WO2022254578A1 - Cryptographic system, ciphertext updating device, and program - Google Patents

Publication number
WO2022254578A1
WO2022254578A1 PCT/JP2021/020849 JP2021020849W WO2022254578A1 WO 2022254578 A1 WO2022254578 A1 WO 2022254578A1 JP 2021020849 W JP2021020849 W JP 2021020849W WO 2022254578 A1 WO2022254578 A1 WO 2022254578A1
Authority
WO
WIPO (PCT)
Prior art keywords
period
ciphertext
key
generates
plaintext
Prior art date
Application number
PCT/JP2021/020849
Other languages
English (en)
Japanese (ja)
Inventor
陵 西巻
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/020849
Publication of WO2022254578A1

Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system

Definitions

  • the present invention relates to updatable encryption.
  • Updatable ciphers are ciphers that guard against the loss of security caused by key leaks by periodically updating the keys.
  • As an updatable cipher, for example, the bidirectional key update cipher described in Non-Patent Document 1 is known.
  • The updatable cipher described in Non-Patent Document 1 is secure even against quantum computers, but because it uses two-way key update, it has the problem that the amount of information leaked, that is, the information about other keys that can be obtained from a leaked key, is large. Since the amount of information to be leaked is smaller than that of bidirectional key update encryption, backward leaking one-way key update encryption and non-directional key update encryption are more preferable from a security point of view. do not have.
  • is a security parameter
  • Z q is a ring defining addition and multiplication modulo q (q is an integer of 2 or more)
  • PKE (Setup, Reg.KeyGen, Reg.Enc, Reg.Dec) is a variant of the Regev public-key cryptosystem
  • ceiling(lg(q))
  • a key generation device;
  • an encryption device that generates ciphertext ct e of plaintext ⁇ in period e from plaintext ⁇ using a variant PKE of Regev public-key cryptography, public parameter pp, and key k e of period e;
  • a decryption device that generates plaintext ⁇ ′ from ciphertext ct e of plaintext ⁇ in period e using a variant PKE of Regev public-key cryptography, public parameter pp, and key k e in period e;
  • a token generation device that generates a token ⁇ e+1 of period e+1 from key k e of period e and key k e+1 of period e+1; and
  • a ciphertext update device that, using a binary decomposition algorithm BD, generates a ciphertext ct e+1 of period e+1 from a token ⁇ e+1 of period e+1 and a ciphertext ct e of period e
  • is a security parameter
  • iO is an indistinguishability obfuscator
  • PPRF (PRF.Gen, PRF, Punc)
  • PRF.Gen ⁇ 0, 1 ⁇ ⁇ ⁇ ⁇ 0, 1 ⁇ ⁇
  • PRF ⁇ 0, 1 ⁇ ⁇ ⁇ ⁇ 0, 1 ⁇ n ⁇ ⁇ 0, 1 ⁇ m
  • PPRF is a puncturable pseudo-random function
  • PRG ⁇ 0, 1 ⁇ ⁇ ⁇ ⁇ 0, 1 ⁇ n
  • PRG is a pseudo-random number generator
  • C re io [k e , k e+1 ] be a ciphertext ct e of period e, vector r e+1 ⁇ 0, 1 ⁇ ⁇ as input, key k e of period e
  • a circuit that calculates and outputs a ciphertext ct e
  • FIG. 1 is a block diagram showing the configuration of a cryptographic system 10;
  • FIG. 1 is a block diagram showing the configuration of a public parameter generation device 100;
  • FIG. 4 is a flow chart showing the operation of the public parameter generation device 100.
  • FIG. 2 is a block diagram showing the configuration of a key generation device 200;
  • FIG. 4 is a flowchart showing the operation of the key generation device 200;
  • 3 is a block diagram showing the configuration of an encryption device 300;
  • FIG. 4 is a flowchart showing the operation of the encryption device 300;
  • 4 is a block diagram showing the configuration of a decoding device 400;
  • FIG. 4 is a flow chart showing the operation of the decoding device 400.
  • FIG. 3 is a block diagram showing the configuration of a token generation device 500;
  • FIG. 5 is a flow chart showing the operation of the token generation device 500;
  • 3 is a block diagram showing the configuration of a ciphertext update device 600;
  • FIG. 6 is a flow chart showing the operation of the ciphertext update device 600.
  • FIG. 2 is a block diagram showing the configuration of a cryptographic system 20;
  • FIG. 2 is a block diagram showing the configuration of a key generation device 1200;
  • FIG. 4 is a flowchart showing the operation of the key generation device 1200;
  • 3 is a block diagram showing the configuration of an encryption device 1300;
  • FIG. 4 is a flow chart showing the operation of the encryption device 1300;
  • 3 is a block diagram showing the configuration of decoding device 1400.
  • FIG. 14 is a flow chart showing the operation of the decoding device 1400.
  • FIG. 3 is a block diagram showing the configuration of a token generation device 1500;
  • FIG. 4 is a flow chart showing the operation of the token generation device 1500;
  • 3 is a block diagram showing the configuration of a ciphertext update device 1600;
  • FIG. 4 is a flow chart showing the operation of the ciphertext update device 1600.
  • FIG. It is a figure which shows an example of the functional structure of the computer which implement
  • ^ (caret) represents a superscript.
  • x^{y^z} means that y^z is a superscript to x
  • x_{y^z} means that y^z is a subscript to x
  • _ (underscore) represents a subscript.
  • x^{y_z} means that y_z is a superscript to x
  • x_{y_z} means that y_z is a subscript to x.
  • the uniform random selection of an element x from a finite set X is expressed as x ⁇ X.
  • the set {1,...,k} and set {k,...,r} are represented as [k] and [k,r], respectively.
  • Z q ⁇ ceiling(-q/2), ..., -1, 0, 1, ..., floor(q/2 ) ⁇ represents a ring with addition and multiplication modulo q.
  • Y] ⁇ R m ⁇ (n_1+n_2) represents a matrix that concatenates the columns of matrix X and matrix Y.
  • [X;Y] ⁇ R (m_1+m_2) ⁇ n represents a matrix in which rows of matrix X and matrix Y are connected.
  • f ⁇ negl means that f is a negligible function
  • f ⁇ negl means that f is a non-negligible function
  • the updatable cipher UE for the plaintext space M is a set of 6 probabilistic polynomial-time algorithms (UE.Setup, UE.KeyGen, UE.Enc, UE.Dec, UE.TokGen, UE.Upd).
  • UE.Setup(1 ⁇ ) ⁇ pp The setup algorithm UE.Setup takes the security parameter ⁇ as input and outputs the public parameter pp. This algorithm is not necessarily required.
  • UE.KeyGen(pp) ⁇ k e The key generation algorithm UE.KeyGen takes as input the public parameter pp and outputs a key k e of period e.
  • UE.Enc(k e , ⁇ ) ⁇ ct e The encryption algorithm UE.Enc takes as input a key k e in period e and plaintext ⁇ M, and outputs ciphertext ct e of plaintext ⁇ in period e.
  • UE.Dec(k e , ct) ⁇ ′ The decryption algorithm UE.Dec takes as input a key k e of period e and a ciphertext ct, and outputs a plaintext ⁇ ′ ⁇ M or ⁇ . Here, ⁇ represents an error.
  • UE.TokGen (k e , k e+1 ) ⁇ e+1 : The token generation algorithm UE.TokGen takes as input keys k e , k e+1 of two consecutive periods e, e+1, and outputs the token ⁇ e+1 of period e+1.
  • The update algorithm UE.Upd takes as input the token ⁇ e+1 of period e+1 and the ciphertext ct e of plaintext ⁇ in period e, and outputs ciphertext ct e+1 of plaintext ⁇ in period e+1.
  • updatable encryption is based on ciphertext independent tokens.
  • a ciphertext-independent token is a token that does not require the use of a part of the ciphertext to be updated to generate the token.
  • Other definitions of updatable cryptography are based on ciphertext-dependent tokens, where part of the ciphertext you want to update is required to generate the token.
  • ciphertext-independent token-based updatable ciphers are superior, and all updatable ciphers used in embodiments of the present invention are based on ciphertext-independent tokens.
  • In updatable cryptography, some information is unavoidably leaked from the token used to update the ciphertext. Based on the differences in how this information is leaked, updatable ciphers are classified into four types.
  • Two-way key update: An updatable cipher in which the key k e+1 can be easily derived given token ⁇ e+1 and key k e , and the key k e can be easily derived given token ⁇ e+1 and key k e+1 , is said to be a bidirectional key update.
  • Forward-leaking one-way key update: An updatable cipher in which the key k e+1 can be easily derived given a token ⁇ e+1 and a key k e is said to be a forward-leaking one-way key update. In this case, it is not always possible to derive the key k e given the token ⁇ e+1 and the key k e+1 .
  • Backward-leaking one-way key update: An updatable cipher in which the key k e can be easily derived given a token ⁇ e+1 and a key k e+1 is said to be a backward-leaking one-way key update. In this case, it is not always possible to derive the key k e+1 given the token ⁇ e+1 and the key k e .
  • Undirectional key update: An updatable cipher in which the key k e+1 cannot always be derived given a token ⁇ e+1 and a key k e , and the key k e cannot always be derived given a token ⁇ e+1 and a key k e+1 , is said to be an undirectional key update.
  • Non-Patent Document 1 shows that updatable encryption for two-way key update and updatable encryption for forward leaking one-way key update are equivalent.
  • Among these, the most desirable from the viewpoint of minimizing information leakage is updatable encryption with undirectional key update. So far, however, no updatable ciphers for undirectional key updates have been constructed. It is also clear that an updatable cipher with one-way key update is preferable to one with two-way key update. However, forward-leaking one-way key updates provide no security advantage, since they have been shown to be only as secure as two-way key updates.
  • backward-leaky one-way key update updatable encryption is not implied by forward-leaky one-way key update or two-way key update updatable encryption, so there is a security advantage.
  • updatable ciphers for backward leaking one-way key updates have also not been constructed so far.
  • the updatable encryption used in the embodiments of the present invention is based on the lattice problem and on indistinguishability obfuscation.
  • Updatable cryptography based on the lattice problem is a backward leaky one-way key update cryptography that is also secure against quantum computers.
  • updatable cryptography based on indistinguishability obfuscation is a potentially quantum-computer-secure cryptography for undirectional key updates.
  • N(0, ⁇ 2 ) be a Gaussian distribution with mean 0 and variance ⁇ 2 .
  • a Gaussian distribution is a distribution defined by the density function (1/ ⁇ (2 ⁇ ) 1/2 )exp(-x 2 /2 ⁇ 2 ) on R.
  • Discretized Gaussian - ⁇ ⁇ function that samples x from N(0, ⁇ 2 /2 ⁇ ) for ⁇ (0, 1), positive integer q and outputs q-ceiling(qx) mod q defined as
  • the LWE problem and LWE assumption are defined as follows.
  • the LWE(n, q, ⁇ ) problem on the distribution ⁇ is the oracle A(s, ⁇ ) and oracle A(s, U(Z q )) (where s ⁇ ).
  • the puncturable pseudorandom function PPRF is a set of two algorithms (F, Punc) that satisfy the following properties.
  • K ⁇ 0,1 ⁇ ⁇ as PRF.Gen: ⁇ 0, 1 ⁇ ⁇ ⁇ ⁇ 0, 1 ⁇ ⁇ , and let the puncturable pseudorandom function PPRF be a set of three algorithms (PRF.Gen, F, Punc).
  • Regev public-key cryptography variants in multi-user situations A variant of Regev public-key cryptography under multi-user situations is a set of four algorithms (Setup, Reg.KeyGen, Reg.Enc, Reg.Dec).
  • Reg.Enc(pk, ⁇ ): Encryption algorithm Reg.Enc takes public key pk and plaintext ⁇ as input, selects vector r ⁇ -1, +1 ⁇ m , e' ⁇ ns k , plaintext ⁇ ciphertext (u, c): (rA, rB+e'+floor(q/2) ⁇ ).
  • the setup algorithm Setup takes the security parameter ⁇ as input and executes the following steps.
  • setup algorithm Setup is the same as the setup algorithm Setup of the Regev public key cryptography variant.
  • Gen(pp) The key generation algorithm Gen takes the public parameter pp as input and performs the following steps.
  • Enc(k e , ⁇ ) The encryption algorithm Enc takes as input a key k e of period e and a plaintext ⁇ 0, 1 ⁇ k and performs the following steps.
  • decomposition means parsing.
  • Dec(k e ,ct) The decryption algorithm Dec takes the key k e of period e and the ciphertext ct as input and executes the following procedure.
  • TokGen(k e , k e+1 ) The token generation algorithm TokGen takes as input keys k e , k e+1 of two consecutive periods e, e+1 and performs the following steps.
  • the update algorithm Upd takes as input the token ⁇ e+1 in period e+1 and the ciphertext ct e of the plaintext ⁇ in period e, and performs the following procedure.
  • the updatable cipher based on the lattice problem is a secure updatable cipher that satisfies the backward leaking one-way key update.
  • KeyGen(1 ⁇ ) The key generation algorithm KeyGen takes the security parameter ⁇ as input and performs the following steps.
  • Enc(k e , ⁇ ) The encryption algorithm Enc takes as input a key k e of period e and a plaintext ⁇ 0, 1 ⁇ m and performs the following steps.
  • Dec(k e , ct) The decryption algorithm Dec takes the key k e of period e and the ciphertext ct as input and performs the following procedure.
  • TokGen(k e , k e+1 ) The token generation algorithm TokGen takes as input keys k e , k e+1 of two consecutive periods e, e+1 and performs the following steps.
  • the circuit C re io [k e , k e+1 ] receives the ciphertext ct e of the period e and the vector r e+1 ⁇ 0, 1 ⁇ ⁇ of the period e, the key k e of the period e, the period e Using +1 key k e+1 , compute and output ciphertext ct e+ 1 of period e+1.
  • the function C re io [k e , k e+1 ](ct e , r e+1 ) is also called an update function.
  • the operation of the circuit C re io [k e , k e+1 ] is as follows.
  • the update algorithm Upd takes as input the token ⁇ e+1 in period e+1 and the ciphertext ct e of the plaintext ⁇ in period e, and performs the following procedure.
  • The technique described in Reference Non-Patent Document 3 can be used for indistinguishability obfuscation.
  • the techniques described in Reference Non-Patent Document 4 and Reference Non-Patent Document 5 can be used for secure indistinguishability obfuscation for quantum computers.
  • Reference Non-Patent Document 6 Oded Goldreich, Shafi Goldwasser, and Silvio Micali, “How to construct random functions,” Journal of the ACM, 33(4):792-807, 1986.
  • Reference Non-Patent Document 7 Moni Naor and Omer Reingold, "Number-theoretic constructions of efficient pseudo-random functions,” Journal of the ACM, 51(2):231-262, 2004.
  • Reference non-patent document 8 Abhishek Banerjee, Chris Peikert, and Alon Rosen, “Pseudorandom functions and lattices,” In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pp.719-737. Springer, Heidelberg , April 2012.
  • As a pseudo-random number generator, for example, the techniques described in Reference Non-Patent Document 8 and Reference Non-Patent Document 9 can be used.
  • FIG. 1 is a block diagram showing an example of the configuration of a cryptographic system 10.
  • the cryptographic system 10 includes a public parameter generator 100 , a key generator 200 , an encryptor 300 , a decryptor 400 , a token generator 500 and a ciphertext updater 600 .
  • the public parameter generation device 100, key generation device 200, encryption device 300, decryption device 400, token generation device 500, and ciphertext update device 600 are connected to a network 800 such as the Internet and can communicate with each other.
  • FIG. 2 is a block diagram showing an example of the configuration of the public parameter generation device 100.
  • Public parameter generation device 100 includes public parameter generation unit 110 , transmission/reception unit 180 , and recording unit 190 .
  • the transmitting/receiving unit 180 is a component for appropriately transmitting/receiving information that the public parameter generation device 100 needs to exchange with other devices.
  • the recording unit 190 is a component that appropriately records information necessary for the processing of the public parameter generation device 100 .
  • the recording unit 190 records, for example, the security parameter ⁇ .
  • the public parameter generation device 100 records the public parameter pp in the recording unit 190.
  • Public parameter generation device 100 also uses transmission/reception unit 180 to transmit public parameter pp to key generation device 200 , encryption device 300 , decryption device 400 , and token generation device 500 .
  • the key generation device 200, the encryption device 300, the decryption device 400, and the token generation device 500 record the received public parameter pp in the recording units 290, 390, 490, and 590, respectively.
  • FIG. 4 is a block diagram showing an example of the configuration of the key generation device 200.
  • the key generation device 200 includes a key generation section 210 , a transmission/reception section 280 and a recording section 290 .
  • the transmission/reception unit 280 is a component for appropriately transmitting/receiving information that the key generation device 200 needs to exchange with other devices.
  • the recording unit 290 is a component that appropriately records information necessary for processing of the key generation device 200 .
  • the operation of the key generation device 200 will be described according to FIG.
  • the key generation device 200 generates a key k e of period e from the public parameter pp using the variant PKE of Regev public-key cryptography. A specific description will be given below.
  • the key generation device 200 records the key k e for the period e in the recording unit 290 .
  • the key generation device 200 also uses the transmission/reception unit 280 to transmit the key k e for the period e to the encryption device 300 , the decryption device 400 , and the token generation device 500 .
  • the encryption device 300, the decryption device 400, and the token generation device 500 record the received key k e for the period e in the recording units 390, 490, and 590, respectively.
  • FIG. 6 is a block diagram showing an example of the configuration of the encryption device 300.
  • the encryption device 300 includes a ciphertext generator 310 , a transmitter/receiver 380 and a recorder 390 .
  • the transmitting/receiving unit 380 is a component for appropriately transmitting/receiving information that the encryption device 300 needs to exchange with other devices.
  • the recording unit 390 is a component that appropriately records information necessary for the processing of the encryption device 300 .
  • the operation of the encryption device 300 will be described with reference to FIG.
  • the encryption device 300 generates a ciphertext ct e of the plaintext ⁇ in the period e from the plaintext ⁇ using the variant PKE of Regev public-key cryptography, the public parameter pp, and the key k e in the period e.
  • the encryption device 300 records the ciphertext ct e of the plaintext ⁇ in the period e in the recording unit 390 .
  • the encryption device 300 also uses the transmission/reception unit 380 to transmit the ciphertext ct e of the plaintext ⁇ in the period e to the decryption device 400 and the ciphertext updating device 600 .
  • the decryption device 400 and the ciphertext updating device 600 record the received ciphertext ct e of the plaintext ⁇ in the period e in the recording unit 490 and the recording unit 690, respectively.
  • FIG. 8 is a block diagram showing an example of the configuration of the decoding device 400.
  • the decryption device 400 includes a plaintext generation unit 410 , a transmission/reception unit 480 and a recording unit 490 .
  • the transmitting/receiving unit 480 is a component for appropriately transmitting/receiving information that the decoding device 400 needs to exchange with other devices.
  • the recording unit 490 is a component that appropriately records information necessary for processing of the decoding device 400 .
  • Decryption device 400 generates plaintext ⁇ ′ from ciphertext ct e of plaintext ⁇ in period e using the variant PKE of Regev public-key cryptography, public parameter pp, and key k e in period e. A specific description will be given below.
  • the decryption device 400 records the plaintext ⁇ ' in the recording unit 490 .
  • FIG. 10 is a block diagram showing an example of the configuration of the token generation device 500.
  • Token generator 500 includes first matrix generator 510 , second matrix generator 520 , token generator 530 , transmitter/receiver 580 , and recorder 590 .
  • the transmission/reception unit 580 is a component for appropriately transmitting/receiving information that the token generation device 500 needs to exchange with other devices.
  • the recording unit 590 is a component that appropriately records information necessary for the processing of the token generation device 500 .
  • the operation of the token generating device 500 will be described according to FIG.
  • the token generation device 500 generates a token ⁇ e+1 of period e+1 from key k e of period e and key k e+1 of period e+1 using the power-of-2 algorithm P2 and the public parameter pp. A specific description will be given below.
  • k e+1 (S e+1 , B e+1 ).
  • Token generation device 500 records the token ⁇ e+1 for the period e+1 in the recording unit 590 .
  • Token generation device 500 also uses transmission/reception unit 580 to transmit token ⁇ e+ 1 for period e+1 to ciphertext update device 600 .
  • the ciphertext updating device 600 records the received token ⁇ e+1 for the period e+1 in the recording unit 690 .
  • FIG. 12 is a block diagram showing an example of the configuration of the ciphertext updating device 600.
  • the ciphertext update device 600 includes a first pair generator 610 , a second pair generator 620 , a ciphertext generator 630 , a transmitter/receiver 680 and a recorder 690 .
  • the transmitting/receiving unit 680 is a component for appropriately transmitting/receiving information that the ciphertext update device 600 needs to exchange with other devices.
  • the recording unit 690 is a component that appropriately records information necessary for the processing of the ciphertext update device 600 .
  • the operation of the ciphertext update device 600 will be described with reference to FIG.
  • the ciphertext updating device 1600 uses the binary decomposition algorithm BD to generate the ciphertext ct e+1 of the period e+1 from the token ⁇ e+1 of the period e+1 and the ciphertext ct e of the period e. A specific description will be given below.
  • the second pair generation unit 620 selects the vector ⁇ r ⁇ -1, +1 ⁇ m and generates the second pair ( ⁇ u , ⁇ v ).
  • the ciphertext update device 600 records the ciphertext ct e+1 of period e+1 in the recording unit 690 .
  • a cryptosystem 20 that performs updatable cryptography based on the indistinguishability obfuscation described in the Technical Background is described here.
  • the encryption system 20 will be described with reference to FIG. FIG. 14 is a block diagram showing an example of the configuration of the encryption system 20.
  • the cryptosystem 20 includes a key generation device 1200 , an encryption device 1300 , a decryption device 1400 , a token generation device 1500 and a ciphertext update device 1600 .
  • the key generation device 1200, encryption device 1300, decryption device 1400, token generation device 1500, and ciphertext update device 1600 are connected to a network 800 such as the Internet and can communicate with each other.
  • FIG. 15 is a block diagram showing an example of the configuration of the key generation device 1200.
  • Key generation device 1200 includes key generation unit 1210 , transmission/reception unit 280 , and recording unit 290 .
  • the transmission/reception unit 280 is a component for appropriately transmitting/receiving information that the key generation device 1200 needs to exchange with other devices.
  • the recording unit 290 is a component that appropriately records information necessary for processing of the key generation device 1200 .
  • the recording unit 290 records, for example, the security parameter ⁇ .
  • the operation of the key generation device 1200 will be described according to FIG.
  • the key generation device 1200 uses the puncturable pseudo-random function PPRF to generate a key k e of period e from the security parameter ⁇ . A specific description will be given below.
  • the key generation device 1200 records the key k e for the period e in the recording unit 290 .
  • the key generation device 1200 also uses the transmission/reception unit 280 to transmit the key k e for the period e to the encryption device 1300 , the decryption device 1400 and the token generation device 1500 .
  • the encryption device 1300, the decryption device 1400, and the token generation device 1500 record the received key k e for the period e in the recording units 390, 490, and 590, respectively.
  • FIG. 17 is a block diagram showing an example of the configuration of the encryption device 1300.
  • the encryption device 1300 includes a first component generator 1310 , a second component generator 1320 , a ciphertext generator 1330 , a transmitter/receiver 380 and a recorder 390 .
  • the transmitting/receiving unit 380 is a component for appropriately transmitting/receiving information that the encryption device 1300 needs to exchange with other devices.
  • the recording unit 390 is a component that appropriately records information necessary for the processing of the encryption device 1300 .
  • the operation of the encryption device 1300 will be described with reference to FIG.
  • the encryption device 1300 uses a pseudorandom number generator PRG, a puncturable pseudorandom function PPRF, and a key k e of period e to generate ciphertext ct e of plaintext ⁇ in period e from plaintext ⁇ .
  • the encryption device 1300 records the ciphertext ct e of the plaintext ⁇ in the period e in the recording unit 390 .
  • the encryption device 1300 also uses the transmission/reception unit 380 to transmit the ciphertext ct e of the plaintext ⁇ in the period e to the decryption device 1400 and the ciphertext updating device 1600 .
  • the decryption device 1400 and the ciphertext updating device 1600 record the ciphertext ct e of the plaintext ⁇ in the received period e in the recording unit 490 and the recording unit 690, respectively.
  • FIG. 19 is a block diagram showing an example of the configuration of the decoding device 1400.
  • Decryption device 1400 includes plaintext generation section 1410 , transmission/reception section 480 , and recording section 490 .
  • the transmitting/receiving unit 480 is a component for appropriately transmitting/receiving information that the decoding device 1400 needs to exchange with other devices.
  • the recording unit 490 is a component that appropriately records information necessary for processing of the decoding device 1400 .
  • Decryption device 1400 generates plaintext ⁇ ′ from ciphertext ct e of plaintext ⁇ in period e using a puncturable pseudo-random function PPRF and key k e in period e. A specific description will be given below.
  • the decryption device 1400 records the plaintext ⁇ ' in the recording unit 490 .
  • FIG. 21 is a block diagram showing an example of the configuration of the token generation device 1500.
  • Token generator 1500 includes token generator 1510 , transmitter/receiver 580 , and recorder 590 .
  • the transmitting/receiving unit 580 is a component for appropriately transmitting/receiving information that the token generation device 1500 needs to exchange with other devices.
  • the recording unit 590 is a component that appropriately records information necessary for the processing of the token generation device 1500 .
  • Token generator 1500 generates token ⁇ e+1 of period e+1 from circuit C re io [k e , k e+1 ] using obfuscation circuit iO. A specific description will be given below.
  • the token generation device 1500 records the token ⁇ e+1 for the period e+1 in the recording unit 590 .
  • Token generation device 1500 also uses transmission/reception unit 580 to transmit token ⁇ e +1 for period e+1 to ciphertext update device 1600 .
  • the ciphertext updating device 1600 records the received token ⁇ e+1 for the period e+1 in the recording unit 690 .
  • FIG. 23 is a block diagram showing an example of the configuration of the ciphertext update device 1600.
  • Ciphertext update device 1600 includes ciphertext generator 1610 , transmitter/receiver 680 , and recorder 690 .
  • Transmitting/receiving unit 680 is a component for appropriately transmitting/receiving information that ciphertext update device 1600 needs to exchange with other devices.
  • the recording unit 690 is a component that appropriately records information necessary for the processing of the ciphertext update device 1600 .
  • the operation of the ciphertext update device 1600 will be described with reference to FIG.
  • the ciphertext updating device 1600 generates ciphertext ct e+1 of period e+1 from ciphertext ct e of period e using token ⁇ e+ 1 of period e+ 1 . A specific description will be given below.
  • the ciphertext generation unit 1610 selects the vector r e + 1 ⁇ 0, 1 ⁇ ⁇ , and generates the ciphertext ct e+1 .
  • the ciphertext update device 1600 records the ciphertext ct e+1 of period e+1 in the recording unit 690 .
  • FIG. 25 is a diagram showing an example of a functional configuration of a computer that implements each of the devices (that is, each node) described above.
  • the processing in each device described above can be performed by causing the recording unit 2020 to read a program for causing the computer to function as each device described above, and causing the control unit 2010, the input unit 2030, the output unit 2040, and the like to operate.
  • the apparatus of the present invention includes, for example, a single hardware entity, which includes an input unit to which a keyboard can be connected, an output unit to which a liquid crystal display can be connected, and a communication device (for example, a communication cable) capable of communicating with the outside of the hardware entity.
  • CPU Central Processing Unit
  • memory RAM and ROM hard disk external storage device
  • input unit, output unit, communication unit a CPU, a RAM, a ROM, and a bus for connecting data to and from an external storage device.
  • the hardware entity may be provided with a device (drive) capable of reading and writing a recording medium such as a CD-ROM.
  • a physical entity with such hardware resources includes a general purpose computer.
  • the external storage device of the hardware entity stores the program necessary for realizing the functions described above and the data required for the processing of this program (storage is not limited to the external storage device; for example, the program may be stored in a ROM, which is a dedicated storage device). Data obtained by processing these programs are stored as appropriate in a RAM, an external storage device, or the like.
  • in the hardware entity, each program stored in the external storage device (or ROM, etc.) and the data necessary for processing each program are read into memory as needed, and are interpreted, executed and processed by the CPU as appropriate.
  • as a result, the CPU realizes the predetermined functions (the components referred to above as ... unit, ... means, etc.).
  • a program that describes this process can be recorded on a computer-readable recording medium.
  • Any computer-readable recording medium may be used, for example, a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, or the like.
  • specifically, for example, hard disk devices, flexible disks, magnetic tapes, etc. can be used as magnetic recording devices; DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable) / RW (ReWritable), etc. as optical discs; MO (Magneto-Optical disc), etc. as magneto-optical recording media; and EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. as semiconductor memory.
  • distribution of this program is carried out, for example, by selling, assigning, lending, etc. portable recording media such as DVDs and CD-ROMs on which the program is recorded.
  • the program may be distributed by storing the program in the storage device of the server computer and transferring the program from the server computer to other computers via the network.
  • a computer that executes such a program first stores, for example, the program recorded on a portable recording medium or the program transferred from the server computer in its own storage device. When executing the process, this computer reads the program stored in its own storage device and executes the process according to the read program. As another execution form of this program, the computer may read the program directly from a portable recording medium and execute processing according to the program, or, each time the program is transferred from the server computer to this computer, it may sequentially execute processing according to the received program. In addition, the above-mentioned processing may be executed by a so-called ASP (Application Service Provider) type service, which does not transfer the program from the server computer to this computer and realizes the processing function only through execution instructions and result acquisition. It should be noted that the program in this embodiment includes information that is used for processing by a computer and that is equivalent to a program (data that is not a direct instruction to the computer but has the property of prescribing the processing of the computer, etc.).
  • a hardware entity is configured by executing a predetermined program on a computer, but at least part of these processing contents may be implemented by hardware.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an updatable encryption technology with a minimal amount of information leakage. The present invention comprises: a key generation device that uses a Regev public-key encryption variant PKE to generate a key ke for a period e from a public parameter pp; an encryption device that uses the Regev public-key encryption variant PKE, the public parameter pp, and the key ke for the period e to generate, from plaintext μ, a ciphertext cte of the plaintext μ in the period e; a decryption device that uses the Regev public-key encryption variant PKE, the public parameter pp, and the key ke for the period e to generate the plaintext μ from the ciphertext cte of the plaintext μ in the period e; a token generation device that uses a powers-of-two algorithm P2 and the public parameter pp to generate a token Δe+1 for the period e+1 from the key ke for the period e and a key ke+1 for the period e+1; and a ciphertext update device that uses a binary decomposition algorithm BD to generate a ciphertext cte+1 for the period e+1 from the token Δe+1 for the period e+1 and the ciphertext cte for the period e.
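The two algorithms named in the abstract fit together through the identity ⟨BD(c), P2(s)⟩ = ⟨c, s⟩ mod q, which lets a token built from P2 of the old key move a ciphertext to the new key using only BD of the old ciphertext. The following is an added example, not part of the patent text: it uses a simplified secret-key LWE toy with insecure parameters instead of the patent's Regev PKE variant, omits the re-randomising vector r e+1, and all function names are assumptions.

```python
import random

N, Q = 8, 1 << 15          # toy dimension and modulus: insecure, illustration only
L = Q.bit_length() - 1     # bits per coefficient (15)
rng = random.Random(2021)  # fixed seed for a reproducible run; not a CSPRNG

def bd(vec):
    """BD: each coefficient -> its L bits, least significant first."""
    return [(x >> j) & 1 for x in vec for j in range(L)]

def p2(vec):
    """P2: each coefficient x -> (x, 2x, 4x, ..., 2^(L-1) x) mod Q."""
    return [(x << j) % Q for x in vec for j in range(L)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def keygen():
    return [rng.randrange(Q) for _ in range(N)]

def lwe(s, payload):
    """LWE sample (a, <a,s> + e + payload) with noise e in {-1, 0, 1}."""
    a = [rng.randrange(Q) for _ in range(N)]
    return a, (dot(a, s) + rng.choice((-1, 0, 1)) + payload) % Q

def encrypt(s, bit):
    return lwe(s, bit * (Q // 2))

def decrypt(s, ct):
    a, b = ct
    return 1 if Q // 4 <= (b - dot(a, s)) % Q < 3 * Q // 4 else 0

def token(s_old, s_new):
    """One sample under s_new per entry of P2(s_old), hiding that entry."""
    return [lwe(s_new, t) for t in p2(s_old)]

def update(tok, ct):
    """Re-key ct from s_old to s_new using only the token and BD(a)."""
    a, b = ct
    a_new = [0] * N
    for bit, (ta, tb) in zip(bd(a), tok):
        if bit:  # subtract the token rows selected by the bits of a
            a_new = [(x - y) % Q for x, y in zip(a_new, ta)]
            b = (b - tb) % Q
    return a_new, b
```

Each update adds at most N·L = 120 unit noise terms, far below the Q/4 decryption threshold, so the updated ciphertext always decrypts correctly in this toy setting.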
PCT/JP2021/020849 2021-06-01 2021-06-01 Cryptographic system, ciphertext update device, and program WO2022254578A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020849 WO2022254578A1 (fr) 2021-06-01 2021-06-01 Cryptographic system, ciphertext update device, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020849 WO2022254578A1 (fr) 2021-06-01 2021-06-01 Cryptographic system, ciphertext update device, and program

Publications (1)

Publication Number Publication Date
WO2022254578A1 true WO2022254578A1 (fr) 2022-12-08

Family

ID=84322842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020849 WO2022254578A1 (fr) 2021-06-01 2021-06-01 Cryptographic system, ciphertext update device, and program

Country Status (1)

Country Link
WO (1) WO2022254578A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
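JP2012150399A (ja) * 2011-01-21 2012-08-09 Nippon Telegr & Teleph Corp <Ntt> Proxy re-encryption system, delegation information generation device, delegated information generation device, conversion key generation device, ciphertext conversion device, proxy re-encryption method, and programs therefor
JP2015177506A (ja) * 2014-03-18 2015-10-05 National Institute of Information and Communications Technology Encrypted data update system, encrypted data update method
JP2019211735A (ja) * 2018-06-08 2019-12-12 Nippon Telegraph and Telephone Corporation Conversion key generation device, ciphertext conversion device, decryption device, ciphertext conversion system, conversion key generation method, ciphertext conversion method, decryption method, and program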

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21944084

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21944084

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP