JPWO2017168798A1 - Encrypted search index merge server, encrypted search index merge system, and encrypted search index merge method - Google Patents

Abstract

Each of the first search index and the second search index includes one or more encryption keywords generated by the first non-deterministic encryption algorithm, and the second search index is one or more generated by the second non-deterministic encryption algorithm The search index merge server compares the encryption keyword included in the first search index with the encryption query included in the second search index in the process of merging the first search index and the second search index. The comparison process is executed, and it is determined whether or not the encryption keyword to be compared and the encryption query to be compared are generated from the same keyword.

Description

Capture by reference

  This application claims the priority of Japanese Patent Application No. 2016-067699 filed on March 30, 2016, which is incorporated into the present application by reference.

  The present invention relates to an encrypted search index merge server, an encrypted search index merge system, and an encrypted search index merge method.

  As background art of this technical field, there is JP, 2015-35072, A (patent documents 1). In this publication, "the registration client entrusts the server with encrypted data in which the size of the search tag created for the search is compressed by the probabilistic encryption method using the hash value and the mask by the output value of the homomorphic function. Then, the search client similarly probabilistically encrypts the search keyword and transmits it as a search keyword in which only a part of the encrypted data is encrypted to the management server, and the management server receives the random number of the encrypted data and the encryption keyword The management server searches for data corresponding to the search, detects an erroneous search of the search result, and decodes the search result, without removing the mask of (see summary).

JP, 2015-35072, A

  The technology described in Patent Document 1 executes a search process using a search index encrypted using nondeterministic encryption without decrypting a document and the search index. Each search index described in Patent Document 1 includes a plurality of combinations of an encryption keyword that is a keyword encrypted using non-deterministic encryption and metadata corresponding to the keyword.

  As the number of search indexes increases, the total number of combinations of encryption keywords and metadata also increases, thereby reducing the search processing speed. In order to suppress such a decrease in search processing speed, for example, merge processing is performed in which a plurality of search indexes are merged to generate one search index.

  When the same keyword is included in a plurality of search indexes to be merged in the merge process of a search index that is not encrypted, the same keyword and all metadata associated with the same keyword It links and generates one combination, and stores it in the search index which is a merge result. Such merge processing can reduce the total number of combinations of encryption keywords and metadata.

  However, since each encryption keyword included in the search index described in Patent Document 1 is encrypted using non-deterministic encryption, the encryption keywords are different even if they are encryption keywords generated from the same keyword. It is data. Therefore, in the technology described in Patent Document 1, since the encryption keywords included in the plurality of search target search indexes are basically all different data, the search is performed even if the above merge processing is executed in the encrypted state. The total number of combinations of encryption keywords and metadata included in the index can not be reduced.

  Further, in the technique described in Patent Document 1, if the encryption keyword is decrypted, the same merge processing as the search index which is not encrypted can be executed, but the security level is lowered by decrypting the encryption keyword. It will

  Therefore, an aspect of the present invention aims to merge search indexes without decrypting keywords included in the encrypted search index. Consequently, it is an object to improve search processing speed while securing security.

  In order to solve the above-mentioned subject, one mode of the present invention adopts the following composition, for example. A search index merge server for merging encrypted search indexes, comprising a processor and a storage device, wherein the storage device holds a first search index and a second search index, the first search index And each of the second search index associates and holds a cipher set generated from each of one or more keywords and metadata corresponding to each of the one or more keywords, and the first search index and the second search index (2) Each of the encryption sets of the search index includes an encryption keyword, each of the encryption set of the second search index includes an encryption query, and each of the encryption keywords is an encrypted text indicating a keyword encrypted using a random number , Transformation and irreversible transformation by the homomorphic function for the random number Each of the cryptographic queries includes a ciphertext representing a keyword encrypted using a random number, and a value obtained by performing conversion by the homomorphic function on the random number. And the search processor executes a merge process of merging the first search index and the second search index to generate a third search index which is a merge result, and the merge process Executing a comparison process of comparing an encryption keyword included in the first search index and an encryption query included in the second search index to specify an encryption set generated from the same keyword, and from the same keyword A cryptographic set including the first cryptographic keyword included in the generated cryptographic set, and a string associated with each of the identified cryptographic sets Data stored in the third search index, and in the comparison process, a part or all of the encrypted text of the second encryption keyword to be compared and the encrypted text of the first encrypted query to be compared And a value calculated from the homomorphic function is calculated, and a function value is calculated, and the value calculated from the function value and the value indicated by the search tag of the first cryptographic query is calculated. Calculating the irreversible conversion value subjected to the irreversible conversion, and based on the comparison result of the irreversible conversion value and the search tag of the second encryption keyword, a cipher set including the second encryption keyword, A search index merge server that determines whether or not a cryptographic set including one cryptographic query is generated from the same keyword.

  According to an aspect of the present invention, search indexes can be merged without decrypting keywords included in the encrypted search index. As a result, it is possible to reduce search data size and improve search processing speed while securing security.

  Problems, configurations, and effects other than those described above will be apparent from the description of the embodiments below.

FIG. 1 is a block diagram showing an example of the overall configuration of a full-text search system according to a first embodiment. FIG. 7 is a block diagram showing an example of a physical configuration of an index generation server in the first embodiment. FIG. 8 is an explanatory diagram of an example of a search index merge process according to the first embodiment. FIG. 8 is a sequence diagram showing an example of a search index creation process in the first embodiment. FIG. 8 is an explanatory view showing an example of random number generation processing in the first embodiment. FIG. 7 is an explanatory view showing an example of an intermediate ciphertext generation process according to the first embodiment. FIG. 8 is an explanatory view showing an example of encryption keyword generation processing in the first embodiment. FIG. 8 is an explanatory diagram of an example of cryptographic query generation processing according to the first embodiment; FIG. 7 is a sequence diagram showing an example of a search index merge process according to the first embodiment. FIG. 14 is an explanatory view showing an example of the comparison processing of the cipher set in the first embodiment. FIG. 18 is an explanatory drawing showing an example of a search index merge process in the second embodiment. FIG. 16 is a block diagram showing an example of the overall configuration of a full-text search system in a third embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It should be noted that the present embodiment is merely an example for realizing the present invention, and does not limit the technical scope of the present invention. The same reference numerals are given to the same configuration in each drawing.

  FIG. 1 is a block diagram showing an example of the overall configuration of the full-text search system of this embodiment. The full-text search system 100 is a system that executes index-type full-text search, and includes, for example, a search engine server 120 and an index generation server 110 connected to each other. The index generation server 110 and the search engine server 120 may be configured on one computer.

  The full-text search system 100, the user terminal 130 used by the user, and the key server 140 storing the encryption key of the user are mutually connected via the network 150. The user terminal 130 holds encryption key information of the user. The encryption key information of the user includes information that can specify the data encryption key of the user (for example, the encryption key of the user, the function value encryption key, and the identifier of the function value decryption key). The data encryption key, the function value encryption key, the function value decryption key, and the secret key for random numbers will be described later.

  The key server 140 holds the data encryption key of the user, the function value encryption key, and the function value decryption key. The network 150 is, for example, the Internet, but may be a network in a predetermined organization (for example, an intranet).

  The search engine server 120 holds search index information of a document encrypted using nondeterministic encryption. The search engine server 120 searches, for example, a document including a keyword designated by the user using an index stored in the index storage unit 113 described later.

  The keywords included in the search index stored in the index storage unit 113 are encrypted by the searchable encryption process. The searchable encryption process is a series of generation of a search index including an encrypted keyword, and a document search using the search index without decrypting the encrypted keyword included in the search index. It is a process. It is assumed that nondeterministic encryption is used in searchable encryption processing in the present embodiment. That is, nondeterministic encryption is used to encrypt keywords registered in a search index. Also, in searchable encryption processing, when searching for an encrypted keyword that is an encrypted keyword from the search index, an encrypted query is generated in which the keyword specified by the user for search is encrypted, but an encrypted query is generated. Also use non-deterministic encryption. In the present embodiment, for example, searchable encryption processing described in Patent Document 1 can be used.

  When searching for a document including a keyword designated by the user, the search engine server 120 generates an encrypted query corresponding to the keyword by searchable encryption processing. The search engine server 120 compares the generated encrypted query with the encrypted keyword included in the search index to identify the encrypted keyword generated from the same keyword as the original keyword of the encrypted query, Search for documents containing that keyword.

  The details of the difference between the encryption keyword generation method and the encryption query generation method in the searchable encryption processing, the details of comparison processing of the encryption keyword and the encryption query, and the details of the document search method will be described later.

  The index generation server 110 includes, for example, an index generation unit 111, an index merge unit 112, an index storage unit 113, and a searchable encryption unit 114. The index generation unit 111 generates a search index for searching the document using the document before encryption.

  The index merge unit 112 merges a plurality of search indexes to generate one search index. The index storage unit 113 stores one or more search indexes. Each search index includes cryptographic keywords and cryptographic queries generated from keywords in the document. Details of the search index will be described later.

  The searchable encryption unit 114 performs encryption processing. The searchable encryption unit 114 includes, for example, an encryption keyword generation unit 115, an encryption query generation unit 116, and a match determination unit 117. The encryption keyword generation unit 115 generates an encryption keyword from each of the keywords extracted from the document by the index generation unit 111. The cryptographic query generation unit 116 generates a cryptographic query from each of the keywords. The match determination unit 117 determines whether the encryption keyword and the encryption query are generated from the same keyword.

  FIG. 2 is a block diagram showing an example of a physical configuration of the index generation server 110. As shown in FIG. Although FIG. 2 shows the configuration of the index generation server 110, the search engine server 120, the user terminal 130, and the key server 140 may have the same configuration.

  The index generation server 110 of the present embodiment is configured by a computer having a processor (CPU) 1, a memory 2, an auxiliary storage device 3, and a communication interface 4.

  The processor 1 executes a program stored in the memory 2. The memory 2 includes a ROM, which is a non-volatile storage element, and a RAM, which is a volatile storage element. The ROM stores an immutable program (for example, BIOS). The RAM is a high-speed and volatile storage element such as a dynamic random access memory (DRAM), and temporarily stores a program executed by the processor 1 and data used when the program is executed.

  The auxiliary storage device 3 is composed of, for example, a large-capacity and non-volatile storage device such as a magnetic storage device (HDD), a flash memory (SSD), etc. Store. That is, the program is read from the auxiliary storage device 3, loaded into the memory 2, and executed by the processor 1.

  The communication interface 4 is a network interface device that controls communication with another device (the search engine server 120, the user terminal 130, the key server 140, etc.) according to a predetermined protocol.

  The index generation server 110 may have an input interface 5 and an output interface 8. The input interface 5 is an interface to which a keyboard 6 and a mouse 7 are connected and which receives an input from an operator. The output interface 8 is an interface to which a display device 9 and a printer are connected, and which outputs the execution result of the program in a format that can be viewed by the operator.

  The program executed by the processor 1 is provided to the index generation server 110 via removable media (CD-ROM, flash memory, etc.) or via a network, and is stored in the non-volatile secondary storage device 3 which is a non-temporary storage medium. . Therefore, the index generation server 110 may have an interface for reading data from removable media.

  The index generation server 110 is a computer system configured physically on one computer, or on a plurality of logically or physically configured computers, and operates in separate threads on the same computer. It may operate on a virtual computer built on multiple physical computer resources.

  FIG. 3 is an explanatory diagram of an example of a process of merging search indexes stored in the index storage unit 113. As shown in FIG. FIG. 3 shows an example in which the search index 301 to be merged stored in the index storage unit 113 and the search index 302 are merged, and a search index 303 which is a merge result is generated.

  The search index 301 includes, for example, a keyword dictionary 311 and metadata 321. The keyword dictionary 311 is composed of one or more combinations of an encryption keyword and an encryption query. Hereinafter, each of the one or more combinations is called a cipher set. Metadata 321 includes metadata associated with each cipher set. The metadata associated with the encryption set includes, for example, a document including a keyword before the encryption of the encryption set, the frequency of appearance of the keyword in the document, and information indicating the appearance location of the keyword in the document. Including.

  Similarly, search index 302 includes keyword dictionary 312 and metadata 322, and search index 303 includes keyword dictionary 312 and metadata 322. For example, "EnckeywordX" in FIG. 3 is an encryption keyword obtained by encrypting the keyword "keywordX" with respect to a natural number X, and "EncqueryX" is an encryption query obtained by encrypting "keywordX".

  The index generation server 110 specifies a cipher set generated from the same keyword, and the cipher set of the keyword dictionary 311 and the metadata of the metadata 321, and the metadata of the cipher set of the keyword dictionary 312 and the metadata 322, It is stored in the keyword dictionary 313 and the metadata 323.

  In addition, when the encryption set generated from the same keyword is included in the keyword dictionary 311 and the keyword dictionary 312, the index generation server 110 aggregates and searches the encryption set and the metadata associated with each of the encryption set. It stores in the index 303.

  Specifically, in the example of FIG. 3, the key word dictionary 311 and the key word dictionary 312 include an encryption set including “Enckeyword 1” and “Encquery 1” generated from “keyword 1”. At this time, the index generation server 110 stores, in the keyword dictionary 313, an encryption set composed of the keyword dictionary 311 or “Enckeyword 1” of the keyword dictionary 312 and the keyword dictionary 311 or “Encquery 1” of the keyword dictionary 312. In addition, the index generation server 110 generates metadata 323 of “MetaA” which is metadata linked to “Enckeyword 1” in the keyword dictionary 311 and “MetaD” which is metadata linked to “Enckeyword 1” in the keyword dictionary 312. , And associated with the corresponding encryption set of the keyword dictionary 313.

  As described above, since the encryption keyword is generated using nondeterministic encryption, for example, “Enckeyword 1” in the keyword dictionary 311 and “Enckeyword 1” in the keyword dictionary 312 have different values. Similarly, since the encryption query is also generated using nondeterministic encryption, for example, “Encquery 1” in the keyword dictionary 311 and “Encquery 1” in the keyword dictionary 312 have different values. Details of the process of determining whether these cipher sets are generated from the same keyword will be described later.

  FIG. 4 shows an example of search index creation processing accompanying document addition or update. The user terminal 130 logs in to the search engine server 120, for example, in accordance with an instruction from the user, and transmits the user's encryption key information and the document addition / update request to the search engine server 120 (S401). The document addition / update request includes document information (for example, the document itself or the URL of the document) which can specify the text in the document.

  The search engine server 120 transmits the document information and the encryption key information to the index generation unit 111 (S402). The index generation unit 111 extracts the pre-encryption keyword and the metadata from the text in the document indicated by the document information (S403).

  Specifically, the index generation unit 111 extracts one or more keywords from the text using, for example, an algorithm such as morphological analysis or N-gram method, and further extracts metadata corresponding to each of the extracted keywords. (S403). The index generation unit 111 transmits the encryption key information and the extracted keyword to the searchable encryption unit 114 (S404).

  The searchable encryption unit 114 transmits the encryption key information to the key server 140 (S405). The key server 140 transmits the data encryption key of the user indicated by the encryption key information, the function value encryption key, the function value decryption key, and the random number secret key to the searchable encryption unit 114 (S406). Since the function value decryption key is not used in the process of FIG. 4 (used in the process of FIG. 9 described later), the exchange of the function value decryption key may not be performed in steps S405 to S406.

  The searchable encryption unit 114 generates an encrypted keyword corresponding to each of the extracted keywords using the received data encryption key and the extracted keywords (S407). Details of the encryption keyword generation process in step S407 will be described later.

  The searchable encryption unit 114 generates an encrypted query corresponding to each of the extracted keywords using the received data encryption key and function value encryption key and the extracted keyword (S408). Details of the cryptographic query generation process in step S408 will be described later.

  The searchable encryption unit 114 generates, for each of the extracted keywords, an encryption set which is a combination of an encryption keyword corresponding to the keyword and an encryption query, and generates, to the index generation unit 111, an encryption keyword dictionary including the generated encryption set. It transmits (S409). In step S409, the searchable encryption unit 114 transmits, to the index generation unit 111, information specifying the keyword corresponding to each of the encryption sets included in the encryption keyword dictionary.

  The index generation unit 111 associates the encryption set in the encryption keyword dictionary and the metadata generated from the same keyword with each other to generate a search index including the encryption keyword dictionary and the metadata, and generates the generated search index. It stores in the index storage unit 113 (S410). The index generation unit 111 transmits a search index generation completion notification to the search engine server 120 (S411). The search engine server 120 reads the search index stored in the index storage unit 113 (S412).

  Hereinafter, an example of the generation process of the encryption keyword and the encryption query will be described. Below, the example which produces | generates one encryption keyword and one encryption query from one keyword is demonstrated.

<Method of generating encryption keyword>
An example of the generation process of the encryption keyword in step S407 is shown using FIG. 6 and FIG.

  The encryption keyword generation unit 115 divides the keyword into a predetermined size that can be processed by the searchable encryption unit 114. For example, when the searchable encryption unit 114 implements the common key encryption AES, as shown in FIG. 5B, the encryption keyword generation unit 115 divides the keywords into blocks of 128 bits of M1, M2,. Do.

  The encryption keyword generation unit 115 generates blocks C1, C2,..., Cn of intermediate encryption keywords by encrypting each of the divided keywords using a predetermined initial vector and a data encryption key.

  In creating each block of the intermediate encryption keyword, the encryption keyword generation unit 115 uses the block for which the intermediate encryption keyword has been generated to create the block. For example, as shown in FIG. 5B, the encryption keyword generation unit 115 encrypts data obtained by calculating the exclusive OR (xor calculation) of the block for which the intermediate encryption keyword has been generated and the block of the keyword, Create keywords. Therefore, not only the contents of the block Mn but also the contents of the other blocks M1, M2, ..., Mn-1 are reflected in the block Cn of the intermediate encryption keyword corresponding to the block Mn.

  The encryption keyword generation unit 115 generates a random number for each block of the intermediate encryption keyword. Specifically, for example, the cryptographic keyword generation unit 115 generates a random number for each of n blocks of the intermediate cryptographic keyword using a pseudo random number generator. The index generation server 110 holds, for example, a pseudo random number generator in advance.

  For example, as shown in FIG. 5A, the cryptographic keyword generation unit 115 inputs data obtained by concatenating the initial vector and the constant into the pseudo random number generator (RNG) together with the random number secret key K2, Random numbers R1, R2,..., Rn are generated.

  The cryptographic keyword generation unit 115 inputs the n-th random number Rn to a predetermined homomorphic function, and acquires the output data as the function value X. For example, as shown in FIG. 7, the encryption keyword generation unit 115 inputs a 128-bit random number to the homomorphic function to obtain a 96-bit function value.

The homomorphic function F refers to a function in which the following equation 1 holds for the input variable x and the input variable y.
(Equation 1) F (x · y) = F (x)? F (y)

Here, “•” and “?” Represent binary arithmetic operation symbols, an addition operation symbol +, a multiplication operation symbol *, an XOR (eXclusive OR) operation which is an exclusive OR for each bit Operation symbols xor etc. At this time, when the XOR operation symbol xor is included in “·” and “?” In Expression 1, the following Expression 2 holds.
(Equation 2) F (x xor y) = F (x) xor F (y)

  The cryptographic keyword generation unit 115 executes predetermined irreversible conversion on the function value X, and acquires the value after the irreversible conversion is performed as the irreversible conversion value H. For example, when the irreversible conversion is the hash function SHA256, the cryptographic keyword generation unit 115 converts the 96-bit function value X into a 256-bit hash value (irreversible conversion value).

  For example, as shown in FIG. 6, the cryptographic keyword generation unit 115 extracts the least significant 32 bits of the 256-bit hash value, and obtains a search tag Dn + 1 for the cryptographic keyword. As a result, data for search having a smaller data size than the original data can be obtained.

  The cryptographic keyword generation unit 115 acquires a bit length indicated by a predetermined tag length from the irreversible conversion value H as a search tag Dn + 1 for a cryptographic keyword. For example, as shown in FIG. 6, the cryptographic keyword generation unit 115 extracts the least significant 32 bits of the 256-bit hash value to obtain collation data D ′ n + 1. The bits to be extracted from the irreversible conversion value H may be extracted not only from the least significant bit but also from the most significant bit, or predetermined bits may be extracted or each bit may be extracted at random. Moreover, the bit length to select is also arbitrary.

The encryption keyword generation unit 115 calculates the exclusive OR (XOR operation) of n blocks of the intermediate encryption keyword and the random number, as shown in the following equation 1, and outputs the output results D1, D2 ,..., Dn is acquired as a ciphertext body (ie, a portion corresponding to an encrypted keyword).
(Equation 3) Di = Ci xor Ri (i = 1,... N)

  The cryptographic keyword generation unit 115 links the prosecutor tag Dn + 1 with the ciphertext main body consisting of the initial vector, D1, D2,... Dn, and determines this as the cryptographic keyword.

  The procedure for creating the secret data does not necessarily have to be processed in the order as described above, and may be performed in a different order.

<Method of generating cryptographic query>
An example of the encrypted query generation process in step S407 is shown using FIG.

  The cryptographic query generation unit 116 acquires a keyword and divides the keyword into a predetermined size that can be processed by the searchable encryption unit 114. The cryptographic query generation unit 116 divides the keywords into M1, M2,..., Mn every 128 bits, as in the case of the keyword division in the example of FIG. 5B, for example.

  The cryptographic query generation unit 116 generates an intermediate cryptographic query consisting of n blocks C1, C2,... Cn by encrypting each of the divided keywords using a predetermined initial vector and a data encryption key. Do.

  Similar to the generation of the encryption keyword, the encryption query generation unit 116 uses the block for which the intermediate encryption query has been created, and creates the next intermediate encryption query block. For example, as shown in FIG. 5B, the cryptographic query generation unit 116 encrypts data obtained by xoring the block of the intermediate cryptographic query and the block of the keyword, and creates the next intermediate cryptographic query block.

  The cryptographic query generation unit 116 inputs, for example, the initial vector (W0) and the secret key for random number (K2) into the pseudo random number generator, and uses one random number for xor with the block Cn of the nth intermediate cryptographic query. Generate R'n.

  The cryptographic query generation unit 116 inputs the random number R′n to the homomorphic function, and acquires the output data as the function value X. The homomorphic function needs to be, for example, the same as the homomorphic function used to generate the encryption keyword. For example, as shown in FIG. 7, the cryptographic query generation unit 116 inputs a 128-bit random number R'n to the homomorphic function to obtain a 96-bit function value X.

  The cryptographic query generation unit 116 acquires data obtained by encrypting the function value X using the function value cryptographic key (K3) as a search tag Wn + 1 for the cryptographic query. For example, as shown in FIG. 7, the cryptographic query generation unit 116 encrypts the 128-bit ciphertext by encrypting the 96-bit function value X using the function-value cryptographic key (K3) and the initial vector (W0). Output and set it as search tag Wn + 1 for cryptographic query.

  The cryptographic query generation unit 116 calculates the exclusive OR (XOR operation) of the nth block Cn of the intermediate encryption keyword and the random number R'n, and the ciphertext in which the output result Wn is encrypted for the query Acquire as the main body.

  The cryptographic query generation unit 116 links the initial vector W0, the ciphertext main body Wn, and the prosecution tag Wn + 1 for the cryptographic query, and determines this as a cryptographic query. Note that the procedure for creating the above encrypted query does not necessarily have to be processed in the order as described above, and may be performed in a different order.

  FIG. 8 shows an example of merge processing of a plurality of search indexes. First, the search engine server 120 selects a plurality of search indexes to be merged from the search indexes stored in the index storage unit 113 according to a predetermined policy (S801).

  Specifically, when the search engine server 120 determines that the number of search indexes stored in the index storage unit 113 is equal to or more than a predetermined number, for example, when a predetermined time has elapsed from the previous merge process, or the search engine server If the administrator of 120 directly instructs the server to perform index merge, the process of step S801 is started. The search engine server 120 may start the process of step S801 when it is determined that a new search index has been generated.

  In addition, the search engine server 120 selects, for example, all search indexes stored in the index storage unit 113 as merge targets. Further, for example, the search engine server 120 may select a plurality of search indexes as merge targets so that the total number of encryption keywords included in the keyword dictionary of the selected plurality of search indexes is equal to or more than a predetermined number.

  Subsequently, the search engine server 120 transmits information indicating the selected search index to be merged to the index merge unit 112 (S802). The index merge unit 112 acquires a search index to be merged indicated by the received information from the index storage unit 113, and transmits a keyword dictionary of the acquired search index to the searchable encryption unit 114 (S803).

  The match determination unit 117 identifies a cipher set generated from the same keyword from the cipher sets included in the received keyword dictionary (S804). In addition, the match determination unit 117 compares the first encryption keyword included in the first encryption set with the encryption query included in the second encryption set to obtain the pre-encryption keyword corresponding to the first encryption set and the first encryption set. (2) It is determined whether or not the pre-encryption keyword corresponding to the encryption set matches.

  For example, the match determination unit 117 performs the process of step S804 by performing the comparison process on all the encryption sets included in the received keyword dictionary with the encryption set included in another keyword dictionary to which the encryption set does not belong. Run. The details of the comparison process will be described later.

  The match determination unit 117 transmits the determination result in step S804 to the index merge unit 112 (S805). The index merge unit 112 merges the search index to be merged based on the received determination result to generate one search index which is a merge result, stores the generated search index in the index storage unit 113, and merges Is deleted from the index storage unit 113 (S806).

  The merge process of step S806 will be described. The index merge unit 112 refers to the determination result, specifies a cipher set group consisting of cipher sets generated from the same keyword, and performs the following processing on each cipher set group.

  The index merge unit 112 stores the one encryption set in the index dictionary of the merge result for the encryption set group consisting of one encryption set, and merges the merge target metadata associated with the one encryption set Of the encryption set and the metadata in the merge result.

  In the example of FIG. 3, since the encryption set consisting of "Enckeyword 2" and "Encquery 2" generated from "keyword 2" is included only in the search index 301, that is, one encryption set is generated from "keyword 2". The encryption set and metadata “MetaB” associated with the encryption set are stored in the search index 303 as they are.

  The index merge unit 112 stores, for example, a cipher set consisting of a cryptographic keyword randomly selected from the plurality of cipher sets and a cryptographic query in a keyword dictionary of the merge result for a cipher set group consisting of a plurality of cipher sets Do. In addition, the index merging unit 112 acquires metadata associated with each of the plurality of encryption sets, and stores the acquired metadata in the metadata of the merge result. The index merge unit 112 associates the one cipher set with the metadata in the merge result.

  In the example of FIG. 3, each of the search index 301 and the search index 302 includes a cipher set generated from “keyword1”. Therefore, the index merge unit 112 stores the encryption set including the encryption keyword and the encryption query randomly selected from the encryption set in the keyword dictionary of the search index 303. In addition, the index merge unit 112 searches the search index 303 for “MetaA,” which is metadata linked to the encryption set in the search index 301, and “MetaD”, which is metadata linked to the encryption set in the search index 302. In the search index 303, the encryption set is associated with the metadata.

  Subsequently, the index merge unit 112 transmits a search index merge completion notification to the search engine server 120 (S807). The search engine server 120 reads the search index stored in the index storage unit 113 (S808).

  Hereinafter, an example of the comparison process of the encryption set in step S804 by the coincidence determination unit 117 will be described with reference to FIG. Specifically, the match determination unit 117 compares the first encryption keyword included in the first encryption set with the second query included in the second encryption set, and the first encryption set and the second encryption set An example of the process which determines whether it produced | generated from the same keyword is shown.

  If the index generation server 110 does not acquire the function value decryption key in steps S405 to S406, the match determination unit 117 acquires the function value decryption key of the user of the search index including the second encryption set from the key server 140. Do.

  The coincidence determination unit 117 acquires the ciphertext main body in the first encryption keyword, and extracts the n-th block among the blocks divided into the size processed by the encryption keyword generation unit 115. The coincidence determination unit 117, for example, regards the first encryption keyword D as a set of blocks divided into D0, D1, D2,... Dn, Dn + 1, and extracts the data Dn.

  The match determination unit 117 acquires the ciphertext body in the second encrypted query. For example, the coincidence determination unit 117 regards the second encrypted query W as a set of blocks divided into three with W0, Wn, and Wn + 1, and extracts the second data Wn.

The coincidence determination unit 117 calculates an exclusive OR (XOR operation) of the block Dn included in the ciphertext body of the first encryption keyword and the ciphertext body Wn of the second encryption query in accordance with the following Equation 4.
(Equation 4) Dn xor Wn = (Cn xor Rn) xor (Cn xor R'n)

Here, when the pre-encryption keyword of the first encryption keyword and the pre-encryption keyword value of the second encryption query are the same, since the intermediate encryption keyword obtained by encrypting them is equal to the value of the intermediate encryption query , The following number 5 can be derived.
(From (¬ (A xor B) = A · B + ¬A · ¬B, where ¬ is negative or complement))
(Equation 5) Dn xor Wn = Rn xor R'n
That is, only the information of the random numbers (Rn and R'n) is left in the equation 5.

  The coincidence determination unit 117 inputs the calculation result of the exclusive OR into the homomorphic function, and acquires the function value Y. For example, the homomorphic function needs to be the same as the homomorphic function used in the encryption keyword generation process of FIG. 6 and the encryption query generation process of FIG. 7.

For example, as illustrated in FIG. 9, the match determination unit 117 performs an exclusive logic between the nth 128-bit block Dn of the ciphertext body of the first encryption keyword and the 128-bit ciphertext body of the second cipher query. The sum (XOR) is input to the homomorphic function to obtain, for example, a 96-bit function value Y as shown in the following equation 6.
(Equation 6) Y = F (Dn xor Wn)
If Equation 5 holds, Equation 7 can be derived from Equation 6 below.
(Equation 7) Y = F (Rn xor R'n)

  The match determination unit 117 acquires a search tag of the second encrypted query. For example, the coincidence determination unit 117 regards the second encrypted query W as a set of blocks divided into three such as W0, Wn, and Wn + 1, and extracts the third data Wn + 1.

The match determination unit 117 decrypts the search tag Wn + 1 of the second encrypted query using the function value decryption key of the user corresponding to the second encryption set, and acquires the function value X that is the decryption result. The function value X is expressed by the following equation 8 using the random number Rn and the homomorphic function F in equation 2.
(Equation 8) X = F (Rn)

The match determination unit 117 calculates an exclusive OR (XOR operation) of the function value X and the function value Y, and obtains the function value Z that is the calculation result. For the function value Z, the following number 9 holds.
(A xor (A xor B) = A ¬ (A xor B) + ¬ A · (A xor B) = A · B + ・ A · B = B, according to the other data (A) in the data (B) The original data (B) can be obtained by performing the operation of exclusive OR twice
(Number 9)
Z = X xor Y
= F (Rn) xor (F (Rn xor R'n))
= F (Rn) xor (F (Rn) xor F (R'n)) (from equation 2)
= F (R'n)

  The coincidence determination unit 117 performs irreversible conversion on the function value Z, and acquires it as an irreversible conversion value H that is the execution result. In addition, the said irreversible conversion needs to be the same as the irreversible conversion used for the encryption keyword production | generation process of FIG. 6, for example. For example, as shown in FIG. 9, when the irreversible conversion is the hash function SHA256, the value of the exclusive OR of the 96-bit function value X and the function value Y is converted to a 256-bit hash value (irreversible conversion value) Do.

  The match determination unit 117 acquires, from the irreversible conversion value H, a bit length indicated by a predetermined tag length in the encryption keyword generation process of FIG. For example, as shown in FIG. 9, the match determination unit 117 extracts the least significant 32 bits of the 256-bit hash value, and obtains the match data D ′ n + 1. The bits to be extracted from the irreversible conversion value H may be extracted not only from the least significant bit but also from the most significant bit, or predetermined bits may be extracted or each bit may be extracted at random. Moreover, the bit length to select is also arbitrary.

  The match determination unit 117 acquires a search tag of the first encryption keyword. The match determination unit 117, for example, takes out data Dn + 1 in the first encryption keyword D.

  The match determination unit 117 compares the verification data D with the search tag of the first encryption keyword, and determines that the first encryption set and the second encryption set are generated from the same keyword if they are the same. It is determined that the first cipher set and the second cipher set are generated from different keywords.

  For example, as shown in FIG. 9, the match determination unit 117 compares the search tag Dn + 1 of the first encryption keyword with the verification data D'n + 1, and if the comparison data is identical, the first encryption set and the second encryption set are identical. It is determined that they are generated from keywords, and if they are not identical, it is determined that the first cipher set and the second cipher set are generated from different keywords. In addition, for example, by further executing detection of an erroneous search described in Patent Document 1, the coincidence determination unit 117 specifies a combination of a cryptographic set that has been erroneously determined to be generated from the same keyword, and specifies the combination. The result of the match determination in the combination may be changed.

  According to the above-described process, the coincidence determination unit 117 may generate the first and second cipher sets from the same keyword without decrypting the cipher keywords and the cipher query included in the first and second cipher sets. It can be determined whether or not. The above procedure for searching for confidential data does not necessarily have to be processed in the order as described above, and may be performed in a different order.

  As described above, the full-text search system 100 according to this embodiment can merge the plurality of search indexes without decrypting the encryption keywords included in the plurality of search indexes. As a result, the full-text search system 100 according to this embodiment can maintain search performance such as search processing speed while securing security.

  Although each of the cipher sets of the present embodiment includes a cipher keyword and a cipher query, instead of the cipher query, another cipher text which can be judged that the plaintext matches with the cipher keyword without decryption is judged. May be included.

  Hereinafter, an example of the document search process of the present embodiment will be described. The search engine server 120 receives a search query from the user terminal 130. The search engine server 120 sends a search query to the index generation server 110. The cryptographic query generation unit 116 generates a cryptographic query from the search query using the method of step S408.

  The match determination unit 117 performs match determination (S804) between the encryption query generated by the encryption query generation unit 116 and each encryption keyword of the search index included in the index storage unit 113. That is, the match determination unit 117 identifies an encrypted keyword generated from the same keyword as the search query accepted by the search engine server 120.

  The match determination unit 117 transmits, to the search engine server 120, information indicating the identified encryption keyword. The search engine server 120 extracts metadata associated with the encryption keyword indicated by the information from the read search index, and transmits the extracted metadata and / or the document indicated by the extracted metadata to the user terminal 130.

  In the following embodiments, the description of the same configuration and processing as those of the first embodiment will be omitted, and the differences from the first embodiment will be described. The index generation server 110 according to this embodiment does not include the cryptographic query in the keyword dictionary of the search index which is the merge result.

  FIG. 10 is an explanatory diagram of an example of the search index merge process of this embodiment. The difference from the first embodiment (FIG. 3) is that the search index 301 and the search index 303 are main indexes.

  The main index is a search index in which the keyword dictionary does not include a cryptographic query. That is, each cipher set in the main index consists only of cipher keywords. Also, the search index 302 is a sub index. The sub index is a search index in which the keyword dictionary includes a cryptographic query. That is, the search index described in the first embodiment is a sub index.

  Since the match determination unit 117 determines whether or not the encryption set is generated from the same keyword by comparing the encryption keyword and the encryption query, the index generation server 110 detects the difference between the main index and the sub index. Merge processing can be performed in the same manner as in the first embodiment. For example, in step S806, the index merge unit 112 generates a merge result which is a main index by not including the encryption query in the search index of the merge result.

  Although FIG. 10 shows an example in which the main index and the sub index are merged to generate the main index, the sub indexes may be merged to generate the main index.

  In addition, since each encryption set of the main index includes only the encryption keyword, the coincidence determination unit 117 can not determine whether the encryption keyword is generated from the same keyword between the main indexes. That is, the index generation server 110 can not execute merge processing between main indexes. Therefore, in step S801, the search engine server 120 selects a plurality of search indexes to be merged so as to include only one main index or not include any main index.

  Further, for example, when it is determined in step S801 that a predetermined number or more of sub-indexes are stored in the index storage unit 113, the search engine server 120 may select a plurality of search indexes to be merged.

  As described above, the index generation server 110 according to the present embodiment can execute the merge processing without decrypting the encryption keywords included in the main index and the sub index.

  Furthermore, since the main index does not include the encryption query, it is not possible to determine whether or not there is an encryption keyword generated from the same keyword among a plurality of main indexes unless the decryption key is used. That is, the index generation server 110 according to the present embodiment can secure stronger security by generating the main index by the merge process.

  FIG. 11 is a block diagram showing an example of the entire configuration of the full-text search system of this embodiment. Hereinafter, the difference between the first embodiment and the entire configuration of the full-text search system will be described. The user terminal 130 includes an index generation unit 131 and a searchable encryption unit 132. The searchable encryption unit 132 includes an encryption keyword generation unit 133 and an encryption query generation unit 134. Descriptions of the index generation unit 131, the encryption keyword generation unit 133, and the encryption query generation unit 134 are the same as the descriptions of the index generation unit 111, the encryption keyword generation unit 115, and the encryption query generation unit 116, respectively.

  In this embodiment, the index generation server 110 does not include the index generation unit 111, and the searchable encryption unit 114 of the index generation server 110 does not include the encryption keyword generation unit 115 and the encryption query generation unit 116. It differs from the first embodiment. That is, in the present embodiment, not the index generation server 110 but the user terminal 130 generates an index.

  Hereinafter, differences in the process of FIG. 4 will be described. The processing by the index generation unit 111 in FIG. 4 described in the first embodiment is executed by the index generation unit 131. The processing by the searchable encryption unit 114 in FIG. 4 described in the first embodiment is executed by the searchable encryption unit 132. In step S401, the index generation unit 131 receives the document addition / update request, and acquires encryption key information of the user held by the user terminal 130.

  Also, the process of step S402 is not performed. In addition, the index generation unit 131 transmits the index generated in step S410 to the index generation server 110, and the index generation server 110 stores the index in the received index storage unit 113. Thereafter, the index generation server 110 performs the process of step S411.

  As described above, in the present embodiment, since the user terminal 130 generates an index, there is no need for the index generation server 110 to acquire the data encryption key and the function value encryption key of the user, so more secure security can be ensured. .

  Further, an example in which the present embodiment is applied to the second embodiment will be described. In FIG. 4, it is a sub index generated by the index generation unit 131. For example, if the index generation server 110 executes a merge process each time a sub index is received, the time for holding the main index can be shortened, and more robust security can be ensured.

  The present invention is not limited to the embodiments described above, but includes various modifications. For example, the embodiments described above are described in detail in order to explain the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described. In addition, part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. In addition, with respect to a part of the configuration of each embodiment, it is possible to add, delete, and replace other configurations.

  Further, each of the configurations, functions, processing units, processing means, etc. described above may be realized by hardware, for example, by designing part or all of them with an integrated circuit. Further, each configuration, function, etc. described above may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as a program, a table, and a file for realizing each function can be placed in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  Further, control lines and information lines indicate what is considered to be necessary for the description, and not all control lines and information lines in the product are necessarily shown. In practice, almost all configurations may be considered to be mutually connected.

Claims (7)

A search index merge server that merges encrypted search indexes, and
Including processor and storage,
The storage device holds a first search index and a second search index.
Each of the first search index and the second search index associates and holds an encryption set generated from each of one or more keywords and metadata corresponding to each of the one or more keywords,
Each of the first search index and the second search index cipher set includes an encryption keyword,
Each of the second search index's cipher set includes a cipher query,
Each of the cryptographic keywords includes a ciphertext indicating a keyword encrypted using a random number, and a search tag indicating a value obtained by performing transformation and irreversible transformation on the random number using a homomorphic function,
Each of the cryptographic queries includes a ciphertext indicating a keyword encrypted using a random number, and a search tag indicating a value obtained by performing conversion on the random number using a homomorphic function,
The processor is
Merging the first search index and the second search index to execute a merge process for generating a third search index as a merge result;
In the merge process,
Performing a comparison process of comparing an encryption keyword included in the first search index and an encryption query included in the second search index, and identifying a combination of encryption sets generated from the same keyword;
For each of the identified combinations, an encryption keyword included in one of the encryption sets included in the combination and metadata associated with each of the encryption sets included in the combinations are linked and stored in the third search index ,
In the comparison process,
A function value obtained by performing transformation using a homomorphic function on a value calculated from part or all of the encrypted text of the second encryption keyword to be compared and the encrypted text of the first encrypted query to be compared Calculate
Calculating an irreversible conversion value obtained by performing irreversible conversion on the value calculated from the function value and the value indicated by the search tag of the first cryptographic query;
Based on the comparison result of the irreversible conversion value and the search tag of the second encryption keyword, the encryption set including the second encryption keyword and the encryption set including the first encryption query are from the same keyword Search index merge server to determine if it was generated. The search index merge server according to claim 1, wherein
Each of the encrypted queries is encrypted using the same encryption algorithm as the encrypted search query used to search the encrypted keywords included in the first search index and the second search index. Index merge server. The search index merge server according to claim 1, wherein
Each of the cipher sets included in the third search index comprises only cipher keywords,
The search index merge server, wherein the processor deletes the first search index and the second search index after the end of the merge process. A search index merge system, including a user terminal and a search index merge server, for merging encrypted search indexes, comprising:
The user terminal is
A first keyword group consisting of one or more keywords and a metadata group corresponding to each keyword of the first keyword group are held,
For each of the keywords in the first keyword group,
Generate a ciphertext in which the keyword is encrypted using a random number,
Generate a search tag indicating a value obtained by performing the homomorphic function and the irreversible conversion on the random number,
Generating an encryption keyword including the generated encrypted text and the generated search tag;
For each of the keywords in the first keyword group,
Generate a ciphertext in which the keyword is encrypted using a random number,
Generate a search tag indicating the value of the random number transformed by the homomorphic function,
Generating a cryptographic query including the generated ciphertext and the generated search tag;
Include the encryption keyword and the encryption query corresponding to the same keyword in the same encryption set,
The encryption set corresponding to the same keyword is associated with metadata and stored in the second search index,
Sending the second search index to the search index merge server;
The search index merge server holds a first search index,
The first search index links and holds an encryption set generated from each keyword of the second keyword group including one or more keywords and metadata corresponding to each keyword of the second keyword group.
Each of the first search index's cryptographic set includes cryptographic keywords,
Each of the encryption keywords of the first search index includes: an encrypted text indicating a keyword encrypted using a random number; and a search tag indicating a value obtained by performing transformation and irreversible transformation on the random number using a homomorphic function. Including
The search index merge server is
Merging the first search index and the second search index to execute a merge process for generating a third search index as a merge result;
In the merge process,
Performing a comparison process of comparing an encryption keyword included in the first search index and an encryption query included in the second search index, and identifying a combination of encryption sets generated from the same keyword;
For each of the identified combinations, an encryption keyword included in one of the encryption sets included in the combination and metadata associated with each of the encryption sets included in the combinations are linked and stored in the third search index ,
In the comparison process,
A function value obtained by performing transformation using a homomorphic function on a value calculated from part or all of the encrypted text of the second encryption keyword to be compared and the encrypted text of the first encrypted query to be compared Calculate
Calculating an irreversible conversion value obtained by performing irreversible conversion on the value calculated from the function value and the value indicated by the search tag of the first cryptographic query;
Based on the comparison result of the irreversible conversion value and the search tag of the second encryption keyword, the encryption set including the second encryption keyword and the encryption set including the first encryption query are from the same keyword Search index merge system to determine if generated. A search index merge method in which a search index merge server merges encrypted search indexes,
The search index merge server holds the first search index and the second search index,
Each of the first search index and the second search index associates and holds an encryption set generated from each of one or more keywords and metadata corresponding to each of the one or more keywords,
Each of the first search index and the second search index cipher set includes an encryption keyword,
Each of the second search index's cipher set includes a cipher query,
Each of the cryptographic keywords includes a ciphertext indicating a keyword encrypted using a random number, and a search tag indicating a value obtained by performing transformation and irreversible transformation on the random number using a homomorphic function,
Each of the cryptographic queries includes a ciphertext indicating a keyword encrypted using a random number, and a search tag indicating a value obtained by performing conversion on the random number using a homomorphic function,
The search index merge method is
The search index merge server
Merging the first search index and the second search index to execute a merge process for generating a third search index as a merge result;
In the merge process,
Performing a comparison process of comparing an encryption keyword included in the first search index and an encryption query included in the second search index, and identifying a combination of encryption sets generated from the same keyword;
For each of the identified combinations, an encryption keyword included in one of the encryption sets included in the combination and metadata associated with each of the encryption sets included in the combinations are linked and stored in the third search index ,
In the comparison process,
A function value obtained by performing transformation using a homomorphic function on a value calculated from part or all of the encrypted text of the second encryption keyword to be compared and the encrypted text of the first encrypted query to be compared Calculate
Calculating an irreversible conversion value obtained by performing irreversible conversion on the value calculated from the function value and the value indicated by the search tag of the first cryptographic query;
Based on the comparison result of the irreversible conversion value and the search tag of the second encryption keyword, the encryption set including the second encryption keyword and the encryption set including the first encryption query are from the same keyword A search index merge method that determines whether or not it has been generated. The search index merging method according to claim 5, wherein
Each of the encrypted queries is generated using the same encryption algorithm as the encrypted search query used to search the encrypted keywords included in the first search index and the second search index. Merge method. The search index merging method according to claim 5, wherein
Each of the cipher sets included in the third search index comprises only cipher keywords,
The search index merge method is a search index merge method in which the search index merge server deletes the first search index and the second search index after the end of the merge process.

Images