KR101160812B1 - Method for key generation to reduce transmission overhead in Broadcast Encryption, Encryption and Decryption using the key generation - Google Patents

Abstract

Disclosed is a key generation method used in broadcast encryption. The key generation method allocates a plurality of nodes to each of a plurality of rows, and at least one node constituting any one of the plurality of rows comprises at least one node constituting another one of the plurality of rows. Forming a hierarchical node group composed of a plurality of nodes to be associated with each other; Assigning at least one node key to each of the nodes forming the hierarchical node group; Assigning at least one one-way function to each of the plurality of rows; Setting a section consisting of two nodes selected from all nodes forming the hierarchical node group, and setting at least one one-way function assigned to at least one row including each of the two nodes forming the section. Generating an interval key of the interval and assigning the generated interval key to any one of the selected two nodes; and a user to each of a plurality of nodes constituting a last row among the plurality of rows. The step of assigning. The key generation method can reduce the amount of transmission in broadcast encryption.

Broadcast encryption, throughput

Description

Method for key generation to reduce transmission overhead in Broadcast Encryption, Encryption and Decryption using the key generation}

The detailed description of each drawing is provided in order to provide a thorough understanding of the drawings cited in the detailed description of the invention.

1 shows a network structure of a data transmission system using general broadcast encryption.

2 conceptually illustrates a network structure of a data transmission system using broadcast encryption according to an embodiment of the present invention.

3 is a flowchart illustrating a key generation method according to an embodiment of the present invention.

4 is a conceptual diagram illustrating a hierarchical node group including a plurality of nodes according to an embodiment of the present invention.

5 is a conceptual diagram illustrating a first section set according to an embodiment of the present invention and a method of allocating the section key thereof.

6 is a conceptual diagram illustrating a second section set according to an embodiment of the present invention and a section key allocation method thereof.

7 is a conceptual diagram illustrating a method for allocating a third section and section key set according to an embodiment of the present invention.

8 is a flowchart illustrating a broadcast encryption method according to an embodiment of the present invention.

9 is a flowchart illustrating a method of calculating a right section key and a left section key according to an embodiment of the present invention.

10 is a flowchart illustrating a decoding method according to an embodiment of the present invention.

11 is a block diagram of a receiver according to an embodiment of the present invention.

12 conceptually illustrates a method of calculating a section to which it belongs and calculating a section key of the section according to an embodiment of the present invention.

Figure 13 shows a graph comparing the transmission amount according to the conventional method and the transmission amount according to an embodiment of the present invention.

The present invention relates to an encryption / decryption method, and more particularly, to a key generation method, a broadcast encryption method, a broadcast decryption method, and an apparatus for implementing each of the above methods, which can reduce a transmission amount in broadcast encryption. It relates to a recording medium.

Broadcast encryption is a method in which the sender (i.e., broadcast center) among all the users effectively delivers information to the desired users. The set of users to receive the information is randomly and dynamically. It must be able to be used effectively in case of change. The most important property in broadcast encryption is the revocation or exclusion of unwanted users (eg, illegal users or expired users).

FIG. 1 is a diagram illustrating a network structure 100 of a data transmission system using general broadcast encryption. Referring to FIG. 1, the content producer 110 produces various useful data, including audio or video data, and provides the produced audio or video data to the service provider 120. The service provider 120 may provide legitimate users (eg, a mobile digital right management (DRM) network and a smart home DRM network) for paying for the data through various wired and wireless communication networks for various data provided from the content producer 110. Broadcast to).

That is, the service provider 120 may transmit data to the user's device 161 such as a set-top box equipped with various satellite receivers through the satellite 130, and may transmit the mobile communication network 140. It can also be transmitted to the mobile communication terminal 163 through. In addition, it may transmit to various terminals 165 of the smart home network through the Internet network 150.

In this case, the data is encrypted by broadcast encryption in order to prevent the revoked-user 167 who does not pay a fair fee for the data from using the data.

The security of such an encryption and decryption system usually depends on the system that manages the encryption key. The most important thing in such an encryption key management system is how to generate an encryption key. In addition, it is also important to manage and update the generated encryption key (Key Update).

Since the concept of broadcast encryption was first proposed in 1991, a number of changes have been made. It is assumed that the receiver's key cannot be updated in the current broadcast encryption (stateless receiver). This concept means that each session's private key is never changed or updated as the session changes. In this case, the term 'k-resilient' is used in terms of safety, which means that the k-resilient user is unable to recover information even after a public attack. Since r usually represents the number of excluded users, 'r-resilient' means that all excluded users are safe to collaborate.

On the other hand, in broadcast encryption, transmission overhead, storage size, and computation cost are important, respectively, the amount of headers to be transmitted by the transmitting side, and the amount of private keys that a user must store. And the amount of computation required for the user to obtain a session key. Among these, reducing the amount of transmission is a major problem.

Accordingly, the technical problem to be achieved by the present invention is to provide a key generation method that can reduce the amount of transmission in broadcast encryption, an encryption and decryption method using the same.

According to an aspect of the present invention, there is provided a method of generating a key, the method comprising: generating a hierarchical tree such that an ^nth row of the plurality of rows includes nodes of (m) ⁿ ; Assigning at least one node key to each of the nodes forming the hierarchical tree; Assigning at least one one-way function to each of the plurality of rows; Obtaining a section consisting of two nodes selected from all nodes forming the hierarchical tree, generating a section key of the section using at least one one-way function included in the section and assigned to each row, and generating Assigning the selected interval key to any one of the two selected nodes; and assigning a user to each of the nodes in the lowest row of the hierarchical tree.

The key generation method for achieving the technical problem comprises the steps of: creating a hierarchical node group so that each parent node of each layer has a plurality of child nodes; Assigning at least one node key to each parent node of each layer and each of the child nodes forming the lowest hierarchy; Assigning at least one one-way function to each layer; Setting a section consisting of two nodes selected from a plurality of nodes forming the hierarchical node group; Generating a section key of the section using a one-way function assigned to each layer included in the section, and assigning the generated section key to any one of the two selected nodes: and the lowest layer And assigning a user corresponding to each of the child nodes to be formed.

The key generation method further includes assigning at least one interval key to each parent node of each layer and / or each of the child nodes forming the lowest hierarchy. The key generation method may include at least one node key assigned to a direct parent node of each of the nodes forming the lowest hierarchy and / or at least one assigned to the direct parent node in each of the child nodes forming the lowest hierarchy. And allocating the interval key of.

The key generation method for achieving the technical problem is to assign a plurality of nodes to each of a plurality of rows, wherein at least one node constituting any one of the plurality of rows is the other row of the plurality of rows Forming a hierarchical node group consisting of a plurality of nodes to be associated with at least one constituting node; Assigning at least one node key to each of the nodes forming the hierarchical node group; Assigning at least one one-way function to each of the plurality of rows; Setting a section consisting of two nodes selected from all nodes forming the hierarchical node group, and setting at least one one-way function assigned to at least one row including each of the two nodes forming the section. Generating an interval key of the interval and assigning the generated interval key to any one of the selected two nodes; and a user to each of a plurality of nodes constituting a last row among the plurality of rows. The step of assigning.

The key generation method for achieving the technical problem is composed of N (where N is a natural number), each of the N rows includes a plurality of nodes, I (where I is N of the N rows) A smaller natural number) assigns each of the plurality of nodes constituting the first row as a parent node, and at least one node selected from among the plurality of nodes constituting the (I + 1) th row constitutes the Ith row Creating a hierarchical node group by assigning as a child node of at least one parent node among the nodes of; Assigning at least one node key to each of the nodes forming the hierarchical node group; Assigning at least one one-way function to each of the N rows; Setting a section consisting of two nodes selected from all nodes forming the hierarchical node group, and setting at least one one-way function assigned to at least one row including each of the two nodes forming the section. Generating a section key of the section by allocating the assigned section key and assigning the generated section key to any one of the selected two nodes; and assigning a user to each of a plurality of nodes constituting the Nth row. With steps.

The broadcast encryption method for achieving the technical problem comprises the steps of encrypting a message using a session key; And a legitimate user belonging to the section indicated in the header of the message, calculates the section to which the user belongs, calculates the session key using the calculated section key, and decrypts the encrypted message using the calculated session key. And transmitting an encrypted message to each of the legitimate user and the illegal user so that an illegal user who does not belong to the interval does not decrypt the encrypted message.

The broadcast encryption method for achieving the technical problem comprises the steps of removing at least one illegal user from a plurality of users, and obtaining a plurality of sections each including at least one legitimate user; Generating two interval keys by using a one-way function corresponding to each of the plurality of intervals, and encrypting a session key using each of the generated two interval keys; And transmitting an encrypted message comprising information about legitimate users constituting each of the intervals, an encrypted session key, and content encrypted using the session key to decrypt the session key. do.

The broadcast encryption method for achieving the above technical problem comprises the steps of: dividing one section including only valid receivers into a first section and a second section; Calculating a second section key corresponding to the second section using a second one-way function corresponding to the first section key corresponding to the first section using a corresponding first one-way function; And encrypting the generated session key using the first section key and the second section key, respectively.

When the section includes a plurality of nodes that map each of the legitimate receivers, the first section including the node of the highest layer included in the section and the start node of the section is formed, and is included in the section. The second section includes a node of an uppermost layer and an end node of the section.

In order to achieve the above technical problem, a broadcast encryption method includes at least one user among each parent node forming each layer having a plurality of child nodes and mapped to each of a plurality of linear child nodes forming a lowest layer. Removing the illegal user; Obtaining a section including legitimate users on the straight line; Finding a node of a top layer among the layers included in the section; Obtaining a left section formed of the node of the top layer and the start node of the section, and a right section formed of the node of the top layer and the end node of the section; Computing a right section key corresponding to the right section using a first one-way function assigned to each layer, and calculating a left section key corresponding to the left section using a second one-way function assigned to each layer step; Generating a session key; And encrypting the session key using each of the left interval key and the right interval key, and including information about the interval, information about each encrypted session key, and content encrypted using the session key. It comprises the step of transmitting.

Broadcast transmission apparatus for achieving the technical problem is an encryptor for encrypting a message; And at least one legitimate user belonging to the predetermined section indicated in the header included in the encrypted message decrypts the encrypted message, and at least one illegal user who does not belong to the predetermined section prevents the encrypted message from being decrypted. And a transmitter for transmitting encrypted content to at least one party user and at least one illegal user.

A receiver for achieving the technical problem comprises a key storage means for storing a predetermined interval key; And receiving an encrypted message, obtaining a section to which the receiver itself belongs based on the section information included in the message, calculating a section key of the section to which the receiver belongs using the predetermined section key, and calculating the section. The session key is decrypted using the key, and the content included in the message is decrypted using the decrypted session key.

The decryption method for achieving the technical problem comprises the steps of receiving a message encrypted using the session key; The legitimate user belonging to the section included in the header of the encrypted message obtains the section key of the section to which the section belongs by calculating a one-way function of the section key, and calculates the session key using the obtained section key. Decrypting the encrypted message using the calculated session key. The computer readable recording medium stores the method.

In order to fully understand the present invention, the operational advantages of the present invention, and the objects achieved by the practice of the present invention, reference should be made to the accompanying drawings which illustrate preferred embodiments of the present invention and the contents described in the accompanying drawings.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. Like reference numerals in the drawings denote like elements.

2 conceptually illustrates a network structure of a data transmission system using broadcast encryption according to an embodiment of the present invention. Referring to FIG. 2, the network structure 200 according to the present invention includes a transmitting device 210 of a broadcasting center, a legitimate user (or a receiver of a legitimate user; 230), and an illegal user (receiver of an illegal user; 240). Equipped.

The user or receiver has processors therein for decoding broadcast content. In the present specification, a legitimate user means a user who pays a fair fee for broadcast content, and an illegal user means a user who does not pay a fair cost for the broadcast content.

The transmitter 210 includes an encryptor 213 having a key generation module 211 and a transmitter 215. The operation of the key generation module 211 will be described in detail with reference to FIG. 3. The encryptor 213 encrypts a message (or content) in accordance with an embodiment of the invention.

The transmitter 215 decrypts the encrypted message (more specifically, the content) by at least one legitimate user who belongs to the interval indicated in the header, and the encrypted message (or Send an encrypted message to the at least one fully exchanged user and the at least one illegal user to prevent decryption of the content).

The encrypted message is delivered to each user 230 and 240 via a medium or wireless communication network. Such media include, but are not limited to, DVDs, CDs, hard disks, flash memory devices, and the like.

Accordingly, the legitimate user 230 may calculate the section key of the section to which the legitimate user belongs by applying the key generation method according to the present invention, and thus may decrypt the encrypted message. However, since the illegal user 240 does not belong to any section indicated in the header, the illegal user 240 cannot calculate the section key and thus cannot decrypt the encrypted message.

3 is a flowchart illustrating a key generation method according to an embodiment of the present invention. 4 is a conceptual diagram illustrating a hierarchical node group including a plurality of nodes according to an embodiment of the present invention.

3 and 4, a plurality of parent nodes (N1 to NC; C is a natural number) is allocated to the first row (or 'tier' or less). Each parent node N1 to NC is given a label. Each of the parent nodes N1 to NC allocated to the first row is assigned a plurality of child nodes N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC. In FIG. 4, for convenience of description, the number of parent nodes in the first row and the number of child nodes of each parent node are the same, but the inventive concept is not limited thereto.

Each child node (N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC) in the first row becomes the parent node of the second row. Each parent node N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC forming a second row has a plurality of child nodes N111 to N11C, N121 to N12C, and N1C1 to N1CC. , NCC1 to NCCC) are allocated.

As described above, each child node of the i th (i ≧ 1) row is assigned to a parent node of the (i + 1) th row. That is, in the i th row (i ≧ 1), a plurality of parent nodes are allocated and a label is assigned to each of the assigned parent nodes.

A plurality of child nodes is allocated to each parent node of the i th (i ≧ 1) row. Each child node of the i th (i ≧ 1) row becomes a parent node of the (i + 1) th row, and a plurality of child nodes are allocated to each parent node of the (i + 1) th row. In this manner, a hierarchical node group 400 including a plurality of nodes is generated 310.

Each parent node N1 to NC in the first row, each parent node in the second row (= each child node in the first row; N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC) At least one node key is allocated to each of the child nodes N111 to N11C, N121 to N12C, N1C1 to N1CC, and NCC1 to NCCC in the second row. The node keys assigned to the nodes NC, NCC, and NCCC are represented by K (NC), K (NCC), and K (NCCC).

For example, one node key can be assigned to each child node (N111 to N11C, N121 to N12C, N1C1 to N1CC, NCC1 to NCCC) in the second row, that is, the third row, and each parent constituting the first row. Two node keys may be assigned to the nodes N1 to NC and each of the parent nodes N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC constituting the second row.

Since only two rows are shown in FIG. 4 for convenience of description, the child nodes of the second row are the child nodes of the lowest row. In some cases, each child node of the second row is referred to as nodes forming a third row (lowest row).

At least one one-way function (e.g., denoted by a hash function h) is allocated to a row (or a third row) including the first row, the second row, and each child node of the second row (330). ).

For example, a first one-way function (or right one-way function Rh1) and a second one-way function (or left one-way function Lh1) are assigned to the first row, and a third one-way function (or right one-way function; Rh2 is assigned to the second row. ) And a fourth one-way function (or left one-way function Lh2) may be allocated, and a fifth one-way function hd may be assigned to a row (or a third row) including each child node of the second row.

All nodes forming the hierarchical node group 400 (N1 to NC, N11 to N1C, N21 to N2C, N31 to N3C, ..., NC1 to NCC, N11 to N1C, N21 to N2C, N31 to N3C, ..., and sets a section consisting of two nodes selected from NC1 to NCC (340).

Then, by using (operating) one-way functions Rh1, Lh1, Rh2, Lh2, and hd assigned to each row, an interval key corresponding to the interval is generated, and the generated interval key is used as the selected two nodes. The allocation to one of the nodes (350).

A method of generating a section key of a set section will now be described with reference to FIGS. 5 to 7. 5 illustrates a case in which a first section is configured with two nodes existing in the same row.

First, the first section is formed by the nodes N21 and NC1 in the second row. If the lengths of the selected nodes N21 and NC1 are m, the node key assigned to the node N21 is K (N21), and the one-way function assigned to the second row is Rh2, The interval key RIK of the first section formed of the nodes N21 and NC1 may be obtained through Equation 1.

The interval key RIK generated through Equation 1 is assigned to the node NC1. At this time, since the section is formed between the same row (second row), it is preferable to obtain the section key by applying a one-way function to the right side only.

In addition, the node NC1 includes a section key of a section consisting of a node N11 and a node NC1, a section key of a section consisting of a node N12 and a node NC1, and a node N1C and a node NC1. At least one of an interval key of an interval including one node except for the node NC1 among all nodes forming the hierarchical node NC1 and the hierarchical node group 500 is assigned.

FIG. 6 illustrates a case in which a second section is set to two nodes N21 and NC22 existing in different rows. Referring to FIG. 6, the upper node N21 exists in the second row, and the lower node NC22 is the right side of the upper node N21 and formed by the child nodes of the second row (that is, the third row). Present in)

If the length between two nodes N21 and NC1 is n, the length between node NC21 and node NC22 is 1, the node key assigned to node N21 is K (N21), When the one-way function assigned to the second row is Rh2 and the one-way function assigned to the third row is hd, the interval key RIK of the second section formed by the nodes N21 and NC22 is represented by Equation 2. You can get it.

The interval key RIK generated through Equation 2 is preferably assigned to the node NC22. In addition, the node NC22 includes a section key of a section consisting of a node N22 and a node NC22, a section key of a section consisting of a node N2C and a node NC22, and a node N32 and a node NC22. At least one of a section key of a section, among the nodes constituting the hierarchical node NC22 and the hierarchical node group 600, is assigned to at least one section key of a section except for the node NC22.

In addition, as described with reference to FIG. 5, the node NC22 has a section key of a section consisting of the node N111 and the node NC22, a section key of a section consisting of the node N121 and the node NC22, and a node N1CC. Section key of the section consisting of the node NC22, among the nodes forming the hierarchical node group 600 with the back node NC22, and the section key of the section consisting of any one node except the node NC22. At least one is assigned.

Referring to Equation 2, the one-way function Rh2 assigned to the second row to obtain the interval key applies only from the node N21 to the node NC1 that exists immediately before the parent node NC2 of the node NC22. . If the one-way function assigned to the second row is applied to the parent node NC2 of the node NC22, at least one illegal user (eg, NC2C) among the child nodes NC21 to NC2C of the node NC2 has its own. Since it has a key assigned to its parent node NC2, it is possible to decrypt an encrypted message using the key assigned to its parent node NC2. Therefore, in order to prevent this, the one-way function corresponding to only the node existing before the parent node to which it belongs is applied.

Subsequently, the second section is set to two nodes N1 and N321 existing in different rows.

The length of the two nodes N1 and N2 is 1, the length between the two nodes N2C and N31 is 1, the length of the two nodes N31C and N321 is 1, and the node N1 When the node key assigned to is K (N1), the one-way function assigned to the first row is Rh1, the one-way function assigned to the second row is Rh2, and the one-way function assigned to the third row is hd. The interval key RIK of the second section formed of the nodes N1 and N321 may be obtained through Equation 3 below.

The interval key RIK generated through Equation 3 is preferably assigned to the node N321.

Referring to Equation 3, the node N321 has a node key assigned to its immediate parent nodes M32 and N3. Therefore, if the user assigned to the node N321 is an illegal user, the illegal user should give the node N321 an interval key to prevent decryption of the encrypted message.

FIG. 7 illustrates a case in which a third section is set with two nodes N31 and N121 existing in different rows. Referring to FIG. 7, the upper node N31 is present in the second row, and the lower node N121 is left of the upper node N31 and is present in the third row.

If the lengths of the two nodes N31 and N1C are t, the lengths of the nodes N12C and N121 are c, the node key assigned to the node N31 is K (N31), and the second When the one-way function assigned to the row is Lh2 and the one-way function assigned to the third row is hd, the interval key LIK of the third section formed by the nodes N31 and N121 can be obtained from Equation 4. have.

The interval key LIK generated through Equation 4 is preferably assigned to the node N121. In addition, the node N121 includes a section key of a section consisting of a node N2C and a node N121, a section key of a section consisting of a node N22 and a node N121, and a node N1C and a node N121. At least one of a section key of a section, among the nodes forming the hierarchical node group N121 and the hierarchical node group 700, is assigned at least one of a section key of a section except for the node N121.

Apply a one-way function to the right (Rhi, i is a natural number) if the node in the child row is to the right of the node in the parent row, or a one-way function to the left if the node in the child row is to the left of the node in the parent row ( Lhi, i is a natural number).

Each parent node or each child node of each row includes at least one interval key generated by a one-way function assigned to each row and functions assigned to different rows (eg, Rhi and hd). At least one interval key generated by applying and at least one interval key generated by applying functions Lhi and hd respectively assigned to different rows are assigned.

Therefore, each node forming the hierarchical group node 400 (N1 to NC, N11 to N1C, N21 to N2C, N31 to N3C, NC1 to NCC, N111 to N11C, N121 to N12C, N1C1 to N1CC, NCC1 to NCCC) At least one of at least one node key and at least one interval key is assigned.

Users corresponding to the child nodes N111 to N11C, N121 to N12C, N1C1 to N1CC, and NCC1 to NCCC in the second row are allocated 360. That is, users are assigned to each of the nodes constituting the last row among a hierarchical node group composed of D (D is a natural number) rows.

A direct line of each of the nodes forming the lowest row in each of the child nodes N111 to N11C, N121 to N12C, N1C1 to N1CC, and NCC1 to NCCC shown in FIG. 4. Assign at least one said node key assigned to a parent node and / or at least one said interval key assigned to said immediate parent node.

Node N11 is a parent node of each node N111-N11C, and node N1 is a node of each node N11-N1C. That is, node N111 is assigned node keys K (N11, K (N1)) assigned to its direct parent nodes N11 and N1, and node N121 is assigned to its direct parent node N12. Node keys K (N12) and K (N1) assigned to N1) are assigned, and node keys K (NCC) and K (assigned to their immediate parent nodes NCC and NC are assigned to node NCCC. NC)) is assigned.

4 to 7, the one-way function allocates two one-way functions Rhi and Lhi to each i (i is a natural number) row among D (D is a natural number) rows.

A method of calculating a section key of a section by using a stepwise one-way function will be described with reference to FIGS. 4 to 7.

이고

이고

, 즉 B가 A의 우측에 있다(

)고 하자.

ego

ego

, B is on the right side of A (

Let's say

는

에 대하여

으로 정의한다.1) When k = 1, the right oneway function is used. In other words,

Is

about

It is defined as

는

,

에 대하여

으로 정의한다.2) If k <1, the right cascade function is used. In other words,

Is

,

about

It is defined as

는

,

에 대하여

으로 정의한다.3) If k> 1, the left cascade function is used.

Is

,

about

It is defined as

The right one-way function is equal to Rhi in the present specification, and the left one-way function is equal to Lhi in the present specification.

8 is a flowchart illustrating a broadcast encryption method according to an embodiment of the present invention. 9 is a flowchart illustrating a method of calculating a right section key and a left section key according to an embodiment of the present invention.

8 and 9, the broadcast center (broadcast transmitter or encryption apparatus) is a node in the hierarchical node group 900, each node in a straight line (N111 to N11C, N121 to N12C, N1C1 to N1CC, NCC1 to NCCC) At least one illegal user (N211 and NCCC) among the users mapped with) is represented by X, and X is obtained on the straight line to obtain at least one section [A, B] including legitimate users. Remove the user indicated by (810).

Accordingly, the broadcast center obtains a plurality of sections including legitimate users in a straight line (820). As shown in Fig. 9, the broadcasting center removes illegal users N211 and NCCC on a straight line and obtains a section [A, B] = [N212, NCC2].

Then, the broadcasting center compares the length of the interval [A, B] with the size of the node's reference length Cd (eg, the length of the row to which the user is assigned) (830), and the interval ([A, B]). When the length of P is smaller than the reference length Cd of the node, the interval [A, B] is called a basic interval, and the interval key BIK of the basic interval is obtained using Equation 5 (831).

Where hd represents a one-way function assigned to the lowest row and KA represents a node key assigned to node A.

)로 계산한다. 그러나 노드(B')가 노드(A')보다 상위 행에 존재하는 경우 구간[A, B]의 구간 키는

으로 계산한다.The interval key of the interval [A, B] is the node A and the node (A) using the stepwise one-way function described above with respect to the node key K _A of the node _A and the node key K _B of the node _B. If B) is a node in the same row or node A exists in a row higher than node B, the node key of the interval [A, B] is (

Calculate However, if node B 'exists in a row higher than node A', the interval key of the interval [A, B] is

Calculate

If the length of the interval [A, B] is greater than the reference length Cd of the node, the broadcast center finds the node (N3 = C) of the best row included in the interval [A, B] (840). .

The left section LI = [A, C] formed by the node C of the top row and the start node A of the section [A, B], the node C of the top row and the section The right section RI = [C, B] formed by the end node B of ([A, B]) is obtained (850).

Using the first one-way functions Rh1 and Rh2 assigned to each row, a right interval key RIK corresponding to the right interval [C, B] is calculated and the first assigned to each row is calculated. A left interval key LIK corresponding to the left interval [A, C] is calculated using the two-way functions Lh1 and Lh2 (860).

이다. 또한, 노드(N31)와 노드(N22)의 길이가 n이고, 노드(N221)와 노드(N212)의 길이가 m인 경우, 왼쪽 구간([A, C])에 상응하는 왼쪽 구간 키(LIK)는

이다. Referring to FIG. 9, when the length of the node N3C and the node NC2 is t and the length of the node NC2C and the node NCC2 is s, the right side corresponding to the right section [C, B] Segment key (RIK)

to be. In addition, when the lengths of the nodes N31 and N22 are n and the lengths of the nodes N221 and N212 are m, the left interval key LIK corresponding to the left interval [A, C] is obtained. )

to be.

In operation 870, the broadcasting center generates a session key SK.

)한다(880). The broadcasting center encrypts the session key SK using the left interval key LIK and the right interval key RIK, respectively.

(880).

The broadcasting center encrypts a message using a session key (SK) (885), and encrypts a message including information on the section, information on each encrypted session key, and content encrypted using the session key. The message is sent (890).

That is, the broadcasting center transmits an encrypted message represented by Equation 6.

10 is a flowchart illustrating a decoding method according to an embodiment of the present invention. 11 is a block diagram of a receiver according to an embodiment of the present invention. 12 conceptually illustrates a method of calculating a section to which it belongs and calculating a section key of the section according to an embodiment of the present invention.

The receiver 230 has a key storage means 231 and a processor 233. The key storage means 231 stores at least one node key and at least one interval key allocated according to the key generation method described with reference to FIGS. 3 to 7.

The processor 233 receives the encrypted message (1010), and based on the section information included in the header of the received message, the user (or receiver) section to which it belongs (for example, the basic section, the right section and the left section One section), using the user key (or section key) stored in the key storage means 231, calculating the section key of the section to which the user belongs (1030), and using the calculated section key. The session key is decrypted (1040) and the content is decrypted using the session key (1050).

The processor 233 receives the message encrypted using the session key, and the processor of a legitimate user belonging to the section indicated in the header of the encrypted message calculates the session key using the section key of the section to which the processor belongs. And decrypt the encrypted message using the calculated session key.

12 illustrates a concept in which a user (receiver or processor) obtains a section to which the user belongs.

The user N312 = UK obtains the section ([A, B] = [N211, N32C]) to which he belongs, and from the node (N2 = C) of the highest row included in the section ([A, B]), It has a segment key Rh ₂ (K (N2)) obtained by applying a one-way function Rh2 corresponding to the highest immediate parent node N31 of the user UK.

)을 노드(N32C)까지 m번 일방향 함수(hd)로 연산하여 암호화된 메시지를 복호하는데 필요한 구간 키(

)을 구한다. 그리고 계산된 구간 키(

)를 이용하여 세션 키(SK)를 복호하고(1040), 복호된 세션 키(SK)를 이용하여 암호화된 컨텐츠를 복호한다(1050).Therefore, the user UK assigned to the node N312 has its own interval key (

) Is a one-way function (hd) m to node N32C to compute the interval key (

). And the calculated interval key (

Decrypt the session key (SK) using the (1040), and decrypts the encrypted content using the decrypted session key (SK) (1050).

For example, when node A is a node of the top row, the user B having the interval keys K _{A and B} of the sections _{A and B} is the interval keys K _{A and C} of the sections _{A and C.} In order to decrypt the encrypted session key, the interval key (K _{A, C} ) of the interval [A, C] from the interval key (K _{A, B} ) is calculated through Equation (7).

)로 암호화된 세션 키를 복호화하기 위해 구간 키(K_{A, B})로부터 구간[B, C]의 구간 키(

)를 수학식8을 통하여 계산한다.When node B is a node of the top row, the user B having the interval keys K _{A and B} of the interval [A, B] is the interval key (the interval B of the interval [B, C]).

The interval key of the interval [B, C] from the interval key (K _{A, B} ) to decrypt the session key encrypted with

) Is calculated through Equation 8.

Figure 13 shows a graph comparing the transmission amount according to the conventional method and the transmission amount according to an embodiment of the present invention. Referring to FIG. 13, the transmission amount according to the broadcast encryption method described in US Patent Publication No. US 2002/0147906 A1 increases at a rate of 2r as the number of illegal users r increases. However, in case of using the broadcast encryption method according to the present invention, the amount of transmission is increased by the ratio of 2r until the number of illegal users (r) is (N / Cd), but the number of illegal users (r) is (N / Cd). If exceeds, the amount of transmission increases at the rate of r as the number of illegal users (r) increases. Where N represents the total number of users and Cd represents the length (or number) of users forming the last row.

Embodiments of the present invention can be written as a program executable in a computer system. Also, the program read out from the computer-readable recording medium that recorded the program can be executed in the digital computer system. The recording medium may include a magnetic storage medium (e.g., ROM, floppy disk, hard disk, etc.), an optical reading medium (e.g., CD-ROM, DVD, etc.) and a carrier wave (e.g., transmission over the Internet). Media.

Although the present invention has been described with reference to one embodiment shown in the drawings, this is merely exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

As described above, the key generation method, the encryption method and the decryption method using the key generation method of the present invention have the effect of reducing the amount of transmission.

Claims (20)

In the key generation method, A plurality of nodes are assigned to each of the plurality of rows, and the at least one node constituting any one of the plurality of rows is associated with at least one node constituting another one of the plurality of rows to be associated with each other. Forming a hierarchical node group composed of nodes of; At least one node key is assigned to each of all nodes forming the hierarchical node group; Assigning at least one one-way function to each of the plurality of rows; A section consisting of two nodes selected from all nodes forming the hierarchical node group is set, and at least one one-way function assigned to at least one row including each of the two nodes forming the section. Applying an interval key of the interval, and assigning the generated interval key to any one of the selected two nodes; and And assigning a user to each of a plurality of nodes constituting a last row among the plurality of rows. In the key generation method, N (where N is a natural number), each of the N rows includes a plurality of nodes, and a plurality of rows forming an I (where I is a natural number less than N) of the N rows. Each node is assigned a parent node, and at least one node selected from among a plurality of nodes constituting the (I + 1) th row is assigned to at least one child node of the plurality of parent nodes, thereby hierarchical node group. generating a hierarchical node group; At least one node key is assigned to each of all nodes forming the hierarchical node group; Assigning at least one one-way function to each of the N rows; A section consisting of two nodes selected from all nodes forming the hierarchical node group is set, and at least one one-way function assigned to at least one row including each of the two nodes forming the section. Calculating and generating an interval key of the interval, and assigning the generated interval key to any one of the selected two nodes; and And assigning a user to each of a plurality of nodes constituting the Nth row. 3. The node of claim 2, wherein one node key is assigned to each of the plurality of nodes constituting the Nth row of the hierarchical node group, and two node keys are assigned to each of the plurality of nodes constituting the remaining row. Key generation. 3. The method of claim 2, wherein one N-way function is assigned to the N-th row of the hierarchical node group, and two one-way functions are assigned to each of the remaining rows. The method of claim 2, wherein the key generation method comprises: Each of the nodes constituting the Nth row includes at least one of the at least one node key assigned to the direct parent node of each of the nodes constituting the Nth row or at least one interval key assigned to the direct parent node. The key generation method further comprises the step of assigning one. In the key generation method, (A) allocating a plurality of nodes to an I (I is a natural number) row; (B) forming a (I + 1) -th row by assigning a plurality of nodes to each of the plurality of nodes allocated to the I-th row; The step (b) is repeated until the (I + 1) th row becomes the D (D is a natural number) row while increasing I by 1 to form a hierarchical node group including a plurality of nodes. (C) being; (D) at least one node key is assigned to each of all nodes forming the hierarchical node group; (E) assigning at least one one-way function to each row formed through steps (a) to (c); A section consisting of two nodes selected from all the nodes forming the hierarchical node group is set, and is assigned to at least one row including each of the two nodes forming the section through step (e). (F) a step key of the section is generated by calculating at least one one-way function, and the generated section key is assigned to any one of the selected two nodes; and And (g) assigning a user to each of a plurality of nodes constituting the D-th row. The method of claim 6, wherein the key generation method comprises: Each of the plurality of nodes constituting the D-th row has at least one node key assigned through the steps (a) and (C) and (d) or at least one assigned through the step (f). And at least one of the one interval key is assigned. A computer-readable recording medium having recorded thereon a program for executing the method according to any one of claims 1 to 7. delete delete delete delete delete delete delete delete delete delete delete delete

Images