INFORMATION GENERATION APPARATUS, METHOD, PROGRAM, AND RECORDING MEDIUM THEREFOR

Information

  • Patent Application
  • 20120027206
  • Publication Number
    20120027206
  • Date Filed
    April 23, 2010
  • Date Published
    February 02, 2012
Abstract
Hierarchical cryptography expressed in a general semiordered structure other than a tree structure is implemented. In information generation, random numbers $\sigma_v$ and $(\sigma_{vj})_{j\in w(v)} \in Z_q$ are generated; main information $k_v = \sigma_v \sum_{i\in\{1,\dots,N-1\}\setminus w(v)} v_i b_i^* + b_N^*$ is calculated; and derivation information $k_{vj} = \sigma_{vj} \sum_{i\in\{1,\dots,N-1\}\setminus w(v)} v_i b_i^* + b_j^*$ is calculated for each $j\in w(v)$. In information derivation, random numbers $\sigma_u$ and $(\sigma_{uj})_{j\in w(u)} \in Z_q$ are generated; main information $k_u = \sigma_u \sum_{i\in w(v)\setminus w(u)} u_i k_{vi} + k_v$ is calculated; and derivation information $k_{uj} = \sigma_{uj} \sum_{i\in w(v)\setminus w(u)} u_i k_{vi} + k_{vj}$ is calculated for each $j\in w(v)$.
Description
TECHNICAL FIELD

The present invention relates to an application of information security technology. For example, the present invention relates to hierarchical cryptography in which a decryption key having a limited decryption ability can be derived from another decryption key.


BACKGROUND ART

The technology described in Non-patent literature 1 is a known conventional technology for hierarchical cryptography.


PRIOR ART LITERATURE
Non-Patent Literature



  • Non-patent literature 1: Craig Gentry, Alice Silverberg, “Hierarchical ID-Based Cryptography,” ASIACRYPT 2002, pp. 548-566



DISCLOSURE OF THE INVENTION
Problems to be Solved by the Invention

In the technology described in Non-patent literature 1, a key corresponding to a child node in a tree structure can be derived from a key corresponding to a parent node, but key derivation cannot be implemented in a general semiordered structure other than a tree structure. For example, in a structure having a parent node A, a parent node B, and a common child node C, it is not possible to derive a key of the common child node C from a key of the parent node A or to derive a key of the common child node C from a key of the parent node B.


Means to Solve the Problems

To solve the foregoing problem, an information generation apparatus according to Claim 1 includes a random number generator adapted to generate a random number $\sigma_Y \in Z_q$ and a random number $\sigma_{Yj} \in Z_q$ corresponding to each element $j \in w(Y)$ of a set $w(Y)$; a main information generator adapted to use the generated random number $\sigma_Y$ to calculate main information $k_Y$ that satisfies $k_Y = \sigma_Y \sum_{i\in\{1,\dots,N-1\}\setminus w(Y)} Y_i b_i^* + b_N^*$; and a derivation information generator adapted to use the generated random number $\sigma_{Yj}$ to calculate derivation information $k_{Yj}$ that satisfies $k_{Yj} = \sigma_{Yj} \sum_{i\in\{1,\dots,N-1\}\setminus w(Y)} Y_i b_i^* + b_j^*$ for each element $j \in w(Y)$ of the set $w(Y)$; where $e$ is a non-degenerate, bilinear function that outputs one element of a cyclic group $G_T$ in response to inputs of N elements $\gamma_L$ (L=1, . . . , N) (N≧2) of a cyclic group $G_1$ and N elements $\gamma_L^*$ (L=1, . . . , N) of a cyclic group $G_2$; $b_i \in G_1^N$ (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group $G_1$ as elements; $b_j^* \in G_2^N$ (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group $G_2$ as elements; a function value obtained when each element of the basis vector $b_i \in G_1^N$ (i=1, . . . , N) and each element of the basis vector $b_j^* \in G_2^N$ (j=1, . . . , N) are put into the bilinear function $e$ is represented by $g_T^{\tau\cdot\delta(i,j)} \in G_T$, using a Kronecker's delta function in which $\delta(i,j)=1_F$ when i=j and $\delta(i,j)=0_F$ when i≠j; $0_F$ is an additive unit element of a finite field $F_q$; $1_F$ is a multiplicative unit element of the finite field $F_q$; $\tau$ is an element of the finite field $F_q$, other than $0_F$; and $g_T$ is a generator of the cyclic group $G_T$; * indicates an indeterminate character; an index Y is $Y=(Y_1,\dots,Y_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; and the set $w(Y)$ corresponds to the index Y, and $w(Y)=\{i \mid Y_i=*\}$.


An information generation apparatus according to Claim 4 includes a storage unit adapted to store main information $k_v$ serving as main information $k_Y$ or corresponding to an index v, derived from the main information $k_Y$ and derivation information $k_{Yi}$, and derivation information $k_{vj}$ serving as the derivation information $k_{Yi}$ or corresponding to the index v, derived from the derivation information $k_{Yi}$; a child random number generator adapted to generate a random number $\sigma_u \in Z_q$; and a main information deriving unit adapted to use the main information $k_v$ and derivation information $k_{vi}$, both of which are read from the storage unit, and the generated random number $\sigma_u$ to calculate main information $k_u$ corresponding to an index u, which satisfies $k_u = \sigma_u \sum_{i\in w(v)\setminus w(u)} u_i k_{vi} + k_v$; where $e$ is a non-degenerate, bilinear function that outputs one element of a cyclic group $G_T$ in response to inputs of N elements $\gamma_L$ (L=1, . . . , N) (N≧2) of a cyclic group $G_1$ and N elements $\gamma_L^*$ (L=1, . . . , N) of a cyclic group $G_2$; $b_i \in G_1^N$ (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group $G_1$ as elements; $b_j^* \in G_2^N$ (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group $G_2$ as elements; a function value obtained when each element of the basis vector $b_i \in G_1^N$ (i=1, . . . , N) and each element of the basis vector $b_j^* \in G_2^N$ (j=1, . . . , N) are put into the bilinear function $e$ is represented by $g_T^{\tau\cdot\delta(i,j)} \in G_T$, using a Kronecker's delta function in which $\delta(i,j)=1_F$ when i=j and $\delta(i,j)=0_F$ when i≠j; $0_F$ is an additive unit element of a finite field $F_q$; $1_F$ is a multiplicative unit element of the finite field $F_q$; $\tau$ is an element of the finite field $F_q$, other than $0_F$; and $g_T$ is a generator of the cyclic group $G_T$; * indicates an indeterminate character; an index Y is $Y=(Y_1,\dots,Y_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; a set $w(Y)$ corresponding to the index Y is $w(Y)=\{i \mid Y_i=*\}$; $\sigma_Y \in Z_q$ is a random number; $\sigma_{Yi} \in Z_q$ is a random number corresponding to each element $j \in w(Y)$ of the set $w(Y)$; the main information $k_Y$ corresponds to the index Y and satisfies $k_Y = \sigma_Y \sum_{i\in\{1,\dots,N-1\}\setminus w(Y)} Y_i b_i^* + b_N^*$; the derivation information $k_{Yi}$ corresponds to the index Y and satisfies $k_{Yj} = \sigma_{Yj} \sum_{i\in\{1,\dots,N-1\}\setminus w(Y)} Y_i b_i^* + b_j^*$; * indicates an indeterminate character; the index v is $v=(v_1,\dots,v_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; the index u is $u=(u_1,\dots,u_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; $w(v)$ is a set corresponding to the index v and $w(v)=\{i \mid v_i=*\}$; $w(u)$ is a set corresponding to the index u and $w(u)=\{i \mid u_i=*\}$; $w(u)\subset w(v)$; and $v_i=u_i$ ($i\in\{1,\dots,N-1\}\setminus w(v)$).


An information generation apparatus according to Claim 6 includes a random number generator adapted to generate a random number $r_Y \in Z_q$; a first main information generator adapted to use the generated random number $r_Y$ to calculate first main information $k_Y$ that satisfies $k_Y = g_2^a \left(g_3 \prod_{i\in\{1,\dots,N-1\}\setminus w(Y)} h_i^{Y_i}\right)^{r_Y}$; a second main information generator adapted to use the generated random number $r_Y$ to calculate second main information $g^{r_Y}$; and a derivation information generator adapted to use the generated random number $r_Y$ to calculate derivation information $k_{Yj}$ that satisfies $k_{Yj}=h_j^{r_Y}$ for each element $j \in w(Y)$ of a set $w(Y)$; where $G$ and $G_T$ are cyclic groups having a prime number order q; $g$ is a generator of the cyclic group $G$; the cyclic group $G$ has a pairing function $e: G\times G\to G_T$, which makes $g_T=e(g,g)$ a generator of the cyclic group $G_T$; $a$ is a random number selected at random from $Z_p$; $g$, $g_1=g^a \in G$, and $g_2, g_3, h_1, \dots, h_{N-1} \in G$ randomly selected from the cyclic group $G$ are made publicly available as public keys; * indicates an indeterminate character; an index Y is $Y=(Y_1,\dots,Y_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; the set $w(Y)$ corresponds to the index Y; and $w(Y)=\{i \mid Y_i=*\}$.


An information generation apparatus according to Claim 9 includes a random number generator adapted to generate a random number $r_u \in Z_q$; a storage unit adapted to store main information $k_v$ serving as main information $k_Y$ or corresponding to an index v, derived from first main information $k_Y$ and derivation information $k_{Yi}$, and derivation information $k_{vj}$ serving as derivation information $k_{Yi}$ or corresponding to the index v, derived from the derivation information $k_{Yi}$; a first main information deriving unit adapted to use the first main information $k_v$ and derivation information $k_{vi}$, both of which are read from the storage unit, to calculate first main information $k_u$ corresponding to an index u, which satisfies $k_u = k_v \left(\prod_{i\in w(v)\setminus w(u)} k_{vi}^{u_i}\right) \left(g_3 \prod_{i\in\{1,\dots,N-1\}\setminus w(v)} h_i^{v_i} \prod_{i\in w(v)\setminus w(u)} h_i^{u_i}\right)^{r_u}$; and a second main information deriving unit adapted to use the generated random number $r_u$ to calculate second main information $g^{r_u}$; where $G$ and $G_T$ are cyclic groups having a prime number order q; $g$ is a generator of the cyclic group $G$; the cyclic group $G$ has a pairing function $e: G\times G\to G_T$, which makes $g_T=e(g,g)$ a generator of the cyclic group $G_T$; $a$ is a random number selected at random from $Z_p$; $g$, $g_1=g^a \in G$, and $g_2, g_3, h_1, \dots, h_{N-1} \in G$ randomly selected from the cyclic group $G$ are made publicly available as public keys; * indicates an indeterminate character; an index Y is $Y=(Y_1,\dots,Y_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; a set $w(Y)$ corresponding to the index Y is $w(Y)=\{i \mid Y_i=*\}$; $r_Y \in Z_q$ is a random number; the first main information $k_Y$ corresponds to the index Y and satisfies $k_Y = g_2^a \left(g_3 \prod_{i\in\{1,\dots,N-1\}\setminus w(Y)} h_i^{Y_i}\right)^{r_Y}$; $g^{r_Y}$ is second main information corresponding to the index Y; the derivation information $k_{Yi}$ corresponds to the index Y and satisfies $k_{Yj}=h_j^{r_Y}$; * indicates an indeterminate character; the index v is $v=(v_1,\dots,v_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; $w(v)$ is a set corresponding to the index v and $w(v)=\{i \mid v_i=*\}$; the index u is $u=(u_1,\dots,u_{N-1}) \in I=(F_q\cup\{*\})^{N-1}$; $w(u)$ is a set corresponding to the index u and $w(u)=\{i \mid u_i=*\}$; set $w(u)\subset$ set $w(v)$; and $v_i=u_i$ ($i\in\{1,\dots,N-1\}\setminus w(v)$).


Effects of the Invention

In a structure having a parent node A, a parent node B, and a common child node C, it is possible to derive information of the common child node C from information of the parent node A and to derive information of the common child node C from information of the parent node B.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is an example functional block diagram of an information generation apparatus according to a first embodiment;



FIG. 2 is an example flowchart of information generation in the first embodiment;



FIG. 3 is an example flowchart of information derivation in the first embodiment;



FIG. 4 is an example functional block diagram of an information generation apparatus according to a second embodiment;



FIG. 5 is an example flowchart of information generation in the second embodiment; and



FIG. 6 is an example flowchart of information derivation in the second embodiment.





DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention will be described below in detail.


Predicate Encryption

An overview of predicate encryption, which is a concept used in a first embodiment, will be described first.


Definitions

Terms and symbols to be used in the embodiments will be defined first.


Matrix: A matrix represents a rectangular arrangement of elements of a set in which an operation is defined. Not only elements of a ring but also elements of a group can form the matrix.


$(\cdot)^T$: Transposed matrix of “•”

$(\cdot)^{-1}$: Inverse matrix of “•”



∧: Logical AND

∨: Logical OR


Z: Set of integers


k: Security parameter ($k\in Z$, $k>0$)


$\{0,1\}^*$: Binary sequence having a desired bit length. An example is a sequence formed of integers 0 and 1. However, $\{0,1\}^*$ is not limited to sequences formed of integers 0 and 1. $\{0,1\}^*$ is a finite field of order 2 or its extension field.

$\{0,1\}^\zeta$: Binary sequence having a bit length $\zeta$ ($\zeta\in Z$, $\zeta>0$). An example is a sequence formed of integers 0 and 1. However, $\{0,1\}^\zeta$ is not limited to sequences formed of integers 0 and 1. $\{0,1\}^\zeta$ is a finite field of order 2 (when $\zeta=1$) or an extension field obtained by extending the finite field by degree $\zeta$ (when $\zeta>1$).


(+): Exclusive OR operator between binary sequences. For example, the following is satisfied: 10110011(+)11100001=01010010.


$F_q$: Finite field of order q, where q is an integer equal to or larger than 1. For example, the order q is a prime number or a power of a prime number. In other words, the finite field $F_q$ is a prime field or an extension field of the prime field, for example. When the finite field $F_q$ is a prime field, remainder calculations to modulus q can be easily performed, for example. When the finite field $F_q$ is an extension field, remainder calculations modulo an irreducible polynomial can be easily performed, for example. A specific method for configuring a finite field $F_q$ is disclosed, for example, in reference literature 1, “ISO/IEC 18033-2: Information technology—Security techniques—Encryption algorithms—Part 2: Asymmetric ciphers”.


0F: Additive unit element of the finite field Fq


1F: Multiplicative unit element of the finite field Fq


$\delta(i,j)$: Kronecker's delta function. When i=j, $\delta(i,j)=1_F$. When i≠j, $\delta(i,j)=0_F$.


E: Elliptic curve defined on the finite field $F_q$. It is defined as a special point O called the point of infinity plus a set of points (x, y) satisfying $x, y\in F_q$ and the Weierstrass equation in an affine coordinate system

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \tag{1}$$


where a1, a2, a3, a4, a6εFq. A binary operation + called an elliptic addition can be defined for any two points on the elliptic curve E, and a unary operation − called an elliptic inverse can be defined for any one point on the elliptic curve E. It is well known that a finite set of rational points on the elliptic curve E forms a group with respect to the elliptic addition. It is also well known that an operation called an elliptic scalar multiplication can be defined with the elliptic addition. A specific operation method of elliptic operations such as the elliptic addition on a computer is also well known. (For example, see reference literature 1, reference literature 2, “RFC 5091: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems”, and reference literature 3, Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart, “Elliptic Curves in Cryptography”, Pearson Education, ISBN 4-89471-431-0.)


A finite set of rational points on the elliptic curve E has a subgroup of order p (p≧1). When the number of elements in a finite set of rational points on the elliptic curve E is #E and p is a large prime number that can divide #E without a remainder, for example, a finite set E[p] of p equally divided points on the elliptic curve E forms a subgroup of the finite set of rational points on the elliptic curve E. The p equally divided points on the elliptic curve E are points A on the elliptic curve E which satisfy the elliptic scalar multiplication pA=O.


$G_1$, $G_2$, $G_T$: Cyclic groups of order q. Examples of the cyclic groups $G_1$ and $G_2$ include the finite set E[p] of p equally divided points on the elliptic curve E and subgroups thereof. $G_1$ may equal $G_2$, or $G_1$ may not equal $G_2$. Examples of the cyclic group $G_T$ include a finite set constituting an extension field of the finite field $F_q$. A specific example thereof is a finite set of the p-th root of 1 in the algebraic closure of the finite field $F_q$.


In the embodiments, operations defined on the cyclic groups $G_1$ and $G_2$ are expressed as additions, and an operation defined on the cyclic group $G_T$ is expressed as a multiplication. More specifically, $\chi\cdot\Omega\in G_1$ for $\chi\in F_q$ and $\Omega\in G_1$ means that the operation defined in the cyclic group $G_1$ is applied to $\Omega\in G_1$ $\chi$ times, and $\Omega_1+\Omega_2\in G_1$ for $\Omega_1, \Omega_2\in G_1$ means that the operation defined in the cyclic group $G_1$ is applied to $\Omega_1\in G_1$ and $\Omega_2\in G_1$. In the same way, $\chi\cdot\Omega\in G_2$ for $\chi\in F_q$ and $\Omega\in G_2$ means that the operation defined in the cyclic group $G_2$ is applied to $\Omega\in G_2$ $\chi$ times, and $\Omega_1+\Omega_2\in G_2$ for $\Omega_1, \Omega_2\in G_2$ means that the operation defined in the cyclic group $G_2$ is applied to $\Omega_1\in G_2$ and $\Omega_2\in G_2$. In contrast, $\Omega^\chi\in G_T$ for $\chi\in F_q$ and $\Omega\in G_T$ means that the operation defined in the cyclic group $G_T$ is applied to $\Omega\in G_T$ $\chi$ times, and $\Omega_1\cdot\Omega_2\in G_T$ for $\Omega_1, \Omega_2\in G_T$ means that the operation defined in the cyclic group $G_T$ is applied to $\Omega_1\in G_T$ and $\Omega_2\in G_T$.


$G_1^{n+1}$: Direct product of (n+1) cyclic groups $G_1$ (n≧1)

$G_2^{n+1}$: Direct product of (n+1) cyclic groups $G_2$


g1, g2, gT: Generators of the cyclic groups G1, G2, GT


V: (n+1)-dimensional vector space formed of the direct product of the (n+1) cyclic groups G1


V*: (n+1)-dimensional vector space formed of the direct product of the (n+1) cyclic groups G2


e: Function (bilinear function) for calculating a non-degenerate bilinear map that maps the direct product $G_1^{n+1}\times G_2^{n+1}$ of the direct product $G_1^{n+1}$ and the direct product $G_2^{n+1}$ to the cyclic group $G_T$. The bilinear function e receives (n+1) elements $\gamma_L$ (L=1, . . . , n+1) (n≧1) of the cyclic group $G_1$ and (n+1) elements $\gamma_L^*$ (L=1, . . . , n+1) of the cyclic group $G_2$ and outputs one element of the cyclic group $G_T$.

$$e: G_1^{n+1}\times G_2^{n+1}\to G_T \tag{2}$$


The bilinear function e satisfies the following characteristics:


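Bilinearity: The following relationship is satisfied for all $\Gamma_1\in G_1^{n+1}$, $\Gamma_2\in G_2^{n+1}$, and $\nu, \kappa\in F_q$

$$e(\nu\cdot\Gamma_1, \kappa\cdot\Gamma_2) = e(\Gamma_1, \Gamma_2)^{\nu\cdot\kappa} \tag{3}$$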


Non-degeneracy: This function does not map all

$$\Gamma_1\in G_1^{n+1},\ \Gamma_2\in G_2^{n+1} \tag{4}$$

onto the unit element of the cyclic group $G_T$.


Computability: There exists an algorithm for efficiently calculating $e(\Gamma_1, \Gamma_2)$ for all $\Gamma_1\in G_1^{n+1}$, $\Gamma_2\in G_2^{n+1}$.


In the embodiments, the following function for calculating a non-degenerate bilinear map that maps the direct product G1×G2 of the cyclic group G1 and the cyclic group G2 to the cyclic group GT constitutes the bilinear function e.





$$\mathrm{Pair}: G_1\times G_2\to G_T \tag{5}$$


The bilinear function e receives an (n+1)-dimensional vector $(\gamma_1, \dots, \gamma_{n+1})$ formed of (n+1) elements $\gamma_L$ (L=1, . . . , n+1) of the cyclic group $G_1$ and an (n+1)-dimensional vector $(\gamma_1^*, \dots, \gamma_{n+1}^*)$ formed of (n+1) elements $\gamma_L^*$ (L=1, . . . , n+1) of the cyclic group $G_2$ and outputs one element of the cyclic group $G_T$.

$$e = \prod_{L=1}^{n+1} \mathrm{Pair}(\gamma_L, \gamma_L^*) \tag{6}$$


The bilinear function Pair receives one element of the cyclic group G1 and one element of the cyclic group G2 and outputs one element of the cyclic group GT, and satisfies the following characteristics:


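Bilinearity: The following relationship is satisfied for all $\Omega_1\in G_1$, $\Omega_2\in G_2$, and $\nu, \kappa\in F_q$

$$\mathrm{Pair}(\nu\cdot\Omega_1, \kappa\cdot\Omega_2) = \mathrm{Pair}(\Omega_1, \Omega_2)^{\nu\cdot\kappa} \tag{7}$$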


Non-degeneracy: This function does not map all

$$\Omega_1\in G_1,\ \Omega_2\in G_2 \tag{8}$$

onto the unit element of the cyclic group $G_T$.


Computability: There exists an algorithm for efficiently calculating Pair(Ω1, Ω2) for all Ω1εG1, Ω2εG2.


A specific example of the bilinear function Pair is a function for performing a pairing operation such as Weil pairing or Tate pairing. (See reference literature 4, Alfred. J. Menezes, “Elliptic Curve Public Key Cryptosystems”, Kluwer Academic Publishers, ISBN 0-7923-9368-6, pp. 61-81, for example.) A modified pairing function e(Ω1, phi(Ω2)) (Ω1εG1, Ω2εG2) obtained by combining a function for performing a pairing operation, such as Tate pairing, and a predetermined function phi according to the type of the elliptic curve E may be used as the bilinear function Pair (see reference literature 2, for example). As the algorithm for performing a pairing operation on a computer, the Miller algorithm (see reference literature 5, V. S. Miller, “Short Programs for Functions on Curves”, 1986, http://crypto.stanford.edu/miller/miller.pdf) or some other known algorithm can be used. Methods for configuring a cyclic group and an elliptic curve used to efficiently perform a pairing operation have been known. (For example, see reference literature 2; reference literature 6, A. Miyaji, M. Nakabayashi, and S. Takano, “New Explicit Conditions of Elliptic Curve Traces for FR Reduction”, IEICE Trans. Fundamentals, Vol. E84-A, No. 5, pp. 1234-1243, May 2001; reference literature 7, P. S. L. M. Barreto, B. Lynn, M. Scott, “Constructing Elliptic Curves with Prescribed Embedding Degrees”, Proc. SCN '2002, LNCS 2576, pp. 257-267, Springer-Verlag. 2003; and reference literature 8, R. Dupont, A. Enge, F. Morain, “Building Curves with Arbitrary Small MOV Degree over Finite Prime Fields”, http://eprint.iacr.org/2002/094/).


$a_i$ (i=1, . . . , n+1): (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group $G_1$ as elements. An example of the basis vectors $a_i$ is an (n+1)-dimensional basis vector having $\kappa_1\cdot g_1\in G_1$ as an i-dimensional element and the unit element (expressed as “0” in additive expression) of the cyclic group $G_1$ as the remaining n elements. In that case, the elements of the (n+1)-dimensional basis vectors $a_i$ (i=1, . . . , n+1) can be listed as follows:

$$\begin{aligned}
a_1 &= (\kappa_1\cdot g_1, 0, 0, \dots, 0)\\
a_2 &= (0, \kappa_1\cdot g_1, 0, \dots, 0)\\
&\ \ \vdots\\
a_{n+1} &= (0, 0, 0, \dots, \kappa_1\cdot g_1)
\end{aligned} \tag{9}$$

Here, κ1 is a constant formed of an element of the finite field Fq other than the additive unit element 0F. An example of κ1εFq is κ1=1F. The basis vectors ai are orthogonal bases. Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G1 as elements is expressed by a linear sum of (n+1)-dimensional basis vectors ai (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors ai span the vector space V, described earlier.


$a_i^*$ (i=1, . . . , n+1): (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group $G_2$ as elements. An example of the basis vectors $a_i^*$ is an (n+1)-dimensional basis vector having $\kappa_2\cdot g_2\in G_2$ as an i-dimensional element and the unit element (expressed as “0” in additive expression) of the cyclic group $G_2$ as the remaining n elements. In that case, the elements of the (n+1)-dimensional basis vectors $a_i^*$ (i=1, . . . , n+1) can be listed as follows:

$$\begin{aligned}
a_1^* &= (\kappa_2\cdot g_2, 0, 0, \dots, 0)\\
a_2^* &= (0, \kappa_2\cdot g_2, 0, \dots, 0)\\
&\ \ \vdots\\
a_{n+1}^* &= (0, 0, 0, \dots, \kappa_2\cdot g_2)
\end{aligned} \tag{10}$$

Here, κ2 is a constant formed of an element of the finite field Fq other than the additive unit element 0F. An example of κ2εFq is κ2=1F. The basis vectors ai* are orthogonal bases. Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G2 as elements is expressed by a linear sum of (n+1)-dimensional basis vectors ai* (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors ai* span the vector space V*, described earlier.


The basis vectors $a_i$ and the basis vectors $a_i^*$ satisfy the following expression for an element $\tau=\kappa_1\cdot\kappa_2$ of the finite field $F_q$ other than $0_F$:

$$e(a_i, a_j^*) = g_T^{\tau\cdot\delta(i,j)} \tag{11}$$


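When i=j, the following expression is satisfied from Expressions (6) and (7).

$$\begin{aligned}
e(a_i, a_j^*) &= \mathrm{Pair}(\kappa_1\cdot g_1, \kappa_2\cdot g_2)\cdot\mathrm{Pair}(0, 0)\cdot\ldots\cdot\mathrm{Pair}(0, 0)\\
&= \mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2}\cdot\mathrm{Pair}(g_1, g_2)^{0\cdot 0}\cdot\ldots\cdot\mathrm{Pair}(g_1, g_2)^{0\cdot 0}\\
&= \mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2} = g_T^{\tau}
\end{aligned}$$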

When i≠j, $e(a_i, a_j^*)$ does not include $\mathrm{Pair}(\kappa_1\cdot g_1, \kappa_2\cdot g_2)$ and is the product of $\mathrm{Pair}(\kappa_1\cdot g_1, 0)$, $\mathrm{Pair}(0, \kappa_2\cdot g_2)$, and $\mathrm{Pair}(0, 0)$. In addition, the following expression is satisfied from Expression (7).

$$\mathrm{Pair}(g_1, 0) = \mathrm{Pair}(0, g_2) = \mathrm{Pair}(g_1, g_2)^0$$

Therefore, when i≠j, the following expression is satisfied.

$$e(a_i, a_j^*) = e(g_1, g_2)^0 = g_T^0$$

Especially when $\tau=\kappa_1\cdot\kappa_2=1_F$ (for example, $\kappa_1=\kappa_2=1_F$), the following expression is satisfied.

$$e(a_i, a_j^*) = g_T^{\delta(i,j)} \tag{12}$$

Here, $g_T^0=1$ is the unit element of the cyclic group $G_T$, and $g_T^1=g_T$ is a generator of the cyclic group $G_T$. In that case, the basis vectors $a_i$ and the basis vectors $a_i^*$ are dual normal orthogonal bases, and the vector space V and the vector space V* are a dual vector space that constitutes bilinear mapping (dual pairing vector space (DPVS)).


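A: An (n+1) row by (n+1) column matrix having the basis vectors $a_i$ (i=1, . . . , n+1) as elements. When the basis vectors $a_i$ (i=1, . . . , n+1) are expressed by Expression (9), for example, the matrix A is as follows:

$$A = \begin{pmatrix} a_1\\ a_2\\ \vdots\\ a_{n+1} \end{pmatrix} = \begin{pmatrix}
\kappa_1\cdot g_1 & 0 & \cdots & 0\\
0 & \kappa_1\cdot g_1 & \ddots & \vdots\\
\vdots & \ddots & \ddots & 0\\
0 & \cdots & 0 & \kappa_1\cdot g_1
\end{pmatrix} \tag{13}$$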

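A*: An (n+1) row by (n+1) column matrix having the basis vectors $a_i^*$ (i=1, . . . , n+1) as elements. When the basis vectors $a_i^*$ (i=1, . . . , n+1) are expressed by Expression (10), for example, the matrix A* is as follows:

$$A^* = \begin{pmatrix} a_1^*\\ a_2^*\\ \vdots\\ a_{n+1}^* \end{pmatrix} = \begin{pmatrix}
\kappa_2\cdot g_2 & 0 & \cdots & 0\\
0 & \kappa_2\cdot g_2 & \ddots & \vdots\\
\vdots & \ddots & \ddots & 0\\
0 & \cdots & 0 & \kappa_2\cdot g_2
\end{pmatrix} \tag{14}$$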

X: An (n+1) row by (n+1) column matrix having elements of the finite field $F_q$ as elements. The matrix X is used to apply coordinate conversion to the basis vectors $a_i$. When the element located at the i-th row and the j-th column in the matrix X is expressed as $\chi_{i,j}\in F_q$, the matrix X is as follows:

$$X = \begin{pmatrix}
\chi_{1,1} & \chi_{1,2} & \cdots & \chi_{1,n+1}\\
\chi_{2,1} & \chi_{2,2} & \ddots & \vdots\\
\vdots & \ddots & \ddots & \vdots\\
\chi_{n+1,1} & \chi_{n+1,2} & \cdots & \chi_{n+1,n+1}
\end{pmatrix} \tag{15}$$

Here, each element $\chi_{i,j}$ of the matrix X is called a conversion coefficient.


X*: Transposed matrix of the inverse matrix of the matrix X. $X^*=(X^{-1})^T$. The matrix X* is used to apply coordinate conversion to the basis vectors $a_i^*$. When the element located at the i-th row and the j-th column in the matrix X* is expressed as $\chi_{i,j}^*\in F_q$, the matrix X* is as follows:

$$X^* = \begin{pmatrix}
\chi_{1,1}^* & \chi_{1,2}^* & \cdots & \chi_{1,n+1}^*\\
\chi_{2,1}^* & \chi_{2,2}^* & \ddots & \vdots\\
\vdots & \ddots & \ddots & \vdots\\
\chi_{n+1,1}^* & \chi_{n+1,2}^* & \cdots & \chi_{n+1,n+1}^*
\end{pmatrix} \tag{16}$$

Here, each element $\chi_{i,j}^*$ of the matrix X* is called a conversion coefficient.


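In that case, when an (n+1) row by (n+1) column unit matrix is called I, $X\cdot(X^*)^T=I$. In other words, for the unit matrix shown below,

$$I = \begin{pmatrix}
1_F & 0_F & \cdots & 0_F\\
0_F & 1_F & \ddots & \vdots\\
\vdots & \ddots & \ddots & 0_F\\
0_F & \cdots & 0_F & 1_F
\end{pmatrix} \tag{17}$$

the following expression is satisfied.

$$\begin{pmatrix}
\chi_{1,1} & \chi_{1,2} & \cdots & \chi_{1,n+1}\\
\chi_{2,1} & \chi_{2,2} & \ddots & \vdots\\
\vdots & \ddots & \ddots & \vdots\\
\chi_{n+1,1} & \chi_{n+1,2} & \cdots & \chi_{n+1,n+1}
\end{pmatrix} \cdot \begin{pmatrix}
\chi_{1,1}^* & \chi_{2,1}^* & \cdots & \chi_{n+1,1}^*\\
\chi_{1,2}^* & \chi_{2,2}^* & \ddots & \vdots\\
\vdots & \ddots & \ddots & \vdots\\
\chi_{1,n+1}^* & \chi_{2,n+1}^* & \cdots & \chi_{n+1,n+1}^*
\end{pmatrix} = \begin{pmatrix}
1_F & 0_F & \cdots & 0_F\\
0_F & 1_F & \ddots & \vdots\\
\vdots & \ddots & \ddots & 0_F\\
0_F & \cdots & 0_F & 1_F
\end{pmatrix} \tag{18}$$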

Here, (n+1)-dimensional vectors will be defined below.

$$\chi_i = (\chi_{i,1}, \dots, \chi_{i,n+1}) \tag{19}$$

$$\chi_j^* = (\chi_{j,1}^*, \dots, \chi_{j,n+1}^*) \tag{20}$$

The inner product of the (n+1)-dimensional vectors $\chi_i$ and $\chi_j^*$ satisfies the following expression from Expression (18).

$$\chi_i\cdot\chi_j^* = \delta(i,j) \tag{21}$$


$b_i$: (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group $G_1$ as elements. The basis vectors $b_i$ are obtained by applying coordinate conversion to the basis vectors $a_i$ (i=1, . . . , n+1) by using the matrix X. Specifically, the basis vectors $b_i$ are obtained by the following calculation

$$b_i = \sum_{j=1}^{n+1} \chi_{i,j}\cdot a_j \tag{22}$$

When the basis vectors $a_j$ (j=1, . . . , n+1) are expressed by Expression (9), each element of the basis vectors $b_i$ is shown below.

$$b_i = (\chi_{i,1}\cdot\kappa_1\cdot g_1,\ \chi_{i,2}\cdot\kappa_1\cdot g_1,\ \dots,\ \chi_{i,n+1}\cdot\kappa_1\cdot g_1) \tag{23}$$


Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G1 as elements is expressed by a linear sum of (n+1)-dimensional basis vectors bi (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors bi span the vector space V, described earlier.


$b_i^*$: (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group $G_2$ as elements. The basis vectors $b_i^*$ are obtained by applying coordinate conversion to the basis vectors $a_i^*$ (i=1, . . . , n+1) by using the matrix X*. Specifically, the basis vectors $b_i^*$ are obtained by the following calculation

$$b_i^* = \sum_{j=1}^{n+1} \chi_{i,j}^*\cdot a_j^* \tag{24}$$

When the basis vectors $a_j^*$ (j=1, . . . , n+1) are expressed by Expression (10), each element of the basis vectors $b_i^*$ is shown below.

$$b_i^* = (\chi_{i,1}^*\cdot\kappa_2\cdot g_2,\ \chi_{i,2}^*\cdot\kappa_2\cdot g_2,\ \dots,\ \chi_{i,n+1}^*\cdot\kappa_2\cdot g_2) \tag{25}$$


Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G2 as elements is expressed by a linear sum of (n+1)-dimensional basis vectors bi* (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors bi* span the vector space V*, described earlier.


The basis vectors $b_i$ and the basis vectors $b_i^*$ satisfy the following expression for the element $\tau=\kappa_1\cdot\kappa_2$ of the finite field $F_q$ other than $0_F$:

$$e(b_i, b_j^*) = g_T^{\tau\cdot\delta(i,j)} \tag{26}$$


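The following expression is satisfied from Expressions (6), (21), (23), and (25).

$$\begin{aligned}
e(b_i, b_j^*) &= \prod_{L=1}^{n+1} \mathrm{Pair}(\chi_{i,L}\cdot\kappa_1\cdot g_1,\ \chi_{j,L}^*\cdot\kappa_2\cdot g_2)\\
&= \mathrm{Pair}(\chi_{i,1}\cdot\kappa_1\cdot g_1,\ \chi_{j,1}^*\cdot\kappa_2\cdot g_2)\cdot\ldots\cdot\mathrm{Pair}(\chi_{i,n}\cdot\kappa_1\cdot g_1,\ \chi_{j,n}^*\cdot\kappa_2\cdot g_2)\\
&\quad\times\mathrm{Pair}(\chi_{i,n+1}\cdot\kappa_1\cdot g_1,\ \chi_{j,n+1}^*\cdot\kappa_2\cdot g_2)\\
&= \mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2\cdot\chi_{i,1}\cdot\chi_{j,1}^*}\cdot\mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2\cdot\chi_{i,2}\cdot\chi_{j,2}^*}\cdot\ldots\\
&\quad\times\mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2\cdot\chi_{i,n+1}\cdot\chi_{j,n+1}^*}\\
&= \mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2(\chi_{i,1}\cdot\chi_{j,1}^* + \chi_{i,2}\cdot\chi_{j,2}^* + \dots + \chi_{i,n+1}\cdot\chi_{j,n+1}^*)}\\
&= \mathrm{Pair}(g_1, g_2)^{\kappa_1\cdot\kappa_2\cdot\chi_i\cdot\chi_j^*}\\
&= \mathrm{Pair}(g_1, g_2)^{\tau\cdot\delta(i,j)} = g_T^{\tau\cdot\delta(i,j)}
\end{aligned}$$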

Especially when $\tau=\kappa_1\cdot\kappa_2=1_F$ (for example, $\kappa_1=\kappa_2=1_F$), the following expression is satisfied.

$$e(b_i, b_j^*) = g_T^{\delta(i,j)} \tag{27}$$


In that case, the basis vectors bi and the basis vectors bi* are the dual normal orthogonal basis of a dual pairing vector space (the vector space V and the vector space V*).


As long as Expression (26) is satisfied, the basis vectors ai and ai* other than those shown in Expressions (9) and (10) as examples, and the basis vectors bi and bi* other than those shown in Expressions (22) and (24) as examples may be used.
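
The dual-basis relation of Expressions (22) to (27) can be checked numerically. The following is an added example, not part of the patent text: it models every group element by its discrete logarithm modulo a constructed prime q, so that Pair(x·g1, y·g2) is tracked as the exponent x·y of gT. The function names and the modulus are assumptions made for illustration, and the model exposes discrete logarithms, so it verifies the algebra only.

```python
"""Toy check, in the exponent, that B = X*A and B* = (X^-1)^T * A* are dual bases."""
import secrets

Q = 2**61 - 1  # constructed prime standing in for the group order q


def mat_inv_mod(m, q):
    """Invert a square matrix over F_q (Gauss-Jordan); ValueError if singular."""
    n = len(m)
    aug = [[v % q for v in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular over F_q")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [v * inv % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def transpose(m):
    return [list(col) for col in zip(*m)]


def random_invertible(n, q):
    """Sample the conversion matrix X of Expression (15), rejecting singular draws."""
    while True:
        x = [[secrets.randbelow(q) for _ in range(n)] for _ in range(n)]
        try:
            mat_inv_mod(x, q)
            return x
        except ValueError:
            continue


def dual_bases(x, kappa1, kappa2, q, transpose_inverse=True):
    """Exponent form of Expressions (23) and (25).

    With transpose_inverse=False, X* is taken as X^-1 without the transpose,
    which is the mistake the definition X* = (X^-1)^T guards against.
    """
    x_inv = mat_inv_mod(x, q)
    x_star = transpose(x_inv) if transpose_inverse else x_inv
    b = [[c * kappa1 % q for c in row] for row in x]
    b_star = [[c * kappa2 % q for c in row] for row in x_star]
    return b, b_star


def e_exponent(u, v, q):
    """Exponent of gT in e(u, v) = prod_L Pair(u_L, v_L), Expression (6)."""
    return sum(a * b for a, b in zip(u, v)) % q


def pairing_table(x, kappa1, kappa2, q, transpose_inverse=True):
    """Matrix of exponents of e(b_i, b_j*) for all i, j."""
    b, b_star = dual_bases(x, kappa1, kappa2, q, transpose_inverse)
    return [[e_exponent(bi, bj, q) for bj in b_star] for bi in b]


def expected_table(n, kappa1, kappa2, q):
    """tau * delta(i, j) with tau = kappa1 * kappa2, Expression (26)."""
    tau = kappa1 * kappa2 % q
    return [[tau if i == j else 0 for j in range(n)] for i in range(n)]


if __name__ == "__main__":
    x = random_invertible(4, Q)
    print("dual bases hold:", pairing_table(x, 3, 5, Q) == expected_table(4, 3, 5, Q))
    print("without transpose:",
          pairing_table(x, 3, 5, Q, transpose_inverse=False) == expected_table(4, 3, 5, Q))
```
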


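B: An (n+1) row by (n+1) column matrix having the basis vectors $b_i$ (i=1, . . . , n+1) as elements. $B=X\cdot A$ is satisfied. When the basis vectors $b_i$ are expressed by Expression (23), for example, the matrix B is as follows:

$$B = \begin{pmatrix} b_1\\ b_2\\ \vdots\\ b_{n+1} \end{pmatrix} = \begin{pmatrix}
\chi_{1,1}\cdot\kappa_1\cdot g_1 & \chi_{1,2}\cdot\kappa_1\cdot g_1 & \cdots & \chi_{1,n+1}\cdot\kappa_1\cdot g_1\\
\chi_{2,1}\cdot\kappa_1\cdot g_1 & \chi_{2,2}\cdot\kappa_1\cdot g_1 & \ddots & \vdots\\
\vdots & \ddots & \ddots & \chi_{n,n+1}\cdot\kappa_1\cdot g_1\\
\chi_{n+1,1}\cdot\kappa_1\cdot g_1 & \cdots & \chi_{n+1,n}\cdot\kappa_1\cdot g_1 & \chi_{n+1,n+1}\cdot\kappa_1\cdot g_1
\end{pmatrix} \tag{28}$$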

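B*: An (n+1) row by (n+1) column matrix having the basis vectors $b_i^*$ (i=1, . . . , n+1) as elements. $B^*=X^*\cdot A^*$ is satisfied. When the basis vectors $b_i^*$ (i=1, . . . , n+1) are expressed by Expression (25), for example, the matrix B* is as follows:

$$B^* = \begin{pmatrix} b_1^*\\ b_2^*\\ \vdots\\ b_{n+1}^* \end{pmatrix} = \begin{pmatrix}
\chi_{1,1}^*\cdot\kappa_2\cdot g_2 & \chi_{1,2}^*\cdot\kappa_2\cdot g_2 & \cdots & \chi_{1,n+1}^*\cdot\kappa_2\cdot g_2\\
\chi_{2,1}^*\cdot\kappa_2\cdot g_2 & \chi_{2,2}^*\cdot\kappa_2\cdot g_2 & \ddots & \vdots\\
\vdots & \ddots & \ddots & \chi_{n,n+1}^*\cdot\kappa_2\cdot g_2\\
\chi_{n+1,1}^*\cdot\kappa_2\cdot g_2 & \cdots & \chi_{n+1,n}^*\cdot\kappa_2\cdot g_2 & \chi_{n+1,n+1}^*\cdot\kappa_2\cdot g_2
\end{pmatrix} \tag{29}$$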

w: An n-dimensional vector having elements of the finite field Fq as elements.






w
=(w1, . . . ,wnFqn  (30)


wμ: The μ-th (t=1, . . . , n) element of the n-dimensional vector.


v: An n-dimensional vector having elements of the finite field Fq as elements.






$$v=(v_1,\ldots,v_n)\in F_q^{\,n}\qquad(31)$$


vμ: The μ-th (μ=1, . . . , n) element of the n-dimensional vector.


Collision-resistant function: A function h that satisfies the following condition with respect to a sufficiently large security parameter k, or a function regarded as such.






$$\Pr[A(h)=(x,y)\mid h(x)=h(y)\wedge x\neq y]<\varepsilon(k)\qquad(32)$$


Here, Pr[•] is the probability of the event [•]; A(h) is a probability polynomial time algorithm for calculating x and y (x≠y) that satisfy h(x)=h(y) for a function h; and ε(k) is a polynomial for the security parameter k. An example collision-resistant function is a hash function such as the cryptographic hash function disclosed in reference literature 1.


Injective function: A function by which each element belonging to a value range is expressed as the image of only one element in the definition range, or a function regarded as such.


Quasi-random function: A function belonging to a subset φζ when a probability polynomial time algorithm cannot distinguish between the subset φζ and its whole set Φζ, or a function regarded as such. The set Φζ is a set of all functions that map an element of a set {0, 1}ζ to an element of the set {0, 1}ζ. An example quasi-random function is a hash function such as that described above.


H1: A collision-resistant function that receives two binary sequences (ω1, ω2)ε{0, 1}k×{0, 1}* and outputs two elements (ψ1, ψ2)εFq×Fq of the finite field Fq.






$$H_1:\{0,1\}^k\times\{0,1\}^*\to F_q\times F_q\qquad(33)$$


An example of the function H1 is a function that outputs two elements (ψ1, ψ2)εFq×Fq of the finite field Fq in response to the connected bits ω1∥ω2 of input ω1 and ω2. This function includes calculations with a hash function such as the cryptographic hash function disclosed in reference literature 1, a binary-sequence-to-integer conversion function (octet string/integer conversion), and a binary-sequence-to-finite-field-element conversion function (octet string and integer/finite field conversion). It is preferred that the function H1 be a quasi-random function.


H2: A collision-resistant function that receives an element of the cyclic group GT and a binary sequence (ξ, ω2)εGT×{0, 1}* and outputs one element ψεFq of the finite field Fq.






$$H_2:G_T\times\{0,1\}^*\to F_q\qquad(34)$$


An example of the function H2 is a function that receives an element ξεGT of the cyclic group GT and a binary sequence ω2ε{0, 1}*, inputs the element ξεGT of the cyclic group GT to a finite-field-element-to-binary-sequence conversion function (octet string and integer/finite field conversion) disclosed in reference literature 1 to obtain a binary sequence, applies a hash function such as the cryptographic hash function disclosed in reference literature 1 to the connected bits of the obtained binary sequence and the binary sequence ω2ε{0, 1}*, performs the binary-sequence-to-finite-field-element conversion function (octet string and integer/finite field conversion), and outputs one element ψεFq of the finite field Fq. It is preferred from a security viewpoint that the function H2 be a quasi-random function.


R: An injective function that receives an element ξεGT of the cyclic group GT and outputs one binary sequence ωε{0, 1}k.






$$R:G_T\to\{0,1\}^k\qquad(35)$$


An example of the injective function R is a function that receives an element ξεGT of the cyclic group GT, performs calculations with the finite-field-element-to-binary-sequence conversion function (octet string and integer/finite field conversion) and then with a hash function such as the KDF (key derivation function) disclosed in reference literature 1, and outputs one binary sequence ωε{0, 1}k. From a security viewpoint, it is preferred that the function R be a collision-resistant function, and it is more preferred that the function R be a quasi-random function.


Enc: A common key encryption function that indicates encryption processing of a common key cryptosystem. Example common key cryptosystems are Camellia and AES.


EncK(M): Ciphertext obtained by encrypting plaintext M by the common key encryption function Enc with the use of a common key K.


Dec: A common key decryption function that indicates decryption processing of the common key cryptosystem.


DecK(C): A decryption result obtained by decrypting ciphertext C by the common key decryption function Dec with the use of the common key K.


Inner Product Predicate Encryption


The basic configuration of inner product predicate encryption will be described below.


Predicate Encryption

Predicate encryption (sometimes called function encryption) means that ciphertext can be decrypted when a combination of attribute information and predicate information makes a predetermined logical expression true. One of the attribute information and predicate information is embedded in the ciphertext and the other is embedded in key information. The configuration of conventional predicate encryption is, for example, disclosed in reference literature 9, “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products” with Amit Sahai and Brent Waters, one of four papers from Eurocrypt 2008 invited by the Journal of Cryptology.


Inner Product Predicate Encryption


Inner product predicate encryption means that ciphertext can be decrypted when the inner product of attribute information and predicate information handled as vectors is zero. In inner product predicate encryption, an inner product of zero is equivalent to a logical expression of true.


Relationship Between Logical Expression and Polynomial


In inner product predicate encryption, a logical expression formed of a logical OR(s) and/or a logical AND(s) is expressed by a polynomial.


The logical OR (x=η1)∨(x=η2) of statement 1 indicating that x is η1 and statement 2 indicating that x is η2 is expressed by the following polynomial.





(x−η1)·(x−η2)  (36)


Then, the relationships between truth values and the function values of Expression (36) are shown in the following table.

TABLE 1

| Statement 1 (x = η1) | Statement 2 (x = η2) | Logical OR (x = η1) ∨ (x = η2) | Function value (x − η1)·(x − η2) |
|---|---|---|---|
| True | True | True | 0 |
| True | False | True | 0 |
| False | True | True | 0 |
| False | False | False | Other than 0 |









As understood from Table 1, when the logical OR (x=η1)∨(x=η2) is true, the function value of Expression (36) is zero; and when the logical OR (x=η1)∨(x=η2) is false, the function value of Expression (36) is a value other than zero. In other words, the logical OR (x=η1)∨(x=η2) being true is equivalent to the function value of Expression (36) being zero. Therefore, the logical OR can be expressed by Expression (36).


The logical AND (x=η1)∧(x=η2) of statement 1 indicating that x is η1 and statement 2 indicating that x is η2 is expressed by the following polynomial





τ1·(x−η1)+τ2·(x−η2)  (37)


where τ1 and τ2 are random numbers. Then, the relationships between truth values and the function values of Expression (37) are shown in the following table.

TABLE 2

| Statement 1 (x = η1) | Statement 2 (x = η2) | Logical AND (x = η1) ∧ (x = η2) | Function value τ1·(x − η1) + τ2·(x − η2) |
|---|---|---|---|
| True | True | True | 0 |
| True | False | False | Other than 0 |
| False | True | False | Other than 0 |
| False | False | False | Other than 0 |









As understood from Table 2, when the logical AND (x=η1)∧(x=η2) is true, the function value of Expression (37) is zero; and when the logical AND (x=η1)∧(x=η2) is false, the function value of Expression (37) is a value other than zero. In other words, the logical AND (x=η1)∧(x=η2) being true is equivalent to the function value of Expression (37) being zero. Therefore, the logical AND can be expressed by Expression (37).


As described above, by using Expressions (36) and (37), a logical expression formed of a logical OR(s) and/or a logical AND(s) can be expressed by a polynomial f(x). An example will be shown below.





Logical expression: {(x=η1)∨(x=η2)∨(x=η3)}∧(x=η4)∧(x=η5)

Polynomial: f(x)=τ1·{(x−η1)·(x−η2)·(x−η3)}+τ2·(x−η4)+τ3·(x−η5)  (38)


In Expression (36), one indeterminate element x is used to express the logical OR. A plurality of indeterminate elements can also be used to express a logical OR. For example, two indeterminate elements x0 and x1 are used to express the logical OR (x0=η0)∨(x1=η1) of statement 1 indicating that x0 is η0 and statement 2 indicating that x1 is η1 by the following polynomial.





(x0−η0)·(x1−η1)


Three or more indeterminate elements can also be used to express a logical OR by a polynomial.


In Expression (37), one indeterminate element x is used to express the logical AND. A plurality of indeterminate elements can also be used to express a logical AND. For example, the logical AND (x0=η0)∧(x1=η1) of statement 1 indicating that x0 is η0 and statement 2 indicating that x1 is η1 can be expressed by the following polynomial.





τ0·(x0−η0)+τ1·(x1−η1)


Three or more indeterminate elements can also be used to express a logical AND by a polynomial.


A logical expression that includes a logical OR(s) and/or a logical AND(s) is expressed with H (H≧1) types of indeterminate elements x0, . . . , xH-1 as the polynomial f(x0, . . . , xH-1). It is assumed that a statement for each of the indeterminate elements x0, . . . , xH-1 is “xh is ηh”, where ηh (h=0, . . . , H−1) is a constant determined for each statement. Then, in the polynomial f(x0, . . . , xH-1) indicating the logical expression, the statement indicating that an indeterminate element xh is a constant ηh is expressed by the polynomial indicating the difference between the indeterminate element xh and the constant ηh; the logical OR of statements is expressed by the product of the polynomials indicating the statements; and the logical AND of statements or the logical ORs of statements is expressed by a linear combination of the polynomials indicating the statements or the logical ORs of statements. For example, five indeterminate elements x0, . . . , x4 are used to express a logical expression

{(x0=η0)∨(x1=η1)∨(x2=η2)}∧(x3=η3)∧(x4=η4)

by the following polynomial

f(x0, . . . ,x4)=τ0·{(x0−η0)·(x1−η1)·(x2−η2)}+τ1·(x3−η3)+τ2·(x4−η4)


Relationship Between Polynomial and Inner Product


The polynomial f(x0, . . . , xH-1) indicating a logical expression can be expressed by the inner product of two n-dimensional vectors. More specifically, a vector having the indeterminate elements of the terms of the polynomial f(x0, . . . , xH-1) as elements,

v=(v1, . . . ,vn)

and a vector having the coefficients of the terms of the polynomial f(x0, . . . , xH-1) as elements,

w=(w1, . . . ,wn)

are used to generate the inner product thereof,

f(x0, . . . ,xH-1)=w·v

which is equal to the polynomial f(x0, . . . , xH-1). In other words, whether the polynomial f(x0, . . . , xH-1) indicating a logical expression is zero is equivalent to whether the inner product of the vector v having the indeterminate elements of the terms of the polynomial f(x0, . . . , xH-1) as elements and the vector w having the coefficients of the terms of the polynomial f(x0, . . . , xH-1) as elements is zero.

f(x0, . . . ,xH-1)=0←→w·v=0


For example, a polynomial $f(x)=\theta_0\cdot x^0+\theta_1\cdot x+\ldots+\theta_{n-1}\cdot x^{n-1}$ expressed with one indeterminate element x can be expressed with two n-dimensional vectors

$$w=(w_1,\ldots,w_n)=(\theta_0,\ldots,\theta_{n-1})\qquad(39)$$

$$v=(v_1,\ldots,v_n)=(x^0,\ldots,x^{n-1})\qquad(40)$$


by the inner product thereof.






f(x)=w·v  (41)


In other words, whether the polynomial f(x) indicating a logical expression is zero is equivalent to whether the inner product in Expression (41) is zero.






f(x)=0←→w·v=0  (42)


When a vector having the indeterminate elements of the terms of the polynomial f(x0, . . . , xH-1) as elements is expressed by

w=(w1, . . . ,wn)

and a vector having the coefficients of the terms of the polynomial f(x0, . . . , xH-1) as elements is expressed by

v=(v1, . . . ,vn)


whether the polynomial f(x0, . . . , xH-1) indicating a logical expression is zero is equivalent to whether the inner product of the vector w and the vector v is zero.


For example, when the following expressions are used instead of Expressions (39) and (40),






$$w=(w_1,\ldots,w_n)=(x^0,\ldots,x^{n-1})\qquad(43)$$

$$v=(v_1,\ldots,v_n)=(\theta_0,\ldots,\theta_{n-1})\qquad(44)$$


whether the polynomial f(x) indicating a logical expression is zero is equivalent to whether the inner product in Expression (41) is zero.
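The encoding described in this section can be checked numerically. The following Python sketch is an added example, not code from the patent: it builds the coefficient vector w of Expression (39) for a logical expression shaped like Expression (38), tests it against the attribute vector v of Expression (40), and shows why the coefficients τ have to be drawn at random. The prime Q, the function names and the sample constants are assumptions made for the illustration.

```python
import secrets

Q = 2**61 - 1  # toy prime standing in for the order q of F_q (assumption)

def poly_mul(a, b):
    """Multiply two polynomials over F_q (coefficients listed low degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def or_poly(etas):
    """Logical OR of 'x = eta' statements: product of (x - eta), Expression (36)."""
    p = [1]
    for eta in etas:
        p = poly_mul(p, [(-eta) % Q, 1])
    return p

def predicate_vector(clauses, taus):
    """Logical AND of OR-clauses: sum of tau_i * clause_i(x), Expression (37).

    Each clause is a list of constants eta joined by OR. The result is the
    coefficient vector w = (theta_0, ..., theta_{n-1}) of Expression (39).
    """
    if len(clauses) != len(taus):
        raise ValueError("one tau per clause is required")
    n = max(len(c) for c in clauses) + 1
    w = [0] * n
    for tau, etas in zip(taus, clauses):
        for k, coef in enumerate(or_poly(etas)):
            w[k] = (w[k] + tau * coef) % Q
    return w

def attribute_vector(x, n):
    """v = (x^0, ..., x^{n-1}) of Expression (40)."""
    return [pow(x, k, Q) for k in range(n)]

def inner(w, v):
    """Inner product w.v over F_q."""
    return sum(a * b for a, b in zip(w, v)) % Q

def satisfied(w, x):
    """What the scheme tests: is f(x) = w.v equal to zero (Expression (42))?"""
    return inner(w, attribute_vector(x, len(w))) == 0

def holds(clauses, x):
    """Ground truth of the logical expression for the attribute value x."""
    return all(any((x - eta) % Q == 0 for eta in etas) for etas in clauses)

def random_taus(count):
    """Nonzero coefficients tau drawn uniformly at random from F_q."""
    return [1 + secrets.randbelow(Q - 1) for _ in range(count)]

if __name__ == "__main__":
    # Constructed sample: {(x=3) or (x=7) or (x=11)} and (x=7) and (x=7)
    clauses = [[3, 7, 11], [7], [7]]
    w = predicate_vector(clauses, random_taus(len(clauses)))
    for x in (3, 5, 7, 11):
        print(x, holds(clauses, x), satisfied(w, x))
    # Fixed, predictable tau values can make a false expression evaluate to 0:
    bad = predicate_vector(clauses, [1, 5, 7])
    print("x=5 with tau=(1,5,7):", holds(clauses, 5), satisfied(bad, 5))
```

For a fixed x that makes the expression false, uniformly random τ give f(x)=0 with probability about 1/q, whereas the constructed values τ=(1, 5, 7) make x=5 pass even though the expression is false for it.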


In inner product predicate encryption, one of the vectors v=(v0, . . . , vn-1) and w=(w0, . . . , wn-1) is used as attribute information and the other is used as predicate information. One of the attribute information and predicate information is embedded in ciphertext and the other is embedded in key information. For example, an n-dimensional vector (θ0, . . . , θn-1) is used as predicate information, another n-dimensional vector (x0, . . . , xn-1) is used as attribute information, one of the attribute information and predicate information is embedded in ciphertext, and the other is embedded in key information. It is assumed in the following description that an n-dimensional vector embedded in key information is w=(w1, . . . , wn) and another n-dimensional vector embedded in ciphertext is v=(v1, . . . , vn).


For example,


Predicate information: w=(w1, . . . , wn)=(θ0, . . . , θn-1)


Attribute information: v=(v1, . . . , vn)=(x0, . . . , xn-1)


Alternatively,

Predicate information: v=(v1, . . . , vn)=(θ0, . . . , θn-1)


Attribute information: w=(w1, . . . , wn)=(x0, . . . , xn-1)


Basic Configuration of Inner Product Predicate Encryption


An example basic configuration of a key encapsulation mechanism (KEM) using inner product predicate encryption will be described below. This configuration includes Setup(1k), GenKey(MSK, w), Enc(PA, v), and Dec(SKw, C2).


Setting up Setup(1k)


Input: Security parameter k


Output: Master key information MSK, public parameter PK


In an example of Setup(1k), a security parameter k is used as n, and an (n+1) row by (n+1) column matrix A having (n+1)-dimensional basis vectors ai (i=1, . . . , n+1) as elements, an (n+1) row by (n+1) column matrix A* having basis vectors ai*(i=1, . . . , n+1) as elements, and (n+1) row by (n+1) column matrixes X and X* used for coordinate conversion are selected. Then, (n+1)-dimensional basis vectors bi (i=1, . . . , n+1) are calculated through coordinate conversion by Expression (22), and (n+1)-dimensional basis vectors bi* (i=1, . . . , n+1) are calculated through coordinate conversion by Expression (24). Then, an (n+1) row by (n+1) column matrix B* having the basis vectors bi*(i=1, . . . , n+1) as elements is output as master key information MSK; and vector spaces V and V*, an (n+1) row by (n+1) column matrix B having the basis vectors bi (i=1, . . . , n+1) as elements, the security parameter k, a finite field Fq, an elliptic curve E, cyclic groups G1, G2, and GT, generators g1, g2, and gT, a bilinear function e, and others are output as a public parameter PK.


Key Information Generation GenKey(MSK, w)


Input: Master key information MSK, vector w


Output: Key information D* corresponding to vector w


In an example of GenKey(MSK, w), an element αεFq is selected from the finite field Fq. Then, the matrix B*, which is the master key information MSK, is used to generate and output key information D* corresponding to the vector w in the following way.






$$D^*=\alpha\cdot\Bigl(\sum_{\mu=1}^{n}w_\mu\cdot b_\mu^*\Bigr)+b_{n+1}^*\in G_2^{\,n+1}\qquad(45)$$


If it is difficult to solve a discrete logarithmic problem on the cyclic group G2, it is difficult to separate and extract the components of wμ·bμ* and bn+1* from the key information D*.


Encryption Enc(PA, v)


Input: Public parameter PK, vector v


Output: Ciphertext C2, common key K


In an example of Enc(PA, v), a common key K and a random number υ1, which is an element of the finite field Fq, are generated. Then, the public parameter PK, such as the matrix B, an element υ2 corresponding to a value that includes the common key K, in the finite field Fq, the vector v, and the random number υ1 are used to generate ciphertext C2 in the following way.






$$C_2=\upsilon_1\cdot\Bigl(\sum_{\mu=1}^{n}v_\mu\cdot b_\mu\Bigr)+\upsilon_2\cdot b_{n+1}\in G_1^{\,n+1}\qquad(46)$$

The ciphertext C2 and the common key K are output. An example of the common key K is $g_T^{\tau\cdot\upsilon_2}\in G_T$, where the superscript υ2 means $\upsilon_2$. An example of τ is 1F, as described above. If it is difficult to solve a discrete logarithmic problem on the cyclic group G1, it is difficult to separate and extract the components of vμ·bμ and υ2·bn+1 from the ciphertext C2.


Decryption and Key Sharing Dec(SKw, C2)


Input: Key information D1* corresponding to vector w, ciphertext C2


Output: Common key K


In an example of Dec(SKw, C2), the ciphertext C2 and the key information D1* are input to the bilinear function e of Expression (2). Then, from the characteristics of Expressions (3) and (26), the following is satisfied.













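$$\begin{aligned}
e(C_2,D^*)&=e\Bigl(\upsilon_1\cdot\Bigl(\sum_{\mu=1}^{n}v_\mu\cdot b_\mu\Bigr)+\upsilon_2\cdot b_{n+1},\ \alpha\cdot\Bigl(\sum_{\mu=1}^{n}w_\mu\cdot b_\mu^*\Bigr)+b_{n+1}^*\Bigr)\\
&=e(\upsilon_1\cdot v_1\cdot b_1,\ \alpha\cdot w_1\cdot b_1^*)\cdot\ldots\cdot e(\upsilon_1\cdot v_n\cdot b_n,\ \alpha\cdot w_n\cdot b_n^*)\times e(\upsilon_2\cdot b_{n+1},\ b_{n+1}^*)\\
&=e(b_1,b_1^*)^{\upsilon_1\cdot v_1\cdot\alpha\cdot w_1}\cdot\ldots\cdot e(b_n,b_n^*)^{\upsilon_1\cdot v_n\cdot\alpha\cdot w_n}\cdot e(b_{n+1},b_{n+1}^*)^{\upsilon_2}\\
&=g_T^{\tau\cdot\upsilon_1\cdot v_1\cdot\alpha\cdot w_1}\cdot\ldots\cdot g_T^{\tau\cdot\upsilon_1\cdot v_n\cdot\alpha\cdot w_n}\cdot g_T^{\tau\cdot\upsilon_2}\\
&=g_T^{\tau\cdot\upsilon_1\cdot\alpha\cdot v\cdot w}\cdot g_T^{\tau\cdot\upsilon_2}
\end{aligned}\qquad(47)$$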







When the inner product w·v is zero, Expression (47) can be changed to the following.













$$e(C_2,D^*)=g_T^{\tau\cdot\upsilon_1\cdot\alpha\cdot 0}\cdot g_T^{\tau\cdot\upsilon_2}=g_T^{\tau\cdot\upsilon_2}\qquad(48)$$







From this result, the common key K is generated and output. An example of the common key K is $g_T^{\tau\cdot\upsilon_2}\in G_T$.


First Embodiment

An information generation apparatus and method according to a first embodiment implement hierarchical cryptography by using the predicate encryption described above. More specifically, they employ the basis b* used in the predicate encryption described above to implement information derivation expressed in general semiordered structures other than tree structures.



FIG. 1 is an example of a functional block diagram of the information generation apparatus according to the first embodiment.


Each piece of information is assigned an index v=(v1, . . . , vN-1)εI, where $I=(F_q\cup\{*\})^{N-1}$, and a set w(v)={i|vi=*} corresponding to the index v is defined, where * indicates an indeterminate character. Indexes that will be described below, such as an index u and an index Y, have the same structure as the index v: u=(u1, . . . , uN-1)εI and Y=(Y1, . . . , YN-1)εI. When w(u)⊂w(v) and vi=ui (iε{1, . . . , N−1}\w(v)) for the index uεI and the index vεI, in other words, when w(u)⊂w(v) and vi=ui for any iε{1, . . . , N−1}\w(v), the index u≦the index v and the index v is higher information than the index u. Here the symbol \ indicates set subtraction; for example, A\B={2, 3} when set A={1, 2, 3} and set B={1}.


When the index v={v1, v2, v3}={2, *, *} and the index u={u1, u2, u3}={2, *, 4}, for example, w(v)={2, 3} and w(u)={2} and w(u)⊂w(v) is satisfied. Here, v1=u1=2. Therefore, the index u≦the index v and the index v is higher information than the index u.


In the following description, the index Y corresponds to information generated from the basis bi*, the index v corresponds to information of a derivation base, and the index u corresponds to information derived from information of the derivation base.


Information Generation


The information generation apparatus and method generate information KY corresponding to the index Y by using the basis bi* in Step A1 to Step A3 in FIG. 2. The information KY includes main information kY and derivation information kYj. The main information kY is used as a decryption key, for example, in predicate encryption. The derivation information kYj is used to generate information lower than the information KY corresponding to the index Y.


The information generation apparatus receives the index YεI.


A random number generator 1 generates a random number σYεZq and a random number σYjεZq corresponding to each element jεw(Y) of a set w(Y) (in step A1). The generated random number σY is sent to a main information generator 2. The generated random number σYj is sent to a derivation information generator 3. When the set w(Y)={2, 3}, for example, the random number generator 1 generates σY, σY2, and σY3.


The main information generator 2 uses the generated random number σY to calculate main information kY that satisfies $k_Y=\sigma_Y\sum_{i\in\{1,\ldots,N-1\}\setminus w(Y)}Y_ib_i^*+b_N^*$ (in step A2). The calculated main information kY is stored in a storage 4.


The derivation information generator 3 uses the generated random number σYj to calculate derivation information kYj that satisfies $k_{Yj}=\sigma_{Yj}\sum_{i\in\{1,\ldots,N-1\}\setminus w(Y)}Y_ib_i^*+b_j^*$ for each element jεw(Y) of the set w(Y) (in step A3). The calculated derivation information kYj is stored in the storage 4.


Information Derivation


The information generation apparatus and method generate information Ku corresponding to a lower index u from information Kv corresponding to an upper index v, where u≦v, in step B1 to step B3 shown in FIG. 3.


The information Kv corresponding to the index v includes main information kv and derivation information kvj. The main information kv is used as a decryption key, for example, in predicate encryption. The derivation information kvj is used to generate information lower than the information Kv corresponding to the index v. For example, the index v=Y and the information Kv=KY. The information Ku generated in the processing of steps B1 to B3 may be regarded as new information Kv to generate information Ku′ (u′≦u) lower than the information Ku corresponding to the index u.


The information Ku corresponding to the index u includes main information ku and derivation information kuj. The main information ku is used as a decryption key, for example, in predicate encryption. The derivation information kuj is used to generate information lower than the information Ku corresponding to the index u.


The information generation apparatus receives the index v and the index u.


It is assumed that the storage 4 has stored the information Kv corresponding to the index v.


The random number generator 1 generates a random number σuεZq and a random number σujεZq corresponding to each element jεw(u) of a set w(u) (in step B1). The generated random number σu is sent to a main information deriving unit 5. The generated random number σuj is sent to a derivation information deriving unit 6.


The main information deriving unit 5 uses the main information kv and the derivation information kvi, both of which are read from the storage 4, and the generated random number σu to calculate main information ku corresponding to the index u that satisfies $k_u=\sigma_u\sum_{i\in w(v)\setminus w(u)}u_ik_{vi}+k_v$ (in step B2). The calculated main information ku is stored in the storage 4.


The derivation information deriving unit 6 uses the derivation information kvj read from the storage 4 and the generated random number σuj to calculate derivation information kuj that satisfies $k_{uj}=\sigma_{uj}\sum_{i\in w(v)\setminus w(u)}u_ik_{vi}+k_{vj}$ for each element jεw(u) of the set w(u) (in step B3). The calculated derivation information kuj is stored in the storage 4.


As described above, the information KY corresponding to the index Y is generated and information corresponding to a lower index is derived from the information KY. This means that, for a parent node A and a parent node B both having a common child node C, information of the common child node C can be derived from information of the parent node A and information of the common child node C can be derived from information of the parent node B.


Specific Case 1


A case will be described below in which information of each node serves as a key in predicate encryption and information of an index v3 generated from information of an index v1 matches information of the index v3 generated from information of an index v2 in terms of a key in predicate encryption. The indexes v1, v2, and v3, described below, are examples, and the same things can apply to the other indexes.


It is assumed that the index v1={v1, v2, *, *}, the index v2={*, *, v3, v4}, and the index v3={v1, v2, v3, v4}. From the definition, v1≧v3 and v2≧v3 and the index v1, serving as a parent node, and the index v2, serving as a parent node, have the index v3 as a common child node. In the following description, vi (i=1, 2, 3) may be indicated by v̂i, and the j-th element of the index vi may be indicated by v̂ij.


N is set to 5, and information Kv̂1 corresponding to the index v1 and information Kv̂2 corresponding to the index v2 are generated from N bases b1*, b2*, b3*, b4*, and b5*. Random numbers σv̂1, σv̂13, σv̂14, σv̂2, σv̂23, σv̂24, σv̂3, and σv̂3′ are generated by the random number generator 1.

The information Kv̂1 (main information kv̂1 and derivation information kv̂13 and kv̂14) corresponding to the index v1 is as described below.






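$$k_{\hat{v}1}=\sigma_{\hat{v}1}(v_1b_1^*+v_2b_2^*)+b_5^*$$

$$k_{\hat{v}13}=\sigma_{\hat{v}13}(v_1b_1^*+v_2b_2^*)+b_3^*$$

$$k_{\hat{v}14}=\sigma_{\hat{v}14}(v_1b_1^*+v_2b_2^*)+b_4^*$$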


The information Kv̂2 (main information kv̂2 and derivation information kv̂21 and kv̂22) corresponding to the index v2 is as described below.






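$$k_{\hat{v}2}=\sigma_{\hat{v}2}(v_3b_3^*+v_4b_4^*)+b_5^*$$

$$k_{\hat{v}21}=\sigma_{\hat{v}23}(v_3b_3^*+v_4b_4^*)+b_1^*$$

$$k_{\hat{v}22}=\sigma_{\hat{v}24}(v_3b_3^*+v_4b_4^*)+b_2^*$$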


The main information kv̂3 corresponding to the index v3 is derived from the information Kv̂1 corresponding to the index v1 as described below.













$$\begin{aligned}
k_{\hat{v}3}&=\sigma_{\hat{v}3}(v_3k_{\hat{v}13}+v_4k_{\hat{v}14})+k_{\hat{v}1}\\
&=\bigl(\sigma_{\hat{v}3}(v_3\sigma_{\hat{v}13}+v_4\sigma_{\hat{v}14})+\sigma_{\hat{v}1}\bigr)(v_1b_1^*+v_2b_2^*)+\sigma_{\hat{v}3}(v_3b_3^*+v_4b_4^*)+b_5^*\\
&=a(v_1b_1^*+v_2b_2^*)+b(v_3b_3^*+v_4b_4^*)+b_5^*
\end{aligned}\qquad(A)$$

where a=(σv̂3(v3σv̂13+v4σv̂14)+σv̂1) and b=σv̂3.


Main information kv̂3 corresponding to the index v3 is derived from the information Kv̂2 corresponding to the index v2 as described below.













$$\begin{aligned}
k_{\hat{v}3}&=\sigma_{\hat{v}3}'(v_1k_{\hat{v}21}+v_2k_{\hat{v}22})+k_{\hat{v}2}\\
&=\bigl(\sigma_{\hat{v}3}'(v_1\sigma_{\hat{v}23}+v_2\sigma_{\hat{v}24})+\sigma_{\hat{v}2}\bigr)(v_3b_3^*+v_4b_4^*)+\sigma_{\hat{v}3}'(v_1b_1^*+v_2b_2^*)+b_5^*\\
&=c(v_1b_1^*+v_2b_2^*)+d(v_3b_3^*+v_4b_4^*)+b_5^*
\end{aligned}\qquad(B)$$

where c=σv̂3′ and d=(σv̂3′(v1σv̂23+v2σv̂24)+σv̂2).


The main information kv̂3 derived from the information Kv̂1, shown in Expression (A), and the main information kv̂3 derived from the information Kv̂2, shown in Expression (B), are not equal in value but are a same-value key in predicate encryption. More specifically, when (v1b1*+v2b2*) is regarded as the inner product of a vector (b1*, b2*) and a vector (v1, v2), the direction of the vector (v1, v2) with respect to the vector (b1*, b2*) is the same in both Expressions (A) and (B); when (v3b3*+v4b4*) is regarded as the inner product of a vector (b3*, b4*) and a vector (v3, v4), the direction of the vector (v3, v4) with respect to the vector (b3*, b4*) is the same in both Expressions (A) and (B). This means that both keys are a same-value key in predicate encryption.
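Steps A1 to A3, steps B1 to B3 and Specific Case 1 can be traced with the following Python sketch, an added example that is not code from the patent. It assumes a toy model in which every group element is replaced by its vector of exponents over Zq and each bi and bi* by the i-th unit vector, which keeps the algebra but offers no security; Q, the function names, the ciphertext check modelled on Expressions (46) to (48) and the sample index values are likewise assumptions.

```python
import secrets

Q = 2**61 - 1   # toy prime order q (assumption; the page fixes no parameters)
STAR = None     # the indeterminate character '*'

def fresh():
    """Uniform element of Z_q."""
    return secrets.randbelow(Q)

def wild(idx):
    """w(v) = {i | v_i = *}, with 1-based positions as on the page."""
    return {i + 1 for i, x in enumerate(idx) if x is STAR}

def leq(u, v):
    """u <= v: w(u) is a subset of w(v) and u_i = v_i wherever v_i is fixed."""
    return len(u) == len(v) and wild(u) <= wild(v) and all(
        u[i] == v[i] for i in range(len(v)) if v[i] is not STAR)

def unit(i, n):
    """Exponent vector standing in for the basis vector b_i* (toy model)."""
    return [1 if k == i - 1 else 0 for k in range(n)]

def axpy(s, a, b):
    """s*a + b over Z_q, componentwise."""
    return [(s * x + y) % Q for x, y in zip(a, b)]

def generate(Y, rand=fresh):
    """Steps A1-A3: main information k_Y and derivation information k_Yj."""
    n = len(Y) + 1
    fixed = [0] * n                 # sum of Y_i * b_i* over i not in w(Y)
    for i, y in enumerate(Y):
        if y is not STAR:
            fixed[i] = y % Q
    main = axpy(rand(), fixed, unit(n, n))
    deriv = {j: axpy(rand(), fixed, unit(j, n)) for j in sorted(wild(Y))}
    return main, deriv

def derive(K_v, v, u, rand=fresh):
    """Steps B1-B3: information for a lower index u from K_v, where u <= v."""
    if not leq(u, v):
        raise ValueError("u is not below v in the partial order")
    k_v, k_vj = K_v
    mix = [0] * len(k_v)            # sum of u_i * k_vi over i in w(v)\w(u)
    for i in sorted(wild(v) - wild(u)):
        mix = axpy(u[i - 1], k_vj[i], mix)
    main = axpy(rand(), mix, k_v)
    deriv = {j: axpy(rand(), mix, k_vj[j]) for j in sorted(wild(u))}
    return main, deriv

def proportional(a, b):
    """True when a and b have the same direction over Z_q."""
    return all((a[i] * b[j] - a[j] * b[i]) % Q == 0
               for i in range(len(a)) for j in range(i + 1, len(a)))

def encapsulate(x, rand=fresh):
    """Ciphertext shaped like Expression (46) in exponent form, plus upsilon_2."""
    u1, u2 = rand(), rand()
    return [(u1 * xi) % Q for xi in x] + [u2], u2

def pair(c, k):
    """Exponent of g_T in e(C, k), taking tau = 1 and dual orthonormal bases."""
    return sum(ci * ki for ci, ki in zip(c, k)) % Q

if __name__ == "__main__":
    # Constructed sample indexes: two parents sharing one child (N = 5)
    v1, v2, v3 = (2, 3, STAR, STAR), (STAR, STAR, 5, 7), (2, 3, 5, 7)
    kA, _ = derive(generate(v1), v1, v3)   # Expression (A)
    kB, _ = derive(generate(v2), v2, v3)   # Expression (B)
    print("equal in value:", kA == kB)
    print("same direction on (b1*, b2*):", proportional(kA[:2], kB[:2]))
    print("same direction on (b3*, b4*):", proportional(kA[2:4], kB[2:4]))
    c, key = encapsulate([3, -2, 7, -5])   # 2*3-3*2 = 0 and 5*7-7*5 = 0
    print("both recover the key:", pair(c, kA) == key == pair(c, kB))
```

In this model the two child keys differ as vectors but recover the same value from any ciphertext whose attribute vector is orthogonal to both (v1, v2) and (v3, v4), which is the sense in which Expressions (A) and (B) give a same-value key.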


Second Embodiment


FIG. 4 is an example functional block diagram of an information generation apparatus according to a second embodiment.


It is assumed that cyclic groups G and GT have a prime order q; the cyclic group G has a generator g; the cyclic group G has a pairing function e: G×G→GT, which makes gT=e(g, g) a generator of the cyclic group GT; a random number a is selected from Zp at random; and g, $g_1=g^a\in G$, and g2, g3, h1, . . . , hN-1εG randomly selected from the cyclic group G are made publicly available as public keys.


Information Generation


The information generation apparatus and an information generation method generate information KY corresponding to an index Y by using the public keys in step C1 to step C4 in FIG. 5. The information KY includes first main information kY, second main information $g^{r_Y}$, and derivation information kYj. The first main information kY and the second main information $g^{r_Y}$ are used, for example, as decryption keys. The derivation information kYj is used to generate information lower than the information KY corresponding to the index Y.


The information generation apparatus receives the index YεI.


A random number generator 1 generates a random number rYεZq (in step C1). The generated random number rY is sent to a first main information generator 21, a second main information generator 22, and a derivation information generator 3.


The first main information generator 21 uses the generated random number rY to calculate first main information kY that satisfies $k_Y=g_2^{a}\bigl(g_3\prod_{i\in\{1,\ldots,N-1\}\setminus w(Y)}h_i^{Y_i}\bigr)^{r_Y}$ (in step C2). The calculated first main information kY is stored in a storage 4.


The second main information generator 22 uses the generated random number rY to calculate second main information $g^{r_Y}$ (in step C3). The calculated second main information $g^{r_Y}$ is stored in the storage 4.


The derivation information generator 3 uses the generated random number rY to calculate derivation information kYj that satisfies $k_{Yj}=h_j^{r_Y}$ for each element jεw(Y) of a set w(Y) (in step C4). The calculated derivation information kYj is stored in the storage 4.


Information Derivation


The information generation apparatus and method generate information Ku corresponding to a lower index u from information Kv corresponding to an upper index v, where u≦v, in step D1 to step D4 shown in FIG. 6.


The information Kv corresponding to the index v includes first main information kv, second main information $g^{r_v}$, and derivation information kvj. The first main information kv and the second main information $g^{r_v}$ are used, for example, as decryption keys. The derivation information kvj is used to generate information lower than the information Kv corresponding to the index v. For example, the index v=Y and the information Kv=KY. The information Ku generated in the processing of steps D1 to D4 may be regarded as new information Kv to generate information Ku′ (u′≦u) lower than the information Ku corresponding to the index u.


The information Ku corresponding to the index u includes first main information ku, second main information $g^{r_u}$, and derivation information kuj. The first main information ku and the second main information $g^{r_u}$ are used, for example, as decryption keys. The derivation information kuj is used to generate information lower than the information Ku corresponding to the index u.


The information generation apparatus receives the index v and the index u.


It is assumed that the storage 4 has stored the information Kv corresponding to the index v.


The random number generator 1 generates a random number ru (in step D1). The generated random number is sent to a first main information deriving unit 51, a second main information deriving unit 52, and a derivation information deriving unit 6.


The first main information deriving unit 51 uses the first main information kv and the derivation information kvi, both of which are read from the storage 4, and the generated random number ru to calculate first main information ku corresponding to the index u that satisfies $k_u=k_v\bigl(\prod_{i\in w(v)\setminus w(u)}k_{vi}^{u_i}\bigr)\bigl(g_3\prod_{i\in\{1,\ldots,N-1\}\setminus w(v)\setminus w(u)}h_i^{u_i}\bigr)^{r_u}$ (in step D2). The calculated first main information ku is stored in the storage 4.


The second main information deriving unit 52 uses the generated random number ru to calculate second main information gru (in step D3). The calculated second main information gru is stored in the storage 4.


The derivation information deriving unit 6 uses the derivation information kvi read from the storage 4 and the generated random number ru to calculate derivation information kuj that satisfies $k_{uj} = k_{vj} h_j^{r_u}$ for each element $j \in w(u)$ of a set w(u) (in step D4). The calculated derivation information kuj is stored in the storage 4.


As described above, the information KY corresponding to the index Y is generated and information corresponding to a lower index is derived from the information Kv. This means that, for a parent node A and a parent node B both having a common child node C, information of the common child node C can be derived from information of the parent node A and information of the common child node C can be derived from information of the parent node B.


Specific Case 2


A case will be described below in which information of each node serves as a key in predicate encryption, and information of an index $v^3$ generated from information of an index $v^1$ matches, as a key in predicate encryption, information of the index $v^3$ generated from information of an index $v^2$. The indexes $v^1$, $v^2$, and $v^3$ described below are examples, and the same applies to the other indexes.


It is assumed that the index $v^1=\{v_1, v_2, *, *\}$, the index $v^2=\{*, *, v_3, v_4\}$, and the index $v^3=\{v_1, v_2, v_3, v_4\}$. From the definition, $v^1 \ge v^3$ and $v^2 \ge v^3$, and the index $v^1$, serving as a parent node, and the index $v^2$, serving as a parent node, have the index $v^3$ as a common child node. In the following description, $v^i$ (i=1, 2, 3) may be indicated by v̂i, and the j-th element of the index $v^i$ may be indicated by v̂ij.


It is assumed that N is set to 5 and that $g_1=g^a, g_2, g_3, h_1, h_2, h_3, h_4 \in G$ are made publicly available as public keys. From these public keys, information Kv̂1 corresponding to the index $v^1$ and information Kv̂2 corresponding to the index $v^2$ are generated. Random numbers rv̂1 and rv̂2 are generated by the random number generator 1.


The information Kv̂1 (first main information kv̂1, second main information grv̂1, and derivation information kv̂13 and kv̂14) corresponding to the index $v^1$ is as described below.






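$$k_{\hat{v}1} = g_2^{a}\left(g_3 h_1^{v_1} h_2^{v_2}\right)^{r_{\hat{v}1}}$$

$$g^{r_{\hat{v}1}}$$

$$k_{\hat{v}13} = h_3^{r_{\hat{v}1}}$$

$$k_{\hat{v}14} = h_4^{r_{\hat{v}1}}$$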


The information Kv̂2 (first main information kv̂2, second main information grv̂2, and derivation information kv̂21 and kv̂22) corresponding to the index $v^2$ is as described below.






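$$k_{\hat{v}2} = g_2^{a}\left(g_3 h_3^{v_3} h_4^{v_4}\right)^{r_{\hat{v}2}}$$

$$g^{r_{\hat{v}2}}$$

$$k_{\hat{v}21} = h_1^{r_{\hat{v}2}}$$

$$k_{\hat{v}22} = h_2^{r_{\hat{v}2}}$$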


First main information kv̂3 corresponding to the index $v^3$ is derived from the information Kv̂1 corresponding to the index $v^1$ as described below.













$$k_{\hat{v}3} = k_{\hat{v}1}\left(k_{\hat{v}13}^{v_3} k_{\hat{v}14}^{v_4}\right)\left(g_3 h_1^{v_1} h_2^{v_2} h_3^{v_3} h_4^{v_4}\right)^{r_{\hat{v}3}} = g_2^{a}\left(g_3 h_1^{v_1} h_2^{v_2} h_3^{v_3} h_4^{v_4}\right)^{r} \qquad \text{(C)}$$







where $r_{\hat{v}3}$ is a random number generated by the random number generator 1, and $r = r_{\hat{v}1} + r_{\hat{v}3}$.


First main information kv̂3 corresponding to the index $v^3$ is derived from the information Kv̂2 corresponding to the index $v^2$ as described below.













$$k_{\hat{v}3} = k_{\hat{v}2}\left(k_{\hat{v}21}^{v_1} k_{\hat{v}22}^{v_2}\right)\left(g_3 h_1^{v_1} h_2^{v_2} h_3^{v_3} h_4^{v_4}\right)^{r_{\hat{v}3}'} = g_2^{a}\left(g_3 h_1^{v_1} h_2^{v_2} h_3^{v_3} h_4^{v_4}\right)^{r'} \qquad \text{(D)}$$







where $r_{\hat{v}3}'$ is a random number and $r' = r_{\hat{v}2} + r_{\hat{v}3}'$.


The pair consisting of the first main information kv̂3 derived from the information Kv̂1, shown in Expression (C), and the second main information grv̂3 is not equal in value to the pair consisting of the first main information kv̂3 derived from the information Kv̂2, shown in Expression (D), and the second main information grv̂3′. The two pairs are nevertheless a same-value key in predicate encryption, because the ratios of the exponents of the public keys g3, h1, h2, h3, and h4 are equal.
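The algebra of steps D2 and D4 and of Expressions (C) and (D) can be checked without a pairing library by tracking exponents symbolically. The Python sketch below is an added example, not part of the patent text: it represents each element of G by its exponent vector over the formal basis (g2^a, g3, h1, ..., h4), covers only first main information and derivation information, and also supports chained derivation from an all-wildcard index, which goes beyond Specific Case 2. The names generate, derive, ratios and common_child, the order Q, and the sample values 11, 22, 33, 44 are assumptions made here.

```python
import secrets

Q = 2**127 - 1  # constructed prime order q of G (assumption; any prime works)
BASIS = ("g2^a", "g3", "h1", "h2", "h3", "h4")  # N = 5, so h1..h4
WILD = "*"  # the indeterminate character

def unit(name, e=1):
    """Basis element `name` raised to e, as an exponent vector over BASIS."""
    return tuple(e % Q if b == name else 0 for b in BASIS)

def mul(x, y):
    """Group multiplication: exponents add mod q."""
    return tuple((a + b) % Q for a, b in zip(x, y))

def power(x, e):
    """Group exponentiation: exponents scale mod q."""
    return tuple(a * e % Q for a in x)

def w(index):
    """w(index) = {i | index_i = *}, 1-based as in the text."""
    return {i for i, c in enumerate(index, 1) if c == WILD}

def base(index):
    """g3 * prod of h_i^{index_i} over the non-wildcard positions of index."""
    out = unit("g3")
    for i in set(range(1, len(index) + 1)) - w(index):
        out = mul(out, unit(f"h{i}", index[i - 1]))
    return out

def generate(Y, r=None):
    """k_Y = g2^a (g3 prod h_i^{Y_i})^{r_Y} and k_Yj = h_j^{r_Y} for j in w(Y)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return {"k": mul(unit("g2^a"), power(base(Y), r)),
            "d": {j: unit(f"h{j}", r) for j in w(Y)}}

def derive(Kv, v, u, r=None):
    """Steps D2 and D4: key for the lower index u from the key Kv for v."""
    fixed_v = set(range(1, len(v) + 1)) - w(v)
    if not w(u) <= w(v) or any(u[i - 1] != v[i - 1] for i in fixed_v):
        raise ValueError("u is not a lower index of v")
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    k = Kv["k"]
    for i in w(v) - w(u):  # positions that u fills in
        k = mul(k, power(Kv["d"][i], u[i - 1]))
    k = mul(k, power(base(u), r))
    return {"k": k, "d": {j: mul(Kv["d"][j], unit(f"h{j}", r)) for j in w(u)}}

def ratios(K):
    """Exponents of (g3, h1..h4) in k, scaled so that the g3 exponent is 1."""
    inv = pow(K["k"][1], -1, Q)
    return tuple(e * inv % Q for e in K["k"][1:])

# Constructed sample values for v1..v4 (not from the patent).
V1 = (11, 22, WILD, WILD)
V2 = (WILD, WILD, 33, 44)
V3 = (11, 22, 33, 44)

def common_child():
    """Derive the key for V3 once from V1 and once from V2."""
    return derive(generate(V1), V1, V3), derive(generate(V2), V2, V3)

if __name__ == "__main__":
    a, b = common_child()
    print("same value:", a["k"] == b["k"])
    print("same exponent ratios:", ratios(a) == ratios(b) == (1, 11, 22, 33, 44))
```

The exponent-vector model only verifies the bookkeeping of the formulas; it provides no secrecy and is not a substitute for a pairing-based implementation.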


Modifications and Others


In each of the above described embodiments, the information generation apparatus includes all of the main information generator 2, the derivation information generator 3, the main information deriving unit 5, and the derivation information deriving unit 6, but the information generation apparatus needs to have at least one of them. For example, the information generation apparatus may have only the main information generator 2 and the derivation information generator 3. Alternatively, the information generation apparatus may have only the main information deriving unit 5 and the derivation information deriving unit 6, and may use the information Kv already generated and stored in the storage 4 to generate the information Ku.


Each operation defined on the finite field Fq may be replaced with an operation defined on a finite ring Zq of order q. An example of replacing each operation defined on the finite field Fq with an operation defined on the finite ring Zq is a method of permitting q other than a prime number or a power thereof.


Each of the information generation apparatuses described above can be implemented by a computer. In that case, the processing details of the functions that should be provided by the apparatus are described in a program. When the program is executed by a computer, the processing functions of the apparatus are implemented on the computer.


The information generation program containing the processing details can be recorded in a computer-readable recording medium. The information generation apparatus is configured when the program is executed by a computer. At least a part of the processing details may be implemented by hardware.


The present invention is not limited to the above described embodiments. Any modifications are possible within the scope of the present invention.

Claims
  • 1: An information generation apparatus comprising: a random number generator adapted to generate a random number σY∈Zq and a random number σYj∈Zq corresponding to each element j∈w(Y) of a set w(Y); a main information generator adapted to use the generated random number σY to calculate main information kY that satisfies kY=σYΣi∈{1, . . . , N-1}\w(Y)Yibi*+bN*; and a derivation information generator adapted to use the generated random number σYj to calculate derivation information kYj that satisfies kYj=σYjΣi∈{1, . . . , N-1}\w(Y)Yibi*+bj* for each element j∈w(Y) of the set w(Y); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group GT in response to inputs of N elements γL (L=1, . . . , N) (N≧2) of a cyclic group G1 and N elements γL* (L=1, . . . , N) of a cyclic group G2; bi∈G1N (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G1 as elements; bj*∈G2N (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G2 as elements; a function value obtained when each element of the basis vector bi∈G1N (i=1, . . . , N) and each element of the basis vector bj*∈G2N (j=1, . . . , N) are put into the bilinear function e is represented by gTτ·δ(i,j)∈GT, using a Kronecker's delta function in which δ(i, j)=1F when i=j and δ(i, j)=0F when i≠j; 0F is an additive unit element of a finite field Fq; 1F is a multiplicative unit element of the finite field Fq; τ is an element of the finite field Fq, other than 0F; and gT is a generator of the cyclic group GT; and * indicates an indeterminate character, an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1, the set w(Y) corresponds to the index Y, and w(Y)={i|Yi=*}.
  • 2: The information generation apparatus according to Claim 1, wherein the random number generator further generates a random number σu∈Zq, the information generation apparatus comprising: a storage unit adapted to store main information kv corresponding to an index v and derivation information kvj corresponding to the index v; and a main information deriving unit adapted to use the main information kv and derivation information kvi, both of which are read from the storage unit, and the generated random number σu to calculate main information ku corresponding to an index u, which satisfies ku=σuΣi∈w(v)\w(u)uikvi+kv; where * indicates an indeterminate character; the index v is v=(v1, . . . , vN-1)∈I=(Fq∪{*})N-1; w(v) is a set corresponding to the index v and w(v)={i|vi=*}; the index u is u=(u1, . . . , uN-1)∈I=(Fq∪{*})N-1; w(u) is a set corresponding to the index u and w(u)={i|ui=*}; w(u)⊂w(v); and vi=ui (i∈{1, . . . , N−1}\w(v)).
  • 3: The information generation apparatus according to Claim 2, wherein the random number generator further generates a random number σuj∈Zq, corresponding to each element j∈w(u) of the set w(u); the information generation apparatus further comprising: a derivation information deriving unit adapted to use the derivation information kvj read from the storage unit and the generated random number σuj to calculate derivation information kuj corresponding to the index u, which satisfies kuj=σujΣi∈w(v)\w(u)uikvi+kvj, for each element j∈w(u) of the set w(u).
  • 4: An information generation apparatus comprising: a storage unit adapted to store main information kv serving as main information kY or corresponding to an index v, derived from the main information kY and derivation information kYj, and derivation information kvj serving as the derivation information kYj or corresponding to the index v, derived from the derivation information kYj; a random number generator adapted to generate a random number σu∈Zq; and a main information deriving unit adapted to use the main information kv and derivation information kvi, both of which are read from the storage unit, and the generated random number σu to calculate main information ku corresponding to an index u, which satisfies ku=σuΣi∈w(v)\w(u)uikvi+kv; where e is a non-degenerate, bilinear function that outputs one element of a cyclic group GT in response to inputs of N elements γL (L=1, . . . , N) (N≧2) of a cyclic group G1 and N elements γL* (L=1, . . . , N) of a cyclic group G2; bi∈G1N (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G1 as elements; bj*∈G2N (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G2 as elements; a function value obtained when each element of the basis vector bi∈G1N (i=1, . . . , N) and each element of the basis vector bj*∈G2N (j=1, . . . , N) are put into the bilinear function e is represented by gTτ·δ(i,j)∈GT, using a Kronecker's delta function in which δ(i, j)=1F when i=j and δ(i, j)=0F when i≠j; 0F is an additive unit element of a finite field Fq; 1F is a multiplicative unit element of the finite field Fq; τ is an element of the finite field Fq, other than 0F; and gT is a generator of the cyclic group GT; and * indicates an indeterminate character; an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1; a set w(Y) corresponding to the index Y is w(Y)={i|Yi=*}; σY∈Zq is a random number; σYj∈Zq is a random number corresponding to each element j∈w(Y) of the set w(Y); the main information kY corresponds to the index Y and satisfies kY=σYΣi∈{1, . . . , N-1}\w(Y)Yibi*+bN*; and the derivation information kYj corresponds to the index Y and satisfies kYj=σYjΣi∈{1, . . . , N-1}\w(Y)Yibi*+bj*; * indicates an indeterminate character; the index v is v=(v1, . . . , vN-1)∈I=(Fq∪{*})N-1; the index u is u=(u1, . . . , uN-1)∈I=(Fq∪{*})N-1; w(v) is a set corresponding to the index v and w(v)={i|vi=*}; w(u) is a set corresponding to the index u and w(u)={i|ui=*}; w(u)⊂w(v); and vi=ui (i∈{1, . . . , N−1}\w(v)).
  • 5: The information generation apparatus according to Claim 4, wherein the random number generator further generates a random number σuj∈Zq, corresponding to each element j∈w(u) of the set w(u); the information generation apparatus further comprising: a derivation information deriving unit adapted to use the derivation information kvj read from the storage unit and the generated random number σuj to calculate derivation information kuj that satisfies kuj=σujΣi∈w(v)\w(u)uikvi+kvj for each element j∈w(u) of the set w(u).
  • 6: An information generation apparatus comprising: a random number generator adapted to generate a random number rY∈Zq; a first main information generator adapted to use the generated random number rY to calculate first main information kY that satisfies kY=g2a(g3Πi∈{1, . . . , N-1}\w(Y)hiYi)rY; a second main information generator adapted to use the generated random number rY to calculate second main information grY; and a derivation information generator adapted to use the generated random number rY to calculate derivation information kYj that satisfies kYj=hjrY for each element j∈w(Y) of a set w(Y); where G and GT are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→GT, which makes gT=e(g, g) a generator of the cyclic group GT; a is a random number selected at random from Zp; and g, g1=ga∈G, and g2, g3, h1, . . . , hN-1∈G randomly selected from the cyclic group G are made publicly available as public keys; and * indicates an indeterminate character; an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1; the set w(Y) corresponds to the index Y; and w(Y)={i|Yi=*}.
  • 7: The information generation apparatus according to Claim 6, wherein the random number generator further generates a random number ru∈Zq, the information generation apparatus comprising: a storage unit adapted to store first main information kv corresponding to an index v, second main information gr, and derivation information kvj corresponding to the index v; a first main information deriving unit adapted to use the first main information kv and derivation information kvi, both of which are read from the storage unit, to calculate first main information ku corresponding to an index u, which satisfies ku=kv(Πi∈w(v)\w(u)kviui)(g3Πi∈{1, . . . , N-1}\w(v)hiviΠi∈w(v)\w(u)hiui)ru; and a second main information deriving unit adapted to use the generated random number ru to calculate second main information gru; where * indicates an indeterminate character; the index v is v=(v1, . . . , vN-1)∈I=(Fq∪{*})N-1; w(v) is a set corresponding to the index v and w(v)={i|vi=*}; the index u is u=(u1, . . . , uN-1)∈I=(Fq∪{*})N-1; and w(u) is a set corresponding to the index u and w(u)={i|ui=*}; w(u)⊂w(v); and vi=ui (i∈{1, . . . , N−1}\w(v)).
  • 8: The information generation apparatus according to Claim 7, further comprising a derivation information deriving unit adapted to use the derivation information kvi read from the storage unit and the generated random number ru to calculate derivation information kuj that satisfies kuj=kvjhjru for element j∈w(u) of the set w(u).
  • 9: An information generation apparatus comprising: a random number generator adapted to generate a random number ru∈Zq; a storage unit adapted to store main information kv serving as main information KY or corresponding to an index v, derived from first main information kY and derivation information kYj, and derivation information kvj serving as derivation information KYj or corresponding to the index v, derived from the derivation information kYj; a first main information deriving unit adapted to use the first main information kv and derivation information kvi, both of which are read from the storage unit, to calculate first main information ku corresponding to an index u, which satisfies ku=kv(Πi∈w(v)\w(u)kviui)(g3Πi∈{1, . . . , N-1}\w(v)hiviΠi∈w(v)\w(u)hiui)ru; and a second main information deriving unit adapted to use the generated random number ru to calculate second main information gru; where G and GT are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→GT, which makes gT=e(g, g) a generator of the cyclic group GT; a is a random number selected at random from Zp; and g, g1=ga∈G, and g2, g3, h1, . . . , hN-1∈G randomly selected from the cyclic group G are made publicly available as public keys; * indicates an indeterminate character; an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1; and a set w(Y) corresponding to the index Y is w(Y)={i|Yi=*}; rY∈Zq is a random number; the first main information kY corresponds to the index Y and satisfies kY=g2a(g3Πi∈{1, . . . , N-1}\w(Y)hiYi)rY; grY is second main information corresponding to the index Y; and the derivation information kYj corresponds to the index Y and satisfies kYj=hjrY; and * indicates an indeterminate character; the index v is v=(v1, . . . , vN-1)∈I=(Fq∪{*})N-1; w(v) is a set corresponding to the index v and w(v)={i|vi=*}; the index u is u=(u1, . . . , uN-1)∈I=(Fq∪{*})N-1; w(u) is a set corresponding to the index u and w(u)={i|ui=*}; set w(u)⊂set w(v); and vi=ui (i∈{1, . . . , N−1}\w(v)).
  • 10: The information generation apparatus according to Claim 9, further comprising a derivation information deriving unit adapted to use the derivation information kvi read from the storage unit and the generated random number ru to calculate derivation information kuj that satisfies kuj=kvjhjru for element j∈w(u) of the set w(u).
  • 11: An information generation method comprising: a random number generation step of generating, in a random number generator, a random number σY∈Zq and a random number σYj∈Zq corresponding to each element j∈w(Y) of a set w(Y); a main information generation step of using, in a main information generator, the generated random number σY to calculate main information kY that satisfies kY=σYΣi∈{1, . . . , N-1}\w(Y)Yibi*+bN*; and a derivation information generation step of using, in a derivation information generator, the generated random number σYj to calculate derivation information kYj that satisfies kYj=σYjΣi∈{1, . . . , N-1}\w(Y)Yibi*+bj* for each element j∈w(Y) of the set w(Y); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group GT in response to inputs of N elements γL (L=1, . . . , N) (N≧2) of a cyclic group G1 and N elements γL* (L=1, . . . , N) of a cyclic group G2; bi∈G1N (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G1 as elements; bj*∈G2N (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G2 as elements; a function value obtained when each element of the basis vector bi∈G1N (i=1, . . . , N) and each element of the basis vector bj*∈G2N (j=1, . . . , N) are put into the bilinear function e is represented by gTτ·δ(i,j)∈GT, using a Kronecker's delta function in which δ(i, j)=1F when i=j and δ(i, j)=0F when i≠j; 0F is an additive unit element of a finite field Fq; 1F is a multiplicative unit element of the finite field Fq; τ is an element of the finite field Fq, other than 0F; and gT is a generator of the cyclic group GT; and * indicates an indeterminate character, an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1, and the set w(Y) corresponds to the index Y and w(Y)={i|Yi=*}.
  • 12: An information generation method comprising: a random number generation step of generating, in a random number generator, a random number rY∈Zq; a first main information generation step of using, in a first main information generator, the generated random number rY to calculate first main information kY that satisfies kY=g2a(g3Πi∈{1, . . . , N-1}\w(Y)hiYi)rY; a second main information generation step of using, in a second main information generator, the generated random number rY to calculate second main information grY; and a derivation information generation step of using, in a derivation information generator, the generated random number rY to calculate derivation information kYj that satisfies kYj=hjrY for each element j∈w(Y) of a set w(Y); where G and GT are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→GT, which makes gT=e(g, g) a generator of the cyclic group GT; a is a random number selected at random from Zp; and g, g1=ga∈G, and g2, g3, h1, . . . , hN-1∈G randomly selected from the cyclic group G are made publicly available as public keys; and * indicates an indeterminate character; an index Y is Y=(Y1, . . . , YN-1)∈I=(Fq∪{*})N-1; and the set w(Y) corresponds to the index Y and w(Y)={i|Yi=*}.
  • 13: An information generation program causing a computer to function as each unit of the information generation apparatus according to one of claims 1 to 10.
  • 14: A computer-readable recording medium having stored thereon the information generation program according to Claim 13.
Priority Claims (1)
  • Number: 2009-106009
  • Date: Apr 2009
  • Country: JP
  • Kind: national
PCT Information
  • Filing Document: PCT/JP2010/057279
  • Filing Date: 4/23/2010
  • Country: WO
  • Kind: 00
  • 371c Date: 10/14/2011