The present invention relates to at least either one of a high-security identity (ID)-based encryption (to be referred to as IBE hereinafter) scheme and a high-security attribute-based encryption (to be referred to as ABE hereinafter) scheme.
Quantum computers are being developed worldwide. Ciphers using isogenies have been proposed as encryption schemes that can maintain security even against the quantum computers. Non-Patent Literature 1 describes a partially quantum-resistant attribute-based encryption scheme that provides pre-challenge quantum security based on Isog-DBDH assumption.
However, it is unclear whether the scheme described in Non-Patent Literature 1 can prove its security from a pairing-related problem hardness such as DBDH assumption that has been conventionally used widely. In general, the isogeny problem is recognized as harder than the pairing-related problem because, for example, it indicates quantum resistance. Meanwhile, since the hardness has not yet been fully verified, it is worried that unknown attacks might be found.
It is an objective of the present invention to make it possible to configure an encryption scheme capable of providing security from a plurality of problem hardnesses.
An encryption device according to the present invention is an encryption device in a cryptographic system that uses a group G0, a group Gt associated with the group G0, a group G{circumflex over ( )}0, a group G{circumflex over ( )}t associated with the group G{circumflex over ( )}0, and a group GT associated with the group G0 and the group G{circumflex over ( )}0 by pairing operation e0 and associated with the group Gt and the group G{circumflex over ( )}t by pairing operation et, the encryption device comprising;
a ciphertext generation unit to generate a ciphertext ct using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of the group G{circumflex over ( )}t, the element X being generated through conversion of a generator of the group GT by a key generation random, or the element Y{circumflex over ( )} being generated through conversion of a generator of the group G{circumflex over ( )}t by the key generation random,
wherein the ciphertext generation unit comprises:
a first cipher element generation unit to generate a cipher element cT which is an element of the ciphertext ct, by setting a message m to conversion information z in which an encryption random ζ is set to the element X; and
a second cipher element generation unit to generate a cipher element c which is an element of the ciphertext ct, by setting the encryption random ζ to the element Y{circumflex over ( )}.
In the present invention, it is possible to provide security from a certain problem hardness by using a plurality of groups that are associated with each other. Also, in the present invention, it is possible to provide security from another problem hardness by generating a ciphertext ctID′ using a generation element generated by conversion using a key generation random.
In Embodiment 1, high-security, high-efficient IBE scheme will be described.
The notation in the following description will be explained.
In the following explanation, when in a formula a symbol or the like is written above a variable, in the sentence this symbol or the like is placed on an upper right of the variable. Specifically, in a formula a symbol “{circumflex over ( )}” or a symbol “→” is written above a variable, but in the sentence it is placed on an upper right of the variable. For example, formula 101 is written as B{circumflex over ( )} in the sentence.
{circumflex over (B)} [Formula 101]
When a symbol “→” expressing a vector is annexed to a superscript, assume that this symbol “→” is a superscript to that superscript. This means that in gy→, y→ is expressed as a superscript to g.
When A is a random variable or distribution, formula 102 denotes that y is randomly selected from A according to the distribution of A. That is, in formula 102, y is a random.
When A is a set, formula 103 denotes that y is uniformly selected from A. That is, in formula 103, y is a uniform random.
Formula 104, namely Fq, denotes a finite field of order q.
q [Formula 104]
Assume that formula 105 holds for an integer n larger than 0.
[n]:={1, . . . ,n},
[0,n]:={0, . . . ,n} [Formula 105]
Formula 106 denotes an inner product indicated by formula 108 of two vectors y→ and v→ indicated in formula 107.
{right arrow over (x)}·{right arrow over (v)} [Formula 106]
{right arrow over (x)}=(x1, . . . ,xn),
{right arrow over (v)}=(v1, . . . ,vn) [Formula 107]
Σi=1nxivi [Formula 108]
For an element g in a product group K (resp. an element g{circumflex over ( )} in a product group K{circumflex over ( )}) indicated in formula 109 and a vector y denoted by formula 110, gy→ denotes a group element denoted by formula 111.
:=1× ⋅ ⋅ ⋅ ×r (resp. :=1× ⋅ ⋅ ⋅ ×r)
g:=(gi) (resp. ĝ:=(ĝi) [Formula 109]
{right arrow over (y)}=(yi)y∈[r]∈qr [Formula 110]
(giy
For a scalar ζ∈Fq, gζ denotes a scalar exponentiation denoted by formula 112.
(giζ)i∈[r] [Formula 112]
For the element g:=(gi) and the element g{circumflex over ( )}:=(g{circumflex over ( )}i) in the respective product groups K and K{circumflex over ( )} mentioned above, if a pairing ei is defined on a space denoted by formula 113, a pairing eK is defined as in Formula 114.
i×i for i∈[r] [Formula 113]
(g,ĝ):=Πi∈[r]ei(gi,ĝi) [Formula 114]
An isogenous pairing group (to be referred to as IPG hereinafter) employed in an IBE scheme according to Embodiment 1 will be explained referring to
IPG has a plurality of groups that are associated by isogeny and pairing operation.
More specifically, IPG has a group G0, groups Gt for t=1, . . . , d associated with the group G0 by isogeny ϕt, groups G{circumflex over ( )}t for t=1, . . . , d associated with a group G{circumflex over ( )}0 by isogeny ϕt, and a group GT associated with the groups Gt and the group G{circumflex over ( )}t for t=1, . . . , d by pairing operation et. In IPG, assuming a case where elements from group G0×group G{circumflex over ( )}0 are converted by pairing operation e0 and a case where elements from group G0×group G{circumflex over ( )}0 are converted to groups Gt×groups G{circumflex over ( )}t by isogeny ϕt for any one integer t of t=1, . . . , d and then converted by pairing operation et, results between the two cases are equal.
For example, groups Gt and groups G{circumflex over ( )}t for each integer t of t=0, . . . , d are groups on different elliptic curves.
More precisely, IPG is defined as follows.
According to IPG generation algorithm GenIPG (1λ, N), a master key pair of a public parameter pkIPG and a master secret key mskIPG indicated in formula 115 is generated randomly.
Note that (Gt, G{circumflex over ( )}t, et, GT) are asymmetric pairing groups of a prime order q with pairings et: Gt×G{circumflex over ( )}t→GT and trapdoor homomorphisms ϕt. Trapdoor homomorphisms ϕt are mapping from G0×G{circumflex over ( )}0 to Gt×G{circumflex over ( )}t such that Gt=ϕt(G0) and G{circumflex over ( )}t=ϕt(G{circumflex over ( )}0) under natural identifications G=G×1G{circumflex over ( )} and G{circumflex over ( )}=1G×G{circumflex over ( )} given by isogenies between different elliptic curves. Also, gt=ϕt(g0)∈Gt, g{circumflex over ( )}t=ϕt(g{circumflex over ( )}0)∈G{circumflex over ( )}t.
IPG has compatibility denoted by formula 116.
e
0(g0,ĝ0)=et(gt,ĝt)=et(ϕt(g0),ĝ0) for any t∈[N] [Formula 116]
Note that gT=e0(g0, g{circumflex over ( )}0)≠1 and Gt≠G{circumflex over ( )}t.
A configuration of the IBE scheme according to Embodiment 1 will be described.
The IBE scheme comprises Setup algorithm, KeyGen algorithm, Enc algorithm, and Dec algorithm.
Setup algorithm takes as input a security parameter 1λ and outputs public parameters pk and a master secret key msk.
KeyGen algorithm takes as input the public parameters pk, the master secret key msk, and an identity ID, and outputs a decryption key skID corresponding to the identity ID.
Enc algorithm takes as input the public parameters pk, a message m in a message space msg, and an identity ID′, and outputs a ciphertext ctID′.
Dec algorithm takes as input the public parameters pk, the decryption key skID corresponding to the identity ID, and the ciphertext ctID′ encrypted under the identity ID′, and outputs either a message m′∈msg or a distinguished symbol ⊥ which indicates that decryption failed.
A configuration of a cryptographic system 1 according to Embodiment 1 will be described referring to
The cryptographic system 1 is provided with a key generation device 10, an encryption device 20, and a decryption device 30. The key generation device 10, the encryption device 20, and the decryption device 30 are connected to each other via a transmission line. A specific example of the transmission line is a local area network (LAN) or the Internet. The key generation device 10, the encryption device 20, and the decryption device 30 can communicate with each other via the transmission line.
The key generation device 10 takes as input a security parameter 1λ and executes Setup algorithm to generate public parameters pk and a master secret key msk. The key generation device 10 also takes as input the public parameters pk, the master secret key msk, and an identity ID and executes KeyGen algorithm to generate a decryption key skID.
The key generation device 10 publishes the public parameters pk and outputs the decryption key skID to the decryption device 30 corresponding to the identity ID. The key generation device 10 keeps the master secret key msk.
Setup algorithm may be executed only once in setup or the like of the cryptographic system 10.
The encryption device 20 takes as input the public parameters pk, a message m, and an identity ID′ and executes Enc algorithm to generate a ciphertext ctID′. The encryption device 20 outputs the ciphertext ctID′ to the decryption device 30.
The decryption device 30 takes as input the public parameters pk, the decryption key skID, and the ciphertext ctID′ and executes Dec algorithm to generate a message m′ or a distinguished symbol ⊥ which indicates that decryption failed.
A configuration of the key generation device 10 according to Embodiment 1 will be described referring to
The key generation device 10 is provided with hardware devices which are a processor 11, a storage device 12, and an input/output interface 13. The processor 11 is connected to the other hardware devices via a signal line and controls these other hardware devices.
The key generation device 10 is provided with a master key generation unit 14, a decryption key generation unit 15, and a key output unit 16, as function configuration elements. Functions of the master key generation unit 14, decryption key generation unit 15, and key output unit 16 are implemented by software.
A program that implements the functions of the individual units of the key generation device 10 is stored in the storage device 12. This program is read by the processor 11 and executed by the processor 11. The functions of the individual units of the key generation device 10 are thus implemented.
A configuration of the encryption device 20 according to Embodiment 1 will be described referring to
The encryption device 20 is provided with hardware devices which are a processor 21, a storage device 22, and an input/output interface 23. The processor 21 is connected to the other hardware devices via a signal line and controls these other hardware devices.
The encryption device 20 is provided with an acquisition unit 24, a ciphertext generation unit 25, and a ciphertext output unit 26, as function configuration elements. The ciphertext generation unit 25 is provided with a conversion information generation unit 251, a first cipher element generation unit 252, and a second cipher element generation unit 253. Functions of the acquisition unit 24, ciphertext generation unit 25, conversion information generation unit 251, first cipher element generation unit 252, second cipher element generation unit 253, and ciphertext output unit 26 are implemented by software.
A program that implements the functions of the individual units of the encryption device 20 is stored in the storage device 22. This program is read by the processor 21 and executed by the processor 21. The functions of the individual units of the encryption device 20 are thus implemented.
A configuration of the decryption device 30 according to Embodiment 1 will be described referring to
The decryption device 30 is provided with hardware devices which are a processor 31, a storage device 32, and an input/output interface 33. The processor 31 is connected to the other hardware devices via a signal line and controls these other hardware devices.
The decryption device 30 is provided with an acquisition unit 34, a decryption unit 35, and a message output unit 36, as function configuration elements. The acquisition unit 34 is provided with a decryption key acquisition unit 341 and a ciphertext acquisition unit 342. The decryption unit 35 is provided with a conversion information generation unit 351 and a message generation unit 352. Functions of the acquisition unit 34, decryption key acquisition unit 341, ciphertext acquisition unit 342, decryption unit 35, conversion information generation unit 351, message generation unit 352, and message output unit 36 are implemented by software.
A program that implements the functions of the individual units of the decryption device 30 is stored in the storage device 32. This program is read by the processor 31 and executed by the processor 31. The functions of the individual units of the decryption device 30 are thus implemented.
Each of the processors 11, 21, and 31 is an integrated circuit (IC) that performs processing. Specific examples of each of the processors 11, 21, and 31 are a central processing unit (CPU), a digital signal processor (DSP), and a graphics processing unit (GPU).
Specific examples of each of the storage devices 12, 22, and 32 are a random access memory (RAM) and a hard disk drive (HDD). Each of the storage devices 12, 22, and 32 may be a portable storage medium such as a secure digital (SD) memory card, a compact flash (CF), a NAND flash, a flexible disk, an optical disk, a compact disk, a blu-ray (registered trademark) disk, and a DVD.
Each of the input/output interfaces 13, 23, and 33 is an interface to receive as input, data from the outside and to output data to the outside. A specific example of each of the input/output interfaces 13, 23, and 33 is a connector such as a universal serial bus (USB), PS/2, and a high-definition multimedia interface (HDMI; registered trademark) that connects an input device such as a keyboard and an output device such as a display. A specific example of each of the input/output interfaces 13, 23, and 33 may also be a network interface card (NIC) that receives data from the outside and transmits data via the network.
Information, data, signal values, and variable values indicating processing results of the functions of the individual units implemented by the processor 11 are stored in the storage device 12, or a register or cache memory in the processor 11. Likewise, information, data, signal values, and variable values indicating processing results of the functions of the individual units implemented by the processor 21 are stored in the storage device 22, or a register or cache memory in the processor 21. Likewise, information, data, signal values, and variable values indicating processing results of the functions of the individual units implemented by the processor 31 are stored in the storage device 32, or a register or cache memory in the processor 31.
The program that implements the individual functions implemented by the processor 11 is stored in the storage device 12, as described above. Likewise, the program that implements the individual functions implemented by the processor 21 is stored in the storage device 22, as described above. Likewise, the program that implements the individual functions implemented by the processor 31 is stored in the storage device 32. Alternatively, these programs may be stored in a portable storage medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a blu-ray (registered trademark) disk, and a DVD.
An operation of the cryptographic system 1 according to Embodiment 1 will be described referring to
The operation of the cryptographic system 1 according to Embodiment 1 is equivalent to a cryptographic method according to Embodiment 1. The operation of the cryptographic system 1 according to Embodiment 1 is also equivalent to processing of a cryptographic program according to Embodiment 1.
An operation of the key generation device 10 according to Embodiment 1 is equivalent to a key generation method according to Embodiment 1. The operation of the key generation device 10 according to Embodiment 1 is also equivalent to processing of a key generation program according to Embodiment 1.
An operation of the encryption device 20 according to Embodiment 1 is equivalent to an encryption method according to Embodiment 1. The operation of the encryption device 20 according to Embodiment 1 is also equivalent to processing of an encryption program according to Embodiment 1.
An operation of the decryption device 30 according to Embodiment 1 is equivalent to a decryption method according to Embodiment 1. The operation of the decryption device 30 according to Embodiment 1 is also equivalent to processing of a decryption program according to Embodiment 1.
Setup algorithm according to Embodiment 1 will be described referring to
Setup algorithm is executed by the key generation device 10.
(Step S11: IPG Generation Process)
The master key generation unit 14 receives as input the security parameter 1λ via the input/output interface 13. The master key generation unit 14 takes as input the received security parameter 1λ and d=1 and executes IPG generation algorithm GenIPG (1λ, d) to generate a master key pair of the public parameters pkIPG and the master secret key mskIPG indicated in formula 117.
That is, in Embodiment 1, the group Gt and the group G{circumflex over ( )}t for t=0, 1, the pairing operation et, the group GT, and isogeny ϕ1 are generated, as illustrated in
As illustrated in
(Step S12: Hash Function Generation Process)
The master key generation unit 14 generates a random hash function H which converts an element of a field Fq, being a space of an identity, to an element of the group G0.
(Step S13: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random γ which is a uniform random.
(Step S14: Master Key Generation Process)
Using the public parameters pkIPG generated in step S11 and the hash function H generated in step S12, the master key generation unit 14 generates the public parameters pk:=((Gt, G{circumflex over ( )}t, et)t=0,1, g{circumflex over ( )}0′:=g{circumflex over ( )}0γ, g{circumflex over ( )}1, GT, H). The key output unit 16 outputs the public parameters pk to the encryption device 20 and the decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the master secret key mskIPG generated in step S11 and the key generation random γ generated in step S13, the master key generation unit 14 generates the master secret key msk:=(ϕ1, γ). The master key generation unit 14 writes the generated master secret key msk to the storage device 12.
That is, the master key generation unit 14 generates the master key pair by executing the Setup algorithm indicated in formula 118.
KeyGen algorithm according to Embodiment 1 will be described referring to
KeyGen algorithm is executed by the key generation device 10.
(S21: ID Receipt Process)
The decryption key generation unit 15 receives as input the identity ID of a user who uses the decryption key skID, via the input/output interface 13. The identity ID is inputted by, for example, a user of the key generation device 10, via the input device.
(Step S22: Key Element Generation Process)
The decryption key generation unit 15 takes as input the identity ID received in step S21 and calculates the hash function H included in the public parameters pk, to generate an element h0 which is an element of the group G0.
The decryption key generation unit 15 converts the element h0 by isogeny ϕ1 and the key generation random γ both included in the master secret key msk, to generate an element h1. More specifically, the decryption key generation unit 15 converts the element h0 by isogeny ϕ1 and the key generation random γ, to generate the element h1 which is a key element k, as indicated in formula 119.
h
1:=ϕ1(h0γ) [Formula 119]
That is, the element h1 is an element of the group Gt (=group G1) converted by the key generation random γ.
(Step S23: Key Output Process)
The key output unit 16 outputs the decryption key skID including the identity ID received in step S21 and the element h1 generated in step S22 to the decryption device 30 via the input/output interface 13. At this time, the key output unit 16 prevents leakage of the decryption key skID to a third party by taking a method such as encryption according to some encryption scheme.
That is, the decryption key generation unit 15 generates the decryption key skID by executing the KeyGen algorithm indicated in formula 120.
KeyGen(pk,sk,ID):
h
0
:=H(ID)∈0,h1:=ϕ1(h0γ),
return skID:=(ID,h1). [Formula 120]
Enc algorithm according to Embodiment 1 will be described referring to
Enc algorithm is executed by the encryption device 20.
(Step S31: Acquisition Process)
The acquisition unit 24 acquires, via the input/output interface 23, the public parameters pk generated by the key generation device 10. The acquisition unit 24 also receives as input the message m being an encryption target and the identity ID′ being a decryption condition. The message m and the identity ID′ are inputted by, for example, a user of the encryption device 20 via the input device.
(Step S32: Ciphertext Generation Process)
The ciphertext generation unit 25 generates elements of the ciphertext ctID′ using the public parameters pk and the identity ID′ which are acquired in step S31. The ciphertext generation unit 25 generates the elements of the ciphertext ctID′ using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of the group G{circumflex over ( )}t. The element X refers to e0(h0, g{circumflex over ( )}0′) described later. The element Y{circumflex over ( )} refers to g{circumflex over ( )}1 included in the public parameters pk.
The ciphertext generation process includes processes of step S321 to step S323.
(Step S321: Conversion Information Generation Process)
The conversion information generation unit 251 takes as input the identity ID′ received in step S31 and calculates the hash function H included in the public parameters pk to generate the element h0 which is an element of the group G0. The conversion information generation unit 251 also generates an encryption random ζ which is a uniform random.
Using the element h0 and the encryption random ζ, the conversion information generation unit 251 generates conversion information z, as indicated in formula 121.
z:=e
0(h0,ĝ0′)ζ [Formula 121]
That is, the conversion information generation unit 251 generates the conversion information z by converting e0(h0, g{circumflex over ( )}0′) which is the element X of the group GT, using the encryption random ζ. Since e0(h0, g{circumflex over ( )}0′) which is the element X includes g{circumflex over ( )}0′:=g{circumflex over ( )}0γ, e0(h0, g{circumflex over ( )}0′) is generated by converting a generator (g{circumflex over ( )}0) of the group GT using the key generation random γ.
(Step S322: First Cipher Element Generation Process)
The first cipher element generation unit 252 generates a cipher element cT which is an element of the ciphertext ctID′ by setting the message m to the conversion information z generated in step S321, as indicated in formula 122.
c
T
:=z·m [Formula 122]
(Step S323: Second Cipher Element Generation Process)
The second cipher element generation unit 253 generates a cipher element c which is an element of the ciphertext ctID′ by setting the encryption random ζ to g{circumflex over ( )}1 which is the element Y{circumflex over ( )}, as indicated in formula 123.
c:=ĝ
1
ζ [Formula 123]
(Step S33: Ciphertext Output Process)
The ciphertext output unit 26 outputs the ciphertext ctID′ having, as cipher elements, the identity ID′ received in step S31 and the cipher elements cT and c generated in step S32 to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctID′ by executing the Enc algorithm indicated in formula 124.
Dec algorithm according to Embodiment 1 will be described referring to
Dec algorithm is executed by the decryption device 30.
(Step S41: Acquisition Process)
The acquisition unit 34 acquires, via the input/output interface 33, the public parameters pk and the decryption key skID which are generated by the key generation device 10 and the ciphertext ctID′ generated by the encryption device 20.
The acquisition process includes processes of step S411 and step S412.
(Step S411: Decryption Key Acquisition Process)
The decryption key acquisition unit 341 acquires, via the input/output interface 33, the public parameters pk and the decryption key skID which are generated by the key generation device 10. The decryption key skID includes, as the key element k, the element h1 which is an element of the group Gt (=group G1) converted by the key generation random γ.
(Step S412: Ciphertext Acquisition Process)
The ciphertext acquisition unit 342 acquires the ciphertext ctID′ generated by the encryption device 20. The ciphertext ctID′ includes the cipher element cT and the cipher element c. In the cipher element cT, the message m is set to the conversion information z in which the encryption random ζ is set to the element X which is generated through conversion of the generator (e0(h0, g{circumflex over ( )}0′)) of the group GT by the key generation random γ. In the cipher element c, the encryption random ζ is set to g{circumflex over ( )}1 which is the element Y{circumflex over ( )}.
(Step S42: Decryption Determination Process)
The decryption unit 35 determines whether or not the identity ID included in the decryption key skID received in step S41 and the identity ID′ included in the ciphertext ctID′ received in step S41 are equal. Hence, whether the ciphertext ctID′ can be decrypted by the decryption key skID is determined.
If it is determined that the identity ID and the identity DI′ are equal, that is, if it is determined that decryption is possible, the decryption unit 35 advances the processing to step S43. If not, the decryption unit 35 advances the processing to step S45.
(Step S43: Decryption Process)
The decryption unit 35 generates the message m′ by decrypting the ciphertext ctID′ by the decryption key skID received in step S41.
The decryption process includes processes of step S431 and step S432.
(Step S431: Conversion Information Generation Process)
The conversion information generation unit 351 generates conversion information z′ using the element h1 included in the decryption key skID acquired in step S411 and the cipher element c included in the ciphertext ctID′ acquired in step S412, as indicated in formula 125.
z′:=e
1(h1,c) [Formula 125]
Since formula 126 holds, if the decryption key skID can decrypt the ciphertext ctID′, then the conversion information z′ and the conversion information z are identical.
(Step S432: Message Generation Process)
The message generation unit 352 generates the message m′ using the conversion information z′ generated in step S431 and the cipher element cT included in the ciphertext ctID′ acquired in step S412, as indicated in formula 127.
m′:=c
T·(z′)−1 [Formula 127]
(Step S44: Message Output Process)
The message output unit 36 outputs the message m′ calculated in step S43, via the input/output interface 33.
(Step S45: Distinguished Symbol Output Process)
The message output unit 36 outputs the distinguished symbol ⊥ which indicates that decryption failed, via the input/output interface 33.
That is, the decryption device 30 executes the Dec algorithm indicated in formula 128 to decrypt the ciphertext ctID′ by the decryption key SKID.
Dec(pk,skID,ctID′):
if ID=ID′,
z′:=e
1(h1,c), m′:=cT·(z′)−1,
return m′,
otherwise, return ⊥. [Formula 128]
As described above, the cryptographic system 1 according to Embodiment 1 implements the IBE scheme using IPG. IPG is formed of a plurality of groups associated with each other. Therefore, it is possible to provide security from the problem hardness that is based on mapping used for associating the plurality of groups. More specifically, in IPG, the group G0 and each group GT for t=1, . . . , d are associated with each other by isogeny ϕt, and the group G{circumflex over ( )}0 and each group G{circumflex over ( )}t for t=1, . . . , d are associated with each other by isogeny ϕt. Therefore, it is possible to provide security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 1 generates the ciphertext ctID′ using the element X which is a generation element converted by the key generation random γ. More specifically, the cryptographic system 1 generates the cipher element cT which is an element of the ciphertext ctID′, using e0(h0, g{circumflex over ( )}0′) which is the element X. Note that e0(h0, g{circumflex over ( )}0′) which is the element X is generated by converting the generator (g{circumflex over ( )}0) of the group GT by the key generation random γ. Therefore, it is possible to provide security from pairing problem hardness.
<Modification 1>
In Embodiment 1, the functions of the individual units of each of the key generation device 10, encryption device 20, and decryption device 30 are implemented by software. In Modification 1, functions of individual units of each of a key generation device 10, encryption device 20, and decryption device 30 may be implemented by hardware. Modification 1 will now be described regarding its differences from Embodiment 1.
Configurations of the key generation device 10, encryption device 20, and decryption device 30 according to Modification 1 will be described referring to
In cases where the functions of the individual units are implemented by hardware, the key generation device 10, encryption device 20, and decryption device 30 are respectively provided with electronic circuits 18, 28, and 38 in place of the respective processors 11, 21, and 31 and the respective storage devices 12, 22, and 32. The electronic circuits 18, 28, and 38 are dedicated circuits that implement functions of the individual units of the key generation device 10, encryption device 20, and decryption device 30, respectively, and functions of the storage devices 12, 22, and 32, respectively.
It is assumed that each of the electronic circuits 18, 28, and 38 is a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a gate array (GA), an application specific integrated circuit (ASIC), or a field-programmable gate array (FPGA).
The key generation device 10, encryption device 20, and decryption device 30 may be each provided with a plurality of electronic circuits that replace the electronic circuits 18, 28, and 38, respectively. These plurality of electronic circuits implement together the functions of the individual units. Each electronic circuit is a dedicated circuit, as each of the electronic circuits 18, 28, and 38 is.
<Modification 2>
In Modification 2, some functions may be implemented by hardware, and the other functions may be implemented by software. That is, of the functions of each of the key generation device 10, encryption device 20, and decryption device 30, some may be implemented by hardware, and the other may be implemented by software.
The processors 11, 21, 31, the storage devices 12, 22, 32, and the electronic circuits 18, 28, and 38 are called processing circuitry. That is, the functions of the individual units are implemented by the processing circuitry.
In Embodiment 2, high-security basic IBE scheme will be described.
In Embodiment 2, description on matters that are identical with their counterparts of Embodiment 1 will be omitted, and differences from Embodiment 1 will be described.
A key technique known in the IBE scheme according to Embodiment 2 will be described.
In IBE which is conventionally implemented using pairing, a secret key and a ciphertext are encoded on only one pair of paring groups G and G{circumflex over ( )}. In contrast to this, in IBE according to Embodiment 2, different groups GID and G{circumflex over ( )}ID are made to correspond to different IDs. These groups GID and G{circumflex over ( )}ID will be called ID groups.
Hence, a relation illustrated in
This will be described more specifically referring to
As illustrated in
As illustrated in
As illustrated in
As illustrated in
A configuration of a key generation device 10 according to Embodiment 2 will be described referring to
The key generation device 10 is different from the key generation device 10 illustrated in
A configuration of an encryption device 20 according to Embodiment 2 will be described referring to
The encryption device 20 is different from the encryption device 20 illustrated in
An operation of a cryptographic system 1 according to Embodiment 2 will be described referring to
Setup algorithm according to Embodiment 2 will be described referring to
(Step S51: IPG Generation Process)
A master key generation unit 14 receives as input a security parameter 1λ and a value n which is a bit number of the ID via an input/output interface 13. The master key generation unit 14 takes as input the received security parameter 1λ and d=2n and executes IPG generation algorithm GenIPG (1ζ, d) to generate a master key pair of public parameters pkIPG and a master secret key mskIPG indicated in formula 129.
(Step S52: Secret Information Generation Process)
The master key generation unit 14 generates secret information s0 which is a uniform random.
The master key generation unit 14 generates an element hT by setting the secret information s0 to an element gT of the group GT, as indicated in formula 130.
h
T
:=g
T
s
[Formula 130]
(Step S53: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random τj,ι which is a uniform random, for each integer j of j=1, . . . , n and each integer ι of ι=0, 1.
The master key generation unit 14 generates an element h{circumflex over ( )}j,ι for each integer j of j=1, . . . , n and each integer ι of ι=0, 1 by setting the key generation random τj,ι to an element g{circumflex over ( )}j,ι of the group G{circumflex over ( )}j,ι, as indicated in Formula 131.
ĥ
j,ι
:=ĝ
j,ι
τ
[Formula 131]
The master key generation unit 14 also generates an element hj,ι for each integer j of j=1, . . . , n and each integer ι of ι=0, 1 by setting a reciprocal 1/τj,ι of the key generation random τj,ι to an element gj,ι of the group Gj,ι, as indicated in Formula 132.
h
j,ι
:=g
j,ι
1/τ
[Formula 132]
(Step S54: Master Key Generation Process)
Using the public parameters pkIPG generated in step S51, the element hT generated in step S52, and the element h{circumflex over ( )}j,ι generated in step S53, the master key generation unit 14 generates public parameters pk:=((Gj,ι, G{circumflex over ( )}j,ι, h{circumflex over ( )}j,ι, ej,ι)j∈[n],ιE[0,1], GT, hT). A key output unit 16 outputs the public parameters pk to an encryption device 20 and a decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the secret information s0 generated in step S52 and the element hj,ι generated in step S53, the master key generation unit 14 generates a master secret key msk:=(s0, (hj,ι)j∈[n],ι★[0,1]). The master key generation unit 14 writes the generated master secret key msk to a storage device 12.
That is, the master key generation unit 14 generates the master key pair by executing the Setup algorithm indicated in formula 133.
KeyGen algorithm according to Embodiment 2 will be described referring to
(S61: ID Receipt Process)
A decryption key generation unit 15 receives as input the identity ID of a user who uses a decryption key skID, via the input/output interface 13. The identity ID is inputted by, for example, a user of the key generation device 10, via an input device.
As described above, identity ID:=(IDj)j=1 . . . , n. Each IDj is 0 or 1.
(Step S62: ID Group Assigning Process)
The ID group assigning unit 17 assigns IDj for each integer j of j=1, . . . , n to different groups out of the groups Gj,ι which are the group Gt. More specifically, the ID group assigning unit 17 assigns IDj for each integer j of j=1, . . . , n to the groups Gj,IDj. Then, the ID group assigning unit 17 takes a direct product of the groups Gj,IDj for each integer j of j=1, . . . , n as an ID group GID. Namely, the ID group assigning unit 17 generates the ID group GID, as indicated in formula 134.
ID:=1,ID
Out of the elements hj,ι included in the master secret key msk, the ID group assigning unit 17 generates, as an element hID, a set of those elements hj,ι that are included in the ID group GID. More specifically, the ID group assigning unit 17 generates the element hID, as indicated in formula 135.
h
ID:=(hj,ID
(Step S63: Distributed Information Generation Process)
The decryption key generation unit 15 generates distributed information s→ randomly, as indicated in formula 136. The distributed information s→ is information in which the secret information s0 is distributed.
{right arrow over (s)}:=(sj)j∈[n]∈qn such that s0=Σj=1
(Step 64: Key Element Generation Process)
The decryption key generation unit 15 generates a key element k by setting the distributed information s→ generated in step S63 to the element hID generated in step S62, as indicated in Formula 137.
k:=h
ID
{right arrow over (s)} [Formula 137]
(Step S65: Key Output Process)
The key output unit 16 outputs the decryption key skID including the identity ID received in step S61 and the key element k generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the decryption key skID by executing the KeyGen algorithm indicated in formula 138.
ID := 1,ID
Enc algorithm according to Embodiment 2 will be described referring to
(Step S71: Acquisition Process)
An acquisition unit 24 acquires, via an input/output interface 23, the public parameters pk generated by the key generation device 10. The acquisition unit 24 also receives as input a message m being an encryption target and the identity ID′ being a decryption condition. The message m and the identity ID′ are inputted by, for example, a user of the encryption device 20 via the input device.
As described above, identity ID′:=(ID′j)j=1, . . . , n. Each ID′j is 0 or 1.
(Step S72: ID Group Assigning Process)
The ID group assigning unit 27 assigns ID′j for each integer j of j=1, . . . , n to different groups out of groups G{circumflex over ( )}j,ι which are a group G{circumflex over ( )}t. More specifically, the ID group assigning unit 17 assigns ID′j for each integer j of j=1, . . . , n to groups G{circumflex over ( )}j,ID′j. Then, the ID group assigning unit 17 takes a direct product of the groups G{circumflex over ( )}j,ID′j for each integer j of j=1, . . . , n as an ID group G{circumflex over ( )}ID. Namely, the ID group assigning unit 17 generates the ID group G{circumflex over ( )}ID, as indicated in formula 139.
ID:=1,ID′
Out of the elements h{circumflex over ( )}j,ι included in the public parameters pk, the ID group assigning unit 17 generates, as an element h{circumflex over ( )}ID, a set of those elements h{circumflex over ( )}j,ι that are included in the ID group G{circumflex over ( )}ID. More specifically, the ID group assigning unit 17 generates the element h{circumflex over ( )}ID, as indicated in formula 140.
ĥ
ID:=(ĥj,ID′
(Step S73: Ciphertext Generation Process)
A ciphertext generation unit 25 generates elements of a ciphertext ctID′ using the public parameters pk acquired in step S71 and the element h{circumflex over ( )}ID generated in step S72. The ciphertext generation unit 25 generates the elements of the ciphertext ctID′ using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of a group G{circumflex over ( )}t. The element X refers to the element hT included in the public parameters pk. The element Y{circumflex over ( )} refers to the element h{circumflex over ( )}ID generated in step S72.
The ciphertext generation process includes processes of step S731 to step S733.
(Step S731: Conversion Information Generation Process)
A conversion information generation unit 251 generates an encryption random ζ which is a uniform random.
Using the element hT and the encryption random ζ, the conversion information generation 251 generates conversion information z, as indicated in formula 141.
z:=h
T
ζ [Formula 141]
(Step S732: First Cipher Element Generation Process)
A first cipher element generation unit 252 generates a cipher element cT which is an element of the ciphertext ctID′ by setting the message m to the conversion information z generated in step S731, as indicated in formula 142.
c
T
:=z·m [Formula 142]
(Step S733: Second Cipher Element Generation Process)
A second cipher element generation unit 253 generates a cipher element c which is an element of the ciphertext ctID′ by setting the encryption random ζ to the element h{circumflex over ( )}ID which is the element Y{circumflex over ( )}, as indicated in formula 143.
c:=ĥ
ID
ζ [Formula 143]
(Step S74: Ciphertext Output Process)
A ciphertext output unit 26 outputs the ciphertext ctID′ having, as cipher elements, the identity ID′ received in step S71 and the cipher elements cT and c generated in step S73, to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctID′ by executing the Enc algorithm indicated in formula 144.
Dec algorithm according to Embodiment 2 will be described referring to
Processes of step S41 and step S42 and processes of step S44 and step S45 are the same as those in Embodiment 1.
Note that the decryption key skID includes the key element k in which the distributed information s→ is set to the element hID. Note that the element hID is generated using the element hj,t. In the element hj,ι, the reciprocal 1/τj,ι of the key generation random τj,ι is set to the element gj,ι of the group Gj,ι. Therefore, the decryption key skID includes the key element k which is an element of the group Gt (=group Gj,ι) converted by the key generation random τj,ι.
The ciphertext ctID′ includes the cipher element cT and the cipher element c. In the cipher element cT, the message m is set to the conversion information z in which the encryption random ζ is set to the element X which is the generator hT of the group GT. In the cipher element c, the encryption random ζ is set to the element h{circumflex over ( )}ID which is the element Y{circumflex over ( )} being converted from a generator g{circumflex over ( )}j,ι of the group G{circumflex over ( )}t by the key generation random τj,ι.
(Step S43: Decryption Process)
A decryption unit 35 generates a message m′ by decrypting the ciphertext ctID′ by the decryption key skID received in step S41.
The decryption process includes processes of step S431 and step S432.
(Step S431: Conversion Information Generation Process)
A conversion information generation unit 351 generates conversion information z′ using the element k included in the decryption key skID and the cipher element c included in the ciphertext ctID′, as indicated in formula 145.
z′:=e
1(k,c) [Formula 145]
Since formula 146 holds, if the decryption key skID can decrypt the ciphertext ctID′, then the conversion information z′ and the conversion information z are identical.
(Step S432: Message Generation Process)
A message generation unit 352 generates the message m′ using the conversion information z′ generated in step S431 and the cipher element cT included in the ciphertext ctID′, as indicated in formula 147.
m′:=c
T·(z′)−1 [Formula 147]
That is, the decryption device 30 executes the Dec algorithm indicated in formula 148 to decrypt the ciphertext ctID′ by the decryption key skID.
Dec(pk,skID,ctID′):
if ID=ID′,
z′:=e
1(k,c), m′:=cT·(z′)−1,
return m′,
otherwise, return ⊥. [Formula 148]
As described above, the cryptographic system 1 according to Embodiment 2 implements the IBE scheme using IPG, as the cryptographic system 1 according to Embodiment 1 does. Therefore, it is possible to provide security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 2 generates the ciphertext ctID′ using the element Y{circumflex over ( )} which is a generation element converted by the key generation random τj,ι. Therefore, it is possible to provide security from the pairing problem hardness.
The cryptographic system 1 according to Embodiment 2 uses the ID groups GID and G{circumflex over ( )}ID. Accordingly, in cases where the identity ID and the identity ID′ do not coincide, the group GID and the group G{circumflex over ( )}ID do not coincide. As a result, decryption can be disabled.
In the cryptographic system 1 according to Embodiment 2, KeyGen algorithm, Enc algorithm, and Dec algorithm do not use isogeny ϕt. Consequently, KeyGen algorithm, Enc algorithm, and Dec algorithm need not use a hash function H.
KeyGen algorithm, Enc algorithm, and Dec algorithm do not use isogeny ϕt. Accordingly, in step S51 of
In Embodiment 3, an ABE scheme with a small set of attributes will be described.
In Embodiment 3, description on matters that are identical with their counterparts of Embodiment 2 will be omitted, and differences from Embodiment 2 will be described.
In Embodiment 3, description will be made on a key-policy-type ABE (to be referred to as KP-ABE hereinafter) scheme according to which a policy being a decryption condition is set in a decryption key. The KP-ABE scheme can be converted by a method such as Naor conversion to a ciphertext-policy-type ABE (to be referred to CP-ABE hereinafter) scheme according to which a policy is set in a ciphertext.
The KP-ABE scheme comprises Setup algorithm, KeyGen algorithm, Enc algorithm, and Dec algorithm.
Setup algorithm takes as input a security parameter 1λ and outputs public parameters pk and a master secret key msk.
KeyGen algorithm takes as input the public parameters pk, the master secret key msk, and an access structure S:=(M, ρ), and outputs a decryption key skS corresponding to an input tag tag and the access structure S.
Enc algorithm takes as input the public parameters pk, a message m in a message space msg, and a set of attributes, Γ, and outputs a ciphertext ctΓ.
Dec algorithm takes as input the public parameters pk, the decryption key skS for the access structure S, and the ciphertext ctΓ encrypted under the set of attributes, Γ, and outputs either a message m′∈msg or a distinguished symbol ⊥ which indicates that decryption failed.
A configuration of a cryptographic system 1 according to Embodiment 3 will be described referring to
The cryptographic system 1 is provided with a key generation device 10, an encryption device 20, and a decryption device 30. The key generation device 10, the encryption device 20, and the decryption device 30 are connected to each other via a transmission line. A specific example of the transmission line is a local area network (LAN) or the Internet. The key generation device 10, the encryption device 20, and the decryption device 30 can communicate with each other via the transmission line.
The key generation device 10 takes as input a security parameter 1λ and executes Setup algorithm to generate public parameters pk and a master secret key msk. The key generation device 10 also takes as input the public parameters pk, the master secret key msk, and an access structure S:=(M, ρ) and executes KeyGen algorithm to generate a decryption key skS.
The key generation device 10 publishes the public parameters pk and outputs the decryption key skS to the decryption device 30 corresponding to the access structure S. The key generation device 10 keeps the master secret key msk.
The encryption device 20 takes as input the public parameters pk, a message m, and a set of attributes, Γ, and executes Enc algorithm to generate a ciphertext ctΓ. The encryption device 20 outputs the ciphertext ctΓ to the decryption device 30.
The decryption device 30 takes as input the public parameters pk, the decryption key skS, and the ciphertext ctΓ and executes Dec algorithm to generate a message m′ or a distinguished symbol ⊥ which indicates that decryption failed.
An idea employed in the ABE scheme according to Embodiment 2 will be explained.
A span program will be described. As the span program is an existing idea, it will be explained briefly concerning only on a range necessary in the following description.
A span program over a field Fq is a labeled matrix S:=(M, ρ). Note that a matrix M is an (L rows×r columns) matrix over the field Fq. A labeling ρ is a labeling of the rows of the matrix M by an attribute from {(t, v), (t′, v′), . . . }. Note that every row is labeled by one attribute, that is, ρ:{1, . . . , L}→{(t, v), (t′, v′), . . . }.
The span program accepts or rejects an input by the following criterion. Assume that Γ is a set of attributes, that is, Γ={(tj, xj)}1≤j≤d′(xj∈Utj). The span program S accepts the set of attributes, Γ, if and only if 1→ ∈span<(Mi))ρ(i)∈Γ>. Acceptance of the set of attributes, Γ, by the span program S is expressed as R(S, Γ)=1. That is, the span program S accepts the set of attributes, Γ, if and only if a vector whose elements are all 1 is obtained by linear combination of a row (Mi)ρ(i)∈Γ of the matrix M. The span program S will be referred to as access structure.
An operation of the cryptographic system 1 according to Embodiment 3 will be described referring to
Setup algorithm according to Embodiment 3 will be described referring to
(Step S51: IPG Generation Process)
A master key generation unit 14 receives as input the security parameter 1λ and a value d which is the maximum number of the attributes, via an input/output interface 13. The master key generation unit 14 takes as input the received security parameter 1λ and d and executes IPG generation algorithm GenIPG (1λ, d) to generate a master key pair of public parameters pkIPG and a master secret key mskIPG indicated in formula 149.
(Step S52: Secret Information Generation Process)
The master key generation unit 14 generates secret information s0 which is a uniform random.
The master key generation unit 14 generates an element hT by setting the secret information s0 to an element gT of a group GT, as indicated in formula 150.
h
T
:=g
T
s
[Formula 150]
(Step S53: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random τt which is a uniform random, for each integer t of t∈[d].
The master key generation unit 14 generates an element h{circumflex over ( )}t for each integer t of t∈[d] by setting the key generation random τt to an element g{circumflex over ( )}t of a group G{circumflex over ( )}t, as indicated in Formula 151.
ĥ
t
:=ĝ
t
τ
[Formula 151]
The master key generation unit 14 also generates an element ht for each integer t of t∈[d] by setting a reciprocal 1/τt of the key generation random τt to an element gt of a group Gt, as indicated in Formula 152.
h
t
:=g
t
1/τ
[Formula 152]
(Step S54: Master Key Generation Process)
Using the public parameters pkIPG generated in step S51, the element hT generated in step S52, and the element h{circumflex over ( )}t generated in step S53, the master key generation unit 14 generates the public parameters pk:=((Gt, G{circumflex over ( )}t, h{circumflex over ( )}t, et)t∈[d], GT, hT). A key output unit 16 outputs the public parameters pk to the encryption device 20 and the decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the secret information s0 generated in step S52 and the element ht generated in step S53, the master key generation unit 14 generates the master secret key msk:=(s0, (ht)t∈[d]). The master key generation unit 14 writes the generated master secret key msk to a storage device 12.
That is, the master key generation unit 14 generates the master key pair by executing the Setup algorithm indicated in formula 153.
KeyGen algorithm according to Embodiment 3 will be described referring to
(S61: ID Receipt Process)
A decryption key generation unit 15 receives as input the access structure S:=(M, ρ) of a user who uses a decryption key skS, via the input/output interface 13. The access structure S is information indicating a range where decryption by the decryption key skS is possible.
(Step S62: ID Group Assigning Process)
An ID group assigning unit 17 takes a direct product of the group Gt where t=ρ(i) for each integer i of i∈[L], as an ID group GID. Out of the elements ht included in the master secret key msk, the ID group assigning unit 17 generates, as an element hID, a set of those elements ht that are included in the ID group GID. More specifically, the ID group assigning unit 17 generates the element hID, as indicated in formula 154.
h
ID:=(ht)∈ID [Formula 154]
(Step S63: Distributed Information Generation Process)
The decryption key generation unit 15 generates distributed information s→, as indicated in formula 155.
{right arrow over (1)}·{right arrow over (u)}=s0,
s
i
:=M
i
·{right arrow over (u)} for i∈[L],
{right arrow over (s)}:=(si)i∈[L] [Formula 155]
(Step 64: Key Element Generation Process)
The decryption key generation unit 15 generates a key element k:={ki} by setting the distributed information s→ generated in step S63 to the element hID generated in step S62, as indicated in Formula 156.
for i∈[L]
t:=ρ(i),
k
i
:=h
t
s
[Formula 156]
(Step S65: Key Output Process)
The key output unit 16 outputs the decryption key skS including the access structure S received in step S61 and the key element k:={ki} generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the decryption key skS by executing the KeyGen algorithm indicated in formula 157.
ID := Πi∈[L]t = ρ(i),
Enc algorithm according to Embodiment 3 will be described referring to
A process of step S73 is the same as that of Embodiment 2.
(Step S71: Acquisition Process)
An acquisition unit 24 acquires, via an input/output interface 23, the public parameters pk generated by the key generation device 10. The acquisition unit 24 also receives as input the message m being an encryption target and the set of attributes, Γ, being a decryption condition.
(Step S72: ID Group Assigning Process)
An ID group assigning unit 27 takes a direct product of the group G{circumflex over ( )}t for each integer t of t∈Γ, as G{circumflex over ( )}ID. Out of elements h{circumflex over ( )}t included in the public parameters pk, the ID group assigning unit 17 generates, as an element h{circumflex over ( )}ID, set of those elements h{circumflex over ( )}t that are included in the ID group G{circumflex over ( )}ID. More specifically, the ID group assigning unit 17 generates the element h{circumflex over ( )}ID, as indicated in formula 158.
ĥ
ID:=(ĥt)∈ID [Formula 158]
(Step S74: Ciphertext Output Process)
A ciphertext output unit 26 outputs the ciphertext ctΓ having, as cipher elements, the set of attributes, Γ, received in step S71 and cipher elements cT and c:={ct:=h{circumflex over ( )}tζ} generated in step S73, to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctΓ by executing the Enc algorithm indicated in formula 159.
Dec algorithm according to Embodiment 3 will be described referring to
Processes of step S44 and step S45 are the same as those in Embodiment 2.
(Step S41: Acquisition Process)
An acquisition unit 34 acquires, via an input/output interface 33, the public parameters pk and the decryption key skS which are generated by the key generation device 10, and the ciphertext ctΓ generated by the encryption device 20.
(Step S411: Decryption Key Acquisition Process)
A decryption key acquisition unit 341 acquires, via the input/output interface 33, the public parameters pk and the decryption key skS which are generated by the key generation device 10. The decryption key skS includes the key element k:={ki} in which the distributed information s→ is set to the element hID. That is, the decryption key skS includes the key element k which is an element of the group Gt converted by the key generation random τt, as with Embodiment 2.
(Step S412: Ciphertext Acquisition Process)
A ciphertext acquisition unit 342 acquires the ciphertext ctΓ generated by the encryption device 20. The ciphertext ctΓ includes the cipher element cT and the cipher element c:={ct}. In the cipher element cT, the message m is set to conversion information z in which an encryption random ζ is set to an element X which is the generator hT of the group GT. In the cipher element c, the encryption random ζ is set to the element h{circumflex over ( )}ID which is an element Y{circumflex over ( )} being converted from the generator g{circumflex over ( )}t of the group G{circumflex over ( )}t by the key generation random τt.
(Step S42: Decryption Determination Process)
A decryption unit 35 determines whether or not the access structure S included in the decryption key skS received in step S41 accepts the set of attributes, Γ, included in the ciphertext ctΓ. Hence, whether the ciphertext ctΓ can be decrypted by the decryption key skS is determined.
If it is determined to accept the set of attributes, Γ, that is, if it is determined that decryption is possible, the decryption unit 35 advances the processing to step S43. If not, the decryption unit 35 advances the processing to step S45.
(Step S43: Decryption Process)
The decryption unit 35 generates the message m′ by decrypting the ciphertext ctΓ by the decryption key skS received in step S41.
The decryption process includes processes of step S431 and step S432.
(Step S431: Conversion Information Generation Process)
A conversion information generation unit 351 calculates a complementary coefficient σi indicated in formula 160.
{σi}ρ(i)∈Γ such that {right arrow over (1)}=Σρ(i)∈ΓσiMi
where Mi is the i-th row of M [Formula 160]
The conversion information generation unit 351 generates conversion information z′ using the complementary coefficient σi, the element k included in the decryption key skS, and the cipher element c included in the ciphertext ctΓ, as indicated in formula 161.
z′:=Π
t:=ρ(i)∈Γ
e
t(ki,ct)σ
Since formula 162 holds, if the decryption key skS can decrypt the ciphertext ctΓ, then the conversion information z′ and the conversion information z are identical.
(Step S432: Message Generation Process)
A message generation unit 352 generates the message m′ using the conversion information z′ generated in step S431 and the cipher element cT included in the ciphertext ctΓ, as indicated in formula 163.
m′:=c
T·(z′)−1[Formula 163]
That is, the decryption device 30 executes the Dec algorithm indicated in formula 164 to decrypt a ciphertext ctID′ by a decryption key skID.
As described above, the cryptographic system 1 according to Embodiment 3 implements the ABE scheme using IPG. Therefore, it is possible to indicate security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 3 generates the ciphertext ctΓ using the element Y{circumflex over ( )} which is a generation element converted by the key generation random τt. Therefore, it is possible to indicate security from the pairing problem hardness.
In Embodiment 4, an ABE scheme with a large set of attributes will be described.
In Embodiment 4, description on matters that are identical with their counterparts of Embodiment 3 will be omitted, and differences from Embodiment 3 will be described.
In Embodiment 3, the attribute t is included in the set of attributes, Γ. In Embodiment 4, a category t of attribute and an attribute about the category t, xt:=(xt,j) ∈{0, 1}n, are included in a set of attributes, Γ.
In the following description, when xt is expressed as a subscript, this xt signifies xt. When vi is expressed as a subscript, this vi signifies v1.
An operation of a cryptographic system 1 according to Embodiment 4 will be described referring to
Setup algorithm according to Embodiment 4 will be described referring to
(Step S51: IPG Generation Process)
A master key generation unit 14 receives as input a security parameter 1λ, a value d which is the maximum number of attributes, and a value n representing the number of bits of each category t via an input/output interface 13. The master key generation unit 14 takes as input the received security parameter 1λ, d, and n and executes IPG generation algorithm GenIPG (1λ, d, n) to generate a master key pair of public parameters pkIPG and a master secret key mskIPG indicated in formula 165.
(Step S52: Secret Information Generation Process)
The master key generation unit 14 generates secret information s0 which is a uniform random.
The master key generation unit 14 generates an element hT by setting the secret information s0 to an element gT of a group GT, as indicated in formula 166.
h
T
:=g
T
s
[Formula 166]
(Step S53: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random τt,j,ι which is a uniform random, for each integer t, each integer j, and each integer ι of t∈[d],j∈[n], and ι∈[0, 1], respectively.
The master key generation unit 14 generates an element h{circumflex over ( )}t,j,ι for each integer t, each integer j, and each integer ι of t∈[d], j∈[n], and t∈[0, 1], respectively, by setting the key generation random τt,j,ι to an element g{circumflex over ( )}t,j,ι of a group G{circumflex over ( )}t,j,ι, as indicated in Formula 167.
ĥ
t,j,ι
:=ĝ
t,j,ι
τ
[Formula 167]
The master key generation unit 14 also generates an element ht,j,ι for each integer t, each integer j, and each integer ι of t∈[d], j∈[n], and ι∈[0, 1], respectively, by setting a reciprocal 1/τt,j,ι of the key generation random τt,j,ι to an element gt,j,ι of a group Gt,j,ι, as indicated in Formula 168.
h
t,j,ι
:=g
t,j,ι
1/τ
[Formula 168]
(Step S54: Master Key Generation Process)
Using the public parameters pkIPG generated in step S51, the element hT generated in step S52, and the element h{circumflex over ( )}t,j,ι generated in step S53, the master key generation unit 14 generates public parameters pk:=((Gt,j,ι, G{circumflex over ( )}t,j,ι, h{circumflex over ( )}t,j,ι, et,j,ι)t∈[d],j∈[n],ι∈[0,1], GT, hT). A key output unit 16 outputs the public parameters pk to an encryption device 20 and a decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the secret information s0 generated in step S52 and the element ht,j,ι generated in step S53, the master key generation unit 14 generates a master secret key msk:=(s0, (ht,j,ι)t∈[d],j∈[n],ι∈[0,1]). The master key generation unit 14 writes the generated master secret key msk to a storage device 12.
That is, the master key generation unit 14 generates the master key pair by executing the Setup algorithm indicated in formula 169.
KeyGen algorithm according to Embodiment 4 will be described referring to
A process of step S61 is the same as that of Embodiment 3.
(Step S62: ID Group Assigning Process)
For each integer i of i∈[L], when ρ(i)=(t, vi:=(vi,j)∈{0, 1}n), an ID group assigning unit 17 takes, as an ID group Gt,vi, a direct product of a group Gt,j,vi for each integer j of j=1, . . . , n. Note that the ID group Gt,vi is a t-th basis group. That is, the ID group assigning unit 17 generates the ID group Gt,vi, as indicated in formula 170.
for i∈[L]
if ρ(i)=(t,vi:=(vi,j)∈{0,1}n
t,v
:=t,1,v
Out of elements ht,j,ι included in the master secret key msk, the ID group assigning unit 17 generates, as an element ht,vi, a set of those elements ht,j,ι that are included in the ID group Gt,vi. More specifically, the ID group assigning unit 17 generates the element ht,vi, as indicated in formula 171.
h
t,v
:=(ht,j,v
(Step S63: Distributed Information Generation Process)
A decryption key generation unit 15 generates distributed information s→i for each integer i of i∈[L], as indicated in formula 172.
{right arrow over (1)}·{right arrow over (u)}=s0,
s
i
:=M
i
·{right arrow over (u)} for i∈[L],
{right arrow over (s)}:=(si,j)j∈[n]∈qn such that si=Σj=1nsi,j [Formula 172]
(Step 64: Key Element Generation Process)
The decryption key generation unit 15 generates a key element ki by setting the distributed information s→i generated in step S63 to the element ht,vi generated in step S62, as indicated in Formula 173.
for i∈[L]
if ρ(i)=(t,vi:=(vi,j)∈{0,1}n
k
i
:=h
t,v
{right arrow over (s)}
[Formula 173]
(Step S65: Key Output Process)
The key output unit 16 outputs a decryption key skS including an access structure S received in step S61 and a key element k:={ki} generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the decryption key skS by executing the KeyGen algorithm indicated in formula 174.
Enc algorithm according to Embodiment 4 will be described referring to
Processes of step S73 and step S74 are the same as those of Embodiment 2.
(Step S71: Acquisition Process)
An acquisition unit 24 acquires, via an input/output interface 23, the public parameters pk generated by a key generation device 10. The acquisition unit 24 also receives as input a message m being an encryption target and a set of attributes, Γ, being a decryption condition.
(Step S72: ID Group Assigning Process)
An ID group assigning unit 27 takes a direct product of a group G{circumflex over ( )}t,j,xt of each integer j of j=1, . . . , n for each integer t of (t, xt:=(xt,j)∈{0, 1}n)∈Γ, as an ID group G{circumflex over ( )}t,xt. That is, the ID group assigning unit 27 generates the ID group G{circumflex over ( )}t,xt, as indicated in formula 175.
for (t,xt:=(xt,j)∈{0,1}n)∈Γ
t,x
:=t,1,x
Out of elements h{circumflex over ( )}t,j,xt included in the public parameters pk, the ID group assigning unit 17 generates, as an element h{circumflex over ( )}t,xt, a set of those elements h{circumflex over ( )}t,j,tx that are included in the ID group G{circumflex over ( )}t,xt. More specifically, the ID group assigning unit 17 generates the element h{circumflex over ( )}t,xt, as indicated in formula 176.
ĥ
t,x
:=(ĥt,j,x
(Step S73: Ciphertext Generation Process)
A ciphertext generation unit 25 generates elements of a ciphertext ctΓ using the public parameters pk acquired in step S71 and the element h{circumflex over ( )}t,xt generated in step S72. The ciphertext generation unit 25 generates the elements of the ciphertext ctΓ using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of the group G{circumflex over ( )}t,xt. The element X refers to the element hT included in the public parameters pk. The element Y{circumflex over ( )} refers to the element h{circumflex over ( )}t,xt generated in step S72.
The ciphertext generation process includes processes of step S731 to step S733.
(Step S731: Conversion Information Generation Process)
A conversion information generation unit 251 generates an encryption random ζ which is a uniform random.
Using the element hT and the encryption random ζ, the conversion information generation 251 generates conversion information z, as indicated in formula 177.
z:=h
T
ζ [Formula 177]
(Step S732: First Cipher Element Generation Process)
A first cipher element generation unit 252 generates a cipher element cT which is an element of the ciphertext ctδ by setting the message m to the conversion information z generated in step S731, as indicated in formula 178.
c
T
:=z·m [Formula 178]
(Step S73: Second Cipher Element Generation Process)
A second cipher element generation unit 253 generates, for each integer t of (t, xt:=(xt,j)∈{0, 1}n)∈Γ, a cipher element ct which is an element of the ciphertext ctΓ by setting the encryption random ζ to the element h{circumflex over ( )}t,xt which is the element Y{circumflex over ( )}, as indicated in formula 179.
c
t
:=ĥ
t,x
ζ∈t,x
(Step S74: Ciphertext Output Process)
A ciphertext output unit 26 outputs the ciphertext ctΓ having, as cipher elements, the set of attributes, Γ, received in step S71 and cipher elements cT and c:={ct}t∈Γ generated in step S73, to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctΓ by executing the Enc algorithm indicated in formula 180.
Dec algorithm according to Embodiment 4 will be described referring to
Processes of step S41 and step S42 and processes of step S44 and step S45 are the same as those in Embodiment 3.
Note that the decryption key skS includes the key element k in which distributed information s→ is set to the element ht,vi. That is, the decryption key skS includes the key element k:={ki} which is an element of the group Gt,vi converted by the key generation random τt,j,t, as in Embodiment 3.
The ciphertext ctΓ includes the cipher element cT and the cipher element c. In the cipher element cT, the message m is set to the conversion information z in which the encryption random ζ is set to the element X which is the generator hT of the group GT. In the cipher element c, the encryption random ζ is set to the element ht,xt which is the element Y{circumflex over ( )} being converted from the generator g{circumflex over ( )}t,j,ι of the group G{circumflex over ( )}t,xt by the key generation random τt,j,ι.
(Step S43: Decryption Process)
A decryption unit 35 generates a message m′ by decrypting the ciphertext ctΓ by the decryption key skS received in step S41.
The decryption process includes processes of step S431 and step S432. (Step S431: Conversion Information Generation Process)
A conversion information generation unit 351 calculates a complementary coefficient σi indicated in formula 181.
{σi}ρ(i)∈Γ such that {right arrow over (1)}=Σρ(i)∈ΓσiMi
where Mi is the i-th row of M
The conversion information generation unit 351 generates conversion information z′ using the complementary coefficient σi, the element k:={ki} included in the decryption key skS, and the cipher element c:={ct} included in the ciphertext ctΓ, as indicated in formula 182.
z′:=Π
ρ(i)=(t,v
)∈Γ
e
t,v
(ki,ct)σi [Formula 182]
Since formula 183 holds, if the decryption key skS can decrypt the ciphertext ctΓ, then the conversion information z′ and the conversion information z are identical.
(Step S432: Message Generation Process)
A message generation unit 352 generates the message m′ using the conversion information z′ generated in step S431 and the cipher element cT included in the ciphertext ctΓ, as indicated in formula 184.
m′:=c
T·(z′)−1 [Formula 184]
That is, the decryption device 30 executes the Dec algorithm indicated in formula 185 to decrypt a ciphertext ctID′ by a decryption key skID.
As described above, the cryptographic system 1 according to Embodiment 4 implements the ABE scheme using IPG. Therefore, it is possible to indicate security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 4 generates the ciphertext ctΓ using the element Y{circumflex over ( )} which is a generation element converted by the key generation random τt,j,ι. Therefore, it is possible to indicate security from the pairing problem hardness.
In Embodiment 5, hierarchical IBE (to be referred to as HIBE hereinafter) based on the IBE scheme described in Embodiment 2 will be described.
In Embodiment 5, description on matters that are identical with their counterparts of Embodiment 2 will be omitted, and differences from Embodiment 2 will be described.
In Embodiment 5, 1-bit HIBE will be described first, and thereafter n (n≥1)-bit HIBE to which 1-bit HIBE is applied will be described.
The HIBE scheme comprises Setup algorithm, KeyGen algorithm, Enc algorithm, Dec algorithm, and Delegate algorithm.
Setup algorithm takes as input a security parameter 1λ and outputs public parameters pk and a master secret key msk.
KeyGen algorithm takes as input the public parameters pk, the master secret key msk, and an identity ID, and outputs a decryption key skID corresponding to the identity ID.
Enc algorithm takes as input the public parameters pk, a message m in a message space msg, and an identity ID′, and outputs a ciphertext ctID′.
Dec algorithm takes as input the public parameters pk, the decryption key skID for the identity ID, and the ciphertext ctID′ encrypted under the identity ID′, and outputs either a message m′∈msg or a distinguished symbol ⊥ which indicates that decryption failed.
Delegate algorithm takes as input the public parameters pk, a secret key skID for a hierarchical identity ID of a length L, and (L+1)th IDL+1, and outputs either a secret key skID′ for a hierarchical identity ID′:=(ID, IDL+1) of a length (L+1) or a distinguished symbol ⊥ which indicates that key generation failed.
A configuration of a cryptographic system 1 according to Embodiment 5 will be described referring to
The cryptographic system 1 is provided with a key generation device 10, an encryption device 20, a decryption device 30, and a key delegation device 40. The key generation device 10, the encryption device 20, the decryption device 30, and the key delegation device 40 are connected to each other via a transmission line.
The key delegation device 40 takes as input public parameters pk, a secret key skID for a hierarchical identity ID of a length L, and (L+1)th IDL+1, and executes Delegate algorithm to generate either a secret key skID for a hierarchical identity ID′:=(ID, IDL+1) of a length (L+1) or a distinguished symbol ⊥ which indicates that key generation failed.
A configuration of the key delegation device 40 according to Embodiment 5 will be described referring to
The key delegation device 40 is provided with hardware devices which are a processor 41, a storage device 42, and an input/output interface 43. The processor 41 is connected to the other hardware devices via signal lines and controls these other hardware devices.
The key delegation device 40 is provided with an acquisition unit 44, an ID group assigning unit 45, a low-level key generation unit 46, and a low-level key output unit 47, as function configuration elements. Functions of the acquisition unit 44, ID group assigning unit 45, low-level key generation unit 46, and low-level key output unit 47 are implemented by software.
A program that implements the functions of the individual units of the key delegation device 40 is stored in the storage device 42. This program is read by the processor 41 and executed by the processor 41. Thus, the functions of the individual units of the key delegation device 40 are implemented.
An operation of the cryptographic system 1 according to Embodiment 5 will be described referring to
Note that Dec algorithm is the same as that of Embodiment 2 and accordingly its description will be omitted.
First, 1-bit HIBE will be described.
In the following description, when IDt is expressed as a subscript, this IDt signifies IDt. When ID′t is expressed as a subscript, this ID′t signifies ID′i.
Setup algorithm according to Embodiment 5 will be described referring to
(Step S51: IPG Generation Process)
A master key generation unit 14 receives as input a security parameter 1λ and a value d≥2, which is a hierarchical number. The master key generation unit 14 takes as input the received security parameter 1λ and 2d and executes IPG generation algorithm GenIPG (1λ, 2d) to generate a master key pair of public parameters pkIPG and a master secret key mskIPG indicated in formula 186.
(Step S52: Secret Information Generation Process)
The master key generation unit 14 generates secret information s0 which is a uniform random.
The master key generation unit 14 generates an element hT by setting the secret information s0 to an element gT of a group GT, as indicated in formula 187.
h
T
:=g
T
s
[Formula 187]
(Step S53: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random τt,ι which is a uniform random, for each integer ι of ι∈[d] and each integer ι of ι∈[0, 1].
The master key generation unit 14 generates an element h{circumflex over ( )}t,ι for each integer t of t∈[d] and each integer ι of ι∈[0, 1] by setting a key generation random τt,ι to an element g{circumflex over ( )}t,ι of a group G{circumflex over ( )}t,ι as indicated in Formula 188.
ĥ
t,ι
:=ĝ
t,ι
τ
[Formula 188]
The master key generation unit 14 also generates an element ht,ι for each integer t of t∈[d] and each integer ι of ι∈[0, 1] by setting a key generation random τt,ι to an element gt,ι of a group Gt,ι, as indicated in Formula 189.
h
t,ι
:=g
t,ι
1/τ
[Formula 189]
(Step S54: Master Key Generation Process)
Using the public parameters pkIPG generated in step S51, the element hT generated in step S52, and the element h{circumflex over ( )}t,t and the element ht,ι generated in step S53, the master key generation unit 14 generates public parameters pk:=((Gt,ι, G{circumflex over ( )}t,ι, ht,ι, h{circumflex over ( )}t,ι, et,ι)t∈[d],ι∈[0,1], GT, hT). The key output unit 16 outputs the public parameters pk to the encryption device 20 and the decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the secret information s0 generated in step S52, the master key generation unit 14 generates a master secret key msk:=s0. The master key generation unit 14 writes the generated master secret key msk to a storage device 12.
That is, the master key generation unit 14 generates the master key pair by executing the Setup algorithm indicated in formula 190.
KeyGen algorithm according to Embodiment 5 will be described referring to
(S61: ID Receipt Process)
A decryption key generation unit 15 receives as input the identity ID of a user who uses the decryption key skID, via the input/output interface 13. The identity ID is inputted by, for example, a user of the key generation device 10 via an input device.
Assume that in this case identity ID:=(IDt)t∈[L]. Note that L<d. Also, each IDt is 0 or 1.
(Step S62: ID Group Assigning Process)
An ID group assigning unit 17 assigns ID, for each integer t of t∈[L] to the group Gt,IDt. The ID group assigning unit 17 takes a direct product of a group Gt,IDt for each integer t of t∈[L] as an ID group GID. Namely, the ID group assigning unit 17 generates the ID group GID, as indicated in formula 191.
ID:=1,ID
The ID group assigning unit 17 generates an element hID, as indicated in formula 192.
h
ID:=(ht,ID
(Step S63: Distributed Information Generation Process) The decryption key generation unit 15 generates distributed information s→, as indicated in formula 193. The distributed information s→ is information in which the secret information s0 is distributed.
{right arrow over (s)}:=(st)t∈[L]∈qL such that s0=Σt=1Lst [Formula 193]
(Step 64: Key Element Generation Process)
The decryption key generation unit 15 generates a key element k by setting the distributed information s→ generated in step S63 to the element hID generated in step S62, as indicated in Formula 194.
k:=h
ID
{right arrow over (s)} [Formula 194]
(Step S65: Key Output Process)
A key output unit 16 outputs the decryption key skID including the identity ID received in step S61 and the key element k generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the decryption key skID by executing the KeyGen algorithm indicated in formula 195.
ID := 1,ID
Enc algorithm according to Embodiment 5 will be described referring to
(Step S71: Acquisition Process)
An acquisition unit 24 acquires, via an input/output interface 23, the public parameters pk generated by the key generation device 10. The acquisition unit 24 also receives as input a message m being an encryption target and the identity ID′ being a decryption condition. The message m and the identity ID′ are inputted by, for example, a user of the encryption device 20 via the input device.
Assume that identity ID′:=(ID′t)t∈[L]. Note that L<d. Also, each IDt is 0 or 1.
(Step S72: ID Group Assigning Process)
An ID group assigning unit 27 assigns ID′t for each integer t of t∈[L] to a group G{circumflex over ( )}t,IDt. The ID group assigning unit 27 takes a direct product of a group G{circumflex over ( )}t,ID′t for each integer t of t∈[L] as an ID group G{circumflex over ( )}ID. Namely, the ID group assigning unit 27 generates the ID group G{circumflex over ( )}ID, as indicated in formula 196.
ID:=1,ID′
The ID group assigning unit 27 generates an element h{circumflex over ( )}ID, as indicated in formula 197.
ĥ
ID:=(ĥL,ID′
(Step S73: Ciphertext Generation Process)
A ciphertext generation unit 25 generates elements of a ciphertext ctID′ using the public parameters pk acquired in step S71 and the element h{circumflex over ( )}ID generated in step S72. The ciphertext generation unit 25 generates the elements of the ciphertext ctID′ using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of a group G{circumflex over ( )}t. The element X refers to the element hT included in the public parameters pk. The element Y{circumflex over ( )} refers to the element h{circumflex over ( )}ID generated in step S72.
The ciphertext generation process includes processes of step S731 to step S733.
(Step S731: Conversion Information Generation Process)
A conversion information generation unit 251 generates an encryption random ζ0 which is a uniform random.
Using the element hT and the encryption random ζ, the conversion information generation 251 generates conversion information z, as indicated in formula 198.
z:=h
T
ζ [Formula 198]
(Step S732: First Cipher Element Generation Process)
A first cipher element generation unit 252 generates a cipher element cT which is an element of the ciphertext ctID′ by setting the message m to the conversion information z generated in step S731, as indicated in formula 199.
c
T
:=z·m [Formula 199]
(Step S733: Second Cipher Element Generation Process)
A second cipher element generation unit 253 generates a cipher element c which is an element of the ciphertext ctID′ by setting the encryption random ζ to the element h{circumflex over ( )}ID which is the element Y{circumflex over ( )}, as indicated in formula 200.
c:=ĥ
ID
ζ [Formula 200]
(Step S74: Ciphertext Output Process)
A ciphertext output unit 26 outputs the ciphertext ctID′ having, as cipher elements, the identity ID′ received in step S71 and the cipher elements cT and c generated in step S73, to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctID′ by executing the Enc algorithm indicated in formula 201.
Delegate algorithm according to Embodiment 5 will be described referring to
Delegate algorithm is executed by the key delegation device 40.
(Step S81: Acquisition Process)
The acquisition unit 44 acquires, via the input/output interface 43, the public parameters pk generated by the key generation device 10 and the decryption key skID:=k for which a low-level key is to be generated. The acquisition unit 44 also receives as input an identity IDL+1∈{0, 1} of a user who uses a low-level decryption key skID* of the decryption key skID, via the input/output interface 43.
(Step S82: ID Group Assigning Process)
The ID group assigning unit 45 takes ID*:=(ID, IDL+1). The ID group assigning unit 45 also generates an ID group GID*, as indicated in formula 202.
ID*:=ID×L+1,ID
The ID group assigning unit 45 generates an element k+ and an element hID*, as indicated in formula 203.
k
ID
+:=(kID,1),
h
ID*:=(ht,ID
(Step S83: Distributed Information Generation Process)
The low-level key generation unit 46 generates distributed information Σ→′, as indicated in formula 204.
(Step 84: Key Element Generation Process)
The low-level key generation unit 46 generates a key element kID* by setting the distributed information Σ→′ generated in step S83 to the element hID* generated in step S82, as indicated in Formula 205.
k
ID*
:=k
ID
+
·h
ID*
{right arrow over (Σ)}′∈ID* [Formula 205]
(Step S85: Key Output Process)
The low-level key output unit 47 outputs the low-level decryption key skID* including the identity ID* and the key element kID* which is generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the low-level decryption key skID* by executing the Delegate algorithm indicated in formula 206.
Description will be made on n (n≥1)-bit HIBE to which 1-bit HIBE described above is applied.
The n-bit HIBE scheme is configured using 1-bit HIBE Setup algorithm, 1-bit HIBE KeyGen algorithm, 1-bit HIBE Enc algorithm, 1-bit HIBE Dec algorithm, and 1-bit HIBE Delegate algorithm.
In describing the n-bit HIBE scheme, 1-bit HIBE Setup algorithm, 1-bit HIBE KeyGen algorithm, 1-bit HIBE Enc algorithm, 1-bit HIBE Dec algorithm, and 1-bit HIBE Delegate algorithm which are mentioned above will be referred to as obHIBE_Setup, obHIBE_KeyGen, obHIBE_Enc, obHIBE_Dec, and obHIBE_Delegate, respectively.
In contrast, n-bit HIBE Setup algorithm, n-bit HIBE KeyGen algorithm, n-bit HIBE Enc algorithm, n-bit HIBE Dec algorithm, and n-bit HIBE Delegate algorithm will be referred to as nbHIBE_Setup, nbHIBE_KeyGen, nbHIBE_Enc, nbHIBE_Dec, and nbHIBE_Delegate, respectively.
Description will be made on nbHIBE_Setup.
The master key generation unit 14 receives as input the security parameter 1λ, the value d which is a hierarchical number, and the value n which is a bit number. The master key generation unit 14 takes as input the security parameter 1λ and a value d×n and executes obHIBE_Setup to generate public parameters pkob and a master secret key mskob. The master key generation unit 14 takes the public parameters pkob as public parameters pk of the n-bit HIGE scheme and the master secret key mskob as a master secret key msk of the n-bit HIBE scheme.
That is, master key generation unit 14 generates a master key pair by executing nbHIBE_Setup indicated in Formula 207.
Description will be made on nbHIBE_KeyGen.
The decryption key generation unit 15 receives as input the identity ID of a user who uses the decryption key skID via the input/output interface 13. Assume that identity ID:=(IDt:=(IDt,j))t∈[L],j∈[n]. Note that L<d. Also, each IDt,j is 0 or 1.
ID{circumflex over ( )}:=(IDt,j)t∈[L],j∈[n] is treated as a hierarchical 1-bit identity having a hierarchical number Ln. The decryption key generation unit 15 takes as input the public parameters pk and the master secret key msk which are generated by nbHIBE_Setup, and the identity ID{circumflex over ( )}, and executes obHIBE_KeyGen to generate the decryption key skID.
Namely, the decryption key generation unit 15 generates the decryption key skID by executing obHIBE_KeyGen indicated in formula 208.
Description will be made on nbHIBE_Enc.
The acquisition unit 24 acquires the public parameters pk via an input/output interface 23. The acquisition unit 24 also receives as input the message m being an encryption target and the identity ID′ being a decryption condition. Assume that the identity ID′:=(ID′t:=(ID′t,j))t∈[L],j∈[n].
ID′*:=(ID′t,j)t∈[L],j∈[n] is treated as a hierarchical 1-bit identity having a hierarchical number Ln. The ciphertext generation unit 25 and the ID group assigning unit 27 take as input the public parameters pk, the message m, and the identity ID′* and execute obHIBE_Enc to generate the ciphertext ctID′.
That is, the encryption device 20 generates the ciphertext ctID′ by executing the nbHIBE_Enc indicated in formula 209.
nbHIBE_Enc(pk,m∈T,ID′:=(ID′t:=(ID′t,j)t∈[L],j∈[n]):
return ctID:=obHIBE_Enc(pk,m∈T,
ID{circumflex over ( )}′:=(IDt{circumflex over ( )}′:=(IDt,j{circumflex over ( )}′)t∈[L],j∈[n]). [Formula 209]
Description will be made on nbHIBE_Dec.
An acquisition unit 34 acquires the public parameters pk, the decryption key skID, and the ciphertext ctID′ via the input/output interface 33.
A decryption unit 35 takes as input the public parameters pk, the decryption key skID* obtained by replacing ID in the decryption key skID by ID*, and the ciphertext ctID′* obtained by replacing ID′ of the ciphertext ctID′ by ID′*, and executes obHIBE_Dec to generate the message m′.
That is, the decryption device 30 executes nbHIBE_Dec indicated in formula 210 to decrypt the ciphertext ctID′ by the decryption key skID.
nbHIBE_Dec(pk,skID,ctID):
return obHIBE_Dec(pk,skID{circumflex over ( )},ctID{circumflex over ( )}). [Formula 210]
Description will be made on nbHIBE_Delegate.
The acquisition unit 44 acquires the public parameters pk and the decryption key skID via the input/output interface 43. The acquisition unit 44 also receives as input the identity IDL+1∈{0, 1}n via the input/output interface 43. The ID group assigning unit 45 and the low-level key generation unit 46 take the identity IDL+1 as (IDL+1,j)j∈[n] and the decryption key skID as sk0. For each integer j of j∈[n], the ID group assigning unit 45 and the low-level key generation unit 46 take as input the public parameters pk, a decryption key skj−1, and an identity IDL+1,j and execute obHIBE_Delegate to generate a decryption key skj. The low-level key output unit 47 then outputs a decryption key skn as a low-level decryption key skID′.
That is, the decryption key generation unit 15 generates the low-level decryption key skID′ by executing the nbHIBE_Delegate indicated in formula 211.
As described above, the cryptographic system 1 according to Embodiment 5 implements the HIBE scheme using IPG. Therefore, it is possible to indicate security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 5 generates a ciphertext ctΓ using the element Y{circumflex over ( )} which is a generation element converted by a key generation random τt,ι. Therefore, it is possible to indicate security from the pairing problem hardness.
In Embodiment 6, high-security Boneh-Boyen type 1-bit HIBE will be described.
In Embodiment 6, description on matters that are identical with their counterparts of Embodiment 5 will be omitted, and differences from Embodiment 5 will be described.
An operation of a cryptographic system 1 according to Embodiment 6 will be described referring to
Setup algorithm according to Embodiment 6 will be described referring to
(Step S51: IPG Generation Process)
A master key generation unit 14 receives as input a security parameter 1λ and a value d≥2, which is a hierarchical number, via an input/output interface 13. The master key generation unit 14 takes as input the received security parameter 1λ and 4d and executes IPG generation algorithm GenIPG(1λ, 4d) to generate a master key pair of public parameters pkIPG and a master secret key mskIPG indicated in formula 212.
(Step S52: Secret Information Generation Process)
The master key generation unit 14 generates secret information π and secret information τ which are uniform randoms.
The master key generation unit 14 generates an element hT by setting the secret information π and the secret information τ to an element gT of a group GT, as indicated in formula 213.
h
T
:=g
T
πτ [Formula 213]
The master key generation unit 14 also generates an element fLt,ι, an element fRt,ι, and an element uLι, for each integer t of t∈[d] and each integer ι of ι∈[0, 1] using the secret information π and the secret information τ, as indicated in formula 214.
f
t,ι
L:=(gt,ιL)π,
{circumflex over (f)}
t,ι
R:=(ĝt,ιR)π,
u
ι
L:=(g1,ιL)πτ,[Formula 214]
(Step S53: Key Generation Random Generation Process)
The master key generation unit 14 generates a key generation random σt,ι which is a uniform random, for each integer t of t∈[d] and each integer ι of ι∈[0, 1].
The master key generation unit 14 generates an element h{circumflex over ( )}Rt,ι for each integer t of t∈[d] and each integer ι of ι∈[0, 1] by setting the key generation random σt,ι to an element g{circumflex over ( )}Rt,ι of a group G{circumflex over ( )}Rt,ι, as indicated in formula 215.
ĥ
t,ι
R:=(ĝt,ιR)σ
The master key generation unit 14 also generates an element hLt,ι for each integer t of t∈[d] and each integer ι of ι∈[0, 1] by setting the key generation random σt,ι to an element gLt,ι of a group GLt,ι, as indicated in formula 216.
h
t,ι
L:=(gt,ιL)σ
(Step S54: Master Key Generation Process)
Using the public parameters pkIPG generated in step S51; the element hT, element fLt,ι, element f{circumflex over ( )}Rt,ι, and element uLι generated in step S52; and the element h{circumflex over ( )}Rt,ι and element hLt,ι generated in step S53, the master key generation unit 14 generates public parameters pk:=(((GLt,ι, G{circumflex over ( )}Lt,ι, fLt,ι, g{circumflex over ( )}Lt,ι, eLt,ι), (GRt,ι, G{circumflex over ( )}Rt,ι, gRt, f{circumflex over ( )}Rt,ι, h{circumflex over ( )}Rt,ι, ι, eRt,ι))t∈[d],ι∈[0,1], GT, hT). A key output unit 16 outputs the public parameters pk to an encryption device 20 and a decryption device 30 by outputting the public parameters pk to an external public server or the like via the input/output interface 13.
Using the element uLι generated in step S52, the master key generation unit 14 generates a master secret key msk:=(uLι)ι∈[0,1]. The master key generation unit 14 also writes the generated master secret key msk to a storage device 12.
That is, the master key generation unit 14 generates master key pair by executing the Setup algorithm indicated in formula 217.
KeyGen algorithm according to Embodiment 6 will be described referring to
(S61: ID Receipt Process)
The decryption key generation unit 15 receives as input an identity ID of a user who uses a decryption key skID, via the input/output interface 13. The identity ID is inputted by, for example, a user of the key generation device 10 via an input device.
Assume that identity ID:=(IDt)t∈[L]. Note that L<d. Also, each IDt is 0 or 1.
(Step S62: ID Group Assigning Process)
An ID group assigning unit 17 assigns IDt for each integer t of t∈[L] to a group GLt,IDt and a group GRt,IDt. The ID group assigning unit 17 takes a direct product of the group GLt,IDt for each integer t of t∈[L] as an ID group GLID, and a direct product of the group GRt,IDt for each integer t of t∈[L] as an ID group GRID. Namely, the ID group assigning unit 17 generates the ID group GLID and the ID group GRID, as indicated in formula 218.
ID
L:=1,ID
ID
R:=1,ID
The ID group assigning unit 17 generates an element gLID, an element fLID, an element hLID, and an element gRID, as indicated in formula 219.
g
ID
L:=(gt,ID
f
ID
L:=(ft,ID
h
ID
L:=(ht,ID
g
ID
R:=(gt,ID
(Step S63: Distributed Information Generation Process)
A decryption key generation unit 15 generates distributed information τ→, as indicated in formula 220.
(Step 64: Key Element Generation Process)
The decryption key generation unit 15 generates a key element k:={vLID·FL(ID)r→, (gRID)} by employing the distributed information τ→ generated in step S63 and a uniform random r→:=(rt)t∈[L] for the element gLID, element fLID, element hLID, and element gRID generated in step S62, as indicated in formula 221.
(Step S65: Key Output Process)
The key output unit 16 outputs the decryption key skID including the identity ID received in step S61 and the key element k generated in step S64 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the decryption key skID by executing the KeyGen algorithm indicated in formula 222.
Enc algorithm according to Embodiment 6 will be described referring to
(Step S71: Acquisition Process)
An acquisition unit 24 acquires, via an input/output interface 23, the public parameters pk generated by a key generation device 10. The acquisition unit 24 also receives as input a message m being an encryption target and an identity ID′ being a decryption condition. The message m and the identity ID′ are inputted by, for example, a user of the encryption device 20 via the input device.
Assume that identity ID′:=(ID′t)t∈[L]. Note that L<d. Also, each ID′t is 0 or 1.
(Step S72: ID Group Assigning Process)
An ID group assigning unit 27 assigns ID′t for each integer t of t∈[L] to a group G{circumflex over ( )}Lt,IDt and a group G{circumflex over ( )}Rt,IDt. The ID group assigning unit 27 takes a direct product of a group G{circumflex over ( )}Lt,ID′t for each integer t of t∈[L] as an ID group G{circumflex over ( )}LID and a direct product of a group G{circumflex over ( )}Rt,ID′t for each integer t of t∈[L] as an ID group GRID. Namely, the ID group assigning unit 27 generates the ID group G{circumflex over ( )}LID and the ID group G{circumflex over ( )}RID, as indicated in formula 223.
ID
L:=1,ID
ID
R:=1,ID
The ID group assigning unit 27 generates an element g{circumflex over ( )}LID, an element f{circumflex over ( )}RID, and an element h{circumflex over ( )}RID, as indicated in formula 224.
ĝ
ID
L:=(ĝt,ID
{circumflex over (f)}
ID
R:=({circumflex over (f)}t,ID
ĥ
ID
R:=(ĥt,ID
(Step S73: Ciphertext Generation Process)
A ciphertext generation unit 25 generates elements of a ciphertext ctID′ using the public parameters pk acquired in step S71 and the element g{circumflex over ( )}LID, element f{circumflex over ( )}RID, and element h{circumflex over ( )}RID which are generated in step S72. The ciphertext generation unit 25 generates the elements of the ciphertext ctID′ using a generation element of an element X of the group GT and a generation element of an element Y{circumflex over ( )} of a group G{circumflex over ( )}t. The element X refers to the element hT included in the public parameters pk. The element Y{circumflex over ( )} refers to the element g{circumflex over ( )}LID, element f{circumflex over ( )}RID′ and element h{circumflex over ( )}RID which are generated in step S72.
The ciphertext generation process includes processes of step S731 to step S733.
(Step S731: Conversion Information Generation Process)
A conversion information generation unit 251 generates an encryption random ζ which is a uniform random.
Using the element hT and the encryption random ζ, the conversion information generation 251 generates conversion information z, as indicated in formula 225.
z:=h
T
ζ [Formula 225]
(Step S732: First Cipher Element Generation Process)
A first cipher element generation unit 252 generates a cipher element cT which is an element of the ciphertext ctID′ by setting the message m to the conversion information z generated in step S731, as indicated in formula 226.
c
T
:=z·m [Formula 226]
(Step S733: Second Cipher Element Generation Process)
A second cipher element generation unit 253 generates a cipher element c:={(g{circumflex over ( )}LID)ζ, F R(ID)ζ} which is an element of the ciphertext ctID′ by setting the encryption random ζ to the element g LID, element f{circumflex over ( )}RID, and element h{circumflex over ( )}RID which are each the element Y{circumflex over ( )}, as indicated in formula 227.
(Step S74: Ciphertext Output Process)
A ciphertext output unit 26 outputs the ciphertext ctID′ having, as cipher elements, the identity ID′ received in step S71 and the cipher elements cT and c generated in step S73, to the decryption device 30 via the input/output interface 23.
That is, the encryption device 20 generates the ciphertext ctID′ by executing the Enc algorithm indicated in formula 228.
Dec algorithm according to Embodiment 6 will be described referring to
Processes of step S41 and step S42 and processes of step S44 and step S45 are the same as those in Embodiment 5.
(Step S43: Decryption Process)
A decryption unit 35 generates a message m′ by decrypting the ciphertext ctID′ by the decryption key skID received in step S41.
The decryption process includes processes of step S431 and step S432.
(Step S431: Conversion Information Generation Process)
A conversion information generation unit 351 generates conversion information z′ using the element k:={vLID·FL(ID)r→, (gRID)} included in the decryption key skID and the cipher element c:={(g LID)ζ, F{circumflex over ( )}R(ID)ζ} included in the ciphertext ctIDζ, as indicated in formula 229. Note that kL:=LID·FL(ID)r→ and that kR:=(gRID). Also note that cL:=(g{circumflex over ( )}LID)ζ and that cR:=F{circumflex over ( )}R(ID)ζ.
Since formula 230 holds, if the decryption key skID can decrypt the ciphertext ctID′, then the conversion information z′ and the conversion information z are identical.
(Step S432: Message Generation Process)
A message generation unit 352 generates the message m′ using the conversion information z′ generated in step S431 and the cipher element cT included in the ciphertext ctID′, as indicated in formula 231.
m′:=c
T·(z′)−1 [Formula 231]
That is, the decryption device 30 executes the Dec algorithm indicated in formula 232 to decrypt the ciphertext ctID′ by the decryption key skID.
Delegate algorithm according to Embodiment 6 will be described referring to
Delegate algorithm is executed by a key delegation device 40.
(Step S81: Acquisition Process)
An acquisition unit 44 acquires, via an input/output interface 43, the public parameters pk generated by the key generation device 10 and the decryption key skID:=(ID, kL, kR) for which a low-level key is to be generated. Note that kL:=LID·FL(ID)r→ and that kR:=(gRID). The acquisition unit 44 also receives as input an identity IDL+1∈{0, 1} of a user who uses a low-level decryption key skID′ of the decryption key skID, via the input/output interface 43.
(Step S82: ID Group Assigning Process)
An ID group assigning unit 45 takes ID′:=(ID, IDL+1). The ID group assigning unit 45 also generates an ID group GLID′ and an ID group GRID′, as indicated in formula 233.
ID*
L:=IDL×L+1,ID
ID*
R:=IDR×L+1,ID
The ID group assigning unit 45 generates an element k+L, an element gLID′, an element k+R, and an element gRID′, as indicated in formula 234.
k
+L:=(kL,1),gID*L:=(gIDL,gL+1,ID
k
+R:=(kR,1),gID*R:=(gIDR,gL+1,ID
(Step S83: Distributed Information Generation Process)
A low-level key generation unit 46 generates distributed information τ→′, as indicated in formula 235.
(Step 84: Key Element Generation Process)
The low-level key generation unit 46 generates the key element k:={kL, kR} by setting the distributed information τ→′ generated in step S83 and a uniform random r→′ to the element element k+L, element gLID′, element k+R, and element gRID′ which are generated in step S82, as indicated in Formula 236.
k′
L
:=k
+L·(gID*L){right arrow over (r)}′,
k′
R
:=k
+R·(gID*R){right arrow over (r)}′ [Formula 236]
(Step S85: Key Output Process)
A low-level key output unit 47 outputs the low-level decryption key skID′ including the identity ID′ and the key element k which is generated in step S84 to the decryption device 30 via the input/output interface 13.
That is, the decryption key generation unit 15 generates the low-level decryption key skID′ by executing the Delegate algorithm indicated in formula 237.
As described above, the cryptographic system 1 according to Embodiment 6 implements the HIBE scheme using IPG. Therefore, it is possible to indicate security from the isogeny problem hardness.
The cryptographic system 1 according to Embodiment 6 generates a ciphertext ctΓ using the element Y{circumflex over ( )} which is a generation element converted by the key generation random σt,ι. Therefore, it is possible to indicate security from the pairing problem hardness.
1: cryptographic system; 10: key generation device; 11: processor; 12: storage device; 13: input/output interface; 14: master key generation unit; 15: decryption key generation unit; 16: key output unit 16; 17: ID group assigning unit; 18: electronic circuit; 20: encryption device; 21: processor; 22: storage device; 23: input/output interface; 24: acquisition unit; 25: ciphertext generation unit; 26: ciphertext output unit; 27: ID group assigning unit; 28: electronic circuit; 30: decryption device; 31: processor; 32: storage device; 33: input/output interface; 34: acquisition unit; 35: decryption unit; 36: message output unit; 38: electronic circuit; 40: key delegation device; 41: processor; 42: storage device; 43: input/output interface; 44: acquisition unit; 45: ID group assigning unit; 46: low-level key generation unit; 47: low-level key output unit; 48: electronic circuit
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2017/026283 | 7/20/2017 | WO | 00 |