The present invention relates to homomorphic encryption. The invention relates to an encryption device, an encrypted text conversion device, an encryption program, an encrypted text conversion program, an encryption method, and an encrypted text conversion method, each of which uses homomorphic encryption.
When data is encrypted, it is normally impossible to read and edit data inside unless the data is decrypted. Therefore, in order to edit data in a plurality of encrypted texts, it is necessary to decrypt the plurality of encrypted texts once, extract plain texts as data, then edit the plain texts, and encrypt the plain texts again. On the contrary, in homomorphic encryption, it is possible to edit data in an encrypted text without decrypting the encrypted text. Processing at that time is referred to as “homomorphic computation”, and a type that can be subjected to homomorphic computation and the number of times of homomorphic computation are changed depending on a specific method.
As homomorphic encryption, there are proposed homomorphic encryption in which only addition or multiplication can be performed, such as ElGamal encryption and Paillier encryption, and Gentry encryption or the like in which addition and multiplication can be executed without limitation. In those methods, as a first point, encrypted texts need to be generated by using the same public key when homomorphic computation is performed. As a second point, an encrypted text that has not been subjected to homomorphic computation yet is computed while being encrypted, and therefore it is problematic in that, even in a case where a plain text is changed by homomorphic computation, such a change cannot be detected.
Some methods for solving such a problem are proposed (see, for example, Patent Literature 1 and Non-Patent Literature 1).
In a method disclosed in Patent Literature 1, encrypted texts generated by using a plurality of different keys are changed to encrypted texts having a single specified key by a technology referred to as “proxy re-encryption” and are subjected to homomorphic computation.
However, in this method, safety of encrypted texts that have not been subjected to homomorphic computation yet is low, and therefore it is problematic in that plain text data is changeable.
In another method disclosed in Non-Patent Literature 1, although a special key is needed to perform homomorphic computation, strength of safety of encrypted texts that have not been subjected to homomorphic computation yet is improved. Specifically, falsification of plain text data is prevented.
However, this method is problematic in that a user who can decrypt encrypted texts that have been subjected to homomorphic computation can also decrypt encrypted texts that have not been subjected to homomorphic computation yet.
As described above, in Patent Literature 1 and Non-Patent Literature 1, content of a plain text of an encrypted text that has not been subjected to homomorphic computation yet may be changed.
In view of this, an object of the invention is to provide a device, a program, and a method for detecting a change in an encrypted text that has not been subjected to homomorphic computation yet.
An encryption device according to the present invention includes:
an encryption unit to encrypt a plain text M by using one of a pair of keys to generate an encrypted text D into which the plain text M is encrypted and which can be subjected to homomorphic computation;
a detection element generation unit to generate a detection element E used to detect a change in the encrypted text D by using the one key and the encrypted text D; and
an output unit to output the encrypted text D and the detection element E.
The invention employs a detection element for detecting a change in an encrypted text in a homomorphic encryption technology capable of computing data while the data is being encrypted and can therefore detect a change in an encrypted text that has not been subjected to homomorphic computation yet. This makes it possible to achieve the use of safe homomorphic computation using an unchanged genuine encrypted text.
Hereinafter, a key generation device 300 and the like are referred to as follows.
(1) Embodiment 1 discloses a key generation device 300 for generating a pair of a public key pk and a decryption key sk (secret key). This key generation device 300 is referred to as “first key generation device 300”.
(2) The public key pk and the decryption key sk generated by the first key generation device 300 are referred to as “first public key pk” and “first decryption key sk”. Note that those keys are also referred to as “public key pk” and “decryption key sk”.
(3) Embodiment 1 discloses a post-homomorphic-computation key generation device 400 for generating a pair of a public key epk and a decryption key esk (secret key). This post-homomorphic-computation key generation device 400 is referred to as “second key generation device”.
(4) The public key epk and the decryption key esk generated by the second key generation device are referred to as “second public key epk” and “second decryption key esk”. Note that those keys are also referred to as “public key epk” and “decryption key esk”.
(5) Embodiment 1 discloses a decryption device 900 for decrypting an encrypted text by using the first decryption key sk. This decryption device 900 is referred to as “first decryption device”.
(6) Embodiment 1 discloses a decryption device 1000 for decrypting an encrypted text that has been subjected to homomorphic computation by using the second decryption key esk. This decryption device 1000 is referred to as “second decryption device”.
The confidential analysis system 100 may be achieved in such a way that the common parameter generation device 200 to the second decryption device 1000 are connected not via the Internet 101 but via a local area network (LAN) provided in the same company.
The Internet 101 is a communication channel for connecting the common parameter generation device 200, the plurality of first key generation devices 300, the plurality of second key generation devices 400, the encryption device 500, the conversion key generation device 600, the encrypted text conversion device 700, the homomorphic computation device 800, the first decryption device 900, and the second decryption device 1000. The Internet 101 is an example of a network. Another type of network may be used instead of the Internet 101.
The common parameter generation device 200 generates a common parameter pub that is a common parameter to be used in the system and transmits the common parameter pub to the plurality of first key generation devices 300, the plurality of second key generation devices 400, the encryption device 500, the conversion key generation device 600, the encrypted text conversion device 700, the homomorphic computation device 800, the first decryption device 900, and the second decryption device 1000 via the Internet 101. Note that this common parameter pub may be provided via a mail, a bulletin board on a website, or the like instead of the Internet 101.
Note that it is assumed that, in a case where acquisition of the common parameter pub is not described in the following description of the encryption device 500 and the like, the common parameter pub has already been acquired.
Each first key generation device 300 may be a personal computer. The first key generation device 300 is a computer that generates the public key pk and the decryption key sk, transmits the public key pk to the encryption device 500, the encrypted text conversion device 700, and the first decryption device 900, and transmits the decryption key sk to the conversion key generation device 600 and the first decryption device 900.
Each second key generation device 400 may be a personal computer. The second key generation device 400 is a computer that generates the second public key epk and the second decryption key esk, transmits the second public key epk to the conversion key generation device 600 and the homomorphic computation device 800, and transmits the second decryption key esk to the second decryption device 1000.
The encryption device 500 functions as an encryption device of data and may be a personal computer. The encryption device 500 is a computer that receives the public key pk from the first key generation device 300, accepts input of a plain text M from the outside, and outputs an encrypted text C.
The conversion key generation device 600 may be a personal computer. The conversion key generation device 600 is a computer that receives the decryption key sk from the first key generation device 300 and the second public key epk from the second key generation device 400, generates a conversion key rk, and transmits the conversion key rk to the encrypted text conversion device 700.
The encrypted text conversion device 700 may be a personal computer. The encrypted text conversion device 700 is a computer that receives the conversion key rk from the conversion key generation device 600, accepts input of the encrypted text C, acquires the public key pk, generates a converted encrypted-text RC into which the encrypted text C is converted, and outputs the converted encrypted-text RC.
The homomorphic computation device 800 may be a personal computer. The homomorphic computation device 800 is a computer that receives the second public key epk from the second key generation device 400, accepts input of a plurality of converted encrypted-texts RC, and outputs encrypted texts EC (hereinafter, encrypted texts EC) that have been subjected to homomorphic computation.
The first decryption device 900 may be a personal computer. The first decryption device 900 is a computer that receives the decryption key sk from the first key generation device 300, acquires the public key pk, accepts input of the encrypted text C, and outputs a decryption result of the encrypted text C.
The second decryption device 1000 may be a personal computer. The second decryption device 1000 is a computer that receives the second decryption key esk from the second key generation device 400, accepts input of the encrypted texts EC, and outputs a decryption result of the encrypted texts EC.
Note that two or more of the first key generation device 300, the decryption device 900, and the conversion key generation device 600 may be simultaneously included in the same personal computer.
Note that the second key generation device 400 and the second decryption device 1000 may be simultaneously included in the same personal computer.
Note that two or more of the conversion key generation device 600, the encrypted text conversion device 700, and the homomorphic computation device 800 may be simultaneously included in the same personal computer.
<***Description of Configuration***>
Hereinafter, a configuration of this embodiment will be described.
As illustrated in
In this embodiment, the common parameter generation device 200, the first key generation devices 300, the second key generation devices 400, the encryption device 500, the conversion key generation device 600, the encrypted text conversion device 700, the homomorphic computation device 800, the first decryption device 900, and the second decryption device 1000 are computers.
The common parameter generation device 200, the first key generation devices 300, and the second key generation devices 400 include hardware such as a processor 91, an input interface 93, and an output interface 94. The encryption device 500 to the second decryption device 1000 include hardware such as the processor 91, a storage device 92, the input interface 93, and the output interface 94. Hereinafter, the input interface 93 and the output interface 94 are referred to as “input I/F 93” and “output I/F 94”.
The processor 91 is connected to other pieces of hardware via a signal line and controls those other pieces of hardware. The processor 91 is an integrated circuit (IC) for performing processing. The processor 91 is specifically a central processing unit (CPU).
The storage device 92 includes an auxiliary storage device 92a and a memory 92b. The auxiliary storage device 92a is specifically a read only memory (ROM), a flash memory, or a hard disk drive (HDD). The memory 92b is specifically a random access memory (RAM).
The input I/F 93 is a port through which signals are input. Further, the input I/F 93 may be a port to be connected to an input device such as a mouse, a keyboard, and a touchscreen. The input I/F 93 is specifically a universal serial bus (USB) terminal. Note that the input interface 93 may be a port to be connected to a local area network (LAN).
The output I/F 94 is a port through which signals are output. The output I/F 94 may be a USB terminal.
The auxiliary storage device 92a stores a program that achieves a function of the “ . . . unit” serving as the processor 91. This program is loaded into the memory 92b, is read by the processor 91, and is executed by the processor 91. The auxiliary storage device 92a also stores an operating system (OS). At least part of the OS is loaded into the memory 92b, and the processor 91 executes the program that achieves the function of the “unit” serving as the processor 91 while executing the OS.
The common parameter generation device 200 to the second decryption device 1000 may include only a single processor 91 or may include a plurality of processors 91. The plurality of processors 91 may cooperatively execute the program that achieves the function of the “unit”.
Information indicating a result of processing by the function of the “unit” serving as the processor 91, data, signal values, and variable values are stored on the auxiliary storage device 92a, the memory 92b, or a register or cache memory in the processor 91.
The program that achieves the function of the “unit” serving as the processor 91 may be stored on portable record media such as a magnetic disc, a flexible disk, an optical disc, a compact disk, and a digital versatile disc (DVD).
In other words,
rk=RKG (epk, sk) is satisfied.
The symbol “RKG” is a computation symbol showing generation of the conversion key rk. Although not illustrated, the conversion key generation unit 604 may have a function of generating random sampling numbers in order to generate the conversion key rk. The transmission unit 605 transmits the conversion key rk to the encrypted text conversion device 700.
The reception unit 701 receives the conversion key rk. The storage unit 702 stores the conversion key rk. The input unit 703 accepts input of the encrypted text C=(D, E) and the first public key pk. The change detection unit 704 verifies, by using the first public key pk, whether or not the plain text M of the encrypted text C input to the input unit 703 has been changed. The encrypted text conversion unit 705 generates the converted encrypted-text RC on the basis of the conversion key rk stored on the storage unit 702 and the encrypted text C input to the input unit 703. In a case where the change detection unit 704 detects a change, the encrypted text conversion unit 705 substitutes a special symbol indicating the change for the converted encrypted-text RC as the converted encrypted-text RC. In a case where the change detection unit 704 does not detect the change, the encrypted text conversion unit 705 generates the converted encrypted-text RC. Although not illustrated, the encrypted text conversion unit 705 may have a function of generating random sampling numbers in order to generate the converted encrypted-text RC. The transmission unit 706 outputs the converted encrypted-text RC.
Hereinafter, operation of each device corresponding to a calculation method in each device of this embodiment will be described.
Description will be provided also with reference to
In Step S201, the input unit 201 receives the bit length $L_{bit}$ of the key.
In Step S202, based on the bit length $L_{bit}$ of the key, the common parameter generation unit 202 generates an element $BG = (p, G, G_T, e)$ that can be subjected to pairing computation.
Herein,
the symbol “p” denotes the order of the group $G$ and the group $G_T$.
The symbol “e” is a bilinear mapping $G \times G \to G_T$. The bilinear mapping is a mapping in which $e(g^a, g^b) = e(g, g)^{ab} \in G_T$ is satisfied for all $g \in G$ and $a, b \in \mathbb{Z}_p$. This computation using e is referred to as “pairing computation”. Note that $\mathbb{Z}_p$ is the set of integers modulo p.
In Step S203, the common parameter generation unit 202 generates a hash function H and a hash function key k.
In Step S204, the common parameter generation unit 202 selects g from the group $G$ at random and selects $u, v, w \in \mathbb{Z}_p$ at random.
In Step S205, the common parameter generation unit 202 calculates
$U = g^u$, $V = g^v$, $W = g^w$, and $P = e(g, g)$
and generates the common parameter $pub = (BG, g, U, V, W, P, k)$.
In Step S206, the transmission unit 203 outputs the common parameter pub. Note that the transmission unit 203 is an output unit, and is assumed to perform transmission via the Internet 101 as illustrated in
In Step S301, the input unit 301 receives the common parameter pub.
In Step S302, the key generation unit 302 selects a decryption key $sk \in \mathbb{Z}_p$ at random.
In Step S303, the key generation unit 302 calculates a public key $pk = g^{sk}$.
In Step S304, the key transmission unit 303 transmits the public key pk and the decryption key sk.
In Step S401, the input unit 401 receives the common parameter pub.
In Step S402, the key generation unit 402 selects a decryption key $esk \in \mathbb{Z}_p$ at random by using the common parameter pub.
In Step S403, the key generation unit 402 calculates a public key $epk = g^{esk}$.
In Step S404, the key transmission unit 403 transmits the second public key epk and the second decryption key esk.
In Step S501, the reception unit 501 receives the common parameter pub and the public key pk. The storage unit 502 stores the common parameter pub and the public key pk.
The input unit 503 receives the plain text M.
In Step S502, the encryption unit 504 selects random sampling numbers $r$ and $s \in \mathbb{Z}_p$ at random by using the common parameter pub.
In Step S503, the encryption unit 504 encrypts the plain text M by using the first public key pk that is one of the pair of keys, thereby generating the encrypted text D into which the plain text M is encrypted and which can be subjected to homomorphic computation.
Specifically, the encryption unit 504 calculates
$C_0 = M \cdot P^r$ (Expression 1)
$C_1 = pk^r$ (Expression 2)
for the encrypted text D.
$D = (C_0, C_1)$
is satisfied. Herein, the symbol “⋅” denotes multiplication defined in the group G.
In Expression 1 and Expression 2,
the symbol “M” is the plain text.
The symbol “P” is pairing computation P included in the common parameter pub.
The random sampling number r is selected in S502.
The symbol “pk” is the first public key pk.
As described above, the encryption unit 504 selects the first random sampling number r and the second random sampling number s and generates the encrypted text D by using not only the first public key pk but also the first random sampling number r and the common parameter pub.
Further, the detection element generation unit 505 generates the detection element E used to detect a change in the encrypted text D by using the first public key pk and the encrypted text $D = (C_0, C_1)$.
Specifically, the detection element generation unit 505 calculates
$t = H(k, (pk, C_0, C_1))$ (Expression 3)
$C_2 = (U^s V^t W)^r$ (Expression 4).
In (Expression 3) and (Expression 4),
the right side “$H(k, (pk, C_0, C_1))$” in Expression 3 indicates that $(pk, C_0, C_1)$ is encrypted by using the hash function H and the hash key k. Information of the hash function H and the hash key k is included in the common parameter pub. The symbols “U”, “V”, and “W” on the right side of Expression 4 are included in the common parameter pub. The symbol “t” is obtained by Expression 3, and the random sampling number r and the random sampling number s are random sampling numbers in S502. The random sampling number r is referred to as “first random sampling number”, and the random sampling number s is referred to as “second random sampling number”. As shown in Expression 3 and Expression 4, the detection element generation unit 505 generates the detection element E by using not only the first public key pk and the encrypted text D but also the first random sampling number r, the second random sampling number s, and the common parameter pub.
In Step S504, the transmission unit 506 outputs $C = (C_0, C_1, s, C_2)$.
$C = (C_0, C_1, s, C_2) = (D, E)$
is satisfied. Herein, $C_0$ and $C_1$ correspond to the encrypted text D, and $C_2$ corresponds to the detection element E.
The transmission unit 506, which is an output unit, outputs the encrypted text D and the detection element E.
In Step S601, the reception unit 601 receives the decryption key sk, and the storage unit 602 stores the decryption key sk. The input unit 603 receives the second public key epk.
In Step S602, the conversion key generation unit 604 calculates
$rk = epk^{1/sk}$.
The conversion key rk is generated on the basis of the second public key epk paired with the second secret key esk (second decryption key) which is used to decrypt a computation result of homomorphic computation in a case where the encrypted text D is subjected to homomorphic computation and the first decryption key sk (first secret key).
In Step S603, the transmission unit 605 outputs the conversion key rk.
In Step S701, the reception unit 701 receives the conversion key rk. The storage unit 702 stores the conversion key rk, the common parameter pub, the first public key pk, and the like. The conversion key rk is used for conversion into the converted encrypted-text RC that is an encrypted text different from the encrypted text D. The input unit 703 receives the encrypted text C=(D, E) and the first public key pk. The encrypted text C includes the encrypted text D into which the plain text M has been encrypted and the detection element E. The encrypted text D can be subjected to homomorphic computation. As described above, the input unit 703, which is an acquisition unit, acquires the encrypted text D into which the plain text M is encrypted and which can be subjected to homomorphic computation and the detection element E used to detect a change in the encrypted text D.
In Step S702,
the change detection unit 704 calculates
$t' = H(k, (pk, C_0, C_1))$.
The expression “$t' = H(k, (pk, C_0, C_1))$”
means that $(pk, C_0, C_1)$ is encrypted by using the hash function H and the hash key k. The symbols “$C_0$” and “$C_1$” are included in the encrypted text C.
In Step S703, the change detection unit 704 verifies whether or not
$e(C_2, pk) = e(C_1, (U^s V^{t'} W))$
is satisfied. In a case where $e(C_2, pk) = e(C_1, (U^s V^{t'} W))$ is satisfied, i.e., a change is not detected, the processing proceeds to Step S705. In a case where $e(C_2, pk) = e(C_1, (U^s V^{t'} W))$ is not satisfied, i.e., a change is detected, the processing proceeds to Step S704.
As described above, the change detection unit 704 generates a reference value $e(C_2, pk)$, which is a reference used to determine whether or not the encrypted text D has been changed, on the basis of $C_2$ that is the detection element E and generates a collation value $e(C_1, (U^s V^{t'} W))$, which is to be collated with the reference value, on the basis of the encrypted text D. The collation value $e(C_1, (U^s V^{t'} W))$ includes
$t' = H(k, (pk, C_0, C_1))$.
In $t'$, the symbols “$C_0$” and “$C_1$” are the encrypted text D.
Therefore, the collation value $e(C_1, (U^s V^{t'} W))$ is generated on the basis of the encrypted text D.
The change detection unit 704 collates the reference value with the collation value.
More specifically, the change detection unit 704 generates the reference value $e(C_2, pk)$ on the basis of the detection element E and the first public key pk and generates the collation value $e(C_1, (U^s V^{t'} W))$ on the basis of the first public key pk and the encrypted text D.
In Step S704, RC=⊥ is satisfied in the encrypted text conversion unit 705.
The symbol “⊥” is a special symbol indicating failure of conversion and may be any symbol as long as the symbol specifies that conversion of an encrypted text fails.
In Step S705, the encrypted text conversion unit 705 calculates
$C'_1 = e(C_1, rk) = e(pk^r, rk)$
and generates a converted encrypted-text $RC = (C_0, C'_1) = (M \cdot P^r, e(pk^r, rk))$. As described above, in a case where a change in the encrypted text D is not detected as a result of collation using the change detection unit 704, the encrypted text conversion unit 705, which is a conversion unit, converts the encrypted text D into the converted encrypted-text RC converted from the encrypted text D by using the conversion key rk.
In Step S706, the transmission unit 706, which is an output unit, outputs the converted encrypted-text $RC = (C_0, C'_1)$.
In Step S801, the reception unit 801 receives the encrypted-texts RC that have been converted, and the storage unit 802 stores the encrypted-texts RC. Then, the input unit 803 receives the second public key epk.
In Step S802, the homomorphic computation unit 804 selects
a random sampling number $r' \in \mathbb{Z}_p$.
In Step S803, the homomorphic computation unit 804 newly calculates $C_0$ and $C'_1$ on the left side in the following expressions.
In the following expressions, it is assumed that a request for results of homomorphic computation obtained in the following expressions has been issued. The homomorphic computation unit 804 computes the following expressions in response to this request.
$C_0 = P^{r'} \prod_{i \in [n]} C^{i}_{0}$
$C'_1 = e(g, epk)^{r'} \times \prod_{i \in [n]} C''^{\,i}_{1}$
are calculated.
In Step S804, the transmission unit 805 outputs
$EC = (C_0, C'_1)$,
which is the encrypted text EC that has been subjected to the above homomorphic computation.
As illustrated in
In Step S901, the reception unit 901 receives the common parameter pub, the first public key pk, and the first decryption key sk. The storage unit 902 stores the common parameter pub, the first public key pk, and the first decryption key sk. The input unit 903 receives the encrypted text C.
In Step S902, the decryption processing unit 904 calculates
$t' = H(k, (pk, C_0, C_1))$.
In Step S903, the decryption processing unit 904 verifies whether or not
$e(C_2, pk) = e(C_1, (U^s V^{t'} W))$
is satisfied. In a case where $e(C_2, pk) = e(C_1, (U^s V^{t'} W))$ is satisfied, the processing proceeds to Step S905. In a case where $e(C_2, pk) = e(C_1, (U^s V^{t'} W))$ is not satisfied, the processing proceeds to Step S904.
In Step S904,
M=⊥
is satisfied in the decryption processing unit 904. The symbol “⊥” is a special symbol indicating failure of conversion and may be any symbol as long as the symbol specifies that conversion of an encrypted text fails.
In Step S905, the decryption processing unit 904 calculates
$M = C_0 / e(C_1, g)^{1/sk}$.
In Step S906, the transmission unit 905 outputs a decryption result M.
In Step S1001, the reception unit 1001 receives the second decryption key esk, and the storage unit 1002 stores the second decryption key esk. The input unit 1003 receives the encrypted text EC that has been subjected to homomorphic computation.
In Step S1002, the decryption processing unit 1004 calculates
$EM = C_0 / (C'_1)^{1/esk}$.
In Step S1003, the transmission unit 1005 outputs the decryption result EM.
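The following Python sketch is an added example, not code from this document: it walks Steps S201 to S1003 in a transparent model in which every group element is stored as its exponent, so the pairing equations can be checked but nothing is kept secret. The names `Elem`, `pair`, `unchanged`, `rekey`, `convert`, `evaluate` and `demo`, the use of HMAC-SHA256 for H, and the group order 2^127 - 1 are assumptions of this example.

```python
"""Transparent algebraic model of the Embodiment 1 flow (added example, not secure)."""
import hashlib
import hmac
import secrets

p = 2**127 - 1  # group order for this example (a Mersenne prime); an assumption

class Elem:
    """Element gen^a of a cyclic group of order p, stored as its exponent a."""
    def __init__(self, a):
        self.a = a % p
    def __mul__(self, other):
        return Elem(self.a + other.a)
    def __truediv__(self, other):
        return Elem(self.a - other.a)
    def __pow__(self, e):
        return Elem(self.a * e)
    def __eq__(self, other):
        return isinstance(other, Elem) and self.a == other.a

def pair(A, B):
    """Bilinear map e(g^a, g^b) = e(g, g)^(ab); the result is an element of GT."""
    return Elem(A.a * B.a)

def rand():
    return secrets.randbelow(p - 1) + 1  # nonzero element of Z_p

def inv(x):
    return pow(x, -1, p)  # 1/x in Z_p

def setup():
    g = Elem(1)  # Steps S204-S205: pub = (g, U, V, W, P, k)
    return {"g": g, "U": g ** rand(), "V": g ** rand(), "W": g ** rand(),
            "P": pair(g, g), "k": secrets.token_bytes(32)}

def keygen(pub):
    sk = rand()
    return pub["g"] ** sk, sk  # (public key, decryption key)

def H(pub, pk, C0, C1):
    """Keyed hash into Z_p; HMAC-SHA256 is this example's choice for H."""
    msg = b"|".join(str(x.a).encode() for x in (pk, C0, C1))
    return int.from_bytes(hmac.new(pub["k"], msg, hashlib.sha256).digest(), "big") % p

def encrypt(pub, pk, M):
    r, s = rand(), rand()
    C0 = M * pub["P"] ** r                                # Expression 1
    C1 = pk ** r                                          # Expression 2
    t = H(pub, pk, C0, C1)                                # Expression 3
    C2 = (pub["U"] ** s * pub["V"] ** t * pub["W"]) ** r  # Expression 4
    return (C0, C1, s, C2)

def unchanged(pub, pk, C):
    """Steps S702-S703 and S902-S903: e(C2, pk) == e(C1, U^s V^t' W)."""
    C0, C1, s, C2 = C
    t = H(pub, pk, C0, C1)
    return pair(C2, pk) == pair(C1, pub["U"] ** s * pub["V"] ** t * pub["W"])

def rekey(epk, sk):
    return epk ** inv(sk)  # Step S602: rk = epk^(1/sk)

def convert(pub, pk, rk, C):
    if not unchanged(pub, pk, C):
        return None  # Step S704: conversion fails
    return (C[0], pair(C[1], rk))  # Step S705: RC = (C0, C'1)

def evaluate(pub, epk, RCs):
    """Step S803: multiply converted ciphertexts and re-randomize with r'."""
    r2 = rand()
    C0, C1 = pub["P"] ** r2, pair(pub["g"], epk) ** r2
    for c0, c1 in RCs:
        C0, C1 = C0 * c0, C1 * c1
    return (C0, C1)

def decrypt(pub, pk, sk, C):
    if not unchanged(pub, pk, C):
        return None  # Step S904
    return C[0] / pair(C[1], pub["g"]) ** inv(sk)  # Step S905

def decrypt_ec(esk, EC):
    return EC[0] / EC[1] ** inv(esk)  # Step S1002

def demo():
    pub = setup()
    (pk1, sk1), (pk2, sk2), (epk, esk) = keygen(pub), keygen(pub), keygen(pub)
    M1, M2 = pub["P"] ** 20, pub["P"] ** 22  # constructed plaintexts in GT
    Ca, Cb = encrypt(pub, pk1, M1), encrypt(pub, pk2, M2)
    altered = (Ca[0] * M2,) + Ca[1:]         # C0 changed after encryption
    rk1, rk2 = rekey(epk, sk1), rekey(epk, sk2)
    RCs = [convert(pub, pk1, rk1, Ca), convert(pub, pk2, rk2, Cb)]
    return {
        "altered_rejected": convert(pub, pk1, rk1, altered) is None,
        "first_decrypts": decrypt(pub, pk1, sk1, Ca) == M1,
        "product_ok": decrypt_ec(esk, evaluate(pub, epk, RCs)) == M1 * M2,
    }

if __name__ == "__main__":
    print(demo())
```

The two inputs in `demo` are encrypted under different first public keys and still combine after conversion, while the ciphertext whose first component was changed never reaches the homomorphic computation step.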
<***Description of Effects of Embodiment 1***>
This embodiment has the following effects.
(1) In this embodiment, even data encrypted by using different public keys can be converted into encrypted texts having the same second public key epk by using a conversion key. With this, it is possible to compute plain texts by using a homomorphic computation device while information of the individual encrypted texts is being kept secret.
(2) In this embodiment, the plain text M in the encrypted text C cannot be changed because a verification expression using t is used in decryption processing in the decryption device to check the encrypted text C. However, by using the conversion key, encrypted texts can be converted into encrypted texts of the same second public key epk. Therefore, it is possible to compute plain texts by using the homomorphic computation device while information of the individual encrypted texts is being kept secret.
(3) In this embodiment, although safety of the encrypted text C using the public key pk can be extremely high, it is possible to compute the plain text M while the encrypted text C is being kept secret. Therefore, it is possible to achieve a safe confidential analysis system.
(4) The encryption device causes the encrypted text C to include not only the encrypted text D but also the detection element E for detecting a change in the encrypted text D. Therefore, it is possible to prevent a change in the encrypted text D.
(5) In a case where whether or not the encrypted text D has been changed is verified by using the detection element E and then it is determined that the encrypted text D has not been changed, the encrypted text conversion device converts the encrypted text C into the encrypted-text RC. Therefore, it is possible to provide the encrypted text C that has not been changed to the homomorphic computation device.
<***Other Configurations***>
Further, in this embodiment, the function of the “unit” serving as the processor 91 is achieved by software. However, the function of the “unit” serving as the processor 91 may be achieved by hardware as a modification example.
The function of the “unit” serving as the processor 91 may be achieved by a single processing circuit 99 or may be dispersively achieved by a plurality of processing circuits 99.
As another modification example, the devices illustrated in
The processor 91, the storage device 92, and the processing circuit 99 are collectively referred to as “processing circuitry”. In other words, the function of the “unit” serving as the processor 91 and the “storage unit” in
The “unit” serving as the processor 91 may be read as “step”, “procedure”, or “processing”. Further, the function of the “unit” serving as the processor 91 may be achieved by firmware.
Further, operation of the common parameter generation device 200 to the second decryption device 1000 illustrated in
Operation of the encryption device 500 is an encryption method. Further, the encrypted text conversion device 700 is operated by an encrypted text conversion program. Operation of the encrypted text conversion device 700 is an encrypted text conversion method.
Note that, although the public key pk and the decryption key sk are used in Embodiment 1, a role of the public key pk and a role of the decryption key may be switched and the public key pk may be used for decryption. The same applies to the public key epk and the decryption key esk.
pub: common parameter, RC: encrypted-text, pk: first public key, sk: first decryption key, epk: second public key, esk: second decryption key, rk: conversion key, 91: processor, 92: storage device, 93: input I/F, 94: output I/F, 99: processing circuit, 99a: signal line, 100: confidential analysis system, 101: Internet, 200: common parameter generation device, 201: input unit, 202: common parameter generation unit, 203: transmission unit, 300: first key generation device, 301: input unit, 302: key generation unit, 303: key transmission unit, 400: second key generation device, 401: input unit, 402: key generation unit, 403: key transmission unit, 500: encryption device, 501: reception unit, 502: storage unit, 503: input unit, 504: encryption unit, 505: detection element generation unit, 506: transmission unit, 600: conversion key generation device, 601: reception unit, 602: storage unit, 603: input unit, 604: conversion key generation unit, 605: transmission unit, 700: encrypted text conversion device, 701: reception unit, 702: storage unit, 703: input unit, 704: change detection unit, 705: encrypted text conversion unit, 706: transmission unit, 800: homomorphic computation device, 801: reception unit, 802: storage unit, 803: input unit, 804: homomorphic computation unit, 805: transmission unit, 900: first decryption device, 901: reception unit, 902: storage unit, 903: input unit, 904: decryption processing unit, 905: transmission unit, 1000: second decryption device, 1001: reception unit, 1002: storage unit, 1003: input unit, 1004: decryption processing unit, 1005: transmission unit.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2016/051245 | 1/18/2016 | WO | 00 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2017/126001 | 7/27/2017 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
8635465 | Juels | Jan 2014 | B1 |
20140115321 | Isshiki | Apr 2014 | A1 |
20140208101 | Naganuma | Jul 2014 | A1 |
20150046708 | Yasuda et al. | Feb 2015 | A1 |
20150172258 | Komano et al. | Jun 2015 | A1 |
20150270964 | Yasuda et al. | Sep 2015 | A1 |
20150341174 | Mandal et al. | Nov 2015 | A1 |
20160080333 | Isshiki | Mar 2016 | A1 |
20160282923 | Itabashi et al. | Sep 2016 | A1 |
Number | Date | Country |
---|---|---|
2006-184831 | Jul 2006 | JP |
2012-195733 | Oct 2012 | JP |
2013-26995 | Feb 2013 | JP |
2013-205592 | Oct 2013 | JP |
2013-205655 | Oct 2013 | JP |
2013-205796 | Oct 2013 | JP |
2015-31935 | Feb 2015 | JP |
2015-114629 | Jun 2015 | JP |
2015-135407 | Jul 2015 | JP |
2015-184490 | Oct 2015 | JP |
WO 2012169153 | Dec 2012 | WO |
WO 2013046320 | Apr 2013 | WO |
WO 2013153628 | Oct 2013 | WO |
WO 2014010202 | Jan 2014 | WO |
WO 2014185450 | Nov 2014 | WO |
Entry |
---|
Boneh et al., “Evaluating 2-DNF Formulas on Ciphertexts,” TCC 2005, 2005, pp. 325-341. |
Bresson et al., “A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications,” ASIACRYPT 2003, 2003, pp. 37-54. |
Catalano et al., “Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data,” IACR Cryptology ePrint Archive: Report 2014/813, 2014, 28 pages. |
Freeman, “Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups,” EUROCRYPT 2010, 2010, pp. 44-61. |
Gentry et al., “Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based,” Crypto 2013, Lecture Notes in Computer Science 8042, pp. 1-25. |
Gentry, “Fully Homomorphic Encryption Using Ideal Lattices,” STOC'09, Bethesda, Maryland, USA, May 31-Jun. 2, 2009, pp. 169-178. |
Paillier, “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes,” EUROCRYPT'99, 1999, pp. 223-238. |
Extended European Search Report issued in corresponding European Application No. 16886244.9 dated Dec. 17, 2018. |
Xavier Boyen et al., “Direct Chosen Ciphertext Security from Identity-Based Techniques”, Nov. 7-11, 2005, pp. 320-330. |
Emura et al., “Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption”, Public Key Cryptography 2013: 32-50, May 13, 2014, pp. 1-46. |
International Search Report for PCT/JP2016/051245 (PCT/ISA/210) dated Mar. 22, 2016. |
Lai et al., “Efficient CCA-Secure PKE from Identity-Based Techniques”, LNCS, Topics in Cryptology—CT-RSA 2010, vol. 5985, pp. 132-147. |
Libert et al., “Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption”, IEEE Transactions on Information Theory, vol. 57, No. 3, Mar. 2011, pp. 1786-1802. |
U.S. Appl. No. 16/327,107, filed Feb. 21, 2019. |
Office Action issued in corresponding Indian Application No. 201847024570 dated Jun. 22, 2020. |
Number | Date | Country | |
---|---|---|---|
20190260585 A1 | Aug 2019 | US |