WO2021144842A1 - Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles - Google Patents

Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles Download PDF

Info

Publication number
WO2021144842A1
WO2021144842A1 PCT/JP2020/000865 JP2020000865W WO2021144842A1 WO 2021144842 A1 WO2021144842 A1 WO 2021144842A1 JP 2020000865 W JP2020000865 W JP 2020000865W WO 2021144842 A1 WO2021144842 A1 WO 2021144842A1
Authority
WO
WIPO (PCT)
Prior art keywords
signature
encryption
calculation
key
post
Prior art date
Application number
PCT/JP2020/000865
Other languages
English (en)
Japanese (ja)
Inventor
聖 安田
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2020/000865 priority Critical patent/WO2021144842A1/fr
Publication of WO2021144842A1 publication Critical patent/WO2021144842A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This disclosure relates to a secret information processing system, a homomorphic arithmetic unit, a decoding device, a secret information processing method, and a secret information processing program.
  • Homomorphic encryption is a cryptographic technology that allows data to be calculated while it is encrypted.
  • the process of calculating data as ciphertext is called homomorphism.
  • the types and number of operations that can be performed for homomorphic operations differ depending on the specific method of homomorphic encryption.
  • homomorphic encryption it is possible to outsource the analysis of data in a hidden state to a cloud server.
  • Non-Patent Document 1 describes a verifiable homomorphic encryption.
  • Non-Patent Document 1 discloses, for example, a homomorphic encryption capable of homomorphic operation for addition.
  • the data user entrusts the collection of ciphertext data from the data supplier and the calculation of the collected ciphertext data using homomorphic operations to an aggregator using a cloud server. The data user can obtain only the final calculation result by decoding the calculation result received from the aggregator. In addition, the data user can verify that the outsourced homomorphic operation was executed correctly.
  • Non-Patent Document 1 has a problem that the verifiable ciphertext size after the homomorphic operation increases depending on the number of data input to the homomorphic operation.
  • the main purpose of the present disclosure is to realize a configuration in which the ciphertext size after the homomorphism operation does not depend on the number of data input to the homomorphism operation.
  • the confidential information processing system related to this disclosure is A public key is used to encrypt plain text as encrypted data using a quasi-isotype encryption encryption algorithm, and a signature key is used to calculate a signature representing the validity of the encrypted data as an encryption signature using a quasi-isotype signature signing algorithm.
  • An encryption device including an encryption unit that generates an encrypted text including the encrypted data and the encrypted signature. The encryption is performed by executing the quasi-isotypic operation algorithm of the quasi-identical cipher using the arithmetic function which is a function representing the quasi-identical operation on the cipher statement, the public key, and the encrypted data included in the cipher statement.
  • the post-calculation encrypted data obtained by performing a quasi-identical operation by the arithmetic function on the encrypted data is calculated, and the verification key corresponding to the arithmetic function and the signing key and the encrypted signature included in the encrypted text are obtained.
  • the quasi-isotypic operation algorithm of the quasi-isomorphic signature By executing the quasi-isotypic operation algorithm of the quasi-isomorphic signature, the post-calculation encryption signature representing the validity of the post-calculation encrypted data is calculated, and the post-calculation encrypted data and the post-calculation encryption are performed. It is provided with a quasi-same type calculation device including a quasi-same type calculation unit that generates a post-calculation cipher including a signature.
  • the homomorphic calculation unit executes a homomorphic calculation algorithm for an encrypted signature that depends on the number of encrypted data for which the homomorphic calculation is performed. Calculates the post-encryption signature that represents the validity of the post-encryption data. Therefore, according to the secret information processing system according to the present disclosure, the post-calculation encrypted signature can be calculated regardless of the number of encrypted data that performs homomorphic calculation, so that the size of the verifiable post-calculation ciphertext can be determined. It has the effect of being able to be suppressed.
  • FIG. 1 The system block diagram of the secret information processing system which concerns on Embodiment 1.
  • FIG. The block diagram of the homomorphic arithmetic unit which concerns on Embodiment 1.
  • FIG. The block diagram of the decoding apparatus which concerns on Embodiment 1.
  • FIG. The flowchart which shows the operation of the common parameter generation apparatus which concerns on Embodiment 1.
  • FIG. The system block diagram of the secret information processing system which concerns on Embodiment 2.
  • FIG. 1 is a system configuration diagram of the secret information processing system 100 according to the present embodiment.
  • the secret information processing system 100 includes a common parameter generation device 200, a signature key generation device 300, an encryption key generation device 400, an encryption device 500, a homomorphic arithmetic device 600, and a decryption device.
  • the Internet 101 is a communication path that connects a common parameter generation device 200, a signature key generation device 300, an encryption key generation device 400, an encryption device 500, a homomorphic arithmetic unit 600, and a decryption device 700.
  • the Internet 101 is an example of a network. Other types of networks may be used instead of the Internet 101.
  • the common parameter generation device 200 is, for example, a PC (Personal Computer).
  • the common parameter generation device 200 generates public parameters commonly used in the secret information processing system 100. Then, the common parameter generation device 200 sets the public parameters to the signature key generation device 300, the encryption key generation device 400, the encryption device 500, the homomorphic arithmetic unit 600, and the decryption device 700 via the Internet 101. Send to.
  • the signature key generation device 300 is, for example, a PC.
  • the signature key generation device 300 generates a signature key and a verification key.
  • the signature key generation device 300 transmits the signature key to the encryption device 500, and transmits the verification key to the homomorphic arithmetic unit 600 and the decryption device 700.
  • the signature key generation device 300 generates a signature key and a verification key for a data supplier that supplies data.
  • the signature key generation device 300 is also referred to as a data supplier key generation device.
  • the encryption key generation device 400 is, for example, a PC.
  • the encryption key generation device 400 generates a public key and a private key.
  • the encryption key generation device 400 transmits the public key to the encryption device 500 and the homomorphic arithmetic unit 600, and transmits the private key to the decryption device 700.
  • the encryption key generation device 400 generates a public key and a private key for a data user who uses the data.
  • the encryption key generation device 400 is also referred to as a data user key generation device.
  • the encryption device 500 functions as a data encryption device.
  • the encryption device 500 is, for example, a PC.
  • the encryption device 500 receives the signature key from the signature key generation device 300. Further, the encryption device 500 receives the public key from the encryption key generation device 400. Further, the encryption device 500 inputs a plain text from the outside and outputs the cipher text.
  • the homomorphic arithmetic unit 600 is, for example, a computer having a large-capacity storage medium.
  • the homomorphic arithmetic unit 600 also functions as a data storage device.
  • the homomorphic arithmetic unit 600 stores the ciphertexts as a storage ciphertext if the encryption device 500 requests the storage of the ciphertexts.
  • the homomorphic arithmetic unit 600 also functions as an apparatus that performs homomorphic arithmetic on the stored ciphertext.
  • the quasi-same type arithmetic device 600 generates a post-calculation ciphertext from a stored ciphertext, an arithmetic function input from the outside, a public key, and a verification key, and transmits the post-calculation ciphertext to the decryption device 700.
  • the decoding device 700 is, for example, a PC.
  • the decryption device 700 receives the verification key from the signature key generation device 300. Further, the decryption device 700 receives the private key from the encryption key generation device 400. Further, the decryption device 700 receives the post-calculation ciphertext from the homomorphic arithmetic unit 600. Further, the decoding device 700 acquires an arithmetic function input from the outside and outputs the decryption result of the ciphertext.
  • the signature key generation device 300 and the encryption device 500 may be included in the same PC at the same time. Further, any one of the common parameter generation device 200, the encryption key generation device 400, and the decryption device 700 may be included in the same PC at the same time.
  • each device included in the secret information processing system 100 will be described with reference to FIGS. 2 to 7.
  • Each of the common parameter generation device 200, the signature key generation device 300, the encryption key generation device 400, the encryption device 500, the homomorphic arithmetic device 600, and the decryption device 700 may be referred to as each device of the secret information processing system 100.
  • Each device of the secret information processing system 100 is a computer.
  • Each device of the secret information processing system 100 includes a processor 910 and other hardware such as a memory 921, an auxiliary storage device 922, an input interface 930, an output interface 940, and a communication device 950.
  • the processor 910 is connected to other hardware via a signal line and controls these other hardware.
  • each device of the secret information processing system 100 will be described with a common code. However, when each device of the secret information processing system 100 is a different computer, each device of the secret information processing system 100 has hardware individually.
  • FIG. 2 is a configuration diagram of the common parameter generation device 200 according to the present embodiment.
  • the common parameter generation device 200 has an input unit 201, a common parameter generation unit 202, a transmission unit 203, and a storage unit 204 as functional elements.
  • each unit of the input unit 201, the common parameter generation unit 202, and the transmission unit 203 may be referred to as each unit of the common parameter generation device 200.
  • the input unit 201 receives the parameter ⁇ and transmits it to the common parameter generation unit 202.
  • the common parameter generation unit 202 receives the parameter ⁇ from the input unit 201, generates the public parameter pp used in the secret information processing system 100, and transmits it to the transmission unit 203.
  • the common parameter generation unit 202 may have a random number generation function in order to generate the public parameter pp.
  • the transmission unit 203 transfers the public parameter pp generated by the common parameter generation unit 202 to the signature key generation device 300, the encryption key generation device 400, the encryption device 500, the homomorphic arithmetic unit 600, and the decryption device 700. Send.
  • the storage unit 204 stores data used in each unit of the common parameter generation device 200.
  • the functions of the input unit 201, the common parameter generation unit 202, and the transmission unit 203 are realized by software.
  • the storage unit 204 is provided in the memory 921.
  • the storage unit 204 may be provided in the auxiliary storage device 922, or may be provided in the memory 921 and the auxiliary storage device 922 in a distributed manner.
  • FIG. 3 is a configuration diagram of the signature key generation device 300 according to the present embodiment.
  • the signature key generation device 300 has a reception unit 301, a signature key generation unit 302, a signature key transmission unit 303, and a storage unit 304 as functional elements.
  • each unit of the receiving unit 301, the signature key generating unit 302, and the signature key transmitting unit 303 may be referred to as each unit of the signature key generating device 300.
  • the receiving unit 301 receives the public parameter pp from the common parameter generation device 200 and transmits it to the signature key generation unit 302.
  • the signature key generation unit 302 receives the public parameter pp from the reception unit 301, generates the signature key ssk and the verification key spk, and transmits the signature key ssk and the verification key spk to the signature key transmission unit 303.
  • the signature key generation unit 302 may have a random number generation function in order to generate the signature key ssk and the verification key spk.
  • the signature key transmission unit 303 transmits the signature key ssk to the encryption device 500. Further, the signature key transmission unit 303 transmits the verification key spk to the homomorphic arithmetic unit 600 and the decoding device 700.
  • the storage unit 304 stores data used in each unit of the signature key generation device 300.
  • the functions of the receiving unit 301, the signature key generating unit 302, and the signature key transmitting unit 303 are realized by software.
  • the storage unit 304 is provided in the memory 921.
  • the storage unit 304 may be provided in the auxiliary storage device 922, or may be provided in the memory 921 and the auxiliary storage device 922 in a distributed manner.
  • FIG. 4 is a configuration diagram of the encryption key generation device 400 according to the present embodiment.
  • the encryption key generation device 400 has a reception unit 401, an encryption key generation unit 402, an encryption key transmission unit 403, and a storage unit 404 as functional elements.
  • each part of the receiving unit 401, the encryption key generation unit 402, and the encryption key transmission unit 403 may be referred to as each part of the encryption key generation device 400.
  • the receiving unit 401 receives the public parameter pp from the common parameter generation device 200 and transmits it to the encryption key generation unit 402.
  • the encryption key generation unit 402 receives the public parameter pp from the reception unit 401, generates the public key rpk and the private key rsk, and transmits them to the encryption key transmission unit 403.
  • the encryption key generation unit 402 may have a random number generation function in order to generate the public key rpk and the private key rsk.
  • the encryption key transmission unit 403 transmits the public key rpk to the encryption device 500 and the homomorphic arithmetic unit 600. Further, the encryption key transmission unit 403 transmits the private key rsk to the decryption device 700.
  • the storage unit 404 stores data used in each unit of the encryption key generation device 400.
  • the functions of the receiving unit 401, the encryption key generation unit 402, and the encryption key transmission unit 403 are realized by software.
  • the storage unit 404 is provided in the memory 921.
  • the storage unit 404 may be provided in the auxiliary storage device 922, or may be provided in the memory 921 and the auxiliary storage device 922 in a distributed manner.
  • FIG. 5 is a configuration diagram of the encryption device 500 according to the present embodiment.
  • the encryption device 500 has a receiving unit 501, a key storage unit 502, an input unit 503, an encryption unit 504, a transmitting unit 505, and a storage unit 506 as functional elements.
  • each unit of the receiving unit 501, the key storage unit 502, the input unit 503, the encryption unit 504, and the transmitting unit 505 may be referred to as each unit of the encryption device 500.
  • the receiving unit 501 receives the signature key ssk from the signature key generation device 300 and the public key rpk from the encryption key generation device 400, and transmits the public key rpk to the key storage unit 502.
  • the key storage unit 502 receives and stores the signature key ssk and the public key rpk from the reception unit 501.
  • the input unit 503 receives the plaintext m from the outside and transmits it to the encryption unit 504.
  • the encryption unit 504 receives the signature key ssk and the public key rpk from the key storage unit 502, receives the plaintext m from the input unit 503, generates the ciphertext c, and transmits the ciphertext c to the transmission unit 505.
  • the encryption unit 504 may have a random number generation function or the like in order to generate the ciphertext c.
  • the transmission unit 505 transmits the ciphertext c generated by the encryption unit 504 to the homomorphic arithmetic unit 600.
  • the storage unit 506 stores data used in each unit of the encryption device 500.
  • the functions of the receiving unit 501, the key storage unit 502, the input unit 503, the encryption unit 504, and the transmitting unit 505 are realized by software.
  • the storage unit 506 is provided in the memory 921.
  • the storage unit 506 may be provided in the auxiliary storage device 922, or may be distributed in the memory 921 and the auxiliary storage device 922.
  • FIG. 6 is a configuration diagram of the homomorphic arithmetic unit 600 according to the present embodiment.
  • the homomorphic arithmetic unit 600 has a receiving unit 601, a ciphertext storage unit 602, a key storage unit 603, an input unit 604, a homomorphic arithmetic unit 605, a transmitting unit 606, and a storage unit 607 as functional elements.
  • each unit of the receiving unit 601, the ciphertext storage unit 602, the key storage unit 603, the input unit 604, the homomorphic arithmetic unit 605, and the transmitting unit 606 may be referred to as each unit of the homomorphic arithmetic unit 600.
  • the receiving unit 601 receives the ciphertext c from the encryption device 500 and transmits it to the ciphertext storage unit 602. Further, the receiving unit 601 receives the verification key spk from the signature key generation device 300 and the public key rpk from the encryption key generation device 400, and transmits the public key rpk to the key storage unit 603.
  • the ciphertext storage unit 602 receives the ciphertext c from the reception unit 601 and stores it.
  • the key storage unit 603 receives the verification key spk and the public key rpk from the reception unit 601 and stores them.
  • the input unit 604 receives the arithmetic function f from the outside and transmits it to the homomorphic arithmetic unit 605.
  • the quasi-same type calculation unit 605 receives the ciphertext c from the ciphertext storage unit 602, receives the public key rpk and the verification key spk from the key storage unit 603, receives the calculation function f from the input unit 604, and encrypts after calculation.
  • the sentence c * is generated and transmitted to the transmission unit 606.
  • the transmission unit 606 transmits the post-calculation ciphertext c * generated by the homomorphism calculation unit 605 to the decryption device 700.
  • the storage unit 607 stores data used in each unit of the homomorphic arithmetic unit 600.
  • the functions of the receiving unit 601, the ciphertext storage unit 602, the key storage unit 603, the input unit 604, the homomorphic calculation unit 605, and the transmission unit 606 are realized by software.
  • the storage unit 607 is provided in the memory 921.
  • the storage unit 607 may be provided in the auxiliary storage device 922, or may be distributed in the memory 921 and the auxiliary storage device 922.
  • FIG. 7 is a configuration diagram of the decoding device 700 according to the present embodiment.
  • the decoding device 700 has a decoding / receiving unit 701, a key storage unit 702, an input unit 703, a decoding processing unit 704, a transmission unit 705, and a storage unit 706 as functional elements.
  • each unit of the decoding / receiving unit 701, the key storage unit 702, the input unit 703, the decoding processing unit 704, and the transmitting unit 705 may be referred to as each unit of the homomorphic arithmetic unit 600.
  • the decryption / reception unit 701 receives the verification key spk from the signature key generation device 300, receives the private key rsk from the encryption key generation device 400, and transmits it to the key storage unit 702. Further, the decryption receiving unit 701 receives the ciphertext c * after the calculation from the homomorphic arithmetic unit 600 and transmits it to the decryption processing unit 704.
  • the key storage unit 702 receives the verification key spk and the private key rsk from the decryption reception unit 701 and stores them.
  • the input unit 703 receives the arithmetic function f from the outside and transmits it to the decoding processing unit 704.
  • the decryption processing unit 704 receives the ciphertext c * after the calculation from the decryption reception unit 701, receives the secret key rsk and the verification key spk from the key storage unit 702, receives the calculation function f from the input unit 703, and receives the decryption result. Generate m * and transmit it to the transmission unit 705.
  • the transmission unit 705 outputs the decoding result m * generated by the decoding processing unit 704 via the output interface 940. Alternatively, the transmission unit 705 transmits the decoding result m * generated by the decoding processing unit 704 to another device via the communication device 950.
  • the storage unit 706 stores data used in each unit of the decoding device 700.
  • the functions of the decryption receiving unit 701, the key storage unit 702, the input unit 703, the decoding processing unit 704, and the transmitting unit 705 are realized by software.
  • the storage unit 706 is provided in the memory 921.
  • the storage unit 706 may be provided in the auxiliary storage device 922, or may be provided in the memory 921 and the auxiliary storage device 922 in a distributed manner.
  • the processor 910 is a device that executes a secret information processing program.
  • the secret information processing program is a program that realizes the functions of each device of the secret information processing system 100.
  • the processor 910 is an IC (Integrated Circuit) that performs arithmetic processing. Specific examples of the processor 910 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
  • the memory 921 is a storage device that temporarily stores data.
  • a specific example of the memory 921 is a SRAM (Static Random Access Memory) or a DRAM (Dynamic Random Access Memory).
  • the auxiliary storage device 922 is a storage device that stores data.
  • a specific example of the auxiliary storage device 922 is an HDD.
  • the auxiliary storage device 922 may be a portable storage medium such as an SD (registered trademark) memory card, CF, NAND flash, flexible disc, optical disk, compact disc, Blu-ray (registered trademark) disc, or DVD.
  • HDD is an abbreviation for Hard Disk Drive.
  • SD® is an abbreviation for Secure Digital.
  • CF is an abbreviation for CompactFlash®.
  • DVD is an abbreviation for Digital Versatile Disc.
  • the input interface 930 is a port connected to an input device such as a mouse, keyboard, or touch panel. Specifically, the input interface 930 is a USB (Universal Serial Bus) terminal. The input interface 930 may be a port connected to a LAN (Local Area Network).
  • LAN Local Area Network
  • the output interface 940 is a port to which a cable of an output device such as a display is connected.
  • the output interface 940 is a USB terminal or an HDMI (registered trademark) (High Definition Multimedia Interface) terminal.
  • the display is an LCD (Liquid Crystal Display).
  • the output interface 940 is also referred to as a display interface.
  • the communication device 950 has a receiver and a transmitter.
  • the communication device 950 is connected to a communication network such as a LAN, the Internet, or a telephone line.
  • the communication device 950 is a communication chip or a NIC (Network Interface Card).
  • the secret information processing program is executed in each device of the secret information processing system 100.
  • the secret information processing program is read into the processor 910 and executed by the processor 910.
  • the memory 921 not only the secret information processing program but also the OS (Operating System) is stored.
  • the processor 910 executes a secret information processing program while executing the OS.
  • the secret information processing program and the OS may be stored in the auxiliary storage device 922.
  • the secret information processing program and the OS stored in the auxiliary storage device 922 are loaded into the memory 921 and executed by the processor 910. A part or all of the secret information processing program may be incorporated in the OS.
  • Each device of the secret information processing system 100 may include a plurality of processors that replace the processor 910. These plurality of processors share the execution of the secret information processing program.
  • Each processor like the processor 910, is a device that executes a secret information processing program.
  • Data, information, signal values and variable values used, processed or output by the secret information processing program are stored in the memory 921, the auxiliary storage device 922, or the register or cache memory in the processor 910.
  • the "part" of each part of each device of the secret information processing system 100 may be read as “processing", “procedure”, or “process”.
  • the secret information processing program causes the computer to execute each process in which the "part" of each part of each device of the secret information processing system 100 is read as “process”.
  • the "part" of each part of each device of the secret information processing system 100 is a "program”, a “program product”, a "computer-readable storage medium that stores a program", or a "computer-readable recording medium that records a program”. It may be read as.
  • the secret information processing method is a method performed by each device of the secret information processing system 100 executing a secret information processing program.
  • the confidential information processing program may be provided stored in a computer-readable recording medium or storage medium. Further, the confidential information processing program may be provided as a program product.
  • each device of the secret information processing system 100 is calculated by using a homomorphic encryption composed of five algorithms and a homomorphic signature composed of five algorithms.
  • the five algorithms that make up homomorphic encryption are HE. Setup, HE. KGen, HE. Enc, HE. Eval, and HE. Dec.
  • the five algorithms constituting the homomorphic signatures are specifically described in HS. Setup, HS. KGen, HS. Sign, HS. Eval, and HS. Ver.
  • the homomorphic signature is S.I. Gorbunov, V.I. Vaikuntanathan and D. Witches, "Leveled Fully Homomorphic Signature from Lattice Lattices", STOC2015, pp. 42-65. This is the method described in.
  • each device of the secret information processing system 100 which corresponds to the calculation method of each device of the secret information processing system 100 according to the present embodiment, will be described.
  • the operation procedure of each device of the secret information processing system 100 corresponds to the secret information processing method.
  • the program that realizes the operation of each device of the secret information processing system 100 corresponds to the secret information processing program.
  • FIG. 8 is a flowchart showing the operation of the common parameter generation device 200 according to the present embodiment.
  • the input unit 201 receives the parameter ⁇ and transmits it to the common parameter generation unit 202.
  • the common parameter generation unit 202 executes the setup algorithm Setup based on the parameter ⁇ to generate the public parameter pp. Then, the common parameter generation unit 202 transmits the public parameter pp to the transmission unit 203.
  • Setup is an algorithm that generates a public parameter pp as follows.
  • the common parameter generation unit 202 generates the public parameters of the homomorphic encryption by using the public parameter generation algorithm of the homomorphic encryption. Specifically, the common parameter generation unit 202 uses the homomorphic encryption public parameter generation algorithm HE. Execute Setup (1 ⁇ ), and the homomorphic encryption public parameter HE. Generate pp. The common parameter generation unit 202 generates the public parameters of the homomorphic signature by using the public parameter generation algorithm of the homomorphic signature. Specifically, the common parameter generation unit 202 uses the homomorphic signature public parameter generation algorithm HS. Execute Setup (1 ⁇ ) and publish the homomorphic signature public parameter HS. Generate pp.
  • step S203 the transmission unit 203 decrypts the public parameter pp with one or more signature key generation devices 300, an encryption key generation device 400, one or more encryption devices 500, a homomorphic arithmetic unit 600, and so on. It transmits to the device 700.
  • FIG. 9 is a flowchart showing the operation of the signature key generation device 300 according to the present embodiment.
  • the receiving unit 301 receives the public parameter pp from the common parameter generation device 200 and transmits it to the signature key generation unit 302.
  • the signature key generation unit 302 generates a signature key ssk and a verification key spk by the key generation algorithm of the homomorphic signature using the public parameter of the homomorphic signature included in the public parameter pp.
  • the signature key generation unit 302 executes the data supplier's key generation algorithm SKGen based on the public parameter pp, and generates the signature key ssk and the verification key spk.
  • the signature key generation unit 302 transmits the signature key ssk and the verification key spk to the signature key transmission unit 303.
  • SKGen is an algorithm that generates (ssk, spk) as follows.
  • step S303 the signature key transmission unit 303 transmits the signature key ssk generated by the signature key generation unit 302 to the encryption device 500. Further, the signature key transmission unit 303 transmits the verification key spk generated by the signature key generation unit 302 to the homomorphic arithmetic unit 600 and the decryption device 700.
  • FIG. 10 is a flowchart showing the operation of the encryption key generation device 400 according to the present embodiment.
  • the receiving unit 401 receives the public parameter pp from the common parameter generation device 200 and transmits it to the encryption key generation unit 402.
  • the encryption key generation unit 402 generates the public key rpk and the private key rsk by the key generation algorithm of the homomorphic encryption using the public parameter of the homomorphic encryption included in the public parameter pp.
  • the encryption key generation unit 402 executes the data user's key generation algorithm RKGen based on the public parameter pp, and generates the public key rpk and the private key rsk.
  • the encryption key generation unit 402 transmits the public key rpk and the private key rsk to the encryption key transmission unit 403.
  • RKGen is an algorithm that generates (rpk, rsk) as follows.
  • step S403 the encryption key transmission unit 403 transmits the public key rpk generated by the encryption key generation unit 402 to the encryption device 500 and the homomorphic arithmetic unit 600. Further, the encryption key transmission unit 403 transmits the private key rsk generated by the encryption key generation unit 402 to the decryption device 700.
  • FIG. 11 is a flowchart showing the operation of the encryption device 500 according to the present embodiment.
  • the receiving unit 501 receives the signature key ssk from the signature key generation device 300. Further, the receiving unit 501 receives the public key rpk from the encryption key generation device 400. The receiving unit 501 transmits the signature key ssk and the public key rpk to the key storage unit 502.
  • the key storage unit 502 receives and stores the signature key ssk and the public key rpk.
  • the input unit 503 receives the plaintext m and transmits it to the encryption unit 504.
  • step S504 the encryption unit 504 executes the encryption algorithm Enc based on the signing key ssk, the public key rpk, and the plaintext m, and generates the ciphertext c.
  • the encryption unit 504 transmits the ciphertext c to the transmission unit 505.
  • Enc is an algorithm that generates ciphertext c as follows.
  • the encryption unit 504 generates a label L composed of an arbitrary bit string.
  • the label must be uniquely generated for each ciphertext.
  • the encryption unit 504 generates the ciphertext c by the following procedure. (1) The encryption unit 504 uses the public key rpk to encrypt the plaintext m by the encryption algorithm of the homomorphic encryption data HE. Encrypt as c. Specifically, the encryption unit 504 uses the homomorphic encryption encryption algorithm HE. Enc (rpk, m) is executed, and the encrypted data HE. c is generated. (2) The encryption unit 504 uses the signature key ssk to use the signature algorithm of the homomorphic signature to encrypt the encrypted data HE. The signature representing the legitimacy of c is encrypted signature HS. Calculated as ⁇ . Specifically, the encryption unit 504 uses the signature algorithm HS.
  • Execute Sign (ssk, L, HE.c) and encrypt the signature HS. Generate ⁇ . (3)
  • step S505 the transmission unit 505 transmits the ciphertext c generated by the encryption unit 504 to the homomorphic arithmetic unit 600.
  • FIG. 12 is a flowchart showing the operation of the homomorphic arithmetic unit 600 according to the present embodiment.
  • the receiving unit 601 receives the verification key spk from the signature key generation device 300. Further, the receiving unit 601 receives the public key rpk from the encryption key generation device 400. The receiving unit 601 transmits the verification key spk and the public key rpk to the key storage unit 603.
  • the key storage unit 603 receives and stores the verification key spk and the public key rpk.
  • the receiving unit 601 receives the ciphertext c from the encryption device 500 and transmits it to the ciphertext storage unit 602.
  • step S604 the ciphertext storage unit 602 receives and stores the ciphertext c.
  • step S605 the input unit 604 receives the arithmetic function f and transmits it to the homomorphic arithmetic unit 605.
  • step S606 the quasi-isomorphic arithmetic unit 605 executes the quasi-identical arithmetic algorithm Eval based on the stored public key rpk, the verification key spk, one or more ciphertexts c, and the arithmetic function f. Generates the ciphertext c * after the calculation.
  • the homomorphic calculation unit 605 transmits the post-calculation ciphertext c * to the transmission unit 606.
  • Eval is an algorithm that generates a post-calculation ciphertext c * as follows.
  • the homomorphic arithmetic unit 605 uses an arithmetic function f, which is a function representing a homomorphic operation on the ciphertext c, a public key rpk, and encrypted data HE.
  • Homomorphic encryption algorithm is executed using c. By this execution, the homomorphic calculation unit 605 can use the encrypted data HE.
  • Post-calculation encrypted data HE Obtained by performing a homomorphic operation on c by the operation function f. Calculate c *.
  • the homomorphic arithmetic unit 605 uses the encryption signature HS.
  • the homomorphic calculation unit 605 can perform the post-calculation encrypted data HE. Post-calculation encryption signature HS. Calculate ⁇ *.
  • the homomorphic operation unit 605 has a homomorphic operation function g representing a homomorphic operation algorithm of the homomorphic encryption, a verification key spk, and an encryption signature HS. Use ⁇ to execute a homomorphic algorithm for homomorphic signatures.
  • the homomorphic arithmetic unit 605 has the homomorphic arithmetic function g encrypted signature HS. Encrypted data whose validity has been verified by ⁇ HE. Post-calculation encryption signature HS. Calculate ⁇ *. Then, the homomorphic calculation unit 605 uses the post-calculation encrypted data HE. C * and post-calculation encryption signature HS. Generates the post-operation ciphertext c * including ⁇ *.
  • the function g is an example of a homomorphic operation function g representing a homomorphic operation algorithm of homomorphic encryption.
  • the homomorphic calculation unit 605 uses the homomorphic calculation algorithm HS. Execute Eval (g, spk, HS. ⁇ 1, ..., HS. ⁇ n) and sign HS. Generate ⁇ *. (5)
  • step S607 the transmission unit 606 transmits the post-calculation ciphertext c * generated by the homomorphic calculation unit 605 to the decryption device 700.
  • FIG. 13 is a flowchart showing the operation of the decoding device 700 according to the present embodiment.
  • the decryption receiving unit 701 receives the verification key spk from the signature key generation device 300. Further, the decryption receiving unit 701 receives the private key rsk from the encryption key generation device 400. The decryption receiving unit 701 transmits the verification key spk and the private key rsk to the key storage unit 702. In step S702, the key storage unit 702 receives and stores the verification key spk and the private key rsk.
  • step S703 the decryption receiving unit 701 receives the post-calculation ciphertext c * from the homomorphic arithmetic unit 600 and transmits it to the decryption processing unit 704.
  • step S704 the input unit 703 receives the arithmetic function f and transmits it to the decoding processing unit 704.
  • step S705 the decryption processing unit 704 executes a verification algorithm for homomorphic signatures based on the arithmetic function f, the verification key spk, and the post-calculation ciphertext c *.
  • the decryption processing unit 704 uses the post-calculation encryption signature HS.
  • ⁇ * is the encrypted data after calculation HE. Verify whether it is a valid signature of c *.
  • the decryption processing unit 704 executes a verification algorithm for homomorphic signatures by using the homomorphic arithmetic function g, one or more verification keys spk, and the post-operation ciphertext c *.
  • the decryption processing unit 704 performs the post-calculation encryption signature HS.
  • ⁇ * is the encrypted data after calculation HE. Verify whether it is a valid signature of c *.
  • step S706 the decryption processing unit 704 uses the post-calculation encryption signature HS. After calculation using the private key rsk corresponding to the public key rpk when ⁇ * is valid, the encrypted data HE. Decrypt c * (step S707). On the other hand, the post-calculation encryption signature HS. If ⁇ * is not valid, the encrypted data after calculation HE. Do not decrypt c *.
  • step S707 the decryption processing unit 704 uses the secret key rsk and the post-calculation encrypted data HE. Based on c *, the homomorphic encryption decryption algorithm HE. Execute Dec and generate the decoding result m *. The decoding processing unit 704 transmits the decoding result m * to the transmission unit 705.
  • Homomorphic signature verification algorithm HS Homomorphic encryption decryption algorithm HE. Together with Dec, it is used as the decoding algorithm Dec.
  • the decryption processing unit 704 executes the decryption algorithm Dec based on one or more verification keys spk, the secret key rsk, the post-calculation ciphertext c *, and the calculation function f, and the decryption result m *. Is generated and transmitted to the transmission unit 705.
  • Dec is an algorithm that generates a decoding result m * as follows.
  • c * (HE.c *, HS. ⁇ *) will be used for explanation.
  • the decoding processing unit 704 defines the function g in the same manner as the Eval algorithm.
  • the function g is an example of a homomorphic operation function g representing a homomorphic operation algorithm of homomorphic encryption.
  • the decoding processing unit 704 uses the verification algorithm HS. Execute Ver (g, spk, HE.c *, HS. ⁇ *). As a result of verification, HS. ⁇ * is HS. If it is a valid signature for c *, proceed to the next step.
  • the decryption processing unit 704 uses the homomorphic encryption decryption algorithm HE. Dec (rsk, HE.c *) is executed to generate the decoding result m *. (4) The decoding processing unit 704 outputs the decoding result m *.
  • step S706 the transmission unit 705 outputs the decoding result m * generated by the decoding processing unit 704.
  • each device of the secret information processing system 100 are realized by software.
  • the functions of each device of the secret information processing system 100 may be realized by hardware.
  • each device of the secret information processing system 100 includes an electronic circuit 909 instead of the processor 910.
  • the common parameter generation device 200 among the devices of the secret information processing system 100 will be described as an example.
  • FIG. 14 is a configuration diagram of a common parameter generation device 200 according to a modified example of the present embodiment.
  • the common parameter generator 200 includes an electronic circuit 909 instead of the processor 910.
  • the electronic circuit 909 is a dedicated electronic circuit that realizes the functions of each part of the common parameter generation device 200.
  • the electronic circuit 909 is specifically a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA, an ASIC, or an FPGA.
  • GA is an abbreviation for Gate Array.
  • ASIC is an abbreviation for Application Special Integrated Circuit.
  • FPGA is an abbreviation for Field-Programmable Gate Array.
  • each part of the common parameter generator 200 may be realized by one electronic circuit or may be distributed and realized by a plurality of electronic circuits.
  • each part of the common parameter generator 200 may be realized by an electronic circuit, and the remaining functions may be realized by software. Further, some or all the functions of each part of the common parameter generation device 200 may be realized by the firmware.
  • each device of the secret information processing system 100 may be realized by hardware as in the common parameter generation device 200.
  • Each of the processor and the electronic circuit is also called a processing circuit. That is, the function of each device of the secret information processing system 100 is realized by the processing circuit.
  • one post-calculation encrypted signature can be calculated regardless of the number of encrypted data for performing homomorphic calculation. Therefore, it is possible to prevent the size of the verifiable post-calculation ciphertext from increasing with the number of encrypted data for which the homomorphic operation is performed.
  • the secret information processing system 100 by using a homomorphic arithmetic unit, it is possible to safely outsource data collection and calculation to an aggregator using a cloud server or the like.
  • the meaning of "safely" is that the data of the data supplier is not leaked to the aggregator and the data user, the calculation result is not leaked to the data supplier and the aggregator, and the calculation result is due to the correct calculation. Indicates that can be confirmed.
  • the decoding device outputs the decoding result m * only when the calculation executed by the homomorphic arithmetic unit and the calculation input to the decoding device match. Therefore, if the homomorphic arithmetic unit does not correctly execute the calculation, the decoding result by the decoding device cannot be obtained, and it can be detected that the arithmetic executed by the homomorphic arithmetic unit is incorrect.
  • the homomorphic encryption and the homomorphic signature used for the configuration can be configured without depending on a specific method. Therefore, by using a method called homomorphic encryption as a homomorphic encryption and a method called a homomorphic signature as a homomorphic signature, it is possible to perform an operation and verification of a function f composed of an arbitrary operation.
  • Embodiment 2 points different from the first embodiment and points to be added to the first embodiment will be mainly described.
  • the same reference numerals are given to the configurations having the same functions as those in the first embodiment, and the description thereof will be omitted.
  • FIG. 15 is a system configuration diagram of the secret information processing system 100a according to the present embodiment.
  • the secret information processing system 100a includes a common parameter generation device 200, one or more signature key generation devices 300, an encryption key generation device 400, and one or more encryption devices 500. It has the same type arithmetic device 600 and a decoding device 700. The difference from FIG. 1 described in the first embodiment is that there is one or more signature key generation devices 300 and one or more encryption devices 500. Other configurations are the same as those described in the first embodiment.
  • the configurations of the common parameter generation device 200, the signature key generation device 300, the encryption key generation device 400, the encryption device 500, the homomorphic arithmetic device 600, and the decryption device 700 included in the secret information processing system 100a will be described. Similar to the first embodiment, the common parameter generation device 200, the signature key generation device 300, the encryption key generation device 400, the encryption device 500, the quasi-same type arithmetic device 600, and the decryption device 700 included in the secret information processing system 100a are used. , Each device of the secret information processing system 100a. The configuration of each device of the secret information processing system 100a is the same as that described with reference to FIGS. 2 to 7 of the first embodiment.
  • the common parameter generation device 200 sets the public parameter pp via the Internet 101 to one or more signature key generation devices 300, an encryption key generation device 400, and one or more encryption devices 500. Is transmitted to the homomorphic arithmetic device 600 and the decoding device 700.
  • the transmission unit 203 of the common parameter generation device 200 sets the public parameter pp to one or more signature key generation devices 300, an encryption key generation device 400, and one or more encryption devices 500. It is transmitted to the homomorphic arithmetic device 600 and the decoding device 700.
  • the homomorphic arithmetic unit 605 of the homomorphic arithmetic unit 600 receives one or more ciphertexts c from the ciphertext storage unit 602. Further, the homomorphic calculation unit 605 receives the public key rpk and one or more verification keys spk from the key storage unit 603. Further, the homomorphic calculation unit 605 receives the calculation function f from the input unit 604. The homomorphic calculation unit 605 generates a post-calculation ciphertext c * based on one or more ciphertexts c, a public key rpk, one or more verification keys spk, and an arithmetic function f.
  • the signature key ssk is a plurality of signature keys ssk1, ..., Sskn.
  • the verification key spk is a plurality of verification keys spk1, ..., Spkn corresponding to each signature key of the plurality of signature keys.
  • the ciphertext c is the encrypted data HE.
  • c a plurality of ciphertext data HE., Each of which is encrypted with a public key.
  • c1, ..., HE. Includes cn.
  • the ciphertext c is the encryption signature HS.
  • a plurality of cryptographic signatures representing the validity of each ciphertext data of a plurality of ciphertext data, each of which is a plurality of cryptographic signatures (spk1) calculated using each signing key of the plurality of signing keys. , HS. ⁇ 1), ..., (Spkn, HS. ⁇ n).
  • the decryption processing unit 704 of the decryption device 700 of FIG. 7 receives the post-calculation ciphertext c * from the decryption reception unit 701, and verifies one or more with the secret key rsk from the key storage unit 702.
  • the key spk is received, the arithmetic function f is received from the input unit 703, and the decoding result m * is generated.
  • each device of the secret information processing system 100a is calculated by using a homomorphic encryption composed of five algorithms and a plurality of key homomorphic signatures composed of five algorithms.
  • the five algorithms constituting the homomorphic encryption are the same as those in the first embodiment. Setup, HE. KGen, HE. Enc, HE. Eval, and HE. Dec.
  • the five algorithms constituting the multi-key homomorphic signature are the same as those of the first embodiment of the HS. Setup, HS. KGen, HS. Sign, HS. Eval, and HS. Ver.
  • the multiple key homomorphic signature is described in D.I. Fiore, A. Mitrokotsa, L. et al. Nizzardo and E. Pagenin “Multi-key Homomomorphic Authenticators”, Asiacript 2016 pp. 499-530. This is the method described in.
  • each device of the secret information processing system 100a which corresponds to the calculation method of each device of the secret information processing system 100a according to the present embodiment, will be described.
  • the operation procedure of each device of the secret information processing system 100a corresponds to the secret information processing method.
  • the program that realizes the operation of each device of the secret information processing system 100a corresponds to the secret information processing program.
  • FIG. 16 is a flowchart showing the operation of the common parameter generation device 200 according to the present embodiment.
  • the input unit 201 receives the parameter ⁇ and transmits it to the common parameter generation unit 202.
  • the common parameter generation unit 202 executes the setup algorithm Setup based on the parameter ⁇ to generate the public parameter pp. Then, the common parameter generation unit 202 transmits the public parameter pp to the transmission unit 203.
  • Setup is an algorithm that generates a public parameter pp as follows.
  • the common parameter generation unit 202 uses the homomorphic encryption public parameter generation algorithm HE. Execute Setup (1 ⁇ ), and the homomorphic encryption public parameter HE. Generate pp.
  • the common parameter generation unit 202 is a public parameter generation algorithm HS. Execute Setup (1 ⁇ ), and the public parameter HS. Generate pp.
  • step S1203 the transmission unit 203 decrypts the public parameter pp with one or more signature key generation devices 300, an encryption key generation device 400, one or more encryption devices 500, a homomorphic arithmetic unit 600, and so on. It transmits to the device 700.
  • the process of FIG. 16 is basically the same as the process of FIG. 8, except that the public parameter generation algorithm for multiple key homomorphic signatures is mainly used.
  • FIG. 17 is a flowchart showing the operation of the signature key generation device 300 according to the present embodiment.
  • the receiving unit 301 receives the public parameter pp from the common parameter generation device 200 and transmits it to the signature key generation unit 302.
  • the signature key generation unit 302 executes the data supplier key generation algorithm SKGen based on the public parameter pp, and generates the signature key ssk and the verification key spk.
  • the signature key generation unit 302 transmits the signature key ssk and the verification key spk to the signature key transmission unit 303.
  • SKGen is an algorithm that generates (ssk, spk) as follows.
  • step S1303 the signature key transmission unit 303 transmits the signature key ssk generated by the signature key generation unit 302 to the encryption device 500. Further, the signature key transmission unit 303 transmits the verification key spk generated by the signature key generation unit 302 to the homomorphic arithmetic unit 600 and the decryption device 700.
  • the process of FIG. 17 is basically the same as the process of FIG. 9, except that the signature key generation unit 302 mainly executes a key generation algorithm for multiple key homomorphism signatures.
  • FIG. 18 is a flowchart showing the operation of the encryption key generation device 400 according to the present embodiment.
  • the receiving unit 401 receives the public parameter pp from the common parameter generation device 200 and transmits it to the encryption key generation unit 402.
  • the encryption key generation unit 402 executes the data user key generation algorithm RKGen based on the public parameter pp, and generates the public key rpk and the private key rsk.
  • the encryption key generation unit 402 transmits the public key rpk and the private key rsk to the encryption key transmission unit 403.
  • RKGen is an algorithm that generates (rpk, rsk) as follows.
  • step S1403 the encryption key transmission unit 403 transmits the public key rpk generated by the encryption key generation unit 402 to the encryption device 500 and the homomorphic arithmetic unit 600. Further, the encryption key transmission unit 403 transmits the private key rsk generated by the encryption key generation unit 402 to the decryption device 700.
  • FIG. 19 is a flowchart showing the operation of the encryption device 500 according to the present embodiment.
  • the receiving unit 501 receives the signature key ssk from the signature key generation device 300. Further, the receiving unit 501 receives the public key rpk from the encryption key generation device 400. The receiving unit 501 transmits the signature key ssk and the public key rpk to the key storage unit 502.
  • the key storage unit 502 receives and stores the signature key ssk and the public key rpk.
  • the input unit 503 receives the plaintext m and transmits it to the encryption unit 504.
  • step S1504 the encryption unit 504 executes the encryption algorithm Enc based on the signing key ssk, the public key rpk, and the plaintext m, and generates the ciphertext c.
  • the encryption unit 504 transmits the ciphertext c to the transmission unit 505.
  • Enc is an algorithm that generates ciphertext c as follows.
  • the encryption unit 504 generates a label L composed of an arbitrary bit string.
  • the label must be uniquely generated for each ciphertext. For example, it is generated from the ID (Identifier) corresponding to the signature key ssk and the generation time of the ciphertext.
  • step S1505 the transmission unit 505 transmits the ciphertext c generated by the encryption unit 504 to the homomorphic arithmetic unit 600.
  • the process of FIG. 19 is basically the same as the process of FIG. 11, except that a signature algorithm for multiple key homomorphism signatures is mainly used.
  • FIG. 20 is a flowchart showing the operation of the homomorphic arithmetic unit 600 according to the present embodiment.
  • the receiving unit 601 receives one or more verification keys spk from the signature key generation device 300. Further, the receiving unit 601 receives the public key rpk from the encryption key generation device 400. The receiving unit 601 transmits the verification key spk and the public key rpk to the key storage unit 603.
  • the key storage unit 603 receives and stores one or more verification key spk and public key rpk.
  • the receiving unit 601 receives the ciphertext c from the encryption device 500 and transmits it to the ciphertext storage unit 602.
  • step S1604 the ciphertext storage unit 602 receives and stores the ciphertext c.
  • step S1605 the input unit 604 receives the arithmetic function f and transmits it to the homomorphic arithmetic unit 605.
  • step S1606 the quasi-isomorphic arithmetic unit 605 uses the stored public key rpk, one or more verification keys spk, one or more ciphertexts c, and the quasi-identical arithmetic algorithm Eval. Execute and generate ciphertext c * after calculation. The homomorphic calculation unit 605 transmits the post-calculation ciphertext c * to the transmission unit 606.
  • Eval is an algorithm that generates a post-calculation ciphertext c * as follows.
  • these ciphertexts c1, ..., Cn are generated by the signature keys ssk1, ..., Sskn corresponding to the verification keys spk1, ..., Spkn, respectively.
  • the verification keys spk1, ..., Spkn may be the same verification key, all different verification keys, or some of the same verification keys.
  • the homomorphic calculation unit 605 uses the homomorphic encryption algorithm HE. Eval (f, rpk, HE.ci, ..., HE.cn) is executed, and the ciphertext HE. Generate c *.
  • the homomorphic arithmetic unit 605 takes a function g * as an input of a function, a public key, and one or more ciphertexts. Let it be a function that represents the calculation of Eval.
  • the homomorphic calculation unit 605 uses the homomorphic calculation algorithm HS. Eval (g, (spk1, HS. ⁇ 1), ..., (Spkn, HS. ⁇ n) is executed to generate the signature HS. ⁇ *. (5)
  • step S1607 the transmission unit 606 transmits the post-calculation ciphertext c * generated by the homomorphic calculation unit 605 to the decryption device 700.
  • the process of FIG. 20 is basically the same as the process of FIG. 12, except that a homomorphic calculation algorithm for a multi-key homomorphic signature is mainly used.
  • FIG. 21 is a flowchart showing the operation of the decoding device 700 according to the present embodiment.
  • the decryption receiving unit 701 receives the verification key spk from the signature key generation device 300. Further, the decryption receiving unit 701 receives the private key rsk from the encryption key generation device 400. The decryption receiving unit 701 transmits the verification key spk and the private key rsk to the key storage unit 702.
  • the key storage unit 702 receives and stores the verification key spk and the private key rsk.
  • step S1703 the decryption receiving unit 701 receives the post-calculation ciphertext c * from the homomorphic arithmetic unit 600 and transmits it to the decryption processing unit 704.
  • step S1704 the input unit 703 receives the arithmetic function f and transmits it to the decoding processing unit 704.
  • step S1705 the decryption processing unit 704 executes a verification algorithm for multiple key homomorphism signatures based on the arithmetic function f, one or more verification keys spk, and the post-calculation ciphertext c *.
  • the decryption processing unit 704 uses the post-calculation encryption signature HS.
  • ⁇ * is the encrypted data after calculation HE. Verify whether it is a valid signature of c *.
  • step S1706 the decryption processing unit 704 uses the post-calculation encryption signature HS. After calculation using the private key rsk corresponding to the public key rpk when ⁇ * is valid, the encrypted data HE. Decrypt c * (step S707). On the other hand, the post-calculation encryption signature HS. If ⁇ * is not valid, the encrypted data after calculation HE. Do not decrypt c *.
  • step S1707 the decryption processing unit 704 uses the secret key rsk and the post-calculation encrypted data HE. Based on c *, the homomorphic encryption decryption algorithm HE. Execute Dec and generate the decoding result m *. The decoding processing unit 704 transmits the decoding result m * to the transmission unit 705.
  • the decryption processing unit 704 executes the decryption algorithm Dec based on one or more verification keys spk, the secret key rsk, the post-calculation ciphertext c *, and the calculation function f.
  • the decoding result m * is generated.
  • the decoding processing unit 704 transmits the decoding result m * to the transmission unit 705.
  • Dec is an algorithm that generates a decoding result m * as follows.
  • c * (HE.c *, HS. ⁇ *) will be used for explanation.
  • the verification keys spk1, ..., Spkn are used when c * is generated.
  • the decoding processing unit 704 defines the function g in the same manner as the Eval algorithm.
  • the decryption processing unit 704 uses the verification algorithm HS. Ver (g, spk1, ..., spkn, HE.c *, HS. ⁇ *) is executed. As a result of verification, HS. ⁇ * is HS. If it is a valid signature for c *, proceed to the next step.
  • the decryption processing unit 704 uses the homomorphic encryption decryption algorithm HE. Dec (rsk, HE.c *) is executed to generate the decoding result m *. (4) The decoding processing unit 704 outputs the decoding result m *.
  • step S1706 the transmission unit 705 outputs the decoding result m * generated by the decoding processing unit 704.
  • the process of FIG. 21 is basically the same as the process of FIG. 13, except that a verification algorithm for multiple key homomorphism signatures is mainly used.
  • each part of each device of the secret information processing system has been described as an independent functional block.
  • the configuration of each device of the secret information processing system does not have to be the configuration as in the above-described embodiment.
  • the functional block of each device of the secret information processing system may have any configuration as long as the functions described in the above-described embodiment can be realized.
  • each device of the secret information processing system may be a system composed of a plurality of devices instead of one device.
  • a plurality of parts may be combined and carried out.
  • one part of these embodiments may be implemented.
  • these embodiments may be implemented in any combination as a whole or partially. That is, in the first and second embodiments, it is possible to freely combine the embodiments, modify any component of each embodiment, or omit any component in each embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

L'invention concerne un dispositif arithmétique homomorphe (600) qui reçoit, depuis un dispositif de chiffrement (500), un texte chiffré (c) comprenant des données chiffrées en utilisant une clé publique (rpk) et une signature chiffrée générée en utilisant une clé de signature (ssk). Une unité arithmétique homomorphe (605) utilise une fonction opération (f), la clé publique (rpk), et les données chiffrées pour exécuter un algorithme d'opération homomorphe de chiffrement homomorphe, et calcule des données chiffrées post-calcul obtenues en effectuant l'opération homomorphe sur les données chiffrées par l'intermédiaire de la fonction opération (f). En outre, l'unité arithmétique homomorphe (605) exécute l'algorithme arithmétique homomorphe de la signature homomorphe, sur la base de la fonction arithmétique (f), d'une clé de vérification (spk), et de la signature chiffrée pour calculer une signature de chiffrement post-calcul qui représente la validité des données chiffrées post-calcul. Ensuite, l'unité arithmétique homomorphe (605) génère un texte chiffré post-calcul (c *) comprenant les données chiffrées post-calcul et la signature de chiffrement post-calcul.
PCT/JP2020/000865 2020-01-14 2020-01-14 Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles WO2021144842A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/000865 WO2021144842A1 (fr) 2020-01-14 2020-01-14 Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/000865 WO2021144842A1 (fr) 2020-01-14 2020-01-14 Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles

Publications (1)

Publication Number Publication Date
WO2021144842A1 true WO2021144842A1 (fr) 2021-07-22

Family

ID=76863890

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/000865 WO2021144842A1 (fr) 2020-01-14 2020-01-14 Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles

Country Status (1)

Country Link
WO (1) WO2021144842A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190013950A1 (en) * 2017-07-06 2019-01-10 Robert Bosch Gmbh Method And System For Privacy-Preserving Social Media Advertising
WO2019130528A1 (fr) * 2017-12-28 2019-07-04 三菱電機株式会社 Dispositif de génération de clés de conversion, dispositif de conversion de texte chiffré, système de traitement d'informations secrètes, procédé de génération de clés de conversion, programme de génération de clés de conversion, procédé de conversion de texte chiffré, et programme de conversion de texte chiffré

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190013950A1 (en) * 2017-07-06 2019-01-10 Robert Bosch Gmbh Method And System For Privacy-Preserving Social Media Advertising
WO2019130528A1 (fr) * 2017-12-28 2019-07-04 三菱電機株式会社 Dispositif de génération de clés de conversion, dispositif de conversion de texte chiffré, système de traitement d'informations secrètes, procédé de génération de clés de conversion, programme de génération de clés de conversion, procédé de conversion de texte chiffré, et programme de conversion de texte chiffré

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
UENOYAMA, DAIKI ET AL.: "Reputation System with Confidentiality to Administrator by Using Linear Homomorphic Signatures", IEICE TECHNICAL REPORT, vol. 117, no. 369, 14 December 2017 (2017-12-14), pages 75 - 81 *

Similar Documents

Publication Publication Date Title
US9792427B2 (en) Trusted execution within a distributed computing system
JP2020528224A (ja) 信頼できる実行環境におけるスマート契約動作のセキュアな実行
JP6058237B1 (ja) 暗号文変換装置、暗号文変換プログラム及び暗号文変換方法
US20080301436A1 (en) Method and apparatus for performing authentication between clients using session key shared with server
US10880100B2 (en) Apparatus and method for certificate enrollment
TWI809292B (zh) 資料的加解密方法、裝置、存儲介質及加密文件
EP3264671A1 (fr) Système de commande de direction de remplacement de clés, et procédé de commande de direction de remplacement de clés
US8817986B2 (en) Cross enterprise communication
CN111193703B (zh) 在分散式网络中使用的通信装置和通信方法
US20150043735A1 (en) Re-encrypted data verification program, re-encryption apparatus and re-encryption system
JP2015104119A (ja) 完全性検証を含むブロック暗号化方法およびブロック復号化方法
US20230299947A1 (en) Computer implemented system and method for sharing a common secret
US11431489B2 (en) Encryption processing system and encryption processing method
US20230128879A1 (en) Knowledge proof method, storage medium, and information processing device
KR20200002501A (ko) 퍼블릭 블록체인의 노드 인증 방법과 이를 수행하기 위한 장치 및 시스템
WO2018105038A1 (fr) Dispositif de communication et système de registre distribué
US20240063999A1 (en) Multi-party cryptographic systems and methods
US20240048377A1 (en) Ciphertext conversion system, conversion key generation method, and non-transitory computer readable medium
WO2021144842A1 (fr) Système de traitement d'informations confidentielles, dispositif arithmétique homomorphe, dispositif de décodage, procédé de traitement d'informations confidentielles et programme de traitement d'informations confidentielles
US11496287B2 (en) Privacy preserving fully homomorphic encryption with circuit verification
KR102199464B1 (ko) 컨소시엄 블록체인 참가 노드 간의 인증 방안
US20200358604A1 (en) Apparatus and method for sharing data
EP3644545A1 (fr) Appareil et procédé de cryptage et de décryptage
JP7466791B2 (ja) 暗号化装置、復号装置、復号可能検証装置、暗号システム、暗号化方法、及び暗号化プログラム
JP6949276B2 (ja) 再暗号化装置、再暗号化方法、再暗号化プログラム及び暗号システム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20914410

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: JP

122 Ep: pct application non-entry in european phase

Ref document number: 20914410

Country of ref document: EP

Kind code of ref document: A1