The present invention relates to an encryption system, method and program.
Multi-input functional encryption is a cryptographic scheme capable of decrypting only function values having a plurality of pieces of data as an input from ciphertext of the plurality of pieces of data, and has one characteristic that the content of the original data other than the function values cannot be leaked in this case. More specifically, in a case in which ciphertext of n pieces of data x1, . . . , xn are CT1, . . . , CTn, a function having n arguments is f, and a secret key corresponding to the function f is SK, only a function value f(x1, . . . , xn) is obtained when CT1, . . . , CTn are decrypted with the secret key SK, and no other information on x1, . . . , xn is leaked.
Currently known composition methods for multi-input functional encryption are roughly configured as two types. A first method is a method that is capable of handling a function of a general circuit class and is so heavy that implementation is substantially impossible, and whose safety is unclear (for example, NPL 1), and a second method is a method that is capable of handling only a specific function called a primary function and can be implemented relatively lightly, and whose safety is reliable (for example, NPL 2).
As described above, at present, the only multi-input functional encryptions known that can be realized with a relatively light implementation are those capable of calculating a primary function. However, for example, because a quadratic function needs to be calculated when it is desired to calculate a variance using a plurality of pieces of data, the first very heavy multi-input functional encryption described above needs to be used in such a case.
An embodiment of the present invention has been made in view of the above points, and an object thereof is to realize an efficient multi-input functional encryption using a quadratic function.
In order to achieve the above object, an encryption system according to an embodiment is an encryption system for performing encryption and decryption using functional encryption using a quadratic function having n (where n is a predetermined integer of 2 or more) arguments, which includes a setup unit configured to generate a master secret key of the functional encryption using a master secret key of function concealed inner product functional encryption composed of pairing calculation and a master secret key of multi-input function concealed inner product functional encryption obtained by extending the function concealed inner product functional encryption to multi-inputs, an encryption unit configured to generate n pieces of ciphertext obtained by encrypting n pieces of data using the master secret key of the function concealed inner product functional encryption, the master secret key of the multi-input function concealed inner product functional encryption, and the master secret key of the functional encryption, a key generation unit configured to generate a secret key for decrypting the n pieces of ciphertext using data representing the quadratic function and the secret key of the multi-input function concealed inner product functional encryption, and a decryption unit configured to decrypt the n pieces of ciphertext using the secret key generated by the key generation unit to generate a value of the quadratic function for the n pieces of data.
It is possible to realize efficient multi-input functional encryption using a quadratic function.
Hereinafter, an embodiment of the present invention will be described. In the present embodiment, an encryption system 1 that realizes efficient multi-input functional encryption using a quadratic function will be described.
<Theoretical Configuration of Efficient Multi-Input Functional Encryption Using Quadratic Function>
First, a theoretical configuration of the multi-input functional encryption used by the encryption system 1 according to the present embodiment will be described.
«Preparation»
p is a prime number, Z is an integer ring, and a quotient ring Z/pZ is expressed as Zp (where Z is expressed in white letters to be exact hereinafter, similarly, Z in the text of the specification is represented by white characters to be exact). Further, an operation of randomly selecting an element from Zp is expressed as z←Zp. An output of a certain algorithm Alg being y is expressed as y←Alg.
A known function concealed inner product functional encryption composed of pairing is iFE=(iSetup, iEnc, iKeyGen, iDec), and multi-input function concealed inner product functional encryption that is a multi-input version thereof is miFE=(miSetup, miEnc, miKeyGen, miDec). As the pairing constituting such function concealed inner product functional encryption, pairing defined by using a known bilinear type group may be used, or pairing defined by using a bilinear type group generated by a setup algorithm Setup, which will be described below, may be used.
As a function concealed inner product functional encryption iFE=(iSetup, iEnc, iKeyGen, iDec) composed of pairing, for example, function concealed inner product functional encryption proposed in reference 1 “J. Tomida, M. Abe, and T. Okamoto. Efficient functional encryption for inner-product values with full-hiding security. In M. Bishop and A. C. A. Nascimento, editors, ISC 2016, volume 9866 of LNCS, pages 408-425. Springer, Heidelberg, September 2016.” may be used.
Further, as a multi-input function concealed inner product functional encryption miFE=(miSetup, miEnc, miKeyGen, miDec) composed of pairing, for example, multi-input function concealed inner product functional encryption proposed in Reference 2 “P. Datta, T. Okamoto, and J. Tomida. Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In M. Abdalla and R. Da-hab, editors, PKC 2018, Part II, volume 10770 of LNCS, pages 245-277. Springer, Heidelberg, March 2018” may be used.
«Specific Configuration of Each Algorithm that Realizes Multi-Input Functional Encryption»
It is assumed that m is a dimension of a vector at the time of encryption, and n is the number of inputs of the function (number of arguments). In this case, the multi-input functional encryption according to the present embodiment includes four algorithms, that is, a setup algorithm Setup, an encryption algorithm Enc, a key generation algorithm KeyGen, and a decryption algorithm Dec.
Setup Algorithm Setup
This algorithm generates and outputs a master secret key MSK as follows.
iMSK1,iMSK2←iSetup
miMSK←miSetup
u
i,j
,ũ
i,j
,v
i,j
,{tilde over (v)}
i,j
,w
i,j,k,l←p
MSK:=(iMSK1,iMSK2,miMSK,
{ui,j,ũi,j,vi,j,{tilde over (v)}i,j}i∈[n],j∈[m],{∈[m])
However, iMSK1 is a master secret key of iFE having an input number n in which the number of dimensions is 2n+3+mn, and iMSK2 is a master secret key of iFE having an input number n in which the number of dimensions is 1. Further, miMSK is a master secret key of miFE having an input number n, in which the number of dimensions is 2.
Encryption Algorithm Enc (MSK, i, x)
This algorithm generates and outputs a ciphertext CTi corresponding to an input i of x∈Zm as follows.
s,{tilde over (s)},r,t,L←
p,
L:=(02(i−1),1,L,02(n−i)),{tilde over (L)}:=(02(i−1),L,−1,02(n−i))
b
j:(L,xj,sw1,1,i,j, . . . ,wwm,n,i,j,uij,tvi,j),{tilde over (b)}j:=({tilde over (L)},xj,{tilde over (s)}ei,j,rũi,j{tilde over (v)}i,j)
f:=(r,t)
iCTi,j←iEnc(iMSK1,bj),iSKi,j←iKeyGen(iMSK1,bj)
iCTi←iEnc(iMSK2,s),iSKiοiKeyGen(iMSK2,{tilde over (s)})
miCTi←miEnc(miMSK,i,f)
CTi:=({iCTi,j,iSKi,j}j∈[m],iCTi,iSKi,miCTi) [Math. 2]
Here, x=(x1, . . . , xm). Further, ei,j∈Zpmn is a vector in which a (i, j) component is 1 and other components are 0.
Key Generation Algorithm KeyGen (MSK, c)
This algorithm is as follows and generates and outputs the secret key SK corresponding to:
Here, the above c is a vector expressing the following quadratic function f.
f(X1, . . . ,Xn):=<c,X(x)X>
Here, (x) is a Kronecker product, X1, . . . , Xn∈Zpm, Xτ=(X1τ∥ . . . ∥Xnτ), τ is a transpose, and ∥ is a symbol representing concatenation. That is, c is a vector representing a quadratic function defined by an inner product with a value obtained naturally vectorizing X(x)X.
Decryption Algorithm Dec (CT1, . . . , CTn, SK)
This algorithm generates and outputs a decryption result d as follows.
<Overall Configuration of Encryption System 1>
Next, an overall configuration of the encryption system 1 according to the present embodiment will be described with reference to
As illustrated in
The setup device 10 is a computer or a computer system that executes the setup algorithm Setup. The setup device 10 includes a setup processing unit 101 that executes the setup algorithm Setup, and a storage unit 102 that stores various pieces of data used for execution of the setup algorithm Setup, an output result thereof, and the like.
The encryption device 20 is a computer or a computer system that executes an encryption algorithm Enc (MSK, i, x). The encryption device 20 includes an encryption processing unit 201 that executes the encryption algorithm Enc (MSK, i, x), and a storage unit 202 that stores various pieces of data used for execution of the encryption algorithm Enc (MSK, i, x), an output result thereof, and the like.
The key generation device 30 is a computer or a computer system that executes the key generation algorithm KeyGen (MSK, c). The key generation device 30 includes a key generation processing unit 301 that executes the key generation algorithm KeyGen (MSK, c), and a storage unit 302 that stores various pieces of data used for execution of the key generation algorithm KeyGen (MSK, c) or an output result thereof.
The decryption device 40 is a computer or a computer system that executes the decryption algorithm Dec (CT1, . . . , CTn, SK). The decryption device 40 includes a decryption processing unit 401 that executes the decryption algorithm Dec (CT1, . . . , CTn, SK), and a storage unit 402 that stores various pieces of data used for execution of the decryption algorithm Dec (CT1, . . . , CTn, SK) or an output result thereof.
An overall configuration of the encryption system 1 illustrated in
<Flow of Processing>
Next, a flow of various processing executed by the encryption system 1 according to the present embodiment will be described.
«Setup Processing»
First, a flow of the setup processing according to the present embodiment will be described with reference to
The setup processing unit 101 of the setup device 10 executes the setup algorithm Setup to generate and output the master secret key MSK (step S101). When the setup algorithm Setput is executed, for example, a security parameter 1λ or the like is input.
The setup processing unit 101 of the setup device 10 transmits the master secret key MSK generated and output in step S101 above to the encryption device 20 and the key generation device 30 (step S102). The setup device 10 may transmit the master secret key MSK to the encryption device 20 and the key generation device 30 using any secure method.
«Encryption Processing»
Next, a flow of encryption processing according to the present embodiment will be described with reference to
The encryption processing unit 201 of the encryption device 20 executes the encryption algorithm Enc (MSK, i, x) to generate and output the ciphertext CTi corresponding to the input i of x∈Zm (step S201). It is assumed that the data x that is an encryption target or the master secret key MSK is stored in the storage unit 202 of the encryption device 20.
The encryption processing unit 201 of the encryption device 20 transmits the ciphertext CTi generated and output in step S201 above to the decryption device 40 (step S202).
«Key Generation Processing»
Next, a flow of the key generation processing according to the present embodiment will be described with reference to
The key generation processing unit 301 of the key generation device 30 executes the key generation algorithm KeyGen (MSK, c) to generate and output the secret key SK corresponding to c (step S301). It is assumed that data c representing the quadratic function or the master secret key MSK are stored in the storage unit 302 of the key generation device 30.
The key generation processing unit 301 of the key generation device 30 transmits the secret key SK generated and output in step S301 above to the decryption device 40 (step S302). The key generation device 30 may transmit the secret key SK to the decryption device 40 using any secure method.
«Decryption Processing»
Next, a flow of the decryption processing according to the present embodiment will be described with reference to
The decryption processing unit 401 of the decryption device 40 executes the decryption algorithm Dec (CT1, . . . , CTn, SK) to generate and output the decryption result d (step S401).
The decryption processing unit 401 of the decryption device 40 stores a composite result d generated and output in step S401 above in the storage unit 402 (step S402).
<Hardware Configuration>
Next, hardware configurations of the setup device 10, the encryption device 20, the key generation device 30, and the decryption device 40 included in the encryption system 1 according to the present embodiment will be described. The hardware configuration of these devices can be realized, for example, by a hardware configuration of a computer 500 illustrated in
The computer 500 illustrated in
The input device 501 is, for example, a keyboard, a mouse, or a touch panel. The display device 502 is, for example, a display or the like. The computer 500 may not include, for example, at least one of the input device 501 and the display device 502.
The external I/F 503 is an interface with an external device such as a recording medium 503a. Examples of the recording medium 503a include a flexible disk, a compact disc (CD), a digital versatile disk (DVD), a secure digital memory card (SD memory card), and a Universal Serial Bus (USB) memory card.
The communication I/F 504 is an interface for connecting the computer 500 to the communication network N. The processor 505 is, for example, a calculation device such as a central processing unit (CPU). The memory device 506 is, for example, any of various storage devices such as a hard disk drive (HDD), a solid state drive (SSD), a random access memory (RAM), a read only memory (ROM), and a flash memory.
The setup device 10, the encryption device 20, the key generation device 30, and the decryption device 40 according to the present embodiment can realize the various processing described above by having the hardware configuration of the computer 500 illustrated in
As described above, the encryption system 1 according to the present embodiment realizes encryption and decryption through multi-input functional encryption of a quadratic function using the function concealed inner product functional encryption iFE that can be composed of pairing and the multi-input function concealed inner product functional encryption miFE that is a multi-input version thereof (that is, obtained by an extension to multi-input) as components. Because the functional concealed inner product functional encryption itself can be composed of pairing calculation that can be performed at high speed, it is possible to also eventually calculate the multi-input functional encryption using these functional concealed inner product functional encryptions as components at high speed. Therefore, the encryption system 1 according to the present embodiment can realize efficient multi-input functional encryption using a quadratic function.
Therefore, using the encryption system 1 according to the present embodiment, it is possible to calculate a quadratic function value at an extremely high speed as compared with the related art without leaking information of other original data from a plurality of ciphertext. As an application example, for example, in a situation in which there are persons who want to perform statistical calculation requiring a quadratic function such as a variance using a plurality of pieces of databases, while an owner of the databases may disclose statistical values, but does not want disclose original data, it is possible to calculate only the statistical values at high speed without leaking the information of the original data using the encryption system 1 according to the present embodiment.
The present invention is not limited to the specifically disclosed embodiment, and various modifications or changes, combinations with known technologies, and the like can be made without departing from the description of the claims.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/033946 | 9/8/2020 | WO |