WO2024004116A1 - 鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体 - Google Patents

鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体 Download PDF

Info

Publication number
WO2024004116A1
WO2024004116A1 PCT/JP2022/026138 JP2022026138W WO2024004116A1 WO 2024004116 A1 WO2024004116 A1 WO 2024004116A1 JP 2022026138 W JP2022026138 W JP 2022026138W WO 2024004116 A1 WO2024004116 A1 WO 2024004116A1
Authority
WO
WIPO (PCT)
Prior art keywords
random number
key
distributed
share
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2022/026138
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
光 土田
春菜 福田
健吾 森
寿幸 一色
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Priority to JP2024530188A priority Critical patent/JP7852717B2/ja
Priority to PCT/JP2022/026138 priority patent/WO2024004116A1/ja
Publication of WO2024004116A1 publication Critical patent/WO2024004116A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present disclosure relates to a key issuing device, an information processing system, a method, and a computer-readable medium.
  • Non-Patent Document 1 discloses a technique of ID-based proxy re-encryption scheme (IB-PRE).
  • Non-Patent Document 2 and Non-Patent Document 3 disclose techniques related to ID-based encryption.
  • Non-Patent Document 4 and Non-Patent Document 5 disclose techniques related to the present disclosure.
  • ID-based proxy re-encryption a master public key and a master private key are issued by a key issuing authority.
  • a master private key and a user's ID can be used to generate a private key for that user.
  • the user's ID is publicly known. Therefore, a person who has acquired the master private key can easily generate a user's private key. Therefore, in the technology according to Non-Patent Document 1, if the key issuing authority has malicious intent, there is a risk that all the ciphertexts in the system will be decrypted using the master private key.
  • An object of the present disclosure is to provide a key issuing device, system, method, and program that can prevent a sentence from being decrypted.
  • a key issuing device uses a distributed master key generation means that generates at least a distributed master private key distributed among a plurality of key issuing devices, and the distributed master private key and user identification information.
  • the distributed master key generation means includes a distributed user private key generation means for generating a distributed user private key, and a transmission means for transmitting the distributed user private key to the user device of the user, Generate the distributed master private key based on the share of the first random number in the state in which the second random number to be kept secret is distributed, and the share in the second random number in the state in which the second random number to be kept secret is distributed, and generate the distributed user private key.
  • the means includes a share of a third random number in which a third random number that is kept confidential and is an element of the user private key is distributed, and a share of a fourth random number in which a fourth random number to be kept confidential is distributed.
  • the information processing system includes a plurality of key issuing devices, a plurality of user devices, and a re-encryption device, and each of the plurality of key issuing devices is distributed among the plurality of key issuing devices.
  • distributed master key generating means for generating at least a distributed master private key in a state in which the user's user private key is distributed using the distributed master private key and the user's identification information; a distributed user private key generation means for generating a distributed user private key, wherein the user private key is obtained using the distributed user private keys obtained from a plurality of key issuing devices; transmitting means for transmitting to the user device of the user, and the distributed master key generating means is configured to generate a share of the first random number in a state in which the first random number to be concealed is distributed, and a second random number to be concealed.
  • the distributed master secret key is generated based on the second random number share in which the random numbers are distributed, and the distributed user private key generation means generates a third secret key that is kept secret and becomes an element of the user private key.
  • the user generates the distributed user private key based on the obtained product, and each of the plurality of user devices generates the user private key using the distributed user private key obtained from the plurality of key issuing devices.
  • the re-encryption method includes a private key generation means, a re-encryption key generation means for generating a re-encryption key using the user private key, and a decryption means for decrypting the ciphertext to obtain the plaintext.
  • the device uses the re-encryption key to enable a second user device of the plurality of user devices to decrypt a ciphertext that can be decrypted by a first user device of the plurality of user devices.
  • the decryption means of the second user device re-encrypts the ciphertext that can be decrypted with the user private key related to the first user device without decrypting it, and the decryption means of the second user device decrypts the user private key related to the second user device. is used to decrypt the re-encrypted ciphertext.
  • the key issuance method includes a share of the first random number in which the first random number to be kept secret is distributed, and a share of the second random number in which the second random number to be concealed is distributed. at least generate a distributed master private key distributed among a plurality of key issuing devices based on the shared information, and the user private key of the user is distributed using the distributed master private key and identification information of the user.
  • the fourth the distributed user private key is generated based on the product obtained as a result of the multiplication, and the distributed user private key is transmitted to the user device of the user.
  • a share of the first random number in which the first random number to be concealed is distributed and a share of the second random number to be concealed is distributed by each of the plurality of key issuing devices.
  • the share of the third random number in which the third random number that is concealed and is an element of the user private key is distributed, and the share of the fourth random number in which the fourth random number to be concealed is distributed.
  • Obtain shares of random numbers and obtain a share of the first random number that is an element of the distributed master private key, a share of the second random number that is an element of the distributed master private key, and a share of the third random number that is an element of the distributed master private key. multiplying each by a share of the fourth random number, generating the distributed user private key based on the product obtained as a result of the multiplication, and transmitting the distributed user private key to the user device of the user.
  • the user device generates the user private key using the distributed user private keys acquired from the plurality of key issuing devices, generates a re-encryption key using the user private key, and decrypts the ciphertext.
  • the re-encryption device uses the re-encryption key to enable the second user device to decrypt the ciphertext that can be decrypted by the first user device.
  • the ciphertext that can be decrypted with the user private key related to the user device is re-encrypted without being decrypted, and the second user device uses the user private key related to the second user device to re-encrypt the ciphertext.
  • the encoded ciphertext is decrypted.
  • the program according to the present disclosure includes a first random number share in which the first random number to be concealed is distributed, and a second random number share in which the second random number to be concealed is distributed.
  • a key issuance that can prevent a ciphertext from being decrypted by a key issuing authority even if the key issuing authority has malicious intent.
  • Devices, systems, methods and programs can be provided.
  • FIG. 2 is a diagram for explaining general public key cryptography.
  • FIG. 2 is a diagram for explaining ID-based encryption.
  • FIG. 3 is a diagram for explaining general proxy re-encryption.
  • FIG. 3 is a diagram for explaining ID-based proxy re-encryption.
  • 1 is a diagram showing the configuration of an information processing system according to a first embodiment;
  • FIG. 1 is a diagram showing the configuration of a key issuing device according to a first embodiment;
  • FIG. 1 is a diagram showing a configuration of a user device according to Embodiment 1.
  • FIG. 1 is a diagram showing the configuration of a re-encryption device according to a first embodiment;
  • FIG. 3 is a flowchart showing processing executed by the information processing system according to the first embodiment.
  • FIG. 3 is a flowchart showing processing executed by the information processing system according to the first embodiment.
  • 3 is a flowchart showing processing executed by the information processing system according to the first embodiment.
  • 3 is a flowchart showing processing executed by the information processing system according to the first embodiment.
  • FIG. 3 is a diagram showing the configuration of a key issuing device according to a second embodiment.
  • FIG. 1 is a block diagram schematically showing an example of a hardware configuration of a calculation processing device that can implement the device and system according to each embodiment.
  • FIGS. 1 to 4 are diagrams for explaining ID-based proxy re-encryption.
  • FIG. 1 is a diagram for explaining general public key cryptography.
  • the ciphertext creator owns the public keys of users A to C.
  • the ciphertext creator creates ciphertext Ca with user A's public key, creates ciphertext Cb with user B's public key, and creates ciphertext Cc with user C's public key.
  • User A owns User A's private key.
  • User A can decrypt ciphertext Ca using user A's private key.
  • user B owns user B's private key.
  • User B can decrypt ciphertext Cb using user B's private key.
  • User C owns User C's private key.
  • User C can decrypt ciphertext Cc using user C's private key.
  • FIG. 2 is a diagram for explaining ID-based encryption (IBE).
  • ID-based cryptography the key issuance period generates a master public key and a master private key. Then, the key issuing authority obtains the private keys of each of the users A to C by embedding each user's ID (actually, a hash value of the ID, etc.) in the master private key.
  • the user's ID (Identification: identification information) may be, for example, the user's email address.
  • the key issuing authority distributes the user private keys of users A to C to users A to C, respectively.
  • the key issuing authority also distributes the master public key to the ciphertext creator.
  • the ciphertext creator can obtain the public keys of each of users A to C by embedding the user ID in the obtained master public key.
  • the ciphertext creator creates ciphertext Ca with user A's public key, creates ciphertext Cb with user B's public key, and creates ciphertext Cc with user C's public key in the same manner as in FIG. Create. Then, the user A decrypts the ciphertext Ca using the user A's private key generated from the master private key by the key issuing authority. Further, user B decrypts the ciphertext Cb using the user B's private key generated from the master private key. User C decrypts the ciphertext Cc using the user C's private key generated from the master private key by the key issuing authority. ID-based cryptography provides the following advantages compared to the public key cryptography of FIG.
  • an arbitrary character string (email address, etc.) can be embedded in a user key (public key and private key) or ciphertext as a user ID. Further, a ciphertext can be created in advance for a user who does not exist in the system (such as the user D who does not exist in the example of FIG. 2). Furthermore, the public key certificate that was necessary in the case of FIG. 1 is no longer necessary.
  • FIG. 3 is a diagram for explaining general proxy re-encryption (PRE).
  • Proxy re-encryption is a technology that allows you to change the decryption destination while encrypting information on a server such as a cloud environment.
  • a conversion key (re-encryption key) necessary for re-encryption is generated using the public key of the user of the conversion destination (converted decryption destination) and the private key of the conversion-source user. Can be done.
  • user A conversion source
  • D conversion destination
  • the conversion keys K A ⁇ B , K A ⁇ C , K A ⁇ D transform the ciphertext Ca that can be decrypted with the private key of user A into the ciphertexts Cb, Cc, and ciphertexts that can be decrypted with the private keys of users B to D, respectively.
  • This is a key (re-encryption key) for converting to Cd.
  • the agent corresponds to, for example, a proxy server or a gateway server.
  • the agent re-encrypts the ciphertext, for example, when the network environment to which the ciphertext is made public changes.
  • the agent re-encrypts the ciphertext Ca that can be decrypted with the user A's private key using each conversion key without decrypting the ciphertext Ca.
  • the ciphertext Ca is converted to the ciphertext Cb that can be decrypted with the user B's private key using the conversion key KA ⁇ B .
  • ciphertext Ca is converted to ciphertexts Cc and Cd that can be decrypted with the private keys of users C and D, respectively, using conversion keys K A ⁇ C and K A ⁇ D .
  • Users B to D can each decrypt the ciphertexts Cb, Cc, and Cd with their own private keys. Note that if user A does not wish to disclose the ciphertext Ca to user D, user A need not generate the conversion key K A ⁇ D . Thereby, the ciphertext Ca remains hidden from the user D.
  • FIG. 4 is a diagram for explaining ID-based proxy re-encryption (IB-PRE).
  • ID-based proxy re-encryption performs proxy re-encryption on an ID basis.
  • the key issuing authority generates a master public key and a master private key. Then, the key issuing authority obtains the private keys of each of the users A to D by embedding each user's ID in the master private key. Further, in the example of FIG. 4, the key issuing authority distributes the master public key to user A. User A generates a conversion key (re-encryption key) using the master public key and the conversion source private key.
  • user A uses the IDs of users B to D to obtain public keys of users B to D. Then, as in the case of FIG. 3, user A generates conversion keys K A ⁇ B , K A ⁇ C , K A ⁇ D using user A's private key and the public keys of users B to D. do.
  • user A sends each conversion key to the agent.
  • the agent re-encrypts the ciphertext Ca that can be decrypted with the user A's private key using each conversion key without decrypting the ciphertext Ca.
  • the ciphertext Ca is converted into the ciphertexts Cb, Cc, and Cd.
  • users B to D can each decrypt the ciphertexts Cb, Cc, and Cd with their own private keys.
  • Non-Patent Document 1 discloses a technology for ID-based proxy re-encryption.
  • the technology according to Non-Patent Document 1 can achieve key private, in which information regarding the ID of the conversion destination is not leaked from the conversion key.
  • Non-Patent Document 1 realizes a re-encryption function for so-called exponent-inversion type IBE among the three classifications of elliptic curve-based IBE.
  • the Kasahara-Sakai method is an exponent-inversion type IBE method, but it should be noted that the method based on Non-Patent Document 1 is not the Kasahara-Sakai method.
  • Non-Patent Document 1 uses symmetric pairing and the q-DDHE (Decisional Diffie-Hellman Exponent) assumption. Use.
  • Non-Patent Document 2 and Non-Patent Document 3 propose DKG for the Kasahara-Sakai method.
  • Non-Patent Document 2 and Non-Patent Document 3 are technologies related to ID-based encryption (IBE), and are not related to ID-based proxy re-encryption (IB-PRE). Therefore, the format of the private key according to Non-Patent Document 2 and Non-Patent Document 3 is different from the format of the private key related to IB-PRE as related to Non-Patent Document 1.
  • Shamir's secret sharing method is a type of (t,n) threshold secret sharing.
  • n is the total number of participants P i and t ( ⁇ n) is the threshold value.
  • f is a polynomial for polynomial completion.
  • s ⁇ Z p is a value to be kept secret (secret value).
  • Z p is a set of values from 0 to p-1.
  • [s] can also be said to indicate a state in which the secret value s is distributed to all participants.
  • [s] i indicates the value (distributed value) that participant P i has when the secret value s is distributed.
  • share [s] will be used when s indicates the variance value [s] i , ... [s] n , which is distributed among each participant, without distinguishing between them. There is.
  • the secret value is restored as follows. That is, the reconstructing party receives t [s] i from each participant P i . Then, the reconstructing party reconstructs the secret value s using the following equation (1) by polynomial completion. ...(1)
  • ⁇ i is a Lagrangian coefficient and is expressed by the following equation (2). ...(2)
  • formula (3) is expressed as "[[s]]".
  • participant P i may keep ⁇ i [s] i as a secret and redistribute it as [[ ⁇ i [s] i ]].
  • ⁇ [[ ⁇ i [s] i ]] the threshold value and the number of participants may be changed from t and n to t' and n', respectively. It should be noted that this may be achieved under the assumption that the old share before the change is safely deleted.
  • Mult() can be realized in various ways.
  • Mult() may be realized by the method shown in Non-Patent Document 4. Note that when implementing Mult(), it is necessary to communicate between participants. Further, for example, Mult() may be realized by the following steps, but is not limited thereto.
  • Step A2 By calculating the following equation (8), [c], which is the result of multiplication of [a] and [b], is obtained. ...(8)
  • pairing (bilinear mapping) is used.
  • calculations are performed under pairing conditions as described below.
  • G and GT be multiplicative cyclic groups of order p (p is a sufficiently large prime number).
  • p is a sufficiently large prime number.
  • g ⁇ G is a generator of G.
  • g is, for example, a rational point on an elliptic curve, but is not limited thereto.
  • G is a set composed of generators that are, for example, rational points on an elliptic curve, but is not limited thereto.
  • GT is, for example, a set of elements of an extension field, but is not limited thereto.
  • the bilinear mapping e: G ⁇ G ⁇ G T satisfies the following property.
  • ⁇ Bilinearity: e (g 1 a , g 2 b ) e (g 1 , g 2 ) ab
  • a and b are arbitrary values randomly selected from Z p * .
  • Z p * is a set of values from 1 to p-1.
  • e(g 1 , g 2 ) is an element of the multiplicative cyclic group G T of order p.
  • the key issuing authority cannot directly pass s to the user in order to prevent leakage of the master private key, but the user cannot decrypt the ciphertext unless it passes some value related to s. Therefore, the key issuing authority passes, for example, a value in the form of gs to the user as a private key. Note that it is not possible to calculate s from g s at this time.
  • FIG. 5 is a diagram showing the configuration of the information processing system 50 according to the first embodiment.
  • the information processing system 50 includes a plurality of key issuing devices 100-1 to 100-n (n is an integer of 2 or more), an encryption device 60, a plurality of user devices 200, and a re-encryption device 300.
  • the key issuing device 100, the encryption device 60, the user device 200, and the re-encryption device 300 are connected to each other via wire or wirelessly so that they can communicate with each other.
  • Each device configuring the information processing system 50 can be realized by, for example, a computer.
  • the information processing system 50 implements the DKG in the IB-PRE using the above-mentioned devices. The details will be described later.
  • the information processing system 50 can also function as a key generation system (key issuing system) that generates public keys and private keys.
  • the key issuing device 100 may be managed by the key issuing authority mentioned above.
  • the key issuing device 100 is configured to generate at least a distributed master private key, and to generate distributed user private keys in which user private keys are distributed, using the distributed master private key and user identification information. There is. Then, the key issuing device 100 transmits the distributed user private key to the user's user device.
  • the distributed master secret key can also be said to be a master secret key in a virtually distributed state. Note that in this embodiment, a master secret key is not actually generated.
  • the distributed master private key is distributed among a plurality of key issuing devices 100, and includes elements for generating distributed user private keys. Further, the distributed user private key is distributed to a plurality of key issuing devices 100, and the user private key is configured to be obtained using the distributed user private key obtained from the plurality of key issuing devices 100. . The details will be described later.
  • the encryption device 60 is configured to create ciphertext. Specifically, the encryption device 60 creates a ciphertext C by encrypting the plaintext m. Note that the encryption device 60 may be integrated with the user device 200. In this case, for example, user A's user device 200A may function as the encryption device 60.
  • the user device 200 may be managed by the user described above.
  • user devices 200A-200D may be managed by users AD, respectively.
  • the number of user devices 200 is arbitrary.
  • Each of the user devices 200 is configured to use the distributed user private keys obtained from the plurality of key issuing devices 100 to generate a user private key of a user who manages the user device 200.
  • the user device 200 is configured to generate a re-encryption key (conversion key) using the user private key.
  • the user device 200 is configured to decrypt the ciphertext and obtain the plaintext using the user private key related to the user device 200. The details will be described later.
  • the re-encryption device 300 may be managed by the agent mentioned above.
  • the re-encryption device 300 may be configured with the above-described proxy server or gateway server, for example.
  • the re-encryption device 300 is configured to use the re-encryption key to re-encrypt the ciphertext that can be decrypted with the user private key of the first user device of the plurality of user devices 200 without decrypting it. has been done.
  • the re-encryption device 300 uses the re-encryption key to convert ciphertext that can be decrypted with the user private key related to the first user device into ciphertext that can be decrypted with the user private key related to the second user device. Convert.
  • this re-encryption key is a conversion key for making the ciphertext decryptable by the first user device decryptable by the second user device of the plurality of user devices 200.
  • the second user device decrypts the re-encrypted ciphertext using the user private key related to the second user device. The details will be described later.
  • user A's user device 200A is the first user device
  • user B's user device 200B is the second user device.
  • the re-encryption device 300 converts (re-encrypts) the ciphertext Ca into the ciphertext Cb using the re-encryption key KA ⁇ B .
  • the user device 200B decrypts the re-encrypted ciphertext Cb using the user B's user private key.
  • FIG. 6 is a diagram showing the configuration of the key issuing device 100 according to the first embodiment.
  • the key issuing device 100 includes a random number generation section 102, a distribution section 104, a random number share acquisition section 106, a share multiplication section 108, a restoration section 110, and a share storage section 112 as components.
  • the key issuing device 100 also includes a distributed master key generation section 120, a master public key generation section 130, a distributed user private key generation section 140, and a transmission section 150 as components.
  • the random number generation unit 102 may be configured as a subroutine called by the distributed master key generation unit 120, the master public key generation unit 130, and the distributed user private key generation unit 140.
  • the distribution unit 104, the random number share acquisition unit 106, the share multiplication unit 108, the restoration unit 110, and the share storage unit 112 are connected to the distributed master key generation unit 120, the master public key generation unit 130, and the distributed user private key generation unit 140. It may also be configured as a called subroutine.
  • the random number generation unit 102 has a function as a random number generation means.
  • the dispersion unit 104 has a function as a dispersion means.
  • the random number share acquisition unit 106 has a function as a random number share acquisition means.
  • the share multiplier 108 has a function as a share multiplier.
  • the restoring unit 110 has a function as a restoring means.
  • the distributed master key generation unit 120 has a function as a distributed master key generation means.
  • the master public key generation unit 130 has a function as a master public key generation means.
  • the distributed user private key generation unit 140 has a function as a distributed user private key generation means.
  • the transmitter 150 has a function as a transmitter.
  • the random number generation unit 102 is configured to generate random numbers. Further, the random number generation unit 102 generates a random number element that becomes an element of a random number to be kept secret.
  • the distribution unit 104 is configured to perform secret sharing on random numbers (random number elements). The distribution unit 104 may obtain the share (distribution value) of the random number elements by performing secret sharing using, for example, the function shown by the above-mentioned formula (4). The distribution unit 104 transmits the acquired random number element share (distribution value) to other key issuing devices 100.
  • the random number share acquisition unit 106 is configured to acquire a random number share using shares of a plurality of random number elements received from a plurality of key issuing devices 100.
  • the random number share acquisition unit 106 may acquire the random number share by summing the shares (variance values) of the plurality of random number elements received from the plurality of key issuing devices 100.
  • the share multiplication unit 108 is configured to perform multiplication between shares.
  • the share multiplication unit 108 may perform multiplication between shares using, for example, the function shown in equation (6) above.
  • the restoring unit 110 performs restoring on a share of a certain value (secret value) and obtains the value.
  • the restoration unit 110 may perform the restoration using, for example, the function expressed by the above-mentioned equation (5).
  • the share storage unit 112 stores shares (variance values) acquired in the process of calculations regarding shares.
  • the share storage unit 112 stores shares (dispersion values) acquired in the processes of S120 to S140, which will be described later.
  • the share storage unit 112 may temporarily store shares (dispersion values).
  • the distributed master key generation unit 120 is configured to at least generate distributed master secret keys distributed among the plurality of key issuing devices 100.
  • the distributed master key generation unit 120 may generate distributed master public keys that are distributed among a plurality of key issuing devices 100.
  • the details will be described later.
  • the master public key generation unit 130 is configured to generate a master public key.
  • the distributed user private key generation unit 140 is configured to generate a distributed user private key using the distributed master private key and user identification information. The details will be described later.
  • the transmitter 150 is configured to transmit the distributed user private key to the user device 200 of the user corresponding to the above identification information.
  • FIG. 7 is a diagram showing the configuration of the user device 200 according to the first embodiment.
  • the user device 200 includes a user private key generation section 210, a user private key storage section 220, a re-encryption key generation section 230, and a decryption section 240.
  • the user secret key generation unit 210 has a function as a user secret key generation means.
  • the user secret key storage unit 220 has a function as a user secret key storage means.
  • the re-encryption key generation section 230 has a function as a re-encryption key generation means.
  • the decoding unit 240 has a function as a decoding means.
  • the user private key generation unit 210 is configured to generate a user private key of a user who manages the user device 200 using distributed user private keys obtained from a plurality of key issuing devices 100. The details will be described later.
  • the user private key storage unit 220 is configured to store the generated user private key.
  • the re-encryption key generation unit 230 is configured to generate a re-encryption key using the user private key.
  • the re-encryption key generation unit 230 of the user device 200A uses the user A's user secret key K A to generate re-encryption keys (conversion keys) K A ⁇ B , K A ⁇ C , K A ⁇ D. generate.
  • the details will be described later.
  • the decryption unit 240 is configured to decrypt the ciphertext and obtain the plaintext using the user private key related to the user device 200. The details will be described later.
  • FIG. 8 is a diagram showing the configuration of the re-encryption device 300 according to the first embodiment.
  • the re-encryption device 300 includes a re-encryption key storage section 310, a ciphertext storage section 320, and a re-encryption section 330.
  • the re-encryption key storage unit 310 has a function as a re-encryption key storage means.
  • the ciphertext storage unit 320 has a function as a ciphertext storage means.
  • the re-encryption unit 330 has a function as a re-encryption means.
  • the re-encryption key storage unit 310 stores the re-encryption key generated by the user device 200.
  • the ciphertext storage unit 320 stores the ciphertext generated by the encryption device 60.
  • the re-encryption unit 330 is configured to use the re-encryption key to re-encrypt the ciphertext that can be decrypted with the user private key regarding the first user device of the plurality of user devices 200 without decrypting it. has been done.
  • the re-encryption unit 330 uses the re-encryption key to convert a ciphertext that can be decrypted with the user secret key related to the first user device into a ciphertext that can be decrypted with the user secret key related to the second user device. Convert (re-encrypt). The details will be described later.
  • FIG. 9 to 12 are flowcharts showing processes executed by the information processing system 50 according to the first embodiment.
  • FIG. 9 shows an information processing method (key issuing method, key generating method) executed by the information processing system 50.
  • S120 to S160 indicate a key issuing method (key generation method) implemented by the key issuing device 100.
  • the information processing system 50 sets the global parameter gparam (step S102).
  • the information processing system 50 performs "Global Setup".
  • Global parameters gparam may be exposed within information handling system 50. Note that the setting of the global parameters may be performed by any of the key issuing devices 100, or may be performed by a device (not shown) managed by a standards organization.
  • p is a prime number.
  • G is a multiplicative cyclic group of order p.
  • e is a bilinear mapping, e:G ⁇ G ⁇ GT .
  • g is a generator of G, and g ⁇ G.
  • H is a hash function, H:G T ⁇ Z p .
  • h which is an element of G, is set as a global parameter (public parameter), but in this embodiment, h is not disclosed. This is because if h is made public, an attacker may be able to obtain the plaintext from the ciphertext.
  • the distributed master key generation unit 120 of each of the plurality of key issuing devices 100 generates a distributed master key (step S120).
  • the key issuing device 100 performs "Distribute Setup".
  • mpk i is the distributed master public key.
  • msk i is a distributed master secret key. That is, the distributed master key (mpk i , msk i ) is a set of the distributed master public key mpk i and the distributed master private key msk i .
  • each of the plurality of key issuing devices 100-1 to 100-n generating a distributed master key
  • the distributed master public keys mpk 1 to mpk n are distributed among a plurality of key issuing devices 100.
  • distributed master secret keys msk 1 to msk n are distributed among a plurality of key issuing devices 100.
  • the plurality of key issuing devices 100-1 to 100-n cooperate to generate distributed master keys ⁇ (mpk i , msk i ) ⁇ .
  • the distributed master key generation unit 120 generates a random number element (step S122). That is, the distributed master key generation unit 120 of the key issuing device 100-i generates random number elements ⁇ i and ⁇ i . Note that the distributed master key generation unit 120 may perform the process of S122 using the random number generation unit 102 described above. Here, ⁇ i , ⁇ i ⁇ Z p . Further, the random number element ⁇ i (first random number element) becomes an element of the random number ⁇ (first random number). Further, the random number element ⁇ i (second random number element) becomes an element of the random number ⁇ (second random number). Note that the values of the random numbers ⁇ and ⁇ are kept secret from each key issuing device 100, that is, not known to each key issuing device 100.
  • the distributed master key generation unit 120 secretly shares the random number elements (step S124). That is, the distributed master key generation unit 120 of the key issuing device 100-i shares the secrets of the random number elements ⁇ i and ⁇ i . Note that the distributed master key generation unit 120 may perform the process of S124 using the above-mentioned distribution unit 104.
  • the distributed master key generation unit 120 performs secret sharing on the random number elements ⁇ i and ⁇ i , and calculates the share [ ⁇ i ] (distribution value) of the random number element ⁇ i and the share of the random number element ⁇ i obtained by the secret sharing. [ ⁇ i ] (dispersion value) is transmitted to other key issuing devices 100.
  • the distributed master key generation unit 120 of the key issuing device 100-i generates the share [ ⁇ i ] (dispersion value) of the random number element ⁇ i using the following equation (9). ...(9)
  • the distributed master key generation unit 120 of the key issuing device 100-i generates the share [ ⁇ i ] (dispersion value) of the random number element ⁇ i using the following equation (10). ...(10)
  • the key issuing device 100-i receives [ ⁇ 1 ] i , . . . , [ ⁇ n ] i and [ ⁇ 1 ] i , . . . , [ ⁇ n ] from the plurality of key issuing devices 100. Get i .
  • the distributed master key generation unit 120 obtains shares [ ⁇ ] and [ ⁇ ] (distribution values) of random numbers ⁇ and ⁇ (step S126).
  • the distributed master key generation unit 120 may perform the process of S126 using the random number share acquisition unit 106 described above.
  • the distributed master key generation unit 120 obtains the share [ ⁇ ] (dispersion value) of the random number ⁇ (first random number) using the share (dispersion value) of the first random number element obtained from the plurality of key issuing devices 100. do.
  • the distributed master key generation unit 120 uses the shares (distribution values) of the second random number elements obtained from the plurality of key issuing devices 100 to generate a share [ ⁇ ] (distribution value) of the random number ⁇ (second random number). ) to obtain.
  • the distributed master key generation unit 120 totals the shares (variance values) of the first random number elements obtained from the plurality of key issuing devices 100, and calculates the share [ ⁇ ] (variance value). Similarly, the distributed master key generation unit 120 totals the shares (variance values) of the second random number elements obtained from the plurality of key issuing devices 100, and calculates the share [ ⁇ ]( variance value).
  • the distributed master key generation unit 120 generates shares [ ⁇ ] and [ ⁇ ] (distribution values) using the following equations (11) and (12), respectively. ...(11) ...(12)
  • the distributed master key generation unit 120 generates a distributed master key (step S128). Specifically, the distributed master key generation unit 120 generates a distributed master key based on the acquired shares [ ⁇ ] and [ ⁇ ] (distribution values).
  • the distributed master key generation unit 120 of the key issuing device 100- i generates distributed master keys (mpk i , msk i ). That is, the distributed master key generation unit 120 generates a plurality of key issuing devices 100 based on the share [ ⁇ ] (distribution value) of the first random number ⁇ and the share [ ⁇ ] (distribution value) of the second random number ⁇ .
  • the distributed master key generation unit 120 also generates a share [ ⁇ ] (dispersion value) of the first random number in which the first random number ⁇ is distributed and a second share [ ⁇ ] (dispersion value) in which the second random number ⁇ is distributed.
  • a distributed master secret key in a distributed state is generated based on the random number share [ ⁇ ] (distribution value).
  • the distributed master key generation unit 120 of the key issuing device 100-i generates the distributed master public key mpk i using the following equation (15). ...(15)
  • the distributed master key generation unit 120 of the key issuing device 100-i generates the distributed master private key msk i using the following equation (16). ...(16)
  • random numbers ⁇ are sent to multiple key issuing devices 100-1 to 100-n without informing any key issuing device 100 (key issuing authority) of the values of random numbers ⁇ and ⁇ .
  • can be distributed. That is, as in the example of FIG. 4, when keys are not generated in a distributed manner, a single key issuing authority (key issuing device) only needs to generate the random numbers ⁇ and ⁇ . On the other hand, when keys are generated in a distributed manner, no key issuing device 100 (key issuing authority) must know the random numbers ⁇ and ⁇ in order to achieve the purpose of suppressing leakage of the private key.
  • each key issuing device 100 uses the share (dispersion value) of the random numbers ⁇ and ⁇ to create a distributed master. A key can be generated.
  • the master public key generation unit 130 of each of the plurality of key issuing devices 100 generates a master public key (step S130).
  • the key issuing device 100 performs "Distribute PKG (Public Key Generation)".
  • n generates a master public key mpk using the global parameter gparam and the set of distributed master public keys ⁇ mpk i ⁇ . That is, the master public key generation unit 130 generates a master public key based on the distributed master public keys obtained from the plurality of key issuing devices 100-1 to 100-n.
  • FIG. 11 is a flowchart showing the process of S130 in FIG. FIG. 11 shows the processing of the master public key generation unit 130 according to the first embodiment.
  • the master public key generation unit 130 generates the master public key mpk using the following equations (17) and (18). Note that through such processing, the same master public key can be generated in each key issuing device 100. In this way, by performing restoration using the exponent parts of the powers of g and the powers of e (g, g), any key issuing device 100 (key issuing institution) can publish the master without knowing the random numbers ⁇ and ⁇ .
  • the master public key generation unit 130 can generate g ⁇ by acquiring t or more [ ⁇ ] i (variance value of ⁇ ).
  • the master public key generation unit 130 can generate e(g,g) ⁇ by acquiring t or more [ ⁇ ] i (variance value of ⁇ ).
  • the distributed user private key generation unit 140 of each of the plurality of key issuing devices 100 generates a distributed user private key (step S140).
  • the key issuing device 100 performs "Distribute KeyGen (Key Generation)."
  • the key issuing device 100-i corresponds to the identification information ID using the global parameter gparam, the set of distributed master private keys ⁇ msk i ⁇ , and the ID that is the user identification information.
  • a distributed user private key is generated in which the user private keys of the users who are to be accessed are distributed.
  • the distributed user private key generation unit 140 generates the distributed user private key dk based on the distributed master private key ⁇ msk i ⁇ acquired from the plurality of key issuing devices 100-1 to 100-n and the user identification information ID. Generate ID,i .
  • the distributed user secret keys dk ID,1 , . . . , dk ID,n are distributed among a plurality of key issuing devices 100.
  • the identification information ID is, for example, an e-mail address, the user's identification information ID may be made public.
  • FIG. 12 is a flowchart showing the process of S140 in FIG. FIG. 12 shows the processing of the distributed user private key generation unit 140 according to the first embodiment.
  • the distributed user private key generation unit 140 generates a random number element (step S142). That is, the distributed user private key generation unit 140 of the key issuing device 100-i generates random number elements r ID,i , w i . Note that the distributed user private key generation unit 140 may perform the process of S142 using the random number generation unit 102 described above. Here, r ID,i , w i ⁇ Z p . Furthermore, the random number element r ID,i (third random number element) becomes an element of the random number r ID (third random number).
  • the random number element w i (fourth random number element) becomes an element of the random number w (fourth random number). It should be noted that the values of the random numbers r ID and w are kept secret from each key issuing device 100, that is, not known to each key issuing device 100.
  • the distributed user private key generation unit 140 secretly shares the random number elements (step S144). That is, the distributed user private key generation unit 140 of the key issuing device 100-i secretly shares the random number elements r ID,i , w i . Note that the distributed user private key generation unit 140 may perform the process of S144 using the above-mentioned distribution unit 104.
  • the distributed user private key generation unit 140 performs secret sharing on the random number elements r ID,i , w i , and calculates the share [r ID,i ] (distribution value) of the random number element r ID,i obtained by secret sharing. and the share [w i ] (dispersion value) of the random number element w i to other key issuing devices 100.
  • the distributed user private key generation unit 140 of the key issuing device 100-i generates the share [r ID,i ] (distributed value) of the random number element r ID ,i using the following equation (20). . ...(20)
  • the distributed user private key generation unit 140 of the key issuing device 100-i generates the share [w i ] (dispersion value) of the random number element w i using the following equation (21). ...(21)
  • the key issuing device 100-i receives [r ID,1 ] i , ..., [r ID,n ] i and [w 1 ] i , ..., from the plurality of key issuing devices 100. [ wn ] Obtain i .
  • the distributed user private key generation unit 140 obtains the shares [r ID ], [w] (distribution values) of the random numbers r ID , w (step S146).
  • the distributed user private key generation unit 140 may perform the process of S146 using the random number share acquisition unit 106 described above.
  • the distributed user private key generation unit 140 generates a share [r ID ] (distribution value) of the random number r ID (third random number) using the share (distribution value) of the third random number element obtained from the plurality of key issuing devices 100. ) to obtain.
  • the distributed user private key generation unit 140 uses the share (dispersion value) of the fourth random number element obtained from the plurality of key issuing devices 100 to generate a share [w] (dispersion value) of the random number w (fourth random number). value).
  • the distributed user private key generation unit 140 totals the shares (variance values) of the third random number elements obtained from the plurality of key issuing devices 100, and calculates the share of the random number r ID (third random number). Obtain [r ID ] (dispersion value). Similarly, the distributed user private key generation unit 140 totals the shares (variance values) of the fourth random number elements obtained from the plurality of key issuing devices 100, and calculates the share [w] of the random number w (fourth random number). (variance value).
  • the distributed user private key generation unit 140 generates shares [r ID ] and [w] (distribution values) using the following equations (22) and (23), respectively. ...(22) ...(23)
  • the distributed user private key generation unit 140 Focusing on the key issuing device 100- i , the distributed user private key generation unit 140 generates a distributed value [r ID, j ] i to obtain a variance value (share) [r ID ] i of the random number r ID . That is, the distributed user private key generation unit 140 generates the distributed value [r ID ] i using the following equation (24). ...(24)
  • the distributed user private key generation unit 140 performs share multiplication (step S148).
  • the distributed user private key generation unit 140 may perform the process of S148 using the share multiplication unit 108 described above.
  • the distributed user private key generation unit 140 multiplies each of [ ⁇ ]-[r ID ] and [ ⁇ ]-ID by [w].
  • the distributed user private key generation unit 140 generates a share [ ⁇ ] of ⁇ (first random number), a share [ ⁇ ] of ⁇ (second random number), and a share [r ID ] is multiplied by the share [w] of w (fourth random number).
  • [ ⁇ ] and [ ⁇ ] are elements of the distributed master secret key msk i .
  • the distributed user private key generation unit 140 generates a share [ ⁇ ] of ⁇ which is an element of the distributed master private key msk i , a share [ ⁇ ] of ⁇ which is an element of the distributed master private key msk i , and a share of r ID . Multiply each [r ID ] by the share [w] of w.
  • the distributed user private key generation unit 140 executes multiplication according to the following equations (26) and (27) in parallel. In this manner, in this embodiment, multiple multiplications between shares are executed. Note that, as described above, when executing Mult(), communication is performed between the plurality of key issuing apparatuses 100. ...(26) ...(27)
  • the distributed user private key generation unit 140 restores [( ⁇ -ID) ⁇ w] and calculates 1/( ⁇ -ID) ⁇ w, which is the inverse of the restoration result (step S150).
  • the distributed user private key generation unit 140 may perform the process of S150 using the restoration unit 110 described above.
  • the distributed user private key generation unit 140 multiplies the user private key element ( ⁇ -ID) obtained from the share [ ⁇ ] of the random number ⁇ and the identification information ID by the share [w] of the random number w. Restoration is performed on the first product [( ⁇ -ID) ⁇ w]. As a result, the value of ( ⁇ -ID) ⁇ w is obtained. Further, the distributed user private key generation unit 140 calculates the inverse element v (first value) of the value ( ⁇ -ID) ⁇ w obtained as a result of the restoration.
  • the distributed user private key generation unit 140 restores [( ⁇ -ID) ⁇ w] using the following equation (28), and obtains the value of ( ⁇ -ID) ⁇ w. ...(28)
  • the distributed user private key generation unit 140 generates a distributed user private key (step S152). As shown below, the distributed user private key generation unit 140 generates a distributed user private key based on the product obtained as a result of the multiplication of equations (26) to (27). Note that, as described later, the distributed user private key generation unit 140 calculates the share (dispersion value) of the random number w when the user private key is acquired using the distributed user private keys obtained from the plurality of key issuing devices 100. Generate a distributed user private key so that it can be removed.
  • the distributed user private key generation unit 140 of the key issuing device 100-i calculates the element h of the distributed user private key expressed by the following formula (30) from the above formulas (26) and (29). Calculate ID,i .
  • the distributed user private key generation unit 140 raises the power g ⁇ ([( ⁇ -r ID ) ⁇ w] i ) of g to the power (power operation) by v, and obtains the result of (g ⁇ ([( ⁇ - r ID ) ⁇ w] i )) ⁇ v is calculated as h ID,i .
  • the distributed user private key generation unit 140 generates a second power (g Calculate ⁇ ([( ⁇ -r ID ) ⁇ w] i )) ⁇ v as h ID,i .
  • the exponent (power exponent) of the first power of g (first power) is the product [( ⁇ -r ID ) ⁇ w] i (second product). ...(30)
  • the distributed user private key generation unit 140 of the key issuing device 100-i generates the distributed user private key dk ID,i expressed by the following equation (31). ...(31)
  • the distributed user secret key dk ID,i is a set of [r ID ] i and h ID,i . That is, the distributed user private key generation unit 140 generates a set of the share (distribution value) of the random number r ID and the first data as the distributed user private key.
  • the first data is the product obtained by multiplying the element of the user private key obtained by the share of the random number ⁇ and the share of the random number r ID by the share of the random number w (second product), and Let v (first value) be an element.
  • the user secret key generation unit 210 may perform the process of S162 using substantially the same function as the recovery unit 110 described above.
  • the user private key generated by the user private key generation section 210 is stored in the user private key storage section 220.
  • the user private key generation unit 210 generates r ID using the following equation (32). ...(32)
  • the random number w is removed in the processing of the user private key generation unit 210 in the user device 200. That is, by setting h ID,i to the format shown in equation (30), the random number w is removed. Therefore, the distributed user private key generation unit 140 generates a distributed user secret so that the share of the random number w is removed when the user private key is obtained using the distributed user private keys obtained from the plurality of key issuing devices 100. It can be said that a key is being generated. In this way, random numbers w that are not elements of the user private key are removed.
  • Non-Patent Document 2 and Non-Patent Document 3 which disclose the technology related to IBE, the user private key is configured with one value. Therefore, the format of the user private key is different between IB-PRE and IBE. Therefore, as described above, it is extremely difficult to simply combine the technology related to Non-Patent Document 1 and the technologies related to Non-Patent Document 2 and Non-Patent Document 3.
  • the key issuing device 100 has the above-described configuration, so that the user private key and the elements of the user private key (random number ⁇ , random number ⁇ , and random number r ID ) are known to any key issuing device 100. It is possible to generate a user private key without being asked to do so. Therefore, with the configuration according to the first embodiment, in the ID-based proxy re-encryption technology, even if the key issuing authority has malicious intent, it is possible to prevent the ciphertext from being decrypted by the key issuing authority. becomes possible.
  • the encryption device 60 creates a ciphertext (step S170).
  • the encryption device 60 may create ciphertext from plaintext in substantially the same manner as the method of Non-Patent Document 1.
  • the ciphertext created by the encryption device 60 is stored in the ciphertext storage section 320 of the re-encryption device 300.
  • the encryption device 60 generates the ciphertext C ID from the plaintext m using the following equation (34). This generates a ciphertext that can be decrypted with the user's private key related to the ID. Note that the master public key mpk and the identification information ID can generate a public key regarding the user corresponding to the ID. ...(34)
  • the re-encryption key generation unit 230 of the user device 200 generates a re-encryption key (step S174).
  • the re-encryption key generation unit 230 generates a re-encryption key using the user's private key.
  • the re-encryption key generation unit 230 may generate the re-encryption key in substantially the same manner as the method of Non-Patent Document 1.
  • the re-encryption key generation unit 230 generates the re-encryption key rk_(ID i ⁇ ID j ) using the following equation (36).
  • dk_(ID i ) is the user private key of user i.
  • the re-encryption unit 330 of the re-encryption device 300 re-encrypts the ciphertext stored in the ciphertext storage unit 320 (step S176).
  • the re-encryption unit 330 uses the re-encryption key stored in the re-encryption key storage unit 310 to decrypt the ciphertext that can be decrypted with the user private key regarding the first user device of the plurality of user devices 200. Re-encrypt without doing anything.
  • the re-encryption unit 330 may perform re-encryption using substantially the same method as in Non-Patent Document 1.
  • the re-encrypted ciphertext may be stored in the ciphertext storage unit 320.
  • the re-encryption unit 330 performs re-encryption using the following equation (37).
  • the re-encryption unit 330 uses the re-encryption key to transfer a ciphertext that can be decrypted with the user private key regarding the first user device (user i's user device 200) to the second user device (user j's user device 200).
  • the user device 200) is converted into a ciphertext that can be decrypted using the user's private key. ...(37)
  • the decryption unit 240 of the user device 200 decrypts the ciphertext and obtains the plaintext (step S180).
  • the decryption unit 240 decrypts the ciphertext using the user private key of the corresponding user.
  • the decryption unit 240 may decrypt the ciphertext using substantially the same method as in Non-Patent Document 1.
  • the decryption unit 240 When decrypting the ciphertext created in the process of S170, the decryption unit 240 performs decryption using the following equation (38) to obtain plaintext m.
  • ID corresponds to the identification information ID i of user i. ...(38)
  • the decryption unit 240 when decrypting the ciphertext re-encrypted in the process of S176, the decryption unit 240 performs decryption using the following equation (39) to obtain plaintext m.
  • ID corresponds to identification information ID j of user j. That is, the decryption unit 240 of the second user device decrypts the re-encrypted ciphertext using the user private key related to the second user device. ...(39)
  • the re-encryption key may be changed by the user device 200 or may be changed by multi-party calculation in the key issuing device 100. Furthermore, the update of the ciphertext may be performed without the involvement of the user device 200 that can decrypt the ciphertext.
  • Non-Patent Document 3 terminates the protocol when fraud is detected.
  • the share of each participant in the SSS may be a duplicate secret sharing method, and a majority vote may be taken at the time of multiplication. In this way, by having each participant (key issuing device 100) copy the share, it is safe even against attackers who attempt to falsify the calculation results.
  • CCA Code Ciphertext Attack
  • a system that achieves CCA security can be configured by using Fujisaki-Okamoto transformation. That is, by applying the Fujisaki-Okamoto transformation to the encryption method (S170) according to this embodiment, CCA security can be achieved.
  • Embodiment 2 shows an outline of the configuration according to the embodiment described above.
  • the information processing system 50 according to the second embodiment is substantially the same as that according to the first embodiment, so a description thereof will be omitted.
  • the information processing system 50 according to the second embodiment includes a plurality of key issuing devices.
  • FIG. 13 is a diagram showing the configuration of the key issuing device 10 according to the second embodiment.
  • Key issuing device 10 according to the second embodiment corresponds to key issuing device 100 according to the first embodiment.
  • the key issuing device 10 according to the second embodiment includes a distributed master key generation section 12, a distributed user private key generation section 14, and a transmission section 16.
  • the distributed master key generation unit 12 has a function as a distributed master key generation means.
  • the distributed user private key generation unit 14 has a function as a distributed user private key generation means.
  • the transmitter 16 has a function as a transmitter.
  • the distributed master key generation unit 12 corresponds to the distributed master key generation unit 120 according to the first embodiment.
  • the distributed master key generation section 12 can be realized by substantially the same function as the distributed master key generation section 120.
  • the distributed master key generation unit 12 generates at least distributed master secret keys distributed among the plurality of key issuing devices 10.
  • the distributed master key generation unit 12 generates a share ([ ⁇ ]) of the first random number in which the first random number ( ⁇ ) to be concealed is distributed, and a share ([ ⁇ ]) of the first random number in which the first random number ( ⁇ ) to be concealed is distributed, and a share in which the second random number ( ⁇ ) to be concealed is distributed.
  • a distributed master secret key is generated based on the second random number share ([ ⁇ ]) in the state.
  • the distributed user private key generation unit 14 corresponds to the distributed user private key generation unit 140 according to the first embodiment.
  • the distributed user private key generation section 14 can be realized by substantially the same function as the distributed user private key generation section 140.
  • the distributed user private key generation unit 14 generates a distributed user private key using the distributed master private key and user identification information.
  • a user private key is obtained using the distributed user private keys obtained from a plurality of key issuing devices.
  • the distributed user private key generation unit 14 generates a share of the third random number ([r ID ]) in which the third random number (r ID ) which is kept confidential and becomes an element of the user private key is distributed, and a third random number to be kept confidential.
  • the distributed user private key generation unit 14 obtains the share ([w]) of the fourth random number in which the random number (w) of 4 is distributed.
  • the distributed user private key generation unit 14 generates a first random number share that is an element of the distributed master private key, a second random number share that is an element of the distributed master private key, and a third random number share that is an element of the distributed master private key. and is multiplied by the share of the fourth random number.
  • the distributed user private key generation unit 14 generates a distributed user private key based on the product obtained as a result of the multiplication.
  • the transmitter 16 transmits the distributed user private key to the user device 200 of the user.
  • the user device 200 can generate a user private key using a plurality of distributed user private keys obtained from a plurality of key issuing devices 10.
  • the key issuing device 10 has the user secret key and the elements of the user secret key (the first random number, the second random number, and the third random number) as described above.
  • a user secret key can be generated without being known by any key issuing device 10. Therefore, in the ID-based proxy re-encryption technique, even if the key issuing authority has malicious intent, it is possible to prevent the ciphertext from being decrypted by the key issuing authority.
  • This also applies to the information processing system 50 having a plurality of key issuing devices 10, the key issuing method executed by the key issuing device 10, and the program that implements the key issuing method.
  • Hard configuration example An example of a configuration of hardware resources that implements the apparatus and system according to each of the embodiments described above using one calculation processing device (information processing device, computer) will be described.
  • the devices according to each embodiment key issuing device, encryption device, user device, re-encryption device, etc.
  • the device according to each embodiment may be physically or functionally realized using at least two computing devices.
  • the device according to each embodiment may be realized as a dedicated device or may be realized as a general-purpose information processing device.
  • FIG. 14 is a block diagram schematically showing an example of a hardware configuration of a calculation processing device that can implement the device and system according to each embodiment.
  • the calculation processing device 1000 includes a CPU 1001, a volatile storage device 1002, a disk 1003, a nonvolatile recording medium 1004, and a communication IF (IF) 1007. Therefore, it can be said that the device according to each embodiment includes a CPU 1001, a volatile storage device 1002, a disk 1003, a nonvolatile recording medium 1004, and a communication IF 1007.
  • the calculation processing device 1000 may be connectable to an input device 1005 and an output device 1006.
  • the calculation processing device 1000 may include an input device 1005 and an output device 1006. Further, the calculation processing device 1000 can send and receive information to and from other calculation processing devices and communication devices via the communication IF 1007.
  • the nonvolatile recording medium 1004 is a computer-readable medium, such as a compact disc or a digital versatile disc. Further, the nonvolatile recording medium 1004 may be a USB (Universal Serial Bus) memory, a solid state drive, or the like. The non-volatile recording medium 1004 retains the program even without supplying power, making it portable. Note that the nonvolatile recording medium 1004 is not limited to the above-mentioned medium. Further, instead of the nonvolatile recording medium 1004, the program may be supplied via the communication IF 1007 and the communication network.
  • USB Universal Serial Bus
  • the volatile storage device 1002 is computer readable and can temporarily store data.
  • the volatile storage device 1002 is a memory such as DRAM (dynamic random access memory) or SRAM (static random access memory).
  • the CPU 1001 copies a software program (computer program: hereinafter simply referred to as a "program") stored on the disk 1003 to the volatile storage device 1002 when executing it, and executes arithmetic processing.
  • the CPU 1001 reads data necessary for program execution from the volatile storage device 1002. If display is necessary, the CPU 1001 displays the output result on the output device 1006.
  • the CPU 1001 acquires the program from the input device 1005.
  • the CPU 1001 interprets and executes programs corresponding to the functions (processing) of each component shown in FIGS. 6 to 8 and 13 described above.
  • the CPU 1001 executes the processing described in each of the embodiments described above. In other words, the functions of each component shown in FIGS. 6 to 8 and 13 described above can be realized by the CPU 1001 executing a program stored in the disk 1003 or the volatile storage device 1002.
  • each embodiment can be considered to be achieved by the programs described above. Furthermore, each of the above-described embodiments can be realized by a computer-readable nonvolatile recording medium on which the above-described program is recorded.
  • the distributed user private key generation unit 140 multiplies [ ⁇ ] ⁇ [r ID ] by [w], but the configuration is not limited to this. [ ⁇ ] and 0 ⁇ [r ID ] may be separately multiplied by [w] as in the following equations (40) and (41). ...(40) ...(41)
  • the user private key generation unit 210 generates h ID using the following equation (43). ...(43)
  • the program includes instructions (or software code) that, when loaded into a computer, cause the computer to perform one or more of the functions described in the embodiments.
  • the program may be stored on a non-transitory computer readable medium or a tangible storage medium.
  • computer readable or tangible storage media may include random-access memory (RAM), read-only memory (ROM), flash memory, solid-state drive (SSD) or other memory technology, CD - Including ROM, digital versatile disk (DVD), Blu-ray disk or other optical disk storage, magnetic cassette, magnetic tape, magnetic disk storage or other magnetic storage device.
  • the program may be transmitted on a transitory computer-readable medium or a communication medium.
  • transitory computer-readable or communication media includes electrical, optical, acoustic, or other forms of propagating signals.
  • the distributed user private key generation means for generating a distributed user private key, from which the user private key is obtained; transmitting means for transmitting the distributed user private key to a user device of the user; has The distributed master key generation means has a share of the first random number in which the first random number to be kept secret is distributed and a share of the second random number in which the second random number to be concealed is distributed. generating the distributed master private key based on the The distributed user private key generation means includes: Obtain the share of the third random number in a state in which the third random number that is concealed and becomes an element of the user secret key is distributed, and the share in the fourth random number in the state in which the fourth random number to be concealed is distributed.
  • the distributed user private key generation means generates the distributed user private key so that the share of the fourth random number is removed when the user private key is obtained using the distributed user private keys obtained from a plurality of key issuing devices. Generate a distributed user private key, The key issuing device described in Appendix 1.
  • the distributed user private key generation means generates a first random number obtained by multiplying an element of the user private key obtained by the first random number share and the identification information by the fourth random number share. performing restoration on the product and generating the distributed user private key using a first value that is the inverse of the value obtained as a result of the restoration; The key issuing device described in Appendix 2. (Additional note 4) The distributed user private key generation means generates the fourth random number for the element of the user private key obtained by the share of the third random number, the share of the second random number, and the share of the third random number.
  • the distributed user private key generation means generates, as the first data, a second power of a first power of a generation source of a multiplicative cyclic group of a predetermined order, with the first value as an exponent. generate, the exponent of the first power corresponds to the second product;
  • the distributed master key generation means includes: generating a first random number element serving as an element of the first random number and a second random number element serving as an element of the second random number; Secret sharing is performed on the first random number element and the second random number element, and the share of the first random number element and the share of the second random number element obtained by the secret sharing are divided into the shares of the first random number element and the second random number element.
  • a share of the first random number element is obtained using a share of the first random number element obtained from the plurality of key issuing apparatuses, and a share of the second random number element obtained from the plurality of key issuing apparatuses is used.
  • the distributed user private key generation means includes: generating a third random number element that is a third random number element that is concealed and that is an element of the user private key, and a fourth random number element that is a concealed fourth random number element; Secret sharing is performed on the third random number element and the fourth random number element, and the share of the third random number element and the share of the fourth random number element obtained by the secret sharing are Send it to the key issuing device, A share of the third random number is obtained using a share of the third random number element obtained from the plurality of key issuing devices, and a share of the fourth random number element obtained from the plurality of key issuing devices is used.
  • the key issuing device described in Appendix 1. (Appendix 8) a master public key generation means for generating a master public key; It further has The distributed master key generation means further generates a distributed master public key distributed among a plurality of key issuing devices based on the first random number share and the second random number share, The master public key generation means generates the master public key based on the distributed master public keys obtained from the plurality of key issuing devices.
  • (Appendix 9) multiple key issuing devices; a plurality of user devices; a re-encryption device; has Each of the plurality of key issuing devices is distributed master key generation means for generating at least distributed master secret keys distributed among a plurality of key issuing devices; Using the distributed master private key and the user's identification information, the user's user private key is distributed as a distributed user private key, and the distributed user private key obtained from a plurality of key issuing devices is used.
  • the distributed user private key generation means for generating a distributed user private key, from which the user private key is obtained; transmitting means for transmitting the distributed user private key to a user device of the user; has The distributed master key generation means has a share of the first random number in which the first random number to be kept secret is distributed and a share of the second random number in which the second random number to be concealed is distributed. generating the distributed master private key based on the The distributed user private key generation means includes: Obtain the share of the third random number in a state in which the third random number that is concealed and becomes an element of the user secret key is distributed, and the share in the fourth random number in the state in which the fourth random number to be concealed is distributed.
  • Each of the plurality of user devices includes: a user private key generation means for generating the user private key using the distributed user private keys obtained from the plurality of key issuing devices; re-encryption key generation means for generating a re-encryption key using the user private key; a decryption means for decrypting the ciphertext to obtain the plaintext; has The re-encryption device uses the re-encryption key to enable a second user device of the plurality of user devices to decrypt a ciphertext that can be decrypted by a first user device of the plurality of user devices.
  • the distributed user private key generation means of the key issuing device removes the share of the fourth random number when the user private key is obtained using the distributed user private keys obtained from a plurality of key issuing devices. generating the distributed user private key so as to The user private key generation means of the user device generates the distributed user private key such that the share of the fourth random number is removed.
  • the distributed user private key generation means of the key issuing device generates a distributed user private key by multiplying an element of the user private key obtained by the first random number share and the identification information by the fourth random number share. performing restoration on the obtained first product, and generating the distributed user private key using the first value that is the inverse of the value obtained as a result of the restoration;
  • the information processing system according to appendix 10.
  • the distributed user private key generation means of the key issuing device generates an element of the user private key obtained by the share of the third random number, the share of the second random number, and the share of the third random number.
  • the user private key generation means of the user device generates the user private key by restoring each of the third random number share and the second product.
  • the distributed user private key generation means of the key issuing device generates a second power of a first power of a generation source of a multiplicative cyclic group of a predetermined order, with the first value as an exponent. generated as the first data, the exponent of the first power corresponds to the second product;
  • the distributed master key generation means of the key issuing device includes: generating a first random number element serving as an element of the first random number and a second random number element serving as an element of the second random number; Secret sharing is performed on the first random number element and the second random number element, and the share of the first random number element and the share of the second random number element obtained by the secret sharing are divided into the shares of the first random number element and the second random number element.
  • a share of the first random number element is obtained using a share of the first random number element obtained from the plurality of key issuing apparatuses, and a share of the second random number element obtained from the plurality of key issuing apparatuses is used.
  • the distributed user private key generation means of the key issuing device includes: generating a third random number element that is a third random number element that is concealed and that is an element of the user private key, and a fourth random number element that is a concealed fourth random number element; Secret sharing is performed on the third random number element and the fourth random number element, and the share of the third random number element and the share of the fourth random number element obtained by the secret sharing are Send it to the key issuing device, A share of the third random number is obtained using a share of the third random number element obtained from the plurality of key issuing devices, and a share of the fourth random number element obtained from the plurality of key issuing devices is used.
  • the key issuing device is a master public key generation means for generating a master public key; It further has The distributed master key generation means of the key issuing device further generates a distributed master public key distributed among a plurality of key issuing devices based on the share of the first random number and the share of the second random number. generate, The master public key generation means of the key issuing device generates the master public key based on the distributed master public keys obtained from the plurality of key issuing devices, The re-encryption key generation means of the user device generates a re-encryption key using the master public key and the user private key.
  • the user's user private key is distributed as a distributed user private key, and the distributed user private key obtained from a plurality of key issuing devices is used.
  • the user's user private key is distributed as a distributed user private key, and the distributed user private key obtained from a plurality of key issuing devices is used.
  • Each of the second random number share and the third random number share is multiplied by the fourth random number share, and the distributed user secret key is generated based on the product obtained as a result of the multiplication. death, transmitting the distributed user private key to a user device of the user; By the user equipment, generating the user private key using the distributed user private keys obtained from a plurality of the key issuing devices; generating a re-encryption key using the user private key; Decrypt the ciphertext and get the plaintext, The re-encryption device uses the re-encryption key to enable the second user device to decrypt a ciphertext that can be decrypted by the first user device, and generates the user secret key for the first user device.
  • the distributed user secret is configured such that the share of the fourth random number is removed by the key issuing device when the user private key is obtained using the distributed user private keys obtained from a plurality of key issuing devices. generate a key, generating, by the user device, the distributed user private key such that a share of the fourth random number is removed; The information processing method described in Appendix 25.
  • the key issuing device generates, as the first data, a second power of a first power of a generation source of a multiplicative cyclic group of a predetermined order, with the first value as an index; the exponent of the first power corresponds to the second product; Information processing method according to appendix 28.
  • the user's user private key is distributed as a distributed user private key, and the distributed user private key obtained from a plurality of key issuing devices is used.
  • Each of the second random number share and the third random number share is multiplied by the fourth random number share, and the distributed user secret key is generated based on the product obtained as a result of the multiplication.
  • the step of transmitting the distributed user private key to a user device of the user; A non-transitory computer-readable medium that stores a program that causes a computer to execute.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
PCT/JP2022/026138 2022-06-30 2022-06-30 鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体 Ceased WO2024004116A1 (ja)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2024530188A JP7852717B2 (ja) 2022-06-30 2022-06-30 鍵発行装置、情報処理システム、方法及びプログラム
PCT/JP2022/026138 WO2024004116A1 (ja) 2022-06-30 2022-06-30 鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/026138 WO2024004116A1 (ja) 2022-06-30 2022-06-30 鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体

Publications (1)

Publication Number Publication Date
WO2024004116A1 true WO2024004116A1 (ja) 2024-01-04

Family

ID=89382279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/026138 Ceased WO2024004116A1 (ja) 2022-06-30 2022-06-30 鍵発行装置、情報処理システム、方法及びコンピュータ可読媒体

Country Status (2)

Country Link
JP (1) JP7852717B2 (https=)
WO (1) WO2024004116A1 (https=)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015505230A (ja) * 2012-01-25 2015-02-16 サーティボックス エルティーディーCertivox,Ltd. 分散秘密鍵ジェネレータ(d−pkg)ノードから発行された秘密鍵をセキュリティ保護するためのシステム及び方法
US20200252211A1 (en) * 2019-01-31 2020-08-06 Cobinhood Ltd. Method for generating secure randomness on blockchain
WO2020251795A1 (en) * 2019-06-10 2020-12-17 tZERO Group, Inc. Key recovery using encrypted secret shares
CN113079003A (zh) * 2021-03-26 2021-07-06 中国科学院信息工程研究所 一种分布式sm9密钥生成方法及系统

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015505230A (ja) * 2012-01-25 2015-02-16 サーティボックス エルティーディーCertivox,Ltd. 分散秘密鍵ジェネレータ(d−pkg)ノードから発行された秘密鍵をセキュリティ保護するためのシステム及び方法
US20200252211A1 (en) * 2019-01-31 2020-08-06 Cobinhood Ltd. Method for generating secure randomness on blockchain
WO2020251795A1 (en) * 2019-06-10 2020-12-17 tZERO Group, Inc. Key recovery using encrypted secret shares
CN113079003A (zh) * 2021-03-26 2021-07-06 中国科学院信息工程研究所 一种分布式sm9密钥生成方法及系统

Also Published As

Publication number Publication date
JPWO2024004116A1 (https=) 2024-01-04
JP7852717B2 (ja) 2026-04-28

Similar Documents

Publication Publication Date Title
CN104429019B (zh) 秘密分散系统、数据分散装置、分散数据变换装置以及秘密分散方法
Perlner et al. Quantum resistant public key cryptography: a survey
US8429408B2 (en) Masking the output of random number generators in key generation protocols
US9607158B2 (en) Proxy computing system, computing apparatus, capability providing apparatus, proxy computing method, capability providing method, program, and recording medium
EP3741081B1 (en) Computer implemented method and system for obtaining digitally signed data
TW201733302A (zh) 用於基於區塊鏈的系統結合錢包管理系統中的安全多方防遺失儲存及加密金鑰轉移
Mansouri et al. Learning from failures: Secure and fault-tolerant aggregation for federated learning
Son et al. Conditional proxy re-encryption for secure big data group sharing in cloud environment
US20170366338A1 (en) Method and system for providing encrypted data
Kanna et al. Enhancing the security of user data using the keyword encryption and hybrid cryptographic algorithm in cloud
CN117240433A (zh) 一种基于代理重加密的信息分享方法及装置
US11811741B2 (en) Information processing system and information processing method
JP7125857B2 (ja) 暗号化システム、暗号化装置、復号装置、暗号化方法、復号方法、及びプログラム
CN115361109A (zh) 一种支持双向代理重加密的同态加密方法
CA2742530C (en) Masking the output of random number generators in key generation protocols
Chakraborty et al. A secure cloud computing authentication using cryptography
JP7852717B2 (ja) 鍵発行装置、情報処理システム、方法及びプログラム
Hyla et al. Certificate-based encryption scheme with general access structure
Gaidhani et al. A SURVEY REPORT ON TECHNIQUES FOR DATA CONFIDENTIALITY IN CLOUD COMPUTING USING HOMOMORPHIC ENCRYPTION.
Sahana Raj et al. Identity based cryptography using matrices
JP5513444B2 (ja) ベクトル構成システム、方法、装置及びプログラム並びに暗号システム
Chopra Comparative analysis of key exchange algorithms in cryptography and its implementation
Chandrakala et al. Secure and efficient bi-directional proxy re-encyrption technique
CN113872757A (zh) 一种基于sm2公钥加密算法的广播加密方法
CN114528569B (zh) 一种同态计算方法及系统、同态请求、计算和服务设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22949390

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2024530188

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22949390

Country of ref document: EP

Kind code of ref document: A1