Re-encryption key generator, re-encryption device, encryption device, decryption device, and program

US9819487B2 · US · B2

Patent metadata
Publication number: US-9819487-B2
Application number: US-201514615561-A
Country: US
Kind code: B2
Filing date: Feb 6, 2015
Priority date: Aug 8, 2012
Publication date: Nov 14, 2017
Grant date: Nov 14, 2017

Abstract

Official abstract text for this publication.

A re-encryption key generator according to an embodiment generates a re-encryption key to obtain re-encrypted data that can be decrypted by a second private key of a second user device by re-encrypting ciphertext obtained by encrypting plaintext by a first public key of a first user device without decryption. The re-encryption key generator stores a first private key corresponding to the first public key. The re-encryption key generator stores a second re-encryption key generation key of the second user device that is different from a second public key corresponding to the second private key. The re-encryption key generator generates the re-encryption key based on the first private key and the second re-encryption key generation key.

First claim

Opening claim text (preview).

The invention claimed is: 1. A re-encryption key generator device that generates a re-encryption key to re-encrypt, without decryption, ciphertext data as re-encrypted data, the re-encrypted data can be decrypted using a second private key of a second user device, and the ciphertext data being plaintext data encrypted using a first public key of a first user device, the re-encryption key generator device comprising: a first storage configured to store a first private key corresponding to the first public key, the first private key being securely obtained from the first user device, and the first public key being different from a first re-encryption key generation key of the first user device; a second storage configured to store a second re-encryption key generation key generated by the second user device, the second re-encryption key generation key being different from a second public key corresponding to the second private key, wherein the second private key decrypts plaintext data that has been encrypted using the second public key; communication circuitry configured to communicate, via a communication network, with a key generator device, which generates a public parameter and a public key and a private key, each corresponding to the re-encryption key generator device, and publishes the public key of re-encryption key generator device, and the public parameter and the second re-encryption key generation key, wherein the first and second re-encryption key generation keys are respectively different from each of the public and private keys of the re-encryption key generator device, and the first user device, which encrypts the plaintext data using the public parameter and one of the second public key and the public key of the re-encryption key generator device, and communicate the re-encryption key to re-encryption circuitry, which is configured to re-encrypt, without decryption, the ciphertext data as the re-encrypted data, and verify the ciphertext data using a plurality of fixed system values; and processing circuitry configured to generate the re-encryption key using the first private key and the second re-encryption key generation key, wherein the first public key is generated based on the first private key and the plurality of system fixed values, the second public key is generated based on the second private key and the plurality of system fixed values, and the second re-encryption key generation key is generated using the second private key, a random number, and the plurality of system fixed values, the second re-encryption key generation key being different from the second public key, and the second re-encryption key generation key is communicated to the re-encryption key generator device when re-encryption of the ciphertext data as re-encrypted data is authorized by the second user device.

2. The re-encryption key generator device according to claim 1, wherein when the first private key is represented by $sk_i=(x_i,y_i,z_i)$, the second private key is represented by $sk_j=(x_j,y_j,z_j)$, the plurality of system fixed values are represented by $g$, $g_1$, and $g_2$ (where $g, g_1, g_2 \in G$ when bilinear map groups as groups of an order $p$ for which a bilinear map $e: G \times G \to G_T$ exists are represented by $G$, $G_T$), and the first public key is represented by $pk_i$, the first public key $pk_i$ contains data $X_i$, $Y_{1i}$, $Z_i$, $Z_{1i}$ (where $X_i=g^{x_i}$, $Y_{1i}=g_1^{y_i}$, $Z_i=g^{z_i}$, $Z_{1i}=g_1^{z_i}$), when the second public key is represented by $pk_j$, the second public key $pk_j$ contains data $X_j$, $Y_{1j}$, $Z_j$, $Z_{1j}$ (where $X_j=g^{x_j}$, $Y_{1j}=g_1^{y_j}$, $Z_j=g^{z_j}$, $Z_{1j}=g_1^{z_j}$), when the random number related to the second re-encryption key generation key is represented by $\pi$, a value based on the random number $\pi$ and the system fixed value $g$ is represented by $g_3$, the value based on the random number $\pi$ and the system fixed value $g_1$ is represented by $g_4$, the value based on the random number $\pi$ and the system fixed value $g_2$ is represented by $g_5$ (where $g_3=g^{\pi}$, $g_4=g_1^{\pi}$, and $g_5=g_2^{\pi}$), and the second re-encryption key generation key is represented by $rk_j$, $rk_j=(X_{3j},Y_{5j})$ holds (where $X_{3j}=g_3^{x_j}$, $Y_{5j}=g_5^{y_j}$), when the plaintext data is represented by $m$ (where $m \in G_T$), the random number related to the ciphertext data is represented by $r$, and the ciphertext data is represented by $C_i$ (where the bilinear map $e: G \times G \to G_T$ is represented by $e(,)$), the ciphertext data $C_i$ contains data $C_{2X}$, $C_{2Y}$, $C_{2Z}$, $C_{2Z1}$, $C_3$ (where $C_{2X}=X_i^{r}$, $C_{2Y}=Y_{1i}^{r}$, $C_{2Z}=Z_i^{r}$, $C_{2Z1}=Z_{1i}^{r}$, $C_3=e(g_4 g_5,g)^{r} \cdot m$), when the random number related to the re-encryption key is represented by $\theta$, an exponent related to the system fixed values $g$, $g_2$ is represented by $\beta$ (where $g_2=g^{\beta}$), and the re-encryption key is represented by $R_{ij}$, $R_{ij}=(R_{ij1},R_{ij2},R_{ij3})$ holds (where $R_{ij1}=(X_{3j} \cdot g_3^{\theta})^{1/x_i}=g^{\frac{\pi(x_j+\theta)}{x_i}}$, R ij2 = ( Y 5

Classifications

  • Key scheduling, i.e. generating round keys or sub-keys for block encryption

  • Proxy, i.e. using intermediary entity to perform cryptographic operations

  • Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

  • H04L9/0869 (primary): involving random numbers or seeds

  • involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Toshiba Kk, Toshiba Solutions Corp
What technology area does this patent fall under?
Primary CPC classification H04L9/0869. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 14, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).