WO2014132552A1 - Order-preserving encryption system, device, method and program - Google Patents
- Publication number
- WO2014132552A1 (PCT/JP2014/000378)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- ciphertext
- plaintext
- encryption
- key
- value
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
- H04L9/0662—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
Definitions
- The present invention relates to an order-preserving encryption system, an encryption device, a database system, an order-preserving encryption method, and an order-preserving encryption program.
- Encryption methods are used to ensure the confidentiality of data in communication.
- Completely concealing data is not always useful in practice; in some cases usefulness is impaired because the data is concealed too much.
- One example in which usefulness is impaired because the data is concealed too much is the case where the magnitudes of two numerical values are to be compared.
- Techniques for improving usability while keeping data secret include, for example, the method described in Non-Patent Document 1 and the method described in Patent Document 1. Each of these uses an encryption method called order-preserving encryption.
- Order-preserving encryption is a technique that makes it possible to compare the magnitudes of plaintexts while they remain encrypted. It is an encryption method in which, if plaintexts m and m′ satisfy m < m′, their ciphertexts Enc_m and Enc_m′ also satisfy Enc_m < Enc_m′.
- As the authors of Non-Patent Document 1 acknowledge, the security of the method described in Non-Patent Document 1 has only been incompletely analyzed, and this is an obstacle to using that method.
- The purpose of the present invention is to provide an order-preserving encryption system, an encryption apparatus, a database system, an order-preserving encryption method, and an order-preserving encryption program that perform order-preserving encryption with a simpler algorithm while maintaining security guarantees.
- The order-preserving encryption system according to the present invention comprises encryption means that, when receiving plaintext as input, generates an order-preserving ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on a set generated from the plaintext space using a uniform distribution, or a key to a predetermined pseudorandom function, included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- The encryption device according to the present invention comprises encryption means that, when receiving plaintext as input, generates an order-preserving ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on a set generated from the plaintext space using a uniform distribution, or a key to a pseudo-random function, included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- When the database system according to the present invention receives plaintext as input, it is based on a value determined from the plaintext and on a set generated from the plaintext space using a uniform distribution, or a key to a pseudo-random function, included in the secret key.
- In the order-preserving encryption method according to the present invention, data including a set generated from a plaintext space using a uniform distribution, or a key to a predetermined pseudorandom function, is generated as a secret key; and when plaintext is received as input, an order-preserving ciphertext is generated according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on the set or the key included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- The order-preserving encryption program according to the present invention causes a computer, when plaintext is received as input, to execute a process of generating an order-preserving ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on a set generated from the plaintext space using a uniform distribution, or a key to a pseudo-random function, included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- Enc (K, m) is the sum from - ⁇ to m.
- This method can in principle be executed for any X, but from the viewpoint of security it is desirable that the distribution output values with a large number of bits with low probability.
- B [1] is a probability distribution that outputs non-negative integers with a bit length of n [1] or less
- B [U] is a probability distribution that outputs non-negative integers with a bit length of n [U] or less
- X is the distribution that ⁇ follows when ⁇ is selected by the method “integer j chooses according to D [p [1], ..., p [U]] and then chooses ⁇ according to B [j]” .
- When X is defined as above, X outputs a non-negative integer of bit length at most n[1] with probability p[1], a non-negative integer of bit length n[2], greater than n[1], with probability p[2], and a non-negative integer of bit length n[3], greater than n[2], with probability p[3]. Therefore, if p[1], ..., p[U] and n[1], ..., n[U] are selected appropriately, X satisfies the property described above.
- K ( ⁇ [ ⁇ ],..., ⁇ [N]), and ⁇ [1],.
- the distribution B [j] is a binomial distribution B ( ⁇ [j], q).
- ⁇ [1],..., ⁇ [U] and q are used as parameters.
- The binomial distribution B(k, p′) is the distribution followed by the number of heads that appear when k coins, each showing heads with probability p′, are tossed.
- the calculation efficiency of encryption is increased by efficiently calculating C ′ and C ′′. Therefore, in the second embodiment, B is set to a binomial distribution. Then, since C ′ is the sum of values ⁇ [i] according to the binomial distribution, C ′ itself follows the binomial distribution. Here, since P is Bernoulli distribution, it is also binomial distribution. Therefore, C ′′ also follows the binomial distribution from the above equation.
- The hypergeometric distribution is used in both the calculation of C′ and the calculation of C′′, but in the present invention the method is improved so that the hypergeometric distribution is not required in any calculation.
- j[i] is 0 with probability p, so the expected value of the number of elements of S is MesSpSize / p.
- The method of Patent Document 1 uses a probability distribution P such that the probability p becomes 1; (1) the elements of S are randomly distributed on {0, ..., MesSpSize}, and (2) the number of elements of S is set to approximately MesSpSize / p.
- The security of the method of Patent Document 1 is guaranteed by these properties.
- The elements of S are selected uniformly at random from the plaintext space {0, ..., MesSpSize}.
- the conditional probability is not a hypergeometric distribution.
- The conditional probability distribution described above is the binomial distribution Binom(n, 1/2). Therefore, the hypergeometric distribution is not necessary.
- Binom(n, p) is the probability distribution of the number of heads that appear when n independent coins, each showing heads with probability p, are tossed. Since the binomial distribution is known to have an algorithm that efficiently generates a sample even for a large parameter, the order-preserving encryption method of the present invention can generate a sample even for a distribution with a large parameter (for example, 2 to the power of the security parameter).
- the method of selecting C ′ is fundamentally changed.
- the value MaxVal is fixed.
- C ′ can be obtained by the bisection method based on the binomial distribution. In the second embodiment of the present invention, C ′ is efficiently obtained based on such a bisection method.
- the first embodiment and the second embodiment of the present invention are realized by making the above-described changes to the method of Patent Document 1.
- the “ciphertext” of the first embodiment and the second embodiment cannot be decrypted.
- Since this method has the property that order can be compared without decrypting the ciphertext, the decryption operation is not necessarily required for an application that needs only this property. Therefore, the first embodiment and the second embodiment are also useful.
- The first embodiment and the second embodiment are improved to enable decryption.
- FIG. 1 is a block diagram illustrating an example of an apparatus included in the order-preserving encryption system according to the present embodiment.
- The order-preserving encryption system of this embodiment includes an encryption device 10.
- the encryption device 10 includes a calculation unit 11, a storage unit 12, and an input / output unit 13.
- the encryption device 10 is realized by an information processing device such as a personal computer that operates according to a program, for example.
- the calculation unit 11, the storage unit 12, and the input / output unit 13 are realized by a CPU, a memory, and various input / output devices (for example, a keyboard, a mouse, a network interface unit, and the like), respectively.
- FIG. 2 is a block diagram showing an example of the functional configuration of the order-preserving encryption system according to this embodiment.
- the encryption device 10 (more specifically, the calculation unit 11 of the encryption device 10) includes a parameter generation unit 101, a key generation unit 102, and an encryption unit 103.
- Each of these means is realized by a CPU that operates according to a program, for example.
- an example is shown in which one device includes the parameter generation unit 101, the key generation unit 102, and the encryption unit 103, but these may be implemented separately in a plurality of devices.
- A ciphertext generated by the encryption algorithm of the present embodiment is referred to as an "OPEPart" in order to distinguish it from a decryptable ciphertext.
- An encryption algorithm will be described below. Each operation included in the algorithm is realized by the CPU of one or more information processing apparatuses that implement the order-preserving encryption system executing processing according to the algorithm.
- the parameter generation unit 101 calculates a parameter OPEParam necessary for encryption.
- the key generation unit 102 calculates the secret key OPEKey.
- the encryption means 103 calculates OPEPart when the secret key OPEKey and plaintext Message are input.
- the parameter generation unit 101 calculates a parameter OPEParam necessary for encryption according to the present embodiment.
- the key generation unit 102 calculates the secret key OPEKey using the parameter OPEParam calculated by the parameter generation unit 101.
- The encryption unit 103 performs an encryption process on the plaintext Message input via the input/output unit 13, using the secret key OPEKey calculated by the key generation unit 102, and generates an OPEPart as its output.
- The parameter OPEParam and the secret key OPEKey may be calculated in advance and stored in the storage unit 12.
- FIG. 3 is a flowchart illustrating an example of parameter generation processing according to the present embodiment.
- the parameter generation unit 101 executes the following processing, for example.
- the parameter generation unit 101 receives SecPar, MesSpSize, k, ⁇ , ⁇ as inputs (step S111).
- FIG. 4 is a flowchart illustrating an example of a key generation process according to the present embodiment.
- the key generation unit 102 executes the following processing, for example.
- the key generation unit 102 sets N to (a value obtained by truncating the decimal point of 4 ⁇ MesSpSize / p) (step S122).
- The key generation unit 102 selects uniform random numbers c[1], ..., c[MaxVal] that take values in S (step S124).
- FIG. 5 is a flowchart illustrating an example of the encryption processing according to the present embodiment.
- the encryption means 103 performs the following processes, for example.
- plaintext message are received as input (step S131).
- C ′′ be the original number of ⁇ S ′′ ⁇ (step S133).
- Embodiment 2: A second embodiment of the present invention will be described with reference to the drawings.
- the apparatus configuration and functional configuration of this embodiment are the same as those of the first embodiment.
- the following subroutine called PseudoBinom is used in the encryption processing by the encryption means 103.
- PseudoBinom () is a subroutine that performs the following processing. Receives a natural number n, a bit string u, v, and a pseudorandom function key PRFKey as input. ⁇ Enter the key PRFKey and input u
- v is a concatenation of bit strings u and v.
- An algorithm for generating random numbers according to the binomial distribution Binom(n, 1/2) is executed, and its output R is obtained. At this time, R is used as a random number source of the algorithm.
- FIG. 6 is a flowchart illustrating an example of parameter generation processing according to the present embodiment.
- MesSpSize is a natural number
- the plaintext space is ⁇ 0, ..., MesSpSize ⁇ .
- SecPar is a security parameter.
- k and ⁇ are integers representing safety measures.
- ⁇ is a real number representing a safety measure.
- the parameter generation unit 101 executes the following processing, for example.
- the parameter generation unit 101 receives SecPar, MesSpSize, k, ⁇ , ⁇ as inputs (step S211).
- the parameter generation unit 101 calculates B, Max, MaxNum, and MaxVal by the same method as in the first embodiment (Steps S212 to S215).
- steps S211 to S215 may be the same as steps S111 to S115 of the first embodiment.
- FIG. 7 is a flowchart illustrating an example of a key generation process according to the present embodiment.
- the key generation unit 102 executes the following processing, for example.
- the key generation means 102 randomly selects a bit string PRFKey of SecPar bits (step S222).
- FIG. 8 is a flowchart illustrating an example of the encryption processing of the present embodiment.
- the encryption means 103 performs the following processes, for example.
- the encryption unit 103 performs the following (1) to (3) while High> MB (first While loop: steps S2332 to S2334).
- the encryption unit 103 performs the following (1) to (3) while HighNum> MBNum (second While loop: steps S2342 to S2344).
- (1) MidNum ((LowNum + HighNum) / 2 rounded down) is calculated (step S2343).
- (2) MidVal LowVal + PseudoBinom (HighVal-LowVal, High, Low, PRFKey) is calculated (step S2343).
- The encryption processing has the following structure: MBNum is calculated based on the bisection method (steps S2331 to S2335), and MBVal is then calculated based on the bisection method using the obtained NBNum (steps S2341 to S2345).
- the encryption processing by the encryption means 103 in the second embodiment is speeded up by improving the encryption processing by the encryption means 103 in the first embodiment by a bisection method.
- the above two bisection methods are the calculation of S ′′ in the procedure of the first embodiment (step S133 in FIG. 5) and the original number C of i
- s ⁇ S ′′ ⁇ where ⁇ c [i] s. It corresponds to the calculation of ''.
- The second bisection (steps S2341 to S2345) cannot be run until NBNum, which is the output of the first bisection (steps S2331 to S2335), has been obtained. This differs from the method of Patent Document 1, in which the bisection method is performed only once.
- FIG. 9 is a block diagram illustrating a configuration example of the order-preserving encryption system according to the third embodiment.
- The order-preserving encryption system shown in FIG. 9 includes an encryption device 10, a decryption device 20, and a key generation device 30.
- the physical configuration of each device is the same as the configuration of the encryption device 10 shown in FIG.
- the encryption device 10 includes the encryption unit 203
- the decryption device 20 includes the decryption unit 204
- the key generation device 30 includes the parameter generation unit 201 and the key generation unit 202.
- one apparatus may be configured to include all of these units, or one apparatus may be configured to include both the encryption unit 203 and the decryption unit 204.
- the key generation device 30 is prepared separately from the encryption device 10 and the decryption device 20, and this device includes the parameter generation unit 201 and the key generation unit 202.
- the parameter generation unit 201 and / or the key generation unit 202 may be included in either the encryption device 10, the decryption device 20, or a third device different from them.
- FIG. 10 is a block diagram showing another configuration example of the order-preserving encryption system according to this embodiment.
- the encryption device 10 may include a parameter generation unit 201, a key generation unit 202, an encryption unit 203, and a decryption unit 204.
- Ciphertext Cipher: the ciphertext generated by the encryption algorithm of the present embodiment.
- The encryption algorithm and the decryption algorithm will be described below. Each operation included in these algorithms is realized by the CPU of one or more information processing apparatuses that implement the order-preserving encryption system executing processing according to the algorithm.
- the parameter generation unit 201 calculates a parameter Param necessary for encryption and decryption.
- the key generation unit 202 calculates a secret key Key.
- the encryption unit 203 calculates the ciphertext Cipher when the secret key Key and the plaintext Message are input.
- When the secret key Key and the ciphertext Cipher are input, the decryption means 204 outputs the plaintext Message or outputs a character string indicating that the ciphertext Cipher is invalid.
- the parameter generation unit 201 calculates a parameter Param necessary for encryption and decryption according to the present embodiment.
- the key generation unit 202 calculates the secret key Key using the parameter Param calculated by the parameter generation unit 201.
- The encryption unit 203 performs an encryption process on the plaintext Message input via the input/output unit 13 of the encryption device 10, using the secret key Key calculated by the key generation unit 202, and generates the ciphertext Cipher as its output.
- The parameter Param and the secret key Key may be calculated in advance and stored in the storage unit 12 of the encryption device.
- the decryption device 20 inputs the ciphertext Cipher via the input / output unit 13, for example.
- The decryption means 204 executes decryption processing on the ciphertext Cipher using the secret key Key calculated by the key generation means 202, and generates the plaintext Message as its output, or generates a character string meaning that the ciphertext Cipher is invalid.
- the secret key Key may be stored in advance in the storage unit 12 of the decryption device.
- SymEnc (SymKey, M) represents that the document M is encrypted with the common key encryption method using SymKey as a secret key.
- SymDec (SymKey, C) represents that the ciphertext C is decrypted by the common key cryptosystem using the SymKey as a secret key.
- MAC indicates the operation of calculating the message authenticator of document M using the key MACKey
- Ver indicates the operation of checking the validity of the message authenticator MAC of document M using the key MACKey.
- the message authenticator is also called a message authentication code (Message Authentication Code)
- a verifier having a common key MACKey can detect a change in the contents of the document M. Any method can be used as long as it can protect the authentication, and the specific generation method is not particularly limited.
- An existing method can be used as a method for generating a message authenticator and a method for confirming validity. In the example shown below, accept is returned if the input MAC is the message authenticator of document M, and a value other than accept is returned otherwise.
- parameter generation processing executed by the parameter generation unit 201 will be described.
- the processing executed by the parameter generation unit 201 is the same as that of the parameter generation unit 101 of the first embodiment.
- Param (SecPar, MesSpSize, B, MaxVal) is output in step S116 of FIG.
- FIG. 11 is a flowchart illustrating an example of a key generation process according to the present embodiment.
- the key generation unit 202 executes the following processing, for example.
- the key generation unit 202 generates OPEkey by the same method as the key generation unit 102 of the first embodiment with Param as OPEParam (step S322).
- The key generation unit 202 randomly selects SecPar-bit strings MACKey and SymKey (step S323).
- FIG. 12 is a flowchart illustrating an example of the encryption processing of the present embodiment.
- the encryption means 203 performs the following processes, for example.
- the encrypting unit 203 generates OPEPart by the same method as the encrypting unit 103 of the first embodiment, with Param as OPEParam (step S332).
- SymPart represents a concatenation of OPEPart and SymPart.
- FIG. 13 is a flowchart illustrating an example of the decryption process according to the present embodiment.
- The decryption means 204 performs the following processes, for example.
- the decryption means 204 calculates Ver (MACKey, OPEPart
- the decryption means 204 returns an output indicating that the input ciphertext Cipher is invalid if Ver (MACKey, OPEPart
- SymPart, MACPart) accept (Yes in step S343, S344).
- The decryption unit 204 outputs Message as the decryption result (step S345).
- In the key generation process, a common-key encryption key SymKey and a message authenticator key MACKey are also generated.
- In the encryption process, an OPEPart is generated for the plaintext Message, a ciphertext SymPart is generated by encrypting the plaintext Message with the common key SymKey, and the ciphertext Cipher is obtained by adding a message authenticator MACPart, computed using MACKey, to the concatenation of the ciphertext SymPart and OPEPart.
- In the decryption process, the ciphertext SymPart, the ciphertext OPEPart, and the message authenticator MACPart are recovered from the input ciphertext Cipher, and the validity of MACPart as the message authenticator for the concatenation of the ciphertext SymPart and the ciphertext OPEPart is checked. When the validity is confirmed, the plaintext is obtained by decrypting the ciphertext SymPart using the common key SymKey.
- Decryption is made possible by combining the order-preserving encryption method with the common-key encryption method. That is, an encryption system in which the magnitudes of plaintexts can be compared while they are encrypted in a decryptable form, with security ensured, is realized with a simpler implementation.
- The configuration of the "first embodiment" in the third embodiment is changed to the configuration of the "second embodiment". That is, the parts of the configuration and operation shown in the third embodiment that are the same as in the first embodiment are made the same as in the second embodiment.
- The encryption process and the decryption process can be performed by a more efficient method.
- FIGS. 14 and 15 are block diagrams showing examples of applying the order-preserving encryption system according to the present invention to a database system.
- FIG. 14 shows an example in which the secure database system 500 includes, as its order-preserving encryption system, the encryption apparatus 10 that implements the encryption method of the first embodiment.
- FIG. 15 shows an example in which the secure database system 500 includes, as its order-preserving encryption system, an encryption apparatus 10 that implements the encryption method and the decryption method of the third embodiment.
- a secure database system 500 shown in FIG. 14 includes an encryption device 10 that implements the encryption method of the first embodiment, and a secure database 40.
- the secure database 40 includes a control unit (not shown) that collectively performs data operations on the database.
- Size comparison means 402 is included as one function of the control unit.
- the encryption device 10 in this example encrypts data held in the secure database 40.
- The parameter generation unit 101 and the key generation unit 102 execute the parameter generation processing and the key generation processing in advance (for example, before the operation of the secure database 40) to generate OPEParam and OPEKey.
- For example, messages Message[1], ..., Message[n] to be registered in the secure database 40 are input by the user who uses the encryption device 10 (or by some program installed in the encryption device 10).
- the encryption device 10 performs an encryption process on each message Message, and outputs them.
- OPEPart [1],..., OPEPart [n] may be calculated and sent to the secure database 40.
- OPEPartGen OPEPartGen
- OPEPartGen Message [n]
- the secure database 40 stores the transmitted data in the data storage unit 401.
- each OPEPart is saved in a format of (i, OPEPart [i]). That is, the secure database 40 stores (1, OPEPart [1]),..., (N, OPEPart [n]) in the data storage unit 401.
- The subscript i of OPEPart[i] is referred to as the ID of OPEPart[i] or Message[i].
- Suppose that a user of the encryption device 10 needs the IDs of the messages Message[] stored in the secure database 40 whose values are at least M and at most M′.
- The size comparison means 402 of the secure database 40 outputs, as a search result, a list of i satisfying OPEPart_M ≤ OPEPart[i] ≤ OPEPart_M′ from among OPEPart[1], ..., OPEPart[n].
- By the nature of order-preserving encryption, a necessary and sufficient condition for M ≤ Message[i] ≤ M′ is OPEPart_M ≤ OPEPart[i] ≤ OPEPart_M′. Therefore, a list of i satisfying M ≤ Message[i] ≤ M′ is obtained by performing the above-described protocol.
- the above protocol is useful in the following situations, for example.
- The size comparison means 402 of the secure database 40 may output, as a search result, the number of i satisfying OPEPart_M ≤ OPEPart[i] ≤ OPEPart_M′.
- If the encryption device 10 is one that implements the encryption method of the second embodiment, the encryption process can be performed more efficiently.
- a secure database 500 shown in FIG. 15 includes an encryption device 10 that implements the encryption method and the decryption method of the third embodiment, and a secure database 40.
- The secure database 40 includes a control unit (not shown) that collectively performs data operations on the database. Size comparison means 402 is included as one function of the control unit.
- the encryption device 10 of this example encrypts and decrypts data held in the secure database 40.
- For example, messages Message[1], ..., Message[n] to be registered in the secure database 40 are input by the user who uses the encryption device 10 (or by some program installed in the encryption device 10).
- the encryption device 10 performs an encryption process on each message Message, and outputs them.
- By executing CipherGen(OPEParam, Key, Message[1]), ..., CipherGen(OPEParam, Key, Message[n]), the outputs Cipher[1], ..., Cipher[n] are obtained.
- Enc () includes processing for calling the encryption processing OPEPartGen (OPEParam,) Message) of the first embodiment as already described.
- Cipher[i].OPEPart refers to the OPEPart[i] included in Cipher[i].
- the secure database 40 stores the transmitted data in the data storage unit 401.
- each Cipher is saved in the format (i, Cipher [i]). That is, the secure database 40 stores (1, Cipher [1]),..., (N, Cipher [n]) in the data storage unit 401.
- the subscript i of Cipher [i] is referred to as the ID of Cipher [i] or Message [i].
- a user using the encryption device 10 has a value M or higher in the message Message [] stored in the secure database 40, M ′.
- M the message
- The size comparison means 402 of the secure database 40 outputs, as a search result, a list of i satisfying OPEPart_M ≤ Cipher[i].OPEPart ≤ OPEPart_M′ from among Cipher[1], ..., Cipher[n].
- CipherDec OPEParam, Key, Cipher
- CipherDec OPEParam, Key, Cipher [5]
- Data magnitude comparison can be performed without performing decryption processing. Therefore, when data is to be decrypted and extracted, the decryption processing can be performed after narrowing down to the necessary data.
- FIG. 16 is a block diagram showing a minimum configuration example of the order-preserving encryption system according to the present invention.
- The order-preserving encryption system according to the present invention includes the encryption means 1 as a minimum component.
- When plaintext is received as input, the encryption means 1 generates an order-preserving ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on a set generated from the plaintext space using a uniform distribution, or a key to a predetermined pseudo-random function, included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- With an order-preserving encryption system having this minimum configuration, order-preserving encryption can be performed with a simpler algorithm while maintaining the security guarantee.
- FIG. 17 is a block diagram showing a minimum configuration example of the database system according to the present invention.
- The database system according to the present invention includes an encryption means 1, a data storage means 2, and a size comparison means 3 as minimum components.
- When the encryption means 1 receives a plaintext as input, it generates an order-preserved ciphertext OPEPart according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from the plaintext space using a uniform distribution and included in the secret key, or a key to a pseudo-random function, and whose conditional probability is expressed using a binomial distribution.
- The data storage means 2 stores the ciphertext OPEPart generated by the encryption means 1 as data.
- When determining how the content of the data stored in the data storage means 2 compares in magnitude with an arbitrary plaintext M, the size comparison means 3 makes the determination by comparing the ciphertext OPEPart_M, obtained by order-preserving encryption of the plaintext M by the encryption means 1, with the data to be judged.
- An order-preserving encryption system comprising: encryption means for generating an order-preserved ciphertext according to a predetermined probability distribution in which a conditional probability is expressed using a binomial distribution.
- (Supplementary Note 2) Generate a first set S composed of elements selected uniformly at random from a plaintext space, and generate a second set L composed of uniform random numbers taking values in the first set S,
- a key generation unit configured to generate data including the first set S and the second set L as a secret key; and the encryption unit receives a plaintext as an input and follows a predetermined probability distribution based on the secret key.
- the number C′′ of elements of the second set L corresponding to those elements of the first set S that are at most a value MB determined from the plaintext is calculated, and the second value according to a predetermined probability distribution
- a value C′ determined from the number of elements of the plaintext space is calculated, and the second value C′ is added to the first value C′′ to generate an order-preserved ciphertext OPEPart.
- the bisection method that calculates the value MBVal by using the second value MBVal, generates the ciphertext OPEPart that is stored in order using the second value MBVal, and obtains the first value MBNum is the upper limit High and the lower limit Low of the bisection method. Based on the values HighNum and LowNum, the value MidNum in the middle Mid between the upper limit High and the lower limit Low is calculated using a binomial distribution, and the bisection method for obtaining the second value MBVal is a bisection method.
- the key generation means generates a common key of the common key cryptosystem and the MAC key of the message authenticator in addition to the secret key.
- a ciphertext OPEPart that is stored in order is generated, and a plaintext is encrypted using a common encryption method using a common key to generate a ciphertext SymPart, and a combination of the ciphertext OPEPart and the ciphertext SymPart
- the ciphertext Cipher is generated by adding the message authenticator MACPart generated using the MAC key to the ciphertext
- the ciphertext Cipher generated by the encryption means is input, the ciphertext Cipher
- the ciphertext OPEPart, the ciphertext SymPart, and the message authenticator MACPart are restored, and the validity of the restored message authenticator MACPart is combined with the restored ciphertext OPEPart and the restored ciphertext SymPart.
- Sentence and MAC key The sequence-preserving
- The predetermined probability distribution is a probability distribution that takes the value 0 with probability p and the value 1 with probability 1-p, where p is a real number. Encryption system.
- An encryption apparatus comprising: encryption means for generating an order-preserved ciphertext according to a predetermined probability distribution in which a conditional probability is expressed using a binomial distribution.
- (Supplementary note 7) Generate a first set S consisting of elements selected uniformly at random from a plaintext space, and generate a second set L consisting of uniform random numbers taking values in the first set S,
- a key generation unit configured to generate data including the first set S and the second set L as a secret key; and the encryption unit receives a plaintext as an input and follows a predetermined probability distribution based on the secret key.
- the number C′′ of elements of the second set L corresponding to those elements of the first set S that are at most a value MB determined from the plaintext is calculated, and the second value according to a predetermined probability distribution
- a value C′ determined from the number of elements of the plaintext space is calculated, and the second value C′ is added to the first value C′′ to generate an order-preserved ciphertext OPEPart.
- a key generation unit that generates a key to a predetermined pseudo-random function as a secret key, and the encryption unit receives a plaintext as an input, calculates a value MB determined from the plaintext based on the secret key, As a first value according to a predetermined probability distribution, a value MBNum is obtained by a bisection method with the value MB as the accuracy of the approximate solution, and as a second value according to the predetermined probability distribution, the first value MBNum is determined as the accuracy of the approximate solution.
- the bisection method that calculates the value MBVal by using the second value MBVal, generates the ciphertext OPEPart that is stored in order using the second value MBVal, and obtains the first value MBNum is the upper limit High and the lower limit Low of the bisection method. Based on the values HighNum and LowNum, the value MidNum in the middle Mid between the upper limit High and the lower limit Low is calculated using a binomial distribution, and the bisection method for obtaining the second value MBVal is a bisection method.
- the key generation unit In addition to the secret key, the key generation unit generates a common key of the common key cryptosystem and the MAC key of the message authenticator.
- a ciphertext OPEPart that is stored in order is generated, and a plaintext is encrypted using a common encryption method using a common key to generate a ciphertext SymPart, and a combination of the ciphertext OPEPart and the ciphertext SymPart
- the ciphertext Cipher is generated by adding the message authenticator MACPart generated using the MAC key to the ciphertext
- the ciphertext Cipher generated by the encryption means is input, the ciphertext Cipher
- the ciphertext OPEPart, the ciphertext SymPart, and the message authenticator MACPart are restored, and the validity of the restored message authenticator MACPart is combined with the restored ciphertext OPEPart and the restored ciphertext SymPart.
- (Supplementary note 12) Generate a first set S consisting of elements uniformly and randomly selected from a plaintext space, and generate a second set L consisting of uniform random numbers taking values in the first set S, A key generation unit configured to generate data including the first set S and the second set L as a secret key; and the encryption unit receives a plaintext as an input and follows a predetermined probability distribution based on the secret key.
- the number C ′′ of elements of the second set L corresponding to elements of a value MB or less determined from the plaintext among the elements of the first set S is calculated, and the second value according to a predetermined probability distribution As described in appendix 11, a value C ′ determined from an element in the plaintext space is calculated, and a second value C ′ is added to the first value C ′′ to generate a ciphertext OPEPart stored in order. Database system.
- a key generation unit that generates a key to a predetermined pseudo-random function as a secret key, and the encryption unit receives a plaintext as an input, calculates a value MB determined from the plaintext based on the secret key, As a first value according to a predetermined probability distribution, a value MBNum is obtained by a bisection method with the value MB as the accuracy of the approximate solution, and as a second value according to the predetermined probability distribution, the first value MBNum is determined as the accuracy of the approximate solution.
- the bisection method that calculates the value MBVal by using the second value MBVal, generates the ciphertext OPEPart that is stored in order using the second value MBVal, and obtains the first value MBNum is the upper limit High and the lower limit Low of the bisection method. Based on the values HighNum and LowNum, the value MidNum in the middle Mid between the upper limit High and the lower limit Low is calculated using a binomial distribution, and the bisection method for obtaining the second value MBVal is a bisection method.
- the key generation unit In addition to the secret key, the key generation unit generates a common key of the common key cryptosystem and the MAC key of the message authenticator.
- the key generation unit receives the plaintext as input, the key generation unit A ciphertext OPEPart that is stored in order is generated, and a plaintext is encrypted using a common encryption method using a common key to generate a ciphertext SymPart, and a combination of the ciphertext OPEPart and the ciphertext SymPart
- the ciphertext Cipher is generated by adding the message authenticator MACPart generated using the MAC key to the ciphertext, and the ciphertext Cipher generated by the encryption means is input, the ciphertext Cipher
- the ciphertext OPEPart, the ciphertext SymPart, and the message authenticator MACPart are restored, and the validity of the restored message authenticator MACPart is combined with the restored ciphertext OPEPart and the restored ciphertext SymPart.
- the decrypted ciphertext SymPart is decrypted using a common key to obtain plaintext, and the data storage means is generated by the encrypting means.
- the ciphertext Cipher is stored as data, and the size comparison means compares the size of the plaintext M ciphertext OPEPart_M encrypted in order by the encryption means and the ciphertext OPEPart restored from the data to be determined.
- the database system according to supplementary note 12 or supplementary note 13, wherein the size of the data content and an arbitrary plaintext M is determined by doing so.
- a secret key a data including a set generated from a plaintext space using a uniform distribution or a key to a predetermined pseudorandom function is generated, and when a plaintext is received as an input, a value determined from the plaintext, A probability distribution generated based on a set generated from a plaintext space included in a secret key using a uniform distribution or a key to a predetermined pseudo-random function, where the conditional probability is expressed using a binomial distribution.
- An order-preserving encryption method that generates order-preserved ciphertexts according to a predetermined probability distribution.
- (Supplementary note 17) Generate a first set S consisting of elements uniformly and randomly selected from a plaintext space, and generate a second set L consisting of uniform random numbers taking values in the first set S, When data including the first set S and the second set L is generated as a secret key and a plaintext is received as an input, the first set S is obtained as a first value according to a predetermined probability distribution based on the secret key.
- the value MBNum is obtained by the bisection method with the value MB as the accuracy of the approximate solution
- the value MBVal is obtained by the bisection method with the first value MBNum as the accuracy of the approximate solution as the second value according to the predetermined probability distribution
- the bisection method that generates the ciphertext OPEPart that is stored in order using the value MBVal of 2 and obtains the first value MBNum is the upper limit based on the upper and lower limits of the bisection method and the values HighNum and LowNum in them.
- the value MidNum in the middle Mid between High and the lower limit Low is calculated using a binomial distribution.
- the bisection method for obtaining the second value MBVal is the upper limit HighNum and the lower limit LowNum of the bisection method and the values in them.
- Intermediate Mi between upper limit HighNum and lower limit LowNum based on HighVal, LowVal The value MidVal in dNum is calculated using the binomial distribution, and the binomial distribution used in the bisection method for obtaining the first value MBNum and the dichotomy for obtaining the second value MBVal is secret to the pseudo-random function.
- Item 17 The order-preserving encryption method according to appendix 16, which is generated using a pseudo-random number obtained by inputting a key.
- a common key of the common key cryptosystem and a MAC key of the message authenticator are generated, and when the plaintext is received as input, the ciphertext OPEPart stored in order using the secret key is Generate a ciphertext SymPart by encrypting the plaintext using the common encryption method using the common key, and use the MAC key for the composite ciphertext combining the ciphertext OPEPart and the ciphertext SymPart
- the ciphertext Cipher is generated by adding the generated message authenticator MACPart, and when the ciphertext Cipher is input, the ciphertext OPEPart, ciphertext SymPart, and message authenticator MACPart are restored from the ciphertext Cipher.
- the validity of the restored message authenticator MACPart was verified using a composite ciphertext that combines the restored ciphertext OPEPart and the restored ciphertext SymPart and the MAC key, and the validity was confirmed. Is restored if The order storage encryption method according to Appendix 17 or E18 obtain plaintext decrypted using the common key ciphertext SymPart.
- The order-preserving encryption method according to any one of Supplementary note 16 to Supplementary note 19, wherein the predetermined probability distribution is a probability distribution that takes the value 0 with probability p and the value 1 with probability 1-p, where p is a real number.
- a computer generates a first set S consisting of elements uniformly and randomly selected from a plaintext space, and a second set L consisting of uniform random numbers taking values in the first set S.
- a first value according to a predetermined probability distribution based on the secret key a first value according to a predetermined probability distribution based on the secret key
- the number C ′′ of elements of the second set L corresponding to elements of a value MB or less determined from the plaintext among the elements of the first set S is calculated, and the second value according to a predetermined probability distribution is calculated as the second value of the plaintext space.
- Stored encryption program a first set S consisting of elements uniformly and randomly selected from a plaintext space, and a second set L consisting of uniform random numbers taking values in the first set S
- a value MB determined from the plaintext is calculated based on the secret key, and follows a predetermined probability distribution
- the value MBNum is obtained as a first value by a bisection method using the value MB as the accuracy of the approximate solution, and a value obtained by the dichotomy method using the first value MBNum as the accuracy of the approximate solution as a second value according to a predetermined probability distribution.
- the bisection method for obtaining MBVal, generating the ciphertext OPEPart stored in order using the second value MBVal, and obtaining the first value MBNum is the upper limit High and the lower limit Low of the bisection method and Based on the values HighNum and LowNum, the value MidNum at the middle Mid between the upper limit High and the lower limit Low is calculated using the binomial distribution, and the bisection method for obtaining the second value MBVal is the upper limit of the dichotomy HighNum, lower limit LowNum and their values HighVal, LowVal
- the value MidVal at the intermediate MidNum between the upper limit HighNum and the lower limit LowNum is calculated using the binomial distribution, and the bisection method for obtaining the first value MBNum and the bisection method for obtaining the second value MBVal
- the binomial distribution used for is the order-preserving encryption program according to appendix 21, wherein the binomial distribution is generated using a pseudorandom number obtained by inputting a secret key into a pseudorandom function
- The present invention can be suitably applied to applications in which it is desired to perform a size comparison in an encrypted state while ensuring the confidentiality of data.
- The present invention can be used for a secure database, for example.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Description
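Let {1,...,N} be the plaintext space. Let X be a probability distribution that outputs a positive value in most cases, and let ζ be a constant. For each i∈{-ζ,...,N}, the ciphertext of a plaintext m∈{1,...,N} can be written in the form Enc(K,m) = Σ_{i=-ζ,...,m} α[i]. Here α[i] is a random number following the probability distribution X, and only someone who knows the secret key K can compute α[i]. To decrypt a ciphertext C, the m satisfying C = Σ_{i=-ζ,...,m} α[i] is output as the plaintext. Note that Enc(K,m) is a sum from -ζ to m. In this scheme, the larger m is, the more terms α[i] are added on the right-hand side of Enc(K,m) = Σ_{i=-ζ,...,m} α[i]. Therefore, the larger m is, the larger Enc(K,m) becomes. Hence, if m<m', then Enc(K,m)<Enc(K,m') holds.
Next, the idea behind the order-preserving encryption scheme of the present invention is described. Where the first embodiment described in Patent Document 1 used U real numbers p[1],...,p[n] and U probability distributions B[1],...,B[n], the present invention realizes the scheme using only the case U=1. That case is described below. In the following, subscripts are omitted, and p[1] and B[1] are written simply as p and B, respectively.
・C = (Σ_{i≤M with j[i]=0} α[i]) + (Σ_{i≤M with j[i]=1} α[i])
can be written in this way. Let the first and second terms on the right-hand side of the above equation be C' and C'', respectively.
Since α[i]=1 when j[i]=1, for C'' the relation
・C'' = (the number of i≤M such that j[i]=1)
holds.
・The probability distribution of "the sum of α[i] over the elements of {a,..,a+b} for which j[i]=0" under the condition that "the sum of α[i] over the elements of the set {a,..,a+2b} for which j[i]=0 is m"
・(1) the elements of S are randomly distributed over {0,...,MesSpSize}, and
・(2) moreover, the number of elements of S is approximately MesSpSize/p
are made to hold. The security of the scheme of Patent Document 1 is guaranteed by these properties.
・Let N be (4×MesSpSize/p with the fractional part truncated),
・choose random numbers u[1],...u[N] uniformly at random from {0,...,MesSpSize}, and
・let S={u[1],...u[N]}.
・(1)' the elements of S are randomly distributed over {0,...,MesSpSize}, and
・(2)' moreover, the number of elements of S is approximately 4×MesSpSize/p
hold, so the scheme can be said to have almost the same properties as (1) and (2) above. Therefore, the security of this scheme is guaranteed in the same way as that of the scheme of Patent Document 1. The reason 4×MesSpSize/p rather than MesSpSize/p was used in defining N is to keep the parameter size from becoming too small when the fractional part is truncated.
・Binom(n,1/2)
is the resulting distribution, so the hypergeometric distribution is not needed. Here Binom(n,p) is the probability distribution of the number of heads obtained when n independent coins, each landing heads with probability p, are tossed. Since algorithms are known that efficiently generate samples from the binomial distribution even for huge parameters, the order-preserving encryption scheme of the present invention can also efficiently generate samples for huge distribution parameters (for example, 2 to the power of the security parameter).
・C' = Σ_{i≤M with j[i]=0} α[i]
holds.
・Choose the set S as described above.
・Choose uniform random numbers c[1], ..., c[MaxVal] taking values in S.
・Let S={u[1],...u[N]} and S''={the elements of S that are at most MB}, and let C' be the number of elements of the set {i such that c[i] = s | s∈S''}.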
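A configuration example of the order-preserving encryption system according to the first embodiment of the present invention is described with reference to FIGS. 1 and 2. FIG. 1 is a block diagram showing an example of the device included in the order-preserving encryption system of this embodiment. As shown in FIG. 1, the order-preserving encryption system of this embodiment includes an encryption device 10. The encryption device 10 includes a computation unit 11, a storage unit 12, and an input/output unit 13. The encryption device 10 is realized by, for example, an information processing device such as a personal computer that operates according to a program. In this case, the computation unit 11, the storage unit 12, and the input/output unit 13 are realized by a CPU, memory, and various input/output devices (for example, a keyboard, a mouse, and a network interface unit), respectively.
・The parameter generation means 101 receives SecPar, MesSpSize, k, θ, α as input (step S111).
・The parameter generation means 101 calculates B = kθ+1 (step S112).
・The parameter generation means 101 calculates Max = 4 × MesSpSize (step S113).
・The parameter generation means 101 calculates p=θ × kα (step S114).
・The parameter generation means 101 calculates MaxNum = (Max/p with the fractional part truncated) (step S114).
・The parameter generation means 101 calculates MaxVal = 2^SecPar × MaxNum (step S115).
・The parameter generation means 101 outputs OPEParam=(SecPar, MesSpSize, B, MaxVal, p) (step S116).
・The key generation means 102 receives OPEParam=(SecPar, MesSpSize, B, MaxVal, p) as input (step S121).
・The key generation means 102 sets N to (4×MesSpSize/p with the fractional part truncated) (step S122).
・The key generation means 102 chooses random numbers u[1],...u[N] uniformly at random from {0,...,MesSpSize} and sets S={u[1],...u[N]} (step S123).
・The key generation means 102 chooses uniform random numbers c[1], ..., c[MaxVal] taking values in S (step S124).
・The key generation means 102 outputs OPEKey = (u[1],...u[N],c[1], ..., c[MaxVal]) (step S125).
・The encryption means 103 receives OPEParam=(SecPar, MesSpSize, B, MaxVal, p), OPEKey = (u[1],...u[N],c[1], ..., c[MaxVal]) and a plaintext Message as input (step S131).
・The encryption means 103 calculates MB = Message + B (step S132).
・The encryption means 103 sets S={u[1],...u[N]} and S''={the elements of S that are at most MB}, and lets C'' be the number of elements of the set {i such that c[i] = s | s∈S''} (step S133).
・The encryption means 103 calculates C' = 4 × MesSpSize - N (step S134).
・The encryption means 103 outputs OPEPart = C' + C'' (step S135).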
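Next, a second embodiment of the present invention is described with reference to the drawings. The device configuration and functional configuration of this embodiment are the same as in the first embodiment. In this embodiment, however, the encryption processing by the encryption means 103 uses the following subroutine, called PseudoBinom.
・It receives as input a natural number n, bit strings u and v, and a pseudorandom function key PRFKey.
・It feeds the key PRFKey and the input u||v to the pseudorandom function and obtains the output Q.
Here u||v is the concatenation of the bit strings u and v.
・It runs an algorithm that generates a random number following the binomial distribution Binom(n,1/2) and obtains its output R.
In doing so, R is used as the algorithm's source of randomness.
・The parameter generation means 101 receives SecPar, MesSpSize, k, θ, α as input (step S211).
・The parameter generation means 101 calculates B, Max, MaxNum, and MaxVal by the same method as in the first embodiment (steps S212 to S215).
・The parameter generation means 101 outputs OPEParam=(SecPar, B, Max, MaxNum, MaxVal) (step S216).
・The key generation means 102 receives OPEParam=(SecPar, B, Max, MaxNum, MaxVal) as input (step S221).
・The key generation means 102 chooses a SecPar-bit bit string PRFKey at random (step S222).
・The key generation means 102 outputs OPEKey=PRFKey (step S223).
・The encryption means 103 receives OPEParam=(SecPar, B, Max, MaxNum, MaxVal), OPEKey=PRFKey and a plaintext Message as input (step S231).
・The encryption means 103 calculates MB = Message + B (step S232).
・The encryption means 103 calculates (High,Low,HighNum,LowNum)=(Max,0,MaxNum,0) as the initial values of the While loop (step S2331).
・While High > MB, the encryption means 103 performs the following (1) to (3) (first While loop: steps S2332 to S2334).
(1) Set Mid = ((Low+High)/2 with the fractional part truncated) (step S2333).
(2) Calculate MidNum = LowNum + PseudoBinom(HighNum-LowNum,High,Low,PRFKey) (step S2333).
(3) If Mid ≥ MB, set (High,HighNum)=(Mid,MidNum); otherwise set (Low,LowNum)=(Mid,MidNum) (step S2333).
・The encryption means 103 sets MBNum = MidNum (step S2335).
・The encryption means 103 calculates (HighNum,LowNum,HighVal,LowVal)=(MaxNum,0,MaxVal,0) as the initial values of the second While loop (step S2341).
・While HighNum > MBNum, the encryption means 103 performs the following (1) to (3) (second While loop: steps S2342 to S2344).
(1) Calculate MidNum = ((LowNum+HighNum)/2 with the fractional part truncated) (step S2343).
(2) Calculate MidVal = LowVal + PseudoBinom(HighVal-LowVal,High,Low,PRFKey) (step S2343).
(3) If MidNum ≥ MBNum, set (HighNum,HighVal)=(MidNum,MidVal); otherwise set (LowNum,LowVal)=(MidNum,MidVal) (step S2343).
・The encryption means 103 sets MBVal = MidVal (step S2345).
・The encryption means 103 outputs OPEPart=MB+MBVal (step S235).
・MBNum is calculated by the bisection method (steps S2331 to S2335), and
・the MBNum thus obtained is then used to calculate MBVal, again by the bisection method (steps S2341 to S2345).
This is the structure of the processing.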
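The second embodiment's two bisection passes and the PseudoBinom subroutine, as an added Python example that is not code from the patent. Assumptions: HMAC-SHA256 is the pseudorandom function, its output Q is expanded with SHAKE-256 and used as the sampler's randomness, the second pass keys PseudoBinom on its own interval endpoints (HighNum, LowNum) under a separate label so that every plaintext walks the same value tree, and the parameters and key are constructed toy values.

```python
import hashlib
import hmac

# Constructed toy parameters (chosen directly, not derived from k, θ, α) and key.
PARAMS = {"B": 3, "Max": 256, "MaxNum": 64, "MaxVal": 16384}
DEMO_KEY = b"constructed-demo-PRFKey"


def prf(key: bytes, label: bytes, u: int, v: int) -> bytes:
    """Q = PRF(PRFKey, u||v). HMAC-SHA256 is this example's choice of PRF;
    u and v are fixed-width encoded so the concatenation is unambiguous."""
    data = label + u.to_bytes(16, "big") + v.to_bytes(16, "big")
    return hmac.new(key, data, hashlib.sha256).digest()


def pseudo_binom(n: int, u: int, v: int, key: bytes, label: bytes = b"") -> int:
    """Deterministic draw from Binom(n, 1/2): expand Q into n pseudorandom
    bits and count the ones. Linear in n, so suitable for toy sizes only."""
    if n == 0:
        return 0
    q = prf(key, label, u, v)
    nbytes = (n + 7) // 8
    bits = int.from_bytes(hashlib.shake_256(q).digest(nbytes), "big")
    bits >>= nbytes * 8 - n  # keep exactly n bits
    return bin(bits).count("1")


def bisect_value(target: int, high: int, high_val: int, key: bytes, label: bytes) -> int:
    """One While loop of the encryption procedure: walk the bisection tree over
    [0, high] down to `target`, splitting the value range at each midpoint with
    a keyed binomial draw. The draw depends only on the interval (high, low),
    so separate encryptions assign the same value to the same point."""
    low, low_val = 0, 0
    while high > target:
        mid = (low + high) // 2
        mid_val = low_val + pseudo_binom(high_val - low_val, high, low, key, label)
        if mid >= target:
            high, high_val = mid, mid_val
        else:
            low, low_val = mid, mid_val
    # Equals the last MidNum/MidVal whenever the loop ran at least once.
    return high_val


def ope_encrypt(params: dict, key: bytes, message: int) -> int:
    """OPEPart = MB + MBVal."""
    mb = message + params["B"]
    if not 0 <= mb <= params["Max"]:
        raise ValueError("Message + B must lie in [0, Max]")
    # First pass: MB -> MBNum over [0, Max] with values in [0, MaxNum].
    mb_num = bisect_value(mb, params["Max"], params["MaxNum"], key, b"num")
    # Second pass: MBNum -> MBVal over [0, MaxNum] with values in [0, MaxVal].
    # The step as printed passes High, Low to PseudoBinom here; this example
    # uses the second pass's own endpoints (assumption, see lead-in).
    mb_val = bisect_value(mb_num, params["MaxNum"], params["MaxVal"], key, b"val")
    return mb + mb_val


def encrypt_range(params: dict, key: bytes, first: int, last: int) -> list:
    """Encrypt every plaintext in [first, last]; used to check ordering."""
    return [ope_encrypt(params, key, m) for m in range(first, last + 1)]


if __name__ == "__main__":
    cts = encrypt_range(PARAMS, DEMO_KEY, 0, 64)
    print(cts[:8])
    print("strictly increasing:", all(a < b for a, b in zip(cts, cts[1:])))
```

MBVal alone is only non-decreasing in the plaintext; adding MB is what makes OPEPart strictly increasing.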
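Next, a third embodiment of the present invention is described with reference to the drawings. FIG. 9 is a block diagram showing a configuration example of the order-preserving encryption system according to the third embodiment. The order-preserving encryption system shown in FIG. 9 includes an encryption device 10, a decryption device 20, and a key generation device 30. The physical configuration of each device is the same as that of the encryption device 10 shown in FIG. 1.
・The key generation means 202 receives Param=(SecPar, MesSpSize, B, MaxVal) as input (step S321).
・Treating Param as OPEParam, the key generation means 202 generates OPEKey by the same method as the key generation means 102 of the first embodiment (step S322).
Here, steps S122 to S125 of FIG. 4 are executed to obtain OPEKey=(u[1],...,u[N], c[1],...c[MaxVal]).
・The key generation means 202 chooses SecPar-bit bit strings MACKey and SymKey at random (step S323).
・The key generation means 202 outputs Key=(OPEKey, MACKey, SymKey) (step S324).
・The encryption means 203 receives Param, Key=(OPEKey, MACKey, SymKey), and a plaintext Message as input (step S331).
・Treating Param as OPEParam, the encryption means 203 generates OPEPart by the same method as the encryption means 103 of the first embodiment (step S332).
Here, steps S132 to S135 of FIG. 5 are executed to obtain OPEPart=C'+C''.
・The encryption means 203 calculates SymPart = SymEnc(SymKey, Message) (step S333).
・The encryption means 203 calculates MACPart = MAC(MACKey, OPEPart||SymPart) (step S334).
Here, OPEPart||SymPart denotes the concatenation of OPEPart and SymPart.
・The encryption means 203 outputs the ciphertext Cipher = (OPEPart, SymPart, MACPart) (step S335).
・The decryption means 204 receives Param, Key=(OPEKey, MACKey, SymKey), and Cipher = (OPEPart, SymPart, MACPart) as input (step S341).
・The decryption means 204 calculates Ver(MACKey,OPEPart||SymPart,MACPart) (step S342).
・If Ver(MACKey,OPEPart||SymPart,MACPart)≠accept, the decryption means 204 returns an output indicating that the input ciphertext Cipher is invalid and terminates (No in step S343, S346).
・If Ver(MACKey,OPEPart||SymPart,MACPart)=accept, the decryption means 204 calculates Message=SymDec(SymKey,SymPart) (Yes in step S343, S344).
・The decryption means 204 outputs Message as the decryption result (step S345).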
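The third embodiment's Cipher = (OPEPart, SymPart, MACPart) together with the secure database's range search on OPEPart alone, as an added Python example that is not code from the patent. Assumptions: HMAC-SHA256 serves as MAC and Ver, a SHAKE-256 keystream stands in for SymEnc/SymDec, OPEPart is a stand-in in the summation form Enc(K,m) = Σ α[i] rather than the first embodiment's procedure, and all function and class names, the 16-byte OPEPart encoding and the sample messages are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets

OPE_WIDTH = 16   # bytes used to encode OPEPart inside the MAC input (assumption)
NONCE_LEN = 16


def ope_part(ope_key: bytes, message: int) -> int:
    """Stand-in OPEPart: sum of alpha[i] for i <= message, every alpha[i] >= 1
    and derived from the key, so the result is strictly increasing."""
    return sum(1 + hmac.new(ope_key, i.to_bytes(8, "big"), hashlib.sha256).digest()[0]
               for i in range(message + 1))


def xor_stream(sym_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for SymEnc/SymDec: XOR with a SHAKE-256 keystream. Use a vetted
    cipher in practice; this keeps the example standard-library only."""
    stream = hashlib.shake_256(sym_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def mac_part(mac_key: bytes, ope: int, sym: bytes) -> bytes:
    """MACPart = MAC(MACKey, OPEPart || SymPart), OPEPart at fixed width so the
    boundary between the two parts cannot be shifted."""
    return hmac.new(mac_key, ope.to_bytes(OPE_WIDTH, "big") + sym, hashlib.sha256).digest()


def encrypt(key: dict, message: int) -> tuple:
    ope = ope_part(key["ope"], message)
    nonce = secrets.token_bytes(NONCE_LEN)
    sym = nonce + xor_stream(key["sym"], nonce, message.to_bytes(8, "big"))
    return (ope, sym, mac_part(key["mac"], ope, sym))


def decrypt(key: dict, cipher: tuple) -> int:
    ope, sym, mac = cipher
    # Verify before decrypting; constant-time comparison of the tags.
    if not hmac.compare_digest(mac, mac_part(key["mac"], ope, sym)):
        raise ValueError("invalid ciphertext")
    nonce, body = sym[:NONCE_LEN], sym[NONCE_LEN:]
    return int.from_bytes(xor_stream(key["sym"], nonce, body), "big")


class SecureDatabase:
    """Stores (i, Cipher[i]) and holds no keys; it compares OPEPart values only."""

    def __init__(self):
        self.rows = {}

    def store(self, ciphers: list) -> None:
        for i, cipher in enumerate(ciphers, start=1):
            self.rows[i] = cipher

    def range_search(self, ope_lo: int, ope_hi: int) -> list:
        return [i for i, c in sorted(self.rows.items()) if ope_lo <= c[0] <= ope_hi]


def demo() -> tuple:
    key = {name: secrets.token_bytes(32) for name in ("ope", "sym", "mac")}
    messages = [42, 7, 19, 88, 23, 5]  # constructed sample data, IDs 1..6
    db = SecureDatabase()
    db.store([encrypt(key, m) for m in messages])
    # The client asks for M=10 .. M'=50 by sending OPEPart_M and OPEPart_M'.
    ids = db.range_search(ope_part(key["ope"], 10), ope_part(key["ope"], 50))
    found = [decrypt(key, db.rows[i]) for i in ids]  # decrypt only the hits
    # A record whose OPEPart was replaced by another record's fails verification.
    _, sym, mac = db.rows[2]
    forged = (db.rows[1][0], sym, mac)
    try:
        decrypt(key, forged)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return ids, found, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The database never sees MACKey, so it cannot check MACPart itself; the client's verification on decryption is what catches a record whose OPEPart was altered at rest.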
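The fourth embodiment replaces the "first embodiment" configuration used within the third embodiment with the "second embodiment" configuration. That is, the configuration and operation portions of the third embodiment that were stated to be the same as in the first embodiment are instead made the same as in the second embodiment. As a result, this embodiment can perform the encryption and decryption processing more efficiently than the third embodiment.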
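2 Data storage means
3 Size comparison means
10 Encryption device
20 Decryption device
30 Key generation device
40 Secure database
101, 201 Parameter generation means
102, 202 Key generation means
103, 203 Encryption means
204 Decryption means
401 Data storage means
402 Size comparison means
500 Secure database system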
Claims (10)
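- An order-preserving encryption system comprising encryption means that, upon receiving a plaintext as input, generates an order-preserved ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from a plaintext space using a uniform distribution and included in a secret key, or a key to a predetermined pseudorandom function, and whose conditional probability is expressed using a binomial distribution.
- The order-preserving encryption system according to claim 1, further comprising key generation means that generates a first set S consisting of elements selected uniformly at random from the plaintext space, generates a second set L consisting of uniform random numbers taking values in the first set S, and generates data including the first set S and the second set L as the secret key,
wherein the encryption means, upon receiving a plaintext as input, calculates, based on the secret key and as a first value following the predetermined probability distribution, the number C'' of elements of the second set L that correspond to those elements of the first set S that are at most a value MB determined from the plaintext, calculates, as a second value following the predetermined probability distribution, a value C' determined from the number of elements of the plaintext space, and generates an order-preserved ciphertext OPEPart by adding the second value C' to the first value C''.
- The order-preserving encryption system according to claim 1, further comprising key generation means that generates a key to a predetermined pseudorandom function as the secret key,
wherein the encryption means, upon receiving a plaintext as input, calculates, based on the secret key, a value MB determined from the plaintext, obtains, as a first value following the predetermined probability distribution, a value MBNum by a bisection method that uses the value MB as the accuracy of the approximate solution, obtains, as a second value following the predetermined probability distribution, a value MBVal by a bisection method that uses the first value MBNum as the accuracy of the approximate solution, and generates an order-preserved ciphertext OPEPart using the second value MBVal,
the bisection method for obtaining the first value MBNum calculates, using a binomial distribution, the value MidNum at a midpoint Mid lying between the upper limit High and the lower limit Low of the bisection method, based on the upper limit High, the lower limit Low, and the values HighNum and LowNum at them,
the bisection method for obtaining the second value MBVal calculates, using a binomial distribution, the value MidVal at a midpoint MidNum lying between the upper limit HighNum and the lower limit LowNum of the bisection method, based on the upper limit HighNum, the lower limit LowNum, and the values HighVal and LowVal at them, and
the binomial distributions used in the bisection method for obtaining the first value MBNum and in the bisection method for obtaining the second value MBVal are generated using pseudorandom numbers obtained by inputting the secret key to the pseudorandom function.
- The order-preserving encryption system according to claim 2 or claim 3, wherein the key generation means generates, in addition to the secret key, a common key of a symmetric-key cryptosystem and a MAC key for a message authentication code,
the encryption means, upon receiving a plaintext as input, generates the order-preserved ciphertext OPEPart using the secret key, further generates a ciphertext SymPart by encrypting the plaintext with the symmetric-key encryption scheme using the common key, and generates a ciphertext Cipher by appending, to a composite ciphertext formed by combining the ciphertext OPEPart and the ciphertext SymPart, a message authentication code MACPart generated using the MAC key, and
the system further comprises decryption means that, when the ciphertext Cipher generated by the encryption means is input, recovers the ciphertext OPEPart, the ciphertext SymPart, and the message authentication code MACPart from the ciphertext Cipher, verifies the validity of the recovered message authentication code MACPart using the MAC key and the composite ciphertext formed by combining the recovered ciphertext OPEPart and the recovered ciphertext SymPart, and, when the validity is confirmed, decrypts the recovered ciphertext SymPart using the common key to obtain the plaintext.
- The order-preserving encryption system according to any one of claims 1 to 4, wherein the predetermined probability distribution is a probability distribution that takes the value 0 with probability p and the value 1 with probability 1-p, where p is a real number.
- An encryption device comprising encryption means that, upon receiving a plaintext as input, generates an order-preserved ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from a plaintext space using a uniform distribution and included in a secret key, or a key to a pseudorandom function, and whose conditional probability is expressed using a binomial distribution.
- A database system comprising: encryption means that, upon receiving a plaintext as input, generates an order-preserved ciphertext OPEPart according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from a plaintext space using a uniform distribution and included in a secret key, or a key to a pseudorandom function, and whose conditional probability is expressed using a binomial distribution;
data storage means that stores the ciphertext OPEPart generated by the encryption means as data; and
size comparison means that determines how the content of the data stored in the data storage means compares in magnitude with an arbitrary plaintext M,
wherein the size comparison means determines how the content of the data compares in magnitude with the arbitrary plaintext M by comparing the ciphertext OPEPart_M of the plaintext M, obtained by order-preserving encryption by the encryption means, with the data to be judged.
- The database system according to claim 7, comprising: encryption means that, upon receiving a plaintext as input, generates an order-preserved ciphertext OPEPart according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from a plaintext space using a uniform distribution and included in a secret key, or a key to a pseudorandom function, and whose conditional probability is expressed using a binomial distribution, further generates a ciphertext SymPart by encrypting the plaintext with a symmetric-key encryption scheme using a common key, and generates a ciphertext Cipher by appending, to a composite ciphertext formed by combining the ciphertext OPEPart and the ciphertext SymPart, a message authentication code MACPart generated using a MAC key;
decryption means that, when a ciphertext Cipher is input, recovers the ciphertext OPEPart, the ciphertext SymPart, and the message authentication code MACPart from the ciphertext Cipher, verifies the validity of the recovered message authentication code MACPart using the MAC key and the composite ciphertext formed by combining the recovered ciphertext OPEPart and the recovered ciphertext SymPart, and, when the validity is confirmed, decrypts the recovered ciphertext SymPart using the common key to obtain the plaintext;
data storage means that stores the ciphertext Cipher generated by the encryption means as data; and
size comparison means that determines how the content of the data stored in the data storage means compares in magnitude with an arbitrary plaintext M,
wherein the size comparison means determines how the content of the data compares in magnitude with the arbitrary plaintext M by comparing the ciphertext OPEPart_M of the plaintext M, obtained by order-preserving encryption by the encryption means, with the ciphertext OPEPart recovered from the data to be judged.
- An order-preserving encryption method comprising: generating, as a secret key, data including a set generated from a plaintext space using a uniform distribution, or a key to a predetermined pseudorandom function; and
upon receiving a plaintext as input, generating an order-preserved ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on the set or the key to the predetermined pseudorandom function included in the secret key, and whose conditional probability is expressed using a binomial distribution.
- An order-preserving encryption program for causing a computer to execute
processing of, upon receiving a plaintext as input, generating an order-preserved ciphertext according to a predetermined probability distribution that is generated based on a value determined from the plaintext and on either a set generated from a plaintext space using a uniform distribution and included in a secret key, or a key to a pseudorandom function, and whose conditional probability is expressed using a binomial distribution.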
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015502734A JP6477461B2 (ja) | 2013-02-28 | 2014-01-27 | Order-preserving encryption system, device, method, and program |
US14/770,692 US20160013933A1 (en) | 2013-02-28 | 2014-01-27 | Order-preserving encryption system, device, method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013-038238 | 2013-02-28 | ||
JP2013038238 | 2013-02-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014132552A1 true WO2014132552A1 (ja) | 2014-09-04 |
Family
ID=51427834
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/000378 WO2014132552A1 (ja) | 2013-02-28 | 2014-01-27 | Order-preserving encryption system, device, method, and program |
Country Status (3)
Country | Link |
---|---|
US (1) | US20160013933A1 (ja) |
JP (1) | JP6477461B2 (ja) |
WO (1) | WO2014132552A1 (ja) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10171230B2 (en) * | 2014-02-28 | 2019-01-01 | Empire Technology Development Llc | Homomorphic encryption scheme |
KR102192594B1 (ko) * | 2019-01-18 | 2020-12-17 | Sejong University Industry-Academia Cooperation Foundation | Apparatus and method for order-revealing encryption in a multi-client environment without a trusted authority |
CN113630376B (zh) * | 2021-06-16 | 2023-04-07 | 新华三信息安全技术有限公司 | Network security device and method for processing packets thereof |
US11727157B2 (en) * | 2021-07-22 | 2023-08-15 | International Business Machines Corporation | Building an encrypted document store |
CN113596824A (zh) * | 2021-07-30 | 2021-11-02 | 深圳供电局有限公司 | Method for encrypting authentication-failure plaintext information in a 5G security protocol |
US20230388280A1 (en) * | 2022-05-25 | 2023-11-30 | CybXSecurity LLC | System, Method, and Computer Program Product for Generating Secure Messages for Messaging |
CN114969164B (zh) * | 2022-07-22 | 2022-10-21 | 华控清交信息科技(北京)有限公司 | Data query method, apparatus, and readable storage medium |
CN115623159B (zh) * | 2022-12-05 | 2023-03-14 | 深圳码隆智能科技有限公司 | Intelligent transmission method for monitoring data of intelligent experiment-operation examinations |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050147240A1 (en) * | 2004-01-05 | 2005-07-07 | Rakesh Agrawal | System and method for order-preserving encryption for numeric data |
US20070038579A1 (en) * | 2005-08-12 | 2007-02-15 | Tsys-Prepaid, Inc. | System and method using order preserving hash |
US20100306221A1 (en) * | 2009-05-28 | 2010-12-02 | Microsoft Corporation | Extending random number summation as an order-preserving encryption scheme |
US20120163586A1 (en) * | 2010-12-22 | 2012-06-28 | Electonics And Telecommunications Research Institute | Order-preserving encryption and decryption apparatus and method thereof |
WO2012157279A1 (ja) * | 2011-05-18 | 2012-11-22 | NEC Corporation | Order-preserving encryption system, device, method, and program |
-
2014
- 2014-01-27 WO PCT/JP2014/000378 patent/WO2014132552A1/ja active Application Filing
- 2014-01-27 US US14/770,692 patent/US20160013933A1/en not_active Abandoned
- 2014-01-27 JP JP2015502734A patent/JP6477461B2/ja active Active
Non-Patent Citations (4)
Title |
---|
BELAZZOUGUI, D. ET AL.: "Monotone Minimal Perfect Hashing: Searching a Sorted Table with O(1) Accesses", PROCEEDINGS OF THE 20TH ANNUAL ACM-SIAM SYMPOSIUM ON DISCRETE ALGORITHMS, 2009, pages 785-794 * |
BOLDYREVA, A. ET AL.: "Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions", LECTURE NOTES IN COMPUTER SCIENCE, vol. 6841, 2011, pages 578-595, XP019161029 * |
BOLDYREVA, A. ET AL.: "Order-Preserving Symmetric Encryption", LECTURE NOTES IN COMPUTER SCIENCE, vol. 5479, 2009, pages 224-241 * |
MALKIN, T. ET AL.: "Order-Preserving Encryption Secure Beyond One-Wayness", CRYPTOLOGY EPRINT ARCHIVE, 21 January 2013 (2013-01-21) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
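JP2018174525A (ja) * | 2017-03-31 | 2018-11-08 | Toyota Motor Engineering & Manufacturing North America, Inc. | Privacy-aware signal monitoring system and method |
KR20190133350A (ko) * | 2018-05-23 | 2019-12-03 | Sejong University Industry-Academia Cooperation Foundation | Ciphertext comparison method and apparatus for performing the same |
KR102126295B1 (ko) | 2018-05-23 | 2020-06-24 | Sejong University Industry-Academia Cooperation Foundation | Ciphertext comparison method and apparatus for performing the same |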
Also Published As
Publication number | Publication date |
---|---|
US20160013933A1 (en) | 2016-01-14 |
JPWO2014132552A1 (ja) | 2017-02-02 |
JP6477461B2 (ja) | 2019-03-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
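JP6477461B2 (ja) | | Order-preserving encryption system, device, method, and program |
US9553722B2 (en) | | Generating a key based on a combination of keys |
CN108737115B (zh) | | Privacy-preserving method for computing the intersection of private attribute sets |
KR19990082665A (ko) | | Common key communication method |
JP2011130120A (ja) | | Quantum public-key cryptosystem, key generation device, encryption device, decryption device, key generation method, encryption method, and decryption method |
KR20150130788A (ko) | | Method for encrypting data and apparatus therefor |
US20090138698A1 (en) | | Method of searching encrypted data using inner product operation and terminal and server therefor |
US20120063592A1 (en) | | Apparatus for encrypting data |
US9037846B2 (en) | | Encoded database management system, client and server, natural joining method and program |
JP5929905B2 (ja) | | Order-preserving encryption system, device, method, and program |
KR20160131798A (ko) | | Homomorphic encryption method capable of detecting computation errors, and system therefor |
WO2014007296A1 (ja) | | Order-preserving encryption system, encryption device, decryption device, encryption method, decryption method, and programs therefor |
US20180302220A1 (en) | | User attribute matching method and terminal |
WO2018043573A1 (ja) | | Key exchange method and key exchange system |
JPWO2016088453A1 (ja) | | Encryption device, decryption device, cryptographic processing system, encryption method, decryption method, encryption program, and decryption program |
WO2014030706A1 (ja) | | Encrypted database system, client device and server, encrypted data addition method, and program |
CN113141247A (zh) | | Homomorphic encryption method, device, system, and readable storage medium |
JP6368047B2 (ja) | | Key exchange method, key exchange system, key distribution device, representative communication device, general communication device, and program |
WO2020213114A1 (ja) | | MAC tag list generation device, MAC tag list verification device, method, and program |
KR20150122494A (ko) | | Encryption apparatus, encryption method, decryption method, and computer-readable recording medium |
CN116170142B (zh) | | Distributed collaborative decryption method, device, and storage medium |
JP2017073716A (ja) | | Tag list generation device, tag list verification device, tag list update device, tag list generation method, and program |
KR102284877B1 (ko) | | Functional encryption technique for efficient set intersection computation |
Wu et al. | | Bit-oriented quantum public-key cryptosystem based on Bell states |
CN108632023A (zh) | | Attribute-based searchable encryption method with fixed ciphertext length supporting non-monotonic access structures |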
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14756253 Country of ref document: EP Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2015502734 Country of ref document: JP Kind code of ref document: A |
| | WWE | Wipo information: entry into national phase | Ref document number: 14770692 Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 14756253 Country of ref document: EP Kind code of ref document: A1 |