WO2020075224A1 - Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program - Google Patents

Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program Download PDF

Info

Publication number
WO2020075224A1
WO2020075224A1 PCT/JP2018/037603 JP2018037603W WO2020075224A1 WO 2020075224 A1 WO2020075224 A1 WO 2020075224A1 JP 2018037603 W JP2018037603 W JP 2018037603W WO 2020075224 A1 WO2020075224 A1 WO 2020075224A1
Authority
WO
WIPO (PCT)
Prior art keywords
ciphertext
token
encryption
decryption
key
Prior art date
Application number
PCT/JP2018/037603
Other languages
French (fr)
Japanese (ja)
Inventor
豊 川合
貴人 平野
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2018/037603 priority Critical patent/WO2020075224A1/en
Publication of WO2020075224A1 publication Critical patent/WO2020075224A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present invention relates to a technique for executing an operation while being encrypted.
  • inner product encryption There is a functional encryption that can calculate the inner product (hereinafter referred to as inner product encryption) (see Patent Document 1 and Non-Patent Document 1).
  • inner product encryption a vector x is set when the encryption is executed, a vector y is set in the user secret key, and an inner product ⁇ x, y> of the vector x and the vector y is output when the ciphertext is decrypted. That is, the inner product cipher is a cipher capable of calculating the inner product while being encrypted.
  • the inner product of the vector x and the vector y will be written as ⁇ x, y>.
  • the inner product cipher can be divided into a single input inner product cipher and a plurality of input inner product ciphers.
  • the inner product cipher that can be single-input can only calculate one inner product at the time of decryption.
  • the inner product cipher capable of inputting a plurality of numbers has N vectors y 1 ,. . . , Y N can be set, and when N pieces of ciphertext are input at the time of decryption, ⁇ x 1 , y 1 > + ⁇ x 2 , y 2 > + ... + ⁇ x N , y N >. Can be calculated.
  • Multi-Input Functional Encryption for Inner Products Function-Hiding Realizations and Constructions without Pairings Michel Abdalla and Dario Catalano and Dario Fiore and Romain Gay and Bogdan Ursu in Cryptology ePrint Archive:
  • Non-Patent Document 1 can calculate the sum of N inner products. However, in the method described in Non-Patent Document 1, a user who possesses at least one user private key and can execute encryption can infer a vector associated with a ciphertext. Is.
  • the inner product cryptography that allows multiple inputs is expected to be analyzed as an inner product without decrypting the multiple ciphertexts uploaded to the cloud.
  • information set in each ciphertext that should not be originally leaked for example, a vector value in the case of an inner product is leaked.
  • the purpose of this invention is to prevent the leakage of the information set in the ciphertext while enabling the calculation such as the inner product while being encrypted.
  • the ciphertext c ′ i in the multi-input function cryptography that outputs y and y to the function f to obtain the operation result is a ciphertext acquisition for obtaining the ciphertext c i encrypted using the encryption token etk Department, A decryption key acquisition unit for acquiring the secret key sk y of the plurality input function code, A token acquisition unit for acquiring a decryption token dtk corresponding to the encryption token etk; By the ciphertext c i and decrypted using the decryption token dtk 'generates a i, the ciphertext
  • the ciphertext c ′ i in the common-key multiple-input-function encryption is encrypted using the encryption token etk to obtain the ciphertext c i , and the ciphertext c i is decrypted using the decryption token dtk.
  • FIG. 1 is a configuration diagram of a confidentiality analysis system 10 according to the first embodiment.
  • FIG. 2 is a configuration diagram of a setup device 20 according to the first embodiment.
  • 3 is a configuration diagram of a key generation device 30 according to the first embodiment.
  • FIG. 3 is a configuration diagram of a token generation device 40 according to the first embodiment.
  • FIG. FIG. 3 is a configuration diagram of the encryption device 50 according to the first embodiment.
  • 1 is a configuration diagram of a confidentiality analysis device 60 according to the first embodiment.
  • 3 is a flowchart showing the operation of the setup device 20 according to the first embodiment.
  • 5 is a flowchart showing the operation of the key generation device 30 according to the first embodiment.
  • 3 is a flowchart showing the operation of the token generation device 40 according to the first embodiment.
  • FIG. 6 is a flowchart showing the operation of the encryption device 50 according to the first embodiment. 6 is a flowchart showing the operation of the confidentiality analysis device 60 according to the first embodiment.
  • the block diagram of the setup apparatus 20 which concerns on the modification 1.
  • FIG. 8 is a configuration diagram of a key generation device 30 according to Modification 1.
  • the block diagram of the token generation apparatus 40 which concerns on the modification 1.
  • the block diagram of the encryption apparatus 50 which concerns on the modification 1.
  • the block diagram of the confidentiality analysis apparatus 60 which concerns on the modification 1.
  • the confidentiality analysis system 10 includes a setup device 20, a key generation device 30, a token generation device 40, an encryption device 50, and a confidentiality analysis device 60.
  • the setup device 20, the key generation device 30, the token generation device 40, the encryption device 50, the confidentiality analysis device 60, and the confidentiality analysis device 60 are connected via a transmission line 90.
  • the transmission path 90 is, for example, the Internet or a LAN (Local Area Network).
  • the confidentiality analysis system 10 may include a plurality of key generation devices 30, token generation devices 40, encryption devices 50, and confidentiality analysis devices 60.
  • the setup device 20 includes hardware such as a processor 21, a memory 22, a storage 23, and a communication interface 24.
  • the processor 21 is connected to other hardware via a signal line, and controls the other hardware.
  • the setup device 20 includes a parameter acquisition unit 211, a master key generation unit 212, and a transmission unit 213 as functional components.
  • the function of each functional component of the setup device 20 is realized by software.
  • the storage 23 stores programs that implement the functions of the functional components of the setup device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21. As a result, the function of each functional component of the setup device 20 is realized.
  • the storage 23 also realizes the function of the master key storage unit 231.
  • the configuration of the key generation device 30 according to the first embodiment will be described with reference to FIG.
  • the key generation device 30 includes hardware such as a processor 31, a memory 32, a storage 33, and a communication interface 34.
  • the processor 31 is connected to other hardware via a signal line, and controls the other hardware.
  • the key generation device 30 includes a master key acquisition unit 311, a value acquisition unit 312, a secret key generation unit 313, and a transmission unit 314 as functional components.
  • the function of each functional component of the key generation device 30 is realized by software.
  • the storage 33 stores programs that implement the functions of the functional components of the key generation device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31. Thereby, the function of each functional component of the key generation device 30 is realized.
  • the storage 33 also realizes the function of the master key storage unit 331.
  • the configuration of the token generation device 40 according to the first embodiment will be described with reference to FIG.
  • the token generation device 40 includes hardware such as a processor 41, a memory 42, a storage 43, and a communication interface 44.
  • the processor 41 is connected to other hardware via a signal line and controls these other hardware.
  • the token generation device 40 includes a parameter acquisition unit 411, a token generation unit 412, and a transmission unit 413 as functional components.
  • the function of each functional component of the token generation device 40 is realized by software.
  • the storage 43 stores programs that implement the functions of the functional components of the token generation device 40. This program is read into the memory 42 by the processor 41 and executed by the processor 41. Thereby, the function of each functional component of the token generation device 40 is realized.
  • the configuration of the encryption device 50 according to the first embodiment will be described with reference to FIG.
  • the encryption device 50 includes hardware such as a processor 51, a memory 52, a storage 53, and a communication interface 54.
  • the processor 51 is connected to other hardware via a signal line, and controls these other hardware.
  • the encryption device 50 includes a master key acquisition unit 511, a token acquisition unit 512, a message acquisition unit 513, an encryption unit 514, and a transmission unit 515 as functional components.
  • the function of each functional component of the encryption device 50 is realized by software.
  • the storage 53 stores programs that implement the functions of the functional components of the encryption device 50. This program is read into the memory 52 by the processor 51 and executed by the processor 51. As a result, the function of each functional component of the encryption device 50 is realized.
  • the storage 53 also realizes the functions of the master key storage unit 531 and the token storage unit 532.
  • the confidentiality analysis device 60 includes hardware such as a processor 61, a memory 62, a storage 63, and a communication interface 64.
  • the processor 61 is connected to other hardware via a signal line, and controls these other hardware.
  • the confidentiality analysis device 60 includes a secret key acquisition unit 611, a token acquisition unit 612, a ciphertext acquisition unit 613, a decryption unit 614, and a transmission unit 615 as functional components.
  • the function of each functional component of the confidentiality analysis device 60 is realized by software.
  • the storage 63 stores a program that realizes the function of each functional component of the confidentiality analysis device 60. This program is read into the memory 62 by the processor 61 and executed by the processor 61. As a result, the function of each functional component of the confidentiality analysis device 60 is realized.
  • the storage 63 realizes the functions of the secret key storage unit 631, the token storage unit 632, and the ciphertext storage unit 633.
  • the processors 21, 31, 41, 51, 61 are ICs (Integrated Circuits) that perform arithmetic processing.
  • the processors 21, 31, 41, 51, 61 are, as specific examples, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
  • the memories 22, 32, 42, 52, 62 are storage devices for temporarily storing data.
  • the memory 22, 32, 42, 52, 62 is, for example, SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory).
  • the storages 23, 33, 43, 53, 63 are storage devices for storing data.
  • the storages 23, 33, 43, 53, 63 are, as a specific example, HDDs (Hard Disk Drives).
  • the storages 23, 33, 43, 53, 63 are SD (registered trademark, Secure Digital) memory cards, CF (CompactFlash, registered trademark), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk. It may be a portable storage medium such as a DVD (Digital Versatile Disk).
  • the communication interfaces 24, 34, 44, 54, 64 are interfaces for communicating with external devices.
  • the communication interfaces 24, 34, 44, 54, 64 are, as specific examples, Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
  • the setup device 20 may include a plurality of processors that replace the processor 21.
  • the key generation device 30 may include a plurality of processors that replace the processor 31.
  • the token generation device 40 may include a plurality of processors that replace the processor 41.
  • the encryption device 50 may include a plurality of processors that replace the processor 51.
  • the confidentiality analysis device 60 may include a plurality of processors that replace the processor 61. These multiple processors share the execution of programs that implement the functions of the functional components.
  • Each of the processors is an IC that performs arithmetic processing similarly to the processors 21, 31, 41, 51 and 61.
  • the secret analysis system 10 uses public key cryptography.
  • the public key cryptography is the following PKE. KeyGen algorithm and PKE. Enc algorithm and PKE. And the Dec algorithm. Any specific public key cryptosystem may be used.
  • the KeyGen algorithm is a key generation algorithm.
  • the KeyGen algorithm inputs the security parameter ⁇ and outputs a pair of the public key pk and the secret key sk.
  • the Enc algorithm is an encryption algorithm.
  • the Enc algorithm inputs the public key pk and the message x and outputs the ciphertext c obtained by encrypting the message x.
  • the Dec algorithm is a decoding algorithm.
  • PKE. The Dec algorithm inputs the secret key sk and the ciphertext c and outputs the message x or the special symbol ⁇ .
  • the Setup algorithm is a master key generation algorithm.
  • the Setup algorithm receives the security parameter ⁇ as an input and outputs a pair of the public key mpk and the master secret key msk.
  • the KeyGen algorithm is a secret key generation algorithm.
  • the KeyGen algorithm inputs the master secret key msk and the value y and outputs the secret key sk y in which the value y is set.
  • the Enc algorithm is an encryption algorithm.
  • M. The Enc algorithm inputs the master secret key msk, the index i, and the message x i, and outputs the ciphertext c i .
  • the Dec algorithm is a decoding algorithm.
  • the result f (x 1 , ..., X n , y) or the special symbol ⁇ is output.
  • the confidentiality analysis system 10 implements token-based multiple input function encryption using public key encryption and common key type multiple input function encryption.
  • the token-based multi-input function cryptography includes the following Setup algorithm, KeyGen algorithm, GenToken algorithm, Enc algorithm, and Dec algorithm.
  • ⁇ Setup algorithm> The Setup algorithm inputs the security parameter ⁇ and outputs the public key PK and the master secret key MSK.
  • ⁇ KeyGen algorithm> The KeyGen algorithm inputs the master secret key MSK and the value y and outputs the secret key sk y in which the value y is set.
  • ⁇ Enc algorithm> Enc algorithm, as input and a master secret key MSK, and the index i, and the encryption token etk i, and a message x i, and outputs the cipher text c i.
  • ⁇ Dec algorithm> Dec algorithm, and the decryption token dtk, and the secret key sk y, i 1 ,. . . , N of ciphertexts c i (c 1 , ..., C n ) for each integer i, and a message x i and a value y for each integer i input to a function f.
  • the result f (x 1 , ..., X n , y) or the special symbol ⁇ is output.
  • the operation of the setup device 20 according to the first embodiment corresponds to the setup method according to the first embodiment.
  • the operation of the setup device 20 according to the first embodiment corresponds to the process of the setup program according to the first embodiment.
  • the setup device 20 implements the Setup algorithm in token-based multiple input function encryption.
  • Step S11 Parameter acquisition process
  • the parameter acquisition unit 211 acquires the security parameter ⁇ . Specifically, the parameter acquisition unit 211 receives the security parameter ⁇ input by operating the input device by the user of the setup device 20. The parameter acquisition unit 211 writes the security parameter ⁇ in the memory 22.
  • the master key generation unit 212 reads the security parameter ⁇ from the memory 22.
  • the master key generation unit 212 receives the security parameter ⁇ as an input and outputs the M.
  • the Setup algorithm is executed to generate a public key mpk and a master secret key msk.
  • the master key generation unit 212 sets the public key mpk as the public key MPK and sets the master secret key msk as the master secret key MSK.
  • the master key generation unit 212 writes the public key MPK and the master secret key MSK in the memory 22 and the master key storage unit 231.
  • Step S13 transmission process
  • the transmission unit 213 reads the master secret key MSK from the memory 22.
  • the transmission unit 213 secretly transmits the master secret key MSK to the key generation device 30 and the encryption device 50 via the communication interface 24.
  • the secret transmission means, for example, that the data is encrypted by an existing encryption method and then transmitted.
  • the master key acquisition unit 311 of the key generation device 30 acquires the master secret key MSK and writes it in the master key storage unit 331.
  • the master key acquisition unit 511 of the encryption device 50 acquires the master secret key MSK and writes it in the master key storage unit 531.
  • the operation of the key generation device 30 according to the first embodiment corresponds to the key generation method according to the first embodiment.
  • the operation of the key generation device 30 according to the first embodiment corresponds to the processing of the key generation program according to the first embodiment.
  • the key generation device 30 implements the KeyGen algorithm in token-based multiple input function encryption.
  • Step S21 value acquisition process
  • the value acquisition unit 312 acquires the value y.
  • the value y is a value to be calculated. Specifically, the value acquisition unit 312 receives the value y input by operating the input device by the user of the key generation device 30. The value acquisition unit 312 writes the value y in the memory 32.
  • the secret key generation unit 313 reads the master secret key MSK from the master key storage unit 331.
  • the secret key generation unit 313 also reads the value y from the memory 32.
  • the secret key generation unit 313 receives the master secret key MSK and the value y as input, and outputs the M.M.
  • the KeyGen algorithm is executed to generate the secret key sk y with the value y set.
  • the secret key generating unit 313 writes the secret key sk y in the memory 32.
  • Step S23 transmission process
  • the transmission unit 314 reads the secret key sk y from the memory 32.
  • the private key acquiring section 611 of the concealment analyzer 60 obtains the private key sk y, written in the secret key storage unit 631.
  • the operation of the token generation device 40 according to the first embodiment corresponds to the token generation method according to the first embodiment.
  • the operation of the token generation device 40 according to the first embodiment corresponds to the processing of the token generation program according to the first embodiment.
  • the token generation device 40 implements the GenToken algorithm in token-based multiple input function cryptography.
  • Step S31 Parameter acquisition process
  • the parameter acquisition unit 411 acquires the security parameter ⁇ .
  • the security parameter ⁇ may be the same parameter as the security parameter ⁇ acquired in step S11, or may be a different parameter.
  • the parameter acquisition unit 411 receives the security parameter ⁇ input by operating the input device by the user of the token generation device 40.
  • the parameter acquisition unit 411 writes the security parameter ⁇ in the memory 42.
  • Step S32 token generation process
  • the token generation unit 412 reads the security parameter ⁇ from the memory 42.
  • the token generation unit 412 receives the security parameter ⁇ as an input and outputs the PKE.
  • the KeyGen algorithm is executed to generate a public key pk and private key sk pair.
  • Step S33 transmission process
  • the cryptographic token ETK i for each integer i of n via the communication interface 44, transmits secretly encryption device 50. Further, the transmission unit 413 secretly transmits the decryption token dtk to the confidentiality analysis device 60 via the communication interface 44.
  • N for each integer i of the encrypted token etk i , and writes it in the token storage unit 532. Further, the token acquisition unit 612 of the confidentiality analysis device 60 acquires the decryption token dtk and writes it in the token storage unit 632.
  • the operation of the encryption device 50 according to the first embodiment corresponds to the encryption method according to the first embodiment.
  • the operation of the encryption device 50 according to the first embodiment corresponds to the processing of the encryption program according to the first embodiment.
  • the encryption device 50 implements the Enc algorithm in token-based multiple input function encryption.
  • Step S41 message acquisition process
  • the message acquisition unit 513 acquires the index i and the message x i corresponding to the index i. Specifically, the message acquisition unit 513 receives the index x and the message x i input by the user of the encryption device 50 operating the input device. The message acquisition unit 513 writes the index i and the message x i in the memory 52. If the index i corresponds to the encryption device 50, the message acquisition unit 513 may acquire only the message x i .
  • Step S42 First encryption process
  • the encryption unit 514 reads the master secret key MSK from the master key storage unit 531.
  • the encryption unit 514 also reads the index i and the message x i from the memory 52.
  • the encryption unit 514 receives the master secret key MSK, the index i, and the message x i as inputs and outputs the M.M.
  • the Enc algorithm is executed to generate the ciphertext c ′ i .
  • the encryption unit 514 writes the ciphertext c ′ i in the memory 52.
  • Step S43 Second encryption process
  • Encryption unit 514 reads the encrypted token ETK i from the token storage unit 532.
  • the encryption unit 514 also reads the ciphertext c ′ i from the memory 52.
  • the Enc algorithm is executed to generate the ciphertext c i . That is, the encryption unit 514 determines that the PKE.
  • the ciphertext c ′ i is encrypted by the Enc algorithm to generate the ciphertext c i .
  • the encryption unit 514 writes the ciphertext c i in the memory 52.
  • Step S44 transmission process
  • the transmission unit 515 reads the ciphertext c i from the memory 52.
  • the transmission unit 515 transmits the ciphertext c i to the confidentiality analysis device 60 via the communication interface 54.
  • the ciphertext acquisition unit 613 of the concealment analyzer 60 acquires the ciphertext c i, writes the ciphertext storage unit 633.
  • the operation of the confidentiality analysis device 60 according to the first embodiment corresponds to the confidentiality analysis method according to the first embodiment.
  • the operation of the confidentiality analysis device 60 according to the first embodiment corresponds to the processing of the confidentiality analysis program according to the first embodiment.
  • the confidentiality analysis device 60 implements the Dec algorithm in the token-based multiple input function encryption.
  • Step S51 First decryption process
  • the dec algorithm is executed to generate the ciphertext c ′ i . That is, the decoding unit 614 decodes the cipher text c i, and generates a ciphertext c 'i.
  • the decryption unit 614 writes the ciphertext c ′ i in the memory 62.
  • Step S52 Second decoding process
  • the decoding unit 614 writes the calculation result f (x 1 , ..., X n , y) or the special symbol ⁇ in the memory 62.
  • Step S53 transmission process
  • the transmission unit 615 reads the calculation result f (x 1 , ..., X n , y) or the special symbol ⁇ from the memory 62.
  • the transmission unit 615 outputs the calculation result f (x 1 , ..., X n , y) or the special symbol ⁇ via the communication interface 64.
  • the confidentiality analysis device 60 allows the ciphertext c ′ i in the common-key multiple-input-function encryption to be encrypted using the encryption token etk. Get i . Then, concealment analyzer 60 decodes using the decoding token dtk ciphertext c i 'generates a i, ciphertext c using the private key sk y' ciphertext c by decoding the i, computation Calculate the result. Even if the user has the private key sk, the operation cannot be performed without the decryption token dtk. Therefore, it is possible to prevent the information from being leaked to the user who has the private key sk.
  • each functional component is realized by software. However, as a first modification, each functional component may be realized by hardware. Differences between the first modification and the first embodiment will be described.
  • the setup device 20 includes an electronic circuit 25 instead of the processor 21, the memory 22, and the storage 23.
  • the electronic circuit 25 is a dedicated circuit that realizes the functional components of the setup device 20 and the functions of the memory 22 and the storage 23.
  • the key generation device 30 includes an electronic circuit 35 instead of the processor 31, the memory 32, and the storage 33.
  • the electronic circuit 35 is a dedicated circuit that implements the functional components of the key generation device 30 and the functions of the memory 32 and the storage 33.
  • the token generation device 40 includes an electronic circuit 45 instead of the processor 41, the memory 42, and the storage 43.
  • the electronic circuit 45 is a dedicated circuit that realizes the functional components of the token generation device 40 and the functions of the memory 42 and the storage 43.
  • the encryption device 50 includes an electronic circuit 55 instead of the processor 51, the memory 52, and the storage 53.
  • the electronic circuit 55 is a dedicated circuit for realizing the functional components of the encryption device 50 and the functions of the memory 52 and the storage 53.
  • the confidentiality analysis device 60 includes an electronic circuit 65 instead of the processor 61, the memory 62, and the storage 63.
  • the electronic circuit 65 is a dedicated circuit for realizing the functional components of the confidentiality analysis device 60 and the functions of the memory 62 and the storage 63.
  • the electronic circuits 25, 35, 45, 55, 65 are a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), and an FPGA (FPGA). Field-Programmable Gate Array) is assumed.
  • the function of each functional constituent element of the setup device 20 may be realized by one electronic circuit 25, or the function of each functional constituent element may be distributed to a plurality of electronic circuits 25 and realized.
  • the token generation device 40, the encryption device 50, and the confidentiality analysis device 60 even if the functions of the respective functional components are realized by one electronic circuit 35, 45, 55, 65.
  • the function of each functional component may be distributed to a plurality of electronic circuits 35, 45, 55, and 65 to be realized.
  • ⁇ Modification 2> As a second modification, some functions may be realized by hardware and other functions may be realized by software. That is, among the functional components, some functions may be realized by hardware and other functions may be realized by software.
  • the processor 21, 31, 41, 51, 61, the memory 22, 32, 42, 52, 62, the storage 23, 33, 43, 53, 63 and the electronic circuit 25, 35, 45, 55, 65 are called a processing circuit. That is, the function of each functional component is realized by the processing circuit.
  • Embodiment 2 differs from the first embodiment in that a pseudo random function is used instead of public key encryption. In the second embodiment, these different points will be described, and description of the same points will be omitted.
  • the operation of the confidentiality analysis system 10 according to the second embodiment will be described with reference to FIGS. 9 to 11.
  • the operations of the setup device 20 and the key generation device 30 are the same as in the first embodiment. Therefore, the operations of the token generation device 40, the encryption device 50, and the confidentiality analysis device 60 will be described here.
  • K ⁇ D ⁇ R has the following PRF. KeyGen algorithm and PRF. And the Eval algorithm.
  • K is a key space
  • D is a domain of input values
  • R is a range of output values.
  • the KeyGen algorithm is a key generation algorithm.
  • the KeyGen algorithm inputs the security parameter ⁇ and outputs the key k ⁇ K of the pseudo-random function.
  • the Eval algorithm is an evaluation algorithm. PRF.
  • the Eval algorithm inputs the key k of the pseudo-random function and the value j ⁇ D, and outputs the value m ⁇ R.
  • the operation of the token generation device 40 according to the second embodiment corresponds to the token generation method according to the second embodiment.
  • the operation of the token generation device 40 according to the second embodiment corresponds to the processing of the token generation program according to the second embodiment.
  • the token generation device 40 implements the GenToken algorithm in token-based multiple input function cryptography.
  • step S31 and step S33 are the same as that of the first embodiment.
  • Step S32 token generation process
  • the token generation unit 412 reads the security parameter ⁇ from the memory 42.
  • the KeyGen algorithm is run to generate the key k i for the pseudo-random function.
  • the operation of the encryption device 50 according to the second embodiment corresponds to the encryption method according to the second embodiment.
  • the operation of the encryption device 50 according to the second embodiment corresponds to the processing of the encryption program according to the second embodiment.
  • the encryption device 50 implements the Enc algorithm in token-based multiple input function encryption.
  • step S41, step S42, and step S44 is the same as that of the first embodiment.
  • Step S43 Second encryption process
  • the encryption unit 514 also reads the ciphertext c ′ i from the memory 52.
  • Encryption unit 514 is input with a key k i and the value j of the pseudo random function in encrypted token ETK i, PRF. Run the Eval algorithm to generate the value m i .
  • the encryption unit 514 sets a pair of the ciphertext c * i and the value j in the ciphertext c i .
  • the encryption unit 514 writes the ciphertext c i in the memory 52.
  • the operation of the confidentiality analysis device 60 according to the second embodiment corresponds to the confidentiality analysis method according to the second embodiment.
  • the operation of the confidentiality analysis device 60 according to the second embodiment corresponds to the processing of the confidentiality analysis program according to the second embodiment.
  • the confidentiality analysis device 60 implements the Dec algorithm in the token-based multiple input function encryption.
  • steps S52 and S53 are the same as that of the first embodiment.
  • Step S51 First decryption process
  • the decryption unit 614 writes the ciphertext c ′ i in the memory 62.
  • the confidentiality analysis system 10 according to the second embodiment can achieve the same effect as that of the first embodiment by using the pseudo-random function instead of the public key encryption. Further, the concealment analysis system 10 according to the second embodiment, the value j for use in generating the value m i is different value for each encryption. Therefore, since the value m i is different for each encryption, high security can be realized.
  • 10 secret analysis system 20 setup device, 21 processor, 22 memory, 23 storage, 24 communication interface, 25 electronic circuit, 211 parameter acquisition unit, 212 master key generation unit, 213 transmission unit, 231 master key storage unit, 30 key generation Device, 31 processor, 32 memory, 33 storage, 34 communication interface, 35 electronic circuit, 311, master key acquisition unit, 312 value acquisition unit, 313 secret key generation unit, 314 transmission unit, 331 master key storage unit, 40 token generation device , 41 processor, 42 memory, 43 storage, 44 communication interface, 45 electronic circuit, 411 parameter acquisition part, 412 token generation part, 413 transmission part, 50 encryption device, 51 process Service, 52 memory, 53 storage, 54 communication interface, 55 electronic circuit, 511 master key acquisition unit, 512 token acquisition unit, 513 message acquisition unit, 514 encryption unit, 515 transmission unit, 531 master key storage unit, 532 token storage Section, 60 confidentiality analyzer, 61 processor, 62 memory, 63 storage, 64 communication interface, 65 electronic circuit, 611 private key acquisition section, 612 token acquisition section, 613 ciphertext acquisition section

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

This secrecy analysis device (60) accepts a ciphertext c'i obtained by encrypting a message xi and a secret key sky having a value set for y as inputs, and acquires a ciphertext ci which is obtained, using an encoding token etk, by encrypting the ciphertext c'i through a multiple-input functional encryption that outputs an arithmetic result when the message xi and the value y are inputted in function f. The secrecy analysis device (60) generates the ciphertext c'i by decoding the ciphertext ci using a decoding token dtk, and computes an arithmetic result by decoding the ciphertext c'i using the secret key sky.

Description

秘匿分析装置、秘匿分析システム、秘匿分析方法及び秘匿分析プログラムSecurity analysis device, security analysis system, security analysis method and security analysis program
 この発明は、暗号化したまま演算を実行する技術に関する。 The present invention relates to a technique for executing an operation while being encrypted.
 原則として、データを暗号化してしまうと復号しなければ内部のデータを閲覧及び編集することは不可能である。そのため、暗号文のデータを編集する場合には、暗号文を一度復号し平文にした上で編集を行い、再度暗号化する必要がある。 -In principle, once data is encrypted, it is impossible to view and edit internal data without decrypting it. Therefore, when editing the ciphertext data, it is necessary to decrypt the ciphertext once to make it plaintext, edit it, and then encrypt it again.
 内積を計算可能な関数型暗号(以下、内積暗号と呼ぶ)がある(特許文献1及び非特許文献1参照)。内積暗号では、暗号化実行時にベクトルxを設定し、ユーザ秘密鍵にベクトルyを設定し、暗号文を復号する際にはベクトルxとベクトルyとの内積<x,y>を出力する。つまり、内積暗号は、暗号化したまま内積計算が可能な暗号である。以下の説明では、ベクトルxとベクトルyとの内積を<x,y>と書く。 There is a functional encryption that can calculate the inner product (hereinafter referred to as inner product encryption) (see Patent Document 1 and Non-Patent Document 1). In the inner product encryption, a vector x is set when the encryption is executed, a vector y is set in the user secret key, and an inner product <x, y> of the vector x and the vector y is output when the ciphertext is decrypted. That is, the inner product cipher is a cipher capable of calculating the inner product while being encrypted. In the following description, the inner product of the vector x and the vector y will be written as <x, y>.
 内積暗号は、単一入力可能な内積暗号と、複数入力可能な内積暗号とに分けられる。単一入力可能な内積暗号は、復号時に計算できる内積が1つのみである。これに対して、複数入力可能な内積暗号は、秘密鍵にN個のベクトルy,...,yを設定することが可能であり、復号時にはN個の暗号文を入力として、<x,y>+<x,y>+・・・+<x,y>を計算できる。 The inner product cipher can be divided into a single input inner product cipher and a plurality of input inner product ciphers. The inner product cipher that can be single-input can only calculate one inner product at the time of decryption. On the other hand, the inner product cipher capable of inputting a plurality of numbers has N vectors y 1 ,. . . , Y N can be set, and when N pieces of ciphertext are input at the time of decryption, <x 1 , y 1 > + <x 2 , y 2 > + ... + <x N , y N >. Can be calculated.
特開2009-272995号公報JP, 2009-272995, A
 非特許文献1に記載されている方法は、N個の内積の和を計算することはできる。しかし、非特許文献1に記載されている方法は、1つでもユーザ秘密鍵を所持し、かつ、暗号化を実行できるユーザであれば、暗号文に紐づいているベクトルを類推することが可能である。 The method described in Non-Patent Document 1 can calculate the sum of N inner products. However, in the method described in Non-Patent Document 1, a user who possesses at least one user private key and can execute encryption can infer a vector associated with a ciphertext. Is.
 複数入力可能な内積暗号は、クラウドにアップロードされた複数の暗号文を復号せずに、内積のような分析することが期待される。しかし、非特許文献1に記載されている方法のように、本来は漏洩するべきではない、個々の暗号文に設定された情報、例えば内積の場合はベクトルの値が、漏洩してしまう。 The inner product cryptography that allows multiple inputs is expected to be analyzed as an inner product without decrypting the multiple ciphertexts uploaded to the cloud. However, unlike the method described in Non-Patent Document 1, information set in each ciphertext that should not be originally leaked, for example, a vector value in the case of an inner product is leaked.
 この発明は、暗号化したまま内積といった演算を可能にしつつ、暗号文に設定された情報の漏えいを防止することを目的とする。 The purpose of this invention is to prevent the leakage of the information set in the ciphertext while enabling the calculation such as the inner product while being encrypted.
 この発明に係る秘匿分析装置は、
 1以上の整数nに関して、i=1,...,nの各整数iについてのメッセージxを暗号化した暗号文c’と、値yが設定された秘密鍵skとを入力として、前記各整数iについての前記メッセージxと前記値yとを関数fに入力して得られる演算結果を出力する複数入力関数暗号における前記暗号文c’が、暗号化トークンetkを用いて暗号化された暗号文cを取得する暗号文取得部と、
 前記複数入力関数暗号における前記秘密鍵skを取得する復号鍵取得部と、
 前記暗号化トークンetkに対応する復号トークンdtkを取得するトークン取得部と、
 前記暗号文cを前記復号トークンdtkを用いて復号して前記暗号文c’を生成し、前記秘密鍵skを用いて前記暗号文c’を復号することにより、前記演算結果を計算する復号部と
を備える。
The confidentiality analysis device according to the present invention is
For integer n greater than or equal to 1, i = 1 ,. . . , Ciphertext c 'i of encrypted messages x i for each integer i of n, as inputs the secret key sk y value y is set, the said value and the message x i for each integer i The ciphertext c ′ i in the multi-input function cryptography that outputs y and y to the function f to obtain the operation result is a ciphertext acquisition for obtaining the ciphertext c i encrypted using the encryption token etk Department,
A decryption key acquisition unit for acquiring the secret key sk y of the plurality input function code,
A token acquisition unit for acquiring a decryption token dtk corresponding to the encryption token etk;
By the ciphertext c i and decrypted using the decryption token dtk 'generates a i, the ciphertext c using the secret key sk y' the ciphertext c decodes the i, the calculation result And a decoding unit for calculating.
 この発明では、共通鍵複数入力関数暗号における暗号文c’が暗号化トークンetkを用いて暗号化された暗号文cを取得し、暗号文cを復号トークンdtkを用いて復号して暗号文c’を生成し、秘密鍵skを用いて暗号文c’を復号することにより、演算結果を計算する。秘密鍵skを持っていても復号トークンdtkがなければ演算を行うことができないため、秘密鍵skを持ったユーザに情報が漏えいすることを防止できる。 In the present invention, the ciphertext c ′ i in the common-key multiple-input-function encryption is encrypted using the encryption token etk to obtain the ciphertext c i , and the ciphertext c i is decrypted using the decryption token dtk. 'generates a i, ciphertext c using the private key sk y' ciphertext c by decoding the i, to calculate the calculation result. Even if the user has the private key sk, the operation cannot be performed without the decryption token dtk. Therefore, it is possible to prevent the information from being leaked to the user who has the private key sk.
実施の形態1に係る秘匿分析システム10の構成図。1 is a configuration diagram of a confidentiality analysis system 10 according to the first embodiment. 実施の形態1に係るセットアップ装置20の構成図。FIG. 2 is a configuration diagram of a setup device 20 according to the first embodiment. 実施の形態1に係る鍵生成装置30の構成図。3 is a configuration diagram of a key generation device 30 according to the first embodiment. FIG. 実施の形態1に係るトークン生成装置40の構成図。3 is a configuration diagram of a token generation device 40 according to the first embodiment. FIG. 実施の形態1に係る暗号化装置50の構成図。FIG. 3 is a configuration diagram of the encryption device 50 according to the first embodiment. 実施の形態1に係る秘匿分析装置60の構成図。1 is a configuration diagram of a confidentiality analysis device 60 according to the first embodiment. 実施の形態1に係るセットアップ装置20の動作を示すフローチャート。3 is a flowchart showing the operation of the setup device 20 according to the first embodiment. 実施の形態1に係る鍵生成装置30の動作を示すフローチャート。5 is a flowchart showing the operation of the key generation device 30 according to the first embodiment. 実施の形態1に係るトークン生成装置40の動作を示すフローチャート。3 is a flowchart showing the operation of the token generation device 40 according to the first embodiment. 実施の形態1に係る暗号化装置50の動作を示すフローチャート。6 is a flowchart showing the operation of the encryption device 50 according to the first embodiment. 実施の形態1に係る秘匿分析装置60の動作を示すフローチャート。6 is a flowchart showing the operation of the confidentiality analysis device 60 according to the first embodiment. 変形例1に係るセットアップ装置20の構成図。The block diagram of the setup apparatus 20 which concerns on the modification 1. 変形例1に係る鍵生成装置30の構成図。FIG. 8 is a configuration diagram of a key generation device 30 according to Modification 1. 変形例1に係るトークン生成装置40の構成図。The block diagram of the token generation apparatus 40 which concerns on the modification 1. 変形例1に係る暗号化装置50の構成図。The block diagram of the encryption apparatus 50 which concerns on the modification 1. 変形例1に係る秘匿分析装置60の構成図。The block diagram of the confidentiality analysis apparatus 60 which concerns on the modification 1. FIG.
 実施の形態1.
 図1を参照して、実施の形態1に係る秘匿分析システム10の構成を説明する。
 秘匿分析システム10は、セットアップ装置20と、鍵生成装置30と、トークン生成装置40と、暗号化装置50と、秘匿分析装置60とを備える。
 セットアップ装置20と、鍵生成装置30と、トークン生成装置40と、暗号化装置50と、秘匿分析装置60と、秘匿分析装置60とは、伝送路90を介して接続される。伝送路90は、具体例としては、インターネット又はLAN(Local Area Network)である。
 秘匿分析システム10は、鍵生成装置30と、トークン生成装置40と、暗号化装置50と、秘匿分析装置60とを複数備えていてもよい。
Embodiment 1.
The configuration of the confidentiality analysis system 10 according to the first embodiment will be described with reference to FIG.
The confidentiality analysis system 10 includes a setup device 20, a key generation device 30, a token generation device 40, an encryption device 50, and a confidentiality analysis device 60.
The setup device 20, the key generation device 30, the token generation device 40, the encryption device 50, the confidentiality analysis device 60, and the confidentiality analysis device 60 are connected via a transmission line 90. The transmission path 90 is, for example, the Internet or a LAN (Local Area Network).
The confidentiality analysis system 10 may include a plurality of key generation devices 30, token generation devices 40, encryption devices 50, and confidentiality analysis devices 60.
 図2を参照して、実施の形態1に係るセットアップ装置20の構成を説明する。
 セットアップ装置20は、プロセッサ21と、メモリ22と、ストレージ23と、通信インタフェース24とのハードウェアを備える。プロセッサ21は、信号線を介して他のハードウェアと接続され、これら他のハードウェアを制御する。
The configuration of the setup device 20 according to the first embodiment will be described with reference to FIG.
The setup device 20 includes hardware such as a processor 21, a memory 22, a storage 23, and a communication interface 24. The processor 21 is connected to other hardware via a signal line, and controls the other hardware.
 セットアップ装置20は、機能構成要素として、パラメータ取得部211と、マスター鍵生成部212と、送信部213とを備える。セットアップ装置20の各機能構成要素の機能はソフトウェアにより実現される。
 ストレージ23には、セットアップ装置20の各機能構成要素の機能を実現するプログラムが記憶されている。このプログラムは、プロセッサ21によりメモリ22に読み込まれ、プロセッサ21によって実行される。これにより、セットアップ装置20の各機能構成要素の機能が実現される。
 また、ストレージ23は、マスター鍵記憶部231の機能を実現する。
The setup device 20 includes a parameter acquisition unit 211, a master key generation unit 212, and a transmission unit 213 as functional components. The function of each functional component of the setup device 20 is realized by software.
The storage 23 stores programs that implement the functions of the functional components of the setup device 20. This program is read into the memory 22 by the processor 21 and executed by the processor 21. As a result, the function of each functional component of the setup device 20 is realized.
The storage 23 also realizes the function of the master key storage unit 231.
 図3を参照して、実施の形態1に係る鍵生成装置30の構成を説明する。
 鍵生成装置30は、プロセッサ31と、メモリ32と、ストレージ33と、通信インタフェース34とのハードウェアを備える。プロセッサ31は、信号線を介して他のハードウェアと接続され、これら他のハードウェアを制御する。
The configuration of the key generation device 30 according to the first embodiment will be described with reference to FIG.
The key generation device 30 includes hardware such as a processor 31, a memory 32, a storage 33, and a communication interface 34. The processor 31 is connected to other hardware via a signal line, and controls the other hardware.
 鍵生成装置30は、機能構成要素として、マスター鍵取得部311と、値取得部312と、秘密鍵生成部313と、送信部314とを備える。鍵生成装置30の各機能構成要素の機能はソフトウェアにより実現される。
 ストレージ33には、鍵生成装置30の各機能構成要素の機能を実現するプログラムが記憶されている。このプログラムは、プロセッサ31によりメモリ32に読み込まれ、プロセッサ31によって実行される。これにより、鍵生成装置30の各機能構成要素の機能が実現される。
 また、ストレージ33は、マスター鍵記憶部331の機能を実現する。
The key generation device 30 includes a master key acquisition unit 311, a value acquisition unit 312, a secret key generation unit 313, and a transmission unit 314 as functional components. The function of each functional component of the key generation device 30 is realized by software.
The storage 33 stores programs that implement the functions of the functional components of the key generation device 30. This program is read into the memory 32 by the processor 31 and executed by the processor 31. Thereby, the function of each functional component of the key generation device 30 is realized.
The storage 33 also realizes the function of the master key storage unit 331.
 図4を参照して、実施の形態1に係るトークン生成装置40の構成を説明する。
 トークン生成装置40は、プロセッサ41と、メモリ42と、ストレージ43と、通信インタフェース44とのハードウェアを備える。プロセッサ41は、信号線を介して他のハードウェアと接続され、これら他のハードウェアを制御する。
The configuration of the token generation device 40 according to the first embodiment will be described with reference to FIG.
The token generation device 40 includes hardware such as a processor 41, a memory 42, a storage 43, and a communication interface 44. The processor 41 is connected to other hardware via a signal line and controls these other hardware.
 トークン生成装置40は、機能構成要素として、パラメータ取得部411と、トークン生成部412と、送信部413とを備える。トークン生成装置40の各機能構成要素の機能はソフトウェアにより実現される。
 ストレージ43には、トークン生成装置40の各機能構成要素の機能を実現するプログラムが記憶されている。このプログラムは、プロセッサ41によりメモリ42に読み込まれ、プロセッサ41によって実行される。これにより、トークン生成装置40の各機能構成要素の機能が実現される。
The token generation device 40 includes a parameter acquisition unit 411, a token generation unit 412, and a transmission unit 413 as functional components. The function of each functional component of the token generation device 40 is realized by software.
The storage 43 stores programs that implement the functions of the functional components of the token generation device 40. This program is read into the memory 42 by the processor 41 and executed by the processor 41. Thereby, the function of each functional component of the token generation device 40 is realized.
 図5を参照して、実施の形態1に係る暗号化装置50の構成を説明する。
 暗号化装置50は、プロセッサ51と、メモリ52と、ストレージ53と、通信インタフェース54とのハードウェアを備える。プロセッサ51は、信号線を介して他のハードウェアと接続され、これら他のハードウェアを制御する。
The configuration of the encryption device 50 according to the first embodiment will be described with reference to FIG.
The encryption device 50 includes hardware such as a processor 51, a memory 52, a storage 53, and a communication interface 54. The processor 51 is connected to other hardware via a signal line, and controls these other hardware.
 暗号化装置50は、機能構成要素として、マスター鍵取得部511と、トークン取得部512と、メッセージ取得部513と、暗号化部514と、送信部515とを備える。暗号化装置50の各機能構成要素の機能はソフトウェアにより実現される。
 ストレージ53には、暗号化装置50の各機能構成要素の機能を実現するプログラムが記憶されている。このプログラムは、プロセッサ51によりメモリ52に読み込まれ、プロセッサ51によって実行される。これにより、暗号化装置50の各機能構成要素の機能が実現される。
 また、ストレージ53は、マスター鍵記憶部531と、トークン記憶部532との機能を実現する。
The encryption device 50 includes a master key acquisition unit 511, a token acquisition unit 512, a message acquisition unit 513, an encryption unit 514, and a transmission unit 515 as functional components. The function of each functional component of the encryption device 50 is realized by software.
The storage 53 stores programs that implement the functions of the functional components of the encryption device 50. This program is read into the memory 52 by the processor 51 and executed by the processor 51. As a result, the function of each functional component of the encryption device 50 is realized.
The storage 53 also realizes the functions of the master key storage unit 531 and the token storage unit 532.
 図6を参照して、実施の形態1に係る秘匿分析装置60の構成を説明する。
 秘匿分析装置60は、プロセッサ61と、メモリ62と、ストレージ63と、通信インタフェース64とのハードウェアを備える。プロセッサ61は、信号線を介して他のハードウェアと接続され、これら他のハードウェアを制御する。
The configuration of the confidentiality analysis device 60 according to the first embodiment will be described with reference to FIG.
The confidentiality analysis device 60 includes hardware such as a processor 61, a memory 62, a storage 63, and a communication interface 64. The processor 61 is connected to other hardware via a signal line, and controls these other hardware.
 秘匿分析装置60は、機能構成要素として、秘密鍵取得部611と、トークン取得部612と、暗号文取得部613と、復号部614と、送信部615とを備える。秘匿分析装置60の各機能構成要素の機能はソフトウェアにより実現される。
 ストレージ63には、秘匿分析装置60の各機能構成要素の機能を実現するプログラムが記憶されている。このプログラムは、プロセッサ61によりメモリ62に読み込まれ、プロセッサ61によって実行される。これにより、秘匿分析装置60の各機能構成要素の機能が実現される。
 ストレージ63は、秘密鍵記憶部631と、トークン記憶部632と、暗号文記憶部633との機能を実現する。
The confidentiality analysis device 60 includes a secret key acquisition unit 611, a token acquisition unit 612, a ciphertext acquisition unit 613, a decryption unit 614, and a transmission unit 615 as functional components. The function of each functional component of the confidentiality analysis device 60 is realized by software.
The storage 63 stores a program that realizes the function of each functional component of the confidentiality analysis device 60. This program is read into the memory 62 by the processor 61 and executed by the processor 61. As a result, the function of each functional component of the confidentiality analysis device 60 is realized.
The storage 63 realizes the functions of the secret key storage unit 631, the token storage unit 632, and the ciphertext storage unit 633.
 プロセッサ21,31,41,51,61は、演算処理を行うIC(Integrated Circuit)である。プロセッサ21,31,41,51,61は、具体例としては、CPU(Central Processing Unit)、DSP(Digital Signal Processor)、GPU(Graphics Processing Unit)である。 The processors 21, 31, 41, 51, 61 are ICs (Integrated Circuits) that perform arithmetic processing. The processors 21, 31, 41, 51, 61 are, as specific examples, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
 メモリ22,32,42,52,62は、データを一時的に記憶する記憶装置である。メモリ22,32,42,52,62は、具体例としては、SRAM(Static Random Access Memory)、DRAM(Dynamic Random Access Memory)である。 The memories 22, 32, 42, 52, 62 are storage devices for temporarily storing data. The memory 22, 32, 42, 52, 62 is, for example, SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory).
 ストレージ23,33,43,53,63は、データを保管する記憶装置である。ストレージ23,33,43,53,63は、具体例としては、HDD(Hard Disk Drive)である。また、ストレージ23,33,43,53,63は、SD(登録商標,Secure Digital)メモリカード、CF(CompactFlash,登録商標)、NANDフラッシュ、フレキシブルディスク、光ディスク、コンパクトディスク、ブルーレイ(登録商標)ディスク、DVD(Digital Versatile Disk)といった可搬記憶媒体であってもよい。 The storages 23, 33, 43, 53, 63 are storage devices for storing data. The storages 23, 33, 43, 53, 63 are, as a specific example, HDDs (Hard Disk Drives). The storages 23, 33, 43, 53, 63 are SD (registered trademark, Secure Digital) memory cards, CF (CompactFlash, registered trademark), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk. It may be a portable storage medium such as a DVD (Digital Versatile Disk).
 通信インタフェース24,34,44,54,64は、外部の装置と通信するためのインタフェースである。通信インタフェース24,34,44,54,64は、具体例としては、Ethernet(登録商標)、USB(Universal Serial Bus)、HDMI(登録商標,High-Definition Multimedia Interface)のポートである。 The communication interfaces 24, 34, 44, 54, 64 are interfaces for communicating with external devices. The communication interfaces 24, 34, 44, 54, 64 are, as specific examples, Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
 図2では、プロセッサ21は、1つだけ示されている。しかし、セットアップ装置20は、プロセッサ21を代替する複数のプロセッサを備えていてもよい。同様に、鍵生成装置30は、プロセッサ31を代替する複数のプロセッサを備えていてもよい。トークン生成装置40は、プロセッサ41を代替する複数のプロセッサを備えていてもよい。暗号化装置50は、プロセッサ51を代替する複数のプロセッサを備えていてもよい。秘匿分析装置60は、プロセッサ61を代替する複数のプロセッサを備えていてもよい。
 これら複数のプロセッサは、各機能構成要素の機能を実現するプログラムの実行を分担する。それぞれのプロセッサは、プロセッサ21,31,41,51,61と同じように、演算処理を行うICである。
In FIG. 2, only one processor 21 is shown. However, the setup device 20 may include a plurality of processors that replace the processor 21. Similarly, the key generation device 30 may include a plurality of processors that replace the processor 31. The token generation device 40 may include a plurality of processors that replace the processor 41. The encryption device 50 may include a plurality of processors that replace the processor 51. The confidentiality analysis device 60 may include a plurality of processors that replace the processor 61.
These multiple processors share the execution of programs that implement the functions of the functional components. Each of the processors is an IC that performs arithmetic processing similarly to the processors 21, 31, 41, 51 and 61.
 ***動作の説明***
 図7から図11を参照して、実施の形態1に係る秘匿分析システム10の動作を説明する。
*** Explanation of operation ***
The operation of the confidentiality analysis system 10 according to the first embodiment will be described with reference to FIGS. 7 to 11.
 **公開鍵暗号**
 秘匿分析システム10では、公開鍵暗号が用いられる。公開鍵暗号は、以下のPKE.KeyGenアルゴリズムと、PKE.Encアルゴリズムと、PKE.Decアルゴリズムとを含む。具体的な公開鍵暗号方式は、どの方式であってもよい。
** Public key cryptography **
The secret analysis system 10 uses public key cryptography. The public key cryptography is the following PKE. KeyGen algorithm and PKE. Enc algorithm and PKE. And the Dec algorithm. Any specific public key cryptosystem may be used.
 <PKE.KeyGenアルゴリズム>
 PKE.KeyGenアルゴリズムは、鍵生成アルゴリズムである。PKE.KeyGenアルゴリズムは、セキュリティパラメータλを入力として、公開鍵pkと、秘密鍵skとのペアを出力する。
 <PKE.Encアルゴリズム>
 PKE.Encアルゴリズムは、暗号化アルゴリズムである。PKE.Encアルゴリズムは、公開鍵pkと、メッセージxとを入力として、メッセージxを暗号化した暗号文cを出力する。
 <PKE.Decアルゴリズム>
 PKE.Decアルゴリズムは、復号アルゴリズムである。PKE.Decアルゴリズムは、秘密鍵skと、暗号文cとを入力として、メッセージx、又は、特別なシンボル⊥を出力する。
<PKE. KeyGen Algorithm>
PKE. The KeyGen algorithm is a key generation algorithm. PKE. The KeyGen algorithm inputs the security parameter λ and outputs a pair of the public key pk and the secret key sk.
<PKE. Enc algorithm>
PKE. The Enc algorithm is an encryption algorithm. PKE. The Enc algorithm inputs the public key pk and the message x and outputs the ciphertext c obtained by encrypting the message x.
<PKE. Dec Algorithm>
PKE. The Dec algorithm is a decoding algorithm. PKE. The Dec algorithm inputs the secret key sk and the ciphertext c and outputs the message x or the special symbol ⊥.
 **共通鍵型複数入力関数暗号**
 秘匿分析システム10では、共通鍵型複数入力関数暗号が用いられる。共通鍵型複数入力関数暗号は、以下のM.Setupアルゴリズムと、M.KeyGenアルゴリズムと、M.Encアルゴリズムと、M.Decアルゴリズムとを含む。具体的な共通鍵型複数入力関数暗号方式は、どの方式であってもよい。
** Common key type multiple input function encryption **
In the confidentiality analysis system 10, common key type multiple input function encryption is used. The common key type multiple input function encryption is described in M. Setup algorithm and M.G. KeyGen algorithm and M.G. Enc algorithm, and M.G. And the Dec algorithm. Any specific common key type multiple input function encryption method may be used.
 <M.Setupアルゴリズム>
 M.Setupアルゴリズムは、マスター鍵生成アルゴリズムである。M.Setupアルゴリズムは、セキュリティパラメータλを入力として、公開鍵mpkと、マスター秘密鍵mskのペアを出力する。
 <M.KeyGenアルゴリズム>
 M.KeyGenアルゴリズムは、秘密鍵生成アルゴリズムである。M.KeyGenアルゴリズムは、マスター秘密鍵mskと、値yとを入力として、値yが設定された秘密鍵skを出力する。
 <M.Encアルゴリズム>
 M.Encアルゴリズムは、暗号化アルゴリズムである。M.Encアルゴリズムは、マスター秘密鍵mskと、インデックスiと、メッセージxとを入力として、暗号文cを出力する。
 <M.Decアルゴリズム>
 M.Decアルゴリズムは、復号アルゴリズムである。M.Decアルゴリズムは、秘密鍵skと、1以上の整数nに関して、i=1,...,nの各整数iについての暗号文c(c,...,c)とを入力として、各整数iについてのメッセージxと値yとを関数fに入力して得られる演算結果f(x,...,x,y)、又は、特別なシンボル⊥を出力する。
<M. Setup algorithm>
M. The Setup algorithm is a master key generation algorithm. M. The Setup algorithm receives the security parameter λ as an input and outputs a pair of the public key mpk and the master secret key msk.
<M. KeyGen Algorithm>
M. The KeyGen algorithm is a secret key generation algorithm. M. The KeyGen algorithm inputs the master secret key msk and the value y and outputs the secret key sk y in which the value y is set.
<M. Enc algorithm>
M. The Enc algorithm is an encryption algorithm. M. The Enc algorithm inputs the master secret key msk, the index i, and the message x i, and outputs the ciphertext c i .
<M. Dec Algorithm>
M. The Dec algorithm is a decoding algorithm. M. The Dec algorithm is such that, for a secret key sk y and an integer n of 1 or more, i = 1 ,. . . , N of ciphertexts c i (c 1 , ..., C n ) for each integer i, and a message x i and a value y for each integer i input to a function f. The result f (x 1 , ..., X n , y) or the special symbol ⊥ is output.
 **トークンベース複数入力関数暗号**
 秘匿分析システム10は、公開鍵暗号及び共通鍵型複数入力関数暗号を用いてトークンベース複数入力関数暗号を実現する。トークンベース複数入力関数暗号は、以下のSetupアルゴリズムと、KeyGenアルゴリズムと、GenTokenアルゴリズムと、Encアルゴリズムと、Decアルゴリズムとを含む。
** Token-based multiple input function encryption **
The confidentiality analysis system 10 implements token-based multiple input function encryption using public key encryption and common key type multiple input function encryption. The token-based multi-input function cryptography includes the following Setup algorithm, KeyGen algorithm, GenToken algorithm, Enc algorithm, and Dec algorithm.
 <Setupアルゴリズム>
 Setupアルゴリズムは、セキュリティパラメータλを入力として、公開鍵PKと、マスター秘密鍵MSKとを出力する。
 <KeyGenアルゴリズム>
 KeyGenアルゴリズムは、マスター秘密鍵MSKと、値yとを入力として、値yが設定された秘密鍵skを出力する。
 <GenTokenアルゴリズム>
 GenTokenアルゴリズムは、公開鍵mpkを入力として、1以上の整数nに関して、i=1,...,uの各整数iについての暗号化トークンetk(etk,...,etk)と、復号トークンdtkとを出力する。
 <Encアルゴリズム>
 Encアルゴリズムは、マスター秘密鍵MSKと、インデックスiと、暗号化トークンetkと、メッセージxとを入力として、暗号文cを出力する。
 <Decアルゴリズム>
 Decアルゴリズムは、復号トークンdtkと、秘密鍵skと、i=1,...,nの各整数iについての暗号文c(c,...,c)とを入力として、各整数iについてのメッセージxと値yとを関数fに入力して得られる演算結果f(x,...,x,y)、又は、特別なシンボル⊥を出力する。
<Setup algorithm>
The Setup algorithm inputs the security parameter λ and outputs the public key PK and the master secret key MSK.
<KeyGen algorithm>
The KeyGen algorithm inputs the master secret key MSK and the value y and outputs the secret key sk y in which the value y is set.
<GenToken algorithm>
The GenToken algorithm takes a public key mpk as an input, and i = 1 ,. . . , Cryptographic token ETK i for each integer i of u (etk 1, ..., etk u) and outputs the decoded token dtk.
<Enc algorithm>
Enc algorithm, as input and a master secret key MSK, and the index i, and the encryption token etk i, and a message x i, and outputs the cipher text c i.
<Dec algorithm>
Dec algorithm, and the decryption token dtk, and the secret key sk y, i = 1 ,. . . , N of ciphertexts c i (c 1 , ..., C n ) for each integer i, and a message x i and a value y for each integer i input to a function f. The result f (x 1 , ..., X n , y) or the special symbol ⊥ is output.
 **セットアップ装置20の動作**
 図7を参照して、実施の形態1に係るセットアップ装置20の動作を説明する。
 実施の形態1に係るセットアップ装置20の動作は、実施の形態1に係るセットアップ方法に相当する。また、実施の形態1に係るセットアップ装置20の動作は、実施の形態1に係るセットアッププログラムの処理に相当する。
 セットアップ装置20は、トークンベース複数入力関数暗号におけるSetupアルゴリズムを実現する。
** Operation of the setup device 20 **
The operation of the setup device 20 according to the first embodiment will be described with reference to FIG. 7.
The operation of the setup device 20 according to the first embodiment corresponds to the setup method according to the first embodiment. The operation of the setup device 20 according to the first embodiment corresponds to the process of the setup program according to the first embodiment.
The setup device 20 implements the Setup algorithm in token-based multiple input function encryption.
 (ステップS11:パラメータ取得処理)
 パラメータ取得部211は、セキュリティパラメータλを取得する。
 具体的には、パラメータ取得部211は、セットアップ装置20の利用者によって入力装置が操作され入力されたセキュリティパラメータλを受け付ける。パラメータ取得部211は、セキュリティパラメータλをメモリ22に書き込む。
(Step S11: Parameter acquisition process)
The parameter acquisition unit 211 acquires the security parameter λ.
Specifically, the parameter acquisition unit 211 receives the security parameter λ input by operating the input device by the user of the setup device 20. The parameter acquisition unit 211 writes the security parameter λ in the memory 22.
 (ステップS12:マスター鍵生成処理)
 マスター鍵生成部212は、セキュリティパラメータλをメモリ22から読み出す。マスター鍵生成部212は、セキュリティパラメータλを入力として、M.Setupアルゴリズムを実行して、公開鍵mpkと、マスター秘密鍵mskとのペアを生成する。
 マスター鍵生成部212は、公開鍵mpkを公開鍵MPKに設定し、マスター秘密鍵mskをマスター秘密鍵MSKに設定する。マスター鍵生成部212は、公開鍵MPK及びマスター秘密鍵MSKをメモリ22及びマスター鍵記憶部231に書き込む。
(Step S12: Master Key Generation Processing)
The master key generation unit 212 reads the security parameter λ from the memory 22. The master key generation unit 212 receives the security parameter λ as an input and outputs the M. The Setup algorithm is executed to generate a public key mpk and a master secret key msk.
The master key generation unit 212 sets the public key mpk as the public key MPK and sets the master secret key msk as the master secret key MSK. The master key generation unit 212 writes the public key MPK and the master secret key MSK in the memory 22 and the master key storage unit 231.
 (ステップS13:送信処理)
 送信部213は、マスター秘密鍵MSKをメモリ22から読み出す。送信部213は、マスター秘密鍵MSKを、通信インタフェース24を介して、鍵生成装置30及び暗号化装置50に秘密裡に送信する。秘密裡に送信するとは、例えば、既存の暗号方式により暗号化した上で送信するという意味である。
 すると、鍵生成装置30のマスター鍵取得部311は、マスター秘密鍵MSKを取得し、マスター鍵記憶部331に書き込む。また、暗号化装置50のマスター鍵取得部511は、マスター秘密鍵MSKを取得し、マスター鍵記憶部531に書き込む。
(Step S13: transmission process)
The transmission unit 213 reads the master secret key MSK from the memory 22. The transmission unit 213 secretly transmits the master secret key MSK to the key generation device 30 and the encryption device 50 via the communication interface 24. The secret transmission means, for example, that the data is encrypted by an existing encryption method and then transmitted.
Then, the master key acquisition unit 311 of the key generation device 30 acquires the master secret key MSK and writes it in the master key storage unit 331. Also, the master key acquisition unit 511 of the encryption device 50 acquires the master secret key MSK and writes it in the master key storage unit 531.
 **鍵生成装置30の動作**
 図8を参照して、実施の形態1に係る鍵生成装置30の動作を説明する。
 実施の形態1に係る鍵生成装置30の動作は、実施の形態1に係る鍵生成方法に相当する。また、実施の形態1に係る鍵生成装置30の動作は、実施の形態1に係る鍵生成プログラムの処理に相当する。
 鍵生成装置30は、トークンベース複数入力関数暗号におけるKeyGenアルゴリズムを実現する。
** Operation of the key generation device 30 **
The operation of the key generation device 30 according to the first embodiment will be described with reference to FIG.
The operation of the key generation device 30 according to the first embodiment corresponds to the key generation method according to the first embodiment. The operation of the key generation device 30 according to the first embodiment corresponds to the processing of the key generation program according to the first embodiment.
The key generation device 30 implements the KeyGen algorithm in token-based multiple input function encryption.
 (ステップS21:値取得処理)
 値取得部312は、値yを取得する。値yは、演算対象となる値である。
 具体的には、値取得部312は、鍵生成装置30の利用者によって入力装置が操作され入力された値yを受け付ける。値取得部312は、値yをメモリ32に書き込む。
(Step S21: value acquisition process)
The value acquisition unit 312 acquires the value y. The value y is a value to be calculated.
Specifically, the value acquisition unit 312 receives the value y input by operating the input device by the user of the key generation device 30. The value acquisition unit 312 writes the value y in the memory 32.
 (ステップS22:秘密鍵生成処理)
 秘密鍵生成部313は、マスター秘密鍵MSKをマスター鍵記憶部331から読み出す。また、秘密鍵生成部313は、値yをメモリ32から読み出す。秘密鍵生成部313は、マスター秘密鍵MSKと値yとを入力として、M.KeyGenアルゴリズムを実行して、値yが設定された秘密鍵skを生成する。秘密鍵生成部313は、秘密鍵skをメモリ32に書き込む。
(Step S22: Private Key Generation Processing)
The secret key generation unit 313 reads the master secret key MSK from the master key storage unit 331. The secret key generation unit 313 also reads the value y from the memory 32. The secret key generation unit 313 receives the master secret key MSK and the value y as input, and outputs the M.M. The KeyGen algorithm is executed to generate the secret key sk y with the value y set. The secret key generating unit 313 writes the secret key sk y in the memory 32.
 (ステップS23:送信処理)
 送信部314は、秘密鍵skをメモリ32から読み出す。送信部314は、秘密鍵skを、通信インタフェース34を介して、秘匿分析装置60に秘密裡に送信する。
 すると、秘匿分析装置60の秘密鍵取得部611は、秘密鍵skを取得し、秘密鍵記憶部631に書き込む。
(Step S23: transmission process)
The transmission unit 314 reads the secret key sk y from the memory 32. Transmitting unit 314, a secret key sk y, via the communication interface 34, transmits secretly in the hidden analyzer 60.
Then, the private key acquiring section 611 of the concealment analyzer 60 obtains the private key sk y, written in the secret key storage unit 631.
 **トークン生成装置40の動作**
 図9を参照して、実施の形態1に係るトークン生成装置40の動作を説明する。
 実施の形態1に係るトークン生成装置40の動作は、実施の形態1に係るトークン生成方法に相当する。また、実施の形態1に係るトークン生成装置40の動作は、実施の形態1に係るトークン生成プログラムの処理に相当する。
 トークン生成装置40は、トークンベース複数入力関数暗号におけるGenTokenアルゴリズムを実現する。
** Operation of token generator 40 **
The operation of the token generation device 40 according to the first embodiment will be described with reference to FIG.
The operation of the token generation device 40 according to the first embodiment corresponds to the token generation method according to the first embodiment. The operation of the token generation device 40 according to the first embodiment corresponds to the processing of the token generation program according to the first embodiment.
The token generation device 40 implements the GenToken algorithm in token-based multiple input function cryptography.
 (ステップS31:パラメータ取得処理)
 パラメータ取得部411は、セキュリティパラメータλを取得する。セキュリティパラメータλは、ステップS11で取得されたセキュリティパラメータλと同じパラメータであってもよいし、異なるパラメータであってもよい。
 具体的には、パラメータ取得部411は、トークン生成装置40の利用者によって入力装置が操作され入力されたセキュリティパラメータλを受け付ける。パラメータ取得部411は、セキュリティパラメータλをメモリ42に書き込む。
(Step S31: Parameter acquisition process)
The parameter acquisition unit 411 acquires the security parameter λ. The security parameter λ may be the same parameter as the security parameter λ acquired in step S11, or may be a different parameter.
Specifically, the parameter acquisition unit 411 receives the security parameter λ input by operating the input device by the user of the token generation device 40. The parameter acquisition unit 411 writes the security parameter λ in the memory 42.
 (ステップS32:トークン生成処理)
 トークン生成部412は、セキュリティパラメータλをメモリ42から読み出す。トークン生成部412は、セキュリティパラメータλを入力として、PKE.KeyGenアルゴリズムを実行して、公開鍵pk及び秘密鍵skのペアを生成する。
 トークン生成部412は、i=1,...,nの各整数iについて、公開鍵pkを暗号化トークンetkに設定する。また、トークン生成部412は、秘密鍵skを復号トークンdtkに設定する。ここで、nは、1以上の整数である。つまり、etk,...,etk:=pkであり、dtk=skである。トークン生成部412は、i=1,...,nの各整数iについての暗号化トークンetkと、復号トークンdtkとをメモリ42に書き込む。
(Step S32: token generation process)
The token generation unit 412 reads the security parameter λ from the memory 42. The token generation unit 412 receives the security parameter λ as an input and outputs the PKE. The KeyGen algorithm is executed to generate a public key pk and private key sk pair.
The token generation unit 412 uses i = 1 ,. . . , N, the public key pk is set in the encryption token etk i . Further, the token generation unit 412 sets the private key sk in the decryption token dtk. Here, n is an integer of 1 or more. That is, etk 1 ,. . . , Etk n : = pk and dtk = sk. The token generation unit 412 uses i = 1 ,. . . Writes the encrypted token ETK i for each integer i of n, a decoding token dtk in memory 42.
 (ステップS33:送信処理)
 送信部413は、i=1,...,nの各整数iについての暗号化トークンetkと、復号トークンdtkとをメモリ42から読み出す。送信部413は、i=1,...,nの各整数iについての暗号化トークンetkを、通信インタフェース44を介して、暗号化装置50に秘密裡に送信する。また、送信部413は、復号トークンdtkを、通信インタフェース44を介して、秘匿分析装置60に秘密裡に送信する。
 すると、暗号化装置50のトークン取得部512は、i=1,...,nの各整数iについての暗号化トークンetkを取得し、トークン記憶部532に書き込む。また、秘匿分析装置60のトークン取得部612は、復号トークンdtkを取得し、トークン記憶部632に書き込む。
(Step S33: transmission process)
The transmission unit 413 determines that i = 1 ,. . . Reads an encrypted token ETK i for each integer i of n, a decoding token dtk from the memory 42. The transmission unit 413 determines that i = 1 ,. . . The cryptographic token ETK i for each integer i of n, via the communication interface 44, transmits secretly encryption device 50. Further, the transmission unit 413 secretly transmits the decryption token dtk to the confidentiality analysis device 60 via the communication interface 44.
Then, the token acquisition unit 512 of the encryption device 50 makes i = 1 ,. . . , N for each integer i of the encrypted token etk i , and writes it in the token storage unit 532. Further, the token acquisition unit 612 of the confidentiality analysis device 60 acquires the decryption token dtk and writes it in the token storage unit 632.
 なお、ここでは、暗号化装置50が複数存在する場合には、送信部413は、各暗号化装置50に必要な暗号化トークンetkを送信する。例えば、i=1,...,nの各整数iについての暗号化装置50iが存在する場合に、送信部413は、i=1,...,nの各整数iについて暗号化トークンetkを暗号化装置50i送信するといったことが考えられる。 Here, if the encryption device 50 there are a plurality of transmission unit 413 transmits the encrypted token ETK i required for each encryption device 50. For example, i = 1 ,. . . , N, when there is an encryption device 50i for each integer i, the transmission unit 413 determines that i = 1 ,. . . , N may be transmitted to the encryption device 50i with the encryption token etk i .
 **暗号化装置50の動作**
 図10を参照して、実施の形態1に係る暗号化装置50の動作を説明する。
 実施の形態1に係る暗号化装置50の動作は、実施の形態1に係る暗号化方法に相当する。また、実施の形態1に係る暗号化装置50の動作は、実施の形態1に係る暗号化プログラムの処理に相当する。
 暗号化装置50は、トークンベース複数入力関数暗号におけるEncアルゴリズムを実現する。
** Operation of the encryption device 50 **
The operation of the encryption device 50 according to the first embodiment will be described with reference to FIG.
The operation of the encryption device 50 according to the first embodiment corresponds to the encryption method according to the first embodiment. The operation of the encryption device 50 according to the first embodiment corresponds to the processing of the encryption program according to the first embodiment.
The encryption device 50 implements the Enc algorithm in token-based multiple input function encryption.
 (ステップS41:メッセージ取得処理)
 メッセージ取得部513は、インデックスiと、インデックスiに対応したメッセージxとを取得する。
 具体的には、メッセージ取得部513は、暗号化装置50の利用者によって入力装置が操作され入力されたインデックスiと、メッセージxとを受け付ける。メッセージ取得部513は、インデックスi及びメッセージxをメモリ52に書き込む。
 なお、暗号化装置50にインデックスiが対応している場合には、メッセージ取得部513は、メッセージxだけを取得してもよい。
(Step S41: message acquisition process)
The message acquisition unit 513 acquires the index i and the message x i corresponding to the index i.
Specifically, the message acquisition unit 513 receives the index x and the message x i input by the user of the encryption device 50 operating the input device. The message acquisition unit 513 writes the index i and the message x i in the memory 52.
If the index i corresponds to the encryption device 50, the message acquisition unit 513 may acquire only the message x i .
 (ステップS42:第1暗号化処理)
 暗号化部514は、マスター秘密鍵MSKをマスター鍵記憶部531から読み出す。また、暗号化部514は、インデックスi及びメッセージxをメモリ52から読み出す。暗号化部514は、マスター秘密鍵MSKと、インデックスiと、メッセージxとを入力として、M.Encアルゴリズムを実行して、暗号文c’を生成する。暗号化部514は、暗号文c’をメモリ52に書き込む。
(Step S42: First encryption process)
The encryption unit 514 reads the master secret key MSK from the master key storage unit 531. The encryption unit 514 also reads the index i and the message x i from the memory 52. The encryption unit 514 receives the master secret key MSK, the index i, and the message x i as inputs and outputs the M.M. The Enc algorithm is executed to generate the ciphertext c ′ i . The encryption unit 514 writes the ciphertext c ′ i in the memory 52.
 (ステップS43:第2暗号化処理)
 暗号化部514は、暗号化トークンetkをトークン記憶部532から読み出す。また、暗号化部514は、暗号文c’をメモリ52から読み出す。暗号化部514は、暗号化トークンetk(=pk)と、暗号文c’とを入力として、PKE.Encアルゴリズムを実行して、暗号文cを生成する。つまり、暗号化部514は、PKE.Encアルゴリズムにより暗号文c’を暗号化して、暗号文cを生成する。暗号化部514は、暗号文cをメモリ52に書き込む。
(Step S43: Second encryption process)
Encryption unit 514 reads the encrypted token ETK i from the token storage unit 532. The encryption unit 514 also reads the ciphertext c ′ i from the memory 52. The encryption unit 514 receives the encryption token etk i (= pk) and the ciphertext c ′ i as input and outputs the PKE. The Enc algorithm is executed to generate the ciphertext c i . That is, the encryption unit 514 determines that the PKE. The ciphertext c ′ i is encrypted by the Enc algorithm to generate the ciphertext c i . The encryption unit 514 writes the ciphertext c i in the memory 52.
 (ステップS44:送信処理)
 送信部515は、暗号文cをメモリ52から読み出す。送信部515は、通信インタフェース54を介して、暗号文cを秘匿分析装置60に送信する。
 すると、秘匿分析装置60の暗号文取得部613は、暗号文cを取得し、暗号文記憶部633に書き込む。
(Step S44: transmission process)
The transmission unit 515 reads the ciphertext c i from the memory 52. The transmission unit 515 transmits the ciphertext c i to the confidentiality analysis device 60 via the communication interface 54.
Then, the ciphertext acquisition unit 613 of the concealment analyzer 60 acquires the ciphertext c i, writes the ciphertext storage unit 633.
 **秘匿分析装置60の動作**
 図11を参照して、実施の形態1に係る秘匿分析装置60の動作を説明する。
 実施の形態1に係る秘匿分析装置60の動作は、実施の形態1に係る秘匿分析方法に相当する。また、実施の形態1に係る秘匿分析装置60の動作は、実施の形態1に係る秘匿分析プログラムの処理に相当する。
 秘匿分析装置60は、トークンベース複数入力関数暗号におけるDecアルゴリズムを実現する。
** Operation of the confidential analysis device 60 **
The operation of the confidentiality analysis device 60 according to the first embodiment will be described with reference to FIG.
The operation of the confidentiality analysis device 60 according to the first embodiment corresponds to the confidentiality analysis method according to the first embodiment. The operation of the confidentiality analysis device 60 according to the first embodiment corresponds to the processing of the confidentiality analysis program according to the first embodiment.
The confidentiality analysis device 60 implements the Dec algorithm in the token-based multiple input function encryption.
 (ステップS51:第1復号処理)
 復号部614は、復号トークンdtkをトークン取得部612から読み出す。また、復号部614は、i=1,...,nの各整数iについての暗号文cを暗号文記憶部633から読み出す。復号部614は、i=1,...,nの各整数iについて、復号トークンdtk(=sk)と、暗号文cとを入力として、PKE.Decアルゴリズムを実行して、暗号文c’を生成する。つまり、復号部614は、暗号文cを復号して、暗号文c’を生成する。復号部614は、暗号文c’をメモリ62に書き込む。
(Step S51: First decryption process)
The decryption unit 614 reads the decryption token dtk from the token acquisition unit 612. In addition, the decoding unit 614 determines that i = 1 ,. . . Reads ciphertext c i for each integer i of n from the ciphertext storage unit 633. The decoding unit 614 determines that i = 1 ,. . . , N for each integer i, the decryption token dtk (= sk) and the ciphertext c i are input, and PKE. The dec algorithm is executed to generate the ciphertext c ′ i . That is, the decoding unit 614 decodes the cipher text c i, and generates a ciphertext c 'i. The decryption unit 614 writes the ciphertext c ′ i in the memory 62.
 (ステップS52:第2復号処理)
 復号部614は、秘密鍵skを秘密鍵記憶部631から読み出す。また、復号部614は、i=1,...,nの各整数iについての暗号文c’をメモリ62から読み出す。復号部614は、秘密鍵skと、i=1,...,nの各整数iについての暗号文c’とを入力として、M.Decアルゴリズムを実行して、各整数iについてのメッセージxと値yとを関数fに入力して得られる演算結果f(x,...,x,y)、又は、特別なシンボル⊥を生成する。復号部614は、演算結果f(x,...,x,y)、又は、特別なシンボル⊥をメモリ62に書き込む。
(Step S52: Second decoding process)
Decoding unit 614 reads the secret key sk y from the secret key storage unit 631. In addition, the decoding unit 614 determines that i = 1 ,. . . , N, the ciphertext c ′ i for each integer i is read from the memory 62. Decoding unit 614, a secret key sk y, i = 1 ,. . . , N for ciphertexts c ′ i for each integer i of M. Executing the Dec algorithm and inputting the message x i and the value y for each integer i into the function f, the operation result f (x 1 , ..., X n , y) or a special symbol Generate ⊥. The decoding unit 614 writes the calculation result f (x 1 , ..., X n , y) or the special symbol ⊥ in the memory 62.
 (ステップS53:送信処理)
 送信部615は、演算結果f(x,...,x,y)、又は、特別なシンボル⊥をメモリ62から読み出す。送信部615は、演算結果f(x,...,x,y)、又は、特別なシンボル⊥を通信インタフェース64を介して出力する。
(Step S53: transmission process)
The transmission unit 615 reads the calculation result f (x 1 , ..., X n , y) or the special symbol ⊥ from the memory 62. The transmission unit 615 outputs the calculation result f (x 1 , ..., X n , y) or the special symbol ⊥ via the communication interface 64.
 ***実施の形態1の効果***
 以上のように、実施の形態1に係る秘匿分析システム10では、秘匿分析装置60は、共通鍵複数入力関数暗号における暗号文c’が暗号化トークンetkを用いて暗号化された暗号文cを取得する。そして、秘匿分析装置60は、暗号文cを復号トークンdtkを用いて復号して暗号文c’を生成し、秘密鍵skを用いて暗号文c’を復号することにより、演算結果を計算する。秘密鍵skを持っていても復号トークンdtkがなければ演算を行うことができないため、秘密鍵skを持ったユーザに情報が漏えいすることを防止できる。
*** Effects of Embodiment 1 ***
As described above, in the confidentiality analysis system 10 according to the first embodiment, the confidentiality analysis device 60 allows the ciphertext c ′ i in the common-key multiple-input-function encryption to be encrypted using the encryption token etk. Get i . Then, concealment analyzer 60 decodes using the decoding token dtk ciphertext c i 'generates a i, ciphertext c using the private key sk y' ciphertext c by decoding the i, computation Calculate the result. Even if the user has the private key sk, the operation cannot be performed without the decryption token dtk. Therefore, it is possible to prevent the information from being leaked to the user who has the private key sk.
 ***他の構成***
 <変形例1>
 実施の形態1では、各機能構成要素がソフトウェアで実現された。しかし、変形例1として、各機能構成要素はハードウェアで実現されてもよい。この変形例1について、実施の形態1と異なる点を説明する。
*** Other configuration ***
<Modification 1>
In the first embodiment, each functional component is realized by software. However, as a first modification, each functional component may be realized by hardware. Differences between the first modification and the first embodiment will be described.
 図12を参照して、変形例1に係るセットアップ装置20の構成を説明する。
 機能がハードウェアで実現される場合、セットアップ装置20は、プロセッサ21とメモリ22とストレージ23とに代えて、電子回路25を備える。電子回路25は、セットアップ装置20の機能構成要素と、メモリ22とストレージ23との機能とを実現する専用の回路である。
The configuration of the setup device 20 according to the first modification will be described with reference to FIG.
When the function is realized by hardware, the setup device 20 includes an electronic circuit 25 instead of the processor 21, the memory 22, and the storage 23. The electronic circuit 25 is a dedicated circuit that realizes the functional components of the setup device 20 and the functions of the memory 22 and the storage 23.
 図13を参照して、変形例1に係る鍵生成装置30の構成を説明する。
 機能がハードウェアで実現される場合、鍵生成装置30は、プロセッサ31とメモリ32とストレージ33とに代えて、電子回路35を備える。電子回路35は、鍵生成装置30の機能構成要素と、メモリ32とストレージ33との機能とを実現する専用の回路である。
The configuration of the key generation device 30 according to the first modification will be described with reference to FIG.
When the function is realized by hardware, the key generation device 30 includes an electronic circuit 35 instead of the processor 31, the memory 32, and the storage 33. The electronic circuit 35 is a dedicated circuit that implements the functional components of the key generation device 30 and the functions of the memory 32 and the storage 33.
 図14を参照して、変形例1に係るトークン生成装置40の構成を説明する。
 機能がハードウェアで実現される場合、トークン生成装置40は、プロセッサ41とメモリ42とストレージ43とに代えて、電子回路45を備える。電子回路45は、トークン生成装置40の機能構成要素と、メモリ42とストレージ43との機能とを実現する専用の回路である。
The configuration of the token generation device 40 according to the first modification will be described with reference to FIG.
When the function is realized by hardware, the token generation device 40 includes an electronic circuit 45 instead of the processor 41, the memory 42, and the storage 43. The electronic circuit 45 is a dedicated circuit that realizes the functional components of the token generation device 40 and the functions of the memory 42 and the storage 43.
 図15を参照して、変形例1に係る暗号化装置50の構成を説明する。
 機能がハードウェアで実現される場合、暗号化装置50は、プロセッサ51とメモリ52とストレージ53とに代えて、電子回路55を備える。電子回路55は、暗号化装置50の機能構成要素と、メモリ52とストレージ53との機能とを実現する専用の回路である。
The configuration of the encryption device 50 according to the first modification will be described with reference to FIG.
When the function is implemented by hardware, the encryption device 50 includes an electronic circuit 55 instead of the processor 51, the memory 52, and the storage 53. The electronic circuit 55 is a dedicated circuit for realizing the functional components of the encryption device 50 and the functions of the memory 52 and the storage 53.
 図16を参照して、変形例1に係る秘匿分析装置60の構成を説明する。
 機能がハードウェアで実現される場合、秘匿分析装置60は、プロセッサ61とメモリ62とストレージ63とに代えて、電子回路65を備える。電子回路65は、秘匿分析装置60の機能構成要素と、メモリ62とストレージ63との機能とを実現する専用の回路である。
The configuration of the confidentiality analysis device 60 according to the first modification will be described with reference to FIG.
When the function is realized by hardware, the confidentiality analysis device 60 includes an electronic circuit 65 instead of the processor 61, the memory 62, and the storage 63. The electronic circuit 65 is a dedicated circuit for realizing the functional components of the confidentiality analysis device 60 and the functions of the memory 62 and the storage 63.
 電子回路25,35,45,55,65は、単一回路、複合回路、プログラム化したプロセッサ、並列プログラム化したプロセッサ、ロジックIC、GA(Gate Array)、ASIC(Application Specific Integrated Circuit)、FPGA(Field-Programmable Gate Array)が想定される。
 セットアップ装置20の各機能構成要素の機能を1つの電子回路25で実現してもよいし、各機能構成要素の機能を複数の電子回路25に分散させて実現してもよい。同様に、鍵生成装置30とトークン生成装置40と暗号化装置50と秘匿分析装置60とのそれぞれについて、各機能構成要素の機能を1つの電子回路35,45,55,65で実現してもよいし、各機能構成要素の機能を複数の電子回路35,45,55,65に分散させて実現してもよい。
The electronic circuits 25, 35, 45, 55, 65 are a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), and an FPGA (FPGA). Field-Programmable Gate Array) is assumed.
The function of each functional constituent element of the setup device 20 may be realized by one electronic circuit 25, or the function of each functional constituent element may be distributed to a plurality of electronic circuits 25 and realized. Similarly, for each of the key generation device 30, the token generation device 40, the encryption device 50, and the confidentiality analysis device 60, even if the functions of the respective functional components are realized by one electronic circuit 35, 45, 55, 65. Alternatively, the function of each functional component may be distributed to a plurality of electronic circuits 35, 45, 55, and 65 to be realized.
 <変形例2>
 変形例2として、一部の機能がハードウェアで実現され、他の機能がソフトウェアで実現されてもよい。つまり、各機能構成要素のうち、一部の機能がハードウェアで実現され、他の機能がソフトウェアで実現されてもよい。
<Modification 2>
As a second modification, some functions may be realized by hardware and other functions may be realized by software. That is, among the functional components, some functions may be realized by hardware and other functions may be realized by software.
 プロセッサ21,31,41,51,61とメモリ22,32,42,52,62とストレージ23,33,43,53,63と電子回路25,35,45,55,65とを処理回路という。つまり、各機能構成要素の機能は、処理回路により実現される。 The processor 21, 31, 41, 51, 61, the memory 22, 32, 42, 52, 62, the storage 23, 33, 43, 53, 63 and the electronic circuit 25, 35, 45, 55, 65 are called a processing circuit. That is, the function of each functional component is realized by the processing circuit.
 実施の形態2.
 実施の形態2では、公開鍵暗号に代え、疑似ランダム関数を用いる点が実施の形態1と異なる。実施の形態2では、この異なる点を説明し、同一の点については説明を省略する。
Embodiment 2.
The second embodiment differs from the first embodiment in that a pseudo random function is used instead of public key encryption. In the second embodiment, these different points will be described, and description of the same points will be omitted.
 図9から図11を参照して、実施の形態2に係る秘匿分析システム10の動作を説明する。
 セットアップ装置20及び鍵生成装置30の動作は、実施の形態1と同じである。したがって、ここでは、トークン生成装置40と暗号化装置50と秘匿分析装置60との動作を説明する。
The operation of the confidentiality analysis system 10 according to the second embodiment will be described with reference to FIGS. 9 to 11.
The operations of the setup device 20 and the key generation device 30 are the same as in the first embodiment. Therefore, the operations of the token generation device 40, the encryption device 50, and the confidentiality analysis device 60 will be described here.
 **疑似ランダム関数**
 秘匿分析システム10では、疑似ランダム関数が用いられる。疑似ランダム関数F:K×D→Rは、以下のPRF.KeyGenアルゴリズムと、PRF.Evalアルゴリズムとを含む。ここで、Kは鍵空間であり、Dは入力値のドメインであり、Rは出力値のレンジである。
** Pseudo-random function **
The confidentiality analysis system 10 uses a pseudo-random function. The pseudo-random function F: K × D → R has the following PRF. KeyGen algorithm and PRF. And the Eval algorithm. Here, K is a key space, D is a domain of input values, and R is a range of output values.
 <PRF.KeyGenアルゴリズム>
 PRF.KeyGenアルゴリズムは、鍵生成アルゴリズムである。PRF.KeyGenアルゴリズムは、セキュリティパラメータλを入力として、疑似ランダム関数の鍵k∈Kを出力する。
 <PRF.Evalアルゴリズム>
 PRF.Evalアルゴリズムは、評価アルゴリズムである。PRF.Evalアルゴリズムは、疑似ランダム関数の鍵kと、値j∈Dとを入力として、値m∈Rを出力する。
<PRF. KeyGen Algorithm>
PRF. The KeyGen algorithm is a key generation algorithm. PRF. The KeyGen algorithm inputs the security parameter λ and outputs the key kεK of the pseudo-random function.
<PRF. Eval algorithm>
PRF. The Eval algorithm is an evaluation algorithm. PRF. The Eval algorithm inputs the key k of the pseudo-random function and the value jεD, and outputs the value mεR.
 **トークン生成装置40の動作**
 図9を参照して、実施の形態2に係るトークン生成装置40の動作を説明する。
 実施の形態2に係るトークン生成装置40の動作は、実施の形態2に係るトークン生成方法に相当する。また、実施の形態2に係るトークン生成装置40の動作は、実施の形態2に係るトークン生成プログラムの処理に相当する。
 トークン生成装置40は、トークンベース複数入力関数暗号におけるGenTokenアルゴリズムを実現する。
** Operation of token generator 40 **
The operation of the token generation device 40 according to the second embodiment will be described with reference to FIG.
The operation of the token generation device 40 according to the second embodiment corresponds to the token generation method according to the second embodiment. The operation of the token generation device 40 according to the second embodiment corresponds to the processing of the token generation program according to the second embodiment.
The token generation device 40 implements the GenToken algorithm in token-based multiple input function cryptography.
 ステップS31及びステップS33の処理は、実施の形態1と同じである。 The processing of step S31 and step S33 is the same as that of the first embodiment.
 (ステップS32:トークン生成処理)
 トークン生成部412は、セキュリティパラメータλをメモリ42から読み出す。トークン生成部412は、i=1,...,nの各整数iについて、セキュリティパラメータλを入力として、PRF.KeyGenアルゴリズムを実行して、疑似ランダム関数の鍵kを生成する。
 トークン生成部412は、i=1,...,nの各整数iについて、疑似ランダム関数の鍵kと値j=0との組を暗号化トークンetkに設定する。また、トークン生成部412は、i=1,...,nの各整数iについての疑似ランダム関数の鍵kを復号トークンdtkに設定する。つまり、i=1,...,nの各整数iについてetk:=(k,j=0)であり、dtk:=(k,...,k)である。トークン生成部412は、i=1,...,nの各整数iについての暗号化トークンetkと、復号トークンdtkとをメモリ42に書き込む。
(Step S32: token generation process)
The token generation unit 412 reads the security parameter λ from the memory 42. The token generation unit 412 uses i = 1 ,. . . , N for each integer i, with security parameter λ as input, PRF. The KeyGen algorithm is run to generate the key k i for the pseudo-random function.
The token generation unit 412 uses i = 1 ,. . . , N for each integer i of the pseudo-random function, the set of the key k i and the value j = 0 is set in the encryption token etk i . In addition, the token generation unit 412 uses i = 1 ,. . . , Sets the key k i of the pseudo random function for each integer i of n to the decoding token dtk. That is, i = 1 ,. . . , And n for each integer i, etk i : = (k i , j = 0) and dtk: = (k 1 , ..., K n ). The token generation unit 412 uses i = 1 ,. . . Writes the encrypted token ETK i for each integer i of n, a decoding token dtk in memory 42.
 **暗号化装置50の動作**
 図10を参照して、実施の形態2に係る暗号化装置50の動作を説明する。
 実施の形態2に係る暗号化装置50の動作は、実施の形態2に係る暗号化方法に相当する。また、実施の形態2に係る暗号化装置50の動作は、実施の形態2に係る暗号化プログラムの処理に相当する。
 暗号化装置50は、トークンベース複数入力関数暗号におけるEncアルゴリズムを実現する。
** Operation of the encryption device 50 **
The operation of the encryption device 50 according to the second embodiment will be described with reference to FIG.
The operation of the encryption device 50 according to the second embodiment corresponds to the encryption method according to the second embodiment. The operation of the encryption device 50 according to the second embodiment corresponds to the processing of the encryption program according to the second embodiment.
The encryption device 50 implements the Enc algorithm in token-based multiple input function encryption.
 ステップS41とステップS42とステップS44との処理は、実施の形態1と同じである。 The processing of step S41, step S42, and step S44 is the same as that of the first embodiment.
 (ステップS43:第2暗号化処理)
 暗号化部514は、暗号化トークンetk:=(k,j)をトークン記憶部532から読み出す。また、暗号化部514は、暗号文c’をメモリ52から読み出す。暗号化部514は、暗号化トークンetkに含まれる疑似ランダム関数の鍵kと値jとを入力として、PRF.Evalアルゴリズムを実行して、値mを生成する。
 暗号化部514は、暗号文c’と、値mとの排他的論理和を計算して、暗号文c を生成する。暗号化部514は、暗号文c と、値jとの組を暗号文cに設定する。暗号化部514は、暗号文cをメモリ52に書き込む。
 また、暗号化部514は、値jに1加算して、トークン記憶部532に記憶された暗号化トークンetk:=(k,j)を更新する。つまり、値jは、暗号化される毎に異なる値に更新される。例えば、読み出された暗号化トークンetkが(k,0)の場合には、暗号化トークンetkは(k,1)になる。これにより、同じインデックスiについて再び第2暗号化処理が実行される場合には、異なる値mが生成されることになる。なお、ここでは、値jに1加算しているが、値jが異なる値になる方法であれば、他の方法で値jを更新してもよい。
(Step S43: Second encryption process)
The encryption unit 514 reads the encrypted token etk i : = (k i , j) from the token storage unit 532. The encryption unit 514 also reads the ciphertext c ′ i from the memory 52. Encryption unit 514 is input with a key k i and the value j of the pseudo random function in encrypted token ETK i, PRF. Run the Eval algorithm to generate the value m i .
Encryption unit 514, a ciphertext c 'i, and calculates the exclusive OR between the value m i, to generate ciphertext c * i. The encryption unit 514 sets a pair of the ciphertext c * i and the value j in the ciphertext c i . The encryption unit 514 writes the ciphertext c i in the memory 52.
Further, the encryption unit 514 adds 1 to the value j to update the encrypted token etk i : = (k i , j) stored in the token storage unit 532. That is, the value j is updated to a different value each time it is encrypted. For example, when the read encrypted token ETK i is (k i, 0) is encrypted token ETK i becomes (k i, 1). Accordingly, when the second encryption process is executed again for the same index i, a different value m i will be generated. Although 1 is added to the value j here, the value j may be updated by another method as long as the value j has a different value.
 **秘匿分析装置60の動作**
 図11を参照して、実施の形態2に係る秘匿分析装置60の動作を説明する。
 実施の形態2に係る秘匿分析装置60の動作は、実施の形態2に係る秘匿分析方法に相当する。また、実施の形態2に係る秘匿分析装置60の動作は、実施の形態2に係る秘匿分析プログラムの処理に相当する。
 秘匿分析装置60は、トークンベース複数入力関数暗号におけるDecアルゴリズムを実現する。
** Operation of the confidential analysis device 60 **
The operation of the privacy analysis apparatus 60 according to the second embodiment will be described with reference to FIG.
The operation of the confidentiality analysis device 60 according to the second embodiment corresponds to the confidentiality analysis method according to the second embodiment. The operation of the confidentiality analysis device 60 according to the second embodiment corresponds to the processing of the confidentiality analysis program according to the second embodiment.
The confidentiality analysis device 60 implements the Dec algorithm in the token-based multiple input function encryption.
 ステップS52及びステップS53の処理は、実施の形態1と同じである。 The processing of steps S52 and S53 is the same as that of the first embodiment.
 (ステップS51:第1復号処理)
 復号部614は、復号トークンdtkをトークン取得部612から読み出す。また、復号部614は、i=1,...,nの各整数iについての暗号文cを暗号文記憶部633から読み出す。復号部614は、i=1,...,nの各整数iについて、復号トークンdtkに含まれる疑似ランダム関数の鍵kと、暗号文cに含まれる値jとを入力として、PRF.Evalアルゴリズムを実行して、値mを生成する。
 復号部614は、i=1,...,nの各整数iについて、暗号文c と、値mとの排他的論理和を計算して、暗号文c’を生成する。復号部614は、暗号文c’をメモリ62に書き込む。
(Step S51: First decryption process)
The decryption unit 614 reads the decryption token dtk from the token acquisition unit 612. In addition, the decoding unit 614 determines that i = 1 ,. . . Reads ciphertext c i for each integer i of n from the ciphertext storage unit 633. The decoding unit 614 determines that i = 1 ,. . . For each integer i of n, as inputs and the key k i of the pseudo random function that is included in the decoded token dtk, the value j included in the ciphertext c i, PRF. Run the Eval algorithm to generate the value m i .
The decoding unit 614 determines that i = 1 ,. . . , N for each integer i, the exclusive OR of the ciphertext c * i and the value m i is calculated to generate the ciphertext c ′ i . The decryption unit 614 writes the ciphertext c ′ i in the memory 62.
 ***実施の形態2の効果***
 以上のように、実施の形態2に係る秘匿分析システム10では、公開鍵暗号に代え、疑似ランダム関数を用いて、実施の形態1と同様の効果を奏することができる。
 また、実施の形態2に係る秘匿分析システム10では、値mを生成する際に使用する値jが暗号化毎に異なる値になる。そのため、暗号化毎に値mが異なる値になるため、高い安全性を実現することが可能である。
*** Effects of Embodiment 2 ***
As described above, the confidentiality analysis system 10 according to the second embodiment can achieve the same effect as that of the first embodiment by using the pseudo-random function instead of the public key encryption.
Further, the concealment analysis system 10 according to the second embodiment, the value j for use in generating the value m i is different value for each encryption. Therefore, since the value m i is different for each encryption, high security can be realized.
 10 秘匿分析システム、20 セットアップ装置、21 プロセッサ、22 メモリ、23 ストレージ、24 通信インタフェース、25 電子回路、211 パラメータ取得部、212 マスター鍵生成部、213 送信部、231 マスター鍵記憶部、30 鍵生成装置、31 プロセッサ、32 メモリ、33 ストレージ、34 通信インタフェース、35 電子回路、311 マスター鍵取得部、312 値取得部、313 秘密鍵生成部、314 送信部、331 マスター鍵記憶部、40 トークン生成装置、41 プロセッサ、42 メモリ、43 ストレージ、44 通信インタフェース、45 電子回路、411 パラメータ取得部、412 トークン生成部、413 送信部、50 暗号化装置、51 プロセッサ、52 メモリ、53 ストレージ、54 通信インタフェース、55 電子回路、511 マスター鍵取得部、512 トークン取得部、513 メッセージ取得部、514 暗号化部、515 送信部、531 マスター鍵記憶部、532 トークン記憶部、60 秘匿分析装置、61 プロセッサ、62 メモリ、63 ストレージ、64 通信インタフェース、65 電子回路、611 秘密鍵取得部、612 トークン取得部、613 暗号文取得部、614 復号部、615 送信部、631 秘密鍵記憶部、632 トークン記憶部、633 暗号文記憶部、90 伝送路。 10 secret analysis system, 20 setup device, 21 processor, 22 memory, 23 storage, 24 communication interface, 25 electronic circuit, 211 parameter acquisition unit, 212 master key generation unit, 213 transmission unit, 231 master key storage unit, 30 key generation Device, 31 processor, 32 memory, 33 storage, 34 communication interface, 35 electronic circuit, 311, master key acquisition unit, 312 value acquisition unit, 313 secret key generation unit, 314 transmission unit, 331 master key storage unit, 40 token generation device , 41 processor, 42 memory, 43 storage, 44 communication interface, 45 electronic circuit, 411 parameter acquisition part, 412 token generation part, 413 transmission part, 50 encryption device, 51 process Service, 52 memory, 53 storage, 54 communication interface, 55 electronic circuit, 511 master key acquisition unit, 512 token acquisition unit, 513 message acquisition unit, 514 encryption unit, 515 transmission unit, 531 master key storage unit, 532 token storage Section, 60 confidentiality analyzer, 61 processor, 62 memory, 63 storage, 64 communication interface, 65 electronic circuit, 611 private key acquisition section, 612 token acquisition section, 613 ciphertext acquisition section, 614 decryption section, 615 transmission section, 631 Private key storage unit, 632 token storage unit, 633 ciphertext storage unit, 90 transmission path.

Claims (8)

  1.  1以上の整数nに関して、i=1,...,nの各整数iについてのメッセージxを暗号化した暗号文c’と、値yが設定された秘密鍵skとを入力として、前記各整数iについての前記メッセージxと前記値yとを関数fに入力して得られる演算結果を出力する共通鍵型複数入力関数暗号における前記暗号文c’が、暗号化トークンetkを用いて暗号化された暗号文cを取得する暗号文取得部と、
     前記共通鍵型複数入力関数暗号における前記秘密鍵skを取得する復号鍵取得部と、
     前記暗号化トークンetkに対応する復号トークンdtkを取得するトークン取得部と、
     前記暗号文cを前記復号トークンdtkを用いて復号して前記暗号文c’を生成し、前記秘密鍵skを用いて前記暗号文c’を復号することにより、前記演算結果を計算する復号部と
    を備える秘匿分析装置。
    For integer n greater than or equal to 1, i = 1 ,. . . , Ciphertext c 'i of encrypted messages x i for each integer i of n, as inputs the secret key sk y value y is set, the said value and the message x i for each integer i The ciphertext c ′ i in the common key type multiple-input function cryptography that outputs the operation result obtained by inputting y and the function f obtains the ciphertext c i encrypted using the encryption token etk. Ciphertext acquisition unit,
    A decryption key acquisition unit for acquiring the secret key sk y in the common key type multiple input function code,
    A token acquisition unit for acquiring a decryption token dtk corresponding to the encryption token etk;
    By the ciphertext c i and decrypted using the decryption token dtk 'generates a i, the ciphertext c using the secret key sk y' the ciphertext c decodes the i, the calculation result A confidentiality analysis device comprising a decryption unit for calculating.
  2.  前記暗号化トークンetkは、公開鍵暗号における公開鍵であり、
     前記復号トークンは、前記公開鍵暗号における秘密鍵であり、
     前記暗号文cは、前記暗号化トークンetkを用いて前記公開鍵暗号の暗号化アルゴリズムにより前記暗号文c’が暗号化されて生成され、
     前記復号部は、前記暗号文cを前記復号トークンdtkを用いて前記公開鍵暗号の復号アルゴリズムにより復号して前記暗号文c’を生成する
    請求項1に記載の秘匿分析装置。
    The encryption token etk is a public key in public key cryptography,
    The decryption token is a secret key in the public key encryption,
    The ciphertext c i is generated by encrypting the ciphertext c ′ i by the encryption algorithm of the public key encryption using the encryption token etk,
    The confidentiality analysis device according to claim 1, wherein the decryption unit decrypts the ciphertext c i by the decryption algorithm of the public key encryption using the decryption token dtk to generate the ciphertext c ′ i .
  3.  前記暗号化トークンetk及び前記復号トークンは、疑似ランダム関数の鍵であり、
     前記暗号文cは、前記暗号化トークンetkを入力として前記疑似ランダム関数の評価アルゴリズムにより得られた評価値mを用いて、前記暗号文c’が暗号化されて生成され、
     前記復号部は、前記復号トークンを入力として前記疑似ランダム関数の評価アルゴリズムにより得られた評価値m’を用いて、前記暗号文cを復号して前記暗号文c’を生成する
    請求項1に記載の秘匿分析装置。
    The encryption token etk and the decryption token are keys of a pseudo-random function,
    The cipher text c i, using the evaluation value m i obtained by estimation algorithm of the pseudo random function said encrypted token etk as inputs, the ciphertext c 'i is generated encrypted,
    The decryption unit decrypts the ciphertext c i using the evaluation value m ′ i obtained by the evaluation algorithm of the pseudo-random function with the decryption token as an input to generate the ciphertext c ′ i. The confidentiality analysis device according to Item 1.
  4.  前記暗号化トークンetkは、疑似ランダム関数の鍵と、暗号化される毎に異なる値に更新される値jとの組であり、
     前記評価値mは、前記疑似ランダム関数の鍵と前記値jとを入力として、前記疑似ランダム関数の評価アルゴリズムにより得られ、
     前記暗号文cは、前記評価値mを用いて前記暗号文c’が暗号化された暗号文c と、前記評価値mを計算する際に入力された前記値jとを含み、
     前記評価値m’は、前記復号トークンと、前記暗号文cに含まれる前記値jとを入力として、前記疑似ランダム関数の評価アルゴリズムにより得られた
    請求項3に記載の秘匿分析装置。
    The encryption token etk is a set of a pseudo random function key and a value j that is updated to a different value each time encrypted.
    The evaluation value m i is obtained by an evaluation algorithm of the pseudo random function, using the key of the pseudo random function and the value j as inputs,
    The cipher text c i is the ciphertext c * i to the ciphertext c 'i is encrypted using the evaluation value m i, and the value j input in calculating the evaluation value m i Including,
    The confidentiality analysis device according to claim 3, wherein the evaluation value m ′ i is obtained by an evaluation algorithm of the pseudo-random function with the decryption token and the value j included in the ciphertext c i as inputs.
  5.  前記暗号文c は、前記暗号文c’と前記評価値mとの排他的論理和を計算して得られた暗号文であり、
     前記復号部は、前記暗号文c と前記評価値m’との排他的論理和を計算して、前記暗号文cを復号する
    請求項4に記載の秘匿分析装置。
    The ciphertext c * i is a ciphertext obtained by calculating an exclusive OR of the ciphertext c 'i and the evaluation value m i,
    The decoder calculates an exclusive OR of the evaluation value m 'i and the ciphertext c * i, concealment analyzer according to claim 4 for decoding the cipher text c i.
  6.  i=1,...,nの各整数iについてのメッセージxを暗号化した暗号文c’と、値yが設定された秘密鍵skとを入力として、前記各整数iについての前記メッセージxと前記値yとを関数fに入力して得られる演算結果を出力する共通鍵型複数入力関数暗号を用いた秘匿分析システムであり、
     前記共通鍵型複数入力関数暗号における前記暗号文c’を、暗号化トークンetkを用いて暗号化して暗号文cを生成する暗号化装置と、
     前記暗号文cを前記暗号化トークンetkに対応する復号トークンdtkを用いて復号して前記暗号文c’を生成し、前記共通鍵型複数入力関数暗号における前記秘密鍵skを用いて前記暗号文c’を復号することにより、前記演算結果を計算する復号装置と
    を備える秘匿分析システム。
    i = 1 ,. . . , Ciphertext c 'i of encrypted messages x i for each integer i of n, as inputs the secret key sk y value y is set, the said value and the message x i for each integer i A secret analysis system using common key type multi-input function encryption, which outputs a calculation result obtained by inputting y and a function f,
    An encryption device for encrypting the ciphertext c ′ i in the common key type multi-input function encryption using an encryption token etk to generate a ciphertext c i ;
    The ciphertext c i and decrypted using the decryption token dtk corresponding to the cryptographic token etk to generate the ciphertext c 'i, by using the secret key sk y in the common key type multiple input function cipher A confidentiality analysis system comprising: a decryption device that decrypts the ciphertext c ′ i to calculate the calculation result.
  7.  秘匿分析装置における暗号文取得部が、1以上の整数nに関して、i=1,...,nの各整数iについてのメッセージxを暗号化した暗号文c’と、値yが設定された秘密鍵skとを入力として、前記各整数iについての前記メッセージxと前記値yとを関数fに入力して得られる演算結果を出力する共通鍵型複数入力関数暗号における前記暗号文c’が、暗号化トークンetkを用いて暗号化された暗号文cを取得し、
     前記秘匿分析装置における復号鍵取得部が、前記共通鍵型複数入力関数暗号における前記秘密鍵skを取得し、
     前記秘匿分析装置におけるトークン取得部が、前記暗号化トークンetkに対応する復号トークンdtkを取得し、
     前記秘匿分析装置における復号部が、前記暗号文cを前記復号トークンdtkを用いて復号して前記暗号文c’を生成し、前記秘密鍵skを用いて前記暗号文c’を復号することにより、前記演算結果を計算する秘匿分析方法。
    The ciphertext acquisition unit in the confidentiality analysis device determines that i = 1 ,. . . , Ciphertext c 'i of encrypted messages x i for each integer i of n, as inputs the secret key sk y value y is set, the said value and the message x i for each integer i The ciphertext c ′ i in the common key type multi-input function encryption that outputs y and y to the function f to obtain the operation result acquires the ciphertext c i encrypted using the encryption token etk. ,
    The decryption key acquisition unit concealment analyzer acquires the secret key sk y in the common key type multiple input function code,
    A token acquisition unit in the confidentiality analysis device acquires a decryption token dtk corresponding to the encrypted token etk,
    Said decoding unit in the concealment analyzer, the cipher text c i and decrypted using the decryption token dtk 'generates a i, the ciphertext c using the secret key sk y' the ciphertext c to i A confidentiality analysis method for calculating the calculation result by decoding.
  8.  1以上の整数nに関して、i=1,...,nの各整数iについてのメッセージxを暗号化した暗号文c’と、値yが設定された秘密鍵skとを入力として、前記各整数iについての前記メッセージxと前記値yとを関数fに入力して得られる演算結果を出力する共通鍵型複数入力関数暗号における前記暗号文c’が、暗号化トークンetkを用いて暗号化された暗号文cを取得する暗号文取得処理と、
     前記共通鍵型複数入力関数暗号における前記秘密鍵skを取得する復号鍵取得処理と、
     前記暗号化トークンetkに対応する復号トークンdtkを取得するトークン取得処理と、
     前記暗号文cを前記復号トークンdtkを用いて復号して前記暗号文c’を生成し、前記秘密鍵skを用いて前記暗号文c’を復号することにより、前記演算結果を計算する復号処理と
    を行う秘匿分析装置としてコンピュータを機能させる秘匿分析プログラム。
    For integer n greater than or equal to 1, i = 1 ,. . . , Ciphertext c 'i of encrypted messages x i for each integer i of n, as inputs the secret key sk y value y is set, the said value and the message x i for each integer i The ciphertext c ′ i in the common key type multiple-input function cryptography that outputs the operation result obtained by inputting y and the function f obtains the ciphertext c i encrypted using the encryption token etk. Ciphertext acquisition process,
    A decryption key acquisition process of acquiring the secret key sk y in the common key type multiple input function code,
    A token acquisition process for acquiring a decryption token dtk corresponding to the encryption token etk;
    By the ciphertext c i and decrypted using the decryption token dtk 'generates a i, the ciphertext c using the secret key sk y' the ciphertext c decodes the i, the calculation result A confidentiality analysis program that causes a computer to function as a confidentiality analysis device that performs a decryption process for calculation.
PCT/JP2018/037603 2018-10-09 2018-10-09 Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program WO2020075224A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/037603 WO2020075224A1 (en) 2018-10-09 2018-10-09 Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/037603 WO2020075224A1 (en) 2018-10-09 2018-10-09 Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program

Publications (1)

Publication Number Publication Date
WO2020075224A1 true WO2020075224A1 (en) 2020-04-16

Family

ID=70164019

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/037603 WO2020075224A1 (en) 2018-10-09 2018-10-09 Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program

Country Status (1)

Country Link
WO (1) WO2020075224A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002077134A (en) * 2000-08-31 2002-03-15 Toshiba Corp Server client system, data server, data client, data providing and using method, and recording medium
US20070237327A1 (en) * 2006-03-23 2007-10-11 Exegy Incorporated Method and System for High Throughput Blockwise Independent Encryption/Decryption
JP2011166752A (en) * 2010-01-15 2011-08-25 Nippon Telegr & Teleph Corp <Ntt> Encryption system, encryption device, decryption apparatus, encryption method, and program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002077134A (en) * 2000-08-31 2002-03-15 Toshiba Corp Server client system, data server, data client, data providing and using method, and recording medium
US20070237327A1 (en) * 2006-03-23 2007-10-11 Exegy Incorporated Method and System for High Throughput Blockwise Independent Encryption/Decryption
JP2011166752A (en) * 2010-01-15 2011-08-25 Nippon Telegr & Teleph Corp <Ntt> Encryption system, encryption device, decryption apparatus, encryption method, and program

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ABDALLA, M. ET AL.: "Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions without Pairings", LECTURE NOTES IN COMPUTER SCIENCE, vol. 10991, August 2018 (2018-08-01), pages 597 - 627, XP055700529 *
AGRAWAL, S. ET AL.: "Fully Secure Functional Encryption for Inner Products", FROM STANDARD ASSUMPTIONS, August 2016 (2016-08-01), XP061022140, Retrieved from the Internet <URL:https://www.iacr.org/archive/crypto2016/crypto2016-index.html> [retrieved on 20181226] *
NAVEED, M. ET AL.: "Controlled Functional Encryption", PROCEEDINGS OF THE 21ST ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, November 2014 (2014-11-01), pages 1280 - 1291, XP058060594, DOI: 10.1145/2660267.2660291 *

Similar Documents

Publication Publication Date Title
JP6732141B2 (en) Conversion key generation device, ciphertext conversion device, secret information processing system, conversion key generation method, conversion key generation program, ciphertext conversion method, and ciphertext conversion program
JP6522263B2 (en) Homomorphic arithmetic unit, cryptographic system and homomorphic arithmetic program
KR20150122513A (en) Encryption apparatus, method for encryption and computer-readable recording medium
KR20100138986A (en) Cryptographic system
JP6386198B1 (en) Encryption device and decryption device
JP2015184490A (en) Encryption device, encryption method, information processor, and encryption system
WO2016088453A1 (en) Encryption apparatus, decryption apparatus, cryptography processing system, encryption method, decryption method, encryption program, and decryption program
WO2019239776A1 (en) Decrypting device, encrypting device, and encryption system
KR20040065795A (en) Data Encryption apparatus and method
JP2018036418A (en) Encryption system, encryption method, and encryption program
WO2020044748A1 (en) Device for configuring id-based hash proof system, id-based encryption device, method for configuring id-based hash proof system, and program
US20240048377A1 (en) Ciphertext conversion system, conversion key generation method, and non-transitory computer readable medium
Kangavalli et al. A mixed homomorphic encryption scheme for secure data storage in cloud
JP7117964B2 (en) Decryption device, encryption system, decryption method and decryption program
CN115668334A (en) Secret information processing system, encryption device, encryption method, and encryption program
JP6452910B1 (en) Secret analysis device, secret analysis system, secret analysis method, and secret analysis program
JP6949276B2 (en) Re-encrypting device, re-encrypting method, re-encrypting program and cryptosystem
Hazzazi et al. Asymmetric Key Cryptosystem for Image Encryption by Elliptic Curve over Galois Field GF (2 n).
WO2020075224A1 (en) Secrecy analysis device, secrecy analysis system, secrecy analysis method, and secrecy analysis program
WO2022054130A1 (en) Cryptosystem, method, and program
JP6885325B2 (en) Cryptographic device, decryption device, encryption method, decryption method, program
JP7520255B2 (en) CONFIDENTIAL INFORMATION PROCESSING SYSTEM, CONFIDENTIAL INFORMATION PROCESSING METHOD, AND CONFIDENTIAL INFORMATION PROCESSING PROGRAM
KR20150139304A (en) Encryption device and method for protecting a master key
WO2024201635A1 (en) Confidential information processing system, confidential information processing method, and confidential information processing program
US12056549B1 (en) Method and apparatus for activating a remote device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18936481

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18936481

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP