In a file sharing system in which a user uploads a file onto a server and that file is shared by a plurality of users, the following three methods (1) to (3) are used to maintain the secrecy of the file with respect to the server.
(1) An individual key system for encrypting a file by means of an individual encryption key for each user.
(2) A common key system for encrypting a file by means of an encryption key common to respective users.
(3) A re-encryption system for encrypting a file using a proxy re-encryption system.
In the systems (1) to (3), assume that a user A uploads a file onto a server, and the user A shares the file with users B and C.
In the individual key system (1), each user has a pair of a private key and public key, which are different for each user. The user A encrypts a file by means of a public key of the user B, and uploads the encrypted file onto the server. Note that the public key of the user B is an individual encryption key for the user B. Likewise, the user A encrypts a file by means of a public key of the user C, and uploads the encrypted file onto the server. The public key of the user C is an individual encryption key for the user C. That is, the user A encrypts a file individually for the users who share that file.
In the common key system (2), each user shares a pair of a private key and public key, which are common to the respective users. The user A encrypts a file by means of a public key (as an encryption key common to the respective users), and uploads the encrypted file onto the server. The respective users share an identical private key.
In the proxy re-encryption system (3), each user has a pair of a private key and public key, which are different for respective users like in the individual key system (1). However, unlike in the individual key system (1), the user A need only encrypt a file by means of a public key (to be referred to as a group public key hereinafter) of an entity (to be referred to as a group administrator hereinafter) who manages a group of users. The server re-encrypts the encrypted file (uploaded by the user A) based on a re-encryption key. By the re-encryption, an encrypted file which can be decrypted by each user is generated. Details of the proxy re-encryption system will be described later.
In the individual key system (1), when a file is to be shared also by a new user D, the user A has to encrypt the file by means of a public key of the user D and upload the encrypted file onto the server, which poses a problem. Note that the public key of the user D is an individual encryption key for the user D. Therefore, the system (1) is not suitable for the file sharing system, since troublesome processing is required when adding a new user if the number of new users or the number of files to be shared is large.
In the common key system (2), when the file sharing permission for a certain user is canceled from a certain point in time (to exclude that user from the file sharing system), a mechanism for updating the private key and public key common to the respective users is additionally required, which poses a problem. Furthermore, if the private key common to the respective users has leaked for some reason, a person who acquires the leaked private key can decrypt all encrypted files, which poses another problem. For these reasons, the common key system (2) is not suitable for the file sharing system.
On the other hand, in the proxy re-encryption system (3), the server uses a re-encryption key to re-encrypt one ciphertext into ciphertext that each user can decrypt, and a configuration which does not notify the users of the re-encryption key is adopted, thus solving the aforementioned problems. For this reason, the proxy re-encryption system (3) is suitable for the file sharing system.
However, in the proxy re-encryption system (3), when the server and users collude, a decryption right is re-delegated. More specifically, when the server and users B and E collude, an authentic re-encryption key (rkA→E) required to re-encrypt ciphertext for the user A into ciphertext for the user E is generated without the permission of the user A, using a re-encryption key (rkA→B) required to re-encrypt ciphertext for the user A into ciphertext for the user B, a private key (skB) of the user B, and a private key (skE) of the user E.
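The re-delegation described above can be checked on a concrete scheme. The following is an added illustration, not part of the original text: it assumes the classic ElGamal-style construction of Blaze, Bleumer and Strauss (the text names no concrete scheme), in which rkA→B = skB / skA, and it uses a constructed toy group that is far too small for real use. All function names are hypothetical.

```python
# Added illustration: toy ElGamal-style proxy re-encryption (BBS98 form).
# Assumption: the text names no scheme; toy-sized parameters, not secure.
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has order Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1            # private key in [1, Q-1]
    return sk, pow(G, sk, P)                     # (sk, pk = G^sk)

def encrypt(m, pk):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)  # (m*G^r, G^(sk*r))

def rekey(sk_from, sk_to):
    return (sk_to * pow(sk_from, -1, Q)) % Q     # rk = sk_to / sk_from mod Q

def reencrypt(ct, rk):
    c1, c2 = ct
    return c1, pow(c2, rk, P)                    # server sees neither m nor any sk

def decrypt(ct, sk):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)             # recover G^r
    return (c1 * pow(g_r, -1, P)) % P

def colluded_rekey(rk_a_b, sk_b, sk_e):
    # Server contributes rkA->B; users B and E contribute skB and skE.
    # rkA->B * skE / skB = skE / skA, i.e. a valid rkA->E without user A.
    return (rk_a_b * pow(sk_b, -1, Q) * sk_e) % Q

def demo():
    sk_a, pk_a = keygen()
    sk_b, _ = keygen()
    sk_e, _ = keygen()
    ct = encrypt(1234, pk_a)                     # user A's upload
    rk_a_b = rekey(sk_a, sk_b)                   # delegation A authorised
    rk_a_e = colluded_rekey(rk_a_b, sk_b, sk_e)  # delegation A never authorised
    m_b = decrypt(reencrypt(ct, rk_a_b), sk_b)
    m_e = decrypt(reencrypt(ct, rk_a_e), sk_e)
    return m_b, m_e, rk_a_e == rekey(sk_a, sk_e)
```

The colluded key equals the key the user A would have issued for the user E, so the server cannot distinguish it from an authentic one. This is the property a collusion-resistant re-encryption key generator has to rule out.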
To solve this problem, an object of the present invention is to provide a re-encryption key generator, re-encryption apparatus, and program with which a re-encryption key cannot be generated without the permission of the transfer source even when the server and users collude.