ^ e for the convenience of description.

Bilinearity: For any x, yεG ₁ and any a, bε integer, ^ e (x ^a , y ^b ) = ^ e (x, y) ^ab ,
And non-degenerate: there is x, for _{y∈G 1, ^ e (x,} y) ≠ 1,
· Computability: any x, the _{y∈G 1, ^ e (x,} y) there is an efficient algorithm for computing.

(Definition 2) BDH (Bilinear Diffie-Hellman) parameter generator For security parameter k> 0, description of _two cyclic groups G ₁ and G ₂ whose order is prime q, and pairing ^ e: G ₁ × G _The probabilistic algorithm IG that outputs a description of ₁ → G ₂ in k polynomial time is a BDH parameter generator.

(Definition 3) BDH (Bilinear Diffie-Hellman ) computational problem given ^{g, g a, g b,} g c ∈G 1 ( here, g is a random generator of _{G 1,} a, b, c Calculate Ｚe (g, g) ^abc for ∈Z _{q is} also chosen at random.

  Next, the definition of the signature decryption scheme will be described. In the following description, the message m is an example of main body information, and the condition Cond is an example of attached information. The present invention does not limit the specific contents of the message m and the condition Cond, but as an example, as described in the problem column, the message m is a software package, and the condition Cond is a use attached to the software package. It may be a license agreement.

  The signature decryption scheme Γ is composed of seven algorithms (Setup, KeyGen, KeyGenSig, Encrypt, Signcrypt, Sign, Veri).

(Param, param_sig) ← Setup (1 ^k ):
The setup algorithm Setup takes a security parameter k and outputs a common parameter param and a parameter param_sig for a signature scheme by a decryptor.

(Sk _R , pk _R ) ← KeyGen (param, param_sig):
The recipient key generation algorithm KeyGen takes the common parameter param and the parameter param_sig for the decryptor's signature scheme as input, and outputs a key pair (sk _R , pk _R ). Here, sk _R = (sk _{R, enc} , sk _{R, sig} ) and pk _R = (pk _{R, enc} , pk _{R, sig} ). sk _{R, enc} and pk _{R and enc} represent the private key and public key for encryption of the recipient, and sk _{R, sig} and pk _{R and sig} represent the private key and public key for the signature of the recipient. . A key generation algorithm KeyGen for the signature scheme is used to generate (sk _{R, sig} , pk _{R, sig} ). That is, (sk _{R, sig} , pk _{R, sig} ) ← KeyGenSig (param_sig).

(C, Cond) ← Encrypt (pk _{R, enc} , pk _{R, sig} , param, param_sig, m, Cond):
The encryption algorithm Encrypt for the signature decryption scheme receives the recipient's public key pk _{R, enc} , pk _{R, sig} , the common parameter param, the parameter param_sig for the decryptor's signature scheme, the message m, and the condition Cond. The ciphertext C for decrypting the signature is output together with the condition Cond.

M or ¬m (≠ m) ← Signcrypt (sk _{R, enc} , sk _{R, sig} , param, param_sig, C, Cond):
The signature decryption algorithm Signcrypt is composed of a receiver's encryption secret key sk _{R, enc} , a signature secret key sk _{R, sig} , a common parameter param, a parameter param_sig for the decryptor's signature scheme, a ciphertext C, and a condition By taking Cond as input and performing the following operation, a correct message m or an incorrect value ¬m (≠ m) is output.

(1) σ ← Sign (sk _{R, sig} , param_sig, Cond):
The signature algorithm Sign takes the recipient's signature private key sk _{R, sig} , the decryptor's signature scheme parameter param_sig, and the condition Cond, and outputs the signature σ.

(2) Decrypt (sk _{R, enc} , param, param_sig, σ, C, Cond) = m (when Veri (pk _{R, sig} , param_sig, σ, Cond) = T) or ¬m (other cases):
The decryption algorithm Decrypt takes the recipient's encryption private key sk _{R, enc} , common parameters param, parameters param_sig for the decryptor's signature scheme, signature σ, and condition Cond as inputs, When the verification algorithm Veri, which takes the public key pk _{R, sig} , the common parameter param, the parameter param_sig for the decryptor's signature scheme, the signature σ, and the condition Cond, outputs a symbol T indicating that the signature is correct, The correct message m is output from the ciphertext C, and an appropriate message ¬m (≠ m) is output in other cases.

According to the signature decryption scheme Γ defined in this way, the output (C, Cond) of Encrypt (pk _{R, enc} , pk _{R, sig} , param, param_sig, m, Cond) is a part of the input of Signcrypt. Given, Signcrypt (sk _{R, enc} , sk _{R, sig} , param, param_sig, C, Cond) outputs the correct message m contained in the message space. For any condition Cond included in the message space, Veri (pk _{R, sig} , param_sig, Sign (sk _{R, sig} , param_sig, Cond), Cond) = T.

  Note that the signature algorithm Sign and the verification algorithm Veri used in the signature decryption scheme are not limited to the above example. The signature algorithm Sign and the verification algorithm Veri take the parameter param_sig for the decryptor's signature scheme as an argument, and perform signature and verification based on one independent signature scheme. The signature algorithm Sign and the verification algorithm Veri modified to handle the extended signature scheme may be used by taking both the parameter param_sig and the common parameter param for the signature scheme as arguments.

Further, the sender may additionally use the encryption algorithm Enc ′ of the receiver when calculating Encrypt. Correspondingly, the recipient may use the decryption algorithm Dec ′ when calculating Signcrypt. In that case, 'using a key generation algorithm KeyGenEnc' param_enc which is part of the param _{:( sk R, enc} from _{', pk R, enc')} ← KeyGenEnc '(param_enc'), sk R, part of _enc Sk _{R, enc ′} and pk _{R, enc} ′ that are part of pk _{R, enc} are generated.

C ′ ← Enc ′ (pk _{R, enc ′} , param, m ′):
The recipient's encryption algorithm Enc ′ takes the recipient's public key pk _{R, enc ′} , common parameter param, and message m ′ as input, and outputs ciphertext C ′.

_M ′ ← Dec ′ (sk _{R, enc ′} , param, C ′):
The decryption algorithm Dec ′ takes the recipient's private key sk _{R, enc ′} , common parameter param and ciphertext C ′ as input, and outputs a correct message m ′ or an incorrect value ¬m ′ (≠ m ′). .

For any message m ′ included in the message space, m ′ ← Dec ′ (sk _{R, enc ′} , param, Enc ′ (pk _{R, enc ′} , param, m ′)).

  The signature decryption scheme described above is executed by, for example, a public key cryptosystem configured using a transmission device and a reception device.

  FIG. 1 is a functional block diagram illustrating a configuration example of a public key cryptosystem for executing a signature decryption scheme.

  A public key cryptosystem 1 shown in FIG. 1 is a public key cryptosystem that controls access to main body information using attached information attached to the main body information, and uses a transmission device 10 and a reception device 20. Configured. The transmission device 10 and the reception device 20 are connected by a non-confidential communication path 40 such as the Internet.

  The transmission device 10 includes a setup unit 11, an encryption unit 14, a communication unit 18, and a storage unit 19. The receiving device 20 includes a setup unit 21, a key generation unit 22, a user interface unit 23, a signature decryption unit 24, a communication unit 28, and a storage unit 29.

  Each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

  The setup units 11 and 21 set the common parameter param and the parameter param_sig for the decryptor's signature scheme. The common parameter param and the parameter param_sig for the decryptor's signature scheme are generated according to the Setup algorithm. The set common parameter param and the parameter param_sig for the decryptor's signature scheme may be stored in the storage units 19 and 29, for example.

The key generation unit 22 follows the KeyGenSig algorithm and based on the parameter param_sig for the decryptor's signature scheme, a key pair (sk _R) composed of the recipient's signature private key sk _{R, sig} and the signature public key pk _{R, sig. , Sig,} pk _{R, sig} ). Then, according to the KeyGen algorithm, based on the common parameter param and the parameter param_sig for the decryptor's signature scheme, the receiver's private key sk _R including the signature private key sk _{R, sig} and the signature public key pk _{R, sig} A key pair (sk _R, pk _R ) composed of the public key pk _R of the recipient including

The receiver's private key sk _R is kept secret in the receiver 20, and the receiver's public key pk _R is sent from the receiver 20 to the transmitter 10 via the communication units 28 and 18.

The encryption unit 14 encrypts the message m into the ciphertext C using the recipient's public key pk _R and the condition Cond according to the Encrypt algorithm.

  The condition Cond and the ciphertext C are sent from the transmission device 10 to the reception device 20 via the communication units 18 and 28.

  Before decrypting the ciphertext C, the user interface unit 23 presents a condition Cond to the user and receives an operation indicating whether or not the condition Cond is agreed with from the user.

The signature decryption unit 24 generates the signature σ for the condition Cond using the signature secret key skR, sig according to the Sign algorithm, and the validity of the signature σ using the signature public key p kR, sig according to the Veri algorithm. And if the signature σ is valid according to the Signcrypt algorithm, the ciphertext C is decrypted into the correct message m using the recipient's private key skR, and if the signature σ is not valid, A value different from the message m is output.

  The public key encryption system 1 configured as described above satisfies the following in accordance with each algorithm of the signature decryption scheme.

When the output (C, Cond) of Encrypt (pk _{R, enc} , pk _{R, sig} , param, param_sig, m, Cond) in the encryption unit 14 is given as part of the input of Signdecrypt in the signature decryption unit 24, Signcrypt (sk _{R, enc} , sk _{R, sig} , param, param_sig, C, Cond) outputs the correct message m included in the message space.

For any condition Cond included in the message space, Veri (pk _{R, sig} , param_sig, Sign (sk _{R, sig} , param_sig, Cond), Cond) = T.

As a result, only when the signature to the condition Cond by the signature private key sk _{R, sig} is valid in the receiving apparatus 20 (that is, only when the receiver agrees with the condition Cond), the correct message m is received in the receiving apparatus 20. As a result, the agreement of the condition Cond by the recipient and the control of the access to the message m are guaranteed without extra communication.

  The public key cryptosystem based on the signature decryption scheme of the present invention is characterized by satisfying the relationship between Encrypt and Signcrypt and the relationship between Veri and Sign described above. Therefore, a specific configuration of a public key cryptosystem based on a signature decryption scheme that satisfies the above-described relationship between Encrypt and Signcrypt and Veri and Sign is included in the present invention. However, the Veri algorithm is not explicitly implemented depending on a specific configuration, and may be implicitly included in the Signcrypt algorithm.

  Next, a specific configuration example of the signature decryption scheme will be described. First, some techniques related to this configuration example will be described.

  Non-Patent Document 2: Dan Boneh and Matthew Franklin, “Identity-Based Encryption from the Weil Pairing,” SIAM J. of Computing, Vol. 32, no. 3, pp. 586-615, 2003. According to, it is known that Moni Naor can construct a public key signature scheme using any identity-based encryption (IBE) scheme. The IBE master private key functions as the signer's private key, and the identification ID is regarded as the message m. Therefore, obtaining the decryption key of the other party that owns the ID means obtaining the signature of the message m (ie, ID).

  Gentry uses such a relationship in Patent Document 1 and Non-Patent Document 1 to make it possible to implicitly authenticate a public key. With implicit authentication, the receiver can decrypt only when the authenticator signs the updated public key and gives the receiver a decryption key, but the sender Furthermore, it does not know whether the recipient can perform such processing.

  Gentry's scheme is called certificate-based encryption (Certificate-Based Encryption). This scheme is based on the Bonhe-Franklin IBE and the BGLS aggregate signature scheme, which is a public key aggregate signature scheme of Boneh-Gentry-Lynn-Shacham by two signers (Non-Patent Document 3: Dan Boneh, Craig Gentry, Ben Lynn and Hovav Shacham, "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps," E.Biham (Ed.), LNCS 2656, Advances in Cryptology -Eurocrypt 2003, Springer-Verlag, pp.416-432, 2003.) and the It is a combination.

  The configuration example of the signature decryption scheme described below is common to Gentry's certificate-based encryption in that the IBE scheme is used, but the message signed by the receiver is not an identification ID, and the sender arbitrarily This is different from Gentry's certificate-based encryption in that it is selectable information and it is not necessary to aggregate signatures.

  In the signature decryption scheme, since it is not necessary to aggregate the signature, the public key signature scheme of Boneh-Lynn-Shacham (Non-Patent Document 4: Dan Boneh, BenLynn and Hovav Shacham, “Short Signature from Pamphlet”). "Journal of Cryptology, Vol. 17, pp. 297-319, 2004.).

  FIG. 2 is a flowchart showing an operation of a configuration example of a signature decryption scheme embodied using the IBE scheme. The signature decryption scheme according to this configuration example is executed in, for example, the public key encryption system 1 shown in FIG.

  A configuration example of the signature decryption scheme will be described in detail with reference to FIGS.

1. (Param, param_sig) ← Setup (1 ^k ):
The following steps are performed on input ^1k .

1-1. The BDH parameter generator IG described above is executed for the input 1 ^k , and _two groups G ₁ and G ₂ and pairing ^ e: G ₁ × G ₁ → G ₂ are generated.

1-2. Select any generator gεG ₁ .

1-3. Hash function H ₁ : G ₂ → {0,1} ⁿ and hash function H ₂ : {0,1} ^* → G ₁ are selected for a certain n.

Specific examples of the groups G ₁ , G ₂ , pairing ^ e, hash functions H ₁ , H ₂ are described in detail in, for example, Non-Patent Document 2, and thus detailed description thereof is omitted here.

  Non-Patent Document 2, 5. A concrete IBE system using the Weil Pairing, 6. Specific configuration methods of Bayeux pairing and Tate pairing are described in “Tate pairing and other curves” and “Appendix A Definition of the Weil Pairing” in “Extensions and Observations”.

  The hash function is described in 5.2 Admiscible encoding function: MapToPoint in a form combined with the technique described in 4.3 Relaxing the hashing requirements of Non-Patent Document 2.

  As an example, these pairing and hash functions can be applied to the signature decryption scheme disclosed in this specification.

The common parameters are param = (G ₁ , G ₂ , ^ e, g, H ₁ , H ₂ ), and the parameters for the decryptor's signature scheme are param_sig = (G ₁ , G ₂ , ^ e, g, H ₂ ). The message space S _m and the condition space S _Cond are S _m = {0, 1} ⁿ and S _Cond = {0, 1} ^* , respectively.

  The common parameter param and the parameter param_sig for the decryptor's signature scheme may be generated by either the transmission device 10 or the reception device 20 if there is no room for any fraud related to the parameter. It may be generated by an entity (not shown) other than the device 20.

  The setup units 11 and 21 share the common parameter param and the parameter param_sig for the decryptor's signature scheme via the communication units 18 and 28 between the transmission device 10 and the reception device 20 (S11 and S21). The shared common parameter param and the parameter param_sig for the decryptor's signature scheme may be stored in the storage units 19 and 29, for example.

2. (Sk _R , pk _R ) ← KeyGen (param, param_sig):
The following steps are executed for the input (param, param_sig). In the following, for generalization, both the common parameter param and the parameter param_sig for the decryptor's signature scheme are described as inputs to the algorithm. For example, as shown in the above specific example, the common parameter param_sig is described. When param is given, when all the values of the parameter param_sig for the decryptor's signature scheme are determined, only the common parameter param may be input to the algorithm.

2-1. After randomly selecting the secret key s∈Z _q by executing KeyGenSig on the input (G ₁ , G ₂ , ^ e, g, H ₂ ), the public key v∈G _{1 is changed} to v ← g Generated by ^s . The key pair for the decryptor's signature is (sk _{R, sig} , pk _{R, sig} ) = (s, v).

For the sake of simplicity, in this configuration example, (sk _{R, enc} , pk _{R, enc} ) = (Λ, Λ) (Λ is an empty value), and the output of KeyGen is (sk _R , pk _R ) = (s , V).

The key generation unit 22 generates a pair of the signature private key s and the signature public key g ^s of the reception device 20 as described above (S22). The signature private key s is kept secret in the reception device 20, and the signature public key g ^s is notified to the transmission device 10 (S12).

3. (C, Cond) ← Encrypt (pk _{R, enc} , pk _{R, sig} , param, param_sig, m, Cond):
The sender encrypts the message mεS _m under the condition CondεS _Cond for decrypting the signature by performing the following steps: Encrypt (Λ, v, param, param_sig, m, Cond) Calculate

3-1. h ← H ₂ (Cond) εG ₁ is calculated.

3-2. A random number rεZ _q is selected.

3-3. The ciphertext C is set by C = (g ^r , m XOR H ₁ (^ e (h, v) ^r )). Here, the operation XOR represents an exclusive OR.

  The encryption unit 14 acquires the message m and the condition Cond (S13), and calculates the above-mentioned Encrypt using the acquired message m and the condition Cond as part of the input.

The encryption unit 14 generates a random number r (S14), and from the random number r, the condition Cond, and the signature public key v (= g ^s ) of the receiving device 20, the hash functions H ₁ , H ₂ , and pairing ^ The sender common key is generated by e (S15). The encryption unit 14 performs a pairing operation on the digest h = H ₂ (Cond) εG ₁ of the condition Cond and the signature public key v, and transmits the result of the pairing operation by a power of a random number r. Common key H ₁ (^ e (h, v) ^r ) is generated.

The encryption unit 14 performs an exclusive OR operation on the message m with the sender common key H ₁ (^ e (h, v) ^r ), so that the encrypted message V ← m XOR H ₁ (^ e (h V) ^r ), and ciphertext C = (g ^r , V) composed of the common key generation information g ^r corresponding to the random number r and the encrypted message V is set.

  The communication unit 18 transmits the ciphertext C and the condition Cond to the receiving device 20 (S17). It is assumed that the random number r is safely discarded in the transmission device 10 and does not leak from the transmission device 10.

4). m or ¬m (≠ m) ← Signcrypt (sk _{R, enc} , sk _{R, sig} , param, param_sig, C, Cond):
The decryptor calculates Signcrypt (Λ, s, param, param_sig, C, Cond) by performing the following steps to decrypt the received ciphertext C = (U, V).

4-1. σ ← Sign (sk _{R, sig} , param_sig, Cond):
The decryptor calculates Sign (s, param_sig, Cond) as follows.

(A) Calculate h ← H ₂ (Cond).

(B) Generate a signature σ by σ ← h ^s εG ₁ .

The output of Sign (s, param_sig, Cond) is σ = h ^s .

4-2. m or ¬m (≠ m) ← Decrypt (sk _{R, enc} , param, param_sig, σ, C, Cond):
The decryptor calculates Decrypt (Λ, param, param_sig, σ, C, Cond) by m ← V XOR H ₁ (^ e (σ, U)).

  The output of Decrypt (Λ, param, param_sig, σ, C, Cond) is a message m, which is the output of SignDecrypt (Λ, param, param_sig, σ, C, Cond).

  The communication unit 28 receives the ciphertext C = (U, V) and the condition Cond, which are a part of the input of the above-described Signcrypt, from the transmission device 10 (S23).

  The user interface unit 23 may display the received condition Cond (S24) as before, and then accept an operation by the user (S25). Only when a specific operation indicating acceptance of the condition Cond is accepted by the user (YES in S25), signature decryption is executed (S26 to S28).

  FIG. 3 is a diagram illustrating an example of a condition presentation screen for displaying the condition Cond. In FIG. 3, the setup program is an example of the message m, and the license agreement 31 is an example of the condition Cond.

  On the condition presentation screen in FIG. 3, several buttons for accepting user operations are displayed together with the license agreement 31. As an example of a specific operation by the user, the signature decryption of the encrypted setup program is executed only when the click operation on the agree button 32 and the click operation on the next button 33 are performed in this order.

Signature decoding unit 24, signing secret key s of the receiving apparatus 20, the condition Cond, and from the public key ^{g r} of the transmitter 10, the transmitter 10 and the common hash function _H 1, _{H 2,} and pairing ^ e A receiver common key is generated (S26). The signature decryption unit 24 calculates the digest h = H ₂ (Cond) εG ₁ of the condition Cond, and uses the signature σ = h ^s to the condition Cond by the signature private key s of the receiving apparatus 20 to be common to the receivers. A key H ₁ (^ e (σ, U)) is generated.

Here, when the receiver's signature public key g ^s used for encryption in the transmission apparatus 10 and the receiver's signature private key s used for signature decryption in the reception apparatus 20 correspond correctly, the generation is performed. The receiver common key H ₁ (^ e (σ, U)) = H ₁ (^ e (h ^s , g ^r )) is the sender common key H ₁ ( ^ E (h, v) ^r ) = H ₁ (^ e (h, g ^s ) ^r ) and the same value H ₁ (^ e (h, g) ^sr ).

The decryption unit 24 performs an exclusive OR operation on the encrypted message V included in the ciphertext C with the recipient common key H ₁ (^ e (σ, U)), whereby the message m ← V XOR H ₁ ( ^ E (σ, U)) (S27), and the decoded message m is output (S28).

According to the public key cryptosystem 1 configured as described above, the receiver 20 can generate the receiver common key having the same value as the sender common key, and the random number r is not leaked from the transmitter 10. On the premise, it can be considered only when the receiving device 20 has signed the condition Cond with the secret key s = h ^s (that is, when the receiver knows the condition Cond).

  From this, it is guaranteed that the receiving device 20 that has successfully decrypted the encrypted message V has agreed to the condition Cond. Therefore, the agreement of the condition Cond by the receiver and the control of the access to the message m are guaranteed without performing extra communication. For example, in the example shown in FIG. 3, since the software installation by the setup program is performed correctly only when the user agrees with the license agreement 31, the user's consent to the license agreement 31 and the software Protection without extra communication.

  In the public key cryptosystem 1, since the above-described explanation holds for the optional condition Cond input to the transmission apparatus 10, the sender of the main body information guarantees that the user has agreed to control access to the main body information. Whatever you think you want, you can describe it in the attached information.

  In the above embodiment, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

(Modification)
The public key cryptosystem according to one aspect of the present invention has been described based on the embodiment, but the present invention is not limited to this embodiment. Unless it deviates from the gist of the present invention, one or more of the present invention may be applied to various modifications that can be conceived by those skilled in the art, or forms constructed by combining components in different embodiments. It may be included within the scope of the embodiments.

For example, in the specific example of the signature decryption scheme according to the above-described embodiment, a person who can obtain the signature applied to the condition Cond by the recipient can decrypt the encrypted message V into the correct message m. Therefore, in order to prevent such decryption, a process using not only the signature but also another recipient's private key may be introduced. For example, the above-described private key / public key pair (sk _{R, enc} , pk _{R, enc} ) for encryption of the recipient is not an empty value, but a valid private key / public key pair. As another example, a process using the encryption key pair may be introduced separately from the signature key pair of the recipient.

  Further, for example, by applying Fujisaki-Okamoto transformation to the specific example of the above embodiment, the safety can be further improved. Specific application examples of the Fujisaki-Okamoto transformation are described in, for example, Patent Document 1, Non-Patent Document 1, and Non-Patent Document 2.

  The present invention can be widely applied to public key cryptosystems that control access to main body information using attached information attached to the main body information.

DESCRIPTION OF SYMBOLS 1 Public key encryption system 10 Transmission apparatus 11 Setup part 14 Encryption part 18 Communication part 19 Storage part 20 Reception apparatus 21 Setup part 22 Key generation part 23 User interface part 24 Signature decryption part 28 Communication part 29 Storage part 31 License agreement 32 Agree button 33 Next button 40 Channel

Claims (7)

A public key cryptosystem configured using a transmission device and a reception device and controlling access to main body information using attached information attached to the main body information,
A transmitter setup unit and a receiver setup unit, which are provided in the transmission device and the reception device and set common parameters and parameters for a decryptor's signature scheme;
A signature key generating unit that is provided in the receiving device and generates a key pair including a signature private key and a signature public key based on parameters for the decryptor's signature scheme; A key generation unit that generates a key pair composed of a recipient's private key and a recipient's public key that includes the signature public key based on the common parameter and a parameter for the decryptor's signature scheme;
Encryption that is provided in the transmitting device, acquires information arbitrarily selected by a sender as the attached information, and encrypts the main body information into ciphertext using the recipient's public key and the attached information And
Provided in the receiving apparatus has a signature unit which generates a signature to the accompanying information using the signing secret key, if the signature based on the signature public key is valid, the signature And decrypting the ciphertext into correct body information, and when the signature is not valid, a signature decrypting unit that outputs a value different from the body information;
A user interface unit that displays the attached information and then accepts an operation by a user,
The signature decryption unit is a public key cryptosystem that decrypts the encrypted main body information into the main body information only when a specific operation by the user is accepted . The sender setup unit and the receiver setup unit set a pairing operation having bilinearity as a part of parameters for the decryptor's signature scheme,
The encryption unit generates, as a sender common key, a value obtained by raising the value obtained by performing the pairing operation to the attached information and the signature public key with the random number, and The main body information is encrypted into encrypted main body information, the encrypted main body information, information for generating a common key corresponding to the random number, and the attached information are transmitted to the receiving device,
The signature decryption unit receives the encrypted main body information, information for generating a common key corresponding to the random number, and the attached information from the transmitting device, and signs the attached information with the signature private key; A value obtained by performing the pairing operation on the common key generation information corresponding to the random number is generated as the receiver common key, and the encrypted main body information is generated using the receiver common key. Decrypt into information,
The public key encryption system according to claim 1. The key generation unit generates a key pair including a private key for encryption of the receiver and a public key,
The public key cryptosystem performs a process using a key pair composed of a private key for encryption of the recipient and a public key separately from a key pair composed of the private key for signature and the public key for signature. Item 2. The public key encryption system according to Item 1. A public key cryptosystem that controls access to main body information using attached information attached to the main body information, and a receiving apparatus that configures with a transmitting apparatus,
A setup unit that shares common parameters and parameters for the decryptor's signature scheme with the transmitting device;
A signature key generation unit configured to generate a key pair composed of a signature private key and a signature public key based on parameters for the decryptor's signature scheme, and the receiver's private key including the signature private key; A key generation unit that generates a key pair composed of the public key of the recipient including the public key for signature based on the common parameter and the parameter for the signature scheme of the decryptor;
Has a signature unit generating a signature to the accompanying information using the signing secret key, if the signature based on the signature public key is valid, the encryption from the body information using the signature Decrypting the encrypted encrypted body information into correct body information using the recipient's private key, and outputting a value different from the body information when the signature is invalid,
A user interface unit that displays the attached information and then accepts an operation by a user,
The signature decryption unit decrypts the encrypted body information into the body information only when a specific operation by the user is accepted.
Receiver device. A public key encryption method for controlling access to main body information using attached information attached to the main body information,
The public key encryption method is executed in a public key encryption system configured using a transmission device and a reception device,
The transmission device includes a sender setup unit and an encryption unit,
The receiving device includes a receiver setup unit, a key generation unit, a signature decryption unit, and a user interface unit ,
In the sender setup section and the receiver setup section, setting common parameters and parameters for the decryptor's signature scheme;
The key generation unit generates a key pair including a signature private key and a signature public key based on the parameters for the decryptor's signature scheme, and the receiver's private key including the signature private key Generating a key pair consisting of the recipient's public key including the signature public key based on the common parameter and the parameter for the decryptor's signature scheme;
In the encryption unit, acquiring information arbitrarily selected by a sender as the attached information, and encrypting the main body information into ciphertext using the recipient's public key and the attached information;
In the signature decoding unit, by using the signing secret key to generate a signature to the attached information, wherein when the signature is valid based on the signature public key, the ciphertext using the signature Decrypting the correct body information and outputting a value different from the body information if the signature is not valid;
In the user interface unit, displaying the attached information, and thereafter receiving an operation by a user,
Only when a specific operation by the user is accepted, the signature decrypting unit decrypts the encrypted body information into the body information.
Public key encryption method. A computer-executable program used in a public key cryptosystem that controls access to main body information using attached information attached to the main body information,
The public key cryptosystem is configured using a transmission device and a reception device each having a computer,
The program is
Setting the common parameters and the parameters for the decryptor's signature scheme to be executed by the computer of the transmitting device and the computer of the receiving device;
A key pair composed of a signature private key and a signature public key is generated based on parameters for the decryptor's signature scheme, and the recipient's private key including the signature private key and the signature public key are generated. Including a step of generating a key pair comprising the recipient's public key based on the common parameters and the parameters for the decryptor's signature scheme;
The step of acquiring information arbitrarily selected by a sender as the attached information and encrypting the main body information into ciphertext using the recipient's public key and the attached information is performed on the computer of the transmitting device. Let it run
A signature for the attached information is generated using the signature private key, and when the signature is valid based on the signature public key , the ciphertext is decrypted into correct body information using the signature And, when the signature is not valid, outputting a value different from the body information ;
Displaying the attached information, and then allowing the computer of the receiving device to execute a step of accepting an operation by a user ,
The encrypted body information is decrypted into the body information only when a specific operation by the user is accepted.
program.   A computer-readable recording medium that stores the program according to claim 6.

Images