WO2024157662A1 - Message presentation system and message presentation method - Google Patents

Info

Publication number
WO2024157662A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
encryption
key
presentation
owner
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2023/045460
Other languages
French (fr)
Japanese (ja)
Inventor
渉 中村
健太 高橋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to a message presentation system and a message presentation method.
  • In some message presentation systems, a DB (database) stores an encrypted message obtained by performing an encryption process on an electronically represented message, a user restores the message by performing a decryption process on the encrypted message, and the message or data calculated based on the message is presented to a third-party verifier.
  • Non-Patent Document 1 discloses a method in which credentials are handled as an example of a message, an Identity Hub as an example of a DB stores encrypted credentials, and an identity entity as an example of a user decrypts the credentials and presents the decrypted credentials or data obtained based on the credentials.
  • Non-Patent Document 1: "Blockchain-enabled decentralized identity management: The case of self-sovereign identity in public transportation", Blockchain Research and Applications, Volume 2, Issue 2, June 2021, [Retrieved December 2, 2022], Internet <https://www.sciencedirect.com/science/article/pii/S2096720921000099>
  • In the method of Non-Patent Document 1, the decrypted message appears temporarily on the presentation device used by the user for presentation. If the presentation device is not properly managed, the temporarily appearing message may therefore be leaked. One aspect of the present invention accordingly reduces both the risk of message leakage from the DB and the risk of message leakage from the presentation device.
  • The message presentation system includes a DB that holds a first encrypted message generated by a first encryption process using a first encryption key for a message, an encryption device that holds a second encryption key, and a presentation device that holds a first decryption key corresponding to the first encryption key. The DB transmits the first encrypted message to the encryption device. The encryption device generates a doubly encrypted message by performing a second encryption process on the first encrypted message using the second encryption key, and transmits the doubly encrypted message to the presentation device. The presentation device generates a second encrypted message by performing a first decryption process on the doubly encrypted message using the first decryption key, generates, based on the second encrypted message, a second encrypted message for transmission from which a function value of the message according to a predetermined function can be restored using the second decryption key corresponding to the second encryption key, and outputs the second encrypted message for transmission.
  • the risk of message leakage from the DB and the risk of message leakage from the presentation device are reduced.
  • FIG. 1 is a block diagram showing a configuration example of a message presentation system according to a first embodiment.
  • FIG. 2 is a block diagram illustrating an example of a hardware configuration of a computer that constitutes each entity included in the message presentation system according to the first embodiment.
  • FIG. 3 is a sequence diagram illustrating an example of an issuer key pair generation process in the first embodiment.
  • FIG. 4 is a sequence diagram illustrating an example of an owner certification key pair generation process according to the first embodiment.
  • FIG. 5 is a sequence diagram illustrating an example of a first encryption key pair generation process in the first embodiment.
  • FIG. 6 is a sequence diagram illustrating an example of an issuing process in the first embodiment.
  • FIG. 7 is a sequence diagram illustrating an example of a presentation process according to the first embodiment.
  • FIG. 8 is a sequence diagram illustrating an example of a content confirmation process according to the first embodiment.
  • FIG. 9 is a block diagram showing a configuration example of a message presentation system according to a second embodiment.
  • FIG. 10 is a sequence diagram illustrating an example of an owner key generation process according to the second embodiment.
  • FIG. 11 is a sequence diagram illustrating an example of an owner key recovery process according to the second embodiment.
  • a message is any data such as a character string, an image, or a value that is electronically represented.
  • a name, address, date of birth, gender, purchase history, and credit card usage history that are electronically represented are all examples of messages.
  • any data for example, attribute information such as name, address, date of birth, and gender included in a driver's license
  • any certificate such as a driver's license, My Number card, employment history certificate, education certificate, course completion certificate, vaccination certificate, employee ID card, student ID card, and membership card that are electronically represented are all examples of messages.
  • In the following, messages are assumed to be electronically represented, and the proviso "electronically represented" is omitted.
  • [System configuration] FIG. 1 is a block diagram showing a configuration example of a message presentation system.
  • the message presentation system 10 includes, for example, an issuer key pair generation device 100, an issuer private key DB 110, an issuer public key DB 120, an owner certification key pair generation device 130, an owner certification private key DB 140, an owner verification public key DB 150, a first encryption key pair generation device 160, a first encryption key DB 170, a first decryption key DB 180, an issuing device 200, a first encryption device 250, an encrypted message DB 260, a second encryption key pair generation device 300, a second encryption device 350, a presentation device 400, a verification device 450, and a content confirmation device 500.
  • the issuer key pair generation device 100, the issuer private key DB 110, the issuer public key DB 120, the owner certification key pair generation device 130, the owner certification private key DB 140, the owner verification public key DB 150, the first encryption key pair generation device 160, the first encryption key DB 170, the first decryption key DB 180, the issuing device 200, the first encryption device 250, the encrypted message DB 260, the second encryption key pair generation device 300, the second encryption device 350, the presentation device 400, the verification device 450, and the content confirmation device 500 are connected to each other via a network 900.
  • the network 900 may be wired or wireless.
  • the Internet, a local network within an organization, etc. are examples of the network 900.
  • the network within the device may also be considered to be part of the network 900.
  • the issuer key pair generation device 100 generates an issuer private key and an issuer public key.
  • the issuer key pair generation device 100 includes, for example, a communication unit 101 and an issuer key pair generation unit 102, both of which are functional units.
  • the issuer key pair generation device 100 is operated, for example, by a message issuer (hereinafter simply referred to as the "issuer") or a system administrator.
  • the issuer may be an individual, a public institution such as a national or local government, or an organization such as a private company.
  • the issuer private key is used to generate an issuance certificate.
  • the issuer public key is used to verify a presentation certificate generated based on the issuance certificate.
  • the owner certification key pair generation device 130 generates an owner certification private key and an owner verification public key.
  • the owner certification key pair generation device 130 includes, for example, a communication unit 131 and an owner certification key pair generation unit 132, both of which are functional units.
  • the owner certification key pair generation device 130 is operated, for example, by the owner of the message (hereinafter also simply referred to as the "owner") or a system administrator. However, the owner is referred to as the owner even before the time when the message is owned (for example, the time when the message is stored in the encrypted message DB 260).
  • the owner certification private key is used for generating a presentation proof, etc.
  • the first encryption key pair generation device 160 generates a first encryption key and a first decryption key.
  • the first encryption key pair generation device 160 includes, for example, a communication unit 161 and a first encryption key pair generation unit 162, both of which are functional units.
  • the first encryption key pair generation device 160 is operated, for example, by the owner or a system administrator.
  • the first encryption key is used in the first encryption process for the message and issuance certificate.
  • the first decryption key is used in the first decryption process for the first encrypted message, the first encrypted issuance certificate, and the doubly encrypted message.
  • the issuing device 200 generates a message and an issuance certificate.
  • the issuing device 200 includes, for example, a communication unit 201, a message generation unit 202, and an issuance certificate generation unit 203, which are all functional units.
  • the issuing device 200 is operated, for example, by an issuer.
  • the first encryption device 250 performs a first encryption process on the message and the issuance certificate to generate a first encrypted message and a first encrypted issuance certificate.
  • the first encryption device 250 includes, for example, a communication unit 251 and a first encryption unit 252, both of which are functional units.
  • the first encryption device 250 is operated, for example, by the issuer or the owner.
  • the first encryption device 250 may be a terminal that is physically the same as the issuing device 200 or the encrypted message DB 260.
  • the second encryption key pair generation device 300 generates a second encryption key and a second decryption key.
  • the second encryption key pair generation device 300 includes, for example, a communication unit 301 and a second encryption key pair generation unit 302, both of which are functional units.
  • the second encryption key pair generation device 300 receives a request for a second encryption key pair generation process from another entity (for example, the second encryption device 350, the presentation device 400, the verification device 450, or the encrypted message DB 260) and performs the process.
  • the second encryption key pair generation device 300 may be a terminal that is physically the same as the second encryption device 350, the verification device 450, or the encrypted message DB 260.
  • the second encryption key is used in the second encryption process for the first encrypted message.
  • the second decryption key is used in the second decryption process for the converted second encrypted message.
  • the second encryption device 350 performs a second encryption process on the first encrypted message to generate a doubly encrypted message.
  • the second encryption device 350 includes, for example, a communication unit 351 and a second encryption unit 352, both of which are functional units.
  • the second encryption device 350 performs the process upon receiving a request for the second encryption process from another entity (for example, the second encryption key pair generation device 300, the presentation device 400, the verification device 450, or the encrypted message DB 260).
  • the second encryption device 350 may be a terminal that is physically the same as the second encryption key pair generation device 300 or the encrypted message DB 260.
  • the presentation device 400 performs a first decryption process on the doubly encrypted message and the first encrypted issuance certificate to generate a second encrypted message and restore the issuance certificate, and then performs a presentation conversion on the second encrypted message to generate a converted second encrypted message and further generate a presentation certificate.
  • the presentation device 400 includes, for example, a communication unit 401, a first decryption unit 402, a presentation conversion unit 403, and a presentation certificate generation unit 404, all of which are functional units.
  • the presentation device 400 is operated, for example, by the owner.
  • the verification device 450 restores the function value of the message by performing a second decryption process on the converted second encrypted message. Then, the verification device 450 performs a verification process using the restored function value of the message and the presentation proof to verify whether the function value of the message (or the message itself) has been presented by a legitimate owner.
  • the verification device 450 includes, for example, a communication unit 451, a second decryption unit 452, a verification unit 453, and an output unit 454, all of which are functional units.
  • the verification device 450 is operated, for example, by a person to whom the function value of the message is presented (hereinafter also referred to as a "verifier").
  • the content confirmation device 500 restores the message by performing a first decryption process on the first encrypted message.
  • the content confirmation device 500 includes, for example, a communication unit 501, a first decryption unit 502, and an output unit 503, all of which are functional units.
  • the content confirmation device 500 is operated, for example, by an owner and used to confirm the contents of a message owned by the owner. Since the message is decrypted in the content confirmation device 500, it is desirable that the content confirmation device 500 be a device that is more secure against information leakage than the presentation device 400.
  • each device may receive processing requests from other entities and perform some or all of the processing automatically in response to the requests.
  • Each private key should be managed so that it is accessible from a device using the private key when the device is operated or managed by a legitimate person, but is difficult to access in other cases.
  • any authentication means can be used, for example, using a password, a physical token, biometric information, or a combination of these.
  • Each public key may be made public, and it is sufficient that it is accessible at least from a device using the public key.
  • the management method for each decryption key is, for example, the same as the management method for each private key.
  • the first encryption key is an encryption key in a public key cryptosystem
  • the first encryption key can be made public.
  • the management method of the first encryption key is, for example, the same as the management method of each private key.
  • the system may not have the first encryption key DB 170 and may perform encryption processing using the first decryption key.
  • FIG. 2 is a block diagram showing an example of the hardware configuration of the computers constituting each entity included in the message presentation system 10 in the first embodiment.
  • the computer 10000 has, for example, a CPU (Central Processing Unit) 10001, a memory 10002, an auxiliary storage device 10003, an input device 10004, an output device 10005, a communication device 10006, and a reading device 10007.
  • the CPU 10001 includes a processor and executes programs stored in the memory 10002.
  • the memory 10002 includes a ROM (Read Only Memory), which is a non-volatile storage element, and a RAM (Random Access Memory), which is a volatile storage element.
  • the ROM stores immutable programs (e.g., BIOS (Basic Input/Output System)).
  • the RAM is a high-speed, volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores programs executed by the CPU 10001 and data used when the programs are executed.
  • the auxiliary storage device 10003 is, for example, a large-capacity, non-volatile storage device such as a magnetic storage device (HDD (Hard Disk Drive)) or a flash memory (SSD (Solid State Drive)), and stores the programs executed by the CPU 10001 and data used when the programs are executed. In other words, the programs are read from the auxiliary storage device 10003, loaded into the memory 10002, and executed by the CPU 10001.
  • the input device 10004 is a device, such as a keyboard or mouse, that receives input from an operator.
  • the output device 10005 is a device, such as a display device or printer, that outputs the results of program execution in a format that can be viewed by the operator.
  • the communication device 10006 is a network interface device that controls communication with other devices according to a specific protocol.
  • the communication device 10006 may also include a serial interface such as a Universal Serial Bus (USB).
  • a part or all of the programs executed by the CPU 10001 may be provided to the computer 10000 from a removable medium (CD-ROM, flash memory, etc.) that is a non-transitory storage medium, or via a network from an external computer equipped with a non-transitory storage device, and may be stored in the non-volatile auxiliary storage device 10003, which is a non-transitory storage medium.
  • the reading device 10007 is, for example, an interface device that reads data from such removable media.
  • Each entity is a computer system configured on one physical computer 10000, or on multiple computers 10000 configured logically or physically, and may operate in separate threads on the same computer 10000, or may operate on a virtual computer constructed on multiple physical computer resources.
  • the CPU 10001 included in the computer 10000 constituting each device includes the functional units of the device described in FIG. 1.
  • the CPU 10001 included in the computer 10000 constituting the issuer key pair generation device 100 includes, for example, a communication unit 101 and an issuer key pair generation unit 102.
  • the CPU 10001 included in the computer 10000 constituting the issuer key pair generation device 100 functions as the communication unit 101 by operating according to a communication program loaded into a memory 10002 included in the computer 10000, and functions as the issuer key pair generation unit 102 by operating according to an issuer key pair generation program loaded into the memory 10002.
  • the relationship between the program and the functional unit is similar for other functional units included in the CPU 10001 included in the computer 10000 constituting other devices.
  • each device may be realized by hardware such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array).
  • the information held by each entity included in the message presentation system 10 is stored in the memory 10002 or auxiliary storage device 10003 of the computer 10000 constituting the entity.
  • the information used by the message presentation system 10 may be expressed in any data structure, without depending on a particular data structure.
  • the information may be stored in a data structure appropriately selected from a list, a table, a database, or a queue.
  • some or all of the DBs included in the message presentation system 10 may be realized by IC (Integrated Circuit) cards or removable media.
  • In this case, instead of each device sending data to a DB, the device writes the data to the IC card or removable media, and instead of each DB sending data to each device, the device reads the data from the IC card or removable media.
  • the encrypted message DB 260 transmits the first encrypted message to the second encryption device 350.
  • the second encryption device 350 generates a doubly encrypted message by performing a second encryption process on the first encrypted message, and transmits it to the presentation device 400.
  • the presentation device 400 generates a second encrypted message by performing a first decryption process on the doubly encrypted message, and transmits it to the verification device 450.
  • the verification device 450 decrypts the message by performing a second decryption process on the second encrypted message. In this manner, the message is presented from the presentation device 400 to the verification device 450.
  • the message itself is not sent from the presentation device 400 to the verification device 450, but rather a second encrypted message is sent.
  • the objective may be to present a function value of a message.
  • For example, a message may consist of a pair of two values (m_1, m_2), and the objective is to present m_1+m_2 as the function value.
  • Here, the symbol "_" denotes a subscript. Presenting the function value of a message, rather than the message itself, is effective in preventing the owner from presenting more information than necessary when the verifier requests the presentation of the function value of the message.
  • the presentation transformation is an identity transformation (including the case where the presentation transformation is not executed) and the function value of the message is the message itself.
  • the encrypted message DB 260 transmits a first encrypted message to the second encryption device 350.
  • the second encryption device 350 generates a doubly encrypted message by performing a second encryption process on the first encrypted message, and transmits the message to the presentation device 400.
  • the presentation device 400 generates a second encrypted message by performing a first decryption process on the doubly encrypted message.
  • the presentation device 400 generates a converted second encrypted message by performing a presentation conversion on the second encrypted message, and transmits the converted message to the verification device 450.
  • the verification device 450 restores the function value of the message by performing a second decryption process on the converted second encrypted message. In this way, the function value of the message is presented from the presentation device 400 to the verification device 450.
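A minimal sketch of the flow described above, added here as an illustration and not taken from the patent: both encryption methods are modelled by a commutative exponentiation cipher (x → x^k mod P), which is an assumption, since this part of the text does not specify the schemes. The modulus `P`, the base `G` and all function names are hypothetical toy choices; the sum m_1+m_2 is obtained by encoding each value as G^m so that multiplying ciphertexts adds the values.

```python
import math
import secrets

# Toy parameters (assumptions for this sketch, not values from the patent).
P = 2**127 - 1   # prime modulus; far too small and smooth for real use
G = 3            # base for encoding small integers "in the exponent"

def keygen():
    """Return (enc, dec) exponents with enc * dec = 1 mod (P - 1)."""
    while True:
        enc = secrets.randbelow(P - 3) + 2
        if math.gcd(enc, P - 1) == 1:
            return enc, pow(enc, -1, P - 1)

def layer(key, x):
    """Add or strip one layer: x -> x^key mod P. Layers commute."""
    return pow(x, key, P)

def present(plain_parts, enc1, dec1):
    """Run the presentation flow over a list of group elements.

    Returns (value restored by the verifier, set of values the presenter saw).
    Multiplying the parts is this sketch's 'presentation conversion'; with a
    single part it is the identity conversion.
    """
    # First encryption device 250 -> encrypted message DB 260
    db_record = [layer(enc1, m) for m in plain_parts]
    # Second encryption key pair generation device 300: fresh pair per run
    enc2, dec2 = keygen()
    # Second encryption device 350: doubly encrypted message
    doubly = [layer(enc2, c) for c in db_record]
    # Presentation device 400: first decryption leaves only the second layer
    second_only = [layer(dec1, c) for c in doubly]
    converted = math.prod(second_only) % P
    presenter_view = set(doubly) | set(second_only) | {converted}
    # Verification device 450: second decryption
    return layer(dec2, converted), presenter_view

def present_message(message: bytes):
    """Identity conversion: the verifier restores the message itself."""
    m = int.from_bytes(message, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to an integer in 1..P-1")
    enc1, dec1 = keygen()
    restored, seen = present([m], enc1, dec1)
    leaked = m in seen  # did the plaintext ever appear at the presenter?
    return restored.to_bytes((restored.bit_length() + 7) // 8, "big"), leaked

def present_sum(m1, m2, bound=1000):
    """Function value m_1 + m_2: the verifier learns the sum only."""
    enc1, dec1 = keygen()
    parts = [pow(G, m1, P), pow(G, m2, P)]
    restored, seen = present(parts, enc1, dec1)
    leaked = any(p in seen for p in parts)
    # The verifier holds G^(m1+m2) and searches the small expected range.
    acc = 1
    for s in range(bound):
        if acc == restored:
            return s, leaked
        acc = acc * G % P
    raise ValueError("sum outside search bound")

if __name__ == "__main__":
    print(present_message(b"age=34"))   # constructed sample message
    print(present_sum(17, 25))          # constructed sample values
```

The exponentiation cipher is deterministic, so identical messages yield identical records in the DB; it stands in here only to make the layer-commuting property visible.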
  • the issuing device 200 generates an issuance proof together with the message.
  • the issuance proof is information for proving, for example, the contents of the message and the legitimacy of the owner.
  • the presentation device 400 generates a presentation proof based on the issuance proof.
  • the presentation proof is information for proving, for example, the legitimacy of the function value of the presented message and that the presentation process is being performed by the correct owner.
  • This processing flow for messages, issuance proofs, and presentation proofs can be used, for example, in systems related to self-sovereign identity and decentralized identity.
  • the process in which a message is generated together with an issuance certificate by the issuing device 200 is merely one example, and the present invention can be used for any message, not just messages generated in this way.
  • the first encryption device 250 receives the message, and each entity performs the same process as in this embodiment as the subsequent process.
  • the issuance certificate does not necessarily have to be generated.
  • the message presentation system 10 may omit subsequent processing related to the issuance certificate, and may also omit the generation and storage of the issuer key pair.
  • the message presentation system 10 may not be provided with a functional unit and DB corresponding to each omitted process.
  • the message presentation system 10 may generate a presentation certificate even when the issuance certificate is not generated.
  • the message presentation system 10 may omit subsequent processing related to the presentation certificate (e.g., the verification process by the verification device 450), and may also omit the generation and storage of the owner certification key pair.
  • [Processing flow] FIG. 3 is a sequence diagram showing an example of an issuer key pair generation process in the first embodiment.
  • the issuer key pair generation unit 102 generates an issuer private key and an issuer public key.
  • In step S1102, the communication unit 101 of the issuer key pair generation device 100 transmits the generated issuer private key to the issuer private key DB 110.
  • In step S1111, the issuer private key DB 110 stores the issuer private key.
  • In step S1103, the communication unit 101 of the issuer key pair generation device 100 transmits the generated issuer public key to the issuer public key DB 120.
  • In step S1121, the issuer public key DB 120 stores the issuer public key.
  • FIG. 4 is a sequence diagram showing an example of an owner certification key pair generation process in the first embodiment.
  • the owner certification key pair generation unit 132 generates an owner certification private key and an owner verification public key.
  • In step S2132, the communication unit 131 of the owner certification key pair generation device 130 transmits the generated owner certification private key to the owner certification private key DB 140.
  • In step S2141, the owner certification private key DB 140 stores the owner certification private key.
  • In step S2133, the communication unit 131 of the owner certification key pair generation device 130 transmits the generated owner verification public key to the owner verification public key DB 150.
  • In step S2151, the owner verification public key DB 150 stores the owner verification public key.
  • FIG. 5 is a sequence diagram showing an example of a first encryption key pair generation process in the first embodiment.
  • the first encryption key pair generation unit 162 performs a key pair generation process of the first encryption method to generate a first encryption key and a first decryption key.
  • a specific example of the first encryption method will be described later.
  • In step S3162, the communication unit 161 of the first encryption key pair generation device 160 transmits the generated first encryption key to the first encryption key DB 170.
  • In step S3171, the first encryption key DB 170 stores the first encryption key.
  • In step S3163, the communication unit 161 of the first encryption key pair generation device 160 transmits the generated first decryption key to the first decryption key DB 180.
  • In step S3181, the first decryption key DB 180 stores the first decryption key.
  • FIG. 6 is a sequence diagram showing an example of an issuance process in the first embodiment.
  • the issuer private key DB 110 transmits the stored issuer private key to the issuing device 200.
  • In step S4201, the message generation unit 202 generates a message.
  • In step S4151, the owner verification public key DB 150 transmits the stored owner verification public key to the issuing device 200. Note that, to confirm that the transmitted owner verification public key belongs to the owner who is the subject of the issuance process, the issuing device 200 may, for example, request the owner certification private key DB 140 of that owner to transmit a proof of knowledge of the owner certification private key, and verify the received proof of knowledge.
  • In step S4202, the issuance certificate generation unit 203 generates an issuance certificate using the issuer private key, the owner verification public key, and the generated message. Note that the issuance certificate generation unit 203 does not need to use the owner verification public key to generate the issuance certificate, but using the owner verification public key allows the verifier to verify information about the owner to whom the certificate is issued. If the owner verification public key is not used, the message presentation system 10 may omit the processing of step S4151.
  • In step S4203, the communication unit 201 of the issuing device 200 transmits the generated message and the issuance certificate to the first encryption device 250.
  • In step S4171, the first encryption key DB 170 transmits the stored first encryption key to the first encryption device 250.
  • the first encryption unit 252 performs a first encryption process using a first encryption key on the generated message to generate a first encrypted message.
  • the first encryption unit 252 also performs a first encryption process using the first encryption key on the generated issuance certificate to generate a first encrypted issuance certificate.
  • the first encryption process is, for example, an encryption process using the first encryption method.
  • In step S4252, the communication unit 251 of the first encryption device 250 transmits the generated first encrypted message and the first encrypted issuance certificate to the encrypted message DB 260.
  • In step S4261, the encrypted message DB 260 stores the first encrypted message and the first encrypted issuance certificate.
  • FIG. 7 is a sequence diagram showing an example of the presentation process in the first embodiment.
  • the encrypted message DB 260 transmits the stored first encrypted message to the second encryption device 350.
  • the encrypted message DB 260 transmits the stored first encrypted issuance certificate to the presentation device 400.
  • In step S5301, the second encryption key pair generation unit 302 performs a key pair generation process for the second encryption method to generate a second encryption key and a second decryption key.
  • the communication unit 301 of the second encryption key pair generation device 300 transmits the generated second encryption key to the second encryption device 350.
  • In step S5303, the communication unit 301 of the second encryption key pair generation device 300 transmits the generated second decryption key to the verification device 450.
  • In step S5351, the second encryption unit 352 performs a second encryption process on the first encrypted message using the second encryption key, thereby generating a doubly encrypted message.
  • An example of the second encryption process is an encryption process using the second encryption method.
  • the second encryption process may be an internal encryption process, which will be described later.
  • In step S5352, the communication unit 351 of the second encryption device 350 transmits the generated doubly encrypted message to the presentation device 400.
  • the first decryption key DB 180 transmits the stored first decryption key to the presentation device 400.
  • In step S5141, the owner certification private key DB 140 transmits the stored owner certification private key to the presentation device 400.
  • In step S5401, the first decryption unit 402 performs a first decryption process on the doubly encrypted message using the first decryption key to generate a second encrypted message.
  • An example of the first decryption process is a decryption process using the first encryption method.
  • the first decryption unit 402 also performs a decryption process using the first encryption method on the first encrypted issuance certificate using the first decryption key to restore the issuance certificate.
  • In step S5402, the presentation conversion unit 403 performs a presentation conversion using the generated second encrypted message and the restored issuance certificate to generate a converted second encrypted message.
  • In step S5403, the communication unit 401 of the presentation device 400 transmits the generated converted second encrypted message to the verification device 450.
  • If the presentation conversion is an identity conversion (including the case where the presentation conversion is not performed), the converted second encrypted message is the same as the second encrypted message.
  • a second encrypted message generated using a presentation conversion other than an identity conversion and a second encrypted message generated using an identity conversion (including the case where the presentation conversion is not performed) are collectively referred to simply as a second encrypted message or as a transmission second encrypted message.
  • In step S5404, the presentation proof generating unit 404 generates a presentation proof.
  • the presentation proof generating unit 404 may use at least one of the second encrypted message and the issuance proof, or may receive data such as a random number from the verification device 450 and use the received data.
  • the communication unit 401 of the presentation device 400 transmits the generated presentation proof to the verification device 450.
  • In step S5451, the second decryption unit 452 performs a second decryption process using the second decryption key on the converted second encrypted message to restore the function value of the message.
  • the combination of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process is appropriately set so that the function value of the message can be correctly restored by the second decryption process when the series of processes is performed correctly. Examples of combinations of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process will be described later.
  • the probability that the function value of the message can be correctly restored by the second decryption process when the series of processes is performed correctly does not necessarily have to be 1. However, in order to achieve the goal of presenting the function value of the message, it is desirable for this probability to be as high as possible.
  • In step S5452, the verification unit 453 performs a verification process using the proof for presentation and the function value of the restored message, and outputs the verification result.
  • Examples of the output verification results are "verification success" or "verification failure". It is assumed that the combination of the proof for issuance generation process, the proof for presentation generation process, and the verification process is appropriately set so that the verification result is "verification success" with a high probability if the series of processes is performed correctly, and the verification result is "verification failure" with a high probability if any fraud has occurred in the series of processes. Specific examples of combinations of the proof for issuance generation process, the proof for presentation generation process, and the verification process will be described later.
  • In step S5453, the output unit 454 outputs the function value of the restored message and the verification result.
  • the output destination to which the output unit 454 outputs the function value of the restored message and the verification result may be the output device 10005 (display screen) included in the computer 10000 constituting the verification device 450, or may be any output means, such as another device connected to the verification device 450.
  • FIG. 8 is a sequence diagram showing an example of content confirmation processing in the first embodiment.
  • the encrypted message DB 260 transmits the stored first encrypted message to the content confirmation device 500.
  • the first decryption key DB 180 transmits the stored first decryption key to the content confirmation device 500.
  • In step S6501, the first decryption unit 502 performs a first decryption process on the first encrypted message using the first decryption key to restore the message.
  • In step S6502, the output unit 503 outputs the decrypted message.
  • the output destination to which the output unit 503 outputs the restored message may be the output device 10005 (display screen) included in the computer 10000 constituting the content confirmation device 500, or may be any output means, such as another device connected to the content confirmation device 500.
  • the initial processing by each entity may be started, for example, by receiving a processing start request from a user operating the entity, by receiving a processing start request from another entity, or by receiving specified data, and the conditions for starting processing may be determined in advance.
  • the second encryption key pair generation device 300 may start processing in the presentation process by receiving a processing start request from the presentation device 400.
  • the processing start request from the presentation device 400 to the second encryption key pair generation device 300 may be made by the presentation device 400 receiving a request to start the presentation process from the owner.
  • an entity requiring the data may send a transmission request to an entity that holds the data, and in response to the transmission request, the entity that holds the data may transmit the data.
  • the transmission request may include a request to an operator or administrator of each entity.
  • the entity requiring the first decryption key may display text or output audio guidance to the administrator (i.e., the owner) of the IC card to hold the IC card over the entity.
  • Each encryption method includes a key pair generation process, an encryption process, and a decryption process.
  • devices that perform the key pair generation process, the encryption process, and the decryption process are called a key pair generation device, an encryption device, and a decryption device, respectively.
  • the message to be encrypted is denoted as m, the encryption key as ek, the decryption key as dk, the encrypted message to be decrypted as c, and the decrypted message as m'.
  • the key pair generation process, encryption process, and decryption process included in encryption method X are denoted as KG_X, Enc_X, and Dec_X, respectively.
  • the result of the encryption process for m using ek is denoted as Enc_X(m;ek), and the result of the decryption process for c using dk as Dec_X(c;dk).
  • Encryption method A is, for example, the following common key encryption method.
  • m is an element of a commutative group, the group operation is represented by "+", and the inverse operation of + is represented by "-".
  • s may be a function value for another random number s' (e.g., a value obtained by a pseudorandom number generator).
  • s' may be stored instead of ek and dk, and s may be calculated from s' during encryption and decryption processes.
  • the encryption method B is, for example, ElGamal encryption.
  • m is an element of a commutative group.
  • each process is defined as follows.
  • g is the generator of the commutative group, and the symbol "^" represents a power.
  • c and list L are input, and the decryption device outputs m' and the updated list L'.
  • (m', L') is calculated as follows.
  • the decryption device obtains from list L the auxiliary ciphertext z that was added to list L in the encryption process performed using ek corresponding to dk.
  • the decryption device also defines L' as list L with z removed. However, removing z from L is not essential, and list L' may be defined as list L itself.
  • the encryption method C may be, for example, any public key encryption method that is homomorphic.
  • the encryption method C has the property that for two messages m[1] and m[2], Enc_C(m[1]+m[2];ek) can be calculated from Enc_C(m[1];ek) and Enc_C(m[2];ek).
  • the operation + does not necessarily have to be additive, and may be any operation related to groups.
  • the operation - may be the inverse operation of +.
  • any public key encryption method that is homomorphic, such as RSA encryption, ElGamal encryption, Lifted-ElGamal encryption, or Paillier encryption, may be used as the encryption method C.
  • the first encryption key will be represented as ek_1, and the second encryption key as ek_2.
  • the decryption keys, variables, functions, and processes will be distinguished between those of the first encryption method and those of the second encryption method by subscripts.
  • for example, those of the first encryption method will be represented as dk_1, s_1, h_1, Enc_1, Dec_1, etc.
  • the first encrypted message will be represented as q_1, the doubly encrypted message as q_12, and the second encrypted message as q_2.
  • the first encryption process is an encryption process using the first encryption method
  • the second encryption process is an encryption process using the second encryption method
  • the first decryption process is a decryption process using the first encryption method
  • the presentation conversion process is an identity conversion
  • the second decryption process is a decryption process using the second encryption method
  • the first encryption method is encryption method A
  • the second encryption method is encryption method A.
  • the first encryption method is encryption method B
  • the second encryption method is encryption method B.
  • the third specific example will be explained.
  • the first encryption method is encryption method A
  • the second encryption method is encryption method B.
  • the commutative group in encryption method A is the same as the commutative group in encryption method B.
  • If the encryption processes of the first and second encryption methods are interchangeable, that is, if for any message the ciphertext obtained by performing the first encryption process using the first encryption method and then the second encryption process using the second encryption method is equal to the ciphertext obtained by performing the second encryption process using the second encryption method and then the first encryption process using the first encryption method (where, if random numbers are used internally in the first encryption process, those random numbers are set to the same value before comparison, and likewise for random numbers used internally in the second encryption process), then the message can be correctly decrypted by setting the first encryption process to an encryption process using the first encryption method, the second encryption process to an encryption process using the second encryption method, the first decryption process to a decryption process using the first encryption method, the presentation conversion process to an identity conversion, and the second decryption process to a decryption process using the second encryption method.
  • the first encryption method is encryption method C and the second encryption method is encryption method A.
  • the first encryption process is encryption process of the first encryption method
  • the first decryption process is decryption process of the first encryption method
  • the presentation conversion process is identity conversion
  • the second decryption process is decryption process of the second encryption method
  • ek_1 is a public key
  • it is possible for the second encryption device 350 to use ek_1 while maintaining security.
  • a process is performed to generate a ciphertext obtained by encryption process using the first encryption method for the "ciphertext obtained by encryption process using the second encryption method for the message" from the ciphertext obtained by encryption process using the first encryption method for the message. This process is referred to as internal encryption.
  • m can be correctly decrypted by setting the first encryption process to an encryption process using the first encryption method, the second encryption process to an internal encryption process, the first decryption process to a decryption process using the first encryption method, the presentation conversion process to an identity conversion, and the second decryption process to a decryption process using the second encryption method.
  • q_12 = Enc_A(Enc_A(m; ek_2); ek_1).
  • the first specific example can be considered to be an example in which the first encryption process is an encryption process using the first encryption method, the second encryption process is an internal encryption process, the first decryption process is a decryption process using the first encryption method, the presentation conversion process is an identity conversion, and the second decryption process is a decryption process using the second encryption method.
  • the first encryption process is an encryption process of the first encryption method
  • the second encryption process is an encryption process of the second encryption method
  • the first decryption process is an internal decryption process
  • the presentation conversion process is an identity conversion
  • the second decryption process is a decryption process of the second encryption method
  • the first specific example can also be considered as an example in which the first encryption process is an encryption process of the first encryption method, the second encryption process is an encryption process of the second encryption method, the first decryption process is an internal decryption process, the presentation conversion process is an identity conversion, and the second decryption process is a decryption process of the second encryption method.
  • the second encrypted message is in the form of an encrypted message obtained by performing encryption processing of the second encryption method on the message.
  • the message can be restored by the second decryption processing by using a combination of the first encryption processing, the second encryption processing, and the first decryption processing such that the second encrypted message satisfies these conditions.
  • message m consists of one or more sets of messages m[1], m[2], ..., m[n] (where n is an integer equal to or greater than 1)
  • each of m[1], m[2], ..., m[n] is called a message element.
  • the method of the first specific example is applied independently to m[1] and m[2].
  • the second encryption keys corresponding to m[1] and m[2] are represented as ek_2[1] and ek_2[2], respectively, and the second decryption keys corresponding to m[1] and m[2] are represented as dk_2[1] and dk_2[2], respectively.
  • the second encryption key pair generation device 300 may transmit (dk_2[1], dk_2[2]) as the second decryption key to the verification device 450, or dk_2[1]+dk_2[2] may be transmitted. As in this example, only the data necessary for the second decryption may be transmitted, rather than the second decryption key itself.
  • the combination of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process must be designed appropriately.
  • encryption method A' is a method that uses the same process as encryption method A but targets a non-commutative group
  • encryption method A' is used instead of encryption method A in specific example 1.
  • the value obtained by sequentially performing the first encryption process, the second encryption process, the first decryption process, and the second decryption process is m + ek_1 + ek_2 - dk_1 - dk_2, but this value does not necessarily match m.
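  • The following is an added example, not code from the patent: a Python sketch of the first specific example (encryption method A for both layers) and of the encryption method A' failure case described above. It assumes encryption method A is ek = dk = s, Enc_A(m;ek) = m + ek, Dec_A(c;dk) = c - dk, as read from the expressions m + ek_1 + ek_2 - dk_1 - dk_2 and (m[1]+s[1],...) that appear on this page; the two groups, the modulus, the sample values and all function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Group:
    """A group: its operation (written "+" on the page), inverse and sampler."""
    op: Callable[[Any, Any], Any]
    inv: Callable[[Any], Any]
    sample: Callable[[], Any]


# Commutative case: integers modulo a prime under addition (constructed modulus).
P = 2**127 - 1
Z_P = Group(
    op=lambda a, b: (a + b) % P,
    inv=lambda a: (-a) % P,
    sample=lambda: secrets.randbelow(P),
)


# Non-commutative case (method A'): permutations of {0, 1, 2} under composition.
def _compose(a, b):
    return tuple(a[x] for x in b)


def _invert(a):
    out = [0] * len(a)
    for i, x in enumerate(a):
        out[x] = i
    return tuple(out)


def _random_perm():
    p = list(range(3))
    secrets.SystemRandom().shuffle(p)
    return tuple(p)


S_3 = Group(op=_compose, inv=_invert, sample=_random_perm)


def keygen(G):
    """KG_A (assumed form): one random group element s, used as both ek and dk."""
    s = G.sample()
    return s, s


def enc(G, m, ek):
    """Enc_A(m; ek) = m + ek (assumed form)."""
    return G.op(m, ek)


def dec(G, c, dk):
    """Dec_A(c; dk) = c - dk (assumed form)."""
    return G.op(c, G.inv(dk))


def present(G, m, key_1, key_2):
    """Run issuance and presentation for one message element.

    Comments name the entity that performs each step in the first embodiment.
    """
    ek_1, dk_1 = key_1
    ek_2, dk_2 = key_2
    q_1 = enc(G, m, ek_1)         # first encryption device 250; stored in DB 260
    q_12 = enc(G, q_1, ek_2)      # second encryption device 350 (sees only q_1)
    q_2 = dec(G, q_12, dk_1)      # presentation device 400 (holds dk_1, not dk_2)
    restored = dec(G, q_2, dk_2)  # verification device 450 (holds dk_2, not dk_1)
    return {"q_1": q_1, "q_12": q_12, "q_2": q_2, "restored": restored}


def present_elements(G, elements):
    """Apply the flow independently per message element, with fresh key pairs
    (ek_1[i], dk_1[i]) and (ek_2[i], dk_2[i]) for each m[i]."""
    return [present(G, m, keygen(G), keygen(G)) for m in elements]


if __name__ == "__main__":
    m = 20240101  # constructed sample message element
    k1, k2 = keygen(Z_P), keygen(Z_P)
    ok = present(Z_P, m, k1, k2)
    print("commutative: restored == m:", ok["restored"] == m)
    print("q_2 equals Enc_2(m; ek_2):", ok["q_2"] == enc(Z_P, m, k2[0]))

    # Fixed, non-commuting keys so the failure is reproducible.
    s1, s2 = (1, 0, 2), (0, 2, 1)
    bad = present(S_3, (0, 1, 2), (s1, s1), (s2, s2))
    print("non-commutative: restored == m:", bad["restored"] == (0, 1, 2))
```

In the commutative case q_2 equals Enc_A(m; ek_2), which is the form the page requires of the second encrypted message for the second decryption to restore m; with non-commuting keys the output is m combined with the commutator of the two keys.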
  • the presentation proof generation unit 404 uses the owner proof private key to generate a knowledge proof of the owner proof private key.
  • the presentation proof generation unit 404 may receive data such as random numbers generated by the verification device 450.
  • the presentation proof generation unit 404 also generates a digital signature for the converted second encrypted message to be presented.
  • the presentation proof generation unit 404 then generates a pair of the issuance proof and the knowledge proof of the owner proof private key as the presentation proof.
  • the verification unit 453 first verifies the knowledge proof of the owner certification private key using the owner verification public key. This allows the verification unit 453 to verify that the person operating the presentation device 400 is the correct owner.
  • the verification unit 453 also uses the owner verification public key to verify the relationship between the second encrypted message and the digital signature for the second encrypted message. This allows the verification unit 453 to verify the fact that the second encrypted message was sent by the owner.
  • Since the function value of the message is decrypted from the second encrypted message using the second decryption key, this also means that the fact that the owner presented the function value of the message is verified. Note that by having the verification device 450 or another entity store the second encrypted message, the digital signature for the second encrypted message, and the second decryption key, it is possible to verify after the fact that the owner presented the function value of the message.
  • the presentation proof generating unit 404 may generate an electronic signature for a pair of the second encrypted message and data such as a random number sent from the verification device 450, and use the generated electronic signature as the presentation proof.
  • the second specific example will be explained.
  • a certificate for issuance is generated using the sanitizable signature method.
  • a message consists of a set of n message elements m[1], m[2], ..., m[n] (n is an integer equal to or greater than 1).
  • f(m) = (m[i_1], ..., m[i_k]), where k is an integer between 1 and n, and {i_1, ..., i_b} is a subset of {1, ..., n}.
  • f(m) is a set consisting of some or all of the message elements contained in m.
  • the presentation proof generation unit 404 determines the presentation proof by (D, H, q_0).
  • the message presentation system 10 can present only a portion of the message and verify the validity of the presented portion. Furthermore, by making one or more of the message elements an owner verification public key or its function value (hash value, etc.), the issuer can prove that the owner verification public key is legitimate. Furthermore, by combining the method of the first specific example with the method of the second specific example, the verification unit 453 can verify that the person operating the presentation device 400 is the legitimate owner and that the legitimate owner has presented the function value of the message.
  • any signature method can be used, not just the sanitized signature method.
  • the presentation certificate is the issuance certificate itself
  • the verification process is the electronic signature verification process.
  • as the first encryption, second encryption, and first decryption processes for the message, those of the first specific example given as a combination of the first encryption process, second encryption process, first decryption process, presentation conversion process, and second decryption process are used for each message element.
  • the message is (m[1]+s[1],m[2]+s[2],...,m[n]+s[n])
  • the second decryption key is (s[1],s[2],...,s[n]).
  • let G_1, G_2, and G_T be groups of order p, and let e be the pairing from the direct product of G_1 and G_2 to G_T.
  • let each message element be an element of the residue class ring Z_p modulo p.
  • let D_0 be the set consisting of the elements of D and 0.
  • let U be the set obtained by removing the elements of D from N.
  • the issuer key pair generation unit 102 randomly selects elements g and h from G_1 and G_2, respectively, that are not identity elements. Furthermore, the issuer key pair generation unit 102 randomly generates (n+2) elements x, y_0, y_1, ..., y_n from Z_p, and sets these elements as the issuer private key. On the other hand, the issuer key pair generation unit 102 determines the issuer public key by pk defined by the following (Equation 1).
  • the issuance proof generation unit 203 randomly generates a random number r from Z_p, and then generates an issuance proof q according to the following (Equation 2).
  • the presentation proof generation unit 404 randomly generates a random number t from Z_p.
  • the aim is to present (m[i_1], ..., m[i_k]), and as additional data for verification, (a_1, a_2) defined in (Equation 3) and (Equation 4) below are also added to obtain the message function value.
  • the presentation conversion unit 403 calculates (a_1', a_2') using the following (Equation 5) and (Equation 6).
  • the presentation conversion unit 403 determines the converted second encrypted message as (m[i_1]+s[i_1],...,m[i_b]+s[i_b],a_1',a_2').
  • the second decryption unit 452 first calculates (m[i_1], ..., m[i_k]) from (m[i_1] + s[i_1], ..., m[i_b] + s[i_b]) using the second decryption key (s[1], s[2], ..., s[n]). Furthermore, since the relationships in (Equation 7) and (Equation 8) below hold, the second decryption unit 452 restores (a_1, a_2) using these relational expressions.
  • the presentation proof generation process and the presentation proof verification process are performed interactively as follows.
  • the presentation proof generation unit 404 generates random numbers k and r, and generates q' using the issuance proof q and the generated k, r, and t as shown in Equation 9 below.
  • the communication unit 401 of the presentation device 400 transmits q' to the verification device 450.
  • If at least one of the first and second components of q' is an identity element, the verification unit 453 outputs "verification failed". Otherwise, the verification unit 453 generates a random number c.
  • the communication unit 451 of the verification device 450 transmits c to the presentation device 400.
  • the presentation proof generation unit 404 calculates s using the following (Equation 10).
  • the communication unit 401 of the presentation device 400 transmits s to the verification device 450.
  • the verification unit 453 calculates B using the following (Equation 11), and outputs "verification successful" if (Equation 12) holds, and outputs "verification failed" if it does not hold.
  • the second encryption key pair generation device 300 may be configured to perform presentation processes for multiple owners. In that case, an ID may be assigned to the key pair for each presentation process so that the verification device 450 can distinguish which presentation process the transmitted second decryption key corresponds to.
  • Each process using each private key may be performed by each DB storing the private key instead of each device receiving the private key.
  • data required for each process using the private key may be transmitted to the DB.
  • the first decryption key DB 180 may receive the doubly encrypted message, perform the first decryption process using the first decryption key on the doubly encrypted message, generate a second encrypted message, and transmit the generated second encrypted message to the presentation device 400.
  • the message presentation system 10 may also perform identity verification to confirm that the owner of the message to be issued is legitimate.
  • Identity verification may be performed by the owner presenting a certificate (e.g., a driver's license, My Number card, or health insurance card) to the issuer in person, or by transmitting information to the issuing device 200 that certifies the owner online.
  • a certificate (e.g., a driver's license, My Number card, or health insurance card)
  • information using an owner certification private key (e.g., proof of knowledge of an owner certification private key)
  • the message to be encrypted in this embodiment may be a private key of a different encryption method.
  • the first encryption device 250 may generate a temporary common key, generate encrypted data by common key encryption of arbitrary data using the temporary common key, and then perform the processing of this embodiment using the temporary common key as a message.
  • the encrypted data may be transmitted to the verification device 450, for example, together with the first encrypted message, the doubly encrypted message, and the second encrypted message (however, in these data, the message is the temporary common key).
  • the verification device 450 can decrypt the temporary common key, and by decrypting the encrypted data using the temporary common key, the data encrypted in the first encryption device 250 can be restored.
  • the message presentation system 10 generates a second encryption key pair for each presentation process, but instead, the message presentation system 10 may generate a second encryption key and a second decryption key in advance by a second encryption key pair generation process and store them in a DB or the like.
  • the presentation device 400 restores the certificate for issuance, but in order to reduce the risk of leakage of the certificate for issuance, the certificate for issuance itself may not be restored.
  • the method of this embodiment can be applied with H or q_0 included in the certificate for issuance as a message.
  • the process for generating a certificate for presentation, and the process for verifying by performing this embodiment with m[n+1] as a random number and (m[1], ..., m[n], m[n+1]) as the message, the risk of the message being inferred from the certificate for issuance can be further reduced.
  • the message presentation system 10 may also include a plurality of entities of one or more types.
  • the message presentation system 10 may include one or more encrypted message DBs 260 for each user.
  • one or more of the provided encrypted message DBs 260 may be used for multiple users.
  • the message presentation system 10 determines, in each process, the encrypted message DB 260 to be used in that process.
  • one of the entities can identify the location on the network of the encrypted message DB 260 used in the process (e.g., URI (Uniform Resource Identifier)).
  • the entity can request the operator of the entity (e.g., the owner) to input information about the location, and identify the location based on the input information.
  • the message presentation system 10 may store in advance pairs of candidate network locations and their identifiers (e.g., character strings (which may include numbers)), and when the network location of the encrypted message DB 260 to be used for processing is required, any entity may request input of the identifier and identify the location based on the input identifier.
  • any means for identifying an individual (e.g., proof of knowledge of an owner-proving private key, a password, biometric information, etc.)
  • the message presentation system 10 may be provided with multiple such entities, and a similar method may be used to determine the entity to be used for processing.
  • the verification device 450 used in the presentation process (i.e., the presentation destination of the function value of the message) is determined by, for example, the presentation device 400.
  • the second encryption key pair generation device 300 may notify the owner of the presentation destination. Any means may be used for notification, such as email, telephone, SMS (Short Message Service), or mail. Alternatively, the second encryption key pair generation device 300 may record the history of the presentation destinations and disclose it to the owner upon request from the owner.
  • This allows the owner to detect fraud when a message is presented to an unauthorized recipient, which is an effective countermeasure against attacks.
  • If the second encryption key pair generation device 300 issues a notification before transmitting the second decryption key (step S5303), the risk of the message being presented to an unauthorized recipient can be reduced by confirming consent from the owner.
  • the notification and consent confirmation may be performed by another entity (e.g., the encrypted message DB 260) instead of the second encryption key pair generation device 300.
  • one or more of the private keys used in the process may be generated based on private information such as a password.
  • the message presentation system 10 does not need to have a DB for storing the private keys, and when performing a process using the private keys, it only needs to request the administrator of the private information (for example, in the case of an owner certification private key, an example of the administrator of the private information is the owner) to input the private information required to generate the private key.
  • the presentation device 400 for presenting a message receives the message in an encrypted state. Therefore, it is difficult for the presentation device 400 to restore the message or the function value of the message. This reduces the risk of the message being leaked from the presentation device 400. In addition, since the message itself is stored in the encrypted message DB 260 in an encrypted state, the risk of the message being leaked from the encrypted message DB 260 is also reduced.
  • the processing of this embodiment is particularly effective when the owner does not need to check the message presented in the presentation process. For example, presenting information that the owner knows without the need for confirmation, such as the owner's own name or date of birth, is a case where the owner does not need to check the message presented in the presentation process.
  • the message presentation system 10 of this embodiment can be applied, for example, as follows.
  • the presentation device 400 is a shared terminal installed in a store or the like
  • the content confirmation device 500 is a terminal such as a smartphone that is owned by the owner.
  • the owner can check the contents of the message using the content confirmation device 500 and then perform the presentation process using the presentation device 400, thereby keeping the message secret from the presentation device 400.
  • this embodiment has the following effect.
  • a calculation area with a function for reducing the risk of information leakage may be inferior to a normal calculation area in terms of calculation speed and memory size that can be used for processing.
  • the risk of message leakage can be reduced in the presentation device 400, so that calculations related to messages (e.g., calculation of message function values and presentation proof generation processing, etc.) can be performed in the normal calculation area. This has the effect of reducing the resource consumption of the calculation area for reducing the risk of information leakage.
  • the risk of leakage may be further reduced by performing message-related processing in the calculation area for reducing the risk of information leakage.
  • the presentation device 400 needs not only message elements to be presented but also message elements that are not presented in order to generate a presentation proof.
  • the owner of the presented message elements may use them to confirm the contents, but there is little need for the user to have the presentation device 400 restore the message elements that are not presented.
  • the message elements that are not presented can be kept secret from the presentation device 400.
  • this embodiment may be applied to conceal message elements that are not presented from the presentation device 400, and the message elements that are presented may be restored by the presentation device 400.
  • in this embodiment, instead of transmitting (m[i_1]+s[i_1], ..., m[i_b]+s[i_b], a_1', a_2') as the converted second encrypted message, for example, (m[i_1], ..., m[i_b], a_1', a_2') is transmitted.
  • this embodiment can be applied to part of a message, and the system can be designed according to the necessity for content confirmation and the security policy.
  • in Example 2, a message presentation system 20 via a network will be described.
  • the message presentation system 10 in Example 1 stores the owner certification private key and the first decryption key in a DB, but the message presentation system 20 in Example 2 restores the owner certification private key and the first decryption key using a template that has been generated and registered in advance and the owner's biometric information.
  • the owner certification private key and the first decryption key have fixed values for each owner, but the message presentation system 20 can update the owner certification private key and the first decryption key by performing the owner key generation process again.
  • FIG. 9 is a block diagram showing an example of the configuration of a message presentation system 20 in Example 2.
  • the message presentation system 20 does not include an owner certification private key DB 140 and a first decryption key DB 180, but instead includes an owner key generation device 600, a template DB 610, and an owner key recovery device 650.
  • the owner key generation device 600 uses the owner's biometric information to generate a template, a public key for owner verification, and a first decryption key.
  • the owner key generation device 600 includes, for example, a communication unit 601, a biometric information for key generation acquisition unit 602, and an owner key generation unit 603, all of which are functional units.
  • the owner key generation device 600 is operated, for example, by the owner.
  • the owner key restoration device 650 restores the owner verification public key and the first decryption key using the owner's biometric information and a template.
  • the owner key restoration device 650 includes, for example, a communication unit 651, a key restoration biometric information acquisition unit 652, and an owner key restoration unit 653, all of which are functional units.
  • the owner key restoration device 650 is operated, for example, by the owner.
  • the message presentation system 20 of the second embodiment performs the issuer key pair generation process and the issuance process in the same manner as in the first embodiment. Furthermore, the message presentation system 20 of the second embodiment performs the owner key generation process instead of the owner certification key pair generation process and the first encryption key pair generation process of the first embodiment.
  • the first decryption key DB 180 transmits the first decryption key to the presentation device 400
  • the owner certification private key DB 140 transmits the owner certification private key to the presentation device 400
  • the owner key restoration device 650 restores the first decryption key and the owner certification private key by the owner key restoration process and transmits them to the presentation device 400.
  • the other processes executed in the presentation process are the same as those in the first embodiment.
  • the first decryption key DB 180 transmits the first decryption key to the content confirmation device 500, but in the second embodiment, instead of this process, the owner key restoration device 650 restores the first decryption key by the owner key restoration process and transmits it to the content confirmation device 500.
  • the other processes executed in the content confirmation process are the same as those in the first embodiment.
  • the owner key restoration device 650 used for the owner key restoration process performed in the presentation process and the owner key restoration device 650 used for the owner key restoration process performed in the content confirmation process do not have to be the same device (i.e., the message presentation system 20 may include multiple owner key restoration devices 650).
  • the owner key restoration device 650 used for the owner key restoration process performed in the presentation process may be physically the same terminal as the presentation device 400.
  • the owner key restoration device 650 used for the owner key restoration process performed in the content confirmation process may be physically the same terminal as the content confirmation device 500.
  • the hardware configurations of the owner key generation device 600, template DB 610, and owner key recovery device 650 are similar to the hardware configuration described in Example 1 using FIG. 2, for example.
  • the computer 10000 constituting the owner key generation device 600 and the owner key recovery device 650 has a sensor for acquiring biometric information such as a face, fingerprint, iris, palm print, and finger veins (the biometric information may be used to generate an encryption key).
  • the sensor may be intended only to acquire biometric information, or may be a device whose purpose is not limited to acquiring biometric information (for example, a camera intended to acquire images and videos in addition to biometric information, or a microphone intended to acquire audio in addition to biometric information).
  • the message presentation system 20 of this embodiment executes the same processes as the message presentation system 10 of the embodiment 1, except for the following points. Specifically, the message presentation system 20 of this embodiment executes the owner key generation process shown in Fig. 10 without executing the owner certification key pair generation process shown in Fig. 4 and the first encryption key pair generation process shown in Fig. 5.
  • the message presentation system 20 of this embodiment executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored first decryption key to the presentation device 400.
  • the message presentation system 20 of this embodiment executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored owner certification private key to the presentation device 400.
  • the message presentation system 20 of this embodiment executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored first decryption key to the content confirmation device 500.
  • the owner key restoration device 650 may receive data necessary for each process using the key and then perform each process using the key.
  • FIG. 10 is a sequence diagram showing an example of an owner key generation process in the second embodiment.
  • the key generation biometric information acquisition unit 602 acquires biometric information for key generation from the owner.
  • the type of biometric information acquired by the key generation biometric information acquisition unit 602 can be any type, such as face, iris, fingerprint, finger vein, or palm print.
  • the data format of the biometric information can be any format, such as image, video, or audio.
  • in step S7602, the owner key generation unit 603 uses the biometric information for key generation to generate a template, a first encryption key, and an owner verification public key.
  • in step S7603, the communication unit 601 of the owner key generation device 600 transmits the generated template to the template DB 610.
  • in step S7611, the template DB 610 stores the template.
  • in step S7604, the communication unit 601 of the owner key generating device 600 transmits the generated owner verification public key to the owner verification public key DB 150.
  • in step S7151, the owner verification public key DB 150 stores the owner verification public key.
  • in step S7605, the communication unit 601 of the owner key generating device 600 transmits the generated first encryption key to the first encryption key DB 170.
  • in step S7171, the first encryption key DB 170 stores the first encryption key.
  • FIG. 11 is a sequence diagram showing an example of the owner key restoration process in the second embodiment.
  • the key restoration biometric information acquisition unit 652 acquires the same type of key restoration biometric information as in step S7601 from the owner.
  • the template DB 610 transmits the stored template to the owner key restoration device 650.
  • the owner key restoration unit 653 restores the owner proof private key and the first decryption key using the template and the acquired key restoration biometric information. The owner key generation process and the owner key restoration process are assumed to be configured so that, if the key restoration biometric information is sufficiently close to the key generation biometric information used in the owner key generation process (for example, if the distance between the feature vectors indicating the biometric information is equal to or less than a predetermined value), the owner proof private key and the first decryption key, which have unique values for each owner, are correctly restored with a high probability from the template and the key restoration biometric information.
  • the biometric encryption method includes a key generation process and a key recovery process.
  • the key generation process is a process that generates a private key s_G and a helper string hs using biometric information for key generation x_G as input.
  • the key recovery process is a process of recovering a private key from hs and key recovery biometric information x_R.
  • the private key to be recovered is represented as s_R.
  • s_G = s_R holds. In other words, the private key is correctly recovered.
  • the owner key generation unit 603 generates a template T, a first encryption key ek_1, and an owner verification public key pk1 as follows. First, the owner key generation unit 603 uses the key generation biometric information x_G to generate a secret key s_G and a helper string hs through a key generation process of a biometric encryption method.
  • the owner key generation unit 603 uses the private key s_G to generate the encryption key ek_0 and the decryption key dk_0.
  • a key pair generation process of any encryption method can be used.
  • the encryption process and decryption process of this encryption method are represented as Enc_0 and Dec_0, respectively.
  • the key pair generation process is a deterministic process that uses s_G as input so that the same (ek_0, dk_0) can be obtained from s_G.
  • the owner key generation unit 603 generates ek_0 by performing a deterministic conversion on s_G, for example, and generates dk_0 corresponding to the generated ek_0.
  • the owner key generation unit 603 also generates a first encryption key ek_1 and a first decryption key dk_1 in the same manner as the first encryption key pair generation process of step S3161.
  • the owner key restoration unit 653 first restores the private key by performing key restoration process of the biometric encryption method using the key restoration biometric information x_R and hs included in T.
  • the owner key restoration unit 653 restores the key decryption key using the restored private key s_R.
  • the owner key restoration unit 653 performs Dec_0 on Enc_0(dk_1;ek_0) and Enc_0(sk_1;ek_0) included in T using the restored key decryption key dk_0' to restore the first decryption key dk_1 and the owner proof private key sk_1.
  • the owner key restoration unit 653 may verify whether the first decryption key and the owner proof private key have been correctly restored, and may abort the process if they have not been correctly restored.
  • the owner key restoration unit 653 may use, for example, the first encryption key and the owner verification public key for this verification.
  • the message presentation system 20 generates keys related to the owner (i.e., the owner authentication private key, the owner authentication public key, the first encryption key, and the first decryption key) based on the owner's biometric information.
  • keys related to the issuer (i.e., the issuer private key and the issuer public key)
  • the owner does not need to manage the owner proof private key and the first decryption key, which are private keys related to the owner, and convenience is improved.
  • since there is no need to store these keys, there is also an effect of improving security.
  • when the key related to the issuer is generated based on the biometric information of the issuer, management of the key related to the issuer is likewise not required, and there are effects of improving convenience and security.
  • the present invention is not limited to the above-mentioned embodiment, and various modifications are included.
  • the above-mentioned embodiment has been described in detail to clearly explain the present invention, and is not necessarily limited to those having all the configurations described.
  • it is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment and it is also possible to add the configuration of another embodiment to the configuration of one embodiment.
  • the above-mentioned configurations, functions, processing units, processing means, etc. may be realized in hardware, in part or in whole, for example by designing them as integrated circuits. Furthermore, the above-mentioned configurations, functions, etc. may be realized in software, by a processor interpreting and executing a program that realizes each function. Information on the programs, tables, files, etc. that realize each function can be stored in a memory, a recording device such as a hard disk or SSD (Solid State Drive), or a recording medium such as an IC card, SD card, or DVD.
  • control lines and information lines shown are those considered necessary for the explanation, and do not necessarily show all control lines and information lines on the product. In reality, it can be assumed that almost all components are interconnected.
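The owner key generation and restoration processes of Example 2 can be traced end to end with the added Python sketch below, which is not code from the patent. It assumes a repetition-code fuzzy commitment as the biometric encryption method, an HMAC-SHA256 keystream as Enc_0/Dec_0 with ek_0 = dk_0, and discrete-log key pairs standing in for (ek_1, dk_1) and (pk_1, sk_1); all function names and the bit-vector captures are constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

R = 5             # repetition factor: majority vote corrects 2 flipped bits per block
K_BITS = 128      # bit length of the biometric-bound secret s_G
P = 2**255 - 19   # demo modulus for the stand-in key pairs (assumption, not from the page)
G = 2


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def to_bytes(bits):
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


def bio_keygen(x_g):
    """Key generation: bind a fresh secret s_G to x_G, return (s_G, helper string hs)."""
    if len(x_g) != K_BITS * R:
        raise ValueError("biometric vector has the wrong length")
    s_g = secrets.token_bytes(K_BITS // 8)
    codeword = [bit for bit in to_bits(s_g) for _ in range(R)]
    return s_g, [c ^ x for c, x in zip(codeword, x_g)]


def bio_recover(hs, x_r):
    """Key recovery: s_R equals s_G when x_R differs from x_G in at most 2 bits per block."""
    noisy = [h ^ x for h, x in zip(hs, x_r)]
    votes = [sum(noisy[i:i + R]) for i in range(0, len(noisy), R)]
    return to_bytes([int(v > R // 2) for v in votes])


def derive_dk0(s):
    # Deterministic derivation, so the same s_G always yields the same key decryption key.
    return hmac.new(s, b"key-encryption-key", hashlib.sha256).digest()


def enc0(key, label, data):
    # Stand-in for Enc_0: XOR with an HMAC-SHA256 counter-mode keystream (no integrity tag).
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


dec0 = enc0  # XOR keystream: decryption is the same operation


def generate_owner_keys(x_g):
    """Returns (template T, ek_1, pk_1); the private keys exist only inside T, wrapped."""
    s_g, hs = bio_keygen(x_g)
    dk0 = derive_dk0(s_g)
    dk1 = secrets.randbelow(P - 3) + 2
    sk1 = secrets.randbelow(P - 3) + 2
    template = {
        "hs": hs,
        "enc_dk1": enc0(dk0, b"dk1", dk1.to_bytes(32, "big")),
        "enc_sk1": enc0(dk0, b"sk1", sk1.to_bytes(32, "big")),
    }
    return template, pow(G, dk1, P), pow(G, sk1, P)


def restore_owner_keys(template, x_r, ek1, pk1):
    """Restores (dk_1, sk_1) and aborts if they do not match the registered public keys."""
    dk0 = derive_dk0(bio_recover(template["hs"], x_r))
    dk1 = int.from_bytes(dec0(dk0, b"dk1", template["enc_dk1"]), "big")
    sk1 = int.from_bytes(dec0(dk0, b"sk1", template["enc_sk1"]), "big")
    if pow(G, dk1, P) != ek1 or pow(G, sk1, P) != pk1:
        raise ValueError("restored keys do not match the registered public keys")
    return dk1, sk1


def sample_capture(seed):
    # Constructed stand-in for a binarized biometric feature vector.
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(K_BITS * R)]


def recapture(x, flips_per_block):
    # Constructed sensor noise: flip the first `flips_per_block` bits of every block.
    noisy = list(x)
    for start in range(0, len(noisy), R):
        for j in range(flips_per_block):
            noisy[start + j] ^= 1
    return noisy


if __name__ == "__main__":
    x_g = sample_capture(1)
    T, ek1, pk1 = generate_owner_keys(x_g)
    restore_owner_keys(T, recapture(x_g, 2), ek1, pk1)
    print("genuine re-capture: keys restored and verified")
    try:
        restore_owner_keys(T, sample_capture(2), ek1, pk1)
    except ValueError as err:
        print("different person:", err)
```

Because the stand-in Enc_0 carries no integrity tag, the comparison against ek_1 and pk_1 is the only thing that turns a wrong biometric into an abort rather than into silently wrong keys.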

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

According to the present invention, a DB transmits, to an encryption device, a first encrypted message generated by first encryption processing using a first encryption key for a message, the encryption device generates and transmits, to a presentation device, a double-encrypted message by performing second encryption processing on the first encrypted message using a second encryption key, and the presentation device generates a second encrypted message by performing first decryption processing on the double-encrypted message using a first decryption key, and, on the basis of the second encrypted message, generates and outputs such a transmission second encrypted message that a function value based on a predetermined function of the message can be decrypted by a second decryption key corresponding to the second encryption key.

Description

Message presentation system and message presentation method

Incorporation by Reference

This application claims priority to Japanese Patent Application No. 2023-008894, filed on January 24, 2023, the contents of which are incorporated herein by reference.

The present invention relates to a message presentation system and a message presentation method.

A message presentation system is known in which a DB (Data Base) stores an encrypted message obtained by performing an encryption process on an electronically represented message, a user recovers the message by performing a decryption process on the encrypted message, and the message or data calculated based on the message is presented to a third-party verifier.

For example, Non-Patent Document 1 discloses a method in which credentials are handled as an example of a message, an Identity Hub as an example of a DB stores encrypted credentials, and an identity subject as an example of a user decrypts the credentials and presents the decrypted credentials or data obtained based on the credentials.

Stockburger et al., "Blockchain-enabled decentralized identity management: The case of self-sovereign identity in public transportation," Blockchain: Research and Applications, Volume 2, Issue 2, June 2021, [Retrieved December 2, 2022], Internet <https://www.sciencedirect.com/science/article/pii/S2096720921000099>

In the method described in Non-Patent Document 1, the decrypted message appears temporarily on the presentation device used by the user for presentation. Therefore, if the presentation device is not properly managed, the temporarily appearing message may be leaked. One aspect of the present invention therefore reduces the risk of message leakage from the DB and the risk of message leakage from the presentation device.

In order to solve the above problems, one aspect of the present invention employs the following configuration. A message presentation system includes a DB that holds a first encrypted message generated by a first encryption process using a first encryption key for a message, an encryption device that holds a second encryption key, and a presentation device that holds a first decryption key corresponding to the first encryption key. The DB transmits the first encrypted message to the encryption device. The encryption device generates a doubly encrypted message by performing a second encryption process on the first encrypted message using the second encryption key, and transmits the doubly encrypted message to the presentation device. The presentation device generates a second encrypted message by performing a first decryption process on the doubly encrypted message using the first decryption key, generates, based on the second encrypted message, a second encrypted message for transmission from which a function value of the message under a predetermined function can be restored with the second decryption key corresponding to the second encryption key, and outputs the second encrypted message for transmission.

According to one aspect of the present invention, the risk of message leakage from the DB and the risk of message leakage from the presentation device are reduced.
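The data flow of this configuration can be followed in the added Python sketch below, which is not code from the patent. It assumes layered ElGamal as one possible instantiation of the first and second encryption processes, uses the identity as the predetermined function, models the generation of the second encrypted message for transmission as a re-randomization, and assumes the verifier holds the second decryption key; the function names and group parameters are illustrative.

```python
import secrets

P = 2**255 - 19   # demo modulus (assumption); use a vetted prime-order group in practice
G = 2


def rand_exp():
    return secrets.randbelow(P - 3) + 2


def keygen():
    """Returns (encryption key, decryption key)."""
    dk = rand_exp()
    return pow(G, dk, P), dk


def encode(text):
    m = int.from_bytes(text.encode(), "big")
    if not 0 < m < P:
        raise ValueError("message does not fit in one group element")
    return m


def decode(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def first_encrypt(m, ek1):
    # First encryption device: the result is what the encrypted message DB stores.
    r = rand_exp()
    return pow(G, r, P), m * pow(ek1, r, P) % P


def second_encrypt(ct1, ek2):
    # Second encryption device: adds a layer under ek_2 without removing the first.
    a1, b = ct1
    r = rand_exp()
    return a1, pow(G, r, P), b * pow(ek2, r, P) % P


def first_decrypt(ct12, dk1):
    # Presentation device: strips the ek_1 layer; the ek_2 layer still hides m.
    a1, a2, b = ct12
    return a2, b * pow(a1, P - 1 - dk1, P) % P


def rerandomize(ct2, ek2):
    # Presentation device: fresh randomness for the ciphertext that leaves the device.
    a2, b = ct2
    r = rand_exp()
    return a2 * pow(G, r, P) % P, b * pow(ek2, r, P) % P


def second_decrypt(ct2, dk2):
    # Holder of dk_2 (assumed here to be the verifier) recovers the function value.
    a2, b = ct2
    return b * pow(a2, P - 1 - dk2, P) % P


def present(text):
    """Runs the whole flow and returns the masked value each party handles."""
    ek1, dk1 = keygen()
    ek2, dk2 = keygen()
    stored = first_encrypt(encode(text), ek1)
    doubled = second_encrypt(stored, ek2)
    second = first_decrypt(doubled, dk1)
    outgoing = rerandomize(second, ek2)
    return {
        "db": stored[1],
        "presentation_device": second[1],
        "outgoing": outgoing[1],
        "verifier": decode(second_decrypt(outgoing, dk2)),
    }


if __name__ == "__main__":
    view = present("1990-01-01")  # constructed sample message
    print("verifier recovers:", view["verifier"])
    print("presentation device only ever held:", hex(view["presentation_device"]))
```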

Problems, configurations and advantages other than those mentioned above will become clear from the description of the embodiments below.

FIG. 1 is a block diagram showing a configuration example of a message presentation system according to the first embodiment.
FIG. 2 is a block diagram illustrating an example of a hardware configuration of a computer that constitutes each entity included in the message presentation system according to the first embodiment.
FIG. 3 is a sequence diagram illustrating an example of an issuer key pair process in the first embodiment.
FIG. 4 is a sequence diagram illustrating an example of an owner proof key pair generation process according to the first embodiment.
FIG. 5 is a sequence diagram illustrating an example of a first encryption key pair generation process in the first embodiment.
FIG. 6 is a sequence diagram illustrating an example of an issuing process in the first embodiment.
FIG. 7 is a sequence diagram illustrating an example of a presentation process according to the first embodiment.
FIG. 8 is a sequence diagram illustrating an example of a content confirmation process according to the first embodiment.
FIG. 9 is a block diagram showing a configuration example of a message presentation system according to the second embodiment.
FIG. 10 is a sequence diagram illustrating an example of an owner key generation process according to the second embodiment.
FIG. 11 is a sequence diagram illustrating an example of an owner key recovery process according to the second embodiment.

Below, an embodiment of the present invention will be described in detail with reference to the drawings. Note that this embodiment is merely one example for realizing the present invention, and does not limit the technical scope of the present invention.

In Example 1, a message presentation system via a network is described. A message is any electronically represented data, such as a character string, an image, or a value. For example, an electronically represented name, address, date of birth, gender, purchase history, and credit card usage history are all examples of messages. In addition, any data included in any electronically represented certificate, such as a driver's license, My Number card, employment history certificate, education certificate, course completion certificate, vaccination certificate, employee ID card, student ID card, or membership card (for example, attribute information such as the name, address, date of birth, and gender included in a driver's license), is an example of a message. Hereinafter, messages are assumed to be electronically represented, and the qualifier "electronically represented" is omitted.

[System configuration]
FIG. 1 is a block diagram showing a configuration example of a message presentation system. The message presentation system 10 includes, for example, an issuer key pair generation device 100, an issuer private key DB 110, an issuer public key DB 120, an owner certification key pair generation device 130, an owner certification private key DB 140, an owner verification public key DB 150, a first encryption key pair generation device 160, a first encryption key DB 170, a first decryption key DB 180, an issuing device 200, a first encryption device 250, an encrypted message DB 260, a second encryption key pair generation device 300, a second encryption device 350, a presentation device 400, a verification device 450, and a content confirmation device 500.

The issuer key pair generation device 100, the issuer private key DB 110, the issuer public key DB 120, the owner certification key pair generation device 130, the owner certification private key DB 140, the owner verification public key DB 150, the first encryption key pair generation device 160, the first encryption key DB 170, the first decryption key DB 180, the issuing device 200, the first encryption device 250, the encrypted message DB 260, the second encryption key pair generation device 300, the second encryption device 350, the presentation device 400, the verification device 450, and the content confirmation device 500 are connected to each other via a network 900.

However, not all of these entities (devices and DBs) necessarily need to be able to communicate with each other; for example, it is sufficient that the entities that perform the respective communications in each process described below are able to communicate with each other. Furthermore, the network 900 may be wired or wireless. The Internet, a local network within an organization, and the like are examples of the network 900. Furthermore, when multiple devices are included in one physical device, the network within the device may also be considered to be part of the network 900.

The issuer key pair generation device 100 generates an issuer private key and an issuer public key. The issuer key pair generation device 100 includes, for example, a communication unit 101 and an issuer key pair generation unit 102, both of which are functional units. The issuer key pair generation device 100 is operated, for example, by a message issuer (hereinafter also simply referred to as the "issuer") or a system administrator. The issuer may be an individual, a public institution such as a national or local government, or an organization such as a private company. The issuer private key is used to generate an issuance certificate. The issuer public key is used to verify a presentation proof generated based on the issuance certificate.

The owner proof key pair generating device 130 generates an owner proof private key and an owner verification public key. The owner proof key pair generating device 130 includes, for example, a communication unit 131 and an owner proof key pair generating unit 132, both of which are functional units. The owner proof key pair generating device 130 is operated, for example, by the owner of the message (hereinafter also simply referred to as the "owner") or a system administrator. Note that the owner is referred to as the owner even before the time when the message is owned (for example, the time when the message is stored in the encrypted message DB 260). The owner proof private key is used for generating a presentation proof, etc.

The first encryption key pair generation device 160 generates a first encryption key and a first decryption key. The first encryption key pair generation device 160 includes, for example, a communication unit 161 and a first encryption key pair generation unit 162, both of which are functional units. The first encryption key pair generation device 160 is operated, for example, by the owner or a system administrator. The first encryption key is used in the first encryption process for the message and issuance certificate, and the first decryption key is used in the first decryption process for the first encrypted message, the first encrypted issuance certificate, and the doubly encrypted message.

The issuing device 200 generates a message and an issuance proof. The issuing device 200 includes, for example, a communication unit 201, a message generation unit 202, and an issuance proof generation unit 203, all of which are functional units. The issuing device 200 is operated, for example, by the issuer.

The first encryption device 250 performs the first encryption process on the message and the issuance proof to generate a first encrypted message and a first encrypted issuance proof. The first encryption device 250 includes, for example, a communication unit 251 and a first encryption unit 252, both of which are functional units. The first encryption device 250 is operated, for example, by the issuer or the owner. The first encryption device 250 may be physically the same terminal as the issuing device 200 or the encrypted message DB 260.

The second encryption key pair generation device 300 generates a second encryption key and a second decryption key. The second encryption key pair generation device 300 includes, for example, a communication unit 301 and a second encryption key pair generation unit 302, both of which are functional units. The second encryption key pair generation device 300 performs its processing, for example, upon receiving a request for the second encryption key pair generation process from another entity (for example, the second encryption device 350, the presentation device 400, the verification device 450, or the encrypted message DB 260). The second encryption key pair generation device 300 may be physically the same terminal as the second encryption device 350, the verification device 450, or the encrypted message DB 260. The second encryption key is used in the second encryption process applied to the first encrypted message. The second decryption key is used in the second decryption process applied to the converted second encrypted message.

The second encryption device 350 performs the second encryption process on the first encrypted message to generate a doubly encrypted message. The second encryption device 350 includes, for example, a communication unit 351 and a second encryption unit 352, both of which are functional units. The second encryption device 350 performs its processing, for example, upon receiving a request for the second encryption process from another entity (for example, the second encryption key pair generation device 300, the presentation device 400, the verification device 450, or the encrypted message DB 260). The second encryption device 350 may be physically the same terminal as the second encryption key pair generation device 300 or the encrypted message DB 260.

The presentation device 400 performs the first decryption process on the doubly encrypted message and the first encrypted issuance proof, thereby generating a second encrypted message and restoring the issuance proof. It then performs a presentation conversion on the second encrypted message to generate a converted second encrypted message, and further generates a presentation proof. The presentation device 400 includes, for example, a communication unit 401, a first decryption unit 402, a presentation conversion unit 403, and a presentation proof generation unit 404, all of which are functional units. The presentation device 400 is operated, for example, by the owner.

The verification device 450 restores the function value of the message by performing the second decryption process on the converted second encrypted message. The verification device 450 then performs a verification process that uses the restored function value of the message and the presentation proof to verify whether the function value of the message (or the message itself) was presented by the legitimate owner. The verification device 450 includes, for example, a communication unit 451, a second decryption unit 452, a verification unit 453, and an output unit 454, all of which are functional units. The verification device 450 is operated, for example, by the party to whom the function value of the message is presented (hereinafter also called the "verifier").

The content confirmation device 500 restores the message by performing the first decryption process on the first encrypted message. The content confirmation device 500 includes, for example, a communication unit 501, a first decryption unit 502, and an output unit 503, all of which are functional units. The content confirmation device 500 is operated, for example, by the owner and is used to check the contents of a message the owner holds. Because the message is decrypted in the content confirmation device 500, it is desirable that the content confirmation device 500 be a device that is more secure against information leakage than the presentation device 400.

Instead of being operated by the operators described above, each device may receive processing requests from other entities and perform some or all of its processing automatically in response to those requests.

Each private key should be managed so that it is accessible from the device that uses it when that device is operated or managed by the correct party, and is difficult to access otherwise. Any authentication means can be used for this access management, for example a password, a physical token, biometric information, or a combination of these. Each public key may be made public; it is sufficient that it is accessible at least from the devices that use it. Each decryption key is managed, for example, in the same way as each private key.

If the first encryption key is an encryption key of a public-key cryptosystem, the first encryption key can be made public. If the first encryption key is an encryption key of a common-key cryptosystem, the first encryption key is managed, for example, in the same way as each private key. Also, if the first encryption key pair belongs to a common-key cryptosystem, the system may omit the first encryption key DB 170 and perform the encryption process using the first decryption key.

FIG. 2 is a block diagram showing an example of the hardware configuration of the computers constituting each entity included in the message presentation system 10 in the first embodiment. The computer 10000 has, for example, a CPU (Central Processing Unit) 10001, a memory 10002, an auxiliary storage device 10003, an input device 10004, an output device 10005, a communication device 10006, and a reading device 10007.

The CPU 10001 includes a processor and executes programs stored in the memory 10002. The memory 10002 includes a ROM (Read Only Memory), which is a non-volatile storage element, and a RAM (Random Access Memory), which is a volatile storage element. The ROM stores immutable programs (for example, a BIOS (Basic Input/Output System)). The RAM is a high-speed, volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores the programs executed by the CPU 10001 and the data used when those programs are executed.

The auxiliary storage device 10003 is a large-capacity, non-volatile storage device such as a magnetic storage device (HDD (Hard Disk Drive)) or a flash memory (SSD (Solid State Drive)), and stores the programs executed by the CPU 10001 and the data used when those programs are executed. That is, a program is read from the auxiliary storage device 10003, loaded into the memory 10002, and executed by the CPU 10001.

The input device 10004 is a device, such as a keyboard or mouse, that receives input from an operator. The output device 10005 is a device, such as a display device or printer, that outputs the results of program execution in a form the operator can view.

The communication device 10006 is a network interface device that controls communication with other devices according to a predetermined protocol. The communication device 10006 may also include a serial interface such as USB (Universal Serial Bus).

Some or all of the programs executed by the CPU 10001 may be provided to the computer 10000 from removable media (CD-ROM, flash memory, etc.), which are non-transitory storage media, or over a network from an external computer equipped with a non-transitory storage device, and may be stored in the non-volatile auxiliary storage device 10003, which is a non-transitory storage medium. The reading device 10007 is, for example, an interface device that reads data from such removable media.

Each entity is a computer system configured on one physical computer 10000 or on a plurality of logically or physically configured computers 10000. Entities may run in separate threads on the same computer 10000, or may run on a virtual computer built on a plurality of physical computer resources.

The CPU 10001 included in the computer 10000 constituting each device includes the functional units of that device described with reference to FIG. 1. Specifically, for example, the CPU 10001 included in the computer 10000 constituting the issuer key pair generation device 100 includes the communication unit 101 and the issuer key pair generation unit 102. This CPU 10001 functions as the communication unit 101 by operating according to a communication program loaded into the memory 10002 of that computer 10000, and functions as the issuer key pair generation unit 102 by operating according to an issuer key pair generation program loaded into the same memory 10002. The relationship between programs and functional units is the same for the other functional units included in the CPU 10001 of the computers 10000 constituting the other devices.

Some or all of the functions of the functional units included in each device may be realized by hardware such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array).

The information held by each entity included in the message presentation system 10 is stored in the memory 10002 or the auxiliary storage device 10003 of the computer 10000 constituting that entity. In this embodiment, the information used by the message presentation system 10 does not depend on a particular data structure and may be expressed in any data structure. For example, a data structure appropriately selected from a list, a table, a database, or a queue can store the information.

Some or all of the DBs included in the message presentation system 10 may be realized by IC (Integrated Circuit) cards or removable media. In that case, instead of a device transmitting data to a DB, the device writes the data to the IC card or removable medium, and instead of a DB transmitting data to a device, the device reads the data from the IC card or removable medium.

[Overview of message-related processes]
An overview of each message-related process in this embodiment is as follows. In the issuance process, the issuing device 200 generates a message and transmits it to the first encryption device 250. The first encryption device 250 performs the first encryption process on the message to generate a first encrypted message and transmits it to the encrypted message DB 260. The encrypted message DB 260 stores the first encrypted message.

In the presentation process, the encrypted message DB 260 transmits the first encrypted message to the second encryption device 350. The second encryption device 350 generates a doubly encrypted message by performing the second encryption process on the first encrypted message, and transmits it to the presentation device 400. The presentation device 400 generates a second encrypted message by performing the first decryption process on the doubly encrypted message, and transmits it to the verification device 450. The verification device 450 decrypts the message by performing the second decryption process on the second encrypted message. In this way, the message is presented from the presentation device 400 to the verification device 450.

Note that in the message presentation of this embodiment, the message itself is never sent from the presentation device 400 to the verification device 450; the second encrypted message is sent instead.

More generally, the purpose of the presentation process may be to present a function value of the message. For example, the message may consist of a pair of two values (m_1, m_2), and the purpose may be to present m_1+m_2 as the function value. Here, the symbol "_" denotes a subscript. Presenting a function value of the message rather than the message itself is an effective way for the owner to avoid presenting more information than necessary when the verifier requests the function value of the message.

To cover the case where a function value of the message is presented, the description from here on uses the following, more generalized presentation process flow. Note that the case described above, in which the message itself is presented, is also covered by this generalized presentation process. That is, presenting the message itself can be regarded as the case in which, in the following example, the presentation conversion is the identity conversion (including the case where no presentation conversion is executed) and the function value of the message is the message itself.

In the more generalized presentation process flow, the encrypted message DB 260 transmits the first encrypted message to the second encryption device 350. The second encryption device 350 generates a doubly encrypted message by performing the second encryption process on the first encrypted message, and transmits it to the presentation device 400. The presentation device 400 generates a second encrypted message by performing the first decryption process on the doubly encrypted message. The presentation device 400 then generates a converted second encrypted message by performing the presentation conversion on the second encrypted message, and transmits it to the verification device 450. The verification device 450 decrypts the function value of the message by performing the second decryption process on the converted second encrypted message. In this way, the function value of the message is presented from the presentation device 400 to the verification device 450.

Note that in this more generalized presentation process as well, the function value of the message itself is never sent from the presentation device 400 to the verification device 450; the converted second encrypted message is sent instead.
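The generalized flow above, traced end to end as an added example (not code from the patent). The concrete schemes are assumptions, since this part of the text defers them: the first encryption is a one-time additive integer mask (the common-key case), the second is textbook Paillier with toy primes, and the presentation conversion is f(m_1, m_2) = m_1 + m_2; issuance and presentation proofs are omitted.

```python
import secrets
from math import gcd

# Assumed second encryption scheme: textbook Paillier with toy primes.
# Both primes are Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
MASK_BITS = 64  # assumed first-key size; masks must stay well below n = P * Q


def second_keygen(p=P, q=Q):
    """Second encryption key pair generation (S5301): (enc_key, dec_key)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                          # valid for generator g = n + 1
    return n, (n, lam, mu)


def second_encrypt(n, m):
    """Enc2(m) = (1 + m*n) * r^n mod n^2 with fresh randomness r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def second_decrypt(dec_key, c):
    """Second decryption (verification device 450, unit 452)."""
    n, lam, mu = dec_key
    return (pow(c, lam, n * n) - 1) // n * mu % n


def first_keygen(count):
    """Assumed first key: one fresh random mask per message component."""
    return [secrets.randbits(MASK_BITS) for _ in range(count)]


def first_encrypt(k1, message):
    """First encryption (device 250): integer mask, c1 = m + k."""
    return [m + k for m, k in zip(message, k1)]


def first_decrypt(k1, c1):
    """First decryption on a first encrypted message (content confirmation device 500)."""
    return [c - k for c, k in zip(c1, k1)]


def first_decrypt_under_second(n, k1, doubly):
    """First decryption on the doubly encrypted message (device 400, unit 402).

    Multiplying Enc2(m + k) by the Paillier encoding of -k yields Enc2(m),
    so the first layer is removed without exposing m or c1.
    """
    n2 = n * n
    return [c * (1 + (-k % n) * n) % n2 for c, k in zip(doubly, k1)]


def presentation_convert(n, second_enc):
    """Presentation conversion (unit 403): ciphertext product = Enc2(m_1 + m_2)."""
    out = 1
    for c in second_enc:
        out = out * c % (n * n)
    return out


def run_presentation(message):
    """Issuance followed by presentation; returns what each party can recover."""
    k1 = first_keygen(len(message))
    stored = first_encrypt(k1, message)                         # held in DB 260
    enc2, dec2 = second_keygen()                                # device 300
    doubly = [second_encrypt(enc2, c) for c in stored]          # device 350
    second_enc = first_decrypt_under_second(enc2, k1, doubly)   # device 400
    converted = presentation_convert(enc2, second_enc)          # sent to device 450
    return {
        # Function value recovered by the verifier from the converted ciphertext.
        "verifier_sees": second_decrypt(dec2, converted),
        # What the verifier would recover under the identity conversion.
        "identity_case": [second_decrypt(dec2, c) for c in second_enc],
        # What the owner recovers on the content confirmation device.
        "owner_check": first_decrypt(k1, stored),
    }


if __name__ == "__main__":
    print(run_presentation((1200, 345)))  # constructed sample message (m_1, m_2)
```

With the sum conversion the verifier recovers only m_1 + m_2, while forwarding the unconverted second encrypted message (the identity case) would let it recover each component.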

In this embodiment, the issuing device 200 also generates an issuance proof together with the message. The issuance proof is information for proving, for example, the contents of the message and the legitimacy of the owner. In addition, the presentation device 400 generates a presentation proof based on the issuance proof. The presentation proof is information for proving, for example, that the function value of the presented message is legitimate and that the presentation process is being performed by the correct owner.

This processing flow for messages, issuance proofs, and presentation proofs can be used, for example, in systems for self-sovereign identity (Self-Sovereign Identity) and decentralized identity (Decentralized Identity).

However, generating the message together with an issuance proof in the issuing device 200 is only one example; the present invention can be applied to any message, not just messages generated in this way. In that case, the first encryption device 250 receives the message, and each entity performs the subsequent processing in the same way as in this embodiment.

The issuance proof does not necessarily have to be generated. When no issuance proof is generated, the message presentation system 10 may omit the subsequent processing related to the issuance proof, and may also omit generating and storing the issuer key pair. In that case, the message presentation system 10 need not include the functional units and DBs corresponding to the omitted processes. The message presentation system 10 may generate a presentation proof even when no issuance proof is generated. When no presentation proof is generated, the message presentation system 10 may omit the subsequent processing related to the presentation proof (for example, the verification process by the verification device 450), and may also omit generating and storing the owner proof key pair.

[Processing flow]
FIG. 3 is a sequence diagram showing an example of the issuer key pair generation process in the first embodiment. In step S1101, the issuer key pair generation unit 102 generates an issuer private key and an issuer public key.

In step S1102, the communication unit 101 of the issuer key pair generation device 100 transmits the generated issuer private key to the issuer private key DB 110. In step S1111, the issuer private key DB 110 stores the issuer private key.

In step S1103, the communication unit 101 of the issuer key pair generation device 100 transmits the generated issuer public key to the issuer public key DB 120. In step S1121, the issuer public key DB 120 stores the issuer public key.

FIG. 4 is a sequence diagram showing an example of the owner proof key pair generation process in the first embodiment. In step S2131, the owner proof key pair generation unit 132 generates an owner proof private key and an owner verification public key.

In step S2132, the communication unit 131 of the owner proof key pair generation device 130 transmits the generated owner proof private key to the owner proof private key DB 140. In step S2141, the owner proof private key DB 140 stores the owner proof private key.

In step S2133, the communication unit 131 of the owner proof key pair generation device 130 transmits the generated owner verification public key to the owner verification public key DB 150. In step S2151, the owner verification public key DB 150 stores the owner verification public key.

FIG. 5 is a sequence diagram showing an example of the first encryption key pair generation process in the first embodiment. In step S3161, the first encryption key pair generation unit 162 performs the key pair generation process of the first encryption scheme to generate a first encryption key and a first decryption key. Specific examples of the first encryption scheme are described later.

In step S3162, the communication unit 161 of the first encryption key pair generation device 160 transmits the generated first encryption key to the first encryption key DB 170. In step S3171, the first encryption key DB 170 stores the first encryption key.

In step S3163, the communication unit 161 of the first encryption key pair generation device 160 transmits the generated first decryption key to the first decryption key DB 180. In step S3181, the first decryption key DB 180 stores the first decryption key.

FIG. 6 is a sequence diagram showing an example of the issuance process in the first embodiment. In step S4111, the issuer private key DB 110 transmits the stored issuer private key to the issuing device 200.

In step S4201, the message generation unit 202 generates a message. In step S4151, the owner verification public key DB 150 transmits the stored owner verification public key to the issuing device 200. To confirm that the transmitted owner verification public key belongs to the owner who is the subject of the issuance process, the issuing device 200 may, for example, request the owner proof private key DB 140 for that owner to transmit a proof of knowledge of the owner proof private key, and then verify the received proof of knowledge.

In step S4202, the issuance proof generation unit 203 generates an issuance proof using the issuer private key, the owner verification public key, and the generated message. The issuance proof generation unit 203 does not have to use the owner verification public key to generate the issuance proof, but using it allows the verifier to verify information about the owner to whom the message is issued. If the owner verification public key is not used, the message presentation system 10 may omit the processing of step S4151.

In step S4203, the communication unit 201 of the issuing device 200 transmits the generated message and issuance proof to the first encryption device 250. In step S4171, the first encryption key DB 170 transmits the stored first encryption key to the first encryption device 250.

In step S4251, the first encryption unit 252 generates a first encrypted message by performing the first encryption process, using the first encryption key, on the generated message. The first encryption unit 252 also generates a first encrypted issuance proof by performing the first encryption process, using the first encryption key, on the generated issuance proof. The first encryption process is, for example, the encryption process of the first encryption scheme.

In step S4252, the communication unit 251 of the first encryption device 250 transmits the generated first encrypted message and first encrypted issuance proof to the encrypted message DB 260. In step S4261, the encrypted message DB 260 stores the first encrypted message and the first encrypted issuance proof.

FIG. 7 is a sequence diagram showing an example of the presentation process in the first embodiment. In step S5261, the encrypted message DB 260 transmits the stored first encrypted message to the second encryption device 350. In step S5262, the encrypted message DB 260 transmits the stored first encrypted issuance proof to the presentation device 400.

In step S5301, the second encryption key pair generation unit 302 performs the key pair generation process of the second encryption scheme to generate a second encryption key and a second decryption key. Specific examples of the second encryption scheme are described later. In step S5302, the communication unit 301 of the second encryption key pair generation device 300 transmits the generated second encryption key to the second encryption device 350. In step S5303, the communication unit 301 of the second encryption key pair generation device 300 transmits the generated second decryption key to the verification device 450.

In step S5351, the second encryption unit 352 generates a doubly encrypted message by performing the second encryption process, using the second encryption key, on the first encrypted message. One example of the second encryption process is the encryption process of the second encryption scheme. The internal encryption process described later may also be performed as the second encryption process.

In step S5352, the communication unit 351 of the second encryption device 350 transmits the generated doubly encrypted message to the presentation device 400. In step S5181, the first decryption key DB 180 transmits the stored first decryption key to the presentation device 400. In step S5141, the owner certification private key DB 140 transmits the stored owner certification private key to the presentation device 400.

In step S5401, the first decryption unit 402 performs a first decryption process on the doubly encrypted message using the first decryption key, thereby generating a second encrypted message. An example of the first decryption process is the decryption process of the first encryption method. The first decryption unit 402 also restores the issuance proof by applying the decryption process of the first encryption method, with the first decryption key, to the first encrypted issuance proof.

In step S5402, the presentation conversion unit 403 performs a presentation conversion using the generated second encrypted message and the restored issuance proof, thereby generating a converted second encrypted message. In step S5403, the communication unit 401 of the presentation device 400 transmits the generated converted second encrypted message to the verification device 450. Note that if the presentation conversion is the identity conversion (including the case where no presentation conversion is performed), the converted second encrypted message is the same as the second encrypted message. A second encrypted message generated using a presentation conversion other than the identity conversion and a second encrypted message generated using the identity conversion (including the case where no presentation conversion is performed) are collectively referred to simply as the second encrypted message, or as the second encrypted message for transmission.

In step S5404, the presentation proof generation unit 404 generates a presentation proof. In generating the presentation proof, the presentation proof generation unit 404 may use at least one of the second encrypted message and the issuance proof, or may receive data such as a random number from the verification device 450 and use the received data. In step S5405, the communication unit 401 of the presentation device 400 transmits the generated presentation proof to the verification device 450.

In step S5451, the second decryption unit 452 performs a second decryption process on the converted second encrypted message using the second decryption key, thereby restoring the function value of the message. It is assumed that the combination of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process is set appropriately, so that the second decryption process correctly restores the function value of the message when the series of processes is performed correctly. Examples of such combinations will be described later.

Note that the probability that the second decryption process correctly restores the function value of the message when the series of processes is performed correctly does not necessarily have to be 1. However, to achieve the goal of presenting the function value of the message, the higher this probability, the better.

In step S5452, the verification unit 453 performs a verification process using the presentation proof and the restored function value of the message, and outputs the verification result. Examples of the output verification result are "verification success" and "verification failure". It is assumed that the combination of the issuance proof generation process, the presentation proof generation process, and the verification process is set appropriately, so that the verification result is "verification success" with high probability when the series of processes is performed correctly, and "verification failure" with high probability when any fraud has occurred in the series of processes. Specific examples of such combinations will be described later.

In step S5453, the output unit 454 outputs the restored function value of the message and the verification result. The destination to which the output unit 454 outputs them may be the output device 10005 (display screen) included in the computer 10000 constituting the verification device 450, or may be any output means, such as another device connected to the verification device 450.

FIG. 8 is a sequence diagram showing an example of the content confirmation process in the first embodiment. In step S6261, the encrypted message DB 260 transmits the stored first encrypted message to the content confirmation device 500. In step S6181, the first decryption key DB 180 transmits the stored first decryption key to the content confirmation device 500.

In step S6501, the first decryption unit 502 performs the first decryption process on the first encrypted message using the first decryption key, thereby restoring the message. In step S6502, the output unit 503 outputs the restored message. The destination to which the output unit 503 outputs the restored message may be the output device 10005 (display screen) included in the computer 10000 constituting the content confirmation device 500, or may be any output means, such as another device connected to the content confirmation device 500.

Although omitted from the sequence diagrams, the first process of each entity may be started, for example, by receiving a processing start request from a user operating the entity, by receiving a processing start request from another entity, or by receiving specified data; it is sufficient that the conditions for starting processing are determined in advance.

For example, in the presentation process, the second encryption key pair generation device 300 may start processing upon receiving a processing start request from the presentation device 400. In that case, the presentation device 400 may send the processing start request to the second encryption key pair generation device 300 upon receiving a request from the owner to start the presentation process.

For the transmission of each piece of data, the entity that requires the data may send a transmission request to the entity that holds it, and the entity that holds the data may transmit it in response. The transmission request may include a request to the operator or administrator of an entity. For example, if the first decryption key DB 180 is an IC card, the entity that requires the first decryption key may display text or output audio guidance asking the administrator of the IC card (i.e., the owner) to hold the IC card over that entity.

[Specific examples of combinations of the first encryption process, second encryption process, first decryption process, presentation conversion process, and second decryption process]
First, specific examples of encryption methods are described, as a basis for explaining specific examples of combinations of the first encryption process in step S4251, the second encryption process in step S5351, the first decryption process in step S5401, the presentation conversion process in step S5402, and the second decryption process in step S5451. Each encryption method includes a key pair generation process, an encryption process, and a decryption process. In the following description, the devices that perform the key pair generation process, the encryption process, and the decryption process are called the key pair generation device, the encryption device, and the decryption device, respectively.

In the following description of the encryption methods, the message to be encrypted is denoted m, the encryption key ek, the decryption key dk, the encrypted message to be decrypted c, and the decrypted message m'. The key pair generation process, encryption process, and decryption process of an encryption method X are denoted KG_X, Enc_X, and Dec_X, respectively. In encryption method X, the result of encrypting m using ek is denoted Enc_X(m;ek), and the result of decrypting c using dk is denoted Dec_X(c;dk).

Encryption method A is, for example, the following common key encryption method. m is assumed to be an element of a commutative group whose operation is written "+" and whose inverse operation is written "-". In the key pair generation process, the key pair generation device generates a random number s and generates the key pair as ek = s, dk = s. The encryption process is defined by Enc_A(m;ek) = m + ek. The decryption process is defined by Dec_A(c;dk) = c - dk.

In the key pair generation process, s may instead be a function value of another random number s' (for example, a value obtained from a pseudorandom number generator). In that case, s' may be stored instead of ek and dk, and s may be computed from s' at encryption and decryption time.

Furthermore, the encryption and decryption processes of encryption method A may take additional input data a that is not itself processed, in which case Enc_A((m,a);ek) = (Enc_A(m;ek),a) and Dec_A((c,a);dk) = (Dec_A(c;dk),a).

Encryption method B is, for example, ElGamal encryption. m is assumed to be an element of a commutative group. For application to this embodiment, however, each process is defined as follows. In the key pair generation process, the key pair generation device generates a random number s and sets ek = g^s and dk = s. Here, g is a generator of the commutative group, and the symbol "^" denotes exponentiation.

The encryption process of encryption method B takes m and a list L as input, and the encryption device outputs c and an updated list L'. This is written (c,L') = Enc_B((m,L);ek), where {} is the empty list and m is identified with (m,{}). (c,L') is computed as follows. The encryption device generates a random number r and sets c = ek^r * m, where the symbol "*" denotes the product. The encryption device then sets L' to the list L with g^r appended. Each g^r added to the list L is hereafter called an auxiliary ciphertext.

The decryption process of encryption method B takes c and a list L as input, and the decryption device outputs m' and an updated list L'. (m',L') is computed as follows. The decryption device obtains from the list L the auxiliary ciphertext z that was added to L by the encryption process performed with the ek corresponding to dk. It then decrypts by m' = c * z^(-dk). The decryption device defines L' as the list L with z removed. Removing z from L is not essential, however, and L' may be defined as L itself.

Encryption method C is, for example, any homomorphic public key encryption method. That is, encryption method C has the property that, for two messages m[1] and m[2], Enc_C(m[1]+m[2];ek) can be computed from Enc_C(m[1];ek) and Enc_C(m[2];ek). The operation + does not have to be addition and may be any group operation; the operation - is then the inverse operation of +. For example, any homomorphic public key encryption method, such as RSA encryption, ElGamal encryption, Lifted-ElGamal encryption, or Paillier encryption, can be used as encryption method C.

Using these encryption methods, specific examples of combinations of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process are described. In the following, the first encryption key is denoted ek_1 and the second encryption key ek_2. The decryption keys, variables, functions, and processes of the first and second encryption methods are likewise distinguished by subscripts; for the first encryption method, for example, the notation dk_1, s_1, h_1, Enc_1, Dec_1, and so on is used. The first encrypted message is denoted q_1, the doubly encrypted message q_12, and the second encrypted message q_2. The function value of the message is denoted f(m), and the decrypted function value of the message is denoted M'. The goal is to design a combination of processes such that M' = f(m).

In the first to fourth specific examples described below, the first encryption process is the encryption process of the first encryption method, the second encryption process is the encryption process of the second encryption method, the first decryption process is the decryption process of the first encryption method, the presentation conversion process is the identity conversion, the second decryption process is the decryption process of the second encryption method, and the function value of the message is f(m) = m.

The first specific example is as follows. The first encryption method is encryption method A, and the second encryption method is also encryption method A. The first encrypted message q_1 is then q_1 = Enc_A(m;ek_1) = m + ek_1. The doubly encrypted message q_12 is therefore q_12 = Enc_A(q_1;ek_2) = m + ek_1 + ek_2, where ek_1 = dk_1 and ek_2 = dk_2.

The second encrypted message q_2 is therefore q_2 = Dec_A(q_12;dk_1) = m + ek_1 + ek_2 - dk_1 = m + ek_2, and the decrypted function value of the message is M' = Dec_A(q_2;dk_2) = m + ek_2 - dk_2 = m. Thus m is correctly restored.

The second specific example is as follows. The first encryption method is encryption method B, and the second encryption method is also encryption method B. Then q_1 = Enc_B(m;ek_1) = (ek_1^r_1 * m, {g_1^r_1}), and therefore q_12 = Enc_B(q_1;ek_2) = (ek_2^r_2 * ek_1^r_1 * m, {g_1^r_1, g_2^r_2}).

Noting that the first decryption process takes g_1^r_1 out of the list {g_1^r_1, g_2^r_2}, we have q_2 = Dec_B(q_12;dk_1) = (ek_2^r_2 * ek_1^r_1 * m * (g_1^r_1)^(-dk_1), {g_2^r_2}) = (ek_2^r_2 * m, {g_2^r_2}). Therefore M' = Dec_B(q_2;dk_2) = ek_2^r_2 * m * (g_2^r_2)^(-dk_2) = m. Thus m is correctly restored.

The third specific example is as follows. The first encryption method is encryption method A, and the second encryption method is encryption method B, where the commutative group of encryption method A is the same as that of encryption method B. Then q_1 = Enc_A(m;ek_1) = m * ek_1, and therefore q_12 = Enc_B(q_1;ek_2) = (ek_2^r_2 * m * ek_1, {g_2^r_2}).

Therefore q_2 = Dec_A(q_12;dk_1) = (ek_2^r_2 * m * ek_1 * dk_1^(-1), {g_2^r_2}) = (ek_2^r_2 * m, {g_2^r_2}), and so M' = Dec_B(q_2;dk_2) = ek_2^r_2 * m * (g_2^r_2)^(-dk_2) = m. Thus m is correctly restored.

As a fourth specific example, it can be seen in the same way that m is correctly restored when the first encryption method is encryption method B and the second encryption method is encryption method A.

As in the first to fourth specific examples above, suppose the encryption processes of the first and second encryption methods commute, that is, they satisfy the condition that "for any message, the ciphertext obtained by performing the first encryption process of the first encryption method and then the second encryption process of the second encryption method is equal to the ciphertext obtained by performing the second encryption process of the second encryption method and then the first encryption process of the first encryption method (where, if the first encryption process uses random numbers internally, those random numbers are set to the same values, and if the second encryption process uses random numbers internally, those random numbers are set to the same values, before the comparison is made)". Then the message is correctly decrypted by taking the first encryption process to be the encryption process of the first encryption method, the second encryption process to be the encryption process of the second encryption method, the first decryption process to be the decryption process of the first encryption method, the presentation conversion process to be the identity conversion, and the second decryption process to be the decryption process of the second encryption method.
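The four combinations above, and the commutativity condition, can be checked mechanically. The following Python sketch is an added example, not part of the patent text: it places encryption methods A and B in one multiplicative group with constructed toy parameters (P, Q, G), and it assumes that each auxiliary ciphertext is tagged with a key id so that the decryptor can pick out its own entry from the list.

```python
import secrets

# Constructed toy group: P = 2Q + 1 is a safe prime and G = 4 generates the
# order-Q subgroup of squares mod P. Far too small for real use.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1           # exponent in [1, Q-1]

# --- Encryption method A (shared key, written multiplicatively) ---
def kg_a(key_id):
    s = pow(G, rand_exp(), P)                     # ek = dk = s
    return s, s

def enc_a(ct, ek, r=None):                        # r unused: A is deterministic
    c, aux = ct
    return (c * ek) % P, aux                      # extra data passes through

def dec_a(ct, dk):
    c, aux = ct
    return (c * pow(dk, -1, P)) % P, aux

# --- Encryption method B (ElGamal with a list of auxiliary ciphertexts) ---
def kg_b(key_id):
    s = rand_exp()
    return (key_id, pow(G, s, P)), (key_id, s)    # ek = g^s, dk = s

def enc_b(ct, ek, r=None):
    c, aux = ct
    key_id, h = ek
    r = r or rand_exp()
    # c = ek^r * m, and g^r is appended to the list (key id tag is an assumption)
    return (c * pow(h, r, P)) % P, aux + [(key_id, pow(G, r, P))]

def dec_b(ct, dk):
    c, aux = ct
    key_id, s = dk
    z = next(v for k, v in aux if k == key_id)    # own auxiliary ciphertext
    rest = [(k, v) for k, v in aux if k != key_id]
    return (c * pow(z, -s, P)) % P, rest          # m' = c * z^(-dk)

SCHEMES = {"A": (kg_a, enc_a, dec_a), "B": (kg_b, enc_b, dec_b)}

def present(m, first, second):
    """Issue, doubly encrypt, strip the first layer, then verify-side decrypt."""
    kg1, enc1, dec1 = SCHEMES[first]
    kg2, enc2, dec2 = SCHEMES[second]
    ek1, dk1 = kg1(1)
    ek2, dk2 = kg2(2)
    q1 = enc1((m, []), ek1)        # first encrypted message
    q12 = enc2(q1, ek2)            # doubly encrypted message
    q2 = dec1(q12, dk1)            # second encrypted message (m stays hidden)
    restored, _ = dec2(q2, dk2)    # M' at the verification device
    return {"q1": q1, "q12": q12, "q2": q2, "restored": restored}

def commutes(m, first, second, r1=5, r2=7):
    """Commutativity condition, with the internal randomness fixed to r1, r2."""
    kg1, enc1, _ = SCHEMES[first]
    kg2, enc2, _ = SCHEMES[second]
    ek1, _ = kg1(1)
    ek2, _ = kg2(2)
    c12, l12 = enc2(enc1((m, []), ek1, r1), ek2, r2)
    c21, l21 = enc1(enc2((m, []), ek2, r2), ek1, r1)
    return c12 == c21 and sorted(l12) == sorted(l21)

if __name__ == "__main__":
    for a in "AB":
        for b in "AB":
            out = present(1234, a, b)
            print(a, b, out["q2"][0], out["restored"], commutes(1234, a, b))
```

In every combination the value held after the first decryption, `q2`, differs from the message, while the holder of the second decryption key recovers it.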

In the fifth specific example, the first encryption method is encryption method C and the second encryption method is encryption method A. The first encryption process is the encryption process of the first encryption method, the first decryption process is the decryption process of the first encryption method, the presentation conversion process is the identity conversion, the second decryption process is the decryption process of the second encryption method, and the function value of the message is f(m) = m. The second encryption process computes q_12 = Enc_C(m+ek_2;ek_1) from ek_1, ek_2, and q_1 = Enc_C(m;ek_1). Because ek_1 is a public key, the second encryption device 350 can use ek_1 without compromising security. One way to compute q_12 is to compute Enc_C(ek_2;ek_1) and then use the homomorphism of encryption method C to compute q_12 = Enc_C(m+ek_2;ek_1) from q_1 = Enc_C(m;ek_1) and Enc_C(ek_2;ek_1).

In this case, q_12 can be written as q_12 = Enc_C(m+ek_2;ek_1) = Enc_C(Enc_A(m;ek_2);ek_1). Performing the decryption process of encryption method C, the first encryption method, in the first decryption process therefore yields Enc_A(m;ek_2). That is, q_2 = Dec_C(q_12;dk_1) = Enc_A(m;ek_2), and so M' = Dec_A(q_2;dk_2) = m. Thus m is correctly decrypted.

In the fifth specific example above, Enc_1(Enc_2(m;ek_2);ek_1) is computed from the first encrypted message q_1 = Enc_1(m;ek_1) generated by the encryption process of the first encryption method, and this value is taken as q_12. In other words, from the ciphertext obtained by encrypting the message with the first encryption method, the process generates the ciphertext obtained by encrypting, with the first encryption method, "the ciphertext obtained by encrypting the message with the second encryption method". This process is called internal encryption.
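The internal encryption of the fifth specific example, as an added Python sketch that is not part of the patent text. It assumes Paillier as encryption method C (one of the schemes the text lists) with constructed toy primes, and encryption method A over the additive group of integers mod n; all function names are hypothetical.

```python
import math
import secrets

def kg_c(p=1789, q=1861):
    """Paillier key pair with constructed toy primes (g = n + 1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return n, (n, lam, mu)                              # ek_1 = n, dk_1

def enc_c(m, n):
    """Enc_C(m; ek_1) = (1+n)^m * r^n mod n^2 for random r coprime to n."""
    r = 0
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(1 + n, m, n * n) * pow(r, n, n * n)) % (n * n)

def dec_c(c, dk):
    n, lam, mu = dk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n

def inner_encrypt(q1, ek1, ek2):
    """Second encryption process: Enc_C(m; ek_1) -> Enc_C(m + ek_2; ek_1).

    Uses only the public key ek_1 and the additive homomorphism: the product
    of two Paillier ciphertexts encrypts the sum of their plaintexts.
    """
    return (q1 * enc_c(ek2, ek1)) % (ek1 * ek1)

def present_inner(m):
    ek1, dk1 = kg_c()
    ek2 = dk2 = secrets.randbelow(ek1 - 1) + 1   # method A key, nonzero mod n
    q1 = enc_c(m, ek1)                           # first encrypted message
    q12 = inner_encrypt(q1, ek1, ek2)            # doubly encrypted message
    q2 = dec_c(q12, dk1)                         # equals Enc_A(m; ek_2) = m + ek_2
    restored = (q2 - dk2) % ek1                  # Dec_A(q_2; dk_2)
    return {"n": ek1, "ek2": ek2, "q2": q2, "restored": restored}

if __name__ == "__main__":
    print(present_inner(4242))
```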

This is not limited to the fifth specific example: m is correctly decrypted whenever the first encryption process is the encryption process of the first encryption method, the second encryption process is the internal encryption process, the first decryption process is the decryption process of the first encryption method, the presentation conversion process is the identity conversion, and the second decryption process is the decryption process of the second encryption method. For example, in the first specific example above as well, q_12 = Enc_A(Enc_A(m;ek_2);ek_1). The first specific example can therefore be regarded as an example in which the first encryption process is the encryption process of the first encryption method, the second encryption process is the internal encryption process, the first decryption process is the decryption process of the first encryption method, the presentation conversion process is the identity conversion, and the second decryption process is the decryption process of the second encryption method.

Instead of making the second encryption process the internal encryption process, m can also be correctly decrypted by making the first decryption process the following internal decryption process. If the first encryption process is the encryption process of the first encryption method and the second encryption process is the encryption process of the second encryption method, then q_12 = Enc_2(Enc_1(m;ek_1);ek_2). The internal decryption process is defined as a process that obtains Enc_2(m;ek_2) from such a q_12. With this internal decryption process, if the first encryption process is the encryption process of the first encryption method, the second encryption process is the encryption process of the second encryption method, the first decryption process is the internal decryption process, the presentation conversion process is the identity conversion, and the second decryption process is the decryption process of the second encryption method, then the second decryption process correctly decrypts m.

For example, in the first specific example, q_12 = Enc_2(Enc_1(m;ek_1);ek_2) and q_2 = Enc_2(m;ek_2). The first specific example can therefore also be regarded as an example in which the first encryption process is the encryption process of the first encryption method, the second encryption process is the encryption process of the second encryption method, the first decryption process is the internal decryption process, the presentation conversion process is the identity conversion, and the second decryption process is the decryption process of the second encryption method.

In the first to fifth specific examples above, the second encrypted message has the form of an encrypted message obtained by applying the encryption process of the second encryption method to the message. Beyond these specific examples, the message can be restored by the second decryption process whenever a set of first encryption process, second encryption process, and first decryption process is used for which the second encrypted message satisfies this condition.

The sixth specific example is as follows. When a message m consists of a tuple of one or more messages m[1], m[2], ..., m[n] (where n is an integer of 1 or more), each of m[1], m[2], ..., m[n] is called a message element. In the sixth specific example, the message m is defined by a pair of two message elements m[1] and m[2] as m = (m[1],m[2]), and an example of a method for presenting f(m) = m[1] + m[2] as the function value of the message is given.

For the first encryption process, the second encryption process, and the first decryption process in the sixth specific example, the method of the first specific example is applied independently to m[1] and m[2]. If the second encrypted messages corresponding to m[1] and m[2] are denoted q_2[1] and q_2[2], respectively, then q_2 is the pair of these, and q_2 = (q_2[1],q_2[2]) = (m[1]+ek_2[1], m[2]+ek_2[2]). Here, the second encryption keys corresponding to m[1] and m[2] are denoted ek_2[1] and ek_2[2], respectively, and the second decryption keys corresponding to m[1] and m[2] are denoted dk_2[1] and dk_2[2], respectively.

The converted second encrypted message is then computed as q_2[1] + q_2[2], and the second decryption process computes M' = q_2[1] + q_2[2] - dk_2[1] - dk_2[2]. As a result, M' = m[1] + ek_2[1] + m[2] + ek_2[2] - dk_2[1] - dk_2[2] = m[1] + m[2], and f(m) is correctly restored.

Note that the second encryption key pair generation device 300 may transmit (dk_2[1], dk_2[2]) to the verification device 450 as the second decryption key, or it may transmit dk_2[1] + dk_2[2]. As in this example, only the data necessary for the second decryption may be transmitted, rather than the second decryption key itself.

The combinations of the first encryption process, second encryption process, first decryption process, presentation conversion process, and second decryption process described above are merely examples, and any combination in which the function value of the message is correctly decrypted may be used.

Note that, for the function value of the message to be restored in the second decryption process, the combination of the first encryption process, the second encryption process, the first decryption process, the presentation conversion process, and the second decryption process must be designed appropriately. For example, let encryption scheme A' be a scheme whose processing is the same as that of encryption scheme A but which operates on a non-commutative group, and consider the case where encryption scheme A' is used instead of encryption scheme A in the first specific example. In this case, the value obtained by performing the first encryption process, the second encryption process, the first decryption process, and the second decryption process in this order is m + ek_1 + ek_2 - dk_1 - dk_2, but this value does not necessarily equal m.
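The sixth specific example and the non-commutative caveat above, worked as an added example (not code from the patent). It assumes, as the page's equations imply, that scheme A adds the key and that each decryption key equals its encryption key; the modulus `P`, the permutation group used for scheme A', and all function names are constructed for illustration.

```python
import secrets

P = 2**61 - 1  # modulus of the additive group (constructed; the page fixes no group)


def chain(op, inv, m, k1, k2):
    """First encryption, second encryption, first decryption, second decryption,
    in that order: m + ek_1 + ek_2 - dk_1 - dk_2, with dk = ek and '+' read as op."""
    x = op(m, k1)          # first encryption
    x = op(x, k2)          # second encryption -> doubly encrypted message
    x = op(x, inv(k1))     # first decryption -> second encrypted message
    return op(x, inv(k2))  # second decryption


# Scheme A: integers modulo P under addition (commutative).
def add(a, b):
    return (a + b) % P


def neg(a):
    return (-a) % P


# Scheme A': permutations of {0, 1, 2} under composition (non-commutative).
def compose(a, b):
    return tuple(b[a[i]] for i in range(len(a)))  # apply a, then b


def invert(a):
    out = [0] * len(a)
    for i, v in enumerate(a):
        out[v] = i
    return tuple(out)


def roundtrip_commutative(m):
    k1, k2 = secrets.randbelow(P), secrets.randbelow(P)
    return chain(add, neg, m, k1, k2)


def roundtrip_noncommutative(m, k1=(1, 2, 0), k2=(0, 2, 1)):
    # Default keys are a 3-cycle and a transposition, which do not commute.
    return chain(compose, invert, m, k1, k2)


def present_sum(m):
    """Sixth example for m = (m[1], m[2]). Returns the second encrypted elements
    (all the presentation device sees), the converted second encrypted message,
    and dk_2[1] + dk_2[2] (all the verification device needs)."""
    ek1 = [secrets.randbelow(P) for _ in m]  # first keys, dk_1 = ek_1
    ek2 = [secrets.randbelow(P) for _ in m]  # second keys, dk_2 = ek_2
    doubly = [add(add(x, a), b) for x, a, b in zip(m, ek1, ek2)]
    q2 = [add(c, neg(a)) for c, a in zip(doubly, ek1)]  # m[i] + ek_2[i]
    converted = sum(q2) % P                  # q_2[1] + q_2[2]
    dk2_sum = sum(ek2) % P                   # sent instead of (dk_2[1], dk_2[2])
    return q2, converted, dk2_sum


def second_decrypt(converted, dk2_sum):
    """M' = q_2[1] + q_2[2] - (dk_2[1] + dk_2[2]) = m[1] + m[2]."""
    return add(converted, neg(dk2_sum))


if __name__ == "__main__":
    print(roundtrip_commutative(123456))          # recovers m
    print(roundtrip_noncommutative((1, 0, 2)))    # differs from m
    q2, converted, dk2_sum = present_sum((1200, 345))
    print(second_decrypt(converted, dk2_sum))     # m[1] + m[2]
```

With the aggregated key `dk2_sum`, the verification device can recover only the sum; it cannot recover m[1] or m[2] individually from the converted message.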

[Specific examples of combinations of the issuance proof generation process, presentation proof generation process, and verification process]
Specific examples of combinations of the issuance proof generation process in step S4202, the presentation proof generation process in step S5404, and the verification process in step S5452 will be described. The first specific example will be described. In the first specific example, no issuance proof is required. However, an issuance proof may be generated by, for example, combining this example with the subsequent specific examples.

In the presentation proof generation process, the presentation proof generation unit 404 uses the owner proof private key to generate a proof of knowledge of the owner proof private key. In generating the proof of knowledge, the presentation proof generation unit 404 may receive data such as a random number generated by the verification device 450. The presentation proof generation unit 404 also generates a digital signature on the converted second encrypted message to be presented. The presentation proof generation unit 404 then takes the pair of the issuance proof and the proof of knowledge of the owner proof private key as the presentation proof.

In the verification process, the verification unit 453 first verifies the proof of knowledge of the owner proof private key using the owner verification public key. This allows the verification unit 453 to verify that the person operating the presentation device 400 is the correct owner. The verification unit 453 also uses the owner verification public key to verify the relationship between the second encrypted message and the digital signature on the second encrypted message. This allows the verification unit 453 to verify the fact that the second encrypted message was sent by the owner.

In addition, because the function value of the message is decrypted from the second encrypted message using the second decryption key, this also means that the fact that the owner presented the function value of the message is verified. Note that if the verification device 450 or another entity stores the second encrypted message, the digital signature on the second encrypted message, and the second decryption key, the fact that the owner presented the function value of the message can also be verified after the fact.

Note that, to make it possible to verify both that the person operating the presentation device 400 is the correct owner and that the owner presented the function value of the message, the presentation proof generation unit 404 may generate a digital signature on the pair of the second encrypted message and data such as a random number sent from the verification device 450, and use the generated digital signature as the presentation proof.

The second specific example will be described. The second specific example describes a case in which the issuance proof is generated using a sanitizable signature scheme. Assume that a message consists of a tuple of n message elements m[1], m[2], ..., m[n] (n is an integer equal to or greater than 1). In other words, assume that m is defined as m = (m[1], m[2], ..., m[n]).

The function value for message m is f(m) = (m[i_1], ..., m[i_k]), where k is an integer between 1 and n inclusive, and {i_1, ..., i_b} is a subset of {1, ..., n}. In other words, f(m) is a tuple consisting of some or all of the message elements contained in m. Also, let N = {1, ..., n} and D = {i_1, ..., i_b}.

In the issuance proof generation process, the issuance proof generation unit 203 uses a hash function Hash to calculate Hash(m[i]) for each i = 1, ..., n. The issuance proof generation unit 203 then sets H = (Hash(m[1]), ..., Hash(m[n])) and generates a digital signature q_0 on H using the issuer private key. The issuance proof generation unit 203 then defines the issuance proof as (N, H, q_0).

In the presentation proof generation process, the presentation proof generation unit 404 defines the presentation proof as (D, H, q_0).

In the verification process, the verification unit 453 verifies the relationship between H and q_0 using the issuer public key. Furthermore, for each i included in D, the verification unit 453 verifies the value of Hash(m[i]) included in H against Hash(m[i]) calculated from the corresponding m[i] included in the decrypted f(m) = (m[i_1], ..., m[i_k]). If both verifications succeed, the verification unit 453 outputs a verification result indicating success; otherwise, it outputs a verification result indicating failure.

Through such processing, the message presentation system 10 can present only a portion of the message and verify the validity of the presented portion. Furthermore, by making one or more of the message elements the owner verification public key or a function value of it (such as a hash value), the issuer can certify the legitimate owner verification public key. In addition, by combining the method of the first specific example with the method of the second specific example, the verification unit 453 can verify that the person operating the presentation device 400 is the legitimate owner and that the legitimate owner presented the function value of the message.
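The issuance proof (N, H, q_0), presentation proof (D, H, q_0), and verification of the second specific example, as an added example that is not code from the patent. The page does not name a signature scheme for q_0, so a Lamport one-time signature built on SHA-256 is swapped in here to keep the block standard-library only; the function names and sample message elements are constructed, and f(m) is passed to the verifier directly rather than obtained through the second decryption process.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (stand-in for the issuer's signature scheme) ---
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[h(a), h(b)] for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def encode_H(H) -> bytes:
    # Every entry is a 32-byte digest, so plain concatenation is unambiguous.
    return b"".join(H)


# --- Issuer: issuance proof (N, H, q_0) ---
def issue(issuer_sk, m):
    H = [h(x) for x in m]                        # H = (Hash(m[1]), ..., Hash(m[n]))
    q0 = lamport_sign(issuer_sk, encode_H(H))    # signature on H
    N = list(range(1, len(m) + 1))
    return N, H, q0


# --- Presentation device: presentation proof (D, H, q_0) ---
def present(issuance_proof, D):
    _N, H, q0 = issuance_proof
    return sorted(D), H, q0


# --- Verification device ---
def verify(issuer_pk, presentation_proof, f_m) -> bool:
    D, H, q0 = presentation_proof
    # 1. H must carry a valid issuer signature.
    if not lamport_verify(issuer_pk, encode_H(H), q0):
        return False
    # 2. D must be a set of valid 1-based indices matching f(m) in length.
    if len(set(D)) != len(D) or len(D) != len(f_m):
        return False
    if any(i < 1 or i > len(H) for i in D):
        return False
    # 3. Each disclosed element must hash to the signed entry at its index.
    return all(h(x) == H[i - 1] for i, x in zip(D, f_m))


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    m = [b"name=Taro Yamada", b"dob=1990-04-01", b"licence=B"]  # constructed sample
    proof = present(issue(sk, m), {1, 3})
    print(verify(pk, proof, [m[0], m[2]]))         # True
    print(verify(pk, proof, [m[0], b"licence=A"]))  # False
```

H carries an unsalted hash of every element, so undisclosed low-entropy elements are only as hidden as they are hard to guess; salting each element with a random value before hashing is the usual mitigation.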

Note that if there is only one message to be sent, or if selective presentation is not required, any signature scheme can be used, not only a sanitizable signature scheme. In that case, the presentation proof is the issuance proof itself, and digital signature verification is executed as the verification process.

The third specific example will be described. The third specific example describes an application to an ACS (Anonymous Credential System). Specifically, an application to Sanders' scheme is described. In the third specific example, as in the second specific example, a message is assumed to consist of n message elements, and the notation for messages is the same as in the second specific example.

As the first encryption, second encryption, and first decryption processes for the message, the methods of the first encryption, second encryption, and first decryption processes of the first specific example given for the combination of the first encryption process, second encryption process, first decryption process, presentation conversion process, and second decryption process are applied to each message element. In this case, if the second encryption key corresponding to message element m[i] is s[i] for each i = 1, ..., n, the message is (m[1]+s[1], m[2]+s[2], ..., m[n]+s[n]) and the second decryption key is (s[1], s[2], ..., s[n]).

Let p be a prime number, let G_1, G_2, and G_T each be a group of order p, and let e be a pairing from the direct product of G_1 and G_2 to G_T. Each message element is assumed to be an element of the residue class ring Z_p modulo p. Let D_0 be the set consisting of the elements of D and 0. Furthermore, let U be the set obtained by removing the elements of D from N.

In the issuer key pair generation process, the issuer key pair generation unit 102 randomly selects non-identity elements g and h from G_1 and G_2, respectively. Furthermore, the issuer key pair generation unit 102 randomly generates (n+2) elements x, y_0, y_1, ..., y_n from Z_p, and takes the tuple of these as the issuer private key. The issuer key pair generation unit 102 defines the issuer public key as pk, given by (Equation 1) below.

Figure JPOXMLDOC01-appb-M000001

In the owner proof private key generation process, the owner proof key pair generation unit 132 randomly generates an owner proof private key usk from Z_p, and defines the owner verification public key upk as upk = h^usk.
In the issuance proof generation process, the issuance proof generation unit 203 randomly generates a random number r from Z_p, and then generates the issuance proof q according to (Equation 2) below.

Figure JPOXMLDOC01-appb-M000002

In the presentation process, prior to the presentation conversion process, the presentation proof generation unit 404 randomly generates a random number t from Z_p. The purpose of the presentation process is to present (m[i_1], ..., m[i_k]), but the message function value is taken to be this tuple with (a_1, a_2), defined by (Equation 3) and (Equation 4) below, added as additional data for verification.

Figure JPOXMLDOC01-appb-M000003

To present (m[i_1], ..., m[i_b], a_1, a_2), the presentation conversion unit 403 calculates (a_1', a_2') using (Equation 5) and (Equation 6) below.

Figure JPOXMLDOC01-appb-M000004

The presentation conversion unit 403 then defines the converted second encrypted message as (m[i_1]+s[i_1], ..., m[i_b]+s[i_b], a_1', a_2').

In the second decryption process, the second decryption unit 452 first calculates (m[i_1], ..., m[i_k]) from (m[i_1]+s[i_1], ..., m[i_b]+s[i_b]) using the second decryption key (s[1], s[2], ..., s[n]). Furthermore, since the relationships in (Equation 7) and (Equation 8) below hold, the second decryption unit 452 restores (a_1, a_2) using these relations.

Figure JPOXMLDOC01-appb-M000005

The presentation proof generation process and the presentation proof verification process are performed interactively as follows. First, the presentation proof generation unit 404 generates random numbers k and r, and generates q' from the issuance proof q and the generated k, r, and t as shown in (Equation 9) below. The communication unit 401 of the presentation device 400 transmits q' to the verification device 450.

Figure JPOXMLDOC01-appb-M000006

If at least one of the first and second components of q' is the identity element, the verification unit 453 outputs "verification failed". Otherwise, the verification unit 453 generates a random number c. The communication unit 451 of the verification device 450 transmits c to the presentation device 400. The presentation proof generation unit 404 calculates s according to (Equation 10) below. The communication unit 401 of the presentation device 400 transmits s to the verification device 450.

Figure JPOXMLDOC01-appb-M000007

The verification unit 453 calculates B according to (Equation 11) below, and outputs "verification successful" if (Equation 12) holds and "verification failed" if it does not.

Figure JPOXMLDOC01-appb-M000008

Figure JPOXMLDOC01-appb-M000009

In this way, this embodiment can be applied to an ACS. Note that, to strengthen the owner's anonymity with respect to the verification device 450, the second encryption key pair generation device 300 may be configured to perform presentation processes for multiple owners. In that case, an ID should be assigned to the key pair for each presentation process so that the verification device 450 can distinguish which presentation process a transmitted second decryption key corresponds to.

[Examples of process flow modifications]
Each process that uses a private key may be performed by the DB storing that private key instead of by the device that receives the private key. In that case, the data required for the process using the private key is transmitted to that DB. For example, instead of the first decryption unit 402 of the presentation device 400 performing the first decryption process on the doubly encrypted message using the first decryption key, the first decryption key DB 180 may receive the doubly encrypted message, generate the second encrypted message by performing the first decryption process on the doubly encrypted message using the first decryption key, and transmit the generated second encrypted message to the presentation device 400.

Before performing the issuance process, the message presentation system 10 may also perform identity verification to confirm that the owner to whom the message is to be issued is legitimate. Identity verification may be performed by the owner presenting a certificate (e.g., a driver's license, My Number card, or health insurance card) to the issuer in person, or by information proving the owner's identity being transmitted to the issuing device 200 online. For identity verification, information produced using the owner proof private key (e.g., a proof of knowledge of the owner proof private key) may be transmitted from a device operated by the owner.

The message to be encrypted in this embodiment may also be a secret key of another encryption scheme. For example, the first encryption device 250 may generate a temporary common key, generate encrypted data by encrypting arbitrary data with the temporary common key using common key encryption, and then perform the processing of this embodiment with the temporary common key as the message. The encrypted data is transmitted to the verification device 450 together with, for example, the first encrypted message, the doubly encrypted message, and the second encrypted message (where, in these data, the message is the temporary common key). In this way, the verification device 450 can decrypt the temporary common key and, by decrypting the encrypted data with the temporary common key, restore the data encrypted by the first encryption device 250.

In this embodiment, the message presentation system 10 generates a second encryption key pair for each presentation process. Instead, the message presentation system 10 may generate the second encryption key and second decryption key in advance through the second encryption key pair generation process and store them in a DB or the like.

In this embodiment, the presentation device 400 restores the issuance proof. To reduce the risk of the issuance proof leaking, the system may instead be configured so that the issuance proof itself is not restored. For example, in the second specific example of the combination of the issuance proof generation process, presentation proof generation process, and verification process, the method of this embodiment can be applied with H or q_0 included in the issuance proof as the message.

In addition, in the third specific example of the combination of the issuance proof generation process, presentation proof generation process, and verification process, carrying out this embodiment with m[n+1] as a random number and (m[1], ..., m[n], m[n+1]) as the message further reduces the risk of the message being inferred from the issuance proof.

The message presentation system 10 may also include multiple instances of one or more types of entity. For example, the message presentation system 10 may include one or more encrypted message DBs 260 for each user. Alternatively, one or more of the provided encrypted message DBs 260 may be used for multiple users. When multiple encrypted message DBs 260 are provided, the message presentation system 10 determines, for example, in each process, which encrypted message DB 260 is used in that process.

To do so, one of the entities identifies the network location (e.g., a URI (Uniform Resource Identifier)) of the encrypted message DB 260 used in the process. As the identification method, the entity may request its operator (e.g., the owner) to input information on the location, and identify the location based on the input information.

Instead of the entity requesting input of the location information, the message presentation system 10 may store in advance pairs of candidate network locations and their identifiers (e.g., character strings, which may include digits), and when the network location of the encrypted message DB 260 used for a process is needed, one of the entities may request input of an identifier and identify the location based on the input identifier. Instead of an identifier, any means of identifying an individual (e.g., a proof of knowledge of the owner proof private key, a password, or biometric information) may be used for identification. The message presentation system 10 may likewise include multiple instances of entities other than the encrypted message DB 260, and a similar method can be used to determine which entity is used for a process.

The verification device 450 used in the presentation process (i.e., the destination to which the function value of the message is presented) is determined by, for example, the presentation device 400. As a countermeasure against an attack in which the presentation device 400 fraudulently determines the presentation destination, the second encryption key pair generation device 300 may, for example, notify the owner of the presentation destination. Any means may be used for the notification, such as email, telephone, SMS (Short Message Service), or postal mail. Alternatively, the second encryption key pair generation device 300 may record a history of presentation destinations and disclose it to the owner at the owner's request.

This allows the owner to detect fraud when a message has been presented to an unauthorized destination, which is effective as a countermeasure against the attack. Furthermore, if the second encryption key pair generation device 300 issues the notification before transmitting the second decryption key (step S5303), confirming the owner's consent at that point reduces the risk of the message being presented to an unauthorized destination. The notification and consent confirmation may be performed by another entity (e.g., the encrypted message DB 260) instead of the second encryption key pair generation device 300.

One or more of the private keys used in the processing may also be generated from secret information such as a password. In this case, the message presentation system 10 need not include a DB storing that private key; when performing a process that uses the private key, it requests the manager of the secret information (for the owner proof private key, for example, the manager of the secret information is the owner) to input the secret information required to generate the private key.

[Effects of this embodiment]
In the message presentation system 10 of this embodiment, the presentation device 400 that presents a message receives the message in encrypted form. It is therefore difficult for the presentation device 400 to restore the message or the function value of the message. This reduces the risk of the message leaking from the presentation device 400. In addition, since the message itself is stored in the encrypted message DB 260 in encrypted form, the risk of the message leaking from the encrypted message DB 260 is also reduced.

The processing of this embodiment is particularly effective when the owner does not need to check the message presented in the presentation process. One such case is the presentation of information that the owner already knows without checking it again, such as the owner's own name or date of birth.

Even when the owner needs to check the contents of the message in the presentation process, the message presentation system 10 of this embodiment can be applied, for example, as follows. Suppose the presentation device 400 is a shared terminal installed in a store or the like, and the content confirmation device 500 is a terminal such as a smartphone carried by the owner. In this case, the owner checks the contents of the message using the content confirmation device 500 and then performs the presentation process using the presentation device 400, so that the message can be kept secret from the presentation device 400.

This embodiment also has the following effect when the presentation device 400 has a function for reducing the risk of information leakage (e.g., a Trusted Execution Environment). A computation area with such a function may be inferior to a normal computation area in computation speed and in the memory size available for processing. With the method of this embodiment, the risk of message leakage at the presentation device 400 is already reduced, so computations on the message (e.g., calculation of the message function value and the presentation proof generation process) can be performed in the normal computation area. This reduces the resource consumption of the computation area that provides leakage risk reduction.

Note that, instead of reducing the resource consumption of the computation area that provides leakage risk reduction, the processing on the message may also be performed in that computation area to reduce the leakage risk further.

The application to an ACS described above also has the following effect. In a conventional ACS, the presentation device 400 needs not only the message elements to be presented but also the message elements not to be presented in order to generate the presentation proof. The owner may use the presented message elements to check their contents, but there is little need from the user's standpoint for the presentation device 400 to restore the message elements that are not presented. With the scheme of this embodiment, the message elements that are not presented can be kept secret from the presentation device 400.

Note that, in the application to an ACS described above, this embodiment may be applied to keep the message elements that are not presented secret from the presentation device 400, while the message elements that are presented are restored at the presentation device 400. In this case, instead of (m[i_1]+s[i_1], ..., m[i_b]+s[i_b], a_1', a_2') being transmitted as the converted second encrypted message, for example (m[i_1], ..., m[i_b], a_1', a_2') is transmitted. In this way, this embodiment can also be applied to part of a message, and the system should be designed according to the need for content confirmation and the security policy.

Outside ACS as well, for example among sanitizable signature schemes, there are schemes that need the message elements that are not presented in order to generate a presentation proof. This embodiment can be applied to such schemes too, in order to conceal the message elements that are not presented from the presentation device 400.

In addition to the effects listed here, there are also the security-improving effects already mentioned, depending on the specific example of each process.

Example 2 describes a message presentation system 20 that operates over a network. The message presentation system 10 of Example 1 stores the owner certification private key and the first decryption key in DBs, whereas the message presentation system 20 of Example 2 restores the owner certification private key and the first decryption key using a template that has been generated and registered in advance and the owner's biometric information. The owner certification private key and the first decryption key have fixed values for each owner, but the message presentation system 20 can update them by performing the owner key generation process again.

FIG. 9 is a block diagram showing an example of the configuration of the message presentation system 20 in Example 2. Unlike the message presentation system 10 of Example 1, the message presentation system 20 does not include the owner certification private key DB 140 or the first decryption key DB 180, and instead includes an owner key generation device 600, a template DB 610, and an owner key restoration device 650.

Of the entities included in the message presentation system 20 of Example 2, the functional units of those entities that are also included in the message presentation system 10 of Example 1 are not shown in FIG. 9, but they are included in the corresponding entities of Example 2.

The owner key generation device 600 uses the owner's biometric information to generate a template, an owner verification public key, and a first decryption key. The owner key generation device 600 includes, for example, a communication unit 601, a key generation biometric information acquisition unit 602, and an owner key generation unit 603, all of which are functional units. The owner key generation device 600 is operated, for example, by the owner.

The owner key restoration device 650 restores the owner verification public key and the first decryption key using the owner's biometric information and the template. The owner key restoration device 650 includes, for example, a communication unit 651, a key restoration biometric information acquisition unit 652, and an owner key restoration unit 653, all of which are functional units. The owner key restoration device 650 is operated, for example, by the owner.

The message presentation system 20 of Example 2 performs the issuer key pair generation process and the issuance process in the same manner as in Example 1. In place of the owner certification key pair generation process and the first encryption key pair generation process of Example 1, the message presentation system 20 of Example 2 performs the owner key generation process.

In the presentation process of Example 1, the first decryption key DB 180 transmits the first decryption key to the presentation device 400, and the owner certification private key DB 140 transmits the owner certification private key to the presentation device 400. In Example 2, instead of these steps, the owner key restoration device 650 restores the first decryption key and the owner certification private key by the owner key restoration process and transmits them to the presentation device 400. The other steps of the presentation process are the same as in Example 1.

In the content confirmation process of Example 1, the first decryption key DB 180 transmits the first decryption key to the content confirmation device 500. In Example 2, instead of this step, the owner key restoration device 650 restores the first decryption key by the owner key restoration process and transmits it to the content confirmation device 500. The other steps of the content confirmation process are the same as in Example 1.

The owner key restoration device 650 used for the owner key restoration process performed during the presentation process and the owner key restoration device 650 used for the owner key restoration process performed during the content confirmation process do not have to be the same device (that is, the message presentation system 20 may include multiple owner key restoration devices 650). The owner key restoration device 650 used during the presentation process may be physically the same terminal as the presentation device 400. Likewise, the owner key restoration device 650 used during the content confirmation process may be physically the same terminal as the content confirmation device 500.

The hardware configurations of the owner key generation device 600, the template DB 610, and the owner key restoration device 650 are, for example, the same as the hardware configuration described in Example 1 with reference to FIG. 2. However, the computer 10000 constituting the owner key generation device 600 and the owner key restoration device 650 is assumed to have a sensor for acquiring biometric information such as a face, fingerprint, iris, palm print, or finger veins (the biometric information may be used to generate an encryption key). The sensor may be dedicated to acquiring biometric information, or may be a device whose purpose is not limited to acquiring biometric information (for example, a camera intended to acquire images and video in general, or a microphone intended to acquire audio in general).

[Processing flow]
The message presentation system 20 of this embodiment executes the same processes as the message presentation system 10 of Example 1, except for the following points. Specifically, the message presentation system 20 of this embodiment does not execute the owner certification key pair generation process shown in FIG. 4 or the first encryption key pair generation process shown in FIG. 5, and instead executes the owner key generation process shown in FIG. 10.

In place of step S5181, the message presentation system 20 of this embodiment executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored first decryption key to the presentation device 400. In place of step S5141, it executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored owner certification private key to the presentation device 400. In place of step S6181, it executes the owner key restoration process shown in FIG. 11, and the owner key restoration device 650 transmits the restored first decryption key to the content confirmation device 500. Note that, instead of transmitting these keys, the owner key restoration device 650 may receive the data required for each process that uses a key and then perform that process itself.

FIG. 10 is a sequence diagram showing an example of the owner key generation process in Example 2. In step S7601, the key generation biometric information acquisition unit 602 acquires key generation biometric information from the owner. Any type of biometric information, such as face, iris, fingerprint, finger vein, or palm print, can be acquired by the key generation biometric information acquisition unit 602. Likewise, any data format, such as image, video, or audio, can be used for the biometric information.

In step S7602, the owner key generation unit 603 uses the key generation biometric information to generate a template, a first encryption key, and an owner verification public key. In step S7603, the communication unit 601 of the owner key generation device 600 transmits the generated template to the template DB 610. In step S7611, the template DB 610 stores the template.

In step S7604, the communication unit 601 of the owner key generation device 600 transmits the generated owner verification public key to the owner verification public key DB 150. In step S7151, the owner verification public key DB 150 stores the owner verification public key.

In step S7605, the communication unit 601 of the owner key generation device 600 transmits the generated first encryption key to the first encryption key DB 170. In step S7171, the first encryption key DB 170 stores the first encryption key.

FIG. 11 is a sequence diagram showing an example of the owner key restoration process in Example 2. In step S8651, the key restoration biometric information acquisition unit 652 acquires from the owner key restoration biometric information of the same type as in step S7601. In step S8611, the template DB 610 transmits the stored template to the owner key restoration device 650.

In step S8652, the owner key restoration unit 653 restores the owner certification private key and the first decryption key using the template and the acquired key restoration biometric information. The owner key generation process and the owner key restoration process are assumed to be configured appropriately so that, if the key restoration biometric information is sufficiently close to the key generation biometric information used in the owner key generation process (for example, if the distance between the feature vectors representing the biometric information is equal to or less than a predetermined value), the owner certification private key and the first decryption key, which have values unique to each owner, are correctly restored with high probability from the template and the key restoration biometric information.

[Specific examples of the owner key generation process and the owner key restoration process]
As a specific example of the owner key generation process in step S7602 and the owner key restoration process in step S8652, a method using a biometric cryptosystem is described. For the purpose of explanation, an example of the processing of a biometric cryptosystem is given first. A biometric cryptosystem includes a key generation process and a key restoration process. The key generation process takes key generation biometric information x_G as input and generates a secret key s_G and a helper string hs. The key generation process is written (s_G, hs) = Gen(x_G).

The key restoration process restores the secret key from hs and key restoration biometric information x_R. The restored secret key is written s_R, and the key restoration process is written s_R = Rec(hs, x_R). When x_G and x_R are sufficiently close (for example, when their distance is equal to or less than a predetermined value), s_G = s_R holds. In other words, the secret key is correctly restored. In addition, it is difficult to estimate x_G or s_G from hs. Any scheme, such as Fuzzy Extractor, Fuzzy Signature, Fuzzy Commitment, or Fuzzy Vault, can be used as the biometric cryptosystem.

A specific example of the owner key generation process is as follows. The owner key generation unit 603 generates a template T, a first encryption key ek_1, and an owner verification public key pk1 as described below. First, the owner key generation unit 603 uses the key generation biometric information x_G to generate a secret key s_G and a helper string hs by the key generation process of the biometric cryptosystem.

Next, the owner key generation unit 603 uses the secret key s_G to generate an encryption key ek_0 and a decryption key dk_0. The key pair generation process of any encryption scheme can be used to generate (ek_0, dk_0). The encryption and decryption processes of this encryption scheme are written Enc_0 and Dec_0, respectively.

However, so that the same (ek_0, dk_0) is obtained from the same s_G, the key pair generation process is assumed to be a deterministic process that takes s_G as input. The owner key generation unit 603, for example, generates ek_0 by applying a deterministic transformation to s_G and then generates the dk_0 corresponding to the generated ek_0. One example is a process in which, in a symmetric-key cryptosystem, the owner key generation unit 603 sets ek_0 = s_G and dk_0 = ek_0.

The owner key generation unit 603 also generates the first encryption key ek_1 and the first decryption key dk_1 in the same manner as the first encryption key pair generation process of step S3161, and generates the owner certification private key sk_1 and the owner verification public key pk1 in the same manner as the owner certification key pair generation process of step S2131. The owner key generation unit 603 then defines the template T as T = (hs, Enc_0(dk_1; ek_0), Enc_0(sk_1; ek_0)).

Note that outputting s_G, dk_0, and sk is not the purpose of the key generation process, so these values do not have to be computed explicitly in the key generation process. Also, ek_0 may be discarded after the key generation process.

A specific example of the owner key restoration process corresponding to this specific example of the owner key generation process is as follows. The restored first decryption key and owner certification private key are written dk_1' and sk_1'. The owner key restoration unit 653 first restores the secret key by performing the key restoration process of the biometric cryptosystem using the key restoration biometric information x_R and the hs contained in T.

Next, the owner key restoration unit 653 restores the key decryption key using the restored secret key s_R. The owner key restoration unit 653 then uses the restored key decryption key dk_0' to apply Dec_0 to Enc_0(dk_1; ek_0) and Enc_0(sk_1; ek_0) contained in T, restoring the first decryption key dk_1 and the owner certification private key sk_1.

When x_G and x_R are sufficiently close (for example, when their distance is equal to or less than a predetermined value), s_G = s_R. In that case dk_0 = dk_0', and therefore the first decryption key and the owner certification private key are correctly restored. The owner key restoration unit 653 may verify whether the first decryption key and the owner certification private key have been correctly restored, and may abort the process if they have not. For this verification, the owner key restoration unit 653 can use, for example, the first encryption key and the owner verification public key.
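The generation and restoration steps above can be traced end to end in the following Python sketch, which is an added example and not code from the patent. It assumes a fuzzy commitment with a 5x repetition code for Gen/Rec (toy parameters chosen for brevity), an HMAC-SHA256 encrypt-then-MAC construction standing in for Enc_0/Dec_0, and random 32-byte strings standing in for dk_1 and sk_1; the MAC tag, rather than a check against ek_1 and pk1, is what detects an incorrect restoration here.

```python
import hashlib
import hmac
import secrets

REP = 5                # assumed repetition factor: corrects up to 2 bit errors per block
SECRET_BITS = 128      # assumed length of the random secret bound to the biometric
N = REP * SECRET_BITS  # length of the biometric bit vector x


def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def gen(x_g):
    """(s_G, hs) = Gen(x_G): fuzzy commitment, hs = codeword XOR x_G."""
    if len(x_g) != N:
        raise ValueError("biometric vector has the wrong length")
    k = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    codeword = [bit for bit in k for _ in range(REP)]
    hs = [c ^ x for c, x in zip(codeword, x_g)]
    return hashlib.sha256(bytes(k)).digest(), hs


def rec(hs, x_r):
    """s_R = Rec(hs, x_R): majority-decode each block, then hash."""
    if len(x_r) != len(hs):
        raise ValueError("biometric vector has the wrong length")
    noisy = [h ^ x for h, x in zip(hs, x_r)]
    k = [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, len(noisy), REP)]
    return hashlib.sha256(bytes(k)).digest()


def derive_kek(s):
    """Deterministic ek_0 = dk_0 from s (the symmetric case in the text)."""
    return _prf(s, b"ek_0")


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += _prf(key, b"stream" + nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def enc_0(plaintext, ek_0):
    """Stand-in for Enc_0(.; ek_0): nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(ek_0, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(ek_0, b"tag" + nonce + body)


def dec_0(blob, dk_0):
    """Stand-in for Dec_0: refuses to output anything if the key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(dk_0, b"tag" + nonce + body)):
        raise ValueError("restoration failed: biometric too far from enrollment")
    stream = _keystream(dk_0, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def owner_key_generation(x_g, dk_1, sk_1):
    """Return T = (hs, Enc_0(dk_1; ek_0), Enc_0(sk_1; ek_0)); s_G and ek_0 are dropped."""
    s_g, hs = gen(x_g)
    ek_0 = derive_kek(s_g)
    return hs, enc_0(dk_1, ek_0), enc_0(sk_1, ek_0)


def owner_key_restoration(template, x_r):
    """Return (dk_1', sk_1') from T and a fresh biometric reading x_R."""
    hs, wrapped_dk, wrapped_sk = template
    dk_0 = derive_kek(rec(hs, x_r))
    return dec_0(wrapped_dk, dk_0), dec_0(wrapped_sk, dk_0)


def demo():
    # Constructed sample data: random bits stand in for a biometric feature vector.
    x_g = [secrets.randbits(1) for _ in range(N)]
    dk_1, sk_1 = secrets.token_bytes(32), secrets.token_bytes(32)
    template = owner_key_generation(x_g, dk_1, sk_1)

    near = list(x_g)               # 2 flipped bits in each of 20 blocks: correctable
    for block in range(20):
        near[block * REP] ^= 1
        near[block * REP + 1] ^= 1
    restored_ok = owner_key_restoration(template, near) == (dk_1, sk_1)

    far = list(x_g)                # 3 flipped bits in one block: one secret bit decodes wrong
    for offset in range(3):
        far[offset] ^= 1
    try:
        owner_key_restoration(template, far)
        rejected = False
    except ValueError:
        rejected = True
    return restored_ok, rejected


if __name__ == "__main__":
    print(demo())
```

Only the template is stored; the repetition code used here leaks structure of x_G through hs, so a deployment would rely on one of the schemes named in the text with a properly chosen code and feature extractor.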

Note that the message presentation system 20 of this embodiment generates the keys related to the owner (that is, the owner certification private key, the owner certification public key, the first encryption key, and the first decryption key) based on the owner's biometric information. In addition to this, or instead of it, the keys related to the issuer (that is, the issuer private key and the issuer public key) may be generated based on the issuer's biometric information.

[Effects of this embodiment]
With this embodiment, the owner no longer needs to manage the owner certification private key and the first decryption key, which are the owner's own secret keys, and convenience is improved. Since these keys do not need to be stored, security is also improved. When the keys related to the issuer are generated based on the issuer's biometric information, management of the issuer's keys likewise becomes unnecessary, which improves both convenience and security.

[Other points to note]
The present invention is not limited to the examples described above and includes various modifications. For example, the above examples have been described in detail in order to explain the present invention clearly, and the invention is not necessarily limited to configurations having all of the described elements. Part of the configuration of one example can be replaced with the configuration of another example, and the configuration of another example can be added to the configuration of one example. For part of the configuration of each example, other configurations can be added, deleted, or substituted.

Each of the above configurations, functions, processing units, processing means, and the like may be realized partly or wholly in hardware, for example by designing them as integrated circuits. Each of the above configurations, functions, and the like may also be realized in software, by a processor interpreting and executing a program that realizes each function. Information such as the programs, tables, and files that realize each function can be stored in a memory, in a recording device such as a hard disk or SSD (Solid State Drive), or on a recording medium such as an IC card, SD card, or DVD.

The control lines and information lines shown are those considered necessary for the explanation, and not all control lines and information lines of a product are necessarily shown. In practice, almost all components may be considered to be interconnected.

Claims (10)

A message presentation system, comprising:
a DB that holds a first encrypted message generated by a first encryption process applied to a message using a first encryption key;
an encryption device that holds a second encryption key; and
a presentation device that holds a first decryption key corresponding to the first encryption key, wherein
the DB transmits the first encrypted message to the encryption device,
the encryption device
generates a doubly encrypted message by performing a second encryption process on the first encrypted message using the second encryption key, and
transmits the doubly encrypted message to the presentation device, and
the presentation device
generates a second encrypted message by performing a first decryption process on the doubly encrypted message using the first decryption key,
generates, based on the second encrypted message, a second encrypted message for transmission such that a function value of the message under a predetermined function can be restored with a second decryption key corresponding to the second encryption key, and
outputs the second encrypted message for transmission.

The message presentation system according to claim 1, wherein
the presentation device
holds an owner certification private key,
generates, using at least one of the owner certification private key and the second encrypted message for transmission, a presentation proof that enables a verification process using the restored function value and an owner verification public key corresponding to the owner certification private key, and
outputs the presentation proof.

The message presentation system according to claim 2, wherein
the presentation device
holds an issuance proof generated using the message and an issuer private key, and
generates, using the issuance proof, the presentation proof that enables a verification process using an issuer public key corresponding to the issuer private key.

The message presentation system according to claim 3, wherein
the message includes a plurality of message elements,
the plurality of message elements include a message element to be presented, and
the function value includes the message element to be presented.

The message presentation system according to claim 3, wherein
the message includes a plurality of message elements,
the plurality of message elements include a message element that is not to be presented, and
the function value includes a value calculated from the message element that is not to be presented.

The message presentation system according to claim 1, wherein
the first decryption key is generated based on a template generated using biometric information of a message owner and biometric information acquired again from the message owner.

The message presentation system according to claim 1, wherein
the first encryption process and the second encryption process are defined to be commutative operations on the message.

The message presentation system according to claim 1, wherein
the first encryption process and the second encryption process are defined to be operations such that, from the first encrypted message and the second encryption key, the ciphertext is obtained that results from applying the first encryption process to the ciphertext obtained by the second encryption process on the message.

The message presentation system according to claim 1, wherein
the first encryption process and the second encryption process are defined to be operations such that, from the doubly encrypted message and the first decryption key, the ciphertext obtained by the second encryption process on the message is obtained.

A message presentation method performed by a message presentation system, wherein
the message presentation system includes:
a DB that holds a first encrypted message generated by a first encryption process applied to a message using a first encryption key;
an encryption device that holds a second encryption key; and
a presentation device that holds a first decryption key corresponding to the first encryption key, and
the message presentation method comprises:
the DB transmitting the first encrypted message to the encryption device;
the encryption device generating a doubly encrypted message by performing a second encryption process on the first encrypted message using the second encryption key;
the encryption device transmitting the doubly encrypted message to the presentation device;
the presentation device generating a second encrypted message by performing a first decryption process on the doubly encrypted message using the first decryption key;
the presentation device generating, based on the second encrypted message, a second encrypted message for transmission such that a function value of the message under a predetermined function can be restored with a second decryption key corresponding to the second encryption key; and
the presentation device outputting the second encrypted message for transmission.

PCT/JP2023/045460 2023-01-24 2023-12-19 Message presentation system and message presentation method Ceased WO2024157662A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2023-008894 2023-01-24
JP2023008894A JP2024104593A (en) 2023-01-24 2023-01-24 Message presentation system and method

Publications (1)

Publication Number Publication Date
WO2024157662A1 true WO2024157662A1 (en) 2024-08-02

Family

ID=91970421

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/045460 Ceased WO2024157662A1 (en) 2023-01-24 2023-12-19 Message presentation system and message presentation method

Country Status (2)

Country Link
JP (1) JP2024104593A (en)
WO (1) WO2024157662A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS63160444A (en) * 1986-12-23 1988-07-04 Mitsubishi Electric Corp Cryptographic communication device
JP2018098739A (en) * 2016-12-16 2018-06-21 富士通株式会社 Encryption data processing method, encryption data processing device and encryption data processing program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MIYAZAKI, KUNIHIKO; SUSAKI, SEIICHI; IWAMURA, MITSURU; MATSUMOTO, TSUTOMU; SASAKI, RYOICHI; YOSHIURA, HIROSHI: "Digital Document Sanitizing Problem", IEICE TECHNICAL REPORT, vol. 103, no. 195 (2003-CSEC-22), 17 July 2003 (2003-07-17), pages 61 - 67, XP009556573 *

Also Published As

Publication number Publication date
JP2024104593A (en) 2024-08-05

Similar Documents

Publication Publication Date Title
US11799668B2 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
CN110519260B (en) Information processing method and information processing device
Jin et al. Dynamic and public auditing with fair arbitration for cloud data
US10810315B2 (en) Enabling access to data
JP6504013B2 (en) Cryptographic processing method, cryptographic processing device, and cryptographic processing program
US20090070361A1 (en) Integrity verification of pseudonymized documents
WO2018145127A1 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
US11227037B2 (en) Computer system, verification method of confidential information, and computer
US20100098246A1 (en) Smart card based encryption key and password generation and management
CN1778065B (en) Encryption method and device based on biological characteristic identity
KR20190001177A (en) Method and apparatus for authentification of user using biometric
JP7565868B2 (en) DATA MANAGEMENT SYSTEM, DATA MANAGEMENT METHOD, AND DATA MANAGEMENT PROGRAM
EP3455763B1 (en) Digital rights management for anonymous digital content sharing
CN110999254A (en) Perform cryptographic operations securely
JPWO2016072057A1 (en) Ciphertext verification system, method, and recording medium
CN113901520A (en) Data processing method, device, equipment and medium based on block chain
CN120380719A (en) Key derivation for account management
USRE49968E1 (en) Electronic identification verification methods and systems with storage of certification records to a side chain
JP2006524352A (en) Identity-based encryption method and apparatus based on biometrics
JP2014137474A (en) Tamper detection device, tamper detection method, and program
JP2015185990A (en) One-to-multiple authentication system, authentication method, and authentication program
WO2013153628A1 (en) Calculation processing system and calculation result authentication method
WO2024157662A1 (en) Message presentation system and message presentation method
CN118199884A (en) Task execution method and device based on blockchain
JP7641926B2 (en) Template management system and template management method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23918616

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE