JPH10210025A - Cipher communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a cipher communication system which makes it difficult for the third person to estimate a secret key by an attack and can reduce an influence upon the system in the case that the secret key is decoded. SOLUTION: In the cipher communication system consisting of 28 one transmission equipment 10 and reception equipments A1 to G4 in total which are classified into seven groups A to G, two secret keys which are selected from 14 kinds of secret keys without duplication are preliminarily delivered t each group. The transmission equipment 10 uses either of two secret keys delivered to each group to cipher the same message M and transmits it to reception equipments in the corresponding group. Each reception equipment uses two secret keys delivered to the group, to which the reception equipment belongs, to decipher a received cipher text and discriminates whether two obtained deciphered texts meet certain regularity respectively or not, thereby specifying a correct deciphered text.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a system for encrypting and transmitting digitalized data such as documents, voices, images, and programs via a transmission medium or a recording medium. The present invention relates to a technology for encrypting and transmitting to a plurality of receiving devices by using a method.

[0002]

2. Description of the Related Art Conventionally, digitized documents, voices,
In a secret key cryptographic communication system in which data such as images and programs are encrypted with a secret key and communicated via a transmission medium, and recorded / reproduced via a recording medium, each of a transmitting device and a receiving device includes a device in advance. The encryption and decryption are performed using one common secret key determined between them.

[0003] In other words, even when each of the transmitting device and the receiving device has a plurality of secret keys, one secret key is specified and used immediately before performing communication. . This is to ensure that the cipher text sent from the transmitting device is securely decrypted in the receiving device.

[0004]

However, in such a conventional cryptographic communication system, the communication system is one-to-many, that is, one transmission device provides information to many reception devices. In the case of (1), if the secret key is decrypted, it is necessary to reset a new secret key for all the receiving devices, and a large amount of work of changing the system configuration is required.

[0005] For example, if the secret keys of one broadcasting station and 100 receivers that receive programs provided by the broadcasting station are decrypted, the broadcasting station and All private keys stored in 100 receivers must be changed. In other words, even if the secret key is decrypted by eavesdropping on the communication between one transmitting device and one receiving device, not only those two devices but also all the devices sharing the same secret key are decrypted. The receiving device is affected.

Accordingly, the present invention has been made in view of the above problems, and makes it difficult to estimate a secret key by an attack by a third party, and reduces the influence on the system when the secret key is decrypted. It is an object of the present invention to provide a cryptographic communication system capable of suppressing it.

[0007]

In order to achieve the above object, an encryption communication system according to the present invention is an encryption communication system comprising one transmission device and a plurality of grouped reception devices. Two or more secret keys selected without duplication from a plurality of different secret keys are distributed to the group in advance, and the transmitting device transmits one plaintext using each of the one selected secret key for each group. And transmits the obtained ciphertext to receiving apparatuses belonging to the corresponding group. Each receiving device decrypts the received ciphertext using each of the plurality of private keys distributed to the group to which the receiving device belongs, and determines whether or not a certain regularity exists for each of the obtained decrypted texts. By doing so, a correct decrypted text is specified.

[0008] Here, the transmitting device may attach the ciphertext indicating the regularity to the ciphertext and transmit the ciphertext to each receiving device.

[0009]

BEST MODE FOR CARRYING OUT THE INVENTION

(Embodiment 1) Hereinafter, Embodiment 1 of a cryptographic communication system according to the present invention will be described in detail with reference to the drawings.
The present cryptographic communication system is characterized in that even if a secret key is decrypted, the scale of damage caused by the decryption can be suppressed. [Overview of Cryptographic Communication System] FIG. 1 is a diagram for explaining the system configuration of the entire cryptographic communication system according to the first embodiment and the principle of cryptographic communication.

This system comprises one transmitting apparatus 10 and 28 receiving apparatuses A1 to G4 for receiving transmission information transmitted from the transmitting apparatus 10 in one direction. The 28 receivers A1 to G4 belong to one of a total of seven groups A to G forming one group with four receivers. Specifically, the 28 receiving devices A1 to G4 are connected to the bus line 14
four receivers A1 belonging to group A connected to a
To A4 (only two of them are shown), four receiving devices B1 to B4 belonging to group B connected to the bus line 14b (only two of them are shown),.
And four receiving devices G1 to G4 belonging to the group G connected to the bus line 14g (only two of which are shown).

The transmitting device 10 includes all the receiving devices A 1 to G 4
By using seven bus lines 14a to 14g independently provided with a message 13 to be transmitted to the user, fourteen different secret keys 11, and one encryptor 12.
Simultaneous broadcast can be performed for each group, that is, for each of four receivers. Each of the receiving devices A1 to G4 has two secret keys 21a to 21g and 26a to 26g, and one decryptor 22a corresponding to the above-mentioned encryptor 12 (reverse conversion).
To 22 g and 27 a to 27 g.

The purpose of the present system is that one transmitting apparatus 10 is connected to 28 receiving apparatuses A by encrypted communication using a secret key.
One G message is transmitted to 1 to G4. First, the relationship between the 14 secret keys 11 included in the transmitting device 10 and the two secret keys included in each receiving device (distribution mode of the secret keys) will be described.

In each of the seven groups A to G, two non-duplicated 2 types of secret keys selected from 14 different secret keys are provided.
Private keys are distributed in advance. That is, the secret keys Ka1 and Ka2 are distributed to the group A, the secret keys Kb1 and Kb2 are distributed to the group B,.
Distribute g1 and Kg2. Then, each of the receiving devices A1 to
Each G4 is distributed to the group to which it belongs.
Private keys are stored.

On the other hand, the transmitting apparatus 10 has seven groups A
.. G are stored in association with each group. Thus, 14
Private keys are shared between receiving devices belonging to the same group, and between receiving devices belonging to different groups,
Try not to be common.

Next, the transmitting device 10 has 28 receiving devices A
The specific contents of the cipher text transmitted to 1 to G4 will be described. The cipher text transmitted by the transmitting device 10 to the 28 receiving devices A1 to G4 is as shown on the bus lines 14a to 14g in FIG. Here, the symbol E (M, K) means an encrypted text obtained by encrypting the plaintext M using the encryption key K based on the encryption algorithm E. Similarly, the symbol D
(C, K) means a decrypted text obtained by decrypting the encrypted text C using the decryption key K based on the decryption algorithm D.

That is, the transmitting device 10 is connected to the bus line 1
4 receivers A1 to 4 belonging to group A via 4a
For A4, the ciphertext E (M, Ka1) or E (M, Ka1)
2) In this figure, E (M, Ka1) / E (M, Ka2) is transmitted to the four receiving devices B1 to B4 belonging to the group B via the bus line 14b. To transmit the ciphertext E (M, Kb1) or E (M, Kb2).
The encrypted text E (M, Kg1) or E is output to the four receiving devices G1 to G4 belonging to the group G via the bus line 14g.
(M, Kg2) is transmitted.

More specifically, the transmitting device 10
, Two private keys (K
a1 and Ka2) are randomly selected, the message M is encrypted by the encryptor 12 using the selected one, and the obtained ciphertext E (M, Ka1) or E (M, Ka2) belongs to the group A. It broadcasts simultaneously to the four receiving devices A1 to A4. Similarly, for group B, 2
Of the private keys (Kb1 and Kb2), the message M is encrypted by the encryptor 12 using the selected secret keys, and the obtained encrypted text E (M, Kb1) or E (M, Kb2) is grouped. Broadcast to the four receiving devices B1 to B4 belonging to B at once. In this way, different ciphertexts are sequentially broadcast simultaneously for each group.

On the other hand, each of the receiving devices A1 to G4 decrypts the received cipher text using each of its two private keys, and at least one of the two types of decrypted text obtained is reliable. If it is the content, the decrypted text is the message M transmitted by the transmitting device 10, and
The secret key used to obtain the decrypted text is identified as the same as the one used by the transmitting device 10.

Specifically, the receiving apparatus 20a decrypts the received cipher text (E (M, Ka1) or E (M, Ka2)) using the secret keys Ka1 and Ka2, respectively. It is determined whether or not at least one of the obtained two decrypted texts is reliable, based on whether or not the content has a certain regularity. The specific criterion of “certain regularity” will be described later.

As described above, one message M is transmitted from one transmission device 10 to 28
Although this system was secretly transmitted to two receiving devices 20a, this system has two main features. First, a secret key is not shared between receiving apparatuses belonging to different groups.

Therefore, even if the secret key distributed to one group is decrypted by an unauthorized person,
There is an advantage that the receiving devices belonging to other groups are not affected, that is, the change of the secret key is not required. Second, two secret keys are distributed to one group, but only one secret key selected from them is actually used.

Therefore, even if the one secret key is decrypted by an unauthorized person, the subsequent transmission uses the remaining one secret key, so that even if the receiving device belongs to the same group, However, the secret communication can be continued without changing the secret key. [Concrete Configuration] FIG. 2 is a block diagram showing a detailed configuration of the transmitting device 10 and one receiving device 20a in the cryptographic communication system shown in FIG.

The transmitting device 100 corresponds to the transmitting device 10 in FIG. 1, and includes a digital work 101 and a secret key storage unit 1.
03, secret key selecting unit 104, three encryptors 102,
5, 107, a message generation unit 106, and three transmission units 110 to 112. This transmitting device 100
Has the ultimate purpose of encrypting its digital work and transmitting it to the receiving device A1. For that purpose, in addition to the encrypted digital work Cd, two types of ciphertext, namely, 1 used to encrypt the digital work
The cipher text Ca for implicitly transmitting the secret keys and the cipher text Cm for transmitting a certain regularity serving as a criterion for specifying the secret key are transmitted to the receiving device A1.

The digital work 101 is a hard disk or the like in which data such as digitized documents, sounds, images, and programs are stored in advance. Secret key storage unit 10
3 corresponds to the secret key 11 in FIG. 1, and the same 14 secret keys distributed to all the groups A to G are used.
It is a semiconductor memory or the like which is stored in advance in association with the distributed group.

Prior to the generation and transmission of the three ciphertexts, the secret key selection unit 104 randomly selects one of the two secret keys corresponding to the group to which the destination receiving device belongs and selects the secret key. Read from the storage unit 103,
To each of the encryptors 102 and 105. Specifically, when the transmission destination is the receiving device A1, the secret key Ka1 or Ka2 is selected, read out from the secret key storage unit 103, and sent to the encryptors 102 and 105.

The encryptor 102 is an IC or the like which performs encryption based on the secret encryption algorithm E 1, reads out digital data Data in block units from the digital work 101, and receives the data from the secret key selecting unit 104. Encrypted with the secret key Ka1 or Ka2
The process of sending (= E1 (Data, Ka1) / E1 (Data, Ka2)) to the transmitting unit 110 is repeated for all the digital works 101.

The message generator 106 corresponds to the message 13 in FIG. 1, and is a random number generator or the like that generates a new random number every time the destination group is different and holds it as a message M. In the present embodiment, the message M is dummy data used as a carrier for transmitting the secret key used for encrypting the digital work 101 to the receiving device A1, and its content is not important.

The encryptor 105 is an IC or the like that performs encryption based on the secret encryption algorithm E 2, reads out the message M stored in the message generation unit 106, and receives the message M from the message M from the secret key selection unit 104. Secret key K
The encrypted text Ca (= E2) obtained by encrypting with a1 or Ka2
(M, Ka1) / E2 (M, Ka2)) is sent to the transmission unit 111.

The encryptor 107 is an IC or the like that performs encryption based on the secret encryption algorithm E3, reads out the message M stored in the message generator 106, and uses the message M as an encryption key. The encrypted text Cm (= E3 (M, M)) obtained by encryption is transmitted to the transmission unit 112. The transmission units 110, 111, 112
It comprises a parallel-to-serial converter, an amplifier, etc., and transmits the above three types of ciphertexts Cd, Ca, Cm to the receiving device A1 via bus lines 120, 121, 122, respectively. In addition, 3
A set of the bus lines 120 to 122 corresponds to one bus line 14a in FIG.

On the other hand, the receiving device A1 corresponds to the receiving device 20a in FIG.
22, 231, 232, two secret key storage units 220, 2
30, two determination units 223 and 233, a total determination unit 20
3, secret key selection unit 202, three reception units 210 to 212
Consists of This receiving device A1 is a transmitting device 100
The ultimate purpose is to decrypt and use the encrypted digital work Cd sent from the company, and a secret key to be used for the decryption, that is, a secret key used by the transmitting apparatus 100 is an encrypted digital work. It is specified from two types of ciphertexts Ca and Cm received together with the work Cd.

The receiving units 210, 211 and 212 are connected in series
It is composed of a parallel converter and the like.
The three types of ciphertexts Cd, Ca,
Cm is received. The decryption unit 201 performs decryption based on a secret decryption algorithm D1, which is an inverse transform of the encryption algorithm E1 of the encryptor 102 provided in the transmission device 100.
C or the like, and the secret key Ka1 or K
When a2 is given, the cipher text Cd sent from the receiving unit 210 is decrypted using the secret key to obtain the block data Data of the original digital work.
To restore.

It should be noted that this decoder 201
As long as the encrypted digital work Cd is repeatedly sent from 0, the decryption is repeated. Also, the secret key selection unit 2
If no secret key is given from 02, it is recognized that the identification of the secret key has failed, and the encrypted digital work Cd is not decrypted. Secret key storage unit 220, decryptor 22
1, a decoder group 222 and a determination unit 223 aim at determining whether the secret key used in the transmitting device 100 is Ka1. On the other hand, the secret key storage unit 230, Decoder 231, decoder 232, and determination unit 233
The other set of circuits consisting of is intended to determine whether or not the secret key used in transmitting apparatus 100 is Ka2. These two groups of circuits have the same basic configuration and function except that one secret key stored in the secret key storage units 220 and 230 is different. Therefore, only one set will be described in detail.

The secret key storage unit 220 corresponds to the secret key 21a in FIG. 1, and is a semiconductor memory or the like that stores the secret key Ka1 in advance. The decryptor 221 is an IC that performs decryption based on a secret decryption algorithm D2 which is an inverse transform of the encryption algorithm E2 of the encryptor 105 provided in the transmission device 100.
And decrypts the ciphertext Ca sent from the receiving unit 211 using the secret key Ka1 read from the secret key storage unit 220.
The obtained decrypted text M1 (= D2 (Ca, Ka1)) is determined by the determination unit 2
23 and the decoder 222.

The decryptor 222 is an IC or the like that performs decryption based on a secret decryption algorithm D3 which is an inverse conversion of the encryption algorithm E3 of the encryptor 107 provided in the transmitting apparatus 100. The text Cm is decrypted using the decrypted text M1 sent from the decryptor 221 as a decryption key, and the obtained decrypted text M11 (= D3 (Cm, M
1)) is sent to the determination unit 223.

The determination section 223 comprises a comparator, a selector and the like, and determines whether or not the decrypted text M1 sent from the decoder 221 matches the decrypted text M11 sent from the decoder 222. If they match, the decrypted text M1 is output to the overall judgment unit 203 if they do not match. Here, the case where they match (M1 = M11) corresponds to the case where the secret key selected and used in the transmitting apparatus 100 is Ka1. The reason is as follows.

Now, it is assumed that secret key selecting section 104 of transmitting apparatus 100 has selected secret key Ka1. Then, the following holds. Ca = E2 (M, Ka1) -Equation 1 Cm = E3 (M, M) -Equation 2 Accordingly, the decoded text M1 output from the decoder 221 of the receiving device A1 can be expressed as follows by using the equation 1. Become.

M 1 = D 2 (Ca, Ka 1) = D 2 (E 2 (M, Ka 1), Ka 1) = M-Equation 3 On the other hand, the decrypted text M 1 output from the decoder 222 of the receiving device A 1
1 is as follows by using Equations 2 and 3.

M 11 = D 3 (C m, M 1) = D 3 (E 3 (M, M), M) = M−Equation 4 From Equations 3 and 4, the following holds. M1 = M11-Equation 5 Similarly, the determination unit 233 of another circuit group is set.
Determines whether or not the decrypted text M2 sent from the decoder 231 matches the decrypted text M22 sent from the decoder 232. If they match, the decrypted text M2 is matched. Is output to the overall determination unit 203.

The general judgment section 203 is composed of an OR circuit, a selector, and the like. Based on the decrypted text output from the judgment section 223 and the judgment section 233, the decoding to be used for decoding the received encrypted digital work Cd is performed. An instruction to specify a key (either Ka1 or Ka2) or an instruction to find no decryption key is sent to secret key selecting section 202. Specifically, when the determining unit 223 outputs a decrypted text M2 that is not “0”, the secret key K is output regardless of the output of the determining unit 233.
If the determination unit 223 outputs “0” and the determination unit 233 outputs a decrypted text M2 that is not “0”, the instruction “2” selects the secret key Ka2. To
In other cases, an instruction "0" indicating that no decryption key is found
Are sent to the secret key selection unit 202, respectively.

The secret key selection unit 202 is composed of a selector and the like.
2), the secret key is not output / the secret key Ka1 is output / the secret key Ka2 is output to the decryptor 201, respectively. The secret key selecting unit 202 continues to output the encrypted digital work Cd while the transmitting apparatus 100 repeatedly transmits the encrypted digital work Cd.

The determining unit 223 (233) determines whether the decrypted
When 1 (M2) and the decrypted text M11 (M22) do not match, “0” is output. As a result, the comprehensive judgment unit 203 selects the secret key Ka1 (Ka2) corresponding to the mismatch in the transmitting apparatus 100. Although the above processing is performed assuming that the key is not a secret key, it uses the following properties of an encryption (decryption) algorithm normally employed in the present system.

That is, the decrypted text obtained when a secret key different from the originally intended secret key is used as a decryption key is different from the original plaintext. [Operation of Cryptographic Communication System] Next, the operation of the present cryptographic communication system configured as described above will be described.

FIG. 3 is a flowchart showing the operation procedure of transmitting apparatus 100. The transmitting apparatus 100 performs the following processing for each of the seven groups A to G (step S5).
1 to S53) are repeated (steps S50 to S54).
The symbols and expressions written in steps S51 to S53 are for the case of processing for group A, and only the case will be described below.

First, the secret key selection unit 104
From the two secret keys Ka1 and Ka2 corresponding to
Is selected and sent to the encryptor 102 and the encryptor 105 (step S51). Next, the encryptor 102 performs the above-described step S
The encrypted data Cd is generated by encrypting the block data Data of the digital work 101 using the one secret key Ka1 / Ka2 selected in 51, and the encryptor 105 generates the same one secret key Ka1 / Ka2. Is used to generate a ciphertext Ca by encrypting the message M generated by the message generating unit 106, and the encryptor 107 encrypts the message M using the same message M as an encryption key to generate a ciphertext Cm. It is generated (step S52). These three encryptions are performed simultaneously and in parallel.

Finally, the three transmitting units 110, 111, 1
12 respectively transmit the three ciphertexts Cd, Ca, and Cm obtained in step S52 to the bus lines 120, 1
Simultaneously broadcast to the four receiving devices A1 to A4 belonging to the group A via the respective devices 21 and 122 (step S5).
4). When transmission to group A is completed in this way, transmitting apparatus 100 sequentially performs similar processing on all seven groups A to G, such that the same transmission processing is performed on group B next. It repeats (steps S50-S54).

FIG. 4 is a flowchart showing the operation procedure of the receiving device A1. The operation procedures of the other receiving devices A2 to G4 are basically the same as those in FIG. First, the receiving unit 2
10, 211, and 212 receive the three ciphertexts Cd, Ca, and Cm sent from the transmitting device 100 via the bus lines 120, 121, and 122, respectively, and
1, are sent to the decoder 221 and the decoder 231, the decoder 222 and the decoder 232 (step S60).

Next, as the first stage of decoding, the receiving unit 2
11 decrypts the ciphertext Ca sent from the
1 generates a decrypted text M1 by decrypting using the private key Ka1 read from the private key storage unit 220, and at the same time, the decryption unit 231 decrypts using the private key Ka2 read from the private key storage unit 230. Thus, a decrypted text M2 is generated (step S61).

Subsequently, in the second stage of decryption, the ciphertext Cm sent from the receiving unit 212 is
22 uses the decryption text M1 generated by the decoder 221 as a decryption key to generate a decryption text M11. Simultaneously with this, the decoder 232 decrypts the decryption text M2 generated by the decoder 231. A decrypted text M22 is generated by performing decryption using the key (step S62).

The determination unit 223 determines whether the decrypted text M1 generated by the decoder 221 and the decrypted text M11 generated by the
Is determined as to whether or not they match, and if they do match, the decrypted text M1 is used.
, And in parallel with this, the determination unit 233 outputs
It is determined whether or not the decrypted text M2 generated by the decoder 31 matches the decrypted text M22 generated by the decoder 232. If they match, the decrypted text M2 is determined. The data is output to the terminal 203 (steps S63 and S64).

As a result, when a notification (decrypted text M 1) indicating the coincidence is received from the determination unit 223,
3 gives priority to the notification from the determination unit 233,
An instruction “1” to select the secret key Ka1 is sent to the secret key selection unit 202. Therefore, the decoder 201 includes the receiving unit 2
Using the secret key Ka1 sent from the secret key selection unit 202, the ciphertext Cd sent from 10 is decrypted into the original digital work Data (step S65).

On the other hand, when receiving a notification (“0”) indicating that they do not match from the determining unit 223, the comprehensive determining unit 203
Furthermore, the content of the notification received from the determination unit 233 is determined, and as a result, when the notification is a coincidence notification (decrypted text M2), the instruction “2” for selecting the secret key Ka2 to the secret key selection unit 202 is given. Send. Accordingly, the decryption unit 201 decrypts the cipher text Cd sent from the reception unit 210 into the original digital work Data using the secret key Ka2 sent from the secret key selection unit 202 (step S66). ).

When a notification ("0") indicating that they do not match is received from either of the judgment unit 223 and the judgment unit 233,
The comprehensive determination unit 203 sends a notification “0” to that effect to the secret key selection unit 202. Therefore, the decryptor 201 does not decrypt the cipher text Cd sent from the receiving unit 210 (step S66). As described above, according to the present embodiment, two secret keys selected from 14 different secret keys without duplication are previously distributed to each of the seven groups, and the transmitting apparatus 100 By encrypting using one arbitrarily selected secret key, the digital work 101 and the message M can be confidentially transmitted to the 28 receiving apparatuses A1 to E4.

According to this method, for example, the bus line 1
Even if one secret key Ka1 is decrypted by an unauthorized person by repeatedly tapping 4a, the receiving devices belonging to other groups B to G use secret keys different from the secret key Ka1. Therefore, communication can be continued without being affected by the communication. Further, the transmitting device 10 can continue communication with the receiving device belonging to the group A by using the remaining secret key Ka2 without using the decrypted secret key Ka1.

That is, even if one secret key is leaked or decrypted, the transmitting device and all the receiving devices can
The secret communication can be continued without receiving and storing a new secret key or updating the secret key to be stored. As described above, the cryptographic communication system according to the present invention has been described based on the embodiments. However, it goes without saying that the present invention is not limited to these embodiments. That is, (1) In the present embodiment, the network form of the cryptographic communication system is a star type, and one transmitting apparatus transmits a different cipher text for each receiving apparatus. Not limited to A bus-type network in which a transmitting device and all receiving devices are connected to one coaxial cable, and one transmitting device collectively encrypts ciphertexts for all receiving devices for a plurality of receiving devices. You may broadcast. (2) Although the communication medium in the present cryptographic communication system is the wired bus lines 14a to 14g, the CD-RO
It may be a recording medium such as M.

FIG. 5 is a diagram showing the contents of the CD-ROM 250 written by the transmitting device when the communication medium of the cryptographic communication system according to the present invention is the CD-ROM 250. The transmission device (CD-ROM writer)
Seven recording positions 2 predetermined for each group
Transmit to each group allocation for each of 51 to 257 3
The two ciphertexts Cd258, Ca259 and Cm260 are recorded, while the receiving device (CD-ROM drive)
An encryption communication system that reads out three ciphertexts Cd258, Ca259, and Cm260 recorded at the recording positions corresponding to the group to which the self belongs, and decrypts them into digital work data may be used. (3) In this embodiment, three different encryption algorithms are used, but they may be the same. Further, a plurality of secret key storage units and a plurality of encryptors / decryptors may be realized by a circuit formed in one semiconductor IC. (4) In the present embodiment, the secret key selecting unit 104 randomly selects the secret key. However, the present invention is not limited to such a selection method. For example, the secret key is selected according to a predetermined priority. When the secret key is decrypted, another secret key may be selected. (5) In the present embodiment, two secret keys are distributed to each group, and only one selected from them is used for encryption. However, the present invention is not limited to such numerical values. For example, the transmitting apparatus 100 uses a combination of three secret keys selected from four secret keys distributed for each group (for example, an exclusive OR for each bit) as an encryption key, , And each receiving apparatus obtains, for each of the ciphertexts, all the combinations of the three secret keys that can be selected from the four secret keys, by bitwise exclusive OR of the three secret keys. The same determination as in the present embodiment is performed by decrypting each of the decrypted texts as decryption keys, and when the above two decrypted texts Mn and Mnn match for at least one set of decryption keys, the secret key What is necessary is just to determine that the combination is selected by the transmitting apparatus 100. (6) Further, in this embodiment, one group is formed by two or more receivers, but one receiver may belong to each group. That is, two or more different secret keys may be distributed for each receiving device, and the transmitting device may transmit a ciphertext using a different secret key for each receiving device. (Embodiment 2) Next, Embodiment 2 of the cryptographic communication system according to the present invention will be described in detail with reference to the drawings.
This cryptographic communication system is characterized by performing three-layer encryption. [Configuration of Cryptographic Communication System] FIG. 6 is a diagram for explaining the system configuration of the entire cryptographic communication system according to the second embodiment and the principle of cryptographic communication.

This system is an encryption communication system that protects the copyright of digital works and the like by three-layer encryption, and is a DVD (Digital Video / Versatile Disc).
It comprises a recording device 300 for 310 and a reproducing device 320. The recording device 300 stores the digital data on a DVD3
10, a master key (Km) storage unit 301, a medium key (Kd) generation unit 302, a title key (Kt) generation unit 303, and three types of encryptors 305 to 30.
7 and a digital work 304 for storing digital data such as documents, images, sounds and the like.

The master key storage unit 301 stores the master key K
m, that is, the authorized (reproduction permitted) reproduction device 320
The medium key generation unit 302 holds in advance a secret key shared with the
Generates a medium key Kd, that is, a secret key for distinguishing each DVD 310, and the title key generation unit 303 generates a title key Kt, that is, a title of the digital work 304 recorded on the DVD 310 (for example, one title). A secret key to be assigned to each movie is generated.

The three encryptors 305 to 307 respectively transmit a medium key Kd, a title key Kt, and a digital work Da based on different secret encryption algorithms E1, E2, and E3.
ta is encrypted to generate an encrypted medium key 311, an encrypted title key 312, and an encrypted digital work 313, respectively. The playback device 320 is a legitimate device that reads and decrypts the encrypted digital work 313 of the DVD 310 recorded by the recording device 300, and has the same master key Km as the master key storage unit 301 provided in the recording device 300.
, And a master key Km storage unit 321 for storing.

The three decryptors 322 to 324 are respectively provided with the encryptors 305, 306, and 3 provided in the recording device 300.
Based on a secret decryption algorithm D1, D2, D3 which is an inverse transform of the encryption algorithm E1, E2, E3
The encrypted medium key 311, the encrypted title key 312, and the encrypted digital work 313 read from the VD 310 are decrypted. [Operation of Cryptographic Communication System] The operation of the present cryptographic communication system configured as described above will be described with reference to FIG.

In the recording device 300, the following three-layer encryption is performed. In other words, the encryptor 305 encrypts the medium key Kd generated by the medium key generation unit 302 using the master key Km read from the master key storage unit 301 as an encryption key, and thereby encrypts the encrypted medium key E1 (Kd, Km) 311. Is generated, and the encryptor 306 encrypts the title key Kt generated by the title key generation unit 303 using the medium key Kd as an encryption key, thereby generating an encrypted title key E2 (Kt, Kd) 3.
Then, the encryptor 307 generates an encrypted digital work E3 (Data, Kt) 313 by encrypting the digital work Data 304 using the title key Kt as an encryption key.

The generated encrypted medium key E1 (Kd, Km)
311, the encrypted title key E 2 (Kt, Kd) 312, and the encrypted digital work E 3 (Data, Kt) 313 are recorded at predetermined locations on the DVD 310 by the recording device 300. On the other hand, in the reproducing device 320, the following three layers are decoded. That is, the encrypted medium key E1 (Kd, Km) 311, the encrypted title key E2 (Kt, Kd) 312, and the encrypted digital work E3 recorded on the DVD 310
After the (Data, Kt) 313 is read by the playback device 320, first, the decryptor 322 uses the master key Km read from the master key Km storage unit 321 as a decryption key, and then encrypts the encrypted medium key E1 (Kd, Km) 311. Is decrypted to generate a medium key Kd. This is clear from Equation 6 below.

Kd = D1 (E1 (Kd, Km), Km) -Equation 6 Subsequently, the decoder 323 uses the medium key Kd generated by the decoder 322 as a decryption key and encrypts the encrypted title key E2 (K
(t, Kd) 312 to generate a title key Kt. This is clear from Equation 7 below. Kt = D2 (E2 (Kt, Kd), Kd) -Equation 7 Finally, the decryption unit 324 uses the title key Kt generated by the decryption unit 323 as a decryption key and encrypts the digital work E3 (Data, Kt) 313. To generate digital copyrighted work Data. This is clear from Equation 8 below.

Data = D 3 (E 3 (Data, Kt), Kt) −Equation 8 Here, if the master key Km of the playback device 320 is provided.
Does not match the master key Km of the recording device 300, the key generated by the decryptor 322 no longer matches the title key Kt of the recording device 300. Therefore, even if the decoding of the remaining two layers is performed, the data output from the decoder 324 does not match the original digital work Data 304.

That is, only the reproducing device 320 having the same master key as the master key Km of the recording device 300 can obtain the original digital work 304. As described above, according to the present encryption communication system, the digital work 304 is encrypted and recorded on the DVD 310, and the encrypted digital work 313 can be read and decrypted only by the master key Km. It is limited to the playback device 320. Then, the DVD 31 further includes the DVD 31
0, a unique medium key Kd and a unique title key Kt for each title of the digital work 304 are recorded in an encrypted form. Successful decryption of digital work Data.

In other words, it is possible to prevent a failure or impropriety such as leakage of the encryption key or dead copy due to the storage of all the encryption keys in the recording medium. It becomes easy to manage such as providing a distinction. (Embodiment 3) Next, Embodiment 3 of the encryption apparatus according to the present invention will be described in detail with reference to the drawings. The present encryption device is characterized in that a secret key is not used as it is, but is encrypted using a modified secret key obtained by adding a modification. [Configuration of Encryption Device] FIG. 7 is a block diagram showing a configuration of an encryption device 400 according to the third embodiment.

The encrypting device 400 stores the digital work 40
2 is a device for encrypting and transmitting the title 2 and includes a title key Kt generating unit 401, a digital work 402, a correcting unit 403, a separating unit 404, an encryptor 405, and a combining unit 406.
The title key Kt generation unit 401, the digital work 402, and the encryptor 405 are the same as the title key generation unit 303, the digital work 304, and the encryptor 307 in the second embodiment.

The separating section 404 is composed of a latch circuit and the like.
Block data Da extracted from digital work 402
The ta is separated into a part not to be encrypted (separated data Data1) and a part to be encrypted (separated data Data2), the former is sent to the correcting unit 403 and the combining unit 406, and the latter is
Send to 05. The correction unit 403 is composed of an exclusive OR circuit or the like, and includes the title key Kt generated by the title key Kt generation unit 401 and the separation data D transmitted from the separation unit 404.
The exclusive OR of each bit with ata1 is calculated, and the result is used as the modified title key K
It is sent to the encryptor 405 as p.

Kp = Kt (+) Data1-Equation 9 The sign (+) is an operator indicating exclusive OR.
The encryptor 405 encrypts the separated data Data2 sent from the separating unit 404 based on the secret encryption algorithm E using the modified title key Kp sent from the correcting unit 403 as an encryption key, and obtains the obtained ciphertext E. (Data2, Kp) is sent to the combining unit 406. This ciphertext E (Data2, Kp) is expressed as in the following Expression 10 from Expression 9 above.

E (Data2, Kp) = E (Data2, Kt (+) Data1) −Equation 10 The coupling unit 406 includes a latch circuit and the like, and the separation unit 404
By combining the separated data Data1 sent from the device and the ciphertext E (Data2, Kp) sent from the encryptor 405, the encrypted block data Edata corresponding to the original block data Data is output.

FIG. 8 shows block data before being encrypted.
FIG. 6 is a diagram showing the structure of Data and encrypted block data Edata. The separated data Data1 does not change as it is, but the separated data Data2 is encrypted with the title key Kp corrected by the separated data Data1. As described above, according to the present encryption device 400, the secret key is not used as it is, but is used after being modified. Then, a part of the digital work to be encrypted is used as the content of the correction.

As a result, the final encryption key is determined depending on the content, which makes it difficult for an unauthorized third party to estimate the secret key, and that only the secret key leaks to prevent the secret key from being leaked. The worst case in which all contents are decrypted is also avoided.

[0072]

As is apparent from the above description, the cryptographic communication system according to the present invention is a cryptographic communication system including one transmitting device and a plurality of grouped receiving devices. Distribute in advance two or more secret keys selected without duplication from a plurality of different secret keys,
The transmitting device encrypts one plaintext using each of the secret keys selected one by one for each group, and transmits the obtained ciphertext to the receiving devices belonging to the corresponding group. Each receiving device decrypts the received ciphertext using each of the plurality of private keys distributed to the group to which the receiving device belongs, and determines whether or not a certain regularity exists for each of the obtained decrypted texts. By doing so, a correct decrypted text is specified.

As a result, even if one secret key is decrypted, encrypted communication for a group different from the group to which the secret key has been distributed can be continued without being affected. Also, for the group to which the decrypted secret key has been distributed, it is possible to continue the encrypted communication using the remaining secret key. Furthermore, since the transmitting device can arbitrarily change the secret key used for each group, it is avoided to use the same secret key repeatedly, and it becomes difficult for a third party to decrypt the secret key.

That is, a cryptographic communication system that makes it difficult to estimate the secret key by an attack by a third party and that can reduce the influence on the system when the secret key is decrypted is realized. Here, the transmitting device may attach the ciphertext indicating the regularity to the ciphertext and transmit the ciphertext to each receiving device.

As a result, the criterion when the receiving apparatus specifies the correct one of the plurality of decrypted texts is encrypted and transmitted from the transmitting apparatus to the receiving apparatus. Information on which key is hidden is also hidden, and highly secure encrypted communication is realized.

[Brief description of the drawings]

FIG. 1 is a diagram for explaining a configuration of an entire cryptographic communication system and a principle of cryptographic communication according to a first embodiment of the present invention.

FIG. 2 is a diagram illustrating transmission devices 10 and 1 in the cryptographic communication system.
FIG. 3 is a block diagram showing a detailed connection and configuration of one receiving device 20a.

FIG. 3 is a flowchart showing an operation procedure of the transmitting apparatus 100.

FIG. 4 is a flowchart showing an operation procedure of the receiving device A1.

FIG. 5 is a diagram showing contents written on the recording medium when the communication medium of the cryptographic communication system according to the present invention is a recording medium.

FIG. 6 is a diagram illustrating the configuration of the entire cryptographic communication system and the principle of cryptographic communication according to Embodiment 2 of the present invention.

FIG. 7 is a block diagram illustrating a configuration of an encryption device according to a third embodiment of the present invention.

FIG. 8 shows block data Data before encryption by the encryption device and block data Eda after encryption.
It is a figure showing the structure of ta.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 Transmitting apparatus 11 Private key 12 Encryptor 13 Message 14a-14g Bus line 20a, 25a Receiving apparatus A1, A4 20b, 25b of group A Receiving apparatus B1, B4 20g, 25g of group B Receiving apparatus G1, G4 21a of group G , 26a Private key for grape A 21b, 26b Private key for grape B 21c, 26c Private key for grape C 22a-22g, 27a-27g Decryptor 100 Transmitter 101 Digital work 102 Encryptor E1 103 Private key storage Unit 104 secret key selecting unit 105 encryptor E2 106 message generating unit 107 encryptor E3 110-112 transmitting unit 120-122 bus line 201 decryptor D1 202 secret key selecting unit 203 general determining unit 210-212 receiving unit 220 secret key ( Ka1) Storage unit 221 Decoder D2 222 Encoder D3 223 Judgment unit 230 Private key (Ka2) storage unit 231 Decoder D2 232 Decoder D3 233 Judgment unit 250 CD-ROM 251 to 257 Recording area 300 Recording device 301 Master key storage unit 302 Medium key generation unit 303 Title key Generation unit 304 Digital work 305 to 307 Encryptor E1 to E3 310 DVD 311 Encrypted media key 312 Encrypted title key 313 Encrypted digital work 320 Playback device 321 Master key storage unit 322 to 324 Decoder D1 to D3 400 Encryption Encrypting device 401 title key generating unit 402 digital work 403 modifying unit 404 separating unit 405 encryptor E 406 combining unit

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Takehisa Kato 70, Yanagicho, Yukicho, Kawasaki-shi, Kanagawa Prefecture Inside the Toshiba Yanagicho Plant (72) Inventor Naoki Endo 70, Yanagicho, Yukicho, Kawasaki-shi, Kanagawa Prefecture In-plant (72) Inventor Koichi Hirayama 70, Yanagicho, Yuki-ku, Kawasaki-shi, Kanagawa Pref.

Claims (6)

[Claims] 1. A cryptographic communication system comprising n receiving devices and one transmitting device for transmitting digital information to the n receiving devices, wherein the n receiving devices are m And k groups of non-overlapping k secret keys selected from m × k different secret keys are distributed to each group. The transmitting apparatus includes the m × k secret keys and Secret key storage means for storing the same secret key in advance in association with the distributed group; k secret keys corresponding to each group stored in the secret key storage means for each of the m groups Secret key selecting means for selecting and reading one of the secret keys; encrypting means for encrypting one plaintext using each of the read m secret keys; and m secret keys obtained by the encrypting means. Ciphertext is generated for each ciphertext Transmitting means for transmitting to each of the receiving devices having the same secret key as the secret key used at the time of transmission, wherein each of the n receiving devices includes the k secret keys distributed to the group to which the receiving device belongs. Secret key storage means for storing a key in advance; receiving means for receiving the ciphertext transmitted from the transmitting device; and decoding for decoding the received ciphertext using each of the k secret keys. Means, and whether or not a predetermined regularity exists for each of the decrypted text obtained by the decrypting means. If at least one of the decrypted texts has a regularity, the regularity exists. A cryptographic communication system comprising: a determination unit configured to determine that one of the decrypted texts is the same as the plain text. 2. The transmitting means of the transmitting device performs the transmission by attaching the ciphertext indicating the regularity to the ciphertext, and the determining means of the receiving device transmits the ciphertext, 2. The cryptographic communication system according to claim 1, wherein the determination is made based on a ciphertext indicating regularity. 3. A transmitting device for transmitting digital information to n receiving devices, wherein said n receiving devices are classified into m groups, and each group includes m × k different secret keys. K secret keys selected without duplication are distributed, each receiving device has k secret keys distributed to the group to which the receiving device belongs, and the transmitting device has the m × k secret keys and Secret key storage means for storing the same secret key in advance in association with the distributed group; k secret keys corresponding to each group stored in the secret key storage means for each of the m groups Secret key selecting means for selecting and reading one of the secret keys; encrypting means for encrypting one plaintext using each of the read m secret keys; and m secret keys obtained by the encrypting means. When each ciphertext is generated Transmitting device, characterized in that it comprises a transmitting means for transmitting to a receiving device each having the same secret key and a private key used. 4. The transmitting apparatus according to claim 3, wherein said transmitting means transmits said ciphertext by attaching a ciphertext indicating regularity of the original plaintext to said ciphertext. 5. A receiving apparatus for receiving digital information transmitted from one transmitting apparatus, comprising: secret key storing means for storing k secret keys distributed in advance; and k secret keys. Receiving means for receiving, from the transmitting device, a ciphertext encrypted by using any one of the following: a decrypting means for decrypting the received ciphertext using each of the k secret keys; It is determined whether or not a predetermined regularity exists for each of the decrypted texts obtained by the means. If at least one of the decrypted texts has a regularity, one of the decrypted texts having the regularity is determined. A receiving device comprising: a judging means for judging a correct decrypted text. 6. The method according to claim 1, wherein the receiving unit also receives the ciphertext indicating the regularity together with the ciphertext, and the determining unit makes the determination based on the ciphertext indicating the regularity. The receiving device according to claim 5.