WO2021009860A1 - Cryptographic system, function value calculation method, and program - Google Patents
Cryptographic system, function value calculation method, and program
- Publication number
- WO2021009860A1 (PCT/JP2019/027996)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- random number
- pseudo
- encryption
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- G—PHYSICS
- G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
- G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
- G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3073—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Definitions
- the present invention relates to a cryptosystem, a function value calculation method and a program.
- Functional encryption is one of the technologies for analyzing data while it is encrypted.
- Functional encryption is an encryption method that can decrypt only the function value of data from a ciphertext.
- the key issuing institution creates a private key s_f corresponding to the function f.
- the decryptor can use the private key s_f created by the key issuing institution and the ciphertexts CT_1, CT_2, ..., CT_n of the data x_1, x_2, ..., x_n created by the users to calculate f(x_1, x_2, ..., x_n).
- information about x_1, x_2, ..., x_n is not leaked to the outside.
- Functional cryptography is a cryptographic method with attractive functions as described above, but it has been reported that functional cryptography for general functions is not feasible in terms of simulation-based security. In order to avoid this infeasibility, a functional encryption method using a secure execution environment has been proposed.
- a safe execution environment is assumed to be an environment in which no information about the intermediate results of the executed program is leaked.
- the decryptor is made to decrypt the ciphertext and calculate the function in the secure execution environment.
- no information about data other than the function value is leaked to the decoder, and the decoder can calculate the function value.
- Non-Patent Document 1 proposes a functional encryption method using a stateless device in which an execution environment is protected called a hardware token.
- Non-Patent Document 2 proposes a functional encryption method using a hardware-assisted memory encryption function (hereinafter referred to as a memory encryption function) that isolates the code and data of a specific application existing in the memory.
- Non-Patent Document 3 proposes a multi-input functional encryption method that can be controlled on a user-by-user basis using a memory encryption function.
- the key issuing organization distributes random numbers to each user.
- the user encrypts the data together with the distributed random numbers.
- the key issuing organization sends control information based on the random numbers distributed to the user to the decryptor.
- the decoder attempts to calculate the function value using a secure execution environment as in Non-Patent Document 2.
- in the secure execution environment, the input to the function is controlled for each user by using the control information issued by the key issuing institution and the random number in the ciphertext, so that only the function value of a function that takes as input the data created by users authorized by the key issuing institution can be obtained.
- To further improve the security of Non-Patent Document 3, it is conceivable to introduce control at a finer granularity than per user. For example, control in data units such as monthly, daily, or per minute can be considered. In such a case, if the method proposed in Non-Patent Document 3 is simply extended, the following measures are required.
- the key issuing institution distributes to the user as many random numbers as the number of data items the user will encrypt.
- the user encrypts the data with a different random number for each data to be encrypted.
- the key issuing institution sends control information based on the random numbers embedded in each data by the user to the decryptor.
- the decoder performs input control to the function of the data unit and calculation of the function value by using the safe execution environment in the same manner as in Non-Patent Document 3.
- An object of the present invention is to provide a cryptographic system, a function value calculation method, and a program that contribute to controlling input to a function in data units while suppressing communication costs from a key issuing institution to a user.
- a cryptographic system is provided that includes: an encryption device that generates a different pseudo-random number for each data and encrypts the generated pseudo-random number together with the data; a signing device that reproduces the pseudo-random number used by the encryption device for encrypting each data and generates, from the reproduced pseudo-random number, control information proving the validity of the data; and a safe execution device that verifies the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculates a function value of the data obtained by decrypting the ciphertext.
- a function value calculation method is provided that includes: a step of generating a different pseudo-random number for each data and encrypting the generated pseudo-random number together with the data; a step of reproducing the pseudo-random number used for encrypting the data and generating, from the reproduced pseudo-random number, control information proving the validity of the data; and a step of verifying the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculating a function value of the data obtained by decrypting the ciphertext.
- a program is provided that causes a computer to execute: a process of generating a different pseudo-random number for each data and encrypting the generated pseudo-random number together with the data; a process of reproducing the pseudo-random number used for encrypting the data and generating, from the reproduced pseudo-random number, control information proving the validity of the data; and a process of verifying the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculating a function value of the data obtained by decrypting the ciphertext.
- a cryptographic system, a function value calculation method, and a program that contribute to controlling the input to a function on a data-by-data basis while suppressing the communication cost from the key issuing institution to the user are provided.
- other effects may be produced in place of or in combination with the effect.
- the encryption system includes an encryption device 10, a signature device 20, and a security execution device 30 (see FIG. 1).
- the encryption device 10 generates a pseudo-random number different for each data, and encrypts the generated pseudo-random number together with the data.
- the signature device 20 reproduces the pseudo-random numbers used by the encryption device 10 for encrypting each data, and generates control information proving the validity of the data from the reproduced pseudo-random numbers.
- the safety execution device 30 verifies the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data, and when the verification of the control information is successful, calculates the function value of the data obtained by decrypting the ciphertext.
- a random number seed is distributed to the user (encryption device 10).
- the user creates a pseudo-random number using the distributed random number seed and encrypts it together with the data.
- the signature device 20 reproduces a pseudo-random number encrypted by the user together with the data by using the random number seed distributed to the user, and creates control information by using the reproduced pseudo-random number.
- the safety execution device 30 decrypts the ciphertext in a secure execution environment to obtain data and a pseudo-random number, and verifies the control information by using the pseudo-random number. If the verification is successful, the safety execution device 30 calculates a function value that inputs the data obtained by decoding.
- the key issuing institution (random number seed management device) needs to send only one random number seed to the user.
- the communication cost from the key issuing institution to each user is limited to one random number seed, regardless of the number of data items the user registers in the database, so the communication cost from the key issuing institution to each user can be kept low.
- since the data is encrypted in data units, it is possible to control the input to the function in data units. That is, the disclosure of the present application provides a multi-input functional cryptosystem in which the input to a function can be controlled in data units.
- RSA-OAEP: Rivest Shamir Adleman Optimal Asymmetric Encryption Padding
- ECDSA: Elliptic Curve Digital Signature Algorithm
- SHA-2: Secure Hash Algorithm 2
- AES: Advanced Encryption Standard
- CTR mode: Counter Mode
- the safety execution device handled by the system disclosed in the present application may be an environment in which it is assumed that the information in the device being executed does not leak to the outside of the safety execution device.
- as the secure execution device, the above-mentioned memory encryption function, a TEE (Trusted Execution Environment), a hardware token, or a device managed by a trusted third party can be considered.
- the user index may be a number or a character string.
- a decryption key distribution device that distributes the decryption key to the secure execution device may be added to the system disclosed in the present application as in the case of Non-Patent Document 2 and Non-Patent Document 3.
- when the decryption key is distributed from the decryption key distribution device to the security execution device, it is desirable to verify the decryption key distribution device and the security execution device by the same method as in Non-Patent Document 2 and Non-Patent Document 3.
- FIG. 2 is a block diagram showing an example of the configuration of the functional encryption system 100 according to the first embodiment.
- the functional encryption system 100 includes a key management device 110, an encryption device 120, a random number seed management device 130, a ciphertext storage device 140, a decryption device 150, a signature device 160, and a safety execution device 170.
- the key management device 110, the random number seed management device 130, and the signature device 160 correspond to the key issuing organization. Further, the encryption device 120 corresponds to the user. The decoding device 150 and the safety execution device 170 correspond to the decoder.
- the ciphertext storage device 140 is a database that stores ciphertexts created by the user.
- the key management device 110 is connected to the encryption device 120, the random number seed management device 130, the signature device 160, and the security execution device 170, respectively, via a predetermined communication path (for example, the Internet).
- the encryption device 120 is connected to the random number seed management device 130 and the ciphertext storage device 140 via a predetermined communication path.
- the random number seed management device 130 is connected to the signature device 160 via a predetermined communication path.
- the ciphertext storage device 140 is connected to the decryption device 150 via a predetermined communication path.
- the decoding device 150 is connected to the signature device 160 and the security execution device 170 via a predetermined communication path.
- each device does not have to be mounted on a different device, and for example, the key management device 110, the random number seed management device 130, and the signature device 160 may be mounted on the same device. Further, as in Non-Patent Document 2, a part of the signature device 160 and the key management device may be implemented in a secure execution environment. Further, the decryption device 150 and the safe execution device 170 may be mounted on the same device when a secure execution environment can be constructed in the decryption device 150 as in the memory encryption function described above.
- the key management device 110 is a device that generates a signing key pair consisting of a verification key and a signing key and an encryption key pair consisting of an encryption key and a decryption key.
- the key management device 110 includes an encryption key pair generation unit 111, a signature key pair generation unit 112, an encryption key storage unit 113, a decryption key storage unit 114, and a verification key storage unit 115.
- the encryption device 120 is a device that generates different pseudo-random numbers for each data and encrypts the generated pseudo-random numbers together with the data.
- the encryption device 120 includes a random number seed storage unit 121, an encryption key storage unit 122, a data input unit 123, a user index input unit 124, a data index generation unit 125, a pseudo-random number generation unit 126, and an encryption unit 127.
- the random number seed management device 130 is a device that generates the random number seed used by the encryption device 120 to generate pseudo-random numbers and distributes the generated random number seed to the encryption device 120.
- the random number seed management device 130 includes a user index acquisition unit 131, a random number seed generation unit 132, and a random number seed storage unit 133.
- the ciphertext storage device 140 includes a ciphertext storage unit 141 and an index acquisition unit 142.
- the decoding device 150 is a device that mediates the transmission and reception of data between the signature device 160 and the safety execution device 170.
- the decoding device 150 acquires, from the outside, a function program and index pairs, each associating the index of data input to the function program with the index of the user corresponding to that data.
- the decoding device 150 transmits the acquired function program and index pair to the signing device 160.
- the decoding device 150 acquires a signature (control information) from the signature device 160, and transmits the acquired signature to the safety execution device 170.
- the decryption device 150 includes a function program input unit 151, a ciphertext acquisition unit 152, an index input unit 153, a signature acquisition unit 154, and a function value acquisition unit 155.
- the signing device 160 is a device that reproduces the pseudo-random number used by the encryption device 120 to encrypt each data and generates, from the reproduced pseudo-random number, control information that proves the legitimacy (validity) of the data (the source of the data input to the function program).
- the signing device 160 includes a signature key storage unit 161, a function program acquisition unit 162, a ciphertext acquisition unit 163, an index acquisition unit 164, a random number seed acquisition unit 165, a hash value calculation unit 166, a pseudo-random number generation unit 167, and a signature generation unit 168.
- the safety execution device 170 is a device that verifies the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculates the function value of the data obtained by decrypting the ciphertext.
- the safety execution device 170 includes a decryption key storage unit 171, a verification key storage unit 172, a function program acquisition unit 173, a ciphertext acquisition unit 174, a signature acquisition unit 175, a decryption unit 176, a hash value calculation unit 177, a signature verification unit 178, and a function value calculation unit 179.
- the functional encryption system 100 executes an operation related to key generation, an operation related to encryption preparation, an operation related to encryption, an operation related to decryption preparation, and an operation related to decryption.
- In the operation related to key generation, the key management device 110 generates a key (encryption key, decryption key) pair for public key cryptography and a key (signature key, verification key) pair for signing.
- the encryption key is transmitted to the encryption device 120.
- the signing key is transmitted to the signing device 160.
- the decryption key and the verification key are transmitted to the security execution device 170.
- the encryption device 120 receives the user index (user identifier) from outside the system. Further, the encryption device 120 receives the encryption key from the key management device 110. Further, the encryption device 120 receives a random number seed associated with the user index from the random number seed management device 130.
- the encryption device 120 receives data from outside the system. Further, the encryption device 120 generates a pseudo-random number from the random number seed associated with the user index and the generated data index, and encrypts the pseudo-random number together with the data. In this way, the encryption device 120 uses the random number seeds distributed from the random number seed management device 130 to generate different pseudo-random numbers for each data.
- the encryption device 120 may receive the data index from the outside.
- the encryption device 120 sends the obtained ciphertext and index pair (pair consisting of the user index and data index) to the ciphertext storage device 140.
- the ciphertext storage device 140 stores the index pair and the ciphertext in association with each other.
- the security execution device 170 receives the decryption key and the verification key from the key management device 110.
- the decoding device 150 receives a list of function programs and index pairs from outside the system. Further, the decryption device 150 receives a ciphertext (a list of ciphertexts; a list composed of a plurality of ciphertexts) corresponding to the list of index pairs from the ciphertext storage device 140.
- the decoding device 150 transmits a list of function programs and index pairs to the signing device 160.
- the signing device 160 receives from the random number seed management device 130 a list of random number seeds corresponding to the list of user indexes included in the list of index pairs.
- the signing device 160 also uses the list of random number seeds and data indexes to generate a list of pseudo-random numbers.
- the signing device 160 combines the elements of the created pseudo-random number list and calculates the hash value of the combination.
- the signature device 160 combines the hash value of the function program with the hash value calculated over the combined elements of the pseudo-random number list, and generates a signature for the combined sequence.
- the signature device 160 generates the signature using the signature key obtained from the key management device 110.
- the signature device 160 sends the generated signature to the decryption device 150.
- the decryption device 150 sends the list of ciphertexts received from the ciphertext storage device 140, the signature received from the signature device 160, and the function program to the security execution device 170.
- the security execution device 170 decrypts the ciphertext of the data using the decryption key, and verifies the control information (signature generated by the signature device 160) using the verification key. Specifically, the security execution device 170 decrypts each ciphertext in the list of ciphertexts received from the decryption device 150 with the stored decryption key, and obtains a list of data and a list of pseudo-random numbers. Further, the safety execution device 170 calculates the hash value of the function program.
- the safety execution device 170 verifies, using the stored verification key, the signature received from the decoding device 150 against the sequence obtained by combining the hash value of the function program with the hash value calculated over the combined elements of the pseudo-random number list.
- the safety execution device 170 calculates the function value by executing the function program that inputs the list of data, and transmits the calculated function value to the decoding device 150.
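The flow described above (one seed per user, a pseudo-random number per data item, a signature over the function program hash and the pseudo-random numbers, and verification inside the secure execution device) can be run end to end. The following Go program is an added example, not code from the patent; it uses the primitives the page lists (RSA-OAEP, ECDSA, SHA-2, AES in CTR mode). Assumptions: deriving r_(i,j) as one AES-CTR block under key s_i with the counter set to j, SHA-256 for both H and G, the 16-byte length of r, representing the function program P as a byte string plus a Go function, and all names, seeds and data values, which are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const rLen = aes.BlockSize // bytes per pseudo-random number r_(i,j) (assumed)
type IndexPair struct{ User, Data uint64 } // (user index i, data index j)

// PRG reproduces r_(i,j) from s_i and j: one AES-CTR block, counter = j (assumed).
func PRG(seed []byte, j uint64) []byte {
	block, err := aes.NewCipher(seed)
	if err != nil {
		panic(err)
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[8:], j)
	r := make([]byte, rLen)
	cipher.NewCTR(block, ctr).XORKeyStream(r, r)
	return r
}

// Encrypt is the encryption device: ct_(i,j) = Enc(ek, x_(i,j) || r_(i,j)).
func Encrypt(ek *rsa.PublicKey, seed []byte, j uint64, x []byte) ([]byte, error) {
	msg := append(append([]byte{}, x...), PRG(seed, j)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ek, msg, nil)
}

// signedDigest hashes H(P) || G(r_1 || ... || r_k), with H = G = SHA-256 here.
func signedDigest(program []byte, rs [][]byte) []byte {
	h, g := sha256.Sum256(program), sha256.Sum256(bytes.Join(rs, nil))
	d := sha256.Sum256(append(h[:], g[:]...))
	return d[:]
}

// Authorize is the signing device: reproduce each r_(i,j) from the seeds and sign.
func Authorize(sk *ecdsa.PrivateKey, seeds map[uint64][]byte, program []byte, pairs []IndexPair) ([]byte, error) {
	var rs [][]byte
	for _, p := range pairs {
		seed, ok := seeds[p.User]
		if !ok {
			return nil, errors.New("no seed for user index")
		}
		rs = append(rs, PRG(seed, p.Data))
	}
	return ecdsa.SignASN1(rand.Reader, sk, signedDigest(program, rs))
}

// Evaluate is the secure execution device: decrypt, verify, and only then run f.
func Evaluate(dk *rsa.PrivateKey, vk *ecdsa.PublicKey, program []byte, f func([][]byte) int, cts [][]byte, sig []byte) (int, error) {
	var xs, rs [][]byte
	for _, ct := range cts {
		m, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dk, ct, nil)
		if err != nil || len(m) < rLen {
			return 0, errors.New("ciphertext rejected")
		}
		xs, rs = append(xs, m[:len(m)-rLen]), append(rs, m[len(m)-rLen:])
	}
	if !ecdsa.VerifyASN1(vk, signedDigest(program, rs), sig) {
		return 0, errors.New("control information rejected")
	}
	return f(xs), nil
}

// Demo (constructed data): one authorized evaluation, then two that must fail.
func Demo() (sum int, swapErr, progErr error) {
	enc, _ := rsa.GenerateKey(rand.Reader, 2048)                 // (ek, dk)
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // (sk, vk)
	seeds := map[uint64][]byte{1: []byte("seed-for-user-01"), 2: []byte("seed-for-user-02")}
	ct := func(i, j uint64, x byte) []byte {
		c, _ := Encrypt(&enc.PublicKey, seeds[i], j, []byte{x})
		return c
	}
	c11, c12, c21 := ct(1, 1, 10), ct(1, 2, 20), ct(2, 1, 5)
	prog := []byte("sum-v1") // stands in for the bytes of function program P
	f := func(xs [][]byte) (t int) {
		for _, x := range xs {
			t += int(x[0])
		}
		return
	}
	ctrl, _ := Authorize(signer, seeds, prog, []IndexPair{{1, 1}, {2, 1}})
	sum, _ = Evaluate(enc, &signer.PublicKey, prog, f, [][]byte{c11, c21}, ctrl)
	_, swapErr = Evaluate(enc, &signer.PublicKey, prog, f, [][]byte{c12, c21}, ctrl)
	_, progErr = Evaluate(enc, &signer.PublicKey, []byte("sum-v2"), f, [][]byte{c11, c21}, ctrl)
	return
}

func main() { fmt.Println(Demo()) }
```

The second call swaps in another data item of the same user (index pair (1, 2) instead of (1, 1)) and is rejected, which is the data-unit input control the page describes; the third call reuses the signature with a different function program and is rejected as well.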
- FIG. 4 is a sequence diagram showing an example of processing executed by the functional encryption system 100 according to the first embodiment when generating a key. With reference to FIG. 4, a process executed by the functional encryption system 100 according to the first embodiment at the time of key generation will be described.
- the signature key pair generation unit 112 of the key management device 110 generates a signature key pair (sk, vk) for signing (step A1).
- the signature key pair generation unit 112 may receive the security parameter and generate the signature key pair according to the security parameter, or may generate the signature key pair by using a predetermined security parameter.
- the verification key storage unit 115 of the key management device 110 stores the verification key vk among the signature key pairs generated by the signature key pair generation unit 112 (step A2).
- the signature key pair generation unit 112 sends the signature key sk out of the generated signature key pairs to the signature device 160 (step A3).
- the signature key storage unit 161 of the signature device 160 receives and stores the signature key sk (step A4).
- the encryption key pair generation unit 111 of the key management device 110 generates encryption key pairs (ek, dk) for public key cryptography (step A5).
- the encryption key pair generation unit 111 may receive the security parameter and generate the encryption key pair according to the security parameter, or may generate the encryption key pair by using a predetermined security parameter.
- the encryption key storage unit 113 of the key management device 110 stores the encryption key ek of the encryption key pairs generated by the encryption key pair generation unit 111 (step A6).
- the decryption key storage unit 114 of the key management device 110 stores the decryption key dk among the encryption key pairs generated by the encryption key pair generation unit 111 (step A7).
- FIG. 5 is a sequence diagram showing an example of processing executed by the functional encryption system 100 according to the first embodiment in preparation for encryption. With reference to FIG. 5, a process executed by the functional encryption system 100 according to the first embodiment when preparing for encryption will be described.
- the encryption key storage unit 113 of the key management device 110 sends the stored encryption key ek to the encryption device 120 (step B1).
- the encryption key storage unit 122 of the encryption device 120 receives and stores the encryption key ek (step B2).
- the storage of the encryption key ek may be executed in the operation related to the key generation.
- the user index input unit 124 of the encryption device 120 receives the user index i from outside the system (step B3).
- the user index input unit 124 sends the user index i to the random number seed management device 130 (step B4).
- the user index acquisition unit 131 of the random number seed management device 130 receives the user index i (step B5).
- the user index acquisition unit 131 requests the random number seed generation unit 132 of the random number seed management device 130 to generate a random number seed.
- the random number seed generation unit 132 generates the random number seed s_i of the user i in response to the request (step B6).
- the random number seed generation unit 132 may generate the random number seed s_i in advance before receiving the request.
- the random number seed is generated based on the time when the random number seed is generated.
- the random number seed generation unit 132 sends the random number seed s_i to the random number seed storage unit 133.
- the random number seed storage unit 133 stores the user index i and the random number seed s_i in association with each other (step B7).
- the random number seed storage unit 133 sends the random number seed s_i to the encryption device 120 (step B8). Instead of the random number seed storage unit 133, the random number seed generation unit 132 may send the random number seed s_i to the encryption device 120.
- the random number seed storage unit 121 of the encryption device 120 stores the random number seed s_i (step B9).
- FIG. 6 is a sequence diagram showing an example of processing executed by the functional encryption system 100 according to the first embodiment at the time of encryption. With reference to FIG. 6, a process executed by the functional encryption system 100 according to the first embodiment at the time of encryption will be described.
- the encryption device 120 receives data x_(i, j) from outside the system (step C1). j is a positive integer for identifying the data (the same applies hereinafter).
- the data x_(i, j) indicates the j-th data of the user i.
- the data index generation unit 125 of the encryption device 120 generates a data index j which is a unique natural number (step C2). For example, the data index generation unit 125 generates the data index j by incrementing in order from 1.
- the encryption unit 127 of the encryption device 120 combines the data x_ (i, j) received by the data input unit 123 and the pseudo-random number r_ (i, j) generated by the pseudo-random number generation unit 126, and the join sequence x_ ( i, j)
- is an operator indicating a combination.
- Enc indicates a ciphertext generation process.
- the encryption unit 127 sends the ciphertext ct_(i, j) and the index pair (i, j) used for ciphertext generation to the ciphertext storage device 140 (step C5).
- the ciphertext storage unit 141 of the ciphertext storage device 140 stores the received ciphertext ct_(i, j) and the index pair (i, j) in association with each other (step C6).
- FIG. 7 is a sequence diagram showing an example of processing executed by the functional encryption system 100 according to the first embodiment in preparation for decryption. With reference to FIG. 7, a process executed by the functional encryption system 100 according to the first embodiment in preparation for decryption will be described.
- the decryption key storage unit 114 of the key management device 110 sends the decryption key dk to the security execution device 170 (step D1).
- the decryption key storage unit 171 of the safety execution device 170 stores the decryption key dk (step D2).
- the verification key storage unit 115 of the key management device 110 sends the verification key vk to the security execution device 170 (step D3).
- the verification key storage unit 172 of the safety execution device 170 stores the verification key vk (step D4).
- FIG. 8 is a sequence diagram showing an example of processing executed by the functional encryption system 100 according to the first embodiment at the time of decryption. With reference to FIG. 8, a process executed by the functional encryption system 100 according to the first embodiment at the time of decryption will be described.
- the index input unit 153 sends the index pair list l_p to the ciphertext storage device 140 (step E2).
- the index acquisition unit 142 of the ciphertext storage device 140 receives the index pair list l_p (step E3).
- the ciphertext acquisition unit 152 of the decryption device 150 receives the ciphertext list l_ct (step E5).
- the function program input unit 151 of the decoding device 150 receives the function program P from outside the system (step E6).
- the function program input unit 151 sends the function program P, and the index input unit 153 sends the index pair list l_p to the signing device 160 (step E7).
- the function program acquisition unit 162 of the signature device 160 receives the function program P in which the function f is implemented, and the index acquisition unit 164 of the signature device 160 receives the index pair list l_p (step E8).
- the function program acquisition unit 162 transmits the function program P to the hash value calculation unit 166.
- The list l_u of user indexes (i_1, i_2, ..., i_k) is sent to the random number seed management device 130 (step E10).
- the user index acquisition unit 131 of the random number seed management device 130 receives the list l_u of the user index (step E11).
- the random number seed acquisition unit 165 of the signing device 160 receives the random number seed list l_s (step E13).
- the hash value calculation unit 166 combines each element of the pseudo-random number list l_r.
- the combination of each element in the above list l_r is r_(i_1, j_1)
- the hash value calculation unit 166 calculates the hash value g of the combination of each element in the list l_r (step E15).
- the hash function G and the hash function H may be the same or different.
- The signature generation unit 168 sends the signature σ to the decoding device 150 (step E17).
- The signature acquisition unit 154 of the decryption device 150 receives the signature σ (step E18).
- The function program input unit 151, the ciphertext acquisition unit 152, and the signature acquisition unit 154 of the decryption device 150 send the function program P, the ciphertext list l_ct, and the signature σ to the safety execution device 170, respectively (step E19).
- The function program acquisition unit 173, the ciphertext acquisition unit 174, and the signature acquisition unit 175 of the safety execution device 170 receive the function program P, the ciphertext list l_ct, and the signature σ, respectively (step E20).
- the decryption unit 176 of the security execution device 170 decrypts each element of the ciphertext list l_ct, and (x_(i_1, j_1)
- r_(i_k, j_k)) is obtained (step E22).
- the hash value calculation unit 177 of the safety execution device 170 obtained by decoding (x_(i_1, j_1)
- the hash value calculation unit 177 combines r_(i_1, j_1)
- The hash value g can be written as g = G(r_(i_1, j_1) ... r_(i_k, j_k)).
- The signature verification unit 178 of the safety execution device 170 verifies the signature σ by using the verification key vk, the hash value h of the function program, and the hash value g of the value obtained by combining each element of the pseudo-random number list (step E24).
- The function value calculation unit 179 of the safety execution device 170 executes the function program P with the list l_x of the decrypted data as input and calculates the function value (step E25).
- The function value calculation unit 179 sends the function value f(x_(i_1, j_1), x_(i_2, j_2), ..., x_(i_k, j_k)) to the decoding device 150 (step E26).
- The function value acquisition unit 155 of the decoding device 150 receives the function value (step E27).
- The effect of the above embodiment is that input to the function can be controlled in units of individual data while the communication cost from the key issuing institution to the user is kept low.
- the reason is that it includes the following configurations. That is, the random number seed management device 130 sends the random number seed to the encryption device 120 and the signature device 160.
- the encryption device 120 generates a pseudo-random number different for each data from the random number seed and the data index, and encrypts the pseudo-random number together with the data.
- The signing device 160 uses the random number seed managed by the random number seed management device 130 to reproduce the pseudo-random number, different for each data, that the encryption device 120 encrypted together with the data, and generates a signature based on the reproduced pseudo-random numbers and the function program.
- The security execution device 170 decrypts the acquired ciphertext, obtains the data and the pseudo-random number that differs for each data, and verifies the signature based on the pseudo-random numbers and the function program. Because the signature verification does not succeed for it, the security execution device 170 cannot input into the function the data of a ciphertext that does not contain the pseudo-random number used by the signature device 160 for signature generation.
- The user generates the random number used at the time of encryption, different for each data, from the random number seed. It is therefore sufficient for the key issuer to send one random number seed to the user. As a result, the communication from the key issuing institution to each user is limited to one random number seed regardless of the number of data the user registers in the database, and the communication cost from the key issuing institution to each user can be kept low.
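The input-control property described above, as an added Python sketch that is not code from the patent: a swapped ciphertext or a changed function program makes verification fail before P runs. Assumptions: HMAC-SHA256 stands in for both the per-data pseudo-random generator and the signature (so sk and vk are the same key here, unlike the ECDSA key pair of Appendix 10), SHA-256 serves as both H and G, and a toy SHAKE-256 stream cipher stands in for the encryption scheme; all names and sample values are constructed.

```python
import hashlib, hmac, os

def prf(seed: bytes, j: int) -> bytes:
    """r_(i,j): pseudo-random number derived from user i's seed and data index j."""
    return hmac.new(seed, j.to_bytes(8, "big"), hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (assumption): stand-in for the patent's encryption scheme.
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key: bytes, seed: bytes, j: int, x: bytes) -> bytes:
    """Encryption device 120: encrypt the data together with r_(i,j)."""
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, x + prf(seed, j))

def decrypt(key: bytes, ct: bytes):
    pt = _xor_stream(key, ct[:16], ct[16:])
    return pt[:-32], pt[-32:]                      # (x, r)

def _h_and_g(program_src: str, rs) -> bytes:
    h = hashlib.sha256(program_src.encode()).digest()   # h: hash of function program P
    g = hashlib.sha256(b"".join(rs)).digest()           # g: hash of the combined r values
    return h + g

def sign(sk: bytes, program_src: str, seeds: dict, index_pairs) -> bytes:
    """Signing device 160: reproduce each r_(i,j) from the seeds, sign (h, g)."""
    rs = [prf(seeds[i], j) for i, j in index_pairs]
    return hmac.new(sk, _h_and_g(program_src, rs), hashlib.sha256).digest()

def secure_execute(dk: bytes, vk: bytes, program_src: str, cts, sigma: bytes):
    """Device 170: decrypt, recompute h and g, verify sigma, only then run P."""
    pairs = [decrypt(dk, ct) for ct in cts]
    msg = _h_and_g(program_src, [r for _, r in pairs])
    expected = hmac.new(vk, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sigma):
        raise PermissionError("signature does not match program and inputs")
    scope = {}
    exec(program_src, scope)                       # P defines f(list_of_plaintexts)
    return scope["f"]([x for x, _ in pairs])

def demo():
    key, mac_key = os.urandom(32), os.urandom(32)  # constructed keys
    seeds = {1: os.urandom(32), 2: os.urandom(32)} # one seed per user
    values = {(1, 1): 40, (1, 2): 900, (2, 1): 2}  # constructed data x_(i,j)
    store = {(i, j): encrypt(key, seeds[i], j, v.to_bytes(4, "big"))
             for (i, j), v in values.items()}
    P = "def f(xs):\n    return sum(int.from_bytes(x, 'big') for x in xs)\n"
    allowed = [(1, 1), (2, 1)]
    sigma = sign(mac_key, P, seeds, allowed)
    ok = secure_execute(key, mac_key, P, [store[p] for p in allowed], sigma)

    def rejected(prog, index_pairs):
        try:
            secure_execute(key, mac_key, prog, [store[p] for p in index_pairs], sigma)
        except PermissionError:
            return True
        return False

    return ok, rejected(P, [(1, 2), (2, 1)]), rejected(P.replace("sum", "max"), allowed)

if __name__ == "__main__":
    print(demo())
```

The signature covers the order of the index pairs as well as their contents, because g is computed over the pseudo-random numbers in list order.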
- FIG. 9 is a diagram showing an example of the hardware configuration of the encryption device 120.
- the encryption device 120 can be configured by an information processing device (so-called computer), and includes the configuration illustrated in FIG.
- the encryption device 120 includes a processor 311, a memory 312, an input / output interface 313, a communication interface 314, and the like.
- the components such as the processor 311 are connected by an internal bus or the like so that they can communicate with each other.
- the configuration shown in FIG. 9 is not intended to limit the hardware configuration of the encryption device 120.
- the encryption device 120 may include hardware (not shown), and may not include an input / output interface 313 if necessary.
- the number of processors 311 and the like included in the encryption device 120 is not limited to the example of FIG. 9, and for example, a plurality of processors 311 may be included in the encryption device 120.
- the processor 311 is a programmable device such as a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). Alternatively, the processor 311 may be a device such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). The processor 311 executes various programs including an operating system (OS; Operating System).
- The memory 312 is a RAM (Random Access Memory), a ROM (Read Only Memory), an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like.
- the memory 312 stores an OS program, an application program, and various data.
- the input / output interface 313 is an interface of a display device or an input device (not shown).
- the display device is, for example, a liquid crystal display or the like.
- the input device is, for example, a device that accepts user operations such as a keyboard and a mouse.
- the communication interface 314 is a circuit, module, or the like that communicates with another device.
- the communication interface 314 includes a NIC (Network Interface Card) and the like.
- the function of the encryption device 120 is realized by various processing modules.
- the processing module is realized, for example, by the processor 311 executing a program stored in the memory 312.
- the program can also be recorded on a computer-readable storage medium.
- The storage medium may be a non-transitory medium such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. That is, the present invention can also be embodied as a computer program product.
- the program can be downloaded via a network or updated using a storage medium in which the program is stored.
- the processing module may be realized by a semiconductor chip.
- the random seed management device 130 and the like can also be configured by an information processing device like the encryption device 120, and the basic hardware configuration thereof is not different from that of the encryption device 120, so the description thereof will be omitted.
- [Appendix 1] A cryptographic system including: an encryption device (10, 120) that generates a different pseudo-random number for each data and encrypts the generated pseudo-random number together with the data; a signature device (20, 160) that reproduces the pseudo-random number used by the encryption device (10, 120) for encrypting each data, and generates control information proving the validity of the data from the reproduced pseudo-random number; and a safety execution device (30, 170) that verifies the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculates the function value of the data obtained by decrypting the ciphertext.
- [Appendix 2] The signature device (20, 160) calculates a signature based on a function program for obtaining a function value of the data and the reproduced pseudo-random number, and treats the calculated signature as the control information.
- [Appendix 3] The encryption system according to Appendix 2, further including a random number seed management device (130) that generates a random number seed with which the encryption device (10, 120) generates the pseudo-random number and distributes the generated random number seed to the encryption device (10, 120), wherein the encryption device (10, 120) generates a different pseudo-random number for each of the data using the distributed random number seed.
- [Appendix 4] The cryptographic system according to Appendix 3, further including a key management device (110) that generates a signing key pair consisting of a verification key and a signing key and an encryption key pair consisting of an encryption key and a decryption key, wherein the key management device (110) transmits the signature key to the signature device (20, 160), and transmits the decryption key and the verification key to the security execution device (30, 170).
- [Appendix 5] The encryption system according to Appendix 4, wherein the signature device (20, 160) generates the control information using the signature key.
- [Appendix 6] The cryptosystem according to Appendix 4 or 5, wherein the security execution device (30, 170) decrypts the ciphertext of the data using the decryption key and verifies the control information using the verification key.
- [Appendix 7] Further including a decoding device (150) that acquires, from outside, the function program and an index pair associating an index of data input to the function program with an index of a user corresponding to the data input to the function program, and transmits the acquired function program and index pair to the signing device (20, 160), wherein the signing device (20, 160) acquires a random number seed for reproducing the pseudo-random number from the random number seed management device (130) based on the index pair, calculates the signature based on the acquired function program and the random number seed, and transmits the calculated signature to the decoding device (150).
- [Appendix 8] The encryption system according to any one of Appendices 1 to 7, wherein the security execution device (30, 170) calculates the function value by using a hardware-assisted memory encryption function.
- [Appendix 9] The encryption system according to any one of Appendices 1 to 8, wherein the security execution device (30, 170) executes a functional encryption.
- [Appendix 10] The cryptosystem according to any one of Appendices 1 to 9, wherein the signature device (20, 160) generates an ECDSA (Elliptic Curve Digital Signature Algorithm) signature.
- [Appendix 11] A function value calculation method including: a step of generating a different pseudo-random number for each data and encrypting the generated pseudo-random number together with the data; and a step of verifying the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculating the function value of the data obtained by decrypting the ciphertext.
- [Appendix 12] A program that causes a computer (311) to execute: a process of generating a different pseudo-random number for each data and encrypting the generated pseudo-random number together with the data; a process of reproducing the pseudo-random number used for encrypting the data and generating control information proving the validity of the data from the reproduced pseudo-random number; and a process of verifying the control information based on the pseudo-random number obtained by decrypting the ciphertext of the data and, when the verification of the control information is successful, calculating the function value of the data obtained by decrypting the ciphertext.
- Note that the forms of Appendix 11 and Appendix 12 can be expanded to the forms of Appendix 2 to Appendix 10 in the same manner as the form of Appendix 1.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2019/027996 WO2021009860A1 (ja) | 2019-07-17 | 2019-07-17 | 暗号システム、関数値計算方法及びプログラム |
| JP2021532612A JP7272439B2 (ja) | 2019-07-17 | 2019-07-17 | 暗号システム、関数値計算方法及びプログラム |
| US17/624,929 US12120229B2 (en) | 2019-07-17 | 2019-07-17 | Encryption system, function value calculation method, and program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2019/027996 WO2021009860A1 (ja) | 2019-07-17 | 2019-07-17 | 暗号システム、関数値計算方法及びプログラム |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2021009860A1 true WO2021009860A1 (ja) | 2021-01-21 |
Family
ID=74210355
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2019/027996 Ceased WO2021009860A1 (ja) | 2019-07-17 | 2019-07-17 | 暗号システム、関数値計算方法及びプログラム |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US12120229B2 |
| JP (1) | JP7272439B2 |
| WO (1) | WO2021009860A1 |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20220311752A1 (en) * | 2021-03-10 | 2022-09-29 | Quantropi Inc. | Quantum-safe cryptographic methods and systems |
| US12192318B2 (en) | 2021-03-10 | 2025-01-07 | Quantropi Inc. | Quantum-safe cryptographic method and system |
| WO2025225074A1 (ja) * | 2024-04-24 | 2025-10-30 | 三菱電機株式会社 | 安全性評価装置、安全性評価システム、安全性評価方法、及び安全性評価プログラム |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3901797A1 (en) * | 2020-04-23 | 2021-10-27 | Nagravision SA | Method for processing digital information |
| WO2022054130A1 (ja) * | 2020-09-08 | 2022-03-17 | 日本電信電話株式会社 | 暗号システム、方法及びプログラム |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11831409B2 (en) * | 2018-01-12 | 2023-11-28 | Nok Nok Labs, Inc. | System and method for binding verifiable claims |
-
2019
- 2019-07-17 US US17/624,929 patent/US12120229B2/en active Active
- 2019-07-17 WO PCT/JP2019/027996 patent/WO2021009860A1/ja not_active Ceased
- 2019-07-17 JP JP2021532612A patent/JP7272439B2/ja active Active
Non-Patent Citations (2)
| Title |
|---|
| RYUYA UDA; YUTAKA MATSUSHITA: "Voice Stream Authentication Method for IP Telephony", IPSJ JOURNAL, vol. 47, no. 8, 15 August 2006 (2006-08-15), pages 2535 - 2547, XP009526302, ISSN: 0387-5806 * |
| SHINJI YOSHINO; MASAYUKI TEZUKA; KAZUMASA SHINAGAWA; KEISUKE TANAKA: "Multi-input functional encryption that can control input using Intel SGX", PREPRINTS OF 2019 SYMPOSIUM ON CRYPTOGRAPHY AND INFORMATION SECURITY; JANUARY 22-25, 2019, 15 January 2019 (2019-01-15), pages 1 - 8, XP009526319 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20220311752A1 (en) * | 2021-03-10 | 2022-09-29 | Quantropi Inc. | Quantum-safe cryptographic methods and systems |
| US11641347B2 (en) * | 2021-03-10 | 2023-05-02 | Quantropi Inc. | Quantum-safe cryptographic methods and systems |
| US12192318B2 (en) | 2021-03-10 | 2025-01-07 | Quantropi Inc. | Quantum-safe cryptographic method and system |
| WO2025225074A1 (ja) * | 2024-04-24 | 2025-10-30 | 三菱電機株式会社 | 安全性評価装置、安全性評価システム、安全性評価方法、及び安全性評価プログラム |
Also Published As
| Publication number | Publication date |
|---|---|
| JP7272439B2 (ja) | 2023-05-12 |
| JPWO2021009860A1 | 2021-01-21 |
| US20220286280A1 (en) | 2022-09-08 |
| US12120229B2 (en) | 2024-10-15 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19937458; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2021532612; Country of ref document: JP; Kind code of ref document: A |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 19937458; Country of ref document: EP; Kind code of ref document: A1 |