JP2000244474A - Group key method, device therefor and recording medium recorded with group key program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To decode information which is ciphered in the past only by means of holding the latest group key by a group member by decoding shared information ciphered by a past group key through the use of the group key derived by using one direction function from the latest group key that a user himself holds. SOLUTION: A user holds the latest group key, ciphers shared information by using the latest group key and decodes shared information ciphered by the group key with the group key. Shared information ciphered by the past group key is decoded by using the group key derived from the latest group key that the user himself holds by using the one direction function. This group key device is composed of a group key generation mechanism 1 for generating the group key and plural user terminals 3a-3c using shared information of the group by ciphering/decoding it by using the generated group key.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a group key method and apparatus for sharing information by sharing a key for encrypting / decrypting shared information among a group of a plurality of users. A group key method, a device, and a group key program, in which the shared information of a group of users is encrypted with a group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key. To a recording medium.

[0002]

2. Description of the Related Art Businesses and workflows in a company are often performed by a group for each organization or each business. For example, whether to operate or view confidential information is determined depending on the department, post, etc. In order to protect such confidential information that is confidential to the group, a group must be created for each job, department, and position, and an encryption key (hereafter referred to as a group key) must be assigned to each group, and encryption must be performed. Is an effective method.

Arai et al. Attach a destination list to a shared document of a group, compare the destination list with user attribute information (name, department name, etc.) stored in an IC card or the like, and control access to the shared information. He proposes a group key method to be performed (Masato Arai, Tadashi Kazumi, Hiromichi Ito, Toshiyuki Shibata: Group encryption system for corporate information, computer security 1-3, p.11-16, May 29.1998). The destination list describes the names or department names of users who can access the shared document. However, groups in the workflow can be created for more detailed tasks other than department names,
In general, it is easy to add and delete groups.

In addition, Matsuzaki et al. Have proposed a method in which a key is updated in a new group in all the remaining terminals except the terminal specified by the center in a mobile communication system (Natsume Matsuzaki, Junjun Azai: Mobile Group Key Update Method Suitable for Mobile Communication (II), Group Key Update Method Suitable for Mobile Communication
(III), ISEC 97-73, p.51-62, Mar. 1998).

[0005]

According to the method of Arai et al. Described above, in order to add a new group, the IC card is collected and attribute information is changed, or a destination list of shared information of the newly added group is added. Has to list the names of the members of the group.

The above-mentioned method of Matsuzaki et al., When applied to encryption of shared information in a group, has the following problem.

In the case of a method of paying out a group key for each group, when a member X of the group withdraws at a certain time t,
It is necessary to update the group key GK _old of the group to a new group key GK _new that the member X cannot know.
The members remaining in the group obtain GK _new, and after t, encrypt with GK _new . However, since GK _old is required to decrypt a document encrypted before time t,
The remaining members of the group must hold GK _old and GK _new . In this way, the number of keys held by the members remaining in the group increases each time the key is updated. Also, members newly joining the group are updated with the latest group key GK.
There is also a problem that the past group key GK _old must be obtained in addition to _new .

On the other hand, in a plurality of groups having a hierarchical structure, it is common that upper-level group members have authority to encrypt / decrypt information of lower-level groups. For example, in a model in which a department manager group, a section manager group, and a section manager group exist in a corporate organization as shown in FIG. Can generally encrypt / decrypt the information of the section manager group and the section manager group. In the case of the method of dispensing keys for each group, there is a problem that members of each group must hold lower-level group keys in addition to their own group keys.

As described above, in the conventional method of issuing a group key for each group, (1) when a group key is updated, a past group key must be held in addition to the latest group key. (2) A newly added member must obtain a past group key in addition to the latest group key. (3) Each member of a plurality of groups having a hierarchical structure has its own group key. In addition to the above, there is a problem that a lower-level group key must be held.

[0010] The present invention has been made in view of the above,
The purpose is to provide a group key method in which a group member can decrypt information encrypted in the past and decrypt / encrypt information of a lower class group only by holding the latest group key, and It is an object of the present invention to provide a recording medium in which an apparatus and a group key program are recorded.

[0011]

In order to achieve the above object, according to the present invention, the shared information of a group of a plurality of users is encrypted with a group key and shared by the group. A group key method in which encrypted shared information is decrypted with a group key and used, wherein the group key is a key of a common key cryptosystem and uses a one-way function f published from secret information S. each value of n to be created Te _{t n = f (S),} ..., t k + 1 = f (t k + 2), t k = f
_{(T k + 1), ...} , key derived from _{t 1 = f (t 2)} (, GK n ..., GK k + 1, GK k, ..., GK 1) is, to update the group key Each time, the key (GK _1, ..., G
_{K k + 1, GK k,} ..., to use in the order of GK _n), at the time of update of the group key GK _k, it generates a new group key GK k _{+ 1,} the user, the updated latest of the group key GK holding only _k , encrypts the shared information of the group using this latest group key, decrypts the shared information encrypted with the group key with the group key, and encrypts the shared information encrypted with the past group key. The gist is that decryption is performed using a group key derived from the latest group key GK _k held by the user using a one-way function.

According to the first aspect of the present invention, the group key is a key of the common key cryptosystem, and each of the n group keys is created by using a one-way function f published from the secret information S. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k =
f (t _{k + 1} ),..., t ₁ = key (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from f (t ₂ ), and updates the group key Each time the key (GK ₁ , ..., GK
_{k + 1, GK k, ...} , to use in the order of GK _n), at the time of update of the group key GK _k generates a new group key GK k _{+ 1,} the user holds only the most recent of the group key GK _k, This latest group key is used to encrypt the shared information of the group, the shared information encrypted with the group key is decrypted with the group key, and the shared information encrypted with the past group key is retained by the user himself The decryption is performed using the group key derived from the latest group key GK _k using a one-way function, so that the user does not need to retain the past group key as in the related art, and also needs to newly create the group. The members who have joined need only obtain the latest group key, and do not need to obtain the past group key.

Here, the group key is, for example, a key for encrypting / decrypting shared information, and is a key shared by the group.

According to a second aspect of the present invention, shared information of a group consisting of a plurality of users is encrypted with a group key and shared by the group, and the user decrypts the encrypted shared information with the group key. A group key method, wherein the group key is a key of a public key cryptosystem, and each of _n values t _n created using a one-way function f published from the secret information S. = F (S), ..., t _{k + 1} = f (t
_{k + 2} ), t _k = f (t _{k + 1} ),..., t ₁ = f (t ₂ ) derived secret keys (SGK _n ,..., SGK _{k + 1} , SG
K _k ,..., SGK ₁ ) and the public key (PGK _n ,.
GK _{k + 1} , PGK _k ,..., PGK ₁ ). Each time the group key is updated, the key (SGK ₁ , PGK ₁ ,
K ₁ ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SG
_{K k, PGK k), ...} , the (SGK _n, used in the order of PGK _n), a group key (SGK _k, at the time of update of the PGK _k), a new group key _{(SGK k + 1, PGK k} + 1) The user generates and updates the latest group key (SGK
_k , PGK _k ), and encrypts the shared information of the group using the latest public key PGK _k of the group key. The shared information encrypted with the public key PGK _k of the group key is used For shared information decrypted with the secret key SGK _k and encrypted with the past group key, decryption is performed using a secret key derived from the latest group key secret key SGK _k using a one-way function. Make a summary.

According to the second aspect of the present invention, the group key is a key of a public key cryptosystem, and each of n group keys created by using a one-way function f published from the secret information S. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k = f
_{(T k + 1), ...} , t 1 = secret key that is derived from _{f (t 2) (SGK n} , ..., SGK k + 1, SGK k, ..., SGK
₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PGK)
_k, ..., is a pair of PGK _1), each time you update the group key, key _{(SGK 1, PGK 1),} ..., (SGK
_{k + 1, PGK k + 1} ), (SGK k, PGK k), ...,
(SGK _n , PGK _n ) in this order and use the group key (S
When updating GK _k , PGK _k , a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user holds only the updated latest group key (SGK _k , PGK _k ). , Using the latest group key public key PGK _k to encrypt the group shared information,
The shared information encrypted by GK _k is used as the secret key S of the group key.
Since the shared information decrypted with GK _k and encrypted with the past group key is decrypted using a secret key derived from the latest secret key SGK _k of the group key using a one-way function, the user must Unlike the related art, it is not necessary to hold the past group key, and a member newly joining the group only needs to obtain the latest group key, and does not need to obtain the past group key.

Further, the present invention according to claim 3 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A group key method capable of decrypting and using the shared information with a group key and encrypting / decrypting each user's own class and information of a class lower than the own class, The group key is a key of a common key cryptosystem, and m values y each created using a one-way function g disclosed from the secret information S
_m = g (S),..., y _{k + 1} = g (y _{k + 2} ), y _k = g
(Y _{k + 1} ),..., Y ₁ = g (y ₂ ) derived keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ). (G
_{K 1, ..., GK k +} 1, GK k, ..., assigned to the user in the order of GK _m), user, holds only the latest of the group key GK _k assigned, using the group key, group In order to encrypt the shared information and decrypt the encrypted shared information with the group key of its own class, and to decrypt the information encrypted with the group key of the lower class, the user himself The gist is to use a key derived from its own group key GK _k using a one-way function.

According to the third aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function g disclosed from the secret information S is M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
(Y _{k + 1} ),..., Y ₁ = g (y ₂ ) derived keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ). (G
_{K 1, ..., GK k +} 1, GK k, ..., order on allocation to the user of the GK _m), the user holds only the most recent of the group key GK _k, the shared information of the group using the group key In order to encrypt and decrypt the shared information encrypted with the group key of its own class, and to decrypt the information encrypted with the group key of a lower class than itself, the user himself / herself must use his / her own group key. Since a key derived from GK _k using a one-way function is used, the user does not need to retain a past group key as in the past, and members of each group have a lower level in addition to their own group key. It is not necessary to hold the group key of the class.

According to a fourth aspect of the present invention, there is provided a hierarchical structure including a plurality of classes, wherein shared information of a group of a plurality of users is encrypted with a group key and shared by the group.
A user decrypts and uses the encrypted shared information with a group key, and the user uses a group key method capable of encrypting / decrypting his / her class and information of a class lower than his / her class. Then, the group key is a key of a public key cryptosystem, and _m values y _m = g created using a one-way function g published from the secret information S
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
, SGK _m , SGK _{k + 1} , SGK _k , SGK _m derived from (y _{k + 1} ),..., Y ₁ = g (y ₂ )
₁ ) and public keys (PGK _m ,..., PGK _{k + 1} , PGK
_k, ..., is a PGK _1), as a group key from the top of each class in each _{class, (SGK 1, PGK 1)} , ..., (S
GK _{k + 1} , PGK _{k + 1} ), (SGK _k , PGK _k ),
, (SGK _m , PGK _m ) are sequentially assigned to the user, and the user assigns the latest group key (S
GK _k, holds the PGK _k) only, using the public key PGK _k of this group key, to encrypt the shared information of the group, using a secret key SGK _k, public key PGK _k of the group key to the class of its own Decrypts the shared information encrypted with
In order to decrypt information encrypted with a group key of a class lower than itself, it is essential that the user himself uses a key derived from his own secret key SGK _k using a one-way function. .

According to the fourth aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a public key cryptosystem, and the one-way function g disclosed from the secret information S is M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
, SGK _m , SGK _{k + 1} , SGK _k , SGK _m derived from (y _{k + 1} ),..., Y ₁ = g (y ₂ )
₁ ) and public keys (PGK _m ,..., PGK _{k + 1} , PGK
_k, ..., is a PGK _1), as a group key from the top of each class in each _{class, (SGK 1, PGK 1)} , ..., (S
GK _{k + 1} , PGK _{k + 1} ), (SGK _k , PGK _k ),
, (SGK _m , PGK _m ) are sequentially assigned to the user, and the user assigns the latest group key (SG
K _k , PGK _k ) and encrypts the group's shared information using the public key PGK _k of this group key,
To decrypt the shared information encrypted with the public key PGK _k of the own class key using the secret key SGK _k and to decrypt the information encrypted with the group key of a lower class than itself Since the user himself / herself uses a key derived from his / her own secret key SGK _k using a one-way function, the user does not need to hold the past group key as in the related art, and the member of each group Does not need to hold lower-level group keys in addition to its own group key.

The present invention according to claim 5 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A group key method for decrypting and using the shared information with a group key, and enabling each user to encrypt / decrypt information of its own class and information of a class lower than its own class, The group key is a key of a common key cryptosystem, and each of _n values t _n = f (S1),..., _{Tk +} created using a one-way function f disclosed from the secret information S1. ₁ = f (t _{k + 2} ), t _k =
f (t _{k + 1} ),..., t ₁ = f (t ₂ ) and secret information S
M using the one-way function g published from
Values y _m = g (S2),..., Y _{k + 1} = g
(Y _{k + 2} ), y _k = g (y _{k + 1} ),..., Y ₁ = g
(GK _r ,..., GK _{k + 1} , G) derived from (y ₂ )
_Kk ,..., GK ₁ ). When the group key GK _k is updated, a new group key GK _{k + 1} is generated, and the user
Only the updated latest group key GK _k is retained, the shared information of the group is encrypted using the updated group key, and the shared information encrypted with the group key of its own class is decrypted. The shared information encrypted with the group key is decrypted using the group key derived by using the one-way function f from the latest group key GK _k held by the user himself, and is classified into a lower class than itself. The gist is that the information encrypted with the group key is decrypted by the user using a key derived from the own group key with the one-way function g.

According to the fifth aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function g disclosed from the secret information S1 is N values t _n = f created using
_{(S1), ..., t k} + 1 = f (t k + 2), t k = f (t
_{k + 1} ),..., t ₁ = f (t ₂ ) and _m values y _m = g (S2),..., y created using the one-way function g disclosed from the secret information S2. _{k + 1} = g (y _{k + 2} ), y _k
= G (y _{k + 1} ),..., Y ₁ = keys (GK _r ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from g (y ₂ ), and the group key GK _k At the time of updating, a new group key GK _{k + 1} is generated, and the user holds only the latest group key GK _k , encrypts the shared information of the group using this latest group key, The shared information encrypted with the group key of the class is decrypted, and the shared information encrypted with the past group key is derived from the latest group key GK _k held by the user using the one-way function f. The information encrypted with the group key of the lower level and the information encrypted with the group key of a lower level than itself is decrypted with the key derived by the user himself from the own group key with the one-way function g. Therefore, the user needs to keep the past group key as before. Ku, also members joined the new group it is sufficient to obtain only the latest of the group key,
There is no need to obtain a past group key, and furthermore, each group member does not need to hold a lower-level group key in addition to its own group key.

Furthermore, the present invention according to claim 6 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A group key method for decrypting and using the shared information with a group key, and enabling each user to encrypt / decrypt information of its own class and information of a class lower than its own class, The group key is a key of the public key cryptosystem, and each of _n values t _n = f (S1),..., _{Tk +} created using the one-way function f disclosed from the secret information S1. ₁ = f (t _{k + 2} ), t _k =
f (t _{k + 1} ),..., t ₁ = f (t ₂ ) and secret information S
M using the one-way function g published from
Values y _m = g (S2),..., Y _{k + 1} = g
(Y _{k + 2} ), y _k = g (y _{k + 1} ),..., Y ₁ = g
Secret key (SGK _r ,..., SGK) derived from (y ₂ )
_{k + 1} , SGK _k ,..., SGK ₁ ) and the public key (PGK
_{r, ..., PGK k + 1} , PGK k, ..., is a pair of PGK _1), a group key (SGK _k, at the time of renewal of the PGK _k), a new group key _{(SGK k + 1, PGK k} + 1) Is generated, and the user enters the latest group key (SGK _k , PGK
_k ) only, and the public key PG of this latest group key
The shared information of the group is encrypted using K _k , the shared information encrypted with the public key PGK _k of the group key is decrypted with the secret key SGK _k of the group key, and the shared information encrypted with the past group key is encrypted. The information is decrypted using the secret key derived from the latest secret key SGK _k of the group key using the one-way function f, and the information encrypted with the group key of a lower class than itself is obtained. In other words, the gist is that the user himself is decrypted using a secret key derived from his / her own group key with the one-way function g.

According to the sixth aspect of the present invention, the group key is a key of a public key cryptosystem, and each of the n group keys is created by using a one-way function f published from the secret information S1. Value t _n = f (S1),..., T _{k + 1} = f (t _{k + 2} ), t _k
= F (t _{k + 1} ),..., T ₁ = f (t ₂ ) and _m values y _m = g (S2) created using the one-way function g published from the secret information S2 , ..., y _{k + 1} = g
(Y _{k + 2} ), y _k = g (y _{k + 1} ),..., Y ₁ = g
Secret key (SGK _r ,..., SGK) derived from (y ₂ )
_{k + 1} , SGK _k ,..., SGK ₁ ) and the public key (PGK
_{r, ..., PGK k + 1} , PGK k, ..., is a pair of PGK _1), a group key (SGK _k, at the time of renewal of the PGK _k), a new group key _{(SGK k + 1, PGK k} + 1) Is generated, and the user receives the latest group key (SGK _k , PG
K _k ) and the public key P of this latest group key
Using GK _k , the shared information of the group is encrypted, the shared information encrypted with the public key PGK _k of the group key is decrypted with the secret key SGK _k of the group key, and the shared information encrypted with the past group key is encrypted. Information is the secret key S of the latest group key
Information decrypted using a secret key derived from GK _k using a one-way function f and encrypted with a group key of a lower class than itself is used by the user himself to obtain a one-way function g from his own group key. Since it is decrypted using the secret key derived in the above, the user does not need to keep the past group key as in the past, and if newly added members only get the latest group key Often, there is no need to obtain a past group key, and furthermore, each group member does not need to hold a lower-level group key in addition to its own group key.

The present invention according to claim 7 provides the invention according to claims 3 to 6
In the invention according to any one of the above,
Using the public information Y ₁ , Y ₂ ,..., Y _m representing the hierarchical organization, _m values y _m =
g (S‖Y _m ),..., y _{k + 1} = g (y ′ _{k + 1} ‖
Y _{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., Y ₁ = g
It is derived from (y ′ ₁ ‖Y ₁ ), where y ′ _k is a gist that is a value of an upper layer of y _k .

[0025] In the present invention according to claim 7, group key public information Y _1, Y ₂ representing the hierarchical organization, ..., using the Y _m, m-number of which is created by the one-way function g Each value y _m =
g (S‖Y _m ),..., y _{k + 1} = g (y ′ _{k + 1} ‖
Y _{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., Y ₁ = g
(Y ′ ₁ ‖Y ₁ ).

The present invention according to claim 8 provides the present invention according to claim 1.
In the invention according to any one of the first to seventh aspects, the shared information is encrypted with an arbitrary key generated by a user, and the key is encrypted with a group key and attached to the encrypted shared information as attached information. Is the gist.

According to the present invention as set forth in claim 8, the shared information is encrypted with an arbitrary key generated by the user, and this key is encrypted with a group key, and the encrypted shared information is added as attached information to the encrypted shared information. Attach.

Further, the present invention described in claim 9 is based on claim 8.
In the invention described above, the gist is that the attached information is encrypted with the latest group key every time the group key is updated.

According to the ninth aspect of the present invention, each time the group key is updated, the attached information is encrypted with the latest group key.

According to a tenth aspect of the present invention, shared information of a group including a plurality of users is encrypted with a group key and shared by the group, and the user decrypts the encrypted shared information with the group key. A group key device to be used, which is a key of a common key cryptosystem, and each of n values t created by using a one-way function f disclosed from secret information S
_{n = f (S), ...} , t k + 1 = f (t k + 2), t k = f
Group keys (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from (t _{k + 1} ),..., T ₁ = f (t ₂ )
.., GK _{k + 1} , GK ₁ each time the generated group key is updated.
K _k, ..., to use in the order of GK _n), at the time of update of the group key GK _k, and the group key update means for generating a new group key GK k _{+ 1,} provided to the user terminal, the updated latest Using the group key holding means for holding only the group key GK _k as the user's own group key and the latest group key held in the group key holding means, the shared information of the group is encrypted, and the group key is encrypted. Encryption to decrypt shared information encrypted with
A decryption means, and a user's own latest group key G stored in the group key storage means, for storing a group key for decrypting the shared information encrypted with the past group key.
The key point is to have a past information group key deriving unit that derives from K _k using a one-way function.

According to the tenth aspect of the present invention, the group key is a key of a common key cryptosystem, and each of the n group keys is generated by using a one-way function f published from the secret information S. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k =
f (t _{k + 1} ),..., t ₁ = key (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from f (t ₂ ), and updates the group key Each time the key (GK ₁ , ..., GK
_{k + 1, GK k, ...} , to use in the order of GK _n), at the time of update of the group key GK _k generates a new group key GK k _{+ 1,} the user holds only the most recent of the group key GK _k, This latest group key is used to encrypt the shared information of the group, the shared information encrypted with the group key is decrypted with the group key, and the shared information encrypted with the past group key is retained by the user himself The decryption is performed using the group key derived from the latest group key GK _k using a one-way function, so that the user does not need to retain the past group key as in the related art, and also needs to newly create the group. The members who have joined need only obtain the latest group key, and do not need to obtain the past group key.

Further, according to the present invention, the shared information of a group consisting of a plurality of users is encrypted with a group key and shared by the group, and the user decrypts the encrypted shared information with the group key. A group key device that is used in the form of a key, and is a key of a public key cryptosystem, and each of _n values t _n = f (S (S) created using a one-way function f published from secret information S ),..., T _{k + 1} = f (t _{k + 2} ), t _k =
secret keys (SGK _n ,..., SGK _{k + 1} , SGK _k ,..., SG) derived from f (t _{k + 1} ),..., t ₁ = f (t ₂ )
K ₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PG
K _k, ..., and a private key / public key generation means for the group key to generate a pair of PGK _1), each time you update the group key, key _{(SGK k, PGK 1),} ..., (SGK k + 1 , P
GK _{k + 1} ), (SGK _k , PGK _k ), ..., (SG
K _n , PGK _n ) in order, and the group key (SG
K _k , PGK _k ), the new group key (S
Group key updating means for generating GK _{k + 1} , PGK _{k + 1} ), and group key holding means provided in the user terminal and holding only the updated latest group key (SGK _k , PGK _k ); Using the latest group key public key PGK _k held in the group key holding means, the group shared information is encrypted, and the group key public key PGK
_The shared information encrypted with _k is used as the secret key SGK of the group key.
an encryption / decryption means for decrypting with _k , and a secret key of a group key for decrypting the shared information encrypted with the past group key, the latest group key held by the group key holding means. and summarized in that and a past information for the group key derivation means for deriving by using a one-way function from the secret key SGK _k of.

According to the eleventh aspect of the present invention, the group key is a key of a public key cryptosystem, and each of the n keys generated using a one-way function f published from the secret information S is used. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k =
secret keys (SGK _n ,..., SGK _{k + 1} , SGK _k ,..., SG) derived from f (t _{k + 1} ),..., t ₁ = f (t ₂ )
K ₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PG
K _k, ..., is a pair of PGK _1), each time you update the group key, key _{(SGK 1, PGK 1),} ..., (SGK
_{k + 1, PGK k + 1} ), (SGK k, PGK k), ...,
(SGK _n , PGK _n ) in this order and use the group key (S
When updating GK _k , PGK _k , a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user holds only the updated latest group key (SGK _k , PGK _k ). , Using the latest group key public key PGK _k to encrypt the group shared information,
The shared information encrypted by GK _k is used as the secret key S of the group key.
Since the shared information decrypted with GK _k and encrypted with the past group key is decrypted using a secret key derived from the latest secret key SGK _k of the group key using a one-way function, the user must Unlike the related art, it is not necessary to hold the past group key, and a member newly joining the group only needs to obtain the latest group key, and does not need to obtain the past group key.

Further, the invention according to claim 12 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A group key device capable of decrypting and using the shared information with a group key and encrypting / decrypting each user's own class and information of a class lower than the own class, M values y _m = g (S), which are keys of a common key cryptosystem and are created using a one-way function g disclosed from secret information S
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
keys (GK _m ,..., GK) derived from y ₁ = g (y ₂ )
_{k + 1} , GK _k ,..., GK ₁ ), and a group key of each class from the top for each class.
(GK ₁ ,..., GK _{k + 1} , GK _k ,..., GK _m ) and a group key assigning means assigned to the user in the order, and the latest group key GK _k provided in the user terminal and assigned to the user Using the group key holding means holding only the group key and the group key held in the group key holding means, the shared information of the group is encrypted and the shared information encrypted with the group key of its own class is decrypted. Encryption / decryption means, and a user's own group key GK _k held in the group key holding means for obtaining a key for decoding information encrypted with a group key of a lower rank than the own. A key deriving unit for deriving lower-class information using a one-way function.

According to the twelfth aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function g disclosed from the secret information S is M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
(Y _{k + 1} ),..., Y ₁ = g (y ₂ ) derived keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ). (G
_{K 1, ..., GK k +} 1, GK k, ..., order on allocation to the user of the GK _m), the user holds only the most recent of the group key GK _k, the shared information of the group using the group key In order to encrypt and decrypt the shared information encrypted with the group key of its own class, and to decrypt the information encrypted with the group key of a lower class than itself, the user himself / herself must use his / her own group key. Since a key derived from GK _k by using a one-way function is used, the user does not need to retain the past group key as in the past, and the members of the group are not limited to their own group key but also the lower group keys. There is no need to keep class keys.

According to a thirteenth aspect of the present invention, a shared structure of a group of a plurality of users is encrypted with a group key and shared by the group, and the users are encrypted. A group key device capable of decrypting and using shared information with a group key and allowing a user to encrypt / decrypt information of his / her own class and classes lower than his / her own class. Key of the scheme, a one-way function g published from secret information S
M values y _m = g (S),..., Y created using
_{k + 1 = g (y k} + 2), y k = g (y k + 1), ..., y 1 =
secret key (SGK _m ,..., SG) derived from g (y ₂ )
K _{k + 1} , SGK _k ,..., SGK ₁ ) and the public key (PG
_{K m, ..., PGK k +} 1, PGK k, ..., and a private key / public key generation means for the group key to generate a PGK _1), as a group key of each class from the upper level to each class, (SGK _1, P
GK ₁ ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SGK
_{k, PGK k), ...,} (SGK m, and the group key assignment means hitting assigned to the user a pair of PGK _m) in the order, provided to the user terminal, the group key assigned to the user (S
GK _k , PGK _k ) and the public key PGK _k of the group key held in the group key holding means, encrypts the shared information of the group, and uses the secret key SGK _k . Encrypting / decrypting means for decrypting the shared information encrypted with the public key PGK _k of the own group key, and decrypting the information encrypted with the group key of a lower class than itself. The user himself / herself holds a key for the secret key SGK by the group key holding means.
and a key deriving means for lower-class information derived from _k using a one-way function.

According to the thirteenth aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a public key cryptosystem, and a one-way function g published from the secret information S is used. M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
, SGK _m , SGK _{k + 1} , SGK _k , SGK _m derived from (y _{k + 1} ),..., Y ₁ = g (y ₂ )
₁ ) and public keys (PGK _m ,..., PGK _{k + 1} , PGK
_k, ..., is a PGK _1), as a group key from the top of each class in each _{class, (SGK 1, PGK 1)} , ..., (S
GK _{k + 1} , PGK _{k + 1} ), (SGK _k , PGK _k ),
, (SGK _m , PGK _m ) are sequentially assigned to the user, and the user assigns the assigned group key (SGK _k ,
PGK _k ) and the public key PG of this group key
Using K _k , the group shared information is encrypted, and the private key SGK _k is used to encrypt the public key P of the own group key.
In order to decrypt shared information encrypted with GK _k and decrypt information encrypted with a group key of a lower class than itself, the user himself / herself obtains a one-way function from his / her own secret key SGK _k. The user does not need to retain the past group keys as in the past, and the members of each group retain the lower-level group keys in addition to their own group keys because the derived keys are used. No need.

The present invention according to claim 14 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A group key device capable of decrypting and using the shared information with a group key and encrypting / decrypting each user's own class and information of a class lower than the own class, A key of the common key cryptosystem, and each of _n values t _n = f (S (S) created using a one-way function f published from the secret information S1
_{1), ..., t k +} 1 = f (t k + 2), t k = f
(T _{k + 1} ),..., T ₁ = f (t ₂ ) and secret information S2
, Each value y _m = g (S2),..., Y _{k + 1} = g (y _{k + 2} ), created using the one-way function g published from
The group keys (GK _r ,..., GK _{k + 1} , GK _k ,...) derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
GK ₁₎ generates, when updating the group key GK _k includes a group key generating means for generating a new group key GK k _{+ 1,} is provided to the user terminal, the updated latest group key GK _k only Using the latest group key held by the group key holding means for holding the group information as the user's own group key, encrypting the shared information of the group, and using the group key of its own class. An encryption / decryption unit for decrypting the encrypted shared information, and a user holding a group key for decrypting the shared information encrypted with the past group key in the group key holding unit. A past information group key deriving unit that derives from the latest group key GK _{k of} the own device using a one-way function f, and a device that decrypts information encrypted with a group key of a lower rank than the own device. And a group key deriving unit for lower class information that derives the key from the user's own group key held in the group key holding unit by a one-way function g.

According to the fourteenth aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function f disclosed from the secret information S1 is N values t _n = f created using
_{(S1), ..., t k} + 1 = f (t k + 2), t k = f (t
_{k + 1} ),..., t ₁ = f (t ₂ ) and _m values y _m = g (S2),..., y created using the one-way function g disclosed from the secret information S2. _{k + 1} = g (y _{k + 2} ), y _k
= G (y _{k + 1} ),..., Y ₁ = keys (GK _r ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from g (y ₂ ), and the group key GK _k Is updated, a new group key G
After generating K _{k + 1} , the user holds only the latest group key GK _k , encrypts the shared information of the group using the latest group key, and encrypts the information with the group key of its own class. The shared information encrypted with the past group key is decrypted using the group key derived using the one-way function f from the latest group key GK _k held by the user. Then, the information encrypted with the group key of a lower class than itself is decrypted by the user himself using the key derived from the own group key by the one-way function g, so that the user can It is not necessary to retain the past group key, and newly joined members need only obtain the latest group key. There is no need to hold the group key of the lower class in addition to the group key only.

According to a fifteenth aspect of the present invention, there is provided a hierarchical structure including a plurality of classes, wherein shared information of a group of a plurality of users is encrypted with a group key and shared by the group. A group key device for decrypting and using shared information with a group key, and allowing each user to encrypt / decrypt information of his / her own class and classes lower than his / her own class. _N values t _n = f (S1), which are keys of an encryption method and are created using a one-way function f published from secret information S1,
_{..., t k + 1 = f} (t k + 2), t k = f (t k + 1), ...,
_m values y _m = g created using t ₁ = f (t ₂ ) and the one-way function g published from the secret information S2
(S2),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y
_{k + 1), ..., y} 1 = g ( secret key that is derived from _{y 2) (SGK r, ...} , SGK k + 1, SGK k, ..., SG
K ₁ ) and public keys (PGK _r ,..., PGK _{k + 1} , PG
K _k ,..., PGK ₁ ) and generates a group key (S
When updating the GK _k , PGK _k ), a group key secret key / public key generation means for generating a new group key (SGK _{k + 1} , PGK _{k + 1} ) and a user terminal are provided and updated. Using a group key holding unit that holds only the latest group key (SGK _k , PGK _k ) as a user's own group key and a public key PGK _k of the latest group key held in the group key holding unit, Encrypting / decrypting means for encrypting the shared information of the group, decrypting the shared information encrypted with the public key PGK _k of the group key with the secret key SGK _k of the group key, and encrypting with the past group key; A past information secret derived by using a one-way function f from a secret key SGK _k of the latest group key of the user held by the group key holding means, for obtaining a secret key for decrypting the shared information. Key leader Means and a secret key for decrypting information encrypted with a group key of a lower rank than itself, is derived by a one-way function g from the user's own group key held in said group key holding means. And a secret key deriving means for lower class information.

According to the fifteenth aspect of the present invention, the group key is a key of the public key cryptosystem, and each of the n group keys created by using the one-way function f published from the secret information S1. Value t _n = f (S1),..., T _{k + 1} = f (t _{k + 2} ), t
_k = f (t _{k + 1} ),..., t ₁ = f (t ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2. ),..., Y _{k + 1} = g (y
_{k + 2} ), y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ ) derived secret keys (SGK _r ,..., SGK _{k + 1} , SG
K _k ,..., SGK ₁ ) and the public key (PGK _r ,.
GK _{k + 1} , PGK _k ,..., PGK ₁ ). When the group key (SGK _k , PGK _k ) is updated, a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated. The user holds only the latest group key (SGK _k , PGK _k ), encrypts the group's shared information using the latest group key's public key PGK _k , and encrypts it with the group key's public key PGK _k . The encrypted shared information is decrypted with the secret key SGK _k of the group key, and the shared information encrypted with the past group key is used as the secret derived by using the one-way function f from the secret key SGK _k of the latest group key. The user decrypts the information using the key, and encrypts the information encrypted with the group key of a lower class than the user.
Since it is decrypted using the secret key derived in, the user does not need to retain the past group key as in the past,
Also, newly added members need only obtain the latest group key, and do not need to obtain the past group key. In addition, members of each group have their own group key as well as lower-level groups. There is no need to keep keys.

The invention of claim 16 is the invention according to any one of claims 12 to 15, wherein the group key, public information Y _1, Y ₂ representing the hierarchical organization, ..., using the Y _m , M values y produced by the one-way function g
_m = g (S‖Y _m ),..., y _{k + 1} = g (y ′ _{k + 1} ‖Y
_{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., y ₁ = g
It is derived from (y ′ ₁ ‖Y ₁ ), where y ′ _k is a gist that is a value of an upper layer of y _k .

According to the present invention, the group key is public information Y ₁ , Y ₂ ,..., Y _m representing a hierarchical organization.
And _m values y _m created by the one-way function g
= G (S‖Y _m ),..., Y _{k + 1} = g (y ′ _{k + 1} ‖
Y _{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., Y ₁ = g
(Y ′ ₁ ‖Y ₁ ).

According to a seventeenth aspect of the present invention, in the invention according to any one of the tenth to sixteenth aspects, the shared information is encrypted with an arbitrary key generated by a user, and the key is encrypted with a group key. The gist is to attach the encrypted information as attached information to the encrypted shared information.

According to the seventeenth aspect of the present invention, the shared information is encrypted with an arbitrary key generated by the user, and this key is encrypted with the group key, and the encrypted shared information is added as the attached information to the encrypted shared information. Attach.

Further, the present invention according to claim 18 is characterized in that, in the invention according to claim 17, every time the group key is updated, the attached information is encrypted with the latest group key.

According to the present invention, each time the group key is updated, the attached information is encrypted with the latest group key.

According to a nineteenth aspect of the present invention, shared information of a group consisting of a plurality of users is encrypted with a group key and shared by the group, and the user decrypts the encrypted shared information with the group key. A recording medium on which a group key program to be used is recorded, wherein the group key is a key of a common key cryptosystem, and each of n pieces of keys generated by using a one-way function f disclosed from the secret information S. Value t _n = f (S),
_{..., t k + 1 = f} (t k + 2), t k = f (t k + 1), ...,
Keys (GK _n ,..., GK) derived from t ₁ = f (t ₂ )
_1, GK _k, ..., is a GK _1), each time you update the group key, key _{(GK 1, ..., GK k} + 1, GK k, ..., G
K _n ), and when updating the group key GK _k ,
A new group key GK _{k + 1} is generated, and the user holds only the updated latest group key GK _k , encrypts the shared information of the group using the updated group key,
The shared information encrypted with the group key is decrypted with the group key. For the shared information encrypted with the past group key, a one-way function is calculated from the latest group key GK _k held by the user himself / herself. The gist of the invention is to record a group key program to be decrypted using a group key derived by using the recording medium on a recording medium.

According to the nineteenth aspect of the present invention, the group key is a key of a common key cryptosystem, and each of the n group keys is created using a one-way function f published from the secret information S. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k =
f (t _{k + 1} ),..., t ₁ = key (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from f (t ₂ ), and updates the group key Each time the key (GK ₁ , ..., GK
_{k + 1, GK k, ...} , to use in the order of GK _n), at the time of update of the group key GK _k generates a new group key GK k _{+ 1,} the user holds only the most recent of the group key GK _k, Using this latest group key, the group shared information is encrypted, the shared information encrypted with the group key is decrypted with the group key, and the shared information encrypted with the past group key is retained by the user himself. Since the group key program for decrypting using the group key derived from the latest group key GK _k using the one-way function is recorded on the recording medium, the distribution medium is improved by using the recording medium. be able to.

Further, according to the present invention, the shared information of a group consisting of a plurality of users is encrypted with a group key and shared by the group, and the user decrypts the encrypted shared information with the group key. A recording medium that stores a group key program to be used after conversion, wherein the group key is a key of a public key cryptosystem and is created using a public one-way function f composed of secret information S. Values t _n =
f (S), ..., t k + 1 = f (t k + 2), t k = f (t
_{k + 1), ..., t} 1 = secret key that is derived from _{f (t 2) (SGK n} , ..., SGK k + 1, SGK k, ..., SG
K ₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PG
K _k, ..., is a pair of PGK _1), each time you update the group key, key _{(SGK 1, PGK 1),} ..., (SGK
_{k + 1, PGK k + 1} ), (SGK k, PGK k), ...,
(SGK _n , PGK _n ) in this order and use the group key (S
When GK _k , PGK _k ) is updated, a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user holds only the updated latest group key (SGK _k , PGK _k ). Then, the shared information of the group is encrypted using the latest public key PGK _k of the group key, and the shared information encrypted with the public key PGK _k of the group key is decrypted with the secret key SGK _k of the group key. For the shared information encrypted with the past group key, a group key program for decrypting with the secret key derived from the latest secret key SGK _k of the group key using a one-way function is recorded on the recording medium. That is the gist.

According to the twentieth aspect of the present invention, the group key is a key of a public key cryptosystem, and each of the n group keys is created by using a one-way function f published from the secret information S. Value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ), t _k =
secret keys (SGK _n ,..., SGK _{k + 1} , SGK _k ,..., SG) derived from f (t _{k + 1} ),..., t ₁ = f (t ₂ )
K ₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PG
K _k, ..., is a pair of PGK _1), each time you update the group key, key _{(SGK k, PGK 1),} ..., (SGK
_{k + 1, PGK k + 1} ), (SGK k, PGK k), ...,
(SGK _n , PGK _n ) in this order and use the group key (S
When updating GK _k , PGK _k , a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user holds only the updated latest group key (SGK _k , PGK _k ). , Using the latest group key public key PGK _k to encrypt the group shared information,
The shared information encrypted by GK _k is used as the secret key S of the group key.
The shared information decrypted with GK _k and encrypted with the past group key records a group key program to be decrypted using a secret key derived from the latest secret key SGK _k of the group key using a one-way function. Since the information is recorded on a medium, the distribution of the medium can be improved by using the recording medium.

Further, the present invention according to claim 21 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A record that records a group key program that can use the decrypted shared information by decrypting it with a group key and encrypt / decrypt each user's own class and information of a class lower than the own class. Medium, wherein the group key is a key of a common key cryptosystem, and _m values y _m = g (S), which are created using a one-way function g disclosed from the secret information S, …, Y _{k + 1} =
g (y _{k + 2} ), y _k = g (y _{k + 1} ),..., y ₁ = g (y
₂ ) derived keys (GK _m ,..., GK _{k + 1} , G
K _k, ..., is a GK _1), as a group key of each class from the upper level to each _{class, (GK 1, ..., GK} k + 1, GK k,
.., GK _m ) in this order, the user holds only the latest assigned group key GK _k , uses this group key to encrypt the shared information of the group, In order to decrypt the shared information encrypted with the group key and decrypt the information encrypted with the lower group key, the user himself / herself obtains a one-way function from his / her own group key GK _k. The gist of the present invention is to record a group key program using a key derived by using the recording medium on a recording medium.

According to the twenty-first aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function g disclosed from the secret information S is M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
(Y _{k + 1} ),..., Y ₁ = g (y ₂ ) derived keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ). (G
_{K 1, ..., GK k +} 1, GK k, ..., order on allocation to the user of the GK _m), the user holds only the most recent of the group key GK _k, the shared information of the group using the group key In order to encrypt and decrypt the shared information encrypted with the group key of its own class, and to decrypt the information encrypted with the group key of a lower class than itself, the user himself / herself must use his / her own group key. Since a group key program using a key derived from GK _k using a one-way function is recorded on a recording medium, the distribution can be enhanced using the recording medium.

The invention according to claim 22 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. The shared medium is decrypted with a group key and used, and the user is a recording medium that records a group key program capable of encrypting / decrypting his / her own class and information of a class lower than his / her own class. The group key is a public key encryption key,
Each of the _m values y _m = g (S),..., Y _{k + 1} = g (y) created using the one-way function g published from the secret information S
_{k + 2} ), y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ ), derived from secret keys (SGK _m ,..., SGK _{k + 1} , SG
K _k ,..., SGK ₁ ) and the public key (PGK _m ,.
GK _{k + 1} , PGK _k ,..., PGK ₁ ), and (SGK ₁ , PGK ₁ , PGK ₁ )
K ₁ ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SG
_{K k, PGK k), ...} , assigned to the user to order a pair of (SGK _m, PGK _m), user, group assigned key (SGK _k, holds the PGK _k) only, of this group key Using the public key PGK _k , the shared information of the group is encrypted. Using the secret key SGK _k , the shared information encrypted with the public key PGK _k of the own group key is decrypted. To decrypt the information encrypted with the class key of the class, the user himself records a group key program using a key derived from his own secret key SGK _k using a one-way function on a recording medium. That is the gist.

According to the twenty-second aspect of the present invention, in a plurality of groups having a hierarchical structure, a group key is a key of a public key cryptosystem, and a one-way function g disclosed from secret information S is M values y _m = g created using
(S),..., Y _{k + 1} = g (y _{k + 2} ), y _k = g
, SGK _m , SGK _{k + 1} , SGK _k , SGK _m derived from (y _{k + 1} ),..., Y ₁ = g (y ₂ )
₁ ) and public keys (PGK _m ,..., PGK _{k + 1} , PGK
_k, ..., is a PGK _1), as a group key from the top of each class in each _{class, (SGK 1, PGK 1)} , ..., (S
GK _{k + 1} , PGK _{k + 1} ), (SGK _k , PGK _k ),
, (SGK _m , PGK _m ) are sequentially assigned to the user, and the user assigns the assigned group key (SGK _k ,
PGK _k ) and the public key PG of this group key
Using K _k , the group shared information is encrypted, and the private key SGK _k is used to encrypt the public key P of the own group key.
In order to decrypt shared information encrypted with GK _k and decrypt information encrypted with a group key of a lower class than itself, the user himself / herself obtains a one-way function from his / her own secret key SGK _k. Since the group key program using the key derived using the recording medium is recorded on the recording medium, the distribution can be improved by using the recording medium.

The present invention according to claim 23 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A record that records a group key program capable of encrypting and using encrypted shared information with a group key and allowing each user to encrypt / decrypt information of his / her own class and information of a class lower than his / her own class. A medium, wherein the group key is a key of a common key cryptosystem, and each of _n values t _n = f (S1), which is created using a one-way function f disclosed from the secret information S1, …, T _{k + 1
= F (t k + 2)} , t k = f (t k + 1), ..., t 1 = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
Keys (GK _r ,..., GK) derived from y ₁ = g (y ₂ )
_{k + 1} , GK _k ,..., GK ₁ ) and the group key GK _k
At the time of updating, a new group key GK _{k + 1} is generated, and the user holds only the updated latest group key GK _k and encrypts the group shared information using the updated group key. In addition, the shared information encrypted with the group key of the own class is decrypted, and the shared information encrypted with the past group key is one-way from the latest group key GK _k held by the user. For information that has been decrypted using a group key derived using the gender function f and has been encrypted with a group key of a lower rank than itself, the user himself / herself uses the one-way function g from his / her own group key. The gist of the present invention is to record a group key program decrypted using the key derived in the above on a recording medium.

According to the twenty-third aspect of the present invention, in a plurality of groups having a hierarchical structure, the group key is a key of a common key cryptosystem, and the one-way function f disclosed from the secret information S1 is Each of the _n values t _n = f created using
_{(S1), ..., t k} + 1 = f (t k + 2), t k = f (t
_{k + 1} ),..., t ₁ = f (t ₂ ) and _m values y _m = g (S2),..., y created using the one-way function g disclosed from the secret information S2. _{k + 1} = g (y _{k + 2} ), y _k
= G (y _{k + 1} ),..., Y ₁ = keys (GK _r ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from g (y ₂ ), and the group key GK _k At the time of updating, a new group key GK _{k + 1} is generated, and the user holds only the latest group key GK _k , encrypts the shared information of the group, and The shared information encrypted with the group key of the class is decrypted, and the shared information encrypted with the past group key is derived from the latest group key GK _k held by the user using the one-way function f. Is decrypted using the group key obtained by the user, and the information encrypted by the group key of a lower class than the user is decrypted by the user using the key derived from the own group key by the one-way function g. Since the group key program is recorded on the recording medium, With, it is possible to enhance the flow properties.

Further, the present invention according to claim 24 has a hierarchical structure composed of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key, and shares the information with the group. A record that records a group key program capable of encrypting and using encrypted shared information with a group key and allowing each user to encrypt / decrypt information of his / her own class and a class lower than his / her own class. Medium, wherein the group key is a key of a public key cryptosystem, and each of _n values t _n = f (S1) created using a one-way function f published from the secret information S1; …, T _{k + 1
= F (t k + 2)} , t k = f (t k + 1), ..., t 1 = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
secret key (SGK _r , derived from y ₁ = g (y ₂ ))
_{..., SGK k + 1, SGK} k, ..., SGK 1) and the public key _{(PGK r, ..., PGK k} + 1, PGK k, ..., PGK
₁ ) and a group key (SGK _k , PGK _k )
Is updated, a new group key (SGK _{k + 1} , PGK
_{k + 1} ), the user holds only the updated latest group key (SGK _k , PGK _k ), and uses the public key PGK _k of the updated group key to divide the group shared information. The shared information encrypted with the public key PGK _k of the group key is decrypted with the secret key SGK _k of the group key, and the shared information encrypted with the past group key is replaced with the latest group key. decrypted by using a secret key that is derived using a one-way function f from the secret key SGK _k, in the information that has been encrypted with a group key of a lower class than its own, the group key is the user himself own From the one-way function g
The gist of the present invention is to record a group key program decrypted using the secret key derived in the above on a recording medium.

According to the twenty-fourth aspect of the present invention, the group key is a key of a public key cryptosystem, and each of n group keys is created by using a one-way function f published from the secret information S1. Value t _n = f (S1),..., T _{k + 1} = f (t _{k + 2} ), t
_k = f (t _{k + 1} ),..., t ₁ = f (t ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2. ),..., Y _{k + 1} = g (y
_{k + 2} ), y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ ) derived secret keys (SGK _r ,..., SGK _{k + 1} , SG
K _k ,..., SGK ₁ ) and the public key (PGK _r ,.
GK _{k + 1} , PGK _k ,..., PGK ₁ ). When the group key (SGK _k , PGK _k ) is updated, a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated. The user holds only the latest group key (SGK _k , PGK _k ), encrypts the group's shared information using the latest group key's public key PGK _k , and encrypts it with the group key's public key PGK _k . The encrypted shared information is decrypted with the secret key SGK _k of the group key, and the shared information encrypted with the past group key is used as the secret derived by using the one-way function f from the secret key SGK _k of the latest group key. The user decrypts the information using the key, and encrypts the information encrypted with the group key of a lower class than the user.
Since the group key program that is decrypted using the secret key derived in step (1) is recorded on the recording medium, the distribution of the program can be improved using the recording medium.

[0060] The present invention of claim 25 is the invention according to any one of claims 21 to 24, wherein the group key, public information Y _1, Y ₂ representing the hierarchical organization, ..., using the Y _m , M values y produced by the one-way function g
_m = g (S‖Y _m ),..., y _{k + 1} = g (y ′ _{k + 1} ‖Y
_{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., y ₁ = g
It is derived from (y ′ ₁ ‖Y ₁ ), where y ′ _k is the gist of recording the group key program, which is the value of the upper layer of y _k , on the recording medium.

According to the present invention, the group key is public information Y ₁ , Y ₂ ,..., Y _m representing a hierarchical organization.
And _m values y _m created by the one-way function g
= G (S‖Y _m ),..., Y _{k + 1} = g (y ′ _{k + 1} ‖
Y _{k + 1} ), y _k = g (y ′ _k ‖Y _k ),..., Y ₁ = g
Since the group key program derived from (y ′ ₁ ‖Y ₁ ) is recorded on a recording medium, using the recording medium,
Its distribution can be improved.

According to a twenty-sixth aspect of the present invention, in the invention according to any one of the nineteenth to twenty-fifth aspects, the shared information is encrypted with an arbitrary key generated by a user, and the key is encrypted with a group key. The gist of the present invention is to record a group key program for attaching the encrypted information as attached information to the encrypted shared information on a recording medium.

According to the twenty-sixth aspect of the present invention, shared information is encrypted with an arbitrary key generated by a user, and this key is encrypted with a group key, and the encrypted shared information is converted into attached information as attached information. Since the attached group key program is recorded on the recording medium, it is possible to enhance the distribution of the program by using the recording medium.

According to a twenty-seventh aspect of the present invention, in the invention according to the twenty-sixth aspect, a group key program for encrypting the attached information with the latest group key every time the group key is updated is recorded on a recording medium. It shall be recorded.

According to the present invention, a group key program for encrypting the attached information with the latest group key is recorded on the recording medium every time the group key is updated. The medium can be used to enhance its distribution.

[0066]

DESCRIPTION OF THE PREFERRED EMBODIMENTS In a group key method according to the present invention, a group key is derived from each of n values created using a one-way function published from secret information to generate a group key. are but a value of the one-way function f is applied k + 1 times the initial value S as shown in FIG. 2 When h _nk, is easy to compute the h _nk-1 from h _nk by the features of the one-way function However, it is difficult to calculate _{hn-k + 1} .

The present invention makes use of the above-described features to make it easier for the user to manage the group key. As the one-way function, any method may be used as long as it is a one-way function having the above characteristics.

First, a description will be given of an apparatus configuration for implementing the group key method according to the first embodiment of the present invention. FIG.
FIG. 3 is a diagram illustrating a configuration of a group key device that implements a group key method according to the present embodiment. The group key device illustrated in FIG. The user decrypts the encrypted shared information with the group key and uses the encrypted shared information. A plurality of user terminals 3a for encrypting / decrypting and using shared information
To 3n.

The group key generator 1 includes a group key generator 11 for generating a group key and a group key transmitter 13 for transmitting the generated group key to each of the user terminals 3a to 3n. Further, each of the plurality of user terminals 3a to 3n includes a group key receiving unit 31 that receives a group key transmitted from the group key transmitting unit 13 of the group key generating organization 1, a latest group held by the user himself / herself. A group key deriving unit 33 that derives a group key for decrypting shared information encrypted with a past group key using a one-way function from a key, an encrypting unit that encrypts shared information with a group key 35, and a decryption unit 37 for decrypting the shared information encrypted with the group key.

Next, a group key method by the group key device of the present embodiment configured as described above will be described. In this embodiment, a group key is paid out for each group, and a group member can decrypt a document encrypted in the past only by holding the latest key.

The secret information S is generated for each group, and n values (t _n =
f (S), ..., t k + 1 = f (t k + 2), t k = f (t
_{k + 1), ..., t} 1 = f (t 2)) to generate. Function G1
GK _n ,..., GK _{k + 1} , GK _k ,
..., using the GK ₁ as a group key, GK ₁ for each update of the group _{key, ..., GK k + 1,} GK k, ..., for use in the order of GK _n. Note that the function G1 may be an identity function.

Assuming that the group key at a certain point in time is GK _k , the group key generator newly generates GK _{k + 1} when updating the group key. On the other hand, the user obtains the latest group key GK _{k + 1} and holds only that key. GK _k
In order to decrypt the past document encrypted by the above, the following is performed.

(1) t _{k + 1} from GK _{k + 1} by the function G1
Convert to

[0074] (2) determine the t _k by one-way function _{f (t k = f (t} k + 1)).

[0075] (3) converting from t _k by a function G1 ^-1 to GK _k.

(4) Decoding is performed using GK _k .

The document encrypted with GK ₁ ,..., GK _k−1 is also decrypted by the same processing.

Next, a group key method according to the second embodiment of the present invention will be described. In this embodiment, in a group having a hierarchical structure, it is possible to encrypt / decrypt information of a lower class group only by holding its own group key.

The secret information S is generated, and n values (yn = g (S), _n ) are obtained using the one-way function g published from S.
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
y ₁ = g (y ₂ )). GK _n obtained by converting the values by the function _{G2, ..., GK k + 1} , GK k, ..., allocated from the upper every class of GK ₁ as a group key for each class. Note that the function G2 may be an identity function.

A user of a certain class has his own group key (G
_Kk ) only, and _GKk is used to encrypt / decrypt own group shared information. In order to decrypt the information of the group lower than the self encrypted by GK _k−1 , the following is performed.

[0081] (1) converting the GK _k by the function G2 to y _k.

(2) y _{k -1} is _{obtained from the one-} way function g (y _{k -1} = g (y _k )).

(3) GK is obtained from y _k−1 by the function G2 ⁻¹
Convert to _k-1 .

(4) Decoding is performed using GK _k−1 .

The shared information encrypted by GK ₁ ,..., GK _k-2 is also decrypted by the same processing.

Next, a group key method according to the third embodiment of the present invention will be described. In this embodiment, in a group having a hierarchical structure, group members only hold their latest keys, and can also encrypt / decrypt information of lower-level groups and documents encrypted in the past. Is what you do.

The secret information S1 is generated for each class, and n values (t _n =
f (S1), ..., t k + 1 = f (t k + 2), t k = f (t
_{k + 1), ..., t} 1 = f (t 2)) to generate.

Further, secret information S2 is generated, and m values (y _m = g
(S2),..., Y _{K + 1} = g (y _{k + 2} ), y _k = g (y
_k + 1), ..., to generate a _{y 1 = g (y 2)} ).

The group key of each class is a one-way function f, g
Are converted by a function G3 by combining the values obtained from. Note that the function G3 may be an identity function. FIG.
In the case of this model, the group key is calculated from the intersection shown in FIG. The group key of the manager group at a certain point is GK ₁
Datosuruto, director group member decrypts the key which generated the encrypted document group key of the oblique line portion from the GK _1.

If the update of the group key is repeated in a certain specific group, there is a possibility that a group key that cannot be derived from a group higher than the group is held (see the group key of the section manager group in FIG. 4). This process involves allocating group keys so that the upper group can always derive the group key of the lower group.

Next, a specific example will be described. Here, the following case will be described.

(1) It is possible to decrypt a past cipher text using only the latest group key.

(2) The group key is a public key cryptosystem (ElGa
mal method is described as an example).

(3) The shared document is encrypted with the temporary key SK, and the SK is further encrypted with the group key and attached to the ciphertext.

The group key generating organization applies the one-way function f from the secret information (S) n times to calculate t ₁ .

T ₁ = f ⁿ (S) Next, a primitive element g of the prime number p and the multiplicative group Zp ^* is generated, and t ₁
Is the secret key of the group key, and ( ^{gt 1} (mod p), p,
g) is the public key of the group key. The secret key may be distributed to the group members or may not be distributed every time it is updated, but may be stored in a group key generation organization and distributed to the members when a group key is requested from the group members.

When the group key is updated, for example, because a group member has left, the group key generating organization applies the one-way function f from the secret information (S) again n-1 times.
the t ₂ is ^{_{calculated, t 2 = f n-1}} (S) secret key t _2, the public key ^{(g t2 (mod p),} p, g) to create.

Assuming that the secret key of the group key at a certain time is t _k and the public key is (g ^tk (mod p), p, g), the group members perform cryptographic operations as follows.

Encryption: (1) Create a temporary key SK and encrypt the document.

(2) Obtain the public key of the group key from the group key generating organization.

(3) SK is encrypted with the public key of the group key and attached to the ciphertext.

[0102] decryption: (1) if necessary, to obtain the secret key t _k of the group key from the group key generation institutions.

[0103] (2) If the SK of the accompanying information is encrypted with g ^tk, be decrypted using the private key t _k of the group key. If encrypted with g ^tk-r earlier than g ^tk ,
The secret key t _k to the one-way function f of the group key to t _kr is calculated by applying r times, be decrypted using the t _kr.

When a group member is added, only the latest group key is assigned to the new member.

Next, as another specific example, a group having a hierarchical structure only holds its own group key, decrypts an encrypted document in a lower group, and uses a group key of a common key encryption method. The case will be described with reference to FIG.

In FIG. 5, the group key generator applies a one-way function g from the secret information S to generate group keys y ₁ ,..., Y ₅ for each class.

Development department group key: y ₁ = g (S‖ “development department”) Section 1 group key: y ₂ = g (y ₁ ‖ “section 1”) Section 2 group key: y ₃ = g (Y ₂ ‖ “second section”) First engagement group key: y ₄ = g (y ₂ ‖ “first engagement”) Second engagement group key: y ₅ = g (y ₂ ‖ “second engagement”) Note that a character string such as “development department” is public information indicating a hierarchical organization.

A group key is assigned to a user belonging to each department. At this time, it may be distributed to the group members, or may be stored in the group key generating organization and distributed to the members at the time of a group key acquisition request from the group members, instead of being distributed every time an update is performed.

The group members perform cryptographic operations as follows.

Encryption: (1) Encrypt the text with its own group key.

Decryption: (1) If necessary, obtain a group key from a group key generation organization.

(2) If the ciphertext is encrypted with the group key to which the ciphertext belongs, decryption is performed using the group key of the ciphertext.

If the data is encrypted with the lower-level group key, the lower-level group key is calculated and decrypted based on the public information representing the hierarchical structure.

By recording the processing of the above-described embodiment as a program on a recording medium, it is possible to use the recording medium to enhance its circulation.

[0115]

As described above, according to the present invention,
The user holds only the latest group key GK _k , encrypts the shared information of the group using the latest group key, decrypts the shared information encrypted with the group key with the group key, and stores the past group key. Is decrypted using the group key derived from the latest group key GK _k held by the user using a one-way function, so that the user can use the past group as in the past. There is no need to hold the key, and members newly joining the group need only obtain the latest group key, and do not need to obtain a past group key.

Further, according to the present invention, the user holds only the latest group key GK _k , encrypts the shared information of the group using the group key, and encrypts the information with the group key of the own class. Decrypts the shared information, and decrypts the information encrypted with the group key of a lower class than itself using a key derived from the user's own group key GK _k using a one-way function. , The user does not need to retain the past group key as in the past,
Members of each group do not need to hold lower-level group keys in addition to their own group keys.

Further, according to the present invention, the user holds only the latest group key GK _k , encrypts the shared information of the group using the latest group key, and encrypts the shared information with the group key of the own class. Decrypts the shared information
Further, the shared information encrypted with the past group key is decrypted using the group key derived from the latest group key GK _k held by the user using the one-way function f,
Information encrypted with a group key of a lower class than itself is decrypted using a key derived by a one-way function g from a group key held by the user himself / herself. It is not necessary to keep the group key of the group, and members newly joining the group only need to obtain the latest group key, and it is not necessary to obtain the group key of the past. There is no need to hold a lower-level group key in addition to the group key.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating a configuration of a group key device that performs a group key method according to a first embodiment of the present invention.

FIG. 2 is an explanatory diagram for explaining properties of a one-way function used in the group key method of the present invention.

FIG. 3 is a diagram illustrating a range in which a section length can be decoded in a third embodiment of the present invention.

FIG. 4 is a diagram for explaining a group key that cannot be derived from a higher-level group when a group key is repeatedly updated in a third embodiment of the present invention.

FIG. 5 is an explanatory diagram showing a configuration of a group having a hierarchical structure as a specific example of the second embodiment of the present invention.

FIG. 6 is an explanatory diagram showing a plurality of groups having a hierarchical structure including a manager, a section manager, and a section manager.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Group key generation organization 3a-3n User terminal 11 Group key generation part 13 Group key transmission part 31 Group key reception part 33 Group key derivation part 35 Encryption part 37 Decryption part

Continued on the front page (72) Inventor Kimihiko Sekino F-term (reference) in Nippon Telegraph and Telephone Corporation 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo 5J104 AA16 EA07 EA16 EA19 MA06 NA02 NA11 NA12

Claims (27)

[Claims] 1. A group key method in which shared information of a group of a plurality of users is encrypted with a group key and shared by the group, and the user decrypts and uses the encrypted shared information with a group key. The group key is a key of a common key cryptosystem, and is created using a one-way function f disclosed from the secret information S.
, Each value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ),
Keys (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from t _k = f (t _{k + 1} ),..., t ₁ = f (t ₂ )
Each time the group key is updated, the key (GK ₁ ,..., GK
_{k + 1} , GK _k ,..., GK _n ), and when the group key GK _k is updated, a new group key GK is used.
_{k + 1} is generated, and the user holds only the updated latest group key GK _k , encrypts the shared information of the group using the updated group key, and uses the shared key encrypted with the group key. The information is decrypted with the group key, and the shared information encrypted with the past group key is decrypted using the group key derived from the latest group key GK _k held by the user using a one-way function. A group key method. 2. A group key method in which shared information of a group of a plurality of users is encrypted with a group key and shared by the group, and the users decrypt the encrypted shared information with a group key and use the same. The group key is a key of the public key cryptosystem, and is generated using a one-way function f published from the secret information S.
, Each value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ),
secret keys (SGK _n ,..., SGK _{k + 1} , SGK _k , derived from t _k = f (t _{k + 1} ),..., t ₁ = f (t ₂ )
..., SGK ₁ ) and the public key (PGK _n , ..., PGK)
_{k + 1} , PGK _k ,..., PGK ₁ ), and each time the group key is updated, a key (SGK _k , PGK _k ,
K ₁ ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SG
_{K k, PGK k), ...} , the (SGK _n, used in the order of PGK _n), a group key (SGK _k, at the time of update of the PGK _k), a new group key _{(SGK k + 1, PGK k} + 1) The user generates and updates the latest group key (SGK _k , P
GK _k ), encrypts the shared information of the group using the latest public key PGK _k of the group key, and converts the shared information encrypted with the public key PGK _k of the group key to the secret key of the group key. The shared information decrypted with the SGK _k and encrypted with the past group key is decrypted using a secret key derived from the secret key SGK _k of the latest group key using a one-way function. Group key method to do. 3. It has a hierarchical structure of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key and shares the information with the group, and the user shares the encrypted shared information with the group key. A group key method in which each user can encrypt / decrypt information of his / her own class and a class lower than his / her own class while using by decrypting. M, which is a key and is created using a one-way function g published from the secret information S
, Each value y _m = g (S),..., Y _{k + 1} = g (y _{k + 2} ),
Keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
And as a group key of each class from the higher rank for each class, (G
K ₁ ,..., GK _{k + 1} , GK _k ,..., GK _m ) in this order. The user holds only the latest group key GK _k assigned, and uses this group key. To encrypt the shared information of the group, decrypt the encrypted shared information with the group key of its own class, and decrypt the information encrypted with the group key of the lower class, Is their own group key GK _k
A key method using a key derived using a one-way function from. 4. It has a hierarchical structure of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key and shares the information with the group, and the user shares the encrypted shared information with the group key. A group key method in which a user can encrypt and decrypt information of his / her own class and a class lower than his / her own class while using by decrypting. The group key is a key of a public key cryptosystem. And m created using a one-way function g published from the secret information S
, Each value y _m = g (S),..., Y _{k + 1} = g (y _{k + 2} ),
The secret keys (SGK _m ,..., SGK _{k + 1} , SGK _k , derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
.., SGK ₁ ) and the public key (PGK _m ,.
_{k + 1} , PGK _k ,..., PGK ₁ ), and (SGK
₁ , PGK ₁ ), ..., (SGK _{k + 1} , PGK _{k + 1} ),
(SGK _k , PGK _k ),..., (SGK _m , PGK _m )
Are sequentially assigned to the user, and the user assigns the assigned group key (SGK _k , PG
K _k ) and the public key PGK _{k of} this group key
Is used to encrypt the shared information of the group, and the secret key SG
Using K _k , the public key PGK of the own group key
_In order to decrypt shared information encrypted with _k and decrypt information encrypted with a group key of a lower class than itself, the user himself uses a one-way function from his private key SGK _k. A key method using a key derived from the group key. 5. It has a hierarchical structure consisting of a plurality of classes, encrypts shared information of a group of a plurality of users with a group key and shares the information with the group, and the user shares the encrypted shared information with the group key. A group key method in which each user can encrypt / decrypt information of his / her own class and a class lower than his / her own class while using by decrypting. a key, each value of n which is created using a one-way function f, which is published by the secret information _{S1 t n = f (S1)} , ..., t k + 1 = f
(T _{k + 2} ), t _k = f (t _{k + 1} ),..., T ₁ = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
Keys (GK _r ,..., GK) derived from y ₁ = g (y ₂ )
_{k + 1} , GK _k ,..., GK ₁ ), and when the group key GK _k is updated, a new group key GK
_{k + 1} , the user holds only the updated latest group key GK _k , encrypts the shared information of the group using the updated group key, and uses the group key of its own class. The encrypted shared information is decrypted, and the shared information encrypted with the past group key uses a group key derived from the latest group key GK _k held by the user using a one-way function f. The information that has been decrypted by the user and encrypted with the group key of a lower class than itself is used by the user himself to obtain the one-way function g
A group key method characterized by being decrypted using the key derived in (1). 6. A hierarchical structure including a plurality of classes, wherein shared information of a group of a plurality of users is encrypted with a group key and shared by the group, and the users share the encrypted shared information with a group key. A group key method in which each user can encrypt / decrypt information of his / her own class and a class lower than his / her own class while using it by decryption. a key, each value of n which is created using a one-way function f, which is published by the secret information _{S1 t n = f (S1)} , ..., t k + 1 = f
(T _{k + 2} ), t _k = f (t _{k + 1} ),..., T ₁ = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
secret key (SGK _r , derived from y ₁ = g (y ₂ ))
_{..., SGK k + 1, SGK} k, ..., SGK 1) and the public key _{(PGK r, ..., PGK k} + 1, PGK k, ..., PGK
₁ ), and when the group key (SGK _k , PGK _k ) is updated, a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user updates the updated group key. (SGK _k , P
GK _k ), encrypts the shared information of the group using the latest public key PGK _k of the group key, and converts the shared information encrypted with the public key PGK _k of the group key to the secret key of the group key. The shared information decrypted with SGK _k and encrypted with the past group key is decrypted using the secret key derived from the latest secret key SGK _k of the group key using the one-way function f, The information encrypted with the group key of the class is obtained by the user using the one-way function g
A group key method characterized by being decrypted using a secret key derived in (1). 7. The group key is obtained by using public information Y ₁ , Y ₂ ,..., Y _m representing a hierarchical organization, and each of _m values y _m = g (g) created by the one-way function g. S‖Y _m ),…,
y _{k + 1} = g (y ′ _{k + 1} ‖Y _{k + 1} ), y _k = g (y ′ _k ‖
Y _k ),..., Y ₁ = g (y ′ ₁ ‖Y ₁ )
Here y _'k is group key method according to any one of claims 3 to 6, characterized in that the value of the upper hierarchy of y _k. 8. The shared information is encrypted with an arbitrary key generated by a user, and the key encrypted with a group key is attached to the encrypted shared information as attached information. 8. The group key method according to any one of 1 to 7. 9. The group key method according to claim 8, wherein each time the group key is updated, the attached information is encrypted with the latest group key. 10. A group key device that encrypts shared information of a group of a plurality of users with a group key and shares the information with the group, and decrypts the encrypted shared information with a group key for use. And _n values t _n = _n , which are keys of the common key cryptosystem and are created using the one-way function f disclosed from the secret information S,
f (S), ..., t k + 1 = f (t k + 2), t k = f (t
_{k + 1), ..., t} 1 = f ( a group key derived from _{t 2) (GK n, ...} , GK k + 1, GK k, ..., and a group key generating means for generating a GK _1), the Each time the generated group key is updated, the key (G
_{K 1, ..., GK k +} 1, GK k, ..., to use in the order of GK _n), at the time of update of the group key GK _k, and the group key update means for generating a new group key GK _{k + 1,} the user The latest group key G provided and updated in the terminal
A group key holding unit that holds only K _k as a user's own group key, and a group shared information is encrypted using the latest group key held by the group key holding unit,
An encryption / decryption means for decrypting the shared information encrypted with the group key with the group key; and a group key for decrypting the shared information encrypted with the past group key to the group key holding means. A group key deriving means for deriving a past information group key deriving from a held user's own latest group key GK _k using a one-way function. 11. A group key device that encrypts shared information of a group of a plurality of users with a group key and shares the information with the group, and decrypts the encrypted shared information with a group key for use. Then, each of the _n values t _n = _n , which is a key of the public key cryptosystem and is created using the one-way function f published from the secret information S,
f (S), ..., t k + 1 = f (t k + 2), t k = f (t
_{k + 1), ..., t} 1 = secret key that is derived from _{f (t 2) (SGK n} , ..., SGK k + 1, SGK k, ..., SG
K ₁ ) and public keys (PGK _n ,..., PGK _{k + 1} , PG
K _k ,..., PGK ₁ ) private key / public key generating means for generating a pair of keys (SGK ₁ , PGK ₁ , PGK _1)
1 ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SGK _k ,
PGK _k ),..., (SGK _n , PGK _n ) in order, and when updating the group key (SGK _k , PGK _k ),
A group key updating means for generating a new group key (SGK _{k + 1} , PGK _{k + 1} ); and a group provided in the user terminal and holding only the updated latest group key (SGK _k , PGK _k ) Using the key holding means and the latest group key public key PGK _k held in the group key holding means, the shared information of the group is encrypted, and the shared information encrypted with the group key public key PGK _k is encrypted. An encryption / decryption means for decrypting information with a secret key SGK _k of a group key, and a secret key of a group key for decrypting shared information encrypted with a past group key by the group key holding means. A group key deriving means for deriving a past information group key deriving means from a held latest secret key SGK _k of the group key using a one-way function. 12. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
Each user is a group key device capable of encrypting / decrypting information of his / her own class and classes lower than his / her own class, and is a key of a common key cryptosystem and is disclosed from secret information S. and each value of m which is created using a one-way function g y _m =
g (S),..., y _{k + 1} = g (y _{k + 2} ), y _k = g (y
_k + 1), ..., key derived from _{y 1 = g (y 2)} (GK
_m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ), and (G)
K ₁ ,..., GK _{k + 1} , GK _k ,..., GK _m ) and only the latest group key GK _k provided in the user terminal and assigned to the user. Using the group key held by the group key holding means, and encrypting the shared information of the group and decrypting the shared information encrypted by the group key of its own class. An encryption / decryption means, and a key for decrypting information encrypted with a group key of a lower rank than itself, from a user's own group key GK _k held in the group key holding means. A key deriving means for deriving lower-class information using a direction function. 13. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
The user is a group key device capable of encrypting / decrypting information of his / her own class and a class lower than his / her own class, and is a key of a public key cryptosystem and is disclosed from secret information S. Each of _m values ym = created using the one-way function g =
g (S),..., y _{k + 1} = g (y _{k + 2} ), y _k = g (y
_{k + 1), ..., y} 1 = g ( secret key that is derived from _{y 2) (SGK m, ...} , SGK k + 1, SGK k, ..., SG
K ₁ ) and public keys (PGK _m ,..., PGK _{k + 1} , PG
K _k ,... PGK ₁ )
Public key generation means, and a group key of each class from the higher rank (SGK
₁ , PGK ₁ ), ..., (SGK _{k + 1} , PGK _{k + 1} ),
(SGK _k , PGK _k ),..., (SGK _m , PGK _m )
Group key assigning means for sequentially assigning pairs of users to a user, group key holding means provided in a user terminal and holding only group keys (SGK _k , PGK _k ) assigned to the user, and group key holding means Using the public key PGK _k of the group key held in the means, the shared information of the group is encrypted,
Encrypting / decrypting means for decrypting shared information encrypted with the public key PGK _k of the own group key using the secret key SGK _k ; Key deriving means for deriving a key for decrypting the decrypted information from the user's own private key SGK _k held in the group key holding means using a one-way function. Group key device. 14. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
Each user is a group key device capable of encrypting / decrypting information of his / her own class and classes lower than his / her own class. The user is a key of a common key cryptosystem and is disclosed from secret information S1. _N values t _n created using the one-way function f
= F (S1), ..., t k + 1 = f (t k + 2), t k = f
(T _{k + 1} ),..., T ₁ = f (t ₂ ) and secret information S2
, Each value y _m = g (S2),..., Y _{k + 1} = g (y _{k + 2} ), created using the one-way function g published from
The group keys (GK _r ,..., GK _{k + 1} , GK _k ,...) derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
GK ₁ ), and at the time of updating the group key GK _k , a group key generating means for generating a new group key GK _{k + 1,} and an updated latest group key G provided at the user terminal.
Group key holding means for holding only K _k as a user's own group key, and using the latest group key held in the group key holding means to encrypt shared information of the group and An encryption / decryption unit for decrypting the shared information encrypted with the group key, and a group key for decrypting the shared information encrypted with the past group key, held in the group key holding unit. A past information group key deriving means for deriving from a user's own latest group key GK _k using a one-way function f, and for decrypting information encrypted with a group key of a lower class than the user And a group key deriving means for lower class information, which derives a key from the user's own group key held in the group key holding means by a one-way function g. Group key device to do. 15. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, the users use the encrypted shared information by encrypting it with the group key, and each user uses his or her own class and A group key device capable of encrypting / decrypting information of a class lower than its own class, using a one-way function f which is a key of a public key cryptosystem and is disclosed from secret information S1. _N values t _n created by
= F (S1), ..., t k + 1 = f (t k + 2), t k = f
(T _{k + 1} ),..., T ₁ = f (t ₂ ) and secret information S2
, Each value y _m = g (S2),..., Y _{k + 1} = g (y _{k + 2} ), created using the one-way function g published from
The secret keys (SGK _r ,..., SGK _{k + 1} , SGK _k , derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
.., SGK ₁ ) and the public key (PGK _r ,.
_{k + 1} , PGK _k ,..., PGK ₁ ), and a group key for generating a new group key (SGK _{k + 1} , PGK _{k + 1} ) when updating the group key (SGK _k , PGK _k ) Secret key / public key generating means, group key holding means provided in the user terminal, and holding only the updated latest group key (SGK _k , PGK _k ) as the user's own group key; The shared information of the group is encrypted using the latest public key PGK _k of the group key held in the key holding means, and the shared information encrypted with the public key PGK _k of the group key is converted to the secret key SGK _{k of the} group key. Encryption / decryption means for decrypting the shared information, and a user's own latest group key stored in said group key storage means for storing a secret key for decrypting shared information encrypted with a past group key. the secret of Said group key holding means a secret key for decrypting the past information secret key derivation means for deriving the information encrypted by the group key of the lower ranks than own using SGK _k from one-way function f And a means for deriving a secret key for lower-class information derived from the user's own group key held by the one-way function g. 16. The group key, public information Y _1, Y ₂ representing the hierarchical organization, ..., Y _m using the one-way function values of the m created by g y _m = g ( S‖Y _m ),
.., Y _{k + 1} = g (y ′ _{k + 1} ‖Y _{k + 1} ), y _k = g (y ′
_k ‖Y _k), ..., 'derived from ₁ ‖Y _1), where _{y' y 1 = g (y} k is the claims 12 to 15, characterized in that the value of the upper hierarchy of y _k The group key device according to any one of the above. 17. The shared information is encrypted with an arbitrary key generated by a user, and the key encrypted with a group key is attached to the encrypted shared information as attached information. 17. The group key device according to any one of 10 to 16. 18. The group key device according to claim 17, wherein each time the group key is updated, the attached information is encrypted with the latest group key. 19. The shared information of a group including a plurality of users is encrypted with a group key and shared by the group, and the user records a group key program to be used by decrypting the encrypted shared information with a group key. The group key is a key of a common key cryptosystem, and is created using a one-way function f published from the secret information S.
, Each value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ),
Keys (GK _n ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from t _k = f (t _{k + 1} ),..., t ₁ = f (t ₂ )
Each time the group key is updated, the key (GK ₁ ,..., GK
_{k + 1} , GK _k ,..., GK _n ), and when the group key GK _k is updated, a new group key GK is used.
_{k + 1} is generated, and the user holds only the updated latest group key GK _k , encrypts the shared information of the group using the updated group key, and uses the shared key encrypted with the group key. The information is decrypted with the group key, and the shared information encrypted with the past group key is decrypted using the group key derived from the latest group key GK _k held by the user using a one-way function. A recording medium on which a group key program is recorded. 20. Encrypt shared information of a group of a plurality of users with a group key and share the group, and the user records a group key program to be used by decrypting the encrypted shared information with a group key. The group key is a key of the public key cryptosystem, and is created using a one-way function f published from the secret information S.
, Each value t _n = f (S),..., T _{k + 1} = f (t _{k + 2} ),
secret keys (SGK _n ,..., SGK _{k + 1} , SGK _k , derived from t _k = f (t _{k + 1} ),..., t ₁ = f (t ₂ )
..., SGK ₁ ) and the public key (PGK _n , ..., PGK)
_{k + 1} , PGK _k ,..., PGK ₁ ). Each time the group key is updated, the key (SGK ₁ , PGK ₁ ,
K ₁ ),..., (SGK _{k + 1} , PGK _{k + 1} ), (SG
_{K k, PGK k), ...} , the (SGK _n, used in the order of PGK _n), a group key (SGK _k, at the time of update of the PGK _k), a new group key _{(SGK k + 1, PGK k} + 1) The user generates and updates the latest group key (SGK _k , P
GK _k ), encrypts the shared information of the group using the latest public key PGK _k of the group key, and converts the shared information encrypted with the public key PGK _k of the group key to the secret key of the group key. The shared information decrypted with the SGK _k and encrypted with the past group key is decrypted using a secret key derived using a one-way function from the secret key SGK _k of the latest group key. A recording medium on which a group key program to be recorded is recorded. 21. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
Each user is a recording medium recording a group key program capable of encrypting / decrypting information of his / her own class and classes lower than his / her own class. The group key is a key of a common key cryptosystem. And m created using the one-way function g published from the secret information S
, Each value y _m = g (S),..., Y _{k + 1} = g (y _{k + 2} ),
Keys (GK _m ,..., GK _{k + 1} , GK _k ,..., GK ₁ ) derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
And as a group key of each class from the higher rank for each class, (G
K ₁ ,..., GK _{k + 1} , GK _k ,..., GK _m ) in this order. The user holds only the latest group key GK _k assigned, and uses this group key. To encrypt the shared information of the group, decrypt the encrypted shared information with the group key of its own class, and decrypt the information encrypted with the group key of the lower class, Is their own group key GK _k
A recording medium recording a group key program, characterized in that a key derived using a one-way function from is used. 22. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
The user is a recording medium storing a group key program capable of encrypting / decrypting his / her own class and information of a class lower than his / her own class. The group key is a key of a public key cryptosystem. M using the one-way function g published from the secret information S
, Each value y _m = g (S),..., Y _{k + 1} = g (y _{k + 2} ),
The secret keys (SGK _m ,..., SGK _{k + 1} , SGK _k , derived from y _k = g (y _{k + 1} ),..., y ₁ = g (y ₂ )
.., SGK ₁ ) and the public key (PGK _m ,.
_{k + 1} , PGK _k ,..., PGK ₁ ), and (SGK
₁ , PGK ₁ ), ..., (SGK _{k + 1} , PGK _{k + 1} ),
(SGK _k , PGK _k ),..., (SGK _m , PGK _m )
Are sequentially assigned to the user, and the user assigns the assigned group key (SGK _k , PG
K _k ) and the public key PGK _{k of} this group key
Is used to encrypt the shared information of the group, and the secret key SG
Using K _k , the public key PGK of the own group key
_In order to decrypt the shared information encrypted with _k and decrypt the information encrypted with the group key of a lower rank than itself, the user himself uses a one-way function from his own secret key SGK _k. A recording medium on which a group key program is recorded, using a key derived in such a manner. 23. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
Each user is a recording medium recording a group key program capable of encrypting / decrypting information of his / her own class and classes lower than his / her own class. The group key is a key of a common key cryptosystem. Then, each of the _n values t _n = f (S1),..., T _{k + 1} = f created using the one-way function f published from the secret information S1
(T _{k + 2} ), t _k = f (t _{k + 1} ),..., T ₁ = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
Keys (GK _r ,..., GK) derived from y ₁ = g (y ₂ )
_{k + 1} , GK _k ,..., GK ₁ ), and when the group key GK _k is updated, a new group key GK
_{k + 1} , the user holds only the updated latest group key GK _k , encrypts the shared information of the group using the updated group key, and uses the group key of its own class. The encrypted shared information is decrypted, and the shared information encrypted with the past group key uses a group key derived from the latest group key GK _k held by the user using a one-way function f. The information that has been decrypted by the user and encrypted with the group key of a lower class than itself is used by the user himself to obtain the one-way function g
A recording medium recording a group key program, wherein the group key program is decrypted by using the key derived in the above. 24. It has a hierarchical structure consisting of a plurality of classes,
The shared information of the group consisting of multiple users is encrypted with the group key and shared by the group, and the user decrypts and uses the encrypted shared information with the group key,
Each user is a recording medium recording a group key program capable of encrypting / decrypting information of his / her own class and classes lower than his / her own class. The group key is a key of a public key cryptosystem. Then, each of the _n values t _n = f (S1),..., T _{k + 1} = f created using the one-way function f published from the secret information S1
(T _{k + 2} ), t _k = f (t _{k + 1} ),..., T ₁ = f
(T ₂ ) and _m values y _m = g (S 2) created using the one-way function g published from the secret information S 2,
.., Y _{k + 1} = g (y _{k + 2} ), y _k = g (y _{k + 1} ),.
secret key (SGK _r , derived from y ₁ = g (y ₂ ))
_{..., SGK k + 1, SGK} k, ..., SGK 1) and the public key _{(PGK r, ..., PGK k} + 1, PGK k, ..., PGK
₁ ), and when the group key (SGK _k , PGK _k ) is updated, a new group key (SGK _{k + 1} , PGK _{k + 1} ) is generated, and the user updates the updated group key. (SGK _k , P
GK _k ), encrypts the shared information of the group using the latest public key PGK _k of the group key, and converts the shared information encrypted with the public key PGK _k of the group key to the secret key of the group key. The shared information decrypted with SGK _k and encrypted with the past group key is decrypted using the secret key derived from the latest secret key SGK _k of the group key using the one-way function f, The information encrypted with the group key of the class is obtained by the user using the one-way function g
A recording medium on which a group key program is recorded, wherein the group key program is decrypted using the secret key derived in the above. 25. The group key, public information Y _1, Y ₂ representing the hierarchical organization, ..., Y _m using the one-way function values of the m created by g y _m = g ( S‖Y _m ),
.., Y _{k + 1} = g (y ′ _{k + 1} ‖Y _{k + 1} ), y _k = g (y ′
_k ‖Y _k), ..., 'derived from ₁ ‖Y _1), where _{y' y 1 = g (y} k is the claims 21 to 24, characterized in that the value of the upper hierarchy of y _k A recording medium on which any of the group key programs described above is recorded. 26. The shared information is encrypted with an arbitrary key generated by a user, and the key encrypted with a group key is attached to the encrypted shared information as attached information. A recording medium recording the group key program according to any one of 19 to 25. 27. The recording medium according to claim 26, wherein the attached information is encrypted with the latest group key every time the group key is updated.