
Hierarchical Time-Released Proxy Re-Encryption


Academic year: 2021


(1)Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. Hierarchical Time-Released Proxy Re-Encryption খᖒ ‫ݡ‬༎1,a). ᴡ౻ ହҰ1,b). ֓ཁɿ෮߸࣌ؒΛࢦఆՄೳͳϚϧνΩϟετ҉߸௨৴Λ࣮‫ݱ‬Մೳͳެ։‫ ͯ͠ͱࣜํ߸҉ݤ‬Timed-Release. Proxy Re-Encryption(TR-PRE) ͕͋Δɻ͔͠͠ɺ͜ͷํࣜ͸Ұͭͷ Proxy ʹ࠶҉߸Խॲཧ͕ूத͢Δͱ ͍͏໰୊͕͋Δɻ ຊߘͰ͸ɺෳ਺ͷ Proxy Λ֊૚తʹ഑ஔ͢Δ͜ͱʹΑΓ࠶҉߸ԽॲཧΛ෼ࢄՄೳͳެ։ ‫ ”ࣜํ߸҉ݤ‬hierarchical Timed-Release Proxy Re-Encryption(hierarchicalTR-PRE)”ΛఏҊ͢Δɻ. 1. ͸͡Ίʹ ެ։લͷ৽࡞өըɺ‫ۀا‬ͷܾࢉɾ‫ג‬Ձ৘ใɺిࢠ౤ථͷ ू‫݁ܭ‬ՌͳͲ͸ɺಛఆ࣌ࠁ·Ͱ৘ใΛൿಗ͠ɺಛఆ࣌ࠁ‫ޙ‬ Ұ੪ʹެ։͢Δඞཁ͕͋Δɻଟ͘ͷ৔߹͜ͷΑ͏ͳ৘ใ͸ ෳ਺ͷϢʔβʹର͠ެ։͞ΕΔ͜ͱ͕༧૝͞ΕΔɻಛఆ࣌ ࠁ·ͰൿີΛकΔͨΊͷํ๏ͱͯ͠ߟ͑ΒΕΔͷ͸ɺಛఆ ࣌ࠁ·Ͱ͸෺ཧతʹൿີʹ͓͖ͯ͠ɺಛఆ࣌ࠁʹͳΔͱಉ ࣌ʹωοτͳͲͷ֤ഔମΛ௨͡৘ใΛެ։͢Δํ๏Ͱ͋ Δɻ͔͠͠࠷৽ͷ৘ใ͸ެ։௚‫ʹޙ‬ଟ਺ͷϢʔβ͕Ұ੪ʹ ‫ٻ‬ΊΔ͜ͱ͕ଟ͘ɺ͜ͷํ๏Ͱ͸γεςϜʹଟେͳෛՙ͕ ֻ͔ͬͯ͠·͏͜ͱ͕༧૝͞ΕΔɻ ຊ‫ڀݚ‬͸ɺ҉߸Խͷࡍʹ෮߸࣌ࠁΛࢦఆͰ͖ɺଟ਺ͷϢʔβ ʹର͠҉߸ԽσʔλΛૹ৴Ͱ͖Δɺ෮߸࣌ࠁ੍‫ޚ‬ՄೳͳϚ. 2. ؔ࿈ٕज़ 2.1 ID-based Encryption ID-based Encryption(IBE) ͱ͸ ID ʹ‫[ ࣜํ߸҉ͮ͘ج‬3] ͷ͜ͱͰ͋Δɻ͜͜Ͱ ID ͱ͸ Identity ·ͨ͸ Identifica-. tion ΛऔΓɺ‫ݸ‬ਓΛಛఆ͢Δ͜ͱ͕Մೳͳ৘ใΛҙຯ͢Δɻ ྫ͑͹ࢯ໊ɺemail ΞυϨεɺి࿩ͷ൪߸ͱ͍ͬͨ΋ͷ͸. ID ͱͯ͠ѻ͏͜ͱ͕ՄೳͰ͋ΔɻIBE ͸ฏจɺड৴ऀͷ ID ɺ‫ڞ‬௨ύϥϝʔλͷΈΛ༻͍ͯड৴ऀ΁ͷ҉߸จΛ࡞ ੒͢Δ͜ͱ͕Ͱ͖ΔͷͰɺެ։‫߸҉ݤ‬ͷΑ͏ʹެ։‫ݤ‬ೝূ ηϯλ͸ඞཁͱ͠ͳ͍ɻͭ·Γެ։‫ݤ‬ೝূηϯλ͕ެ։‫ݤ‬ ʹ༩͑Δ৴པੑͷ͔ΘΓʹ ID ͷ৴པੑΛར༻͢ΔํࣜͰ ͋ΔɻIBE ͸ (Setup,Extract,Enc,Dec) ͷ̐ͭͷΞϧΰϦζ ϜͰߏ੒͞ΕΔɻ. ϧνΩϟετ҉߸ํࣜ hierarchical Time-Released Proxy. Re-Encryption(hTR-PRE) ͷ࣮‫ݱ‬Λ໨ࢦ͢ɻ ෮߸࣌ࠁͷ੍‫ͱޚ‬ϚϧνΩϟετ҉߸௨৴ͷ྆ํΛ࣮‫ݱ‬ Մೳͳެ։‫ ͯ͠ͱࣜํ߸҉ݤ‬Timed-Release Proxy Re-. Encryption(TR-PRE)[5] ͕͋Δɻ͔͠͠ɺ͜ͷํࣜ͸Ұͭ ͷ Proxy ʹ࠶҉߸Խॲཧ͕ूத͢Δͱ͍͏໰୊͕͋Δɻ ͦ͜Ͱຊ‫Ͱڀݚ‬͸ multi-hop ͱ͍͏ੑ࣭Λ࣋ͭ Proxy Re-. Encryption(PRE) Λ༻͍Δɻmulti-hopPRE ͱ͸ɺ࠶҉߸ ԽͷॲཧΛෳ਺ճߦ͏͜ͱ͕Ͱ͖Δ PRE Ͱ͋Δɻྫ͑͹ Ϣʔβ A Ѽͯͷ҉߸จΛϢʔβ B ѼͯʹɺͦΕΛ͞Βʹผ ͷϢʔβ C Ѽͯʹมߋ͢Δ͜ͱ͕Ͱ͖Δɻ͜ͷ multi-hop. PRE Λ༻͍ͯ Proxy Λ֊૚తʹ഑ஔ͢Δ͜ͱʹΑΓɺෛ ՙΛෳ਺ͷ Proxy ʹ෼ࢄ͠໰୊ͷղܾΛ໨ࢦ͢ɻ. 
ʕ Setup ɿ Setup(1k ) → (msk, params) ηΩϡϦςΟύϥϝʔλ 1k Λೖྗͱ͠ɼϚελʔൿ ີ‫ڞͱݤ‬௨ύϥϝʔλͷϖΞ (msk, params) Λग़ྗ ͢Δɽ ʕ Extract ɿExtract(msk, ID, params) → dID Ϛελʔ‫ ݤ‬msk, ID ͱ‫ڞ‬௨ύϥϝʔλ params Λೖ ྗͱ͠ɺID ʹରԠͨ͠෮߸‫ ݤ‬dID Λग़ྗ͢Δɻ ʕ Encryption ɿEnc(m, ID, params) → C ฏจ m ∈ MɼID ͱ‫ڞ‬௨ύϥϝʔλ params Λೖྗ ͱ͠ɺ҉߸จ C Λग़ྗ͢Δɻͨͩ͠ M ͸ฏจۭؒͰ ͋Δɻ ʕ Decryption ɿDec(C, dID ) → C ҉߸จ C ͱ෮߸‫ ݤ‬dID Λೖྗͱ͠ɼฏจ mɺ΋͘͠ ͸ΤϥʔγϯϘϧ ⊥ Λग़ྗ͢Δɻ. 1 a) b). ౦‫ػిژ‬େֶ, Tokyou Denki Uniersity,Adachi,Tokyo,120-8551,Japan [email protected] [email protected]. ⓒ 2014 Information Processing Society of Japan. 1.

(2) Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. ΔɻmDBDH ໰୊ͱ DBDH ໰୊͸౳ՁͰ͋Δ [1]ɻ. 2.2 Proxy Re-Encryption Proxy Re-Encryption(PRE) ͱ͸ຊདྷͷ҉߸จͷड৴ऀ A ͕ɺड͚औͬͨ҉߸จΛ৴པͰ͖Δୈ 3 ऀͰ͋Δ Proxy. 3. ఏҊํࣜ. ʹૹ৴͠ɺProxy ͕ड৴ऀ A ͕ࢦఆͨ͠ϢʔβѼͯͷ҉߸. 3.1 ఆٛ. จʹมߋͰ͖Δ‫ػ‬ೳΛ࣋ͭ҉߸ํࣜͰ͋Δɻ·ͨҎԼͷΑ. hTR-PRE ͸ (Setup,KeyGen,TS-Release,ReKeyGen,Enc, ReEnc,Dec) ͷ 7 ͭͷΞϧΰϦζϜͰߏ੒͞ΕΔɻ. ͏ͳੑ࣭Λ࣋ͭɻ. • single-hop/multi-hopɿ࠶҉߸Խͨ͠҉߸จΛߋʹผ ͷϢʔβͷൿີ‫Ͱݤ‬෮߸Ͱ͖Δ҉߸จʹ࠶҉߸ԽͰ͖. ʕ Setup. ΔํࣜΛ multi-hopɺ࠶҉߸ԽΛͨ͠҉߸จΛߋʹ࠶. Setup(1k ) → (params, tspriv ). ҉߸Խ͢Δ͜ͱ͕Ͱ͖ͳ͍ํࣜ single-hop ͱ͍͏ɻ. ηΩϡϦςΟύϥϝʔλ 1k Λೖྗͱ͠ެ։ύϥϝʔλ. • bidirectinal/unidirectinal ɿϢʔβ A ͱϢʔβ B ؒͷ ࠶҉߸Խ‫ݤ‬Λ༻͍ͯϢʔβ A Ѽͯͷ҉߸จ CA ΛϢʔ. params ͱλΠϜαʔόͷൿີ‫ ݤ‬tspriv Λग़ྗ͢Δɻ ʕ KeyGeneration. β B Ѽͯͷ҉߸จ CB ʹม‫͖Ͱ׵‬ɺ·ͨϢʔβ B Ѽ. KeyGen(1k ) → (pk, sk).   ͯͷ҉߸จ CB ΛϢʔβ A Ѽͯͷ҉߸จ CA ʹม‫Ͱ׵‬. ηΩϡϦςΟύϥϝʔλ 1k Λೖྗͱ͠ެ։‫ ݤ‬pk ɺൿ. ͖ΔํࣜΛ bidirectinalɺͲͪΒ͔͔͠Ͱ͖ͳ͍ํࣜΛ. ີ‫ ݤ‬sk Λग़ྗ͢Δɻ ʕ TimeServer-Release. unidirectinal ͱ͍͏ɻ multi-hop bidirectinal PRE ͸ (KeyGen,ReKeyGen,Enc,Re. TS-Release(params, tspriv , T ) → (ST ). Enc,Dec) ͷ 5 ͭͷΞϧΰϦζϜͰߏ੒͞ΕΔɻ. params, tspriv ɺ։ࣔ࣌ࠁ T Λೖྗͱ͠ɺ࣌ࠁ‫ ݤ‬ST Λ. k. ʕ KeyGenerationɿKeyGen(1 ) → (pk, sk). ग़ྗ͢Δɻ. ηΩϡϦςΟύϥϝʔλ 1k Λೖྗͱ͠ެ։‫ ݤ‬pk ɺൿ. ʕ ReEncryptionKeyGeneration. ReKeyGen(params, skA , skB ) → (rkAB ). ີ‫ ݤ‬sk Λग़ྗ͢Δɻ. paramsɺ2 ͭͷൿີ‫ ݤ‬skA , skB Λೖྗͱ͠ɺ࠶҉߸. ʕ ReEncryptionKeyGenerationɿ. ReKeyGen(skA , skB ) → rkAB. Խ‫ ݤ‬rkAB Λग़ྗ͢Δɻ. 2 ͭͷൿີ‫ ݤ‬skA , skB Λೖྗͱ͠ɺ࠶҉߸Խ‫ ݤ‬rkAB. ʕ Encryption. Enc(params, pk, m, T ) → C. Λग़ྗ͢Δɻ ʕ Encryption ɿ Enc(pk, m) → C. ެ։‫ ݤ‬pk ɺϝοηʔδ mɺ։ࣔ࣌ࠁ T Λೖྗͱ͠҉. ެ։‫ ݤ‬pk ɺϝοηʔδ m Λೖྗͱ͠҉߸จ C Λग़ྗ. ߸จ C Λग़ྗ͢Δɻ ʕ ReEncryption. ͢Δɻ. ReEnc(params, rkAB , CA ) → CB. ʕ ReEncryption ɿ ReEnc(rkAB , CA ) → CB ࠶҉߸Խ‫ ݤ‬rkAB ɺϢʔβ A Ѽͷ҉߸จ CA Λೖྗͱ. paramsɺ࠶҉߸Խ‫ ݤ‬rkAB ɺϢʔβ A Ѽͷ҉߸จ CA. ͠Ϣʔβ B Ѽͷ҉߸จ CB Λग़ྗ͢Δɻ. Λೖྗͱ͠Ϣʔβ B Ѽͷ҉߸จ CB Λग़ྗ͢Δɻ͋. ʕ Decryption ɿ Dec(sk, C) → m. Δ͍͸˵ Λग़ྗ͢Δɻ. ൿີ‫ ݤ‬sk ɺ҉߸จ C Λೖྗͱ͠ɺϝοηʔδ m Λग़. ʕ Decryption. Dec(params, sk, pk, C, ST ) → m. ྗ͢Δɻ͋Δ͍͸ ⊥ Λग़ྗ͢Δɻ. 
paramsɺൿີ‫ ݤ‬sk ɺެ։‫ ݤ‬pk ɺ҉߸จ C ɺ࣌ࠁ‫ ݤ‬ST Λೖྗͱ͠ɺϝοηʔδ m Λग़ྗ͢Δɻ͋Δ͍͸˵. 2.3 ൑ఆ૒ઢ‫ ܕ‬Diffie-HellmanʢDBDHʣԾఆ DBDH Ծఆͱ͸ DBDH ໰୊͕೉͍͠ͱ͍͏ԾఆͰ͋. Λग़ྗ͢Δɻ. Δ ɻૉ ਺ p Λ Ґ ਺ ͱ ͠ ͨ ͷ ‫ ܈‬G, GT ʹ ϖ Ξ Ϧ ϯ ά ԋ ࢉ e(G × G → GT ) ͕ఆٛ͞Ε͍ͯΔͱ͢Δɻ͜ͷ࣌ a. b. c. g ∈ G ʹ͓͍ͯ < g, g , g , g , T > ͷ૊͕༩͑ΒΕͨͱ͖ T = e(g, g)abc ΋͘͠͸ T ͕ϥϯμϜͰ͋Δɺͱ൑ఆ͢Δ. 3.2 ҆શੑఆٛ 3.2.1 ४උ ೖྗ৚݅Λ໌֬ʹ͢ΔͨΊʹެ։‫ʹݤ‬ϥϕϧΛ෇͚ɺແ. ໰୊Λɺ൑ఆ૒ઢ‫ ܕ‬Diffie-Hellman(DBDH) ໰୊ͱ͍͏ɻ. ޲άϥϑ (V,E) Λߟ͑ΔɻUncorrupted key generation Φ. DBDH ໰୊͕ղ͚Δ Algorithm B ͷ੒ޭ֬཰ AdvB ͸࣍. ϥΫϧ΁ͷΫΤϦͰಘͨ pk ʹϥϕϧʠuncorruptedʡΛ෇. a. b. c. abc. ͷΑ͏ʹͳΔɻAdvB = |P r[B(g, g , g , g , e(g, g). ) = 1]. ͚ΔɻCorrupted key generation ΦϥΫϧ΁ͷΫΤϦͰಘ. − P r[B(g, g a , g b , g c , R) = 1]|. AdvB ͕ negligible Ͱ͋Δͱ. ͨ pk ʹϥϕϧʠcorruptedʡΛ෇͚ΔɻνϟϨϯδެ։‫ݤ‬. ͖ DBDH Ծఆ͕੒Γཱͭͱ͍͏ɻຊ‫Ͱڀݚ‬͸ DBDH ໰୊. pk ∗ ʹϥϕϧʠtargetʡΛ෇͚Δɻ࣍ʹແ޲άϥϑ (V,E). Λมߋͨ͠ Modified DBDH(mDBDH) ໰୊Λ༻͍Δɻ۩. Λఆٛ͢Δɻ. ମతʹ͸ e(g, g)abc ͱ͍ͯͨ͠ͱ͜ΖΛɺe(g, g)ab/c ͱ͢. ⓒ 2014 Information Processing Society of Japan. • V = {pkA , pkB , pkC , ...}, E ⊆ V × V 2.

(3) Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. • V ɿެ։‫ݤ‬ͷू߹. ༧૝͠ग़ྗ͢Δɻ. • Τοδ (pkA , pkB ) ∈ E ⇔ʠϢʔβ AɺϢʔβ B ؒͰ ΋͠ b ͱ b ͕౳͚͠Ε͹ A ͷউརͱͳΔɻA ͷউར֬཰. ࠶҉߸Խ‫ ݤ‬rkAB ͕ੜ੒ࡁΈʡ Ҏ্ͷΑ͏ͳάϥϑͷதͰ target Λ‫ؚ‬Ή࿈݁੒෼Λʠtarget. Λ࣍ͷΑ͏ʹఆٛ͢ΔɻAdvΓ,A (1k ) = 2P r[b = b ] − 1. άϧʔϓ (Target)ʡɺcorrupted Λ‫ؚ‬Ή࿈݁੒෼ΛʠCor-. ఆٛ 1ɿhTR-PRE ํࣜ Γ ʹର͢Δ೚ҙͷଟ߲ࣜ࣌ؒΞϧ. rupted άϧʔϓ (Corrupted)ʡɺͦΕҎ֎ΛʠUncorrupted. ΰϦζϜ A ͷউར֬཰ AdvΓ,A (1k ) ͕ negligible Ͱ͋Δ࣌. άϧʔϓ (Uncorrupted)ʡͱ‫Ϳݺ‬ɻ·ͨɺTarget ͱ Uncor-. Γ ͸ Malicious TimeServer Security Λຬͨ͢ͱ͍͏ɻ. rupted ؒͰ͸Τοδ͕ுΒΕΔ৔߹͕͋Δ͕ͦͷ৔߹࿈ ݁੒෼͢΂͕ͯ Target ͱͳΔɻྫ͑͹ɺpkA ∈Target ͱ. pkB ∈Uncorupted ؒͰ࠶҉߸Խ‫ ݤ‬rkAB ͕ੜ੒͞Εͨ৔ ߹ pkB Λ‫ؚ‬Ήάϧʔϓ΋ Target ͱͳΔɻ·ͨ҉߸จ C˄. 3.2.3 Malicious User Security hTR-PRE ํࣜ Γ ʹର͢Δ Malicious User Security Λఆ ٛ͢Δɻଟ߲ࣜ࣌ؒΞϧΰϦζϜͰ͋Δ߈ܸऀ A ͸͢΂ͯ. Λ 1 ճҎ্࠶҉߸ԽΛߦ͍ಘͨ҉߸จ C ΛʠC⇐ C˄ʡͷ. ͷϢʔβͷൿີ‫ݤ‬ɺެ։‫ݤ‬ΛಘΔ͜ͱ͕Ͱ͖ɺ௅ઓऀ CH. Α͏ʹॻ͘ɻ. ͱҎԼͷΑ͏ͳήʔϜΛߦ͏ɻ. 3.2.2 Malicious TimeServer Security. Keygeneration. hTR-PRE ํࣜ Γ(Setup,KeyGen,TS-Release,ReKeyGen,. A ͕ΫΤϦ͢Δͱ‫ݤ‬ϖΞ (pk, sk) ←KeyGen(1k ) Λ A ʹฦ. Enc,ReEnc,Dec) ʹର͢Δ Malicious TimeServer Security. ͢ɻ. Λఆٛ͢Δɻଟ߲ࣜ࣌ؒΞϧΰϦζϜͰ͋Δ߈ܸऀ A ͸. TS-Rslease. TimeServer ͷൿີ‫ݤ‬Λॴ͓࣋ͯ͠Γɺ௅ઓऀ CH ͱҎԼ. T ΛΦϥΫϧ΁ͷೖྗͱ͠ɺΦϥΫϧ͸࣌ࠁ‫ ݤ‬ST ← TS-. ͷΑ͏ͳήʔϜΛߦ͏ɻ. Rslease(params, tspriv , T ) Λฦ͢ɻͨͩ͠ T = T ∗ ͷ৔߹. A ʹ͸ҎԼͷΦϥΫϧ΁ͷΞΫηεΛ‫͢ڐ‬ɻ. ͸ ⊥ Λฦ͢ɻ. Uncorrupted key generatio. Challenge k. A ͕ΫΤϦ͢Δͱ (pk, sk) ←KeyGen(1 ) Λ࣮ߦ͠ A ʹ pk. ͜ͷΦϥΫϧ΁ͷΫΤϦ͸ 1 ճͷΈ‫͞ڐ‬ΕΔɻ. Λฦ͢ɻ. (pk ∗ , T ∗ , m∗0 , m∗1 ) ΛΦϥΫϧ΁ͷೖྗͱ͢Δɻpk ∗ Λνϟ Ϩϯδ key ͱ͢ΔɻΦϥΫϧ͸ b ← {0, 1} ΛϥϯμϜʹܾ. Corrupted key generation k. A ͕ΫΤϦ͢Δͱ (pk, sk) ←KeyGen(1 ) Λ࣮ߦ͠ A ʹ. ఆ͠νϟϨϯδ҉߸จ C ∗ ←Enc(pk ∗ , T ∗ , m∗b ) Λฦ͢ɻͨ. (pk, sk) Λฦ͢ɻ. ͩ͠ೖྗ T ∗ ͕ TS-Rslease ͰΫΤϦ͞Ε͍ͯΔ৔߹˵Λฦ. Re-Encryption key generation. ͢ɻ. (pkA , pkB ) Λ Φ ϥ Ϋ ϧ ΁ ͷ ೖ ྗ ͱ ͠ ɺΦ ϥ Ϋ ϧ ͸ ࠶. Decryption. ҉ ߸ Խ ‫ ݤ‬rkAB ←ReKeyGen(skA , skB ) Λ ฦ ͢ ɻͨ ͩ. (pk, T, C) Λ Φ ϥ Ϋ ϧ ΁ ͷ ೖ ྗ ͢ Δ ͱ ͠ ɺϝ ο η ʔ δ. ͠ʠpkA ∈Uncorrupted ͔ ͭ pkB ∈Corruptedʡ· ͨ ͸. m = Dec(sk, C, ST ) Λ ฦ ͢ ɻͨ ͩ ͠ C = C ∗ · ͨ ͸. 
ʠpkA ∈Corrupted ͔ͭ pkB ∈ Uncorruptedʡͷ৔߹ ⊥ Λ. C ⇐ C ∗ ͷ৔߹͸˵Λग़ྗ͢Δɻ. ग़ྗ͢Δɻ. Decision. Challenge. A ͸ b Λ༧૝͠ग़ྗ͢Δɻ. ͜ͷΦϥΫϧ΁ͷΫΤϦ͸ 1 ճͷΈ‫͞ڐ‬ΕΔɻ. (pk ∗ , T ∗ , m∗0 , m∗1 ) ΛΦϥΫϧ΁ͷೖྗͱ͢Δɻpk ∗ Λνϟ. ΋͠ b ͱ b ͕౳͚͠Ε͹ A ͷউརͱͳΔɻA ͷউར֬཰. Ϩϯδ key ͱ͢ΔɻΦϥΫϧ͸ b ← {0, 1} ΛϥϯμϜʹܾ. Λ࣍ͷΑ͏ʹఆٛ͢ΔɻAdvΓ,A (1k ) = 2P r[b = b ] − 1. ఆ͠νϟϨϯδ҉߸จ C ∗ ←Enc(pk ∗ , m∗b , T ∗ ) Λฦ͢ɻ. ఆٛ 2ɿhTR-PRE ํࣜ Γ ʹର͢Δ೚ҙͷଟ߲ࣜ࣌ؒΞϧ. Re-Encryption. ΰϦζϜ A ͷউར֬཰ AdvΓ,A (1k ) ͕ negligible Ͱ͋Δ࣌. (pkA , pkB , CA ) ΛΦϥΫϧ΁ͷೖྗͱ͠ɺϢʔβ B Ѽͷ҉. Γ ͸ Malicious User Security Λຬͨ͢ͱ͍͏ɻ. ߸จ CB ←ReEnc(ReKeyGen(skA , skB ), CA ) Λฦ͢ɻͨͩ ͠ɺpkA ∈Target, pkB ∈Corrupted, CA ⇐ C ∗ ͕͢΂ͯ੒ Γཱͭ৔߹৔߹ ⊥ Λฦ͢ɻ. 3.3 ϓϩτίϧ ຊઅͰ͸ఏҊํࣜͷৄࡉΛॻ͘ɻ ʕ Setup. Decryption (pk, T, C) Λ Φ ϥ Ϋ ϧ ΁ ͷ ೖ ྗ ͢ Δ ͱ ͠ ɺϝ ο η ʔ δ ∗. m = Dec(sk, pk, C, ST ) Λฦ͢ɻͨͩ͠ C = C ·ͨ͸ ∗. ηΩϡϦςΟύϥϝʔλ 1k Λೖྗͱ͢ΔɻG, GT Λ ૉ ਺ Ґ ਺ p ͷ ‫ ܈‬ɺe : G × G → G T ͱ ͠ ɺ. C ⇐ C ͷ৔߹͸˵Λग़ྗ͢Δɻ. g, g2 , g3 , h1 , h2 , h3 ∈ Gɺs ← Zp∗ Λબ୒͢ΔɻT Spub =. Decision. g s , tspriv = s ͱ͠ɺϋογϡؔ਺ΛҎԼͷΑ͏ʹબ୒. pk∗ ∈Corrupted ͷ৔߹͸ ⊥ɺͦ͏Ͱͳ͍ͳΒ͹ A ͸ b Λ. ͢Δɻ. ⓒ 2014 Information Processing Society of Japan. 3.

(4) Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. ɾ. ϋογϡؔ਺ H ɿ{0, 1}l → G. ൿ ີ ‫ ݤ‬sk ɺެ ։ ‫ ݤ‬pk ɺ҉ ߸ จ C Λ ೖ ྗ ͱ ͢ Δ ɻ. ϋογϡؔ਺ H ͸ pairwise independent ͳ univer-. CheckPRE(C, pk) = 1 ͔ͭ CheckIBE(C, pk) = 1 ͳ. sal one-way hash function family [4][6] Λ༻͍Δɻ. Β͹ҎԼΛ‫͢ࢉܭ‬Δɻͦ͏Ͱͳ͚Ε͹˵Λग़ྗ͢Δɻ. x ∈ {0, 1} ͱ y ∈ G ͕༩͑ΒΕͨͱ͖ɺH(x) = y. ɾ e(C6 , hrT1 ) · C7rT1 = e(g, h1 )r2. Λຬͨ͢ H Λޮ཰Α͘‫͚ͭݟ‬ΔΞϧΰϦζϜ͕ଘࡏ. ɾ. l. m = C3 /{e(C2 , H(C1 ))1/sk · e(g, h1 )r2 } Λग़ྗɻ. ͢Δɻ ɾ. ϋογϡؔ਺ F ɿZp → Gɺͨͩ͠ϋογϡؔ਺. g2y. F ͸ F (y) = ɾ ɾ. · g3 ͱ͢Δɻ(g2 , g3 ∈ G). ϋογϡؔ਺ H1 : {0, 1}. m. ϧΰϦζϜʹ͍ͭͯॻ͘ɻ. CheckPRE ΞϧΰϦζϜΛҎԼͷΑ͏ʹఆٛ͢Δɻೖྗ͸. → Zp ∗. ϋ ο γ ϡ ؔ ਺ H2 : {0, 1}. ํࣜͰ༻͍ͨ CheckPRE ΞϧΰϦζϜ͓Αͼ CheckIBE Ξ. → Zp params =. ҉߸จ C = (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ) ͱެ։‫ ݤ‬pk. (g, g2 , g3 , h, h1 , h2 , h3 , H, F, H1 , H2 , T Spub ) Λެ։ύ. Ͱ͋Δɻ. ϥϝʔλͱ͢Δɻ. ( 1 ) Ver(C1 , (C2 , C3 , C4 , C5 , C6 , C7 , C8 ), σ) Λௐ΂Δɻσ ͸ (C3 , C4 , C5 , C6 , C7 , C8 ) ʹର͢Δॺ໊Ͱ͋Γ C1 ͸‫ݕ‬. ʕ KeyGeneration k. ηΩϡϦςΟύϥϝʔλ 1 Λೖྗͱ͠ɺx ∈ Zp Λϥ x. ( 2 ) e(C2 , F (C1 )) = e(pk, C4 ), e(C2 , h) = e(pk, C5 ) ͕੒Γ. ϯμϜʹબ୒ɻpk = g , sk = x ͱ͢Δɻ. ཱ͔ͭௐ΂Δ. ʕ Re-EncryptionKeyGeneration. ski = xi , skj = xj Λೖྗͱ͠࠶҉߸Խ‫ ݤ‬rkij = ski skj. mod p =. xi xj. ূ‫͋Ͱݤ‬Δɻ. ( 3 ) 1,2 ͷͲͪΒ͔ҰํͰ΋੒Γཱͨͳ͚Ε͹ 0ɺͦ͏Ͱͳ ͚Ε͹ 1 Λग़ྗɻ. mod p ͱ͢Δɻ. CheckIBE ΞϧΰϦζϜΛҎԼͷΑ͏ʹఆٛ͢Δɻೖྗ͸. ʕ TS-Release ։ࣔ࣌ࠁ T ͱλΠϜαʔόͷൿີ‫ ݤ‬tspriv = s Λೖྗ. ҉߸จ C = (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ) ͱެ։‫ ݤ‬pk. ͱ͠ rT1 , rT2 , rT3 ← Zp∗ ΛϥϯμϜʹબ୒ɻ։ࣔ࣌ࠁ. Ͱ͋Δɻ. ʹରԠ͢Δ࣌ࠁ‫ ݤ‬ST ΛҎԼͷ௨Γ‫͢ࢉܭ‬Δɻ. ৔߹͸̍Λ੒Γཱͨͳ͍৔߹͸̌Λग़ྗ͢Δɻ. ST = ((rT1 , (hrT1 ), (rT2 , (hrT2 ), (rT3 , (hrT3 )) hrTn = (hn · g. −rTn. ). 1 (s−H(T )). 1. ( 1 ) C8 = e(C6 , (h2 · g −rT2 ) s−H1 (T ) , C7rT2 +rT3 ) ͕੒Γཱͭ. ), (n ∈ {1, 2, 3}). ఏҊͨ͠ hTR-PRE ͸ɺC.H.PRE[7] ͱ G.IBE[1] Λ૊Έ߹ ΘͤΔΞΠσΞʹ‫ߏ͍ͯͮج‬੒ͨ͠ɻC1 = svk, C2 =. ʕ Encryption. pk ͱϝοηʔδ m ∈ GT ɺ։ࣔ࣌ࠁ T Λೖྗͱ͢Δɻ. pk r1 , C4 = F (svk)r1 = (g2svk · g3 )r1 , C5 = hr1 ͷ ཁ ૉ. ɾ. ͸ C.H.PRE ͷ Enc ΞϧΰϦζϜͱಉ༷Ͱ͋ΓɺC6 =. ϫϯλΠϜॺ໊ͷ KeyGeneration ΞϧΰϦζϜΑ k. 
Γ Gen(1 ) → (svk, ssk) ΛಘΔɻC1 = svk ͱ͢Δɻ. (g −H1 (T ) · T spub)r2 , C7 = e(g, g)r2 , C8 = (e(e(g, h2 ) ·. ཚ਺ r1 , r2 ∈ Zp Λબ୒࣍͠Λ‫͢ࢉܭ‬Δɻ. e(g, h3 ))β )r2 ͷཁૉ͸ G.IBE ͷ Enc ΞϧΰϦζϜͱಉ༷. C2 = pk r1 , C3 = m · e(g, H(svk))r1 · e(g, h1 )r2 ). Ͱ͋ΔɻC3 = m · e(g, H(svk))r1 · e(g, h1 )r2 ) ʹ͓͍ͯ. ɾ. r1. m · e(g, H(svk))r1 ͷ෦෼ͷΈʹ஫໨͢ΔͱɺC.H.PRE ͷ. C6 = (g −H1 (T ) · T spub )r2 , C7 = e(g, g)r2. ҉߸จͷཁૉͷҰ෦ʹͳΓɺ·ͨ m · e(g, h1 )r2 ͷ෦෼ʹ஫. C8 = (e(e(g, h2 ) · e(g, h3 ))β )r2. ໨͢Δͱ G.IBE ͷ҉߸จͷཁૉͷҰ෦ʹͳΔɻ. C4 = F (svk). r1. =. (g2svk. r1. · g 3 ) , C5 = h. β = H2 (C3 , C6 , C7 ) ɾ. (C3 , C4 , C5 , C6 , C7 , C8 ) ʹରͯ͠ϫϯλΠϜॺ໊. ຊઅͰ͸ఏҊͨ҆͠શੑఆٛʹ‫ ͖ͮج‬hTR-PRE ͷ҆શ. ͷ Signature ΞϧΰϦζϜΛ࣮ߦɻ. σ ← Sig(ssk, (C3 , C4 , C5 , C6 , C7 , C8 )) ɾ. ੑͷূ໌Λߦ͏ɻ. C = (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ) Λ҉߸จ. 3.4.1 Malicious User Secrity Malicious User Secrity Λ ഁ Δ ߈ ܸ ऀ A Λ ༻ ͍ ͯ. ͱ͢Δɻ ʕ. 3.4 ҆શੑূ໌. GentryIBE ͷ҆શੑΛഁΔΞϧΰϦζϜ B Λߏ੒͢Δɻ. Re-Encryption ҉߸จ Cj ͱ࠶҉߸Խ‫ ݤ‬rkij Λೖྗͱ࣍͠ͷ‫ࢉܭ‬Λ. ఆཧ 1ɿIND-ID-CCA ҆શͳ GentryIBE Λ༻͍ͯߏ੒͠. ߦ͏ɻ rk C2 ij. ɾ. C2. ɾ. CheckPRE(Cj , pkj ). =. =g. xi r1. ͨ hTR-PRE ͸ Malicious User Secrity Λຬͨ͢ɻ. =. 1 ͳ Β ͹ Ci. =. (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ) ͱ ͠ ͯ ग़ ྗ ɻ. ূ໌. ͦ͏Ͱͳ͍৔߹͸ ⊥ Λग़ྗɻ. ௅ઓऀ CH ͸ g, h1 , h2 , h3 ∈ G1 ΛϥϯμϜʹબ୒͢Δɻ. ʕ Decryption. s ← Zp∗ ΛϥϯμϜʹબ୒͠ɺtsprive = s, T Spub = g s ͱ ͢Δɻ(g, h1 , h2 , h3 , T Spub, H1 , H2 ) ΛγϛϡϨʔλ B ʹ. ⓒ 2014 Information Processing Society of Japan. 4.

(5) Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. Β͹ 1 Λɺͦ͏Ͱͳ͚Ε͹ 0 Λग़ྗ͢Δɻ. ૹΔɻ. Setup B ͸ g2 , g3 , h. ∈. G ΛϥϯμϜʹબ୒͢Δɻ. A ͕ C. =. (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ , C6 , C7 , C8 , σ ∗ ). ,. · ͨ ϫ ϯ λ Π Ϝ ॺ ໊ ͷ KeyGeneration Ξ ϧ. CheckPRE(pk, C) = 1, CheckIBE(pk, C) = 1 Λ ͢ ΂. ΰ Ϧ ζ Ϝ Gen(1k ). ͯຬͨ͢ (pk  , C  ) ΛΫΤϦ͖ͯͨ͠৔߹ɺB ͸ Decryption. (ssk ∗ , svk ∗ ) Λ ࣮ ߦ ͠. →. ∗. Λ. (g, g2 , g3 , h, h1 , h2 , h3 , e, H, F, H1 , H2 , T Spub, svk ). ΦϥΫϧΛγϛϡϨʔτ͢Δ͜ͱ͕ෆՄೳͰ͋Δɻ͔͠. A ʹૹΔɻ. ͠ɺ͜Ε͸ IND-ID-CCA ͷ҆શੑΛഁ͍ͬͯΔ͜ͱʹͳ. KeyGen. ΔɻͦͷଞͷγϛϡϨʔγϣϯʹ͍ͭͯ͸ࣦഊ͢Δࣄ͸ͳ. A ͕ΫΤϦ͢Δͱ B ͸ x ← Zp ΛϥϯμϜʹબ୒͠ x. (pk, sk) = (g , x) Λ A ʹฦ͢ɻ. ͍ͷͰɺA ͷউར֬཰͕ 1/2 ʹରͯ͠༏ҐੑΛ࣋ͭͳΒ ͹ɺB ͷ੒ޭ֬཰΋ 1/2 ʹରͯ͠༏ҐੑΛ࣋ͭɻ. TS-Release A ͸ TS-Release ΫΤϦͱͯ࣌͠ࠁ T Λ B ʹૹΔɻB ͸. 3.4.2 Malicious TimeServer Security. IND-ID-CCA ήʔϜʹ͓͚Δ Extract ΫΤϦͱͯ͠ T Λ. ఆٛͨ͠ Malicious TimeServer Security ΛഁΔ߈ܸऀ. ͦͷ·· CH ʹૹΓ, ରԠ͢Δ෮߸‫ݤ‬ʢൿີ‫ݤ‬ʣdT Λखʹ. A Λ༻͍ͯ mDBDH ໰୊ΛഁΔΞϧΰϦζϜ B Λߏ੒͢. ೖΕΔɻB ͸ TS-Release ΫΤϦͷฦ౴ͱͯ͠ ST = dT Λ. Δɻ. B ʹฦ͢ɻ ఆ ཧ 2ɿmDBDH Ծ ఆ ͷ Լ Ͱ hTR-PRE ͸ Malicious. Challenge A ͸ ̎ ͭ ͷ ฏ จ ɺ࣌ ࠁ ɺ೚ ҙ ͷ ެ ։ ‫ ݤ‬ͷ η ο τ ∗. TimeServer Security Λຬͨ͢ɻ. ∗. (m0 , m1 , pk , T ) Λ B ʹૹΔɻB ͸ r1 ← Zp ΛϥϯμϜʹ બ୒͠ m0 = m0 ·e(g, H(svk ∗ )), m1 = m1 ·e(g, H(svk ∗ ))r1. ূ໌. Λ ‫ ͢ ࢉ ܭ‬Δ ɻ࣍ ʹ B ͸ IND-ID-CCA ή ʔ Ϝ ʹ ͓ ͚ Δ. B ΁ͷೖྗ͸ mDBDH ͷೖྗ (g, g a , g b , g c , Q) ͱͳΓɺB. Challenge ͱ ͠ ͯ CH ʹ (m0 , m1 , T ∗ ) Λ ૹ Δ ɻCH ͸. ͷΰʔϧ͸ Q = e(g, g)ab/c ͕੒Γཱ͔ͭδϟοδ͢Δ͜. b ← {0, 1} ͱཚ਺ r2 ← Zp Λબ୒͠ҎԼΛ‫͢ࢉܭ‬Δɻ. ͱͰ͋ΔɻΞϧΰϦζϜ B ͸࣍ͷΑ͏ʹߏ੒͢Δɻ. C3∗. =. C7∗. mb. r2. · e(g, h1 ) , r2. C8∗. = e(g, g) ,. C6∗. = (g. −H1 (T ). r2. · T SP ub ) ,. Setup. β r2. B ͸ϫϯλΠϜॺ໊ͷ‫ݤ‬ੜ੒ΞϧΰϦζϜ. = (e(g, h2 ) · e(g, h3 ) ). Λ IND-ID-. Gen(1k ) → (ssk ∗ , svk ∗ ) Λ࣮ߦ͢Δɻ࣍ʹ ω, α1 , α2 ∈ Zp. CCA ͷ ν ϟ Ϩ ϯ δ ҉ ߸ จ ͱ ͠ ͯ B ʹ ૹ Δ ɻB ͸. ΛϥϯμϜʹબ୒͠ɺh = g cω , g2 = g α1 , g3 = g −α1 svk ·g cα2. C1∗. =. Λ ‫ ͢ ࢉ ܭ‬Δ ɻs ← Zp Λ ϥ ϯ μ Ϝ ʹ બ ୒ ͠ ɺλ Π Ϝ. Λ ‫ܭ‬. α ʔ ό ͷ ൿ ີ ‫ ެ ͱ ݤ‬։ ‫ ݤ‬Λ tspriv = s, T Spub = g s. CH ͸ ҉ ߸ จ C =. r1. h ,σ. svk ∗ , C2∗. =. pk r1 , C4∗. =. Sig(ssk. 
=. (C3∗ , C6∗ , C7∗ , C8∗ ). ∗. =. F (svk ∗ )r1 , C5∗. , (C3∗ , C4∗ , C5∗ , C6∗ , C7∗ , C8∗ )). ࢉ ͢ Δ ɻB ͸ Challenge ͷ ฦ ౴ ͱ ͠ ͯ C ∗. (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ , C6∗ , C7∗ , C8∗ , σ ∗ ). =. Λ A ʹૹΔɻ. ∗. ͱ ͢ Δ ɻB ͸ H(svk∗). =. ga ͱ ͳ Δ Α ͏ ͳ ϋ ο. γ ϡ ؔ ਺ H Λ બ ͼ ɺγ ε ς Ϝ ύ ϥ ϝ ʔ λ Λ. Decryption. (p, h, h2 , h3 , tspriv , T Spub , g,2 , g3 , G, GT , e, H1 , H2 , H, F ). A ͸ Decryption Ϋ Τ Ϧ ͱ ͠ ͯ ެ ։ ‫ ݤ‬ɺ҉ ߸ จ ɺ࣌ ࠁ. ͱ͢Δɻ. (pk, C, T ) Λ B ʹૹΔɻ. Uncorrupted key generation. C3 =. mb. r2. · e(g, h1 ) , C6 = (g. −H1 (T ). r2. B ͸ཚ਺ x ∈ Zp Λબͼ pk = g cx ͱ͠ A ʹग़ྗ͢Δɻ. · T SP ub ) ,. C7 = e(g, g)r2 , C8 = (e(g, h2 ) · e(g, h3 )β )r2 σ = Sig(ssk. ∗. , (C3∗ , C4∗ , C5∗ , C6∗ , C7∗ , C8∗ )) ∗. Corrupted key generation. ͕͢΂ͯ੒Γཱͭ. B ͸ཚ਺ x ∈ Zp Λબͼ pk = g x , sk = x ͱ͠ A ʹग़ྗ͢. ৔߹ C ⇐ C ͳͷͰ˵Λग़ྗ͢Δɻͦ͏Ͱͳ͍৔߹ B ͸. Δɻ. ҎԼͷॲཧΛߦ͏ɻ. Re-Encryption key generation. ( 1 ) CheckPRE(pk, C) = 0 ·ͨ͸ CheckIBE(pk, C) = 0 ͷ. pki , pkj Λ ೖ ྗ ͱ ͢ Δ ɻpki , pkj ∈Uncorrupted · ͨ ͸. ৔߹҉߸จ͸ਖ਼͘͠ੜ੒͞Ε͍ͯͳ͍ͷͰ ⊥ Λฦ͢ɻ. ( 2 ) e(C6 , hT 1 ) ·. C7rT 1. = e(g, h1 ). r2. ɹ, ɹ. C1. =. C3 e(g,h1 )r2. Λ. ‫͢ࢉܭ‬Δɻ ͱͯ͠ C =. xj xi. ͱͯ͠ A ʹग़ྗ͢. Δɻͦ͏Ͱͳ͍৔߹ ⊥ Λग़ྗ͢Δɻ. Challenge. ( 3 ) B ͸ IND-ID-CCA ήʔϜʹ͓͚Δ Decryption ΫΤϦ ∗. pki , pkj ∈Corrupted ͷ৔߹ rkij =. (C1 , C6 , C7 , C8 ). Λ CH ʹૹΓɺ෮߸݁Ռ. m Λͦͷ·· A ʹૹΔɻ. A ͸ Φ ϥ Ϋ ϧ ʹ (pk ∗ , m0 , m1 ) Λ ૹ ৴ ͢ Δ (pk ∗ ∈Uncorrupted)ɻB ͸ϥϯμϜʹ b ← {0, 1} Λબ୒ b/c. ͠ҎԼΛ‫͢ࢉܭ‬ΔɻC1∗ = svk ∗ , C2∗ = (g b )xi = pki , C3∗ =. Decition. Q · mb · e(g, h1 )r2 , C4∗ = (g b )α2 = (g2svk∗ · g3 )b/c , C5∗ =. A ͸ b Λ༧૝͠ग़ྗ͢ΔɻB ͸ b Λड͚औΓɺb = b ͳ. (g b )ω. ⓒ 2014 Information Processing Society of Japan. =. hb/c , C6∗. =. (g −H1 (T ) · T SP ub )r2 , C7∗. =. 5.

(6) Vol.2014-DPS-158 No.11 Vol.2014-CSEC-64 No.11 2014/3/6. ৘ใॲཧֶձ‫ڀݚ‬ใࠂ IPSJ SIG Technical Report. e(g, g)r2 , C8∗. (e(g, h2 ) · e(g, h3 )β )r2 , σ ∗. =. =. Encryption ΦϥΫϧ͸γϛϡϨʔγϣϯ͕ෆՄೳͰ͋Δɻ. Sig(ssk ∗ , (C3 , C4 , C5 , C6 , C7 , C8 )) ν ϟ Ϩ ϯ δ ҉ ߸ จ. ͔ͦ͠͠ͷΑ͏ͳ҉߸จ͸ (C3 , C4 , C5 , C6 , C7 , C8 , σ) =. C ∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ , C6∗ , C7∗ , C8∗ , σ ∗ ) Λ A ʹ༩͑Δɻ. (C3∗ , C4∗ , C5∗ , C6∗ , C7∗ , C8∗ , σ ∗ ) ͱͳ͍ͬͯΔͨΊϫϯλΠϜ. Decryption. ॺ໊ΛഁΒΕ͍ͯΔ͜ͱʹͳΔɻB ͕ mDBDH ͷ໰୊Λ. (pk, C, T ) Λೖྗͱ͢ΔɻCheckPRE(C, pk) = 0 ·ͨ͸. ड͚औͬͨͳΒ͹ mDBDH ໰୊ΛຒΊࠐΜͩνϟϨϯ. CheckIBE(C, pk) = 0 ͷ৔߹҉߸จ͸ਖ਼͘͠ੜ੒͞Εͯ. δ҉߸จ C ∗ ͷ෼෍ͱ mb Λϝοηʔδͱͨ͠௨҉߸จ. ͳ͍ͷͰ B ͸ ⊥ Λग़ྗ͢Δɻ࣍ʹ C ⇐ C ∗ Ͱ͋Δ͔. C  = Enc(pk ∗ , m∗b , T ∗ ) ͷ෼෍͸‫׬‬શʹҰக͢ΔɻΑͬͯ. ֬ೝΛ͢ΔɻC1 = svk∗, C3 = Q · mb · e(g, h1 )r2 , C4 =. A ͕ b = b Λਖ਼ղ͢Δ֬཰͸ɺmDBDH ͷ໰୊ΛຒΊࠐΜ. (g b )α2 , C5 = (g b )ω , σ = σ ∗ Λ֬ೝ͢͠΂ͯ੒Γཱͭ৔߹ɺ. ͩ৔߹΋ɺmb Λ༻͍ͯ௨ৗͷ҉߸ԽΛߦͬͨ৔߹΋౳͠. ∗. ∗. C ͸ C Λ࠶҉߸Խͯ͠ಘΒΕͨ΋ͷɺC ⇐ C ʹͳΔͨ. ͘ͳΔɻB ͕ mDBDH ͷ໰୊Λड͚औ͍ͬͯͳ͍৔߹͸. Ί ⊥ Λग़ྗ͢ΔɻͦͷͲͪΒͰ΋ͳ͍৔߹ɺB ͸࣍ͷΑ. ҉߸จͷཁૉ C3 ͸ b ͱಠཱͯ͠ GT ্ʹҰ༷ʹ෼෍͢Δ. ͏ͳ‫ࢉܭ‬Λ͠ϝοηʔδ m Λग़ྗ͢Δɻ. ͷͰ mb ͷ৘ใ͸Ұ੾‫ؚ‬ΜͰ͍ͳ͍ɻΑͬͯ A ͕ b = b Λ. t=. C4. α /x. C2 2. ,λ=. 3 m = e(tλ ,H(C1C))e(g,h r 1) 2 C2 = pk r1 , C4 = F (C1 )r1 ͱͳ. 1 α1 (C1 −svk) ,. ਖ਼͘͠ੜ੒͞Εͨ҉߸จ͸. Γɺಉ͡ཚ਺ r1 Λ༻͍͍ͯΔɻ F (C1 )r1 pkr1 α2 /x. t =. =. g rα1 (C1 −svk)+cα2 g r1 cα2. r C r g21 1 g3 1 r1 α2 pk x. =. =. = g r1 α1 (C1 −svk). Re-Encryption (pki , pkj , Ci ) Λ ೖ ྗ ͱ ͢ Δ ɻCheckPRE(C, pk) = 0 · ͨ ͸ CheckIBE(C, pk) = 0 ͷ ৔ ߹ ɺ҉ ߸ จ Ci ͸ ਖ਼ ͠ ͘ ੜ ੒ ͞ Ε ͯ ͍ ͳ ͍ ͷ Ͱ ⊥ Λ ग़ ྗ ͢ Δ ɻ· ͨ ɺ. i ∈Target ͔ͭ j ∈Corrupt ͔ͭ C ⇐ C ∗ ͭ·Γ C1 = svk∗, C3 = Q · mb · e(g, h1 )r2 , C4 = (g b )α2 , C5 = (g b )ω , σ = Sig(ssk ∗ , (C3 , C4 , C5 , C6 , C7 , C8 ))”ͷ৔߹΋ ⊥ Λฦ͢ɻͦ ͏Ͱͳ͍৔߹͸ҎԼͷΑ͏ʹಈ࡞͢Δɻ. ∈Uncorrupted,. ͨ ͸ʠi ͸ʠj. Ͱ hTR-PRE ͸ Malicious TimeServer Security Λຬͨ͢ɻ. 4. ·ͱΊ. r1 (g α1 )r1 C1 (g −α1 svk+cα2 ) r1 α2 (g cx ) x. Αͬͯ C1 = svk ∗ Ͱͳ͍ͱ͖ tλ = g r ʹͳΔɻ. ( 1 ) ʠ(i, j). ਖ਼ղ͢Δ֬཰͸ 1/2 ͱͳΔɻҎ্ΑΓ mDBDH ԾఆͷԼ. Target,. ∈Uncorrupted ͔ ͭ j. ∈Uncorrupted ͔ ͭ i. 
hTR-PRE ͷߏ੒๏Λࣔ҆͠શੑূ໌Λߦͬͨɻຊ‫ڀݚ‬ Ͱ͸ఏҊͨ͠ hTR-PRE ํࣜʹର͠ Malicious TimeServer Security ͱ Malicious User Security ͷ̎ͭͷ҆શੑΛఆٛ ͠ɺ҆શੑͷূ໌ΛߦͬͨɻMalicious TimeServer Security ͷ҆શੑ͸ mDBDH Ծఆͱ͍͏‫ͮ͘جʹྔࢉܭ‬Ծఆʹ‫ؼ‬ ண͠ɺMalicious User Security ͷ҆શੑ͸ G.IBE[3] ͷ҆ શੑ IND-ID-CCA ʹ‫ؼ‬ண͢ΔɻఏҊͨ͠ํࣜͰ͸ G.IBE ͱ C.H.PRE[7] Λ༻͍ͯํࣜΛߏ੒͕ͨ͠ G.IBE Ҏ֎ͷ IBE Λ༻͍Δ͜ͱͰ΋ߏ੒͢Δ͜ͱ͕ՄೳͰ͋Δͱߟ͑Β ΕΔɻ͔͠͠ G.IBE ͱ C.H.PRE ͸‫ڞ‬௨ͯ͠ DBDH Ծఆ Λ҆શੑͷࠜ‫͍ͯ͠ͱڌ‬ΔͷͰɺ҆શੑͷ໘Ͱ͸࠷ྑͰ͋ Δͱߟ͑Δɻ ࢀߟจ‫ݙ‬ [1] [2]. Corruptedʡ· ∈Targetʡ· ͨ. ∈Targetʡͷ ৔ ߹ ɺ. [3]. Cj = ReEnc(xj /xi , Ci ) Λग़ྗ͢Δɻ ( 2 ) i ∈Corrupted ͔ ͭ j ∈Uncorrupted ͷ ৔ ߹ B ͸ x /ω. C5 j. = g crxj = pkjr = C2 Λ ‫ ͠ ࢉ ܭ‬ɺCj =. [4]. (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ) Λग़ྗ͢Δɻ ( 3 ) i ∈Uncorrupted ͔ ͭ j ∈Corrupted ͷ ৔ ߹ ɺtλ = g. r. ΑΓ g. rxj. =. pkjr. C2. =. (C1 , C2 , C3 , C4 , C5 , C6 , C7 , C8 , σ). Λ ‫ ͠ ࢉ ܭ‬Cj. =. Λग़ྗ͢Δɻ [6]. Decision . [5]. . . A ͸ b Λ༧૝͠ग़ྗ͢ΔɻB ͸ b Λड͚औΓɺb = b ͳΒ ͹ 1 Λɺͦ͏Ͱͳ͚Ε͹ 0 Λग़ྗ͢Δɻ. [7]. A ͕ C1 = svk ∗ ͱͳΔ҉߸จΛΫΤϦ͢Δ৔߹͕͋Δɻ. [8]. νϟϨϯδ҉߸จ C ∗ Λಘͨ‫ޙ‬ɺCheckPRE(C, pk) = 1,. CheckIBE(C, pk) = 1ɺC1 = svk ∗ , C ⇐ C ∗ ͷ શ ͯ. Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages 457-473, 2005. Benoit Libert, Damien Vergnaud. Unidirectional chosenciphertext secure proxy reencryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360ʕ379. Springer, Heidelberg (2008). Craig Gentry. Practical identity-based encryption without random oracles. In Advances in Cryptologyʕ EUROCRYPT 2006, Lecture Notes in Computer Science. Springer-Verlag, 2006. Dan Boneh and Xavier Boyen. Efcient selective-ID secure identity-based encryption without random oracles. In EUROCRYPT ’04, vol. 3027 of LNCS, pages 223-238, 2004. Keita Emura, Atsuko Miyaji, and Kazumasa Omote. A Timed-Release Proxy Re-encryption Scheme and Its Application to Fairly-Opened Multicast Communication. In ProvSec 2010, LNCS 6402, pp. 200ʕ213, 2010. Ran Canetti, Shai Halevi, and Jonathan Katz. A forwardsecure public-key encryption scheme. In EUROCRYPT, vol 2656 of LNCS, pp. 
255-271, 2003. Ran Canetti, Susan Hohenbergery. Chosen-Ciphertext Secure Proxy Re-Encryption. In ACM CCS 2007, pp.185ʕ 194. ACM Press, New York (2007). খᖒ ‫ݡ‬༎ , ᴡ౻ ହҰ. Canetti-Hohenberger ͷ multi-hop ϓϩΩγ࠶҉߸Խ҆શੑϞσϧʹ͍ͭͯ. 2013 ೥҉߸ͱ৘ ใηΩϡϦςΟγϯϙδ΢Ϝ,2013.. Λ Λ ຬ ͨ ͢ ҉ ߸ จ Λ Ϋ Τ Ϧ ͢ Δ ͱ ɺDecryptionɺRe-. ⓒ 2014 Information Processing Society of Japan. 6.
