主权项 |
1. A cryptographic processing system having therein at least one of non-transitory computer readable medium and hardware permitting the cryptographic processing system to execute procedures for cryptographic processing, said cryptographic processing system comprising:
d (d is an integer of 1 or more) units of key generation devices, an encryption device, and a decryption device, and serving to execute a cryptographic process using a basis Bt and a basis B*t for at least one integer t=1, . . . , d, wherein each key generation device of the d units of the key generation devices of the cryptographic processing system includes a first information input part which takes as input attribute information x→t:=(xt,i) (i=1, . . . , nt where nt is an integer of 1 or more) for an integer t among integers t=1, . . . , d which is predetermined for each key generation device, a key element generation part which generates a key element k*t including a vector indicated in Formula 1 based on the integer t, the attribute information x→t inputted by the first information input part, a predetermined value δ, and a basis vector b*t,i(i=1, . . . , 2nt) of the basis B*t, and a decryption key transmission part which transmits to the decryption device, a decryption key usk including the key element k*t generated by the key element generation part and the attribute information x→t, wherein the encryption device of the cryptographic processing system includes a second information input part which takes as input a variable ρ(i) for each integer i=1, . . . , L (L is an integer of 1 or more), which variable ρ(i) is either one of a positive tuple (t, v→i) and a negative tuple (t, v→i) of the identification information t (t is any one integer of t=1, . . . , d) and attribute information v→i:=(vi,i′) (i′=1, . . . , nt); and a predetermined matrix M having L rows and r columns (r is an integer of 1 or more), a vector generation part which generates a column vector s→T:=(S1, . . . , sL)T:=M·f→T based on a vector f→ having r pieces of elements and the matrix M inputted by the second information input part, and generates a column vector (s→′)T:=(s1′, . . . , sL′)T:=M·(f→′)T based on the matrix M and a vector having r pieces of elements and satisfying s0=h→·(f→′)T where s0=h→·f→T, a cipher element ci generation part which, for each integer i=1, . . . , L and based on the column vector s→T and the column vector (s→′)T which are generated by the vector generation part, and predetermined values θi and θi′ for each integer i=1, . . . , L, generates a cipher element ci including a vector indicated in Formula 2, when the variable ρ(i) is a positive tuple (t, v→i), using a basis vector bt,i′(i′=1, . . . , 2nt) of the basis Bt indicated by identification information t of the positive tuple, and generates a cipher element ci including a vector indicated in Formula 3, when the variable ρ(i) is a negative tuple (t, v→i), using a basis vector bt,i(i=1, . . . , 2nt) indicated by identification information t of the negative tuple, and a ciphertext transmission part which transmits to the decryption device, a ciphertext cts including: the cipher element ci generated for each integer i=1, . . . , L by the cipher element ci generation part; the variable ρ(i); and the matrix M, and wherein the decryption device of the cryptographic processing system includes a decryption key reception part which receives the decryption key usk transmitted by the decryption key transmission part of at least one key generation device among the d units of key generation devices, a data reception part which receives the ciphertext cts transmitted by the ciphertext transmission part, a complementary coefficient calculation part which, based on the attribute information x→t included in the decryption key usk received by the decryption key reception part, and the variable ρ(i) included in the ciphertext cts received by the data reception part, specifies, among integers i=1, . . . , L, a set I of an integer i for which the variable ρ(i) is a positive tuple (t, v→i), the decryption key usk including x→t indicated by identification information t of the positive tuple being received by the decryption key reception part, and with which an inner-product of v→i of the positive tuple and the attribute information x→t indicated by the identification information t of the positive tuple becomes 0, and an integer i for which the variable ρ(i) is a negative tuple (t, v→i), the decryption key usk including x→t indicated by identification information t of the negative tuple being received by the decryption key reception part, and with which an inner-product of v→i of the negative tuple and the attribute information x→t indicated by the identification information t of the negative tuple does not become 0; and calculates, concerning i included in the set I specified, a complementary coefficient αi with which a total of αiMi based on Mi which is an element on an i-th row of the matrix M included in the ciphertext cts becomes the predetermined vector h→, and a pairing operation part which calculates predetermined information K by conducting a pairing operation indicated in Formula 4 for the cipher element ci included in the ciphertext cts and the key element k*t included in the decryption key usk based on the set I and the complementary coefficient αi which are calculated by the complementary coefficient calculation part,((δ+1)xt,1,…,(δ+1)xt,nt,︷nt-δxt,1,…,-δxt,nt,︷nt,0,…,0)Bt*[Formula1](si+θivi,1,θivi,2,…,θivi,nt,︷ntsi′+θi′vi,1,θi′vi,2,…,θi′vi,nt,︷nt0,…,0)Bt[Formula2](sivi,1,…,sivi,nt,︷ntst′vi,1,…,s′vi,nt,︷nt0,…,0)Bt[Formula3]K:=∏i∈I⋀ρ(i)=(t,v→i)e(ci,kt*)αi·∏i∈I⋀ρ(i)=⫬(t,v→i)e(ci,kt*)αi/(v→i·x→t).[Formula4] |