A file sharing system in which a user uploads a file to a server device, and the file is shared by a plurality of users has been known. In addition, a method using a proxy re-encryption scheme to keep the shared file secret has been known.
FIG. 4 is a schematic diagram for illustrating the proxy re-encryption scheme. Users A and B of the file sharing system each have a different pair of a private key sk and a public key pk (hereinafter also referred to as a “key pair”). A terminal of user U, who uploads file D to be shared, encrypts file D with a public key (hereinafter referred to as a “group public key”) pkGr of an entity managing a group in which file D is to be shared (hereinafter referred to as a “group manager Gr”) (ST1). The encrypted file E (pkGr,D) obtained by the encryption is uploaded from the terminal of user U to a server device 1 (ST2), and stored in the server device 1. The server device 1 may be a cloud storage.
When user A obtains file D stored in the state of encrypted file E (pkGr,D), the server device 1 re-encrypts the encrypted file E (pkGr,D) based on a re-encryption key rkGr→A for user A (ST3), and transmits the obtained re-encrypted file E (pkA,D) to (the terminal of) user A (ST4).
The terminal of user A decrypts the received re-encrypted file E (pkA,D) based on a private key skA of user A, and obtains file D.
The re-encryption key rkGr→A is a key created by the group manager Gr based on a private key skGr of the group manager Gr and a public key pkA of user A. With the re-encryption key rkGr→A, the encrypted file E for the group manager Gr (pkGr,D) can be converted into the encrypted file E for user A (pkA,D) without being decrypted. Here, Gr, which is the left member of the subscript of the re-encryption key rkGr→A, is called a “source of conversion,” and A, which is the right member of the subscript, is called a “target of conversion.” The above explanation applies when “user A” is replaced with “user B,” and “A” in the subscript is replaced with “B.” Similarly, “file D” may be replaced with “data D.”
When an encryption technology is used, a mechanism for updating a key is necessary as preparation for a leak or loss of a key, or developments in cryptographic technology, etc. The same applies to the case where the proxy re-encryption scheme is used.
When user A or B, or the group manager Gr updates a key (key pair) in a file sharing system using the proxy re-encryption scheme, the following measures need to be taken in response to the updating of the key. Referring to the time of updating the key, the key before the update time is called an “old key,” and the key after the update time is called a “new key.”
(1) Convert data encrypted by the old key to be undecryptable with the old key and decryptable with the new key.
(2) Update the re-encryption key corresponding to the old key.
Measure (1) corresponds to the case where the key (pkGr, skGr) of the group manager Gr is updated in the example shown in FIG. 4. The encrypted file E (pkGr,D) obtained by encryption with the old group public key pkGr needs to be undecryptable with the old key (skGr) of the group manager Gr, and decryptable with the new key (skGr′). Therefore, a conceivable method is to decrypt once, with the old key skGr, the encrypted file E (pkGr,D) obtained by encryption with the old key pkGr, and encrypt the obtained file D with the new key (pkGr′).
However, this method can be performed only by a user who can perform decrypting with the old key, i.e., the group manager Gr. Therefore, the group manager Gr needs to download all the encrypted files and decrypt them with the old key, re-encrypt, the obtained files D with the new key, and re-upload them. When the data amount of the encrypted files is huge, this method is not realistic because of inconveniences such as an increased load on the user as the group manager Gr, and an excessive communication time.
Another conceivable method is to use a re-encryption function of the proxy re-encryption scheme to re-encrypt the key that encrypts data from the old key to the new key. The proxy re-encryption scheme is described in non-patent literature 1 (Hayashi, et al., “Unforgeability of Re-Encryption Keys against Collusion Attack in Proxy Re-Encryption”, IWSEC 2011, LNCS 7038, pp. 210-229, 2011; hereinafter referred to as “non-patent literature 1”). However, the proxy re-encryption scheme of non-patent literature 1 is a scheme capable of only one re-encryption. Therefore, if a key is re-encrypted by this scheme, the inconvenience of disabling an encrypted file from being re-encrypted or that of disabling a key from being updated twice or more is caused.
Measure (2) includes the case where the key of user A, who is the target of conversion of the re-encryption key, is updated, and the case where the key of the group manager Gr, who is the source of conversion of the re-encryption key, is updated in the example shown in FIG. 4.
In the former case, all the re-encryption keys whose target of conversion is user A need to be re-created based on the new key. In this case, the group manager Gr creates one re-encryption key for user A and re-uploads it to the server. If there is an encryption key for user A from another group which is not shown, the group manager Gr of that group creates one re-encryption key for user A and re-uploads it to the server device 1. Accordingly, each group manager Gr may generate one re-encryption key and re-upload it.
In the latter case, all the re-encryption keys whose source of conversion is the group manager Gr need to be re-created based on the new key. This process can be performed only by a user who has a new private key, i.e., the group manager Gr. Therefore, the group manager Gr needs to re-create all re-encryption keys and re-upload them to the server device 1. If the number of re-encryption keys is large, it causes an inconvenience of placing a burden on the user as the group manager Gr.
Accordingly, the embodiments are intended to provide a data management device, system, re-encryption device, data sharing device, and storage medium that can reduce the load on a user when updating encrypted data and an re-encryption key in accordance with update of a key of the user in a proxy re-encryption scheme.