JP2002374236A - Encryption data deliverying system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encryption data delivery system, where data resulting from digitalizing contents which are works, such as movies are stored in a large-capacity medium such as a digital optical disk, particularly designated terminals among all terminals cannot acquire the original data but all other terminals can acquire the original data completely. SOLUTION: The encryption data delivery system is provided with two kinds of encryption sections: one uses tree structure division method and the other uses secret dispersion method. Those two methods are used, in such a way that when the number of the invalidated terminals is within the permissible range of the secret dispersion method, the secret dispersion method is selected; or when the number of the invalidated terminals exceeds the permissible range or a lot of invalidated terminals take place, the tree structure division method is used.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for storing digitized data of a copyrighted content such as a movie on a large-capacity medium such as a digital optical disk, so that data can be completely acquired only at a specific terminal. The present invention relates to an encrypted data delivery system in which original data cannot be obtained at a certain specified terminal among all terminals.

[0002]

2. Description of the Related Art In recent years, as storage media have become larger in capacity, systems for digitizing literary contents such as movies and storing and distributing them to media such as digital optical disks have become widespread. In such a system, the copyright of the content is protected, and it is necessary that the reproduction or duplication of the content is executed only under the restriction by agreement with the copyright holder.

A general system for protecting a copyrighted work from unauthorized copying or the like without the permission of the copyright holder encrypts digital contents with an encryption key managed by the copyright holder, records the encrypted digital contents on a disk, A mechanism is provided such that only a terminal having a corresponding decryption key can decrypt it.
In order to obtain the decryption key, a provision for copyright protection is obligated with the copyright holder.

As an example of such a system, "Nation
al Technical Report Vol. 43, No. 3, p. 118-p. 122 "
(Matsushita Electric Industrial Co., Ltd.
(Published on the 18th) discloses a DVD copyright protection system.

In this case, the decryption key of the terminal needs to be strictly managed so as not to be exposed to the outside, but the decryption key of a certain terminal may be exposed to an unauthorized person due to some accident or incident. Maybe. Once a device's decryption key has been exposed to an unauthorized person, the unauthorized person can use this to decrypt the content and escape restrictions imposed by the copyright holder, Alternatively, it is conceivable to create software and distribute it via the Internet or the like.

[0006]

In such a case, the copyright holder wants to make it impossible for a specific terminal to which the decryption key has been exposed to be decrypted from the content to be provided next. However, in this DVD copyright protection system, since a common master key is assigned to a plurality of terminals as a decryption key, it is not possible to exclude only specific terminals that have been illegally exposed. Once the decryption key is exposed, the master key is updated so that terminals can be eliminated in groups of a plurality of terminals. However, this causes a problem that other terminals to which a common master key with the terminal to be revoked is also revoked.

[0007] In order to solve the above problem, instead of assigning a common master key to a plurality of terminals, it is also possible to individually assign a master key to each terminal. However, in that case, the master key is required for the total number of terminals,
For example, in the case of a system in which the total number of terminals in the world is considered to be hundreds of millions, there is a problem that the amount of encrypted data to be stored in a medium becomes enormous.

In addition, Japanese Patent Application Laid-Open No. 09-212089 discloses a method of excluding only a specific terminal and sharing secret information (key) with the remaining terminals. This method applies a secret sharing method, and obtains secret information from shared information held by itself and shared information sent from a center. By sending shared information of a terminal to be invalidated to all terminals, the secret sharing method is used. This is a method in which secret information is shared by all terminals except the terminal to be invalidated. However, in this method, the secret information can be used only once, and in order to perform the invalidation a plurality of times, the shared information is secretly updated by assuming a tamper-resistant area, or a plurality of the secret information and the shared information are previously stored. If a plurality of pieces of information that need to be prepared and can be realized relatively easily are prepared in advance, there is a problem that the number of terminals that can be invalidated after system operation starts is limited.

Patent No. 3074164 “Exclusive key agreement method”
Is a method in which shared information can be repeatedly used, but there is a problem that the amount of calculation for sharing secret information in a terminal is large.

References (1) Nakano, Omori, Tatebayashi, “Key Management Method for Protecting Digital Contents”, Symposium on Cryptography and Information Security 2001, SCIS2001 5A-5, Jan. Two
001 describes an invalidation method using a tree structure, and it is also required to further reduce the amount of encrypted data stored in a medium.

Therefore, the present invention solves the above-mentioned problems, and eliminates only a specific terminal that has been illegally exposed without restriction on the number of terminals.
It is another object of the present invention to provide an encrypted data delivery system capable of playing back contents and the like while reducing the amount of encrypted data stored in a recording medium.

[0012]

In order to solve the above-mentioned conventional problems, the present invention provides a data encryption device for encrypting data, a data recording medium for recording the encrypted data, and a data recording medium. An encrypted data delivery system comprising a plurality of data decryption devices for decrypting encrypted data read from a recording medium and a key setting device for setting an encryption key for the encryption and a decryption key for the decryption. The key setting device includes a tree structure key setting device and a secret sharing key setting device. In the system preparation phase, the tree structure key setting device connects the plurality of data decryption devices to a lowest layer node. One or more encryption keys are assigned to each node of the tree structure corresponding to the first predetermined method, and the plurality of data decryption devices include one or more decryption keys corresponding to the encryption keys. To 2 in the predetermined method, and further, in the operation phase of the system, the tree-structured key setting device determines, from among the one or more encryption keys, information identifying one or more data decryption devices to be invalidated. One or more encryption keys identified by the predetermined method of 3,
Key specification information for specifying the encryption key is set in the data encryption device, and the secret sharing key setting device sets one or more encryption keys to a fourth predetermined Method, generating a plurality of pieces of shared key information from the encryption key, the plurality of data decryption devices,
A plurality of decryption keys corresponding to the encryption keys are assigned by a fifth predetermined method, and in the operation phase of the system, among the one or more encryption keys generated by the secret sharing key setting device, the key is invalidated. One or more encryption keys specified by a sixth predetermined method from information specifying one or more data decryption devices to be provided and key identification information for identifying the encryption key to the data encryption device. Setting, the data encryption device encrypts data using the encryption key set by the third or sixth, or both predetermined methods by the key setting device, and the encrypted data recording medium The encrypted data and the data decryption device, together with key identification information for identifying the encryption key that encrypted the data, and the data decryption device encrypts the encrypted data from the encrypted data recording medium. The encryption data and the key identification information are extracted, a decryption key corresponding to the encryption key is identified from the encryption data, and the encryption data is decrypted using the decryption key.

Further, in the present invention, the tree structure key setting device includes a tree structure construction means for constructing a tree structure for assigning the encryption key in a system preparation phase, Constructs one tree structure so that the lowest layer node corresponds to the data decryption device, and the first predetermined method in which the tree structure key setting device assigns the encryption key is as follows: In the data decoding device corresponding to the node of the lowest layer that reaches by branching, the node where the data decoding device to be invalidated is in the invalidation state, and in all nodes except the lowest layer of the tree structure, A method of assigning an encryption key corresponding to node revocation information indicating a revocation state of a node of one lower layer connected to each node, wherein the tree structure key setting device comprises a plurality of decryption data devices. Assigning a decryption key to the second
Is a decryption key corresponding to a plurality of encryption keys assigned to each node located on the path from the lowest layer node to the highest layer corresponding to each data decryption device, It is a method of assigning a decryption key corresponding to node revocation information indicating that the data decryption device has not been revoked.

In the present invention, the third predetermined method in which the tree structure key setting device specifies an encryption key for encrypting data in an operation phase of a system includes branching from each node. Among the encryption keys assigned by the tree structure key setting device, at the node where the data decryption device to be invalidated exists in the data decryption device corresponding to the lowest layer node that arrives at It is a method of selecting an encryption key corresponding to node revocation information.

Further, in the present invention, the secret sharing key setting device includes a secret information generation storage unit for generating and storing an encryption key in a system preparation phase, wherein the secret information generation storage unit stores the encryption key. Is a method of generating an encryption key and defining an n-dimensional (n ≧ 1) polynomial corresponding to the encryption key, wherein the secret sharing key The fifth predetermined method in which the setting device allocates a decryption key to the plurality of decryption data devices, the encryption method stores the secret information in the secret information generation storage unit based on information unique to the plurality of data decryption devices. Generates a plurality of pieces of shared key information based on the polynomial, and generates the shared key information,
Only when n or more pieces of shared key information are gathered, an original encryption key can be obtained, and a decryption key corresponding to the shared key information is assigned to the corresponding data decryption device. Features.

Further, the present invention is characterized in that the secret sharing key setting device sets an encryption key corresponding to each number of data decryption devices to be invalidated.

Further, the present invention provides the secret sharing key setting apparatus, wherein in the operation phase of the system, the sixth predetermined method for specifying an encryption key for encrypting data includes the steps of: A method of selecting an encryption key corresponding to the number of devices, and further setting all the shared key information assigned to one or more data decryption devices to be invalidated as key identification information in the data encryption device. It is characterized by the following.

Further, the present invention provides a tree structure constructing section,
Instead of constructing only one tree structure for allocating the encryption key, a plurality of tree structures are constructed, and each lower-layer node of the plurality of tree structures corresponds to the data decryption device. It is characterized by constructing a structure.

Further, the present invention provides a data encryption device, comprising:
2. The encrypted data delivery system according to claim 1, wherein a decision is made as to which one of a sixth method, a sixth method, or both methods is used.

According to the present invention, the encrypted data and key identification information for identifying the encryption key are delivered to each data decryption device using a communication medium instead of a data recording medium. It is characterized by.

According to the present invention, in a data encryption apparatus, a data key of a random number is generated instead of encrypting data using the plurality of encryption keys, and the data is generated using the plurality of encryption keys. A key is encrypted, and the data is encrypted using the data key.

[0022] Also, the present invention provides a method for recording only the key identification information using a key identification information recording device instead of recording the encrypted data and the key identification information using a data encryption device. Recording on a recording medium, the user data encryption device extracts the key identification information recorded by the key identification information recording device from the encrypted data recording medium, identifies an encryption key therefrom, and uses this. Data is encrypted, and the encrypted data is recorded on the encrypted data recording medium.

[0023]

FIG. 1 is a block diagram of an encrypted data delivery system according to the present invention. The solid line in the figure indicates the flow of information in the system preparation phase, and the broken line indicates the flow of information in the system operation phase.

This is because a data encryption device 101 for encrypting digital data content, a plurality of recording media on which the content encrypted by the data encryption device 101 is recorded, for example, a digital optical disk 102, A plurality of data decryption devices 103 for decrypting and outputting the encrypted content of the optical disc 102, preparing an encryption key in a system preparation phase and assigning a decryption key to the data decryption device 103, and further in a system operation phase The data encryption device 101 comprises a key setting device 104 for setting an encryption key and key identification information.

When the encrypted data distribution system is used for copyright protection, a copyright protection management system for separately managing copyright protection is provided with a key setting device.
It operates 104 and the data encryption device 101. The data decoding device 103 is provided in a general terminal or a reproducing device. When the copyright protection management system recognizes that a specific data decryption device provided in a terminal or a playback device has been tampered with or that the decryption key data stored inside has been exposed, the key setting device 104 is used. Activate the key setting device 1
In step 04, an encryption key is set in the data encryption device 101 so that the function of the data decryption device is invalidated and the newly generated content recorded on the digital optical disk 102 cannot be decrypted by the data decryption device. The copyright protection management system exists independently of the present invention, and a detailed description thereof will be omitted.

As shown in FIG. 2, the data encryption device 101
Is a first encryption unit 201 that encrypts content data with a randomly generated content key, and a second encryption unit 202 that encrypts the content key with an encryption key of the tree structure division method
A third encryption unit 203 that encrypts the content key with the encryption key of the secret sharing method, and a first encryption key that stores the encryption key of the tree structure division method set by the key setting device 104 A storage unit 204, a second encryption key storage unit 205 for storing an encryption key of the secret sharing method set by the key setting device 104, and decryption by the data decryption device 103 also set by the key setting device 104. A key identification information storage unit 206 for storing information for determining a key; a random number generator 207 for generating a content key; and a second encryption unit 202 based on information of the key identification information storage unit 206.
Alternatively, an encryption unit selection unit 208 for selecting one of the third encryption units 203 is provided. In the figure, a broken line indicates the flow of the encrypted content, a broken line indicates the flow of the encrypted content key, and the dotted line indicates the flow of the key specifying information. Here, the tree structure division method and the secret sharing method are described in the first embodiment and the second embodiment.
A specific example will be shown in the embodiment.

As shown in FIG. 3, the data decoding device 103
First decryption section 301 that decrypts the content with the content key
A second decryption unit 302 that decrypts the content key with a decryption key for each data decryption device 103;
, A decryption key determination unit 303 that determines or calculates a decryption key to be used from a plurality of decryption key information of the data decryption device 103, and a key identification information extraction unit that extracts key identification information from the digital optical disc 102 And a decryption key information storage unit 305 for storing decryption key information assigned by the key setting device 104 for the tree structure division method and the secret sharing method. Note that the decryption key information is information for calculating the decryption key itself or the decryption key. In the figure, a broken line indicates the flow of the encrypted content, a broken line indicates the flow of the encrypted content key, and the dotted line indicates the flow of the key specifying information. Here, the setting of the encryption key, the decryption key, and the key identification information by the key setting device 104 will be described in detail in <Key setting in system preparation phase> described later.

<Data Encryption in System Operation Phase> First, the operation of the data encryption device 101 having the above configuration will be described below with reference to FIG. (1) A random number is generated by a random number generator 207 provided in the data encryption device 101 and is used as a content key. Using this content key, the first encryption unit 201 encrypts the content. As the encryption algorithm, for example, DES encryption is used. (2) The encryption unit selection unit 208 determines whether the second encryption unit 202 or the third encryption unit 203 is based on the key identification information set in the key identification information storage unit 206 by the key setting device 104. Select either one. For example, if the most significant bit of the key specifying information indicates “0”, the second encrypting unit 202 is determined.
Is selected. (3) When the second encryption unit 202 is selected, the first encryption key storage unit 204 uses one or more encryption keys received from the key setting device 104 and stored, Second encryption unit 202
Encrypts each content key. (4) When the third encryption unit 203 is selected, the second encryption key storage unit 205 uses one or more encryption keys received and stored from the key setting device 104, Third encryption unit 203
Encrypts each content key. (5) The content encrypted by the first encryption unit 201 (hereinafter, referred to as encrypted content) and the second encryption unit 202
Alternatively, the content key encrypted by the third encryption unit 203 (hereinafter, referred to as an encrypted content key) and a key to be used by the data decryption device 103 held by the key identification information storage unit 206 to determine the decryption key. The key specifying information is stored on the digital optical disc 102 in a predetermined format. <Data Decoding in System Operation Phase> Next, the operation of the data decoding device 103 having the above configuration will be described below with reference to FIG. (1) The key specifying information extracting unit 304 extracts key specifying information stored in the digital optical disc 102 in a predetermined format. (2) The decryption key determination unit 303, based on the plurality of decryption key information stored in the decryption key information storage unit 305 previously received from the key setting device 104 and the key identification information extracted in (1) above, The corresponding decryption key is specified or calculated. (3) The second decryption unit 302 decrypts the encrypted content key using the decryption key determined in this way. (4) The first decryption unit 301 decrypts the encrypted content using the content key decrypted in this way to obtain a predetermined content. The content data obtained in this way expands the compressed state to an uncompressed state,
The audio / video signal is reproduced by being converted into an analog AV signal by the A-converter. However, since this reproduction method is general, its description is omitted. <Key setting> The key setting device 104 prepares an encryption key in the system preparation phase and the data decryption device 103
A method for allocating decryption key information to the data and a method for determining and setting an encryption key used in the data encryption device 101 in the system operation phase will be described with reference to FIGS. 4, 5, and 6. FIG. The broken line in the figure indicates the flow of the encryption key and the key identification information, and the solid line indicates the flow of the decryption key assignment.

As shown in FIG. 4, the key setting device 104 includes a tree structure key setting device 401 for setting an encryption key and a decryption key according to the tree structure division method, and sets an encryption key and a decryption key according to the secret sharing method. And a secret sharing key setting device 402 to perform the setting. As shown in FIG.
The tree structure key setting device 401 includes a tree structure construction unit 501, a tree structure storage unit 502, an encryption key assignment unit 503, and a decryption key assignment unit 504.
, An invalidated terminal information storage unit 511, a tree structure update unit 512,
An encryption key setting unit 513 and a key specifying information setting unit 514 are provided.
As shown in FIG. 6, secret sharing key setting apparatus 402 includes secret information generation / storage section 601, shared key information generation section 602, decryption key allocation section 603, invalidated terminal information storage section 611, encryption A key setting unit 612 and a key specifying information setting unit 613 are provided. <Key Setting in System Preparation Phase> First, the operation of the tree structure key setting device 401 will be described below with reference to FIG. The following method will be described in detail in <Specific Example of Tree Structure Division Method> described later. (1) The tree structure construction unit 501 uses n for assigning an encryption key.
The branch tree data structure is constructed so that different data decoding devices 103 correspond one-to-one to the nodes of the lowest layer, and stored in the tree structure storage unit 502. Here, n is an integer of 2 or more. FIG. 7 is an example of a quadtree. In the figure, the data decoding device 103 corresponding to the lowest layer node is described as being provided in each terminal. (2) The encryption key assignment unit 503 assigns one or more encryption keys to nodes of the n-ary tree stored in the tree structure storage unit 502. (3) For the node of the n-ary tree to which the encryption key is assigned,
The decryption key allocation unit 504 allocates a plurality of appropriate decryption keys to each data decryption device 103. Next, the operation of secret sharing key setting apparatus 402 will be described below with reference to FIG. The method described below will be described in detail in <Specific Example of Secret Sharing Method> described later. (1) The secret information generation / storage unit 601 randomly generates secret information including an encryption key and stores it. (2) The shared key information generation unit 602 includes a secret information generation unit / storage unit 60
From the secret information stored in 1, the data decryption device 103 generates shared key information for determining a decryption key. (3) The decryption key allocating unit 603 allocates an appropriate plurality of decryption keys to each data decryption device 103 using the generated shared key information as a decryption key. <Key setting in system operation phase> The tree structure key setting device 401 and the secret sharing key setting device 402 determine the encryption key to be used for encrypting the content key as shown below in the operation phase of the encrypted data distribution system. I do.

First, the operation of the tree structure key setting device 401 will be described with reference to FIG.
This will be described below with reference to FIG. The method described below will be described in detail in <Encryption / Decryption Method of Tree Structure Partitioning Method in System Operation Phase> described later. (1) If the copyright protection management system recognizes that a specific data decryption device to be provided in a certain terminal or playback device has been tampered with or that the decryption key stored inside has been exposed, invalidate it Terminal information storage section 511 stores information for specifying a terminal to be invalidated. The information specifying the terminal is, for example, a unique number of the terminal to be invalidated. (2) The tree structure updating unit 512 updates the tree structure to which the encryption key stored in the tree structure storage unit 502 is assigned, based on the output information of the invalidated terminal information storage unit 511. (3) The encryption key setting unit 513 determines an encryption key for encrypting the content key from the latest tree structure updated by the tree structure update unit 502, and the key specifying information setting unit 514
Sets the key identification information for determining the decryption key in the data encryption device 101. Next, the operation of secret sharing key setting apparatus 402 will be described below with reference to FIG. In addition,
The following method will be described in detail in <Encryption / Decryption Method of Secret Sharing Method in System Operation Phase> described later. (1) If the copyright protection management system recognizes that a specific data decryption device to be provided in a certain terminal or playback device has been tampered with or that the decryption key stored inside has been exposed, invalidate it Terminal information storage section 511 stores information for specifying a terminal to be invalidated. The information specifying the terminal is, for example, a unique number of the terminal to be invalidated. (2) The encryption key setting unit 612 encrypts the content key from the secret information stored in the secret information generation / storage unit 601 based on the output information of the invalidation terminal information storage unit 611. The key is determined, and the key specifying information setting unit 613 sets key specifying information for determining the decryption key in the data decryption device 103 in the data encryption device 101, respectively.

In the following, the data decoding device may be referred to as a terminal. (First Embodiment) The first embodiment is a case where one tree structure exists in the system. <System Preparation Phase> In the following, the key setting device 104
However, a method for preparing an encryption key in the system preparation phase and a method for allocating decryption key information to the data decryption device 103 will be described using specific examples. First, a method of preparing an encryption key and assigning a decryption key performed by the tree structure key setting device 401 of the key setting device 104 will be described. FIG. 7 illustrates a quadtree that is an example of a tree structure constructed by the tree structure construction unit 501. The uppermost layer 701 of the tree structure is denoted as level 0, the next lower layer 702 is denoted as level 1, and the lowermost layer 704 is denoted as level D. The node 705 of the highest layer is referred to as a root, and the node 706 of the lowest layer is referred to as a leaf. Nodes at each level are given node relative numbers at each level. Each leaf has a terminal
Each node is assigned one by one, and a plurality of encryption keys are assigned to all nodes except the leaf (hereinafter, such an encryption key assigned to such a tree structure is referred to as a key set). Further, in the example of FIG. 7, there are four nodes one level below that branch off and reach from a certain node. The four nodes are called child nodes of the original node, and the original node is called the parent node. When at least one terminal of the terminal corresponding to the leaf of the lowest layer arriving at a branch from a certain node is invalidated, the node is determined to be in an invalidated state, and all nodes other than the leaf are in the invalidated state. It holds node revocation information indicating the revocation status of the child nodes of the node. Specifically, the invalidation state is represented by 1 bit of 0 or 1, where 0 is the non-invalidation state, 1 is the invalidation state, and each node concatenates the 4 bits obtained by linking the invalidation state of its own child node. Stored as node invalidation information. Hereinafter, a specific example will be described. <Specific Example of Tree Structure Partitioning Method> FIG. 8 shows a specific example in the case of D = 3 in the tree structure of the quadtree shown in FIG. Since one terminal is assigned to each leaf, the total number of terminals is 4 ³ = 64.

First, a method will be described in which the encryption key assigning unit 503 of the tree structure key setting device 401 assigns an encryption key to each node including a root other than a leaf.

FIG. 9 shows, as an example, root node invalidation information when none of the root child nodes are invalidated. FIG. 10 also shows, by way of example, one of the root child nodes invalidated. Indicates the node invalidation information when it is set. In the initial state (a state in which no terminal is excluded), as shown in FIG. 9, none of the four child nodes of the root are invalidated, so the root node invalidation information is expressed as "0000". I do. When a terminal is removed (invalidated) from this state and transits to the state shown in FIG. 10, the root node invalidation information also changes from "0000" to "1000".
Changes to Here, the node relative number of the invalidated child node connected to the root corresponds to the bit position of “1” indicating the node invalidation information of the root.

Each node includes all node invalidation information.
A corresponding encryption key is assigned. Specifically, no
Encryption key (hereafter K₀₀₀₀Called
), The encryption key in the node revocation information "1111"
(Hereinafter K₁₁₁₁Up to 16 encryption keys)
Hit. Encryption corresponding to all node invalidation information
Keys are assigned to all nodes except the leaf
The location of the node to identify each
Is added to the notation of the encryption key. As an example, _2-4K
₀₀₀₁Indicates that the node phase exists at level 2.
In the node invalidation information "0001" for the node with pair number 4
And the same notation.
Used.

FIG. 11 is a diagram showing the encryption keys assigned to the level 0 and level 1 nodes using the above notation.

FIG. 12 is a diagram showing a decryption key assigned to the terminal 1.

Among the decryption keys corresponding to the plurality of encryption keys assigned to the nodes 1203 and 1202 located on the route from the terminal 1 (leaf 1204) to the route 1201, the terminal 1 is invalidated. A decryption key corresponding to the node revocation information indicating that there is no decryption key is assigned to the terminal 1 (hereinafter, a decryption key corresponding to the encryption key is simply referred to as a decryption key).

[0038] In the route 1201, the encryption key for the node revocation information "0xxx" indicating that the terminal 1 has not been invalidated is _0-1 K _0xxx. Here, “x” in the notation “0xxx” is a symbol meaning that either “0” or “1” may be used. Therefore, among the encryption key assigned to the root 1201, the decryption key assigned to the terminal 1 is the eight decryption keys _0-1 K _0xxx. Next, in the level 1 node 1202, the encryption key for the node revocation information “0xxx” indicating that the terminal 1 has not been revoked is:
_{It is 1-1} K _0xxx . Therefore, among the encryption keys allocated to the level 1 node 1202, the decryption keys allocated to the terminal 1 are eight decryption keys of _{1-1 K0xxx} . Similarly, by repeating the process up to level 3, the decryption key can be assigned to the terminal 1, and the decryption key is assigned to the other terminals in the same manner. <General Example of Secret Sharing Method Based on Polynomial Interpolation> Next, as a specific example of secret sharing, based on a secret sharing method based on polynomial interpolation, the secret sharing key setting device 4 of the key setting device 104 will be described.
A method of preparing an encryption key and assigning a decryption key performed in 02 will be described.

As shown in FIG. 6, secret information generation / storage unit 6
01 is the secret information K that is n random numbers _jGenerate (j = 1 to n)
And store. J is the platform of the data decryption device to be invalidated.
Number. Therefore, having n pieces of secret information
More than one to n data decryption devices
Wear. Also, K_jIs considered to be an integer, K_jPrime numbers above
p and an arbitrarily selected integer a less than p_j1, A_j2,…, A_jj
And generate a polynomial f with respect to the variable x_j(x) = K_j+ a_j1x + a_j2x^Two
+… + A_jjx^j (mod p) is stored. Individual numbers for all terminals
Number is assigned. Shared key information generation unit 602
Is the individual number ID of terminal i_iKey information f using₁(ID_i), F
_Two(ID_i),…, F_j(ID_i), And the decryption key assignment unit 603
Individual number ID for end i_iAll shared key information f₁(I
D_i), F_Two(ID_i),…, F_j(ID_i) And the prime p
Assign to 103. <Specific Example of Secret Sharing Scheme Based on Polynomial Interpolation> FIG.
In the secret sharing method based on the term interpolation, n = 3
1 shows a specific example. (1) The secret information generation / storage unit 601 invalidates one terminal
Confidential information K₁ , When disabling two devices
Secret information K_Two, Secret information K when disabling three terminals
_ThreeAnd an arbitrarily generated integer a₁₁, A_{twenty one}, A_{twenty two}, A₃₁, A₃₂, A
₃₃ , And a polynomial f consisting of prime numbers p₁(x), f_Two(x), f_Three(x)
Store. (2) The shared key information generation unit 602₁For terminal 1 with
Is the shared key information f₁(I D₁), F_Two(ID₁), F_Three(ID₁Generate)
You. (3) The decryption key assignment unit 603 generates the
Three shared key information f₁(ID₁), F_Two(ID₁), F_Three(ID₁) And prime numbers
Assign p to terminal 1.

As described above, in addition to the decryption key assigned by the decryption key assigning unit 504 of the tree structure key setting device 401 shown in FIG. The key information and the prime number are stored in the decryption key information storage unit 305. The decryption key stored in the decryption key storage unit 305 of the terminal 1 is shown.
See Figure 14. The same applies to any terminal having ID _i . <System Operation Phase> In the following, in the system operation phase, the key setting device 104
A method for determining the encryption key used in the method, a method for the data encryption device 101 to encrypt data, and a method for the data decryption device 103 to decrypt data will be described using specific examples.

The key setting device 104 holds all the encryption keys for one key set shown in FIG. Each terminal holds the decryption key assigned by the tree structure key setting device 401 and the decryption key assigned by the secret sharing key setting device 402, as already shown.

In the initial state, the encryption key setting unit 5 shown in FIG.
13 examines the node revocation information of the root 1501 of the tree structure stored in the tree structure storage unit 502, and since this is "0000", the encryption key _0-1 K ₀₀₀₀ for this is stored in the first first Is set in the encryption key storage unit 204, and the second encryption unit 202 encrypts the content key using the encryption key. In the initial state, the encryption unit selection unit 208 always includes the second encryption unit 20.
Select 2.

Next, when all of the decryption keys held by the terminal 1 are exposed, the decryption keys are invalidated and encryption is performed so that all terminals except the terminal 1 can acquire the content. <Encryption / Decryption Method of Tree Structure Partitioning Method in System Operation Phase> First, the encryption unit selection unit 208 shown in FIG.
The following describes an encryption method and a decryption method using a tree structure when the encryption unit 202 is selected. The tree structure updating unit 512 illustrated in FIG. 5 performs a tree structure storage unit 502 based on the information of the terminal to be invalidated output from the invalidated terminal information storage unit 511.
Is updated to the tree structure shown in FIG. 16 stored in FIG.

As shown in FIG. 16, when the terminal 1 is a terminal to be invalidated, the tree structure updating unit 512 updates the invalidation state of all nodes existing on the route from the terminal 1 to the route, and updates the invalidation state. The obtained tree structure is stored in the tree structure storage unit 502. At this time, the node invalidation information of the route 1601 is expressed as "1000" because the leftmost child among the four children is invalidated. Similarly, the leftmost node 1 belonging to level 1
The node invalidation information of 602 is expressed as "1000", and the node invalidation information of the leftmost node 1603 belonging to level 2 is also "1000".
Is expressed as

At this time, the encryption key setting unit 513 selects an encryption key corresponding to the node revocation information of the revoked node from the tree structure storage unit 502, and 1 is set in the encryption key storage unit 204. Specifically, _{0-1K 1000 for} level 0 route 1601, level 1
Node 1602 at _1-1 K ₁₀₀₀ , level 2 node 160
In 3, three keys of _2-1 K ₀₀₀₀ are stored in the first encryption key storage unit 2.
Set to 04.

The second encryption unit 202 encrypts the content key generated by the random number generator 207 using the set encryption key as follows. Also, the first encryption unit 201
Encrypts the content with the content key generated by the random number generator 207. (1) is encrypted by using a _0-1 K ₁₀₀₀ of the content key level 0. (2) is encrypted by using a _1-1 K ₁₀₀₀ of the content key level 1. (3) encrypted using a _2-1 K ₁₀₀₀ of the content key level 2. (4) Encrypt the content using the content key.

As described above, the encrypted content keys (1) to (3)
The key identification information for determining the encrypted content and the decryption key of (4) is stored on the digital optical disk 102. here,
The key specifying information includes, for example, an ID (alphabet or numeral) added to each encryption key. One example is shown in FIG. This digital optical disk 10
The terminal that has received the second, for example, the terminal 17 to the terminal 64 extracts the key identification information stored in the digital optical disk 102 by the key identification information extracting unit 304, a plurality of decryption keys held decryption key determination unit 303 from the key identification information extracted to determine the decryption key _0-1 K _1000. Next, the second decryption unit 302 decrypts the cipher text of (1) with the determined decryption key to obtain a content key. Further, the first decryption unit 301 decrypts the encrypted content with the acquired content key to obtain a predetermined content. At this time, instead of immediately decrypting the content using the decrypted content key, the validity of the decrypted content key can be confirmed first. As this confirmation method, an arbitrary method such as a generally used digital signature can be applied.

Similarly, terminals 5 to 16 communicate with decryption key _1-1 K ₁₀₀₀
The terminal 2 to the terminal 4 determines the decryption key _2-1 K _1000, each of the above (2), acquiring the content key by decrypting the ciphertext (3), to obtain a predetermined content.

[0049] All of the decoded invalidated terminal 1 of the key, _0-1
K ₁₀₀₀ , _1-1 K ₁₀₀₀ , and _2-1 K ₁₀₀₀ do not hold any of the decryption keys, so the second decryption unit 302 cannot decrypt the correct content key and obtain predetermined content. Can not. <Encryption of secret sharing scheme in system operation phase /
Decryption Method> Next, an encryption method and a decryption method using secret sharing when the encryption unit selection unit 208 shown in FIG. 2 selects the third encryption unit 203 will be described.

In FIG. 18, the encryption key setting section 612 uses a secret for invalidating one terminal based on the information “invalidating one terminal” from the invalidated terminal information storage section 611. sets information K ₁ to the second encryption key storage unit 205. At this time, the key specifying information setting unit 613 is
In addition to the information of `` invalidating one terminal '' from the above, based on the information of `` invalidating terminal 1 '', based on information of terminal ₁ , shared key information f ₁ (ID ₁ ) of secret information K ₁ held by terminal 1, Terminal 1 unique number ID
₁ is set in the key identification information storage unit 206.

The third encrypting unit 203 stores the set encryption key.
With K _1, it encrypts as follows generated content key with a random number generator 207. Also, the first encryption unit 201
The content is encrypted with the content key generated by the random number generator 207. The (1) the content key encrypted using the encryption key K _1. (2) Encrypt the content using the content key. As described above, the encrypted content key of (1), the encrypted content of (2), the key identification information f ₁ (ID ₁ ) for determining the decryption key, and the unique number ID ₁ of the terminal 1 are stored in the digital optical disc 102. Store.

This digital optical disk 102 was received
The terminal, for example, the terminal 2 receives the digital
The key identification information stored in the
In the decryption key storage unit 305 received from the key setting device 104 in advance
Decrypt from the held decryption key and the extracted key identification information
The key determination unit 303 determines a decryption key. Specifically, FIG.
As shown, the extracted key specifying information f₁(ID₁) And ID₁When,
Decryption key f held by terminal 2 ₁(ID_Two) And ID_TwoUsing
By solving the equation, the decryption key K₁Ask for.

Next, the second decryption section 302 decrypts the encrypted content key of (1) with the determined decryption key to obtain a content key. Further, the first decryption unit 301 decrypts the encrypted content with the acquired content key to obtain a predetermined content. At this time, instead of immediately decrypting the content using the decrypted content key, the validity of the decrypted content key can be confirmed first. As a method of this confirmation, an arbitrary method such as a generally used digital signature can be applied.

As shown in FIG. 19, the revoked terminal 1 sends the key identification information f ₁ (ID
₁ ) and ID ₁ and the decryption key f ₁ (ID ₁ ) and ID ₁ held by itself are equal, and there is insufficient information for solving the simultaneous equations, so the decryption key K ₁ cannot be obtained. Therefore, the second decryption unit 302 cannot decrypt a correct content key, and cannot obtain predetermined content. (Second Embodiment) A second embodiment is directed to a method for determining an encryption key used in the data encryption device 101 when a system has two or more tree structures, and a data encryption device. The data encryption method performed in 101 and the data decryption method performed in the data decryption device 103 will be described using specific examples.

For the four key sets shown in FIG. 20, the tree structure storage unit 502 and the secret information generation / storage unit 601 hold all the encryption keys. Each terminal holds a tree-structured decryption key allocated by the decryption key allocation unit 504 and a secret sharing decryption key allocated by the decryption key allocation unit 603, as described in the first embodiment. <System Operation Phase> In the initial state, the encryption key setting unit 513 checks the node invalidation information of each of the roots 2001 to 2004 of the tree structure stored in the tree structure storage unit 502,
Since this is "0000", the encryption key for this is _0-1 K
_{0000, 0-2 K 0000, 0-3 K} 0000, four of _0-4 K ₀₀₀₀ is set to the first encryption key storage unit 204, by using the encryption key, the second encryption unit 202 encrypts the content key.

Next, when all the decryption keys held by the terminal 1 are exposed, the decryption keys are invalidated and encryption is performed so that all the terminals except the terminal 1 can acquire the contents. As shown in FIG. 21, for a key set in which terminal revocation has occurred, the encryption unit selection unit 208 selects the third encryption unit 203 and uses secret sharing, and otherwise performs terminal revocation. For the key set for which no encryption has occurred, the encryption unit selection unit
208 selects the second encryption unit 202 and uses the tree structure.

First, in a key set in which a terminal is revoked, as shown in FIG. 18, the encryption key setting unit 612 reads “one terminal is revoked” from the revoked terminal information storage unit 611. based on the information, sets the secret information K ₁ for invalidating one device to a second encryption key storage unit 205. At this time, the key specifying information setting unit 613 is
In addition to the information of `` invalidating one terminal '' from the above, based on the information of `` invalidating terminal 1 '', based on information of terminal ₁ , shared key information f ₁ (ID ₁ ) of secret information K ₁ held by terminal 1, Terminal 1 unique number ID
₁ is set in the key identification information storage unit 206.

The third encryption unit 203 encrypts the content key generated by the random number generator 207 using the set encryption key as follows. Further, the first encryption unit 201 encrypts the content with the content key generated by the random number generator 207.

[0059] (1) use of an encryption key K ₁ the content key.

(2) Encrypt the content using the content key.

Next, in the key set in which none of the terminals has been revoked, an encryption key corresponding to the root node revocation information is selected, and the plurality of selected encryption keys are replaced with the first encryption key. Set in the storage unit 204. Specifically, _{0- 2} K ₀₀₀₀ at the root 2101 to 2103 levels 0, _0-3 K _{0000, 0-4} K
Three encryption keys of ₀₀₀₀ are set in the first encryption key storage unit 204.

The second encrypting section 202 encrypts the content key generated by the random number generator 207 using the set encryption key as follows. Also, the first encryption unit 201
Encrypts the content with the content key generated by the random number generator 207.

[0063] (3) to encrypt using a _0-2 K ₀₀₀₀ of the content key level 0.

[0064] (4) to encrypt using a _0-3 K ₀₀₀₀ of the content key level 0.

[0065] (5) to encrypt using a _0-4 K ₀₀₀₀ of the content key level 0.

As described above, the encrypted content key of (1), (3) to (5), the encrypted content of (2), and the key specifying information for determining the decryption key are stored in the digital optical disc 102.
Here, the key specifying information also includes information for specifying which key set each terminal belongs to. The terminal that has received the digital optical disk 102, for example, the terminal 2, extracts the key identification information stored in the digital optical disk 102 by the key identification information extracting unit 304, a decryption key held decryption key determination unit 303 from the key identification information extracted to determine the decryption key K _1.

Next, the second decryption section 302 decrypts the encrypted content key of (1) with the determined decryption key to obtain a content key. Further, the first decryption unit 301 decrypts the encrypted content (2) with the obtained content key to obtain a predetermined content.

For example, the terminals 17 to 64 take out the key specifying information stored in the digital optical disk 102 by the key specifying information extracting unit 304 and store the key specifying information in the decryption key storage unit 305 received from the key setting device 104 in advance. The decryption key determination unit 303 determines the decryption key _{0-1K 1000 based on the} extracted plurality of decryption keys and the extracted key specifying information.
To determine. Next, the second decryption unit 302 decrypts the encrypted content key of (3) with the determined decryption key to obtain a content key. Further, the first decryption unit 301 decrypts the encrypted content (2) with the acquired content key to obtain a predetermined content.

The terminal 1 that has been invalidated, as shown in FIG.
The key identification information f ₁ (ID ₁ ) and ID ₁ extracted by the key identification information extraction unit 304 are equal to the decryption key f ₁ (ID ₁ ) and ID ₁ held by the key identification information extracting unit 304, and there is insufficient information for solving simultaneous equations. Because
The decryption key K ₁ cannot be determined, and _0-2 K ₀₀₀₀ , _0-3 K
_Since it does not hold any of the decryption keys ₀₀₀₀ and _0-4 K ₀₀₀₀ ,
The second decryption unit 302 cannot decrypt a correct content key, and cannot obtain predetermined content.

In the embodiment of the present invention described above, the content is stored in advance on a DVD-Vis
I explained pre-recorded media such as deo. However, recordable media such as DVD-RAM can be realized in a similar manner. The block diagram is shown in FIG.

In the digital optical disk 102 shown in FIG. 15, only the key specifying information is stored in advance by the key specifying information recording device 1501. Multiple user data encryption devices 1502
Identifies the encryption key from the key identification information. This specifying method is the same as the method described in the first embodiment in which the terminal specifies the decryption key from the key specifying information recorded on the digital optical disk 102. Then, the user data encryption device 1502 encrypts the data using the specified encryption key, and transmits the encrypted data to the digital optical disk 102.
To store. This encryption and storage method in the digital optical disk 102 are described in the first embodiment.
It is the same as the method of storing in 02. However, the key specifying information recording device 1501 is a part of the data encryption device 101,
The data encryption device 101 includes a portion for storing encrypted data on the digital optical disk 102 and a portion for storing key identification information on the digital optical disk 102.

Further, in the present invention in which the tree structure division method and the secret sharing method are combined, not only the two are switched and used in one tree structure, but also the secret sharing method is provided below a certain level of one tree structure. , And a higher level includes a method using a tree structure.

Further, the key setting device may be integrated with the data encryption device. In the data encryption device, switching between the tree structure division method and the secret sharing method is performed not only for the number of terminals to be invalidated but also for the terminals. It shall be determined by various factors such as computational power.

[0074]

[Other Modifications] Although the present invention has been described based on the above embodiment, it is needless to say that the present invention is not limited to the above embodiment. The following cases are also included in the present invention. (1) The present invention may be the method described above.
Further, these methods may be a computer program that is realized by a computer, or may be a digital signal formed by the computer program.

The present invention also provides a computer-readable recording medium for the computer program or the digital signal, for example, a flexible disk, a hard disk, a CD-ROM, an MO, a DVD, and a DVD-RO.
M, DVD-RAM, semiconductor memory, etc. Further, the present invention may be the computer program or the digital signal recorded on these recording media.

In the present invention, the computer program or the digital signal may be transmitted via an electric communication line, a wireless or wired communication line, a network represented by the Internet, or the like.

The present invention is also a computer system including a microprocessor and a memory, wherein the memory stores the computer program,
The microprocessor may operate according to the computer program.

Further, by recording the program or the digital signal on the recording medium and transferring it, or by transferring the program or the digital signal via the network or the like, an independent other computer system is provided. May be implemented. (2) The above embodiments and the above modifications may be combined.

[0079]

As is apparent from the above description, the encrypted data delivery system according to the present invention can eliminate only a specific terminal while suppressing the amount of information stored in a medium.

In this method, the amount of information stored in a medium can be reduced by using a secret sharing scheme that can invalidate a terminal with a small amount of information. However, when the secret sharing method is used, it is necessary to preset the number of terminals to be invalidated and to assign a decryption key corresponding to the number to each terminal. Therefore, if the number of invalidated units exceeds the allowable range, the terminal cannot be invalidated.

The encrypted data distribution system according to the present invention combines the tree structure division method and the secret sharing method,
If the number of invalidated units is within the allowable range of secret sharing, use the secret sharing method.If the number exceeds the allowable range or if invalidation occurs collectively, use the tree switching method by switching between the two. By doing so, it is possible to invalidate only specific terminals without limitation on the number of terminals while suppressing the amount of information stored in the medium.

According to the third aspect of the present invention, by holding a plurality of key sets in advance, the total number of encryption keys managed by the data distributor is reduced. The storage capacity of the decryption key held by each terminal can be small.

[Brief description of the drawings]

[Figure 1] Block diagram of an encrypted data delivery system

FIG. 2 is a configuration diagram of a data encryption device.

[Figure 3] Configuration diagram of data decryption measure

FIG. 4 is a configuration diagram of a key setting device.

FIG. 5 is a configuration diagram of a tree structure key setting device.

FIG. 6 is a configuration diagram of a secret sharing key installation device.

FIG. 7 is a configuration diagram of a quad tree that is an example of a tree structure

FIG. 8 is a configuration diagram of a quadtree with 64 terminals

FIG. 9 is a diagram showing root node invalidation information.

FIG. 10 is a diagram showing root node invalidation information.

FIG. 11 is an allocation diagram of encryption keys in the tree structure partitioning method

[Fig. 12] Fig. 12 is an assignment diagram of decryption keys in the tree structure partitioning method.

FIG. 13 is a flowchart for determining an encryption key and a decryption key for three invalidated units.

FIG. 14 is a diagram showing the assignment of decryption keys in the tree structure division method and the secret sharing method.

FIG. 15 is a configuration diagram of a quadtree with 64 terminals in an initial state.

FIG. 16 is a configuration diagram of a quadtree with 64 terminals in which one invalidated terminal has occurred.

FIG. 17 illustrates an example of key identification information.

FIG. 18 is a flowchart for determining an encryption key and key identification information in a secret sharing scheme.

FIG. 19 is a diagram illustrating an example of calculating a decryption key in the secret sharing scheme.

FIG. 20 is a diagram showing an initial state in four key sets.

FIG. 21 is a diagram illustrating a state in which one invalidation terminal occurs in four key sets.

FIG. 22 is a block diagram of an encrypted data delivery system.

[Explanation of symbols]

 101 data encryption device 102 digital optical disk 103 data decryption device 104 key setting device first encryption unit 201 first encryption unit 202 second encryption unit 203 third encryption unit 204 first encryption key storage unit 205 Second encryption key storage unit 206 Key identification information storage unit 207 Random number generator 208 Encryption unit selection unit 301 First decryption unit 302 Second decryption unit 303 Decryption key determination unit 304 Key identification information extraction unit 305 Decryption key Information storage unit 401 tree structure key setting device 402 secret sharing key setting device 501 tree structure construction unit 502 tree structure storage unit 503 encryption key allocation unit 504 decryption key allocation unit 511 invalidated terminal information storage unit 512 tree structure update unit 513 encryption Encryption key setting unit 514 Key identification information setting unit 601 Secret information generation / storage unit 602 Distributed key information generation unit 603 Decryption key allocation unit 611 Invalidated terminal information storage unit 612 Encryption key setting unit 613 Key identification information setting unit 701 Tree structure Hierarchy (level 0) 702 tree structure hierarchy (level 1) 703 tree structure hierarchy (level D-1) 704 tree structure floor Layer (Level D) 705 Tree structure root 706 Tree structure leaf 1201 Level 0 root 1202 Level 1 node 1203 Level 2 node 1204 Level 3 node 1205 Decryption key assigned to terminal 1 (tree structure division method) "1501 Level 0 node 1601 Level 0 node 2001 Level 1 root of first key set 2002 Level 0 root of second key set 2003 Level 0 root of third key set 2004 Level 0 root of fourth key set 2101 Level 2 root of the second key set 2102 Level 0 root of the third key set 2103 Level 0 root of the fourth key set 2201 Key identification information recording device 2202 User data encryption device

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) H04N 5/91 P (72) Inventor Makoto Tatebayashi 1006 Kazuma, Kadoma City, Osaka Prefecture Matsushita Electric Industrial Co., Ltd. F Term (Reference) 5B017 AA03 BA07 CA16 5C053 FA13 FA24 FA25 FA30 GB18 GB40 HA29 HA33 JA21 JA26 JA30 KA01 KA21 KA24 KA25 KA30 LA11 LA14 5D044 AB07 BC03 CC06 DE17 DE48 FG18 GK12 GK17 HH15 HL02 HL11 5A04 A36 DA15

Claims (11)

[Claims] A data encryption device for encrypting data, a data recording medium for recording the encrypted data, a plurality of data decryption devices for decrypting encrypted data read from the data recording medium, An encrypted data distribution system comprising a key setting device for setting an encryption key for encryption and a decryption key for decryption, wherein the key setting device includes a tree structure key setting device and a secret sharing key. A setting device, the tree structure key setting device, in a preparation phase of the system, each of the plurality of data decryption devices correspond to a node of the lowest layer, each node of the tree structure, one or more of the encryption A key is assigned by a first predetermined method, and one or more decryption keys corresponding to the encryption keys are assigned to the plurality of data decryption devices by a second predetermined method. In the tree structure key setting device of the one or more encryption key, the information identifying one or more data decoding apparatus to be revoked third
One or more encryption keys specified by a predetermined method, and key specifying information for specifying the encryption key is set in the data encryption device, the secret sharing key setting device, the secret sharing key setting device of the system In the preparation phase, one or more encryption keys are generated by a fourth predetermined method, a plurality of pieces of shared key information are generated from the encryption keys, and the plurality of data decryption devices include: Assigning a plurality of corresponding decryption keys by a fifth predetermined method, further in the operation phase of the system, among one or more encryption keys generated by the secret sharing key setting device,
The one or more encryption keys identified by the sixth predetermined method from the information identifying one or more data decryption devices to be invalidated, and the key identification information for identifying the encryption key are subjected to the data encryption. Setting the device, the data encryption device encrypts data using an encryption key set by the key setting device according to the third or sixth, or both predetermined methods, the encrypted data recording The medium records both the encrypted data and key identification information for identifying the encryption key that has encrypted the data in the data decryption device, and the data decryption device encrypts the encrypted data from the encrypted data recording medium. Data and the key specifying information are taken out, a decryption key corresponding to the encryption key is specified therefrom, and the encrypted data is decrypted by using the decryption key. Beam. 2. The tree structure key setting device includes a tree structure construction unit for constructing a tree structure for allocating the encryption key in a system preparation phase, wherein the tree structure construction unit includes A tree structure is constructed such that a node of the layer corresponds to the data decryption device, and the first predetermined method in which the tree structure key setting device allocates the encryption key is performed by branching from each node and arriving. In the data decoding device corresponding to the lowest layer node, the node where the data decoding device to be invalidated exists is in the invalidated state, and all nodes except the lowest layer of the tree structure are connected to each node. A method of allocating an encryption key corresponding to node revocation information indicating a revocation status of one lower layer node, wherein the tree structure key setting device allocates a decryption key to the plurality of decryption data devices. The second predetermined method comprises: decoding corresponding to a plurality of encryption keys assigned to each node located on a path from the lowest layer node to the highest layer corresponding to each data decoding device. 2. The encrypted data delivery system according to claim 1, wherein, among the keys, a decryption key corresponding to node revocation information indicating that the data decryption device is not revoked is assigned. 3. The method according to claim 3, wherein the tree structure key setting device specifies an encryption key for encrypting data in an operation phase of the system. In a node in which a data decryption device to be invalidated exists in a data decryption device corresponding to a node in a lower layer, node invalidation information of the node at that time among the encryption keys allocated in the tree structure key setting device 3. The encrypted data delivery system according to claim 1, wherein the encryption key is a method for selecting an encryption key corresponding to the encrypted data. 4. The secret sharing key setting device includes a secret information generation storage unit that generates and stores an encryption key in a system preparation phase, and the secret information generation storage unit generates and stores the encryption key. The fourth predetermined method includes generating an encryption key and generating an n-dimensional (n
≧ 1), wherein the secret sharing key setting device assigns a decryption key to the plurality of decryption data devices. The fifth predetermined method is a method in which unique information possessed by the plurality of data decryption devices is provided. A plurality of shared key information is generated based on the polynomial based on the encryption key stored in the secret information generation storage unit, and the shared key information is generated only when n or more shared key information is collected. 2. The encrypted data according to claim 1, wherein the encrypted data is a method of assigning a decryption key corresponding to the distributed key information to the data decryption apparatus, which has a feature that an original encryption key can be obtained. Delivery system. 5. The encrypted data distribution system according to claim 1, wherein the secret sharing key setting device sets an encryption key corresponding to each number of data decryption devices to be invalidated. 6. The method according to claim 6, wherein the secret sharing key setting device specifies an encryption key for encrypting data in an operation phase of a system. Selecting a corresponding encryption key, and further setting all the shared key information allocated to one or more data decryption devices to be invalidated as key identification information in the data encryption device. 5. The encrypted data delivery system according to claim 1, wherein 7. The tree structure construction unit according to claim 2, wherein a plurality of tree structures are constructed instead of constructing only one tree structure for assigning the encryption key, and 3. The encrypted data delivery system according to claim 1, wherein a node of a layer constructs each tree structure so as to correspond to the data decryption device. 8. The data encryption device according to claim 1, wherein a third one is set according to the number of data decryption devices to be invalidated.
2. The encrypted data delivery system according to claim 1, wherein a decision is made as to which one of a sixth method, a sixth method, or both methods is used. 9. Instead of the data recording medium according to claim 1,
2. The encrypted data delivery system according to claim 1, wherein key identification information for identifying the encryption key is delivered to each of the encrypted data and the data decryption device using a communication medium. 10. The data encryption device according to claim 1, wherein instead of encrypting data using the plurality of encryption keys, a data key of a random number is generated, and the data key is generated using the plurality of encryption keys. 2. The encrypted data delivery system according to claim 1, wherein the data key is encrypted, and the data is encrypted using the data key. 11. Instead of recording the encrypted data and the key identification information using the data encryption device according to claim 1, encrypting only the key identification information using a key identification information recording device. Recorded on a data recording medium, the user data encryption device retrieves the key identification information recorded by the key identification information recording device from the encrypted data recording medium, identifies an encryption key therefrom, and uses this. 11. The encrypted data delivery system according to claim 1, wherein the encrypted data is recorded on the encrypted data recording medium, and the encrypted data is recorded on the encrypted data recording medium.