JP7365310B2 - Encryption device, decryption device, encryption method and encryption program - Google Patents

Description

The present invention relates to an apparatus, method, and program for configuring Multi-Dimensional Range Encryption (MDRE).

BACKGROUND ART Conventionally, a method of configuring a time-specific encryption (TSE) that can be decrypted only with a secret key corresponding to a period (or numerical value) included in a specified range has been proposed.
For example, Patent Document 1 and Non-Patent Document 1 propose a general construction method of configuring a TSE from an arbitrary wildcarded identity-based encryption (WIBE).
Furthermore, Non-Patent Document 2 proposes a general construction method for configuring a TSE from arbitrary ID-based encryption (IBE).

Furthermore, regarding MDRE that multidimensionalizes one-dimensional TSE, Non-Patent Document 3 describes a specific MDRE method based on the configuration method of an existing specific hierarchical ID-based encryption (Hierarchical IBE, HIBE) method. A construction method has been proposed.

Patent Application No. 2020-18530

M. Ishizaka and S. Kiyomoto. Time-specific encryption with constant size secret-keys secure under standard assumption. Cryptology ePrint Archive: Report 2020/595, 2020. K. G. Paterson and E. A. Quaglia. Time-specific encryption. In SCN 2010, volume 6280 of LNCS, pages 1-16. Springer, 2010. K. Kasamatsu, T. Matsuda, G. Hanaoka and H. Imai. Ciphertext policy multi-dimensional range encryption. In ICISC 2012, volume 7839 of LNCS, pages 247-261. Springer, 2012.

However, a general configuration method for configuring an MDRE from arbitrary WIBEs has not been proposed. Furthermore, it is difficult to extend the TSE construction method proposed in Non-Patent Document 1 to MDRE, and multidimensionality has not been achieved.

An object of the present invention is to provide an encryption device, a decryption device, an encryption method, and an encryption program that can configure an MDRE from any WIBE.

The encryption device according to the present invention includes a binarization unit that allocates a bit string of logT bits to each of T numerical values, and a binarization unit that allocates a bit string of logT bits to each of T numerical values; a key generation unit that combines and generates a secret key based on a single multidimensional ID after the combination; and a wildcard ID that covers all of the bit strings assigned to a set value range for each dimension. An ID set generation unit that generates a set, and for each combination extracted one element from the wildcard ID set, all elements are combined into a single multidimensional wildcard ID, and the multidimensional wildcard ID of all combinations is A multidimensional ID set generation unit that generates a set with elements of and an encryption unit that outputs as .

The encryption device may include a conversion unit that replaces bit positions indicated by a bijection function with respect to the multidimensional ID and the multidimensional wildcard ID.

The binarization unit recursively divides the sequence of numerical values into two, inverting only one bit of the bit string included in blocks on both sides around the division point, and making the other bits symmetrical. You may assign 0 or 1 so that

The binarization unit may allocate the bit string in which adjacent numerical values differ by only one bit in the sequence of numerical values.

The numerical value may be cyclically shifted by a predetermined number and associated with the value for each dimension.

The ID set generation unit divides the range at the starting point of the largest block included in the range among the blocks obtained by recursively dividing the sequence of numbers into two, and generates the divided portion. The wildcard ID set may be generated for each range.

The ID set generation unit may generate the wildcard ID set that covers the entire set generated for each partial range.

The decryption device according to the present invention provides, when the multidimensional ID indicated by the private key matches any condition of the multidimensional wildcard ID used in the ciphertext generated by the encryption device, The ciphertext is decrypted using the wildcard ID-based encryption method.

The encryption method according to the present invention includes a binarization step of assigning a bit string of logT bits to each of T numerical values, and a binarization step of assigning a bit string of logT bits to each of T numerical values; a key generation step of combining and generating a secret key based on a single multidimensional ID after combination; and a wildcard ID that covers all of the bit strings assigned to a set value range for each dimension. an ID set generation step of generating a set, and for each combination extracted one element from the wildcard ID set, all elements are combined into a single multidimensional wildcard ID, and the multidimensional wildcard ID of all combinations is a multidimensional ID set generation step of generating a set with elements, and encrypting plaintext using a wildcard ID-based encryption method based on each of the multidimensional wildcard IDs, and converting all the results of the encryption into ciphertext. The computer executes the encryption step of outputting as .

The encryption program according to the present invention is for causing a computer to function as the encryption device.

According to the present invention, an MDRE can be configured from any WIBE.

FIG. 2 is a diagram showing a functional configuration of an encryption device that implements a first configuration method. FIG. 2 is a diagram showing definitions of a setup algorithm, a key generation algorithm, an encryption algorithm, and a decryption algorithm that constitute WIBEtoMDRE. FIG. 3 is a diagram illustrating a complete binary tree regarding IBEtoTSE _PQ . It is a figure which shows the definition of algorithm _Coverl . Binarization algorithm PQ. Binarize _l and wildcard ID set generation algorithm PQ. It is a figure which shows the definition of _GenWIDl . It is a diagram comparing and evaluating WIBEtoMDRE _PQ realized by WIBE _IK and WIBEtoMDRE _PQ realized by WIBE _BGP . FIG. 3 is a diagram showing a functional configuration of an encryption device that implements a second configuration method. It is a figure which shows the definition of function (phi) _f . FIG. 3 is a diagram showing the definition of a generalized MDRE scheme WIBEtoMDRE _f . Binarization algorithm IK. Binarize _l and wildcard ID set generation algorithm IK. It is a figure which shows the definition of _GenWIDl . Wildcard ID set generation algorithm IK. Auxiliary algorithm used by GenWID _IK . Classify _l and IK. It is a figure which shows the definition of Divide _I. Wildcard ID set generation algorithm IK. Auxiliary algorithm used by GenWID _IK . Latter _l , IK. Former _l , and IK. It is a figure which shows the definition of Merge _I. Binarization algorithm IK. FIG. 7 is a diagram illustrating the correspondence between input and output when Binarize _I is executed. Class classification algorithm IK. It is a figure which shows the execution example of _Classifyl . Division algorithm IK. It is a figure which shows the example of execution of Divide ₁ . Second half wID set determination algorithm IK. Latter _l , first half wID set determination algorithm IK. Former _l , and front and rear wID set merging algorithm IK. FIG. 3 is a diagram illustrating the state after each execution of Merge _I ; Binarization algorithm IK. ^{Binarize general} _and wildcard ID set generation algorithm IK. It is a figure which shows the definition of _GenWIDl ^general . Wildcard ID set generation algorithm IK. FIG. ₃ is ^{a diagram showing definitions of auxiliary algorithms Classify general} _{and Divide} ^general used by GenWID ^general . Wildcard ID set generation algorithm IK. _Auxiliary algorithm IK ^. _Latter ^general , IK. Former _general and IK ^. It is a figure which shows the definition ^{of Merge general} _. Binarization algorithm IK. under certain parameters. It is a figure which shows the execution example of Binarize _l ^general .

An example of an embodiment of the present invention will be described below.
The present embodiment relates to a method of constructing a multidimensional range cipher (MDRE). First, MDRE will be explained, and then a wildcard ID-based cipher (WIBE) will be explained.

[Multidimensional range encryption (MDRE)]
MDRE is composed of the following four polynomial time algorithms {Setup, KGen, Enc, Dec}. Note that Dec is a deterministic algorithm, and the others are probabilistic algorithms.

First, where λ∈N (natural number), 1 ^λ is a security parameter that determines the secret key length and the like. Further, D∈N represents the total number of dimensions. For each dimension i∈[1,D], for a natural number T _i ∈N, [0,T _i −1] represents the total number of numerical values.

The setup algorithm Setup receives (1 ^λ , D, T ₁ , . . . , T _D ) as input and outputs a master public key mpk and a master private key msk. The execution of this algorithm is expressed as (mpk, msk)←Setup(1 ^λ , D, T ₁ ,..., T _D ). It is assumed that the plaintext space M is uniquely determined by the master public key mpk.
The setup algorithm is executed by a trusted third party (Trusted Authority, TA). The master private key msk is held secretly by the TA. Further, the master public key mpk is implicitly input to three algorithms {KGen, Enc, Dec}.

The key generation algorithm KGen receives as input the master secret key msk and D numerical values Q:=(t ₁ , . . . , t _D ), and outputs the secret key sk _Q. However, for all i∈[1, D], t _i ∈[0, T _i −1]. The execution of this algorithm is written as sk _Q ←KGen(msk, t ₁ ,..., t _D ).
This key generation algorithm KGen is executed by the TA using msk. It is assumed that the generated private key _skQ is transferred to the key owner by a predetermined secure means.

The encryption algorithm Enc receives as input a plaintext m∈M and D ranges R:=([L ₁ , R ₁ ], ..., [L _D , R _D ]), and outputs a ciphertext _CR. . However, for all i∈[1, D], [L _i ∈[0, T _i −1]∧R _i ∈[0, T _i −1]]. At this time, for each i∈[1,D], if L _i ≦R _i , [L _i , R _i ] is the set {L _i , L _i +1, ..., R _i -1, R _i } If L _i >R _i , [L _i , R _i ] is equivalent to the set {L _i , . . . , T _i -1}∪{0, . . . , R _i }. The execution of this algorithm is expressed as C _R ←Enc(m, [L ₁ , R ₁ ], ..., [L _D , R _D ]).

The decryption algorithm Dec receives the secret key _skQ and the ciphertext _CR as input, and outputs the plaintext m∈M or a special symbol ⊥ representing decryption failure. The execution of this algorithm is expressed as m/⊥←Dec(sk _Q , C _R ).

Here, any MDRE method is required to be correct.
MDRE method Σ _MDRE = {Setup, KGen, Enc, Dec} is valid if a certain plaintext m is correctly encrypted under a certain D range R, then this ciphertext is valid within the range R. This refers to a case where decoding can be performed correctly by using a properly created secret key as a key corresponding to the D numbers Q included, and is defined as follows.
∀λ∈N, ∀D∈N, ∀T ₁ ∈N, ..., ∀T _D ∈N, ∀ (mpk, msk)←Setup (1 ^λ , D, T ₁ , ..., T _D ), ∀t ₁ ∈[0,T ₁ -1],...,∀t _D ∈[0,T _D -1],∀sk _Q ←KGen(msk,t ₁ ,...,t _D ), where Q:=(t ₁ , ..., t _D ), ∀m∈M, ∀L ₁ ∈[0, T ₁ -1], ∀R ₁ ∈[0, T ₁ -1], ..., ∀L _D ∈[0, T _D -1 ], ∀R _D ∈[0, T _D −1] s. t. ∧ _i∈[1,D] t _i ∈[L _i , R _i ], ∀C _R ←Enc(m, [L ₁ , R ₁ ], ..., [L _D , R _D ]), where R:= ([L ₁ , R ₁ ],..., [L _D , R _D ]), m←Dec(sk _Q , C _R ).

[Wildcard ID-based encryption (WIBE)]
WIBE is composed of the following four polynomial time algorithms {Setup, KGen, Enc, Dec}. Note that Dec is a deterministic algorithm, and the others are probabilistic algorithms.
Here, λ∈N (natural number) is 1. ^λ is a security parameter that determines the secret key length and the like. Furthermore, l∈N represents the ID length and wildcard ID length.

The setup algorithm Setup receives (1 ^λ , l) as input and outputs a master public key mpk and a master private key msk. The execution of this algorithm is expressed as (mpk, msk)←Setup (1 ^λ , l). It is assumed that the plaintext space M is uniquely determined by the master public key mpk. Further, the master public key mpk is implicitly input to three algorithms {KGen, Enc, Dec}.

The key generation algorithm KGen receives msk and ID∈{0,1} ^l as input, and outputs the secret key sk _ID . The execution of this algorithm is written as sk _ID ←KGen(msk, ID).

The encryption algorithm Enc receives as input the plaintext m∈M and the wildcard ID wID∈{0,1,*} ^l , and outputs the ciphertext C _wID . The execution of this algorithm is written as C _wID ←Enc(m, wID).

The decryption algorithm Dec receives the secret key sk _ID and the ciphertext C _wID as input, and outputs the plaintext m∈M or a special symbol ⊥ representing decryption failure. The execution of this algorithm is expressed as m/⊥←Dec(sk _ID , C _wID ).

Regarding the WIBE method, in addition to these main algorithms, the following auxiliary algorithms are introduced.
The wID condition matching determination algorithm Match _l receives ID∈{0,1} ^l and wID∈{0,1,*} ^l as input, determines whether the ID matches the wID condition, and selects bit b Output ∈{0,1}. Specifically, the wID condition matching algorithm Match _l is used for all i∈[0,l-1] s. t. For wID[i]∈{0,1}, if ID[i]=wID[i] holds, 1 is output; otherwise, 0 is output.

Here, any WIBE method is required to be correct.
WIBE method Σ _WIBE = {Setup, KGen, Enc, Dec} is valid if a certain plaintext m is correctly encrypted under a certain wID, then this ciphertext is an ID that satisfies the conditions of wID. This refers to the case where the data is correctly decrypted using a correctly created private key corresponding to the key, and is defined as follows.
∀λ∈N, ∀l∈N, ∀(mpk, msk)←Setup(1 ^λ , l), ∀ID∈{0,1} ^l , ∀sk _ID ←KGen(msk, ID), ∀m∈M ,∀wID∈{0,1,*} ^l s. t. Match _l (ID, wID) = 1, ∀C _wID ←Enc (m, wID), m←Dec (sk _ID , C _wID ).

[First configuration method of MDRE using WIBE]
In one form of the general configuration method of MDRE using WIBE (WIBE to MDRE), the MDRE method is an arbitrary valid WIBE method Σ _WIBE = {Setup', KGen', Enc', Dec', Match _l } is constructed using the deterministic algorithms Binarize _l and GenWID _l .
The functional configuration of the encryption device 1 that implements the MDRE configuration method will be shown below, and then the algorithm of the configured MDRE system will be explained.

FIG. 1 is a diagram showing the functional configuration of an encryption device 1 that implements the first configuration method.
The encryption device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control unit 10, a storage unit 20, various data input/output devices, communication devices, and the like.

The control unit 10 is a part that controls the entire encryption device 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for various programs (encryption programs) and various data for making the hardware group function as the encryption device 1, and is a storage area such as ROM, RAM, flash memory, hard disk drive (HDD), etc. It's good to be there.

The control unit 10 includes a binarization unit 11, an ID set generation unit 12, a multidimensional ID set generation unit 13, a setup unit 14, a key generation unit 15, an encryption unit 16, and a decryption unit 17. Be prepared.

The binarization unit 11 allocates a bit string of logT bits to each of the T numerical values by executing the binarization algorithm Binarize _l . That is, when l∈N, the binarization unit 11 receives a numerical value t∈[0,2 ^l −1] as an input and outputs a bit string str∈{0,1} ^l . Here, it is assumed that the binarization algorithm must be valid.
A binary algorithm is valid if it is a bijection, and the bit string str does not necessarily match the binary representation of the numerical value t.

The ID set generation unit 12 generates a wildcard ID set that covers all bit strings assigned to a set value range for each dimension by executing a wildcard ID set generation algorithm _GenWIDl . That is, when l∈N, the ID set generation unit 12 receives as input a numerical range [L, R] (where L, R∈[0, 2 ^l −1]), and generates a wildcard ID set. Output T={str∈{0,1,*} ^l }. Here, it is assumed that the wildcard ID set generation algorithm must be valid under a valid binarization algorithm Binarize _l .

A wildcard ID set generation algorithm is valid if the output wildcard ID set covers only the numerical values included in the range [L, R], and all l∈N, all L For all R∈[0,2 ^l -1], T _{[L, R]} ←GenWID _l (L, R), and the following ^conditions hold. Refers to the case.
・∀t∈[L,R], ∃wid∈T _[L,R] , 1←Match _l (Binarize _l (t), wid).
・∀t∈[0,2 ^l −1]\[L,R],∀wid∈T _[L,R] ,0←Match _l (Binarize _l (t), wid).

The multidimensional ID set generation unit 13 extracts one element from the wildcard ID set of each dimension generated by the ID set generation unit 12, and combines all elements into a single multidimensional wildcard ID for each combination. , generates a set with all combinations of multidimensional wildcard IDs as elements.

The setup unit 14 uses the WIBE setup algorithm KGen' to output a master public key and a master private key, using the sum of the bit lengths of each dimension in MDRE as the ID length.

The key generation unit 15 combines the bit strings str assigned to numerical values corresponding to the values of each dimension in MDRE, uses the combined multidimensional bit string as an ID (multidimensional ID), and uses the WIBE method key generation algorithm KGen'. Generate a private key using

The encryption unit 16 encrypts the plaintext using the WIBE encryption algorithm Enc' based on each of the multidimensional wildcard IDs that are elements of the set generated by the multidimensional ID set generation unit 13, Output all encryption results as ciphertext.

If the multidimensional ID indicated by the private key matches any of the conditions of the multidimensional wildcard ID used in the ciphertext generated by the encryption unit 16, the decryption unit 17 converts the ciphertext into Decoding is performed using the WIBE method decoding algorithm Dec'.

FIG. 2 is a diagram showing definitions of a setup algorithm Setup, a key generation algorithm KGen, an encryption algorithm Enc, and a decryption algorithm Dec, which constitute WIBEtoMDRE.

Let the total number of dimensions of WIBEtoMDRE be D∈N, and the total number of numerical values of each dimension be T ₁ ,...T _D ∈N. WIBEtoMDRE employs a WIBE method in which the ID length is Σ _{i = 1} ^D logT _i as a component.

The secret key corresponding to D numbers t ₁ ,...,t _D (where t _i ∈[0, T _i -1]) is obtained by converting the binary bit string of each number into str _i ←Binarize _logTi (t _i )∈ {0,1} ^logTi , and a binary bit string obtained by simply combining all binary bit strings (i.e., ∥ _i=1 ^D str _i ) as a single ID, and then the WIBE method corresponding to the ID. Generated as a private key.

When encrypting plaintext m under D ranges [L ₁ , R ₁ ], ..., [L _D , R _D ], first, each range's wildcard ID set T _{[Li, Ri]} ← Find GenWID _logTi (L _i , R _i ) and extract one element from each set T [ _{Li, Ri]} of the multidimensional wildcard ID set T ^* _{[L1, R1], ..., [LD, RD].} It is obtained by simply combining all elements for each combination. That is, T ^* _{[L1, R1],..., [LD, RD]} :={∥ _i=1 ^D wid _i | wid ₁ ∈T _{[L1, R1]} ,..., wid _D ∈T _{[LD, RD]} } It is.

Plaintext m is encrypted using the WIBE encryption algorithm under each wildcard ID included in this multidimensional wildcard ID set T ^* _{[L1,R1], . . . , [LD,RD]} .

When decrypting the ciphertext corresponding to [L ₁ , _{R 1 ]} , ..., [L _D , R _D ] using the private key corresponding to t ₁ , ..., t D , each i∈[1, D ], check whether wid _i ∈T _{[Li, Ri]} that satisfies 1←Match _logTi (str _i , wid _i ) exists, and if it exists for all i∈[1, D], then t ₁ ,...,t Decrypt the WIBE ciphertext corresponding to the wildcard ID (∥ _i=1 ^D wid _i ) using the private key corresponding to _D (that is, the WIBE private key corresponding to _{∥ i=1} ^D str _i ). and outputs the decryption result.

Here, if the component WIBE method is valid and the two algorithms (Binarize _l , GenWID _l ) are valid, then it can be said that WIBE to MDRE is also valid.

Next, as a specific example of a valid algorithm (Binarize _l , GenWID _l ), PQ. Binarize _l and PQ. GenWID _l is shown. Further, WIBEtoMDRE based on these algorithms is expressed as WIBEtoMDRE _PQ .

The algorithms (PQ.Binarize _l , PQ.GenWID _l ) used in WIBEtoMDRE _PQ are based on the general construction method of timed encryption (TSE) using ID-based encryption (IBE) proposed by Non-Patent Document 2, IBEtoTSE _PQ . is used as a technical reference.
IBEtoTSE _PQ employs the IBE method with a total number of IDs of 2T-1. In IBEtoTSE _PQ , a complete binary tree with a total number of leaves T is introduced.

FIG. 3 is a diagram illustrating a complete binary tree for IBEtoTSE _PQ .
Here, a complete binary tree with a depth of 3 and a total number of leaves T=8 (=2 ³ ) is shown.
Each leaf node corresponds to each period (number) tε[0, T-1]. Specifically, a leaf node to which a binary number str∈{0,1} ^logT is assigned corresponds to a value t∈[0,T−1] obtained by converting this binary number into a decimal number.

The private key of each numerical value tε[0, T-1] is composed of the IBE private keys of a total of logT+1 nodes passed from the root node to the leaf node of the numerical value t. Specifically, when the (randomly generated) IBE private key corresponding to the ID is expressed as sk _ID , the private key with the numerical value t∈[0, T-1] is sk _t = (sk _ID=φ , sk _ID=t[0] , sk _{ID=t[0]∥t[1]} ,..., sk _{ID=t[0]∥t[1]∥...∥t[logT-1] )} . Note that t[i] represents the i-th upper bit in the binary representation of t.
For example, when T=8, the secret key for t=3 is sk _t=3 = (sk _φ , sk ₀ , sk ₀₁ , sk ₀₁₁ ).

Next, a method for generating ciphertext of plaintext m corresponding to the range [L, R] will be described. Here, a set S _str linked to the node str∈{0,1} ^≦logT is introduced. S _str is a set of leaf nodes where one of the ancestor nodes is node str. In short, S _str :={str∥ _{i∈[0,logT−|str|−1]} β _i |β _i ∈{0,1}}. Here, |str|∈[0,logT] represents the bit length of str.
For example, when T=8, S ₁ ={100,101,110,111}, S ₁₀ ={100,101}, and S ₁₁₀ ={110}.

When generating a ciphertext corresponding to the range [L, R], a set T _{[L, R]} = {str∈{0,1} ^≦logT } is first obtained. T _[L,R] is a set of nodes covering all leaf nodes from number L to number R in the binary tree. Specifically, T _{[L, R]} is determined by the following algorithm Cover _l .

FIG. 4 is a diagram showing the definition of the algorithm Cover _l .
Here, Parent _l is a function that receives a node (node) in a complete binary tree with a total number of leaves of 2 ^l and outputs the parent node of the node. Note that Cover ₁ is functionally the same as Algorithm 1 in Non-Patent Document 2.
For example, when T=8, T _[2,6] = {01,10,110}, T _[0,6] = {0,10,110}, and T _[7,7] = {111}. .

After deriving the set T _{[L, R]} , an IBE ciphertext of plaintext m is generated under each ID included in T _{[L, R]} . Then, all the generated ciphertexts are combined into one ciphertext in the range [L,R].

When decrypting a ciphertext in the range [L, R] with a private key of numerical value t, check whether there is a node included in the set T _{[L, R]} in the leaf node t or its ancestor nodes. , if the corresponding node exists, the IBE ciphertext corresponding to the corresponding node is decrypted using the IBE private key corresponding to the corresponding node. Note that in the case of t∈[L,R], the corresponding node definitely exists, and in other cases, the corresponding node does not exist.

FIG. 5 shows the binarization algorithm PQ. Binarize _l and wildcard ID set generation algorithm PQ. It is a figure which shows the definition of _GenWIDl .
Binarization algorithm PQ. Binarize _l receives a numerical value t∈[0,2 ^l −1] as an input, and outputs a bit string str∈{0,1} ^l .

Wildcard ID set generation algorithm PQ. GenWID _l receives the range [L, R] as input, and first creates a node set T _[L that covers from leaf node L to leaf node R in a complete binary tree with a total number of leaves of 2 ^l using a method similar to IBEtoTSE _{PQ. , R]} = {str∈{0,1} ^≦l } is derived. Then, among the nodes (bit strings) included in the set T _{[L, R]} , for nodes (bit strings) whose length is less than l, a wild card symbol (*) is added so that the length becomes l. The set T ^* _[L,R] after performing the transformation to complement from the right is output.

Next, an example of implementing WIBE to MDRE _PQ using the existing WIBE method will be shown.
As existing WIBE methods that embody WIBE to MDRE _PQ , we will take up the WIBE method WIBE _IK proposed in Non-Patent Document 1 and the WIBE method WIBE _BGP proposed in the following document A.
Document A: O. Blazy, P. Germouty, and DH Phan. Downgradable identity-based encryption and applications. In CT-RSA 2019, volume 11405 of LNCS, pages 44-61. Springer, 2019.

FIG. 6 is a diagram comparing and evaluating WIBEtoMDRE _PQ realized by WIBE _IK and WIBEtoMDRE _PQ realized by WIBE _BGP .
The former (with WIBE _IK ) is asymptotically inefficient in terms of ciphertext length and encryption calculation cost, especially the number of exponentiation calculations over groups, but the secret key length is two group elements of a symmetric bilinear pairing. It has the feature that it is constant and does not depend on any parameters D, T ₁ , . . . , _TD . On the other hand, the latter (based on WIBE _BGP ) differs from the former in that it is not significantly inferior in any particular item and is passably superior in all items. Another advantage is that the decoding calculation cost is constant.

[Second configuration method of MDRE using WIBE]
The MDRE method corresponding to the generalization of the first configuration method will be described below. This MDRE method is realized by an encryption device 1a that has added functionality to the encryption device 1 that implements the first configuration method.

FIG. 7 is a diagram showing the functional configuration of an encryption device 1a that implements the second configuration method.
The control unit 10a of the encryption device 1a includes a conversion unit 18 as a new functional unit.
The conversion unit 18 replaces the bit positions indicated by the bijective function with respect to the multidimensional ID used for key generation and the multidimensional wildcard ID used for encryption, and converts the key generation unit 15 and the encryption unit 16 and provided to the decoding unit 17.
That is, in the second configuration method, the following two types of functions are introduced in defining the MDRE method.

は、全単射であるとする。 Function f:

Suppose that is a bijection.

は、全単射関数ｆに紐づけられた関数である。 Function φ _f :

is a function linked to the bijection function f.

FIG. 8 is a diagram showing the definition of the function φ _f .
The function φ _f outputs a new bit string in which each bit (i bit) in the input bit string is moved to f(i) bits uniquely determined by the bijection function f.

FIG. 9 is a diagram showing the definition of the generalized MDRE method WIBEtoMDRE _f .
Compared to WIBEtoMDRE in FIG. 2, the parts indicated by symbols A to D have been changed.
That is, in the key generation algorithm KGen, the multidimensional ID converted by the function φ _f is input to the WIBE key generation algorithm KGen', and in the encryption algorithm Enc, the multidimensional ID converted by the function φ _f The wildcard ID is input to the WIBE encryption algorithm Enc'. Further, in the decoding algorithm Dec, the multidimensional ID and multidimensional wildcard ID after being converted by the function φ _f are input to the wID condition match determination algorithm Match.

Note that the validity of WIBEtoMDRE _f can be confirmed in the same way as the validity of WIBEtoMDRE according to the first configuration method.
Incidentally, in WIBEtoMDRE _f , WIBEtoMDRE according to the first construction method is one in which the function f is an identity mapping that outputs the input as it is.

[Modified example of binarization and wildcard ID set generation]
Patent Document 1 discloses two types of general configuration methods for time specified encryption (TSE) based on WIBE: the simplest configuration method and a generalized configuration method. Hereinafter, these configuration methods will be referred to as WIBEtoTSE _IK and WIBEtoTSE _IK ^general , respectively.

WIBEtoTSE _IK introduces the following restrictions to the above-mentioned WIBEtoMDRE.
・Set the total number of dimensions D=1.
- Algorithms Binarize _l and GenWID _l are respectively adapted from IK. Binarize _l and IK. Change to GenWID _l .
These algorithm changes can also be applied to WIBEtoMDRE with a total number of dimensions D>1, thereby achieving the same effect as WIBEtoTSE _IK .

FIG. 10 shows the binarization algorithm IK. Binarize _l and wildcard ID set generation algorithm IK. It is a figure which shows the definition of _GenWIDl .
FIG. 11 shows the wildcard ID set generation algorithm IK. Auxiliary algorithm used by GenWID _IK . Classify _l and IK. It is a figure which shows the definition of Divide _I.
FIG. 12 shows the wildcard ID set generation algorithm IK. Auxiliary algorithm used by GenWID _IK . Latter _l , IK. Former _l , and IK. It is a figure which shows the definition of Merge _I.

FIG. 13 shows the binarization algorithm IK. FIG. 7 is a diagram illustrating the correspondence between input t∈[0,2 ^l −1] and output str∈{0,1} ^l when Binarize _l is executed.
Although the case where l=5 is shown here, the bit string str is similarly allocated according to the following rule even in the case where l≠5.
- The most significant bit (l-1th bit) starts with 0 and then continues to switch between 0 and 1 at 2 ^l-1 intervals.
・The bit next to the most significant bit (1-2th bit) starts with 0, first switches to 1 at 2 ^l-2 intervals, and then switches between 0 and 1 at 2 ^l-1 intervals. keeps switching.
- The successive bits of the most significant bit (l-3rd bit) start with 0, first switch to 1 at 2 ^l-3 intervals, and then switch between 0 and 1 at 2 ^l-2 intervals. It keeps switching.
・(omitted)
・The bit before the least significant bit (first bit) starts with 0, first switches to 1 at intervals of 2 ¹ = 2, and then switches between 0 and 1 at intervals of 2 ² = 4. keeps switching.
- The least significant bit (0th bit) starts at 0, first switches to 1 at intervals of 2 ⁰ =1, and then continues to switch between 0 and 1 at intervals of 2 ¹ =2.

According to this rule, the following characteristics appear in the bit string str.
That is, when the sequence of numerical values t is recursively divided into two, only one bit of the bit string str included in blocks on both sides of the dividing point is inverted, and the other bits are symmetrical.
Further, only one bit differs between adjacent numerical values t.

Wildcard ID set generation algorithm IK. GenWID _l includes five auxiliary algorithms IK. Classify _l , IK. Divide _l , IK. Latter _l , IK. Former _l , IK. Use Merge _l .

Class classification algorithm IK. Classify _l receives a numerical value t∈[0,2 ^l −1] as input and outputs a class number i∈[0, l].
Specifically, if t=0, output l, and if t∈[1,2 ^l -1], output i∈[0, l-1] that satisfies t mod 2 ⁱ⁺¹ = 2 ⁱ . .

FIG. 14 shows the classification algorithm IK. It is a figure which shows the execution example of _Classifyl .
Here, outputs in the case of 2 ^l =T∈{4, 8, 16, 32} are shown.
When the ascending order of numerical values t is recursively divided into two, the leftmost t of the divided right block is assigned the class number minus 1 of the leftmost block of the left block. As a result, in the block of bit strings that are symmetrical except for one bit, the leftmost class number becomes the largest.

Division algorithm IK. Divide _l receives as input the range [L, R] that satisfies L, R∈[0,2 ^l -1], and divides this range into the first half range [L, D-1] and the second half range [D, R]. A dividing point D∈[L,R] for dividing into two is output.
This division point is the numerical value with the largest class number among the numerical values within the range [L, R]. That is, it is divided into two parts at the break of the largest block included in the range [L, R]. Note that when L>R, D=0.

FIG. 15 shows the division algorithm IK. It is a figure which shows the example of execution of Divide ₁ .
Here, l = 5, and the dividing points in the case of [L, R]∈{[0,30], [9,30], [1,30], [2,0]} are each indicated by △. ing.
For example, if the range is [0, 30], the division point D = 0 for the class number 5, and if the range is [9, 30] and [1, 31], the division point D = 4 for the class number. 16. If the range is [2,0], the division point D=0 with class number 5 is output.

が存在し、以下の２つの条件を満たす。 Second half wID set determination algorithm IK. Latter _l receives the second half range [D, R] as input and outputs a wildcard ID set T _{[D, R]} = {wID _i |i∈[1, n ₁ ]}. For all l∈N and all L, R satisfying L, R∈[0,2 ^l −1], D←IK. When Divide _l (L, R),

exists and satisfies the following two conditions.

（２）全てのｉ∈［１，ｎ_１］について、あるｗＩＤ_ｉ∈｛０，１，＊｝^ｌが存在し、ｗＩＤ_ｉは以下を満たす。
・｜ｗＩＤ_ｉ｜_＊＝ｋ_ｉ．
・後半範囲［Ｄ，Ｒ］の部分範囲である、

をカバーする。 (1) The latter half range [D, R] can be expressed as follows as a set of the aforementioned blocks consisting of 2 ^k numerical values.

(2) For every i∈[1, n ₁ ], there exists a certain wID _i ∈{0,1,*} ^l , and wID _i satisfies the following.
・|wID _i | _* = k _i .
・It is a partial range of the latter half range [D, R],

to cover.

が存在し、以下の２つの条件を満たす。 First half wID set determination algorithm IK. Former _l receives the first half range [L, D-1] as input and outputs a wildcard ID set T _{[L, D-1]} = {wID _i |i∈[n ₁ +1, n ₂ ]}. For all l∈N and all L, R satisfying L, R∈[0,2 ^l −1], D←IK. When Divide _l (L, R),

exists and satisfies the following two conditions.

（２）全てのｉ∈［ｎ_１＋１，ｎ_２］について、あるｗＩＤ_ｉ∈｛０，１，＊｝^ｌが存在し、ｗＩＤ_ｉは以下を満たす。
・｜ｗＩＤ_ｉ｜_＊＝ｋ_ｉ．
・ｗＩＤ_ｉは、前半範囲［Ｌ，Ｄ－１］の部分範囲である、

をカバーする。 (1) The first half range [L, D-1] can be expressed as a set of the aforementioned blocks consisting of 2 ^k numerical values as follows.

(2) For every i∈[n ₁ +1, n ₂ ], there exists a certain wID _i ∈{0,1,*} ^l , and wID _i satisfies the following.
・|wID _i | _* = k _i .
・wID _i is a partial range of the first half range [L, D-1],

to cover.

First and second half wID set merging algorithm IK. Merge _l receives the first and second half wildcard ID sets T _[D,R] , T _[L,D-1] and outputs the wildcard ID set T _[L,R] .

このとき、全てのｉ∈［１，ｎ^＊］について、以下の条件を満たすｗＩＤ′_ｉ∈｛０，１，＊｝^ｌが存在する。
・｜ｗＩＤ′_ｉ｜_＊＝ｋ_ｉ＋１＝ｋ_ｎ１＋ｉ＋１．
・ｗＩＤ′_ｉは、ｗＩＤ_ｉとｗＩＤ_ｎ１＋ｉによりカバーされる各範囲の和集合により定義される範囲、すなわち、

をカバーする。 First, define a natural number n ^* that satisfies the following conditions.

At this time, for all i∈[1,n ^* ], there exists wID′ _i ∈{0,1,*} ^l that satisfies the following condition.
・|wID′ _i | _* =k _i +1=k _n1+i +1.
・wID′ _i is a range defined by the union of each range covered by wID _i and wID _n1+i , that is,

to cover.

FIG. 16 shows the second half wID set determination algorithm IK. Latter _l , first half wID set determination algorithm IK. Former _l , and front and rear wID set merging algorithm IK. FIG. 3 is a diagram illustrating the state after each execution of Merge _I ;
Here, the case of l=5, [L,R]=[1,30], and D=16 is illustrated, and Step 1 includes the division algorithm IK. An example of executing Divide _I (FIG. 15) is shown.

Second half wID set determination algorithm IK. For Latter _l , T _{[D, R]} :={wID _i |iε[1, n ₁ ]} is output.
In the case of the execution example shown in Step 2, the numerical values t to which the same numbers are assigned in the figure are covered by a single wID ∈ {0, 1, *} ⁵ . Specifically, n ₁ =4, k ₁ =3, k ₂ =2, k ₃ =1, k ₄ =0, wID ₁ =11***, wID ₂ =101**, wID ₃ =1001*. , wID ₄ =10001. As a result, T _{[16, 30]} = {wID ₁ , wID ₂ , wID ₃ , wID ₄ }={11***, 101**, 1001*, 10001} is output.

First half wID set determination algorithm IK. Former _l outputs T _{[L, D-1]} :={wID _i |i∈[n ₁ +1, n ₂ ]}.
In the case of the execution example shown in Step 3, the numerical values t to which the same numbers are assigned in the figure are covered by a single wID ∈ {0, 1, *} ⁵ . Specifically, n ₂ =4, n ₁ +n ₂ =8, k ₅ =3, k ₆ =2, k ₇ =1, k ₈ =0, wID ₅ =01***, wID ₆ =001*. *, wID ₇ =0001*, wID ₈ =00001. As a result, T _{[1, 15]} = {wID ₅ , wID ₆ , wID ₇ , wID ₈ }={01***, 001**, 0001*, 00001} is output.

が出力される。
Ｓｔｅｐ４に示す実行例の場合、図中で同一の数字が割り当てられた数値ｔは、単一のｗＩＤ∈｛０，１，＊｝^５によりカバーされる。具体的には、ｎ^＊＝４，ｗＩＤ′_１＝＊１＊＊＊，ｗＩＤ′_２＝＊０１＊＊，ｗＩＤ′_３＝＊００１＊，ｗＩＤ′_４＝＊０００１である。結果として、Ｔ_{［１，３０］}＝｛ｗＩＤ′_１，ｗＩＤ′_２，ｗＩＤ′_３，ｗＩＤ′_４｝＝｛＊１＊＊＊，＊０１＊＊，＊００１＊，＊０００１｝が出力される。 First and second half wID set merging algorithm IK. In Merge _l ,

is output.
In the case of the execution example shown in Step 4, the numerical values t to which the same numbers are assigned in the figure are covered by a single wID ∈ {0, 1, *} ⁵ . Specifically, n ^* = 4, wID' ₁ = *1***, wID' ₂ = *01**, wID' ₃ = *001*, wID' ₄ = *0001. As a result, T _{[1, 30]} = {wID' ₁ , wID' ₂ , wID' ₃ , wID' ₄ }={*1***, *01**, *001*, *0001} is output. Ru.

Wildcard ID set generation algorithm IK. GenWID _l executes each algorithm in turn. Specifically, IK. GenWID _l first determines the dividing point D∈[L,R] for the range [L,R] by D←Divide _l (L,R), then T _[D,R] ←IK. The second half range wildcard ID set T _{[D, R]} is determined by Latter _l (D, R), and T _{[L, D-1]} ←IK. The first half range wildcard ID set T _{[L, D-1]} is determined by Former _l (L, D-1). Finally, IK. GenWID _l is T _{[L, R]} ←IK. A wildcard ID set T [L, _{R] is determined by Merge (T [D, R] , T [L, D - 1]} ).

Next, WIBEtoTSE _IK ^general introduces the following restrictions to the above-mentioned WIBEtoMDRE.
・Set the total number of dimensions D=1.
- Algorithms Binarize _l and GenWID _l are respectively adapted from IK. Binarize _l ^general and IK. Change to GenWID _l ^general .
These algorithm changes can also be applied to WIBEtoMDRE with a total number of dimensions D>1, thereby achieving the same effect as WIBEtoTSE _IK ^general .

FIG. 17 shows the binarization algorithm IK. ^{Binarize general} _and wildcard ID set generation algorithm IK. It is a figure which shows the definition of _GenWIDl ^general .
FIG. 18 shows the wildcard ID set generation algorithm IK. _Auxiliary algorithm IK ^. Classify _general and IK ^. It is a figure which shows the definition of Divide _l ^general .
FIG. 19 shows wildcard ID set generation algorithm IK. _Auxiliary algorithm IK ^. _Latter ^general , IK. Former _general and IK ^. It is a figure which shows the definition ^{of Merge general} _.

IK. Binarize _l ^general and IK. GenWID _l ^general is IK. Binarize _l and IK. It is a generalization of GenWID _l . These algorithms introduce a function f, a function h, and a constant δ in order to generalize the pattern of the bit string str.

As mentioned above, IK. In the correspondence between the numerical value t determined by Binarize _l and the binary bit string str, a different (0, 1) pattern is assigned to each bit of str. There are a total of l types of (0,1) patterns.
Specifically, a pattern that continues to switch at 2 ^l-1 intervals from beginning to end, a pattern that switches at 2 ^l-2 intervals only the first time and then continues to switch at 2 ^l-1 intervals, and a pattern that switches at 2 ^l-3 intervals only the first time and then 2 ^l-2 A pattern that continues to switch at intervals of 2 ¹ = 2 only the first time, and then continues to switch at 2 ² = 4 intervals, and a pattern that switches at 2 ⁰ = 1 intervals only for the first time, and then continues to switch at 2 ¹ = 2 intervals. For convenience, these patterns are expressed as P _1-1 , P _1-2 , . . . , P ₁ , P ₀ , respectively.

The bijective function f: {0,1,...,l-1}→{0,1,...,l-1} defines which (0,1) pattern each bit is assigned to. Specifically, bit i∈{0,1,...,l−1} is assigned to the (0,1) pattern P _f(i) .

Function h: {0,1,...,l-1}→{0,1} sets the initial value of the (0,1) pattern at each bit i∈{0,1,...,l-1} to Define whether to set it to 0 or 1.

The constant δ∈{0,...,2 ^l -1} sets the initial value str=h[l-1]∥h[l-2]∥...∥h[1]∥h[0] of the binary bit string to Define which numerical value t∈{0,...,2 ^l −1} to be associated with. Specifically, str=h[l-1]∥h[l-2]∥...∥h[1]∥h[0] is associated with δ.
That is, a correspondence relationship is obtained in which the numerical value t is cyclically shifted by δ for the (0,1) pattern.

For example, FIG. 13 shows the IK. In Binarize _l ^general , change the parameter to
l:=5
f({0,1,2,3,4}):={0,1,2,3,4}
h({0,1,2,3,4}):={0,0,0,0,0}
δ:=0
The algorithm IK. An example of executing Binarize _l ^general is shown below.

On the other hand, FIG. 20 shows IK. In Binarize _l ^general , change the parameter to
f({0,1,2,3,4}):={3,2,0,4,1}
h({0,1,2,3,4}):={0,1,1,0,0}
δ:=15
An example of the execution of the algorithm when set is shown below.

According to this embodiment, the encryption device 1 generates a secret key whose ID is a combination of bit strings assigned to numerical values for each dimension, and also generates a private key from a wildcard ID set generated based on the range of each dimension. For each combination extracted one element at a time, all the elements are combined to form a multidimensional wildcard ID, and a set is generated in which the multidimensional wildcard IDs of all combinations are elements. Then, the encryption device 1 encrypts the plaintext using a wildcard ID-based encryption method based on each of the multidimensional wildcard IDs, and outputs all the encryption results as ciphertext.
Therefore, the encryption device 1 can configure an MDRE method in which TSE is multidimensionally extended by using any legal binarization algorithm and wildcard ID set generation algorithm based on any legal WIBE method. .

As a result, various MDRE schemes can be constructed from various existing or future WIBE schemes.
For example, as described above, an MDRE method using WIBE _IK with a constant secret key length, and an MDRE method using WIBE _BGP that is reasonably excellent in all efficiency items can be specifically obtained. Further, in the future, for example, if a quantum-resistant WIBE system is created, this embodiment can configure a quantum-resistant MDRE system.

The encryption device 1 is equipped with a function of interchanging the bit positions indicated by a bijection function for multidimensional IDs and multidimensional wildcard IDs, so that an arbitrary arrangement of bit strings serving as IDs is possible, and MDRE method is used. can be generalized.

Regarding the correspondence of the bit string str to the numerical value t, the encryption device 1 inverts only one bit of the bit strings included in both blocks around the dividing point when recursively dividing the numerical sequence into two. , other bits are assigned 0 or 1 symmetrically, and bit strings in which adjacent numbers differ in only one bit are assigned.
This generates efficient wildcard IDs that cover the specified range in each dimension of the MDRE, resulting in an efficient multidimensional wildcard ID set. Therefore, the encryption device 1 can shorten the ciphertext length.

At this time, the encryption device 1 can generalize the algorithm by cyclically shifting the correspondence of the bit string str to the numerical value t by a predetermined number.

Furthermore, by dividing the range [L, R] into the first half and the second half, the encryption device 1 can efficiently generate a wildcard ID set in each partial range.
Furthermore, the encryption device 1 may be able to reduce the set by generating a wildcard ID set that covers the set determined for each subrange. As a result, it can be expected that the ciphertext will be shorter.

Although the embodiments of the present invention have been described above, the present invention is not limited to the embodiments described above. Further, the effects described in the embodiments described above are merely a list of the most preferable effects resulting from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

The encryption method by the encryption device 1 is implemented by software. When realized by software, a program constituting this software is installed in an information processing device (computer). Furthermore, these programs may be recorded on removable media such as CD-ROMs and distributed to users, or may be distributed by being downloaded to users' computers via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded.

1, 1a Encryption device (decryption device)
10, 10a Control unit 11 Binarization unit 12 ID set generation unit 13 Multidimensional ID set generation unit 14 Setup unit 15 Key generation unit 16 Encryption unit 17 Decryption unit 18 Conversion unit 20 Storage unit

Claims (10)

a binarization unit that allocates a bit string of logT bits to each of the T numerical values;
a key generation unit that combines the bit strings assigned to numerical values corresponding to values of each dimension in the multidimensional range cryptography and generates a secret key based on a single multidimensional ID that is the result of the combination;
an ID set generation unit that receives a set value range as input for each dimension and generates a wildcard ID set that completely covers only the bit strings assigned to each value included in the range;
For each combination extracted one element at a time from the wildcard ID set, all elements are combined to form a single multidimensional wildcard ID, and a multidimensional set is created in which the multidimensional wildcard IDs of all combinations are elements. an ID set generation unit;
An encryption device comprising: an encryption unit that encrypts plaintext using a wildcard ID-based encryption method based on each of the multidimensional wildcard IDs, and outputs all the results of the encryption as ciphertext. The encryption device according to claim 1, further comprising a conversion unit that replaces bit positions indicated by a bijection function with respect to the multidimensional ID and the multidimensional wildcard ID. The binarization unit recursively divides the sequence of numerical values into two, inverting only one bit of the bit string included in blocks on both sides around the division point, and making the other bits symmetrical. The encryption device according to claim 1 or 2, wherein 0 or 1 is assigned so that 4. The encryption device according to claim 3, wherein the binarization unit allocates the bit string in which adjacent numerical values differ in only one bit in the sequence of numerical values. 5. The encryption device according to claim 3, wherein the numerical value is cyclically shifted by a predetermined number and corresponds to the value for each dimension. The ID set generation unit divides the range at the starting point of the largest block included in the range among the blocks obtained by recursively dividing the sequence of numbers into two, and generates the divided portion. The encryption device according to any one of claims 3 to 5, wherein the wildcard ID set is generated for each range. The encryption device according to claim 6, wherein the ID set generation unit generates the wildcard ID set that covers the entire set generated for each partial range. The ciphertext generated by the encryption device according to any one of claims 1 to 7 and the private key are input,
The binarization section;
the ID set generation unit;
the multidimensional ID set generation unit;
generated by the encryption unit when the single multidimensional ID corresponding to the private key matches any multidimensional wildcard ID included in the set generated by the multidimensional ID set generation unit . a decryption unit that decrypts a ciphertext corresponding to the single multidimensional wildcard ID included in a plurality of ciphertexts that are generated using the wildcard ID-based encryption method. a binarization step of assigning a bit string of logT bits to each of the T numerical values;
a key generation step of combining the bit strings assigned to numerical values corresponding to values of each dimension in the multidimensional range cryptography, and generating a secret key based on a single multidimensional ID that is the result of the combination;
For each dimension, an ID set generation step of receiving a set value range as input and generating a wildcard ID set that completely covers only the bit strings assigned to each value included in the range;
For each combination extracted one element at a time from the wildcard ID set, all elements are combined to form a single multidimensional wildcard ID, and a multidimensional set is created in which the multidimensional wildcard IDs of all combinations are elements. ID set generation step;
An encryption method in which a computer performs an encryption step of encrypting plaintext using a wildcard ID-based encryption method based on each of the multidimensional wildcard IDs, and outputting all the results of the encryption as ciphertext. . An encryption program for causing a computer to function as the encryption device according to any one of claims 1 to 7.

Images