JP7276767B2 - Dynamic Searchable Cryptographic Processing System - Google Patents

Description

The present invention relates to a dynamically searchable encryption system in which a terminal and a server are connected via a network and an encrypted data table is used.

In recent years, with the spread of cloud services, companies are increasingly using external storage services such as online storage to store and manage a large number of internal document files on a management server (cloud server). Document files stored and managed on the management server are encrypted before being stored on the management server. The encrypted document file is then stored in the encrypted database of the management server provided by the external storage service. Encrypted document files can be searched with keywords while they are still encrypted, and such an encryption processing technique is known as searchable symmetric encryption (SSE).

Furthermore, among searchable encryption, research to enable dynamic updating such as addition and deletion of encrypted document files at any time for encrypted document files stored in the encrypted database on the management server has been advanced and is known as Dynamic Searchable Symmetric Encryption (DSSE).

With dynamic search encryption, in addition to being able to perform keyword searches for files on the encrypted database stored on the management server, even during the protocol, the encrypted database of files and accompanying keywords can be searched. can be added to or deleted from. In the past, it is theoretically possible to achieve the highest degree of security (for example, no information is leaked about files in the search database no matter how many times the search is performed). Since it was known, research was conducted on an efficient method that satisfies the minimum level of security (for example, allowing some non-essential information to be leaked depending on the number of searches). In addition to the security that must be satisfied, there is a known method that satisfies forward security (newly added files do not contain keywords that have been searched in the past) (for example, non-patent literature 1).

In the technology disclosed in Non-Patent Document 1, information about keywords (the number of times each keyword has been searched so far, the number of files containing each keyword) is held as state information on the terminal side, and the state information is used to create an encrypted index. It is characterized by creating the address part of the table, and the address part is created on the server side. A method for adding dummy entries to the encrypted index table is not disclosed.

M. Etemad, A. Kupcu, C. Papamanthou, D. Evans, "Efficient dynamic searchable encryption with forward privacy", In Proceedings of Privacy Enhancing Technologies (PoPETs), 2018, p.5-20

In the technology disclosed in Non-Patent Document 1, it is necessary for the terminal side to hold information about keywords as state information, and since the state information depends on the number of keywords held by the terminal, there is a problem with the efficiency of the size of the target data. there were. In addition, since the address part is generated on the server side, it is necessary to re-register the address part at the time of searching in order to achieve forward security. Since two processes of search and re-registration are required instead of only search process, operations for re-registration and processing occur, and efficiency is reduced. Furthermore, it is unclear how to add dummy entries to the encrypted index table, and it is unclear whether stronger security consistent with real-world situations can be achieved.

SUMMARY OF THE INVENTION Accordingly, the present invention has been devised in view of the above-mentioned problems, and an object of the present invention is to improve efficiency and satisfy forward safety. The object is to provide a searchable cryptographic processing system.

A dynamically searchable cryptographic processing system according to a first invention is a dynamically searchable cryptographic system in which a terminal and a server are connected via a network and using an encrypted data table, wherein an identifier corresponding to a document file extraction means for extracting the keyword contained in the document file as an extraction keyword and an identifier corresponding to the document file as an extraction identifier from a reference table showing the relationship between the document and the keyword; a first table generating means for connecting the extracted keyword and the extracted identifier to generate a first table showing the relationship between address information as a set and the extracted identifier included in the address information; a second table generating means for generating a conversion address by converting the address in one table into randomization information by a pseudo-random number generation function, and generating a second table showing the relationship between the conversion address and the extraction identifier; It is characterized by having

A dynamically searchable cryptographic processing system according to a second invention is the first invention, wherein the second table generating means is based on key information related to a pseudorandom number generation function held by the terminal and state information held by the terminal, It is characterized by generating a second table in which the extraction identifier is initialized, and transmitting the generated second table to the server after storing the key information and the state information.

A dynamically searchable cryptographic processing system according to a third aspect of the invention is, in the first aspect of the invention or the second aspect of the invention, wherein the terminal, from a reference table showing the relationship between an identifier and a keyword corresponding to a document file to be added, searches the document file. extracting the included keyword as an extraction keyword, extracting an identifier corresponding to the document file as an extraction identifier, linking the extracted extraction keyword and the extraction identifier to form a set; address information; generating a first table showing the relationship with the extracted identifier included in the address information; converting the address into randomized information by a pseudo-random number generating function to generate a converted additional address; storing the extracted identifier in the state information; and the conversion address and the extracted identifier are transmitted to the server, the server receives the conversion address transmitted by the terminal, and stores the received It is characterized by storing the extraction identifier and updating the second table.

A dynamically searchable cryptographic processing system according to a fourth invention is, in the first to third inventions, wherein the terminal deletes the extracted identifier corresponding to the document file to be deleted from the state information, transmitting an extraction identifier to the server, the server receiving the extraction identifier transmitted by the terminal, converting all storage areas corresponding to the extraction identifier to NULL in a second table of the server; and updating the second table.

A dynamically searchable encryption processing system according to a fifth aspect of the invention is, in the first to fourth aspects of the invention, wherein the second table generating means selects the most extracted keyword from the document files having the same size as the document file to be added. identification information indicating a dummy flag, counter information, until the number of conversion addresses corresponding to the additional document file reaches the number of extracted keywords included in the specified document file; The extracted identifier of the additional document file is concatenated to form a set of dummy address information, the dummy address information is converted into randomized information by a pseudo-random number generation function to generate a conversion dummy address, and the conversion dummy address information is generated. Storing the extracted identifier in the indicated address is repeated to generate the second table.

A dynamically searchable cryptographic processing system according to a sixth aspect of the invention is, in the first to fifth aspects of the invention, wherein the terminal connects the keyword to be searched and each identifier included in the state information as a search identifier to form a set. generating a conversion address by converting address information and said address information into randomized information by a pseudo-random number generation function, and transmitting said conversion address to said server, said server receiving said conversion address sent by said terminal; , refers to all storage areas corresponding to the conversion address in the second table of the server, acquires an extraction identifier of a storage destination in which the storage area is not NULL and a predetermined identifier is stored, and and transmitting to a terminal.

According to the first to sixth inventions, the dynamically searchable system extracts address information indicating the correspondence between the document file and the search keyword from the reference table, and generates the first table and the second table. As a result, the correspondence between all document files held by the terminal and keywords can be manipulated using the identifiers, and only the identifiers need to be saved, so that the information held by the terminal can be reduced. This can improve the efficiency of the terminal and the server.

In particular, according to the first invention, the first table generating means connects the extracted keyword and the identifier of the document file to form a set of address information and the relationship between the extracted identifier included in the address information. Generate a first table shown. Therefore, the state information does not depend on the number of keywords. This can improve efficiency.

In particular, according to the first invention, the second table generating means converts the address information into randomized information on the terminal side by a pseudo-random number generating function held by the terminal. Therefore, there is no need to generate a key for generating pseudo-random numbers for each keyword, pass it to the server, and have the server generate the pseudo-random numbers. As a result, it is possible to prevent leakage of information more than necessary to a third party and achieve forward security.

Especially according to the second invention, the second table generating means generates the initialized second table based on the key information related to the pseudo-random number generating function held by the terminal and the state information held by the terminal, and transmits it to the server. Therefore, the terminal and the server can communicate via a common initialization table.

In particular, according to the third invention, the terminal connects the extraction identifier and the extraction keyword corresponding to the document file to be added, and determines the relationship between the address information as a set and the extraction identifier included in the address information. converts the address into randomized information by a pseudo-random number generation function to generate a converted additional address; stores the extracted identifier in the state information; stores the converted address and the extracted identifier in the server , the server receives the translation address transmitted by the terminal, stores the received extraction identifier in the address indicated by each of the randomization information of the translation address, and stores the second table in Update. Therefore, the requested extraction identifier can be stored in an appropriate location.

In particular, according to the fourth invention, the terminal deletes the extraction identifier corresponding to the document file to be deleted from the state information, transmits the extraction identifier to the server, the server receives the extraction identifier, and stores the extraction identifier in the second table. to NULL and update the second table. Therefore, it is possible to set all the locations where the deletion-requested extraction identifiers are stored to null (NULL).

In particular, according to the fifth aspect, the number of conversion addresses stored in the second table specifies the document file containing the largest number of extracted keywords among the document files having the same size as the target document file. Therefore, among the document files having the same size as the document file to be registered, dummy entries can be easily generated so that the number of keywords is equal to the number of keywords in the document file containing the largest number of keywords. This prevents the server from narrowing down the document file candidates, thereby realizing stronger security.

In particular, according to the sixth invention, the terminal uses each identifier stored on the terminal, generates randomized information by a pseudo-random number generation function based on the concatenation of the search keyword and each identifier, and generates all of them The data is sent to the server, and the server checks the stored values of the second table indicated by each piece of randomization information as the address information, and sends back all the stored values other than NULL to the terminal. Therefore, the information exchanged between the terminal and the server does not include information about the document file. This makes it possible to satisfy forward security.

FIG. 1 is a block diagram showing the overall configuration of a dynamically searchable cryptographic processing system according to the first embodiment. FIG. 2(a) is a schematic diagram showing an example of the configuration of the dynamically searchable cryptographic processing system 100 according to the first embodiment, and FIG. 2(b) is an example of the functions of the dynamically searchable cryptographic processing system 100. It is a schematic diagram showing. FIG. 3A is a management table showing an example of a correspondence table in setup processing in the first embodiment, and FIG. 3B is a management table showing an example of a first table in setup processing in the first embodiment. , and FIG. 3C is a management table showing an example of the second table in the setup process in the first embodiment. FIG. 4 is an explanatory diagram showing correspondence of search processing in the first embodiment. FIG. 5 is an explanatory diagram showing correspondence of search processing in the first embodiment. FIG. 6 is an explanatory diagram showing the maximum number of keywords that a document file can contain in the first embodiment. FIGS. 7A and 7B are flowcharts showing an example of the operation of the dynamically searchable cryptographic processing system according to the first embodiment.

An example of a dynamically searchable cryptographic processing system 100 according to an embodiment of the present invention will be described below with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram showing the overall configuration of a dynamically searchable cryptographic processing system 100 according to this embodiment.

A dynamically searchable cryptographic processing system 100 of this embodiment, as shown in FIG. It is composed of a server 3 configured as The server 3 has an encrypted database 4 and stores encrypted document files and encrypted index tables (or second tables).

The registration terminal 2a and the search terminal 2b are electronic devices such as personal computers (PCs), encrypt document files, and perform registration operations and processing in the server 3. FIG. The server 3 is, for example, an electronic device such as a cloud server that operates an external storage service such as online storage. The server 3 updates and searches (dynamic search) encrypted document files stored in the encrypted database 4 .

FIG. 2 is a block diagram showing an example of the configuration of a dynamically searchable cryptographic processing system to which the present invention is applied.

FIG. 2(a) is a schematic diagram showing an example of the configuration of the dynamically searchable cryptographic processing system 100 according to the first embodiment.

As shown in FIG. 2(a), the terminal 2 constituting the dynamically searchable cryptographic processing system 100 includes a housing 10, a CPU (Central Processing Unit) 11, a ROM (Read Only Memory) 12, and a RAM ( Random Access Memory) 13, a storage portion 14, and I/Fs 15-17. The I/Fs 15 to 18 of each configuration are connected by an internal bus 18 .

The CPU 11 controls the dynamic searchable cryptographic processing system 100 as a whole. The ROM 12 stores operation codes for the CPU 11 . The RAM 13 is a work area used when the CPU 11 operates. The storage unit 14 stores, for example, terminal attribute information, related information, tables generated in the registered terminal 2a, pseudo-random functions, and information such as cryptographic common keys. The storage part 14 may store, for example, information on the operator of the terminal, various information such as authentication information on the operator, and various other information such as registration, update, search log, etc. in association with each other. Note that, for example, the dynamically searchable cryptographic processing system 100 may have a GPU (Graphics Processing Unit) not shown. Having a GPU enables higher-speed arithmetic processing than usual.

The I/F 15 is an interface for transmitting and receiving various information with the terminal 2 and the like via the public communication network 5 . The I/F 16 is an interface for transmitting and receiving information with the input section 20 . A keyboard, for example, is used as the input section 20 , and the administrator of the dynamically searchable cryptographic processing system 100 inputs various information or control commands for the server 3 through the input section 20 . The I/F 17 is an interface for transmitting and receiving various information to and from the output section 19 . The output section 19 outputs various information stored in the storage section 14, the processing status of the server 3, and the like. A display is used as the output part 19, and may be of a touch panel type, for example.

FIG. 2(b) is a schematic diagram showing an example of the functions of the dynamically searchable cryptographic processing system 100. As shown in FIG. The functions of the terminal 2 and the server 3 that constitute the dynamically searchable cryptographic processing system 100 are shown.

The terminal 2 includes, for example, a control unit 21 that controls the entire terminal 2, an extraction unit 22 that extracts keywords contained in document files, an identifier corresponding to the document file as an extraction identifier, and a first table that generates a first table. 1 table generation unit 23, second table generation unit 24 for generating the second table, transmission/reception unit 25 for exchanging data with the server 3 via the public communication network 5, document files, keywords, each table, pseudorandom number generation It includes at least a storage unit 26 that stores data and information such as functions, key information, status information, and various applications.

The server 3 includes, for example, a control unit 31 that controls the entire server 3 and the encrypted database 4, an update unit 32 that initializes, adds, and deletes the second table received from the terminal 2, and performs searches from the terminal 2. A search unit 33 that executes and outputs search results, a transmission/reception unit 35 that exchanges data with a plurality of terminals 2 via the public communication network 5, an encrypted document file, a second table, a pseudorandom number generation function, key information, At least a storage unit 35 for storing data and information such as various applications is provided.

The functions of the terminal 2 and the server 3 shown in FIG. 2B are realized by the CPU 11 using the RAM 13 as a work area and executing a program stored in the storage section 14 or the like.

As the storage unit 26 and the storage unit 35, for example, a data storage device such as an SSD is used in addition to the HDD, and may be embodied integrally with the encrypted database 4, for example. The storage unit 26 and the storage unit 35 include, for example, RAM and ROM, and store programs and the like to be executed respectively. Each function executed by the terminal 2 and the server 3 can be realized by each control unit executing a program stored in each storage unit using the RAM as a work area.

FIG. 3 is a management table showing an example of each table in the setup process of the dynamically searchable cryptographic processing system 100. As shown in FIG.

FIG. 3(a) is, for example, a reference table 40a held in the terminal 2, which corresponds to a document file (f _n ), an identifier (id _n ) corresponding to each document file, and each document file (f _n ). It is stored in association with the relationship with the keyword. FIG. 3(b) shows a first table 40b generated by the terminal 2, which is extracted by the extraction unit 22 from the reference table 40a, connects the extracted keyword (w _d ) and the extracted identifier (id _n ), The paired address information and the extraction identifier (id _n ) included in the address information are stored in association with each other. FIG. 3(c) shows that the addresses in the first table 40b are converted into random number information by a pseudo-random number generation function to generate conversion addresses, and the conversion addresses and extraction identifiers (id _n ) are stored in association with each other. be.

Here, the document files represent a set of document files by F, and each document file f _id εF is assigned a corresponding identifier idε{0, 1} ^l (l is a polynomial of k). Write the file f _id simply as id. Let Λ:={0,1}λ (where λ is a polynomial in k) be the set of all possible keywords, which may be represented, for example, as character strings instead of bit strings. Also, let W _i be a set of keywords included in the document file with the identifier id _i .

The dynamically searchable cryptographic processing system 100 is initialized with a time stamp t:=0 when setup is executed, and the registration terminal 2a or the search terminal 2b performs search and update operations. The timestamp may be incremented each time.

FIG. 3A is a reference table showing an example of the reference table 40a in the first embodiment. The reference table 40a associates a document file to be encrypted with a keyword set (id, W _id ) included in the document file. The reference table 40a, for example, associates all the keywords w ₁ to w _d included in the document file f ₁ (identifier id ₁ ) to document file f _n (identifier id _n ) at time t. If the document file f ₁ contains the keyword w ₁ , for example, the corresponding location in the reference table 40a is marked with a flag (for example, x) and stored.

FIG. 3B is a management table showing an example of the first table 40b in the first embodiment. The index table 40b is obtained by extracting only corresponding portions (portions marked with a flag x) where keywords are included in each document file from the corresponding table 40a.

Next, the first table 40b is configured by the relationship between pairs of address information (sections) and extraction identifiers (for example, document management numbers). The address information is, for example, the concatenation of the keyword _wi and the document number id of the document file ( _wi ||id), and the extraction identifier is, for example, the extraction identifier _id of the document file fid.

FIG. 3C is a management table showing an example of the second table in the first embodiment. The second table 40c hides the relationship between the pair of address information (part) and extraction identifier (eg, document management number) in the first table 40b. Generated as pairs of transformed relationships.

In the second table 40c, the concatenation (w _i ||id) of the keyword _wi in the first table 40b and the document number id of the document file is randomized using the pseudo-random number generating function π. The addresses are converted, for example, as π(k, w _i ||id), and the identifiers are stored, for example, by associating the identifier id of the document file f _id with the address π(k, w _i ||id). .

FIG. 4 is an explanatory diagram showing correspondence of search processing in the first embodiment. The encrypted document files stored in the encrypted database 4 of the server 3 are searched using the search keyword q input from the search terminal 2b.

In the second table 40c, the second table generator 24 randomizes the concatenation (q||id) of the search keyword q in the first table 40b and the document number id of the document file using a pseudo-random number generation function π, The search terminal 2b transmits the conversion address to the server 3, and the server 3 receives the conversion address transmitted by the search terminal 2b. All the storage areas corresponding to the translation address are referred to in the second table 40c of the server 3, and the extraction identifier of the storage destination where the storage area is not NULL and the predetermined identifier is stored is acquired.

FIG. 5 is an explanatory diagram showing correspondence of search processing in the first embodiment. The encryption server 3, for example, receives the converted address transmitted from the search terminal 2b, refers to the second table 40c, and among the address information requested for the search, π(k, q||id ₁ ) and Since the document files associated with the address information π(k, q||id ₃ ) by the search identifier paired are registered, the corresponding search identifiers id ₁ and id ₃ are sent to the search terminal 2b.

FIG. 6 is an explanatory diagram showing the maximum number of keywords that a document file f _id can contain. A document file f _id is regarded as a file consisting of a combination of keywords contained in w _id , and let max _id be the maximum number of keywords that f _id can contain (eg, 10). The maximum number of keywords in the document file is the total number of keywords w _j added up to the point where |f _id | is exceeded, starting with the smallest keyword wεΛ.

At the same time as registering the maximum number of keywords in the document file, for example μ _id entries, (max _id - μ _id ) dummy entries may be added, thereby increasing the number of addresses storing id can always be unified into |f _id | pieces. Therefore, the server cannot narrow down the candidates for the document file f _id .

Next, FIGS. 7A and 7B are flow charts showing an example of the operation of the dynamically searchable cryptographic processing system in the first embodiment.

First, the registration terminal 2a of the dynamically searchable cryptographic processing system 100 executes the extraction step S110 to the second table generation step S130.

<Extraction step S110>
The extraction unit 22 of the registration terminal 2a extracts the document file and the extraction keyword (extraction step S110). In the extraction step S110, keywords included in the document file are extracted as extracted keywords from a reference table showing the relationship between identifiers and keywords corresponding to the document file. Then, an identifier corresponding to the document file is extracted as an extraction identifier.

<First table generation step S120>
Next, the first table generation unit 23 generates the correspondence between the address information and the identifiers extracted in the extraction step S110 as the first table 40b (first table generation step S120). The first table generation unit links the extraction keyword and the extraction identifier extracted in the extraction step S110, and generates a first table showing the relationship between the address information as a set and the extraction identifier included in the address information. do.

Also, the first table generation unit 23 determines whether or not all the address information and identifiers extracted in the extraction step S110 are updated. If there is a change such as addition or deletion, the encrypted document file is added or deleted in accordance with the change of the extraction identifier specifying the document file included in the address information.

<Second Table Generation Step S130>
The second table generation unit 24 converts each address information in the first table into randomized information to generate a second table (second table generation step S130). The second table generation unit 24 converts each piece of address information included in the first table 40b into randomized information using a pseudo-random number generation function and its key stored in the storage unit 26 of the registration terminal 2a, and converts each address information into a second table 40c. Generate as

(Second embodiment)
FIG. 7B shows the search processing in the server 3 of the dynamically searchable cryptographic processing system 100, in which the reception step S210 to the result transmission step S230 are executed.

First, the search terminal 2b connects each identifier included in the keyword to be searched and the state information as a search identifier to generate a set of address information.

Next, the address is converted into randomized information by a pseudo-random number generation function to generate a conversion address, and the conversion address is transmitted to the server 3 .

<Reception step S210>
The transmission/reception unit 34 of the server 3 receives the conversion address transmitted from the search terminal 2b (reception step S210).

<Update step S220>
The search unit 33 refers to the second table stored in the encrypted database 4, refers to all storage areas corresponding to the conversion address in the second table 40c, and stores a predetermined identifier instead of NULL in the storage area. Gets the extraction identifier of the storage location where the data is stored. (Search step S220). Depending on the result of the determination, in addition to X _q ^(t) , check all translation addresses of the value sent. Here, t represents the current time.

<Result Transmission Step S230>
The transmitting/receiving unit 34 transmits the search identifier, which is the search result, to the search terminal 2b that requested the search. (Transmission step S230). Each document file f _id εF, which is the search result, is encrypted with common key encryption (not shown) and stored in the encrypted database 4 of the server 3 . All encrypted document files are stored in the encrypted database 4 of the server 3 together with the document file identifier id.

This completes the operation of the dynamically searchable cryptographic processing system 100 in this embodiment.

(Third Embodiment)
Next, initialization processing of the second table in terminal 2 (registered terminal 2a) will be described. In the second table generation step S130, the terminal 2 generates the second table 40c in which the extraction identifier is initialized based on the key information related to the pseudo-random number generation function held by the terminal 2a and the state information held by the terminal 2a. The information and the state information are stored in the storage unit 26 of the terminal 2b. After that, the generated second table 40 c is transmitted to the server 3 .

According to this embodiment, the search terminal 2b generates and transmits a conversion address generated according to all search identifiers id included in the search keyword to be searched and the state information stored in the terminal. The server 3 confirms the value stored at the address indicated by the conversion address of the second table from the received conversion address. Therefore, the server 3 refers only to the storage area corresponding to the translation address for the identifier included in the state information. As a result, only the information necessary for the search at that time is exchanged between the search terminal 2b and the server 3, re-registration of the address after the search becomes unnecessary, and forward security can be achieved. Efficiency can be improved.

(Fourth embodiment)
Next, document file addition processing in the terminal 2 and the server 3 in the dynamically searchable cryptographic processing system 100 will be described.

First, the registration terminal 2a extracts the keyword included in the document file as an extraction keyword from the reference table 40a showing the relationship between the identifier and the keyword corresponding to the document file to be added. Then, an identifier corresponding to the document file is extracted as an extraction identifier, the extracted extraction keyword and the extraction identifier are linked, and a first table showing the relationship between the address information and the extraction identifier included in the address information is formed as a set. to generate

Next, the pseudo-random number generation function stored in the storage unit 26 of the registration terminal 2a is used to convert the address information into randomized information to generate a converted additional address. The registration terminal 2a stores the extracted identifier in the state information, and then transmits the converted address and the extracted identifier to the server 3. FIG.

The update (addition) of the document file in the registration terminal 2a is executed, for example, by the following processing.

<<Addition of document file (id, W _id ) at time t>>
The terminal 2 (registered terminal 2a) calculates π(k, w||id) for all wεW _id using an application (Update algorithm: not shown) registered in the storage unit 26 . To indicate that it is not a dummy address, π(k, 0||w||id) may be used. The value calculated here becomes the address of the second table 40c. The registration terminal 2a transmits all the calculated values and id to the server 3, adds the id to the state information σ ^(t) stored in the registration terminal 2a, and sets the state information σ ^(t+1) .

The server 3 receives the conversion address and the extraction identifier transmitted by the registration terminal 2a, stores the received extraction identifier in the address indicated by each of the conversion address randomization information in the second table 40c, and stores the extraction identifier in the second table 40c. to be EDB ^(t+1) .

(Fifth embodiment)
Next, document file deletion processing in the terminal 2 and the server 3 in the dynamically searchable cryptographic processing system 100 will be described.

According to this embodiment, (max _id -μ _id ) number of keywords is adjusted in order to adjust the number μ _id of id contained in the second table as a stored value to the maximum number of keywords max _id that can be included in the corresponding document file f _id . π(k, 1||1||id) to π(k, 1|| max _id -μ _id ||id) are generated as dummy addresses of , and id is assigned to the address in the second table indicated by each may be stored. Therefore, dummy entries for id can be added up to the maximum number of keywords (max _id ) that the document file f _id can contain. This makes it possible to provide stronger safety.

The registration terminal 2 a deletes the extraction identifier corresponding to the document file to be deleted from the state information stored in the storage unit 26 and transmits the deleted extraction identifier to the server 3 .

<<Deletion of document file corresponding to id at time t>>
The registration terminal 2 a transmits an extraction identifier (id) to be operated to the server 3 . Then, the target extraction identifier (id) is deleted from the state information σ ^(t) stored in the storage unit 26 to obtain state information σ ^(t+1) .

The server 3 receives the extraction identifier to be deleted, repeats the process of replacing all the extraction identifier (id) portions stored in the second table 40c with NULL, and replaces the entire replaced second table 40c with NULL. Update to EDB ^(t+1) .

Furthermore, according to this embodiment, the dynamically searchable cryptographic processing system 100 can be applied to, for example, search services in databases across multiple medical institutions. This makes it possible to prevent the personal information stored in the hospital database from leaking more than necessary when the patient chart (file) is updated or searched.

Furthermore, according to the present embodiment, the dynamically searchable cryptographic processing system 100 encrypts e-mails exchanged in the past or archived e-mails by users in e-mail services exchanged via a cloud server, for example. It is possible to search for Therefore, it is possible to prevent the content of the email from being leaked to the cloud side.

In the dynamically searchable cryptographic processing system 100, the state information does not necessarily need to be stored in the terminal, and the state information held by the terminal may be made public. Therefore, even if the state information is stored in the server instead of the terminal, security is not compromised.

While embodiments of the invention have been described, each embodiment is provided by way of example and is not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and modifications can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the scope of the invention described in the claims and equivalents thereof.

10: Housing 11: CPU
12: ROM
13: RAM
14: Storage part 15: I/F
16: I/F
17: I/F
18: Internal bus 19: Output unit 100: Dynamically searchable cryptographic processing system 2: Terminal 2a: Registration terminal 2b: Search terminal 20: Input unit 21: Control unit 22: Extraction unit 23: First table generation unit 24: Second 2 Table generation unit 25 : Transmission/reception unit 26 : Storage unit 3 : Server 31 : Control unit 32 : Update unit 33 : Search unit 34 : Transmission/reception unit 35 : Storage unit 4 : Encrypted database 40a : Reference table 40b : First table 40c : Second table 5 : Public communication network S110 : Extraction step S120 : First table generation step S130 : Second table generation step S210 : Reception step S220 : Update step S230 : Result transmission step

Claims (6)

A dynamic searchable encryption system in which a terminal and a server are connected via a network and using an encrypted data table,
extracting means for extracting the keyword included in the document file as an extraction keyword from a reference table showing the relationship between the identifier and the keyword corresponding to the document file, and extracting the identifier corresponding to the document file as an extraction identifier;
A first table for linking the extracted keyword and the extracted identifier extracted by the extracting means to generate a first table showing a relationship between address information as a set and the extracted identifier included in the address information. a generating means;
a second table generating means for generating a conversion address by converting the address in the first table into random number information by a pseudo-random number generation function, and generating a second table showing the relationship between the conversion address and the extraction identifier; ,
A dynamically searchable cryptosystem, comprising: The second table generation means is
generating a second table in which the extraction identifier is initialized based on key information related to a pseudo-random number generation function held by the terminal and state information held by the terminal; transmitting the second table to the server;
The dynamically searchable cryptosystem of claim 1, characterized by: The terminal is
extracting the keyword included in the document file as an extraction keyword from a reference table showing the relationship between the identifier and the keyword corresponding to the document file to be added, and extracting the identifier corresponding to the document file as an extraction identifier; linking the extracted keyword and the extracted identifier to generate a first table showing the relationship between address information as a set and the extracted identifier included in the address information; generating a converted additional address by converting into randomized information by, storing the extracted identifier in the state information, transmitting the converted address and the extracted identifier to the server;
The server is
receiving the translation address transmitted by the terminal, storing the received extraction identifier in an address indicated by each piece of randomization information of the translation address, and updating the second table;
3. A dynamically searchable cryptosystem according to claim 1 or 2, characterized by: The terminal is
deleting the extraction identifier corresponding to the document file to be deleted from the state information, transmitting the deleted extraction identifier to the server;
The server is
receiving the extraction identifier transmitted by the terminal, converting all storage areas corresponding to the extraction identifier to NULL in the second table of the server, and updating the second table;
The dynamically searchable cryptosystem according to any one of claims 1 to 3, characterized by: The second table generation means is
Among document files having the same size as the document file to be added, a document file that can contain the largest number of extracted keywords is specified, and the number of conversion addresses corresponding to the additional document file is included in the specified document file. The identification information indicating the dummy flag, the counter information, and the extraction identifier of the additional document file are concatenated until the number of extracted keywords is reached to form a set of dummy address information. converting into conversion information to generate a conversion dummy address, and storing the extracted identifier in the address indicated by the conversion dummy address information, and generating the second table repeatedly. 5. The dynamically searchable cryptosystem according to any one of 4. The terminal is
A keyword to be searched and each identifier included in the state information are concatenated as a search identifier to form a set of address information, and the address information is converted into randomized information by a pseudorandom number generation function to generate a converted address, sending a translated address to the server;
The server is
receiving the translation address transmitted by the terminal, referring to all storage areas corresponding to the translation address in the second table of the server, and storing a predetermined identifier instead of NULL in the storage area obtaining a previous extraction identifier and sending it to the terminal;
The dynamically searchable cryptosystem according to any one of claims 1 to 5, characterized by:

Images