CRYPTOGRAPHIC PROCESSING SYSTEM, KEY GENERATION DEVICE, ENCRYPTION DEVICE, DECRYPTION DEVICE, KEY DELEGATION DEVICE, CRYPTOGRAPHIC PROCESSING METHOD, AND CRYPTOGRAPHIC PROCESSING PROGRAM

Information

  • Patent Application
  • 20130336474
  • Publication Number
    20130336474
  • Date Filed
    December 12, 2011
    13 years ago
  • Date Published
    December 19, 2013
    11 years ago
Abstract
Hierarchical predicate encryption (HPE) for inner products with enhanced efficiency of operations. A cryptographic processing system includes a key generation device, an encryption device, and a decryption device. The key generation device generates, as a decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of a basis B*t for each integer t of t=1, . . . , L. The encryption device generates, as a ciphertext ct, a vector in which attribute information x{right arrow over ( )}t is embedded in a basis vector of a basis Bt for at least some integer t of t=1, . . . , L. The decryption device performs a pairing operation on the decryption key skL generated by the key generation device and the ciphertext ct generated by the encryption device, and decrypts the ciphertext ct.
Description
TECHNICAL FIELD

The present invention relates to hierarchical predicate encryption (HPE).


BACKGROUND ART

Non-Patent Literature 21 discusses HPE for inner products. Non-Patent Literature 18 discusses functional encryption.


CITATION LIST
Non-Patent Literature



  • Non-Patent Literature 1: Beimel, A., Secure schemes for secret sharing and key distribution. PhD Thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

  • Non-Patent Literature 2: Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In:2007 IEEE Symposium on Security and Privacy, pp. 321•34. IEEE Press (2007)

  • Non-Patent Literature 3: Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223•38. Springer Heidelberg (2004)

  • Non-Patent Literature 4: Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In:Franklin, M. K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443•59. Springer Heidelberg (2004)

  • Non-Patent Literature 5: Boneh, D., Boyen, X., Goh, E.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440•56. Springer Heidelberg (2005)

  • Non-Patent Literature 6: Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213•29. Springer Heidelberg (2001)

  • Non-Patent Literature 7: Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption scheme. In:Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455•70. Springer Heidelberg (2008)

  • Non-Patent Literature 8: Boneh, D., Katz, J., Improved efficiency for CCA-secure cryptosystems built using identity based encryption. RSA-CT 2005, LNCS, Springer Verlag (2005)

  • Non-Patent Literature 9: Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In:Vadhan, S. P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535•54. Springer Heidelberg (2007)

  • Non-Patent Literature 10: Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290•07. Springer Heidelberg (2006)

  • Non-Patent Literature 11: Canetti, R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. EUROCRYPT 2004, LNCS, Springer-Verlag (2004)

  • Non-Patent Literature 12: Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) IMA Int. Conf. LNCS, vol. 2260, pp. 360•63. Springer Heidelberg (2001)

  • Non-Patent Literature 13: Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445•64. Springer Heidelberg (2006)

  • Non-Patent Literature 14: Gentry, C., Halevi, S.: Hierarchical identity-based encryption with polynomially many levels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437•56. Springer Heidelberg (2009)

  • Non-Patent Literature 15: Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548•66. Springer Heidelberg (2002)

  • Non-Patent Literature 16: Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communication Security 2006, pp. 89•8, ACM (2006)

  • Non-Patent Literature 17: Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146•62. Springer Heidelberg (2008)

  • Non-Patent Literature 18: Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption, EUROCRYPT 2010. LNCS, Springer Heidelberg (2010)

  • Non-Patent Literature 19: Lewko, A. B., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455•79. Springer Heidelberg (2010)

  • Non-Patent Literature 20: Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S. D., Paterson, K. G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 57•4. Springer Heidelberg (2008)

  • Non-Patent Literature 21: Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products, In:ASIACRYPT 2009, Springer Heidelberg (2009)

  • Non-Patent Literature 22: Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communication Security 2007, pp. 195•03, ACM (2007)

  • Non-Patent Literature 23: Pirretti, M., Traynor, P., McDaniel, P., Waters, B.: Secure attribute-based systems. In: ACM Conference on Computer and Communication Security 2006, pp. 99•12, ACM, (2006)

  • Non-Patent Literature 24: Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 494, pp. 457•73. Springer Heidelberg (2005)

  • Non-Patent Literature 25: Shi, E., Waters, B.: Delegating capability in predicate encryption systems. In: Aceto, L., Damgaard, I., Goldberg, L. A., Halldorsson, M. M., Ingolfsdottir, A., Walukiewicz, I. (eds.) ICALP (2) 2008. LNCS, vol. 5126, pp. 560.578. Springer Heidelberg (2008)

  • Non-Patent Literature 26: Waters, B.: Efficient identity based encryption without random oracles. Eurocrypt 2005, LNCS, vol. 3152, pp. 443•59. Springer Verlag, (2005)

  • Non-Patent Literature 27: Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. ePrint, IACR, http://eprint.iacr.org/2008/290

  • Non-Patent Literature 28: Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619˜36. Springer Heidelberg (2009)



DISCLOSURE OF INVENTION
Technical Problem

In an HPE scheme for inner products discussed in Non-Patent Literature 21, cryptographic processes are constructed using one large space. Thus, when this HPE scheme for inner products is implemented, key sizes could be large, adversely affecting efficiency of operations and so on.


It is an object of the present invention to provide an HPE scheme for inner products with enhanced efficiency of operations and so on.


Solution to Problem

A cryptographic processing system according to this invention is a cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L+1 (L being an integer of 1 or more), the cryptographic processing system, and includes


an encryption device that generates, as a ciphertext et, a vector in which attribute information x{right arrow over ( )}t is embedded in a basis vector of the basis Bt for at least some integer t of t=1, . . . , L;


a decryption device that uses, as a decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of the basis B*t for each integer t of t=1, . . . , L, performs a pairing operation on the ciphertext ct generated by the encryption device and the decryption key skL, and decrypts the ciphertext ct; and


a key delegation device that generates a lower-level decryption key skL+1 of the decryption key skL, based on a vector in which predicate information v{right arrow over ( )}L+1 is embedded in a basis vector of a basis B*L+1 and the decryption key skL used by the decryption device.


Advantageous Effects of Invention

In a cryptographic processing system according to the present invention, a hierarchical structure is constructed using a plurality of spaces. Thus, key sizes can be made small, thereby enhancing efficiency of operations.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a diagram for explaining a notion of “delegation (hierarchical delegation)”;



FIG. 2 is a diagram for explaining delegation skipping over a level;



FIG. 3 is a diagram showing hierarchical structures of attribute information and predicate information;



FIG. 4 is a diagram showing an example of hierarchical identity-based encryption;



FIG. 5 is a diagram for explaining a basis and a basis vector;



FIG. 6 is a diagram for explaining an example of a method for implementing a hierarchical structure in vector spaces;



FIG. 7 is a configuration diagram of a cryptographic processing system 10 that executes algorithms of an HPE scheme for inner products.



FIG. 8 is a functional block diagram showing functions of a key generation device 100;



FIG. 9 is a functional block diagram showing functions of an encryption device 200;



FIG. 10 is functional block diagram showing functions of a decryption device 300;



FIG. 11 is a functional block diagram showing functions of a key delegation device 400;



FIG. 12 is a flowchart showing a process of a Setup algorithm;



FIG. 13 is a flowchart showing a process of a KeyGen algorithm;



FIG. 14 is a flowchart showing a process of an Enc algorithm;



FIG. 15 is a flowchart showing a process of a Dec algorithm;



FIG. 16 is a flowchart showing a process of a DelegateL algorithm;



FIG. 17 is a flowchart showing a process of a KeyGen algorithm;



FIG. 18 is a flowchart showing a process of the Dec algorithm;



FIG. 19 is a flowchart showing a process of the DelegateL algorithm; and



FIG. 20 is a diagram showing an example of a hardware configuration of the key generation device 100, the encryption device 200, and the decryption device 300.





DESCRIPTION OF PREFERRED EMBODIMENTS

Embodiments of the invention will now be described with reference to drawings.


In the following description, a processing device is a CPU 911 or the like to be described later. A storage device is a ROM 913, a RAM 914, a magnetic disk 920 or the like to be described later. A communication device is a communication board 915 or the like to be described later. An input device is a keyboard 902, the communication board 915 or the like to be described later. An output device is the RAM 914, the magnetic disk 920, the communication board 915, an LCD 901 or the like to be described later. That is, the processing device, the storage device, the communication device, the input device, and the output device are hardware.


Notations to be used in the following description will be described.


When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.









y



R


A




[

Formula





101

]







When A is a set, Formula 102 denotes that y is uniformly selected from A.


That is, y is a uniform random number in Formula 102.









y



U


A




[

Formula





102

]







Formula 103 denotes that y is set, defined or substituted by z.






y:=z  [Formula 103]


When a is a fixed value, Formula 104 denotes that a machine (algorithm) A outputs a on an input x.






A(x)→a  [Formula 104]


for example,


A(x)→1

Formula 105, that is, Fq, denotes a finite field of order q.






custom-character
q  [Formula 105]


A vector symbol denotes a vector representation over the finite field Fq, that is, Formula 106.






{right arrow over (x)} denotes





(x1, . . . , xncustom-characterq.  [Formula 106]


Formula 107 denotes the inner product, shown in Formula 109, of two vectors x{right arrow over ( )} and v{right arrow over ( )} shown in Formula 108.






{right arrow over (x)}·{right arrow over (v)}  [Formula 107]






{right arrow over (x)}=(x1, . . . , xn),






{right arrow over (v)}=(v1, . . . , vn)  [Formula 108]





Σi=1nxivi  [Formula 109]


XT denotes the transpose of a matrix X.


For a basis B and a basis B* shown in Formula 110, Formula 111 is defined.






custom-character:=(b1, . . . , bN),






custom-character*:=(b*1, . . . , b*N)  [Formula 110]





(X1, . . . , xNcustom-character:=Σi=1Nxibi,





(y1, . . . , yNcustom-character:=Σi=1Nyibi*  [Formula 111]


e{right arrow over ( )}t,j denotes an orthonormal basis vector shown in Formula 112.













e



t
,
j




:








(

0











0





j
-
1




,
1
,




0











0

)





n
t

-
j




ε







q

n
t









for







j
=
1

,





,

n
t






[

Formula





112

]







Formula 113 to Formula 117 are defined.











(



(


x


0

)



0
*


,





,


(


x


d

)



d
*



)

+

(



(


y


0

)



0
*


,





,


(


y


d

)



d
*



)


:=

(



(



x


0

+


y


0


)



0
*


,





,


(



x


d

+


y


d


)



d
*



)





[

Formula





113

]








(
x
)



t
*


:=

(



(

0


)



0
*


,





,


(

0


)




t
-
1

*


,


(

x


)



t
*


,


(

0


)




t
+
1

*


,





,


(

0


)



d
*



)





[

Formula





114

]












(



(


x


i

)



i
*


,


(


x


j

)



j
*



)

:=

(



(


x


i

)



i
*


+


(


x


j

)



j
*









[

Formula





115

]







(



(


x


0

)



0
*


,



(


x


t

)



t
*


;

t
=
1


,







L


)

:=

(



(


x


0

)



0
*


,





,


(


x


L

)



L
*



)





[

Formula





116

]













e


(

c
,

k
*


)


:=




t
=
0

d







e


(


c
t

,

k
t
*


)




,










where





c

:=

(



c
0


ε





0




,





,


c
d


ε





d





)


,










k
*

:=

(



k

L
,
0

*


ε





0
*




,





,


k
d
*


ε





d
*





)







[

Formula





117

]







For Formula 118, Formula 119 is defined.






k*:=(({right arrow over (x)}0custom-character, . . . , ({right arrow over (x)}dcustom-character)  [Formula 118]





[k*]L:=(({right arrow over (x)}0custom-character, . . . , ({right arrow over (x)}Lcustom-character, ({right arrow over (0)}custom-character, . . . , ({right arrow over (0)}custom-character),





[k*]L:=(({right arrow over (0)}custom-character, . . . , ({right arrow over (0)}custom-character,({right arrow over (x)}L+1custom-character, . . . , ({right arrow over (x)}dcustom-character)  [Formula 119]


In the following description, nt in Fqnt denotes nt.


Likewise, (v→1, . . . , v→4) in a secret key sk(v→1, . . . , v→L) denotes (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L), and (v→1, . . . , v→L+1) in a secret key sk(v→1, . . . , v→L+1) denotes (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L+1).


Likewise, when “δi,j” is shown as a superscript, this δi,j denotes δi,j.


When “→” representing a vector is attached to a subscript or superscript, this “→” is attached as a superscript to the subscript or superscript.


In the following description, a cryptographic process includes an encryption process, a decryption process, a key generation process, and a key delegation process.


First Embodiment

In this embodiment, basic concepts for implementing “HPE for inner products” and constructions of “HPE for inner products” will be described.


Firstly, a notion of HPE for inner products will be described. To describe the notion of HPE for inner products, a notion of “delegation” will be described first, together with a notion of “hierarchical delegation”. Then, “predicate encryption (PE) for inner products” will be described. Then, “HPE for inner products”, which is a type of PE for inner products with the notion of hierarchical delegation, will be described. Further, to reinforce the understanding of HPE for inner products, an application example of HPE for inner products will be described.


Secondly, HPE for inner products in vector spaces will be described. In this and subsequent embodiments, HPE and hierarchical predicate key encapsulation mechanism (HPKEM) are implemented in vector spaces. “A basis” and “a basis vector” will be described first. Then, “PE for inner products in vector spaces” will be described. Then, “a method for implementing a hierarchical structure in vector spaces” will be described. Further, to reinforce the understanding, an implementation example of the hierarchical structure will be described.


Thirdly, “dual pairing vector spaces (DPVS)” having rich mathematical structures for implementing HPE for inner products will be described.


Fourthly, basic constructions of “an HPE scheme for inner products” according to this embodiment will be described. Then, basic constructions of “a cryptographic processing system 10” that implements HPE will be described. Then, the HPE scheme and the cryptographic processing system 10 according to this embodiment will be described in detail.


<1. HPE for Inner Products>


<1-1. Notion of Delegation (Hierarchical Delegation)>



FIG. 1 is a diagram for explaining the notion of “delegation (hierarchical delegation)”.


Delegation means that a user who has a higher-level key generates a lower-level key having more limited capabilities than the user's (higher-level) key.


In FIG. 1, a root (key generation device) generates secret keys for first-level (level-1) users by using a master secret key. That is, the root generates keys 1, 2, and 3 for first-level users 1, 2, and 3, respectively. Then, using the key 1, for example, the user 1 can generate keys 11, 12, and 13 for users 11, 12, and 13, respectively, who are lower-level (second-level) users of the user 1. The keys 11, 12, and 13 owned by the users 11, 12, and 13 have more limited capabilities than the key 1 owned by the user 1. The limited capabilities mean that ciphertexts that can be decrypted by that secret key are limited. That is, a lower-level secret key can only decrypt some of ciphertexts that can be decrypted by a higher-level secret key. This means that the keys 11, 12, and 13 owned by the users 11, 12, and 13 can only decrypt some of ciphertexts that can be decrypted by the key 1 owned by the user 1. Generally, the keys 11, 12, and 13 can decrypt respectively different ciphertexts. On the other hand, a ciphertext that can be decrypted by the keys 11, 12, or 13 can be decrypted by the key 1.


As shown in FIG. 1, each secret key is provided for a specific level. This is described as “hierarchical”. That is, as shown in FIG. 1, hierarchical generation of lower-level keys is called “hierarchical delegation”.


In FIG. 1, it has been described that the root generates the secret keys for the first-level users, the first-level users generate the secret keys for the second-level users, and the second-level users generate the secret keys for the third-level users. However, as shown in FIG. 2, the root can generate not only the secret keys for the first-level users, but also the secret keys for the second-level or lower-level users. Likewise, the first-level users can generate not only the secret keys for the second-level users, but also the secret keys for the third-level or lower-level users. That is, the root or each user can generate the secret keys for levels lower than the level of its own secret key.


<1-2. PE for Inner Products>


Next, “PE for inner products” will be described.


PE is a cryptographic scheme in which a ciphertext can be decrypted if a result of inputting attribute information x to predicate information fv is 1 (true) (fv(x)=1). Generally, the attribute information x is embedded in a ciphertext, and the predicate information fv is embedded in a secret key. That is, in PE, a ciphertext c encrypted based on the attribute information x is decrypted by a secret key SKf generated based on the predicate information fv. PE may be described as a cryptographic scheme in which, for example, the predicate information fv is a conditional expression and the attribute information x is information to be input to the conditional expression, and a ciphertext can be decrypted if the input information (attribute information x) satisfies the conditional expression (predicate information fv) (fv(x)=1).


PE is discussed in detail in Non-Patent Literature 17.


PE for inner products is a type of PE in which fv(x)=1 if the inner product of attribute information x and predicate information fv is a predetermined value. That is, a ciphertext c encrypted by the attribute information x can be decrypted by a secret key SKf generated based on the predicate information fv if and only if the inner product of the attribute information x and the predicate information fv is a predetermined value.


In the first embodiment, it is assumed as a general rule that fv(x)=1 if the inner product of the attribute information x and the predicate information fv is 0.


<1-3. HPE for Inner Products>


HPE for inner products (HPKEM for inner products) is a type of “PE for inner products” with the above-described notion of “hierarchical delegation”.


In HPE for inner products, attribute information and predicate information have hierarchical structures, in order to incorporate a hierarchical delegation system in PE for inner products.



FIG. 3 is a diagram showing hierarchical structures of attribute information and predicate information.


In FIG. 3, attribute information and predicate information with the same reference numerals correspond to each other (i.e., their inner product is 0). That is, the inner product of an attribute 1 and a predicate 1 is 0, the inner product of an attribute 11 and a predicate 11 is 0, the inner product of an attribute 12 and a predicate 12 is 0, and the inner product of an attribute 13 and a predicate 13 is 0. This means that a ciphertext c1 encrypted by the attribute 1 can be decrypted by a secret key k1 generated based on the predicate 1. A ciphertext c11 encrypted by the attribute 11 can be decrypted by a secret key k11 generated based on the predicate 11. The same can be said of the attribute 12 and the predicate 12 as well as the attribute 13 and the predicate 13.


As described above, HPE for inner products has the hierarchical delegation system. Thus, the secret key k11 can be generated based on the predicate 11 and the secret key k1 generated based on the predicate 1. That is, a user having the higher-level secret key k1 can generate its lower-level secret key k11 from the secret key k1 and the lower-level predicate 11. Likewise, a secret key k12 can be generated from the secret key k1 and the predicate 12, and a secret key k13 can be generated from the secret key k1 and the predicate 13.


A ciphertext encrypted by a key (public key) corresponding to a lower-level secret key can be decrypted by a higher-level secret key. On the other hand, a ciphertext encrypted by a key (public key) corresponding to a higher-level secret key cannot be decrypted by a lower-level secret key. That is, the ciphertexts c11, c12, and c13 encrypted by the attributes 11, 12, and 13, respectively, can be decrypted by the secret key k1 generated based on the predicate 1. On the other hand, the ciphertext c1 encrypted by the attribute 1 cannot be decrypted by the secret keys k11, k12, and k13 generated based on the predicates 11, 12, and 13, respectively. That is, the inner product of the attribute 11, 12, or 13 and the predicate 1 is 0. On the other hand, the inner product of the attribute 1 and the predicate 11, 12, or 13 is not 0.


<1-4. Application Example of HPE for Inner Products>



FIG. 4 is a diagram showing an example of hierarchical identity-based encryption (HIBE), which is an application example of the HPE scheme for inner products to be described later. HIBE is a cryptographic process in which the notion of hierarchical is applied to identity-based encryption (IBE). IBE is a type of PE, namely, matching PE, which allows a ciphertext to be decrypted if an ID included in the ciphertext matches an ID included in a secret key.


In the example shown in FIG. 4, based on a master secret key sk and an ID “A” of Company A, a root (key generation device) generates a secret key (key A) corresponding to the ID “A”. For example, based on the key A and the ID of each division, a security administrator of Company A generates a secret key corresponding to that ID. For example, the security administrator generates a secret key (key 1) corresponding to an ID “A-1” of a sales division. Then, based on the secret key of each division and the ID of each unit belonging to that division, for example, an administrator of each division generates a secret key corresponding to that ID. For example, an administrator of the sales division generates a secret key (key 11) corresponding to an ID “A-11” of a sales unit 1.


In this case, a ciphertext encrypted by the ID “A-11” of the sales unit 1 can be decrypted by the key 11 which is the secret key corresponding to the ID “A-11” of the sales unit 1. However, a ciphertext encrypted by the ID of a sales unit 2 or a sales unit 3 cannot be decrypted by the key 11. Also, a ciphertext encrypted by the ID of the sales division cannot be decrypted by the key 11.


A ciphertext encrypted by the ID “A-1” of the sales division can be decrypted by the key 1 which is the secret key corresponding to the ID “A-1” of the sales division. Also, a ciphertext encrypted by the ID of a unit belonging to the sales division can be decrypted by the key 1. That is, a ciphertext encrypted by the ID of the sales unit 1, 2, or 3 can be decrypted by the key 1. However, a ciphertext encrypted by the ID of a manufacturing division (ID: A-2) or a staff division (ID: A-3) cannot be decrypted by the key 1. Also, a ciphertext encrypted by the ID of Company A cannot be decrypted by the key 1.


A ciphertext encrypted by the ID “A” of Company A can be decrypted by the key A which is the secret key corresponding to the ID “A” of Company A. Also, a ciphertext encrypted by the ID of each division belonging to Company A or the ID of a unit belonging to each division can be decrypted by the key A.


HPE for inner products can be adapted to various applications other than IBE. In particular, cryptographic processes to be described later are not limited to a class of equality tests, so that they can be applied to a vast number of applications. For example, with respect to searchable encryption or the like which is a type of PE for inner products, the cryptographic processes allow applications that cannot be implemented with conventional PE having the delegation system, such as limiting a searchable range at each level by using a conditional expression such as AND or OR.


That is, the HPKEM and HPE schemes to be described in the subsequent embodiments can be applied to a wide variety of applications such as IBE and searchable encryption.


<2. HPE for Inner Products in Vector Spaces>


HPKEM and HPE are implemented in high-dimensional vector spaces called dual pairing vector spaces (DPVS) to be described later. Thus, HPE for inner products in vector spaces will be described.


<2-1. Basis and Basis Vector>


First, “a basis” and “a basis vector” to be used for explaining a vector space will be briefly explained.



FIG. 5 is a diagram for explaining the basis and the basis vector.



FIG. 5 shows a vector v of a 2-dimensional vector space. The vector v is c1a1+c2a2. Further, the vector v is y1b1+y2b2. Here, a1 and a2 are called basis vectors in a basis A, and are represented as basis A:=(a1, a2). b1 and b2 are called basis vectors in a basis B, and are represented as basis B:=(b1, b2). c1, c2, y1, and y2 are coefficients of respective basis vectors. FIG. 5 shows a 2-dimensional vector space, so that there are two basis vectors in each basis. In an N-dimensional vector space, there are an N number of basis vectors in each basis.


<2-2. PE for Inner Products in Vector Spaces>


PE for inner products in vector spaces will now be described.


As described above, PE for inner products is a type of PE in which fv(x)=1 if the inner product of the attribute information x and the predicate information fv is a predetermined value (0 in this case). When the attribute information x and the predicate information fv are vectors, namely, an attribute vector x{right arrow over ( )} and a predicate vector v{right arrow over ( )}, their inner-product predicate is defined as shown in Formula 120.





If {right arrow over (x)}·{right arrow over (v)}=Σi=1nxivi=0, then f{right arrow over (v)}({right arrow over (x)})=1, and





if {right arrow over (x)}·{right arrow over (v)}=Σi=1nxivi≠0, then f{right arrow over (v)}({right arrow over (x)})=0,  [Formula 120]


where


{right arrow over (x)}=(x1, . . . , xn),


{right arrow over (v)}=(v1, . . . , vn),


That is, it is a type of PE in which a result of inputting the attribute information x to the predicate information fv is 1 (true) if the inner product of the attribute vector x{right arrow over ( )} and the predicate vector {right arrow over (v)} (i.e., the sum of element-wise inner products) is 0, and a result of inputting the attribute information x to the predicate information fv is 0 (false) if the inner product of the attribute vector x{right arrow over ( )} and the predicate vector v{right arrow over ( )} is not 0.


<2-3. Method for Implementing a Hierarchical Structure in Vector Spaces>


A method for implementing a hierarchical structure in vector spaces will now be described.



FIG. 6 is a diagram for explaining an example of the method for implementing a hierarchical structure in vector spaces.


A d number (d is an integer of 1 or more) of vector spaces will be discussed here. Each vector space is a high-dimensional (Nt-dimensional (t=1, . . . , d)) vector space. That is, there exist an Nt number of basis vectors ci (i=1, . . . , Nt) in a predetermined basis Ct (t=1, . . . , d) in each vector space.


A basis C1 is a space for setting attribute information and predicate information of a first level. A basis C2 is a space for setting attribute information and predicate information of a second level. Likewise, a basis CL is a space for setting attribute information and predicate information of an L-th level. Thus, d levels can be represented here.


A secret key of the L-th level is generated not only by setting the predicate information of the L-th level using the basis CL, but also by setting the predicate information of the first to (L−1)-th levels using the bases C1 to CL−1. That is, in a lower-level secret key, the predicate information to be set in a higher-level secret key is also set. This arrangement allows the predicate information to have a hierarchical structure. Then, using the hierarchical structure of the predicate information, a delegation system in PE for inner products is constructed.


In the following description, a format of hierarchy n{right arrow over ( )}:=(d; N1, . . . , Nd) is used to denote the hierarchical structure in a vector space, where d is a value representing the depth of levels described above, and Ni (i=1, . . . , d) is a value representing the number of dimensions, that is, the number of basis vectors, allocated to each level i.


<2-4. Implementation Example of the Hierarchical Structure>


The hierarchical structure will be explained using a simple example. Explanation will be given using an example where there are three levels and each level is allocated a two-dimensional space. That is, n{right arrow over ( )}:=(d; N1, . . . , Nd)=(3; 2, 2, 2).


A user who has a first-level secret key sk1 generated based on a first-level predicate vector v{right arrow over ( )}1:=(v1, v2) can generate a second-level secret key sk2 based on the first-level secret key sk1 and a second-level predicate vector v{right arrow over ( )}2:=(v3, v4). That is, the second-level secret key sk2 is generated based on the predicate vectors (v{right arrow over ( )}1, v{right arrow over ( )}2). Likewise, a user who has the second-level secret key sk2 can generate a third-level secret key sk3 based on the second-level secret key sk2 and a third-level predicate vector v{right arrow over ( )}3=(v5, v6). That is, the third-level secret key sk3 is generated based on the predicate vectors (v{right arrow over ( )}1, v{right arrow over ( )}2, v{right arrow over ( )}3).


The first-level secret key sk1 generated based on the first-level predicate vector v{right arrow over ( )}1 is a secret key generated by (v{right arrow over ( )}1, (0, 0), (0, 0)). Thus, the first-level secret key sk1 can decrypt a ciphertext encrypted by an attribute vector (x{right arrow over ( )}1, (*, *), (*, *)):=((x1, x2), (*, *), (*, *)) if v{right arrow over ( )}1·x{right arrow over ( )}1=0. This is because (*, *) (0, 0)=0. Here, “*” denotes an arbitrary value.


Likewise, the second-level secret key sk2 generated based on the second-level predicate vectors (v{right arrow over ( )}1, v{right arrow over ( )}2) is a secret key generated by (v{right arrow over ( )}1, v{right arrow over ( )}2, (0, 0)). Thus, the second-level secret key sk2 can decrypt a ciphertext encrypted by attribute vectors (x{right arrow over ( )}1, x{right arrow over ( )}2, (*, *))=((x1, x2), (x3, x4), (*, *)) if v{right arrow over ( )}1·x{right arrow over ( )}1=0 and v{right arrow over ( )}2·x{right arrow over ( )}2=0.


However, the second-level secret key sk2 cannot decrypt a ciphertext encrypted by the first-level attribute vector x{right arrow over ( )}1:=(x1, x2) (i.e., (x{right arrow over ( )}1, (*, *), (*, *)). This is because if not v{right arrow over ( )}2=(0, 0), then (*, *)·v{right arrow over ( )}2≠0 and v{right arrow over ( )}2·x{right arrow over ( )}2≠0. Therefore, it can be stated that the second-level secret key sk2 has more limited capabilities than the parent secret key key sk2.


<3. Dual Pairing Vector Spaces (DPVS)>


Symmetric bilinear pairing groups will be described first.


Symmetric bilinear pairing groups (q, G, GT, g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group GT of order q, g≠0εG, and a polynomial-time computable nondegenerate bilinear pairing e: G×G→GT. The nondegenerate bilinear pairing is e(sg, tg)=e(g, g)st and e(g,g)≠1.


In the following description, Formula 121 is an algorithm that takes 1λ as input and outputs values of parameter paramG:=(q, G, GT, g, e) of bilinear pairing groups with a security parameter λ.






G
bpg  [Formula 121]


Dual pairing vector spaces will now be described.


Dual pairing vector spaces (q, V, GT, A, e) can be constructed by a direct product of the symmetric bilinear pairing groups (paramG:=(q, G, GT, g, e)). The dual pairing vector spaces (q, V, GT, A, e) are a tuple of a prime q, an N-dimensional vector space V over Fq shown in Formula 122, a cyclic group GT of order q, and a canonical basis A:=(a1, . . . , aN) of the space V, and have the following operations (1) and (2). Here, ai is as shown in Formula 123.










:=



×

×




N






[

Formula





122

]







a
i

:=

(



0
,





,
0




i
-
1



,
g
,


0
,





,
0




N
-
i




)





[

Formula





123

]







Operation (1): Nondegenerate Bilinear Pairing


A pairing in the space V is defined by Formula 124.






e(x,y):=Πi=1Ne(Gi,Hicustom-characterT  [Formula 124]


where


(G1, . . . , GN):=xεcustom-character

(H1, . . . , HN):=yεcustom-character


This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)st and if e(x, y)=1 for all yεV, then x=0. For all i and j, e(ai, aj)=e(g, g)δi,j, where δi,j=1 if i=j, and δi,j=0 if i≠j, and e(g, g)≠1εGT.


Operation (2): Distortion Maps


Linear transformations φi,j on the space V shown in Formula 125 can achieve Formula 126.











If







φ

i
,
j




(

a
j

)



=

a
i







and







k

j

,




then









φ

i
,
j




(

a
k

)


=
0.





[

Formula





125

]









φ

i
,
j




(
x
)


:=

(



0
,





,
0




i
-
1



,

g
j

,


0
,





,
0




N
-
i




)









where




(


g
1

,








g
N



)

:=

x
.






[

Formula





126

]







The linear transformations φi,j will be called distortion maps.


In the following description, Formula 127 is an algorithm that takes as input 1λ (λεnatural number), Nεnatural number, and values of parameter paramG:=(q, G, GT, g, e) of bilinear pairing groups, and outputs values of parameter paramv:=(q, V, GT, A, e) of dual pairing vector spaces with a security parameter λ and an N-dimensional space V.






G
dpvs  [Formula 127]


Description will be directed herein to a case where the dual pairing vector spaces are constructed using the above-described symmetric bilinear pairing groups. The dual pairing vector spaces can also be constructed using asymmetric bilinear pairing groups. The following description can easily be adapted to a case where the dual pairing vector spaces are constructed using asymmetric bilinear pairing groups.


<4. Construction of HPE and Cryptographic Processing System 10>


<4-1. Basic Construction of HPE for Inner Products>


A construction of the HPE scheme for inner products will be briefly described.


The HPE scheme for inner products includes five probabilistic polynomial-time algorithms: Setup, KeyGen, Enc, Dec, and DelegateL (L=1, . . . , d−1).


(Setup)


The Setup algorithm takes as input a security parameter 1λ and a format of hierarchy n{right arrow over ( )}:=(d; N0, . . . , Nd), and outputs a master public key pk and a master secret key sk. The master secret key sk is a top-level key.


(KeyGen)


The KeyGen algorithm takes as input the master public key pk, the master secret key sk, and predicate vectors (v{right arrow over ( )}1, v{right arrow over ( )}L) (1≦L≦d), and outputs an L-th-level secret key sk(v→1, . . . , v→L).


(Enc)


The Enc algorithm takes as input the master public key pk, attribute vectors (x{right arrow over ( )}1, . . . , x{right arrow over ( )}h) (1≦h≦d), and a message m, and outputs a ciphertext et (encrypted text). That is, the Enc algorithm outputs the ciphertext ct containing the message m and encrypted by the attribute vectors (x{right arrow over ( )}1, . . . , x{right arrow over ( )}h).


(Dec)


The Dec algorithm takes as input the master public key pk, the L-th-level secret key sk(v→1, . . . , v→L), and the ciphertext ct, and outputs the message m or a distinguished symbol ⊥. The distinguished symbol ⊥ is information indicating decryption failure. That is, the Dec algorithm decrypts the ciphertext ct by the L-th-level secret key, and extracts the message m. In case of decryption failure, the Dec algorithm outputs the distinguished symbol ⊥.


(DelegateL)


DelegateL, takes as input the master public key pk, the L-th-level secret key sk(v→1, . . . , v→L), and an (L+1)-th-level predicate vector v{right arrow over ( )}L+1 (L+1≦d), and outputs an (L+1)-th-level secret key sk(v→1, . . . , v→L+1). That is, the DelegateL, algorithm outputs a lower-level secret key.


<4-2. Cryptographic Processing System 10>


The cryptographic processing system 10 that executes the algorithms of the HPE scheme for inner products will be described.



FIG. 7 is a configuration diagram of the cryptographic processing system 10 that executes the algorithms of the HPE scheme for inner products.


The cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400. Description will be given herein assuming that the decryption device 300 includes the key delegation device 400. However, the key delegation device 400 may be provided separately from the decryption device 300.


The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and a format of hierarchy n{right arrow over ( )}:=(d; N0, . . . , Nd), and generates a master public key pk and a master secret key sk. Then, the key generation device 100 makes public the generated master public key pk. The key generation device 100 also executes the KeyGen algorithm taking as input the master public key pk, the master secret key sk, and predicate vectors (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L) (1≦L≦d), generates an L-th-level secret key sk(v→1, . . . , v→L), and secretly provides the L-th-level secret key to the L-th-level decryption device 300.


The encryption device 200 executes the Enc algorithm taking as input the master public key pk, attribute vectors (x{right arrow over ( )}1, . . . , x{right arrow over ( )}h) (1≦h≦d), and a message m, and generates a ciphertext ct. The encryption device 200 transmits the generated ciphertext ct to the decryption device 300.


The decryption device 300 executes the Dec algorithm taking as input the master public key pk, the L-th-level secret key sk(v→1, . . . , v→L), and the ciphertext ct, and outputs the message m or the distinguished symbol ⊥.


The key delegation device 400 executes the DelegateL algorithm taking as input the master public key pk, the L-th-level secret key sk(v→1, . . . , v→L), and an (L+1)-th-level predicate vector v{right arrow over ( )}L+1 (L+1≦d), and generates an (L+1)-th-level secret key sk(v→1, . . . , v→L+1), and secretly provides the (L+1)-th-level secret key to the (L+1)-th-level decryption device 300.


<4-3. Details of HPE Scheme for Inner Products and Cryptographic Processing System 10>


Referring to FIGS. 8 to 16, description will be directed to the HPE scheme for inner products according to the first embodiment. Description will also be directed to functions and operations of the cryptographic processing system 10 that implements the HPE scheme for inner products.



FIG. 8 is a functional block diagram showing functions of the key generation device 100. FIG. 9 is a functional block diagram showing functions of the encryption device 200. FIG. 10 is a functional block diagram showing functions of the decryption device 300. FIG. 11 is a functional block diagram showing functions of the key delegation device 400.



FIGS. 12 and 13 are flowcharts showing operations of the key generation device 100. FIG. 12 is a flowchart showing a process of the Setup algorithm. FIG. 13 is a flowchart showing a process of the KeyGen algorithm. FIG. 14 is a flowchart showing operations of the encryption device 200 and showing a process of the Enc algorithm. FIG. 15 is a flowchart showing operations of the decryption device 300 and showing a process of the Dec algorithm. FIG. 16 is a flowchart showing operations of the key delegation device 400 and showing a process of the DelegateL algorithm.


In the following description, a subscript “dec” stands for “decryption”. The subscript “dec” indicates a decryption element used for decrypting a ciphertext. A subscript “ran” stands for “randomization”. The subscript “ran” indicates a randomizing element for randomizing the coefficient of a predetermined basis vector of a lower-level decryption key. A subscript “del” stands for “delegation”. The subscript “del” indicates a delegation element for generating a lower-level decryption key.


The functions and operations of the key generation device 100 will be described.


As shown in FIG. 8, the key generation device 100 includes a master key generation unit 110, a master key storage unit 120, an information input unit 130 (first information input unit), a decryption key generation unit 140, and a key distribution unit 150 (decryption key transmission unit).


The decryption key generation unit 140 includes a random number generation unit 141, a decryption element generation unit 142, a randomizing element generation unit 143, and a delegation element generation unit 144.


Referring to FIG. 12, the process of the Setup algorithm will be described first.


(S101: Orthonormal Basis Generation Step)


Using the processing device, the master key generation unit 110 computes Formula 128, and randomly generates paramn→ as well as a basis Bt and a basis B*t for each integer t of t=0, . . . , d.









[

Formula





128

]
















input







1
λ

,


n


:=

(

d
;


n


:=

(


d
;

n
1


,





,

n
d

,

u
0

,





,

u
d

,

w
0

,





,

w
d

,

z
0

,





,

z
d


)



)















N
0

:=

1
+

u
0

+
1
+

w
0

+

z
0



;












N
t

:=


n
t

+

u
t

+

w
t

+


z
t



(


t
=
1

,

,
d

)









(
1
)












param


:=


(

q
,

,


T

,
g
,
e

)




R





bpg



(

1
λ

)








(
2
)












ψ



U




q
x


,










Steps






(
4
)






to






(
8
)






are





executed





for





each





t





of





t

=
0

,









,

d
.






(
3
)







param


t


:=


(

q
,


t

,


T

,


t

,
e

)

:=



dpvs



(


1
λ

,

N
t

,

param



)







(
4
)












X
t

:=



(

χ

t
,
i
,
j


)


i
,
j





U



GL


(


N
t

,


q


)








(
5
)













(

v

t
,
i
,
j


)


i
,
j


:=


ψ
·

(

X
t
T

)


-
1






(
6
)













t

:=

(


b

t
,
1


,





,

b
t

,

N
t


)






(
7
)













t
*

:=

(


b

t
,
1

*

,





,


b

t
,

*



N
t



)






(
8
)












param

n



:=

(



{

param


t


}



t
=
0

,









,
d
,




g
T


)






(
9
)







That is, the master key generation unit 110 executes the following steps.


(1) Using the input device, the master key generation unit 110 inputs a security parameter λ(1λ) and a format of attribute n{right arrow over ( )}:=(d; n1, . . . , nd, u0, . . . , ud, w0, . . . , wd, z0, . . . , zd), where d is an integer of 1 or more, nt is an integer of 1 or more for each integer t of t=1, . . . , d, and ut, wt, zt are integers of 1 or more for each integer t of t=0, . . . d. The master key generation unit 110 also sets N0:=1+u0+1+w0+z0 and Nt: =nt+ut+wt+zt for each integer t of t=1, . . . , d.


(2) Using the processing device, the master key generation unit 110 executes the algorithm Gbpg taking as input the security parameter λ(1λ) input in (1), and randomly generates values of parameter paramG:=(q, G, GT, g, e) of bilinear pairing groups.


(3) Using the processing device, the master key generation unit 110 generates a random number ψ.


Then, the master key generation unit 110 executes the following steps (4) to (8) for each integer t of t=0, . . . , d.


(4) Using the processing device, the master key generation unit 110 executes the algorithm Gdpvs taking as input the security parameter λ(1λ) and Nt input in (1) and the values of paramG:=(q, G, GT, g, e) generated in (2), and generates values of parameter paramVt:=(q, Vt, GT, At, e) of dual pairing vector spaces.


(5) Using the processing device, the master key generation unit 110 randomly generates a linear transformation Xt:=(χt,i,j)i,j taking as input Nt set in (3) and Fq. Note that GL stands for general linear. That is, GL is a general linear group, a set of square matrices with nonzero determinants, and a group under multiplication. (χt,i,j)i,j denotes a matrix associated with the subscripts i,j of the matrix χt,i,j, where i, j=1, . . . , Nt.


(6) Using the processing device and based on the random number ψ and the linear transformation Xt, the master key generation unit 110 generates (νt,i,j)i,j:=ψ·(XtT)−1. As in the case of (χt,i,j)i,j, (νt,i,j)i,j denotes a matrix associated with the subscripts j of the matrix νt,i,j where i, j=1, . . . , Nt.


(7) Using the processing device and based on the linear transformation Xt generated in (5), the master key generation unit 110 generates the basis Bt from the orthonormal basis At generated in (4).


(8) Using the processing device and based on (νt,i,j)i,j generated in (6), the master key generation unit 110 generates the basis B*t from the orthonormal basis At generated in (4).


(9) Using the processing device, the master key generation unit 110 sets e(g,g)ψ in gT. The master key generation unit 110 also sets {paramVt} t=0, . . . , d generated in (4) and gT in paramn→, where gT=bt,i, b*t,i) for each integer t of t=0, . . . , d and each integer i of i=1, . . . , Nt.


To summarize, in (S101), the master key generation unit 110 executes the algorithm Gob shown in Formula 129, and generates paramn→ as well as the basis Bt and the basis B*t for each integer t of t=0, . . . , d.











ob

(


1
λ

,


n


:=



(

d
;


n


:=

(


d
;

n
1


,





,

n
d

,

u
0

,





,

u
d

,

w
0

,





,

w
d

,

z
0

,





,

z
d


)



)

:









N
0


:=

1
+

u
0

+
1
+

w
0

+

z
0




,


N
t

:=



n
t

+

u
t

+

w
t

+


z
t










for





t


=
1


,





,
d
,










param


:=


(

q
,

,


T

,
g
,
e

)




R





bpg



(

1
λ

)




,









ψ



U




q
x


,










For





t

=
0

,





,
d
,






param


t


:=


(

q
,


t

,


T

,


t

,
e

)

:=



dpvs



(


1
λ

,

N
t

,

param



)




,










X
t

:=



(

χ

t
,
i
,
j


)


i
,
j





U



GL


(


N
t

,


q


)




,















(

v

t
,

i
.
j



)


i
,
j


:=


ψ
·

(

X
t
T

)


-
1


,










b

t
,
i


:=



(



χ

t
,
i
,
1
,









,

χ

t
,
i
,

N
t




)




t


=




j
=
1


N
t









χ

t
,
i
,
j




a

t
,
j






,















t

:=

(


b

t
,
1


,





,

b

t
,

N
t




)


,










b

t
,
i

*

:=



(



v

t
,
i
,
1
,









,

v

t
,
i
,

N
t




)




t


=




j
=
1


N
t









v

t
,
i
,
j




a

t
,
j






,















t
*

:=

(


b

t
,
1

*

,





,

b
t
*




,
N

t


)


,










g
T

:=


e


(

g
,
g

)


ψ


,














param

n



:=


(



{

param


t


}



t
=
0

,









,
d
,




g
T


)










return







(


param

n



,


{



t

,


t
*


}



t
=
0

,









,
d



)

.








[

Formula





129

]







(S102: Master Public Key Generation Step)


Using the processing device, the master key generation unit 110 generates a partial basis B̂0 of the basis B0 and a partial basis B̂t of the basis Bt for each integer t of t=1, . . . , d, as shown in Formula 130.






custom-character
0:=(b0,1, b0,1+u0+1,bd0,1+u0+1+w0+1, . . . , b0,1+u0+1+w0+z0),






custom-character
t:=(bt,1, . . . , bt,nt,bt,nt+ut+wt+1, . . . , bt,nt+ut+wt+zt) for t=1, . . . , d  [Formula 130]


The master key generation unit 110 designates, as a master public key pk, a combination of the generated partial basis B̂0 and partial basis B̂t, the security parameter λ(1λ) input in (S101), and param, the basis vectors b*0,1+u0+1+1, . . . , b*0,1+u0+1+w0 (where u0 and w0 respectively denote u0 and w0), and the basis vectors b*t,nt+ut+1, . . . , b*t,nt+ut+wt (where nt, ut, and wt respectively denote nt, ut, and wt) for each integer t of t=1, . . . , d generated in (S101).


(S103: Master Secret Key Generation Step)


Using the processing device, the master key generation unit 110 generates a partial basis B̂*0 of the basis B*0 and a partial basis B̂*t of the basis B*t for each integer t of t=1, . . . , d, as shown in Formula 131.






custom-character*0:=(b*0,1,b*0,1+u0+1),






custom-character*t:=(b*t,1, . . . , b*t,nt) for t=1, . . . , d  [Formula 131]


The master key generation unit 110 designates the generated partial basis B̂*0 and partial basis B̂*t as a master secret key.


(S104: Master Key Storage Step)


The master key storage unit 120 stores the master public key pk generated in (S102) in the storage device. The master key storage unit 120 also stores the master secret key sk generated in (S103) in the storage device.


To summarize, in (S101) to (S103), the key generation device 100 executes the Setup algorithm shown in Formula 132, and generates the master public key pk and the master secret key sk. Then, in (S104), the key generation device 100 stores the generated public parameter pk and master key sk in the storage device.


The master public key pk is made public through a network, for example, so as to be made available for the decryption device 300.












Setup






(


1
λ

,


n


:=

(


d
;

n
1


,





,

n
d

,

u
0

,





,

u
d

,

w
0

,





,

w
d

,

z
0

,





,

z
d


)



)


:










(


param

n



,


{



t

,


t
*


}



t
=
0

,









,
d



)




R





ob



(


1
λ

,

n



)




,








^

0

:=

(


b

0
,
1


,

b

0
,

1
+

u
0

+
1



,

b

0
,

1
+

u
0

+

1


w
0


+
1



,





,

b

0
,

1
+

u
0

+
1
+

w
0

+

z
0





)


,








^

t

:=

(


b

t
,
1


,





,

b

t
,

n
t



,

b

t
,


n
t

+

u
t

+

w
t

+
1



,





,

b

t
,


n
t

+

u
t

+

w
t

+

z
t





)



















for





t

=
1

,





,
d
,












^

0
*

:=

(


b

0
,
1

*

,

b

0
,

1
+

u
0

+
1


*


)


,












^

t
*

:=



(


b

t
,
1

*

,





,

b

t
,

n
t


*


)






for





t

=
1


,





,
d
,





pk
:=

(


1
λ

,

param

n



,


{



^

t

}



t
=
0

,





,
d


,





b

01
+

u
0

+
1
+
1

*

,





,

b

0
,

1
+

u
0

+
1
+

w
0



*

,


{


b

t
,


n
t

+

u
t


,

+
1


*

,





,

b

t
,


n
t

+

u
t

+

w
t



*


}



t
=
1

,









,
d



)


,









sk
:=


{



^

t
*

}



t
=
0

,











d




,









return





pk

,

sk
.






[

Formula





132

]







Referring to FIG. 13, the process of the KeyGen algorithm executed by the key generation device 100 will now be described.


(S201: Information Input Step)


Using the input device, the information input unit 130 inputs predicate information (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L):=((v1,i (i=1, . . . , n1)), . . . , (vL,i (i=1, . . . , nL))). As predicate information, an attribute of a user of a key is input.


(S202: Random Number Generation Step)


Using the processing device, the random number generation unit 141 generates a random number ψ, random numbers sdec,t, sran,j,t (t=1, . . . , L), random numbers θdec,t, θran,j,t, η{right arrow over ( )}dec,t, η{right arrow over ( )}ran,j,t (t=0, . . . , L), random numbers sran,(τ,ι)t, sdel,(τ,ι),t (t=1, . . . , L+1), and random numbers θran,(τ,ι),t, θdel,(τ,ι),t, η{right arrow over ( )}ran,(τ,ι),t, η{right arrow over ( )}del,(τ,ι),t (t=0, . . . , L+1) for each integer j, τ, ι of j=1, . . . , 2L, τ of τ=L+1, . . . d, and (τ,ι)=(τ,1), . . . , (τ,nτ), as shown in Formula 133.














for











j
=
1

,





,


2

L

;













τ
=

L
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;












ψ
,

s

dec
,
t


,


s

ran
,
j
,
t





U





q



(


t
=
1

,





,
L

)



,









θ

dec
,
t


,


θ

ran
,
j
,
t





U





q



(


t
=
0

,





,
L

)



,







η
->


dec
,
t


:=


(


η

dec
,
t
,
1


,





,

η

dec
,
t
,

w
t




)




U





q

w
t




(


t
=
0

,





,
L

)




,







η
->


ran
,
j
,
t


:=


(


η

ran
,
j
,
t
,
1


,





,

η

ran
,
j
,
t
,

w
t




)




U





q

w
t




(


t
=
0

,





,
L

)




,









s

ran
,

(

τ
,
l

)

,
t


,


s

del
,

(

τ
,
l

)

,
t





U





q



(


t
=
1

,





,

L
+
1


)



,









θ

ran
,

(

τ
,
l

)

,
t


,


θ

del
,

(

τ
,
l

)

,
t





U





q



(


t
=
0

,





,

L
+
1


)



,







η
->


ran
,

(

τ
,
l

)

,
t


:=


(


η

ran
,

(

τ
,
l

)

,
t
,
1


,





,

η

ran
,

(

τ
,
l

)

,
t
,

w
t




)




U





q

w
t




(


t
=
0

,





,

L
+
1


)




,







η
->


del
,

(

τ
,
l

)

,
t


:=


(


η

del
,

(

τ
,
l

)

,
t
,
1


,





,

η

del
,

(

τ
,
l

)

,
t
,

w
t




)




U





q

w
t




(


t
=
0

,





,

L
+
1


)










[

Formula





133

]







Also, sdec,0, sran,j,0, sran,(τ,ι),0, and sdel,(τ,ι),0 are set as shown in Formula 134.






s
dec,0:=Σt=1Lsdec,t,






s
ran,j,0:=Σt=1Lsran,j,t,






s
ran,(τ,ι),0:=Σt=1L+1sran,(τ,ι),t,






s
del,(τ,ι),0:=Σt=1L+1sdel,(τ,ι),t  [Formula 134]


(S203: Decryption Element Generation Step)


Using the processing device, the decryption element generation unit 142 generates a decryption element k*L,dec which is an element of a decryption key skL, as shown in Formula 135.






k*
L,dec:=((−sdec,0,0u0,1,{right arrow over (η)}dec,0,0z0custom-character, (sdec,t{right arrow over (e)}t,1dec,t{right arrow over (v)}t,0ut,{right arrow over (η)}dec,t,0ztcustom-character:t=1, . . . , L)  [Formula 135]


As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 135 denotes that coefficients of basis vectors of the basis B*0 and the basis B*t (t=1, . . . , L) are set as described below to generate the decryption element k*L,dec.


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sdec,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0. 1 is set as a coefficient of a basis vector 1+u0+1. ηdec,0,1, . . . , ηdec,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3.


sdec,tdec,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θdec,tvt,2, . . . , θdec,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdec,t,1, . . . , ηdec,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


(S204: First Randomizing Element Generation Step)


Using the processing device, the randomizing element generation unit 143 generates a first randomizing element k*L,ran,j which is an element of the decryption key skL, for each integer j of j=1, . . . , 2L, as shown in Formula 136.






k*
L,ran,j:=((−sran,j,00u0,0,{right arrow over (η)}ran,j,0,0z0custom-character, (sran,j,t{right arrow over (e)}t,1ran,j,t{right arrow over (v)}t,0ut,{right arrow over (η)}ran,j,t,0ztcustom-character:t=1, . . . , L)  [Formula 136]


As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 136 denotes that coefficients of basis vectors of the basis B*0 and the basis B*t (t=1, . . . , L) are set as described below to generate the first randomizing element k*L,ran,j.


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sran,j,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηran,j,0,1, . . . , ηran,j,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3.


sran,j,tran,j,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θran,j,tvt,2, . . . , θran,j,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,j,t,1, . . . , ηran,j,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


(S205: Second Randomizing Element Generation Step)


Using the processing device, the randomizing element generation unit 143 generates a second randomizing element k*L,ran,(τ,ι) which is an element of the decryption key skL, for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nt with respect to each integer τ, as shown in Formula 137.






k*
L,ran,(τ,ι)
L=((−sran,(τ,ι),0,0u0,0,{right arrow over (η)}ran,(τ,ι),0,0z0custom-character,(sran,(τ,ι),t{right arrow over (e)}t,1ran,(τ,ι),t{right arrow over (v)}t,0ut,{right arrow over (η)}ran,(τ,ι),t,0ztcustom-character:t=1, . . . , L(sran,(τ,ι),L+1{right arrow over (e)}τ,1,0yτ,{right arrow over (n)}ran,(τ,ι),L+1,0zτcustom-character  [Formula 137]


As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 137 denotes that coefficients of basis vectors of the basis B*0, the basis B*t (t=1, . . . , L), and a basis B*τ are set as described below to generate the second randomizing element k*L,ran,(τ,ι).


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sran,(τ,ι),0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηran,(τ,ι),0,1, . . . , ηran,(τ,ι),0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3.


sran,(τ,ι),tran,(τ,ι),tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θran,(τ,ι),tvt,2, . . . , θran,(τ,ι),tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,(τ,ι),t,1, . . . , ηran,(τ,ι),t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


Next, description will be directed to the basis B*τ. For simplicity of notation, a basis vector b*τ,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*τ,1. Basis vectors 1, . . . , 3 denote basis vectors b*τ,1, . . . , b*τ,3.


sran,(τ,ι),L+1 is set as a coefficient of a basis vector 1 of the basis B*τ. 0 is set as a coefficient of each of basis vectors 2, . . . , nτ, . . . nτ+uτ. ηran,(τ,ι),L+1,1, . . . , ηran,(τ,ι),L+1,wτ (where wτ denotes wt) are respectively set as coefficients of basis vectors nτ+uτ+1, . . . , nτ+uτ+wτ. 0 is set as a coefficient of each of basis vectors nτ+uτ+wτ+1, . . . , nτ+uτ+wτ+zτ.


(S206: Delegation Element Generation Step)


Using the processing device, the delegation element generation unit 144 generates a delegation element k*L,del,(τ,ι) which is an element of the decryption key skL, for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 138.






k*
L,del,(τ,ι):=((−s
del,(τ,ι,0,0u0,0,{right arrow over (η)}del,(τ,ι),0,0z0custom-character,(sdel,(τ,ι),t{right arrow over (e)}t,1del,(τ,ι),t{right arrow over (v)}t,0ut,{right arrow over (η)}del,(τ,ι),t,0ztcustom-character:t=1, . . . , L(sdel,(τ,ι),L+1{right arrow over (e)}τ,1+ψ{right arrow over (e)}τ,ι,0uτ,{right arrow over (η)}del,(τ,ι),L+1,0zτcustom-character)  [Formula 138]


As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 138 denotes that coefficients of basis vectors of the basis B*0 and the basis B*t (t=1, . . . , L) are set as described below to generate the delegation element k*L,del,(τ,ι).


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sdel,(τ,t),0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηdel,(τ,ι),0,1, . . . , ηdel,(τ,ι),0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+l+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3.


sdel,(τ,ι),tdel,(τ,ι),tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θdel,(τ,ι),tvt,2, . . . , θdel,(τ,ι),tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut, ηdel,(τ,ι),t,1, . . . , ηdel,(τ,ι),t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut±wt+zt.


Next, description will be directed to the basis B*τ. For simplicity of notation, a basis vector b*τ,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*τ,1. Basis vectors 1, . . . , 3 denote basis vectors b*τ,1, . . . , b*τ,3.


sdel,(τ,ι),L+1e{right arrow over ( )}τ,1+ψe{right arrow over ( )}τ,ι is set as a coefficient of each of basis vectors 1, . . . , nτ of the basis B*τ. 0 is set as a coefficient of each of basis vectors nτ+1, . . . , nτ+uτ. ηdel,(τ,ι),L+1,1, . . . , ηdel,(τ,ι),L+1,wτ (where wτ denotes wτ) are respectively set as coefficients of basis vectors nτ+uτ+1, . . . , nτ+uτ+wτ. 0 is set as a coefficient of each of basis vectors nτ+uτ+wτ+1, . . . , nτ+uτ+wτ+zτ.


(S207: Key Distribution Step)


Using the communication device and through the network, for example, the key distribution unit 150 secretly provides to the decryption device 300 the decryption key skL having elements of the decryption element k*L,dec, the first randomizing element k*L,ran,j (j=1, . . . , 2L), the second randomizing element k*L,ran,(τ,ι) (τ=L+1, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), and the delegation element k*L,del,(τ,ι) (τ=L+1, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)). It is obvious that the decryption key skL may be provided to the decryption device 300 by other methods.


To summarize, in (S201) to (S206), the key generation device 100 executes the KeyGen algorithm shown in Formulas 139 and 140, and generates the decryption key skL. Then, in (S207), the key generation device 100 provides the generated decryption key skL to the decryption device 300.










KeyGen


(

pk
,
sk
,


(



v
->

1

,





,


v
->

L


)

:=

(


v

1
,
1


,





,

v

1
,

n
1




)


,









,

(


v

L
,
1


,





,

v

L
,

n
L




)


)


:




[

Formula





139

]











for











j
=
1

,





,


2

L

;













τ
=

L
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;








ψ

,

s

dec
,
t


,




s

ran
,
j
,
t





U




q








(


t
=
1

,





,
L

)


;















θ

dec
,
t


,


θ

ran
,
j
,
t





U




q


,


η
->


dec
,
t


,





η
->


ran
,
j
,
t





U




q

w
t









(


t
=
0

,





,
L

)


;













s

ran
,

(

τ
,
l

)

,
t


,




s

del
,

(

τ
,
l

)

,
t





U




q








(


t
=
1

,





,

L
+
1


)


;













θ

ran
,

(

τ
,
l

)

,
t


,


θ

del
,

(

τ
,
l

)

,
t





U




q


,


η
->


ran
,

(

τ
,
l

)

,
t


,



η
->


del
,

(

τ
,
l

)

,
t





U




q

w
t



,


(


t
=
0

,





,

L
+
1


)

;














s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,













s

ran
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

ran
,

(

τ
,
l

)

,
t




,


s

del
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

del
,

(

τ
,
l

)

,
t




,













k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,

0

u
0


,
1
,


η
->


dec
,
0


,

0

z
0



)



0
*


,




(




s

dec
,
t





e
->


t
,
1



+


θ

dec
,
t





v
->

t



,

0

u
t


,


η
->


dec
,
t


,

0

z
t



)



t
*


:
t

=
1

,





,
L

)


,




[

Formula





140

]








k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,

0

u
0


,
0
,


η
->


ran
,
j
,
0


,

0

z
0



)



0
*


,




(




s

ran
,
j
,
t





e
->


t
,
1



+


θ

ran
,
j
,
t





v
->

t



,

0

u
t


,


η
->


ran
,
j
,
t


,

0

z
t



)



t
*


:
t

=
1

,









,
L

)


,














k

L
,
ran
,

(

τ
,
l

)


*

:=

(



(


-

s

ran
,

(

τ
,
l

)

,
0



,

0

u
0


,
0
,


η
->


ran
,

(

τ
,
l

)

,
0


,

0

z
0



)



0
*


,




(




s

ran
,

(

τ
,
l

)

,
t





e
->


t
,
1



+


θ

ran
,

(

τ
,
l

)

,
t





v
->

t



,

0

u
t


,


η
->


ran
,

(

τ
,
l

)

,
t


,

0

z
t



)



t
*


:
t

=
1

,









,


L


(



s

ran
,

(

τ
,
l

)

,

L
+
1






e
->


τ
,
1



,


η
->


ran
,

(

τ
,
l

)

,

L
+
1



,

0

z
τ



)




τ
*



)


,


















k

L
,
del
,

(

τ
,
l

)


*

:=

(



(


-

s

del
,

(

τ
,
l

)

,
0



,

0

u
0


,
0
,


η
->


del
,

(

τ
,
l

)

,
0


,

0

z
0



)



0
*


,




(




s

del
,

(

τ
,
l

)

,
t





e
->


t
,
1



+


θ

del
,

(

τ
,
l

)

,
t





v
->

t



,

0

u
t


,


η
->


del
,

(

τ
,
l

)

,
t


,

0

z
t



)



t
*


:
t

=
1

,









,


L


(




s

del
,

(

τ
,
l

)

,

L
+
1






e
->


τ
,
1



+

ψ



e
->


τ
,
l




,

0

u
τ


,


η
->


del
,

(

τ
,
l

)

,

L
+
1



,

0

z
τ



)




τ
*



)


,













sk
L

:=

(


k

L
,
dec

*

,


{

k

L
,
ran
,
j

*

}



j
=
1

,









,

2

L



,


{

k

L
,
ran
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)



,


{

k

L
,
del
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,









,

d
;


(

τ
,
l

)

=

(

τ
,
l

)



,









,

(

τ
,

n
τ


)




)


,











return







sk
L

.













The functions and operations of the encryption device 200 will be described.


As shown in FIG. 9, the encryption device 200 includes a master public key acquisition unit 210, an information input unit 220 (second information input unit), a ciphertext generation unit 230, and a data transmission unit 240.


The information input unit 220 includes an attribute information input unit 221 and a message input unit 222. The ciphertext generation unit 230 includes a random number generation unit 231, a ciphertext c1 generation unit 232, and a ciphertext c2 generation unit 233.


Referring to FIG. 14, the process of the Enc algorithm executed by the encryption device 200 will be described.


(S301: Master Public Key Acquisition Step)


Using the communication device and through the network, for example, the master public key acquisition unit 210 obtains the master public key pk generated by the key generation device 100.


(S302: Information Input Step)


Using the input device, the attribute information input unit 221 inputs attribute information (x{right arrow over ( )}1, . . . , x{right arrow over ( )}L):=((x1,i (i=1, . . . , n1)), . . . , (xL,i (i=1, . . . , nL))). As attribute information, an attribute of a person who can decrypt an encrypted message is input.


Using the input device, the message input unit 222 inputs a message m to be encrypted.


(S303: Random Number Generation Step)


Using the processing device, the random number generation unit 231 generates random numbers (x̂L+1, . . . , x{right arrow over ( )}d):=((xL+1,i (i=1, . . . , nL+1)), . . . , (xd,i (i=1, . . . , nd))) and random numbers ω, ζ, φ{right arrow over ( )}t (t=0, . . . , d), as shown in Formula 141.











(



x
->


L
+
1


,





,


x
->

d


)

:=



(


(


x


L
+
1

,
1


,





,

x


L
+
1

,

n

L
+
1





)

,





,

(


x

d
,
1


,





,

x

d
,

n
d




)


)




U




q

n

L
+
1




×

×


q

n
d




,








ω
,

ζ



U




q


,















ϕ
->

t

:=


(


ϕ

t
,
1


,





,

ϕ

t
,

z
t




)




U





q

z
t




(


t
=
0

,





,
d

)








[

Formula





141

]







(S304: Ciphertext c1 Generation Step)


Using the processing device, the ciphertext c1 generation unit 232 generates a ciphertext c1 which is an element of a ciphertext ct, as shown in Formula 142.






c
1:=((ω,0u0,ζ,0w0,{right arrow over (φ)}0custom-character,(ω{right arrow over (x)}t,0ut,0wt,{right arrow over (φ)}tcustom-character:t=1, . . . , d)  [Formula 142]


As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 142 denotes that coefficients of basis vectors of the basis B0 and the basis Bt (t=1, . . . , d) are set as described below to generate the ciphertext c1.


First, description will be directed to the basis B0. For simplicity of notation, a basis vector b0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b0,1. Basis vectors 1, . . . , 3 denote basis vectors b0,1, . . . , b0,3.


ω is set as a coefficient of a basis vector 1 of the basis B0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0. ζ is set as a coefficient of a basis vector 1+u0+1. 0 is set as a coefficient of each of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. φ0,1, . . . , φ0,z0 (where z0 denotes z0) are respectively set as coefficients of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis Bt (t=1, . . . , d). For simplicity of notation, a basis vector bt,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector bt,1. Basis vectors 1, . . . , 3 denote basis vectors bt,1, . . . , bt,3.


ωxt,1, . . . , ωxt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of the basis Bt (t=1, . . . , d). 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut+wt. φt,1, . . . , φt,zt (where zt denotes zt) are respectively set as coefficients of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


(S305: Ciphertext c2 Generation Step)


Using the processing device, the ciphertext c2 generation unit 233 generates a ciphertext c2 which is an element of the ciphertext ct, as shown in Formula 143.






c
2
:=g
T
ζ
m  [Formula 143]


(S306: Data Transmission Step)


Using the communication device and through the network, for example, the data transmission unit 240 transmits to the decryption device 300 the ciphertext ct including the ciphertext c1 and the ciphertext c2. It is obvious that the ciphertext ct may be transmitted to the decryption device 300 by other methods.


To summarize, in (S301) to (S305), the encryption device 200 executes the Enc algorithm shown in Formula 144, and generates the ciphertext ct. Then, in (S306), the encryption device 200 transmits the generated ciphertext ct to the decryption device 300.









Enc
(

pk
,

m



T


,



(



x
->

1

,





,


x
->

L


)

:=


(


(


x

1
,
1


,





,

x

1
,

n
1




)

,





,

(


x

L
,
1


,





,

x

L
,

n
L




)


)

:











(



x
->


L
+
1


,





,


x
->

d


)




U




q

n

L
+
1




×

×


q

n
d





;








ω

,

ζ



U




q


,



ϕ
->

t




U





q

z
t




(


t
=
0

,





,
d

)



,






c
1

:=

(



(

ω
,

0

u
0


,
ζ
,

0

w
0


,


ϕ
->

0


)



0


,




(


ω







x
->

t


,

0

u
t


,

0

w
t


,


ϕ
->

t


)








t


:
t

=
1

,





,
d

)


,










c
2

:=


g
T
ζ


m


,









ct
:=

(


c
1

,

c
2


)


,









return






ct
.







[

Formula





144

]







The functions and operations of the decryption device 300 will be described.


As shown in FIG. 10, the decryption device 300 includes a decryption key acquisition unit 310, a data receiving unit 320, a pairing operation unit 330, and a message computation unit 340.


Referring to FIG. 15, the process of the Dec algorithm executed by the decryption device 300 will be described.


(S401: Decryption Key Acquisition Step)


Using the communication device and through the network, for example, the decryption key acquisition unit 310 obtains the decryption key skL. The decryption key acquisition unit 310 also obtains the public parameter pk generated by the key generation device 100.


(S402: Data Receiving Step)


Using the communication device and through the network, for example, the data receiving unit 320 receives the ciphertext ct transmitted by the encryption device 200.


(S403: Pairing Operation Step)


Using the processing device, the pairing operation unit 330 performs a pairing operation shown in Formula 145, and computes a session key K=gTζ.






K:=e(c1,k*L,dec)  [Formula 145]


If the inner product of (v{right arrow over ( )}1, . . . , {right arrow over (v)}L) and (x{right arrow over ( )}1, . . . , x{right arrow over ( )}L) is 0, the session key K is computed by computing Formula 145.


(S404: Message Computation Step)


Using the processing device, the message computation unit 340 computes a message m′(=m) by dividing the ciphertext c2 by the session key K.


To summarize, in (S401) to (S404), the decryption device 300 executes the Dec algorithm shown in Formula 146, and computes the message m′ (=m).






Dec(pk,k*L,dec,ct):m′:=c2,be(c1,k*L,dec)return m′.  [Formula 146]


The functions and operations of the key delegation device 400 will be described.


As shown in FIG. 11, the key delegation device 400 includes a decryption key acquisition unit 410, an information input unit 420 (third information input unit), a delegation key generation unit 430, and a key distribution unit 440 (delegation key transmission unit).


The delegation key generation unit 430 includes a random number generation unit 431, a lower-level decryption element generation unit 432, a lower-level randomizing element generation unit 433, and a lower-level delegation element generation unit 434.


Referring to FIG. 16, the process of the DelegateL algorithm executed by the key delegation device 400 will be described.


(S501: Decryption Key Acquisition Step)


Using the communication device and through the network, for example, the decryption key acquisition unit 410 obtains the decryption key skL. The decryption key acquisition unit 410 also obtains the public parameter pk generated by the key generation device 100.


(S502: Information Input Step)


Using the input device, the information input unit 420 inputs predicate information v{right arrow over ( )}L+1=(vL+1,i (i=1, . . . , nL+1)). As predicate information, an attribute of a person to whom the key is delegated is input.


(S503: Random Number Generation Step)


Using the processing device, the random number generation unit 431 generates random numbers αdec,j, σdec, αran,j′,j, σran,j′, αran,(τ,ι),j, σran,(τ,ι), φran,(τ,ι), αdel,(τ,ι),j, σdel,(τ,ι), φdel,(τ,ι), ψ′, ηdec,(t,i), ηran,j′,(t,i), ηran,(τ,ι,(t,i), ηdel,(τ,ι),(t,i) for each integer j, j′, τ, ι, t, i of j=1, . . . , 2L, j′=1, . . . , 2(L+1), τ=L+2, . . . , d, (τ,ι)=(τ,1), . . . , (τ,nτ), t=0, . . . , L+1, τ, (t,i)=(t,1), . . . , (t,nt), as shown in Formula 147.










for






j
=
1

,





,


2

L

;










j


=
1

,





,


2


(

L
+
1

)


;









τ
=

L
+
2


,





,

d
;










(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;









t
=
0

,





,

L
+
1

,

τ
;










(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

w
t


)

;









α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
l

)

,
j


,

σ

ran
,

(

τ
,
l

)



,





φ

ran
,

(

τ
,
l

)



,

α

del
,

(

τ
,
l

)

,
j


,

σ

del
,

(

τ
,
l

)



,

φ

del
,

(

τ
,
l

)



,

ψ


,





η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
l

)

,

(

t
,
i

)



,


η

del
,

(

τ
,
l

)

,

(

t
,
i

)






U




q







[

Formula





147

]







(S504: Lower-Level Decryption Element Generation Step)


Using the processing device, the lower-level decryption element generation unit 432 generates a lower-level decryption element k*L+1,dec which is an element of a delegation key skL+1, as shown in Formula 148.










k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
i





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*









[

Formula





148

]







(S505: First Lower-Level Randomizing Element Generation Step)


Using the processing device, the lower-level randomizing element generation unit 433 generates a first lower-level randomizing element k*L+1,ran,j′ which is an element of the delegation key skL+1, for each integer j′ of j′=1, . . . , 2(L+1), as shown in Formula 149.










k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+


σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*









[

Formula





149

]







(S506: Second Lower-Level Randomizing Element Generation Step)


Using the processing device, the lower-level randomizing element generation unit 433 generates a second lower-level randomizing element k*L+1,ran,(τ,ι) which is an element of the delegation key skL+1, for each integer τ of τ=L+2, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 150.










k


L
+
1

,
ran
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

ran
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

ran
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


φ

ran
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+




i
=
1


w
t





η

ran
,

(

τ
,
l

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

ran
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*








[

Formula





150

]







(S507: Lower-Level Delegation Element Generation Step)


Using the processing device, the lower-level delegation element generation unit 434 generates a lower-level delegation element k*L+1,del,(τ,ι) which is an element of the delegation key slL+1, for each integer τ of τ=L+2, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 151.











k


L
+
1

,
del
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

del
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


ψ




k

L
,
del
,

(

τ
,
i

)


*


+


φ

del
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+




i
=
1


w
t





η

del
,

(

τ
,
i

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,




[

Formula





151

]







(S508: Key Distribution Step)


Using the communication device and through the network, for example, the key distribution unit 150 secretly provides to the lower-level decryption device 300 the delegation key skL+1 (lower-level decryption key) having elements of the lower-level decryption element k*L+1,dec, the first lower-level randomizing element k*L+1,ran,j′ (j′=1, . . . , 2(L+1)), the second lower-level randomizing element k*L+1,ran,(τ,ι)(τ=L+2, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), and the lower-level delegation element k*L+1,del,(τ,ι) (τ=L+2, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)). It is obvious that the delegation key skL+1 may be provided to the lower-level decryption device 300 by other methods.


To summarize, in (S501) to (S507), the key delegation device 400 executes the DelegateL, algorithm shown in Formulas 152 and 153, and generates the delegation key skL+1. Then, in (S508), the key delegation device 400 provides the generated delegation key skL+1 to the lower-level decryption device 300.











Delegate
L



(

pk
,

sk
L

,



v
->


L
+
1


:=

(


v


L
+
1

,
1


,





,

v


L
+
1

,

n

L
+
1





)



)


:




[

Formula





152

]











for











j
=
1

,





,


2

L

;














j


=
1

,





,


2


(

L
+
1

)


;













τ
=

L
+
2


,





,

d
;














(

τ
,
l

)

=

(

τ
,
l

)


,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;






















(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

w
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
l

)

,
j


,

σ

ran
,

(

τ
,
l

)



,









φ

ran
,

(

τ
,
l

)



,

α

del
,

(

τ
,
l

)

,
j


,

σ

del
,

(

τ
,
l

)



,

φ

del
,

(

τ
,
l

)



,

ψ


,









η

dec
,

(

l
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
l

)

,

(

t
,
i

)



,


η

del
,

(

τ
,
l

)

,

(

t
,
i

)






U




q


,















k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
i





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*






,




[

Formula





153

]








k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+


σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*






,













k


L
+
1

,
ran
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

ran
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

ran
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


φ

ran
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+




i
=
1


w
t





η

ran
,

(

τ
,
l

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

ran
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,













k


L
+
1

,
del
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

del
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


ψ




k

L
,
del
,

(

τ
,
l

)


*


+


φ

del
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+




i
=
1


w
i





η

del
,

(

τ
,
l

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,













sk

L
+
1


:=

(


k


L
+
1

,
dec

*

,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,









,

2


(

L
+
1

)




,


{


k


L
+
1

,
ran
,

(

τ
,
l

)


*

,

k


L
+
1

,
del
,

(

τ
,
l

)


*


}



τ
=

L
+
2


,









,

d
;


(

τ
,
t

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,









return






sk

L
+
1















When the lower-level decryption device 300 executes the Dec algorithm using the delegation key skL+1, the session key K is computed in (S403) of FIG. 15 by computing Formula 145 if the inner product of (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L+1) and (x{right arrow over ( )}1, . . . , x{right arrow over ( )}L+1) is 0.


As described above, the cryptographic processing system 10 according to the first embodiment implements the HPE scheme for inner products of d levels using the (d+1) number of Nt (t=0, . . . , d)-dimensional spaces. Spaces required for the cryptographic processes at the L-th level (1≦L≦d) are the (L+1) number of Nt (t=0, . . . , L)-dimensional spaces. Thus, key sizes can be made small, and efficiency of operations and so on can be enhanced. Memory and register areas and so on for storing keys are also made small.


In the above description, dimensions ut, wt, and zt (t=0, . . . , d) are provided for enhanced security. Therefore, at the cost of reduced security, dimensions ut, wt, and zt (t=0, . . . , d) may be omitted by setting ut, wt, and zt (t=0, . . . , d) respectively to 0.


In the above description, 1+u0+1+w0+z0 is set in N0, and nt+ut+wt+zt is set in Nt. However, 1+u0+1+w0+z0 may be replaced with 1+1+1+1+1 so that 5 is set in N0, and nt+ut+wt+zt may be replaced with nt+nt+nt+1 so that 3nt+1 is set in Nt.


In this case, the Setup algorithm shown in Formula 132 is rewritten as shown in Formula 154. Gob is rewritten as shown in Formula 155.









Setup
(


1
λ

,


n
->

:=


(


d
;

n
1


,





,

n
d


)

:



(


param

n
->


,


{



t

,


t
*


}



t
=
0

,









,
d



)




R




ob




(


1
λ

,

n
->


)




,





[

Formula





154

]










^

0

:=

(


b

0
,
1


,

b

0
,
3


,

b

0
,
5



)


,




^

t

:=



(


b

t
,
1


,





,

b

t
,

n
t



,

b

t
,


3


n
t


+
1




)










for









t

=
1


,





,
d
,












^

0
*

:=

(


b

0
,
1

*

,

b

0
,
3

*


)


,




^

t
*

:=



(


b

t
,
1

*

,





,

b

t
,

n
t


*


)










for









t

=
1


,





,
d
,












pk
:=

(


1
λ

,

param

n
->


,


{



^

t

}



t
=
0

,









,
d


,

b

0
,
4

*

,


{


b

t
,


2


n
t


+
1


*

,





,

b

t
,

3


n
t



*


}



t
=
1

,









,
d



)


,

















sk
:=


{



^

t
*

}



t
=
0

,









,
d



,









return





pk

,

sk
.























ob



(


1
λ

,


n
->

:=

(


d
;

n
1


,





,

n
d


)



)


:









N
0


:=
5

,


N
t

:=


3


n
t


+

1






(


t
-
1

,





,
d

)




,










param


:=


(

q
,

,


T

,
g
,
e

)




R





bpg



(

1
λ

)




,









ψ



U




q
x


,










For





t

=
0

,





,
d
,





[

Formula





155

]








param


t


:=


(

q
,


t

,


T

,


t

,
e

)

:=



dpvs



(


1
λ

,

N
t

,

param



)




,













X
t

:=



(

χ

t
,
i
,
j


)


i
,
j





U



GL


(


N
t

,


q


)




,



(

v

t
,
i
,
j


)


i
,
j


:=

ψ
·


(

X
t
T

)


-
1




,













b

t
,
i


:=



(



χ

t
,
i
,
1
,













,

χ

t
,
i
,

N
t




)



t


=




j
=
1


N
t





χ

t
,
i
,
j




a

t
,
j






,



t

:=

(


b

t
,
1


,





,

b

t
,

N
t




)


,













b

t
,
i

*

:=



(



v

t
,
i
,
1
,













,

v

t
,
i
,

N
t




)



t


=




j
=
1


N
t





v

t
,
i
,
j




a

t
,
j






,



t
*

:=

(


b

t
,
1

*

,





,

b

t
,

N
t


*


)


,













g
T

:=


e


(

g
,
g

)


ψ


,


param

n
->


:=

(



{

param


t


}



t
=
1

,









,
d
,




g
T


)













return







(


param

n
->


,


{



t

,


t
*


}



t
=
0

,









,
d



)

.













The KeyGen algorithm shown in Formulas 139 and 140 is rewritten as shown in Formulas 156 and 157.










KeyGen


(

pk
,
sk
,


(



v
->

1

,





,


v
->

L


)

:=

(


v

1
,
1


,





,

v

1
,

n
1




)


,









,

(


v

L
,
1


,





,

v

L
,

n
L




)


)


:




[

Formula





156

]











for











j
=
1

,





,


2

L

;













τ
=

L
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;












ψ
,

s

dec
,
t


,




s

ran
,
j
,
t





U




q








(


t
=
1

,





,
L

)


;















θ

dec
,
t


,


θ

ran
,
j
,
t





U




q


,


η
->


dec
,
t


,





η
->


ran
,
j
,
t





U




q

n
t









(


t
=
0

,





,
L

)


;













s

ran
,

(

τ
,
l

)

,
t


,



s

del
,

(

τ
,
l

)

,
t





U





q



(


t
=
1

,





,

L
+
1


)



;













θ

ran
,

(

τ
,
l

)

,
t


,


θ

del
,

(

τ
,
l

)

,
t





U




q


,


η
->


ran
,

(

τ
,
l

)

,
t


,



η
->


del
,

(

τ
,
l

)

,
t





U




q

n
t



,


(


t
=
0

,





,

L
+
1


)

;



















s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,






s

ran
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

ran
,

(

τ
,
l

)

,
t




,


s

del
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

del
,

(

τ
,
l

)

,
t




,














k

L
,
dec

*

:

(



(


-

s

dec
,
0



,
0
,
1
,

η

dec
,
0


,
0

)



0
*


,



(




s

dec
,
t





e
->


t
,
1



+


θ

dec
,
t





v
->

t



,

0

n
t


,


η
->


dec
,
t


,
0

)



t
*


:=
1

,





,
L

)


,




[

Formula





157

]








k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,
0
,
0
,

η

ran
,
j
,
0


,
0

)



0
*


,




(




s

ran
,
t





e
->


t
,
1



+


θ

ran
,
j
,
t





v
->

t



,

0

n
t


,


η
->


ran
,
j
,
t


,
0

)



t
*


:
t

=
1

,





,
L

)


,













k

L
,
ran
,

(

τ
,
l

)


*

:=

(



(



-

s

ran
,

(

τ
,
l

)

,
0




0

,
0
,

η

ran
,

(

τ
,
l

)

,
0


,
0

)



0
*


,




(




s

ran
,

(

τ
,
l

)

,
t





e
->


t
,
1



+


θ

ran
,

(

τ
,
l

)

,
t





v
->

t



,

0

n
t


,


η
->


ran
,

(

τ
,
l

)

,
t


,
0

)



t
*


:
t

=
1

,









,


L


(



s

ran
,

(

τ
,
l

)

,

L
+
1






e
->


τ
,
1



,

0

n
τ


,


η
->


ran
,

(

τ
,
l

)

,

L
+
1



,
0

)




τ
*



)


,













k

L
,
del
,

(

τ
,
l

)


*

:=

(



(


-

s

del
,

(

τ
,
l

)

,
0



,
0
,
0
,

η

del
,

(

τ
,
l

)

,
0


,
0

)



0
*


,




(




s

del
,

(

τ
,
l

)

,
t





e
->


t
,
1



+


θ

del
,

(

τ
,
l

)

,
t





v
->

t



,

0

n
t


,


η
->


del
,

(

τ
,
l

)

,
t


,
0

)



t
*


:
t

=
1

,









,


L


(




s

del
,

(

τ
,
l

)

,

L
=
1






e
->


τ
,
1



+

ψ







e
->


τ
,
l




,

0

n
τ


,


η
->


del
,

(

τ
,
l

)

,

L
+
1



,
0

)




τ
*



)


,













sk
L

:=

(


k

L
,
dec

*

,


{

k

L
,
ran
,
j

*

}



j
=
1

,









,

2

L



,



{

k

L
,
ran
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,












d

;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)

,





{

k

L
,
del
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)





)


,












return







sk
L

.


















The Enc algorithm shown in Formula 144 is rewritten as shown in Formula 158.









Enc
(

pk
,

m



T


,



(



x
->

1

,





,


x
->

L


)

:=


(


(


x

1
,
1


,





,

x

1
,

n
1




)

,





,

(


x

L
,
1


,





,

x

L
,

n
L




)


)

:











(



x
->


L
+
1


,





,


x
->

d


)




U




q

n

L
+
1




×

×


q

n
d





;








ω

,
ζ
,

ϕ
0

,





,


ϕ
d




U




q


,






c
1

:=

(



(

ω
,
0
,
ζ
,
0
,

ϕ
0


)



0


,




(


ω







x
->

t


,

0

n
t


,

0

n
t


,

ϕ
t


)








t


:
t

=
1

,





,
d

)


,










c
2

:=


g
T
ζ


m


,









ct
:=

(


c
1

,

c
2


)


,









return






ct
.







[

Formula





158

]







The DelegateL algorithm shown in Formulas 152 and 153 is rewritten as shown in Formulas 159 and 160.











Delegate
L



(

pk
,

sk
L

,



v
->


L
+
1


:=

(


v


L
+
1

,
1


,





,

v


L
+
1

,

n

L
+
1





)



)


:




[

Formula





159

]











for











j
=
1

,





,


2

L

;














j


=
1

,








2


(

L
+
1

)


;













τ
=

L
+
2


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;






















(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

n
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,


σ

ran
,

j


,




α

ran
,

(

τ
,
l

)

,
j



,

σ

ran
,

(

τ
,
l

)



,









φ

ran
,

(

τ
,
l

)



,

α

del
,

(

τ
,
l

)

,
j


,

σ

del
,

(

τ
,
l

)



,

φ

del
,

(

τ
,
l

)



,

ψ


,









η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
l

)

,

(

t
,
i

)



,


η

del
,

(

τ
,
l

)

,

(

t
,
i

)






U




q


,















k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


η

dec
,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

dec
,

(

t
,
i

)





b

t
,


2


n
t


+
i


*






,




[

Formula





160

]








k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+


σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


η

ran
,

j


,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


2


n
t


+
i


*






,













k


L
+
1

,
ran
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

ran
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

ran
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


φ

ran
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+


η

ran
,

(

τ
,
l

)

,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

ran
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


2


n
t


+
i


*




+




i
=
1


n
τ





η

ran
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


2


n
τ


+
i


*





,













k


L
+
1

,
del
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

del
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


ψ




k

L
,
del
,

(

τ
,
i

)


*


+


φ

del
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+


η

del
,

(

τ
,
l

)

,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

del
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


2


n
t


+
i


*




+




i
=
1


n
τ





η

del
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


2


n
τ


+
i


*





,













sk

L
+
1


:=

(


k


L
+
1

,
dec

*

,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,









,

2


(

L
+
1

)




,


{


k


L
+
1

,
ran
,

(

τ
,
l

)


*

,

k


L
+
1

,
del
,

(

τ
,
l

)


*


}



τ
=

L
+
2


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,
















return






sk

L
+
1















The Dec algorithm shown in Formula 146 remains the same.


The Setup algorithm needs to be executed once when the cryptographic processing system 10 is set up, and does not have to be executed each time a decryption key is generated. In the above description, the Setup algorithm and the KeyGen algorithm are executed by the key generation device 100. However, the Setup algorithm and the KeyGen algorithm may be executed by different devices.


Second Embodiment

In this embodiment, a generalized version of the HPE scheme for inner products discussed in the first embodiment will be described.


In the HPE scheme for inner products discussed in the first embodiment, a ciphertext ct can be decrypted by a decryption key, as a general rule, if the inner product of attribute information set in the ciphertext ct and predicate information set in the decryption key is 0.


However, in the HPE scheme for inner products to be discussed in the second embodiment, it may be arranged that decryption is possible even if the inner product of the attribute information set in the ciphertext ct and the predicate information set in the decryption key is not 0.


Specifically, in the following description, decryption is possible if the inner product of attribute information x{right arrow over ( )}t and predicate information v{right arrow over ( )}t is 0 for each integer t of ρt (t=1, . . . , d) having the value of 0 and if the inner product of the attribute information x{right arrow over ( )}t and the predicate information v{right arrow over ( )}t is not 0 for each integer t of ρt (t=1, . . . , d) having the value of 1.


With this arrangement, it is possible to set a positive conditional expression (e.g., attribute information=predicate information) or a negative conditional expression (attribute information≠predicate information) depending on the setting of the value of ρt (t=1, . . . , d).


Referring to FIGS. 17 and 19, the HPE scheme for inner products according to the second embodiment will be described, and functions and operations of the cryptographic processing system 10 that implements the HPE scheme for inner products will be described.


A functional configuration of the cryptographic processing system 10 according to the second embodiment is the same as a functional configuration of the cryptographic processing system 10 according to the first embodiment shown in FIGS. 8 to 11.



FIG. 17 is a flowchart showing operations of the key generation device 100 and showing a process of the KeyGen algorithm. FIG. 18 is a flowchart showing operations of the decryption device 300 and showing a process of the Dec algorithm.



FIG. 19 is a flowchart showing operations of the key delegation device 400 and showing a process of the DelegateL algorithm.


Processes of the Setup algorithm and the Enc algorithm according to the second embodiment are the same as the processes of the Setup algorithm and the Enc algorithm according to the first embodiment, so that description will be omitted. In the Enc algorithm, however, a ciphertext ct to be transmitted to the decryption device 300 includes not only ciphertexts c1 and c2 but also attribute information x{right arrow over ( )}i (i=1, . . . , L).


Referring to FIG. 17, the process of the KeyGen algorithm executed by the key generation device 100 will be described.


(S601: Information Input Step)


Using the input device, the information input unit 130 inputs predicate information ((v{right arrow over ( )}11), (v{right arrow over ( )}LL)):=((v1,i (i=1, . . . , n1), ρ1ε{0,1}), . . . , (vL,i (i=1, . . . , nL), ρLε{0,1})). As predicate information, an attribute of a user of a key is input.


(S602: Random Number Generation Step)


Using the processing device, the random number generation unit 141 generates a random number ψ, random numbers sdec,t, sran,j,t (t=1, . . . , L), random numbers θdec,t, θran,j,t, η{right arrow over ( )}dec,t, η{right arrow over ( )}ran,j,t, η{right arrow over ( )}ran,0,t, η{right arrow over ( )}del,0,t, η{right arrow over ( )}del,1,t (t=0, . . . , L), random numbers sran,0,t, sdel,0,t, sdel,1,t (t=0, . . . , L+1), random numbers θran,0,t, θdel,0,t, θdel,1,t (t=0, . . . , L+1), and random numbers η{right arrow over ( )}ran,(τ,ι), η{right arrow over ( )}del,0,(τ,ι), η{right arrow over ( )}del,1,(τ,ι) for each of integers j, τ, ι of j=1, . . . , 2L, τ=L+1, . . . , d, (τ,ι)=(τ,1), . . . , (τ,nτ), as shown in Formula 161.















for











j
=
1

,





,


2

L

;














τ
=

l
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;












ψ
,

s

dec
,
t


,



s

ran
,
j
,
t





U




q








(


t
=
1

,





,
L

)


,









θ

dec
,
t


,



θ

ran
,
j
,
t





U




q








(


t
=
0

,





,
L

)


,







η
->


dec
,
t


:=



(


η

dec
,
t
,
1


,





,

η

dec
,
t
,

w
t




)




U




q

w
t









(


t
=
0

,





,
L

)



,







η
->


ran
,
j
,
t


:=



(


η

ran
,
j
,
t
,
1


,





,

η

ran
,
j
,
t
,

w
t




)




U




q

w
t









(


t
=
0

,





,
L

)



,







η
->


ran
,
0
,
t


:=



(


η

ran
,
0
,
t
,
1


,





,

η

ran
,
0
,
t
,

w
t




)




U




q

w
t









(


t
=
0

,





,
L

)



,







η
->


del
,
0
,
t


:=



(


η

del
,
0
,
t
,
1


,





,

η

del
,
0
,
t
,

w
t




)




U




q

w
t









(


t
=
0

,





,
L

)



,







η
->


del
,
1
,
t


:=



(


η

del
,
1
,
t
,
1


,





,

η

del
,
1
,
t
,

w
t




)




U




q

w
t









(


t
=
0

,





,
L

)



,









s

ran
,
0
,
t


,

s

del
,
0
,
t


,



s

del
,
1
,
t





U




q








(


t
=
1

,





,

L
+
1


)


,









θ

ran
,
0
,
t


,

θ

del
,
0
,
t


,



θ

del
,
1
,
t





U




q








(


t
=
0

,





,

L
+
1


)


,











η
->


ran
,
0
,

(

τ
,
l

)



:=


(


η

ran
,
0
,

(

τ
,
l

)

,
1


,





,

η

ran
,
0
,

(

τ
,
l

)

,

w
l




)




U




q

w
t




,











η
->


del
,
0
,

(

τ
,
l

)



:=


(


η

del
,
0
,

(

τ
,
l

)

,
1


,





,

η

del
,
0
,

(

τ
,
l

)

,

w
t




)




U




q

w
t




,











η
->


del
,
1
,

(

τ
,
l

)



:=


(


η

del
,
1
,

(

τ
,
l

)

,
1


,





,

η

del
,
1
,

(

τ
,
l

)

,

w
l




)




U




q

w
t










[

Formula





161

]







sdec,0, sran,j,0, sran,0,0, sdel,0,0, and sdel,1,0 are set as shown in Formula 162.






s
dec,0:=Σt=1Lsdec,t,






s
ran,j,0:=Σt=1Lsran,j,t,






s
ran,0,0:=Σr=1Lsran,0,t,






s
del,0,0:=Σt=1L+1sdel,0,t,






s
del,1,0:=Σt=1L+1sdel,1,t  [Formula 162]


(S603: Decryption Element Generation Step)


Using the processing device, the decryption element generation unit 142 generates a decryption element k*L,dec which is an element of a decryption key skL, as shown in Formula 163.










k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,

0

u
0


,
1
,


η



dec
,
0


,

0

z
0



)


,



{






(




s

dec
,
t





e



t
,
1



+


θ

dec
,
t
,





v


t



,

0

u
t


,


η



dec
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

dec
,
t





v


t


,

0

u
t


,


η



dec
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1




}

:
t

=
1

,





,
L

)





[

Formula





163

]







As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 163 denotes that coefficients of basis vectors of the basis B*0 and the basis B*t (t=1, . . . , L) are set as described below to generate the decryption element k*L,dec.


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sdec,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0. 1 is set as a coefficient of a basis vector 1+u0+1. ηdec,0,1, . . . , ηdec,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3. Settings of the basis B*t (t=1, . . . , L) vary depending on whether the value of ρt is 0 or 1.


When the value of ρt is 0, sdec,tdec,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θdec,tvt,2, . . . , θdec,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdec,t,1, . . . , ηdec,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


On the other hand, when the value of ρt is 1, sdec,tvt,1, . . . , sdec,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of the basis B*t (t=1, . . . , L). 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdec,t,1, . . . , ηdec,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


(S604: First Randomizing Element Generation Step)


Using the processing device, the randomizing element generation unit 143 generates a first randomizing element k*L,ran,j which is an element of the decryption key skL, for each integer j of j=1, . . . , 2L, as shown in Formula 164.










k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,

0

u
0


,
0
,


η



ran
,
j
,
0


,

0

z
0



)


,



{






(




s

ran
,
j
,
t





e



t
,
1



+


θ

ran
,
j
,
t
,





v


t



,

0

u
t


,


η



ran
,
j
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

ran
,
j
,
t





v


t


,

0

u
t


,


η



ran
,
j
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)





[

Formula





164

]







As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 164 denotes that coefficients of basis vectors of the basis B*0 and the basis B*t (t=1, . . . , L) are set as described below to generate the first randomizing element k*L,ran,j.


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sran,j,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηran,j,0,1, . . . , ηran,j,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, b*t,3. Settings of the basis B*t (t=1, . . . , L) vary depending on whether the value of ρt is 0 or 1.


When the value of ρt is 0, sran,j,tran,j,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θran,j,tvt,2, . . . , θran,j,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,j,t,1, . . . , ηran,j,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


On the other hand, when the value of ρt is 1, sran,j,tvt,1, . . . , sran,j,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of the basis B*t (t=1, . . . , L). 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,j,t,1, . . . , ηran,j,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


(S605: Second Randomizing Element Generation Step)


Using the processing device, the randomizing element generation unit 143 generates a second randomizing element k*L,ran,(τ,ι,0) which is an element of the decryption key skL, for each integer τ of τ=L+1, . . . , d and each integer ι of ι=nτ with respect to each integer τ, as shown in Formula 165.












k

L
,
ran
,

(

τ
,
ι
,
0

)


*

:=

(



(


-

s

ran
,
0
,
0



,

0

u
0


,
0
,


η



ran
,
0
,
0


,

0

z
0



)


0
*


,



{






(




s

ran
,
0
,
t





e



t
,
1



+


θ

ran
,
0
,
t
,





v


t



,

0

u
t


,


η



ran
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

ran
,
0
,
t





v


t


,

0

u
t


,


η



ran
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

ran
,
0
,

L
+
1










τ
,
1



,

0

u
τ


,


η



ran
,
0
,

(

τ
,
ι

)



,

0

z
τ



)


τ
*



)




[

Formula





165

]







As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 165 denotes that coefficients of basis vectors of the basis B*0, the basis B*t (t=1, . . . , L) and the basis B*τ are set as described below to generate the second randomizing element k*L,ran,(τ,ι,0).


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, b*0,3.


−sran,0,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηran,0,0,1, . . . , ηran,0,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,i. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3. Settings of the basis B*t (t=1, . . . , L) vary depending on whether the value of ρt is 0 or 1.


When the value of ρt is 0, sran,0,tran,0,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θran,0,tvt,2, . . . , θran,0,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,0,t,1, . . . , ηran,0,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


On the other hand, when the value of ρt is 1, sran,0,tvt,1, . . . , sran,0,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of basis B*t (t=1, . . . , L). 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηran,0,t,1, . . . , ηran,0,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


Next, description will be directed to the basis B*τ. For simplicity of notation, a basis vector b*τ,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*τ,1. Basis vectors 1, . . . , 3 denote basis vectors b*τt,1, b*τ,3.


sran,0,L+1 is set as a coefficient of a basis vector 1 of the basis B*τ. 0 is set as a coefficient of each of basis vectors 2, . . . , nτ, . . . , nτ+uτ. ηran,0,(τ,ι),1, . . . , ηran,0,(τ,ι)s,wτ (where wτ denotes wτ) are respectively set as coefficients of basis vectors nτ+uτ+1, . . . , nτ+uτ+wτ. 0 is set as a coefficient of each of basis vectors nτ+uτ+wτ+1, . . . , nτ+uτ+wτ+zτ.


(S606: First Delegation Element Generation Step)


Using the processing device, the delegation element generation unit 144 generates a first delegation element k*L,del,(τ,ι,0) which is an element of the decryption key skL, for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 166.












k

L
,
del
,

(

τ
,
ι
,
0

)


*

:=

(



(


-

s

del
,
0
,
0



,

0

u
0


,
0
,


η



del
,
0
,
0


,

0

z
0



)


0
*


,



{






(




s

del
,
0
,
t





e



t
,
1



+


θ

del
,
0
,
t
,





v


t



,

0

u
t


,


η



del
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

del
,
0
,
t





v


t


,

0

u
t


,


η



del
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

del
,
0
,

L
+
1






e



τ
,
1



,


+
ψ








e



τ
,
ι



,

0

u
τ


,


η



del
,
0
,

(

τ
,
ι

)



,

0

z
τ



)


τ
*



)




[

Formula





166

]







As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 166 denotes that coefficients of basis vectors of the basis B*0, the basis B*t (t=1, . . . , L), and the basis B*τ are set as described below to generate the first delegation element k*L,del,(τ,ι,0).


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, b*0,3.


−sdel,0,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηdel,0,0,1, . . . , ηdel,0,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denote basis vectors b*t,1, . . . , b*t,3. Settings of the basis B*t (t=1, . . . , L) vary depending on whether the value of ρt is 0 or 1.


When the value of ρt is 0, sdel,0,tdel,0,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θdel,0,tvt,2, . . . , θdel,0,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0s is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdel,0,t,1, . . . , ηdel,0,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt±ut+wt+zt.


On the other hand, when the value of ρt is 1, sdel,0,tvt,1, . . . , sdel,0,t,vt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of the basis B*t (t=1, . . . , L). 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdel,0,t,1, . . . , ηdel,0,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


Next, description will be directed to the basis B*τ. For simplicity of notation, a basis vector b*τ,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*τ,1. Basis vectors 1, . . . , 3 denote basis vectors b*τ,1, . . . , b*τ,3.


sdel,0,L+1e{right arrow over ( )}τ,1+ψe{right arrow over ( )}τ,ι is set as a coefficient of basis vectors 1, . . . , nτ of the basis B*τ. 0 is set as a coefficient of each of basis vectors nτ+1, . . . , nτ+uτ. ηdel,0,(τ,ι),1, . . . , ηdel,0,(τ,ι),wτ (where wτ denotes wτ) are respectively set as coefficients of basis vectors nτ+uτ+1, . . . , nτ+uτ+wτ. 0 is set as a coefficient of each of basis vectors nτ+uτ+wτ+1, . . . , nτ+uτ+wτ+zτ.


(S607: Second Delegation Element Generation Step)


Using the processing device, the delegation element generation unit 144 generates a second delegation element k*L,del,(τ,ι,1) which is an element of the decryption key skL, for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 167.












k

L
,
del
,

(

τ
,
ι
,
1

)


*

:=

(



(


-

s

del
,
1
,
0



,

0

u
0


,
0
,


η



del
,
1
,
0


,

0

z
0



)


0
*


,



{






(




s

del
,
1
,
t





e



t
,
1



+


θ

del
,
1
,
t
,





v


t



,

0

u
t


,


η



del
,
1
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

del
,
1
,
t





v


t


,

0

u
t


,


η



del
,
1
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

del
,
1
,

L
+
1






e



τ
,
ι



,

0

u
τ


,


η



del
,
1
,

(

τ
,
ι

)



,

0

z
τ



)


τ
*



)




[

Formula





167

]







As described above, for the basis B and the basis B* shown in Formula 110, Formula 111 is defined. Thus, Formula 167 denotes that coefficients of basis vectors of the basis B*0, the basis B*t (t=1, . . . , L) and the basis B*τ are set as described below to generate the second delegation element k*L,del,(τ,ι,1).


First, description will be directed to the basis B*0. For simplicity of notation, a basis vector b*0,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*0,1. Basis vectors 1, . . . , 3 denote basis vectors b*0,1, . . . , b*0,3.


−sdel,1,0 is set as a coefficient of a basis vector 1 of the basis B*0. 0 is set as a coefficient of each of basis vectors 1+1, . . . , 1+u0+1. ηdel,1,0,1, . . . , ηdel,1,0,w0 (where w0 denotes w0) are respectively set as coefficients of basis vectors 1+u0+1+1, . . . , 1+u0+1+w0. 0 is set as a coefficient of each of basis vectors 1+u0+1+w0+1, . . . , 1+u0+1+w0+z0.


Next, description will be directed to the basis B*t (t=1, . . . , L). For simplicity of notation, a basis vector b*t,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*t,1. Basis vectors 1, . . . , 3 denotes basis vectors b*t,1, . . . , b*t,3. Settings of the basis B*t (t=1, . . . , L) vary depending on whether the value of ρt is 0 or 1.


When the value ρt is 0, sdel,1,tdel,1,tvt,1 is set as a coefficient of a basis vector 1 of the basis B*t (t=1, . . . , L). θdel,1,tvt,2, . . . , θdel,1,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 2, . . . , nt. 0 is set as a coefficient of each of basis vectors nt+1, . . . , nt+ut. ηdel,1,t,1, . . . , ηdel,1,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wt+zt.


On the other hand, when the value of ρt is 1, sdel,1,tvt,1, . . . , sdel,1,tvt,nt (where nt denotes nt) are respectively set as coefficients of basis vectors 1, . . . , nt of the basis B*t (t=1, . . . , L). 0 is set as a coefficient of each of basis vectors nt+1, nt+ut. ηdel,1,t,1, . . . , ηdel,1,t,wt (where wt denotes wt) are respectively set as coefficients of basis vectors nt+ut+1, . . . , nt+ut+wt. 0 is set as a coefficient of each of basis vectors nt+ut+wt+1, . . . , nt+ut+wi+zt.


Next, description will be directed to the basis B*τ. For simplicity of notation, a basis vector b*τ,i is identified using only the i portion. For example, a basis vector 1 denotes a basis vector b*τ,1. Basis vectors 1, . . . , 3 denote basis vectors b*τ,1, . . . , b*τ,3.


sdel,1,L+1e{right arrow over ( )}τ,ι is set as a coefficient of basis vectors 1, . . . , nτ of the basis B*τ. 0 is set as a coefficient of each of basis vectors nτ+1, . . . , nτ+uτ. ηdel,1,(τ,ι),1,, . . . , ηdel,1,(τ,ι),wτ (where wτ denotes wτ) are respectively set as coefficients of basis vectors nτ+uτ+1, . . . , nτ+uτ+wτ. 0 is set as a coefficient of each of basis vectors nτ+uτ+wτ+1, . . . , nτ+uτ+wτ+zτ.


(S608: Key Distribution Step)


Using the communication device and through the network, for example, the key distribution unit 150 secretly provides to the decryption device 300 the decryption key skL having elements of the decryption element k*L,dec, the first randomizing element k*L,ran,j (j=1, . . . , 2L), the second randomizing element k*L,ran,(τ,ι,0) (τ=L+1, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), the first delegation element k*L,del,(τ,ι,0) (τ=L+1, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), and the second delegation element k*L,del,(τ,ι,1) (τ=L+1, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)). It is obvious that the decryption key skL may be provided to the decryption device 300 by other methods.


To summarize, in (S601) to (S607), the key generation device 100 executes the KeyGen algorithm shown in Formulas 168 and 169, and generates the decryption key skL. Then, in (S608), the key generation device 100 provides the generated decryption key skL to the decryption device 300.










KeyGen


(


p





k

,
sk
,

(



v


1

,

ρ
1


)

,





,

(



v


L

,

ρ
L


)


)


:=


(


(



(


v
1



,
1

,





,

v
1



,

n
1



)



q

n
1



,


ρ
1



{

0
,
1

}



)

,





,

(



(


v
L



,
1

,





,

v
L



,

n
L



)



q

n
L



,


ρ
L



{

0
,
1

}



)


)

:





[

Formula





168

]








for





j

=
1

,





,


2

L

;

τ
=

L
+

1










,

d
;


(

τ
,
ι

)

=

(

τ
,
1

)



,





,


(

τ
,

n
τ


)

;













ψ
,

s

dec
,
t


,




s

ran
,
j
,
t





U



q




(


t
=
1

,





,
L

)


;













θ

dec
,
t


,


θ


ran
.
j

,
t





U



q


,










η



dec
,
t


,


η



ran
,
j
,
t


,


η



ran
,
0
,
t


,
















η



del
,
0
,
t






η



del
,
1
,
t





U



q

w
t





(


t
=
0

,





,
L

)


;












s

ran
,
0
,
t


,

s

del
,
0
,
t


,


s

del
,
1
,
t





U



q


,









θ

ran
,
0
,
t


,

θ

del
,
0
,
t


,


θ

del
,
1
,
t





U



q


,














η



ran
,
0
,

(

τ
,
ι

)



,


η



del
,
0
,

(

τ
,
ι

)



,



η



del
,
1
,

(

τ
,
ι

)






U



q

w
t



,










(


t
=
0

,





,

L
+
1


)

;














s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,










s

ran
,
0
,
0


:=




t
=
1

L



s

ran
,
0
,
t




,


s

del
,
0
,
0


:=




t
=
1


L
+
1




s

del
,
0
,
t




,













s

del
,
1
,
0


:=




t
=
1


L
+
1








s

del
,
1
,
t




,












k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,

0

u
0


,
1
,


η



dec
,
0


,

0

z
0



)


,



{






(




s

dec
,
t





e



t
,
1



+


θ

dec
,
t
,





v


t



,

0

u
t


,


η



dec
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0







(



s

dec
,
t





v


t


,

0

u
t


,


η



dec
,
t


,

0

z
t



)


t
*






if






ρ
t


=
1




}

:
t

=
1

,





,
L

)













k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,

0

u
0


,
0
,


η



ran
,
j
,
0


,

0

z
0



)


,



{






(




s

ran
,
j
,
t





e



t
,
1



+


θ

ran
,
j
,
t
,





v


t



,

0

u
t


,


η



ran
,
j
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0







(



s

ran
,
j
,
t





v


t


,

0

u
t


,


η



ran
,
j
,
t


,

0

z
t



)


t
*






if






ρ
t


=
1








}





:
t

=
1

,





,
L

)














k

L
,
ran
,

(

τ
,
ι
,
0

)


*

:=

(



(


-

s

ran
,
0
,
0



,

0

u
0


,
0
,


η



ran
,
0
,
0


,

0

z
0



)


0
*


,



{






(




s

ran
,
0
,
t





e



t
,
1



+


θ

ran
,
0
,
t
,





v


t



,

0

u
t


,


η



ran
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

ran
,
0
,
t





v


t


,

0

u
t


,


η



ran
,
0
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,




[

Formula





169

]









(



s

ran
,
0
,

L
+
1










τ
,
1



,

0

u
τ


,


η



ran
,
0
,

(

τ
,
ι

)



,

0

z
τ



)


τ
*


)

,













k

L
,
del
,

(

τ
,
ι
,
1

)


*

:=

(



(


-

s

del
,
1
,
0



,

0

u
0


,
0
,


η



del
,
1
,
0


,

0

z
0



)


0
*


,



{






(




s

del
,
1
,
t





e



t
,
1



+


θ

del
,
1
,
t
,





v


t



,

0

u
t


,


η



del
,
1
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
0








(



s

del
,
1
,
t





v


t


,

0

u
t


,


η



del
,
1
,
t


,

0

z
t



)


t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,














(



s

del
,
1
,

L
+
1






e



τ
,
ι



,

0

u
τ


,


η



del
,
1
,

(

τ
,
ι

)



,

0

z
τ



)


τ
*


)

,










sk

L
+
1


:=

(



(


(



v


1

,

ρ
1


)

,





,

(



v


L

,

ρ
L


)


)

;









k

L
,
dec

*


,


{

k

L
,
ran
,
j

*

}



j
=
1

,





,

2


(
L
)




,















{


k

L
,
ran
,

(

τ
,
ι
,
0

)


*

,

k

L
,
del
,

(

τ
,
ι
,
0

)


*

,




k

L
,
del
,

(

τ
,
ι
,
1

)


*

}



τ
=

L
+
1


,





,

d
;


(

τ
,
ι

)

=

(

τ
,
1

)



,





,

(

τ
,

n
τ


)




)

,











return







sk
L

.













Referring to FIG. 18, the process of the Dec algorithm executed by the decryption device 300 will be described.


(S701: Decryption Key Acquisition Step)


Using the communication device and through the network, for example, the decryption key acquisition unit 310 obtains the decryption key skL. The decryption key acquisition unit 310 also obtains the public parameter pk generated by the key generation device 100.


(S702: Data Receiving Step)


Using the communication device and through the network, for example, the data receiving unit 320 receives the ciphertext ct transmitted by the encryption device 200.


(S703: Pairing Operation Step)


Using the processing device, the pairing operation unit 330 performs a pairing operation shown in Formula 170, and computes a session key K=gTζ.









K
:=


e


(


c

1
,
0


,

k

L
,
dec
,
0

*


)


·





1

t


d


ρ
t



=
0









e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)


·





1

t


d


ρ
t



=
1









e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)



1
/

(



v


t

·


x


t


)











[

Formula





170

]







Here, Formula 171 is defined.





(k*L,dec,0εcustom-character, . . . , k*L,dec,dεcustom-character):=k*L,dec, (c1,0εcustom-character, . . . , c1,dεcustom-character:=c1  [Formula 171]


The session key K is computed by computing Formula 170 if the inner product of v{right arrow over ( )}t and x{right arrow over ( )}t is 0 for each integer t of ρt=0 and if the inner product of v{right arrow over ( )}t and x{right arrow over ( )}t is not 0 for each integer t of ρt=1 with respect to each integer t of t=1, . . . , L.


(S704: Message Computation Step)


Using the processing device, the message computation unit 340 divides the ciphertext c2 by the session key K, and thereby computes a message m′ (=m).


To summarize, in (S701) to (S704), the decryption device 300 executes the Dec algorithm shown in Formula 172, and computes the message m′ (=m).
















Dec


(


p





k

,

sk
L

,
ct

)




:









K
:=


e


(


c

1
,
0




k

L
,
dec
,
0

*


)


·





1

t


d


ρ
t



=
0









e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)


·





1

t


d


ρ
t



=
1









e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)



1
/

(



v


t

·


x


t


)








,










where








(



k

L
,
dec
,
0

*





0
*




,





,


k

L
,
dec
,
d

*





d
*





)

:=

k

L
,
dec

*


,










(



c

1
,
0






0
*




,





,


c

1
,
d






d
*





)

:=

c
1


,










m


:=


c
2

/
K


,









return







m


.








[

Formula





172

]







Referring to FIG. 19, the process of the DelegateL algorithm executed by the key delegation device 400 will be described.


(S801: Decryption Key Acquisition Step)


Using the communication device and through the network, for example, the decryption key acquisition unit 410 obtains the decryption key skL. The decryption key acquisition unit 410 also obtains the public parameter pk generated by the key generation device 100.


(S802: Information Input Step)


Using the input device, the information input unit 420 inputs predicate information (v{right arrow over ( )}L+1, ρL+1):=(vL+1,i (i=1, . . . , nL+1), ρL+1ε{0,1}). As predicate information, an attribute of a person to whom the key is delegated is input.


(S803: Random Number Generation Step)


Using the processing device, the random number generation unit 431 generates random numbers αdec,j, σdec, αran,j′,j, σran,j′, αran,(τ,ι,0),j, σran,(τ,ι,0), φran,(τ,ι,0), αdel,(τ,ι,0),j, σdel,(τ,ι,0), φdel,(τ,ι,0), αdel,(τ,ι,1),j, σdel,(τ,ι,1), φdel,(τ,ι,1), ηdec,(t,i), ηran,j′,(t,i), ηran,(τ,ι,0),(t,i), ηdel,(τ,ι,0),(t,i), ηdel,(τ,ι,1),(t,i), ψ0, ψ1, for each integer j, j′, τ, ι, t, i of j=1, . . . , 2L, j′=1, . . . , 2(L+1), τ=L+2, . . . , d, (τ,ι)=(τ,1), . . . , (τ,nτ), t=0, . . . , L+1, τ, (t,i)=(t,1), . . . , (t,nt), as shown in Formula 173.












for





j

=
1

,





,


2

L

;


j


=
1


,





,


2


(

L
+
1

)


;









τ
=

L
+
2


,





,

d
;


(

τ
,
ι

)

=

(

τ
,
1

)



,





,


(

τ
,

n
τ


)

;









t
=
0

,





,

L
+
1

,

τ
;


(

t
,
i

)

=

(

t
=
1

)



,





,


(

t
,

w
t


)

;








α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
ι
,
0

)

,
j


,





σ

ran
,

(

τ
,
ι
,
0

)



,

φ

ran
,

(

τ
,
ι
,
0

)



,

α

del
,

(

τ
,
ι
,
0

)

,
j


,

σ

del
,

(

τ
,
ι
,
0

)



,





φ

del
,

(

τ
,
ι
,
0

)



,

α

del
,

(

τ
,
ι
,
l

)

,
j


,

σ

del
,

(

τ
,
ι
,
1

)



,

φ

del
,

(

τ
,
ι
,
l

)



,





η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)



,





η

del
,

(

τ
,
ι
,
1

)

,

(

t
,
i

)



,

ψ
0

,

ψ
1

,



U



q






[

Formula





173

]







(S804: Lower-Level Decryption Element Generation Step)


Using the processing device, the lower-level decryption element generation unit 432 generates a lower-level decryption element k*L+1,dec which is an element of a delegation key skL+1, as shown in Formula 174.










k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+

{




(


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)







if






ρ
t


=
0






(


σ
dec

(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+







if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*









[

Formula





174

]







(S805: First Lower-Level Randomizing Element Generation Step)


Using the processing device, the lower-level randomizing element generation unit 433 generates a first lower-level randomizing element k*L+1,ran,j′ which is an element of the delegation key skL+1, for each integer j′ of j′=1, . . . , 2(L+1), as shown in Formula 175.










k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+

{





σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

j




(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*









[

Formula





175

]







(S806: Second Lower-Level Randomizing Element Generation Step)


Using the processing device, the lower-level randomizing element generation unit 433 generates a second lower-level randomizing element k*L+1,ran,(τ,ι) which is an element of the delegation key skL+1, for each integer τ of τ=L+2, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 176.










k


L
+
1

,
ran
,

(

τ
,
ι
,
0

)


*

:=





j
=
1


2

L





α

ran
,


(

τ
,
ι

)


j

,




k

L
,
ran
,
j

*



+


φ

ran
,

(

τ
,
ι
,
0

)





k

L
,
ran
,

(

τ
,
ι
,
0

)


*


+

{





σ

ran
,

(

τ
,
ι
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

(

τ
,
ι
,
0

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*








[

Formula





176

]







(S807: First Lower-Level Delegation Element Generation Step)


Using the processing device, the lower-level delegation element generation unit 434 generates a first lower-level delegation element k*L+1,del,(τ,ι,0) which is an element of the delegation key skL+1, for each integer τ of τ=L+2, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 177.










k


L
+
1

,
del
,

(

τ
,
ι
,
0

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
ι
,
0

)

,
j




k

L
,
ran
,
j

*



+


φ

del
,

(

τ
,
ι
,
0

)





k

L
,

ran


(

τ
,
ι
,
0

)



*


+


ψ
0



k

L
,

del


(

τ
,
ι
,
0

)



*


+

{





σ

del
,

(

τ
,
ι
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
ι
,
0

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*








[

Formula





177

]







(S808: Second Lower-Level Delegation Element Generation Step)


Using the processing device, the lower-level delegation element generation unit 434 generates a second lower-level delegation element k*L+1,del,(τ,ι,1) which is an element of the delegation key skL+1, for each integer τ of τ=L+2, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, as shown in Formula 178.










k


L
+
1

,
del
,

(

τ
,
ι
,
1

)


*

:=





j
=
1


2

L





α


del


(

τ
,
ι
,
1

)


,
j




k

L
,
ran
,
j

*



+


ψ
1



k

L
,

del


(

τ
,
ι
,
1

)



*


+

{





σ

del
,

(

τ
,
ι
,
1

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
ι
,
1

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
1

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
1

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
1

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*








[

Formula





178

]







(S809: Key Distribution Step)


Using the communication device and through the network, for example, the key distribution unit 150 secretly provides to the lower-level decryption device 300 the delegation key skL+1 having elements of the lower-level decryption element k*L+1,dec, the first lower-level randomizing element k*L+1,ran,j′ (j′=1, . . . , 2(L+1)), the second lower-level randomizing element k*L+1,ran,(τ,ι,0)(τ=L+2, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), the first lower-level delegation element k*L+2,del,(τ,ι,0) (τ=L+2, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)), and the second lower-level delegation element k*L+2,del,(τ,ι,1)(τ=L+2, . . . , d; (τ,ι)=(τ,1), . . . , (τ,nτ)). It is obvious that the delegation key skL+1 may be provided to the lower-level decryption device 300 by other methods.


To summarize, in (S501) to (S507), the key delegation device 400 executes the DelegateL algorithm shown in Formulas 179 and 180, and generates the delegation key skL+1. Then, in (S508), the key delegation device 400 provides the generated delegation key skL+1 to the lower-level decryption device 300.











Delegate
L



(


p





k

,

sk
L

,


(



v



L
+
1


,

ρ

L
+
1



)

:=

(


(


v


L
+
1

,
1


,





,

v


L
+
1

,

n

L
+
1





)

,

ρ

L
+
1



)



)


:




[

Formula





179

]









for





j

=
1

,





,


2

L

;


j


=
1


,





,


2


(

L
+
1

)


;













τ
=

L
+
2


,





,

d
;


(

τ
,
ι

)

=

(

τ
,
1

)



,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;


(

t
,
i

)

=

(

t
=
1

)



,





,


(

t
,

w
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
ι
,
0

)

,
j


,


















σ

ran
,

(

τ
,
ι
,
0

)



,

φ

ran
,

(

τ
,
ι
,
0

)



,

α

del
,

(

τ
,
ι
,
0

)

,
j


,

σ

del
,

(

τ
,
ι
,
0

)



,









φ

del
,

(

τ
,
ι
,
0

)



,

α

del
,

(

τ
,
ι
,
l

)

,
j


,

σ

del
,

(

τ
,
ι
,
1

)



,

φ

del
,

(

τ
,
ι
,
l

)



,









η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)



,









η

del
,

(

τ
,
ι
,
1

)

,

(

t
,
i

)



,

ψ
0

,

ψ
1

,



U



q


,













k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+

{




(


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)







if






ρ
t


=
0






(


σ
dec

(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+







if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i

,

*

















k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+

{





σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

j




(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i

,

*


















k


L
+
1

,
ran
,

(

τ
,
ι
,
0

)


*

:=





j
=
1


2

L





α

ran
,


(

τ
,
ι

)


j

,




k

L
,
ran
,
j

*



+


φ

ran
,

(

τ
,
ι
,
0

)





k

L
,
ran
,

(

τ
,
ι
,
0

)


*


+

{





σ

ran
,

(

τ
,
ι
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

(

τ
,
ι
,
0

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,













k


L
+
1

,
del
,

(

τ
,
ι
,
0

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
ι
,
0

)

,
j




k

L
,
ran
,
j

*



+


φ

del
,

(

τ
,
ι
,
0

)





k

L
,

ran


(

τ
,
ι
,
0

)



*


+


ψ
0



k

L
,

del


(

τ
,
ι
,
0

)



*


+

{





σ

del
,

(

τ
,
ι
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
ι
,
0

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,




[

Formula





180

]








k


L
+
1

,
del
,

(

τ
,
ι
,
1

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
ι
,
1

)

,
j




k

L
,
ran
,
j

*



+


ψ
1



k

L
,

del


(

τ
,
ι
,
1

)



*


+

{





σ

del
,

(

τ
,
ι
,
1

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
ι
,
1

)



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+






if






ρ
t


=
1










i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L


)









}

+




i
=
1


w
t





η

del
,

(

τ
,
ι
,
1

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
ι
,
1

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
ι
,
1

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,












sk

L
+
1


:=

(



(


(



v


1

,

ρ
1


)

,





,

(



v



L
+
1


,

ρ

L
+
1



)


)

;









k


L
+
1

,
dec

*


,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,





,

2


(

L
+
1

)




,














{


k


L
+
1

,
ran
,

(

τ
,
ι
,
0

)


*

,

k


L
+
1

,
del
,

(

τ
,
ι
,
0

)


*

,




k


L
+
1

,
del
,

(

τ
,
ι
,
1

)


*

}



τ
=

L
+
2


,





,

d
;


(

τ
,
ι

)

=

(

τ
,
1

)



,





,

(

τ
,

n
τ


)




)

,











return







sk

L
+
1


.













When the lower-level decryption device 300 executes the Dec algorithm using the delegation key skL+1, the session key K is computed by computing Formula 170 if the inner product of (v{right arrow over ( )}1, . . . , v{right arrow over ( )}L+1) and (x{right arrow over ( )}1, . . . , x{right arrow over ( )}L+1) is 0 in (S403) of FIG. 15.


As described above, the cryptographic processing system 10 according to the second embodiment realizes the HPE scheme for inner products that allows decryption if the inner product of the attribute information and the predicate information is 0 for some portions and if the inner product of the attribute information and the predicate information is not 0 for the remaining portions. Therefore, it is possible to set a combination of positive and negative conditions and so on, for example.


In the above description, dimensions ut, wt, and zt (t=0, . . . , d) are provided for enhanced security. Therefore, at the cost of reduced security, dimensions ut, wt, and zt (t=0, . . . , d) may be omitted by setting ut, wt, and zt (t=0, . . . , d) respectively to 0.


In the above description, 1+u0+1+w0+z0 is set in N0 and nt+ut+wt+zt is set in Nt. However, 1+u0+1+w0+z0 may be replaced with 1+1+1+1+1 so that 5 is set in N0, and nt+ut+wt+zt may be replaced with nt+nt+nt+1 so that 3nt+1 is set in Nt.


In this case, the KeyGen algorithm shown in Formulas 168 and 169 are rewritten as shown in Formulas 181 and 182.










KeyGen


(

pk
,
sk
,

(



v
->

1

,

ρ
1


)

,





,

(



v
->

L

,

ρ
L


)


)


:=




[

Formula





181

]











(


(



(


v

1
,
1


,





,

v
1



,

n
1



)




q

n
1



,


ρ
1



{

0
,
1

}



)

,





,



















(



(


v

L
,
1


,





,

v

L
,

n
L




)




q

n
L



,


ρ
L



{

0
,
1

}



)

)

:
















for











j
=
1

,





,


2

L

;













τ
=

L
+
1


,





,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,





,


(

τ
,

n
τ


)

;




















ψ
,

s

dec
,
t


,



s

ran
,
j
,
t





U





q



(


t
=
1

,





,
L

)



;













θ

dec
,
t


,


θ

ran
,
j
,
t





U




q


,















η
->


dec
,
t


,


η
->


ran
,
j
,
t


,


η
->


ran
,
0
,
t


,




η
->


del
,
0
,
t










η
->


del
,
1
,
t





U




q

w
t









(


t
=
0

,





,
L

)


;


















s

ran
,
0
,
t


,

s

del
,
0
,
t


,


s

del
,
1
,
t





U




q


,









θ

ran
,
0
,
t


,

θ

del
,
0
,
t


,


θ

del
,
1
,
t





U




q


,














η
->


ran
,
0
,

(

τ
,
1

)



,


η
->


del
,
0
,

(

τ
,
l

)



,



η
->


del
,
1
,

(

τ
,
l

)






U




q

n
t



,


(


t
=
0

,





,

L
+
1


)

;














s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,


s

ran
,
0
,
0


:=




t
=
1

L



s

ran
,
0
,
t




,


















s

del
,
0
,
0


:=




t
=
1


L
+
1




s

del
,
0
,
t




,


s

del
,
1
,
0


:=




t
=
1


L
+
1




s

del
,
1
,
t




,













k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,
0
,
1
,

η

dec
,
0


,
0

)



0
*


,


















{






(




s

dec
,
t





e
->


t
,
1



+


θ

dec
,
t
,





v
->

t



,

0

n
t


,


η
->


dec
,
t


,
0

)



t
*


,





if






ρ
t


=
0








(



s

dec
,
t





v
->

t


,

0

n
t


,


η
->


dec
,
t


,
0

)



t
*


,





if






ρ
t


=
1




}

:
t

=

1








,
L

)

,












k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,
0
,
0
,

η

ran
,
j
,
0


,
0

)



0
*


,














{






(




s

ran
,
j
,
t





e
->


t
,
1



+


θ

ran
,
j
,
t





v
->

t



,

0

n
t


,


η
->


ran
,
j
,
t


,
0

)



t
*


,





if






ρ
t


=
0








(



s

ran
,
j
,
t





v
->

t


,

0

n
t


,


η
->


ran
,
j
,
t


,
0

)



t
*


,





if






ρ
t


=
1




}





:


















t
=
1

,





,
L

)

,












k

L
,
ran
,

(

τ
,
l
,
0

)


*

:=

(



(


-

s

ran
,
0
,
0



,
0
,
0
,

η

ran
,
0
,
0


,
0

)



0
*


,






[

Formula





182

]







{






(




s

ran
,
0
,
t





e
->


t
,
1



+


θ

ran
,
0
,
t





v
->

t



,

0

n
t


,


η
->


ran
,
0
,
t


,
0

)



t
*


,





if






ρ
t


=
0








(



s

ran
,
0
,
t





v
->

t


,

0

n
t


,


η
->


ran
,
0
,
t


,
0

)



t
*


,





if






ρ
t


=
1








}





:


















t
=
1

,





,
L

)

,


















(



s

ran
,
0
,

L
+
1






e
->


τ
,
1



,

0

n
τ


,


η
->


ran
,
0
,

(

τ
,
l

)



,
0

)



τ
*


)

,












k

L
,
del
,

(

τ
,
l
,
0

)


*

:=

(



(


-

s

del
,
0
,
0



,
0
,
0
,

η

del
,
0
,
0


,
0

)



0
*


,














{






(




s

del
,
0
,
t





e
->


t
,
1



+


θ

del
,
0
,
t





v
->

t



,

0

n
t


,


η
->


del
,
0
,
t


,
0

)



t
*


,





if






ρ
t


=
0








(



s

del
,
0
,
t





v
->

t


,

0

n
t


,


η
->


del
,
0
,
t


,
0

)



t
*


,





if






ρ
t


=
1








}





:


















t
=
1

,





,
L

)

,

















(



s

del
,
0
,

L
+
1






e
->


τ
,
l



,

ψ







e
->


τ
,
l



,

0

n
τ


,


η
->


del
,
0
,

(

τ
,
l

)



,
0

)



τ
*


)












k

L
,
del
,


(

τ
,
l
,
1

)

:


*

:=

(



(


-

s

del
,
1
,
0



,
0
,
0
,

η

del
,
1
,
0


,
0

)



0
*


,














{






(




s

del
,
1
,
t





e
->


t
,
1



+


θ

del
,
1
,
t





v
->

t



,

0

n
t


,


η
->


del
,
1
,
t


,
0

)



t
*


,





if






ρ
t


=
0








(



s

del
,
1
,
t





v
->

t


,

0

n
t


,


η
->


del
,
1
,
t


,
0

)



t
*


,





if






ρ
t


=
1








}





:


















t
=
1

,





,
L

)

,


















(



s

del
,
1
,

L
+
1






e
->


τ
,
l



,

0

n
τ


,


η
->


del
,
1
,

(

τ
,
l

)



,
0

)



τ
*


)

,












sk
L

:=

















(






(


(



v
->

1

,

ρ
1


)

,





,

(



v
->

L

,

ρ
L


)


)

;

k

L
,
dec

*


,


{

k

L
,
ran
,
j

*

}



j
=
1

,









,

2

L



,







{





k

L
,
ran
,

(

τ
,
l
,
0

)


*

,

k

L
,
del
,

(

τ
,
l
,
0

)


*

,






k

L
,
del
,

(

τ
,
l
,
1

)


*




}



τ
=

L
+
1


,





,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,





,

(

τ
,

n
τ


)






)

,

















return







sk
L

.














The DelegateL algorithm shown in Formulas 179 and 180 are rewritten as shown in Formulas 183 and 184.

















Delegate
L



(

pk
,

sk
L

,


(



v
->


L
+
1


,

ρ

L
+
1



)

:=

(


(


v


L
+
1

,


,





,

v


L
+
1

,

n

L
+
1





)

,

ρ

L
+
1



)



)


:








for












j
=
1

,









,


2

L

;














j


=
1

,





,


2


(

L
+
1

)


;













τ
=

L
+
2


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;














(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

n
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
l
,
0

)

,
j


,

σ

ran
,

(

τ
,
l
,
0

)



,

φ

ran
,

(

τ
,
l
,
0

)



,










α

del
,

(

τ
,
l
,
0

)

,




σ

del
,

(

τ
,
l
,
0

)




,

φ

del
,

(

τ
,
l
,
0

)



,

α

del
,

(

τ
,
l
,
1

)

,
j


,

σ

del
,

(

τ
,
l
,
1

)



,

φ

del
,

(

τ
,
l
,
1

)



,









η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
l
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
l
,
1

)

,

(

t
,
i

)



,









ψ
0

,

ψ
1

,



U




q


,






[

Formula





183

]








k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+

{




(


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)







if






ρ
t


=
0






(


σ
dec



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)







if






ρ
t


=
1




}

+


η

dec
,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
i





η

dec
,

(

t
,
i

)





b

t
,


2


n
t


+
i

,

*














k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+

{





σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,

del


(


L
+
1

,
i
,
0

)



*



)






if






ρ
t


=
0







σ

ran
,

j






(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+


η

ran
,

j


,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


2


n
t


+
i


*






,














k


L
+
1

,
ran
,

(

τ
,
l
,
0

)


*

:=




j
=
1


2

L




α

ran
,


(

τ
,
l

)


j





,


k

L
,
ran
,
j

*

+


φ

ran
,

(

τ
,
l
,
0

)





k

L
,
ran
,

(

τ
,
l
,
0

)


*


+

{





σ

ran
,

(

τ
,
l
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

(

τ
,
l
,
0

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+


η

del
,

(

τ
,
l
,
0

)

,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)





b

t
,


2


n
t


+
i


*




+




i
=
1


n
τ





η

del
,

(

τ
,
l
,
0

)

,

(

τ
,
i

)





b

τ
,


2


n
τ


+
i


*




,














k


L
+
1

,
del
,

(

τ
,
l
,
0

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l
,
0

)

,
j




k

L
,
ran
,
j

*



+


φ

del
,

(

τ
,
l
,
0

)





k

L
,

ran


(

τ
,
l
,
0

)



*


+


ψ
0



k

L
,

del


(

τ
,
l
,
0

)



*


+

{





σ

del
,

(

τ
,
l
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
l
,
0

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L






i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+


η

del
,

(

τ
,
l
,
0

)

,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)





b

t
,


2


n
t


+
i


*




+




i
=
1


n
τ





η

del
,

(

τ
,
l
,
0

)

,

(

τ
,
i

)





b

τ
,


2


n
τ


+
i


*





,






k


L
+
1

,
del
,

(

τ
,
l
,
1

)


*

:=





j
=
1


2

L





α


del


(

τ
,
l
,
1

)


,
j




k

L
,
ran
,
j

*



+


ψ
1



k

L
,

del


(

τ
,
l
,
1

)



*


+

{





σ

del
,

(

τ
,
l
,
1

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
l
,
1

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+


η

del
,

(

τ
,
l
,
1

)

,

(

0
,
1

)





b

0
,
4

*


+




t
=
1


L
+
1







i
=
1


n
t





η

del
,

(

τ
,
l
,
1

)

,

(

t
,
i

)





b

t
,


2


n
t


+
i


*




+




i
=
1


n
τ





η

del
,

(

τ
,
l
,
1

)

,

(

τ
,
i

)





b

τ
,


2


n
τ


+
i


*





,






sk

L
+
1


:=

(



(


(



v
->

1

,

ρ
1


)

,





,

(



v
->


L
+
1


,

ρ

L
+
1



)


)

;

k


L
+
1

,
dec

*


,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,









,

2


(

L
+
1

)




,


{


k


L
+
1

,
ran
,

(

τ
,
l
,
0

)


*

,

k


L
+
1

,
del
,

(

τ
,
l
,
0

)


*

,

k


L
+
1

,
del
,

(

τ
,
l
,
1

)


*


}



τ
=

L
+
2


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,









return







sk

L
+
1


.











[

Formula





184

]







The Dec algorithm shown in Formula 172 remains the same.


The Setup algorithm needs to be executed once when the cryptographic processing system 10 is set up, and does not have to be executed each time a decryption key is generated. In the above description, the Setup algorithm and the KeyGen algorithm are executed by the key generation device 100. However, the Setup algorithm and the KeyGen algorithm may be executed by different devices.


Third Embodiment

In the above embodiments, the methods for implementing the cryptographic processes in dual vector spaces have been described. In this embodiment, a method for implementing the cryptographic processes in dual modules will be described.


That is, in the above embodiments, the cryptographic processes are implemented in cyclic groups of prime order q. However, when a ring R is expressed using a composite number M as shown in Formula 185, the cryptographic processes described in the above embodiments can be adapted to a module having the ring R as a coefficient.






custom-character/Mcustom-character  [Formula 185]


where

custom-character: integer,


M: composite number.


When the HPE scheme described in the first embodiment is implemented in the module having the R as the coefficient, the HPE scheme is represented as shown in Formulas 186 to 193.











Setup


(


1
λ

,


n
->

:=

(


d
;

n
1


,





,

n
d

,

u
0

,









,

u
d

,

w
0

,





,

w
d

,

z
0

,





,

z
d


)



)


:



(


param

n
->


,


{



t

,


t
*


}



t
=
0

,









,
d



)




R




ob




(


1
λ

,

n
->


)



,




[

Formula





186

]










^

0

:=

(


b

0
,
1


,

b

0
,

1
+

u
0

+
1



,

b

0
,

1
+

u
0

+
1
+

w
0

+
1



,









,

b

0
,

1
+

u
0

+
1
+

w
0

+

z
0





)


,














^

t

:=

(


b

t
,
1


,





,

b

t
,

n
t



,

b

t
,


n
t

+

u
t

+

w
t

+
1



,





,

b

t
,


n
t

+

u
t

+

w
t

+

z
t





)



















for





t

=
1

,





,
d
,












^

0
*

:=

(


b

0
,
1

*

,

b

0
,

1
+

u
0

+
1


*


)


,












^

t
*

:=



(


b

t
,
1

*

,





,

b

t
,

n
t


*


)










for





t

=
1


,





,
d
,













pk
:=

(


1
λ

,

param

n
->


,


{



^

t

}



t
=
0

,









,
d


,

b

0
,

1
+

u
0

+
1
+
1


*

,





,

b

0
,

1
+

u
0

+
1
+

w
0



*

,


{


b

t
,


n
t

+

u
t

+
1


*

,





,

b

t
,


n
t

+

u
t

+

w
t



*


}



t
=
1

,









,
d



)


,

















sk
:=


{



^

t
*

}



t
=
0

,









,
d



,









return





pk

,

sk
.















ob

(


1
λ

,


n
->

:=

(

d
;


n
->

:=

(


d
;

n
1


,





,

n
d

,

u
0

,





,

u
d

,

w
0

,





,

w
d

,

z
0

,





,

z
d


)










[

Formula





187

]








N
0

:=

1
+

u
0

+
1
+

w
0

+

z
0



,


N
t

:=


n
t

+

u
t

+

w
t

+

z
t
















for





t

=
1

,





,
d
,










param


:=



(

q
,

,


T

,
g
,
e

)




R




bpg




(

1
λ

)



,

















ψ



U




x


,










For





t

=
0

,





,
d
,














param


t


:=


(

q
,


t

,


T

,


t

,
e

)

:=



dpvs



(


1
λ

,

N
t

,

param



)




,













X
t

:=



(

χ

i
,
i
,
j


)


i
,
j





U



GL


(


N
t

,


)




,



(

v

t
,
i
,
j


)


i
,
j


:=

ϕ
·


(

X
t
T

)


-
1




,













b

t
,
i


:=



(


χ

t
,
i
,
1


,





,

χ

t
,
i
,

N
t




)



t


=




j
=
1


N
t





χ

t
,
i
,
j




a

t
,
j






,














t

:=

(


b

t
,
1


,





,

b

t
,

N
t




)


,













b

t
,
i

*

:=



(


v

t
,
i
,
1


,





,

v

t
,
i
,

N
t




)



t


=




j
=
1


N
t





v

t
,
i
,
j




a

t
,
j






,














t
*

:=

(


b

t
,
1

*

,





,

b

t
,

N
t


*


)


,


g
T

:=


e


(

g
,
g

)


ψ


,












param

n
->


:=

(



{

param


t


}



t
=
0

,









,
d
,




g
T


)

















return







(


param

n
->


,


{



t

,


t
*


}



t
=
0

,









,
d



)

.














KeyGen


(

pk
,
sk
,


(



v
->

1

,





,


v
->

L


)

:=

(


v

1
,
1


,





,

v

1
,

n
1




)


,









,

(


v

L
,
1


,





,

v

L
,

n
L




)


)


:




[

Formula





188

]









for





j

=
1

,









,


2

L

;













τ
=

L
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;


















ψ
,

s

dec
,
t


,




s

ran
,
j
,
t





U






(


t
=
1

,





,
L

)


;














θ

dec
,
t


,


θ

ran
,
j
,
t





U




,


η
->


dec
,
t


,




η
->


ran
,
j
,
t





U






w
t




(


t
=
0

,





,
L

)



;


















s

ran
,

(

τ
,
l

)

,
t


,




s

del
,

(

τ
,
l

)

,
t





U






(


t
=
1

,





,

L
+
1


)


;














θ

ran
,

(

τ
,
l

)

,
t


,


θ

del
,

(

τ
,
l

)

,
t





U




,


η
->


ran
,

(

τ
,
l

)

,
t


,














η
->


del
,

(

τ
,
l

)

,
t





U





w
t



,


(


t
=
0

,





,

L
+
1


)

;














s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,













s

ran
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

ran
,

(

τ
,
l

)

,
t




,


s

del
,

(

τ
,
l

)

,
0


:=




t
=
1


L
+
1




s

del
,

(

τ
,
l

)

,
t




,












k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,

0

u
0


,
1
,


η
->


dec
,
0


,

0

z
0



)



0
*


,






[

Formula





189

]












(




s

dec
,
t





e
->


t
,
1



+


θ

dec
,
t





v
->

t



,

0

u
t


,


η
->


dec
,
t


,

0

z
t



)



t
*


:
t

=
1

,





,
L

)

,












k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,

0

u
0


,
0
,


η
->


ran
,
j
,
0


,

0

z
0



)



0
*


,


















(




s

ran
,
j
,
t





e
->


t
,
1



+


θ

ran
,
j
,
t





v
->

t



,

0

u
t


,


η
->


ran
,
j
,
t


,

0

z
t



)



t
*


:

t
-
1


,









,
L

)

,












k

L
,
ran
,

(

τ
,
l

)


*

:=

(



(


-

s

ran
,

(

τ
,
l

)

,
0



,

0

u
0


,
0
,


η
->


ran
,

(

τ
,
l

)

,
0


,

0

z
0



)



0
*


,




(




s

ran
,

(

τ
,
l

)

,
t





e
->


t
,
1



+


θ

ran
,

(

τ
,
l

)

,
t





v
->

t



,

0

u
t


,


η
->


ran
,

(

τ
,
l

)

,
t


,

0

z
t



)



t
*


:
t

=
















1
,









,


L


(



s

ran
,

(

τ
,
l

)

,

L
+
1






e
->


τ
,
1



,

0

u
τ


,


η
->


ran
,

(

τ
,
l

)

,

L
+
1



,

0

z
τ



)




τ
*



)

,












k

L
,
del
,

(

τ
,
l

)


*

:=

(



(


-

s

del
,

(

τ
,
l

)

,
0



,

0

u
0


,
0
,


η
->


del
,

(

τ
,
l

)

,
0


,

0

z
0



)



0
*


,

















(




s

del
,

(

τ
,
t

)

,
t





e
->


t
,
1



+


θ

del
,

(

τ
,
l

)

,
t





v
->

t



,

0

u
t


,


η
->


del
,

(

τ
,
l

)

,
t


,

0

z
t



)



t
*


:
t

=
1

,









,













L



(




s

del
,

(

τ
,
l

)

,

L
+
1






e
->


τ
,
1



+

ψ







e
->


τ
,
l




,

0

u
τ


,


η
->


del
,

(

τ
,
l

)

,

L
+
1



,

0

z
τ



)



τ
*



)

,













sk
L

:=

(


k

L
,
dec

*

,


{

k

L
,
ran
,
j

*

}



j
=
1

,









,

2

L



,


{

k

L
,
ran
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)



,


{

k

L
,
del
,

(

τ
,
l

)


*

}



τ
=

L
+
1


,









,

d
;


(

τ
,
1

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,












return







sk
L

.

















Enc
(

pk
,

m



T


,



(



x
->

1

,





,


x
->

L


)

:=


(


(


x

1
,
1


,





,

x

1
,

n
1




)

,





,

(


x

L
,
1


,





,

x

L
,

n
L




)


)

:



(



x
->


L
+
1


,





,


x
->

d


)




U





n

L
+
1




×

×



n
d





;






[

Formula





190

]











ω
,

ζ



U




,




ϕ
->

t




U





z
t





(


t
=
0

,





,
d

)


,














c
1

:=

(



(

ω
,

0

u
0


,
ζ
,

0

w
0


,


ϕ
->

0


)



0


,




(


ω







x
->

t


,

0

u
t


,

0

w
t


,


ϕ
->

t


)








t


:
t

=
1

,





,
d

)


,













c
2

:=


g
T
ζ


m


,













ct
:=

(


c
1

,

c
2


)


,









return






ct
.





















Dec


(

pk
,

k

L
,
dec

*

,
ct

)


:

m



:=


c
2

/

e


(


c
1

,

k

L
,
dec

*


)














return







m


.







[

Formula





191

]








Delegate
L



(

pk
,

sk
L

,



v
->


L
+
1


:=

(


v


L
+
1

,
1


,





,

v


L
+
1

,

n

L
+
1





)



)


;




[

Formula





192

]






for











j
=
1

,





,


2

L

;














j


=
1

,





,


2


(

L
+
1

)


;













τ
=

L
+
2


,









,

d
;





















(

τ
,
l

)

=

(

τ
,
l

)


,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;














(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

w
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
l

)

,
j


,

σ

ran
,

(

τ
,
l

)



,



















φ

ran
,

(

τ
,
l

)



,

α

del
,

(

τ
,
l

)

,
j


,

σ

del
,

(

τ
,
l

)



,

φ

del
,

(

τ
,
l

)



,

ψ


,









η

dec
,

(

t
,
i

)



,

η

ran
,

(

t
,
i

)



,

η

ran
,

(

τ
,
l

)

,

(

t
,
i

)



,


η

del
,

(

τ
,
l

)

,

(

t
,
i

)






U




,














k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
i





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
i





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*






,




[

Formula





193

]








k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+


σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
i





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*






,













k


L
+
1

,
ran
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

ran
,

(

τ
,
l

)

,
j




k

L
,
ran
,
j

*



+


σ

ran
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


φ

ran
,

(

τ
,
l

)





k

L
,
ran
,

(

τ
,
l

)


*


+




i
=
1


w
t





η

ran
,

(

τ
,
l

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
i





η

ran
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

ran
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,













k


L
+
1

,
del
,

(

τ
,
l

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
i

)

,
j




k

L
,
ran
,
j

*



+


σ

del
,

(

τ
,
l

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i

)


*



)


+


ψ




k

L
,
del
,

(

τ
,
l

)


*


+


φ

del
,

(

τ
,
l

)





k

L
,

ran


(

τ
,
l

)



*


+




i
=
1


w
t





η

del
,

(

τ
,
l

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
l

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
l

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,













sk

L
+
1


:=

(


k


L
+
1

,
dec

*

,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,









,

2


(

L
+
1

)




,


{


k


L
+
1

,
ran
,

(

τ
,
l

)


*

,

k


L
+
1

,
del
,

(

τ
,
l

)


*


}



τ
=

L
+
2


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,









return






sk

L
+
1















When the HPE scheme described in the second embodiment is implemented in the module having the ring R as the coefficient, the HPE scheme is expressed as shown in Formulas 194 to 199. The Setup algorithm and the Gob algorithm are as shown in Formulas 186 and 187 respectively.











KeyGen


(

pk
,
sk
,

(



v
->

1

,

ρ
1


)

,





,

(



v
->

L

,

ρ
L


)


)


:=


(


(



(


v

1
,
1


,





,

v

1
,

n
1




)





n
1



,


ρ
1



{

0
,
1

}



)

,





,

(



(


v

L
,
1


,





,

v

L
,

n
L




)





n
L



,


ρ
L



{

0
,
1

}



)


)

:








for













j
=
1

,





,


2

L

;













τ
=

L
+
1


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;












ψ
,

s

dec
,
t


,



s

ran
,
j
,
t





U






(


t
=
1

,





,
L

)



;













θ

dec
,
t


,


θ

ran
,
j
,
t





U




,










η
->


dec
,
t


,


η
->


ran
,
j
,
t


,


η
->


ran
,
0
,
t


,




η
->


del
,
0
,
t






η
->


del
,
1
,
t





U





w
t









(


t
=
0

,





,
L

)


;













s

ran
,
0
,
t


,

s

del
,
0
,
t


,


s

del
,
1
,
t





U




,









θ

ran
,
0
,
t


,

θ

del
,
0
,
t


,


θ

del
,
1
,
t





U




,





[

Formula





194

]














η
->


ran
,
0
,

(

τ
,
l

)



,


η



del
,
0
,

(

τ
,
l

)



,



η
->


del
,
1
,

(

τ
,
l

)






U





w
t



,


(


t
=
0

,





,

L
+
1


)

;














s

dec
,
0


:=




t
=
1

L



s

dec
,
t




,


s

ran
,
j
,
0


:=




t
=
1

L



s

ran
,
j
,
t




,


s

ran
,
0
,
0


:=




t
=
1

L



s

ran
,
0
,
t




,










s

del
,
0
,
0


:=




t
=
1


L
+
1




s

del
,
0
,
t




,


s

del
,
1
,
0


:=




t
=
1


L
+
1




s

del
,
1
,
t




,










k

L
,
dec

*

:=

(



(


-

s

dec
,
0



,

0

u
0


,
1
,


η
->


dec
,
0


,

0

z
0



)



0
*


,



{






(




s

dec
,
t





e
->


t
,
1



+


θ

dec
,
t
,





v
->

t



,

0

u
t


,


η
->


dec
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
0








(



s

dec
,
t





v
->

t


,

0

u
t


,


η
->


dec
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
1




}

:
t

=
1

,





,
L

)


,










k

L
,
ran
,
j

*

:=

(



(


-

s

ran
,
j
,
0



,

0

u
0


,
0
,


η
->


ran
,
j
,
0


,

0

z
0



)



0
*


,



{






(




s

ran
,
j
,
t





e
->


t
,
1



+


θ

ran
,
j
,
t





v
->

t



,

0

u
t


,


η
->


ran
,
j
,
t


,

0

z
t



)




*
t



,





if






ρ
t


=
0








(



s

ran
,
j
,
t





v
->

t


,

0

u
t


,


η
->


ran
,
j
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,























k

L
,
ran
,

(

τ
,
l
,
0

)


*

:=

(



(


-

s

ran
,
0
,
0



,

0

u
0


,
0
,


η
->


ran
,
0
,
0


,

0

z
0



)



0
*


,



{






(




s

ran
,
0
,
t





e
->


t
,
1



+


θ

ran
,
0
,
t





v
->

t



,

0

u
t


,


η
->


ran
,
0
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
0








(



s

ran
,
0
,
t





v
->

t


,

0

u
t


,


η
->


ran
,
0
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

ran
,
0
,

L
+
1






e
->


τ
,
1



,

0

u
τ


,


η
->


ran
,
0
,

(

τ
,
l

)



,

0

z
τ



)



τ
*



)

,










k

L
,
del
,

(

τ
,
l
,
0

)


*

:=

(



(


-

s

del
,
0
,
0



,

0

u
0


,
0
,


η
->


del
,
0
,
0


,

0

z
0



)



0
*


,



{






(




s

del
,
0
,
t





e
->


t
,
1



+


θ

del
,
0
,
t





v
->

t



,

0

u
t


,


η
->


del
,
0
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
0








(



s

del
,
0
,
t





v
->

t


,

0

u
t


,


η
->


del
,
0
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

del
,
0
,

L
+
1






e
->


τ
,
1



,


+
ψ




e
->


τ
,
l



,

0

u
τ


,


η
->


del
,
0
,

(

τ
,
l

)



,

0

z
τ



)



τ
*



)

,




[

Formula





195

]














k

L
,
del
,

(

τ
,
t
,
1

)


*

:=

(



(



-

s

del
,
1
,
0





0

u
0



,
0
,


η
->


del
,
1
,
0


,

0

z
0



)



0
*


,



{





(




s

del
,
1
,
t





e
->


t
,
1



+


θ

del
,
1
,
t





v
->

t



,

0

u
t


,


η
->


del
,
1
,
t


,

0

z
t



)



t
*






if






ρ
t


=
0








(



s

del
,
1
,
t





v
->

t


,

0

u
t


,


η
->


del
,
1
,
t


,

0

z
t



)



t
*


,





if






ρ
t


=
1








}





:
t

=
1

,





,
L

)


,










(



s

del
,
1
,

L
+
1






e
->


τ
,
l



,

0

u
τ


,


η
->


del
,
1
,

(

τ
,
l

)



,

0

z
t



)



τ
*



)

,










sk
L

:=

(






(


(



v
->

1

,

ρ
1


)

,





,

(



v
->

L

,

ρ
L


)


)

;

k

L
,
dec

*


,


{

k

L
,
ran
,
j

*

}



j
=
1

,









,

2

L



,







{





k

L
,
ran
,

(

τ
,
l
,
0

)


*

,

k

L
,
del
,

(

τ
,
l
,
0

)


*

,






k

L
,
del
,

(

τ
,
l
,
1

)


*




}



τ
=

L
+
1


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)






)


,









return







sk
L

.


















Enc
(

pk
,

m



T


,



(



x
->

1

,





,


x
->

L


)

:=


(


(


x

1
,
1


,





,

x

1
,

n
1




)

,





,

(


x

L
,
1


,





,

x

L
,

n
L




)


)

:











(



x
->


L
+
1


,





,


x
->

d


)




U





n

L
+
1




×

×



n
d





;








ω

,

ζ



U




,



ϕ
->

t




U






z
t




(


t
=
0

,





,
d

)



,










c
1

:=

(



(

ω
,

0

u
0


,
ζ
,

0

w
0


,


ϕ
->

0


)



0


,




(


ω







x
->

t


,

0

u
t


,

0

w
t


,


ϕ
->

t


)








t


:
t

=
1

,





,
d

)


,










c
2

:=


g
T
ζ


m


,









ct
:=

(



(



x
->

1

,





,


x
->

L


)

;

c
1


,

c
2


)


,









return






ct
.








[

Formula





196

]














Dec


(

pk
,

sk
L

,
ct

)


:
K

:=


e


(


c

1
,
0


,

k

L
,
dec
,
0

*


)


·





1

t


d


ρ
t



=
0





e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)


·





1

t


d


ρ
t



=
1





e


(


c

1
,
t


,

k

L
,
dec
,
t

*


)



1
/

(



v
->

t

·


x
->

t


)








,










where








(



k

L
,
dec
,
0

*






0
*




,





,


k

L
,
dec
,
d

*






d
*





)

:=

k

L
,
dec

*


,









(



c

1
,
0







0
*




,





,



c

1
,
d







d
*




:=

c
1


,










m


:=


c
2

/
K


,









return







m


.









[

Formula





197

]














Delegate
L



(

pk
,

sk
L

,


(


v
->



L
+
1

,

ρ

L
+
1




)

:=

(


(

v


L
+
1

,
1
,









,

v


L
+
1

,

n

L
+
1






)

,

ρ

L
+
1



)



)


:








for












j
=
1

,





,


2

L

;














j


=
1

,





,


2


(

L
+
1

)


;













τ
=

L
+
2


,





,

d
;














(

τ
,
l

)

=

(

τ
,
1

)


,





,


(

τ
,

n
τ


)

;













t
=
0

,





,

L
+
1

,

τ
;














(

t
,
i

)

=

(

t
,
1

)


,





,


(

t
,

w
t


)

;













α

dec
,
j


,

σ
dec

,

α

ran
,

j


,
j


,

σ

ran
,

j




,

α

ran
,

(

τ
,
l
,
0

)

,
j


,

σ

ran
,

(

τ
,
l
,
0

)



,

φ

ran
,

(

τ
,
l
,
0

)



,









α

del
,

(

τ
,
l
,
0

)

,
j


,

σ

del
,

(

τ
,
l
,
0

)



,

φ

del
,

(

τ
,
l
,
0

)



,

α

del
,

(

τ
,
l
,
1

)

,
j


,

σ

del
,

(

τ
,
l
,
1

)



,

φ

del
,

(

τ
,
l
,
1

)



,









η

dec
,

(

t
,
i

)



,

η

ran
,

j


,

(

t
,
i

)



,

η

ran
,

(

τ
,
l
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)



,

η

del
,

(

τ
,
t
,
1

)

,

(

t
,
i

)



,









ψ
0

,

ψ
1

,



U




,






k


L
+
1

,
dec

*

:=


k

L
,
dec

*

+




j
=
1


2

L





α

dec
,
j




k

L
,
ran
,
j

*



+

{




(


σ
dec



(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)







if






ρ
t


=
0






(


σ
dec



(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)







if






ρ
t


=
1




}

+




i
=
1


w
t





η

dec
,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

dec
,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i

,

*














k


L
+
1

,
ran
,

j



*

:=





j
=
1


2

L





α

ran
,

j


,
j




k

L
,
ran
,
j

*



+

{





σ

ran
,

j






(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

j






(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+




i
=
1


w
t





η

ran
,

j


,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

ran
,

j


,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i

,

*











[

Formula





198

]








k


L
+
1

,
ran
,

(

τ
,
l
,
0

)


*

:=





j
=
1


2

L





α

ran
,


(

τ
,
l

)


j

,




k

L
,
ran
,
j

*



+


φ

ran
,

(

τ
,
l
,
0

)





k

L
,
ran
,

(

τ
,
l
,
0

)


*


+

{





σ

ran
,

(

τ
,
l
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

ran
,

(

τ
,
l
,
0

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+




i
=
1


w
t





η

del
,

(

τ
,
l
,
0

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
t





η

del
,

(

τ
,
l
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i


*





,















k


L
+
1

,
del
,

(

τ
,
l
,
0

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l
,
0

)

,
j




k

L
,
ran
,
j

*



+


φ

del
,

(

τ
,
l
,
0

)





k

L
,

ran


(

τ
,
l
,
0

)



*


+


ψ
0



k

L
,

del


(

τ
,
l
,
0

)



*


+

{





σ

del
,

(

τ
,
l
,
0

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
l
,
0

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+




i
=
1


w
t





η

del
,

(

τ
,
l
,
0

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
t





η

del
,

(

τ
,
l
,
0

)

,

(

t
,
i

)





b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
l
,
0

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i

,

*












k


L
+
1

,
del
,

(

τ
,
l
,
1

)


*

:=





j
=
1


2

L





α

del
,

(

τ
,
l
,
1

)

,
j




k

L
,
ran
,
j

*



+


ψ
1



k

L
,

del


(

τ
,
l
,
1

)



*


+

{





σ

del
,

(

τ
,
l
,
1

)





(




i
=
1


n

L
+
1






v


L
+
1

,
i




k

L
,
del
,

(


L
+
1

,
i
,
0

)


*



)






if






ρ
t


=
0







σ

del
,

(

τ
,
l
,
1

)





(



[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]

L

+




i
=
1


n

L
+
1







v


L
+
1

,
i




[

k

L
,
del
,

(


L
+
1

,
i
,
1

)


*

]


L



)






if






ρ
t


=
1




}

+




i
=
1


w
t





η

del
,

(

τ
,
l
,
1

)

,

(

0
,
i

)





b

0
,

1
+

u
0

+
1
+
i


*



+




t
=
1


L
+
1







i
=
1


w
i





η

del
,

(

τ
,
l
,
1

)

,
i




b

t
,


n
t

+

u
t

+
i


*




+




i
=
1


w
τ





η

del
,

(

τ
,
l
,
1

)

,

(

τ
,
i

)





b

τ
,


n
τ

+

u
τ

+
i

,

*














sk

L
+
1


:=

(



(


(



v
->

1

,

ρ
1


)

,





,

(



v
->


L
+
1


,

ρ

L
+
1



)


)

;

k


L
+
1

,
dec

*


,


{

k


L
+
1

,
ran
,

j



*

}




j


=
1

,









,

2


(

L
+
1

)




,


{


k


L
+
1

,
ran
,

(

τ
,
l
,
0

)


*

,

k


L
+
1

,
del
,

(

τ
,
l
,
0

)


*

,

k


L
+
1

,
del
,

(

τ
,
l
,
1

)


*


}



τ
=

L
+
2


,









,

d
;


(

τ
,
l

)

=

(

τ
,
1

)



,









,

(

τ
,

n
τ


)




)


,









return







sk

L
+
1


.












[

Formula





199

]







A hardware configuration of the cryptographic processing system 10 (the key generation device 100, the encryption device 200, the decryption device 300, the key delegation device 400) in the embodiments will now be described.



FIG. 20 is a diagram showing an example of a hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400.


As shown in FIG. 20, the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400 each include the CPU 911 (central processing unit, also called a processing unit, an arithmetic unit, a microprocessor, a microcomputer, or a processor). The CPU 911 is connected through a bus 912 with the ROM 913, the RAM 914, the LCD 901 (liquid crystal display), the keyboard 902 (K,bB), the communication board 915, and the magnetic disk device 920, and controls these hardware devices. The magnetic disk device 920 (fixed disk device) may be replaced with a storage device such as an optical disk device or a memory card read,bwrite device. The magnetic disk device 920 is connected through a predetermined fixed disk interface.


The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. The RAM 914 is an example of a volatile memory. The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of a storage device (memory). The keyboard 902 and the communication board 915 are examples of an input device. The communication board 915 is an example of a communication device. The LCD 901 is an example of a display device.


The magnetic disk device 920, the ROM 913, or the like stores an operating system 921 (OS), a window system 922, programs 923, and files 924. The programs 923 are executed by the CPU 911, the operating system 921, and the window system 922.


The programs 923 store software or programs for executing the functions described hereinabove as “the master key generation unit 110”, “the master key storage unit 120”, “the information input unit 130”, “the decryption key generation unit 140”, “the key distribution unit 150”, “the master public key acquisition unit 210”, “the information input unit 220”, “the ciphertext generation unit 230”, “the data transmission unit 240”, “the decryption key acquisition unit 310”, “the data receiving unit 320”, “the pairing operation unit 330”, “the message computation unit 340”, “the decryption key acquisition unit 410”, “the information input unit 420”, “the delegation key generation unit 430”, “the key distribution unit 440” and so on, as well as other programs. The programs are read and executed by the CPU 911. The files 924 store information, data, signal values, variable values, and parameters, such as “the master public key pk”, “the master secret key sk”, “the decryption key skL”, “the delegation key skL+1”, “the ciphertext ct”, “the attribute information”, “the predicate information”, and “the message m” described hereinabove, each of which is stored as an item of a “file” or a “database”. The “file” or “database” is stored in a storage device such as a disk or memory. The information, data, signal values, variable values, and parameters stored in the storage device such as the disk or memory are read by the CPU 911 through a read,bwrite circuit to a main memory or a cache memory, and are used for operations of the CPU 911 such as extraction, search, reference, comparison, calculation, computation, processing, output, printing, and display. The information, data, signal values, variable values, and parameters are temporarily stored in the main memory, the cache memory, or a buffer memory during the operations of the CPU 911 such as extraction, search, reference, comparison, calculation, computation, processing, output, printing, and display.


In the flowcharts described hereinabove, an arrow mainly represents an input,boutput of data or a signal, and each data or signal value is stored in the RAM 914, or other types of storage medium such as an optical disk, or an IC chip. The data or signal is transferred online through the bus 912, a signal line, a cable, other types of transfer medium, or a radio wave.


What is described hereinabove as “ . . . unit” may be “ . . . circuit”, “ . . . device”, “ . . . equipment”, “ . . . means”, or “ . . . function”, and may also be “ . . . step”, “ . . . procedure”, or “ . . . process”. What is described as “ . . . device” may be “ . . . circuit”, “ . . . equipment”, “ . . . means”, or “ . . . function”, and may also be “ . . . step”, “ . . . procedure”, or “ . . . process”. What is described as “ . . . process” may be “ . . . step”. That is, what is described as “ . . . unit” may be implemented by firmware stored in the ROM 913. Alternatively, “ . . . unit” may be implemented solely by software, or solely by hardware such as elements, devices, boards, and wiring, or by a combination of software and hardware, or by a combination including firmware. Firmware or software is stored as a program in a storage medium such as the ROM 913. The programs are read by the CPU 911 and executed by the CPU 911. That is, each program causes a computer or the like to function as “ . . . unit” described above. Alternatively, each program causes the computer or the like to execute a procedure or a method of “ . . . unit” described above.


LIST OF REFERENCE SIGNS




  • 10: cryptographic processing system, 100: key generation device, 110: master key generation unit, 120: master key storage unit, 130: information input unit, 140: decryption key generation unit, 141: random number generation unit, 142: decryption element generation unit, 143: randomizing element generation unit, 144: delegation element generation unit, 150: key distribution unit, 200: encryption device, 210: master public key acquisition unit, 220: information input unit, 221: attribute information input unit, 222: message input unit, 230: ciphertext generation unit, 231: random number generation unit, 232: ciphertext c1 generation unit, 233: ciphertext c2 generation unit, 240: data transmission unit, 300: decryption device, 310: decryption key acquisition unit, 320: data receiving unit, 330: pairing operation unit, 340: message computation unit, 400: key delegation device, 410: decryption key acquisition unit, 420: information input unit, 430: delegation key generation unit, 431: random number generation unit, 432: lower-level decryption element generation unit, 433: lower-level randomizing element generation unit, 434: lower-level delegation element generation unit, 440: key distribution unit


Claims
  • 1. A cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L+1 (L being an integer of 1 or more), the cryptographic processing system comprising: an encryption device that generates, as a ciphertext ct, a vector in which attribute information x{right arrow over ( )}t is embedded in a basis vector of the basis Bt for at least some integer t of t=1, . . . , L;a decryption device that uses, as a decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of the basis B*t for each integer t of t=1, . . . , L, performs a pairing operation on the ciphertext ct generated by the encryption device and the decryption key skL, and decrypts the ciphertext ct; anda key delegation device that generates a lower-level decryption key skL+1 of the decryption key skL, based on a vector in which predicate information v{right arrow over ( )}L+1 is embedded in a basis vector of a basis B*L+1 and the decryption key skL used by the decryption device.
  • 2. The cryptographic processing system of claim 1, further comprising: a key generation device that generates the decryption key skL,wherein the key generation device includesa first information input unit that inputs predicate information v{right arrow over ( )}t: (vt,i) (i=1, . . . , nt) for each integer t of t=1, . . . , L;a decryption element generation unit that, using the predicate information v{right arrow over ( )}t input by the first information input unit, a predetermined value Δ, a predetermined value θdec,t for each integer t of t=1, . . . , L, and a predetermined value sdec,t for each integer t of t=0, . . . , L such that sdec,0=τt=1Lsdec,t, generates a decryption element k*L,dec in which −sdec,0 is set as a coefficient of a basis vector b*0,p (p being a predetermined value) of a basis B*0, the Δ is set as a coefficient of a basis vector b*0,q (q being a predetermined value) of the basis B*0, and sdec,te{right arrow over ( )}t,1+θdec,tvt,i (i=1, . . . , nt) is set as a coefficient of abasis vector b*t,i (i=1, . . . , nt) of the basis B*t for each integer t of t=1, . . . , L; anda decryption key transmission unit that transmits to the decryption device the decryption key skL including the decryption element k*L,dec generated by the decryption element generation unit,wherein the encryption device includesa second information input unit that inputs attribute information x{right arrow over ( )}t:=(xt,i) (i=1, . . . , nt) for at least some integer t of t=1, . . . , L;a ciphertext c1 generation unit that, using the attribute information x{right arrow over ( )}t input by the second information input unit and predetermined values ω and ζ, generates a ciphertext c1 in which the ω is set as a coefficient of a basis vector b0,p of a basis B0, the ζ is set as a coefficient of a basis vector b0,q of the basis B0, and ωxt,i (i=1, . . . , nt) is set as a coefficient of a basis vector bt,i (i=1, . . . , nt) of the basis Bt for the at least some integer t; anda data transmission unit that transmits to the decryption device the ciphertext ct including the ciphertext c1 generated by the ciphertext c1 generation unit, andwherein the decryption device includesa pairing operation unit that performs a pairing operation e (c1, k*L,dec) on the ciphertext c1 included in the ciphertext ct transmitted by the data transmission unit and the decryption element k*L,dec included in the decryption key skL transmitted by the decryption key transmission unit.
  • 3. The cryptographic processing system of claim 2, wherein the encryption device further includesa ciphertext c2 generation unit that generates a ciphertext c2 by multiplying a message m by gTΔζ obtained by a value gT=e(b0,1, b*0,1), the Δ, and the ζ,wherein the data transmission unit transmits to the decryption device the ciphertext ct including the ciphertext c2 generated by the ciphertext c2 generation unit and the ciphertext c1,wherein the pairing operation unit performs the pairing operation e (c1, k*L,dec) and computes a session key K:=gTΔζ, andwherein the decryption device further includesa message computation unit that computes the message m by dividing the ciphertext c2 by the session key K computed by the pairing operation unit.
  • 4. The cryptographic processing system of claim 2, wherein the key generation device further includesa delegation element generation unit that generates a delegation element k*L,del,(τ,ι) for an integer τ of τ=L+1 and each integer ι of ι=1, . . . , nτ, the delegation element generation unit generating the delegation element k*L,del,(τ,ι) by using a predetermined value θdel,(τ,ι) for each integer t of t=1, . . . , L, a predetermined value ψ, and a predetermined value sdel,(τ,ι),t for each integer t of t=0, . . . , L+1 such that sdel,(τ,ι),0=Σt=1L+1sdel,(τ,ι),t, and by setting −sdel,(τ,ι),0 as the coefficient of the basis vector b*0,p of the basis B*0, setting sdel,(τ,ι),te{right arrow over ( )}t,1+θdel,(τ,ι),tvt,i (i=1, . . . , nt) as the coefficient of the basis vector b*t,i (i=1, . . . , nt) of the basis B*t for each integer t of t=1, . . . , L, and setting sdel,(τ,ι),L+1e{right arrow over ( )}τ,1+ψe{right arrow over ( )}τ,ι (i=1, . . . , nτ) as a coefficient of a basis vector b*τ,i (i=1, . . . , nτ) of a basis B*τ,wherein the decryption key transmission unit transmits to the delegation device the decryption key skL including the delegation element k*L,del,(τ,ι) generated by the delegation element generation unit and the decryption element k*L,dec, andwherein the key delegation device includesa third information input unit that inputs predicate information v{right arrow over ( )}L+1:=(vL+1,i) (i=1, . . . , nL+1);a lower-level decryption element generation unit that, using the predicate information v{right arrow over ( )}L+1 input by the third information input unit and the decryption key skL transmitted by the decryption key transmission unit, generates a lower-level decryption element k*L+1,dec including a vector shown in Formula 1; anda delegation key transmission unit that transmits to a lower-level decryption device a lower-level decryption key skL+1 including the lower-level decryption element k*L+1,dec generated by the lower-level decryption element generation unit. k*L,dec+Σi=1nL+1vL+1,ik*L,del,(L+1,i)  [Formula 1]
  • 5. The cryptographic processing system of claim 4, wherein the cryptographic processing system performs the cryptographic process using the basis B0 having at least a basis vector b0,i (i=1, . . . , 1+n0, 1+n0+1, . . . , 1+n0+1+u0, . . . , 1+n0+1+u0+w0, . . . , 1+n0+1+u0+w0+z0) (n0, u0, w0, and z0 respectively being an integer of 1 or more),the basis B*0 having at least a basis vector b*0,i (i=1, . . . , 1+n0, 1+n0+1, . . . , 1+n0+1+u0, . . . , 1+n0+1+u0+w0, . . . , 1+n0+1+u0+w0+z0) (n0, n0, w0, and z0 respectively being an integer of 1 or more),the basis Bt (t=1, . . . , L+1) having at least a basis vector bt,i (i=1, . . . , nt, . . . , nt+ut, . . . , nt+ut+wt, . . . , nt+ut+wt+zt) (ut, wt, and zt respectively being an integer of 1 or more), andthe basis B*t (t=1, . . . , L+1) having at least a basis vector b*t,i (i=1, . . . , nt, . . . , nt+ut, . . . , nt+ut+wt, . . . , nt+ut+wt+zt),wherein the decryption element generation unit generates the decryption element k*L,dec as shown in Formula 2, based on a random number η{right arrow over ( )}dec,t:=(ηdec,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L, andwherein the ciphertext c1 generation unit generates the ciphertext c1 as shown in Formula 3, based on a random number φ{right arrow over ( )}t:=(φt,i) (i=1, . . . , zt) for each integer t of t=0, . . . , L. K*L,dec:=((−sdec,0,0u0,Δ,{right arrow over (η)}dec,0,0z0)B*0,(sdec,t{right arrow over (e)}t,1+θdec,t{right arrow over (v)}t,0ut,{right arrow over (η)}dec,t,0zt)B*t:t=1, . . . , L)  [Formula 2]c1:=((ω,0u0,ζ,0w0,{right arrow over (φ)}0)B0θ(ω{right arrow over (x)}t,0ut,0wt,{right arrow over (φ)}t)Bt0:t=1, . . . , L)  [Formula 3]
  • 6. The cryptographic processing system of claim 5, wherein the key generation device further includesa randomizing element generation unit that generates a first randomizing element k*L,ran,j for each integer j of j=1, . . . , 2L, and generates a second randomizing element k*L,ran,(τ,ι) for each integer τ of τ=L+1, . . . , d (d being an integer of L+1 or more) and each integer t of t=1, . . . , nτ with respect to each integer τ,the randomizing element generation unit generating the first randomizing element k*L,ran,j as shown in Formula 4, based on a predetermined value θran,j,t for each integer t of t=1, . . . , L, a predetermined value sran,j,t for t=0, . . . , L such that sran,j,0=τt=1Lsran,j,t, and a random number η{right arrow over ( )}ran,j,t:=(ηran,j,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L, andgenerating the second randomizing element k*L,ran,(τ,ι) as shown in Formula 5, based on a predetermined value θran,(τ,ι),t for each integer t of t=1, . . . , L, a predetermined value sran,(τ,ι),t:=for t=0, . . . , L+1 such that sran,(τ,ι),0=Σt=1L+1sran,(τ,ι),t, and a random number η{right arrow over ( )}ran,(τ,ι),t:=(ηran,(τ,ι),t,i) (i=1, . . . , wt) (i=1, . . . , wt) for each integer t of t=0, . . . , L+1,wherein the delegation element generation unit generates the delegation element k*L,del,(τ,ι) as shown in Formula 6 for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, based on a random number η{right arrow over ( )}del,(τ,ι),t:=(ηdel,(τ,ι),t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L+1,wherein the decryption key transmission unit transmits to the delegation device the decryption key skL including the first randomizing element k*L,ran,j and the second randomizing element k*L,ran,(τ,ι) generated by the randomizing element generation unit, the delegation element k*L,del(τ,ι) generated by the delegation element generation unit, and the decryption element k*L,dec, andwherein the lower-level decryption element generation unit generates the lower-level decryption element k*L+1,dec as shown in Formula 7, using the predicate information v{right arrow over ( )}L+1, the decryption key skL transmitted by the decryption key transmission unit, a random number αdec,j for each integer j of j=1, . . . , 2L, a random number σdec, and a random number ηdec,(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt.
  • 7. The cryptographic processing system of claim 6, wherein the delegation device further includesa lower-level randomizing element generation unit that generates a first lower-level randomizing element k*L+1,ran,j′ for each integer j′ of j′=1, . . . , 2(L+1), and generates a second lower-level randomizing element k*L+1,ran,(τ,ι) for each integer τ of τ=L+2, . . . , d (d being an integer of L+2 or more) and each integer ι of ι=1, . . . , nτ with respect to each integer τ,the lower-level randomizing element generation unit generating the first lower-level randomizing element k*L+1,ran,j′ as shown in Formula 8, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αran,j′,j for each integer j of j=1, . . . , 2L and each integer j′ of j′=1, . . . , 2(L+1), a random number σran,j′ for each integer j′ of j′=1, . . . , 2(L+1), and a random number ηran,j′,(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt, andgenerating the second lower-level randomizing element k*L+1,ran,(τ,ι) as shown in Formula 9, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αran,(τ,ι),j for each integer j of j=1, . . . , 2L, a random number σran,(τ,ι), a random number φran,(τ,ι), and a random number ηran,(τ,ι),(t,i) for each integer t of t=0, . . . , L+1, τ and each integer i of i=1, . . . , wt; anda lower-level delegation element generation unit that generates a lower-level delegation element k*L+1,del,(τ,ι) for each integer τ of τ=L+2, . . . , d (d being an integer of L+2 or more) and each integer ι of ι=1, . . . , nτ with respect to each integer τ, the lower-level delegation element generation unit generating the lower-level delegation element k*L+1,del,(τ,ι) as shown in Formula 10, based on the predicate informationv{right arrow over ( )}L+1, the decryption key skL, a random number αdel,(τ,ι),j for each integer j of j=1, . . . , 2L, a random number σdel,(τ,ι), a random number ψ′, a random number φdel,(τ,ι), and a random number ηdel,(τ,ι),(t,i) for each integer t of t=0, . . . , L+1, τ and each integer i of i=1, . . . , wt, andwherein the delegation key transmission unit transmits to a lower-level delegation device a lower-level decryption key skL+1 including the lower-level decryption element k*L+1,dec generated by the lower-level decryption element generation unit, the first lower-level randomizing element k*L+1,ran,j′ and the second lower-level randomizing element k*L+1,ran,(τ,ι) generated by the lower-level randomizing element generation unit, and the lower-level delegation element k*L+1,del,(τ,ι) generated by the lower-level delegation element generation unit.
  • 8. The cryptographic processing system of claim 2, wherein the first information input unit inputs predicate information (v{right arrow over ( )}t:=(vt,i)(i=1, . . . , nt), ρtε{0, 1}) for each integer t of t=1, . . . , L, andwherein the decryption element generation unit generates the decryption element k*L,dec in which −sdec,0 is set as the coefficient of the basis vector b*0,p, the Δ is set as the coefficient of the basis vector b*0,q, and sdec,te{right arrow over ( )}t+1+θdec,tvt,i (i=1, . . . , nt) when ρt is 0 or sdec,tvt,i (i=1, . . . , nt) when ρt is 1 is set as the coefficient of the basis vector b*t,i for each integer t of t=1, . . . , L.
  • 9. The cryptographic processing system of claim 8, wherein the key generation device further includesa delegation element generation unit that generates a first delegation element k*L,del,(τ,ι,0) and a second delegation element k*L,del,(τ,ι,1) for an integer τ of τ=L+1 and each integer ι of ι=1, . . . , nτ,the delegation element generation unit generating the first delegation element k*L,del,(τ,ι,0) by using a predetermined value θdel,0,t for each integer t of t=1, . . . , L, a predetermined value ψ, and a predetermined value sdel,0,t for t=0, . . . , L+1 such that sdel,0,0=Σt=1L+1sdel,0,t, and by setting −sdel,0,0 as the coefficient of the basis vector b*0,p of the basis B*0, setting sdel,0,te{right arrow over ( )}t,1+θdel,0,tvt,i (i=1, . . . , nt) when ρt is 0 or sdel,0,tvt,i (i=1, . . . , nt) when ρt is 1 as the coefficient of the basis vector b*t,i (i=1, . . . , nt) for each integer t of t=1, . . . , L, and setting sdel,0,L+1e{right arrow over ( )}τ,1+ψe{right arrow over ( )}τ,ι (i=1, . . . , nτ) as a coefficient of a basis vector b*τ,i (i=1, . . . , nτ) of a basis B*τ, andgenerating the second delegation element k*L,del,(τ,ι,1) by using a predetermined value θdel,1,t for each integer t of t=1, . . . , L and a predetermined value sde1,1,t for t=0, . . . , L+1 such that sdel,1,0=Σt=1L+1sdel,1,t, and by setting −sdel,1,0 as the coefficient of the basis vector b*0,p of the basis B*0, setting sdel,1,te{right arrow over ( )}t,1+θdel,1,tvt,i (i=1, . . . , nt) when ρt is 0 or sdel,1,tvt,i (i=1, . . . , nt) when ρt is 1 as the coefficient of the basis vector b*t,i (i=1, . . . , nt) of the basis B*t for each integer t of t=1, . . . , L, and setting sdel,1,L+1e{right arrow over ( )}τ,1 (i=1, . . . , nτ) as the coefficient of the basis vector b*τ,i (i=1, . . . , nτ) of the basis B*τ,wherein the decryption key transmission unit transmits to the delegation device the decryption key skL including the first delegation element k*L,del,(τ,ι,0) and the second delegation element k*L,del,(τ,ι,1) generated by the delegation element generation unit and the decryption element k*L,dec, andwherein the key delegation device includesa third information input unit that inputs predicate information (v{right arrow over ( )}L+1:=(vL+1,i)(i=1, . . . , nL+1), ρL+1ε{0, 1}); anda lower-level decryption element generation unit that generates a lower-level decryption element k*L+1,dec including a vector shown in Formula 11, using the predicate information v{right arrow over ( )}L+1 input by the third information input unit and the decryption key skL transmitted by the decryption key transmission unit.
  • 10. The cryptographic processing system of claim 9, wherein the cryptographic processing system performs the cryptographic process using the basis B0 having at least a basis vector b0,i (i=1, . . . , 1+n0, 1+n0+1, . . . , 1+n0+1+u0, . . . , 1+n0+1+u0+w0, . . . , 1+n0+1+u0+w0+z0) (n0, u0, w0, and z0 respectively being an integer of 1 or more),the basis B*0 having at least a basis vector b*0,i (i=1, . . . , 1+n0, 1+n0+1, . . . , 1+n0+1+u0, . . . , 1+n0+1+u0+w0, . . . , 1+n0+1+u0+w0+z0) (n0, u0, w0, and z0 respectively being an integer of 1 or more),the basis Bt (t=1, . . . , L+1) having at least a basis vector bt,i (i=1, . . . , , nt, . . . , , nt+ut, . . . , nt+ut+wt, . . . , nt+ut+wt+zt) (ut, wt, and zt respectively being an integer of 1 or more), andthe basis B*t (t=1, . . . , L+1) having at least a basis vector b*t,i (i=1, . . . , nt, . . . , nt+ut, . . . , nt+ut+wt, . . . , nt+ut+wt+zt),wherein the decryption element generation unit generates the decryption element k*L,dec as shown in Formula 12, based on a random number η{right arrow over ( )}dec,t:=(ηdec,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L, andwherein the ciphertext c1 generation unit generates the ciphertext c1 as shown in Formula 13, based on a random number φ{right arrow over ( )}t:=(φt,i) (i=1, . . . , zt) for each integer t of t=0, . . . , L.
  • 11. The cryptographic processing system of claim 10, wherein the key generation device further includesa randomizing element generation unit that generates a first randomizing element k*L,ran,j for each integer j of j=1, . . . , 2L, and generates a second randomizing element k*L,ran,(τ,ι,0) for each integer τ of τ=L+1, . . . , d (d being an integer of L+1 or more) and each integer ι of ι=1, . . . , nτ with respect to each integer τ,the randomizing element generation unit generating the first randomizing element k*L,ran,j as shown in Formula 14, based on a predetermined value θran,j,t for each integer t of t=1, . . . , L, a predetermined value sran,j,t for t=0, . . . , L such that sran,j,0=Σt=1Lsran,j,t, and a random number η{right arrow over ( )}ran,j,t:=(ηran,j,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L, andgenerating the second randomizing element k*L,ran,(τ,ι,0) as shown in Formula 15, based on a predetermined value θran,0,t for each integer t of t=1, . . . , L, a predetermined value sran,0,t for t=0, . . . , L+1 such that sran,0,0=Σt=1L+1sran,0,t, a random number η{right arrow over ( )}ran,0,t:=(ηran,0,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L, and a random number η{right arrow over ( )}ran,0,(τ,ι):=(ηran,0,(τ,ι),i) (i=1, . . . , wt),wherein the delegation element generation unit generates the first delegation element k*L,del,(τ,ι,0) as shown in Formula 16 for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, based on a random number η{right arrow over ( )}del,0,t:=(ηdel,0,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L and a random number η{right arrow over ( )}del,0,(τ,ι):=(ηdel,0,(τ,ι),i) (i=1, . . . , wt), and generates the second delegation element k*L,del,(τ,ι,1) as shown in Formula 17 for each integer τ of τ=L+1, . . . , d and each integer ι of ι=1, . . . , nτ with respect to each integer τ, based on a random number η{right arrow over ( )}del,1,t:=(ηdel,1,t,i) (i=1, . . . , wt) for each integer t of t=0, . . . , L and a random number η{right arrow over ( )}del,1,(τ,ι):=(ηdel,1,(τ,ι),i) (i=1, . . . , wt),wherein the decryption key transmission unit transmits to the delegation device the decryption key skL including the first randomizing element k*L,ran,j and the second randomizing element k*L,ran,(τ,ι,0) generated by the randomizing element generation unit, the first delegation element k*L,del,(τ,ι,0) and the second delegation element k*L,del,(τ,ι,1) generated by the delegation element generation unit, and the decryption element k*L,dec, andwherein the lower-level decryption element generation unit generates the lower-level decryption element k*L+1,dec as shown in Formula 18, using the predicate information v{right arrow over ( )}L+1, the decryption key skL transmitted by the decryption key transmission unit, a random number αdec,j for each integer j of j=1, . . . , 2L, a random number σdec, and a random number ηdec,(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt.
  • 12. The cryptographic processing system of claim 11, wherein the delegation device further includesa lower-level randomizing element generation unit that generates a first lower-level randomizing element k*L+1,ran,j′ for each integer j′ of j′=1, . . . , 2(L+1), and generates a second lower-level randomizing element k*L+1,ran,(τ,ι,0) for each integer τ of τ=L+2, . . . , d (d being an integer of L+2 or more) and each integer ι of ι=1, . . . , nτ with respect to each integer τ,the lower-level randomizing element generation unit generating the first lower-level randomizing element k*L+1,ran,j′ as shown in Formula 19, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αran,j′,j for each integer j of j=1, . . . , 2L and each integer j′ of j′=1, . . . , 2(L+1), a random number σran,j′ for each integer j′ of j′=1, . . . , 2(L+1), and a random number ηran,j′,(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt, andgenerating the second lower-level randomizing element k*L+1,ran,(τ,ι,0) as shown in Formula 20, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αran,(τ,ι),j for each integer j of j=1, . . . , 2L, a random number σran,(τ,ι,0), a random number φran,(τ,ι,0), and ηran,(τ,ι,0),(t,i) for each integer t of t=0, L+1 and each integer i of i=1, . . . , wt; anda lower-level delegation element generation unit that generates a first lower-level delegation element k*L+1,del,(τ,ι,0) and a second lower-level delegation element k*L+1,del,(τ,ι,1) for each integer τ of τ=L+2, . . . , d (d being an integer or L+2 or more) and each integer ι of ι=1, . . . , nτ with respect to each integer τ,the lower-level delegation element generation unit generating the first lower-level delegation element k*L+1,del,(τ,ι,0) as shown in Formula 21, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αdel,(τ,ι,0),j for each integer j of j=1, . . . , 2L, a random number σdel,(τ,ι,0), a random number ψ0, a random number φdel,(τ,ι,0), and ηdel,(τ,ι,0),(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt, andgenerating the second lower-level delegation element k*L+1,del,(τ,ι,1) as shown in Formula 22, based on the predicate information v{right arrow over ( )}L+1, the decryption key skL, a random number αdel,(τ,ι,1),j for each integer j of j=1, . . . , 2L, and a random number σdel,(τ,ι,1), a random number ψ1, a random number φdel,(τ,ι,1), and ηdel,(τ,ι,1),(t,i) for each integer t of t=0, . . . , L+1 and each integer i of i=1, . . . , wt.
  • 13. A key generation device that generates a decryption key skL in a cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L (L being an integer of 1 or more), the key generation device comprising: a first information input unit that inputs predicate information v{right arrow over ( )}t:=(vt,i) (i=1, . . . , nt) for each integer t of t=1, . . . , L;a decryption element generation unit that, using the predicate information v{right arrow over ( )}t input by the first information input unit, a predetermined value Δ, a predetermined value θdec,t for each integer t of t=1, . . . , L, and a predetermined value sdec,t for each integer t of t=0, . . . , L such that sdec,0=Σt=1Lsdec,t, generates a decryption element k*L,dec in which −sdec,0 is set as a coefficient of a basis vector b*0,p (p being a predetermined value) of a basis B*0, the Δ is set as a coefficient of a basis vector b*0,q (q being a predetermined value) of the basis B*0, and sdec,te{right arrow over ( )}t,1+θdec,tvt,i (i=1, . . . , nt) is set as a coefficient of a basis vector b*t,i (i=1, . . . , nt) of the basis B*t for each integer t of t=1, . . . , L; anda decryption key transmission unit that transmits to a decryption device the decryption key skL including the decryption element k*L,dec generated by the decryption element generation unit.
  • 14. An encryption device that generates a ciphertext ct in a cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L (L being an integer of 1 or more), the encryption device comprising: a second information input unit that inputs attribute information x{right arrow over ( )}t:=(xt,i) (i=1, . . . , nt) for at least some integer t of t=1, . . . , L;a ciphertext c1 generation unit that, using the attribute information x{right arrow over ( )}t input by the second information input unit and predetermined values ω and ζ, generates a ciphertext c1 in which the ω is set as a coefficient of a basis vector b0,p (p being a predetermined value) of a basis B0, the ζ is set as a coefficient of a basis vector b0,q (q being a predetermined value) of the basis B0, and ωxt,i (i=1, . . . , nt) is set as a coefficient of a basis vector bt,i (i=1, . . . , nt) of the basis Bt for the at least some integer t; anda data transmission unit that transmits to a decryption device the ciphertext ct including the ciphertext c1 generated by the ciphertext c1 generation unit.
  • 15. A decryption device that decrypt a ciphertext c1 by a decryption key skL in a cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L (L being an integer of 1 or more), the decryption device comprising: a data receiving unit that receives from an encryption device the ciphertext c1 in which, using attribute information x{right arrow over ( )}t:=(xt,i) (i=1, . . . , nt) and predetermined values ω and ζ, the ω is set as a coefficient of a basis vector b0,p (p being a predetermined value) of a basis B0, the ζ is set as a coefficient of a basis vector b0,q (q being a predetermined value) of the basis B0, and ωxt,i (i=1, . . . , nt) is set as a coefficient of a basis vector bt,i (i=1, . . . , nt) of the basis Bt for at least some integer t;a decryption key acquisition unit that obtains from a key generation device the decryption key skL including a decryption element k*L,dec in which, using predicate information v{right arrow over ( )}t:=(vt,i) (i=1, . . . , nt), a predetermined value Δ, a predetermined value θdec,t for each integer t of t=1, . . . , L,and a predetermined value sdec,t for each integer t of t=0, . . . , L such that sdec,0=Σt=1Lsdec,t,−sdec,0 is set as a coefficient of a basis vector b*0,p (p being a predetermined value) of a basis B*0, the Δ is set as a coefficient of a basis vector b*0,q (q being a predetermined value) of the basis B*0, and sdec,te{right arrow over ( )}t,1+θdec,tvt,i (i=1, . . . , nt) is set as a coefficient of a basis vector b*t,i (i=1, . . . , nt) of the basis B*t for each integer t of t=1, . . . , L; anda pairing operation unit that performs a pairing operation e (c1, k*L,dec) on the ciphertext c1 received by the data receiving unit and the decryption element k*L,dec included in the decryption key k obtained by the decryption key acquisition unit, and decrypts the ciphertext c1.
  • 16. A key delegation device that generates a lower-level decryption key skL+1 of a decryption key skL in a cryptographic processing system that performs a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L+1 (L being an integer of 1 or more), the key delegation device comprising: a decryption key acquisition unit that obtains, as the decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of the basis B*t for each integer t of t=1, . . . , L; anda delegation key generation unit that generates the lower-level decryption key skL+1 of the decryption key skL, based on the decryption key skL obtained by the decryption key acquisition unit and a vector in which predicate information v{right arrow over ( )}L+1 is embedded in a basis vector of a basis B*L+1.
  • 17. A cryptographic processing method using a basis Bt and a basis B*t for each integer t of t=1, . . . , L+1 (L being an integer of 1 or more), the cryptographic processing method comprising: an encryption process by an encryption device of generating, as a ciphertext ct, a vector in which attribute information x{right arrow over ( )}t is embedded in a basis vector of the basis Bt for at least some integer t of t=1, . . . , L;a decryption process by a decryption device of using, as a decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of the basis B*t for each integer t of t=1, . . . , L, performing a pairing operation on the ciphertext ct generated in the encryption process and the decryption key skL, and decrypting the ciphertext ct; anda key delegation process by a key delegation device of generating a lower-level decryption key skL+1 of the decryption key skL, based on a vector v{right arrow over ( )}L+1 in which predicate information is embedded in a basis vector of a basis B*L+1 and the decryption key skL used in the decryption process.
  • 18. A cryptographic processing program that executes a cryptographic process using a basis Bt and a basis B*t for each integer t of t=1, . . . , L+1 (L being an integer of 1 or more), the cryptographic processing program comprising: an encryption process of generating, as a ciphertext ct, a vector in which attribute information x{right arrow over ( )}t is embedded in a basis vector of the basis Bt for at least some integer t of t=1, . . . , L;a decryption process of using, as a decryption key skL, a vector in which predicate information v{right arrow over ( )}t is embedded in a basis vector of the basis B*t for each integer t of t=1, . . . , L, performing a pairing operation on the ciphertext ct generated by the encryption process and the decryption key skL, and decrypting the ciphertext ct; anda key delegation process of generating a lower-level decryption key skL+1 of the decryption key skL, based on a vector v{right arrow over ( )}L+1 in which predicate information is embedded in a basis vector of a basis B*L+1 and the decryption key skL used in the decryption process.
Priority Claims (1)
Number Date Country Kind
2011-026216 Feb 2011 JP national
PCT Information
Filing Document Filing Date Country Kind 371c Date
PCT/JP2011/078668 12/12/2011 WO 00 7/31/2013