WO2010122926A1 - Cryptographic processing system - Google Patents


Publication number
WO2010122926A1
Authority
WO
WIPO (PCT)
Prior art keywords
vector
key
information
encryption
space
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2010/056639
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
克幸 高島
龍明 岡本
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
NTT Inc
Original Assignee
Mitsubishi Electric Corp
Nippon Telegraph and Telephone Corp
Application filed by Mitsubishi Electric Corp, Nippon Telegraph and Telephone Corp
Priority to CN201080017994.8A (patent CN102415047B)
Priority to ES10766983T (patent ES2873230T3)
Priority to US13/266,002 (patent US8559638B2)
Priority to EP10766983.0A (patent EP2424154B1)
Priority to KR1020117027936A (patent KR101359200B1)
Publication of WO2010122926A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the present invention relates to a hierarchical predicate key concealment method and a hierarchical predicate encryption.
  • There is a proposal related to predicate encryption (PE) (Non-Patent Document 19). In addition, a proposal regarding authority delegation in predicate encryption has been made (Non-Patent Document 26). Furthermore, a proposal regarding a distortion eigenvector space has been made (Non-Patent Document 21).
  • Non-Patent Document 19 does not describe authority delegation in predicate encryption. Further, in Non-Patent Document 26, although there is a description about authority delegation in predicate encryption, it is limited to predicate encryption for the class of equality relation test. An object of the present invention is, for example, to provide a predicate encryption process capable of delegating authority with a wide application range.
  • The cryptographic processing system is, for example, a cryptographic processing system that performs cryptographic processing using a space V and a space V* that are dual vector spaces associated by a pairing operation, and includes: an encryption device that generates, by a processing device, a vector in the space V in which predetermined information is embedded, as an encryption vector; and a decryption device that uses a predetermined vector in the space V* as a key vector, performs, by a processing device, the pairing operation on the encryption vector generated by the encryption device and the key vector, thereby decrypts the encryption vector, and extracts information relating to the predetermined information.
  • FIG. 1 is a configuration diagram of a cryptographic processing system 10.
  • FIG. 5 is a flowchart showing operations of the key generation device 100, the first layer encryption device 200, and the decryption device 300 of the cryptographic processing system 10.
  • 4 is a flowchart showing operations of an L-th layer key delegation device 400, an (L + 1) -th layer encryption device 200, and a decryption device 300 of the cryptographic processing system 10.
  • FIG. 4 is a functional block diagram showing functions of the cryptographic processing system 10 according to the second embodiment.
  • 5 is a flowchart showing the operation of the key generation device 100.
  • 5 is a flowchart showing the operation of the encryption device 200.
  • 5 is a flowchart showing the operation of the decoding device 300.
  • 10 is a flowchart showing the operation of the key delegation apparatus 400.
  • FIG. 6 is a conceptual diagram showing a base structure of a dual distortion vector space according to the second embodiment.
  • the figure for demonstrating that the session key K cannot be calculated with a low-order key.
  • the figure for demonstrating that the session key K can be calculated with a high-order key.
  • FIG. 20 is a flowchart showing the operation of the encryption device 200 shown in FIG. 20 is a flowchart showing the operation of the decoding device 300 shown in FIG.
  • FIG. 6 is a functional block diagram showing functions of a cryptographic processing system 10 according to a fourth embodiment.
  • 5 is a flowchart showing the operation of the encryption device 200.
  • 5 is a flowchart showing the operation of the decoding device 300.
  • FIG. 10 is a conceptual diagram showing a base structure of a dual distortion vector space according to the fourth embodiment.
  • FIG. 6 is a diagram (1) for explaining an n-copy vector space.
  • FIG. 2 is a diagram (2) for explaining an n-copy vector space.
  • FIG. 9 is a functional block diagram showing functions of a cryptographic processing system 10 according to a sixth embodiment.
  • 5 is a flowchart showing the operation of the key generation device 100.
  • 5 is a flowchart showing the operation of the encryption device 200.
  • 5 is a flowchart showing the operation of the decoding device 300.
  • 10 is a flowchart showing the operation of the key delegation apparatus 400.
  • FIG. 10 is a functional block diagram showing functions of a cryptographic processing system 10 according to a seventh embodiment.
  • 5 is a flowchart showing the operation of the encryption device 200.
  • 5 is a flowchart showing the operation of the decoding device 300.
  • the figure which shows an example of the hardware constitutions of the key generation apparatus 100, the encryption apparatus 200, the decoding apparatus 300, and the key transfer apparatus 400.
  • the processing device is a CPU 911 or the like which will be described later.
  • the storage device is a ROM 913, a RAM 914, a magnetic disk 920, etc., which will be described later.
  • the communication device is a communication board 915 or the like which will be described later.
  • the input device is a keyboard 902, a communication board 915, and the like which will be described later.
  • the output device is a RAM 914, a magnetic disk 920, a communication board 915, an LCD 901, etc., which will be described later. That is, the processing device, the storage device, the communication device, the input device, and the output device are hardware.
  • Equation 43 represents selecting y from A randomly according to the distribution of A.
  • Equation 44 represents selecting y from A uniformly.
  • Expression 45 represents that y is a set defined by z, or y is a set to which z is substituted.
  • Equation 46 represents that machine (algorithm) A outputs a for input x.
  • the vector notation represents a vector representation in the finite field Fq . That is, Equation 47.
  • Equation 48 represents the inner product shown in Equation 50 between the two vectors x→ and v→ shown in Equation 49.
  • 0→ represents the zero vector in F_q^n over the finite field F_q, for any n.
  • X^T represents the transpose of the matrix X.
  • Formula 51 represents that the (i, j)-th value of the matrix X is set to x_{i,j}.
  • Cryptographic processing includes encryption processing, decryption processing, and key generation processing, and also includes key concealment processing.
  • Embodiment 1
  • HPKEM: Hierarchical Predicate Key Encapsulation Method
  • HPE: Hierarchical Predicate Encryption
  • Basics for implementing hierarchical predicate encryption (HPE)
  • the hierarchical predicate key concealment method and the hierarchical predicate encryption described in later embodiments are a hierarchical inner product predicate encryption and a hierarchical inner product predicate key concealment method.
  • To explain hierarchical inner product predicate encryption, the concept of “hierarchical” will be explained first.
  • For inner product predicate encryption, the concept of “hierarchical” will be described.
  • Hierarchical inner product predicate encryption (hierarchical inner product predicate key concealment method), in which the concept of “hierarchical” is added to inner product predicate encryption, will be described.
  • an application example of the hierarchical inner product predicate encryption will be described.
  • Hierarchical inner product predicate encryption in vector space will be described.
  • the hierarchical predicate key concealment method and the hierarchical predicate encryption are realized in a vector space.
  • Third, the basic configuration of the “hierarchical predicate key concealment method” and “hierarchical predicate encryption” according to this embodiment and later embodiments will be described.
  • an outline of the “cryptographic processing system 10” that executes the hierarchical predicate key concealment method and the hierarchical predicate encryption will be described.
  • Fourth, the concept for realizing the hierarchical predicate key concealment method and the hierarchical predicate encryption will be described. First, a bilinear pairing group will be described.
  • DDVS: Dual Distortion Vector Spaces
  • FIG. 1 is a diagram for explaining the concept of “hierarchical”. “Hierarchical” in the hierarchical predicate key concealment scheme and the hierarchical predicate encryption is to have a mechanism capable of delegating authority (delegation system). Authority delegation means that a user who has a higher-order key generates a lower-order key whose function is more limited than that of the key (high-order key).
  • delegation system: a system for delegating authority
  • A Root (key generation device) generates a secret key for each user in the first layer (Level-1) using a master secret key. That is, Root generates keys 1, 2, and 3 for users 1, 2, and 3 in the first layer. For example, user 1 can use key 1 to generate keys 11, 12, and 13 for users 11, 12, and 13, who are users lower than user 1 (first layer).
  • The functions of keys 11, 12, and 13 held by users 11, 12, and 13 are more limited than those of key 1 held by user 1. That the function is limited means that the ciphertexts that can be decrypted by the secret key are limited.
  • Only some of the ciphertexts that can be decrypted with the upper secret key can be decrypted with the lower secret key. That is, among ciphertexts that can be decrypted with key 1 possessed by user 1, only some ciphertexts can be decrypted with keys 11, 12, and 13 possessed by users 11, 12, and 13. Normally, the ciphertexts that can be decrypted by key 11, key 12, and key 13 differ from one another. On the other hand, a ciphertext that can be decrypted by key 11, key 12, or key 13 can be decrypted by key 1.
  • the attribute information x is embedded in the ciphertext
  • The predicate information f_v is embedded in the secret key. That is, in predicate encryption, the ciphertext c encrypted based on the attribute information x is decrypted with the secret key SK_f generated based on the predicate information f_v.
  • the predicate encryption is described in detail in Non-Patent Document 19.
  • Hierarchical inner product predicate encryption is “inner product predicate encryption” having the concept of “hierarchical” described above. That is, the hierarchical inner product predicate encryption (hierarchical inner product predicate key concealment method) is an inner product predicate encryption having an authority delegation system.
  • the hierarchical inner product predicate encryption has a hierarchical structure in attribute information and predicate information in order to give the inner product predicate encryption an authority delegation system.
  • FIG. 2 is a diagram illustrating a hierarchical structure of attribute information and predicate information.
  • Attribute information and predicate information with the same number correspond to each other (that is, their inner product is 0). That is, the inner product of attribute 1 and predicate 1 is 0, the inner product of attribute 11 and predicate 11 is 0, the inner product of attribute 12 and predicate 12 is 0, and the inner product of attribute 13 and predicate 13 is 0.
  • The ciphertext c1 encrypted with attribute 1 can be decrypted with the secret key k1 generated based on predicate 1.
  • The ciphertext c11 encrypted with attribute 11 can be decrypted with the secret key k11 generated based on predicate 11.
  • the same can be said for attribute 12 and predicate 12, and attribute 13 and predicate 13.
  • the hierarchical inner product predicate encryption has an authority delegation system. Therefore, the secret key k11 can be generated based on the secret key k1 generated based on the predicate 1 and the predicate 11.
  • the user having the higher secret key k1 can generate the lower secret key k11 of the secret key k1 from the secret key k1 and the lower order predicate 11.
  • a secret key k12 can be generated from the secret key k1 and the predicate 12
  • a secret key k13 can be generated from the secret key k1 and the predicate 13.
  • a ciphertext encrypted with a key (public key) corresponding to a lower secret key can be decrypted with the upper secret key.
  • a ciphertext encrypted with a key (public key) corresponding to the upper secret key cannot be decrypted with the lower secret key.
  • The ciphertexts c11, c12, and c13 encrypted with attribute 11, attribute 12, and attribute 13 can be decrypted with the secret key k1 generated based on predicate 1.
  • the ciphertext c1 encrypted with the attribute 1 cannot be decrypted with the secret keys k11, k12, and k13 generated based on the predicate 11, the predicate 12, and the predicate 13. That is, the inner product of attribute 11, attribute 12, attribute 13 and predicate 1 is zero.
  • the inner product of attribute 1 and predicate 11, predicate 12, and predicate 13 is not zero.
  • FIG. 3 is a diagram showing an example of hierarchical ID-based encryption (HIBE), which is an application example of hierarchical inner product predicate encryption described later.
  • the hierarchical ID-based encryption is an encryption process in which the ID-based encryption is hierarchical.
  • ID-based encryption is a kind of predicate encryption, and is a matching predicate encryption that can decrypt a ciphertext when the ID included in the ciphertext matches the ID included in the secret key.
  • the Root key generation device
  • the Root generates a secret key (key A) corresponding to the ID “A” based on the master secret key sk and “A” that is the ID of the A company.
  • the security officer of company A generates a secret key corresponding to the ID based on the key A and the ID of each department. For example, the security officer generates a secret key (key 1) corresponding to “A-1” which is the ID of the sales department.
  • the manager of each department generates a secret key corresponding to the ID based on the secret key of the department and the ID of each section belonging to the department.
  • The manager of the sales department generates a secret key (key 11) corresponding to “A-11”, which is the ID of sales section 1.
  • The ciphertext encrypted with the sales section 1 ID “A-11” can be decrypted with key 11, which is the secret key corresponding to the sales section 1 ID “A-11”.
  • the ciphertext encrypted with the ID of the sales section 2 or the sales section 3 cannot be decrypted by the key 11.
  • the ciphertext encrypted with the sales department ID cannot be decrypted by the key 11.
  • the ciphertext encrypted with the sales department ID “A-1” can be decrypted with the key 1 which is the secret key corresponding to the sales department ID “A-1”.
  • the ciphertext encrypted with the ID of the section belonging to the sales department can be decrypted with the key 1. That is, the ciphertext encrypted with the IDs of the sales section 1, the sales section 2, and the sales section 3 can be decrypted with the key 1.
  • the ciphertext encrypted with the ID of the manufacturing department (ID: A-2) or the staff department (ID: A-3) cannot be decrypted with the key 1.
  • the ciphertext encrypted with the ID of Company A cannot be decrypted with the key 1.
  • the ciphertext encrypted with the ID “A” of the A company can be decrypted with the key A which is a secret key corresponding to the ID “A” of the A company. Also, it is possible to decrypt the ciphertext encrypted with the ID of each department belonging to the company A and the section belonging to the department.
  • Since the cryptographic processing described below is not limited to the class of equality relation tests, it can be applied in many ways.
  • For example, applications that could not be realized with conventional predicate encryption having an authority delegation system become possible, such as limiting the searchable range for each layer using conditional expressions such as AND conditions and OR conditions. That is, the hierarchical predicate key concealment method and the hierarchical predicate encryption described in later embodiments can be widely applied to ID-based encryption, searchable encryption, and the like.
  • Hierarchical inner product predicate encryption in vector space: The hierarchical predicate key concealment method and the hierarchical predicate encryption are realized in a high-dimensional vector space called a dual distortion vector space, described later. Thus, hierarchical inner product predicate encryption in vector space will be described.
  • FIG. 4 is a diagram for explaining the basis and the basis vector.
  • FIG. 4 shows a vector v in a two-dimensional vector space.
  • the vector v is c_0 a_0 + c_1 a_1.
  • the vector v is y_0 b_0 + y_1 b_1.
  • c_0, c_1, y_0, and y_1 are coefficients for each basis vector.
  • FIG. 1 since it is a two-dimensional vector space, there are two basis vectors in each basis. However, in the N-dimensional vector space, there are N basis vectors in each basis.
  • f_v(x) = 1 when the inner product of the attribute information x and the predicate information f_v is a predetermined value (here, 0).
  • FIG. 5 is a diagram for explaining a method for realizing a hierarchical structure in a vector space.
  • d is a number representing the depth of the hierarchy.
  • The ciphertext is generated using not only the L-th layer attribute information but also the attribute information from the first layer to the L-th layer.
  • The secret key is generated using not only the L-th layer predicate information but also the predicate information from the first layer to the L-th layer.
  • ⁇ 3 basis vectors c i (i 0,..., Assigned from the first layer to the third layer).
  • ciphertext is generated representing the attribute information from the first layer to the third layer.
  • ⁇ 3 ⁇ 1 the predicate information from the first layer to the third layer is expressed to generate a secret key. That is, the attribute information and predicate information used in the lower layer includes attribute information and predicate information used in the upper layer. Thereby, the attribute information and the predicate information have a hierarchical structure. Then, by using a hierarchical structure for the attribute information and the predicate information, the inner product predicate encryption has an authority delegation system.
  • Hierarchical information ⁇ ⁇ is used to indicate a hierarchical structure in the vector space.
  • Hierarchical information ⁇ ⁇ is shown in Formula 53. That is, the hierarchy information ⁇ ⁇ contains n, which indicates the number of basis vectors (number of dimensions) assigned to represent the hierarchical structure, d, which indicates the depth of the hierarchy, and information indicating the basis vectors assigned to each layer.
  • The inner product predicate is defined as in Expression 55. That is, in the space of each layer, when the inner product of the attribute vector x→ and the predicate vector v→ is 0, the result of inputting the attribute information x to the predicate information f_v is 1 (True). In other words, when the inner product of the attribute vector x→ of a certain layer and the predicate vector v→ of the same layer is 0, the result of inputting the attribute information x to the predicate information f_v is 1 (True).
  • the union in the hierarchical attribute space ⁇ and the hierarchical predicate space F shown in Expression 56 is a disjoint union.
  • the hierarchical predicate information shown in Formula 58 for the hierarchical attribute information shown in Formula 57 is defined as shown in Formula 59.
  • the hierarchical inner product predicate encryption in the vector space is (1) the layer L_v of the hierarchical predicate vector v→ is the same as or higher than the layer L_x of the hierarchical attribute vector x→, and (2) the attribute space
  • it is a predicate encryption in which the result of inputting the hierarchical attribute information shown in Expression 57 to the hierarchical predicate information shown in Expression 58 is 1 (True).
  • Hierarchical predicate key concealment method: The configuration of the hierarchical predicate key concealment method will be briefly described.
  • GenKey: In the GenKey algorithm, the master public key pk, the master secret key sk, and the predicate vector v→_1 shown in Expression 60 (the predicate vector v→_1 may be simply described as v→_1) are input, and the first-layer secret key is output.
  • The master public key pk, the L_v-th layer secret key (1 ≤ L_v ≤ d) shown in Expression 62, and the ciphertext c are input, and the session key K or the identification information ⊥ is output.
  • The identification information ⊥ is information indicating that decryption has failed.
  • The ciphertext c is decrypted with the secret key of the L_v-th layer, information on the predetermined information ( ⁇ ) is extracted, and the session key K is generated. If the decryption fails, the identification information ⊥ is output.
  • the master public key pk, the L-th layer secret key shown in Equation 63, and the (L+1)-th layer predicate vector v→_{L+1} (note that the predicate vector v→_{L+1} is simply v→_{L+1} .
  • The secret key of the (L+1)-th layer shown in Formula 65 is output. That is, the Delegate_L algorithm outputs a lower secret key.
  • The secret key of the L_v-th layer is calculated by the Derive_Lv algorithm shown in Formula 66, which uses the GenKey and Delegate_i algorithms.
  • The GenKey algorithm receives the master public key pk, the master secret key sk, and the predicate vector v→_1 shown in Equation 67, and outputs the first-layer secret key shown in Equation 68.
  • The master public key pk, the L_v-th layer secret key (1 ≤ L_v ≤ d) shown in Equation 69, and the ciphertext c are input, and plaintext information m or identification information ⊥ is output.
  • The identification information ⊥ is information indicating that decryption has failed. That is, in the Dec algorithm, the ciphertext c is decrypted with the secret key of the L_v-th layer, and the plaintext information m is extracted.
  • Delegate_L: As in the hierarchical predicate key concealment method, in Delegate_L the master public key pk, the L-th layer secret key shown in Equation 70, and the (L+1)-th layer predicate vector v→_{L+1} shown in Equation 71 are input, and the secret key for the (L+1)-th layer shown in Equation 72 is output. That is, the Delegate_L algorithm outputs a lower secret key. Note that, as in the HPKEM scheme, the secret key of the L_v-th layer is calculated by the Derive_Lv algorithm shown in Formula 66 described above.
  • FIG. 6 is a configuration diagram of the cryptographic processing system 10.
  • the cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400.
  • decryption apparatus 300 includes key delegation apparatus 400.
  • Since the cryptographic processing system 10 performs hierarchical cryptographic processing, it includes a plurality of encryption devices 200, a plurality of decryption devices 300, and a plurality of key delegation devices 400.
  • the key generation device 100 executes the Setup and GenKey algorithms of the hierarchical predicate key concealment method and the hierarchical predicate encryption.
  • the encryption device 200 executes the Enc algorithm of the hierarchical predicate key concealment method and the hierarchical predicate encryption.
  • the decryption apparatus 300 executes the Dec algorithm of the hierarchical predicate key concealment method and the hierarchical predicate encryption.
  • the key delegation apparatus 400 executes the Delegate L algorithm of the hierarchical predicate key concealment method and the hierarchical predicate encryption.
  • FIG. 7 is a flowchart showing operations of the key generation device 100, the first layer encryption device 200, and the decryption device 300 of the cryptographic processing system 10. That is, FIG. 7 is a flowchart showing operations from generation of a master key (master public key and master secret key) and generation of a first layer private key to encryption and decryption in the first layer.
  • S101 Key generation step
  • the key generation device 100 generates a master public key pk and a master secret key sk by executing the Setup algorithm.
  • The decryption apparatus 300 executes the algorithm Dec based on the master public key pk distributed by the key generation apparatus 100 in (S101) and the first-layer secret key, and decrypts the ciphertext c received from the encryption apparatus 200. As a result of decrypting the ciphertext c, the decryption apparatus 300 obtains the session key K in the case of the hierarchical predicate key concealment method, and obtains plaintext information m in the case of the hierarchical predicate encryption. The decryption apparatus 300 outputs the identification information ⊥ when the decryption fails.
  • FIG. 8 is a flowchart showing the operations of the L-th layer key delegation device 400, the (L + 1) -th layer encryption device 200, and the decryption device 300 of the cryptographic processing system 10. That is, FIG. 8 is a flowchart showing operations from generation of the (L + 1) th layer secret key to encryption and decryption in the (L + 1) th layer.
  • the L-th layer key delegation device 400 secretly distributes the generated secret key to the (L + 1) -th layer decryption device 300.
  • the encryption device 200 also generates a session key K. Then, the encryption device 200 transmits the generated ciphertext c to the decryption device 300 via a network or the like.
  • S203 Decoding step
  • The decryption device 300 executes the algorithm Dec based on the master public key pk distributed by the key generation device 100 in (S101) and the secret key distributed by the L-level key delegation device 400 in (S201), and decrypts the ciphertext c received from the encryption device 200.
  • The decryption apparatus 300 obtains the session key K in the case of the hierarchical predicate key concealment method, and obtains plaintext information m in the case of the hierarchical predicate encryption.
  • Bilinear pairing group: the bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) will be described.
  • The bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) is a set of three cyclic groups G 1 , G 2 , G T of order q.
  • g 1 is a generator of G 1 .
  • g 2 is a generator of G 2 .
  • the bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) satisfies the following non-degenerate bilinear pairing conditions.
  • Non-degenerate bilinear pairing There is a non-degenerate bilinear pairing shown in Equation 73 that can be calculated in polynomial time.
  • When G 1 = G 2 , the pairing is called a symmetric bilinear pairing.
  • Symmetric bilinear pairings can be constructed using supersingular (hyper)elliptic curves.
  • Asymmetric bilinear pairings can be constructed using any (hyper)elliptic curve.
  • An asymmetric bilinear pairing can be constructed using, for example, an ordinary elliptic curve.
  • the description will be made using asymmetric bilinear pairing. That is, the bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) is assumed to be an asymmetric bilinear pairing group. And the case where the dual distortion vector space mentioned later is constructed
  • Equation 77 shows the standard basis A.
  • the standard base A and the standard base A * satisfy the condition shown in Formula 80. That is, the standard base A and the standard base A * are dual orthonormal bases, and the space V and the space V * are dual vector spaces associated by the pairing operation e. It supplements about the standard base A and standard base A * satisfy
  • e (a 0 , a * 0 ) = e (g 1 , g 2 ) × e (0, 0) × ... × e (0, 0) = e (g 1 , g 2 ) = u.
  • a linear transformation called distortion mapping for the generator x of the space V in the standard basis A will be described.
  • A distortion map φ i, j in the standard base A of the space V is the map shown in Formula 81. Since Expression 82 is established, the distortion map φ i, j can perform the conversion shown in Expression 83. That is, the element of the basis vector j of the vector x in the standard basis A can be converted into the element of the basis vector i. At this time, all the elements other than the element of the converted basis vector j are 0. That is, the element of the basis vector j of the vector x becomes the element of the basis vector i, and the other elements become zero.
  • The distortion map φ * i, j in the standard basis A * of the space V * can also be expressed in the same manner as the distortion map φ i, j in the standard basis A of the space V.
  • Any linear transformation W expressed as the N × N matrix shown in Equation 84 can be efficiently calculated for x ∈ V by Equation 85.
  • FIG. 9 is a diagram for explaining the basis conversion method.
  • Using the uniformly selected linear transformation X shown in Expression 86, the standard base A of the space V is converted to another base B of the space V as shown in Expression 87.
  • GL is an abbreviation for General Linear.
  • GL is the general linear group, that is, the set of square matrices whose determinants are not 0, which forms a group under multiplication.
  • the base B is used as a public parameter (public key).
  • X is used as trapdoor information (secret key).
  • The base B * : (b * 0 , ..., b * N-1 ) of the space V * can be efficiently computed from the standard base A * of the space V * .
  • the base B and the base B * are dual orthonormal bases in the dual spaces V and V * . That is, even if the standard bases A and A * are transformed using X, the dual orthonormal bases are preserved.
  • the base B * can be used as a secret key (instead of X).
  • By setting the uppermost layer secret key as X and using partial information of the base B * as the lower-level secret keys, secret keys layered from an upper layer secret key to a lower layer secret key can be created.
  • Non-Patent Document 21 includes a description of calculation problems and determination problems in (V, B), and a description of survey results regarding the relationship between these problems.
  • The computational vector decomposition problem (Computational Vector Decomposition Problem, CVDP) and the decisional subspace problem (Decisional Subspace Problem, DSP) described in Non-Patent Document 21 will be briefly described.
  • CVDP is a high-dimensional spatial analog of the Subgroup Decomposition Problem.
  • the assumption of (N 1 , N 2 ) CVDP is that it is difficult to calculate u shown in Equation 91 when v shown in Equation 90 is given.
  • the above problem will be described in a simplified manner.
  • That is, when the vector v in FIG. 4 is given, it is difficult (not possible) to extract from the vector v the component y 0 b 0 (or y 1 b 1 ) of the vector v in the base B.
  • Inner product predicate encryption using key pair (B, B * ): a dual orthonormal basis (B, B * ) is applied to the calculation of the inner product of two vectors to realize the inner product predicate encryption.
  • To apply the dual orthonormal basis (B, B * ) to the calculation of the inner product of two vectors is to calculate Formula 94.
  • the inner product predicate encryption is realized as follows. Here, the key concealment method will be described, but naturally the encryption method can be similarly realized.
  • the ciphertext c is generated as shown in Equation 95.
  • the secret key k * is generated as shown in Equation 96.
  • Equation 97. That is, if the inner product of the attribute vector x→ and the predicate vector v→ is 0, Equation 98 is obtained. This is because Formula 99 holds, as described above.
  • The receiving side can acquire the shared information K (session key) from the ciphertext c.
  • The session key K is concealed. That is, an attacker who does not have the secret key k * cannot obtain information on the session key K from the ciphertext c. This is because ρ b n , which is a component of the ciphertext c, cannot be extracted according to the CVDP assumption described above. Further, not only the session key K but also the attribute vector x→ is concealed. That is, an attacker who does not have the secret key k * cannot obtain information about the attribute vector x→ as well as the session key K from the ciphertext c.
  • The DSP assumption described above plays a central role in explaining that the attribute information x→ is concealed. This is because the DSP assumption shows that Formula 100 cannot be distinguished from Formula 101.
  • Dual distortion vector space: based on the concept described in 4 above, the dual distortion vector space will be described. As described above, the hierarchical predicate key concealment method and the hierarchical predicate encryption described later are realized in the dual distortion vector space.
  • DDVS V, V *, G T , A, A *, q
  • V: (a 0, ...
  • Non-degenerate bilinear pairing (see 4-1 above) A non-degenerate bilinear pairing e that can be calculated in polynomial time exists. That is, the second condition is that the non-degenerate bilinear pairing e shown in Equation 103 exists.
  • Dual orthonormal basis (see 4-2 above) The standard base A of the space V and the standard base A * of the space V * are dual orthonormal bases. That is, the third condition is that the standard base A of the space V and the standard base A * of the space V * satisfy the condition shown in Formula 104. Note that, by satisfying the third condition, it can also be said that the space V and the space V * are dual spaces associated by the pairing operation e (see 4-2 above).
  • Let End Fq (V) be the F q -vector space of endomorphisms of the space V over F q .
  • Let End Fq (V * ) be the F q -vector space of endomorphisms of the space V * over F q .
  • The distortion maps φ i, j form a basis of the N^2-dimensional F q -vector space End Fq (V) (resp. End Fq (V * )).
  • A random polynomial-time computable endomorphism of V / F q (resp. V * / F q ) shown in Equation 106 can be efficiently sampled.
  • an example of a dual distortion vector space will be described.
  • A method by which the cryptographic processing system 10 realizes the hierarchical predicate key concealment method and the hierarchical predicate encryption will be briefly described. First, the cryptographic processing system 10 implements a hierarchical predicate key concealment method and a hierarchical predicate encryption in a dual distortion vector space.
  • That is, the cryptographic processing system 10 realizes the hierarchical predicate key concealment method and the hierarchical predicate encryption in high-dimensional dual vector spaces that have a distortion map, a non-degenerate bilinear pairing, and a dual orthonormal basis, and that are associated by the pairing operation e.
  • a pairing operation e (a pairing operation in a high-dimensional vector space) for associating two spaces is the pairing operation defined in the above 4-2.
  • The cryptographic processing system 10 realizes the hierarchical predicate key concealment method and the hierarchical predicate encryption by using, as a key pair (a pair of a public key and a secret key), the dual orthonormal bases B and B * generated by a predetermined transformation from the standard bases A and A * of the spaces V and V * .
  • The key generation apparatus 100 of the cryptographic processing system 10 uses one of the dual orthonormal bases B and B * (hereinafter referred to as the base B) as the master public key, and the other (hereinafter referred to as the base B * ) as the master secret key. That is, in (S101) of FIG. 7, the key generation device 100 generates information including the base B of the dual distortion vector space, which is a high-dimensional vector space, as the master public key, and generates information including the base B * as the master secret key.
  • the information ⁇ for generating the session key K or the plaintext information m is embedded in the vector in FIG. In (S103) of FIG.
  • The decryption apparatus 300 performs a pairing operation e on the ciphertext c, which is a vector in the base B, and the first-layer secret key, which is a vector in the base B * , to extract the embedded session key K or plaintext information m.
  • the pairing operation e on the high-dimensional vector executed by the decoding apparatus 300 is the pairing operation defined in the above 4-2.
  • The decryption apparatus 300 performs a pairing operation e on the ciphertext c, which is a vector in the base B, and the L + 1 layer private key, which is a vector in the base B * , to extract the embedded session key K or plaintext information m.
  • Note that the security of the encryption process (the confidentiality of the session key K or the plaintext information m and the attribute vector) is guaranteed based on the computationally hard problems described in 4-6 above.
  • Embodiment 2. In this embodiment, a cryptographic processing system 10 that realizes a hierarchical predicate key concealment method will be described based on the concept described in the first embodiment.
  • FIG. 10 is a functional block diagram showing functions of the cryptographic processing system 10 according to this embodiment.
  • the cryptographic processing system 10 includes the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400. Also here, it is assumed that the decryption device 300 includes the key delegation device 400.
  • FIG. 11 is a flowchart showing the operation of the key generation device 100.
  • FIG. 12 is a flowchart showing the operation of the encryption device 200.
  • FIG. 13 is a flowchart showing the operation of the decoding device 300.
  • FIG. 14 is a flowchart showing the operation of the key delegation device 400.
  • FIG. 15 is a conceptual diagram showing the base structure of the dual distortion vector space.
  • the key generation device 100 includes a master key generation unit 110, a master key storage unit 120, a key vector generation unit 130, a key generation vector generation unit 140, and a key distribution unit 150.
  • G ddvs is a dual distortion vector space generation algorithm that takes 1^λ and N as inputs and outputs (V, V * , G T , A, A * , q) for the security parameter 1^λ and the N-dimensional space V.
  • The master key generation unit 110 generates the base B * from the base A * based on the generated linear transformation (X^T)^-1 .
  • The master key generation unit 110 sets the generated basis B * as the master secret key sk, and sets (1^λ, μ→, V, V * , G T , A, A * , q, B), which includes the generated basis B, as the master public key pk.
  • the master key generation unit 110 executes the Setup algorithm shown in Equation 108 to generate the master public key pk and the master secret key sk.
  • The key generation vector generation unit 140 calculates Formula 110 based on the master public key pk, the master secret key sk, and the predicate vector v→ 1 , and generates, by the processing device, the key generation vectors k * 1, j for generating a lower secret key (lower key vector).
  • The key vector generation unit 130 and the key generation vector generation unit 140 execute the GenKey algorithm shown in Formula 111 to generate, by the processing device, a first-layer private key (key information k→ * 1 ) including the key vector k * 1,0 and the key generation vectors k * 1, j .
  • The key distribution unit 150 transmits the master public key generated by the master key generation unit 110 and the key information k→ * 1 generated by the key vector generation unit 130 and the key generation vector generation unit 140 to the decryption device 300 via the communication device. In addition, the key distribution unit 150 transmits the master public key to the encryption device 200 via the communication device.
  • The key information k→ * 1 is secretly transmitted to the decryption device 300.
  • Any method may be used to transmit the key information k→ * 1 secretly to the decryption device 300. For example, transmission may be performed using conventional cryptographic processing.
  • the encryption device 200 includes a transmission information setting unit 210, an encryption vector generation unit 220, a data transmission unit 230, and a session key generation unit 240.
  • Based on the master public key pk, the transmission information setting unit 210 generates the transmission information vector ρv by calculating Formula 112 using the processing device. That is, the transmission information setting unit 210 sets the transmission information ρ (here, a random number) as a coefficient for the base vector b n of the base B included in the master public key pk, and generates the transmission information vector ρv.
  • the cryptographic vector generation unit 220 sets the random number ⁇ n + 1 as a coefficient for the base vector b n + 1 of the base B included in the master public key pk, and generates a random vector rv.
  • the encryption vector generation unit 220 adds the generated attribute information vector xv and the random number vector rv to the transmission information vector ⁇ v generated by the transmission information setting unit 210 to generate the encryption vector c by the processing device.
  • the data transmission unit 230 transmits the encryption vector c generated by the encryption vector generation unit 220 to the decryption device 300 via the communication device.
  • the session key generating unit 240 generates the session key K by calculating the expression 114 by the processing device.
  • the encryption apparatus 200 executes the Enc algorithm shown in Formula 115 to generate the encryption vector c and the session key K.
  • the decryption apparatus 300 includes a vector input unit 310, a key vector storage unit 320, and a pairing calculation unit 330.
  • the vector input unit 310 receives and inputs the encryption vector c transmitted from the data transmission unit 230 of the encryption device 200 via the communication device.
  • the session key K ′ is calculated by performing a pairing operation e for associating V with the space V * by the processing device.
  • the key vector storage unit 320 stores the key vector k * L, 0 in the storage device.
  • the fact that the session key K can be calculated by this pairing operation will be described later in detail.
  • the decryption apparatus 300 executes the Dec algorithm expressed by Equation 117 to generate a session key K ′.
  • the key delegation apparatus 400 includes a key vector acquisition unit 410, a key vector generation unit 420, a key generation vector generation unit 430, and a key distribution unit 440.
  • the secret key (key information k ⁇ * L ) in the Lth layer including the key generation vector k * L, j that is the element of 1) is acquired via the communication device.
  • Key information k ⁇ * L including L, 0 and key generation vector k * L, j is acquired via a communication device.
  • the key generation vector generation unit 430 calculates Formula 119 based on the master public key pk, the key information k ⁇ * L, and the predicate vector v ⁇ L + 1 to generate a lower secret key (lower key vector).
  • J randomized predicate vectors v ⁇ L + 1 are added to each vector to set a key vector k * L + 1, j for generating a key vector subordinate to key vector k * L + 1,0.
  • The key vector generation unit 420 and the key generation vector generation unit 430 execute the Delegate L algorithm shown in Formula 120 to generate, by the processing device, a secret key (key information k→ * L + 1 ) in the (L + 1)th layer including the key vector k * L + 1,0 and the key generation vectors k * L + 1, j . That is, among the key information k→ * L + 1 shown in Expression 120, the first (leading) element k * L, 0 is the key vector k * L + 1,0 that becomes the decryption key L + 1.
  • the second and subsequent elements of the key information k ⁇ * L + 1 shown in Expression 120 are tags for key delegation.
  • the key distribution unit 440 transmits the key information k ⁇ * L + 1 generated by the key vector generation unit 420 and the key generation vector generation unit 430 to the lower decryption device 300 via the communication device.
  • the key information k ⁇ * L + 1 is secretly transmitted to the decryption apparatus 300.
  • Any method may be used to transmit the key information k→ * L + 1 secretly to the decryption apparatus 300. For example, transmission may be performed using conventional cryptographic processing.
  • the subscripts of the random number ⁇ and the random number ⁇ are omitted for simplicity.
  • In the key vector k * L, 0 , 1 is set as the coefficient for the base vector b * n . Further, in the key vector k * L, 0 , 0 is set as the coefficient for the base vector b n + 1 .
  • a base vector b i (i 0,..., ⁇ L ⁇ 1) in which an attribute vector is set as a coefficient in the ciphertext c, and a predicate vector is set as a coefficient in the key vector k * L, 0
  • FIG. 17 is a diagram for explaining that the session key K cannot be calculated with a lower key.
  • It will be explained that the session key K cannot be extracted when the pairing calculation unit 330 performs the pairing calculation shown in Formula 116 above on the ciphertext c encrypted based on the upper layer attribute vector and the lower layer key vector k * Lv, 0 .
  • the subscripts of the random number ⁇ and the random number ⁇ are omitted for simplicity.
  • In the ciphertext c, ρ is set as the coefficient of the basis vector b n .
  • a random number ⁇ is set as a coefficient for the base vector b n + 1 .
  • In the key vector k * Lv, 0 , 1 is set as the coefficient for the base vector b * n .
  • In the key vector k * Lv, 0 , 0 is set as the coefficient for the base vector b n + 1 .
  • a basis vector b i (i 0,..., ⁇ Lx ⁇ 1) in which an attribute vector is set as a coefficient in the ciphertext c, and a predicate vector is set as a coefficient in the key vector k * L, 0
  • a base vector b i (i ⁇ Lx ,..., ⁇ Lv ⁇ 1) in which a random number is set as a coefficient in the ciphertext c, and a predicate vector is set as a coefficient in the key vector k * L, 0
  • FIG. 18 is a diagram for explaining that the session key K can be calculated using a higher-order key.
  • It will be described that the session key K can be extracted when the pairing calculation unit 330 performs the pairing calculation shown in Formula 116 above on the ciphertext c encrypted based on the lower layer attribute vector and the upper layer key vector k * Lv, 0 .
  • the subscripts of the random number ⁇ and the random number ⁇ are omitted for simplicity.
  • the coefficients for the base vectors of the ciphertext c and the key vector k * Lv, 0 are set in the same manner as in FIG.
  • a basis vector b i (i 0,..., ⁇ Lv ⁇ 1) in which an attribute vector is set as a coefficient in the ciphertext c, and a predicate vector is set as a coefficient in the key vector k * L, 0
  • the cryptographic processing system 10 can realize the hierarchical predicate key concealment method based on the concept described in the first embodiment.
  • The key vector generation unit 130 calculates Formula 122 based on the master public key pk, the master secret key sk, and the predicate vector (v→ 1 , ..., v→ L ) shown in Formula 121, and generates, by the processing device, a key vector k * L, 0 , which is the leading element of the L-th layer (level L) secret key.
  • The key generation vector generation unit 140 calculates Formula 123 based on the master public key pk, the master secret key sk, and the predicate vector (v→ 1 , ..., v→ L ) shown in Formula 121, and generates, by the processing device, a key generation vector k * 1, j for generating a lower secret key.
  • The key vector generation unit 130 and the key generation vector generation unit 140 may execute the GenKey algorithm shown in Formula 124 to generate, by the processing device, the L-th layer secret key (key information k→ * 1 ) including the key vector k * L, 0 and the key generation vectors k * L, j .
  • the key generation device 100 may generate a secret key for the Lth layer.
  • FIG. 19 is a functional block diagram illustrating functions of the cryptographic processing system 10 that implements hierarchical predicate encryption.
  • the key generation device 100 and the key delegation device 400 of the cryptographic processing system 10 shown in FIG. 19 are the same as the key generation device 100 and the key delegation device 400 of the cryptographic processing system 10 shown in FIG.
  • the encryption device 200 of the encryption processing system 10 illustrated in FIG. 19 does not include the session key generation unit 240 included in the encryption device 200 of the encryption processing system 10 illustrated in FIG.
  • The decryption device 300 of the cryptographic processing system 10 illustrated in FIG. 19 includes a discrete logarithm calculation unit 340 in addition to the functions of the decryption device 300 of the cryptographic processing system 10 illustrated in FIG.
  • FIG. 20 is a flowchart showing the operation of the encryption apparatus 200 shown in FIG.
  • FIG. 21 is a flowchart showing the operation of the decoding device 300 shown in FIG.
  • the operations of the key generation device 100 and the key delegation device 400 are the same as the operations of the key generation device 100 and the key delegation device 400 of the cryptographic processing system 10 shown in FIG.
  • The transmission information setting unit 210 of the encryption device 200 sets, by the processing device, the message m as the coefficient of the basis vector b n instead of the transmission information ρ in (S401), and generates the plaintext vector mv.
  • The encryption vector generation unit 220 generates the attribute information vector xv and the random number vector rv in the same manner as in (S402). Then, the encryption vector generation unit 220 adds the generated attribute information vector xv and random number vector rv to the plaintext vector mv to generate the encryption vector c by the processing device.
  • the data transmission unit 230 transmits the generated encryption vector c to the decryption device 300 through the communication device in the same manner as in (S402).
  • the vector input unit 310 of the decryption device 300 receives and inputs the encryption vector c via the communication device, as in (S501).
  • the plaintext information m input here is assumed to be a number smaller than a predetermined small integer ⁇ .
  • the above-described hierarchical predicate key concealment method and hierarchical predicate encryption do not use the distortion map included in the condition of being a dual distortion vector space.
  • the distortion map is not used in an algorithm that realizes cryptographic processing, but is used to prove the security of cryptographic processing. Therefore, it can be said that the above-described hierarchical predicate key concealment method and hierarchical predicate encryption are established even in a space without distortion mapping. That is, it is not essential that there is a distortion map in the space for realizing the above-described hierarchical predicate key concealment method and hierarchical predicate encryption.
  • Embodiment 3. In this embodiment, the security of the hierarchical predicate key concealment method described in the second embodiment will be described.
  • the validity of the hierarchical predicate key concealment method will be described.
  • the hierarchical predicate key concealment method described in the second embodiment satisfies this validity requirement.
  • attribute concealment safety for the hierarchical predicate key concealment method
  • adaptive attribute concealment for CPA (Chosen Plaintext Attacks)
  • the hierarchical predicate key concealment method described in the second embodiment satisfies the requirement for adaptive attribute concealment for CPA.
  • Hierarchical predicate key concealment method needs to satisfy the requirements shown in Expression 126.
  • Lemma 1: Let 1 ≤ L ≤ d.
  • The secret key for the L-th layer shown in Expression 128 is given by a linear combination with the coefficients ⁇ L, i, j ∈ F q in the expression shown in Expression 129. (Explanation that Lemma 1 is true) This will be explained by induction on L.
  • When L = 1, Lemma 1 holds because Formula 130 holds.
  • Assume that Lemma 1 holds for L-1. That is, Formula 131 holds.
  • Formula 132. This indicates that Equation 129 holds for k * L, 0 .
  • The attribute concealment security for the hierarchical predicate key concealment method means that the concealment of the attribute vector used for generating the ciphertext (cipher vector) is maintained. That is, in a hierarchical predicate key concealment method that has attribute concealment security, even if the attacker A acquires the ciphertext, the attacker A cannot learn the attribute vector used to generate the ciphertext, just as it cannot learn the information on the transmission information ρ (session key K).
  • the exact definition of the attribute concealment security for the predicate key concealment method is described in Non-Patent Document 19. Note that Non-Patent Document 19 does not consider the concept of “hierarchical”.
  • The attacker A is given a key corresponding to the request shown in Formula 147.
  • 3. Attacker A outputs Formula 149 under the limit of Formula 148.
  • 4. A random bit ⁇ is selected.
  • Formula 150 is calculated.
  • The key K ′ is randomly selected from the associated session key space, as shown in Formula 151.
  • 5. Attacker A can continue to request keys for the vector shown in Formula 152 under the above restrictions.
  • 6. The advantage of the attacker A is defined as Formula 153.
  • The hierarchical predicate key concealment method described in Embodiment 2 satisfies the requirement for adaptive attribute concealment for CPA.
  • Embodiment 4. In this embodiment, a highly secure hierarchical predicate encryption to which the hierarchical predicate key concealment method described in the second embodiment is applied will be described.
  • high security means that the security of adaptive attribute concealment for CCA (Chosen Ciphertext Attacks) described in the following embodiment is satisfied.
  • CCA Chosen Ciphertext Attacks
  • a cryptographic processing system 10 that implements hierarchical predicate encryption that satisfies the security of adaptive attribute concealment for CCA will be described using the above four concepts.
  • Let (Mac, Vrfy) be a message authentication code that is secure against one-time chosen-message attacks.
  • The definition of a message authentication code that is secure against a one-time chosen-message attack is described in Non-Patent Document 7.
  • Vrfy is a process for verifying authentication information generated by Mac.
  • Let (Setup enc , S enc , R enc ) be a secure concealment scheme. Further, together with (Setup enc , S enc , R enc ), first verification information com, second verification information dec, and third verification information r described later are used. Note that the definition of a secure concealment method is described in Non-Patent Document 7.
  • (Setup enc , S enc , R enc ) is a set of processes that operate together as follows. Setup enc takes the security parameter 1^k as input, and randomly selects and outputs a character string pub.
  • S enc receives 1^k and the character string pub as input, and randomly selects and outputs the first verification information com, the second verification information dec, and the third verification information r with r ∈ {0,1}^k. R enc receives the character string pub, the first verification information com, and the second verification information dec, and outputs the third verification information r that satisfies r ∈ {0,1}^k ∪ {⊥}.
  • When R enc receives the character string pub output by Setup enc , and the first verification information com and the second verification information dec output by S enc on input of that pub, it outputs the third verification information r with r ∈ {0,1}^k; when other information is input, it outputs the third verification information r with r = ⊥.
  • Let (SE, SD) be a secure common key cryptosystem.
  • The definition of the secure common key cryptosystem is described in Non-Patent Document 1.
  • (SE, SD) is a pair of processes that operate as follows.
  • SE is a process of encrypting using a common key.
  • SD is a process of decrypting using a common key.
  • KDF be a secure key generation function.
  • the definition of the secure key generation function is described in Non-Patent Document 1.
  • FIG. 22 is a functional block diagram showing functions of the cryptographic processing system 10 according to this embodiment. Similar to the cryptographic processing system 10 according to the second embodiment, the cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400. Also here, it is assumed that the decryption device 300 includes the key delegation device 400.
  • FIG. 23 is a flowchart showing the operation of the encryption device 200.
  • FIG. 24 is a flowchart showing the operation of the decryption device 300.
  • FIG. 25 is a conceptual diagram showing the base structure of the dual distortion vector space.
  • the function and operation of the key generation device 100 will be described.
  • the functional configuration of the key generation device 100 is the same as the functional configuration of the key generation device 100 according to Embodiment 2 shown in FIG.
  • the operation flow of the key generation apparatus 100 is also the same as the operation flow of the key generation apparatus 100 according to the second embodiment shown in FIG. Therefore, the function and operation of the key generation device 100 will be described with reference to FIG.
  • The master key generation unit 110 sets the generated basis B * as the master secret key sk, and sets (1 ⁇ , ⁇ ⁇ , V, V *, G T, A, A *, q, B, pub), which includes the generated basis B, as the master public key pk. That is, the master public key pk differs from the master public key generated by the master key generation unit 110 according to the second embodiment in that it includes the character string pub.
  • Another one of the remaining four basis vectors is a basis vector for randomizing the ciphertext c.
  • the other two basis vectors (n + 2, n + 3th basis vectors) among the remaining four basis vectors are basis vectors for verification information (first verification information com).
  • the master key generation unit 110 executes the Setup algorithm shown in Formula 155 to generate the master public key pk and the master secret key sk.
  • the key vector generation unit 130 calculates the equation 156 and generates the key vector k * 1,0 by the processing device.
  • The key vector generation unit 130 and the key generation vector generation unit 140 execute the GenKey algorithm shown in Formula 158, and the processing device generates a first-layer secret key (key information k ⁇ * 1 ) including the key vector k * 1,0 and the key generation vectors k * 1, j .
  • The key distribution unit 150 transmits the master public key generated by the master key generation unit 110, and the key information k ⁇ * 1 generated by the key vector generation unit 130 and the key generation vector generation unit 140, to the decryption device 300 via the communication device.
  • the key distribution unit 150 transmits the master public key to the encryption device 200 via the communication device.
  • In addition to the functions of the encryption device 200 according to Embodiment 2 shown in FIG., the encryption device 200 includes a verification information generation unit 250, a verification information setting unit 260, and a signature information generation unit 270 (c2 generation unit, c3 generation unit, c4 generation unit).
  • the verification information generation unit 250 generates the first verification information com, the second verification information dec, and the third verification information r by calculating Formula 159 by the processing device.
  • The verification information generation unit 250 takes the character string pub included in the master public key as input and executes S_enc(1^λ, pub) by the processing device, thereby generating the first verification information com, the second verification information dec, and the third verification information r.
  • As in the second embodiment, the transmission information setting unit 210 generates the transmission information vector ⁇ v by calculating Formula 160 by the processing device.
  • the verification information setting unit 260 generates the verification information vector cv by calculating Formula 161 by the processing device based on the master public key pk. That is, (1) the verification information setting unit 260 generates a random number ⁇ n + 2 by the processing device. (2) The verification information setting unit 260 sets a predetermined value (here, 1) randomized with a random number ⁇ n + 2 as a coefficient for the base vector b n + 2 of the base B included in the master public key pk by the processing device. Then, the first verification information com randomized with the random number ⁇ n + 2 is set as a coefficient for the base vector b n + 3 by the processing device, and the verification information vector cv is generated.
  • The encryption vector generation unit 220 generates the encryption vector c (data c1) by adding, by the processing device, the generated attribute information vector xv, the random number vector rv, the transmission information vector ⁇ v generated by the transmission information setting unit 210, and the verification information vector cv generated by the verification information setting unit 260.
  • the session key generation unit 240 generates the session key K by calculating Formula 163 by the processing device.
  • The signature information generation unit 270 calculates Formula 164 by the processing device to generate data c2. That is, the signature information generation unit 270 generates a common key by executing KDF on the session key K by the processing device. Using the generated common key, the signature information generation unit 270 executes SE by the processing device, encrypts the plaintext information m and the second verification information dec, and generates data c2.
  • the signature information generation unit 270 sets the first verification information com as data c3.
  • the signature information generation unit 270 generates the data c4 by calculating the following expression 165 by the processing device. That is, the signature information generation unit 270 encrypts the data c1 generated by the encryption vector generation unit 220 and the data c2 generated by the signature information generation unit 270 by the processing device based on the third verification information r.
  • the data transmission unit 230 transmits the data c1 generated by the encryption vector generation unit 220 and the data c2, c3, c4 generated by the signature information generation unit 270 to the decryption device 300 via the communication device.
  • the encryption device 200 executes the Enc algorithm shown in Formula 166 to generate data c1, c2, c3, and c4.
  • In addition to the functions of the decryption device 300 according to Embodiment 2 shown in FIG., the decryption device 300 includes a vector transformation unit 350, a decryption unit 360 (c2 decryption unit), and a falsification verification unit 370.
  • the vector input unit 310 receives and inputs the data c1, c2, c3, and c4 transmitted by the data transmission unit 230 of the encryption device 200 via the communication device.
  • The vector transformation unit 350 calculates Equation 167 by the processing device and deforms the key vector k * L, 0 . That is, the vector transformation unit 350 deforms the key vector k * L, 0 , which is the first element of the L-th layer secret key, according to the data c3 (verification information com), so that the verification information com set by the verification information generation unit 250 of the encryption device 200 is erased by the pairing operation executed in a later step (that is, so that the inner product over the basis vectors b n + 2 , b n + 3 , in which information including the verification information com is set, and the basis vectors b * n + 2 , b * n + 3 is 0).
  • The session key K ′ is calculated by performing the pairing operation e, which associates the space V with the space V * .
  • the pairing calculation unit 330 can generate the same session key K as the session key K generated by the encryption device 200.
  • The decryption unit 360 calculates Formula 169 by the processing device and decrypts the data c2. That is, the decryption unit 360 executes KDF on the session key K by the processing device and generates a common key.
  • the third verification information r generated by the encryption device 200 executing S_enc is generated.
  • the identification information ⊥ is generated instead of the third verification information r. That is, when data other than the identification information ⊥ is generated, the falsification verification unit 370 can determine that the data is the correct third verification information r generated by the encryption device 200 executing S_enc.
  • The falsification verification unit 370 executes Vrfy by the processing device based on the generated third verification information r ′ and the data c1, c2, and c4 received from the encryption device 200, as shown in Expression 171. If the third verification information r ′ is correct and the data c1, c2, and c4 have not been falsified, the execution result of Vrfy is 1. On the other hand, if the third verification information r ′ is not correct, or if any of the data c1, c2, and c4 has been falsified, the execution result of Vrfy is 0.
  • the falsification verification unit 370 determines that the generated plaintext information m ′ is the plaintext information m transmitted by the encryption device 200. When it is determined that the plaintext information m ′ is the plaintext information m, the falsification verification unit 370 outputs the plaintext information m ′. On the other hand, when it is determined that the plaintext information m ′ is not the plaintext information m, the falsification verification unit 370 outputs the identification information ⊥.
  • The decryption device 300 executes the Dec algorithm represented by Equation 172 to generate plaintext information m ′ or identification information ⊥.
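The data flow of the encryption device 200 and the decryption device 300 described above (c1, c2, c3, c4 and the order of the checks), as an added example that is not code from the patent. Every primitive here is an assumed stand-in: the pairing-based c1 and session key K are replaced by a toy Diffie-Hellman KEM whose key is bound to com, (Setup_enc, S_enc, R_enc) by a hash commitment, (SE, SD) by a hash keystream, and c4 is computed with Mac as HMAC keyed by r; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BOTTOM = None            # stands for the distinguished output on rejection
P, G = 2**255 - 19, 2    # toy group for the stand-in KEM (assumption, demo only)

def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

# (Setup_enc, S_enc, R_enc): hash-based stand-in for the concealment scheme
def setup_enc() -> bytes:
    return secrets.token_bytes(32)                      # character string pub

def s_enc(pub: bytes):
    dec = secrets.token_bytes(32)
    return H(b"com", pub, dec), dec, H(b"r", pub, dec)  # (com, dec, r)

def r_enc(pub: bytes, com: bytes, dec: bytes):
    if not hmac.compare_digest(com, H(b"com", pub, dec)):
        return BOTTOM                                   # com does not open to dec
    return H(b"r", pub, dec)

# KDF, (SE, SD) and (Mac, Vrfy) stand-ins
def kdf(K: bytes) -> bytes:
    return H(b"kdf", K)

def se(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; the key is fresh per ciphertext."""
    stream = b"".join(H(b"ks", key, i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

sd = se  # decryption is the same XOR

def mac(r: bytes, c1: bytes, c2: bytes) -> bytes:
    return hmac.new(r, H(c1, c2), hashlib.sha256).digest()

def vrfy(r: bytes, c1: bytes, c2: bytes, tag: bytes) -> int:
    return 1 if hmac.compare_digest(mac(r, c1, c2), tag) else 0

# Stand-in KEM: the session key K depends on com, as the deformed key vector does
def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x                              # (pk, sk)

def encap(pk: int, com: bytes):
    y = secrets.randbelow(P - 2) + 1
    c1 = pow(G, y, P).to_bytes(32, "big")
    return c1, H(b"K", pow(pk, y, P).to_bytes(32, "big"), c1, com)

def decap(sk: int, c1: bytes, com: bytes) -> bytes:
    shared = pow(int.from_bytes(c1, "big"), sk, P)
    return H(b"K", shared.to_bytes(32, "big"), c1, com)

def encrypt(pk: int, pub: bytes, m: bytes):
    com, dec, r = s_enc(pub)
    c1, K = encap(pk, com)
    c2 = se(kdf(K), dec + m)               # c2 hides both dec and m
    return c1, c2, com, mac(r, c1, c2)     # (c1, c2, c3, c4)

def decrypt(sk: int, pub: bytes, ct):
    c1, c2, c3, c4 = ct
    if len(c1) != 32 or len(c2) < 32:
        return BOTTOM
    K = decap(sk, c1, c3)                  # K' recomputed using c3 (com)
    pt = sd(kdf(K), c2)
    dec, m = pt[:32], pt[32:]
    r = r_enc(pub, c3, dec)                # r' or the rejection symbol
    if r is BOTTOM or vrfy(r, c1, c2, c4) != 1:
        return BOTTOM
    return m

if __name__ == "__main__":
    pk, sk = keygen()
    pub = setup_enc()
    ct = encrypt(pk, pub, b"constructed sample plaintext")
    print(decrypt(sk, pub, ct))
```

Changing any one of c1, c2, c3 or c4 makes `decrypt` return the rejection value, because either R_enc fails to recover r or Vrfy over (c1, c2) fails.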
  • the function and operation of the key delegation device 400 will be described.
  • the functional configuration of key delegation apparatus 400 is the same as the functional configuration of key delegation apparatus 400 according to Embodiment 2 shown in FIG.
  • the operation flow of key delegation apparatus 400 is also the same as the operation flow of key delegation apparatus 400 according to Embodiment 2 shown in FIG. Therefore, the function and operation of the key delegation device 400 will be described with reference to FIG.
  • the key vector generation unit 420 calculates the equation 173 and generates a key vector k * L + 1,0 , which is the head element of the (L + 1) th layer secret key, by the processing device.
  • the key generation vector generation unit 430 calculates the equation 174 and generates the key generation vector k * L + 1, j by the processing device.
  • the key generation vector k * L + 1, j is the jth element of the secret key of the (L + 1) th layer.
  • The key vector generation unit 420 and the key generation vector generation unit 430 execute the Delegate L algorithm shown in Formula 175, and the processing device generates the ( L + 1 )-th layer secret key (key information k ⁇ * L + 1 ) including the key vector k * L + 1 , 0 and the key generation vectors k * L + 1, j .
  • The key distribution unit 440 transmits the key information k ⁇ * L + 1 generated by the key vector generation unit 420 and the key generation vector generation unit 430 to the lower-level decryption device 300 via the communication device.
  • the cryptographic processing system 10 implements the hierarchical predicate encryption by applying the hierarchical predicate key concealment method described in the second embodiment.
  • the hierarchical predicate encryption described in this embodiment is a highly secure encryption method that satisfies the security of adaptive attribute concealment for CCA.
  • the above-described hierarchical predicate encryption is constructed by applying the method described in Non-Patent Document 7 to the hierarchical predicate key concealment method described in the second embodiment.
  • A hierarchical predicate encryption with high security (satisfying the security of adaptive attribute concealment for CCA) can also be constructed by applying the method described in Non-Patent Document 11 to the hierarchical predicate key concealment method described in the second embodiment.
  • Each algorithm of Setup, GenKey, Enc, Dec, and Delegate L will be briefly described.
  • The hierarchical predicate encryption is realized using a secure one-time signature method.
  • Here, “secure” means that signatures cannot be forged.
  • The definition of a secure one-time signature scheme is described in Non-Patent Document 11. Therefore, a brief description will be given here.
  • Let Sig: (G_sig, Sign, Vrfy) be a secure one-time signature scheme.
  • G_sig(1^λ) is a process for outputting F q authentication keys (verification key vk, signature key sk).
  • Sign_sk(x) is a process for generating signature information ⁇ for the data x with the signature key sk.
  • Vrfy_vk(x, ⁇ ) is a process that returns 1 when the signature information ⁇ is correct signature information generated with the signature key sk for the data x, and returns 0 when it is not correct signature information.
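The (G_sig, Sign, Vrfy) interface described above, as an added example that is not code from the patent. It assumes a Lamport hash-based one-time signature as the instantiation (the patent does not name one), models the encryption vector c as a constructed byte string, and does not model the embedding of vk into c; `OneTimeSigner`, `send`, `receive` and the name `sigma` for the signature information are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 256  # one key pair per bit of the SHA-256 digest of the signed data

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(x: bytes):
    """The N digest bits of x, most significant bit first."""
    d = digest(x)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def g_sig():
    """G_sig: returns (verification key vk, signature key sk)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    vk = [(digest(s0), digest(s1)) for s0, s1 in sk]
    return vk, sk

def sign(sk, x: bytes):
    """Sign_sk(x): reveal one secret preimage per digest bit of x."""
    return [sk[i][b] for i, b in enumerate(bits(x))]

def vrfy(vk, x: bytes, sigma) -> int:
    """Vrfy_vk(x, sigma): 1 if sigma is a correct signature on x, else 0."""
    if len(vk) != N or len(sigma) != N:
        return 0
    ok = True
    for i, b in enumerate(bits(x)):
        ok &= hmac.compare_digest(digest(sigma[i]), vk[i][b])
    return 1 if ok else 0

class OneTimeSigner:
    """Holds sk and refuses a second signature: each signature reveals
    half of the secret values, so a key pair must sign exactly once."""

    def __init__(self):
        self.vk, self._sk = g_sig()

    def sign_once(self, x: bytes):
        if self._sk is None:
            raise RuntimeError("signature key already used")
        sigma, self._sk = sign(self._sk, x), None
        return sigma

def send(c: bytes):
    """Sender side: fresh key pair per ciphertext, then (c, vk, sigma)."""
    signer = OneTimeSigner()
    return c, signer.vk, signer.sign_once(c)

def receive(c: bytes, vk, sigma):
    """Receiver side: verify first, pass c on to decryption only if valid."""
    return c if vrfy(vk, c, sigma) == 1 else None

if __name__ == "__main__":
    c, vk, sigma = send(b"constructed encryption vector bytes")
    print(receive(c, vk, sigma) is not None)
    print(receive(c + b"\x00", vk, sigma) is not None)
```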
  • Equation 176 shows the Setup algorithm.
  • Formula 177 shows the Genkey algorithm.
  • Equation 178 shows the Enc algorithm.
  • the Dec algorithm is shown in Formula 179.
  • Equation 180 shows the Delegate L algorithm.
  • The hierarchical predicate encryption can be transformed into a hierarchical predicate key concealment method.
  • For example, by expressing the Enc algorithm and the Dec algorithm as shown in Equations 181 and 182, respectively, the hierarchical predicate encryption constructed by applying the method described in Non-Patent Document 7 to the hierarchical predicate key concealment method described in the second embodiment can be changed to a hierarchical predicate key concealment method. Note that the Setup algorithm, GenKey algorithm, and Delegate L algorithm need not be changed.
  • the random number rn is used in place of the plaintext information m.
  • The hierarchical predicate encryption can also be transformed into a hierarchical predicate key concealment method by simply omitting the plaintext information m from the Enc algorithm, that is, by not using m in the calculation of the data c2.
  • transmission information ⁇ is simply replaced with plain text information m by the Enc algorithm.
  • Enc algorithm By generating the embedded encryption vector c and extracting the information u ⁇ related to the transmission information ⁇ with the Dec algorithm, it can be easily converted into a hierarchical predicate key concealment method.
  • Embodiment 5.
  • the security of the hierarchical predicate encryption described in the fourth embodiment will be described.
  • the validity of the hierarchical predicate encryption will be described.
  • adaptive attribute concealment for CCA (Chosen Ciphertext Attacks)
  • the hierarchical predicate encryption described in Embodiment 4 satisfies the requirement for adaptive attribute concealment for CCA.
  • The attacker A is given a key corresponding to the request shown in Expression 185.
  • 3. The attacker A can make an inquiry using the ciphertext c and the attribute vector shown in Equation 186 and adaptively request decryption of the ciphertext c with respect to the attribute vector.
  • The attacker A is given the plaintext information m ′ shown in Formula 187.
  • 4. The attacker A outputs Formula 189 under the restriction of Formula 188.
  • 5. A random bit ⁇ is selected.
  • The attacker A is given c ⁇ shown in Formula 190.
  • 6. The attacker A can continue to request keys for the vector shown in Equation 191, still under the above restrictions.
  • 7.
  • the advantage of the attacker A is defined as Formula 193.
  • Attacker A ′ is defined as follows:
  • 1. The attacker A ′ (1^λ) executes Setup_enc(1^λ) to generate pub.
  • The public key pk: (pk HPKEM , pub) of the hierarchical predicate encryption is set and given to the attacker A.
  • 2. When the attacker A sends the vector shown in Expression 194 to the key inquiry oracle (see the definition of adaptive attribute concealment for CCA), the attacker A ′ sends the vector shown in Expression 194 to the key inquiry oracle (see the definition of adaptive attribute concealment for CPA). Then, a response is returned to the attacker A.
  • 3. If the attacker A sends the ciphertext (c 1 , c 2 , c 3 , c 4 ) to the decryption oracle together with the attribute vector (x ⁇ 1 ,..., x ⁇ L ), the attacker A ′ performs processes (1) to (3).
  • (1) The attacker A ′ calculates the predicate vector shown in Formula 195.
  • the attacker A ′ transmits the vector (d + 1 level) shown in Formula 196 to the key inquiry oracle (see the definition of adaptive attribute concealment for CPA), and k * d + 1,0 is returned as a response.
  • The attacker A ′ sets Formula 197.
  • The attacker A ′ calculates Dec (k * L, 0 , k * L, n + 2, k * L, n + 3, (c 1, c 2, c 3, c 4)).
  • Dec (k * L, 0 , k * L, n + 2, k * L, n + 3, (c 1, c 2, c 3, c 4)) is a Dec algorithm in HPE scheme.
  • the Enc algorithm shown in Formula 201 is an Enc algorithm in hierarchical predicate encryption.
  • The attacker A ′ returns (c ( ⁇ ) 1 , c ( ⁇ ) 2 , c ( ⁇ ) 3 , c ( ⁇ ) 4 ) to the attacker A.
  • 5. When the attacker A transmits the vector shown in Expression 202 to the key inquiry oracle (refer to the definition of adaptive attribute concealment for CCA), the processing of (2) is performed.
  • Equation 203 can be expressed.
  • Embodiment 6.
  • a description will be given of cryptographic processing that has been changed so as to be more secure than the cryptographic processing described in the above embodiments.
  • the encryption process satisfies the security of adaptive attribute concealment for CPA, and the encryption process is changed so as to increase safety.
  • a cryptographic process that satisfies the security of adaptive attribute concealment for CCA and is modified to increase safety will be described.
  • the concept of “n copy vector space” used to increase security will be described.
  • a description will now be given of cryptographic processing that has been changed based on the n-copy vector space so as to increase security.
  • hierarchical predicate encryption will be described, but a hierarchical predicate key concealment scheme can also be realized.
  • an n-copy vector space and a plurality of random numbers that are not used in the hierarchical predicate encryption according to the above embodiment are used.
  • In the above embodiments, the cryptographic processing is realized in one pair of dual orthonormal bases: the base B generated from the standard base A in the space V and the base B * generated from the standard base A * in the space V * .
  • Here, the cryptographic processing is realized in n pairs of dual orthonormal bases: the bases (B [0] , ..., B [n-1] ) and the bases (B [0] * , ..., B [n-1] * ).
  • FIGS. 26 and 27 are diagrams for explaining the n-copy vector space. As shown in FIG. 26, there are n dual vector spaces (V [0] , ..., V [n-1] ) and (V [0] * , ..., V [n-1] * ).
  • the bases B [0] and B [0] * are dual orthonormal bases
  • the bases B [1] and B [1] * are dual orthonormal bases
  • the bases B [n-1] and B [n-1] * are dual orthonormal bases.
  • n bases (B [0] , ..., B [n-1] ) and bases (B [0] * , ..., B [n-1] * ) are generated from the standard bases A and A * of one pair of dual spaces V and V * to realize the cryptographic processing.
  • n bases (B [0] ,..., B [n-1] ) and bases (B [0] * ,..., B [n-1] * ) are generated, respectively.
  • FIG. 28 is a functional block diagram illustrating functions of the cryptographic processing system 10 that implements a highly secure hierarchical predicate encryption using an n-copy vector space. Similar to the cryptographic processing system 10 according to the second embodiment, the cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400. Also here, it is assumed that the decryption device 300 includes the key delegation device 400.
  • FIG. 29 is a flowchart showing the operation of the key generation device 100.
  • FIG. 30 is a flowchart showing the operation of the encryption device 200.
  • FIG. 31 is a flowchart showing the operation of the decoding device 300.
  • FIG. 32 is a flowchart showing the operation of the key delegation device 400.
  • the function and operation of the key generation device 100 will be described.
  • the functional configuration of the key generation device 100 is the same as the functional configuration of the key generation device 100 according to Embodiment 2 shown in FIG.
  • a linear transformation ((X [t] ) T ) ⁇ 1 is generated from the linear transformation X [t] by the processing device.
  • the master key generation unit 110 generates the base B [t] * from the base A * based on the generated linear transformation ((X [t] ) T ) ⁇ 1 .
  • the master key storage unit 120 stores the master public key pk and master secret key sk generated by the master key generation unit 110 in the storage device.
  • the master key generation unit 110 executes the Setup algorithm shown in Expression 205 to generate the master public key pk and the master secret key sk.
  • The key vector generation unit 130 calculates Formula 206 based on the master public key pk, the master secret key sk, and the predicate vector v ⁇ 1, and generates, by the processing device, the key vector k [t] * 1,0 , which is the head element of the first layer (level 1) secret key. That is, (1) the key vector generation unit 130 generates a random number ⁇ 1 , a random number ⁇ 1,0 and a random number ⁇ [t] 1,0 by the processing device.
  • the key vector generation unit 130 obtains a predetermined value (here, 1) randomized with a random number ⁇ [t] 1 , 0 as a coefficient for the base vector b [t] * n in the base B [t] * .
  • a key vector k [t] * 1,0 is set by the processing device and randomized with a random number ⁇ 1 as a whole.
  • the key generation vector generation unit 140 uses a predetermined value (here, 1 ) randomized with a random number ⁇ [t] 1,1 as a coefficient for the base vector b [t] * n in the base B [t] * .
  • each predicate vector v ⁇ 1 randomized with random numbers ⁇ 1,1 as coefficients for the basis vector b [t] * i (i 0,..., ⁇ 1 ⁇ 1)
  • Elements are set by the processing device, and a key generation vector k [t] * 1 , 1 is generated by randomizing the whole with a random number ⁇ 1 .
  • a predetermined value (here, 1) is set as a coefficient for the basis vector b [t] * j in the basis B [t] * by the processing unit, and the basis vector b [t] *
  • a predetermined value (in this case, 1) randomized with a random number ⁇ [t] 1, j is set as a coefficient with respect to the key generation vector k [t] * 1, j randomized as a whole with a random number ⁇ 1 Is generated.
  • The key vector generation unit 130 and the key generation vector generation unit 140 execute the GenKey algorithm shown in Formula 208, and the processing device generates the first-layer secret key (key information k ⁇ [t] * 1 ) including the key vector k [t] * 1,0 and the key generation vectors k [t] * 1, j .
  • the function and operation of the encryption device 200 will be described.
  • the functional configuration of the encryption apparatus 200 is the same as the functional configuration of the encryption apparatus 200 according to Embodiment 2 shown in FIG.
  • t 0,. . .
  • the data transmission unit 230 transmits the encryption vector c [t] generated by the encryption vector generation unit 220 to the decryption device 300 via the communication device.
  • the encryption device 200 executes the Enc algorithm expressed by Equation 211 to generate the encryption vector c [t] .
  • The function and operation of the decryption device 300 will be described.
  • The functional configuration of the decryption device 300 is the same as the functional configuration of the decryption device 300 according to Embodiment 2 shown in FIG.
  • The discrete logarithm calculation unit 340 solves the discrete logarithm problem with the information g as a base and calculates the plaintext information m for the information f. That is, the discrete logarithm calculation unit 340 calculates Formula 214.
  • the plaintext information m input here is a number smaller than a predetermined small integer ⁇ , similarly to the cryptographic processing system 10 that implements the hierarchical predicate encryption described in the second embodiment. This is because, as described above, when the decryption apparatus 300 calculates the plaintext information m, it is necessary to solve the discrete logarithm problem. Further, similarly to the cryptographic processing system 10 that realizes the hierarchical predicate encryption described in the second embodiment, it is possible to set the plaintext information m in a plurality of basis vectors.
  • The decryption device 300 executes the Dec algorithm expressed by Equation 215 to generate plaintext information m ′ or identification information ⊥.
  • the function and operation of the key delegation device 400 will be described.
  • the functional configuration of key delegation apparatus 400 is the same as the functional configuration of key delegation apparatus 400 according to Embodiment 2 shown in FIG.
  • the key vector acquisition unit 410 obtains a key vector k [t] * L, 0 , which is the leading element of the L-th layer secret key,
  • the key vector k [t] * L, 0 is added to the key vector k [t] * L, 0 to generate the key vector k [t] * L + 1,0 by the processing device.
  • The key generation vector generation unit 430 calculates Formula 217 based on the master public key pk, the key information k ⁇ [t] * L , and the predicate vector v ⁇ L + 1 , and generates, by the processing device, the key generation vector k [t] * L + 1, j for generating a lower-level secret key (lower-level key vector).
  • Key generation vector k [t] * L + 1, j is the jth element of the (L + 1) th layer secret key.
  • The key vector generation unit 420 and the key generation vector generation unit 430 execute the Delegate L algorithm shown in Formula 218, and the processing device generates the ( L + 1 )-th layer secret key (key information k ⁇ [t] * L + 1 ) including the key vector k [t] * L + 1, 0 and the key generation vector k [t] * L + 1, j .
  • the key distribution unit 440 transmits the key information k ⁇ [t] * L + 1 generated by the key vector generation unit 420 and the key generation vector generation unit 430 to the lower-level decryption device 300 via the communication device.
  • The cryptographic processing system 10 according to this embodiment realizes hierarchical predicate encryption that satisfies the security of adaptive attribute concealment for CPA and that has been changed so as to increase security. Note that the cryptographic processing system 10 according to this embodiment can easily realize the hierarchical predicate key concealment method, similarly to the cryptographic processing system 10 according to the above embodiment.
  • Embodiment 7. In this embodiment, cryptographic processing that satisfies the security of adaptive attribute concealment for CCA, constructed based on the cryptographic processing satisfying the security of adaptive attribute concealment for CPA described in the sixth embodiment, will be described.
  • FIG. 33 is a functional block diagram showing functions of the cryptographic processing system 10 according to this embodiment. Similar to the cryptographic processing system 10 according to the second embodiment, the cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400. Also here, it is assumed that the decryption device 300 includes the key delegation device 400.
  • FIG. 34 is a flowchart showing the operation of the encryption device 200.
  • FIG. 35 is a flowchart showing the operation of the decoding device 300.
  • Sig: (G sig , Sign, Vrfy) is the secure one-time signature scheme described in the fourth embodiment.
  • the function and operation of the key generation device 100 will be described.
  • The functional configuration of the key generation device 100 is the same as the functional configuration of the key generation device 100 according to Embodiment 6 shown in FIG. Further, since the operation flow of the key generation device 100 is the same as the operation flow of the key generation device 100 according to the sixth embodiment shown in FIG. 29, the function and operation of the key generation device 100 will be described based on FIG.
  • the master key generation unit 110 generates a master public key pk and a master secret key sk by the processing device and stores them in the master key storage unit 120.
  • the master key generation unit 110 executes the Setup algorithm shown in Equation 220 to generate the master public key pk and the master secret key sk.
  • The key vector generation unit 130 calculates Formula 221 and generates, by the processing device, the key vector k [t] * 1,0 , which is the first element of the first layer (level 1) secret key.
  • The key generation vector generation unit 140 calculates Formula 222 and generates the key generation vector k [t] * 1, j by the processing device.
  • The key generation vector k [t] * 1, j is the j-th element of the first-layer secret key.
  • The key vector generation unit 130 and the key generation vector generation unit 140 execute the GenKey algorithm shown in Equation 223, and the processing device generates the first-layer secret key (key information k ⁇ [t] * 1 ) including the key vector k [t] * 1,0 and the key generation vector k [t] * 1, j .
  • The encryption device 200 includes a verification information generation unit 250, a verification information setting unit 260, and a signature information generation unit 270 in addition to the functions of the encryption device 200 according to Embodiment 6 shown in FIG.
  • The verification information generation unit 250 generates the verification key vk and the signature key sk by calculating Formula 224 with the processing device.
  • A predetermined value (here, 1) randomized by ⁇ [t] n + 2 is set by the processing device, and a verification key vk randomized by the random number ⁇ [t] n + 2 is used as a coefficient for the basis vector b [t] n + 3 .
  • The signature information generation unit 270 calculates Formula 228 by the processing device and generates the signature information ⁇. That is, the signature information generation unit 270 generates the signature information ⁇ by executing Sign with the signature key sk on the processing device.
  • The data transmission unit 230 transmits the encryption vector c [t] generated by the encryption vector generation unit 220, the verification key vk generated by the verification information generation unit 250, and the signature information ⁇ generated by the signature information generation unit 270 to the decryption device 300 via the communication device.
  • The decryption device 300 includes a falsification verification unit 370 in addition to the functions of the decryption device 300 according to Embodiment 6 shown in FIG.
  • The falsification verification unit 370 determines, by the processing device, whether Formula 230 holds. That is, the falsification verification unit 370 verifies the signature information ⁇ by executing Vrfy with the verification key vk.
  • The vector transformation unit 350 calculates Formula 231 by the processing device and transforms the key vector k [t] * L, 0 . That is, the vector transformation unit 350 transforms the key vector using the verification key vk so that the verification key vk set by the verification information generation unit 250 of the encryption device 200 is cancelled by the pairing operation executed in a later step (that is, so that the coefficient of the basis vector in which information including the verification key vk is set becomes 0).
  • The discrete logarithm calculation unit 340 solves the discrete logarithm problem of the information f to the base g and calculates the plaintext information m. That is, the discrete logarithm calculation unit 340 calculates Formula 234.
  • The plaintext information m input here is a value smaller than a predetermined small integer ⁇ , as in the cryptographic processing system 10 that implements the hierarchical predicate encryption described in the second embodiment. This is because, as described above, the decryption device 300 must solve a discrete logarithm problem to calculate the plaintext information m. As in that system, the plaintext information m may also be set in a plurality of basis vectors.
  • The decryption device 300 executes the Dec algorithm expressed by Equation 235 to generate plaintext information m ′ or identification information ⁇ .
  • The function and operation of the key delegation device 400 will be described.
  • The functional configuration of the key delegation device 400 is the same as the functional configuration of the key delegation device 400 according to Embodiment 6 shown in FIG.
  • The operation flow of the key delegation device 400 is also the same as the operation flow of the key delegation device 400 according to Embodiment 2 shown in FIG. 32, and therefore the function and operation of the key delegation device 400 will be described based on FIG.
  • The key generation vector generation unit 430 calculates Formula 237 and generates a key generation vector k [t] * L + 1, j by the processing device.
  • The key generation vector k [t] * L + 1, j is the j-th element of the (L + 1)-th layer secret key.
  • The key vector generation unit 420 and the key generation vector generation unit 430 execute the Delegate L algorithm shown in Formula 238 and, by the processing device, generate key information k ⁇ [t] * L + 1 including the key vector k [t] * L + 1,0 and the key generation vector k [t] * L + 1, j .
  • The key distribution unit 440 transmits the key information k ⁇ [t] * L + 1 generated by the key vector generation unit 420 and the key generation vector generation unit 430 to the lower-level decryption device 300.
  • The cryptographic processing system 10 applies the hierarchical predicate encryption that satisfies the security of adaptive attribute concealment against CPA described in the sixth embodiment to realize hierarchical predicate encryption that satisfies the security of adaptive attribute concealment against CCA.
  • Embodiment 8. In this embodiment, methods for realizing a dual distortion vector space will be described. First, the realization by a direct product of asymmetric bilinear pairing groups, which was used as the example of a dual distortion vector space in the above embodiments, is described. Next, a realization by a direct product of symmetric bilinear pairing groups is described. Finally, a realization by the Jacobian variety of a supersingular curve of genus 1 or greater is described.
  • An asymmetric bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) and a pairing operation e on the asymmetric bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) are given.
  • The asymmetric bilinear pairing group (G 1 , G 2 , G T , g 1 , g 2 , q) and the pairing operation are as described in the first embodiment.
  • A dual distortion vector space is realized as follows. V, V * , a 0 , ..., a N-1 , a * 0 , ..., a * N-1 are as shown in Equation 239.
  • The vectors x and y are as shown in Equation 240.
  • The pairing operation e on (V, V * ) is defined as in Formula 241.
  • The same symbol e is used for the pairing operation on both (G 1 , G 2 ) and (V, V * ).
  • The non-degeneracy and bilinearity of the pairing operation e clearly hold.
  • Formula 242 Further, the distortion map ⁇ i, j is simply defined as in Expression 243.
  • ⁇ i, j Pr j is called a distortion map.
  • Embodiment 9. In the above embodiments, methods for realizing the cryptographic processing in a dual vector space have been described. In this embodiment, a method for realizing the cryptographic processing in a dual module will be described.
  • Cryptographic processing is realized in a cyclic group of prime order q.
  • The cryptographic processing described in the above embodiments can be applied to modules with coefficients in the ring R.
  • When the hierarchical predicate key concealment method described in the second embodiment is realized in a module with coefficients in the ring R, the following Formulas 246 to 250 are obtained. That is, in principle, by replacing the processing described over the field F q in the above embodiments with the ring R, the cryptographic processing described in the above embodiments can be realized in a module with coefficients in the ring R.
  • FIG. 36 is a diagram illustrating an example of a hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400.
  • The key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400 include a CPU 911 (Central Processing Unit; also referred to as a central processing unit, a processing unit, an arithmetic unit, or a micro unit) that executes a program.
  • The CPU 911 is connected to the ROM 913, the RAM 914, the LCD 901 (Liquid Crystal Display), the keyboard 902 (K/B), the communication board 915, and the magnetic disk device 920 via the bus 912, and controls these hardware devices.
  • Instead of the magnetic disk device 920 (fixed disk device), a storage device such as an optical disk device or a memory card read/write device may be used.
  • The magnetic disk device 920 is connected via a predetermined fixed disk interface.
  • The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory.
  • The RAM 914 is an example of a volatile memory.
  • The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of a storage device (memory).
  • The keyboard 902 and the communication board 915 are examples of input devices.
  • The communication board 915 is an example of a communication device (network interface).
  • The LCD 901 is an example of a display device.
  • An operating system 921 (OS), a window system 922, a program group 923, and a file group 924 are stored in the magnetic disk device 920 or the ROM 913.
  • The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.
  • The program group 923 includes what is described above as the “master key generation unit 110”, “master key storage unit 120”, “key vector generation unit 130”, “key generation vector generation unit 140”, and “key distribution unit 150”.
  • The programs are read and executed by the CPU 911.
  • Information such as the “master public key pk”, “master secret key sk”, “encryption vector c”, and “key vector”, as well as data, signal values, variable values, and parameters, are stored as items of a “file” or “database”.
  • The “file” and “database” are stored in a recording medium such as a disk or a memory.
  • Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read/write circuit and are used for CPU 911 operations such as extraction, search, reference, comparison, computation, calculation, processing, output, printing, and display.
  • Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, or buffer memory during the CPU 911 operations of extraction, search, reference, comparison, computation, calculation, processing, output, printing, and display.
  • The arrows in the flowcharts mainly indicate input/output of data and signals, and the data and signal values are recorded in the memory of the RAM 914, in other recording media such as an optical disk, or in an IC chip.
  • Data and signals are transmitted online by the bus 912, signal lines, cables, other transmission media, and radio waves.
  • What is described as a “~ unit” in the above description may be a “~ circuit”, “~ device”, “~ equipment”, “~ means”, or “~ function”, and may also be a “~ step”, “~ procedure”, or “~ process”. Likewise, what is described as a “~ device” may be a “~ circuit”, “~ equipment”, “~ means”, or “~ function”, and may also be a “~ step”, “~ procedure”, or “~ process”. Furthermore, what is described as a “~ process” may be a “~ step”. That is, what is described as a “~ unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, by hardware alone (elements, devices, substrates, wiring, and the like), by a combination of software and hardware, or by a combination that further includes firmware.
  • Firmware and software are stored as programs in a recording medium such as the ROM 913. The programs are read and executed by the CPU 911. That is, a program causes a computer or the like to function as the “~ unit” described above, or causes a computer or the like to execute the procedure or method of the “~ unit” described above.
  • 10 cryptographic processing system, 100 key generation device, 110 master key generation unit, 120 master key storage unit, 130 key vector generation unit, 140 key generation vector generation unit, 150 key distribution unit, 200 encryption device, 210 transmission information setting unit, 220 encryption vector generation unit, 230 data transmission unit, 240 session key generation unit, 250 verification information generation unit, 260 verification information setting unit, 270 signature information generation unit, 300 decryption device, 310 vector input unit, 320 key vector storage unit, 330 pairing calculation unit, 340 discrete logarithm calculation unit, 350 vector transformation unit, 360 decryption unit, 370 falsification verification unit, 400 key delegation device, 410 key vector acquisition unit, 420 key vector generation unit, 430 key generation vector generation unit, 440 key distribution unit.
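
The description above says the plaintext m must stay below a small bound because the discrete logarithm calculation unit 340 has to recover m from f to the base g. The following added example (not code from the patent) shows that recovery with baby-step giant-step and what happens when m exceeds the bound; the toy group (an order-q subgroup of Z_p^* standing in for the group that f and g live in), the bound name tau, and all function names are assumptions.

```python
"""Bounded discrete-log recovery of a small plaintext m from f = g^m.

Illustrative stand-in group: the order-q subgroup of Z_p^*, p = 2q + 1.
Names (demo_group, encode, bounded_dlog, tau) are hypothetical.
"""
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the small demo parameters used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def demo_group(min_q=1 << 20):
    """Return (p, q, g) with p = 2q + 1 a safe prime and g of prime order q."""
    q = min_q | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    # 4 = 2^2 is a quadratic residue other than 1, so its order is exactly q.
    return 2 * q + 1, q, 4


def encode(m, g, p):
    """The value decryption is left with before the discrete-log step: f = g^m."""
    return pow(g, m, p)


def bounded_dlog(f, g, p, tau):
    """Baby-step giant-step search for m in [0, tau) with g^m == f (mod p).

    Needs about 2*sqrt(tau) multiplications and sqrt(tau) table entries,
    which is why the bound on m has to be small. Returns None when no m
    below tau matches, e.g. when the sender encoded m >= tau.
    """
    if tau < 1:
        raise ValueError("tau must be positive")
    step = isqrt(tau - 1) + 1              # ceil(sqrt(tau))
    baby = {}
    cur = 1
    for j in range(step):                  # baby steps: table of g^j
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -step, p)               # g^(-step), Python 3.8+
    cur = f % p
    for i in range(step):                  # giant steps: f * g^(-i*step)
        j = baby.get(cur)
        if j is not None and i * step + j < tau:
            return i * step + j
        cur = cur * giant % p
    return None


if __name__ == "__main__":
    p, q, g = demo_group()
    tau = 1 << 16                          # constructed bound for the demo
    for m in (0, 1, 40000, tau - 1, tau + 12345):
        print(m, "->", bounded_dlog(encode(m, g, p), g, p, tau))
```
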

PCT/JP2010/056639 2009-04-23 2010-04-14 Cryptographic processing system Ceased WO2010122926A1 (ja)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201080017994.8A CN102415047B (zh) 2009-04-23 2010-04-14 Cryptographic processing system
ES10766983T ES2873230T3 (es) 2009-04-23 2010-04-14 Encryption processing system
US13/266,002 US8559638B2 (en) 2009-04-23 2010-04-14 Cryptographic processing system
EP10766983.0A EP2424154B1 (en) 2009-04-23 2010-04-14 Encryption processing system
KR1020117027936A KR101359200B1 (ko) 2009-04-23 2010-04-14 Cryptographic processing system

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2009-104915 2009-04-23
JP2009104915 2009-04-23
JP2009-264576 2009-11-20
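JP2009264576A JP5349261B2 (ja) 2009-04-23 2009-11-20 Cryptographic processing system, key generation device, key delegation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program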

Publications (1)

Publication Number Publication Date
WO2010122926A1 (ja) 2010-10-28

Family

ID=43011044

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/056639 Ceased WO2010122926A1 (ja) 2009-04-23 2010-04-14 Cryptographic processing system

Country Status (7)

Country Link
US (1) US8559638B2
EP (1) EP2424154B1
JP (1) JP5349261B2
KR (1) KR101359200B1
CN (1) CN102415047B
ES (1) ES2873230T3
WO (1) WO2010122926A1

Also Published As

Publication number Publication date
ES2873230T3 (es) 2021-11-03
JP2010273317A (ja) 2010-12-02
CN102415047B (zh) 2015-12-09
KR101359200B1 (ko) 2014-02-05
KR20120068762A (ko) 2012-06-27
EP2424154A1 (en) 2012-02-29
US8559638B2 (en) 2013-10-15
US20120045056A1 (en) 2012-02-23
CN102415047A (zh) 2012-04-11
JP5349261B2 (ja) 2013-11-20
EP2424154A4 (en) 2017-07-12
EP2424154B1 (en) 2021-04-07

Legal Events

Date Code Title Description
WWE WIPO information: entry into national phase. Ref document number: 201080017994.8. Country of ref document: CN.
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 10766983. Country of ref document: EP. Kind code of ref document: A1.
WWE WIPO information: entry into national phase. Ref document number: 2010766983. Country of ref document: EP.
NENP Non-entry into the national phase. Ref country code: DE.
WWE WIPO information: entry into national phase. Ref document number: 13266002. Country of ref document: US.
ENP Entry into the national phase. Ref document number: 20117027936. Country of ref document: KR. Kind code of ref document: A.