In recent years, methods of use have become widespread in which file servers on the Internet store electronic data (hereinafter simply referred to as data) and various devices (for example, a notebook PC (Personal Computer), a tablet terminal and a smart phone) access the file servers and use the data.
Such use methods of data are highly convenient, but they involve a risk that an unintended third party on the Internet may view the data. Therefore, information security measures, such as encryption and access control, are essential for confidential data.
When a file encryption system is operated for a long period of time, there is a problem that the cipher strength deteriorates (imperilment) through continuous use of the same cryptographic key (a pair of a public key and a secret key in the case of public key encryption).
The problem of imperilment is dealt with, in many cases, by regenerating encryption keys periodically and re-encrypting the encrypted data.
For example, in the case of PKI (Public Key Infrastructure), a term of validity is set for a public key certificate, and the key is regenerated and the public key certificate is updated before the term of validity is reached.
Similarly, in a file encryption system, in order to prevent the cipher strength from deteriorating due to use of the same cryptographic key for a long period of time, an operation of updating the encryption key periodically is necessary (the periodic update of an encryption key is called master key update).
There are several methods of master key update. For example, in the case of RSA (registered trademark) encryption, all key pairs are regenerated, and all encrypted data is re-encrypted.
In this method, since the encrypted data is decrypted once, there is a security issue. In addition, a great amount of time is required to decrypt and re-encrypt all the stored encrypted data, and the processing cost is extremely high.
In the case of ID (Identifier)-based encryption, a master key is regenerated, and all encrypted data is re-encrypted.
In the case of ID-based encryption, in order to prevent the contents of the encrypted data from leaking, it is necessary to execute re-encryption while the encrypted data remains encrypted.
As an encryption technique that provides both complex access control and encryption, there exists an encryption technique called a functional encryption scheme, described in Patent Literature 1.
The functional encryption scheme is a type of public key cryptosystem.
Unlike RSA (registered trademark) encryption, which is currently the mainstream, the functional encryption scheme enables encrypted data to be decrypted with a decryption key, restoring the data, when a prescribed relation is established between a parameter set at the time of encrypting the data (hereinafter referred to as a decryption condition) and a parameter set for the decryption key (hereinafter referred to as attribute information).
For example, a logical formula such as “department=general affairs department AND section=personnel section” is set as a decryption condition at the time of encrypting data, and “department=general affairs department, section=accounting section” is set for a decryption key as attribute information representing a holder of the decryption key.
Then, decryption of the encrypted data is possible only when the relation between the decryption condition set at the time of encrypting the data and the attribute information set for the decryption key is true.
Hereinafter, encrypted data and a decryption condition are collectively called an encrypted file.
As a method for changing a decryption condition while an encrypted file that has been encrypted in a functional encryption scheme remains encrypted, there is the method described in Non-patent Literature 1.
The scheme described in Non-patent Literature 1 is referred to as a proxy re-encryption scheme.
In the proxy re-encryption scheme, by using a key for re-encryption referred to as a re-encryption key, it is possible to change a decryption condition without decrypting the encrypted file.
However, the scheme described in Non-patent Literature 1 is inefficient, so that re-encryption can be executed only one to a few times in practice.
Therefore, in the scheme of Non-patent Literature 2, efficiency is improved over the scheme of Non-patent Literature 1, so that there is no practical limit on the number of re-encryptions.
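The idea of updating a key while the data remains encrypted can be illustrated with the following added example, which is not taken from this document or from the cited literature. It uses the ElGamal-style proxy re-encryption of Blaze, Bleumer and Strauss (1998) as a simple stand-in for the functional-encryption schemes discussed above, with a toy group constructed for illustration; all function names are hypothetical.

```python
import secrets

# Toy group (constructed for illustration, far too small for real use):
# safe prime P = 2*Q + 1, and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1            # secret exponent in [1, Q-1]
    return sk, pow(G, sk, P)                     # (secret key, public key)

def encrypt(pk, m):
    k = secrets.randbelow(Q - 1) + 1             # fresh randomness per message
    return (m * pow(G, k, P)) % P, pow(pk, k, P) # (m*g^k, g^(sk*k))

def decrypt(sk, ct):
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)              # remove sk from the exponent
    return (c1 * pow(gk, -1, P)) % P

def rekey(sk_old, sk_new):
    # Re-encryption key sk_new/sk_old mod Q. This simple scheme is
    # bidirectional and needs both secrets to derive the key.
    return (sk_new * pow(sk_old, -1, Q)) % Q

def reencrypt(rk, ct):
    # The proxy only touches the key-dependent part: g^(old*k) -> g^(new*k).
    # The payload component c1 is never decrypted or modified.
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def rotate_n_times(m, n):
    """Encrypt m once, apply n successive key updates, decrypt with the last key."""
    sk, pk = keygen()
    ct = encrypt(pk, m)
    for _ in range(n):
        sk_new, _ = keygen()
        ct = reencrypt(rekey(sk, sk_new), ct)
        sk = sk_new
    return decrypt(sk, ct)
```

The plaintext is never exposed during `reencrypt`, and the update can be repeated any number of times, which is the property the master key update described above requires.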